VRFY functionality through the command line

[frantisek holop]

hello there,

i am writing a custom filter tool and i am looking
for a way to verify that the recipient address is
valid--as far as postfix and it's aliases and all
it's maps are concerned.  probably something like
a command line client for verify(8), or a program
to somehow evaluate that the condition

smtpd_recipient_restrictions = reject_unverified_recipient

is fulfilled.

i am not sure if spamassassin or the other spam filters
are doing something like this, the postfix documentation
is quite explicit about verify(8) being very slow on heavy
traffic sites, but this functionality would be very useful
for greyfiltering/greytrapping as well.

going over the logs to see if rcpt is valid is not good
enough for me, because i have strict smtpd_helo_restrictions:

smtpd_helo_restrictions =
permit_mynetworks
check_helo_access hash:/etc/postfix/helo_checks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

and legitimate but misconfigured servers are caught by this
before the recipient is verified.  i'd like to go over the
logs and catch these false positives to whitelist them.  one
of the signs of these false positives would be to see if the
recipient is legitimate.

thank you for any pointers.

-f
-- 
instant human: just add caffeine, alcohol, and nicotine.

AW: AW: AW: AW: virtual-mailbox-domain: Loops back zo myself

[Daniel Spannbauer]

> -Ursprüngliche Nachricht-
> Von: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] Im Auftrag von mouss
> Gesendet: Montag, 26. Oktober 2009 22:28
> An: 'Postfix users'
> Betreff: Re: AW: AW: AW: virtual-mailbox-domain: Loops back zo myself
> 
> Daniel Spannbauer a écrit :
> >
> >> bet of the day: something in master.cf overrides your main.cf
> >> config
> >>
> >> show your master.cf.
> >
> >
> > [snip]
> 
> your master.cf shows a content_filter, but this doesn't appear in the
> last post logs.
> 
> you need to check that the postfix that logs the error is the one that
> you can configure. make sure you don't have many postfix installations.
> and if you use multiple instances, check which is which.
> 
> add
> 
> syslog_name=postdaniel
> 
> to your main.cf, restart postfix and test again. then show the logs.

There's is only one instance of postfix running.
Here is again a log of a Mail sent from my Laptop.


Oct 26 23:38:58 a1323 postfix/smtpd[26542]: connect from
fmmailgate03.web.de[217.72.192.234]
Oct 26 23:38:58 a1323 postfix/smtpd[26542]: A688917A5A6:
client=fmmailgate03.web.de[217.72.192.234]
Oct 26 23:38:58 a1323 postfix/cleanup[24923]: A688917A5A6:
message-id=<007301ca568d$1a2f37c0$4e8da7...@de>
Oct 26 23:38:58 a1323 postfix/qmgr[32389]: A688917A5A6:
from=, size=1362, nrcpt=1 (queue active)
Oct 26 23:38:58 a1323 postfix/smtpd[26542]: disconnect from
fmmailgate03.web.de[217.72.192.234]
Oct 26 23:38:58 a1323 postfix/smtp[24918]: A688917A5A6:
to=, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.4.6,
status=bounced (mail for mail.domain.de loops back to myself)
Oct 26 23:38:58 a1323 postfix/cleanup[25718]: E514C17A5A8:
message-id=<20091026223858.e514c17a...@mail.domain.de>
Oct 26 23:38:59 a1323 postfix/qmgr[32389]: E514C17A5A8: from=<>, size=3174,
nrcpt=1 (queue active)
Oct 26 23:38:59 a1323 postfix/bounce[26557]: A688917A5A6: sender
non-delivery notification: E514C17A5A8
Oct 26 23:38:59 a1323 postfix/qmgr[32389]: A688917A5A6: removed
Oct 26 23:38:59 a1323 postfix/smtp[26534]: E514C17A5A8:
to=, relay=mx-ha01.web.de[217.72.192.149]:25,
delay=0.19, delays=0.08/0/0.03/0.07, dsn=2.0.0, status=sent (250 OK
id=1N2YDL-0005bj-00)
Oct 26 23:38:59 a1323 postfix/qmgr[32389]: E514C17A5A8: removed
Oct 26 23:39:02 a1323 postfix/pickup[25700]: 3DB3117A5A7: uid=0 from=
Oct 26 23:39:02 a1323 postfix/cleanup[24923]: 3DB3117A5A7:
message-id=<20091026223902.3db3117a...@mail.domain.de>
Oct 26 23:39:02 a1323 postfix/qmgr[32389]: 3DB3117A5A7:
from=, size=1042, nrcpt=1 (queue active)
Oct 26 23:39:02 a1323 postfix/smtpd[26878]: connect from
localhost[127.0.0.1]
Oct 26 23:39:02 a1323 postfix/smtpd[26878]: 9143317A5A6:
client=localhost[127.0.0.1]
Oct 26 23:39:02 a1323 postfix/cleanup[25718]: 9143317A5A6:
message-id=<20091026223902.3db3117a...@mail.domain.de>
Oct 26 23:39:02 a1323 postfix/smtpd[26878]: disconnect from
localhost[127.0.0.1]
Oct 26 23:39:02 a1323 postfix/qmgr[32389]: 9143317A5A6:
from=, size=1477, nrcpt=1 (queue active)
Oct 26 23:39:03 a1323 amavis[24869]: (24869-12) Passed CLEAN,
 -> , Message-ID:
<20091026223902.3db3117a...@mail.domain.de>, mail_id: awt-DMlaMf-G, Hits:
-0.001, size: 1042, queued_as: 9143317A5A6, 666 ms
Oct 26 23:39:03 a1323 postfix/smtp[24918]: 3DB3117A5A7: to=,
orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9,
delays=1.3/0/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=24869-12, from
MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9143317A5A6)
Oct 26 23:39:03 a1323 postfix/qmgr[32389]: 3DB3117A5A7: removed
Oct 26 23:39:03 a1323 postfix/pipe[10025]: 9143317A5A6: to=,
relay=dovecot, delay=0.7, delays=0.4/0/0/0.29, dsn=2.0.0, status=sent
(delivered via dovecot service)
Oct 26 23:39:03 a1323 postfix/qmgr[32389]: 9143317A5A6: removed


