Delivery to external domains

2010-05-11 Thread Simon Croome

Hi,

I have set up an internal Postfix server that relays mail from our 
external DMZ server to internal mail hosts. It should accept mail for 
example.com but allow relaying from selected LAN hosts to external 
domains, for instance o2.co.uk etc. Whenever I attempt to relay through 
the Postfix server to an external domain, it returns "Relaying Access 
Denied". Can anyone help?


I have posted my main.cf

bounce_notice_recipient = mail.info
2bounce_notice_recipient = mail.info
delay_notice_recipient = mail.info
error_notice_recipient = mail.info
max_idle = 30s
max_use = 20
header_size_limit = 65536
message_size_limit = 104857600
mailbox_size_limit = 209715200

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix

mail_owner = postfix
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname
mynetworks = 194.81.151.0/24
relay_domains = example.com
relayhost =

readme_directory = /usr/share/doc/packages/postfix/README_FILES
smtp_generic_maps = pcre:/etc/postfix/smtp_generic_maps
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
transport_maps = regexp:/etc/postfix/transport.regexp
virtual_maps = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual_alias

unknown_local_recipient_reject_code = 450

smtpd_banner = $myhostname SMTP

debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
html_directory = no
readme_directory = no
smtpd_helo_required = yes

smtpd_client_restrictions = reject_unauth_pipelining,
    reject_multi_recipient_bounce, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    reject_non_fqdn_sender, reject_invalid_hostname,
    reject_unknown_sender_domain


smtpd_recipient_restrictions = permit_mynetworks,
    reject_non_fqdn_hostname, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, check_sender_access hash:/etc/postfix/access,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_unauth_destination


strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_etrn_restrictions = reject
notify_classes = resource,software
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
allow_percent_hack = no
swap_bangpath = no
resolve_dequoted_address = yes
require_home_directory = yes
maps_rbl_reject_code = 571
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 2
smtpd_timeout=50s
smtpd_error_sleep_time=10s
smtpd_delay_reject=yes
smtpd_client_connection_rate_limit=10
smtpd_client_message_rate_limit=20
smtpd_client_recipient_rate_limit=20



Re: Drop mail when X-Something header contains "value" AND destination domain == "somedomain.com"

2010-05-11 Thread Roman Medina-Heigl Hernandez
mouss wrote:
> Roman Medina-Heigl Hernandez wrote:
>> The (real) problem is the following: my Amavis/Spamassassin setup analyzes
>> mail and adds X-Spam-* headers accordingly but it does NOT block/drop any
>> mail. Filtering is done at the MDA level via sieve, which analyzes headers
>> and decides what to do with certain mails based on those headers (the
>> advantage is that the user has the last choice, so he/she can decide
>> whether the spam threshold would be, etc).
>>
> 
> that's how I do it. all mail is delivered except:
> - if rejected at postfix level
> - if blocked because of a virus check (even this I used to deliver to a
> specific folder. but I stopped it...).
> 
> dest folder depends on rules implemented in dovecot sieve. default for
> spam is the "Junk" folder.
> 
>> Now, I need my MTA to perform additional functionality: to act as relay for
>> CERTAIN domains (keeping, of course, the *other* domains which my server
>> owns mailboxes for). I do NOT control the final delivery for these "relayed
>> domains" (I do NOT own final MTA with mailboxes), so I'd like to make some
>> blocking based on headers but ONLY for my relayed domains.
>>
>> Postfix supports filtering based on headers but all mail (relayed and not
>> relayed) would be filtered in this case (which is not what I want), I don't
>> know how could I add the "conditional" behaviour: "if mail destination is
>> one of my relayed domains, check headers and drop spam mail; if not, don't
>> check headers". I think Postfix supports the concept of "classes", but I
>> never used them and I don't know if what I need could be done with that
>> feature.
>>
> 
> you need to pass relayed mail via a specific smtp which has its own
> cleanup, in which case you can associate specific header_checks.
> 
> The difficulty in your case is that transport_maps are common to all
> smtpd listeners. so you can't do it with just "ok, move'em first to this
> smtp, then relay after that".
> 
> you could use FILTER as an access check result, but you'll have a
> problem for multi-recipient mail (only one filter is used, whatever the
> number of recipients).
> 
> now, things may be easier if you tell us more about your setup. which
> content filter do you use? do you use amavisd-new? (with amavisd-new,

I'm using Amavisd-new v.2.6.1 and chaining by using the content-filter trick:
- main smtpd
content_filter=amavisfeed:[127.0.0.1]:10024
- secondary smtpd with "-o content_filter=", for receiving the reinjected
mail from amavisd-new.

My "postconf -n" config:

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
delay_warning_time = 4
disable_vrfy_command = yes
mail_name = mxhs
mailbox_command = procmail -a "$EXTENSION"
message_reject_characters = \0
message_size_limit = 35651584
mydestination = $myhostname localhost localhost.$mydomain
myhostname = mx.hosting-seguridad.com
mynetworks = 127.0.0.2, 127.0.0.3
myorigin = $myhostname
recipient_delimiter = +
relay_domains = hash:/etc/postfix/listas hash:/etc/postfix/mxbackup
relay_recipient_maps = hash:/etc/postfix/relay_recipients
    hash:/var/lib/mailman/data/virtual-mailman
relocated_maps = hash:/etc/postfix/relocated
show_user_unknown_table_name = no
smtp_bind_address = XXX
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    permit_mynetworks,
    reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,
    reject_unauth_destination,  reject_unlisted_recipient,
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = $virtual_mailbox_maps
smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/mail.hosting-seguridad.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail.hosting-seguridad.com.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
transport_maps = hash:/etc/postfix/listas hash:/etc/postfix/mxbackup_migracion
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/valias.mysql,
    proxy:mysql:/etc/postfix/vdomainalias_alias.mysql
    proxy:mysql:/etc/postfix/vdomainalias_user.mysql
virtual_mailbox_domains = proxy:mysql:/etc/postfix/vdomain.mysql
virtual_mailbox_maps = proxy:mysql:/etc/postfix/vuser.mysql
virtual_transport = lmtp:unix:/private/cyrus

> you have more flexibility). also, what exactly do you want to do with
> header_checks. maybe it's ok to apply them to all inbound mail?

I'd like to drop email if *any* of the following conditions are met:
1/ "X-Amavis-Alert" *contains* "INFECTED" or "BANNED"
2/ "X-Spam-Flag" *contains* "YES"

Relating your 2nd question,

Re: lpr notifications thru postfix

2010-05-11 Thread Wietse Venema
Jamal Mubarak:
> Well, Mac OS has BSM (Basic Security Module) audit.
> 
> http://www.trustedbsd.org/openbsm.html
> http://developer.apple.com/mac/library/DOCUMENTATION/Darwin/Reference/ManPages/man2/auditon.2.html
> 
> Should  I mess with auditon?

Last time I looked, BSM was not part of Postfix, so your
question is "not supported" here.

Wietse


Re: lmtp_generic_maps for delivery to dovecot

2010-05-11 Thread Noel Jones

On 5/11/2010 12:34 AM, ram wrote:
> On Mon, 2010-05-10 at 10:15 -0500, Noel Jones wrote:
>> On 5/10/2010 8:33 AM, ram wrote:
>>> Can I use something like lmtp_generic_maps for delivery to dovecot
>>
>> Your question is incomplete.
>> What are you trying to accomplish?  How does postfix deliver
>> to dovecot?
>
> I have a master.cf entry for delivery to dovecot.
>
> dovecot   unix  -   n   n   -   -   pipe
>    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
>
> The rules are very simple
>
> mails to  *...@local.example.com   send to dovecot:[127.0.0.1]
> mails to  *...@otherlocation.example.com send to smtp:[otherlocation]
>
> But the users are created on dovecot  as  u...@example.com.
> How can I configure postfix to send mails for *...@local.example.com to
> dovecot and strip off the "local."
>
> I use lmtp_generic_maps for a similar thing in postfix+cyrus




Postfix doesn't have a pipe_generic_maps feature, so the only 
way you can fix this in postfix is by delivering to another 
postfix instance, and let that instance deliver to dovecot.


But dovecot is pretty flexible; maybe there's some way to 
change the delivery destination on that end.


  -- Noel Jones


owner-list sometimes not used

2010-05-11 Thread Rik Theys

Hi,

Consider the following entries in an aliases file:

testlist:   :include:/etc/postfix/testlist
owner-testlist: user1

content of /etc/postfix/testlist:

user1
user2
user3

When we simulate a locked mailbox by creating /var/spool/mail/user2.lock 
and send a mail to the testlist, the following line is added to the mail 
log:


May 11 14:03:55 lucifer postfix/cleanup[8847]: 6260614005B: 
message-id=<20100511120202.12562140...@lucifer.esat.kuleuven.be>
May 11 14:03:55 lucifer postfix/local[8848]: 12562140095: 
to=, orig_to=, relay=local, 
delay=113, delays=113/0/0/0.04, dsn=2.0.0, status=sent (forwarded as 
6260614005B)
May 11 14:03:55 lucifer postfix/qmgr[8594]: 6260614005B: 
from=, size=604, nrcpt=1 (queue active)

May 11 14:03:55 lucifer postfix/qmgr[8594]: 12562140095: removed

The mail gets forwarded and then sent as owner-testlist.

user1 receives the mail and then the mail goes to the deferred queue 
because user2's mailbox is unavailable. Even when the mail server 
retries after a few minutes, the mail is only retried to user2 (not 
user1). This is the expected behaviour.



Now, when I put the following in the aliases file:

member1:  user1
member2:  user2
member3:  user3
testlist:   :include:/etc/postfix/testlist
owner-testlist: user1

and in /etc/postfix/testlist:

member1
member2
member3

I touch /var/spool/mail/user2.lock to simulate a locked mailbox.

When I now send a mail to testlist, the mail is not forwarded and resent 
as owner-testlist. The mail is sent to user1 and then deferred. With 
every retry of the mail, the mail gets sent again to user1 and then 
deferred. This happens until user2.lock is removed and the mail is once 
again sent to all addresses on the list.


Is this normal? How can I make sure postfix also uses owner-testlist so 
messages are not delivered multiple times when one of the mailboxes is 
currently unavailable?


May 11 14:04:42 lucifer postfix/cleanup[8847]: D916B140095: 
message-id=<20100511120442.d916b140...@lucifer.esat.kuleuven.be>
May 11 14:04:42 lucifer postfix/qmgr[8594]: D916B140095: 
from=, size=457, nrcpt=1 (queue active)
May 11 14:04:42 lucifer postfix/local[8848]: D916B140095: 
to=, relay=local, delay=0.04, 
delays=0.03/0/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)
May 11 14:05:01 lucifer postfix/local[8848]: D916B140095: 
to=, relay=local, delay=19, 
delays=0.03/0/0/19, dsn=4.2.0, status=deferred (cannot update mailbox 
/var/mail/user2 for user user2. unable to create lock file 
/var/mail/user2.lock: File exists)
May 11 14:05:14 lucifer postfix/qmgr[8594]: D916B140095: 
from=, size=457, nrcpt=1 (queue active)
May 11 14:05:14 lucifer postfix/local[8751]: D916B140095: 
to=, relay=local, delay=32, delays=32/0/0/0.01, 
dsn=2.0.0, status=sent (delivered to mailbox)
May 11 14:05:34 lucifer postfix/local[8751]: D916B140095: 
to=, relay=local, delay=51, delays=32/0/0/20, 
dsn=4.2.0, status=deferred (cannot update mailbox /var/mail/user2 for 
user user2. unable to create lock file /var/mail/user2.lock: File exists)


Regards,

--
Rik


Re: Postfix ignoring "", won't do fingerprint checking

2010-05-11 Thread Noel Jones

On 5/10/2010 11:14 PM, Dave O'Larte wrote:

On Mon, May 10, 2010 at 3:31 PM, Noel Jones  wrote:

On 5/10/2010 12:52 PM, Dave O'Larte wrote:


Regarding using the right main.cf:
I've only installed a single Postfix instance, and changes I make to
main.cf  do affect Postfix. (E.g. turning up logging,
etc.) The Postfix log says I'm using the config in /etc/postfix.

The output from postfinger:

# ./postfinger
postfinger - postfix configuration on Mon May 10 17:27:44 UTC 2010
version: 1.30

Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public.  If this is the case it is your responsibility to modify
the output to hide this private information.  [Remove this warning with
the --nowarn option.]

--System Parameters--
mail_version = 2.6.5
hostname = AA-DD-DDD-DDD-DDD
uname = Linux aa-dd-ddd-ddd-ddd d.d.dd-ddd-aaa #7-Ubuntu SMP Tue Oct 13
19:06:04 UTC 2009 i686 GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-2.6.5-3

--main.cf  non-default parameters--
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 0
mailbox_size_limit = 0
maximal_backoff_time = 10s
maximal_queue_lifetime = 0
mydestination = aa-dd-ddd-ddd-ddd.aaa., localhost
myhostname = aa-dd-ddd-ddd-ddd.aaa.
mynetworks = 127.0.0.0/8  [:::127.0.0.0]/104
[::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_client_certs
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
virtual_gid_maps = static:1004
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = a.com

virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:1004

--master.cf--
smtp      inet  n   -   -   -   -   smtpd
smtps     inet  n   -   -   -   -   smtpd
  -o smtpd_sasl_path=smtpd
  -o smtp_tls_security_level=fingerprint
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtp_tls_note_starttls_offer=yes
  -o smtpd_tls_req_ccert=no
  -o smtpd_tls_received_header=yes
  -o smtpd_sasl_local_domain=
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o broken_sasl_auth_clients=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=
pickup    fifo  n   -   -   60  1   pickup
cleanup   unix  n   -   -   -   0   cleanup
qmgr      fifo  n   -   n   300 1   qmgr
tlsmgr    unix  -   -   -   1000?   1   tlsmgr
rewrite   unix  -   -   -   -   -   trivial-rewrite
bounce    unix  -   -   -   -   0   bounce
defer     unix  -   -   -   -   0   bounce
trace     unix  -   -   -   -   0   bounce
verify    unix  -   -   -   -   1   verify
flush     unix  n   -   -   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp      unix  -   -   -   -   -   smtp
relay     unix  -   -   -   -   -   smtp
 -o smtp_fallback_relay=
showq     unix  n   -   -   -   -   showq
error     unix  -   -   -   -   -   error
retry     unix  -   -   -   -   -   error
discard   unix  -   -   -   -   -   discard
local     unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp      unix  -   -   -   -   -   lmtp
anvil     unix  -   -   -   -   1   anvil
scache    unix  -   -   -   -   1   scache
maildrop  unix  -   n   n   -   -   pipe
   flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -   n   n   -   -   pipe
   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -   n   n   -   -   pipe
   flags=F user=ftn argv=/usr/lib/ifmail/ifmai

I've told you twice now in private...

2010-05-11 Thread BABEDH-DHRA
I have sent you 1, one message by accident.  I have not sent anything else
to you.  I will accept your apology in public.

 



Re: I've told you twice now in private...

2010-05-11 Thread Appliantologist
Alright, alright! I'm sorry, and I won't do it again.

On Tue, May 11, 2010 at 5:56 PM, BABEDH-DHRA  wrote:
> I have sent you 1, one message by accident.  I have not sent anything else
> to you.  I will accept your apology in public.
>
>


Re: owner-list sometimes not used

2010-05-11 Thread Wietse Venema
Rik Theys:
> Now, when I put the following in the aliases file:
> 
> member1:  user1
> member2:  user2
> member3:  user3
> testlist: :include:/etc/postfix/testlist
> owner-testlist:   user1
> 
> and in /etc/postfix/testlist:
> 
> member1
> member2
> member3
> 
> I touch /var/spool/mail/user2.lock to simulate a locked mailbox.
> 
> When I now send a mail to testlist, the mail is not forwarded and resent 
> as owner-testlist. The mail is sent to user1 and then deferred. With 
> every retry of the mail, the mail gets sent again to user1 and then 
> deferred. This happens until user2.lock is removed and the mail is once 
> again sent to all addresses on the list.

Sorry, don't do that.  Postfix will NOT store mailing list members
in the "new" queue file if that member is an alias.

I haven't had time to fix local delivery agent logic since 1998,
and it is unlikely to be fixed now without unexpectedly breaking
a ton of other things, such as:

- Instead of failing with a mail delivery loop, deliver mail to
  the user FOO when FOO is an alias that contains FOO (or an alias
  for FOO).

- Instead of failing with a mail delivery loop, deliver mail to
  the mailbox FOO when ~FOO/.forward contains FOO (or an alias for
  FOO).

And other Sendmail compatibility.

Wietse


RE: content_filter post processing question

2010-05-11 Thread Gary Smith
Given the message below, if I fork a process inside a content filter (say in 
python or perl), so I can return the message back to postfix faster (and end 
the content pipe fast with a success exit code), will this have any impact on 
postfix?

> We have a custom content filter in place.  During the execution of this filter
> we create a set of files,  per message, for the purpose of being processed
> after the filter is finished.  The goal in that was to get the mail back into
> postfix ASAP.
> 
> In the background we have a cronjob that goes through the sets of files that
> are created via the filter.  It is pretty inefficient as it processes these
> files one at a time in sequential order.  We are in the process of
> streamlining that and have created an application to process the sets one at a
> time, given the set filename, so we run these in parallel.  This cronjob runs
> on a separate server to reduce load on the postfix boxes.  The problem with
> the cronjob, or any of the process jobs in general, is that this is all on a
> NFS cluster and we spend most of the disk time searching folders for files to
> be processed.
> 
> What I would ideally like to do is to call the new pipeline at the end of the
> content filter as a background process.  I had first intended to just do
> "process.sh > /dev/null &" in order to make it a background process.
> Alternatively I could issue a fork inside the process application and call it
> like a normal file.  I'm not sure what impact either of these will have on
> postfix since it's kicked off from postfix.  If this process that is kicked
> off fails, I still have backup cronjobs that walk the file system.  The
> process we are talking about here is a TCP connection to a separate server
> that will listen, but may have a delayed backlog, but shouldn't take any real
> CPU and limited memory, just time.
> 
> Given this, I'm not even sure if I should even attempt to do it at the end of
> our filter.  Anyone have any thoughts on this approach?





Re: Postfix, Amavisd and DKIM

2010-05-11 Thread Noel Jones

On 5/10/2010 10:24 PM, The Doctor wrote:
> Just reading from amavisd docs on how to set up
> DKIM and I was wondering if this section of their documentation
> is correct:
>
> Configuring multiple mail paths in Postfix
>
> Here is one way of configuring Postfix for providing two paths through a
> content filter. ...


Yes, this is correct.

  -- Noel Jones


check relay_recipients_maps before greylisting ?

2010-05-11 Thread Frank Bonnet

Hello

I would like to check the relay_recipients_maps BEFORE the greylisting
is it possible ?

Thank you



Re: check relay_recipients_maps before greylisting ?

2010-05-11 Thread Brian Evans - Postfix List
On 5/11/2010 8:04 AM, Frank Bonnet wrote:
> Hello
>
> I would like to check the relay_recipients_maps BEFORE the greylisting
> is it possible ?
>
> Thank you
>
I believe you want to place reject_unlisted_recipient before your
greylist check.

See http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient
and http://www.postfix.org/postconf.5.html#reject_unlisted_recipient
for details of what this does.


Re: check relay_recipients_maps before greylisting ?

2010-05-11 Thread Wietse Venema
Frank Bonnet:
> Hello
> 
> I would like to check the relay_recipients_maps BEFORE the greylisting
> is it possible ?

For example:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        ... reject_unlisted_recipient check_policy_service ...

http://www.postfix.org/postconf.5.html#reject_unlisted_recipient

Wietse


Re: I've told you twice now in private...

2010-05-11 Thread Bryan Irvine
On Tue, May 11, 2010 at 8:00 AM, Appliantologist  wrote:
> Alright, alright! I'm sorry, and I won't do it again.
>
> On Tue, May 11, 2010 at 5:56 PM, BABEDH-DHRA  wrote:
>> I have sent you 1, one message by accident.  I have not sent anything else
>> to you.  I will accept your apology in public.

Except you did it again you top-poster! So now I want one too!

-B


Re: content_filter post processing question

2010-05-11 Thread Wietse Venema
Gary Smith:
> Given the message below, if I fork a process inside a content
> filter (say in python or perl), so I can return the message back
> to postfix faster (and end the content pipe fast with a success
> exit code), will this have any impact on postfix?

If the filter reports success to Postfix before giving the FILTERED
message to the Postfix queue, then Postfix will remove the UNFILTERED
message from the queue too early, and you will lose mail when (not
if) the filter has a problem.

Wietse


RE: content_filter post processing question

2010-05-11 Thread Gary Smith
> If the filter reports success to Postfix before giving the FILTERED
> message to the Postfix queue, then Postfix will remove the UNFILTERED
> message from the queue too early, and you will lose mail when (not
> if) the filter has a problem.
> 

The filter re-injects the message back into the queue prior to what I am doing. 
 Basically, I'm saving a copy of the message and the envelope, re-injecting it 
back to postfix, then exiting with 0 (similar to a callout to spamassassin).  
Prior to that exit call, I need to call a script that will process this 
message.  Let's call it the post_content_file script.  I don't care if the 
post_content_filter script succeeds or fails (as I have a backup process to 
handle some of it), I just need to trigger it.  

The idea is at the end of the content_filter, prior to exiting with 0, to call 
a script that will internally fork, then immediately return back to the 
original content_filter, so it can exit.

My question is will this fork process cause any problems with postfix itself?  
I just don't know what the impact of a fork in the content_filter will be.

Gary-


Re: content_filter post processing question

2010-05-11 Thread Victor Duchovni
On Tue, May 11, 2010 at 10:40:05AM -0700, Gary Smith wrote:

> My question is will this fork process cause any problems with postfix
> itself?  I just don't know what the impact of a fork in the content_filter
> will be.

Just make sure to close stdout and stderr, to avoid writing garbage
into the pipe between Postfix and the filter, used to collect filter
error messages.

With this level of complexity, you really should use the advanced (SMTP)
filter approach not pipe(8) based filters.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


RE: content_filter post processing question

2010-05-11 Thread Gary Smith
> Just make sure to close stdout and stderr, to avoid writing garbage
> into the pipe between Postfix and the filter, used to collect filter
> error messages.
> 
> With this level of complexity, you really should use the advanced (SMTP)
> filter approach not pipe(8) based filters.
> 

Victor, 

To be honest, I haven't been able to successfully make the SMTP method work.  I 
tried it last summer for something similar and ran into a bunch of small 
problems (can't remember what they were off the top of my head).

If you have any simple samples of hitting a perl or python script using the 
SMTP method, can you send it to me?  I tried what's on the web site (for 
advanced content filtering) but for some reason I just didn't get it (it didn't 
click for me).



postfix and dovecot

2010-05-11 Thread Phil Howard
I've been exploring, both on my mail-server-to-be, and on the Dovecot
mailing list, just why it is that the Dovecot deliver program is leaving the
domain string empty when formulating the mail location path.  The answer I'm
getting now on that list is that it is a Postfix problem and that I should
ask on THIS list?

Does that make any sense to anyone here?  Just wondering if anyone here has
done Postfix+Dovecot and made it work ... and better yet, documented how to
make the two talk to each other.  What I have so far has (in one
incarnation) gotten mail successfully delivered.  But the path as defined in
Dovecot's mail_location = configuration which had %d in there to fill in the
recipient domain name as part of the path, got an empty string there, even
though the domain name was passed along by Postfix.

I'm not sure what role Postfix would have in that.  But maybe a sanity check
is in order (and this is making me start to go insane).

I've attached outputs from "dovecot -n", "postconf -n", and "postfinger",
with redactions to obscure domain names and IP addresses.



Re: postfix and dovecot

2010-05-11 Thread Noel Jones

On 5/11/2010 1:48 PM, Phil Howard wrote:
> I've been exploring, both on my mail-server-to-be, and on the Dovecot
> mailing list, just why it is that the Dovecot deliver program is leaving
> the domain string empty when formulating the mail location path.  The
> answer I'm getting now on that list is that it is a Postfix problem and
> that I should ask on THIS list?
>
> Does that make any sense to anyone here?  Just wondering if anyone here
> has done Postfix+Dovecot and made it work ... and better yet, documented
> how to make the two talk to each other.  What I have so far has (in one
> incarnation) gotten mail successfully delivered.  But the path as
> defined in Dovecot's mail_location = configuration which had %d in there
> to fill in the recipient domain name as part of the path, got an empty
> string there, even though the domain name was passed along by Postfix.
>
> I'm not sure what role Postfix would have in that.  But maybe a sanity
> check is in order (and this is making me start to go insane).
>
> I've attached outputs from "dovecot -n", "postconf -n", and
> "postfinger", with redactions to obscure domain names and IP addresses.



The domain name is not included in local delivery.  You have a 
bunch of domains for local delivery listed in mydestination.


Seems to me that if you want the domain name to be part of 
delivery, the domain should be defined as a 
virtual_mailbox_domain and not listed in mydestination.


http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/VIRTUAL_README.html

  -- Noel Jones


Re: content_filter post processing question

2010-05-11 Thread Wietse Venema
Victor Duchovni:
> On Tue, May 11, 2010 at 10:40:05AM -0700, Gary Smith wrote:
> 
> > My question is will this fork process cause any problems with postfix
> > itself?  I just don't know what the impact of a fork in the content_filter
> > will be.
> 
> Just make sure to close stdout and stderr, to avoid writing garbage
> into the pipe between Postfix and the filter, used to collect filter
> error messages.

Also, if the process does not close/redirect stdout and stderr,
Postfix will still wait for program output, and you won't gain any
speedup from forking off into the background.

> With this level of complexity, you really should use the advanced (SMTP)
> filter approach not pipe(8) based filters.

I agree. pipe-to-command+exit-status is a clumsy way to run a filter.

Wietse
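
The stdout/stderr point made in the two replies above, as an added example that is not part of the thread: a hypothetical pipe-style filter hands a post-processing job to the background, once inheriting its stdio and once detached, while the caller reads the filter's output until EOF. The filter source, the sample message, `run_filter` and the use of `subprocess.run` as a stand-in for Postfix collecting filter output are all assumptions made for the illustration.

```python
import subprocess
import sys
import time

# Constructed sample message, standing in for what Postfix pipes to the filter.
SAMPLE_MESSAGE = b"From: a@example.com\nTo: b@example.com\nSubject: test\n\nbody\n"

# Hypothetical pipe-style content filter (an assumption, not from the thread).
# A real filter would re-inject the message into Postfix before this point;
# here it only consumes the message and starts the post-processing job.
FILTER_SOURCE = r"""
import subprocess, sys
mode, seconds = sys.argv[1], sys.argv[2]
sys.stdin.buffer.read()
job = [sys.executable, "-c",
       "import time; time.sleep(%s); print('late output from background job')" % seconds]
if mode == "detach":
    # Own session, and all three stdio descriptors pointed at /dev/null,
    # so the job holds no reference to the pipe back to the caller.
    subprocess.Popen(job, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                     stderr=subprocess.DEVNULL, start_new_session=True)
else:
    # The job inherits the filter's stdout/stderr, i.e. the caller's pipe.
    subprocess.Popen(job)
sys.exit(0)
"""


def run_filter(mode, seconds=3):
    """Run the filter the way a pipe-based caller would: feed the message on
    stdin, collect stdout+stderr until EOF, then take the exit status.

    Returns (seconds the caller waited, exit status, collected output).
    """
    start = time.monotonic()
    proc = subprocess.run(
        [sys.executable, "-c", FILTER_SOURCE, mode, str(seconds)],
        input=SAMPLE_MESSAGE,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
    )
    return time.monotonic() - start, proc.returncode, proc.stdout


if __name__ == "__main__":
    for mode in ("detach", "inherit"):
        elapsed, rc, out = run_filter(mode)
        print(f"{mode:8s} exit={rc} caller waited {elapsed:.1f}s output={out!r}")
```

In the `inherit` case the filter itself exits at once with status 0, yet the caller stays blocked until the background job ends and then receives that job's stray output on the channel meant for filter error messages.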


RE: content_filter post processing question

2010-05-11 Thread Gary Smith
> Also, if the process does not close/redirect stdout and stderr,
> Postfix will still wait for program output, and you won't gain any
> speedup from forking off into the background.
> 
> > With this level of complexity, you really should use the advanced (SMTP)
> > filter approach not pipe(8) based filters.
> 
> I agree. pipe-to-command+exit-status is a clumsy way to run a filter.
> 
>   Wietse

Well, you guys are the experts ;).  I will look into setting up an SMTP proxy 
here in the near future.  For now I'll stick with the out of process cronjob.

Gary-


Re: Postfix, SASL sending mail through Postfix.

2010-05-11 Thread BABEDH-DHRA
Thanks for having fun with that.  I have to pick up my daughter and hope to
get back tomorrow morning.

I will look at this program and hopefully have something for you in the
morning.

I know little about this stuff but am throwing myself into it because I have
been disabled for the last year and I need to keep learning.

I am running postfix, dovecot and mysql as well as dcc, spamassassin,
amavisd and so on.  I fear having to rebuild my server which has been done
almost every other week because I cannot get this SASL to work.

Thanks for having patience.



Re: owner-list sometimes not used

2010-05-11 Thread Wietse Venema
Wietse Venema:
> Rik Theys:
> > Now, when I put the following in the aliases file:
> > 
> > member1:  user1
> > member2:  user2
> > member3:  user3
> > testlist:   :include:/etc/postfix/testlist
> > owner-testlist: user1
> > 
> > and in /etc/postfix/testlist:
> > 
> > member1
> > member2
> > member3
> > 
> > I touch /var/spool/mail/user2.lock to simulate a locked mailbox.
> > 
> > When I now send a mail to testlist, the mail is not forwarded and resent 
> > as owner-testlist. The mail is sent to user1 and then deferred. With 
> > every retry of the mail, the mail gets sent again to user1 and then 
> > deferred. This happens until user2.lock is removed and the mail is once 
> > again sent to all addresses on the list.
> 
> Sorry, don't do that.  Postfix will NOT store mailing list members
> in the "new" queue file if that member is an alias.
> 
> I haven't had time to fix local delivery agent logic since 1998,
> and it is unlikely to be fixed now without unexpectedly breaking
> a ton of other things, such as:
> 
> - Instead of failing with a mail delivery loop, deliver mail to
>   the user FOO when FOO is an alias that contains FOO (or an alias
>   for FOO).
> 
> - Instead of failing with a mail delivery loop, deliver mail to
>   the mailbox FOO when ~FOO/.forward contains FOO (or an alias for
>   FOO).
> 
> And other Sendmail compatibility.

At this point the best I could do is make the alias expansion
behavior configurable with a backwards-compatible default setting.

Specifically, this would involve a switch that turns off alias
expansion once Postfix starts delivery to an alias FOO that has an
owner-FOO alias. This would solve the problem for mailing lists,
but could create mail delivery loops that currently don't exist.

Once this switch is fielded we can see if it introduces any surprises.

Wietse


Re: owner-list sometimes not used

2010-05-11 Thread Wietse Venema
Wietse Venema:
> > Sorry, don't do that.  Postfix will NOT store mailing list members
> > in the "new" queue file if that member is an alias.
> > 
> > I haven't had time to fix local delivery agent logic since 1998,
> > and it is unlikely to be fixed now without unexpectedly breaking
> > a ton of other things, such as:
> > 
> > - Instead of failing with a mail delivery loop, deliver mail to
> >   the user FOO when FOO is an alias that contains FOO (or an alias
> >   for FOO).
> > 
> > - Instead of failing with a mail delivery loop, deliver mail to
> >   the mailbox FOO when ~FOO/.forward contains FOO (or an alias for
> >   FOO).
> > 
> > And other Sendmail compatibility.
> 
> At this point the best I could do is make the alias expansion
> behavior configurable with a backwards-compatible default setting.
> 
> Specifically, this would involve a switch that turns off alias
> expansion once Postfix starts delivery to an alias FOO that has an
> owner-FOO alias. This would solve the problem for mailing lists,
> but could create mail delivery loops that currently don't exist.
> 
> Once this switch is fielded we can see if it introduces any surprises.

This would break recipient duplicate elimination when delivering
mail to a nested list (i.e. one mailing list has a member that is
the name of another mailing list), so this is not a useful solution.

Another possibility is to change alias processing so that it sends
recipient addresses to the "new" queue file (i.e. everything except
delivery to command or file).

Wietse


RE: content_filter post processing question

2010-05-11 Thread Gary Smith
> 
> Just make sure to close stdout and stderr, to avoid writing garbage
> into the pipe between Postfix and the filter, used to collect filter
> error messages.
> 
> With this level of complexity, you really should use the advanced (SMTP)
> filter approach not pipe(8) based filters.

Looking around there are some pretty simple samples of what I want to 
accomplish (in both perl and python).  I do have one question about the format 
of the SMTP protocol as to how incoming connections are handled.

When it comes to envelope, specifically "mail from:" and "rcpt to:", my 
understanding is that these will never have comments in them and be just plain 
email addresses j...@example.com, bou...@jack@bou...@example.com, etc, but 
never "jack"  (or  (i.e. the <> ).  In the 
sample python server, it passes in mailfrom and rcptto's and I'm just trying to 
get a feel for the format to expect those addresses in.

Can one of the protocol experts confirm?




Re: content_filter post processing question

2010-05-11 Thread Wietse Venema
Gary Smith:
> > 
> > Just make sure to close stdout and stderr, to avoid writing garbage
> > into the pipe between Postfix and the filter, used to collect filter
> > error messages.
> > 
> > With this level of complexity, you really should use the advanced (SMTP)
> > filter approach not pipe(8) based filters.
> 
> Looking around there are some pretty simple samples of what I want
> to accomplish (in both perl and python).  I do have one question
> about the format of the SMTP protocol as to how incoming connections
> are handled.
> 
> When it comes to envelope, specifically "mail from:" and "rcpt
> to:", my understanding is that these will never have comments in
> them and be just plain email addresses j...@example.com,
> bou...@jack@bou...@example.com, etc, but never "jack" 
> (or  (i.e. the <> ).  In the sample python
> server, it passes in mailfrom and rcptto's and I'm just trying to
> get a feel for the format to expect those addresses in.

That depends on how Postfix is configured.

Remember, Postfix passes the RCPT TO and MAIL FROM commands to the
filter as received. By default, Postfix allows non-standard forms
(such as your examples). If this is a problem then you will need
to configure "strict_rfc821_envelopes = yes" in main.cf.

Wietse
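
A filter-side sketch of the point above, as an added example (not from the thread and not Postfix's own address parser): since the commands arrive as received, an SMTP filter either normalises the looser forms itself or relies on "strict_rfc821_envelopes = yes" in front of it. parse_envelope, strict_rejects and the sample commands are hypothetical and constructed for illustration; the lenient path only approximates what a tolerant server accepts.

```python
import re
from email.utils import parseaddr

_CMD = re.compile(r"^(MAIL FROM|RCPT TO):\s*(.*)$", re.IGNORECASE)
# <address> with an optional quoted local part, then optional ESMTP parameters.
_BRACKETED = re.compile(r'^<((?:"(?:[^"\\]|\\.)*"|[^">])*)>((?:\s+\S+)*)\s*$')
_PARAM = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*=\S+")

# Constructed sample commands, not taken from any real log.
SAMPLES = [
    "MAIL FROM:<jack@example.com> SIZE=1234",
    "MAIL FROM:<>",
    'RCPT TO: "Jack" <jack@example.com>',
    "RCPT TO: jack@example.com (Jack)",
    "mail from: jack@example.com SIZE=10",
]

def parse_envelope(line, strict=False):
    """Return (verb, address, esmtp_params) for one MAIL FROM / RCPT TO line.

    strict=True accepts only "<address> [params]"; strict=False also accepts
    a bare address, a display name or a trailing (comment).
    """
    m = _CMD.match(line.strip())
    if not m:
        raise ValueError("not an envelope command: %r" % line)
    verb, rest = m.group(1).upper(), m.group(2)
    b = _BRACKETED.match(rest)
    if b:
        return verb, b.group(1), b.group(2).split()
    if strict:
        raise ValueError("bad address syntax: %r" % rest)
    # Lenient path: peel KEYWORD=value parameters off the end (never the only
    # word, which must be the address), then let the RFC 822 parser discard
    # any display name or comment.
    words, params = rest.split(), []
    while len(words) > 1 and _PARAM.fullmatch(words[-1]):
        params.insert(0, words.pop())
    addr = parseaddr(" ".join(words))[1]
    if not addr:
        raise ValueError("no address found: %r" % rest)
    return verb, addr, params

def strict_rejects(lines):
    """Lines a filter would only ever see while the front end is lenient."""
    rejected = []
    for line in lines:
        try:
            parse_envelope(line, strict=True)
        except ValueError:
            rejected.append(line)
    return rejected
```

Running strict_rejects over a sample of commands the filter has actually received gives a quick estimate of how much mail the strict setting would turn away.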


RE: content_filter post processing question

2010-05-11 Thread Gary Smith

> > When it comes to envelope, specifically "mail from:" and "rcpt
> > to:", my understanding is that these will never have comments in
> > them and be just plain email addresses j...@example.com,
> > bou...@jack@bou...@example.com, etc, but never "jack" 
> > (or  (i.e. the <> ).  In the sample python
> > server, it passes in mailfrom and rcptto's and I'm just trying to
> > get a feel for the format to expect those addresses in.
> 
> That depends on how Postfix is configured.
> 
> Remember, Postfix passes the RCPT TO and MAIL FROM commands to the
> filter as received. By default, Postfix allows non-standard forms
> (such as your examples). If this is a problem then you will need
> to configure "strict_rfc821_envelopes = yes" in main.cf.
> 

Wietse, I see what you are saying.  What are the potential risks of losing 
legitimate email turning it on?  Or, better question WWWD?  I have yet to see a 
non-conformer in the saved envelopes that we have, so I suspect that most 
modern MTAs should conform.

Gary-


Re: content_filter post processing question

2010-05-11 Thread Wietse Venema
Gary Smith:
> 
> > > When it comes to envelope, specifically "mail from:" and "rcpt
> > > to:", my understanding is that these will never have comments in
> > > them and be just plain email addresses j...@example.com,
> > > bou...@jack@bou...@example.com, etc, but never "jack" 
> > > (or  (i.e. the <> ).  In the sample python
> > > server, it passes in mailfrom and rcptto's and I'm just trying to
> > > get a feel for the format to expect those addresses in.
> > 
> > That depends on how Postfix is configured.
> > 
> > Remember, Postfix passes the RCPT TO and MAIL FROM commands to the
> > filter as received. By default, Postfix allows non-standard forms
> > (such as your examples). If this is a problem then you will need
> > to configure "strict_rfc821_envelopes = yes" in main.cf.
> > 
> 
> Wietse, I see what you are saying.  What are the potential risks
> of losing legitimate email turning it on?  Or, better question
> WWWD?  I have yet to see a non-conformer in the saved envelopes
> that we have, so I suspect that most modern MTAs should
> conform.

If you are talking only to MTAs then the odds of false rejects are
small.

BTW Postfix does not log MAIL FROM/RCPT commands. Postfix logs the
addresses that it pulls out from the MAIL FROM/RCPT commands.

Wietse


Re: lmtp_generic_maps for delivery to dovecot

2010-05-11 Thread ram

> Postfix doesn't have a pipe_generic_maps feature, so the only 
> way you can fix this in postfix is by delivering to another 
> postfix instance, and let that instance deliver to dovecot.
> 
> But dovecot is pretty flexible; maybe there's some way to 
> change the delivery destination on that end.
> 
>-- Noel Jones


That's exactly what I looked for in the first place ...
I was hoping for a dovecot feature, but there doesn't seem to be one.

A "pipe_generic_maps" would be a really welcome feature, considering
that postfix does far more complex things this should be pretty simple.

Thanks
Ram


Empty 'local_recipient_maps =' and security

2010-05-11 Thread Aniruddha
Hi,

I have set up postfix with a mail_transport to Zarafa. To fix a
'Recipient address rejected: User unknown in local recipient table'
error I have to put an empty 'local_recipient_maps =' in postfix's
main.cf. I do wonder about the security implications of setting this
option. If I understand the documentation correctly it isn't wise to
set this option to empty. Is this correct? Besides the information
below I can't find much information about this option. Thanks in
advance!

Documentation
To turn off unknown local recipient rejects by the SMTP server, specify:

/etc/postfix/main.cf:
local_recipient_maps =

That is, an empty value. With this setting, the Postfix SMTP server
will not reject mail with "User unknown in local recipient table".
Don't do this on systems that receive mail directly from the Internet.
With today's worms and viruses, Postfix will become a backscatter
source: it accepts mail for non-existent recipients and then tries to
return that mail as "undeliverable" to the often forged sender
address.

http://www.postfix.org/LOCAL_RECIPIENT_README.html