Re: How to replace underscores in hostnames to a valid character?

2010-11-20 Thread Jerry
On Sat, 20 Nov 2010 02:45:13 +0100
mouss  articulated:

> On 19/11/2010 22:22, Jeroen Geilman wrote:
> > On 11/18/2010 03:11 PM, Jerry wrote:
> >> To a point I would agree with you. I have often wondered what moron
> >> came up with certain "standards" that are now in effect.
> >
> >
> > That would be the morons without whom you would not HAVE internet.
> >
> > Get a clue, please.
> >
> 
> I think you misread Jerry's post. his first statement is
> "unfortunate" because it encourages ignoring the rest. but his last
> statement says:
> 
> "Ignoring its existence, at least in my opinion, is not a viable
> option."

Thank you mouss. I probably could have worded my response better;
however, I did feel it was obvious what the intent was.

In any case, this is an example of what I consider to be overthinking a
problem.  Personally, I have been a
lifelong supporter of the "KISS" principle. This RFC seems to only
overly complicate the issue. I read somewhere that supposedly on
12/01/2010,  will only be accepting reports in this
form. Considering that they don't do much with reports in any form to
begin with, when added to the very real possibility that they will not
be receiving reports in rfc5965 format any time soon, I believe I can
safely state that the Yahoo abuse staff will have a very carefree/work
free holiday season.


Then again, that is just my 2¢. Feel free to object.

-- 
Jerry ✌
postfix-u...@seibercom.net



E-mail more than 889 characters in line 1 DKIM Authentication Error

2010-11-20 Thread vfx9as
hi

E-mail more than 889 characters on line 1 DKIM authentication error in
trouble

sendmail8.14.4 does not matter.

It is expected over the milter-mail after entering,
I think the idea of being sent from the line and then split in the process.

E-mail and entered, after the signing process (line breaks), so being sent
I think the idea will always fail authentication.

What causes, how to deal with what could be?

If that is working correctly, what Irasshaimasu.

postfix-2.7.1 and uses the opendkim2.2.1.

For example:
Authentication Error
printf "From: root\n\n%0990s" 990 | sendmail root

Authentication OK
printf "From: root\n\n%0989s" 989 | sendmail root


Re: E-mail more than 889 characters in line 1 DKIM Authentication Error

2010-11-20 Thread Wietse Venema
vfx9as:
> hi
> 
> E-mail more than 889 characters on line 1 DKIM authentication error in
> trouble

Please fix your app to stop sending insanely long lines.

Please see RFC 5321 section "4.5.3.1.6. Text Line"

   The maximum total length of a text line including the <CRLF> is 1000
   octets (not counting the leading dot duplicated for transparency).
   This number may be increased by the use of SMTP Service Extensions.

Please see http://www.postfix.org/postconf.5.html#smtp_line_length_limit

   The maximal length of message header and body lines that  Postfix  will
   send via SMTP.  Longer lines are broken by inserting "<CR><LF><SPACE>".
   This minimizes the damage to MIME formatted mail.

   By default, the line length is limited to 990 characters, because  some
   server implementations cannot receive mail with long lines.

You can change this to 998. Sending longer lines violates RFC 5321
and its predecessors.

Wietse

> sendmail8.14.4 does not matter.
> 
> It is expected over the milter-mail after entering,
> I think the idea of being sent from the line and then split in the process.
> 
> E-mail and entered, after the signing process (line breaks), so being sent
> I think the idea will always fail authentication.
> 
> What causes, how to deal with what could be?
> 
> If that is working correctly, what Irasshaimasu.
> 
> postfix-2.7.1 and uses the opendkim2.2.1.
>
> For example:
> Authentication Error
> printf "From: root\n\n%0990s" 990 | sendmail root
> 
> Authentication OK
> printf "From: root\n\n%0989s" 989 | sendmail root
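
Added example (not part of the thread, and not Postfix or OpenDKIM code): a Python model of why a body line that is broken after signing can no longer match the DKIM body hash (`bh=`). `break_long_lines` is a simplified stand-in for the `smtp_line_length_limit` behaviour quoted above, the canonicalization follows RFC 6376, and the sample bodies are constructed.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"


def break_long_lines(body: bytes, limit: int = 990) -> bytes:
    """Simplified model (assumption) of the sending side: every line longer
    than `limit` bytes is cut into pieces joined by <CR><LF><SPACE>."""
    out = []
    for line in body.split(CRLF):
        pieces = [line[i:i + limit] for i in range(0, len(line), limit)] or [b""]
        out.append((CRLF + b" ").join(pieces))
    return CRLF.join(out)


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop empty lines at the end, keep one final CRLF."""
    while body.endswith(CRLF):
        body = body[:-2]
    return body + CRLF


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of WSP, strip WSP at end of line,
    drop empty lines at the end of the body."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + CRLF for ln in lines)


CANON = {"simple": canon_simple, "relaxed": canon_relaxed}


def body_hash(body: bytes, canon: str) -> str:
    """Value a signer would place in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(CANON[canon](body)).digest()).decode()


def survives_transit(body: bytes, limit: int = 990) -> dict:
    """Compare the hash computed at signing time with the hash of what is
    actually sent after long lines have been broken."""
    sent = break_long_lines(body, limit)
    return {name: body_hash(body, name) == body_hash(sent, name) for name in CANON}


def overlong_lines(body: bytes, limit: int = 990) -> list:
    """Pre-signing check: (line number, length) of every line over the limit."""
    return [(n, len(ln)) for n, ln in enumerate(body.split(CRLF), 1) if len(ln) > limit]


# Constructed sample bodies: one well within the limit, one far beyond it.
SHORT_BODY = b"hello" + CRLF + b"x" * 500 + CRLF
LONG_BODY = b"hello" + CRLF + b"x" * 1200 + CRLF

if __name__ == "__main__":
    for label, body in (("short", SHORT_BODY), ("long", LONG_BODY)):
        print(label, overlong_lines(body), survives_transit(body))
```

Neither canonicalization absorbs the inserted line break: "relaxed" only normalizes whitespace within a line, so the message has to be wrapped before it is signed.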



Re: Mail to root user on gateway behind security appliance

2010-11-20 Thread mouss

On 19/11/2010 21:14, Stan Hoeppner wrote:

>> Why is Postfix ignoring the alias entry for root?



First, /etc/aliases only applies to "local" domains. but OP has

mydestination =
local_transport = error:local mail delivery is disabled



Second, non fqdn addresses get "fixed" by postfix. In particular, OP has

# postconf myorigin
myorigin = $myhostname
# postconf myhostname
myhostname = mail.example.org

so mail for  goes to 



>> I have run newaliases and restarted postfix and I can see that the
>> aliases.db has been updated.
>
> This is really hard to say without seeing the actual contents of
> /etc/aliases, /usr/bin/newaliases.postfix, and
> /etc/postfix/relay_recipients, and unobfuscated log entries.




OP has (at least) two options:

Option 1)
deliver mail for root to a remote account (j...@example.net). This is 
achieved by adding the following entry to virtual_alias_maps:


r...@mail.example.org   j...@example.net

This way, mail for  will get sent to 


Option 2)
deliver such mail to a local account.

for this, OP needs to remove his local_transport setting and set
mydestination = localhost.example.com
and keep
relay_domains =


and the virtual alias would be
r...@mail.example.org   r...@localhost.example.com

addon:
to avoid accepting mail for *...@localhost.example.com via smtp, simply add 
an access check to smtpd restrictions. for example:


smtpd_sender_restrictions =
    check_recipient_access pcre:/etc/postfix/access_recipient.pcre

== access_recipient.pcre
/@localhost\.example\.com$/ REJECT blah blah
# block mail to our IPs
/@\[127/    REJECT blah blah
/@\[10\./   REJECT blah blah



This won't stop mail to j...@[local.ip]
you can use a pcre access check if that really matters...


warning: connect to private/anvil: Connection refused

2010-11-20 Thread jayluke
Mac OS X 10.4.11 server "migrated" over to Mac OS X Server 10.6.

Now, Receiving e-mail into new server is almost non-existent.  It seems a
lot of mail is being received by the Mail Server, but not being delivered
to the client computers.

At your mercy for some assistance thanks !


Nov 20 08:51:32 mail postfix/smtpd[1525]: disconnect from
unknown[211.172.215.191]
Nov 20 08:52:19 mail postfix/smtpd[1277]: connect from
imr-ma05.mx.aol.com[64.12.100.31]
Nov 20 08:52:19 mail postfix/smtpd[1277]: warning: connect to
private/anvil: Connection refused
Nov 20 08:52:19 mail postfix/smtpd[1277]: warning: problem talking to
server private/anvil: Connection refused
Nov 20 08:52:20 mail postfix/smtpd[1277]: warning: connect to
private/anvil: Connection refused
Nov 20 08:52:20 mail postfix/smtpd[1277]: warning: problem talking to
server private/anvil: Connection refused
Nov 20 08:52:20 mail postfix/smtpd[1277]: warning: restriction
`reject_invalid_helo_hostname' after `permit' is ignored
Nov 20 08:52:20 mail postfix/smtpd[1277]: NOQUEUE: reject: RCPT from
imr-ma05.mx.aol.com[64.12.100.31]: 450 4.7.1 :
Recipient address rejected: Service is unavailable; from=
to= proto=ESMTP helo=
Nov 20 08:52:20 mail postfix/smtpd[1277]: warning: restriction
`reject_invalid_helo_hostname' after `permit' is ignored
Nov 20 08:52:20 mail postfix/smtpd[1277]: NOQUEUE: reject: RCPT from
imr-ma05.mx.aol.com[64.12.100.31]: 450 4.7.1 :
Recipient address rejected: Service is unavailable; from=
to= proto=ESMTP helo=
Nov 20 08:52:21 mail postfix/smtpd[1525]: connect from
smtp115-mob.biz.mail.ne1.yahoo.com[98.138.88.252]
Nov 20 08:52:21 mail postfix/smtpd[1525]: warning: connect to
private/anvil: Connection refused
Nov 20 08:52:21 mail postfix/smtpd[1525]: warning: problem talking to
server private/anvil: Connection refused
Nov 20 08:52:22 mail postfix/smtpd[1525]: warning: connect to
private/anvil: Connection refused
Nov 20 08:52:22 mail postfix/smtpd[1525]: warning: problem talking to
server private/anvil: Connection refused
Nov 20 08:52:22 mail postfix/smtpd[1525]: warning: restriction
`reject_invalid_helo_hostname' after `permit' is ignored
Nov 20 08:52:22 mail postfix/smtpd[1525]: NOQUEUE: reject: RCPT from
smtp115-mob.biz.mail.ne1.yahoo.com[98.138.88.252]: 450 4.7.1
: Recipient address rejected: Service is unavailable;
from= to= proto=SMTP
helo=
Nov 20 08:52:22 mail postfix/smtpd[1525]: warning: connect to
private/anvil: Connection refused
Nov 20 08:52:22 mail postfix/smtpd[1525]: warning: problem talking to
server private/anvil: Connection refused
Nov 20 08:52:23 mail postfix/smtpd[1525]: warning: connect to
private/anvil: Connection refused





Re: E-mail more than 889 characters in line 1 DKIM Authentication Error

2010-11-20 Thread vfx9as
(10/11/20 23:10), Wietse Venema wrote:
> vfx9as:
>> hi
>>
>> E-mail more than 889 characters on line 1 DKIM authentication error in
>> trouble
>
> Please fix your app to stop sending insanely long lines.
>


At present, postfix will send to the split.
Milter currently divided data, postfix will send to the split.
The data is divided milter if there are any problems with me I am.

Since the problem 8.14.4 sendmail, sendmail milter dividing line
appears to have passed.



> Please see RFC 5321 section "4.5.3.1.6. Text Line"
>
>    The maximum total length of a text line including the <CRLF> is 1000
>    octets (not counting the leading dot duplicated for transparency).
>    This number may be increased by the use of SMTP Service Extensions.
>
> Please see http://www.postfix.org/postconf.5.html#smtp_line_length_limit
>
>    The maximal length of message header and body lines that  Postfix  will
>    send via SMTP.  Longer lines are broken by inserting "<CR><LF><SPACE>".
>    This minimizes the damage to MIME formatted mail.
>
>    By default, the line length is limited to 990 characters, because  some
>    server implementations cannot receive mail with long lines.
>

In 980 characters or more lines as it will split 1 postfix, and long
lines to fill in
Line characters sent so I do not think 980 RFC violation.


Re: warning: connect to private/anvil: Connection refused

2010-11-20 Thread Larry Stone
On 11/20/10 8:24 AM, jayl...@lukedesign.com at jayl...@lukedesign.com wrote:

> Mac OS X 10.4.11 server "migrated" over to Mac OS X Server 10.6.
> 
> Now, Receiving e-mail into new server is almost non-existent.  It seems a
> lot of mail is being received by the Mail Server, but not being delivered
> to the client computers.
> 
> At your mercy for some assistance thanks !
> 
> 
> Nov 20 08:51:32 mail postfix/smtpd[1525]: disconnect from
> unknown[211.172.215.191]
> Nov 20 08:52:19 mail postfix/smtpd[1277]: connect from
> imr-ma05.mx.aol.com[64.12.100.31]
> Nov 20 08:52:19 mail postfix/smtpd[1277]: warning: connect to
> private/anvil: Connection refused
> Nov 20 08:52:19 mail postfix/smtpd[1277]: warning: problem talking to
> server private/anvil: Connection refused
> Nov 20 08:52:20 mail postfix/smtpd[1277]: warning: connect to
> private/anvil: Connection refused
> Nov 20 08:52:20 mail postfix/smtpd[1277]: warning: problem talking to
> server private/anvil: Connection refused
> Nov 20 08:52:20 mail postfix/smtpd[1277]: warning: restriction
> `reject_invalid_helo_hostname' after `permit' is ignored
> Nov 20 08:52:20 mail postfix/smtpd[1277]: NOQUEUE: reject: RCPT from
> imr-ma05.mx.aol.com[64.12.100.31]: 450 4.7.1 :
> Recipient address rejected: Service is unavailable; from=
> to= proto=ESMTP helo=
> Nov 20 08:52:20 mail postfix/smtpd[1277]: warning: restriction
> `reject_invalid_helo_hostname' after `permit' is ignored
> Nov 20 08:52:20 mail postfix/smtpd[1277]: NOQUEUE: reject: RCPT from
> imr-ma05.mx.aol.com[64.12.100.31]: 450 4.7.1 :
> Recipient address rejected: Service is unavailable; from=
> to= proto=ESMTP helo=

I recall a similar issue when I upgraded from 10.4.x client to 10.5. Did you
copy your old master.cf instead of starting with Apple's new default? IIRC,
you need to add the anvil service to your master.cf:
anvil unix  -   -   n   -   1   anvil
And I'd double-check that all other needed Postfix services are in master.cf
as 10.6 has a later version of Postfix than 10.4.

However, you have a second problem in the definition of one of your
restrictions as one of those warnings is telling you you have an absolute
permit and then follow it with more restrictions. Processing will always
stop with the permit. But you will need to post your postconf -n for more
help with that issue.

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/




Re: Block A Sender in Postfix

2010-11-20 Thread Carlos Mennens
On Fri, Nov 19, 2010 at 5:46 PM, Jacqui Caren-home
 wrote:
> However I took a peek at the digitalriver.com website and from the content
> it does not look promising. From their product literature, I suspect they
> have
> provided the facilities (and technology) to allow bluehornet to keep
> spamming you.
> Not sure if this makes them at least partially liable for the spam though.
> Nice thing is digitalriver is a multinational so have a lot to lose :-)

So I'm done trying to ask nicely and it doesn't seem like I'm going to
get any results so now I'd like to get back to my original question,
what's the best way via Postfix to stop them from sending mail to my
Postfix server? How can I block them so their mail is rejected? I'd
like to have a method in '/etc/postfix/' that I can block specific
clients (I'm assuming "clients" is the proper name for servers that
try and communicate with my SMTP server) based on IP(s).

Can someone please tell me the recommended way to do this in Postfix?
I'm sure most of you veterans have had a time where you had to stop a
specific server from sending your Postfix server email. How do I go
about this?


reject_unauth_destination status=2, should be 0

2010-11-20 Thread Ben

Hello,

I have a problem of relay access denied with postfix to deliver a mail 
to one domain (only one, all other domains are ok). I ran smtpd in 
verbose mode and I can see that it's the reject_unauth_destination 
generic check that reply with status 2, so postfix reject the mail.


So I suspected the virtual map config. Here an extract of postconf :

virtual_alias_domains = $virtual_alias_maps
virtual_alias_expansion_limit = 1000
virtual_alias_maps = $virtual_maps
virtual_alias_recursion_limit = 1000
virtual_destination_concurrency_limit = $default_destination_concurrency_limit
virtual_destination_recipient_limit = $default_destination_recipient_limit
virtual_gid_maps = proxy:mysql:/etc/postfix/mygid.cf
virtual_mailbox_base = /
virtual_mailbox_domains = $virtual_mailbox_maps
virtual_mailbox_limit = 5120
virtual_mailbox_lock = fcntl
virtual_mailbox_maps = proxy:mysql:/etc/postfix/myvirtual.cf
virtual_minimum_uid = 1000
virtual_transport = virtual
virtual_uid_maps = static:33

Is it normal that virtual_maps is not defined ? It appears in main.cf, 
but not in postconf. May be it's the problem, but it works with others 
domains...


I suspected an encoding problem with the SQL query (the domain contains 
hyphens), so I tried to query the SQL db with the data contained in 
/etc/postfix/myvirtual.cf, but it seems to be OK (it returns a result).


Where can I get more information on the way reject_unauth_destination 
works ? Is it possible to get log from this component ?
If anyone have an idea on what cause this behavior, I'll be glad to hear 
from him ! :)


Thanks,

Ben


Re: reject_unauth_destination status=2, should be 0

2010-11-20 Thread Wietse Venema
Ben:
> Hello,
> 
> I have a problem of relay access denied with postfix to deliver a mail 
> to one domain (only one, all other domains are ok). I ran smtpd in 

Does the domain name match mydestination? If yes, show evidence.

Does the domain name match virtual_alias_domains? If yes, show evidence.

Does the domain name match virtual_mailbox_domains? If yes, show evidence.

Does the domain name match relay_domains? If yes, show evidence.

Wietse




Re: Block A Sender in Postfix

2010-11-20 Thread Pete
On Sat, Nov 20, 2010 at 10:57:58AM -0500, Carlos Mennens wrote:

[snip]


> So I'm done trying to ask nicely and it doesn't seem like I'm going to
> get any results so now I'd like to get back to my original question,
> what's the best way via Postfix to stop them from sending mail to my
> Postfix server? How can I block them so their mail is rejected? I'd
> like to have a method in '/etc/postfix/' that I can block specific
> clients (I'm assuming "clients" is the proper name for servers that
> try and communicate with my SMTP server) based on IP(s).
> 
> Can someone please tell me the recommended way to do this in Postfix?
> I'm sure most of you veterans have had a time where you had to stop a
> specific server from sending your Postfix server email. How do I go
> about this?

Hello,

Apologies if I've missed the point of your question but here's how I
successfully do what I *think* you're trying to do :

Here's my /etc/postfix/main.cf :

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_unauth_pipelining,
  check_client_access hash:/etc/postfix/smtp_client_access,
  check_sender_access hash:/etc/postfix/smtp_sender_access,
  reject_unknown_sender_domain,
  reject_rbl_client zen.spamhaus.org,
  reject_invalid_hostname


For the 'smtp_client_access' and 'smtp_sender_access' references to work you
first need to create them using a text editor (mine's Vim) and then run as
root :

postmap hash:smtp_client_access

With the same applying for the 'smtp_sender_access' file. That command
assumes you're in the /etc/postfix directory. Restart Postfix after applying
the command/s.

The format of my smtp_client_access file is like so :

.dodgyhost.tld REJECT Spam sewer.
.evilspammer.tld   REJECT Spam sewer.

The format of my smtp_sender_access file is like so :

barrelshoot.tld     REJECT No thanks.
al...@example.tld   OK
example.tld         REJECT No thanks.
freespam.tld        REJECT Go away.
interesting101@     OK


HTH.

Regards,

Pete.


Re: reject_unauth_destination status=2, should be 0

2010-11-20 Thread Ben

On 20/11/2010 18:26, Wietse Venema wrote:
> Ben:
>> Hello,
>>
>> I have a problem of relay access denied with postfix to deliver a mail
>> to one domain (only one, all other domains are ok). I ran smtpd in
>
> Does the domain name match mydestination? If yes, show evidence.
>
> Does the domain name match virtual_alias_domains? If yes, show evidence.
>
> Does the domain name match virtual_mailbox_domains? If yes, show evidence.
>
> Does the domain name match relay_domains? If yes, show evidence.
>
> Wietse

Thank you for your reply. How can I show you evidence ? I've attached a 
log extract showing the process.


Ben


Nov 19 17:34:50 kappa postfix/smtpd[23554]: >>> START Recipient address RESTRICTIONS <<<
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=permit_mynetworks
Nov 19 17:34:50 kappa postfix/smtpd[23554]: permit_mynetworks: mail-ww0-f47.google.com 74.125.82.47
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_hostname: mail-ww0-f47.google.com ~? 127.0.0.1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_hostaddr: 74.125.82.47 ~? 127.0.0.1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_hostname: mail-ww0-f47.google.com ~? 127.0.0.1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_hostaddr: 74.125.82.47 ~? 127.0.0.1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_list_match: mail-ww0-f47.google.com: no match
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_list_match: 74.125.82.47: no match
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=permit_mynetworks status=0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=permit_sasl_authenticated
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=permit_sasl_authenticated status=0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_invalid_hostname
Nov 19 17:34:50 kappa postfix/smtpd[23554]: reject_invalid_hostname: mail-ww0-f47.google.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_invalid_hostname status=0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_non_fqdn_hostname
Nov 19 17:34:50 kappa postfix/smtpd[23554]: reject_non_fqdn_hostname: mail-ww0-f47.google.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_non_fqdn_hostname status=0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_non_fqdn_sender
Nov 19 17:34:50 kappa postfix/smtpd[23554]: reject_non_fqdn_address: m...@gmail.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_non_fqdn_sender status=0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_non_fqdn_recipient
Nov 19 17:34:50 kappa postfix/smtpd[23554]: reject_non_fqdn_address: i...@test-and-test.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_non_fqdn_recipient status=0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_unknown_recipient_domain
Nov 19 17:34:50 kappa postfix/smtpd[23554]: reject_unknown_address: i...@test-and-test.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: ctable_locate: leave existing entry key i...@test-and-test.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: reject_unknown_mailhost: test-and-test.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: lookup test-and-test.com type MX flags 0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: dns_query: test-and-test.com (MX): OK
Nov 19 17:34:50 kappa postfix/smtpd[23554]: dns_get_answer: type MX for test-and-test.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_unknown_recipient_domain status=0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_unauth_pipelining
Nov 19 17:34:50 kappa postfix/smtpd[23554]: reject_unauth_pipelining: RCPT
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_unauth_pipelining status=0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_unauth_destination
Nov 19 17:34:50 kappa postfix/smtpd[23554]: reject_unauth_destination: i...@test-and-test.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: permit_auth_destination: i...@test-and-test.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: ctable_locate: leave existing entry key i...@test-and-test.com
Nov 19 17:34:50 kappa postfix/smtpd[23554]: NOQUEUE: reject: RCPT from mail-ww0-f47.google.com[74.125.82.47]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Nov 19 17:34:50 kappa postfix/smtpd[23554]: generic_checks: name=reject_unauth_destination status=2
Nov 19 17:34:50 kappa postfix/smtpd[23554]: > mail-ww0-f47.google.com[74.125.82.47]: 554 5.7.1 : Relay access denied
Nov 19 17:34:50 kappa postfix/smtpd[23554]: < mail-ww0-f47.google.com[74.125.82.47]: QUIT
Nov 19 17:34:50 kappa postfix/smtpd[23554]: > mail-ww0-f47.google.com[74.125.82.47]: 221 2.0.0 Bye


Re: reject_unauth_destination status=2, should be 0

2010-11-20 Thread Victor Duchovni
On Sat, Nov 20, 2010 at 06:49:52PM +0100, Ben wrote:

>>> I have a problem of relay access denied with postfix to deliver a mail
>>> to one domain (only one, all other domains are ok). I ran smtpd in
>>
>> Does the domain name match mydestination? If yes, show evidence.
>>
>> Does the domain name match virtual_alias_domains? If yes, show evidence.
>>
>> Does the domain name match virtual_mailbox_domains? If yes, show evidence.
>>
>> Does the domain name match relay_domains? If yes, show evidence.
>>
>>  Wietse
>>
> Thank you for your reply. How can I show you evidence ? I've attached a log 
> extract showing the process.

This is all covered in BASIC_CONFIGURATION_README.

http://www.postfix.org/BASIC_CONFIGURATION_README.html

The overly verbose logs are pointless. Mail is correctly rejected when
all of the below are true.

- The client IP address is not listed in $mynetworks. Hosts/subnets on
  networks you manage, and you want to allow to send outbound email,
  should be listed in $mynetworks.

- The SMTP client did not authenticate, or you did not add
  permit_sasl_authenticated near permit_mynetworks at the top of
  smtpd_recipient_restrictions.

- The recipient domain is not configured as a final or relay domain
  on your system.
  
See http://www.postfix.org/ADDRESS_CLASS_README.html
See http://www.postfix.org/SMTPD_ACCESS_README.html

To show evidence of the last, you post the output of

postconf mydestination relay_domains \
virtual_alias_domains virtual_mailbox_domains

*AND* show output of "postmap -q key table" commands for the domain
in question and the relevant table.

As for "virtual_maps", the parameter is obsolete, but if you happen
to define it in main.cf, it is still used as a backwards-compatible
default for both $virtual_alias_maps and $virtual_alias_domains. You
are encouraged to set these explicitly and avoid the obsolete default.

With any problem report, post complete log entries, with only address
local-parts modified for privacy.

http://www.postfix.org/DEBUG_README.html

-- 
Viktor.


Re: reject_unauth_destination status=2, should be 0

2010-11-20 Thread Ben

On 20/11/2010 19:03, Victor Duchovni wrote:
> On Sat, Nov 20, 2010 at 06:49:52PM +0100, Ben wrote:
>
>>>> I have a problem of relay access denied with postfix to deliver a mail
>>>> to one domain (only one, all other domains are ok). I ran smtpd in
>>>
>>> Does the domain name match mydestination? If yes, show evidence.
>>>
>>> Does the domain name match virtual_alias_domains? If yes, show evidence.
>>>
>>> Does the domain name match virtual_mailbox_domains? If yes, show evidence.
>>>
>>> Does the domain name match relay_domains? If yes, show evidence.
>>>
>>> Wietse
>>>
>> Thank you for your reply. How can I show you evidence ? I've attached a log
>> extract showing the process.
>
> This is all covered in BASIC_CONFIGURATION_README.
>
>     http://www.postfix.org/BASIC_CONFIGURATION_README.html
>
> The overly verbose logs are pointless. Mail is correctly rejected when
> all of the below are true.
>
>     - The client IP address is not listed in $mynetworks. Hosts/subnets on
>       networks you manage, and you want to allow to send outbound email,
>       should be listed in $mynetworks.
>
>     - The SMTP client did not authenticate, or you did not add
>       permit_sasl_authenticated near permit_mynetworks at the top of
>       smtpd_recipient_restrictions.
>
>     - The recipient domain is not configured as a final or relay domain
>       on your system.
>
> See http://www.postfix.org/ADDRESS_CLASS_README.html
> See http://www.postfix.org/SMTPD_ACCESS_README.html
>
> To show evidence of the last, you post the output of
>
>     postconf mydestination relay_domains \
>         virtual_alias_domains virtual_mailbox_domains
>
> *AND* show output of "postmap -q key table" commands for the domain
> in question and the relevant table.
>
> As for "virtual_maps", the parameter is obsolete, but if you happen
> to define it in main.cf, it is still used as a backwards-compatible
> default for both $virtual_alias_maps and $virtual_alias_domains. You
> are encouraged to set these explicitly and avoid the obsolete default.
>
> With any problem report, post complete log entries, with only address
> local-parts modified for privacy.
>
>     http://www.postfix.org/DEBUG_README.html

Thank you for your help ! The recipient domain should be configured as 
final, but is not. I think that's the problem.


I joined the information you asked to avoid line breaking.

Ben

Nov 19 17:34:50 kappa postfix/smtpd[23554]: connection established
Nov 19 17:34:50 kappa postfix/smtpd[23554]: master_notify: status 0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: name_mask: resource
Nov 19 17:34:50 kappa postfix/smtpd[23554]: name_mask: software
Nov 19 17:34:50 kappa postfix/smtpd[23554]: xsasl_cyrus_server_create: SASL service=smtp, realm=postfix
Nov 19 17:34:50 kappa postfix/smtpd[23554]: name_mask: noanonymous
Nov 19 17:34:50 kappa postfix/smtpd[23554]: connect from mail-ww0-f47.google.com[74.125.82.47]
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_list_match: mail-ww0-f47.google.com: no match
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_list_match: 74.125.82.47: no match
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_list_match: mail-ww0-f47.google.com: no match
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_list_match: 74.125.82.47: no match
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_hostname: mail-ww0-f47.google.com ~? 127.0.0.1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_hostaddr: 74.125.82.47 ~? 127.0.0.1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_hostname: mail-ww0-f47.google.com ~? 127.0.0.1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_hostaddr: 74.125.82.47 ~? 127.0.0.1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_list_match: mail-ww0-f47.google.com: no match
Nov 19 17:34:50 kappa postfix/smtpd[23554]: match_list_match: 74.125.82.47: no match
Nov 19 17:34:50 kappa postfix/smtpd[23554]: send attr request = connect
Nov 19 17:34:50 kappa postfix/smtpd[23554]: send attr ident = smtp:74.125.82.47
Nov 19 17:34:50 kappa postfix/smtpd[23554]: private/anvil: wanted attribute: status
Nov 19 17:34:50 kappa postfix/smtpd[23554]: input attribute name: status
Nov 19 17:34:50 kappa postfix/smtpd[23554]: input attribute value: 0
Nov 19 17:34:50 kappa postfix/smtpd[23554]: private/anvil: wanted attribute: count
Nov 19 17:34:50 kappa postfix/smtpd[23554]: input attribute name: count
Nov 19 17:34:50 kappa postfix/smtpd[23554]: input attribute value: 1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: private/anvil: wanted attribute: rate
Nov 19 17:34:50 kappa postfix/smtpd[23554]: input attribute name: rate
Nov 19 17:34:50 kappa postfix/smtpd[23554]: input attribute value: 1
Nov 19 17:34:50 kappa postfix/smtpd[23554]: private/anvil: wanted attribute: (list terminator)
Nov 19 17:34:50 kappa postfix/smtpd[23554]: input attribute name: (end)
Nov 19 17:34:50 kappa postfix/smtpd[23554]: > mail-ww0-f47.google.com[74.125.82.47]: 220 panel.me ESMTP
Nov 19 17:34:50 kappa postfix/smtpd[23554]: < mail-ww0-f47.google.com[74.125.82.47]: EHLO mail-ww0-f47.google.com
Nov 19 17:34:50 kappa postfix/smtpd[

Re: reject_unauth_destination status=2, should be 0

2010-11-20 Thread Victor Duchovni
On Sat, Nov 20, 2010 at 07:45:41PM +0100, Ben wrote:

> Thank you for your help ! The recipient domain should be configured as 
> final, but is not. I think that's the problem.
>
> I joined the information you asked to avoid line breaking.

Turn off verbose logging, it is not needed, and obscures the logging
that's actually useful.

> Nov 19 17:34:50 kappa postfix/smtpd[23554]: NOQUEUE: reject: RCPT from 
> mail-ww0-f47.google.com[74.125.82.47]: 554 5.7.1 : 
> Relay access denied; from= to= 
> proto=ESMTP helo=

This is sufficient, the domain "test-and-test.com" is not listed in
any of the final (or "relay") address classes

> $ postconf mydestination relay_domains virtual_alias_domains 
> virtual_mailbox_domains virtual_alias_maps virtual_mailbox_maps 
> smtpd_recipient_restrictions
> mydestination = $myhostname, localhost.$mydomain, localhost
> relay_domains = $mydestination

Generally, you should set "relay_domains" explicitly to a
non-default value (often empty) and remove "relay_domains" from
parent_domain_matches_subdomains (which should be empty or just

parent_domain_matches_subdomains = smtpd_access_maps

).

> virtual_alias_domains = $virtual_alias_maps
> virtual_mailbox_domains = $virtual_mailbox_maps
> virtual_alias_maps = $virtual_maps

You should set virtual_alias_maps explicitly to whatever you have
virtual_maps set to. You should set virtual_alias_domains to a list of
domains explicitly listed in main.cf, unless the list is large and/or
changes often. Even then, you should use a separate table from
virtual_alias_maps.

> virtual_mailbox_maps = proxy:mysql:/etc/postfix/myvirtual.cf

This defines mailbox locations for individual users.

> $ postmap -q i...@test-and-test.com proxy:mysql:/etc/postfix/myvirtual.cf
> /var/mail/i/info_test-and-test.com

This user has a mailbox. That does not make the *domain* final. You
need to list the *domain* in virtual_mailbox_domains.

-- 
Viktor.
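
The address-class check discussed in the message above, as an added example
that is not part of the original post and is not Postfix code. It is a
simplified model: $inet_interfaces and $proxy_interfaces are left out, and the
host names, the table row and the empty virtual_alias_domains are constructed
assumptions.

```python
# Added example: simplified model of the test behind reject_unauth_destination.
USER_TABLE = "proxy:mysql:/etc/postfix/myvirtual.cf"
# Constructed row: the table is keyed by mailbox address, not by domain.
TABLES = {USER_TABLE: {"user@test-and-test.com": "/var/mail/u/user_test-and-test.com"}}

MYDEST = ["mail.example.net", "localhost.example.net", "localhost"]  # constructed names

AS_POSTED = {
    "mydestination": MYDEST,
    "relay_domains": MYDEST,                  # relay_domains = $mydestination
    "virtual_alias_domains": [],              # $virtual_maps is not shown; assumed empty
    "virtual_mailbox_domains": [USER_TABLE],  # = $virtual_mailbox_maps
    "parent_domain_matches_subdomains": ["relay_domains", "smtpd_access_maps"],
}
ADVISED = dict(
    AS_POSTED,
    relay_domains=[],                               # explicit, empty
    virtual_mailbox_domains=["test-and-test.com"],  # the *domain* is listed
    parent_domain_matches_subdomains=["smtpd_access_maps"],
)

def domain_match(domain, entries, subdomains=False):
    """Match a domain against a list of literal names and lookup tables."""
    for entry in entries:
        if entry in TABLES:
            # A table entry is queried with the domain itself as the key.
            if domain in TABLES[entry]:
                return True
        elif domain == entry or (subdomains and domain.endswith("." + entry)):
            return True
    return False

def rcpt_allowed(rcpt, cfg):
    """True if the recipient domain falls in a final or relay address class."""
    domain = rcpt.rpartition("@")[2].lower()
    final = (cfg["mydestination"] + cfg["virtual_alias_domains"]
             + cfg["virtual_mailbox_domains"])
    if domain_match(domain, final):
        return True
    sub = "relay_domains" in cfg["parent_domain_matches_subdomains"]
    return domain_match(domain, cfg["relay_domains"], subdomains=sub)

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("advised", ADVISED)):
        for rcpt in ("user@test-and-test.com", "x@sub.mail.example.net"):
            print(name, rcpt, "accept" if rcpt_allowed(rcpt, cfg) else "relay denied")
```

With the posted settings the mailbox table is queried for the bare domain and
finds nothing, while any subdomain of a mydestination name is accepted for
relay; the advised settings reverse both results.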


Re: E-mail more than 889 characters in line 1 DKIM Authentication Error

2010-11-20 Thread Wietse Venema
vfx9as:
> In 980 characters or more lines as it will split 1 postfix, and long
> lines to fill in
> Line characters sent so I do not think 980 RFC violation.

Please read RFC 5322 Section 2.2.3. Long Header Fields

   Each header field is logically a single line of characters comprising
   the field name, the colon, and the field body.  For convenience
   however, and to deal with the 998/78 character limitations per line,
   the field body portion of a header field can be split into a
   multiple-line representation; this is called "folding".  The general
   rule is that wherever this specification allows for folding white
   space (not simply WSP characters), a CRLF may be inserted before any
   WSP.

   For example, the header field:

   Subject: This is a test

   can be represented as:

   Subject: This
    is a test

There is more text. If you want to play with email, I strongly
recommend reading the whole document so that you won't look like
a fool.

Wietse


Re: Block A Sender in Postfix

2010-11-20 Thread Noel Jones

On 11/20/2010 11:35 AM, Pete wrote:
> On Sat, Nov 20, 2010 at 10:57:58AM -0500, Carlos Mennens wrote:
>
> [snip]
>
> > So I'm done trying to ask nicely and it doesn't seem like I'm going to
> > get any results so now I'd like to get back to my original question,
> > what's the best way via Postfix to stop them from sending mail to my
> > Postfix server? How can I block them so their mail is rejected? I'd
> > like to have a method in '/etc/postfix/' that I can block specific
> > clients (I'm assuming "clients" is the proper name for servers that
> > try and communicate with my SMTP server) based on IP(s).
> >
> > Can someone please tell me the recommended way to do this in Postfix?
> > I'm sure most of you veterans have had a time where you had to stop a
> > specific server from sending your Postfix server email. How do I go
> > about this?
>
> Hello,
>
> Apologies if I've missed the point of your question but here's how I
> successfully do what I *think* you're trying to do :
>
> Here's my /etc/postfix/main.cf :
>
> smtpd_recipient_restrictions =
>    permit_mynetworks,
>    permit_sasl_authenticated,
>    reject_unauth_destination,
>    reject_unauth_pipelining,
>    check_client_access hash:/etc/postfix/smtp_client_access,
>    check_sender_access hash:/etc/postfix/smtp_sender_access,
>    reject_unknown_sender_domain,
>    reject_rbl_client zen.spamhaus.org,
>    reject_invalid_hostname
>
> For the 'smtp_client_access' and 'smtp_sender_access' references to work you
> first need to create them using a text editor (mine's Vim) and then run as
> root :
>
> postmap hash:smtp_client_access
>
> With the same applying for the 'smtp_sender_access' file. That command
> assumes you're in the /etc/postfix directory.

OK so far...

> Restart Postfix after applying
> the command/s.

It is not necessary to restart postfix after rebuilding a
hash: file; postfix will notice the changes and reload the
modified file.

http://www.postfix.org/DATABASE_README.html#detect

Postfix should be restarted after editing main.cf or master.cf.

> The format of my smtp_client_access file is like so :
>
> .dodgyhost.tld     REJECT Spam sewer.
> .evilspammer.tld   REJECT Spam sewer.

The default setting of parent_domain_matches_subdomains
includes smtpd_access_maps.

That means the above must not have a leading dot unless you've
changed the defaults.  (your entries won't break anything, but
they will never match)

See the table search order documented in:
http://www.postfix.org/access.5.html

> The format of my smtp_sender_access file is like so :
>
> barrelshoot.tld     REJECT No thanks.
> al...@example.tld   OK
> example.tld         REJECT No thanks.
> freespam.tld        REJECT Go away.
> interesting101@     OK

OK.


  -- Noel Jones
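
The leading-dot behaviour described in the message above, as an added example
that is not part of the original post and is not Postfix code. It is a
simplified model of the access(5) search order for client hostnames only
(client IP and network lookups are left out); the client name
mail.dodgyhost.tld and all function names are constructed for illustration.

```python
# Added example: model of check_client_access hostname lookups (access(5)).

def parse_access(text):
    """Parse 'pattern action' lines of an access table into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table

def client_lookup_keys(hostname, parent_matches=True):
    """Keys tried, in order, for a client hostname.

    parent_matches=True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains (the default): parent domains are
    looked up bare. Otherwise they are looked up with a leading dot.
    """
    name = hostname.lower().rstrip(".")
    keys = [name]
    while "." in name:
        name = name.split(".", 1)[1]
        keys.append(name if parent_matches else "." + name)
    return keys

def check_client(hostname, table, parent_matches=True):
    """Return (matching key, action) for the first hit, or None."""
    for key in client_lookup_keys(hostname, parent_matches):
        if key in table:
            return key, table[key]
    return None

def dead_entries(table, parent_matches=True):
    """Domain patterns that can never match under the given setting."""
    if not parent_matches:
        return []
    return sorted(k for k in table if k.startswith("."))

# The two entries quoted in the thread, and the same entries without the dot.
DOTTED = parse_access(".dodgyhost.tld REJECT Spam sewer.\n"
                      ".evilspammer.tld   REJECT Spam sewer.\n")
BARE = parse_access("dodgyhost.tld REJECT Spam sewer.\n"
                    "evilspammer.tld   REJECT Spam sewer.\n")

if __name__ == "__main__":
    print(client_lookup_keys("mail.dodgyhost.tld"))
    print(check_client("mail.dodgyhost.tld", DOTTED))  # no match with defaults
    print(check_client("mail.dodgyhost.tld", BARE))    # rejected
    print(dead_entries(DOTTED))
```

Running dead_entries over an existing table is a quick way to find block
rules that are silently inactive under the default setting.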


Re: Block A Sender in Postfix

2010-11-20 Thread Pete
On Sat, Nov 20, 2010 at 05:53:40PM -0600, Noel Jones wrote:
> On 11/20/2010 11:35 AM, Pete wrote:
> >On Sat, Nov 20, 2010 at 10:57:58AM -0500, Carlos Mennens wrote:
> >>Can someone please tell me the recommended way to do this in Postfix?
> >>I'm sure most of you veterans have had a time where you had to stop a
> >>specific server from sending your Postfix server email. How do I go
> >>about this?

[snip]

> >
> >The format of my smtp_client_access file is like so :
> >
> >.dodgyhost.tld  REJECT Spam sewer.
> >.evilspammer.tld   REJECT Spam sewer.
> 
> The default setting of parent_domain_matches_subdomains 
> includes smtpd_access_maps.
> 
> That means the above must not have a leading dot unless you've 
> changed the defaults.  (your entries won't break anything, but 
> they will never match)
> 
> See the table search order documented in:
> http://www.postfix.org/access.5.html

Noel,

Thanks very much for that. I've rebuilt my smtp_client_access file, without
restarting Postfix.


Regards,

Pete.


Re: E-mail more than 889 characters in line 1 DKIM Authentication Error

2010-11-20 Thread vfx9as
2010/11/21 Wietse Venema :
> vfx9as:
>> In 980 characters or more lines as it will split 1 postfix, and long
>> lines to fill in
>> Line characters sent so I do not think 980 RFC violation.
>
> Please read RFC 5322 Section 2.2.3. Long Header Fields

"Body" problem
No headers

2010/11/20 vfx9as :
> For example:
> Authentication Error
> printf "From:root\n\n%0990s" 990 | sendmail root
>
> Authentication OK
> printf "From:root\n\n%0989s" 989 | sendmail root
>
>
>
"From:root" is header

"000989" is body.