--


Regards

Daniel




> 
> 
> 
> __ Hinweis von ESET NOD32 Antivirus, Signaturdatenbank-Version
> 4545 (20091026) __
> 
> E-Mail wurde geprüft mit ESET NOD32 Antivirus.
> 
> http://www.eset.com
> 
 

__ Hinweis von ESET NOD32 Antivirus, Signaturdatenbank-Version 4546
(20091027) __

E-Mail wurde geprüft mit ESET NOD32 Antivirus.

http://www.eset.com
 

Please criticize my basic filtering config

[Harakiri]

Hello,

can a postfix guru please look over my easy configuration? I wanted to create 
some very easy antispam defense using only postfix (postgrey).

I created a new smtpd_restriction_classes, which i appended to 
smtpd_recipient_restrictions.

my_filtering = check_recipient_access 
proxy:pgsql:/etc/myconfig/recipient_check, check_policy_service 
inet:127.0.0.1:6, check_client_access pcre:/etc/myconfig/rbl_check

At first i check if the internal recipient exists with a SQL lookup, it either 
returns REJECT if the user isnt found, or DUNNO if the user is found (to 
proceed with additional checks). I heard the use of proxy: is recommended for 
performance reason - i want to use this lookup for up to 50 messages/sec - is 
proxymap the right thing todo in this case?

After the recipient check, i check for greylisting, default config of postgrey. 
Finally im doing an rbl check with reject_rbl_client zen.spamhaus.org.

Is this the correct order? Is this performance wise the best i could do?

Thank you


  

Re: Spam Attack on Postmaster

[Carlos Williams]

On Thu, Sep 24, 2009 at 11:05 AM, Noel Jones  wrote:
> Some older versions of postfix give special treatment to the postmaster
> address.  To disable this special treatment, add
> # main.cf
> address_verify_sender = $double_bounce_sender

So when you note "older" I am going to assume 2.3.x qualifies, right?

Basically I should simply add the following anywhere in my 'main.cf'
config file, right?

*address_verify_sender = $double_bounce_sender*

Re: AW: AW: AW: AW: virtual-mailbox-domain: Loops back zo myself

[Brian Evans - Postfix List]

Daniel Spannbauer wrote:
> 
>> -Ursprüngliche Nachricht-
>> Von: owner-postfix-us...@postfix.org [mailto:owner-postfix-
>> us...@postfix.org] Im Auftrag von mouss
>> Gesendet: Montag, 26. Oktober 2009 22:28
>> An: 'Postfix users'
>> Betreff: Re: AW: AW: AW: virtual-mailbox-domain: Loops back zo myself
>>
>> Daniel Spannbauer a écrit :
 bet of the day: something in master.cf overrides your main.cf
 config

 show your master.cf.
>>>
>>> [snip]
>> your master.cf shows a content_filter, but this doesn't appear in the
>> last post logs.
>>

> a1323:~ # cat /etc/postfix/master.cf
> #
> # Postfix master process configuration file.  For details on the format
> # of the file, see the Postfix master(5) manual page.
> #
> # ==
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #   (yes)   (yes)   (yes)   (never) (100)
> # ==
> smtp  inet  n   -   n   -   -   smtpd
> -o content_filter=amavisfeed:

Since you do not define a destination for the content filter, it makes
assumptions and attempts to lookup the destination.  So, you are
delivering the content right back to postfix with the same hostname.
Postfix detects this as a mail loop.


Either fix the destination/port of the filter or remove this from master.cf.
[snip]


> amavisfeed unix -   -   n   -   2   smtp
> -o lmtp_data_done_timeout=1200
> -o lmtp_send_xforward_command=yes
> -o disable_dns_lookups=yes


BTW lmtp* options have no effect on the SMTP client.

> 
> There's is only one instance of postfix running.
> Here is again a log of a Mail sent from my Laptop.
> 
> 
> Oct 26 23:38:58 a1323 postfix/smtpd[26542]: connect from
> fmmailgate03.web.de[217.72.192.234]
> Oct 26 23:38:58 a1323 postfix/smtpd[26542]: A688917A5A6:
> client=fmmailgate03.web.de[217.72.192.234]
> Oct 26 23:38:58 a1323 postfix/cleanup[24923]: A688917A5A6:
> message-id=<007301ca568d$1a2f37c0$4e8da7...@de>
> Oct 26 23:38:58 a1323 postfix/qmgr[32389]: A688917A5A6:
> from=, size=1362, nrcpt=1 (queue active)
> Oct 26 23:38:58 a1323 postfix/smtpd[26542]: disconnect from
> fmmailgate03.web.de[217.72.192.234]
> Oct 26 23:38:58 a1323 postfix/smtp[24918]: A688917A5A6:
> to=, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.4.6,
> status=bounced (mail for mail.domain.de loops back to myself)

Re: Invitation to connect on LinkedIn

[Sahil Tandon]

Hey Siju stop spamming all your mailing lists with this crap.  Thanks  
much.

