Re: Deliver raw, local emails to a socket?

2010-03-26 Thread Martin Adolfsson

On 2010-03-26 05:32, Stephens, Kurt wrote:

I'd like to have all local postfix deliveries to
go directly into a TCP or UDS (named pipe) socket,


I wrote a small hack for this a few years back, and it has been in 
production for a few of our customers ever since. (I believe it's fairly 
portable and should compile on most platforms)


You can download it from: http://netilium.org/~mad/sockpipe.c

It's been designed to exit with EX_TEMPFAIL if it can't connect to the 
server, or if the server closes while the program is sending data. That 
way, Postfix will retry later.


Since there is no protocol involved, Postfix has no way of knowing if 
the delivery actually succeeded - you need to make sure that the 
receiving program is able to handle the e-mail if it accepts the connection.


Simply put the compiled program as a transport into master.cf, using the 
pipe cmd:

-
sockdeliv unix  - n n - 1 pipe
  flags=R eol=\r\n user=nobody argv=/../sockpipe  
-

Then use something along the lines of "mailbox_transport = sockdeliv" in 
main.cf.



Regards,
Martin Adolfsson


Difference between default_destination_recipient_limit and smtpd_recipient_limit

2010-03-26 Thread Marcos Lorenzo de Santiago
I had configured default_destination_recipient_limit to 1500 and I
couldn't send an email destined to 1100 recipients. It was when I
modified these two options that I got it working:

smtpd_recipient_overshoot_limit
smtpd_recipient_limit

I rtfm but I just can't see why it wasn't working, because
default_destination_recipient_limit seems to be the default value for
every postfix service.

... or maybe I am just missing something.

Thanks in advance.

Regards,
Marcos Lorenzo de Santiago.




-- 
---
Hippogriff, n.:   
  An animal (now extinct) which was half horse and half griffin.  
  The griffin was itself a compound creature, half lion and half  
  eagle. The hippogriff was actually, therefore, only one quarter 
  eagle, which is two dollars and fifty cents in gold.
  The study of zoology is full of surprises.  
   -- Ambrose Bierce, "The Devil's Dictionary"
---

Marcos Lorenzo de Santiago
Systems Technician

Department of New Technologies
Ayuntamiento de Getafe
Plaza de la Constitución 1 (28901)

E-mail:    marcos.lore...@ayto-getafe.org
Telephone: 912 027 948
Mobile:    608 300 935




Re: Difference between default_destination_recipient_limit and smtpd_recipient_limit

2010-03-26 Thread Wietse Venema
Marcos Lorenzo de Santiago:
> I had configured default_destination_recipient_limit to 1500 and I
> couldn't send an email destined to 1100 recipients. It was when I
> modified these two options that I got it working:
> 
> smtpd_recipient_overshoot_limit
> smtpd_recipient_limit
> 
> I rtfm but I just can't see why it wasn't working, because
> default_destination_recipient_limit seems to be the default value for
> every postfix service.
> 
> ... or maybe I am just missing something.

Indeed. You missed the instructions for reporting a problem
on this mailing list. They were sent to you in the mailing
list welcome message.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.


Re: Access based on client cert attributes?

2010-03-26 Thread Dick Visser
On 23/03/2010 16:41, Victor Duchovni wrote:

> Having noticed the many pitfalls of parsing X.509 certs, and written
> careful code to parse them (and avoided Postfix being linked to
> vulnerabilities later found in most certificate parsers), I am reluctant
> to ask Postfix users to write robust X.509 parsing code in their own
> policy service code.

True. On the other hand, the admins responsible for setting the
institution information (most importantly: 'Organisation') in the
certificate are also the ones that need to check for it.
And the most likely scenario will be that you want to check if a
certificate belongs to one of your own users. Since you put that data
in, it should be possible to establish some positive confirmation on that.

I can see that writing an X.509 parser is non-trivial.
Maybe this is totally the wrong idea, but would it be possible to reuse
the SSLRequire code of Apache in a new check_ccert_x, or possibly in a
policy daemon?

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequire

That option looks exactly like what we need...

> Do your users actually want to install and use client certs? Do they
> have them in any case for other reasons?

They don't have them now, but they will soon, and so will thousands of
other users: https://www.terena.org/activities/tcs/

Right now nobody has them, so nobody uses them. TERENA has taken the
initiative to break this circle and to make them really available to our
community.

The same approach was used for the TERENA server certificates, which
were introduced a couple of years ago. Currently there are about 30.000
servers in the European research and education area field that use those
certificates.

It is expected that the same will happen with the personal (client)
certificates: once it is very easy and convenient to get one,
certificate based services will get used more and more.

Lots of postmasters in the academic and research networking area will
want to use this. The TERENA Certificate Service is aimed at European
NRENs, which means in principle all students/employees/etc of higher
education and research institutes. So there is a huge potential.


-- 
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88 F +31 20 530 44 99
vis...@terena.org | www.terena.org







Re: how to allow a rejcted domain

2010-03-26 Thread /dev/rob0
On Fri, Mar 26, 2010 at 12:22:55AM +, Jamie Griffin wrote:
> I'm going to re-read about smtpd_*_restrictions to better 
> understand what i've done because from what you've said I
> could improve my configuration

"Improve" is a value judgment. I think it's fair to say that 
management is easier if you stay within a single stage. But some 
restriction combinations need multiple stages. I didn't see anything
in yours that couldn't be done in one stage, but then, I don't know
what's in your access maps.

> but can i ask quickly, do you mean I can move all of the smtpd 
> restrictions i'm using into $smtpd_recipeint_restrictions ?

With the caveat that "recipient" must be spelled correctly, yes. :)

Reference:
http://www.postfix.org/SMTPD_ACCESS_README.html
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: Directing SPAM mail to a Junk Folder

2010-03-26 Thread Voytek Eymont

On Fri, March 26, 2010 9:51 am, /dev/rob0 wrote:
> On Fri, Mar 26, 2010 at 08:26:33AM +1100, Voytek Eymont wrote:
>
>> so, if I was to create a mail user 'voytek+spam' in the database,
>> '+spam' mail would end up in voytek+spam mail user maildir ?

> The user for virtual(8) must be the full address:
> voy...@example.com          example.com/voytek/maildir/
> voytek+s...@example.com     example.com/voytek/maildir/.spam/
> ot...@example.com

> The concept of "user" is blurred here. To virtual, these are like
> different users. But to your IMAPd, ideally, you are simply delivering mail
> to another folder owned by that virtual user.
>
> There might be SQL tricks you can use to get the +spam queries to
> return the spam mailfolder paths, too. That's beyond the scope of this
> list, and beyond my very modest SQL literacy level. But DB storage is
> cheap, and it's easy to script something like this to populate your
> database for all existing users.

rob0,

many thanks for the explanations!! This now seems simpler than I feared!!

I've looked at this in the past on and off, even installed maildrop, but
the virtual delivery agent seems a simpler way

I've created a new mailbox for 'voytek+spam', edited the relevant path,
and, bingo:

voytek's 'spam' IMAP folder gets the '+spam'

thanks again!!

Mar 26 17:29:18 bilby postfix/lmtp[5924]: 2F4E3B44906:
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=6.1,
delays=2.2/0.01/0.01/3.8, dsn=2.0.0, status=sent (250 2.0.0 Ok,
id=02838-15, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
AFFACB448FD)

Mar 26 17:30:06 bilby postfix/virtual[6058]: B8F59B44909:
to=, relay=virtual, delay=936,
delays=936/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)


I guess I can start setting this up to deliver individual spam to individual
users with virtual and plus subaddressing

-- 
Voytek



Re: Deliver raw, local emails to a socket?

2010-03-26 Thread Wietse Venema
Stephens, Kurt:
> I'd like to have all local postfix deliveries to go directly into
> a TCP or UDS (named pipe) socket, that will eventually end up raw
> in database table for subsequent triage.

It's easy enough to take one of the pipe(8) examples in master.cf,
run a netcat-like command, and set main.cf:local_transport
appropriately. 

It's even easier to run such a command from the user's .forward
files.

But you cannot use the To: header address. Proof: you received this
email message, but you are not listed in the message header.

You MUST pass the envelope recipient information (and perhaps sender
for auto-replies) to your database, otherwise you will mis-deliver
list mail, and other BCC recipients.

Wietse
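
A complete delivery program of the kind both Martin's reply (earlier in this digest) and Wietse's reply above describe, added here as an illustration: it is not Martin's sockpipe.c and not Postfix code, and the socket path, the program path and the master.cf line it assumes are hypothetical. It reads the raw message from stdin, takes the envelope sender and recipient from argv (the pipe(8) ${sender} and ${recipient} expansions), prefixes them to the data so the receiver never has to guess from the To: header, and returns EX_TEMPFAIL whenever the connection fails or closes early so that Postfix retries. The run_demo() function stands up a throwaway receiver so the whole round trip can be exercised offline.

```python
#!/usr/bin/env python3
"""Pipe-transport delivery program that hands a raw message to a Unix socket.

Added example, not Martin's sockpipe.c and not Postfix code. It assumes a
master.cf entry such as (program path hypothetical):

    sockdeliv unix  - n n - 1 pipe
      flags=R user=nobody argv=/usr/local/bin/sockdeliv.py ${sender} ${recipient}

so the envelope sender and recipient arrive in argv and the message on stdin,
and a receiver already listening on SOCKET_PATH.
"""
import os
import socket
import sys
import tempfile
import threading

EX_OK = 0
EX_USAGE = 64     # sysexits.h: bad argv, Postfix bounces the message
EX_DATAERR = 65   # sysexits.h: bad input, Postfix bounces the message
EX_TEMPFAIL = 75  # sysexits.h: Postfix defers the message and retries later

SOCKET_PATH = "/var/run/sockdeliv.sock"  # hypothetical receiver location


def frame(sender: str, recipient: str, message: bytes) -> bytes:
    """Prefix the raw message with its envelope addresses.

    The To: header cannot tell the receiver where mail goes (Bcc and list
    mail never name the recipient there), so the envelope is carried
    explicitly. A CR or LF inside an address would let it append a second
    preamble line of its own, so such input is refused as a data error.
    """
    for addr in (sender, recipient):
        if "\r" in addr or "\n" in addr:
            raise ValueError("envelope address contains a line break")
    preamble = (f"X-Envelope-From: {sender}\r\n"
                f"X-Envelope-To: {recipient}\r\n").encode("utf-8")
    return preamble + message


def deliver(sender: str, recipient: str, message: bytes,
            sock_path: str = SOCKET_PATH, timeout: float = 30.0) -> int:
    """Send the framed message; return a sysexits.h status for pipe(8)."""
    try:
        data = frame(sender, recipient, message)
    except ValueError:
        return EX_DATAERR
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(sock_path)
            sock.sendall(data)
            sock.shutdown(socket.SHUT_WR)
            # No application protocol: the only acknowledgement available is
            # the receiver closing its side after reading everything. A reset
            # or timeout before that means "not delivered, try again later".
            while sock.recv(4096):
                pass
    except OSError:  # ConnectionRefusedError, BrokenPipeError, socket.timeout, ...
        return EX_TEMPFAIL
    return EX_OK


def run_demo(message: bytes, sender: str = "alice@example.org",
             recipient: str = "bob@example.com"):
    """Deliver one message to a throwaway in-process receiver (constructed
    for offline use) and return (exit status, bytes the receiver saw)."""
    received = bytearray()
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "sockdeliv.sock")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(sock_path)
        server.listen(1)

        def receiver():
            conn, _ = server.accept()
            with conn:
                while chunk := conn.recv(4096):
                    received.extend(chunk)
            server.close()

        worker = threading.Thread(target=receiver)
        worker.start()
        status = deliver(sender, recipient, message, sock_path)
        worker.join()
    return status, bytes(received)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(EX_USAGE)
    sys.exit(deliver(sys.argv[1], sys.argv[2], sys.stdin.buffer.read()))
```

Because the socket carries no acknowledgement protocol, the program treats "the receiver read everything and then closed" as the only success signal; anything weaker risks losing mail, which is exactly the caveat Martin's message raises about the receiving side.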


Re: how to allow a rejcted domain

2010-03-26 Thread Dennis Guhl
On Fri, Mar 26, 2010 at 12:22:55AM +, Jamie Griffin wrote:
> I'm going to re-read about smtpd_*_restrictions to better understand what 
> i've done because from what you've said I could improve my configuration but 
> can i ask quickly, do you mean I can move all of the smtpd restrictions i'm 
> using into $smtpd_recipeint_restrictions ?

Yes, actually it makes your main.cf much less cluttered and less
error prone.

These are my restrictions, which I use on various servers serving
anywhere from a few messages per hour up to several hundred messages per minute:

smtpd_recipient_restrictions = 
check_recipient_access = btree:/etc/postfix/access_rfc-recipient,
# check_client_access = btree:/etc/postfix/access_client,
# check_helo_access btree:/etc/postfix/access_helo,
# check_sender_access btree:/etc/postfix/access_sender,
# check_recipient_access btree:/etc/postfix/access_recipient,
reject_unauth_pipelining,
reject_invalid_helo_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_sasl_authenticated,
permit_mynetworks,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client dnsbl.njabl.org,
reject_rhsbl_client blackhole.securitysage.com,
check_policy_service unix:/public/postgrey,
reject_unverified_recipient,
# permit_mx_backup,
# reject_unauth_destination,
permit

The first two lines are really one line; because of an irritating line
break I made a manual word wrap. And the last permit is just for
completeness, it is the default.

For the rest it is mostly copied from the German book "Das
Postfix-Buch" written by Peer Heinlein.

The double occurrence of 'check_recipient_access =' ensures, in the
first entry, the unconditional acceptance of emails to postmaster@
or abuse@ to comply with RFCs 822 and 2142. The second occurrence
can be used to whitelist some faulty senders I wish to receive.

Of course the RBL entries are working for me, but this does not mean
they do so for you. On my sites I never became aware of problems with
NiX SPAM (manitu.net) whilst other people report frequent false
positives.

> Jamie.

Dennis


Re: Directing SPAM mail to a Junk Folder

2010-03-26 Thread /dev/rob0
Please don't top-post replies. Also note, I set Reply-To: to keep
discussions on list. I do not want a CC:.

On Fri, Mar 26, 2010 at 06:03:47AM +0530, Chaminda Indrajith wrote:
> ~user/.forward+spam would be a good solution for me since my
> users are system users.
> 
> Could you give me an example for the following? I can configure
> amavisd-new to do + address extension.
> 
> ## Deliver user+s...@example.com mails to /home/user/Maildir/.Junk
> 
> .Junk is also in Maildir format.

Sure. While I would prefer to see you try it yourself, this will
complete the thread for the archives. I gave Voytek examples for
virtual(8), so here's yours:

u...@server:~$ echo '/home/user/Maildir/.Junk/' > ~/.forward+spam

The file should be owned and readable by this user. Likewise,
/home/user/Maildir/.Junk/ needs rwx permissions for this user. The
trailing slash on the directory name is what tells local(8) that
you're using a maildir.

Most OS's that I have experience with have a /etc/skel directory
which is used to populate the HOME for a new user. You can't use
variables like $USER in a .forward file, and you obviously cannot
have an absolute path in a skel file, but this worked for me:

r...@server:~# echo '~/Maildir/.Junk/' > /etc/skel/.forward+spam

Quoting is necessary there to prevent expansion of "~". Consult
your OS documentation for information on new user creation and
default files.

> >References:
> >   http://www.postfix.org/postconf.5.html#recipient_delimiter
> >   http://www.postfix.org/local.8.html
> >   http://www.postfix.org/aliases.5.html
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

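A small model of the two lookup orders at work in this thread and in Voytek's virtual(8) thread above, added here as an illustration rather than taken from Postfix or from any poster: virtual_mailbox_maps is tried for the full address, then the address without its extension, then the @domain catch-all; local(8) reads $home/.forward+extension before $home/.forward (the forward_path default). The map contents, home directory and file contents are constructed.

```python
"""Model of how Postfix turns a user+extension@domain recipient into a delivery
location, covering the virtual(8) mailbox map from Voytek's thread and the
.forward+spam file from this one. Added example, not Postfix code; the map,
home directory and file contents below are constructed. Lookup orders follow
the documented defaults: virtual_mailbox_maps is searched for the full address,
then the address without extension, then @domain; local(8) reads
$home/.forward+extension before $home/.forward (the forward_path default)."""

RECIPIENT_DELIMITER = "+"  # main.cf: recipient_delimiter = +


def split_address(addr, delim=RECIPIENT_DELIMITER):
    """Return (user, extension, domain); extension is "" when absent.
    The split is at the first delimiter, so user+a+b has extension "a+b"."""
    local, _, domain = addr.rpartition("@")
    user, _, ext = local.partition(delim)
    return user, ext, domain


def virtual_lookup_keys(addr, delim=RECIPIENT_DELIMITER):
    """Keys in the order virtual(8) tries them against virtual_mailbox_maps."""
    user, ext, domain = split_address(addr, delim)
    keys = [addr]
    if ext:
        keys.append(f"{user}@{domain}")
    keys.append(f"@{domain}")  # catch-all entry, if the admin configured one
    return keys


def virtual_mailbox(addr, mailbox_map, delim=RECIPIENT_DELIMITER):
    """First key with an entry wins: user+spam@d beats user@d beats @d.
    Returns (matched key, mailbox path) or (None, None) for an unknown user."""
    for key in virtual_lookup_keys(addr, delim):
        if key in mailbox_map:
            return key, mailbox_map[key]
    return None, None


def forward_paths(home, addr, delim=RECIPIENT_DELIMITER):
    """Files local(8) consults, in order; without an extension only .forward."""
    _, ext, _ = split_address(addr, delim)
    paths = []
    if ext:
        paths.append(f"{home}/.forward{delim}{ext}")
    paths.append(f"{home}/.forward")
    return paths


def local_forward(home, addr, files, delim=RECIPIENT_DELIMITER):
    """Return (file used, destination) for the first .forward file that exists;
    `files` maps path -> content and stands in for the filesystem. (None, None)
    means ordinary mailbox delivery."""
    for path in forward_paths(home, addr, delim):
        if path in files:
            return path, files[path].strip()
    return None, None


def is_maildir(destination):
    """A destination ending in "/" is a maildir; anything else is an mbox file."""
    return destination.endswith("/")


# Constructed sample data modelled on the two threads.
VIRTUAL_MAILBOX_MAP = {
    "voytek@example.com": "example.com/voytek/maildir/",
    "voytek+spam@example.com": "example.com/voytek/maildir/.spam/",
}
HOME_FILES = {"/home/user/.forward+spam": "/home/user/Maildir/.Junk/\n"}
```

The fallback from user+ext@domain to user@domain is what makes rob0's scheme safe for extensions nobody created an entry for: voytek+news@example.com lands in the ordinary maildir instead of bouncing.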

local recipients in ldap dir

2010-03-26 Thread me

just signed up and have a novice kind of question, sorry :)

I'm reading the docs but somehow cannot get the hang of a config
for a local domain (canonical/mydestination) whose recipient list would 
be looked up in ldap

postmap queries my ldap and returns no errors, but
I cannot get the whole thing (postfix) to actually work: either errors about
unknown user, or status is 'sent/delivered' but nothing in inbox

I know that easier would be to make it virtual, this works, but..

- how to configure postfix to look up local recipients in ldap?
- and if yes is it possible to keep mailboxes under one folder, like for 
vmail?


the whole idea is to have these local recipients' mailboxes behaving 
like virtual, no shell accounts
(on a box here postfix runs coupled with dovecot and dovecot does local 
delivery)


regards



Re: Difference between default_destination_recipient_limit and smtpd_recipient_limit

2010-03-26 Thread Marcos Lorenzo de Santiago
On Fri, 26-03-2010 at 12:06 +0100, Wietse Venema wrote:

> Marcos Lorenzo de Santiago:
> > I had configured default_destination_recipient_limit to 1500 and I
> > couldn't send an email destined to 1100 recipients. It was when I
> > modified these two options that I got it working:
> > 
> > smtpd_recipient_overshoot_limit
> > smtpd_recipient_limit
> > 
> > I rtfm but I just can't see why it wasn't working, because
> > default_destination_recipient_limit seems to be the default value for
> > every postfix service.
> > 
> > ... or maybe I am just missing something.
> 
> Indeed. You missed the instructions for reporting a problem
> on this mailing list. They were sent to you in the mailing
> list welcome message.


externo2:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_destination_recipient_limit = 2
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 52428800
mydestination = externo2.ayto-getafe.org, localhost.ayto-getafe.org,
localhost
myhostname = externo2.ayto-getafe.org
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 10.0.0.0/8
172.16.0.0/12 192.168.0.0/16
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination, ayto-getafe.org
relayhost = 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_limit = 2
smtpd_recipient_overshoot_limit = 2
smtpd_sender_restrictions = permit_mynetworks,
reject_non_fqdn_sender, reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_cert_file = /etc/ssl/certs/mailer.ayto-getafe.org_cert.pem
smtpd_tls_key_file = /etc/ssl/private/mailer.ayto-getafe.org_key.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport


I have no logs to show, sorry. But my question remains as simple as
before:
Could anyone please point me to some document (RFC or so) where those
options and their use are more thoroughly explained than in Postfix's
manual?

Sorry for missing info and thank you very much for your time.

Regards,
Marcos Lorenzo de Santiago.




-- 
---
if (argc > 1 && strcmp(argv[1], "-advice") == 0) {
printf("Don't Panic!\n"); 
exit(42); 
} 
(Arnold Robbins in the LJ of February '95, describing RCS)
---

Marcos Lorenzo de Santiago
Systems Technician

Department of New Technologies
Ayuntamiento de Getafe
Plaza de la Constitución 1 (28901)

E-mail:    marcos.lore...@ayto-getafe.org
Telephone: 912 027 948
Mobile:    608 300 935




Re: whitelist for smtp_recipient_restrictions

2010-03-26 Thread Schwalbe, Oliver

Hello Mr Hildebrandt,

Thank you for the quick reply.
As a first measure I have already disabled uceprotect.net, but I would quite
like to come back to it.
However, I still need more precise information on where I have to put "IP ok".
Do I have to create a separate file for that and point to it?
A tip on this would be helpful.

Thanks for the support

Kind regards
Schwalbe



 



>-Original Message-
>From: owner-postfix-us...@postfix.org
>[mailto:owner-postfix-us...@postfix.org] on behalf of Ralf Hildebrandt
>Sent: Thursday, 25 March 2010 08:19
>To: postfix-users@postfix.org
>Subject: Re: whitelist for smtp_recipient_restrictions
>
>
>* Schwalbe, Oliver :
>> Hi community,
>>  
>> Lately I have had some problems with SMTP senders who are blocked
>> by DNSBL lists like uceprotect.net.
>> The owners of the mail servers assured me they do not generate or send any
>> SPAM. How can I implement a whitelist for some friendly sender domains
>> to bypass the reject_rbl_client rule?
>>  
>> Here are my smtp_recipient_restrictions entries:
>>  
>> smtp_recipient_restrictions=permit_mynetworks,
>>  reject_invalid_hostname,
>>  reject_non_fqdn_hostname,
>>  reject_non_fqdn_sender,
>>  reject_unknown_sender_domain,
>>  reject_unknown_recipient_domain,
>>  reject_unauth_pipelining,
>>  reject_unauth_destination,
>>  reject_rbl_client zen.spamhaus.org,
>>  reject_rbl_client bl.spamcop.net,
>>  reject_rbl_client dnsbl.njabl.org,
>
>check_client_access hash:/etc/postfix/whitelist
>
>>  reject_rbl_client dnsbl-1.uceprotect.net
>>  permit
>
>with:
>
>IP OK
>
>Or rather remove dnsbl-1.uceprotect.net, since they really suck.
>
>-- 
>Ralf Hildebrandt
>  IT Division | Network Department
>  Charité - Universitätsmedizin Berlin
>  Campus Benjamin Franklin
>  Hindenburgdamm 30 | D-12203 Berlin
>  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>  ralf.hildebra...@charite.de | http://www.charite.de
>   
>
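
A model of how smtpd walks a restriction list, added as an illustration of both Ralf's whitelist placement above and Dennis's list earlier in this digest; it is not Postfix code. Only the restrictions those lists need are modelled (the others are treated as having nothing to say), and the networks, whitelist contents, DNSBL listings and client addresses are constructed. It shows that check_client_access has to come before the reject_rbl_client it is meant to override, and that placing it before reject_unauth_destination would let an OK entry relay mail for any domain.

```python
"""Model of how smtpd(8) walks a restriction list: restrictions are tried in
order, the first to answer PERMIT or REJECT decides, and one with nothing to
say (DUNNO) hands over to the next. Added example, not Postfix code. Only the
restrictions needed for the lists in this thread and Dennis's are modelled
(the rest are treated as DUNNO), and the networks, access map and DNSBL
listings are constructed."""
import ipaddress

MYNETWORKS = ["127.0.0.0/8", "192.168.0.0/16"]  # constructed main.cf value


def client_access_keys(ip):
    """Keys check_client_access tries for an IPv4 client in an indexed map:
    the full address, then parent networks by dropping trailing octets."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def evaluate(restrictions, client, access_map, dnsbl_listings):
    """Return (decision, restriction that decided).

    client: {"ip", "sasl_authenticated", "recipient_domain_is_ours"}.
    access_map: contents of the check_client_access table (key -> action).
    dnsbl_listings: DNSBL name -> set of listed client addresses."""
    addr = ipaddress.ip_address(client["ip"])
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(n) for n in MYNETWORKS):
                return "PERMIT", item
        elif name == "permit_sasl_authenticated":
            if client.get("sasl_authenticated"):
                return "PERMIT", item
        elif name == "reject_unauth_destination":
            if not client["recipient_domain_is_ours"]:
                return "REJECT", item
        elif name == "reject_rbl_client":
            if client["ip"] in dnsbl_listings.get(arg, ()):
                return "REJECT", item
        elif name == "check_client_access":
            for key in client_access_keys(client["ip"]):
                action = access_map.get(key)
                if action is None:
                    continue          # no entry: try the parent network
                if action == "DUNNO":
                    break             # stop searching this map, next restriction
                return ("PERMIT" if action == "OK" else "REJECT"), item
        elif name == "permit":
            return "PERMIT", item
        # reject_invalid_hostname, reject_unauth_pipelining, check_policy_service
        # and friends need session state this model does not carry: DUNNO.
    return "PERMIT", "end of list"   # nothing objected, smtpd accepts


# Oliver's list, reduced to the restrictions modelled here.
ORIGINAL = [
    "permit_mynetworks",
    "reject_unauth_destination",
    "reject_rbl_client zen.spamhaus.org",
    "reject_rbl_client dnsbl-1.uceprotect.net",
    "permit",
]
# Ralf's placement: after reject_unauth_destination, before the DNSBL it overrides.
WITH_WHITELIST = ORIGINAL[:3] + ["check_client_access hash:/etc/postfix/whitelist"] + ORIGINAL[3:]
# Whitelist first: an OK entry now also bypasses reject_unauth_destination.
MISPLACED = ["check_client_access hash:/etc/postfix/whitelist"] + ORIGINAL

WHITELIST = {"203.0.113.10": "OK"}                        # the friendly sender's IP
LISTINGS = {"dnsbl-1.uceprotect.net": {"203.0.113.10"}}    # constructed listing
FRIENDLY = {"ip": "203.0.113.10", "sasl_authenticated": False,
            "recipient_domain_is_ours": True}
FRIENDLY_RELAYING = dict(FRIENDLY, recipient_domain_is_ours=False)
```

The parent-network lookup is why an entry such as "203.0.113  OK" whitelists the whole /24 in a hash: table, and why a "DUNNO" entry for a single host can carve an exception out of that without touching the rest of the list.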


Re: local recipients in ldap dir

2010-03-26 Thread Jerry
On Fri, 26 Mar 2010 13:13:36 +, me  articulated:

> just signed up and have a novice kind of question, sorry :)
> 
> I'm reading the docs but somehow can not get the hang of a config,
> for a local domain(canonical/mydestination) that recipients list
> would be looked up
> in ldap
> 
> postmap queries my ldap, returns no errors, but
> cannot get whole thing(postfix) to actually work, either errors about:
> unknown user, or status is 'sent/delivered' but nothing in inbox
> 
> I know that easier would be to make it virtual, this works, but..
> 
> - how to configure postfix to look up local recipients in ldap?
> - and if yes is it possible to keep mailboxes under one folder, like
> for vmail?
> 
> the whole idea is to have these local recipients' mailboxes behaving 
> like virtual, no shell accounts
> (on a box here postfix runs coupled with dovecot and dovecot does
> local delivery)

You missed the instructions for reporting a problem on this mailing
list. They were sent to you in the mailing list welcome message.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

Also check out: http://www.postfix.org/DEBUG_README.html

I would recommend that you download 'postfinger' and post its output
here. http://ftp.wl0.org/SOURCES/postfinger


-- 
Jerry
postfix.u...@yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

You are only young once, but you can stay immature indefinitely.


Re: Pflogsumm Version 1.1.3 Released

2010-03-26 Thread Jim Seymour
> Date: Fri, 26 Mar 2010 02:00:10 -0300
> From: Julio Cesar Covolato 
> To: Jim Seymour , owner-postfix-us...@postfix.org
> Subject: Re: Pflogsumm Version 1.1.3 Released
> 
> Hi Jim!
> 
> Any improvement to support reinjection from amavisd?

Nope.  If I had, it would've been mentioned in the ChangeLog.
As stated in Pflogsumm's FAQ #14: I was not able to make anything
work that didn't otherwise harm the output.

John Fawcett has created a Pflogsumm pre-processor/-filter that
he claims works.  It's mentioned in that same FAQ.  I've sent him
an individual heads-up, so he can synchronize his code with the
latest Pflogsumm release if he wishes.  (His code I think won't
process RFC 3339 timestamps.)

Btw: I took a quick look, this morning, to see if it would
be feasible to integrate John's work directly into Pflogsumm.
Doesn't look like it--not without a major restructuring of Pflogsumm,
which is an effort I'm not willing to undertake at this time.

> 
> Thanks

You're welcome.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .


Re: local recipients in ldap dir

2010-03-26 Thread Victor Duchovni
On Fri, Mar 26, 2010 at 01:13:36PM +, me wrote:

> I'm reading the docs but somehow can not get the hang of a config,
> for a local domain(canonical/mydestination) that recipients list would be 
> looked up in ldap

http://www.postfix.org/VIRTUAL_README.html
http://www.postfix.org/DATABASE_README.html
http://www.postfix.org/ldap_table.5.html

> - how to configure postfix to look up local recipients in ldap?

"Local recipients" are *by definition* shell accounts, in that information
about them is obtained via getpwnam(3) (/etc/passwd and nsswitch.conf).

This said, you can use "mailbox_transport" and/or "mailbox_transport_maps"
to deliver email to local addresses that may lack an account. See
the local(8) manpage for details.

> the whole idea is to have these local recipients' mailboxes behaving like 
> virtual, no shell accounts
> (on a box here postfix runs coupled with dovecot and dovecot does local 
> delivery)

You still need a way to validate such accounts, at which point why bother
adding the domain to mydestination and calling it "local"? You can just
virtual_mailbox_domains much more easily in most cases.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Postfix redirection after aliase resolution

2010-03-26 Thread Bob Sauvage
Hi people !

I have a Postfix server and I want to redirect my mail to another server (spam 
filter) after alias resolution, because this spam filter can only filter 
100 addresses.

When the other server has completed its work, it sends the mail back to my Postfix 
server (on another SMTP process and another port, of course).
And finally the mail will be delivered. 

Is this possible ? 

Thanks a lot !


Re: A little bit of spam is getting through

2010-03-26 Thread brian moore
On Thu, 25 Mar 2010 22:13:05 -0600
Josh Cason  wrote:

> So when I grep the original message, in this case as  
> listed above, it lists the server IP number as coming in with some  
> outside e-mail address we don't have.

If it's coming from the server IP or localhost, you've most likely
got some naughty CGI/PHP/whatever script on your server generating it.

(Or someone has a shell account and doing it, but that's rare these
days.)

Is there a web server on this machine?  Do you allow users to run PHP or
CGI?  Are you running a webmail package of some sort and have users
that think it's wise to send their credentials to Nigeria?

Look at log entries in your web server access logs to see if someone is
loading a suspicious looking page around this time (grep for 'POST' in
the logs to narrow it down).
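
The log correlation brian suggests, as an added example that is not part of his reply: parse web server access-log lines in the usual "combined" format, keep the POST requests within a few minutes of the moment the suspicious message was queued, and rank client/script pairs by how often they posted. The access-log lines and the timestamp below are constructed.

```python
"""Added example: correlate a suspicious message's queue time with the web
server's access log. Not the poster's code; the log lines are constructed
and use the Apache/nginx "combined" format."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def posts_near(lines, when, window=timedelta(minutes=2)):
    """POST requests logged within +/- window of `when` (an aware datetime)."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["method"] == "POST" and abs(rec["ts"] - when) <= window:
            hits.append(rec)
    return hits


def suspects(hits):
    """(client ip, script path) pairs, most frequent poster first."""
    return Counter((h["ip"], h["path"]) for h in hits).most_common()


# Constructed access-log lines: one client hammering a contact form right
# around the time the spam left the queue, plus unrelated traffic.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [25/Mar/2010:22:12:58 -0600] "POST /forms/contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [25/Mar/2010:22:13:01 -0600] "POST /forms/contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.20 - - [25/Mar/2010:22:13:03 -0600] "GET /index.html HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Mar/2010:22:13:04 -0600] "POST /forms/contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.20 - - [25/Mar/2010:22:40:10 -0600] "POST /webmail/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Constructed queue time for the suspicious message. Syslog timestamps carry
# neither year nor zone, so the administrator supplies both.
MAIL_SEEN_AT = datetime(2010, 3, 25, 22, 13, 5,
                        tzinfo=timezone(timedelta(hours=-6)))
```

Run it against the real access log by replacing SAMPLE_ACCESS_LOG with the file's lines and MAIL_SEEN_AT with the timestamp of the mail-log entry; the first entry of suspects() is the script and client to look at next.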



Postfix LDAP "Temporary lookup failure"

2010-03-26 Thread Matias Surdi
Hi,

I'm running postfix with a ldap vmailbox database for incoming mails.

The problem is that I'm receiving mail for non-existent accounts, or
with an accented (non-ASCII) character, and instead of rejecting the
mail Postfix replies to the client with a 451 error; here is the
session transcript, with domains modified for privacy reasons:


Transcript of session follows.

Out: 220 mail.example.com ESMTP
In:  EHLO agamemnon.external.com
Out: 250-mail.example.com
Out: 250-PIPELINING
Out: 250-SIZE 2048
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH PLAIN LOGIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In:  STARTTLS
Out: 220 2.0.0 Ready to start TLS
In:  EHLO agamemnon.external.com
Out: 250-mail.example.com
Out: 250-PIPELINING
Out: 250-SIZE 2048
Out: 250-ETRN
Out: 250-AUTH PLAIN LOGIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In:  MAIL FROM:
Out: 250 2.1.0 Ok
In:  RCPT TO:<"?myuser"@example.com>
Out: 451 4.3.0 < myu...@example.com>: Temporary lookup failure
In:  QUIT
Out: 221 2.0.0 Bye


Additionally, in the postfix log I can see:

Mar 26 15:44:17 calipso postfix/smtpd[27237]: warning:
dict_ldap_lookup: Search error 34: Invalid DN syntax


And on the LDAP server I'm getting:
Mar 26 15:44:17 sanson slapd[1688]: conn=204424 op=3 do_search:
invalid dn (uid=myuser,ou=users,dc=example,dc=com)


As you can see, the recipient address is malformed, but postfix is
replying with the wrong error code, although I think this may be more
related to ldap problem than to a postfix one.


here is the vmailbox map config file:

server_host = ldapserver.local
search_base = uid=%u,ou=users,dc=example,dc=com
query_filter = 
(&(mail...@example.com)(memberOf=cn=service_email,ou=groups,dc=example,dc=com))
result_format = ./example.com/%s/
result_attribute = uid
scope = base
bind = yes
bind_dn = uid=serviceauth,ou=users,dc=example,dc=com
bind_pw = pass
version = 3



Any help will be very appreciated.




-- 
Matias Emanuel Surdi.


Re: Postfix LDAP "Temporary lookup failure"

2010-03-26 Thread Quanah Gibson-Mount
--On Friday, March 26, 2010 6:28 PM +0100 Matias Surdi 
 wrote:




Additionally, in the postfix log I can see:

Mar 26 15:44:17 calipso postfix/smtpd[27237]: warning:
dict_ldap_lookup: Search error 34: Invalid DN syntax


Looks like dict_ldap_lookup is failing to properly encode the data before 
querying LDAP.


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: Access based on client cert attributes?

2010-03-26 Thread Victor Duchovni
On Fri, Mar 26, 2010 at 12:52:55PM +0100, Dick Visser wrote:

> > Having noticed the many pitfalls of parsing X.509 certs, and written
> > careful code to parse them (and avoided Postfix being linked to
> > vulnerabilities later found in most certificate parsers), I am reluctant
> > to ask Postfix users to write robust X.509 parsing code in their own
> > policy service code.
> 
> True. On the other hand, the admins responsible for setting the
> institution information (most importantly: 'Organisation') in the
> certificate are also the ones that need to check for it.

If there is no TTP (trusted third party, e.g. an external CA) in the loop,
fingerprints work much more simply. Why do I need a TTP to authenticate
my own users? Using X.509 certs for this is IMHO unwise. SASL (especially
GSSAPI for sites with Kerberos) is much more usable than X.509 client
certs in any case.

> I can see that writing an X.509 parser is non-trivial.
> Maybe this is totally the wrong idea, but would it be possible to reuse
> the SSLRequire code of Apache in a new check_ccert_x, or possibly in a
> policy daemon?
> 
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequire

Much too complex I think.

> > Do your users actually want to install and use client certs? Do they
> > have them in any case for other reasons?
> 
> They don't have them now, but they will soon, and so will thousands of
> others users: https://www.terena.org/activities/tcs/

Sorry, I am deeply skeptical of all PKI initiatives.

> Right now nobody has them, so nobody uses them. TERENA has taken the
> initiative to break this circle and to make them really available to our
> community.

My prediction is that Terena will fail for the same reasons as everyone
that tried this before. The PKI model is deeply flawed.

> It is expected that the same will happen with the personal (client)
> certificates: once it is very easy and convenient to get one,
> certificate based services will get used more and more.

I expect that you'll not find this to be the case.

> Lots of postmasters in the academic and research networking area will
> want to use this. The TERENA Certificate Service is aimed at European
> NRENs, which means in principle all students/employees/etc of higher
> education and research institutes. So there is a huge potential.

If PKI for the masses suddenly takes off, we can revisit Postfix support
for this.

In the mean time, what's available to policy services is the issuer name
(CN or O) and subject CN. I am disinclined to send the peer certificate
blob to policy services or build-in a complex language to evaluate
client certs.

We could perhaps agree on a robust encoding of the issuer and subject
DN, and make these available to policy services (duplicating the current
issuer name and subject name, which are components of each).

I can probably help more users at lower implementation cost by allowing
access checks on the public-key fingerprint instead of the certificate
fingerprint, which would allow clients that renew CA certs with the
same underlying private/public key pair to continue to access a given
Postfix server.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: Postfix LDAP "Temporary lookup failure"

2010-03-26 Thread Victor Duchovni
On Fri, Mar 26, 2010 at 10:31:50AM -0700, Quanah Gibson-Mount wrote:

> --On Friday, March 26, 2010 6:28 PM +0100 Matias Surdi 
>  wrote:
>
>
>> Additionally, in the postfix log I can see:
>>
>> Mar 26 15:44:17 calipso postfix/smtpd[27237]: warning:
>> dict_ldap_lookup: Search error 34: Invalid DN syntax
>
> Looks like dict_ldap_lookup is failing to properly encode the data before 
> querying LDAP.

No idle speculation please. Postfix encodes the LDAP query with particular
care, but Postfix is only responsible for encoding the variable parts
of the query and search base that it inserts via "%s", "%d", "%u",
... The fixed parts of the query and search base must be configured
correctly by the administrator. This also applies to any DNs found
in special_result_attribute values.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: Postfix LDAP "Temporary lookup failure"

2010-03-26 Thread Victor Duchovni
On Fri, Mar 26, 2010 at 06:28:50PM +0100, Matias Surdi wrote:

> The problem is that I'm receiving mails to non existent accounts, or ,
> with an accented (non ascii) character and instead of rejecting the
> mail postfix is replying the client with a 451 error, here is the
> session transcript, with modified domains for privacy reasons:

SMTP is not a UTF-8 protocol, it is an ASCII protocol, and envelopes
with non-ASCII characters are malformed. In your case, you should
reject these via a suitable check before passing them to LDAP.

> In:  RCPT TO:<"?myuser"@example.com>
> Out: 451 4.3.0 < myu...@example.com>: Temporary lookup failure

Don't pass non-ASCII user names to your LDAP table.

> search_base = uid=%u,ou=users,dc=example,dc=com

In RFC 2253, all attribute values are assumed to be UTF-8. Postfix has
no idea what character-encoding (UTF-8, ISO-8859-1, ...) corresponds to
a non-ASCII envelope recipient, and so cannot translate this value to
UTF-8. The value provided is encoded in the query verbatim. In this case,
your server objects to the malformed UTF-8 string in the search base.

Use a fixed search base with a "scope" of "sub" or "one".

search_base = ou=users,dc=example,dc=com

and add (uid=%u) to your search filter if necessary.

> search_base = uid=%u,ou=users,dc=example,dc=com
> query_filter = 
> (&(mail...@example.com)(memberOf=cn=service_email,ou=groups,dc=example,dc=com))
> result_format = ./example.com/%s/
> result_attribute = uid
> scope = base

Perhaps the LDAP server will tolerate non-ASCII data in the query value
and return "not-found".

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: Postfix LDAP "Temporary lookup failure"

2010-03-26 Thread Wietse Venema
Victor Duchovni:
> On Fri, Mar 26, 2010 at 06:28:50PM +0100, Matias Surdi wrote:
> 
> > The problem is that I'm receiving mails to non existent accounts, or ,
> > with an accented (non ascii) character and instead of rejecting the
> > mail postfix is replying the client with a 451 error, here is the
> > session transcript, with modified domains for privacy reasons:
> 
> SMTP is not a UTF-8 protocol, it is an ASCII protocol, and envelopes
> with non-ASCII characters are malformed. In your case, you should
> reject these via a suitable check before passing them to LDAP.
> 
> > In:  RCPT TO:<"?myuser"@example.com>
> > Out: 451 4.3.0 < myu...@example.com>: Temporary lookup failure
> 
> Don't pass non-ASCII user names to your LDAP table.

Hmm. If the Postfix LDAP driver handles only non-ASCII query keys
then we should have a smarter response from the mail system.

One obvious response is to return a "not found" result. We have
prior art with this. When Postfix is asked to look up an empty
string, some Berkeley DB implementations return an error, so we
don't do such lookups and return "not found" instead of a non-persistent
error.

> In RFC 2253, all attribute values are assumed to be UTF-8. Postfix has
> no idea what character-encoding (UTF-8, ISO-8859-1, ...) corresponds to
> a non-ASCII envelope recipient, and so cannot translate this value to
> UTF-8. The value provided is encoded in the query verbatim. In this case,
> your server objects to the malformed UTF-8 string in the search base.

Fortunately, UTF-8 is a "stateful" encoding so it knows that this
non-ASCII character is out-of-order, but I would prefer not to make
the query at all.

Wietse


Spam from the same domain

2010-03-26 Thread listadecorreo


Hello

In the last month I received a lot of spam from user_non_ex...@mydomain 
to user_ex...@mydomain. Can I block all externally received mails 
from my domain to my domain?


I use postfix with amavis (spamassassin/clamav)

thanks in advance


Re: Spam from the same domain

2010-03-26 Thread Mark Goodge

On 26/03/2010 20:54, listadecorreo wrote:
> Hello
>
> in the last month I revived a lot of spam from user_non_ex...@mydomain
> to user_ex...@mydomain. can I block all received externals mails
> from my domain to my domain...


It's very easy to block mails from fake_u...@domain to real_u...@domain. 
Just turn on sender address verification for your own domains. See 
http://www.postfix.org/ADDRESS_VERIFICATION_README.html for details on 
how it's configured.


Blocking forged mails from real_u...@domain to real_u...@domain is 
harder, as if any of your users use SMTP servers other than your own 
then it's very hard to distinguish between that and forgeries.


Mark


Re: Postfix LDAP "Temporary lookup failure"

2010-03-26 Thread Victor Duchovni
On Fri, Mar 26, 2010 at 04:54:00PM -0400, Wietse Venema wrote:

> > Don't pass non-ASCII user names to your LDAP table.
> 
> Hmm. If the Postfix LDAP driver handles only non-ASCII query keys
> then we should have a smarter response from the mail system.

Agreed. By the time I read your message, I had already implemented this
idea. Arguably, something similar should be done for MySQL and PgSQL,
since even with the databases willing to convert local encodings to
UTF-8, the data Postfix sends into the query is not known to be in the
local character-set, and so all such queries are dubious.

How useful is support for non-ASCII "RCPT TO" and "MAIL FROM"? It seems
to me that it may be best to just reject them as invalid SMTP syntax long
before we get to the database layer.

Index: src/global/dict_ldap.c
--- src/global/dict_ldap.c  10 Mar 2010 04:39:57 -  1.1.1.1.12.1
+++ src/global/dict_ldap.c  26 Mar 2010 21:10:55 -
@@ -1180,12 +1180,21 @@
 static VSTRING *result;
 int rc = 0;
 int sizelimit;
+const char *cp;
 
 dict_errno = 0;
 
 if (msg_verbose)
msg_info("%s: In dict_ldap_lookup", myname);
 
+for (cp = name; *cp; ++cp)
+   if (!ISASCII(*cp)) {
+   if (msg_verbose)
+   msg_info("%s: %s: Skipping lookup of non-ASCII key '%s'",
+myname, dict_ldap->parser->name, name);
+   return (0);
+   }
+
 /*
  * Optionally fold the key.
  */
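Review bot: the new loop returns 0 with `dict_errno` still at the 0 set a few lines above, so a non-ASCII key yields a plain not-found instead of a temporary failure, which is the behaviour Wietse asked for; the only trace is the `msg_verbose`-gated msg_info, so consider documenting the skip in ldap_table(5) so that an operator chasing an unexpected "User unknown" for an accented recipient can find the cause without turning verbose logging on. Placing the check before the key folding and the domain check is right (case folding cannot rescue a non-ASCII byte); one thing to glance at is that `cp` is a `const char *`, so the test relies on ISASCII coping with bytes above 127 arriving as negative `char` values.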
@@ -1203,7 +1212,8 @@
  */
 if (db_common_check_domain(dict_ldap->ctx, name) == 0) {
if (msg_verbose)
-   msg_info("%s: Skipping lookup of '%s'", myname, name);
+   msg_info("%s: %s: Skipping lookup of key '%s': domain mismatch",
+myname, dict_ldap->parser->name, name);
return (0);
 }
 #define INIT_VSTR(buf, len) do { \
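Review bot: message text only, no logic change; adding `dict_ldap->parser->name` here makes the domain-mismatch skip carry the table name in the same form as the new non-ASCII skip, so the two skip reasons can be told apart per table when several ldap: tables are configured. The reworded line is still a single msg_info call, so nothing else in the function is affected.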

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
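
Viktor's explanation of why `uid=%u` in the search base breaks on a non-ASCII recipient, Wietse's "return not found" proposal and the ISASCII check in the patch above, as an added example written for this page (not Postfix source): a Python model of how an ldap: table expands %s, %u and %d into the search base and the filter. The two table definitions mirror the thread's before/after configuration; the `(mail=%s)` term is my reconstruction of the garbled filter, the Latin-1 sample key is constructed, and the function names are mine.

```python
"""Model of the Postfix ldap: lookup path discussed above (added example,
not Postfix source). Keys are bytes, as Postfix receives them in the envelope."""
import re

# Constructed configs mirroring the thread; (mail=%s) reconstructs the garbled filter.
BROKEN_CONFIG = {
    # The key is spliced into a DN: a non-UTF-8 byte here is "Invalid DN syntax"
    "search_base": "uid=%u,ou=users,dc=example,dc=com",
    "query_filter": "(&(mail=%s)(memberOf=cn=service_email,ou=groups,dc=example,dc=com))",
    "scope": "base",
}
FIXED_CONFIG = {
    # Fixed base; the key only ever appears as an escaped filter value
    "search_base": "ou=users,dc=example,dc=com",
    "query_filter": "(&(uid=%u)(mail=%s)(memberOf=cn=service_email,ou=groups,dc=example,dc=com))",
    "scope": "sub",
}


def is_ascii(key: bytes) -> bool:
    """The test the patch adds: every byte of the key is below 0x80."""
    return all(b < 0x80 for b in key)


def escape_filter_value(value: bytes) -> bytes:
    """RFC 4515 (formerly 2254) quoting for a value inside a search filter."""
    out = bytearray()
    for b in value:
        if b == 0 or b in b"\\*()":
            out += b"\\%02x" % b
        else:
            out.append(b)
    return bytes(out)


def escape_dn_value(value: bytes) -> bytes:
    """RFC 4514 (formerly 2253) quoting for an attribute value inside a DN.
    Quoting cannot repair encoding: a Latin-1 byte stays an invalid UTF-8 byte."""
    out = bytearray()
    last = len(value) - 1
    for i, b in enumerate(value):
        if b in b',+"\\<>;' or (i == 0 and b in b"# ") or (i == last and b == 0x20):
            out += b"\\"
        out.append(b)
    return bytes(out)


def expand(template: str, key: bytes, escape) -> bytes:
    """Expand %s (whole key), %u (local part), %d (domain) with the given quoting."""
    local, sep, domain = key.partition(b"@")
    parts = {b"s": key, b"u": local, b"d": domain if sep else b""}
    return re.sub(rb"%([sud])", lambda m: escape(parts[m.group(1)]), template.encode("ascii"))


def build_query(config: dict, key: bytes, skip_non_ascii: bool = True):
    """Return (search_base, filter, scope), or None meaning 'not found'.
    skip_non_ascii=True is the patched behaviour: the key never reaches the
    directory and the result is a plain not-found, not a temporary failure."""
    if skip_non_ascii and not is_ascii(key):
        return None
    return (expand(config["search_base"], key, escape_dn_value),
            expand(config["query_filter"], key, escape_filter_value),
            config["scope"])


def dn_is_valid_utf8(dn: bytes) -> bool:
    """What the directory server checks on the DN: RFC 4514 DNs are UTF-8."""
    try:
        dn.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    # A plain ASCII recipient works with either table layout.
    print(build_query(FIXED_CONFIG, b"myuser@example.com"))
    # Constructed Latin-1 'josé' (0xE9) as it would arrive in an 8-bit envelope:
    latin1 = b"jos\xe9@example.com"
    print(build_query(BROKEN_CONFIG, latin1))                    # None: skipped, not found
    base, _, _ = build_query(BROKEN_CONFIG, latin1, skip_non_ascii=False)
    print(base, dn_is_valid_utf8(base))                         # the DN the server rejected
```

With the fixed table the same Latin-1 key only ever lands inside the filter, where the server answers "not found" rather than rejecting the DN; the unpatched driver would still send it, which is why the skip in the patch and the fixed search base address two different failure points.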


Re: Spam from the same domain

2010-03-26 Thread Daniel L'Hommedieu
On Mar 26, 2010, at 17:14, Mark Goodge wrote:
> On 26/03/2010 20:54, listadecorreo wrote:
>> 
>> Hello
>> 
>> in the last month I revived a lot of spam from user_non_ex...@mydomain
>> to user_ex...@mydomain. can I block all received externals mails
>> from my domain to my domain...
> 
> It's very easy to block mails from fake_u...@domain to real_u...@domain. Just 
> turn on sender address verification for your own domains. See 
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html for details on how 
> it's configured.
> 
> Blocking forged mails from real_u...@domain to real_u...@domain is harder, as 
> if any of your users use SMTP servers other than your own then it's very hard 
> to distinguish between that and forgeries.

Mark,

I find that using the Zen spamhaus list does a very good job at blocking mail 
from real_u...@example.com, for my domains example.com.

Daniel

Re: Spam from the same domain

2010-03-26 Thread Steve

 Original message 
> Date: Fri, 26 Mar 2010 21:54:43 +0100
> From: listadecorreo 
> To: postfix-users@postfix.org
> Subject: Spam from the same domain

> 
> Hello
> 
> in the last month I revived a lot of spam from user_non_ex...@mydomain 
> to user_ex...@mydomain. can I block all received externals mails 
> from my domain to my domain... 
> 
Are your users sending mail over your infrastructure? Do you force them to use 
SMTP AUTH/SASL? If so then you might have a look at 
reject_sender_login_mismatch to stop forgeries from your own domain.


> I use postfix with amavis (spamassassin/clamav)
> 
> thanks in advance

-- 
Safer, faster and simpler. The latest Internet browsers -
download now for free! http://portal.gmx.net/de/go/atbrowser


Catch-all alias not working correctly

2010-03-26 Thread Da-Huntha
Hello everyone,

I've recently set up a backup server and chose postfix to handle the mail.
It's running on Debian 5, kernel 2.6.26-2-686.
While I got postfix running, it won't handle my catch-all alias settings
correctly.

Here's my basic set-up:

# /etc/mailname
domain.com

# /etc/postfix/virtual
m...@domain.com me
@domain.com spam
@domain2.com spam

Both me and spam are UNIX accounts, both domains are in the mydestination
setting.

Thanks in advance if you are willing to help me. Next up I'll post my
postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = domain.com, domain2.com, hostname, localhost.localdomain,
localhost
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/virtual


Re: Catch-all alias not working correctly

2010-03-26 Thread Da-Huntha
Oops, I forgot to mention the problem: All mail goes to the catch-all
address, so even mail destined for m...@domain.com.

On Fri, Mar 26, 2010 at 11:14 PM, Da-Huntha wrote:

> Hello everyone,
>
> I've recently set up a backup server and chose postfix to handle the mail.
> It's running on Debian 5, kernel 2.6.26-2-686.
> While I got postfix running, it won't handle my catch-all alias settings
> correctly.
>
> Here's my basic set-up:
>
> # /etc/mailname
> domain.com
>
> # /etc/postfix/virtual
> m...@domain.com me
> @domain.com spam
> @domain2.com spam
>
> Both me and spam are UNIX accounts, both domains are in the mydestination
> setting.
>
> Thanks in advance if you are willing to help me. Next up I'll post my
> postconf -n:
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> inet_interfaces = all
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> mydestination = domain.com, domain2.com, hostname, localhost.localdomain,
> localhost
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
> mynetworks_style = host
> myorigin = /etc/mailname
> readme_directory = no
> recipient_delimiter = +
> relayhost =
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> unknown_local_recipient_reject_code = 450
> virtual_alias_maps = hash:/etc/postfix/virtual
>


Can receive jpeg but can't send

2010-03-26 Thread Rafael Andrade

Hello Members,

I would like to know if there is a method so I can have the following 
configuration on my MTA:


The user foobar can receive attached jpeg files, but cannot send 
attached jpegs.  I need this because some employees must receive some 
files in a specific extension, but cannot send files in that same 
extension.


Thanks in advance

Rafael


Re: Postfix redirection after alias resolution

2010-03-26 Thread Ansgar Wiechers
On 2010-03-26 Bob Sauvage wrote:
> I have a postfix server and I want to redirect my mails to another
> server (spam filter) after the alias resolution, because this spam
> filter can only filter 100 addresses.
> 
> When the other server has completed its work, it sends this mail to my
> Postfix server (on another SMTP process and another port of course).
> And finally the mails will be delivered. 
> 
> Is this possible ? 

http://www.postfix.org/SMTPD_PROXY_README.html
http://www.postfix.org/FILTER_README.html
http://www.postfix.org/MILTER_README.html

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: whitelist for smtp_recipient_restrictions

2010-03-26 Thread Ralf Hildebrandt
* Schwalbe, Oliver :
> 
> Hello Mr Hildebrandt,
> 
> Thanks for the quick reply.
> I have already disabled uceprotect.net as a first measure, but would 
> quite like to come back to it.
> But I still need more precise information on where I have to put IP ok.
> Do I have to create a separate file for that and point to it?

Yes, like I wrote in my answer:
--->check_client_access hash:/etc/postfix/whitelist

echo "IP OK" > /etc/postfix/whitelist
postmap /etc/postfix/whitelist

-- 
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Spam from the same domain

2010-03-26 Thread Ansgar Wiechers
On 2010-03-26 Steve wrote:
> Von: listadecorreo 
>> in the last month I revived a lot of spam from
>> user_non_ex...@mydomain to user_ex...@mydomain. can I block all
>> received externals mails from my domain to my domain... 
^^^
> Are your users sending mail over your infrastructure? Do you force
> them to use SMTP AUTH/SASL? If so then you might have a look at
> reject_sender_login_mismatch to stop forgeries from your own domain.

The OP wants to block external, not internal senders.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Spam from the same domain

2010-03-26 Thread Steve

 Original message 
> Date: Sat, 27 Mar 2010 00:13:25 +0100
> From: Ansgar Wiechers 
> To: postfix-users@postfix.org
> Subject: Re: Spam from the same domain

> On 2010-03-26 Steve wrote:
> > Von: listadecorreo 
> >> in the last month I revived a lot of spam from
> >> user_non_ex...@mydomain to user_ex...@mydomain. can I block all
> >> received externals mails from my domain to my domain... 
> ^^^
> > Are your users sending mail over your infrastructure? Do you force
> > them to use SMTP AUTH/SASL? If so then you might have a look at
> > reject_sender_login_mismatch to stop forgeries from your own domain.
> 
> The OP wants to block external, not internal senders.
> 
I have perfectly understood what the OP wants. And my answer is still valid. I 
have reject_sender_login_mismatch active on my servers and trying from remote 
(or local) to send a mail with my email address or any email address under one 
of my domains as the sender without being authenticated against Postfix does 
not work (replaced sensitive information to protect the innocent):
-
netbox ~ # telnet mail.mydomain.tld 25
Trying 12.23.34.56...
Connected to mail.mydomain.tld.
Escape character is '^]'.
220 cluster2.mydomain.tld ESMTP Postfix (2.7.0)
ehlo some.remote.name.tld
250-cluster2.mydomain.tld
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:
553 5.7.1 : Sender address rejected: not logged in
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
netbox ~ #
-

And the same goes if the sender does not exist:
-
netbox ~ # telnet mail.mydomain.tld 25
Trying 12.23.34.57...
Connected to mail.mydomain.tld.
Escape character is '^]'.
220 cluster1.mydomain.tld ESMTP Postfix (2.7.0)
ehlo some.remote.name.tld
250-cluster1.mydomain.tld
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:
553 5.7.1 : Sender address rejected: not logged in
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
netbox ~ #
-

So if I am not totally wrong in understanding the OP, then the above would work for 
blocking external mails that claim to be from  and are 
sent to . But only if he has a mechanism available in 
Postfix to identify logged-in users and if he forces all of his users to 
authenticate first before being able to send mails.

Please feel free to correct me if my suggestion is not valid.


> Regards
> Ansgar Wiechers
> -- 
// Steve
-- 
FREE for all GMX members: the maxdome Movie-FLAT!
Activate it now at http://portal.gmx.net/de/go/maxdome01
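
The two mechanisms proposed in this thread (Mark's sender address verification for your own domains, Steve's reject_sender_login_mismatch), as an added example written for this page rather than Postfix code: a Python model of how smtpd walks a sender restriction list for one MAIL FROM command, so the difference between a nonexistent local sender, a forged real local sender and an authenticated user is visible. The domain, user and login tables are constructed, the verification step is a shortcut for the real delivery probe, and the function names mirror the Postfix restriction names only for readability.

```python
"""Added example, not Postfix code: model of smtpd restriction evaluation for
MAIL FROM with the two checks suggested in this thread. Tables and addresses
are constructed; the verification shortcut stands in for the real probe."""
from dataclasses import dataclass
from typing import Optional

MYDOMAINS = {"mydomain.tld"}                 # stands in for $mydestination
LOCAL_USERS = {"real_user", "postmaster"}    # who would verify successfully
# Stands in for smtpd_sender_login_maps: sender address -> SASL logins allowed to use it
SENDER_LOGIN_MAP = {
    "real_user@mydomain.tld": {"real_user"},
    "postmaster@mydomain.tld": {"real_user"},
}

@dataclass
class Session:
    client_ip: str
    sasl_username: Optional[str] = None   # None: client did not authenticate
    in_mynetworks: bool = False

PERMIT = "PERMIT"

def permit_mynetworks(session: Session, sender: str):
    return PERMIT if session.in_mynetworks else None

def permit_sasl_authenticated(session: Session, sender: str):
    return PERMIT if session.sasl_username else None

def reject_unverified_sender(session: Session, sender: str):
    """Sender address verification limited to our own domains (Mark's suggestion).
    For a domain in $mydestination the probe boils down to 'does the user exist';
    the 450 reply code means a verification hiccup is retried, not bounced."""
    local, _, domain = sender.rpartition("@")
    if domain.lower() in MYDOMAINS and local not in LOCAL_USERS:
        return "450 4.1.7 Sender address rejected: unverified address"
    return None

def reject_sender_login_mismatch(session: Session, sender: str):
    """Both halves of reject_sender_login_mismatch (Steve's suggestion):
    an owned address from an unauthenticated client, or from the wrong login."""
    owners = SENDER_LOGIN_MAP.get(sender.lower())
    if session.sasl_username is None:
        return "553 5.7.1 Sender address rejected: not logged in" if owners else None
    if not owners or session.sasl_username not in owners:
        return "553 5.7.1 Sender address rejected: not owned by user " + session.sasl_username
    return None

# Order matters: the mismatch check must precede permit_sasl_authenticated,
# otherwise an authenticated client is waved through before it is checked.
SMTPD_SENDER_RESTRICTIONS = [
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unverified_sender,
]

def evaluate(restrictions, session: Session, sender: str) -> str:
    """First restriction with an opinion wins; a list with no opinion permits."""
    for check in restrictions:
        verdict = check(session, sender)
        if verdict == PERMIT:
            return "250 2.1.0 Ok"
        if verdict:
            return verdict
    return "250 2.1.0 Ok"

def scenarios() -> dict:
    external = Session("203.0.113.5")                          # unauthenticated, outside
    owner = Session("198.51.100.7", sasl_username="real_user")
    other = Session("198.51.100.9", sasl_username="other_user")
    run = lambda s, addr: evaluate(SMTPD_SENDER_RESTRICTIONS, s, addr)
    return {
        "external, nonexistent local sender": run(external, "fake_user@mydomain.tld"),
        "external, forged real local sender": run(external, "real_user@mydomain.tld"),
        "external, foreign sender": run(external, "someone@example.org"),
        "authenticated owner": run(owner, "real_user@mydomain.tld"),
        "authenticated, wrong login": run(other, "real_user@mydomain.tld"),
    }

if __name__ == "__main__":
    for case, reply in scenarios().items():
        print(f"{case:38} -> {reply}")
```

The model makes Ansgar's objection and Steve's answer both visible: an external, unauthenticated client forging a real local address is rejected by the login-mismatch check exactly as in Steve's transcript, but only because that address has an owner in the login map and every legitimate user of it authenticates; users who submit through some other provider's server would hit the same 553.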