Re: Mails stuck in incoming queue

2009-05-07 Thread Victor Duchovni
On Thu, May 07, 2009 at 10:16:51AM +0530, ram wrote:

> > The "pickup" process is not responsible for moving mail out of the
> > "incoming" queue. If mail is stuck in "maildrop", then debug "pickup".
> > 
> > http://www.postfix.org/QSHAPE_README.html#queues
> 
> Sorry,  I had not fully read the architecture. If mails are coming from
> a remote host , they go first into incoming and then put into active. 
> 
> In my case the incoming directory keeps increasing in size( and number
> of files)  and the active directory is empty
> 
> Why are the mails not put into active ?

Well, I did spend a good chunk of time writing the document:

http://www.postfix.org/QSHAPE_README.html#incoming

 The queue manager scans the incoming queue bringing any new mail into
 the "active" queue if the active queue resource limits have not been
 exceeded. By default, the active queue accommodates at most 2
 messages. Once the active queue message limit is reached, the queue
 manager stops scanning the incoming (and deferred, see below) queue.

 Under normal conditions the incoming queue is nearly empty (has
 only mode 0600 files), with the queue manager able to import new
 messages into the active queue as soon as they become available.

 The incoming queue grows when the message input rate spikes above
 the rate at which the queue manager can import messages into the
 active queue. The main factors slowing down the queue manager are
 disk I/O and lookup queries to the trivial-rewrite service. If
 the queue manager is routinely not keeping up, consider not using
 "slow" lookup services (MySQL, LDAP, ...) for transport lookups
 or speeding up the hosts that provide the lookup service. If the
 problem is I/O starvation, consider striping the queue over more
 disks, faster controllers with a battery write cache, or other
 hardware improvements. At the very least, make sure that the queue
 directory is mounted with the "noatime" option if applicable to
 the underlying filesystem.

If the files are mode 0700, and the active queue is not full, your queue
manager is not doing its job at all, or is totally starved of disk I/O
or is stuck waiting for trivial-rewrite to perform table lookups.

One possibility not mentioned in QSHAPE_README, is qmgr(8) DoS via a slow
syslogd(8) on a Linux system with an incorrectly defined "mail" facility
log file (uses /path not -/path). This would probably be the best guess
here.

http://www.postfix.org/BASIC_CONFIGURATION_README.html#syslog_howto
http://www.postfix.org/LINUX_README.html

It is fundamentally the same as the disk-starvation, only the cause is
more indirect, because syslogd is starved for disk, and qmgr is blocked
waiting for syslogd. As with direct disk I/O starvation, a single qmgr(8)
is competing against lots of smtpd(8) and cleanup(8) processes, so can't
possibly keep up.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
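
The two checks suggested in the reply above (a "mail" facility log file written as /path rather than -/path, and mode 0700 files piling up in "incoming") can be scripted. This is an added example, not part of the original post or of Postfix; the syslog.conf sample is constructed and assumes classic sysklogd selector syntax.

```python
"""Lint syslog.conf for synchronous mail logs and count queue files by mode."""
import os
import stat
from collections import Counter

# Constructed sample in classic sysklogd syntax (not taken from the thread).
SAMPLE_SYSLOG_CONF = """\
*.info;mail.none;authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
mail.*                              /var/log/maillog
mail.err                            -/var/log/mail.err
*.emerg                             *
kern,mail.warning                   /var/log/warn
"""


def selector_matches_mail(selector_field):
    """True if a ';'-separated selector list ends up selecting facility 'mail'."""
    selected = False
    for selector in selector_field.split(";"):
        facilities, _, priority = selector.partition(".")
        names = [f.strip().lower() for f in facilities.split(",")]
        if "mail" not in names and "*" not in names:
            continue
        # Selectors are applied left to right: "mail.none" cancels "*.info".
        selected = priority.strip().lower() != "none"
    return selected


def sync_mail_logs(conf_text):
    """Return [(line_number, path)] for mail log files written synchronously."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selector_field, action = parts[0], parts[1].strip()
        # "-/path" is the asynchronous form; "*", "@host" and "|pipe" are not files.
        if not action.startswith("/") or action.startswith("/dev/"):
            continue
        if selector_matches_mail(selector_field):
            findings.append((lineno, action))
    return findings


def queue_file_modes(queue_dir):
    """Count regular files below a queue directory by permission bits.

    Many 0o700 files in "incoming" while "active" is not full is the symptom
    described in the reply above.
    """
    modes = Counter()
    for root, _dirs, files in os.walk(queue_dir):
        for name in files:
            st = os.lstat(os.path.join(root, name))
            if stat.S_ISREG(st.st_mode):
                modes[stat.S_IMODE(st.st_mode)] += 1
    return modes


if __name__ == "__main__":
    for lineno, path in sync_mail_logs(SAMPLE_SYSLOG_CONF):
        print(f"line {lineno}: {path} is written synchronously; use -{path}")
```
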


Re: Postfix 2.6.0-RC3 and 2.7-20090428 available

2009-05-07 Thread Victor Duchovni
On Wed, May 06, 2009 at 03:26:50PM -0700, Quanah Gibson-Mount wrote:

> --On Wednesday, April 29, 2009 8:40 AM -0400 Wietse Venema 
>  wrote:
>
>> Postfix 2.6 stable release candidate 3 is available. If this has
>> no problems, then Postfix 2.6.0 will happen soon. The same code is
>> also available as Postfix 2.7 experimental release 20090428.
>
> Although the download link is correct, the text is wrong:
>
> Postfix 2.6.0 stable release candidate 2
>
> rather than
>
> Postfix 2.6.0 stable release candidate 3
>
> 
>
> A random sampling of mirrors around the world showed this.

No, in fact RC3 is right one.

-- 
Viktor.



Re: Postfix 2.6.0-RC3 and 2.7-20090428 available

2009-05-07 Thread Bill Landry
Victor Duchovni wrote:
> On Wed, May 06, 2009 at 03:26:50PM -0700, Quanah Gibson-Mount wrote:
> 
>> --On Wednesday, April 29, 2009 8:40 AM -0400 Wietse Venema 
>>  wrote:
>>
>>> Postfix 2.6 stable release candidate 3 is available. If this has
>>> no problems, then Postfix 2.6.0 will happen soon. The same code is
>>> also available as Postfix 2.7 experimental release 20090428.
>> Although the download link is correct, the text is wrong:
>>
>> Postfix 2.6.0 stable release candidate 2
>>
>> rather than
>>
>> Postfix 2.6.0 stable release candidate 3
>>
>> 
>>
>> A random sampling of mirrors around the world showed this.
> 
> No, in fact RC3 is right one.

ftp://ftp.porcupine.org/mirrors/postfix-release/index.html

Shows:

Postfix 2.6.0 stable release candidate 2 Source code | PGP signature |
Release notes | Change log

Note that the text says: "release candidate 2".  However, mouse over the
"Source code" link and it points to:

ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.6.0-RC3.tar.gz

Which correctly points to the latest update, RC3.  Quanah was simply
pointing out the mismatch between what it says and what it is.

Bill


Redundant relayhost

2009-05-07 Thread albertvd

Hello,

In our office we have a Postfix server which takes care of delivering email  
inside and outside the office. For Internet mail it relays mail through the  
ISP SMTP server. For this the relayhost parameter has been set to  
relayhost=smtp.isp.tld.


We have a redundant Internet connection with the primary using ADSL and the  
secondary using HSDPA. Both uses dynamic IP and due to this a lot of  
legitimate mail is bounced as it is being sent from a dynamic IP host -  
therefore the use of relayhost. The two Internet links are provided by two  
different service providers and subsequently two different networks. The  
ISP SMTP servers only relay for hosts connected to their respective  
networks.


From time to time it happens that the ADSL link fails. An automatic switch  
over happens to the HSDPA network but at that point no Internet mail is  
delivered any more as the ADSL ISP bounces the mail indicating relay denied.


Is there a way of configuring Postfix to use two relayhosts. If the first  
fails (cannot connect or bounce) then the second is tried automatically?


Thanks,

Albert


Re: Question re: blocking unwanted senders

2009-05-07 Thread Charles Marcus
On 5/6/2009 10:45 PM, Sahil Tandon wrote:
> Show entire output instead of snippets via grep.

Sorry... I didn't provide the full output because this config has been
vetted here before, and this specific config weakness that was exploited
had already been pointed out, but obviously you don't know that and I
should have provided it anyway, sorry...

myhost ~ # postconf -n
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_size_limit = 1
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 15m
home_mailbox = .maildir/
message_size_limit = 5120
mydomain = media-brokers.com
myhostname = smtp.media-brokers.com
mynetworks = 127.0.0.0/8 192.168.1.32
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_domains =
relayhost = [post18.emailfiltering.com]
smtp_fallback_relay = [smtp.nuvox.net]
smtpd_hard_error_limit = 3
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/moved-employees,  permit_mynetworks,
permit_sasl_authenticated,  reject_unauth_destination,
check_client_access cidr:/etc/postfix/allowed_clients.cidr,
check_recipient_access hash:/etc/postfix/x-employees,
check_sender_access hash:/etc/postfix/blocked_senders,
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/wildcard.crt
smtpd_tls_key_file = /etc/ssl/wildcard.key
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_vam.cf,
hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_vmd.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_vmm.cf
virtual_minimum_uid = 207
virtual_uid_maps = static:207
myhost ~ #

Incidentally, the check_recipient_access does not contain any OK's, only
custom rejects.

>> 1. What is the best way to 'plonk' someone at the smtp level?

> Identify them in some way (ENVELOPE sender, connecting IP, et cetera) and
> REJECT them.

That's the point - I thought I did. Is that not what check_sender_access
checks?

myhost ~ # cat /etc/postfix/blocked_senders
# Senders Being Blocked
...
#hlug090...@buzzhost.co.uk reject

Which as you can see above is called by smtpd_recipient_restrictions
check_sender_access per my original post.

>> 2. What exactly was wrong with the way I went about blocking this idiot?

> Provide more information, especially some relevant logs instead of a portion
> of the messages you were receiving.

It wasn't a portion, it was the entire message (as an attachment) with
full headers, but you're right I should have sent logs... my excuse is I
sent this in a hurry because I had somewhere I *had* to be (buying a
house is a pain in the arse), but was hoping for some answers to look
more closely at this issue this morning...

Anyway, logs:

Here are the two rejects from his last two attempts to send a message
after I blocked him:

May  6 15:20:31 myhost postfix/smtpd[4799]: connect from
ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May  6 15:20:31 myhost postfix/smtpd[4799]: NOQUEUE: reject: RCPT from
ixe-mta-18-tx.emailfiltering.com[194.116.198.213]: 554 5.7.1
: Sender address rejected: Access denied;
from= to=
proto=ESMTP helo=
May  6 15:20:31 myhost postfix/smtpd[4799]: disconnect from
ixe-mta-18-tx.emailfiltering.com[194.116.198.213]

and

May  6 15:22:06 myhost postfix/smtpd[4799]: connect from
ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May  6 15:22:06 myhost postfix/smtpd[4799]: NOQUEUE: reject: RCPT from
ixe-mta-18-tx.emailfiltering.com[194.116.198.213]: 554 5.7.1 : Sender address rejected: Access denied;
from= to=
proto=ESMTP helo=

Then about 42 minutes later, the flood of these 'ABUSE' messages (about
one per second until I removed the address from the blocked senders
list, after which they immediately stopped):

May  6 16:04:19 myhost postfix/smtpd[5523]: connect from
ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May  6 16:04:20 myhost postfix/smtpd[5523]: 1F0844D45CD:
client=ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May  6 16:04:20 myhost postfix/cleanup[5541]: 1F0844D45CD:
message-id=<20090506200420.1f0844d4...@smtp.media-brokers.com>
May  6 16:04:20 myhost postfix/qmgr[919]: 1F0844D45CD:
from=, size=1809, nrcpt=1 (queue active)
May  6 16:04:20 myhost postfix/virtual[5608]: 1F0844D45CD:
to=, relay=virtual, delay=0.47,
delays=0.46/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
May  6 16:04:20 myhost postfix/qmgr[919]: 1F0844D45CD: removed

They all have these 'message-id= lines
in them... maybe SAV probes are somehow being used to generate them?

>> 3. What was the mechanism employed to flood my server with these
>>messages, and how do I protect against it in the future (maybe simply
>>changing the way I'm blocking unwanted senders now will accomplish
>>t

Recommendation For Postfix Mailboxes

2009-05-07 Thread Carlos Williams
I am starting a new mail server for the company (CentOS 5.3 + Postfix)
and was wondering what the best recommendation for user mailboxes are?

I was once told by someone here that we should create a MySQL database
/ user structure on the mail server so each user is virtual or listed
in MySQL
rather than an actual user on the server itself and having their own
home directory. I have always used the useradd command in Linux to
create a new Postfix home directory for a user and it really has been
fine for me since I am not that experienced with Postfix but would
like to know if it is preferred to do a MySQL user base, then perhaps
learn how something like that is possible. I don't want to obviously
if it is so complex to the point it frustrates me and there is no real
basic advantage. Right now I guess I could say having Maildir/ style
home directories has worked this long so why bother changing but
sometimes ignorance is bliss...

Thanks for any help - advice - recommendations and if anyone knows of
a company who supports RHEL / CentOS + Postfix, I would be interested
to hear.


Re: Question re: blocking unwanted senders

2009-05-07 Thread Noel Jones

Charles Marcus wrote:

> Now, I'm honestly asking for help here... my server was intentionally
> ATTACKED by this asshat simply because I rejected mail from him, and if
> I hadn't just happened to be sitting here and noticed it within 3
> minutes, there's no telling how much damage might have been done.
>
> I'm not crying about being a victim - yes, obviously he exploited a
> specific configuration weakness of mine, and I'd like to know how to FIX
> it, and also learn what is the proper way to reject mail from people I
> don't want mail from without them being able to cripple my mail server
> in retaliation for their mail being rejected.



I see no obvious problems in your config.

Unless I'm missing something:
- you can't control what other people send, or how often they 
send it.
- rejecting messages is a relatively low-overhead process. 
Unless your system is already on the edge of failure, one 
extra reject per second is barely noticeable load.
- If some server doesn't respond well to a REJECT, maybe 
DISCARD is a better answer for their unwanted mail.
- Some posts aren't worth responding to.  The best way to 
ignore a post is to, well, ignore it.  Just press the delete 
key and move on.  (although I admit to sometimes writing a 
really smoking response and then delete before sending.  I'm 
still learning, too.)



  -- Noel Jones


Re: Question re: blocking unwanted senders

2009-05-07 Thread Charles Marcus
On 5/7/2009 9:05 AM, Noel Jones wrote:
> I see no obvious problems in your config.
> 
> Unless I'm missing something:

Yes, I think you are missing something (see below)... ;)

> - you can't control what other people send, or how often they send it.
> - rejecting messages is a relatively low-overhead process. Unless your
> system is already on the edge of failure, one extra reject per second is
> barely noticeable load.

The first two log excerpts I provided were the only two rejects in the
logs... and you're right, if it was only rejects, I wouldn't care.

The problem is that, 42 minutes later (after those 2 rejects), I started
receiving actual messages with a subject of 'UCE AND ABUSE IDENTIFIED'
(again, example with full headers attached), to the tune of 1-2 per
second, delivered to my Inbox. In less than 3 minutes, I had 351 of
them, all with identical log entries (except the date/time of course) of
the last log example I provided, namely:

May  6 16:04:19 myhost postfix/smtpd[5523]: connect from
ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May  6 16:04:20 myhost postfix/smtpd[5523]: 1F0844D45CD:
client=ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
May  6 16:04:20 myhost postfix/cleanup[5541]: 1F0844D45CD:
message-id=<20090506200420.1f0844d4...@smtp.media-brokers.com>
May  6 16:04:20 myhost postfix/qmgr[919]: 1F0844D45CD:
from=, size=1809, nrcpt=1 (queue active)
May  6 16:04:20 myhost postfix/virtual[5608]: 1F0844D45CD:
to=, relay=virtual, delay=0.47,
delays=0.46/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
May  6 16:04:20 myhost postfix/qmgr[919]: 1F0844D45CD: removed

> - If some server doesn't respond well to a REJECT, maybe DISCARD is a
> better answer for their unwanted mail.

Actually, I had already considered this... thanks for the confirmation...

But I'd still like to understand the mechanism involved, and what this
guy did to trigger this flood of messages...

> - Some posts aren't worth responding to.  The best way to ignore a post
> is to, well, ignore it.  Just press the delete key and move on. 
> (although I admit to sometimes writing a really smoking response and
> then delete before sending.  I'm still learning, too.)

;) I know, I know...

Thanks for the response...

-- 

Best regards,

Charles
--- Begin Message ---
SMTP Server <70.43.81.99> rejected recipient  (Error 
following RCPT command). It responded as follows: [554 5.7.1 
: Sender address rejected: Access denied]


emailheaders.txt
Description: application/txt
--- End Message ---
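
The pattern in the log excerpts above (two rejects, then a burst of accepted messages through the same relay client) can be picked out of a mail log by joining smtpd "client=" lines to qmgr "from=" lines on the queue ID. This is an added example, not code from the thread; the host names, sender addresses, sample log lines and the 30-per-minute threshold are constructed assumptions. It groups by envelope sender as well as client because the mail in the excerpts arrives through a filtering relay.

```python
"""Flag (client, sender) pairs whose accepted-message rate exceeds a threshold."""
import re
from collections import Counter, defaultdict

SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d+)\s+(\d\d):(\d\d):\d\d\s+\S+\s+postfix/(\w+)\[\d+\]:\s+(.*)$")
CLIENT_RE = re.compile(r"^([0-9A-F]+): client=(\S+?\[[^\]]+\])")
FROM_RE = re.compile(r"^([0-9A-F]+): from=<([^>]*)>")
REJECT_RE = re.compile(r"^NOQUEUE: reject: RCPT from (\S+?\[[^\]]+\]):")


def find_floods(log_lines, per_minute_threshold=30):
    """Return one finding per (client, sender) whose peak minute hits the threshold."""
    qid_client = {}                      # queue ID -> client that submitted it
    per_minute = defaultdict(Counter)    # (client, sender) -> {minute: count}
    rejects = Counter()                  # client -> number of RCPT rejects
    for line in log_lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, daemon, rest = m.groups()
        minute = f"{mon} {int(day):2d} {hh}:{mm}"
        if daemon == "smtpd":
            rej = REJECT_RE.match(rest)
            if rej:
                rejects[rej.group(1)] += 1
                continue
            cli = CLIENT_RE.match(rest)
            if cli:
                qid_client[cli.group(1)] = cli.group(2)
        elif daemon == "qmgr":
            frm = FROM_RE.match(rest)
            # pop() so a message re-entering the active queue is counted once
            if frm and frm.group(1) in qid_client:
                client = qid_client.pop(frm.group(1))
                per_minute[(client, frm.group(2))][minute] += 1
    findings = []
    for (client, sender), counts in per_minute.items():
        peak_minute, peak_count = counts.most_common(1)[0]
        if peak_count >= per_minute_threshold:
            findings.append({
                "client": client, "sender": sender,
                "peak_minute": peak_minute, "peak_count": peak_count,
                "total": sum(counts.values()),
                "rejects_from_client": rejects[client],
            })
    return sorted(findings, key=lambda f: -f["peak_count"])


def _message(ts, qid, client, sender):
    """Two constructed log lines for one accepted message."""
    return [
        f"{ts} myhost postfix/smtpd[5523]: {qid}: client={client}",
        f"{ts} myhost postfix/qmgr[919]: {qid}: from=<{sender}>, size=1809, "
        "nrcpt=1 (queue active)",
    ]


def constructed_sample():
    """Constructed log in the format shown in the thread; all names are placeholders."""
    relay = "filter-mta.example.net[192.0.2.10]"
    lines = []
    for ts in ("May  6 15:20:31", "May  6 15:22:06"):
        lines.append(
            f"{ts} myhost postfix/smtpd[4799]: NOQUEUE: reject: RCPT from {relay}: "
            "554 5.7.1 <blocked@example.com>: Sender address rejected: Access denied; "
            "from=<blocked@example.com> to=<user@example.net> proto=ESMTP "
            "helo=<filter-mta.example.net>")
    # Ordinary mail through the same relay: must not be flagged.
    for n, ts in enumerate(("May  6 16:04:10", "May  6 16:04:30", "May  6 16:05:01")):
        lines += _message(ts, f"2A0000000{n}", relay, "colleague@example.org")
    # The burst: 90 messages in 16:04, 45 in 16:05, one envelope sender.
    for minute, count in ((4, 90), (5, 45)):
        for i in range(count):
            qid = f"{0x1F0844D45CD + len(lines):X}"
            ts = f"May  6 16:{minute:02d}:{i * 60 // count:02d}"
            lines += _message(ts, qid, relay, "abuse-report@example.com")
    return lines


if __name__ == "__main__":
    for finding in find_floods(constructed_sample()):
        print(finding)
```
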


Re: Recommendation For Postfix Mailboxes

2009-05-07 Thread Noel Jones

Carlos Williams wrote:

> I am starting a new mail server for the company (CentOS 5.3 + Postfix)
> and was wondering what the best recommendation for user mailboxes are?
>
> I was once told by someone here that we should create a MySQL database
> / user structure on the mail server so each user is virtual or listed
> in MySQL
> rather than an actual user on the server itself and having their own
> home directory. I have always used the useradd command in Linux to
> create a new Postfix home directory for a user and it really has been
> fine for me since I am not that experienced with Postfix but would
> like to know if it is preferred to do a MySQL user base, then perhaps
> learn how something like that is possible. I don't want to obviously
> if it is so complex to the point it frustrates me and there is no real
> basic advantage. Right now I guess I could say having Maildir/ style
> home directories has worked this long so why bother changing but
> sometimes ignorance is bliss...
>
> Thanks for any help - advice - recommendations and if anyone knows of
> a company who supports RHEL / CentOS + Postfix, I would be interested
> to hear.


Use whichever works best for you.
- Virtual users stored in MySQL makes for easier management if 
you have a large number of users, or if users change 
frequently.  This is a more complex solution, but is more 
flexible and capable of handling a huge number of users.
This also makes it possible to expand to multiple servers if 
necessary.
- Local users makes for simple, easy setup.  But doesn't scale 
as well.  I would limit this to 1000 or so users, but that's 
just an opinion.


You get to pick which fits your needs best.

  -- Noel Jones


Re: Question re: blocking unwanted senders

2009-05-07 Thread Noel Jones

Charles Marcus wrote:

> On 5/7/2009 9:05 AM, Noel Jones wrote:
> The problem is that, 42 minutes later (after those 2 rejects), I started
> receiving actual messages with a subject of 'UCE AND ABUSE IDENTIFIED'
> (again, example with full headers attached), to the tune of 1-2 per
> second, delivered to my Inbox. In less than 3 minutes, I had 351 of
> them, all with identical log entries (except the date/time of course) of
> the last log example I provided, namely:


You can't control what other people send.  Your rejection of 
the original message was "correct".



> But I'd still like to understand the mechanism involved, and what this
> guy did to trigger this flood of messages...


A broken autoresponder?  Broken content inspection system? 
Sophomoric manual intervention?  It doesn't really matter.


Sometimes DISCARD is a better choice than REJECT.  ;)

  -- Noel Jones


Escaping '^From ' in the body

2009-05-07 Thread LuKreme
I changed all my delivery mailboxes over to Maildir with procmail as  
the LDA, but I am still seeing lines that begin with 'From ' being  
rewritten to '>From '


My list account is a local account and procmail is invoked via the  
mailbox_command:


mailbox_command = /usr/local/bin/procmail -t -a $EXTENSION

and delivery in procmail is executed by this recipe:

:0
* ! LISTNAME ?? 
{
   :0
   .$LISTNAME.$MYDATE/
}

So from everything I've read, everyone knows it's a maildir and the  
'^From ' should NOT be escaped.


Last time I asked this Viktor said:
> How are you invoking procmail? pipe(8) provides controls for this,
> and local(8) only does this when delivering to an mbox file.


The virtual users on the server are delivered by a pipe that invokes  
procmail, and those do NOT have '^From ' escaped, but as I said, my  
list user is a local user.


(doing a grep on a virtual user I got a result of:

--
To read makes our speaking English good.



Re: Escaping '^From ' in the body

2009-05-07 Thread LuKreme

oops.. sent before complete:
On 7-May-2009, at 07:53, LuKreme wrote:


(doing a grep on a virtual user I got a result of:



cur/1228061198.M123110P48822V0054I00769D49_41.mail.covisp.net,S=2584:2,RS:From predictions to


(no escaping)

searching the list mail I find:

cur/1241387260.91128_0.mail.covisp.net:2,S:>From the comments:

(escaping)

--
If we get through this alive I'll meet you next week same place
same time



Re: Question re: blocking unwanted senders

2009-05-07 Thread Charles Marcus
On 5/7/2009, Noel Jones (njo...@megan.vbhcs.org) wrote:
>> But I'd still like to understand the mechanism involved, and what
>> this guy did to trigger this flood of messages...

> A broken autoresponder?

I wasn't sending him anything to respond to (other than the smtp rejects).

> Broken content inspection system?

I wasn't sending him any content to inspect.

> Sophomoric manual intervention?

More like sadistic, but yeah...

> It doesn't really matter.
>
> Sometimes DISCARD is a better choice than REJECT.  ;) 

Ok, then, I guess there's no better answer forthcoming.

Oh well, thanks again...

-- 

Best regards,

Charles


Re: Escaping '^From ' in the body

2009-05-07 Thread Wietse Venema
LuKreme:
> I changed all my delivery mailboxes over to Maildir with procmail as  
> the LDA, but I am still seeing lines that begin with 'From ' being  
> rewritten to '>From '

You need to verify that the > is added by Postfix, not by some
upstream system.

Wietse


Re: Recommendation For Postfix Mailboxes

2009-05-07 Thread Carlos Williams
Thanks all. I think with less than 300 users & security not being a
huge deal since I set everyone's shell to /sbin/nologin.


Re: Recommendation For Postfix Mailboxes

2009-05-07 Thread LuKreme

On May 7, 2009, at 8:38, Carlos Williams  wrote:

> Thanks all. I think with less than 300 users & security not being a
> huge deal since I set everyone's shell to /sbin/nologin.


The main reason I set up almost all my users as virtual is to allow  
them to configure aliases and change their own passwords via a web  
interface like postfixadmin. Otherwise, I have to do every change  
myself.




Re: ldap and result_filter question

2009-05-07 Thread postfix
Hi Victor,

ok, I know my question is a bit confusing. That's because I tried to
"simplify" the case I face with a generic example. It seems
simplification leads to more confusion ... sorry !
Here below the real case:

in main.cf: 
check_recipient_access
ldap:/etc/postfix/ldapUserAccess_mgrprfc822mailmember.cf

$cat ldapUserAccess_mgrprfc822mailmember.cf
server_host = ldap://fe-ldap1-data:389
search_base = ou=fe1,o=fe
bind_dn = cn=root DN
bind_pw = xx
version = 3
query_filter =
(&(mgrprfc822mailmember=%s)(|(objectclass=mailrecipient)(objectclass=inetlocalmailrecipient)(objectclass=mailgroup)(objectclass=inetmailgroup)))
domain = hash:/etc/postfix/relay_domains
result_attribute = mail
bind = yes
result_filter = OK
expansion_limit = 1

Here below the error message I have with some recipients emails addresses:
postmap -q "j...@u.org"
ldap:/etc/postfix/ldapUserAccess_mgrprfc822mailmember.cf
warning: dict_ldap_lookup: Search error 4: Size limit exceeded

WHY ? => because for these recipient email addresses the query_filter
matches several times in the ldap and the expansion_limit is set to 1
$ldap | grep j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org

If I set the expansion_limit to 0 then, as each entry (dn) has a mail
attribute, I will have the following:
postmap -q "j...@u.org"
ldap:/etc/postfix/ldapUserAccess_mgrprfc822mailmember.cf
OK,OK,OK,OK,OK,OK

That's my problem. 
Is it possible to only have one OK as a result ? 

Rgds
Alain 

- Original Message -
From: Victor Duchovni 
Date: Thursday, May 7, 2009 3:29 pm
Subject: Re: ldap and result_filter question
To: postfix 
Cc: postfix-users@postfix.org

> On Wed, May 06, 2009 at 11:54:42AM +0200, postfix wrote:
> 
> > Hi,
> > 
> > I am using Postfix 2.5.5.
> > 
> > I would like to test recipients against a ldap query.
> > I have 2 mailAlternateAddress attributes for the ldap entry which mail
> > attribute is post...@spam3.gm.transpac.fr:
> > # postmap -q post...@spam3.gm.transpac.fr
> > ldap:/etc/postfix/ldapUserAccessTest.cf
> > OK,OK
> 
> When LDAP is used as an access(5) table, use a single-valued result
> attribute and a query that always matches at most one LDAP entry.
> 
> > #cat  ldapUserAccessTest.cf   
> > server_host = 10.1.1.64 
> > server_port = 389
> > search_base = o=spam3.gm.transpac.fr, o=antipam, o=cd3
> > bind_dn = cn=root DN
> > bind_pw = xxx
> > version = 3
> > query_filter =
> > (&(|(mail=%s)(mailAlternateAddress=%s))(mailUserStatus=active))
> > result_attribute = mailAlternateAddress
> > bind = yes
> > result_filter = OK
> > expansion_limit = 0
> 
> Don't set the limit to 0, that means "unlimited". Do use a single-valued
> result attribute. Undoubtedly there is at least one single-valued
> attribute in the LDAP schema of the class in question.
> 
> > Any idea knowing that the condition is to keep "result_attribute =
> > mailAlternateAddress" (so not use any other result attribute as for
> > example "result_attribute = mail" - which I know works) ? 
> 
> Why impose non-sensical restrictions? If the attribute value is not
> actually used (replaced with the fixed string "OK"), what would motivate
> you to ask for a particularly non-useful attribute?
> 
> -- 
>   Viktor.
> 



Re: ldap and result_filter question

2009-05-07 Thread Victor Duchovni
On Thu, May 07, 2009 at 05:30:37PM +0200, postfix wrote:

> Hi Victor,
> 
> ok, I know my question is a bit confusing. That's because I tried to
> "simplify" the case I face with a generic example. It seems
> simplification leads to more confusion ... sorry !
> Here below the real case:
> 
> in main.cf: 
> check_recipient_access
> ldap:/etc/postfix/ldapUserAccess_mgrprfc822mailmember.cf
> 
> $cat ldapUserAccess_mgrprfc822mailmember.cf
> server_host = ldap://fe-ldap1-data:389
> search_base = ou=fe1,o=fe
> bind_dn = cn=root DN
> bind_pw = xx
> version = 3
> query_filter =
> (&(mgrprfc822mailmember=%s)(|(objectclass=mailrecipient)(objectclass=inetlocalmailrecipient)(objectclass=mailgroup)(objectclass=inetmailgroup)))
> domain = hash:/etc/postfix/relay_domains
> result_attribute = mail
> bind = yes
> result_filter = OK
> expansion_limit = 1

This is an access(5) table, not a rewriting table. Why are you writing
a query that matches multiple "entries" for a subset of valid lookup
keys? DON'T DO THAT.

The query filter looks rather bogus, it insists on finding the address
as a member of a group, rather than as the address of a group or the
address of a user.

> That's my problem. 
> Is it possible to only have one OK as a result ? 

Yes, by writing a sensible query and choosing a sensible result attribute.

Forget LDAP for a moment, describe the intended semantics of this table,
in high-level terms:

- Return OK when an input address X has useful property Y

What is "useful property Y"? I am skeptical that "mgrprfc822mailmember=%s"
is a useful property of an *input* address.

-- 
Viktor.



Re: Postfix 2.6.0-RC3 and 2.7-20090428 available

2009-05-07 Thread Quanah Gibson-Mount
--On Thursday, May 07, 2009 12:52 AM -0700 Bill Landry  
wrote:




>>> Although the download link is correct, the text is wrong:
>>>
>>> Postfix 2.6.0 stable release candidate 2
>>>
>>> rather than
>>>
>>> Postfix 2.6.0 stable release candidate 3
>>>
>>> A random sampling of mirrors around the world showed this.
>>
>> No, in fact RC3 is right one.
>
> ftp://ftp.porcupine.org/mirrors/postfix-release/index.html
>
> Shows:
>
> Postfix 2.6.0 stable release candidate 2 Source code | PGP signature |
> Release notes | Change log
>
> Note that the text says: "release candidate 2".  However, mouse over the
> "Source code" link and it points to:
>
> ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.6.0-RC3.tar.gz
>
> Which correctly points to the latest update, RC3.  Quanah was simply
> pointing out the mismatch between what it says and what it is.


Thanks Bill.  I thought what I wrote was pretty clear, but I guess not.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: Escaping '^From ' in the body

2009-05-07 Thread LuKreme

On 7-May-2009, at 08:29, Wietse Venema wrote:

> LuKreme:
>> I changed all my delivery mailboxes over to Maildir with procmail as
>> the LDA, but I am still seeing lines that begin with 'From ' being
>> rewritten to '>From '
>
> You need to verify that the > is added by Postfix, not by some
> upstream system.


I send a message to a local and virtual user from the command line.

$ cat Maildir/.Misc.List\ Replies/new/1241717704.61327_0.mail.covisp.net
Return-Path: 
[blah blah ]

>From escape test to local and virtual

===EOF

$ cat /usr/local/virtual/u...@example.com/new/1241717703.61328_1.mail.covisp.net

Received: by mail.covisp.net (Postfix, from userid 0)
id F2A69118BA8E; Thu,  7 May 2009 11:35:01 -0600 (MDT)
[blah blah]

From escape test to local and virtual

===EOF

$ postconf -n
alias_database = hash:$config_directory/aliases
alias_maps = hash:$config_directory/aliases
allow_percent_hack = no
anvil_rate_time_unit = 60s
body_checks = pcre:$config_directory/body_checks.pcre
bounce_size_limit = 10240
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
default_process_limit = 800
disable_vrfy_command = yes
header_checks = pcre:$config_directory/header_checks.pcre
header_size_limit = 10240
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -t -a $EXTENSION
mailbox_size_limit = 52428800
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 15728640
mime_header_checks = pcre:$config_directory/mime_headers.pcre
mydestination = $myhostname, localhost.$mydomain, $mydomain,
    localhost, ns1.$mydomain, ns2.$mydomain, mail.$mydomain,
    www.$mydomain, webmail.$mydomain
mydomain = covisp.net
myhostname = mail.covisp.net
mynetworks = 75.148.117.88/29, 71.33.236.13, 75.148.41.113, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients,relay_domains
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
show_user_unknown_table_name = no
smtpd_banner = $myhostname ESMTP $mail_name $mail_version
smtpd_client_connection_count_limit = 15
smtpd_client_connection_rate_limit = 8
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,check_sender_access hash:$config_directory/backscatterpermit

smtpd_error_sleep_time = 28
smtpd_hard_error_limit = 8
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit

smtpd_recipient_limit = 25
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_sender, check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit check_helo_access pcre:$config_directory/helo_checks.pcre, check_sender_access pcre:$config_directory/sender_access.pcre, check_client_access pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access pcre:$config_directory/recipient_checks.pcre, check_client_access hash:$config_directory/access, reject_rbl_client zen.spamhaus.org, permit

smtpd_restriction_classes = check_greylist
smtpd_sender_restrictions = check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, permit_mynetworks

smtpd_soft_error_limit = 4
smtpd_starttls_timeout = 90s
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_sessions
smtpd_tls_session_cache_timeout = 1800s
soft_bounce = no
swap_bangpath = no
transport_maps = hash:/etc/postfix/transport
undisclosed_recipients_header = To: List of Bcc addresses:;
unknown_local_recipient_reject_code = 550
virtual_alias_domains = kreme.com
virtual_alias_maps = hash:$config_directory/virtualpcre:$config_directory/virtual.pcre,pcre:$config_directory/virtual_sql.pcre,mysql:$config_directory/mysql_virtual_alias_maps.cf

virtual_gid_maps = static:89
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf

virtual_minimum_uid = 89
virtual_transport = procmail
virtual_uid_maps = static:89

--
I think it would be fun to run a newspaper.



Re: Setting up localhost and configuring a single user for a test environment

2009-05-07 Thread Bill Cole

Jonathan McMahon wrote, On 5/4/09 11:37 PM:

> My email timed out and truncated the subject line...
>
> I'm trying to set up an extremely basic mailserver on Leopard 10.5 in
> order to check the behavior of some PHP scripts. Nothing fancy needed - I
> just want to send and receive mail to/from myself without having to go
> out to my ISP.


Then you should have no problem using the Postfix config Apple provides as a 
base. It really only needs to be tweaked to run a smtpd all the time. I 
believe that editing /System/Library/LaunchDaemons/org.postfix.master.plist 
to eliminate "-e 60" as arguments to master and add a RunAtLoad key (and 
reloading it) will do the trick.



> QUESTION #1 I've been able to get Postfix started and can telnet into
> 127.0.0.1 to get a test email sent. The issue is that it bounces as an
> unknown user...is there a basic checklist I can run through to make sure
> the user does in fact exist? I can only find bits and pieces on the web.
>
> Here is the error message I'm getting:
>
> to=, orig_to=,
> relay=local, delay=0.07, delays=0.06/0/0/0, dsn=5.1.1, status=bounced
> (unknown user: "john")


It might have helped a bit to see the whole of that SMTP-by-telnet session, 
but it's not really indispensable...


Presumably you said "RCPT TO:" and your postfix config 
added '.localhost' (which is odd...) and there's no user named 'john' so it 
rejected the message.



> I modified /etc/postfix/aliases:
>
> root:john
>
> then ran newaliases, but that doesn't seem to help.


Right, because that says to treat mail to the local user "root" to the local 
user "john" and that is not helpful. On a Mac, going the other way might 
not help either, since by default /var/root/.forward contains '/dev/null' 
and that will send mail to the bitbucket.


Assuming that you have a fairly normal Mac, the valid users all have home 
directories under /Users named with what Apple refers to as the 'short name' 
which is their Unix login name and the local part of the addresses Postfix 
will accept as local.





> QUESTION #2
> I know that I need an FQDN in order for Postfix to function properly,


Yes and no.

You need Postfix to be able to determine and/or construct a FQDN. It can do 
so on any normally configured Mac without any changes to the Postfix config. 
The name may not be useful for exposing Postfix to the world, but it will 
handle local delivery of messages submitted via port 25 on the loopback or 
the sendmail compatibility interface just fine.



> but I'm having trouble understanding what goes where in the
> "u...@host.domain.tld" scheme.


> My System Preferences list the following:
>
> Computer Name: John Doe's iMac
>
> Computers on your local network can access your computer at:
> john-does-imac.local


That looks like a usable FQDN to me, at least as long as you stay local.


> Assuming I want to send a message to johndoe, what does the FQDN look
> like?

john-does-imac.local

Assuming that there's a local user 'johndoe', the whole address would be: 
john...@john-does-imac.local


HOWEVER, Postfix would normally accept 'johndoe' and 
'john...@john-does-imac' and extend them, unless you've fiddled with the 
config.


> How about the following parameters?
>
> myhostname =
> mydomain =
> myorigin =


Leave them alone. The defaults are fine.


> The confusing part is what to use for the domain and tld since I don't
> own an actual domain like "yahoo.com". My best guess is:
>
> j...@john-does-imac.localdomain.local


No.

There's also no reason to guess. Postfix provides a tool that will tell you 
its configuration: postconf


This is from a Mac I just set up and have left with the Apple main.cf:

  william-coles-macbook:~ bill$ postconf mydomain myorigin myhostname mydestination

  mydomain = localdomain
  myorigin = $myhostname
  myhostname = william-coles-macbook.local
  mydestination = $myhostname, localhost.$mydomain, localhost

None of those is actually set in my main.cf. No need.



> --
> Output of postconf -n:
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> html_directory = no
> inet_interfaces = localhost
> mail_owner = _postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 10485760
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain_fallback = localhost
> mynetworks_style = host
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases
> queue_directory = /private/var/spool/postfix
> readme_directory = /usr/share/doc/postfix
> sample_directory = /usr/share/doc/postfix/examples
> sendmail_path = /usr/sbin/sendmail
> setgid_group = _postdrop
> unknown_local_recipient_reject_code = 550
>
>
> Any help would be appreciated. Thanks.


Action plan:

1. Revert to the main.cf and master.cf that Apple provides.
2. Fix up the launchd plist so that master doesn't kill itself
3. Use sender and recipient addresses with local parts that match real users 
that your system actu

Re: Postfix 2.6.0-RC3 and 2.7-20090428 available

2009-05-07 Thread Wietse Venema
Quanah Gibson-Mount:
> --On Thursday, May 07, 2009 12:52 AM -0700 Bill Landry  
> wrote:
> 
> 
> >>> Although the download link is correct, the text is wrong:
> >>>
> >>> Postfix 2.6.0 stable release candidate 2

I have fixed the text this morning (the hyperlinks already said RC3).

Wietse


Re: Escaping '^From ' in the body

2009-05-07 Thread Wietse Venema
LuKreme:
> On 7-May-2009, at 08:29, Wietse Venema wrote:
> > LuKreme:
> >> I changed all my delivery mailboxes over to Maildir with procmail as
> >> the LDA, but I am still seeing lines that begin with 'From ' being
> >> rewritten to '>From '
> >
> > You need to verify that the > is added by Postfix, not by some
> > upstream system.
> 
> I send a message to a local and virtual user from the command line.

This involves three systems: the mail submission command, Postfix,
and procmail. Which of these introduces the problem?

Wietse


Re: Question re: blocking unwanted senders

2009-05-07 Thread Rik
That's the problem Charles. When you abuse people on lists *thinking*
you are some kind of expert, and then get caught with your pants down on
the basics you have to see the funny side.

I'll tell you what you need to fix if you apologise to me and call me
Sir.




Re: Question re: blocking unwanted senders

2009-05-07 Thread Wietse Venema
Rik:
> That's the problem Charles. When you abuse people on lists *thinking*
> you are some kind of expert, and then get caught with your pants down on
> the basics you have to see the funny side.
> 
> I'll tell you what you need to fix if you apologise to me and call me
> Sir.

Enough. This thread is not about Postfix. Take it off-list, please.

Wietse


Re: Question re: blocking unwanted senders

2009-05-07 Thread Rik
Actually, yes it is but to keep you happy I withdraw the public offer to
show Charles how to set up his Postfix properly. Perhaps you can help
him instead Wietse.


On Thu, 2009-05-07 at 14:47 -0400, Wietse Venema wrote:
> Rik:
> > That's the problem Charles. When you abuse people on lists *thinking*
> > you are some kind of expert, and then get caught with your pants down on
> > the basics you have to see the funny side.
> > 
> > I'll tell you what you need to fix if you apologise to me and call me
> > Sir.
> 
> Enough. This thread is not about Postfix. Take it off-list, please.
> 
>   Wietse
> 




Re: Escaping '^From ' in the body

2009-05-07 Thread LuKreme

On May 7, 2009, at 12:18, wie...@porcupine.org (Wietse Venema) wrote:


> LuKreme:
>> On 7-May-2009, at 08:29, Wietse Venema wrote:
>>> LuKreme:
>>>> I changed all my delivery mailboxes over to Maildir with procmail as
>>>> the LDA, but I am still seeing lines that begin with 'From ' being
>>>> rewritten to '>From '
>>>
>>> You need to verify that the > is added by Postfix, not by some
>>> upstream system.
>>
>> I send a message to a local and virtual user from the command line.
>
> This involves three systems: the mail submission command, Postfix,
> and procmail. Which of these introduces the problem?


I sent a single message to both users so I doubt it's got anything to  
do with submission. The procmail recipes look the same, each doing a  
delivery to a maildir folder. The only difference is one is local(8)  
and one is pipe(8).


However, I have no way of seeing *exactly* where in the process of  
delivery the > gets added, unless you have some idea of how I can get  
more detailed debug info. 


Re: Escaping '^From ' in the body

2009-05-07 Thread mouss
LuKreme wrote:
> On May 7, 2009, at 12:18, wie...@porcupine.org (Wietse Venema) wrote:
> 
>> LuKreme:
>>> On 7-May-2009, at 08:29, Wietse Venema wrote:
>>>> LuKreme:
>>>>> I changed all my delivery mailboxes over to Maildir with procmail as
>>>>> the LDA, but I am still seeing lines that begin with 'From ' being
>>>>> rewritten to '>From '
>>>>
>>>> You need to verify that the > is added by Postfix, not by some
>>>> upstream system.
>>>
>>> I send a message to a local and virtual user from the command line.
>>
>> This involves three systems: the mail submission command, Postfix,
>> and procmail. Which of these introduces the problem?
> 
> I sent a single message to both users so I doubt it's got anything to do
> with submission. The procmail recipes look the same, each doing a
> delivery to a maildir folder. The only difference is one is local(8) and
> one is pipe(8).
> 
> However, I have no way of seeing *exactly* where in the process of
> delivery the > gets added, unless you have some idea of how I can get
> more detailed debug info.

procmail isn't part of postfix. so test without procmail.


Re: Configuring SMTP Auth with SASL + MySQL for virtual domains

2009-05-07 Thread mouss
Gurunandan R. Bhat wrote:
> Hi,
> 
> I am configuring Virtual domains and mailboxes on CentOS 5.5 using
> MySQL for data maps and SASL for SMTP Auth.  As far as I can say, I have
> followed The Book of Postfix.
> 
> Dovecot and Postfix both use the same tables for authentication and
> POP authentication works perfectly. However any attempt at SMTP
> authentication gives the following (SASL?) error:
> 
> May  7 01:02:23 Server1 postfix/smtpd[11760]: auxpropfunc error invalid
> parameter supplied
> May  7 01:02:23 Server1 postfix/smtpd[11760]: sql_select option missing
> May  7 01:02:23 Server1 postfix/smtpd[11760]: auxpropfunc error no
> mechanism available
> 
> and then followed by:
> 
> May  7 01:02:24 Server1 saslauthd[11666]: do_auth: auth failure:
> [user=] [service=smtp][realm=X] [mech=pam][reason=PAM auth error]
> 
> My /usr/lib/sasl2/smtpd.conf reads:
> 
> log_level: 8
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN
> auxprop_plugin: sql
> sql_verbose: yes
> sql_engine: mysql
> sql_hostnames: localhost
> sql_user: XX
> sql_passwd: XX
> sql_database: postfix
> sql_select: select password from mailbox where username = '%...@%r'
> 
> I would really appreciate your help in figuring whats wrong.
> 

maybe it looks for an smtpd.conf in another place. unfortunately, this
is system dependent. you can check this by intentionally putting a
syntax error in the file.

if your postfix version supports dovecot sasl, then use it. It is far
easier than cyrus-sasl (and it's also more secure since less code is
linked against postfix).


Re: Escaping '^From ' in the body

2009-05-07 Thread Noel Jones

LuKreme wrote:
> The only difference is one is local(8) and
> one is pipe(8).


did you try:
mail_spool_directory = /var/mail/

http://www.postfix.org/local.8.html


  -- Noel Jones


keep recipient_bcc_maps from picking up aliases in virtual_alias_maps

2009-05-07 Thread J.P. Trosclair
Is it possible to avoid recipient_bcc_maps picking up aliases in the 
virtual_alias_maps table?


I have a pcre recipient_bcc_map entry that catches an entire domain and 
forwards it in such a way that the transports table hands it to my 
archivemail transport:


# cat recipient_bcc
/(.*)@judelawfirm.com$/ $...@judelawfirm.com.archive

# cat transports
s...@spam-catcher.spam   spam-mail:
h...@ham-catcher.ham  ham-mail:

.archive    archivemail:
.vacation   vacation:

The problem is the recipient_bcc_map catches virtual aliases too and 
tries to hand them over to my archivemail transport which doesn't like 
it because the virtual alias isn't a real mail box.


I suppose I could tweak my archivemail service in such that it checked 
if the account was a real mail box or not and discard it accordingly... 
just wondering if there is possibly another way around it.


# postconf -n
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
maximal_backoff_time = 1h
message_size_limit = 0
minimal_backoff_time = 10m
mydestination = vmail1.judelawfirm.com, vmail1.jude
myhostname = vmail1.judelawfirm.com
mynetworks = 127.0.0.0/8 192.168.1.0/24
myorigin = vmail1.judelawfirm.com
queue_run_delay = 120s
readme_directory = no
recipient_bcc_maps = pcre:/etc/postfix/recipient_bcc
recipient_delimiter = +
sender_bcc_maps = pcre:/etc/postfix/recipient_bcc
smtp_enforce_tls = no
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = check_client_access hash:/etc/postfix/white_list check_client_access pcre:/etc/postfix/black_list_client_country check_client_access hash:/etc/postfix/black_list
smtpd_data_restrictions = reject_unauth_pipelining permit_mynetworks permit_sasl_authenticated

smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks reject_invalid_hostname reject_non_fqdn_hostname check_helo_access hash:/etc/postfix/white_list check_helo_access pcre:/etc/postfix/black_list_helo_country check_helo_access hash:/etc/postfix/black_list
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access hash:/etc/postfix/white_list check_sender_access hash:/etc/postfix/black_list check_sender_access pcre:/etc/postfix/black_list_sender_country reject_unlisted_recipient reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transports
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:1000


Re: Question re: blocking unwanted senders

2009-05-07 Thread Sahil Tandon
On Thu, 07 May 2009, Charles Marcus wrote:

> relayhost = [post18.emailfiltering.com]

Interesting.

> May  6 15:22:06 myhost postfix/smtpd[4799]: connect from
> ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
> May  6 15:22:06 myhost postfix/smtpd[4799]: NOQUEUE: reject: RCPT from
> ixe-mta-18-tx.emailfiltering.com[194.116.198.213]: 554 5.7.1  0...@buzzhost.co.uk>: Sender address rejected: Access denied;
> from= to=
> proto=ESMTP helo
> =

Notice your relayhost (which also acts as the MX for your domain) accepts the
message from the sender and tries to deliver it to your mail store, at which
point your Postfix installation REJECTs the message.  This probably generates
a bounce report (by emailfiltering.com) to the envelope sender.  If so, that
is backscatter.

> Then about 42 minutes later, the flood of these 'ABUSE' messages (about
> one per second until I removed the address from the blocked senders
> list, after which they immediately stopped):
> 
> May  6 16:04:19 myhost postfix/smtpd[5523]: connect from
> ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
> May  6 16:04:20 myhost postfix/smtpd[5523]: 1F0844D45CD:
> client=ixe-mta-18-tx.emailfiltering.com[194.116.198.213]
> May  6 16:04:20 myhost postfix/cleanup[5541]: 1F0844D45CD:
> message-id=<20090506200420.1f0844d4...@smtp.media-brokers.com>
> May  6 16:04:20 myhost postfix/qmgr[919]: 1F0844D45CD:
> from=, size=1809, nrcpt=1 (queue active)
> May  6 16:04:20 myhost postfix/virtual[5608]: 1F0844D45CD:
> to=, relay=virtual, delay=0.47,
> delays=0.46/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
> May  6 16:04:20 myhost postfix/qmgr[919]: 1F0844D45CD: removed

Again, these messages hit your machine not from their source, but the
emailfiltering.com machine that relays mail to and fro your Postfix box.  You
should troubleshoot this issue at the actual gateway MX that receives or
generates the offending message.

> Look, I certainly know Victor and Wietse don't need me to defend them
> from impotent threats of violence from morons like Rik, and I should
> have just kept my mouth shut, but it really irked me to see these
> comments aimed at the people who provide such incredible help here, of
> which I have been the recipient more than once.

It's best to ignore such things and get on with your day.

-- 
Sahil Tandon 
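
The pattern described in the message above (a gateway MX accepts a message, the downstream Postfix then rejects it, and the gateway has to bounce) can be picked out of the smtpd log. This is an added example, not code from the thread; the log lines, the gateway network 192.0.2.0/28 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Shape of a Postfix smtpd RCPT rejection, matching the log excerpt quoted above.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>[45]\d\d) \S+ "
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample log (addresses and hosts are placeholders, not from the thread).
SAMPLE_LOG = "\n".join([
    "May  6 15:22:06 myhost postfix/smtpd[4799]: connect from gw1.filter.example[192.0.2.10]",
    "May  6 15:22:06 myhost postfix/smtpd[4799]: NOQUEUE: reject: RCPT from "
    "gw1.filter.example[192.0.2.10]: 554 5.7.1 <sender@spam.example>: Sender address "
    "rejected: Access denied; from=<sender@spam.example> to=<user@mydomain.example> "
    "proto=ESMTP helo=<gw1.filter.example>",
    "May  6 15:30:11 myhost postfix/smtpd[4810]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 554 5.7.1 <z@other.example>: Relay access denied; "
    "from=<x@y.example> to=<z@other.example> proto=ESMTP helo=<foo>",
    "May  6 16:04:20 myhost postfix/smtpd[5523]: 1F0844D45CD: client=gw1.filter.example[192.0.2.10]",
    "May  6 16:05:01 myhost postfix/smtpd[5530]: NOQUEUE: reject: RCPT from "
    "gw1.filter.example[192.0.2.10]: 450 4.7.1 <a@b.example>: Sender address rejected: "
    "try later; from=<a@b.example> to=<user@mydomain.example> proto=ESMTP "
    "helo=<gw1.filter.example>",
    "May  6 16:06:00 myhost postfix/smtpd[5531]: NOQUEUE: reject: RCPT from "
    "gw1.filter.example[192.0.2.10]: 554 5.7.1 <user@mydomain.example>: Recipient address "
    "rejected: Access denied; from=<> to=<user@mydomain.example> proto=ESMTP "
    "helo=<gw1.filter.example>",
])


def classify(code, sender):
    """Say what the upstream gateway has to do after our reply."""
    if code.startswith("4"):
        return "deferred-upstream"  # gateway keeps the message queued and retries
    if sender == "":
        return "no-dsn"             # null return path: no bounce is sent for a bounce
    return "backscatter-risk"       # gateway already accepted it, so it must bounce


def backscatter_candidates(log_text, gateway_nets):
    """Return rejections issued to our own gateway MX rather than to the original client."""
    nets = [ipaddress.ip_network(n) for n in gateway_nets]
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m is None:
            continue
        try:
            client = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # client field did not hold a parseable address
        if not any(client in net for net in nets):
            continue  # not one of our gateways: the reject happened at the edge, in-session
        findings.append({
            "gateway": m.group("host"),
            "code": m.group("code"),
            "sender": m.group("sender"),
            "rcpt": m.group("rcpt"),
            "verdict": classify(m.group("code"), m.group("sender")),
        })
    return findings


if __name__ == "__main__":
    for f in backscatter_candidates(SAMPLE_LOG, ["192.0.2.0/28"]):
        print(f["verdict"], f["code"], f["sender"] or "<>", "->", f["rcpt"])
```

Every "backscatter-risk" hit is a policy that belongs on the gateway itself, which is where the message should have been refused.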


Re: keep recipient_bcc_maps from picking up aliases in virtual_alias_maps

2009-05-07 Thread Wietse Venema
J.P. Trosclair:
> Is it possible to avoid recipient_bcc_maps picking up aliases in the 
> virtual_alias_maps table?

No.

Wietse


Re: Escaping '^From ' in the body

2009-05-07 Thread LuKreme

On 7-May-2009, at 16:01, mouss wrote:

> procmail isn't part of postfix. so test without procmail.



If I send a message to a non-procmail enabled account, it delivers to  
a mbox file in $HOME/Maildir/ with a name like msg.Dv4Z.


On 7-May-2009, at 16:07, Noel Jones wrote:

> LuKreme wrote:
>> The only difference is one is local(8) and one is pipe(8).
>
> did you try:
> mail_spool_directory = /var/mail/


Ah, no.  I did home_mailbox = Maildir/

All mail is stored under the user's own home.  mail_spool_directory is  
for mbox files, not maildirs.



--
Amazingly Beautiful Creatures Dancing Excites the Forest
Glade, in my Heart how I do Jump like the Kudo Listen to the
Music so Nice the Organ Plays. Quietly Rests the Sleepy
Tiger Under the Vine tree at the Water's side and X marks
the spot 'neath the Yellow moon where the Zulu king and
I did hide.



Re: Mails stuck in incoming queue

2009-05-07 Thread ram

On Thu, 2009-05-07 at 03:22 -0400, Victor Duchovni wrote:
> On Thu, May 07, 2009 at 10:16:51AM +0530, ram wrote:
> 
> > > The "pickup" process is not responsible for moving mail out of the
> > > "incoming" queue. If mail is stuck in "maildrop", then debug "pickup".
> > > 
> > >   http://www.postfix.org/QSHAPE_README.html#queues
> > 
> > Sorry,  I had not fully read the architecture. If mails are coming from
> > a remote host , the go first into incoming and then put into active. 
> > 
> > In my case the incoming directory keeps increasing in size( and number
> > of files)  and the active directory is empty
> > 
> > Why are the mails not put into active ?
> 
> Well, I did spend a good chunk of time writing the document:



Thanks for all the info. Well the high incoming queue is definitely
due to syslog.  Because I also notice that some of my logs are also
getting dropped. 

Sorry for being OT , but can someone help me find what is wrong with my
syslogd. 


I use sysklogd-1.4.2 ( from default rpm )  on Centos 5.2 ,64bit