Re: Please criticize my basic filtering config

[Sahil Tandon]

On Oct 27, 2009, at 8:06 AM, Harakiri  wrote:


Hello,

can a postfix guru please look over my easy configuration? I wanted  
to create some very easy antispam defense using only postfix  
(postgrey).


I created a new smtpd_restriction_classes, which i appended to  
smtpd_recipient_restrictions.


my_filtering = check_recipient_access proxy:pgsql:/etc/myconfig/ 
recipient_check, check_policy_service inet:127.0.0.1:6,  
check_client_access pcre:/etc/myconfig/rbl_check


At first i check if the internal recipient exists with a SQL lookup,  
it either returns REJECT if the user isnt found, or DUNNO if the  
user is found (to proceed with additional checks). I heard the use  
of proxy: is recommended for performance reason - i want to use this  
lookup for up to 50 messages/sec - is proxymap the right thing todo  
in this case?


After the recipient check, i check for greylisting, default config  
of postgrey. Finally im doing an rbl check with reject_rbl_client zen.spamhaus.org 
.


Is this the correct order?


I reject with zen before greylisting.

Re: Spam Attack on Postmaster

[Noel Jones]

On 10/27/2009 7:22 AM, Carlos Williams wrote:

On Thu, Sep 24, 2009 at 11:05 AM, Noel Jones  wrote:

Some older versions of postfix give special treatment to the postmaster
address.  To disable this special treatment, add
# main.cf
address_verify_sender = $double_bounce_sender


So when you note "older" I am going to assume 2.3.x qualifies, right?

Basically I should simply add the following anywhere in my 'main.cf'
config file, right?

*address_verify_sender = $double_bounce_sender*



Yes.  Well, don't include the stars...

Or you can have postfix add it to main.cf for you by typing 
the command:


# postconf -e 'address_verify_sender=$double_bounce_sender'




  -- Noel Jones

AW: AW: AW: AW: AW: virtual-mailbox-domain: Loops back zo myself

[Daniel Spannbauer]

> -Ursprüngliche Nachricht-
> Von: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] Im Auftrag von Brian Evans - Postfix List
> Gesendet: Dienstag, 27. Oktober 2009 13:48
> An: Postfix users
> Betreff: Re: AW: AW: AW: AW: virtual-mailbox-domain: Loops back zo
> myself
> 
> Daniel Spannbauer wrote:
> >
> >> -Ursprüngliche Nachricht-
> >> Von: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> >> us...@postfix.org] Im Auftrag von mouss
> >> Gesendet: Montag, 26. Oktober 2009 22:28
> >> An: 'Postfix users'
> >> Betreff: Re: AW: AW: AW: virtual-mailbox-domain: Loops back zo
> myself
> >>
> >> Daniel Spannbauer a écrit :
> >>>> bet of the day: something in master.cf overrides your main.cf
> >>>> config
> >>>>
> >>>> show your master.cf.
> >>>
> >>> [snip]
> >> your master.cf shows a content_filter, but this doesn't appear in
> the
> >> last post logs.
> >>
> 
> > a1323:~ # cat /etc/postfix/master.cf
> > #
> > # Postfix master process configuration file.  For details on the
> format
> > # of the file, see the Postfix master(5) manual page.
> > #
> > #
> ===
> ===
> > # service type  private unpriv  chroot  wakeup  maxproc command +
> args
> > #   (yes)   (yes)   (yes)   (never) (100)
> > #
> ===
> ===
> > smtp  inet  n   -   n   -   -   smtpd
> > -o content_filter=amavisfeed:
> 
> Since you do not define a destination for the content filter, it makes
> assumptions and attempts to lookup the destination.  So, you are
> delivering the content right back to postfix with the same hostname.
> Postfix detects this as a mail loop.
> 
> 
> Either fix the destination/port of the filter or remove this from
> master.cf.


That was the Problem. Thanks a lot. I search for days now and haven#T seen
it.

Regards

Daniel




> [snip]
> 
> 
> > amavisfeed unix -   -   n   -   2   smtp
> > -o lmtp_data_done_timeout=1200
> > -o lmtp_send_xforward_command=yes
> > -o disable_dns_lookups=yes
> 
> 
> BTW lmtp* options have no effect on the SMTP client.
> 
> >
> > There's is only one instance of postfix running.
> > Here is again a log of a Mail sent from my Laptop.
> >
> > 
> > Oct 26 23:38:58 a1323 postfix/smtpd[26542]: connect from
> > fmmailgate03.web.de[217.72.192.234]
> > Oct 26 23:38:58 a1323 postfix/smtpd[26542]: A688917A5A6:
> > client=fmmailgate03.web.de[217.72.192.234]
> > Oct 26 23:38:58 a1323 postfix/cleanup[24923]: A688917A5A6:
> > message-id=<007301ca568d$1a2f37c0$4e8da7...@de>
> > Oct 26 23:38:58 a1323 postfix/qmgr[32389]: A688917A5A6:
> > from=, size=1362, nrcpt=1 (queue active)
> > Oct 26 23:38:58 a1323 postfix/smtpd[26542]: disconnect from
> > fmmailgate03.web.de[217.72.192.234]
> > Oct 26 23:38:58 a1323 postfix/smtp[24918]: A688917A5A6:
> > to=, relay=none, delay=0.19, delays=0.19/0/0/0,
> dsn=5.4.6,
> > status=bounced (mail for mail.domain.de loops back to myself)
> 
> 
> 
> __ Hinweis von ESET NOD32 Antivirus, Signaturdatenbank-Version
> 4547 (20091027) __
> 
> E-Mail wurde geprüft mit ESET NOD32 Antivirus.
> 
> http://www.eset.com
> 
 

