Subdomain Migration

2010-08-16 Thread ramesh

Hi All,

I would like suggestions for changing from a subdomain (belonging to the ISP) to our
own domain; the scenario is as below.

Presently we have subdomain from ISP ( @xxx.isp.net)
email id : ram...@xxx.isp.net

The ISP charges a huge amount, though other ISPs charge less, so we have planned to
migrate to our own registered domain and terminate the existing ISP.

Now my requirement is that email coming to ram...@xxx.isp.net (mail server connected
to the present ISP) should be forwarded to ram...@mydomain.co.in (mail server connected
to the new ISP).

Please send me suggestions to follow, or URLs that explain this briefly.

Thanks.

Regards,
Ramesh








RE: Active Directory and virtual delivery agent

2010-08-16 Thread Aaron Roberts
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Jeroen Geilman
> Sent: 15 August 2010 20:54
> To: postfix-users@postfix.org
> Subject: Re: Active Directory and virtual delivery agent
> 
> On 08/13/2010 03:18 PM, Aaron Roberts wrote:
> > Hi,
> > I'm looking for a bit of inspiration...
> >
> > I have a number of linux boxes using winbind to provide UNIX system
> users from a Win2008R2 Active Directory domain.  I'm using winbind's
> RID idmap backend thing to provide consistent UNIX UIDs and GIDs across
> multiple servers.  For non-windows people, the RID is a 32 bit integer
> which uniquely identifies an object in a domain, and forms the right-
> most part of the Active Directory forest-wide SID.
> >
> > A SID looks like:
> > S-1-5-21-993118751-601841214-1674189692-1134
> >
> > The RID, in the above case, is 1134.
> >
> > My UNIX UIDs are always (RID + 1000).
> >
> > I want my virtual_uid_maps to fetch, from Active Directory using
> table_ldap, something like:
> >
> >   ((RID derived from the objectSID attribute) + 1000).
> >
> > I would also like my virtual_mailbox_maps to fetch, from Active
> Directory using table_ldap, something like:
> >   (primaryGroupID attribute)/(samaccountname attribute)/inbox
> >
> > Can the postfix LDAP client do maths and/or concatenate retrieved
> attributes or should I be doing that elsewhere and storing the results
> as new attributes?
> >
> 
> You can do anything that is valid in an LDAP query.
> The former will probably be difficult if not impossible; the second
> should be fairly simple.
> 
> If you are storing mailbox information in LDAP, why not store the
> actual
> address -> physical mailbox location ?
> You can script that quite easily.

Thanks for your input, I was trying to avoid modifying the AD schema but
it's beginning to look preferable from a lot of different angles.

Thank you,
  Aaron
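As an added example (mine, not code from the thread, winbind or Postfix), here is the derivation Aaron describes done outside the Postfix LDAP client, which is the route Jeroen suggests: take the RID from a SID (both the textual form and the binary objectSID attribute as Active Directory stores it), apply the RID + 1000 scheme with a bound check, and build the primaryGroupID/sAMAccountName/inbox path. The SID is the one quoted above; the group ID 513 and the account name are constructed, and the 32-bit uid_t ceiling is an assumption stated in the code.

```python
"""Derive the UNIX UID and mailbox path for an Active Directory user from
its SID, following the RID + 1000 scheme described in the thread.
Added example: not code from the thread, winbind or Postfix."""
import struct

UID_OFFSET = 1000            # the thread's scheme: UNIX UID = RID + 1000
UID_T_MAX = 2**32 - 1        # assumption: 32-bit uid_t (Linux 2.4 and later)


def rid_from_sid_string(sid):
    """RID = the last sub-authority of a textual SID, e.g.
    'S-1-5-21-993118751-601841214-1674189692-1134' -> 1134."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID: %r" % (sid,))
    return int(parts[-1])


def rid_from_object_sid(blob):
    """RID from the binary objectSID attribute as AD stores it:
    revision (1 byte) | sub-authority count (1 byte) |
    identifier authority (6 bytes, big-endian) |
    sub-authorities (count x 32-bit little-endian)."""
    if len(blob) < 8:
        raise ValueError("objectSID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count == 0 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed objectSID")
    subauths = struct.unpack("<%dI" % count, blob[8:])
    return subauths[-1]


def sid_string_to_bytes(sid):
    """Encode a textual SID in the binary objectSID layout (used here to
    construct sample input; the inverse of what rid_from_object_sid parses)."""
    parts = sid.split("-")
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    return (bytes([1, len(subauths)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))


def unix_uid(rid):
    """Apply the RID + 1000 scheme, refusing values that do not fit uid_t.
    The RID is itself a 32-bit value, so the sum can exceed 32 bits."""
    uid = rid + UID_OFFSET
    if not 0 <= uid <= UID_T_MAX:
        raise OverflowError("uid %d does not fit in a 32-bit uid_t" % uid)
    return uid


def mailbox_path(primary_group_id, sam_account_name):
    """Relative mailbox path primaryGroupID/sAMAccountName/inbox.
    The name is checked so a malformed attribute cannot yield a path
    outside the mailbox base."""
    if (not sam_account_name or "/" in sam_account_name
            or "\0" in sam_account_name or sam_account_name in (".", "..")):
        raise ValueError("unsafe sAMAccountName: %r" % (sam_account_name,))
    return "%d/%s/inbox" % (int(primary_group_id), sam_account_name)


if __name__ == "__main__":
    sid = "S-1-5-21-993118751-601841214-1674189692-1134"   # SID quoted in the thread
    rid = rid_from_sid_string(sid)
    assert rid == rid_from_object_sid(sid_string_to_bytes(sid))
    # 513 and "jdoe" are constructed sample attribute values
    print("rid=%d uid=%d mailbox=%s" % (rid, unix_uid(rid), mailbox_path(513, "jdoe")))
```

Whichever side computes the values, the results would be stored back as plain attributes (the schema change Aaron is weighing) so that table_ldap only has to return them.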


Re: Active Directory and virtual delivery agent

2010-08-16 Thread zhong ming wu
On Fri, Aug 13, 2010 at 9:18 AM, Aaron Roberts  wrote:
> Hi,
>        I'm looking for a bit of inspiration...
>
> I have a number of linux boxes using winbind to provide UNIX system users 
> from a Win2008R2 Active Directory domain.  I'm using winbind's RID idmap 
> backend thing to provide consistent UNIX UIDs and GIDs across multiple 
> servers.  For non-windows people, the RID is a 32 bit integer which uniquely 
> identifies an object in a domain, and forms the right-most part of the Active 
> Directory forest-wide SID.
>
> A SID looks like:
> S-1-5-21-993118751-601841214-1674189692-1134
>
> The RID, in the above case, is 1134.
>
> My UNIX UIDs are always (RID + 1000).

I always thought a unix uid (or at least on linux) is an unsigned short;
won't you run into a problem at one point with this?


RE: Active Directory and virtual delivery agent

2010-08-16 Thread Aaron Roberts
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of zhong ming wu
> Sent: 16 August 2010 12:02
> To: Postfix users
> Subject: Re: Active Directory and virtual delivery agent
> 
> On Fri, Aug 13, 2010 at 9:18 AM, Aaron Roberts
>  wrote:
> > Hi,
> >        I'm looking for a bit of inspiration...
> >
> > I have a number of linux boxes using winbind to provide UNIX system
> users from a Win2008R2 Active Directory domain.  I'm using winbind's
> RID idmap backend thing to provide consistent UNIX UIDs and GIDs across
> multiple servers.  For non-windows people, the RID is a 32 bit integer
> which uniquely identifies an object in a domain, and forms the right-
> most part of the Active Directory forest-wide SID.
> >
> > A SID looks like:
> > S-1-5-21-993118751-601841214-1674189692-1134
> >
> > The RID, in the above case, is 1134.
> >
> > My UNIX UIDs are always (RID + 1000).
> 
> I always thought a unix uid (or at least on linux) is an unsigned short;
> won't you run into a problem at one point with this?

I understand that linux, since 2.4, supports 32 bit UIDs.

Aaron


Re: cidr table on mysql database

2010-08-16 Thread Stan Hoeppner
Jack Knowlton put forth on 8/15/2010 4:53 PM:

> Is it possible to store a CIDR access table on a mysql database?

I'm pretty sure the answer is, NO.

The solution to your problem is sticking the Postfix access table files you
want shared across your MX farm on an NFS/CIFS server and mounting the share
into, say, the directory

/etc/postfix/tables 

on each MX host.

"man 5 cidr_table"

You will need to automount the remote NFS/CIFS share at boot, so you'll need
to add an entry to fstab, use autofs, or execute a startup script with the
appropriate mount command.  I'd recommend doing it via fstab, appending an
entry such as this to the bottom of the /etc/fstab file:

nfsserver_ip:/postfix-access-files  /etc/postfix/tables  nfs  defaults  0  0

See your operating system's documentation for mounting remote nfs filesystems
via fstab.

-- 
Stan


Re: Problem with Postfix and LDAP...

2010-08-16 Thread Brian Evans - Postfix List

 On 8/15/2010 4:47 PM, Christopher Kurtis Koeber wrote:


Aug 15 16:32:57 WTS-ZIMBRA postfix/qmgr[18608]: 248B53220E2:
from=, size=288, nrcpt=1 (queue active)
Aug 15 16:32:57 WTS-ZIMBRA postfix/virtual[18620]: 248B53220E2:
to=,
orig_to=, relay=virtual,
delay=23, delays=23/0.03/0/0.08, dsn=5.1.1, status=bounced (unknown user:
"dbayasekara8...@wts-zimbra.wesleysem.edu")

OK, your original command shows nothing but I am trying to send mail to
"students.wesleyseminary.edu" which is defined in
my virtual_mailbox_domains.cf file.


Please notice the lines above.  A mail is sent to 
"dbayasekara8...@students.wesleyseminary.edu" but then is aliased to 
"dbayasekara8...@wts-zimbra.wesleysem.edu" before it reaches your 
virtual_mailbox_maps.  This probably occurs in virtual_alias_maps.


According to your previous mail:


Aug 15 13:57:45 WTS-ZIMBRA postfix/smtpd[17373]: maps_find: 
virtual_alias_maps:ldap:/etc/postfix/ldap-aliases.cf(0,lock|fold_fix):dbayasekara8...@students.wesleyseminary.edu
  = dbayasekara8469


This will alias the mail to "dbayasekara8...@$myorigin".
Thus, your virtual_mailbox_map fails as you noticed below in querying 
with postmap.


I'm not sure what you are trying to accomplish by setting 
virtual_alias_maps. However, I strongly suggest returning a fully 
qualified address if you do not want to append $myorigin to each mail.



postmap outputs:

--
# postmap -q dbayasekara8...@wts-zimbra.wesleysem.edu
ldap:/etc/postfix/ldap-maps.cf
# postmap -q dbayasekara8...@students.wesleyseminary.edu
ldap:/etc/postfix/ldap-maps.cf
/home/studentemail/students.wesleyseminary.edu/dbayasekara8469
--



You also may have an error in your results for virtual_mailbox_maps.


Postconf -n:

--
virtual_mailbox_base = /home/studentemail/
--


virtual_mailbox_base will prepend to your results from virtual_mailbox_maps.
The files will attempt to be put at 
"/home/studentemail/home/studentemail/students.wesleyseminary.edu/dbayasekara8469"


If this is what you want, great.  If not, you should fix it.


So the questions I have are (1) what do I need to do to send mail to the
domains defined in virtual_domains.cf
and (2) how can I get the lookups via LDAP working for the domains
defined in that file?

Thank you for your time.





Re: Speed up queue injection

2010-08-16 Thread Ram
On Sun, 2010-08-15 at 17:35 +0200, J. Roeleveld wrote:
> On Friday 13 August 2010 19:58:38 Noel Jones wrote:
> > On 8/13/2010 8:22 AM, J. Roeleveld wrote:
> > > On Friday 13 August 2010 14:23:51 Wietse Venema wrote:
> > >> Ralf Hildebrandt:
> > >>> * Ram:
> >  Mail in plain text format , mime encoded message
> > >>> 
> > >>> OK!
> > >>> 
> >  Currently I get  40/s - 45/s
> > >>> 
> > >>> That sounds normal. Any filtering (in these cases you should inject in
> > >>> a way that bypasses and filters)
> > >>> 
> >  But I want it to be at least 100/s
> > >>> 
> > >>> Two machineS?
> > >>> relay boxes
> > >>> 
> >  Delivery is not at all an issue , because postfix gives it to further
> >  relay boxes which are under our control again.
> > >>> 
> > >>> Why not inject to the further relay boxes?
> > >>> 
> >  Do I need to increase the hardware
> > >>> 
> > >>> It could be :)
> > >> 
> > >> Other options: increase input concurrency, or play with in_flow_delay.
> > >> Note that increasing your input rates will cause output rates to drop.
> > >> It's all about competing for disk access.
> > >> 
> > >>  Wietse
> > > 
> > > Further options, I think:
> > > - Disable filtering (provided the only possible connections are related
> > > to these emails
> > 
> > Presumably the client would be in mynetworks, which should
> > bypass most or all restrictions, so this is unlikely to make
> > much difference.  Unless you're doing something silly like
> > 1000 body_check rules or using a content_filter or milter.
> > 
> > > - put the queue on a ram-disk (8GB Ram, might leave 6GB for the queue,
> > > would this be sufficient?)
> > 
> > Putting the queue on ramdisk is only for spammers who don't
> > particularly care if their mail is lost.
> > 
> > But putting the queue on an enterprise-quality SSD would
> > almost certainly help.


But Enterprise quality SSDs are so expensive. I can get an additional
server and still save money.

It seems I will have to break up my app and scatter the mail creation across
multiple servers to achieve higher injection rates.



Thanks
Ram 






Re: cidr table on mysql database

2010-08-16 Thread Walter Pinto
I completely misunderstood his request, sorry.


Re: Speed up queue injection

2010-08-16 Thread Stan Hoeppner
Ram put forth on 8/16/2010 8:19 AM:

> But Enterprise quality SSDs are so expensive. I can get an additional
> server and still save money.

I call BS:

http://www.newegg.com/Product/Product.aspx?Item=N82E16820167023

$214 USD is _not_ expensive at all, and only a fraction of the cost of a
server.  Putting your queue on a decent filesystem such as XFS on this device
will yield you over 8,000 random read/write IO/s (using the delayed logging
mount option in 2.6.35 would effectively get you over 15k IO/s, but that
feature isn't production quality yet).

For comparison, a single 10k/15k SAS drive will get you about 300-400 random
IO/s.  And to add insult to injury, such a SAS drive from any of SUN, Dell,
HP, or IBM will run you well north of $700 and in the case of EMC that single
drive will cost you $2000.  That's no joke.  EMC _IS_ a joke.

This is an 80GB SSD which should be far more than plenty of space for queue
files.  8,000 files per second into and out of your queue for ~$200 USD is
ridiculously fast and ridiculously cheap.  I don't see how you can say no to
this solution.  For ~$200 USD it is at bare minimum worth buying one and
testing it yourself.

Whether you consider it "enterprise" quality or not, it's Intel, and it ain't
gonna fail.  If I was running an MX farm that needed maximum performance, I'd
already have one of these in each server, many months ago. ;)

-- 
Stan


Re: Problem with Postfix and LDAP...

2010-08-16 Thread Christopher Koeber
Well, maybe it will help to describe what I am trying to do.

I have a list of folks in my OpenLDAP server that I would like accounts for.
These accounts are for the 'students.wesleyseminary.edu' domain.

I also have folks in a 'wesleyministrynetwork.com' domain that I would like
mail to be sent to. These folks are going to be in a different
organizational unit.

Obviously, I also will need to have the postmaster/mailerdaemon/etc.
accounts working as well.

Now, from the documentation that I looked at, the virtual maps/alias
settings that I loaded in seemed like the best bet.

Is that correct, or do I need to go in a different direction?

I am willing to make any change on the Postfix settings or the server as
necessary.

I will also go through the suggestions as you mentioned below.

Thank you for the help.

Regards,
Christopher Koeber


On Mon, Aug 16, 2010 at 9:01 AM, Brian Evans - Postfix List <
grkni...@scent-team.com> wrote:

>  On 8/15/2010 4:47 PM, Christopher Kurtis Koeber wrote:
>
>>
>> Aug 15 16:32:57 WTS-ZIMBRA postfix/qmgr[18608]: 248B53220E2:
>> from=, size=288, nrcpt=1 (queue active)
>> Aug 15 16:32:57 WTS-ZIMBRA postfix/virtual[18620]: 248B53220E2:
>> to=,
>> orig_to=, relay=virtual,
>> delay=23, delays=23/0.03/0/0.08, dsn=5.1.1, status=bounced (unknown user:
>> "dbayasekara8...@wts-zimbra.wesleysem.edu")
>>
>> OK, your original command shows nothing but I am trying to send mail to
>> "students.wesleyseminary.edu" which is defined in
>> my virtual_mailbox_domains.cf file.
>>
>
> Please notice the lines above.  A mail is sent to "
> dbayasekara8...@students.wesleyseminary.edu" but then is aliased to "
> dbayasekara8...@wts-zimbra.wesleysem.edu" before it reaches your
> virtual_mailbox_maps.  This probably occurs in virtual_alias_maps.
>
> According to your previous mail:
>
>  Aug 15 13:57:45 WTS-ZIMBRA postfix/smtpd[17373]: maps_find:
>> virtual_alias_maps:ldap:/etc/postfix/ldap-aliases.cf(0,lock|fold_fix):
>> dbayasekara8...@students.wesleyseminary.edu  = dbayasekara8469
>>
>
> This will alias the mail to "dbayasekara8...@$myorigin".
> Thus, your virtual_mailbox_map fails as you noticed below in querying with
> postmap.
>
> I'm not sure what you are trying to accomplish by setting
> virtual_alias_maps. However, I strongly suggest returning a fully qualified
> address if you do not want to append $myorigin to each mail.
>
>
>  postmap outputs:
>>
>> --
>> # postmap -q dbayasekara8...@wts-zimbra.wesleysem.edu
>> ldap:/etc/postfix/ldap-maps.cf
>> # postmap -q dbayasekara8...@students.wesleyseminary.edu
>> ldap:/etc/postfix/ldap-maps.cf
>> /home/studentemail/students.wesleyseminary.edu/dbayasekara8469
>> --
>>
>>
> You also may have an error in your results for virtual_mailbox_maps.
>
>  Postconf -n:
>>
>> --
>>
>> virtual_mailbox_base = /home/studentemail/
>> --
>>
>
> virtual_mailbox_base will prepend to your results from
> virtual_mailbox_maps.
> The files will attempt to be put at "/home/studentemail/home/studentemail/
> students.wesleyseminary.edu/dbayasekara8469"
>
> If this is what you want, great.  If not, you should fix it.
>
>
>  So the questions I have are (1) what do I need to do to send mail to the
>> domains defined in virtual_domains.cf
>> and (2) how can I get the lookups via LDAP working for the domains
>> defined in that file?
>>
>> Thank you for your time.
>>
>>
>


Re: Speed up queue injection

2010-08-16 Thread Noel Jones

On 8/16/2010 9:36 AM, Stan Hoeppner wrote:

Ram put forth on 8/16/2010 8:19 AM:


But Enterprise quality SSDs are so expensive. I can get an additional
server and still save money.


I call BS:

http://www.newegg.com/Product/Product.aspx?Item=N82E16820167023


...  Yeah, it's fast.


Whether you consider it "enterprise" quality or not, it's Intel, and it ain't
gonna fail.  If I was running an MX farm that needed maximum performance, I'd
already have one of these in each server, many months ago. ;)



The Intel X25-E series is enterprise-grade.  The 64G model 
sells for $700~$800.  Quite a bit more expensive than the 
consumer X25-M series, but better suited for server use, and 
still far less than a decent server.


Can't say for sure without testing, but I wouldn't be 
surprised if the SSD is faster than two servers sharing the load.



  --  Noel Jones


Re: cidr table on mysql database

2010-08-16 Thread Bill Weiss
Jack Knowlton(jknowl...@vp44.com)@Sun, Aug 15, 2010 at 11:53:33PM +0200:
> Hi all.
> Is it possible to store a CIDR access table on a mysql database? It would
> be very useful so I could have a centralized list to serve all MXs'
> instead of rsync'ing files each time.
> Thanks,

If you're comfortable with PostgreSQL, it has a native CIDR type that you
might find useful:
http://www.postgresql.org/docs/8.2/static/datatype-net-types.html

-- 
Bill Weiss
 
I once bought some crack, now I'm down with the CIA
-- Sublime
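An added example (mine, not from the thread and not a Postfix table type) of what Bill's suggestion comes down to once a database lacks PostgreSQL's native cidr type: each network is stored as an address range and a client address is matched with a range query, with first-match-wins ordering as in cidr_table(5). It uses Python's built-in sqlite3 so it runs offline; the rules are constructed from documentation address ranges. How Postfix would be pointed at such a lookup is a separate question that this thread does not settle.

```python
"""CIDR access rules in an ordinary SQL table, matched by address range.
Added example; not code from the thread and not a Postfix lookup table."""
import ipaddress
import sqlite3

# (network, action) in file order; like cidr_table(5), the first match wins,
# so the more specific 192.0.2.128/25 below never overrides the /24 above it.
# Constructed rules using documentation address ranges.
RULES = [
    ("192.0.2.0/24", "REJECT"),
    ("192.0.2.128/25", "OK"),
    ("198.51.100.0/24", "OK"),
    ("203.0.113.5/32", "REJECT"),
    ("2001:db8::/32", "REJECT"),
]


def addr_key(addr):
    """Fixed-width hex so that plain string comparison orders addresses
    numerically; IPv4 and IPv6 are kept apart by the family column."""
    return "%032x" % int(addr)


def build_table(rules):
    """Load rules into an in-memory table keyed by the [lo, hi] address range."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cidr_access ("
                 "seq INTEGER, family INTEGER, net TEXT, lo TEXT, hi TEXT, action TEXT)")
    for seq, (net, action) in enumerate(rules):
        # strict=True rejects a prefix with host bits set (e.g. 192.0.2.1/24)
        n = ipaddress.ip_network(net, strict=True)
        conn.execute("INSERT INTO cidr_access VALUES (?, ?, ?, ?, ?, ?)",
                     (seq, n.version, str(n), addr_key(n[0]), addr_key(n[-1]), action))
    conn.commit()
    return conn


def lookup(conn, client_ip):
    """Action of the first rule whose range contains client_ip, or None
    (no match: the access table is silent and later restrictions decide)."""
    ip = ipaddress.ip_address(client_ip)
    key = addr_key(ip)
    row = conn.execute(
        "SELECT action FROM cidr_access "
        "WHERE family = ? AND lo <= ? AND ? <= hi ORDER BY seq LIMIT 1",
        (ip.version, key, key)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    table = build_table(RULES)
    for client in ("192.0.2.200", "198.51.100.9", "203.0.113.6", "2001:db8::1"):
        print(client, lookup(table, client))
```

With a native cidr type the range columns disappear and the WHERE clause becomes a containment operator; without one, the two fixed-width keys are what makes the comparison correct for both address families.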



Re: Need advise on ISP postfix mail server

2010-08-16 Thread brian moore
On Fri, 13 Aug 2010 11:46:53 +0700
Makara  wrote:

> Puthick, no authentication is required for sending mail out because of
> users' knowledge limitations. We would like to solve the problem without
> implementing SMTP authentication.

Use one of the pop-before-smtp packages.  It's admittedly a kludge,
but it worked "well enough" most of the time before SMTP Auth was
available.

Add SMTP auth as well, if users have problems sending then set them
to SMTP Auth on a case-by-case basis.  New customers you can have
set up for SMTP Auth by default.

These days, it is not hard to enable auth on clients.  It's usually
a check box, "My server requires authentication" and it should be
easy to put together a web page explaining this to your users.

SpamAssassin and rate limiting are useful tools, but running an open
relay is very dangerous and will eventually be discovered: most open
relay blacklists don't care whether or not you are transmitting spam
or not -- you will get blacklisted if your mail server is found, and
it will be found.

Security should be a feature you can explain to your customers as
a benefit: "we do this because if we don't, your mail will be less
deliverable, and we want to ensure you can send mail to your friends
and family."



Re: Problem with Postfix and LDAP...

2010-08-16 Thread Brian Evans - Postfix List

 On 8/16/2010 10:45 AM, Christopher Koeber wrote:

Well, maybe it will help to describe what I am trying to do.

I have a list of folks in my OpenLDAP server that I would like 
accounts for. These accounts are for the 'students.wesleyseminary.edu' domain.


I also have folks in a 'wesleyministrynetwork.com' domain that I would like 
mail to be sent to. These folks are going to be in a different organizational 
unit.


Obviously, I also will need to have the postmaster/mailerdaemon/etc. 
accounts working as well.


Now, from the documentation that I looked at, the virtual maps/alias 
settings that I loaded in seemed like the best bet.


Is that correct, or do I need to go in a different direction?


I believe you are heading in the right direction, but you must 
understand my comments.


When a bare username is retrieved from a map, $myorigin is appended to 
it automatically.
$myorigin defaults to $myhostname  
(http://www.postfix.org/postconf.5.html#myorigin)


virtual_ALIAS_maps apply to ALL mail passed through the system and are 
applied before delivery.


virtual_MAILBOX_maps validate *and* point to the mailbox (when using the 
virtual(8) delivery) for users that are included in the domains for 
virtual_MAILBOX_domains.


If you do not need to apply alternate names (aka aliases) to users, do 
not use virtual_ALIAS_maps.
It is recommended to use virtual_ALIAS_maps for the accounts you pointed 
out above and *not* include normal users that virtual_MAILBOX_maps will 
do for you.


When you do have a virtual_ALIAS_maps match, make sure it is fully 
qualified:

Example:
postmas...@wts-zimbra.wesleysem.edu  real.u...@wts-zimbra.wesleysem.edu




I am willing to make any change on the Postfix settings or the server 
as necessary.


I will also go through the suggestions as you mentioned below.

Thank you for the help.

Regards,
Christopher Koeber


On Mon, Aug 16, 2010 at 9:01 AM, Brian Evans - Postfix List 
<grkni...@scent-team.com> wrote:


 On 8/15/2010 4:47 PM, Christopher Kurtis Koeber wrote:


Aug 15 16:32:57 WTS-ZIMBRA postfix/qmgr[18608]: 248B53220E2:
from=<ckoe...@wesleyseminary.edu>, size=288, nrcpt=1 (queue active)
Aug 15 16:32:57 WTS-ZIMBRA postfix/virtual[18620]: 248B53220E2:
to=<dbayasekara8...@wts-zimbra.wesleysem.edu>,
orig_to=<dbayasekara8...@students.wesleyseminary.edu>, relay=virtual,
delay=23, delays=23/0.03/0/0.08, dsn=5.1.1, status=bounced (unknown user:
"dbayasekara8...@wts-zimbra.wesleysem.edu")

OK, your original command shows nothing but I am trying to send mail to
"students.wesleyseminary.edu" which is defined in
my virtual_mailbox_domains.cf file.


Please notice the lines above.  A mail is sent to
"dbayasekara8...@students.wesleyseminary.edu" but then is
aliased to "dbayasekara8...@wts-zimbra.wesleysem.edu" before it
reaches your virtual_mailbox_maps.  This probably occurs in
virtual_alias_maps.

According to your previous mail:

Aug 15 13:57:45 WTS-ZIMBRA postfix/smtpd[17373]: maps_find:
virtual_alias_maps:ldap:/etc/postfix/ldap-aliases.cf(0,lock|fold_fix):dbayasekara8...@students.wesleyseminary.edu
  = dbayasekara8469


This will alias the mail to "dbayasekara8...@$myorigin".
Thus, your virtual_mailbox_map fails as you noticed below in
querying with postmap.

I'm not sure what you are trying to accomplish by setting
virtual_alias_maps. However, I strongly suggest returning a fully
qualified address if you do not want to append $myorigin to each
mail.


postmap outputs:

--
# postmap -q dbayasekara8...@wts-zimbra.wesleysem.edu

ldap:/etc/postfix/ldap-maps.cf 
# postmap -q dbayasekara8...@students.wesleyseminary.edu

ldap:/etc/postfix/ldap-maps.cf 
/home/studentemail/students.wesleyseminary.edu/dbayasekara8469

--


You also may have an error in your results for virtual_mailbox_maps.

Postconf -n:

--


virtual_mailbox_base = /home/studentemail/
--
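An added example (mine, not the poster's configuration or Postfix code) that models the two pitfalls Brian points out in both of his replies and lints map results for them: a bare virtual_alias_maps result gets $myorigin appended, and virtual_mailbox_base is joined onto every virtual_mailbox_maps result, so an absolute result doubles the path. The map contents are constructed to mirror the shapes seen in the thread; the user name, and the assumption that virtual(8) joins base and result with a slash, are mine.

```python
"""Model the two Postfix virtual-map pitfalls described in the thread and
lint map results for them. Added example with constructed map data; the
joining rule for virtual_mailbox_base is an assumption, not Postfix source."""
import posixpath

MYORIGIN = "wts-zimbra.wesleysem.edu"    # $myorigin defaults to $myhostname (thread)


def qualify(address, myorigin=MYORIGIN):
    """Postfix appends $myorigin to an address that has no domain part."""
    return address if "@" in address else "%s@%s" % (address, myorigin)


def resolve_alias(recipient, alias_map, myorigin=MYORIGIN):
    """virtual_alias_maps lookup: the recipient is rewritten to the (qualified)
    result, or left unchanged when the map has no entry."""
    result = alias_map.get(recipient.lower())
    return recipient if result is None else qualify(result, myorigin)


def mailbox_file(recipient, mailbox_map, mailbox_base):
    """virtual_mailbox_maps lookup with virtual_mailbox_base prepended; None
    means virtual(8) would bounce with 'unknown user'."""
    rel = mailbox_map.get(recipient.lower())
    if rel is None:
        return None
    # Assumption: base and result are joined with '/', so an absolute result
    # is not honoured; the kernel collapses the repeated slashes.
    return posixpath.normpath(mailbox_base + "/" + rel)


def lint_maps(alias_map, mailbox_map, mailbox_base, myorigin=MYORIGIN):
    """Return a list of findings for the pitfalls discussed in the thread."""
    findings = []
    for lhs, rhs in alias_map.items():
        if "@" not in rhs:
            findings.append("alias %s -> %s is unqualified; Postfix will deliver to %s"
                            % (lhs, rhs, qualify(rhs, myorigin)))
        target = qualify(rhs, myorigin)
        if target not in mailbox_map and target not in alias_map:
            findings.append("alias %s -> %s has no mailbox and no further alias"
                            % (lhs, target))
    for lhs, rhs in mailbox_map.items():
        if rhs.startswith("/") and mailbox_base not in ("", "/"):
            findings.append("mailbox %s -> %s is absolute but virtual_mailbox_base=%s "
                            "is prepended; files land in %s"
                            % (lhs, rhs, mailbox_base,
                               mailbox_file(lhs, mailbox_map, mailbox_base)))
    return findings


# Constructed sample data mirroring the thread's shapes (not the real LDAP contents).
ALIASES = {"jdoe@students.wesleyseminary.edu": "jdoe"}              # bare result: pitfall 1
MAILBOXES = {"jdoe@students.wesleyseminary.edu":
             "/home/studentemail/students.wesleyseminary.edu/jdoe"}  # absolute result: pitfall 2
BASE = "/home/studentemail/"

if __name__ == "__main__":
    for finding in lint_maps(ALIASES, MAILBOXES, BASE):
        print("WARNING:", finding)
```

Run against the constructed data the linter reports three findings: the alias is unqualified, the qualified target it produces has no mailbox (the bounce in the log), and the absolute mailbox result is doubled under the base. A fully qualified alias result and a base-relative mailbox result produce none.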

Re: Speed up queue injection

2010-08-16 Thread Stan Hoeppner
Noel Jones put forth on 8/16/2010 10:03 AM:
> On 8/16/2010 9:36 AM, Stan Hoeppner wrote:
>> Ram put forth on 8/16/2010 8:19 AM:
>>
>>> But Enterprise quality SSDs are so expensive. I can get an additional
>>> server and still save money.
>>
>> I call BS:
>>
>> http://www.newegg.com/Product/Product.aspx?Item=N82E16820167023
>>
> ...  Yeah, it's fast.
>>
>> Whether you consider it "enterprise" quality or not, it's Intel, and
>> it ain't
>> gonna fail.  If I was running an MX farm that needed maximum
>> performance, I'd
>> already have one of these in each server, many months ago. ;)
>>
> 
> The Intel X25-E series is enterprise-grade.  The 64G model sells for
> $700~$800.  Quite a bit more expensive than the consumer X25-M series,
> but better suited for server use, and still far less than a decent server.
> 
> Can't say for sure without testing, but I wouldn't be surprised if the
> SSD is faster than two servers sharing the load.

"Enterprise grade" or not, this 80GB SSD's 160GB big brother tests out at over
17,000 random write IO/s.  I don't find test data for the 80GB model, but
given Intel's spec claims for each and extrapolating, the 80GB model should be
only 25% slower, equaling 12,750 random write IO/s.  At that rate, it should
easily give the OP a 10x increase in queue throughput assuming he's currently
using a 4 x 15k RPM SAS drive RAID 0 stripe for his queue.  If his queue is
currently on a single 15k SAS drive, his throughput increase using this 80GB
Intel SSD would be over 42x.

"Enterprise grade" usually has far more to do with these things and little to
do with performance or failure rates:

1.  Warranty period
2.  Longer availability period before EOL--longer spares availability
3.  More extensive interoperability testing, or sometimes far less testing,
but a certification that the device will work with other brand's model "X"
devices.

Google uses less than 1/10th of 1% "Enterprise grade" hardware, using the
typical definition of "Enterprise grade", in their operations.  And Google is
the undisputed single largest operator of servers on the planet.  I think that
qualifies them as an "Enterprise". ;)

"Enterprise" is a marketing term, not a technical one.  Too many people are
cowed and convinced that they "need" "Enterprise" gear.  This is far from the
truth for well over 99% of server OPs.

-- 
Stan




Configuring internal mail relay

2010-08-16 Thread Michael.Larsen
I need to implement a relay on a test network that will discard all mail 
destined for corporate email addresses _except_ the corporate email addresses 
that are explicitly allowed. The reason is that my test network is subject to 
quotas, and I have to throttle the traffic through the corporate email servers 
to keep testing going. Stan has been graciously helping me offline to try 
implementing a whitelist/blacklist system, but we're still running into 
problems with the configuration - most likely because I'm unable to adequately 
articulate my needs. Essentially what I'm after is:

1. Relay mail from _specific_ test network application hosts to _specific_ 
   corporate email addresses (whitelist)
2. Relay mail from _one specific_ test network host to _any corporate email 
   address_ (whitelist)
3. "DISCARD" (rather than reject) all other mail traffic that hits my relay 
   (blacklist)

I may have to implement the second condition for other hosts down the road.

Excluding paths, main.cf looks like this:

inet_protocols = all
biff = no
myhostname = pointshooter
delay_warning_time = 1h
message_strip_characters = \0
inet_interfaces = all
mydestination =
mydomain = apptest.wellsfargo.com
defer_transports =
mynetworks_style = subnet
disable_dns_lookups = no
relayhost = testmail
content_filter =
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_client_access hash:/etc/postfix/whitelist_access
    check_sender_access hash:/etc/postfix/whitelist_access
    check_recipient_access hash:/etc/postfix/whitelist_access
    check_client_access hash:/etc/postfix/blacklist_access
    check_sender_access hash:/etc/postfix/blacklist_access
    check_recipient_access hash:/etc/postfix/blacklist_access
smtpd_helo_required = yes
smtpd_helo_restrictions =
strict_rfc821_envelopes = yes
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 0

The problem I'm having is with reject_unauth_destination. If I specify the 
corporate domain name in relay.db, any email address with that domain name 
relays, which is exactly the opposite of what I want. _Without_ the corporate 
domain name in relay.db, everything is rejected before whitelist/blacklist are 
checked. I want to relay only the "from hosts"/"to email addresses" specified 
in the whitelist, and DISCARD everything else. Is this possible?




Re: Problem with Postfix and LDAP...

2010-08-16 Thread Christopher Koeber
On Mon, Aug 16, 2010 at 1:22 PM, Brian Evans - Postfix List <
grkni...@scent-team.com> wrote:

>  On 8/16/2010 10:45 AM, Christopher Koeber wrote:
>
>> Well, maybe it will help to describe what I am trying to do.
>>
>> I have a list of folks in my OpenLDAP server that I would like accounts
>> for. These accounts are for the 'students.wesleyseminary.edu <
>> http://students.wesleyseminary.edu>' domain.
>>
>> I also have folks in a 'wesleyministrynetwork.com <
>> http://wesleyministrynetwork.com>' domain that I would like mail to be
>> sent to. These folks are going to be in a different organizational unit.
>>
>>
>> Obviously, I also will need to have the postmaster/mailerdaemon/etc.
>> accounts working as well.
>>
>> Now, from the documentation that I looked at, the virtual maps/alias
>> settings that I loaded in seemed like the best bet.
>>
>> Is that correct, or do I need to go in a different direction?
>>
>
> I believe you are heading in the right direction, but you must understand
> my comments.
>
> When a bare username is retrieved from a map, $myorigin is appended to it
> automatically.
> $myorigin defaults to $myhostname  (
> http://www.postfix.org/postconf.5.html#myorigin)
>
> virtual_ALIAS_maps apply to ALL mail passed through the system and are
> applied before delivery.
>
> virtual_MAILBOX_maps validate *and* point to the mailbox (when using the
> virtual(8) delivery) for users that are included in the domains for
> virtual_MAILBOX_domains
>
> If you do not need to apply alternate names (aka aliases) to users, do not
> use virtual_ALIAS_maps.
> It is recommended to use virtual_ALIAS_maps for the accounts you pointed
> out above and *not* include normal users that virtual_MAILBOX_maps will do
> for you.
>
> When you do have a virtual_ALIAS_maps match, make sure it is fully
> qualified:
> Example:
> postmas...@wts-zimbra.wesleysem.edu  real.u...@wts-zimbra.wesleysem.edu
>

Great, I don't get a bounceback

Thanks, but the email hasn't been delivered to an actual mailbox. My guess
is that the mapping for the users to the mailbox hasn't been worked out.

OK, I am not sure if I am doing this correctly. I have the following
configured for postconf -n:

--
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 20
home_mailbox = .Maildir/
html_directory = /usr/share/doc/postfix-2.6.6/html
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination =
mydomain = students.wesleyseminary.edu
myhostname = wts-zimbra.wesleysem.edu
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = students.wesleyseminary.edu ESMTP $mail_name ($mail_version)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:$studentemail-gid
virtual_mailbox_base = /
virtual_mailbox_domains = /etc/postfix/virtual_domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-maps.cf
virtual_minimum_uid = 1000
virtual_uid_maps = static:$studentemail-uid
--

So, here is what I have for my ldap-aliases.cf:

--
server_host = wts-studdir.wesleysem.edu
search_base = ou=Students,dc=wesleyseminary,dc=edu
version=3
timeout = 10
size_limit = 1
bind = yes
bind_dn = Bind_DN
bind_pw = password
query_filter = (mail=%s)
result_attribute = mail
--

My question is where doe

Re: Speed up queue injection

2010-08-16 Thread Wietse Venema
Stan Hoeppner:
> Google uses less than 1/10th of 1% "Enterprise grade" hardware, using the
> typical definition of "Enterprise grade", in their operations.  And Google is
> the undisputed single largest operator of servers on the planet.  I think that
> qualifies them as an "Enterprise". ;)

Indeed, but then Google's scale of operations is not representative
of most enterprises.  Large companies (I work for one) can self-insure
for small accidents, small companies can't.

Wietse


Re: Problem with Postfix and LDAP...

2010-08-16 Thread Brian Evans - Postfix List

On 8/16/2010 3:40 PM, Christopher Koeber wrote:
On Mon, Aug 16, 2010 at 1:22 PM, Brian Evans - Postfix List
<grkni...@scent-team.com> wrote:


On 8/16/2010 10:45 AM, Christopher Koeber wrote:

Well, maybe it will help to describe what I am trying to do.

I have a list of folks in my OpenLDAP server that I would like
accounts for. These accounts are for the
'students.wesleyseminary.edu' domain.

I also have folks in a 'wesleyministrynetwork.com' domain that I would like
mail to be sent to. These folks are going to be in a different
organizational unit.


Obviously, I also will need to have the
postmaster/mailerdaemon/etc. accounts working as well.

Now, from the documentation that I looked at, the virtual
maps/alias settings that I loaded in seemed like the best bet.

Is that correct, or do I need to go in a different direction?


I believe you are heading in the right direction, but you must
understand my comments.

When a bare username is retrieved from a map, $myorigin is
appended to it automatically.
$myorigin defaults to $myhostname
 (http://www.postfix.org/postconf.5.html#myorigin)

virtual_ALIAS_maps apply to ALL mail passed through the system and
are applied before delivery.

virtual_MAILBOX_maps validate *and* point to the mailbox (when
using the virtual(8) delivery) for users that are included in the
domains for virtual_MAILBOX_domains

If you do not need to apply alternate names (aka aliases) to
users, do not use virtual_ALIAS_maps.
It is recommended to use virtual_ALIAS_maps for the accounts you
pointed out above and *not* include normal users that
virtual_MAILBOX_maps will do for you.

When you do have a virtual_ALIAS_maps match, make sure it is fully
qualified:
Example:
postmas...@wts-zimbra.wesleysem.edu  real.u...@wts-zimbra.wesleysem.edu



Great, I don't get a bounceback

Thanks, but the email hasn't been delivered to an actual mailbox. My 
guess is that the mapping for the users to the mailbox hasn't been 
worked out.


Logs?


OK, I am not sure if I am doing this correctly. I have the following 
configured for postconf -n:


--
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 20
home_mailbox = .Maildir/
html_directory = /usr/share/doc/postfix-2.6.6/html
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination =
mydomain = students.wesleyseminary.edu
myhostname = wts-zimbra.wesleysem.edu
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = students.wesleyseminary.edu ESMTP $mail_name ($mail_version)
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,  reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:$studentemail-gid
virtual_mailbox_base = /
virtual_mailbox_domains = /etc/postfix/virtual_domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-maps.cf
virtual_minimum_uid = 1000
virtual_uid_maps = static:$studentemail-uid
--

So, here is what I have for my ldap-aliases.cf 

Re: Active Directory and virtual delivery agent

2010-08-16 Thread Jeroen Geilman

On 08/16/2010 11:24 AM, Aaron Roberts wrote:
>> -Original Message-
>> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
>> us...@postfix.org] On Behalf Of Jeroen Geilman
>> Sent: 15 August 2010 20:54
>> To: postfix-users@postfix.org
>> Subject: Re: Active Directory and virtual delivery agent
>>
>> On 08/13/2010 03:18 PM, Aaron Roberts wrote:
>>> Hi,
>>> I'm looking for a bit of inspiration...
>>>
>>> I have a number of linux boxes using winbind to provide UNIX system
>>> users from a Win2008R2 Active Directory domain.  I'm using winbind's
>>> RID idmap backend thing to provide consistent UNIX UIDs and GIDs across
>>> multiple servers.  For non-windows people, the RID is a 32 bit integer
>>> which uniquely identifies an object in a domain, and forms the
>>> right-most part of the Active Directory forest-wide SID.
>>>
>>> A SID looks like:
>>> S-1-5-21-993118751-601841214-1674189692-1134
>>>
>>> The RID, in the above case, is 1134.
>>>
>>> My UNIX UIDs are always (RID + 1000).
>>>
>>> I want my virtual_uid_maps to fetch, from Active Directory using
>>> table_ldap, something like:
>>>
>>>    ((RID derived from the objectSID attribute) + 1000).
>>>
>>> I would also like my virtual_mailbox_maps to fetch, from Active
>>> Directory using table_ldap, something like:
>>>    (primaryGroupID attribute)/(samaccountname attribute)/inbox
>>>
>>> Can the postfix LDAP client do maths and/or concatenate retrieved
>>> attributes or should I be doing that elsewhere and storing the results
>>> as new attributes?
>>
>> You can do anything that is valid in an LDAP query.
>> The former will probably be difficult if not impossible; the second
>> should be fairly simple.
>>
>> If you are storing mailbox information in LDAP, why not store the
>> actual address ->  physical mailbox location ?
>> You can script that quite easily.
>
> Thanks for your input, I was trying to avoid modifying the AD schema but
> it's beginning to look preferable from a lot of different angles.

Why would you want to *modify* the horrible AD schema ?

AD contains plenty of obscure
"office-phone-except-when-my-wife-is-calling" attribute fields - abuse
one of them :)
This has the incredible advantage that the data is actually *visible* in
a user's account tab!
I would hunt for an unused User attribute before rolling my own - and
possibly breaking AD.


J.

> Thank you,
>    Aaron




Re: Active Directory and virtual delivery agent

2010-08-16 Thread Jeroen Geilman

On 08/16/2010 01:52 PM, Aaron Roberts wrote:
>> -Original Message-
>> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
>> us...@postfix.org] On Behalf Of zhong ming wu
>> Sent: 16 August 2010 12:02
>> To: Postfix users
>> Subject: Re: Active Directory and virtual delivery agent
>>
>> On Fri, Aug 13, 2010 at 9:18 AM, Aaron Roberts wrote:
>>> Hi,
>>> I'm looking for a bit of inspiration...
>>>
>>> I have a number of linux boxes using winbind to provide UNIX system
>>> users from a Win2008R2 Active Directory domain.  I'm using winbind's
>>> RID idmap backend thing to provide consistent UNIX UIDs and GIDs across
>>> multiple servers.  For non-windows people, the RID is a 32 bit integer
>>> which uniquely identifies an object in a domain, and forms the
>>> right-most part of the Active Directory forest-wide SID.
>>>
>>> A SID looks like:
>>> S-1-5-21-993118751-601841214-1674189692-1134
>>>
>>> The RID, in the above case, is 1134.
>>>
>>> My UNIX UIDs are always (RID + 1000).
>>
>> I always thought unix uid (or at least linux) is unsigned short;
>> won't you run into problem at one point with this?
>
> I understand that linux, since 2.4, supports 32 bit UIDs.

Not only supports, but has.
As are PIDs, FDs, etc. etc.

> Aaron




Re: Configuring internal mail relay

2010-08-16 Thread Noel Jones

On 8/16/2010 1:54 PM, michael.lar...@wellsfargo.com wrote:
> I need to implement a relay on a test network that will
> discard all mail destined for corporate email addresses
> *except* the corporate email addresses that are explicitly
> allowed. The reason is that my test network is subject to
> quotas, and I have to throttle the traffic through the
> corporate email servers to keep testing going. Stan has been
> graciously helping me offline to try implementing a
> whitelist/blacklist system, but we’re still running into
> problems with the configuration – most likely because I’m
> unable to adequately articulate my needs. Essentially what I’m
> after is:
> Relay mail from *specific* test network application hosts to
> *specific* corporate email addresses (whitelist)
> Relay mail from *one specific* test network host to *any
> corporate email address* (whitelist)
> “DISCARD” (rather than reject) all other mail traffic that
> hits my relay (blacklist)
>
> ...
>
> smtpd_recipient_restrictions =
> permit_mynetworks
> reject_unauth_destination
> check_client_access hash:/etc/postfix/whitelist_access
> check_sender_access hash:/etc/postfix/whitelist_access
> check_recipient_access hash:/etc/postfix/whitelist_access
> check_client_access hash:/etc/postfix/blacklist_access
> check_sender_access hash:/etc/postfix/blacklist_access
> check_recipient_access hash:/etc/postfix/blacklist_access
>
> ...
> The problem I’m having is with reject_unauth_destination. If I
> specify the corporate domain name in relay.db, any email


Move reject_unauth_destination to below your white/black 
lists.  Once you do that, you're on your own to insure you 
don't create an open relay, but your access maps give you full 
control over who is allowed to relay.


If you need two-factor tests, you can use 
smtpd_restriction_classes.  The basic idea is explained here:

http://www.postfix.org/RESTRICTION_CLASS_README.html



> I want to relay only the “from hosts”/”to email
> addresses” specified in the whitelist, and DISCARD everything
> else. Is this possible?


Sure...  But you'll need to do some work yourself.
Postfix restrictions are a simple first-match-wins.  Your 
general outline will look like:


smtpd_recipient_restrictions =
  ... local whitelist ...
  ... local whitelist ...
  static:discard
  reject_unauth_destination

Don't use permit_mynetworks (or set mynetworks=127.0.0.1). 
Then use as many whitelists as you need to allow the 
clients/senders/etc. you want.  Use smtpd_restriction_classes 
for multiple-factor tests.  Using the above outline, anything 
not specifically allowed with an OK is discarded; you don't 
even need a specific blacklist unless you want to put a 
never-relay blacklist before the whitelist.
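One way to fill in Noel's outline for Michael's three requirements with smtpd_restriction_classes, as an added example (not configuration from either poster); the client addresses, map file names and the corp.example domain are placeholders.

```conf
# main.cf fragment -- added example, not Noel's or Michael's own setup.
# 10.0.1.10, 10.0.1.11, 10.0.2.5, the map names and corp.example are placeholders.

# No permit_mynetworks anywhere below: every relay decision comes from the maps,
# so nothing is relayed just because of the client's network.
mynetworks = 127.0.0.1

smtpd_restriction_classes = listed_corp_only, whole_corp_domain

# "specific hosts -> specific corporate addresses": the listed recipients are
# allowed; any other recipient from such a client is discarded, so a
# whitelisted client can never use this relay to reach a third-party domain.
listed_corp_only =
    check_recipient_access hash:/etc/postfix/corp_recipients,
    static:discard

# "one host -> any corporate address": same shape, keyed on the domain.
whole_corp_domain =
    check_recipient_access hash:/etc/postfix/corp_domain,
    static:discard

# First match wins.  A client found in client_access is handed to its class;
# every other client (localhost included, unless listed) hits static:discard,
# which is shorthand for "check_client_access static:discard".
# reject_unauth_destination stays at the end as a safety net that is never
# reached while the discard line is in place.
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_access,
    static:discard,
    reject_unauth_destination

# /etc/postfix/client_access  (run "postmap /etc/postfix/client_access" after editing)
# client IP        restriction class evaluated for that client
10.0.1.10          listed_corp_only
10.0.1.11          listed_corp_only
10.0.2.5           whole_corp_domain

# /etc/postfix/corp_recipients  (postmap after editing)
alice@corp.example   OK
bob@corp.example     OK

# /etc/postfix/corp_domain  (postmap after editing; a bare domain key
# matches every address in that domain)
corp.example         OK
```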




Multiple instances and amavisd-new integration

2010-08-16 Thread Alex
Hi,

I'm trying to get postfix-2.5.5 and amavisd-new-2.3.3 working together
with two postfix instances, /etc/postfix and /etc/postfix-out. I'm
receiving the following error:

Aug 16 18:05:05 smtp01 postfix/error[1655]: 07C7335815B:
to=, relay=none, delay=1152,
delays=1152/0.07/0/0.02, dsn=4.3.0, status=deferred (mail transport unavailable)

I believe this is a problem with the first instance, and its inability
to communicate with amavisd, correct? netstat shows me the following:

# netstat -tapn | egrep '10024|10025|25'
tcp        0      0 127.0.0.1:25        0.0.0.0:*    LISTEN  3161/master
tcp        0      0 64.XX.XX.23:25      0.0.0.0:*    LISTEN  3046/master
tcp        0      0 64.XX.XX.22:25      0.0.0.0:*    LISTEN  3046/master
tcp        0      0 127.0.0.1:10024     0.0.0.0:*    LISTEN  781/amavisd (master
tcp        0      0 127.0.0.1:10025     0.0.0.0:*    LISTEN  3161/master

Is it necessary to have another IP other than loopback to do this
properly? I had this working properly with a much older version of
postfix, but the upgrade killed it so I'm starting over.

I have inet_interfaces in the first instance configured to be the two
23 and 22 addresses on the 64 network, and in the second instance it
is configured to 127.0.0.1. Connecting to loopback on ports 25, 10024,
and 10025 using telnet are successful. This happens with currently
queued messages as well as new incoming messages.

I have the filter defined in main.cf in the first instance:

content_filter = smtp-amavis:[127.0.0.1]:10024

I have the smtp-amavis filter defined in master.cf in the second instance:

smtp-amavis     unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet  n       -       y       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o cleanup_service_name=cleanup2
    -o myhostname=localhost
    -o mynetworks=127.0.0.0/8
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject

cleanup2        unix  n       -       y       -       0       cleanup
    -o header_checks=pcre:/etc/postfix/header_checks_out
    -o mime_header_checks=
    -o nested_header_checks=
    -o body_checks=
    -o canonical_maps=
    -o sender_canonical_maps=
    -o recipient_canonical_maps=
    -o masquerade_domains=
    -o content_filter=

Could this have something to do with my transport maps? I have a few listed:

# The 22 address
alex.example.com smtp:[127.0.0.1]:10024

# The 23 address
susan.example.com smtp:[127.0.0.1]:10024

# Probably covers everything, so the above really isn't necessary?
*   smtp:[127.0.0.1]:10024

example.com   smtp:[127.0.0.1]:10024
.example.com  smtp:[127.0.0.1]:10024

Some of the examples and documentation I have read use lmtp instead of
smtp. Why would someone choose one over the other?

I hope someone has some ideas of what to do next...
Thanks,
Alex


Re: Multiple instances and amavisd-new integration

2010-08-16 Thread Noel Jones

On 8/16/2010 5:28 PM, Alex wrote:
> Hi,
>
> I'm trying to get postfix-2.5.5 and amavisd-new-2.3.3 working together
> with two postfix instances, /etc/postfix and /etc/postfix-out. I'm
> receiving the following error:
>
> Aug 16 18:05:05 smtp01 postfix/error[1655]: 07C7335815B:
> to=, relay=none, delay=1152,
> delays=1152/0.07/0/0.02, dsn=4.3.0, status=deferred (mail transport unavailable)
>
> I believe this is a problem with the first instance, and its inability
> to communicate with amavisd, correct? netstat shows me the following:
>
> # netstat -tapn | egrep '10024|10025|25'
> tcp        0      0 127.0.0.1:25        0.0.0.0:*    LISTEN  3161/master
> tcp        0      0 64.XX.XX.23:25      0.0.0.0:*    LISTEN  3046/master
> tcp        0      0 64.XX.XX.22:25      0.0.0.0:*    LISTEN  3046/master
> tcp        0      0 127.0.0.1:10024     0.0.0.0:*    LISTEN  781/amavisd (master
> tcp        0      0 127.0.0.1:10025     0.0.0.0:*    LISTEN  3161/master
>
> Is it necessary to have another IP other than loopback to do this
> properly? I had this working properly with a much older version of
> postfix, but the upgrade killed it so I'm starting over.
>
> I have inet_interfaces in the first instance configured to be the two
> 23 and 22 addresses on the 64 network, and in the second instance it
> is configured to 127.0.0.1. Connecting to loopback on ports 25, 10024,
> and 10025 using telnet are successful. This happens with currently
> queued messages as well as new incoming messages.
>
> I have the filter defined in main.cf in the first instance:
>
> content_filter = smtp-amavis:[127.0.0.1]:10024
>
> I have the smtp-amavis filter defined in master.cf in the second instance:



If you tell the first instance to send to smtp-amavis:, it 
needs to know what that means.  Make sure to define 
smtp-amavis in the first instance master.cf


Your logging will be a lot easier to read if you use 
syslog_name to tag each instance.


# postfix 1 main.cf
syslog_name = postfix-1

# postfix-2 main.cf
syslog_name = postfix-2

Or use whatever names make sense to you.




> Could this have something to do with my transport maps? I have a few listed:




Not directly.  Often multiple postfix instances is used for 
per-recipient filtering, which can only be done via 
transport_maps.  It appears to be your content_filter 
directive that causes the problem.


Usually when a system is configured for multiple postfix 
instances like this, there is no need for a specific 
content_filter directive.




> # The 22 address
> alex.example.com smtp:[127.0.0.1]:10024
>
> # The 23 address
> susan.example.com smtp:[127.0.0.1]:10024
>
> # Probably covers everything, so the above really isn't necessary?
> *   smtp:[127.0.0.1]:10024


This should send everything to your amavis content_filter.

It looks to me as if you can simply remove the content_filter 
setting from your main.cf to fix the problem.





> example.com   smtp:[127.0.0.1]:10024
> .example.com  smtp:[127.0.0.1]:10024
>
> Some of the examples and documentation I have read use lmtp instead of
> smtp. Why would someone choose one over the other?


Years ago lmtp was slightly faster because it would cache 
(reuse) connections.  Since both smtp and lmtp now cache 
connections, there is no longer any advantage to lmtp with 
amavisd-new.


It's best to stick with the official docs.  Random how-to's 
you find on the internet may not be peer-reviewed nor updated.


  -- Noel Jones


Re: Configuring internal mail relay

2010-08-16 Thread Stan Hoeppner
Noel Jones put forth on 8/16/2010 4:46 PM:

> Move reject_unauth_destination to below your white/black lists.

Thanks for the quick advice for Michael, Noel.

I should have thought of this, however I didn't realize until asking Michael
to bring this thread back on list that he was dealing with all RFC 1918
addresses.  Up to that point I did _not_ want to recommend something that
might make his server an open relay, thus why I recommended he come back on
list for help for more experienced OPs.

At least I can claim I gave him good advice. :)

Good job Noel.

-- 
Stan


Re: Speed up queue injection

2010-08-16 Thread Stan Hoeppner
Wietse Venema put forth on 8/16/2010 2:36 PM:
> Stan Hoeppner:
>> Google uses less than 1/10th of 1% "Enterprise grade" hardware, using the
>> typical definition of "Enterprise grade", in their operations.  And Google is
>> the undisputed single largest operator of servers on the planet.  I think 
>> that
>> qualifies them as an "Enterprise". ;)
> 
> Indeed, but then Google's scale of operations is not representative
> of most enterprises.  Large companies (I work for one) can self-insure
> for small accidents, small companies can't.

Wietse have you done any testing with SSDs?  If not, would you like to?  I'm
sure various vendors would be glad to loan you some.  Get a mix of "consumer"
and "enterprise" SSDs.  And make sure you get one of the Intel X25-E 80GB
units. :)

-- 
Stan


Re: Multiple instances and amavisd-new integration

2010-08-16 Thread Alex
Hi,

> If you tell the first instance to send to smtp-amavis:, it needs to know
> what that means.  Make sure to define smtp-amavis in the first instance
> master.cf

Looks like that was the change I needed. I now understand, thanks.

> Your logging will be a lot easier to read if you use syslog_name to tag each
> instance.

Yes, I had done this previously

> Usually when a system is configured for multiple postfix instances like
> this, there is no need for a specific content_filter directive.

That's great, thanks.

Thanks so much for the information, and your help.

Best regards,
Alex


Re: Speed up queue injection

2010-08-16 Thread Stan Hoeppner
Stan Hoeppner put forth on 8/16/2010 6:56 PM:
> Wietse Venema put forth on 8/16/2010 2:36 PM:
>> Stan Hoeppner:
>>> Google uses less than 1/10th of 1% "Enterprise grade" hardware, using the
>>> typical definition of "Enterprise grade", in their operations.  And Google 
>>> is
>>> the undisputed single largest operator of servers on the planet.  I think 
>>> that
>>> qualifies them as an "Enterprise". ;)
>>
>> Indeed, but then Google's scale of operations is not representative
>> of most enterprises.  Large companies (I work for one) can self-insure
>> for small accidents, small companies can't.
> 
> Wietse have you done any testing with SSDs?  If not, would you like to?  I'm
> sure various vendors would be glad to loan you some.  Get a mix of "consumer"
> and "enterprise" SSDs.  And make sure you get one of the Intel X25-E 80GB
> units. :)

I should have made clear that they will do this for you, because you are,
well, you.  ;)  I'm a nobody, so they won't loan me the hardware. :(  I need
to see if I can get a gig doing reviews for hardware sites.  I kinda grew out
of being a hardwarefreak a while back or I'd probably be doing reviews now. :(

-- 
Stan




Relay access denied: simple question

2010-08-16 Thread Alberto Lepe
Hello!

One of the mail users has problems sending mail to other domains. Looking
at the logs, they display:

Aug 17 09:49:55 mail postfix/smtpd[24050]: NOQUEUE: reject: RCPT from *.
technowave.ne.jp[210.150.98.251]: 554 5.7.1 :
Relay access denied; from=
to= proto=SMTP helo=

(real emails are hidden)

Other users from the same domain (yutaka-japan.com) are not having problems
with their accounts.

Questions:
1) Why does "helo" not return a domain name?
- is that correct / normal?
- "Y4" is a proxy server?
2) Does this user have "yutaka-japan.com" as mail server in his/her mail
client config?
- Is there any way to know that?

The normal way in which I solve this kind of problem is adding that IP
(210.150.98.251) to the mynetworks setting.
But I feel that is not the best way to do it. I would like to know why this
is happening... I have no direct access to user's mail client settings
so I have to assume his/her settings are correct.

Thank you.

A.Lepe


Re: Relay access denied: simple question

2010-08-16 Thread Matt Hayes



On 08/16/2010 10:44 PM, Alberto Lepe wrote:
> Hello!
>
> One of the mail users has problems sending mail to other domains.
> Looking at the logs, they display:
>
> Aug 17 09:49:55 mail postfix/smtpd[24050]: NOQUEUE: reject: RCPT from
> *.technowave.ne.jp[210.150.98.251]: 554 5.7.1 : Relay access
> denied; from= to= proto=SMTP helo=
>
> (real emails are hidden)
>
> Other users from the same domain (yutaka-japan.com) are not having
> problems with their accounts.
>
> Questions:
> 1) Why does "helo" not return a domain name?
>  - is that correct / normal?
>  - "Y4" is a proxy server?
> 2) Does this user have "yutaka-japan.com" as
> mail server in his/her mail client config?
>  - Is there any way to know that?
>
> The normal way in which I solve this kind of problem is adding that IP
> (210.150.98.251) to the mynetworks setting.
> But I feel that is not the best way to do it. I would like to know why
> this is happening... I have no direct access to user's mail client settings
> so I have to assume his/her settings are correct.
>
> Thank you.
>
> A.Lepe



You should really look into using submission for user relayed email. 
This authenticates the sender and by all means DON'T keep adding IPs to 
mynetworks as it allows them to relay EVERYTHING.


-Matt


[SOLVED] Re: Relay access denied: simple question

2010-08-16 Thread Alberto Lepe
On Tue, Aug 17, 2010 at 12:00 PM, Matt Hayes wrote:

>
>
> On 08/16/2010 10:44 PM, Alberto Lepe wrote:
>
>> Hello!
>>
>> One of the mail users has problems sending mail to other domains.
>> Looking at the logs, they display:
>>
>> Aug 17 09:49:55 mail postfix/smtpd[24050]: NOQUEUE: reject: RCPT from
>> *.technowave.ne.jp[210.150.98.251]: 554 5.7.1 : Relay access
>> denied; from= to= proto=SMTP helo=
>>
>> (real emails are hidden)
>>
>> Other users from the same domain (yutaka-japan.com) are not having
>> problems with their accounts.
>>
>> Questions:
>> 1) Why does "helo" not return a domain name?
>> - is that correct / normal?
>> - "Y4" is a proxy server?
>> 2) Does this user have "yutaka-japan.com" as
>> mail server in his/her mail client config?
>> - Is there any way to know that?
>>
>> The normal way in which I solve this kind of problem is adding that IP
>> (210.150.98.251) to the mynetworks setting.
>> But I feel that is not the best way to do it. I would like to know why
>> this is happening... I have no direct access to user's mail client
>> settings
>> so I have to assume his/her settings are correct.
>>
>> Thank you.
>>
>> A.Lepe
>>
>
>
> You should really look into using submission for user relayed email. This
> authenticates the sender and by all means DON'T keep adding IPs to
> mynetworks as it allows them to relay EVERYTHING.
>
> -Matt
>

It seems that "submission" is commented out by default in postfix (ubuntu),
so I just uncommented it.
Anyway, after rechecking the client settings with the user, it turned out that
they were mistaken: Problem solved.

Thank you Matt.
(BTW. I won't be using the "mynetwork" fix anymore.)


specify local and non local destination

2010-08-16 Thread Alfred Tuinman

Hi,

If we specify mydestination to be $mydomain, all mail is considered
local. This is fine for most of us, but there are a few roaming users.
Only for those users we would like all mail to be sent outside.

How do I handle this?

Regards,

Alfred



Re: Configuring internal mail relay

2010-08-16 Thread Bjørn Ruberg

On 08/17/2010 01:45 AM, Stan Hoeppner wrote:
> Noel Jones put forth on 8/16/2010 4:46 PM:
>> Move reject_unauth_destination to below your white/black lists.
>
> Thanks for the quick advice for Michael, Noel.
>
> I should have thought of this, however I didn't realize until asking Michael
> to bring this thread back on list that he was dealing with all RFC 1918
> addresses.  Up to that point I did _not_ want to recommend something that
> might make his server an open relay, thus why I recommended he come back on
> list for help for more experienced OPs.

For future reference, in a mailing list context "OP" means "original
post(er)" :-)


--
Bjørn