Postfix relays to all recipients
Hi,

I think I have something bad configured with postfix. I'm sending 1 mail from "r...@dontcare.org" to "u...@domain.org, r...@dontcare.org" while domain.org is main domain where I run postfix. This is workflow of mail: getmail (from ISP) -> sendmail (postfix sendmail; sending to "X-Original-To"->postfix->amavis->dovecot. Now the problem.

When I send the mail from "r...@dontcare.org" to "u...@domain.org, r...@dontcare.org" it looks like postfix want to deliver mail to "u...@domain.org" (which is Ok) but ALSO TO "r...@dontcare.org" which it should not (or should it???). Then I get bounce from smtpd for "r...@dontcare.org". Here is part of my log:

2010-02-11 09:57:04 Initializing MultidropPOP3SSLRetriever:s...@local.domain.org:995:
Feb 11 09:57:05 local postfix/pickup[9191]: 7C81B11464: uid=5003 from=
2010-02-11 09:57:05 msg 1/1 (3716 bytes) msgid UID37948-1188378705 from to delivered to MDA_external command sendmail (), deleted
Feb 11 09:57:05 local postfix/cleanup[9210]: 7C81B11464: message-id=<831968.35374...@web110402.mail.gq1.dontcare.org>
Feb 11 09:57:05 local postfix/qmgr[9192]: 7C81B11464: from=, size=3939, nrcpt=2 (queue active)
Feb 11 09:57:05 local postfix/pipe[9205]: 7C81B11464: to=, relay=dovecot, delay=0.11, delays=0.05/0.02/0/0.03, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb 11 09:57:05 local postfix/smtp[9203]: 7C81B11464: to=, relay=isp.provider.org[xxx.xxx.xxx.xxx]:25, delay=0.43, delays=0.05/0.02/0.29/0.06, dsn=5.0.0, status=bounced (host isp.provider.org[xxx.xxx.xxx.xxx] said: 550 Administrative prohibition (in reply to RCPT TO command))
Feb 11 09:57:05 local postfix/cleanup[9210]: EBE14114B8: message-id=<20100211085705.ebe1411...@local.domain.org>
Feb 11 09:57:05 local postfix/bounce[9251]: 7C81B11464: sender non-delivery notification: EBE14114B8
Feb 11 09:57:05 local postfix/qmgr[9192]: EBE14114B8: from=<>, size=5819, nrcpt=1 (queue active)
Feb 11 09:57:05 local postfix/qmgr[9192]: 7C81B11464: removed
Feb 11 09:57:06 local postfix/smtp[9203]: EBE14114B8: to=, relay=isp.provider.org[xxx.xxx.xxx.xxx]:25, delay=0.36, delays=0.03/0/0.29/0.04, dsn=5.0.0, status=bounced (host isp.provider.org[xxx.xxx.xxx.xxx] said: 550 Administrative prohibition (in reply to RCPT TO command))
Feb 11 09:57:06 local postfix/qmgr[9192]: EBE14114B8: removed
Feb 11 09:57:06 local postfix/qmgr[9192]: EBE14114B8: removed

What could be wrong?

Thanks
Trigve
Re: Mail routing based on my own policy
Thank you. I just compiled 2.6.5 with it and wrote a little tcp server with Net::Server. I can use it in transport_maps returning a string "200 snmp:my_mail_host" Andrea Wietse Venema wrote: > Ralf Hildebrandt: >> * Andrea Gabellini : >> >>> I already looked at tcp_map, but I have some doubts. >>> >>> First of all tcp_map support is not compiled by default, and I don't >>> know the flag to activate it. Do you know it? >> Not off the top of my head. I used that once and it would just work. >> >>> TCP_TABLE(5) says that the return code must be a numeric value. >> Where? >> >> REPLY FORMAT >>Each reply specifies a status code and text. Replies must be no >> longer >>than 4096 characters including the newline terminator. >> >>500 SPACE text NEWLINE > > etc. > > As a follow-up, the tcp_table(5) "protocol" has not changed since > Postfix 2.1, so I am going to call it stable, and include it with > Postfix 2.7. Despite all the limitations of the "protocol", it is > more useful than not having it at all. > > To make the tcp table available in the stable release, I edited > src/util/dict_open.c, and removed the #ifdef SNAPSHOT and #endif > around the entry with dict_tcp_open as shown below. > > Wietse > > *** /var/tmp/postfix-2.8-20100203/src/util/dict_open.cSat Jan 2 > 18:36:03 2010 > --- ./dict_open.c Tue Feb 9 19:21:30 2010 > *** > *** 223,231 > DICT_TYPE_ENVIRON, dict_env_open, > DICT_TYPE_HT, dict_ht_open, > DICT_TYPE_UNIX, dict_unix_open, > - #ifdef SNAPSHOT > DICT_TYPE_TCP, dict_tcp_open, > - #endif > #ifdef HAS_SDBM > DICT_TYPE_SDBM, dict_sdbm_open, > #endif > --- 223,229 > -- There are two ways to write error-free programs; only the third one works. Ing. Andrea Gabellini Email: andrea.gabell...@telecomitalia.sm Skype: andreagabellini Tel: (+378) 0549 886111 Fax: (+378) 0549 886188 Telecom Italia San Marino S.p.A. Strada degli Angariari, 3 47891 Rovereta Republic of San Marino http://www.telecomitalia.sm
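Review bot: with the #ifdef SNAPSHOT / #endif pair removed around the DICT_TYPE_TCP, dict_tcp_open entry, the tcp: map type is registered in every build, while the neighbouring DICT_TYPE_SDBM entry stays behind #ifdef HAS_SDBM. Only dict_open.c is shown, so please confirm that nothing else the entry depends on (the dict_tcp header include, the dict_tcp source in the build) is still under a SNAPSHOT guard, and make sure the "limitations of the protocol" mentioned in the covering note are spelled out in tcp_table(5) now that stable-release users can reach this map type.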
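The request/reply format quoted in this message, as an added example that is not Andrea's Net::Server code and not part of Postfix: a small lookup server that answers `get` requests with the 200/400/500 replies and %XX encoding of tcp_table(5). The table contents, the port 2527 and the function names are assumptions made for the illustration.

```python
"""Lookup server speaking the tcp_table(5) request/reply format (added example)."""
import socketserver
import string

MAX_LINE = 4096  # tcp_table(5): a reply is at most 4096 characters including the newline

# Constructed sample data: recipient domain -> transport_maps result.
SAMPLE_TRANSPORTS = {
    "example.com": "smtp:[192.0.2.10]",
    "example.net": "smtp:[192.0.2.20]:2525",
}


def encode(text):
    """%XX-encode '%', whitespace and non-printing bytes, as the protocol requires."""
    return "".join(
        "%%%02X" % b if b == 0x25 or b <= 0x20 or b >= 0x7F else chr(b)
        for b in text.encode("utf-8")
    )


def decode(text):
    """Reverse encode(); raise ValueError on a malformed %XX escape."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError("malformed escape")
            out.append(int(pair, 16))
            i += 3
        else:
            out += text[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


def handle_request(line, table):
    """Return the single reply line for one request line."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2 or parts[0] != "get":
        # 400: error, the client should retry later
        return "400 " + encode("unsupported request") + "\n"
    try:
        key = decode(parts[1]).lower()
    except ValueError:
        return "400 " + encode("malformed key") + "\n"
    value = table.get(key)
    if value is None:
        # 500: the requested data does not exist
        return "500 " + encode("not found") + "\n"
    reply = "200 " + encode(value) + "\n"
    if len(reply) > MAX_LINE:
        return "400 " + encode("result too long") + "\n"
    return reply


class LookupHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # One request line, one reply line, until the client disconnects.
        while True:
            raw = self.rfile.readline(MAX_LINE)
            if not raw:
                break
            if not raw.endswith(b"\n"):
                # Over-long or truncated request: answer with an error and hang up.
                self.wfile.write(b"400 request%20too%20long\n")
                break
            reply = handle_request(raw.decode("utf-8", errors="replace"), SAMPLE_TRANSPORTS)
            self.wfile.write(reply.encode("ascii"))


if __name__ == "__main__":
    # Loopback only: the protocol has no authentication and no encryption.
    with socketserver.TCPServer(("127.0.0.1", 2527), LookupHandler) as server:
        server.serve_forever()
```

With this running, `transport_maps = tcp:127.0.0.1:2527` would query it. tcp_table(5) itself says not to use TCP lookup tables for security-critical purposes, because the connection is not protected and the server is not authenticated.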
Re: mailing list messages not received
On Wednesday 10 of February 2010 19:03:01 Noel Jones wrote:
> http://www.postfix.org/FILTER_README.html

Good tip. Indeed my spamchk script uses the -t option. I tried to remove it. It stopped all mail deliveries. Here is the relevant log snippet:

Feb 11 10:09:43 milos-desktop postfix/sendmail[27082]: fatal: Recipient addresses must be specified on the command line or via the -t option
Feb 11 10:09:43 milos-desktop postfix/postdrop[27083]: warning: stdin: unexpected EOF in data, record type 78 length 76
Feb 11 10:09:43 milos-desktop postfix/postdrop[27083]: fatal: uid=500: malformed input
Feb 11 10:09:44 milos-desktop postfix/pipe[26943]: 6B496F0E7B: to=, relay=spamchk, delay=6.4, delays=5.4/0/0/1.1, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: Recipient addresses must be specified on the command line or via the -t option postdrop: warning: stdin: unexpected EOF in data, record type 78 length 76 postdrop: fatal: uid=500: malformed input )

Here is the spamchk line in master.cf:

smtp inet n - n - - smtpd -o content_filter=spamchk:dummy

Here is the spamchk script:

#!/bin/sh
SENDMAIL="/usr/sbin/sendmail -i -t"
EGREP=/bin/egrep
EX_UNAVAILABLE=69
SPAMLIMIT=10
trap "rm -f /var/tmp/out.$$" 0 1 2 3 15
cat | /usr/bin/spamc -u filter > /var/tmp/out.$$
if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < /var/tmp/out.$$
then
    rm -f /var/tmp/out.$$
else
    $SENDMAIL "$@" < /var/tmp/out.$$
fi
exit $?

Thus when I remove that "-t" in SENDMAIL="/usr/sbin/sendmail -i -t", it results in the log snippet above.

-- 
Milos Prudek
Re: Setting a different IP address for different users?
* Carl Brewer [2010-02-11 03:51]:
> A quick one, I hope, postfix v 2.3.3 on a server with multiple IP addresses.
>
> Is it possible to have a policy stating that email from a particular
> address goes out using a specific IP address, and everything else by
> the system's default IP address?

I'm having a similar question. I'd like to have e-mails from authenticated users go out through a different IP. Is that possible?

-- 
Vegard Svanberg [*tak...@irc (EFnet)]
Re: Mail in Inbox
On 2010-02-11 Dhiraj Chatpar wrote: > On Thu, Feb 11, 2010 at 12:31, Ansgar Wiechers wrote: >> On 2010-02-11 Dhiraj Chatpar wrote: >>> On Thu, Feb 11, 2010 at 12:02, Ansgar Wiechers wrote: As for how it got there: In-Reply-To and References headers suggest that the mail was sent from one GMail account to another. Which would also explain why there are only private IP addresses involved. >> [...] >>> Received: from mr.google.com ([10.141.106.5]) >>> >>> Doesnt even exist. did you try checking what this IP or the host is? >> >> Which part of "private IP addresses" did you fail to understand? > > Received: from mr.google.com ([10.141.106.5]) So Google has internal DNS that resolves the name mr.google.com to the private IP address 10.141.106.5 on their internal network. What's your point? And would you please stop top-posting? Thanks. Regards Ansgar Wiechers -- "Abstractions save us time working, but they don't save us time learning." --Joel Spolsky
Re: backscatter issue
Hi Noel,

Thank you for your help!

I have searched our log for 9FE3785BA10 signature and found the beginning. Please see below. I have searched the log for other similar signatures with "from=<>" and it seems each of those problematic e-mails starts with the two lines as I have put in the beginning of my log excerpt below. (those two lines have different signature though)

I still however not sure what is causing this from=<>. As far as I can understand, somebody is trying to send e-mails to the root account. In addition as I log as root I get in the shell "You have mail." message. And I see that /root/Maildir/cur is pretty big in size.

In addition in order to stop bounces I have commented in /etc/postfix/master.cf

#bounce unix - - n - 0 bounce

I think our senders can live without nondelivery notifications I think. Do you think this will help?

I am attaching at the end of this message some info which I think may be relevant.

Thank you in advance

lines from the log related with 9FE3785BA10 signature
===
...
Feb 7 10:58:53 uCpbx postfix/local[27212]: 9FE3785BA10: to=, orig_to=, relay=local, delay=3.9, delays=1.8/0.01/0/2.1, dsn=5.2.0, status=bounced (can't create user output file. Command output: procmail: Couldn't create "/var/spool/mail/nobody" procmail: Couldn't chdir to "/root/Maildir" procmail: Couldn't read "// " procmail: Unable to treat as directory "/root/Maildir" procmail: Lock failure on "/root/Maildir.lock" procmail: Error while writing to "/root/Maildir" )
Feb 7 10:58:54 uCpbx postfix/local[27213]: 9FE3785BA10: to=, orig_to=, relay=local, delay=5, delays=1.8/0.03/0/3.1, dsn=5.2.0, status=bounced (can't create user output file. Command output: procmail: Couldn't create "/var/spool/mail/nobody" procmail: Couldn't chdir to "/root/Maildir" procmail: Couldn't read "// " procmail: Unable to treat as directory "/root/Maildir" procmail: Lock failure on "/root/Maildir.lock" procmail: Error while writing to "/root/Maildir" )
Feb 7 10:58:54 uCpbx postfix/cleanup[27200]: :message-id=<20100207085854.c69bf85b...@mail.bioidentic.com>
Feb 7 10:58:54 uCpbx postfix/qmgr[3492]: C69BF85BF81: from=<>, size=10970, nrcpt=1 (queue active)
Feb 7 10:58:54 uCpbx postfix/bounce[27231]: 9FE3785BA10: sender non-delivery notification: C69BF85BF81
Feb 7 10:58:54 uCpbx postfix/qmgr[3492]: 9FE3785BA10: removed
...
Feb 7 10:59:24 uCpbx postfix/smtp[27233]: C69BF85BF81: to=, relay=none, delay=30, delays=0.01/0.01/30/0, dsn=4.4.1, status=deferred (connect to dvb-brasil.org[62.233.121.75]: Connection timed out)
...
Feb 7 11:23:28 uCpbx postfix/qmgr[3492]: C69BF85BF81: from=<>, size=10970, nrcpt=1 (queue active)
...
Feb 7 11:23:58 uCpbx postfix/smtp[28425]: C69BF85BF81: to=, relay=none, delay=1503, delays=1473/0.02/30/0, dsn=4.4.1, status=deferred (connect to dvb-brasil.org[62.233.121.75]: Connection timed out)
...
Feb 7 11:56:48 uCpbx postfix/qmgr[3492]: C69BF85BF81: from=<>, size=10970, nrcpt=1 (queue active)
...
Feb 7 17:13:28 uCpbx postfix/qmgr[3492]: C69BF85BF81: from=<>, size=10970, nrcpt=1 (queue active)
===

Additional info which I think may be relevant to my issue.
==
Do I need to send additional info so we understand what is going on.

1. I have /root/Maildir

[r...@ucpbx ~]# ls /root/Maildir/
cur new tmp

2. We run CRM system in our server and if I grep in the /var/www/html/crm folder

[r...@ucpbx crm]# grep root@ ./* -rs
./adodb/tests/test-active-record.php: $db = NewADOConnection('mysql://r...@localhost/northwind');
./adodb/tests/test-active-recs2.php:$db = NewADOConnection('mysql://r...@localhost/northwind');
./cron/class.phpmailer.php:var $From = "r...@localhost";
./modules/Emails/class.phpmailer.php:var $From = "r...@localhost";

This CRM is sending emails as soon as our stock gets low.

3. We also have joomla installed and in ./libraries/phpmailer/phpmailer.php there is

var $From = 'r...@localhost';

4. In our /etc/aliases we have the following line commented

#root: dpn_ucpbx
===

On Wed, Feb 10, 2010 at 10:10 PM, Noel Jones wrote:
> On 2/10/2010 12:51 PM, Dimitar Penev wrote:
>>
>> Hello All,
>>
>> I am not sure if this mailing list is the best place to ask this question.
>> If not please point me to the better one.
>>
>> I am running postfix based mailserver.
>> Few days ago however I have noticed that some of the emails I am
>> sending fall in the recipient spam filters.
>> I have discovered that my ISP IP range is in uceprotect-level
Re: Postfix relays to all recipients
On 2010-02-11 Trigve Siver wrote:
> I think I have something bad configured with postfix. I'm sending 1
> mail from "r...@dontcare.org" to "u...@domain.org, r...@dontcare.org"
> while domain.org is main domain where I run postfix. This is workflow
> of mail: getmail (from ISP) -> sendmail (postfix sendmail; sending to
> "X-Original-To"->postfix->amavis->dovecot. Now the problem.
>
> When I send the mail from "r...@dontcare.org" to "u...@domain.org,
> r...@dontcare.org" it looks like postfix want to deliver mail to
> "u...@domain.org" (which is Ok) but ALSO TO "r...@dontcare.org" which
> it should not (or should it???).

You sent the mail to u...@domain.org AND r...@dontcare.org, so, yes, it should.

> Then I get bounce from smtpd for "r...@dontcare.org".

That's because your relayhost isp.provider.org does not accept the mail for delivery:

> Feb 11 09:57:05 local postfix/smtp[9203]: 7C81B11464: to=,
> relay=isp.provider.org[xxx.xxx.xxx.xxx]:25, delay=0.43,
> delays=0.05/0.02/0.29/0.06, dsn=5.0.0, status=bounced (host
> isp.provider.org[xxx.xxx.xxx.xxx] said: 550 Administrative prohibition (in
> reply to RCPT TO command))

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Re: Postfix relays to all recipients
Hi, thanks for reply

> From: Ansgar Wiechers
> Subject: Re: Postfix relays to all recipients
>
> You sent the mail to u...@domain.org AND r...@dontcare.org, so, yes, it
> should.

Yes I sent mail to both address, but when I get the mail from provider with getmail program, "X-Original-To" is set to "u...@domain.org", so I think sendmail should only send it to "u...@domain.org"?

> Regards
> Ansgar Wiechers
> --
> "Abstractions save us time working, but they don't save us time learning."
> --Joel Spolsky

Thanks
Trigve
sasl + Relay access denied
hi guys..

i can't send mail with my saslauth user

saslauth -d log:

saslauthd[6983] :do_auth : auth success: [user=peter] [service=smtp] [realm=] [mech=ldap]
saslauthd[6983] :do_request : response: OK

postfix log:

Feb 11 10:17:32 smtp postfix/smtpd[6987]: connect from unknown[10.0.0.20]
Feb 11 10:17:32 smtp postfix/smtpd[6987]: setting up TLS connection from unknown[10.0.0.20]
Feb 11 10:17:34 smtp postfix/smtpd[6987]: TLS connection established from unknown[10.0.0.20]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 11 10:17:39 smtp postfix/smtpd[6987]: NOQUEUE: reject: RCPT from unknown[10.0.0.20]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=<[10.0.0.20]>
Feb 11 10:17:41 smtp postfix/smtpd[6987]: disconnect from unknown[10.0.0.20]

so postfix send the request to sasl and sasl succeeded, but there are no messages that postfix gets the ok from the saslauthd

any ideas ?

postconf -n

address_verify_map = btree:/var/spool/postfix/data/verify
alias_maps = hash:/etc/aliases, proxy:ldap:/etc/postfix/ldap-aliases.cf
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 3d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/body_checks
html_directory = no
inet_interfaces = $myhostname, localhost
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 3d
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = smtp.example.com
mynetworks = 1.1.1.1/32, 1.1.1.2/32, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = proxy:ldap:/etc/postfix/ldap-relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access btree:/etc/postfix/access_recipient-rfc, check_client_access btree:/etc/postfix/access_client, check_helo_access btree:/etc/postfix/access_helo, check_sender_access btree:/etc/postfix/access_sender, check_recipient_access btree:/etc/postfix/access_recipient, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap-aliases.cf
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/tls/certs/smtp.example.com.cert
smtpd_tls_key_file = /etc/pki/tls/private/smtp.example.com.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = btree:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
Re: Postfix relays to all recipients
> From: Trigve Siver
> Sent: Thu, February 11, 2010 11:04:20 AM
>
> Yes I sent mail to both address, but when I get the mail from provider with
> getmail program, "X-Original-To"
> is set to "u...@domain.org", so I think sendmail should only send it to
> "u...@domain.org"?

I think I've solved it. Looks like I was using -t parameter with sendmail inside getmail delivery command which ignore address I pass with command line.

Sorry for disturbing.

Trigve
Re: mailing list messages not received
On Thursday 11 of February 2010 10:31:24 Milos Prudek wrote:
> Thus when I remove that "-t" in SENDMAIL="/usr/sbin/sendmail -i -t", it
> results in the log snippet above.

I figured the solution. I changed the original master.cf line for spamchk to include recipient in curly braces in argv=, just like in the webpage you posted.

Thank you for your help.

-- 
Milos Prudek
** Do NOT use email for urgent inquiries, please **
For urgent inquiries use Skype (username lampadampa)
For very urgent inquiries call my cell phone +420 777592445
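Both this thread and the getmail thread above came down to `sendmail -t` building the envelope from message headers instead of from the recipients the caller passed. The following is an added example, not code from either poster: it models Postfix sendmail's documented behaviour, where `-t` adds header recipients to any given on the command line, and lists the recipients that would be relayed off-site when already-delivered mail is re-injected. The message, addresses, `LOCAL_DOMAINS` and function names are constructed for the illustration.

```python
"""Envelope recipients when re-injecting fetched or filtered mail (added example)."""
from email import message_from_string
from email.utils import getaddresses

# Constructed: domains this server is the final destination for.
LOCAL_DOMAINS = {"domain.example"}

# Constructed message shaped like the getmail case: one local and one external
# recipient in To:, while the fetching host knows the real local recipient.
SAMPLE = """\
From: sender@remote.example
To: user@domain.example, sender@remote.example
X-Original-To: user@domain.example
Subject: test

body
"""


def header_recipients(raw):
    """Addresses that -t would extract from To:, Cc: and Bcc:."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _name, addr in getaddresses(fields) if addr]


def envelope(raw, argv_recipients, use_t):
    """Envelope recipient list for `sendmail [-t] argv_recipients...`."""
    rcpts = [r.lower() for r in argv_recipients]
    if use_t:
        # Header recipients are added to the command-line ones.
        rcpts += header_recipients(raw)
    if not rcpts:
        # Same condition as the fatal error in the log excerpt above.
        raise ValueError("Recipient addresses must be specified on the "
                         "command line or via the -t option")
    unique = []
    for r in rcpts:
        if r not in unique:
            unique.append(r)
    return unique


def relayed_off_site(rcpts):
    """Recipients outside LOCAL_DOMAINS: re-injection would send to them again."""
    return [r for r in rcpts if r.rpartition("@")[2] not in LOCAL_DOMAINS]


if __name__ == "__main__":
    for use_t in (True, False):
        rcpts = envelope(SAMPLE, ["user@domain.example"], use_t)
        print("-t" if use_t else "no -t", rcpts, "off-site:", relayed_off_site(rcpts))
```

A content filter or fetch tool that already knows the envelope recipient should pass it on the command line and leave `-t` out, which is the change both posters ended up making.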
fallback relay
We have a client who has an Exchange server on the end of two xDSL lines. We currently deliver via SMTP to the IP address of one of the lines. We would like to have postfix try the other line if the xDSL on the first one is down.

Looking at the docs fallback_relay would seem to do the trick.

Do I put in the transport map:

clientsdomain.co.uk smtp:[xxx.xxx.xxx.xxx]
clientsdomain.co.uk relay:[yyy.yyy.yyy.yyy]

where x is the main line and y is the fallback line?

Thanks
Steve

thorNET
Internet Services, Consultancy & Training
www.thornet.co.uk
Re: Fallback issues
Hello,

I switch transport_maps off from main.cf. Next I insert

fallback_relay = [192.168.1.1], [192.168.1.2]

but I can see in logs, that postfix still find MX and don't use specified hosts.

Vladislav

On Wed, Feb 10, 2010 at 9:20 PM, Wietse Venema wrote:
> Vladislav Antolik:
>> Thank you for reply, but my version of postfix is 2.2.
>
> man 5 postconf
>
> smtp_fallback_relay (default: $fallback_relay)
> Optional list of relay hosts for SMTP destinations that can't be found
> or that are unreachable. With Postfix 2.2 and earlier this parameter is
> called fallback_relay.
>
>> On Wed, Feb 10, 2010 at 9:03 PM, Wietse Venema wrote:
>> > Vladislav Antolik:
>> >> Hi,
>> >>
>> >> I'd like to configure this kind of functionality.
>> >> I have 1 postfix box, which should relay mails to 1 of 2 internal mail
>> >> servers(192.168.1.1, 192.168.1.2).
>> >> When 1 internal mail server crashes, new incoming mails should be
>> >> automatically send to another internal mail server.
>> >> I don't want to use MX lookup.
>> >
>> > Use smtp_fallback_relay.
>> >
>> >> I tried this configuration:
>> >> in transport file
>> >>
>> >> example.com    :[192.168.1.1]
>> >> .example.com   :[192.168.1.2]
>> >>
>> >> but without success.
>> >
>> > This always produces [192.168.1.1] for example.com, and always
>> > produces [192.168.1.2] for stuff.example.com.
>> >
>> >        Wietse
>> >
>>
>
Re: Setting a different IP address for different users?
Vegard Svanberg:
> * Carl Brewer [2010-02-11 03:51]:
>
> > A quick one, I hope, postfix v 2.3.3 on a server with multiple IP addresses.
> >
> > Is it possible to have a policy stating that email from a particular
> > address goes out using a specific IP address, and everything else by
> > the system's default IP address?
>
> I'm having a similar question. I'd like to have e-mails from
> authenticated users go out through a different IP. Is that possible?

This requires Postfix 2.7 or later. See the updated FILTER documentation.

    Wietse
Re: fallback relay
* Steve Heaven :
>
> We have a client who has an Exchange server on the end of two xDSL
> lines. We currently deliver via SMTP to the IP address of one of the
> lines. We would like to have postfix try the other line if the xDSL on
> the first one is down.
>
> Looking at the docs fallback_relay would seem to do the trick.
>
> Do I put in the transport map:
>
> clientsdomain.co.uk smtp:[xxx.xxx.xxx.xxx]
> clientsdomain.co.uk relay:[yyy.yyy.yyy.yyy]
>
> where x is the main line and y is the fallback line?

No. Please note that you're not even using (smtp_)fallback_relay.

It's probably easier to set up an (internal) MX record with the appropriate preferences:

clientsdomain.co.uk MX 10 xxx.xxx.xxx.xxx
clientsdomain.co.uk MX 20 yyy.yyy.yyy.yyy

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Whats the LDAP variable for Source IP Address?
Hello List,

there are such LDAP variables such as %s and %d to do ldap based queries. I am looking for the variable which is the IP address. I want to check my ldap for IP addresses that I allow relay for.

I did have a look at http://www.postfix.org/ldap_table.5.html, but was unlucky.

Cheers,
Mario
Re: fallback relay
Hello,

I have the same problem, but I don't want to use MX lookup.
Is there any possibility to do it?

Vladislav

On Thu, Feb 11, 2010 at 12:51 PM, Ralf Hildebrandt wrote:
> * Steve Heaven :
>>
>> We have a client who has an Exchange server on the end of two xDSL
>> lines. We currently deliver via SMTP to the IP address of one of the
>> lines. We would like to have postfix try the other line if the xDSL on
>> the first one is down.
>>
>> Looking at the docs fallback_relay would seem to do the trick.
>>
>> Do I put in the transport map:
>>
>> clientsdomain.co.uk smtp:[xxx.xxx.xxx.xxx]
>> clientsdomain.co.uk relay:[yyy.yyy.yyy.yyy]
>>
>> where x is the main line and y is the fallback line?
>
> No. Please note that you're not even using (smtp_)fallback_relay.
>
> It's probably easier to set up an (internal) MX record with the
> appropriate preferences:
>
> clientsdomain.co.uk MX 10 xxx.xxx.xxx.xxx
> clientsdomain.co.uk MX 20 yyy.yyy.yyy.yyy
>
>
> --
> Ralf Hildebrandt
> Geschäftsbereich IT | Abteilung Netzwerk
> Charité - Universitätsmedizin Berlin
> Campus Benjamin Franklin
> Hindenburgdamm 30 | D-12203 Berlin
> Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
> ralf.hildebra...@charite.de | http://www.charite.de
>
>
Re: fallback relay
* Vladislav Antolik :
> Hello,
>
> I have the same problem, but I don't want to use MX lookup.
> Is there any possibility to do it?

Only with MX lookups

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
SPF Issues
Hi Folks,

I have 3 mail servers all running a postfix based setup, based on workaround.org's fantastic article: http://workaround.org/ispmail/lenny

I have installed the python SPF checker plugin (Packaged by tumgreyspf).

Here is my minor problem: Currently, when my main mx server is down, my backup mx picks up mail and puts it into its queue. My secondary mx is VPN'ed to my main mx, so mail from the secondary mx is seen as coming from a local LAN IP, and since it's not in my domain TXT SPF record, it says it's not authorised.

The temporary solution that I've done, is force my secondary mail server to forward mail to the external interface of my main mx, and add my secondary mx IP to my domain txt spf record.

Does anyone know how to "whitelist" a particular IP when using tumgreyspf with postfix?

Thanks
Jonny
Re: fallback relay
Ralf Hildebrandt:
> * Vladislav Antolik :
> > Hello,
> >
> > I have the same problem, but I don't want to use MX lookup.
> > Is there any possibility to do it?
>
> Only with MX lookups

And with (smtp_)fallback_relay.

/etc/postfix/main.cf:
    transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
    example.com smtp_example:[4.3.2.1]

/etc/postfix/master.cf:
    smtp_example unix - - n - - smtp
        -o fallback_relay=[1.2.3.4]

If you can't make it work, send mail to the list, see also http://www.postfix.org/DEBUG_README.html#mail as suggested in the mailing list welcome message.

    Wietse
Unknown Users
Hi Folks,

Does anyone know how to make a backup MX server query the primary mx server if a mailbox exists, before accepting the contents of the mail?

I have a problem with MAILER-DAEMON messages...

Thanks
Re: Unknown Users
2010/2/11 Jonathan Tripathy :
> Hi Folks,
>
> Does anyone know how to make a backup MX server query the primary mx server
> if a mailbox exists, before accepting the contents of the mail?
>
> I have a problem with MAILER-DAEMON messages...

for example using address verification: http://www.postfix.org/ADDRESS_VERIFICATION_README.html

.. or keeping list of valid users on that machine..

-- 
Eero
Re: Problems getting Gmail to use my SMTP server rather than theirs
On 11 February 2010 11:54, Rob Tanner wrote:
> The problem is the log files are rather large (a quarter million lines since
> the 4 am roll this morning, and there are lots of google entries. In other
> words I've already spent time just trying to find the entries. Any idea
> about particular keywords that I might look for?

Not really, but I'd be inclined to capture a chunk of the logs while you manually fire off a message from gmail that should go via your server (I think I'm reading this correctly). I don't know what the error messages might look like, perhaps "TLS" appears in there.

Now, I've not used this gmail feature, but perhaps it's connecting to port 587 instead? Do you have the submission port setup, and if so, what settings/restrictions does it have?
Re: Whats the LDAP variable for Source IP Address?
On 2/11/2010 7:01 AM, ml ml wrote:
> Hello List,
>
> there are such LDAP variables such as %s and %d to do ldap based
> queries. I am looking for the variable which is the IP address. I want
> to check my ldap for IP addresses that I allow relay for.
>

Source IP address can be checked by any table type by using check_client_access {table}:/path/to/file. LDAP/*sql maps then use the %s parameter as the IP will be passed as the lookup key using check_client_access
Re: Unknown Users
Quoting Jonathan Tripathy :

> Hi Folks,
>
> Does anyone know how to make a backup MX server query the primary mx
> server if a mailbox exists, before accepting the contents of the mail?
>
> I have a problem with MAILER-DAEMON messages...
>
> Thanks

That might not be the right problem to fix. If the primary mx is down, the backup mx might not have anything to query.

You might want to have the primary mx export a list of valid users periodically as a text file, then have the backup server pick it up with rsync, then postfix can use it to validate recipients.

Terry
Re: Unknown Users
Greetings,

On Thu, Feb 11, 2010 at 10:11 AM, wrote:
> Quoting Jonathan Tripathy :
>
>> Hi Folks,
>>
>> Does anyone know how to make a backup MX server query the primary mx
>> server if a mailbox exists, before accepting the contents of the mail?
>>
>> I have a problem with MAILER-DAEMON messages...
>>
>> Thanks
>
> That might not be the right problem to fix. If the primary mx is down, the
> backup mx might not have anything to query.
>
> You might want to have the primary mx export a list of valid users
> periodically as a text file, then have the backup server pick it up with
> rsync, then postfix can use it to validate recipients.

Or, maybe: integrate both MXs to *one* user database, like LDAP, or *SQL, and have replication, then make the destination verification use that database, if the primary MX is dead, the secondary will still have a valid, and up-to-date DB to verify its destinations.

I hope this helps,

Ildefonso Camargo
Re: backscatter issue
On 2/11/2010 3:50 AM, Dimitar Penev wrote:
> Hi Noel,
>
> Thank you for your help!
>
> I have searched our log for 9FE3785BA10 signature and found the beginning. Please see below. I have searched the log for other similar signatures with "from=<>" and it seems each of those problematic e-mails starts with the two lines as I have put in the beginning of my log excerpt below. (those two lines have different signature though)
>
> I still however not sure what is causing this from=<>. As far as I can understand, somebody is trying to send e-mails to the root account. In addition as I log as root I get in the shell "You have mail." message. And I see that /root/Maildir/cur is pretty big in size.
>
> In addition in order to stop bounces I have commented in /etc/postfix/master.cf
>
> #bounce unix - - n - 0 bounce
>
> I think our senders can live without nondelivery notifications I think. Do you think this will help?
>
> I am attaching at the end of this message some info which I think may be relevant.
>
> Thank you in advance
>
> lines from the log related with 9FE3785BA10 signature
> ===
> ...
> Feb 7 10:58:53 uCpbx postfix/local[27212]: 9FE3785BA10: to=, orig_to=, relay=local, delay=3.9, delays=1.8/0.01/0/2.1, dsn=5.2.0, status=bounced (can't create user output file. Command output: procmail: Couldn't create "/var/spool/mail/nobody" procmail: Couldn't chdir to "/root/Maildir" procmail: Couldn't read "// " procmail: Unable to treat as directory "/root/Maildir" procmail: Lock failure on "/root/Maildir.lock" procmail: Error while writing to "/root/Maildir" )
> Feb 7 10:58:54 uCpbx postfix/local[27213]: 9FE3785BA10: to=, orig_to=, relay=local, delay=5, delays=1.8/0.03/0/3.1, dsn=5.2.0, status=bounced (can't create user output file. Command output: procmail: Couldn't create "/var/spool/mail/nobody" procmail: Couldn't chdir to "/root/Maildir" procmail: Couldn't read "// " procmail: Unable to treat as directory "/root/Maildir" procmail: Lock failure on "/root/Maildir.lock" procmail: Error while writing to "/root/Maildir"

Looks as if procmail can't deliver mail for the root user. That's what you need to fix.

I don't use procmail, but I think you might have better luck if you alias root's mail to a different non-root user.

-- 
Noel Jones
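The log search Dimitar describes (following a queue ID to the `from=<>` notification it produced) can be done mechanically. This is an added example, not code from the thread: it pairs each "sender non-delivery notification" line with the delivery that failed and with the place the bounce was sent. The two queue IDs are the ones quoted above; the addresses were stripped from the archived log, so the ones in `SAMPLE_LOG`, along with `LOCAL_DOMAINS` and the function name, are constructed.

```python
"""Correlate Postfix bounces with the failed delivery that caused them (added example)."""
import re

# Constructed: domains this server delivers locally.
LOCAL_DOMAINS = {"mail.example"}

# Constructed log lines in the shape of the excerpt above.
SAMPLE_LOG = """\
Feb  7 10:58:53 host postfix/local[27212]: 9FE3785BA10: to=<root@mail.example>, relay=local, delay=3.9, dsn=5.2.0, status=bounced (can't create user output file)
Feb  7 10:58:54 host postfix/qmgr[3492]: C69BF85BF81: from=<>, size=10970, nrcpt=1 (queue active)
Feb  7 10:58:54 host postfix/bounce[27231]: 9FE3785BA10: sender non-delivery notification: C69BF85BF81
Feb  7 10:58:54 host postfix/qmgr[3492]: 9FE3785BA10: removed
Feb  7 10:59:24 host postfix/smtp[27233]: C69BF85BF81: to=<someone@third-party.example>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to third-party.example[192.0.2.75]: Connection timed out)
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
NOTICE = re.compile(r"sender non-delivery notification: (?P<new>[0-9A-F]+)")
DELIVERY = re.compile(r"to=<(?P<to>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def trace_bounces(log_text):
    """Return one record per bounce: what failed, and where the notice went."""
    notices = {}      # bounce queue ID -> queue ID of the message that failed
    deliveries = {}   # queue ID -> [(recipient, dsn, status)]
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        n = NOTICE.match(rest)
        if n:
            notices[n["new"]] = qid
            continue
        d = DELIVERY.match(rest)
        if d:
            deliveries.setdefault(qid, []).append((d["to"], d["dsn"], d["status"]))

    report = []
    for bounce_qid, original in notices.items():
        sent_to = [(to, status) for to, _dsn, status in deliveries.get(bounce_qid, [])]
        report.append({
            "original": original,
            "bounce": bounce_qid,
            # Deliveries of the original message that ended in a bounce.
            "failed": [(to, dsn) for to, dsn, status in deliveries.get(original, [])
                       if status == "bounced"],
            "sent_to": sent_to,
            # True when the notice leaves the site, i.e. potential backscatter.
            "leaves_site": any(to.rpartition("@")[2] not in LOCAL_DOMAINS
                               for to, _status in sent_to),
        })
    return report


if __name__ == "__main__":
    for record in trace_bounces(SAMPLE_LOG):
        print(record)
```

Records with `leaves_site` set and a local `failed` recipient point at the case discussed here: a local delivery failure turning into a notification sent to an outside address.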
Re: SPF Issues
On 11-Feb-2010, at 06:16, Jonathan Tripathy wrote:
>
> Does anyone know how to "whitelist" a particular IP when using tumgreyspf with
> postfix?

Put the spf check later in your restrictions. After permit_mynetworks would be good.

-- 
THE PLEDGE OF ALLEGIANCE DOES NOT END WITH HAIL SATAN
Bart chalkboard Ep. 1F16
fatal: no SASL authentication mechanisms
I'm trying to setup SASL+TLS+dovecot. Overall I've gotten things somewhat working, but have a couple questions since I'm new to this aspect of postfix.

I get 'fatal: no SASL authentication mechanisms' in maillog

I ran saslfinger and it showed no mechanisms, my /usr/lib/sasl2/smtpd.conf contains:

pwcheck_method: saslauthd
mech_list: plain login

saslauthd is installed and running

I don't think it matters, but I have what many others said they were missing: cyrus-sasl-plain installed.

Am I supposed to add other 'mechanisms' and if so, how do I do so? Which packages do I add etc?

Thanks!

my postconf -n:

ddress_verify_map = hash:/etc/postfix/address_verify_map
alias_maps = hash:/etc/postfix/aliases
allow_percent_hack = yes
append_at_myorigin = yes
append_dot_mydomain = yes
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_transport = smtp
disable_vrfy_command = yes
empty_address_recipient = MAILER-DAEMON
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
ignore_mx_lookup_error = no
in_flow_delay = 1s
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 1500
mydestination = $myhostname, localhost.$mydomain $mydomain
myhostname = mydomain.com
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = resource,software
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
relay_domains = $mynetworks
sample_directory = /usr/share/doc/postfix-2.4.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_always_send_ehlo = no
smtp_connect_timeout = 30s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_destination_concurrency_limit = 10
smtp_helo_timeout = 300s
smtp_mail_timeout = 300s
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 500s
smtp_quit_timeout = 300s
smtp_rcpt_timeout = 300s
smtp_sasl_mechanism_filter = login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,check_client_access hash:/etc/postfix/good_clients, hash:/etc/postfix/access, hash:/etc/postfix/bad_ips, reject_unknown_helo_hostname, reject_non_fqdn_hostname, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname,reject_unknown_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_restriction_classes = restrictive, permissive
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_soft_error_limit = 4
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_domains = nim-phila.org
virtual_alias_maps = hash:/etc/postfix/virtual
Re: fatal: no SASL authentication mechanisms
On Thu, Feb 11, 2010 at 03:13:52PM -0800, Jeff Lacki wrote:

> I get 'fatal: no SASL authentication mechanisms' in maillog

> smtpd_tls_auth_only = yes

Do you know what this parameter setting does?

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Re: fatal: no SASL authentication mechanisms
>> I get 'fatal: no SASL authentication mechanisms' in maillog

>> smtpd_tls_auth_only = yes

> Do you know what this parameter setting does?

Not exactly, I've been reading all kinds of docs and since I'm new to some of it, I'm a little confused between SASL and TLS. I've used postfix for a while but never dove into the encrypted aspects of things for security. Now I'm trying to get secure.

I was reading http://www.postfix.org/SASL_README.html

to get SASL+TLS (hopefully) setup to allow specific users to relay through my server securely, but maybe I'm completely going down the wrong path?

I appreciate the help.
Re: fatal: no SASL authentication mechanisms
Jeff Lacki:
> >> I get 'fatal: no SASL authentication mechanisms' in maillog
>
> >> smtpd_tls_auth_only = yes
>
> > Do you know what this parameter setting does?
>
> Not exactly, I've been reading all kinds of docs and since
> I'm new to some of it, I'm a little confused between
> SASL and TLS. I've used postfix for a while but never
> dove into the encrypted aspects of things for security.
> Now I'm trying to get secure.
>
> I was reading http://www.postfix.org/SASL_README.html
>
> to get SASL+TLS (hopefully) setup to allow specific
> users to relay through my server securely, but maybe
> I'm completely going down the wrong path?
>
> I appreciate the help.

Instead of random websites, you may want to take a look at the much updated and expanded SASL_README file.

http://www.postfix.org/SASL_README.html

Wietse
Postfix + Google APPS SMTP relaying issues
I setup a nagios system and i'm trying to use postfix to relay the notifications through our google apps setup to our group.

I have turned debugging 3 on but i'm still not quite sure what to make of the results:

>> Feb 11 18:23:18 nagios postfix/smtp[22559]: flush_add: site powerdnn.com id 261085EEB34
>> Feb 11 18:23:18 nagios postfix/smtp[22559]: match_list_match: powerdnn.com: no match
>> Feb 11 18:23:18 nagios postfix/smtp[22559]: flush_add: site powerdnn.com id 261085EEB34 status 4
>> Feb 11 18:23:18 nagios postfix/smtp[22559]: > smtp.gmail.com[74.125.47.109]: QUIT
>> Feb 11 18:23:18 nagios postfix/smtp[22559]: name_mask: resource
>> Feb 11 18:23:18 nagios postfix/smtp[22559]: name_mask: software
>> Feb 11 18:23:18 nagios postfix/smtp[22559]: vstream_fflush_some: fd 14 flush 6
>> Feb 11 18:23:18 nagios postfix/smtp[22559]: vstream_fflush_some: fd 14 flush 0
>> Feb 11 18:23:18 nagios postfix/smtp[22559]: disposing SASL state information
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: vstream_buf_get_ready: fd 14 got 30
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: < smtp.gmail.com[74.125.47.109]: 220 2.0.0 Ready to start TLS
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: event_request_timer: reset 0x2b7516f42d80 0x2b75300f66a0 100
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: send attr request = lookup
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: send attr cache_type = smtp
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: send attr cache_id = smtp:74.125.47.109:587:mx.google.com
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: vstream_fflush_some: fd 9 flush 78
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: private/tlsmgr: wanted attribute: status
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: vstream_buf_get_ready: fd 9 got 28
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute name: status
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute value: 4294967294
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: private/tlsmgr: wanted attribute: session
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute name: session
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute value: (end)
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: private/tlsmgr: wanted attribute: (list terminator)
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute name: (end)
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: event_request_timer: reset 0x2b7516f42d80 0x2b75300f66a0 100
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: send attr request = seed
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: send attr size = 32
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: vstream_fflush_some: fd 9 flush 22
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: private/tlsmgr: wanted attribute: status
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: vstream_buf_get_ready: fd 9 got 60
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute name: status
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute value: 0
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: private/tlsmgr: wanted attribute: seed
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute name: seed
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute value: otVwJ/tS/cmnV4KewvLuwBbNRdm3oeqKcxK6rybd2nc=
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: private/tlsmgr: wanted attribute: (list terminator)
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: input attribute name: (end)
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: certificate verification failed for smtp.gmail.com: num=21:unable to verify the first certificate
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: > smtp.gmail.com[74.125.47.109]: EHLO monitor.powerdnn.com
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: vstream_fflush_some: fd 14 flush 27
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: vstream_buf_get_ready: fd 14 got 148
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: < smtp.gmail.com[74.125.47.109]: 250-mx.google.com at your service, [70.184.222.17]
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: < smtp.gmail.com[74.125.47.109]: 250-SIZE 35651584
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: < smtp.gmail.com[74.125.47.109]: 250-8BITMIME
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: < smtp.gmail.com[74.125.47.109]: 250-AUTH LOGIN PLAIN
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: < smtp.gmail.com[74.125.47.109]: 250-ENHANCEDSTATUSCODES
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: < smtp.gmail.com[74.125.47.109]: 250 PIPELINING
>> Feb 11 18:23:18 nagios postfix/smtp[22560]: server features: 0x102f size 35651584
>> Feb 11 18:23:18 nagios post
Re: Postfix + Google APPS SMTP relaying issues
Jay Bendon:
> I setup a nagios system and i'm trying to use postfix to relay the
> notifications through our google apps setup to our group.
> I have turned debugging 3 on but i'm still not quite sure what to make
> of the results:

Don't do that. Run Postfix in NORMAL MODE and look for the warning messages.

Wietse
Re: Postfix + Google APPS SMTP relaying issues
I think i mis-spoke

i set:

debug_peer_level = 3
and
debug_peer_list = smtp.gmail.com

prior to setting that all i was getting was this error in the log:

Feb 11 18:23:18 nagios postfix/smtp[22559]: 261085EEB34: to=, relay=smtp.gmail.com[74.125.47.109]:587, delay=1040, delays=1039/0.03/0.57/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.47.109]: no mechanism available)

--
Always glad to help,
--Jay Bendon - Bendon Consults

On Thu, Feb 11, 2010 at 7:04 PM, Wietse Venema wrote:
> Jay Bendon:
>> I setup a nagios system and i'm trying to use postfix to relay the
>> notifications through our google apps setup to our group.
>> I have turned debugging 3 on but i'm still not quite sure what to make
>> of the results:
>
> Don't do that. Run Postfix in NORMAL MODE and look for the warning
> messages.
>
> Wietse
>
Re: Postfix + Google APPS SMTP relaying issues
Jay Bendon:
> I think i mis-spoke
>
> i set:
>
> debug_peer_level = 3
> and
> debug_peer_list = smtp.gmail.com
>
> prior to setting that all i was getting was this error in the log:
>
> Feb 11 18:23:18 nagios postfix/smtp[22559]: 261085EEB34:
> to=, relay=smtp.gmail.com[74.125.47.109]:587,
> delay=1040, delays=1039/0.03/0.57/0, dsn=4.7.0, status=deferred (SASL
> authentication failed; cannot authenticate to server
> smtp.gmail.com[74.125.47.109]: no mechanism available)

Postfix also logged this message:

Feb 11 18:23:18 nagios postfix/smtp[22560]: warning: SASL authentication failure: No worthy mechs found

You would have found this if you had taken my advice to turn off the verbose logging.

Now you can proceed to http://www.postfix.org/SASL_README.html and find the description of the remedy for this.

Wietse
Re: Postfix + Google APPS SMTP relaying issues
On Thu, 11 Feb 2010, Jay Bendon wrote:

> Feb 11 18:23:18 nagios postfix/smtp[22559]: 261085EEB34:
> to=, relay=smtp.gmail.com[74.125.47.109]:587,
> delay=1040, delays=1039/0.03/0.57/0, dsn=4.7.0, status=deferred (SASL
> authentication failed; cannot authenticate to server
> smtp.gmail.com[74.125.47.109]: no mechanism available)

Upon joining this mailing list, you were informed about DEBUG_README, a document which contains guidelines for troubleshooting common problems and asking for help on this mailing list. As requested in that document, please provide:

Output from "postconf -n". Please do not send your main.cf file, or 500+ lines of postconf output.

If the problem is SASL related, consider including the output from the saslfinger tool. This can be found at http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.

--
Sahil Tandon
Re: fatal: no SASL authentication mechanisms
On Thu, Feb 11, 2010 at 03:55:52PM -0800, Jeff Lacki wrote:

> >> smtpd_tls_auth_only = yes
>
> > Do you know what this parameter setting does?
>
> Not exactly, I've been reading all kinds of docs and since
> I'm new to some of it, I'm a little confused between
> SASL and TLS. I've used postfix for a while but never
> dove into the encrypted aspects of things for security.
> Now I'm trying to get secure.

The parameter is documented at

http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

If you take a moment to reflect on the "yes" setting, you will understand why tools that probe the list of available SASL algorithms may find none.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Re: Postfix + Google APPS SMTP relaying issues
Thanks Sahil,

I actually had that attached but was getting bounced for too long of an email to the mailing list.

I ran "saslfinger -c" and did not receive any errors. The man pages indicated that it should also tell what type of connections the smtp server should accept however this did not seem to happen, though i could be mis-interpreting the output.

Here is my postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 3
debug_peer_list = smtp.gmail.com
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost
mydomain = powerdnn.com
myhostname = monitor.powerdnn.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
relayhost = [smtp.gmail.com]:587
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_cert_file = /etc/pki/tls/gmail_relay/gmail.pem
smtp_tls_enforce_peername = no
smtp_tls_key_file = /etc/pki/tls/gmail_relay/gmail.key
smtp_tls_note_starttls_offer = yes
smtp_tls_scert_verifydepth = 5
smtp_use_tls = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

--
Always glad to help,
--Jay Bendon - Bendon Consults

On Thu, Feb 11, 2010 at 7:23 PM, Sahil Tandon wrote:
> On Thu, 11 Feb 2010, Jay Bendon wrote:
>
>> Feb 11 18:23:18 nagios postfix/smtp[22559]: 261085EEB34:
>> to=, relay=smtp.gmail.com[74.125.47.109]:587,
>> delay=1040, delays=1039/0.03/0.57/0, dsn=4.7.0, status=deferred (SASL
>> authentication failed; cannot authenticate to server
>> smtp.gmail.com[74.125.47.109]: no mechanism available)
>
> Upon joining this mailing list, you were informed about DEBUG_README, a
> document which contains guidelines for troubleshooting common problems
> and asking for help on this mailing list. As requested in that
> document, please provide:
>
> Output from "postconf -n". Please do not send your main.cf file, or 500+
> lines of postconf output.
>
> If the problem is SASL related, consider including the output from the
> saslfinger tool. This can be found at
> http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.
>
> --
> Sahil Tandon
>
Re: Postfix + Google APPS SMTP relaying issues
Postfix also logged this message, amidst your verbose logging.

Feb 11 18:23:18 nagios postfix/smtp[22560]: warning: SASL authentication failure: No worthy mechs found

For a remedy, see http://www.postfix.org/SASL_README.html

Wietse
Re: Postfix + Google APPS SMTP relaying issues
Thanks Wietse,

I used what was recommended by the readme and that resulted in the same error. I also tried a few other settings in there and no better results.

--
Always glad to help,
--Jay Bendon - Bendon Consults -Senior Engineer
+1-402-321-7388

On Thu, Feb 11, 2010 at 7:57 PM, Wietse Venema wrote:
> Postfix also logged this message, amidst your verbose logging.
>
> Feb 11 18:23:18 nagios postfix/smtp[22560]: warning: SASL authentication
> failure: No worthy mechs found
>
> For a remedy, see http://www.postfix.org/SASL_README.html
>
> Wietse
>
Re: fatal: no SASL authentication mechanisms
> >> smtpd_tls_auth_only = yes
>
> > Do you know what this parameter setting does?
>

After hours of digging into this, that particular message seems to have come up because I didn't want plaintext coming across in the smtp connection so I set:

smtpd_sasl_security_options = noanonymous, noplaintext

By having noplaintext I got the msg because my dovecot and SASL configs weren't setup to handle anything but plain and login, so...

in /etc/dovecot.conf

auth default {
  mechanisms = plain login digest-md5
}

in smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain login digest-md5

Adding digest-md5 solved that error message.

The SASL doc didn't explain about setting up smtpd_sasl_security_options with noplaintext (afaik) in what I was reading per the mechanisms so I got lost.

I'm just posting this for the next guy who might have a problem.

Thanks for your pointers.
Re: fatal: no SASL authentication mechanisms
On Thu, Feb 11, 2010 at 06:22:55PM -0800, Jeff Lacki wrote:
> > >> smtpd_tls_auth_only = yes
> >
> > > Do you know what this parameter setting does?
>
> After hours of digging into this, that particular message
> seems to have come up because I didn't want plaintext
> coming across in the smtp connection so I set:
>
> smtpd_sasl_security_options = noanonymous, noplaintext
>
> By having noplaintext I got the msg because my
> dovecot and SASL configs weren't setup to handle
> anything but plain and login, so...
>
> in /etc/dovecot.conf
> auth default {
> mechanisms = plain login digest-md5
> }
>
> in smtpd.conf:

Irrelevant; that is a Cyrus SASL file. You seem to have confused Dovecot and Cyrus. Look only at the Dovecot section in the Postfix SASL_README, and you will see no mention at all of saslauthd nor Cyrus configuration files.

> The SASL doc didn't explain about setting up
> smtpd_sasl_security_options with noplaintext (afaik) in
> what I was reading per the mechanisms so I got lost.

SASL_README presents a basic setup of Dovecot SASL. Advanced Dovecot features are documented at http://wiki.dovecot.org/ .

> I'm just posting this for the next guy who might have
> a problem.

Let's hope he doesn't waste time on Cyrus, if he's wanting to use Dovecot. :)

--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
554 5.7.1 relay access denied
I'm going out of my mind trying to get relaying working for my users who want to use my domain as their smtp outgoing server. I've setup SASL and TLS successfully (I believe).

I have the following:

relay_transport = hash:/etc/postfix/transport

and in transport I have:

.mydomain.com :

I see my test run connecting but then getting denied for relaying:

Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=<[192.168.2.11]>
Feb 12 06:02:23 202010-1 postfix/smtpd[23305]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]

I appreciate your help.
Combination of two permissions with AND operator
I need to allow sending mails through my Postfix SMTP server only for users from mynetwork with valid SMTP authentication. But I can't understand how to combine two permissions in smtp_recipient_restriction options: permit_mynetworks and permit_sasl_authenticated.

If I write

smtp_recipient_restriction = permit_mynetworks permit_sasl_authenticated

then both clients from my network and clients with valid password can send mails, because in fact these permissions are concatenated with the OR operator. How can I concatenate them with the AND operator?

I need AND not only for this situation, but also for group permit_sasl_authenticated and permit_tls_clientcerts in another server etc.
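The OR behaviour described in the question above, and the "Relay access denied" verdict in the earlier relaying post, both follow from how restriction lists are evaluated. The sketch below is an added example, not part of the thread and not Postfix code: a simplified model in which the addresses (documentation ranges), the domain, the session labels and the two-list AND_LISTS layout are all assumptions chosen for illustration.

```python
# Added illustration: simplified model of restriction-list evaluation,
# not Postfix source code. All addresses and names below are constructed.
import ipaddress

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


def permit_mynetworks(session, site):
    addr = ipaddress.ip_address(session["client_ip"])
    nets = (ipaddress.ip_network(n) for n in site["mynetworks"])
    return PERMIT if any(addr in net for net in nets) else DUNNO


def permit_sasl_authenticated(session, site):
    return PERMIT if session.get("sasl_username") else DUNNO


def reject_unauth_destination(session, site):
    domain = session["rcpt"].rsplit("@", 1)[-1].lower()
    return DUNNO if domain in site["local_domains"] else REJECT


def reject(session, site):
    return REJECT


RESTRICTIONS = {f.__name__: f for f in (
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject)}


def run_list(names, session, site):
    """Within one list the first PERMIT or REJECT wins, so permit_* entries
    placed side by side behave as OR."""
    for name in names:
        verdict = RESTRICTIONS[name](session, site)
        if verdict != DUNNO:
            return verdict, name
    return DUNNO, None


def evaluate(lists, session, site):
    """A PERMIT only ends its own list; a REJECT in any list refuses the
    recipient, so separate lists combine as AND."""
    for list_name, names in lists.items():
        verdict, rule = run_list(names, session, site)
        if verdict == REJECT:
            return REJECT, f"{list_name}: {rule}"
    return PERMIT, None


SITE = {"mynetworks": ["192.0.2.0/24"], "local_domains": {"example.org"}}

# One list, as in the postconf -n output earlier on this page: OR.
OR_LISTS = {"smtpd_recipient_restrictions": [
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination"]}

# Assumed layout for AND: one condition per list, each list ending in reject.
AND_LISTS = {
    "smtpd_client_restrictions": ["permit_mynetworks", "reject"],
    "smtpd_recipient_restrictions": ["permit_sasl_authenticated", "reject"],
}

RCPT = "someone@example.net"  # a remote recipient, i.e. a relay attempt
SESSIONS = {
    "inside, no login": {"client_ip": "192.0.2.10", "sasl_username": None, "rcpt": RCPT},
    "outside, logged in": {"client_ip": "198.51.100.7", "sasl_username": "alice", "rcpt": RCPT},
    "inside, logged in": {"client_ip": "192.0.2.10", "sasl_username": "alice", "rcpt": RCPT},
    "outside, no login": {"client_ip": "198.51.100.7", "sasl_username": None, "rcpt": RCPT},
}


def verdict_table(lists):
    return {label: evaluate(lists, s, SITE) for label, s in SESSIONS.items()}


if __name__ == "__main__":
    for title, lists in (("OR", OR_LISTS), ("AND", AND_LISTS)):
        for label, result in verdict_table(lists).items():
            print(f"{title:3} {label:20} -> {result}")
```

In the OR layout the only refused session is the one that is neither in mynetworks nor logged in, which is the shape of the 554 5.7.1 rejection logged in the earlier post.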
Problem with transport
Hi!

I got a little problem with my postfix setup. I currently have Postfix, MySQL, amavisd-maia (Maia Mailguard), spamassassin, f-secure and dovecot installed. I have all my users/domains information in the database that are going to be delivered to my pop3/imap. But I also want to be some sort of "spamcheck relay" for other servers so their mail gets delivered to my server, get checked for spam and then I send them to their mailserver.

I don't know if I should post all my configs here in the mail, cause the mail will get very long, so I will just link to my post on Linuxquestions.org where I have also posted this problem:

http://www.linuxquestions.org/questions/linux-server-73/postfix-transport-788433/

anyway, I have these two settings:

virtual_transport = virtual
transport_maps = hash:/etc/postfix/transport

in the transport file I have:

example.com smtp:[smtp.example.com]

but when I get a mail from t...@example.org it checks the database if the user exists, which it doesn't because I am just gonna spam check it and send it to the real mailserver.

error message:

Feb 11 11:49:38 example.com postfix/smtpd[24775]: NOQUEUE: reject: RCPT from blu0-omc2-s8.blu0.hotmail.com[65.55.111.83]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from= to= proto=ESMTP helo=

I read this in the postfix doc:

virtual_transport (default: virtual)
The default mail delivery transport and next-hop destination for final delivery to domains listed with $virtual_mailbox_domains. *This information can be overruled with the transport(5) table.* Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. The :nexthop destination is optional; its syntax is documented in the manual page of the corresponding delivery agent.

but don't understand what I have to do to make it work? Can anyone help me with this?

Thanks!
Re: fatal: no SASL authentication mechanisms
* Jeff Lacki :
>
> I'm trying to setup SASL+TLS+dovecot. Overall I've
> gotten things somewhat working, but have a couple questions
> since I'm new to this aspect of postfix.
>
> I get 'fatal: no SASL authentication mechanisms' in maillog
> I ran saslfinger and it showed no mechanisms,
>
> my /usr/lib/sasl2/smtpd.conf contains:
>
> pwcheck_method: saslauthd
> mech_list: plain login

Forget saslfinger for Dovecot. It was made for debugging Cyrus SASL only. Also forget /usr/lib/sasl2/smtpd.conf. It configures Cyrus SASL, but you want Dovecot SASL.

You have smtpd_sasl_type = dovecot, which is correct. You also have smtpd_tls_auth_only = yes, which only lets you AUTH once a TLS connection has been established. Turn it off, while you test.

Have you verified SMTP AUTH works without TLS? If you get "fatal: no SASL authentication mechanisms" then Dovecot likely doesn't export any mechanisms to Postfix. To have it do so you will have to tweak Dovecot's configuration.

p...@rick

> saslauthd is installed and running
>
> I don't think it matters, but I have what many others
> said they were missing: cyrus-sasl-plain installed.
>
> Am I supposed to add other 'mechanisms' and if so,
> how do I do so? Which packages do I add etc?
>
> Thanks!
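How smtpd_tls_auth_only and the noplaintext option discussed in this thread combine to decide which AUTH mechanisms a client is offered, as an added example that is not part of the original posts and is a simplified model rather than Postfix code. The mechanism property table, the reason strings and the TLS_PLAINTEXT_CFG variant are assumptions of the example; the other settings are copied from the postconf -n output posted above.

```python
# Added illustration: simplified model of the filtering, not Postfix source code.

# Properties of well-known SASL mechanisms that the security options act on.
MECH_PROPS = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": set(),
    "DIGEST-MD5": set(),
}

# Security option -> mechanism property it excludes.
OPTION_EXCLUDES = {"noplaintext": "plaintext", "noanonymous": "anonymous"}


def parse_list(value):
    """Split a main.cf list value on commas and whitespace."""
    return value.replace(",", " ").split()


def effective_options(cfg, tls_active):
    """Pick the option list that applies to this session and expand the
    $smtpd_sasl_security_options reference used in the thread's config."""
    base = cfg.get("smtpd_sasl_security_options", "noanonymous")
    if not tls_active:
        return parse_list(base)
    tls = cfg.get("smtpd_sasl_tls_security_options",
                  "$smtpd_sasl_security_options")
    return parse_list(tls.replace("$smtpd_sasl_security_options", base))


def auth_offer(backend_mechs, cfg, tls_active):
    """Return (mechanisms, reason) for one SMTP session.

    backend_mechs: mechanisms the SASL backend (Dovecot here) exports.
    """
    if cfg.get("smtpd_sasl_auth_enable", "no") != "yes":
        return [], "AUTH disabled"
    if cfg.get("smtpd_tls_auth_only", "no") == "yes" and not tls_active:
        return [], "AUTH withheld until STARTTLS"
    if not backend_mechs:
        return [], "backend exports no mechanisms"
    excluded = {OPTION_EXCLUDES[o]
                for o in effective_options(cfg, tls_active)
                if o in OPTION_EXCLUDES}
    # Mechanisms missing from MECH_PROPS are treated as having no properties
    # (an assumption of this model).
    kept = [m.upper() for m in backend_mechs
            if not (MECH_PROPS.get(m.upper(), set()) & excluded)]
    if not kept:
        return [], "all mechanisms filtered out"
    return kept, "ok"


# Settings copied from the postconf -n output in the thread.
THREAD_CFG = {
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_tls_auth_only": "yes",
    "smtpd_sasl_security_options": "noanonymous, noplaintext",
    "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
}

# Assumed variant: plaintext mechanisms stay forbidden on cleartext sessions
# but are allowed once TLS protects the session.
TLS_PLAINTEXT_CFG = dict(THREAD_CFG,
                         smtpd_sasl_tls_security_options="noanonymous")


if __name__ == "__main__":
    cases = [
        ("thread config, plain login", ["plain", "login"], THREAD_CFG),
        ("thread config, digest-md5 added",
         ["plain", "login", "digest-md5"], THREAD_CFG),
        ("plaintext allowed inside TLS", ["plain", "login"], TLS_PLAINTEXT_CFG),
    ]
    for label, mechs, cfg in cases:
        for tls_active in (False, True):
            offer, reason = auth_offer(mechs, cfg, tls_active)
            print(f"{label:34} tls={tls_active!s:5} -> {offer} ({reason})")
```

With the thread's settings and only plain and login exported, nothing survives the filter even inside TLS; adding digest-md5 leaves exactly one mechanism, which matches what the poster reported.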
Postfix Addon Software
Hi,

I am from the French ministry of defense and we have an open source project about trusted messaging system. The aim of the global project is to build a more trusted email system with components such as Thunderbird and Postfix. The whole project is called TRUSTEDBIRD, with the agreement of the Mozilla Foundation: www.trustedbird.org

We developed some scripts to set up an email gateway managing several priorities (with Postfix and Qpsmtpd) and QoS over the network. Should it be possible to have information listed on the Postfix Addon Software page with the subtitle Management of priority?

You can find information about the addon here: http://www.trustedbird.org/tb/Priority_email_gateway

Best regards

--
LCL Frédéric SUEL
Ministère de la défense (French ministry of defense)
DGSIC
frederic.s...@dgsic.defense.gouv.fr
fs...@etca.fr (full internet access)
(33)01.42.31.99.95