__ Hinweis von ESET NOD32 Antivirus, Signaturdatenbank-Version 4547
(20091027) __

E-Mail wurde geprüft mit ESET NOD32 Antivirus.

http://www.eset.com
 

sender_restrictions are filtering ndr mails

[Fiederling, Daniel]

Hello,

we use smtpd_sender_restrictions on our outgoing smtp gateway to filter
mails from users who are not allowed to send mails to external
recipients. We use the following config:

smtpd_sender_restrictions=check_sender_access
hash:/etc/postfix-outbound/sender_restrictions, check_sender_access
regexp:/etc/postfix-outbound/sender_nice_reject.db

The sender_restrictions file contains a list of valid mail addresses
exported from our active directory in the following form:
daniel.fiederl...@warema.de
OK

The sender_nice:_reject.db contians only the following line to generate
a custom error message:
/./ 554 Sie duerfen keine eMails nach Extern senden, bitte wenden
Sie sich an die IT Hotline. / You are not allowed to send mail to
external addresses, please contact the it hotline.

Our problem is that we offend rfc complaince because those filtering
rules prevent internal generated non delivery reports to be sent out to
the sender of the failed message. How can I weaken the filter to achive
NDRs being sent out?

I tried regular expressions in sender_nice_reject.db like these without
success:
/^\<\>$/  ok
or
/^$/  ok

Any help or pointers are appreciated.

bye
Daniel

[Postfix] Wrong Time

[Jacopo Cappelli]

On log i have the wrong time(-6h) but the date is ok.
I read that i copy /etc/localtime to the chroot of postfix and i try
but don't work...
cp -p /etc/localtime /var/spool/postfix/etc/localtime
and reload postfix don't work...
I use Debian 5.0.3 tzdata and locales is ok and configured.

Thanks,
Jacopo

-- 
Linux, Windows Xp ed MS-DOS
(anche conosciuti come il Bello, il Brutto ed il Cattivo).
-- Matt Welsh

Re: [Postfix] Wrong Time

[Terry L. Inzauro]

Jacopo Cappelli wrote:
> On log i have the wrong time(-6h) but the date is ok.
> I read that i copy /etc/localtime to the chroot of postfix and i try
> but don't work...
> cp -p /etc/localtime /var/spool/postfix/etc/localtime
> and reload postfix don't work...
> I use Debian 5.0.3 tzdata and locales is ok and configured.
> 
> Thanks,
> Jacopo
> 

what is the UTC setting in /etc/default/rcS?

Re: VRFY functionality through the command line

[Noel Jones]

On 10/27/2009 2:35 AM, frantisek holop wrote:

hello there,

i am writing a custom filter tool and i am looking
for a way to verify that the recipient address is
valid--as far as postfix and it's aliases and all
it's maps are concerned.  probably something like
a command line client for verify(8), or a program
to somehow evaluate that the condition

smtpd_recipient_restrictions = reject_unverified_recipient

is fulfilled.

i am not sure if spamassassin or the other spam filters
are doing something like this, the postfix documentation
is quite explicit about verify(8) being very slow on heavy
traffic sites, but this functionality would be very useful
for greyfiltering/greytrapping as well.

going over the logs to see if rcpt is valid is not good
enough for me, because i have strict smtpd_helo_restrictions:

smtpd_helo_restrictions =
 permit_mynetworks
check_helo_access hash:/etc/postfix/helo_checks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

and legitimate but misconfigured servers are caught by this
before the recipient is verified.  i'd like to go over the
logs and catch these false positives to whitelist them.  one
of the signs of these false positives would be to see if the
recipient is legitimate.

thank you for any pointers.

-f


Have postfix do recipient validation before your helo checks. 
That way, only valid recipients will be rejected by your other 
rules.


Usually you can do this by putting reject_unlisted_recipient 
just after permit_mynetworks.


  -- Noel Jones

Re: [Postfix] Wrong Time

[Wietse Venema]

Jacopo Cappelli:
> On log i have the wrong time(-6h) but the date is ok.
> I read that i copy /etc/localtime to the chroot of postfix and i try
> but don't work...

Show the evidence. What are the permissions of:

/var/spool/postfix/etc
/var/spool/postfix/etc/localtime

Wietse

Re: [Postfix] Wrong Time

[Jacopo Cappelli]

server:/etc/postfix# ls -alh /var/spool/postfix/etc/
totale 48K
drwxr-xr-x  2 root root 4,0K 27 ott 14:40 .
drwxr-xr-x 20 root root 4,0K  9 set 11:53 ..
-rw-r--r--  1 root root  312 27 ott 14:40 hosts
-rw-r--r--  1 root root 2,6K 27 ott 14:40 localtime
-rw-r--r--  1 root root  475 27 ott 14:40 nsswitch.conf
-rw-r--r--  1 root root   78 27 ott 14:40 resolv.conf
-rw-r--r--  1 root root  19K 27 ott 14:40 services
-rw-r--r--  1 root root   12 27 ott 14:23 timezone

On the other relay it's the same permission :S

2009/10/27 Wietse Venema :
> Jacopo Cappelli:
>> On log i have the wrong time(-6h) but the date is ok.
>> I read that i copy /etc/localtime to the chroot of postfix and i try
>> but don't work...
>
> Show the evidence. What are the permissions of:
>
> /var/spool/postfix/etc
> /var/spool/postfix/etc/localtime
>
>Wietse
>



-- 
Linux, Windows Xp ed MS-DOS
(anche conosciuti come il Bello, il Brutto ed il Cattivo).
-- Matt Welsh

Relay mails to local domains

[punit jain]

