Re: Bounce queue times

2009-10-08 Thread Neil Smith
On Wednesday 07 October 2009 7:30:06 pm Roderick A. Anderson wrote:
> This will probably cause a serious amount of flames but how about just
> doing a HOLD action from header_checks for anything to the domain(s)?
>
> When he returns remove the statement and release the messages.

But that would require me remembering to add and remove the action, and it's 
never a good idea to rely on me doing something...


On Wednesday 07 October 2009 3:38:47 pm Noel Jones wrote:
> Queue lifetimes are global.  To hold mail for one domain
> longer, you need to set up another instance of postfix, and
> send all the long-lived mail there with a transport maps
> entry.  Postfix 2.6 and newer has tools to make multiple
> instances easier, but it can be done manually with any version.
> http://www.postfix.org/MULTI_INSTANCE_README.html

Thanks.  I was hoping it would be something easy, but I suppose these things 
are sent to try us.  I'll probably give it a go when Ubuntu 9.10 comes out, 
which should include Postfix 2.6.

Thanks, both, for the suggestions.

Neil.



-- 
Neil Smith   http://www.njae.me.uk
Milton Keynes Roleplaying Games Club  http://www.mk-rpg.org.uk


mail loops back to myself

2009-10-08 Thread Oliver Schonrock
We have a situation where postfix will not deliver a "delivery status 
notification" (DSN) when a remote server rejects the message postfix is trying 
to send.

Instead Postfix reports that "mail for news.t1ps.com loops back to myself" 
even though postfix is the final destination for the Return-Path address. It 
should deliver the DSN to a local cyrus instance via lmtp.

The problem only occurs when we use a VERP style address for the return path.

We have been on this problem for a week and searched far and wide with no 
success so far. So I have provided quite a bit of detail here below.

Any help is much appreciated.

Oliver


Failure Case

This happens when yahoo/hotmail/aol/etc rejects the original mail with 
554 delivery error: This user doesn't have a yahoo.com account 
(nkaderibi...@yahoo.com).. in reply to end of DATA command

and postfix says:
to=, relay=none, delay=0.01, 
delays=0.01/0/0/0, dsn=5.4.6, status=bounced (mail for news.t1ps.com loops 
back to myself)

Success Case

We have tested the same situation when sending to another postfix instance 
(happens to be on the same physical machine as the first postfix instance). 
Again we are sending to a non-existent address and the second postfix instance 
responds with 

550 5.1.1 : Recipient address rejected: User unknown in 
virtual mailbox table (in reply to RCPT TO command)

In this case postfix delivers the DSN as expected via lmtp to the local cyrus 
instance:
to=, 
relay=smtp.news.t1ps.com[/var/imap/socket/lmtp], delay=0.76, 
delays=0/0.01/0/0.75, dsn=2.1.5, status=sent (250 2.1.5 Ok)

Verp

NOTE: The failure case only happens when we are using a VERP style address in 
Return-Path
The Return-Path for each case is:
Success case: failures+nobody=realtsp@news.t1ps.com
Failure case: failures+nkaderibigbe=yahoo@news.t1ps.com

Note if we don't use VERP, ie "Return-Path: " then 
yahoo works also.

Full maillog extracts, main.cf and master.cf included below.


realtsp.working!

Oct  6 16:46:08 milford postfix/smtpd[58480]: 5027DD6E971: 
client=takapuna.realtsp.com[89.187.108.20], sasl_method=LOGIN, 
sasl_username=*
Oct  6 16:46:08 milford postfix/cleanup[58482]: 5027DD6E971: message-
id=<1254843968.4acb664042...@staging.t1ps.com>
Oct  6 16:46:08 milford postfix/qmgr[57929]: 5027DD6E971: 
from=, size=9468, nrcpt=1 (queue 
active)
Oct  6 16:46:08 milford postfix/smtp[57936]: 5027DD6E971: 
to=, relay=milford.realtsp.com[89.187.108.21]:25, 
delay=0.64, delays=0.63/0/0/0.01, dsn=5.1.1, status=bounced (host 
milford.realtsp.com[89.187.108.21] said: 550 5.1.1 : 
Recipient address rejected: User unknown in virtual mailbox table (in reply to 
RCPT TO command))
Oct  6 16:46:08 milford postfix/bounce[58483]: 5027DD6E971: sender non-delivery 
notification: EA68FD6EAB7
Oct  6 16:46:08 milford postfix/qmgr[57929]: 5027DD6E971: removed


Oct  6 16:46:08 milford postfix/cleanup[58482]: EA68FD6EAB7: message-
id=<20091006154608.ea68fd6e...@smtp.news.t1ps.com>
Oct  6 16:46:08 milford postfix/qmgr[57929]: EA68FD6EAB7: from=<>, size=11600, 
nrcpt=1 (queue active)
Oct  6 16:46:09 milford postfix/lmtp[58484]: EA68FD6EAB7: 
to=, 
relay=smtp.news.t1ps.com[/var/imap/socket/lmtp], delay=0.76, 
delays=0/0.01/0/0.75, dsn=2.1.5, status=sent (250 2.1.5 Ok)
Oct  6 16:46:09 milford postfix/qmgr[57929]: EA68FD6EAB7: removed


yahoo.com...not working!

Oct  6 16:42:01 milford postfix/smtpd[57732]: 33EBBD6EE87: 
client=takapuna.realtsp.com[89.187.108.20], sasl_method=LOGIN, 
sasl_username=
Oct  6 16:42:01 milford postfix/cleanup[57735]: 33EBBD6EE87: message-
id=<1254843721.4acb654923...@staging.t1ps.com>
Oct  6 16:42:01 milford postfix/qmgr[57598]: 33EBBD6EE87: 
from=, size=9480, nrcpt=1 
(queue active)
Oct  6 16:42:10 milford postfix/smtp[57636]: 33EBBD6EE87: 
to=, relay=e.mx.mail.yahoo.com[206.190.53.191]:25, 
delay=9.4, delays=0.02/0/6.5/2.9, dsn=5.0.0, status=bounced (host 
e.mx.mail.yahoo.com[206.190.53.191] said: 554 delivery error: dd This user 
doesn't have a yahoo.com account (nkaderibi...@yahoo.com) [0] - 
mta164.mail.re2.yahoo.com (in reply to end of DATA command))
Oct  6 16:42:10 milford postfix/bounce[57756]: 33EBBD6EE87: sender non-delivery 
notification: A083ED6EA01
Oct  6 16:42:10 milford postfix/qmgr[57598]: 33EBBD6EE87: removed


Oct  6 16:42:10 milford postfix/cleanup[57735]: A083ED6EA01: message-
id=<20091006154210.a083ed6e...@smtp.news.t1ps.com>
Oct  6 16:42:10 milford postfix/qmgr[57598]: A083ED6EA01: from=<>, size=11696, 
nrcpt=1 (queue active)
Oct  6 16:42:10 milford postfix/smtp[57631]: A083ED6EA01: 
to=, relay=none, delay=0.01, 
delays=0.01/0/0/0, dsn=5.4.6, status=bounced (mail for news.t1ps.com loops 
back to myself)
Oct  6 16:42:10 milford postfix/qmgr[57598]: A083ED6EA01: removed

main.cf
===
soft_bounce = no
queue_directory = /var/spool/postfix_rsh
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/p

Checking for NDRs

2009-10-08 Thread Duncan B.


Hi all,

I am setting up an SMTP backup MX server for a customer, and one of their 
specifications is that we check incoming mail for NDR/bounce mails without 
a valid "watermark".  Surfcontrol adds a header similar to 'X-SEF'
with a UUID on outbound mail, so any mail that's a bounce without this 
UUID header will be invalid.


I will have to use the header_checks regexp directive, but how do I ONLY 
perform this check for a bounce (ie, MAIL FROM: <>) ?


I have reject_multi_recipient_bounce, but also need to perform these 
header checks.



Any help appreciated!

Thanks,

Duncan Baxter




Re: Feature Request

2009-10-08 Thread Wietse Venema
Phillip Smith:
> 2009/10/8 Wietse Venema 
> > This could easily be scripted and run from cron. Massage the output
> > from host(1) or dig(1) to extract hosts, and use an expect script
> > to do the talking, like http://www.cymru.com/Tools/mtaprobe.exp.
> > The whole thing should not take more than a dozen or so lines.
> 
> I have a script that does it which I call from rc.local but it depends
> on fetchmail, and I've scripted it heavily towards a PostgreSQL
> backend:
> http://www.pastebin.ca/1602946
> 
> I was just wondering if it wouldn't be a nice feature for Postfix to
> have since at the moment it only seems to be doing half the job --
> responding to ETRN requests, but no capability to make the requests.
> Both requesting and responding are part of the MTA/MDA tasks (as
> opposed to MUA tasks).

The number of primary MX hosts with intermittent connectivity does
not justify adding an entirely new mechanism to core Postfix.

There are already several scripts in the Postfix distribution.  If
you can translate this from using PostgreSQL into "postconf -h
virtual_alias_domains mydestination ..." then it may be worthwhile
for the 0.001% of Postfix sites in a similar situation.

Wietse


Re: mail loops back to myself

2009-10-08 Thread Wietse Venema
Oliver Schonrock:
> to=, relay=none, delay=0.01, 
> delays=0.01/0/0/0, dsn=5.4.6, status=bounced (mail for news.t1ps.com loops 
> back to myself)

Your problem is almost certainly in this file:
transport_maps   = regexp:/usr/local/etc/postfix_rsh/transport

Wietse


Re: sender_canonical_maps vs. smtpd_proxy_filter

2009-10-08 Thread Ralf Hildebrandt
* Victor Duchovni :

> This parameter is clearly documented to have the syntax of a restriction
> class. (It has "check_address_map" as the implicit restriction for bare
> tables).

Didn't know that. It works now.

-- 
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Checking for NDRs

2009-10-08 Thread Victor Duchovni
On Thu, Oct 08, 2009 at 10:13:33AM +, Duncan B. wrote:

>
> Hi all,
>
> I am setting up an SMTP backup MX server for a customer, and one of their 
> specifications is that we check incoming mail for NDR/bounce mails without 
> a valid "watermark".  Surfcontrol adds a header similar to 'X-SEF'
> with a UUID on outbound mail, so any mail that's a bounce without this UUID 
> header will be invalid.
>
> I will have to use the header_checks regexp directive, but how do I ONLY 
> perform this check for a bounce (ie, MAIL FROM: <>) ?

You need a suitable content_filter or milter. No built-in Postfix feature
checks for the absence of a header, let alone conditions such a check
on the envelope sender address.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: mail loops back to myself

2009-10-08 Thread Oliver Schonrock
On Thursday 08 Oct 2009 12:54:48 Wietse Venema wrote:
> Oliver Schonrock:
> > to=, relay=none,
> > delay=0.01, delays=0.01/0/0/0, dsn=5.4.6, status=bounced (mail for
> > news.t1ps.com loops back to myself)
> 
> Your problem is almost certainly in this file:
> transport_maps   = regexp:/usr/local/etc/postfix_rsh/transport

Brilliant! Got it in one! 

Our transport regexes were matching the VERP addresses.
Once we tightened them it works as expected.

Many thanks Wietse
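The effect Oliver describes, as an added example that is not part of the thread and not the poster's transport file: a small emulation of a Postfix regexp: table lookup (whole address as the key, first match wins, case-insensitive unless the "i" flag toggles it) run over a constructed loose transport table and its tightened version. The table contents, the yahoo pattern and the "smtp:" destination are assumptions; the VERP addresses and the lmtp socket path come from the log.

```python
"""Added example (not the poster's transport file): a small emulation of a
Postfix regexp: table lookup, run over a constructed loose transport table
and its tightened version."""
import re
from typing import Optional

# Constructed "loose" table.  The first line was meant for outbound mail to
# yahoo users, but it matches the word anywhere in the address.
LOOSE_TRANSPORT = r"""
/yahoo/                  smtp:
/@news\.t1ps\.com$/      lmtp:unix:/var/imap/socket/lmtp
"""

# Tightened version: the pattern now requires yahoo.com as the whole domain.
TIGHT_TRANSPORT = r"""
/^[^@]+@yahoo\.com$/     smtp:
/@news\.t1ps\.com$/      lmtp:unix:/var/imap/socket/lmtp
"""

# One table line: optional "!", /pattern/, optional flags, whitespace, result.
_LINE = re.compile(r'^(!?)/((?:\\.|[^/\\])*)/([A-Za-z]*)\s+(.+?)\s*$')


def lookup(table_text: str, address: str) -> Optional[str]:
    """Emulate transport_maps = regexp:... for one recipient address.

    For regexp tables Postfix applies each pattern to the whole address (no
    user@domain or parent-domain fallback), matches case-insensitively unless
    the "i" flag toggles that, and the first matching line wins.  Returns
    the right-hand side, or None when no line matches.
    """
    for raw in table_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable table line: {raw!r}")
        negate, pattern, flags, result = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        hit = re.search(pattern, address, re_flags) is not None
        if hit != bool(negate):          # a leading "!" inverts the match
            return result
    return None


def verp_return_path(mailbox: str, domain: str, recipient: str) -> str:
    """Build a Postfix-style VERP envelope sender: the recipient's '@' becomes
    '=' and the result is appended after the '+' recipient delimiter.  (The
    Return-Path in the log shows only 'yahoo'; this keeps the full domain.)"""
    return f"{mailbox}+{recipient.replace('@', '=')}@{domain}"


if __name__ == "__main__":
    bounce_rcpt = "failures+nkaderibigbe=yahoo@news.t1ps.com"   # from the log
    for name, table in (("loose", LOOSE_TRANSPORT), ("tight", TIGHT_TRANSPORT)):
        print(f"{name}: {bounce_rcpt} -> {lookup(table, bounce_rcpt)}")
```

On a real system the equivalent check is `postmap -q 'failures+nkaderibigbe=yahoo@news.t1ps.com' regexp:/usr/local/etc/postfix_rsh/transport`, which prints the transport the table would choose for the bounce recipient.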



Re: Checking for NDRs

2009-10-08 Thread Duncan B.

On Thu, 8 Oct 2009, Victor Duchovni wrote:

>> I am setting up an SMTP backup MX server for a customer, and one of their
>> specifications is that we check incoming mail for NDR/bounce mails without
>> a valid "watermark".  Surfcontrol adds a header similar to 'X-SEF'
>> with a UUID on outbound mail, so any mail that's a bounce without this UUID
>> header will be invalid.
>>
>> I will have to use the header_checks regexp directive, but how do I ONLY
>> perform this check for a bounce (ie, MAIL FROM: <>) ?
>
> You need a suitable content_filter or milter. No built-in Postfix feature
> checks for the absence of a header, let alone conditions such a check
> on the envelope sender address.


Hi Viktor,

I was trying to do something like the following in header_checks
if /^From:.*<>/
!/^X-SEF/ REJECT
endif

Obviously the wrong syntax, but you're saying you can't use the '!' symbol 
to check for absence of a header?


Will have to have a look into some content filters to do this then, but 
wanted something light-weight as it's only a backup MX, which will get 
absolutely hammered with higher-priority MX targeted SPAM!


Cheers
Duncan


Re: Checking for NDRs

2009-10-08 Thread Brian Evans - Postfix List
Duncan B. wrote:
> On Thu, 8 Oct 2009, Victor Duchovni wrote:
>
>
>>> I am setting up an SMTP backup MX server for a customer, and one of
>>> their
>>> specifications is that we check incoming mail for NDR/bounce mails
>>> without
>>> a valid "watermark".  Surfcontrol adds a header similar to 'X-SEF'
>>> with a UUID on outbound mail, so any mail that's a bounce without
>>> this UUID
>>> header will be invalid.
>>>
>>> I will have to use the header_checks regexp directive, but how do I
>>> ONLY
>>> perform this check for a bounce (ie, MAIL FROM: <>) ?
>>
>> You need a suitable content_filter or milter. No built-in Postfix
>> feature
>> checks for the absence of a header, let alone conditions such a check
>> on the envelope sender address.
>
> Hi Viktor,
>
> I was trying to do something like the following in header_checks
> if /^From:.*<>/
> !/^X-SEF/ REJECT
> endif
The above if is invalid.
You cannot check two different headers at the same time.
Postfix inspects headers one at a time.

In addition, the From header does not mean it will match MAIL FROM.



Re: Checking for NDRs

2009-10-08 Thread Duncan B.

On Thu, 8 Oct 2009, Brian Evans - Postfix List wrote:

>>>> I will have to use the header_checks regexp directive, but how do I ONLY
>>>> perform this check for a bounce (ie, MAIL FROM: <>) ?
>>>
>>> You need a suitable content_filter or milter. No built-in Postfix feature
>>> checks for the absence of a header, let alone conditions such a check
>>> on the envelope sender address.
>>
>> I was trying to do something like the following in header_checks
>> if /^From:.*<>/
>> !/^X-SEF/ REJECT
>> endif
>
> The above if is invalid.
> You cannot check two different headers at the same time.
> Postfix inspects headers one at a time.
>
> In addition, the From header does not mean it will match MAIL FROM.


I know it's invalid, as it's not working :-)

Ok, it was correctly matching 'MAIL FROM: <>' at one point, but couldn't 
get it to act upon that result.  I guess that's why!


Are you able to point towards some docs as to how I can achieve what I 
need, to search for existence of a particular header



Thanks
Duncan


Re: Checking for NDRs

2009-10-08 Thread Victor Duchovni
On Thu, Oct 08, 2009 at 03:17:27PM +, Duncan B. wrote:

> Are you able to point towards some docs as to how I can achieve what I 
> need, to search for existence of a particular header

Which part of "No built-in Postfix feature checks for the absence of a
header, let alone conditions such a check on the envelope sender address"
was unclear when I answered your question?

You need a (pre or post-queue) content filter or milter, or tell the customer
you cannot provide the requested feature.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Checking for NDRs

2009-10-08 Thread Wietse Venema
Duncan B.:
> Are you able to point towards some docs as to how I can achieve what I 
> need, to search for existence of a particular header

Postfix built-in pattern matching doesn't work that way. You need
an external filter (or milter).

Wietse
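What a content filter or milter would actually have to decide for Duncan's requirement, as an added example that is not code from any of the posters: the bounce is identified by the envelope sender (MAIL FROM:<>), and the X-SEF watermark is looked for in the returned original (a message/rfc822 or text/rfc822-headers part of the DSN) as well as in the top-level headers. The X-SEF header name comes from the thread; the UUID format, the constructed sample DSNs and the optional check against the set of issued UUIDs are assumptions.

```python
"""Added example, not code from any poster: the decision a content filter
or milter would make for the "bounce without watermark" requirement."""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional, Set, Tuple

WATERMARK_HEADER = "X-SEF"   # header name as described in the thread
UUID_RE = re.compile(        # assumed watermark format: a canonical UUID
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def is_bounce(envelope_sender: str) -> bool:
    """A bounce is identified by the SMTP envelope (MAIL FROM:<>), which a
    milter or proxy filter sees as the sender argument.  The From: header is
    not used: anyone can write 'From: <>' into a header."""
    return envelope_sender.strip() in ("", "<>")


def find_watermarks(msg: Message) -> List[str]:
    """Collect X-SEF values from the message and from the returned original,
    which a DSN carries as a message/rfc822 part (walk() descends into it)
    or as text/rfc822-headers (text that must be parsed as a header block)."""
    found: List[str] = []
    for part in msg.walk():
        found += [v.strip() for v in part.get_all(WATERMARK_HEADER, [])]
        if part.get_content_type() == "text/rfc822-headers":
            raw = part.get_payload(decode=True) or b""
            inner = message_from_string(raw.decode("ascii", "replace"))
            found += [v.strip() for v in inner.get_all(WATERMARK_HEADER, [])]
    return found


def check_bounce(envelope_sender: str, raw_message: str,
                 issued: Optional[Set[str]] = None) -> Tuple[str, str]:
    """Return (action, reason).  'issued' is the set of UUIDs the outbound
    gateway really stamped; when given, a well-formed but unknown UUID is
    rejected too, so the watermark format alone cannot be forged."""
    if not is_bounce(envelope_sender):
        return "ACCEPT", "not a bounce, watermark rule does not apply"
    msg = message_from_string(raw_message)
    for value in find_watermarks(msg):
        if UUID_RE.match(value) and (issued is None or value.lower() in issued):
            return "ACCEPT", f"bounce carries watermark {value}"
    return "REJECT", "5.7.1 bounce for mail we never sent (no valid watermark)"


# Constructed DSN returning the original message as a message/rfc822 part.
GENUINE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: list-owner@example.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The user does not exist.
--b1
Content-Type: message/rfc822

From: list-owner@example.com
To: nobody@example.net
Subject: newsletter
X-SEF: 8f2a3c44-1b7e-4d2a-9a0c-3f5e6d7c8b9a

hello
--b1--
"""

# Constructed backscatter: a "bounce" for mail the customer never sent, so
# the returned headers carry no watermark.
FORGED_BOUNCE = GENUINE_BOUNCE.replace(
    "X-SEF: 8f2a3c44-1b7e-4d2a-9a0c-3f5e6d7c8b9a\n", "")

# Constructed DSN that returns only the original headers.
HEADERS_ONLY_BOUNCE = """\
From: MAILER-DAEMON@mx.example.org
To: list-owner@example.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

Mailbox full.
--b2
Content-Type: text/rfc822-headers

From: list-owner@example.com
To: someone@example.org
X-SEF: 0c1d2e3f-4a5b-4c6d-8e9f-a0b1c2d3e4f5

--b2--
"""

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE_BOUNCE), ("forged", FORGED_BOUNCE)):
        print(name, check_bounce("<>", sample))
```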


Re: ipv6 and smart(er) relaying

2009-10-08 Thread LuKreme

On 7-Oct-2009, at 13:40, Dave Täht wrote:


> I imagine you all were big fans of NETBUI and IPX/SPX too.



Nah, I WANT IPv6 to work, but the fact of the matter is, it's not. The  
ISPs have no interest in supporting it, and until it is simple for  
users to get static IPv6 addresses and rDNS on those addresses the  
appeal of it is just not going to expand in any meaningful way.


And yes, a jump for 0.002% to 0.03% is huge, relatively. But still  
insignificant when looked at in absolute terms. Where's IPv6 now?  
0.04% or so. Not even half a tenth of a percent.


Can I run my mailserver on my DHCP cable with NAT and talk to the  
world only through IPv6?


No? Well, then what good is it?

I'll go out on a limb and say that SMTP email will NEVER move to IPv6.  
If email moves to IPv6 it will be based on something totally new.


--
Why live in the world when you can live in your head?



Re: ipv6 and smart(er) relaying

2009-10-08 Thread LuKreme

On 7-Oct-2009, at 14:48, Wietse Venema wrote:


> This is no longer about Postfix.  Take it off-list, please.



Sorry, replied before reading this.

--
"What's a Velvet Underground?" "You wouldn't like it." "Oh,
Be-bop."



Need help with configuration ...

2009-10-08 Thread Rene Bartsch
Hi,

I'm running the combination of Postfix, Postfix-GLD (Greylisting) and 
DBMail (MDA) as a stand-alone Internet host on a Ubuntu-9.04 system. The file 
'sql-recipients.cf' provides the MySQL access information for the list of 
mail-aliases in DBMail and 'sql-domains.cf' provides the list of virtual 
domains extracted from the mail-aliases.


What Postfix shall do:

- listen on all public and private IPs for incoming SMTP-connections

- relay mail from the internet to DBMail via LMTP on the loopback device if 
the recipient address matches a mail-alias and the recipient restrictions are 
met (FQDN, GLD, SPF, etc.)

- relay mail from private networks to DBMail via LMTP on the loopback device 
if the recipient address matches a mail-alias and the sender domain matches a 
virtual domain. No other restrictions

- relay from private networks to the internet if the sender domain matches a 
virtual domain. No other restrictions

- Do NOT relay anything from internet to internet (avoid open relay)

- use only public IP xxx.xxx.xxx.xxx for relaying mail to the internet

- Use TLS encryption and authentication whenever possible on internet 
connections (does it make sense to force TLS or are there too many non-TLS 
mail servers out there?) but don't use it with private networks



What Postfix currently doesn't do:

- it relays mail to the internet but only accepts mail for 'mydomain' 
('mydestination' commented out)

- it accepts mail for all virtual domains but does not relay to the internet 
('mydestination' NOT commented out). Message not sent. Server replied:

   Action not performed: mailbox not available
   550 5.1.1 : Recipient address rejected: User unknown in 
local recipient table

- it uses TLS on any connection and does not allow unencrypted and 
unauthenticated access to private networks

Thanx for any hint,

Renne




master.cf:

 snip 
---

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
#smtp  inet  n   -   -   -   -   smtpd
smtp  inet  n   -   n   -   -   smtpd
#submission inet n   -   -   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   -   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628  inet  n   -   -   -   -   qmqpd
pickupfifo  n   -   -   60  1   pickup
cleanup   unix  n   -   -   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
#qmgr fifo  n   -   -   300 1   oqmgr
tlsmgrunix  -   -   -   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounceunix  -   -   -   -   0   bounce
defer unix  -   -   -   -   0   bounce
trace unix  -   -   -   -   0   bounce
verifyunix  -   -   -   -   1   verify
flush unix  n   -   -   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   -   -   -   smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix  -   -   -   -   -   smtp
-o smtp_fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix  n   -   -   -   -   showq
error unix  -   -   -   -   -   error
retry unix  -   -   -   -   -   error
discard   unix  -   -   -   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   -   -   -   lmtp
anvil unix  -   -   -   -   1   anvil
scacheunix  -   -   -   -   1   scache
#
# 
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find

Re: Need help with configuration ...

2009-10-08 Thread Brian Evans - Postfix List
Rene Bartsch wrote:
> Hi,
>
> I'm running the combination of Postfix, Postfix-GLD (Greylisting) and 
> DBMail(MDA) as a stand-alone
> Internet host on a Ubuntu-9.04 system. The file 'sql-recipients.cf' provides 
> the MySQL access
> information for the list of mail-aliases in DBMail and 'sql-domains.cf' 
> provides the list of
> virtual domains extracted from the mail-aliases.
>   

According to your config below, you are trying to use local as virtual.
Don't do this.

Before making any changes, read and understand
http://www.postfix.org/VIRTUAL_README.html#in_virtual_other
> What Postfix shall do:
>
> - listen on all public and private IPs for incoming SMTP-connections
>
> - relay mail from the internet to DBmail via LMTP on loopback device if the 
> recipient address
> matches a mail-alias and the recipient restrictions are met (FQDN, GLD, SPF, 
> etc.)
>
> - relay mail from private networks to DBMail via LMTP on loopback device if 
> the recipient address
> matches a mail-alias and the sender domain matches a virtual domain. No other 
> restrictions
>
> - relay from private networks to the internet if the sender domain matches a 
> virtual domain. No
> other restrictions
>
> - Do NOT relay anything from internet to internet (avoid open relay)
>
> - use only public IP xxx.xxx.xxx.xxx for relaying mail to the internet
>
> - Use TLS-encryption and -authentication whenever possible on internet 
> connections (does it make
> sense to force TLS or are there too many non-TLS mail servers out there?) but 
> don't use it with
> private networks
>
>
>
> What Postfix currently doesn't do:
>
> - it relays mail to the internet but only accepts mail for 'mydomain' 
> ('mydestination' commented out)
> - it accepts mail for all virtual domains but does not relay to the internet
> (Message not sent. Server replied:
>
>Action not performed: mailbox not available
>550 5.1.1 : Recipient address rejected: User unknown 
> in local recipient table)
>   ('mydestination' NOT commented out)
>
> - it uses TLS on any connection and does not allow unencrypted and 
> unauthenticated access to
> private networks
>
> Thanx for any hint,
>
> Renne
>
>
> main.cf:
>   

We prefer 'postconf -n' as stated in the link from the welcome message
to the list.
>
>  snip 
> ---
>
> mydomain  = 
> myhostname= $mydomain
> myorigin  = $mydomain
> mynetworks= 10.214.224.0/24 10.214.234.0/24 127.0.0.0/8
> mydestination = mysql:/etc/postfix/sql-domains.cf
>   
This should be "virtual_mailbox_domains =
mysql:/etc/postfix/sql-domains.cf" if they are truly virtual.
ONLY set domains that will be delivered using *nix accounts in
mydestination.

> mailbox_transport= dbmail-lmtp:127.0.0.1:24
>   
virtual_transport = dbmail-lmtp:127.0.0.1:24
> local_recipient_maps = mysql:/etc/postfix/sql-recipients.cf
>   

This breaks a lot of things.
Change local_recipient_maps to virtual_mailbox_maps
> smtpd_tls_security_level = encrypt
>   
Choose "may" over "encrypt" or you will lose a lot of internet mail.
As noted in the commented master.cf, it is acceptable to add "-o
smtpd_tls_security_level=encrypt" in master.cf on the submission transport.



Mail loops back to myself help

2009-10-08 Thread Jsilliman
I am having an issue where I cannot receive any mail from the outside
without it bouncing back, nor can I telnet to my local Postfix mail port and
send mail without receiving this error message:

to=, relay=none, delay=0.06, delays=0.02/0.03/0/0,
dsn=5.4.6, status=bounced (mail for mail.example.com loops back to myself)

I've spent hours researching this issue and just can't nail it down.  The
hostname is not the mail server name. I can send email out.  The MX record
is okay.

Hostname = server1.example.com
Mail name = mail.example.com


Output of postconf -f:

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
mydestination = localhost, localhost.localdomain, mail.silliman.com
myhostname = server1.silliman.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
$virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/
mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = "The user you are trying to reach is over
quota."
virtual_overquota_bounce = yes
virtual_uid_maps = static:5000


Re: Mail loops back to myself help

2009-10-08 Thread Wietse Venema
Jsilliman:
> I am having an issue where I cannot receive any mail from the outside
> without it bouncing back, nor can I telnet to my local Postfix mail port and
> send mail without receiving this error message:
> 
> to=, relay=none, delay=0.06, delays=0.02/0.03/0/0,
> dsn=5.4.6, status=bounced (mail for mail.example.com loops back to myself)

You almost certainly screwed up one of your mysql tables.

Replace your mysql tables by plain hash: files. Only AFTER Postfix
works as intended, replace one table at a time with mysql.

http://www.postfix.org/DATABASE_README.html#preparing

Wietse


Postfix snapshot 20091008 with postscreen

2009-10-08 Thread Wietse Venema
Postfix snapshot 20091008 includes an updated version of the
postscreen daemon. This means it is no longer limited to the
non-production releases.

To make postscreen safe to deploy, it has a permanent whitelist
(default: $mynetworks) that avoids running SMTP protocol tests on
broken network appliances. It also has a permanent blacklist for
networks that you never want to talk to.

In the default "observation" mode, postscreen logs bad client
information but does not drop connections, and can be used to
"pre-fetch" DNSBL information in parallel.

In the non-default "enforcement mode", postscreen drops "bad"
clients, and thus off-loads the SMTP daemons. To make it generally
usable I still have to add the dummy SMTP protocol engine that logs
the senders and recipients of rejected connections. Hopefully that
will be in place later in the Postfix 2.7 development cycle.

Wietse

HISTORY file entries:

20090918

Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
turned off, there was no automatic flush-before-read on
the smtpd-to-milter stream, because the read was done on
the cleanup-to-milter stream. Problem reported by Stephen
Warren.  File: milter/milter8.c.

20091005

Bugfix: core dump while printing error message for malformed
% sequence in LDAP, MySQL or PostgreSQL configuration.
File: global/db_common.c. Fix by Victor Duchovni.

20091006

Feature: "postscreen_whitelist_networks = $mynetworks" (the
default) to avoid problems with buggy SMTP implementations
in network appliances.  Note: this feature never uses the
remote SMTP client hostname.  Files: global/addr_match_list.[hc],
postscreen/postscreen.c.

Feature: postscreen_blacklist_networks (default: empty) to
permanently blacklist hosts or networks. Address syntax is
as with mynetworks. Note: this feature never uses the remote
SMTP client hostname.  File: postscreen/postscreen.c.

Feature: postscreen_blacklist_action (default: continue)
to control what happens with a permanently blacklisted
client.

20091007

Feature: hostname-based check_client_{mx,ns}_access,
check_reverse_client_hostname_{mx,ns}_access (the client
IP address is not used). Rob Foehl.  Files: smtpd/smtpd_check.c,
global/mail_params.h, proto/postconf.proto, mantools/postlink.

20091008

Documentation: restructured the postscreen(8) manpage as
a sequence of tests. File: postscreen/postscreen.c.


Re: Postfix snapshot 20091008 with postscreen

2009-10-08 Thread Wietse Venema
Wietse Venema:
> Postfix snapshot 20091008 includes an updated version of the
> postscreen daemon. This means it is no longer limited to the
> non-production releases.

In case you haven't seen earlier posts on this topic, postscreen
was released first in a number of Postfix non-production snapshots
over the past summer. Below is a summary, taken from the release
notes.

Wietse

postscreen(8) is a server that is turned off by default.  When
enabled it runs a number of time-consuming checks in parallel for
all incoming SMTP connections, before clients are allowed to talk
to a real Postfix SMTP server.  It detects clients that start
talking too soon, or clients that appear on DNS blocklists, or
clients that hang up without sending any command.

By doing these checks in a single postscreen(8) process, Postfix
can avoid wasting one SMTP server process per connection. A side
benefit of postscreen(8)'s DNSBL lookups is that DNS records are
already cached before the Postfix SMTP server looks them up later.

postscreen(8) maintains a temporary whitelist of positive decisions.
Once an SMTP client is whitelisted, it is immediately forwarded
to a real Postfix SMTP server process without further checking.

By default, the program logs only statistics, and it does not run
any checks on clients in mynetworks (primarily, to avoid problems
with buggy SMTP implementations in network appliances).  The logging
function alone is already useful for research.

postscreen(8) can be configured to drop clients that start talking
too soon, or clients that appear on DNS blocklists. For details,
see the release notes.


forward russian emails

2009-10-08 Thread Peter Macko

Emails for a certain local recipient that contain Russian characters in the 
subject or in the body should be forwarded to another email address.

Shall I start looking for a solution in postfix or in MailScanner?

 

Thank you
  

Re: forward russian emails

2009-10-08 Thread Victor Duchovni
On Thu, Oct 08, 2009 at 08:51:37PM +, Peter Macko wrote:

> Emails for certain local recipient that contain russian characters in
> subject or in body should be forwarded to another email address.

In Postfix this is tricky, because you first have to separate mail
for local recipients into a separate "stream", so that the filter
in question does not mis-route similar mail for external recipients.

This is doable, but requires a two-stage "pipe-line" with local
recipients re-injected into smtpd for a second round of scanning,
with appropriate mime_header_checks.

Classifying MIME content with regular expressions is tricky. A content
filter may be a better bet.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
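As an added illustration of why classifying by character set is easier in a content filter than with regular expressions on raw MIME (this is example code, not from the list or from Postfix or MailScanner), the following Python script decodes the RFC 2047 Subject and the transfer-encoded text parts before testing for Cyrillic code points. The three messages are constructed samples; naive_8bit_scan stands in for the kind of byte-range pattern one might put in header_checks or body_checks, and the samples show it firing on neither the quoted-printable UTF-8 message (all bytes on the wire are ASCII) nor, with a UTF-8-specific pattern, on a raw KOI8-R body.

```python
"""Decide whether a message's Subject or text body contains Cyrillic, after
decoding MIME.  Added example (not from the list or from Postfix/MailScanner)."""
import email
import re
from email.header import decode_header

CYRILLIC = (0x0400, 0x052F)   # Cyrillic and Cyrillic Supplement blocks


def has_cyrillic(text):
    """True if any character lies in the Cyrillic code blocks."""
    return any(CYRILLIC[0] <= ord(ch) <= CYRILLIC[1] for ch in text)


def decoded_subject(msg):
    """Undo RFC 2047 encoded-words; plain ASCII subjects come back unchanged."""
    pieces = []
    for chunk, charset in decode_header(msg.get("Subject", "")):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "us-ascii", errors="replace")
        pieces.append(chunk)
    return "".join(pieces)


def decoded_text_parts(msg):
    """Yield each text/* part as str, after undoing the transfer encoding
    and decoding with the part's declared charset."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        yield raw.decode(part.get_content_charset() or "us-ascii", errors="replace")


def contains_cyrillic(raw_message):
    """Per-location verdict a content filter could act on."""
    msg = email.message_from_bytes(raw_message)
    return {
        "subject": has_cyrillic(decoded_subject(msg)),
        "body": any(has_cyrillic(t) for t in decoded_text_parts(msg)),
    }


def naive_8bit_scan(raw_message):
    """What a byte-range regex on the undecoded message sees: bytes >= 0x80 only."""
    return re.search(rb"[\x80-\xff]", raw_message) is not None


# Constructed sample: Q-encoded UTF-8 subject and quoted-printable body.
# Every byte on the wire is ASCII, so naive_8bit_scan misses it.
MSG_UTF8_QP = b"""From: sender@example.org
To: peter@example.com
Subject: =?UTF-8?Q?=D0=9F=D1=80=D0=B8=D0=B2=D0=B5=D1=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

=D0=9F=D1=80=D0=B8=D0=B2=D0=B5=D1=82, Peter
"""

# Constructed sample: the same greeting sent raw in KOI8-R.  These are 8-bit
# bytes, but a pattern written for UTF-8 lead bytes (\xd0/\xd1) would not
# recognise them; decoding with the declared charset does.
MSG_KOI8R = (
    b"From: sender@example.org\nTo: peter@example.com\nSubject: Hello\n"
    b"MIME-Version: 1.0\nContent-Type: text/plain; charset=koi8-r\n"
    b"Content-Transfer-Encoding: 8bit\n\n"
    b"\xf0\xd2\xc9\xd7\xc5\xd4\n"
)

# Constructed sample with no Cyrillic anywhere.
MSG_ASCII = b"Subject: Hello\nContent-Type: text/plain\n\nHello Peter\n"

if __name__ == "__main__":
    for name, raw in [("utf8-qp", MSG_UTF8_QP), ("koi8-r", MSG_KOI8R), ("ascii", MSG_ASCII)]:
        print(name, contains_cyrillic(raw), "8-bit bytes seen:", naive_8bit_scan(raw))
```

In a content filter the verdict from contains_cyrillic() would drive the re-injection address for the one local recipient concerned; the decoding steps are exactly what a header_checks regex cannot do.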


Re: Need help with configuration ...

2009-10-08 Thread Rene Bartsch
> Rene Bartsch wrote:
>> Hi,
>> I'm running the combination of Postfix, Postfix-GLD (Greylisting) and
>> DBMail(MDA) as a stand-alone Internet host on a Ubuntu-9.04 system. The
>> file 'sql-recipients.cf' provides the MySQL access information for the
>> list of mail-aliases in DBMail and 'sql-domains.cf' provides the list of
>> virtual domains extracted from the mail-aliases.
> According to your config below, you are trying to use local as virtual.
> Don't do this.

According to http://www.dbmail.org/dokuwiki/doku.php/setup_postfix I shall do 
this.

The configuration of the DBmail-Wiki allows me to send mail, but I can't 
receive mail (remote
SMTP-client receives the error message "Relay access denied (in reply to RCPT 
TO command)" by
postfix).

postconf -n:

- snip 


append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
local_recipient_maps = mysql:/etc/postfix/sql-virtual_mailbox_maps.cf 
mail_owner = postfix
mailbox_transport = dbmail-lmtp:127.0.0.1:24
mydomain = 
myhostname = www.
mynetworks = 10.214.224.0/24 10.214.234.0/24 127.0.0.0/8
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

- snap 

If I use virtual as you proposed, remote clients can send mail to postfix, but 
postfix doesn't
relay mail from local (loopback or private network) users to the internet.

(Message not sent. Server replied:
   Action not performed: mailbox not available
   550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table


postconf -n:

- snip 


append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
mail_owner = postfix
mydomain = 
myhostname = www.
mynetworks = 10.214.224.0/24 10.214.234.0/24 127.0.0.0/8
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
virtual_mailbox_domains = mysql:/etc/postfix/sql-virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql-virtual_mailbox_maps.cf
virtual_transport = dbmail-lmtp:127.0.0.1:24

- snap 

Best regards,

renne


Re: Need help with configuration ...

2009-10-08 Thread Wietse Venema
Rene Bartsch:
> > Rene Bartsch wrote:
> >> Hi,
> >> I'm running the combination of Postfix, Postfix-GLD (Greylisting) and
> >> DBMail(MDA) as a stand-alone Internet host on a Ubuntu-9.04 system. The
> >> file 'sql-recipients.cf' provides the MySQL access information for the
> >> list of mail-aliases in DBMail and 'sql-domains.cf' provides the list of
> >> virtual domains extracted from the mail-aliases.
> > According to your config below, you are trying to use local as virtual.
> > Don't do this.
> 
> According to http://www.dbmail.org/dokuwiki/doku.php/setup_postfix I shall do 
> this.

Please review http://www.postfix.org/ADDRESS_CLASS_README.html.

This gives you all the reasons why you get "USER UNKNOWN" and "RELAY
ACCESS DENIED" errors, and how to avoid them.

For example, you get "user unknown in virtual mailbox table" because
the domain name is listed in main.cf:virtual_mailbox_domains but
the recipient is not listed in main.cf:virtual_mailbox_maps.

Likewise, you get "relay access denied" because the domain is not
listed in mydestination, virtual_mailbox_domains, virtual_alias_domains
or relay_domains.

Just do what the POSTFIX documentation says.

Wietse
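A small model of the address-class decision Wietse points to, added here as example code rather than anything from Postfix itself. The two configurations are constructed to mirror the two postconf -n outputs earlier in the thread (example.com stands in for the anonymised domain, mx.example.com for the host), and the table-lookup order (full address, then the address with its + extension removed, then the @domain catch-all) is a simplification of the recipient lookups ADDRESS_CLASS_README describes. The model assumes each domain is listed in at most one class and that permit_mynetworks precedes reject_unauth_destination.

```python
"""Model of how Postfix assigns a recipient to an address class and then
checks that class's recipient table (after ADDRESS_CLASS_README).

Added example; the config dicts are constructed, not taken from a real host."""


def lookup(address, table):
    """Simplified recipient-table lookup order: the full address, the address
    with its +extension removed (recipient_delimiter = +), then @domain."""
    localpart, _, domain = address.partition("@")
    candidates = [address]
    if "+" in localpart:
        candidates.append(localpart.split("+", 1)[0] + "@" + domain)
    candidates.append("@" + domain)
    return any(c in table for c in candidates)


def classify(recipient, cfg, from_mynetworks=False):
    """Return (action, reason) for one RCPT TO address.

    Classes are tried in the README's order; a domain is assumed to be listed
    in at most one of them.  A domain in no class is accepted for relay only
    when the client is in mynetworks (permit_mynetworks evaluated before
    reject_unauth_destination)."""
    recipient = recipient.lower()
    _, _, domain = recipient.partition("@")

    if domain in cfg["mydestination"]:
        if cfg.get("local_recipient_maps") and not lookup(recipient, cfg["local_recipient_maps"]):
            return ("reject", "User unknown in local recipient table")
        return ("accept", "local")
    if domain in cfg["virtual_alias_domains"]:
        if not lookup(recipient, cfg["virtual_alias_maps"]):
            return ("reject", "User unknown in virtual alias table")
        return ("accept", "virtual_alias")
    if domain in cfg["virtual_mailbox_domains"]:
        if not lookup(recipient, cfg["virtual_mailbox_maps"]):
            return ("reject", "User unknown in virtual mailbox table")
        return ("accept", "virtual_mailbox")
    if domain in cfg["relay_domains"]:
        return ("accept", "relay")
    if from_mynetworks:
        return ("accept", "relay")
    return ("reject", "Relay access denied")


# Modelled on the first postconf -n: local_recipient_maps points at the
# virtual users, but the mail domain is in no class (mydestination holds only
# the host names), so remote RCPT TO for it is refused before any map is read.
CONFIG_LOCAL_AS_VIRTUAL = {
    "mydestination": {"mx.example.com", "localhost"},
    "local_recipient_maps": {"alice@example.com", "root@localhost"},
    "virtual_alias_domains": set(), "virtual_alias_maps": set(),
    "virtual_mailbox_domains": set(), "virtual_mailbox_maps": set(),
    "relay_domains": set(),
}

# Modelled on the second postconf -n: example.com is a virtual mailbox
# domain, so only recipients present in virtual_mailbox_maps are accepted.
CONFIG_VIRTUAL = {
    "mydestination": {"mx.example.com", "localhost"},
    "local_recipient_maps": {"root@localhost", "postmaster@localhost"},
    "virtual_alias_domains": set(), "virtual_alias_maps": set(),
    "virtual_mailbox_domains": {"example.com"},
    "virtual_mailbox_maps": {"alice@example.com"},
    "relay_domains": set(),
}

if __name__ == "__main__":
    cases = [
        ("alice@example.com", CONFIG_LOCAL_AS_VIRTUAL, False),
        ("bob@example.com", CONFIG_VIRTUAL, False),
        ("alice+news@example.com", CONFIG_VIRTUAL, False),
        ("someone@example.net", CONFIG_VIRTUAL, True),
        ("someone@example.net", CONFIG_VIRTUAL, False),
    ]
    for rcpt, cfg, mynet in cases:
        print(f"{rcpt:25} mynetworks={mynet!s:5} -> {classify(rcpt, cfg, mynet)}")
```

The two rejections in the thread fall straight out of the model: the first configuration answers "Relay access denied" for every address in the mail domain, and the second answers "User unknown in virtual mailbox table" for any address the virtual_mailbox_maps query does not return.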


Re: Postfix snapshot 20091008 with postscreen

2009-10-08 Thread Miguel Di Ciurcio Filho
Wietse Venema wrote:
> Postfix snapshot 20091008 includes an updated version of the
> postscreen daemon. This means it is no longer limited to the
> non-production releases.
> 

Nice!

There is a cool feature on OpenBSD's spamd that makes zombies suffer a lot:

-S secs Stutter at greylisted connections for the specified amount of
seconds, after which the connection is not stuttered at.
The default is 10; maximum is 90.


-s secs Delay each character sent to the client by the specified amount
of seconds.  The default is 1; maximum is 10.

http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&sektion=8

Discarding the greylist feature, sending data very slowly makes zombies
suffer and does not eat our bandwidth.

1) Wait X seconds to send the pre-greeting to detect out of order commands
2) If the client has waited accordingly, optionally, send another
"220-text..." greeting line but slowly, like spamd does.
3) If the client is still there, whitelist it for a day.

Another suggestion: raise the default postscreen_greet_wait from 4 to 10
seconds, or even 15 or 20. I've been using smtpd_error_sleep_time=30s
and so far I have had no problems for years, and it is very effective at
keeping dictionary floods away.

With a setup like this I believe greylisting is not that relevant any more.

Great work.

Miguel





Re: Postfix snapshot 20091008 with postscreen

2009-10-08 Thread Reinaldo de Carvalho
On Thu, Oct 8, 2009 at 9:00 PM, Miguel Di Ciurcio Filho
 wrote:
>
> Another suggestion: raise the default postscreen_greet_wait from 4 to 10
> seconds, or even 15 or 20. I've been using smtpd_error_sleep_time=30s
> and so far I have had no problems for years, and it is very effective at
> keeping dictionary floods away.
>

The sleep time increases CPU time consumption and the number of
established connections. Enforcing no sleep time and a very low hard
limit (to drop the connection) gives better performance.

> With a setup like this I believe greylisting is not that relevant any more.
>
> Great work.
>
> Miguel
>
>
>

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)


Re: Postfix snapshot 20091008 with postscreen

2009-10-08 Thread Wietse Venema
Miguel Di Ciurcio Filho:
> Wietse Venema wrote:
> > Postfix snapshot 20091008 includes an updated version of the
> > postscreen daemon. This means it is no longer limited to the
> > non-production releases.
> > 
> 
> Nice!
> 
> There is a cool feature on OpenBSD's spamd that makes zombies suffer a lot:

Note, I am primarily interested in keeping the bots away from the
real SMTP server. Unlike spamd and other solutions, I am not so
much interested in keeping botnets busy. People who want to do that
can install spamd. It works with pretty much every MTA.

> Discarding the greylist feature, sending data very slowly makes zombies
> suffer and does not eat our bandwidth.
> 
> 1) Wait X seconds to send the pre-greeting to detect out of order commands

If the client is a pre-greeter, the sooner I find out the better.
I want to have the option to quickly drop a connection, or to
quickly capture sender/recipient information so that people can
monitor what mail is being blocked (capturing this information is
next on the todo list; this requires a dummy SMTP engine that could
also be used for greylisting, and if people must, for tarpitting).

> Another suggestion: raise the default postscreen_greet_wait from 4 to 10
> seconds, or even 15 or 20. I've been using smtpd_error_sleep_time=30s
> and so far I have had no problems for years, and it is very effective at
> keeping dictionary floods away.
> 
> With a setup like this I believe greylisting is not that relevant any more.

You can adjust the pre-greet wait time to 30s if you like, but I
would not consider that a safe default setting for everyone.

You can find early postscreen results at http://www.postfix.org/wip.html

Wietse


Re: Postfix snapshot 20091008 with postscreen

2009-10-08 Thread Stan Hoeppner
Wietse Venema put forth on 10/8/2009 1:51 PM:
> Postfix snapshot 20091008 includes an updated version of the
> postscreen daemon. This means it is no longer limited to the
> non-production releases.

Does postscreen run one process per connection, allowing balanced
scheduling across cpus/cores, or is it just one process handling all
connections?  If only one process, do you see possible benefit to
pinning its affinity to a single cpu/core in a high traffic
multi-cpu/core MX, and excluding all other processes from that cpu/core?

--
Stan