Re: Postfix and IDENT (RFC1413)

2009-08-10 Thread Ralf Hildebrandt
* Byung-Hee HWANG :

> Thanks for good point, Ralf. Then i would like to give you the question
> again. How can i make to enable the above IDENT feature with Postfix?

There is no such thing. And nobody ever needed that. In 10 years.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



how to have amavisd-new dkimproxy and implemented in master.cf and main.cf

2009-08-10 Thread fake...@fakessh.eu
hi list
hi all

how to have amavisd-new dkimproxy , and implemented 
in master.cf and main.cf

"Buddha" peace themselve


SSL_accept error

2009-08-10 Thread Ebbe Hjorth
Hi,

I just installed FreeBSD, postfix and dovecot.

I tried to do the setup from purplehat.org, but i keep getting the following
error, please help.


Aug  9 14:22:55 mail02 postfix/smtpd[1969]: SSL_accept error from mail-ew0-f224.google.com[209.85.219.224]: -1
Aug  9 14:22:55 mail02 postfix/smtpd[1855]: connect from bzq-79-182-42-58.red.bezeqint.net[79.182.42.58]
Aug  9 14:22:55 mail02 postfix/smtpd[1969]: lost connection after CONNECT from mail-ew0-f224.google.com[209.85.219.224]


mail02# postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = localhost.$mydomain, localhost
mydomain = apz.dk
myhostname = mail02.apz.dk
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,  reject_non_fqdn_hostname,
reject_non_fqdn_sender,  reject_non_fqdn_recipient,
reject_unauth_destination,  reject_unauth_pipelining,
reject_invalid_hostname,  reject_rbl_client list.dsbl.org,
reject_rbl_client bl.spamcop.net,  reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:125
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 5120
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 125
virtual_transport = virtual
virtual_uid_maps = static:125


Re: how to have amavisd-new dkimproxy and implemented in master.cf and main.cf

2009-08-10 Thread Thomas Gelf
http://www.google.com
http://www.altavista.com/
http://www.bing.com
http://www.yahoo.com
http://en.wikipedia.org/wiki/Web_search_engine

fake...@fakessh.eu wrote:
> how to have amavisd-new dkimproxy , and implemented 
> in master.cf and main.cf



Re: how to have amavisd-new dkimproxy and implemented in master.cf and main.cf

2009-08-10 Thread Patrick Ben Koetter
* fake...@fakessh.eu :
> how to have amavisd-new dkimproxy , and implemented 
> in master.cf and main.cf

Start here:


p...@rick

-- 
All technical answers asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.

saslfinger (debugging SMTP AUTH):



[SOLVED]Re: how to have amavisd-new dkimproxy and implemented in master.cf and main.cf

2009-08-10 Thread fake...@fakessh.eu
On Monday 10 August 2009 17:47, Patrick Ben Koetter wrote:
> * fake...@fakessh.eu :
> > how to have amavisd-new dkimproxy , and implemented
> > in master.cf and main.cf
>
> Start here:
> 
>
> p...@rick


Google is your friend


"Buddha" peace themselve


Re: report to consolidate allowed messages

2009-08-10 Thread mouss
Clunk Werclick wrote:
> Hello,
> 
> I have been toying with the best way to produce a report of 'allowed'
> messages that have made it all the way through my Postfix. I love the
> Postfix logs, they give such detail on failures and refusals and parsing
> this is quite straightforward. 
> 
> The entertainment commences when I try to figure out how to produce a
> report of 'allowed' messages. This needs to contain just a few pieces of
> key information;
> 
> date/time  from  to  subject  client IP
> 
> At first, I thought 'this will be easy' but upon closer examination this
> is not as simple as it looks. Where Postfix is multi-process, the bits
> of information are in different places and consolidating this has some
> challenges. In particular matching up (by script) the interaction for a
> transaction between;
> 
> postfix/smtpd
> postfix/cleanup
> postfix/virtual
> postfix/qmgr
> 
> Perhaps there is an easy way to get the five metrics I would like in a
> report?
> 

do you really want the Subject?
- what would this be useful for?
- there may be privacy issues
- it may be encoded or it may contain "non printable" characters (yes,
some mailers "forget" to encode...)


if you don't need the subject, then smtpd restrictions with an action of
WARN will give you what you want in a single line.

if you insist on the Subject, you'll need to do some aggregation. start
by using header_checks to log the Subject. then test by sending a
message to 1 recipient, and then a message to 2 (or more) recipients.
this will show you how it is easy to handle in the single recipient
case, but not in the multi-recipient case.



> I am starting to think I may need to plug something in to 'scan' the
> headers of a message after Postfix is done with it or pipe the messages
> through a script?
> 
> To keep things lean and for learning, I am interested to achieve this
> with a some Perl- so my interest is really in finding the 'key' to link
> the information together from what is already produced - or - to work
> out how to get messages to pipe through a script as 'virtual' delivers
> them. Unless Virtual can give me all the information I need (logging
> options)
> 
> Perhaps some of the very clever guru's here have some useful suggestion?
> 
> 



Re: report to consolidate allowed messages

2009-08-10 Thread Willy De la Court
On Mon, 10 Aug 2009 18:20:32 +0200, mouss  wrote:
> Clunk Werclick wrote:
>> Hello,
>> 
>> I have been toying with the best way to produce a report of 'allowed'
>> messages that have made it all the way through my Postfix. I love the
>> Postfix logs, they give such detail on failures and refusals and parsing
>> this is quite straightforward.
>> 
>> The entertainment commences when I try to figure out how to produce a
>> report of 'allowed' messages. This needs to contain just a few pieces of
>> key information;
>> 
>> date/time  from  to  subject  client IP
>> 
>> At first, I thought 'this will be easy' but upon closer examination this
>> is not as simple as it looks. Where Postfix is multi-process, the bits
>> of information are in different places and consolidating this has some
>> challenges. In particular matching up (by script) the interaction for a
>> transaction between;
>> 
>> postfix/smtpd
>> postfix/cleanup
>> postfix/virtual
>> postfix/qmgr
>> 
>> Perhaps there is an easy way to get the five metrics I would like in a
>> report?
>> 
> 
> do you really want the Subject?
> - what would this be useful for?
> - there may be privacy issues
> - it may be encoded or it may contain "non printable" characters (yes,
> some mailers "forget" to encode...)
> 
> 
> if you don't need the subject, then smtpd restrictions with an action of
> WARN will give you what you want in a single line.
> 
> if you insist on the Subject, you'll need to do some aggregation. start
> by using header_checks to log the Subject. then test by sending a
> message to 1 recipient, and then a message to 2 (or more) recipients.
> this will show you how it is easy to handle in the single recipient
> case, but not in the multi-recipient case.
> 
[SNIP]
>> 
>> Perhaps some of the very clever guru's here have some useful suggestion?
>> 
>>

With a simple bash script you can find out a lot.

This is my findmsg script the only parameter you need is the Message-Id
without the <>

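#!/bin/bash
# findmsg: print every mail.log line that belongs to one message.
# Usage: findmsg MESSAGE-ID   (without the <>)

LOG=/var/log/mail.log

# Field 6 of each matching line is the queue ID ("54B33481CE:"). Join the
# IDs with "|" and strip colons, NOQUEUE entries and the trailing "|".
# grep -F takes the Message-Id literally, so "." and "+" are not regex operators.
SEARCH=$(grep -F -- "$1" "$LOG" | \
awk '{ printf "%s|", $6; }' | \
sed "s/://g" | \
sed "s/NOQUEUE|//g" | \
sed "s/|$//g" | \
sed "s/message-id=//g")

echo "$SEARCH"

# An empty pattern would match the whole log, so stop if nothing usable was found.
[ -n "$1" ] && [ -n "$SEARCH" ] || exit 1

grep -E "$SEARCH" "$LOG" | less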

This will give you all log lines for one message. Subject is not included.

And I know this is something that I clobbered together in about 2 mins so
yes it can be optimized.

-- 
Simple things make people happy.
Willy De la Court
PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689
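
The aggregation discussed in this thread, carried through to the report requested in the original question, as an added example that is not part of any poster's message: it joins log lines on the queue ID and emits one row per delivered recipient, which covers the multi-recipient case. The sample log is constructed; the code assumes short hexadecimal queue IDs as seen in this thread and, for the Subject column, a header_checks WARN rule that logs the Subject header.

```python
import re
from collections import defaultdict

# Constructed sample log (addresses and IPs are documentation values).
SAMPLE_LOG = """\
Aug 10 18:20:31 mx postfix/smtpd[7539]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <x@example.net>: Relay access denied; from=<spam@example.net> to=<x@example.net> proto=SMTP helo=<foo>
Aug 10 18:20:32 mx postfix/smtpd[7540]: 54B33481CE: client=unknown[192.168.11.1]
Aug 10 18:20:32 mx postfix/smtpd[7541]: 86E27481CE: client=mail.example.org[198.51.100.7]
Aug 10 18:20:32 mx postfix/cleanup[7542]: 54B33481CE: warning: header Subject: lunch from Friday on from unknown[192.168.11.1]; from=<alice@example.org> to=<bob@example.com> proto=SMTP helo=<taphy>
Aug 10 18:20:32 mx postfix/cleanup[7542]: 54B33481CE: message-id=<1@example.org>
Aug 10 18:20:32 mx postfix/qmgr[7520]: 54B33481CE: from=<alice@example.org>, size=169, nrcpt=2 (queue active)
Aug 10 18:20:33 mx postfix/qmgr[7520]: 86E27481CE: from=<carol@example.org>, size=512, nrcpt=1 (queue active)
Aug 10 18:20:33 mx postfix/virtual[7544]: 54B33481CE: to=<bob@example.com>, relay=virtual, delay=1, status=sent (delivered to maildir)
Aug 10 18:20:34 mx postfix/virtual[7544]: 54B33481CE: to=<dave@example.com>, relay=virtual, delay=2, status=sent (delivered to maildir)
Aug 10 18:20:34 mx postfix/virtual[7545]: 86E27481CE: to=<erin@example.com>, relay=virtual, delay=2, status=deferred (mailbox is full)
Aug 10 18:20:34 mx postfix/qmgr[7520]: 54B33481CE: removed
"""

# "Mon dd hh:mm:ss host postfix/daemon[pid]: QUEUEID: rest". NOQUEUE lines
# do not match because the queue ID must be hexadecimal (short-ID format).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"postfix/[\w-]+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
CLIENT = re.compile(r"client=\S*\[(?P<ip>[^\]]+)\]")
SENDER = re.compile(r"from=<(?P<addr>[^>]*)>")
RCPT = re.compile(r"to=<(?P<addr>[^>]*)>.*\bstatus=(?P<status>\w+)")
# Only logged when a header_checks WARN rule matches the Subject header.
# The greedy match keeps " from " inside the subject text itself.
SUBJECT = re.compile(r"warning: header Subject: (?P<subject>.*) from [^;]+;")


def allowed_report(log_text):
    """Return one (time, from, to, subject, client_ip) row per delivery."""
    state = defaultdict(lambda: {"ip": None, "from": None, "subject": None})
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # rejects without a queue ID, non-Postfix lines
        qid, rest = m.group("qid"), m.group("rest")
        msg = state[qid]
        if rest == "removed":
            # Queue IDs are reused, so forget the message once qmgr drops it.
            del state[qid]
            continue
        hit = SUBJECT.match(rest)
        if hit:
            msg["subject"] = hit.group("subject")
            continue
        hit = CLIENT.match(rest)
        if hit:
            msg["ip"] = hit.group("ip")
            continue
        hit = SENDER.match(rest)
        if hit:
            msg["from"] = hit.group("addr")
            continue
        hit = RCPT.match(rest)
        if hit and hit.group("status") == "sent":
            # One row per recipient: sender, subject and client IP were
            # logged earlier under the same queue ID.
            rows.append((m.group("ts"), msg["from"], hit.group("addr"),
                         msg["subject"], msg["ip"]))
    return rows


if __name__ == "__main__":
    for row in allowed_report(SAMPLE_LOG):
        print("\t".join(str(field) for field in row))
```

Mail submitted locally through pickup has no client= line, so its client IP column stays empty.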


Re: SSL_accept error

2009-08-10 Thread Brian Evans - Postfix List
Ebbe Hjorth wrote:
> Hi,
>  
> I just installed FreeBSD, postfix and dovecot.
>  
> I tried to do the setup from purplehat.org, but
> i keep getting the following error, please help.
>  
> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: SSL_accept error from mail-ew0-f224.google.com[209.85.219.224]: -1
> Aug  9 14:22:55 mail02 postfix/smtpd[1855]: connect from bzq-79-182-42-58.red.bezeqint.net[79.182.42.58]
> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: lost connection after CONNECT from mail-ew0-f224.google.com[209.85.219.224]

See comments below.

>  
>  
> mail02# postconf -n
[snip]
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,  reject_non_fqdn_hostname,
> reject_non_fqdn_sender,  reject_non_fqdn_recipient,
> reject_unauth_destination,  reject_unauth_pipelining,
> reject_invalid_hostname,  reject_rbl_client list.dsbl.org,
> reject_rbl_client bl.spamcop.net,  reject_rbl_client sbl-xbl.spamhaus.org
>
reject_unauth_pipelining has little value here.
dsbl.org is dead.  You should remove it.
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
Worthless, suggest removing it to reduce confusion.

> smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
> smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
> smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
This doesn't seem right.
The CA, cert and key files should NOT be the same.
Google is your friend.
A great guide by a frequent poster here is
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
> smtpd_use_tls = yes
This is deprecated as of Postfix 2.3 (though still works).
Preferred is "smtpd_tls_security_level=may"


Re: SSL_accept error

2009-08-10 Thread Sahil Tandon
On Aug 10, 2009, at 1:16 PM, Brian Evans - Postfix List wrote:

> Ebbe Hjorth wrote:
>> Hi,
>>
>> I just installed FreeBSD, postfix and dovecot.
>>
>> I tried to do the setup from purplehat.org, but
>> i keep getting the following error, please help.
>>
>> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: SSL_accept error from mail-ew0-f224.google.com[209.85.219.224]: -1
>> Aug  9 14:22:55 mail02 postfix/smtpd[1855]: connect from bzq-79-182-42-58.red.bezeqint.net[79.182.42.58]
>> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: lost connection after CONNECT from mail-ew0-f224.google.com[209.85.219.224]
>
> See comments below.
>
>> mail02# postconf -n
> [snip]
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated,  reject_non_fqdn_hostname,
>> reject_non_fqdn_sender,  reject_non_fqdn_recipient,
>> reject_unauth_destination,  reject_unauth_pipelining,
>> reject_invalid_hostname,  reject_rbl_client list.dsbl.org,
>> reject_rbl_client bl.spamcop.net,  reject_rbl_client sbl-xbl.spamhaus.org
>
> reject_unauth_pipelining has little value here.

If the OP installed postfix from FreeBSD ports, then it's likely 2.6+,
in which case this is OK here.  See postconf(5) and 2.6.3 release notes.

> dsbl.org is dead.  You should remove it.
>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> Worthless, suggest removing it to reduce confusion.
>
>> smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
>> smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
>> smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
> This doesn't seem right.
> The CA, cert and key files should NOT be the same.
> Google is your friend.
> A great guide by a frequent poster here is
> http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>> smtpd_use_tls = yes
> This is deprecated as of Postfix 2.3 (though still works).
> Preferred is "smtpd_tls_security_level=may"


Re: Postfix receives mail for virtual domain on loopback address, but relay access denied on remote connections

2009-08-10 Thread mouss
jluros wrote:
> I'm making good progress getting postfix up and running, but having a
> persistent issue with a domain configured through ISPConfig. My virtual
> domain Luros.eu has a catchall address, jlu...@luros.eu which forwards to my
> gmail account. When I test through telnet to port 25 locally (on the
> server), the message gets queued and sent to my gmail. However, when I try
> to telnet to port 25 from my home machine on a DSL connection or through a
> webmail interface on a different system (tried Me.com and Hotmail), I get
> relay access denied after the RCPT TO command.
> [snip]

mail relay is only allowed if the client is in mynetworks or if the
sender is authenticated (SASL). otherwise, you would be an open relay.

- to submit mail from your DSL IP (via smtp), the best way is to setup
SASL and TLS. see the SASL README and the TLS README for how to do this.
(TLS is not strictly necessary, but you don't want passwords flying
around...).

- to submit via a web interface, install one of the available webmail
solutions. RoundCube will probably suit your needs.




Re: Recipient address rewrite at delivery , after content filter

2009-08-10 Thread mouss
Ovidiu Bivolaru wrote:
> Hello everyone,
> 
> I've Postfix setup as a gateway machine (using content_filter,
> relay_domains and transport_maps). I would like to receive messages for
> "domain.com", process them with content filter using recipients
> @domain.com, then at delivery time convert recipient addresses to
> g.domain.com and deliver them to smarthost using either relay_host,
> either transport_maps.
> I was trying to use virtual_alias_maps (@domain   @g.domain.com), but
> recipients address is converted before content_filter (-o
> receive_override_options=no_address_mappings for 10026).  Can you help
> me with suggestion on how to convert envelope recipient address from
> u...@domain.com to u...@g.domain.com at delivery time (after
> content_filter) ? Thank you!

do the opposite. set no_address_mapping for 25 and not for 10026.


Re: ptr records set to localhost spammers

2009-08-10 Thread mouss
Robert Schetterer wrote:
> Hi,
> some nets have
> set their ptr records to localhost
> this causes problems to several mailservers
> i see no problems at mine but
> just asked to clear
> 
> dig -x 123.27.178.4
> 
> ; <<>> DiG 9.3.5-P1 <<>> -x 123.27.178.4
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46689
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;4.178.27.123.in-addr.arpa. IN  PTR
> 
> ;; ANSWER SECTION:
> 4.178.27.123.in-addr.arpa. 86266 IN PTR localhost.
> 
> i only get warnings ( like ever )
> 
> Aug  6 15:04:31 mxback postfix/smtpd[30131]: warning: 123.27.178.4:
> address not listed for hostname localhost
> Aug  6 15:04:31 mxback postfix/smtpd[30131]: connect from
> unknown[123.27.178.4]
> 
> 
> is this a hard coded match ( ptrs to localhost are resolved unknown? )
> so i.e reject_unknown_reverse_client_hostname
> will reject it ever ?
> 
> after all this was warned by german heise pc magazin
> http://www.heise.de/newsticker/Namens-Trick-oeffnet-Mailserver--/meldung/143123


I use something like this:

smtpd_recipient_restrictions =
  ...
  check_reverse_client_hostname_access ${hash}/access_host
  check_helo_access ${hash}/access_host
  ...

to reject things like:

localhost
unreachable
.localhost
.arpa
.invalid
.inv
.test
.local
.lokaal
.localdomain
.lan
.private
.root
.adsl
.firewall
.speedportw700v
.belkin
.kornet
...


be them found in helo or in the PTR. I also use a pcre version to reject
"." as PTR (among other things).



Re: ptr records set to localhost spammers

2009-08-10 Thread fake...@fakessh.eu
"Buddha" peace themselve

that he spent the other day with the attack on the ml

double bouncing for killer

a post on our list, a UBE, I said that I had to send an email with my DK DKIM 
signatures
They spoke on TV in the evening, the newspaper that the attack came from 
france
I do not mention the great person company has been hosting French attack

my RPS has my key was' down 'for several days
On Monday 10 August 2009 21:03, mouss wrote:
> Robert Schetterer wrote:
> > Hi,
> > some nets have
> > set their ptr records to localhost
> > this causes problems to several mailservers
> > i see no problems at mine but
> > just asked to clear
> >
> > dig -x 123.27.178.4
> >
> > ; <<>> DiG 9.3.5-P1 <<>> -x 123.27.178.4
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46689
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;4.178.27.123.in-addr.arpa. IN  PTR
> >
> > ;; ANSWER SECTION:
> > 4.178.27.123.in-addr.arpa. 86266 IN PTR localhost.
> >
> > i only get warnings ( like ever )
> >
> > Aug  6 15:04:31 mxback postfix/smtpd[30131]: warning: 123.27.178.4:
> > address not listed for hostname localhost
> > Aug  6 15:04:31 mxback postfix/smtpd[30131]: connect from
> > unknown[123.27.178.4]
> >
> >
> > is this a hard coded match ( ptrs to localhost are resolved unknown? )
> > so i.e reject_unknown_reverse_client_hostname
> > will reject it ever ?
> >
> > after all this was warned by german heise pc magazin
> > http://www.heise.de/newsticker/Namens-Trick-oeffnet-Mailserver--/meldung/143123
>
> I use something like this:
>
> smtpd_recipient_restrictions =
>   ...
>   check_reverse_client_hostname_access ${hash}/access_host
> check_helo_access ${hash}/access_host
>   ...
>
> to reject things like:
>
> localhost
> unreachable
> .localhost
> .arpa
> .invalid
> .inv
> .test
> .local
> .lokaal
> .localdomain
> .lan
> .private
> .root
> .adsl
> .firewall
> .speedportw700v
> .belkin
> .kornet
> ...
>
>
> be them found in helo or in the PTR. I also use a pcre version to reject
> "." as PTR (among other things).


Re: lost my Delivered-To: header

2009-08-10 Thread Tim Coote


I responded to this thread immediately, but it's taken me until now,  
pestering mail-abuse.com and my isp, to get the IP address of my  
mailserver off the mail-abuse.com dul database, where it was  
erroneously dropped. An interesting, if annoying, denial of service.


Still hoping that someone can help.

Tim

On 4 Aug 2009, at 01:41, Sahil Tandon wrote:

> On Mon, 03 Aug 2009, Tim Coote wrote:
>
> You've been using Postfix long enough to include 'postconf -n' and the other
> information as outlined in DEBUG_README. :-)

Fair point. I'd hoped it was easier than that. See below.

> The bounce is sensible; you add a Delivered-To: header before the mail is
> actually delivered by the appropriate delivery agent, which by design bounces
> mail that is destined for f...@bar.org when f...@bar.org already appears in the
> Delivered-To:.

Maybe I wasn't clear enough about this. With no D flag, there's no
Delivered-To: at all. With the D flag it gets bounced. Therefore is
D flag creating >1 Delivered-To: ?  Or I'm not looking at the right
thing (grep on file in Cyrus IMAP directory.

> The header was not 'removed'; for example, local(8) and virtual(8) still add
> the header when delivering mail to intended recipients.
>
>> There's no particular reason for trying to generate the Delivered-To:
>> header through the callout to the content filter, but it seemed an easy
>> place to plug it in.
>
> It is a bad place to plug it in given the way loop detection works.

Ok. So where's a good place? Maybe a moot point if it's actually
being put in but I cannot see it.

> Show 'postconf -n', some log output of the bounce, and the rest of master.cf.

--begin postconf (virtual alias domain redacted)--
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = spambayes
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550
virtual_alias_domains = xxx.yyy.zzz.tld
virtual_alias_maps = hash:/etc/postfix/virtual

-- end postconf--
-- begin master.cf (comment lines redacted, last line has the flags definition)--

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spambayes:dummy
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
  -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
spambayes unix  -       n       n       -       -       pipe
  flags=O user=tim argv=/usr/local/bin/sbwrapper.sh ${sender} ${recipient}


-- end master.cf--

Sahil Tandon 



Tim Coote




Re: SSL_accept error

2009-08-10 Thread Sahil Tandon
On Mon, 10 Aug 2009, Ebbe Hjorth wrote:

> 2009/8/10 Sahil Tandon 
> 
> >  On Aug 10, 2009, at 1:16 PM, Brian Evans - Postfix List <
> > grkni...@scent-team.com> wrote:
> >
> > Ebbe Hjorth wrote:
> >>
> >>> Hi,
> >>>
> >>> I just installed FreeBSD, postfix and dovecot.
> >>>
> >>> I tried to do the setup from purplehat.org, but
> >>> i keep getting the following error, please help.
> >>>
> >>> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: SSL_accept error from mail-ew0-f224.google.com[209.85.219.224]: -1
> >>> Aug  9 14:22:55 mail02 postfix/smtpd[1855]: connect from bzq-79-182-42-58.red.bezeqint.net[79.182.42.58]
> >>> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: lost connection after CONNECT from mail-ew0-f224.google.com[209.85.219.224]
> >>>
> >>
> >> See comments below.
> >>
> >>
> >>>
> >>> mail02# postconf -n
> >>>
> >> [snip]
> >>
> >>> smtpd_recipient_restrictions = permit_mynetworks,
> >>> permit_sasl_authenticated,  reject_non_fqdn_hostname,
> >>> reject_non_fqdn_sender,  reject_non_fqdn_recipient,
> >>> reject_unauth_destination,  reject_unauth_pipelining,
> >>> reject_invalid_hostname,  reject_rbl_client list.dsbl.org,
> >>> reject_rbl_client bl.spamcop.net,  reject_rbl_client sbl-xbl.spamhaus.org
> >>>
> >>> reject_unauth_pipelining has little value here.
> >>
> >
> > If the OP installed postfix from FreeBSD ports, then it's likely 2.6+, in
> > which case this is OK here.  See postconf(5) and 2.6.3 release notes.
> >
> 
> OP?

Original Poster.

> The postfix installed is postfix-2.6.2_1 - Im not sure which part what you
> mean about "this is OK"?

The part which is quoted directly above my response.  Specifically the
reference to reject_unauth_pipelining.

-- 
Sahil Tandon 


Re: ptr records set to localhost spammers

2009-08-10 Thread Robert Schetterer
mouss wrote:
> Robert Schetterer wrote:
>> Hi,
>> some nets have
>> set their ptr records to localhost
>> this causes problems to several mailservers
>> i see no problems at mine but
>> just asked to clear
>>
>> dig -x 123.27.178.4
>>
>> ; <<>> DiG 9.3.5-P1 <<>> -x 123.27.178.4
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46689
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;4.178.27.123.in-addr.arpa. IN  PTR
>>
>> ;; ANSWER SECTION:
>> 4.178.27.123.in-addr.arpa. 86266 IN PTR localhost.
>>
>> i only get warnings ( like ever )
>>
>> Aug  6 15:04:31 mxback postfix/smtpd[30131]: warning: 123.27.178.4:
>> address not listed for hostname localhost
>> Aug  6 15:04:31 mxback postfix/smtpd[30131]: connect from
>> unknown[123.27.178.4]
>>
>>
>> is this a hard coded match ( ptrs to localhost are resolved unknown? )
>> so i.e reject_unknown_reverse_client_hostname
>> will reject it ever ?
>>
>> after all this was warned by german heise pc magazin
>> http://www.heise.de/newsticker/Namens-Trick-oeffnet-Mailserver--/meldung/143123
> 
> 
> I use something like this:
> 
> smtpd_recipient_restrictions =
>   ...
>   check_reverse_client_hostname_access ${hash}/access_host
> check_helo_access ${hash}/access_host
>   ...
> 
> to reject things like:
> 
> localhost
> unreachable
> .localhost
> .arpa
> .invalid
> .inv
> .test
> .local
> .lokaal
> .localdomain
> .lan
> .private
> .root
> .adsl
> .firewall
> .speedportw700v
> .belkin
> .kornet
> ...
> 
> 
> be them found in helo or in the PTR. I also use a pcre version to reject
> "." as PTR (among other things).
> 
Hi, wow thats a lot i only use localhost,
do you catch a lot of spam with the others ?


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


header_checks usage

2009-08-10 Thread taphy

Hi all,
I have defined header_checks test. Question why it works if I'm testing it
locally and doesn't work when I do my test via smtp?

this is simple definition in /etc/postfix/
/^Received:/      IGNORE
# any message to non-digital accounts should be dropped
!/^To: [0-9]+@/   WARN

example of good work:
I did it from  the same host where postfix works:
postfix]# echo test | mail  1...@mydomain.com
log file entries:
postfix/pickup[7519]: 37347481CE: uid=0 from=
postfix/cleanup[7525]: 37347481CE:
message-id=<20090811004031.3734748...@mydomain.com>
postfix/nqmgr[7520]: 37347481CE: from=, size=187, nrcpt=1
(queue active)
postfix/local[7527]: 37347481CE: to=,
orig_to=<1...@mydomain.com>, relay=local, delay=1, status=sent (mailbox)

postfix]# echo test | mail  ta...@mydomain.com
postfix/pickup[7519]: 86E27481CE: uid=0 from=
postfix/cleanup[7532]: 86E27481CE: warning: header To: ta...@mydomain.com
from local; from= to=: some errors
postfix/cleanup[7532]: 86E27481CE:
message-id=<20090811004225.86e2748...@mydomain.com>
postfix/nqmgr[7520]: 86E27481CE: from=, size=189, nrcpt=1
(queue active)
postfix/local[7533]: 86E27481CE: to=, relay=local,
delay=0, status=sent (mailbox)

not successful example:
did it from other host
test]# telnet 192.168.11.129 25
Trying 192.168.11.129...
Connected to 192.168.11.129.
Escape character is '^]'.
220 mydomain.com ESMTP Postfix
helo taphy
250 mydomain.com
mail from: t...@do.test
250 Ok
rcpt to: ta...@mydomain.com
250 Ok
data
354 End data with .
test
.
250 Ok: queued as 54B33481CE
quit
221 Bye
Connection closed by foreign host.

logfile entries (nothing was done at all by header_checks..):
postfix/smtpd[7540]: connect from unknown[192.168.11.1]
postfix/smtpd[7540]: 54B33481CE: client=unknown[192.168.11.1]
postfix/cleanup[7542]: 54B33481CE:
message-id=<20090811005124.54b3348...@mydomain.com>
postfix/nqmgr[7520]: 54B33481CE: from=, size=169, nrcpt=1
(queue active)
postfix/local[7544]: 54B33481CE: to=, relay=local,
delay=13, status=sent (mailbox)
postfix/smtpd[7540]: disconnect from unknown[192.168.11.1]

Many thanks in advance for any suggestions


-- 
View this message in context: 
http://www.nabble.com/header_checks-usage-tp24910095p24910095.html
Sent from the Postfix mailing list archive at Nabble.com.



Re: header_checks usage

2009-08-10 Thread Sahil Tandon
On Mon, 10 Aug 2009, taphy wrote:

> I have defined header_checks test. Question why it works if I'm testing it
> locally and doesn't work when I do my test via smtp?

Because your tests are misguided and lead you to the wrong conclusion.

> this is simple definition in /etc/postfix/
> /^Received:/      IGNORE
> # any message to non-digital accounts should be dropped
> !/^To: [0-9]+@/   WARN
> 
> example of good work:
> I did it from  the same host where postfix works:
> postfix]# echo test | mail  1...@mydomain.com

In this case, the To: header is set.

> log file entries:
> postfix/pickup[7519]: 37347481CE: uid=0 from=
> postfix/cleanup[7525]: 37347481CE:
> message-id=<20090811004031.3734748...@mydomain.com>
> postfix/nqmgr[7520]: 37347481CE: from=, size=187, nrcpt=1
> (queue active)
> postfix/local[7527]: 37347481CE: to=,
> orig_to=<1...@mydomain.com>, relay=local, delay=1, status=sent (mailbox)
> 
> postfix]# echo test | mail  ta...@mydomain.com
> postfix/pickup[7519]: 86E27481CE: uid=0 from=
> postfix/cleanup[7532]: 86E27481CE: warning: header To: ta...@mydomain.com
> from local; from= to=: some errors
> postfix/cleanup[7532]: 86E27481CE:
> message-id=<20090811004225.86e2748...@mydomain.com>
> postfix/nqmgr[7520]: 86E27481CE: from=, size=189, nrcpt=1
> (queue active)
> postfix/local[7533]: 86E27481CE: to=, relay=local,
> delay=0, status=sent (mailbox)
> 
> not successful example:
> did it from other host
> test]# telnet 192.168.11.129 25
> Trying 192.168.11.129...
> Connected to 192.168.11.129.
> Escape character is '^]'.
> 220 mydomain.com ESMTP Postfix
> helo taphy
> 250 mydomain.com
> mail from: t...@do.test
> 250 Ok
> rcpt to: ta...@mydomain.com
> 250 Ok
> data
> 354 End data with .
> test
> .

You never set ANY headers.

> 250 Ok: queued as 54B33481CE
> quit
> 221 Bye
> Connection closed by foreign host.
> 
> logfile entries (nothing was done at all by header_checks..):

This is expected.  In an SMTP conversation, RCPT TO:  sets the
ENVELOPE recipient, and has absolutely no relation to the header.  If you
wish to specify headers, you must do so after DATA.

-- 
Sahil Tandon 
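
The envelope/header distinction from the reply above, as an added example that is not part of the thread: a simplified model of how the two header_checks rules are applied to what a client sends after DATA. The sessions and the mydomain.example addresses are constructed, and MIME handling is left out.

```python
import re

# The table from the question as (negated, pattern, action). Postfix regexp
# tables match case-insensitively by default; a leading "!" inverts the match.
RULES = [
    (False, re.compile(r"^Received:", re.I), "IGNORE"),
    (True, re.compile(r"^To: [0-9]+@", re.I), "WARN"),
]

# Constructed sessions: (envelope recipient given in RCPT TO, text sent after DATA).
SESSIONS = {
    "telnet test, body only": (
        "taphy@mydomain.example", "test\n"),
    "same test with a To: header": (
        "taphy@mydomain.example", "To: taphy@mydomain.example\n\ntest\n"),
    "numeric To: header, other envelope": (
        "taphy@mydomain.example", "To: 1234@mydomain.example\n\ntest\n"),
}


def split_headers(data):
    """Return the logical header lines at the start of a DATA payload."""
    headers = []
    for line in data.splitlines():
        if headers and line[:1] in (" ", "\t"):
            headers[-1] += "\n" + line      # folded continuation line
        elif re.match(r"[!-9;-~]+:", line):
            headers.append(line)            # "Name:" starts a new header
        else:
            break   # blank line or first non-header line: the body starts
    return headers


def header_checks(data):
    """Apply RULES to each header; the first matching rule wins."""
    hits = []
    for header in split_headers(data):
        for negated, pattern, action in RULES:
            if (pattern.search(header) is not None) != negated:
                hits.append((action, header))
                break
    return hits


def run(sessions=SESSIONS):
    # The envelope recipient is deliberately unused: header_checks never sees it.
    return {name: header_checks(data) for name, (_rcpt, data) in sessions.items()}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits or 'no header matched, nothing logged'}")
```

The third session shows why header_checks cannot enforce a recipient policy: the To: header passes the rule while the envelope recipient is a different, non-numeric address.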


Re: header_checks usage

2009-08-10 Thread taphy

Hi Sahil, thanks for your reply, it is very much appreciated  :) definitely
need read manuals more accurate..
(so it is working)
 
-- 
View this message in context: 
http://www.nabble.com/header_checks-usage-tp24910095p24911219.html
Sent from the Postfix mailing list archive at Nabble.com.