Re: No SMTP AUTH when TLS enabled

2010-01-03 Thread Patrick Ben Koetter
* froinds J :
> What should I use keylength and digest when creating both the CA cert and
> the smtpd cert?

That's an invitation for long discussions...

In Germany, the federal institution "BSI" (administration for security),
recommends 4096 Bit for CA certificates and > 2048 for server certificates.

For ciphers I can't say which is 'the best'. If you plan to use mobiles (cell
phone etc.) a lot you might want to use ECC certificates. They provide the
same security level as the others at a shorter key length, which makes it
easier and faster for weak processors (cell phone) to use them.

> Should I leave the passwords blank?

Create them with and remove the passwords when you export the certificates.
Why? The server (Postfix smtpd) can't type it when it needs to be unlocked
for usage. ;)

p...@rick





> Thanks
> 
> On Sat, Jan 2, 2010 at 6:04 PM, Patrick Ben Koetter 
> wrote:
> 
> > * froinds J :
> > > Ah you so were right.
> > > I set up postfix to use the certs that cyrus-imapd creates by default and
> > > everything works now.
> > > What's weird is that cyrus-imapd was using the same certs postfix was using
> > > and it didn't complain. I was able to receive email when I turned off TLS
> > > for postfix.
> > > So I guess the problem is that I'm not creating good self-signed
> > > certificates. I've done this more than 20 times following every source on
> > > the internet including the guides in postfix.org. My certs have always
> > > worked with cyrus-imapd and apache, but I always run into trouble with
> > > postfix.
> > >
> > > Can you provide a set of instructions to follow?
> >
> > You can use TinyCA to setup a CA and the required
> > certificates. Then configure Postfix. When you're done, send "postconf -n"
> > output and we will have a look at the config.
> >
> > p...@rick
> >
> >
> >
> >
> > >
> > > Thanks so much.
> > >
> > >
> > >
> > > On Sat, Jan 2, 2010 at 4:02 PM, Patrick Ben Koetter  > >wrote:
> > >
> > > > * froinds J :
> > > > > Oops! I forgot to check SSL.
> > > > > My client now seems to start a TLS session and still nothing. Here is the
> > > > > log with the SSL error.
> > > >
> > > > TLS log. My favourite waste of time. Everything is laid out so clear... :/
> > > >
> > > > There are two lines in your log that make me think (think, not know!) that
> > > > your client doesn't like the server certificate. Read below.
> > > >
> > > >
> >
> > --
> > All technical questions asked privately will be automatically answered on the
> > list and archived for public access unless privacy is explicitly required and
> > justified.
> >
> > saslfinger (debugging SMTP AUTH):
> > 
> >

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: How to ensure that either FROM or TO is local

2010-01-03 Thread Barney Desmond
Questions similar to yours come up fairly often, I'm not sure why
no one's jumped in yet with a rough solution that will do what you
want. What you've mentioned you want:

> How do I ensure that my mail server can only send mails either to or
> from mydomains?

Consider that there are three situations you want to worry about:
1. Postfix receiving a mail for final delivery as the destination
(local delivery)
2. Postfix receiving a mail for delivery to "somewhere else" on the
internet (relaying)
3. Postfix receiving a mail submitted locally, destined for "somewhere
else" on the internet (this is a special case of (2) because "local"
is usually privileged)

* Assume we ignore (2) because Postfix will not act as an anonymous
relay by default.
* Postfix will only accept mail for local domains, so (1) works as you
expect. Accepting mail for remote domains would be considered relaying
* Postfix (by default) *will* accept mail and relay it to remote
domains, if the client is local. That covers case (3)

I *think* the short, correct answer is to use a policy server:
http://www.postfix.org/SMTPD_POLICY_README.html

Another alternative may be restriction classes, but that can get a bit
messy. I personally wouldn't trust myself to get this right, so I have
no examples of my own to offer.
http://www.postfix.org/RESTRICTION_CLASS_README.html


> When I add the following to main.cf, this should perform the check, so
> only people I know are allowed to send through postfix and they can
> send anywhere. This should also prevent anyone to send mail from an
> address that isn't one of mine.
>
> smtpd_reject_unlisted_recipient = no
> smtpd_reject_unlisted_sender = yes
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
> smtpd_sender_restrictions =

I've not used the smtpd_reject_unlisted_* options before myself, but I
suspect that won't work as you expect.

> Unfortunately, it does not work.

When you report that something doesn't work, it's best to provide log
entries that support what you're saying. Basically, it's most helpful
if you:
1. Describe what you expected to happen
2. Describe what you saw actually happened.
3. Show the log entries so we can see what happened.

> The output of postconf -n


> mydestination =
This is likely to be wrong. I can see you're using virtual mailboxes,
but not having any local domains at all is odd.

> mynetworks = 0.0.0.0
This is *definitely* very wrong! smtpd_recipient_restrictions will
allow ANY client in mynetworks to relay mail to any destination. I
don't know if using smtpd_reject_unlisted_sender would prevent
anything going wrong here, but this is likely to make you an open
relay.


Re: master.cf - integrating Postfix with DKIM proxy

2010-01-03 Thread Stefan Foerster
* Michael :
> In reference to the following page:
> http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
> 
> it includes the following:
> submission  inet  n -   n   -   -   smtpd
>   -o smtpd_etrn_restrictions=reject
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=dksign:[127.0.0.1]:10027
>   -o receive_override_options=no_address_mappings
>   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> 
> 
> however I do not send emails from my desktop using port 587, I use port 25 as 
> standard.
> 
> How could I include the line "-o content_filter=dksign:[127.0.0.1]:10027" in a
> manner where only OUTBOUND emails only are passed through DKIM proxy, and not 
> incoming emails? Yes, I am well aware that SMTP does not draw a distinction 
> between the 2, but I am thinking there must be a way, or do I have to send 
> emails via a port other than 25 to achieve this?

I am using amavisd-new for DKIM signing (I was using it anyways, so I
saw no potential gain in including another piece of software, e.g.
dkimproxy, into the toolchain). Using a custom package, one can match
for a header line which states that the mail was received by one's own
MTA using SMTP AUTH (RFC 3848). So the first step is to define a new
policy bank in amavisd-new:

#v+
$policy_bank{'MINI-SUBMISSION'} = {
    originating => 1,
};
#v-

Then add a custom script loading this policy bank (this example will
match "mail.incertum.net". Code base contributed by Alexander Wirt,
bad PCRE is my fault, not his):

#v+
package Amavis::Custom;
use strict;

BEGIN {
    import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
    import Amavis::Util qw(do_log untaint safe_encode safe_decode);
    import Amavis::rfc2821_2822_Tools;
    import Amavis::Notify qw(build_mime_entity);
}

sub new {
    my($class,$conn,$msginfo) = @_;
    my($self) = bless {}, $class;

    my $sasl_owned = 0;

    foreach my $line (@{$msginfo->{'orig_header'}}) {
        $line =~ s/\n\t/ /g;    # unfold continuation lines
        # Received: line written by our own MTA for an authenticated
        # session (RFC 3848 "with ESMTPA" / "with ESMTPSA")
        $sasl_owned = 1
            if $line =~ m/^Received:.*by mail\.incertum\.net.*with ESMTP(S)?A.*/i;
    }

    if ($sasl_owned) {
        do_log(2, sprintf("Load SASL policy bank"));
        Amavis::load_policy_bank('MINI-SUBMISSION');
    }

    return $self;
}

1;  # insure a defined return
#v-

This way, offering AUTH on the port 25, one could offer "MX and
submission services" within one Postfix instance.

I _think_ (and I'm really not 100% sure if this would work) another
possibility would be to use a feature introduced with Postfix 2.7,
namely sender_dependent_default_transport_maps. You could define a
transport which passes all mail to the DKIM proxy. The proxy itself
would have to reinject the mails to a dedicated smtpd(8) clone,
defined in master.cf, with an empty sender_dependent_default_transport_maps
(or at least one which doesn't include the entry for your DKIM proxy).
Then populate the map referenced in sender_dependent_default_transport_maps
with all your domains you want to sign. As I said, this might be a bad
idea.

> On this topic has anyone found a good DKIM signing solution that will work 
> with multiple domains?

I don't understand that question. You can only sign domains for which
you have the private key.


Stefan


Re: master.cf - integrating Postfix with DKIM proxy

2010-01-03 Thread Stefan Foerster
* Stefan Foerster :
> I _think_ (and I'm really not 100% sure if this would work) another
> possibility would be to use a feature introduced with Postfix 2.7,
> namely sender_dependent_default_transport_maps. You could define a
> transport which passes all mail to the DKIM proxy. The proxy itself
> would have to reinject the mails to a dedicated smtpd(8) clone,
> defined in master.cf, with an empty sender_dependent_default_transport_maps
> (or at least one which doesn't include the entry for your DKIM proxy).
> Then populate the map referenced in sender_dependent_default_transport_maps
> with all your domains you want to sign. As I said, this might be a bad
> idea.

Bad idea. As stated in the release notes,
sender_dependent_default_transport_maps don't support the "nexthop"
feature of a regular transport map entry.
You could try with sender_dependent_relayhost_maps, available as of
Postfix 2.3.


Stefan


Re: How to ensure that either FROM or TO is local

2010-01-03 Thread Serge Fonville
Thx for the reply

> Questions similar to yours come up fairly often, I'm not sure why
> no one's jumped in yet with a rough solution that will do what you
> want. What you've mentioned you want:
>
>> How do I ensure that my mail server can only send mails either to or
>> from mydomains?
>
> I *think* the short, correct answer is to use a policy server:
> http://www.postfix.org/SMTPD_POLICY_README.html
I will look into those then

>> When I add the following to main.cf, this should perform the check, so
>> only people I know are allowed to send through postfix and they can
>> send anywhere. This should also prevent anyone to send mail from an
>> address that isn't one of mine.
>>
>> smtpd_reject_unlisted_recipient = no
>> smtpd_reject_unlisted_sender = yes
>> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
>> smtpd_sender_restrictions =
>> Unfortunately, it does not work.
>
> When you report that something doesn't work, it's best to provide log
> entries that support what you're saying. Basically, it's most helpful
> if you:
> 1. Describe what you expected to happen
> 2. Describe what you saw actually happened.
> 3. Show the log entries so we can see what happened.
With the current configuration I'd expect some sort of 'denied'
message for MAIL FROM: when it is not in mydomains
instead I get '250 2.1.0 Ok' when specifying a MAIL FROM that is not
in mydomains

For example:
Config:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination =
myhostname = server01.fonville-it.nl
mynetworks = 0.0.0.0
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions =
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_mailbox_domains = mail.fonville-it.nl, fonville-it.nl
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox-maps.cf
virtual_transport = zarafa

Telnet session;
220 server01.fonville-it.nl ESMTP Postfix (Ubuntu)
ehlo fonville-it.nl
250-server01.fonville-it.nl
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: 
250 2.1.0 Ok
RCPT TO: 
250 2.1.5 Ok
RSET
250 2.0.0 Ok
MAIL FROM: 
250 2.1.0 Ok
RCPT TO: 
554 5.7.1 <: Relay access denied
QUIT
221 2.0.0 Bye

Log:
Jan  3 14:36:10 server01 postfix/smtpd[9110]: connect from localhost[127.0.0.1]
Jan  3 14:36:38 server01 postfix/smtpd[9110]: DF06F5302F: client=localhost[127.0.0.1]
Jan  3 14:37:08 server01 postfix/smtpd[9110]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Jan  3 14:37:13 server01 postfix/smtpd[9110]: disconnect from localhost[127.0.0.1]

No particular logging is present, /var/log/mail.log only shows what is
also visible in the telnet session

>> mydestination =
> This is likely to be wrong. I can see you're using virtual mailboxes,
> but not having any local domains at all is odd.
I removed these in the many attempts

>> mynetworks = 0.0.0.0
> This is *definitely* very wrong! smtpd_recipient_restrictions will
> allow ANY client in mynetworks to relay mail to any destination. I
> don't know if using smtpd_reject_unlisted_sender would prevent
> anything going wrong here, but this is likely to make you an open
> relay.
I am aware of open relay, that's why it is no longer internet accessible


Thanks a lot for all the help so far

Regards,

Serge Fonville
-- 
http://www.sergefonville.nl

Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en


Re: master.cf - integrating Postfix with DKIM proxy

2010-01-03 Thread mouss
Michael a écrit :
> In reference to the following page:
> http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
> 
> it includes the following:
> submission  inet  n -   n   -   -   smtpd
>   -o smtpd_etrn_restrictions=reject
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=dksign:[127.0.0.1]:10027
>   -o receive_override_options=no_address_mappings
>   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> 
> 
> however I do not send emails from my desktop using port 587, I use port 25 as 
> standard.
> 
> How could I include the line "-o content_filter=dksign:[127.0.0.1]:10027" in a
> manner where only OUTBOUND emails only are passed through DKIM proxy, and not 
> incoming emails? Yes, I am well aware that SMTP does not draw a distinction 
> between the 2, but I am thinking there must be a way, or do I have to send 
> emails via a port other than 25 to achieve this?
> 

better move to 587, which is the standard submission port.

If you insist (but once again, 587 is simpler and brings other
benefits), you can still use the FILTER statement in an access check:

smtpd_client_restrictions =
    check_client_access pcre:/etc/postfix/filter_trusted
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access pcre:/etc/postfix/filter_default


== filter_trusted
/./ FILTER filter:[127.0.0.1]:10586

== filter_default
/./ FILTER filter:[127.0.0.1]:10024

note that with this, content_filter settings are unused.


> On this topic has anyone found a good DKIM signing solution that will work 
> with multiple domains?

If you are not happy with dkim-proxy, you can try dkim-milter or
amavisd-new.



anti spam measures

2010-01-03 Thread Roman Gelfand
I am running postfix with anti spam filter (policyd-weight, sqlgrey,
grossd, dkim, senderid-milter, dspam) .  With this configuration, I am
down to under 10 spams a day.  Looking at my backend server which is
exchange 2007, I find that all of the remaining spam messages have
spam confidence level of 7 or greater, which implies this is blatant
spam.  Is there spam filter software that works with postfix
that can perform checks similar to that of exchange 2007 spam
confidence level?

Thanks in advance


Re: anti spam measures

2010-01-03 Thread Steve

 Original Message 
> Date: Sun, 3 Jan 2010 10:02:32 -0500
> From: Roman Gelfand 
> To: postfix users list 
> Subject: anti spam measures

> I am running postfix with anti spam filter (policyd-weight, sqlgrey,
> grossd, dkim, senderid-milter, dspam) .  With this configuration, I am
> down to under 10 spams a day.  Looking at my backend server which is
> exchange 2007, I find that all of the remaining spam messages have
> spam confidence level of 7 or greater, which implies this is blatant
> spam.
>
And your current Anti-Spam solution did not tag them as Spam?


> Is there spam filter software software that works with postfix
> that can perform checks similar to that of exchange 2007 spam
> confidence level?
> 
> Thanks in advance



Re: How to ensure that either FROM or TO is local

2010-01-03 Thread Serge Fonville
>> I *think* the short, correct answer is to use a policy server:
>> http://www.postfix.org/SMTPD_POLICY_README.html
> I will look into those then
I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do
not see how I can use this to solve my problem.
Perhaps I am missing something...

Any help is greatly appreciated

Regards,

Serge Fonville



Re: anti spam measures

2010-01-03 Thread Roman Gelfand
On Sun, Jan 3, 2010 at 10:13 AM, Steve  wrote:
>
>  Original Message 
>> Date: Sun, 3 Jan 2010 10:02:32 -0500
>> From: Roman Gelfand 
>> To: postfix users list 
>> Subject: anti spam measures
>
>> I am running postfix with anti spam filter (policyd-weight, sqlgrey,
>> grossd, dkim, senderid-milter, dspam) .  With this configuration, I am
>> down to under 10 spams a day.  Looking at my backend server which is
>> exchange 2007, I find that all of the remaining spam messages have
>> spam confidence level of 7 or greater, which implies this is blatant
>> spam.
>>
> And your current Anti-Spam solution did not tag them as Spam?
>
No.  Since, I posted this message, I saw your discussion about s25r.
I am trying it now.  My first impression is that it is making a dent.
You were, at one point, trying out geoip patched policyd-weight where
you added points to a total score based on distance between servers.
If so, would you mind sharing the patched script along with
configuration file?

>
>> Is there spam filter software software that works with postfix
>> that can perform checks similar to that of exchange 2007 spam
>> confidence level?
>>
>> Thanks in advance
>
>

Thanks again


Re: How to ensure that either FROM or TO is local

2010-01-03 Thread Wietse Venema
Serge Fonville:
> >> I *think* the short, correct answer is to use a policy server:
> >> http://www.postfix.org/SMTPD_POLICY_README.html
> > I will look into those then
> I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do
> not see how I can use this to solve my problem.
> Perhaps I am missing something...
> 
> Any help is greatly appreciated

The policy server can reject mail from a remote network with a
local sender address.

Isn't that what you want?

As an added bonus, it can also reject mail from a local network
with a remote sender address. This can help to stop outbound spam
from zombie-infested PCs.

Wietse
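
The check described in this reply, written out as a small policy delegate (an added example, not code from the thread or from the Postfix distribution). LOCAL_DOMAINS is taken from the virtual_mailbox_domains value posted earlier in the thread; LOCAL_NETWORKS and all function names are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Postfix policy delegate: the sender domain must fit where the client is.

Added example. Speaks the name=value protocol from SMTPD_POLICY_README:
each request is a block of attribute lines ended by an empty line, and
each reply is a single "action=..." line followed by an empty line.
"""
import ipaddress
import sys

# From virtual_mailbox_domains in the "postconf -n" output posted in the thread.
LOCAL_DOMAINS = {"fonville-it.nl", "mail.fonville-it.nl"}
# Assumption: loopback plus one internal LAN (documentation range as placeholder).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def parse_request(lines):
    """Turn the name=value lines of one request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\r\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs


def domain_of(address):
    """Lower-cased domain part; '' for the null sender or a bare local part."""
    _local, at, domain = address.rpartition("@")
    return domain.lower().rstrip(".") if at else ""


def is_local_client(client_address):
    """True if the connecting IP address lies in one of LOCAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        return False  # missing or malformed address is never trusted
    return any(ip in net for net in LOCAL_NETWORKS)


def decide(attrs):
    """Return the access(5) action for one parsed policy request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "")
    if not sender:
        return "DUNNO"  # null sender: bounces and DSNs must stay deliverable
    sender_is_local = domain_of(sender) in LOCAL_DOMAINS
    client_is_local = is_local_client(attrs.get("client_address", ""))
    authenticated = bool(attrs.get("sasl_username"))
    # Remote network claiming one of our sender addresses.
    if sender_is_local and not (client_is_local or authenticated):
        return "REJECT local sender address not allowed from remote client"
    # Local network sending with a foreign sender address.
    if client_is_local and not sender_is_local:
        return "REJECT sender address must be in a local domain"
    return "DUNNO"  # no opinion: later restrictions decide


def serve(stream_in, stream_out):
    """Answer requests until the peer closes the connection."""
    request = []
    for line in stream_in:
        if line.strip():
            request.append(line)
            continue
        stream_out.write("action=%s\n\n" % decide(parse_request(request)))
        stream_out.flush()
        request = []


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Postfix would run this through a spawn(8) service and consult it with check_policy_service, as SMTPD_POLICY_README describes. A DUNNO reply leaves the decision to the restrictions listed after it, so reject_unauth_destination still has to follow.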


Re: How to ensure that either FROM or TO is local

2010-01-03 Thread Serge Fonville
Wietse,

Thx for the reply

> The policy server can reject mail from a remote network with a
> local sender address.
>
> Isn't that what you want?
>
> As an added bonus, it can also reject mail from a local network
> with a remote sender address. This can help to stop outbound spam
> from zombie-infested PCs.

Yes exactly.

I read into the page again and it seems to be suitable for my purpose.
Unfortunately it also seems to mean I have to write my own policy server..
At least I have a starting point from now on.

Thanks a lot for the help!

Regards,

Serge Fonville






3000 recipients

2010-01-03 Thread richard lucassen
Hello list,

I want to send once a week a simple mail to a list of 3000 recipients. I
can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to
higher limits, but is there a better way to handle this?

R.

-- 
___
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+--+
| Richard Lucassen, Utrecht|
| Public key and email address:|
| http://www.lucassen.org/mail-pubkey.html |
+--+


Re: 3000 recipients

2010-01-03 Thread Patrick Ben Koetter
* richard lucassen :
> I want to send once a week a simple mail to a list of 3000 recipients. I
> can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to
> higher limits, but is there a better way to handle this?

Choose a client/write a script that breaks the list of 3.000 recipients down
to batches of 50 recipients. IIRC that's the maximum (RFC) number of
recipients any SMTP server must accept.

p...@rick



Re: 3000 recipients

2010-01-03 Thread Mark Goodge

richard lucassen wrote:

> Hello list,
>
> I want to send once a week a simple mail to a list of 3000 recipients. I
> can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to
> higher limits, but is there a better way to handle this?


Yes. Install a proper mailing list management system, such as Mailman or 
majordomo. 3000 recipients is waaay too many to do in a single shot 
using Bcc.


Mark


Re: anti spam measures

2010-01-03 Thread Kenneth Marshall
On Sun, Jan 03, 2010 at 10:02:32AM -0500, Roman Gelfand wrote:
> I am running postfix with anti spam filter (policyd-weight, sqlgrey,
> grossd, dkim, senderid-milter, dspam) .  With this configuration, I am
> down to under 10 spams a day.  Looking at my backend server which is
> exchange 2007, I find that all of the remaining spam messages have
> spam confidence level of 7 or greater, which implies this is blatant
> spam.  Is there spam filter software software that works with postfix
> that can perform checks similar to that of exchange 2007 spam
> confidence level?
> 
> Thanks in advance
> 
Hi Roman,

To truly check how the Exchange 2007 spam confidence level works,
try passing all of the mail from postfix to the Exchange server. I
would be almost certain that more than 10 messages will make it
through a day. If not, then just use the Exchange processing and
you are done. If you do try the test, I would be interested in
the results so please post them.

Regards,
Ken


Re: 3000 recipients

2010-01-03 Thread richard lucassen
On Sun, 3 Jan 2010 20:50:21 +0100
Patrick Ben Koetter  wrote:

> * richard lucassen :
> > I want to send once a week a simple mail to a list of 3000
> > recipients. I can set smtpd_recipient_limit and
> > smtpd_recipient_overshoot_limit to higher limits, but is there a
> > better way to handle this?
> 
> Choose a client/write a script that breaks the list of 3.000
> recipients down to batches of 50 recipients. IIRC that's the maximum
> (RFC) number of recipients any SMTP server must accept.

That was the first solution that I thought of, but before reinventing
the wheel, I was wondering if someone else had already invented this
wheel :)

Btw: the default settings of smtpd_recipient_limit and
smtpd_recipient_overshoot_limit are as high as 1000. 

R.



Re: 3000 recipients

2010-01-03 Thread Mark Goodge

richard lucassen wrote:

> On Sun, 03 Jan 2010 19:57:41 +
> Mark Goodge  wrote:
>
>>> I want to send once a week a simple mail to a list of 3000
>>> recipients. I can set smtpd_recipient_limit and
>>> smtpd_recipient_overshoot_limit to higher limits, but is there a
>>> better way to handle this?
>>
>> Yes. Install a proper mailing list management system, such as Mailman
>> or  majordomo. 3000 recipients is waaay too many to do in a single
>> shot  using Bcc.
>
> Ok, but a mlm is quite some overkill IMHO, just wondering if there was
> an intermediate solution. This is for a blind person who handles the
> "mailinglist" himself, so solutions are rather limited.
>
> But anyway, I can always write a small shell script that does the job.
> Should not be a very big problem.


Your biggest problem, with that number of recipients, is handling 
bounces and unsubscriptions. Splitting the recipients into chunks is 
easy enough, but dealing with all the invalid and/or expired addresses 
is what makes it more complex. And if you don't handle them correctly, 
then you're getting into dangerous territory - that's where legitimate 
lists start being treated as spam, especially if any of the recipients 
have addresses with the major webmail operators such as Hotmail and Yahoo.


Most decent MLMs allow you to import subscribers from a simple text 
list, so from a user point of view it's no harder (and often easier) 
than maintaining it in the addressbook of an email client for Bcc 
purposes. It's more complex for the administrator, but if you're 
competent enough to administer Postfix then it's hardly likely to be a 
problem for you!


Mark


Re: 3000 recipients

2010-01-03 Thread Kenneth Marshall
On Sun, Jan 03, 2010 at 09:14:03PM +0100, richard lucassen wrote:
> On Sun, 03 Jan 2010 19:57:41 +
> Mark Goodge  wrote:
> 
> > > I want to send once a week a simple mail to a list of 3000
> > > recipients. I can set smtpd_recipient_limit and
> > > smtpd_recipient_overshoot_limit to higher limits, but is there a
> > > better way to handle this?
> > 
> > Yes. Install a proper mailing list management system, such as Mailman
> > or  majordomo. 3000 recipients is waaay too many to do in a single
> > shot  using Bcc.
> 
> Ok, but a mlm is quite some overkill IMHO, just wondering if there was
> an intermediate solution. This is for a blind person who handles the
> "mailinglist" himself, so solutions are rather limited.
> 
> But anyway, I can always write a small shell script that does the job.
> Should not be a very big problem.
> 
> R.
> 

What about using an aliases entry to read the addresses from a file:

mylist: :include:/file/name
mylist-owner:   listowner

Then the user just needs permission to update the file and mail
to mylist will be broken out to the addresses in /file/name.

Regards,
Ken


Re: 3000 recipients

2010-01-03 Thread Kenneth Marshall
On Sun, Jan 03, 2010 at 08:23:50PM +, Mark Goodge wrote:
> richard lucassen wrote:
>> On Sun, 03 Jan 2010 19:57:41 +
>> Mark Goodge  wrote:
>>>> I want to send once a week a simple mail to a list of 3000
>>>> recipients. I can set smtpd_recipient_limit and
>>>> smtpd_recipient_overshoot_limit to higher limits, but is there a
>>>> better way to handle this?
>
>>> Yes. Install a proper mailing list management system, such as Mailman
>>> or  majordomo. 3000 recipients is waaay too many to do in a single
>>> shot  using Bcc.
>> Ok, but a mlm is quite some overkill IMHO, just wondering if there was
>> an intermediate solution. This is for a blind person who handles the
>> "mailinglist" himself, so solutions are rather limited.
>> But anyway, I can always write a small shell script that does the job.
>> Should not be a very big problem.
>
> Your biggest problem, with that number of recipients, is handling bounces 
> and unsubscriptions. Splitting the recipients into chunks is easy enough, 
> but dealing with all the invalid and/or expired addresses is what makes it 
> more complex. And if you don't handle them correctly, then you're getting 
> into dangerous territory - that's where legitimate lists start being 
> treated as spam, especially if any of the recipients have addresses with 
> the major webmail operators such as Hotmail and Yahoo.
>
> Most decent MLMs allow you to import subscribers from a simple text list, 
> so from a user point of view it's no harder (and often easier) than 
> maintaining it in the addressbook of an email client for Bcc purposes. It's 
> more complex for the administrator, but if you're competent enough to 
> administer Postfix then it's hardly likely to be a problem for you!
>
> Mark
>

I will second that using a real MLM is usually a much, much better option
that will allow you to prevent collateral damage to your mail reputation
when there is a delivery problem. For example, when using the aliases
option, you should only allow the one address/user to send mail to the
alias or you open up an avenue for spammers to abuse your system.

Regards,
Ken


Re: anti spam measures

2010-01-03 Thread Steve

 Original Message 
> Date: Sun, 3 Jan 2010 12:50:26 -0500
> From: Roman Gelfand 
> To: Steve 
> CC: postfix-users@postfix.org
> Subject: Re: anti spam measures

> On Sun, Jan 3, 2010 at 10:13 AM, Steve  wrote:
> >
> >  Original Message 
> >> Date: Sun, 3 Jan 2010 10:02:32 -0500
> >> From: Roman Gelfand 
> >> To: postfix users list 
> >> Subject: anti spam measures
> >
> >> I am running postfix with anti spam filter (policyd-weight, sqlgrey,
> >> grossd, dkim, senderid-milter, dspam) .  With this configuration, I am
> >> down to under 10 spams a day.  Looking at my backend server which is
> >> exchange 2007, I find that all of the remaining spam messages have
> >> spam confidence level of 7 or greater, which implies this is blatant
> >> spam.
> >>
> > And your current Anti-Spam solution did not tag them as Spam?
> >
> No.
>
Since DSPAM is the Anti-Spam engine you are using, you should train DSPAM to 
catch those Spam mails.


> Since, I posted this message, I saw your discussion about s25r.
> I am trying it now.  My first impression is that it is making a dent.
>
It's a cheap (in terms of resources) way to block a lot of unwanted mails.


> You were, at one point, trying out geoip patched policyd-weight where
> you added points to a total score based on distance between servers.
>
Yes. I implemented that into policyd-weight after reading about SNARE 
(Spatio-temporal Network-level Automatic Reputation Engine).


> If so, would you mind sharing the patched script along with
> configuration file?
> 
I have no problem sharing this code but to be honest: The discussion does not 
belong here in the Postfix mailing list.


> >
> >> Is there spam filter software software that works with postfix
> >> that can perform checks similar to that of exchange 2007 spam
> >> confidence level?
> >>
> >> Thanks in advance
> >
> >
> 
> Thanks again
>
Please let's move that discussion out of the Postfix mailing list since it 
really does not belong here. Okay?


Re: 3000 recipients

2010-01-03 Thread richard lucassen
On Sun, 03 Jan 2010 19:57:41 +
Mark Goodge  wrote:

> > I want to send once a week a simple mail to a list of 3000
> > recipients. I can set smtpd_recipient_limit and
> > smtpd_recipient_overshoot_limit to higher limits, but is there a
> > better way to handle this?
> 
> Yes. Install a proper mailing list management system, such as Mailman
> or  majordomo. 3000 recipients is waaay too many to do in a single
> shot  using Bcc.

Ok, but a mlm is quite some overkill IMHO, just wondering if there was
an intermediate solution. This is for a blind person who handles the
"mailinglist" himself, so solutions are rather limited.

But anyway, I can always write a small shell script that does the job.
Should not be a very big problem.

R.

-- 
___
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+--+
| Richard Lucassen, Utrecht|
| Public key and email address:|
| http://www.lucassen.org/mail-pubkey.html |
+--+


Re: 3000 recipients

2010-01-03 Thread richard lucassen
On Sun, 3 Jan 2010 14:28:11 -0600
Kenneth Marshall  wrote:

[mlm]

> I will second that using a real MLM is usually a much, much better
> option that will allow you to prevent collateral damage to your mail
> reputation when there is a delivery problem. For example, when using
> the aliases option, you should only allow the one address/user to send
> mail to the alias or you open up an avenue for spammers to abuse your
> system.

Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that
matter. I've only played with ezmlm some 10 years ago when I was using
qmail, but I haven't looked at these mlm's ever since.

Which mlm would you recommend to use for this purpose? I use Debian
Lenny with (of course) Postfix.

R.

-- 
___
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+--+
| Richard Lucassen, Utrecht|
| Public key and email address:|
| http://www.lucassen.org/mail-pubkey.html |
+--+


Re: 3000 recipients

2010-01-03 Thread Mark Goodge

richard lucassen wrote:

> On Sun, 3 Jan 2010 14:28:11 -0600
> Kenneth Marshall  wrote:
>
> [mlm]
>
>> I will second that using a real MLM is usually a much, much better
>> option that will allow you to prevent collateral damage to your mail
>> reputation when there is a delivery problem. For example, when using
>> the aliases option, you should only allow the one address/user to send
>> mail to the alias or you open up an avenue for spammers to abuse your
>> system.
>
> Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that
> matter. I've only played with ezmlm some 10 years ago when I was using
> qmail, but I haven't looked at these mlm's ever since.
>
> Which mlm would you recommend to use for this purpose? I use Debian
> Lenny with (of course) Postfix.


My personal preference is Mailman. I run that on Debian with Postfix, 
and it was pretty simple to install.


Mark


Re: 3000 recipients

2010-01-03 Thread Jose-Marcio Martins da Cruz

richard lucassen wrote:

> On Sun, 3 Jan 2010 14:28:11 -0600
> Kenneth Marshall  wrote:
>
> [mlm]
>
>> I will second that using a real MLM is usually a much, much better
>> option that will allow you to prevent collateral damage to your mail
>> reputation when there is a delivery problem. For example, when using
>> the aliases option, you should only allow the one address/user to send
>> mail to the alias or you open up an avenue for spammers to abuse your
>> system.
>
> Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that
> matter. I've only played with ezmlm some 10 years ago when I was using
> qmail, but I haven't looked at these mlm's ever since.
>
> Which mlm would you recommend to use for this purpose? I use Debian
> Lenny with (of course) Postfix.


Sympa ?

http://www.sympa.org

JM



> R.
>
> --


Re: 3000 recipients

2010-01-03 Thread Patrick Ben Koetter
* richard lucassen :
> On Sun, 3 Jan 2010 14:28:11 -0600
> Kenneth Marshall  wrote:
> 
> [mlm]
> 
> > I will second that using a real MLM is usually a much, much better
> > option that will allow you to prevent collateral damage to your mail
> > reputation when there is a delivery problem. For example, when using
> > the aliases option, you should only allow the one address/user to send
> > mail to the alias or you open up an avenue for spammers to abuse your
> > system.
> 
> Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that
> matter. I've only played with ezmlm some 10 years ago when I was using
> qmail, but I haven't looked at these mlm's ever since.
> 
> Which mlm would you recommend to use for this purpose? I use Debian
> Lenny with (of course) Postfix.

Use mailman and configure mailman to produce alias files for Postfix. Make
Postfix a member of the group "list". Then link the alias file from your 
main.cf.

p...@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: How to ensure that either FROM or TO is local

2010-01-03 Thread /dev/rob0
On Sun, Jan 03, 2010 at 09:58:15PM +1100, Barney Desmond wrote:
> > mynetworks = 0.0.0.0
> This is *definitely* very wrong! smtpd_recipient_restrictions will
> allow ANY client in mynetworks to relay mail to any destination. I

While it was intended, no doubt, to be very wrong, it failed. Lacking
a valid CIDR expression, that only matches the single IPv4 address of
0.0.0.0, which, having special meaning in networking, is unroutable.
A setting of equivalent functionality is "mynetworks =".

The OP would be well advised to review the BASIC_CONFIGURATION_README,
listing in $mynetworks the client networks which should be allowed to
relay.

If the OP does not wish to allow any to relay on the basis of IP
address unless using a "local sender", as the $SUBJECT suggests, the
solution is pretty simple.

main.cf :
mynetworks = real.IP.add.ress/CIDR[, ...]
smtpd_recipient_restrictions = reject_unlisted_sender,
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination[, ...]

> don't know if using smtpd_reject_unlisted_sender would prevent
> anything going wrong here, but this is likely to make you an open
> relay.

If the wrong thing had been done correctly ;) I think this would have
worked too, that is, if I understood the OP's goal correctly.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
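
The point made in the message above, that a bare "0.0.0.0" in mynetworks matches one unroutable address while a CIDR expression such as 0.0.0.0/0 matches every client, as an added example that is not part of the original thread. The function names are hypothetical, the script models only the address match (left to right, first match wins, "!" excludes), and it does not read external tables.

```python
import ipaddress


def parse_mynetworks(value):
    """Return (entry, negated, network) for each pattern in a mynetworks value.

    network is None for /file/name, $variable and type:table entries, whose
    contents live outside the value itself and are not read by this sketch.
    """
    parsed = []
    for entry in value.replace(",", " ").split():
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        if pattern.startswith("["):            # IPv6 is written [addr]/len
            pattern = pattern[1:].replace("]", "", 1)
        elif pattern.startswith(("/", "$")) or ":" in pattern:
            parsed.append((entry, negated, None))
            continue
        # A pattern without /len becomes a single-host network (/32 or /128).
        # strict=False tolerates host bits here; this leniency is an
        # assumption of the sketch, not a statement about Postfix.
        network = ipaddress.ip_network(pattern, strict=False)
        parsed.append((entry, negated, network))
    return parsed


def relay_allowed(value, client_ip):
    """True if client_ip matches the mynetworks value (first match wins)."""
    client = ipaddress.ip_address(client_ip)
    for _entry, negated, network in parse_mynetworks(value):
        if network is None or network.version != client.version:
            continue
        if client in network:
            return not negated
    return False


def audit(value):
    """List (entry, finding) pairs for patterns that deserve a second look."""
    findings = []
    for entry, negated, network in parse_mynetworks(value):
        if network is None:
            findings.append((entry, "external table, not evaluated here"))
        elif negated:
            continue
        elif network.prefixlen == 0:
            findings.append((entry, "matches every client: open relay"))
        elif network.num_addresses == 1 and network.network_address.is_unspecified:
            findings.append((entry, "matches only the unspecified address"))
    return findings


if __name__ == "__main__":
    # Constructed settings; 203.0.113.9 stands in for an arbitrary outside client.
    for setting in ("0.0.0.0", "0.0.0.0/0", "", "127.0.0.0/8, 192.0.2.0/24"):
        print(repr(setting), relay_allowed(setting, "203.0.113.9"), audit(setting))
```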


Re: 3000 recipients

2010-01-03 Thread vg_us



--
From: "Jose-Marcio Martins da Cruz" 
Sent: Sunday, January 03, 2010 4:13 PM
To: 
Subject: Re: 3000 recipients


> richard lucassen wrote:
>
>> On Sun, 3 Jan 2010 14:28:11 -0600
>> Kenneth Marshall  wrote:
>>
>> [mlm]
>>
>>> I will second that using a real MLM is usually a much, much better
>>> option that will allow you to prevent collateral damage to your mail
>>> reputation when there is a delivery problem. For example, when using
>>> the aliases option, you should only allow the one address/user to send
>>> mail to the alias or you open up an avenue for spammers to abuse your
>>> system.
>>
>> Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that
>> matter. I've only played with ezmlm some 10 years ago when I was using
>> qmail, but I haven't looked at these mlm's ever since.
>>
>> Which mlm would you recommend to use for this purpose? I use Debian
>> Lenny with (of course) Postfix.
>
> Sympa ?
>
> http://www.sympa.org
>
> JM


I used sympa for years - great software, but maybe an overkill in this case. 
however - it handles bounces nicely...


- Vadim





>> R.
>>
>> --



Re: 3000 recipients

2010-01-03 Thread Glenn English

On Jan 3, 2010, at 1:14 PM, richard lucassen wrote:

>> 3000 recipients is waaay too many to do in a single
>> shot  using Bcc.
> 
> Ok, but a mlm is quite some overkill IMHO, just wondering if there was
> an intermediate solution. This is for a blind person who handles the
> "mailinglist" himself, so solutions are rather limited.

I know nothing about your situation, but "blind" caught my attention. Over the 
past couple years, I wrote a program to try to interface some blind kids to a 
computer, at a pretty basic level and for a specific set of tasks -- 
http://www.auraluserinterface.com. The kids in TX were quite empowered by it, 
even though it's far from ready for prime time. If you think it might help the 
list manager, let me know and I'll see if I can't make it run mailman list adds 
and deletes via ssh or http...

-- 
Glenn English
g...@slsware.com





Re: anti spam measures

2010-01-03 Thread Roman Gelfand
On Sun, Jan 3, 2010 at 2:59 PM, Kenneth Marshall  wrote:
> On Sun, Jan 03, 2010 at 10:02:32AM -0500, Roman Gelfand wrote:
>> I am running postfix with anti spam filter (policyd-weight, sqlgrey,
>> grossd, dkim, senderid-milter, dspam) .  With this configuration, I am
>> down to under 10 spams a day.  Looking at my backend server which is
>> exchange 2007, I find that all of the remaining spam messages have
>> spam confidence level of 7 or greater, which implies this is blatant
>> spam.  Is there spam filter software that works with postfix
>> that can perform checks similar to that of exchange 2007 spam
>> confidence level?
>>
>> Thanks in advance
>>
> Hi Roman,
>
> To truly check how the Exchange 2007 spam confidence level works,
> try passing all of the mail from postfix to the Exchange server. I
> would be almost certain that more than 10 messages will make it
> through a day. If not, then just use the Exchange processing and
> you are done. If you do try the test, I would be interested in
> the results so please post them.

No question, exchange 2007 leaves a lot to be desired compared to
postfix, dspam and other filtering features.  Believe me I have tried
both.   Without the edge server, I was getting in excess of 400 spams
a day.  With the current setup I was getting at most 10 spams a day.
Out of those ten spams, the spam confidence level ranged between 7-9
which tells exchange, without a doubt, this is spam.  My thoughts are,
it can't be that exchange caught it and postfix and friends didn't.
Therefore, it must have something to do with my postfix configuration
and/or additional filtering servers and their configurations.

I just saw one spam email where the policyd-weight is -8.5, as this ip
is not blacklisted,  and SPF is PASS, but exchange's spam confidence
level is 8.

BTW.. Just for the features alone it is worth switching to postfix.  I
think it is light years ahead and without all the fluff.

Thanks
>
> Regards,
> Ken
>


Re: 3000 recipients

2010-01-03 Thread Patrick Ben Koetter
* Glenn English :
> 
> On Jan 3, 2010, at 1:14 PM, richard lucassen wrote:
> 
> >> 3000 recipients is waaay too many to do in a single
> >> shot  using Bcc.
> > 
> > Ok, but a mlm is quite some overkill IMHO, just wondering if there was
> > an intermediate solution. This is for a blind person who handles the
> > "mailinglist" himself, so solutions are rather limited.
> 
> I know nothing about your situation, but "blind" caught my attention. Over
> the past couple years, I wrote a program to try to interface some blind kids
> to a computer, at a pretty basic level and for a specific set of tasks --
> http://www.auraluserinterface.com. The kids in TX were quite empowered by
> it, even though it's far from ready for prime time. If you think it might
> help the list manager, let me know and I'll see if I can't make it run
> mailman list adds and deletes via ssh or http...

Mailman 3 will have a web interface that adheres to the Web Content Accessibility
Guidelines (WCAG). We're at the very beginning, but it is on the roadmap.

p...@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: anti spam measures

2010-01-03 Thread Roman Gelfand
On Sun, Jan 3, 2010 at 3:37 PM, Steve  wrote:
>
>  Original Message 
>> Date: Sun, 3 Jan 2010 12:50:26 -0500
>> From: Roman Gelfand 
>> To: Steve 
>> CC: postfix-users@postfix.org
>> Subject: Re: anti spam measures
>
>> On Sun, Jan 3, 2010 at 10:13 AM, Steve  wrote:
>> >
>> >  Original Message 
>> >> Date: Sun, 3 Jan 2010 10:02:32 -0500
>> >> From: Roman Gelfand 
>> >> To: postfix users list 
>> >> Subject: anti spam measures
>> >
>> >> I am running postfix with anti spam filter (policyd-weight, sqlgrey,
>> >> grossd, dkim, senderid-milter, dspam) .  With this configuration, I am
>> >> down to under 10 spams a day.  Looking at my backend server which is
>> >> exchange 2007, I find that all of the remaining spam messages have
>> >> spam confidence level of 7 or greater, which implies this is blatant
>> >> spam.
>> >>
>> > And your current Anti-Spam solution did not tag them as Spam?
>> >
>> No.
>>
> Since DSPAM is the Anti-Spam engine you are using, you should train DSPAM to 
> catch those Spam mails.

I do train DSPAM and it works great.  However, if I could block it
before it gets to DSPAM, why not.  I wouldn't feel bad if exchange
told me this is perfectly good email.  I am looking to do away with
exchange server altogether.

Thanks
>
>
>> Since, I posted this message, I saw your discussion about s25r.
>> I am trying it now.  My first impression is that it is making a dent.
>>
> It's a cheap (in terms of resources) way to block a lot of unwanted mails.
>
>
>> You were, at one point, trying out geoip patched policyd-weight where
>> you added points to a total score based on distance between servers.
>>
> Yes. I implemented that into policyd-weight after reading about SNARE 
> (Spatio-temporal Network-level Automatic Reputation Engine).
>
>
>> If so, would you mind sharing the patched script along with
>> configuration file?
>>
> I have no problem sharing this code but to be honest: The discussion does not 
> belong here in the Postfix mailing list.
>
>
>> >
>> >> Is there spam filter software that works with postfix
>> >> that can perform checks similar to that of exchange 2007 spam
>> >> confidence level?
>> >>
>> >> Thanks in advance
>> >
>> >
>>
>> Thanks again
>>
> Please let's move that discussion out of the Postfix mailing list since it 
> really does not belong here. Okay?

Understood.

>


Re: anti spam measures

2010-01-03 Thread mouss
Roman Gelfand a écrit :
> I am running postfix with anti spam filter (policyd-weight, sqlgrey,
> grossd, dkim, senderid-milter, dspam) .  With this configuration, I am
> down to under 10 spams a day.  Looking at my backend server which is
> exchange 2007, I find that all of the remaining spam messages have
> spam confidence level of 7 or greater, which implies this is blatant
> spam.  Is there spam filter software that works with postfix
> that can perform checks similar to that of exchange 2007 spam
> confidence level?
> 

we can't really tell since we didn't see the messages that made it
through postfix+friends.

if the messages contained a URI listed at uribl or surbl, then you could
try using uribl/surbl via milter-link or via spamassassin (via
amavisd-new).

anyway, You can add spamassassin (via amavisd-new) to your chain and see
 if it improves your filtering.

at one time, the question becomes: is the additional effort worth the pain?








Re: anti spam measures

2010-01-03 Thread Steve

 Original Message 
> Date: Sun, 03 Jan 2010 23:37:18 +0100
> From: mouss 
> To: postfix users list 
> Subject: Re: anti spam measures

> Roman Gelfand a écrit :
> > I am running postfix with anti spam filter (policyd-weight, sqlgrey,
> > grossd, dkim, senderid-milter, dspam) .  With this configuration, I am
> > down to under 10 spams a day.  Looking at my backend server which is
> > exchange 2007, I find that all of the remaining spam messages have
> > spam confidence level of 7 or greater, which implies this is blatant
> > spam.  Is there spam filter software that works with postfix
> > that can perform checks similar to that of exchange 2007 spam
> > confidence level?
> > 
> 
> we can't really tell since we didn't see the messages that made it
> through postfix+friends.
> 
> if the messages contained a URI listed at uribl or surbl, then you could
> try using uribl/surbl via milter-link or via spamassassin (via
> amavisd-new).
> 
> anyway, You can add spamassassin (via amavisd-new) to your chain and see
>  if it improves your filtering.
> 
I am for sure one of the people that should keep his mouth shut since I have a 
too strong bias but SpamAssassin? Why? He is using DSPAM and if I would propose 
him another free solution then only something like CRM114 or OSBF-Lua.


> at one time, the question becomes: is the additional effort worth the
> pain?
> 
Good question.


Re: possible bugs in the documentation

2010-01-03 Thread Christoph Anton Mitterer

Hi Wietse.

The following could be another case where the scripts you've mentioned  
create incorrect links:
http://www.postfix.org/MAILDROP_README.html#direct links in the first  
sentence with the word maildrop to  
http://www.postfix.org/QSHAPE_README.html#maildrop_queue . But I think  
the word refers to the maildrop MDA while the link target is about the  
maildrop queue as used by the pickup service.


Thanks,
Chris.





Re: anti spam measures

2010-01-03 Thread Stan Hoeppner
Roman Gelfand put forth on 1/3/2010 3:44 PM:

> I do train DSPAM and it works great.  However, if I could block it
> before it gets to DSPAM, why not.  I wouldn't feel bad if exchange
> told me this is perfectly good email.  I am looking to do away with
> exchange server altogether.

Is managing local block lists above your "effort threshold"?  If the answer is 
no...

I've been building some local lists for about 1.5+ years now and it has pretty
much completely clobbered my snowshoe problem.  I get one to two spams a day in
the inbox these days, if that.  I go many days in a row with none.  Every few
weeks or so I'll see 5-10 spams in the inbox due to a run from a previously
unknown snowshoe spammer IP or /27 or /24 range.  I block it and sail mostly
spam free again for another few weeks.

I don't use any content filtering software, period, only smtpd checks, postgrey
daemon, and zen.spamhaus.org.  I filter about 10 countries and all of Africa
using ipdeny.com cidr blocks and I do some rdns name regex rejections.
Interestingly, I've not had a rejection from spamhaus in months.  Heck, I don't
even know if Postfix is querying zen anymore.  I've nothing of zen in my logs
since Sept 25, 2009.  Postfix only logs zen rejections, not unsuccessful lookups
(at my default logging level anyway).

Anyway, I'm almost entirely spam free, whilst making use of no content filtering
or dnsbls (although I do have one dnsbl configured, as mentioned previously).  I
run a small vanity server so YMMV.  It's a pretty simple A/S setup but very
effective.  ~/spammer is my main anti-snowshoe file, mostly US IP space.  It
currently has 789 netblocks listed from /29s to a /12.  I heard your gasp "Uahh!
You block a /12? OMG! OMG!".  This /12 happens to belong to a cable ISP:

OrgName:    Mediacom Communications Corp
CIDR:       173.16.0.0/12
NetName:    MEDIACOM-RESIDENTIAL-CUST

It was not in spamhaus PBL or any other "dynamic IP" dnsbls at the time I
blocked it.  It's entirely residential and should be policy blocked.  Anyway,
here's my config in case you may find any of it useful.  I can provide static block
lists in off list email or on a web page if you like.

header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
smtpd_helo_required = yes
cidr=cidr:/etc/postfix/cidr_files
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/whitelist
    check_sender_access hash:/etc/postfix/whitelist
    check_client_access hash:/etc/postfix/whitelist
    check_client_access hash:/etc/postfix/blacklist
    check_client_access regexp:/etc/postfix/fqrdns.regexp
    check_client_access pcre:/etc/postfix/ptr-tld.pcre
    check_client_access ${cidr}/countries
    check_client_access ${cidr}/spammer
    check_client_access ${cidr}/misc-spam-srcs
    reject_unknown_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rbl_client zen.spamhaus.org
    check_policy_service inet:127.0.0.1:6
--
Stan
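
One way to check which restriction is actually doing the rejecting, and when a given DNSBL last produced a hit, is to tally the smtpd reject lines in the mail log. This is an added example, not part of the original message: the log lines are constructed samples in the usual Postfix reject format, and the function names and cause labels are hypothetical.

```python
import re

# Constructed sample lines (documentation IP ranges, made-up hosts and PIDs).
SAMPLE_LOG = """\
Jan  2 09:14:55 mx postfix/smtpd[1801]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.org> to=<u@example.net> proto=ESMTP helo=<h1.example.org>
Jan  3 15:01:02 mx postfix/smtpd[2101]: connect from unknown[198.51.100.7]
Jan  3 15:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <unknown[198.51.100.7]>: Client host rejected: Access denied; from=<b@example.org> to=<u@example.net> proto=ESMTP helo=<h2.example.org>
Jan  3 15:20:41 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <unknown[198.51.100.9]>: Client host rejected: Access denied; from=<c@example.org> to=<u@example.net> proto=ESMTP helo=<h3.example.org>
Jan  3 16:02:13 mx postfix/smtpd[2140]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<d@example.org> to=<u@example.net> proto=ESMTP helo=<h4.example.org>
Jan  3 16:30:00 mx postfix/smtpd[2155]: NOQUEUE: reject: RCPT from mail.example.com[203.0.113.80]: 450 4.2.0 <u@example.net>: Recipient address rejected: Greylisted; from=<e@example.com> to=<u@example.net> proto=ESMTP helo=<mail.example.com>
"""

# Timestamp, then the text between the status codes and the "; from=<" suffix.
REJECT = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"\w+ from \S+?\[[^\]]+\]: \d{3} [\d.]+ (.*?); from=<"
)

# Ordered (pattern, label) pairs; the first pattern that matches names the cause.
CAUSES = [
    (re.compile(r"blocked using ([^\s;]+)"), "dnsbl:{0}"),
    (re.compile(r"Client host rejected: Access denied"), "client access table"),
    (re.compile(r"cannot find your hostname"), "reject_unknown_client_hostname"),
    (re.compile(r"Greylisted"), "greylisting policy service"),
]


def classify(detail):
    """Map the reject text of one log line to a cause label."""
    for pattern, label in CAUSES:
        match = pattern.search(detail)
        if match:
            return label.format(*match.groups())
    return "other"


def summarize(log_text):
    """Return {cause: {"count": n, "last": timestamp}} for all reject lines."""
    summary = {}
    for line in log_text.splitlines():
        match = REJECT.match(line)
        if not match:
            continue                      # connect, disconnect, delivery, ...
        stamp, detail = match.groups()
        entry = summary.setdefault(classify(detail), {"count": 0, "last": None})
        entry["count"] += 1
        entry["last"] = stamp             # log is chronological: latest wins
    return summary


if __name__ == "__main__":
    for cause, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{info["count"]:4d}  last {info["last"]}  {cause}')
```

Restrictions are evaluated in the order listed, so a client rejected by an earlier check_client_access table never reaches a later reject_rbl_client entry; a DNSBL with no recent hits in such a tally may simply be shadowed by the local lists.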



Client did not present a certificate

2010-01-03 Thread Michael
I have not been able to get any message other than "Client did not present a 
certificate" in message headers despite loading a Comodo email certificate 
into KMail.

postconf -n

alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/pcre_body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = pcre:/etc/postfix/pcre_header_checks
html_directory = /etc/postfix/HTML
inet_interfaces = 202.89.44.100, localhost
local_recipient_maps = $alias_maps, $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 2048
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 1024
mydestination = $myhostname, localhost.$mydomain, mail.$mydomain, 
mysql:/etc/postfix/mysql-mydestination.cf
myhostname = mail.nettrust.net.nz
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /etc/postfix/README
relay_domains = mysql:/etc/postfix/mysql-relaydomains.cf
sample_directory = /etc/postfix/SAMPLE
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = reject_invalid_hostname, 
reject_non_fqdn_sender, reject_non_fqdn_recipient, 
reject_unknown_sender_domain,   check_recipient_access 
hash:/etc/postfix/recipient_access,  reject_unknown_recipient_domain,   
reject_unauth_pipelining,   reject_unauth_destination,  
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_starttls_timeout = 300s
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
transport_maps = mysql:/etc/postfix/mysql-transport.cf, 
hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-gids.cf
virtual_mailbox_base = /var/spool/mail
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 1000
virtual_uid_maps = mysql:/etc/postfix/mysql-uids.cf


Re: 3000 recipients

2010-01-03 Thread ram
On Sun, 2010-01-03 at 20:37 +0100, richard lucassen wrote:
> Hello list,
> 
> I want to send once a week a simple mail to a list of 3000 recipients. I
> can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to
> higher limits, but is there a better way to handle this?
> 
> R.
> 
Do these 3000 recipients exist on your server or outside ? 

If outside and this is a common mail being sent to all users , then just
set your postfix server to accept the mail , send the mails in smaller
batches of 10 recipients each.
( default_destination_recipient_limit=10 ? ) 


Handling bounces,abuse complaints  etc will have to be managed










Re: 3000 recipients

2010-01-03 Thread LuKreme


On Jan 3, 2010, at 13:14, richard lucassen wrote:

> but a mlm is quite some overkill IMHO


An mlm is certainly not overkill for 3,000 recipients.