Re: Store Mail Headers?
Aaron C. de Bruyn put forth on 11/8/2010 10:50 PM:

> The short question:
> I'm looking for a way to store the headers of every message that passes
> through my postfix system. Any pointers?
> (I've read FAQ #45 and it seems to require me to enter the headers I want
> flagged)

This would be your quickest, most straightforward solution:

always_bcc (default: empty)
    Optional address that receives a "blind carbon copy" of each message
    that is received by the Postfix mail system.

    Note: if mail to the BCC address bounces it will be returned to the
    sender.

    Note: automatic BCC recipients are produced only for new mail. To avoid
    mailer loops, automatic BCC recipients are not generated after Postfix
    forwards mail internally, or after Postfix generates mail itself.

This will copy the entire emails to the specified address. If the target mailbox is in mbox format you can simply write a script to grep the headers you need from the mbox file. Keep two days, two weeks, or two months worth of such email, whatever your time frame needs dictate, then delete the older mails that are no longer needed.

If you make this mbox file an IMAP folder, you can simply access it and search it from your current MUA. You can even make it a shared folder so the entire support staff can perform this function.

If your internet mail volume is high, this mailbox will grow quickly. Storage is cheap, but it would probably be best to keep this mailbox as small as possible to decrease search times.

--
Stan
Re: Postfix client against Windows Exchange server
On 08.11.2010 17:27, Michael Sperber wrote:

> Walter Pinto writes:
>
>> You would probably need to compile SASL with the required auth mechanisms.
>
> Well, the SASL that ships with Mac OS X does have GSSAPI and NTLM
> plugins. They just don't seem to get used.

but you can use saslauthd with imap to ask imap service on exchange for auth

i.e. start saslauthd with

rimap -O ex.ch.nage.serverip

if this is your intention (don't read the whole thread)

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
unknown X-Foo header label in failure template -- ignoring this template
Today I tried to customize a bounce template with an additional X-Foo: blah header, but received the warning message from the bounce daemon:

warning: unknown "X-Foo" header label in failure template -- ignoring this template

Which headers are deemed worthy? Why can't I add an X-anything: header?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Store Mail Headers?
On Mon, Nov 08, 2010 at 08:50:04PM -0800, Aaron C. de Bruyn wrote:

> The short question:
> I'm looking for a way to store the headers of every message that passes
> through my postfix system. Any pointers?
> (I've read FAQ #45 and it seems to require me to enter the headers I want
> flagged)

Logging headers to syslog:

main.cf:
    header_checks = pcre:/etc/postfix/header_checks.pcre

/etc/postfix/header_checks.pcre:
    /^.*/ WARN

Or use always_bcc or recipient_bcc_maps to bcc the entire email to a mailbox.

Devdas Bhagat
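One way to turn the syslog output of such a catch-all WARN rule into a per-message header record, as an added example that is not part of the original posts. The sample lines are constructed, modelled on the cleanup warning line quoted in the "UTF8 header matching problem" thread on this page; the `from host[ip]; from=<...> to=<...>` tail and the names `parse_line` and `collect_headers` are assumptions of this sketch.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Constructed sample syslog lines (example.* names, documentation addresses).
SAMPLE_LOG = """\
Nov  9 13:18:15 zenon postfix/smtpd[11305]: connect from mx.example.net[192.0.2.10]
Nov  9 13:18:16 zenon postfix/cleanup[11310]: 3384E42508017: warning: header Received: from mx.example.net (mx.example.net [192.0.2.10]) by zenon.example.org from mx.example.net[192.0.2.10]; from=<billing@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
Nov  9 13:18:16 zenon postfix/cleanup[11310]: 3384E42508017: warning: header Subject: =?UTF-8?Q?Vos_Factures_arrivant_a_=C3=A9ch=C3=A9ance_-_FR0905249?= from mx.example.net[192.0.2.10]; from=<billing@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
Nov  9 13:19:02 zenon postfix/cleanup[11310]: 4F2A91C00B2: warning: header X-Mailer: ExampleMailer 1.0
"""

# Prefix written by cleanup(8) for a header_checks WARN action.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"\S+/cleanup\[\d+\]:\s(?P<qid>[0-9A-Za-z]+):\s"
    r"warning:\sheader\s(?P<name>[^\s:]+):\s?(?P<rest>.*)$"
)
# Context appended after the header text. The greedy value group makes the
# LAST " from host[ip];" win, so "from" inside a Received: header is kept.
TAIL_RE = re.compile(
    r"^(?P<value>.*)\sfrom\s(?P<client>\S+\[[^\]]+\]);"
    r"\sfrom=<(?P<sender>[^>]*)>\sto=<(?P<rcpt>[^>]*)>"
)


def decode_value(raw):
    """Decode RFC 2047 encoded-words for display; fall back to the raw text."""
    try:
        text = str(make_header(decode_header(raw)))
    except (HeaderParseError, LookupError, UnicodeError):
        return raw
    # Header content is attacker-controlled: neutralise control characters
    # before the value reaches a terminal or another log.
    return "".join(c if c.isprintable() else "?" for c in text)


def parse_line(line):
    """Return a dict for one logged header, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    tail = TAIL_RE.match(m.group("rest"))
    if tail:
        raw, client, sender, rcpt = tail.group("value", "client", "sender", "rcpt")
    else:  # truncated or elided tail: keep everything as the header value
        raw, client, sender, rcpt = m.group("rest"), None, None, None
    return {"qid": m.group("qid"), "name": m.group("name"), "raw": raw,
            "decoded": decode_value(raw), "client": client,
            "sender": sender, "recipient": rcpt}


def collect_headers(lines):
    """Group logged headers by queue ID, in the order they were logged."""
    messages = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = messages.setdefault(rec["qid"], {"client": None, "sender": None,
                                               "recipient": None, "headers": []})
        for key in ("client", "sender", "recipient"):
            if msg[key] is None:
                msg[key] = rec[key]
        msg["headers"].append((rec["name"], rec["raw"], rec["decoded"]))
    return messages


if __name__ == "__main__":
    for qid, msg in collect_headers(SAMPLE_LOG.splitlines()).items():
        print(qid, msg["client"], msg["sender"])
        for name, raw, decoded in msg["headers"]:
            print("   ", name + ":", decoded)
```

The raw value is stored next to the decoded one because header_checks patterns match the header as it was received, not its decoded form.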
postfix and RFC 1912
"Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain. If a host is multi-homed, (more than one IP address) make sure that all IP addresses have a corresponding PTR record (not just the first one)." Apparently, I'm led to believe that postfix in doing lookups only takes the first answer it gets, therefore if DNS returns 2 or more, and the first entry for whatever reason has no record then pf fails the lookup under unknown client hostname. Can someone in the know explain why this is so? (please., no assumptions, there only a couple people on this list with factual knowledge, I'm not interested in foo's opinion, or bars opinion, I'm looking for executive's decisive reason )
Re: postfix and RFC 1912
Nick Edwards:

> "Make sure your PTR and A records match. For every IP address, there should
> be a matching PTR record in the in-addr.arpa domain. If a host is
> multi-homed, (more than one IP address) make sure that all IP addresses have
> a corresponding PTR record (not just the first one)."
>
> Apparently, I'm led to believe that postfix in doing lookups only takes the
> first answer it gets, therefore if DNS returns 2 or more, and the first
> entry for whatever reason has no record then pf fails the lookup under
> unknown client hostname.

Short answer: Postfix isn't going to guess which name to use. DNS is not a lottery. Please configure correct FCRDNS for every name.

Wietse

> Can someone in the know explain why this is so?
> (please., no assumptions, there only a couple people on this list with
> factual knowledge, I'm not interested in foo's opinion, or bars opinion,
> I'm looking for executive's decisive reason )
Re: unknown X-Foo header label in failure template -- ignoring this template
Ralf Hildebrandt:

> Which headers are deemed worthy? Why can't I add an X-anything: header?

RTFM.

BOUNCE(5)                                                        BOUNCE(5)
...
TEMPLATE FILE FORMAT
...
The following headers are supported:
Re: unknown X-Foo header label in failure template -- ignoring this template
* Wietse Venema:

> Ralf Hildebrandt:
> > Which headers are deemed worthy? Why can't I add an X-anything: header?
>
> RTFM.
>
> BOUNCE(5)                                                        BOUNCE(5)
> ...
> TEMPLATE FILE FORMAT
> ...
> The following headers are supported:

Ah OK. Didn't see that, honestly :(

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: couple of doubts about postfix milters
On Tue, Nov 9, 2010 at 10:19 AM, Noel Jones wrote:

> On 11/9/2010 6:18 AM, Lima Union wrote:
>>
>> hi all! as the subject says I have two noob questions:
>> (1) if I configure something like 'smtpd_milters =
>> inet:localhost:10025 inet:localhost:10034' does Postfix respect the
>> order? I mean, will it process the mail in order, first milter then
>> second milter or what? for example, in this case 10025 is the
>> sid-milter and 10034 is the clamav-milter.
>
> Yes, milters are processed in the order specified.
>
>> (2) currently I'm running postgrey (under the
>> 'smtpd_recipient_restrictions' section) but in a new setup I'd like to
>> have this basic order for an Internet relay server: mail from Internet
>> -> sid-milter -> postgrey -> clamav-milter, how can I achieve that? I
>> don't know how Postfix will route internally the message in this case.
>
> The order of internal vs. milter processing is not configurable.
>
> You could switch to a greylist milter, there are several to choose from.
>
> -- Noel Jones

Noel, thanks for your answers.

Last doubt, as far as I understand from the documentation, the milter processing happens in smtpd(8) before the 'smtpd_recipient_restrictions' (cleanup(8)) check. Thus if I keep my current configuration for my new setup, using smtpd_milters and postgrey (under 'smtpd_recipient_restrictions') I'll have the following routing: mail from Internet -> sid-milter -> clamav-milter -> all the smtpd_recipient_restrictions included postgrey, is this correct? I think that this isn't the optimal solution because the milter checks occur before smtpd_recipient_restrictions where a lot of client/envelope/rbl/etc cleanup is done. I'll be checking for viruses from clients that don't even send a proper ehlo, etc, thus consuming cpu resources.

Thanks for any comment about this.

Regards,
LU
Re: UTF8 header matching problem
On Tue, Nov 09, 2010 at 03:52:33PM +0100, Louis-David Mitterrand wrote:

> On Tue, Nov 09, 2010 at 09:44:55AM -0500, Victor Duchovni wrote:
> > On Tue, Nov 09, 2010 at 03:37:33PM +0100, Louis-David Mitterrand wrote:
> >
> > > I get a match from postmap. Yet postfix does not block the message...
> >
> > You have disabled header checks via "receive_override_options" or by
> > overriding "header_checks" in master.cf, ...
>
> I have neither of those in my config. Other rules in the same
> header_checks file work fine.

Well, there is no magic. Some earlier rule may be matching this header, or your header checks are not what you think they are, or they are disabled or the header is subtly different from your pattern.

--
Viktor.
Re: postfix and RFC 1912
Nick Edwards put forth on 11/9/2010 4:33 AM:

> "Make sure your PTR and A records match. For every IP address, there should
> be a matching PTR record in the in-addr.arpa domain. If a host is
> multi-homed, (more than one IP address) make sure that all IP addresses have
> a corresponding PTR record (not just the first one)."
>
> Apparently, I'm led to believe that postfix in doing lookups only takes the
> first answer it gets, therefore if DNS returns 2 or more, and the first
> entry for whatever reason has no record then pf fails the lookup under
> unknown client hostname.

Note that RFC 1912 text refers to a multi-homed computer, NOT a computer with one IP address with multiple PTR records. You are drawing a false conclusion WRT Postfix' behavior regarding RFC 1912. In the RFC 1912 scenario above, Postfix behaves correctly.

The case you are describing, multiple PTRs per IP address, is not covered in RFC, TTBOMK. There is no requirement nor recommendation for the multiple PTR record scenario.

--
Stan
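An audit of the condition asked for in the replies above ("correct FCRDNS for every name"), as an added example that is not part of the original posts and not Postfix code. It covers both cases the thread distinguishes: a multi-homed host with one PTR per address, and a single address carrying several PTR names. The zone data is constructed, and the lookup functions are injected so the check runs offline; wiring them to a real resolver is left as an assumption.

```python
import ipaddress

# Constructed zone data using documentation ranges; none of it is from the thread.
PTR_RECORDS = {
    # Multi-homed host: both addresses point back at the same name.
    "10.2.0.192.in-addr.arpa": ["mail.example.org."],
    "11.2.0.192.in-addr.arpa": ["mail.example.org."],
    # One address, two PTR names; the first has no forward record at all.
    "20.2.0.192.in-addr.arpa": ["old-name.example.org.", "mx2.example.org."],
    # PTR exists, but the name resolves to a different address.
    "30.2.0.192.in-addr.arpa": ["relay.example.org."],
}
ADDRESS_RECORDS = {
    "mail.example.org.": ["192.0.2.10", "192.0.2.11"],
    "mx2.example.org.": ["192.0.2.20"],
    "relay.example.org.": ["192.0.2.99"],
}


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def table_lookup(table):
    """Build a lookup function over a dict of records (stand-in for a resolver)."""
    normalized = {_norm(key): values for key, values in table.items()}
    return lambda name: normalized.get(_norm(name), [])


def check_fcrdns(ip, ptr_lookup, addr_lookup):
    """Forward-confirm every PTR name of one address.

    Verdict is "ok" only when each PTR name resolves back to the address,
    so the result does not depend on the order in which DNS returns names.
    """
    addr = ipaddress.ip_address(ip)
    per_name = {}
    for name in ptr_lookup(addr.reverse_pointer):
        forward = set()
        for text in addr_lookup(name):
            try:
                forward.add(ipaddress.ip_address(text))
            except ValueError:
                continue  # ignore malformed address data
        if not forward:
            per_name[_norm(name)] = "no-forward-record"
        elif addr in forward:
            per_name[_norm(name)] = "confirmed"
        else:
            per_name[_norm(name)] = "forward-mismatch"
    if not per_name:
        verdict = "no-ptr"
    elif all(status == "confirmed" for status in per_name.values()):
        verdict = "ok"
    else:
        verdict = "broken"
    return {"ip": str(addr), "verdict": verdict, "names": per_name}


def audit(ips, ptr_lookup, addr_lookup):
    """Return only the addresses whose reverse/forward data needs fixing."""
    reports = (check_fcrdns(ip, ptr_lookup, addr_lookup) for ip in ips)
    return [report for report in reports if report["verdict"] != "ok"]


if __name__ == "__main__":
    ptr, fwd = table_lookup(PTR_RECORDS), table_lookup(ADDRESS_RECORDS)
    for report in audit(["192.0.2.10", "192.0.2.11", "192.0.2.20",
                         "192.0.2.30", "192.0.2.40"], ptr, fwd):
        print(report["ip"], report["verdict"], report["names"])
```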
Re: unknown X-Foo header label in failure template -- ignoring this template
* Stan Hoeppner:

> > Ah OK. Didn't see that, honestly :(
>
> I think Ralf's body has been taken over by some alien entity Postfix
> nub. A coauthor of "The Book of Postfix" shouldn't be asking so many
> questions of late, but answering them. :)

In my defense: I'm having a bad cold!

> /me peers into Ralf's noggin, looks around, raps on the skull: "Knock,
> knock. Ralf, you in there? Hello?" Where did Ralf go? ;)

Yuk Yuk!

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: ot: iphone setup for smtp-auth self certified
On 11/8/10 8:45 PM, Victor Duchovni at victor.ducho...@morganstanley.com wrote:

> On Mon, Nov 08, 2010 at 07:32:25PM -0600, Vernon A. Fort wrote:
>
>> On Tue, 2010-11-09 at 11:53 +1100, Voytek Eymont wrote:
>>> On Tue, November 9, 2010 11:35 am, Larry Stone wrote:
>>>
>>>> There are plenty of instructions out there; try searching for "iphone
>>>> install certificate". But in short, e-mail the certificate to your
>>>> iphone and then double-"click" it just like opening any other
>>>> attachment. The iPhone will then open an "install certificate" dialog.
>>>
>>> do I simply send the '/etc/postfix/tls/smtpd.crt' file 'as is',
>>> is that the one ?
>>
>> or create a pkcs12
>
> NO, NO, NO!
>
> A pkcs12 file carries both the private key and the certificate, in
> this case the phone needs only a public certificate to add to its trust
> chain. It MUST NOT have access to the server's private key.
>
> Please don't answer questions in areas where your expertise is very
> limited...

Victor correctly points out that you should not answer where your expertise is very limited (which applies to me regarding certificates) but since I was following the instructions of (I hope) experts when I did it, those instructions had me send the public root (self-signed certificate authority) certificate to the phone (and other clients that would be accessing the server). I suspect there is more than one way to do it. But I'd wait until someone else says that's a valid way as well and that I haven't created a security mess.

--
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/
Re: status=bounced (Command time limit exceeded: "/usr/bin/procmail")
--- On Mon, 11/8/10, Sahil Tandon wrote:

> From: Sahil Tandon
> Subject: Re: status=bounced (Command time limit exceeded: "/usr/bin/procmail")
> To: postfix-users@postfix.org
> Date: Monday, November 8, 2010, 8:35 PM
>
> On Mon, 2010-11-08 at 19:15:42 -0800, Pablo Chamorro wrote:
>
> > When I do a simple: 'echo hello | mail -s test myuser', it goes to the
> > Postfix queue and after some time, it gets bounced, but it seems also
> > the email gets to the inbox too.
> >
> > Nov 8 18:48:35 correo postfix/local[11453]: 88CAF2D6A74: to=, relay=local, delay=1000, delays=0.27/0.05/0/1000, dsn=5.3.0, status=bounced (Command time limit exceeded: "/usr/bin/procmail")
> >
> > Could you please tell me if there is a solution different to reduce
> > the size of the inbox file? Is there a 'physical' limit in the inbox
> > file size even having mailbox_size_limit = 0? What might be the cause
> > of my problem? I have postfix-2.3.3-2.1.el5_2 under CentOS 5.4 and
> > ext3 as filesystem.
>
> You appear to have a procmail problem. And by the way, Postfix 2.3 is
> no longer updated, so consider upgrading.
>
> --
> Sahil Tandon

Thank you for the advice and the answer.

Pablo
Re: couple of doubts about postfix milters
On 11/9/2010 6:18 AM, Lima Union wrote:

> hi all! as the subject says I have two noob questions:
> (1) if I configure something like 'smtpd_milters =
> inet:localhost:10025 inet:localhost:10034' does Postfix respect the
> order? I mean, will it process the mail in order, first milter then
> second milter or what? for example, in this case 10025 is the
> sid-milter and 10034 is the clamav-milter.

Yes, milters are processed in the order specified.

> (2) currently I'm running postgrey (under the
> 'smtpd_recipient_restrictions' section) but in a new setup I'd like to
> have this basic order for an Internet relay server: mail from Internet
> -> sid-milter -> postgrey -> clamav-milter, how can I achieve that? I
> don't know how Postfix will route internally the message in this case.

The order of internal vs. milter processing is not configurable.

You could switch to a greylist milter, there are several to choose from.

-- Noel Jones
Rewrite sender based on from:
Hi and thanks for your reply,

What does it take to write a content filter that does this and will it slow down the postfix server? I guess that all messages has to go pass the filter. It's about 100 shared mailboxes and 300 senders and I know which users that sends from the shared mailboxes.

Any pointers in the right direction is appreciated.

Best regards
Lennart Johansson

>>> mouss 2010-11-07 17:22 >>>
On 07/11/2010 12:09, Lennart Johansson wrote:

> Hi all,
>
> I have a Postfix server doing relaying for a Lotus Domino system, some (domino)users have their own mailbox + a shared mailbox with its own mail address.
> From time to time users sends mail from the shared mailbox and the mail header look like this
>
> sender: u...@domain.com
> from: shared-m...@domain.com
> return-path: u...@domain.com
>
> There is nothing strange about this, and most of the time it works just fine. But if possible I would like to change return-path to the value of from field so that if somebody replies to a mail (or there is a bounce) the mail ends up in the shared mailbox and not in the sending users mailbox.
> Does anybody have any suggestions how to accomplish this in postfix?

In principle, reply goes to the From: header address (or reply-to if present). so you shouldn't have problems with replies.

Bounces go the envelope-sender however. to change the envelope sender based on headers, you'll need to write a content filter that does so. But is it worth the pain?

--
This message has been checked for viruses and harmful content and is believed to be safe.
Click here to report it as SPAM.
http://mail.lj-teknik.se/cgi-bin/learn-msg.cgi?=B316027EF9.A29A3
couple of doubts about postfix milters
hi all! as the subject says I have two noob questions:

(1) if I configure something like 'smtpd_milters = inet:localhost:10025 inet:localhost:10034' does Postfix respect the order? I mean, will it process the mail in order, first milter then second milter or what? for example, in this case 10025 is the sid-milter and 10034 is the clamav-milter.

(2) currently I'm running postgrey (under the 'smtpd_recipient_restrictions' section) but in a new setup I'd like to have this basic order for an Internet relay server: mail from Internet -> sid-milter -> postgrey -> clamav-milter, how can I achieve that? I don't know how Postfix will route internally the message in this case.

Thanks in advance.
LU
Re: unknown X-Foo header label in failure template -- ignoring this template
Ralf Hildebrandt put forth on 11/9/2010 4:50 AM:

> * Wietse Venema:
>> Ralf Hildebrandt:
>>> Which headers are deemed worthy? Why can't I add an X-anything: header?
>>
>> RTFM.
>>
>> BOUNCE(5)                                                        BOUNCE(5)
>> ...
>> TEMPLATE FILE FORMAT
>> ...
>> The following headers are supported:
>
> Ah OK. Didn't see that, honestly :(

I think Ralf's body has been taken over by some alien entity Postfix nub. A coauthor of "The Book of Postfix" shouldn't be asking so many questions of late, but answering them. :)

/me peers into Ralf's noggin, looks around, raps on the skull: "Knock, knock. Ralf, you in there? Hello?" Where did Ralf go? ;)

--
Stan
Re: unknown X-Foo header label in failure template -- ignoring this template
Quoting Ralf Hildebrandt:

> * Stan Hoeppner:
>
>>> Ah OK. Didn't see that, honestly :(
>>
>> I think Ralf's body has been taken over by some alien entity Postfix
>> nub. A coauthor of "The Book of Postfix" shouldn't be asking so many
>> questions of late, but answering them. :)
>
> In my defense: I'm having a bad cold!

Never work when being ill. You spend a lot of your valuable health time later on to debug the mess you have done with medicine clouded head...

Been there, done that, never again ;-)

Regards
Andreas
Re: Do NOT try rDNS Whitelisting
On Tue, Nov 09, 2010 at 03:34:09AM -, John Levine wrote:

> >Does it make sense in your view to use the "From:" domain to sign
> >*all* mail, and not add that domain to the DNSWL, while reserving
> >a sub-domain (that never matches "From:") for the good senders, and
> >applying a *second* signature for the "transactional" mail, so that
> >the transactional stuff is whitelisted by DNSWL users, and the
> >"From:" header authentication nuts get what they want also?
>
> Sure. It's a deliberate part of DKIM's design that you can apply
> multiple signatures. In my tiny system, I put a d=iecc.com signature
> on all the individual mail, and also a d= signature on mail
> where the From: line has an address in a domain for which I have a
> signing key.
>
> I use d=lists.iecc.com for mailing list mail, to make that a separate
> stream, not eligible for the SWL but pretty clean anyway.
>
> Using different signatures to separate out interestingly different
> streams, e.g., transactions, lists, and humans, is just how it's
> supposed to work.

Sadly, the opendkim library does not support applying two signatures in parallel (set up two signing contexts, pass the message content through once, get two signatures). So I have to pass the message through the library twice, to apply two signatures. Not a show-stopper, but annoying.

--
Viktor.
Re: UTF8 header matching problem
On Tue, Nov 09, 2010 at 09:44:55AM -0500, Victor Duchovni wrote:

> On Tue, Nov 09, 2010 at 03:37:33PM +0100, Louis-David Mitterrand wrote:
>
> > I get a match from postmap. Yet postfix does not block the message...
>
> You have disabled header checks via "receive_override_options" or by
> overriding "header_checks" in master.cf, ...

I have neither of those in my config. Other rules in the same header_checks file work fine.

Thanks for trying anyway,
Re: UTF8 header matching problem
On Tue, Jul 20, 2010 at 12:29:09PM -0400, Victor Duchovni wrote:

> On Tue, Jul 20, 2010 at 10:14:01AM +0200, Louis-David Mitterrand wrote:
>
> > I can't seem to get postfix to match that header:
> >
> > Subject: =?UTF-8?Q?Vos_Factures_arrivant_a_=C3=A9ch=C3=A9ance_-_FR0905249?=
> >
> > with this /etc/postfix/header_check entry (PCRE):
> >
> > /^(Subject: =\?UTF-8\?Q\?Vos_Factures_arrivant_a_=C3=A9ch=C3=A9ance_-_FR0905249\?=)/ REJECT
> >
> > yet a:
> >
> > postmap -q 'Subject: =?UTF-8?Q?Vos_Factures_arrivant_a_=C3=A9ch=C3=A9ance_-_FR0905249?=' /etc/postfix/header_check
> >
> > does match.
>
> The subject probably gets RFC2049 (re-)encoded by an MTA between your
> Postfix server and mailbox server. You need to record the original
> Subject, perhaps by putting the message on HOLD or otherwise capturing
> a copy before delivery to other MTAs.

The original subject is:

Nov 9 13:18:16 zenon postfix/cleanup[11310]: 3384E42508017: warning: header Subject: =?UTF-8?Q?Vos_Factures_arrivant_a_=C3=A9ch=C3=A9ance_-_FR0905249?= from ..

and there is no other postfix involved.

> > Does postfix first decode the =?UTF-8? before matching? or did I miss
> > something else?
>
> No, Postfix does not decode the subject.

Using the _exact_ header displayed by postfix in its header 'warning':

ZENON:~# postmap -q 'Subject: =?UTF-8?Q?Vos_Factures_arrivant_a_=C3=A9ch=C3=A9ance_-_FR0905249?=' pcre:/etc/postfix/header_access_local
REJECT nous savons gérer nos échéances!

I get a match from postmap. Yet postfix does not block the message...

Why?
Re: UTF8 header matching problem
On Tue, Nov 09, 2010 at 03:37:33PM +0100, Louis-David Mitterrand wrote:

> I get a match from postmap. Yet postfix does not block the message...

You have disabled header checks via "receive_override_options" or by overriding "header_checks" in master.cf, ...

--
Viktor.
Re: unknown X-Foo header label in failure template -- ignoring this template
* lst_ho...@kwsoft.de:

> Never work when being ill. You spend a lot of your valuable health
> time later on to debug the mess you have done with medicine clouded
> head...

No medicine, I merely infect the coworkers.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: ot: iphone setup for smtp-auth self certified
On Tue, Nov 09, 2010 at 06:39:15AM -0600, Larry Stone wrote:

> > NO, NO, NO!
> >
> > A pkcs12 file carries both the private key and the certificate, in
> > this case the phone needs only a public certificate to add to its trust
> > chain. It MUST NOT have access to the server's private key.
> >
> > Please don't answer questions in areas where your expertise is very
> > limited...
>
> Victor correctly points out that you should not answer where your expertise
> is very limited (which applies to me regarding certificates) but since I was
> following the instructions of (I hope) experts when I did it, those
> instructions had me send the public root (self-signed certificate authority)
> certificate to the phone (and other clients that would be accessing the
> server). I suspect there is more than one way to do it. But I'd wait until
> someone else says that's a valid way as well and that I haven't created a
> security mess.

Don't confuse certificates (signed bindings of a public key to a subject identifier) with private keys and/or key-pairs that consist of a private key plus an associated certificate.

There is nothing wrong with distributing CA certificates, or even leaf certificates (sans keys) to parties other than the key holder. It is quite wrong to send your key-pair (that's what a pkcs12 container holds) to someone who merely needs to be able to authenticate (rather than impersonate) you.

--
Viktor.
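A pre-distribution check for the distinction drawn above, as an added example that is not part of the original posts: it inspects the bytes of a file about to be mailed to a client and refuses anything that carries a private key or looks like a PKCS#12 container. The DER checks are heuristics based on the leading ASN.1 bytes only, the function names are assumptions of this sketch, and the sample inputs are constructed placeholders, not real key material.

```python
import re

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

# Constructed placeholders: the base64 bodies are dummy text, not certificates
# or keys, and the DER samples contain only the leading bytes being inspected.
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
                   b"-----END CERTIFICATE-----\n")
SAMPLE_KEYPAIR_PEM = SAMPLE_CERT_PEM + (
    b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n")
SAMPLE_PKCS12_DER = bytes.fromhex("30820010020103") + b"\x30" + b"\x00" * 12
SAMPLE_CERT_DER = bytes.fromhex("308200103082000c") + b"\x00" * 12
SAMPLE_KEY_DER = bytes.fromhex("30820010020100") + b"\x00" * 13


def _first_element_offset(data):
    """Offset of the first element inside an outer DER SEQUENCE, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    length_byte = data[1]
    if length_byte < 0x80:           # short-form length
        return 2
    count = length_byte & 0x7F       # long form: number of length bytes
    if count == 0 or count > 4 or len(data) < 2 + count:
        return None
    return 2 + count


def classify(data):
    """Describe what a file contains, from PEM labels or leading DER bytes."""
    labels = [label.decode("ascii") for label in PEM_BEGIN.findall(data)]
    if labels:
        return {"format": "pem", "labels": labels,
                "has_certificate": "CERTIFICATE" in labels,
                "has_private_key": any(l.endswith("PRIVATE KEY") for l in labels)}
    offset = _first_element_offset(data)
    head = data[offset:offset + 3] if offset is not None else b""
    if head == b"\x02\x01\x03":
        # PFX structures start with INTEGER version 3; treated as a key-pair
        # container, as the reply above describes pkcs12 files.
        return {"format": "pkcs12", "labels": [],
                "has_certificate": True, "has_private_key": True}
    if head[:2] == b"\x02\x01" and head[2:3] in (b"\x00", b"\x01"):
        # Heuristic: bare private-key encodings begin with a small version INTEGER.
        return {"format": "der-private-key", "labels": [],
                "has_certificate": False, "has_private_key": True}
    if head[:1] == b"\x30":
        # Heuristic: an X.509 certificate starts with a nested SEQUENCE.
        return {"format": "der-certificate", "labels": [],
                "has_certificate": True, "has_private_key": False}
    return {"format": "unknown", "labels": [],
            "has_certificate": False, "has_private_key": False}


def safe_to_distribute(data):
    """True only for files that hold a certificate and no private key."""
    info = classify(data)
    return info["has_certificate"] and not info["has_private_key"]


if __name__ == "__main__":
    samples = {"cert.pem": SAMPLE_CERT_PEM, "keypair.pem": SAMPLE_KEYPAIR_PEM,
               "bundle.p12": SAMPLE_PKCS12_DER, "cert.der": SAMPLE_CERT_DER,
               "key.der": SAMPLE_KEY_DER}
    for name, blob in samples.items():
        print(name, classify(blob)["format"], safe_to_distribute(blob))
```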
Re: couple of doubts about postfix milters
On 11/9/2010 8:39 AM, Lima Union wrote:

> On Tue, Nov 9, 2010 at 10:19 AM, Noel Jones wrote:
>> On 11/9/2010 6:18 AM, Lima Union wrote:
>>>
>>> hi all! as the subject says I have two noob questions:
>>> (1) if I configure something like 'smtpd_milters =
>>> inet:localhost:10025 inet:localhost:10034' does Postfix respect the
>>> order? I mean, will it process the mail in order, first milter then
>>> second milter or what? for example, in this case 10025 is the
>>> sid-milter and 10034 is the clamav-milter.
>>
>> Yes, milters are processed in the order specified.
>>
>>> (2) currently I'm running postgrey (under the
>>> 'smtpd_recipient_restrictions' section) but in a new setup I'd like to
>>> have this basic order for an Internet relay server: mail from Internet
>>> -> sid-milter -> postgrey -> clamav-milter, how can I achieve that? I
>>> don't know how Postfix will route internally the message in this case.
>>
>> The order of internal vs. milter processing is not configurable.
>>
>> You could switch to a greylist milter, there are several to choose from.
>>
>> -- Noel Jones
>
> Noel, thanks for your answers.
> Last doubt, as far as I understand from the documentation, the milter
> processing happens in smtpd(8) before the
> 'smtpd_recipient_restrictions' (cleanup(8)) check. Thus if I keep my
> current configuration for my new setup, using smtpd_milters and
> postgrey (under 'smtpd_recipient_restrictions') I'll have the
> following routing: mail from Internet -> sid-milter -> clamav-milter
> -> all the smtpd_recipient_restrictions included postgrey, is this
> correct? I think that this isn't the optimal solution because the
> milter checks occur before smtpd_recipient_restrictions where a lot of
> client/envelope/rbl/etc cleanup is done.

clamav-milter operates on the message data, so all postfix smtpd_*_restrictions -- which operate on the envelope -- will get a chance to reject mail before the data is transmitted.

sid-milter operates on the envelope. It will probably run before smtpd_recipient_restrictions, but that's not such a big deal since it's a fairly lightweight process (minimal CPU, but it does trigger a DNS lookup).

Now that I've had more coffee and can think better, this modifies the answer I gave earlier -- even though you can't specify sid-milter > greylist > clamav-milter, that's how it will effectively run.

-- Noel Jones

> I'll be checking for viruses
> from clients that don't even send a proper ehlo, etc, thus consuming
> cpu resources.
>
> Thanks for any comment about this.
> Regards, LU
Re: postfix and thousands unix user
Stan Hoeppner wrote:

> ahmad riza h nst put forth on 11/8/2010 3:05 AM:
>
>> our hardware is hp dl180 g6 (a xeon quad core + raid 1 + 4G ram)
>
> Ok, that answers one of my previous questions.
>
> This system isn't nearly strong enough for thousands of users.

IBTD. I had PII/450 with ~768M of RAM, and a single 40G IDE hard drive handling about 250+ accounts (POP+IMAP+webmail, SSL and non) plus passthrough outbound mail filtering for the other ~1300 accounts on the main Novell mail system at peak. Running sendmail. (Admittedly, by that point, it *was* pretty much at its limit... and that *was* with SpamAssassin 2.6 - it took me a while to shuffle around the available hardware enough to be able to upgrade to 3.0 due to the memory demands.)

Performance was by no means spectacular at peak, but after tuning and fiddling for a while as new accounts got added and performance problems showed up, it worked well enough that there was rarely much delay on inbound mail processing.

That said... Yeah, upgrade the hardware now - I'd even say go for more than 8G of RAM if you can stuff it in, because if you're running a memory hog like SpamAssassin on the same machine as your core mail daemons and webmail, you'll need it sooner or later - and going into swap when running something like SA is a good way to cause *everything* to slow to a halt.

-kgd
Permissions issue with virtual maildirs
Hi there!

I run Postfix on CentOS 5.5 with virtual domains. Mail is supposed to be delivered to maildirs. Everything worked with a sendmail/mbox setup for the same domain, so MX issues can be eliminated immediately :)

I'm trying to set up a virtual mail hosting on a testing machine, following the tutorial at: http://howtoforge.net/linux_postfix_virtual_hosting

Here's the issue. Message file cannot be written to tmp folder because of "Permission denied". Needless to say, both ownerships and permissions were checked by hand descending from base (/var/spool/vmail) to the bottom. To check misspelled directory names, I've copied the full path and run

#cd /var/spool/vmail/minu.biz/toomas/tmp/

- worked fine. I've even tried to chmod -R 0777 /var/spool/vmail (it is a testing machine), but even then I've got the very same "Permission denied". Disabling SELinux didn't work either. Maildirs WERE created in advance, exactly as the message suggests.

It's late, and I'm running out of ideas. Please, help.

Excerpt from maillog:

Nov 9 18:27:45 rh2 postfix/smtpd[5139]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Nov 9 18:27:45 rh2 postfix/smtpd[5139]: connect from smtp-out.neti.ee[194.126.126.41]
Nov 9 18:27:46 rh2 postfix/smtpd[5139]: 0028C1F494: client=smtp-out.neti.ee[194.126.126.41]
Nov 9 18:27:46 rh2 postfix/cleanup[5143]: 0028C1F494: message-id=<1f1c29e7-c1cd-4eff-907a-42bd5f491...@vendelin.com>
Nov 9 18:27:46 rh2 postfix/smtpd[5139]: disconnect from smtp-out.neti.ee[194.126.126.41]
Nov 9 18:27:46 rh2 postfix/qmgr[4738]: 0028C1F494: from=, size=1507, nrcpt=1 (queue active)
Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: maildir access problem for UID/GID=5000/5000: create maildir file /var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com: Permission denied
Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: perhaps you need to create the maildirs in advance
Nov 9 18:27:46 rh2 postfix/virtual[5144]: 0028C1F494: to=, relay=virtual, delay=0.07, delays=0.05/0.01/0/0.01, dsn=4.2.0, status=deferred (maildir delivery failed: create maildir file /var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com: Permission denied)

Output of postconf -n:

command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
inet_interfaces = all
mail_owner = postfix
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = $myhostname
myhostname = rh2.tere.com
mynetworks = 192.168.50.0/24
myorigin = $mydomain
queue_directory = /var/spool/postfix
relay_domains = $mydestination
virtual_alias_maps = hash:/etc/postfix/valias
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_uid_maps = static:5000
solved - Re: status=bounced (Command time limit exceeded: "/usr/bin/procmail")
--- On Mon, 11/8/10, Sahil Tandon wrote:

> From: Sahil Tandon
> Subject: Re: status=bounced (Command time limit exceeded: "/usr/bin/procmail")
> To: postfix-users@postfix.org
> Date: Monday, November 8, 2010, 8:35 PM
>
> On Mon, 2010-11-08 at 19:15:42 -0800, Pablo Chamorro wrote:
>
> > When I do a simple: 'echo hello | mail -s test myuser', it goes to the
> > Postfix queue and after some time, it gets bounced, but it seems also
> > the email gets to the inbox too.
> >
> > Nov 8 18:48:35 correo postfix/local[11453]: 88CAF2D6A74: to=, relay=local, delay=1000, delays=0.27/0.05/0/1000, dsn=5.3.0, status=bounced (Command time limit exceeded: "/usr/bin/procmail")
> >
> > Could you please tell me if there is a solution different to reduce
> > the size of the inbox file? Is there a 'physical' limit in the inbox
> > file size even having mailbox_size_limit = 0? What might be the cause
> > of my problem? I have postfix-2.3.3-2.1.el5_2 under CentOS 5.4 and
> > ext3 as filesystem.
>
> You appear to have a procmail problem. And by the way, Postfix 2.3 is
> no longer updated, so consider upgrading.
>
> --
> Sahil Tandon

This problem happened yesterday night. Today it seems it's ok, although nothing was done.

Thank you very much,

Pablo Chamorro
Re: couple of doubts about postfix milters
>> Last doubt, as far as I understand from the documentation, the milter >> processing happends in smtpd(8) before the >> 'smtpd_recipient_restrictions' (cleanup(8)) check. Thus if I keep my >> current configuration for my new setup, using smtpd_milters and >> postgrey (under 'smtpd_recipient_restrictions') I'll have the >> following routing: mail from Internet -> sid-milter -> clamav-milter >> -> all the smtpd_recipient _restrictions included postgrey, is this >> correct? I think that this isn't the optimal solution because the >> milter checks occur before smtpd_recipient_restrictions where a lot of >> client/envelope/rbl/etc cleanup is done. > > clamav-milter operates on the message data, so all postfix > smtpd_*_restrictions -- which operate on the envelope -- will get a chance > to reject mail before the data is transmitted. > > sid-milter operates on the envelope. It will probably run before > smtpd_recipient_restrictions, but that's not such a big deal since it's a > fairly lightweight process (minimal CPU, but it does trigger a DNS lookup). > > Now that I've had more coffee and can think better, this modifies the answer > I gave earlier -- even though you can't specify sid-miler > greylist > > clamav-milter, that's how it will effectively run. > > > -- Noel Jones > >> I'll be checking for viruses >> from clients that don't even send a proper ehlo, etc, thus consuming >> cpu resources. >> >> Thanks for any comment about this. >> Regards, LU > > Thanks Noel for your explanation, now it's clear. Best regards, LU.
Re: couple of doubts about postfix milters
Noel Jones wrote:
> On 11/9/2010 8:39 AM, Lima Union wrote:
>
> clamav-milter operates on the message data, so all postfix
> smtpd_*_restrictions -- which operate on the envelope -- will get a chance
> to reject mail before the data is transmitted.
>
> sid-milter operates on the envelope. It will probably run before
> smtpd_recipient_restrictions, but that's not such a big deal since it's a
> fairly lightweight process (minimal CPU, but it does trigger a DNS lookup).

Not sure. The MTA sequentially calls each milter at each SMTP step.

See :

https://www.milter.org/developers/overview#ControlFlow

So, e.g., for each recipient, postfix will call each milter one after the other.

However, I don't know if postfix checks smtpd_recipient_restrictions before calling milters or after. I suppose before, but I'm not sure. Wietse ???

José-Marcio

> Now that I've had more coffee and can think better, this modifies the answer
> I gave earlier -- even though you can't specify sid-milter > greylist >
> clamav-milter, that's how it will effectively run.
Re: couple of doubts about postfix milters
"Jose-Marcio Martins da Cruz" wrote:

>Noel Jones wrote:
>> On 11/9/2010 8:39 AM, Lima Union wrote:
>>
>> clamav-milter operates on the message data, so all postfix
>> smtpd_*_restrictions -- which operate on the envelope -- will get a
>> chance to reject mail before the data is transmitted.
>>
>> sid-milter operates on the envelope. It will probably run before
>> smtpd_recipient_restrictions, but that's not such a big deal since it's
>> a fairly lightweight process (minimal CPU, but it does trigger a DNS
>> lookup).
>
>Not sure. The MTA sequentially calls each milter at each SMTP step.
>
>See :
>
> https://www.milter.org/developers/overview#ControlFlow
>
>So, e.g., for each recipient, postfix will call each milter one after
>the other.
>
>However, I don't know if postfix checks smtpd_recipient_restrictions
>before calling milters or after. I suppose before, but I'm not sure.
>Wietse ???
>
>José-Marcio
>
>> Now that I've had more coffee and can think better, this modifies the
>> answer I gave earlier -- even though you can't specify sid-milter >
>> greylist > clamav-milter, that's how it will effectively run.

On a related note, I think sid-milter does Sender ID normally and that needs the body of the message as it doesn't operate on the envelope.

Scott K
Re: couple of doubts about postfix milters
On Tue, Nov 09, 2010 at 06:30:51PM +0100, Jose-Marcio Martins da Cruz wrote:

> Noel Jones wrote:
>> On 11/9/2010 8:39 AM, Lima Union wrote:
>
>> clamav-milter operates on the message data, so all postfix
>> smtpd_*_restrictions -- which operate on the envelope -- will get a chance
>> to reject mail before the data is transmitted.
>> sid-milter operates on the envelope. It will probably run before
>> smtpd_recipient_restrictions, but that's not such a big deal since it's a
>> fairly lightweight process (minimal CPU, but it does trigger a DNS
>> lookup).
>
> Not sure. The MTA sequentially calls each milter at each SMTP step.
>
> See :
>
> https://www.milter.org/developers/overview#ControlFlow
>
> So, e.g., for each recipient, postfix will call each milter one after the
> other.
>
> However, I don't know if postfix checks smtpd_recipient_restrictions before
> calling milters or after. I suppose before, but I'm not sure. Wietse ???

The "RCPT TO" command is passed to the milter after Postfix restriction processing. Even rejected commands are passed to milters, but the milter is informed that the command (recipient) is rejected.

-- Viktor.
Re: couple of doubts about postfix milters
Victor Duchovni wrote:

>> However, I don't know if postfix checks smtpd_recipient_restrictions before
>> calling milters or after. I suppose before, but I'm not sure. Wietse ???
>
> The "RCPT TO" command is passed to the milter after Postfix restriction
> processing. Even rejected commands are passed to milters, but the
> milter is informed that the command (recipient) is rejected.

Thanks for confirming this. Yes, this is something I asked for. This allows me to count, inside the milter, how many errors the client did.

--
Postfix multi instance
Hello,

I have a server running with two instances of Postfix named postfix-in and postfix-out however when I enter the following command

# postfix status
postfix-in/postfix-script: the Postfix mail system is running: PID: 1241
postfix-in/postfix-script: the Postfix mail system is running: PID: 1241
outgoing/postfix-script: the Postfix mail system is running: PID: 1242

here is the last line of main.cf in /usr/local/etc/postfix-in

content_filter=smtp-amavis:[127.0.0.1]:10024
alternate_config_directories = /usr/local/etc/postfix-out
multi_instance_name = postfix-in
multi_instance_wrapper = ${command_directory}/postmulti -p --
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_directories = /usr/local/etc/postfix /usr/local/etc/postfix-out

And main.cf of /usr/local/etc/postfix-out

syslog_name = outgoing
multi_instance_name = postfix-out
multi_instance_wrapper = ${command_directory}/postmulti -p --
multi_instance_enable = yes
multi_instance_directories = /usr/local/etc/postfix-out
multi_instance_group = mta

It looks like I'm running postfix-out twice but I can't find the way to fix it.

Please help!,
Thanks,
Motty
Re: override mx records
Noel Jones wrote: http://www.postfix.org/postconf.5.html#transport_maps Thank you. I know this is an "rtfm" type of question but I appreciate the pointer, just was short on time to figure it out myself. Thanks, Jeroen -- http://goldmark.org/jeff/stupid-disclaimers/ http://linuxmafia.com/~rick/faq/plural-of-virus.html
Re: Permissions issue with virtual maildirs
On 11/09/2010 06:15 PM, Toomas Vendelin wrote:

> Hi there! I run Postfix on CentOS 5.5 with virtual domains. Mail is
> supposed to be delivered to maildirs.

Don't you mean "I have configured postfix to deliver to maildirs". If that's not what you mean, it's an unwarranted - and quite dangerous - assumption.

> Everything worked with a sendmail/mbox setup for the same domain, so MX
> issues can be eliminated immediately :)

I never considered MX issues until you brought them up - you haven't mentioned any issue yet.

> I'm trying to set up a virtual mail hosting on a testing machine,
> following the tutorial at:
> http://howtoforge.net/linux_postfix_virtual_hosting

Yesh - tutorials often get things wrong, or assume you know more about postfix than you do. I'd suggest the actual documentation instead, located at http://www.postfix.org/VIRTUAL_README.html

> Here's the issue. Message file cannot be written to tmp folder because
> of "Permission denied".

Which user is postfix delivering virtual mailbox mail as ? Did you check that the UID of the virtual user corresponds with write permissions on the virtual_mailbox_maps location ?

> Needless to say, both ownerships and permissions were checked by hand
> descending from base (/var/spool/vmail) to the bottom. To check
> misspelled directory names, I've copied the full path and run
> #cd /var/spool/vmail/minu.biz/toomas/tmp/ - worked fine. I've even tried
> to chmod -R 0777 /var/spool/vmail

Don't. Ever. Chmod anything to 777.

> (it is a testing machine),

And ?

> but even then I've got the very same "Permission denied".

Run

namei -l /var/spool/vmail/minu.biz/toomas/tmp

to verify *complete* access.

> Disabling SELinux didn't work either. Maildirs WERE created in advance,
> exactly as the message suggests. It's late, and I'm running out of
> ideas. Please, help.
>
> Excerpt from maillog:
> Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: maildir access problem for UID/GID=5000/5000: create maildir file /var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com: Permission denied
> Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: perhaps you need to create the maildirs in advance

HOW did you create the maildir ? If postfix created the maildir, it would obviously be able to write to it afterwards.

> Output of postconf -n:
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> inet_interfaces = all
> mail_owner = postfix
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = $myhostname
> myhostname = rh2.tere.com
> mynetworks = 192.168.50.0/24
> myorigin = $mydomain
> queue_directory = /var/spool/postfix
> relay_domains = $mydestination
> virtual_alias_maps = hash:/etc/postfix/valias
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /var/spool/vmail
> virtual_mailbox_domains = /etc/postfix/vhosts
> virtual_mailbox_maps = hash:/etc/postfix/vmaps
> virtual_uid_maps = static:5000

This mandates that ALL virtual mailboxes MUST be writable by either uid 5000 or gid 5000. Are they ? What is the contents of virtual_mailbox_maps ? You left out one of the principal deciding factors by not including it.

-- J.
Narcissistic Mail Server
I’ve moderate expertise with Postfix and sys admin in general, and after 10 days of beating my head against this particular brick wall am posting this overly long, rather tedious question because I’ve exhausted my other resources but am not quite ready to throw in the towel. That said…

Here’s a simplified, sanitized description of the problem, using only two servers. I run an ISP-style setup using OS X Server 10.6 and Postfix. Each server should act as MX backup for the other. Both test servers use virtual domains and OS X Server style aliases held in a shared Open Directory/LDAP domain.

Setup

Server #1
ip: 111.111.111.001
host name: wheat.glutinous.com
test virtual domain: sourdough.com
test account: bryan_sourdough_com
test address: br...@sourdough.com
virtual_alias_maps: [none]
virtual_alias_domains: sourdough.com
relay_domains: pumpernickle.com

Server #2
ip: 111.111.111.002
host name: rye.glutinous.com
test virtual domain: pumpernickle.com
test account: bryan_pumpernickle_com
test address: br...@pumpernickle.com
virtual_alias_maps: [none]
virtual_alias_domains: pumpernickle.com
relay_domains: sourdough.com

The Problem

The hosts of br...@sourdough.com and br...@pumpernickle.com happily exchange mail with any server on earth except for each other. If br...@sourdough.com sends mail to br...@pumpernickle.com, its host wheat.glutinous.com creates the account bryan_pumpernickle_com on itself, and receives the message itself. It never contacts the destination host of br...@pumpernickle.com (rye.glutinous.com) at all. And vice versa.

When asked to speak to each other, the two servers become neurotically introspective, stare into their own navels, and send test messages to themselves. They believe they're responsible for domains that actually belong to other hosts.

There are no hidden aliases anywhere that I’ve failed to mention. I’ve queried all the relevant hash files to make sure they respond with the correct information. The only account aliases are held in the shared LDAP domain. For reasons I don’t understand, any server with access to the LDAP directory believes itself solely responsible for every address it can see, without regard for entries in virtual_alias_domains, relay_domains, or MX precedence. (Aside… This behavior changed from OSXS 10.5 to 10.6.)

There are no log errors per se, since the hosts all believe they’re behaving perfectly.

DNS

DNS for all hosts and virtual domains resolve correctly. MX records look like this:

sourdough.com. 3600 IN MX 10 mail. wheat.glutinous.com.
sourdough.com. 3600 IN MX 20 mail. rye.glutinous.com.
pumpernickle.com. 3600 IN MX 10 mail. rye.glutinous.com.
pumpernickle.com. 3600 IN MX 20 mail. wheat.glutinous.com.

A Clue

Continuing the example above, if I create the following entry in virtual_users, the problem vanishes and everything works.

br...@sourdough.com br...@sourdough.com

Unfortunately, this kludge won't scale well - it isn't something I can turn over to the non-geeks who will ultimately manage the day-to-day stuff.

Failed Solutions

I’ve attempted to solve the problem using transport_maps. For example, on wheat.glutinous.com:

main.cf
transport_maps = hash:/etc/postfix/transport

transport
gurgitate.org smtp:[mail.gilded-bat.laughingboot.net]
.gurgitate.org smtp:[mail.gilded-bat.laughingboot.net]

This has no effect. I’ve also lobotomized main.cf, simplifying it as much as possible, to no avail.

The Kindness of Strangers

My reach has exceeded my grasp, my brain is fried, and I just don’t get it. I particularly don’t understand why telling wheat.glutinous.com that br...@sourdough.com should be forwarded to itself persuades it to behave itself and send the message off to rye.glutinous.com.

The output of postconf -n for wheat.glutinous.com is below. I’m going to take a break, repair the espresso machine, and pray I can depend on the kindness of strangers.
Thanks, Bryan postconf -n for wheat.glutinous.com: biff = no command_directory = /usr/sbin config_directory = /etc/postfix content_filter = smtp-amavis:[127.0.0.1]:10024 daemon_directory = /usr/libexec/postfix debug_peer_level = 2 disable_vrfy_command = yes enable_server_options = yes header_checks = pcre:/etc/postfix/custom_header_checks html_directory = /usr/share/doc/postfix/html inet_interfaces = localhost mail_owner = _postfix mailbox_size_limit = 0 mailbox_transport = dovecot mailq_path = /usr/bin/mailq manpage_d
Re: Narcissistic Mail Server
On Tue, Nov 09, 2010 at 11:50:41AM -0800, Bryan Harrison wrote:

> I've moderate expertise with Postfix and sys admin in general, and after 10
> days of beating my head against this particular brick wall am posting this
> overly long, rather tedious question because I've exhausted my other
> resources but am not quite ready to throw in the towel.

I see no log entries of any sort in this rather long explanation. With the right handful of entries from the logs, and a brief paragraph of what you expected to happen + your postconf -n output + any relevant table entries you don't need say much more.

Please post a shorter problem description with relevant log entries, postconf -n output and all relevant table entries.

-- Viktor.
Re: Postfix multi instance
On 09/11/2010 20:13, motty.cruz wrote:

> Hello, I have a server running with two instance of Postfix named
> postfix-in and postfix-out however when I enter the following command
>
> # postfix status
> postfix-in/postfix-script: the Postfix mail system is running: PID: 1241
> postfix-in/postfix-script: the Postfix mail system is running: PID: 1241
> outgoing/postfix-script: the Postfix mail system is running: PID: 1242
>
> here is the last line of main.cf in /usr/local/etc/postfix-in
>
> content_filter=smtp-amavis:[127.0.0.1]:10024
> alternate_config_directories = /usr/local/etc/postfix-out
> multi_instance_name = postfix-in
> multi_instance_wrapper = ${command_directory}/postmulti -p --
> multi_instance_enable = yes
> multi_instance_group = mta
> multi_instance_directories = /usr/local/etc/postfix /usr/local/etc/postfix-out
>
> And main.cf of /usr/local/etc/postfix-out
>
> syslog_name = outgoing
> multi_instance_name = postfix-out
> multi_instance_wrapper = ${command_directory}/postmulti -p --
> multi_instance_enable = yes
> multi_instance_directories = /usr/local/etc/postfix-out
> multi_instance_group = mta
>
> It looks like I'm running postfix-out twice but I can't find the way to
> fix it. Please help!,

what makes you believe that? are you bothered with 'postfix status' returning 3 lines? if so:

Even if you try hard, very hard, it is not possible to run two different processes with same pid on the same OS. so your postfix status (pid 1241) refer to a single process.

so if there's any problem, it's with the 'postfix status' command. maybe you're repeating the instance name somewhere.
Re: [SOLVED] 'mailbox_command' (main.cf) not executed
On 11/08/2010 06:43 PM, Bruno Costacurta wrote:

Why procmail is not executed ? Is there some priority or dependencies for mailbox_command execution ?

Yes: the mail has to be delivered to a mailbox. You are delivering mail to spamassassin.

You confused me : spamassassin leaves the messages for local delivery via /usr/local/sbin/sendmail -i "$@"

Yes, I did. However, you did not provide your entire flow setup, so it was not completely transparent to me that you were using spamassassin as a content_filter. You did show logs that show spamassassin is processing the mail, but I never saw the config for re-injection, so there was no reason to suppose that procmail was ever getting hit.

And indeed everything works fine except the missing filtering via Procmail. (note : I'm using virtual users).

I know, that's why it doesn't work. Virtual mailboxes can not run commands, as I already indicated.

More generally, is mailbox_command mandatory ?

No, it's not mandatory. It is empty by default.

Can I replace it using in master.cf a syntax like following :

smtp inet n - n - - smtpd
  -o content_filter=procmail:filter

where procmail service will call, via shell script, spamassassin before doing its filtering, and do I can avoid the need of mailbox_command.

No, procmail is not a "service". You have to create one and then deliver to it:

myprocmail unix - n n - - - pipe
  user=your.virtual.user argv=procmail - -a $RECIPIENT -a $EXTENSION [-a $MORE_VARS...]

And then either set the virtual_transport to myprocmail or use transport_maps for more granular control.

NOTE that procmail MUST deliver the message in this case! If the message "falls out the bottom" of your recipe, it's GORN.

- -- J.

Thanks for your help. It works now. Indeed virtual_transport needs to be set up, not mailbox_command as virtual users are used in my Postfix setup.

in main.cf :

...
virtual_transport=myprocmail
...

in master.cf :

...
smtp inet n - - - - smtpd
  -o content_filter=spamfilter:dummy
spamfilter unix - n n - - pipe
  flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter.sh -f ${sender} -- ${recipient}
myprocmail unix - n n - - pipe
  flags=DRX user=spamfilter argv=/usr/bin/procmail ... temporary : other procmail params still need to be fixed here ...
...

Bye,
Bruno

-- Linux Counter #353844 http://counter.li.org/
Re: Postfix multi instance
On Tue, Nov 09, 2010 at 10:16:31PM +0100, mouss wrote:

>> multi_instance_directories = /usr/local/etc/postfix
>> /usr/local/etc/postfix-out

Did you set this by hand? Or use "postmulti -e create/import/..." to populate the list? The primary instance should not list itself in the multi_instance_directories list. It should only list secondary directories.

-- Viktor.
Re: Permissions issue with virtual maildirs
On 09/11/2010 18:15, Toomas Vendelin wrote:

> Hi there! I run Postfix on CentOS 5.5 with virtual domains. Mail is
> supposed to be delivered to maildirs. Everything worked with a
> sendmail/mbox setup for the same domain, so MX issues can be eliminated
> immediately :) I'm trying to set up a virtual mail hosting on a testing
> machine, following the tutorial at:
> http://howtoforge.net/linux_postfix_virtual_hosting
>
> Here's the issue. Message file cannot be written to tmp folder because
> of "Permission denied". Needless to say, both ownerships and permissions
> were checked by hand descending from base (/var/spool/vmail) to the
> bottom. To check misspelled directory names, I've copied the full path
> and run #cd /var/spool/vmail/minu.biz/toomas/tmp/ - worked fine. I've
> even tried to chmod -R 0777 /var/spool/vmail (it is a testing machine),
> but even then I've got the very same "Permission denied". Disabling
> SELinux didn't work either. Maildirs WERE created in advance, exactly as
> the message suggests. It's late, and I'm running out of ideas. Please,
> help.
>
> Excerpt from maillog:
> Nov 9 18:27:45 rh2 postfix/smtpd[5139]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled

This is unrelated to your problem, but you should remove NIS from your config. configure alias_maps explicitly:

$ postconf -d |grep nis
alias_maps = hash:/etc/aliases, nis:mail.aliases
$ postconf -e alias_maps=hash:/etc/aliases

> Nov 9 18:27:45 rh2 postfix/smtpd[5139]: connect from smtp-out.neti.ee[194.126.126.41]
> Nov 9 18:27:46 rh2 postfix/smtpd[5139]: 0028C1F494: client=smtp-out.neti.ee[194.126.126.41]
> Nov 9 18:27:46 rh2 postfix/cleanup[5143]: 0028C1F494: message-id=<1f1c29e7-c1cd-4eff-907a-42bd5f491...@vendelin.com>
> Nov 9 18:27:46 rh2 postfix/smtpd[5139]: disconnect from smtp-out.neti.ee[194.126.126.41]
> Nov 9 18:27:46 rh2 postfix/qmgr[4738]: 0028C1F494: from=, size=1507, nrcpt=1 (queue active)
> Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: maildir access problem for UID/GID=5000/5000: create maildir file /var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com: Permission denied

try running

$ touch /var/spool/vmail/minu.biz/toomas/tmp/test.test

as a user with uid=gid=5000.

> Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: perhaps you need to create the maildirs in advance
> Nov 9 18:27:46 rh2 postfix/virtual[5144]: 0028C1F494: to=, relay=virtual, delay=0.07, delays=0.05/0.01/0/0.01, dsn=4.2.0, status=deferred (maildir delivery failed: create maildir file /var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com: Permission denied)
>
> Output of postconf -n:
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> inet_interfaces = all
> mail_owner = postfix
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = $myhostname
> myhostname = rh2.tere.com
> mynetworks = 192.168.50.0/24
> myorigin = $mydomain
> queue_directory = /var/spool/postfix
> relay_domains = $mydestination
> virtual_alias_maps = hash:/etc/postfix/valias
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /var/spool/vmail
> virtual_mailbox_domains = /etc/postfix/vhosts
> virtual_mailbox_maps = hash:/etc/postfix/vmaps
> virtual_uid_maps = static:5000
RE: Postfix multi instance
I created it by hand! I was scared to break my configuration, that's why I did not use "postmulti -e create/import.." command as suggested in http://www.postfix.org/MULTI_INSTANCE_README.html#default_instance

I deleted the primary instance and it works fine.

Thank you Viktor,
-Motty

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
Sent: Tuesday, November 09, 2010 1:25 PM
To: postfix-users@postfix.org
Subject: Re: Postfix multi instance

On Tue, Nov 09, 2010 at 10:16:31PM +0100, mouss wrote:

>> multi_instance_directories = /usr/local/etc/postfix
>> /usr/local/etc/postfix-out

Did you set this by hand? Or use "postmulti -e create/import/..." to populate the list? The primary instance should not list itself in the multi_instance_directories list. It should only list secondary directories.

-- Viktor.
Re: Narcissistic Mail Server
> Please post a shorter problem description with relevant log entries, postconf
> -n output and all relevant table entries.

I accept full responsibility for the fact that my post was so wordy it was easy to miss that it contains everything you've requested except the log entries. ;)

Once more, with improved brevity...

Thanks,
Bryan

Problem

wheat.glutinous.com fails to relay mail addressed to br...@pumpernickle.com to rye.glutinous.com. Instead, it regards itself as responsible for pumpernickle.com and keeps the mail for itself.

Hosts & Tables:

Server #1
host name: wheat.glutinous.com
ip: 111.111.111.001
virtual domain: sourdough.com
ldap account: bryan_sourdough_com
address: br...@sourdough.com
virtual_alias_maps: [none - handled by a single shared LDAP domain]
virtual_alias_domains: sourdough.com
relay_domains: pumpernickle.com

Server #2
host name: rye.glutinous.com
ip: 111.111.111.002
virtual domain: pumpernickle.com
ldap account: bryan_pumpernickle_com
address: br...@pumpernickle.com
virtual_alias_maps: [none - handled by a single shared LDAP domain]
virtual_alias_domains: pumpernickle.com
relay_domains: sourdough.com

Log from wheat.glutinous.com:

Tuesday, November 2, 2010 12:14:24 PM America/Los_Angeles
Nov 2 12:14:27 wheat postfix/smtpd[48573]: connect from wheat.glutinous.com[111.111.111.001]
Nov 2 12:14:27 wheat postfix/smtpd[48573]: 5177C28C01B: client=wheat.glutinous.com[111.111.111.001], sasl_method=PLAIN,sasl_username=br...@sourdough.com
Nov 2 12:14:27 wheat postfix/cleanup[48580]: 5177C28C01B: message-id=
Nov 2 12:14:27 wheat postfix/qmgr[48547]: 5177C28C01B: from=, size=2815, nrcpt=1 (queue active)
Nov 2 12:14:27 wheat postfix/smtpd[48585]: connect from localhost[127.0.0.1]
Nov 2 12:14:27 wheat postfix/smtpd[48585]: C12B528C032: client=localhost[127.0.0.1]
Nov 2 12:14:27 wheat postfix/cleanup[48580]: C12B528C032: message-id=
Nov 2 12:14:27 wheat postfix/qmgr[48547]: C12B528C032: from=, size=3346, nrcpt=1 (queue active)
Nov 2 12:14:27 wheat postfix/smtp[48581]: 5177C28C01B: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.52, delays=0.05/0.07/0.01/0.39, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=48549-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as C12B528C032)
Nov 2 12:14:27 wheat postfix/qmgr[48547]: 5177C28C01B: removed
Nov 2 12:14:27 wheat postfix/pipe[48588]: C12B528C032: to=, relay=dovecot, delay=0.14, delays=0/0.05/0/0.08, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 2 12:14:27 wheat postfix/qmgr[48547]: C12B528C032: removed

postconf -n for wheat.glutinous.com:

biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = localhost
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 52428800
mydomain = sourdough.com
mydomain_fallback = localhost
myhostname = wheat.glutinous.com
mynetworks = 127.0.0.0/8 111.111.111.001 111.111.111.002
newaliases_path = /usr/bin/newaliases
owner_request_special = no
permit_mx_backup_networks = $mynetworks
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps =
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_sasl_authenticated permit_mynetworks reject_rbl_client zen.spamhaus.org permit
smtpd_data_restrictions = permit_mynetworks reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks check_helo_access hash:/etc/postfix/helo_access reject_non_fqdn_helo_hostname reject_invalid_helo_hostname permit
smtpd_pw_server_security_options = cram-md5 login plain
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated permit_mx_backup reject_unauth_destination reject_non_fqdn_hostname
Re: Postfix multi instance
On Tue, Nov 09, 2010 at 01:40:34PM -0800, motty.cruz wrote:

> I created it by hand! I was scared to break my configuration, that why I did
> not user "postmulti -e create/import.." command as suggested in
> http://www.postfix.org/MULTI_INSTANCE_README.html#default_instance

You were scared to do it using the supported tooling so you decided to wing-it by hand. Makes sense, ... :-)

The commands:

postmulti -e init
postmulti -e import
postmulti -e create

are very safe and are non-destructive. They just populate the new "multi_instance_mumble" parameters.

-- Viktor.
Re: Narcissistic Mail Server
On Tue, Nov 09, 2010 at 01:51:22PM -0800, Bryan Harrison wrote:

> Nov 2 12:14:27 wheat postfix/cleanup[48580]: 5177C28C01B:
> message-id=

This cleanup service rewrote the original recipient:

orig_to=

to the final recipient:

> to=,

as evidenced by this log entry, which shows the message en-route to amavisd-new:

> Nov 2 12:14:27 wheat postfix/smtp[48581]: 5177C28C01B:
> to=,
> orig_to=,
> relay=127.0.0.1[127.0.0.1]:10024,
> delay=0.52, delays=0.05/0.07/0.01/0.39, dsn=2.0.0, status=sent
> (250 2.0.0 Ok, id=48549-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok:
> queued as C12B528C032)

After which point the damage is already done.

> Nov 2 12:14:27 wheat postfix/pipe[48588]: C12B528C032:
> to=,
> relay=dovecot, delay=0.14, delays=0/0.05/0/0.08, dsn=2.0.0, status=sent
> (delivered via dovecot service)

Perhaps the original domain is incorrectly listed in $mydestination, and the bare user-name "bryan" is listed in "virtual_alias_maps". Or else canonical mappings or similar input-stage rewriting applies to this recipient address.

-- Viktor.
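The diagnosis above (orig_to rewritten at cleanup, then the message re-queued by the content filter and delivered locally) can be checked mechanically across a whole log. The following is an added example, not code from the thread or from Postfix: it follows "queued as" links between queue IDs and reports recipients in a domain that should be relayed but that ended at a local delivery agent. The sample log lines, addresses, queue IDs and the list of local services are constructed assumptions.

```python
import re

# Assumes the short hexadecimal queue IDs seen in the log quoted in this thread.
DELIVERY = re.compile(
    r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>,"
    r"(?: orig_to=<(?P<orig>[^>]*)>,)? relay=(?P<relay>[^,]+),"
    r".*?status=(?P<status>\w+)(?: \((?P<text>.*)\))?"
)
REQUEUED = re.compile(r"queued as (?P<next>[0-9A-F]+)")

# Delivery agents that keep the message on this host (assumed list).
LOCAL_SERVICES = {"local", "virtual", "pipe", "lmtp"}

# Constructed sample: one misrouted message, one correctly relayed, one local.
SAMPLE_LOG = [
    "Nov 2 12:14:27 wheat postfix/smtp[101]: 1A2B3C4D5E1: "
    "to=<alice_pumpernickle_com@wheat.glutinous.com>, orig_to=<alice@pumpernickle.com>, "
    "relay=127.0.0.1[127.0.0.1]:10024, delay=0.52, dsn=2.0.0, status=sent "
    "(250 2.0.0 Ok: queued as 1A2B3C4D5E2)",
    "Nov 2 12:14:27 wheat postfix/qmgr[100]: 1A2B3C4D5E1: removed",
    "Nov 2 12:14:27 wheat postfix/pipe[102]: 1A2B3C4D5E2: "
    "to=<alice_pumpernickle_com@wheat.glutinous.com>, relay=dovecot, delay=0.14, "
    "dsn=2.0.0, status=sent (delivered via dovecot service)",
    "Nov 2 12:15:01 wheat postfix/smtp[103]: 2A2B3C4D5E1: "
    "to=<bob@pumpernickle.com>, orig_to=<robert@pumpernickle.com>, "
    "relay=127.0.0.1[127.0.0.1]:10024, delay=0.40, dsn=2.0.0, status=sent "
    "(250 2.0.0 Ok: queued as 2A2B3C4D5E2)",
    "Nov 2 12:15:02 wheat postfix/smtp[104]: 2A2B3C4D5E2: "
    "to=<bob@pumpernickle.com>, relay=rye.glutinous.com[192.0.2.2]:25, delay=0.9, "
    "dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F9F9F9F9F9)",
    "Nov 2 12:16:10 wheat postfix/pipe[105]: 3A2B3C4D5E1: "
    "to=<carol@sourdough.com>, relay=dovecot, delay=0.1, dsn=2.0.0, "
    "status=sent (delivered via dovecot service)",
]


def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()


def parse_hops(lines):
    """Group per-recipient delivery records by queue ID."""
    hops = {}
    for line in lines:
        m = DELIVERY.search(line)
        if not m:
            continue  # connect/cleanup/qmgr lines carry no delivery status
        requeued = REQUEUED.search(m.group("text") or "")
        hops.setdefault(m.group("qid"), []).append({
            "qid": m.group("qid"), "svc": m.group("svc"),
            "to": m.group("to"), "orig": m.group("orig"),
            "relay": m.group("relay"), "status": m.group("status"),
            "next": requeued.group("next") if requeued else None,
        })
    return hops


def find_misrouted(lines, relay_domains):
    """Recipients whose orig_to is in a relay domain but that were delivered locally."""
    relay_domains = {d.lower() for d in relay_domains}
    hops = parse_hops(lines)
    findings = []
    for qid, records in hops.items():
        for first in records:
            orig = first["orig"]
            if not orig or domain(orig) not in relay_domains:
                continue
            # orig_to is lost after re-injection, so follow the queue IDs.
            last, path = first, [qid]
            while last["next"] and last["next"] not in path:
                same_rcpt = [h for h in hops.get(last["next"], [])
                             if h["to"].lower() == first["to"].lower()]
                if not same_rcpt:
                    break  # handed to another host, or log ends here
                last = same_rcpt[0]
                path.append(last["qid"])
            if last["svc"] in LOCAL_SERVICES and last["status"] == "sent":
                findings.append({"orig_to": orig, "final_to": last["to"],
                                 "final_relay": last["relay"], "path": path})
    return findings


if __name__ == "__main__":
    for f in find_misrouted(SAMPLE_LOG, {"pumpernickle.com"}):
        print("%(orig_to)s -> %(final_to)s via %(final_relay)s %(path)s" % f)
```

The relay_domains argument is the set of domains the host is supposed to pass on rather than host, for example the keys of the relay_domains table shown in the postconf output.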
Re: postfix and RFC 1912
On 09/11/2010 11:33, Nick Edwards wrote:

> "Make sure your PTR and A records match. For every IP address, there
> should be a matching PTR record in the in-addr.arpa domain. If a host is
> multi-homed, (more than one IP address) make sure that all IP addresses
> have a corresponding PTR record (not just the first one)."

what that says (or should have said) is:

foreach $ip in (list of the IPs of your machine)
    foreach $ptr in (list of names returned by resolving $ip)
        foreach $ip2 in (list of IPs returned by resolving $ptr)
            Then $ip2 = $ip

so:

- for a given IP, you'd better use a single PTR. The use of multiple PTRs is allowed by the standard, but you'll need to ask yourself: do you really need it. many people think that web multi-hosting requires multiples PTRs. That's wrong. web multi-hosting is based on multiple A records for one name (not the opposite).

- if you really use multiple PTRs, say

192.0.2.1 PTR name1.example.com.
192.0.2.1 PTR name2.example.com.

then make sure to have both names resolve to the IP (and _only_ to that IP):

name1.example.com. A 192.0.2.1
name2.example.com. A 192.0.2.1

if your system sends mail, then to avoid problems, create a single PTR for its IP, and make this PTR resolve to that IP and only to that IP.

$ host 91.121.103.130
130.103.121.91.in-addr.arpa domain name pointer imlil.netoyen.net.
$ host imlil.netoyen.net
imlil.netoyen.net has address 91.121.103.130

now, other services run on this box. for example:

$ host www.netoyen.net
www.netoyen.net has address 91.121.103.130

but the IP doesn't resolve to www or anything other than the machine "name" (which is not related to any service).

> Apparently, I'm led to believe that postfix in doing lookups only takes
> the first answer it gets, therefore if DNS returns 2 or more, and the
> first entry for whatever reason has no record then pf fails the lookup
> under unknown client hostname.

postfix (and other software) will not check all the values returned by DNS. Otherwise, I could setup 200 PTR records for one IP (each PTR in its own domain, so that resolving multiple PTRs requires queries to different servers), and for each ptr, configure 200 A records. do you want postfix to check the 200 x 200 possibilities? that's self DoS and an opportunity for a "mirror" attack...

Let me state a principle: one client request should not result in N queries, unless N is small (the value depends on context. the real thing is: watch for potential of abuse).

Anyway, to make a long story short: there are two opposing views:

- FCrDNS fans: their view is explained above.

- FCrDNS opponents: they don't care about this story. Their primary argument is that rDNS verification brings nothing, and only creates problems. with IPv6 + zeroconfig + ..., FCrDNS is even less attractive (more problematic).

feel free to choose your side. but it doesn't really matter. FCrDNS may be important for a whitelist, but then you can do whatever tests you want (it's an "offline" operation). other than that, rejecting mail because the client doesn't resolve or has FCrDNS problems will cause many FPs (even with "correctly" configured servers: DNS failure may happen at the receiving side or somewhere in between).

> Can someone in the know explain why this is so? (please, no assumptions,
> there only a couple people on this list with factual knowledge, I'm not
> interested in foo's opinion, or bar's opinion, I'm looking for
> executive's decisive reason )
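The nested-loop rule and the "N must be small" principle from the message above, as an added example (not code from the thread and not how Postfix implements its lookup): an FCrDNS check with a hard cap on DNS queries, in a lenient mode (one PTR name maps back to the IP) and a strict mode (every PTR name resolves to that IP and only to it). The zone tables, the default budget of 4 and all function names are constructed assumptions; 192.0.2.0/24 is documentation address space.

```python
import ipaddress
import socket
from dataclasses import dataclass, field

# Constructed zone data for offline runs.
PTR_TABLE = {
    "192.0.2.1": ["name1.example.com.", "name2.example.com."],  # both map back
    "192.0.2.2": ["www.example.com."],                          # name has a 2nd address
    "192.0.2.3": ["host%d.zone%d.example." % (i, i) for i in range(200)],
    "192.0.2.4": ["ghost.example.com.", "real.example.com."],   # first PTR has no A
}
A_TABLE = {
    "name1.example.com": ["192.0.2.1"],
    "name2.example.com": ["192.0.2.1"],
    "www.example.com": ["192.0.2.2", "192.0.2.9"],
    "real.example.com": ["192.0.2.4"],
}


@dataclass
class Verdict:
    status: str                                     # pass, fail, no_ptr, budget_exceeded
    lookups: int                                    # DNS queries actually issued
    confirmed: list = field(default_factory=list)   # names that satisfy the rule
    offending: list = field(default_factory=list)   # names that break it


def table_resolver(ptr_table, a_table):
    """Resolver pair backed by in-memory tables (for tests and offline use)."""
    return (lambda ip: list(ptr_table.get(ip, [])),
            lambda name: list(a_table.get(name, [])))


def system_resolver():
    """Resolver pair backed by the host's resolver library."""
    def ptr_lookup(ip):
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
        except OSError:
            return []
        return [name] + aliases

    def addr_lookup(name):
        try:
            infos = socket.getaddrinfo(name, None)
        except OSError:
            return []
        return sorted({info[4][0] for info in infos})
    return ptr_lookup, addr_lookup


def _same_ip(a, b):
    # Drop any IPv6 scope suffix before comparing.
    return (ipaddress.ip_address(a.split("%")[0])
            == ipaddress.ip_address(b.split("%")[0]))


def fcrdns(ip, ptr_lookup, addr_lookup, strict=False, max_lookups=4):
    """Forward-confirm the PTR names of ip without exceeding max_lookups queries."""
    lookups = 1  # the PTR query itself
    names = list(dict.fromkeys(n.rstrip(".").lower() for n in ptr_lookup(ip)))
    if not names:
        return Verdict("no_ptr", lookups)
    confirmed, offending = [], []
    for name in names:
        if lookups >= max_lookups:
            # Stop instead of chasing an attacker-sized answer set.
            return Verdict("budget_exceeded", lookups, confirmed, offending)
        lookups += 1
        addrs = addr_lookup(name)
        maps_back = any(_same_ip(a, ip) for a in addrs)
        only_this_ip = maps_back and all(_same_ip(a, ip) for a in addrs)
        if only_this_ip if strict else maps_back:
            confirmed.append(name)
            if not strict:
                return Verdict("pass", lookups, confirmed, offending)
        else:
            offending.append(name)
    status = "pass" if strict and not offending else "fail"
    return Verdict(status, lookups, confirmed, offending)


if __name__ == "__main__":
    ptr, addr = table_resolver(PTR_TABLE, A_TABLE)
    for ip in sorted(PTR_TABLE):
        print(ip, fcrdns(ip, ptr, addr), fcrdns(ip, ptr, addr, strict=True).status)
```

Pass system_resolver() in place of table_resolver(...) to run the same check against live DNS; the resolver library typically reports a single PTR name, so the multi-PTR paths are exercised mainly with the table data.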
Re: ot: iphone setup for smtp-auth self certified
On Tue, November 9, 2010 11:35 am, Larry Stone wrote: > On 11/8/10 5:07 PM, Voytek Eymont at li...@sbt.net.au wrote: > There are plenty of instructions out there; try searching for "iphone > install certificate". But in short, e-mail the certificate to your iphone > and then double-"click" it just like opening any other attachment. The > iPhone will then open an "install certificate" dialog. thanks, everyone Charles on courier list suggested a perhaps more universal way to import as: - 1. Upload your cert to a web accessible directory 2. Browse to that directory using Safari on the iPhone 3. Click the cert from the browser 4. Click to accept/permanently install the cert in the current profile The mail client will no longer complain about the cert Haven't tested this on the iPhone 4 yet, but works for all up to the 3GS... - now, all I need is to borrow an iphone again. -- Voytek
Re: Narcissistic Mail Server
Thanks. I'm reassured to find you thinking along the same lines. > and the bare user-name "bryan" is listed in "virtual_alias_maps". Alas, not. In the test configuration, I've deliberately left virtual_alias_maps empty. The aliases are all in a shared LDAP domain, and there is no "bryan" there. > Perhaps the original domain is incorrectly listed in $mydestination I have no mydestination entry. Can I use one to force the correct behavior? > else canonical mappings or similar input-stage rewriting applies to this > recipient address. There's only one place I can imagine such a problem originating... I suspect that the upgrade from OS X Server 10.5 to 10.6 has broken something, or at least treats aliases differently, and that a problem has been introduced somewhere in the interaction between OD and Postfix. Which is to say, this isn't a Postfix problem per se. Using the example setup, I can force the correct behavior with this virtual_alias_maps entry: br...@pumpernickle.com br...@pumpernickle.com But this approach won't scale well - I'd prefer not to manage duplicate directory info for hundreds of email addresses. Can you suggest any less labor-intensive way I might configure Postfix to force the correct behavior? Thanks again, Bryan ___ On Nov 9, 2010, at 1:59 PM, Victor Duchovni wrote: > On Tue, Nov 09, 2010 at 01:51:22PM -0800, Bryan Harrison wrote: > >> Nov 2 12:14:27 wheat postfix/cleanup[48580]: 5177C28C01B: >> message-id= > > This cleanup service rewrote the original recipient: > >orig_to= > > to the final recipient: > >> to=, > > as evidenced by this log entry, which shows the message en-route to > amavsid-new: > >> Nov 2 12:14:27 wheat postfix/smtp[48581]: 5177C28C01B: >> to=, >> orig_to=, >> relay=127.0.0.1[127.0.0.1]:10024, >> delay=0.52, delays=0.05/0.07/0.01/0.39, dsn=2.0.0, status=sent >> (250 2.0.0 Ok, id=48549-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: >> queued as C12B528C032) > > After which point the damage is already done. 
> >> Nov 2 12:14:27 wheat postfix/pipe[48588]: C12B528C032: >> to=, >> relay=dovecot, delay=0.14, delays=0/0.05/0/0.08, dsn=2.0.0, status=sent >> (delivered via dovecot service) > > Perhaps the original domain is incorrectly listed in $mydestination, > and the bare user-name "bryan" is listed in "virtual_alias_maps". Or > else canonical mappings or similar input-stage rewriting applies to > this recipient address. > > -- > Viktor. ___
Re: postfix and thousands unix user
Kris Deugau put forth on 11/9/2010 11:07 AM: > That said... Yeah, upgrade the hardware now - I'd even say go for more > than 8G of RAM if you can stuff it in, because if you're running a > memory hog like SpamAssassin on the same machine as your core mail > daemons and webmail, you'll need it sooner or later - and going into > swap when running something like SA is a good way to cause *everything* > to slow to a halt. He's not running SA on this box so that's not an issue. From what I understand he is planning on supporting multiple hundreds of simultaneous IMAP users, and on top of that, local webmail users with his httpd/webmail app running on this same system. In that case, he'll need all the CPU he can stuff into the box as well as tons of RAM. CGI based webmail apps are CPU/RAM hogs with many concurrent users. The Proliant Dl180 g6 box he has will scale to 192GB RAM in 12 DIMM slots, but getting it there gets expensive due to the cost/DIMM at 16GB density. Using fairly inexpensive 4GB DIMMS he could occupy 6 of the 12 slots for a 24GB capacity. That should be plenty for the requirements the OP has described so far. If not for the webmail requirement, he could get by with much less CPU and RAM, and only have to worry about disk array performance, which is the main bottleneck for IMAP. For the number and type of users he's talking about, as I mentioned before, he should have at least 8 spindles of hardware RAID5/6 to carry the load without bogging down. However, the OP has made it clear that this is an expansion system for new customers, and the load will start at zero and build as clients are added. It will not apparently have high user load until some point in the future. If indeed at some point it will be handling a mix of 1000 or more concurrent IMAP and webmail users, it would be beneficial to load the box up with performance now, rather than downing the system for upgrades later, IMO. -- Stan
Re: postfix and thousands unix user
On 11/09/2010 04:45 PM, Stan Hoeppner wrote: The Proliant Dl180 g6 box he has will scale to 192GB RAM in 12 DIMM slots, but getting it there gets expensive due to the cost/DIMM at 16GB density. Using fairly inexpensive 4GB DIMMS he could occupy 6 of the 12 slots for a 24GB capacity. That should be plenty for the requirements the OP has described so far. There's probably a point where adding a second server will be more cost effective... Is there really a _need_ to load this all on one host? -will
Re: postfix and thousands unix user
On Wed, Nov 10, 2010 at 7:57 AM, Will Fong wrote: > On 11/09/2010 04:45 PM, Stan Hoeppner wrote: >> >> The Proliant Dl180 g6 box he has will scale to 192GB RAM in 12 DIMM >> slots, but getting it there gets expensive due to the cost/DIMM at 16GB >> density. Using fairly inexpensive 4GB DIMMS he could occupy 6 of the 12 >> slots for a 24GB capacity. That should be plenty for the requirements >> the OP has described so far. > > There's probably a point where adding a second server will be more cost > effective... Is there really a _need_ to load this all on one host? hi guys, currently we go on with the setup and yesterday we setup dovecot to serve imap and pop3, really it's a bit confusing for us since we use pam and passwd as a driver for userdb and passdb on dovecot.conf, in short, finally we found that we need to make use of auth_username_translation = @. so we can login to imap or pop with usual email address like t...@domain.net since it add up as test.domain.net on unix account. in the future if we find that the server isn't up to carry the load then we simply would add another server, but for now we're pretty confident the server will run perhaps for a few years from now. and thanks for all of this discussion :) > > -will > > -- http://blog.rizahnst.org
Re: postfix and thousands unix user
Will Fong put forth on 11/9/2010 6:57 PM: > On 11/09/2010 04:45 PM, Stan Hoeppner wrote: >> The Proliant Dl180 g6 box he has will scale to 192GB RAM in 12 DIMM >> slots, but getting it there gets expensive due to the cost/DIMM at 16GB >> density. Using fairly inexpensive 4GB DIMMS he could occupy 6 of the 12 >> slots for a 24GB capacity. That should be plenty for the requirements >> the OP has described so far. > There's probably a point where adding a second server will be more cost > effective... Is there really a _need_ to load this all on one host? That depends on how many concurrent users they eventually have on a regular basis before load stops growing. If they peak at a given maximum concurrent user load, say 2000, a single host system can be setup to meet that load with good performance. If it keeps growing you must scale up by adding more processors, RAM, disk, or replacing the box with a larger one, with even more processors, RAM, and disk. Rinse repeat. This is obviously expensive. Scaling out is far more cost effective for very large systems as each node can be less powerful and thus cheaper. The Proliant system the OP is using can be had in the U.S. for less than $1300 USD. Using a local boot disk and a software iSCSI initiator, dozens of such systems could access the same mail store on an iSCSI storage array device via the GFS2 cluster filesystem. Or, using the kernel NFS client and accessing a shared NFS mail store. Here, care must be taken to acquire a high performance NFS filer--a home grown Linux NFS server probably isn't going to cut it. Scaling out with IMAP requires shared mailbox storage, thus this must be planned for up front, not as an afterthought. Now, if you're talking about simply adding new IMAP servers and each one handles mail for a different set of domains, you can sure do that. It's a horrible idea from a resource utilization, load balancing, redundancy, and power consumption standpoint, but it is one possible method. 
And the upfront costs are less. My main problem with this scenario is you end up with a lot of idle resources. -- Stan
Re: Narcissistic Mail Server
On Tue, Nov 09, 2010 at 03:13:01PM -0800, Bryan Harrison wrote: > Viktor: > > Perhaps the original domain is incorrectly listed in > > $mydestination > > I have no mydestination entry. Can I use one to force the correct > behavior? Not listing mydestination in main.cf means you get the default setting for mydestination, which is rarely what people want for mydestination. That's a setting which should not be left to chance (the vagaries of gethostbyname() resolution.)[1] You might benefit from review of the Basic Configuration README. Check your settings for those configuration items. [1] That might sound like a criticism of the default for mydestination, but it is not. The default is as good as possible, but human supervision is necessary to set up a MTA. -- Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
Re: Narcissistic Mail Server
/dev/rob0: > On Tue, Nov 09, 2010 at 03:13:01PM -0800, Bryan Harrison wrote: > > Viktor: > > > Perhaps the original domain is incorrectly listed in > > > $mydestination > > > > I have no mydestination entry. Can I use one to force the correct > > behavior? > > Not listing mydestination in main.cf means you get the default > setting for mydestination, which is rarely what people want for > mydestination. That's a setting which should not be left to chance > (the vagaries of gethostbyname() resolution.)[1] To avoid brain-dead failure modes, the mydestination default uses gethostname(2) (the node name in the local kernel) not gethostbyname(3) (some remote lookup service). Using gethostbyname(3) would cause Postfix processes to hang when the network is down. Wietse > You might benefit from review of the Basic Configuration README. > Check your settings for those configuration items. > > > [1] That might sound like a criticism of the default for > mydestination, but it is not. The default is as good as > possible, but human supervision is necessary to set up a MTA. > -- > Offlist mail to this address is discarded unless > "/dev/rob0" or "not-spam" is in Subject: header > >
Re: Do NOT try rDNS Whitelisting
>Sadly, the opendkim library does not support applying two signatures in >parallel (set up two signing contexts, pass the message content through >once, get two signatures). So I have to pass the message through the >library twice, to apply two signatures. Not a show-stopper, but annoying. If we ask Murray nicely, that shouldn't be too hard for him to fix. R's, John
Rewriting the envelope_sender
Hey everyone, Does anyone have any good documentation on how to rewrite the envelope_sender based on a regexp map? I need to do the following. I have an application that is broken, and sets the "mail from" envelope-sender value to "From:user"@domain.tld. Obviously the quotes and use of From: in this field is a violation of RFC822. Reading the regexp man page suggests that the following would work in sender_canonical_maps: /\"From:(.*)\"@(.*)/REPLACE$...@${2} However, this does not seem to get matched in any way. Anyone have any ideas? -- Steve King Senior Linux Engineer - Advance Internet, Inc. Cisco Certified Network Professional CompTIA Linux+ Certified Professional CompTIA A+ Certified Professional
Re: Permissions issue with virtual maildirs
Jeroen, thank you for taking time to answer. The problem was that I have put /sbin/nologin for a login shell instead of /bin/false. Don't ask, why on Earth did I do that (I'm asking that myself). Anyway, with this changed, mail goes through as expected. The moral being, don't work too long hours. Picking your points: > Don't you mean "I have configured postfix to deliver to maildirs". > If that's not what you mean, it's an unwarranted - and quite dangerous - > assumption. I've meant "I have configured postfix to deliver to maildirs", indeed. > Yesh - tutorials often get things wrong, or assume you know more about > postfix than you do. > I'd suggest the actual documentation instead, located at > http://www.postfix.org/VIRTUAL_README.html Nobody's perfect. Yes, I've read the "official HOWTO" as well. In this particular case, the HowtoForge.com tutorial was both correct and better written. It was me who "got the things wrong". > Run namei -l /var/spool/vmail/minu.biz/toomas/tmp to verify *complete* > access. I've got: namei: invalid option -- l usage: namei [-mx] pathname [pathname ...] > HOW did you create the maildir ? > If postfix created the maildir, it would obviously be able to write to it > afterwards. With mkdir. > This mandates that ALL virtual mailboxes MUST be writable by either uid 5000 > or gid 5000. Are they ? Yes. I should have written it explicitly, of course. > What is the contents of virtual_mailbox_maps ? > You left out one of the principal deciding factors by not including it. My mistake. Fortunately, as we know by now, it was irrelevant in this case.
Re: postfix and thousands unix user
The only difference I would have on this server is I would make it RAID 10 and not raid5. This is much higher performing with all the writes to maildir. It's also better fault tolerance. On Mon, Nov 8, 2010 at 7:25 AM, Stan Hoeppner wrote: > ahmad riza h nst put forth on 11/8/2010 4:08 AM: > > >> You won't have local system accounts. Just setup Postfix and Dovecot to > >> query your current mysql domain and user database. It may take some > >> tweaking, but what doesn't? ;) > >> > > > > thanks for your reply stan, > > > > the problem is we have to use webmin + virtualmin for user interface > > (control panel), and it seems virtualmin doesn't support postfix > > virtual user via mysql db, indeed they do it alias with unix system > > users. > > "Have to"? There are alternatives, such as > http://www.ispconfig.org/ispconfig-3/ > > In the absence of Virtualmin support for your mysql user db, how are you > going to populate the local UNIX user account database on the new > system? Does a tool already exist allowing you to do so? If not, and > you will have to write such a tool, I suggest you focus your efforts on > writing a tool/plugin to allow Virtualmin to directly read/write your > mysql user db. > > >> Are you using Dovecot for IMAP and POP or just POP? > > > > IMAP and POP. > > > >> > >>> our hardware is hp dl180 g6 (a xeon quad core + raid 1 + 4G ram) > >> > >> Ok, that answers one of my previous questions. This system isn't nearly > >> strong enough for thousands of users. You should: > >> > >> 1. Bump the RAM up to at least 8GB > >> 2. Install the second matching quad core processor > >> > > > > i understand, but we only use this server for mailboxes only, so there > > will be no spamassassin or clamav etc on the server, we have separate > > mail filtering (mx) on another servers. > > As you should. So, can you disable those buttons so your users can't > access them? Or will you allow them to press the buttons, but they > won't really do anything? 
The SA config in Virtualmin is per user is it > not? > > > currently we have another mailbox server (it hp dl 180 g6 too) with > > qmail and vpopmail, there are about 11 thousands virtual user on the > > server and it still running well at this time, thats why we think > > postfix and dovecot can do it with same hardware. > > Ahh, then you're ignorant of IMAP processing and communications > patterns. The load generated by IMAP clients versus POP clients can be > well over 100 fold, especially if the clients are not syncing messages > locally. Each click on a mail folder or email generates a packet to the > IMAP server and a response packet back to the client. Multiply that by > 1000 concurrent clients. The communication pattern is more akin to > telnet or SSH. POP is more similar to FTP. One is constantly > interactive. The other creates a burst and is then done. IMAP generates > an order of magnitude more load on a server than POP does. You've > apparently not heard of body searches on IMAP mailboxes. One client > can tie up an entire server CPU core for 10-20 seconds at a time > searching an IMAP folder containing 5,000-10,000 messages in it. This > is probably the heaviest hitting IMAP feature your users could take > advantage, although there are others that will suck up server resources. > POP has none of these features, so load is directly correlated to the > number of concurrent logins and new messages in the queue. There are > many more performance variables WRT IMAP servers. > > > i will read this, thanks. > > > >> http://wiki2.dovecot.org/LDA > >> http://wiki2.dovecot.org/LDA/Postfix > >> http://wiki2.dovecot.org/Pigeonhole/Sieve > >> http://wiki2.dovecot.org/Pigeonhole/ManageSieve > > Join the Dovecot mailing list. Post what your requirements are, how > many users you have, what you plan to do, and what hardware you plan to > use. Ask for advice on the mysql userdb issue WRT Virtualmin. 
Ask for > opinions on what hardware you need to host 11,000 IMAP users. > > http://www.dovecot.org/mailinglists.html > > -- > Stan >