RFC 1918 -v- Postfix

2009-05-19 Thread Steve
Hello 'list';
This is my first time out in 'list' land so please don't flame me if I
get the format wrong. Coaching and constructive criticism is fine ;-)
{usenet group seems to be almost dead ?}

I've recently noticed that my Postfix is being a naughty bunny. It is
attempting to query my ISP nameserver to reverse resolve LAN addresses
defined in my_networks.

The queries look like this;
19-May-2009 7:26:56.489 client #12345: query:
60.1.168.192.in-addr.arpa IN PTR +

Which in turn gives this;
security: warning: client #12345: RFC 1918 response from
Internet for 60.1.168.192.in-addr.arpa

I've isolated it to Postfix and a telnet test to it from any machine in
'mynetworks' causes it to perform the reverse lookup for an internal IP.

My suspicion is that I have not configured it as it should be. It still
needs to do PTR lookups for hosts (I don't want to kill the whole
feature), but skip them for anything defined in my_networks.

I have tried the various 'permit my_networks' in the client restriction
(and other places) and I simply cannot get Postfix to stop performing
these queries.

Anyone know what I am missing? Happy to RTM but I'm tending to find it
is verbose, but all over the place.

mail_version = 2.5.5

Steve



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Ralf Hildebrandt
* Steve :
> Hello 'list';
> This is my first time out in 'list' land so please don't flame me if I
> get the format wrong. Coaching and constructive criticism is fine ;-)
> {usenet group seems to be almost dead ?}
> 
> I've recently noticed that my Postfix is being a naughty bunny. It is
> attempting to query my ISP nameserver to reverse resolve LAN addresses
> defined in my_networks.

Of course. 
It tries to resolve the IP address of all clients connecting.

> The queries look like this;
> 19-May-2009 7:26:56.489 client #12345: query: 
> 60.1.168.192.in-addr.arpa IN PTR +

Yes.

> Which in turn gives this;
> security: warning: client #12345: RFC 1918 response from
> Internet for 60.1.168.192.in-addr.arpa

The security warning is broken. Turn it off.

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
For special people, the mother-in-law mode: a nagging
voice that screams: "And I told you to make
a backup. But you never listen to me."


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Steve
On Tue, 2009-05-19 at 09:28 +0200, Ralf Hildebrandt wrote:
> * Steve :
> > Hello 'list';
> > This is my first time out in 'list' land so please don't flame me if I
> > get the format wrong. Coaching and constructive criticism is fine ;-)
> > {usenet group seems to be almost dead ?}
> > 
> > I've recently noticed that my Postfix is being a naughty bunny. It is
> > attempting to query my ISP nameserver to reverse resolve LAN addresses
> > defined in my_networks.
> 
> Of course. 
> It tries to resolve the IP address of all clients connecting.
> 
> > The queries look like this;
> > 19-May-2009 7:26:56.489 client #12345: query: 
> > 60.1.168.192.in-addr.arpa IN PTR +
> 
> Yes.
> 
> > Which in turn gives this;
> > security: warning: client #12345: RFC 1918 response from
> > Internet for 60.1.168.192.in-addr.arpa
> 
> The security warning is broken. Turn it off.
> 
I disagree. It looks like Postfix is broken. Whilst I can see the desire
to look up private IP ranges to see if they have a PTR record, it would
not be unreasonable to expect it not to do it for trusted clients - such
as those defined in 'my_networks'.

Previous use of MailEnable, for example, does not give this issue when
doing PTR/Reverse lookups.

As a trusted and solid MTA there must be a way to get it to stop leaking
rubbish DNS lookups from private networks ?



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Ralf Hildebrandt
* Steve :

> I disagree. It looks like Postfix is broken. Whilst I can see the desire
> to look up private IP ranges to see if they have a PTR record, it would
> not be unreasonable to expect it not to do it for trusted clients - such
> as those defined in 'my_networks'.

Where is this behaviour documented?

> As a trusted and solid MTA there must be a way to get it to stop leaking
> rubbish DNS lookups from private networks ?

You could set up your forwarder/local DNS properly. This doesn't
happen here.

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
One of my frequent mistakes is to believe users' interpretation
of what is happening. -- Wietse


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Steve
On Tue, 2009-05-19 at 09:39 +0200, Ralf Hildebrandt wrote:
> * Steve :
> 
> > I disagree. It looks like Postfix is broken. Whilst I can see the desire
> > to look up private IP ranges to see if they have a PTR record, it would
> > not be unreasonable to expect it not to do it for trusted clients - such
> > as those defined in 'my_networks'.
> 
> Where is this behaviour documented?
Good question. If it is not surely it would make a sensible feature
request? Clearly as an expert on Postfix perhaps you can tell *ME* how
to get Postfix to stop attempting rubbish DNS lookups rather than try
and start an argument with me? 

Asking the question with the BIND list (which I did before coming here)
clearly put the blame on the attempting client here - AKA 'Postfix'.
Postfix is asking stupid questions to public DNS servers. They are
nonsensical in my network context. That is, small class C with a handful
of hosts, external DNS. Not only are they nonsensical queries to make,
they are also a total waste of network resources and bandwidth. The fix
here is to stop the client making them, not to stop the resolver from
answering them.

Just where is anything fully documented with Postfix? There is a lot of
'half' documentation Ralf and plenty of 'assumed that you know'. If the
documentation was so great I would not have had to ask on a list for
something rather basic like this.
> 
> > As a trusted and solid MTA there must be a way to get it to stop leaking
> > rubbish DNS lookups from private networks ?
> 
> You could set up your forwarder/local DNS properly. This doesn't
> happen here.
If somebody asks you a stupid question, you still have to answer it if the 
rules say so Ralf.
It may waste your time, it may waste your resources, but answer it you must. 
If Postfix asks a stupid question of the DNS system, it still has to be 
answered.
The fix is *not* to make any changes to the DNS system, the fix is to stop the 
stupid question in the first place.

I'm sorry we don't agree on this. Please don't waste any more of your time 
following this up.
Regards
Steve



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Ralf Hildebrandt
* Steve :

> > Where is this behaviour documented?

> Good question. If it is not surely it would make a sensible feature
> request? Clearly as an expert on Postfix perhaps you can tell *ME* how
> to get Postfix to stop attempting rubbish DNS lookups rather than try
> and start an argument with me? 

I THINK it is possible, but that would disable it for all lookups,
which is not wanted.
 
> Asking the question with the BIND list (which I did before coming here)
> clearly put the blame on the attempting client here - AKA 'Postfix'.
> Postfix is asking stupid questions to public DNS servers.

Postfix does not perform DNS queries, that is done by your local
(libc) resolver. 

> They are nonsensical in my network context. That is, small class C with
> a handful of hosts, external DNS. Not only are they nonsensical queries
> to make, they are also a total waste of network resources and
> bandwidth. The fix here is to stop the client making them, not to stop
> the resolver from answering them.

Usually, you would make BIND responsible for those local network, e.g.
with dummy zones. powerdns does this automatically (which seems to be
beneficial for your setup)

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
Only through hard work and perseverance can one truly suffer.


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Steve
On Tue, 2009-05-19 at 10:43 +0200, Ralf Hildebrandt wrote:
> * Steve :
> 
> > > Where is this behaviour documented?
> 
> > Good question. If it is not surely it would make a sensible feature
> > request? Clearly as an expert on Postfix perhaps you can tell *ME* how
> > to get Postfix to stop attempting rubbish DNS lookups rather than try
> > and start an argument with me? 
> 
> I THINK it is possible, but that would disable it for all lookups,
> which is not wanted.
>  
> > Asking the question with the BIND list (which I did before coming here)
> > clearly put the blame on the attempting client here - AKA 'Postfix'.
> > Postfix is asking stupid questions to public DNS servers.
> 
> Postfix does not perform DNS queries, that is done by your local
> (libc) resolver. 
> 
> > They are nonsensical in my network context. That is, small class C with
> > a handful of hosts, external DNS. Not only are they nonsensical queries
> > to make, they are also a total waste of network resources and
> > bandwidth. The fix here is to stop the client making them, not to stop
> > the resolver from answering them.
> 
> Usually, you would make BIND responsible for those local network, e.g.
> with dummy zones. powerdns does this automatically (which seems to be
> beneficial for your setup)
> 
Indeed, Postfix does *not* perform DNS queries. However, it asks the
question in the first instance that results in the lookup. This is just
a case of arguing semantics. It is close to buggy behaviour IMHO. If it
produces unintended results = bug.

Thanks again. 



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Ralf Hildebrandt
* Steve :

> Indeed, Postfix does *not* perform DNS queries. However, it asks the
> question in the first instance that results in the lookup. This is just
> a case of arguing semantics. It is close to buggy behaviour IMHO. If it
> produces unintended results = bug.

smtpd_peername_lookup = yes

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
PP: MMDF gone mad with standards fever. Think "Brazil". 


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Ralf Hildebrandt
* Ralf Hildebrandt :

> > Indeed, Postfix does *not* perform DNS queries. However, it asks the
> > question in the first instance that results in the lookup. This is just
> > a case of arguing semantics. It is close to buggy behaviour IMHO. If it
> > produces unintended results = bug.
> 
> smtpd_peername_lookup = yes

I meant: smtpd_peername_lookup = no - of course.

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
Postfix sucks, we all use it because we are masochists!


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Steve
On Tue, 2009-05-19 at 10:49 +0200, Ralf Hildebrandt wrote:
> smtpd_peername_lookup = no

Any idea what it defaults to Ralf?



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Ralf Hildebrandt
* Steve :
> On Tue, 2009-05-19 at 10:49 +0200, Ralf Hildebrandt wrote:
> > smtpd_peername_lookup = no
> 
> Any idea what it defaults to Ralf?

postconf -d smtpd_peername_lookup

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
A: No.
Q: Should I include quotations after my reply?


Re: Postfix-2.6.0 RPM

2009-05-19 Thread YOSHIMURA Keitaro
> On Mon, May 18, 2009 20:38:54 PM +0200, Simon J Mudd wrote:
>  
> > I'll see if I can make some time to build some 2.6 rpms, but am
> > likely to respond more if there are people who show an interest in
> > these rpms I build.
> 
> +1 for me, thanks if you find the time!

"2.7 snapshot rpms for CentOSv4" here!:)
http://ramix.jp/RPM/4/postfix-2.7-snapshot/

"2.6.x for CentOSv4" here!:)
http://ramix.jp/RPMS/4/postfix-2.6/

This repo includes only Japanese documentation. :)
You can use the repo via yum or apt.

% postconf mail_version mydomain
mail_version = 2.7-20090511
mydomain = ramix.jp

# but not have CentOSv5 build env...

-- 
<|> YOSHIMURA Keitaro/ramsy @JUSTPLAYER
<|> ra...@ramix.jp
<|> http://ramix.jp/~ramsy/
<|> http://www.justplayer.co.jp/



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Steve
On Tue, 2009-05-19 at 11:15 +0200, Ralf Hildebrandt wrote:
> * Steve :
> > On Tue, 2009-05-19 at 10:49 +0200, Ralf Hildebrandt wrote:
> > > smtpd_peername_lookup = no
> > 
> > Any idea what it defaults to Ralf?
> 
> postconf -d smtpd_peername_lookup
> 
No good. Stops all PTR lookups. Never mind.

I'll have to live with the waste of bandwidth looking up local clients
has on the network. It's a small cost value, but an unnecessary one and
it really should be more configurable than on or off. There needs to be
a way to make sane exemptions.




Re: RFC 1918 -v- Postfix

2009-05-19 Thread Victoriano Giralt
Steve wrote:
> I'll have to live with the waste of bandwidth looking up local clients
> has on the network. It's a small cost value, but an unnecessary one and
> it really should be more configurable than on or off. There needs to be
> a way to make sane exemptions.
Well...
Postfix supposes a properly configured network underneath, and for years
on end I have been teaching that the best oil for any IP network is a
properly configured name resolution, be it /etc/hosts (difficult to
scale) or DNS. If you have a network of a few hosts your problem is
easily solved by a few lines in /etc/hosts. If it is a big one, you are
only asking for trouble refusing to configure local DNS service.

To me that is easier than giving newbies another opportunity to shoot
themselves in the foot.

-- 
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Charles Marcus
On 5/19/2009, Steve (steve.h...@digitalcertainty.co.uk) wrote:
> Just where is anything fully documented with Postfix? There is a lot of
> 'half' documentation Ralf and plenty of 'assumed that you know'. If the
> documentation was so great I would not have had to ask on a list for
> something rather basic like this.

Eh? Postfix has some of, if not the, best documentation of any app I
have ever used, including commercial software.

If you disagree, please point to the doc section that is lacking.

Unless of course you're talking about $random_howto found somewhere on
the net, in which case surely you aren't blaming postfix for the quality
or lack thereof?

-- 

Best regards,

Charles


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Benny Pedersen

On Tue, May 19, 2009 10:49, Ralf Hildebrandt wrote:
>> smtpd_peername_lookup = yes
> I meant: smtpd_peername_lookup = no - of course.

smtpd_peername_excemptions_maps missing so ?

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Reinaldo de Carvalho
On Tue, May 19, 2009 at 8:01 AM, Benny Pedersen  wrote:
>
> On Tue, May 19, 2009 10:49, Ralf Hildebrandt wrote:
>>> smtpd_peername_lookup = yes
>> I meant: smtpd_peername_lookup = no - of course.
>
> smtpd_peername_excemptions_maps missing so ?
>

Its way.

Steve,

It's not possible to disable PTR lookups for "some" networks. It's not a
bug. RFC1918 suggests that YOUR dns server can't query local networks
for root servers. RFC1918 doesn't say that any software or any resolver
should implement it.

Install a dns server and make it authoritative for local networks
and forward other queries to the provider.


-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Steve
On Tue, 2009-05-19 at 06:41 -0400, Charles Marcus wrote:
> On 5/19/2009, Steve (steve.h...@digitalcertainty.co.uk) wrote:
> > Just where is anything fully documented with Postfix? There is a lot of
> > 'half' documentation Ralf and plenty of 'assumed that you know'. If the
> > documentation was so great I would not have had to ask on a list for
> > something rather basic like this.
> 
> Eh? Postfix has some of, if not the, best documentation of any app I
> have ever used, including commercial software.
> 
> If you disagree, please point to the doc section that is lacking.
> 
> Unless of course you're talking about $random_howto found somewhere on
> the net, in which case surely you aren't blaming postfix for the quality
> or lack thereof?
> 
Can you fix your client to post ONLIST please, and not direct to user.
Thanks.
Steve.



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Mark Goodge
On Tue, May 19, 2009 at 12:32 PM, Steve
 wrote:
>>
> Can you fix your client to post ONLIST please, and not direct to user.

From the headers of your email:

Reply-to: steve.h...@digitalcertainty.co.uk

So either the list software is broken, or yours is (I suspect the
former). It's not the fault of the recipient if they reply to a
message and it goes to the wrong place because the reply-to header is
wrong.

Mark


RE: Postfix-2.6.0 RPM

2009-05-19 Thread Brian Collins
> I'll see if I can make some time to build some 2.6 rpms, but am likely
> to respond more if there are people who show an interest in these rpms
> I build.

+1 for me as well, Simon.  I appreciate your work and have used your RPMs
for years to keep my mail servers and filters up to date.






Re: RFC 1918 -v- Postfix

2009-05-19 Thread Henrik K
On Tue, May 19, 2009 at 10:51:57AM +0100, Steve wrote:
> 
> I'll have to live with the waste of bandwidth looking up local clients
> has on the network. It's a small cost value, but an unnecessary one and

Thanks for the laugh. I wonder what you call not having a local caching
nameserver then? You do realize that all duplicate lookups are going to your
ISP server? Or maybe this is a case of "saving memory/CPU"..



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Wietse Venema
Steve:
> I've recently noticed that my Postfix is being a naughty bunny. It is
> attempting to query my ISP nameserver to reverse resolve LAN addresses
> defined in my_networks.

There are many errors in that statement.

1) Postfix does not send DNS queries to your ISP, or to anyone else.

2) The choice between /etc/hosts and DNS is made by nsswitch.conf
   (or equivalent; I am assuming Linux for the sake of simplicity).

3) The choice between local zone files and your ISP is made by the
   name daemon config file and by /etc/resolv.conf.

Wietse


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Steve
On Tue, 2009-05-19 at 06:41 -0400, Charles Marcus wrote:
> On 5/19/2009, Steve (steve.h...@digitalcertainty.co.uk) wrote:
> > Just where is anything fully documented with Postfix? There is a lot of
> > 'half' documentation Ralf and plenty of 'assumed that you know'. If the
> > documentation was so great I would not have had to ask on a list for
> > something rather basic like this.
> 
> Eh? Postfix has some of, if not the, best documentation of any app I
> have ever used, including commercial software.
> 
> If you disagree, please point to the doc section that is lacking.
> 
> Unless of course you're talking about $random_howto found somewhere on
> the net, in which case surely you aren't blaming postfix for the quality
> or lack thereof?
> 
Here is one stunning example;
http://www.postfix.org/uce.html#rbl_reply_maps

Specifically;

Syntax:
Specify zero or more domain names, /file/name patterns and/or
type:name lookup tables, separated by whitespace and/or commas.
A /file/name is replaced by its contents; type:name requests
that table lookup is done instead of string comparison.

Following this cryptic clue with 4 hours of experimenting I gave up.
Funny thing was it was solved for me by a "$random_howto found somewhere
on the net"

I suspect this comes down to the TOP GOOGLE HITS AND THE LINK ABOVE
CARRYING THIS WARNING;
Note: this web page is no longer maintained. It exists only to avoid
breaking links in web pages that describe earlier versions of the
Postfix mail system

You would assume that being a postfix.org URL it may be remotely
'legitimate' documentation and useful. I guess I'm still to find the
"best documentation of any app" - subject to finding the MAN for
locating the current MAN for the current version of DOC at
anyones.guess.com




Re: RFC 1918 -v- Postfix

2009-05-19 Thread Steve
On Tue, 2009-05-19 at 14:52 +0300, Henrik K wrote:
> On Tue, May 19, 2009 at 10:51:57AM +0100, Steve wrote:
> > 
> > I'll have to live with the waste of bandwidth looking up local clients
> > has on the network. It's a small cost value, but an unnecessary one and
> 
> Thanks for the laugh. I wonder what you call not having a local caching
> nameserver then? You do realize that all duplicate lookups are going to your
> ISP server? Or maybe this is a case of "saving memory/CPU"..
> 
Because I have nothing else doing reverse lookups to DNS. My unbroken
apps are happy to follow the proper pattern, hosts first, dns later.

But thanks for the laugh :-)



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Steve
On Tue, 2009-05-19 at 12:32 +0200, Victoriano Giralt wrote:
> Steve wrote:
> > I'll have to live with the waste of bandwidth looking up local clients
> > has on the network. It's a small cost value, but an unnecessary one and
> > it really should be more configurable than on or off. There needs to be
> > a way to make sane exemptions.
> Well...
> Postfix supposes a properly configured network underneath, and for years
> on end I have been teaching that the best oil for any IP network is a
> properly configured name resolution, be it /etc/hosts (difficult to
> scale) or DNS. If you have a network of a few hosts your problem is
> easily solved by a few lines in /etc/hosts. If it is a big one, you are
> only asking for trouble refusing to configure local DNS service.
> 
> To me that is easier than giving newbies another opportunity to shoot
> themselves in the foot.
> 
> -- 
> Victoriano Giralt
> Systems Manager
> Central ICT Services
> University of Malaga
> SPAIN

It's already in the hosts files - that was the first place I looked when
this broke out. Nothing else on the box is stupid enough to look out to
DNS for local queries. It's weird that it only happens with reverse
lookups from Postfix. I can't see why nothing else does this, just
postfix and PTR.



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Wietse Venema
Steve:
> DNS for local queries. It's weird that it only happens with reverse
> lookups from Postfix. I can't see why nothing else does this, just
> postfix and PTR.

You have turned on the "chroot" feature for smtpd in master.cf,
but you have not provided the proper name service files in the
/var/spool/postfix jail.

Postfix as distributed from postfix.org does not chroot any
Postfix services.
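
[Added example, not part of the original thread and not Postfix's own tooling.] One way to check for the situation Wietse describes: list the smtpd services that master.cf runs chrooted, then compare the name service files inside the jail with the system copies. The function names, the sample master.cf and the sample file contents are constructed for illustration; the three files checked are the ones named earlier in the thread (/etc/hosts, /etc/resolv.conf, nsswitch.conf).

```shell
#!/bin/sh
# Added example (not from the thread): detect "smtpd is chrooted but the jail
# lacks or has stale name service files".

# List master.cf smtpd services whose chroot column (5th field) is "y" or "-".
# "-" means the built-in default, which is "y" before Postfix 3.0
# (the thread concerns 2.5.5) and "n" from 3.0 on.
chrooted_smtpd() {
    awk '
        /^[ \t]*#/ || /^[ \t]/ || NF < 8 { next }  # comments, continuations, blanks
        $8 == "smtpd" && ($5 == "y" || $5 == "-") { print $1 "/" $2 }
    ' "$1"
}

# Compare the resolver files inside the jail with the system copies.
# $1 = jail directory (queue_directory)
# $2 = system root, normally "/" (hypothetical parameter so the check can be
#      exercised against a scratch directory)
jail_report() {
    jail=$1
    root=${2:-/}
    for f in etc/hosts etc/resolv.conf etc/nsswitch.conf; do
        if [ ! -f "$jail/$f" ]; then
            echo "missing $f"
        elif ! cmp -s "$root/$f" "$jail/$f"; then
            echo "differs $f"
        else
            echo "ok $f"
        fi
    done
}

# Build constructed sample data under directory $1: a master.cf, a fake
# system root, and a jail with no etc/hosts and a stale nsswitch.conf.
make_sample() {
    mkdir -p "$1/root/etc" "$1/jail/etc"
    cat > "$1/master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
pickup    fifo  n       -       -       60      1       pickup
EOF
    printf '192.168.1.60 pc60.lan.example\n' > "$1/root/etc/hosts"
    printf 'nameserver 192.0.2.53\n' > "$1/root/etc/resolv.conf"
    printf 'hosts: files dns\n' > "$1/root/etc/nsswitch.conf"
    cp "$1/root/etc/resolv.conf" "$1/jail/etc/resolv.conf"
    printf 'hosts: dns\n' > "$1/jail/etc/nsswitch.conf"
}

# Demonstration on the constructed sample.
demo=$(mktemp -d)
make_sample "$demo"
chrooted_smtpd "$demo/master.cf"
jail_report "$demo/jail" "$demo/root"
rm -rf "$demo"
```

On a real host the equivalent calls would be chrooted_smtpd /etc/postfix/master.cf and jail_report "$(postconf -h queue_directory)". A "missing" or "differs" line for etc/hosts or etc/nsswitch.conf means the chrooted smtpd cannot see the hosts entries the rest of the system uses.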


mails not getting delivered

2009-05-19 Thread punit jain
Hi ,

I have a setup with postfix integrated with spamassassin and amavis. I have
a configuration with all spam tagged mails redirected to a spam id. For a
user I have a problem with mails not being received in inbox though postfix
logs say it's delivered. I checked out time stamp with client system too and
everything seems fine. Does anyone have hints on this? Below are logs and
configuration: -

May 19 14:36:16 mail postfix/smtpd[22988]: A1A88E6063B:
client=localhost.localdomain[127.0.0.1]
May 19 14:36:16 mail postfix/cleanup[22961]: A1A88E6063B: redirect: header
X-Spam-Status: Yes, score=2.2 required=2
tests=[ALL_TRUSTED=-3.3,??BAYES_00=-2.599, NO_REAL_NAME=0.007,
URIBL_AB_SURBL=0.417,??URIBL_JP_SURBL=2.462, URIBL_OB_SURBL=3.213,
URIBL_PH_SURBL=2] from localhost.localdomain[127.0.0.1]; from=<
jeetendra.jo...@orgltd.com> to= proto=ESMTP
helo=: spamad...@orgltd.com
May 19 14:36:16 mail postfix/cleanup[22961]: A1A88E6063B: message-id=<
3888.192.168.2.60.1242723975.squir...@mail.orgltd.com>
May 19 14:36:16 mail postfix/qmgr[14618]: A1A88E6063B: from=<
jeetendra.jo...@orgltd.com>, size=2492, nrcpt=1 (queue active)
May 19 14:36:16 mail amavis[24359]: (24359-15) Passed SPAMMY, <
jeetendra.jo...@orgltd.com> -> , Message-ID: <
3888.192.168.2.60.1242723975.squir...@mail.orgltd.com>, mail_id:
BEs8YhKeJ-Tl, Hits: 2.2, size: 1785, queued_as: A1A88E6063B, 1361 ms
May 19 14:36:16 mail postfix/smtp[22962]: 3BA26E60642: to=<
vinod.n...@orgltd.com>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent
(250 Ok: queued as A1A88E6063B)
May 19 14:36:16 mail postfix/local[23411]: A1A88E6063B: to=<
spamad...@orgltd.com>, orig_to=, relay=local,
delay=0, status=sent (delivered to maildir)
May 19 14:36:16 mail postfix/qmgr[14618]: A1A88E6063B: removed

This mail should be delivered to spamadmin account but is not.

Here is postconf -n output

[r...@mail ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 20
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydestination = $mydomain, $myhostname, localhost
mydomain = orgltd.com
myhostname = mail.orgltd.com
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
sample_directory = /usr/share/doc/postfix-2.1.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_done_timeout = 10s
smtpd_banner = $myhostname ESMTP
smtpd_error_sleep_time = 3s
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_non_fqdn_sender,reject_unknown_sender_domain,
permit_mynetworks,permit_sasl_authenticated,
reject_unauth_destination,  check_sender_access
hash:/etc/postfix/whitelist_sendersreject_rbl_client
zen.spamhaus.org,
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_soft_error_limit = 5
unknown_local_recipient_reject_code = 550


Any hints to the problem ?


Re: mails not getting delivered

2009-05-19 Thread Ralf Hildebrandt
* punit jain :
> Hi ,
> 
> I have a setup with postfix integrated with spamassassin and amavis. I
> have a configuration with all spam tagged mails redirected to a spam
> id. For a user I have a problem with mails not being received in inbox
> though postfix logs say it's delivered.

How do you check if the mail is in the mailbox?

> May 19 14:36:16 mail postfix/local[23411]: A1A88E6063B: 
> to=, orig_to=, relay=local, 
> delay=0, status=sent (delivered to maildir)
...
> home_mailbox = Maildir/

I guess the mail should be here:

mutt -f ~spamadmin/Maildir/

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
We have joy, we have fun, we have Linux on our Sun!


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Res

On Tue, 19 May 2009, Steve wrote:


> lookups from Postfix. I can't see why nothing else does this, just
> postfix and PTR.


Sendmail also does this (and likely Exim and others), unless IIRC, the 
range was included in access AND class R, this likely won't work with 
Postfix's methods since Sendmail's class R will whitelist for everything 
including milters, AFAIK, nothing will do that in Postfix, or not easily, 
we found that out last year when converting from sendmail to postfix 
with milter-regex.


I agree that DNS is not broken, it only answers what it has been asked 
for.


The best thing to do is set up bind on your mail server, let it be caching 
for everything but include a localnet range, you'll also find it helps 
and has benefits if you get a lot of mail from, or web lookup to same 
places etc, set all your local clients to use your DNS first with your 
ISP's as the secondary.


It's simple...add in (assuming you are using 192.168.x.x) to named.conf

zone "168.192.in-addr.arpa" {
    type master;
    file "localnet.rev";
    notify no;
};


and in /var/named/localnet.rev
$TTL 1D
@       IN      SOA     your.dns.name. hostmaster (
                        2009051701  ; serial
                        3H          ; refresh
                        30M         ; retry
                        4W          ; expire
                        1H )        ; negative caching TTL
                NS      your.dns.name.

1.0     PTR     foobar.dns.name.
2.0     PTR     foo.dns.name.
3.0     PTR     bar.dns.name.

then  host 192.168.0.1 would return foobar.dns.name 192.168.0.2 would
then return foo.dns.name

you can also add in the forward zone (this is not the list for DNS though
so I won't go into it any further here)


Once done...all your problems and fears should then disappear


--
Res

-Beware of programmers who carry screwdrivers
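
[Added example, not part of the original thread.] Before writing a local reverse zone like the one above, it helps to know which private reverse names clients are actually asking for. This filter reads query-log lines in the format quoted at the start of the thread and prints each PTR query that falls inside an RFC 1918 range, together with the reverse zone a local server would need to be master for. The function names and the sample log lines are constructed; the client address before "#port" is assumed to be present, as in BIND's query log.

```shell
#!/bin/sh
# Added example (not from the thread): find PTR queries for RFC 1918 space
# in a BIND-style query log and name the reverse zone that would cover them.

private_ptr_queries() {
    awk '
    # Return the RFC 1918 reverse zone that contains name, or "" if none.
    function rfc1918_zone(name,    n, p) {
        name = tolower(name)
        sub(/\.$/, "", name)
        n = split(name, p, ".")
        if (n < 3 || p[n] != "arpa" || p[n-1] != "in-addr") return ""
        # Labels are reversed: p[n-2] is the first octet, p[n-3] the second.
        if (p[n-2] == "10") return "10.in-addr.arpa"
        if (n < 4) return ""
        if (p[n-2] == "192" && p[n-3] == "168") return "168.192.in-addr.arpa"
        if (p[n-2] == "172" && p[n-3] ~ /^[0-9]+$/ && p[n-3] + 0 >= 16 && p[n-3] + 0 <= 31)
            return p[n-3] ".172.in-addr.arpa"
        return ""
    }
    {
        # Locate "query: <name> IN PTR" wherever it sits on the line.
        for (i = 1; i <= NF - 3; i++)
            if ($i == "query:" && $(i+2) == "IN" && $(i+3) == "PTR") {
                zone = rfc1918_zone($(i+1))
                if (zone != "") print $(i+1), zone
                break
            }
    }' "$@"
}

# Constructed sample log: three private PTR queries, one just outside
# 172.16/12, one public address whose last octet is 10, and one MX query.
sample_log() {
    cat <<'EOF'
19-May-2009 07:26:56.489 client 192.168.1.10#12345: query: 60.1.168.192.in-addr.arpa IN PTR +
19-May-2009 07:26:57.012 client 192.168.1.10#12346: query: 1.0.0.10.in-addr.arpa IN PTR +
19-May-2009 07:26:58.100 client 192.168.1.10#12347: query: 5.4.32.172.in-addr.arpa IN PTR +
19-May-2009 07:26:58.200 client 192.168.1.10#12348: query: 5.4.31.172.in-addr.arpa IN PTR +
19-May-2009 07:26:59.300 client 192.168.1.10#12349: query: 10.2.0.192.in-addr.arpa IN PTR +
19-May-2009 07:27:00.400 client 192.168.1.10#12350: query: mail.example.org IN MX +
EOF
}

# Demonstration on the constructed sample.
sample_log | private_ptr_queries
```

With a real log, pass the file name as an argument: private_ptr_queries /path/to/query.log (path is a placeholder).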


[OT] Re: kill ip from bootnets and zombi (shell script)

2009-05-19 Thread lst_hoe02

Quoting Andreas Schuldei:

> * Julio Cesar Covolato (ju...@psi.com.br) [090514 07:26]:
> > Hi!
> >
> > I made a little shell script for stopping botnets and zombies, and I want
> > to know what you think about it.
> >
> > The purpose is to drop via iptables hosts that are rejected several
> > times in a little space of time, reading the log generated by postfix.
> >
> > Tested in a Linux box.
> >
> > The script is so poor, but it's functional!  I think that using perl
> > will be much better ( Anyone? I'm very bad in perl, sorry!).
> >
> > Just download, untar, configure (optional), and run it by command line
> > for a few minutes, and see the show!!!
> >
> > The idea is to block via firewall the connections that are garbage. Test it!!
> >
> > Download pf-ip-killer :
> >
> > http://psi.com.br/~julio/postfix/pf-ip-killer.tgz
>
> this could be done with the "recent" module for iptables. that
> would take care of everything this script does (minus the pruning
> after one or two hours). if that could be done, too, all this
> could be a static iptables configuration.

Any comments on using the recent iptables module from someone with
higher traffic? We use the following to DROP connections from IPs with
too high connection-rate / time at IP-Level without known trouble:


$IPTABLES -X SMTP-BLOCK
# Used when a host exceeds the permitted number of new
# connections / time.
# The check takes place in the calling line; the sub-routine
# sets the counter, generates a LOG event and drops the packet.
$IPTABLES -N SMTP-BLOCK
$IPTABLES -A SMTP-BLOCK -m limit --limit 1/m --limit-burst 3 -j LOG \
    --log-level notice --log-prefix "iptables SMTP-BLOCK "

$IPTABLES -A SMTP-BLOCK -m recent --name SMTPBLOCK --set -j DROP
# Since 05/2007: rate limit of 15 new connections within 60 seconds.
# Additionally limited by Postfix means (anvil) to 10 simultaneous
# connections.
# With more than  connection requests per 60 sec the client is
# entered into the SMTP-BLOCK list and only admitted again once 360 sec.
# have passed without a further attempt.
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent \
    --name SMTPBLOCK --rcheck --seconds 360 -j SMTP-BLOCK
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent \
    --name SMTP --set
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent \
    --name SMTP --rcheck --seconds 60 --hitcount 15 -j SMTP-BLOCK

$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
#

As far as I know the only drawback is the limited number of entries
ipt_recent can hold at once.


Regards

Andreas








adding secondary MX

2009-05-19 Thread postfix



I have a postfix mail server (postfix-2.3.3-2.1.centos.mysql_pgsql) 
hosting 20-30 virtual domains on mysql.


Now I find myself with the need to make that server also the 
secondary MX for another specific domain that I was for all users.


If I understand the steps correctly (from 
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall), I need to:

Add the MX record to DNS,

Add a relay_domains entry:
relay_domains = the.backed-up.domain.tld

add:
relay_recipient_maps = hash:/etc/postfix/relay_recipients

Add an entry to /etc/postfix/relay_recipients:
@the.backed-up.domain.tld x
(and rebuild the hash)

restart postfix.

That about it?

Rick


[r...@agencymail filter.d]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 2d
bounce_size_limit = 5
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisd-new:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
delay_warning_time = 2h
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /var/www/html/postfix
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 2d
message_size_limit = 3072
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = localhost $myhostname
mydomain = example.com
myhostname = agencymail.example.com
myorigin = example2.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 2
smtp_use_tls = yes
smtpd_client_connection_rate_limit = 30
smtpd_client_restrictions =
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient
    reject_non_fqdn_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access hash:/etc/postfix/agencies
    reject_unauth_destination
    check_helo_access pcre:/etc/postfix/helo_checks
    check_sender_access hash:/etc/postfix/access
    reject_unknown_sender_domain
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client cbl.abuseat.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_cert_file = /etc/httpd/certs/agencymail_example_com.crt
smtpd_tls_key_file = /etc/httpd/certs/agencymail.example.com.key.no.password
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:105
virtual_mailbox_base = /var/spool/mail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:1015


Rick Steeves
http://www.sinister.net

"The more I learn, it seems, the less I know." Frazz



Re: RFC 1918 -v- Postfix

2009-05-19 Thread Charles Marcus
On 5/19/2009, Steve (steve.h...@digitalcertainty.co.uk) wrote:
> Just where is anything fully documented with Postfix?

http://www.postfix.org/documentation.html

?

-- 

Best regards,

Charles


Re: suppressing (No client certificate requested) from TLS header

2009-05-19 Thread Julius Thijssen
On Mon, May 18, 2009 at 17:36, Victor Duchovni wrote:
> On Mon, May 18, 2009 at 09:42:08AM -0500, Noel Jones wrote:
>
> > IF /^Received: .*by mail.my.domain/
> > IF /no client certificate/
> > /(.*)\(No client certificate requested\)(.*)/
> >   REPLACE $1 $2
> > ENDIF
> > ENDIF
>
> This will leave a blank line in the middle of the folded header, which
> violates RFC5322. With PCRE:
>
>    # If $mail_name is not "Postfix" adjust accordingly...
>    /^(Received: from \S+ \S+ \S+\n\t\([^\n]*\)\n)\t\(No client certificate requested\)\n((?:\t\([^\n]*\)\n)*?\tby mail\.example\.com \(Postfix\).*)/
>        REPLACE ${1}${2}

Thanks. This works.

> This deals with optional "(Authenticated sender: ...)" comments between
> the TLS comments and "by mtahost ...". It errs on the side of not removing
> the client cert comment if at all in doubt, by making sure that all the
> expected elements are in the expected form and place.
>
> This said, the whole thing is a waste of time. Just leave the comment
> there, it does no harm.

Hmm.. the reason I wanted to do this is precisely because it already caused harm
by upsetting silly users that worried they were doing something wrong in the
way their clients were configged. Explaining that it does no harm is not really
functional in such cases, is my experience..

Julius
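
The difference between the two rewrite rules quoted in this message, as an added example that is not part of the original posts: a Python sketch that applies both to constructed Received headers and counts whitespace-only continuation lines. It assumes Postfix's default pcre flags correspond to re.IGNORECASE | re.DOTALL, uses mail.example.com as the MTA name for both rules, and all function names and sample headers are made up here.

```python
import re

# Postfix pcre tables are case-insensitive and let "." match newlines by
# default; header_checks sees a folded header as one multi-line string.
FLAGS = re.IGNORECASE | re.DOTALL

# Constructed sample headers (not taken from the thread).
PLAIN = (
    "Received: from client.example.net (client.example.net [192.0.2.10])\n"
    "\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby mail.example.com (Postfix) with ESMTPS id 4F2A81C0DE\n"
    "\tfor <user@example.com>; Tue, 19 May 2009 17:21:54 +0200 (CEST)"
)
# Same header with an extra comment between the TLS comments and "by".
AUTH = PLAIN.replace(
    "\tby mail.example.com",
    "\t(Authenticated sender: alice)\n\tby mail.example.com",
)
# Unexpected layout: both comments folded onto a single line.
ODD = PLAIN.replace("bits))\n\t(No client", "bits)) (No client")

# The strict PCRE rule from the quoted reply, split over three string parts.
STRICT = re.compile(
    r"^(Received: from \S+ \S+ \S+\n\t\([^\n]*\)\n)"
    r"\t\(No client certificate requested\)\n"
    r"((?:\t\([^\n]*\)\n)*?\tby mail\.example\.com \(Postfix\).*)",
    FLAGS,
)


def rewrite_simple(header):
    """Nested-IF rule quoted first: REPLACE $1 $2 (host name adapted)."""
    if not re.search(r"^Received: .*by mail\.example\.com", header, FLAGS):
        return header
    if not re.search(r"no client certificate", header, FLAGS):
        return header
    m = re.search(r"(.*)\(No client certificate requested\)(.*)", header, FLAGS)
    return m.group(1) + " " + m.group(2) if m else header


def rewrite_strict(header):
    """Strict rule: REPLACE ${1}${2}, only when every element is in place."""
    m = STRICT.search(header)
    return m.group(1) + m.group(2) if m else header


def whitespace_only_lines(header):
    """Count physical lines that hold nothing but whitespace."""
    return sum(1 for line in header.split("\n") if line.strip() == "")


if __name__ == "__main__":
    for name, hdr in (("PLAIN", PLAIN), ("AUTH", AUTH), ("ODD", ODD)):
        simple, strict = rewrite_simple(hdr), rewrite_strict(hdr)
        print(name,
              "simple blank lines:", whitespace_only_lines(simple),
              "| strict blank lines:", whitespace_only_lines(strict),
              "| strict changed header:", strict != hdr)
```
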


Re: dbmail or dovecot

2009-05-19 Thread Bill Cole

[Reply-To set, as this is only peripheral to Postfix]

Just E. Mail wrote, On 5/10/09 11:17 AM:

> This question is going to be difficult  for many to answer, but please
> help.
>
> I am trying to setup a Master/Client server setup to run Postfix. The
> MASTER server has Postfix & PostgreSQL Client installed on it. The
> Master machine is at the backend with PostgreSQL Server installed on it.
>
> All emails will be held on the backend PostgreSQL Server, which is only
> accessible from the Postfix/PostgreSQL Server. I hope you get the picture.
>
> I am trying to determine whether I use 'dbmail' or 'dovecot'? I am new
> to both of these applications & they both seems interesting. I am a


I'm late for your weekend deadline, but in case you haven't figured it out: 
this is not just like comparing apples to oranges, but like asking a group 
of butchers for advice on whether to drink wine or beer...


If you are determined to store your mail in a Postgres database, Dovecot is 
not an option. Dbmail can do that, and it is by far the most prominent free 
software that is able to use a generic RDBMS as a mailstore for POP and IMAP 
access.



> NEWBIE so it is important to know which one of these two application is
> easy to install, setup, maintain & feature rich. It will be nice to see
> URL of a site or Screen shots to see how each of them look. I am sure I
> am leaving few things out. Please help. I am working on the weekend.


I can't speak to a direct comparison, as I haven't looked closely at dbmail 
2.x. However, there are some things you should understand:


1. Neither dovecot nor dbmail provide much in the way of "look" because they 
are both NOT user-facing. I expect that both have had add-on GUI 
administration tools built for them (such as modules for Webmin) but in both 
cases you are essentially looking at fairly traditional Unix/Linux server 
software that is configured and administered from a command line.


2. There are reasons that dbmail is just about the only software using 
generic RDBMS's to store mail. Others have tried that (including Oracle) and 
met disappointment in the market. The tasks that a RDBMS (i.e. Postgres, 
MySQL, Oracle, etc.) is optimized for are tasks that are rarely needed for 
email, and the data structure of email fits poorly into traditional RDBMS 
models. Everyone's needs are different of course, so maybe you really do 
need your mail in Postgres, but you should understand that by making that 
choice you are probably giving up performance and flexibility in some common 
use cases for email. You should also be aware of the fact that "how should I 
store messages?" is one of the questions that many mail admins have to 
address repeatedly, not because they answer it wrong, but because the right 
answer depends on what a particular population of users want from their 
mailboxes today.


3. If you decide not to store mail in Postgres, dovecot probably is your 
best bet for what it does. There are other choices, but they are not 
particularly compelling for an environment where a "newbie" admin is likely 
to be working. Put more bluntly: if you are in a situation where Cyrus would 
really make sense, you probably need to hire someone with experience.




Webmail

2009-05-19 Thread Just E. Mail
I am posting this message here because I want Postfix users to suggest a
webmail application best suited with Postfix. This question has been
asked and answered several times but since LINUX is changing so fast, I
am asking again.


System: CentOS 5.3, NSF-1.3.23, PostgreSQL-8.3.7, Postfix-2.3.3, 
Dovecot-1.0.7,...


Now I like to install a webmail program. I have looked in SquirrelMail
and it looks promising. However, I like to know if there is another
webmail application I should also look into?


Please note, that eventually, I will be using PostgreSQL backend to 
store emails, if that makes any difference.


Re: Webmail

2009-05-19 Thread Matt Hayes
Just E. Mail wrote:
> I am posting this message here because I want Postfix uses to suggest a
> webmail application best suited with Postfix. This question has been
> asked and answered several times but since LINUX is changing so fast, I
> am asking again.
> 
> System: CentOS 5.3, NSF-1.3.23, PostgreSQL-8.3.7, Postfix-2.3.3,
> Dovecot-1.0.7,...
> 
> Now I like to install a webmail program. I have looked in SqirrelMail
> and it looks promising. However, I like to know if there is another
> webmail application I should also look into?
> 
> Please note, that eventually, I will be using PostgreSQL backend to
> store emails, if that makes any difference.

I would suggest squirrelmail right off the bat, however, Roundcube
Webmail seems to be taking shape very well.  Nice interface, decent
development cycle.

Roundcube has some pitfalls in the fact that it doesn't have the
plethora of plugins that Squirrelmail does.

-Matt


Re: Webmail

2009-05-19 Thread Carlos Williams
On Tue, May 19, 2009 at 11:25 AM, Just E. Mail  wrote:
> I am posting this message here because I want Postfix uses to suggest a
> webmail application best suited with Postfix. This question has been asked
> and answered several times but since LINUX is changing so fast, I am asking
> again.
>
> System: CentOS 5.3, NSF-1.3.23, PostgreSQL-8.3.7, Postfix-2.3.3,
> Dovecot-1.0.7,...
>
> Now I like to install a webmail program. I have looked in SqirrelMail and it
> looks promising. However, I like to know if there is another webmail
> application I should also look into?
>
> Please note, that eventually, I will be using PostgreSQL backend to store
> emails, if that makes any difference.

I just moved from Squirrelmail to Roundcube and I love it!


Re: adding secondary MX

2009-05-19 Thread Noel Jones

post...@corwyn.net wrote:



> I have a postfix mail server (postfix-2.3.3-2.1.centos.mysql_pgsql)
> hosting 20-30 virtual domains on mysql.
>
> Now I find myself with the need to make that server also the secondary
> MX for another specific domain that I was for all users.
>
> If I understand the steps correctly (from
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall), I
> need to:
>
> Add the MX record to DNS,
>
> Add a relay_domains entry:
> relay_domains = the.backed-up.domain.tld
>
> add:
> relay_recipient_maps = hash:/etc/postfix/relay_recipients


Yes, the above is correct.


> Add an entry to /etc/postfix/relay_recipients:
> @the.backed-up.domain.tld x


Technically correct, but unwise.
You must validate recipients for the backed-up domain.  Either
create some method for updating the relay_recipient_maps
table, or use postfix's active verification through the
reject_unverified_recipient restriction.  Use a
check_recipient_access table to restrict verification probes
to only the relay domain.


> [r...@agencymail filter.d]# postconf -n
> ...
> maximal_queue_lifetime = 2d


That's quite short.  Do you have lots of undeliverable mail?


> smtpd_client_restrictions =
> smtpd_data_restrictions = reject_multi_recipient_bounce
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_client_access hash:/etc/postfix/agencies
>     reject_unauth_destination
>     check_helo_access pcre:/etc/postfix/helo_checks
>     check_sender_access hash:/etc/postfix/access
>     reject_unknown_sender_domain
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client dnsbl.sorbs.net
>     reject_rbl_client cbl.abuseat.org


cbl.abuseat.org is included in zen.spamhaus.org.  You should 
remove it.



"The more I learn, it seems, the less I know." Frazz


How true...


  -- Noel Jones


Re: Webmail

2009-05-19 Thread utahnix
Carlos Williams wrote:
> On Tue, May 19, 2009 at 11:25 AM, Just E. Mail  
> wrote:
>   
>> I am posting this message here because I want Postfix uses to suggest a
>> webmail application best suited with Postfix. This question has been asked
>> and answered several times but since LINUX is changing so fast, I am asking
>> again.
>>
>> System: CentOS 5.3, NSF-1.3.23, PostgreSQL-8.3.7, Postfix-2.3.3,
>> Dovecot-1.0.7,...
>>
>> Now I like to install a webmail program. I have looked in SqirrelMail and it
>> looks promising. However, I like to know if there is another webmail
>> application I should also look into?
>>
>> Please note, that eventually, I will be using PostgreSQL backend to store
>> emails, if that makes any difference.
>> 
>
> I just moved from Squirellmail to Roundcube and I love it!
>   
I have to second that. Roundcube is awesome. Squirrelmail is good too,
but Roundcube is visually more appealing and a lot easier to use for
most novice users, IMHO.


Re: RFC 1918 -v- Postfix

2009-05-19 Thread David Favro
Friends,

What would be valuable (or at least interesting) to me is to treat the RDNS
lookup (peer address->name and subsequent name->address) as a part of
smtpd_client_restrictions, or in some way delay it until that time.  Currently,
it seems that both of the above lookups take place before any
smtpd_client_restrictions processing even begins, which means that two DNS
queries are made [I won't say that postfix makes them since that seems to
provoke some ire, but it does cause them to be made on its behalf via a call to
gethostbyaddr()], which in some cases could be avoided, thus reducing
traffic.  For example, I eliminate >85% of my incoming email at "RCPT TO" time
via a local access(5) map for valid/invalid recipients
(smtpd_recipient_restrictions's check_recipient_access), which generates no
external traffic; since I use "smtpd_delay_reject = yes", I defer RBL lookups
(which also consume network resources since I don't locally mirror any RBLs)
until after receipt of the "RCPT TO" and subsequent recipient-check; but I am
not able to defer the peername lookup without turning off smtpd_peername_lookup
entirely, which I assume disables the use of, e.g.,
reject_unknown_client_hostname (whether or not this is true is ambiguous at best
in the postconf(5) documentation for my version, 2.5.5, which might be an
example of what Steve refers to as incomplete documentation).

I suspect that eliminating 3 or 4 DNS query packets and the same number of DNS
result packets outweighs the additional traffic of receiving HELO, MAIL FROM:
and RCPT TO: (and resultant TCP ACKs), and it definitely would save on traffic
for me since I will delay-reject in any case, to reduce the number of queries to
the RBL.

If the peername lookup could be specified (in order) as a part of
smtpd_client_restrictions (smtpd_helo_restrictions,
smtpd_recipient_restrictions, etc. when smtpd_delay_reject is turned on), it
would allow me to check my local invalid-recipient map and reject the majority
of incoming connections without two external PTR lookups while preserving the
ability to check the peername validity for incoming connection with a valid
recipient.  Of course, the reverse-resolved peername is sometimes needed as part
of client restrictions, so another strategy is "lazy resolution", delaying
resolution until needed, i.e. during/after client restrictions processing.

If I understand Steve's problem correctly, wouldn't this furthermore solve it,
since he could specify permit_mynetworks prior to reject_unknown_client_hostname
(or perhaps a new "pseudo-restriction" to specify lookup without rejection like
"lookup_client_hostname") in smtpd_client_restrictions?

Of course, I haven't gone through the code with a fine-toothed comb, so there
may perhaps be something taking place between the peername lookup (looks to me
to be very early on, in smtpd_peer_init(), called from smtpd_state_init()) and
the later checks (e.g. client-check in smtpd_check_client(), called from
smtpd_proto()) that might require the reverse-resolved peername, but (1) it
currently may not be available if smtpd_peername_lookup is turned off, and (2)
if needed, the "lazy-resolve" method would retrieve it "just in time."

Cheers,
David




Re: adding secondary MX

2009-05-19 Thread postfix

At 11:40 AM 5/19/2009, Noel Jones wrote:

>> Add an entry to /etc/postfix/relay_recipients:
>> @the.backed-up.domain.tld x
>
> Technically correct, but unwise.
> You must validate recipients for the backed-up domain.


why "must"?

Won't the mail just be forwarded to the primary mail server, who can 
reject it there?



> ...
>> maximal_queue_lifetime = 2d
>
> That's quite short.  Do you have lots of undeliverable mail?


For most of our mail, if it doesn't deliver in 2 days, it's  never 
going to deliver. And  if it takes 2 days, it's already too late.


>> zen.spamhaus.org reject_rbl_client bl.spamcop.net
>> reject_rbl_client dnsbl.sorbs.net   reject_rbl_client cbl.abuseat.org
>
> cbl.abuseat.org is included in zen.spamhaus.org.  You should remove it.


Duly noted - thanks!


rick



Re: adding secondary MX

2009-05-19 Thread Aaron Wolfe
On Tue, May 19, 2009 at 1:07 PM,   wrote:
> At 11:40 AM 5/19/2009, Noel Jones wrote:
>>>
>>> Add an entry to /etc/postfix/relay_recipients:
>>> @the.backed-up.domain.tld x
>>
>> Technically correct, but unwise.
>> You must validate recipients for the backed-up domain.
>
> why "must"?
>
> Won't the mail just be forwarded to the primary mail server, who can reject
> it there?
>

No.  You will be a massive source of backscatter using this
configuration.  Your secondary server's mail queue will fill with NDRs
for all the messages you accepted that cannot be delivered, and your
site will end up blacklisted all over the place.


>> ...
>>>
>>> maximal_queue_lifetime = 2d
>>
>> That's quite short.  Do you have lots of undeliverable mail?
>
> For most of our mail, if it doesn't deliver in 2 days, it's  never going to
> deliver. And  if it takes 2 days, it's already too late.
>
>>> zen.spamhaus.org     reject_rbl_client bl.spamcop.net reject_rbl_client
>>> dnsbl.sorbs.net       reject_rbl_client cbl.abuseat.org
>>
>> cbl.abuseat.org is included in zen.spamhaus.org.  You should remove it.
>
> Duly noted - thanks!
>
>
> rick
>
>


getting around "warning: Illegal address syntax"

2009-05-19 Thread Security Admin (NetSec)
I have a network device that I am trying to have logs sent to my mail server 
via my postfix mail gateway.  When trying to send a test e-mail I get the 
following error in my maillog file:

postfix/smtpd[17063]: warning: Illegal address syntax from 
device.domain.com[xxx.yyy.zzz.9] in MAIL command:  
dev...@domain.com

I tried modifying the main.cf file to allow the IP address through 
("permit_mynetworks" is the first thing listed in the restrictions) but still 
was met with this error.  Saw a few postings via a Google from about 5 years 
ago but could not see what the solution might be.  Using Postfix v2.5.6

Thanks in advance!

Edward W. Ray


Re: getting around "warning: Illegal address syntax"

2009-05-19 Thread Noel Jones

Security Admin (NetSec) wrote:
> I have a network device that I am trying to have logs sent to my mail
> server via my postfix mail gateway.  When trying to send a test e-mail I
> get the following error in my maillog file:
>
> postfix/smtpd[17063]: warning: Illegal address syntax from
> device.domain.com[xxx.yyy.zzz.9] in MAIL command:  dev...@domain.com


[please post in plain-text only]

The above is a warning only, stating the device doesn't speak 
SMTP.  Get a better device.


Postfix accepts such garbage in order to be compatible with 
poorly implemented software.

http://www.postfix.org/postconf.5.html#strict_rfc821_envelopes

If the message is rejected, there will be a separate log entry 
with details of why the message was rejected.


  -- Noel Jones


Re: Webmail

2009-05-19 Thread Just E. Mail

Thank you all.

I am going with roundcube:  http://www.roundcube.net





Re: adding secondary MX

2009-05-19 Thread Noel Jones

post...@corwyn.net wrote:

> At 11:40 AM 5/19/2009, Noel Jones wrote:
>>> Add an entry to /etc/postfix/relay_recipients:
>>> @the.backed-up.domain.tld x
>>
>> Technically correct, but unwise.
>> You must validate recipients for the backed-up domain.
>
> why "must"?
>
> Won't the mail just be forwarded to the primary mail server, who can
> reject it there?


... which then causes your server to generate a bounce to the 
(often forged) envelope sender.  Your queue will be clogged 
with undeliverable bounces, choking performance for legit mail.
Eventually you will deliver enough mail to forged senders that 
your server will be blacklisted as an outscatter/backscatter 
source.






>> ...
>>> maximal_queue_lifetime = 2d
>>
>> That's quite short.  Do you have lots of undeliverable mail?
>
> For most of our mail, if it doesn't deliver in 2 days, it's  never going
> to deliver. And  if it takes 2 days, it's already too late.


We often see people using a short queue lifetime to cover up 
more serious problems with undeliverable mail.  If you have 
more than a handful of undeliverable mails, whether bounces or 
not, you should address the problem more directly.


  -- Noel Jones
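
Why the `@the.backed-up.domain.tld x` catch-all makes a backup MX a bounce source, as an added Python model (not Postfix code and not written by anyone in this thread): it parses a relay_recipients source file and counts which envelope senders would receive a bounce from the backup MX. It assumes the lookup tries the full address and then `@domain`, ignores recipient_delimiter, and all function names, mailboxes and delivery attempts are constructed for illustration.

```python
def parse_table(text):
    """Parse postmap(1) source text into a list of (key, value) pairs.

    Blank lines and lines whose first non-blank character is '#' are
    skipped; a line starting with whitespace continues the previous entry.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            key, value = entries[-1]
            entries[-1] = (key, (value + " " + raw.strip()).strip())
            continue
        parts = raw.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def rcpt_accepted(entries, rcpt):
    """True if the backup MX would accept RCPT TO for this address.

    Assumed lookup order: user@domain first, then the @domain catch-all.
    """
    keys = {key.lower() for key, _ in entries}
    rcpt = rcpt.lower()
    domain = rcpt.rpartition("@")[2]
    return rcpt in keys or "@" + domain in keys


def catch_all_domains(entries):
    """Domains for which every recipient is accepted without validation."""
    return sorted(key[1:].lower() for key, _ in entries if key.startswith("@"))


def bounces_generated(entries, attempts, primary_mailboxes):
    """Envelope senders that get a bounce from the backup MX.

    A bounce is produced when the backup accepts the recipient but the
    primary later refuses it, so the backup has to return the message.
    """
    primary = {mailbox.lower() for mailbox in primary_mailboxes}
    return [sender for sender, rcpt in attempts
            if rcpt_accepted(entries, rcpt) and rcpt.lower() not in primary]


# Constructed sample data.
WILDCARD = "@the.backed-up.domain.tld x\n"
EXPLICIT = (
    "# one line per valid mailbox on the primary\n"
    "alice@the.backed-up.domain.tld x\n"
    "bob@the.backed-up.domain.tld x\n"
)
PRIMARY_MAILBOXES = ["alice@the.backed-up.domain.tld",
                     "bob@the.backed-up.domain.tld"]
ATTEMPTS = [  # (envelope sender, recipient)
    ("forged1@victim.example", "sales@the.backed-up.domain.tld"),
    ("forged2@victim.example", "info@the.backed-up.domain.tld"),
    ("carol@sender.example", "alice@the.backed-up.domain.tld"),
    ("forged3@victim.example", "bob1972@the.backed-up.domain.tld"),
]

if __name__ == "__main__":
    for label, text in (("wildcard", WILDCARD), ("explicit", EXPLICIT)):
        table = parse_table(text)
        print(label,
              "| catch-all domains:", catch_all_domains(table),
              "| bounces sent to:",
              bounces_generated(table, ATTEMPTS, PRIMARY_MAILBOXES))
```
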


Re: getting around "warning: Illegal address syntax"

2009-05-19 Thread Wietse Venema
Security Admin (NetSec):
> I have a network device that I am trying to have logs sent to my
> mail server via my postfix mail gateway.  When trying to send a
> test e-mail I get the following error in my maillog file:
> 
> postfix/smtpd[17063]: warning: Illegal address syntax from
> device.domain.com[xxx.yyy.zzz.9] in MAIL command:
> dev...@domain.com

That is because YOU configured "strict_rfc821_envelopes=yes"
in main.cf.

Wietse


Re: RFC 1918 -v- Postfix

2009-05-19 Thread Wietse Venema
David Favro:
> Friends,
> 
> What would be valuable (or at least interesting) to me is to treat the RDNS
> lookup (peer address->name and subsequent name->address) as a part of
> smtpd_client_restrictions, or in some way delay it until that time.  
> Currently,
> it seems that both of the above lookups take place before any
> smtpd_client_restrictions processing even begins, which means that two DNS
> queries are made [I won't say that postfix makes them since that seems to
> provoke some ire, but it does cause them to be made on its behalf via a call 
> to
> gethostbyaddr()], which in some cases could be avoided, thus saving reducing
> traffic.

The client name is needed for logging purposes, so there is no gain
from looking up late. If you don't want the name to be looked up,
then configure postfix accordingly.

Wietse


Re: Webmail

2009-05-19 Thread Carlos Williams
On Tue, May 19, 2009 at 1:50 PM, Just E. Mail  wrote:
> Thank you all.
>
> I am going with roundcube:  http://www.roundcube.net

It's really easy to install. Main thing is making sure you have PHP
5.2+ installed on Apache and also configuring your MySQL database
which is super easy if you follow the wiki.

I did this on RHEL / CentOS and it worked great! If you need any more
assistance, please let me know. There are a few things I wish I had
known before it went live that I know now. I don't know
your environment so if you need more info, please let me know!

PS - They had a great forums but it's down now for some reason. Their
support forums is re-directed to some crazy Pokemon type page...


Re: suppressing (No client certificate requested) from TLS header

2009-05-19 Thread Victor Duchovni
On Tue, May 19, 2009 at 05:21:54PM +0200, Julius Thijssen wrote:

> Hmm.. the reason I wanted to do this is precisely because it already caused 
> harm
> by upsetting silly users that worried they were doing something wrong in the
> way their clients were configged. Explaining that it does no harm is not 
> really
> functional in such cases, is my experience..

I don't know what obligations you have to these users. In mutt, I have
keyboard bindings that generate "canned" responses to various user-error
scenarios with our email quarantine. It takes two keystrokes to dispatch
a canned response to a confused user. The canned response can politely
suggest that no further correspondence on the issue is expected.

This said, the rewrite is also harmless, so long as you draw the line
somewhere sensible.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


delivery notification

2009-05-19 Thread Dr.Pesko

Hello everyone,

can postfix automatically create delivery notification info for every 
sent message and store it in another mailbox? Thanks.


Best Regards,
Dr.Pesko


Fwd: empty subject, empty body, from: Postfix After-Queue Content Filter...

2009-05-19 Thread Robert Lopez
This is one of a few problem areas in main.cf I have found. They all seem to
involve at least the syntax of parameter assignment. The following is from
working email gateways running postfix 2.2.10.

The "value" of the assignment consists of tokens separated by commas and by
comma followed by newlines. Is that legal? I would expect only a newline
only after the end of the one line. Again, this works on the older systems
but the newer one I am building does not like it at all. (I think for other
reasons as well.)

mydestination = $myhostname, $mydomain, localhost.localdomain,
  cnm.edu, mail.cnm.edu, .cnm.edu ,
.cnm.edu,
.cnm.edu ,
  nmvc.org, mail.nmvc.org, .nmvc.org ,
.nmvc.org , .nmvc.org ,
  nmvirtualcollege.org, mail.nmvirtualcollege.org,
.nmvirtualcollege.org,
.nmvirtualcollege.org ,
.nmvirtualcollege.org 
  nmln.net, ideal-nm.org, ideal-nm.net, idealnm.org, idealnm.net

-- Forwarded message --
From: Wietse Venema 
Date: Mon, May 18, 2009 at 5:23 PM
Subject: Re: empty subject, empty body, from: Postfix After-Queue Content
Filter...
To: Robert Lopez 
Cc: postfix-users@postfix.org


Robert Lopez:
> A new email gateway I am building is sending email with empty subject,
empty
> body,
> and the internal from starts with "Postfix After-Queue Content Filter:.

You need to undo your changes one by one until you find the one
that causes the problem.

   Wietse


Re: Fwd: empty subject, empty body, from: Postfix After-Queue Content Filter...

2009-05-19 Thread Wietse Venema
Robert Lopez:
> This is one of a few problem areas in main.cf I have found. They all seem to
> involve at lease the syntax of parameter assignment. The following is from
> working email gateways running postfix 2.2.10.
> 
> The "value" of the assignment consists of tokens separated by commas and by
> comma followed by newlines. It that legal? I would expect only a newline
> only after the end of the one line. Again, this works on the older systems
> but the newer one I am building does not like it at all. (I think for other
> reasons as well.)

main.cf syntax has not changed.

Wietse


Re: Sent Mail Shows FQDN in Email Address

2009-05-19 Thread mouss
Scott Haneda wrote:
> On May 18, 2009, at 8:08 PM, LuKreme wrote:
> 
>> On 17-May-2009, at 19:44, Carlos Williams wrote:
>>> u...@mail.myserver.com
>>
>> myserver.com is a real domain name.  Is it YOUR domain name? Somehow I
>> doubt it.
> 
> Thank you for pointing this out.  I feel bad for anyone at domain,
> company, foo, bar, foobar .com etc at least once day.
> 
>> Use example.com, example.net, example.org, etc. Or use an impossible
>> name like mydomain.tld, foobar.tld, &c. when obfuscating. Oh, and
>> obfuscating on this list is generally a waste of time and makes it
>> harder for people to help you.
> 
> Glad you brought this up, often times I am using example.com and then
> ns.example.com and imap.example.com and want to refer to something else
> outside of example.com.  I am pretty sure there is even an RFC that
> states to use example.com.  However, when you want to show a two sided
> problem, you need another, using second.tld is a nice way to do that, so
> thanks.
> 

if you want many domains, just use .example (joe.example, jim.example,
jack.example, ... etc).


> It would be interesting to see some data on 208.77.188.166 (example.com
> A record) to see just what type of traffic they do get.

probably less than reverse DNS queries for private IPs...



Re: Postfix version 2.6.0 available

2009-05-19 Thread Ihsan Dogan
On 12.5.2009 at 15:17, Wietse Venema wrote:

> Postfix stable release 2.6.0 is available. After Postfix was declared
> "complete" with version 2.3, the focus has moved towards improving
> the code/documentation, and updating it for changing environments.

I've updated the Solaris packages to 2.6.0 and they are available here:
http://ihsan.dogan.ch/postfix/



Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/


Re: delivery notification

2009-05-19 Thread mouss
Dr.Pesko wrote:
> Hello everyone,
> 
> can postfix automatically create delivery notification info for every
> sent message and store it in another mailbox? Thanks.
> 

it's unclear what you mean by "delivery notification". if it's DSN, then
the client needs to request it.

but you probably want a vacation program.


Re: RFC 1918 -v- Postfix

2009-05-19 Thread mouss
David Favro wrote:
> Friends,
> 
> What would be valuable (or at least interesting) to me is to treat the RDNS
> lookup (peer address->name and subsequent name->address) as a part of
> smtpd_client_restrictions, or in some way delay it until that time.  
> [snip]

The lookup result is used in the Received headers (and in logs as Wietse
 said).

and this can also be used to implement special checks if the IP has
no reverse. for example, one could decide to block all outbound smtp if
the client IP doesn't resolve. The goal would be to block outbound smtp
from unregistered machines.


When running a mail server, it is recommended to run a local DNS server,
and if you do you can setup a reverse zone for your private IPs. This is
trivial (and is even provided in default setups of BIND in some systems).

alternatively, if your resolver uses /etc/hosts, then you can put the
IPs there. if your smtpd is chrooted, you need to copy this file to the
cage.

and of course, one can also enable the submission service and disable
lookups on this service. if you don't want to change clients, you can
use a NAT redirection (iptables, pf, ... etc) to redirect traffic from
your LAN going to 25 to the submission IP:port.


Custom 550 5.1.1 message

2009-05-19 Thread Mark Edwards
I would like to issue a custom message for 550 5.1.1 errors, on a per- 
user basis.  In other words, instead of the generic



Recipient address rejected: User unknown in virtual mailbox table



that goes out now, I want the ability to override that with a message  
saying something like:


	 is no longer valid; please contact  at address>.


Is such a thing possible with Postfix?  Thanks!


Re: Custom 550 5.1.1 message

2009-05-19 Thread Ralf Hildebrandt
* Mark Edwards :
> I would like to issue a custom message for 550 5.1.1 errors, on a per- 
> user basis.  In other words, instead of the generic
>
>> Recipient address rejected: User unknown in virtual mailbox table
>
>
> that goes out now, I want the ability to override that with a message  
> saying something like:
>
>is no longer valid; please contact  at  address>.
>
> Is such a thing possible with Postfix?  Thanks!

man 5 relocated

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
This software comes with ABSOLUTELY NO WARRANTY. Even if it erases your
hard drive, too bad. Although we did fix that bug from the last release.


Re: Custom 550 5.1.1 message

2009-05-19 Thread Mark Edwards

On May 19, 2009, at 2:16 PM, Ralf Hildebrandt wrote:


> * Mark Edwards :
>> I would like to issue a custom message for 550 5.1.1 errors, on a
>> per-user basis.  In other words, instead of the generic
>>
>>> Recipient address rejected: User unknown in virtual mailbox table
>>
>> that goes out now, I want the ability to override that with a message
>> saying something like:
>>
>> 	 is no longer valid; please contact  at email-address>.
>>
>> Is such a thing possible with Postfix?  Thanks!
>
> man 5 relocated


Thanks so much, that was easier than I thought.  I just didn't know  
what to google for.  Cheers!


time stamp changes in the queue

2009-05-19 Thread tom lee
Hello,
I want to find out if there is a mail in the queue for two days using
"find" command.
However, creation time for the mails under /var/spool/postfix/deferred/
  is always about 40 minutes ahead of my local time,  I also noticed
that the time stamp for the mails in  the queue changes and always be
ahead of local time even after the mail has been in the queue for a
day. Is it designed this way in postfix?

Is there a better way or command to find out queued mails more than 2
days old instead of using find to search /var/spool/postfix/deferred/
?
Thanks in advance.


Re: Postfix-2.6.0 RPM

2009-05-19 Thread Carlos Williams
> I'll see if I can make some time to build some 2.6 rpms, but am likely
> to respond more if there are people who show an interest in these rpms
> I build.

I too am interested and would like to try it. I have never used
anything beyond the vendor supplied version of Postfix but am tired of
waiting for Red Hat to get their packages updated. Running v2.3 is way
too old for my needs.

I appreciate your time and help! Wish I had the know-how on how to
create them since I have the time...

- Carlos


Re: time stamp changes in the queue'

2009-05-19 Thread Wietse Venema
tom lee:
> Hello,
> I want to find out if there is a mail in the queue for two days using
> "find" command.
> However, creation time for the mails under /var/spool/postfix/deferred/
>   is always about 40 minutes ahead of my local time,  I also noticed
> that the time stamp for the mails in  the queue changes and always be
> ahead of local time even after the mail has been in the queue for a
> day. Is it designed this way in postfix?

Yes.

> Is there a better way or command to find out queued mails more than 2
> days old instead of using find to search /var/spool/postfix/deferred/

Can you describe the problem, instead of the solution (locate
file older than N days)?

Wietse


Re: time stamp changes in the queue'

2009-05-19 Thread tom lee
>
>> Is there a better way or command to find out queued mails more than 2
>> days old instead of using find to search /var/spool/postfix/deferred/
>
> Can you describe the problem, instead of the solution (locate
> file older than N days)?
>

I need to write a script to scan the queue to be alerted before the
mails start to bounce back.

Thanks.

tom


Re: Webmail

2009-05-19 Thread Jorey Bump
Carlos Williams wrote, at 05/19/2009 02:04 PM:
> On Tue, May 19, 2009 at 1:50 PM, Just E. Mail  
> wrote:
>> Thank you all.
>>
>> I am going with roundcube:  http://www.roundcube.net
> 
> It's really easy to install. Main thing is making sure you have PHP
> 5.2+ installed on Apache and also configuring your MySQL database
> which is super easy if you follow the wiki.
> 
> I did this on RHEL / CentOS and it worked great! If you need any more
> assistance, please let me know. There are a few things I wish I had
> known before it went live that I know now. I don't know
> your environment so if you need more info, please let me know!
> 
> PS - They had a great forums but it's down now for some reason. Their
> support forums is re-directed to some crazy Pokemon type page...

I routinely block attack probes aimed at Roundcube. These have been
active daily since January. I'm not concerned, because I don't use
Roundcube and I am not intending to malign it here. But I recommend that
you take a close look at its security history in light of these recent
attacks, and see if there has been an adequate response. As with all
applications, especially public facing ones, be sure to keep abreast of
all security updates.




Re: time stamp changes in the queue'

2009-05-19 Thread Wietse Venema
tom lee:
> >
> >> Is there a better way or command to find out queued mails more than 2
> >> days old instead of using find to search /var/spool/postfix/deferred/
> >
> > Can you describe the problem, instead of the solution (locate
> > file older than N days)?
> >
> 
> I need to write a script to scan the queue to be alerted before the
> mails start to bounce back.

That is what "delay_warning_time" is for.

Wietse


Re: Postfix with PostgreSQL

2009-05-19 Thread Just E. Mail



mouss wrote:

> you can find postfix-2.3.3-2.1.centos.mysql_pgsql.i386.rpm on
>
> http://mirror.centos.org/centos-5/5.3/centosplus/i386/RPMS/
>
> although it is old. the easiest way to install it is by using "rpm -i"
> (to avoid any network problem, download it first and install it from disk).

After going in circles & squares, I decided to use postfix-2.3.3, which
comes packed with CentOS 5.3 and easy to install. I also have installed 
PostgreSQL-8.3.7 Client from RPMs. I have installed:  postgresql-libs, 
postgresql, postgresql-devel.


In my first post, I mentioned that I plan to use a PostgreSQL server at 
the backend to store emails.


Now my question: How to  build  Postfix  with   PostgreSQL support?

I noticed that http://www.postfix.org has example of  "Postfix 
PostgreSQL Howto" but it is for Postfix installed source (tar.gz?). Is 
there a similar procedure when Postfix is installed from RPMs.


PS: English is my 2nd language!


RE: Postfix with PostgreSQL

2009-05-19 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Just E. Mail
> Sent: Wednesday, 20 May 2009 10:10 AM
> To: postfix-users@postfix.org
> Subject: Re: Postfix with PostgreSQL
> 
> In my first post, I mentioned that I plan to use a PostgreSQL 
> server at the backend to store emails.
> 
> Now my question: How to  build  Postfix  with   PostgreSQL support?
> 
> I noticed that http://www.postfix.org has example of  
> "Postfix PostgreSQL Howto" but it is for Postfix installed 
> source (tar.gz?). Is there a similar procedure when Postfix 
> is installed from RPMs.
> 
> PS: English is my 2nd language!
> 

Straight from "The Book of Postfix":

Execute:

$ ldd `/usr/sbin/postconf -h daemon_directory`/smtpd

On my RHEL system, I get the following, which is perfect since I didn't
add any PostgreSQL support to my build.

libldap-2.2.so.7 => /usr/lib64/libldap-2.2.so.7 (0x0035f9c0)
liblber-2.2.so.7 => /usr/lib64/liblber-2.2.so.7 (0x0035f9e0)
libpcre.so.0 => /lib64/libpcre.so.0 (0x0035f9a0)
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0035f7f0)
libssl.so.4 => /lib64/libssl.so.4 (0x0035f910)
libcrypto.so.4 => /lib64/libcrypto.so.4 (0x0035f930)
libz.so.1 => /usr/lib64/libz.so.1 (0x0035f830)
libdb-4.2.so => /lib64/tls/libdb-4.2.so (0x0035f8d0)
libnsl.so.1 => /lib64/libnsl.so.1 (0x0035f890)
libresolv.so.2 => /lib64/libresolv.so.2 (0x0035f8b0)
libc.so.6 => /lib64/tls/libc.so.6 (0x0035f7a0)
libdl.so.2 => /lib64/libdl.so.2 (0x0035f7d0)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0035f850)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x0035f8f0)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x0035f960)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0035f870)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x0035f980)
libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x0035f810)
/lib64/ld-linux-x86-64.so.2 (0x0035f780)


Postfix 2.6.1 available (file corruption)

2009-05-19 Thread Wietse Venema
Postfix stable release 2.6.1 fixes one defect in Milter support.
This does not affect Postfix versions 2.5 and earlier.

- Queue file corruption under very specific conditions: (smtpd_milters
  or non_smtpd_milters) enabled, AND delay_warning_time enabled,
  AND mail delivery delays, AND short envelope sender addresses
  (e.g., sendmail command-line submissions with bare usernames as
  the sender, but not bounce messages).

  The queue file would be corrupted when the delay_warning_time
  record was marked as "done" after sending the "your mail is
  delayed" notice.  The defect was introduced with Postfix 2.3, but
  it could not cause corruption before the change dated 20090427.

You can find Postfix version 2.6.1 at the mirrors listed at
http://www.postfix.org/

The same code is also available as Postfix snapshot 2.7-20090519.
Postfix versions 2.5 and earlier are not affected.

Wietse


Re: time stamp changes in the queue'

2009-05-19 Thread tom lee
> >
>>
>> I need to write a script to scan the queue to be alerted before the
>> mails start to bounce back.
>
> That is what "delay_warning_time" is for.


Thanks. for my case, my postfix server is the relay server. once the
relay server cannot connect to the relayhost listed in relay server
main.cf,
It cannot send out the email to the delay_notice_recipient under this situation.

Is there a way that I can run a command or script to do the job
instead of using delay_warning_time?

Thanks.

Tom


Re: time stamp changes in the queue'

2009-05-19 Thread tom lee
>>
>> I need to write a script to scan the queue to be alerted before the
>> mails start to bounce back.
>
> That is what "delay_warning_time" is for.

delay_warning_time will let the sender get the email about the status
of mail in the queue.
what I want to do is to avoid to notify the sender but the
delay_notice_recipient.
is there a way to disable the warning to the sender?

Thanks.

Tom


Re: time stamp changes in the queue'

2009-05-19 Thread Wietse Venema
tom lee:
> > >
> >>
> >> I need to write a script to scan the queue to be alerted before the
> >> mails start to bounce back.
> >
> > That is what "delay_warning_time" is for.
> 
> 
> Thanks. for my case, my postfix server is the relay server. once the
> relay server cannot connect to the relayhost listed in relay server
> main.cf,
> It cannot send out the email to the delay_notice_recipient under this 
> situation.

Postfix WILL send the "delayed mail" notification to the email SENDER.

Postfix WILL NOT send to delay_notice_recipient unless YOU configure
it to do so.

Wietse
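
An added example, not part of any post in this thread: one way to script the "queued for more than 2 days" check asked about above, reading the arrival time printed by `postqueue -p` instead of the file timestamps under /var/spool/postfix/deferred/. The sample listing, queue IDs and addresses are constructed, and the function names are assumptions of this example.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Entry header line of `postqueue -p`: queue ID, optional status flag
# (* = active, ! = on hold), size, arrival time without a year, sender.
ENTRY = re.compile(
    r"^([0-9A-F]+)([*!]?)\s+(\d+)\s+"
    r"(\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)"
)

def arrival(stamp, now):
    """Turn 'Sun May 17 09:12:03' into a datetime; the listing omits the year."""
    _, month, day, clock = stamp.split()
    for year in (now.year, now.year - 1):
        try:
            when = datetime.strptime(f"{year} {month} {day} {clock}",
                                     "%Y %b %d %H:%M:%S")
        except ValueError:          # e.g. Feb 29 tried against a non-leap year
            continue
        if when <= now + timedelta(days=1):   # a future date means last year
            return when
    raise ValueError(f"cannot place arrival time {stamp!r}")

def old_messages(listing, now, max_age=timedelta(days=2)):
    """Return (queue_id, flag, age, sender) for entries older than max_age."""
    hits = []
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue                # reason lines, recipients, header, summary
        queue_id, flag, _size, stamp, sender = m.groups()
        age = now - arrival(stamp, now)
        if age > max_age:
            hits.append((queue_id, flag, age, sender))
    return hits

# Constructed sample in the layout printed by `postqueue -p`.
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
4F1A2B3C4D5   486707 Sun May 17 09:12:03  sender@example.com
(connect to relay.example.net[192.0.2.25]:25: Connection timed out)
                                         rcpt@example.org

9E8D7C6B5A4*    2048 Tue May 19 08:00:00  other@example.com
                                         someone@example.org

-- 478 Kbytes in 2 Requests.
"""

if __name__ == "__main__":
    out = subprocess.run(["postqueue", "-p"], capture_output=True, text=True).stdout
    for queue_id, flag, age, sender in old_messages(out, datetime.now()):
        print(f"{queue_id}{flag} queued for {age} from {sender}")
```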


Re: Postfix with PostgreSQL

2009-05-19 Thread Barney Desmond
2009/5/20 Just E. Mail :
>
>> mouss wrote:
>>
>> you can find postfix-2.3.3-2.1.centos.mysql_pgsql.i386.rpm on
>>
>> http://mirror.centos.org/centos-5/5.3/centosplus/i386/RPMS/
>>
>> although it is old. the easiest way to install it is by using "rpm -i"
>> (to avoid any network problem, download it first and install it from
>> disk).
>>
>
> After going in circles & squares, I decided to use postfix-2.3.3,which comes
> packed with CentOS 5.3 and easy to install. I also have installed
> PostgreSQL-8.3.7 Client from RPMs. I have installed:  postgresql-libs,
> postgresql, postgresql-devel.
>
> In my first post, I mentioned that I plan to use a PostgreSQL server at the
> backend to store emails.
>
> Now my question: How to  build  Postfix  with   PostgreSQL support?

You've got it in your quote from mouss, right there. Seeing as you're
sticking with version 2.3.3, you can use the centos RPM built with
postgres support.
>> you can find postfix-2.3.3-2.1.centos.mysql_pgsql.i386.rpm on
>> http://mirror.centos.org/centos-5/5.3/centosplus/i386/RPMS/


Query re logs

2009-05-19 Thread MacShane, Tracy
We've been having an intermittent problem with mail originating from a
specific domain, which may or may not be related to a specific host or
message type. It seems that the sending host is timing out before it
finishes the message transmission. I enabled debug logging (and bumped
up the smtp timeout back to 300s) for this domain.

Just to be sure I'm not barking up the wrong tree, would I expect to see
a log entry for the EOM in the verbose log from the sending server if it
existed? Here're some snipped logs:

May 20 10:22:22 smtp3 postfix/smtpd[17136]: connect from dfw-mailout1.example.com[199.xxx.xxx.xx]
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 220 smtp3.ourdomain.example.net ESMTP Postfix
May 20 10:22:22 smtp3 postfix/smtpd[17136]: < dfw-mailout1.example.com[199.xxx.xxx.xx]: EHLO dfw-mailout1.example.com
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-smtp3.ourdomain.example.net
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-PIPELINING
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-SIZE 10485760
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-ETRN
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-ENHANCEDSTATUSCODES
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-8BITMIME
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250 DSN
May 20 10:22:23 smtp3 postfix/smtpd[17136]: < dfw-mailout1.example.com[199.xxx.xxx.xx]: MAIL From: SIZE=486707
May 20 10:22:23 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250 2.1.0 Ok
May 20 10:22:23 smtp3 postfix/smtpd[17136]: < dfw-mailout1.example.com[199.xxx.xxx.xx]: RCPT To:
May 20 10:22:24 smtp3 postfix/smtpd[17136]: 3697B2080A4: client=dfw-mailout1.example.com[199.xxx.xxx.xx]
May 20 10:22:24 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250 2.1.5 Ok
May 20 10:22:24 smtp3 postfix/smtpd[17136]: < dfw-mailout1.example.com[199.xxx.xxx.xx]: DATA
May 20 10:22:24 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 354 End data with .
May 20 10:27:25 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 421 4.4.2 smtp3.ourdomain.example.net Error: timeout exceeded


It seems pretty clear to me that we didn't receive an EOM (especially
since the timeout-exceeded caused the disconnection), but since I'm
going to be telling them it's a problem at their end, I'd like to be
sure I'm not telling them a pile of rubbish. 

I'm also going to try some tcpdump logging to see what I can find - any
recommendations for what I should be looking for?

Thanks.
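
An added example, not part of the original post: a small parser for verbose smtpd log entries of the kind quoted above, including entries a mail client has wrapped, that reports per smtpd process the first server reply after 354 and how long the server waited before a 421 timeout. The sample log is constructed; its hostnames, PIDs and queue ID are invented, and the `year` default is an assumption because syslog timestamps carry no year.

```python
import re
from datetime import datetime

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# timestamp, syslog host, smtpd PID, direction (< client, > server), peer, text
CHAT = re.compile(r"^(\w{3} [ \d]\d [\d:]{8}) \S+ postfix/smtpd\[(\d+)\]: "
                  r"([<>]) \S+: (\S.*)$")

def unwrap(text):
    """Rejoin log entries that a mail client wrapped onto several lines."""
    entries = []
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def diagnose(text, year=2009):
    """Map smtpd PID -> state of the latest DATA phase seen in the log."""
    sessions = {}
    for entry in unwrap(text):
        m = CHAT.match(entry)
        if not m:
            continue
        stamp, pid, direction, payload = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(pid, {"last_command": None, "go_ahead": None,
                                      "final_reply": None, "timeout_after": None})
        if direction == "<":
            s["last_command"] = payload.split()[0].upper()
            if s["last_command"] == "MAIL":   # new transaction, same connection
                s.update(go_ahead=None, final_reply=None, timeout_after=None)
        elif payload.startswith("354"):
            s["go_ahead"] = when              # server asked for the message body
        elif s["go_ahead"] and s["final_reply"] is None:
            s["final_reply"] = payload        # first reply after 354 closes DATA
            if payload.startswith("421") and "timeout" in payload:
                s["timeout_after"] = (when - s["go_ahead"]).total_seconds()
    return sessions

# Constructed log (hosts, PIDs, queue ID invented); PID 17136 entries are wrapped.
SAMPLE_LOG = """\
May 20 10:22:24 mx postfix/smtpd[17136]: <
mailout.example.com[192.0.2.10]: DATA
May 20 10:22:24 mx postfix/smtpd[17136]: >
mailout.example.com[192.0.2.10]: 354 End data with <CR><LF>.<CR><LF>
May 20 10:22:30 mx postfix/smtpd[17140]: < mailout.example.com[192.0.2.10]: DATA
May 20 10:22:30 mx postfix/smtpd[17140]: > mailout.example.com[192.0.2.10]: 354 End data with <CR><LF>.<CR><LF>
May 20 10:22:31 mx postfix/smtpd[17140]: > mailout.example.com[192.0.2.10]: 250 2.0.0 Ok: queued as 4F1A2B3C4D5
May 20 10:27:25 mx postfix/smtpd[17136]: >
mailout.example.com[192.0.2.10]: 421 4.4.2 mx.example.net
Error: timeout exceeded
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```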