Re: Relay from local network and EHLO

2010-11-11 Thread mouss

Le 10/11/2010 17:09, Toomas Vendelin a écrit :

Found it!

proxy_interfaces =

was missing. Works fine now.



I doubt this was the reason that makes the client disconnect after EHLO.

it's more probable that the problem was related to STARTTLS and/or SASL 
configuration. Example: if the client is configured to use STARTTLS but 
postfix isn't, the client will disconnect...





On Wed, Nov 10, 2010 at 4:55 PM, /dev/rob0  wrote:

On Wed, Nov 10, 2010 at 02:45:57PM +0200, Toomas Vendelin wrote:

I've tried to configure postfix to relay mail from the hosts on the
local network to the outside world. In my case the server host is
192.168.50.9 and the host that originates the mail is 192.168.50.14

When I try to send a message from a Mac OS X client using Apple Mail
with 192.168.50.9 as SMTP server setting, I get this in the maillog:

Nov 10 14:14:41 rh2 postfix/smtpd[6981]: connect from unknown[192.168.50.14]
Nov 10 14:14:41 rh2 postfix/smtpd[6981]: lost connection after EHLO from unknown[192.168.50.14]
Nov 10 14:14:41 rh2 postfix/smtpd[6981]: disconnect from unknown[192.168.50.14]
Nov 10 14:14:41 rh2 postfix/smtpd[6981]: connect from unknown[192.168.50.14]
, at which point mail client continues its attempts to send the
message, which, according to log (no new entries), is silently ignored
by postfix.


All this says is that the client connected, sent EHLO, and lost the
connection. It's impossible to guess why this happened, except it's
almost surely not a Postfix problem at all.


According to the comments in the main.conf, I have to specify this
to allow relay from my local network:
mynetworks = 192.168.50.0/24

I do not know yet how to teach my Mac to say EHLO properly (is it
necessary?), so I have also added an explicit (although it is a
default.):
smtpd_helo_required = no


I'm sure Apple Mail knows how to say EHLO properly. You have seen a
correlation in your logs (connection lost after EHLO) and wrongly
inferred causation.


Output of postconf -n

[snipped as irrelevant at this point]


Mail is sent without issues from the localhost. What am I missing?


Look at networking issues which might cause the connection to be
unstable. Is there a router or firewall in between? I'd even try
swapping out cables or a switch if that could be a factor. If it's
wireless, check on signal strength and noise.

What happens with other protocols? Is SMTP the only one with a
problem? Can you ssh to/from the client?

You can add the client IP to debug_peer_list to get verbose logs,
which might provide a hint at what's happening. Or, try looking at
tools such as tcpdump, which can show information about what's
happening at lower levels.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header





Re: Does postfix support POP3 & anyone used Cerberus Helpdesk with Postfix

2010-11-11 Thread Jose-Marcio Martins da Cruz

sunhux G wrote:




Will the messages still be located on the Exch server after POP3 is
disabled?  

No, there's no messages stored on the Exch server : in fact currently
the Cerberus Hdesk software will connect up to the Exch server quite
frequently (I'm not sure how frequent) such that any emails sent to
the MS Exch server will get cleared away from the MS Exch (think
it's within a couple of minutes) & then these emails will be stored
in Cerberus.


My question is, after it is disabled, will you still need to get the
messages off the Exchange server?  

No, I don't need to get the messages off the Exchange server.
Technically, I could have used Gmail to substitute for the Exch
server & Cerberus could interface into Gmail to clear out mails
from Gmail via POP3.  Cerberus may send a ticket to whoever
sends emails to the Gmail account so that it would appear to
the sender that the ticket is being sent from the Gmail account.
Gmail supports POP3 if I'm not mistaken. Unfortunately I'm not
allowed to use Gmail due to the sensitivity of the project &
information in the emails & Helpdesk CRs being issued.


Will new helpdesk messages continue to be put on the Exchange?  Or
is mail routing being changed so that these helpdesk emails are
routed to your "new" server, whether it be the helpdesk server or other?

If I replace the Exch with Gmail, the Gmail account will only
"temporarily" store emails sent to it for a couple of minutes
before Cerberus clears away the emails from the Gmail account
& then store the emails in Cerberus.


If this mail server will be used only for this, you can just install postfix and a 
simple pop server. You can use dovecot or even Qualcomm qpopper, whose 
configuration is simpler. Make sure that all messages sent to this account get 
into the mail server (with some mechanism like MX records, forwarding, or so...).







manage blocked and greylisted IPs

2010-11-11 Thread Pedro Axelrud
Hello guys,

We have a startup with an email marketing web app, we are very rigid with
our clients to not allow spammers.
One of our clients wants to send a message to two million contacts and I am
worried with some details. I am not worried about the time that will take to
send all those messages, but I am worried about respecting the server's
policies.

Today we use two dedicated servers as mailservers, each one with four IPs. I
want to make some benchmarks to check if we need more and how many.
We use different transports according to the domain, but what limits its
sending rate is *transport_destination_rate_delay* that is a fixed value,
and also we use the *transport_destination_concurrency_limit* with
*transport_concurrency_negative_feedback* and
*transport_concurrency_positive_feedback* to control the sending rates
according to recipient policies.

But I am worried that with this quantity of messages only these restrictions
won't be able to manage the recipient's policies and our deliverability would
be terrible. One problem that postfix doesn't deal with is when an IP is blocked by
an ISP, message rate should drop a lot while the IP does not get unblocked.
Also when one IP gets greylisted it should stop sending to that domain or
send only a few messages while greylisted.

I want to ask you if there is any optimization in the configs or any postfix
extensions that can help me deal with this.


Thank you

Pedro Axelrud
http://mailee.me
http://softa.com.br
http://flavors.me/pedroaxl


Re: manage blocked and greylisted IPs

2010-11-11 Thread Jeroen Geilman

On 11/11/2010 03:14 PM, Pedro Axelrud wrote:

Hello guys,

We have a startup with an email marketing web app, we are very rigid 
with our clients to not allow spammers.

One of our client's wants to send a message to two million contacts


HOW will they be sending these messages ?
That's the most important factor.
If they try to maildrop 2M messages (or 2000 messages with 1000 
recipients each) into your postfix server, without consultation with 
you, things will get hairy.
If they wish to send a bulk mail to 2M recipients, you probably want to 
tell them to implement a steady delivery mechanism on their end.


There's several ways that can go; you could require that they spread out 
destinations over multiple messages, to spread the concurrency load.
Or the exact opposite: require them to group recipients by domain into 
separate messages, so you can take advantage of the fact that postfix 
will also deliver them as one message.


The right solution will probably be somewhere in the middle; but it 
won't require you to process and queue 2 million messages.
It should be perfectly doable with about 2 messages or so, each with 
100 recipients.


and I am worried with some details. I am not worried about the time 
that will take to send all those messages, but I am worried about 
respecting the server's policies.


Today we use two dedicated servers as mailservers, each one with four 
IPs. I want to make some benchmarks to check if we need more and how many.
We use different transports according to the domain, but what limits 
its sending rate is /transport_destination_rate_delay/ that is a 
fixed value, and also we use the 
/transport_destination_concurrency_limit/ with 
/transport_concurrency_negative_feedback/ and 
/transport_concurrency_positive_feedback/ to control the sending rates 
according to recipient policies.


But I am worried that with this quantity of messages only this 
restrictions wont be able to manage the recipient's policies and our 
deliverability would be terrible.


That's what they are designed for, so normally, they should work fine.

However, deliverability isn't exactly under your control; bad or 
obstinate MTAs may make trouble where there technically isn't any (a 
well-known one would be Yahoo).
It helps markedly if you know this in advance and configure a 
slower-delivering transport for these domains.


You say the time taken to deliver 2M messages isn't a factor - so why 
risk deferrals or rejections by edging close to the (unknown) limits of 
remote servers ?


Just throttle postfix back to deliver ~10 messages per second, and 
slightly less than that amount concurrently per destination.


This would take less than an hour to deliver 2 messages - that's 
insignificant for most purposes.



One problem that postfix don't deal is when an IP is blocked by an 
ISP, message rate should drop a lot while the IP does not get unblocked.


Yes it does. Postfix keeps tabs on undeliverable locations, and doesn't 
try again unnecessarily.


Note that there is a big difference between *blocking* an IP, i.e. the 
mail server is unreachable, and postfix temporarily marks it as such, 
and *rejecting* messages, which means postfix can connect to the server 
just fine, but receives a 4xx status code, which according to the RFCs 
means postfix must queue the mail and try again later.


The latter incurs overhead, and may produce large queues with 
misconfigured servers or bad recipient lists. The former has little impact.


Also when one IP gets greylisted it should stop sending to that domain 
or send only a few messages while greylisted.


Again, most of this is auto-tuned.
As long as the mail is in your deferred queue it doesn't impact delivery 
of subsequent messages - unless the deferred queue grows to unmanageable 
sizes.


You may want to very specifically raise your minimal_backoff_time 
setting so the first retry doesn't happen until, say, an hour later (the 
default is 5 minutes).
This would spread out deferred messages (move them away from being 
retried while still delivering original mail to that location).




I want to ask you if is there any optimization in the configs or any 
postfix extensions that can help me deal with this.


Sure, there are a lot of settings; you may want to start here:

http://www.postfix.org/TUNING_README.html

There are source/sink benchmark tools at the end of that, allowing you 
to simulate high volumes.



--
J.



Re: manage blocked and greylisted IPs

2010-11-11 Thread Mark Goodge

On 11/11/2010 14:56, Jeroen Geilman wrote:

On 11/11/2010 03:14 PM, Pedro Axelrud wrote:

Hello guys,

We have a startup with an email marketing web app, we are very rigid
with our clients to not allow spammers.
One of our client's wants to send a message to two million contacts


HOW will they be sending these messages ?
That's the most important factor.
If they try to maildrop 2M messages (or 2000 messages with 1000
recipients each) into your postfix server, without consultation with
you, things will get hairy.
If they wish to send a bulk mail to 2M recipients, you probably want to
tell them to implement a steady delivery mechanism on their end.

There's several ways that can go; you could require that they spread out
destinations over multiple messages, to spread the concurrency load.
Or the exact opposite: require them to group recipients by domain into
separate messages, so you can take advantage of the fact that postfix
will also deliver them as one message.

The right solution will probably be somewhere in the middle; but it
won't require you to process and queue 2 million messages.
It should be perfectly doable with about 2 messages or so, each with
100 recipients.


If they're running a legitimate and properly managed opt-in mailing list 
then every message will have one, and only one, recipient, as it will 
contain both individual unsubscribe details for that subscriber and 
header tracking to ensure that they can identify any subscriber who 
mistakenly reports it as spam to their ISP or where any message bounces.


So yes, they're going to have to send 2 million messages. There's no 
practical way round that. And if they're not following best practice for 
opt-in mailing lists (including bounce tracking and individual opt-out 
links), then the OP shouldn't be letting them use his mail servers as 
otherwise, he's going to be the one getting the spam complaints.


Mark
--
http://mark.goodge.co.uk


Re: manage blocked and greylisted IPs

2010-11-11 Thread Pedro Axelrud
>
> Yeah, what Mark said is totally correct, the message is almost the same to
> the two million recipients, but each delivery has one recipient and
> different links to track clicks, let him/her u_n_s_u_b_s_c_r_i_b_e (my reply
> before this got bounced because it has this word so they thought I want to
> get off the list) and all those things. In each server we have a daemon that
> gets all the data from the database, generates each message and queues it through
> local smtp.
>
> Thank you Jeroen, the idea of changing the *minimal_backoff_time* is
> great, we should have thought about that before. Also thanks for the doc
> I'll give a look right now.
>
>
> Pedro Axelrud
> http://mailee.me
> http://softa.com.br
> http://flavors.me/pedroaxl
>
>
> On Thu, Nov 11, 2010 at 13:11, Mark Goodge  wrote:
>
>> On 11/11/2010 14:56, Jeroen Geilman wrote:
>>
>>> On 11/11/2010 03:14 PM, Pedro Axelrud wrote:
>>>
>>>> Hello guys,
>>>>
>>>> We have a startup with an email marketing web app, we are very rigid
>>>> with our clients to not allow spammers.
>>>> One of our client's wants to send a message to two million contacts

>>>
>>> HOW will they be sending these messages ?
>>> That's the most important factor.
>>> If they try to maildrop 2M messages (or 2000 messages with 1000
>>> recipients each) into your postfix server, without consultation with
>>> you, things will get hairy.
>>> If they wish to send a bulk mail to 2M recipients, you probably want to
>>> tell them to implement a steady delivery mechanism on their end.
>>>
>>> There's several ways that can go; you could require that they spread out
>>> destinations over multiple messages, to spread the concurrency load.
>>> Or the exact opposite: require them to group recipients by domain into
>>> separate messages, so you can take advantage of the fact that postfix
>>> will also deliver them as one message.
>>>
>>> The right solution will probably be somewhere in the middle; but it
>>> won't require you to process and queue 2 million messages.
>>> It should be perfectly doable with about 2 messages or so, each with
>>> 100 recipients.
>>>
>>
>> If they're running a legitimate and properly managed opt-in mailing list
>> then every message will have one, and only one, recipient, as it will
>> contain both individual unsubscribe details for that subscriber and header
>> tracking to ensure that they can identify any subscriber who mistakenly
>> reports it as spam to their ISP or where any message bounces.
>>
>> So yes, they're going to have to send 2 million messages. There's no
>> practical way round that. And if they're not following best practice for
>> opt-in mailing lists (including bounce tracking and individual opt-out
>> links), then the OP shouldn't be letting them use his mail servers as
>> otherwise, he's going to be the one getting the spam complaints.
>>
>> Mark
>> --
>> http://mark.goodge.co.uk
>>
>
>


RE: confused on reject_unknown_recipient_domain

2010-11-11 Thread PA
Jeroen, thank you for your post, it's very informative and it's what I was
looking for.

 

Paul.

 

From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Jeroen Geilman
Sent: Wednesday, November 10, 2010 6:48 PM
To: postfix-users@postfix.org
Subject: Re: confused on reject_unknown_recipient_domain

 

On 11/10/2010 11:49 PM, PA wrote: 

1st thanks for reading this email.

 

Recently I've been getting hit with a lot of dictionary attacks and I was
wondering if someone can shed some light on this. 

I'm using the following postfix options:

smtpd_sender_restrictions = permit_mynetworks, reject_unauth_pipelining,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org,
    permit

smtpd_recipient_restrictions = regexp:/etc/postfix/recipient_regexp,
    reject_unauth_pipelining, reject_unknown_recipient_domain,
    permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

 

It may make it clearer what is happening if you put all these restrictions
in smtpd_recipient_restrictions.
Unless you changed the default of delay_reject = yes, they are all evaluated
at the recipient stage anyway.
It would also mean less duplication of effort.




 

Notice the email is 1st rejected because of
"reject_unknown_recipient_domain" 


No, two recipients were rejected (that you have shown; include the FULL log
next time)
The other 47 were not.




but then the same email (same message ID) is accepted with 47 recipients. I
thought that once there was an unknown recipient domain that the whole email
would be rejected/deferred back to the sender.


No. Each recipient is either accepted or rejected; a rejection counts
towards the error limit. Once that is reached, the next rejected recipient
(or any other SMTP error) WILL dump the entire message.
You have only two rejected recipients, which is less than your error limit.
The other 47 recipients were fine, according to your configuration.

Stricter checks on mail submitted via SASL will prevent such abuse.




I'm confused as to why the email was delivered??


Because it contained 47 valid recipients and did not trigger sufficient
restrictions to exceed your hard_error_limit.




 

Nov 10 04:10:04 mrelay1 postfix/smtpd[25678]: E287230E8F0: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
Nov 10 04:10:07 mrelay1 postfix/smtpd[25678]: E287230E8F0: reject: RCPT from unknown[94.242.206.37]: 450 4.1.2 : Recipient address rejected: Domain not found; from= to= proto=ESMTP helo=
Nov 10 04:10:10 mrelay1 postfix/smtpd[25678]: E287230E8F0: reject: RCPT from unknown[94.242.206.37]: 450 4.1.2 : Recipient address rejected: Domain not found; from= to= proto=ESMTP helo=
Nov 10 04:10:23 mrelay1 postfix/cleanup[25677]: E287230E8F0: message-id=20101110091004.e287230e...@mrelay1..xx
Nov 10 04:10:23 mrelay1 postfix/qmgr[4833]: E287230E8F0: from= , size=11697, nrcpt=47 (queue active)

 

I'm having a hard time trying to stop spammers from relaying mail through
this server.


The first step would be to disable / reset the password / require strong
passwords on SASL accounts.
This one is obviously compromised - or the client's PC is infected.




We need sasl auth and I can't set any unknown clients restrictions 


You don't need to, if you set up a proper submission listener separate from
the MTA-to-MTA smtpd listener.




because we have customers who connect from ips that don't have a
reverse/forward DNS like some Comcast ips. I was wondering if someone has
any suggestions.


You could change it to this:

smtpd_helo_required = yes
smtpd_sender_restrictions =

smtpd_recipient_restrictions = reject_unauth_pipelining,
    reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname, reject_non_fqdn_sender,
    reject_unknown_reverse_client_hostname, reject_unknown_sender_domain,
    reject_unknown_recipient_domain, permit_mynetworks,
    regexp:/etc/postfix/recipient_regexp, reject_unauth_destination,
    reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org,
    permit


Then you uncomment the submission listener in master.cf:


submission inet n  -   -   -   -   smtpd


This runs on port 587.
You can require both SASL and TLS on this port, and set restrictions that
only apply to this listener:


submission inet n  -   -   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

 

The HELO and *domain checks on the regular port 25 listener will stop a LOT
of spam.





-- 
J.
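
Added example (not part of the thread and not code from any poster): the log excerpt in this message shows one SASL login getting 47 recipients accepted while two others were rejected, which the reply reads as a compromised account. The Python sketch below correlates smtpd and qmgr lines by queue ID to surface that pattern per sasl_username; the sample log is constructed, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog format (documentation IP ranges and
# made-up names). The first message mirrors the thread: 2 rejects, nrcpt=47.
SAMPLE_LOG = """\
Nov 10 04:10:04 mx postfix/smtpd[25678]: A1B2C3D4E5: client=unknown[192.0.2.37], sasl_method=LOGIN, sasl_username=shopuser
Nov 10 04:10:07 mx postfix/smtpd[25678]: A1B2C3D4E5: reject: RCPT from unknown[192.0.2.37]: 450 4.1.2 <a@nx1.invalid>: Recipient address rejected: Domain not found; from=<x@example.com> to=<a@nx1.invalid> proto=ESMTP helo=<pc>
Nov 10 04:10:10 mx postfix/smtpd[25678]: A1B2C3D4E5: reject: RCPT from unknown[192.0.2.37]: 450 4.1.2 <b@nx2.invalid>: Recipient address rejected: Domain not found; from=<x@example.com> to=<b@nx2.invalid> proto=ESMTP helo=<pc>
Nov 10 04:10:23 mx postfix/qmgr[4833]: A1B2C3D4E5: from=<x@example.com>, size=11697, nrcpt=47 (queue active)
Nov 10 04:12:01 mx postfix/smtpd[25690]: F6E7D8C9B0: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=shopuser
Nov 10 04:12:09 mx postfix/qmgr[4833]: F6E7D8C9B0: from=<y@example.com>, size=11702, nrcpt=50 (queue active)
Nov 10 09:30:00 mx postfix/smtpd[26001]: 0123456789: client=host.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Nov 10 09:30:01 mx postfix/qmgr[4833]: 0123456789: from=<alice@example.com>, size=2100, nrcpt=1 (queue active)
Nov 10 09:31:00 mx postfix/smtpd[26002]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 554 5.7.1 <c@example.org>: Relay access denied; from=<z@example.net> to=<c@example.org> proto=ESMTP helo=<h>
"""

LINE = re.compile(r"postfix/(?:\w+/)?(?P<svc>\w+)\[\d+\]: "
                  r"(?P<qid>[0-9A-F]+|NOQUEUE): (?P<rest>.*)")
CLIENT = re.compile(r"client=\S+?\[(?P<ip>[^\]]+)\], sasl_method=\S+, "
                    r"sasl_username=(?P<user>\S+)")
REJECT = re.compile(r"reject: RCPT from \S+?\[(?P<ip>[^\]]+)\]: (?P<code>[45]\d\d) ")
NRCPT = re.compile(r"\bnrcpt=(?P<n>\d+)")


def summarize(lines):
    """Return (per-SASL-user stats, NOQUEUE reject counts per client IP)."""
    owner = {}                        # queue id -> (sasl user, client ip)
    rejects = defaultdict(int)        # queue id -> rejected RCPT commands
    nrcpt = {}                        # queue id -> recipients accepted into the queue
    anon_rejects = defaultdict(int)   # client ip -> rejects with no queue id yet
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, rest = m.group("svc", "qid", "rest")
        if svc == "smtpd":
            c, r = CLIENT.match(rest), REJECT.match(rest)
            if c and qid != "NOQUEUE":
                owner[qid] = (c["user"], c["ip"])
            elif r and qid == "NOQUEUE":
                # No queue file yet, so the reject cannot be tied to a login here.
                anon_rejects[r["ip"]] += 1
            elif r:
                rejects[qid] += 1
        elif svc == "qmgr":
            n = NRCPT.search(rest)
            if n:
                # qmgr logs nrcpt again on every retry; keep one value per message.
                nrcpt[qid] = int(n["n"])
    users = {}
    for qid, (user, ip) in owner.items():
        u = users.setdefault(user, {"messages": 0, "accepted": 0, "rejected": 0,
                                    "max_rcpt": 0, "ips": set()})
        n = nrcpt.get(qid, 0)
        u["messages"] += 1
        u["accepted"] += n
        u["rejected"] += rejects.get(qid, 0)
        u["max_rcpt"] = max(u["max_rcpt"], n)
        u["ips"].add(ip)
    return users, dict(anon_rejects)


def suspicious(users, max_rcpt=20, min_rejects=2, max_ips=1):
    """Flag SASL users whose traffic looks like relay abuse (assumed thresholds)."""
    flagged = {}
    for user, u in sorted(users.items()):
        reasons = []
        if u["max_rcpt"] > max_rcpt:
            reasons.append("%d recipients in one message" % u["max_rcpt"])
        if u["rejected"] >= min_rejects:
            reasons.append("%d recipients rejected while authenticated" % u["rejected"])
        if len(u["ips"]) > max_ips:
            reasons.append("logins from %d client IPs" % len(u["ips"]))
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    stats, anon = summarize(SAMPLE_LOG.splitlines())
    for name, why in suspicious(stats).items():
        print(name, "->", "; ".join(why))
    print("unauthenticated rejects by IP:", anon)
```

The thresholds need tuning per site, since a legitimate list sender will also trip the recipient-count check.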


Re: manage blocked and greylisted IPs

2010-11-11 Thread Jeroen Geilman

On 11/11/2010 05:10 PM, Pedro Axelrud wrote:


Yeah, what Mark said is totally correct, the message is almost the
same to the two million recipients, but each delivery has one
recipient and different links to track clicks, let him/her
u_n_s_u_b_s_c_r_i_b_e (my reply before this got bounced because it
have these word so they thought I want to get off the list) and
all those things.




In each server we have a daemon that get all the data from
database, generate each message and queue it through local smtp.



That would have been useful to know the FIRST time.



Thank you Jeroen, the idea of changing the
/minimal_backoff_time/ is great, we should have thought about that
before. Also thanks for the doc I'll give a look right now.



Don't do this for a normal MTA; start a second instance for spamming if 
this will be a regular thing.

Keep everything nicely separated.


--
J.



[OFF-TOPIC] Does 2.7 RPM Work on RHEL 6?

2010-11-11 Thread Carlos Mennens
I know there's an un-official 2.7 Postfix RPM that I believe Simon
created for RHEL 5 64-bit but does anyone know if there's a RHEL 6
64-bit version available or if the RHEL 5 version will install / work
on RHEL 6?


Re: [OFF-TOPIC] Does 2.7 RPM Work on RHEL 6?

2010-11-11 Thread Victor Duchovni
On Thu, Nov 11, 2010 at 01:46:06PM -0500, Carlos Mennens wrote:

> I know there's an un-official 2.7 Postfix RPM that I believe Simon
> created for RHEL 5 64-bit but does anyone know if there's a RHEL 6
> 64-bit version available or if the RHEL 5 version will install / work
> on RHEL 6?

Simon also publishes SRPMs, so you can build an equivalent RPM on any
latest/greatest release of an O/S, for which Simon has not yet uploaded
a binary package. You really should always do that, and not trust that
some downloaded collection of bits is not booby-trapped.

-- 
Viktor.


Re: [OFF-TOPIC] Does 2.7 RPM Work on RHEL 6?

2010-11-11 Thread Carlos Mennens
On Thu, Nov 11, 2010 at 2:07 PM, Victor Duchovni
 wrote:
> Simon also publishes SRPMs, so you can build an equivalent RPM on any
> latest/greatest release of an O/S, for which Simon has not yet uploaded
> a binary package. You really should always do that, and not trust that
> some downloaded collection of bits is not booby-trapped.

This would be no problem except I've never attempted this before and
just did some searching on the web for tutorials I can follow since I
don't have any experience and honestly I couldn't find much. Does
anyone know that level of difficulty involved from turning SRPM's
into a RPM file I can use / distribute to others? I have the time and
dedication but lack the experience and knowledge.


Re: [OFF-TOPIC] Does 2.7 RPM Work on RHEL 6?

2010-11-11 Thread Jeroen Geilman

On 11/11/2010 08:16 PM, Carlos Mennens wrote:

On Thu, Nov 11, 2010 at 2:07 PM, Victor Duchovni
  wrote:
   

Simon also publishes SRPMs, so you can build an equivalent RPM on any
latest/greatest release of an O/S, for which Simon has not yet uploaded
a binary package. You really should always do that, and not trust that
some downloaded collection of bits is not booby-trapped.
 

This would be no problem except I've never attempted this before and
just did some searching on the web for tutorials I can follow since I
don't have any experience and honestly I couldn't find much. Does
anyone know that level of difficulty involved from turning SRPM's
into a RPM file I can use / distribute to others? I have the time and
dedication but lack the experience and knowledge.
   


Really not that difficult: you need the dev versions of all software postfix 
depends on (mostly openssl AFAIK) and just.. build it.
Building an RPM from an SRPM can be as simple as adding the right options to 
rpm.
I haven't used RPM-based software for years, but IIRC it supports direct 
building from the package manager, similar to Debian.



--
J.



Re: [OFF-TOPIC] Does 2.7 RPM Work on RHEL 6?

2010-11-11 Thread mouss

Le 11/11/2010 20:16, Carlos Mennens a écrit :

On Thu, Nov 11, 2010 at 2:07 PM, Victor Duchovni
  wrote:

Simon also publishes SRPMs, so you can build an equivalent RPM on any
latest/greatest release of an O/S, for which Simon has not yet uploaded
a binary package. You really should always do that, and not trust that
some downloaded collection of bits is not booby-trapped.


This would be no problem except I've never attempted this before and
just did some searching on the web for tutorials I can follow since I
don't have any experience and honestly I couldn't find much. Does
anyone know that level of difficulty involved from turning SRPM's
into a RPM file I can use / distribute to others? I have the time and
dedication but lack the experience and knowledge.




http://perso.b2b2c.ca/sarrazip/dev/rpm-building-crash-course.html

http://wiki.centos.org/HowTos/RebuildSRPM




Re: [OFF-TOPIC] Does 2.7 RPM Work on RHEL 6?

2010-11-11 Thread Victoriano Giralt

mouss wrote:
|> anyone know that level of difficulty involved from turning SRPM's
|> into a RPM file I can use / distribute to others? I have the time and
|> dedication but lack the experience and knowledge.
|
|
|
| http://perso.b2b2c.ca/sarrazip/dev/rpm-building-crash-course.html
|
| http://wiki.centos.org/HowTos/RebuildSRPM
and, finally, Simon's SRPMS have almost all information required to build
them inside the .spec file.

- --
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
- -
A: Yes.
| > Q: Are you sure ?
|> >> A: Because it reverses the logical flow of conversation.
|>> >>> Q: Why is top posting annoying in email ?


Re: manage blocked and greylisted IPs

2010-11-11 Thread Pedro Axelrud
Sorry, I don't exactly get it. What is the problem of having a high
minimal_backoff_time in a normal MTA?
You suggest me to have a fallback_relay only to try to deliver that
messages, right?


Thanks


Pedro Axelrud
http://mailee.me
http://softa.com.br
http://flavors.me/pedroaxl


On Thu, Nov 11, 2010 at 15:36, Jeroen Geilman  wrote:

>  On 11/11/2010 05:10 PM, Pedro Axelrud wrote:
>
>  Yeah, what Mark said is totally correct, the message is almost the same
>> to the two million recipients, but each delivery has one recipient and
>> different links to track clicks, let him/her u_n_s_u_b_s_c_r_i_b_e (my reply
>> before this got bounced because it have these word so they thought I want to
>> get off the list) and all those things.
>>
>
>   In each server we have a daemon that get all the data from database,
>> generate each message and queue it through local smtp.
>>
>
> That would have been useful to know the FIRST time.
>
>
>
>>  Thank you Jeroen, the idea of changing the *minimal_backoff_time* is
>> great, we should have thought about that before. Also thanks for the doc
>> I'll give a look right now.
>>
>
> Don't do this for a normal MTA; start a second instance for spamming if
> this will be a regular thing.
> Keep everything nicely separated.
>
>
> --
> J.
>
>


Re: manage blocked and greylisted IPs

2010-11-11 Thread Jeroen Geilman

On 11/11/2010 09:12 PM, Pedro Axelrud wrote:
Sorry, I don't exactly get it. What is the problem of having a high 
minimal_backoff_time in a normal MTA?


Delays in mail delivery ?

You suggest me to have a fallback_relay only to try to deliver that 
messages, right?


I didn't, but it's not a bad idea.
However, you'd have to HAVE a fallback_relay - that's unlikely if you're 
sending to remote servers.


-- 
J.
 





And please don't top-post.


--
J.



Re: manage blocked and greylisted IPs

2010-11-11 Thread Victor Duchovni
On Thu, Nov 11, 2010 at 06:12:44PM -0200, Pedro Axelrud wrote:

> Sorry, I don't exactly get it. What is the problem of having a high
> minimal_backoff_time in a normal MTA?
> You suggest me to have a fallback_relay only to try to deliver that
> messages, right?

This causes high latency for messages that encounter a "glitch" in the
initial delivery. It also means that deferred queue runs brings more
messages into the active queue in each pass, since more junk accumulates
in a longer interval, as a result the active queue sees larger spikes
of undeliverable mail on a less-frequent basis, which is sub-optimal.

-- 
Viktor.


Re: [OFF-TOPIC] Does 2.7 RPM Work on RHEL 6?

2010-11-11 Thread Voytek Eymont

On Fri, November 12, 2010 6:16 am, Carlos Mennens wrote:
> On Thu, Nov 11, 2010 at 2:07 PM, Victor Duchovni
>  wrote:

> This would be no problem except I've never attempted this before and
> just did some searching on the web for tutorials I can follow since I don't
> have any experience and honestly I couldn't find much. Does anyone know
> that level of difficulty involved from turning SRPM's into a RPM file I
> can use / distribute to others? I have the time and dedication but lack
> the experience and knowledge.

Carlos,

on a couple (if not more) occasions, I've used Simon's SRPMs to make RPMs
with my desired options (that were not in Simon's default), using info on
Simon's site, it was proverbially eezy, peezy

so, the level is easy if not easier, documentation provided is excellent,
you should be able to follow up each step 'just like that'



-- 
Voytek



spf, greylist rec?

2010-11-11 Thread Jay G. Scott

first, my problem from october is resolved, thanks to the help i got
from this list.  basically i lacked the requisite knowledge.  i'm
getting closer to competent, thanks.
(was: postfix not delivering all by itself.  (it is now.))

i'm considering adding greylisting and SPF to postfix.
(ah, FWIW i already have postfix working w/ sophos' puremessage.
i am NOT using sophos' postfix.  i'm using 2.7.1 that i compiled
for myself.)  there are a handful of things out there that
do greylisting and spf w/ postfix.  does anyone have any recommendation
of one vs. the others?  it's fairly likely that i'll be forced
to leave greylisting out.  i ran greylist-milter (IIRC) on a test
box and they got all freaked out over the first legit email
being delayed for ...  whatever it was.  still a sore point
w/ me.  ANYWAY, if i'm only allowed to do SPF, does the answer
change?

thanks again.

j.


postfix/smtpd[4313]: NOQUEUE: reject: RCPT from (certain providers) Relay access denied;

2010-11-11 Thread John Hinton

I am new to Postfix. Sorry :(

This is a hosting server and I am having problems with only some users 
sending email and only from what appears to be certain ISPs. The one I'm 
working on at the moment is rr.com


First, I can set up an email account for this same user and send just 
fine. I am not on rr.com. It looks like maybe I'm having the same issue 
with myvzw.com.


You can see that I am also running amavisd-new. I do have a subscription 
to Spamhaus, but am not pulling in the PBL data.


From my logs, I get this (with only the actual domains changed to 
protect the innocent)


Nov 11 13:49:11 orion postfix/smtpd[7737]: NOQUEUE: reject: RCPT from 
rrcs-96-11-199-15.central.biz.rr.com[96.11.199.15]: 554 5.7.1 
: Relay access denied; from= 
to= proto=ESMTP helo=


I have checked that this IP address is not listed on any blacklist.

Here's my conf.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisd-new:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = orion.ew3d.com
myhostname = orion.ew3d.com
mynetworks = 64.203.174.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = reject_rbl_client sbl.dnsbl,
reject_rbl_client xbl.dnsbl
smtpd_recipient_restrictions = 
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/pki/tls/certs/orion.ew3d.com.cert
smtpd_tls_key_file = /etc/pki/tls/private/orion.ew3d.com.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Thanks for any help!

--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: postfix/smtpd[4313]: NOQUEUE: reject: RCPT from (certain providers) Relay access denied;

2010-11-11 Thread Brian Evans - Postfix List

On 11/11/2010 4:24 PM, John Hinton wrote:

I am new to Postfix. Sorry :(

This is a hosting server and I am having problems with only some users 
sending email and only from what appears to be certain ISPs. The one 
I'm working on at the moment is rr.com


First, I can set up an email account for this same user and send just 
fine. I am not on rr.com. It looks like maybe I'm having the same 
issue with myvzw.com.


You can see that I am also running amavisd-new. I do have a 
subscription to Spamhaus, but am not pulling in the PBL data.


From my logs, I get this (with only the actual domains changed to 
protect the innocent)


Nov 11 13:49:11 orion postfix/smtpd[7737]: NOQUEUE: reject: RCPT from 
rrcs-96-11-199-15.central.biz.rr.com[96.11.199.15]: 554 5.7.1 
: Relay access denied; from= 
to= proto=ESMTP helo=




Relay access denied means it was rejected by reject_unauth_destination.
This means, by your configuration, it's not in sbl or xbl, it's not from 
within mynetworks and it is not sasl authenticated and was not destined 
for any domain not destined for your system.


If this is a trusted client, they should be instructed to use SASL 
authentication.

If not, it is most likely a zombie PC spewing trash into the void.

Brian


I have checked that this IP address is not listed on any blacklist.

Here's my conf.

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = orion.ew3d.com
myhostname = orion.ew3d.com
mynetworks = 64.203.174.0/24, 127.0.0.0/8

smtpd_client_restrictions = reject_rbl_client sbl.dnsbl,
reject_rbl_client xbl.dnsbl
smtpd_recipient_restrictions = 
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination


Thanks for any help!





Re: postfix/smtpd[4313]: NOQUEUE: reject: RCPT from (certain providers) Relay access denied;

2010-11-11 Thread Noel Jones

On 11/11/2010 3:24 PM, John Hinton wrote:

I am new to Postfix. Sorry :(

This is a hosting server and I am having problems with only
some users sending email and only from what appears to be
certain ISPs. The one I'm working on at the moment is rr.com

First, I can set up an email account for this same user and
send just fine. I am not on rr.com. It looks like maybe I'm
having the same issue with myvzw.com.

You can see that I am also running amavisd-new. I do have a
subscription to Spamhaus, but am not pulling in the PBL data.

 From my logs, I get this (with only the actual domains
changed to protect the innocent)

Nov 11 13:49:11 orion postfix/smtpd[7737]: NOQUEUE: reject:
RCPT from rrcs-96-11-199-15.central.biz.rr.com[96.11.199.15]:
554 5.7.1 : Relay access denied;
from= to= proto=ESMTP
helo=


The client was rejected by reject_unauth_destination; it's 
neither a member of mynetworks nor did they provide AUTH 
credentials.



message_size_limit = 0


Not a good idea.  Put some kind of limit; even insanely large 
is better than no limit.




smtpd_client_restrictions = reject_rbl_client sbl.dnsbl,
reject_rbl_client xbl.dnsbl


You should precede your RBL checks with 
"permit_sasl_authenticated" so that authorized clients aren't 
rejected just because they are on some RBL.




smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination


OK.


  -- Noel Jones
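
Added example (not part of the thread, and not Postfix code): a simplified Python model of how the restriction lists discussed in the two replies above are evaluated, showing why the rr.com client gets "Relay access denied" and what moving permit_sasl_authenticated ahead of the RBL checks changes. Assumptions: the RBL set, the recipient addresses, the SASL user and the RBL reject text are constructed; only exact-match destinations are modelled.

```python
import ipaddress

# Values taken from the configuration posted in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("64.203.174.0/24", "127.0.0.0/8")]
MYDESTINATION = {"orion.ew3d.com", "localhost.orion.ew3d.com", "localhost"}
RELAY_DOMAINS = set()
# Constructed stand-in for the DNSBL lookups so the example runs offline.
RBL_LISTED = {"203.0.113.7"}

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return "PERMIT" if any(ip in n for n in MYNETWORKS) else None

def permit_sasl_authenticated(s):
    return "PERMIT" if s.get("sasl_user") else None

def reject_rbl_client(s):
    # Simplified reply text, not the wording Postfix logs.
    return "REJECT blocked by RBL" if s["client"] in RBL_LISTED else None

def reject_unauth_destination(s):
    domain = s["rcpt"].rsplit("@", 1)[1].lower()
    if domain in MYDESTINATION or domain in RELAY_DOMAINS:
        return None  # mail for this system: no decision, fall through
    return "REJECT 554 5.7.1 Relay access denied"

def evaluate(restriction_lists, session):
    """First PERMIT ends the current list; first REJECT ends everything."""
    for restrictions in restriction_lists:
        for check in restrictions:
            verdict = check(session)
            if verdict == "PERMIT":
                break
            if verdict:
                return verdict
    return "OK"

RECIPIENT = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]
POSTED = [[reject_rbl_client], RECIPIENT]                                # as posted
REORDERED = [[permit_sasl_authenticated, reject_rbl_client], RECIPIENT]  # as advised

# Constructed sessions; only 96.11.199.15 comes from the log line in the thread.
rr_client = {"client": "96.11.199.15", "rcpt": "someone@example.net"}
inbound = {"client": "96.11.199.15", "rcpt": "user@orion.ew3d.com"}
roaming = {"client": "203.0.113.7", "sasl_user": "alice", "rcpt": "someone@example.net"}

if __name__ == "__main__":
    for name, s in (("rr_client", rr_client), ("inbound", inbound), ("roaming", roaming)):
        print(name, "|", evaluate(POSTED, s), "|", evaluate(REORDERED, s))
```

The unauthenticated rr.com client is refused only when the recipient is outside mydestination; the authenticated client on a listed address is refused under the posted client restrictions and accepted under the reordered ones.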


Re: postfix/smtpd[4313]: NOQUEUE: reject: RCPT from (certain providers) Relay access denied;

2010-11-11 Thread John Hinton

On 11/11/2010 4:45 PM, Noel Jones wrote:

On 11/11/2010 3:24 PM, John Hinton wrote:

I am new to Postfix. Sorry :(

This is a hosting server and I am having problems with only
some users sending email and only from what appears to be
certain ISPs. The one I'm working on at the moment is rr.com

First, I can set up an email account for this same user and
send just fine. I am not on rr.com. It looks like maybe I'm
having the same issue with myvzw.com.

You can see that I am also running amavisd-new. I do have a
subscription to Spamhaus, but am not pulling in the PBL data.

 From my logs, I get this (with only the actual domains
changed to protect the innocent)

Nov 11 13:49:11 orion postfix/smtpd[7737]: NOQUEUE: reject:
RCPT from rrcs-96-11-199-15.central.biz.rr.com[96.11.199.15]:
554 5.7.1 : Relay access denied;
from= to= proto=ESMTP
helo=


The client was rejected by reject_unauth_destination; it's neither a 
member of mynetworks nor did they provide AUTH credentials.



message_size_limit = 0


Not a good idea.  Put some kind of limit; even insanely large is 
better than no limit.




smtpd_client_restrictions = reject_rbl_client sbl.dnsbl,
reject_rbl_client xbl.dnsbl


You should precede your RBL checks with "permit_sasl_authenticated" so 
that authorized clients aren't rejected just because they are on some 
RBL.




smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination


OK.


  -- Noel Jones


Thank you all. How embarrassing. Turns out this is just a "stupid 
Outlook not accepting settings" problem. We will delete and recreate the 
account if needed.


Also, thanks so much for the tuning tips! I guess I wasn't so far off 
for doing it on my own. I'm really good with Sendmail, but the learning 
curve with Postfix is a bit steep (yes, and it was with Sendmail as 
well). Mostly 'learning' what the logs are saying is the tough part. 
Very different animals.


Now, off to 'tweak' my conf.

--
John Hinton




Re: [OFF-TOPIC] Does 2.7 RPM Work on RHEL 6?

2010-11-11 Thread fakessh @

Le 11.11.2010 22:10, Voytek Eymont a écrit :
> 
> On Fri, November 12, 2010 6:16 am, Carlos Mennens wrote:
>> On Thu, Nov 11, 2010 at 2:07 PM, Victor Duchovni
>>  wrote:
> 
>> This would be no problem except I've never attempted this before and
>> just did some searching on the web for tutorials I can follow since I don't
>> have any experience and honestly I couldn't find much. Does anyone know
>> that level of difficultly involved from turning SRPM's into a RPM file I
>> can use / distribute to others? I have the time and dedication but lack
>> the experience and knowledge.
> 
> Carlos,
> 
> on a couple (if not more) occasions, I've used Simon's SRPMs to make RPMs
> with my desired options (that were not in Simon's default), using info on
> Simon's site, it was proverbially eezy, peezy
> 
> so, the level is easy if not easier, documentation provided is excellent,
> you should be able to follow up each step 'just like that'
> 
> 
> 

i have packaged simon mudd's rpms for compliance with rhel and
centos; i use them with much success on my host.
the addresses:
http://ns.fakessh.eu/postfix-2.7.1-1.pcre.pgsql.mysql.sasl2.dovecot.vda.rhel5.src.rpm

http://ns.fakessh.eu/postfix-2.7.1-1.pcre.pgsql.mysql.sasl2.dovecot.vda.rhel5.i386.rpm
-- 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7


Re: Does postfix support POP3 & anyone used Cerberus Helpdesk with Postfix

2010-11-11 Thread sunhux G
>What I want to know is, who/what is routing these messages, currently,
>to an Exchange mailbox, and will they be changing that routing to a
>mailbox that YOU specify when they "break" your use of Exchange?
This routing is done by Cerberus, I can configure Cerberus to grab
mails from any other location that supports POP3

>In other words, if you install Postfix and a popd on your current help
>desk server box, and tell _the_responsible_OPs_ to route those emails to
>helpd...@yourbox.yourcompnay.tld will they oblige you?

Yes, the users can be informed to send their emails to another location


U