Re: rejecting long subject strings with pcre header checks

2011-04-29 Thread Ansgar Wiechers
On 2011-04-29 Troy Piggins wrote:
> Check out Victor's reply to my message.  He explains the reason, but
> I was finding the same as you.  This works fine so far:
> 
> if /^Subject:/
> if !/=\?\S+\?=(\s|$)/
> /\S{60}/ REJECT no spaces
> endif
> endif

For the sake of simplicity:

if /^subject: +\S{60}/
!/=\?\S+\?=\s*$/ REJECT no spaces
endif

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: odd mail headers in spam

2011-04-29 Thread Jeroen Geilman

On 04/28/2011 11:47 PM, Gábor Lénárt wrote:

> Hi,
>
> Recently I noticed that I have mails with mail headers like this:
>
> Received: perfectly normal things
>   can be seen here
>   because it's already our system
> Received: from [109.91.80.133] (HELO VKYNBXL)
>  by moln-51ca578dee (8.14.3/8.14.3)  with SMTP id 39875026 for
>   dma...@xx.xx; Thu,
>   28 Apr 2011 12:18:23 +0100Message-ID:
>   <01cc058d9b29143085505b6d@moln51ca578
>   dee>From:
>   "Lakia Kerry"To: dmason@xx.xxSubject:
>   V!arga porfessional - first sSDate: Thu,
>   28 Apr 2011 12:18:23 +0100MIME-Version: 1.0Content-Type:
>   multipart/alternative;
>  boundary="=_NextPart_000__01CC058D.9B291430"X-Priority:
>   3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express
>   6.00.2900.2075X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3529This
>   is
>   a multi-part message in MIME
>   format.--=_NextPart_000__01CC058D.9B291430Content-Type: text/plain;
>  charset="us-ascii"Content-Transfer-Encoding:
>
> quoted-printableon=20the=20blocks=20meaning=20of=20the=20first=20two=20verses=2
>   0is=20that=20heaven=20and=20earth=20=20http=

   


With this formatting it is impossible to see what is original and what 
is format fail.



> I noticed, because some of them are "stuck" in the queue so I checked them
> with postcat.
>
> It seems there are tons of spams like this (I checked some similar
> happenings, the content itself was about viagra and such), and I am very
> curious what can cause this: as you can see the intended headers created by
> the spammer (after those - in smtp hops "after" I meant - headers are OK for
> sure) are somehow missing line breaks, so almost everything seems to be given
> as one Received: header.  Since it can't be the goal of the spammer, it's
> really interesting what caused this. Maybe it's a stupid spam botnet, or so,
> with major problems implementing SMTP and its friends? :)

   


And if so, who cares ?
What did Postfix do with these messages ?
Since they may not be RFC-correct, they're either getting these headers 
fixed or they're being rejected.


Either way, postfix will refuse to pass on bad RFC822 messages (with a 
few caveats, but by and large, people have to write proper email).



> Anyway, the important part, and maybe a more important question as well:
> what do you think if I use a header_check which tries to filter out these
> kind of "things come as one Received: header line for some reason"? What
> would be the best way for that? Currently I am trying with:
>
> /^Received: .*Message-ID:.*From:.*To:/ REJECT Message content seems to be spam.
>
> in header_checks pcre table.

   


Does it work ?

--
J.



Re: Smarthost as backup transport if direct sending fails?

2011-04-29 Thread Jeroen Geilman

On 04/29/2011 08:02 AM, Rich Wales wrote:

> I have a choice between sending out mail directly from my server to
> a message's destination (MX host), or sending mail via my domain's
> web hosting service.  (Yes, my ISP really does allow me to connect
> to any SMTP server, and I have a static IP address that isn't currently
> listed in the Spamhaus PBL or other realtime blacklists.)
>
> What I would like to do is to try first to send any outbound mail
> directly to the destination -- but if that fails due to a blacklist
> problem (i.e., if the destination doesn't like my mail server), then
> I want to fall back to sending via my web hosting service's smarthost.
   


If what happens - the destination REJECTs your message ?
Postfix will not try another route if that happens; any 5xx status is 
final, and the message will be bounced.
You can set soft_bounce to retry 5xx errors, but this has a much wider 
impact than just what you want to achieve.




> The reason I don't want to just send everything out via the smarthost
> is that my web hosting service's servers occasionally get blacklisted
> because of spam generated by other customers (not me).  Hopefully I
> can avoid being penalized for someone else's misdeeds by sending out
> mail directly from my server to the destination.  But I've run into
> one ISP (AT&T) which has somehow gotten my local server's IP address
> in its blacklist -- and if I'm unable to convince them to delist me,
> or if this sort of thing happens again sometime, I want Postfix to
> automatically try "Plan B".
>
> In general, is there any way to do what I want?

   


Certainly:
- contact AT&T to get your IP unlisted
- make sure your sending machine has proper forward confirmed reverse DNS:
http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS

Unless you're really sending spam or other large amounts of dubious 
content, a mail server in a proper datacenter (i.e. with a 
non-residential IP) with proper fcrDNS isn't blacklisted that easily.



--
J.



Re: valid syntax smtpd_recipient_restrictions = check_sender_access ?

2011-04-29 Thread Jeroen Geilman

On 04/29/2011 05:34 AM, Jurvis LaSalle wrote:

> In the docs here: http://www.postfix.org/RESTRICTION_CLASS_README.html#external
>
> /etc/postfix/main.cf:
>     smtpd_recipient_restrictions =
>         check_sender_access hash:/etc/postfix/restricted_senders
>         ...other stuff...
>
> Is this a typo or can you use check_sender_access with
> smtpd_recipient_restrictions?
   


All restrictions are valid where the documentation indicates they are valid.

The smtpd_mumble_restrictions are applied to different stages of the 
SMTP transaction: connect, HELO, mail from, rcpt to, data.


Since the sender address is known at the rcpt to stage, it is valid to 
check the sender at that point.

This allows one to do such things as:

smtpd_recipient_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/bad_senders, permit


If /etc/postfix/bad_senders contains the following:

bad_user    REJECT You're bad!

This means that that sender can send mail only when he connects from a 
client in $mynetworks.

From anywhere else he will be refused.

Postfix' access model allows enormous flexibility in what you accept or 
reject.



For simple setups it is often recommended to put all your restrictions 
in smtpd_recipient_restrictions for ease of maintenance, but as you can 
see the above could be made arbitrarily complex by putting different 
restrictions at different stages.




--
J.



Re: odd mail headers in spam

2011-04-29 Thread Gábor Lénárt
On Fri, Apr 29, 2011 at 11:12:43AM +0200, Jeroen Geilman wrote:
> >Received: perfectly normal things
> >  can be seen here
> >  because it's already our system
> >Received: from [109.91.80.133] (HELO VKYNBXL)
> > by moln-51ca578dee (8.14.3/8.14.3)  with SMTP id 39875026 for
> >  dma...@xx.xx; Thu,
> >  28 Apr 2011 12:18:23 +0100Message-ID:
> >  <01cc058d9b29143085505b6d@moln51ca578
> >  dee>From:
> >  "Lakia Kerry"To: dmason@xx.xxSubject:
> >  V!arga porfessional - first sSDate: Thu,
> >  28 Apr 2011 12:18:23 +0100MIME-Version: 1.0Content-Type:
> >  multipart/alternative;
> > boundary="=_NextPart_000__01CC058D.9B291430"X-Priority:
> >  3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express
> >  6.00.2900.2075X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3529This
> >  is
> >  a multi-part message in MIME
> >  format.--=_NextPart_000__01CC058D.9B291430Content-Type: text/plain;
> > charset="us-ascii"Content-Transfer-Encoding:
> >  
> > quoted-printableon=20the=20blocks=20meaning=20of=20the=20first=20two=20verses=2
> >  0is=20that=20heaven=20and=20earth=20=20http=
> >
> 
> With this formatting it is impossible to see what is original and
> what is format fail.

It's more or less the same as I've written, but the important part, that:

...To: dmason@xx.xxSubject:

headers seem to be written without valid CRLF (as far as I know it
should be the way), they are simply appended to each other without any
delimiter used. So, from the point of view of postfix, this madness is
interpreted as a single Received: line but with noticeable bogus content and
the reason is the lack of proper delimiters between the header lines the
sender (spammer) wanted to specify.

> >It seems there are tons of spams like this (I checked some similar
> >happenings, the content itself was about viagra and such), and I am very
> >curious what can cause this: as you can see the intended headers created by
> >the spammer (after those - in smtp hops "after" I meant - headers are OK for
> >sure) are somehow missing line breaks, so almost everything seems to be given
> >as one Received: header.  Since it can't be the goal of the spammer, it's
> >really interesting what caused this. Maybe it's a stupid spam botnet, or so,
> >with major problems implementing SMTP and its friends? :)
> >
> 
> And if so, who cares ?

me, being curious :) But anyway of course this is not the most important
question here.

> >/^Received: .*Message-ID:.*From:.*To:/ REJECT Message content seems to be 
> >spam.
> >
> >in header_checks pcre table.
> >
> 
> Does it work ?

It seems it does, I can see the rejected messages in the log because of that
rule. However I am interested in the opinion of more clever people here on
this issue, is it a good solution (or acceptable at least) at all?


- Gábor


Re: rejecting long subject strings with pcre header checks

2011-04-29 Thread Noel Jones

On 4/29/2011 12:27 AM, Voytek Eymont wrote:



On Fri, April 29, 2011 4:15 pm, Voytek Eymont wrote:


#grep "{40}/" header_checks
/^Subject: +[^[:space:]]{40}/  REJECT no spaces in subject


but I'm having a couple issues:



and I'm still getting some, is this that they have a 'CR' or several at
the start ?

-
From: Giulietta Gonano
To:
Subject:
  AdboeeAndCooerelDealls-BuyWith70%DiccsounttAndStartDownloaoadingRightAway
Date: Fri, 29 Apr 2011 02:55:52 +
Importance: Normal
In-Reply-To:
References:
  
,,
MIME-Version: 1.0
X-OriginalArrivalTime: 29 Apr 2011 02:55:52.0843 (UTC)
FILETIME=[F3EF4DB0:01CC0618]

=

From: Cammie Plasket
To:
Subject:
  
StaitstcicsSshowThatMenDon'TLiveeAsLongAssWommenAnddAreMoreAtRiiskOfAcciidents,Injuieres.
Date: Fri, 29 Apr 2011 02:15:50 +
Importance: Normal
In-Reply-To:


=






Try
/^Subject:[[:space:]]+[^[:space:]]{40}/  REJECT no spaces in subject



  -- Noel Jones


Re: odd mail headers in spam

2011-04-29 Thread Wietse Venema
Gábor Lénárt:
> > >/^Received: .*Message-ID:.*From:.*To:/ REJECT Message content seems to be 
> > >spam.
> > >
> > >in header_checks pcre table.

It is theoretically possible that Message-ID: etc. appear in a
Received: header inside () which are used for comments, but this
is unlikely.

There are protocols that list multiple message header labels in
one message header. One example is DKIM. Your rule won't match DKIM
headers, as DKIM prepends its own header label.

Wietse
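
The cases Wietse lists, as an added example that is not part of the original thread: Gábor's rule is run over constructed headers, with Python's `re` standing in for PCRE. Hosts, addresses and ids are placeholders, and the flags follow the Postfix pcre table defaults (case-insensitive, "." matches newline).

```python
import re

# Postfix pcre tables default to case-insensitive matching with "."
# matching newlines, so one pattern can span a folded (multi-line) header.
FLAGS = re.IGNORECASE | re.DOTALL

# The rule from the thread.
RULE = re.compile(r"^Received: .*Message-ID:.*From:.*To:", FLAGS)
# Same pattern without the "^Received: " anchor, for comparison only.
UNANCHORED = re.compile(r"Message-ID:.*From:.*To:", FLAGS)

# Constructed logical headers; every host, address and id is a placeholder.
HEADERS = {
    # An ordinary trace header.
    "normal_received": (
        "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
        "\tby mx.example.com (Postfix) with ESMTP id 4A1B2C3D\n"
        "\tfor <user@example.com>; Thu, 28 Apr 2011 12:18:23 +0100"
    ),
    # Sender's headers appended without line breaks, as in the reported spam.
    "run_together": (
        "Received: from [192.0.2.77] (HELO EXAMPLE)\n"
        " by host.invalid (8.14.3/8.14.3)  with SMTP id 1 for\n"
        "  user@example.com; Thu,\n"
        "  28 Apr 2011 12:18:23 +0100Message-ID:\n"
        "  <id@host.invalid>From:\n"
        '  "Some Sender"To: user@example.comSubject:\n'
        "  text"
    ),
    # A header that legitimately lists several header labels.
    "dkim_signature": (
        "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\n"
        "\th=Message-ID:From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER"
    ),
    # The theoretical case: labels inside a () comment of a Received: header.
    "labels_in_comment": (
        "Received: from relay.example.net (relay.example.net [192.0.2.20])\n"
        "\t(Message-ID: <x@example.net> From: a@example.net To: b@example.com)\n"
        "\tby mx.example.com (Postfix) with ESMTP id 5E6F7A8B"
    ),
}


def classify(headers=HEADERS):
    """Return {name: (rule_hits, unanchored_pattern_hits)}."""
    return {
        name: (bool(RULE.search(h)), bool(UNANCHORED.search(h)))
        for name, h in headers.items()
    }


if __name__ == "__main__":
    for name, (anchored, unanchored) in classify().items():
        print(f"{name:18} rule={anchored!s:5} without-anchor={unanchored}")
```

The DKIM header is only spared because the pattern is anchored at `^Received: `; the comment case is the one remaining false positive.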


Re: rejecting long subject strings with pcre header checks

2011-04-29 Thread Noel Jones

On 4/29/2011 6:17 AM, Noel Jones wrote:

On 4/29/2011 12:27 AM, Voytek Eymont wrote:



On Fri, April 29, 2011 4:15 pm, Voytek Eymont wrote:


#grep "{40}/" header_checks
/^Subject: +[^[:space:]]{40}/ REJECT no spaces in subject


but I'm having a couple issues:



and I'm still getting some, is this that they have a 'CR' or
several at
the start ?

-
From: Giulietta Gonano
To:
Subject:
AdboeeAndCooerelDealls-BuyWith70%DiccsounttAndStartDownloaoadingRightAway

Date: Fri, 29 Apr 2011 02:55:52 +
Importance: Normal
In-Reply-To:
References:
,,
MIME-Version: 1.0
X-OriginalArrivalTime: 29 Apr 2011 02:55:52.0843 (UTC)
FILETIME=[F3EF4DB0:01CC0618]

=

From: Cammie Plasket
To:
Subject:
StaitstcicsSshowThatMenDon'TLiveeAsLongAssWommenAnddAreMoreAtRiiskOfAcciidents,Injuieres.

Date: Fri, 29 Apr 2011 02:15:50 +
Importance: Normal
In-Reply-To:


=






Try
/^Subject:[[:space:]]+[^[:space:]]{40}/ REJECT no spaces in subject


-- Noel Jones


this is safer -- it shouldn't match valid encoded subjects.

IF !/=\?[^[:space:]]+\?=([[:space:]]|$)/
/[^[:space:]]{40}/ REJECT long subject with no spaces
ENDIF


  -- Noel Jones


Sender dependent issue

2011-04-29 Thread Dragan Zubac
Hello

I'm trying to achieve the following :

1. email arrives to lo...@domain.com ,should be delivered locally to
account local
2. email arrives from anyth...@anything.com to anyth...@domain.com
(excluding 'lo...@domain.com') ,the email should be forwarded to remote
smtp ([10.0.0.202]:52345) using user/pass from sasl_passwd file

Config files are :

/etc/postfix/main.cf

myhostname = mail2.routo-messaging.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = domain.com,localhost
relayhost =
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

***
/etc/postfix/virtual

lo...@domain.com local

***
/etc/postfix/sender_relay

anyth...@anything.com    [10.0.0.202]:52345

***

/etc/postfix/sasl_passwd

anyth...@anything.com    username:password

***

Is this setup possible ?

Sincerely

Dragan Zubac


Re: Sender dependent issue

2011-04-29 Thread Wietse Venema
Dragan Zubac:
> Hello
> 
> I'm trying to achieve the following :
> 
> 1. email arrives to lo...@domain.com ,should be delivered locally to
> account local

/etc/postfix/main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual
# DO NOT LIST domain.com IN VIRTUAL_ALIAS_DOMAINS
# DO NOT LIST domain.com IN VIRTUAL_MAILBOX_DOMAINS
# DO NOT LIST domain.com IN MYDESTINATION
mydestination = $myhostname localhost.$mydomain localhost ...

/etc/postfix/virtual:
lo...@domain.com    local@localhost

> 2. email arrives from anyth...@anything.com to anyth...@domain.com
> (excluding 'lo...@domain.com') ,the email should be forwarded to remote
> smtp ([10.0.0.202]:52345) using user/pass from sasl_passwd file

/etc/postfix/main.cf:
relayhost = [10.0.0.202]:52345

Wietse


New Version Postfix

2011-04-29 Thread Ravindra Gupta // Viva
Hi Team,

Please confirm the latest version of postfix.


Re: New Version Postfix

2011-04-29 Thread Reindl Harald


On 29.04.2011 15:09, Ravindra Gupta // Viva wrote:
> Hi Team,
> 
> Please confirm the latest version of postfix.

there is nothing to confirm
the download-page says 2.8.2

http://www.postfix.org/download.html






Malformed DNS server reply

2011-04-29 Thread Бак Микаел
Hi list,

I saw this in my logs:

Apr 29 14:58:08 mx postfix/smtpd[4880]: connect from
xxx.yyy.zzz[xxx.yyy.zzz.xxx]
Apr 29 14:58:09 mx postfix/smtpd[4880]: warning: valid_hostname: empty
hostname
Apr 29 14:58:09 mx postfix/smtpd[4880]: warning: malformed domain name
in resource data of MX record for somedomain.com:
Apr 29 14:58:09 mx postfix/smtpd[4880]: NOQUEUE: reject: RCPT from
xxx.yyy.zzz[xxx.yyy.zzz.xxx]: 450 4.1.8 : Sender
address rejected: Malformed DNS server reply; from=
to= proto=ESMTP helo=
Apr 29 14:58:09 mx postfix/smtpd[4880]: disconnect from
fxxx.yyy.zzz[xxx.yyy.zzz.xxx]

And:

$ host somedomain.com
somedomain.com has address yyy.zzz.xxx.yyy
somedomain.com mail is handled by 0 .

This looks like a Null MX record:
http://tools.ietf.org/html/draft-delany-nullmx-00

If the domain owner declares that this domain never sends or receives
email, then shouldn't postfix reject the above message with a permanent
error?

TIA,
Mikael Bak


Re: New Version Postfix

2011-04-29 Thread Ralf Hildebrandt
* Ravindra Gupta // Viva :
> Hi Team,
> 
> Please confirm the latest version of postfix.

Confirmed!


Re: New Version Postfix

2011-04-29 Thread Jerry
On Fri, 29 Apr 2011 18:39:45 +0530
Ravindra Gupta // Viva  articulated:

> Hi Team,
> 
> Please confirm the latest version of postfix.

Hi Ravindra,

Please check out: http://www.postfix.com/announcements.html

While you are at it, lose the HTML posting format style.

-- 
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html



Re: Malformed DNS server reply

2011-04-29 Thread Wietse Venema
> Hi list,
> 
> I saw this in my logs:
> 
> Apr 29 14:58:08 mx postfix/smtpd[4880]: connect from
> xxx.yyy.zzz[xxx.yyy.zzz.xxx]
> Apr 29 14:58:09 mx postfix/smtpd[4880]: warning: valid_hostname: empty
> hostname
> Apr 29 14:58:09 mx postfix/smtpd[4880]: warning: malformed domain name
> in resource data of MX record for somedomain.com:

There is no Internet RFC that says that an empty hostname is valid.
Postfix was not built by experimentation of "what works". Instead,
Postfix was built by looking at official email standards. Then, I
added hacks and workarounds for systems that don't play by the
rules.

> Apr 29 14:58:09 mx postfix/smtpd[4880]: NOQUEUE: reject: RCPT from
> xxx.yyy.zzz[xxx.yyy.zzz.xxx]: 450 4.1.8 : Sender
> address rejected: Malformed DNS server reply; from=
> to= proto=ESMTP helo=
> Apr 29 14:58:09 mx postfix/smtpd[4880]: disconnect from
> fxxx.yyy.zzz[xxx.yyy.zzz.xxx]
> 
> And:
> 
> $ host somedomain.com
> somedomain.com has address yyy.zzz.xxx.yyy
> somedomain.com mail is handled by 0 .
> 
> This looks like a Null MX record:
> http://tools.ietf.org/html/draft-delany-nullmx-00
> 
> If the domain owner declares that this domain never sends or receives
> email, then shouldn't postfix reject the above message with a permanent
> error?

Anyone can post a draft. That does not mean that they change
the rules of the Internet.  

The SMTP RFC says that the MX record specifies a hostname, and
there is no RFC that says an empty string is a valid hostname.

The warning message is an example of a workaround hack that I put
in for systems that don't supply valid hostnames in their MX records.

Wietse


Re: Malformed DNS server reply

2011-04-29 Thread Reindl Harald

On 29.04.2011 15:15, Бак Микаел wrote:
> Apr 29 14:58:08 mx postfix/smtpd[4880]: connect from
> xxx.yyy.zzz[xxx.yyy.zzz.xxx]
> Apr 29 14:58:09 mx postfix/smtpd[4880]: warning: valid_hostname: empty
> hostname
> Apr 29 14:58:09 mx postfix/smtpd[4880]: warning: malformed domain name
> in resource data of MX record for somedomain.com:
> Apr 29 14:58:09 mx postfix/smtpd[4880]: NOQUEUE: reject: RCPT from
> xxx.yyy.zzz[xxx.yyy.zzz.xxx]: 450 4.1.8 : Sender
> address rejected: Malformed DNS server reply; from=
> to= proto=ESMTP helo=
> Apr 29 14:58:09 mx postfix/smtpd[4880]: disconnect from
> fxxx.yyy.zzz[xxx.yyy.zzz.xxx]

normally i write a mail to the admin or abuse of the network
if the mail-config of them is totally broken if i see such
things in my logs, i know it will not heal the world but
maybe some ignorant admins wake up

> And:
> 
> $ host somedomain.com
> somedomain.com has address yyy.zzz.xxx.yyy
> somedomain.com mail is handled by 0 .
> 
> This looks like a Null MX record:
> http://tools.ietf.org/html/draft-delany-nullmx-00
> 
> If the domain owner declares that this domain never sends or receives
> email, then shouldn't postfix reject the above message with a permanent
> error?

as wietse said: this is a draft

the indication that the domain does not send mail should be
done in a SPF like the following, but this does not interest
postfix and is only a hint for spam-scoring

we do this automatically in our dns-backends while generating
zone-files for domains without mx-records

domain.tld. 7200 IN TXT "v=spf1 -all"





Re: Sender dependent issue

2011-04-29 Thread Dragan Zubac
Hello

Here're the changed config files :

/etc/postfix/main.cf

myhostname = mx.domain.com
myorigin = /etc/mailname
mailbox_command = procmail -a "$EXTENSION"

virtual_alias_maps = hash:/etc/postfix/virtual
mydestination = $myhostname localhost.$mydomain localhost $mydomain
relayhost = [10.0.0.202]:52345

smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

**

/etc/postfix/virtual

lo...@domain.com local@localhost

**

/etc/postfix/sender_relay

zubacdra...@gmail.com    [10.0.0.202]:52345

**

/etc/postfix/sasl_password

zubacdra...@gmail.com  username:password

**

Now I send one email to 'lo...@domain.com' and it get delivered :

Apr 29 14:46:54 mx postfix/smtpd[21720]: connect from
f2zubac.test.com[10.0.0.250]
Apr 29 14:46:54 mx postfix/smtpd[21720]: 3408B6A0065:
client=f2zubac.test.com[10.0.0.250]
Apr 29 14:46:54 mx postfix/cleanup[21724]: 3408B6A0065:
message-id=<4dbac12e.10...@test.com>
Apr 29 14:46:54 mx postfix/qmgr[21672]: 3408B6A0065:
from=, size=919, nrcpt=1 (queue active)
Apr 29 14:46:54 mx postfix/smtpd[21720]: disconnect from
f2zubac.test.com[10.0.0.250]
Apr 29 14:46:54 mx postfix/local[21725]: 3408B6A0065:
to=, orig_to=, relay=local,
delay=0.33, delays=0.26/0.01/0/0.06, dsn=2.0.0, status=sent (delivered
to command: procmail -a "$EXTENSION")
Apr 29 14:46:54 mx postfix/qmgr[21672]: 3408B6A0065: removed

one email to noex...@domain.com and get rejected as expected :

Apr 29 14:48:42 mx postfix/smtpd[22073]: connect from
f2zubac.test.com[10.0.0.250]
Apr 29 14:48:42 mx postfix/smtpd[22073]: NOQUEUE: reject: RCPT from
f2zubac.test.com[10.0.0.250]: 550 5.1.1 :
Recipient address rejected: User unknown in local recipient table;
from= to= proto=ESMTP
helo=
Apr 29 14:48:42 mx postfix/smtpd[22073]: disconnect from
f2zubac.test.com[10.0.0.250]

and now one email from 'zubacdra...@gmail.com' ,should be relayed to
[10.0.0.202]:52345:

Apr 29 14:50:41 mx postfix/smtpd[22394]: connect from
mail-fx0-f51.google.com[209.85.161.51]
Apr 29 14:50:41 mx postfix/smtpd[22394]: NOQUEUE: reject: RCPT from
mail-fx0-f51.google.com[209.85.161.51]: 550 5.1.1
: Recipient address rejected: User unknown
in local recipient table; from=
to= proto=ESMTP helo=
Apr 29 14:50:41 mx postfix/smtpd[22394]: disconnect from
mail-fx0-f51.google.com[209.85.161.51]

Shouldn't last email be forwarded to [10.0.0.202]:52345,since it is
specified in /etc/postfix/sender_relay ?


Sincerely

On 04/29/11 14:26, Wietse Venema wrote:
> Dragan Zubac:
>> Hello
>>
>> I'm trying to achieve the following :
>>
>> 1. email arrives to lo...@domain.com ,should be delivered locally to
>> account local
> /etc/postfix/main.cf:
> virtual_alias_maps = hash:/etc/postfix/virtual
> # DO NOT LIST domain.com IN VIRTUAL_ALIAS_DOMAINS
> # DO NOT LIST domain.com IN VIRTUAL_MAILBOX_DOMAINS
> # DO NOT LIST domain.com IN MYDESTINATION
> mydestination = $myhostname localhost.$mydomain localhost ...
>
> /etc/postfix/virtual:
> lo...@domain.com  local@localhost
>
>> 2. email arrives from anyth...@anything.com to anyth...@domain.com
>> (excluding 'lo...@domain.com') ,the email should be forwarded to remote
>> smtp ([10.0.0.202]:52345) using user/pass from sasl_passwd file
> /etc/postfix/main.cf:
> relayhost = [10.0.0.202]:52345
>
>   Wietse
>


Re: Sender dependent issue

2011-04-29 Thread Wietse Venema
Dragan Zubac:
> Apr 29 14:50:41 mx postfix/smtpd[22394]: NOQUEUE: reject: RCPT from
> mail-fx0-f51.google.com[209.85.161.51]: 550 5.1.1
> : Recipient address rejected: User unknown
> in local recipient table; from=

Don't list gmail in mydestination.

Wietse


Re: Sender dependent issue

2011-04-29 Thread Dragan Zubac
Hello

If you refer to parameter 'mydestination' in /etc/postfix/main.cf it
contains the following values :

mydestination = $myhostname localhost.$mydomain localhost $mydomain
myhostname = mx.domain.com

In which parameter have you spotted gmail listed as a parameter value ?

Sincerely

On 04/29/11 16:04, Wietse Venema wrote:
> Dragan Zubac:
>> Apr 29 14:50:41 mx postfix/smtpd[22394]: NOQUEUE: reject: RCPT from
>> mail-fx0-f51.google.com[209.85.161.51]: 550 5.1.1
>> : Recipient address rejected: User unknown
>> in local recipient table; from=
> Don't list gmail in mydestination.
>
>   Wietse
>


Re: Sender dependent issue

2011-04-29 Thread Wietse Venema
Dragan Zubac:
> On 04/29/11 16:04, Wietse Venema wrote:
> > Dragan Zubac:
> >> Apr 29 14:50:41 mx postfix/smtpd[22394]: NOQUEUE: reject: RCPT from
> >> mail-fx0-f51.google.com[209.85.161.51]: 550 5.1.1
> >> : Recipient address rejected: User unknown
> >> in local recipient table; from=
> > Don't list gmail in mydestination.

The trivial-rewrite server finds gmail.com in mydestination. Because
of this, the SMTP server requires that the user zubacdragan exists in
$local_recipient_maps.

Don't do that.

Wietse


Re: rejecting long subject strings with pcre header checks

2011-04-29 Thread Victor Duchovni
On Fri, Apr 29, 2011 at 09:30:32AM +0200, Ansgar Wiechers wrote:

> On 2011-04-29 Troy Piggins wrote:
> > Check out Victor's reply to my message.  He explains the reason, but
> > I was finding the same as you.  This works fine so far:
> > 
> > if /^Subject:/
> > if !/=\?\S+\?=(\s|$)/
> > /\S{60}/ REJECT no spaces
> > endif
> > endif
> 
> For the sake of simplicity:
> 
> if /^subject: +\S{60}/
> !/=\?\S+\?=\s*$/ REJECT no spaces
> endif

This is not completely equivalent, it will fail when RFC2047 is used to
encode a part of the subject, but unencoded text follows the encoded part.
Change the "\s*$" to "(?:\s|$)".

The rule I posted avoids firing on subjects that contain encoded strings
anywhere in the subject, not just at the end.

-- 
Viktor.
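
The difference Victor describes, together with the folded-Subject problem from Noel's replies earlier in the thread, as an added example that is not code from any of the posters. Python's `re` stands in for PCRE, `[[:space:]]` is written as `\s`, all headers are constructed, and it assumes a folded header reaches the table as one string with the line break still embedded.

```python
import re

I = re.IGNORECASE  # Postfix pcre tables match case-insensitively by default

RUN = "BuyNow" * 12                      # constructed: 72 characters, no spaces
ENC = "=?UTF-8?B?" + "QUJD" * 15 + "?="  # constructed RFC 2047 encoded-word, 72 chars

# Constructed logical headers.
HEADERS = {
    "plain_spam": "Subject: " + RUN,
    "folded_spam": "Subject:\n  " + RUN,            # text starts on the next line
    "encoded_only": "Subject: " + ENC,
    "encoded_then_text": "Subject: " + ENC + " minutes attached",
    "normal": "Subject: Minutes of the April meeting",
}


def troy_nested(h):
    # if /^Subject:/ ; if !/=\?\S+\?=(\s|$)/ ; /\S{60}/ REJECT
    if re.search(r"^Subject:", h, I):
        if not re.search(r"=\?\S+\?=(\s|$)", h, I):
            if re.search(r"\S{60}", h, I):
                return "REJECT"
    return None


def ansgar_simplified(h, tail=r"\s*$"):
    # if /^subject: +\S{60}/ ; !/=\?\S+\?=\s*$/ REJECT
    if re.search(r"^subject: +\S{60}", h, I):
        if not re.search(r"=\?\S+\?=" + tail, h, I):
            return "REJECT"
    return None


def ansgar_victor_fix(h):
    # Same rule with "\s*$" changed to "(?:\s|$)" as Victor suggests.
    return ansgar_simplified(h, tail=r"(?:\s|$)")


def noel_any_whitespace(h):
    # /^Subject:[[:space:]]+[^[:space:]]{40}/ REJECT  (no encoded-word exemption)
    return "REJECT" if re.search(r"^Subject:\s+\S{40}", h, I) else None


RULES = {
    "troy_nested": troy_nested,
    "ansgar_simplified": ansgar_simplified,
    "ansgar_victor_fix": ansgar_victor_fix,
    "noel_any_whitespace": noel_any_whitespace,
}


def verdicts():
    """Return {rule name: {header name: 'REJECT' or None}}."""
    return {
        rule: {name: fn(h) for name, h in HEADERS.items()}
        for rule, fn in RULES.items()
    }


if __name__ == "__main__":
    for rule, row in verdicts().items():
        print(rule)
        for name, verdict in row.items():
            print(f"  {name:18} {verdict}")
```

Only the nested form both catches the folded Subject and leaves encoded subjects alone; the simplified form misses the folded header because `^subject: +` needs a literal space after the colon.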


Re: Malformed DNS server reply

2011-04-29 Thread Victor Duchovni
On Fri, Apr 29, 2011 at 09:39:10AM -0400, Wietse Venema wrote:

> > This looks like a Null MX record:
> > http://tools.ietf.org/html/draft-delany-nullmx-00
> > 
> > If the domain owner declares that this domain never sends or receives
> > email, then shouldn't postfix reject the above message with a permanent
> > error?
> 
> Anyone can post a draft. That does not mean that they change
> the rules of the Internet.  
> 
> The SMTP RFC says that the MX record specifies a hostname, and
> there is no RFC that says an empty string is a valid hostname.

This said Null MX records are IMHO a reasonably simple/clean idea. Pity
it never got officially blessed. I seem to recall that same concession
to Null MX records was made in a Postfix release a while back...

20050726

Horror: total rewrite of DNS client error handling because
some misguided proposal attempts to give special meaning
to some syntactically invalid MX hostname lookup result.
Not only that, people expect sensible results with
reject_unknown_sender_domain etc.  Files: dns/dns_lookup.c,
smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c.

[...]

20061227

Bugfix (introduced with Postfix 2.3): the MX hostname syntax
check was skipped with reject_unknown_helo_hostname and
reject_unknown_sender/recipient_domain, so that Postfix
would still accept mail from domains with a zero-length MX
hostname.  File: smtpd/smtpd_check.c.

Which release is the OP using?

-- 
Viktor.


Re: Smarthost as backup transport if direct sending fails?

2011-04-29 Thread Rich Wales
My sending host does, in fact, have proper FCrDNS.

I've contacted AT&T in an attempt to get my IP address off their block
list.  They haven't replied yet, and since I contacted them only
yesterday, it's too early to tell if they are going to do it or not.

Distinguishing "block list" rejections (which I would want to retry via
my smarthost) from other sorts of rejections (such as "no such user")
could, I agree, be an issue.  In theory, I might want to try looking at
the SMTP rejection notice and do a "retry via smarthost" for anything
that did not contain one of a limited set of extended status codes
(such as the 5.1.x codes).  I'm not sure if Postfix has any way of
being told to do this sort of thing or not.

Rich Wales
ri...@richw.org


Re: Malformed DNS server reply

2011-04-29 Thread Wietse Venema
Victor Duchovni:
> On Fri, Apr 29, 2011 at 09:39:10AM -0400, Wietse Venema wrote:
> 
> > > This looks like a Null MX record:
> > > http://tools.ietf.org/html/draft-delany-nullmx-00
> > > 
> > > If the domain owner declares that this domain never sends or receives
> > > email, then shouldn't postfix reject the above message with a permanent
> > > error?
> > 
> > Anyone can post a draft. That does not mean that they change
> > the rules of the Internet.  
> > 
> > The SMTP RFC says that the MX record specifies a hostname, and
> > there is no RFC that says an empty string is a valid hostname.
> 
> This said Null MX records are IMHO a reasonably simple/clean idea. Pity
> it never got officially blessed. I seem to recall that same concession
> to Null MX records was made in a Postfix release a while back...

How clean can it be? It requires that an RFC-compliant program must
change from two-valued logic (an RFC-compliant MX record exists or
does not exist) into three-valued logic (no MX record, RFC-compliant
MX record, non-compliant MX record) which leads to cascading code
inconsistency and consequently new bugs.

I think it is bad engineering when you take some invalid form and then
give it legitimate meaning.  This rewards sloppy programs that play
fast and loose, and punishes programs that enforce the rules.

Wietse


Re: Smarthost as backup transport if direct sending fails?

2011-04-29 Thread Wietse Venema
Rich Wales:
> My sending host does, in fact, have proper FCrDNS.
> 
> I've contacted AT&T in an attempt to get my IP address off their block
> list.  They haven't replied yet, and since I contacted them only
> yesterday, it's too early to tell if they are going to do it or not.
> 
> Distinguishing "block list" rejections (which I would want to retry via
> my smarthost) from other sorts of rejections (such as "no such user")
> could, I agree, be an issue.  In theory, I might want to try looking at
> the SMTP rejection notice and do a "retry via smarthost" for anything
> that did not contain one of a limited set of extended status codes
> (such as the 5.1.x codes).  I'm not sure if Postfix has any way of
> being told to do this sort of thing or not.

Postfix allows you to transform remote server responses into
arbitrary other responses. Thus, you can change a 5XX (hard 
reject) into something else.

http://www.postfix.org/postconf.5.html#smtp_reply_filter

Wietse

smtp_reply_filter (default: empty)

A mechanism to transform replies from remote SMTP servers one
line at a time. This is a last-resort tool to work around server
replies that break inter-operability with the Postfix SMTP
client. Other uses involve fault injection to test Postfix's
handling of invalid responses.

Notes:

* In the case of a multi-line reply, the Postfix SMTP client
  uses the final reply line's numerical SMTP reply code
  and enhanced status code.

* The numerical SMTP reply code (XYZ) takes precedence over
  the enhanced status code (X.Y.Z). When the enhanced status
  code initial digit differs from the SMTP reply code
  initial digit, or when no enhanced status code is present,
  the Postfix SMTP client uses a generic enhanced status
  code (X.0.0) instead.

Specify the name of a "type:table" lookup table. The search
string is a single SMTP reply line as received from the remote
SMTP server, except that the trailing <CR><LF> are removed.

Examples:

/etc/postfix/main.cf:
smtp_reply_filter = pcre:/etc/postfix/reply_filter

/etc/postfix/reply_filter:
# Transform garbage into "250-filler..." so that it looks like
# one line from a multi-line reply. It does not matter what we
# substitute here as long it has the right syntax.  The Postfix
# SMTP client will use the final line's numerical SMTP reply
# code and enhanced status code.
!/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage

This feature is available in Postfix 2.7.


Re: New Version Postfix

2011-04-29 Thread Jeroen Geilman

On 04/29/2011 03:09 PM, Ravindra Gupta // Viva wrote:

> Hi Team,
>
> Please confirm the latest version of postfix.


I'm sorry Dave, I cannot confirm that.


--
J.



Re: Smarthost as backup transport if direct sending fails?

2011-04-29 Thread Rich Wales
> Postfix allows you to transform remote server responses into
> arbitrary other responses. Thus, you can change a 5XX (hard reject) into
> something else. . . .  This feature is available in Postfix 2.7.

I'm running 2.8.1, so that's potentially good news for me.  Thanks.

Assuming that I can use smtp_reply_filter to mark "block list" rejections
in a distinctive manner (and prevent them from being treated as hard
rejects), is there any way for me to convince Postfix to send these
messages to an alternate smarthost?

Rich Wales
ri...@richw.org


Re: Smarthost as backup transport if direct sending fails?

2011-04-29 Thread Wietse Venema
Rich Wales:
> > Postfix allows you to transform remote server responses into
> > arbitrary other responses. Thus, you can change a 5XX (hard reject) into
> > something else. . . .  This feature is available in Postfix 2.7.
> 
> I'm running 2.8.1, so that's potentially good news for me.  Thanks.
> 
> Assuming that I can use smtp_reply_filter to mark "block list" rejections
> in a distinctive manner (and prevent them from being treated as hard
> rejects), is there any way for me to convince Postfix to send these
> messages to an alternate smarthost?

The idea is to use 

/etc/postfix/main.cf:
smtp_fallback_relay = smarthost.provider.example
smtp_reply_filter = ...your filter...

This sends all mail to the smarthost that fails with a 4xx SMTP
reply (whether due to your reply filter, or otherwise).

The smtp_fallback_relay feature also sends mail to the smarthost
when the destination can't be found. That's not what you need, but
that's because smtp_fallback_relay was implemented for a different
use case, there was not a whole lot of time for proper engineering,
and thus the behavior was hard-coded.

Wietse


Re: Concurrency on overloaded server.

2011-04-29 Thread Victor Duchovni
On Thu, Apr 28, 2011 at 07:02:06PM -0400, Homer Wilson Smith wrote:

> Apparently cached smtp connections on the sending server (to the 
> popper) are brought down early if there is nothing to send.
>
> Also apparently there is a minimum of 5 connections, had 
> smtp_destination_concurrency_limit set to 1 just for yuks, and still got 5 
> or 6 established according to netstat.

The destination concurrency limit is per destination nexthop, not per
destination MX host. If a bunch of domains under your control have the
same MX hosts, you can add a transport entry to tell the queue manager
that this is the case:

example.com relay:example.com
example.org relay:example.com
example.net relay:example.com
example.edu relay:example.com
...

with the above, the MX records for example.com will be used for all
the domains, and concurrency, caching, ... will all be for the single
example.com nexthop.

-- 
Viktor.


Re: Smarthost as backup transport if direct sending fails?

2011-04-29 Thread Rich Wales
OK, thanks, Wietse.  I've set up my web hosting service's smarthost as
my smtp_fallback_relay (instead of making it my relayhost as before),
and I'm trying the following as my smtp_reply_filter:

if !/^5[0-9][0-9][ -]5\.1\.[0-9] /
/^5(.*)$/ 4$1
endif

which should change any 5xx-series reply code to a 4xx-series code,
except it will keep the reply unchanged if there is a 5.1.x (address
status error) enhanced status code.

Rich Wales
ri...@richw.org
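
What the filter above does to individual reply lines, as an added example that is not code from the thread or from Postfix. The reply lines are constructed, and the status handling is modelled on the smtp_reply_filter notes quoted earlier in the thread (the reply code takes precedence; X.0.0 is substituted when the enhanced status code is missing or its first digit differs).

```python
import re

# The table as posted:
#   if !/^5[0-9][0-9][ -]5\.1\.[0-9] /
#   /^5(.*)$/ 4$1
#   endif
KEEP_HARD = re.compile(r"^5[0-9][0-9][ -]5\.1\.[0-9] ")
SOFTEN = re.compile(r"^5(.*)$", re.DOTALL)

# Reply code, separator, optional enhanced status code (X.Y.Z).
REPLY = re.compile(r"^(\d)(\d\d)[ -](?:((\d)\.\d{1,3}\.\d{1,3})(?=\s|$))?")

# Constructed reply lines; addresses and hosts are placeholders.
REPLIES = [
    "550 5.1.1 <user@example.com>: Recipient address rejected: User unknown",
    "550 5.7.1 Service unavailable; client [192.0.2.1] blocked using blocklist.example",
    "554-5.7.1 Mail from 192.0.2.1 refused",   # non-final line of a multi-line reply
    "550 No such user here",                   # hard reject without enhanced status
    "250 2.0.0 Ok: queued as ABC123",
]


def apply_filter(line):
    """Apply the posted table to one reply line."""
    if KEEP_HARD.search(line):
        return line                    # 5.1.x: condition is false, nothing applies
    return SOFTEN.sub(r"4\1", line, count=1)   # no-op unless the line starts with 5


def effective_status(line):
    """(reply code, enhanced status) per the quoted smtp_reply_filter notes."""
    m = REPLY.match(line)
    if m is None:
        return None
    code = m.group(1) + m.group(2)
    if m.group(3) and m.group(4) == m.group(1):
        return code, m.group(3)
    return code, m.group(1) + ".0.0"   # mismatch or missing: generic code


def outcome(line):
    """Classify the filtered reply: 4xx is what smtp_fallback_relay acts on."""
    code, _ = effective_status(apply_filter(line))
    return {"2": "accepted", "4": "soft", "5": "hard"}[code[0]]


def trace(replies=REPLIES):
    return [(r, apply_filter(r), effective_status(apply_filter(r)), outcome(r))
            for r in replies]


if __name__ == "__main__":
    for original, filtered, status, result in trace():
        print(f"{original!r}\n  -> {filtered!r} {status} {result}")
```

A "no such user" rejection that carries no enhanced status code is softened too, so such mail is sent on to the smarthost as well.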