Re: relay_domains vs virtual_mailbox_domains

2009-09-09 Thread Clunk Werclick
On Wed, 2009-09-09 at 07:16 +0100, Steve Heaven wrote:
> On Wed, 2009-09-09 at 00:27 +0200, mouss wrote:
> > Steve Heaven wrote:
> > >
> > 
> > 
> > the old: "try to pass to next, until final server accepts or rejects"
> > is no more acceptable. recipients must be checked at the "edge".
> > 
> > postfix provides reject_unverified_recipient to help you for that
> > (assuming the next relay really validates the recipient).
> 
> That's the problem. Most of our clients that we relay mail for run
> Microsoft SBS Exchange which doesn't verify probes. It accepts mail for
> any user and sends an undeliverable report back to the sender.

Are you saying that it is not possible to configure it to reject users
that don't exist at the SMTP level? Are you *sure*? So if you telnet in
to it and send mail for anyoldrubb...@domain.co.uk it accepts it?

I would be gobsmacked. Surely this is a simple configuration issue ?
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 





Re: relay_domains vs virtual_mailbox_domains

2009-09-09 Thread Steve Heaven
On Wed, 2009-09-09 at 08:11 +0100, Clunk Werclick wrote:

> Are you saying that it is not possible to configure it to reject users
> that don't exist at the SMTP level? Are you *sure*? So if you telnet in
> to it and send mail for anyoldrubb...@domain.co.uk it accepts it?
> 
> I would be gobsmacked. Surely this is a simple configuration issue ?

It may well be possible, but the default seems to be to accept any user.

Almost all our clients' SBS servers (there are about 50 of them) are
managed by non-IT staff, usually just someone in the office who knows
how to add users, change passwords etc, but little else. So asking them to make
detailed configuration changes is out of the question.

 Steve


-- 
thorNET 
Internet Services, Consultancy & Training
www.thornet.co.uk



Re: relay_domains vs virtual_mailbox_domains

2009-09-09 Thread Mikael Bak
Steve Heaven wrote:
> On Wed, 2009-09-09 at 08:11 +0100, Clunk Werclick wrote:
> 
>> Are you saying that it is not possible to configure it to reject users
>> that don't exist at the SMTP level? Are you *sure*? So if you telnet in
>> to it and send mail for anyoldrubb...@domain.co.uk it accepts it?
>>
>> I would be gobsmacked. Surely this is a simple configuration issue ?
> 
> It may well be possible, but the default seems to be to accept any user.
> 
> Almost all our clients' SBS servers (there are about 50 of them) are
> managed by non-IT staff, usually just someone in the office who knows
> how to add users, change passwords etc, but little else. So asking them to make
> detailed configuration changes is out of the question.
> 

Read "Step 2: Configure recipient filtering in Exchange Server 2003":

http://support.microsoft.com/default.aspx?scid=kb;en-us;886208

If I were you I'd write up a nice howto for my clients describing the
problem and asking them to do these easy configuration steps. And then
both you and your clients will be good internet citizens.

Just my 2 cents.

Have a nice day,
Mikael


Alias members based on LDAP attribute value

2009-09-09 Thread Edgar Fuß
I hope this has not been asked before. I've searched the archive and 
ldap_table(5), LDAP_README and LOCAL_RECIPIENT_README.

I'm looking for a way to specify a fixed alias which expands to (the mail 
attribute of) all LDAP entries with a certain attribute having a certain value.
I. e. mail to ,,foobar'' should go to (the address specified in the mail 
attribute of) all people whose LDAP ,,foo'' attribute has the value ,,bar''.

The problem is that the right hand side of an alias expansion can't contain 
another map, there's nothing like restriction classes to work around that and 
inside the LDAP configuration, I find no way of specifying ,,the key must be 
foobar''.

Thanks for any help.



python framework for a policy daemon?

2009-09-09 Thread Ralf Hildebrandt
Is there a ready to use python framework for a policy daemon?
I have a nice idea for a policy daemon :)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Force smtpauth for all mails including myhostname bound mails

2009-09-09 Thread ram
Hi,

I have a very basic ( and old) postfix installation and I want to accept
mails only after smtpauth 

The rule works fine except when the recipient belongs to $myhostname 


 postconf -n ==


alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = /usr/share/doc/postfix-2.3.4-documentation/html
mail_owner = postfix
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = mumbai.nstest.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.4-documentation/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated,reject
smtpd_sasl_auth_enable = yes
unknown_local_recipient_reject_code = 550


=


* On successful smtp-auth all mails are accepted ( working As
required ) 
* On failed smtpauth mails to u...@$myhostname still gets accepted 


===
220 mumbai.nstest.com ESMTP Postfix
EHLO netcore.co.in
250-mumbai.nstest.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
djF2MQ==
334 UGFzc3dvcmQ6
cXdlcmFzMWRm
535 5.7.0 Error: authentication failed: authentication failure
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
250 2.1.5 Ok
DATA
354 End data with .

.
250 2.0.0 Ok: queued as 32E07147D31
QUIT
221 2.0.0 Bye
==


How do I prevent this ???



Thanks
Ram







Re: Force smtpauth for all mails including myhostname bound mails

2009-09-09 Thread Mikael Bak
ram wrote:
> 
> I have a very basic ( and old) postfix installation and I want to accept
> mails only after smtpauth 
> 
> The rule works fine except when the recipient belongs to $myhostname 
> 
[snip]
> mydestination = mumbai.nstest.com
[snip]

Hi Ram,
$mydestination is probably why the email gets accepted even without SMTP
AUTH.

http://www.postfix.org/postconf.5.html#mydestination

HTH,
Mikael



Re: python framework for a policy daemon?

2009-09-09 Thread Gerardo Herzig
Ralf Hildebrandt wrote:
> Is there a ready to use python framework for a policy daemon?
> I have a nice idea for a policy daemon :)
> 
Well, googling around 'python postfix policy' gives me some, but looks
like only do a 'spf' test.

http://sourceforge.net/projects/p-ppolicyserver/
http://www.openspf.org/Software
http://www.tummy.com/Community/software/tumgreyspf/

Anyway, I will love to collaborate with you, if you like.

Cheers.
Gerardo



Re: Force smtpauth for all mails including myhostname bound mails

2009-09-09 Thread Noel Jones

On 9/9/2009 5:58 AM, ram wrote:
> Hi,
>
> I have a very basic ( and old) postfix installation and I want to accept
> mails only after smtpauth
>
> The rule works fine except when the recipient belongs to $myhostname
>
>
>  postconf -n ==
>
>
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> html_directory = /usr/share/doc/postfix-2.3.4-documentation/html
> mail_owner = postfix
> mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = mumbai.nstest.com
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.4-documentation/readme
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_recipient_restrictions = permit_sasl_authenticated,reject

This is the proper smtpd_recipient_restrictions setting for 
the requested behavior.  No SMTP mail will be accepted without 
successful AUTH.

> smtpd_sasl_auth_enable = yes
> unknown_local_recipient_reject_code = 550
>
>
> =
>
>
> * On successful smtp-auth all mails are accepted ( working As
> required )
> * On failed smtpauth mails to u...@$myhostname still gets accepted
>
>
> ===
> 220 mumbai.nstest.com ESMTP Postfix
> EHLO netcore.co.in
> 250-mumbai.nstest.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH LOGIN
> 334 VXNlcm5hbWU6
> djF2MQ==
> 334 UGFzc3dvcmQ6
> cXdlcmFzMWRm
> 535 5.7.0 Error: authentication failed: authentication failure
> MAIL FROM:
> 250 2.1.0 Ok
> RCPT TO:
> 250 2.1.5 Ok
> DATA
> 354 End data with.
>
> .
> 250 2.0.0 Ok: queued as 32E07147D31
> QUIT
> 221 2.0.0 Bye
> ==
>
>
> How do I prevent this ???

... but it didn't work as expected.  Either the main.cf you 
are editing isn't the one that's really active (multiple 
postfix instances), or you have overrides in your master.cf.



  -- Noel Jones


Re: python framework for a policy daemon?

2009-09-09 Thread Boyd Lynn Gerber

On Wed, 9 Sep 2009, Gerardo Herzig wrote:
> Ralf Hildebrandt wrote:
> > Is there a ready to use python framework for a policy daemon?
> > I have a nice idea for a policy daemon :)
>
> Well, googling around 'python postfix policy' gives me some, but looks
> like only do a 'spf' test.
>
> http://sourceforge.net/projects/p-ppolicyserver/
> http://www.openspf.org/Software
> http://www.tummy.com/Community/software/tumgreyspf/
>
> Anyway, I will love to collaborate with you, if you like.


Take a look at pyspf

http://pypi.python.org/pypi/pyspf/

and

http://www.openspf.org/blobs/pypolicyd-spf-0.7.1.tar.gz

svn is at
http://svn.debian.org/wsvn/python-apps/packages/pypolicyd-spf/



--
Boyd Gerber  801 849-0213
ZENEZ   1042 East Fort Union #135, Midvale Utah  84047


Postfix DKIM

2009-09-09 Thread Mark Johnson
All,

I wonder which DKIM should I use for Postfix? Any suggestion?

I found this:
http://dkimproxy.sourceforge.net


Thanks.

Mark




  


Re: Postfix DKIM

2009-09-09 Thread Guy
2009/9/9 Mark Johnson :
> I wonder which DKIM should I use for Postfix? Any suggestion?
>
> I found this:
> http://dkimproxy.sourceforge.net

I had problems with high load using dkimproxy. amavisd-new includes
DKIM which has worked well for me.

http://www.ijs.si/software/amavisd/amavisd-new-docs.html

Cheers
Guy

-- 
Don't just do something...sit there!


Re: Postfix DKIM

2009-09-09 Thread Pascal Maes


On 9 Sept. 2009 at 15:58, Mark Johnson wrote:

> All,
>
> I wonder which DKIM should I use for Postfix? Any suggestion?
>
> I found this:
> http://dkimproxy.sourceforge.net
>
> Thanks.
>
> Mark



I have encountered some problems with dkimproxy used as a before-queue  
and postfix 2.6.

I'm using dkim-milter now.

Regards,
--
Pascal

Re: Force smtpauth for all mails including myhostname bound mails

2009-09-09 Thread ram

On Wed, 2009-09-09 at 07:37 -0500, Noel Jones wrote:
> On 9/9/2009 5:58 AM, ram wrote:
> > Hi,
> >
> > I have a very basic ( and old) postfix installation and I want to accept
> > mails only after smtpauth
> >
> > The rule works fine except when the recipient belongs to $myhostname
> >
> >
> >  postconf -n ==
> >
> >
> > alias_database = hash:/etc/postfix/aliases
> > alias_maps = hash:/etc/postfix/aliases
> > command_directory = /usr/sbin
> > config_directory = /etc/postfix
> > daemon_directory = /usr/libexec/postfix
> > debug_peer_level = 2
> > html_directory = /usr/share/doc/postfix-2.3.4-documentation/html
> > mail_owner = postfix
> > mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
> > mailq_path = /usr/bin/mailq.postfix
> > manpage_directory = /usr/share/man
> > mydestination = mumbai.nstest.com
> > newaliases_path = /usr/bin/newaliases.postfix
> > queue_directory = /var/spool/postfix
> > readme_directory = /usr/share/doc/postfix-2.3.4-documentation/readme
> > sample_directory = /etc/postfix
> > sendmail_path = /usr/sbin/sendmail.postfix
> > setgid_group = postdrop
> > smtpd_recipient_restrictions = permit_sasl_authenticated,reject
> 
> This is the proper smtpd_recipient_restrictions setting for 
> the requested behavior.  No SMTP mail will be accepted without 
> successful AUTH.
> 
> > smtpd_sasl_auth_enable = yes
> > unknown_local_recipient_reject_code = 550
> >
> >
> > =
> >
> >
> > * On successful smtp-auth all mails are accepted ( working As
> > required )
> > * On failed smtpauth mails to u...@$myhostname still gets accepted
> >
> >
> > ===
> > 220 mumbai.nstest.com ESMTP Postfix
> > EHLO netcore.co.in
> > 250-mumbai.nstest.com
> > 250-PIPELINING
> > 250-SIZE 1024
> > 250-VRFY
> > 250-ETRN
> > 250-AUTH LOGIN PLAIN
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN
> > AUTH LOGIN
> > 334 VXNlcm5hbWU6
> > djF2MQ==
> > 334 UGFzc3dvcmQ6
> > cXdlcmFzMWRm
> > 535 5.7.0 Error: authentication failed: authentication failure
> > MAIL FROM:
> > 250 2.1.0 Ok
> > RCPT TO:
> > 250 2.1.5 Ok
> > DATA
> > 354 End data with.
> >
> > .
> > 250 2.0.0 Ok: queued as 32E07147D31
> > QUIT
> > 221 2.0.0 Bye
> > ==
> >
> >
> > How do I prevent this ???
> 
> .. but it didn't work as expected.  Either the main.cf you 
> are editing isn't the one that's really active (multiple 
> postfix instances), or you have overrides in your master.cf.
> 
> 

That's precisely what I thought that someone had messed some other
setting. 
That is why I wiped off postfix, rm-ed the directories, reinstalled
the same rpm 



And added only this to main.cf 
-
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,reject
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
mydestination = mumbai.nstest.com
---



Still mails to myhostname get accepted without password 
Also if I configure $myhostname to some other domain then it works ..
but that's not what I want 

There is no other postfix instance , and absolutely no change in
master.cf




Thanks
Ram



Re: Postfix DKIM

2009-09-09 Thread Mark Martinec
> I'm using dkim-milter now.

Btw, the dkim-milter seems rather abandoned now,
its development has been picked up by OpenDKIM
(same author, who previously worked on dkim-milter).

  http://www.opendkim.org/

So, either amavisd-new or OpenDKIM should be fine.

  Mark


Re: Force smtpauth for all mails including myhostname bound mails

2009-09-09 Thread Victor Duchovni
On Wed, Sep 09, 2009 at 08:06:09PM +0530, ram wrote:

> > > RCPT TO:
> > > 250 2.1.5 Ok

Mail to "$address_verify_sender" (qualified with @$myorigin if a bare
user name) is not subject to recipient restrictions, by default. In
many versions of Postfix, "postmaster" is the default value of
$address_verify_sender.

If you don't use SAV or RAV, set:

address_verify_sender = <>

and  will no longer be exempt from recipient
restrictions.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

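Added example (not part of Viktor's message or of Postfix): a Python check that replays a captured SMTP session and lists recipients accepted without a successful AUTH, separating the one explained by the address_verify_sender exemption described above from any others. The transcript, host names, addresses, the 554 reply text and all function names are constructed for illustration.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])")  # server reply: 3-digit code, then ' ' or '-'

# Constructed session modelled on the one posted in this thread. Host names,
# addresses, credentials and the 554 text are illustrative, not from the thread.
BEFORE = """\
220 mail.example.test ESMTP Postfix
EHLO client.example.test
250-mail.example.test
250-AUTH LOGIN PLAIN
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
Y29uc3RydWN0ZWQ=
334 UGFzc3dvcmQ6
cGxhY2Vob2xkZXI=
535 5.7.0 Error: authentication failed: authentication failure
MAIL FROM:<probe@client.example.test>
250 2.1.0 Ok
RCPT TO:<postmaster@mail.example.test>
250 2.1.5 Ok
RCPT TO:<alice@mail.example.test>
554 5.7.1 <alice@mail.example.test>: Recipient address rejected: Access denied
QUIT
221 2.0.0 Bye
"""
# Same session as expected once "address_verify_sender = <>" is in effect.
AFTER = BEFORE.replace(
    "250 2.1.5 Ok",
    "554 5.7.1 <postmaster@mail.example.test>: Recipient address rejected: Access denied",
)


def exempt_recipient(address_verify_sender, myorigin):
    """Address that bypasses recipient restrictions, or None if nobody does.

    A bare user name is qualified with @myorigin; "<>" exempts no address.
    """
    value = address_verify_sender.strip()
    if value in ("", "<>"):
        return None
    if "@" not in value:
        value = value + "@" + myorigin
    return value.lower()


def unauthenticated_accepts(transcript):
    """Recipients that got a 2xx RCPT reply in a session with no 235 AUTH reply."""
    authed = False
    in_data = False
    pending = None  # (command, argument) still waiting for its final reply
    accepted = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if in_data:  # message body: ignore until the lone "."
            in_data = line != "."
            continue
        reply = REPLY.match(line)
        if reply is None:  # a line sent by the client
            if pending and pending[0] == "AUTH":
                continue  # base64 answer inside the AUTH exchange
            upper = line.upper()
            if upper.startswith("AUTH"):
                pending = ("AUTH", "")
            elif upper.startswith("RCPT TO:"):
                args = line[8:].split()
                pending = ("RCPT", args[0].strip("<>").lower() if args else "")
            elif upper == "DATA":
                pending = ("DATA", "")
            else:
                pending = None
            continue
        code, more = reply.group(1), reply.group(2) == "-"
        if more or pending is None or code == "334":
            continue  # multi-line reply, unrelated reply, or AUTH challenge
        kind, arg = pending
        pending = None
        if kind == "AUTH":
            authed = authed or code == "235"
        elif kind == "RCPT" and code[0] == "2" and not authed:
            accepted.append(arg)
        elif kind == "DATA" and code == "354":
            in_data = True
    return accepted


def classify(transcript, address_verify_sender, myorigin):
    """Split unauthenticated acceptances into exemption-explained and other."""
    exempt = exempt_recipient(address_verify_sender, myorigin)
    result = {"explained": [], "unexplained": []}
    for rcpt in unauthenticated_accepts(transcript):
        result["explained" if rcpt == exempt else "unexplained"].append(rcpt)
    return result


if __name__ == "__main__":
    print("before:", classify(BEFORE, "postmaster", "mail.example.test"))
    print("after: ", classify(AFTER, "<>", "mail.example.test"))
```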

Re: Postfix DKIM

2009-09-09 Thread Joe

Mark Johnson wrote:
> All,
>
> I wonder which DKIM should I use for Postfix? Any suggestion?
>
> I found this:
> http://dkimproxy.sourceforge.net

I've been using dkim-milter - it's a sendmail milter but works fine with 
postfix -


http://sourceforge.net/projects/dkim-milter/

Joe


Weird postfix looping for some emails

2009-09-09 Thread Preston Lord
Hi All,

We are having an issue with postfix where some messages keep looping to the
local recipient every hour or so. Servers that we consistently have trouble
with are apple.com servers : in this example bz1.apple.com .

I will post the details below, but the server bz1.apple.com sends the
message fine, we receive it in the user's account, but in the logs of
bz1.apple.com it shows as unresponsive so it sends again a while later, and
then again, and again, creating a loop.

I have tried disabling amavis-new and postgrey and even adding the IP of
bz1.apple.com  to mynetworks, all with the same result.


Here is a debug log from 1 example transaction:

Sep  9 10:08:29 mx postfix/smtpd[641]: connect from
bz1.apple.com[17.254.13.36]
Sep  9 10:08:29 mx postfix/smtpd[641]: match_hostname: bz1.apple.com ~?
17.254.13.36
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]: 220
mx.static.intricatenetworks.com ESMTP Postfix (Debian/GNU)
Sep  9 10:08:29 mx postfix/smtpd[641]: < bz1.apple.com[17.254.13.36]: EHLO
bz1.apple.com
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]:
250-mx.static.intricatenetworks.com
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]:
250-PIPELINING
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]:
250-SIZE 2048
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]:
250-VRFY
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]:
250-ETRN
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]:
250-AUTH PLAIN LOGIN CRAM-MD5
Sep  9 10:08:29 mx postfix/smtpd[641]: match_list_match: bz1.apple.com: no
match
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]:
250-AUTH=PLAIN LOGIN CRAM-MD5
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]:
250-ENHANCEDSTATUSCODES
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]:
250-8BITMIME
Sep  9 10:08:29 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]: 250
DSN
Sep  9 10:08:34 mx postfix/smtpd[641]: < bz1.apple.com[17.254.13.36]: MAIL
FROM: SIZE=27230 ENVID=ADR3410549502
Sep  9 10:08:34 mx postfix/smtpd[641]: extract_addr: input:

Sep  9 10:08:34 mx postfix/smtpd[641]: smtpd_check_addr:
addr=donotre...@apple.com
Sep  9 10:08:34 mx postfix/smtpd[641]: send attr address =
donotre...@apple.com
Sep  9 10:08:34 mx postfix/smtpd[641]: input attribute value:
donotre...@apple.com
Sep  9 10:08:34 mx postfix/smtpd[641]: rewrite_clnt: local:
donotre...@apple.com -> donotre...@apple.com
Sep  9 10:08:34 mx postfix/smtpd[641]: send attr address =
donotre...@apple.com
Sep  9 10:08:34 mx postfix/smtpd[641]: input attribute value: apple.com
Sep  9 10:08:34 mx postfix/smtpd[641]: input attribute value:
donotre...@apple.com
Sep  9 10:08:34 mx postfix/smtpd[641]: resolve_clnt: `' ->
`donotre...@apple.com' -> transp=`smtp' host=`apple.com'
rcpt=`donotre...@apple.com' flags= class=default
Sep  9 10:08:34 mx postfix/smtpd[641]: ctable_locate: install entry key
donotre...@apple.com
Sep  9 10:08:34 mx postfix/smtpd[641]: extract_addr: in:
, result: donotre...@apple.com
Sep  9 10:08:34 mx postfix/smtpd[641]: match_list_match: bz1.apple.com: no
match
Sep  9 10:08:34 mx postfix/smtpd[641]: > bz1.apple.com[17.254.13.36]: 250
2.1.0 Ok
Sep  9 10:08:35 mx postfix/smtpd[641]: < bz1.apple.com[17.254.13.36]: RCPT
TO: ORCPT=rfc822;pl...@swt.ca NOTIFY=FAILURE
Sep  9 10:08:35 mx postfix/smtpd[641]: check_mail_access:
donotre...@apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: ctable_locate: move existing entry
key donotre...@apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: check_access: donotre...@apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: check_domain_access: apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: reject_non_fqdn_address:
donotre...@apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: reject_unknown_address:
donotre...@apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: ctable_locate: leave existing entry
key donotre...@apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: reject_unknown_mailhost: apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: lookup apple.com type MX flags 0
Sep  9 10:08:35 mx postfix/smtpd[641]: dns_query: apple.com (MX): OK
Sep  9 10:08:35 mx postfix/smtpd[641]: dns_get_answer: type MX for apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: dns_get_answer: type MX for apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: dns_get_answer: type MX for apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: dns_get_answer: type MX for apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: dns_get_answer: type MX for apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: dns_get_answer: type MX for apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: dns_get_answer: type MX for apple.com
Sep  9 10:08:35 mx postfix/smtpd[641]: permit_mynetworks: bz1.apple.com
17.254.13.36
Sep  9 10:08:35 mx postfix/smtpd[641]: match_hostname: bz1.apple.com ~?
17.254.13.36
Sep  9 10:08:35 mx postfix/smtpd[641]: permit_inet_interfaces: bz1.appl

Re: Weird postfix looping for some emails

2009-09-09 Thread Kenneth Marshall
Hi Preston,

Your delivery looks normal. You need the logs from the other
end of the connection that is re-trying the message incorrectly.
Maybe they are not seeing the final response due to a firewall
issue or your delivery is part of a group that is retried because
someone else's delivery in the group fails. Try contacting the
Postmaster at apple.com to see if you can get some help from
their end.

Regards,
Ken

On Wed, Sep 09, 2009 at 11:58:05AM -0600, Preston Lord wrote:
> Hi All,
> 
> We are having an issue with postfix where some messages keep looping to the
> local recipient every hour or so. Servers that we consistently have trouble
> with are apple.com servers : in this example bz1.apple.com .
> 
> I will post the details below, but the server bz1.apple.com sends the
> message fine, we receive it in the user's account, but in the logs of
> bz1.apple.com it shows as unresponsive so it sends again a while later, and
> then again, and again, creating a loop.
> 
> I have tried disabling amavis-new and postgrey and even adding the IP of
> bz1.apple.com  to mynetworks, all with the same result.
> 
> 
> Here is a debug log from 1 example transaction:
> 

Re: Weird postfix looping for some emails

2009-09-09 Thread Wietse Venema
Preston Lord:
> Hi All,
> 
> We are having an issue with postfix where some messages keep looping to the
> local recipient every hour or so. Servers that we consistently have trouble
> with are apple.com servers : in this example bz1.apple.com .
> 
> I will post the details below, but the server bz1.apple.com sends the
> message fine, we receive it in the user's account, but in the logs of
> bz1.apple.com it shows as unresponsive so it sends again a while later, and
> then again, and again, creating a loop.
> 
> I have tried disabling amavis-new and postgrey and even adding the IP of
> bz1.apple.com  to mynetworks, all with the same result.
> 
> 
> Here is a debug log from 1 example transaction:

A few comments:

I would not look at this unless you turn off the debug logging.

It would also help if you could explain the relationship between
the different hostnames that appear in the logging. 

The problem may originate on one of the other systems whose logging
is not presented in the problem report.

Finally, it appears that there are multiple messages in the log,
each having a different Message ID. With a loop, I would expect to
see the same message repeatedly.

Wietse


Exempting localhost from STARTTLS

2009-09-09 Thread Gerard
I use fetchmail to harvest mail from a couple of accounts. I added this
to the main.cf file and fetchmail stopped delivering mail.

smtpd_tls_security_level = encrypt

This was the error message:

fetchmail: SMTP error: 530 5.7.0 Must issue a STARTTLS command first
fetchmail: SMTP server requires STARTTLS, keeping message.
fetchmail:  not flushed

I then added this to the main.cf file:

smtpd_sasl_exceptions_networks = localhost

I thought that would correct the problem; however, it doesn't. Mail
from the regular users on the network is delivered to the server's IP:
192.168.1.103

Is there any way I can get this to work?

~ $ postconf -n
alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
delay_warning_time = 2h
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = seibercom.net
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtp_tls_CApath = /usr/local/etc/postfix/certs
smtp_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
smtp_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550

-- 
Gerard
postfix.u...@yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Some of the things that live the longest
in peoples' memories never really happened.


Re: Exempting localhost from STARTTLS

2009-09-09 Thread Wietse Venema
Gerard:
> I use fetchmail to harvest mail from a couple of accounts. I added this
> to the main.cf file and fetchmail stopped delivering mail.
> 
> smtpd_tls_security_level = encrypt
> 
> This was the error message:
> 
> fetchmail: SMTP error: 530 5.7.0 Must issue a STARTTLS command first
> fetchmail: SMTP server requires STARTTLS, keeping message.

/etc/postfix/master.cf:
    192.168.1.1:smtp  inet  n   -   -   -   -   smtpd
    127.0.0.1:smtp    inet  n   -   -   -   -   smtpd
        -o smtpd_tls_security_level=may

> I then added this to the main.cf file:
> 
> smtpd_sasl_exceptions_networks = localhost

That controls SASL not TLS.

Wietse


Re: Exempting localhost from STARTTLS

2009-09-09 Thread Victor Duchovni
On Wed, Sep 09, 2009 at 03:19:11PM -0400, Gerard wrote:

> I use fetchmail to harvest mail from a couple of accounts. I added this
> to the main.cf file and fetchmail stopped delivering mail.
> 
> smtpd_tls_security_level = encrypt

This requires all clients to use SSL/TLS.

> I then added this to the main.cf file:
> 
> smtpd_sasl_exceptions_networks = localhost

This suppresses SASL authentication for local hosts, but SASL is not SSL.

> I thought that would correct the problem; however, it doesn't. Mail
> from the regular users on the network is delivered to the server's IP:
> 192.168.1.103
> 
> Is there any way I can get this to work?

Try:

smtpd_tls_security_level = may

and if you want to insist that some clients use SSL/TLS, do so via
"reject_plaintext_session" after permitting clients that don't need
to use SSL/TLS:

http://www.postfix.org/postconf.5.html#reject_plaintext_session

For example:

smtpd_client_restrictions =
    permit_inet_interfaces,
    reject_plaintext_session

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Alias members based on LDAP attribute value

2009-09-09 Thread Victor Duchovni
On Wed, Sep 09, 2009 at 10:37:04AM +0200, Edgar Fuß wrote:

> I hope this has not been asked before. I've searched the archive and 
> ldap_table(5), LDAP_README and LOCAL_RECIPIENT_README.
> 
> I'm looking for a way to specify a fixed alias which expands to (the
> mail attribute of) all LDAP entries with a certain attribute having a
> certain value.
>
> I. e. mail to ,,foobar'' should go to (the address specified in the
> mail attribute of) all people whose LDAP ,,foo'' attribute has the
> value ,,bar''.

Postfix supports LDAP DN references and URI expansion. Attributes listed
in "special_result_attribute" can be "DN-valued" or (query) "URI-valued".
So you can store the "foo=bar" query in a "special_result_attribute"
of an object whose primary lookup key is foobars, and a special
result attribute specifies the desired query as an LDAP URL.

-- 
Viktor.



Re: Postfix DKIM

2009-09-09 Thread 牛粥
Mark Johnson  writes:

> All,
>
> I wonder which DKIM should I use for Postfix? Any suggestion?

Please read first RFCs. Then you'll realize why we use DKIM.

Sincerely,

-- 
"What do you wish me to do?"
"I want you to use all your powers, all your skill, as you love me. I do not
wish his mother to see him as he is. See how they have massacred my son."
-- Amerigo Bonasera and Vito Corleone, "Chapter 18", page 257


Re: Postfix DKIM

2009-09-09 Thread Evan Platt

At 03:11 PM 9/9/2009, you wrote:

>Mark Johnson  writes:
>
> > All,
> >
> > I wonder which DKIM should I use for Postfix? Any suggestion?
>
>Please read first RFCs. Then you'll realize why we use DKIM.


That totally wasn't the question the OP was asking.. :)





RE: Postfix DKIM

2009-09-09 Thread Dave
Hi,
I'd recommend either dkimproxy if you're using a proxy setup or
amavisd-new if you've already got amavisd going; that way might be easier.
Hth
Dave.
 

-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Evan Platt
Sent: Wednesday, September 09, 2009 6:15 PM
To: postfix-users@postfix.org
Subject: Re: Postfix DKIM

At 03:11 PM 9/9/2009, you wrote:
>Mark Johnson  writes:
>
> > All,
> >
> > I wonder which DKIM should I use for Postfix? Any suggestion?
>
>Please read first RFCs. Then you'll realize why we use DKIM.

That totally wasn't the question the OP was asking.. :)






Re: Postfix DKIM

2009-09-09 Thread 牛粥
Evan Platt  writes:

> At 03:11 PM 9/9/2009, you wrote:
>>Mark Johnson  writes:
>>
>> > All,
>> >
>> > I wonder which DKIM should I use for Postfix? Any suggestion?
>>
>>Please read first RFCs. Then you'll realize why we use DKIM.
>
> That totally wasn't the question the OP was asking.. :)

Thanks for advice! 

By the way, I thought that it is needed for folks starting to use
DKIM. Actually, at least, I needed that progress (reading RFCs) ;; 

Sincerely,

-- 
"You won't have time to go see Genco."
-- Vito Corleone, "Chapter 1", page 41


Re: Postfix DKIM

2009-09-09 Thread Thomas Gelf
牛粥 wrote:
>>>> I wonder which DKIM should I use for Postfix? Any suggestion?
>>> Please read first RFCs. Then you'll realize why we use DKIM.
>> That totally wasn't the question the OP was asking.. :)
> Thanks for advice! 
> By the way, i thought that it is needed to folks starting to use
> DKIM. Actually, at least, i needed that progress (reading RFCs) ;;

I did so. I've entirely read RFC 4871, 5617, 5672, many others and
also current drafts regarding DKIM deployments. I can confirm that
the answer to his question is not to be found in any of them.

Best regards,
Thomas Gelf

-- 
 mail: tho...@gelf.net
  web: http://thomas.gelf.net/



Re: piped transports error message

2009-09-09 Thread Marcel Montes

Sahil Tandon wrote:

> AFAIK, hiding the error output is not configurable.  Concealing important
> portions of the DSN seems silly and might even be a violation of RFC 3464
> (something you might or might not care about).

I've checked the RFC, and about RFC3462 (about the report format) and I
think that all it says is that it must be a human readable message.

> But if you really wanted to go this route, you could hack the way Postfix
> constructs a bounce message and/or modify pipe(8) to not report back the
> nature of a script failure.

Yes, hacking your way out is always an option in open source, but what I
meant with conceal was to actually not show the perl error (ie: things like
"Global symbol "$whatever" requires explicit package name... at line X",
etc.) but display a custom message.

Something like "registration script failed" which is more user friendly,
to the point, and -in my opinion- "human readable" than a compile/runtime
error message.

> I know this is probably not the answer for which you had hoped, so good luck!
>
> Perhaps Wietse will have a more favorable reply. :-)

No, but it made me consider things I wasn't considering at all at first and
I appreciate that.

Thanks for your time.


Re: piped transports error message

2009-09-09 Thread Marcel Montes

Wietse Venema wrote:

> I have a suggestion. When the script fails, don't lose control and
> spill the guts all over the place.
>
> Instead, catch the error and report an appropriate response.

Yes, that's the ideal thing to do. In fact I'm doing it.
What I'm actually doing wrong is being lazy and developing the in
production script, which is -of course- the reason it returns
compile/runtime errors.

For instance, if I mistype a variable name, save it, run the script from
the shell to check if it works and see that it fails, and some mail comes
in that span of time, the compile/runtime error gets mailed.

> If you don't know how to use Perl's built-in error catching facilities,
> wrap the Perl script in a shell script and use that as a diaper to
> absorb the mess.
>
> Wietse

I'm just setting another piping transport to a development script, and
leaving the production one alone until I know it's running smoothly, which
is what I should have done in the first place.

Still, I think I *will* wrap the production script with a shell script
as an additional safeguard.

What does postfix actually add to the bounce message?
The STDERR output if the return status is not 0?


Formatting of 544- ... lines in "Undelivered Mail Returned to Sender"

2009-09-09 Thread Robin Whittle
Thanks, as always, for Postfix!  I have been using it for at least ten
years. What I describe below is the first time I have questioned how
well it works.  This is version 2.3.3 on CentOS 5.1.

When Postfix (or any other MTA) attempts to send a message to another
MTA, and that remote MTA rejects the message, with a 544 code, I
understand that the first MTA is supposed to report the error with
a message to the sender.  Postfix does this, but the way it formats
the error message text sent by the remote MTA may not be correct.

I am not sure whether this is specified in an RFC, but I understand
that for every part of the remote MTA's response which starts with
"544-" there should be a new line in the message to the sender.
This behaviour is relied upon by at least one spam rejection system,
in order that the sender gets a nicely formatted explanation and
instructions on how to have the message delivered.

This software is Karl Denninger's Spamblock-Sys:

  http://www.denninger.net/spamblock.htm

It rejects every message with a sender address which the system does
not yet recognise.  Sending a message to k...@denninger.net will
generate such an error response, unless of course the sender address
is already recognised.

Below is the first part of the error message generated by Yahoo's qmail,
which is formatted as Karl intends it to be:

= = = = = = = = =

Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
70.169.168.7 failed after I sent the message.
Remote host said: 554-Subject: SUSPECTED Spam QUARRANTINED - please read for 
further information
554-
554-The SPAMBLOCK-SYS spam protection system has QUARRANTINED your
554-message to the following user:
554-
554-
554-PLEASE READ THIS ENTIRE MESSAGE FOR FURTHER INSTRUCTIONS.
. . .

= = = = = = = = =


Postfix produces a message like this:

= = = = = = = = =

This is the mail system at host xxx.yyy.zzz.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to 

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

: host mail.denninger.net[70.169.168.7] said: 554-Subject:
SUSPECTED Spam QUARRANTINED - please read for further information 554-
554-The SPAMBLOCK-SYS spam protection system has QUARRANTINED your
554-message to the following user: 554- 554- 554-PLEASE
READ THIS ENTIRE MESSAGE FOR FURTHER INSTRUCTIONS. 554- 554-I employ an
application known as "SPAMBLOCK-SYS" to protect my  554-email against
. . .

= = = = = = = = =

(BTW, I think it is BAD for computer programs to send messages to
humans using "I" to refer to the program.  Programs can't be
"I" - they are mechanisms, not living things.  It's even worse
when programs generate text such as "I'm sorry".)


Karl assures me his server is putting out newlines for every
instance of "544-":

   Postfix is removing the carriage returns.
   That's broken - Spamblock is emitting CR/LF pairs.

I can't see any non-default config items (postconf -n)
which would affect this.

I am not sure whether the behaviour Karl is expecting is required
by an RFC.  Is it reasonable to expect the MTA to format the
message as qmail does and as Karl expects?

Thanks again for Postfix!

   - Robin
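
The multi-line reply format discussed in this post, as an added example that is not part of the original message or of Postfix or qmail: a parser for one SMTP reply following RFC 5321 section 4.2.1, rendered both with its line breaks preserved and folded into a single string. The sample reply is constructed from the text quoted above (its final line is an assumption, since the post truncates the reply), and the function names are hypothetical.

```python
import re

# "<3-digit code>" optionally followed by "-" (more lines follow) or " "
# (final line) and free text, per RFC 5321 section 4.2.1.
_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")


def parse_reply(raw: bytes):
    """Split one SMTP reply into (code, [text of each line])."""
    lines = raw.decode("ascii", "replace").split("\r\n")
    if lines[-1] == "":              # a trailing CRLF leaves an empty element
        lines.pop()
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for idx, line in enumerate(lines):
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"not a reply line: {line!r}")
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changes inside one reply")
        is_last = idx == len(lines) - 1
        # "-" must appear on every line except the last, and never on the last.
        if (m.group(2) == "-") == is_last:
            raise ValueError(f"continuation marker misplaced: {line!r}")
        texts.append(m.group(3) or "")
    return int(code), texts


def render_preserved(texts):
    """One output line per reply line: the layout the remote server sent."""
    return "\n".join(texts)


def render_folded(code, texts):
    """All reply lines, prefixes included, joined by spaces into one string."""
    seps = ["-"] * (len(texts) - 1) + [" "]
    return " ".join(f"{code}{s}{t}".rstrip() for s, t in zip(seps, texts))


# Constructed sample based on the reply quoted in the post.
SAMPLE = (
    b"554-Subject: SUSPECTED Spam QUARRANTINED - please read for further information\r\n"
    b"554-\r\n"
    b"554-The SPAMBLOCK-SYS spam protection system has QUARRANTINED your\r\n"
    b"554-message to the following user:\r\n"
    b"554 PLEASE READ THIS ENTIRE MESSAGE FOR FURTHER INSTRUCTIONS.\r\n"
)

if __name__ == "__main__":
    code, texts = parse_reply(SAMPLE)
    print(render_preserved(texts))
    print("----")
    print(render_folded(code, texts))
```
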



Re: Postfix DKIM

2009-09-09 Thread KLaM Postmaster
Mark Johnson wrote:
> All,
>
> I wonder which DKIM should I use for Postfix? Any suggestion?
>
> I found this:
> http://dkimproxy.sourceforge.net
>
>
> Thanks.
>
> Mark
I found the easiest way by far was to use the DKIM feature of amavisd-new:
simple to set up and works like a charm.

JLA




hardisk space is running low, 10% left

2009-09-09 Thread liyas m
Dear all,

I have xserve set as email server running postfix. The client is
squirrelmail. It seems that a lot of spammers are attacking the server and
the system hard disk is getting eaten up 1% per day. I have checked the log
file (deleted some of the files) and updated to the latest update available.

Does anybody have an idea what seems to be the problem?
df -h gives this:

Filesystem      Size   Used  Avail Capacity  Mounted on
/dev/disk0s3    372G   334G    38G    90%    /
devfs           101K   101K     0B   100%    /dev
fdesc           1.0K   1.0K     0B   100%    /dev
                512K   512K     0B   100%    /.vol
/dev/disk2s3    931G   428G   503G    46%    /Volumes/OneTouch4 1

Thanks for the help


Postfix not sending SMFIC_RCPT to milter, libmilter rejecting state transition

2009-09-09 Thread Stephen Warren
I'm writing a milter using pymilter-0.9.3, which interfaces to
libmilter1.0.1 (from sendmail 8.14.3) and running under postfix-2.6.5.
This is on Ubuntu jaunty (I have built the newer pymilter and postfix
versions in a PPA. The same postfix behaviour was observed with the
stock postfix 2.5.x package).

However, it seems that under some circumstances, postfix and libmilter
will fail to inter-operate in a couple of ways.

My milter doesn't care about "RCPT TO", and hence doesn't define an
envrcpt() function in the pymilter class. This leads pymilter/libmilter
to negotiate an SMFIP value of 0x4a790. I can confirm this value from
both libmilter and postfix logs. This decodes to:

Set:

SMFIP_NOBODY, SMFIP_NR_HDR, SMFIP_NOUNKNOWN, SMFIP_NODATA, SMFIP_SKIP,
SMFIP_NR_HELO, SMFIP_NR_RCPT, SMFIP_NR_EOH

Not set:

SMFIP_NOCONNECT, SMFIP_NOHELO, SMFIP_NOMAIL, SMFIP_NORCPT, SMFIP_NOHDRS,
SMFIP_NOEOH, SMFIP_RCPT_REJ, SMFIP_NR_CONN, SMFIP_NR_MAIL,
SMFIP_NR_DATA, SMFIP_NR_UNKN, SMFIP_NR_BODY, SMFIP_HDR_LEADSPC

In particular, note that SMFIP_NORCPT is NOT set, although SMFIP_NR_RCPT is.

I dumped the communication between postfix and the milter using
wireshark. Ignoring "D" commands to define macros, I see C
(SMFIC_CONNECT), H (SMFIC_HELO), M (SMFIC_MAIL), L (SMFIC_HEADER), N
(SMFIC_EOH), E (SMFIC_BODYEOB). I see the same thing from libmilter's
debug output.

The problem here is that there's no R (SMFIC_RCPT) command at all,
despite the message having non-rejected recipients on the postfix side,
and despite SMFIP_NORCPT NOT being set in the negotiated flags.

This appears to be a bug in postfix. I can't see why this is happening
from the postfix source; src/milter/milter*.c doesn't seem to have
anything that would skip sending this command. The only thing I can
think of is that the output vstream/vbuf isn't being flushed out
correctly due to SMFIP_NR_RCPT being set. Note that I do see a few lines
in the postfix log that confirm postfix is attempting to send this command:

Sep  9 23:16:11 severn postfix/smtpd[18705]: event: SMFIC_RCPT; macros: {rcpt_addr}=swar...@wwwdotorg.org {rcpt_host}=severn.wwwdotorg.org {rcpt_mailer}=local
Sep  9 23:16:11 severn postfix/smtpd[18705]: skipping reply for event SMFIC_RCPT from milter inet:2092

The second of these only happens after the command (request) in question
is queued into the vstream/vbuf by postfix. It should only skip waiting
for the reply, not sending the command/request.

I wouldn't care about this, except that libmilter has some "state"
validation code, which only allows a "transition" from a given command
type to specific other command types. The transition from SMFIC_MAIL to
SMFIC_HEADER without SMFIC_RCPT in-between is deemed illegal.
Consequently, libmilter calls the abort callback. However, this doesn't
seem to do anything useful, such as send an error back to postfix, drop
the socket, etc. Instead, libmilter simply never sends anything back,
leaving postfix to time out communicating with the milter. Specifically,
the postfix logs say:

Sep  9 23:16:21 severn postfix/cleanup[18710]: warning: milter inet:2092: can't read SMFIC_BODYEOB reply packet header: Connection timed out

Sep  9 23:16:21 severn postfix/cleanup[18710]: CBC29E45B7: milter-reject: END-OF-MESSAGE from unknown[99.99.99.1]: 4.7.1 Service unavailable - try again later; from= to= proto=ESMTP helo=

This seems like a bug in libmilter; the milter protocol allows
SMFIP_NORCPT to be set (which should request skipping the SMFIC_RCPT
message). However, if that is done, libmilter will reject the transition.

Does anyone have any clues what's up? It seems a little unlikely that
nobody has ever written a milter that doesn't care about RCPTs. I feel I've
got to be missing something!

To work around this, I simply defined a stub envrcpt() function in my
pymilter class. This causes an SMFIP value of 0x42790 to be negotiated,
which is the same as before except SMFIP_NR_RCPT is not set. In turn,
this causes postfix to send the SMFIC_RCPT command to the milter, and
everything works OK.

Any help greatly appreciated!
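
The flag decoding and the missing-command observation from this post, as an added example that is not part of the original message, pymilter, libmilter or Postfix: it decodes a negotiated SMFIP mask, diffs two masks, and lists the commands an observed session lacks even though the mask does not suppress them. Bit values are those of libmilter's mfdef.h; the function names are hypothetical, and the check assumes a message with at least one accepted recipient and one header.

```python
# Protocol-step bits from libmilter's mfdef.h (sendmail 8.14), in bit order.
SMFIP = {
    "SMFIP_NOCONNECT": 0x000001, "SMFIP_NOHELO": 0x000002,
    "SMFIP_NOMAIL": 0x000004, "SMFIP_NORCPT": 0x000008,
    "SMFIP_NOBODY": 0x000010, "SMFIP_NOHDRS": 0x000020,
    "SMFIP_NOEOH": 0x000040, "SMFIP_NR_HDR": 0x000080,
    "SMFIP_NOUNKNOWN": 0x000100, "SMFIP_NODATA": 0x000200,
    "SMFIP_SKIP": 0x000400, "SMFIP_RCPT_REJ": 0x000800,
    "SMFIP_NR_CONN": 0x001000, "SMFIP_NR_HELO": 0x002000,
    "SMFIP_NR_MAIL": 0x004000, "SMFIP_NR_RCPT": 0x008000,
    "SMFIP_NR_DATA": 0x010000, "SMFIP_NR_UNKN": 0x020000,
    "SMFIP_NR_EOH": 0x040000, "SMFIP_NR_BODY": 0x080000,
    "SMFIP_HDR_LEADSPC": 0x100000,
}

# Command letter withheld by each "do not send" bit (letters as in the post).
# Only steps that occur for every delivered message are listed.
WITHHOLDS = {
    "SMFIP_NOCONNECT": "C", "SMFIP_NOHELO": "H", "SMFIP_NOMAIL": "M",
    "SMFIP_NORCPT": "R", "SMFIP_NOHDRS": "L", "SMFIP_NOEOH": "N",
}


def decode(mask):
    """Names of the SMFIP bits set in mask, lowest bit first."""
    return [name for name, bit in SMFIP.items() if mask & bit]


def unknown_bits(mask):
    """Bits in mask that mfdef.h does not define (0 if none)."""
    return mask & ~sum(SMFIP.values())


def changed(old, new):
    """(bits cleared, bits added) when going from old mask to new mask."""
    return decode(old & ~new), decode(new & ~old)


def missing_commands(mask, seen):
    """Commands the mask still asks for that are absent from the capture.

    `seen` is the sequence of command letters observed on the wire,
    with the "D" macro definitions already removed.
    """
    wanted = [cmd for flag, cmd in WITHHOLDS.items() if not mask & SMFIP[flag]]
    return [cmd for cmd in wanted if cmd not in seen]


# Values reported in the post: the failing and the working negotiation,
# and the command letters seen in the capture of the failing session.
FAILING, WORKING = 0x4A790, 0x42790
SEEN_FAILING = "CHMLNE"

if __name__ == "__main__":
    print("failing mask :", ", ".join(decode(FAILING)))
    print("changed bits :", changed(FAILING, WORKING))
    print("missing cmds :", missing_commands(FAILING, SEEN_FAILING))
```
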


Re: hardisk space is running low, 10% left

2009-09-09 Thread Paul Beard


On Sep 9, 2009, at 10:42 PM, liyas m wrote:

> I have xserve set as email server running postfix. The client is
> squirrelmail. It seems that a lot of spammers are attacking the server
> and the system hard disk is getting eaten up 1% per day. I have
> checked the log file (deleted some of the files) and updated to the
> latest update available.



Not really a postfix problem as a spam problem. Consider tightening up  
how you filter inbound mail and/or adding greylisting or some other  
techniques.

--
Paul Beard
contact info: www.paulbeard.org/paulbeard.vcf

Are you trying to win an argument or solve a problem?



Problem with spam messages

2009-09-09 Thread an...@iguanait.com
Hi,

In our two mail servers I have been seeing this in the last weeks:

non-SMTP command from 250.84.221.62.dyn.idknet.com[62.221.84.250]:
From: ? VIAGRA ? Official Site

How can I block these accesses?

Our system is:

Centos 5.3 - postfix-2.3.3-2.1.el5_2 -
amavisd-maia-2.2.1-2_1.0.2.centos5 - clamd-0.95.2-4.el5.rf -
spamassassin-3.2.5-1.el5.rf.

This is our configuration:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_process_limit = 200
default_transport = smtp
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
local_recipient_maps = hash:/etc/mailman/aliases,
    ldap:/etc/postfix/ldap-aliases.cf
mail_owner = postfix
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_use = 10
message_size_limit = 16777216
mydestination = $myhostname,localhost.$mydomain,localhost,
    localhost.localdomain
mydomain = $myhostname
myhostname = myhost.domain.tld
mynetworks = 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains = $myhostname,localhost,  hash:/etc/postfix/relay_domains
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client combined.njabl.org,
    permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/access_helo,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    permit
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/access_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf
smtpd_sender_restrictions = reject_non_fqdn_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access_sender,
    check_client_access cidr:/etc/postfix/access_client,
    reject_sender_login_mismatch,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit
smtpd_tls_CAfile = /etc/pki/tls/certs/gd_intermediate_bundle.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport,
    hash:/etc/postfix/transport_domains
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/destination_domains
virtual_alias_maps = hash:/etc/postfix/virtual,
    ldap:/etc/postfix/ldap-aliases.cf


Thanks in advance!