Re: Relaying fails but sending is deferred instead of bouncing mail
On 4/8/2011 2:45 AM, Ralf Hildebrandt wrote:
> * Jean-Sébastien Kroll-Rabotin:
>> Hi,
>>
>> When my Postfix server sends some mail from addresses in the local domain, permanent errors (5XX) are treated as temporary errors (4XX) and mail is delayed while it should definitely fail.
>
> From your logs I cannot see WHEN (at which stage of the SMTP dialogue) the rejection occurs. I think the rejection occurs immediately (before the HELO)
>
> Try:
> smtp_skip_5xx_greeting = no

In my experience RBL rejection is quite immediate indeed.

Just to source it:

[snapshot-2507] For the sake of Sendmail compatibility, the Postfix SMTP client skips over SMTP servers that greet with a 4XX or 5XX reply code, treating them as unreachable servers. To obtain prior behavior (4XX=retry, 5XX=bounce), specify "smtp_skip_4xx_greeting = no" and "smtp_skip_5xx_greeting = no".

I imagine the rationale is that if you hit an RBL, it is after all "real-time" and retrying later MAY work; especially if the admin sees the log and takes immediate corrective measures. I have also had the odd experience where one MX server of a domain has weeks-old RBL cached data and another in the same farm is current so it's worth it for Postfix outbound to consider the MX merely unreachable and to "shop around".

-Daniel
Solved: Relaying fails but sending is deferred instead of bouncing mail
> [snapshot-2507] For the sake of Sendmail compatibility, the
> Postfix SMTP client skips over SMTP servers that greet with a 4XX
> or 5XX reply code, treating them as unreachable servers. To obtain
> prior behavior (4XX=retry, 5XX=bounce), specify
> "smtp_skip_4xx_greeting = no" and "smtp_skip_5xx_greeting = no".

Wow, thanks a lot, it solved my problem!

I did not find this config line in the documentation (probably because I searched wrong keywords as I did not know Postfix considered these relays as unreachable) and help on IRC yielded no success.

Thank you for your kind help.

J.-S.
Restrict sending one mail per sasl login
Hi all,

Is it possible in Postfix to allow just relaying one mail (independent of the number of rcpt) per sasl login? I perhaps could be interested in this... and I doubt if this can be done natively by postfix.

Thanks a lot.

Bye!!
Re: Relaying fails but sending is deferred instead of bouncing mail
Daniel Bromberg:
> Just to source it:
>
> [snapshot-2507] For the sake of Sendmail compatibility, the
> Postfix SMTP client skips over SMTP servers that greet with a 4XX
> or 5XX reply code, treating them as unreachable servers. To obtain
> prior behavior (4XX=retry, 5XX=bounce), specify
> "smtp_skip_4xx_greeting = no" and "smtp_skip_5xx_greeting = no".

The rationale is that some people actually expect that a 5XX reply on CONNECT means the client should connect to a backup server instead.

Keep in mind that the primary purpose of Postfix is to deliver mail, not to force people to configure the server per the RFC.

Wietse
Re: Restrict sending one mail per sasl login
On 08.04.2011 14:12, ego...@ramattack.net wrote:
> Is it possible in Postfix to allow just relaying one mail (independent
> of the number of rcpt) per sasl login?. I perhaps could interested on
> this... and I doubt if this can be done natively by postfix.

Use policyd to enforce a sender policy on SASL authenticated senders.

p@
How to disable email delivery on A record
HI All

Postfix will try to deliver email based on A record suppose the mx record is missing , so how to disable this .

I mean to say postfix should send email based on MX record only and if mx record not bound then immediately bounce the sender .

Regards,
Kshitij
Re: How to disable email delivery on A record
* kshitij mali:
> HI All
>
> Postfix will try to deliver email based on A record suppose the mx record is missing , so how to disable this.

You can't. It's part of the standard.

> I mean to say postfix should send email based on MX record only and if mx record not bound then immediately bounce the sender .

I use transport_maps for that:

    holtmail.com    error:5.1.2 You meant hotmail.com, not holtmail.com
    hotmial.com     error:5.1.2 You meant hotmail.com, not hotmial.com
    hotmail.co      error:5.1.2 You meant hotmail.com, not hotmail.co
    hotmal.com      error:5.1.2 You meant hotmail.com, not hotmal.com
    hormail.com     error:5.1.2 You meant hotmail.com, not hormail.com
    hotmil.com      error:5.1.2 You meant hotmail.com, not hotmil.com
    hotrmail.com    error:5.1.2 You meant hotmail.com, not hotrmail.com
    hotnail.com     error:5.1.2 You meant hotmail.com, not hotnail.com
    holmail.com     error:5.1.2 You meant hotmail.com, not holmail.com
    hotmsil.com     error:5.1.2 You meant hotmail.com, not hotmsil.com
    hotmali.com     error:5.1.2 You meant hotmail.com, not hotmali.com
    hotmaile.de     error:5.1.2 You meant hotmail.de, not hotmaile.de
    hotmain.com     error:5.1.2 You meant hotmail.com, not hotmain.com
    otmail.com      error:5.1.2 You meant hotmail.com, not otmail.com
    hotamil.com     error:5.1.2 You meant hotmail.com, not hotamil.com
    hotmaill.com    error:5.1.2 You meant hotmail.com, not hotmaill.com
    homail.com      error:5.1.2 You meant hotmail.com, not homail.com
    hpotmail.de     error:5.1.2 You meant hotmail.com, not hpotmail.de

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: How to disable email delivery on A record
On 08.04.2011 13:35, kshitij mali wrote:
> HI All
>
> Postfix will try to deliver email based on A record suppose the mx record is missing , so how to disable this .
>
> I mean to say postfix should send email based on MX record only and if mx record not bound then immediately bounce the sender

why do you want to make your server unreliable?

there are enough domains out there which have only an a-record and a well working MTA on this address, what you try to do results in bouncing for valid addresses
Re: How to disable email delivery on A record
On Fri, Apr 08, 2011 at 05:05:45PM +0530, kshitij mali wrote:
> HI All
>
> Postfix will try to deliver email based on A record suppose the mx record is missing , so how to disable this .
>
> I mean to say postfix should send email based on MX record only and if mx record not bound then immediately bounce the sender .

I don't think it's a good idea, it's part of the standard. We have smaller (legitimate) mail servers receiving mails having only A record. Why would I need MX record, if A is ok for me? I only set up MX records when it's needed (the DNS name itself has an A record already but MTA receiving its mail is not at the same address as A record would tell), otherwise I leave it alone with the A record only. I think there is no problem with this practice.

- Gábor
Re: postscreen -> client hangup unexpectedly -> PASS NEW ?? ..odd?
On 08/04/2011 05:29, Noel Jones wrote:
> .. [cut] ..
> postscreen tests the connection and issues a reject with a 450 "try again" code. At this point, the client has done everything postscreen requires and testing is complete.
> .. [cut] ..
> The client was well-behaved and was added to the PASS list. Looks OK to me

My error was considering client not 'well-behaving' (see Sahil reply) ..

> Consider adding some postscreen_dnsbl_sites such as zen.spamhaus.org to reject unwanted mail from sites that pass the protocol tests.

I've already done some tests with ..

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1 spamtrap.trblspam.com*1
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

..or simply..

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_sites = zen.spamhaus.org
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

But i've (obviously) noticed an high increase in dns queries (unbound local resolver) and checking my logs i've realized that about 80% of 'defer/reject' would be done by less expensive tests (not rbl dependent). Consider that at the end of my 'accept-chain' i've postfwd2 policy delegation which selectively score senders (dnsbl|greylist|throttle).

In this scenario i can speed-up well dressed dns senders, reject/defer tons of bad client with pcre and reduce dnsbl check to the rest. All this before amavis/SA ..so dns tests are 'reduced twice'.

Actually.. to me.. i think postscreen will be a superb tool to kill pregreeter but i'm not going to use its dnsbl features.

However, thanks for the hint.. ;) ..have a nice day!

Amedeo Rinaldo

--
Once you have eliminated the impossible, whatever remains, however improbable, must be the truth (Sherlock Holmes)
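The scoring implied by the postscreen_dnsbl_sites weights and postscreen_dnsbl_threshold in the message above, worked through for both quoted configurations. This is an added example, not part of the original post or of Postfix; it handles only the plain `domain*weight` form used above, and the function names are this example's own.

```python
from itertools import combinations

# Values of the two configurations quoted in the message above:
# (postscreen_dnsbl_sites, postscreen_dnsbl_threshold)
CONFIG_WEIGHTED = (
    "zen.spamhaus.org*2 bl.spamcop.net*1 "
    "b.barracudacentral.org*1 spamtrap.trblspam.com*1",
    2,
)
CONFIG_SIMPLE = ("zen.spamhaus.org", 1)


def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into {domain: weight}.

    Entries are separated by whitespace or commas; a missing '*weight'
    means weight 1. Weights may be negative (used for whitelists).
    """
    weights = {}
    for item in value.replace(",", " ").split():
        domain, star, weight = item.partition("*")
        if "=" in domain:
            # The 'domain=filter' reply-filter form is not used on this page.
            raise ValueError("reply filters (domain=filter) are outside this example")
        weights[domain.lower()] = int(weight) if star else 1
    return weights


def dnsbl_score(weights, listed_on):
    """Sum the weights of every list on which the client is listed."""
    return sum(w for domain, w in weights.items() if domain in listed_on)


def fails_dnsbl_test(weights, threshold, listed_on):
    """The threshold is an inclusive lower bound: score >= threshold blocks."""
    return dnsbl_score(weights, listed_on) >= threshold


def minimal_blocking_sets(weights, threshold):
    """Smallest combinations of listings that are enough to block a client.

    A combination is skipped when a smaller blocking combination is
    already contained in it.
    """
    found = []
    domains = sorted(weights)
    for size in range(1, len(domains) + 1):
        for combo in combinations(domains, size):
            if any(set(prev) <= set(combo) for prev in found):
                continue
            if sum(weights[d] for d in combo) >= threshold:
                found.append(combo)
    return found


if __name__ == "__main__":
    for sites, threshold in (CONFIG_WEIGHTED, CONFIG_SIMPLE):
        weights = parse_sites(sites)
        print(f"threshold={threshold} weights={weights}")
        for combo in minimal_blocking_sets(weights, threshold):
            print("  blocked when listed on:", " + ".join(combo))
```

With the weighted configuration a zen.spamhaus.org listing blocks on its own, while each weight-1 list needs a second listing to agree, so a false positive on a single weight-1 list does not reject the client.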
Re: How to disable email delivery on A record
On 08.04.2011 13:48, Gábor Lénárt wrote:
> On Fri, Apr 08, 2011 at 05:05:45PM +0530, kshitij mali wrote:
>> HI All
>>
>> Postfix will try to deliver email based on A record suppose the mx record is missing , so how to disable this .
>>
>> I mean to say postfix should send email based on MX record only and if mx record not bound then immediately bounce the sender .
>
> I don't think it's a good idea, it's part of the standard. We have smaller (legitimate) mail servers receiving mails having only A record. Why would I need MX record, if A is ok for me? I only set up MX records when it's needed (the DNS name itself has an A record already but MTA receiving its mail is not at the same address as A record would tell), otherwise I leave it alone with the A record only. I think there is no problem with this practice.

in fact you should not do this because it needs two dns-queries for the sending server every time and you set the MX only once

but yes, it is in the standard and postfix will hopefully not support such broken setup
Re: postscreen -> client hangup unexpectedly -> PASS NEW ?? ..odd?
On 08/04/2011 05:47, Sahil Tandon wrote:
> .. [cut] ..
> In certain situations, some SMTP clients do not send QUIT; this is logged as a HANGUP but not treated as a protocol test failure. Do not mistake logging of HANGUP to mean test failure.

Sahil .. that was exactly what i was missing!!

I've looked at that log lines with the eyes of person who already knew that that client is a bad spam sender .. and i've mistaken.

Thanks, have a nice day ..wow it's friday ..so week-end !! ;)

Amedeo Rinaldo

--
Once you have eliminated the impossible, whatever remains, however improbable, must be the truth (Sherlock Holmes)
Re: How to disable email delivery on A record
On Fri, Apr 08, 2011 at 01:52:29PM +0200, Reindl Harald wrote:
> > I don't think it's a good idea, it's part of the standard. We have smaller (legitimate) mail servers receiving mails having only A record. Why would I need MX record, if A is ok for me? I only set up MX records when it's needed (the DNS name itself has an A record already but MTA receiving its mail is not at the same address as A record would tell), otherwise I leave it alone with the A record only. I think there is no problem with this practice.
>
> in fact you should not do this because it needs two dns-queries for the sending server every time and you set the MX only once

Yes that's true, however we have some customers with really low-traffic mail domains but they have totally messed up DNS setup sometimes (having IP address in MX record, CNAME/MX collusion etc - and we have no control over their zones) so only in this case it's a local policy here to suggest the simplest dns setup, even if it needs an MX lookup first then for A. I would not do this with any other MTAs receiving more mails than only "some".
Re: How to disable email delivery on A record
kshitij mali:
> HI All
>
> Postfix will try to deliver email based on A record suppose the mx record is missing , so how to disable this .

This behavior is required by the Internet SMTP standard. This is not configurable.

Wietse
Re: postscreen -> client hangup unexpectedly -> PASS NEW ?? ..odd?
Amedeo Rinaldo:
> But i've (obviously) noticed an high increase in dns queries (unbound
> local resolver) and checking my logs i've realized that about 80% of
> 'defer/reject' would be done by less expensive tests (not rbl
> dependent). Consider that at the end of my 'accept-chain' i've postfwd2

Why do you believe that postscreen DNSBL lookups are expensive? They happen in parallel; there are no extra delays.

You can't compare postscreen lookup with smtpd DNSBL lookups. The lookups by smtpd happen sequentially and for one client at a time and increase the length of an SMTP session, making Postfix more vulnerable to overload problems.

With postscreen, DNSBL lookups happen in parallel and for multiple clients the same time, and making Postfix less vulnerable to overload problems.

Wietse
Re: postscreen -> client hangup unexpectedly -> PASS NEW ?? ..odd?
Amedeo Rinaldo:
> On 08/04/2011 05:47, Sahil Tandon wrote:
> > .. [cut] ..
> > In certain situations, some SMTP clients do not send QUIT; this is logged as a HANGUP but not treated as a protocol test failure. Do not mistake logging of HANGUP to mean test failure.
>
> Sahil .. that was exactly what i was missing!!
> I've looked at that log lines with the eyes of person who already knew that that client is a bad spam sender .. and i've mistaken.

I have added a note to the POSTSCREEN_README to clarify this. Although the README discusses HANGUP in the section "Other errors", this is an error without punishment.

Wietse
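The log reading discussed in this sub-thread (HANGUP is logged but is not a test failure, so a client can hang up and still be logged as PASS NEW), as a small triage script. This is an added example, not code from the thread or from Postfix; the log lines are constructed sample input and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed postscreen(8) log lines using documentation address ranges;
# sample input for this example, not lines taken from the thread.
SAMPLE_LINES = r"""
Apr  8 05:01:10 mx postfix/postscreen[2101]: CONNECT from [192.0.2.10]:41022 to [198.51.100.1]:25
Apr  8 05:01:16 mx postfix/postscreen[2101]: NOQUEUE: reject: RCPT from [192.0.2.10]:41022: 450 4.3.2 Service currently unavailable; from=<a@example.org>, to=<b@example.net>, proto=ESMTP, helo=<mail.example.org>
Apr  8 05:01:16 mx postfix/postscreen[2101]: HANGUP after 0.4 from [192.0.2.10]:41022 in tests after SMTP handshake
Apr  8 05:01:16 mx postfix/postscreen[2101]: PASS NEW [192.0.2.10]:41022
Apr  8 05:02:00 mx postfix/postscreen[2101]: CONNECT from [203.0.113.7]:50111 to [198.51.100.1]:25
Apr  8 05:02:00 mx postfix/postscreen[2101]: PREGREET 20 after 0.05 from [203.0.113.7]:50111: EHLO spam.example\r\n
Apr  8 05:02:00 mx postfix/postscreen[2101]: HANGUP after 0.06 from [203.0.113.7]:50111 in tests before SMTP handshake
Apr  8 05:03:30 mx postfix/postscreen[2101]: CONNECT from [203.0.113.99]:33000 to [198.51.100.1]:25
Apr  8 05:03:36 mx postfix/postscreen[2101]: DNSBL rank 2 for [203.0.113.99]:33000
Apr  8 05:03:37 mx postfix/postscreen[2101]: DISCONNECT [203.0.113.99]:33000
Apr  8 05:04:00 mx postfix/postscreen[2101]: CONNECT from [198.51.100.77]:2222 to [198.51.100.1]:25
Apr  8 05:04:01 mx postfix/postscreen[2101]: HANGUP after 1.2 from [198.51.100.77]:2222 in tests before SMTP handshake
""".strip().splitlines()

# Event keyword directly after the syslog tag, then the first [address]:port,
# which is the client. NOQUEUE reject lines are skipped on purpose: they are
# the consequence of a test result that is logged on its own line.
EVENT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT from|PREGREET|DNSBL rank|HANGUP|PASS NEW|PASS OLD|"
    r"COMMAND PIPELINING|NON-SMTP COMMAND|BARE NEWLINE|DISCONNECT)"
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+"
)

# Events that record a failed postscreen test.
FAILURES = {"PREGREET", "DNSBL rank", "COMMAND PIPELINING",
            "NON-SMTP COMMAND", "BARE NEWLINE"}
# Events that record a client passing all enabled tests.
PASSES = {"PASS NEW", "PASS OLD"}


def classify(lines):
    """Return {client_ip: {"verdict", "failed_tests", "hangup"}}.

    HANGUP only sets the informational "hangup" flag; it never changes
    the verdict.
    """
    events = defaultdict(list)
    for line in lines:
        match = EVENT_RE.search(line)
        if match:
            events[match.group("ip")].append(match.group("event"))

    report = {}
    for ip, seen in events.items():
        failed = sorted(FAILURES.intersection(seen))
        if failed:
            verdict = "failed"
        elif PASSES.intersection(seen):
            verdict = "passed"
        else:
            verdict = "incomplete"  # disconnected before the tests finished
        report[ip] = {
            "verdict": verdict,
            "failed_tests": failed,
            "hangup": "HANGUP" in seen,
        }
    return report


def hangups_without_failure(report):
    """Clients that hung up but failed no test: not evidence of abuse alone."""
    return sorted(ip for ip, r in report.items()
                  if r["hangup"] and not r["failed_tests"])


if __name__ == "__main__":
    result = classify(SAMPLE_LINES)
    for ip, info in result.items():
        print(ip, info)
    print("hangup but no failed test:", hangups_without_failure(result))
```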
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of jeremy.als...@imap-mail.com
>
> Hi Victor.
>
> On Fri, 08 Apr 2011 00:59 -0400, "Victor Duchovni" wrote:
> > Start simple, and add features gradually. There is a steep learning curve for a novice to deploy a complex production system with no prior experience.
>
> It sure feels pretty steep already. I guess I'm glad I'm not just imagining things.
>
> I'm pretty sure I want to stick with the single Instance setup. Like you said, for now at the least.
>
> I found a pretty good example, Spamassassin + ClamAV + Postfix WITHOUT Amavis (Debian)
> http://www.xtarutaru.com/2009/04/16/spamassassin-clamav-postfix-without-amavis-debian/
> that along with Daniel's comments that's helping me to make sense of this a bit better.

There's a ton of howtos out there - I'm sure you can find one that suits all your needs. The nice thing about this one is that it'll keep you on the track you've been advised on - i.e. keeping things simple and adding features as you go.

I would recommend using amavis for your spam and virus checking though. The Howto you're looking at specifically doesn't use it because of resource constraints on the host. However, it sounds like you don't have that constraint.

> I'm still going to read through some more of those Multiple Instance examples so maybe I can get some idea which road to point myself down for later.
>
> If I do any of the Multiple Instance setup is there a good Document that tells what configuration goes into what file? Does configuration flow down from the 1st one you setup ? So that PostScreen configuration, which looks to do some of the work I want done, goes into which config file?

Personally, I don't think you need multiple instances. If the book you got was The Book of Postfix, then it was written by contributors to this list - and you can't go wrong.

Setting up my own mail server to handle mail for multiple domains with spam and virus checking is one of the most worthwhile and fun things I've ever done. I really want to encourage you to stay on the learning curve you've chosen. I've been successfully blocking up to 98% of traffic (when the Rustock botnet was running) using a very simple set up but my false negatives are almost non-existent and my false positives are very low.

I'm sure there are more valid opinions but my advice for what it's worth is:

. Set up postfix to receive and send mail securely (i.e. don't be an open-relay!)
. Get your delivery agent set up (Courier/Dovecot) and working
. Implement some sort of sender authentication e.g. SASL - though it will depend on your choices above) even if your users will only send mail to the server from inside the network
. Some sort of log reporting (pflogsumm/postfix-logwatch) working
. Add in the postfix's native spam controls, limiting and checks
. Then look at content filtering (spam, virus and other objectionable content) - as you've already learnt this can be handed off to a different server/service, even if they're on the same host
. Then look at more advanced controls like grey-listing and postscreen

If in doubt, ask and remember that most defaults are there for a reason. Consider the implications before changing them (but some will need to be changed to suit your set-up).

Have fun.
DSN virus
Hi!

In my Postfix (2.8.2), I want to send DSN when Amavisd-new (2.6.4) finds a virus. Below is the log.

Apr 8 10:17:35 SERVER amavis[12988]: (12988-09) Blocked INFECTED (Eicar-Test-Signature), [XXX.XXX.XXX.XXX] [XXX.XXX.XXX.XXX] -> , quarantine: virus-1rFPr7cPzGAO, Message-ID: <1302268654.16516.6.camel@rodrigo>, mail_id: 1rFPr7cPzGAO, Hits: -, size: 1146, 101 ms
Apr 8 10:17:35 SERVER postfix/lmtp[8920]: E818C3EF80B5: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.16, delays=0.05/0/0/0.1, dsn=2.5.0, status=sent (250 2.5.0 Ok , DSN suppressed (554 5.7.0 Reject, id=12988-09 - INFECTED: Eicar-Test-Signature))

As you can see, the sender (me, in this case) doesn't receive the message saying that he sent a virus.

How can I configure this?

Regards,
Rodrigo.

--
M. Rodrigo Monteiro
"Free as in Freedom, not free as in free beer"
"As we are liberated from our own fear, our presence automatically liberates others"
Linux User # 403730
Re: DSN virus
On 4/8/2011 9:31 AM, M. Rodrigo Monteiro wrote:
> Hi!
>
> In my Postfix (2.8.2), I want to send DSN when Amavisd-new (2.6.4) find a virus. Below is the log.
>
> Apr 8 10:17:35 SERVER amavis[12988]: (12988-09) Blocked INFECTED (Eicar-Test-Signature), [XXX.XXX.XXX.XXX] [XXX.XXX.XXX.XXX] -> , quarantine: virus-1rFPr7cPzGAO, Message-ID: <1302268654.16516.6.camel@rodrigo>, mail_id: 1rFPr7cPzGAO, Hits: -, size: 1146, 101 ms
> Apr 8 10:17:35 SERVER postfix/lmtp[8920]: E818C3EF80B5: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.16, delays=0.05/0/0/0.1, dsn=2.5.0, status=sent (250 2.5.0 Ok , DSN suppressed (554 5.7.0 Reject, id=12988-09 - INFECTED: Eicar-Test-Signature))
>
> As you can see, the sender (me, in this case) don't receive the message saying that he sent a virus.
>
> How can I configure this?
>
> Regards,
> Rodrigo.

Rodrigo,

amavisd-new would control that notification, not postfix.

-Matt
Re: DSN virus
On Fri, Apr 08, 2011 at 10:31:02AM -0300, M. Rodrigo Monteiro wrote:
> Hi!
>
> In my Postfix (2.8.2), I want to send DSN when Amavisd-new (2.6.4) find a virus. Below is the log.

You don't want to generate "your mail was infected" notices to the sender, these are a terrible idea. Infected email predominantly has a forged sender. You will be spamming innocent victims of forgery, and sane sites may take punitive actions with respect to your MTA.

--
Viktor.
Re: DSN virus
M. Rodrigo Monteiro:
> Hi!
>
> In my Postfix (2.8.2), I want to send DSN when Amavisd-new (2.6.4) find a virus. Below is the log.

You will be blacklisted, because you will be sending mail to innocent people whose email address was mis-used by a worm or spammer.

http://www.postfix.org/BACKSCATTER_README.html

Wietse
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
Simon Brereton put forth on 4/8/2011 8:19 AM:
> . Add in the postfix's native spam controls, limiting and checks

In this regard, try this out in your initial setup. A brief description and instructions are at the top of the file. It's very easy to implement--one line in main.cf. It will stop most bot spam in lieu of Postscreen, and may stop some spam that Postscreen doesn't. Myself and others here use it with good results. The rare FP will be folks sending you legit mail from MTAs behind consumer broadband IPs.

http://www.hardwarefreak.com/fqrdns.pcre

Now would be a good time to look into the "everything under smtpd_recipient_restrictions" main.cf style. This is the currently preferred main.cf layout for most setups. Makes things easier on you, the OP.

> . Then look at content filtering (spam, virus and other objectionable content)

I'd probably reverse the order or priority of these last two.

> . Then look at more advanced controls like grey-listing and postscreen

I'd avoid greylisting at all costs unless all other anti bot spam countermeasures fail. With the combination of fqrdns.pcre, postscreen, and the right dnsbls, you shouldn't need greylisting. And all of these combined checks will still be much faster and far less resource intensive than greylisting.

--
Stan
RE: DSN virus
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
> Sent: Friday, April 08, 2011 3:38 PM
> To: M. Rodrigo Monteiro
> Cc: postfix-users@postfix.org
> Subject: Re: DSN virus
>
> On Fri, Apr 08, 2011 at 10:31:02AM -0300, M. Rodrigo Monteiro wrote:
> > Hi!
> >
> > In my Postfix (2.8.2), I want to send DSN when Amavisd-new (2.6.4) find a virus. Below is the log.
>
> You don't want to generate "your mail was infected" notices to the sender, these are a terrible idea. Infected email predominantly has a forged sender. You will be spamming innocent victims of forgery, and sane sites may take punitive actions with respect to your MTA.
>
> --
> Viktor.

The only way is with pre-queue filtering then the delivery Server becomes the Message back

Kind regards

Drießen

--
Software & Computer
Uwe Drießen
Lembergstraße 33
67824 Feilbingert
Tel.: +49 06708 / 660045 Fax: +49 06708 / 661397
Re: postscreen -> client hangup unexpectedly -> PASS NEW ?? ..odd?
Amedeo Rinaldo:
> On 08/04/2011 14:27, Wietse Venema wrote:
> > Amedeo Rinaldo:
> >> But i've (obviously) noticed an high increase in dns queries (unbound local resolver) and checking my logs i've realized that about 80% of 'defer/reject' would be done by less expensive tests (not rbl dependent). Consider that at the end of my 'accept-chain' i've postfwd2
> >
> > Why do you believe that postscreen DNSBL lookups are expensive? They happen in parallel; there are no extra delays.
>
> Wietse, i don't really believe 'postscreen DNSBL lookups are expensive' ..i believe 'DNSBL lookups are expensive' ;) when i can reduce them (e.g. with the use of well tested PCRE tables.. or selective graylist).
> In the scenario when the client will be rejected by pcre or anyway selectively graylisted (and i obviously hope that bad client 'only-1_hit-graylisted' will never came back) ..you know.. no further dns/dnsbl checks are needed.

postscreen changes the calculation of "cost".

First, postscreen keeps a cache. When a client passes DNSBL tests once, it won't generate any postscreen DNSBL lookups for an hour or so (or whatever postscreen_dnsbl_ttl value is configured). When some stranger connects, they have to wait for pregreet tests anyway, so DNSBL lookups won't hurt performance-wise.

Second, PCRE and content inspection mechanisms consume CPU time which increases the length of an SMTP session, meaning you can handle less mail per unit of time. This is an issue for people with large PCRE tables or content inspection mechanisms. CIDR performance is comparably good, though it can be improved.

All this does not mean that postscreen solves all problems, but the local "cost" of DNSBL lookup is negligible compared with all the work that Postfix must do once a session is given to an SMTP server process, especially when you get into things such as greylisting and other plugins.

Wietse
Re: Restrict sending one mail per sasl login
On Fri, 08 Apr 2011 13:33:44 +0200, Patrick Ben Koetter wrote:
> On 08.04.2011 14:12, ego...@ramattack.net wrote:
>> Is it possible in Postfix to allow just relaying one mail (independent of the number of rcpt) per sasl login?. I perhaps could interested on this... and I doubt if this can be done natively by postfix.
>
> Use policyd to enforce a sender policy on SASL authenticated senders.
>
> p@

Hi,

thanks for your answer, I know policyd... but in Postfix policy api there's no field in which you can see mails sent the same time you logged in... so Policyd is not able to do that...

thanks a lot.

Bye!
qmgr warning
Apr 8 10:10:30 atlbl6 postfix/qmgr[11959]: warning: connect to transport private/retry: Connection refused

This is a new postfix server
Version: 2.7.2-12.3
opensuse 11.4

Where would I begin to troubleshoot this?

RCR
Re: qmgr warning
* Randy Ramsdell:
> Apr 8 10:10:30 atlbl6 postfix/qmgr[11959]: warning: connect to transport private/retry: Connection refused

grep retry /etc/postfix/master.cf

what do you see?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: qmgr warning
* Ralf Hildebrandt:
> * Randy Ramsdell:
> > Apr 8 10:10:30 atlbl6 postfix/qmgr[11959]: warning: connect to transport private/retry: Connection refused
>
> grep retry /etc/postfix/master.cf
>
> what do you see?

# grep retry /etc/postfix/master.cf
retry     unix  -       -       -       -       -       error

should be the result

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: DSN virus
Hi!

Thanks for all of your replies.

Regards,
Rodrigo.

--
M. Rodrigo Monteiro
"Free as in Freedom, not free as in free beer"
"As we are liberated from our own fear, our presence automatically liberates others"
Linux User # 403730
Re: qmgr warning
Ralf Hildebrandt wrote:
> * Ralf Hildebrandt:
>> * Randy Ramsdell:
>>> Apr 8 10:10:30 atlbl6 postfix/qmgr[11959]: warning: connect to transport private/retry: Connection refused
>> grep retry /etc/postfix/master.cf
>>
>> what do you see?
>
> # grep retry /etc/postfix/master.cf
> retry     unix  -       -       -       -       -       error
> should be the result

Thanks. That was it. It appears the upgrade dealing with the config files were not complete.
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
Hi Simon and Stan.

On Fri, 08 Apr 2011 15:19 +0200, "Simon Brereton" wrote:
> There's a ton of howtos out there - I'm sure you can find one that suits all your needs. The nice thing about this one is that it'll keep you on the track you've been advised on - i.e. keeping things simple and adding features as you go.

I'm a big believer in learning what to do by learning what not to do, too. I've read enough comments that say Multiple Instance can simplify things, I'd really like to find just one complete example of configuration files for a simple Multiple Instance setup. Something that does "Accepting Server with SSL Certificates + Content Filter + Delivering Server" would be real nice. Looking at one screw at a time isn't helping me figure out how to build my first tractor.

> I would recommend using amavis for your spam and virus checking though.

I looked at that amavis configuration. That's more meat than I want to chew. And i don't see what it does for me better, faster or cheaper. Like everyone keeps suggesting, I think keeping it as simple as I can is a good thing for me.

> Personally, I don't think you need multiple instances.

I'm getting pretty clear that you can do it all lots of different ways, and you don't really need any single bit. Just about making smart choices. Mine will likely be different than the next fella's.

> If the book you got was The Book of Postfix

That's the one. UPS says Monday or Tuesday.

> If in doubt, ask and remember that most defaults are there for a reason. Consider the implications before changing them (but some will need to be changed to suit your set-up).

I see how the defaults are set up, and how you override them as required in main.cf and master.cf files. I still want to see an example of how you do that when you have 2 main.cf and 2 master.cf files. What goes where? These SSL certificates we have need to be plugged into the configuration files.

If I do the simple two instance example, do I have to put them in both sets of configuration files? That seems kind of silly to me. I'd think one's the main source for all the config information, and the other inherits or overrides. But I asked about that a bit earlier and I think Daniel said,

> From these questions your conceptual framework is wrong. Avoid forming bad mental frameworks that have to be torn down later. Let the advanced stuff be a pleasant fuzz.

Honestly I'm not real sure what that means. Thought I'd try to figure it out some.

On Fri, 08 Apr 2011 08:55 -0500, "Stan Hoeppner" wrote:
> http://www.hardwarefreak.com/fqrdns.pcre

That's more than 1500 lines of repetitive looking stuff. Although I think it's mainly to do with "answering nicely", feels like a whistle or bell right now.

> Now would be a good time to look into the "everything under smtpd_recipient_restrictions" main.cf style. This is the currently preferred main.cf layout for most setups. Makes things easier on you, the OP.

Sounds like good advice. I keep bumping into that in online how-to articles. The book looks like it's got something to say about it too.

> > . Then look at content filtering (spam, virus and other objectionable content)
>
> I'd probably reverse the order or priority of these last two.

I'm not clear on what you mean. Isn't the idea of sending mail from PostFix through something like Spam Assassin to deal with "objectionable content"?

> > . Then look at more advanced controls like grey-listing and postscreen

Grey-listing I don't know anything about yet. You call postscreen "advanced". Other folks keep saying do it later, too. When I read its documentation, it sure seems like it's the newest, simplest way I've seen to use blocking lists like Spamhaus and Barracuda. If I don't use postscreen, I don't see how I use those lists. Did I miss something else?

Thanks to you both.

Jeremy Alsten
Re: qmgr warning
Randy Ramsdell:
> Ralf Hildebrandt wrote:
> > * Ralf Hildebrandt:
> >> * Randy Ramsdell:
> >>> Apr 8 10:10:30 atlbl6 postfix/qmgr[11959]: warning: connect to transport private/retry: Connection refused
> >> grep retry /etc/postfix/master.cf
> >>
> >> what do you see?
> >
> > # grep retry /etc/postfix/master.cf
> > retry     unix  -       -       -       -       -       error
> > should be the result
>
> Thanks. That was it. It appears the upgrade dealing with the config files were not complete.

I recommend that you use "postfix upgrade-configuration set-permissions" just to be sure that there are no more surprises later.

Wietse
Re: postscreen -> client hangup unexpectedly -> PASS NEW ?? ..odd?
On 08/04/2011 16:06, Wietse Venema wrote:
> .. [cut] ..
> postscreen changes the calculation of "cost".
> .. [cut] ..

Really interesting point of view, i need to spend more time on it.

About resource consuming .. i have to check/match my resource/snmp monitoring to better evaluate. I'm now using few (and quite light resource consuming) pcre rules and they kill about 60-80% of potential dnsbl-ed senders. I've given a rapid sight at system graphics now and during the 2 days of my postscreen dnsbl tests i've noticed more dns look-up and cpus resources pretty unchanged ..

But consider the system flow has not been altered to well integrate postscreen (only a rapid test); so i'm sure you are right when you say "postscreen changes the calculation of costs" !

Have someone already done fine check resource consumption comparisons? I'm going to play more with ..

Bye and have a good weekend!

Amedeo Rinaldo

--
Once you have eliminated the impossible, whatever remains, however improbable, must be the truth (Sherlock Holmes)
Re: postscreen -> client hangup unexpectedly -> PASS NEW ?? ..odd?
Amedeo Rinaldo:
> On 08/04/2011 16:06, Wietse Venema wrote:
> >> .. [cut] ..
> > postscreen changes the calculation of "cost".
> >.. [cut] ..
>
> Really interesting point of view, I need to spend more time on it.
>
> About resource consuming .. I have to check/match my resource/snmp
> monitoring to better evaluate. I'm now using few (and quite light
> resource consuming) pcre rules and they kill about 60-80% of potential
> dnsbl-ed senders. I've given a rapid sight at system graphics now and
> during the 2 days of my postscreen dnsbl tests I've noticed more dns
> look-up and cpus resources pretty unchanged ..

Postfix uses little CPU, so that is not necessarily a good metric. A better base for comparisons is "latency", the time to complete operations including (especially) network read and writes.

Smtpd processes work on one thing at a time, which maximizes latency. Postscreen works on things in parallel, which reduces latency. This is possible because postscreen does only simple things.

> But consider the system flow has not been altered to well integrate
> postscreen (only a rapid test); so I'm sure you are right when you say
> "postscreen changes the calculation of costs" !
>
> Has someone already done fine check resource consumption comparisons?
> I'm going to play more with ..
>
> Bye and have a good weekend!

Enjoy the weekend.

Wietse
Re: Restrict sending one mail per sasl login
On 4/8/2011 10:42 AM, ego...@ramattack.net wrote:
> On Fri, 08 Apr 2011 13:33:44 +0200, Patrick Ben Koetter wrote:
> > On 08.04.2011 14:12, ego...@ramattack.net wrote:
> > > Is it possible in Postfix to allow just relaying one mail (independent of the number of rcpt) per sasl login? I could perhaps be interested in this... and I doubt if this can be done natively by postfix.
> >
> > Use policyd to enforce a sender policy on SASL authenticated senders.
> >
> > p@
>
> Hi, thanks for your answer, I know policyd... but in the Postfix policy API there's no field in which you can see mails sent the same time you logged in... so Policyd is not able to do that... thanks a lot.
>
> Bye!

You mean preventing connection reuse by an authorized client? This might be possible, but why would it be useful?

-- Noel Jones
mysql lookup on another host performance q?
I have a small*1 Postfix server with virtual users/domains in MySQL on same host

service is now being transferred to a new machine, with postfix on one host, mysql on another host

I've set it up like so with 'proxy:mysql'*2 to the mysql machine :

seems to work OK, but I'm concerned about possible performance or other issue with the mysql on another host

any suggestions on such appreciated

---
virtual_transport = virtual
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf

*small like so:
Per-Day Traffic Summary
---
date          received  delivered  deferred  bounced  rejected
Apr 4 2011        2411       2975        61       13      1290
Apr 5 2011        2707       3400       111       11      1347
Apr 6 2011        2681       3440       106        6      1373

-- Voytek
Re: mysql lookup on another host performance q?
On 09.04.2011 00:04, Voytek Eymont wrote:
> I have a small*1 Postfix server with virtual users/domains in MySQL on
> same host
>
> service is now being transferred to a new machine, with postfix on one
> host, mysql on another host
>
> I've set it up like so with 'proxy:mysql'*2 to the mysql machine :
>
> seems to work OK, but I'm concerned about possible performance or other
> issue with the mysql on another host
>
> any suggestions on such appreciated
>
> ---
> virtual_transport = virtual
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_mailbox_base = /var/mail/vhosts
> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
>
> *small like so:
> Per-Day Traffic Summary
> ---
> date          received  delivered  deferred  bounced  rejected
> Apr 4 2011        2411       2975        61       13      1290
> Apr 5 2011        2707       3400       111       11      1347
> Apr 6 2011        2681       3440       106        6      1373

these are so few mails for postfix that speed does not matter :-)

mysql on a remote-host can be much slower but should not be a problem unless you have real high traffic
Re: mysql lookup on another host performance q?
I agree, you are already using proxying so that should help. If you have heavy load you can look into mysql tuning (on db server). But as is you should be fine.

Aly

-Original Message-
From: Reindl Harald
Sender: owner-postfix-us...@postfix.org
Date: Sat, 09 Apr 2011 00:11:23
To:
Subject: Re: mysql lookup on another host performance q?

On 09.04.2011 00:04, Voytek Eymont wrote:
> I have a small*1 Postfix server with virtual users/domains in MySQL on
> same host
>
> service is now being transferred to a new machine, with postfix on one
> host, mysql on another host
>
> I've set it up like so with 'proxy:mysql'*2 to the mysql machine :
>
> seems to work OK, but I'm concerned about possible performance or other
> issue with the mysql on another host
>
> any suggestions on such appreciated
>
> ---
> virtual_transport = virtual
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_mailbox_base = /var/mail/vhosts
> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
>
> *small like so:
> Per-Day Traffic Summary
> ---
> date          received  delivered  deferred  bounced  rejected
> Apr 4 2011        2411       2975        61       13      1290
> Apr 5 2011        2707       3400       111       11      1347
> Apr 6 2011        2681       3440       106        6      1373

these are so few mails for postfix that speed does not matter :-)

mysql on a remote-host can be much slower but should not be a problem unless you have real high traffic
Minor typo in documentation
Hello,

In http://www.postfix.org/postconf.5.html#smtp_sasl_auth_cache_name the fourth sentence is:

As long as the smtp_sasl_password_maps information does no change...

That should be:

As long as the smtp_sasl_password_maps information does not change,

(s/no/not)
Performance or delivery problems caused by "sleep"?
Hello,

I'm thinking about trying the example suggested in the documentation for "sleep":

/etc/postfix/main.cf:
    smtpd_client_restrictions =
        sleep 1, reject_unauth_pipelining
    smtpd_delay_reject = no

In general, I try to order smtpd_*_restrictions with the least costly first, so this would be an exception. Has "sleep" shown to be:

* effective?
* cause performance issues?
* cause any delivery problems?

Or is this merely a poor-man's greylisting? Am I better off with a policy server that can selectively implement a greylisting delay?

On a related note, is there any reason this example adds "reject_unauth_pipelining" after "sleep"? Is using "sleep" alone with nothing else OK? I'm using version 2.3.3, and the docs say "reject_unauth_pipelining" is only recommended in smtpd_data_restrictions for older versions (but doesn't say why or if it will hurt to have it anywhere else).

Thank you.
Restricting ETRN?
Hello,

I'm concerned about having ETRN wide open. I am not very familiar with ETRN and have no use for it in our environment. It seems harmless, but if most of one's recipient/sender/client/helo/etc. restrictions are in places they won't be seen by someone trying to fiddle maliciously with ETRN, is it better to put something in smtpd_etrn_restrictions?

Maybe:

    smtpd_etrn_restrictions = permit_mynetworks, reject

Or even:

    smtpd_etrn_restrictions = reject

Or does the smtpd_junk_command_limit take care of this concern?

Thanks.
Re: Performance or delivery problems caused by "sleep"?
email builder put forth on 4/8/2011 10:14 PM:
> Hello,
>
> I'm thinking about trying the example suggested in the documentation for
> "sleep":
>
> /etc/postfix/main.cf:
>     smtpd_client_restrictions =
>         sleep 1, reject_unauth_pipelining
>     smtpd_delay_reject = no

To achieve what goal? Stopping bot spam? There are much better methods available today.

> In general, I try to order smtpd_*_restrictions with the least costly first, so

Good habit.

> this would be an exception. Has "sleep" shown to be:
>
> * effective?
> * cause performance issues?
> * cause any delivery problems?

AIUI, this will delay every smtpd connection by 1 second. Since each smtpd process can only process one transaction at a time, on a busy server you'll end up with lots of smtpd processes eating resources, and possibly mail delays if you reach the process limit of 100--incoming connections must wait for an smtpd to become available.

As to the effectiveness of sleep in combating bot spam, I have no idea as I've never tried it.

> Or is this merely a poor-man's greylisting?

In essence, yes.

> Am I better off with a policy
> server that can selectively implement a greylisting delay?

No, you're better off using postscreen and/or http://www.hardwarefreak.com/fqrdns.pcre instead of greylisting, which has its own set of performance and resource problems.

> I'm using version 2.3.3

You *need* to upgrade. 2.3.3 is ancient and no longer supported. You need 2.8 to get access to postscreen. fqrdns.pcre will work with any version containing pcre support. I'm making an educated guess that you're using CentOS 5.5. I believe the following is a binary rpm for rhel5 x86-64 (CentOS 5), which should be the package you need assuming you're running 64bit CentOS.

http://ftp.wl0.org/official/2.8/RPMS-rhel5-x86_64/postfix-2.8.2-1.rhel5.x86_64.rpm

This rpm is labeled "experimental" by Simon likely simply because it hasn't seen wide use yet. If you want 2.8 and postscreen, this is likely the quickest way to get there.

Or you can download the source from postfix.org and build it yourself.

-- Stan
Re: Restricting ETRN?
email builder put forth on 4/8/2011 10:18 PM:
> I'm concerned about having ETRN wide open. I am not very familiar with ETRN and
> have no use for it in our environment. It seems harmless, but if most of one's
> recipient/sender/client/helo/etc. restrictions are in places they won't be seen
> by someone trying to fiddle maliciously with ETRN, is it better to put something
> in smtpd_etrn_restrictions?

http://www.postfix.org/ETRN_README.html
http://www.postfix.org/postconf.5.html#authorized_flush_users

-- Stan
Re: Restricting ETRN?
> > I'm concerned about having ETRN wide open. I am not very familiar with ETRN and
> > have no use for it in our environment. It seems harmless, but if most of one's
> > recipient/sender/client/helo/etc. restrictions are in places they won't be seen
> > by someone trying to fiddle maliciously with ETRN, is it better to put something
> > in smtpd_etrn_restrictions?
>
> http://www.postfix.org/ETRN_README.html
> http://www.postfix.org/postconf.5.html#authorized_flush_users

I confess to only having skimmed ETRN_README, because it's not something we make use of. I may have missed it, but that document doesn't seem to talk much about the implications of its access to the outside. I was concerned because my tests seem to show that by default it is allowable by anyone (and indeed, authorized_flush_users's default is "anyone").

Are you suggesting changing authorized_flush_users to an empty value? What's wrong with the examples I gave? Or is this of no concern and/or does the junk command limit take care of it?
Re: Performance or delivery problems caused by "sleep"?
On 4/8/2011 10:14 PM, email builder wrote:
> Hello,
>
> I'm thinking about trying the example suggested in the documentation for "sleep":
>
> /etc/postfix/main.cf:
>     smtpd_client_restrictions =
>         sleep 1, reject_unauth_pipelining
>     smtpd_delay_reject = no
>
> In general, I try to order smtpd_*_restrictions with the least costly first, so
> this would be an exception. Has "sleep" shown to be:
>
> * effective?

Not particularly. The sleep command was an early attempt to reject bots that start talking before it's their turn. The idea is:

sleep 1 (don't say anything for a while - pick up the phone without saying hello)
reject_unauth_pipelining (if the caller starts talking before we greet them, they are a bot/recording so hang up)

Problems with sleep (ie. good reasons to not use it):
- not many bots fall for the trick.
- requires "smtpd_delay_reject = no" which can create other issues with logging and restriction flow, particularly for casual postfix users.
- penalizes every client on every connection
- ties up a valuable smtpd process with doing nothing.

The postscreen feature in postfix 2.8 eliminates those problems, and adds other features not possible/practical in the regular smtpd listener.

Your best choice is to upgrade to current postfix. If you can't do that, a greylist policy service is probably the next best thing.

> On a related note, is there any reason this example adds
> "reject_unauth_pipelining" after "sleep"?

The reject_unauth_pipelining is what causes the bad clients to be rejected.

> Is using "sleep" alone with nothing else OK?

Using sleep by itself won't break anything, but it doesn't do anything except slow everything down.

Slowing the server down gives no benefit, and in the case of a server that's close to overload, could push it over the edge.

> I'm using version 2.3.3, and the docs say "reject_unauth_pipelining"
> is only recommended in smtpd_data_restrictions for older versions (but doesn't
> say why or if it will hurt to have it anywhere else).

You should really upgrade. The final update for the postfix 2.3 series before EOL was 2.3.19 in Aug 2009.

If 2.3.3 is the best your vendor can provide, you should complain strongly.

In older postfix versions with recommended default smtpd_delay_reject = yes, the reject_unauth_pipelining restriction is only effective in smtpd_data_restrictions. It doesn't hurt anything if used in other sections, it just doesn't do anything. That's also why the example shows setting smtpd_delay_reject = no.

-- Noel Jones
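The two points made in this thread (stay silent and reject any client that talks before the greeting, and do that for many clients in parallel rather than one per process) can be sketched in a few lines. This is an added example, not Postfix code and not part of the original messages; the function names, the 0.3 s wait, the reply strings and the in-process clients are all assumptions made for illustration.

```python
import select
import socket
import time

GREETING = b"220 mail.example.com ESMTP\r\n"  # constructed banner
REJECT = b"521 5.5.1 Protocol error\r\n"      # constructed rejection text


def screen_many(conns, wait=0.3):
    """Screen all connections in ONE process during a shared silent period.

    conns maps a label to a connected socket. A client that sends anything
    before the greeting is speaking out of turn and is rejected; clients
    that stay quiet until the deadline get the greeting.
    Returns {label: (verdict, early_bytes)}.
    """
    by_sock = {sock: label for label, sock in conns.items()}
    pending = set(by_sock)
    verdicts = {}
    deadline = time.monotonic() + wait
    while pending:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        readable, _, _ = select.select(list(pending), [], [], remaining)
        for sock in readable:
            early = sock.recv(512)
            if early:
                # Commands arrived before we greeted: unauthorized pipelining.
                sock.sendall(REJECT)
                verdicts[by_sock[sock]] = ("reject", early)
            else:
                # Peer closed the connection during the silent period.
                verdicts[by_sock[sock]] = ("hangup", b"")
            pending.discard(sock)
    for sock in pending:
        # Waited for its turn: greet and hand over to the real SMTP server.
        sock.sendall(GREETING)
        verdicts[by_sock[sock]] = ("greet", b"")
    return verdicts


def demo():
    """Constructed clients: two wait for the banner, one talks immediately."""
    labels = ["patient-1", "patient-2", "eager-bot"]
    pairs = {label: socket.socketpair() for label in labels}
    server_side = {label: pair[0] for label, pair in pairs.items()}
    client_side = {label: pair[1] for label, pair in pairs.items()}
    client_side["eager-bot"].sendall(b"HELO bot\r\nMAIL FROM:<a@example.com>\r\n")

    start = time.monotonic()
    verdicts = screen_many(server_side, wait=0.3)
    elapsed = time.monotonic() - start  # about 0.3 s in total, not 0.3 s per client

    replies = {}
    for label, sock in client_side.items():
        sock.settimeout(2)
        replies[label] = sock.recv(512)
    for server_sock, client_sock in pairs.values():
        server_sock.close()
        client_sock.close()
    return verdicts, replies, elapsed


if __name__ == "__main__":
    verdicts, replies, elapsed = demo()
    for label, (verdict, early) in sorted(verdicts.items()):
        print(f"{label:10} {verdict:7} early={early!r} reply={replies[label]!r}")
    print(f"screened {len(verdicts)} clients in {elapsed:.2f}s")
```

With `sleep 1` in smtpd the same silent period would occupy one smtpd process per client for the whole second; here all three clients share one wait in a single process.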
Address Rewrite Problem
Hi,

We are running Postfix with virtual domains. I need some address rewriting for incoming and outgoing emails, and using canonical maps we have done this task:

--- main.cf config:
sender_canonical_maps = hash:/etc/postfix/canonical-sender
recipient_canonical_maps = hash:/etc/postfix/canonical-rcpt

--- canonical-sender:
@example.com    @example.net

--- canonical-rcpt
@example.info   @example.net

We have an Exchange for our local emails and Exchange uses Postfix as smarthost. Address rewriting is working properly for emails from Exchange to the outside network, but for emails from Exchange to Postfix virtually hosted domains or Postfix local mailboxes the rules don't take effect!

Could somebody please help me?

Thanks in anticipation.

Nasser
Re: Performance or delivery problems caused by "sleep"?
On 4/8/2011 10:57 PM, Stan Hoeppner wrote:
> email builder put forth on 4/8/2011 10:14 PM:
>> Or is this merely a poor-man's greylisting?
>
> In essence, yes.

No, not at all.

Greylisting breaks the connection and forces the client to reconnect after a cool-down period before accepting mail. Greylisting has been quite effective against spambots, but at the price of delaying mail from legit clients. Just about all greylist implementations have some sort of auto-whitelist function to not penalize proven good clients.

The sleep restriction only delays postfix responses, does not break the connection, and even when first invented was not particularly effective against bots. I expect it's even less effective now, but I don't know anyone that's tried it lately.

-- Noel Jones
Re: Restricting ETRN?
On 4/8/2011 11:29 PM, email builder wrote:
> Or is this of no concern and/or does the junk command limit take care of it?

If you have no use for ETRN just set

    smtpd_etrn_restrictions = reject

or maybe better

    smtpd_etrn_restrictions = static:502

and then forget about it.

ETRN is not a particularly interesting attack/abuse vector with postfix. Don't spend much time worrying about it.

-- Noel Jones
Re: Restricting ETRN?
- Original Message
> From: Noel Jones
> To: postfix-users@postfix.org
> Sent: Fri, April 8, 2011 9:44:12 PM
> Subject: Re: Restricting ETRN?
>
> On 4/8/2011 11:29 PM, email builder wrote:
> >
> > Or is this of no concern and/or does the junk command limit take care of it?
>
> If you have no use for ETRN just set
>     smtpd_etrn_restrictions = reject
> or maybe better
>     smtpd_etrn_restrictions = static:502
> and then forget about it.
>
> ETRN is not a particularly interesting attack/abuse vector with postfix.
> Don't spend much time worrying about it.

OK, thanks Stan and Noel. Much appreciated.
Re: Performance or delivery problems caused by "sleep"?
> > I'm thinking about trying the example suggested in the documentation for
> > "sleep":
> >
> > /etc/postfix/main.cf:
> >     smtpd_client_restrictions =
> >         sleep 1, reject_unauth_pipelining
> >     smtpd_delay_reject = no
> >
> > In general, I try to order smtpd_*_restrictions with the least costly first, so
> > this would be an exception. Has "sleep" shown to be:
> >
> > * effective?
>
> Not particularly. The sleep command was an early attempt to reject bots that
> start talking before it's their turn. The idea is:
> sleep 1 (don't say anything for a while - pick up the phone without saying hello)
> reject_unauth_pipelining (if the caller starts talking before we greet them,
> they are a bot/recording so hang up)
>
> Problems with sleep (ie. good reasons to not use it):
> - not many bots fall for the trick.
> - requires "smtpd_delay_reject = no" which can create other issues with
>   logging and restriction flow, particularly for casual postfix users.
> - penalizes every client on every connection
> - ties up a valuable smtpd process with doing nothing.
>
> The postscreen feature in postfix 2.8 eliminates those problems, and adds
> other features not possible/practical in the regular smtpd listener.
>
> Your best choice is to upgrade to current postfix. If you can't do that, a
> greylist policy service is probably the next best thing.
>
> > On a related note, is there any reason this example adds
> > "reject_unauth_pipelining" after "sleep"?
>
> The reject_unauth_pipelining is what causes the bad clients to be rejected.
>
> > Is using "sleep" alone with nothing
> > else OK?
>
> Using sleep by itself won't break anything, but it doesn't do anything except
> slow everything down.
>
> Slowing the server down gives no benefit, and in the case of a server that's
> close to overload, could push it over the edge.

Ah, excellent responses Noel and Stan. I understand very well now. I really appreciate the detailed explanations.

> > I'm using version 2.3.3, and the docs say "reject_unauth_pipelining"
> > is only recommended in smtpd_data_restrictions for older versions (but doesn't
> > say why or if it will hurt to have it anywhere else).
>
> You should really upgrade. The final update for the postfix 2.3 series before
> EOL was 2.3.19 in Aug 2009.
>
> If 2.3.3 is the best your vendor can provide, you should complain strongly.

OK I hear that loud and clear. There's a few hitches involved (DB support, etc), but that's probably all the more argument to simply move to one of Simon's packages. Maybe that's the best choice. We'll work on that, but I must say that one of the things I appreciate the most about postfix is that we can languish in a stale version that's not even being supported and we're still not vulnerable to any security issues.

> In older postfix versions with recommended default smtpd_delay_reject = yes,
> the reject_unauth_pipelining restriction is only effective in
> smtpd_data_restrictions. It doesn't hurt anything if used in other sections,
> it just doesn't do anything. That's also why the example shows setting
> smtpd_delay_reject = no.
use of smtp(d)_tls_CAfile with opportunistic TLS?
Hello,

I'm wondering about the usefulness of smtp(d)_tls_CAfile(path) when using opportunistic encryption in both incoming and outgoing connections. The TLS_README suggests that certificate and key files be left empty for opportunistic smtp processes, but it doesn't talk specifically about smtp_tls_CAfile(path).

Am I correct to infer that both smtp(d)_tls_CAfile settings only serve a purpose when you want to verify client/server certificates? If that's the case, why does the example at the bottom of TLS_README use both the CAfile settings with only opportunistic encryption?

Our system seems to work without any CAfile/CApath settings under opportunistic encryption both incoming and outgoing. Is there a performance or security difference between using them or not?

Sorry in advance if my shaky grasp of TLS is the problem here.

Thank you!
Rev DNS not match SMTP Banner, will it bite me ?
I'm setting up a mail server on a virtual server

smtp banner is set to myhost.mydomain

reverse dns resolves to the data centre IP address

is that going to cause me problems in the future ?

- mxtoolbox:
OK - 111.111.222.333 resolves to server.domain.tld
Warning - Reverse DNS does not match SMTP Banner

-- Voytek