Re: reject_unknown_reverse_client_hostname rejects even if PTR RR is found

2009-07-13 Thread Benny Pedersen

On Sun, July 12, 2009 22:47, Sahil Tandon wrote:
> On Sun, 12 Jul 2009, Keld Jørn Simonsen wrote:
>
>> >> Anyway if it is a name server timeout, then I think this is always
>> >> handled by a 450 response. In my case the mail was rejected.
>> >
>> > Yes, temporary errors always get a 450 response.
>>
>> Then I do not understand why the message was rejected. A temporary error
>> should not result in a reject, or why should this happen?
>
> A 450 response *is* a reject;

defer not reject

> the 4xx SMTP reply code tells the sending
> server to queue and try again later.

correct, e.g. try until the sending server has solved reverse DNS (unknown)

> This contrasts with 5xx rejections
> which are permanent,

one can argue we should not let the sender server retry on missing reverse DNS,
but it could as well also be an error on the receiving side

> i.e. mail is not queued/retried, but returned to sender.

it can bounce whatever it does on the remote side; there is no control on the recipient
host for this. Forwarding is not that clever if the
forwarded recipient does not accept it

-- 
xpoint



Re: Hourly Limits

2009-07-13 Thread ad...@gg-lab.net
Benny,

I want to limit mail sent via PHP mainly, so I can't limit via SASL
simply because users aren't authenticated.

Of course I can't limit by host IP (all mail is sent from my webserver).

The most beautiful thing would be limiting by system user (each user has
an entry in /etc/passwd). Limiting the sender would not be useful,
because all spammers randomize the sender, bypassing the limit.

Now, I know that cPanel with Exim has a limit of this type. I'll
ask them WHAT exactly is limited (maybe we can replicate it with
postfix).

I'll also write to the postfix-policyd mailing list.

Sahil, maybe we can continue here? Postfixfw rules are completely on
topic and maybe we can help someone else...

Thank you all

2009/7/12 Sahil Tandon :
> On Sat, 11 Jul 2009, ad...@gg-lab.net wrote:
>
>> And, i've also found postfwd, but i can't see how can i use it to
>> limit mails in number.
>
> Assuming you want to limit mails per envelope sender, the following
> (untested) rule should work:
>
>  id=MAX_PER_HOUR ; protocol_state=END-OF-MESSAGE ; \
>    action==rate($$sender/100/3600/450 4.7.1 max 100 mails per hour)
>
> With this, query postfwd in smtpd_end_of_data_restrictions.  If you have more
> questions about postfwd, follow-up off-list or on the postfwd mailing list.
>
> --
> Sahil Tandon 
>
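Added example (not postfwd's or Postfix's own code): a sliding-window rate check in the shape of the rate() rule quoted above, reading Postfix policy-delegation attributes and counting only at END-OF-MESSAGE; the request text and the apache@webhost.example address are constructed.

```python
"""Sliding-window rate check modelled on the quoted postfwd rule
rate($$sender/100/3600/450 4.7.1 max 100 mails per hour), fed with
requests in the Postfix policy-delegation attribute format."""
import time
from collections import defaultdict, deque

LIMIT = 100      # messages per window, as in the quoted rule
WINDOW = 3600    # window length in seconds, as in the quoted rule
DEFER = "450 4.7.1 max 100 mails per hour"


def parse_policy_request(raw):
    """Parse one policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class RateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)   # key -> timestamps of counted mail

    @staticmethod
    def key_for(attrs):
        # Count per SASL login when there is one (postfwd sees sasl_username),
        # otherwise per envelope sender. The From: header is not a policy
        # attribute at all, so changing it does not open a new bucket.
        return (attrs.get("sasl_username") or attrs.get("sender")
                or attrs.get("client_address", ""))

    def check(self, attrs, now=None):
        """Return 'DUNNO' or the defer text for one parsed request."""
        # The quoted rule counts at END-OF-MESSAGE only (it is queried from
        # smtpd_end_of_data_restrictions), so earlier stages never count.
        if attrs.get("protocol_state", "END-OF-MESSAGE") != "END-OF-MESSAGE":
            return "DUNNO"
        now = time.time() if now is None else now
        events = self.seen[self.key_for(attrs)]
        while events and now - events[0] >= self.window:
            events.popleft()             # drop events older than one window
        if len(events) >= self.limit:
            return DEFER
        events.append(now)
        return "DUNNO"

    def respond(self, raw, now=None):
        """Full policy reply for one raw request block."""
        return "action=%s\n\n" % self.check(parse_policy_request(raw), now)


# Constructed request in the policy-delegation format (not a real capture).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=END-OF-MESSAGE\n"
    "client_address=127.0.0.1\n"
    "sender=apache@webhost.example\n"
    "sasl_username=\n"
    "\n"
)

if __name__ == "__main__":
    limiter = RateLimiter(limit=3, window=WINDOW)
    for t in range(5):
        print(t, limiter.respond(SAMPLE_REQUEST, now=t).strip())
```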


temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
Hi

I have a few problems with my changed postfix configuration, maybe
somebody could help me?

I am using fetchmail in cooperation with postfix, and I repeatedly get
the following error:

fetchmail: SMTP error: 450 4.1.8 : Sender address rejected: Domain not found
reading message k...@sia.dkuug.dk:2 of 4 (950 header octets) not flushed

When I query my nameserver everything resolves fine. So that is one
problem, why does postfix say Domain not found?

Another problem is the 450 response. I would like it to be 550.

450 indicates a temporary dns error, and I have set
unknown_address_reject_code = 550

Can I change some response code for the temporary DNS error, so that the check
on the mail fails on this?

How could I best debug the communication between postfix and my named?

Best regards
keld


Re: Need help munging inbound recipient address

2009-07-13 Thread Benny Pedersen

On Mon, July 13, 2009 05:01, Daniel L'Hommedieu wrote:
> I'm having trouble with a forwarded email setup, and I need to munge
> an inbound recipient address.

stop forwarding mails so, simple no ?

-- 
xpoint



Re: Hourly Limits

2009-07-13 Thread luc...@lastdot.org
On Sat, Jul 11, 2009 at 7:01 PM, ad...@gg-lab.net wrote:
> Hi,
>
> I have been googling for hours today, and can't solve this problem:
>
> I'm working on a free-hosting platform. As MTA, of course, I've
> chosen postfix. Now, to prevent abuse, I want to limit the number of
> emails each user can send in an hour.
>
> Any idea?
>
> Thank you
>

We solved the problem by using a wrapper around /usr/bin/sendmail
(basically just a PHP script that checks posix_getcwd and tries to
establish from that which hosting user is sending the email).
The script would increment values in a MySQL db for each mail sent;
once it had hit a certain number of sent emails it would exit. The nice
thing about it is that it's MTA agnostic and you can also get some
stats since all the values are kept in the db.

The idea came to me after reading
http://www.unixro.net/?_m=articles&_a=view&id=17


Re: temporary errors for DNS

2009-07-13 Thread Benny Pedersen

On Mon, July 13, 2009 10:30, Keld Jørn Simonsen wrote:
> Hi
>
> I have a few problems with my changed postfix configuration, maybe
> somebody could help me?
>
> I am using fetchmail in cooperation with postfix, and I repeatedly get
> the following error:
>
> fetchmail: SMTP error: 450 4.1.8 : Sender address rejected: Domain not found
> reading message k...@sia.dkuug.dk:2 of 4 (950 header octets) not flushed

http://moensted.dk/spam/?addr=ezbck.ParteiTv.com&Submit=Submit

you got the email from a different IP?

unknown domain is here sia.dkuug.dk

so
dig sia.dkuug.d A
or
dig sia.dkuug.dk MX

it exists ?

> When I query my nameserver everything resolves fine.

maybe a wrong nameserver or bad config?

> So that is one problem, why does postfix say Domain not found?

because it's not found in an A RR, or MX RR

> Another problem is the 450 response. I would like it to be 550.
>
> 450 indicates a temporary dns error, and I have set
> unknown_address_reject_code = 550

this is IMHO for a full email address as recipient that does not exist, not just the
recipient domain

> Can I change some response code for the temporary DNS error, so that the check
> on the mail fails on this?

better use an MDA in fetchmail if you get so many problems with postfix :)

> How could I best debug the communication between postfix and my named?

rndc querylog

see in the logs what happens now

-- 
xpoint



postfix not asking for PTR

2009-07-13 Thread Keld Jørn Simonsen
A problem I have again with the DNS (lack of query)


I have in my mail queue:

C074C641AF 2236 Sun Jul 12 15:40:56  k...@rap.rap.dk
(host spike.porcupine.org[168.100.189.2] said: 450 4.1.7 : Sender address rejected: unverified address: host rap.rap.dk[85.81.22.91] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [168.100.189.2] (in reply to RCPT TO command) (in reply to RCPT TO command))
 wie...@porcupine.org

Consulting my named/log I see:

13-Jul-2009 11:11:13.712 client 127.0.0.1#33672: query: porcupine.org IN MX +
13-Jul-2009 11:11:13.724 client 127.0.0.1#33672: query: spike.porcupine.org IN A +

But no:

13-Jul-2009 11:12:12.352 client 127.0.0.1#33672: query: 2.189.100.168.in-addr.arpa IN PTR +

Which is a query by hand.

Shouldn't postfix query for the reverse hostname?
Could there be a reason for postfix not to query the PTR RR?

Best regards
keld
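Added example (not Postfix or BIND code) for the diagnosis above: cross-check smtpd's "cannot find your reverse hostname" rejections against the named querylog to see whether the PTR query for each rejected client ever reached named; the log samples are constructed from the lines quoted above.

```python
"""Cross-check Postfix reverse-hostname rejections against a named
querylog. A rejected client whose PTR query never appears in the log
points at the resolver on the Postfix host, not at the remote side."""
import ipaddress
import re

# Matches the querylog format quoted above: "client IP#port: query: NAME IN TYPE +"
QUERY_RE = re.compile(
    r"client (?P<client>\S+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# Matches the smtpd reject text quoted above.
REJECT_RE = re.compile(
    r"cannot find your reverse hostname, \[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_querylog(text):
    """Return the set of (qname, qtype) pairs named was asked for."""
    seen = set()
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            seen.add((m.group("qname").lower().rstrip("."),
                      m.group("qtype").upper()))
    return seen


def rejected_clients(text):
    """IPs that Postfix rejected for a missing reverse hostname."""
    return sorted({m.group("ip") for m in REJECT_RE.finditer(text)})


def ptr_name(ip):
    """Reverse-lookup name, e.g. 168.100.189.2 -> 2.189.100.168.in-addr.arpa
    (an IPv6 address gets the matching ip6.arpa name)."""
    return ipaddress.ip_address(ip).reverse_pointer


def clients_without_ptr_query(reject_text, querylog_text):
    """Rejected clients whose PTR query never showed up in the querylog."""
    queries = parse_querylog(querylog_text)
    return [ip for ip in rejected_clients(reject_text)
            if (ptr_name(ip), "PTR") not in queries]


# Constructed samples modelled on the queue entry and querylog quoted above.
SAMPLE_REJECT = (
    "host rap.rap.dk[85.81.22.91] said: 450 4.7.1 Client host rejected: "
    "cannot find your reverse hostname, [168.100.189.2]"
)
SAMPLE_QUERYLOG = """\
13-Jul-2009 11:11:13.712 client 127.0.0.1#33672: query: porcupine.org IN MX +
13-Jul-2009 11:11:13.724 client 127.0.0.1#33672: query: spike.porcupine.org IN A +
"""

if __name__ == "__main__":
    # -> ['168.100.189.2']: the PTR lookup for that client never reached named
    print(clients_without_ptr_query(SAMPLE_REJECT, SAMPLE_QUERYLOG))
```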


Re: Hourly Limits

2009-07-13 Thread Benny Pedersen

On Mon, July 13, 2009 09:51, ad...@gg-lab.net wrote:

> I want to limit mail sent via PHP mainly, so I can't limit via SASL
> simply because users aren't authenticated.

remove 127.0.0.1 from mynetworks, and require SASL for everything that gets sent from
this box; problem solved. Next step is a policy
server that can handle SASL limits

all else will fail

another way is to separate web and mail server so 127.0.0.1 is another box :)

> Of course I can't limit by host IP (all mail is sent from my webserver).

as Obama says "yes we can" :)

> The most beautiful thing would be limiting by system user (each user has
> an entry in /etc/passwd). Limiting the sender would not be useful,
> because all spammers randomize the sender, bypassing the limit.

they randomize their From: but not the envelope sender (apa...@myhostname)

and this email is unknown in my virtual alias for good reason, apache is local
and stays here

> Now, I know that cPanel with Exim has a limit of this type. I'll
> ask them WHAT exactly is limited (maybe we can replicate it with
> postfix).

don't use cPanel here so can't say how they mix up the problem

> I'll also write to the postfix-policyd mailing list.

I work on something for fail2ban; will need to write some PHP and extend policyd
1.80 more to handle this here. Point is that no one
has done it before, so when I make it, it will be the best :)

> Sahil, maybe we can continue here? Postfixfw rules are completely on
> topic and maybe we can help someone else...

exactly

-- 
xpoint



Re: postfix not asking for PTR

2009-07-13 Thread Benny Pedersen

On Mon, July 13, 2009 11:21, Keld Jørn Simonsen wrote:
> iA problem I have again with the DNS (lack of query)
>
>
> I have in my mail queue:
>
> C074C641AF 2236 Sun Jul 12 15:40:56  k...@rap.rap.dk
> (host spike.porcupine.org[168.100.189.2] said: 450 4.1.7 : Sender address rejected: unverified address: host rap.rap.dk[85.81.22.91] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [168.100.189.2] (in reply to RCPT TO command) (in reply to RCPT TO command))
>  wie...@porcupine.org

you have reject_unverified_sender, but your own MX has no reverse PTR so your
recipient rejects it, maybe I am wrong :)

-- 
xpoint



Re: Hourly Limits

2009-07-13 Thread ad...@gg-lab.net
Lucian, I saw that solution, but I want something that can globally
limit EVERY mail sent:

I'll also offer SMTP access, and a sendmail wrapper isn't a solution.

Benny: ok, so we are speaking about the envelope sender, so, it seems
this is the solution.

2009/7/13 Benny Pedersen :
>
> On Mon, July 13, 2009 09:51, ad...@gg-lab.net wrote:
>
>> I want to limit mail sent via PHP mainly, so I can't limit via SASL
>> simply because users aren't authenticated.
>
> remove 127.0.0.1 from mynetworks, and require SASL for everything that gets sent
> from this box; problem solved. Next step is a policy
> server that can handle SASL limits
>
> all else will fail
>
> another way is to separate web and mail server so 127.0.0.1 is another box :)
>
>> Of course I can't limit by host IP (all mail is sent from my webserver).
>
> as Obama says "yes we can" :)
>
>> The most beautiful thing would be limiting by system user (each user has
>> an entry in /etc/passwd). Limiting the sender would not be useful,
>> because all spammers randomize the sender, bypassing the limit.
>
> they randomize their From: but not the envelope sender (apa...@myhostname)
>
> and this email is unknown in my virtual alias for good reason, apache is
> local and stays here
>
>> Now, I know that cPanel with Exim has a limit of this type. I'll
>> ask them WHAT exactly is limited (maybe we can replicate it with
>> postfix).
>
> don't use cPanel here so can't say how they mix up the problem
>
>> I'll also write to the postfix-policyd mailing list.
>
> I work on something for fail2ban; will need to write some PHP and extend
> policyd 1.80 more to handle this here. Point is that no one
> has done it before, so when I make it, it will be the best :)
>
>> Sahil, maybe we can continue here? Postfixfw rules are completely on
>> topic and maybe we can help someone else...
>
> exactly
>
> --
> xpoint
>
>


Re: postfix not asking for PTR

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 11:36:21AM +0200, Benny Pedersen wrote:
> 
> On Mon, July 13, 2009 11:21, Keld Jørn Simonsen wrote:
> > A problem I have again with the DNS (lack of query)
> >
> >
> > I have in my mail queue:
> >
> > C074C641AF 2236 Sun Jul 12 15:40:56  k...@rap.rap.dk
> > (host spike.porcupine.org[168.100.189.2] said: 450 4.1.7 : Sender address rejected: unverified address: host rap.rap.dk[85.81.22.91] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [168.100.189.2] (in reply to RCPT TO command) (in reply to RCPT TO command))
> >  wie...@porcupine.org
> 
> you have reject_unverified_sender, but your own MX has no reverse PTR so
> your recipient rejects it, maybe I am wrong :)

No, I don't have reject_unverified_sender
porcupine.org 168.100.189.2 rap.rap.dk 85.81.22.91 all resolve
My MX rap.rap.dk resolves

my postfix does not ask my named for a PTR for 168.100.189.2 - although it
says "cannot find your reverse hostname, [168.100.189.2]"

Best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 11:10:18AM +0200, Benny Pedersen wrote:
> 
> On Mon, July 13, 2009 10:30, Keld Jørn Simonsen wrote:
> > Hi
> >
> > I have a few problems with my changed postfix configuration, maybe
> > somebody could help me?
> >
> > I am using fetchmail in cooperation with postfix, and I repeatedly get
> > the following error:
> >
> > fetchmail: SMTP error: 450 4.1.8 : Sender address rejected: Domain not found
> > reading message k...@sia.dkuug.dk:2 of 4 (950 header octets) not flushed
> 
> http://moensted.dk/spam/?addr=ezbck.ParteiTv.com&Submit=Submit

Yes, it is spam.

> you got the email from a diff ip ?

I am getting it via fetchmail from one of my mail servers, the one at 
sia.dkuug.dk

> unknown domain is here sia.dkuug.dk

Why is it not ezbck.ParteiTv.com ? fetchmail reports:
"onfnp...@ezbck.parteitv.com>: Sender address rejected: Domain not found"

> so
> dig sia.dkuug.d A
> or
> dig sia.dkuug.dk MX
> 
> it exists ?

Yes, the A record exists (in the .dk domain, you missed the "k" there),
but MX sia.dkuug.dk does not exist. Should it? There is a MX for
dkuug.dk


> > When I query my nameserver everything resolves fine.
> 
> maybe a wrong nameserver or bad config?

Hmm, I think postfix on my system uses the nameservers as recorded in 
/etc/resolv.conf? So it is the same nameserver set.

> > So that is one problem, why does postfix say Domain not found?
> 
> because it's not found in an A RR, or MX RR

The A RR of sia.dkuug.dk is found. I get most of my mail from that
server. 

> > Another problem is the 450 response. I would like it to be 550.
> >
> > 450 indicates a temporary dns error, and I have set
> > unknown_address_reject_code = 550
> 
> this is IMHO for a full email address as recipient that does not exist, not just the
> recipient domain
> 
> > Can I change some response code for the temporary DNS error, so that the check
> > on the mail fails on this?
> 
> better use an MDA in fetchmail if you get so many problems with postfix :)
> 
> > How could I best debug the communication between postfix and my named?
> 
> rndc querylog
> 
> see in the logs what happens now

my named log says:

13-Jul-2009 12:52:25.615 client 127.0.0.1#33692: query: mail.dkuug.dk IN A +
13-Jul-2009 12:52:25.833 client 127.0.0.1#33692: query: ezbck.ParteiTv.com IN MX +
13-Jul-2009 12:52:25.833 client 127.0.0.1#33692: query: ezbck.ParteiTv.com IN MX +
13-Jul-2009 12:52:25.834 client 127.0.0.1#33692: query: ezbck.parteitv.com IN MX +
13-Jul-2009 12:52:25.834 client 127.0.0.1#33692: query: ezbck.parteitv.com IN MX +
13-Jul-2009 12:52:25.835 client 127.0.0.1#33692: query: ezbck.parteitv.com IN A +
13-Jul-2009 12:52:25.835 client 127.0.0.1#33692: query: ezbck.parteitv.com IN A +
13-Jul-2009 12:52:25.835 client 127.0.0.1#33692: query: ezbck.parteitv.com IN  +
13-Jul-2009 12:52:25.837 client 127.0.0.1#33692: query: ezbck.parteitv.com IN  +

So it finds both an A and an MX record for ezbck.ParteiTv.com - why does
fetchmail/my postfix (SMTP) then say:

"onfnp...@ezbck.parteitv.com>: Sender address rejected: Domain not found"

Best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Charles Marcus
On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote:
> I am getting it via fetchmail



If you are getting it through fetchmail, then the message has already
been delivered... so you MUST NOT reject it later, *especially* if it is
spam - unless of course you really *want* to end up blacklisted...

-- 

Best regards,

Charles


Re: temporary errors for DNS

2009-07-13 Thread Wietse Venema
Keld Jørn Simonsen:
> 450 indicates a temporary dns error, and I have set
> unknown_address_reject_code = 550

unknown_address_reject_code is for permanent errors.

In your case, the system library getnameinfo() returns a
temporary error, therefore Postfix will reply with 450.

Since you also can't look up the name for my own server 168.100.189.2,
I suspect one or more of the following:

- Incorrect system permissions of / /etc /etc/resolv.conf
  /etc/nsswitch.conf or the files and directories referenced by
  /etc/nsswitch.conf.

  Files must be world readable, and directories must have world
  read-execute permission.

- Running Postfix chrooted without providing the necessary files
  in the chroot jail.

Wietse


Re: Hourly Limits

2009-07-13 Thread ad...@gg-lab.net
Here are some details on cPanel limits:

http://forums.cpanel.net/email-exim/73464-how-does-new-max-emails-per-hour-tracking-work-2.html

2009/7/13 ad...@gg-lab.net :
> Lucian, I saw that solution, but I want something that can globally
> limit EVERY mail sent:
>
> I'll also offer SMTP access, and a sendmail wrapper isn't a solution.
>
> Benny: ok, so we are speaking about the envelope sender, so, it seems
> this is the solution.
>
> 2009/7/13 Benny Pedersen :
>>
>> On Mon, July 13, 2009 09:51, ad...@gg-lab.net wrote:
>>
>>> I want to limit mail sent via PHP mainly, so I can't limit via SASL
>>> simply because users aren't authenticated.
>>
>> remove 127.0.0.1 from mynetworks, and require SASL for everything that gets sent
>> from this box; problem solved. Next step is a policy
>> server that can handle SASL limits
>>
>> all else will fail
>>
>> another way is to separate web and mail server so 127.0.0.1 is another box :)
>>
>>> Of course I can't limit by host IP (all mail is sent from my webserver).
>>
>> as Obama says "yes we can" :)
>>
>>> The most beautiful thing would be limiting by system user (each user has
>>> an entry in /etc/passwd). Limiting the sender would not be useful,
>>> because all spammers randomize the sender, bypassing the limit.
>>
>> they randomize their From: but not the envelope sender (apa...@myhostname)
>>
>> and this email is unknown in my virtual alias for good reason, apache is
>> local and stays here
>>
>>> Now, I know that cPanel with Exim has a limit of this type. I'll
>>> ask them WHAT exactly is limited (maybe we can replicate it with
>>> postfix).
>>
>> don't use cPanel here so can't say how they mix up the problem
>>
>>> I'll also write to the postfix-policyd mailing list.
>>
>> I work on something for fail2ban; will need to write some PHP and extend
>> policyd 1.80 more to handle this here. Point is that no one
>> has done it before, so when I make it, it will be the best :)
>>
>>> Sahil, maybe we can continue here? Postfixfw rules are completely on
>>> topic and maybe we can help someone else...
>>
>> exactly
>>
>> --
>> xpoint
>>
>>
>


Re: Need help munging inbound recipient address

2009-07-13 Thread Daniel L'Hommedieu

On Jul 13, 2009, at 4:51, Benny Pedersen wrote:

> On Mon, July 13, 2009 05:01, Daniel L'Hommedieu wrote:
>
>> I'm having trouble with a forwarded email setup, and I need to munge
>> an inbound recipient address.
>
> stop forwarding mails so, simple no ?


Simple, yes, but it does not address my issue.  As I mentioned in my
previous posting, I need to forward the mail since GroupWise's IMAP
server is not compatible with OS X's Mail.app IMAP client.  I didn't
specifically mention it, but the OS X version of the GroupWise mail
client is horrid, so using it is not an option.


So, working within the constraint that I must forward the email to a
machine running a functional IMAP server, is there any way to get
postfix to correct the address that GroupWise hoses?


Thanks.

Daniel


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 07:18:03AM -0400, Wietse Venema wrote:
> Keld Jørn Simonsen:
> > 450 indicates a temporary dns error, and I have set
> > unknown_address_reject_code = 550
> 
> unknown_address_reject_code is for permanent errors.
> 
> In your case, the system library getnameinfo() returns a
> temporary error, therefore Postfix will reply with 450.
> 
> Since you also can't look up the name for my own server 168.100.189.2,
> I suspect one or more of the following:
> 
> - Incorrect system permissions of / /etc /etc/resolv.conf
>   /etc/nsswitch.conf or the files and directories referenced by
>   /etc/nsswitch.conf.
> 
>   Files must be world readable, and directories must have world
>   read-execute permission.

They look ok. And postfix does get answers from named. I receive all my
mail via my local postfix, and I could not have done this email without 
postfix/named working - which it does most of the time.

> - Running Postfix chrooted without providing the necessary files
>   in the chroot jail.

Postfix is not chrooted.

best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Wietse Venema
Wietse Venema:
[ Charset UNKNOWN-8BIT unsupported, converting... ]
> Keld Jørn Simonsen:
> > 450 indicates a temporary dns error, and I have set
> > unknown_address_reject_code = 550
> 
> unknown_address_reject_code is for permanent errors.
> 
> In your case, the system library getnameinfo() returns a
> temporary error, therefore Postfix will reply with 450.
> 
> Since you also can't look up the name for my own server 168.100.189.2,
> I suspect one or more of the following:
> 
> - Incorrect system permissions of / /etc /etc/resolv.conf
>   /etc/nsswitch.conf or the files and directories referenced by
>   /etc/nsswitch.conf.
> 
>   Files must be world readable, and directories must have world
>   read-execute permission.
> 
> - Running Postfix chrooted without providing the necessary files
>   in the chroot jail.

For this one, see also:
http://www.postfix.org/DEBUG_README.html#no_chroot

>   Wietse
> 
> 



Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 07:07:01AM -0400, Charles Marcus wrote:
> On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote:
> > I am getting it via fetchmail
> 
> 
> 
> If you are getting it through fetchmail, then the message has already
> been delivered... so you MUST NOT reject it later, *especially* if it is
> spam - unless of course you really *want* to end up blacklisted...

OK, I want to DISCARD it then. Is that possible?

And why would I end up being blacklisted for rejecting spam, already
received at one of my mailboxes?

Best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Wietse Venema
Keld Jørn Simonsen:
[ Charset ISO-8859-1 unsupported, converting... ]
> On Mon, Jul 13, 2009 at 07:18:03AM -0400, Wietse Venema wrote:
> > Keld Jørn Simonsen:
> > > 450 indicates a temporary dns error, and I have set
> > > unknown_address_reject_code = 550
> > 
> > unknown_address_reject_code is for permanent errors.
> > 
> > In your case, the system library getnameinfo() returns a
> > temporary error, therefore Postfix will reply with 450.
> > 
> > Since you also can't look up the name for my own server 168.100.189.2,
> > I suspect one or more of the following:
> > 
> > - Incorrect system permissions of / /etc /etc/resolv.conf
> >   /etc/nsswitch.conf or the files and directories referenced by
> >   /etc/nsswitch.conf.
> > 
> >   Files must be world readable, and directories must have world
> >   read-execute permission.
> 
> They look ok.

If you are not willing to show the evidence, then we cannot
help you find the mistake.

> And postfix does get answers from named. I receive all my
> mail via my local postfix, and I could not have done this email without 
> postfix/named working - which it does most of the time.

Postfix does not need named to RECEIVE email.

> > - Running Postfix chrooted without providing the necessary files
> >   in the chroot jail.
> 
> Postfix is not chrooted.

If you are not willing to show the evidence, then we cannot
help you find the mistake.

Wietse


Re: temporary errors for DNS

2009-07-13 Thread John Peach



On Mon, 13 Jul 2009 14:25:01 +0200
Keld Jørn Simonsen wrote:

> On Mon, Jul 13, 2009 at 07:07:01AM -0400, Charles Marcus wrote:
> > On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote:
> > > I am getting it via fetchmail
> > 
> > 
> > 
> > If you are getting it through fetchmail, then the message has
> > already been delivered... so you MUST NOT reject it later,
> > *especially* if it is spam - unless of course you really *want* to
> > end up blacklisted...
> 
> OK, I want to DISCARD it then. Is that possible?
> 
> And why would I end up being blacklisted for rejecting spam, already
> received at one of my mailboxes?

http://lmgtfy.com/?q=backscatter


-- 
John


Re: Hourly Limits

2009-07-13 Thread Sahil Tandon
On Jul 13, 2009, at 5:54 AM, "ad...@gg-lab.net" wrote:

> Lucian, I saw that solution, but I want something that can globally
> limit EVERY mail sent:
>
> I'll also offer SMTP access, and a sendmail wrapper isn't a solution.
>
> Benny: ok, so we are speaking about the envelope sender, so, it seems
> this is the solution.

What are you trying to do exactly?  Your requirements and situation
keep changing with every email.  Use examples with all details to
explain exactly what you want.

Benny - postfwd is sasl_username aware.

> 2009/7/13 Benny Pedersen :
>>
>> On Mon, July 13, 2009 09:51, ad...@gg-lab.net wrote:
>>
>>> I want to limit mail sent via PHP mainly, so I can't limit via SASL
>>> simply because users aren't authenticated.
>>
>> remove 127.0.0.1 from mynetworks, and require SASL for everything that
>> gets sent from this box; problem solved. Next step is a policy
>> server that can handle SASL limits
>>
>> all else will fail
>>
>> another way is to separate web and mail server so 127.0.0.1 is
>> another box :)
>>
>>> Of course I can't limit by host IP (all mail is sent from my
>>> webserver).
>>
>> as Obama says "yes we can" :)
>>
>>> The most beautiful thing would be limiting by system user (each user
>>> has an entry in /etc/passwd). Limiting the sender would not be useful,
>>> because all spammers randomize the sender, bypassing the limit.
>>
>> they randomize their From: but not the envelope sender (apa...@myhostname)
>>
>> and this email is unknown in my virtual alias for good reason,
>> apache is local and stays here
>>
>>> Now, I know that cPanel with Exim has a limit of this type. I'll
>>> ask them WHAT exactly is limited (maybe we can replicate it with
>>> postfix).
>>
>> don't use cPanel here so can't say how they mix up the problem
>>
>>> I'll also write to the postfix-policyd mailing list.
>>
>> I work on something for fail2ban; will need to write some PHP and
>> extend policyd 1.80 more to handle this here. Point is that no one
>> has done it before, so when I make it, it will be the best :)
>>
>>> Sahil, maybe we can continue here? Postfixfw rules are completely on
>>> topic and maybe we can help someone else...
>>
>> exactly
>>
>> --
>> xpoint



Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 08:28:16AM -0400, Wietse Venema wrote:
> Keld Jørn Simonsen:
> [ Charset ISO-8859-1 unsupported, converting... ]
> > On Mon, Jul 13, 2009 at 07:18:03AM -0400, Wietse Venema wrote:
> > > Keld Jørn Simonsen:
> > > > 450 indicates a temporary dns error, and I have set
> > > > unknown_address_reject_code = 550
> > > 
> > > unknown_address_reject_code is for permanent errors.
> > > 
> > > In your case, the system library getnameinfo() returns a
> > > temporary error, therefore Postfix will reply with 450.
> > > 
> > > Since you also can't look up the name for my own server 168.100.189.2,
> > > I suspect one or more of the following:
> > > 
> > > - Incorrect system permissions of / /etc /etc/resolv.conf
> > >   /etc/nsswitch.conf or the files and directories referenced by
> > >   /etc/nsswitch.conf.
> > > 
> > >   Files must be world readable, and directories must have world
> > >   read-execute permission.
> > 
> > They look ok.
> 
> If you are not willing to show the evidence, then we cannot
> help you find the mistake.

Sorry, I am new on this list and not fully aware of your conventions.
So here they are:

drwxr-xr-x  20 root root  4096 jul 10 09:32 /
drwxr-xr-x 113 root root 12288 jul 13 14:09 /etc
-rw-r--r--   2 root root  1277 jun 24  2007 /etc/nsswitch.conf
-rw-r--r--   1 root root    47 jul 13 14:09 /etc/resolv.conf



> > And postfix does get answers from named. I receive all my
> > mail via my local postfix, and I could not have done this email without 
> > postfix/named working - which it does most of the time.
> 
> Postfix does not need named to RECEIVE email.

I think postfix does need DNS assistance to check a number of things.
I understand that I don't need to run named on my own machine, as I just
could use any nameserver, but running named here gives me greater
control, and I can poke into logs etc.
> 
> > > - Running Postfix chrooted without providing the necessary files
> > >   in the chroot jail.
> > 
> > Postfix is not chrooted.
> 
> If you are not willing to show the evidence, then we cannot
> help you find the mistake.

OK, here are the relevant lines of master.cf. I added the -v option to
get more debugging. Still it does not show me communication with the
name server. The name server log does show some communication, that
stems from postfix, but it does not show me the responses. I would like
to see what named tells postfix.

# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==
smtp      inet  n       -       y       -       -       smtpd -v


best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread John Peach
On Mon, 13 Jul 2009 15:24:04 +0200
Keld Jørn Simonsen wrote:

[snip]
> # ==
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==
> smtp      inet  n       -       y       -       -       smtpd -v

It is chrooted.

-- 
John


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 08:29:28AM -0400, John Peach wrote:
> 
> 
> 
> On Mon, 13 Jul 2009 14:25:01 +0200
> Keld Jørn Simonsen wrote:
> 
> > On Mon, Jul 13, 2009 at 07:07:01AM -0400, Charles Marcus wrote:
> > > On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote:
> > > > I am getting it via fetchmail
> > > 
> > > 
> > > 
> > > If you are getting it through fetchmail, then the message has
> > > already been delivered... so you MUST NOT reject it later,
> > > *especially* if it is spam - unless of course you really *want* to
> > > end up blacklisted...
> > 
> > OK, I want to DISCARD it then. Is that possible?
> > 
> > And why would I end up being blacklisted for rejecting spam, already
> > received at one of my mailboxes?
> 
> http://lmgtfy.com/?q=backscatter

OK, I know, I did some filters for postfix for such things, available
from my homepage at http://dkuug.dk/keld

Still, would it be possible to discard such mail?

best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 09:26:44AM -0400, John Peach wrote:
> On Mon, 13 Jul 2009 15:24:04 +0200
> Keld Jørn Simonsen wrote:
> 
> [snip]
> > # ==
> > # service type  private unpriv  chroot  wakeup  maxproc command + args
> > #               (yes)   (yes)   (yes)   (never) (100)
> > # ==
> > smtp      inet  n       -       y       -       -       smtpd -v
>
> 
> It is chrooted.

Thanks for spelling it out. I was just building on the default configuration
of my distro. There were many other chroot services in the master file, I
changed them and now I will see if that helps. 

Best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Wietse Venema
> # ==
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #   (yes)   (yes)   (yes)   (never) (100)
> # ==
> smtp      inet  n       -       y       -       -       smtpd -v

The SMTP server runs chrooted. Don't do that, unless you know how
to set up and maintain a chroot jail with all the appropriate files.

Wietse
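Added example (not part of Postfix) for the check above: list the master.cf services that run chrooted, treating "-" as the header's default of yes, and report which of the resolver files named in this thread are missing from the jail under queue_directory; the master.cf fragment and the default path /var/spool/postfix are assumptions.

```python
"""Audit master.cf for chrooted services and check the jail for the
resolver files (resolv.conf, nsswitch.conf) named in this thread."""
import os

# Files the thread names as needed for name resolution; inside the jail
# they must live under $queue_directory/etc.
RESOLVER_FILES = ("etc/resolv.conf", "etc/nsswitch.conf")


def chrooted_services(master_cf, default_chroot="y"):
    """Return [(service, type, command)] for every entry with chroot=y,
    or '-' when the default (the header's '(yes)') is in effect."""
    result = []
    for line in master_cf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                          # comment or blank line
        if line[:1].isspace():
            continue                          # "-o name=value" continuation
        fields = stripped.split()
        if len(fields) < 8:
            continue                          # not a complete service line
        service, stype, _priv, _unpriv, chroot, _wakeup, _maxproc = fields[:7]
        if chroot == "-":
            chroot = default_chroot
        if chroot.lower().startswith("y"):
            result.append((service, stype, " ".join(fields[7:])))
    return result


def missing_jail_files(queue_directory, files=RESOLVER_FILES,
                       exists=os.path.exists):
    """Relative paths from `files` that do not exist under queue_directory.
    `exists` is injectable so the check can run without a real jail."""
    return [f for f in files if not exists(os.path.join(queue_directory, f))]


def audit(master_cf, queue_directory="/var/spool/postfix",
          exists=os.path.exists):
    """Map each chrooted service to the resolver files its jail lacks.
    /var/spool/postfix is the assumed default queue_directory."""
    missing = missing_jail_files(queue_directory, exists=exists)
    return {service: missing
            for service, _stype, _cmd in chrooted_services(master_cf)}


# Constructed master.cf fragment: the smtpd line quoted above (explicit y),
# an entry relying on the default, and one explicitly not chrooted.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       y       -       -       smtpd -v
  -o smtpd_tls_security_level=may
cleanup   unix  n       -       -       -       0       cleanup
pickup    fifo  n       -       n       60      1       pickup
"""

if __name__ == "__main__":
    for service, stype, cmd in chrooted_services(SAMPLE_MASTER_CF):
        print("chrooted:", service, stype, cmd)
    # With no jail populated at all, every resolver file is reported missing.
    print(audit(SAMPLE_MASTER_CF, exists=lambda path: False))
```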


Re: Need help munging inbound recipient address

2009-07-13 Thread Victor Duchovni
On Sun, Jul 12, 2009 at 11:01:01PM -0400, Daniel L'Hommedieu wrote:

> Greetings, all.
>
> I'm having trouble with a forwarded email setup, and I need to munge an 
> inbound recipient address.
>
> Here's what I have set up: f...@bar.edu is forwarded to o...@rab.net.
>
> bar.edu is running GroupWise as its email server, and GroupWise munges the 
> recipient address for forwarded emails. When email is sent to f...@bar.edu, 
> GroupWise munges the recipient address to be o...@rab.net. GroupWise then 
> forwards the email to...@rab.net.
>
> The whole reason I'm forwarding the email is that GroupWise's IMAP server 
> is not compatible with OS X's Mail.app IMAP client.
>
> When I check email at o...@rab.net, I see it as To o...@rab.net, NOT To 
> f...@bar.edu, as we would expect because that's what the headers say.
>
> This means that if I group-reply, the o...@rab.net address shows up in the 
> CC line. Nobody knows about that address, and I don't want them to know 
> about it... I am using GroupWise's SMTP server for outbound email, and all 
> email shows up as from f...@bar.edu, as it should.
>
> I am running postfix 2.3.3 at the mail server for rab.net, and I want 
> postfix to munge the inbound address from o...@rab.net back to f...@bar.edu.
>
> Is that possible?

main.cf:
# Pick one:
#canonical_maps = hash:/etc/postfix/canonical
#virtual_alias_maps = hash:/etc/postfix/valias
#virtual_alias_domains = ... set me explicitly ...
#
#canonical_maps = cdb:/etc/postfix/canonical
#virtual_alias_maps = cdb:/etc/postfix/valias
#virtual_alias_domains = ... set me explicitly ...
#
#canonical_maps = ldap:/etc/postfix/canonical.cf
#virtual_alias_maps = ldap:/etc/postfix/valias.cf
#virtual_alias_domains = ... set me explicitly ...

canonical:
o...@rab.net    f...@bar.edu

valias:
f...@bar.edu    o...@rab.net

The headers will read "f...@bar.edu", but the envelope recipient
for delivery (virtual(5) happens after canonical(5)) will still be
o...@rab.net. There are other ways of doing this, but this one is
perhaps the most natural.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: postfix not asking for PTR

2009-07-13 Thread mouss
Keld Jørn Simonsen a écrit :
> A problem I have again with the DNS (lack of query)
> 
> 
> I have in my mail queue:
> 
> C074C641AF 2236 Sun Jul 12 15:40:56  k...@rap.rap.dk
> (host spike.porcupine.org[168.100.189.2] said: 450 4.1.7 : 
> Sender address rejected: unverified address: host
> rap.rap.dk[85.81.22.91] said: 450 4.7.1 Client host rejected: cannot find 
> your reverse hostname, [168.100.189.2] (in reply to RCPT TO command) (in 
> reply to RCPT TO command))
>  wie...@porcupine.org
> 

Please show logs instead of queue infos. If I understand it, you sent a
mail to porcupine, which did a sender verification but your system
rejected its mail because it couldn't resolve its PTR. This may be
because of a temporary dns failure.


> Consulting my named/log I see:
> 
> 13-Jul-2009 11:11:13.712 client 127.0.0.1#33672: query: porcupine.org IN MX +
> 13-Jul-2009 11:11:13.724 client 127.0.0.1#33672: query: spike.porcupine.org 
> IN A +
> 
> But no:
> 
> 13-Jul-2009 11:12:12.352 client 127.0.0.1#33672: query: 
> 2.189.100.168.in-addr.arpa IN PTR +
> 
> Which is a query by hand.
> 
> Shouldn't postfix query for the reverse hostname?
> Could there be a reason for postfix not to query the PTR RR?
> 

postfix looks up the PTR of a client, unless this is disabled (in
main.cf or master.cf). and it does so by using the system resolver. so
if you didn't disable the client dns lookup, then the problem may be in
your system resolver.


Re: Need help munging inbound recipient address

2009-07-13 Thread Daniel L'Hommedieu

On Jul 13, 2009, at 10:06, Victor Duchovni wrote:

> On Sun, Jul 12, 2009 at 11:01:01PM -0400, Daniel L'Hommedieu wrote:
>
>> Greetings, all.
>>
>> I'm having trouble with a forwarded email setup, and I need to munge an
>> inbound recipient address.
>>
>> Here's what I have set up: f...@bar.edu is forwarded to o...@rab.net.
>>
>> bar.edu is running GroupWise as its email server, and GroupWise munges the
>> recipient address for forwarded emails. When email is sent to f...@bar.edu,
>> GroupWise munges the recipient address to be o...@rab.net. GroupWise then
>> forwards the email to...@rab.net.
>>
>> The whole reason I'm forwarding the email is that GroupWise's IMAP server
>> is not compatible with OS X's Mail.app IMAP client.
>>
>> When I check email at o...@rab.net, I see it as To o...@rab.net, NOT To
>> f...@bar.edu, as we would expect because that's what the headers say.
>>
>> This means that if I group-reply, the o...@rab.net address shows up in the
>> CC line. Nobody knows about that address, and I don't want them to know
>> about it... I am using GroupWise's SMTP server for outbound email, and all
>> email shows up as from f...@bar.edu, as it should.
>>
>> I am running postfix 2.3.3 at the mail server for rab.net, and I want
>> postfix to munge the inbound address from o...@rab.net back to f...@bar.edu.
>>
>> Is that possible?
>
> main.cf:
> # Pick one:
> #canonical_maps = hash:/etc/postfix/canonical
> #virtual_alias_maps = hash:/etc/postfix/valias
> #virtual_alias_domains = ... set me explicitly ...
> #
> #canonical_maps = cdb:/etc/postfix/canonical
> #virtual_alias_maps = cdb:/etc/postfix/valias
> #virtual_alias_domains = ... set me explicitly ...
> #
> #canonical_maps = ldap:/etc/postfix/canonical.cf
> #virtual_alias_maps = ldap:/etc/postfix/valias.cf
> #virtual_alias_domains = ... set me explicitly ...
>
> canonical:
> o...@rab.net    f...@bar.edu
>
> valias:
> f...@bar.edu    o...@rab.net
>
> The headers will read "f...@bar.edu", but the envelope recipient
> for delivery (virtual(5) happens after canonical(5)) will still be
> o...@rab.net. There are other ways of doing this, but this one is
> perhaps the most natural.


Thanks Victor.

I ended up using a simple recipe in procmail, which is really probably  
the better way to do what I wanted anyway.  Here's the recipe:


:0 fhw
* ^Received:.*bar.edu.*
| sed -e 's/o...@rab.net/f...@bar.edu/'

Sure, all of the headers get changed, but I don't really care about  
that - all I really care about is having the original email address in  
the headers, so it is of no consequence to me that the "Received"  
headers show that email was received for the f...@bar.edu address and  
not the o...@rab.net address.


FWIW I had tried the canonical map as you suggest (I thought I had  
mentioned that), but all that seemed to do was forward the mail back  
to the .edu address, which put the mail into a loop until I removed  
the map.


Daniel


Re: Need help munging inbound recipient address

2009-07-13 Thread Victor Duchovni
On Mon, Jul 13, 2009 at 10:34:00AM -0400, Daniel L'Hommedieu wrote:

>>main.cf:
>>  # Pick one:
>>  #canonical_maps = hash:/etc/postfix/canonical
>>  #virtual_alias_maps = hash:/etc/postfix/valias
>>  #virtual_alias_domains = ... set me explicitly ...
>>  #
>>  #canonical_maps = cdb:/etc/postfix/canonical
>>  #virtual_alias_maps = cdb:/etc/postfix/valias
>>  #virtual_alias_domains = ... set me explicitly ...
>>  #
>>  #canonical_maps = ldap:/etc/postfix/canonical.cf
>>  #virtual_alias_maps = ldap:/etc/postfix/valias.cf
>>  #virtual_alias_domains = ... set me explicitly ...
>>
>>canonical:
>>  o...@rab.net    f...@bar.edu
>>
>>valias:
>>  f...@bar.edu    o...@rab.net
>>
>> The headers will read "f...@bar.edu", but the envelope recipient
>> for delivery (virtual(5) happens after canonical(5)) will still be
>> o...@rab.net. There are other ways of doing this, but this one is
>> perhaps the most natural.
>
> Thanks Victor.
>
> I ended up using a simple recipe in procmail, which is really probably the 
> better way to do what I wanted anyway.  Here's the recipe:
>
> :0 fhw
> * ^Received:.*bar.edu.*
> | sed -e 's/o...@rab.net/f...@bar.edu/'
>
> Sure, all of the headers get changed, but I don't really care about that - 
> all I really care about is having the original email address in the 
> headers, so it is of no consequence to me that the "Received" headers show 
> that email was received for the f...@bar.edu address and not the o...@rab.net 
> address.
>
> FWIW I had tried the canonical map as you suggest (I thought I had 
> mentioned that), but all that seemed to do was forward the mail back to the 
> .edu address, which put the mail into a loop until I removed the map.

Which is *exactly* why I add the virtual(5) reverse mapping, so that
the envelope recipient is "de-canonicalized". The procmail regexp recipe
is fragile. Do as you see fit, but I recommend the canonical+virtual
approach.

-- 
Viktor.


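A toy model of the rewriting order Victor describes, added here as an illustration and not Postfix code or anything from the thread: canonical(5) rewrites headers and envelope, virtual(5) then rewrites only the envelope recipient, so a canonical map on its own sends the envelope back to bar.edu and GroupWise forwards it straight back (the loop Daniel saw), while the reverse virtual alias "de-canonicalizes" the envelope and the mail is delivered locally. The addresses "secret@rab.net" and "public@bar.edu" are constructed stand-ins for the elided ones in the thread, and the GroupWise forwarder is modelled as a simple table.

```python
"""Toy model of the cleanup(8) rewriting order the thread relies on, added
as an illustration (not Postfix code). canonical_maps rewrites header and
envelope addresses; virtual_alias_maps then rewrites only the envelope
recipient. "secret@rab.net" and "public@bar.edu" are constructed stand-ins
for the elided addresses in the thread."""

MYDESTINATION = {"rab.net"}          # domains this Postfix delivers locally

# Constructed behaviour of the GroupWise host at bar.edu: anything for the
# public address is forwarded straight back to the rab.net mailbox.
FORWARDER = {"public@bar.edu": "secret@rab.net"}


def lookup(addr, table):
    """One table lookup the way Postfix does it: full address, then @domain."""
    if addr in table:
        return table[addr]
    return table.get("@" + addr.rsplit("@", 1)[-1], addr)


def cleanup_rewrite(headers, envelope_rcpt, canonical_maps, virtual_alias_maps):
    """canonical_maps touches headers and envelope, virtual_alias_maps the
    envelope recipient only; returns (headers, envelope_rcpt)."""
    headers = {name: lookup(addr, canonical_maps) for name, addr in headers.items()}
    rcpt = lookup(envelope_rcpt, canonical_maps)
    rcpt = lookup(rcpt, virtual_alias_maps)
    return headers, rcpt


def deliver(envelope_rcpt, canonical_maps, virtual_alias_maps, max_hops=5):
    """Follow a message that GroupWise has just forwarded to rab.net. Real
    Postfix would break a loop at hopcount_limit (50 Received: headers);
    here max_hops plays that role."""
    headers = {"To": envelope_rcpt}      # GroupWise already munged To:
    rcpt = envelope_rcpt
    for hop in range(1, max_hops + 1):
        headers, rcpt = cleanup_rewrite(headers, rcpt, canonical_maps, virtual_alias_maps)
        if rcpt.rsplit("@", 1)[-1] in MYDESTINATION:
            return {"status": "delivered", "hops": hop, "headers": headers, "envelope": rcpt}
        # Not a local domain: relayed to bar.edu, whose GroupWise forwards it back.
        rcpt = FORWARDER.get(rcpt, rcpt)
    return {"status": "loop", "hops": max_hops, "headers": headers, "envelope": rcpt}


CANONICAL = {"secret@rab.net": "public@bar.edu"}   # canonical table
VALIAS = {"public@bar.edu": "secret@rab.net"}      # reverse map, envelope only

if __name__ == "__main__":
    print("canonical only:   ", deliver("secret@rab.net", CANONICAL, {}))
    print("canonical+virtual:", deliver("secret@rab.net", CANONICAL, VALIAS))
```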

Re: Need help munging inbound recipient address

2009-07-13 Thread Daniel L'Hommedieu

On Jul 13, 2009, at 10:42, Victor Duchovni wrote:

> On Mon, Jul 13, 2009 at 10:34:00AM -0400, Daniel L'Hommedieu wrote:
>
>>> main.cf:
>>> # Pick one:
>>> #canonical_maps = hash:/etc/postfix/canonical
>>> #virtual_alias_maps = hash:/etc/postfix/valias
>>> #virtual_alias_domains = ... set me explicitly ...
>>> #
>>> #canonical_maps = cdb:/etc/postfix/canonical
>>> #virtual_alias_maps = cdb:/etc/postfix/valias
>>> #virtual_alias_domains = ... set me explicitly ...
>>> #
>>> #canonical_maps = ldap:/etc/postfix/canonical.cf
>>> #virtual_alias_maps = ldap:/etc/postfix/valias.cf
>>> #virtual_alias_domains = ... set me explicitly ...
>>>
>>> canonical:
>>> o...@rab.net    f...@bar.edu
>>>
>>> valias:
>>> f...@bar.edu    o...@rab.net
>>>
>>> The headers will read "f...@bar.edu", but the envelope recipient
>>> for delivery (virtual(5) happens after canonical(5)) will still be
>>> o...@rab.net. There are other ways of doing this, but this one is
>>> perhaps the most natural.
>>
>> Thanks Victor.
>>
>> FWIW I had tried the canonical map as you suggest (I thought I had
>> mentioned that), but all that seemed to do was forward the mail back to the
>> .edu address, which put the mail into a loop until I removed the map.
>
> Which is *exactly* why I add the virtual(5) reverse mapping, so that
> the envelope recipient is "de-canonicalized". The procmail regexp recipe
> is fragile. Do as you see fit, but I recommend the canonical+virtual
> approach.


Hi Victor.

I must be doing something wrong here, because it isn't working as I
expect.  Here's what I see happening:
- email to non-groupwise-...@bar.edu (on a server running sendmail)
shows up on my system as being to both non-groupwise-...@bar.edu AND o...@rab.net.
- email to groupwise-...@bar.edu (my email address on the groupwise
server, which started this whole mess) shows up as to o...@rab.net.


Based on your instructions, here is what I added to my main.cf:
canonical_maps = hash:/etc/postfix/recipient_canonical
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
virtual_alias_domains = bar.edu

Here is my canonical map:
o...@rab.net f...@bar.edu

Here is my virtual alias:
f...@bar.edu o...@rab.net

For this test, I have disabled the procmail recipe.

Any ideas on what I'm doing wrong?

Thanks.

Daniel


Re: Need help munging inbound recipient address

2009-07-13 Thread Daniel L'Hommedieu

Begin forwarded message:

On Jul 13, 2009, at 10:42, Victor Duchovni wrote:

> On Mon, Jul 13, 2009 at 10:34:00AM -0400, Daniel L'Hommedieu wrote:
>
>>> main.cf:
>>> # Pick one:
>>> #canonical_maps = hash:/etc/postfix/canonical
>>> #virtual_alias_maps = hash:/etc/postfix/valias
>>> #virtual_alias_domains = ... set me explicitly ...
>>> #
>>> #canonical_maps = cdb:/etc/postfix/canonical
>>> #virtual_alias_maps = cdb:/etc/postfix/valias
>>> #virtual_alias_domains = ... set me explicitly ...
>>> #
>>> #canonical_maps = ldap:/etc/postfix/canonical.cf
>>> #virtual_alias_maps = ldap:/etc/postfix/valias.cf
>>> #virtual_alias_domains = ... set me explicitly ...
>>>
>>> canonical:
>>> o...@rab.net    f...@bar.edu
>>>
>>> valias:
>>> f...@bar.edu    o...@rab.net
>>>
>>> The headers will read "f...@bar.edu", but the envelope recipient
>>> for delivery (virtual(5) happens after canonical(5)) will still be
>>> o...@rab.net. There are other ways of doing this, but this one is
>>> perhaps the most natural.
>>
>> Thanks Victor.
>>
>> FWIW I had tried the canonical map as you suggest (I thought I had
>> mentioned that), but all that seemed to do was forward the mail back to the
>> .edu address, which put the mail into a loop until I removed the map.
>
> Which is *exactly* why I add the virtual(5) reverse mapping, so that
> the envelope recipient is "de-canonicalized". The procmail regexp recipe
> is fragile. Do as you see fit, but I recommend the canonical+virtual
> approach.


Hi Victor.

I must be doing something wrong here, because it isn't working as I
expect.  Here's what I see happening:
- email to non-groupwise-...@bar.edu (on a server running sendmail)
shows up on my system as being to both non-groupwise-...@bar.edu AND o...@rab.net.
- email to groupwise-...@bar.edu (my email address on the groupwise
server, which started this whole mess) shows up as to o...@rab.net.


Based on your instructions, here is what I added to my main.cf:
canonical_maps = hash:/etc/postfix/recipient_canonical
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
virtual_alias_domains = bar.edu

Here is my canonical map:
o...@rab.net f...@bar.edu

Here is my virtual alias:
f...@bar.edu o...@rab.net

For this test, I have disabled the procmail recipe.

Any ideas on what I'm doing wrong?

Thanks.

Daniel


Well, one thing I note is that it is only correcting email that
originates locally.  If I send mail to groupwise-...@bar.edu and relay
through my postfix mail server, the mail ends up in the mailbox for o...@rab.net,
correctly addressed "to" groupwise-...@bar.edu.  However, if I relay
through bar.edu's SMTP server, then the address is not getting set.
I'm sure that's a setting in main.cf and will start looking for that,
but wanted to give the additional info.


Thanks.

Daniel


Re: Need help munging inbound recipient address

2009-07-13 Thread Victor Duchovni
On Mon, Jul 13, 2009 at 11:24:09AM -0400, Daniel L'Hommedieu wrote:

> I must be doing something wrong here, because it isn't working as I expect. 
>  Here's what I see happening:
> - email to non-groupwise-...@bar.edu (on a server running sendmail) shows 
> up on my system as being to both non-groupwise-...@bar.edu AND o...@rab.net.
> - email to groupwise-...@bar.edu (my email address on the groupwise server, 
> which started this whole mess) shows up as to o...@rab.net.
>
> Based on your instructions, here is what I added to my main.cf:
>   canonical_maps = hash:/etc/postfix/recipient_canonical
>   virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
>   virtual_alias_domains = bar.edu

*DO NOT* add "bar.edu" to virtual_alias_domains. Set it explicitly empty
if you have no virtual alias domains.

> Here is my canonical map:
>   o...@rab.net f...@bar.edu
>
> Here is my virtual alias:
>   f...@bar.edu o...@rab.net

Both "postmapped" I hope.

> For this test, I have disabled the procmail recipe.
>
> Any ideas on what I'm doing wrong?

Without logs? Not psychic today I am afraid. :-(

-- 
Viktor.



Re: Hourly Limits

2009-07-13 Thread ad...@gg-lab.net
Hi,


i don't think my situation keeps changing-

That's simple: on my environment users can send email via CGI + PHP +
SMTP (sasl), and i want to limit them "globally".

Example: user giorgio can send 100 emails. I want him locked also on
CGI, if he sends 100 emails with PHP.

I can't:

- use a custom php sendmail wrapper -> it would only work with php
- limit the sender -> a randomized from would break my limit
- limit the host -> all mail are sent from localhost
- limit via sasl -> i can't request all users to authenticate

Limiting the envelope user is perfect for me. But, i'm asking if
there is a simpler solution.

2009/7/13 Sahil Tandon :
> On Jul 13, 2009, at 5:54 AM, "ad...@gg-lab.net"  wrote:
>
>> Lucian, i saw that solution, but i want something that can globally
>> limit EVERY mail sent:
>>
>> i'll also offer smtp access, and a sendmail wrapper isn't a solution.
>>
>> Benny: ok, so we are speaking about the envelope sender, so, it seems
>> this is the solution.
>
> What are you trying to do exactly?  Your requirements and situation keep
> changing with every email.  Use examples with all details to explain exactly
> what you want.
>
> Benny - postfwd is sasl_username aware.
>
>>
>> 2009/7/13 Benny Pedersen :
>>>
>>> On Mon, July 13, 2009 09:51, ad...@gg-lab.net wrote:
>>>
>>>> i want to limit mail sent via php mainly, so i can't limit via sasl
>>>> simply because users aren't authenticated.
>>>
>>> remove 127.0.0.1 in mynetworks, and make sasl usage from all what got
>>> sent from this box, problem solved, next step is a policy
>>> server that can handle sasl limits
>>>
>>> all else will fail
>>>
>>> another way is to separate web and mail server so 127.0.0.1 is another
>>> box :)
>>>
>>>> Of course i can't limit the host ip (all mail sent from my webserver).
>>>
>>> as Obama says "yes we can" :)
>>>
>>>> The most beautiful thing would be limiting system user (each user has
>>>> an entry in /etc/passwd). Limiting the sender would be unuseful,
>>>> because all spammers randomize the sender, bypassing the limit.
>>>
>>> randomize there from: but not envelope sender (apa...@myhostname)
>>>
>>> and this email is unknown in my virtual alias for good reason, apache is
>>> local and stays here at so
>>>
>>>> Now, i know that cPanel with Exim has a limit of this type. I'll
>>>> request them WHAT is exactly limited (maybe we can replicate with
>>>> postfix).
>>>
>>> dont use cpanel here so cant say how they mix up the problem
>>>
>>>> I'll also write to the postfix-policyd mailing list.
>>>
>>> i work on something to fail2ban, will need to write some php and extend
>>> policyd 1.80 more to handle this here, point is that none
>>> have done it before so when i make it, it will be the best :)
>>>
>>>> Sahil, maybe we can continue here? Postfixfw rules are completely in
>>>> topic and maybe we can help someone else...
>>>
>>> exactly
>>>
>>> --
>>> xpoint
>>>
>>>
>


Re: Hourly Limits

2009-07-13 Thread Sahil Tandon
On Jul 13, 2009, at 11:51 AM, "ad...@gg-lab.net" wrote:

> Hi,
>
> i don't think my situation keeps changing-
>
> That's simple: on my environment users can send email via CGI + PHP +
> SMTP (sasl), and i want to limit them "globally".
>
> Example: user giorgio can send 100 emails. I want him locked also on
> CGI, if he sends 100 emails with PHP.
>
> I can't:
>
> - use a custom php sendmail wrapper -> it would only work with php
> - limit the sender -> a randomized from would break my limit
> - limit the host -> all mail are sent from localhost
> - limit via sasl -> i can't request all users to authenticate
>
> Limiting the envelope user is perfect for me. But, i'm asking if
> there is a simpler solution.

The postfwd policy server solution works with the envelope sender.
But for that to work you need mail coming in on an smtpd listener for
the policy server to be queried, which won't be the case when you have
mail being submitted via pickup service.

> 2009/7/13 Sahil Tandon :
>> On Jul 13, 2009, at 5:54 AM, "ad...@gg-lab.net" wrote:
>>
>>> Lucian, i saw that solution, but i want something that can globally
>>> limit EVERY mail sent:
>>>
>>> i'll also offer smtp access, and a sendmail wrapper isn't a solution.
>>>
>>> Benny: ok, so we are speaking about the envelope sender, so, it seems
>>> this is the solution.
>>
>> What are you trying to do exactly?  Your requirements and situation keep
>> changing with every email.  Use examples with all details to explain exactly
>> what you want.
>>
>> Benny - postfwd is sasl_username aware.
>>
>>> 2009/7/13 Benny Pedersen :
>>>>
>>>> On Mon, July 13, 2009 09:51, ad...@gg-lab.net wrote:
>>>>
>>>>> i want to limit mail sent via php mainly, so i can't limit via sasl
>>>>> simply because users aren't authenticated.
>>>>
>>>> remove 127.0.0.1 in mynetworks, and make sasl usage from all what got
>>>> sent from this box, problem solved, next step is a policy
>>>> server that can handle sasl limits
>>>>
>>>> all else will fail
>>>>
>>>> another way is to separate web and mail server so 127.0.0.1 is another
>>>> box :)
>>>>
>>>>> Of course i can't limit the host ip (all mail sent from my webserver).
>>>>
>>>> as Obama says "yes we can" :)
>>>>
>>>>> The most beautiful thing would be limiting system user (each user has
>>>>> an entry in /etc/passwd). Limiting the sender would be unuseful,
>>>>> because all spammers randomize the sender, bypassing the limit.
>>>>
>>>> randomize there from: but not envelope sender (apa...@myhostname)
>>>>
>>>> and this email is unknown in my virtual alias for good reason, apache is
>>>> local and stays here at so
>>>>
>>>>> Now, i know that cPanel with Exim has a limit of this type. I'll
>>>>> request them WHAT is exactly limited (maybe we can replicate with
>>>>> postfix).
>>>>
>>>> dont use cpanel here so cant say how they mix up the problem
>>>>
>>>>> I'll also write to the postfix-policyd mailing list.
>>>>
>>>> i work on something to fail2ban, will need to write some php and extend
>>>> policyd 1.80 more to handle this here, point is that none
>>>> have done it before so when i make it, it will be the best :)
>>>>
>>>>> Sahil, maybe we can continue here? Postfixfw rules are completely in
>>>>> topic and maybe we can help someone else...
>>>>
>>>> exactly
>>>>
>>>> --
>>>> xpoint
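What the policy-server route looks like in practice, added here as an illustration and not postfwd, policyd or anything from the thread: a minimal SMTPD policy delegation server speaking the "name=value" request / "action=..." response protocol, counting messages per hour keyed on sasl_username when present and on the envelope sender otherwise, never on the forgeable From: header. The listening port 2525 and the sample request are assumptions; as Sahil notes above, only smtpd consults such a server, so mail injected through sendmail(1) and pickup never reaches it.

```python
"""Hourly per-sender limit as a Postfix SMTPD policy server, added as an
illustration (not postfwd or policyd code). Hooked up with
check_policy_service inet:127.0.0.1:2525 (port assumed), Postfix sends one
"name=value" block per request terminated by an empty line and reads back
"action=...". Only smtpd asks the policy server: mail injected through
sendmail(1)/pickup never goes through it."""
import socketserver
import time
from collections import defaultdict, deque

HOURLY_LIMIT = 100
WINDOW_SECONDS = 3600


def parse_policy_request(raw):
    """Turn 'request=smtpd_access_policy\\nsender=...\\n\\n' into a dict."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class HourlyLimiter:
    """Sliding-window message counter keyed on the SASL login when there is
    one, otherwise on the envelope sender (never the forgeable From: header)."""

    def __init__(self, limit=HOURLY_LIMIT, window=WINDOW_SECONDS, now=time.time):
        self.limit, self.window, self.now = limit, window, now
        self.seen = defaultdict(deque)   # key -> deque of (timestamp, instance)

    @staticmethod
    def key_for(attrs):
        if attrs.get("sasl_username"):
            return "sasl:" + attrs["sasl_username"]
        return "sender:" + attrs.get("sender", "").lower()   # "" for bounces

    def decide(self, attrs):
        if attrs.get("request") != "smtpd_access_policy":
            return "dunno"
        key, now = self.key_for(attrs), self.now()
        window = self.seen[key]
        while window and window[0][0] <= now - self.window:
            window.popleft()                    # drop events older than an hour
        instance = attrs.get("instance", "")    # unique per message in Postfix
        if any(inst == instance for _, inst in window):
            return "dunno"      # same message, another RCPT TO: count messages, not recipients
        if len(window) >= self.limit:
            return "defer_if_permit 4.7.1 Hourly message limit reached for %s" % key
        window.append((now, instance))
        return "dunno"

    def handle(self, raw):
        """Full request text in, full response text out (Postfix wire format)."""
        return "action=%s\n\n" % self.decide(parse_policy_request(raw))


LIMITER = HourlyLimiter()


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send several requests on it."""

    def handle(self):
        block = []
        for line in self.rfile:
            line = line.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                block.append(line)
                continue
            self.wfile.write(LIMITER.handle("\n".join(block) + "\n\n").encode())
            self.wfile.flush()
            block = []


if __name__ == "__main__":
    # Single-threaded on purpose: the shared counter then needs no locking.
    socketserver.TCPServer(("127.0.0.1", 2525), PolicyHandler).serve_forever()
```

The counters live in memory only, so a restart resets them; a production version would persist them as postfwd and policyd do.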






Re: Need help munging inbound recipient address

2009-07-13 Thread Daniel L'Hommedieu

On Jul 13, 2009, at 11:46, Victor Duchovni wrote:

> On Mon, Jul 13, 2009 at 11:24:09AM -0400, Daniel L'Hommedieu wrote:
>
>> I must be doing something wrong here, because it isn't working as I expect.
>>  Here's what I see happening:
>> - email to non-groupwise-...@bar.edu (on a server running sendmail) shows
>> up on my system as being to both non-groupwise-...@bar.edu AND o...@rab.net.
>> - email to groupwise-...@bar.edu (my email address on the groupwise server,
>> which started this whole mess) shows up as to o...@rab.net.
>>
>> Based on your instructions, here is what I added to my main.cf:
>>   canonical_maps = hash:/etc/postfix/recipient_canonical
>>   virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
>>   virtual_alias_domains = bar.edu
>
> *DO NOT* add "bar.edu" to virtual_alias_domains. Set it explicitly empty
> if you have no virtual alias domains.

OK, I misunderstood what you had said earlier.

>> Here is my canonical map:
>>   o...@rab.net f...@bar.edu
>>
>> Here is my virtual alias:
>>   f...@bar.edu o...@rab.net
>
> Both "postmapped" I hope.

Yes, both postmapped, and postfix was reloaded.

>> For this test, I have disabled the procmail recipe.
>>
>> Any ideas on what I'm doing wrong?
>
> Without logs? Not psychic today I am afraid. :-(


Sure, I can send them - just let me know what I should send.  Pretty  
much all of the entries look like this:


Jul 13 11:53:06 hostname postfix/local[6159]: 0650B3059C: to=>, relay=local, delay=0.13, delays=0.11/0/0/0.03, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)


Also, I hope you won't mind if I send unedited logs to you privately,  
with the request that the logs themselves not be forwarded to the list.


One other thing I should note is that my virtual map (virtual_maps,  
not to be confused with virtual_alias_maps) is no longer working.  I  
run virtual domains on my server and have many addresses forwarded  
offsite; those forwards no longer work.


Daniel


Re: Need help munging inbound recipient address

2009-07-13 Thread Victor Duchovni
On Mon, Jul 13, 2009 at 12:00:33PM -0400, Daniel L'Hommedieu wrote:

> Jul 13 11:53:06 hostname postfix/local[6159]: 0650B3059C: to=, 
> relay=local, delay=0.13, delays=0.11/0/0/0.03, dsn=2.0.0, status=sent 
> (delivered to command: /usr/bin/procmail)

This looks good. What is in headers of the message in question? Did
any "o...@rab.net" addresses fail to be mapped to "f...@bar.edu"?

> Also, I hope you won't mind if I send unedited logs to you privately, with 
> the request that the logs themselves not be forwarded to the list.

The logs don't need to be "unedited", just make clear and consistent
substitutions for any addresses you do not wish to disclose.

Ditto for the primary message headers, which should be posted here also,
with the same substitutions.

> One other thing I should note is that my virtual map (virtual_maps, not to 
> be confused with virtual_alias_maps) is no longer working.

The "virtual_maps" feature is obsolete, it was long ago replaced with
virtual_alias_maps, and a backwards-compatible default was assigned:

virtual_alias_maps = $virtual_maps

> I run virtual 
> domains on my server and have many addresses forwarded offsite; those 
> forwards no longer work.

Add all your previous tables to virtual_alias_maps, stop using
"virtual_maps".

-- 
Viktor.



Wrong FQDN in "From"

2009-07-13 Thread Jaime Kikpole
I just migrated most users from one server to another one.  However, a
few things still need to work on the first server.  One of them is a
web-based program named Request Tracker (RT).

When RT sends an email to me, it is coming from
r...@atlas.cairodurham.org.  I am trying to make that say
r...@cns.cairodurham.org, instead.

The reverse DNS lookup is atlas, but there is also a CNAME for cns.
The original email coming out of RT says "From: "Enoch Root via RT"
".  However, it seems to be rewritten as
"From: "Enoch Root via RT" " by the time it
arrives in my inbox.

The mail logs show w...@atlas.cairodurham.org making a connection to
send email.  The webapp is installed on the same host as postfix.

I have the following settings:
atlas:etc>grep cairo *
RT_SiteConfig.pm:Set($rtname , "cairodurham.org");
RT_SiteConfig.pm:Set($Organization , "cairodurham.org");
RT_SiteConfig.pm:Set($RTAddressRegexp ,
'^{rt|help|rt-commen...@{cns.|}cairodurham.org$');
RT_SiteConfig.pm:Set($CorrespondAddress , 'r...@cns.cairodurham.org');
RT_SiteConfig.pm:Set($CommentAddress , 'rt-comm...@cns.cairodurham.org');
RT_SiteConfig.pm:Set($WebBaseURL , "http://cns.cairodurham.org");
atlas:etc>grep atlas *
atlas:etc>

What do you guys think?  Am I missing something obvious here?

Thanks in advance,
Jaime

-- 
Network Administrator
Cairo-Durham Central School District
http://cns.cairodurham.org


Backup mx config

2009-07-13 Thread Martijn de Munnik
Hi List,

A script just screwed my main.cf of a backup mx. Unfortunately I don't
have a backup of the main.cf. I restored the main.cf but one thing is
still not working as before. The relay*_for_stevie files contain the
domains and emailaddresses which accept mail on stevie.youngguns.nl.
When I test the backup mx with an invalid domain I get a 5** error, but
if I test the backup mx with an invalid address but valid domain I see the
message is greylisted. Of course this should also be denied 5**.

What is wrong in this config?

BTW I just configured bacula to also include the postfix config ;)

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
maximal_backoff_time = 8000s
maximal_queue_lifetime = 15d
minimal_backoff_time = 1000s
mydestination = marcus.youngguns.nl, localhost.youngguns.nl, localhost
myhostname = marcus.youngguns.nl
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relaydomains_for_stevie
relay_recipient_maps = hash:/etc/postfix/relayaddresses_for_stevie
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtpd_banner = Welkom bij $myhostname, stuur ook eens een kaartje!
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client blackholes.easynet.nl, reject_unauth_pipelining,
    reject_unknown_client, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 25
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination, reject_unauth_pipelining,
    reject_non_fqdn_recipient, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_invalid_hostname,
    reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com,
    check_policy_service inet:127.0.0.1:2525, permit
smtpd_sender_restrictions = permit_mynetworks,
    warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
soft_bounce = no
unknown_local_recipient_reject_code = 450

Met vriendelijke groet,

Martijn de Munnik

-- 
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568




Re: Wrong FQDN in "From"

2009-07-13 Thread Noel Jones

Jaime Kikpole wrote:
> I just migrated most users from one server to another one.  However, a
> few things still need to work on the first server.  One of them is a
> web-based program named Request Tracker (RT).
>
> When RT sends an email to me, it is coming from
> r...@atlas.cairodurham.org.  I am trying to make that say
> r...@cns.cairodurham.org, instead.
>
> The reverse DNS lookup is atlas, but there is also a CNAME for cns.
> The original email coming out of RT says "From: "Enoch Root via RT"
> ".  However, it seems to be rewritten as
> "From: "Enoch Root via RT" " by the time it
> arrives in my inbox.


Don't use a CNAME in a mail address.

  -- Noel Jones


Re: Wrong FQDN in "From"

2009-07-13 Thread Victor Duchovni
On Mon, Jul 13, 2009 at 12:34:00PM -0500, Noel Jones wrote:

> Jaime Kikpole wrote:
>> I just migrated most users from one server to another one.  However, a
>> few things still need to work on the first server.  One of them is a
>> web-based program named Request Tracker (RT).
>> When RT sends an email to me, it is coming from
>> r...@atlas.cairodurham.org.  I am trying to make that say
>> r...@cns.cairodurham.org, instead.
>> The reverse DNS lookup is atlas, but there is also a CNAME for cns.
>> The original email coming out of RT says "From: "Enoch Root via RT"
>> ".  However, it seems to be rewritten as
>> "From: "Enoch Root via RT" " by the time it
>> arrives in my inbox.
>
> Don't use a CNAME in a mail address.

Sendmail often rewrites these. Postfix typically leaves CNAME domains
alone. The OP should avoid these, but otherwise, should find out *where*
along the delivery path the CNAME is replaced with the underlying name.

-- 
Viktor.



Re: Backup mx config

2009-07-13 Thread Noel Jones

Martijn de Munnik wrote:

Hi List,

A script just screwed my main.cf of a backup mx. Unfortunately I don't
have a backup of the main.cf. I restored the main.cf but one thing is
still not working as before. The relay*_for_stevie files contain the
domains and email addresses which accept mail on stevie.youngguns.nl.
When I test the backup mx with an invalid domain I get a 5** error, but
if I test the backup mx with an invalid address but valid domain I see the
messages are greylisted. Of course this should also be denied 5**.

What is wrong in this config?


Comments below...



receive_override_options = no_address_mappings


Not recommended unless you also have content_filter set.


relay_domains = hash:/etc/postfix/relaydomains_for_stevie


OK.


relay_recipient_maps = hash:/etc/postfix/relayaddresses_for_stevie


Good, you appear to have a list of valid recipients for your 
relay_domains.



smtp_send_xforward_command = yes


This is usually set in specific master.cf services, not 
main.cf.  You don't usually want to send XFORWARD information 
to the whole world.



smtpd_banner = Welkom bij $myhostname, stuur ook eens een kaartje!


This should be
  = $myhostname ESMTP your text here


smtpd_client_connection_count_limit = 10


WARNING: The purpose of this feature is to limit abuse. It 
must not be used to regulate legitimate mail traffic.



smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client blackholes.easynet.nl, reject_unauth_pipelining,
    reject_unknown_client, permit


The easynet blacklist has been dead for years. 
reject_unknown_client is a very strict check and is known to 
reject legit mail.  reject_unauth_pipelining probably doesn't 
do any good here, but it won't hurt anything.



smtpd_data_restrictions = reject_unauth_pipelining


OK.


smtpd_delay_reject = yes


yes is the default.  Don't change it.


smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
    reject_non_fqdn_hostname, reject_invalid_hostname, permit


OK.


smtpd_recipient_limit = 25


only if you have 25 or fewer users.


smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,  


add here:
  reject_unlisted_recipient


    reject_unauth_pipelining,
    reject_non_fqdn_recipient, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_invalid_hostname,
    reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com,
    check_policy_service inet:127.0.0.1:2525, permit


reject_unauth_pipelining is not effective here.


smtpd_sender_restrictions = permit_mynetworks, warn_if_reject
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unauth_pipelining, permit


reject_unauth_pipelining is not effective here.  I notice you 
have several duplicated restrictions.  No need to list things 
such as reject_non_fqdn_sender more than once.



smtpd_soft_error_limit = 3
soft_bounce = no
unknown_local_recipient_reject_code = 450


Change this to 550 once postfix correctly recognizes valid 
recipients.


  -- Noel Jones
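To see why the order of smtpd_recipient_restrictions matters for the greylisting symptom above, here is an added example (not Postfix code and not from the thread) that models how Postfix walks the list: REJECT and OK end the walk, while a policy service's DEFER_IF_PERMIT only takes effect if the walk would otherwise end in permit. The relay domain, the recipient table and the reply texts are constructed stand-ins for relay_domains and relay_recipient_maps.

```python
"""Model of how Postfix walks smtpd_recipient_restrictions (added example,
not Postfix source). Only the restrictions relevant to the backup-MX
question are modelled; the tables are constructed sample data."""

# Constructed stand-ins for relay_domains and relay_recipient_maps.
RELAY_DOMAINS = {"validdomain.org"}
RELAY_RECIPIENT_MAPS = {"alice@validdomain.org", "bob@validdomain.org"}


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def reject_unauth_destination(addr):
    """Allow only domains this MX accepts mail for; no verdict otherwise."""
    if domain_of(addr) in RELAY_DOMAINS:
        return None                     # DUNNO: try the next restriction
    return ("REJECT", "554 5.7.1 Relay access denied")


def reject_unlisted_recipient(addr):
    """Reject a relay-domain address that is not in relay_recipient_maps."""
    if domain_of(addr) in RELAY_DOMAINS and addr not in RELAY_RECIPIENT_MAPS:
        return ("REJECT", "550 5.1.1 User unknown in relay recipient table")
    return None


def check_policy_service(addr):
    """Stand-in for a greylisting policy daemon answering DEFER_IF_PERMIT."""
    return ("DEFER_IF_PERMIT", "450 4.2.0 Greylisted, try again later")


def permit(addr):
    return ("OK", "250 2.1.5 Ok")


def evaluate(restrictions, addr):
    """Walk the list in order. REJECT and OK end the walk at once;
    DEFER_IF_PERMIT is remembered and replaces a final OK, which is how
    Postfix treats it. Returns (action, SMTP reply)."""
    pending_defer = None
    for restriction in restrictions:
        verdict = restriction(addr)
        if verdict is None:             # DUNNO: next restriction
            continue
        action, reply = verdict
        if action == "DEFER_IF_PERMIT":
            pending_defer = pending_defer or reply
            continue
        if action == "OK" and pending_defer:
            return ("DEFER", pending_defer)
        return (action, reply)
    return ("DEFER", pending_defer) if pending_defer else ("DUNNO", "")


# Order as posted: nothing validates the recipient before the policy service,
# so an unknown user in a relay domain is greylisted instead of rejected.
ORIGINAL = [reject_unauth_destination, check_policy_service, permit]
# Order as advised: validate the relay recipient before greylisting runs.
FIXED = [reject_unauth_destination, reject_unlisted_recipient,
         check_policy_service, permit]


def compare(addr):
    """Return the SMTP reply code each ordering gives for one recipient."""
    return {name: evaluate(order, addr)[1][:3]
            for name, order in (("original", ORIGINAL), ("fixed", FIXED))}


if __name__ == "__main__":
    for rcpt in ("nobody@validdomain.org", "alice@validdomain.org",
                 "anyone@other.example"):
        print(rcpt, compare(rcpt))
```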


Fax Gateway Usage with Hylafax

2009-07-13 Thread Daniel L. Miller
I'm trying to implement an email-to-fax gateway using Postfix + 
Hylafax.  Hylafax's provided faxmail command does function - but it 
doesn't accomplish what I want.  In particular, I would like to:


1.  Send an e-mail with one or more attachments intended for faxing.  
The attachments will already be in hylafax-recognizable format 
(postscript, pdf, or tiff).
2.  The sent e-mail will include the target fax number in the recipient 
address.
3.  The subject of the e-mail will be used as the subject on the fax 
cover page.
4.  The body of the e-mail will be used as the comments on the fax cover 
page.  The body will be text only, font is irrelevant.


Currently, I can use a simple pipe transport to the "faxmail" utility, as:
fax       unix  -       n       n       -       1       pipe
   flags= user=fax argv=/usr/bin/faxmail -N -T -d ${user}

This obtains the destination fax number from the mail recipient, and 
passes along the message for processing.  However, because of how 
faxmail processes the mail, it results in the following:

1.  The body of the email does not appear in the cover page.
2.  An intermediate fax page is generated (between the cover page and 
the attachments) that contains anything present in the mail body, plus 
some headers.


I didn't know if there was a Postfix facility, or a known third-party 
tool, that could take an e-mail message, and strip off everything EXCEPT 
the attachments.  Similarly, if there was a tool that could extract the 
"clean" body of the message without attachments or headers.

--
Daniel


Re: Need help munging inbound recipient address (It worked, thanks)

2009-07-13 Thread Daniel L'Hommedieu

On Jul 13, 2009, at 12:10, Victor Duchovni wrote:

On Mon, Jul 13, 2009 at 12:00:33PM -0400, Daniel L'Hommedieu wrote:

Jul 13 11:53:06 hostname postfix/local[6159]: 0650B3059C: to=>,

relay=local, delay=0.13, delays=0.11/0/0/0.03, dsn=2.0.0, status=sent
(delivered to command: /usr/bin/procmail)


This looks good. What is in headers of the message in question? Did
any "o...@rab.net" addresses fail to be mapped to "f...@bar.edu"?


I was seeing some odd behaviour earlier today, but I have since  
restarted postfix (as opposed to simply issuing a "postfix reload").   
I am unable to get any unexpected behaviour now - everything is  
working as I expect it to:
- mail originating at my server for f...@bar.edu does not leave my  
server and is directed to the local account, with an envelope recipient  
of f...@bar.edu
- mail originating elsewhere for f...@bar.edu arrives at my server in  
the mailbox of o...@rab.net, but with an envelope recipient of f...@bar.edu
- mail originating elsewhere for the non-GroupWise address arrives in  
the same mailbox, and it has the correct envelope recipient (sendmail  
does not hose it)


I'm not sure what changed, but my guess is that I did a full restart  
instead of simply a reload.


One other thing I should note is that my virtual map (virtual_maps,  
not to be confused with virtual_alias_maps) is no longer working.


The "virtual_maps" feature is obsolete, it was long ago replaced with
virtual_alias_maps, and a backwards-compatible default was assigned:

virtual_alias_maps = $virtual_maps


I run virtual
domains on my server and have many addresses forwarded offsite; those
forwards no longer work.


Add all your previous tables to virtual_alias_maps, stop using
"virtual_maps".


Thanks, I have modified my configuration as you suggest.

Daniel


Re: Hourly Limits

2009-07-13 Thread ad...@gg-lab.net
Ok, so, in other words: that's a solution but not the better solution.

Now, i can ALSO use the sendmail wrapper. I need to have a look at
postfwd code to see if and where i can increment mail counters.

In this way, i will use postfwd for mail coming from CGI scripts and
Remote SMTP, and the wrapper for mail coming from php. But, with an
unique counter.

Any other idea?

2009/7/13 Sahil Tandon :
> On Jul 13, 2009, at 11:51 AM, "ad...@gg-lab.net"  wrote:
>
>> Hi,
>>
>>
>> i don't think my situation keeps changing-
>>
>> That's simple: on my environment users can send email via CGI + PHP +
>> SMTP (sasl), and i want to limit them "globally".
>>
>> Example: user giorgio can send 100 emails. I want him locked also on
>> CGI, if he sends 100 emails with PHP.
>>
>> I can't:
>>
>> - use a custom php sendmail wrapper -> it would only work with php
>> - limit the sender -> a randomized from would break my limit
>> - limit the host -> all mail are sent from localhost
>> - limit via sasl -> i can't request all users to authenticate
>>
>> Limiting the envelope user, is perfect for me. But, i'm asking if
>> there is a simpler solution.
>
> The postfwd policy server solution works with the envelope sender.  But for
> that to work you need mail coming in on an smtpd listener for the policy
> server to be queried, which won't be the case when you have mail being
> submitted via pickup service.
>
>
>>
>> 2009/7/13 Sahil Tandon :
>>>
>>> On Jul 13, 2009, at 5:54 AM, "ad...@gg-lab.net"  wrote:
>>>
 Lucian, i saw that solution, but i want something that can globally
 limit EVERY mail sent:

 i'll also offer smtp access, and a sendmail wrapper isn't a solution.

 Benny: ok, so we are speaking about the envelope sender, so, it seems
 this is the solution.
>>>
>>> What are you trying to do exactly?  Your requirements and situation keep
>>> changing with every email.  Use examples with all details to explain
>>> exactly
>>> what you want.
>>>
>>> Benny - postfwd is sasl_username aware.
>>>

 2009/7/13 Benny Pedersen :
>
> On Mon, July 13, 2009 09:51, ad...@gg-lab.net wrote:
>
>> i want to limit mail sent via php mainly, so i can't limit via sasl
>> simply because users aren't authenticated.
>
> remove 127.0.0.1 in mynetworks, and make sasl usage from all what got
> sent from this box, problem solved, next step is a policy
> server that can handle sasl limits
>
> all else will fail
>
> another way is to separate web and mail server so 127.0.0.1 is another
> box :)
>
>> Of course i can't limit the host ip (all mail sent from my webserver).
>
> as Obama says "yes we can" :)
>
>> The most beautiful thing would be limiting system user (each user has
>> an entry in /etc/passwd). Limiting the sender would be unuseful,
>> because all spammers randomize the sender, bypassing the limit.
>
> randomize there from: but not envelope sender (apa...@myhostname)
>
> and this email is unknown in my virtual alias for good reason, apache
> is
> local and stays here at so
>
>> Now, i know that cPanel with Exim has a limit of this type. I'll
>> request them WHAT is exactly limited (maybe we can replicate with
>> postfix).
>
> dont use cpanel here so cant say how they mix up the problem
>
>> I'll also write to the postfix-policyd mailing list.
>
> i work on something to fail2ban, will need to write some php and extend
> policyd 1.80 more to handle this here, point is that none
> have done it before so when i make it, it will be the best :)
>
>> Sahil, maybe we can continue here? Postfixfw rules are completely in
>> topic and maybe we can help someone else...
>
> exactly
>
> --
> xpoint
>
>
>>>
>


Re: Errors after upgrades

2009-07-13 Thread LuKreme

On 12-Jul-2009, at 16:32, LuKreme wrote:

On Jul 12, 2009, at 8:41 AM, Sahil Tandon  wrote:
Sounds like a MySQL (not Postfix) issue; debug there.  Are there  
any other type of mysql error lines in the log?


Nope, and the errors are rare. OTOH, I use MySQL almost exclusively  
for postfix.


Well, it's been 2 days since the last one, maybe it was a left over  
artifact of the update and something hadn't gotten restarted properly.



--
What the hell's goin' on in the engine room? Were there
monkeys? Some terrifying space monkeys maybe got loose?



Re: Backup mx config

2009-07-13 Thread Martijn de Munnik

Hi Noel, List,

Thanks for your reply! I changed things according to your settings but  
I guess I overlooked a thing? Still the backup mailserver relays  
everything for *...@validdomain.org. Invalid domains are not relayed.


alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
maximal_backoff_time = 8000s
maximal_queue_lifetime = 15d
minimal_backoff_time = 1000s
mydestination = marcus.youngguns.nl, localhost.youngguns.nl, localhost
myhostname = marcus.youngguns.nl
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relaydomains_for_stevie
relay_recipient_maps = hash:/etc/postfix/relayaddresses_for_stevie
smtp_helo_timeout = 60s
smtp_skip_quit_response = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org,  permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
    reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unlisted_recipient, reject_non_fqdn_recipient,
    reject_non_fqdn_hostname, reject_non_fqdn_sender,
    reject_invalid_hostname, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com,
    reject_unauth_destination, reject_unknown_recipient_domain,
    check_policy_service inet:127.0.0.1:2525, permit
smtpd_sender_restrictions = permit_mynetworks,
    reject_unknown_sender_domain, permit

smtpd_soft_error_limit = 3
soft_bounce = yes
unknown_local_recipient_reject_code = 450

On Jul 13, 2009, at 7:57 PM, Noel Jones wrote:


Martijn de Munnik wrote:

Hi List,
A script just screwed my main.cf of a backup mx. Unfortunately I  
don't have a backup of the main.cf. I restored the main.cf but one thing is
still not working as before. The relay*_for_stevie files contain the
domains and email addresses which accept mail on stevie.youngguns.nl.
When I test the backup mx with an invalid domain I get a 5**  
error, but if I test the backup mx with an invalid address but valid domain I see  
the messages are greylisted. Of course this should also be denied 5**.
What is wrong in this config?


Comments below...


receive_override_options = no_address_mappings


Not recommended unless you also have content_filter set.


relay_domains = hash:/etc/postfix/relaydomains_for_stevie


OK.


relay_recipient_maps = hash:/etc/postfix/relayaddresses_for_stevie


Good, you appear to have a list of valid recipients for your  
relay_domains.



smtp_send_xforward_command = yes


This is usually set in specific master.cf services, not main.cf.   
You don't usually want to send XFORWARD information to the whole  
world.



smtpd_banner = Welkom bij $myhostname, stuur ook eens een kaartje!


This should be
 = $myhostname ESMTP your text here


smtpd_client_connection_count_limit = 10


WARNING: The purpose of this feature is to limit abuse. It must not  
be used to regulate legitimate mail traffic.



smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client blackholes.easynet.nl, reject_unauth_pipelining,
    reject_unknown_client, permit


The easynet blacklist has been dead for years. reject_unknown_client  
is a very strict check and is known to reject legit mail.   
reject_unauth_pipelining probably doesn't do any good here, but it  
won't hurt anything.



smtpd_data_restrictions = reject_unauth_pipelining


OK.


smtpd_delay_reject = yes


yes is the default.  Don't change it.


smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
    reject_non_fqdn_hostname, reject_invalid_hostname, permit


OK.


smtpd_recipient_limit = 25


only if you have 25 or fewer users.


smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,


add here:
 reject_unlisted_recipient


    reject_unauth_pipelining,
    reject_non_fqdn_recipient, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_invalid_hostname,
    reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com,
    check_policy_service inet:127.0.0.1:2525, permit


reject_unauth_pipelining is not effective here.


smtpd_sender_restrictions = permit_mynetworks, warn_if_reject
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unauth_pipelining, permit


reject_unauth_pipelining is not effective here.  I notice you have  
several duplicated restrictions.  No need to list things such as  
reject_non_fqdn_sender more than once.



smtpd_soft_error_limit = 3
soft_bounce = no
unknown_local_recipient_reject_code = 450


Change this to 550 once postfix correctly recognizes valid recipients.

 -- Noel 

Re: Backup mx config

2009-07-13 Thread Noel Jones

Martijn de Munnik wrote:

Hi Noel, List,

Thanks for your reply! I changed things according to your settings but I 
guess I overlooked a thing? Still the backup mailserver relays 
everything for *...@validdomain.org. Invalid domains are not relayed.




Please don't top-post.

Valid recipients for relay_domains should be listed in 
relay_recipient_maps, check that file.


http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/ADDRESS_CLASS_README.html

Recipient validation can also be thwarted by a catch-all in 
virtual_alias_maps or *canonical_maps, but you don't seem to 
be using either of those (unless you've defined them in 
master.cf - don't do that).


Hmm, the backward-compatible default value of 
virtual_alias_maps is the deprecated parameter $virtual_maps, 
so that won't show in postconf output.  If you have 
virtual_maps defined in your main.cf, make sure there aren't 
any catch-all mappings.


  -- Noel Jones


Re: Backup mx config

2009-07-13 Thread Martijn de Munnik


On Jul 13, 2009, at 10:59 PM, Noel Jones wrote:


Martijn de Munnik wrote:

Hi Noel, List,
Thanks for your reply! I changed things according to your settings  
but I guess I overlooked a thing? Still the backup mailserver  
relays everything for *...@validdomain.org. Invalid domains are not  
relayed.


Please don't top-post.

Valid recipients for relay_domains should be listed in  
relay_recipient_maps, check that file.


http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/ADDRESS_CLASS_README.html

Hi,

I'm sure that file is correct, it used to work before I broke the  
main.cf. The relay*_for_stevie files haven't been touched since then.  
So I guess it must be something in my main.cf, that's the only changed  
file.


Recipient validation can also be thwarted by a catch-all in  
virtual_alias_maps or *canonical_maps, but you don't seem to be  
using either of those (unless you've defined them in master.cf -  
don't do that).


Hmm, the backward-compatible default value of virtual_alias_maps is  
the deprecated parameter $virtual_maps, so that won't show in  
postconf output.  If you have virtual_maps defined in your main.cf,  
make sure there aren't any catch-all mappings.


 -- Noel Jones





Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 03:39:57PM +0200, Keld Jørn Simonsen wrote:
> On Mon, Jul 13, 2009 at 09:26:44AM -0400, John Peach wrote:
> > On Mon, 13 Jul 2009 15:24:04 +0200
> > Keld Jørn Simonsen  wrote:
> > 
> > [snip]
> > > # ==========================================================================
> > > # service type  private unpriv  chroot  wakeup  maxproc command + args
> > > #               (yes)   (yes)   (yes)   (never) (100)
> > > # ==========================================================================
> > > smtp      inet  n       -       y       -       -       smtpd -v
> >
> > 
> > It is chrooted.
> 
> Thanks for spelling it out. I was just building on the default configuration
> of my distro. There were many other chroot services in the master file, I
> changed them and now I will see if that helps. 

This seems to have solved most of my problems with postfix/named.
Even the problem sending mail to Wietse was solved.

Are there distros that are known to have a postfix package that is set
up correctly wrt chroot?

best regards
Keld
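The chroot column that John pointed at is the usual cause of the resolver failures in this thread: a chrooted smtpd cannot read /etc/resolv.conf unless the file has been copied into the jail. Here is an added example (not from the thread and not a Postfix tool) that lists the chrooted services in a master.cf and reports which resolver files are missing from the jail directory. The master.cf fragment, the jail path and the list of files checked are constructed assumptions; the "-" default for the chroot column is "y" before Postfix 3.0 and "n" from 3.0 on.

```python
"""Audit master.cf for chrooted services and check the jail for the files
the resolver needs. Added example, not part of Postfix; the master.cf text
and the jail directory used below are constructed."""
import os
import tempfile

# Files the chrooted daemons need for name resolution, relative to the jail
# (the jail is $queue_directory, /var/spool/postfix by default). Assumed list.
RESOLVER_FILES = ("etc/resolv.conf", "etc/hosts", "etc/services",
                  "etc/nsswitch.conf")


def chrooted_services(master_cf_text, dash_means_chroot=True):
    """Return 'name/type' for every service whose chroot column is set.

    The chroot column is the fifth field. '-' takes the default, which is
    'y' for Postfix before 3.0 and 'n' from Postfix 3.0 on."""
    names = []
    for line in master_cf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            continue                    # '-o ...' continuation of a command
        fields = line.split()
        if len(fields) < 8:
            continue                    # not a complete service definition
        chroot = fields[4].lower()
        if chroot == "y" or (chroot == "-" and dash_means_chroot):
            names.append(f"{fields[0]}/{fields[1]}")
    return names


def missing_jail_files(jail_dir):
    """Return the resolver files that are absent from the chroot jail."""
    return [f for f in RESOLVER_FILES
            if not os.path.isfile(os.path.join(jail_dir, f))]


def audit(master_cf_text, jail_dir, dash_means_chroot=True):
    """Combine both checks; no chrooted services means nothing to copy."""
    services = chrooted_services(master_cf_text, dash_means_chroot)
    missing = missing_jail_files(jail_dir) if services else []
    return {"chrooted": services, "missing": missing}


# Constructed master.cf fragment in the shape of the one quoted above.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd -v
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
"""

if __name__ == "__main__":
    # Build a jail with only etc/hosts in a temp dir so this runs offline.
    with tempfile.TemporaryDirectory() as jail:
        os.makedirs(os.path.join(jail, "etc"))
        open(os.path.join(jail, "etc", "hosts"), "w").close()
        print(audit(SAMPLE_MASTER_CF, jail))
```

On a real host, read /etc/postfix/master.cf and pass the output of `postconf -h queue_directory` as the jail directory.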


Re: temporary errors for DNS

2009-07-13 Thread Rod Dorman
On Monday, July 13, 2009, 17:49:10, Keld Jørn Simonsen wrote:
>   ...
> Are there distros that are known to have a postfix package that is set
> up correctly wrt chroot?

OpenBSD


-- 
r...@polylogics.com "The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote." - Ambassador Kosh



Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 11:49:10PM +0200, Keld Jørn Simonsen wrote:
> On Mon, Jul 13, 2009 at 03:39:57PM +0200, Keld Jørn Simonsen wrote:
> > > 
> > > It is chrooted.
> > 
> > Thanks for spelling it out. I was just building on the default configuration
> > of my distro. There were many other chroot services in the master file, I
> > changed them and now I will see if that helps. 
> 
> This seems to have solved most of my problems with postfix/named.
> Even the problem sending mail to Wietse was solved.

Well, still problems, but of the more understandable type.

Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
Jul 14 00:11:58 rap postfix/smtpd[1054]: > rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found


host server30.reverya.com gives:
Host server30.reverya.com not found: 2(SERVFAIL)

So this would probably never resolve, but fail with a 450 error.
I would like to discard it. I had 3 mails like that earlier today, 
with a nonresolvable domain, and they will keep lying in my IMAP box
till I do special things to delete them. 

Is there a way to disambiguate between DNS timeouts and DNS errors,
and discard the latter?

best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 06:19:40PM -0400, Rod Dorman wrote:
> On Monday, July 13, 2009, 17:49:10, Keld Jørn Simonsen wrote:
> >   ...
> > Are there distros that are known to have a postfix package that is set
> > up correctly wrt chroot?
> 
> OpenBSD

Well, I confine myself to Linux, as I am doing some kernel work, and
other system work there, so I was wondering if there were any Linux distros,
and preferably rpm based, which does correct packaging of a chrooted
postfix?

best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Joe

Keld Jørn Simonsen wrote:

On Mon, Jul 13, 2009 at 06:19:40PM -0400, Rod Dorman wrote:
  

On Monday, July 13, 2009, 17:49:10, Keld Jørn Simonsen wrote:


  ...
Are there distros that are known to have a postfix package that is set
up correctly wrt chroot?
  

OpenBSD



Well, I confine myself to Linux, as I am doing some kernel work, and
other system work there, so I was wondering if there were any Linux distros,
and preferably rpm based, which does correct packaging of a chrooted
postfix?
  


I use suse (rpm based) and ubuntu (deb based) and they both work nicely 
out of the box as chrooted postfix servers.


Joe


Re: temporary errors for DNS

2009-07-13 Thread Wietse Venema
Keld Jørn Simonsen:
> Is there a way to disambiguate between DNS timeouts and DNS errors,
> and discard the latter?

Postfix is only the messenger of the bad news. When the server
responds, Postfix acts accordingly. When the server does not
reply, Postfix assumes that this is a temporary error, because
assuming otherwise would cause a lot of mail to fail.

Wietse


Re: temporary errors for DNS

2009-07-13 Thread Noel Jones

Keld Jørn Simonsen wrote:

Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 
: Sender address rejected: Domain not found; 
from= to= proto=ESMTP helo= 
Jul 14 00:11:58 rap postfix/smtpd[1054]: > rap.rap.dk[127.0.0.1]: 450
4.1.8 : Sender address rejected: Domain not found


host server30.reverya.com gives:
Host server30.reverya.com not found: 2(SERVFAIL)

So this would probably never resolve, but fail with a 450 error.
I would like to discard it. I had 3 mails like that earlier today, 
with a nonresolvable domain, and they will keep lying in my IMAP box
till I do special things to delete them. 


Is there a way to disambiguate between DNS timeouts and DNS errors,
and discard the latter?


No.

Probably the best choice for you is to add SpamAssassin and 
let it decide which mail to discard.


I suppose you could use a sufficiently flexible postfix policy 
service - maybe postfwd - to discard mail with DNS SERVFAIL. 
I also expect that will eventually bite you in the buttocks.



  -- Noel Jones



Re: Backup mx config

2009-07-13 Thread Martijn de Munnik


On Jul 13, 2009, at 11:12 PM, Martijn de Munnik wrote:



On Jul 13, 2009, at 10:59 PM, Noel Jones wrote:


Martijn de Munnik wrote:

Hi Noel, List,
Thanks for your reply! I changed things according to your settings  
but I guess I overlooked a thing? Still the backup mailserver  
relays everything for *...@validdomain.org. Invalid domains are not  
relayed.


Please don't top-post.

Valid recipients for relay_domains should be listed in  
relay_recipient_maps, check that file.


http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/ADDRESS_CLASS_README.html

Hi,

I'm sure that file is correct, it used to work before I broke the  
main.cf. The relay*_for_stevie files haven't been touched since  
then. So I guess it must be something in my main.cf, that's the only  
changed file.
Mmm I guess this was always wrong in my config, I need to fix the  
file...




Recipient validation can also be thwarted by a catch-all in  
virtual_alias_maps or *canonical_maps, but you don't seem to be  
using either of those (unless you've defined them in master.cf -  
don't do that).


Hmm, the backward-compatible default value of virtual_alias_maps is  
the deprecated parameter $virtual_maps, so that won't show in  
postconf output.  If you have virtual_maps defined in your main.cf,  
make sure there aren't any catch-all mappings.


-- Noel Jones







Re: Backup mx config

2009-07-13 Thread Martijn de Munnik

Hi,


On Jul 13, 2009, at 7:57 PM, Noel Jones wrote:


Martijn de Munnik wrote:


smtpd_recipient_limit = 25


only if you have 25 or fewer users.


I thought this means a user can send an e-mail to 25 users max at once?



Re: reject_unknown_reverse_client_hostname rejects even if PTR RR is found

2009-07-13 Thread Sahil Tandon
On Mon, 13 Jul 2009, Benny Pedersen wrote:

> On Sun, July 12, 2009 22:47, Sahil Tandon wrote:
> > On Sun, 12 Jul 2009, Keld Jørn Simonsen wrote:
> >
> >> >> Anyway if it is a name server timeout, then I think this is always
> >> >> handled by a 450 response. In my case the mail was rejected.
> >> >
> >> > Yes, temporary errors always get a 450 response.
> >>
> >> Then I do not understand why the message was rejected. A temporary error
> >> should not result in a reject, or why should this happen?
> >
> > A 450 response *is* a reject;
> 
> defer not reject

An irrelevant semantic debate.  See postconf(5); it is colloquially common to
refer to these as *reject* codes.  What matters is the numerical SMTP
reply code and what it communicates to the client.

> > the 4xx SMTP reply code tells the sending
> > server to queue and try again later.
> 
> correct, eg try until sending server have solved reverse dns (unknown)

More generally, a 4yz response simply indicates a transient error, not
necessarily one related to reverse dns.  The client should try again.

> > This contrasts with 5xx rejections
> > which are permanent,
> 
> one can argue we should not let the sender server retry on missing reverse
> dns, but it could as well also be error in receiving side

This (not letting sending server retry in case of DNS problems) would be a
bad argument. 

-- 
Sahil Tandon 


Re: postscreen test

2009-07-13 Thread Wietse Venema
Helga Mayer:
> 
> Hi,
> 
> I'm testing postscreen on our secondary smtp server.
> First results:
> https://rz-static.uni-hohenheim.de/hmayer/tmp/Screenshot-68.png
> There are hardly anymore rejects. I did not yet adjust mailgraph for the 
> drops.

That is an interesting picture. It looks like dropping the pregreeters
made your reject rates already go down quite a bit. Of course it
is known that spammers prefer to use secondary MX hosts because
these hosts often serve many domains and therefore have more
permissive settings.

This weekend I finally found time to update the non-production
release.  This version should support "no DNS blocklists" without
panic, and it also has better support for "postfix reload".

There are still plenty of rough edges. It does not yet remove entries
from the btree database so the file needs to be renamed periodically,
and it does not yet log the sender/recipient of rejected mail. For
that reason alone I don't recommend turning on DNS blocklist lookups
except for gathering statistics.

I'm still open for program name suggestions. If someone has a better
name than "swatter" or "halligan" let me know. Once the name changes,
all the configuration parameters will change, too.

Wietse


Re: Backup mx config

2009-07-13 Thread Noel Jones

Martijn de Munnik wrote:

Hi,


On Jul 13, 2009, at 7:57 PM, Noel Jones wrote:


Martijn de Munnik wrote:


smtpd_recipient_limit = 25


only if you have 25 or fewer users.


I thought this means a user can send an e-mail to 25 users max at once?



After $smtpd_recipient_limit + 1 RCPT TO commands, your server 
will respond "too many recipients" to subsequent RCPT TO 
commands.  This is a temporary error; the first 25 recipients 
are accepted & delivered.  The sending client is free to try 
additional recipients later.


If the other end is an MTA, it will likely try the remaining 
recipients "later", based on its retry schedule.  This can 
cause significant delays to legit multi-recipient mail, and 
can increase load on your system.


If the other end is an end-user program, it may give the user 
some cryptic message.  This can annoy legit users trying to 
send to a list of people.


If the other end is a spammer, you've already accepted 25 
recipients, and they're free to reconnect and try more.


This is not an effective anti-spam control if that's what 
you're trying to use it for.  You'll probably have better 
results with a fairly low smtpd_hard_error_limit and working 
recipient validation (clients are disconnected after 
$smtpd_hard_error_limit bad recipients).


  -- Noel Jones
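Noel's description of what a client sees under smtpd_recipient_limit versus smtpd_hard_error_limit can be tried out with this added example (not Postfix source and not from the thread). It models one session's RCPT TO replies: a legitimate 30-recipient mailing is told "too many recipients" on the excess but loses nothing to the error counter, while a client probing unknown addresses is cut off once the error limit is reached. The recipient table and both client sessions are constructed; reply texts follow the ones Postfix uses.

```python
"""Model of one SMTP session under smtpd_recipient_limit and
smtpd_hard_error_limit (added example, not Postfix source). The recipient
table and the RCPT lists are constructed."""

# Constructed recipient table standing in for relay_recipient_maps.
VALID_RECIPIENTS = {f"user{i}@example.org" for i in range(1, 31)}


def run_session(rcpts, recipient_limit=1000, hard_error_limit=20):
    """Feed RCPT TO commands to a modelled smtpd.

    Returns (accepted, replies, disconnected): recipients taken for
    delivery, one reply per RCPT the server read, and whether the server
    hung up before the client ran out of recipients. Postfix defaults are
    recipient_limit=1000 and hard_error_limit=20."""
    accepted, replies, errors = [], [], 0
    for rcpt in rcpts:
        # Postfix checks the error count before reading each command and
        # ends the session once smtpd_hard_error_limit has been reached.
        if errors >= hard_error_limit:
            replies.append("421 4.7.0 Error: too many errors")
            return accepted, replies, True
        if rcpt not in VALID_RECIPIENTS:
            errors += 1
            replies.append("550 5.1.1 User unknown in relay recipient table")
        elif len(accepted) >= recipient_limit:
            # Excess recipients are not counted as errors until
            # smtpd_recipient_overshoot_limit (default 1000) is exceeded,
            # which a session this short never reaches.
            replies.append("452 4.5.3 Error: too many recipients")
        else:
            accepted.append(rcpt)
            replies.append("250 2.1.5 Ok")
    return accepted, replies, False


def accepted_count(rcpts, **limits):
    return len(run_session(rcpts, **limits)[0])


def disconnected(rcpts, **limits):
    return run_session(rcpts, **limits)[2]


# Constructed sessions: a legitimate mailing to 30 listed recipients, and a
# client probing 30 guessed addresses that are not in the table.
LEGIT = [f"user{i}@example.org" for i in range(1, 31)]
PROBE = [f"guess{i}@example.org" for i in range(1, 31)]

if __name__ == "__main__":
    for label, rcpts in (("legit", LEGIT), ("probe", PROBE)):
        for limits in ({"recipient_limit": 25}, {"hard_error_limit": 5}):
            acc, replies, dropped = run_session(rcpts, **limits)
            print(label, limits, "accepted", len(acc),
                  "replies", len(replies), "disconnected", dropped)
```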


Re: Wrong FQDN in "From"

2009-07-13 Thread Jaime Kikpole
On Mon, Jul 13, 2009 at 1:47 PM, Victor
Duchovni wrote:
>> Don't use a CNAME in a mail address.

Why not?  After all, how would you handle vhosts if you can't send as
the CNAME record?


> Sendmail often rewrites these. Postfix typically leaves CNAME domains
> alone. The OP should avoid these, but otherwise, should find out *where*
> along the delivery path the CNAME is replaced with the underlying name.

I'm the OP.  Based on the data I have, I believe that what goes into
postfix uses the CNAME but what comes out is using the A record.  I do
have a little doubt, though, as the /var/log/maillog file shows
"w...@atlas.cairodurham.org" connecting to postfix.

If I "grep cairo main.cf*" and "grep atlas main.cf*", I don't see
anything that should be rewriting this.

I just tried a test with "telnet localhost 25" to be sure about this.
That test appears to have worked out the way that I want.  IOW, that
it came from local_u...@cns.cairodurham.org.  This gave me some
doubts.  However, when I change DNS so that both atlas.cairodurham.org
and cns.cairodurham.org are A records (and the reverse DNS points to
atlas) and try to send email from Request Tracker again, I find that
it works the way that I want.

So it's caused by some combination of factors which includes the CNAME
and Request Tracker.  (Remember, using telnet to manually build and
send a message sent it as cns.cairodurham.org before the DNS changed.)

Any reason I shouldn't leave the DNS like this?

Also, that question about virtual hosting of several email domains was
not rhetorical.  How is a sysadmin supposed to configure their DNS for
such a thing?

Thanks,
Jaime

-- 
Network Administrator
Cairo-Durham Central School District
http://cns.cairodurham.org


Re: Wrong FQDN in "From"

2009-07-13 Thread Noel Jones

Jaime Kikpole wrote:
> > > On Mon, Jul 13, 2009 at 1:47 PM, Victor Duchovni wrote:
> > >
> > > > Don't use a CNAME in a mail address.
> > >
> > > Why not?  After all, how would you handle vhosts if you can't send as
> > > the CNAME record?
> >
> > Sendmail often rewrites these. Postfix typically leaves CNAME domains
> > alone. The OP should avoid these, but otherwise, should find out *where*
> > along the delivery path the CNAME is replaced with the underlying name.
>
> I'm the OP.  Based on the data I have, I believe that what goes into
> postfix uses the CNAME but what comes out is using the A record.  I do
> have a little doubt, though, as the /var/log/maillog file shows
> "w...@atlas.cairodurham.org" connecting to postfix.
>
> If I "grep cairo main.cf*" and "grep atlas main.cf*", I don't see
> anything that should be rewriting this.
>
> I just tried a test with "telnet localhost 25" to be sure about this.
> That test appears to have worked out the way that I want.  IOW, that
> it came from local_u...@cns.cairodurham.org.  This gave me some
> doubts.  However, when I change DNS so that both atlas.cairodurham.org
> and cns.cairodurham.org are A records (and the reverse DNS points to
> atlas) and try to send email from Request Tracker again, I find that
> it works the way that I want.
>
> So it's caused by some combination of factors which includes the CNAME
> and Request Tracker.  (Remember, using telnet to manually build and
> send a message sent it as cns.cairodurham.org before the DNS changed.)
>
> Any reason I shouldn't leave the DNS like this?
>
> Also, that question about virtual hosting of several email domains was
> not rhetorical.  How is a sysadmin supposed to configure their DNS for
> such a thing?
>
> Thanks,
> Jaime



The easy fix is "don't use a CNAME in a mail address".

In the distant past it was a requirement to canonicalize a 
CNAME in addresses.  If I remember right, postfix dropped this 
behavior around version 2.0.  Although it's no longer a 
requirement, some software continues to do this or old 
software may be in the path.  For general mail sent over the 
internet, avoid using CNAME because you can't control when or 
if it will get rewritten.


The hard fix is to track a message from creation and 
submission to transmission to delivery and find what software 
is changing the name and fix it.


Since you've already successfully tested with telnet directly 
to postfix, it would seem the problem is with creation or 
submission.


  -- Noel Jones
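To make the canonicalisation Noel describes concrete, here is an added example (not code from the thread, and not Postfix or Sendmail code) that follows a CNAME chain the way address-canonicalising mail software does and compares the two DNS states Jaime tried. The zone snapshots are constructed: the host names are the thread's, the 192.0.2.25 address is a documentation-range placeholder, and `canonical_name`, `canonicalize_address` and `cname_domains` are names chosen here.

```python
# Added example: how a CNAME mail domain gets canonicalised (not code from the
# thread or from Postfix). Zone contents are a constructed snapshot; the host
# names match the thread, the 192.0.2.x address is a documentation address.

ZONE_BEFORE = {
    # owner name -> list of (rrtype, rdata), as Jaime's DNS looked originally
    "cns.cairodurham.org.":   [("CNAME", "atlas.cairodurham.org.")],
    "atlas.cairodurham.org.": [("A", "192.0.2.25")],
}
ZONE_AFTER = {
    # both names as A records, as in Jaime's fix
    "cns.cairodurham.org.":   [("A", "192.0.2.25")],
    "atlas.cairodurham.org.": [("A", "192.0.2.25")],
}


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def canonical_name(name, zone, max_hops=8):
    """Follow CNAME records to the canonical owner name, the way mail
    software that still canonicalises addresses does. Raises LookupError
    for a name missing from the zone and ValueError for a loop or an
    over-long chain (the edge cases a real resolver must also handle)."""
    current = _fqdn(name)
    seen = []
    for _ in range(max_hops):
        if current in seen:
            raise ValueError("CNAME loop: " + " -> ".join(seen + [current]))
        seen.append(current)
        rrset = zone.get(current)
        if rrset is None:
            raise LookupError(current + ": NXDOMAIN")
        targets = [rdata for rrtype, rdata in rrset if rrtype == "CNAME"]
        if not targets:
            return current            # reached a name that carries real data
        current = _fqdn(targets[0])   # a name may carry only one CNAME
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def canonicalize_address(addr, zone):
    """Rewrite user@cname-domain to user@canonical-domain: what a
    canonicalising hop in the path would emit for the given DNS state."""
    local, _, domain = addr.rpartition("@")
    return "%s@%s" % (local, canonical_name(domain, zone).rstrip("."))


def cname_domains(domains, zone):
    """Audit helper: the subset of mail domains that are CNAMEs and would
    therefore be rewritten somewhere along the path."""
    return [d for d in domains if canonical_name(d, zone) != _fqdn(d)]


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, canonicalize_address("user@cns.cairodurham.org", zone))
```

With the original zone the address comes out as user@atlas.cairodurham.org, which is exactly the rewrite Jaime saw; with both names as A records nothing changes, whoever canonicalises. The `cname_domains` check is the pre-flight audit for the virtual-hosting question: any mail domain it lists is one you cannot guarantee will survive the path unchanged.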


$smtpd_hard_error_limit (was Re: Backup mx config)

2009-07-13 Thread Andrew Thompson

Noel Jones wrote:
> This is not an effective anti-spam control if that's what you're
> trying to use it for.  You'll probably have better results with a
> fairly low smtpd_hard_error_limit and working recipient validation
> (clients are disconnected after $smtpd_hard_error_limit bad recipients).


I'd like to hear some opinions of acceptable (other than the default)
values for $smtpd_hard_error_limit, as well as if anyone's been able to
pin any service disrupting issues on its setting.


--
Andrew Thompson



Re: $smtpd_hard_error_limit (was Re: Backup mx config)

2009-07-13 Thread Noel Jones

Andrew Thompson wrote:
> Noel Jones wrote:
> > This is not an effective anti-spam control if that's what you're
> > trying to use it for.  You'll probably have better results with a
> > fairly low smtpd_hard_error_limit and working recipient validation
> > (clients are disconnected after $smtpd_hard_error_limit bad recipients).
>
> I'd like to hear some opinions of acceptable (other than the default)
> values for $smtpd_hard_error_limit, as well as if anyone's been able to
> pin any service disrupting issues on its setting.




I think "optimal" depends on the size of your site.

The danger is a legit mailing list with more than 
$smtpd_hard_error_limit bad users (or more typically, old 
users that are no longer valid) can be significantly delayed.
Mail shouldn't be lost because of this setting, but there is 
no guarantee about how random site X will respond to being 
disconnected.


Probably anything in the range of 1..10 would be reasonable 
for small-to-medium sites, depending on your taste for 
possible delays and how many users you have.


I made the completely arbitrary choice of 3 for my sites (the 
largest is less than 2000 users), and have noticed no ill 
effects after several years.


  -- Noel Jones


reject 450 NOQUEUE issue

2009-07-13 Thread Jeff Lacki

I'm not nearly as versed in postfix as I would like to
be.  I've tried to figure this log message out but I'm not
sure what's really going on:

Jul 13 23:36:08 mysvr postfix/smtpd[14133]: NOQUEUE: reject: RCPT from 
mms.nextel.com[170.206.225.68]: 450 4.7.1 : 
Helo command rejected: Host not found; from=<> to= 
proto=ESMTP helo=

I'm unsure if this is nextel.com replying back telling me
that my helo is invalid due to an invalid host and/or
my from=<> is a separate issue.  Can someone point me in
the right direction?  If it's my from=<> how do I set that?
What am I missing in the script below?

I've got a perl script emailing an SMS text message
to @messaging.nextel.com using the following 
perl function:

use strict;
use warnings;

# Assumed path; the original script used $SENDMAIL without declaring it.
my $SENDMAIL = '/usr/sbin/sendmail';

sub send_email_msg_sms
{
    my $helo    = shift;   # kept so existing callers still work; see below
    my $to      = shift;
    my $from    = shift;
    my $subject = shift;
    my $msg     = shift;

    # List-form open runs sendmail directly (no shell), so a $from containing
    # shell metacharacters cannot inject commands. -t takes the recipients
    # from the To: header; -f sets the envelope sender (the original used -F,
    # which only sets the sender's full name, so the envelope sender stayed
    # the Unix user running the script).
    open(my $mail, '|-', $SENDMAIL, '-t', '-f', $from)
        or die "Opening sendmail pipe: $!\n";
    # HELO is an SMTP command the MTA issues to the next hop using its own
    # hostname; it is not a message header, so the original "HELO: $helo"
    # line only produced a meaningless extra header and is dropped here.
    print $mail "To: $to\n";
    print $mail "From: $from\n";
    print $mail "Subject: $subject\n";
    print $mail "\n";
    print $mail $msg;
    print $mail "\n";
    close($mail) or die "Closing sendmail pipe: $!\n";
}

Thanks in advance,
Jeff



Re: reject 450 NOQUEUE issue

2009-07-13 Thread Sahil Tandon
On Mon, 13 Jul 2009, Jeff Lacki wrote:

> I'm not nearly as versed in postfix as I would like to
> be.  I've tried to figure this log message out but I'm not
> sure what's really going on:
> 
> Jul 13 23:36:08 mysvr postfix/smtpd[14133]: NOQUEUE: reject: RCPT from 
> mms.nextel.com[170.206.225.68]: 450 4.7.1 : 
> Helo command rejected: Host not found; from=<> to= 
> proto=ESMTP helo=
> 
> I'm unsure if this is nextel.com replying back telling me
> that my helo is invalid due to an invalid host and/or

smtpd (not smtp) is logging the above line.  Your server is rejecting the
message.

http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname

  % host adcvibq01.messaging.nextel.com
  Host adcvibq01.messaging.nextel.com not found: 3(NXDOMAIN)

-- 
Sahil Tandon 


Re: reject 450 NOQUEUE issue

2009-07-13 Thread Sahil Tandon
On Mon, 13 Jul 2009, Sahil Tandon wrote:

> On Mon, 13 Jul 2009, Jeff Lacki wrote:
> 
> > I'm not nearly as versed in postfix as I would like to
> > be.  I've tried to figure this log message out but I'm not
> > sure what's really going on:
> > 
> > Jul 13 23:36:08 mysvr postfix/smtpd[14133]: NOQUEUE: reject: RCPT from
> > mms.nextel.com[170.206.225.68]: 450 4.7.1
> > : Helo command rejected: Host not found;
> > from=<> to= proto=ESMTP
> > helo=
> > 
> > I'm unsure if this is nextel.com replying back telling me
> > that my helo is invalid due to an invalid host and/or
> 
> smtpd (not smtp) is logging the above line.  Your server is rejecting the
> message.
> 
> http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname
> 
>   % host adcvibq01.messaging.nextel.com
>   Host adcvibq01.messaging.nextel.com not found: 3(NXDOMAIN)

And FWIW, the from=<> suggests that the nextel.com server is trying to
deliver a bounce to nob...@myserver.com.

-- 
Sahil Tandon
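Two points in the threads above can be checked mechanically from the maillog: Sahil's reading of the NOQUEUE line (the daemon name `smtpd` means our own server rejected, a 4xx is a defer, and `from=<>` marks a bounce being delivered to us) and Noel's advice on `smtpd_hard_error_limit` (pick a low value, but know how many legitimate sessions, such as a list with stale subscribers, would be cut at that value). Here is one added example serving both, not code from the thread or from Postfix: it parses `NOQUEUE: reject:` lines, tracks rejected RCPTs per smtpd session between the `connect from` and `disconnect from` lines, and reports which sessions would have reached a candidate limit. The log sample is constructed: the first session copies the thread's line with its elided fields filled by placeholders, and list.example.net, the myserver.example addresses and the trailing `smtp` line are invented. The function names are chosen here.

```python
import re

# Constructed sample maillog (not from the thread). The first session mirrors
# the thread's NOQUEUE line with its elided fields filled by placeholders;
# list.example.net, the myserver.example addresses and the last smtp line
# are invented.
SAMPLE_LOG = """\
Jul 13 23:36:01 mysvr postfix/smtpd[14133]: connect from mms.nextel.com[170.206.225.68]
Jul 13 23:36:08 mysvr postfix/smtpd[14133]: NOQUEUE: reject: RCPT from mms.nextel.com[170.206.225.68]: 450 4.7.1 <adcvibq01.messaging.nextel.com>: Helo command rejected: Host not found; from=<> to=<bounce-target@myserver.example> proto=ESMTP helo=<adcvibq01.messaging.nextel.com>
Jul 13 23:36:09 mysvr postfix/smtpd[14133]: disconnect from mms.nextel.com[170.206.225.68]
Jul 13 23:40:00 mysvr postfix/smtpd[14140]: connect from list.example.net[192.0.2.10]
Jul 13 23:40:01 mysvr postfix/smtpd[14140]: NOQUEUE: reject: RCPT from list.example.net[192.0.2.10]: 550 5.1.1 <old1@myserver.example>: Recipient address rejected: User unknown in local recipient table; from=<list-bounces@example.net> to=<old1@myserver.example> proto=ESMTP helo=<list.example.net>
Jul 13 23:40:02 mysvr postfix/smtpd[14140]: NOQUEUE: reject: RCPT from list.example.net[192.0.2.10]: 550 5.1.1 <old2@myserver.example>: Recipient address rejected: User unknown in local recipient table; from=<list-bounces@example.net> to=<old2@myserver.example> proto=ESMTP helo=<list.example.net>
Jul 13 23:40:03 mysvr postfix/smtpd[14140]: NOQUEUE: reject: RCPT from list.example.net[192.0.2.10]: 550 5.1.1 <old3@myserver.example>: Recipient address rejected: User unknown in local recipient table; from=<list-bounces@example.net> to=<old3@myserver.example> proto=ESMTP helo=<list.example.net>
Jul 13 23:40:05 mysvr postfix/smtpd[14140]: disconnect from list.example.net[192.0.2.10]
Jul 13 23:41:00 mysvr postfix/smtp[14150]: 1A2B3C4D5E: to=<user@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=4.7.1, status=deferred (host mx.example.org[198.51.100.5] said: 450 4.7.1 Try again later (in reply to RCPT TO command))
"""

DAEMON_RE = re.compile(r' postfix/(?P<daemon>[a-z]+)\[\d+\]: ')
SESSION_RE = re.compile(
    r' postfix/smtpd\[(?P<pid>\d+)\]: (?P<event>connect|disconnect) from (?P<client>\S+)')
REJECT_RE = re.compile(
    r' postfix/(?P<daemon>[a-z]+)\[(?P<pid>\d+)\]: NOQUEUE: reject: '
    r'(?P<stage>[A-Z]+) from (?P<client>\S+): (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) '
    r'(?:<(?P<subject>[^>]*)>: )?(?P<reason>[^;]*); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>')

# Prefix of the rejection text -> which smtpd_*_restrictions class produced it.
REASON_CATEGORIES = (
    ("Client host rejected", "client"),
    ("Helo command rejected", "helo"),
    ("Sender address rejected", "sender"),
    ("Recipient address rejected", "recipient"),
    ("Relay access denied", "relay"),
)


def which_side(line):
    """'inbound' when our own smtpd made the decision, 'outbound' when the
    smtp/lmtp client is relaying a remote server's answer."""
    m = DAEMON_RE.search(line)
    if not m:
        return None
    return {"smtpd": "inbound", "smtp": "outbound", "lmtp": "outbound"}.get(m["daemon"], "other")


def classify_reject(line):
    """Parse one 'NOQUEUE: reject:' line into its fields, or None otherwise."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["category"] = next((cat for prefix, cat in REASON_CATEGORIES
                          if d["reason"].startswith(prefix)), "other")
    d["temporary"] = d["code"].startswith("4")   # 4xx: the sender queues and retries
    d["null_sender"] = d["sender"] == ""         # from=<>: a bounce/DSN aimed at us
    return d


def session_error_counts(lines):
    """Rejected RCPT commands per smtpd session, delimited by the connect and
    disconnect lines of the same pid and client. Returns [(client, count)] in
    disconnect order; sessions still open at end of log are appended."""
    open_sessions, finished = {}, []
    for line in lines:
        s = SESSION_RE.search(line)
        if s:
            key = (s["pid"], s["client"])
            if s["event"] == "connect":
                open_sessions[key] = 0
            else:
                finished.append((s["client"], open_sessions.pop(key, 0)))
            continue
        r = classify_reject(line)
        if r and r["daemon"] == "smtpd" and r["stage"] == "RCPT":
            key = (r["pid"], r["client"])
            open_sessions[key] = open_sessions.get(key, 0) + 1
    finished.extend((client, n) for (_, client), n in open_sessions.items())
    return finished


def sessions_cut_at(limit, counts):
    """Clients whose session would have hit a candidate smtpd_hard_error_limit.
    Approximation: Postfix counts every protocol error, not only bad
    recipients, and this treats reaching the limit as the cut-off."""
    return [client for client, n in counts if n >= limit]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for line in lines:
        r = classify_reject(line)
        if r:
            print(which_side(line), r["category"], r["code"],
                  "null-sender" if r["null_sender"] else "")
    counts = session_error_counts(lines)
    for limit in (1, 3, 10):
        print("limit", limit, "would cut:", sessions_cut_at(limit, counts))
```

Run against a real maillog, the session counts give the distribution Noel's "1..10" range has to be weighed against: every legitimate client whose count meets the candidate limit is a session that would have been cut short and retried later. The classifier side is the check Sahil applied by eye: an `inbound` result with category `helo` says the local `reject_unknown_helo_hostname` fired, not the remote server.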