Re: Fighting Backscatter

2010-10-21 Thread Stan Hoeppner
Brian Evans - Postfix List put forth on 10/20/2010 12:57 PM:

> In your opinion, would check_reverse_client_hostname_access (Postfix
> 2.6+) work better here?
> Many dynamic zombies don't always resolve forward.

Operationally it probably won't make a difference as most ISPs who
bother to assign rdns also bother to create corresponding A records.
The reverse restriction available in 2.6+ is more technically correct
for this PCRE table application since the table is designed to match
rdns strings.

-- 
Stan




virtual users and accepting mail for /^prefix...@.+$/ regex

2010-10-21 Thread Tomasz Chmielewski
I'm trying to configure Postfix to accept mail for addresses matching the 
/^prefix...@.+$/ regex only.


I can do this with:

virtual_alias_maps = regexp:/etc/postfix/virtual
virtual_maps = regexp:/etc/postfix/virtual
mydestination = $myhostname, localhost.$mydomain, localhost,
    regexp:/etc/postfix/domains


And:

cat virtual:

/^prefix...@.+$/ prefixuser


cat domains (since we want to accept mail for all domains):

/.+/ OK


However, with that catch-all domain entry, I'm not able to send out mail, since 
everything is delivered locally.

Without the catch-all domain entry, I'm able to send out mail, but Postfix 
won't accept mail for /^prefix...@.+$/ (from remote).


How can I configure postfix to accept mail for /^prefix...@.+$/ users, and be 
able to send out mail to a proper MX?


-- 
Tomasz Chmielewski
http://wpkg.org


Re: virtual users and accepting mail for /^prefix...@.+$/ regex

2010-10-21 Thread Wietse Venema
Tomasz Chmielewski:
> I'm trying to configure Postfix to accept mail for addresses
> matching the /^prefix...@.+$/ regex only.

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        ...
        check_recipient_access pcre:/etc/postfix/access.pcre

/etc/postfix/access.pcre:
    /^prefix-/ dunno
    /./ reject

Also, for every domain Postfix needs to know how to deliver it,
so you cannot use wildcards in virtual_alias_domains etc.

- List the domain in mydestination if it is delivered with the
local(8) delivery agent. To avoid backscatter problems, Postfix
rejects addresses that are not listed in $local_recipient_maps.

- List the domain in relay_domains if Postfix is backup MTA. To
avoid backscatter problems, Postfix rejects addresses that are not
listed in $relay_recipient_maps.

- List the domain in virtual_alias_domains if it's a virtual alias
domain, and also supply a mapping from virtual addresses to addresses
in a "real" domain. To avoid backscatter problems, Postfix rejects
addresses that don't have a virtual-to-real mapping.

- And so on for virtual mailbox domains.

- Postfix delivers all other domains via smtp, the default transport.

Wietse


Default transport

2010-10-21 Thread Patric Falinder

Hi,

I'm wondering if it's smart to set a "default transport" like this "*...@*" 
to "smtp:[mail.server.com]" so I don't have to specify for every domain 
that I have on the server, and would just have to specify for those who 
need a different transport?


I have a smtp-server that checks for spam etc. and then relays it to 
either my internal pop3/imap-server or an external pop3/imap-server of 
their own.
So I want my internal pop3/imap-server as "default transport", but I'm 
wondering if that opens up some kind of security risk or something?
Like even if the domain doesn't exist on my server, it asks the default 
transport if the user exists and doesn't reject it like it would use to!?



Thanks,
-Patric


Re: Source code change for verp always

2010-10-21 Thread Victor Duchovni
On Wed, Oct 20, 2010 at 09:20:42PM +0530, Ramprasad wrote:

> On one of my servers (postfix 2.7)  I need to do verp in such a way that
> I need to add recipient-id to envelope sender
> 
> so if sender is r...@senderdomain.tld  -->ram-1...@senderdomain.tld
>  is the numeric id of the recipient. 
> 
> Also I need to do VERP always , irrespective of whether the client sends
> an XVERP command or not. 
> 
> 
> Wietse had suggested that I do a source change to do always VERP which I
> can easily do by making a change to src/smtpd/smtpd.c
> 
> I guess the  src/global/verp_sender.c --  verp_sender() function is
> where the encoding happens. But somehow any change I do does not seem to
> reflect. 

I would not change Postfix. Rather, I would implement a content-filter
or a pre-queue proxy filter, that modifies the SMTP commands that pass
through it. If your VERP transformation needs to insert opaque tags
that don't look like the Postfix sender+recipient=domain form, then this
cannot be done by the Postfix VERP code, your filter will need to modify
the sender address rather than just insert XVERP into the protocol stream,
in that case, the filter MUST be a content filter, as you need to ensure
single-recipient concurrency.

It sounds like you don't have the skill to understand the Postfix code
well enough to change it. Don't. Especially, since it seems that your
problem requires a different solution.

-- 
Viktor.


Re: Source code change for verp always

2010-10-21 Thread Wietse Venema
Ramprasad:
> On one of my servers (postfix 2.7)  I need to do verp in such a way that
> I need to add recipient-id to envelope sender
> 
> so if sender is r...@senderdomain.tld  -->ram-1...@senderdomain.tld
>  is the numeric id of the recipient. 

Postfix VERP works in a different way. It puts the complete recipient
name and domain into the sender address, instead of a short code that 
identifies the recipient.

Is there a problem with sending VERP as implemented:

originalsender = sen...@senderdomain
recipient = recipi...@recipientdomain
verpsender = sender+recipient=recipientdom...@senderdomain

> Also I need to do VERP always , irrespective of whether the client sends
> an XVERP command or not. 

You could use an SMTP proxy that always sends XVERP, as suggested
by Victor.  There are lots of examples of SMTP proxies in PERL.

Wietse


Re: Default transport

2010-10-21 Thread Victor Duchovni
On Thu, Oct 21, 2010 at 03:12:09PM +0200, Patric Falinder wrote:

> I'm wondering if it's smart to set a "default transport" like this "*...@*" 
> to 
> "smtp:[mail.server.com]" so I don't have to specify for every domain that I 
> have on the server, and would just have to specify for those who need a 
> different transport?

That's what the "relayhost" configuration parameter is for. It specifies
a default "nexthop". The default transport in Postfix is already "smtp".

-- 
Viktor.


Re: Request for help with redesign of Postfix Configuration File ...

2010-10-21 Thread Christopher Koeber
On Thu, Oct 21, 2010 at 7:24 AM, Charles Marcus
wrote:

>
> Do you understand what I meant by ^^^ that? It really does make working
> with postfix easier if you comment out 'defaults'... I cut my postconf
> -n output in half by doing this.
>
> Just compare output of postconf -d (gives you the defaults) and postconf
> -n, and comment out any of the settings that are identical.
>
You were right! Half of my config was setting defaults ;)

After making the changes where only I was explicitly setting things to what
I needed them to be versus the default the postfix system seems faster, too!


>
> Well, I guess it could matter, since it reads them in the specified
> order. I would recommend changing it, but only you can say if  your use
> case needs the order reversed for some specific reason. I would
> investigate it further though.
>

I made the change. Better to have it the way other admins would expect it.


>
> Naahh... it won't hurt anything, it's just 'not standard', which would
> kind of bug me if it was my server, but then I'm a bit too picky about
> things sometimes... ;)
>

I see. Might be a good idea to change sometime in the future, then.


>
> Be sure to fix this ^^^ one too...
>
> Oh - in case you didn't know - if you set a parameter twice in postfix,
> 'the last one wins', meaning, the one closest to the end of main.cf...
>
> This is actually a nice behavior - I take advantage of it by simply
> adding a block at the very end of the file, with *all* of my settings
> all together in one place. It makes it much easier to read my settings,
> and I always know mine will take precedence no matter what is defined
> above...
>

Fixed per what I wrote above. Just made my configuration file have my
settings and nothing else.


>
> >> Well, that's about all my inexperience can come up with...
>
> > Thanks so much for your time.
>
> No problem - I remember my first post doing the same exact thing -
> sanity check on my config... :)
>
> Yep. correct.

Regards,
Christopher Koeber


> --
>
> Best regards,
>
> Charles
>


Re: Request for help with redesign of Postfix Configuration File ...

2010-10-21 Thread Victor Duchovni
On Thu, Oct 21, 2010 at 12:49:32PM -0400, Christopher Koeber wrote:

> After making the changes where only I was explicitly setting things to what
> I needed them to be versus the default the postfix system seems faster, too!

This is an optical illusion. Removing default settings simplifies your
configuration for a human reader, but has no performance impact.

Postfix defaults change from time to time, and unless you have a
particular reason to explicitly choose the current default value, it is
best to let future Postfix releases run with the defaults for the release
in question.

-- 
Viktor.


Re: Request for help with redesign of Postfix Configuration File ...

2010-10-21 Thread Christopher Koeber
On Thu, Oct 21, 2010 at 1:06 PM, Victor Duchovni <
victor.ducho...@morganstanley.com> wrote:

> On Thu, Oct 21, 2010 at 12:49:32PM -0400, Christopher Koeber wrote:
>
> > After making the changes where only I was explicitly setting things to
> what
> > I needed them to be versus the default the postfix system seems faster,
> too!
>
> This is an optical illusion. Removing default settings simplifies your
> configuration for a human reader, but has no performance impact.
>
> Postfix defaults change from time to time, and unless you have a
> particular reason to explicitly choose the current default value, it is
> best to let future Postfix releases run with the defaults for the release
> in question.
>
>

I see. It was a nice feeling in my head, then. ;)

In either case, my config file is super simple now so everything seems good.


> --
>Viktor.
>


Re: question about notifications

2010-10-21 Thread John Watson
I am close to getting the always_bcc option working. I created an alias in
the mysql alias table that has 'autoreply' mapped to '| /path/to/myscript'.
I setup always_bcc to send messages to 'autoreply'. In the /var/log/maillog
I can see that postfix is attempting to cc the message to my alias but
rather than executing the command it is making an address of the form:

 "| /path/to/myscr...@mydomain.com" and then trying to send it on.

 I have looked at content filters and started to look at writing a custom
MDA per
http://blog.josephhall.com/2009/12/create-custom-mda-with-postfix-and-perl.html
but
I really want this always_bcc solution to work.
 Does anyone know how to make postfix execute the command rather than treat
it as an address? I have seen examples that had "| /path/to/command" and it
looked like it was supposed to just work but those examples weren't using
mysql to store the account info.

 Thanks in advance.
 -John Watson.

On Wed, Oct 20, 2010 at 2:15 PM, mouss  wrote:

>  On 20/10/2010 21:04, John Watson wrote:
>
>
>> Hello,
>>
>>  I am using postfix in conjunction with squirrelmail to build a business
>> application. One of the requirements that I have is that when an email is
>> received in one of the postfix mail boxes an alert is generated. In our case
>> we will be sending a standard message to another email but in general we
>> might want to run arbitrary code when messages are received by postfix.
>>
>>  It seems that some of the work that has been done with virus scanners
>> uses a server hook to examine all the messages that pass through the server.
>> Can anyone tell me what that is called or provide a pointer to more detail
>> and is this the best way to solve a problem like this?
>>
>>
>>
> you can do that
> - in your MDA (dovecot, maildrop, ...).
> - by specifying a script as an MDA for those mailboxes that you want...
>
> I personally prefer the "run the action later".
> - keep delivery as it is
> - have a script that does pop3 (or imap) periodically. this script can do
> anything you want
>
> the advantage is that
> - bugs in your script won't cause trouble to your delivery
> - if you're under heavy mail stream, you don't add yet more load on your
> server
>


Re: question about notifications

2010-10-21 Thread Brian Evans - Postfix List

On 10/21/2010 3:06 PM, John Watson wrote:
> I am close to getting the always_bcc option working. I created an
> alias in the mysql alias table that has 'autoreply' mapped to '|
> /path/to/myscript'. I setup always_bcc to send messages to
> 'autoreply'. In the /var/log/maillog I can see that postfix is
> attempting to cc the message to my alias but rather than executing the
> command it is making an address of the form:
>
>  "| /path/to/myscr...@mydomain.com" and then trying to send it on.

If this is a mysql map in virtual_alias_maps, then it will not work.
virtual_alias_maps MUST resolve to an address.
To run a piped command, you MUST EITHER deliver to a domain listed in
mydestination and then alias to command in alias_maps OR set up a
transport in master.cf and point the address in transport_maps to the
specified pipe transport.


See http://www.postfix.org/VIRTUAL_README.html under "Mailing Lists" or 
"Autoreplies" for examples.


Brian


> I have looked at content filters and started to look at writing a
> custom MDA per
> http://blog.josephhall.com/2009/12/create-custom-mda-with-postfix-and-perl.html but
> I really want this always_bcc solution to work.
> Does anyone know how to make postfix execute the command rather than
> treat it as an address? I have seen examples that had "|
> /path/to/command" and it looked like it was supposed to just work but
> those examples weren't using mysql to store the account info.
>
> Thanks in advance.
> -John Watson.
>
> On Wed, Oct 20, 2010 at 2:15 PM, mouss wrote:
>
>> On 20/10/2010 21:04, John Watson wrote:
>>
>>> Hello,
>>>
>>> I am using postfix in conjunction with squirrelmail to build
>>> a business application. One of the requirements that I have is
>>> that when an email is received in one of the postfix mail
>>> boxes an alert is generated. In our case we will be sending a
>>> standard message to another email but in general we might want
>>> to run arbitrary code when messages are received by postfix.
>>>
>>> It seems that some of the work that has been done with virus
>>> scanners uses a server hook to examine all the messages that
>>> pass through the server. Can anyone tell me what that is
>>> called or provide a pointer to more detail and is this the
>>> best way to solve a problem like this?
>>
>> you can do that
>> - in your MDA (dovecot, maildrop, ...).
>> - by specifying a script as an MDA for those mailboxes that you
>> want...
>>
>> I personally prefer the "run the action later".
>> - keep delivery as it is
>> - have a script that does pop3 (or imap) periodically. this script
>> can do anything you want
>>
>> the advantage is that
>> - bugs in your script won't cause trouble to your delivery
>> - if you're under heavy mail stream, you don't add yet more load
>> on your server




Re: Request for help with redesign of Postfix Configuration File ...

2010-10-21 Thread Jeroen Geilman

On 10/21/2010 04:02 AM, Christopher Koeber wrote:
> On Tue, Oct 19, 2010 at 1:26 PM, Jeroen Geilman wrote:
>> On 10/19/2010 06:12 PM, Ben McGinnes wrote:
>>> Not if the students subdomain has different MX details to the main
>>> domain, which appears to be the case here:
>>>
>>> ;; ANSWER SECTION:
>>> wesleyseminary.edu.  43098  IN  MX  10 mail1.no-ip.com.
>>> wesleyseminary.edu.  43098  IN  MX  15 mail2.no-ip.com.
>>> wesleyseminary.edu.  43098  IN  MX  5 mail.wesleyseminary.edu.
>>>
>>> ;; ANSWER SECTION:
>>> students.wesleyseminary.edu.  1674  IN  MX  5 students.wesleyseminary.edu.
>>>
>>> Probably a good idea in any educational environment.
>>
>> Yet totally superfluous; the A record suffices.
>
> This is in reference to the myhostname setting?

No.

foo.bar MX 10 foo.bar is unnecessary, as any valid A record can receive
mail.
Since foo.bar has to be an A record (you're using it as the MX value)
the MX record is superfluous.


--
J.



recipient limit in policy service

2010-10-21 Thread Christian Roessner
Hi,

sorry to ask that, but I try to understand a problem that I found by writing a
policy server. If I put it into smtpd_recipient_restrictions and a remote MTA
connects, sends its EHLO, MAIL FROM and then a list of RCPT TOs, postfix
switches right after the first user to the policy server and waits for the
reply, then comes back and maybe does 250 Ok and after all further RCPT TOs,
the policy server is not queried again.

I expected that Postfix uses recipient as multi value in the delegation 
protocol.

I know that it might be a problem, if 20 RCPT TOs are generated, 19 say DUNNO 
and one says REJECT, but this is a problem of the policy server, in my opinion 
:-)

Please keep in mind that English is a foreign language for me. It might sound 
like attack, but it's because of missing words :-)

Is it possible to make Postfix wait until DATA and then give the full list of
all RCPT TOs to the policy server? Maybe in the smtpd_data_restrictions? I
tried it, but I only receive an empty list and the recipient counter. But that
does not help me.

I really need all recipients in the policy server. Maybe the policy server 
needs to be queried after _each_ given RCPT TO. Maybe it would be able to make 
that configurable?

I think, if the problem (20 user, one reject) happens, a policy server would 
have to decide DUNNO in such a situation.

Or is that something that needs to be implemented in a pre-queue milter?

Any help is welcome

And many thanks in advance

Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com





Re: recipient limit in policy service

2010-10-21 Thread Wietse Venema
Christian Roessner:
> Hi,
> 
> sorry to ask that, but I try to understand a problem that I found
> by writing a policy server. If I put it into smtpd_recipient_restrictions
> and a remote MTA connects, sends its EHLO, MAIL FROM and then a
> list of RCPT TOs, postfix switches right after the first user to
> the policy server and waits for the reply, then comes back and
> maybe does 250 Ok and after all further RCPT TOs, the policy server
> is not queried again.

You can call the policy daemon from smtpd_data_restrictions (or
smtpd_end_of_data_restrictions if you need to know the actual
message size).

> I expected that Postfix uses recipient as multi value in the
> delegation protocol.

With SMTP, Postfix cannot receive all the RCPT TO commands before
it replies.

Wietse
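
One way to get the full recipient list Christian asks for, as an added example that is not code from this thread: list the same policy service in both smtpd_recipient_restrictions and smtpd_data_restrictions, collect each RCPT TO request under its `instance` attribute (which Postfix keeps the same for all requests about one message), and decide at DATA. The listening port, the EXCLUSIVE address set and the rule itself are assumptions made for illustration.

```python
"""Added example: a Postfix policy daemon that sees every recipient of a message."""
import socketserver
import threading

# Constructed policy: these addresses must be the only recipient of a message.
EXCLUSIVE = {"board@example.com"}
MAX_PENDING = 10000      # cap on tracked messages that never reached DATA

_pending = {}            # instance id -> recipients seen so far for that message
_lock = threading.Lock()


def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, state=None):
    """Return the action for one request (without the 'action=' prefix)."""
    state = _pending if state is None else state
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    instance = attrs.get("instance", "")
    stage = attrs.get("protocol_state", "")
    with _lock:
        if stage == "RCPT":
            rcpt = attrs.get("recipient", "").lower()
            if instance and rcpt:
                if instance not in state and len(state) >= MAX_PENDING:
                    state.pop(next(iter(state)))   # drop the oldest entry
                state.setdefault(instance, []).append(rcpt)
            return "DUNNO"                          # never decide per recipient
        if stage != "DATA":
            return "DUNNO"
        rcpts = state.pop(instance, [])
    # At DATA the reply applies to the whole message, so a REJECT here
    # refuses it for all recipients at once.
    if len(rcpts) > 1 and EXCLUSIVE.intersection(rcpts):
        return "REJECT this address cannot be combined with other recipients"
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix keeps the connection open and sends one request after another;
    each request ends with an empty line, each reply with an empty line."""

    def handle(self):
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = decide(parse_request(lines))
            self.wfile.write(f"action={action}\n\n".encode())
            lines = []


if __name__ == "__main__":
    # main.cf (port number is an assumption of this example):
    #   smtpd_recipient_restrictions = ..., reject_unauth_destination,
    #       check_policy_service inet:127.0.0.1:10040
    #   smtpd_data_restrictions = check_policy_service inet:127.0.0.1:10040
    # Put the check last in the recipient list so that only recipients that
    # passed the other restrictions are recorded.
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

A single long-running process is used here because the recipient lists live in memory; a daemon started per connection through spawn(8) would need shared storage instead.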


Postfix 2nd instance

2010-10-21 Thread motty.cruz
Hello, 
I have two instances of Postfix running on FreeBSD 8.1. The first instance of
Postfix receives email from the outside world and delivers it to Amavisd-new.
After scanning the email, Amavisd-new hands it back to the 2nd instance of
Postfix. Amavisd-new by default banned *.exe files. I have a genuine email
stuck in the banned folder with an .exe attachment. I want to release that
email but I don't want it to go through the scanning process again. Can you
help me release that email to the 2nd instance of Postfix?

I appreciate your help!

Thanks, 
-Motty



Re: Fighting Backscatter

2010-10-21 Thread Jeroen Geilman

On 10/21/2010 05:16 AM, Steve Jenkins wrote:
> Jeroen Geilman said:
>
>> Make sure you understand the difference between
>> smtpd_reject_unknown_helo_hostname and
>> smtpd_reject_unknown_[reverse_]client_hostname.
>
> Ok -- here's what I understand them each to be:
>
> - reject_unknown_helo_hostname will reject a request if the remote
> mail server doesn't have an A or MX record

Not quite.
It will reject the request if the client's HELO doesn't resolve to an
IP, i.e. it doesn't have a DNS A record, or isn't a valid hostname or IP
literal at all.

RFC 5321 details what an EHLO/HELO must look like:
http://tools.ietf.org/html/rfc5321#section-4.1.1
The above simply verifies that the parameter supplied by the client is,
in fact, RFC-compliant - by looking it up.

Postfix will perform many, many DNS lookups for each single message, so
running a nearby - or even local - caching nameserver is not a luxury;
it's highly recommended.

> - reject_unknown_client_hostname will reject if a) the remote server
> fails a reverse lookup (IP points to name), b) fails a forward lookup
> (name resolves to IP), or c) if the published DNS settings for the
> hostname state that the IP for the hostname is different than what the
> remote server is reporting it to be.

I get a headache trying to read that, but that's not your fault; the
original and similar explanation in postconf(5) also gives me a headache :)

> - reject_unknown_reverse_client_hostname is less restrictive and will
> reject only if the remote server fails a reverse lookup.

Yup.

reject_unknown_client_hostname is fine for MXen and large providers, but
it will hurt simple relaying with many false positives.

> So here are my current "spam fighting" settings, based on the input
> from this list:
>
> smtpd_helo_required = yes
> disable_vrfy_command = yes
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination,
>     reject_unknown_reverse_client_hostname,
>     warn_if_reject reject_non_fqdn_helo_hostname,
>     warn_if_reject reject_invalid_helo_hostname,
>     warn_if_reject reject_unknown_helo_hostname,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     check_helo_access hash:/etc/postfix/helo_access,
>     check_client_access pcre:/etc/postfix/fqrdns.pcre,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client psbl.surriel.com,
>     reject_rhsbl_client dbl.spamhaus.org,
>     reject_rhsbl_sender dbl.spamhaus.org,
>     reject_rhsbl_helo dbl.spamhaus.org,
>     permit

Looking good - you even ordered them to reject as much as possible as
soon as possible, AND in order of increasing cost.

> I noticed Jeroen's smtpd_recipient_restrictions included
> reject_unauth_pipelining, but from what I can tell in the docs I'm
> supposed to put it in smtpd_data_restrictions. Am I misunderstanding that?

This http://www.postfix.org/postconf.5.html#reject_unauth_pipelining
indicates that older postfix versions needed that to go in the data
restrictions.

You don't have an older version, so that is not required.
Spammers who won't wait for permission to send pipelined commands will
probably do other naughty things as well - why wait to reject them?

Just put every single restriction you can think of in your
recipient_restrictions, and maybe lower your hard_error_limit a bit,
too, to enforce your stance on unauth pipelining :)
Unauth pipelining will only reject one message at a time (taking the
pipeline sequence into account), but hitting your hard_error limit
disconnects the client - which is probably what you want when a spammer
starts sending megabytes of pipelined crap your way :)



--
J.



Re: Postfix 2nd instance

2010-10-21 Thread Noel Jones

On 10/21/2010 4:31 PM, motty.cruz wrote:
> Hello,
> I have two instances of Postfix running on FreeBSD 8.1. The first instance of
> Postfix receives email from the outside world and delivers it to Amavisd-new.
> After scanning the email, Amavisd-new hands it back to the 2nd instance of
> Postfix. Amavisd-new by default banned *.exe files. I have a genuine email
> stuck in the banned folder with an .exe attachment. I want to release that
> email but I don't want it to go through the scanning process again. Can you
> help me release that email to the 2nd instance of Postfix?
>
> I appreciate your help!
>
> Thanks,
> -Motty



Use the amavisd-release function to release the message from 
quarantine.  Amavisd-new will then release it to the second 
postfix instance.


For more info, see the amavisd-new docs or ask on the 
amavis-users list.


  -- Noel Jones


can withholding mails ( postsuper -h ... ) help with tens of thousands of spam mails hogging mailq

2010-10-21 Thread sunhux G
Question1:
--
Title: tens of thousands of spoof/spam mails hog up mailq :
   will 'postsuper -h' placed in a crontab help ?

I have a case where tens of thousands of spam & spoof emails jammed up my
Linux SMTP mail queue (not that I don't have an anti-spam policy but many
of these mails are innocently/accidentally blasted over by internal
colleagues):
mailq | grep MAILER | wc -l==> tens of thousands

This caused genuine emails (which is usually a couple hundreds only)
to queue up & not being processed because it will take forever
to scan from the top to the end of the mailq with tens of thousands
of emails.

However, I don't want to delete away those spam/spoof mails, just
want to move them to somewhere else (say another queue) so that I
can review & in case there  are genuine ones, I'll redeliver them
later.

I thought of:
mailq | grep -i mailer | awk '{print ($1)}' | grep -v "@" >
listofsuspectmails.txt

for each queue id or mail entry id in listofsuspectmails.txt,  I'll do a
  postsuper -h entry_id
to hold the suspect email & after reviewing if I want to release, issue
  postsuper -H entry_id

Question is :
are the 'held' mails still something that will be scanned (& thus
prolonged the scan time) or scanning of mail queue will skip
'withheld' mails?  If I have 10 'withheld' emails & they're still
being scanned, it will defeat this purpose of me withholding the
mails.

Currently we manually do a " postsuper -d entry_id " to delete away
emails (which can be automated with a Shell script but I don't want
to automate deletion as we may delete possibly genuine emails) after
examining the emails


2nd question:
--
Title : Linux OS files that hold postfix incoming & outgoing mails

Does anyone know the equivalent of sendmail's /var/spool/mqueue and
.../clientqueue  files in postfix?

I plan to use a script to extract out the 'withheld' postfix mails, sieve
through it & generate out a list of 'withheld' mails to be deleted.  Then
use a looping Shell script to read thru this list to 'postsuper -d' to
delete away these 'withheld' mails.  I would like to take a backup of these
files first, delete the 'withheld' mails & just in case I regret the
decision later, I can restore back the mail or mail queue files to recover
them back.


Re: can withholding mails ( postsuper -h ... ) help with tens of thousands of spam mails hogging mailq

2010-10-21 Thread Noel Jones

On 10/21/2010 8:36 PM, sunhux G wrote:
> Question1:
> --
> Title: tens of thousands of spoof/spam mails hog up mailq :
> will 'postsuper -h' placed in a crontab help ?
>
> I have a case where tens of thousands of spam & spoof emails
> jammed up my Linux SMTP mail queue (not that I don't have an anti-spam
> policy but many of these mails are innocently/accidentally blasted over
> by internal colleagues):
> mailq | grep MAILER | wc -l    ==> tens of thousands

A queue full of undeliverable bounces is caused by accepting
mail you can't deliver.  Don't do that.

[snip discussion about sending mail to the hold queue]

> Question is :
> are the 'held' mails still something that will be scanned (& thus
> prolonged the scan time) or scanning of mail queue will skip

Postfix ignores mail in the hold queue.  Moving the offending
mail to the hold queue will solve your immediate performance
problems.

But going forward, solve the right problem.

> 2nd question:
> --
> Title : Linux OS files that hold postfix incoming & outgoing mails

http://www.postfix.org/postcat.1.html
http://www.postfix.org/QSHAPE_README.html



  -- Noel Jones
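
The hold-queue procedure discussed above, as an added example that is not from this thread: parse `mailq` output, pick the bounces (sender MAILER-DAEMON) that are not yet on hold, and feed their queue IDs to `postsuper -h -`. The sample queue listing is constructed, and the script only prints the IDs unless run with `--apply` (a flag of this example, not of Postfix).

```python
"""Added example: move queued bounces to the Postfix hold queue for review."""
import subprocess
import sys

# Constructed sample of `mailq` output, used for offline testing only.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
4F1A2B3C4D     2310 Thu Oct 21 09:58:12  MAILER-DAEMON
(connect to mx.example.net[192.0.2.25]:25: Connection timed out)
                                         forged-sender@example.net

5A6B7C8D9E*    1804 Thu Oct 21 10:02:40  alice@example.com
                                         bob@example.org

6B7C8D9E0F!    2290 Thu Oct 21 10:03:05  MAILER-DAEMON
                                         another@example.net

-- 6 Kbytes in 3 Requests.
"""

# mailq marks the queue ID with '*' (active queue) or '!' (hold queue).
STATUS = {"*": "active", "!": "hold"}


def parse_mailq(text):
    """Return one dict per queue entry: id, status, sender, recipients."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blank lines, the header/footer ("-Queue ID-", "-- 6 Kbytes")
        # and the parenthesised delivery-status lines.
        if not stripped or stripped[0] in "-(":
            continue
        if not line[0].isspace():
            # Entry line: id[*!] size weekday month day time sender
            fields = stripped.split()
            if len(fields) < 7:          # e.g. "Mail queue is empty"
                current = None
                continue
            current = {
                "id": fields[0].rstrip("*!"),
                "status": STATUS.get(fields[0][-1], "queued"),
                "sender": fields[6],
                "recipients": [],
            }
            entries.append(current)
        elif current is not None:
            current["recipients"].append(stripped)   # indented recipient line
    return entries


def bounce_ids_to_hold(entries):
    """Queue IDs of bounces that are not already in the hold queue."""
    return [e["id"] for e in entries
            if e["sender"] == "MAILER-DAEMON" and e["status"] != "hold"]


def hold(queue_ids):
    """Hand the IDs to postsuper; with '-' it reads queue IDs from stdin."""
    if queue_ids:
        subprocess.run(["postsuper", "-h", "-"],
                       input="\n".join(queue_ids) + "\n", text=True, check=True)


if __name__ == "__main__":
    listing = subprocess.run(["mailq"], capture_output=True,
                             text=True, check=True).stdout
    ids = bounce_ids_to_hold(parse_mailq(listing))
    if "--apply" in sys.argv[1:]:
        hold(ids)                 # needs the privileges postsuper requires
    else:
        print("\n".join(ids))     # dry run: review the list first
```

Held messages can then be inspected with `postcat -q` and released with `postsuper -H`, as mentioned earlier in the thread.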


Re: can withholding mails ( postsuper -h ... ) help with tens of thousands of spam mails hogging mailq

2010-10-21 Thread Reinaldo de Carvalho
On Thu, Oct 21, 2010 at 10:36 PM, sunhux G  wrote:
>
> Question1:
> --
> Title: tens of thousands of spoof/spam mails hog up mailq :
>    will 'postsuper -h' placed in a crontab help ?
>
> I have a case where tens of thousands of spam & spoof emails jammed up my
> Linux SMTP mail queue (not that I don't have an anti-spam policy but many
> of these mails are innocently/accidentally blasted over by internal
> colleagues):
> mailq | grep MAILER | wc -l    ==> tens of thousands
>
> This caused genuine emails (which is usually a couple hundreds only)
> to queue up & not being processed because it will take forever
> to scan from the top to the end of the mailq with tens of thousands
> of emails.
>
> However, I don't want to delete away those spam/spoof mails, just
> want to move them to somewhere else (say another queue) so that I
> can review & in case there  are genuine ones, I'll redeliver them
> later.
>
> I thought of:
> mailq | grep -i mailer | awk '{print ($1)}' | grep -v "@" >
> listofsuspectmails.txt
>
> for each queue id or mail entry id in listofsuspectmails.txt,  I'll do a
>       postsuper -h entry_id
> to hold the suspect email & after reviewing if I want to release, issue
>       postsuper -H entry_id
>
> Question is :
> are the 'held' mails still something that will be scanned (& thus
> prolonged the scan time) or scanning of mail queue will skip
> 'withheld' mails?  If I have 10 'withheld' emails & they're still
> being scanned, it will defeat this purpose of me withholding the
> mails.
>
> Currently we manually do a " postsuper -d entry_id " to delete away
> emails (which can be automated with a Shell script but I don't want
> to automate deletion as we may delete possibly genuine emails) after
> examining the emails
>
>
> 2nd question:
> --
> Title : Linux OS files that hold postfix incoming & outgoing mails
>
> Does anyone know the equivalent of sendmail's /var/spool/mqueue and
> .../clientqueue  files in postfix?
>
> I plan to use a script to extract out the 'withheld' postfix mails, sieve
> through it & generate out a list of 'withheld' mails to be deleted.  Then
> use a looping Shell script to read thru this list to 'postsuper -d' to
> delete away these 'withheld' mails.  I would like to take a backup of these
> files first, delete the 'withheld' mails & just in case I regret the
> decision later, I can restore back the mail or mail queue files to recover
> them back.
>
>
>

1. You are a backscatter (e.g. accepting email to unknown users).

2. or Some account has been compromised and used to send spam.

3. look at this queue GUI: http://sourceforge.net/dbimage.php?id=215498
(korreio.sf.net)

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"While not fully understand a software, don't try to adapt this
software to the way you work, but rather yourself to the way the
software works" (myself)


Re: can withholding mails ( postsuper -h ... ) help with tens of thousands of spam mails hogging mailq

2010-10-21 Thread Matt Hayes

On 10/21/2010 10:52 PM, Reinaldo de Carvalho wrote:
> 1. You are a backscatter (e.g. accepting email to unknown users).
>
> 2. or Some account has been compromised and used to send spam.
>
> 3. look at this queue GUI: http://sourceforge.net/dbimage.php?id=215498
> (korreio.sf.net)



Nice software, only problem I see is it doesn't work with python-qt4

-Matt


Re: can withholding mails ( postsuper -h ... ) help with tens of thousands of spam mails hogging mailq

2010-10-21 Thread sunhux G
Next question:

Does anyone know the equivalent of sendmail's /var/spool/mqueue and
.../clientqueue  files in postfix?

I plan to use a script to extract out the 'withheld' postfix mails, sieve
through it & generate out a list of 'withheld' mails to be deleted.  Then
use a looping Shell script to read thru this list to 'postsuper -d' to
delete away these 'withheld' mails.  I would like to take a backup of these
files first, delete the 'withheld' mails & just in case I regret the
decision later, I can restore back the mail or mail queue files to recover
them back.

Can those mails that are tagged as "MAILER-DAEMON"   be resumed &
resent to another address - any way to tweak this?

** Lastly, how do I restore the backup files to say another server &
   use postfix to read them


Re: Request for help with redesign of Postfix Configuration File ...

2010-10-21 Thread Christopher Koeber
On Thu, Oct 21, 2010 at 4:52 PM, Jeroen Geilman  wrote:

>
> No.
>
> foo.bar MX 10 foo.bar is unnecessary, as any valid A record can receive
> mail.
> Since foo.bar has to be an A record (you're using it as the MX value) the
> MX record is superfluous.
>
> --
> J.
>
>


I guess I am being overly cautious since when I set up networks I always add
an MX record for the domain to the mail server.

I never knew that if an A record points to the mail host then you don't need
the MX record for said host.

Should I remove the record?

Regards,
Christopher Koeber