Re: queue manager delaying delivery of message

2009-12-15 Thread lst_hoe02

Quoting George Forman:

> Hi,
>
> I am running into a problem where (it seems) queue manager
> doesn't pick up the queued message for delivery.  SMTPD returns
> a 250 OK at 16:26:39. However, oqmgr doesn't pick it up until 16:35:41.
> There is no post queue processing on the message.  I turned up logging
> on cleanup, qmgr and oqmgr (see below). I could not find any clues
> as to why there would be a delay. Any help is greatly appreciated.  - George


Why do you run oqmgr instead of the default qmgr?? I hope you don't  
try to run both of them. Can you show master.cf additionally?


Regards

Andreas





Queue-Id in content filter

2009-12-15 Thread Giovanni Mancuso
Hi,

I'm trying to write a pipe content filter for postfix.
I have a question: is there a way to put the queue id of the email into this
content filter?

It would be really useful to write a log file and trace the email flow.

Thanks


Re: forward mail with a local copy

2009-12-15 Thread nunatarsuaq
/etc/aliases:

local_user:local_user, other_u...@domain


--
ToMasz

2009/12/12 mouss :
> K K wrote:
>> Hi all,
>>
>>
>> I would like to forward all mail as they come(with the same envelope
>> recipient addr.)
>>  - it is not problem to do it with transport_map, for example:
>> domain.tld    smtp:remoteserver
>>
>> BUT i would like to keep a local copy too.(for all addresses)
>> I mean, i have 2 almost identical postfix servers and i need to
>> store mails on both servers.
>> Any ideas how to achieve this ?
>>
>
> try one of the bcc options.
>



-- 
ToMasz

http://skocz.pl/przystanekGL - memories ever more distant...


Re: Authenticated SMTP problem

2009-12-15 Thread Walter Breno
The problem is that my logs don't report any error; here is the log

connect from host[200.xxx.xxx.xxx]
9B2B16015997C: client=host[200.xxx.xxx.xxx], sasl_method=LOGIN,
sasl_username=u...@server.domain.com
9B2B16015997C: hold: header Received: from hostfc480db78a (host
[200.xxx.xxx.xxx])??by server.domain.com (Postfix) with ESMTPA id
9B2B16015997C??for ; Tue, 15 Dec 2009 06:51:52 -0300
(BRT) from host[200.xxx.xxx.xxx]; from= to=<
walter...@gmail.com> proto=ESMTP helo=
disconnect from host[200.xxx.xxx.xxx]

2009/12/14 Noel Jones 

> On 12/14/2009 6:48 AM, Walter Breno wrote:
>
>> I'm sorry about the incomplete mail, let's continue
>>
>> I'm trying to use submission port and I set up my master.cf
>>
>> smtp  inet   n   -   n   -   -   smtpd
>>   -o smtpd_recipient_restrictions=reject_unauth_destination,reject_non_fqdn_recipient,permit
>>   -o smtpd_client_restrictions=reject_unknown_client,permit
>> submission inet   n   -   n   -   -   smtpd
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject
>>
>> I want to receive emails on port 25 and send by other port in this case
>> the 587 submission port, then I should configure different restrictions
>> to send and receive emails.
>> all restrictions are working correctly i tried to send an email at port
>> 25 and the server refuses as i want.
>> but when i try to send an email by the port 587 the server get the
>> message and the logs register that the messages has been sent but i
>> don't receive the message on the recipient.
>>
>> is another conf that i need to set to get my mail working in this
>> structure?
>>
>
> Please don't top-post.
>
> Since you don't include postfix logging of the error you're getting, I'll
> guess it's the lack of a smtpd_recipient_restrictions override causing your
> unspecified problem.
>
> Your submission entry should look more like:
>
> submission inet n -  n  -   -   smtpd
>  -o smtpd_client_restrictions=
>  -o smtpd_helo_restrictions=
>  -o smtpd_sender_restrictions=
>  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>  ...
> and any other "postconf -n" settings you want to override.
>
>
>
>  -- Noel Jones
>


Re: store and forward and reject_unverified_recipient

2009-12-15 Thread Charles Marcus
On 12/14/2009, Simon Waters (sim...@zynet.net) wrote:
> On Monday 14 December 2009 14:24:34 Jaroslaw Grzabel wrote:
>>
>> What postfix does ? Reject all messages until
>> I will not be notified and remove the database and let postfix to
>> recreate it again.

> It refreshes cache at 3 hours by default,

Is there a way to configure it so that it only falls back to the cache
if it doesn't get a response from the downstream server?


Re: store and forward and reject_unverified_recipient

2009-12-15 Thread Charles Marcus
On 12/14/2009, Jaroslaw Grzabel (ja...@meil.me) wrote:
> Simon Waters wrote:
>> It refreshes cache at 3 hours by default, so within 3 days jon
>> starts getting email (and spam potentially). This is configurable.
>> 
>> http://www.postfix.org/verify.8.html

> Yeah, and it works on the other way round... if my customer's server
> will go down for more than 3h, my server will store his emails only
> for 3h. After that it will start reject them with 450.

It would probably be a good idea to actually go READ the links you are
provided before commenting on a feature that you clearly don't understand.


Re: Authenticated SMTP problem

2009-12-15 Thread Noel Jones

On 12/15/2009 6:59 AM, Walter Breno wrote:
> The problem is that my logs don't report any error; here is the log
>
> connect from host[200.xxx.xxx.xxx]
> 9B2B16015997C: client=host[200.xxx.xxx.xxx], sasl_method=LOGIN,
> sasl_username=u...@server.domain.com 
> 9B2B16015997C: hold: header Received: from hostfc480db78a (host
> [200.xxx.xxx.xxx])??by server.domain.com 
> (Postfix) with ESMTPA id 9B2B16015997C??for mailto:walter...@gmail.com>>; Tue, 15 Dec 2009 06:51:52 -0300 (BRT)
> from host[200.xxx.xxx.xxx]; from=mailto:u...@domain.com>> to=mailto:walter...@gmail.com>> proto=ESMTP helo=
> disconnect from host[200.xxx.xxx.xxx]

Stop top-posting.

These mangled log entries show the mail was received and put
on hold.

If that's the last entry for that QUEUEID, then either the
message is still in your hold queue (check with mailq command)
or something removed it.

You using mailscanner?  Check its logs for the disposition of
this message.


  -- Noel Jones


Re: store and forward and reject_unverified_recipient

2009-12-15 Thread Noel Jones

On 12/15/2009 7:30 AM, Charles Marcus wrote:
> On 12/14/2009, Simon Waters (sim...@zynet.net) wrote:
>> On Monday 14 December 2009 14:24:34 Jaroslaw Grzabel wrote:
>>> What postfix does ? Reject all messages until
>>> I will not be notified and remove the database and let postfix to
>>> recreate it again.
>>
>> It refreshes cache at 3 hours by default,
>
> Is there a way to configure it so that it only falls back to the cache
> if it doesn't get a response from the downstream server?

No, that would defeat the purpose of the cache.

  -- Noel Jones


Re: ps_dict_put: /var/lib/postfix/ps_cache.db update took X ms

2009-12-15 Thread Wietse Venema
Stefan Foerster:
> While I certainly like the fact that Postfix becomes more and more
> "admin friendly" in that it now also logs warnings about performance
> issues, I'd like to know how many milliseconds a single request to
> update the temporary whitelist may take before a warning is emitted.
> 
> Is it 100ms? I got exactly 882 messages like
> 
> postscreen[5486]: warning: ps_dict_put: /var/lib/postfix/ps_cache.db update 
> took 108 ms
> 
> with values ranging from 101 to 147 within the last 24 hours on a
> moderately busy system.

You can stop the logging with "helpful_warnings = no".  In the last
version I added database delay logging, because someone was using
postscreen on top of MySQL, with rather disastrous consequences.

I can test postscreen in the lab, or on tiny systems, but there is
only one way to find out how postscreen works in the real world.
That is by having people use it. So you are collecting the data
for me.

Postscreen is a single process that can eliminate the obvious bots
without wasting one smtpd process per SMTP client.  But this works
only as long as postscreen does not block for any significant time
on database access (if every database access were to take 100ms,
postscreen could handle no more than 10 SMTP clients per second,
which would be worse than not using postscreen at all).

In your case, the slow operations appear to be writing to database,
which is done only when a client passes the pregreet etc. checks.
I could delete the "update delay" check safely.

I would be much more concerned if lookup operations were experiencing
delays, because those operations are much more common.

I could make the delay analysis more sophisticated and log delay
statistics every 10 minutes, with max/min/average/stddev, and
without sounding an alarm.

I could also take the OpenBSD spamd route, and use a kernel-based
packet filter to route "good" clients around postscreen. But, this
greatly increases the development effort because I would have to
maintain up-to-date packet filter documentation for Linux, FreeBSD,
OpenBSD, Solaris, and so on. That means dealing with all the variants
of ipchains, ipfilter and pf.

> Probably unrelated: When does postscreen(8) clean up its database?
> Periodically? Every X connections? Never? What database sizes are to
> be expected?

The "delete old records" thread is not yet implemented. I suggest
that you rotate the cache file each Saturday night and do "postfix
reload" (the temporary whitelist entries are good for 24 hours
only, so deleting the file at a non-peak time has little impact).

Wietse


Re: Queue-Id in content filter

2009-12-15 Thread Noel Jones

On 12/15/2009 5:21 AM, Giovanni Mancuso wrote:
> Hi,
>
> I'm trying to write a pipe content filter for postfix.
> I have a question: is there a way to put the queue id of the email into this
> content filter?

No.

> It would be really useful to write a log file and trace the email flow.

If you write your filter with SMTP support, you can use the
XFORWARD extensions to help correlate your logs.

http://www.postfix.org/XFORWARD_README.html

  -- Noel Jones


Re: Queue-Id in content filter

2009-12-15 Thread Wietse Venema
Giovanni Mancuso:
> Hi,
> 
> I'm trying to write a pipe content filter for postfix.
> I have a question, Is There a way to put the queue id of email, to this
> content filter?
> 
> It would be really useful to write a log file and trace the email flow.

The queue ID is in the first RECEIVED: message header.

Wietse
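
One way to do what Wietse describes, as an added example (not code from the thread or from Postfix): a pipe filter reads the message on stdin and takes the queue ID from the topmost Received: header only, because every Received: header below it was supplied by the sender. The sample messages are constructed, the function names are hypothetical, and the pattern assumes the default mail_name of "Postfix".

```python
import email
import re
import sys
from email import policy

# "id" clause of the Received: header that Postfix prepends. Covers mail
# received over SMTP ("(Postfix) with ESMTP id 6E4637D05") and local
# submission ("(Postfix, from userid 0) id C52F07D05").
# Assumption: mail_name is left at its default, "Postfix".
QUEUE_ID_RE = re.compile(
    r"\(Postfix(?:, from userid \d+)?\)\s+(?:with\s+\S+\s+)?id\s+([0-9A-Za-z]+)"
)


def queue_id_from_message(raw):
    """Return the queue ID found in the topmost Received: header, or None."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Only the first header was written by the Postfix instance that handed
    # the message to this filter. Headers further down arrive with the
    # message and can contain any "id" the sender likes, so they are ignored.
    first = " ".join(str(received[0]).split())  # unfold continuation lines
    match = QUEUE_ID_RE.search(first)
    return match.group(1) if match else None


# Constructed sample: SMTP-received mail with a sender-supplied Received:
# header underneath that claims a different queue ID.
SAMPLE_SMTP = (
    b"Received: from localhost (localhost [127.0.0.1])\n"
    b"\tby server.example.com (Postfix) with ESMTP id 6E4637D05\n"
    b"\tfor <user@example.com>; Tue, 15 Dec 2009 00:31:08 -0500 (EST)\n"
    b"Received: from a.example.net by relay.example.net (Postfix)\n"
    b"\twith ESMTP id 0BADC0DE00; Tue, 15 Dec 2009 00:30:00 -0500 (EST)\n"
    b"Subject: constructed test message\n"
    b"\n"
    b"body\n"
)

# Constructed sample: mail submitted locally through the pickup service.
SAMPLE_PICKUP = (
    b"Received: by server.example.com (Postfix, from userid 0)\n"
    b"\tid C52F07D05; Tue, 15 Dec 2009 00:30:50 -0500 (EST)\n"
    b"Subject: constructed test message\n"
    b"\n"
    b"body\n"
)

# Constructed sample: the topmost header is not from Postfix, so no queue ID
# is reported even though a lower header contains a Postfix-style "id".
SAMPLE_FOREIGN_TOP = (
    b"Received: from a.example.net by filter.example.com with SMTP;\n"
    b"\tTue, 15 Dec 2009 00:31:00 -0500 (EST)\n"
    b"Received: from b.example.net by relay.example.net (Postfix)\n"
    b"\twith ESMTP id 0BADC0DE00; Tue, 15 Dec 2009 00:30:00 -0500 (EST)\n"
    b"\n"
    b"body\n"
)


def main():
    raw = sys.stdin.buffer.read()
    qid = queue_id_from_message(raw) or "unknown"
    # One log line per message, keyed by the same ID that appears in the
    # Postfix mail log, so filter and MTA logs can be joined on it.
    sys.stderr.write("content-filter: queue_id=%s size=%d\n" % (qid, len(raw)))
    # The message is passed through unchanged. Re-injecting it into Postfix
    # is outside the scope of this example.
    sys.stdout.buffer.write(raw)


if __name__ == "__main__":
    main()
```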


Re: How did spam come from localhost??

2009-12-15 Thread Eero Volotinen

On 12/15/09 5:16 PM, vi...@wlcr.net wrote:
> Received: from 58.18.216.190 by example.com; Tue, 15 Dec 2009 13:13:56 +0800

See the first received line: Received: from 58.18.216.190 by
example.com; Tue, 15 Dec 2009 13:13:56 +0800

localhost line is caused by your content filter that lives at 127.0.0.1

--
Eero


Re: store and forward and reject_unverified_recipient

2009-12-15 Thread Charles Marcus
On 12/15/2009, Noel Jones (njo...@megan.vbhcs.org) wrote:
> On 12/15/2009 7:30 AM, Charles Marcus wrote:
>> On 12/14/2009, Simon Waters (sim...@zynet.net) wrote:
>>> On Monday 14 December 2009 14:24:34 Jaroslaw Grzabel wrote:

>>>> What postfix does ? Reject all messages until I will not be
>>>> notified and remove the database and let postfix to recreate it
>>>> again.

>>> It refreshes cache at 3 hours by default,

>> Is there a way to configure it so that it only falls back to the cache
>> if it doesn't get a response from the downstream server?

> No, that would defeat the purpose of the cache.

Right... no, I'm really not an idiot, I just play one on mail lists
sometimes (when I type+send before thinking)... ;)

-- 

Best regards,

Charles


How did this happen??

2009-12-15 Thread vince
Did this email really originate from my server?

How did it get sent?

Has an account been compromised or is Postfix improperly configured?

Thanks!

 

 

 

MESSAGE SOURCE:
=

Return-Path: 
Delivered-To: vi...@example.com
Received: from localhost (localhost [127.0.0.1])
    by server.example.com (Postfix) with ESMTP id 6E4637D05
    for ; Tue, 15 Dec 2009 00:31:08 -0500 (EST)
Content-Type: multipart/report; report-type=delivery-status;
 boundary="--=_1260855068-23802-0"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
In-Reply-To: <20091215053103.946b27...@server.example.com>
Message-ID: 
From: "Content-filter at server.example.com" 
To: 
Date: Tue, 15 Dec 2009 00:31:04 -0500 (EST)

This is a multi-part message in MIME format...

=_1260855068-23802-0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

A message from  to:
-> vi...@example.com

was considered unsolicited bulk e-mail (UBE).

Our internal reference code for your message is 23802-16/18oPepObPGMY

The message carried your return address, so it was either a genuine mail
from you, or a sender address was faked and your e-mail address abused
by third party, in which case we apologize for undesired notification.

We do try to minimize backscatter for more prominent cases of UBE and
for infected mail, but for less obvious cases of UBE some balance
between losing genuine mail and sending undesired backscatter is sought,
and there can be some collateral damage on both sides.

First upstream SMTP client IP address: [117.206.44.183] 
According to a 'Received:' trace, the message originated at: [117.206.44.183],
  [117.206.44.183] unknown [117.206.44.183]

Return-Path: 
Message-ID: <20091215053103.946b27...@server.example.com>
Subject: For vince special 80% OFF on Pfizer

Non-encoded 8-bit data (char A9 hex): From: VIAGRA \251 Online Shop 
Received: from [117.206.44.183] (unknown [117.206.44.183])
    by server.example.com (Postfix) with ESMTPS id 946B27D04
    for ; Tue, 15 Dec 2009 00:30:42 -0500 (EST)
From: VIAGRA © Online Shop 
To: vi...@example.com
Subject: For vince special 80% OFF on Pfizer
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <20091215053103.946b27...@server.example.com>
Date: Tue, 15 Dec 2009 00:30:42 -0500 (EST)

=_1260855068-23802-0--

 

 

 

 

MAIL LOG:
=

Dec 15 00:30:50 server postfix/smtpd[27310]: lost connection after DATA (0 bytes) from unknown[94.50.246.179]
Dec 15 00:30:50 server postfix/smtpd[27310]: disconnect from unknown[94.50.246.179]
Dec 15 00:30:50 server postfix/pickup[25415]: C52F07D05: uid=0 from=
Dec 15 00:30:50 server postfix/cleanup[27347]: C52F07D05: message-id=<20091215053050.c52f07...@server.example.com>
Dec 15 00:30:50 server postfix/qmgr[2816]: C52F07D05: from=, size=3851, nrcpt=1 (queue active)
Dec 15 00:30:51 server postfix/smtpd[27351]: connect from localhost[127.0.0.1]
Dec 15 00:30:51 server postfix/smtpd[27351]: 467977D04: client=localhost[127.0.0.1]
Dec 15 00:30:51 server postfix/cleanup[27347]: 467977D04: message-id=<20091215053050.c52f07...@server.example.com>
Dec 15 00:30:51 server postfix/qmgr[2816]: 467977D04: from=, size=4275, nrcpt=1 (queue active)
Dec 15 00:30:51 server postfix/smtpd[27351]: disconnect from localhost[127.0.0.1]
Dec 15 00:30:51 server postfix/cleanup[27347]: 4928C7D0C: message-id=<20091215053050.c52f07...@server.example.com>
Dec 15 00:30:51 server postfix/qmgr[2816]: 4928C7D0C: from=, size=4399, nrcpt=1 (queue active)
Dec 15 00:30:51 server postfix/local[27352]: 467977D04: to=, relay=local, delay=0.01, delays=0.01/0.01/0/0, dsn=2.0.0, status=sent (forwarded as 4928C7D0C)
Dec 15 00:30:51 server postfix/qmgr[2816]: 467977D04: removed
Dec 15 00:30:51 server postfix/smtp[27348]: C52F07D05: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.51, delays=0.02/0/0/0.49, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=24334-14, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 467977D04)
Dec 15 00:30:51 server postfix/qmgr[2816]: C52F07D05: removed
Dec 15 00:30:51 server postfix/pipe[27353]: 4928C7D0C: to=, orig_to=, relay=dovecot, delay=0.01, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 15 00:30:51 server postfix/qmgr[2816]: 4928C7D0C: removed
Dec 15 00:31:02 server postfix/smtpd[27317]: warning: 183.44.206.117.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=183.44.206.117.list.dsbl.org type=A: Host not found, try again
Dec 15 00:31:03 server postfix/smtpd[27317]: 946B27D04: client=unknown[117.206.44.183]
Dec 15 00:31:04 server postfix/cleanup[27347]: 946B27D04: message-id=<20091215053

Re: store and forward and reject_unverified_recipient

2009-12-15 Thread Mark Goodge

Noel Jones wrote:
> On 12/15/2009 7:30 AM, Charles Marcus wrote:
>> On 12/14/2009, Simon Waters (sim...@zynet.net) wrote:
>>> On Monday 14 December 2009 14:24:34 Jaroslaw Grzabel wrote:
>>>> What postfix does ? Reject all messages until
>>>> I will not be notified and remove the database and let postfix to
>>>> recreate it again.
>>>
>>> It refreshes cache at 3 hours by default,
>>
>> Is there a way to configure it so that it only falls back to the cache
>> if it doesn't get a response from the downstream server?
>
> No, that would defeat the purpose of the cache.


Not entirely. It would defeat one purpose of the cache, but not the 
other one.


The cache has two main functions:

1. To reduce traffic between the gateway and destination server, and 
reduce load on both.


2. To allow the gateway server to correctly handle mail 
acceptance/rejection when the destination server is unreachable.


Configuring it so that it only falls back to the cache when the 
destination server is unreachable would, indeed, defeat the first 
purpose. But it wouldn't defeat the second. And there may be times when 
the first purpose isn't that important, but the second is.


For example, you may have multiple MX records pointing to two or more 
servers outside your firewall, all of which use recipient verification 
against your internal server (which is firewalled to only accept 
connections from your external servers). Your single point of failure 
here is the internal server (and, for that matter, the firewall itself), 
so both the external servers need to be able to handle mail if it's 
offline. To do that, they need to cache the results of verification 
lookups. But, when everything is working properly, you may not need the 
traffic/load minimisation benefits of caching, and you may not want the 
update lag caused by the cache expiry time.


In such a case, you would want to configure the external servers to only 
fall back to the cache when an immediate lookup isn't possible. This may 
be a relatively uncommon scenario, but it's by no means an obscure one.


Mark


Re: store and forward and reject_unverified_recipient

2009-12-15 Thread Wietse Venema
Mark Goodge:
> Noel Jones wrote:
> > On 12/15/2009 7:30 AM, Charles Marcus wrote:
> >> On 12/14/2009, Simon Waters (sim...@zynet.net) wrote:
> >>> On Monday 14 December 2009 14:24:34 Jaroslaw Grzabel wrote:
> >>>> What postfix does ? Reject all messages until
> >>>> I will not be notified and remove the database and let postfix to
> >>>> recreate it again.
> >>
> >>> It refreshes cache at 3 hours by default,
> >>
> >> Is there a way to configure it so that it only falls back to the cache
> >> if it doesn't get a response from the downstream server?
> > 
> > No, that would defeat the purpose of the cache.
> 
> Not entirely. It would defeat one purpose of the cache, but not the 
> other one.
> 
> The cache has two main functions:
> 
> 1. To reduce traffic between the gateway and destination server, and 
> reduce load on both.
> 
> 2. To allow the gateway server to correctly handle mail 
> acceptance/rejection when the destination server is unreachable.

If the cache is good enough for 2) then it makes no sense to
skip the cache for 1).

Wietse


Re: store and forward and reject_unverified_recipient

2009-12-15 Thread Mark Goodge

Wietse Venema wrote:
> Mark Goodge:
>> The cache has two main functions:
>>
>> 1. To reduce traffic between the gateway and destination server, and
>> reduce load on both.
>>
>> 2. To allow the gateway server to correctly handle mail
>> acceptance/rejection when the destination server is unreachable.
>
> If the cache is good enough for 2) then it makes no sense to
> skip the cache for 1).


It would if even the short lag for cached failures (or, for that matter, 
cached successes) to expire is unacceptable. A typical example might be 
a webmail system which allows users to change or create addresses 
whenever they want to, and have those changes instantly reflected in 
what mail is accepted and rejected.


Mark


Re: store and forward and reject_unverified_recipient

2009-12-15 Thread Wietse Venema
Mark Goodge:
> Wietse Venema wrote:
> > Mark Goodge:
> >>
> >> The cache has two main functions:
> >>
> >> 1. To reduce traffic between the gateway and destination server, and 
> >> reduce load on both.
> >>
> >> 2. To allow the gateway server to correctly handle mail 
> >> acceptance/rejection when the destination server is unreachable.
> > 
> > If the cache is good enough for 2) then it makes no sense to
> > skip the cache for 1).
> 
> It would if even the short lag for cached failures (or, for that matter, 
> cached successes) to expire is unacceptable. A typical example might be 

If the cache is NOT good enough for 1) then it is NOT good enough
for 2), either. Therefore do NOT use the cache.

Wietse



Re: store and forward and reject_unverified_recipient

2009-12-15 Thread Mark Goodge

Wietse Venema wrote:
> Mark Goodge:
>> Wietse Venema wrote:
>>> Mark Goodge:
>>>> The cache has two main functions:
>>>>
>>>> 1. To reduce traffic between the gateway and destination server, and
>>>> reduce load on both.
>>>>
>>>> 2. To allow the gateway server to correctly handle mail
>>>> acceptance/rejection when the destination server is unreachable.
>>>
>>> If the cache is good enough for 2) then it makes no sense to
>>> skip the cache for 1).
>>
>> It would if even the short lag for cached failures (or, for that matter,
>> cached successes) to expire is unacceptable. A typical example might be
>
> If the cache is NOT good enough for 1) then it is NOT good enough
> for 2), either.

It would be under the scenario that I described.

> Therefore do NOT use the cache.

That's the workaround, yes. But it's not the ideal!

Mark


Order (preference) of postscreen processing

2009-12-15 Thread Len Conrad

To speed up postscreen, is there any advantage in, eg, harvesting high-volume 
pregreet or dnsbl IPs into a blacklist that would be more efficient than 
pregreet or dnsbl dropping?

Len



Re: Authenticated SMTP problem

2009-12-15 Thread Walter Breno
In fact the problem is not on postfix, I'm using mailscanner and I set
header_checks = regexp:/etc/postfix/header_checks and the content of the
file is: /^Received:/ HOLD, when I comment the line on main.cf the mails are
sent correctly.


Re: ps_dict_put: /var/lib/postfix/ps_cache.db update took X ms

2009-12-15 Thread Stefan Foerster
* Wietse Venema :
> Stefan Foerster:
> > Is it 100ms? I got exactly 882 messages like
> > 
> > postscreen[5486]: warning: ps_dict_put: /var/lib/postfix/ps_cache.db update 
> > took 108 ms
> > 
> > with values ranging from 101 to 147 within the last 24 hours on a
> > moderately busy system.
> 
> You can stop the logging with "helpful_warnings = no".  In the last
> version I added database delay logging, because someone was using
> postscreen on top of MySQL, with rather disastrous consequences.
> 
> I can test postscreen in the lab, or on tiny systems, but there is
> only one way to find out how postscreen works in the real world.
> > That is by having people use it. So you are collecting the data
> for me.

That's perfectly fine for me. If you need more data (e.g. update time
in correlation to DB size, distribution of wait times), please don't
hesitate to ask.

> I could make the delay analysis more sophisticated and log delay
> statistics every 10 minutes, with max/min/average/stddev, and
> without sounding an alarm.

I don't know about other users' opinion, but personally I don't think
those data would be too interesting. With "real" databases, one can
gather performance data at the database level.

If OTOH, the database type used for the postscreen database is known
to deteriorate performance-wise if its size exceeds a certain
threshold (be it entries or bytes), then a warning would be most
welcome if that threshold is exceeded.

> > Probably unrelated: When does postscreen(8) clean up its database?
> > Periodically? Every X connections? Never? What database sizes are to
> > be expected?
> 
> The "delete old records" thread is not yet implemented. I suggest
> that you rotate the cache file each Saturday night and do "postfix
> reload" (the temporary whitelist entries are good for 24 hours
> only, so deleting the file at a non-peak time has little impact).

Can I simply truncate the file as in

sh# > /var/lib/postfix/ps_cache.db 

before reloading Postfix? If done correctly, what other impact besides
possibly delaying clients previously known as "good" are to be
expected?


Stefan


Re: ps_dict_put: /var/lib/postfix/ps_cache.db update took X ms

2009-12-15 Thread Wietse Venema
Stefan Foerster:
> > > Probably unrelated: When does postscreen(8) clean up its database?
> > > Periodically? Every X connections? Never? What database sizes are to
> > > be expected?
> > 
> > The "delete old records" thread is not yet implemented. I suggest
> > that you rotate the cache file each Saturday night and do "postfix
> > reload" (the temporary whitelist entries are good for 24 hours
> > only, so deleting the file at a non-peak time has little impact).
> 
> Can I simply truncate the file as in
> 
> sh# > /var/lib/postfix/ps_cache.db 
> 
> before reloading Postfix? If done correctly, what other impact besides

Absolutely not, that would completely f..k over the running postscreen
process. When I say rotate I mean change the file name not clobber it.

Wietse


> possibly delaying clients previously known as "good" are to be
> expected?
> 
> 
> Stefan
> 
> 



Re: Order (preference) of postscreen processing

2009-12-15 Thread Wietse Venema
Len Conrad:
> 
> To speed up postscreen, is there any advantage in, eg, harvesting
> high-volume pregreet or dnsbl IPs into a blacklist that would be
> more efficient than pregreet or dnsbl dropping?

High-volume pregreet - yes, as long as you use a fast database.

High-volume DNSBL - maybe. The DNS server already does caching.

Future postscreen options could be to move "bad" clients to a
temporary blacklist that is queried by postscreen itself or
perhaps by a kernel-based packet filter.

Wietse


Re: How did this happen??

2009-12-15 Thread Russell Horn
On Tue, Dec 15, 2009 at 11:23 AM,   wrote:
> Did this email really originate from my server?
>

Do you own or control the IP referenced? 117.206.44.183 would appear
to be in India.

> How did it get sent?

By email.

>
> Has an account been compromised or is Postfix improperly configured?

Possibly. Probably not.
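
Following the queue IDs through a log like the one in the original post shows where each message entered the system and why a content-filtered message appears to come from localhost. This is an added example, not code from the thread: the log lines are constructed from the post's excerpt with placeholder addresses, plus one constructed remote delivery, and the function names are hypothetical.

```python
import re

# "... postfix/smtp[27348]: C52F07D05: to=<...>, relay=..., status=sent (...)"
LINE_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
# A delivery that ended in a new queue entry ("queued as" / "forwarded as").
HANDOFF_RE = re.compile(
    r"relay=([^,]+),.*status=sent \(.*?(?:queued|forwarded) as ([0-9A-F]{6,})\)$"
)

# Constructed sample, modelled on the mail log in the post. The last line is
# a constructed delivery to a remote host whose reply happens to contain a
# queue ID that also exists locally.
SAMPLE_LOG = """\
Dec 15 00:30:50 server postfix/pickup[25415]: C52F07D05: uid=0 from=<root>
Dec 15 00:30:50 server postfix/qmgr[2816]: C52F07D05: from=<root@example.com>, size=3851, nrcpt=1 (queue active)
Dec 15 00:30:51 server postfix/smtpd[27351]: connect from localhost[127.0.0.1]
Dec 15 00:30:51 server postfix/smtpd[27351]: 467977D04: client=localhost[127.0.0.1]
Dec 15 00:30:51 server postfix/local[27352]: 467977D04: to=<root@example.com>, relay=local, delay=0.01, delays=0.01/0.01/0/0, dsn=2.0.0, status=sent (forwarded as 4928C7D0C)
Dec 15 00:30:51 server postfix/smtp[27348]: C52F07D05: to=<root@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.51, delays=0.02/0/0/0.49, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=24334-14, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 467977D04)
Dec 15 00:30:51 server postfix/pipe[27353]: 4928C7D0C: to=<user@example.com>, orig_to=<root@example.com>, relay=dovecot, delay=0.01, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 15 00:31:03 server postfix/smtpd[27317]: 946B27D04: client=unknown[117.206.44.183]
Dec 15 00:31:09 server postfix/smtp[27360]: B1C2D3E4F: to=<someone@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 467977D04)
"""


def parse(log_text):
    """Return (origin, parent): how each queue ID entered, and which local
    queue ID it was re-injected from, if any."""
    origin, parent = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            origin[qid] = "smtp client " + rest[len("client="):].split(",")[0]
        elif daemon == "pickup" and rest.startswith("uid="):
            origin[qid] = "local submission, uid " + rest[len("uid="):].split()[0]
        else:
            h = HANDOFF_RE.search(rest)
            # A "queued as" ID is only a local queue ID when the relay was
            # this host (local delivery or a loopback content filter). After
            # a remote delivery it names an entry in someone else's queue.
            if h and (h.group(1) == "local" or "[127.0.0.1]" in h.group(1)):
                parent[h.group(2)] = qid
    return origin, parent


def trace(qid, origin, parent):
    """Walk back from qid to the first local queue ID of the same message.
    Returns (chain oldest-first, description of how the message entered)."""
    chain, seen = [qid], {qid}
    while chain[-1] in parent and parent[chain[-1]] not in seen:
        chain.append(parent[chain[-1]])
        seen.add(chain[-1])
    chain.reverse()
    return chain, origin.get(chain[0], "unknown (entry not in this log)")


if __name__ == "__main__":
    origin, parent = parse(SAMPLE_LOG)
    for qid in ("4928C7D0C", "946B27D04"):
        chain, entry = trace(qid, origin, parent)
        print(" -> ".join(chain), "| entered via", entry)
```

The intermediate entry 467977D04 is logged with client=localhost[127.0.0.1] only because the content filter re-injected it; the entry point is the first queue ID in the chain.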


Re: Authenticated SMTP problem

2009-12-15 Thread Jerry
On Tue, 15 Dec 2009 15:21:53 -0300
Walter Breno  replied:

>In fact the problem is not on postfix, I'm using mailscanner and I set
>header_checks = regexp:/etc/postfix/header_checks and the content of
>the file is: /^Received:/ HOLD, when I comment the line on main.cf the
>mails are sent correctly.

One more reason not to use Mailscanner.


--  
Jerry
postfix.u...@yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

An intellectual is someone whose mind watches itself.


Albert Camus



Re: Authenticated SMTP problem

2009-12-15 Thread Walter Breno
And what do you recommend to use? proc mail? I'm testing the best set of
tools for my mail server and accepting suggestions, I'm using spamassassin
and clamav here, I'm sorry I know that is off topic but with a good set of
tools the mail server will have best performance.
Thanks for help


Re: Authenticated SMTP problem

2009-12-15 Thread Patrick Ben Koetter
* Walter Breno :
> and what do you recommend to use? proc mail? i'm testing the best set of

Best practise on the Postfix mailing list is to use only anti-spam tools that
do not interfere with Postfix internals e.g. the queue mechanisms etc.

> tools for my mail server and accepting suggestions, I'm using spamassassin
> and clamav here, I'm sorry I know that is off topic but with a good set of
> tools the mail server will have best performance.

The best is to run a customized set of smtpd_MUMBLE_restrictions. These help you
keep away unwanted messages BEFORE they enter the mail system.

This way your mail system will only accept wanted messages or such that
couldn't be identified as spam. These you can detect using spamassassin and
clamav.

You can either implement both either using the Postfix Sendmail Milter
interface or pre|post queue with amavisd-new.

I personally recommend using amavisd-new, a content policy framework, if you
need to run individualized rulesets for different domains served by your mail
machine.

Vice versa if you only serve one domain or two, you can use the
beforementioned Milters.

Maybe, if you describe your goals into greater detail, we can give you more
precise advice.

p...@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: Authenticated SMTP problem

2009-12-15 Thread Walter Breno
Thanks for the answers, I'm testing the implementation of a modest server, I
have only 15xx accounts near 2000, it's only one domain, I have a
centralized OpenLDAP server where my mail authenticates, I'm using
cyrus-sasl, using submission port to send emails and 25 port to receive
mail, set smtpd_client_restrictions to require that server sending mail to
my users to have reverse address on dns server, and on submission port
require sasl authentications between others restrictions to improve some
security and minimize SPAM, my problem starts when I set header_checks to
hold messages for clamav scan, so my mail server stop to send messages, I'll
modify the regexp to hold only incoming messages that doesn't go to my own
users.
Later I'll search about amavisd-new.
Thanks again and I accept all suggestions


Re: Authenticated SMTP problem

2009-12-15 Thread Brian Evans - Postfix List
On 12/15/2009 4:03 PM, Walter Breno wrote:
>
> Thanks for the answers, I'm testing the implementation of a modest
> server, I have only 15xx accounts near 2000, it's only one domain, I
> have a centralized OpenLDAP server where my mail authenticates, I'm
> using cyrus-sasl, using submission port to send emails and 25 port to
> receive mail, set smtpd_client_restrictions to require that server
> sending mail to my users to have reverse address on dns server, and on
> submission port require sasl authentications between others
> restrictions to improve some security and minimize SPAM, my problem
> starts when I set header_checks to hold messages for clamav scan, so
> my mail server stop to send messages, I'll modify the regexp to hold
> only incoming messages that doesn't go to my own users.
> Later I'll search about amavisd-new.
> Thanks again and I accept all suggestions

What we are trying to say is that "Holding for scan" using the Hold
queue is not supported.
The supported methods are milters and pre/post-queue filters

amavisd-new is an example that can fit into all 3 categories with the
post-queue as the most popular.
amavisd-milter is a separate project that continues the work of the
amavis milter which is part of amavisd-new
clamav-milter is an example of a milter for antivirus only.
milter-spamd is an example of a milter for SpamAssassin scanning only.

These are only examples. Most milters work with Postfix, but always test
before deploying.

IMO, The "best way" on a low volume site is to use milter interface to
allow rejects at SMTP end-of-data time.


Re: Authenticated SMTP problem

2009-12-15 Thread Patrick Ben Koetter
* Walter Breno :
> Thanks for the answers, I'm testing the implementation of a modest server, I
> have only 15xx accounts near 2000, it's only one domain, I have a
> centralized OpenLDAP server where my mail authenticates, I'm using
> cyrus-sasl, using submission port to send emails and 25 port to receive
> mail, set smtpd_client_restrictions to require that server sending mail to
> my users to have reverse address on dns server, and on submission port
> require sasl authentications between others restrictions to improve some
> security and minimize SPAM, my problem starts when I set header_checks to
> hold messages for clamav scan, so my mail server stop to send messages, I'll

Don't use HOLD to filter out virus messages. Either REJECT them in session
using clamav-milter or amavisd-new or throw them away in post-queue mode. I
personally recommend running amavisd-new in pre-queue mode. A 1.500 account
machine should be able to handle that.


> modify the regexp to hold only incoming messages that doesn't go to my own
> users.
> Later I'll search about amavisd-new.

Amavisd-new can query a LDAP server for individual recipient settings. A
schema comes with the software.

p...@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: forward mail with a local copy

2009-12-15 Thread mouss
nunatarsuaq wrote:
> /etc/aliases:
> 
> local_user:local_user, other_u...@domain
> 

please do not top post. google if you don't see what this means.

anyway, reread OP and focus on "with the same envelope recipient addr".

the bcc options are the easiest way to do what he wants with stock
postfix functionality.

> 
> --
> ToMasz
> 
> 2009/12/12 mouss :
>> K K wrote:
>>> Hi all,
>>>
>>>
>>> I would like to forward all mail as they come(with the same envelope
>>> recipient addr.)
>>>  - it is not problem to do it with transport_map, for example:
>>> domain.tld    smtp:remoteserver
>>>
>>> BUT i would like to keep a local copy too.(for all addresses)
>>> I mean, i have 2 almost identical postfix servers and i need to
>>> store mails on both servers.
>>> Any ideas how to achieve this ?
>>>
>> try one of the bcc options.
>>
> 
> 
> 



One domain report e-mails not getting through

2009-12-15 Thread The Doctor
People are sending to a name domain and yet most of their suppliers
are getting bouncing stating error in domain.

I check the DNS record and the MX is correct.

The virtual and the main.cf files are also correct.

Where else should I look?
-- 
Member - Liberal International  This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist 
rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
Merry Christmas 2009 and Happy New Year 2010


Re: One domain report e-mails not getting through

2009-12-15 Thread Sahil Tandon
On Tue, 15 Dec 2009, The Doctor wrote:

> People are sending to a name domain and yet most of their suppliers
> are getting bouncing stating error in domain.

This makes no sense; show some logs that correspond to the 'problem' you
are trying to solve.

> I check the DNS record and the MX is correct.

Let us decide.

> The virtual and the main.cf files are also correct.

Paste 'postconf -n' and follow the various other guidelines outlined in
DEBUG_README.

> Where else should I look?

DEBUG_README.

-- 
Sahil Tandon