Re: delisting from spamcannibal.org

2011-01-10 Thread Robert Schetterer
On 10.01.2011 07:51, Samuel Sappa wrote:
>> IIRC, Samuel stated in his original email, mouss, that he can successfully
>> send to gmail, yahoo, and others, but he can't receive from them.
>>
>> This sounds like he has misconfigured his Postfix server, and that his
>> problem probably has nothing to do with spamcannibal.
>>
>> Samuel, please forward a copy of your "postconf -n" output so we can
>> take a look at it and help you fix your problem.
>>
>> --
>> Stan
>>
> My problem with Postfix is now solved. It seems (IMHO) the ISP where I
> register my DNS has a problem, since Yahoo, Gmail and others
> require that the recipient FQDN hostname must resolve/reverse-resolve, from
> hostname to IP and IP to hostname; the ISP configuration only
> resolves/reverse-resolves the domain, not the hostname FQDN, and because of
> that, sending from Yahoo and Gmail did not succeed.
> But spamcannibal still cannot resolve/reverse my hostname and
> domain, since my IP is still blacklisted; my only hope is that Yahoo, Gmail
> and others don't use spamcannibal.

DNS needs time, sometimes 2 days or more, for an update (caching);
also an RBL sometimes needs time to delist.

> 
> Thank you so much for your help friends
> 
> 


-- 
Best Regards

Kind regards, Robert Schetterer

Germany/Munich/Bavaria


Question about Postfix Installation

2011-01-10 Thread Buzai Andras
Hi,

I want to install Postfix 2.7.2 by compiling it from sources.
In the INSTALL file I saw the following statement:

"In the instructions below, a command written as "#
command" should be executed as the superuser.
 A command written as "% command" should be executed as an
unprivileged user."

My question is:
   Is the user used to configure/compile the sources used in any way by
Postfix later?
   Is there any security risk if I configure/compile all the sources
as the superuser? (I am referring only to the build/installation
process)

Thank you,

Buzai


Re: another stupid question about exporting valid users from windows 2008 domain to postfix valid users map

2011-01-10 Thread lst_hoe02

Quoting Ansgar Wiechers:


On 2011-01-09 lst_ho...@kwsoft.de wrote:

Quoting Eero Volotinen:

Does this still works for windows 2008 ad? :
http://postfix.state-of-mind.de/patrick.koetter/mailrelay/#d0e149

or is there better way to do it?


In most cases it would be best to query Windows AD via LDAP, without the
need for script magic and without synchronisation delays.


No, it wouldn't. The reason for this is explained in the section "MAPS
built from LDAP queries" on the same page.


Properly set up LDAP lookups, maybe even with proxymap (persistent
connection), are really fast and cheap on the AD side. So even a Microsoft
AD should be able to withstand dictionary attacks without any problems, and
with a real DDoS against your site you are lost anyway. In fact I have
never seen or heard of AD suffering because of LDAP lookups from
Postfix. For those of a size with so many users that it may
be relevant, a separate LDAP replica for the MX servers is no problem
and much more of a solution.


Regards

Andreas






Re: another stupid question about exporting valid users from windows 2008 domain to postfix valid users map

2011-01-10 Thread Ansgar Wiechers
On 2011-01-08 Patrick Ben Koetter wrote:
> * Eero Volotinen :
>> Does this still works for windows 2008 ad? :
>> http://postfix.state-of-mind.de/patrick.koetter/mailrelay/#d0e149
>> 
>> or is there better way to do it?
> 
> The script is old. You are probably better off if you use ldifde.exe
> to query the AD and get LDIF as the export format. The rest is sed/awk
> magic.

That is one option. The VBScript below should work too.

8<
Const OutputFile = "virtual.txt"

' search base: the domain naming context taken from RootDSE
Set rootDSE = GetObject("LDAP://RootDSE")
baseDN = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">"

' open ADO connection
Set adoConn = CreateObject("ADODB.Connection")
adoConn.Provider = "ADsDSOObject"
adoConn.Open "Active Directory Provider"

' LDAP dialect command text: <base>;(filter);attributes;scope
Set adoCmd = CreateObject("ADODB.Command")
adoCmd.ActiveConnection = adoConn
adoCmd.CommandText = baseDN & ";(&(objectCategory=person)(objectClass=user));" _
  & "distinguishedName,proxyAddresses;subtree"
adoCmd.Properties("Page Size") = 100
adoCmd.Properties("Timeout") = 30
adoCmd.Properties("Cache Results") = False

Set addresses = CreateObject("Scripting.Dictionary")

' enumerate all users from AD, store all smtp addresses in a dictionary
' (to avoid duplicates; the key is the finished map line "address OK",
' so the Exists check must use that same key)
Set adoRS = adoCmd.Execute
Do Until adoRS.EOF
  If Not IsNull(adoRS.Fields("proxyAddresses").Value) Then
    For Each addr In adoRS.Fields("proxyAddresses").Value
      ' "SMTP:" is the primary address, "smtp:" a secondary one; both are wanted
      If Left(LCase(addr), 5) = "smtp:" Then
        mapLine = Mid(addr, 6) & " OK"
        If Not addresses.Exists(mapLine) Then addresses.Add mapLine, True
      End If
    Next
  End If
  adoRS.MoveNext
Loop
adoRS.Close

adoConn.Close

' create output file with Unix line breaks (Join needs an array, so use Keys)
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(OutputFile, 2, True)
f.Write Join(addresses.Keys, vbLf)
f.Close

WScript.Echo "Finished."
>8

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Order of policies?

2011-01-10 Thread Mark Alan
On Sun, 9 Jan 2011 10:17:57 -0500 (EST), Wietse Venema wrote:

> Jan Johansson:
> > I have the following config:
> > 
> > smtpd_recipient_restrictions = permit_mynetworks
> > reject_unauth_destination check_policy_service inet:127.0.0.1:10031
> >
> For that, specify reject_unlisted_recipient before permit_mynetworks.

Well then, would the following order make sense?

smtpd_recipient_restrictions =
    sleep 1,
    reject_unlisted_recipient,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10031

Regards,

M.


Re: Question about Postfix Installation

2011-01-10 Thread edacval
On 01/10/2011 11:06 AM, Buzai Andras wrote:
> Hi,
Hi
> I want to install Postfix 2.7.2 by compiling it from sources.
> In the INSTALL file I saw the following statement:
>
> "In the instructions below, a command written as "#
> command" should be executed as the superuser.
>  A command written as "% command" should be executed as an
> unprivileged user."
>
> My question is:
>    Is the user used to configure/compile the sources used in any way by
> Postfix later?
No.
>Is there any security risk if I configure/compile all the sources
> as the superuser? (I am referring only to the build/installation
> process)
Unlikely but possible.
> Thank you,
>
> Buzai



Re: Question about Postfix Installation

2011-01-10 Thread John Adams

On 10.01.2011 10:06, Buzai Andras wrote:

Hi,

I want to install Postfix 2.7.2 by compiling it from sources.
In the INSTALL file I saw the following statement:

 "In the instructions below, a command written as "#
command" should be executed as the superuser.
  A command written as "% command" should be executed as an
unprivileged user."

My question is:
Is the user used to configure/compile the sources used in any way by
Postfix later?


No.


Is there any security risk if I configure/compile all the sources
as the superuser? (I am referring only to the build/installation
process)


For installing, take a look at the software packaging procedure of your 
distro/OS. This is much cleaner than just running 'make install'.





Thank you,

Buzai




Re: Question about Postfix Installation

2011-01-10 Thread Buzai Andras
Hi,

I use Ubuntu 10.04 and the package repository does not contain the
latest Postfix release.
Also I prefer installing packages from source. This way I think I can
always learn something new.


On Mon, Jan 10, 2011 at 10:43 AM, John Adams wrote:
> On 10.01.2011 10:06, Buzai Andras wrote:
>>
>> Hi,
>>
>> I want to install Postfix 2.7.2 by compiling it from sources.
>> In the INSTALL file I saw the following statement:
>>
>>             "In the instructions below, a command written as "#
>> command" should be executed as the superuser.
>>              A command written as "% command" should be executed as an
>> unprivileged user."
>>
>> My question is:
>>    Is the user used to configure/compile the sources used in any way by
>> Postfix later?
>
> No.
>
>>    Is there any security risk if I configure/compile all the sources
>> as the superuser? (I am referring only to the build/installation
>> process)
>
> For installing, take a look at the software packaging procedure of your
> distro/OS. This is much cleaner than just running 'make install'.
>
>
>
>> Thank you,
>>
>> Buzai
>
>


Re: Question about Postfix Installation

2011-01-10 Thread Buzai Andras
>>Is there any security risk if I configure/compile all the sources
>> as the superuser? (I am referring only to the build/installation
>> process)


> Unlikely but possible.

Could you please elaborate this a little? Maybe with an example?


Thank you,

Buzai



On Mon, Jan 10, 2011 at 10:38 AM,   wrote:
> On 01/10/2011 11:06 AM, Buzai Andras wrote:
>> Hi,
> Hi
>> I want to install Postfix 2.7.2 by compiling it from sources.
>> In the INSTALL file I saw the following statement:
>>
>>             "In the instructions below, a command written as "#
>> command" should be executed as the superuser.
>>              A command written as "% command" should be executed as an
>> unprivileged user."
>>
>> My question is:
>>    Is the user used to configure/compile the sources used in any way by
>> Postfix later?
> No.
>>    Is there any security risk if I configure/compile all the sources
>> as the superuser? (I am referring only to the build/installation
>> process)


> Unlikely but possible.
Could you please elaborate this a little? Maybe with an example?

>> Thank you,
>>
>> Buzai
>
>


Re: Question about Postfix Installation

2011-01-10 Thread Reindl Harald


On 10.01.2011 11:33, Buzai Andras wrote:
> Hi,
> 
> I use Ubuntu 10.04 and the package repository does not contain the
> latest Postfix release.
> Also I prefer installing packages from source. This way I think I can
> always learn something new.

Nobody said anything against that.

"software packaging procedure of your distro/OS" is NOT apt-get;
it was meant to build an rpm/deb package instead of a dumb install
with "make install". Your system will get dirty after some updates
because old files are not removed; a package does this cleanly.

To your question about superuser:
NEVER EVER build sources as superuser, because
if there are bugs in the build process you can
damage your system, which is impossible with
restricted permissions.

rpmbuild, for example, should ALWAYS be called as an explicit user;
if there is a bug in the build process which wants to touch files
outside the build folder it fails and nothing happens. Doing this
as root overwrites files on your build system, maybe fails later,
and you have an undefined state of your system.

> On Mon, Jan 10, 2011 at 10:43 AM, John Adams wrote:
>> On 10.01.2011 10:06, Buzai Andras wrote:
>>>
>>> Hi,
>>>
>>> I want to install Postfix 2.7.2 by compiling it from sources.
>>> In the INSTALL file I saw the following statement:
>>>
>>> "In the instructions below, a command written as "#
>>> command" should be executed as the superuser.
>>>  A command written as "% command" should be executed as an
>>> unprivileged user."
>>>
>>> My question is:
>>> Is the user used to configure/compile the sources used in any way by
>>> Postfix later?
>>
>> No.
>>
>>>Is there any security risk if I configure/compile all the sources
>>> as the superuser? (I am referring only to the build/installation
>>> process)
>>
>> For installing, take a look at the software packaging procedure of your
>> distro/OS. This is much cleaner than just running 'make install'.
>>
>>
>>
>>> Thank you,
>>>
>>> Buzai

-- 

Best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/





Re: delisting from spamcannibal.org

2011-01-10 Thread Larry Stone
On 1/10/11 12:51 AM, Samuel Sappa at cihuy...@gmail.com wrote:

> My problem with Postfix is now solved. It seems (IMHO) the ISP where I
> register my DNS has a problem, since Yahoo, Gmail and others
> require that the recipient FQDN hostname must resolve/reverse-resolve, from
> hostname to IP and IP to hostname; the ISP configuration only
> resolves/reverse-resolves the domain, not the hostname FQDN, and because of
> that, sending from Yahoo and Gmail did not succeed.
> But spamcannibal still cannot resolve/reverse my hostname and
> domain, since my IP is still blacklisted; my only hope is that Yahoo, Gmail
> and others don't use spamcannibal.

You appear to be extremely confused as to how DNS and blacklists work. This
all has nothing to do with Postfix, so follow-ups should go to an appropriate
forum for DNS, but setting up the reverse DNS (IP address to name) needs to
be done by whoever owns the address space and is completely independent of
the DNS where you have your domain name registered. So it is not that the
"ISP where I register my DNS have problem" but rather, I would guess, that you
have never asked the owner of the address space to set the proper reverse
mapping.
 
-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/
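
Larry's point, as an added example that is not part of the thread: the PTR record lives in the in-addr.arpa zone of the address block, the A record in the domain's own zone, and a receiving site that insists on matching names checks both and requires them to agree. The Python below implements that forward-confirmed reverse DNS check against constructed records (example.net, the 198.51.100.0/24 block and every address in it are assumed sample data, not real DNS); the live_ptr and live_a helpers at the end use the system resolver so the same function can be pointed at a real address.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check. Added example, not from the
thread or from Postfix.

Two unrelated zones are involved. The forward zone (example.net here) is
wherever the domain is registered; the reverse zone for the address block
(100.51.198.in-addr.arpa) can only be populated by whoever holds the block.
The check passes only when the PTR for the IP names a host whose A record
leads back to the same IP. Resolver functions are injected so the example
runs offline against constructed records; live_ptr/live_a use the system
resolver for real use.
"""
import ipaddress
import socket

# Constructed records, not real DNS.
FORWARD_ZONE = {                       # name -> A records (example.net zone)
    "example.net": ["198.51.100.7"],
    "mail.example.net": ["198.51.100.7"],
    "www.example.net": ["198.51.100.8"],
}
REVERSE_ZONE = {                       # ip -> PTR records (100.51.198.in-addr.arpa)
    "198.51.100.8": ["www.example.net"],   # forward-confirms
    "198.51.100.9": ["mail.example.net"],  # PTR exists but the A record points elsewhere
    # 198.51.100.7 has no PTR at all: domain registered, address-space owner never asked.
}


def lookup_ptr(ip: str) -> list:
    return REVERSE_ZONE.get(ip, [])


def lookup_a(name: str) -> list:
    return FORWARD_ZONE.get(name.rstrip(".").lower(), [])


def fcrdns(ip: str, ptr_lookup=lookup_ptr, a_lookup=lookup_a):
    """Return (ok, reason). ok is True only for a forward-confirmed PTR."""
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(str(addr))
    if not names:
        return False, (f"no PTR at {addr.reverse_pointer}; only the holder of "
                       f"the address block can add one")
    for name in names:
        if str(addr) in a_lookup(name):
            return True, f"{addr} -> {name} -> {addr}"
    return False, f"PTR {names} for {addr} does not resolve back to {addr}"


def live_ptr(ip: str) -> list:
    """System-resolver PTR lookup for real use (not used by the offline demo)."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []


def live_a(name: str) -> list:
    """System-resolver A lookup for real use (not used by the offline demo)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        ok, reason = fcrdns(ip)
        print(f"{ip}: {'OK' if ok else 'FAIL'} ({reason})")
    # For a real MX: fcrdns("203.0.113.5", live_ptr, live_a)
```

The three constructed addresses cover the cases that come up in this thread: no PTR at all (the forward record alone, however correct, cannot fix it), a PTR that forward-confirms, and a PTR that names a host whose A record belongs to a different address, which is what a mismatch between "domain only" and "hostname FQDN" records looks like to the receiving side.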




Re: "Standard" options when compiling Postfix from source?

2011-01-10 Thread Wietse Venema
Steve Jenkins:
> Thanks, Wietse. The "vanilla" install of Postfix 2.3.3 on CentOS 5 via yum
> does indeed include an /etc/postfix/makedefs.out file.
> 
> For the benefit of anyone else looking for this info in the archives, the
> AUXLIBS and CCARGS for that CentOS version are:
> 
> AUXLIBS=' -L/usr/lib -lldap -llber -lpcre -L/usr/lib/sasl2 -lsasl2
> -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz  -pie -Wl,-z,relro'
> CCARGS='-fPIC -DHAS_LDAP -DLDAP_DEPRECATED=1 -DHAS_PCRE -I/usr/include/pcre
> -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS
> -I/usr/kerberos/include '
> 
> The 2.3.3 makedefs.out file contains the AUXLIBS "-pie -Wl,-z,relro" and a
> CCARGS of "-fPIC". Google finds lots of references to these options in
> example spec files, but nothing seems to explain what they are. What are
> they, and have they been deprecated in 2.7.2?

Ask the CENTOS people.

Wietse


Re: Question about Postfix Installation

2011-01-10 Thread John Adams

On 10.01.2011 13:37, Reindl Harald wrote:
> On 10.01.2011 11:33, Buzai Andras wrote:
>> Hi,
>>
>> I use Ubuntu 10.04 and the package repository does not contain the
>> latest Postfix release.
>> Also I prefer installing packages from source. This way I think I can
>> always learn something new.
>
> Nobody said anything against that.
>
> "software packaging procedure of your distro/OS" is NOT apt-get;
> it was meant to build an rpm/deb package instead of a dumb install
> with "make install". Your system will get dirty after some updates
> because old files are not removed; a package does this cleanly.
>
> To your question about superuser:
> NEVER EVER build sources as superuser, because
> if there are bugs in the build process you can
> damage your system, which is impossible with
> restricted permissions.


As it may take some time to build up a software packaging facility, I 
suggest you make a clean install on a VMware (or whatever you use) 
server and use this virtual host as a software building facility. There, 
you can revert to a snapshot if something goes wrong during the scripted 
packaging procedure.
I do use root permissions to build, but I do it on a build host. More 
than that, I do preliminary checks of the Makefile's capabilities (if 
there is a Makefile) before I build. These tests perhaps do not 
apply to you because I don't use Ubuntu or Debian.
Before I deploy a package, I usually test it. Are the permissions right? 
Does it install the files into the right directories? Does it create the 
needed links, devices, ...? When I configure the software and start it, 
does it start up? And then, finally, when I am sure, I deploy it to a 
production server and always have a way back to the old version if the 
new one still does not work.



> rpmbuild, for example, should ALWAYS be called as an explicit user;
> if there is a bug in the build process which wants to touch files
> outside the build folder it fails and nothing happens. Doing this
> as root overwrites files on your build system, maybe fails later,
> and you have an undefined state of your system.


To summarize:
* If avoidable, don't use root for software building
* put your software packaging facility away from your production servers
* before deploying to production, test your newly built package

This may sound like overkill. But it's worth the trouble.


>> On Mon, Jan 10, 2011 at 10:43 AM, John Adams wrote:
>>> On 10.01.2011 10:06, Buzai Andras wrote:
>>>> Hi,
>>>>
>>>> I want to install Postfix 2.7.2 by compiling it from sources.
>>>> In the INSTALL file I saw the following statement:
>>>>
>>>> "In the instructions below, a command written as "#
>>>> command" should be executed as the superuser.
>>>> A command written as "% command" should be executed as an
>>>> unprivileged user."
>>>>
>>>> My question is:
>>>> Is the user used to configure/compile the sources used in any way by
>>>> Postfix later?
>>>
>>> No.
>>>
>>>> Is there any security risk if I configure/compile all the sources
>>>> as the superuser? (I am referring only to the build/installation
>>>> process)
>>>
>>> For installing, take a look at the software packaging procedure of your
>>> distro/OS. This is much cleaner than just running 'make install'.
>>>
>>>> Thank you,
>>>>
>>>> Buzai






Re: Question about Postfix Installation

2011-01-10 Thread Wietse Venema
Reindl Harald:
> To your question about superuser:
> NEVER EVER build sources as superuser, because
> if there are bugs in the build process you can
> damage your system, which is impossible with
> restricted permissions.

As per the Postfix INSTALL instructions, compile as unprivileged
(but trusted) user, then "make install" or "make upgrade" as root.
To revert to the previous, "make" and "make upgrade" the earlier
version.

Wietse


Re: Question about Postfix Installation

2011-01-10 Thread Reindl Harald


On 10.01.2011 14:11, John Adams wrote:

> As it may take some time to build up a software packaging facility

Where is the problem with taking the source package and
replacing the program source for a rebuild?

On RHEL/Fedora you take the SRPM, install it as the build user, put
the newer tarball under SOURCES, edit the spec file and do
a "rpmbuild -bb postfix.spec". I have done this for a long time
because I rebuild all our core services with optimized
gcc flags.

To learn building/rebuilding packages for your distro
is good know-how because it affects other packages too,
and later you can deploy your version with your own repo
on thousands of machines if needed; dependencies are
resolved and so on.

> I suggest you make a clean install on a VMware

Yep, the build user, environment etc. should be a VM
here too, one for i386 and one for x86_64 :-)

> I do use root permissions to build, but I do it on a build host

Bad practice is bad practice everywhere.

Some source packages disallow this as long as you do not
modify the sources. OK, a snapshot can revert back,
but it is nicer to prevent damage instead of repairing it,
and be sure that if this happens your latest snapshot is old enough
that the revert hurts :-)

> More than that, I do preliminary checks of the
> Makefile's capabilities (if there is a Makefile) before I build. 
> These tests perhaps do not apply to you
> because I don't use Ubuntu or Debian.
> Before I deploy a package, I usually test it. Are the permissions right? Does 
> it install the files into the right
> directories? Does it create the needed links, devices, ...? When I configure 
> the software and start it, does it
> start up? And then, finally, when I am sure, I deploy it to a production 
> server and always have a way back to the
> old version if the new one still does not work.
> 
>> rpmbuild, for example, should ALWAYS be called as an explicit user;
>> if there is a bug in the build process which wants to touch files
>> outside the build folder it fails and nothing happens. Doing this
>> as root overwrites files on your build system, maybe fails later,
>> and you have an undefined state of your system.
> 
> To summarize:
> * If avoidable, don't use root for software building
> * put your software packaging facility away from your production servers
> * before deploying to production, test your newly built package
> 
> This may sound like overkill. But it's worth the trouble.
> 
>>> On Mon, Jan 10, 2011 at 10:43 AM, John Adams wrote:
>>>> On 10.01.2011 10:06, Buzai Andras wrote:
>>>>> Hi,
>>>>>
>>>>> I want to install Postfix 2.7.2 by compiling it from sources.
>>>>> In the INSTALL file I saw the following statement:
>>>>>
>>>>> "In the instructions below, a command written as "#
>>>>> command" should be executed as the superuser.
>>>>> A command written as "% command" should be executed as an
>>>>> unprivileged user."
>>>>>
>>>>> My question is:
>>>>> Is the user used to configure/compile the sources used in any way by
>>>>> Postfix later?
>>>>
>>>> No.
>>>>
>>>>> Is there any security risk if I configure/compile all the sources
>>>>> as the superuser? (I am referring only to the build/installation
>>>>> process)
>>>>
>>>> For installing, take a look at the software packaging procedure of your
>>>> distro/OS. This is much cleaner than just running 'make install'.
>>>>
>>>>> Thank you,
>>>>>
>>>>> Buzai

-- 

Best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/





Re: Question about Postfix Installation

2011-01-10 Thread John Adams

On 10.01.2011 14:23, Reindl Harald wrote:
> On 10.01.2011 14:11, John Adams wrote:
>> As it may take some time to build up a software packaging facility
>
> Where is the problem with taking the source package and
> replacing the program source for a rebuild?
>
> On RHEL/Fedora you take the SRPM, install it as the build user, put
> the newer tarball under SOURCES, edit the spec file and do
> a "rpmbuild -bb postfix.spec". I have done this for a long time
> because I rebuild all our core services with optimized
> gcc flags.

I use Slackware. There's no deb, no rpm, no spec, no dependency 
checking, no whatever you may have in Ubuntu, Debian, CentOS, RHEL, SLES 
etc..., it's not there :)
Just plain old tgz. Great, isn't it? No tight corset, it gives you all 
the freedom you may ever require.

> To learn building/rebuilding packages for your distro
> is good know-how because it affects other packages too,
> and later you can deploy your version with your own repo
> on thousands of machines if needed; dependencies are
> resolved and so on.
>
>> I suggest you make a clean install on a VMware
>
> Yep, the build user, environment etc. should be a VM
> here too, one for i386 and one for x86_64 :-)
>
>> I do use root permissions to build, but I do it on a build host
>
> Bad practice is bad practice everywhere.

A bad practice that works for me.

> Some source packages disallow this as long as you do not
> modify the sources.

Well, if you use the tarball, you can always use root. Slackware.

> OK, a snapshot can revert back,
> but it is nicer to prevent damage instead of repairing it,

Exactly. That's why I usually check the Makefile for a very specific 
capability before running 'make install DESTDIR=/installation/path'.

> and be sure that if this happens your latest snapshot is old enough
> that the revert hurts :-)

My build scripts are svn-ized :) I would just lose the time to delete 
the checkout and type svn up. 2 minutes with a cup of coffee in between?

>> More than that, I do preliminary checks of the
>> Makefile's capabilities (if there is a Makefile) before I build. These 
>> tests perhaps do not apply to you
>> because I don't use Ubuntu or Debian.
>> Before I deploy a package, I usually test it. Are the permissions right? Does 
>> it install the files into the right
>> directories? Does it create the needed links, devices, ...? When I configure 
>> the software and start it, does it
>> start up? And then, finally, when I am sure, I deploy it to a production server 
>> and always have a way back to the
>> old version if the new one still does not work.
>>
>>> rpmbuild, for example, should ALWAYS be called as an explicit user;
>>> if there is a bug in the build process which wants to touch files
>>> outside the build folder it fails and nothing happens. Doing this
>>> as root overwrites files on your build system, maybe fails later,
>>> and you have an undefined state of your system.
>>
>> To summarize:
>> * If avoidable, don't use root for software building
>> * put your software packaging facility away from your production servers
>> * before deploying to production, test your newly built package
>>
>> This may sound like overkill. But it's worth the trouble.
>>
>>>> On Mon, Jan 10, 2011 at 10:43 AM, John Adams wrote:
>>>>> On 10.01.2011 10:06, Buzai Andras wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I want to install Postfix 2.7.2 by compiling it from sources.
>>>>>> In the INSTALL file I saw the following statement:
>>>>>>
>>>>>> "In the instructions below, a command written as "#
>>>>>> command" should be executed as the superuser.
>>>>>> A command written as "% command" should be executed as an
>>>>>> unprivileged user."
>>>>>>
>>>>>> My question is:
>>>>>> Is the user used to configure/compile the sources used in any way by
>>>>>> Postfix later?
>>>>>
>>>>> No.
>>>>>
>>>>>> Is there any security risk if I configure/compile all the sources
>>>>>> as the superuser? (I am referring only to the build/installation
>>>>>> process)
>>>>>
>>>>> For installing, take a look at the software packaging procedure of your
>>>>> distro/OS. This is much cleaner than just running 'make install'.
>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> Buzai










Re: Question about Postfix Installation

2011-01-10 Thread Reindl Harald
On 10.01.2011 14:43, John Adams wrote:

>> On RHEL/Fedora you take the SRPM, install it as the build user, put
>> the newer tarball under SOURCES, edit the spec file and do
>> a "rpmbuild -bb postfix.spec". I have done this for a long time
>> because I rebuild all our core services with optimized
>> gcc flags.
> 
> I use Slackware. 

And he is using Ubuntu

>> I use Ubuntu 10.04 and the package repository does not contain the
>> latest Postfix release

And so we have a case where the distro package should be
replaced without breaking any dependencies and making
the installation base dirty without any need.

> There's no deb, no rpm, no spec, no dependency checking, 
> no whatever you may have in Ubuntu, Debian,
> CentOS, RHEL, SLES etc..., it's not there :)

In other words: a system from the 1990s.
You are not packaging because you do not want to; you cannot :-)





Re: Another "certificate verification failed ... untrusted issuer" question

2011-01-10 Thread Victor Duchovni
On Sun, Jan 09, 2011 at 10:39:49PM +, IT geek 31 wrote:

> My understanding is to prevent these errors, you obtain the root
> certificate for each server mail certificate your Postfix server
> connects to, append it to a pem file and reference it with
> smtp_tls_CAfile in main.conf.

Not worth it, you just ignore these errors. Their purpose is to enable
you to figure out why a connection that wants to "verify" certs failed,
by reading the logs. Almost nobody verifies TLS certs with email, so
the logging is harmless noise.

My own configuration of Postfix does not log certificate verification
errors for connections where certificate trust chain based authentication
is not performed ("may", "encrypt" or "fingerprint" security levels).

I'll see whether there is interest in adopting the "fine-grained" TLS
logging code in 2.9. This changes the 4 TLS log levels to a list of
features to log or not log, with 1,2,3,4 aliases for the feature lists
that correspond to the legacy levels. Last time I showed this to Wietse
in the 2.3/2.4 time-frame, there were too many other TLS features changing,
and IIRC the feature looked like overkill for most users...

The feature list is below. The recommended loglevel is "summary".
Once again, this is not in the official Postfix release, just code
that may or may not get adopted some day...

   none
      Same as the empty setting: log only handshake failures,
      success is silent.

   summary
      Log a summary message on TLS handshake completion.

   untrusted
      Log all trust chain validation errors, even with sessions that
      don't care whether the server certificate is trusted.

   verbose
      Log verbose peer certificate and status information. This
      subsumes "untrusted" and "summary".

   cache
      Log TLS session cache activity.

   certmatch
      Log all names found in the server certificate, even any ignored
      CommonName after finding subjectAltNames or any further
      subjectAltNames found after a matching name. With each name log
      whether it meets the matching criteria for the current security
      level. At the "fingerprint" security level, log matching of the
      server certificate fingerprint. This also turns on "untrusted"
      and "summary".

   debug
      Log detailed step-by-step TLS handshake progress; this subsumes
      "untrusted", "summary", "verbose" and "cache". For debugging
      only, not suitable for every-day use.

   handshake-packet-dump
      Same as "debug", plus a hexadecimal and ASCII dump of the TLS
      negotiation process is logged. Expert use only.

   session-packet-dump
      Same as "debug", plus a hexadecimal and ASCII dump of the complete
      transmission after STARTTLS is logged. Expert use only.

   0  Same as "untrusted". Backwards compatible with Postfix prior to
      2.6.

   1  Same as "0", plus "summary".

   2  Same as "debug".

   3  Same as "handshake-packet-dump".

   4  Same as "session-packet-dump".

-- 
Viktor.


Re: Question about Postfix Installation

2011-01-10 Thread John Adams



>> I use Slackware.
>
> And he is using Ubuntu

The basics still apply.

> In other words: a system from the 1990s.

... which is very up-to-date with its software, much more than CentOS 
or Debian. And because I like KISS :)

> You are not packaging because you do not want to; you cannot :-)

No no, packaging is involved there, too. The mechanism is just quite 
simple. Primitive, so to say.


Re: Question about Postfix Installation

2011-01-10 Thread Bastian Blank
On Mon, Jan 10, 2011 at 11:33:28AM +0100, Buzai Andras wrote:
> I use Ubuntu 10.04 and the package repository does not contain the
> latest Postfix release.

Ubuntu 10.04 contains 2.7.0[1], Ubuntu 10.10 contains 2.7.1[2]. You n

> Also I prefer installing packages from source. This way I think I can
> always learn something new.

Get newer packages and build them. Apply patches and rebuild the
packages.

Bastian

[1]: https://launchpad.net/ubuntu/lucid/+source/postfix
[2]: https://launchpad.net/ubuntu/maverick/+source/postfix

-- 
Insufficient facts always invite danger.
-- Spock, "Space Seed", stardate 3141.9


Re: "Sorting" mail between different servers?

2011-01-10 Thread Victor Duchovni
On Sat, Jan 08, 2011 at 07:53:58PM +, Jan Johansson wrote:

> >/etc/postfix/transport:
> >someu...@example.com    smtp:[172.31.254.160]
> >otheru...@example.com   smtp:[172.31.254.150]
> >
> ># postmap /etc/postfix/transport
> ># postfix reload
> 
> 
> Thanks. I got the answer a bit earlier on the list. I was under the 
> (incorrect) impression that transport only worked on domain level. 

It is best used that way, especially if per-user lookups involve LDAP,
MySQL or similar. A more complex, but more performant solution is to
rewrite each type of user to a suitable domain that is routed to the
right place. Then, if absolutely necessary use smtp_generic_maps to
rewrite back to the original address during SMTP delivery, but better
to have each destination accept non-public internal "route" addresses.

-- 
Viktor.


Re: Another "certificate verification failed ... untrusted issuer" question

2011-01-10 Thread Jerry
On Mon, 10 Jan 2011 09:20:08 -0500
Victor Duchovni articulated:

> I'll see whether there is interest in adopting the "fine-grained" TLS
> logging code in 2.9.

Just my 2¢; however, I think it would be worthwhile.

-- 
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Critics are like eunuchs in a harem: they know how it is done, they have
seen it done every day, but they are unable to do it themselves.

Brendan Behan


Forward all local delivered mail to specific address

2011-01-10 Thread Markus Treinen

Hello list,
I have a nicely running Postfix installation which uses both virtual and 
local users.
To prevent local mail being delivered to spool files, I have to alias 
(via /etc/aliases) the relevant users to a virtual user, which is not 
very elegant.
What I want to do is forward all mail, that _would_ be delivered locally 
to a single virtual account, without aliasing every single UNIX user.
I tried using "luser_relay", but for that to work, 
"local_recipient_maps" must be empty. But that would prevent local 
aliases in /etc/aliases to work.


What I have:
- virtual delivery for all my domains (as configured via MySQL)
- all virtual mail is aliased to some_u...@virtual.local
- all mail for @virtual.local is delivered via dovecot
- mail for local users is aliased using /etc/aliases
- some local users are aliased to virtual addresses
- existing UNIX users not being aliased are delivered via local 
transport to spool files


What I want:
- forward all mail for existing UNIX users, that are not aliased, to 
some virtual address

- mail for nonexisting UNIX users should be rejected
- aliasing for local users is important, because regular UNIX users 
should get forwarded separately


What I configured as workaround:
- I set mailbox_command to invoke sendmail to forward mail to a set 
address, instead of being saved to a spool file
- this workaround looks rather nasty, in fact, mail is processed (and 
filtered, etc.) twice before being delivered


Is there a better way to forward these mails? Perhaps via mailbox_transport?

Thanks in advance for all answers.
Markus


/etc/aliases:
root: user1
postmaster: root
abuse: postmaster
user1: us...@virtual.local

postconf -n:
alias_maps = $alias_database
biff = no
config_directory = /etc/postfix
content_filter = filter:[127.0.0.1]:10025
header_checks = pcre:/etc/postfix/header_checks
inet_protocols = all
mailbox_command = /usr/sbin/sendmail root+${LOCAL}
mydestination = $myhostname localhost.$mydomain localhost
myhostname = hostname
recipient_delimiter = +
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unauth_pipelining
    reject_invalid_helo_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_client_hostname
    check_sender_access hash:/etc/postfix/sender_access
    check_policy_service unix:external/postgrey
smtpd_sasl_path = external/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/hostname.crt.pem
smtpd_tls_key_file = /etc/ssl/private/hostname.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = HIGH:!ADH:!MD5:!SSLv2:@STRENGTH
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:500

master.cf:
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -

Re: verify db with mysql

2011-01-10 Thread Stefan
On Thursday, 6th January 2011, 21:02:17 Victor Duchovni wrote:
> On Thu, Jan 06, 2011 at 04:56:48PM +0100, Stefan Jakobs wrote:
> > > In this case, it is not as critical to set such a flag, but it is
> > > important to allow the existing scan to continue to completion, and
> > > ignore or (just note) new requests until it does. Once a scan
> > > completes, new scans can proceed either immediately (saved flag) or
> > > when next requested.
> > 
> > That's what I have implemented. If a cleanup process is already running
> > and a second cleanup process starts then the second process will quit as
> > if the database was empty and it will log a warning
> 
> No warning is necessary. With a large database the cleanup thread may
> run longer than the scheduled interval between threads. This is fine.

OK, I attached the final(?) version of the mysql-write-support patch.
Is there any chance that the patch will make it into a stable Postfix release?

Regards
Stefan

diff -ur postfix-2.7.1.orig/man/man5/mysql_table.5 postfix-2.7.1/man/man5/mysql_table.5
--- postfix-2.7.1.orig/man/man5/mysql_table.5	2008-07-21 13:50:13.0 +0200
+++ postfix-2.7.1/man/man5/mysql_table.5	2010-12-11 20:39:20.0 +0100
@@ -126,6 +126,15 @@
 .nf
 dbname = customer_database
 .fi
+.IP "\fBcache_tblname\fR"
+The name of the cache table. Postfix will perform cache cleanups
+on this table. Example:
+.nf
+cache_tblname = verify 
+.fi
+.IP
+This parameter is available with Postfix MySQL write support patch.
+
 .IP "\fBquery\fR"
 The SQL query template used to search the database, where \fB%s\fR
 is a substitute for the address Postfix is trying to resolve,
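
Review bot: the new cache_tblname entry says Postfix "will perform cache cleanups on this table" but not what a cleanup removes, when it runs, or what happens when the parameter is left unset while insert/update are configured; one sentence on each would save an operator a trip to the source. Minor: the example line `cache_tblname = verify ` carries trailing whitespace, and "available with Postfix MySQL write support patch" reads better as "available with the Postfix MySQL write-support patch" (the same phrase recurs under insert and update).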
@@ -191,6 +200,139 @@
 parameter is not specified.
 
 NOTE: DO NOT put quotes around the query parameter.
+.IP "\fBinsert\fR"
+The SQL insert template used to insert a input key, value pair into the
+database, where \fB%s\fR is a substitute for the input key and \fB%v\fR
+is a substitute for the value, e.g.
+.nf
+insert = INSERT verify SET address='%s', data='%v'
+.fi
+
+This parameter supports the following '%' expansions:
+.RS
+.IP "\fB\fB%%\fR\fR"
+This is replaced by a literal '%' character.
+.IP "\fB\fB%s\fR\fR"
+This is replaced by the input key.
+SQL quoting is used to make sure that the input key does not
+add unexpected metacharacters.
+.IP "\fB\fB%v\fR\fR"
+This is replaced by the corresponding value.
+SQL quoting is used to make sure that the value does not
+add unexpected metacharacters.
+.IP "\fB\fB%u\fR\fR"
+When the input key is an address of the form u...@domain, \fB%u\fR
+is replaced by the SQL quoted local part of the address.
+Otherwise, \fB%u\fR is replaced by the entire search string.
+If the localpart is empty, the insert is suppressed and returns
+no results.
+.IP "\fB\fB%d\fR\fR"
+When the input key is an address of the form u...@domain, \fB%d\fR
+is replaced by the SQL quoted domain part of the address.
+Otherwise, the insert is suppressed and returns no results.
+.IP "\fB\fB%[SVUD]\fR\fR"
+The upper-case equivalents of the above expansions behave in the
+\fBinsert\fR parameter identically to their lower-case counter-parts.
+.IP "\fB\fB%[1-9]\fR\fR"
+The patterns %1, %2, ... %9 are replaced by the corresponding
+most significant component of the input key's domain. If the
+input key is \fiu...@mail.example.com\fr, then %1 is \fBcom\fR,
+%2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
+unqualified or does not have enough domain components to satisfy
+all the specified patterns, the insert is suppressed and returns
+no results.
+.RE
+.IP
+This parameter is available with Postfix MySQL write support patch.
+
+NOTE: DO NOT put quotes around the query parameter.
+.IP "\fBupdate\fR"
+The SQL update template used to update a input key, value pair in the
+database, where \fB%s\fR is a substitute for the input key and \fB%v\fR
+is a substitute for the value, e.g.
+.nf
+update = UPDATE verify SET data='%v' WHERE address='%s'
+.fi
+
+This parameter supports the following '%' expansions:
+.RS
+.IP "\fB\fB%%\fR\fR"
+This is replaced by a literal '%' character.
+.IP "\fB\fB%s\fR\fR"
+This is replaced by the input key.
+SQL quoting is used to make sure that the input key does not
+add unexpected metacharacters.
+.IP "\fB\fB%v\fR\fR"
+This is replaced by the corresponding value.
+SQL quoting is used to make sure that the value does not
+add unexpected metacharacters.
+.IP "\fB\fB%u\fR\fR"
+When the input key is an address of the form u...@domain, \fB%u\fR
+is replaced by the SQL quoted local part of the address.
+Otherwise, \fB%u\fR is replaced by the entire search string.
+If the localpart is empty, the update is suppressed and returns
+no results.
+.IP "\fB\fB%d\fR\fR"
+When the input key is an address of the form u...@domain, \fB%d\fR
+is replaced by the SQL quoted domain part of the address.
+Otherwise, the update is suppressed and returns no results.
+.IP "\fB\fB%[SVUD]\fR\fR"
+The upper-case equivalents of the above expansions behave in th
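
Review bot: the NOTE that closes the insert expansions still reads "DO NOT put quotes around the query parameter", a copy of the sentence under query; it should name the insert parameter (and update presumably wants the same note). The troff escapes in the %[1-9] paragraph are lower case, `\fiu...@mail.example.com\fr`, and will not render; they should be `\fI...\fR` as in the neighbouring entries. "a input key" should be "an input key" in both the insert and update descriptions, and "the insert is suppressed and returns no results" is odd wording for a write: "the insert is skipped" says what happens. The SQL quoting the text promises for %s and %v is implemented in code that is not part of this excerpt, so it cannot be checked here; since %v carries the value written into the query template, the code half of the patch is where a reviewer has to confirm that the same quoting routine is applied to both.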

SV: "Sorting" mail between different servers?

2011-01-10 Thread Jan Johansson
> It is best used that way, especially if per-user lookups involve LDAP, MySQL
> or similar. A more complex, but more performant solution is to rewrite each
> type of user to a suitable domain that is routed to the right place. Then, if
> absolutely necessary use smtp_generic_maps to rewrite back to the original
> address during SMTP delivery, but better to have each destination accept
> non-public internal "route" addresses.

I ended up just collating the email addresses from each receiving server, and 
do an auto-updating transport with a line for each user. Not pretty, but works 
;)


Re: Forward all local delivered mail to specific address

2011-01-10 Thread Jeroen Geilman

On 1/10/11 4:28 PM, Markus Treinen wrote:

> Hello list,
> I have a nicely running Postfix installation which uses both virtual
> and local users.
> To prevent local mail being delivered to spool files, I have to alias
> (via /etc/aliases) the relevant users to a virtual user, which is not
> very elegant.


It's ass-backwards.

If you need SOME local users to deliver, but not ALL, put the domain in 
one of the virtual classes and alias the ones you DO want to deliver 
locally, to a local account.
If you don't want ANY mail to be delivered locally, then do not use 
externally-reachable local domains.


> What I want to do is forward all mail, that _would_ be delivered
> locally to a single virtual account, without aliasing every single
> UNIX user.


You just said that you don't want mail to be delivered locally. So don't 
deliver mail locally.


> I tried using "luser_relay", but for that to work,
> "local_recipient_maps" must be empty.


Where did you read that ?

luser_relay works fine with the default: local_recipient_maps = 
proxy:unix:passwd.byname $alias_maps



> But that would prevent local aliases in /etc/aliases to work.
>
> What I have:
> - virtual delivery for all my domains (as configured via MySQL)


So, no locally delivered domains at all. Sounds like you already have 
what you want.



> - all virtual mail is aliased to some_u...@virtual.local
> - all mail for @virtual.local is delivered via dovecot


That sounds incredibly complicated.
Any particular reason you're not simply delivering your virtual domains 
to dovecot ?

Or with the default postfix virtual(8) MDA ?


> - mail for local users is aliased using /etc/aliases


There is absolutely no sane reason to do this.
If you want SOME "local users" to get mail, alias them from virtual to 
local:


j...@virtual.domain    j...@localhost

the expanded local alias will still undergo local(8) alias expansion, so 
there is nothing you can't do with such a setup.


Note that, by definition, "local users" have system accounts with owned 
mailboxes.
If you mean anything else by the term "local users", we're not going to 
see eye to eye.



--
J.



RE: Relay restrictions

2011-01-10 Thread Michael.Larsen
I've been poring over this email for five days now, and just can't wrap my mind 
around what Viktor's example configuration is doing. I understand what he 
*says* it's doing, but I can't look at the configuration and "see" it. Can 
someone explain?

Specifically, I don't see where the "AND" and "OR" parts of the restrictions 
evaluation are stated or implied.

Also, what does the "catchall" in allowed-hosts do?

0.0.0.0/0 discard_all, permit

It seems to me it would discard everything that isn't explicitly allowed in the 
lines above it, regardless of the sender/recipient restrictions defined in 
main.cf. Where am I going wrong here?


-Original Message-
From: Victor Duchovni [mailto:victor.ducho...@morganstanley.com] 
Sent: Friday, December 31, 2010 12:56 PM
To: Larsen, Michael W.
Cc: postfix-users@postfix.org
Subject: Re: Relay restrictions

On Fri, Dec 31, 2010 at 12:52:04PM -0600, michael.lar...@wellsfargo.com wrote:

> Thanks for your reply. How does this configuration determine if all
> mail from a client should be relayed, or only the mail allowed by the
> allowed-sender/allowed-recipient rules? There are some hosts I don't
> want subjected to those rules.

Clients that are listed in the CIDR table (above the 0.0.0.0/0 catchall
at the bottom of the file) with a "permit" action, can do as they please.

At your request, this configuration never rejects mail, if the sender
and recipient are both "special" mail is relayed from any client. Otherwise,
mail is discarded if it is not from a specifically authorized client.

> > In that case change the client restrictions to "OR", but keep sender
> > and recipient as "AND".
> > 
> > main.cf:
> > 
> > indexed = ${default_database_type}:${config_directory}/
> > cidr = cidr:${config_directory}/
> > 
> > smtpd_restriction_classes = discard_all
> > discard_all = static:discard
> > 
> > smtpd_sender_restrictions =
> > check_sender_access ${indexed}allowed-senders
> > check_client_access ${cidr}allowed-clients,
> > 
> > smtpd_recipient_restrictions =
> > check_recipient_access ${indexed}allowed-recipients,
> > check_client_access ${cidr}allowed-clients,
> > #
> > # Required to appease validation logic, in-practice,
> > # allowed-clients will permit all IPs, some to deliver
> > # and the rest to discard.
> > #
> > reject
> > 
> > allowed-clients:
> > 192.0.2.1   permit
> > 0.0.0.0/0   discard_all, permit
> 
> -- 
>   Viktor.
> 

-- 
Viktor.


Re: Relay restrictions

2011-01-10 Thread Victor Duchovni
On Mon, Jan 10, 2011 at 01:09:18PM -0600, michael.lar...@wellsfargo.com wrote:

> I've been poring over this email for five days now, and just can't wrap
> my mind around what Viktor's example configuration is doing. I understand
> what he *says* it's doing, but I can't look at the configuration and
> "see" it. Can someone explain?
> 
> Specifically, I don't see where the "AND" and "OR" parts of the
> restrictions evaluation are stated or implied.

Each smtpd_mumble_restrictions primitive (for mumble = client, helo,
sender, recipient, data, end_of_data) is evaluated in turn. They
must ALL permit the transaction, so that's the AND.

Within each restriction list, any "OK" result short-circuits the rule,
so permit actions within a restriction list implement "OR".

> Also, what does the "catchall" in allowed-hosts do?
> 
>   0.0.0.0/0 discard_all, permit
> 
> It seems to me it would discard everything that isn't explicitly allowed
> in the lines above it, regardless of the sender/recipient restrictions
> defined in main.cf. Where am I going wrong here?

Exactly, provided the lookup is actually made! But in the proposed
configuration, the lookup is never made when the sender AND recipient
are both allowed for all clients.

The "check_client_access" is only processed if the sender or recipient
check does not return an unconditional (short-circuit) OK.

> > main.cf:
> > 
> > indexed = ${default_database_type}:${config_directory}/
> > cidr = cidr:${config_directory}/
> > 
> > smtpd_restriction_classes = discard_all
> > discard_all = static:discard
> > 
> > smtpd_sender_restrictions =
> > check_sender_access ${indexed}allowed-senders
> > check_client_access ${cidr}allowed-clients,
> > 
> > smtpd_recipient_restrictions =
> > check_recipient_access ${indexed}allowed-recipients,
> > check_client_access ${cidr}allowed-clients,
> > #
> > # Required to appease validation logic, in-practice,
> > # allowed-clients will permit all IPs, some to deliver
> > # and the rest to discard.
> > #
> > reject
> > 
> > allowed-clients:
> > 192.0.2.1   permit
> > 0.0.0.0/0   discard_all, permit

-- 
Viktor.

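Viktor's AND/OR explanation can be checked by walking the restriction lists in code. The following is an added example, not Postfix code and not from the thread: a small Python model of smtpd's evaluation order. The sample sender and recipient tables, the 203.0.113.9 client and the mailbox names are constructed; the two restriction lists, the discard_all class and the allowed-clients table are transcribed from Viktor's configuration. The trace the model returns shows that check_client_access is never consulted when both the sender and the recipient lookups return OK, and that the catch-all discards the mail as soon as either lookup fails for an unlisted client.

```python
"""Walk smtpd(8) restriction lists the way the thread describes them.

Added example, not Postfix code. Each list stops at the first result other
than DUNNO (the OR within a list); every list must allow the transaction
(the AND across lists); an access-table value may itself be a restriction
list or class, which is how "discard_all, permit" works. Parent-domain
matching, the helo/data stages and smtpd_delay_reject are left out.
"""
from ipaddress import ip_address, ip_network

OK, DUNNO, REJECT, DISCARD = "OK", "DUNNO", "REJECT", "DISCARD"
SIMPLE = {"permit": OK, "reject": REJECT, "static:discard": DISCARD}

# Constructed tables: documentation addresses (RFC 5737 / RFC 2606); only
# 192.0.2.1 and the 0.0.0.0/0 catch-all come from the thread.
INDEXED = {"allowed-senders": {"alerts@example.com": "OK"},
           "allowed-recipients": {"ops@example.net": "OK"}}
CIDR = {"allowed-clients": [(ip_network("192.0.2.1/32"), "permit"),
                            (ip_network("0.0.0.0/0"), "discard_all, permit")]}
RESTRICTION_CLASSES = {"discard_all": "static:discard"}

# Viktor's main.cf lists, transcribed from the thread (table paths dropped).
POLICY = {
    "sender": "check_sender_access allowed-senders, "
              "check_client_access allowed-clients",
    "recipient": "check_recipient_access allowed-recipients, "
                 "check_client_access allowed-clients, reject",
}


def parse_list(spec):
    """Split a restriction list into (name, table) pairs; check_*_access
    restrictions consume the following token as their table name."""
    tokens = spec.replace(",", " ").split()
    items, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        takes_arg = name.startswith("check_") and name.endswith("_access")
        items.append((name, tokens[i + 1] if takes_arg else None))
        i += 2 if takes_arg else 1
    return items


def lookup_indexed(table, address):
    """access(5) lookup order for an address: user@domain, domain, user@."""
    local, _, domain = address.partition("@")
    return next((table[k] for k in (address, domain, local + "@") if k in table), None)


def lookup_cidr(table, client_ip):
    """cidr_table(5): the first matching network wins."""
    ip = ip_address(client_ip)
    return next((action for net, action in table if ip in net), None)


def apply_action(action, session, trace):
    """A table value is a final result or a nested restriction list."""
    if action is None:
        return DUNNO
    word = action.strip().upper()
    if word in (OK, "PERMIT"):
        return OK
    if word in (REJECT, DISCARD, DUNNO):
        return word
    return evaluate(action, session, trace)


def run_restriction(name, table, session, trace):
    """Evaluate one restriction, recording that it was consulted."""
    trace.append(name if table is None else f"{name} {table}")
    if name in SIMPLE:
        return SIMPLE[name]
    if name in RESTRICTION_CLASSES:
        return evaluate(RESTRICTION_CLASSES[name], session, trace)
    if name == "check_client_access":
        hit = lookup_cidr(CIDR[table], session["client"])
    elif name in ("check_sender_access", "check_recipient_access"):
        hit = lookup_indexed(INDEXED[table], session[name.split("_")[1]])
    else:
        raise ValueError(f"restriction not modelled here: {name}")
    return apply_action(hit, session, trace)


def evaluate(spec, session, trace):
    """Walk one list; the first non-DUNNO result ends it (the OR)."""
    for name, table in parse_list(spec):
        result = run_restriction(name, table, session, trace)
        if result != DUNNO:
            return result
    return DUNNO


def decide(client, sender, recipient):
    """Run the sender and recipient stages; both must allow (the AND).
    Returns (result, stage that stopped the mail or None, restrictions used)."""
    session = {"client": client, "sender": sender, "recipient": recipient}
    trace = []
    for stage in ("sender", "recipient"):
        result = evaluate(POLICY[stage], session, trace)
        if result in (REJECT, DISCARD):
            return result, stage, trace
    return OK, None, trace  # OK or an exhausted list both let the stage pass
```

Calling `decide("203.0.113.9", "alerts@example.com", "ops@example.net")` returns OK with a trace of just the two access lookups; change the recipient to an unlisted address and the same client is discarded in the recipient stage after the catch-all entry expands into `discard_all` and then `static:discard`. The model also reproduces the corner Viktor mentions: a listed client (192.0.2.1) passes both stages through the `permit` entry without any sender or recipient being special.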

Re: Transport maps with LDAP.

2011-01-10 Thread Lauro Costa G. Borges

Citando Victor Duchovni :


> Make sure you have a robust, low-latency LDAP infrastructure. The
> trivial-rewrite service will query LDAP to determine the address class of
> each domain, and qmgr(8) uses trivial-rewrite to resolve every recipient,
> so LDAP becomes performance critical.


>> Suppose I relay for both domain1.org and domain2.org.
>>
>> Mail arrives to b...@domain1.org (and b...@domain1.org has an alias to
>> bla...@domain2.org).


> What do you mean by "has an alias"?


   I'll try to explain with an example:


I have these 2 domains:

 region1.company.com

 company.com

   Suppose every email to sa...@region1.company.com should also go to
sa...@company.com, then sa...@region1.company.com sends a copy to
sa...@company.com.





>> I would like the result to the query to be the domain I searched, AND the
>> other domains, since, in the case I have an alias, domain2.org also needs
>> to be listed as a domain a relay for.


> You are confused. Transport lookups are single valued. The lookup result
> in relay_domains is entirely ignored, only the existence of the lookup
> key in the table is significant.


   Ok, but what happens is this:

   A new email arrives to sa...@region1.company.com, when it enters the
mail system, 2 messages are put in the queue, right? One for
sa...@region1.company.com, and another to sa...@company.com. But the
transport map lookup is executed only for "region1.company.com", so
the mail to "sa...@company.com" does not have a transport, I guess.




> If you want to relay for a domain, make sure that a lookup for that
> domain returns a result when queried against the table that implements
> relay_domains.


   This is working ok, to every domain I relay for. The only problem  
is when aliases are used.





>> I think when Postfix notices it also has to deliver to
>> bla...@domain2.org, it does NOT make another search, and the only transport
>> it knows about at that moment, is "domain1.org relay:[1.2.3.10]". It seems
>> Postfix doesn't know about the transport to domain2.org


> This is completely wrong. First, you have to explain what you mean by
> an "alias", where you want the mail to be delivered, what actually
> happens (detailed unmangled logs) and show your configuration.
>
> http://www.postfix.org/DEBUG_README.html#mail



- ldap-transport.cf

version = 3
server_host = ldap://ldap.company.com:389
search_base=ou=mail,ou=services,dc=company,dc=com
result_attribute=associatedDomain
result_format=%s relay:[150.170.6.15]  #COMMENT (THIS IS the IMAP machine's ip)

query_filter=(&(objectclass=domainRelatedObject)(associatedDomain=%s))
scope = sub

- ldap-users.cf

version = 3
server_host = ldap://ldap.company.com:389
search_base=ou=%d,ou=mail,ou=services,dc=company,dc=com
result_attribute=rfc822MailMember
query_filter=(& (cn=%u)(objectclass=nisMailAlias)(AccountActive=TRUE) )
scope = sub

- ldap-domains.cf

version = 3
server_host = ldap://ldap.company.com:389
search_base=ou=mail,ou=services,dc=company,dc=com
result_attribute=associatedDomain
query_filter=(&(objectclass=domainRelatedObject)(associatedDomain=%u))
scope = sub


- main.cf

append_dot_mydomain = no
readme_directory = no
transport_maps = ldap:/etc/postfix/ldap-transport.cf
myhostname = mx.company.com
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-users.cf
local_recipient_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-users.cf
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_maps = ldap:/etc/postfix/ldap-users.cf
relay_recipient_maps = ldap:/etc/postfix/ldap-users.cf
mydestination = $myhostname, localhost.$mydomain,
ldap:/etc/postfix/ldap-domains.cf
relay_domains = ldap:/etc/postfix/ldap-domains.cf
smtpd_recipient_restrictions =  permit_mynetworks,
check_policy_service inet:127.0.0.1:10023,
reject_unauth_destination
relayhost =
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 150.170.6.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox =
smtpd_sasl_auth_enable = no
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_authenticated_header = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = no
smtpd_sender_restrictions =
mailbox_command =
smtp_use_tls = no
smtpd_tls_received_header = no
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom
content_filter=smtp-amavis:[127.0.0.1]:10024
message_size_limit = 3000


--- LOGS


 lauro1...@gmail.com sent a message to sa...@region1.company.com.

 All mail to sa...@region1.company.com should also be sent to  
sa...@company.com (which I relay for), and externalem...@yahoo.com,  
which I do not relay for. Message to externalem...@yahoo.com is sent  
with success, but to sa...@company.com not!


Jan 10 17:40:48 mx amavis[1030]: (01030-02) Passed CLEAN,  
[150.170.6.10] [150.1

Re: Transport maps with LDAP.

2011-01-10 Thread Victor Duchovni
On Mon, Jan 10, 2011 at 06:35:23PM -0200, Lauro Costa G. Borges wrote:

>>> Mail arrives to b...@domain1.org (and b...@domain1.org has an alias to
>>> bla...@domain2.org).
>>
>> What do you mean by "has an alias"?
>
>I'll try to explain with an example:
>
>
> I have these 2 domains:
>
>  region1.company.com
>
>  company.com
>
>Suppose every email to sa...@region1.company.com should also go to
> sa...@company.com, then sa...@region1.company.com sends a copy to
> sa...@company.com.

This still does not explain what "has an alias" means. What actual
*mechanisms* and *settings* are used to implement such an "alias"?

The transport table is not an aliasing mechanism. Rewriting mechanisms
are explained in:

http://www.postfix.org/ADDRESS_REWRITING_README.html

>>> I would like the result to the query to be the domain I searched, AND 
>>> the other domains, since, in the case I have an alias, domain2.org also
>>> needs to be listed as a domain a relay for.
>>
>> You are confused. Transport lookups are single valued. The lookup result
>> in relay_domains is entirely ignored, only the existence of the lookup
>> key in the table is significant.
>
>Ok, but what happens is this:
>
>  A new email arrives to sa...@region1.company.com, when it enters the
> mail system, 2 messages are put in the queue, right?

No, only one, a single message stores multiple recipient records.

> One for
> sa...@region1.company.com, and another to sa...@company.com.

Only if you have used virtual(5) to rewrite the input address to
a pair of output addresses.


> But the
> transport map lookup is executed only for "region1.company.com", so
> the mail to "sa...@company.com" does not have a transport, I guess.

No. Each recipient address in a message is subjected to a separate
(1-to-1) transport lookup.

>> This is completely wrong. First, you have to explain what you mean by
>> an "alias", where you want the mail to be delivered, what actually
>> happens (detailed unmangled logs) and show your configuration.
>>
>> http://www.postfix.org/DEBUG_README.html#mail
>
> ldap-transport.cf:
>
>   version = 3
>   server_host = ldap://ldap.company.com:389
>   search_base=ou=mail,ou=services,dc=company,dc=com
>   scope = sub
>   result_attribute=associatedDomain
>   query_filter=(&(objectclass=domainRelatedObject)(associatedDomain=%s))
>   result_format=%s relay:[150.170.6.15]

This table definition is grossly wrong. The VALUE of an LDAP transport
lookup MUST be JUST the "transport:nexthop" pair, associated with the
lookup table. If you don't have any LDAP attributes that store the
transport:nexthop string, then you use a *fixed* result_format with
no "%s" part.

> Jan 10 17:40:49 mx postfix/qmgr[14897]: warning: connect to transport 
> private/company.com relay: No such file or directory

Indeed, your transport table is incorrectly defined.

-- 
Viktor.

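To make Victor's point about the transport table concrete, here is an added example (not Postfix, OpenLDAP, or Lauro's code) that expands an LDAP result_format for %s, splits the resulting value at the first colon into transport and nexthop as transport(5) defines the pair, and checks the transport name against a constructed set of master.cf service names. Only the %s and %% expansions of ldap_table(5) are modelled. With `result_format=%s relay:[150.170.6.15]` the transport name becomes "company.com relay", which is the `private/company.com relay` socket the qmgr warning in the log complains about; a fixed result_format without %s yields a valid value.

```python
"""Why "%s relay:[host]" as an LDAP result_format breaks transport lookups.

Added example, not Postfix or OpenLDAP code. It expands result_format the
way ldap_table(5) does for %s (other expansions are not modelled), splits
the value at the first colon into transport and nexthop as transport(5)
defines it, and checks the transport name against a constructed list of
master.cf service names.
"""

# Constructed: service names a typical master.cf defines.
MASTER_SERVICES = {"smtp", "relay", "local", "virtual", "lmtp",
                   "error", "retry", "discard"}


def expand_result_format(result_format, attribute_value):
    """Substitute %s with the looked-up attribute value; %% is a literal %."""
    out, i = [], 0
    while i < len(result_format):
        ch = result_format[i]
        if ch == "%":
            spec = result_format[i + 1:i + 2]
            if spec == "s":
                out.append(attribute_value)
            elif spec == "%":
                out.append("%")
            else:
                raise ValueError(f"expansion %{spec} not modelled here")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_transport_value(value):
    """Split "transport:nexthop" at the first colon.

    Either part may be empty: ":[host]" keeps the default transport for the
    address class, and "relay" alone keeps the default nexthop.
    """
    transport, _, nexthop = value.strip().partition(":")
    return transport, nexthop


def check_transport_value(value, services=MASTER_SERVICES):
    """Return (transport, nexthop, problems) for one transport table value."""
    transport, nexthop = parse_transport_value(value)
    problems = []
    if any(ch.isspace() for ch in transport):
        problems.append(f"transport name {transport!r} contains whitespace")
    if transport and transport not in services:
        problems.append(f"no master.cf service {transport!r}; qmgr would try "
                        f"to connect to private/{transport}")
    return transport, nexthop, problems
```

Running `check_transport_value(expand_result_format("%s relay:[150.170.6.15]", "company.com"))` reports both a whitespace-containing transport name and a missing service, while `"relay:[150.170.6.15]"` parses cleanly to `("relay", "[150.170.6.15]")`.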

TLS Not Available, Bad Syntax

2011-01-10 Thread Bryan Harrison
I've recently migrated services to a new mailserver, which has of course 
promptly started kicking out dire errors that didn't show during testing.

Here's an example transcript, postconf -n is below

Out: 220 gilded-bat.laughingboot.net ESMTP Postfix
In:  EHLO [10.2.45.174]
Out: 250-gilded-bat.laughingboot.net
Out: 250-PIPELINING
Out: 250-SIZE 6291456
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In:  STARTTLS
Out: 454 4.7.0 TLS not available due to local problem
In:  ???
Out: 502 5.5.2 Error: command not recognized
In:  ??
Out: 502 5.5.2 Error: command not recognized
In:
Out: 500 5.5.2 Error: bad syntax

If there's more information in the logs, I'm not finding it, but I'm relatively 
inexperienced with postfix and so may well be missing something.

I'd be happy to disable SSL/TLS for now, just to get things running clean.

Thanks for any help you can provide.  I'm not sure how to proceed.

-Bryan


address_verify_map = hash:$data_directory/verify_cache
address_verify_sender = postmas...@laughingboot.net
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 6291456
mydestination = $myhostname localhost.$mydomain localhost
mydomain = laughingboot.net
mydomain_fallback = localhost
myhostname = gilded-bat.laughingboot.net
mynetworks = 127.0.0.0/8 65.101.147.66 75.146.60.115 75.146.60.123
    75.146.60.124 75.146.60.125
newaliases_path = /usr/bin/newaliases
owner_request_special = no
permit_mx_backup_networks = $mynetworks
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps = 
relayhost = 
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_sasl_authenticated permit_mynetworks
    reject_rbl_client zen.spamhaus.org permit
smtpd_data_restrictions = permit_mynetworks reject_unauth_pipelining
    reject_multi_recipient_bounce permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks
    check_helo_access hash:/etc/postfix/helo_access reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname permit
smtpd_pw_server_security_options = cram-md5,login,plain,gssapi
smtpd_recipient_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain permit_mynetworks
    permit_sasl_authenticated permit_mx_backup
    reject_unauth_destination check_policy_service unix:private/policy
    reject_non_fqdn_hostname reject_invalid_hostname
    reject_unlisted_recipient reject_rhsbl_recipient zen.spamhaus.org
    warn_if_reject reject_unknown_recipient_domain warn_if_reject
    reject_unverified_recipient permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks
    reject_non_fqdn_sender reject_rhsbl_sender zen.spamhaus.org
    reject_unknown_sender_domain reject_unverified_sender permit
smtpd_tls_exclude_ciphers = SSLv2 aNULL ADH eNULL
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = no
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps
    hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users



Re: TLS Not Available, Bad Syntax

2011-01-10 Thread Ralf Hildebrandt
* Bryan Harrison :
> I've recently migrated services to a new mailserver, which has of course 
> promptly started kicking out dire errors that didn't show during testing.

You are running gilded-bat.laughingboot.net?

> If there's more information in the logs, I'm not finding it, but I'm 
> relatively inexperienced with postfix and so may well be missing something.

egrep "(error|warning|fatal):" /var/log/mail.log


-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: TLS Not Available, Bad Syntax

2011-01-10 Thread Jeroen Geilman

On 1/10/11 10:04 PM, Bryan Harrison wrote:
> I've recently migrated services to a new mailserver, which has of
> course promptly started kicking out dire errors that didn't show
> during testing.
>
> Here's an example transcript, postconf -n is below
>
> Out: 220 gilded-bat.laughingboot.net ESMTP Postfix
> In:  EHLO [10.2.45.174]
> Out: 250-gilded-bat.laughingboot.net
> Out: 250-PIPELINING
> Out: 250-SIZE 6291456
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In:  STARTTLS
> Out: 454 4.7.0 TLS not available due to local problem



Of course, you cannot actually *START* TLS from a telnet commandline; 
I'd suggest you use OpenSSL's s_client to test an encrypted connection.


Do you have logs that show problem with TLS ?
Examples are not nearly as relevant as logs showing the actual problem 
as it occurs.



> If there's more information in the logs,


The above is not in any logs, it is a telnet transcript.

Postfix logs to the mail facility of syslog, look in your OS' 
documentation on how that is configured.



> smtpd_enforce_tls = no
> smtpd_pw_server_security_options = cram-md5,login,plain,gssapi
> smtpd_tls_exclude_ciphers = SSLv2 aNULL ADH eNULL
> smtpd_tls_loglevel = 0
> smtpd_use_pw_server = yes
> smtpd_use_tls = no


These settings are very old; which version of postfix are you using ?



--
J.



not to split message across multiple domain?

2011-01-10 Thread Zhou, Yan
Hi there, 

I am using local transport to process messages from Postfix. When a
message arrives, Postfix will call a script, passing in the message,
which we will process.

If a user sends a message with multiple recipients (in two different
domains) to Postfix, I noticed that Postfix will create two messages,
one for each domain. The number of separate messages Postfix creates is
equivalent to the number of different domains.

Is there a way to force Postfix to create a single message for all
recipients, no matter how many different domains there are?  In other
words, if the sender sends a single message, Postfix will generate one
single message.

Thanks,
 Yan






Confidentiality Notice: The information contained in this electronic 
transmission is confidential and may be legally privileged. It is intended only 
for the addressee(s) named above. If you are not an intended recipient, be 
aware that any disclosure, copying, distribution or use of the information 
contained in this transmission is prohibited and may be unlawful. If you have 
received this transmission in error, please notify us by telephone (513) 
229-5500 or by email (postmas...@medplus.com). After replying, please erase it 
from your computer system.


Re: TLS Not Available, Bad Syntax

2011-01-10 Thread Victor Duchovni
On Mon, Jan 10, 2011 at 01:04:02PM -0800, Bryan Harrison wrote:

> I've recently migrated services to a new mailserver, which has of course
> promptly started kicking out dire errors that didn't show during testing.
> 
> Here's an example transcript, postconf -n is below
> 
> Out: 220 gilded-bat.laughingboot.net ESMTP Postfix
> In:  EHLO [10.2.45.174]
> Out: 250-gilded-bat.laughingboot.net
> Out: 250-PIPELINING
> Out: 250-SIZE 6291456
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In:  STARTTLS
> Out: 454 4.7.0 TLS not available due to local problem

Your server is misconfigured, perhaps no certificate and/or matching
private key, ...

> In:  ???
> Out: 502 5.5.2 Error: command not recognized

The client is broken, and sends an SSL HELLO even though STARTTLS was
rejected. Server logs are MUCH MORE useful than session transcripts.

> smtpd_pw_server_security_options = cram-md5,login,plain,gssapi
> smtpd_use_pw_server = yes

Apple's Postfix.

> smtpd_tls_exclude_ciphers = SSLv2 aNULL   ADH eNULL

Why? eNULL is automatically excluded, and ADH is good to enable,
there's no harm in aNULL, especially if you don't configure keys!

As for SSLv2 if your OpenSSL or Postfix is new enough, that's automatic,
otherwise, best to turn off the protocol, not the ciphersuites, but
if opportunistic protocol controls are in your Postfix version,
that's the only element here that makes some sense.

> smtpd_tls_loglevel = 0
> smtpd_use_tls = no

No certificate or key configured. I don't see a setting for
"smtpd_tls_security_level", perhaps there's more in master.cf, but
that would not be a good place to specify the keys...

-- 
Viktor.


Re: not to split message across multiple domain?

2011-01-10 Thread Jeroen Geilman

On 1/10/11 10:13 PM, Zhou, Yan wrote:

> Hi there,
>
> I am using local transport to process messages from Postfix. When a
> message arrives, Postfix will call a script, passing in the message,
> which we will process.
>
> If a user sends a message with multiple recipients (in two different
> domains) to Postfix, I noticed that Postfix will create two messages,
> one for each domain. The number of separate messages Postfix creates is
> equivalent to the number of different domains.
>
> Is there a way to force Postfix to create a single message for all
> recipients, no matter how many different domains there are?  In other
> words, if the sender sends a single message, Postfix will generate one
> single message.


You could set your relay_transport to the script in question.

Note that this is one of the few instances where altering 
relay_transport is warranted.




> Thanks,
>   Yan
>
> Confidentiality Notice: The information contained in this electronic
> transmission is confidential and may be legally privileged. It is intended only
> for the addressee(s) named above. If you are not an intended recipient, be
> aware that any disclosure, copying, distribution or use of the information
> contained in this transmission is prohibited and may be unlawful. If you have
> received this transmission in error, please notify us by telephone (513)
> 229-5500 or by email (postmas...@medplus.com). After replying, please erase it
> from your computer system.


Okeydokey, erased!


--
J.



Re: TLS Not Available, Bad Syntax

2011-01-10 Thread Bryan Harrison
Thanks for the blindingly quick reply.

> * Bryan Harrison :
>> I've recently migrated services to a new mailserver, which has of course 
>> promptly started kicking out dire errors that didn't show during testing.
> 
> You are running gilded-bat.laughingboot.net?

Yes.

> 
>> If there's more information in the logs, I'm not finding it, but I'm 
>> relatively inexperienced with postfix and so may well be missing something.
> 
> egrep "(error|warning|fatal):" /var/log/mail.log
> 

See below, and thanks.

Jan 10 12:59:26 gilded-bat postfix/smtpd[2962]: warning: 115.73.168.41: 
hostname adsl.viettel.vn verification failed: nodename nor servname provided, 
or not known
Jan 10 12:59:31 gilded-bat postfix/smtpd[2998]: warning: 72.9.103.93: hostname 
72-9-103-93.reverse.ezzi.net verification failed: nodename nor servname 
provided, or not known
Jan 10 12:59:36 gilded-bat postfix/smtpd[2962]: warning: 189.35.48.61: hostname 
bd23303d.virtua.com.br verification failed: nodename nor servname provided, or 
not known
Jan 10 13:00:39 gilded-bat postfix/smtpd[3076]: warning: No server certs 
available. TLS won't be enabled
Jan 10 13:00:39 gilded-bat postfix/smtpd[3076]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:00:45 gilded-bat postfix/smtpd[2962]: warning: 125.163.36.208: 
hostname 208.subnet125-163-36.speedy.telkom.net.id verification failed: 
nodename nor servname provided, or not known
Jan 10 13:01:11 gilded-bat postfix/smtpd[2962]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:01:41 gilded-bat postfix/smtpd[2976]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:02:34 gilded-bat postfix/smtpd[3104]: warning: 189.114.29.204: 
hostname 189.114.29.204.static.host.gvt.net.br verification failed: nodename 
nor servname provided, or not known
Jan 10 13:03:15 gilded-bat postfix/smtpd[3191]: warning: No server certs 
available. TLS won't be enabled
Jan 10 13:03:15 gilded-bat postfix/smtpd[3191]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:03:24 gilded-bat postfix/smtpd[2943]: warning: 189.62.135.210: 
hostname bd3e87d2.virtua.com.br verification failed: nodename nor servname 
provided, or not known
Jan 10 13:03:47 gilded-bat postfix/smtpd[2943]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:04:18 gilded-bat postfix/smtpd[2962]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:05:11 gilded-bat postfix/smtpd[2998]: warning: 189.145.114.121: 
hostname dsl-189-145-114-121-dyn.prod-infinitum.com.mx verification failed: 
nodename nor servname provided, or not known
Jan 10 13:05:44 gilded-bat postfix/smtpd[2976]: warning: 92.10.246.251: 
hostname host-92-10-246-251.as43234.net verification failed: nodename nor 
servname provided, or not known
Jan 10 13:05:51 gilded-bat postfix/smtpd[3268]: warning: No server certs 
available. TLS won't be enabled
Jan 10 13:05:51 gilded-bat postfix/smtpd[3268]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:06:01 gilded-bat postfix/smtpd[2976]: warning: 187.41.55.207: 
hostname 18741055207.user.veloxzone.com.br verification failed: nodename nor 
servname provided, or not known
Jan 10 13:06:24 gilded-bat postfix/smtpd[2962]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:06:54 gilded-bat postfix/smtpd[2998]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:07:09 gilded-bat postfix/smtpd[2943]: warning: 77.72.251.34: hostname 
c-251-34.idea-tele.com verification failed: nodename nor servname provided, or 
not known
Jan 10 13:08:16 gilded-bat postfix/smtpd[3334]: warning: 174.124.70.13: 
hostname 174-124-70-13.dyn.centurytel.net verification failed: nodename nor 
servname provided, or not known
Jan 10 13:08:28 gilded-bat postfix/smtpd[3362]: warning: No server certs 
available. TLS won't be enabled
Jan 10 13:08:28 gilded-bat postfix/smtpd[3362]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:09:00 gilded-bat postfix/smtpd[3338]: warning: 166.205.141.237: 
hostname 166-205-141-237.mobile.mymmode.com verification failed: nodename nor 
servname provided, or not known
Jan 10 13:09:09 gilded-bat postfix/smtpd[3

Re: TLS Not Available, Bad Syntax

2011-01-10 Thread Jeroen Geilman

On 1/10/11 10:40 PM, Bryan Harrison wrote:



> Jan 10 13:00:39 gilded-bat postfix/smtpd[3076]: warning: No server certs
> available. TLS won't be enabled


As Victor correctly surmised.


--
J.



Re: TLS Not Available, Bad Syntax

2011-01-10 Thread Ralf Hildebrandt
* Bryan Harrison :

> Jan 10 13:00:39 gilded-bat postfix/smtpd[3076]: warning: No server certs 
> available. TLS won't be enabled
> Jan 10 13:03:15 gilded-bat postfix/smtpd[3191]: warning: No server certs 
> available. TLS won't be enabled
> Jan 10 13:05:51 gilded-bat postfix/smtpd[3268]: warning: No server certs 
> available. TLS won't be enabled
> Jan 10 13:08:28 gilded-bat postfix/smtpd[3362]: warning: No server certs 
> available. TLS won't be enabled

ookay. Maybe install some x.509 certificates!

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de
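To turn Victor's review of the quoted postconf -n output and the "No server certs available" warning above into a repeatable check, here is an added example (not from the thread and not Postfix code) that parses a postconf -n dump and reports the legacy TLS switches, the missing certificate, and cipher exclusions that belong in smtpd_tls_protocols instead. Both dumps are constructed; the certificate and key paths in the fixed one are placeholders.

```python
import re

# Constructed `postconf -n` excerpt, modelled on the one quoted in this thread.
WEAK_POSTCONF = """\
smtpd_enforce_tls = no
smtpd_pw_server_security_options = cram-md5,login,plain,gssapi
smtpd_tls_exclude_ciphers = SSLv2 aNULL ADH eNULL
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = no
"""

# Constructed counterpart: opportunistic TLS with a certificate, SSLv2 turned
# off as a protocol rather than listed as a "cipher". Paths are placeholders.
FIXED_POSTCONF = """\
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd-cert.pem
smtpd_tls_key_file = /etc/postfix/smtpd-key.pem
smtpd_tls_protocols = !SSLv2
smtpd_tls_loglevel = 1
"""

# Pre-2.3 switches and the smtpd_tls_security_level each one implies when "yes".
LEGACY_TLS_SWITCHES = {"smtpd_use_tls": "may", "smtpd_enforce_tls": "encrypt"}


def parse_postconf(text):
    """Parse `key = value` lines into a dict; a repeated key keeps its last value."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            params[key.strip()] = value.strip()
    return params


def check_smtpd_tls(params):
    """Return (severity, message) findings; an empty list means nothing to report."""
    findings = []
    for switch, implied in LEGACY_TLS_SWITCHES.items():
        if switch in params:
            findings.append(("info", f"{switch} is a legacy switch; {switch} = yes "
                             f"means smtpd_tls_security_level = {implied}"))
    level = params.get("smtpd_tls_security_level", "none")
    legacy_on = any(params.get(s) == "yes" for s in LEGACY_TLS_SWITCHES)
    if level == "none" and not legacy_on:
        findings.append(("warning", "server TLS is not enabled in main.cf; if "
                         "STARTTLS is still offered, look for -o overrides in master.cf"))
    if "smtpd_tls_cert_file" not in params:
        # smtpd_tls_key_file defaults to the cert file, so only the cert is mandatory.
        findings.append(("warning", "no smtpd_tls_cert_file: smtpd logs 'No server "
                         "certs available. TLS won't be enabled' and answers 454"))
    excluded = set(re.split(r"[\s,]+", params.get("smtpd_tls_exclude_ciphers", "")))
    excluded.discard("")
    if "eNULL" in excluded:
        findings.append(("info", "eNULL is excluded by Postfix already; listing it is redundant"))
    if excluded & {"aNULL", "ADH"}:
        findings.append(("info", "excluding aNULL/ADH buys nothing for opportunistic TLS"))
    if "SSLv2" in excluded:
        findings.append(("info", "SSLv2 is a protocol, not a cipher: use "
                         "smtpd_tls_protocols = !SSLv2 instead"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POSTCONF), ("fixed", FIXED_POSTCONF)):
        for severity, message in check_smtpd_tls(parse_postconf(text)) or [("ok", "no findings")]:
            print(f"{label}: {severity}: {message}")
```

Run it against `postconf -n` output saved to a file and the two warnings are the ones to act on first; the info lines are cosmetic until the certificate is in place.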



Re: Order of policies?

2011-01-10 Thread mouss
Le 10/01/2011 10:33, Mark Alan a écrit :
> On Sun, 9 Jan 2011 10:17:57 -0500 (EST), Wietse Venema
>  wrote:
> 
>> Jan Johansson:
>>> I have the following config:
>>>
>>> smtpd_recipient_restrictions = permit_mynetworks
>>> reject_unauth_destination check_policy_service inet:127.0.0.1:10031
>>>
>> For that, specify reject_unlisted_recipient before permit_mynetworks.
> 
> Well then, would the following order make sense?
> 
> smtpd_recipient_restrictions = sleep 1,
> reject_unlisted_recipient, reject_unauth_pipelining,
> reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
> reject_non_fqdn_sender, reject_non_fqdn_recipient,
> reject_unknown_sender_domain, reject_unknown_recipient_domain,
> permit_sasl_authenticated, permit_mynetworks,
> reject_unauth_destination,check_policy_service inet:127.0.0.1:10031
> 

make that


smtpd_recipient_restrictions =
reject_non_fqdn_sender
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
sleep 1
reject_unlisted_recipient
reject_unlisted_sender
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
#reject_unknown_sender_domain
#reject_rbl_client zen.spamhaus.org
check_policy_service ${policy_service}

details:

- I am assuming that: you should queue errors for your own users (so
permit_* comes soon)
- reject_unknown_recipient_domain is only useful in an MSA. and even
then... (you want to bounce not reject. because MUAs are bad when it
comes to reject).
- reject_unauth_pipelining is useless here. check the pipelining specs.
(RCPT TO is an async command...)
- experience here shows that reject_unknown_sender_domain only rejects
legit mail.
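To compare the two orderings above (Wietse's reject_unlisted_recipient before permit_mynetworks, and mouss's permit_* first) on identical sessions, here is an added example, not Postfix code, that models a handful of restrictions with the rule smtpd applies: the list is walked in order and the first PERMIT or REJECT decides, DUNNO moves on, and running off the end permits. The networks, domain, recipient table and sessions are constructed stand-ins.

```python
import ipaddress

# Constructed stand-ins for main.cf settings and the local recipient table.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.com"}
LOCAL_RECIPIENTS = {"alice@example.com", "bob@example.com"}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def permit_mynetworks(s):
    client = ipaddress.ip_address(s["client"])
    return "PERMIT" if any(client in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(s):
    return "PERMIT" if s.get("sasl_user") else "DUNNO"


def reject_unauth_destination(s):
    # Relay control: only domains we are responsible for get past this point.
    return "DUNNO" if _domain(s["rcpt"]) in MYDESTINATION else "REJECT"


def reject_unlisted_recipient(s):
    # Only looks at our own domains: an unknown local mailbox is rejected at
    # RCPT time instead of being accepted and bounced later.
    if _domain(s["rcpt"]) in MYDESTINATION and s["rcpt"].lower() not in LOCAL_RECIPIENTS:
        return "REJECT"
    return "DUNNO"


def reject_non_fqdn_sender(s):
    # The null sender of a bounce has no domain and is never rejected here.
    return "REJECT" if s["sender"] and "." not in _domain(s["sender"]) else "DUNNO"


def reject_non_fqdn_recipient(s):
    return "REJECT" if "." not in _domain(s["rcpt"]) else "DUNNO"


RESTRICTIONS = {f.__name__: f for f in (
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    reject_unlisted_recipient, reject_non_fqdn_sender, reject_non_fqdn_recipient)}

# The two orders from the thread, reduced to the restrictions modelled here.
WIETSE_ORDER = ["reject_unlisted_recipient", "permit_mynetworks", "reject_unauth_destination"]
MOUSS_ORDER = ["reject_non_fqdn_sender", "reject_non_fqdn_recipient",
               "permit_sasl_authenticated", "permit_mynetworks",
               "reject_unauth_destination", "reject_unlisted_recipient"]

# Constructed sessions: client IP, MAIL FROM and RCPT TO (plus SASL user if any).
SESSIONS = {
    "internal_unknown_rcpt": {"client": "192.0.2.10", "sender": "alice@example.com",
                              "rcpt": "nosuch@example.com"},
    "external_relay_attempt": {"client": "203.0.113.5", "sender": "sender@other.example",
                               "rcpt": "someone@other.example"},
    "external_non_fqdn_sender": {"client": "203.0.113.5", "sender": "root",
                                 "rcpt": "alice@example.com"},
}


def evaluate(order, session):
    """Return (verdict, deciding restriction); end of list permits, as in smtpd."""
    for name in order:
        verdict = RESTRICTIONS[name](session)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "end-of-list"


if __name__ == "__main__":
    for label, session in SESSIONS.items():
        print(label, "wietse:", evaluate(WIETSE_ORDER, session),
              "mouss:", evaluate(MOUSS_ORDER, session))
```

The first session is the one the two orders disagree on: unknown local recipients from mynetworks are rejected at RCPT time in one order and accepted (to bounce later) in the other, which is exactly the "queue errors for your own users" trade-off mouss describes.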



Re: not to split message across multiple domain?

2011-01-10 Thread mouss
Le 10/01/2011 22:13, Zhou, Yan a écrit :
> Hi there,
> 
> I am using local transport to process messages from Postfix. When a
> message arrives, Postfix will call a script, passing in the message,
> which we will process.
> 
> If a user sends a message with multiple recipients (in two different
> domains) to Postfix, I noticed that Postfix will create two messages,
> one for each domain. The number of separate messages Postfix creates is
> equivalent to the number of different domains.
> 
> Is there a way to force Postfix to create a single message for all
> recipients, no matter how many different domains there are?  In other
> words, if the sender sends a single message, Postfix will generate one
> single message.
> 

if a message is to be sent to many domains, then it will use multiple
network connections. thus, multiple messages.

in short, there is no way to send a message to mo...@domain1.example and
mo...@domain2.example using a single connection unless both domains are
hosted on the same server (same MX).

what problem are you trying to solve exactly?


Re: not to split message across multiple domain?

2011-01-10 Thread Wietse Venema
Zhou, Yan:
> Hi there,
> 
> I am using local transport to process messages from Postfix. When a
> message arrives, Postfix will call a script, passing in the message,
> which we will process.
> 
> If a user sends a message with multiple recipients (in two different
> domains) to Postfix, I noticed that Postfix will create two messages,
> one for each domain. The number of separate messages Postfix creates is
> equivalent to the number of different domains.

Postfix schedules the delivery by domain. This means that all
the domains in mydestination deliver separately. One could
call this a missed opportunity for optimization:

Jan 10 17:11:34 hostname postfix/qmgr[1978]: 9A5F99247AD:
from=, size=376, nrcpt=2 (queue active)
Jan 10 17:11:34 hostname postfix/local[10566]: 9A5F99247AD:
to=, orig_to=,
relay=local, delay=0.36, delays=0.27/0.06/0/0.03, dsn=2.0.0,
status=sent (delivered to mailbox)
Jan 10 17:11:36 hostname postfix/local[10567]: 9A5F99247AD:
to=, orig_to=,
relay=local, delay=1.5, delays=0.27/0.07/0/1.2, dsn=2.0.0,
status=sent (delivered to mailbox)

With delivery agents other than local(8) such optimization may not
be safe because Postfix doesn't really know if the delivery is
local (for example someone could override virtual_transport with
something that delivers different domains via LMTP).

Wietse


Network Ideas

2011-01-10 Thread Jonathan Tripathy

Hi Everyone,

Not really an issue directly related to postfix, however I'm sure I can
get some good ideas here.


I wish to host managed email servers for some customers. Each customer 
will have their own email server which will be an all-in-one virtual 
machine running postfix, dovecot and some webmail suite.


Even though each customer will have their own server, I do not wish to
give each email server its own public facing IP. I wish to make use of
proxy servers so all customers use the same public IP. As for the
"smtp-in" from the public internet, this isn't a problem as I can set up
many mx servers (using postfix of course) which will store-and-forward
the mail to the correct server (using transport maps). As for the IMAP
access from the customer, I was thinking of using perdition which is an
IMAP proxy - I believe that this will suit my needs.


I am confused however on what to use for the "smtp-out" proxy. The
customers will have to authenticate with their respective email server,
however they will have to go via a proxy of some sort as they won't have
direct access to their server instance. It probably can't be a
store-and-forward proxy either.


Does anyone have any idea on what I could use here?

Many Thanks


Re: not to split message across multiple domain?

2011-01-10 Thread Robert Linden

Hello Yan,

Zhou, Yan wrote:
> Hi there,
> 
> I am using local transport to process messages from Postfix. When a
> message arrives, Postfix will call a script, passing in the message,
> which we will process.
> 
> If a user sends a message with multiple recipients (in two different
> domains) to Postfix, I noticed that Postfix will create two messages,
> one for each domain. The number of separate messages Postfix creates is
> equivalent to the number of different domains.
> 
> Is there a way to force Postfix to create a single message for all
> recipients, no matter how many different domains there are?  In other
> words, if the sender sends a single message, Postfix will generate one
> single message.

that sounds a lot like a question I had a few weeks ago. You will find
it, and the solution, in the list-archive:
http://www.mail-archive.com/postfix-users@postfix.org/msg30618.html
Maybe it helps in your case too.

All the best,
rob

--
tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Geschäftsführer: Boris Esser, Elmar Geese
HRB AG Bonn 5168 - USt-ID (VAT): DE122264941

Heilsbachstraße 24,  53123 Bonn,   Telefon: +49 228 52675-0
Thiemannstraße 36 a, 12059 Berlin, Telefon: +49 30 5682943-30
Internet: http://www.tarent.de/  * Telefax: +49 228 52675-25


MX Priority

2011-01-10 Thread Ramesh

Hi,

I have a few queries about changing mail priority level. Presently we are
taking mail service from a mail service provider; we want to bring up our
own mail server as primary.

MX entries

example.com mail is handled by 0 example.com.
example.com mail is handled by 10 mailhub.example.com.

Yesterday I changed priority 0 to 20, making mailhub (lowest priority value,
10) the primary mail server for example.com.

When I send mail to x...@example.com from Yahoo, the maillog in mailhub
shows 554 5.7.1 (Relay access denied), but I can send mail from mailhub
through webmail.

I would like to know...
1) If we change MX priority, how much time will it take to update the priority level?
2) If it takes more time, where are new mails queued during this period?

Please suggest things to follow for migrating the primary to the secondary mail
server.

Thanks and Regards,
Ramesh



Re: MX Priority

2011-01-10 Thread Noel Jones

On 1/10/2011 11:13 PM, Ramesh wrote:


> Hi,
>
> I have a few queries about changing mail priority level. Presently we are
> taking mail service from a mail service provider; we want to bring up our
> own mail server as primary.
>
> MX entries
>
> example.com mail is handled by 0 example.com.
> example.com mail is handled by 10 mailhub.example.com.
>
> Yesterday I changed priority 0 to 20, making mailhub (lowest priority value,
> 10) the primary mail server for example.com.
>
> When I send mail to x...@example.com from Yahoo, the maillog in mailhub
> shows 554 5.7.1 (Relay access denied), but I can send mail from mailhub
> through webmail.



"relay access denied" means that example.com is not listed in 
mydestination, virtual_domains, virtual_alias_domains, or 
relay_domains.  Postfix doesn't think it's responsible for 
that domain.




> I would like to know...
> 1) If we change MX priority, how much time will it take to update the priority level?


Depends on your DNS TTL and if the remote site has your 
records cached.  Anywhere from a couple minutes to a couple 
weeks for sites that have the old records cached.  No delay 
for sites that don't have your records cached.




> 2) If it takes more time, where are new mails queued during this period?


Mail will be sent to the old primary if that's what remote 
sites have cached.




> Please suggest things to follow for migrating the primary to the secondary mail
> server.


It's customary to reduce your DNS TTL a few days prior to 
planned changes.





> Thanks and Regards,
> Ramesh





-- Noel Jones


Re: MX Priority

2011-01-10 Thread ramesh srinivas
Hi Noel,

example.com is listed in main.cf; here are the entries. After listing it in relay_domains, I
can see in the maillog that mailhub starts relaying to the old primary mail server.

mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, mailhub.example.com
relay_domains = $mydomain

As you suggested, I will check the DNS TTL.

So we can pull mails from the old mail server till the priority level updates?

Thanks for suggestions.

Regards,
Ramesh



