Re: Postfix 2.6.x slow

2009-10-06 Thread Stan Hoeppner
Eric Vaughn put forth on 10/5/2009 7:17 PM:
> Are there any new features to postfix 2.6.x that would cause it to be slow?
> 
> Other than the obvious suspects; stress adaptive behavior, logging,
> ulimit (running out of file descriptors).
> 
> We are a very high volume site, we use postfix only as a proxy to
> decrypt TLS and then pass traffic downstream to other clients.

[snip]

Is the new server plugged into the same switch port(s) as the old
server, or a different switch port, or another switch entirely?  Have
you confirmed the NIC(s) are running at the same link speed as the old
server, and running FDX and with no/minimal packet loss?  Have you
swapped patch cables yet?  Is the new server bound with the same IP
address(es) as the old server, and if not, is it on the same routing
subnet as the old server?  If the disk is SCSI, have you confirmed the
controller and disk are sync'ing at the highest mode supported by each?
 Are you using any kind of remote lookup (e.g. LDAP) per connection to a
remote host that might be injecting latency possibly due to a different
network path than before?  Are you doing a DNS lookup (or multiple) per
connection that may now be injecting latency for some reason, different
route maybe?  Did you point the new host at a different set of DNS
servers than the old host?  Is the kernel tick rate (config_hz)
different going from CentOS 5.0 to 5.3?  Are there any other kernel or
daemon timing difference between 5.0 and 5.3?

That's about all I can think of for now.  You've probably already
covered all of these but I'm throwing them out there just in case.  I've
been in your shoes before, and sometimes it's something "obvious" that
we just completely overlook, then pull our hair out (if you have any
unlike me) for days until the solution pops into our heads.

Good luck.

--
Stan


Re: Postfix 2.6.x slow

2009-10-06 Thread Wietse Venema
Eric Vaughn:
> The list of changes (we upgraded a spare server to swap in as a replacement):
> OLD   NEW
> Centos 5.0.   Centos 5.3 (yum update all)
> i386.  x64
> 2.4 ghrz cpu. 2.83 ghrz cpu
> 4 gigs ram.   4 gigs ram
> Openssl 0.9.8b   0.9.8e (with all security updates included with "yum 
> update all", which should have all available openssl patches)

My goodness, they replaced everything.

I think you first want to find out that Postfix can resolve DNS
properly. Do some tests inbound (smtpd) and outbound (smtp). A 5s
delay sounds like a bad resolv.conf file (or even bad resolver
libraries under /var/spool/postfix). Turn off chroot in master.cf.
Turn off all kinds of other stuff until performance changes then
investigate the guilty component.

Unfortunately I cannot provide lots of hand-holding. It's
not part of the deal.

Wietse


Re: ipv6 and smart(er) relaying

2009-10-06 Thread Dave Täht
wie...@porcupine.org (Wietse Venema) writes:

> Dave Täht:
>> wie...@porcupine.org (Wietse Venema) writes:
>> 
>> > Dave Taht:
>> >> So what I think I want to do is setup fallback relaying as follows:
>> >> 
>> >> MX 5  mylaptop.example.org # if my laptop's up send mail there
>> >> MX 10 mytinyarmbox.example.org # if not, try my arm box
>> >> MX 20 mysmarthost.example.org # otherwise, default to my well connected 
>> >> host
>> > ...
>> >> Problem 1) I am under the impression from a foggy memory of reading some
>> >> RFC or other, that at minimum, 2 MX records will be tried. So adding a
>> >> third might introduce problems with some MTAs that ONLY do 2 MX records,
>> >> in that far off day when more stuff speaks ipv6 directly, or when it
>> >> fails to fallback to my third, primary smarthost.
>> >
>> > SMTP is defined in RFCs and the ones concerning SMTP are RFC 821,
>> > RFC 2821, and RFC 5321. By now, most mail systems in existence will
>> > be built after RFC 2821, which says "the SMTP client SHOULD try at
>> > least two addresses". With three MX hosts you're operating outside
>> > the recommendation.
>> 
>> Many hosts seem to have more than 2 MX records. Gmail, for example,
>
> Unlike your unsupported configuration, gmail etc. do NOT require
> that a client tries MORE THAN TWO addresses.
>
>   Wietse

I implemented bind9 views to present 2 MX records to the world, and 3 to
my internal servers, with multiple smtp_fallback_relays as per your
suggestions. Postfix is smart enough to figure it all out.

The tiny arm box is working well now.

Most of my remaining problems re email are DNS related and not relevant
to this list, so I have been making updates to my blog regarding this
project and the problems I've made for myself.

Thanks for the help!

-- 
Dave Taht http://the-edge.blogspot.com


Re: ipv6 and smart(er) relaying

2009-10-06 Thread Dave Täht
d...@teklibre.org (Dave Täht) writes:

One unanswered question from this series of emails:

>> Dave Taht:
>
> Would you take a patch that would let a crazed administrator disable
> *sending* mail on different protocols?
>
> The simplest version would implement something like:
>
> smtp_try_sendprotocol: all, ipv4, ipv6
>
> A more complex version would let you specify the protocols your
> configuration would try.
>
> smtp_try_sendprotocol_my_networks: all, ipv4, ipv6
> smtp_try_sendprotocol_my_relays: all, ipv4, ipv6
>

Maybe there's a way to do this already...


-- 
Dave Taht http://the-edge.blogspot.com


ipv6 and smart(er) relaying

2009-10-06 Thread Stan Hoeppner
Dave Täht put forth on 10/6/2009 10:02 AM:
> d...@teklibre.org (Dave Täht) writes:
> 
> One unanswered question from this series of emails:
> 
>>> Dave Taht:
>> Would you take a patch that would let a crazed administrator disable
>> *sending* mail on different protocols?
>>
>> The simplest version would implement something like:
>>
>> smtp_try_sendprotocol: all, ipv4, ipv6
>>
>> A more complex version would let you specify the protocols your
>> configuration would try.
>>
>> smtp_try_sendprotocol_my_networks: all, ipv4, ipv6
>> smtp_try_sendprotocol_my_relays: all, ipv4, ipv6
>>
> 
> Maybe there's a way to do this already...

The world is going to force you to send your SMTP IPv6 email through an
IPv4 gateway for a very, very, very long time.  Your time in this regard
would be much better spent building a new supercharged 440 Hemi to drop
into a '70 Barracuda that you've redone from the frame rails up. ;)
That's a much more worthy use of your time.

--
Stan


Error message delivery status: 450 4.7.1 Client host rejected: cannot find your hostname, [207.xxx.xxx.xxx]

2009-10-06 Thread Carl A jeptha
Some of our clients' contacts are getting the above message. I have checked
the hostname and ip number and they do not correspond.

Are we being too restrictive???

If required I will post my config file.

--
You have a Good Day now,


Carl A Jeptha
http://www.airnet.ca
Office Phone: 905 349-2084
Office Hours: 9:00am - 5:00pm
skype cajeptha


Re: ipv6 and smart(er) relaying

2009-10-06 Thread Dave Täht
Stan Hoeppner  writes:

> Dave Täht put forth on 10/6/2009 10:02 AM:
>> d...@teklibre.org (Dave Täht) writes:
>> 
>> One unanswered question from this series of emails:
>> 
>>>> Dave Taht:
>>> Would you take a patch that would let a crazed administrator disable
>>> *sending* mail on different protocols?
>>>
>>> The simplest version would implement something like:
>>>
>>> smtp_try_sendprotocol: all, ipv4, ipv6
>>>
>>> A more complex version would let you specify the protocols your
>>> configuration would try.
>>>
>>> smtp_try_sendprotocol_my_networks: all, ipv4, ipv6
>>> smtp_try_sendprotocol_my_relays: all, ipv4, ipv6
>>>
>> 
>> Maybe there's a way to do this already...
>
> The world is going to force you to send your SMTP IPv6 email through an
> IPv4 gateway for a very, very, very long time.  Your time in this regard

It's not going to force ME to send MY mail through an ipv4 gateway, nor
on any other of the networks I run. Setting up ipv6 is too easy nowadays
and direct p2p connectivity from secure site to secure site too useful
to give up.

> would be much better spent building a new supercharged 440 Hemi to drop
> into a '70 Barracuda that you've redone from the frame rails up. ;)
> That's a much more worthy use of your time.

Heh. Aforementioned vehicle would also have to have "Damnation Alley"
tires to survive more than a few miles where I live.

I'll think about it... but getting/sending my email reliably during fits
of internet inaccess is far more important than traveling anywhere,

>
> --
> Stan
>

-- 
Dave Taht http://the-edge.blogspot.com
"Most people know my father as the despotic 
 warlord that rules europa but he does have his 
 musing sparky qualities.

 Do you know he really loves waffles?" 
 - Gil Wulfenbach


Re: Error message delivery status: 450 4.7.1 Client host rejected: cannot find your hostname, [207.xxx.xxx.xxx]

2009-10-06 Thread Eero Volotinen

Carl A jeptha wrote:
> Some of our clients' contacts are getting the above message. I have checked
> the hostname and ip number and they do not correspond.
>
> Are we being too restrictive???
>
> If required I will post my config file.


Sounds like reverse problem in dns. Post your config file (postconf -n)

--
Eero


Re: Error message delivery status: 450 4.7.1 Client host rejected: cannot find your hostname, [207.xxx.xxx.xxx]

2009-10-06 Thread Noel Jones

On 10/6/2009 10:58 AM, Carl A jeptha wrote:
> Some of our clients' contacts are getting the above message. I have checked
> the hostname and ip number and they do not correspond.
> Are we being too restrictive???

If you're rejecting mail you want, then you're being too
restrictive.

> If required I will post my config file.

If you need a more specific answer, we need more specific
information.

http://www.postfix.org/DEBUG_README.html#mail

  -- Noel Jones


Re: Error message delivery status: 450 4.7.1 Client host rejected: cannot find your hostname, [207.xxx.xxx.xxx]

2009-10-06 Thread Eero Volotinen

Carl A jeptha wrote:
> Some of our clients' contacts are getting the above message. I have checked
> the hostname and ip number and they do not correspond.
>
> Are we being too restrictive???
>
> If required I will post my config file.

You are rejecting clients with non-working dns (A and PTR must point to
the same record).

Remove reject_unknown_reverse_client_hostname if you want this to work or
ask client to fix reverse chains in dns ;)


--
Eero
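
Added example, not part of the thread: the PTR-then-forward check described above, with the lookups injectable so it can be run offline. The state names, the constructed DNS tables and the helper names are assumptions; the mapping of states to restrictions follows the descriptions in postconf(5), and temporary DNS errors are collapsed into "no answer" here for simplicity.

```python
import ipaddress
import socket


def system_reverse(ip):
    """PTR lookup through the system resolver; None when no name is returned."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name):
    """A/AAAA lookup through the system resolver; empty list on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []


def classify_client(ip, reverse=system_reverse, forward=system_forward):
    """Return (state, ptr_name) for a connecting client address."""
    client = ipaddress.ip_address(ip)
    name = reverse(ip)
    if not name:
        return "no-ptr", None                      # address -> name fails
    addrs = forward(name)
    if not addrs:
        return "name-does-not-resolve", name       # name -> address fails
    # Compare parsed addresses so different IPv6 spellings still match.
    parsed = {ipaddress.ip_address(a.split("%")[0]) for a in addrs}
    if client not in parsed:
        return "forward-mismatch", name            # name resolves elsewhere
    return "verified", name


# Which DNS states each restriction rejects, per postconf(5).
REJECTED_BY = {
    "reject_unknown_reverse_client_hostname": {"no-ptr"},
    "reject_unknown_client_hostname": {
        "no-ptr", "name-does-not-resolve", "forward-mismatch"},
}


def rejecting_restrictions(state):
    return sorted(name for name, states in REJECTED_BY.items() if state in states)


# Constructed DNS data (documentation address range), standing in for real lookups.
CONSTRUCTED_PTR = {
    "192.0.2.1": "mail.example.org",
    "192.0.2.2": "ghost.example.org",
    "192.0.2.3": "other.example.org",
}
CONSTRUCTED_FWD = {
    "mail.example.org": ["192.0.2.1"],
    "other.example.org": ["192.0.2.99"],
}


def sample_forward(name):
    return CONSTRUCTED_FWD.get(name, [])


if __name__ == "__main__":
    for addr in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"):
        state, name = classify_client(addr, CONSTRUCTED_PTR.get, sample_forward)
        print(addr, name, state, rejecting_restrictions(state))
```

Calling `classify_client(ip)` without the two stub arguments uses the system resolver, which is how a rejected sender's address can be checked from the mail server itself.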


Re: Postfix 2.6.x slow

2009-10-06 Thread Victor Duchovni
On Mon, Oct 05, 2009 at 05:17:54PM -0700, Eric Vaughn wrote:

> Are there any new features to postfix 2.6.x that would cause it to be
> slow?

Eric, your post is premature. You don't yet have measurements showing Postfix
2.6 to be "slow". Let's get the volume comparisons, and tcpdump captures
of both the incoming TLS, and the outgoing decrypted sessions.

Once I see your Postfix 2.6 actually being slower, and not anecdotal
impressions, we'll take it from there...

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: ipv6 and smart(er) relaying

2009-10-06 Thread Wietse Venema
Dave Täht:
> d...@teklibre.org (Dave Täht) writes:
> 
> One unanswered question from this series of emails:
> 
> >> Dave Taht:
> >
> > Would you take a patch that would let a crazed administrator disable
> > *sending* mail on different protocols?
> >
> > The simplest version would implement something like:
> >
> > smtp_try_sendprotocol: all, ipv4, ipv6
> >
> > A more complex version would let you specify the protocols your
> > configuration would try.
> >
> > smtp_try_sendprotocol_my_networks: all, ipv4, ipv6
> > smtp_try_sendprotocol_my_relays: all, ipv4, ipv6
> >
> 
> Maybe there's a way to do this already...

Postfix sorts the remote SMTP server IP addresses by MX preference,
which are numbers in the range 0..32767. The next step is to avoid
backup MX loops: for this, the Postfix SMTP client must remove all
MX addresses that have the same or worse preference than Postfix's
own IP address.

To give preference for IPvX over IPvY, it is sufficient to tweak
those preference numbers.  For example, one could multiply the MX
preferences by 2, then add 1 if the address belongs to the less
preferred protocol. With this, Postfix can still correctly avoid
backup MX loops (the address elimination becomes a little trickier,
though).

Wietse
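
Added example, not Postfix code and not part of the thread: the preference tweak described above (2 × preference, plus 1 for the less preferred protocol) applied to the MX set from earlier in this thread, together with backup-MX loop elimination. The extra host `peer.example.org`, all addresses (documentation ranges) and the function names are constructed; eliminating on the original preference rather than the tweaked number is this example's reading of why the elimination "becomes a little trickier".

```python
import ipaddress
from typing import NamedTuple


class MxAddr(NamedTuple):
    host: str   # MX target name
    pref: int   # MX preference as published in DNS
    addr: str   # one A or AAAA address of that host


def biased_pref(entry, preferred_version):
    """2 * preference, plus 1 when the address is the less preferred protocol."""
    version = ipaddress.ip_address(entry.addr).version
    return entry.pref * 2 + (0 if version == preferred_version else 1)


def own_entries(entries, own_addrs):
    own = {ipaddress.ip_address(a) for a in own_addrs}
    return [e for e in entries if ipaddress.ip_address(e.addr) in own]


def _sorted(entries, preferred_version):
    return sorted(entries,
                  key=lambda e: (biased_pref(e, preferred_version), e.host, e.addr))


def delivery_order(entries, own_addrs, preferred_version=6):
    """Loop-safe: eliminate on the original preference, sort on the biased one."""
    mine = own_entries(entries, own_addrs)
    cutoff = min(e.pref for e in mine) if mine else None
    keep = [e for e in entries if cutoff is None or e.pref < cutoff]
    return _sorted(keep, preferred_version)


def naive_order(entries, own_addrs, preferred_version=6):
    """Flawed variant: eliminates on the biased number of our own address."""
    mine = own_entries(entries, own_addrs)
    cutoff = min(biased_pref(e, preferred_version) for e in mine) if mine else None
    keep = [e for e in entries
            if cutoff is None or biased_pref(e, preferred_version) < cutoff]
    return _sorted(keep, preferred_version)


def pairs(order):
    return [(e.host, e.addr) for e in order]


# Constructed sample: the three MX hosts from the thread plus an
# equal-preference peer that is reachable over IPv6 only.
SAMPLE = [
    MxAddr("mylaptop.example.org", 5, "2001:db8::5"),
    MxAddr("mylaptop.example.org", 5, "192.0.2.5"),
    MxAddr("mytinyarmbox.example.org", 10, "192.0.2.10"),
    MxAddr("peer.example.org", 10, "2001:db8::11"),
    MxAddr("mysmarthost.example.org", 20, "2001:db8::20"),
    MxAddr("mysmarthost.example.org", 20, "192.0.2.20"),
]

if __name__ == "__main__":
    me = ["192.0.2.10"]  # we are the arm box, listed with an IPv4 address only
    print("loop-safe:", pairs(delivery_order(SAMPLE, me)))
    # The naive cutoff is 21 (our own IPv4 entry), so the equal-preference
    # peer at biased value 20 survives and mail can bounce between backups.
    print("naive:    ", pairs(naive_order(SAMPLE, me)))
```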


Using Postfix WARN Action Properly

2009-10-06 Thread Rich Shepard

   The Postfix book tells me that using the WARN option on a restriction
(such as in the /etc/postfix/header_checks file) logs the warning while
delivering the message. However, there is apparently no marking of the
message so it's clearly identified as one that tripped that warning.

   I want to examine delivered messages that contain
"Content-Transfer-Encoding: base64" in the header. Adding that string to the
header_checks file with a WARN option does not explicitly identify those
messages.

   Use of the warn action is not giving me the results I want. How should I
be doing this? Alternatively, if I use the HOLD option instead, where are
those messages held until I can examine them?

Rich


Re: Using Postfix WARN Action Properly

2009-10-06 Thread Ralf Hildebrandt
* Rich Shepard :
> The Postfix book tells me that using the WARN option on a restriction
> (such as in the /etc/postfix/header_checks file) logs the warning while
> delivering the message. However, there is apparently no marking of the
> message so it's clearly identified as one that tripped that warning.

Usually you can identify the message using sender, recipient and/or
message-id:

Oct  6 22:59:28 mail postfix/cleanup[2703]: 75B5C1C360A: warning: header 
Subject: AARON LORDSON ON A TALENT SHOW !! from
server009.hostspectrum.com[64.92.105.16]; from= 
to= proto=ESMTP helo=

using the QueueID I can retrieve the message-id:

Oct  6 22:59:28 mail postfix/cleanup[2703]: 75B5C1C360A: 
message-id=<201f6b9c8267c0517c1cd88b1fb52...@lordsons-macbook-pro.local>

> I want to examine delivered messages that contain
> "Content-Transfer-Encoding: base64" in the header. 

Basically that would be all messages...

> Adding that string to the header_checks file with a WARN option does
> not explicitly identify those messages.
> 
> Use of the warn action is not giving me the results I want. How should I
> be doing this? Alternatively, if I use the HOLD option instead, where are
> those messages held until I can examine them?

What exactly is it that you want to do?
In real life almost ALL mails are base64 encoded...

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de
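
Added example, not part of the original message: the queue-ID correlation described above, as a parser that pairs each cleanup "warning: header" line with the message-id logged for the same queue ID. The log lines are constructed (documentation addresses and domains), and the regular expressions assume the usual `from=<...> to=<...>` form of these records.

```python
import re

# cleanup's record for a header_checks WARN match.
WARN_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-Za-z]+): warning: header "
    r"(?P<header>.*) from (?P<client>[^\s;]+\[[^\]]+\]); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
# cleanup's message-id record for the same queue file.
MSGID_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-Za-z]+): message-id=(?P<msgid>\S+)"
)


def correlate(lines):
    """Return one dict per WARN hit, with the message-id attached when logged."""
    lines = list(lines)
    # First pass: queue ID -> message-id (the two records can come in either order).
    msgids = {}
    for line in lines:
        m = MSGID_RE.search(line)
        if m:
            msgids[m["qid"]] = m["msgid"]
    # Second pass: collect the warnings and join on the queue ID.
    hits = []
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            hit = m.groupdict()
            hit["message_id"] = msgids.get(hit["qid"])
            hits.append(hit)
    return hits


# Constructed sample log: one warned message with a message-id, one message
# that tripped no warning, and one warned message with no message-id record.
SAMPLE_LOG = [
    "Oct  6 22:59:28 mail postfix/cleanup[2703]: 75B5C1C360A: warning: header "
    "Content-Transfer-Encoding: base64 from mx.example.net[192.0.2.25]; "
    "from=<a@example.net> to=<rich@example.org> proto=ESMTP helo=<mx.example.net>",
    "Oct  6 22:59:28 mail postfix/cleanup[2703]: 75B5C1C360A: "
    "message-id=<20091006.0001@example.net>",
    "Oct  6 23:01:02 mail postfix/cleanup[2710]: 8A1F21C360B: "
    "message-id=<20091006.0002@example.com>",
    "Oct  6 23:04:40 mail postfix/cleanup[2711]: 9C3D01C360C: warning: header "
    "Content-Transfer-Encoding: base64 from unknown[198.51.100.7]; "
    "from=<> to=<rich@example.org> proto=SMTP helo=<host>",
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(hit["qid"], hit["client"], hit["sender"] or "<>", hit["message_id"])
```

Queue IDs are reused over time, so run this over one bounded slice of the log, and treat the logged header text as untrusted input because the sender controls it.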



Re: Using Postfix WARN Action Properly

2009-10-06 Thread Wietse Venema
Rich Shepard:
> The Postfix book tells me that using the WARN option on a restriction
> (such as in the /etc/postfix/header_checks file) logs the warning while
> delivering the message. However, there is apparently no marking of the
> message so it's clearly identified as one that tripped that warning.
> 
> I want to examine delivered messages that contain
> "Content-Transfer-Encoding: base64" in the header. Adding that string to the
> header_checks file with a WARN option does not explicitly identify those
> messages.

Perhaps "warn" is not the right concept for inspecting mail.
Options more directly related to mail inspection would be:

hold    Freeze the mail in the queue until acted upon.

filter  Divert the message into some external program.

filter has its own documentation, FILTER_README, also on-line
as http://www.postfix.org/FILTER_README.html.

> Use of the warn action is not giving me the results I want. How should I
> be doing this? Alternatively, if I use the HOLD option instead, where are
> those messages held until I can examine them?

Frozen mail can be inspected with "postcat -q queueid", or
deleted/requeued with the "postsuper" command.

Wietse


Re: Using Postfix WARN Action Properly

2009-10-06 Thread Rich Shepard

On Tue, 6 Oct 2009, Ralf Hildebrandt wrote:

>>    I want to examine delivered messages that contain
>> "Content-Transfer-Encoding: base64" in the header.
>
> Basically that would be all messages...

Ralf,

  I asked locally about that because much of the spam I receive is coded
base64 while almost all other traffic is either encoded 7bits or doesn't
have a Content-Transfer-Encoding specification in the header.

> What exactly is it that you want to do. In real life almost ALL mails are
> base64 encoded...


  I want to explore the possibility of using this to identify spam that is
obfuscated and passes the other postfix UCE filters. There are some
persistent spammers with the same text string in the body of the message
that I can initially catch with a body_checks filter. But, soon the messages
make it into my inbox despite that phrase being in the body_checks. Looking
at the headers of these I see the "Content-Transfer-Encoding: base64" line,
and I don't see it in other messages in my inbox. I think that alpine
automatically decodes them after postfix hands them off to procmail so the
UCE filters stop working.

Rich


Re: Using Postfix WARN Action Properly

2009-10-06 Thread Rich Shepard

On Tue, 6 Oct 2009, Wietse Venema wrote:

> Perhaps "warn" is not the right concept for inspecting mail. Options more
> directly related to mail inspection would be:
>
> hold    Freeze the mail in the queue until acted upon.
>
> Frozen mail can be inspected with "postcat -q queueid", or
> deleted/requeued with the "postsuper" command.


Wietse,

  Thank you. I'll try this instead of the warn action.

Rich


postfix mail.cf help please

2009-10-06 Thread Owen Townsend

Hi postfix-users@postfix.org:

Note - This email is same as prior email (subject mail.cf help please)
- resending because I had not completed the list subscription process
when I sent the 1st 1
(saw a note that said such emails would be ignored)

--- same as prior email (if you got it) 


Can you help me with the postfix configuration file attached.

I want to  mail from Linux logged in user accounts to the internet
and more importantly from Korn shell scripts to the internet.
so scripts running by cron could email error situations to people at home.
I want to receive this from the internet on my Thunderbird on same or any system


linux comes with sendmail activated, but my book
- Red Hat Linux Networking & System Administration
- 3rd edition Terry Collings & Kurt Wall
strongly recommend 'postfix' (easier configuration)
so I switched as per pages 479 - 483
- mounted redhat system disc & used rpm to install postfix:
mount /dev/cdrom /mnt
rpm -ivh /mnt/Server/postfix-2.3.3-2.x86_64.rpm

I have attached the config file /etc/postfix/main.cf
The only thing I changed was relayhost about line 320

disable_dns_lookup = yes
relayhost = [192.168.0.1]   <-- my router gateway
relayhost=[74.55.86.74] <-- smtp.webfaction.com

See page 482 & 483 of Collings & Wall
'running postfix behind firewall or gateway'
for 'internal network that does not have direct connection to internet'
This seems to describe my situation
-  using a router whose gateway address to the internet is 192.168.0.1

Page 483 gave the example of 192.168.0.1, so I tried that 1st then
smtp.webfaction.com [74.55.86.74] BUT neither works

For following tests I set my router to DMZ for my linux computer
I am mailing from user 'uvadm' to o...@uvsoftware.ca (my email at ISP webfaction.com)

I have attached results extracted from /var/log/maillog

test#1 - with relayhost = [192.168.0.1]
 - router DMZ set to 192.168.0.4 (my linux computer)
mail o...@uvsoftware.ca - see results in maillog5 attached
test#2 - with relayhost = [74.55.86.74] (smtp.webfaction.com)

 - router DMZ set to 127.0.0.1 (my linux computer)
mail o...@uvsoftware.ca - see results in maillog6 attached
I am using Thunderbird to receive emails from internet

I do not want to receive any email on the postfix system
mail between logged on users works OK

Note - I see 'sendmail' msgs in the logs, so to prove sendmail is NOT running
and 'postfix' is running, I have attached sys_listall
  - which is ps/grep for sendmail & postfix
    and chkconfig --list for sendmail & postfix

Hope you can help me with the postfix configuration.

Thanks, Owen



Re: Using Postfix WARN Action Properly

2009-10-06 Thread Stan Hoeppner
Rich Shepard put forth on 10/6/2009 4:38 PM:
> On Tue, 6 Oct 2009, Ralf Hildebrandt wrote:
> 
>>>I want to examine delivered messages that contain
>>> "Content-Transfer-Encoding: base64" in the header.
>>
>> Basically that would be all messages...
> 
> Ralf,
> 
>   I asked locally about that because much of the spam I receive is coded
> base64 while almost all other traffic is either encoded 7bits or doesn't
> have a Content-Transfer-Encoding specification in the header.

Hi Rich,

Would you please forward me a few copies (off list), with full headers,
of the spams causing you this grief, and also a list of all the IPs that
have sent you this particular kind of spam.

Thanks.

--
Stan

P.S.  Please also join the spam-l spam fighters mailing list:
http://spam-l.com/mailman/listinfo/spam-l


Re: postfix mail.cf help please

2009-10-06 Thread Noel Jones

On 10/6/2009 4:42 PM, Owen Townsend wrote:
> Hi postfix-users@postfix.org:
>
> Note - This email is same as prior email (subject mail.cf help please)
> - resending because I had not completed the list subscription process
> when I sent the 1st 1
> (saw a note that said such emails would be ignored)
>
> --- same as prior email (if you got it)
>
> Can you help me with the postfix configuration file attached.

Nothing attached.  more comments below.

> I want to mail from Linux logged in user accounts to the internet
> and more importantly from Korn shell scripts to the internet.
> so scripts running by cron could email error situations to people at home.
> I want to receive this from the internet on my Thunderbird on same or
> any system

Please see
http://www.postfix.org/documentation.html
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/SOHO_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html

For example configurations.

> disable_dns_lookup = yes

Don't do that.

> relayhost = [192.168.0.1] <-- my router gateway
> relayhost=[74.55.86.74] <-- smtp.webfaction.com

There need to be spaces around the " = "

> See page 482 & 483 of Collings & Wall

We don't have that book.

> Note - I see 'sendmail' msgs in the logs, so to prove sendmail is NOT
> running

If "sendmail" is logged, you are still using sendmail, not
postfix.

> Hope you can help me with the postfix configuration.

If you need more help, please follow the directions you
received when you signed up for the list a few minutes ago.
Here's another copy:

http://www.postfix.org/DEBUG_README.html#mail


  -- Noel Jones


Re: ipv6 and smart(er) relaying

2009-10-06 Thread Dave Täht
wie...@porcupine.org (Wietse Venema) writes:

> Dave Täht:
>> d...@teklibre.org (Dave Täht) writes:
>> 
>> One unanswered question from this series of emails:
>> 
>> >> Dave Taht:
>> >
>> > Would you take a patch that would let a crazed administrator disable
>> > *sending* mail on different protocols?
>> >
>> > The simplest version would implement something like:
>> >
>> > smtp_try_sendprotocol: all, ipv4, ipv6
>> >
>> > A more complex version would let you specify the protocols your
>> > configuration would try.
>> >
>> > smtp_try_sendprotocol_my_networks: all, ipv4, ipv6
>> > smtp_try_sendprotocol_my_relays: all, ipv4, ipv6
>> >
>> 
>> Maybe there's a way to do this already...
>
> Postfix sorts the remote SMTP server IP addresses by MX preference,
> which are numbers in the range 0..32767. The next step is to avoid
> backup MX loops: for this, the Postfix SMTP client must remove all
> MX addresses that have the same or worse preference than Postfix's
> own IP address.
>
> To give preference for IPvX over IPvY, it is sufficient to tweak
> those preference numbers.  For example, one could multiply the MX
> preferences by 2, then add 1 if the address belongs to the less
> preferred protocol. With this, Postfix can still correctly avoid
> backup MX loops (the address elimination becomes a little trickier,
> though).


In my case, the mail servers involved are generally behind ipv4 NAT and
thus will not have a correct reverse lookup. 

If they try to connect at all with other ipv4 servers on the net, some
will no doubt be rejected (rightly) due to anti-spam measures. 

They need to iterate through the ipv6 enabled components of the mx list,
then fall back to the dual homed smart host(s).

They do (all but one that I'm trying to get fixed today (and coping with
reverse DNS is a major hassle with ipv6)) have a valid reverse for ipv6
addresses.

You make a good point about the possibility of invoking a mx loop if
filtering of mx records and smart hosts is combined. I will try to wrap
my head around it and the code this weekend.

-- 
Dave Taht http://the-edge.blogspot.com


So--how do I set up localhost to not require authentication

2009-10-06 Thread Patrick Horgan
I'd like email from localhost to not require certificates or 
authentication--especially since we assume that people on the machine, 
or tunneling to the machine have already passed some level of 
authentication.  How do I do it?


Patrick



Re: So--how do I set up localhost to not require authentication

2009-10-06 Thread Noel Jones

On 10/6/2009 7:16 PM, Patrick Horgan wrote:
> I'd like email from localhost to not require certificates or
> authentication--especially since we assume that people on the machine,
> or tunneling to the machine have already passed some level of
> authentication. How do I do it?
>
> Patrick



# main.cf
mynetworks = 127.0.0.1

and everywhere that you have "permit_sasl_authenticated", make 
sure it now says "permit_mynetworks, permit_sasl_authenticated".



  -- Noel Jones


Re: So--how do I set up localhost to not require authentication

2009-10-06 Thread Patrick Horgan

Noel Jones wrote:
> # main.cf
> mynetworks = 127.0.0.1
>
> and everywhere that you have "permit_sasl_authenticated", make sure it
> now says "permit_mynetworks, permit_sasl_authenticated".

Is the order significant, i.e. is permit_mynetworks,
permit_sasl_authenticated the same as
permit_sasl_authenticated,permit_mynetworks?


Patrick



Re: So--how do I set up localhost to not require authentication

2009-10-06 Thread Sahil Tandon
On Tue, 06 Oct 2009, Patrick Horgan wrote:

> Noel Jones wrote:
> ># main.cf
> >mynetworks = 127.0.0.1
> >
> >and everywhere that you have "permit_sasl_authenticated", make
> >sure it now says "permit_mynetworks, permit_sasl_authenticated".
> Is the order significant, i.e. is permit_mynetworks,

The order of restrictions is generally significant.

> permit_sasl_authenticated the same as
> permit_sasl_authenticated,permit_mynetworks?

No.  The first example does not allow networks specified in $mynetworks
to relay through your server without authentication.

-- 
Sahil Tandon 


Re: So--how do I set up localhost to not require authentication

2009-10-06 Thread Patrick Horgan




Sahil Tandon wrote:
>> Is the order significant, i.e. is permit_mynetworks,
>
> The order of restrictions is generally significant.
>
>> permit_sasl_authenticated the same as
>> permit_sasl_authenticated,permit_mynetworks?
>
> No.  The first example does not allow networks specified in $mynetworks
> to relay through your server without authentication.

Really!  I'm surprised, I would have thought the rule would be first
matched.   So permit_mynetworks,permit_sasl_authenticated won't allow
$mynetworks through without authentication?  Just asking for
verification because I'm so surprised!  (And because it seems to be
working just fine right now!)

patrick






Re: So--how do I set up localhost to not require authentication

2009-10-06 Thread Noel Jones

On 10/6/2009 8:06 PM, Patrick Horgan wrote:
> Sahil Tandon wrote:
>>> Is the order significant, i.e. is permit_mynetworks,
>>
>> The order of restrictions is generally significant.
>>
>>> permit_sasl_authenticated the same as
>>> permit_sasl_authenticated,permit_mynetworks?
>>
>> No.  The first example does not allow networks specified in $mynetworks
>> to relay through your server without authentication.
>
> Really! I'm surprised, I would have thought the rule would be first
> matched. So permit_mynetworks,permit_sasl_authenticated won't allow
> $mynetworks through without authentication? Just asking for verification
> because I'm so surprised! (And because it seems to be working just fine
> right now!)
>
> patrick


You misunderstood Sahil's answer.

Hopefully to clarify, Yes the order of restrictions is 
significant; first "permit" or "reject" match wins.


However, in the case of {permit_sasl_authenticated, 
permit_mynetworks} vs. {permit_mynetworks, 
permit_sasl_authenticated} the order is not significant.  If a 
client matches either of the restrictions, it will be 
considered "permit".  If the rule doesn't match at all 
(DUNNO), then continue processing with the next rule.



  -- Noel Jones
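
Added example, not Postfix code and not part of the thread: a small model of the evaluation rule stated above (first "permit" or "reject" wins, DUNNO moves on to the next restriction), run against the `mynetworks = 127.0.0.1` setting from this thread. The client records, the SASL user name and the trailing `reject` are constructed to show when order does and does not change the verdict.

```python
import ipaddress

PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"


def permit_mynetworks(client, cfg):
    """PERMIT when the client address is inside $mynetworks, else DUNNO."""
    ip = ipaddress.ip_address(client["addr"])
    nets = (ipaddress.ip_network(n) for n in cfg["mynetworks"])
    return PERMIT if any(ip in net for net in nets) else DUNNO


def permit_sasl_authenticated(client, cfg):
    """PERMIT when the session completed SASL authentication, else DUNNO."""
    return PERMIT if client.get("sasl_user") else DUNNO


def reject(client, cfg):
    """Unconditional reject, typically placed last in a list."""
    return REJECT


RESTRICTIONS = {
    "permit_mynetworks": permit_mynetworks,
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject": reject,
}


def evaluate(names, client, cfg):
    """Walk the list left to right; the first non-DUNNO result decides."""
    for name in names:
        verdict = RESTRICTIONS[name](client, cfg)
        if verdict != DUNNO:
            return verdict, name
    return DUNNO, None  # nothing matched; the decision falls to whatever follows


CFG = {"mynetworks": ["127.0.0.1"]}          # setting from the thread

# Constructed clients.
CLIENTS = {
    "local": {"addr": "127.0.0.1"},
    "remote_auth": {"addr": "203.0.113.9", "sasl_user": "alice"},
    "remote_anon": {"addr": "203.0.113.9"},
}

ORDER_A = ["permit_mynetworks", "permit_sasl_authenticated", "reject"]
ORDER_B = ["permit_sasl_authenticated", "permit_mynetworks", "reject"]
ORDER_C = ["reject", "permit_mynetworks", "permit_sasl_authenticated"]


def verdicts(names):
    return {who: evaluate(names, c, CFG)[0] for who, c in CLIENTS.items()}


if __name__ == "__main__":
    print("A:", verdicts(ORDER_A))   # two permits in either order: same outcome
    print("B:", verdicts(ORDER_B))
    print("C:", verdicts(ORDER_C))   # a reject ahead of the permits decides first
```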


Feature Request

2009-10-06 Thread Phillip Smith
Where is the best place to file a feature request? I can't find
anything on the website, although I may be a little slow in that
regard!


Illegal seek

2009-10-06 Thread Steve Heaven

We have noticed several entries like:

postfix/postdrop[5917]: warning: uid=0: Illegal seek

in our logs. Is this anything we should be worried about?

Thanks

Steve

-- 
thorNET 
Internet Services, Consultancy & Training
www.thornet.co.uk