Re: Postscreen update
On 09/13/2010 10:55 PM, Wietse Venema wrote:
> Postscreen is a single Postfix 2.8 daemon that keeps spambots away
> from Postfix SMTP server processes, so that more Postfix server
> resources remain available for handling mail. It will hopefully
> become part of the next stable Postfix release.
>
> After adding DNSBL weights and filters two weeks ago, I rewrote
> the remainder of postscreen in the past 1+ week, and spent the past
> several days updating documentation so that people can actually
> use this thing. The re-born postscreen has been running on several
> sites since the beginning of the weekend.
>
> Postscreen now has a built-in SMTP protocol engine that allows it
> to log the helo/sender/recipient of rejected mail. With a few good
> DNSBL lists, this can dramatically reduce the load on Postfix SMTP
> servers (blocking mail without logging is not an option for everyone).
>
> One cautionary note: postscreen is meant to handle mail from MTAs
> not end-user clients. Its protocol tests are safe for
> properly-implemented MTAs, but they have not been tested with end-user
> systems. Of course end-user systems should connect to the submission
> port, not the port 25 that postscreen listens on...
>
> See http://www.porcupine.org/postfix-mirror/POSTSCREEN_README.html
> for an overview, configuration information and more.
>
> The last code drop was postfix-2.8-20100913, which is the same code
> as snapshot 20100912, but with a bunch of minor documentation fixes.
>
> Be sure to review the RELEASE_NOTES file if you are upgrading from
> an older postscreen version - the DNSBL implementation now reveals
> the DNSBL domain name in SMTP replies, so it needs to be censored
> to avoid disclosing ZEN etc. passwords.
>
> Wietse

Hi Wietse,

I am currently using the postfix snapshot with the older postscreen version which was still experimental (the first 2.8 snapshot with postscreen), in combination with greylisting my spam levels dropped so low that I can currently not train the content based spamfilter.

So is there a need to update because the release which included postscreen before is experimental? I read the readme about deep protocol inspection and of course I will use it as soon as it's needed since I currently have no spam at all is there a need to upgrade due instability fixes etc?

thx
Frank
Re: Postscreen update
* Matt Hayes :
> Thanks for the update. I'm working on implementing this now,
> however, I'm a bit confused with the postscreen_dnsbl_reply_map
> option.

Why? It's just for mapping RBL names. Unless you have a paid subscription with spamhaus.org, you don't need it.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Problem not receiving mail with mydestinations not including mydomain
On 2010-09-14 07:24, Richard Chapman wrote:
>> Sep 13 23:18:48 C5 postfix/smtpd[15614]: connect from unknown[192.168.0.166]
>> Sep 13 23:18:48 C5 postfix/smtpd[15614]: 2CA8A1D2145A: client=unknown[192.168.0.166], sasl_method=PLAIN, sasl_username=richard
>> Sep 13 23:18:48 C5 postfix/cleanup[15617]: 2CA8A1D2145A: message-id=<4c8e40d7.6050...@aardvark.com.au>
>> Sep 13 23:18:48 C5 postfix/qmgr[12588]: 2CA8A1D2145A: from=, size=665, nrcpt=1 (queue active)
>> Sep 13 23:18:48 C5 postfix/smtpd[15614]: disconnect from unknown[192.168.0.166]
>> Sep 13 23:18:51 C5 postfix/smtp[15618]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
>> Sep 13 23:18:51 C5 postfix/smtp[15618]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
>> Sep 13 23:18:58 C5 postfix/smtp[15618]: 2CA8A1D2145A: to=, relay=smtp.gmail.com[74.125.155.109]:587, delay=10, delays=0.06/0.02/5.5/4.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1284391138 x9sm12249437waj.15)
>> Sep 13 23:18:58 C5 postfix/qmgr[12588]: 2CA8A1D2145A: removed
>
> As discussed earlier - postfix is completely innocent here. The
> problem is with my google apps relay configuration.
>
>> BTW: Do you know how to fix the "Certificate verification failed"
>> warnings above - though they don't seem to have any adverse effect on
>> mail delivery? I assume I need to establish some root certificate
>> trust somehow.
>
> I would still appreciate any advice on this one...

Not sure; I guess Google doesn't send the full verification chain and expects you to have the right CA certs loaded, check http://www.postfix.org/TLS_README.html for more information.

You can use "openssl s_client -CApath /some/where -showcerts -starttls smtp -connect smtp.gmail.com:587" to show and test the verification chain.
custom reject messages
Hi all,

I'd like to modify the message postfix sends to the server when it rejects an email in one of the checks performed. For example,

450 Helo command rejected: Host not found; http://readhereforemore.info

that administrators which have no clue about email systems have a bit more information why I am rejecting their mail. Does this make sense?

Btw: I use tumgreyspf and it also sends a custom dsn message, is this non standard conform in any way?

Thanks
Frank
Re: Postscreen update
Frank Doege:
> On 09/13/2010 10:55 PM, Wietse Venema wrote:
> > Postscreen is a single Postfix 2.8 daemon that keeps spambots away
> > from Postfix SMTP server processes, so that more Postfix server
> > resources remain available for handling mail. It will hopefully
> > become part of the next stable Postfix release.
> >
> > After adding DNSBL weights and filters two weeks ago, I rewrote
> > the remainder of postscreen in the past 1+ week, and spent the past
> > several days updating documentation so that people can actually
> > use this thing. The re-born postscreen has been running on several
> > sites since the beginning of the weekend.
> >
> > Postscreen now has a built-in SMTP protocol engine that allows it
> > to log the helo/sender/recipient of rejected mail. With a few good
> > DNSBL lists, this can dramatically reduce the load on Postfix SMTP
> > servers (blocking mail without logging is not an option for everyone).
> >
> > One cautionary note: postscreen is meant to handle mail from MTAs
> > not end-user clients. Its protocol tests are safe for
> > properly-implemented MTAs, but they have not been tested with end-user
> > systems. Of course end-user systems should connect to the submission
> > port, not the port 25 that postscreen listens on...
> >
> > See http://www.porcupine.org/postfix-mirror/POSTSCREEN_README.html
> > for an overview, configuration information and more.
> >
> > The last code drop was postfix-2.8-20100913, which is the same code
> > as snapshot 20100912, but with a bunch of minor documentation fixes.
> >
> > Be sure to review the RELEASE_NOTES file if you are upgrading from
> > an older postscreen version - the DNSBL implementation now reveals
> > the DNSBL domain name in SMTP replies, so it needs to be censored
> > to avoid disclosing ZEN etc. passwords.
> >
> > Wietse
>
> Hi Wietse,
>
> I am currently using the postfix snapshot with the older postscreen
> version which was still experimental (the first 2.8 snapshot with
> postscreen), in combination with greylisting my spam levels dropped so
> low that I can currently not train the content based spamfilter. So is
> there a need to update because the release which included postscreen
> before is experimental? I read the readme about deep protocol
> inspection and of course I will use it as soon as it's needed since I
> currently have no spam at all is there a need to upgrade due instability
> fixes etc?

If there is any need to update any supported Postfix release then there will be an announcement. The last supported release is Postfix 2.4.

Wietse
MX question
General postfix question regarding MX lookups..

Does Postfix do an MX lookup on "inbound mail" as part of "spam" prevention or some other check.. ?

Thx
Charles
Re: MX question
* CT :
> General postfix question regarding MX lookups..
>
> Does Postfix do an MX lookup on "inbound mail" as part of
> "spam" prevention or some other check.. ?

How would that help? What exactly are you trying to achieve?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: MX question
On Tuesday 14 September 2010 13:51:12 CT wrote:
>
> Does Postfix do an MX lookup on "inbound mail" as part of
> "spam" prevention or some other check.. ?

Mind has "check_sender_mx_access" so and logs appropriate messages if the MX results are unacceptable.

What are you trying to achieve, as it seems unlikely to me that you have a purely academic interest in the mix of DNS requests generated.
only allow tlsv1 connection from specific ip addresses
How to configure postfix only allow tlsv1 connections (no plaintext allowed) from defined ip ranges? three hosts are needed to communicate smarthost with tlsv1 only?

br,
--
Eero
Re: MX question
On 09/14/2010 08:02 AM, Simon Waters wrote:
> On Tuesday 14 September 2010 13:51:12 CT wrote:
>> Does Postfix do an MX lookup on "inbound mail" as part of
>> "spam" prevention or some other check.. ?
>
> Mind has "check_sender_mx_access" so and logs appropriate messages if the
> MX results are unacceptable.
>
> What are you trying to achieve, as it seems unlikely to me that you have a
> purely academic interest in the mix of DNS requests generated.

It was a question that came up in a discussion..

I have had issues in the past when delivering email and I did not have PTR in place.. the email was rejected..

so the question regarding "inbound MX lookups" came up so I figured I would ask..

no nefarious intent here..

Thx for the response..

Charles
Re: MX question
* CT :
> It was a question that came up in a discussion..
>
> I have had issues in the past when delivering email and I did not
> have PTR in place.. the email was rejected..

That's not an MX problem, but a missing PTR. Postfix can check for this using:

reject_unknown_reverse_client_hostname

or (more harsh)

reject_unknown_client_hostname

> so the question regarding "inbound MX lookups" came up so I figured I
> would ask..

A MX lookup is performed to check if the sender domain exists; it can be activated using:

reject_unknown_sender_domain

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
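The difference between the two client-hostname restrictions Ralf names comes down to how far the DNS check goes: reject_unknown_reverse_client_hostname only requires that a PTR record exists, while reject_unknown_client_hostname also requires that the PTR name resolves and maps back to the connecting address. The following is an added example, not part of the original thread and not Postfix code; the zone data is constructed, the function names are hypothetical, and the sketch does not separate temporary DNS errors from definitive ones.

```python
import ipaddress
import socket


def dns_ptr(ip):
    """Address -> name lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def dns_forward(name):
    """Name -> set of address strings via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def check_client(client_ip, ptr_lookup=dns_ptr, forward_lookup=dns_forward):
    """Report which of the two restrictions would reject this client."""
    ip = ipaddress.ip_address(client_ip)
    verdict = {"client": str(ip), "name": None,
               "reason": "PTR and forward lookup agree",
               "reject_unknown_reverse_client_hostname": False,
               "reject_unknown_client_hostname": False}
    try:
        verdict["name"] = ptr_lookup(str(ip))
    except OSError:
        # No address -> name mapping: both restrictions reject.
        verdict.update(reason="no PTR record",
                       reject_unknown_reverse_client_hostname=True,
                       reject_unknown_client_hostname=True)
        return verdict
    try:
        # Normalise through ipaddress so equivalent IPv6 spellings compare equal.
        forward = {ipaddress.ip_address(a.split("%")[0])
                   for a in forward_lookup(verdict["name"])}
    except OSError:
        forward = None
    if forward is None:
        verdict.update(reason="PTR name does not resolve",
                       reject_unknown_client_hostname=True)
    elif ip not in forward:
        verdict.update(reason="PTR name resolves to a different address",
                       reject_unknown_client_hostname=True)
    return verdict


# Constructed stand-in for DNS so the example runs offline (RFC 5737 addresses).
PTR_ZONE = {"192.0.2.10": "mail.good.example",
            "192.0.2.20": "mail.mismatch.example",
            "192.0.2.30": "mail.noforward.example"}
FORWARD_ZONE = {"mail.good.example": {"192.0.2.10"},
                "mail.mismatch.example": {"198.51.100.7"}}


def fake_ptr(ip):
    if ip not in PTR_ZONE:
        raise socket.herror(1, "Unknown host")
    return PTR_ZONE[ip]


def fake_forward(name):
    if name not in FORWARD_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return FORWARD_ZONE[name]


def demo():
    """Reason per constructed client: good, mismatch, no forward, no PTR."""
    clients = ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40")
    return {c: check_client(c, fake_ptr, fake_forward)["reason"] for c in clients}


if __name__ == "__main__":
    for client, reason in demo().items():
        print(client, "->", reason)
```

Called without the two lookup arguments, check_client uses the system resolver, so it can be pointed at the address of a real sending host.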
Re: MX question
Ralf..

> A MX lookup is performed to check if the sender domain exists; it can
> be activated using:
>
> reject_unknown_sender_domain

is what I was looking for..

Thank you ..

Charles

On 09/14/2010 08:18 AM, Ralf Hildebrandt wrote:
> * CT:
>> It was a question that came up in a discussion..
>>
>> I have had issues in the past when delivering email and I did not
>> have PTR in place.. the email was rejected..
>
> That's not an MX problem, but a missing PTR. Postfix can check for this using:
>
> reject_unknown_reverse_client_hostname
>
> or (more harsh)
>
> reject_unknown_client_hostname
>
>> so the question regarding "inbound MX lookups" came up so I figured I
>> would ask..
>
> A MX lookup is performed to check if the sender domain exists; it can
> be activated using:
>
> reject_unknown_sender_domain
Problems to understand reject_unlisted_recipients
Hi,

this is my first post here on that list, so I hope my question(s) are welcome :)

I use the current 20100913 snapshot postfix release on a developer server (testing MTA). Nearly all is working flawlessly, except one problem that I found in my daily logs (this is a test, I did)

The address is a non-existent address. I used my web.de test-account to send a mail to this fake. Here is the result:

Sep 11 10:34:27 mx0 postfix/smtpd[29582]: connect from fmmailgate07.web.de[217.72.192.248]
Sep 11 10:34:30 mx0 postfix/smtpd[29582]: NOQUEUE: client=fmmailgate07.web.de[217.72.192.248]
Sep 11 10:34:30 mx0 amavis[31474]: (31474-03) ESMTP::10024 /var/lib/amavis/tmp/amavis-20100911T014053-31474: -> SIZE=1067 Received: from mx0.roessner-net.de ([127.0.0.1]) by localhost (mx0.roessner-net.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Sat, 11 Sep 2010 10:34:30 +0200 (CEST)
Sep 11 10:34:30 mx0 amavis[31474]: (31474-03) Checking: hA1rUC8UbQV7 [217.72.192.248] ->
Sep 11 10:34:30 mx0 amavis[31474]: (31474-03) Open relay? Nonlocal recips but not originating: ad4f0.5040...@roessner-net.com
Sep 11 10:34:30 mx0 amavis[31474]: (31474-03) p001 1 Content-Type: text/plain, size: 278 B, name:
Sep 11 10:34:36 mx0 postfix/smtpd[29591]: initializing the server-side TLS engine
Sep 11 10:34:36 mx0 postfix/smtpd[29591]: connect from localhost[127.0.0.1]
Sep 11 10:34:36 mx0 postfix/smtpd[29591]: 40FC3520A6: client=localhost[127.0.0.1], orig_client=fmmailgate07.web.de[217.72.192.248]
Sep 11 10:34:36 mx0 postfix/cleanup[29592]: 40FC3520A6: message-id=<1096101504.9442502.1284194063641.javamail.fm...@mwmweb067>
Sep 11 10:34:36 mx0 postfix/smtpd[29591]: disconnect from localhost[127.0.0.1]
Sep 11 10:34:36 mx0 postfix/qmgr[27669]: 40FC3520A6: from=, size=1749, nrcpt=1 (queue active)
Sep 11 10:34:36 mx0 amavis[31474]: (31474-03) FWD via SMTP: -> ,BODY=7BIT 250 2.0.0 Ok, id=31474-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 40FC3520A6
Sep 11 10:34:36 mx0 amavis[31474]: (31474-03) Passed CLEAN, [217.72.192.248] [109.90.85.83] -> , Message-ID: <1096101504.9442502.1284194063641.javamail.fm...@mwmweb067>, mail_id: hA1rUC8UbQV7, Hits: 0.801, size: 1267, queued_as: 40FC3520A6, 6370 ms
Sep 11 10:34:36 mx0 amavis[31474]: (31474-03) TIMING-SA total 5720 ms - parse: 13 (0.2%), extract_message_metadata: 31 (0.5%), get_uri_detail_list: 7 (0.1%), tests_pri_-1000: 22 (0.4%), tests_pri_-950: 4 (0.1%), tests_pri_-900: 4 (0.1%), tests_pri_-400: 52 (0.9%), check_bayes: 49 (0.9%), tests_pri_0: 5309 (92.8%), check_dkim_adsp: 24 (0.4%), check_spf: 60 (1.1%), poll_dns_idle: 49 (0.9%), check_dcc: 4285 (74.9%), check_razor2: 617 (10.8%), check_pyzor: 206 (3.6%), tests_pri_500: 14 (0.3%), learn: 225 (3.9%), get_report: 5 (0.1%)
Sep 11 10:34:36 mx0 postfix/smtpd[29582]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok, id=31474-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 40FC3520A6; from= to= proto=ESMTP helo=
Sep 11 10:34:36 mx0 postfix/smtpd[29582]: disconnect from fmmailgate07.web.de[217.72.192.248]
Sep 11 10:34:36 mx0 amavis[31474]: (31474-03) TIMING [total 6424 ms] - SMTP greeting: 11 (0%)0, SMTP EHLO: 4 (0%)0, SMTP pre-MAIL: 2 (0%)0, lookup_ldap: 18 (0%)1, SMTP pre-DATA-flush: 5 (0%)1, SMTP DATA: 13 (0%)1, check_init: 1 (0%)1, digest_hdr: 5 (0%)1, digest_body_dkim: 1 (0%)1, sql-enter: 74 (1%)2, mime_decode: 48 (1%)3, get-file-type1: 82 (1%)4, parts_decode: 2 (0%)4, check_header: 9 (0%)4, AV-scan-1: 30 (0%)5, spam-wb-list: 7 (0%)5, SA parse: 22 (0%)5, SA check: 5699 (89%)94, update_cache: 18 (0%)94, lookup_ldap: 11 (0%)94, penpals_check: 1 (0%)94, decide_mail_destiny: 1 (0%)94, fwd-connect: 61 (1%)95, fwd-xforward: 3 (0%)95, fwd-mail-pip: 87 (1%)97, fwd-rcpt-pip: 1 (0%)97, fwd-data-chkpnt: 2 (0%)97, write-header: 7 (0%)97, fwd-data-contents: 0 (0%)97, fwd-end-chkpnt: 118 (2%)99, prepare-dsn: 3 (0%)99, main_log_entry: 27 (0%)99, sql-update: 25 (0%)100, update_snmp: 14 (0%)100, SMTP pre-response: 2 (0%)100, SMTP response: 2 (0%)100, unlink-2-files: 1 (0%)100, rundown: 7 (0%)100
Sep 11 10:34:36 mx0 postfix/lmtp[29594]: 40FC3520A6: to=, relay=127.0.0.1[127.0.0.1]:24, delay=0.39, delays=0.19/0.06/0.01/0.13, dsn=5.1.1, status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.1.1 User doesn't exist: ad4f0.5040...@roessner-net.com (in reply to RCPT TO command))
Sep 11 10:34:36 mx0 postfix/cleanup[29592]: 8F68B520AC: message-id=<20100911083436.8f68b52...@mx0.roessner-net.de>
Sep 11 10:34:36 mx0 postfix/qmgr[27669]: 8F68B520AC: from=<>, size=3892, nrcpt=1 (queue active)
Sep 11 10:34:36 mx0 postfix/bounce[29595]: 40FC3520A6: sender non-delivery notification: 8F68B520AC
Sep 11 10:34:36 mx0 postfix/qmgr[27669]: 40FC3520A6: removed
Sep 11 10:34:36 mx0 postfix/qmgr[27669]: 8F68B520AC: removed
Sep 11 10:34:36 mx0 postfix/smtp[29596]: 8F68B520AC: to=, relay=mx-ha01.web.de[217.72.192.149]:25, delay=0.2, delays=0.05/0.05/0.06/0.04, dsn=2.0.0, status=sent (250 OK id=1OuLXg-0006PR-00)

It see
force startssl on port 25
hi guru of postfix
hi mouss and wietse

hi all the users of this list

my question is simply

is there a way to force startssl on port 25
or it is not a good method

many returns are welcome
Re: force startssl on port 25
On 9/14/2010 1:11 PM, fakessh wrote:
> hi guru of postfix
> hi mouss and wietse
>
> hi all the users of this list
>
> my question is simply
>
> is there a way to force startssl on port 25
> or it is not a good method
>
> many returns are welcome

I don't recommend doing that as not all MTAs on the internet will be able to or want to do SSL from MTA to MTA.

If you want to offer it, that's fine, but I wouldn't force it.

-Matt
Re: force startssl on port 25
On Tue, 14 Sep 2010 13:17:56 -0400, Matt Hayes wrote:
> On 9/14/2010 1:11 PM, fakessh wrote:
>> hi guru of postfix
>> hi mouss and wietse
>>
>> hi all the users of this list
>>
>> my question is simply
>>
>> is there a way to force startssl on port 25
>> or it is not a good method
>>
>> many returns are welcome
>
> I don't recommend doing that as not all MTAs on the internet will be
> able to or want to do SSL from MTA to MTA.
>
> If you want to offer it, that's fine, but I wouldn't force it.

thanks for your response
no force it
thanks
thank you in France

> -Matt
Re: Seeking recommendation for before-queue content filter capable of removing headers
On 13.09.10 16:15, Mark Martinec wrote:
> With the help of custom hooks this can be achieved by amavisd itself

Thank you for the sample code and for your detailed explanations regarding the configuration options.

> The reason the DKIM document suggests not to sign Received header
> fields is for fear that MTAs in the chain may modify them and thus
> break a signature. In my experience this practically never happens.

My guess is that I am not the only person who wishes to remove Received headers to hide internal mail routing. Anyway, I am content with amavisd allowing me to easily configure which headers are to be signed.

-Ralph
Re: force startssl on port 25
> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of fakessh
> Sent: Tuesday, September 14, 2010 7:11 PM
> To: Postfix users
> Subject: force startssl on port 25
>
> hi guru of postfix
> hi mouss and wietse
>
> hi all the users of this list
>
> my question is simply
>
> is there a way to force startssl on port 25
> or it is not a good method
>
> many returns are welcome

I suggest you use:

smtpd_tls_security_level = may

Best regards,
Morten
Re: only allow tlsv1 connection from specific ip addresses
On 09/14/2010 03:06 PM, Eero Volotinen wrote:
> How to configure postfix only allow tlsv1 connections (no plaintext
> allowed) from defined ip ranges? three hosts are needed to communicate
> smarthost with tlsv1 only?

If these hosts are using you as their smarthost, simply whitelist their IPs.
I don't know why TLS would be required.

--
J.
Re: custom reject messages
On 09/14/2010 12:13 PM, Frank Doege wrote:
> Hi all,
>
> I'd like to modify the message postfix sends to the server when it
> rejects an email in one of the checks performed. For example,
>
> 450 Helo command rejected: Host not found; http://readhereforemore.info

Any check_*_access map can return an error code and a custom reply message.
A restriction class can, too.

> that administrators which have no clue about email systems have a bit
> more information why I am rejecting their mail. Does this make sense?
>
> Btw: I use tumgreyspf and it also sends a custom dsn message, is this
> non standard conform in any way?

I don't understand what you mean by "custom DSN".
A DSN is a normal email message, its contents aren't written down anywhere.
There is an RFC about them, however.

> Thanks
> Frank
Re: Problems to understand reject_unlisted_recipients
On 09/14/2010 04:42 PM, Christian Rößner wrote:
> Sep 11 10:34:36 mx0 postfix/lmtp[29594]: 40FC3520A6: to=, relay=127.0.0.1[127.0.0.1]:24, delay=0.39, delays=0.19/0.06/0.01/0.13, dsn=5.1.1, status=bounced (host 127.0.0.1[127.0.0.1]

Who is that ?

> said: 550 5.1.1 User doesn't exist: ad4f0.5040...@roessner-net.com (in reply to RCPT TO command))

It isn't postfix - postfix is SENDING the message there.

--
J.
Re: only allow tlsv1 connection from specific ip addresses
2010/9/15 Jeroen Geilman :
> On 09/14/2010 03:06 PM, Eero Volotinen wrote:
>>
>> How to configure postfix only allow tlsv1 connections (no plaintext
>> allowed) from defined ip ranges? three hosts are needed to communicate
>> smarthost with tlsv1 only?
>>
>
> If these hosts are using you as their smarthost, simply whitelist their IPs.
> I don't know why TLS would be required.

Due to security reasons.

--
Eero
Re: only allow tlsv1 connection from specific ip addresses
On 9/14/2010 8:06 AM, Eero Volotinen wrote:
> How to configure postfix only allow tlsv1 connections (no plaintext
> allowed) from defined ip ranges? three hosts are needed to communicate
> smarthost with tlsv1 only?
>
> br,
> --
> Eero

Postfix TLS controls are described here
http://www.postfix.org/TLS_README.html

Supply more details of what you intend to accomplish if you need more help.

-- Noel Jones
Re: only allow tlsv1 connection from specific ip addresses
On Tue, Sep 14, 2010 at 04:06:34PM +0300, Eero Volotinen wrote:
> How to configure postfix only allow tlsv1 connections (no plaintext
> allowed) from defined ip ranges? three hosts are needed to communicate
> smarthost with tlsv1 only?

The Postfix SMTP server has no per-client TLS cipher/protocol policy. The reasons are described in:

http://www.postfix.org/TLS_README.html#client_tls_limits

TLS security policy is left primarily to the client. You can configure a custom SMTP listener that only offers TLSv1 and imposes other appropriate restrictions, and configure the clients in question to send mail into that custom listener (ip:port).

--
Viktor.
Re: Problems to understand reject_unlisted_recipients
Jeroen Geilman put forth on 9/14/2010 5:56 PM:
> On 09/14/2010 04:42 PM, Christian Rößner wrote:
>> Sep 11 10:34:36 mx0 postfix/lmtp[29594]: 40FC3520A6:
>> to=, relay=127.0.0.1[127.0.0.1]:24,
>> delay=0.39, delays=0.19/0.06/0.01/0.13, dsn=5.1.1, status=bounced
>> (host 127.0.0.1[127.0.0.1]
>
> Who is that ?

ad4f0.5040...@roessner-net.com is a message-ID, not an email address.

>> said: 550 5.1.1 User doesn't exist:
>> ad4f0.5040...@roessner-net.com (in reply to RCPT TO command))
>
> It isn't postfix - postfix is SENDING the message there.

Spammers scrape the web for email addresses, and end up grabbing message-IDs as well when they scour public mailing list archive posts. They don't ignore headers, so they end up scraping message-IDs as well as real email addresses. Then they send spam to that message-ID thinking it's an email address. The RHS is correct, so your Postfix server initially accepts it.

You're apparently relaying to a content filter before doing recipient address verification. If you performed address verification first, the connection would be rejected with "User unknown in local recipient table" or similar, depending on your Postfix configuration (local, virtual, relay, etc).

--
Stan
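The sequence discussed in this sub-thread (mail accepted at SMTP time, bounced with 5.1.1 at final delivery, non-delivery notification sent back out) can be found in Postfix logs by correlating queue IDs. The following is an added example, not part of the original thread; the log sample is constructed after the lines quoted above, all addresses, host names and queue IDs in it are placeholders, and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the log lines in this thread. Addresses,
# host names and queue IDs are placeholders, not values from the thread.
SAMPLE_LOG = """\
Sep 11 10:34:36 mx0 postfix/qmgr[101]: 1A2B3C4D5E: from=<sender@remote.example>, size=1749, nrcpt=1 (queue active)
Sep 11 10:34:36 mx0 postfix/lmtp[102]: 1A2B3C4D5E: to=<msgid.1234@local.example>, relay=127.0.0.1[127.0.0.1]:24, delay=0.39, dsn=5.1.1, status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.1.1 User doesn't exist (in reply to RCPT TO command))
Sep 11 10:34:36 mx0 postfix/bounce[103]: 1A2B3C4D5E: sender non-delivery notification: 6F7A8B9C0D
Sep 11 10:34:36 mx0 postfix/qmgr[101]: 6F7A8B9C0D: from=<>, size=3892, nrcpt=1 (queue active)
Sep 11 10:34:36 mx0 postfix/smtp[104]: 6F7A8B9C0D: to=<sender@remote.example>, relay=mx.remote.example[192.0.2.25]:25, delay=0.2, dsn=2.0.0, status=sent (250 OK)
Sep 11 10:40:01 mx0 postfix/lmtp[105]: 2B3C4D5E6F: to=<real.user@local.example>, relay=127.0.0.1[127.0.0.1]:24, delay=0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Sep 11 10:41:07 mx0 postfix/smtpd[106]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <msgid.5678@local.example>: Recipient address rejected: User unknown in local recipient table; proto=ESMTP
"""

ENTRY = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
DELIVERY = re.compile(
    r"to=<(?P<rcpt>[^>]*)>,.*?relay=(?P<relay>[^,]+),"
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")
NDR = re.compile(r"sender non-delivery notification: (?P<ndr>[0-9A-F]{6,})")


def find_backscatter(log_text):
    """Return one finding per message that was queued, bounced for an unknown
    recipient after the queue, and answered with an NDR that left the host."""
    unknown_rcpt = {}  # original queue ID -> recipient bounced with 5.1.1
    ndr_parent = {}    # NDR queue ID -> queue ID of the message it reports on
    sent = []          # (queue ID, recipient, relay) for every status=sent
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # includes NOQUEUE rejects: refused at SMTP time, no NDR
        qid, rest = entry["qid"], entry["rest"]
        ndr = NDR.search(rest)
        if entry["daemon"] == "bounce" and ndr:
            ndr_parent[ndr["ndr"]] = qid
            continue
        delivery = DELIVERY.search(rest)
        if not delivery:
            continue
        if delivery["status"] == "bounced" and delivery["dsn"] == "5.1.1":
            unknown_rcpt[qid] = delivery["rcpt"]
        elif delivery["status"] == "sent":
            sent.append((qid, delivery["rcpt"], delivery["relay"]))
    findings = []
    for qid, rcpt, relay in sent:
        parent = ndr_parent.get(qid)
        # Only NDRs handed to a non-loopback relay count as backscatter.
        if parent in unknown_rcpt and "[127." not in relay:
            findings.append({"original_qid": parent,
                             "unknown_recipient": unknown_rcpt[parent],
                             "ndr_qid": qid,
                             "ndr_sent_to": rcpt,
                             "ndr_relay": relay})
    return findings


if __name__ == "__main__":
    for finding in find_backscatter(SAMPLE_LOG):
        print(finding)
```

The last sample line shows the contrast: a recipient refused during the SMTP session is logged as NOQUEUE and never produces a bounce message, so it is not reported.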
Re: custom reject messages
On 09/15/2010 01:47 AM, Jeroen Geilman wrote:
> On 09/14/2010 12:13 PM, Frank Doege wrote:
>> Hi all,
>>
>> I'd like to modify the message postfix sends to the server when it
>> rejects an email in one of the checks performed. For example,
>>
>> 450 Helo command rejected: Host not found; http://readhereforemore.info
>
> Any check_*_access map can return an error code and a custom reply message.
> A restriction class can, too.
>
>> that administrators which have no clue about email systems have a bit
>> more information why I am rejecting their mail. Does this make sense?
>>
>> Btw: I use tumgreyspf and it also sends a custom dsn message, is this
>> non standard conform in any way?
>
> I don't understand what you mean by "custom DSN".
> A DSN is a normal email message, its contents aren't written down anywhere.
> There is an RFC about them, however.
>
>> Thanks
>> Frank

Hello Jeroen,

thanks for your answer. The problem is the following, I see some legitimate mail being rejected by my mailserver because some other administrators are not capable of setting the name of their mailserver right (helo doesn't have an A record for example). Now I think it's just fine to reject this mail instead of accepting such mailservers, I would however like to give a small note why I am rejecting their mail.

These administrators can't configure a mail server right so I don't think they understand "helo command rejected..." so I'd like to add a link where they can find more information.

If I am right the sender receives a message from the server being rejected after several tries in the form of "I am giving up now, " there I would like that he sees a custom link http://whyismymailrejected

Maybe if many users are asking why their mail didn't get delivered they wake up and fix their servers.

Thanks,
Frank