Hi ,

I have multiple domains hosted on my postfix server. I am planning to relay
mails for one of the domain test.com to my AS/AV appliance. I tried setting
relayhost = 192.168.180.25 which is IP address of my appliance but it
doesnot relay mails to this IP infact delivers locally: -

Oct 27 18:58:48 mail amavis[29404]: (29404-01) Passed CLEAN, MYNETS LOCAL
[127.0.0.1] [127.0.0.1]  -> , Message-ID: <
1790.10.66.104.83.1256650127.squir...@10.66.118.238>, mail_id: kRjXIvjBVlXq,
Hits: 1.077, size: 704, queued_as: 41E1120CBF, 662 ms
Oct 27 18:58:48 mail postfix/smtp[29636]: 8471D20CBE: to=,
relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 Ok: queued as
41E1120CBF)
Oct 27 18:58:48 mail postfix/qmgr[29630]: 8471D20CBE: removed
Oct 27 18:58:48 mail postfix/local[29645]: 41E1120CBF: to=,
relay=local, delay=0, status=sent (delivered to maildir)

 What configuration changes are needed ?

Re: [Postfix] Wrong Time

[Wietse Venema]

Jacopo Cappelli:
> server:/etc/postfix# ls -alh /var/spool/postfix/etc/
> totale 48K
> drwxr-xr-x  2 root root 4,0K 27 ott 14:40 .
> drwxr-xr-x 20 root root 4,0K  9 set 11:53 ..
> -rw-r--r--  1 root root  312 27 ott 14:40 hosts
> -rw-r--r--  1 root root 2,6K 27 ott 14:40 localtime
> -rw-r--r--  1 root root  475 27 ott 14:40 nsswitch.conf
> -rw-r--r--  1 root root   78 27 ott 14:40 resolv.conf
> -rw-r--r--  1 root root  19K 27 ott 14:40 services
> -rw-r--r--  1 root root   12 27 ott 14:23 timezone
> 
> On the other relay it's the same permission :S

Try without SeLinux, AppArmor, and other "security" add-ons.
They are not covered by the Postfix warranty.

Wietse

Re: [Postfix] Wrong Time

[Dan Schaefer]

Wietse Venema wrote:

Try without SeLinux, AppArmor, and other "security" add-ons.
They are not covered by the Postfix warranty.

Wietse
  

Postfix has a warranty? :) It's a free product...

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.

Re: [Postfix] Wrong Time

[Wietse Venema]

Dan Schaefer:
> Wietse Venema wrote:
> > Try without SeLinux, AppArmor, and other "security" add-ons.
> > They are not covered by the Postfix warranty.
> >   
> Postfix has a warranty? :) It's a free product...

The warranty that defects will be fixed, for supported releases
(currently, 2.3 and later). Whether vendors pick up those fixes
is beyond my control.

Support for SeLinux or AppArmor configuration is not included with
this warranty.

Wietse

Re: [Postfix] Wrong Time

[Victor Duchovni]

On Tue, Oct 27, 2009 at 10:51:07AM -0400, Dan Schaefer wrote:

> Wietse Venema wrote:
>> Try without SeLinux, AppArmor, and other "security" add-ons.
>> They are not covered by the Postfix warranty.
>>
>>  Wietse
>
> Postfix has a warranty? :) It's a free product...

There is no contractual warranty, but there is, typically better than
commercial, best-effort support, which is not extended to damage inflicted
by non-cooperative system environments.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: [Postfix] Wrong Time

[Linux Addict]

On Tue, Oct 27, 2009 at 10:51 AM, Dan Schaefer wrote:

> Wietse Venema wrote:
>
>> Try without SeLinux, AppArmor, and other "security" add-ons.
>> They are not covered by the Postfix warranty.
>>
>>Wietse
>>
>>
> Postfix has a warranty? :) It's a free product...
>
> --
> Dan Schaefer
> Web Developer/Systems Analyst
> Performance Administration Corp.
>
>

This issue(-0600) is usually caused by an application/script sends mail
without setting time offset.

Re: Please criticize my basic filtering config

[Harakiri]

--- On Tue, 10/27/09, Sahil Tandon  wrote:

> From: Sahil Tandon 

> 
> I reject with zen before greylisting.
> 

Hi,

thanks for your reply - i had thought about it - but since RBL is an external 
service - it takes more time to go through, therefor i used greylisting before 
RBL since its a local lookup. Most spam is already catched through greylisting 
first, not RBL in my oppinion.


  

Default parameter values in postfix configuration file.

[Manoj Burande]

Hello All,

  I am a newbie for Postfix Mail server. Can anybody please suggest me
on Postfix's default parameter's configuration values. I have one
query relating to the same as,

   On my machine I am getting hundreds of default Postfix
configuration parameter values after running the "#postconf -d". Is
it means that I need to change it to override the default values?
or only required parameter values in "/etc/postfix/main.cf" defined
by me will only considered for postfix configuration?

Please guide me what to do with this?

Thanks in advance.


-- 
Manoj M. Burande,
Artificial Machines Pvt Ltd,
System Administrator.

Reverse DNS Rejection Problem

[Dennis Putnam]

I have my Postfix configured to require proper DNS resolution in both  
directions. However, I have a situation that is giving me problems  
perhaps due to multiple PTR records for the IP address. I am getting  
the error:


450 Client host rejected: cannot find your hostname

When I 'dig' the hostname the IP address matches that of the server  
making contact with my Postfix. When I 'dig -x' that same IP address,  
among the many PTR records, the hostname used in the 'HELO' matches.  
The from doesn't match but that is not what it is comparing, right?


Can someone tell me what might get going on here? I am running version  
2.1.5 so perhaps that is part of the problem.


Thanks.

Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA  30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000
The information contained in this e-mail and any attachments is  
strictly confidential. If you are not the intended recipient, any use,  
dissemination, distribution, or duplication of any part of this e-mail  
or any attachment is prohibited. If you are not the intended  
recipient, please notify the sender by return e-mail and delete all  
copies, including the attachments.

Re: Default parameter values in postfix configuration file.

[Noel Jones]

On 10/27/2009 10:08 AM, Manoj Burande wrote:

Hello All,

   I am a newbie for Postfix Mail server. Can anybody please suggest me
on Postfix's default parameter's configuration values. I have one
query relating to the same as,

On my machine I am getting hundreds of default Postfix
configuration parameter values after running the "#postconf -d". Is
it means that I need to change it to override the default values?
or only required parameter values in "/etc/postfix/main.cf" defined
by me will only considered for postfix configuration?

Please guide me what to do with this?

Thanks in advance.




The "postconf -d" command lists the compiled-in default values 
of postfix  -- currently over 600 settings.  The vast majority 
of these will never need to be adjusted by most users.


Postfix uses carefully chosen defaults that should operate 
well in a wide variety of situations.  Parameters that are 
commonly adjusted are listed in the sample main.cf included 
with postfix, other parameters can be added to main.cf as 
necessary for your environment.


Please see the BASIC_CONFIGURATION_README for details of what 
should be set, see the other documentation for what the other 
parameters do.

http://www.postfix.org/documentation.html

An excellent place to start is
http://www.postfix.org/BASIC_CONFIGURATION_README.html

A list of what all those parameters do can be found here:
http://www.postfix.org/postconf.5.html
But again, most of these should never be changed from their 
default setting.


  -- Noel Jones

Re: Reverse DNS Rejection Problem

[Wietse Venema]

Dennis Putnam:
> I have my Postfix configured to require proper DNS resolution in both  
> directions. However, I have a situation that is giving me problems  
> perhaps due to multiple PTR records for the IP address. I am getting  
> the error:
> 
> 450 Client host rejected: cannot find your hostname
> 
> When I 'dig' the hostname the IP address matches that of the server  
> making contact with my Postfix. When I 'dig -x' that same IP address,  
> among the many PTR records, the hostname used in the 'HELO' matches.  
> The from doesn't match but that is not what it is comparing, right?
> 
> Can someone tell me what might get going on here? I am running version  
> 2.1.5 so perhaps that is part of the problem.

Postfix takes the first hostname that is returned by the getnameinfo()
system library function. If that first name does not resolve to
the client IP address, then Postfix will not try the the second
etc, name.

Wietse

Postfix and Google Docs Repositories

[Michael Katz]

Have some software to very selectively store email attachments in Google 
Docs repository directly from Postfix using web services API of Google. 
  Please contact me if interested to test.


Thanks,
Mike Katz
http://mailspect.com

Re: [Postfix] Wrong Time

[Wietse Venema]

Jacopo Cappelli:
> Only security is grsec but don't block anything of Postfix.

Logging the "wrong time" means one of the following:

1) The timezone file is not accessible (no file, no permission).
   Use strace to see what system call fails.

2) The file contains the wrong data. Use cmp(1) to find out
   if it differs from a good file.

3) The process has the wrong TZ environment. Specify the TZ in
   /etc/postfix/main.cf.
   import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ=XXX LANG=C

Wietse

Re: [Postfix] Wrong Time

[Victor Duchovni]

On Tue, Oct 27, 2009 at 12:28:52PM -0400, Wietse Venema wrote:

> Jacopo Cappelli:
> > Only security is grsec but don't block anything of Postfix.
> 
> Logging the "wrong time" means one of the following:
> 
> 1) The timezone file is not accessible (no file, no permission).
>Use strace to see what system call fails.
> 
> 2) The file contains the wrong data. Use cmp(1) to find out
>if it differs from a good file.
> 
> 3) The process has the wrong TZ environment. Specify the TZ in
>/etc/postfix/main.cf.
>import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ=XXX LANG=C

  4) The process effective user or group id is not equal to the
 corresponding real id (setuid/setgid binary or ancestor process),
 and so the process scrubs TZ from its environment for security
 reasons. In this case, explicitly adding TZ=... in main.cf,
 as above will help.

 Typically, only postdrop(1) (which only logs unexpected errors)
 runs in this way.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Reverse DNS Rejection Problem

[Charles Marcus]

On 10/27/2009, Dennis Putnam (dennis.put...@aimaudit.com) wrote:
> I have my Postfix configured to require proper DNS resolution in both
> directions. However, I have a situation that is giving me problems
> perhaps due to multiple PTR records for the IP address. I am getting the
> error:
> 
> 450 Client host rejected: cannot find your hostname

Per the welcome message you received when you joined the list:

TO REPORT A PROBLEM see:
http://www.postfix.org/DEBUG_README.html#mail

At a minimum, postfix version and output of postconf -n should be
provided...

> Can someone tell me what might get going on here? I am running
> version 2.1.5 so perhaps that is part of the problem.

Its a problem, for sure, but maybe not the cause of *this* problem.

Upograding is most definitely in order, regardless...

> 11675 Rainwater Dr., Suite 200
> Alpharetta, GA  30009

Howdy neighbor... I'm in Alpharetta too (Old Milton & 400)... :)

-- 

Best regards,

Charles

Re: Reverse DNS Rejection Problem

[Dennis Putnam]

Thanks or the reply. That sucks. Is there a way around this, short of  
turning that off or whitelisting?


On Oct 27, 2009, at 11:34 AM, Wietse Venema wrote:


Dennis Putnam:

I have my Postfix configured to require proper DNS resolution in both
directions. However, I have a situation that is giving me problems
perhaps due to multiple PTR records for the IP address. I am getting
the error:

450 Client host rejected: cannot find your hostname

When I 'dig' the hostname the IP address matches that of the server
making contact with my Postfix. When I 'dig -x' that same IP address,
among the many PTR records, the hostname used in the 'HELO' matches.
The from doesn't match but that is not what it is comparing, right?

Can someone tell me what might get going on here? I am running  
version

2.1.5 so perhaps that is part of the problem.


Postfix takes the first hostname that is returned by the getnameinfo()
system library function. If that first name does not resolve to
the client IP address, then Postfix will not try the the second
etc, name.

Wietse





Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA  30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000
The information contained in this e-mail and any attachments is  
strictly confidential. If you are not the intended recipient, any use,  
dissemination, distribution, or duplication of any part of this e-mail  
or any attachment is prohibited. If you are not the intended  
recipient, please notify the sender by return e-mail and delete all  
copies, including the attachments.

Re: Relay mails to local domains

[Magnus Bäck]

On Tuesday, October 27, 2009 at 15:35 CET,
 punit jain  wrote:

> I have multiple domains hosted on my postfix server. I am planning to
> relay mails for one of the domain test.com to my AS/AV appliance. I
> tried setting relayhost = 192.168.180.25 which is IP address of my
> appliance but it doesnot relay mails to this IP infact delivers
> locally: -

relayhost only affects what happens if Postfix determines that a
particular messages should be delivered remotely via SMTP. It does
not alter which transport method Postfix chooses.

To filter all messages (regardless of domain), use content_filter.

Per-domain content filtering requires transport table mappings, which
require multiple Postfix instances if Postfix also should take care of
the final delivery (i.e. you have Postfix -> filter -> Postfix).

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se

Re: Reverse DNS Rejection Problem

[Victor Duchovni]

On Tue, Oct 27, 2009 at 01:14:05PM -0400, Dennis Putnam wrote:

> Thanks or the reply. That sucks. Is there a way around this, short of 
> turning that off or whitelisting?

Don't use "reject_unknown_client" uncondionally. Use it selectively
in a

check_client_access cidr:/etc/postfix/client_access.cidr

rule that subjects "high-value" CIDR blocks (lots of junk with no
reverse mappings in a block, with some legit clients "mixed-in"
whose PTRs are valid), for example:

192.0.2.0/24reject_unknown_client

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Reverse DNS Rejection Problem

[Dennis Putnam]

That is not much different than whitelisting, right? I still have to  
maintain a list of permitted networks, do I not?


On Oct 27, 2009, at 1:24 PM, Victor Duchovni wrote:


On Tue, Oct 27, 2009 at 01:14:05PM -0400, Dennis Putnam wrote:


Thanks or the reply. That sucks. Is there a way around this, short of
turning that off or whitelisting?


Don't use "reject_unknown_client" uncondionally. Use it selectively
in a

check_client_access cidr:/etc/postfix/client_access.cidr

rule that subjects "high-value" CIDR blocks (lots of junk with no
reverse mappings in a block, with some legit clients "mixed-in"
whose PTRs are valid), for example:

192.0.2.0/24reject_unknown_client

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.





Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA  30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000
The information contained in this e-mail and any attachments is  
strictly confidential. If you are not the intended recipient, any use,  
dissemination, distribution, or duplication of any part of this e-mail  
or any attachment is prohibited. If you are not the intended  
recipient, please notify the sender by return e-mail and delete all  
copies, including the attachments.

Setup Question with multiple Interfaces and domains.

[Marcelo Iturbe]

Hello,
I have the following need:
- Setup a postfix server wich has 2 interfaces
- All emails where the SENDER is @domainA.com is to be sent from interface 1

- All emails where the SENDER is @domainB.com is to be sent from interface 2
- Interface 1 will only receive email which is for domainA.com
- Interface 2 will only receive email which is for domainB.com

Can this be done?
Would this be installing 2 parallel versions of postfix and each one binds
to a diferent interface?

Would the simplest thing be to just virtualize the box?

Thanks for your feedback

Re: Please criticize my basic filtering config

[LuKreme]

On 27-Oct-2009, at 09:00, Harakiri wrote:

--- On Tue, 10/27/09, Sahil Tandon  wrote:


From: Sahil Tandon 




I reject with zen before greylisting.



Hi,

thanks for your reply - i had thought about it - but since RBL is an  
external service - it takes more time to go through,


I dunno about that, DNS is very fast. I would not be surprised if it  
was sometimes faster than parsing a greylist database for a triplet.


therefor i used greylisting before RBL since its a local lookup.  
Most spam is already catched through greylisting first, not RBL in  
my opinion.


I find that rejecting with zen first is far and away the best option.  
In fact, I see so little help from greylisting I am seriously  
considering removing it from my arsenal.


--
I AM SO VERY TIRED
Bart chalkboard Ep. AABF20

Re: Setup Question with multiple Interfaces and domains.

[Frappy John]

I hope you realize that the sender (with the cooperation of his ISP)
determines which mail server his outgoing mail goes through. It often isn't
associated with the domain name of his email address.

Having said that, you should have no problem in configuring a single
instance of postfix to support multiple domain names (virtual domains),
complete with their own (virtual) mail server addresses. Thus
sen...@domaina.com could send his mail throughmail.domainA.com and
sen...@domainb.com could send hers through mail.domainB.com where both mail
servers are in reality the same.

