Re: Protection against stolen credentials?

2010-04-15 Thread ram

On Wed, 2010-04-14 at 21:15 +0200, Ignacio García wrote:

> Hi there. Some days ago one of our postfix servers was abused by bot 
> networks using one of our customers' stolen credentials, probably 
> leaked inadvertently through a virus/keylogger. In a few hours more than 2 spam 
> messages were in our queue. Looking at the logs I realized all those 
> outgoing messages came authenticated with the same stolen user 
> credentials and from many different geolocations. Just changing the 
> password solved the problem. This is a very disturbing issue for us, 
> since it is hard to notice there's something going on until the server 
> is already puking spam all over. Does anybody know of an automatic way 
> of preventing this (or at least an automatic way of blocking it in early 
> stages)? We were thinking of something like a script monitoring the logs 
> for same-user authenticated connections from different IPs to create a 
> blacklist of some sort...
> 
> Thanks in advance.
> 
> Ignacio



This is a very common problem. Search the archives for older
conversations. One of them is here:

http://groups.google.com/group/mailing.postfix.users/browse_thread/thread/596a160388faba35/862d6abf348b8962







defer: removed spurious QUEUEID log

2010-04-15 Thread Stefan Foerster
This morning, I got a warning in my logs that I have never seen
before:

postfix-hub/cleanup[27115]: warning: defer: removed spurious 1E0DE10003 log

It was followed by what seemed the normal delivery of a single mail:

postfix-hub/smtpd[27112]: 1E0DE10003: 
client=edge.kvm.incertum.net[192.168.122.13]
postfix-hub/cleanup[27115]: 1E0DE10003: 
message-id=<20100414094410.gq24...@charite.de>
postfix-hub/qmgr[19522]: 1E0DE10003: from=,
size=5399, nrcpt=1 (queue active)
postfix-out/smtp[4869]: 1DF1D1E05F: to=,
relay=mailhub.kvm.incertum.net[192.168.122.2]:25, delay=0.32, 
delays=0.04/0.01/0.01/0.27,
dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1E0DE10003)
postfix-hub/pipe[27116]: 1E0DE10003: to=,
relay=dovecot, delay=0.53, delays=0.26/0.01/0/0.26, dsn=2.0.0, status=sent
(delivered via dovecot service)
postfix-hub/qmgr[19522]: 1E0DE10003: removed

What exactly happened here? Do I need to worry? If you need the output
of "postconf -n", do you need the output from the "-hub" instance
only?


Stefan


Re: defer: removed spurious QUEUEID log

2010-04-15 Thread Wietse Venema
Stefan Foerster:
> This morning, I got a warning in my logs that I have never seen
> before:
> 
> postfix-hub/cleanup[27115]: warning: defer: removed spurious 1E0DE10003 log

Long ago, the queue file {incoming/active/deferred}/1E0DE10003 was
deleted without also removing the file defer/1E0DE10003.

> It was followed by what seemed the normal delivery of a single mail:
> 
> postfix-hub/smtpd[27112]: 1E0DE10003: 
> client=edge.kvm.incertum.net[192.168.122.13]

Right, this is a new message that has claimed the name 1E0DE10003.
Postfix must not append mail delivery errors to a file that contains
the errors for the deleted 1E0DE10003 message.

Wietse


Re: All email forward a copy to testing server

2010-04-15 Thread Wietse Venema
Patric Falinder:
> Ok after a little trial and error I tried to remove the
> "no_address_mappings" from "-o receive_override_options=" in master.cf
> and it started working :D I did as I first was told, with the options in
> main.cf so I didn't add the -o recipient_bcc_maps =
> regexp:/etc/postfix/recipient_bcc in master.cf. btw, does anyone know
> what no_address_mappings does in receive_override_options?

If in doubt read the documentation:

man 5 postconf
...
receive_override_options (default: empty)
   Enable or disable recipient validation, built-in content filtering, or
   address mapping. Typically, these are specified in master.cf as
   command-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
...
   no_address_mappings
  Disable canonical address mapping, virtual alias map expansion,
  address masquerading, and automatic BCC (blind carbon-copy)
  recipients. This is typically specified BEFORE an external content
  filter.

Wietse


Many IP address outgoing messages

2010-04-15 Thread Eduardo Júnior
Hi, all


Due to the high load of e-mail over my link, I want my outgoing
messages to go out through more IPs with only one postfix box.

I read about that, but not in official documentation.

I want to understand how this works and how to implement it.

Could anyone point me to the respective doc?


Thanks,

-- 
Eduardo Júnior
GNU/Linux user #423272

:wq


Re: Many IP address outgoing messages

2010-04-15 Thread Noel Jones

On 4/15/2010 8:04 AM, Eduardo Júnior wrote:

Hi, all


Due to the high load of e-mail over my link, I want my outgoing
messages to go out through more IPs with only one postfix box.

I read about that, but not in official documentation.

I want to understand how this works and how to implement it.

Could anyone point me to the respective doc?


Thanks,



See the postfix 2.7 RELEASE_NOTES, under the section labeled 
"Major changes - sender reputation".  That will point you to 
further reading.


Of course, this feature requires postfix 2.7 or newer.

  -- Noel Jones



Re: Many IP address outgoing messages

2010-04-15 Thread Eero Volotinen
> Anyone could point me to the respective doc?

how about: 
http://www.kutukupret.com/2009/11/30/postfix-smtp-outgoing-ip-rotator-using-iptables/

--
Eero


Re: Append a custom head via a filter, partially OT

2010-04-15 Thread Noel Jones

On 4/14/2010 11:02 PM, Gary Smith wrote:

We use a filter to break out and run our spamassassin and other checks. In the bash 
shell script that handles that process, we need to insert a custom unique header per email 
for compliance.  Is there a simple way of doing this without having to go into 
any special mime processing of the message?

Gary Smith




Is there some reason the Message-ID won't work as a unique 
identifier?


You can use a policy server to insert a header based on 
envelope information.

http://www.postfix.org/SMTPD_POLICY_README.html

If your header must be based on the message content, you'll 
need a milter or content_filter.



  -- Noel Jones
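To show what "a policy server that inserts a header based on envelope information" looks like on the wire, here is an added example (not code from the thread, from Noel, or from the Postfix project). It speaks the SMTPD_POLICY_README protocol: Postfix sends `name=value` lines terminated by an empty line, the server answers `action=...` followed by an empty line. The header name `X-Compliance-Tag`, the port 10040 and the sample request are all constructed for this example; the `instance` attribute it keys on is the real one Postfix sends, and is identical for every recipient of the same message, so the header is prepended once rather than once per RCPT TO.

```python
"""Minimal Postfix SMTPD policy service that tags each message with one header."""
import socketserver
import uuid

HEADER_NAME = "X-Compliance-Tag"   # hypothetical header name for this example

# Constructed policy request of the kind Postfix sends at RCPT time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "sender=sender@example.org\n"
    "recipient=alice@example.com\n"
    "instance=123.456.7\n"
    "sasl_username=\n"
    "\n"
)


def parse_policy_request(text):
    """Turn 'name=value' lines (up to the first empty line) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class TagPolicy:
    """Issue exactly one tag per message.

    Postfix queries the policy service once per recipient, but sends the
    same 'instance' value for every recipient of one message; remembering
    it avoids prepending the header several times."""

    def __init__(self):
        self.seen = {}   # instance -> tag; prune periodically in a real service

    def decide(self, attrs):
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        instance = attrs.get("instance", "")
        if instance in self.seen:
            return "DUNNO"              # header already added for this message
        tag = uuid.uuid4().hex          # unique, content-independent tag
        self.seen[instance] = tag
        return f"PREPEND {HEADER_NAME}: {tag}"

    def respond(self, request_text):
        """Full reply: an access(5) action line plus the terminating empty line."""
        return f"action={self.decide(parse_policy_request(request_text))}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection may carry many requests; answer each as it completes."""
    policy = TagPolicy()

    def handle(self):
        pending = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            pending.append(line)
            if line == "":
                self.wfile.write(self.policy.respond("\n".join(pending)).encode())
                self.wfile.flush()
                pending = []


if __name__ == "__main__":
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Wire it up with `check_policy_service inet:127.0.0.1:10040` in `smtpd_recipient_restrictions`; because the policy service only sees envelope attributes, anything that has to depend on the message body still needs the milter or content_filter route Noel mentions.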


RE: Append a custom head via a filter, partially OT

2010-04-15 Thread Gary Smith
> Is there some reason the Message-ID won't work as a unique
> identifier?
> 

It's about compliance tracking and tagging for specific things.

> You can use a policy server to insert a header based on
> envelope information.
> http://www.postfix.org/SMTPD_POLICY_README.html
> 
> If your header must be based on the message content, you'll
> need a milter or content_filter.
> 

Indeed.  We are hooking into the content_filter as we speak.  We do some 
analytics on the email message and need to append and track content specific 
hit ratios for specific messages.  Basically, think of putting a spam score 
into a message, but instead of checking for spam, we are checking to see if the 
incoming message violates specific guidelines.  I know it might sound a little 
trivial as we could just as easily develop some type of database, but since all 
our email already goes to a compliance archive, we want to keep intact what the 
hit ratio was for that specific message based upon that point in time without 
having to worry about keeping some type of mapping in place.  (that's the 
slightly longer reason).


Re: catch-all not working with postfix dovecot lda

2010-04-15 Thread Noel Jones

On 4/14/2010 3:42 PM, fakessh wrote:

On Wed, 14 Apr 2010 13:50:34 -0500, Noel Jones
wrote:

On 4/14/2010 1:45 PM, fakessh wrote:

On Wed, 14 Apr 2010 14:12:25 -0400, Charles Marcus
   wrote:



I changed the entries @fakessh to r...@localhost in /etc/postfix/virtual,
ran postmap on the file, then restarted postfix.

All without success, or rather the same mistake.


Then post your new "postconf -n", log entries showing the 
problem, and file contents.


But you already have all the information you need to fix this 
yourself.


Key points are
1) use fully qualified names in virtual_alias_maps, i.e.
u...@example1.com   u...@example2.com

*not*
u...@example1.com   user

2) if you want local delivery of the mail, the new domain must 
be listed in mydestination.


Your fix may be as simple as adding "localhost.$mydomain" to 
mydestination.



  -- Noel Jones


Limit outgoing SMTP

2010-04-15 Thread Claudio Prono
Hi to all, 

Just a question: is there any method to limit outgoing mail?
Something like domain.com allowed, domain.net not allowed, or
u...@domain.com allowed, u...@domain.net not allowed. And can this be
done for each user?

If it is possible, is there any web-based or similar tool to manage this?

Any help is really appreciated.

Cordially,

Claudio Prono.

-- 

Claudio Prono OPST
System Developer          Gsm: +39-349-54.33.258
@PSS Srl                  Tel: +39-011-32.72.100
Via San Bernardino, 17    Fax: +39-011-32.46.497
10141 Torino - ITALY      http://atpss.net/disclaimer

PGP Key - http://keys.atpss.net/c_prono.asc






DKIM-milter only for outgoing

2010-04-15 Thread Birta Levente

Hi all

My postfix server is set up with amavisd-new and dkim-milter.

In the  main.cf:

content_filter = smtp-amavis:[127.0.0.1]:10024

smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_protocol = 2
milter_default_action = accept



With this configuration the DKIM signature is added even to the incoming 
mails and I don't see any reason to do that.


How can I set up the server to add DKIM signature only for the outgoing 
mails?


thanks

Levi





Re: DKIM-milter only for outgoing

2010-04-15 Thread Tomoyuki Murakami

From: Birta Levente 
Subject: DKIM-milter only for outgoing
Date: Thu, 15 Apr 2010 17:23:12 +0300

> My postfix server is set up with amavisd-new and dkim-milter.
>
> In the  main.cf:
>
> content_filter = smtp-amavis:[127.0.0.1]:10024
>
> smtpd_milters = inet:localhost:20209
> non_smtpd_milters = inet:localhost:20209
> milter_protocol = 2
> milter_default_action = accept

> With this configuration the DKIM signature is added even to the
> incoming mails and I don't see any reason to do that.

For dkim-filter, you can limit the signing domain by the -d option.
In Postfix, you should separate the services for incoming and
outgoing (submission). If you do so, you can move the milter
setting from main.cf to master.cf, with a setting like:

smtp       inet  n  -  n  -  -  smtpd
  -o .
  -o ..

submission inet  n  -  n  -  -  smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o ...
  -o smtpd_milters=inet:127.0.0.1:20209

 ... I'm not sure how appropriate this is, but it sets
 smtpd_milters only for submission and works fine for me in normal
 operation.

--
Tomo.




Re: Protection against stolen credentials?

2010-04-15 Thread Ignacio García

On 15/04/10 12:41, ram wrote:


The points mentioned should help you, especially ratelimits and FBLs.

Are you planning to do outgoing scanning?


Hi Ram. I believe ratelimits and FBLs can help, but just partially. FBLs 
are of great help, but they work only after much harm has been done. For 
instance, right now we use FBLs to get warnings of this kind of problem 
(besides checking the logs, of course, which does not happen 24 
hours/day). When we got our first warning we had more than 20k spam 
messages in the queue. OTOH, ratelimiting could work well. However, we 
have several customers with internal/intranet mail servers in their own 
facilities (with residential connections and dynamic IPs) who use our 
mail servers as authenticated SMTP relays to send external mail to the 
Internet, so limiting the number of outbound emails can be a problem for us.


The way I think this could be solved is by having a program that:

1.- Checks the logs for authenticated smtp usage and saves 
smtp_authenticated_user, originating IPs, and country, which is 
discovered using ip geolocation.
2.- During the following minutes, if the IP from the same authenticated user is 
different, then geolocate the new IP, and if the country is also different then 
flag it as possible credential theft.
3.- If step 2 repeats a few times in a few minutes (or even worse, if a 
third country is detected), then we surely have stolen credentials.
4.- Add smtp_authenticated_user to a blacklist, could add a simple 
header_checks entry to reject messages with smtp_authenticated_user 
header. That way account is still active and able to receive messages. 
However, outbound messaging is disabled.
5.- We could use a granulated scoring system. For instance, we are in 
Spain, and 99.9% of our customers are in Spain. So, even if many 
different IPs are used in a short period of time, if they all originate in 
Spain it's fair to assume this person may be having connectivity 
problems or several devices connected (computer, 3g phone, pda) and 
running at the same time, so we cut them some slack :)


We are already brainstorming this. However, we are good sysadmins but 
I cannot say the same about complex programming. We'll see what happens.


Regards,

Ignacio
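The five steps above, carried through as a working log monitor. This is an added example, not code from the thread or from any of its participants. It assumes the standard line Postfix smtpd logs for an authenticated client (`client=host[ip], sasl_method=..., sasl_username=...`), replaces the IP geolocation source (which the post leaves open) with a constructed prefix-to-country table over RFC 5737 documentation addresses, and for step 4 assumes `smtpd_sasl_authenticated_header = yes`, so the Received: header Postfix adds on submission carries `(Authenticated sender: <login>)` for a header_checks regexp table to match. The sample log lines, user names and thresholds are constructed.

```python
"""Flag SASL logins for one user from several countries in a short window."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for an IP geolocation lookup; documentation prefixes only.
COUNTRY_BY_NET = {
    ipaddress.ip_network("203.0.113.0/24"): "ES",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
}

# Constructed sample of Postfix smtpd log lines for authenticated clients.
SAMPLE_LOG = """\
Apr 15 10:00:01 mx1 postfix/smtpd[1201]: A1B2C3D4E5: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 15 10:00:09 mx1 postfix/smtpd[1202]: B2C3D4E5F6: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Apr 15 10:00:15 mx1 postfix/smtpd[1203]: C3D4E5F6A7: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 15 10:00:20 mx1 postfix/smtpd[1204]: D4E5F6A7B8: client=unknown[203.0.113.11], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 15 10:01:00 mx1 postfix/smtpd[1205]: E5F6A7B8C9: client=home.example.net[203.0.113.50], sasl_method=PLAIN, sasl_username=bob@example.com
Apr 15 10:02:30 mx1 postfix/smtpd[1206]: F6A7B8C9D0: client=unknown[203.0.113.51], sasl_method=PLAIN, sasl_username=bob@example.com
Apr 15 10:03:00 mx1 postfix/smtpd[1207]: A7B8C9D0E1: client=unknown[203.0.113.60], sasl_method=PLAIN, sasl_username=carol@example.com
Apr 15 10:03:40 mx1 postfix/smtpd[1208]: B8C9D0E1F2: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=carol@example.com
Apr 15 10:04:00 mx1 postfix/smtpd[1209]: disconnect from unknown[198.51.100.9]
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+?\[(?P<ip>[0-9a-fA-F.:]+)\].*?sasl_username=(?P<user>\S+)"
)
RANK = {"ok": 0, "suspect": 1, "stolen": 2}


def country_of(ip):
    """Country code for an address via the stand-in table ('??' if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_BY_NET.items():
        if addr in net:
            return cc
    return "??"


def parse_auth_events(log_text):
    """Step 1: per SASL user, the (timestamp, client IP) of each login."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog: no year
            events[m["user"]].append((ts, m["ip"]))
    for evs in events.values():
        evs.sort()
    return events


def classify(log_text, window=timedelta(minutes=10)):
    """Steps 2, 3 and 5: score each user's logins inside a sliding window.

    Two countries in the window -> "suspect"; a third country -> "stolen";
    any number of IPs from one country -> "ok" (several devices or flaky
    connectivity, the slack the post argues for)."""
    report = {}
    for user, evs in parse_auth_events(log_text).items():
        worst = ("ok", set(), set())
        for i, (t_end, _ip) in enumerate(evs):
            recent = [(t, ip) for t, ip in evs[: i + 1] if t_end - t <= window]
            ips = {ip for _, ip in recent}
            countries = {country_of(ip) for ip in ips}
            if len(countries) >= 3:
                verdict = "stolen"
            elif len(countries) == 2:
                verdict = "suspect"
            else:
                verdict = "ok"
            if RANK[verdict] >= RANK[worst[0]]:
                worst = (verdict, ips, countries)
        report[user] = {"verdict": worst[0], "ips": sorted(worst[1]),
                        "countries": sorted(worst[2])}
    return report


def header_checks_rule(user):
    """Step 4: a header_checks(5) regexp-table line that rejects mail this
    account submits, while inbound mail for the account keeps flowing.
    Assumes smtpd_sasl_authenticated_header = yes (Received: carries the login)."""
    return (f"/^Received:.*\\(Authenticated sender: {re.escape(user)}\\)/"
            " REJECT outbound sending disabled for this account")


if __name__ == "__main__":
    for user, info in classify(SAMPLE_LOG).items():
        print(user, info)
        if info["verdict"] == "stolen":
            print("   ", header_checks_rule(user))
```

Run it from cron over the current mail log and append the generated lines to a `regexp:` header_checks table (then `postfix reload`); the per-country slack keeps the residential customers with changing dynamic IPs out of the blacklist. Postfix 2.11 and later also offer `check_sasl_access`, which blocks a login name directly in smtpd restrictions and is the cleaner mechanism where available.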


Re: defer: removed spurious QUEUEID log

2010-04-15 Thread Stefan Foerster
* Wietse Venema :
> Stefan Foerster:
> > It was followed by what seemed the normal delivery of a single mail:
> > 
> > postfix-hub/smtpd[27112]: 1E0DE10003: 
> > client=edge.kvm.incertum.net[192.168.122.13]
> 
> Right, this is a new message that has claimed the name 1E0DE10003,
> Postfix must not append mail delivery errors to a file that contains
> the errors for the deleted 1E0DE10003 message.

I see.

Indeed, 1E0DE10003 was from April 6th, 2006, around noon. The
long term storage logs don't contain any sender/recipient/relay
information, only anonymized data, but I can see that the deferral was
the result of a connection timeout. Apart from that one message and a
lot of hostname verification failures, the logs for that day don't
show any signs of trouble (as per the DEBUG_README).

I guess there's not really a viable way of discovering what happened
that day, even with the logs, is there? Do I need to investigate this
further?


Stefan


Re: Limit outgoing SMTP

2010-04-15 Thread Wietse Venema
Claudio Prono:
> Hi to all, 
> 
> Just a question: is there any method to limit outgoing mail?
> Something like domain.com allowed, domain.net not allowed, or
> u...@domain.com allowed, u...@domain.net not allowed. And can this be
> done for each user?

Postfix enforces such limits while RECEIVING mail:

http://www.postfix.org/SMTPD_ACCESS_README.html

To stop mail from out-of-control web applications, use spam filters
as discussed today in the "lost credentials" thread.

> If it is possible, is there any web-based or similar tool to manage this?

Gui support is not included.

Wietse


Re: defer: removed spurious QUEUEID log

2010-04-15 Thread Wietse Venema
Stefan Foerster:
> * Wietse Venema :
> > Stefan Foerster:
> > > It was followed by what seemed the normal delivery of a single mail:
> > > 
> > > postfix-hub/smtpd[27112]: 1E0DE10003: 
> > > client=edge.kvm.incertum.net[192.168.122.13]
> > 
> > Right, this is a new message that has claimed the name 1E0DE10003,
> > Postfix must not append mail delivery errors to a file that contains
> > the errors for the deleted 1E0DE10003 message.
> 
> I see.
> 
> Indeed, 1E0DE10003 was from April 6th, 2006, around noon. The
> long term storage logs don't contain any sender/recipient/relay
> information, only anonymized data, but I can see that the deferral was
> the result of a connection timeout. Apart from that one message and a
> lot of hostname verification failures, the logs for that day don't
> show any signs of trouble (as per the DEBUG_README).
> 
> I guess there's not really a viable way of discovering what happend
> that day, even with the logs, is there? Do I need to investigate this
> further?

I just looked at some code that I wrote in 1997 or so.

Normally the queue manager deletes a defer logfile when it brings
a message into the active queue, and the bounce daemon deletes the
defer logfile after sending a "mail too old" bounce message.

If the defer file still exists without the message file, some of
the following happened:

- The queue file was deleted by hand without deleting the bounce/defer
logfile for that message. In this case, nothing is lost since the
message would not be delivered.

- After restoring a mail queue from elsewhere, postsuper was renaming
files to make the 'queue id' match the message file inode number,
and was interrupted before it got to rename the defer file. In this
case nothing is lost, because at least one more mail delivery attempt
will be made.

- The message was renamed with "postsuper -r". Again, nothing lost
since there will be at least one more delivery attempt.

- If it's none of the above, someone lost mail.

Postfix is as careful about not losing mail, as it is about not
losing information about delivery errors. Losing a delivery error
is like losing the message itself - in both cases the recipient
does not receive the message, and the sender is not notified.

Wietse
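A read-only audit for the condition described above (a defer or bounce logfile whose message file no longer exists in any queue directory), as an added example that is not from the thread or from Postfix itself. It walks the spool so it works at any hash_queue_depth, and when given no directory it builds a constructed demo tree laid out like the defaults (`hash_queue_names = deferred, defer`, depth 1); the queue ids in the demo are made up, apart from 1E0DE10003 borrowed from the thread.

```python
"""List defer/bounce logfiles in a Postfix spool whose message file is gone."""
import os
import sys
import tempfile

LOG_DIRS = ("defer", "bounce")                      # per-message error logs
MESSAGE_DIRS = ("incoming", "active", "deferred", "hold", "corrupt")  # message files


def queue_ids(queue_dir, subdir):
    """Queue ids found anywhere under subdir (hashed or not)."""
    ids = set()
    for _root, _dirs, files in os.walk(os.path.join(queue_dir, subdir)):
        ids.update(files)
    return ids


def orphaned_logfiles(queue_dir):
    """For each log dir, the sorted ids with no message file in any message dir."""
    present = set()
    for sub in MESSAGE_DIRS:
        present |= queue_ids(queue_dir, sub)
    return {sub: sorted(queue_ids(queue_dir, sub) - present) for sub in LOG_DIRS}


def make_demo_queue():
    """Constructed spool, not a real one: deferred/ and defer/ hashed one
    level deep, the other directories flat, as with default settings."""
    base = tempfile.mkdtemp(prefix="postfix-queue-demo-")
    entries = [
        ("active", "A7F3C2001"),
        ("bounce", "A7F3C2001"),        # bounce log for a message still in active
        ("deferred/B", "B91E2E0042"),
        ("defer/B", "B91E2E0042"),      # defer log whose message still exists
        ("defer/1", "1E0DE10003"),      # defer log with no message file: orphan
        ("bounce", "C0FFEE0001"),       # bounce log with no message file: orphan
    ]
    for sub, qid in entries:
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        with open(os.path.join(base, sub, qid), "w") as fh:
            fh.write("constructed placeholder\n")
    return base


if __name__ == "__main__":
    queue_dir = sys.argv[1] if len(sys.argv) > 1 else make_demo_queue()
    for sub, ids in orphaned_logfiles(queue_dir).items():
        for qid in ids:
            print(f"{sub}/{qid}: no message file in {', '.join(MESSAGE_DIRS)}")
```

Point it at the live spool with `python3 orphans.py "$(postconf -h queue_directory)"` (it needs read access to the spool). It only reports: as the thread shows, cleanup itself discards a stale log when a new message later claims the same queue id, and a transient orphan can also be a queue manager or postsuper run caught mid-way, so a hit is a prompt to check the logs for that id, not to delete anything.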


Re: defer: removed spurious QUEUEID log

2010-04-15 Thread Stefan Foerster
* Wietse Venema :
> Normally the queue manager deletes a defer logfile when it brings
> a message into the active queue, and the bounce daemon deletes the
> defer logfile after sending a "mail too old" bounce message.
> 
> If the defer file still exists without the message file, some of
> the following happened:
> 
> - The queue file was deleted by hand without deleting the bounce/defer
> logfile for that message. In this case, nothing is lost since the
> message would not be delivered.
> 
> - After restoring a mail queue from elsewhere, postsuper was renaming
> files to make the 'queue id' match the message file inode number,
> and was interrupted before it got to rename the defer file. In this
> case nothing is lost, because at least one more mail delivery attempt
> will be made.
> 
> - The message was renamed with "postsuper -r". Again, nothing lost
> since there will be at least one more delivery attempt.
> 
> - If it's none of the above, someone lost mail.
> 
> Postfix is as careful about not losing mail, as it is about not
> losing information about delivery errors. Losing a delivery error
> is like losing the message itself - in both cases the recipient
> does not receive the message, and the sender is not notified.

That means chances are good that I did something stupid that the long
term storage logs don't show, and that said act of stupidity did not
cause harm.

I think I can live with my presumed occasional stupor, as long as it
only resurfaces every four years.

As always, thank you for the insightful technical explanations.


Stefan


Re: errors from postfix

2010-04-15 Thread Oguz Yilmaz
Even if you solve the quotes problem, postfix will deliver the message to
olpcx@aol.com. Is this what you want?
You may try the smtpname option of fetchmail to deliver to the local mail user
on the postfix server. Or if you do not change "rcpt to", you may try to
deliver directly to the mda with the "-m" option.



On Fri, Apr 9, 2010 at 1:10 AM, John Schmitt  wrote:
>
> I use fetchmail to get my email from yahoo & gmail et al.  Lately I've been 
> getting these two messages when fetchmail runs.  What is postfix doing and 
> what is it trying to tell me?  Is this something I should fix on my end?  Is 
> postfix trying to resend some spam I received from yahoo?  Or is it just 
> having trouble delivering spam to my inbox?
>
> I'm running a simple home setup for myself using Fedora 12.
>
> Transcript of session follows.
>
>  Out: 220 mymachine.mydomain.net ESMTP Postfix
>  In:  HELO mymachine
>  Out: 250 mymachine.mydomain.net
>  In:  MAIL FROM:<>
>  Out: 250 2.1.0 Ok
>  In:  RCPT TO:<"???B?\" >
>  Out: 501 5.1.3 Bad recipient address syntax
>  In:  QUIT
>  Out: 221 2.0.0 Bye
>
>
> For other details, see the local mail logfile
>
>
> Date: Thu,  8 Apr 2010 13:02:01 -0700 (PDT)
> From: Mail Delivery System 
> To: Postmaster 
> Subject: Postfix SMTP server: errors from localhost[::1]
>
> Transcript of session follows.
>
>  Out: 220 mymachine.mydomain.net ESMTP Postfix
>  In:  EHLO pop-ssl.plus.mail.a06.yahoodns.net
>  Out: 250-mymachine.mydomain.net
>  Out: 250-PIPELINING
>  Out: 250-SIZE
>  Out: 250-VRFY
>  Out: 250-ETRN
>  Out: 250-STARTTLS
>  Out: 250-ENHANCEDSTATUSCODES
>  Out: 250-8BITMIME
>  Out: 250 DSN
>  In:  MAIL FROM:<"???B?\" > BODY=8BITMIME SIZE=2131
>  Out: 501 5.1.7 Bad sender address syntax
>  In:  RSET
>  Out: 250 2.0.0 Ok
>  In:  QUIT
>  Out: 221 2.0.0 Bye
>
>
> For other details, see the local mail logfile
>
> This is from /var/log/maillog:
>
> Apr  8 13:02:00 mymachine postfix/smtpd[13072]: connect from localhost[::1]
> Apr  8 13:02:00 mymachine postfix/smtpd[13000]: connect from localhost[::1]
> Apr  8 13:02:01 mymachine postfix/cleanup[13003]: 00144E02007: 
> message-id=<20100408200201.00144e02...@mymachine.mydomain.net>
> Apr  8 13:02:01 mymachine postfix/smtpd[13000]: disconnect from localhost[::1]
> Apr  8 13:02:01 mymachine postfix/qmgr[21590]: 00144E02007: 
> from=, size=759, nrcpt=1 (queue active)
> Apr  8 13:02:01 mymachine lmtpunix[12930]: accepted connection
> Apr  8 13:02:01 mymachine lmtpunix[12930]: lmtp connection preauth'd as 
> postman
> Apr  8 13:02:01 mymachine lmtpunix[12930]: duplicate_check: 
> <20100408200201.00144e02...@mymachine.mydomain.net> user.john            0
> Apr  8 13:02:01 mymachine postfix/cleanup[13003]: 20E23E02009: 
> message-id=<20100408200201.20e23e02...@mymachine.mydomain.net>
> Apr  8 13:02:01 mymachine lmtpunix[12930]: duplicate_check: 
> <20100408200201.00144e02...@mymachine.mydomain.net> user.john            0
> Apr  8 13:02:01 mymachine postfix/qmgr[21590]: 20E23E02009: 
> from=, size=957, nrcpt=1 (queue active)
> Apr  8 13:02:01 mymachine postfix/smtpd[13072]: disconnect from localhost[::1]
> Apr  8 13:02:01 mymachine lmtpunix[13071]: accepted connection
> Apr  8 13:02:01 mymachine lmtpunix[13071]: lmtp connection preauth'd as 
> postman
> Apr  8 13:02:01 mymachine lmtpunix[12930]: Delivered: 
> <20100408200201.00144e02...@mymachine.mydomain.net> to mailbox: user.john
> Apr  8 13:02:01 mymachine lmtpunix[12930]: mystore: starting txn 2147490480
> Apr  8 13:02:01 mymachine lmtpunix[12930]: mystore: committing txn 2147490480
> Apr  8 13:02:01 mymachine lmtpunix[12930]: duplicate_mark: 
> <20100408200201.00144e02...@mymachine.mydomain.net> user.john            
> 1270756921 320038
> Apr  8 13:02:01 mymachine lmtpunix[12930]: mystore: starting txn 2147490481
> Apr  8 13:02:01 mymachine lmtpunix[12930]: mystore: committing txn 2147490481
> Apr  8 13:02:01 mymachine lmtpunix[12930]: duplicate_mark: 
> <20100408200201.00144e02...@mymachine.mydomain.net> .jo...@.sieve.       
> 1270756921 0
> Apr  8 13:02:01 mymachine lmtpunix[13071]: duplicate_check: 
> <20100408200201.20e23e02...@mymachine.mydomain.net> user.john            0
> Apr  8 13:02:01 mymachine postfix/lmtp[13008]: 00144E02007: 
> to=, orig_to=, 
> relay=mymachine.mydomain.net[/var/lib/imap/socket/lmtp], delay=0.42, 
> delays=0.06/0/0/0.35, dsn=2.1.5, status=sent (250 2.1.5 Ok)
> Apr  8 13:02:01 mymachine postfix/qmgr[21590]: 00144E02007: removed
>
>


Trouble with virtual_alias_maps and mailman stopped working

2010-04-15 Thread Bruno Ribeiro da Silva
Hi, I'm having some trouble with my production server: mailman
stopped working apparently without any modification. I think
everything in my postfix configuration is ok, but what I'm seeing is
that virtual_alias_maps isn't working as expected.
My setup consists of one virtual domain example.com, and some
"accounts" from this domain are lists, like samplel...@example.com.
According to the postfix flow, if I send an e-mail to
samplel...@example.com it will match the line
hash:/var/lib/mailman/data/virtual-mailman in my virtual_alias_maps
and return samplelist, then it's expected to match samplelist at the line
alias_maps = hash:/var/lib/mailman/data/aliases and pipe the e-mail to
"|/var/lib/mailman/mail/mailman post samplelist", but instead postfix
is just sending the e-mail to maildrop with a destination like one of my
regular accounts, then maildrop is returning user unknown, of course,
because samplel...@example.com isn't a valid user account.
I don't know why postfix isn't matching alias_maps to pipe the mail to mailman.
Could someone help me?

Thanks!

My /var/lib/mailman/data/virtual-mailman:
# STANZA START: samplelist
# CREATED: Mon Mar 31 16:59:34 2008
samplel...@example.com  samplelist
samplelist-ad...@example.comsamplelist-admin
samplelist-boun...@example.com  samplelist-bounces
samplelist-conf...@example.com  samplelist-confirm
samplelist-j...@example.com samplelist-join
samplelist-le...@example.comsamplelist-leave
samplelist-ow...@example.comsamplelist-owner
samplelist-requ...@example.com  samplelist-request
samplelist-subscr...@example.comsamplelist-subscribe
samplelist-unsubscr...@example.com  samplelist-unsubscribe
# STANZA END: reserva

My /var/lib/mailman/data/aliases:
# STANZA START: samplelist
# CREATED: Mon Mar 31 16:59:34 2008
samplelist: "|/var/lib/mailman/mail/mailman post samplelist"
samplelist-admin:   "|/var/lib/mailman/mail/mailman admin samplelist"
samplelist-bounces: "|/var/lib/mailman/mail/mailman bounces samplelist"
samplelist-confirm: "|/var/lib/mailman/mail/mailman confirm samplelist"
samplelist-join:"|/var/lib/mailman/mail/mailman join samplelist"
samplelist-leave:   "|/var/lib/mailman/mail/mailman leave samplelist"
samplelist-owner:   "|/var/lib/mailman/mail/mailman owner samplelist"
samplelist-request: "|/var/lib/mailman/mail/mailman request samplelist"
samplelist-subscribe:   "|/var/lib/mailman/mail/mailman subscribe samplelist"
samplelist-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe samplelist"
# STANZA END: samplelist


Let me show my postfix configuration:
### main.cf ###
mydestination = example-srv.example.com
myhostname = example-srv.example.com
mydomain = example-srv.example.com
myorigin = $myhostname
mynetworks = 127.0.0.1
relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf
inet_protocols = ipv4
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/etc/postfix/mysql/mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/alias_maps.cf,
 proxy:mysql:/etc/postfix/mysql/forwarding_maps.cf,
 proxy:mysql:/etc/postfix/mysql/list_maps.cf,
 hash:/var/lib/mailman/data/virtual-mailman,
virtual_transport = maildrop
maildrop_destination_recipient_limit=1
recipient_delimiter = +
alias_maps = hash:/var/lib/mailman/data/aliases
alias_database = hash:/var/lib/mailman/data/aliases
local_recipient_maps = $alias_maps
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 reject_unknown_recipient_domain,
 reject_non_fqdn_recipient,
 reject_unauth_pipelining
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unauth_pipelining
smtpd_sender_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_sender_domain,
  reject_non_fqdn_sender,
  reject_sender_login_mismatch,
  check_sender_access hash:/etc/postfix/blacklist
  reject_unauth_pipelining
smtpd_client_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  check_sender_access hash:/etc/postfix/whitelist
  reject_unknown_client,
  reject_unauth_pipelining,
  check_policy_service inet:127.0.0.1:10031,
  reject_rbl_client bl.spamcop.net,
   

Re: Many IP address outgoing messages

2010-04-15 Thread Stan Hoeppner
Eduardo Júnior put forth on 4/15/2010 8:04 AM:

> Due the high load of e-mails over my link, I want that
> my messages outgoing through more IPs with only postfix box.

If you only have one physical link, how will sending mail from multiple IPs
within the same subnet solve your link congestion problem?

-- 
Stan


block specific IP addresses

2010-04-15 Thread CT

I have several boxes that "check" my relay every 40 seconds to
check that the server is up.

After multiple attempts to get the number of checks reduced I would
like to know the preferred way to block specific IP addresses in Postfix.

I have no issue with checks.. but every 40 seconds is ridiculous.

OS : CentOS 5.4
Postfix version:  2.5.1

Thx
Charles


Re: block specific IP addresses

2010-04-15 Thread Sahil Tandon
On Thu, 15 Apr 2010, CT wrote:

> I have several boxes that "check" my relay every 40 seconds to
> check that the server is up.
> 
> After multiple attempts to get the number of checks reduced I would
> like to know the preferred way to block specific IP addresses in Postfix.

http://www.postfix.org/postconf.5.html#check_client_access
http://www.postfix.org/access.5.html

-- 
Sahil Tandon 


Re: Many IP address outgoing messages

2010-04-15 Thread Eduardo Júnior
Hi,


On Thu, Apr 15, 2010 at 6:35 PM, Stan Hoeppner  wrote:
> Eduardo Júnior put forth on 4/15/2010 8:04 AM:
>
>> Due the high load of e-mails over my link, I want that
>> my messages outgoing through more IPs with only postfix box.
>
> If you only have one physical link, how will sending mail from multiple IPs
> within the same subnet solve your link congestion problem?


Currently my Postfix box sends outgoing e-mail through only one physical link, but
I have others available.

According to Eero, this can be done by means of a firewall, using iptables.

But my main goal is to learn how to do that using Postfix, the reference for which was
passed along by Noel.


-- 
Eduardo Júnior
GNU/Linux user #423272

:wq


Re: Trouble with virtual_alias_maps and mailman stopped working

2010-04-15 Thread Noel Jones

On 4/15/2010 3:22 PM, Bruno Ribeiro da Silva wrote:

Hi, I'm having some trouble with my production server: mailman
stopped working apparently without any modification. I think
everything in my postfix configuration is ok, but what I'm seeing is
that virtual_alias_maps isn't working as expected.
My setup consists of one virtual domain example.com, and some
"accounts" from this domain are lists, like samplel...@example.com.
According to the postfix flow, if I send an e-mail to
samplel...@example.com it will match the line
hash:/var/lib/mailman/data/virtual-mailman in my virtual_alias_maps
and return samplelist, then it's expected to match samplelist at the line
alias_maps = hash:/var/lib/mailman/data/aliases and pipe the e-mail to
"|/var/lib/mailman/mail/mailman post samplelist", but instead postfix
is just sending the e-mail to maildrop with a destination like one of my
regular accounts, then maildrop is returning user unknown, of course,
because samplel...@example.com isn't a valid user account.
I don't know why postfix isn't matching alias_maps to pipe the mail to mailman.
Could someone help me?

Thanks!

My /var/lib/mailman/data/virtual-mailman:
# STANZA START: samplelist
# CREATED: Mon Mar 31 16:59:34 2008
samplel...@example.com  samplelist
samplelist-ad...@example.comsamplelist-admin
samplelist-boun...@example.com  samplelist-bounces
samplelist-conf...@example.com  samplelist-confirm
samplelist-j...@example.com samplelist-join
samplelist-le...@example.comsamplelist-leave
samplelist-ow...@example.comsamplelist-owner
samplelist-requ...@example.com  samplelist-request
samplelist-subscr...@example.comsamplelist-subscribe
samplelist-unsubscr...@example.com  samplelist-unsubscribe
# STANZA END: reserva


The result addresses above should include a domain listed in 
mydestination.


samplel...@example.com samplel...@localhost.example.com
...

mydestination = localhost.example.com ...


  -- Noel Jones


Re: Trouble with virtual_alias_maps and mailman stopped working

2010-04-15 Thread Ansgar Wiechers
On 2010-04-15 Bruno Ribeiro da Silva wrote:
> Hi, I'm having some trouble with my production server, that mailman
> stopped working apparently without any modification. I think
> everything at my postfix configuration is ok, but what I'm seeing is
> that virtual_alias_maps isn't working as expected.

Check your logs. Postfix logs all relevant aspects of any mail
transaction. What does it say there?

[...]
> samplel...@example.com  samplelist

Change "samplelist" to "samplel...@example-srv.example.com".

Since example.com is not your $mydestination: is it defined as a virtual
mailbox domain?

Also post the output of "postconf -n" rather than your main.cf.

Regards
Ansgar Wiechers
-- 
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668


Re: block specific IP addresses

2010-04-15 Thread Stan Hoeppner
CT put forth on 4/15/2010 4:43 PM:
> I have several boxes that "check" my relay every 40 seconds to
> check that the server is up.
> 
> After multiple attempts to get the number of checks reduced I would
> like to know the preferred way to block specific IP addresses in Postfix.
> 
> I have no issue with checks.. but every 40 seconds is ridiculous.

To accomplish the task in Postfix, blocking only SMTP connections from those
IP addresses:

edit: /etc/postfix/main.cf

smtpd_[client/recipient]_restrictions =
...
check_client_access hash:/etc/postfix/blacklist
...

# [client/recipient] selection depends on whether you use the "everything
under smtpd_recipient_restrictions" style main.cf layout.

create: /etc/postfix/blacklist

...
1.2.3.4 REJECT
4.3.2.1 REJECT
3.2.1.4 REJECT
...

/$ postmap /etc/postfix/blacklist
/$ postfix reload

Simple, eh?

Or to deny all port access from those IPs, if using Linux, use Netfilter:

/$ iptables -I INPUT -s 1.2.3.4 -j DROP
/$ iptables -I INPUT -s 4.3.2.1 -j DROP
/$ iptables -I INPUT -s 3.2.1.4 -j DROP

iptables inputs are non persistent across reboots.  Without knowing what
OS/distro you're using, I'll give generic instructions on running this at
system startup instead of rc.* instructions.

As root, create something like /usr/bin/load_iptables.sh and make sure the
execute bit is set.

#! /bin/sh
iptables -I INPUT -s 1.2.3.4 -j DROP
iptables -I INPUT -s 4.3.2.1 -j DROP
iptables -I INPUT -s 3.2.1.4 -j DROP

As root create this crontab entry usually with "crontab -e"

@reboot /usr/bin/load_iptables.sh

Now all packets from those IPs will be dropped.  Hope this helps.

-- 
Stan
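The "top pollers" CT describes leave a regular trace in the smtpd log, so the access table above can be generated from it rather than typed by hand. This is an added example, not code from the thread; it assumes the standard postfix/smtpd "connect from host[ip]" log line and uses a constructed sample log.

```python
"""Added example (not from the thread): find clients that reconnect to a
Postfix relay at a fixed short interval and turn them into a
check_client_access table like /etc/postfix/blacklist above."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# postfix/smtpd logs each accepted connection as "connect from host[ip]";
# syslog timestamps carry no year, so one is supplied when parsing.
CONNECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]$"
)

# Constructed sample log: 192.0.2.10 connects every 40 seconds (a poller),
# 198.51.100.7 connects twice, minutes apart (ordinary traffic).
SAMPLE_LOG = """\
Apr 15 16:43:01 relay postfix/smtpd[4021]: connect from mon1.example[192.0.2.10]
Apr 15 16:43:01 relay postfix/smtpd[4021]: disconnect from mon1.example[192.0.2.10]
Apr 15 16:43:41 relay postfix/smtpd[4022]: connect from mon1.example[192.0.2.10]
Apr 15 16:44:21 relay postfix/smtpd[4023]: connect from mon1.example[192.0.2.10]
Apr 15 16:45:01 relay postfix/smtpd[4024]: connect from mon1.example[192.0.2.10]
Apr 15 16:44:05 relay postfix/smtpd[4025]: connect from mx.example.org[198.51.100.7]
Apr 15 16:52:30 relay postfix/smtpd[4026]: connect from mx.example.org[198.51.100.7]
""".splitlines()


def parse_connects(lines, year=2010):
    """Map each client IP to the list of its connect timestamps."""
    connects = defaultdict(list)
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if m is None:
            continue  # disconnects, deliveries and other noise
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        connects[m.group("ip")].append(when)
    return dict(connects)


def find_pollers(connects, max_interval=60.0, min_connects=3):
    """Return {ip: median seconds between connects} for clients that connect
    at least min_connects times with a median gap of max_interval or less."""
    pollers = {}
    for ip, times in connects.items():
        if len(times) < min_connects:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= max_interval:
            pollers[ip] = median_gap
    return pollers


def access_table(pollers, action="REJECT"):
    """Render check_client_access lines ("ip ACTION"), one per poller,
    in the format postmap expects."""
    return [f"{ip} {action}" for ip in sorted(pollers)]


if __name__ == "__main__":
    table = access_table(find_pollers(parse_connects(SAMPLE_LOG)))
    print("\n".join(table))
```

If the pollers are inside mynetworks, the check_client_access entry has to sit before permit_mynetworks in the restriction list, otherwise they are permitted before the table is consulted.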



Re: catch-all not working with postfix dovecot lda

2010-04-15 Thread fakessh
On Thu, 15 Apr 2010 08:33:43 -0500, Noel Jones 
wrote:
> On 4/14/2010 3:42 PM, fakessh wrote:
>> On Wed, 14 Apr 2010 13:50:34 -0500, Noel Jones
>> wrote:
>>> On 4/14/2010 1:45 PM, fakessh wrote:
>>>> On Wed, 14 Apr 2010 14:12:25 -0400, Charles Marcus
>>>> wrote:
>>
>>
>> I changed the entries @fakessh to r...@localhost in
>> /etc/postfix/virtual, ran postmap on the file, then
>> restarted postfix.
>>
>> all without success, or rather the same mistake
> 
> Then post your new "postconf -n", log entries showing the 
> problem, and file contents.


my postconf -n
[r...@r13151 ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = regexp:/etc/postfix/body_checks.cf
bounce_notice_recipient = postmaster
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = dksign:[127.0.0.1]:10028
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_privs = nobody
double_bounce_sender = no
header_checks = regexp:/etc/postfix/header_checks.cf
home_mailbox = Maildir/
html_directory = no
in_flow_delay = 10
inet_interfaces = all
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maps_rbl_domains = bl.spamcop.net
mime_header_checks = regexp:/etc/postfix/mime_header_checks.cf
mydestination = $myhostname, localhost.$mydomain
mydomain = r13151.ovh.net
mynetworks = 127.0.0.0/8 ,87.98.186.232
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_run_delay = 2000s
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains = 
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_loglevel = 3
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions =
permit_mynetworks,reject_unknown_reverse_client_hostname,reject_unauth_pipelining,
reject_non_fqdn_recipient ,  permit
smtpd_milters = inet:[127.0.0.1]:10040
smtpd_recipient_restrictions = permit_mynetworks  permit_inet_interfaces
permit_sasl_authenticated  reject_unverified_recipient
reject_non_fqdn_sender reject_non_fqdn_recipient
reject_unknown_sender_domain reject_unknown_recipient_domain
reject_unknown_reverse_client_hostname reject_unauth_destination
reject_unauth_pipelining reject_rbl_client zen.spamhaus.org
reject_sender_login_mismatch check_policy_service unix:postgrey/socket
check_sender_access hash:/etc/postfix/check_backscatterer 
check_policy_service unix:private/spfpolicy reject_rbl_client
bl.spamcop.net reject_rhsbl_sender  dbl.spamhaus.org  reject_rbl_client
cbl.abuseat.org  reject_rbl_client b.barracudacentral.org
smtpd_reject_unlisted_sender = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/sub.class4.server.ca.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/newcerts/01.pem
smtpd_tls_key_file = /etc/pki/tls/private/r13151.ovh.net.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = fakessh.eu renelacroute.fr nicolaspichot.fr
virtual_alias_maps = hash:/etc/postfix/virtual

> 
> But you already have all the information you need to fix this 
> yourself.
> 
> Key points are
> 1) use fully qualified names in virtual_alias_maps. ie.
> u...@example1.com   u...@example2.com
> 
> *not*
> u...@example1.com   user

my jed /etc/postfix/virtual
#
# AUTHOR(S)
#Wietse Venema
#IBM T.J. Watson Research
#P.O. Box 704
#Yorktown Heights, NY 10598, USA
#
#
VIRTUAL(5$
postmas...@fakessh.eu   r...@localhost.r13151.ovh.net
fake...@fakessh.eu fake...@localhost.r13151.ovh.net
webm...@fakessh.eu webm...@localhost.r13151.ovh.net
se...@fakessh.eu   se...@localhost.r13151.ovh.net
@fakessh   r...@localhost.r13151.ovh.net
renelacro...@renelacroute.fr renelacro...@localhost.r13151.ovh.net
@renelacroute.fr   r...@localhost.r13151.ovh.net
postmas...@renelacroute.fr   r...@localhost.r13151.ovh.net
nicolaspic...@nicolaspichot.fr   nicolaspic...@localhost.r13151.ovh.net
@nicolaspichot.fr   r...@localhost.r13151.ovh.net


> 
> 2) if you want local delivery of the mail, the new domain must 
> be listed in mydestination.
> 
I use the local delivery agent
[r...@r13151 ~]# rpm -qa | grep dovecot
dovecot-sieve-devel-0.1.15-4.el5
dovecot-siev
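Both threads above hit the same two mistakes in a virtual_alias_maps file: a result that is not a full user@domain (Noel's point 1) and a result domain that is not in mydestination (his point 2), plus a catch-all key like "@fakessh" that names no real domain. As an added example, not code from the thread or from Postfix, here is a small linter for those cases; the sample map, mydestination and virtual_alias_domains are constructed.

```python
"""Added example (not from the thread or from Postfix): lint a
virtual_alias_maps source file for unqualified results, result domains
Postfix will not deliver locally, and keys whose domain is unknown."""
import re

# Constructed sample map, not a file from the thread. Line 2 has an
# unqualified result, line 3 a catch-all key with a bare label instead of
# a domain, line 5 a result domain this server neither hosts nor aliases.
SAMPLE_VIRTUAL = """\
# constructed sample
list@example.com        list
@example                root@localhost.example.com
user@example.com        user@localhost.example.com
other@example.com       other@mail.example.org
"""
MYDESTINATION = ["mail.example.com", "localhost.example.com"]
VIRTUAL_ALIAS_DOMAINS = ["example.com"]


def parse_virtual(text):
    """Return [(lineno, key, [result, ...])] for every non-comment line.
    Results may be separated by commas and/or whitespace, as postmap allows."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        results = re.split(r"[\s,]+", parts[1].strip()) if len(parts) == 2 else []
        entries.append((lineno, parts[0], [r for r in results if r]))
    return entries


def domain_of(address):
    """Domain part of an address, lowercased, or None if unqualified.
    A bare 'user' key is legal in virtual(5), so None is not itself an error."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def lint_virtual(text, mydestination, virtual_alias_domains):
    """Return [(lineno, code, detail)] for entries that will not behave as
    the author of the map presumably intended."""
    known = {d.lower() for d in mydestination} | {d.lower() for d in virtual_alias_domains}
    problems = []
    for lineno, key, results in parse_virtual(text):
        key_domain = domain_of(key)
        if key_domain is not None and key_domain not in known:
            problems.append((lineno, "key-domain-unknown",
                             f"{key}: {key_domain} is in neither "
                             "virtual_alias_domains nor mydestination"))
        if not results:
            problems.append((lineno, "missing-result", f"{key}: no result address"))
        for result in results:
            result_domain = domain_of(result)
            if result_domain is None:
                # Postfix would append $myorigin; write the address out in full.
                problems.append((lineno, "unqualified-result",
                                 f"{key} -> {result}: result is not user@domain"))
            elif result_domain not in known:
                problems.append((lineno, "result-domain-unknown",
                                 f"{key} -> {result}: {result_domain} is not "
                                 "in mydestination, so it is not delivered locally"))
    return problems


if __name__ == "__main__":
    for lineno, code, detail in lint_virtual(SAMPLE_VIRTUAL, MYDESTINATION,
                                             VIRTUAL_ALIAS_DOMAINS):
        print(f"line {lineno}: {code}: {detail}")
```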

Re: Many IP address outgoing messages

2010-04-15 Thread Stan Hoeppner
Eduardo Júnior put forth on 4/15/2010 4:52 PM:

> On Thu, Apr 15, 2010 at 6:35 PM, Stan Hoeppner  wrote:
>> Eduardo Júnior put forth on 4/15/2010 8:04 AM:
>>
>>> Due to the high load of e-mails on my link, I want my
>>> messages to go out through more IPs with only one postfix box.
>>
>> If you only have one physical link, how will sending mail from multiple IPs
>> within the same subnet solve your link congestion problem?
> 
> 
> Currently my Postfix box sends outgoing e-mails through only one physical link, but
> I have others available.

A single DSL line can pump a half million messages/day.  Why do you have so
many outgoing messages that you're clogging your pipe?  This doesn't seem
like normal mail flow.

-- 
Stan


Re: block specific IP addresses

2010-04-15 Thread mouss
CT a écrit :
> I have several boxes that "check" my relay every 40 seconds to
> check that the server is up.
> 
> After multiple attempts to get the number of checks reduced I would
> like to know the preferred way to block specific IP addresses in Postfix.
> 
> I have no issue with checks.. but every 40 seconds is ridiculous.
> 

The first answer is: try to reach their abuse/postmaster. If you fail,
then firewall them. If so, just DROP their traffic (this will cause more
delay on their side). You can also redirect their traffic to a "slow
silly server" ("torture server").


crl support?

2010-04-15 Thread zhong ming wu
Dear List

I don't find anywhere in the TLS documentation how to make postfix respect a CRL
so that clients whose certs have been revoked cannot use the submission server.

Can someone please confirm that this feature is supported or not?

Thanks


Re: [Dovecot] catch-all not working with postfix dovecot lda

2010-04-15 Thread fakessh
On Fri, 16 Apr 2010 09:07:55 +1000, Noel Butler 
wrote:
> Postfix must first "know the user(s)",
> therefore this is a postfix issue and not dovecot.
> dovecot deliver assumes the MTA has verified the user to accept mail
> from and does not do further authentication
> 
> 

How to build a catch-all with the dovecot lda is the question, then.
It is not a postfix issue.

> On Fri, 2010-04-16 at 01:00 +0200, fakessh wrote:
> 
>> It's the archive of the cross post to postfix-users.
>> Help me.
>> 
>> http://www.mail-archive.com/postfix-users@postfix.org/msg22963.html
>> 
>> 
>> 

Fwd: Re: [Dovecot] catch-all not working with postfix dovecot lda (fwd)

2010-04-15 Thread fakessh
It may be a problem in dealing with the amavisd perl milter.

Subject: Re: [Dovecot] catch-all not working with postfix dovecot lda

Re: block specific IP addresses

2010-04-15 Thread groups

Stan Hoeppner wrote, On 04/15/2010 05:16 PM:
> CT put forth on 4/15/2010 4:43 PM:
>> I have several boxes that "check" my relay every 40 seconds to
>> check that the server is up.
>>
>> After multiple attempts to get the number of checks reduced I would
>> like to know the preferred way to block specific IP addresses in Postfix.
>>
>> I have no issue with checks.. but every 40 seconds is ridiculous.
>
> To accomplish the task in Postfix, blocking only SMTP connections from those
> IP addresses:
>
> edit: /etc/postfix/main.cf
>
> smtpd_[client/recipient]_restrictions =
> ...
> check_client_access hash:/etc/postfix/blacklist
> ...
>
> # [client/recipient] selection depends on whether you use the "everything
> under smtpd_recipient_restrictions" style main.cf layout.
>
> create: /etc/postfix/blacklist
>
> ...
> 1.2.3.4 REJECT
> 4.3.2.1 REJECT
> 3.2.1.4 REJECT
> ...
>
> /$ postmap /etc/postfix/blacklist
> /$ postfix reload
>
> Simple, eh?


Stan...
I had run across your suggestion in my searches but figured I would
ask to be sure I was heading down the right path...

These IPs are on my trusted subnets, but what I *wasn't* sure of was whether,
if I did create the blacklist, I would also have to create a whitelist for my
"trusted subnets".

Looks like I don't..

And yes, very simple.. I like simple.. since there are only
a handful of "top pollers".
Exactly what I was looking for..

Syntax follow up question...

1.2.3.4  REJECT
or
1.2.3.4  REJECT

Thx
charles


Re: block specific IP addresses

2010-04-15 Thread groups

mouss wrote, On 04/15/2010 06:03 PM:
> CT a écrit :
>> I have several boxes that "check" my relay every 40 seconds to
>> check that the server is up.
>>
>> After multiple attempts to get the number of checks reduced I would
>> like to know the preferred way to block specific IP addresses in Postfix.
>>
>> I have no issue with checks.. but every 40 seconds is ridiculous.
>
> The first answer is: try to reach their abuse/postmaster. If you fail,
> then firewall them. If so, just DROP their traffic (this will cause more
> delay on their side). You can also redirect their traffic to a "slow
> silly server" ("torture server").


Mouss..
I could use a host-based firewall, but would rather use Postfix as there
are only a handful of pollers..

Thx
Charles


Re: crl support?

2010-04-15 Thread Wietse Venema
zhong ming wu:
> Dear List
> 
> I don't find anywhere in the TLS documentation how to make postfix respect a CRL
> so that clients whose certs have been revoked cannot use the submission
> server.
> 
> Can someone please confirm that this feature is supported or not?

If it is not in the documentation, then it is not implemented.

Wietse


Re: crl support?

2010-04-15 Thread Victor Duchovni
On Thu, Apr 15, 2010 at 07:16:58PM -0400, zhong ming wu wrote:

> I don't find anywhere in the TLS documentation how to make postfix respect a CRL
> so that clients whose certs have been revoked cannot use the submission
> server.

The supported model for submission servers that use client certs is to
list all supported fingerprints in a table. With fingerprint security,
you don't need CRLs. Alternatively, you can extract all the revoked
certs from the CRL, and use check_ccert_access to deny access, while
allowing everyone else signed by the CA.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: Limit outgoing SMTP

2010-04-15 Thread listadecorreo

Wietse Venema wrote:
> Claudio Prono:
>> Hi to all,
>>
>> Just a question: is there any method to limit outgoing mail?
>> Something like domain.com allowed, domain.net not allowed, or
>> u...@domain.com allowed, u...@domain.net not allowed. And can this be
>> done for each user?
>
> Postfix enforces such limits while RECEIVING mail:
>
> http://www.postfix.org/SMTPD_ACCESS_README.html
>
> To stop mail from out-of-control web applications, use spam filters
> as discussed today in the "lost credentials" thread.
>
>> If possible, is there any web-based or similar tool to manage this?
>
> Gui support is not included.
>
> Wietse


I use this procedure to arrange that one domain can send Internet email
and another domain can send only local mail.


r...@imss:~$ vi /etc/postfix/main.cf

smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/Custom/sender_deny
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

smtpd_client_restrictions =
permit_sasl_authenticated,
reject_unknown_client


smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/Custom/local_domains, reject


r...@imss:~$ cat /etc/postfix/Custom/local_domains
###
# Remember: postmap /etc/postfix/Custom/local_domains
###

xxx.lan OK
xxx.es OK

###
# Remember: postmap /etc/postfix/Custom/sender_deny
###

os...@xxx.lan local_only

###
# Remember: postmap /etc/postfix/Custom/virtual
###

os...@xxx.es oscar.xxx
os...@xxx.lan oscar.xxx



hold queue management

2010-04-15 Thread Rudy Gevaert

Hello postfix users,

I have question concerning the hold queue.

I have a smtpd_*_restriction map that puts certain mails in the hold
queue. (E.g. phishing messages).

My idea was to then update the restriction to DISCARD or REJECT the
message and to move the mails out of the hold queue.

However, the re-queued mail gets delivered to the mailbox.  Is this
default behavior?  Can it be changed?

Thanks in advance,

Rudy