Re: Issue with spam being sent by webmail

2009-03-27 Thread mouss
Ross Tsolakidis wrote:
>> I had to resort to installing postfix-policyd to rate limit them.
>> (Make sure you have Squirrel use auth so regardless of forged-from
>> lines, you still rate limit accounts).
> 
> I've just been playing with postfix-policyd (debian package 1.80).
> 
> The only way I could get it working was by using the following command
> in main.cf
> smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
> 
> Definitely looks good, however, once configured, it blocks 127.0.0.1 :(
> Which of course is correct as that is the IP sending via webmail !
> I've missed something here.
> 

create a specific smtpd for webmail (say on port 8025) and configure
your webmail to use it. then for this smtpd:

127.0.0.1:8025 inet n - - - - smtpd
    -o smtpd_sender_restrictions=${webmail_sender_restrictions}
    ...

and in main.cf
webmail_sender_restrictions=
    # only accept senders from our domains ...
    check_sender_access ...
    # rate limit with policyd
    check_policy_service ...
    ...





> [snip]
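
Why the limit has to follow the account rather than the client IP, as an added example that is not part of the thread and is not postfix-policyd's code: it speaks the attribute format of Postfix policy delegation (`name=value` lines ended by an empty line, answered with `action=...`) and keys the counter on `sasl_username`. The class name, the limits and the sample addresses are assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque


def parse_request(raw):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break  # the empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class AccountRateLimiter:
    """Sliding-window limit on policy requests per sending account (hypothetical)."""

    def __init__(self, max_rcpts, window_seconds, clock=time.time):
        self.max_rcpts = max_rcpts
        self.window = window_seconds
        self.clock = clock
        self.hits = defaultdict(deque)  # bucket key -> timestamps of accepted requests

    @staticmethod
    def bucket(attrs):
        # Key on the authenticated login. The envelope sender can be forged,
        # and every webmail user arrives from 127.0.0.1, so the client
        # address is only a fallback for unauthenticated sessions.
        user = attrs.get("sasl_username", "").strip().lower()
        if user:
            return "sasl:" + user
        return "ip:" + attrs.get("client_address", "unknown")

    def decide(self, attrs):
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO\n\n"
        now = self.clock()
        q = self.hits[self.bucket(attrs)]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget requests that fell out of the window
        if len(q) >= self.max_rcpts:
            return "action=DEFER_IF_PERMIT 4.7.1 Sending rate limit exceeded\n\n"
        q.append(now)
        return "action=DUNNO\n\n"


def build_request(**attrs):
    """Build a constructed sample request as the webmail smtpd would send it."""
    base = {"request": "smtpd_access_policy", "protocol_state": "RCPT",
            "client_address": "127.0.0.1"}
    base.update(attrs)
    return "".join(f"{k}={v}\n" for k, v in base.items()) + "\n"


def demo():
    """Two webmail users behind the same 127.0.0.1, limit of 3 per hour."""
    now = [0.0]
    limiter = AccountRateLimiter(3, 3600, clock=lambda: now[0])

    def send(user, sender):
        req = build_request(sasl_username=user, sender=sender,
                            recipient="someone@example.org")
        return limiter.decide(parse_request(req)).split()[0]

    out = []
    for i in range(4):  # alice changes the forged From each time
        out.append(("alice", send("alice", f"forged{i}@example.net")))
    out.append(("bob", send("bob", "bob@example.com")))
    now[0] += 3600      # one window later
    out.append(("alice", send("alice", "alice@example.com")))
    return out


if __name__ == "__main__":
    for user, action in demo():
        print(user, action)
```

With the counter keyed on the login, the fourth message from one account is deferred while the other account on the same loopback address is unaffected.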


Re: Piping /etc/aliases to newaliases

2009-03-27 Thread mouss
Bryce Nesbitt wrote:
> Noel Jones wrote:
>> You can't pipe to newaliases.
>> You can use a proto file with comments and some script to create the
>> input file that newaliases requires.  This seems a natural for a
>> Makefile.
>>   -- Noel Jones
> I was aiming for something that was "no mistakes" proof for other system
> administrators.
> 
> Meaning:
> 1) /etc/aliases would be the file to edit (not some other file).
> 2) "newaliases" would still be the command to run.
> 

just tell postfix to use another place:

alias_maps = hash:/etc/postfix/autogenerated/aliases
alias_database = ${alias_maps}

then edit /etc/aliases as you want, and use your shell to generate
/etc/postfix/autogenerated/aliases.

as Noel said, put this in a Makefile...

> The hack I came up with was /etc/aliases has comments.  /etc/newaliases
> is my script.  Strips comments to a temporary file.  It then calls
> "sendmail -I" to process the aliases.  Then it deletes the temp file. 
> 
> Not so elegant.
> Would anyone else appreciate end of line comments, as an extension to
> /etc/aliases and *.pcre?  What character should introduce such comments?

why fight against the system. isn't this ok:

# joe blah blah
joe jim

(that is: comments on their own lines).


Re: my mailserver has been blacklisted

2009-03-27 Thread Charles Marcus
On 3/26/2009, Noel Jones (njo...@megan.vbhcs.org) wrote:
> (A better design is to have a separate IP for "official" mail and
> another IP used for client internet access.  Then client misbehavior
> doesn't affect the mail system.  of course that means you must have
> more than one IP...)

I like this idea, but, how effective would it be if the two IPs were
neighbors? E.g., two consecutive IPs on the same net block?

-- 

Best regards,

Charles


Re: my mailserver has been blacklisted

2009-03-27 Thread Ivan Ricotti
Hello,

Noel Jones wrote:
> The above is the result of a postfix reject_unverified_recipient check. 
> The double_bounce entries you see are address probes.  In other words,
> these are not in any way related to your problem.

oook, thanks!

> Since you so far haven't shown anything remotely suspicious in your
> postfix config or logs, most likely you have some virus infected client
> machines that are sending mail direct to the recipient's MX - *not*
> relaying through your postfix.

Happy to hear this: I suspected something like that but I wasn't sure...
now I made some tests and I found a windows user with a workstation full
of trojans. I sanitized the pc. I don't know if it was the real problem
but a clean pc is better than a sick one...

> The first thing you must do is make sure that your border firewall or
> router prevents outgoing connections to destination port 25 for everyone
> except your postfix box. Then at least an infected machine can't spew
> its payload.

That was the real problem! There wasn't any rule on my firewall regarding
outbound connections towards the smtp port. I fixed this and spotted in the
log some workstations using other mailservers rather than mine.

> At this point, your problem doesn't appear to be a postfix problem, nor
> something that can be addressed in postfix.

Many thanks to you all for your help.
I greatly appreciate it!

Now let's see what's gonna happen with spamcop (who tagged my IP) in
the next few hours.

Thanks, again!
Ivan

-- 
Ivan Ricotti
--- 
eLabor sc - via G. Garibaldi 33, 56127 Pisa
tel: +39 050970363 web: http://www.elabor.biz
email: i...@elabor.homelinux.org
GnuPG KeyID: DFD581C5 - 13/11/2003
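
One way to pull the offending workstations out of the firewall log once outbound port 25 is filtered, as an added example that is not part of the thread: it assumes the border firewall writes iptables-style LOG lines for those connections. The `SMTP-OUT:` prefix, the LAN range, the mail server address and the sample lines are constructed for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# NAME=value tokens as they appear in iptables LOG output.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed, abbreviated sample lines (documentation address ranges).
SAMPLE_LOG = """\
Mar 27 10:15:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.25 PROTO=TCP SPT=1045 DPT=25 SYN
Mar 27 10:15:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.14 PROTO=TCP SPT=1046 DPT=25 SYN
Mar 27 10:15:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.77 PROTO=TCP SPT=1047 DPT=25 SYN
Mar 27 10:16:40 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=2210 DPT=25 SYN
Mar 27 10:18:11 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=2214 DPT=25 SYN
Mar 27 10:18:30 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=25 SYN
Mar 27 10:19:00 gw kernel: WEB: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.80 PROTO=TCP SPT=1050 DPT=80 SYN
Mar 27 10:20:00 gw kernel: eth0: link up
"""


def direct_smtp_sources(lines, lan, mail_server):
    """Return (source, attempts, distinct destinations) for LAN hosts other
    than the mail server that tried to reach TCP port 25 outside the LAN."""
    lan_net = ipaddress.ip_network(lan)
    mta = ipaddress.ip_address(mail_server)
    attempts = defaultdict(int)
    destinations = defaultdict(set)
    for line in lines:
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
            dst = ipaddress.ip_address(fields.get("DST", ""))
        except ValueError:
            continue  # truncated or malformed line
        if src not in lan_net or src == mta or dst in lan_net:
            continue
        attempts[src] += 1
        destinations[src].add(dst)
    report = [(str(s), attempts[s], len(destinations[s])) for s in attempts]
    # Busiest source first; ties broken by address for a stable report.
    return sorted(report, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, n, dests in direct_smtp_sources(
            SAMPLE_LOG.splitlines(), "192.168.1.0/24", "192.168.1.10"):
        print(f"{src}: {n} attempts to {dests} distinct servers")
```

A host that fans out to many distinct servers fits the infected-workstation pattern described in the thread; one that keeps retrying a single outside server is more likely a mail client pointed at another provider.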


Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread Steffen Schaumburg
Thanks for the quick response and sorry I missed that. Here's the output
from postfinger-1.30 without parameters:
--System Parameters--
mail_version = 2.5.6
hostname = davserver
uname = Linux davserver 2.6.28-gentoo-r4 #1 SMP Thu Mar 19 22:24:29 GMT
2009 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz GenuineIntel GNU/Linux

--Packaging information--

--main.cf non-default parameters--
home_mailbox = .maildir/
smtpd_client_restrictions = permit_inet_interfaces, permit_mynetworks,
permit_sasl_authenticated, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient
permit_sasl_authenticated reject_unauth_destination permit
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender, permit
soft_bounce = yes
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_base = /var/mail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot

--master.cf--
smtp       inet  n   -   n   -       -   smtpd -v
pickup     fifo  n   -   n   60      1   pickup
cleanup    unix  n   -   n   -       0   cleanup
qmgr       fifo  n   -   n   300     1   qmgr
tlsmgr     unix  -   -   n   1000?   1   tlsmgr
rewrite    unix  -   -   n   -       -   trivial-rewrite
bounce     unix  -   -   n   -       0   bounce
defer      unix  -   -   n   -       0   bounce
trace      unix  -   -   n   -       0   bounce
verify     unix  -   -   n   -       1   verify
flush      unix  n   -   n   1000?   0   flush
proxymap   unix  -   -   n   -       -   proxymap
proxywrite unix  -   -   n   -       1   proxymap
smtp       unix  -   -   n   -       -   smtp -v
relay      unix  -   -   n   -       -   smtp -v
  -o smtp_fallback_relay=
showq      unix  n   -   n   -       -   showq
error      unix  -   -   n   -       -   error
retry      unix  -   -   n   -       -   error
discard    unix  -   -   n   -       -   discard
local      unix  -   n   n   -       -   local
virtual    unix  -   n   n   -       -   virtual
lmtp       unix  -   -   n   -       -   lmtp
anvil      unix  -   -   n   -       1   anvil -v
scache     unix  -   -   n   -       1   scache
dovecot    unix  -   n   n   -       -   pipe
  flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -f ${sender}
  -d ${recipient}


Note that postfinger didn't pick up on one of the dovecot lines in main.cf.
As I understand the howto
(http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot) as
well as the Postfix documentation
(http://www.postfix.org/postconf.5.html#transport_destination_recipient_limit)
however the option is correct. Here's the line it missed:
dovecot_destination_recipient_limit = 1

Cheers, Steffen

On Thu, 26 Mar 2009 20:11:31 -0400, Sahil Tandon  wrote:
> On Thu, 26 Mar 2009, Steffen Schaumburg wrote:
> 
>> Hi everyone,
>> Sorry if this has been asked before I searched all over the place but I
>> just can't figure it out. I'm trying to setup postfix, using dovecot for
>> delivery (and IMAP&POP3). Dovecot in turn uses a MySQL backend. I used this
>> guide: http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot
>> Basically IMAP and POP3 are working, but when I try to send email to the
>> new server it fails. I tried:
>> - sending email from the new server to the new server (using thunderbird
>> via SMTP).
>> - sending email from my old server (this one) to the new one.
>> - I tried sending to both real mailboxes as well as to two aliases.
>> 
>> The error is always the same, here's thunderbird's version when using the
>> new server's SMTP: "An error occurred while sending mail. The mail server
>> responded: 5.1.1 : Recipient address rejected:
>> User unknown in virtual mailbox table. Please check the message recipients
>> and try again."
>> 
>> I should mention that I'm not exactly an expert with this stuff, but I have
>> successfully setup postfix before (but without dovecot) and have a fair bit
>> of experience with *nix administration. I used postfix 2.5.5 originally, I
>> tried updating to 2.5.6 just in case it was a bug but no change. I assume
>> this is a silly error on my part somewhere ;)
>> I also checked that the SQL user&pw used for this is working, all the
>> configs and SQL entries seem to be correct as far as I can tell.
> 
> [clutter]
> 
> http://www.postfix.org/DEBUG_README.html#mail
> 
> (pay particular attention to sixth bullet point)
> 
>



Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread suomi

Hi Steffen
we use quite a similar config, but instead of mysql:, we use proxy:ldap:

contrasting to your config we have:

virtual_transport = virtual

suomi


Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread Brian Evans - Postfix List
Steffen Schaumburg wrote:
> Thanks for the quick response and sorry I missed that. Here's the output
> from postfinger-1.30 without parameters:
> --System Parameters--
> mail_version = 2.5.6
> hostname = davserver
> uname = Linux davserver 2.6.28-gentoo-r4 #1 SMP Thu Mar 19 22:24:29 GMT
> 2009 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz GenuineIntel GNU/Linux
>
> --Packaging information--
>
> --main.cf non-default parameters--
> smtpd_client_restrictions = permit_inet_interfaces, permit_mynetworks,
> permit_sasl_authenticated, permit
>   
This has no purpose.. permit, permit, permit, permit.
> smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient
> permit_sasl_authenticated reject_unauth_destination permit
[...]
> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_mailbox_base = /var/mail
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
> virtual_transport = dovecot
>   
What does 'postmap -q use...@schaumburger.info
mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf'
and 'postmap -q use...@schaumburger.info
mysql:/etc/postfix/mysql_virtual_alias_maps.cf'
return?

Do not trust your queries until you see what Postfix is using.

> Note that postfinger didn't pick up on one of the dovecot lines in main.cf.
> As I understand the howto
> (http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot) as
> well as the Postfix documentation
> (http://www.postfix.org/postconf.5.html#transport_destination_recipient_limit)
> however the option is correct. Here's the line it missed:
> dovecot_destination_recipient_limit = 1
>   
postconf (which postfinger uses) does not understand
(transport)_destination_recipient_limit.
It does not print parameters it does not understand.

Brian


Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread Steffen Schaumburg
>> dovecot   unix  -   n   n   -   -   pipe
>>  flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -f ${sender}
>> -d ${recipient}
> 
> add in -e just before  -d
> 

I tried this first, same result.

On Fri, 27 Mar 2009 22:17:01 +1000 (EST), Res  wrote:
> On Fri, 27 Mar 2009, Steffen Schaumburg wrote:
> 
>>
>> --main.cf non-default parameters--
> 
> Is your sql query written OK?
> Connect to mysql and issue the commands manually to ensure it returns a 
> lookup result.

Tried (using the mailauth user as written in the mysql_virtual_*.cf files)
and they work. One thing that might be off is the mailbox query which
yields "schaumburger.info/steffen/Maildir/" - is that enough or should it
be "/var/mail/schaumburger.info/steffen/Maildir/"? Also the SQL commands in
the .cf files do not finish with a ; but it worked on a previous setup I
had so I don't think that's it?
I also checked that the alias table contains the mailboxes as well, and it
does. 

I just compared my configs on the new server to a testserver I had made
some time ago and that I only just remembered and it seems to be identical
except on the testserver I had manually set mydomain, myorigin and
myhostname. Now I didn't think this could be the cause of the problem but I
tried anyways, and the problem persists exactly as before :(
I also checked the SQL queries in the testserver and they yield identical
results (except the domain is different since that was running on a
different domain).

>> dovecot_destination_recipient_limit = 1
> 
> That's a good entry idea.
> I don't use gentoo, we use Slackware, but it's similar. I'll send you 
> off-list a URL to check out.
> 

Cheers, I have to be honest though I just copied that from the guide :)

Maybe somebody knows this, is the error in the postfix stage (of checking
if the user exists) or is it in the dovecot phase (of actually delivering
the mail)? I would think it's the postfix stage but having confirmation of
that would be nice.

Also as you could see from the output of postfinger I tried adding -v to
master.cf to get more info but there's nothing in my log files about my
attempts to send emails. Can I get it to be more verbose?


Thanks so far, hope we can track this problem down :)
Steffen



Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread Steffen Schaumburg


On Fri, 27 Mar 2009 09:10:42 -0400, Brian Evans - Postfix List
 wrote:
> Steffen Schaumburg wrote:
>> Thanks for the quick response and sorry I missed that. Here's the output
>> from postfinger-1.30 without parameters:
>> --System Parameters--
>> mail_version = 2.5.6
>> hostname = davserver
>> uname = Linux davserver 2.6.28-gentoo-r4 #1 SMP Thu Mar 19 22:24:29 GMT
>> 2009 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz GenuineIntel GNU/Linux
>>
>> --Packaging information--
>>
>> --main.cf non-default parameters--
>> smtpd_client_restrictions = permit_inet_interfaces, permit_mynetworks,
>> permit_sasl_authenticated, permit
>>   
> This has no purpose.. permit, permit, permit, permit.

Cheers, I'll add a note to my todo list to change this and update the wiki
howto that I used - in the meantime - since it's all permits - it shouldn't
cause the problem, right?

>> smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient
>> permit_sasl_authenticated reject_unauth_destination permit
> [...]
>> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
>> virtual_mailbox_base = /var/mail
>> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
>> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
>> virtual_transport = dovecot
>>   
> What does 'postmap -q use...@schaumburger.info
> mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf'

This returns nothing, which I think is correct since usenet is just an
alias. When I run it on the destination mailbox stef...@schaumburger.info
it returns "stef...@schaumburger.info", again, I think this is correct?

> and 'postmap -q use...@schaumburger.info
> mysql:/etc/postfix/mysql_virtual_alias_maps.cf'
> return?

That gives "schaumburger.info/steffen/Maildir/"
The absolute path to the folder is
"/var/mail/schaumburger.info/steffen/Maildir/" so I think the result is
correct?

> Do not trust your queries until you see what Postfix is using.

Thanks, I wasn't aware of the postmap command - on my previous setups
everything just worked straight away so I didn't need them ;)

>> Note that postfinger didn't pick up on one of the dovecot lines in main.cf.
>> As I understand the howto
>> (http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot) as
>> well as the Postfix documentation
>> (http://www.postfix.org/postconf.5.html#transport_destination_recipient_limit)
>> however the option is correct. Here's the line it missed:
>> dovecot_destination_recipient_limit = 1
>>   
> postconf (which postfinger uses) does not understand
> (transport)_destination_recipient_limit.
> It does not print parameters it does not understand.

Makes sense, but when I noticed the parameter missing I figured I should
note that so you have all the necessary information.



Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread Brian Evans - Postfix List
Steffen Schaumburg wrote:
> On Fri, 27 Mar 2009 09:10:42 -0400, Brian Evans - Postfix List
>  wrote:
>   
>> Steffen Schaumburg wrote:
>> 
>>> Thanks for the quick response and sorry I missed that. Here's the output
>>> from postfinger-1.30 without parameters:
>>> --System Parameters--
>>> mail_version = 2.5.6
>>> hostname = davserver
>>> uname = Linux davserver 2.6.28-gentoo-r4 #1 SMP Thu Mar 19 22:24:29 GMT
>>> 2009 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz GenuineIntel GNU/Linux
>>>
>>> --Packaging information--
>>>
>>> --main.cf non-default parameters--
>>> smtpd_client_restrictions = permit_inet_interfaces, permit_mynetworks,
>>> permit_sasl_authenticated, permit
>>>   
>>>   
>> This has no purpose.. permit, permit, permit, permit.
>> 
>
> Cheers, I'll add a note to my todo list to change this and update the wiki
> howto that I used - in the meantime - since it's all permits - it shouldn't
> cause the problem, right?
>
>   

Problems? No.
I've been changing the wiki too so others do not ask.

>>
>>> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
>>> virtual_mailbox_base = /var/mail
>>> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
>>> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
>>> virtual_transport = dovecot
>>>   
>>>   
>> What does 'postmap -q use...@schaumburger.info
>> mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf'
>> 
>
> This returns nothing, which I think is correct since usenet is just an
> alias. When I run it on the destination mailbox stef...@schaumburger.info
> it returns "stef...@schaumburger.info", again, I think this is correct?
>
>   
>> and 'postmap -q use...@schaumburger.info
>> mysql:/etc/postfix/mysql_virtual_alias_maps.cf'
>> return?
>> 
>
> That gives "schaumburger.info/steffen/Maildir/"
> The absolute path to the folder is
> "/var/mail/schaumburger.info/steffen/Maildir/" so I think the result is
> correct?
When virtual_transport != virtual (the default), the result of a
virtual_mailbox_map is ignored for the purpose of storage.
Does a mail sent to stef...@schaumburger.info succeed?

Also, show the (non-verbose) log lines for a transaction from the
server, not the client.

Brian



Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread Steffen Schaumburg
Sorry I got those outputs mixed up and apologies for spamming the list but
I didn't want to mix my replies to different mails all into one mail to
avoid confusion. Anyways here's the correct outputs:

"postmap -q use...@schaumburger.info
mysql:/etc/postfix/mysql_virtual_alias_maps.cf" gives
"stef...@schaumburger.info"

"postmap -q use...@schaumburger.info
mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf" gives nothing (usenet is
just an alias though)

"postmap -q stef...@schaumburger.info
mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf" gives
"schaumburger.info/steffen/Maildir/"

Finally I also tried "postmap -q schaumburger.info
mysql:/etc/postfix/mysql_virtual_domain_maps.cf" and that gives
"schaumburger.info"

All correct I think?




Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread Steffen Schaumburg
>>>> Thanks for the quick response and sorry I missed that. Here's the output
>>>> from postfinger-1.30 without parameters:
>>>> --System Parameters--
>>>> mail_version = 2.5.6
>>>> hostname = davserver
>>>> uname = Linux davserver 2.6.28-gentoo-r4 #1 SMP Thu Mar 19 22:24:29 GMT
>>>> 2009 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz GenuineIntel GNU/Linux
>>>>
>>>> --Packaging information--
>>>>
>>>> --main.cf non-default parameters--
>>>> smtpd_client_restrictions = permit_inet_interfaces, permit_mynetworks,
>>>> permit_sasl_authenticated, permit
>>>>
>>> This has no purpose.. permit, permit, permit, permit.
>>>
>>
>> Cheers, I'll add a note to my todo list to change this and update the wiki
>> howto that I used - in the meantime - since it's all permits - it shouldn't
>> cause the problem, right?
> 
> Problems? No.
> I've been changing the wiki too so others do not ask.

Thanks

>>>> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
>>>> virtual_mailbox_base = /var/mail
>>>> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
>>>> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
>>>> virtual_transport = dovecot
>>>>
>>> What does 'postmap -q use...@schaumburger.info
>>> mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf'
>>>
>>
>> This returns nothing, which I think is correct since usenet is just an
>> alias. When I run it on the destination mailbox stef...@schaumburger.info
>> it returns "stef...@schaumburger.info", again, I think this is correct?
>>
>>   
>>> and 'postmap -q use...@schaumburger.info
>>> mysql:/etc/postfix/mysql_virtual_alias_maps.cf'
>>> return?
>>> 
>>
>> That gives "schaumburger.info/steffen/Maildir/"
>> The absolute path to the folder is
>> "/var/mail/schaumburger.info/steffen/Maildir/" so I think the result is
>> correct?
> When virtual_transport != virtual (the default), the result of a
> virtual_mailbox_map is ignored for the purpose of storage.
> Does a mail sent to stef...@schaumburger.info succeed?

No. I tried from this address (using roundcube webmail which simply says
"failed") as well as via SMTP on the server itself (ie. SMTP to
schaumburger.info to send a mail to stef...@schaumburger.info, gives the
error message that I posted). The folders do exist on the hard drive and
IMAP as well as POP3 access to them works.

> Also, show the (non-verbose) log lines for a transaction from the
> server, not the client.

The only thing postfix put in my log is the startup:
Mar 27 13:46:40 davserver postfix/postfix-script[24448]: starting the
Postfix mail system
Mar 27 13:46:40 davserver postfix/master[24449]: daemon started -- version
2.5.6, configuration /etc/postfix

I know you said non-verbose, but since the above was useless I tried
activating verbose for all lines in master.cf (except the dovecot one) but
the log still says nothing about my attempt to send a mail?? I did double
check my thunderbird config, and it does use schaumburger.info as SMTP
server - I'm really confused now :(

Cheers, Steffen



Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread Brian Evans - Postfix List
Steffen Schaumburg wrote:
>> Does a mail sent to stef...@schaumburger.info succeed?
>> 
>
> No. I tried from this address (using roundcube webmail which simply says
> "failed") as well as via SMTP on the server itself (ie. SMTP to
> schaumburger.info to send a mail to stef...@schaumburger.info, gives the
> error message that I posted). The folders do exist on the hard drive and
> IMAP as well as POP3 access to them works.
>
>   
>> Also, show the (non-verbose) log lines for a transaction from the
>> server, not the client.
>> 
>
> The only thing postfix put in my log is the startup:
> Mar 27 13:46:40 davserver postfix/postfix-script[24448]: starting the
> Postfix mail system
> Mar 27 13:46:40 davserver postfix/master[24449]: daemon started -- version
> 2.5.6, configuration /etc/postfix
>
> I know you said non-verbose, but since the above was useless I tried
> activating verbose for all lines in master.cf (except the dovecot one) but
> the log still says nothing about my attempt to send a mail?? I did double
> check my thunderbird config, and it does use schaumburger.info as SMTP
> server - I'm really confused now :(
If Postfix does not log a connect, then Postfix is not receiving one.

When you telnet to your mail server, what is the banner response?
grkni...@mx1 ~ $ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mx1.scent-team.com ESMTP Postfix


Try this from both localhost and where you're attempting to send the
mail from.

You did not change the banner (from the postfinger) so it should read
similar to mine with Postfix at the end.

Brian


Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread Steffen Schaumburg
>> The only thing postfix put in my log is the startup:
>> Mar 27 13:46:40 davserver postfix/postfix-script[24448]: starting the
>> Postfix mail system
>> Mar 27 13:46:40 davserver postfix/master[24449]: daemon started --
> version
>> 2.5.6, configuration /etc/postfix
>>
>> I know you said non-verbose, but since the above was useless I tried
>> activating verbose for all lines in master.cf (except the dovecot one)
> but
>> the log still says nothing about my attempt to send a mail?? I did
> double
>> check my thunderbird config, and it does use schaumburger.info as SMTP
>> server - I'm really confused now :(
> If Postfix does not log a connect, then Postfix is not receiving one.

But then how can thunderbird give the error message about the virtual
mailbox table?

> When you telnet to your mail server, what is the banner response?
> grkni...@mx1 ~ $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mx1.scent-team.com ESMTP Postfix
> 
> 
> Try this from both localhost and where you're attempting to send the
> mail from.

Tried, and that did produce log messages. Very very verbose lol.
So I removed the verboseness again and tried telnet again and it connected.

Now comes the weird part - now suddenly it works.
The only things that changed:
- I reinstalled (remerged) mysql with debug on (but haven't restarted since
so I don't think that's what fixed it)
- I installed telnet-bsd. I just tried removing it again and it still works
so that shouldn't be it.
- I had started a reinstall of everything, but aborted it after a few
packages.

So my best guess is that somewhere during install it had screwed up. I
don't understand why - I did update glibc, but I did also reinstall
everything after that so I really don't see why reinstalling now should've
suddenly fixed things.
Very, very, very weird. In any case, thanks for all your help, I'd put this
down to freak install problem potentially due to updating core libraries
and/or GCC. I don't think it'd be possible to reproduce this error so I
don't think it's possible to investigate the root cause. Personally I'm
prepared to put this away into the "unexplained mysteries" shelf unless
someone would like to take it further.

So thanks again - you guys give MUCH better support than certain commercial
mail server developers that I had to deal with at work ;)
Steffen



check_sender_access SQL Query

2009-03-27 Thread JohnD
Hi,

I have been running Postfix 2.5.x on a linux server using virtual
domains with PostgreSQL for a while now and I've just implemented a
basic check_sender_access policy using a hash.  Everything works fine,
but now I would like to convert this to an SQL statement and store the
data in the database.

I've looked through both [1] and [2] but am uncertain as to what the
appropriate query, and table structure, need to be:

[1] http://www.postfix.org/pgsql_table.5.html
[2] http://www.postfix.org/postconf.5.html#smtpd_client_restrictions

Can someone point me to any documentation to assist me?

Thank you,
John


Re: check_sender_access SQL Query

2009-03-27 Thread Brian Evans - Postfix List
JohnD wrote:
> Hi,
>
> I have been running Postfix 2.5.x on a linux server using virtual
> domains with PostgreSQL for a while now and I've just implemented a
> basic check_sender_access policy using a hash.  Everything works fine,
> but now I would like to convert this to an SQL statement and store the
> data in the database.
>
> I've looked through both [1] and [2] but am uncertain as to what the
> appropriate query, and table structure, need to be:
>
> [1] 
> http://www.postfix.org/pgsql_table.5.html
> [2] http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
>
> Can someone point me to any documentation to assist me?
>

Use the Email Address Patterns for the lookup key sequence in
http://www.postfix.org/access.5.html and apply that to the pgsql_table
document.
A check sender access will always reference the MAIL FROM given to Postfix.

It is up to you and your needs as to what the table will contain and its
structure.

Brian
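
One way to wire this up, as an added sketch that is not from the thread: the table name `sender_access`, its columns, the file path and the credentials are assumptions, while the `.cf` parameter names are those documented in pgsql_table(5).

```cfg
# /etc/postfix/main.cf
smtpd_sender_restrictions =
    check_sender_access pgsql:/etc/postfix/pgsql-sender-access.cf

# /etc/postfix/pgsql-sender-access.cf   (parameters from pgsql_table(5))
hosts = localhost
user = postfix
password = CHANGE_ME
dbname = mail
# %s is replaced by each lookup key Postfix tries, one query per key.
# The first key that returns a row decides the result.
query = SELECT action FROM sender_access WHERE pattern = '%s'

# Hypothetical table behind the query:
#   CREATE TABLE sender_access (
#       pattern text PRIMARY KEY,  -- lookup key, stored as Postfix sends it
#       action  text NOT NULL      -- access(5) result such as REJECT or OK
#   );
#
# For MAIL FROM:<bob@mail.example.org> the keys follow the access(5)
# "email address patterns" order:
#   bob@mail.example.org    the full address
#   mail.example.org        the domain part
#   parent domains          written example.org or .example.org, depending
#                           on parent_domain_matches_subdomains
#   bob@                    the local part alone
#
# Sample rows (constructed):
#   INSERT INTO sender_access VALUES ('spammer@example.org', 'REJECT');
#   INSERT INTO sender_access VALUES ('bad.example',         'REJECT');
```

`postmap -q "bad.example" pgsql:/etc/postfix/pgsql-sender-access.cf` tests one key at a time; it sends exactly the key given and does not walk the key sequence above.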


Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread James A R Brown
Hi Steffen,

The following are links I did use before to create a
postfix.dovecot.mysql system, but on Fedora, but maybe some help.

http://wiki.rbcollins.net/index.php/Postfix_backend_server#Postfix.2BMySQL.2BDovecot.2BSquirrelMail.2BSpamAssassin.2BAmavisd-new.2BClamAV_on_Fedora_Core_5|RB

http://happystoddards.com/neildocs/index.php/Fedora_Core_6_Postfix_Smart-hosting_with_SASL_and_MySQL#Install_Postfix_with_SASL_and_MySQL_Support

And these are our own config files in case we had a server failure, I
could not afford the time to relearn what I did ;)

http://wiki.enrogen.org/index.php/Setup_MailServer

Please note some of the data has been tweaked, some is outdated. I am
just about to update our info following a recent upgrade to F10... so
maybe a few weeks and newer build info will be here.

I will try to update this info this weekend. If you need me to dump some
sql table structures, config files and so on, just drop a mail..
probably directly so I pickup on it.

James




On Fri, 2009-03-27 at 15:40 +0100, Steffen Schaumburg wrote:
> >> The only thing postfix put in my log is the startup:
> >> Mar 27 13:46:40 davserver postfix/postfix-script[24448]: starting the
> >> Postfix mail system
> >> Mar 27 13:46:40 davserver postfix/master[24449]: daemon started --
> > version
> >> 2.5.6, configuration /etc/postfix
> >>
> >> I know you said non-verbose, but since the above was useless I tried
> >> activating verbose for all lines in master.cf (except the dovecot one)
> > but
> >> the log still says nothing about my attempt to send a mail?? I did
> > double
> >> check my thunderbird config, and it does use schaumburger.info as SMTP
> >> server - I'm really confused now :(
> > If Postfix does not log a connect, then Postfix is not receiving one.
> 
> But then how can thunderbird give the error message about the virtual
> mailbox table?
> 
> > When you telnet to your mail server, what is the banner response?
> > grkni...@mx1 ~ $ telnet localhost 25
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 mx1.scent-team.com ESMTP Postfix
> > 
> > 
> > Try this from both localhost and where you're attempting to send the
> > mail from.
> 
> Tried, and that did produce log messages. Very very verbose lol.
> So I removed the verboseness again and tried telnet again and it connected.
> 
> Now comes the weird part - now suddenly it works.
> The only things that changed:
> - I reinstalled (remerged) mysql with debug on (but haven't restarted since
> so I don't think that's what fixed it)
> - I installed telnet-bsd. I just tried removing it again and it still works
> so that shouldn't be it.
> - I had started a reinstall of everything, but aborted it after a few
> packages.
> 
> So my best guess is that somewhere during install it had screwed up. I
> don't understand why - I did update glibc, but I did also reinstall
> everything after that so I really don't see why reinstalling now should've
> suddenly fixed things.
> Very, very, very weird. In any case, thanks for all your help, I'd put this
> down to freak install problem potentially due to updating core libraries
> and/or GCC. I don't think it'd be possible to reproduce this error so I
> don't think it's possible to investigate the root cause. Personally I'm
> prepared to put this away into the "unexplained mysteries" shelf unless
> someone would like to take it further.
> 
> So thanks again - you guys give MUCH better support than certain commercial
> mail server developers that I had to deal with at work ;)
> Steffen
> 



Re: my mailserver has been blacklisted

2009-03-27 Thread Noel Jones

Charles Marcus wrote:
> On 3/26/2009, Noel Jones (njo...@megan.vbhcs.org) wrote:
>> (A better design is to have a separate IP for "official" mail and
>> another IP used for client internet access.  Then client misbehavior
>> doesn't affect the mail system.  of course that means you must have
>> more than one IP...)
>
> I like this idea, but, how effective would it be if the two IPs were
> neighbors? E.g., two consecutive IPs on the same net block?

YMMV ... depends on the blacklist.  The "widely used" lists
seem to just list single IPs or sometimes registered netblocks
for the more obvious professional spammers.

But I have had trouble with some less-used lists when a
"neighbor" (unrelated business in the same /24) got
blacklisted for backscatter.

  -- Noel Jones


Re: postmaster@ and spam

2009-03-27 Thread LuKreme

On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
> On Thu, 26 Mar 2009, LuKreme wrote:
>
>> I have in my postfix helo checks, perhaps a bad idea,
>>
>> [some checks up here that reject]
>> /^postmaster\@/ OK
>> /^abuse\@/  OK
>
> Why do these email address patterns appear in a HELO access(5) map?

Because 9 years ago or so it is what I was told to do.  On this list,
I'm pretty sure.


--
...but the senator, while insisting he was not intoxicated,
could not explain his nudity.



Re: postmaster@ and spam

2009-03-27 Thread Ralf Hildebrandt
* LuKreme :
> On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
>> On Thu, 26 Mar 2009, LuKreme wrote:
>>
>>> I have in my postfix helo checks, perhaps a bad idea,
>>>
>>> [some checks up here that reject]
>>> /^postmaster\@/ OK
>>> /^abuse\@/  OK
>>
>> Why do these email address patterns appear in a HELO access(5) map?
>
> Because 9 years ago or so it is what I was told to do.  On this list, I'm 
> pretty sure.

In HELO?

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
This is the crucial difference between fiction and real life: fiction
must be plausible; real life has no such constraint.   -- Kevin Kelly


Re: spam check only local destinations

2009-03-27 Thread Georgy Goshin
I just thought that there is a way to pass message to filter right before
passing it to mailbox_command, deliver in my case.


D.


1- if it's ok to filter mail if one of the recipients is local
(even though other recipients may belong to other domains), you can use
check_recipient_access:

content_filter =

smtpd_sender_restrictions =
    check_recipient_access hash:/etc/postfix/filter

== filter:
example.com FILTER spamfilter:nexthop

2- otherwise, you need multiple postfix instance (run postfix twice) and
use transport_maps instead of content_filter.

In (1), a multi-recipient message is not split into local and relay
copies. it's passed to the filter as soon as one of the recipients is
local (is *...@example.com).

In (2), the message is split: one copy is sent to "local" users after
filtering. another copy is relayed without filtering.






Re: Piping /etc/aliases to newaliases

2009-03-27 Thread LuKreme

On 26-Mar-2009, at 18:23, Bryce Nesbitt wrote:
> Would anyone else appreciate end of line comments, as an extension to
> /etc/aliases and *.pcre?  What character should introduce such
> comments?

Actually?  No.  I find end-of-line comments to be far more trouble
than they are worth.


# 20090101 requested by fumble
foo: fum

# 2009013 #AZ-12313
fiddle: fee, fie, foo

I find that format much better, both in terms of readability (the  
comment about the source of the change comes first, and the date is  
first in that) and maintainability. For example:


# 20090101 requested by fumble
foo: fum
# 20090107
bar: car
# 20090219
oscar: oskar

# 20090113 #AZ-12313
fiddle: fee, fie, foo

Well, now I know all those requests were from fumble.

There are very few cases when end-of-line comments are really useful,  
and this is not one of them.



--
Can't stop the signal



Re: postmaster@ and spam

2009-03-27 Thread LuKreme

On 27-Mar-2009, at 09:57, Ralf Hildebrandt wrote:
> * LuKreme :
>> On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
>>> On Thu, 26 Mar 2009, LuKreme wrote:
>>>
>>>> I have in my postfix helo checks, perhaps a bad idea,
>>>>
>>>> [some checks up here that reject]
>>>> /^postmaster\@/ OK
>>>> /^abuse\@/  OK
>>>
>>> Why do these email address patterns appear in a HELO access(5) map?
>>
>> Because 9 years ago or so it is what I was told to do.  On this list,
>> I'm pretty sure.
>
> In HELO?

Doesn't sound right, does it.  Did helo checks used to apply to the
entire pre-DATA part of the transaction?



--
When the routine bites hard / and ambitions are low
And the resentment rides high / but emotions won't grow
And we're changing our ways, / taking different roads
Then love, love will tear us apart again



Re: Postfix denies relays when sending from Eudora

2009-03-27 Thread Asai

Magnus Bäck wrote:
> On Thursday, March 26, 2009 at 21:48 CET,
>      Asai wrote:
>
>> From /var/log/maillog, one example of the problem:
>>
>> Mar 26 11:58:18 triata postfix/smtpd[25357]: NOQUEUE: reject: RCPT from
>> unknown[63.229.177.226]: 554 5.7.1 : Relay access
>> denied; from= to=
>> proto=ESMTP helo=
>
> The connecting client has not authenticated and/or is not listed in
> mynetworks.
>
> http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from

Thank you all.  I was able to solve it by adding the IP to mynetworks.

--
asai



Re: postmaster@ and spam

2009-03-27 Thread Sahil Tandon

On Mar 27, 2009, at 12:18 PM, LuKreme wrote:

> On 27-Mar-2009, at 09:57, Ralf Hildebrandt wrote:
>> * LuKreme :
>>> On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
>>>> On Thu, 26 Mar 2009, LuKreme wrote:
>>>>
>>>>> I have in my postfix helo checks, perhaps a bad idea,
>>>>>
>>>>> [some checks up here that reject]
>>>>> /^postmaster\@/ OK
>>>>> /^abuse\@/  OK
>>>>
>>>> Why do these email address patterns appear in a HELO access(5) map?
>>>
>>> Because 9 years ago or so it is what I was told to do.  On this list,
>>> I'm pretty sure.
>>
>> In HELO?
>
> Doesn't sound right, does it.  Did helo checks used to apply to the
> entire pre-DATA part of the transaction?

There are scenarios in which non HELO checks can be placed under
smtpd_helo_restrictions, but in your case you explicitly call
check_helo_access and then reference a map with email address patterns
on the LHS.  Don't believe everything you read on the list, or at
least confirm it with the documentation.


--
Sahil Tandon 


Order of SMTP_*_restrictions.

2009-03-27 Thread KLaM Postmaster
Is there a readme or other document that outlines an optimal order
for smtp_*_restrictions.
TIA
JLA


Order of SMTP_*_restrictions.

2009-03-27 Thread KLaM Postmaster
Is there a readme or other document that outlines an optimal order
for smtp_*_restrictions.


Sorry, I should have been a little more specific, I am talking about the
order of the parameters within a class of restriction (eg.
smtp_recipient_restrictions), not the order of the restriction classes.
once again
TIA
JLA


Re: Order of SMTP_*_restrictions.

2009-03-27 Thread Brian Evans - Postfix List
KLaM Postmaster wrote:
> Is there a readme or other document that outlines an optimal order
> for smtp_*_restrictions.
> TIA
> JLA
>   
http://www.postfix.org/SMTPD_ACCESS_README.html#lists


Re: Order of SMTP_*_restrictions.

2009-03-27 Thread Brian Evans - Postfix List
KLaM Postmaster wrote:
> Is there a readme or other document that outlines an optimal order
> for smtp_*_restrictions.
>
>
> Sorry, I should have been a little more specific, I am talking about the
> order of the parameters within a class of restriction (eg.
> smtp_recipient_restrictions), not the order of the restriction classes.
> once again
> TIA
> JLA
>   
That is totally up to what you want to accomplish.

The first match will trigger Postfix into action.

The only danger is described best here. 
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

Brian


Re: Order of SMTP_*_restrictions.

2009-03-27 Thread Sahil Tandon

On Mar 27, 2009, at 1:32 PM, KLaM Postmaster wrote:

> Is there a readme or other document that outlines an optimal order
> for smtp_*_restrictions.
>
> Sorry, I should have been a little more specific, I am talking about
> the order of the parameters within a class of restriction (eg.
> smtp_recipient_restrictions), not the order of the restriction
> classes.

Your question is a bit vague.  The optimal order depends on your
particular environment and requirements.  Start with the
SMTPD_ACCESS_README.


Re: Clustering

2009-03-27 Thread Jose Perez
Hi:

On Thu, Mar 26, 2009 at 6:05 PM, Wietse Venema  wrote:
> carconni:
>> Hi,
>>
>> I've been digging around and I haven't been able to find what I'm
>> really looking for so I thought I'd go straight to the ones "who know".
>>
>> Can Postfix be run in a clustered environment (ie: multiple servers
>> running postfix utilizing one data store) under any OS?
>
> Each Postfix instance must have its own config_directory,
> queue_directory and data_directory. These cannot be shared.
>

So how can I make sure that a queue file (stored in one node of a
cluster) it will be managed by another postfix instance (running in a
different node of a cluster)?

I thought that using DRBD (network mirrored data) over the postfix
queue directory would be the solution but apparently I'm wrong...

>> I know NFS is not really recommended - is there any alternative?
>
> For support statement, see http://www.postfix.org/NFS_README.html
>
>        Wietse
>


Re: Clustering

2009-03-27 Thread Wietse Venema
Jose Perez:
> Hi:
> 
> On Thu, Mar 26, 2009 at 6:05 PM, Wietse Venema  wrote:
> > carconni:
> >> Hi,
> >>
> >> I've been digging around and I haven't been able to find what I'm
> >> really looking for so I thought I'd go straight to the ones "who know".
> >>
> >> Can Postfix be run in a clustered environment (ie: multiple servers
> >> running postfix utilizing one data store) under any OS?
> >
> > Each Postfix instance must have its own config_directory,
> > queue_directory and data_directory. These cannot be shared.
> 
> So how can I make sure that a queue file (stored in one node of a
> cluster) it will be managed by another postfix instance (running in a
> different node of a cluster)?

I don't have to solve that problem.  

You can use any file/disk sharing mechanism as long as there is no
simultaneous access to queue_directory and data_directory, and as
long as the sharing mechanism respects the RFC 5321 transaction
requirement:

Once the MTA replies with 2XX to END-OF-DATA, mail must not
disappear just because of some crash or power failure.

Thus, running rsync from one disk to another does not qualify,
because there is a time window where a file exists only in one
place.

Wietse

> I thought that using DRBD (network mirrored data) over the postfix
> queue directory would be the solution but apparently I'm wrong...
> 
> >> I know NFS is not really recommended - is there any alternative?
> >
> > For support statement, see http://www.postfix.org/NFS_README.html


Re: Clustering

2009-03-27 Thread Wietse Venema
Wietse Venema:
> Jose Perez:
> > Hi:
> > 
> > On Thu, Mar 26, 2009 at 6:05 PM, Wietse Venema  wrote:
> > > carconni:
> > >> Hi,
> > >>
> > >> I've been digging around and I haven't been able to find what I'm
> > >> really looking for so I thought I'd go straight to the ones "who know".
> > >>
> > >> Can Postfix be run in a clustered environment (ie: multiple servers
> > >> running postfix utilizing one data store) under any OS?
> > >
> > > Each Postfix instance must have its own config_directory,
> > > queue_directory and data_directory. These cannot be shared.
> > 
> > So how can I make sure that a queue file (stored in one node of a
> > cluster) it will be managed by another postfix instance (running in a
> > different node of a cluster)?
> 
> I don't have to solve that problem.  
> 
> You can use any file/disk sharing mechanism as long as there is no
> simultaneous access to queue_directory and data_directory, and as
> long as the sharing mechanism respects the RFC 5321 transaction
> requirement:
> 
> Once the MTA replies with 2XX to END-OF-DATA, mail must not
> disappear just because of some crash or power failure.

In terms of system implementations, this means that fsync() must
not return until the queue file's data and metadata are stored on
the disk (or on their way to the disk, in battery-backed buffers).

> Thus, running rsync from one disk to another does not qualify,
> because there is a time window where a file exists only in one
> place.

I mention rsync here because it is an example where replication
happens after fsync(), resulting in a time window where data
exists in one place but not in the other.

I don't know if DRBD propagates data before fsync() returns, or
whether its updates happen later. If the updates happen later, the
backup may never learn that mail was queued because the update
still sits in the sender's DRBD queue.

NFS does not have this propagation problem, but of course you
need a server with high-quality RAID.

Wietse
 
> > I thought that using DRBD (network mirrored data) over the postfix
> > queue directory would be the solution but apparently I'm wrong...
> > 
> > >> I know NFS is not really recommended - is there any alternative?
> > >
> > > For support statement, see http://www.postfix.org/NFS_README.html
> 
> 



Re: postmaster@ and spam

2009-03-27 Thread mouss
LuKreme wrote:
> On 27-Mar-2009, at 09:57, Ralf Hildebrandt wrote:
>> * LuKreme :
>>> On 26-Mar-2009, at 18:06, Sahil Tandon wrote:
>>>> On Thu, 26 Mar 2009, LuKreme wrote:
>>>>
>>>>> I have in my postfix helo checks, perhaps a bad idea,
>>>>>
>>>>> [some checks up here that reject]
>>>>> /^postmaster\@/ OK
>>>>> /^abuse\@/  OK
>>>>
>>>> Why do these email address patterns appear in a HELO access(5) map?
>>>
>>> Because 9 years ago or so it is what I was told to do.  On this list,
>>> I'm
>>> pretty sure.
>>
>> In HELO?
> 
> Doesn't sound right, does it.  Did helo checks used to apply to the
> entire pre-DATA part of the transaction?
> 
> 

do not confuse smtpd_helo_restrictions and check_helo_access

smtpd_helo_restrictions are a set of checks that may contain many
checks, including permit_sasl_authenticated,
reject_unknown_sender_domain, ... etc.

check_helo_access is ONE check that looks up the HELO/EHLO argument in a
map and applies the decision found in that map.

in short,
check_helo_access whatever
will never do anything with
/^postmaster\@/
except if a silly spammer heloes with "postmas...@something", which I
have never seen (and which is easily blocked by
reject_invalid_helo_hostname anyway).

and by the way, pcre isn't perl. '@' doesn't need to be escaped ('\@'
isn't needed. '@' is ok).
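
The distinction above, as an added configuration sketch that is not from the thread: the file paths, the `example.com` domain and the choice of surrounding checks are assumptions.

```cfg
# /etc/postfix/main.cf
# smtpd_helo_restrictions is a LIST of checks. check_helo_access is ONE
# member of such a list, and its lookup key is the HELO/EHLO argument,
# never an envelope address.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    check_helo_access pcre:/etc/postfix/helo_access.pcre

# Address-keyed rules belong in a check that looks up an address.
# check_recipient_access uses the RCPT TO address as the lookup key.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access pcre:/etc/postfix/recipient_access.pcre,
    reject_unknown_sender_domain

# /etc/postfix/helo_access.pcre
# Patterns are matched against what the client sent after HELO/EHLO.
# example.com stands in for your own domain: a remote client that
# announces itself with your name is lying.
/^(mail\.)?example\.com$/    REJECT You are not me

# /etc/postfix/recipient_access.pcre
# Here the patterns from the thread have something to match. They sit
# after reject_unauth_destination, so OK only skips the checks that
# follow for mail addressed to your own domains. No backslash is needed
# before '@' in a Postfix pcre table.
/^postmaster@/    OK
/^abuse@/         OK
```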




Re: postfix with mysql&dovecot delivery - user unknown in virtual mailbox table

2009-03-27 Thread mouss
Steffen Schaumburg wrote:
>>> The only thing postfix put in my log is the startup:
>>> Mar 27 13:46:40 davserver postfix/postfix-script[24448]: starting the
>>> Postfix mail system
>>> Mar 27 13:46:40 davserver postfix/master[24449]: daemon started --
>> version
>>> 2.5.6, configuration /etc/postfix
>>>
>>> I know you said non-verbose, but since the above was useless I tried
>>> activating verbose for all lines in master.cf (except the dovecot one)
>> but
>>> the log still says nothing about my attempt to send a mail?? I did
>> double
>>> check my thunderbird config, and it does use schaumburger.info as SMTP
>>> server - I'm really confused now :(
>> If Postfix does not log a connect, then Postfix is not receiving one.
> 
> But then how can thunderbird give the error message about the virtual
> mailbox table?
> 

maybe it's talking to another postfix, another smtpd, another system...
etc.

if you can't reproduce the problem with a "telnet", then you'll need to
see where thunderbird is heading.

>> When you telnet to your mail server, what is the banner response?
>> grkni...@mx1 ~ $ telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 mx1.scent-team.com ESMTP Postfix
>>
>>
>> Try this from both localhost and where you're attempting to send the
>> mail from.
> 
> Tried, and that did produce log messages. Very very verbose lol.
> So I removed the verboseness again and tried telnet again and it connected.
> 

beware. don't use the term "connected" so frivolously on list where
many people are tcp/ip versed...

> [snip]



Re: Order of SMTP_*_restrictions.

2009-03-27 Thread mouss
KLaM Postmaster wrote:
> Is there a readme or other document that outlines an optimal order
> for smtp_*_restrictions.
> 
> 
> Sorry, I should have been a little more specific, I am talking about the
> order of the parameters within a class of restriction (eg.
> smtp_recipient_restrictions), not the order of the restriction classes.
> once again


no one size...

there are criteria that you can use. here is a "candidate" list:

- correctness. you want to order your checks so that they match your
access policy. This is the most important criterion. while it is ok to
ignore all the other ones, you can't afford to get this one wrong.

- simplicity: keep your checks simple. this may mean letting some junk
in for the sake of keeping a simple and maintainable configuration. of
course, the junk you let in can be detected by your content filter.

- "precision": when you reject a connection, the sender gets an error
and you see that error in your log. when a transaction can be rejected
because of multiple reasons, it is better if it is rejected by the
"worst" reason. even if you don't care about the sender, it is better to
reject a relay attempt with reject_unauth_destination than with a helo
check. indeed, when you parse/check your logs, you don't need to wonder
if a relay attempt is a false positive...

- performances: This is only meaningful for sites that get a lot of mail
and spam. it is meaningless without measurement. if applicable, then you
should run cheap tests before expensive ones. for example,
reject_invalid_helo_hostname is cheaper than check_foo_access, which is
cheaper than reject_unknown_sender_domain.

comments, suggestions, ... welcome.
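
An added illustration of the correctness, precision and performance criteria (not from the thread; the map path and the `partner.example` entry are assumptions). Variant A shows the ordering mistake that the SMTPD_ACCESS_README "danger" section linked earlier in this thread warns about; variant B is one corrected ordering, not the only valid one.

```cfg
# /etc/postfix/main.cf -- variant A (wrong order)
# An access map that can return OK runs before reject_unauth_destination.
# The first match wins, so a client whose MAIL FROM matches an OK entry
# is permitted for every recipient and the relay check is never reached.
# MAIL FROM is supplied by the client and proves nothing about it.
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_destination

# /etc/postfix/sender_access (constructed entry)
#   partner.example    OK

# /etc/postfix/main.cf -- variant B (corrected order)
# 1. Trusted clients are permitted first.
# 2. reject_unauth_destination comes before anything that can say OK,
#    so relay attempts are logged as "Relay access denied" and not as
#    some unrelated helo or sender rejection.
# 3. Cheap syntax check, then the map lookup, then the DNS lookup.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unknown_sender_domain

# Postfix 2.10 and later also evaluate smtpd_relay_restrictions, which
# limits the damage of variant A; the 2.5.x systems discussed in this
# archive rely on smtpd_recipient_restrictions alone.
```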


Re: unusual access requirement

2009-03-27 Thread Terry Carmen

Res wrote:
> Hi,
>
> I have an internal requirement to deny access to an email address,
> which I'd like to do via access, however, we'd also like to accept
> that message for storage somewhere, I was thinking of the access BCC
> method, but then I need to also send a 5xx message in their connect
> transaction, I know this is a contradiction of the way SMTP works :)
> but is it possible with postfix or do we need an alternative method, I
> know milters work like this for scanners etc, so I was hoping someone's
> done similar or knows of a milter that can do this?

What do you mean by "deny access"?

Are you trying to stop internal users from sending mail using a certain
email address as the sender or reject incoming mail that lists that
email address as a recipient (a distribution list, for example)?

Terry




Re: unusual access requirement

2009-03-27 Thread Terry Carmen

Res wrote:
> Hi Terry,
>
> On Fri, 27 Mar 2009, Terry Carmen wrote:
>
>>> I have an internal requirement to deny access to an email address,
>>> which I'd like to do via access, however, we'd also like to accept
>>> that message for storage somewhere, I was thinking of the access BCC
>>> method, but then I need to also send a 5xx message in their connect
>>> transaction, I know this
>>
>> What do you mean by "deny access"?
>
> Let's say user is f...@example.com ... and I'm example.net
>
> when f...@example.com SMTP connects to our SMTP, I want the message
> "secretly accepted" (for lack of a better term) but then I want our
> SMTP to, after accepting, return: 550 service unavailable in their
> transaction, just as if we had set in access: f...@example.com REJECT
> ..to avoid accepting then generating backscatter bounce message which
> is what I can do now in 5 seconds, but I'm trying to avoid that despite
> f...@example.com being a real address that someone reads.

You want to accept the message, deliver it to the recipient and still
return a 550?


I'm not sure why anybody would want this, but AFAIK, you can't do it 
without modifying postfix or writing a filter.


Terry