On Tue, Oct 27, 2009 at 3:32 PM, Marcelo Iturbe wrote:

>
> Hello,
> I have the following need:
> - Setup a postfix server wich has 2 interfaces
> - All emails where the SENDER is @domainA.com is to be sent from interface
> 1
> - All emails where the SENDER is @domainB.com is to be sent from interface
> 2
> - Interface 1 will only receive email which is for domainA.com
> - Interface 2 will only receive email which is for domainB.com
>
> Can this be done?
> Would this be installing 2 parallel versions of postfix and each one binds
> to a diferent interface?
>
> Would the simplest thing be to just virtualize the box?
>
> Thanks for your feedback
>
>

Re: Reverse DNS Rejection Problem

[Phillip Smith]

2009/10/28 Dennis Putnam 

> Thanks or the reply. That sucks. Is there a way around this, short of
> turning that off or whitelisting?


Tell the admin of the remote domain to fix their PTR records and/or MX helo
configuration because in the meantime, you're going to have to implement a
dirty hack to make their server work.

[Postfix] Wrong Time

[Stan Hoeppner]

Dan Schaefer put forth on 10/27/2009 9:51 AM:
> Wietse Venema wrote:
>> Try without SeLinux, AppArmor, and other "security" add-ons.
>> They are not covered by the Postfix warranty.
>>
>> Wietse
>>   
> Postfix has a warranty? :) It's a free product...

Yes, even Wietse has a sense of humor, though it's so dry many don't
catch it.  I, however, much appreciate it. ;)

--
Stan

Re: Setup Question with multiple Interfaces and domains.

[Marcelo Iturbe]

Hello,
Thank you for your quick response.

I apologize if I was not completely clear. I have set up virtual domains and
domain aliasing before, all going through the same interface sharing the
same IP.

In this case, I need domainA.com (thus mail.domainA.com) and domainB.com
(thus mail.domainB.com) to go out using different IP addresses.

So network Card 1 will have IP address of 200.nn.nnn.30 and Network Card 2
will have IP address of 206.nnn.nnn.65

In the case that domainA.com gets blacklisted by IP, domainB.com will not be
affected.

Despite the fact that both domains are on the same physical machine, they
must not share any mail information or records (SPF, MX, A, CNAME etc)

Regards

2009/10/27 Frappy John 

> I hope you realize that the sender (with the cooperation of his ISP)
> determines which mail server his outgoing mail goes through. It often isn't
> associated with the domain name of his email address.
>
> Having said that, you should have no problem in configuring a single
> instance of postfix to support multiple domain names (virtual domains),
> complete with their own (virtual) mail server addresses. Thus
> sen...@domaina.com could send his mail throughmail.domainA.com and
> sen...@domainb.com could send hers through mail.domainB.com where both
> mail servers are in reality the same.
>
> On Tue, Oct 27, 2009 at 3:32 PM, Marcelo Iturbe 
> wrote:
>
>>
>> Hello,
>> I have the following need:
>> - Setup a postfix server wich has 2 interfaces
>> - All emails where the SENDER is @domainA.com is to be sent from interface
>> 1
>> - All emails where the SENDER is @domainB.com is to be sent from interface
>> 2
>> - Interface 1 will only receive email which is for domainA.com
>> - Interface 2 will only receive email which is for domainB.com
>>
>> Can this be done?
>> Would this be installing 2 parallel versions of postfix and each one binds
>> to a diferent interface?
>>
>> Would the simplest thing be to just virtualize the box?
>>
>> Thanks for your feedback
>>
>>
>

Re: VRFY functionality through the command line

[frantisek holop]

hmm, on Tue, Oct 27, 2009 at 09:24:23AM -0500, Noel Jones said that
> Have postfix do recipient validation before your helo checks. That way, 
> only valid recipients will be rejected by your other rules.
>
> Usually you can do this by putting reject_unlisted_recipient just after 
> permit_mynetworks.

the reason why i would like to keep the helo checks as the first
ones is that they make up 90% of all the rejections, while
all the other restrictions are the remaining 10%.

but it is also true that at the moment i don't know how much
of this 90% would get rejected also based on the recipient.
for that, it would be nice to have the tool i am asking about :]

maybe i could apply your suggestion for a while and have some
stats based on the new logs.

-f
-- 
who is general failure?  and why is he reading my disks?

Re: VRFY functionality through the command line

[Noel Jones]

On 10/27/2009 8:55 PM, frantisek holop wrote:

hmm, on Tue, Oct 27, 2009 at 09:24:23AM -0500, Noel Jones said that

Have postfix do recipient validation before your helo checks. That way,
only valid recipients will be rejected by your other rules.

Usually you can do this by putting reject_unlisted_recipient just after
permit_mynetworks.


the reason why i would like to keep the helo checks as the first
ones is that they make up 90% of all the rejections, while
all the other restrictions are the remaining 10%.

but it is also true that at the moment i don't know how much
of this 90% would get rejected also based on the recipient.
for that, it would be nice to have the tool i am asking about :]

maybe i could apply your suggestion for a while and have some
stats based on the new logs.

-f


The big problem is that it's not particularly easy to create a 
command-line tool that replicates postfix's recipient validation.


One could use a series of "postmap -q ..." commands to 
replicate part of postfix's recipient validation and table 
search order, but reproducing everything postfix does is more 
complicated than that.


... which is why I suggest just letting postfix do the 
validation for you.


The postfix "sendmail -bv recipi...@example.com" command will 
tell you if a recipient is deliverable, but the result is 
mailed to you, not returned on the command line.


  -- Noel Jones