Re: SASL Authentication and debugging..

2011-04-13 Thread Patrick Ben Koetter
* Simon Brereton :
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> > us...@postfix.org] On Behalf Of Patrick Ben Koetter
> > * Simon Brereton :
> > > Probably not the best place for this, but hopefully someone will
> > tell
> > > me what I'm doing wrong anyway..
> > >
> > > I've gotten the TLS up and working.  And SASL auth seemed to be
> > > working.  I installed saslfinger and everything was fine there.
> > But
> > > when trying to locally inject mail on the submission port, I get:
> > >
> > > Apr 11 20:31:10 jonty postfix/smtpd[28787]: setting up TLS
> > connection
> > > from localhost[127.0.0.1] Apr 11 20:31:10 jonty
> > postfix/smtpd[28787]:
> > > Anonymous TLS connection established from localhost[127.0.0.1]:
> > TLSv1
> > > with cipher DHE-RSA-AES256-SHA (256/256 bits) Apr 11 20:31:10 jonty
> > > postfix/smtpd[28787]: warning: localhost[127.0.0.1]: SASL LOGIN
> > > authentication failed: authentication failure Apr 11 20:31:10 jonty
> > > postfix/smtpd[28787]: disconnect from localhost[127.0.0.1]
> > >
> > > I turned the verbosity up in smtpd.conf to try and diagnose this,
> > and
> > > it does nothing (which I guess is my biggest issue).
> > >
> > >   # Global Parameters
> > >   log_level: 7
> > >   pwcheck_method: auxprop
> > >   #pwcheck_method: saslauthd
> 
> > >
> > > Saslfinger -s says:
> > 
> > saslfinger also reports much other, useful information which we need
> > to debug your problem. Please post complete output.
> 
> Gladly.  I was hoping you'd step in.  Just to let you know, I've tried
> both auxprop and saslauthd as the pwcheck method.
> 
> I even tried rimap - and with courier authdaemon logging turned up to 2, I
> can see the MYSQL call is successful (i.e. IMAP validates) and still SASL
> says authentication failed.

We'll simplify first, and make it feature-complete later.


> root@jonty:~# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Wed Apr 13 05:52:12 BST 2011
> version: 1.0.4
> mode: server-side SMTP AUTH
> 
> -- basics --
> Postfix: 2.7.1
> System: Debian GNU/Linux 6.0 \n \l
> 
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7672000)
> 
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = spamfreeisp.net

$smtpd_sasl_local_domain required or because you found it on a website?


> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /root/certauth/cacert.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/ssl/mail.spamfreeisp.net.cert
> smtpd_tls_key_file = /etc/postfix/ssl/mail.spamfreeisp.net.key

Just as a sidenote: You might want to move your key and certs to /etc/ssl/...
and own them root:ssl-cert and then "adduser postfix ssl-cert" to make it the
"Debian way".


> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> 
> 
> -- listing of /usr/lib/sasl2 --
> total 704
> drwxr-xr-x  2 root root  4096 Mar  8 14:21 .
> drwxr-xr-x 79 root root 32768 Apr  4 19:18 ..
> -rw-r--r--  1 root root 13436 Dec 19 12:29 libanonymous.a
> -rw-r--r--  1 root root  1003 Dec 19 12:29 libanonymous.la
> -rw-r--r--  1 root root 13076 Dec 19 12:29 libanonymous.so
> -rw-r--r--  1 root root 13076 Dec 19 12:29 libanonymous.so.2
> -rw-r--r--  1 root root 13076 Dec 19 12:29 libanonymous.so.2.0.23
> -rw-r--r--  1 root root 15882 Dec 19 12:29 libcrammd5.a
> -rw-r--r--  1 root root   989 Dec 19 12:29 libcrammd5.la
> -rw-r--r--  1 root root 15444 Dec 19 12:29 libcrammd5.so
> -rw-r--r--  1 root root 15444 Dec 19 12:29 libcrammd5.so.2
> -rw-r--r--  1 root root 15444 Dec 19 12:29 libcrammd5.so.2.0.23
> -rw-r--r--  1 root root 45328 Dec 19 12:29 libdigestmd5.a
> -rw-r--r--  1 root root  1012 Dec 19 12:29 libdigestmd5.la
> -rw-r--r--  1 root root 43144 Dec 19 12:29 libdigestmd5.so
> -rw-r--r--  1 root root 43144 Dec 19 12:29 libdigestmd5.so.2
> -rw-r--r--  1 root root 43144 Dec 19 12:29 libdigestmd5.so.2.0.23
> -rw-r--r--  1 root root 13586 Dec 19 12:29 liblogin.a
> -rw-r--r--  1 root root   983 Dec 19 12:29 liblogin.la
> -rw-r--r--  1 root root 13552 Dec 19 12:29 liblogin.so
> -rw-r--r--  1 root root 13552 Dec 19 12:29 liblogin.so.2
> -rw-r--r--  1 root root 13552 Dec 19 12:29 liblogin.so.2.0.23
> -rw-r--r--  1 root root 29140 Dec 19 12:29 libntlm.a
> -rw-r--r--  1 root root   977 Dec 19 12:29 libntlm.la
> -rw-r--r--  1 root root 28528 Dec 19 12:29 libntlm.so
> -rw-r--r--  1 root root 28528 Dec 19 12:29 libntlm.so.2
> -rw-r--r--  1 root root 28528 Dec 19 12:29 libntlm.so.2.0.23
> -rw-r--r--  1 root root 13786 Dec 19 12:29 libplain.a
> -rw-r--r--  1 root root   983 Dec 19 12:29 libplain.la
> -rw-r--r--  1 root root 14096 Dec 19 12:29 libplain.so
> -rw-r--r--  1 root root 14096 Dec 19 12:29 libplain.so.2
> -rw-r--r--  1 root root 14096 Dec 19 12:29 libplain.so.2.0.23
> -rw-r-

Re: authenticated smtp relay and ssl/tls

2011-04-13 Thread Fabien COMBERNOUS

On 12/04/2011 11:12, Fabien COMBERNOUS wrote:

> Hi there,
>
> Is it possible to ask postfix to relay mail to an authenticated smtp
> service ? This remote smtp service is using ssl or tls. I know it is
> possible to relay mail to an authenticated smtp service but without
> ssl/tls.
>
> Any piece of information or howto about this is welcome.
>
> Best regards,

Thank you all for your help.

I got the last information here:
http://www.zulius.com/how-to/set-up-postfix-with-a-remote-smtp-relay-host/

Now the relay works fine.

Regards.

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com 
*Tel: +33 (0) 467 992 986*
Kezia Group


masquerade domains and unknown recipient bounces

2011-04-13 Thread Gabriel Craciun

hi,

is it possible to forward unknown recipient mails to another server that 
has those mailboxes,

me having a non empty local_recipient_maps?

i've been using postfix for a few years now, but i still can't get 
something done.

i know is a long mail but please bear with me.
what i'm trying to do is this:

at this moment i have a postfix server for city.company.domain
named box1.city.company.domain.
the box is at its full, i can't upgrade it anymore and i won't get a 
better one.

so, i decided to split the load between 2 servers,
sales dept on box2, the rest remain on box1.
the entire process has to be transparent for the sales users,
meaning they don't have to modify the settings on their mail clients.

i added a secondary server box2.city.company.domain,
created a view in dns for them so when they ask for box1 the dns server 
replies with the ip of box2


box1 acts somehow as a gateway, sale_person@city.company.domain is an alias
for sale_per...@box2.city.company.domain

on box2 i enabled masquerade domains:

relayhost = [box1.city.company.domain]
masquerade_classes = envelope_recipient, header_recipient, envelope_sender, header_sender

masquerade_domains = city.company.domain
this doesn't work without adding
local_recipient_maps = hash:/etc/postfix/local_rec_maps.cf

- /etc/postfix/local_rec_maps.cf --
@box2.city.company.domain   X


my problem arrives when someone on box2 wants to send an email to an 
account on box1
postfix naturally checks and sees it doesn't have the box1 account and 
the mail bounces


fallback_transport won't work with a non empty local_recipient_maps
and masquerade_domains demands one, so i'm stuck.

on both boxes i use virtual domain and mailbox with mysql backend.
any idea would be greatly appreciated.







questions about CF writing

2011-04-13 Thread Giovanni Mancuso
Hi,

I'm trying to write an after queue content filter, and I have questions.
If my filter has exit code 75 (for example), in the postfix log after
status= I have in () the output of my filter, but if my filter has exit
code 0, the output is always "status=sent (delivered via filter
service)". Can I write another message in ()? If my filter returns a
string, can I put this in the postfix log?

The second question is: Can I do a postfix queue_id to my filter with
argument? In the pipe manual I don't find this macro, but if I add -vvv in
pipe command, I see

Apr 13 11:53:52 suuuper postfix/pipe[2865]: filter socket: wanted
attribute: queue_id
Apr 13 11:53:52 suuuper postfix/pipe[2865]: input attribute name: queue_id
Apr 13 11:53:52 suuuper postfix/pipe[2865]: input attribute value: 173017FD9

Thanks


Re: Filtering spam received from multiple users

2011-04-13 Thread Mikael Bak
Stan Hoeppner wrote:
> Mikael Bak put forth on 4/12/2011 7:31 AM:
>> Stan Hoeppner wrote:
>> [snip]
>>>> Received: from [190.221.28.39] (unknown [190.221.28.39])
>>> In this example, reject_unknown_reverse_client_hostname would have
>>> generated a 450 rejection.  You should always use
>>> reject_unknown_reverse_client_hostname at minimum, or the more
>>> restrictive reject_unknown_client_hostname, though this one can cause
>>> problems with FPs on occasion.  Best to use it with warn_if_reject for a
>>> while and monitor what it would have rejected.
>>>
>>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>>>
>>> However, it appears that 190.221.28.39 has rDNS of
>>>
>>> Name: host39.190-221-28.telmex.net.ar
>>> Address: 190.221.28.39
> 
>> No. The "reject_unknown_reverse_client_hostname" in the above example
>> would not have generated a 450 rejection, since the IP address HAS a
>> reverse dns hostname.
> 
> Yes, it would have.  Note the "unknown" in the Received line.  The rDNS
> lookup failed during the transaction in question, thus this restriction
> would have generated a 450 for this transaction.  Note the following
> that I wrote, due to the fact the host does have rDNS:
> 
>>> so reject_unknown_reverse_client_hostname isn't a permanent solution
>>> here.  
> 
> I think you were a bit hasty in your reply, not carefully reading the
> information I provided.
> 

I think not.
As others already have proven, you made a hasty judgement upon faulty
information.

My only motivation for getting into this discussion was to prevent faulty
information from making it to the list archives without correction.

Mikael


Re: questions about CF writing

2011-04-13 Thread Wietse Venema
Giovanni Mancuso:
>  Hi,
> 
> I'm trying to write an after queue content filter, and I have questions.
> If my filter has exit code 75 (for example), in the postfix log after
> status= I have in () the output of my filter, but if my filter has exit
> code 0, the output is always "status=sent (delivered via filter
> service)". Can I write another message in ()? If my filter returns a
> string, can I put this in the postfix log?

This is currently not implemented. Things to consider when 
proposing changes to code:

- The same code is also used in local(8) to deliver mail to
"|command".  Changes to the pipe(8) delivery agent must not break
deliveries with the local(8) delivery agent.

- While the command output after error is returned to the sender
in DSN "failed" notifications, it is not necessarily a good idea to
also return command output with DSN "success" notifications.

> The second question is: Can I do a postfix queue_id to my filter with
> argument? In the pipe manual I don't find this macro, but if I add -vvv in
> pipe command, I see

No, and there are many reasons for this. First, filter programs
must not access Postfix queue files to implement "extra functionality";
I don't want to make such cheating easy.  Second, the queue ID will
change after the filter sends the message back into Postfix.

Wietse


Re: Filtering spam received from multiple users

2011-04-13 Thread Sahil Tandon
On Tue, 2011-04-12 at 23:55:18 -0500, Stan Hoeppner wrote:

> Sahil Tandon put forth on 4/12/2011 10:58 PM:
> > On Tue, 2011-04-12 at 16:19:03 -0500, Stan Hoeppner wrote:
> > 
> >> Mikael Bak put forth on 4/12/2011 7:31 AM:
> >>> Stan Hoeppner wrote:
> >>> [snip]
> 
> >>>>> Received: from [190.221.28.39] (unknown [190.221.28.39])
> >>>>
> >>>> In this example, reject_unknown_reverse_client_hostname would have
> >>>> generated a 450 rejection.  You should always use
> >>>> reject_unknown_reverse_client_hostname at minimum, or the more
> >>>> restrictive reject_unknown_client_hostname, though this one can cause
> >>>> problems with FPs on occasion.  Best to use it with warn_if_reject for a
> >>>> while and monitor what it would have rejected.
> >>>>
> >>>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> >>>>
> >>>> However, it appears that 190.221.28.39 has rDNS of
> >>>>
> >>>> Name: host39.190-221-28.telmex.net.ar
> >>>> Address: 190.221.28.39
> >>
> >>> No. The "reject_unknown_reverse_client_hostname" in the above example
> >>> would not have generated a 450 rejection, since the IP address HAS a
> >>> reverse dns hostname.
> >>
> >> Yes, it would have.
> > 
> > Not in this case.
> > 
> >>  Note the "unknown" in the Received line.  The rDNS lookup failed
> >>  during the transaction in question, thus this restriction would have
> >>  generated a 450 for this transaction.  Note the following that I
> >>  wrote, due to the fact the host does have rDNS:
> > 
> > The 'unknown' in the Received: header is not due to rDNS problems, but
> > more likely because the name->address mapping (still) fails.
> > 
> >   % dig +short -x 190.221.28.39
> >   host39.190-221-28.telmex.net.ar.
> > 
> >   ... so rDNS is OK; however:
> > 
> >   % host host39.190-221-28.telmex.net.ar
> >   Host host39.190-221-28.telmex.net.ar not found: 3(NXDOMAIN)
> 
> But the test condition is 1) or 2) or 3) isn't it?  Not 1) and 2) and 3)?
> 
> If the latter, you seem to be saying one can have a case with an
> "unknown" stamp for the reverse-name in the log and Received: header,
> but reject_*unknown*_reverse_client_hostname will not reject the connection?

Remember: there is a difference between reject_unknown_client_hostname
and reject_unknown_reverse_client_hostname.  The latter *only* rejects
mail when the client IP address->name mapping fails.  This is *one* of
three conditions that causes Postfix to insert 'unknown' into Received:
headers and reject mail with the reject_unknown_client_hostname
directive.  In the case we are discussing, the 'unknown' in the headers
was there *not* because of rDNS failure, but because the name->address
mapping failed.  As a result, while reject_unknown_client_hostname would
reject the client, reject_unknown_*reverse*_client_hostname would not.
If this is not sufficiently clear at this point, a careful re-reading of
the relevant sections of postconf(5) is in order.

 http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
 http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

> Wietse Venema put forth on 3/31/2011 11:42 AM:
> 
> > The format is:
> >
> > Received: from helo-hostname (verified-reverse-name [ip-address])

Yes, understand that just because the rDNS is known, does not mean it is
verified.

-- 
Sahil Tandon 


Re: Filtering spam received from multiple users

2011-04-13 Thread Noel Jones

On 4/12/2011 10:41 PM, Stan Hoeppner wrote:
> Noel Jones put forth on 4/12/2011 6:56 PM:
>> On 4/12/2011 4:19 PM, Stan Hoeppner wrote:
>>> Mikael Bak put forth on 4/12/2011 7:31 AM:
>>>> Stan Hoeppner wrote:
>>>> [snip]
>>>>>> Received: from [190.221.28.39] (unknown [190.221.28.39])
>>>>>
>>>>> In this example, reject_unknown_reverse_client_hostname would have
>>>>> generated a 450 rejection.  You should always use
>>>>> reject_unknown_reverse_client_hostname at minimum, or the more
>>>>> restrictive reject_unknown_client_hostname, though this one can cause
>>>>> problems with FPs on occasion.  Best to use it with warn_if_reject
>>>>> for a while and monitor what it would have rejected.
>>>>>
>>>>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>>>>>
>>>>> However, it appears that 190.221.28.39 has rDNS of
>>>>>
>>>>> Name: host39.190-221-28.telmex.net.ar
>>>>> Address: 190.221.28.39
>>>>
>>>> No. The "reject_unknown_reverse_client_hostname" in the above example
>>>> would not have generated a 450 rejection, since the IP address HAS a
>>>> reverse dns hostname.
>>>
>>> Yes, it would have.  Note the "unknown" in the Received line.  The rDNS
>>
>> The "unknown" gives zero information about the client's rDNS.  The
>
> I didn't say it did.  It does tell us there was a related error, and we
> know the IP has valid rDNS.
>
>> "unknown" signifies that the client does not have correct FCrDNS, which
>> does not disclose rDNS status.
>
> Combining "unknown" with the fact that "host" returns a valid rDNS name
> tells us the likely cause of "unknown" in this case was a temporary DNS
> lookup failure.

No.

>> A client is marked unknown when 1) the client IP address->name mapping
>> fails, 2) the name->address mapping fails, or 3) the name->address
>> mapping does not match the client IP address.
>
> Since we know valid rDNS exists via manual sleuthing, it's pretty
> reasonable to conclude 1) above occurred, is it not?

Absolutely not.  In this particular case it appears it was 2)
that failed.

The client is marked "unknown" if *any* of the three tests fail.

Repeat 100 times:
The client is marked "unknown" if *any* of the three tests fail.

>> The postfix log will show the reason why the client is marked unknown,
>> but postfix does not indicate the reason in the Received: header.
>
> Always good practice to check logs.  Though in this case enough
> information was available in lieu of logs to correctly describe the
> issue, and put it in the context of the larger question, which was "best
> methods to block spam from this type of host".
>
> Do you disagree?

I disagree.

Postmortem sleuthing shows this client has working rDNS but no
A record for the rDNS name.  You can't tell this from looking
at the Received: header.

Your advice that reject_unknown_reverse_client_hostname will
reject this host is incorrect.  While that restriction is
useful and safe for most sites, it will probably not reject
this particular client, which has rDNS but no
hostname->address mapping.

  -- Noel Jones
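
The three tests Noel Jones and Sahil Tandon describe, as an added example that is not part of the original thread and is not Postfix code. It models only the conditions as the posters state them; the function names, the injected resolver callbacks and all DNS data except the 190.221.28.39 entry (taken from the dig/host output quoted in the thread) are constructed.

```python
"""Added illustration: the three tests behind Postfix's "unknown" client name."""
from typing import Callable, List, NamedTuple, Optional, Tuple

REVERSE_ONLY = "reject_unknown_reverse_client_hostname"
FULL_CHECK = "reject_unknown_client_hostname"


class Verdict(NamedTuple):
    client_name: str               # name shown in logs and in Received:
    failed_test: int               # 0 = all passed, else 1, 2 or 3 as numbered in the thread
    rejected_by: Tuple[str, ...]   # restrictions that would reject this client


def classify_client(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]],
    addr_lookup: Callable[[str], List[str]],
) -> Verdict:
    """Apply the tests in order; resolvers are injected so this runs offline."""
    name = ptr_lookup(ip)
    if name is None:
        # 1) address->name mapping fails: both restrictions reject.
        return Verdict("unknown", 1, (REVERSE_ONLY, FULL_CHECK))
    addresses = addr_lookup(name)
    if not addresses:
        # 2) name->address mapping fails: only the stricter restriction rejects.
        return Verdict("unknown", 2, (FULL_CHECK,))
    if ip not in addresses:
        # 3) forward lookup works but does not lead back to the client IP.
        return Verdict("unknown", 3, (FULL_CHECK,))
    return Verdict(name, 0, ())


def received_line(helo: str, ip: str, verdict: Verdict) -> str:
    """Header in the format quoted in the thread; it never records which test failed."""
    return f"Received: from {helo} ({verdict.client_name} [{ip}])"


# Constructed DNS data. The first entry mirrors the dig/host output in the
# thread (PTR exists, forward lookup is NXDOMAIN); the rest are made up.
PTR_RECORDS = {
    "190.221.28.39": "host39.190-221-28.telmex.net.ar",
    "192.0.2.20": "mail.example.net",
    "192.0.2.30": "mx.example.org",
}
A_RECORDS = {
    "mail.example.net": ["192.0.2.21"],   # points somewhere else
    "mx.example.org": ["192.0.2.30"],     # forward-confirmed
}


def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def lookup_addr(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def classify_samples() -> dict:
    """One sample client per outcome: test 1, test 2, test 3, all passed."""
    ips = ["192.0.2.10", "190.221.28.39", "192.0.2.20", "192.0.2.30"]
    return {ip: classify_client(ip, lookup_ptr, lookup_addr) for ip in ips}


if __name__ == "__main__":
    for ip, verdict in classify_samples().items():
        print(received_line(f"[{ip}]", ip, verdict))
        print(f"  failed test: {verdict.failed_test or 'none'}; "
              f"rejected by: {', '.join(verdict.rejected_by) or 'neither'}")
```

The first three sample clients produce the same `unknown` in the header although a different test failed for each, which is why the log, not the header, has to be consulted.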


Postfix Multi and Sendmail

2011-04-13 Thread Jon Cutting
I've set up a server that uses postmulti for multiple companies so that I can 
configure a milter to a different archiving solution for each, and I'd like to 
add the possibility to add a disclaimer.

Normally I'd use altermime as a content filter that puts the mail back into the 
queue with the sendmail command. In the case of multiple postfix instances, I 
don't seem to be able to find a way to specify which queue to put the mail back 
into. I'd like the mail to return to the postfix instance from which it 
originated (I.e. if postfix-1031 handed the mail off to the content filter I'd 
like to be able to specify that it is put back into postfix-1031's pickup queue 
with sendmail).

Is there a way to achieve this?

Many thanks,

Jonathan


Re: Postfix Multi and Sendmail

2011-04-13 Thread Noel Jones

On 4/13/2011 7:58 AM, Jon Cutting wrote:

> I've set up a server that uses postmulti for multiple companies so that I can
> configure a milter to a different archiving solution for each, and I'd like to
> add the possibility to add a disclaimer.
>
> Normally I'd use altermime as a content filter that puts the mail back into the
> queue with the sendmail command. In the case of multiple postfix instances, I
> don't seem to be able to find a way to specify which queue to put the mail back
> into. I'd like the mail to return to the postfix instance from which it
> originated (I.e. if postfix-1031 handed the mail off to the content filter I'd
> like to be able to specify that it is put back into postfix-1031's pickup queue
> with sendmail).
>
> Is there a way to achieve this?
>
> Many thanks,
>
> Jonathan


Forward the mail via SMTP by using mini_sendmail as a 
replacement for sendmail.  Specify the destination port with 
the mini_sendmail -pPORT option.


http://acme.com/software/mini_sendmail/
or in most OS packaging systems.


  -- Noel Jones


RE: Postfix Multi and Sendmail

2011-04-13 Thread Jon Cutting
-Original message-
To: postfix-users@postfix.org; 
From:   Noel Jones 
Sent:   Wed 13-04-2011 14:15
Subject:Re: Postfix Multi and Sendmail
> On 4/13/2011 7:58 AM, Jon Cutting wrote:
> > I've set up a server that uses postmulti for multiple companies so that I
> > can configure a milter to a different archiving solution for each, and I'd
> > like to add the possibility to add a disclaimer.
> >
> > Normally I'd use altermime as a content filter that puts the mail back into
> > the queue with the sendmail command. In the case of multiple postfix
> > instances, I don't seem to be able to find a way to specify which queue to
> > put the mail back into. I'd like the mail to return to the postfix instance
> > from which it originated (I.e. if postfix-1031 handed the mail off to the
> > content filter I'd like to be able to specify that it is put back into
> > postfix-1031's pickup queue with sendmail).
> >
> > Is there a way to achieve this?
> >
> > Many thanks,
> >
> > Jonathan
>
> Forward the mail via SMTP by using mini_sendmail as a
> replacement for sendmail.  Specify the destination port with
> the mini_sendmail -pPORT option.
>
> http://acme.com/software/mini_sendmail/
> or in most OS packaging systems.
>
>   -- Noel Jones
>

Many thanks for the suggestion Noel. I may run into another problem if I send 
it back via SMTP though as my content filter is defined on the smtpd process 
and I may create a loop.


Postfix (from and name)

2011-04-13 Thread Márcio Luciano Donada
Hi,
Got an interesting case today and would like to share an idea with you.
In case the link [1]. What happens is that from has a name but that name
is an e-mail has just passed and another staff automatically is not
really from. Is there a way to be blocking email like this?

[1]. http://paste.ubuntu.com/593564/

-- 
Márcio Luciano Donada
Aurora Alimentos - T.I. Matriz
Coop. Central Oeste Catarinense



Re: Postfix Multi and Sendmail

2011-04-13 Thread Wietse Venema
Jon Cutting:
> I've set up a server that uses postmulti for multiple companies
> so that I can configure a milter to a different archiving solution
> for each, and I'd like to add the possibility to add a disclaimer.
> 
> Normally I'd use altermime as a content filter that puts the mail
> back into the queue with the sendmail command. In the case of
> multiple postfix instances, I don't seem to be able to find a way
> to specify which queue to put the mail back into. I'd like the
> mail to return to the postfix instance from which it originated
> (I.e. if postfix-1031 handed the mail off to the content filter
> I'd like to be able to specify that it is put back into postfix-1031's
> pickup queue with sendmail).
> 
> Is there a way to achieve this?

SENDMAIL(1)                                                        SENDMAIL(1)
...
   -C config_file

   -C config_dir
          The path name of the Postfix main.cf file, or of its parent
          directory. This information is ignored with Postfix versions
          before 2.3.

          With all Postfix versions, you can specify a directory pathname
          with the MAIL_CONFIG environment variable to override the
          location of configuration files.

The directory must be configured as part of the multi-instance setup.
Postfix won't let users specify a random directory or config file.

Wietse


RE: SASL Authentication and debugging..

2011-04-13 Thread Simon Brereton
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Patrick Ben Koetter
> * Simon Brereton :
> > > > Saslfinger -s says:
> > >
> > > saslfinger also reports much other, useful information which we need
> > > to debug your problem. Please post complete output.
> >
> > Gladly.  I was hoping you'd step in.  Just to let you know, I've tried
> > both auxprop and saslauthd as the pwcheck method.
> >
> > I even tried rimap - and with courier authdaemon logging turned up to
> > 2, I can see the MYSQL call is successful (i.e. IMAP validates) and
> > still SASL says authentication failed.
> 
> We'll simplify first, and make it feature-complete later.
> 
> 
> > root@jonty:~# saslfinger -s
> > saslfinger - postfix Cyrus sasl configuration Wed Apr 13 05:52:12 BST 2011
> > version: 1.0.4
> > mode: server-side SMTP AUTH
> >
> > -- basics --
> > Postfix: 2.7.1
> > System: Debian GNU/Linux 6.0 \n \l
> >
> > -- smtpd is linked to --
> > libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7672000)
> >
> > -- active SMTP AUTH and TLS parameters for smtpd --
> > broken_sasl_auth_clients = yes
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_local_domain = spamfreeisp.net
> 
> $smtpd_sasl_local_domain required or because you found it on a website?

Probably the latter - although I don't think I've touched it much since you 
helped me set it up about 5 years ago.

> > smtpd_sasl_security_options = noanonymous
> > smtpd_tls_CAfile = /root/certauth/cacert.pem
> > smtpd_tls_auth_only = no
> > smtpd_tls_cert_file = /etc/postfix/ssl/mail.spamfreeisp.net.cert
> > smtpd_tls_key_file = /etc/postfix/ssl/mail.spamfreeisp.net.key
> 
> Just as a sidenote: You might want to move your key and certs to /etc/ssl/...
> and own them root:ssl-cert and then "adduser postfix ssl-cert" to make it the
> "Debian way".

Good point.  Will do that when I get to the end.

> > smtpd_tls_loglevel = 1
> > smtpd_tls_received_header = yes
> > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> > smtpd_tls_session_cache_timeout = 3600s
> > smtpd_use_tls = yes

> > -- content of /etc/postfix/sasl/smtpd.conf --
> 
> Make this as follows and REMOVE the semi-colon at the end of your
> sql_select:-statement:
> 
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> auxprop_plugin: sql
> sql_engine: mysql
> sql_hostnames: localhost
> sql_user: --- replaced ---
> sql_passwd: --- replaced ---
> sql_database: Mail
> sql_select: SELECT Password FROM MailAccounts WHERE Username = '%u@%r'

Done.

> > -- active services in /etc/postfix/master.cf --
> > # service type  private unpriv  chroot  wakeup  maxproc command + args
> > #               (yes)   (yes)   (yes)   (never) (100)
> > smtp  inet  n   -   -   -   -   smtpd -v
> > submission inet n   -   n   -   -   smtpd
> >   -o receive_override_options=no_address_mappings
> >   -o content_filter=dksign:[127.0.0.1]:10028
> >   -o smtpd_enforce_tls=yes
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 
> Disable TLS for the moment.
> What do you get when you run "postconf smtpd_delay_reject"?

smtpd_delay_reject = yes

> Post verbose smtpd log that shows an authentication attempt if AUTH
> still fails after the changes.
> 
> Caution
> 
> When posting logs of the SASL negotiations to public lists, please keep in
> mind that username/password information is trivial to recover from the
> base64-encoded form written to log files.

Part of my problem is that I can't get SASL logging verbosity to the point 
where I can see the passwords!  If I could, that would help.

Two attempts.

Apr 13 14:54:10 jonty postfix/master[28058]: reload -- version 2.7.1, 
configuration /etc/postfix
Apr 13 14:54:10 jonty postfix/anvil[1821]: statistics: max connection rate 
1/60s for (smtp:192.168.1.4) at Apr 13 14:51:58
Apr 13 14:54:10 jonty postfix/anvil[1821]: statistics: max connection count 1 
for (smtp:192.168.1.4) at Apr 13 14:51:58
Apr 13 14:54:10 jonty postfix/anvil[1821]: statistics: max cache size 1 at Apr 
13 14:51:58
Apr 13 14:54:33 jonty postfix/smtpd[1834]: connect from unknown[192.168.1.4]
Apr 13 14:54:46 jonty postfix/smtpd[1834]: warning: SASL authentication 
failure: Password verification failed
Apr 13 14:54:46 jonty postfix/smtpd[1834]: warning: unknown[192.168.1.4]: SASL 
PLAIN authentication failed: authentication failure
Apr 13 14:54:58 jonty postfix/smtpd[1834]: disconnect from unknown[192.168.1.4]
Apr 13 14:55:05 jonty postfix/smtpd[1838]: connect from unknown[192.168.1.4]
Apr 13 14:55:22 jonty postfix/smtpd[1838]: warning: SASL authentication 
failure: Password verification failed
Apr 13 14:55:22 jonty postfix/smtpd[1838]: warning: unknown[192.168.1.4]: SASL 
PLAIN authentication failed: authentication failure
Apr 13 14:55:25 jonty postfix/smtpd[1838]: disconnect from unknown[192.168.1.4]

Turning up the -v on
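
The caution quoted in the message above, turned into a pre-posting scrubber (an added example, not part of the original thread and not Postfix code). It assumes the verbose smtpd protocol trace lines have the form `< client[addr]: text` for client input and `> client[addr]: text` for server replies; the `redact` function name and every sample log line are constructed.

```python
"""Added illustration: scrub SASL credentials from verbose smtpd logs before posting."""
import base64
import re
from typing import Iterable, List

# Assumed trace format: "<" marks a line received from the client,
# ">" marks a reply sent to the client.
TRACE = re.compile(
    r"^(?P<head>.*postfix/smtpd\[(?P<pid>\d+)\]: )"
    r"(?P<dir>[<>]) (?P<peer>\S+): (?P<text>.*)$"
)
AUTH = re.compile(r"^(AUTH\s+\S+)(\s+\S+)?\s*$", re.IGNORECASE)
MASK = "[REDACTED]"


def redact(lines: Iterable[str]) -> List[str]:
    """Mask every base64 token exchanged between AUTH and the final reply."""
    in_auth = set()   # smtpd process ids with a SASL exchange in progress
    out = []
    for line in lines:
        m = TRACE.match(line)
        if m is None:
            out.append(line)              # not a protocol trace line
            continue
        pid, direction, text = m["pid"], m["dir"], m["text"]
        if direction == "<":
            auth = AUTH.match(text)
            if auth:
                in_auth.add(pid)
                if auth.group(2):         # initial response, e.g. AUTH PLAIN <b64>
                    text = f"{auth.group(1)} {MASK}"
            elif pid in in_auth:
                text = MASK               # continuation: user name, password, digest
        elif pid in in_auth:
            if text.startswith("334"):
                text = f"334 {MASK}"      # server challenge (prompt or nonce)
            else:
                in_auth.discard(pid)      # 235/535/...: exchange is over
        out.append(f"{m['head']}{direction} {m['peer']}: {text}")
    return out


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample: one AUTH PLAIN attempt and one AUTH LOGIN attempt.
_P = "Apr 13 14:54:40 mx postfix/smtpd[1834]: "
_C = "unknown[192.0.2.4]"
SECRETS = [
    _b64("\0user@example.com\0constructed-pw"),
    _b64("user@example.com"),
    _b64("constructed-pw"),
]
SAMPLE_LOG = [
    _P + f"connect from {_C}",
    _P + f"< {_C}: AUTH PLAIN {SECRETS[0]}",
    _P + f"> {_C}: 535 5.7.8 Error: authentication failed",
    _P + f"< {_C}: AUTH LOGIN",
    _P + f"> {_C}: 334 {_b64('Username:')}",
    _P + f"< {_C}: {SECRETS[1]}",
    _P + f"> {_C}: 334 {_b64('Password:')}",
    _P + f"< {_C}: {SECRETS[2]}",
    _P + f"> {_C}: 535 5.7.8 Error: authentication failed",
    _P + f"< {_C}: QUIT",
]

if __name__ == "__main__":
    print("\n".join(redact(SAMPLE_LOG)))
```

Tracking state per smtpd process id matters because the AUTH LOGIN user name and password arrive on lines of their own, with no keyword a simple pattern match could key on.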

Big messages stuck in queue (semi-off topic)

2011-04-13 Thread Victoriano Giralt

We already know it is not Postfix's fault, as the reason lies at the
network level, but I'm writing to the list in the hope that someone
might have seen this behaviour, as I have been thrashing over Google
finding nothing useful.

Symptom:
Big (>1736267 bytes) messages are stuck in the queue with these errors:

Apr 13 16:06:04 rusadir postfix/smtp[3026]: 15EA5196117: to=,
relay=system.domain[ad.dr.es.s]:25, delay=15246,
delays=15200/1.2/44/1.1, dsn=4.4.2, status=deferred (lost connection
with system.domain[ad.dr.es.s] while sending message body)

Analytical signs:
Wireshark shows "TCP window full" several times while Postfix is
dutifully trying to send the messages and finally the connection is
reset at TCP level.

System information:
Linux CentOS 5.5
Kernel 2.6.18-238.5.1.el5
Postfix (just in case)
  mail_version = 2.3.3

plus mandatory postconf -n output, so I can be put to public shame :)
address_verify_map = btree:/var/spool/postfix/verify
address_verify_relayhost =
address_verify_transport_maps =
hash:/etc/postfix/address_verify_transport_maps
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = /usr/share/doc/postfix-2.2.3-documentation/html
mail_owner = postfix
mailbox_size_limit = 104857600
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
masquerade_exceptions = root, postfix
message_size_limit = 104857600
mydestination = $myhostname
mydomain = melilla.es
mynetworks = 127.0.0.0/8, 172.16.0.0/16, 10.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.3-documentation/readme
relay_domains = some.domain
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
 reject_unauth_pipelining
 check_client_access hash:/etc/postfix/cliacc
 reject_rbl_client cbl.abuseat.org
 reject_rbl_client zen.spamhaus.org
 reject_rbl_client zombie.dnsbl.sorbs.net
 permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
 permit_mynetworks
 check_client_access hash:/etc/postfix/heloacc
 reject_non_fqdn_hostname
 reject_invalid_hostname
 permit
smtpd_recipient_restrictions =
 reject_unknown_recipient_domain,
 reject_non_fqdn_recipient,
 reject_unauth_pipelining,
 hash:/etc/postfix/check_rec_address
 permit_mynetworks,
 reject_unauth_destination
smtpd_sender_restrictions =
 permit_mynetworks,
 check_sender_access,
 hash:/etc/postfix/access,
 reject_unknown_sender_domain,
 reject_non_fqdn_sender,
 reject_unauth_pipelining,
 permit
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
unverified_recipient_reject_code = 550

Thanks all
-- 
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
- -
A: Yes.
> > Q: Are you sure ?
>> >> A: Because it reverses the logical flow of conversation.
>>> >>> Q: Why is top posting annoying in email ?


Re: Big messages stuck in queue (semi-off topic)

2011-04-13 Thread Kenneth Marshall
On Wed, Apr 13, 2011 at 04:30:17PM +0200, Victoriano Giralt wrote:
> We already know it is not Postfix's fault, as the reason lies at the
> network level, but I'm writing to the list in the hope that someone
> might have seen this behaviour, as I have been thrashing over Google
> finding nothing useful.
> 
> Symptom:
> Big (>1736267 bytes) messages are stuck in the queue with this errors:
> 
> Apr 13 16:06:04 rusadir postfix/smtp[3026]: 15EA5196117: to=,
> relay=system.domain[ad.dr.es.s]:25, delay=15246,
> delays=15200/1.2/44/1.1, dsn=4.4.2, status=deferred (lost connection
> with system.domain[ad.dr.es.s] while sending message body)
> 

This system does not exist. This looks fabricated. Post the actual
logs and maybe someone will have an idea. Otherwise, you could try
searching the mailing list archives for the error message to point
to things to investigate.

Cheers,
Ken


Re: Big messages stuck in queue (semi-off topic)

2011-04-13 Thread Victoriano Giralt
On 13/04/11 16:40, Kenneth Marshall wrote:
> This system does not exist. This looks fabricated. Post the actual
Sure it does not exist. It is the only part of the log entry that has
been purposefully altered to protect information that is considered
private and is not relevant to the case, which has been considered
accepted practice for a long time. If you so prefer, we can write it as:

Apr 13 16:06:04 rusadir postfix/smtp[3026]: 15EA5196117:
to=,relay=mta.example.com[10.10.10.10]:25,
delay=15246,delays=15200/1.2/44/1.1, dsn=4.4.2, status=deferred (lost
connection with mta.example.com[10.10.10.10] while sending message body)

Cheers, Vic
- -- 
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
- -
A: Yes.
> > Q: Are you sure ?
>> >> A: Because it reverses the logical flow of conversation.
>>> >>> Q: Why is top posting annoying in email ?


Re: Big messages stuck in queue (semi-off topic)

2011-04-13 Thread Wietse Venema
Victoriano Giralt:
> Wireshark shows "TCP window full" several times while Postfix is
> dutifully trying to send the messages and finally the connection is
> reset at TCP level.

This may be the infamous window scaling problem. See below for
workaround.

Wietse

POSTCONF(5)                                                        POSTCONF(5)
...
tcp_windowsize (default: 0)
   An optional workaround for  routers  that  break  TCP  window  scaling.
   Specify  a  value > 0 and < 65536 to enable this feature.  With Postfix
   TCP servers (smtpd(8), qmqpd(8)), this feature is  implemented  by  the
   Postfix master(8) daemon.

   To  change  this  parameter without stopping Postfix, [steps deleted]

   If you skip these  steps  with  a  running  Postfix  system,  then  the
   tcp_windowsize  change will work only for Postfix TCP clients (smtp(8),
   lmtp(8)).

   This feature is available in Postfix 2.6 and later.



Re: email delivery delay : fatal: shared lock active

2011-04-13 Thread Zozime Rakotondrazafy
Just to add a bit but important information: postfix is run with mailboxes 
(maildir) on GFS (cluster environment).
After some tweaks with the cluster configuration, test with ping_pong gives a 
performance of 2000locks/s, I wonder if it's enough for postfix with a system 
of 5000+ user mailboxes...

Zozime


--- On Mon, 4/11/11, Wietse Venema  wrote:

> From: Wietse Venema 
> Subject: Re: email delivery delay : fatal: shared lock active
> To: "Postfix users" 
> Date: Monday, April 11, 2011, 4:35 PM
> Zozime Rakotondrazafy:
> > Hello there,
> >
> > We have been facing this problem for a few weeks and could not find
> > the right solution yet... One of our customers' system is experiencing
> > a persistent email delivery delay (either for local or outside
> > recipients) and after making multiple changes to postfix settings,
> > we keep on having the same error messages in the log: "fatal:
> > shared lock active".
>
> No, the error message is:
>
>     fatal: shared lock active/9978637B4A
>
> Where active/9978637B4A is the relative pathname of the queue file.
>
> > Mar 30 07:51:30 mailserver postfix/local[24516]: fatal: shared lock active/9978637B4A: Resource temporarily unavailable
> > Mar 30 07:51:30 mailserver postfix/local[24519]: 9978637B4A: to=, relay=local, delay=0.26,
> > Mar 30 07:51:30 mailserver postfix/local[26515]: 9978637B4A: to=, relay=local, delay=0.27,
>
> Process 26515 got a shared lock, process 24516 got no lock, and
> process 24519 got a shared lock.
>
> Check your kernel parameters.  Perhaps your OS has a very limited
> number of locks available. This may be the result of very cheap
> shared hosting.
>
>     Wietse


Re: Postfix Multi and Sendmail

2011-04-13 Thread Noel Jones

On 4/13/2011 8:40 AM, Jon Cutting wrote:

-Original message-
To: postfix-users@postfix.org;
From:   Noel Jones
Sent:   Wed 13-04-2011 14:15
Subject:Re: Postfix Multi and Sendmail

On 4/13/2011 7:58 AM, Jon Cutting wrote:

I've set up a server that uses postmulti for multiple companies so that I can
configure a milter to a different archiving solution for each, and I'd like to
add the possibility to add a disclaimer.

Normally I'd use altermime as a content filter that puts the mail back into
the queue with the sendmail command. In the case of multiple postfix instances,
I don't seem to be able to find a way to specify which queue to put the mail
back into. I'd like the mail to return to the postfix instance from which it
originated (I.e. if postfix-1031 handed the mail off to the content filter I'd
like to be able to specify that it is put back into postfix-1031's pickup queue
with sendmail).


Is there a way to achieve this?

Many thanks,

Jonathan


Forward the mail via SMTP by using mini_sendmail as a
replacement for sendmail.  Specify the destination port with
the mini_sendmail -pPORT option.

http://acme.com/software/mini_sendmail/
or in most OS packaging systems.


-- Noel Jones



Many thanks for the suggestion Noel. I may run into another problem if I send 
it back via SMTP though as my content filter is defined on the smtpd process 
and I may create a loop.


Wietse already gave you a solution using "sendmail -C config", 
but for completeness I'll answer that you prevent looping by 
using a second smtpd listener with "-o content_filter=" as in 
the Advanced Content Filter examples.



  -- Noel Jones


Re: email delivery delay : fatal: shared lock active

2011-04-13 Thread Wietse Venema
Wietse:
> No, the error message is:
> 
>     fatal: shared lock active/9978637B4A
> 
> Where active/9978637B4A is the relative pathname of the
> queue file.
> 
> > Mar 30 07:51:30 mailserver postfix/local[24516]:
> fatal: shared lock active/9978637B4A: Resource temporarily
> unavailable
> > Mar 30 07:51:30 mailserver postfix/local[24519]:
> 9978637B4A: to=,
> relay=local, delay=0.26, 
> > Mar 30 07:51:30 mailserver postfix/local[26515]:
> 9978637B4A: to=,
> relay=local, delay=0.27, 
> 
> Process 26515 got a shared lock, process 24516 got no lock, and
> process 24519 got a shared lock.
>
> Check your kernel parameters. Perhaps your OS has a very limited
> number of locks available. This may be the result of very cheap
> shared hosting.

Zozime Rakotondrazafy:
> Just to add a bit but important information: postfix is run with
> mailboxes (maildir) on GFS (cluster environment).  After some
> tweaks with the cluster configuration, test with ping_pong gives
> a performance of 2000locks/s, I wonder if it's enough for postfix
> with a system of 5000+ user mailboxes...

Now, you should test SHARED locks on the SAME FILE.

Wietse


amavis / emails in queue?

2011-04-13 Thread Bailey, Damian S.
Hey all,

Troubling question.

I made some changes to our SA tagging / blocking score this morning,
then restarted amavis.  I had emails piling up in queue just now, like
so:

I did a sudo /etc/init.d/amavis restart

And by the time I could run sudo qshape -s, the queue came up clear.

Were these mails stuck in amavis, there were now dropped?

I'm not very familiar with amavis, so I'm unsure what logs to check.  My
mail.log showed (queue active) on all mail ...emails were eventually
getting through, just severely delayed.

Thanks for any help.

Damian Bailey | baile...@lcps.k12.va.us
Lead Technician | LCPS Technology
540.894.4373x8220
Shipping Address:
Louisa County Public Schools
953 Davis Hwy
Mineral VA 23117

Re: amavis / emails in queue?

2011-04-13 Thread aly . khimji
You might want to up the verbose log level in the amavisd.conf, and check your 
maillog to see if amavisd its having
(example: connecting to sql if u have it back ended that way). I know the 
regular log level sometimes isn't enough.

Might be a good place to start.

HTH

Aly

Sent from my BlackBerry device on the Rogers Wireless Network


Re: Big messages stuck in queue (semi-off topic)

2011-04-13 Thread Victoriano Giralt
On 13/04/11 17:16, Wietse Venema wrote:
> Victoriano Giralt:
>> Wireshark shows "TCP window full" several times while Postfix is
>> dutifully trying to send the messages and finally the connection is
>> reset at TCP level.
> 
> This may be the infamous window scaling problem. See below for
> workaround.
Thank you Wietse. No joy :(

I've upgraded to 2.8.2 and set tcp_windowsize following Postfix
documentation. I've fully stopped Postfix, verified by a process list,
and started again. The symptoms persist :(

Anyhow, I'll pass the information on to the networking team in case
there have been any recent changes on the routers.

- -- 
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
- -
A: Yes.
> > Q: Are you sure ?
>> >> A: Because it reverses the logical flow of conversation.
>>> >>> Q: Why is top posting annoying in email ?


Re: Postfix (from and name)

2011-04-13 Thread Reinaldo de Carvalho
2011/4/13 Márcio Luciano Donada :
> Hi,
> Got an interesting case today and would like to share an idea with you. IN
> case the link [1]. what happens is that from has a name but that name is an
> e-mail has just passed and another staff automatically is not really from.
> Is there a way to be blocking email like this?
>
> [1]. http://paste.ubuntu.com/593564/
>

Nothing wrong with this message. Don't blame headers (like From:); this
is not parsed by Postfix. Postfix enforces the SMTP protocol (RFC5323)
and mandatory headers and syntax from Internet Message Format
(RFC5322) and does not require that MAIL FROM (SMTP Protocol) is equal to
From: (IMF).

To parse headers you need an external integrated by milter or content filter.

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"While not fully understand a software, don't try to adapt this
software to the way you work, but rather yourself to the way the
software works" (myself)


Re: Big messages stuck in queue (semi-off topic)

2011-04-13 Thread Wietse Venema
Victoriano Giralt:
-- Start of PGP signed section.
> On 13/04/11 17:16, Wietse Venema wrote:
> > Victoriano Giralt:
> >> Wireshark shows "TCP window full" several times while Postfix is
> >> dutifully trying to send the messages and finally the connection is
> >> reset at TCP level.
> > 
> > This may be the infamous window scaling problem. See below for
> > workaround.
> Thank you Wietse. No joy :(
> 
> I've upgraded to 2.8.2 and set tcp_windowsize following Postfix
> documentation. I've fully stopped Postfix, verified by a process list,
> and started again. The symptoms persist :(
> 
> Anyhow, I'll pass the information on to the networking team in case
> there have been any recent changes on the routers.

A tcpdump trace will make clear if this is window scaling or
something else.  There have been several trace analyses on the
mailing list over the past several years.

Wietse


RE: amavis / emails in queue?

2011-04-13 Thread Bailey, Damian S.
Aly,

Thanks for the reply.  I wonder if my restart of amavis did it - I used:

"service amavis restart"

This morning after changing my config files.  Recently, I did:

sudo /etc/init.d/amavis restart

The problem seemed to clear up at that point.  I don't know that there's
a difference, but I'm not 100% into linux / Ubuntu yet.

Damian Bailey | baile...@lcps.k12.va.us
Lead Technician | LCPS Technology
540.894.4373x8220
Shipping Address:
Louisa County Public Schools
953 Davis Hwy
Mineral VA 23117


Re: amavis / emails in queue?

2011-04-13 Thread Noel Jones

On 4/13/2011 11:05 AM, Bailey, Damian S. wrote:

Hey all,

Troubling question.

I made some changes to our SA tagging / blocking score this
morning, then restarted amavis. I had emails piling up in
queue just now, like so:

I did a sudo /etc/init.d/amavis restart

And by the time I could run sudo qshape –s, the queue came up
clear.

Were these mails stuck in amavis, there were now dropped?


Amavis doesn't queue mail, so mail can't be "stuck in amavis". 
  Mail may have been in the postfix queue waiting for amavis, 
but qshape doesn't show the next-hop, just the final 
destination.  Amavis doesn't drop mail (except for 
spam/viruses when you've set D_DISCARD), so the mail was most 
likely delivered or possibly bounced to the sender.


At any rate, postfix does the delivery, so disposition should 
be in the postfix log.



  -- Noel Jones



Re: amavis / emails in queue?

2011-04-13 Thread Jeroen Geilman




On 04/13/2011 06:05 PM, Bailey, Damian S. wrote:

  Hey all,

  Troubling question.

  I made some changes to our SA tagging / blocking score this
  morning, then restarted amavis.  I had emails piling up in queue just
  now, like so:

  I did a sudo /etc/init.d/amavis restart

  And by the time I could run sudo qshape –s, the queue came up clear.

  Were these mails stuck in amavis, there were now dropped?


No, they were being deferred by the large ESPs (gmail, hotmail et al)
as evidenced by the qshape output.

These events are all logged by postfix.


-- 
J.





Re: Postfix (from and name)

2011-04-13 Thread Jeroen Geilman

On 04/13/2011 03:40 PM, Márcio Luciano Donada wrote:

Hi,
Got an interesting case today and would like to share an idea with 
you. IN case the link [1]. what happens is that from has a name but 
that name is an e-mail has just passed and another staff automatically 
is not really from. Is there a way to be blocking email like this?

Not natively.
Postfix implements the SMTP protocol, as specified in RFC 5321.
It accepts and produces messages in standard internet message format, as 
defined in RFC 5322.


Neither mandates that the envelope sender must bear any resemblance to 
the From: header in the message, and there are many cases where this is 
undesirable.


That said, there are plenty of options to apply external processing to 
messages, such as milters, content filters, and policy daemons.


One or more of those will surely allow you to match the From: header to 
the sender address.




[1]. http://paste.ubuntu.com/593564/


Please don't do that - it's annoying to have to reference something 
off-list when answering a (potentially simple) question.


Just follow the instructions for help as shown in the welcome message 
you received when you subscribed to this list, repeated here:


http://www.postfix.org/DEBUG_README.html#mail


With regards to your question:

envelope-from=advbacaltc...@terra.com.br; helo=MGMSP02;
From: "jferre...@mgmoperadora.com.br"

They *are* identical.
The friendly name is ignored/irrelevant, as long as there is also a 
valid address.


If you want to force the /friendly name/ to the sender address that's 
*also* in the From: header - remove it, so that:


From: "jferre...@mgmoperadora.com.br"

becomes:

From:


But this has limited practical use.

Any decent mail client knows the difference and will indicate which part 
is the name, and which part is the address.


--
J.
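
The comparison discussed in this message, as an added example that is not part of the original post or of Postfix: a check that a content filter or milter could run on each message, reporting when the From: display name is itself an address that differs from the address the header carries. The function name, finding labels and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Loose pattern: enough to spot an address used as a display name.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def _decode(text):
    """Decode RFC 2047 encoded words; fall back to the raw text."""
    try:
        return str(make_header(decode_header(text)))
    except (LookupError, UnicodeError, ValueError):
        return text


def check_from(raw_message, envelope_sender):
    """Return a list of findings for one message (empty list: nothing to report)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("From", [])
    if len(headers) != 1:
        return ["from-header-count:%d" % len(headers)]
    display, addr = parseaddr(str(headers[0]))
    if "@" not in addr:
        return ["from-unparseable"]
    addr = addr.lower()
    findings = []
    # Informational only: the envelope sender and From: may legitimately
    # differ (mailing lists, forwarders), as the message above points out.
    if envelope_sender and envelope_sender.lower() != addr:
        findings.append("envelope-differs:%s" % envelope_sender.lower())
    # The case from the thread: the display name is itself an address,
    # and it is not the address the header actually carries.
    for shown in ADDR_IN_TEXT.findall(_decode(display)):
        if shown.lower() != addr:
            findings.append("display-name-address:%s" % shown.lower())
    return findings


# Constructed sample messages: (envelope sender, raw message).
SAMPLES = {
    "name_is_other_address": (
        "sender@example.net",
        'From: "someone.else@example.org" <sender@example.net>\n'
        "Subject: test\n\nbody\n",
    ),
    "plain": (
        "alice@example.com",
        'From: "Alice Example" <alice@example.com>\nSubject: test\n\nbody\n',
    ),
    "list_traffic": (
        "bounces@lists.example.com",
        "From: Alice <alice@example.com>\nSubject: test\n\nbody\n",
    ),
    "encoded_name": (
        "x@example.net",
        "From: =?utf-8?B?Ym9zc0BleGFtcGxlLm9yZw==?= <x@example.net>\n"
        "Subject: test\n\nbody\n",
    ),
    "two_from_headers": (
        "a@example.com",
        "From: a@example.com\nFrom: b@example.com\nSubject: test\n\nbody\n",
    ),
}

if __name__ == "__main__":
    for name, (sender, raw) in SAMPLES.items():
        print(name, check_from(raw, sender))
```
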



Re: Nulls not being stripped from incoming mail

2011-04-13 Thread Jeroen Geilman

On 04/13/2011 07:43 AM, Rich Wales wrote:

Thanks, Jeroen, for your critique of my master.cf file.

Per your suggestions, I'm removing the no_header_body_checks from my
smtp configuration.  I'm also moving the smtpd_recipient_restrictions
into my main.cf, and making sure it's overridden as needed for all
other parts of my master.cf file.

Doing this appears to have resolved my original problem with unwanted
nulls in incoming mail.  I know the real solution is for Google to
clean up their mail system, but . . . .

I'll also make it a project to clean up superfluous stuff in master.cf,
though I plan to go slow and make sure I don't break anything.

Thanks again.

Rich Wales
ri...@richw.org
   

You're welcome; glad to hear it's working properly now.


--
J.



Re: Occasional email rejections with no shown explanation

2011-04-13 Thread Jeroen Geilman

On 04/12/2011 08:09 PM, Eric Cunningham wrote:
Hi, on occasion, I'm noting rejected emails without any specific 
reason logged.  Without a reason, it's hard to pinpoint a fix to allow 
legit emails through.  Here's an example from my mail log:



Apr 12 13:15:10 postal2 postfix/smtpd[22543]: connect from 
hsarelay1t.mail.mylife.com[216.52.223.210]
Apr 12 13:15:10 postal2 postfix/smtpd[22543]: NOQUEUE: reject: RCPT 
from hsarelay1t.mail.mylife.com[216.52.223.210]: 554 5.7.1 
: Sender address rejected: Access denied; 
from= to= proto=ESMTP 
helo=
Apr 12 13:15:10 postal2 postfix/smtpd[22543]: disconnect from 
hsarelay1t.mail.mylife.com[216.52.223.210]


I would like to allow emails from this particular sender but have not 
been able to do so though the usual allowances in my 
smtpd_recipient_restrictions.


You're not showing any of these restrictions.

Include the contents of all these access maps, and, specifically, the 
definition of your restriction class (postconf does not output 
non-standard settings.)



  The recipient address is legit and working for other senders.  Any 
ideas as to what could cause this?


You're matching and rejecting the *sender* address /somewhere/.


--
J.



Re: amavis / emails in queue?

2011-04-13 Thread Noel Jones

On 4/13/2011 1:02 PM, Jeroen Geilman wrote:

On 04/13/2011 06:05 PM, Bailey, Damian S. wrote:


Hey all,

Troubling question.

I made some changes to our SA tagging / blocking score this
morning, then restarted amavis. I had emails piling up in
queue just now, like so:

I did a sudo /etc/init.d/amavis restart

And by the time I could run sudo qshape –s, the queue came
up clear.

Were these mails stuck in amavis, there were now dropped?



No, they were being deferred by the large ESPs (gmail, hotmail
et al) as evidenced by the qshape output.


The qshape output shows the final destination, not the next 
hop.  So it's speculation whether these messages are delayed 
waiting for the content filter or by the destination; qshape 
output is identical in either case.


One good reason to use multiple postfix instances is to make 
it clear where mail is waiting.


You can get part way there with the traditional one instance 
by using "-o syslog_name=some_tag" on the various master.cf 
listeners and transports.



These events are all logged by postfix.


Yes, the logs will show where the delay is.




  -- Noel Jones
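
Reading the delay out of the logs, as an added example that is not part of the original post: a parser for Postfix delivery log lines that groups them by syslog tag and relay and reports which of the four `delays=` stages (time before the queue manager, time in the queue manager, connection setup, message transmission) dominates. The log lines are constructed; the tags `postfix-in` and `postfix-out` and the filter relay on port 10024 are assumed values.

```python
import re
from collections import defaultdict

# delays=a/b/c/d in Postfix delivery records
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

DELIVERY = re.compile(
    r"\s(?P<tag>[\w.-]+)/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<(?P<rcpt>[^>]*)>,.*?relay=(?P<relay>[^,]+), "
    r"delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)


def parse_delivery(line):
    """Return a dict for a delivery record, or None for any other log line."""
    m = DELIVERY.search(line)
    if not m:
        return None
    parts = m.group("delays").split("/")
    if len(parts) != 4:
        return None
    rec = m.groupdict()
    try:
        rec["delay"] = float(rec["delay"])
        rec["delays"] = dict(zip(STAGES, (float(p) for p in parts)))
    except ValueError:
        return None
    return rec


def summarize(lines):
    """Group deliveries by (syslog tag, relay) and name the slowest stage."""
    groups = defaultdict(
        lambda: {"count": 0, "deferred": 0, "totals": dict.fromkeys(STAGES, 0.0)}
    )
    for line in lines:
        rec = parse_delivery(line)
        if rec is None:
            continue
        group = groups[(rec["tag"], rec["relay"])]
        group["count"] += 1
        group["deferred"] += rec["status"] == "deferred"
        for stage, seconds in rec["delays"].items():
            group["totals"][stage] += seconds
    for group in groups.values():
        group["slowest"] = max(STAGES, key=group["totals"].get)
    return dict(groups)


# Constructed log lines (hosts, queue IDs and addresses are made up).
SAMPLE_LOG = [
    "Apr 13 12:01:10 mx1 postfix-in/smtp[2101]: 3F2A1C0012: to=<user1@example.com>, "
    "relay=127.0.0.1[127.0.0.1]:10024, delay=312, delays=0.4/305/0.1/6.5, "
    "dsn=2.0.0, status=sent (250 2.0.0 Ok)",
    "Apr 13 12:01:12 mx1 postfix-out/smtp[2140]: 7B9D2C0034: to=<user2@example.org>, "
    "relay=mx.example.org[192.0.2.25]:25, delay=15246, delays=15200/1.2/44/1.1, "
    "dsn=4.4.2, status=deferred (lost connection with mx.example.org[192.0.2.25] "
    "while sending message body)",
    "Apr 13 12:01:13 mx1 postfix-in/smtp[2102]: 4C1E9C0056: to=<user3@example.com>, "
    "relay=127.0.0.1[127.0.0.1]:10024, delay=297, delays=0.2/290/0.1/7.0, "
    "dsn=2.0.0, status=sent (250 2.0.0 Ok)",
    "Apr 13 12:01:13 mx1 postfix-in/smtpd[2099]: connect from "
    "client.example.net[198.51.100.7]",
]

if __name__ == "__main__":
    for (tag, relay), info in summarize(SAMPLE_LOG).items():
        print(tag, relay, info["count"], info["deferred"], info["slowest"])
```
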



Re: Filtering spam received from multiple users

2011-04-13 Thread Stan Hoeppner
Noel Jones put forth on 4/13/2011 7:38 AM:

> Repeat 100 times:
> The client is marked "unknown" if *any* of the three tests fail.

Got it.  Thanks for clarifying this Noel, and Sahil.  The postconf
documentation covers both reject parameters, but it doesn't explain the
criteria used to decide when "unknown" is placed in the Received:
header.  This is why I made the error.

> Your advice that reject_unknown_reverse_client_hostname will reject this
> host is incorrect.  While that restriction is useful and safe for most
> sites, it will probably not reject this particular client, which has
> rDNS but no hostname->address mapping.

And if you noticed in my original response, I listed 2 other better
methods to block spam from this example, and similar, hosts.  That fact
should not be lost in this noise.

-- 
Stan


RE: SASL Authentication and debugging..

2011-04-13 Thread Simon Brereton
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Simon Brereton
 
> I turned up mysql logging and did another test - and no query
> appeared in the mysql log!  In an effort to prove to myself, I did an
> imap login attempt (which also uses mysql) and the query appears in
> the mysql log.  It looks to me as if SASL isn't talking to mysql (but
> then I had the same impression it wasn't listening to the imap server
> when I tried rimap too).


It would help to have the sasl mysql libraries installed!  Doh.

So, if saslauth won't work, no matter what you do - debug with sasldb and if 
that works out of the box you probably don't have the library installed.

Simon




Re: Filtering spam received from multiple users

2011-04-13 Thread Noel Jones

On 4/13/2011 5:07 PM, Stan Hoeppner wrote:

Noel Jones put forth on 4/13/2011 7:38 AM:


Repeat 100 times:
The client is marked "unknown" if *any* of the three tests fail.


Got it.  Thanks for clarifying this Noel, and Sahil.  The postconf
documentation covers both reject parameters, but it doesn't explain the
criteria used to decide when "unknown" is placed in the Received:
header.  This is why I made the error.


The criteria to label a client "unknown" is here:
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname 

although it doesn't specifically say so, the same criteria is 
used for Received: headers, logging, policy services, access 
tables, and anywhere else postfix uses a verified hostname.


All client hostnames used in postfix are verified unless the 
docs for an individual feature specifically say otherwise.



  -- Noel Jones