reject sender login mismatch only for some accounts

2009-06-11 Thread ram
Can I implement smtp_sender_login_maps in such a way that

* for selective accountids reject_sender_login_mismatch
* And for the rest permit any sender id if authenticated








relays not connecting msexchange

2009-06-11 Thread K bharathan
till yesterday there're no probs; suddenly two of my postfix relays not
connecting the exchange2003; i cannot ping or telnet from the relays to
exchange; exchange has got symantec endpoint protection and its firewall;
what could've gone wrong!


Multiple Milters

2009-06-11 Thread Ihsan Dogan

Hello,

I'm running two spamfilters on two machines, which are accessed with
milter. In case of an error (eg: the first milter service is not running),
I would like that Postfix would use the second one on the other host.

I was expecting something like this:
smtpd_milters = inet:[127.0.0.1],[1.2.3.4]:41001

Is such a setup possible with Postfix?





Regards,
Ihsan Dogan

-- 
ih...@dogan.ch  http://blog.dogan.ch/


Re: reject sender login mismatch only for some accounts

2009-06-11 Thread Darren Pilgrim

ram wrote:
> Can I implement smtp_sender_login_maps in such a way that
>
> * for selective accountids reject_sender_login_mismatch
> * And for the rest permit any sender id if authenticated


smtp_sender_login_maps works the other way around (it maps MAIL FROM to 
SASL login).  What you want involves an infinite set of MAIL FROM 
addresses, so it can't be mapped.  You'll need a policy server to enable 
or disable reject_sender_login_mismatch on a per-user basis either by 
direct lookup and returning REJECT/DUNNO or returning a restriction 
class containing reject_sender_login_mismatch for those users requiring it.
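
Added example, not part of the original thread and not Postfix's own code: a policy service in Python that applies the sender/login ownership check only to selected SASL logins and returns DUNNO for everyone else, using the `sender` and `sasl_username` attributes of the policy delegation protocol. The login table, the port 10031 and the function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Postfix policy service: enforce sender ownership only for selected logins.

Added illustration, not code from the thread. Assumed wiring in main.cf,
placed before permit_sasl_authenticated so authenticated clients reach it:

    smtpd_recipient_restrictions =
        check_policy_service inet:127.0.0.1:10031,
        permit_sasl_authenticated,
        ...
"""
import socketserver

# Constructed sample table (assumption): SASL login -> envelope senders it owns.
# Logins absent from this table may use any sender once authenticated.
STRICT_LOGINS = {
    "alice": {"alice@example.com", "sales@example.com"},
    "svc-billing": {"billing@example.com"},
}


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return an access(5)-style action for one request."""
    login = attrs.get("sasl_username", "")
    sender = attrs.get("sender", "").lower()
    if not login:
        # Not authenticated: leave the decision to the other restrictions.
        return "DUNNO"
    owned = STRICT_LOGINS.get(login)
    if owned is None:
        # Unrestricted account: any sender is fine once authenticated.
        return "DUNNO"
    if sender in owned:
        return "DUNNO"
    return f"REJECT Sender address rejected: not owned by user {login}"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Answer every request Postfix sends on one connection."""

    def handle(self):
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            # Empty line: the request is complete, reply and wait for the next.
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode())
            lines = []


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```
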


Re: handling non MX entry domains

2009-06-11 Thread Truth Seeker


> Alternatively, the OP could use a transport map to reroute
> stuck messages to
> the error transport and "bounce" them back to the sender
> with an
> informative message.
> 

what is this OP you mean?
how can we do this? may be this is what i am exactly looking for...




  



Re: Spamassasin in Postfix Server

2009-06-11 Thread Truth Seeker


Any response for this queries is really appreciated!!!


--- On Wed, 6/10/09, Truth Seeker  wrote:

> From: Truth Seeker 
> Subject: Spamassasin in Postfix Server
> To: postfix-users@postfix.org
> Date: Wednesday, June 10, 2009, 11:54 AM
> 
> 
> Dear Pros.
> 
> The following is my setup
> 
> 
>       H.O
>        ^
>        |
>        |
>      point
>       to
>      point
>        |
>        |
>
>   Postfix      <---> Firewall <---> External Mail Hosting
>   Mail Server
> 
> 
> Postfix Mail Server (postfix-2.3.3-2) on CentOS 5.2;
> a. receives mails from local client via outlook and send to
> out side (internet) directly
> b. receives through fetchmail program, which fetches from
> External mail hosting
> c. NO ANTI SPAM 
> d. smtpd_recipient_restrictions is working for both
> internal and external mails (fetchmail).
> e. average 3500 mails are processed per day in mail server
> (send+receive) and the total volume is average 3.2 GB (2.8
> GB min and max 3.6 GB)
> 
> 
> As our mails from H.O is getting delayed through fetchmail
> (more than 100 users), i was thinking to re route the
> messages from H.O to this branch office through our point to
> point link. So in this case my doubts are;
> 
> 1. in this case, i need to configure spamassasin on the
> Postfix Mail Server right??? instead of simply leaving it
> like this.
> 
> 2. I found so many links which explains configuring
> spamassasin on Postfix server, but many of them are going in
> diff ways with diff versions and distributions. can u please
> suggest me a most suitable link for my requirement.
> 
> 3. Do i need to take any other precaution for my postfix
> server (as 60 - 70 % of mails to this branch is from Head
> Office) while i starting to recieve it through point-point
> (there is no firewall in this connection)
> 
> 4. do i need to put an additional smtp server with
> spamassasin to receive mail through point-point for a better
> secure and stable environment.
> 
> 5. does this spam assasin will effect my
> smtpd_recipient_restrictions which is currently working fine
> on my postfix server
> 
> Thanking you people in advance...
> 
> 
> -
> --
> ---
> Always try to find truth!!!
> 
> 
> 
>       
> 
> 






Re: Spamassasin in Postfix Server

2009-06-11 Thread Robert Schetterer
Truth Seeker schrieb:
> 
> Any response for this queries is really appreciated!!!
> 
> 
> --- On Wed, 6/10/09, Truth Seeker  wrote:
> 
>> From: Truth Seeker 
>> Subject: Spamassasin in Postfix Server
>> To: postfix-users@postfix.org
>> Date: Wednesday, June 10, 2009, 11:54 AM
>>
>>
>> Dear Pros.
>>
>> The following is my setup
>>
>>
>>       H.O
>>        ^
>>        |
>>        |
>>      point
>>       to
>>      point
>>        |
>>        |
>>
>>   Postfix      <---> Firewall <---> External Mail Hosting
>>   Mail Server
>>
>>
>> Postfix Mail Server (postfix-2.3.3-2) on CentOS 5.2;
>> a. receives mails from local client via outlook and send to
>> out side (internet) directly
>> b. receives through fetchmail program, which fetches from
>> External mail hosting
>> c. NO ANTI SPAM 
>> d. smtpd_recipient_restrictions is working for both
>> internal and external mails (fetchmail).
>> e. average 3500 mails are processed per day in mail server
>> (send+receive) and the total volume is average 3.2 GB (2.8
>> GB min and max 3.6 GB)
>>
>>
>> As our mails from H.O is getting delayed through fetchmail
>> (more than 100 users), i was thinking to re route the
>> messages from H.O to this branch office through our point to
>> point link. So in this case my doubts are;
>>
>> 1. in this case, i need to configure spamassasin on the
>> Postfix Mail Server right??? instead of simply leaving it
>> like this.
>>
>> 2. I found so many links which explains configuring
>> spamassasin on Postfix server, but many of them are going in
>> diff ways with diff versions and distributions. can u please
>> suggest me a most suitable link for my requirement.
>>
>> 3. Do i need to take any other precaution for my postfix
>> server (as 60 - 70 % of mails to this branch is from Head
>> Office) while i starting to recieve it through point-point
>> (there is no firewall in this connection)
>>
>> 4. do i need to put an additional smtp server with
>> spamassasin to receive mail through point-point for a better
>> secure and stable environment.
>>
>> 5. does this spam assasin will effect my
>> smtpd_recipient_restrictions which is currently working fine
>> on my postfix server
>>
>> Thanking you people in advance...
>>
>>
>> -
>> --
>> ---
>> Always try to find truth!!!
>>
>>
>>
>>   
>>
>>
> 
> 
>   
> 

i am not sure about what your mail setup really means
it doesnt not look right to me
but that maybe a understanding problem


why not simply use getmail
with spamassassin on your internal mailserver
http://pyropus.ca/software/getmail/faq.html#faq-integrating
very easy to setup

if you can configure your outside mailserver
using clamav with sanesecurity sigs
and rbls as well as other postfix antispam features
should do the job fine, do not use catch alls there,
always have a valid recipient list
you may bypass outbound virus scanning for internal mailservers ip or
sasl user ( recommended )


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: relays not connecting msexchange

2009-06-11 Thread Charles Marcus
On 6/11/2009 3:12 AM, K bharathan wrote:
> till yesterday there're no probs; suddenly two of my postfix relays not
> connecting the exchange2003; i cannot ping or telnet from the relays to
> exchange; exchange has got symantec endpoint protection and its
> firewall; what could've gone wrong!

Per the welcome message you received when you joined the list:

TO REPORT A PROBLEM see:
http://www.postfix.org/DEBUG_README.html#mail

-- 

Best regards,

Charles


Re: Multiple Milters

2009-06-11 Thread Wietse Venema
Ihsan Dogan:
> 
> Hello,
> 
> I'm running two spamfilters on two machines, which are accessed with
> milter. In case of an error (eg: the first milter service is not running),
> I would like that Postfix would use the second one on the other host.
> 
> I was expecting something like this:
> smtpd_milters = inet:[127.0.0.1],[1.2.3.4]:41001

When you specify multiple milters in smtpd_milters or non_smtpd_milters,
this means that Postfix always uses all of them. The syntax is
different than what you have above.

> Is such a setup possible with Postfix?

Not supported. Error control is limited to milter_default_action.

Wietse

> 
> Regards,
> Ihsan Dogan
> 
> -- 
> ih...@dogan.ch  http://blog.dogan.ch/
> 
> 



order of local_recipient_maps, smtpd_recipient_restrictions

2009-06-11 Thread Stefan Palme
Hi all,

local_recipient_maps .vs. smtpd_recipient_restrictions - can 
anybody tell me which test happens first on incoming emails?

Thanks and regards
-stefan-




Re: getting an address in virtual_alias_maps to use different transport

2009-06-11 Thread Calvin Browne
Thanks - I had seen that online - but made several errors setting it up
(like not setting maxproc to one). having corrected those, I am now
queueing the mail one at a time.

Some strange behaviour however - the wait between deliveries seems to
bear no relation to what I set smtp_connect_timeout to be - would there
be another factor involved here that I'm missing?

regards

--Calvin

>Correction in-line.
>
>Wietse Venema:
>> Calvin Browne:
>> > Hi all - need someone to hit me with a clue bat.
>> > 
>> > I have one particular address in a domain that is handled by
>> > virtual_alias_domains through a virtual_alias_maps table. This address
>> > gets redirected to an account on another smtp server. I would like to
>> > rate limit the delivery perhaps by sending it over its own transport?
>> > 
>> > Any clues/pointers appreciated.
>> > mail_version = 2.2.10
>> 
>> A workaround for Postfix < 2.5 is in
>> http://www.postfix.org/QSHAPE_README.html#backlog:
>> 
>



Re: Multiple Milters

2009-06-11 Thread Kouhei Sutou
Hi,

In <5f0a4d43797f50decd8590a59d9e6...@localhost>
  "Multiple Milters" on Thu, 11 Jun 2009 09:27:11 +0200,
  Ihsan Dogan  wrote:

> I'm running two spamfilters on two machines, which are accessed with
> milter. In case of an error (eg: the first milter service is not running),
> I would like that Postfix wold use the second one on the other host.
> 
> I was expecting something something like this:
> smtpd_milters = inet:[127.0.0.1],[1.2.3.4]:41001
> 
> Is such a setup possible with Postfix?

You can do it with milter manager:
  http://milter-manager.sourceforge.net/


milter-manager.conf:
  manager.connection_spec = "inet:12...@[127.0.0.1]"

  define_applicable_condition("fallback") do |condition|
    condition.description = "fallback to secondary milter if primary milter is down"
    condition.define_connect_stopper do |context, host, address|
      # stop secondary milter if primary milter isn't quieted
      # (if primary milter is quieted, primary-milter is down)
      not context.children["primary-milter"].quitted?
    end
  end

  define_milter("primary-milter") do |milter|
    milter.description = "primary milter"
    milter.connection_spec = "inet:23...@[127.0.0.1]"
  end

  define_milter("secondary-milter") do |milter|
    milter.description = "secondary milter"
    milter.connection_spec = "inet:41...@[1.2.3.4]"

    # apply "fallback" condition to use secondary milter
    # only when primary milter is down
    milter.applicable_conditions = ["fallback"]
  end

main.cf:
  # only register milter manager.
  smtpd_milters = inet:[127.0.0.1]:12345


Thanks,
--
kou


Re: order of local_recipient_maps, smtpd_recipient_restrictions

2009-06-11 Thread Magnus Bäck
On Thu, June 11, 2009 1:03 pm, Stefan Palme said:

> local_recipient_maps .vs. smtpd_recipient_restrictions - can
> anybody tell me which test happens first on incoming emails?

You're comparing apples and oranges, but I understand what you mean.
local_recipient_maps specifies lookup tables that Postfix will consult if
the recipient address domain is local (i.e. listed in mydestination). This
check takes place at the end of smtpd_recipient_restrictions, unless you
explicitly place a reject_unlisted_recipient restriction somewhere else.
For example, the configuration below avoids useless RBL lookups for
invalid recipients by making the recipient check first. Typically you'd
want to perform the least expensive checks first.

smtpd_recipient_restrictions =
  permit_mynetworks,
  reject_unauth_destination,
  reject_unlisted_recipient,
  reject_rbl_client zen.spamhaus.org

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: order of local_recipient_maps, smtpd_recipient_restrictions

2009-06-11 Thread Wietse Venema
Stefan Palme:
> Hi all,
> 
> local_recipient_maps .vs. smtpd_recipient_restrictions - can 
> anybody tell me which test happens first on incoming emails?

If you don't specify

smtpd_*_restrictions = ... reject_unlisted_recipient ...

(which searches local_recipient_maps, relay_recipient_maps etc.),
then by default Postfix will automatically search the recipient
maps after smtpd_recipient_restrictions.

See also:
http://www.postfix.org/SMTPD_ACCESS_README.html#global
http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient
http://www.postfix.org/postconf.5.html#reject_unlisted_recipient

Wietse


Re: order of local_recipient_maps, smtpd_recipient_restrictions

2009-06-11 Thread Stefan Palme
On Thu, 2009-06-11 at 13:54 +0200, Magnus Bäck wrote:
> On Thu, June 11, 2009 1:03 pm, Stefan Palme said:
> 
> > local_recipient_maps .vs. smtpd_recipient_restrictions - can
> > anybody tell me which test happens first on incoming emails?
> 
> You're comparing apples and oranges, but I understand what you mean.
> local_recipient_maps specifies lookup tables that Postfix will consult if
> the recipient address domain is local (i.e. listed in mydestination). This
> check takes place at the end of smtpd_recipient_restrictions, unless you
> explicitly place a reject_unlisted_recipient restriction somewhere else.

Thanks to you and Wietse.

What happens if my smtpd_recipient_restrictions do NOT contain
reject_unlisted_recipients, but contain something like this:

  check_recipient_access pcre:/etc/postfix/filter_incoming

with /etc/postfix/filter_incoming:

  /.*/  FILTER amavis:[127.0.0.1]:10024


Will the local_recipient_maps-test happen BEFORE the mail will be
handed over to the filter? I guess the answer is YES, because there
is no AFTER the filter, because the mail will be reinjected by the
filter as a new mail... - I just want to be sure.

Regards
-stefan-




Re: order of local_recipient_maps, smtpd_recipient_restrictions

2009-06-11 Thread Wietse Venema
Stefan Palme:
> On Thu, 2009-06-11 at 13:54 +0200, Magnus Bäck wrote:
> > On Thu, June 11, 2009 1:03 pm, Stefan Palme said:
> > 
> > > local_recipient_maps .vs. smtpd_recipient_restrictions - can
> > > anybody tell me which test happens first on incoming emails?
> > 
> > You're comparing apples and oranges, but I understand what you mean.
> > local_recipient_maps specifies lookup tables that Postfix will consult if
> > the recipient address domain is local (i.e. listed in mydestination). This
> > check takes place at the end of smtpd_recipient_restrictions, unless you
> > explicitly place a reject_unlisted_recipient restriction somewhere else.
> 
> Thanks to you and Wietse.
> 
> What happens if my smtpd_recipient_restrictions do NOT contain
> reject_unlisted_recipients, but contain something like this:

Postfix will enforce smtpd_reject_unlisted_recipient as documented.

Wietse


Re: order of local_recipient_maps, smtpd_recipient_restrictions

2009-06-11 Thread Magnus Bäck
On Thu, June 11, 2009 2:13 pm, Stefan Palme said:

> On Thu, 2009-06-11 at 13:54 +0200, Magnus Bäck wrote:
>
> > You're comparing apples and oranges, but I understand what you mean.
> > local_recipient_maps specifies lookup tables that Postfix will consult
> > if the recipient address domain is local (i.e. listed in mydestination).
> > This check takes place at the end of smtpd_recipient_restrictions,
> > unless you explicitly place a reject_unlisted_recipient restriction
> > somewhere else.
>
> Thanks to you and Wietse.
>
> What happens if my smtpd_recipient_restrictions do NOT contain
> reject_unlisted_recipients, but contain something like this:
>
>   check_recipient_access pcre:/etc/postfix/filter_incoming
>
> with /etc/postfix/filter_incoming:
>
>   /.*/  FILTER amavis:[127.0.0.1]:10024
>
> Will the local_recipient_maps-test happen BEFORE the mail will be
> handed over to the filter? I guess the answer is YES, because there
> is no AFTER the filter, because the mail will be reinjected by the
> filter as a new mail... - I just want to be sure.

Correct. A FILTER action means "filter the message if it's ever accepted".
At the RCPT TO stage Postfix cannot possibly perform any content
inspection since it hasn't seen the message body.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: anvil

2009-06-11 Thread Simon Jones
2009/6/10 Ralf Hildebrandt :
> * Simon Jones :
>
>> This is the part I'm missing, how do I enable the shit flinger?
>
> You COULD use smtp_source
>
> OR
>
> you could set ridiculous low limits (1/60s) and then test it manually using
> telnet.
>
> Keep in mind, though:
> smtpd_client_event_limit_exceptions = $mynetworks
>
> so the test must be performed from a client OUTSIDE of $mynetworks
> Or you just say:
>
> smtpd_client_event_limit_exceptions =
>
> --
> Ralf Hildebrandt
> Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
> http://www.computerbeschimpfung.de
> Ballmer should step down in favour of Mr T, because he pity the fool
> who don't got high-end video cards and 4GB RAM for Vista Aero!

Thanks guys, fail2ban looks great - config is being a bitch though but
i have anvil working now!

Jason, when I fire up fail2ban it says "WARNING 'action' not defined
in 'postfix'. Using default value"

i found some info on
http://www.howtoforge.com/forums/showthread.php?t=28781 and followed
it through but i got the same error when firing fail2ban up too, the
postfix.conf files looks ok -

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# postfix

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
#failregex = reject: RCPT from (.*)\[<HOST>\]: 554
failregex = reject: RCPT from (.*)\[<HOST>\]: 5[05][0-4]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I modded it slightly though - but it does the same whether default or
not, any pointers to what i'm doing wrong?  "action not defined" would
suggest that i've not enabled / configured something correctly but the
files look the same as the examples i've seen on the web.


Re: anvil

2009-06-11 Thread Simon Jones
2009/6/11 Simon Jones :
> 2009/6/10 Ralf Hildebrandt :
>> * Simon Jones :
>>
>>> This is the part I'm missing, how do I enable the shit flinger?
>>
>> You COULD use smtp_source
>>
>> OR
>>
>> you could set ridiculous low limits (1/60s) and then test it manually using
>> telnet.
>>
>> Keep in mind, though:
>> smtpd_client_event_limit_exceptions = $mynetworks
>>
>> so the test must be performed from a client OUTSIDE of $mynetworks
>> Or you just say:
>>
>> smtpd_client_event_limit_exceptions =
>>
>> --
>> Ralf Hildebrandt
>> Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
>> http://www.computerbeschimpfung.de
>> Ballmer should step down in favour of Mr T, because he pity the fool
>> who don't got high-end video cards and 4GB RAM for Vista Aero!
>
> Thanks guys, fail2ban looks great - config is being a bitch though but
> i have anvil working now!
>
> Jason, when I fire up fail2ban it says "WARNING 'action' not defined
> in 'postfix'. Using default value"
>
> i found some info on
> http://www.howtoforge.com/forums/showthread.php?t=28781 and followed
> it through but i got the same error when firing fail2ban up too, the
> postfix.conf files looks ok -
>
> # Fail2Ban configuration file
> #
> # Author: Cyril Jaquier
> #
> # $Revision: 510 $
> #
>
> [Definition]
>
> # postfix
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> #failregex = reject: RCPT from (.*)\[<HOST>\]: 554
> failregex = reject: RCPT from (.*)\[<HOST>\]: 5[05][0-4]
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>
> I modded it slightly though - but it does the same whether default or
> not, any pointers to what i'm doing wrong?  "action not defined" would
> suggest that i've not enabled / configured something correctly but the
> files look the same as the examples i've seen on the web.
>

Apologies - i mean Terry of course... I have never been too good with names :)


Re: relays not connecting msexchange

2009-06-11 Thread K bharathan
i get the logs like the following:

Jun 10 15:18:33 relay1 postfix/smtp[9353]: 574501614EC: to=,
relay=none, delay=12531, delays=12501/0.28/30/0, dsn=4.4.1,
status=deferred (connect to 192.168.20.240[192.168.20.240]:
Connection timed out)

Jun 10 15:18:33 relay1 postfix/error[9652]: 67FE8161520:
to=<helpd...@example.com>, relay=none, delay=1552, delays=1522/30/0/0.11,
dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to
192.168.20.240[192.168.20.240]: Connection timed out)

Jun 10 15:18:33 relay1 postfix/smtp[9355]: 4DDDA16121D: to=,
relay=none, delay=470, delays=440/0/30/0, dsn=4.4.1,
status=deferred (connect to 192.168.20.240[192.168.20.240]:
Connection timed out)

when i telnet 192.168.20.240 (exchange) does not respond; but from any host
in the network (where relays sit) i can telnet to 192.168.20.240


On Thu, Jun 11, 2009 at 2:52 PM, Charles Marcus
wrote:

> Please don't reply direct to me, reply to the list...
>
> --
>
> Best regards,
>
> Charles
>


Re: relays not connecting msexchange

2009-06-11 Thread Brian Evans - Postfix List
K bharathan wrote:
> i get the logs like the following:
>
> Jun 10 15:18:33 relay1 postfix/smtp[9353]: 574501614EC:
> to=mailto:a...@example.com>>, relay=none,
> delay=12531, delays=12501/0.28/30/0, dsn=4.4.1,
> status=deferred (connect to 192.168.20.240[192.168.20.240]:
> Connection timed out)
>
> Jun 10 15:18:33 relay1 postfix/error[9652]: 67FE8161520:
> to=mailto:helpd...@example.com>>, relay=none,
> delay=1552, delays=1522/30/0/0.11,
> dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to
> 192.168.20.240[192.168.20.240]: Connection timed out)
>
> Jun 10 15:18:33 relay1 postfix/smtp[9355]: 4DDDA16121D:
> to=mailto:x...@example.com>>, relay=none, delay=470,
> delays=440/0/30/0, dsn=4.4.1,
> status=deferred (connect to 192.168.20.240[192.168.20.240]:
> Connection timed out)
>
> when i telnet 192.168.20.240 (exchange) does not respond; but from any
> host in the network (where relays sit) i can telnet to 192.168.20.240
This appears to be a networking/firewall issue.
If you cannot telnet on port 25 to the .20.240 box, Postfix won't be
able to either.

Brian


Re: How is it: mynetworks = 127.0.0.0/8 yet local network users are able to send.

2009-06-11 Thread Sthu Pous
Thank You for Your time and answer, Wietse:

> > postconf -d
> > 
> > I see mynetworks = 127.0.0.0/8 v.x.y.z/25 192.168.0.0/24
> > 
> > from whence it comes? - I have no mynetworks file.  
> 
> The command "postconf -d" does NOT show main.cf.

Ok, but still how can it be that postconf -n gives me:

mynetworks = 127.0.0.0/8

yet company mail users can send/get their mail w/ outward world can send to
them mail as well?


Re: How is it: mynetworks = 127.0.0.0/8 yet local network users are able to send.

2009-06-11 Thread Sthu Pous
Thank You for Your time and answer, Barney:

> As mouss suggested, your query is unclear. I can think of two interpretations:
> 1. "I've set mynetworks=127.0.0.0/8 in main.cf but for some reason
> machines on my LAN can relay mail out to the internet, how do I stop
> this?"
> 2. "I've set mynetworks=127.0.0.0/8 in main.cf and I want to allow
> machines on my LAN to relay mail out to the internet, how do I make
> this possible?"

I have (postconf -n):

mynetworks = 127.0.0.0/8

yet company mail users can send/get their mail to/from outward world. And this
is my question.

What I want is this:

company users (having IPs 192.168.0.*) should get/send email;
all the world should only send email to the company users.

Also, my another question is on security topic: is possible (with some
misconfiguration of postfix/amavis/etc) that a hacker from outside world can get
root privileges on my OS? If yes, what are those configuration options that I
should check and what should be their values to provide secure email server?

Can You recommend a good email server manual (regarding postfix) - some
step by step tutorial w/ good explanation of things - as the documentation
that I read from postfix.org is not clear to me - as a lot of explanatory
stuff is out of there (to me)?


Re: How to discern from postfix log between TO and THROUGH sending a correspondence?

2009-06-11 Thread Sthu Pous
Thank You for Your time and answer, Magnus:

> That's impossible to say based on these log entries. smtpd(8) and
> cleanup(8) do not by default not log accepted recipients.
> 
> Please do not trim logs unless asked to do so.

I think I have discerned them - simply by their

from=<>

and unknown to me ip/address.

Do You know a way how I can track a local application/process that called
postfix to send messages (on a hacked system)?


Re: message_size_limit

2009-06-11 Thread Simon Schelkshorn
Hi,

thanks for your fast reply.

@Truth Seeker: I added the message_size_limit statement to the 
definition in master.cf as I intended to increase the message size 
only for mail sent from my local users and not for all messages.


> > > You can't change the size limit for the SMTP server alone.
> > > It must be a main.cf setting.
> > 
> > Specifically, message_size_limit is enforced by cleanup(8). Adding
> > another cleanup(8) service with a different message_size_limit and
> > choosing it for this particular smtpd(8) with cleanup_service_name
> > should work.
> 
> But wait, there is more...
> 
> The queue manager and the delivery agents can be affected, too.
> Depending on how mail gets into Postfix, recipient records may be
> sitting at the end of a queue file, and when a delivery agent (or
> queue manager) tries to mark a recipient as "done" they get into
> trouble when their "message size limit" setting is too small.
> 
> That was one of the bugs that was introduced by the VDA patch,


Thanks Magnus for showing a way on how to achieve what I was trying 
to get and thanks Wietse for pointing out, that there may be some 
other problems with it.

So I decided to go with the "safe" configuration and increased the 
general message size in main.cf.


Simon




Re: anvil

2009-06-11 Thread Victor Duchovni
On Thu, Jun 11, 2009 at 01:34:15PM +0100, Simon Jones wrote:

> Thanks guys, fail2ban looks great - config is being a bitch though but
> i have anvil working now!

Presumably as an anti-DoS service. It is not an anti-spam feature,
and should not be used that way. The anti-DoS use-case is to prevent
(usually accidental) abuse from one or a small-number of "run-away"
clients that are hammering you with email, volume limits should
be noticeably above your normal peak loads.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: message_size_limit

2009-06-11 Thread Victor Duchovni
On Thu, Jun 11, 2009 at 04:08:16PM +0200, Simon Schelkshorn wrote:

> Hi,
> 
> thanks for your fast reply.
> 
> @Truth Seeker: I added the message_size_limit statement to the 
> definition in master.cf as I intended to increase the message size 
> only for mail sent from my local users and not for all messages.

Your main.cf message_size_limit must be the *largest* value that you
allow for any source or recipient. Then in master.cf you can reduce
the main.cf in smtpd/cleanup as appropriate. Do NOT reduce the
message size limit in the queue manager or delivery agents.

-- 
Viktor.



Re: anvil

2009-06-11 Thread Terry Carmen

> On Thu, Jun 11, 2009 at 01:34:15PM +0100, Simon Jones wrote:
>
>> Thanks guys, fail2ban looks great - config is being a bitch though but
>> i have anvil working now!
>
> Presumably as an anti-DoS service. It is not an anti-spam feature,
> and should not be used that way. The anti-DoS use-case is to prevent
> (usually accidental) abuse from one or a small-number of "run-away"
> clients that are hammering you with email, volume limits should
> be noticeably above your normal peak loads.

fail2ban might be more appropriate. It works very well against dictionary
attacks and will stop backscatter spam in its tracks.

After a number of invalid user attempts, it adds a firewall rule to drop
packets from the sending address for a predetermined amount of time.

Terry
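
Added example, not part of the original thread and not fail2ban's own code: the modified failregex posted earlier in this thread, with the `<HOST>` tag expanded as the filter file's comments describe, run over constructed Postfix log lines together with a simple model of the ban threshold Terry describes. The sample log, the year, the function names and the `maxretry`/`findtime` values are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Expansion of the <HOST> tag as documented in the filter file's comments.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>\S+)"
# The modified failregex from the thread: a 500-504 or 550-554 reply to RCPT.
FAILREGEX = r"reject: RCPT from (.*)\[<HOST>\]: 5[05][0-4]"
COMPILED = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jun 11 13:30:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<aaron@example.com> proto=SMTP helo=<pc>
Jun 11 13:30:05 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<abby@example.com> proto=SMTP helo=<pc>
Jun 11 13:30:09 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.20]: 450 4.7.1 <bob@example.com>: Recipient address rejected: Greylisted; from=<news@example.net> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Jun 11 13:30:12 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<x@example.net> to=<victim@example.org> proto=SMTP helo=<pc>
Jun 11 13:31:00 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.20]: 550 5.1.1 <bobb@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<bobb@example.com> proto=ESMTP helo=<mail.example.net>
Jun 11 13:50:00 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from host9.example.org[192.0.2.9]: 550 5.1.1 <a@example.com>: Recipient address rejected: User unknown in local recipient table; from=<y@example.org> to=<a@example.com> proto=ESMTP helo=<host9>
Jun 11 13:58:00 mail postfix/smtpd[2104]: NOQUEUE: reject: RCPT from host9.example.org[192.0.2.9]: 550 5.1.1 <b@example.com>: Recipient address rejected: User unknown in local recipient table; from=<y@example.org> to=<b@example.com> proto=ESMTP helo=<host9>
Jun 11 14:05:00 mail postfix/smtpd[2105]: NOQUEUE: reject: RCPT from host9.example.org[192.0.2.9]: 550 5.1.1 <c@example.com>: Recipient address rejected: User unknown in local recipient table; from=<y@example.org> to=<c@example.com> proto=ESMTP helo=<host9>
""".splitlines()


def match_host(line):
    """Return the client address if the line counts as a failure, else None."""
    m = COMPILED.search(line)
    return m.group("host") if m else None


def hosts_to_ban(lines, maxretry=3, findtime=600, year=2009):
    """Model of the threshold: ban after maxretry failures within findtime seconds.

    Syslog timestamps carry no year, so one is supplied (assumption).
    Returns {host: ISO timestamp of the failure that triggered the ban}.
    """
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        host = match_host(line)
        if host is None or host in banned:
            continue
        when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        window = recent[host]
        window.append(when)
        # Forget failures that are older than the sliding window.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = when.isoformat()
    return banned


if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {host} (threshold reached at {when})")
```

The 450 greylisting reply never counts as a failure, and the three rejects from 192.0.2.9 are spread over 15 minutes, so with a 600-second window that client is not banned.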



Catchall not working

2009-06-11 Thread Gary Smith

/etc/postfix/custom/virtual
@bounces.domain.tld bmana...@bounces.domain.tld


Executed:
postmap virtual
postmap -q 'c...@bounces.domain.tld' hash:/etc/postfix/custom/virtual
postmap -q '@bounces.domain.tld' hash:/etc/postfix/custom/virtual
bmana...@bounces.domain.tld

Test with c...@bounces.domain.tld returned nothing.  I would have expected it 
to return bmana...@bounces.domain.tld.

Postfix version is 2.5.5 under CentOS 5.3.  I have yet to add these to the 
/etc/postfix/main as I can even get the test query to work.

Purpose of this is that we send out a lot of email to subscribers and set a 
return address like bounce-emailaddress=theirdomain@bounces.domain.tld.  We 
had this working some time ago and migrated it to a new server about 10 months 
ago and didn't realize that this one wasn't working.

Any ideas?

Policy protocol size attribute and postfix version

2009-06-11 Thread Rob Tanner
Hi,

This is sort of a two part question.  I am running Postfix version 2.2.10
from RedHat.  It's current for Enterprise Linux 4.  Since vendors often use
their own numbering schemes, I don't know what Postfix version it really is
in terms of the numbering at postfix.org.   Can anyone tell me?

Second issue.  I'm going to implement a policy engine and so I'm logging the
data sent to a snippet of code that's simply sending back an "OK".  What I'm
noticing is that the size attribute usually has a zero value but sometimes
has a non-zero value.  My read of the documentation says that unless I'm
running a version of Postfix earlier than v2.2 (postfix.org numbering) it
should always be non-zero.

Can anyone enlighten me on this?

Thanks,
Rob



--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558



Re: Policy protocol size attribute and postfix version

2009-06-11 Thread Wietse Venema
Rob Tanner:
> Hi,
> 
> This is sort of a two part question.  I am running Postfix version 2.2.10
> from RedHat.  It's current for Enterprise Linux 4.  Since vendors often use
> their own numbering schemes, I don't know what Postfix version it really is
> in terms of the numbering at postfix.org.   Can anyone tell me?
> 
> Second issue.  I'm going to implement a policy engine and so I'm logging the
> data sent to a snippet of code that's simply sending back an "OK".  What I'm
> noticing is that the size attribute usually has a zero value but sometimes
> has a non-zero value.  My read of the documentation says that unless I'm
> running a version of Postfix earlier than v2.2 (postfix.org numbering) it
> should always be non-zero.
> 
> Can anyone enlighten me on this?

The size attribute shows the number that the client sent with the
SMTP MAIL FROM command:

MAIL FROM: SIZE=12345

As of some Postfix version, smtpd_end_of_data_restrictions shows
the actual size of the message after it is received.

I don't keep track of the modifications by vendors. I only hear
when modifications break something in Postfix.

Wietse
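
A policy service that handles the size attribute the way the reply above describes, as an added example (not code from this thread or from Postfix): before end-of-data the value is only what the client declared, so 0 means "not declared", while a call from smtpd_end_of_data_restrictions (protocol_state=END-OF-MESSAGE) carries the size actually received. MAX_BYTES, the action texts and the sample requests are assumptions of the example.

```python
import io

MAX_BYTES = 10_240_000  # hypothetical site limit (assumption of this example)

# Constructed policy requests: name=value lines, each request ended by an empty line.
SAMPLE_REQUESTS = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=a@example.org\nrecipient=b@example.net\nsize=0\n\n"
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=a@example.org\nrecipient=b@example.net\nsize=99999999\n\n"
    "request=smtpd_access_policy\nprotocol_state=END-OF-MESSAGE\n"
    "sender=a@example.org\nsize=20000000\n\n"
)


def read_request(stream):
    """Return one request as a dict, or None at end of input."""
    attrs = {}
    for raw in stream:
        line = raw.rstrip("\r\n")
        if line == "":
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return None  # EOF before the terminating empty line: no complete request


def decide(attrs, limit=MAX_BYTES):
    """Return the action for one request, treating size according to the stage."""
    try:
        size = int(attrs.get("size", "0"))
    except ValueError:
        size = 0
    if attrs.get("protocol_state") == "END-OF-MESSAGE":
        # Called from smtpd_end_of_data_restrictions: size is the received size.
        return "REJECT message exceeds size policy" if size > limit else "DUNNO"
    # Earlier stages: size is the SIZE= value from MAIL FROM, chosen by the
    # client. 0 means the client declared nothing, so it proves nothing.
    if size == 0:
        return "DUNNO"
    return "REJECT declared size exceeds size policy" if size > limit else "DUNNO"


def serve(stream_in, stream_out):
    """Answer every request on stream_in; return the number handled."""
    handled = 0
    while (attrs := read_request(stream_in)) is not None:
        stream_out.write(f"action={decide(attrs)}\n\n")
        handled += 1
    return handled


def run_sample():
    """Run the constructed requests and return the list of actions sent back."""
    out = io.StringIO()
    serve(io.StringIO(SAMPLE_REQUESTS), out)
    return [chunk[len("action="):] for chunk in out.getvalue().split("\n\n") if chunk]


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

A declared size is only a hint from the client; the end-of-data check is the one that enforces the limit on what was actually received.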


RE: Catchall not working

2009-06-11 Thread Gary Smith
I think a better question that I should have asked is: I need all email for a 
domain to go to a single address on that box.  We are running Cyrus on the 
backend in virtual domain mode so the destination account is 
bmana...@bounces.domain.tld.  This is a dedicated box just for this email.  It 
is not connected directly to the net but rather it receives email from a relay. 

So, given that it's a dedicated box for this domain, and that any email for 
this domain should go to a single account, what should I add to main.cf from 
stock to config to make this work.

Gary


From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On 
Behalf Of Gary Smith [g...@primeexalia.com]
Sent: Thursday, June 11, 2009 9:07 AM
To: postfix-users@postfix.org
Subject: Catchall not working

/etc/postfix/custom/virtual
@bounces.domain.tld bmana...@bounces.domain.tld


Executed:
postmap virtual
postmap -q 'c...@bounces.domain.tld' hash:/etc/postfix/custom/virtual
postmap -q '@bounces.domain.tld' hash:/etc/postfix/custom/virtual
bmana...@bounces.domain.tld

Test with c...@bounces.domain.tld returned nothing.  I would have expected it 
to return bmana...@bounces.domain.tld.

Postfix version is 2.5.5 under CentOS 5.3.  I have yet to add these to the 
/etc/postfix/main as I can even get the test query to work.

Purpose of this is that we send out a lot of email to subscribers and set a 
return address like bounce-emailaddress=theirdomain@bounces.domain.tld.  We 
had this working some time ago and migrated it to a new server about 10 months 
ago and didn't realize that this one wasn't working.

Any ideas?

Re: Catchall not working

2009-06-11 Thread Noel Jones

Gary Smith wrote:

> /etc/postfix/custom/virtual
> @bounces.domain.tld bmana...@bounces.domain.tld
>
> Executed:
> postmap virtual
> postmap -q 'c...@bounces.domain.tld' hash:/etc/postfix/custom/virtual
> postmap -q '@bounces.domain.tld' hash:/etc/postfix/custom/virtual
> bmana...@bounces.domain.tld
>
> Test with c...@bounces.domain.tld returned nothing.  I would have expected it 
> to return bmana...@bounces.domain.tld.


This is normal.  The postmap -q test tool does not perform a 
"search order" as documented in various postfix functions.

Postmap -q performs the query specified and nothing else.



> Postfix version is 2.5.5 under CentOS 5.3.  I have yet to add these to the 
> /etc/postfix/main as I can even get the test query to work.
>
> Purpose of this is that we send out a lot of email to subscribers and set a 
> return address like bounce-emailaddress=theirdomain@bounces.domain.tld.  We 
> had this working some time ago and migrated it to a new server about 10 months 
> ago and didn't realize that this one wasn't working.
>
> Any ideas?


Seems using main.cf setting
recipient_delimiter = -
rather than a catch-all would be a better solution.  That way 
all mail addressed to bounc...@example.tld is delivered to 
bou...@example.tld while preserving the original address.


  -- Noel Jones
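
The difference between a single `postmap -q` query and the lookup sequence Postfix itself performs for a virtual alias table, as an added example (not code from this thread or from Postfix). It models the search order documented in virtual(5) in simplified form: the special cases Postfix applies when splitting on the delimiter (such as owner- and -request addresses) are left out, and the table contents and addresses are constructed.

```python
# Constructed table: a single catch-all entry, as in the thread above.
TABLE = {"@bounces.example": "collector@bounces.example"}


def candidate_keys(address, recipient_delimiter="", local_domains=()):
    """Keys tried, in order, for one recipient address (simplified virtual(5) order).

    local_domains stands in for $myorigin/$mydestination and friends; the bare
    "user" keys are only tried for those domains.
    """
    address = address.lower()
    local, _, domain = address.rpartition("@")
    base = local
    cut = local.find(recipient_delimiter) if recipient_delimiter else -1
    if cut > 0:  # split at the first delimiter, never leaving an empty user part
        base = local[:cut]
    keys = [f"{local}@{domain}", f"{base}@{domain}"]
    if domain in local_domains:
        keys += [local, base]
    keys.append(f"@{domain}")
    return list(dict.fromkeys(keys))  # drop repeats, keep order


def postmap_q(table, key):
    """What `postmap -q key` does: exactly one lookup with the key as given."""
    return table.get(key)


def virtual_lookup(table, address, recipient_delimiter="", local_domains=()):
    """Walk the candidate keys; return (matching key, result) or None."""
    for key in candidate_keys(address, recipient_delimiter, local_domains):
        if key in table:
            return key, table[key]
    return None


if __name__ == "__main__":
    addr = "bounce-user=theirdomain@bounces.example"
    print("postmap -q style :", postmap_q(TABLE, addr))
    print("keys tried       :", candidate_keys(addr, "-"))
    print("search-order hit :", virtual_lookup(TABLE, addr, "-"))
```

To test a catch-all with `postmap -q`, query the `@domain` key itself, which is the query that returned a result in the session quoted above.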


RE: Catchall not working

2009-06-11 Thread Gary Smith
Noel, 

Thanks for the follow up (and sorry about the top post).  So if I understand 
the postconf.5 manual, the recipient_delimiter will strip the bounce- off the 
email address and deliver it bou...@bounces.domain.tld as the originating email 
address instead of bounce-user=theirdomain@bounces.domain.tld.

ie. deliver bounce-user=theirdomain@bounces.domain.tld to 
bou...@bounces.domain.tld and while keeping the original address of 
bounce-user=theirdomain@bounces.domain.tld intact.  That's how I'm reading 
how recipient_delimiter works, which is what I want it to do.  Am I 
understanding this correctly?   If so, that's pretty easy.

Gary

From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On 
Behalf Of Noel Jones [njo...@megan.vbhcs.org]
Sent: Thursday, June 11, 2009 9:52 AM
To: postfix-users@postfix.org
Subject: Re: Catchall not working

Seems using main.cf setting
recipient_delimiter = -
rather than a catch-all would be a better solution.  That way
all mail addressed to bounc...@example.tld is delivered to
bou...@example.tld while preserving the original address.

   -- Noel Jones

Re: Catchall not working

2009-06-11 Thread Noel Jones

Gary Smith wrote:
> Noel, 
>
> Thanks for the follow up (and sorry about the top post).  So if I understand 
> the postconf.5 manual, the recipient_delimiter will strip the bounce- off the 
> email address and deliver it bou...@bounces.domain.tld as the originating email 
> address instead of bounce-user=theirdomain@bounces.domain.tld.
>
> ie. deliver bounce-user=theirdomain@bounces.domain.tld to 
> bou...@bounces.domain.tld and while keeping the original address of 
> bounce-user=theirdomain@bounces.domain.tld intact.  That's how I'm reading 
> how recipient_delimiter works, which is what I want it to do.  Am I 
> understanding this correctly?   If so, that's pretty easy.



Yup.  That's all there is to it.

  -- Noel Jones


Re: How to discern from postfix log between TO and THROUGH sending a correspondence?

2009-06-11 Thread Victor Duchovni
On Thu, Jun 11, 2009 at 08:45:34PM +0700, Sthu Pous wrote:

> Do You know a way how I can track an local application/process that called
> postfix to send a messages (on a hacked system)?

The only thing recorded by Postfix is either the SMTP client source IP
address (and optionally the source port) or the Unix uid of the process
that invoked sendmail(1). With SMTP, if the client uses SASL auth,
that's also in the logs.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
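
The two origin records named in the reply above (the uid logged by pickup for sendmail(1) submissions, and the client address, optional port and SASL login logged by smtpd), pulled out of a mail log per queue ID, as an added example that is not part of the original post. The log lines are constructed samples in the usual Postfix syslog layout; host names, addresses and queue IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the page).
SAMPLE_LOG = """\
Jun 11 20:41:02 mx1 postfix/pickup[2211]: 3F2A11C0D5: uid=33 from=<www-data>
Jun 11 20:41:02 mx1 postfix/cleanup[2215]: 3F2A11C0D5: message-id=<20090611134102.3F2A11C0D5@mx1.example>
Jun 11 20:41:03 mx1 postfix/qmgr[1890]: 3F2A11C0D5: from=<www-data@mx1.example>, size=912, nrcpt=1 (queue active)
Jun 11 20:42:10 mx1 postfix/smtpd[2302]: 7B9C21C0D8: client=unknown[192.0.2.44]:51544, sasl_method=LOGIN, sasl_username=alice
Jun 11 20:42:11 mx1 postfix/qmgr[1890]: 7B9C21C0D8: from=<alice@example.org>, size=2048, nrcpt=40 (queue active)
Jun 11 20:43:30 mx1 postfix/smtpd[2310]: 9D0E31C0DA: client=localhost[127.0.0.1]
Jun 11 20:43:31 mx1 postfix/smtpd[2310]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 rejected
"""

ENTRY = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
PICKUP = re.compile(r"uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
CLIENT = re.compile(
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>[^,\s]+))?"
)
QMGR = re.compile(r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")


def message_origins(log_text):
    """Map queue ID -> how the message entered Postfix and how many recipients it has."""
    origins = {}
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # NOQUEUE lines and non-Postfix lines carry no queue ID
        svc, qid, rest = m.group("svc", "qid", "rest")
        rec = origins.setdefault(qid, {"via": None, "nrcpt": None})
        if svc == "pickup" and (p := PICKUP.match(rest)):
            # Local submission through sendmail(1): only the invoking uid is known.
            rec.update(via="sendmail", uid=int(p["uid"]))
        elif svc == "smtpd" and (c := CLIENT.match(rest)):
            rec.update(via="smtp", ip=c["ip"], port=c["port"], sasl_username=c["user"])
        elif svc == "qmgr" and (q := QMGR.match(rest)):
            rec.update(sender=q["sender"], nrcpt=int(q["nrcpt"]))
    return origins


def local_injections(origins):
    """Group locally submitted queue IDs by the uid that ran sendmail(1)."""
    by_uid = defaultdict(list)
    for qid, rec in origins.items():
        if rec["via"] == "sendmail":
            by_uid[rec["uid"]].append(qid)
    return dict(by_uid)


if __name__ == "__main__":
    found = message_origins(SAMPLE_LOG)
    for qid, rec in found.items():
        print(qid, rec)
    print("local submissions by uid:", local_injections(found))
```

The uid identifies the account, not the program; narrowing it down to a process needs host-level records outside the Postfix log.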


Re: what is the meaning???

2009-06-11 Thread Barney Desmond
2009/6/10 Truth Seeker:
> now to do flushing for a particular domain, i am trying to configure fast 
> flush service. in the documentation i found the following line, which i am 
> confused.
>
> could anyone explain this further
>
> As mentioned in the introduction, the mail is delivered by connecting to the 
> customer's SMTP server; it is not sent over the connection that was used to 
> send the ETRN command.
>
> i feel like they are mentioning about two connection?
> i didnt understand which are these two connections?
> then i feel like whenever we are sending a mail to a domain, its usual that 
> it will try to connect to that particular mail server to deliver it. in such 
> a case, why here they mentioned about 2 connections???

Disclaimer: I've never used fast flush before, I don't know much about it.

Imagine a system, "X", that receives mail on behalf of a domain, it is
not the final destination for that domain. The final destination, "Y",
has an intermittent connection, like satellite or dialup. Rather than
queueing mail for the domain and attempting to push it, it just holds
it. When the final destination comes online, it can connect to "X" via
SMTP and issue the ETRN command. That's it. "Y" may send mail via "X",
or it may not.

When "X" gets the ETRN command it attempts to deliver the queued up
mail to "Y", because it must now be online. This effectively turns
SMTP from a best-effort "push" protocol, to an on-demand "pull"
protocol. It just happens to be convenient that the ETRN command can
be issued via an SMTP channel.


Someone please correct me if I've gotten any of this wrong.


Re: Policy protocol size attribute and postfix version

2009-06-11 Thread Ralf Hildebrandt
* Rob Tanner :
> Hi,
> 
> This is sort of a two part question.  I am running Postfix version 2.2.10
> from RedHat.  It's current for Enterprise Linux 4.  Since vendors often use
> their own numbering schemes, I don't know what Postfix version it really is
> in terms of the numbering at postfix.org.   Can anyone tell me?

postconf -d |grep version

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
If we can dispel the delusion that learning about computers should be
an activity of fiddling with array indexes and worrying whether X is
an integer or a real number, we can begin to focus on programming as a
source of ideas.


RE: Catchall not working

2009-06-11 Thread Gary Smith
Noel, 

I created a file /etc/postfix/custom/mydestination and put my entry in there 
(hash) and added the following lines to /etc/postfix/main.cf

(only changes made to a stock 2.5.5 config)
mydestination   = $myhostname,localhost.$mydomain,localhost,hash:/etc/postfix/custom/mydestination
recipient-delimiter = -
mailbox_command = /usr/bin/procmail

For some reason, when I do a postconf -n I get the mydestination line without 
the hash.  I don't understand why.  I probably don't need the rest of the 
entries for mydestination either.  I copied them from another config.  Anyway, 
does anyone know why mydestination isn't seeing the 
hash:/etc/postfix/custom/mydestination entry?

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550





From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On 
Behalf Of Noel Jones [njo...@megan.vbhcs.org]
Sent: Thursday, June 11, 2009 10:12 AM
To: Gary Smith; postfix users list
Subject: Re: Catchall not working

Gary Smith wrote:
> Noel,
>
> Thanks for the follow up (and sorry about the top post).  So if I understand 
> the postconf.5 manual, the recipient_delimiter will strip the bounce- off the 
> email address and deliver it bou...@bounces.domain.tld as the originating 
> email address instead of bounce-user=theirdomain@bounces.domain.tld.
>
> ie. deliver bounce-user=theirdomain@bounces.domain.tld to 
> bou...@bounces.domain.tld and while keeping the original address of 
> bounce-user=theirdomain@bounces.domain.tld intact.  That's how I'm 
> reading how recipient_delimiter works, which is what I want it to do.  Am I 
> understanding this correctly?   If so, that's pretty easy.
>

Yup.  That's all there is to it.

   -- Noel Jones

Re: Catchall not working

2009-06-11 Thread Noel Jones

Gary Smith wrote:
> Noel, 
>
> I created a file /etc/postfix/custom/mydestination and put my entry in there 
> (hash) and added the following lines to /etc/postfix/main.cf
>
> (only changes made to a stock 2.5.5 config)
> mydestination   = $myhostname,localhost.$mydomain,localhost,hash:/etc/postfix/custom/mydestination
> recipient-delimiter = -
> mailbox_command = /usr/bin/procmail
>
> For some reason, when I do a postconf -n I get the mydestination line without 
> the hash.  I don't understand why.  I probably don't need the rest of the 
> entries for mydestination either.  I copied them from another config.  Anyway, 
> does anyone know why mydestination isn't seeing the 
> hash:/etc/postfix/custom/mydestination entry?



probably because you have mydestination defined multiple times 
in main.cf


   -- Noel Jones
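
A check for the cause suggested above, a parameter defined more than once in main.cf, as an added example (not code from this thread or from Postfix). It follows the main.cf layout rules (comment lines, and continuation lines that start with whitespace) and reports each repeated parameter with the line of every definition; when a parameter is repeated, the last definition is the one in effect. The sample file is constructed.

```python
# Constructed sample: quick changes placed at the top, stock settings below.
SAMPLE_MAIN_CF = """\
# quick changes added at the top (constructed sample)
mydestination = $myhostname, localhost.$mydomain, localhost,
    hash:/etc/postfix/custom/mydestination
mailbox_command = /usr/bin/procmail

# ... stock settings further down ...
mydestination = $myhostname, localhost.$mydomain, localhost
"""


def parse_main_cf(text):
    """Return [(line number, name, value)] for every logical 'name = value' line."""
    logical = []  # each item: [first line number, joined text]
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # empty lines and comments, also inside a multi-line value
        if line[0] in " \t" and logical:
            logical[-1][1] += " " + line.strip()  # continuation of previous line
            continue
        logical.append([lineno, line.strip()])
    entries = []
    for lineno, joined in logical:
        name, sep, value = joined.partition("=")
        if sep:
            entries.append((lineno, name.strip(), " ".join(value.split())))
    return entries


def repeated_parameters(text):
    """Return {name: [(line number, value), ...]} for names defined more than once."""
    seen = {}
    for lineno, name, value in parse_main_cf(text):
        seen.setdefault(name, []).append((lineno, value))
    return {name: defs for name, defs in seen.items() if len(defs) > 1}


def effective_value(text, name):
    """Value in effect for a parameter: its last definition in the file, or None."""
    value = None
    for _, entry_name, entry_value in parse_main_cf(text):
        if entry_name == name:
            value = entry_value
    return value


if __name__ == "__main__":
    for name, defs in repeated_parameters(SAMPLE_MAIN_CF).items():
        for lineno, value in defs:
            print(f"{name} (line {lineno}): {value}")
        print(f"in effect: {effective_value(SAMPLE_MAIN_CF, name)}")
```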


Message with 300,000+ recips via alias_maps

2009-06-11 Thread dan trainor
Hello, all -

I've sent an email through Postfix which has one recipient, which is an
alias via alias_maps (mysql lookup table).  I've had just a little bit of
experience with this type of delivery, but not a lot of experience with this
many final recipients.

Right now I see the message sitting in the 'active' queue, but it's been
sitting for some time.

At this point I'm not entirely sure what's going on.  I would have expected
the message to be delivered to its final recipients by now, but it has not
done so.

If nothing more, I was hoping to get a little explanation on what happens
when a message of this type - single recipient federated out to many, many
final recipients via alias_maps.

Is a delay of this period of time normal?  I've troubleshot to the extent
that I would for any other message, and other messages which use this same
lookup method with far fewer recipients, and even those messages are
delivered almost immediately.

Thanks for your time; it is greatly appreciated.

Thanks
-dant


RE: Catchall not working

2009-06-11 Thread Gary Smith
Bingo...  That will teach me to not put my quick changes in the top of the 
file...

Thanks, 

Gary


From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On 
Behalf Of Noel Jones [njo...@megan.vbhcs.org]
Sent: Thursday, June 11, 2009 12:52 PM
To: postfix users list
Subject: Re: Catchall not working

Gary Smith wrote:
> Noel,
>
> I created a file /etc/postfix/custom/mydestination and put my entry in there 
> (hash) and added the following lines to /etc/postfix/main.cf
>
> (only changes made to a stock 2.5.5 config)
> mydestination   = 
> $myhostname,localhost.$mydomain,localhost,hash:/etc/postfix/custom/mydestination
> recipient-delimiter = -
> mailbox_command = /usr/bin/procmail
>
> For some reason, when I do a postconf -n I get the mydestination line without 
> the hash.  I don't understand why.  I probably don't need the rest of the 
> entries for mydestination either.  I copied them from another config.  
> Anyway, does anyone know why mydestination isn't seeing the 
> hash:/etc/postfix/custom/mydestination entry?
>

probably because you have mydestination defined multiple times
in main.cf

-- Noel Jones

Re: Message with 300,000+ recips via alias_maps

2009-06-11 Thread Wietse Venema
dan trainor:
> Hello, all -
> 
> I've sent an email through Postfix which has one recipient, which is an
> alias via alias_maps (mysql lookup table).  I've had just a little bit of
> experience with this type of delivery, but not a lot of experience with this
> many final recipients.
> 
> Right now I see the message sitting in the 'active' queue, but it's been
> sitting for some time.

Is this before or after alias expansion? It can take some time to
expand 300k aliases from SQL. In fact, the local delivery agent
may be terminated by a watchdog timer (daemon_timeout = 18000s).

I suspect that SQL is taking its time.

A minor concern: the expansion of 300k aliases will be written to
a new queue file, so it needs to fit within the message_size_limit
setting.

Once the new queue file is complete, the queue manager will
be quite busy scheduling deliveries.

You may want to dry-run test this without outgoing mail enabled.

Wietse

> At this point I'm not entirely sure what's going on.  I would have expected
> the message to be delivered to its final recipients by now, but it has not
> done so.
> 
> If nothing more, I was hoping to get a little explanation on what happens
> when a message of this type - single recipient federated out to many, many
> final recipients via alias_maps.
> 
> Is a delay of this period of time normal?  I've troubleshot to the extent
> that I would for any other message, and other messages which use this same
> lookup method with far fewer recipients, and even those messages are
> delivered almost immediately.
> 
> Thanks for your time; it is greatly appreciated.
> 
> Thanks
> -dant



RE: Catchall not working

2009-06-11 Thread Gary Smith
Noel, 

Here is what I ended with.  I had to add a virtual_alias_maps as the email 
address is different than the one we have been sending (and because of the auth 
system on this box)

mydestination   = $myhostname, localhost.$mydomain, localhost, 
hash:/etc/postfix/custom/mydestination
recipient-delimiter = -
virtual_alias_maps  = hash:/etc/postfix/custom/virtual
mailbox_command = /usr/bin/procmail

mailbox_transport   = lmtp:unix:/var/lib/imap/socket/lmtpunix
virtual_transport   = lmtp:unix:/var/lib/imap/socket/lmtpunix

All of the test emails we have sent in are all going to the proper email 
account now with the bounce-user=theirdomain@bounces.domain.tld in the from 
field (untouched which is nice).

Thanks for your help.

Gary


From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On 
Behalf Of Noel Jones [njo...@megan.vbhcs.org]
Sent: Thursday, June 11, 2009 12:52 PM
To: postfix users list
Subject: Re: Catchall not working

Gary Smith wrote:
> Noel,
>
> I created a file /etc/postfix/custom/mydestination and put my entry in there 
> (hash) and added the following lines to /etc/postfix/main.cf
>
> (only changes made to a stock 2.5.5 config)
> mydestination   = 
> $myhostname,localhost.$mydomain,localhost,hash:/etc/postfix/custom/mydestination
> recipient-delimiter = -
> mailbox_command = /usr/bin/procmail
>
> For some reason, when I do a postconf -n I get the mydestination line without 
> the hash.  I don't understand why.  I probably don't need the rest of the 
> entries for mydestination either.  I copied them from another config.  
> Anyway, does anyone know why mydestination isn't seeing the 
> hash:/etc/postfix/custom/mydestination entry?
>

probably because you have mydestination defined multiple times
in main.cf

-- Noel Jones

Re: Message with 300,000+ recips via alias_maps

2009-06-11 Thread dan trainor
On Thu, Jun 11, 2009 at 1:32 PM, Wietse Venema  wrote:

> dan trainor:
> > Hello, all -
> >
> > I've sent an email through Postfix which has one recipient, which is an
> > alias via alias_maps (mysql lookup table).  I've had just a little bit of
> > experience with this type of delivery, but not a lot of experience with
> this
> > many final recipients.
> >
> > Right now I see the message sitting in the 'active' queue, but it's been
> > sitting for some time.
>
> Is this before or after alias expansion? It can take some time to
> expand 300k aliases from SQL. In fact, the local delivery agent
> may be terminated by a watchdog timer (daemon_timeout = 18000s).
>
> I suspect that SQL is taking its time.
>
> A minor concern: the expansion of 300k aliases will be written to
> a new queue file, so it needs to fit within the message_size_limit
> setting.
>
> Once the new queue file is complete, the queue manager will
> be quite busy scheduling deliveries.
>
> You may want to dry-run test this without outgoing mail enabled.
>
>Wietse
>

Good evening, Wietse -

Shortly after sending that message out, I realized that this was happening.
I do in fact see the 'local' transport very busy, eating as much CPU as it
can muster.

The message sitting in the queue has been placed there before alias
expansion I would assume.  I say that assuming the sleeping thread in MySQL
from the Postfix map resolution process is the result of already having
queried MySQL, and also that there is only one message in that 'active'
queue which does not have those aliases expanded.

I'm going to give it some more time, and see what happens first - the
'local' transport finishes up as the result of the message(s) being sent,
being killed by daemon_timeout, or something else.

That's a good point regarding message size limit; I did not think about
that.  This would clearly be the cumulation of those final recipient
addresses in the message itself, as documented by "...including envelope
information."

Thanks again for your time.

Thanks!
-dant


Re: Upgrade TOTAL screw-up - Part One

2009-06-11 Thread William Michael
 snip ===


It was not obvious how to turn off html, so I selected UTF-8 option for
gmail...hopefully the e-mail(s) will be more readable.

Stripped configuration still yields:

Jun 11 16:34:12 dns1 postfix/master[3308]: reload configuration /etc/postfix
Jun 11 16:34:12 dns1 postfix/smtpd[4165]: connect to subsystem
private/proxymap: Connection refused
Jun 11 16:34:12 dns1 postfix/smtpd[4165]: warning: connect #9 to subsystem
private/proxymap: Connection refused
Jun 11 16:34:22 dns1 postfix/smtpd[4165]: connect to subsystem
private/proxymap: Connection refused
Jun 11 16:34:22 dns1 postfix/smtpd[4165]: warning: connect #10 to subsystem
private/proxymap: Connection refused
Jun 11 16:34:32 dns1 postfix/smtpd[4165]: connect to subsystem
private/proxymap: Connection refused
Jun 11 16:34:32 dns1 postfix/smtpd[4165]: fatal: connect #11 to subsystem
private/proxymap: Connection refused
Jun 11 16:34:33 dns1 postfix/master[3308]: warning: process
/usr/lib/postfix/smtpd pid 4165 exit status 1
Jun 11 16:34:33 dns1 postfix/master[3308]: warning: /usr/lib/postfix/smtpd:
bad command startup -- throttling

Postfinger now says:

dns1:/etc/postfix# /home/bill/postfinger.sh
postfinger - postfix configuration on Thu Jun 11 16:41:01 PDT 2009
version: 1.30

--System Parameters--
mail_version = 2.3.8
hostname = dns1
uname = Linux dns1 2.6.18-6-k7 #1 SMP Tue May 5 01:21:08 UTC 2009 i686
GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-2.3.8-2+etch1

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
debug_peer_level = 5
header_checks = regexp:/etc/postfix/header_checks
mailbox_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mail.light-family.com, localhost, localhost.localdomain
myhostname = mail.light-family.com
mynetworks = 66.124.156.120/29, 127.0.0.0/8 [::1]/128
myorigin = $mydomain
nested_header_checks = regexp:/etc/postfix/nested_header_checks
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
unknown_local_recipient_reject_code = 450

--master.cf--
smtp  inet  n   -   n   -   -   smtpd -v

-- end of postfinger output --


WTF am I doing wrong ??


Content filter - 2 entries?

2009-06-11 Thread Vasilios Tzanoudakis

Hello all,

Is there any way that i can use 2 content filters? system works for ONE 
of the entries below (main.cf).
I have also tried content_filter = scan:127.0.0.1:10025, spamassassin 
with no luck (getting mail transport unavailable)

I use clamsmtp for clamav connection.

thanks in advance

Bill

ps: As you can understand i need to avoid Amavis like hell ;-)


main.cf
=
#content_filter = scan:127.0.0.1:10025
content_filter = spamassassin

master.cf
=
spamassassin unix - n   n   -   -   pipe
   user=nobody argv=/usr/local/spamassasin/bin/spamc -f -e
   /usr/sbin/sendmail.postfix -oi -f ${sender} ${recipient}

scan  unix  -   -   n   -   16  smtp
   -o smtp_send_xforward_command=yes
   -o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -   n   -   16  smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks_style=host
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8