Re: Logging mystery

2009-09-07 Thread Jozsef Kadlecsik
On Fri, 4 Sep 2009, Jozsef Kadlecsik wrote:

> On Fri, 4 Sep 2009, Wietse Venema wrote:
> 
> > Postfix logs all deliveries - deliveries not made are not logged.
> 
> We cannot find the messages in the mail queue either.
> 
> The client machine is switched off for the weekend, but we enabled peer 
> debugging for it. So on Monday hopefully we'll have debug logs.

The debug log shows that it's a client issue. When the second soft error 
is returned to the client in a multi-recipient session, it simply quits:

Sep  7 08:40:46 smtp1 postfix/smtpd[4908]: < []: RCPT 
TO:

Sep  7 08:40:46 smtp1 postfix/smtpd[4908]: 110EB188080: reject: RCPT from 
[]: 450 4.1.2 : 
Recipient address rejected: Domain not found; from= 
to= proto=ESMTP helo=
Sep  7 08:40:46 smtp1 postfix/smtpd[4908]: generic_checks: 
name=reject_unknown_recipient_domain status=2
Sep  7 08:40:46 smtp1 postfix/smtpd[4908]: > []: 
450 4.1.2 : Recipient address rejected: 
Domain not found
Sep  7 08:40:46 smtp1 postfix/smtpd[4908]: watchdog_pat: 0x8ff68f8
Sep  7 08:40:50 smtp1 postfix/smtpd[4908]: < []: 
RSET
Sep  7 08:40:50 smtp1 postfix/smtpd[4908]: > []: 
250 2.0.0 Ok

Sep  7 08:40:51 smtp1 postfix/smtpd[4908]: < []: RCPT 
TO:

Sep  7 08:40:51 smtp1 postfix/smtpd[4908]: 1C223188080: reject: RCPT from 
[]: 450 4.1.2 : 
Recipient address rejected: Domain not found; from= 
to= proto=ESMTP helo=
Sep  7 08:40:51 smtp1 postfix/smtpd[4908]: generic_checks: 
name=reject_unknown_recipient_domain status=2
Sep  7 08:40:51 smtp1 postfix/smtpd[4908]: > []: 
450 4.1.2 : Recipient address rejected: 
Domain not found
Sep  7 08:40:51 smtp1 postfix/smtpd[4908]: watchdog_pat: 0x8ff68f8
Sep  7 08:40:51 smtp1 postfix/smtpd[4908]: < []: 
QUIT
Sep  7 08:40:51 smtp1 postfix/smtpd[4908]: > []: 
221 2.0.0 Bye

The policy daemon is naturally called for every envelope and it logs all 
of it. However, because the client leaves before sending DATA, Postfix 
does not log the sender/recipient addresses. That fully explains the 
difference between the two logs.

Such client behaviour simply did not occur to me.

Best regards,
Jozsef
-
E-mail  : kad...@blackhole.kfki.hu, kad...@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
  H-1525 Budapest 114, POB. 49, Hungary


piped transports error message

2009-09-07 Thread Marcel Montes
Hello,
I have a transport that pipes to a perl script. Everything is fine and
dandy, but whenever the script fails the whole perl error message
gets appended right after the failure_template message.

I've checked bounce(5), bounce(8), and pipe(8), and although I admit
that I haven't read thoroughly I haven't found anything in this regard.

Of course the proper thing is to prevent all errors at the script level,
but I'm in a sort of "live while developing" stage, so I would like to
conceal the error message since no matter how careful you are,
at times something does slip error catching efforts.

Is there a way to do it? Did I miss something from the man pages?

Thanks in advance,
Marcel


Re: relay_domains vs virtual_mailbox_domains

2009-09-07 Thread Steve Heaven
On Fri, 2009-09-04 at 12:32 -0400, Victor Duchovni wrote:

> List actual relay users in relay_recipient_maps, and the users aliased
> to virtual.invalid in virtual_alias_maps. This takes care of recipient
> validation.

We don't know the actual users on the relayed domains. One of the reasons
they are relayed is so that the client's sysadmins have control of the
user base via MS Exchange.


-- 
thorNET 
Internet Services, Consultancy & Training
www.thornet.co.uk



Re: latest postfix vs. postfix 2.3 package?

2009-09-07 Thread lst_hoe02

Quoting Seth Mattinen:


Dave wrote:

Hello,
I'm running postfix 2.3 via rpm package. This is on a centos box. I
know that there are later versions out, and am wondering if there's a
feature add-ons page, not just a changelog, something very detailed version
to version, that goes into detail? I'm trying to decide if I should do an
upgrade.
Thanks.



Read the release notes.


More detailed: Read the release notes for Postfix 2.4 and 2.5.
The most important changes and features are listed there.

Regards

Andreas




rule reject_unlisted_recipient

2009-09-07 Thread Pascal Maes

Hello


Sometimes, our users are sending messages to a lot of people (from our
domain) without using a mailing list.
As the SMTP server is the same to send and receive messages, if there
is an error in the list of addresses, the mail is rejected.


I hope that with the rules in the following order, the users who are
authenticated could send the mail even if one of the recipients is not
valid but it doesn't seem to work:



# Restrictions on the sender and the recipient
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_non_fqdn_sender
check_recipient_access hash:/etc/postfix/rules/ucllouvain
check_recipient_access hash:/etc/postfix/rules/invalid
check_recipient_access hash:/etc/postfix/rules/phishing_reply_adresses
permit_sasl_authenticated
reject_unlisted_recipient
permit_mynetworks
reject_unknown_recipient_domain
reject_unauth_destination
reject_multi_recipient_bounce
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-header
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-permit
check_sender_access hash:/etc/postfix/rules/sender_whitelist
check_client_access hash:/etc/postfix/rules/client_whitelist
check_sender_access pcre:/etc/postfix/rules/pcre_sender_whitelist
check_recipient_access hash:/etc/postfix/rules/recipient_whitelist
reject_rbl_client zen.dnsbl
reject_rbl_client sip.invaluement.dnsbl
reject_rbl_client bl.spamcop.net
reject_rbl_client safe.dnsbl.sorbs.net
permit_auth_destination
reject


The other rules are:

smtpd_helo_restrictions =
check_client_access hash:/etc/postfix/rules/access
check_recipient_access pcre:/etc/postfix/rules/listes_client_access
permit_mynetworks
permit_sasl_authenticated
reject_invalid_hostname
   check_client_access hash:/etc/postfix/rules/helo_whitelist
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
   reject_non_fqdn_hostname
check_client_access hash:/etc/postfix/files_access/spammers
check_helo_access pcre:/etc/postfix/rules/helo_checks
check_sender_mx_access cidr:/etc/postfix/rules/bogus_mx_checks
permit


smtpd_sender_restrictions =
check_recipient_access pcre:/etc/postfix/rules/listes_sender_access
check_client_access hash:/etc/postfix/rules/squirrel_ip
permit_sasl_authenticated
permit_mynetworks
reject_unknown_recipient_domain
check_sender_access hash:/etc/postfix/rules/stluc
check_sender_access hash:/etc/postfix/rules/access
check_client_access hash:/etc/postfix/rules/access
reject_unknown_sender_domain


In the logfile, I have :

Sep  7 11:38:13 smtp-3 postfix/smtpd[23156]: connect from  
Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep  7 11:38:13 smtp-3 postfix/smtpd[23156]: setting up TLS connection  
from Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep  7 11:38:13 smtp-3 postfix/smtpd[23156]: Anonymous TLS connection  
established from Ulysse.elec.ucl.ac.be[130.104.236.7]: TLSv1 with  
cipher AES128-SHA (128/128 bits)
Sep  7 11:38:13 smtp-3 postfix/smtpd[23156]: NOQUEUE: reject: RCPT  
from Ulysse.elec.ucl.ac.be[130.104.236.7]: 550 5.1.1 >: Recipient address rejected: User unknown, see http://www.uclouvain.be/repertoires.html 
; from= to=  
proto=ESMTP helo=



Is it possible to force postfix to accept the mail and then resend an  
error message ?




Thanks
--
Pascal






missing 'client=' in log file

2009-09-07 Thread Martina Tomisova
Hi,

I'm analyzing logs to find the spam source and I've understood that if
someone sends the message, one of the first lines written to the log
file is a line containing the queue id and 'client=IP_ADDRESS'. But
not every time. Actually this line is missing just in cases the spam
is sent. :) How's that possible? Any ideas how can I get the IP
address of the sender in such case?

Thank you,
Martina


Re: missing 'client=' in log file

2009-09-07 Thread Wietse Venema
Martina Tomisova:
> Hi,
> 
> I'm analyzing logs to find the spam source and I've understood that if
> someone sends the message, one of the first lines written to the log
> file is a line containing the queue id and 'client=IP_ADDRESS'. But

That is incorrect. 

The SMTP server logs the client= once per SESSION not once per MESSAGE.

> not every time. Actually this line is missing just in cases the spam
> is sent. :) How's that possible? Any ideas how can I get the IP
> address of the sender in such case?

From the SMTP server's PROCESS ID field in the logfile.

Wietse


Re: missing 'client=' in log file

2009-09-07 Thread /dev/rob0
On Monday 07 September 2009 07:25:52 Martina Tomisova wrote:
> I'm analyzing logs to find the spam source and I've understood
> that if someone sends the message, one of the first lines written
> to the log file is a line containing the queue id and
> 'client=IP_ADDRESS'.

This is only true if the mail came in through smtpd(8).

> But not every time. Actually this line is missing just in cases
> the spam is sent. :) How's that possible? Any ideas how can I get
> the IP address of the sender in such case?

It's possible, and common in the case of server compromises, for
malware running on your own machine to be spewing spam using
sendmail(1) submission. In that case, the first log you would see is
like this:
   Sep  6 11:17:42 chestnut postfix/pickup[10567]: 974581C02EF9:
   uid=1000 from=

In many of these that I have seen, the machine itself is not under
control of the attacker; it is merely an exploited PHP Web script
being used for spam. If you were rooted, your logs would typically
have no evidence of the abuse which is taking place.

Do note, all this is mere speculation in your case, since you
failed to follow the list guidelines (in the welcome message and
DEBUG_README) by not posting the logging in question.

If, however, my guess was right, I highly recommend that you stop
Postfix and your httpd+PHP immediately, before any more damage is
done. You might already be blacklisted.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: missing 'client=' in log file

2009-09-07 Thread Wietse Venema
Wietse Venema:
> Martina Tomisova:
> > Hi,
> > 
> > I'm analyzing logs to find the spam source and I've understood that if
> > someone sends the message, one of the first lines written to the log
> > file is a line containing the queue id and 'client=IP_ADDRESS'. But
> 
> That is incorrect. 
> 
> The SMTP server logs the client= once per SESSION not once per MESSAGE.

Oops, that is incorrect. It *is* a per-message record. If there is
no client= logging, then either your syslog server dropped the
logging, or the client gave up.

Wietse

> > not every time. Actually this line is missing just in cases the spam
> > is sent. :) How's that possible? Any ideas how can I get the IP
> > address of the sender in such case?
> 
> From the SMTP server's PROCESS ID field in the logfile.
> 
>   Wietse
> 
> 



Re: missing 'client=' in log file

2009-09-07 Thread Martina Tomisova
>> not every time. Actually this line is missing just in cases the spam
>> is sent. :) How's that possible? Any ideas how can I get the IP
>> address of the sender in such case?
>
> From the SMTP server's PROCESS ID field in the logfile.
I've investigated this and I haven't found any connection between smtp
process and smtpd process which usually logs the 'client=' line. I'm
pasting sample lines. See lines 197 and 199. That's all I have about
the C74FC6A60A0 queue id :/
The common format is pasted below for the non spam message - there is
everything I need.

...
195 Jul 23 07:00:32 server_name postfix/local[30842]: AFA756A60A3:
to=, relay=local, delay=0.24,
delays=0.22/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to command:
procmail -a "$EXTENSION")
196 Jul 23 07:00:32 server_name postfix/qmgr[2580]: AFA756A60A3: removed
197 Jul 23 07:01:23 server_name postfix/qmgr[2580]: C74FC6A60A0:
from=, size=3518,
nrcpt=1 (queue active)
198 Jul 23 07:01:23 server_name postfix/smtp[30845]: connect to
mycroft.junyks.cz[82.119.243.12]:25: Connection refused
199 Jul 23 07:01:23 server_name postfix/smtp[30845]: C74FC6A60A0:
to=, relay=none, delay=160062,
delays=160062/0.01/0.01/0, dsn=4.4.1, status=deferred (connect to
mycroft.junyks.cz[82.119.243.12]:25: Connection refused)
200 Jul 23 07:03:09 server_name postfix/smtpd[30847]: connect from
unknown[100.100.100.100]
201 Jul 23 07:03:09 server_name postfix/smtpd[30847]: NOQUEUE: reject:
RCPT from unknown[100.100.100.100]: 550 5.1.1
: Recipient address
rejected: User unknown in local recipient table;
from=
to= proto=ESMTP
helo=<[100.100.100.100]>
202 Jul 23 07:03:09 server_name postfix/smtpd[30847]: disconnect from
unknown[100.100.100.100]
203 Jul 23 07:03:19 server_name postfix/smtpd[30847]: connect from
ppp-58-9-96-3.revip2.asianet.co.th[58.9.96.3]
204 Jul 23 07:03:20 server_name postfix/smtpd[30847]: NOQUEUE: reject:
RCPT from ppp-58-9-96-3.revip2.asianet.co.th[58.9.96.3]: 550 5.1.1
: Recipient address rejected: User
unknown in local recipient table; from=
to= proto=SMTP
helo=
...

...
65827 Jul 28 09:48:27 server_name postfix/smtpd[20964]: disconnect
from unknown[100.100.100.100]^M
65828 Jul 28 09:48:42 server_name postfix/smtpd[20964]: connect from
unknown[111.111.111.111]^M
65829 Jul 28 09:48:44 server_name postfix/smtpd[20964]: 50F926A60A0:
client=unknown[111.111.111.111]^M
65830 Jul 28 09:48:45 server_name postfix/cleanup[20970]: 50F926A60A0:
message-id=<4054ysm.61391517d.172124876blsopfhpnnideop...@219.64.114.86.chn.bb-static.vsnl.net.in>^M
65831 Jul 28 09:48:47 server_name postfix/qmgr[2580]: 50F926A60A0:
from=, size=9986, nrcpt=1 (queue
active)^M
65832 Jul 28 09:48:47 server_name postfix/local[20972]: 50F926A60A0:
to=, relay=local, delay=3.7,
delays=3.7/0/0/0.01, dsn=2.0.0, status=sent (delivered to command:
procmail -a "$EXTENSION")^M
65833 Jul 28 09:48:47 server_name postfix/qmgr[2580]: 50F926A60A0: removed^M
65834 Jul 28 09:48:48 server_name postfix/smtpd[20964]: disconnect
from unknown[111.111.111.111]^M
...


Re: missing 'client=' in log file

2009-09-07 Thread Martina Tomisova
There is no pickup process so I believe that the server is OK. Thank
you for your warning and I'm sorry for not pasting logs.

2009/9/7 /dev/rob0 :
> On Monday 07 September 2009 07:25:52 Martina Tomisova wrote:
>> I'm analyzing logs to find the spam source and I've understood
>> that if someone sends the message, one of the first lines written
>> to the log file is a line containing the queue id and
>> 'client=IP_ADDRESS'.
>
> This is only true if the mail came in through smtpd(8).
>
>> But not every time. Actually this line is missing just in cases
>> the spam is sent. :) How's that possible? Any ideas how can I get
>> the IP address of the sender in such case?
>
> It's possible, and common in the case of server compromises, for
> malware running on your own machine to be spewing spam using
> sendmail(1) submission. In that case, the first log you would see is
> like this:
>   Sep  6 11:17:42 chestnut postfix/pickup[10567]: 974581C02EF9:
>   uid=1000 from=
>
> In many of these that I have seen, the machine itself is not under
> control of the attacker; it is merely an exploited PHP Web script
> being used for spam. If you were rooted, your logs would typically
> have no evidence of the abuse which is taking place.
>
> Do note, all this is mere speculation in your case, since you
> failed to follow the list guidelines (in the welcome message and
> DEBUG_README) by not posting the logging in question.
>
> If, however, my guess was right, I highly recommend that you stop
> Postfix and your httpd+PHP immediately, before any more damage is
> done. You might already be blacklisted.
> --
>    Offlist mail to this address is discarded unless
>    "/dev/rob0" or "not-spam" is in Subject: header
>


Re: missing 'client=' in log file

2009-09-07 Thread Wietse Venema
Martina Tomisova:
> >> not every time. Actually this line is missing just in cases the spam
> >> is sent. :) How's that possible? Any ideas how can I get the IP
> >> address of the sender in such case?
> >
> > From the SMTP server's PROCESS ID field in the logfile.
> I've investigated this and I haven't found any connection between smtp
> process and smtpd process which usually logs the 'client=' line. I'm
> pasting sample lines. See lines 197 and 199. That's all I have about
> the C74FC6A60A0 queue id :/

You need to find the FIRST logfile record with C74FC6A60A0.
That record was logged 160062 seconds ago (almost 2 days).

Wietse

Jul 23 07:01:23 server_name postfix/smtp[30845]: C74FC6A60A0:
==
to=, relay=none, delay=160062
==
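
The tracing steps described in this thread, as an added example that is not part of any poster's message: group records by queue ID, classify the entry point from the first record (smtpd `client=` versus pickup `uid=`), and when that record is outside the log window, estimate the arrival time from `delay=` as Wietse does above. The function names, the caller-supplied year and the sample addresses are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, one record per line (the lines quoted in the thread were
# wrapped by mail clients). The C74FC6A60A0 records reuse the timestamp, size
# and delay= values quoted in the thread; every address and the other two
# queue IDs are made up for illustration.
SAMPLE_LOG = """\
Jul 23 07:00:01 server_name postfix/smtpd[30840]: connect from unknown[192.0.2.10]
Jul 23 07:00:01 server_name postfix/smtpd[30840]: 1A2B3C4D5E6: client=unknown[192.0.2.10]
Jul 23 07:00:02 server_name postfix/qmgr[2580]: 1A2B3C4D5E6: from=<a@example.com>, size=900, nrcpt=1 (queue active)
Jul 23 07:00:05 server_name postfix/pickup[10567]: 6F7A8B9C0D1: uid=1000 from=<www@example.com>
Jul 23 07:00:05 server_name postfix/qmgr[2580]: 6F7A8B9C0D1: from=<www@example.com>, size=1200, nrcpt=1 (queue active)
Jul 23 07:01:23 server_name postfix/qmgr[2580]: C74FC6A60A0: from=<b@example.com>, size=3518, nrcpt=1 (queue active)
Jul 23 07:01:23 server_name postfix/smtp[30845]: C74FC6A60A0: to=<c@example.net>, relay=none, delay=160062, delays=160062/0.01/0.01/0, dsn=4.4.1, status=deferred (Connection refused)
"""

# "Mon DD HH:MM:SS host postfix/daemon[pid]: QUEUEID: text"
RECORD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<text>.*)$"
)
CLIENT = re.compile(r"client=([^,\s]+)")
UID = re.compile(r"uid=(\d+)")
DELAY = re.compile(r"\bdelay=([\d.]+)")  # \b keeps "delays=" from matching

NOT_SEEN = "not in this log"


def trace_origins(log_text, year):
    """Map each queue ID to the place where the message entered Postfix.

    source is "smtpd" (network client), "pickup" (local sendmail submission)
    or NOT_SEEN when the arrival record predates this log window. In the last
    case arrival_estimate (delivery timestamp minus delay=) says which older
    log file holds the first record for that queue ID.
    """
    origins = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # connect/disconnect, NOQUEUE rejects, non-Postfix lines
        # Syslog timestamps carry no year, so the caller supplies it.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = origins.setdefault(m["qid"], {
            "first_seen": when,
            "source": NOT_SEEN,
            "detail": None,
            "arrival_estimate": None,
        })
        text = m["text"]
        client = CLIENT.match(text) if m["daemon"] == "smtpd" else None
        uid = UID.match(text) if m["daemon"] == "pickup" else None
        delay = DELAY.search(text)
        if client:
            entry["source"], entry["detail"] = "smtpd", client.group(1)
        elif uid:
            entry["source"], entry["detail"] = "pickup", "uid=" + uid.group(1)
        elif entry["source"] == NOT_SEEN and delay:
            age = timedelta(seconds=float(delay.group(1)))
            entry["arrival_estimate"] = when - age
    return origins


if __name__ == "__main__":
    for qid, info in trace_origins(SAMPLE_LOG, 2009).items():
        print(qid, info["source"], info["detail"], info["arrival_estimate"])
```
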


--- Delivery report unavailable ---

2009-09-07 Thread Stefan Bunse
Hi list,

I recently sent a new issue of a newsletter via postfix 2.5.5 (Debian Lenny). 
When sending loads of newsletters it's not unusual to get a bunch of bounces, 
but this time I got a lot of bounces without a bounce reason from my own 
(sending) postfix.

The delivery status notifications look like this:

---snip---

Received: from newsbox.webmatch.de (newsbox.webmatch.de [188.40.88.122])
by wbm2.webbeatz.de (Postfix) with ESMTP id 75BC0EB41A7
for ; Sun, 6 Sep 2009 04:18:08 +0200 (CEST)
Received: by newsbox.webmatch.de (Postfix)
id 0B9566790753; Sun, 6 Sep 2009 04:18:08 +0200 (CEST)
Date: Sun, 6 Sep 2009 04:18:08 +0200 (CEST)
From: mailer-dae...@webmatch.de (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: news...@webmatch.de
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="4D1DB6737244.1252203488/newsbox.webmatch.de"
Content-Transfer-Encoding: 8bit
Message-Id: <20090906021808.0b9566790...@newsbox.webmatch.de>

This is a MIME-encapsulated message.

--4D1DB6737244.1252203488/newsbox.webmatch.de
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host newsbox.webmatch.de.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

--- Delivery report unavailable ---

--4D1DB6737244.1252203488/newsbox.webmatch.de
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; newsbox.webmatch.de
X-Postfix-Queue-ID: 4D1DB6737244
X-Postfix-Sender: rfc822; news...@webmatch.de
Arrival-Date: Tue, 1 Sep 2009 04:17:07 +0200 (CEST)

--4D1DB6737244.1252203488/newsbox.webmatch.de
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from newsbox.webmatch.de (newsbox.webmatch.de [188.40.88.122])
by newsbox.webmatch.de (Postfix) with ESMTP id 4D1DB6737244
for ; Tue, 1 Sep 2009 04:17:07 
+0200 (CEST)
Recieved:
Date: Tue, 1 Sep 2009 04:17:07 +0200
To: annamarisa-k05470021...@mail-vertragscenter.de
From: =?UTF-8?Q?=C3=BCltje?= 
Subject: =?UTF-8?Q?=C3=BCltje_-_Gebrannte_Mandeln?=
Message-ID: <0483d9668031329bac1be42fda623...@localhost.localdomain>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]
X-Mailer: phplist v2.10.8
X-MessageID: 11
X-ListMember: annamarisa-k05470021...@mail-vertragscenter.de
Precedence: bulk
Errors-To: news...@webmatch.de
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_0483d9668031329bac1be42fda62382a"



---snap---


Normally the first mimepart contains a failure reason like unknown user, 
mailbox over quota or the like, but now I got lots of DSNs containing just "--- 
Delivery report unavailable ---".

Does anybody have an idea what causes this and how I can prevent it?

Thanx in advance
Stefan



--

Webmatch GmbH || internet solutions
Tel.:  (+49) 0221 - 99 80 88 - 11
Fax.:  (+49) 0221 - 99 80 88 - 10

Email: sbu...@webmatch.de
Web: www.webmatch.de

Managing Director: Daniel Doege

Registered office: Köln
Amtsgericht Köln, HRB 60717
VAT ID: DE255045185

Postal address:

Webmatch GmbH
Hohenzollernring 39-41
50672 Köln
Germany





Re: --- Delivery report unavailable ---

2009-09-07 Thread Wietse Venema
Stefan Bunse:
> --4D1DB6737244.1252203488/newsbox.webmatch.de
> Content-Description: Notification
> Content-Type: text/plain; charset=us-ascii
> 
> This is the mail system at host newsbox.webmatch.de.
> 
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
> 
> For further assistance, please send mail to postmaster.
> 
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
> 
> The mail system
> 
> --- Delivery report unavailable ---
>
> --4D1DB6737244.1252203488/newsbox.webmatch.de
> Content-Description: Delivery report
> Content-Type: message/delivery-status
> 
> Reporting-MTA: dns; newsbox.webmatch.de
> X-Postfix-Queue-ID: 4D1DB6737244
[snip]

The file /var/spool/postfix/bounce/4D1DB6737244 did not exist.
Postfix does not log this, as mail may be deleted with "postsuper
-d".

Postfix does not give details of queue file errors in its bounce
messages.

Wietse


Re: piped transports error message

2009-09-07 Thread Sahil Tandon
On Mon, 07 Sep 2009, Marcel Montes wrote:

> I have a transport that pipes to a perl script. Everything is fine and
> dandy, but whenever the script fails the whole perl error message
> gets appended right after the failure_template message.
> 
> I've checked bounce(5), bounce(8), and pipe(8), and although I admit
> that I haven't read thoroughly I haven't found anything in this regard.
> 
> Of course the proper thing is to prevent all errors at the script level,
> but I'm in a sort of "live while developing" stage, so I would like to
> conceal the error message since no matter how careful you are,
> at times something does slip error catching efforts.
> 
> Is there a way to do it? Did I miss something from the man pages?

AFAIK, hiding the error output is not configurable.  Concealing important
portions of the DSN seems silly and might even be a violation of RFC 3464
(something you might or might not care about).  But if you really wanted to
go this route, you could hack the way Postfix constructs a bounce message
and/or modify pipe(8) to not report back the nature of a script failure.  I
know this is probably not the answer for which you had hoped, so good luck!

Perhaps Wietse will have a more favorable reply. :-)

-- 
Sahil Tandon 


Re: relay_domains vs virtual_mailbox_domains

2009-09-07 Thread Sahil Tandon
On Mon, 07 Sep 2009, Steve Heaven wrote:

> On Fri, 2009-09-04 at 12:32 -0400, Victor Duchovni wrote:
> 
> > List actual relay users in relay_recipient_maps, and the users aliased
> > to virtual.invalid in virtual_alias_maps. This takes care of recipient
> > validation.
> 
> We don't know the actual users on the relayed domains. One of the reasons
> they are relayed is so that the client's sysadmins have control of the
> user base via MS Exchange.

You should not accept mail for invalid recipients.  Use existing
functionality to build a cache/database of valid recipients "on the fly".
See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

-- 
Sahil Tandon 


Redirect by subject

2009-09-07 Thread Octavio
Hi 
I have a mail gateway where I need to separate the destination of the emails by 
the subject.
Could anyone help me?

for example:

1) someone sends an email from the internet to my domain:
to: us...@domain.com

2) the gateway marks it as spam with [spam]
Subject: [spam] Enlarge your

3) the postfix (as gateway) checks the subject and delivers it locally instead of 
forwarding it to the original receiver (but keeps the user)
to: us...@gateway.domain.com


Thanks

Octavio







  


Re: piped transports error message

2009-09-07 Thread Wietse Venema
Sahil Tandon:
> On Mon, 07 Sep 2009, Marcel Montes wrote:
> 
> > I have a transport that pipes to a perl script. Everything is fine and
> > dandy, but whenever the script fails the whole perl error message
> > gets appended right after the failure_template message.
> > 
> > I've checked bounce(5), bounce(8), and pipe(8), and although I admit
> > that I haven't read thoroughly I haven't found anything in this regard.
> > 
> > Of course the proper thing is to prevent all errors at the script level,
> > but I'm in a sort of "live while developing" stage, so I would like to
> > conceal the error message since no matter how careful you are,
> > at times something does slip error catching efforts.
> > 
> > Is there a way to do it? Did I miss something from the man pages?
> 
> AFAIK, hiding the error output is not configurable.  Concealing important
> portions of the DSN seems silly and might even be a violation of RFC 3464
> (something you might or might not care about).  But if you really wanted to
> go this route, you could hack the way Postfix constructs a bounce message
> and/or modify pipe(8) to not report back the nature of a script failure.  I
> know this is probably not the answer for which you had hoped, so good luck!
> 
> Perhaps Wietse will have a more favorable reply. :-)

I have a suggestion. When the script fails, don't lose control and
spill the guts all over the place.

Instead, catch the error and report an appropriate response. If
you don't know how to use Perl's built-in error catching facilities,
wrap the Perl script in a shell script and use that as a diaper to
absorb the mess.

Wietse


Re: rule reject_unlisted_recipient

2009-09-07 Thread Noel Jones

On 9/7/2009 7:07 AM, Pascal Maes wrote:

Hello


Sometimes, our users are sending messages to a lot of people (from our
domain) without using a mailing list.
As the SMTP server is the same to send and receive messages, if there is
an error in the list of addresses, the mail is rejected.

I hope that with the rules in the following order, the users who are
authenticated could send the mail even if one of the recipients is not
valid but it doesn't seem to work:


# Restrictions on the sender and the recipient
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_non_fqdn_sender
check_recipient_access hash:/etc/postfix/rules/ucllouvain
check_recipient_access hash:/etc/postfix/rules/invalid
check_recipient_access hash:/etc/postfix/rules/phishing_reply_adresses
permit_sasl_authenticated
reject_unlisted_recipient
permit_mynetworks
reject_unknown_recipient_domain
reject_unauth_destination
reject_multi_recipient_bounce
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-header
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-permit
check_sender_access hash:/etc/postfix/rules/sender_whitelist
check_client_access hash:/etc/postfix/rules/client_whitelist
check_sender_access pcre:/etc/postfix/rules/pcre_sender_whitelist
check_recipient_access hash:/etc/postfix/rules/recipient_whitelist
reject_rbl_client zen.dnsbl
reject_rbl_client sip.invaluement.dnsbl
reject_rbl_client bl.spamcop.net
reject_rbl_client safe.dnsbl.sorbs.net
permit_auth_destination
reject


The other rules are:

smtpd_helo_restrictions =
check_client_access hash:/etc/postfix/rules/access
check_recipient_access pcre:/etc/postfix/rules/listes_client_access
permit_mynetworks
permit_sasl_authenticated
reject_invalid_hostname
check_client_access hash:/etc/postfix/rules/helo_whitelist
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
reject_non_fqdn_hostname
check_client_access hash:/etc/postfix/files_access/spammers
check_helo_access pcre:/etc/postfix/rules/helo_checks
check_sender_mx_access cidr:/etc/postfix/rules/bogus_mx_checks
permit


smtpd_sender_restrictions =
check_recipient_access pcre:/etc/postfix/rules/listes_sender_access
check_client_access hash:/etc/postfix/rules/squirrel_ip
permit_sasl_authenticated
permit_mynetworks
reject_unknown_recipient_domain
check_sender_access hash:/etc/postfix/rules/stluc
check_sender_access hash:/etc/postfix/rules/access
check_client_access hash:/etc/postfix/rules/access
reject_unknown_sender_domain


In the logfile, I have :

Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: connect from
Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: setting up TLS connection
from Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: Anonymous TLS connection
established from Ulysse.elec.ucl.ac.be[130.104.236.7]: TLSv1 with cipher
AES128-SHA (128/128 bits)
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: NOQUEUE: reject: RCPT from
Ulysse.elec.ucl.ac.be[130.104.236.7]: 550 5.1.1
: Recipient address rejected: User unknown,
see http://www.uclouvain.be/repertoires.html;
from= to=
proto=ESMTP helo=


Is it possible to force postfix to accept the mail and then resend an
error message ?



Thanks


This user did not authenticate.  Maybe you also need to move 
permit_mynetworks above reject_unlisted_recipient.


  -- Noel Jones


issue with a single dot and sendmail

2009-09-07 Thread Alessandro

Hi all,
I'm using getmail to fetch mails from our provider.
I use the "MDA_external" option in order to use /usr/sbin/sendmail as 
delivery agent, but I have problem with email with a single "." (dot) in 
a line.


For example sendmail doesn't transfer this text (it truncates the mail at 
the ".")

"""
test
.
"""


An email has the following line:
"""
delle oscillazioni sulla superhat è perché c’era poco gas.
"""

Getmail fetches two lines from the provider (it splits a single long line 
into two):

"""
delle oscillazioni sulla superhat =C3=A8 perch=C3=A9 c=E2=80=99era poco gas=
.
"""

and so, passing this text to sendmail, all the other part of the mail 
(with attachments!) is deleted..



As far as I know the single dot is used by smtp/pop protocol to 
terminate the message, so It should -I think- transparently replace a 
single dot with a double dot during the



Another example: the file mail.txt contains the following test:
"""
From: "myaddress" 
To: myem...@atwork.com
Subject:

first row.
.
second rows
.
"""

If I use "cat mail.txt |sendmail -t " I get only the first row.

How can I send a single dot line with sendmail?

Thanks
Alessandro

PS: I'm using sendmail of postfix 2.5.5 package


Re: issue with a single dot and sendmail

2009-09-07 Thread Sahil Tandon
On Mon, 07 Sep 2009, Alessandro wrote:

> As far as I know the single dot is used by smtp/pop protocol to  
> terminate the message, so It should -I think- transparently replace a  
> single dot with a double dot during the
>
>
> Another example: the file mail.txt contains the following test:
> """
> From: "myaddress" 
> To: myem...@atwork.com
> Subject:
>
> first row.
> .
> second rows
> .
> """
>
> If I use "cat mail.txt |sendmail -t " I get only the first row.
>
> How can I send a single dot line with sendmail?

RTFM.  From sendmail(1):

-i When reading a message from standard input, don't treat a line with
only a . character as the end of input.

-- 
Sahil Tandon 


Re: issue with a single dot and sendmail

2009-09-07 Thread Noel Jones

On 9/7/2009 11:58 AM, Alessandro wrote:


How can I send a single dot line with sendmail?



man sendmail, look for the -i option.
http://www.postfix.org/sendmail.1.html

  -- Noel Jones
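
The truncation discussed in this thread, as an added example that is not part of any poster's message: the trailing "=" in the fetched text is a quoted-printable soft line break, which is how the sentence's final "." ended up alone on a line. `read_stdin_message` is a simplified model of the rule quoted from sendmail(1), not Postfix code, and the third body line is constructed.

```python
import quopri

# The first two lines are the ones quoted in the thread; the third is a
# constructed stand-in for "the rest of the mail (with attachments)".
QP_BODY = [
    "delle oscillazioni sulla superhat =C3=A8 perch=C3=A9 c=E2=80=99era poco gas=",
    ".",
    "rest of the message (constructed)",
]


def read_stdin_message(lines, ignore_dots):
    """Model of the sendmail(1) stdin rule (an assumption-level sketch).

    Without -i (ignore_dots=False) a line holding only "." ends the input,
    so everything after it is silently lost. With -i the line is ordinary
    message content.
    """
    kept = []
    for line in lines:
        if line == "." and not ignore_dots:
            break
        kept.append(line)
    return kept


def smtp_dot_stuff(lines):
    """SMTP transparency on the wire: lines that start with "." get an extra
    leading ".", then a lone "." marks the end of DATA."""
    return [("." + l) if l.startswith(".") else l for l in lines] + ["."]


def smtp_dot_unstuff(wire_lines):
    """Receiver side: stop at the lone ".", strip one leading "." elsewhere."""
    out = []
    for l in wire_lines:
        if l == ".":
            break
        out.append(l[1:] if l.startswith(".") else l)
    return out


def decode_qp(lines):
    """Quoted-printable decode; "=" at end of line joins it to the next one."""
    raw = "\n".join(lines).encode("ascii")
    return quopri.decodestring(raw).decode("utf-8")


if __name__ == "__main__":
    print("without -i:", len(read_stdin_message(QP_BODY, False)), "line(s) kept")
    print("with -i   :", len(read_stdin_message(QP_BODY, True)), "line(s) kept")
    print("on the wire:", smtp_dot_stuff(QP_BODY))
    print("decoded   :", decode_qp(QP_BODY[:2]))
```

The SMTP layer never had a problem with this message: dot-stuffing round-trips the lone "." intact. The loss happens only at the stdin hand-off when `-i` is absent.
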


Re: rule reject_unlisted_recipient

2009-09-07 Thread Pascal Maes


On 7 Sept. 2009 at 18:10, Noel Jones wrote:


On 9/7/2009 7:07 AM, Pascal Maes wrote:

Hello


Sometimes, our users are sending messages to a lot of people (from our
domain) without using a mailing list.
As the SMTP server is the same to send and receive messages, if there is
an error in the list of addresses, the mail is rejected.

I hope that with the rules in the following order, the users who are
authenticated could send the mail even if one of the recipients is not
valid but it doesn't seem to work:


# Restrictions on the sender and the recipient
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_non_fqdn_sender
check_recipient_access hash:/etc/postfix/rules/ucllouvain
check_recipient_access hash:/etc/postfix/rules/invalid
check_recipient_access hash:/etc/postfix/rules/phishing_reply_adresses
permit_sasl_authenticated
reject_unlisted_recipient
permit_mynetworks
reject_unknown_recipient_domain
reject_unauth_destination
reject_multi_recipient_bounce
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-header
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-permit
check_sender_access hash:/etc/postfix/rules/sender_whitelist
check_client_access hash:/etc/postfix/rules/client_whitelist
check_sender_access pcre:/etc/postfix/rules/pcre_sender_whitelist
check_recipient_access hash:/etc/postfix/rules/recipient_whitelist
reject_rbl_client zen.dnsbl
reject_rbl_client sip.invaluement.dnsbl
reject_rbl_client bl.spamcop.net
reject_rbl_client safe.dnsbl.sorbs.net
permit_auth_destination
reject


The order rules are :

smtpd_helo_restrictions =
check_client_access hash:/etc/postfix/rules/access
check_recipient_access pcre:/etc/postfix/rules/listes_client_access
permit_mynetworks
permit_sasl_authenticated
reject_invalid_hostname
check_client_access hash:/etc/postfix/rules/helo_whitelist
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
reject_non_fqdn_hostname
check_client_access hash:/etc/postfix/files_access/spammers
check_helo_access pcre:/etc/postfix/rules/helo_checks
check_sender_mx_access cidr:/etc/postfix/rules/bogus_mx_checks
permit


smtpd_sender_restrictions =
check_recipient_access pcre:/etc/postfix/rules/listes_sender_access
check_client_access hash:/etc/postfix/rules/squirrel_ip
permit_sasl_authenticated
permit_mynetworks
reject_unknown_recipient_domain
check_sender_access hash:/etc/postfix/rules/stluc
check_sender_access hash:/etc/postfix/rules/access
check_client_access hash:/etc/postfix/rules/access
reject_unknown_sender_domain


In the logfile, I have :

Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: connect from
Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: setting up TLS connection
from Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: Anonymous TLS connection
established from Ulysse.elec.ucl.ac.be[130.104.236.7]: TLSv1 with cipher
AES128-SHA (128/128 bits)
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: NOQUEUE: reject: RCPT from
Ulysse.elec.ucl.ac.be[130.104.236.7]: 550 5.1.1
: Recipient address rejected: User unknown,
see http://www.uclouvain.be/repertoires.html;
from= to=
proto=ESMTP helo=


Is it possible to force postfix to accept the mail and then resend an
error message ?



Thanks


This user did not authenticate.  Maybe you also need to move  
permit_mynetworks above reject_unlisted_recipient.


-- Noel Jones



Well, I made a new test from home this evening.
I'm using port 587 and I need to be authenticated.
A mail with a valid address gives :

Received: from [192.168.1.12]
(76.123-241-81.adsl-dyn.isp.belgacom.be [81.241.123.76])
(using TLSv1 with cipher AES128-SHA (128/128 bits))
(No client certificate requested)
(Authenticated sender: pm...@smtp2.sgsi.ucl.ac.be)
by smtp2.sgsi.ucl.ac.be (Postfix) with ESMTPSA id C8613EBF7E

So I think that I'm properly authenticated.


In master.cf, we have

submission inet n   -   n   -   100   smtpd
 -o smtpd_etrn_restrictions=reject
 -o smtpd_use_tls=yes
 -o smtpd_tls_auth_only=yes
 -o smtpd_starttls_timeout=300s
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_security_options=noanonymous
 -o smtpd_helo_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_milters=unix:/var/run/clamav/milter-clamav.socket,unix:/var/run/dkim/dkim-milter.socket



Now I send an email to an incorrect address.
Here is the debug listing from the session (long, sorry)


Sep  7 20:14:51 smtp-2 postfix/smtpd[27734]: vstream_buf_get_ready: fd 9 got 38
Sep  7 20:14:51 smtp-2 postfix/smtpd[27734]: < 76.123-241-81.adsl-dyn.isp.belgacom.be[81.241.123.76]: MAIL FROM:
Sep  7 20:14:51 smtp-2 postfix/smtpd[27734]: extract_addr: input: >

Sep  7 20:14:51 smtp-2 postfix/smtpd[27734

Re: rule reject_unlisted_recipient

2009-09-07 Thread Noel Jones

On 9/7/2009 2:17 PM, Pascal Maes wrote:


On 7 Sept. 2009 at 18:10, Noel Jones wrote:


On 9/7/2009 7:07 AM, Pascal Maes wrote:

Hello


Sometimes, our users are sending messages to a lot of people (from our
domain) without using a mailing list.
As the SMTP server is the same to send and receive messages, if there is
an error in the list of addresses, the mail is rejected.

I hope that with the rules in the following order, the users who are
authenticated could send the mail even if one of the recipients is not
valid but it doesn't seem to work:


# Restrictions on the sender and the recipient
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_non_fqdn_sender
check_recipient_access hash:/etc/postfix/rules/ucllouvain
check_recipient_access hash:/etc/postfix/rules/invalid
check_recipient_access hash:/etc/postfix/rules/phishing_reply_adresses
permit_sasl_authenticated
reject_unlisted_recipient
permit_mynetworks
reject_unknown_recipient_domain
reject_unauth_destination
reject_multi_recipient_bounce
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-header
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-permit
check_sender_access hash:/etc/postfix/rules/sender_whitelist
check_client_access hash:/etc/postfix/rules/client_whitelist
check_sender_access pcre:/etc/postfix/rules/pcre_sender_whitelist
check_recipient_access hash:/etc/postfix/rules/recipient_whitelist
reject_rbl_client zen.dnsbl
reject_rbl_client sip.invaluement.dnsbl
reject_rbl_client bl.spamcop.net
reject_rbl_client safe.dnsbl.sorbs.net
permit_auth_destination
reject


The order rules are :

smtpd_helo_restrictions =
check_client_access hash:/etc/postfix/rules/access
check_recipient_access pcre:/etc/postfix/rules/listes_client_access
permit_mynetworks
permit_sasl_authenticated
reject_invalid_hostname
check_client_access hash:/etc/postfix/rules/helo_whitelist
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
reject_non_fqdn_hostname
check_client_access hash:/etc/postfix/files_access/spammers
check_helo_access pcre:/etc/postfix/rules/helo_checks
check_sender_mx_access cidr:/etc/postfix/rules/bogus_mx_checks
permit


smtpd_sender_restrictions =
check_recipient_access pcre:/etc/postfix/rules/listes_sender_access
check_client_access hash:/etc/postfix/rules/squirrel_ip
permit_sasl_authenticated
permit_mynetworks
reject_unknown_recipient_domain
check_sender_access hash:/etc/postfix/rules/stluc
check_sender_access hash:/etc/postfix/rules/access
check_client_access hash:/etc/postfix/rules/access
reject_unknown_sender_domain


In the logfile, I have :

Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: connect from
Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: setting up TLS connection
from Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: Anonymous TLS connection
established from Ulysse.elec.ucl.ac.be[130.104.236.7]: TLSv1 with cipher
AES128-SHA (128/128 bits)
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: NOQUEUE: reject: RCPT from
Ulysse.elec.ucl.ac.be[130.104.236.7]: 550 5.1.1
: Recipient address rejected: User unknown,
see http://www.uclouvain.be/repertoires.html;
from= to=
proto=ESMTP helo=


Is it possible to force postfix to accept the mail and then resend an
error message ?



Thanks


This user did not authenticate. Maybe you also need to move
permit_mynetworks above reject_unlisted_recipient.

-- Noel Jones



Well, I made a new test from home this evening.
I'm using port 587 and I need to be authenticated.
A mail with a valid address gives :

Received: from [192.168.1.12]
(76.123-241-81.adsl-dyn.isp.belgacom.be [81.241.123.76])
(using TLSv1 with cipher AES128-SHA (128/128 bits))
(No client certificate requested)
(Authenticated sender: pm...@smtp2.sgsi.ucl.ac.be)
by smtp2.sgsi.ucl.ac.be (Postfix) with ESMTPSA id C8613EBF7E

So I think that I'm properly authenticated.


In master.cf, we have

submission inet n - n - 100 smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_use_tls=yes
-o smtpd_tls_auth_only=yes
-o smtpd_starttls_timeout=300s
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o smtpd_helo_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_milters=unix:/var/run/clamav/milter-clamav.socket,unix:/var/run/dkim/dkim-milter.socket



Now I send an email to an incorrect address.
Here is the debug listing from the session (long, sorry)

...
Any idea ?


Looks as if the user didn't authenticate.  Everything you need 
is in the regular logs.  Don't post debug output unless requested.


  -- Noel Jones



R: Re: issue with a single dot and sendmail

2009-09-07 Thread aleu...@inwind.it


>From: sa...@tandon.net

>-i When reading a message from standard input, don't treat a line with
>only a . character as the end of input.

Oops.. so simple! Sorry, I didn't see this option

Thanks!
Alessandro



Re: rule reject_unlisted_recipient

2009-09-07 Thread Pascal Maes


On 7 Sept. 2009 at 21:50, Noel Jones wrote:


On 9/7/2009 2:17 PM, Pascal Maes wrote:


On 7 Sept. 2009 at 18:10, Noel Jones wrote:


On 9/7/2009 7:07 AM, Pascal Maes wrote:

Hello


Sometimes, our users are sending messages to a lot of people (from our
domain) without using a mailing list.
As the SMTP server is the same to send and receive messages, if there is
an error in the list of addresses, the mail is rejected.

I hope that with the rules in the following order, the users who are
authenticated could send the mail even if one of the recipients is not
valid but it doesn't seem to work:


# Restrictions on the sender and the recipient
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_non_fqdn_sender
check_recipient_access hash:/etc/postfix/rules/ucllouvain
check_recipient_access hash:/etc/postfix/rules/invalid
check_recipient_access hash:/etc/postfix/rules/phishing_reply_adresses
permit_sasl_authenticated
reject_unlisted_recipient
permit_mynetworks
reject_unknown_recipient_domain
reject_unauth_destination
reject_multi_recipient_bounce
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-header
check_client_access cidr:/etc/postfix/rules/hi-med-dnswl-permit
check_sender_access hash:/etc/postfix/rules/sender_whitelist
check_client_access hash:/etc/postfix/rules/client_whitelist
check_sender_access pcre:/etc/postfix/rules/pcre_sender_whitelist
check_recipient_access hash:/etc/postfix/rules/recipient_whitelist
reject_rbl_client zen.dnsbl
reject_rbl_client sip.invaluement.dnsbl
reject_rbl_client bl.spamcop.net
reject_rbl_client safe.dnsbl.sorbs.net
permit_auth_destination
reject


The order rules are :

smtpd_helo_restrictions =
check_client_access hash:/etc/postfix/rules/access
check_recipient_access pcre:/etc/postfix/rules/listes_client_access
permit_mynetworks
permit_sasl_authenticated
reject_invalid_hostname
check_client_access hash:/etc/postfix/rules/helo_whitelist
check_recipient_access hash:/etc/postfix/rules/roleaccount_exceptions
reject_non_fqdn_hostname
check_client_access hash:/etc/postfix/files_access/spammers
check_helo_access pcre:/etc/postfix/rules/helo_checks
check_sender_mx_access cidr:/etc/postfix/rules/bogus_mx_checks
permit


smtpd_sender_restrictions =
check_recipient_access pcre:/etc/postfix/rules/listes_sender_access
check_client_access hash:/etc/postfix/rules/squirrel_ip
permit_sasl_authenticated
permit_mynetworks
reject_unknown_recipient_domain
check_sender_access hash:/etc/postfix/rules/stluc
check_sender_access hash:/etc/postfix/rules/access
check_client_access hash:/etc/postfix/rules/access
reject_unknown_sender_domain


In the logfile, I have :

Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: connect from
Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: setting up TLS connection
from Ulysse.elec.ucl.ac.be[130.104.236.7]
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: Anonymous TLS connection
established from Ulysse.elec.ucl.ac.be[130.104.236.7]: TLSv1 with cipher
AES128-SHA (128/128 bits)
Sep 7 11:38:13 smtp-3 postfix/smtpd[23156]: NOQUEUE: reject: RCPT from
Ulysse.elec.ucl.ac.be[130.104.236.7]: 550 5.1.1
: Recipient address rejected: User unknown,
see http://www.uclouvain.be/repertoires.html;
from= to=
proto=ESMTP helo=


Is it possible to force postfix to accept the mail and then resend an
error message ?



Thanks


This user did not authenticate. Maybe you also need to move
permit_mynetworks above reject_unlisted_recipient.

-- Noel Jones



Well, I made a new test from home this evening.
I'm using port 587 and I need to be authenticated.
A mail with a valid address gives :

Received: from [192.168.1.12]
(76.123-241-81.adsl-dyn.isp.belgacom.be [81.241.123.76])
(using TLSv1 with cipher AES128-SHA (128/128 bits))
(No client certificate requested)
(Authenticated sender: pm...@smtp2.sgsi.ucl.ac.be)
by smtp2.sgsi.ucl.ac.be (Postfix) with ESMTPSA id C8613EBF7E

So I think that I'm properly authenticated.


In master.cf, we have

submission inet n - n - 100 smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_use_tls=yes
-o smtpd_tls_auth_only=yes
-o smtpd_starttls_timeout=300s
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o smtpd_helo_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_milters=unix:/var/run/clamav/milter-clamav.socket,unix:/var/run/dkim/dkim-milter.socket




Now I send an email to an incorrect address.
Here is the debug listing from the session (long, sorry)

...
Any idea ?


Looks as if the user didn't authenticate.  Everything you need is in  
the regular logs.  Don't post debug output unless requested.


-- Noel Jones



It looks like but if I use Thunderbird to send the mail, it asks me  
for

Re: rule reject_unlisted_recipient

2009-09-07 Thread Noel Jones

On 9/7/2009 3:42 PM, Pascal Maes wrote:


I don't understand why it seems that I'm not doing authentication.


When you authenticate, postfix will log "client name[IP], 
sasl_method=..., sasl_username=..."


Or maybe you're rejecting the mail before the client has a 
chance to authenticate.  Showing unaltered "postconf -n" and 
unaltered normal logging should help solve the mystery.


  -- Noel Jones
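
A way to look for the log line Noel describes, as an added Python example (not part of the post above and not Postfix code). It groups smtpd log lines by process id and session and reports, for each rejected RCPT, the sasl_username logged earlier in that session, or None when no such line was seen. The log lines, hosts, users and queue IDs are constructed for illustration.

```python
import re

# Constructed smtpd log lines in Postfix's usual layout; hosts, users and
# queue IDs are made up. pid 27801 is reused by a later, different client.
SAMPLE_LOG = """\
Sep  7 20:14:50 mx postfix/smtpd[27734]: connect from home.example.net[192.0.2.10]
Sep  7 20:14:51 mx postfix/smtpd[27734]: NOQUEUE: reject: RCPT from home.example.net[192.0.2.10]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<alice@example.org> to=<nobody@example.org> proto=ESMTP helo=<home>
Sep  7 20:14:52 mx postfix/smtpd[27734]: disconnect from home.example.net[192.0.2.10]
Sep  7 20:20:01 mx postfix/smtpd[27801]: connect from laptop.example.net[198.51.100.7]
Sep  7 20:20:02 mx postfix/smtpd[27801]: 4A1B2C3D4E: client=laptop.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Sep  7 20:20:02 mx postfix/smtpd[27801]: 4A1B2C3D4E: reject: RCPT from laptop.example.net[198.51.100.7]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown; from=<alice@example.org> to=<typo@example.org> proto=ESMTP helo=<laptop>
Sep  7 20:20:03 mx postfix/smtpd[27801]: disconnect from laptop.example.net[198.51.100.7]
Sep  7 20:31:10 mx postfix/smtpd[27801]: connect from other.example.net[203.0.113.5]
Sep  7 20:31:11 mx postfix/smtpd[27801]: NOQUEUE: reject: RCPT from other.example.net[203.0.113.5]: 550 5.1.1 <gone@example.org>: Recipient address rejected: User unknown; from=<bob@example.net> to=<gone@example.org> proto=ESMTP helo=<other>
Sep  7 20:31:12 mx postfix/smtpd[27801]: disconnect from other.example.net[203.0.113.5]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SASL = re.compile(r"client=\S+, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+)")
REJECT = re.compile(r"reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) .* to=<(?P<rcpt>[^>]*)>")


def rejects_with_auth_state(log_text):
    """List RCPT rejects, each tagged with the sasl_username logged earlier in
    the same smtpd session (same pid between connect and disconnect), or None
    when no such line was seen in that session."""
    session_user = {}   # pid -> sasl_username for the session in progress
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith(("connect from ", "disconnect from ")):
            session_user.pop(pid, None)   # one smtpd process serves many clients
            continue
        sasl = SASL.search(msg)
        if sasl:
            session_user[pid] = sasl.group("user")
            continue
        rej = REJECT.search(msg)
        if rej:
            findings.append({
                "client": rej.group("client"),
                "code": rej.group("code"),
                "rcpt": rej.group("rcpt"),
                "sasl_username": session_user.get(pid),
            })
    return findings


if __name__ == "__main__":
    for finding in rejects_with_auth_state(SAMPLE_LOG):
        print(finding)
```
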




Re: latest postfix vs. postfix 2.3 package?

2009-09-07 Thread mouss
Dave wrote:
> Hello,
>   I'm running postfix 2.3 via rpm package. This is on a centos box. I
> know that there are later versions out, and am wondering if there's a
> feature add-ons page, not just a changelog, something very detailed version
> to version,  that goes in to detail? I'm trying to decide if i should do an
> upgrade.
>   

take it differently:

1- if it is easy to upgrade, upgrade

last time I had to manage a centos, I created an environment for other
stuff that I needed to rebuild, and then I had no reason not to include
postfix.

2- if you need to upgrade, upgrade
3- in all other cases, do nothing.



I find it amazing that linux users still have such problems. I don't see
such problems on the not-so-used *BSD...



Re: chaining filters

2009-09-07 Thread mouss
Dave wrote:
> Hello,
>   I've got postfix running on CentOS. It's hooked in to amavisd-new
> which is installed as an after-queue content filter. Postfix relays to
> amavisd-new on port 10024 and amavisd-new sends messages back to postfix on
> port 10025. This is all working, now i want to add dkim signing with
> dkimproxy. 

the easy way for you is to use amavisd-new for dkim.

a second option is to use dkim as a milter.

but if you insist on proxy mode, you can still use dkim-proxy, but then
you'll need to understand amavisd policy banks OR postfix FILTER to pass
selected mail to where you want.

> That is listening on port 10027 and relaying back on port 10028.
> I am not certain how to chain these filters together.

the simple thing is to tell amavisd-new to forward mail to 10027.

of course, it would have been easier to let dkim-proxy listen on
10024 and amavisd-new on 10023...

> I'd also like amavisd
> to work only on incoming messages since everything going out is trust
> worthy, and i am hoping not to break anything.

your best choice is to enable port 587 (submission) and to configure the
corresponding service to pass mail to amavisd-new on a specific port (10586
for example) where only virus filtering is enabled.

all this and more is explained in amavisd-new docs. if the docs aren't
clear, please provide your comments so that they can be improved.

>   If anyone has this combo working i'd like to hear about it.
>   Thanks.
>   Dave.
>