Re: Separate Submission Instance on Same IP as MX

2010-08-01 Thread Jeroen Geilman

On 08/01/2010 04:11 AM, Mike Morris wrote:
> Hi,
>
> I'm working on a mail server deployment that will only have one server
> for MX and SASL submission purposes.  Generally I like to have separate
> Postfix instances to handle a specific task.

Why ?
It's totally useless in this case.
SMTP runs on port 25, and rejects anything not_invented_here.
Submission runs on port 587, and requires SASL.
Simple.

> In this case I'm running
> in to problems when the submission instance uses the same IP address as
> the MX instance.  (Due to a limited IP address pool there is currently
> only one routable IP address assigned to this server.)
>
> Using the submission instance to send a message to a recipient address
> for which the server is also the MX host triggers Postfix' loop
> detection.  Mail for foreign addresses is relayed correctly.  I realize
> this can be done easily enough without using multiple instances.

Indeed.

> Is
> there a way to work around this so that an MX instance and submission
> instance can share single IP address?

You're going to have to do a lot better than "I want to do this".
Use a single instance, and save yourself some time.

> I've gotten used to the queue,
> logging, and configuration separation provided by multiple instances and
> would rather like to use that approach here if I can.

Since submission is a separate transport, it does log separately.

> mail_version = 2.8-20100707

UNSTABLE.
sheesh.



RE: Log file checking

2010-08-01 Thread Mark Scholten


> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Stan Hoeppner
> Sent: Sunday, August 01, 2010 3:50 AM
> To: postfix-users@postfix.org
> Subject: Re: Log file checking
> 
> Mark Scholten put forth on 7/31/2010 6:53 PM:
> 
> > I want the following information (per day or per hour, it should be
> possible
> > to exclude email addresses or to only get information for certain
> email
> > addresses):
> 
> /usr/sbin/pflogsumm.pl --smtpd_stats /var/log/mail.log
> /var/log/mail.log.1
> 
> Grand Totals
> 
> messages
> 
>3658   received
>5323   delivered
>   0   forwarded
> 480   deferred  (2631  deferrals)
>   1   bounced
>1740   rejected (24%)
>   0   reject warnings
>   0   held
>   0   discarded (0%)
> 
>   25387k  bytes received
>   49655k  bytes delivered
> 825   senders
> 728   sending hosts/domains
>  19   recipients
>  18   recipient hosts/domains
> 
> > - Number of email attempts made by other systems
> 
> smtpd
> 
> 5304   connections
> 1399   hosts/domains
>   10   avg. connect time (seconds)
>  14:54:24  total connect time
> 
> 
> > - Number of messages blocked based on the HELO requirements (I have a
> few
> > regexp lines with blocked HELOs (botnets/spammers))
> 
> If these are done with something like "check_helo_access
> regexp:/etc/postfix/helo.regexp" then you'd see something like this,
> but with
> "Helo command rejected: ".  I don't do any custom HELO checks, only
> client
> checks, but the output is otherwise the same in pflogsumm.
> 
> Client host rejected: Dynamic - Please relay via ISP (chello.nl)
> (total: 1)
>1   dhcp-077-248-074-059.chello.nl
> Client host rejected: Dynamic - Please relay via ISP
> (embarqhsd.net)
> (total: 1)
>1   embarqhsd.net
> Client host rejected: Dynamic - Please relay via ISP (eunet.rs)
> (total: 1)
>1   dynamic-78-30-138-239.adsl.eunet.rs
> 
> ** I have separate rejection messages for each expression in my regexp
> table.
>  Pflogsumm counts each one as distinct, and gives a total for each one,
> instead of a total for all "custom HELO checks"  If you want a singular
> total
> for yours, you probably don't want to specify rejection text for each,
> but use
> the Postfix default.  Doing so should give you the total you want.
> 
> > - Number of connections greylisted (we use postgrey)
> 
> Recipient address rejected: Greylisted (total: 30)
>   30   s...@hardwarefreak.com
> 
> ** greylisting here is used as a last ditch bot blocker.  Some call
> this "very
> selective greylisting".
> 
> > - Number of attempts for an invalid recipient
> 
> Recipient address rejected: User unknown in local recipient table
> (total: 24)
>   21   4050...@hardwarefreak.com
>1   4c4f0705.2050...@hardwarefreak.com
>1   4c4f17db.7010...@hardwarefreak.com
>1   4c20361c.7090...@hardwarefreak.com
> 
> > - Number of messages blocked based on blacklists
> 
> message reject detail
> -
>   RCPT
> Client host rejected: Access denied (total: 262)
>   22   annaeyes.com
>   ...
> Client host rejected: Email not accepted from Africa (total: 34)
>3   41.140.254.160
>   ...
> Client host rejected: Mail not accepted from Belarus (total: 4)
>3   93.85.201.97
>   ...
> Client host rejected: Mail not accepted from China (total: 23)
>6   60.190.77.242
>   ...
> Client host rejected: Mail not accepted from Hungary (total: 1)
>1   www.imac.hu
> Client host rejected: Mail not accepted from Indonesia (total: 14)
>6   118.96.252.201
>   ...
> Client host rejected: Mail not accepted from Korea (total: 32)
>3   61.105.220.135
>   ...
> Client host rejected: Mail not accepted from Malaysia (total: 1)
>1   110.74.129.155
>   ...
> Client host rejected: Mail not accepted from Romania (total: 10)
>3   81.181.221.62
>   ...
> Client host rejected: Mail not accepted from Russia (total: 34)
>3   77.34.255.9
>   ...
> Client host rejected: Mail not accepted from Thailand (total: 6)
>3   113.53.213.186
>   ...
> Client host rejected: Mail not accepted from Ukraine (total: 11)
>3   79.135.202.145
> 
> > - Number of messages blocked by content filter (not really important)
> 
> Here neither.  I don't use content filters.  If you saw my entire A/S
> Postfix
> config and my user base you'd understand why.
> 
> > - Number of messages accepted (not blocked at any stage)
> 
> This is a gripe of my own.  Once you get an accurate method for
> counting this
> via the mail log, please share it with the pflogsumm dev.  My guess is
> that
> it's not at all straightforward, due to the multiple delivery methods
> available.
> 
> > I did ch

Re: Separate Submission Instance on Same IP as MX

2010-08-01 Thread Wietse Venema
Mike Morris:
> Hi,
> 
> I'm working on a mail server deployment that will only have one server
> for MX and SASL submission purposes.  Generally I like to have separate
> Postfix instances to handle a specific task.  In this case I'm running
> in to problems when the submission instance uses the same IP address as
> the MX instance.  (Due to a limited IP address pool there is currently
> only one routable IP address assigned to this server.)
> 
> Using the submission instance to send a message to a recipient address
> for which the server is also the MX host triggers Postfix' loop
> detection.  Mail for foreign addresses is relayed correctly.  I realize
> this can be done easily enough without using multiple instances.  Is
> there a way to work around this so that an MX instance and submission
> instance can share single IP address?  I've gotten used to the queue,

If you use different MTAs, then use different myhostname AND
different inet_interfaces settings.  Otherwise it is just too easy
to screw up and have a high-speed mail system meltdown/explosion/etc.

Postfix is not just about "secure" for some vague definition of
secure, it is about making a safe to use, so that it does not rip
off your arms and legs when you make a trivial mistake.

Wietse


Providing SMTP relay access to roaming laptop without creating an open relay...

2010-08-01 Thread Peter L. Berghold
Hi folks, 

In pseudo code here's how I want my outside mail exchange system to
behave: 

    if mail_sent_by_outside_host_to_inside_user
    then
        relay_to_inside_user
    elsif mail_sent_by_inside_host_to_inside_user
    then
        relay_to_inside_user
    elsif mail_sent_by_inside_host_to_outside_destination
    then
        relay_to_outside_destination
    elsif mail_being_sent_by_roaming_laptop        <-- need this!!!
    then
        relay_where_it_needs_to_go
    else
        reject

The part that seems broken (and that is probably a good thing) right now
is the roaming laptop part.  Since I travel a lot with my laptop both
for business and personal purposes and would like my laptop to relay
mail through my server when "outside the cloud" so to speak, what is the
best approach to this without breaking the MX functionality for my
domain? 

I've read "The Book" on this subject about SASL authentication and my
fear is if I implement that I'll not be able to receive un-authenticated
hosts (such as the fine server that serves this list) and that would be
a bad thing. 

Can somebody point me in the right direction and hopefully not screw
this up? 



-- 
Peter L. Berghold, Australian Cattle Dog Owner, Agility Fan, Foodie,
Salty Old Dog and Old School Unix Hacker. 
Skype:  cowdawg
"Those who fail to learn from history are condemned to repeat it"



Re: Providing SMTP relay access to roaming laptop without creating an open relay...

2010-08-01 Thread Magnus Bäck
On Sunday, August 01, 2010 at 19:15 CEST,
 "Peter L. Berghold"  wrote:

> In pseudo code here's how I want my outside mail exchange system to
> behave:
>
>   if  mail_sent_by_outside_host_to_inside_user 
>   then 
>   relay_to_inside_user
>   elsif 
>   mail_sent_by_inside_host_to_inside_user 
>   then
>   relay_to_inside_user
>   elsif
>   mail_sent_by_inside_host_to_outside_destination
>   then
>   relay_to_outside_destination
>   elsif mail_being_sent_by_roaming_laptop<-- need this!!!
>   relay_where_it_needs_to_go
>   else
>   reject

This is a standard setup. Except for the roaming laptop part, it's the
default configuration. Adding authentication for laptops we get this:

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

This means:

   * Permit local clients to send email anywhere.
   * Permit authenticated clients to send email anywhere.
   * Permit other clients to send email to hosted domains.

> The part that seems broken (and that is probably a good thing) right
> now is the roaming laptop part.  Since I travel a lot with my laptop
> both for business and personal purposes and would like my laptop to
> relay mail through my server when "outside the cloud" so to speak,
> what is the best approach to this without breaking the MX
> functionality for my domain?
>
> I've read "The Book" on this subject about SASL authentication and my
> fear is if I implement that I'll not be able to receive
> un-authenticated hosts (such as the fine server that serves this list)
> and that would be a bad thing.

No. While you can configure Postfix to always require SASL
authentication, with the configuration above authentication
is only required for relay access which is exactly what you want.

http://www.postfix.org/SASL_README.html#server_sasl

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Providing SMTP relay access to roaming laptop without creating an open relay...

2010-08-01 Thread Wietse Venema
Peter L. Berghold:
> Hi folks, 
> 
> In pseudo code here's how I want my outside mail exchange system to
> behave: 
> 

On the Postfix server:

/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated <- for the roaming laptop
...
reject_unauth_destination
...

Then configure the Postfix server for SASL (to authenticate the
roaming laptop) and perhaps TLS encryption (to protect the login
sequence).

http://www.postfix.org/SASL_README.html#server_sasl
http://www.postfix.org/TLS_README.html#server_tls

Wietse

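Added example (my code, not Magnus's, Wietse's or Postfix's): a small Python model of how Postfix walks the three-entry smtpd_recipient_restrictions list posted above, evaluating left to right until a restriction permits or rejects, with the end of the list permitting. The networks, hosted domains and client records are constructed for the demo, and the rule functions only mimic the Postfix restrictions they are named after. It goes one step beyond the thread by also evaluating the same list in reverse order, to show why the order matters for the roaming laptop.

```python
# Added example, not from the thread or from Postfix: a model of how Postfix
# evaluates smtpd_recipient_restrictions. All addresses, networks, domains and
# client records below are constructed.
import ipaddress

# Stand-ins for $mynetworks and for the domains this server accepts mail for
# (mydestination / virtual / relay domains); constructed values.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]
HOSTED_DOMAINS = {"example.org", "example.net"}


def client(ip, sasl_username=None):
    """A connecting SMTP client: its address and, if it authenticated, its SASL login."""
    return {"ip": ipaddress.ip_address(ip), "sasl_username": sasl_username}


# Each restriction returns "permit", "reject" or None (Postfix DUNNO: fall through).
def permit_mynetworks(c, rcpt):
    return "permit" if any(c["ip"] in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(c, rcpt):
    return "permit" if c["sasl_username"] else None


def reject_unauth_destination(c, rcpt):
    domain = rcpt.rpartition("@")[2].lower()
    return None if domain in HOSTED_DOMAINS else "reject"


# The order from the thread: local and authenticated clients may relay anywhere,
# everyone else only reaches the hosted domains (normal MX traffic).
RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]


def decide(restrictions, c, rcpt):
    """Evaluate left to right; the first permit/reject wins, end of list permits."""
    for rule in restrictions:
        verdict = rule(c, rcpt)
        if verdict is not None:
            return verdict, rule.__name__
    return "permit", "end-of-list"


if __name__ == "__main__":
    cases = [
        ("LAN host relaying out",      client("192.168.1.10"),         "friend@gmail.example"),
        ("roaming laptop, SASL, out",  client("203.0.113.7", "peter"), "friend@gmail.example"),
        ("stranger to hosted domain",  client("198.51.100.9"),         "peter@example.org"),
        ("stranger relaying out",      client("198.51.100.9"),         "friend@gmail.example"),
    ]
    for label, c, rcpt in cases:
        print(f"{label:28} -> {decide(RESTRICTIONS, c, rcpt)}")
    # The same three entries with reject_unauth_destination first lock the laptop out,
    # because the reject fires before permit_sasl_authenticated is ever consulted.
    print("misordered list, laptop      ->",
          decide(RESTRICTIONS[::-1], client("203.0.113.7", "peter"), "friend@gmail.example"))
```

The four cases map onto Magnus's three bullets plus the case that must be refused: an unauthenticated stranger reaches a hosted domain only because no restriction objects before the end of the list, while the same stranger sending to an outside domain is stopped by reject_unauth_destination. The reversed list is the open-relay check in the other direction: it is not open, but it no longer serves the laptop either.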

Re: Providing SMTP relay access to roaming laptop without creating an open relay...

2010-08-01 Thread Jonathan Tripathy


On 01/08/10 18:56, Wietse Venema wrote:

> and perhaps TLS encryption (to protect the login

Do not underestimate the importance of enabling TLS :)


Re: Log file checking

2010-08-01 Thread Stan Hoeppner
Mark Scholten put forth on 8/1/2010 5:46 AM:

> Getting it in a single number is important for me, however looking at the
> http://logreporters.sourceforge.net/ link you did give I see that all but
> one thing is given the way I want it. This last option isn't given the way I
> like it, but that can be done by parsing the output from postfix-logwatch to
> combine the last information. Thank you for giving the link.

Actually Sahil deserves that credit--I didn't know of logwatch until he
mentioned it.  And just like you, I prefer the logwatch output over pflogsumm.
 I've already converted everything over to it here.

Thanks again Sahil.

-- 
Stan


Re: Separate Submission Instance on Same IP as MX

2010-08-01 Thread Mike Morris
On 08/01/2010 02:37 AM, Jeroen Geilman wrote:
> On 08/01/2010 04:11 AM, Mike Morris wrote:
>> Hi,
>>
>> I'm working on a mail server deployment that will only have one server
>> for MX and SASL submission purposes.  Generally I like to have separate
>> Postfix instances to handle a specific task.
> 
> Why ?
> It's totally useless in this case.
> SMTP runs on port 25, and rejects anything not_invented_here.
> Submission runs on port 587, and requires SASL.
> Simple.

I don't believe it is "totally useless" to use separate instances for
distinct services.  Configurations can get complex.  Outgoing mail may
be handled differently than incoming mail.  Using multiple instances can
simplify the task.  While it may not *work* in this case, using multiple
instances for MX and submission services is far from *useless*.

> 
>> mail_version = 2.8-20100707
>>
> 
> UNSTABLE.
> sheesh.
> 

Plenty of people would argue that Postfix experimental releases are
quite stable.  In this case I would like to test and make use of postscreen.


Re: Separate Submission Instance on Same IP as MX

2010-08-01 Thread Mike Morris
On 08/01/2010 09:29 AM, Wietse Venema wrote:
> Mike Morris:
>> Hi,
>>
>> I'm working on a mail server deployment that will only have one server
>> for MX and SASL submission purposes.  Generally I like to have separate
>> Postfix instances to handle a specific task.  In this case I'm running
>> in to problems when the submission instance uses the same IP address as
>> the MX instance.  (Due to a limited IP address pool there is currently
>> only one routable IP address assigned to this server.)
>>
>> Using the submission instance to send a message to a recipient address
>> for which the server is also the MX host triggers Postfix' loop
>> detection.  Mail for foreign addresses is relayed correctly.  I realize
>> this can be done easily enough without using multiple instances.  Is
>> there a way to work around this so that an MX instance and submission
>> instance can share single IP address?  I've gotten used to the queue,
> 
> If you use different MTAs, then use different myhostname AND
> different inet_interfaces settings.  Otherwise it is just too easy
> to screw up and have a high-speed mail system meltdown/explosion/etc.
> 
> Postfix is not just about "secure" for some vague definition of
> secure, it is about making a safe to use, so that it does not rip
> off your arms and legs when you make a trivial mistake.
> 
>   Wietse


Fair enough.  I'll see what can be done about a second IP address.

-Mike


reject unknown hosts

2010-08-01 Thread Edward avanti
Hello,

I have a question about rejection.

Some unknown hostnames get a 4.x.x defer, others get a 5xx; I would like all
blocks to be 5.x.x. Yes, I know the consequences of this; I have run mail
servers (sendmail) for 15 years. Now we are moving to Postfix for MySQL
management of company email, and I have a problem replicating the sendmail
settings.

Relevant sections of postconf -n:

smtpd_sender_restrictions = check_recipient_access hash:/etc/postfix/access.never_to

smtpd_recipient_restrictions =
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/access.to
    check_sender_access hash:/etc/postfix/access.froms
    check_client_access hash:/etc/postfix/access.hosts
    reject_unknown_client_hostname
    reject_unknown_helo_hostname
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.ahbl.org
    check_policy_service unix:private/spfpolicy

soft_bounce = no

unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550


Now we see many of:
 NOQUEUE: reject: RCPT from unknown[202.150.184.185]: 550 5.7.1 Client host
rejected: cannot find your hostname, [202.150.184.185]; from=<
cornmeal...@rehau.com> to= proto=ESMTP helo=

But.. then I also see many of:
 NOQUEUE: reject: RCPT from unknown[194.xx.xx.xx]: 450 4.7.1 Client host
rejected: cannot find your hostname, [194.xx.xx.xx]; from=
to= proto=ESMTP helo=

In the 4.x.x case above, the sender is known to us; the hostname he presents
exists, but it has no PTR RR (he is getting it fixed, but that takes time). We
would prefer a 5xx, so he and others like him do not wait 5 days to find the
mail never went. I thought unknown_client_reject_code = 550 would solve this,
but it does not? Is there any way to have this?

Many Thanks

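Added example (mine, not from the thread, pflogsumm or postfix-logwatch): a Python parser for the "NOQUEUE: reject:" lines shown above that counts rejections per reason, the way pflogsumm's reject detail does in the Log file checking thread, and separates the 4xx temporary rejections from the 5xx permanent ones, which is the distinction this message is about. The log lines are constructed on the pattern of the two quoted above, using documentation addresses; the HELO and greylisting lines are constructed too, to show that the same parser covers the reasons Mark asked about.

```python
# Added example, not from the thread or from any Postfix tool: parse Postfix
# smtpd "NOQUEUE: reject:" log lines and count them by reason and by SMTP
# reply class. The sample log below is constructed (documentation IP ranges).
import re
from collections import Counter

LOG_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d+\.\d+) (?P<reason>.*?); "
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

SAMPLE_LOG = """\
Aug  1 10:00:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<spam@sender.example> to=<user@example.org> proto=ESMTP helo=<mail.sender.example>
Aug  1 10:00:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<partner@partner.example> to=<user@example.org> proto=ESMTP helo=<mail.partner.example>
Aug  1 10:00:09 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[203.0.113.3]: 504 5.5.2 <pc1>: Helo command rejected: need fully-qualified hostname; from=<x@y.example> to=<user@example.org> proto=ESMTP helo=<pc1>
Aug  1 10:00:12 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from host.isp.example[203.0.113.9]: 450 4.2.0 <user@example.org>: Recipient address rejected: Greylisted; from=<a@b.example> to=<user@example.org> proto=ESMTP helo=<host.isp.example>
Aug  1 10:00:20 mx postfix/smtpd[1236]: connect from unknown[192.0.2.44]
Aug  1 10:00:21 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 550 5.7.1 Client host rejected: cannot find your hostname, [192.0.2.44]; from=<bot@z.example> to=<user@example.org> proto=ESMTP helo=<bot>
"""


def normalize_reason(reason):
    """Collapse per-client detail so identical causes count together."""
    reason = re.sub(r"^<[^>]*>: ", "", reason)      # drop the "<helo or address>: " prefix
    reason = re.sub(r",? \[[^\]]+\]$", "", reason)   # drop a trailing ", [1.2.3.4]"
    return reason


def parse_reject(line):
    """Return the fields of one reject line as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = normalize_reason(rec["reason"])
    return rec


def summarize(lines):
    """Counts per normalized reason and per reply class, plus the 4xx cases to audit."""
    by_reason, by_class, temporary = Counter(), Counter(), []
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue                      # connect/disconnect and delivery lines are skipped
        by_reason[rec["reason"]] += 1
        by_class[rec["code"][0] + "xx"] += 1
        if rec["code"].startswith("4"):   # deferrals: the client will retry, possibly for days
            temporary.append((rec["ip"], rec["reason"]))
    return {"by_reason": dict(by_reason), "by_class": dict(by_class), "temporary": temporary}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for reason, n in sorted(report["by_reason"].items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {reason}")
    print(report["by_class"])
    print("temporary rejections to follow up:", report["temporary"])
```

Feed it the real file with summarize(open("/var/log/mail.log").read().splitlines()). The "temporary" list is the part that matters for the question above: a 4xx entry that keeps recurring for the same client is a deferral the remote side will retry until its queue lifetime runs out. Note that for reject_unknown_client_hostname Postfix replies 450 whenever the address-to-name or name-to-address lookup failed because of a temporary DNS problem, whatever unknown_client_reject_code is set to; the 550 only applies when the lookup definitively fails.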

Invalid warning list domain in BOTH mydestination and virtual_mailbox_domains

2010-08-01 Thread Lefteris Tsintjelis
This warning does not make any sense at all since there is no such thing listed 
in mydestination. Any ideas?

postfix/trivial-rewrite[7525]: warning: do not list domain mx.asda.gr in BOTH 
mydestination and virtual_mailbox_domains

# postconf | grep mydest
mydestination = localhost.asda.gr, localhost


Re: Separate Submission Instance on Same IP as MX

2010-08-01 Thread Wietse Venema
Mike Morris:
> On 08/01/2010 09:29 AM, Wietse Venema wrote:
> > Mike Morris:
> >> Hi,
> >>
> >> I'm working on a mail server deployment that will only have one server
> >> for MX and SASL submission purposes.  Generally I like to have separate
> >> Postfix instances to handle a specific task.  In this case I'm running
> >> in to problems when the submission instance uses the same IP address as
> >> the MX instance.  (Due to a limited IP address pool there is currently
> >> only one routable IP address assigned to this server.)
> >>
> >> Using the submission instance to send a message to a recipient address
> >> for which the server is also the MX host triggers Postfix' loop
> >> detection.  Mail for foreign addresses is relayed correctly.  I realize
> >> this can be done easily enough without using multiple instances.  Is
> >> there a way to work around this so that an MX instance and submission
> >> instance can share single IP address?  I've gotten used to the queue,
> > 
> > If you use different MTAs, then use different myhostname AND
> > different inet_interfaces settings.  Otherwise it is just too easy
> > to screw up and have a high-speed mail system meltdown/explosion/etc.
> > 
> > Postfix is not just about "secure" for some vague definition of
> > secure, it is about making a safe to use, so that it does not rip
> > off your arms and legs when you make a trivial mistake.
> > 
> > Wietse
> 
> 
> Fair enough.  I'll see what can be done about a second IP address.

Or enable the commented-out submission service (port 587) in the
default master.cf file. With this, use port 587 for submission,
and port 25 for final delivery.

Wietse


Re: reject unknown hosts

2010-08-01 Thread Edward avanti
On Mon, Aug 2, 2010 at 9:45 AM, Edward avanti wrote:

> In the 4.x.x case above, the sender is known to us; the hostname he presents
> exists, but it has no PTR RR (he is getting it fixed, but that takes time). We
> would prefer a 5xx, so he and others like him do not wait 5 days to find the
> mail never went. I thought unknown_client_reject_code = 550 would solve this,
> but it does not? Is there any way to have this?

It appears from more investigation that the cause is SERVFAIL, which always
sends 4xx. Can Postfix override this to 5xx with a setting for SERVFAIL?

Many Thanks