reject entire email if one recipient is invalid
Hello,

Is there a way to configure Postfix to reject the entire message (multi-recipient) if one of its recipients is unauthorized or invalid?

Thanks
Re: another stupid question about exporting valid users from windows 2008 domain to postfix valid users map
Quoting Eero Volotinen:

> Does this still work for windows 2008 ad? :
> http://postfix.state-of-mind.de/patrick.koetter/mailrelay/#d0e149
> or is there better way to do it?

In most cases it would be best to query Windows AD by LDAP without the need for script magic and without synchronisation delays.

Regards

Andreas
Re: delisting from spamcannibal.org
mouss put forth on 1/8/2011 3:53 PM:
> On 08/01/2011 13:28, Samuel Sappa wrote:
>> Sorry if my question doesn't fit the rule in this mailing list, i'm
>> not looking for contact from spamcannibal or both yahoo and gmail, i'm
>> just asking if there someone else have some experience and would
>> kindly share that experience in this mailing list, since i'm using
>> postfix too, but maybe my question too general (sorry if my english
>> bad)
>> once again i'm sorry for this question
>> but anyway thank you for your reply
>
> well, it's unclear what problem you have. what is your problem exactly?

IIRC, Samuel stated in his original email, mouss, that he can successfully send to gmail, yahoo, and others, but he can't receive from them. This sounds like he has misconfigured his Postfix server, and that his problem probably has nothing to do with spamcannibal.

Samuel, please forward a copy of your "postconf -n" output so we can take a look at it and help you fix your problem.

--
Stan
Re: reject entire email if one recipient is invalid
yz1234:
> Hello,
>
> Is there a way to configure Postfix to reject the entire message
> (multi-recipient) if one of its recipients is unauthorized or invalid?

This is not implemented in Postfix. You may implement this with a Milter plugin-program.

Wietse
Order of policies?
I have the following config:

smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_policy_service inet:127.0.0.1:10031

I assumed that it would mean that any attempt to send a mail to a recipient that is not a valid destination would be immediately rejected, and if the recipient was valid, it would be a matter for the grey-listing via policyd. (As in restrictions evaluated left-to-right.)

However it appears that the policyd-service is queried first of all. Is this by design, or could it be changed? (Ok, it is not really a vital issue, mostly trying to learn the workings of postfix).
Re: Order of policies?
Jan Johansson:
> I have the following config:
>
> smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
> check_policy_service inet:127.0.0.1:10031
>
> I assumed that it would mean that any attempt to send a mail to
> a recipient that is not a valid destination would be immediately
> rejected, and if the recipient was valid, it would be a matter

For that, specify reject_unlisted_recipient before permit_mynetworks.

reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
    Reject the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_recipient parameter description for details. This feature is available in Postfix 2.1 and later.

Wietse

> for the grey-listing via policyd. (As in restrictions evaluated
> left-to-right.)
>
> However it appears that the policyd-service is queried first of all. Is this
> by design, or could it be changed? (Ok, it is not really a vital issue,
> mostly trying to learn the workings of postfix).
Re: Ignoring "certificate verification failed ... untrusted issuer"
Quoting "Mike A. Leonetti":

> I set up postfix with:
>
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> And a list of domains with "may" as the policy for each of them. The problem is postfix hates the certificate (because I don't have it listed as a trusted issuer anywhere).
>
> So I get this error as expected:
>
>> Jan 8 01:57:46 Ricochet postfix/smtp[24852]: certificate verification failed for gmail-smtp-in.l.google.com[74.125.91.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> Is there a way to have postfix not care about the issuer and just continue? I am aware that there can be security risks, but they exist anyway if postfix fails back to plaintext.

Huh?
Postfix does continue anyway if you do not explicitly configure it to not do so with a TLS security level higher than "may". The log shows the above as a warning.

Regards

Andreas
Evaluation order of transport_maps?
Let's say that for various reasons a system ends up having two identical entries in transport maps. Is there a fixed logic as to which takes precedence?

As an example (I entered my own address instead of the address in question):

j...@mupp.net smtp:mail.kontinuitet.com
j...@mupp.net smtp:haven.skyddsrummet.net

Right now it _appears_ as the second choice is the one used, is that something that can be taken for granted? I have gotten the impression that transports are evaluated until the first match?

Naturally the correct solution is to stop the backend system from having duplicated data, and that will be the case eventually. But for the moment that is just how things are.
Re: Evaluation order of transport_maps?
Jan Johansson:
> Let's say that for various reasons a system ends up having two
> identical entries in transport maps.

By definition you can't have that in a hashed file, *SQL database, or LDAP. Other Postfix lookup tables such as regexp or pcre will return the first match, as documented.

Wietse

> Is there a fixed logic as to which takes precedence?
>
> As an example (I entered my own address instead of the address in question):
> j...@mupp.net smtp:mail.kontinuitet.com
> j...@mupp.net smtp:haven.skyddsrummet.net
>
> Right now it _appears_ as the second choice is the one used, is that
> something that can be taken for granted? I have gotten the impression that
> transports are evaluated until the first match?
>
> Naturally the correct solution is to stop the backend system from having
> duplicated data, and that will be the case eventually. But for the moment
> that is just how things are.
SV: Evaluation order of transport_maps?
>By definition you can't have that in a hashed file, *SQL database, or LDAP.
>Other Postfix lookup tables such as regexp or pcre will return the first
>match, as documented.

Come to think about it. That makes sense. Sorry about that.

So, in the meantime, a dirty workaround is to do it like this then

1. Make sure the transport-map indata file is created in such a fashion that the entries from the "new" mail server are written "first" to the file
2. Do _not_ use the -r option to postmap.
3. Ignore the warnings about duplicate entries, until such a time that the old mail server has been completely archived and decommissioned.

After dumping the resulting db-file it would appear that this method (dirty as it may be) only leaves the entry from the "new" mail server in the transport map.
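The workaround above depends on which of two duplicate keys ends up in the table. As an added example (not code from the thread), this Python check reads a transport map source file, reports every duplicate key before the file is handed to postmap, and shows which entry survives without -r (first kept) and with -r (last kept). The sample addresses and host names are constructed placeholders and the function names are hypothetical.

```python
"""Pre-flight duplicate check for a Postfix transport map source file.

Added example: function names and sample data are not from the thread.
"""
import sys

# Constructed sample input; addresses and hosts are placeholders.
SAMPLE = """\
# entries exported for the new mail server come first
user@example.org     smtp:new-mx.example.net
other@example.org    smtp:new-mx.example.net
# entries still exported for the old mail server
User@Example.org     smtp:old-mx.example.net
"""


def logical_lines(text):
    """Yield (first_line_number, logical_line) using Postfix table syntax:
    blank lines and '#' comment lines are skipped, and a line that starts
    with whitespace continues the previous logical line."""
    current, start = None, 0
    for number, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + stripped
            continue
        if current is not None:
            yield start, current
        current, start = stripped, number
    if current is not None:
        yield start, current


def check_transport(text, replace=False, fold=True):
    """Return (effective, duplicates).

    replace=False models postmap without -r: the first entry is kept and
    later ones only produce a warning. replace=True models postmap -r: a
    later entry overwrites the earlier one. fold=True lower-cases keys, as
    postmap does for hash/btree tables unless -f is given.
    """
    effective = {}    # key -> (line number, value) that ends up in the table
    duplicates = []   # one record per entry colliding with an earlier key
    for lineno, line in logical_lines(text):
        fields = line.split(None, 1)
        key = fields[0].lower() if fold else fields[0]
        value = fields[1] if len(fields) > 1 else ""
        if key in effective:
            previous_line, previous_value = effective[key]
            duplicates.append({
                "key": key,
                "previous_line": previous_line,
                "previous_value": previous_value,
                "dup_line": lineno,
                "dup_value": value,
                # Same key, different next hop: mail routing depends on order.
                "conflict": value != previous_value,
            })
            if replace:
                effective[key] = (lineno, value)
        else:
            effective[key] = (lineno, value)
    return {k: v for k, (_, v) in effective.items()}, duplicates


if __name__ == "__main__":
    # Usage: script.py /path/to/transport (falls back to the sample data).
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    table, dups = check_transport(source)
    for d in dups:
        kind = "CONFLICT" if d["conflict"] else "repeat"
        print(f"{kind}: {d['key']} line {d['dup_line']} ({d['dup_value']}) "
              f"shadowed by line {d['previous_line']} ({d['previous_value']})")
    sys.exit(1 if any(d["conflict"] for d in dups) else 0)
```

Run against the real source file from the export job, a non-zero exit status flags keys whose next hop depends on file order, so the job can stop before postmap is run.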
MS AD integration
hi all

is there any way to postfix could query the mail users directly from Active Directory?
what is required for this

thanks
-bharathan
SV: MS AD integration
>hi all
>is there any way to postfix could query the mail users directly from Active Directory?
>what is required for this
>Thanks

Sure, plenty of ways, but do you _really_ want this?

The reason I myself prefer to periodically transfer a dump of all proxy-addresses from the AD/Exchange environment and parse that into Postfix is that should you ever face a larger spam attack, and have tons of queries against the AD your AD/exchange will bog down.

Also, I answered this as late as yesterday on the list, the search feature is a good thing ;)

But, here is my reply on how I export Proxy-addresses from AD (2008R2).

I use a slightly modified version of https://exchangepedia.com/blog/stuff/ListEmailAddresses.zip (I just changed it to not output a dialog, just the resulting text file)

Then I use a small PHP-script to parse the files into transport, relay_domains, relay_recipients
Re: MS AD integration
On Sun, Jan 9, 2011 at 7:41 PM, Jan Johansson wrote:

> >hi all
> >is there any way to postfix could query the mail users directly from Active Directory?
> >what is required for this
> >Thanks
>
> Sure, plenty of ways, but do you _*really*_ want this?
>
> The reason I myself prefer to periodically transfer a dump of all
> proxy-addresses from the AD/Exchange environment and parse that into Postfix
> is that should you ever face a larger spam attack, and have tons of queries
> against the AD your AD/exchange will bog down.
>
> Also, I answered this as late as yesterday on the list, the search feature
> is a good thing ;)
>
> But, here is my reply on how I export Proxy-addresses from AD (2008R2).
>
> I use a slightly modified version of
> https://exchangepedia.com/blog/stuff/ListEmailAddresses.zip (I just
> changed it to not output a dialog, just the resulting text file)
>
> Then I use a small PHP-script to parse the files into transport,
> relay_domains, relay_recipients

hi
but i was thinking of a scenario where the exchange is not there; can i make postfix query the DC AD database;
thanks
Postdrop does not support MySQL lookups? / Limit outgoing mails.
Hi,

I am trying to limit the number of outgoing messages a single local Unix user (web hosting customer) can send in a single day. My first thought was to create a policy server for this, but unfortunately Postfix does not supply the originating UID to the policy server, and the "sender" field can be easily forged.

So I'm looking for a different way, and found Postdrop does have a "authorized_submit_users" parameter. The idea was to have that call a MySQL stored function that administers the number of sent messages in the database, and returns a boolean indicating whether the user is allowed to send more messages.

Unfortunately, that does not seem to work either. When I create a config file with my database details, and add it to main.cf:

==
authorized_submit_users=mysql:/etc/postfix/mysql_outgoing_limit.cf
==

it gives an error when trying to send mail:

==
sendmail: fatal: unsupported dictionary type: mysql
==

This despite that MySQL support is built-in and postdrop is linked to libmysqlclient:

==
# postconf -m
btree
cidr
environ
hash
mysql
nis
proxy
regexp
static
unix
# ldd /usr/sbin/postdrop
libmysqlclient.so.15 => /usr/local/lib/mysql/libmysqlclient.so.15 (0x2aaba000)
libz.so.1 => /lib64/libz.so.1 (0x2ac31000)
libm.so.6 => /lib64/tls/libm.so.6 (0x2ad46000)
libdb-4.3.so => /usr/lib64/tls/libdb-4.3.so (0x2ae9d000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x2b091000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x2b1a7000)
libc.so.6 => /lib64/tls/libc.so.6 (0x2b2bb000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x2b4e7000)
libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x2b62)
/lib64/ld-linux-x86-64.so.2 (0x4000)
==

Is there any way to make postdrop support MySQL dictionaries, or to limit locally sent e-mail another way?

--
Yours sincerely,
Floris Bos
Re: Postdrop does not support MySQL lookups? / Limit outgoing mails.
Floris Bos:
> Hi,
>
> I am trying to limit the number of outgoing messages a single local Unix user
> (web hosting customer) can send in a single day.
> My first thought was to create a policy server for this, but unfortunately
> Postfix does not supply the originating UID to the policy server, and the
> "sender" field can be easily forged.

The policy server is for SMTP mail. postdrop is for the Postfix sendmail command (i.e. local submission).

> So I'm looking for a different way, and found Postdrop does have a
> "authorized_submit_users" parameter.
> The idea was to have that call a MySQL stored function that administers the
> number of sent messages in the database, and returns a boolean indicating
> whether the user is allowed to send more messages.
>
> Unfortunately, that does not seem to work either.
> When I create a config file with my database details, and add it to main.cf:
>
> ==
> authorized_submit_users=mysql:/etc/postfix/mysql_outgoing_limit.cf

Instead of guessing, try to read the documentation.

man 5 postconf | less +/authorized_submit_users

Wietse
Re: Postdrop does not support MySQL lookups? / Limit outgoing mails.
Floris Bos:
> authorized_submit_users=mysql:/etc/postfix/mysql_outgoing_limit.cf
> ==
>
> it gives an error when trying to send mail:
>
> ==
> sendmail: fatal: unsupported dictionary type: mysql

This means that MySQL support is not compiled into your Postfix sendmail command.

Wietse
Re: MS AD integration
Quoting K bharathan:

> On Sun, Jan 9, 2011 at 7:41 PM, Jan Johansson wrote:
>
>> >hi all
>> >is there any way to postfix could query the mail users directly from Active Directory?
>> >what is required for this
>> >Thanks
>>
>> Sure, plenty of ways, but do you _*really*_ want this?
>>
>> The reason I myself prefer to periodically transfer a dump of all proxy-addresses from the AD/Exchange environment and parse that into Postfix is that should you ever face a larger spam attack, and have tons of queries against the AD your AD/exchange will bog down.
>>
>> Also, I answered this as late as yesterday on the list, the search feature is a good thing ;)
>>
>> But, here is my reply on how I export Proxy-addresses from AD (2008R2).
>>
>> I use a slightly modified version of https://exchangepedia.com/blog/stuff/ListEmailAddresses.zip (I just changed it to not output a dialog, just the resulting text file)
>>
>> Then I use a small PHP-script to parse the files into transport, relay_domains, relay_recipients
>
> hi
> but i was thinking of a scenario where the exchange is not there; can i make postfix query the DC AD database;

For sure. Microsoft AD has a LDAP interface so you simply have to configure Postfix to use LDAP lookups (http://www.postfix.org/LDAP_README.html) and query for the correct attribute with a "LDAP" user able to read it.

Regards

Andreas
RE: MS AD integration
>is there any way to postfix could query the mail users directly from Active
>Directory?

Another reason not to use direct queries is that if for some reason the AD is down, postfix will reject emails destined to it.

If you query the AD say once an hour into a hash, postfix will accept the mail and queue it until the AD is ready to accept it.

Regards,

D.
RE: MS AD integration
Quoting Dudi Goldenberg:

>> is there any way to postfix could query the mail users directly from Active Directory?
>
> Another reason not to use direct queries is that if for some reason the AD is down, postfix will reject emails destined to it.
>
> If you query the AD say once an hour into a hash, postfix will accept the mail and queue it until the AD is ready to accept it.

Postfix will "reject" with a temporary SMTP error so the sender is urged to retry later. So the difference is only queuing at the sender side versus queuing at the receiver side.

Regards

Andreas
Re: Postdrop does not support MySQL lookups? / Limit outgoing mails.
On Sunday, January 09, 2011 08:44:12 pm Wietse Venema wrote:
>Instead of guessing, try to read the documentation.
>
>man 5 postconf | less +/authorized_submit_users

The documentation is where I found the option in the first place, and since it mentioned "type:table", I assumed it would support all lookup types. But given I cannot get it to work, I was doubting the documentation, hence my question.

> Floris Bos:
> > authorized_submit_users=mysql:/etc/postfix/mysql_outgoing_limit.cf
> > ==
> >
> > it gives an error when trying to send mail:
> >
> > ==
> > sendmail: fatal: unsupported dictionary type: mysql
>
> This means that MySQL support is not compiled into your Postfix
> sendmail command.

Do I need any special compile option other than the standard -DHAS_MYSQL (and include/library directory) to get the support into sendmail?

The MySQL support is working correctly elsewhere in Postfix (e.g. with "relay_domains"), and ldd shows sendmail is linked to libmysqlclient as well (just as postdrop). So it's not like the sendmail binary came from a different build, or anything.

==
# which sendmail
/usr/sbin/sendmail
# ldd /usr/sbin/sendmail
libmysqlclient.so.15 => /usr/local/lib/mysql/libmysqlclient.so.15 (0x2abc2000)
libz.so.1 => /lib64/libz.so.1 (0x2ad38000)
libm.so.6 => /lib64/tls/libm.so.6 (0x2ae4e000)
libdb-4.3.so => /usr/lib64/tls/libdb-4.3.so (0x2afa5000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x2b198000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x2b2af000)
libc.so.6 => /lib64/tls/libc.so.6 (0x2b3c3000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x2b5ee000)
libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x2b728000)
/lib64/ld-linux-x86-64.so.2 (0x2aaab000)
==

--
Yours sincerely,
Floris Bos
Re: Postdrop does not support MySQL lookups? / Limit outgoing mails.
Floris Bos:
> > > sendmail: fatal: unsupported dictionary type: mysql
> >
> > This means that MySQL support is not compiled into your Postfix
> > sendmail command.
>
> Do I need any special compile option other than the standard -DHAS_MYSQL (and
> include/library directory) to get the support into sendmail?

Hmm. It seems that only "local" file-based databases (hash, btree, regexp, pcre, etc.) are linked into the user commands, not the higher-level databases that require access to the network.

This is certainly something that could be changed, but then it means that

a) Postfix can't accept local submission when the network is down (for example when the machine is booting).

b) EVERYONE on the system would have to be able to read your *SQL etc. password.

This does not seem to be a desirable approach for the general case.

Wietse
Is there a way to make Postfix 2.7.x stop announcing ETRN?
While using Postfix 2.7.1 at an Ubuntu 10.10 server:

We disabled ETRN as stated in the 'Configuring the Postfix fast ETRN service' section of the ETRN_README.html

(...)
smtpd_delay_reject = yes
fast_flush_domains =
mydestination = localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
relay_domains = $mydestination
smtpd_etrn_restrictions =
(...)

The problem is that Postfix is still announcing 250-ETRN, and we are being hit by very persistent machines that keep issuing:
etrn some.domain.tld
just to get:
459 : service unavailable

Regards,

M.
Re: Postdrop does not support MySQL lookups? / Limit outgoing mails.
Hi,

On Sunday, January 09, 2011 09:34:10 pm Wietse Venema wrote:
> Floris Bos:
> > > > sendmail: fatal: unsupported dictionary type: mysql
> > >
> > > This means that MySQL support is not compiled into your Postfix
> > > sendmail command.
> >
> > Do I need any special compile option other than the standard -DHAS_MYSQL
> > (and include/library directory) to get the support into sendmail?
>
> Hmm. It seems that only "local" file-based databases (hash, btree,
> regexp, pcre, etc.) are linked into the user commands, not the
> higher-level databases that require access to the network.
>
> This is certainly something that could be changed, but then it
> means that
>
> a) Postfix can't accept local submission when the network
> is down (for example when the machine is booting).

Well, in our use case MySQL runs locally, and is started right before Postfix. So that would be acceptable.

> b) EVERYONE on the system would have to be able to read
> your *SQL etc. password.

Wouldn't it be possible to have the check only done in the postdrop executable and not in sendmail? Could make the configuration only readable by the maildrop group then.

--
Yours sincerely,
Floris Bos
Re: Is there a way to make Postfix 2.7.x stop announcing ETRN?
On 1/9/2011 2:16 PM, Mark Alan wrote:
> While using Postfix 2.7.1 at an Ubuntu 10.10 server:
>
> We disabled ETRN as stated in the 'Configuring the Postfix fast ETRN service'
> section of the ETRN_README.html
>
> (...)
> smtpd_delay_reject = yes
> fast_flush_domains =
> mydestination = localhost.localdomain, localhost
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
> relay_domains = $mydestination
> smtpd_etrn_restrictions =
> (...)
>
> The problem is that Postfix is still announcing 250-ETRN, and we are
> being hit by very persistent machines that keep issuing:
> etrn some.domain.tld
> just to get:
> 459: service unavailable
>
> Regards,
>
> M.

http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keywords

# main.cf
smtpd_discard_ehlo_keywords = silent-discard, etrn

-- Noel Jones
Re: Postdrop does not support MySQL lookups? / Limit outgoing mails.
Floris Bos:
> Hi,
>
> On Sunday, January 09, 2011 09:34:10 pm Wietse Venema wrote:
> > Floris Bos:
> > > > > sendmail: fatal: unsupported dictionary type: mysql
> > > >
> > > > This means that MySQL support is not compiled into your Postfix
> > > > sendmail command.
> > >
> > > Do I need any special compile option other than the standard -DHAS_MYSQL
> > > (and include/library directory) to get the support into sendmail?
> >
> > Hmm. It seems that only "local" file-based databases (hash, btree,
> > regexp, pcre, etc.) are linked into the user commands, not the
> > higher-level databases that require access to the network.
> >
> > This is certainly something that could be changed, but then it
> > means that
> >
> > a) Postfix can't accept local submission when the network
> > is down (for example when the machine is booting).
>
> Well, in our use case MySQL runs locally, and is started right before
> Postfix.
> So that would be acceptable.

No it would not. Postfix must be able to accept mail BEFORE it is started. A standard example is where some editor boot-time script sends notices to users that their edit session is saved and how they can recover it.

Losing mail is not acceptable at any time.

Wietse
Re: Is there a way to make Postfix 2.7.x stop announcing ETRN?
Mark Alan:
> While using Postfix 2.7.1 at an Ubuntu 10.10 server:
>
> We disabled ETRN as stated in the 'Configuring the Postfix fast ETRN service'
> section of the ETRN_README.html
>
> (...)
> smtpd_delay_reject = yes
> fast_flush_domains =
> mydestination = localhost.localdomain, localhost
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
> relay_domains = $mydestination
> smtpd_etrn_restrictions =
> (...)
>
> The problem is that Postfix is still announcing 250-ETRN, and we are
> being hit by very persistent machines that keep issuing:
> etrn some.domain.tld
> just to get:
> 459 : service unavailable

http://www.postfix.org/postconf.5.html#smtpd_etrn_restrictions

Wietse
warning: pipe flag `D' requires dovecot-spamass_destination_recipient_limit = 1
Hi everyone,

Just a quick question. I have Dovecot piping to Spamassassin. When I send an email to one user it seems to work, but when I have multiple recipients in the Email it gives this error.

Does anyone know what it really means?

Best wishes, J

Jan 9 21:59:06 logout postfix/pipe[15100]: C80028249C: to=, relay=dovecot-spamass, delay=0.17, delays=0.16/0/0/0, dsn=4.3.5, status=deferred (mail system configuration error)
Jan 9 21:59:06 logout postfix/pipe[15100]: C80028249C: to=, relay=dovecot-spamass, delay=0.17, delays=0.16/0/0/0, dsn=4.3.5, status=deferred (mail system configuration error)
Jan 9 21:59:06 logout postfix/pipe[15100]: warning: pipe flag `D' requires dovecot-spamass_destination_recipient_limit = 1

Here is the config:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
maps_rbl_domains = sbl.spamhaus.org
mydestination = localhost.localdomain, localhost
myhostname = m1
mynetworks = mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_rate_limit = 30
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_unlisted_recipient, reject_unlisted_sender, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot-spamass
Re: warning: pipe flag `D' requires dovecot-spamass_destination_recipient_limit = 1
JKL:
> Hi everyone,
>
> Just a quick question. I have Dovecot piping to Spamassassin.
> When I send an email to one user it seems to work, but when I have
> multiple recipients in the Email it gives this error.
>
> Does anyone know what it really means?
>
> Best wishes, J
>
> Jan 9 21:59:06 logout postfix/pipe[15100]: C80028249C: to=, relay=dovecot-spamass, delay=0.17, delays=0.16/0/0/0, dsn=4.3.5, status=deferred (mail system configuration error)
> Jan 9 21:59:06 logout postfix/pipe[15100]: C80028249C: to=, relay=dovecot-spamass, delay=0.17, delays=0.16/0/0/0, dsn=4.3.5, status=deferred (mail system configuration error)
> Jan 9 21:59:06 logout postfix/pipe[15100]: warning: pipe flag `D' requires dovecot-spamass_destination_recipient_limit = 1

You must put

spamass_destination_recipient_limit = 1

in main.cf!

Wietse
Re: Is there a way to make Postfix 2.7.x stop announcing ETRN?
On Sun, 09 Jan 2011 14:49:11 -0600, Noel Jones wrote:
> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keywords
>
> # main.cf
> smtpd_discard_ehlo_keywords = silent-discard, etrn

That works. Problem solved.

Thank you very much Noel.

M.
Re: warning: pipe flag `D' requires dovecot-spamass_destination_recipient_limit = 1
On 01/09/2011 10:26 PM, Wietse Venema wrote:
> JKL:
>> Hi everyone,
>>
>> Just a quick question. I have Dovecot piping to Spamassassin.
>> When I send an email to one user it seems to work, but when I have
>> multiple recipients in the Email it gives this error.
>>
>> Does anyone know what it really means?
>>
>> Best wishes, J
>>
>> Jan 9 21:59:06 logout postfix/pipe[15100]: C80028249C: to=, relay=dovecot-spamass, delay=0.17, delays=0.16/0/0/0, dsn=4.3.5, status=deferred (mail system configuration error)
>> Jan 9 21:59:06 logout postfix/pipe[15100]: C80028249C: to=, relay=dovecot-spamass, delay=0.17, delays=0.16/0/0/0, dsn=4.3.5, status=deferred (mail system configuration error)
>> Jan 9 21:59:06 logout postfix/pipe[15100]: warning: pipe flag `D' requires dovecot-spamass_destination_recipient_limit = 1
>
> You must put
>
> spamass_destination_recipient_limit = 1
>
> in main.cf!
>
> Wietse

Thank-you Wietse. In my case the whole line should be:

dovecot-spamass_destination_recipient_limit = 1
Re: Ignoring "certificate verification failed ... untrusted issuer"
(2011-01-09 10:28), lst_ho...@kwsoft.de wrote:
> Quoting "Mike A. Leonetti":
>
>> I set up postfix with:
>>
>>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>>
>> And a list of domains with "may" as the policy for each of them. The
>> problem is postfix hates the certificate (because I don't have it listed
>> as a trusted issuer anywhere).
>>
>> So I get this error as expected:
>>> Jan 8 01:57:46 Ricochet postfix/smtp[24852]: certificate verification
>>> failed for gmail-smtp-in.l.google.com[74.125.91.27]:25: untrusted
>>> issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>
>> Is there a way to have postfix not care about the issuer and just
>> continue? I am aware that there can be security risks, but they exist
>> anyway if postfix fails back to plaintext.
>
> Huh?
> Postfix does continue anyway if you do not explicitly configure it to
> not do so with a TLS security level higher than "may". The log shows
> the above as a warning.
>
> Regards
>
> Andreas

Oh! So it's my misunderstanding! It will still continue with TLS then? Great.
Another "certificate verification failed ... untrusted issuer" question
My understanding is to prevent these errors, you obtain the root certificate for each server mail certificate your Postfix server connects to, append it to a pem file and reference it with smtp_tls_CAfile in main.conf. This could obviously take a while. On a Windows installation you can refer to a certificates store in the registry. Is there an easier way to do this on a *nix box?
Re: reject entire email if one recipient is invalid
On 09/01/2011 15:01, Wietse Venema wrote:
> yz1234:
>>
>> Hello,
>>
>> Is there a way to configure Postfix to reject the entire message
>> (multi-recipient) if one of its recipients is unauthorized or invalid?
>
> This is not implemented in Postfix. You may implement this with
> a Milter plugin-program.
>
> Wietse

If OP can use check_recipient_access (instead of reject_unlisted_recipient) then he can use PREPEND to add a header and use header_checks to reject if header is found.
"Standard" options when compiling Postfix from source?
Up to now, we've been running Postfix 2.3.3 that was installed on a number of CentOS 5.5 production servers with a simple "yum install postfix"

We want to run an updated version, so I compiled 2.7.2 from source using the information at http://postfix.wl0.org/en/building-rpms/

When creating the postfix.spec file, the only additional option I explicitly added was:

export POSTFIX_PCRE=1

Everything seemed to go fine and the CentOS 5.5 test box I built and installed it on appears to be sending test mails as expected. However, I want to compile in the same options that are included in the "default" 2.3.3 version that we're running on our production servers.

However, I couldn't find a postconf option in the docs to show which options were included at compile time. Is there a command that will show them, or a list somewhere that shows which ones were included in Postfix 2.3.3 installed by yum on CentOS 5?

Thanks in advance,

Steve
Re: Another "certificate verification failed ... untrusted issuer" question
On 1/9/2011 4:39 PM, IT geek 31 wrote:
> My understanding is to prevent these errors, you obtain the root certificate for each server mail certificate your Postfix server connects to, append it to a pem file and reference it with smtp_tls_CAfile in main.conf.
>
> This could obviously take a while. On a Windows installation you can refer to a certificates store in the registry. Is there an easier way to do this on a *nix box?

You obtain a list of common root certificates and point postfix to that. Your system probably already has such a list if you have a web browser installed. Some OS vendors make common certificates available as a separate package. See your favorite web search engine for more information.

However, verifying certificates for email is of little value if you are willing to accept unencrypted connections, and you'll also find that *many* legit organizations use self-signed, outdated, or otherwise unverifiable certificates.

If you require verified encrypted connections, you should read http://www.postfix.org/TLS_README.html paying particular attention to the various "secure" discussions and warnings, and you should obtain the required certificates manually.

-- Noel Jones
Re: "Standard" options when compiling Postfix from source?
Steve Jenkins:
> Up to now, we've been running Postfix 2.3.3 that was installed on a number
> of CentOS 5.5 production servers with a simple "yum install postfix"
>
> We want to run an updated version, so I compiled 2.7.2 from source using the
> information at http://postfix.wl0.org/en/building-rpms/
>
> When creating the postfix.spec file, the only additional option I explicitly
> added was:
>
> export POSTFIX_PCRE=1
>
> Everything seemed to go fine and the CentOS 5.5 test box I built and
> installed it on appears to be sending test mails as expected. However, I
> want to compile in the same options that are included in the "default" 2.3.3
> version that we're running on our production servers.
>
> However, I couldn't find a postconf option in the docs to show which options
> were included at compile time. Is there a command that will show them, or a
> list somewhere that shows which ones were included in Postfix 2.3.3
> installed by yum on CentOS 5?

Postfix from postfix.org stores the compile-time options in /etc/postfix/makedefs.out. If your vendor distributes that file, look for the EXPORT line. Here is an example:

    EXPORT = AUXLIBS=' -L/usr/local/lib -lpcre' CCARGS=' -DHAS_PCRE -I/usr/local/include -DSNAPSHOT' OPT='-O' DEBUG='-g'

The AUXLIBS and CCARGS are what you would specify on the "make makefiles" command line.

Wietse
RE: "Standard" options when compiling Postfix from source?
> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
> Sent: Sunday, January 09, 2011 8:03 PM
> Subject: Re: "Standard" options when compiling Postfix from source?
>
> Postfix from postfix.org stores the compile-time options in
> /etc/postfix/makedefs.out. If your vendor distributes that file, look for the
> EXPORT line. Here is an example:
>
> EXPORT= AUXLIBS=' -L/usr/local/lib -lpcre' CCARGS=' -DHAS_PCRE -I/usr/local/include -DSNAPSHOT' OPT='-O' DEBUG='-g'
>
> The AUXLIBS and CCARGS are what you would specify on the "make
> makefiles" command line.

Thanks, Wietse. The "vanilla" install of Postfix 2.3.3 on CentOS 5 via yum does indeed include an /etc/postfix/makedefs.out file. For the benefit of anyone else looking for this info in the archives, the AUXLIBS and CCARGS for that CentOS version are:

    AUXLIBS=' -L/usr/lib -lldap -llber -lpcre -L/usr/lib/sasl2 -lsasl2 -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz -pie -Wl,-z,relro'

    CCARGS='-fPIC -DHAS_LDAP -DLDAP_DEPRECATED=1 -DHAS_PCRE -I/usr/include/pcre -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS -I/usr/kerberos/include '

The 2.3.3 makedefs.out file contains the AUXLIBS "-pie -Wl,-z,relro" and a CCARGS of "-fPIC". Google finds lots of references to these options in example spec files, but nothing seems to explain what they are. What are they, and have they been deprecated in 2.7.2?

Thanks,
Steve
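A rebuild that silently drops TLS, SASL or the hardening flags is easy to miss, so the comparison described in this thread can be scripted. This is an added example, not code from the thread or from the Postfix project: it reads the EXPORT line of two makedefs.out files and lists the `-D` feature macros and hardening flags (`-fPIC` and `-pie` produce position-independent executables, `-Wl,-z,relro` makes relocation sections read-only after loading) that the old build has and the new one lacks. The old sample reuses the values quoted above; the new one is a constructed PCRE-only build.

```shell
#!/bin/sh
# Compare the build options recorded in two Postfix makedefs.out files.

# Print, one per line, the -D feature macros (values stripped) and the
# hardening flags found on the EXPORT line of the makedefs.out file in $1.
build_flags() {
    grep '^EXPORT *=' "$1" | tr -s " '\t" '\n\n\n' |
        grep -E '^(-D[A-Za-z_]|-fPIC$|-fPIE$|-pie$|-Wl,)' |
        sed 's/=.*//' | LC_ALL=C sort -u
}

# Print the flags present in the old build ($1) but absent from the new ($2).
missing_flags() {
    _old=$(mktemp) && _new=$(mktemp) || return 1
    build_flags "$1" > "$_old"
    build_flags "$2" > "$_new"
    LC_ALL=C comm -23 "$_old" "$_new"
    rm -f "$_old" "$_new"
}

# Constructed sample files. old.out uses the AUXLIBS/CCARGS quoted in the
# thread for CentOS 5 Postfix 2.3.3; new.out is an assumed PCRE-only rebuild.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/old.out" <<'EOF'
EXPORT = AUXLIBS=' -L/usr/lib -lldap -llber -lpcre -L/usr/lib/sasl2 -lsasl2 -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz -pie -Wl,-z,relro' CCARGS='-fPIC -DHAS_LDAP -DLDAP_DEPRECATED=1 -DHAS_PCRE -I/usr/include/pcre -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS -I/usr/kerberos/include ' OPT='-O' DEBUG='-g'
EOF
cat > "$work/new.out" <<'EOF'
EXPORT = AUXLIBS=' -L/usr/lib -lpcre' CCARGS=' -DHAS_PCRE -I/usr/include/pcre' OPT='-O' DEBUG='-g'
EOF

echo "Options in the old build that the new build lacks:"
missing_flags "$work/old.out" "$work/new.out"
```

On a real system, pass the production server's /etc/postfix/makedefs.out as the first argument and the one from the new build as the second.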
Re: delisting from spamcannibal.org
> IIRC, Samuel stated in his original email mouss that he can successfully
> send to gmail, yahoo, and others, but he can't receive from them.
>
> This sounds like he has misconfigured his Postfix server, and that his
> problem probably has nothing to do with spamcannibal.
>
> Samuel, please forward a copy of your "postconf -n" output so we can
> take a look at it and help you fix your problem.
>
> --
> Stan
>

My problem with postfix is now solved. It seems (IMHO) the ISP where I register my DNS has a problem, since both yahoo, gmail and others require that the recipient FQDN hostname must resolve/reverse, from hostname to IP and IP to hostname. The ISP configuration only resolves/reverses the domain, not the hostname FQDN; because of that, sending from yahoo and gmail did not succeed.

But spamcannibal still cannot resolve/reverse my hostname and domain, since my IP is still blacklisted. My only hope is that yahoo, gmail and others aren't using spamcannibal.

Thank you so much for your help, friends.

--
Regards
Samuel Sappa,
Re: another stupid question about exporting valid users from windows 2008 domain to postfix valid users map
On 2011-01-09 lst_ho...@kwsoft.de wrote:
> Quoting Eero Volotinen:
>> Does this still works for windows 2008 ad? :
>> http://postfix.state-of-mind.de/patrick.koetter/mailrelay/#d0e149
>>
>> or is there better way to do it?
>
> In most cases it would be best to query Windows AD by LDAP without the
> need for script magic and without synchronisation delays.

No, it wouldn't. The reason for this is explained in the section "MAPS built from LDAP queries" on the same page.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky