dict_fnmatch again
A few years ago I implemented a new dict for Postfix, dict_fnmatch. It is a shell-style pattern matcher with patterns placed _inline_, right in the config file, without any additional files like pcre/regex (the simplest dictionaries which do not use indexed files) and others.

The usage is quite simple but perhaps somewhat ugly:

  check_client_access fnmatch:*.example.com|*.example.org:554\sGo\saway

This line sums it all up. The format is:

  fnmatch:[!]pattern[|pattern...]:result

with no spaces allowed (because the postfix config parser treats spaces as delimiters) but where escapes like \s, \n etc. are recognized.

The good side of this ugliness is that it is immediately visible what's going on, right when reading main.cf -- for short lists anyway. It is also a quick way to add something to the configuration in case of emergency and the like. It is like an extension of the "static" map, but quite flexible while at it.

Why I'm writing this email is because I installed the distribution-provided Postfix package a few days ago on one of the systems I maintain (before, I always used my own packages), and realized that I had got quite used to using this dictionary type, which is provided neither by the distribution nor by the original Postfix codebase. So I thought I'd ask for people's opinion on this stuff.

Sure, it is possible to extend it to take a /file/name argument as usual, but the most important thing here is the ability to inline some map contents right into the config file. But there, no "syntax sugar" for you, because of the (quite simple) rules of the parser.

Current code is available at http://www.corpit.ru/mjt/dict_fnmatch.tar.gz -- it contains the two C files with the implementation in src/util/, and a shell script that will patch the dict support into the Postfix source (adding stuff to the appropriate Makefile and to dict_open.c).

Thanks!

/mjt
Relay Options
Hi there,

I am busy configuring an SMTP server for our network. I have postfix, Mailscanner and mailwatch installed, and they are all working. If I set on my PC that my outgoing mail server is that server, let's say 192.168.100.180, then I can send with no problem; it scans the mail and everything.

The problem comes in when I use a different mail server (for testing I use 1.1.1.1) in my Thunderbird, and then on our office firewall I force SMTP to that server: I get "mail server sent incorrect greeting".

However, if I do the same thing but redirect it to our current postfix server, the mail sends with no problem.

Is there something that I am missing?

-- 
Regards,
Wesley Bruwer
Network & Systems Administrator
Tel: +27 (0) 861COMTEL (0861266835)
Fax: +27 (0) 866565728
Physical Address: Suite M1, Island Club, Century City, Cape Town, South Africa
Postal Address: PO Box 38702, Pinelands, 7450, South Africa
www.comtel.co.za
Reject_unlisted_recipient issue
If I use smtpd_reject_unlisted_recipient=yes or smtpd_recipient_restrictions=reject_unlisted_recipient, all messages to non-existent addresses are rejected. But if anybody sends a message to multiple addresses in the same domain and one of them doesn't exist, then postfix doesn't deliver such messages anywhere.

How to tell postfix to reject mail to non-existent mailboxes only and deliver it to the valid recipients?

Thanks a lot,
Oleksii
Re: Relay Options
On Thu, 18 Mar 2010 10:51:03 +0200 Wesley Bruwer replied:

> Hi there,
>
> I am busy configuring a smtp server for our network. I have postfix,
> Mailscanner and mailwatch installed, they are all working. If I set on
> my PC, that my outgoing mail server is that server, lets say
> 192.168.100.180. then I can send no problem, scans the mail and
> everything.
>
> the problem comes in when I use a different mail server(for testing I
> use 1.1.1.1) in my thunderbird, and then on our office firewall I
> forced smtp to that server, I get mail server sent incorrect greeting.
>
> However If I do the same thing, but redirect it to our current postfix
> server, the mail sends no problem.
>
> Is there something that I am missing?

Yes:

1) The output of postconf -n
2) Pertinent mail-log entries
3) The fact that 'mailscanner' is not supported

-- 
Jerry
postfix.u...@yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Those who are mentally and emotionally healthy are those who have learned when to say yes, when to say no and when to say whoopee.
W. S. Krabill
Re: Reject_unlisted_recipient issue
Oleksii Krykun:
> If I use smtpd_reject_unlisted_recipient=yes or
> smtpd_recipient_restrictions=reject_unlisted_recipient options all
> messages to non-existant addresses are rejected.
> But if anybody sends message to multiple addresses in same domain and
> one of them doesn't exist then postfix doesn't deliver such messages
> anywhere.

Please show concrete evidence that Postfix does not work as promised.

> How to tell postfix to reject mail to non-existant mailboxes only and
> deliver it to valid recipient?

Please follow instructions in the mailing list welcome message.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.
PCI Compliance
Hi Folks,

Any ideas on how to set up an "SMTP Proxy Server" to attain PCI Compliance? I literally need postfix to just pass through mail to our ISP's SMTP server. We would then set Outlook to use this local SMTP proxy server.

I'm not entirely sure if a "relay" server is good here, as how would that handle bounced mail??

Thanks,
Jonathan
Re: reroute mail based on headers
On Wed, Mar 17, 2010 at 05:09:00PM -0500, Kenneth Marshall wrote:
> On Wed, Mar 17, 2010 at 04:53:37PM -0400, Ryan Suarez wrote:
> > Does an entry in header_checks need to be defined for each
> > recipient? If so, it wouldn't be feasible due to the number of
> > addresses we have. Is there another way to accomplish this?
>
> Can you use a pcre/regex map instead?

Noel was talking about header_checks(5), which by definition must be a pcre_table(5) or a regexp_table(5). But as covered by other posts in the thread, it's a bad idea to do header-based routing.

-- 
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
ot: Postconf's spamrep_byuser for logs older than yesterday
I use Postconf's spamrep_byuser to generate daily, well, spam reports by user; that works very well (thank you, folks at Postconf). However, I just got asked for a spam rep: "how far back can you go?" So, basically, I'd like to process all maillogs, around one month's worth, for a particular user.

Is there an 'easy' way to modify spamrep to do just that? Or is there another way to create such a one-off report?

-- 
Voytek
Re: Milter SMFIC_HEADER failure (huh, due to success? :-)
Sean Reifschneider:
> I'm reporting this primarily because the other searching I've done has
> turned up this same error message, but with nothing that clearly points out
> what the root of the issue really is. I'm hoping someone can shed some
> light on it.
>
> We've been having little if any luck tracking down an issue where for a
> small sub-set of users their messages are causing the following to be
> logged:
>
>     can't read SMFIC_HEADER reply packet header: Success
>
> The closest I've found in searching is this message:
>
>     http://readlist.com/lists/postfix.org/postfix-users/13/67034.html

What about the remedies suggested in the Postfix MILTER_README?

    If the Postfix milter_protocol setting specifies a too high version,
    the libmilter library simply hangs up without logging a warning, and
    you see a Postfix warning message like one of the following:

    warning: milter inet:host:port: can't read packet header: Unknown error : 0
    warning: milter inet:host:port: can't read packet header: Success
    warning: milter inet:host:port: can't read SMFIC_DATA reply packet header: No such file or directory

That's Sendmail libmilter hanging up.

Wietse
Re: PCI Compliance
On 18 March 2010 21:57, Jonathan Tripathy wrote:
> Any ideas on how to set up an "SMTP Proxy Server" to attain PCI Compliance?
> I literally need postfix to just pass through mail to our ISP's smtp server.
> We would then set outlook to use this local smtp proxy server.

I work for a hosting company; we find it's usually an iterative process. This particular question hasn't come up yet (for an SMTP server), but it'd go something like this:

1. Customer needs certification for a contract, so they hire a company to perform a PCI audit scan
2. The scan finds "problems", so they come to us with the report, which says how to fix the problems
3. We read the report, and find things like "server exposes its hostname in the greeting banner", or "server appears to allow the use of the VRFY command".
4. We sigh, then go through the motions to "fix" the "problems". Sometimes the problem descriptions are hopelessly vague, like "this system /may/ be vulnerable to a known buffer overflow", and the system is fully patched and up to date. Can't do much about these, so we tell our customer to take it up with the auditor.
5. Rinse and repeat until all perceived problems are fixed, and/or the customer stops hassling. :)

So, my apologies that this doesn't really answer your question. If you need compliance certification then you'll need an audit anyway, at which point you find out what the requirements are. It's not trivial to simply look up the requirements, because... PCI-DSS doesn't actually cover specific implementation details. It's sufficiently vague (probably by design) so that it'll stay relevant as time goes on, and so that current best practices are followed.

Have a look at the PCI spec, it's only half a meg in PDF: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Page 4 is a summary of what you really need to know. Page 6 mentions segmentation to reduce the scope of what needs to comply - this is your best bet (if feasible) to sidestep compliance for your mail server.

If you enjoy some light humour, we've elaborated on the aforementioned process a little: http://www.anchor.com.au/blog/2008/12/saas-security-scanning-as-a-service/

> I'm not entirly sure if a "relay" server is good here, as how would that
> handle bounced mail??

Indeed, you want to avoid more relays if you can, both for administration and compliance reasons. Bounced mail isn't so bad, so long as there's a return path to the sender's mailbox. A naive example of how this might work:

Sending: outlook -> workstation -> PCI-compliant relay -> ISP's SMTP server -> recipient

*it bounces because the recipient's mailbox is full*

Recipient -> MX lookup -> Your incoming SMTP server (maybe this is at your ISP) -> The sender's mailbox -> Picked up by outlook
Re: dict_fnmatch again
Michael Tokarev:
> A few years ago I implemented a new dict for Postfix, dict_fnmatch.
> It is a shell-style pattern matcher with patterns placed _inline_,
> right in the config file, without any additional files like
> pcre/regex (the simplest dictionaries which does not use indexed
> files) and others.
>
> The usage is quite simple but perhaps somewhat
> ugly:
>
> check_client_access
> fnmatch:*.example.com|*.example.org:554\sGo\saway

I don't think I have any new ideas with respect to this thread.

Some (Linux) distributions ship Postfix maps as dynamically-linked modules, so you can always add a map type, even when it is not part of the vendor's Postfix source tree. Unfortunately those same distributions insist on frequently modifying themselves via an update mechanism, and that of course discourages the use of local extensions.

The above notation exposes a bunch of special characters (backslashes and "|"), making it more of a pain to upgrade the main.cf parser without making fnmatch harder to use.

I would not bundle CDB, SDBM or other infrastructure code with Postfix. This has nothing to do with who wrote the code. All code will have bugs, and I don't want to issue patches for them.

The gain from fnmatch is a few less cycles for initialization, and a few less characters to type for configuration. It provides no functionality that isn't available with pcre or regexp.

Wietse
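Michael's inline syntax and Wietse's point that the same entry is expressible with pcre/regexp, as an added example. This is not the C code from the dict_fnmatch tarball and not Postfix code; it is a small Python model of `fnmatch:[!]pattern[|pattern...]:result` with the `\s`/`\n` escapes, a case-insensitive lookup, and a translation of the same entry into a pcre_table(5) line. The lookup key is assumed to be just the client hostname; real check_client_access also tries the client address and the parent domains of the name, which this model leaves out.

```python
"""Inline fnmatch access map: parser, lookup and pcre_table translation.

Added example, not code from dict_fnmatch or from Postfix. It models the
posted syntax  fnmatch:[!]pattern[|pattern...]:result  with \\s, \\n, \\t
and \\\\ escapes, and emits the equivalent pcre_table(5) line.
"""
import fnmatch
import re

# Escapes the inline syntax needs because main.cf splits on whitespace.
_ESCAPES = {"s": " ", "n": "\n", "t": "\t", "\\": "\\"}


def unescape(text):
    """Expand \\s, \\n, \\t and \\\\; any other backslash pair is kept as-is."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            out.append(_ESCAPES.get(nxt, "\\" + nxt))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_spec(spec):
    """Split 'fnmatch:[!]pat[|pat...]:result' into (negate, patterns, result).

    The first ':' after the type prefix ends the pattern list (assumption:
    patterns never contain ':'); the result itself may contain ':'.
    """
    prefix = "fnmatch:"
    if not spec.startswith(prefix):
        raise ValueError("not an fnmatch: map spec: %r" % spec)
    pats, sep, result = spec[len(prefix):].partition(":")
    if not sep:
        raise ValueError("missing ':result' in %r" % spec)
    negate = pats.startswith("!")
    if negate:
        pats = pats[1:]
    patterns = [unescape(p) for p in pats.split("|") if p]
    if not patterns:
        raise ValueError("no patterns in %r" % spec)
    return negate, patterns, unescape(result)


def lookup(spec, key):
    """Return the map result for key, or None for 'no such entry'.

    Matching is case-insensitive like Postfix access maps. fnmatch(3)'s '*'
    also matches '.', so '*.example.com' matches any depth of subdomain but
    not the bare 'example.com'.
    """
    negate, patterns, result = parse_spec(spec)
    key = key.lower()
    matched = any(fnmatch.fnmatchcase(key, p.lower()) for p in patterns)
    return result if matched != negate else None


def _glob_to_regex(pat):
    """Translate the shell wildcards '*' and '?' to a regex fragment."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pat)


def to_pcre_table_line(spec):
    """The same entry as a pcre_table(5) line; a leading '!' inverts there too.

    pcre_table matching is case-insensitive by default, so no flag is needed.
    """
    negate, patterns, result = parse_spec(spec)
    body = "|".join(_glob_to_regex(p) for p in patterns)
    return "%s/^(?:%s)$/ %s" % ("!" if negate else "", body, result)


def pcre_lookup(line, key):
    """Evaluate a line produced by to_pcre_table_line() with Python's re."""
    m = re.match(r"^(!?)/(.*)/ (.*)$", line)
    negate, regex, result = m.group(1) == "!", m.group(2), m.group(3)
    matched = re.search(regex, key, re.IGNORECASE) is not None
    return result if matched != negate else None


if __name__ == "__main__":
    spec = r"fnmatch:*.example.com|*.example.org:554\sGo\saway"
    print(to_pcre_table_line(spec))
    for host in ("mail.example.com", "example.com", "a.b.example.org", "host.example.net"):
        print(host, "->", lookup(spec, host), "/", pcre_lookup(to_pcre_table_line(spec), host))
```

The translation is the reason the pcre line needs explicit `^`/`$` anchors: fnmatch patterns always match the whole key, while a pcre_table pattern matches anywhere in it unless anchored.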
Re: PCI Compliance
On Thursday 18 March 2010 13:26:43 Barney Desmond wrote:
> On 18 March 2010 21:57, Jonathan Tripathy wrote:
> 3. We read the report, and find things like "server exposes its
> hostname in the greeting banner", or "server appears to allow the use
> of the VRFY command".

Does this mean that the service-desk of companies are not compliant either?

1) Check in phonebook for number of VISA credit card service desk
2) Call listed number

They then will answer with:
"Hello, thank you for calling VISA credit card service desk, speaking, how may I help you?"

Me: Hi, can you please direct me to

How is this different from:

**
$ telnet mail.isp.com 25
Trying 10.1.4.50...
Connected to mail.isp.com.
Escape character is '^]'.
220 mailer.isp.com ESMTP Postfix
MAIL TO
MAIL TO OK
**

I guessed the last 2 lines, but I think it shows what I mean? :)

-- 
Joost Roeleveld
Re: PCI Compliance
On 18 March 2010 23:59, J. Roeleveld wrote:
> Does this mean that the service-desk of companies are not compliant either?

Hehe, in a way. Social engineering is thankfully(?) outside the scope of PCI-DSS compliance.

> 1) Check in phonebook for number of VISA credit card service desk
> 2) Call listed number
>
> They then will answer with:
> "Hello, thank you for calling VISA credit card service desk,
> speaking, how may I help you?"
>
> Me: Hi, can you please direct me to
>
> How is this different from:
>
> **
> $ telnet mail.isp.com 25
> Trying 10.1.4.50...
> Connected to mail.isp.com.
> Escape character is '^]'.
> 220 mailer.isp.com ESMTP Postfix
> MAIL TO
> MAIL TO OK
> **
> I guessed the last 2 lines, but I think it shows what I mean? :)

Exactly! Disabling VRFY gains nothing because you can test with RCPT TO instead. There will always be some debate about the value of this measure ("why not disable it if we can?" vs. "why *bother* if we don't have to?") - just ignore it and do whatever has to be done, there are better things to waste energy on.
FW: PCI Compliance
> > Any ideas on how to set up an "SMTP Proxy Server" to attain PCI Compliance?
> > I literally need postfix to just pass through mail to our ISP's smtp server.
> > We would then set outlook to use this local smtp proxy server.
>
> I work for a hosting company, we find it's usually an iterative process.
> [...]
> > I'm not entirly sure if a "relay" server is good here, as how would that
> > handle bounced mail??
>
> Indeed, you want to avoid more relays if you can, both for administration
> and compliance reasons. Bounced mail isn't so bad, so long as there's a
> return path to the sender's mailbox.
> [...]

Thanks for the long reply, it's appreciated. But..

The network I am dealing with is very small and simple. I am aware of the PCI scans, and I have done some in the past. Thankfully, regarding this case, I only need an "SMTP Proxy" to be placed in the DMZ, as computers inside the CDE (Cardholder Data Environment) aren't allowed to connect to hosts on the internet. Literally, all I need to do is place an HTTP proxy (Squid), an SMTP proxy, and a POP3 proxy in the DMZ, and that's me. Of course, block all ports into and out of the CDE, except allow the CDE to connect to the SMTP proxy, POP3 proxy and Squid proxy.

Now, of course, there are other things in the PCI DSS, such as policies and processes; however these are out of my scope, as I'm just an external I.T. guy.

BTW, the machines in the CDE will all have anti-virus and automatic updates enabled.

So, back to postfix, can it do such a thing? Act as a "proxy" and not a "store and forward relay"?
Re: FW: PCI Compliance
On Thu, Mar 18, 2010 at 10:53 AM, Jonathan Tripathy wrote:
>
> BTW, the machines in the CDE will all have anti-virus and automatic updates
> enabled.
>
> So, back to postfix, can it do such a thing? Act as a "proxy" and not a
> "store and forward relay"

In theory you can use 'smtpd_proxy_filter'.

http://www.postfix.org/postconf.5.html#smtpd_proxy_filter

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather yourself to the way the software works" (myself)
MDN and multiple recipients
Hi

When someone sends an e-mail to multiple recipients and requests a read receipt, the MDN mechanism works fine, but on the receipt message itself the sender receives that recipie...@domain.tld, recipie...@domain.tld have read the message without knowing who exactly is the reader, recipient1 or recipient2. Is there anything he/she can do to receive the exact reader and not the ambiguous report that both did it (2 mails, as many as there are recipients)?

I think that the MDN headers are inserted by the client and postfix has little or no impact on the whole process.

Dimitrios Karapiperis
Re: delivery temporarily suspended
I have disabled amavisd-new and the new mail is delivered quickly, but for all mails that stay in the queue I have:

mail transport unavailable

??
What can I do to deliver all mails?

Thanks.

-- 
Salvatore.

- Original Message -
From: "Sasa"
To: "Vladimir Dvorak"
Cc:
Sent: Wednesday, March 17, 2010 2:59 PM
Subject: Re: delivery temporarily suspended

...also after increasing the values I always have:

9B83D1AAD17 1333 Wed Mar 17 14:01:37 milan.notificati...@domain.com
(conversation with 127.0.0.1[127.0.0.1] timed out while receiving the initial server greeting)
acco...@domain.biz

...perhaps the parameters (max_servers and maxproc) must be increased further? Now the amavis processes are:

[r...@mail ~]# ps -ax|grep amavis
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
 5340 ?        S      0:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o smtp_send_xforward_command yes -o disable_dns_lookups yes -o max_use 20
 5384 ?        S      0:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o smtp_send_xforward_command yes -o disable_dns_lookups yes -o max_use 20
 5430 ?        S      0:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o smtp_send_xforward_command yes -o disable_dns_lookups yes -o max_use 20
 5443 ?        S      0:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o smtp_send_xforward_command yes -o disable_dns_lookups yes -o max_use 20
 5464 ?        S      0:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o smtp_send_xforward_command yes -o disable_dns_lookups yes -o max_use 20
 6878 pts/3    S+     0:00 grep amavis
 7756 ?        S      0:10 amavisd (ch1-07756-01-10)
 7880 ?        S      0:09 amavisd (ch1-07880-01-9)
 8134 ?        S      0:00 amavisd (virgin child)
 8519 ?        S      0:00 amavisd (virgin child)
10403 ?        Ss     0:00 /var/dcc/libexec/dccifd -Iamavis -tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
10404 ?        Sl     0:05 /var/dcc/libexec/dccifd -Iamavis -tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
19956 ?        S      0:05 amavisd (ch1-19956-01-4)
20173 ?        S      0:00 amavisd (virgin child)
26686 ?        Ss     0:04 amavisd (master)
27907 ?        S      0:13 amavisd (ch2-27907-02)
28147 ?        S      0:05 amavisd (ch1-28147-01-6)
28292 ?        S      0:00 amavisd (virgin child)
28500 ?        S      0:04 amavisd (ch1-28500-01-4)
28615 ?        S      0:15 amavisd (ch2-28615-02-4)
28753 ?        S      0:17 amavisd (ch3-accept)
28830 ?        S      0:18 amavisd (ch3-28830-03)
29249 ?        S      0:06 amavisd (ch3-accept)
29587 ?        S      0:08 amavisd (ch1-29587-01-5)
30247 ?        S      0:00 amavisd (ch1-accept)
30306 ?        S      0:00 amavisd (ch1-30306-01)
30531 ?        S      0:00 amavisd (ch1-accept)
30564 ?        S      0:00 amavisd (virgin child)
31505 ?        S      0:08 amavisd (ch1-31505-01-7)
31771 ?        S      0:00 amavisd (virgin child)

-- 
Salvatore.

- Original Message -
From: "Sasa"
To: "Vladimir Dvorak"
Cc:
Sent: Wednesday, March 17, 2010 2:23 PM
Subject: Re: delivery temporarily suspended

I have modified the value of:

$max_servers=10 --> (from 2 to 10)

and maxproc in master.cf:

smtp-amavis unix - - n - 5 smtp --> (from 2 to 5)

Now must I:

#postsuper -r ALL
#postfix flush

to use the new parameters and to requeue the postfix queue?

Sorry for my banal question, but in which syslog file must I look?

Thanks!

-- 
Salvatore.

- Original Message -
From: "Vladimir Dvorak"
To: "Sasa"
Cc:
Sent: Wednesday, March 17, 2010 1:19 PM
Subject: Re: delivery temporarily suspended

If you restart only amavis, postfix can't immediately recognize that amavis is in the ready state. After an amavis restart you should 'postsuper -r ALL' and then 'postfix flush' to requeue the postfix queue and flush it. It is better to look into syslog (not only maillog).

V.

Sasa wrote:

I can see this error in the log:

Mar 17 11:47:36 mail postfix/smtp[7690]: 77F5726A1E9: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1868, delays=0.36/1568/300/0, dsn=4.4.2, status=deferred (conversation with 127.0.0.1[127.0.0.1] timed out while receiving the initial server greeting)

I use amavisd-new; if I restart only the amavisd service the status does not change, but if I restart the amavisd & postfix services, after this the mail is delivered, but then after 1/2 hours the problem is present again.

Thanks.

-- 
Salvatore.

- Original Message -
From: "Sasa"
To:
Sent: Wednesday, March 17, 2010 11:45 AM
Subject: delivery temporarily suspended

Hi,

I have an smtp/pop3 public mail server; this server has been in a production environment for 3/4 years with no problems, but for two days I have sometimes had smtpd not responding and I have this error:

2B85826A5B
Re: FW: PCI Compliance
On 18/03/2010 13:53, Jonathan Tripathy wrote:
> So, back to postfix, can it do such a thing? Act as a "proxy" and not a
> "store and forward relay"

In SMTP terms, a proxy is effectively the same thing as a store-and-forward relay. But yes, Postfix will do this very well.

For inbound mail, you can set up a transport map so that all incoming mail is forwarded to the "true" mail server inside the CDE. Use recipient address verification to make sure that you don't become a backscatter source, and it will do exactly what you want with minimal hassle.

For outbound mail, simply use the DMZ machine as a smarthost for any machine inside the CDE (including your Exchange server if appropriate).

Mark
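The two halves Mark describes, as main.cf fragments for the DMZ host. This is an added example, not Mark's or anyone's actual configuration; every domain, hostname, network and path in it is an assumption, and the inside server is assumed to answer RCPT TO honestly so that recipient verification can probe it.

```conf
# DMZ relay main.cf, added example; domains, hosts, networks and paths are assumptions.

# --- Inbound: accept mail for the CDE domain and hand it to the inside server ---
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport contains one line (then run "postmap /etc/postfix/transport"):
#   example.com   smtp:[mail.cde.example.com]

# Probe the inside server at RCPT time so unknown recipients are refused here
# instead of being queued and bounced later (no backscatter from this box).
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_unverified_recipient
# Keep the default 450 until the probes are known to work, then consider 550.
unverified_recipient_reject_code = 450
# Keep verification results across restarts instead of re-probing everything.
address_verify_map = btree:/var/lib/postfix/verify_cache

# --- Outbound: CDE hosts use this box as their smarthost; it forwards to the ISP ---
mynetworks = 127.0.0.0/8, 10.10.20.0/24
relayhost = [smtp.isp.example.net]
# reject_unauth_destination above refuses relaying for anything that is not
# in relay_domains from clients outside mynetworks, so only the CDE network relays.
```

The order matters: permit_mynetworks before reject_unauth_destination is what lets the CDE relay out, and reject_unverified_recipient last keeps the probe traffic to the inside server limited to mail this box would otherwise accept.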
Re: FW: PCI Compliance
Jonathan Tripathy:
> So, back to postfix, can it do such a thing? Act as a "proxy" and
> not a "store and forward relay"

http://www.postfix.org/SMTPD_PROXY_README.html

Someone will still have to monitor the logfile, and deal with "postmaster notification" email depending on how the notify_classes parameter is configured.

Wietse
Re: delivery temporarily suspended
Sasa:
> I have disabled amavisd-new and the new mail are deliveriy quickly but for
> all mails that stay in queue I have:
>
> mail transport unavailable
>
> ??
> what I can to delivery all mails ?

http://www.postfix.org/DEBUG_README.html#logging
Re: MDN and multiple recipients
Dimitrios Karapiperis:
> Hi
> When someone sends an e-mail to multiple recipients and requests
> read receipt the MDN mechanism works fine but on the receipt
> message itself, the sender receives that recipie...@domain.tld,
> recipie...@domain.tld have read the message without knowing who
> exactly is the reader; recipent1 or recipient2;

Postfix does not send "mail read" notifications.

Wietse
Re: delivery temporarily suspended
Sorry, but what logging can I enable to investigate my problem? For me it is very strange that the new mail is delivered and the old mails in the queue are not.

Thanks.

-- 
Salvatore.

- Original Message -
From: "Wietse Venema"
To: "Sasa"
Cc: "Vladimir Dvorak" ;
Sent: Thursday, March 18, 2010 3:12 PM
Subject: Re: delivery temporarily suspended

Sasa:
> I have disabled amavisd-new and the new mail are deliveriy quickly but for
> all mails that stay in queue I have:
>
> mail transport unavailable
>
> ??
> what I can to delivery all mails ?

http://www.postfix.org/DEBUG_README.html#logging
Re: delivery temporarily suspended
To disable amavis I have removed this line in master.cf:

127.0.0.1:10025 inet n - n - - smtpd

Perhaps this is why I have the error message (for mail in the spool)? Must this line be enabled?

Thanks.

-- 
Salvatore.

- Original Message -
From: "Sasa"
To: "Wietse Venema"
Cc: "Vladimir Dvorak" ;
Sent: Thursday, March 18, 2010 3:19 PM
Subject: Re: delivery temporarily suspended

sorry but but what logging I can enable for investigate about my problem ? for me is very strange that the new mail are delivered and the old mails in queue no.

Thanks.

-- 
Salvatore.

- Original Message -
From: "Wietse Venema"
To: "Sasa"
Cc: "Vladimir Dvorak" ;
Sent: Thursday, March 18, 2010 3:12 PM
Subject: Re: delivery temporarily suspended

Sasa:
> I have disabled amavisd-new and the new mail are deliveriy quickly but for
> all mails that stay in queue I have:
>
> mail transport unavailable
>
> ??
> what I can to delivery all mails ?

http://www.postfix.org/DEBUG_README.html#logging
Re: delivery temporarily suspended
Sasa:
> sorry but but what logging I can enable for investigate about my problem ?
> for me is very strange that the new mail are delivered and the old mails in
> queue no.

Don't CHANGE the logging. Use the EXISTING logging.

Wietse

> -- 
> Salvatore.
>
> - Original Message -
> From: "Wietse Venema"
> To: "Sasa"
> Cc: "Vladimir Dvorak" ;
> Sent: Thursday, March 18, 2010 3:12 PM
> Subject: Re: delivery temporarily suspended
>
> > Sasa:
> >> I have disabled amavisd-new and the new mail are deliveriy quickly but
> >> for
> >> all mails that stay in queue I have:
> >>
> >> mail transport unavailable
> >>
> >> ??
> >> what I can to delivery all mails ?
> >
> > http://www.postfix.org/DEBUG_README.html#logging
Re: delivery temporarily suspended
To investigate my problem, must I use:

/usr/sbin/sendmail -bv address

or

strace -p process-id

Thanks.

-- 
Salvatore.

- Original Message -
From: "Wietse Venema"
To: "Sasa"
Cc: "Wietse Venema" ; "Vladimir Dvorak" ;
Sent: Thursday, March 18, 2010 3:41 PM
Subject: Re: delivery temporarily suspended

Sasa:
> sorry but but what logging I can enable for investigate about my problem ?
> for me is very strange that the new mail are delivered and the old mails in
> queue no.

Don't CHANGE the logging. Use the EXISTING logging.

Wietse

> -- 
> Salvatore.
>
> - Original Message -
> From: "Wietse Venema"
> To: "Sasa"
> Cc: "Vladimir Dvorak" ;
> Sent: Thursday, March 18, 2010 3:12 PM
> Subject: Re: delivery temporarily suspended
>
> > Sasa:
> >> I have disabled amavisd-new and the new mail are deliveriy quickly but
> >> for
> >> all mails that stay in queue I have:
> >>
> >> mail transport unavailable
> >>
> >> ??
> >> what I can to delivery all mails ?
> >
> > http://www.postfix.org/DEBUG_README.html#logging
Re: delivery temporarily suspended
Please follow instructions in: http://www.postfix.org/DEBUG_README.html#logging Do not change the logging. Use the EXISTING logging. Wietse
What is "queued as"
I am seeing that some email appears in the intended receiver's mailbox and some doesn't. The ones that don't get delivered to the remote mail server have log entries like this:

Mar 18 03:15:02 aoakley postfix/smtp[1714]: 6835847611D: to=, relay=mail1.domain1.com[xxx.xxx.xx.x]:25, delay=0.68, delays=0.06/0.01/0.14/0.47, dsn=2.0.0, status=sent (250 Ok: queued as 1499652CD48)

And those that do get delivered have log entries like this:

Mar 18 03:15:36 aoakley postfix/smtp[1712]: 6835847611D: to=, relay=mx.domain2.net[yyy.yyy.yy.y]:25, delay=35, delays=0.06/0.01/0.16/34, dsn=2.0.0, status=sent (250 OK id=f137m907301NGbHLcq564)

I can send email successfully to both domains from other postfix-served locations without a problem. Running host against the failing domain I get:

domain1.com has address xxx.xxx.xx.x
domain1.com mail is handled by 0 mail.anotherdomain.net.

I don't see any rejections or bounces that would tell me an email failed to get delivered. Is there more logging that I can enable?

I am running on CentOS 5.4 with the latest stable version of Postfix compiled to support MySQL.

Emmett
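The status=sent records above, parsed by an added example (not code from the post or from Postfix). The three sample lines are constructed after the quoted ones, with addresses and IPs filled in and a deferred record added for contrast. The parser pulls out the local queue ID, relay, DSN and status and, when the remote's 250 reply contains "queued as", the remote queue ID that can be searched for in the next hop's log to follow the message from there; the field layout it matches is the standard Postfix smtp(8) delivery record.

```python
"""Parse postfix/smtp delivery records and extract the downstream queue id.

Added example, not code from the thread or from Postfix. SAMPLE is
constructed: addresses, IPs and the deferred line are made up.
"""
import re

# One smtp(8) delivery record per recipient: to=, optional orig_to=, relay=,
# delay=, delays=, dsn=, status= and the remote server's reply in parentheses.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<to>[^>]*)>, (?:orig_to=<(?P<orig_to>[^>]*)>, )?"
    r"relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reply>.*)\)$"
)
# Many MTAs (Postfix included) end DATA with "250 ... queued as <id>"; that id
# is the handle to grep for in the receiving server's log.
QUEUED_AS_RE = re.compile(r"\bqueued as (?P<rqid>[0-9A-Za-z]+)")

# Constructed sample lines modelled on the ones quoted in the post.
SAMPLE = """\
Mar 18 03:15:02 aoakley postfix/smtp[1714]: 6835847611D: to=<alice@domain1.com>, relay=mail1.domain1.com[192.0.2.10]:25, delay=0.68, delays=0.06/0.01/0.14/0.47, dsn=2.0.0, status=sent (250 Ok: queued as 1499652CD48)
Mar 18 03:15:36 aoakley postfix/smtp[1712]: 6835847611D: to=<bob@domain2.net>, relay=mx.domain2.net[198.51.100.7]:25, delay=35, delays=0.06/0.01/0.16/34, dsn=2.0.0, status=sent (250 OK id=f137m907301NGbHLcq564)
Mar 18 03:16:00 aoakley postfix/smtp[1715]: 7F0A1476121: to=<carol@domain3.org>, relay=none, delay=0.02, delays=0.01/0/0/0, dsn=4.4.1, status=deferred (connect to mx.domain3.org[203.0.113.5]:25: Connection refused)
"""


def parse_delivery(line):
    """Return a dict for an smtp(8) delivery record, or None for other lines.

    'accepted' is True when the next hop took responsibility (status=sent with
    a 2.x.x DSN); 'remote_qid' is the next hop's queue id when it announced one.
    """
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    q = QUEUED_AS_RE.search(rec["reply"])
    rec["remote_qid"] = q.group("rqid") if q else None
    rec["accepted"] = rec["status"] == "sent" and rec["dsn"].startswith("2.")
    return rec


def summarize(lines):
    """Group recipients by local queue id: {qid: [(to, relay, status, remote_qid)]}.

    A multi-recipient message shows up as several records with one qid, so
    this is the view that answers 'which recipients of 6835847611D got where'.
    """
    by_qid = {}
    for line in lines:
        rec = parse_delivery(line)
        if rec is not None:
            by_qid.setdefault(rec["qid"], []).append(
                (rec["to"], rec["relay"], rec["status"], rec["remote_qid"]))
    return by_qid


if __name__ == "__main__":
    for qid, rcpts in summarize(SAMPLE.splitlines()).items():
        for to, relay, status, rqid in rcpts:
            print("%s -> %s via %s: %s%s" % (
                qid, to, relay, status,
                " (next hop id %s)" % rqid if rqid else ""))
```

Run against a real /var/log/maillog, the remote_qid column is what to hand to the administrator of the next hop: a status=sent record with dsn=2.0.0 means this server's job is finished, and anything that happened afterwards is logged there, not here.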
Re: MDN and multiple recipients
Wietse Venema wrote:
> Dimitrios Karapiperis:
> > Hi
> > When someone sends an e-mail to multiple recipients and requests
> > read receipt the MDN mechanism works fine but on the receipt
> > message itself, the sender receives that recipie...@domain.tld,
> > recipie...@domain.tld have read the message without knowing who
> > exactly is the reader; recipent1 or recipient2;
>
> Postfix does not send "mail read" notifications.
>
> Wietse

Hi Wietse

You mean that these notifications are not part of the Postfix system? Any ideas about these notifications? Just send an e-mail to r...@domain.tld,r...@domain.tld with read receipts. Then check the receipts.

Thanks in advance

Dimitrios
policy service for multiple recipients
Hi All

My problem is described here: http://www.mail-archive.com/postfix-users@postfix.org/msg16775.html

Basically I have a mysql table with thousands of recipients; on the left-hand side I have the recipient and on the right-hand side I have the action (REJECT) and some additional text:

u...@domain.tld REJECT Additional text

In the case of a multi-recipient message, if I use check_recipient_access and one of the recipients is found in that table, the whole message is rejected and it affects all recipients of the message.

From the docs I understand that if I want to treat every recipient differently, I have two solutions:

1 - use a transport table for that recipient, something like:

u...@domain.tld discard

In this case all recipients in the message pass except the rcpt to: who is discarded. This solution doesn't help me much because I want to notify the sender that one of his recipients was rejected, and second: I need to build a new transport table for those recipients.

2 - the second solution is to use a policy service and the ability to use the "instance" attribute.

Is there a policy service for my problem, or does someone have a better solution?

Thanks
Alex
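Alex's second option, a policy service answering per recipient, as an added example in Python. This is not code from the thread or from Postfix; the blocklist dict is a constructed stand-in for the MySQL table and the listening address 127.0.0.1:10040 is an assumption. It speaks the SMTPD policy protocol Postfix documents (one request per RCPT TO as `name=value` lines ended by an empty line; one `action=...` line plus an empty line back), so a REJECT answers only the RCPT TO being checked while the other recipients of the same message, which share the `instance` attribute, are queried and answered separately. The same per-RCPT behaviour is what reject_unlisted_recipient in the earlier thread relies on: the sending MTA gets a 5xx for one recipient, a 250 for the others, and it is the sender's MTA that bounces the rejected one.

```python
"""Per-recipient REJECT via the Postfix SMTPD policy protocol.

Added example, not code from the thread or from Postfix. The table and
the listening address are assumptions; hook it up with:

    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_policy_service inet:127.0.0.1:10040

Postfix sends 'name=value' lines ended by an empty line for every RCPT TO
and expects 'action=...' followed by an empty line.
"""
import socketserver

# Constructed stand-in for the MySQL table: recipient -> reject text.
BLOCKED = {
    "user@domain.tld": "Additional text",
    "old-employee@domain.tld": "mailbox closed, see https://www.example.com/contact",
}


def parse_request(raw):
    """Parse one policy request: 'name=value' lines, blank line terminates."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, blocked=BLOCKED):
    """Reply for one request.

    DUNNO lets the remaining restrictions decide. 'REJECT text' makes smtpd
    answer this RCPT TO with a 554 and the text; other recipients of the
    same message are separate requests and are not affected.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    # Only decide at RCPT; the service might also be listed at other stages.
    if attrs.get("protocol_state") != "RCPT":
        return "action=DUNNO\n\n"
    recipient = attrs.get("recipient", "").lower()
    text = blocked.get(recipient)
    if text is not None:
        return "action=REJECT %s\n\n" % text
    return "action=DUNNO\n\n"


def handle_request(raw, blocked=BLOCKED):
    """Raw request text in, raw reply text out."""
    return decide(parse_request(raw), blocked)


class PolicyHandler(socketserver.StreamRequestHandler):
    """Answer requests on one connection until smtpd closes it."""

    def handle(self):
        pending = []
        while True:
            line = self.rfile.readline()
            if not line:            # smtpd closed the connection
                return
            line = line.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                pending.append(line)
                continue
            reply = handle_request("\n".join(pending) + "\n\n")
            pending = []
            self.wfile.write(reply.encode("utf-8"))
            self.wfile.flush()


def serve(host="127.0.0.1", port=10040):
    """Run the policy daemon; Postfix connects to inet:127.0.0.1:10040."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

With the REJECT text in the reply, smtpd's 554 response to that RCPT TO carries "Recipient address rejected:" followed by the text, which is the notification to the sender that Alex's first option (a discard transport) cannot produce.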
Move queue
Hi,

I have a mail server with postfix-2.5.6 and now in the queue there are more than 2900 mails that I can't deliver. I would like to copy the queue from the official mail server to the backup mail server; for this purpose I have:

mail server A (official)
mail server B (backup)

On server A I must:

#postfix stop
#cd /var/spool/postfix

and copy all directories (restore incoming, active, deferred) to the backup server, again in "/var/spool/postfix".

Is this procedure correct?

Thanks.

-- 
Salvatore.
Re: FW: PCI Compliance
On Thu, Mar 18, 2010 at 11:00:14AM -0300, Reinaldo de Carvalho wrote:
> On Thu, Mar 18, 2010 at 10:53 AM, Jonathan Tripathy wrote:
> > BTW, the machines in the CDE will all have anti-virus and automatic updates enabled.
> >
> > So, back to postfix, can it do such a thing? Act as a "proxy" and not a "store and forward relay"
>
> In theory you can use 'smtpd_proxy_filter'.
> http://www.postfix.org/postconf.5.html#smtpd_proxy_filter
It works in practice. A few Postfix TLS proxies have been terminating TLS connections, making access control decisions and forwarding unencrypted SMTP to a non-Postfix server for many years now. These systems only run "smtpd" as a proxy, and use various internal services, but otherwise there is no message processing. There is no logging from cleanup(8), qmgr(8), smtp(8), ... connections come in and then they go out. Mail is never queued on the TLS proxy.
-- Viktor. P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Re: MDN and multiple recipients
On Thu, Mar 18, 2010 at 05:41:24PM +0200, Dimitrios Karapiperis wrote:
>> Postfix does not send "mail read" notifications.
>
> You mean that these notifications are not part of the Postfix System?
They can't be. Postfix is a doctor not escalator (oops an MTA not a mail client). Since you are discussing *read* notifications, and messages are read by MUAs long after they are delivered into a mail store by the MTA, the MTA is not involved in read notifications. It is clear that read notices are sent (optionally) by the MUA that displays the message to the user. Postfix may convey such messages to the recipient, but it is not responsible for their content.
-- Viktor. P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
RE: FW: PCI Compliance
It works in practice. A few Postfix TLS proxies have been terminating TLS connections, making access control decisions and forwarding unencrypted SMTP to a non-Postfix server for many years now. These systems only run "smtpd" as a proxy, and use various internal services, but otherwise there is no message processing. There is no logging from cleanup(8), qmgr(8), smtp(8), ... connections come in and then they go out. Mail is never queued on the TLS proxy.
--
How does one configure postfix to act like this?
Re: MDN and multiple recipients
Victor Duchovni wrote:
On Thu, Mar 18, 2010 at 05:41:24PM +0200, Dimitrios Karapiperis wrote:
Postfix does not send "mail read" notifications.
You mean that these notifications are not part of the Postfix System?
They can't be. Postfix is a doctor not escalator (oops an MTA not a mail client). Since you are discussing *read* notifications, and messages are read by MUAs long after they are delivered into a mail store by the MTA, the MTA is not involved in read notifications. It is clear that read notices are sent (optionally) by the MUA that displays the message to the user. Postfix may convey such messages to the recipient, but it is not responsible for their content.
So these messages are "produced" by the MUA, and only the MUA is completely responsible for the format of the messages. Right?
Re: MDN and multiple recipients
On 2010-03-18 Dimitrios Karapiperis wrote:
> Wietse Venema:
>> Dimitrios Karapiperis:
>>> When someone sends an e-mail to multiple recipients and requests
>>> a read receipt the MDN mechanism works fine but on the receipt
>>> message itself, the sender receives that recipie...@domain.tld,
>>> recipie...@domain.tld have read the message without knowing who
>>> exactly the reader is; recipient1 or recipient2;
>>
>> Postfix does not send "mail read" notifications.
>
> You mean that these notifications are not part of the Postfix System?
>
> Any ideas about these notifications?
> Just send an e-mail to r...@domain.tld,r...@domain.tld with read
> receipts.
>
> Then check the receipts.
I'll hazard a guess and say that the sender of the read receipt is most likely the one who read the original mail. That said, the handling of read receipts is entirely up to the (receiving) client. Postfix has nothing to do with this aside from being the messenger.
Regards Ansgar Wiechers
-- "Abstractions save us time working, but they don't save us time learning." --Joel Spolsky
Re: every...@example.com virtual_alias_maps using ldap query
Hi Reinaldo,
The problem with your solution below is that it will go into a loop.
1) Loop: every...@example.com forwards to us...@example.com and every...@example.com, which forwards again to us...@example.com and every...@example.com, and again, and again, and again...
If you are a developer of the Postfix project, is it easy to add support for variables (%u) on the left side? Example:
everyone_query_filter = (&(accountStatus=active)(%u=everyone))
Thanks, Ronie

Original Message
Subject: Re: every...@example.com virtual_alias_maps using ldap query
From: Reinaldo de Carvalho
To: ro...@ronie.com.br
Date: Wed Mar 17 2010 08:19:47 GMT-0300

On Tue, Mar 16, 2010 at 10:38 PM, Ronie Gilberto Henrich wrote:
Hi Reinaldo, Let me explain better how virtual_alias_maps works in this case:
1) Someone sends an email to every...@example.com
2) The result of the query ldap:everyone has to be us...@example.com, us...@example.com, and so on (all mailboxes in domain example.com)
So, the %u value in everyone_query_filter is "everyone". Considering your suggestion: (&(accountStatus=active)(uid=%u)) and dn: uid=user1...: Is "user1"="everyone"? FALSE. So, it won't return any mailboxes.

Sorry, I misunderstood your question. It is not possible to create "everyone" as you request. You need a cron job. Maybe... (not tested)
everyone_query_filter = (&(accountStatus=active)(mail=%s))
everyone_result_attribute = uid
everyone_result_format = %...@example.com
This works if you add the attribute mail=every...@example.com for each ldap entry.
dn: uid=user1...:
uid=user1
mail=us...@example.com
mail=every...@example.com
dn: uid=user2,...:
uid=user2
mail=us...@example.com
mail=every...@example.com

Considering also the second part of your suggestion, about adding the attribute mail=every...@example.com, it has 2 cons:
1) Loop: every...@example.com forwards to us...@example.com and every...@example.com, which forwards again to us...@example.com and every...@example.com, and again, and again, and again...
2) Redundant data, which may lead to inconsistencies: there is no sense in having all mailboxes with a mail=every...@example.com. If one does not have every...@example.com, the result list of recipients of an email sent to every...@example.com won't be all (everyone) mailboxes.
Thanks, Ronie

Original Message
Subject: Re: every...@example.com virtual_alias_maps using ldap query
From: Reinaldo de Carvalho
To: Postfix
Date: Tue Mar 16 2010 20:26:54 GMT-0300

On Tue, Mar 16, 2010 at 6:54 PM, Ronie Gilberto Henrich wrote:
Hi,
/etc/postfix/main.cf
virtual_alias_maps = ldap:everyone
everyone_server_host = ldaps://localhost
everyone_version = 3
everyone_search_base = ou=%d,ou=Mail,o=example,c=com
everyone_query_filter = (accountStatus=active)
everyone_result_attribute = mail
For only emails sent to every...@example.com to be forwarded to all mailboxes in example.com, it is necessary to add a filter like %u=everyone to that ldap query. I tried the following:
everyone_query_filter = (&(accountStatus=active)(%u=everyone))

everyone_query_filter = (&(accountStatus=active)(uid=%u))
everyone_result_attribute = mail
This works if you add the attribute mail=every...@example.com for each ldap entry.
dn: uid=user1...:
mail=us...@example.com
mail=every...@example.com
dn: uid=user2,...:
mail=us...@example.com
mail=every...@example.com

But it does not work. Is there any way to add that %u=everyone filter in the ldap query above? Or any other way to get the same results while still being dynamic? I mean dynamic by anything but generating hash alias_maps through cron scripts.
Thanks and regards, Ronie
Re: FW: PCI Compliance
On Thu, Mar 18, 2010 at 04:14:31PM -, Jonathan Tripathy wrote:
> > It works in practice. A few Postfix TLS proxies have been terminating TLS
> > connections, making access control decisions and forwarding unencrypted
> > SMTP to a non-Postfix server for many years now.
> >
> > These systems only run "smtpd" as a proxy, and use various internal
> > services, but otherwise there is no message processing. There is
> > no logging from cleanup(8), qmgr(8), smtp(8), ... connections come
> > in and then they go out. Mail is never queued on the TLS proxy.
>
> How does one configure postfix to act like this?
http://www.postfix.org/SMTPD_PROXY_README.html
If this is not an MX host:
main.cf:
    smtpd_proxy_filter = inet:[real-smtp-server]:real-port
    # Plus the usual "restrictions" settings and any (incoming) TLS
    # settings for the SMTP server. There is no support for outgoing
    # TLS in the SMTP server.
    #
    # ...
If the real server is missing various EHLO features, you should turn them off also on the Postfix proxy (mostly DSN and 8BITMIME) and adjust the message size limit to match the real server.
-- Viktor. P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Re: every...@example.com virtual_alias_maps using ldap query
On Thu, Mar 18, 2010 at 01:31:11PM -0300, Ronie Gilberto Henrich wrote:
> The problem with your solution below is that it will go into a loop.
Only if you go out of your way to make it loop. The address expansion in virtual(5) is recursive, but it stops as soon as an address expands to itself. If "everyone" is a group object that expands to a list of users, just make sure the query returns all users and no groups. If you want the group to be "dynamic", you can use LDAP URI valued groups and "special_result_attribute" to process such URIs. If the list of users is not too large, this works reasonably well. Once you are processing thousands of users, you should consider operating a list server to which such addresses are routed, and do the expansion there...
Giving all users an "every...@example.com" address is a bit ugly; just use objectClasses or sub-trees to determine who is in scope.
-- Viktor. P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Re: policy service for multiple recipients
On Thu, Mar 18, 2010 at 05:41:32PM +0200, Alex wrote:
> Basically I have a mysql table with thousands of recipients; on the left hand
> I have the recipient and on the right hand I have the action (REJECT) and some
> additional text
>
> u...@domain.tld REJECT Additional text
>
> In case of a multi-recipient message, if I use check_recipient_access and
> one of the recipients is found in that table, the whole message is rejected and
> affects all recipients of the message.
From false premises (the above is not true), you get false conclusions. Postfix rejects just the recipient in question. If the sending SMTP client fails to process the rejection of a single recipient out of many correctly, then this client is the problem. Generally, only MUAs and other "submission" SMTP talkers have such issues. If you are an MSA for poorly
-- Viktor. P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Re: MDN and multiple recipients
> Wietse Venema:
> > Postfix does not send "mail read" notifications.
>
> Hi Wietse
>
> You mean that these notifications are not part of the Postfix System?
Postfix sends *delivery* notifications; for examples of these, see the output from the "postconf -b" command. *Delivery* notifications are sent when mail is *delivered*.
Wietse
Re: policy service for multiple recipients
On 3/18/2010 10:41 AM, Alex wrote:
Hi All, My problem is described here http://www.mail-archive.com/postfix-users@postfix.org/msg16775.html Basically I have a mysql table with thousands of recipients; on the left hand I have the recipient and on the right hand I have the action (REJECT) and some additional text u...@domain.tld REJECT Additional text In case of a multi-recipient message, if I use check_recipient_access and one of the recipients is found in that table, the whole message is rejected and affects all recipients of the message.
No, that's not how postfix works. Only the "current" recipient is rejected. Every other recipient gets their own chance to be accepted or rejected. If postfix does not behave this way for you, then you've misconfigured something. Feel free to follow these directions to ask for help: http://www.postfix.org/DEBUG_README.html#mail
From the docs I understand that if I want to treat every recipient differently, I have two solutions:
You're reading a different part of the docs that does not apply to smtpd_recipient_restrictions, or an action other than REJECT.
-- Noel Jones
Re: every...@example.com virtual_alias_maps using ldap query
Hi Victor,
Thanks also for your reply. Isn't there a simpler way to accomplish that? Something like support for variables (%u) on the left side? Example:
everyone_query_filter = (&(accountStatus=active)(%u=everyone))
Thanks, Ronie

Original Message
Subject: Re: every...@example.com virtual_alias_maps using ldap query
From: Victor Duchovni
To: postfix-users@postfix.org
Date: Thu Mar 18 2010 13:45:50 GMT-0300

On Thu, Mar 18, 2010 at 01:31:11PM -0300, Ronie Gilberto Henrich wrote:
The problem with your solution below is that it will go into a loop.
Only if you go out of your way to make it loop. The address expansion in virtual(5) is recursive, but it stops as soon as an address expands to itself. If "everyone" is a group object that expands to a list of users, just make sure the query returns all users and no groups. If you want the group to be "dynamic", you can use LDAP URI valued groups and "special_result_attribute" to process such URIs. If the list of users is not too large, this works reasonably well. Once you are processing thousands of users, you should consider operating a list server to which such addresses are routed, and do the expansion there...
Giving all users an "every...@example.com" address is a bit ugly; just use objectClasses or sub-trees to determine who is in scope.
Re: What is "queued as"
On Thu, Mar 18, 2010 at 08:18:50AM -0700, Emmett Culley wrote:
> The ones that don't get delivered to the remote mail server have log
> entries like this:
>
> Mar 18 03:15:02 aoakley postfix/smtp[1714]: 6835847611D: to=, relay=mail1.domain1.com[xxx.xxx.xx.x]:25, delay=0.68, delays=0.06/0.01/0.14/0.47, dsn=2.0.0, status=sent (250 Ok: queued as 1499652CD48)
>
It is unrelated to the symptoms you describe. If, however, the other side has a cooperative postmaster, you can ask them to check their logs for the queue-id shown after "queued as".
> And those that do get delivered have log entries like this:
>
> Mar 18 03:15:36 aoakley postfix/smtp[1712]: 6835847611D: to=, relay=mx.domain2.net[yyy.yyy.yy.y]:25, delay=35, delays=0.06/0.01/0.16/34, dsn=2.0.0, status=sent (250 OK id=f137m907301NGbHLcq564)
A different MTA (likely Exim), whose queue-ids have a different format.
> I can send email successfully to both domains from other postfix served
> locations without a problem.
You are sending email successfully to both systems. One of them chooses not to present it to the user, but that is entirely out of your hands.
-- Viktor. P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Re: every...@example.com virtual_alias_maps using ldap query
On Thu, Mar 18, 2010 at 01:54:08PM -0300, Ronie Gilberto Henrich wrote:
> Isn't there a simpler way to accomplish that?
No.
> Something like support for variables (%u) on the left side?
>
> Example:
> everyone_query_filter = (&(accountStatus=active)(%u=everyone))
This is not "simpler", it is simply wrong. The substituted LDAP search filter is parsed by the LDAP server, not Postfix. Postfix will not try to interpret a subset of the conditions in the LDAP filter.
To make "every...@example.com" an address, create an LDAP object with that address. If the LDAP object needs to expand to all user addresses, make it an LDAP-URI valued group. If the group is large (thousands of recipients), do the expansion on a dedicated list server, not your primary Postfix queue.
-- Viktor. P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Mail rejected on "Received From"
Hi guys,
I often see mail being rejected by recipient servers because an IP in a Received From header is blacklisted somewhere. This strikes me as a rather bad practice, since it undermines the whole idea of SMTP authentication. Here's an example reject:
550 5.7.1 This system has been configured to reject your mail. An IP address (xx.xx.xx.xx) found in the message's 'Received:' headers is listed by the lookup site 'sbl-xbl.spamhaus.org.'.
xx.xx.xx.xx is the client's IP, a regular dynamic IP on a broadband connection, which shouldn't have any relevance. To make matters worse, the offending recipient site does not accept mail for abuse/postmaster or any of the usual aliases.
How do you engage hosts like these to resolve such issues?
Thanks K
Re: Mail rejected on "Received From"
On 3/18/2010 1:43 PM, Kay wrote:
Hi guys, I often see mail being rejected by recipient servers because an IP in a Received From header is blacklisted somewhere. This strikes me as a rather bad practice, since it undermines the whole idea of SMTP authentication. Here's an example reject: 550 5.7.1 This system has been configured to reject your mail. An IP address (xx.xx.xx.xx) found in the message's 'Received:' headers is listed by the lookup site 'sbl-xbl.spamhaus.org.'. xx.xx.xx.xx is the client's IP, a regular dynamic IP on a broadband connection, which shouldn't have any relevance. To make matters worse, the offending recipient site does not accept mail for abuse/postmaster or any of the usual aliases. How do you engage hosts like these to resolve such issues? Thanks K
Yes, this is very annoying. I communicate with a couple of misguided souls with similar rules. I imagine they all use the same filtering software and just click some box without understanding what it does.
Anyway, I use the following smtp_header_checks rule which seems to fix the problem. I use smtp_header_checks so that the mangling only happens on external delivery. http://www.postfix.org/postconf.5.html#smtp_header_checks
/^Received: (.*by host\.example\.com \(Postfix\) with ESMTPS?A id.*)$/ REPLACE X-Submission: $1
Of course, replace host\.example\.com with your own host name. It's possible that some hosts will still choke on this, in which case you will need to use IGNORE to remove the offending header instead of just rewriting it, but I don't suggest removing headers without good reason.
Of course it's a good idea to contact the other postmaster and try to convince them of their error, but I haven't had much luck with that... Part of the problem is no one there seems to know what a "postmaster" is. Maybe you'll fare better.
-- Noel Jones
Re: Mail rejected on "Received From"
On Thu, Mar 18, 2010 at 06:43:29PM +, Kay wrote:
> I often see mail being rejected by recipient servers because
> an IP in a Received From header is blacklisted somewhere.
>
> This strikes me as a rather bad practice, since it undermines
> the whole idea of SMTP authentication.
>
> Here's an example reject:
>
> 550 5.7.1 This system has been configured to reject your mail.
> An IP address (xx.xx.xx.xx) found in the message's 'Received:'
> headers is listed by the lookup site 'sbl-xbl.spamhaus.org.'.
>
> xx.xx.xx.xx is the client's IP, a regular dynamic IP on a
> broadband connection. Which shouldn't have any relevance.
I have mixed feelings about this. Yes, it is a misuse of a DNSBL, but if the IP is on SBL, indeed, the sender is probably a spammer, even in the unlikely event that the mail itself is not spam. I'd be fine with rejecting that. I don't do this, but I think it's reasonable. (I'd test it out before going live with it.)
When it gets to XBL, things are less clear. If the sender is the person responsible for the spamming host, the sender does need to fix the problem. But many times the sender is an innocent bystander (bypasser) using a poorly-run public hotspot or hotel connection. I lived in an XBL-listed hotel[1] for two months once! No point in complaining to the manager (I actually did try!) because it's all contracted out to lousy companies. They can't do anything even if they can understand what you're saying (which is of course not likely; I failed to explain it to my hotel manager.) So there, I'd err on the side of caution.
When it gets to PBL it is insanely, maddeningly stupid.
> To make matters worse, the offending recipient site does not accept
> mail for abuse/postmaster or any of the usual aliases.
>
> How do you engage hosts like these to resolve such issues?
Noel's workaround is good. OTOH, sites that are stupid get what the postmaster deserves. It's too bad that there are so many poorly-run mail hosts.
All we can do is commiserate and suggest you nominate these sites for rbl-ignorant.org. [1] I ran into that problem early on and fixed the issue myself by relaying my outbound mail through my VPN to my own mail host. -- Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
RE: Mail rejected on "Received From"
Maybe this is not the best practice, however I don't block any incoming mail (destined for a legit address) for the same reason. I use a program called SpamAssassin Quarantine and I let it scan for the spam. Spam is put in quarantine and doesn't affect the users. It sends out an email every day letting the user release the mail.
Hope that helps

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Kay
Sent: Thursday, March 18, 2010 2:43 PM
To: postfix-users@postfix.org
Subject: Mail rejected on "Received From"

Hi guys, I often see mail being rejected by recipient servers because an IP in a Received From header is blacklisted somewhere. This strikes me as a rather bad practice, since it undermines the whole idea of SMTP authentication. Here's an example reject: 550 5.7.1 This system has been configured to reject your mail. An IP address (xx.xx.xx.xx) found in the message's 'Received:' headers is listed by the lookup site 'sbl-xbl.spamhaus.org.'. xx.xx.xx.xx is the client's IP, a regular dynamic IP on a broadband connection, which shouldn't have any relevance. To make matters worse, the offending recipient site does not accept mail for abuse/postmaster or any of the usual aliases. How do you engage hosts like these to resolve such issues? Thanks K
Re: Mail rejected on "Received From"
On Thu, Mar 18, 2010 at 4:53 PM, Kaleb Hosie wrote:
> Maybe this is not the best practice, however I don't block any incoming mail
> (destined for a legit address) for the same reason. I use a program called
> SpamAssassin Quarantine and I let it scan for the spam.
>
content scanning every message is not practical for sites with a large volume of mail. even if you have the resources to do this, users tend to ignore the quarantine reports, and since senders are not notified that their message has not been received, you get mails that "just go missing". better in many cases to let the sender know (via an SMTP rejection, *not* any sort of NDR). nothing is perfect, it's a judgment call based on what your users expect and what hardware you have available to try and provide it.
> Spam is put in quarantine and doesn't affect the users. It sends out an email
> every day letting the user release the mail.
>
> Hope that helps
>
> -Original Message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Kay
> Sent: Thursday, March 18, 2010 2:43 PM
> To: postfix-users@postfix.org
> Subject: Mail rejected on "Received From"
>
> Hi guys,
>
> I often see mail being rejected by recipient servers because an IP in a
> Received From header is blacklisted somewhere.
>
> This strikes me as a rather bad practice, since it undermines the whole idea
> of SMTP authentication.
>
> Here's an example reject:
>
> 550 5.7.1 This system has been configured to reject your mail. An IP address
> (xx.xx.xx.xx) found in the message's 'Received:' headers is listed by the
> lookup site 'sbl-xbl.spamhaus.org.'.
>
> xx.xx.xx.xx is the client's IP, a regular dynamic IP on a broadband
> connection. Which shouldn't have any relevance.
>
> To make matters worse, the offending recipient site does not accept mail for
> abuse/postmaster or any of the usual aliases.
>
> How do you engage hosts like these to resolve such issues?
>
> Thanks
> K
master.cf override main.cf parameters exception list?
Hi List,
I find that not all parameters in main.cf can be overridden in master.cf with -o. So far I find that for example header_check, smtpd_data_restrictions, and inet_interfaces cannot be overridden in master.cf. Is there a list of such parameters documented somewhere?
I am using three different postfix personalities defined in master.cf. One for local processes listening at the loopback address. Another for the public facing mx host listening on the smtp port. Another for authenticated clients using the submission port for relay.
I am currently trying to achieve the following: remove the "Received:" header from submission port mails using header_checks=regexp/etc/postfix/map
First I have no header_checks in main.cf and specify header_checks=regexp/etc/postfix/map only for the submission server. This does not do anything to any of the three servers. Next I put header_checks=regexp/etc/postfix/map in main.cf. Then, except for the submission server, I put header_checks= in master.cf. This removes the header from every server.
As an aside: I find that both postconf -d and postconf -n give config_directory which are the same even though I deliberately removed the config_directory line from main.cf because postconf -d and postconf -n give the same value.
Thanks for your explanation and clarification. mr.wu
Re: RBL whitelist?
This whitelist is 1409 records long, so indeed as you say very small. I suppose I could download it and host it locally. Apparently AXFR is not allowed, but plain text HTTP download is, so that's good enough. Then I would only need an efficient and robust way for postfix to use it.
If they let you download a list of IPs, just use your favorite sed/awk/perl to change it into an access table.
The question is: Will this be really more reliable than using a policy service that simply queries dns for this task?
Re: Anvil logs explained
* Erik Logtenberg :
> Hi,
>
> I have a small question about anvil: every now and then it logs three
> lines about statistics. I don't quite understand what they mean. This is
> an example:
>
> Mar 17 00:30:49 mx postfix/anvil[28510]: statistics: max connection rate
> 1/60s for (mx.mydomain.eu:smtp:168.100.1.7) at Mar 17 00:27:28
The maximum connection rate is one connection during a 60s period. Your server is not very busy
> Mar 17 00:30:49 mx postfix/anvil[28510]: statistics: max connection
> count 1 for (mx.mydomain.eu:smtp:168.100.1.7) at Mar 17 00:27:28
There is at most 1 simultaneous connection during a 60s period. Your server is not very busy
> Also anvil doesn't log these statistics for every connection made, just
> every so many minutes. Is there something special about the specific IP
> address that it logs?
It's just the client which set the maximum
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: RBL whitelist?
>>> This whitelist is 1409 records long, so indeed as you say very small. I
>>> suppose I could download it and host it locally. Apparently AXFR is not
>>> allowed, but plain text HTTP download is, so that's good enough.
>>> Then I would only need an efficient and robust way for postfix to use
>>> it.
>>
>> If they let you download a list of IPs, just use your favorite
>> sed/awk/perl to change it into an access table.
>
> The question is: Will this be really more reliable than using a policy
> service that simply queries dns for this task?
By the way, in the meantime I followed the advice given by Stan Hoeppner and Noel Jones and made a daily cronjob which wget's the blacklist, puts some OK's in there and then postmaps the list to a hash map, which is then used with a check_client_access rule in smtpd_recipient_restrictions. This works okay, and fairly reliably, because I added a couple of sanity checks before actually switching over to the new whitelist. If some sanity check fails (for instance the number of IP's is outside a sane range or if postmap chokes on it), then the cronjob will just keep the current whitelist in place.
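The cron job described in the post above, written out as an added example (not the poster's own script): a POSIX sh update that validates every entry and the entry count, runs postmap, and only then swaps the new map in, so a broken download leaves the working whitelist untouched. The download URL, the map path and the sane entry range are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): rebuild a check_client_access
# whitelist from a downloaded IPv4 list, refusing to replace the working
# map when the download looks wrong. URL, paths and the entry range are
# assumptions for illustration.
set -e

WL_URL="${WL_URL:-https://whitelist.example.invalid/list.txt}"   # assumed
MAP="${MAP:-/etc/postfix/rbl_whitelist}"                          # assumed
MIN_ENTRIES="${MIN_ENTRIES:-1000}"    # a healthy list has ~1400 entries
MAX_ENTRIES="${MAX_ENTRIES:-2000}"

# Accept only a plain dotted quad with every octet in 0..255: no CIDR,
# no hostnames, no IPv6. Anything else means the download is not the
# file we expected.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Rewrite the raw list as an access(5) table, one "address OK" per line.
# Comments and blank lines are dropped; a single bad entry rejects the
# whole file, because a half-valid list is exactly what must not be installed.
build_access_table() {
    src=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip trailing comments
        set -f; set -- $line; set +f     # whitespace-split, no globbing
        [ $# -eq 0 ] && continue         # blank line
        if [ $# -ne 1 ] || ! is_ipv4 "$1"; then
            echo "whitelist: bad entry '$line', refusing the list" >&2
            return 1
        fi
        printf '%s OK\n' "$1"
    done < "$src"
}

# Refuse an entry count outside the expected range: an empty or truncated
# download, or one that suddenly whitelists far more than it should.
count_in_range() {
    n=$(($(wc -l < "$1")))
    [ "$n" -ge "$MIN_ENTRIES" ] && [ "$n" -le "$MAX_ENTRIES" ]
}

# Build the new table beside the old one and switch only after every check
# (and postmap itself) has succeeded; on any failure the old map stays.
update_whitelist() {
    raw=$1; map=$2; new="$map.new"
    if ! build_access_table "$raw" > "$new" || ! count_in_range "$new"; then
        rm -f "$new"
        echo "whitelist: keeping previous map $map" >&2
        return 1
    fi
    if command -v postmap >/dev/null 2>&1; then
        # postmap writes $new.db; rename(2) is atomic, and running smtpd(8)
        # processes keep the old file open until they exit.
        postmap hash:"$new" || { rm -f "$new" "$new.db"; return 1; }
        mv -f "$new.db" "$map.db"
    fi
    mv -f "$new" "$map"
}

# Download step for the real cron run; a failed fetch never reaches the map.
fetch_list() {
    wget -q -O "$2" "$1"
}

# Stand-alone demonstration on a constructed list, so no network is needed.
# Cron would run instead:  fetch_list "$WL_URL" "$tmp" && update_whitelist "$tmp" "$MAP"
demo() {
    dir=$(mktemp -d)
    printf '# constructed sample list\n192.0.2.10\n198.51.100.7  # mail relay\n\n203.0.113.42\n' \
        > "$dir/raw.txt"
    MIN_ENTRIES=1; MAX_ENTRIES=10          # scaled down for the 3-entry sample
    update_whitelist "$dir/raw.txt" "$dir/wl" && cat "$dir/wl"
    rm -rf "$dir"
}

demo
```

With postmap installed, the switch also produces the indexed `.db` file that `check_client_access hash:/etc/postfix/rbl_whitelist` reads; without it, only the text table is written.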
Re: master.cf override main.cf parameters exception list?
On Thu, Mar 18, 2010 at 06:12:32PM -0400, zhong ming wu wrote:
> I find that not all parameters in main.cf can be overridden in
> master.cf with -o.
>
> So far I find that for example header_check , smtpd_data_restrictions,
> and inet_interfaces cannot be overridden in master.cf
> Is there a list of such parameters documented somewhere?
Correlation does not indicate causation. You have made an observation and drawn a false conclusion from it.
> I am using three different postfix personalities defined in master.cf.
"Personalities" is not a valid concept here, but I think my guess might point you in the right direction.
> One for local processes listening at loopback
> address. Another for public facing mx host listening on smtp port.
> Another for authenticated clients using submission port
> for relay
>
> I am currently trying to achieve the following: remove "Received:"
> header from submission
> port mails using header_checks=regexp/etc/postfix/map
>
> First I have no header_checks in main.cf and specify
> header_checks=regexp/etc/postfix/map
> only for submission server. This does not do anything to any of
> three servers.
You cannot set header_checks for a smtpd(8) daemon. But you can set $cleanup_service_name and use an alternate cleanup(8) daemon for an alternate smtpd. http://www.postfix.org/postconf.5.html#cleanup_service_name
The -o options only override settings specific to the particular daemon you're trying to change. See the man page for each daemon. This page might help you understand the Big Picture: http://www.postfix.org/OVERVIEW.html
You also mentioned trying to override smtpd_data_restrictions and inet_interfaces. The former, as hinted by the smtpd_* naming convention, is a setting for smtpd. The latter is a setting used by master(8), and as such, is global to the Postfix instance.
There is, however, no need to override it for any daemon; you simply tell that daemon via its master(5) entry to bind to the appropriate IP address:
192.0.2.25:587 inet n - n - - smtpd
    -o setting=value
    [ ... ]
This gives you a smtpd listener on 192.0.2.25:587.
smtp unix - - n - - smtp
    -o smtp_bind_address=192.0.2.25
    -o setting=value
    [ ... ]
This gives you a smtp(8) client sending from 192.0.2.25.
-- Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
Re: Milter SMFIC_HEADER failure (huh, due to success? :-)
On 03/18/2010 05:57 AM, Wietse Venema wrote:
> If the Postfix milter_protocol setting specifies a too high
> version, the libmilter library simply hangs up without logging
We've tried protocol versions 2, 4, and 6 with the same error. We've also tried two different versions of the libmilter: 8.13 and 8.14. We're trying version 3 of the protocol right now, but it will take a while to know for sure what the result of that is. It only happens for a few specific users who only send mail a few times a day.
My experience in the past has been that having the wrong protocol version causes problems on all the milter interactions. In this case the milter is working fine for almost all the requests, except for a couple of users (out of thousands).
Thanks, Sean
-- Sean Reifschneider, Member of Technical Staff tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
Re: every...@example.com virtual_alias_maps using ldap query
Original Message
Subject: Re: every...@example.com virtual_alias_maps using ldap query
From: Victor Duchovni
To: Ronie Gilberto Henrich
Cc: postfix-users@postfix.org
Date: Thu Mar 18 2010 14:00:45 GMT-0300

> > Something like a support for variables (%u) on the left side?
> > Example:
> > everyone_query_filter = (&(accountStatus=active)(%u=everyone))
>
> This is not "simpler" it is simply wrong. The substituted LDAP search filter is parsed by LDAP server, not Postfix. Postfix will not try to interpret a subset of the conditions in the LDAP filter.
>
> To make "every...@example.com" an address, create an LDAP object with that address. If the LDAP object needs to expand to all user addresses, make it an LDAP-URI valued group. If the group is large (thousands of recipients), do the expansion on a dedicated list server, not your primary Postfix queue.

You mean something like the ldap object below?

    mail=every...@example.com,ou=Mail,o=example,c=com
    ObjectClass=referral
    ref=ldaps://localhost/ou=Mail,o=example,c=com

I did that and it does list all ou=Mail,o=example,c=com mail accounts.

Then I modified my ldap:everyone mappings to the following:

    virtual_alias_maps = ldap:everyone
    everyone_server_host = ldaps://localhost
    everyone_version = 3
    everyone_search_base = ou=Mail,o=example,c=com
    everyone_query_filter = (mail=%s)
    everyone_result_attribute = mail

But it does not work.

    550 : Recipient address rejected: User unknown;

Any ideas of what I am doing wrong?

Thanks,
Ronie
Re: Milter SMFIC_HEADER failure (huh, due to success? :-)
Sean Reifschneider:
> On 03/18/2010 05:57 AM, Wietse Venema wrote:
> > If the Postfix milter_protocol setting specifies a too high
> > version, the libmilter library simply hangs up without logging
>
> We've tried protocol versions 2, 4, and 6 with the same error. We've also
> tried two different versions of the libmilter: 8.13 and 8.14. We're trying
> version 3 of the protocol right now, but it will take a while to know for
> sure what the result of that is. It only happens for a few specific users
> who only send mail a few times a day.
>
> My experience in the past has been that having the wrong protocol version
> causes problems on all the milter interactions. In this case the milter is
> working fine for almost all the requests, except for a couple of users (out
> of thousands).

Unfortunately, it seems that my crystal ball isn't working today.

Wietse
Re: Milter SMFIC_HEADER failure (huh, due to success? :-)
FYI: Using protocol version 3 is also causing the same errors to be logged. So we've tried 2, 3, 4, and 6.

Thanks,
Sean
--
Sean Reifschneider, Member of Technical Staff
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability