Re: Malformed DNS server reply

2011-05-02 Thread Бак Микаел
Wietse Venema wrote:
>> Hi list,
>>
>> I saw this in my logs:
>>
>> Apr 29 14:58:08 mx postfix/smtpd[4880]: connect from
>> xxx.yyy.zzz[xxx.yyy.zzz.xxx]
>> Apr 29 14:58:09 mx postfix/smtpd[4880]: warning: valid_hostname: empty
>> hostname
>> Apr 29 14:58:09 mx postfix/smtpd[4880]: warning: malformed domain name
>> in resource data of MX record for somedomain.com:
> 
> There is no Internet RFC that says that an empty hostname is valid.
> Postfix was not built by experimentation of "what works". Instead,
> Postfix was built by looking at official email standards. Then, I
> added hacks and workarounds for systems that don't play by the
> rules.
>
>> Apr 29 14:58:09 mx postfix/smtpd[4880]: NOQUEUE: reject: RCPT from
>> xxx.yyy.zzz[xxx.yyy.zzz.xxx]: 450 4.1.8 : Sender
>> address rejected: Malformed DNS server reply; from=
>> to= proto=ESMTP helo=
>> Apr 29 14:58:09 mx postfix/smtpd[4880]: disconnect from
>> fxxx.yyy.zzz[xxx.yyy.zzz.xxx]
>>
>> And:
>>
>> $ host somedomain.com
>> somedomain.com has address yyy.zzz.xxx.yyy
>> somedomain.com mail is handled by 0 .
>>
>> This looks like a Null MX record:
>> http://tools.ietf.org/html/draft-delany-nullmx-00
>>
>> If the domain owner declares that this domain never sends or receives
>> email, then shouldn't postfix reject the above message with a permanent
>> error?
> 
> Anyone can post a draft. That does not mean that they change
> the rules of the Internet.  
> 
> The SMTP RFC says that the MX record specifies a hostname, and
> there is no RFC that says an empty string is a valid hostname.
> 
> The warning message is an example of a workaround hack that I put
> in for systems that don't supply valid hostnames in their MX records.
> 
>   Wietse

Hi Wietse,

I understand. Thank you for clarifying this.
I was not aware of the ugliness in this method. It seemed like a quite
easy way to implement non-email domains for a DNS admin, but I now
understand what complications this brings to the application developer.

Cheers,
Mikael Bak


Re: Malformed DNS server reply

2011-05-02 Thread Бак Микаел
Victor Duchovni wrote:
> On Fri, Apr 29, 2011 at 09:39:10AM -0400, Wietse Venema wrote:
> 
>>> This looks like a Null MX record:
>>> http://tools.ietf.org/html/draft-delany-nullmx-00
>>>
>>> If the domain owner declares that this domain never sends or receives
>>> email, then shouldn't postfix reject the above message with a permanent
>>> error?
>> Anyone can post a draft. That does not mean that they change
>> the rules of the Internet.  
>>
>> The SMTP RFC says that the MX record specifies a hostname, and
>> there is no RFC that says an empty string is a valid hostname.
> 
> This said Null MX records are IMHO a reasonably simple/clean idea. Pity
> it never got officially blessed. I seem to recall that same concession
> to Null MX records was made in a Postfix release a while back...
> 
> 20050726
> 
> Horror: total rewrite of DNS client error handling because
> some misguided proposal attempts to give special meaning
> to some syntactically invalid MX hostname lookup result.
> Not only that, people expect sensible results with
> reject_unknown_sender_domain etc.  Files: dns/dns_lookup.c,
> smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c.
> 
> [...]
> 
> 20061227
> 
> Bugfix (introduced with Postfix 2.3): the MX hostname syntax
> check was skipped with reject_unknown_helo_hostname and
> reject_unknown_sender/recipient_domain, so that Postfix
> would still accept mail from domains with a zero-length MX
> hostname.  File: smtpd/smtpd_check.c.
> 
> Which release is the OP using?
> 

Hi Victor,

Just for the record. We use postfix-2.7.3.

Relevant part of "postconf -n":

smtpd_recipient_restrictions = permit_mynetworks,
reject_invalid_helo_hostname,reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender,reject_non_fqdn_recipient,
reject_non_fqdn_hostname,reject_unauth_destination,
[snip]
reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname,
[snip]

But I think I got all my questions answered.
Thanks,
Mikael Bak
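
The record `somedomain.com mail is handled by 0 .` from this thread, decoded at the wire level as an added example (not code from the thread or from Postfix): an MX exchange of `.` is a name with zero labels, which is why a hostname check sees an empty string. The DNS message bytes are constructed, the LDH label test is a simplified stand-in for a real hostname validator, and RFC 7505 later standardized this preference-0, exchange-`.` form as Null MX.

```python
import re
import struct

# Letters, digits and hyphens, no hyphen at either end (simplified hostname
# rule; an assumption for this example, not Postfix's valid_hostname()).
LDH_LABEL = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def read_name(msg, offset):
    """Decode the domain name at `offset`, following compression pointers."""
    labels, hops, size = [], 0, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            hops += 1
            if hops > 16:                          # broken replies can loop forever
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:                            # root label ends the name
            return labels
        label = msg[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("label runs past end of message")
        size += length + 1
        if size > 254:                             # 255 octets including the root byte
            raise ValueError("name too long")
        labels.append(label)
        offset += 1 + length


def classify_mx(msg, rdata_offset):
    """Return (preference, verdict, exchange) for the MX RDATA at rdata_offset."""
    if rdata_offset + 2 > len(msg):
        return None, "malformed", ""
    (preference,) = struct.unpack_from("!H", msg, rdata_offset)
    try:
        labels = read_name(msg, rdata_offset + 2)
    except ValueError:
        return preference, "malformed", ""
    exchange = b".".join(labels).decode("ascii", "replace") or "."
    if not labels:
        return preference, "empty", exchange       # "0 ." is a zero-length hostname
    if all(LDH_LABEL.fullmatch(label) for label in labels):
        return preference, "hostname", exchange
    return preference, "invalid", exchange


def build_sample():
    """Constructed message: 12-byte header, owner name, then four MX RDATA blobs."""
    msg = bytearray(12)
    owner = len(msg)
    msg += b"\x0asomedomain\x03com\x00"
    to_owner = bytes([0xC0 | (owner >> 8), owner & 0xFF])
    offsets = {}
    for key, rdata in (
        ("null", b"\x00\x00" + b"\x00"),               # preference 0, exchange "."
        ("good", b"\x00\x0a" + b"\x02mx" + to_owner),  # mx.somedomain.com
        ("bad", b"\x00\x05" + b"\x03-mx" + to_owner),  # label starts with a hyphen
    ):
        offsets[key] = len(msg)
        msg += rdata
    offsets["loop"] = len(msg)                         # pointer that targets itself
    self_ptr = len(msg) + 2
    msg += b"\x00\x05" + bytes([0xC0 | (self_ptr >> 8), self_ptr & 0xFF])
    return bytes(msg), offsets


if __name__ == "__main__":
    message, where = build_sample()
    for key, off in where.items():
        print(key, classify_mx(message, off))
```

A real resolver also bounds the name by the record's RDLENGTH, which this example leaves out.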


antyspam.onet.pl

2011-05-02 Thread Reindl Harald
has anybody out there ever sent a message to them successfully?

they are blocking all our servers independent from the network-range
including messages to postmaster and AFAIK it is rfc-ignorant answer
with 451 the whole time for all messages until "maximal_queue_lifetime"
is reached

May  1 22:12:19 arrakis postfix/qmgr[6635]: 5A20E36034: from=, 
size=14899, nrcpt=1 (queue active)
May  1 22:12:19 arrakis postfix/smtp[6720]: 5A20E36034: 
to=,
relay=mx.poczta.onet.pl[213.180.147.146]:25, delay=0.46, 
delays=0.11/0.03/0.22/0.09, dsn=4.7.1, status=deferred
(host mx.poczta.onet.pl[213.180.147.146] said: 451 4.7.1 Wiadomosc zostala 
odrzucona przez system antyspamowy /
Message has been refused by antispam 
(http://antyspam.onet.pl/odblokuj.html?id=01002P0F015&ip=91.118.73.6) (in
reply to MAIL FROM command))
May  1 22:30:57 arrakis postfix/qmgr[6635]: 5A20E36034: from=, 
size=14899, nrcpt=1 (queue active)
May  1 22:30:57 arrakis postfix/smtp[7224]: 5A20E36034: 
to=,
relay=mx.poczta.onet.pl[213.180.147.146]:25, delay=1118, 
delays=1118/0.05/0.31/0.05, dsn=4.7.1, status=deferred
(host mx.poczta.onet.pl[213.180.147.146] said: 451 4.7.1 Wiadomosc zostala 
odrzucona przez system antyspamowy /
Message has been refused by antispam 
(http://antyspam.onet.pl/odblokuj.html?id=01002P0F018&ip=91.118.73.6) (in
reply to MAIL FROM command))
May  1 22:50:57 arrakis postfix/qmgr[6635]: 5A20E36034: from=, 
size=14899, nrcpt=1 (queue active)
May  1 22:50:58 arrakis postfix/smtp[7515]: 5A20E36034: 
to=,
relay=mx.poczta.onet.pl[213.180.147.146]:25, delay=2319, 
delays=2318/0.05/1.1/0.06, dsn=4.7.1, status=deferred
(host mx.poczta.onet.pl[213.180.147.146] said: 451 4.7.1 Wiadomosc zostala 
odrzucona przez system antyspamowy /
Message has been refused by antispam 
(http://antyspam.onet.pl/odblokuj.html?id=01002P0F014&ip=91.118.73.6) (in
reply to MAIL FROM command))
May  1 23:30:57 arrakis postfix/qmgr[6635]: 5A20E36034: from=, 
size=14899, nrcpt=1 (queue active)
May  1 23:30:57 arrakis postfix/smtp[9057]: 5A20E36034: 
to=,
relay=mx.poczta.onet.pl[213.180.147.146]:25, delay=4718, 
delays=4718/0.04/0.22/0.05, dsn=4.7.1, status=deferred
(host mx.poczta.onet.pl[213.180.147.146] said: 451 4.7.1 Wiadomosc zostala 
odrzucona przez system antyspamowy /
Message has been refused by antispam 
(http://antyspam.onet.pl/odblokuj.html?id=01002P0F007&ip=91.118.73.6) (in
reply to MAIL FROM command))
May  2 00:50:59 arrakis postfix/qmgr[6635]: 5A20E36034: from=, 
size=14899, nrcpt=1 (queue active)
May  2 00:51:00 arrakis postfix/smtp[12104]: 5A20E36034: 
to=,
relay=mx.poczta.onet.pl[213.180.147.146]:25, delay=9521, 
delays=9520/0.07/0.17/0.24, dsn=4.7.1, status=deferred
(host mx.poczta.onet.pl[213.180.147.146] said: 451 4.7.1 Wiadomosc zostala 
odrzucona przez system antyspamowy /
Message has been refused by antispam 
(http://antyspam.onet.pl/odblokuj.html?id=01002P0F010&ip=91.118.73.6) (in
reply to MAIL FROM command))
May  2 02:22:59 arrakis postfix/qmgr[6635]: 5A20E36034: from=, 
size=14899, nrcpt=1 (queue active)
May  2 02:23:00 arrakis postfix/smtp[10167]: 5A20E36034: 
to=,
relay=mx.poczta.onet.pl[213.180.147.146]:25, delay=15041, 
delays=15041/0.04/0.19/0.14, dsn=4.7.1, status=deferred
(host mx.poczta.onet.pl[213.180.147.146] said: 451 4.7.1 Wiadomosc zostala 
odrzucona przez system antyspamowy /
Message has been refused by antispam 
(http://antyspam.onet.pl/odblokuj.html?id=01002P0F007&ip=91.118.73.6) (in
reply to MAIL FROM command))
May  2 03:54:59 arrakis postfix/qmgr[6635]: 5A20E36034: from=, 
size=14899, nrcpt=1 (queue active)
May  2 03:55:00 arrakis postfix/smtp[13109]: 5A20E36034: 
to=,
relay=mx.poczta.onet.pl[213.180.147.146]:25, delay=20561, 
delays=20561/0.08/0.26/0.05, dsn=4.7.1, status=deferred
(host mx.poczta.onet.pl[213.180.147.146] said: 451 4.7.1 Wiadomosc zostala 
odrzucona przez system antyspamowy /
Message has been refused by antispam 
(http://antyspam.onet.pl/odblokuj.html?id=01002P0F009&ip=91.118.73.6) (in
reply to MAIL FROM command))
May  2 05:26:59 arrakis postfix/qmgr[6635]: 5A20E36034: from=, 
size=14899, nrcpt=1 (queue active)
May  2 05:27:00 arrakis postfix/smtp[16056]: 5A20E36034: 
to=,
relay=mx.poczta.onet.pl[213.180.147.146]:25, delay=26081, 
delays=26080/0.04/1/0.14, dsn=4.7.1, status=deferred
(host mx.poczta.onet.pl[213.180.147.146] said: 451 4.7.1 Wiadomosc zostala 
odrzucona przez system antyspamowy /
Message has been refused by antispam 
(http://antyspam.onet.pl/odblokuj.html?id=01002P0F016&ip=91.118.73.6) (in
reply to MAIL FROM command))
May  2 06:58:59 arrakis postfix/qmgr[6635]: 5A20E36034: from=, 
size=14899, nrcpt=1 (queue active)
May  2 06:59:00 arrakis postfix/smtp[18282]: 5A20E36034: 
to=,
relay=mx.poczta.onet.pl[213.180.147.146]:25, delay=31601, 
delays=31601/0.08/0.14/0.13, dsn=4.7.1, status=deferred
(host mx.poczta.onet.pl[213.180.147.146] said: 451 4.7.1 Wiadomosc zostala 
odrzucona przez system antyspamowy /
Message has been refused by antispam 
(http://antyspam.onet.pl/odblokuj.html?id=01002P0F007&ip

Re: antyspam.onet.pl

2011-05-02 Thread Mihira Fernando

On 05/02/2011 03:31 PM, Reindl Harald wrote:
> has anybody out there ever sent a message to them successfully?
>
> they are blocking all our servers independent from the network-range
> including messages to postmaster and AFAIK it is rfc-ignorant answer
> with 451 the whole time for all messages until "maximal_queue_lifetime"
> is reached

[snip]

> http://antyspam.onet.pl/odblokuj.html?id=01002P0F009&ip=91.118.73.6

Have you tried filling out that form they have given?

Mihira.


Re: antyspam.onet.pl

2011-05-02 Thread Reindl Harald


On 02.05.2011 12:37, Mihira Fernando wrote:
> On 05/02/2011 03:31 PM, Reindl Harald wrote:
>> has anybody out there ever sent a message to them successfully?
>>
>> they are blocking all our servers independent from the network-range
>> including messages to postmaster and AFAIK it is rfc-ignorant answer
>> with 451 the whole time for all messages until "maximal_queue_lifetime"
>> is reached
> [snip]
> 
>> http://antyspam.onet.pl/odblokuj.html?id=01002P0F009&ip=91.118.73.6
> Have you tried filling out that form they have given?

yes after google-translate what they want from me and from
english to polish also with google-translate

how stoopid can anybody be to make server-answers from a spamfilter
with 451 in polish and a form nobody out there can read followed
by a RED SUCCESS MESSAGE (finding out success after google translate again)





Re: antyspam.onet.pl

2011-05-02 Thread Mihira Fernando

On 05/02/2011 04:17 PM, Reindl Harald wrote:
> On 02.05.2011 12:37, Mihira Fernando wrote:
>> On 05/02/2011 03:31 PM, Reindl Harald wrote:
>>> has anybody out there ever sent a message to them successfully?
>>>
>>> they are blocking all our servers independent from the network-range
>>> including messages to postmaster and AFAIK it is rfc-ignorant answer
>>> with 451 the whole time for all messages until "maximal_queue_lifetime"
>>> is reached
>> [snip]
>>
>>> http://antyspam.onet.pl/odblokuj.html?id=01002P0F009&ip=91.118.73.6
>> Have you tried filling out that form they have given?
>
> yes after google-translate what they want from me and from
> english to polish also with google-translate
>
> how stoopid can anybody be to make server-answers from a spamfilter
> with 451 in polish and a form nobody out there can read followed
> by a RED SUCCESS MESSAGE (finding out success after google translate again)

They are most likely to be catering only to Poland.  I've seen Russian
servers doing the same thing.


Re: antyspam.onet.pl

2011-05-02 Thread Reindl Harald

On 02.05.2011 12:49, Mihira Fernando wrote:

>> how stoopid can anybody be to make server-answers from a spamfilter
>> with 451 in polish and a form nobody out there can read followed
>> by a RED SUCCESS MESSAGE (finding out success after google translate again)
>>
> They are most likely to be catering only to Poland.  
> I've seen Russian servers doing the same thing

so this fg id***s should answer with 550 instead 451 and tell their
users that they can not use their address for fill out webforms or
use them as forwarder-target for international domains :-(





milter postfix for the geolocation addresses and headers X-Anti-Abuse

2011-05-02 Thread fakessh
hello list
hello gurus
hello   Wietse Venema 


I would like to write a milter to postfix to achieve a geolocation addresses 
and headers X-Anti-Abuse

you tell me with mimedefang  is very simple
I have tried with success

but when I've put my achievements in production
the headers X-SenderID disappears

so I wonder why after having added mimedefang header and X-SenderID disappears

Do you know a milter to the geolocation

this may be easy to realize native with postfix

thanks s ///;)
-- 
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7




Re: milter postfix for the geolocation addresses and headers X-Anti-Abuse

2011-05-02 Thread Wietse Venema
fakessh:
> hello list
> hello gurus
> hello   Wietse Venema
> 
> 
> I would like to write a milter to postfix to achieve a geolocation addresses 
> and headers X-Anti-Abuse
> 
> you tell me with mimedefang  is very simple
> I have tried with success
> 
> but when I've put my achievements in production
> the headers X-SenderID disappears
> 
> so I wonder why after having added mimedefang header and X-SenderID disappears
> 
> Do you know a milter to the geolocation
> 
> this may be easy to realize native with postfix
> 
> thanks s ///;)

Please provide one or more of the following.

a) Free crystal balls.

b) Free telepathic services.

c) Concrete information about this problem.

Wietse


FYI - Postfix 2.8.2 and CentOS 5.6

2011-05-02 Thread Steve Jenkins
This isn't a Postfix issue, just an FYI for those running updated
versions of Postfix on CentOS.

I recently updated one of my CentOS 5.5 systems (which was running
Postfix 2.8.2 compiled from source) to CentOS 5.6. The Postfix package
appeared nowhere on the upgrade list, and my /etc/yum.conf has
"exclude=postfix*" However, after the upgrade and a reboot, Postfix
wouldn't start. The maillog complained about the "smtpd pass" settings
in master.cf that I had uncommented to enable Postscreen.

A postconf -d | grep version revealed that somehow, my Postfix version
had reverted to 2.3.3 (the default for new CentOS installs). I thought
this was strange, but since I had previously downloaded and compiled
Postfix 2.8.2 on that system, I did a "cd
/usr/local/src/postfix-2.8.2" and a "make upgrade" and was able to
start Postfix 2.8.2 successfully within a few seconds.

I wasn't sure if this was a one time thing, but confirmed the issue
last night when the same thing happened after upgrading another system
from CentOS 5.5 -> 5.6. I haven't been able to find the exact cause
yet, but I at least wanted to post a workaround for the archives in
case anyone else goes searching for this issue.

Thanks,

SteveJ


Re: Enabling sender-dependent authentication only for fallback relay?

2011-05-02 Thread Rich Wales
Earlier, I wrote:

> I'm starting to ponder the idea of setting up a separate service in
> my master.cf file -- similar to the standard "smtp" service, but with
> a few parameters overridden -- and define that separate service as
> my smtp_fallback_relay, and have the separate service use my *real*
> fallback relay as its relay host, and enable sender-dependent
> authentication in the separate service instead of in my standard
> SMTP service.  But I realize that would be a messy kludge, and I'd
> prefer not to do it this way except as a last resort.

That idea doesn't appear to work -- the separate SMTP service considered
the mail passed to it by the main Postfix instance to be unauthenticated
(because it wasn't coming directly from my user agent?) and insisted it
wouldn't act as an open relay.

I tried the option smtpd_recipient_restrictions= in the separate SMTP
service, but that didn't work -- Postfix demands that this parameter must
contain at least one working instance of reject_unauth_destination, reject,
defer, or defer_if_permit -- i.e., it looks like it simply will not allow
itself to be configured as an open relay, period, even if I'm sure I know
what I'm doing.

And there doesn't seem to be any way for me to use my web hosting service
(Bluehost) as my fallback without doing sender-dependent authentication;
their tech support's suggestion that I try using my master domain account
cPanel login info as a site-wide, sender-independent authentication did
not work.

So I appear to be stuck -- I can't avoid the situation (as I described in
my e-mail from last night; see details there) where a random destination
MX is deciding to ask me for authentication, and it understandably doesn't
like my sender-dependent authentication info intended only for my fallback
relay, and I can't selectively give out or withhold my authentication info
because sender-dependent authentication cares *only* about the sender and
apparently can't be told to care about the identity of the destination host.

Any suggestions would be welcome.

Rich Wales
ri...@richw.org


Re: Enabling sender-dependent authentication only for fallback relay?

2011-05-02 Thread Wietse Venema
Rich Wales:
> Earlier, I wrote:
> 
> > I'm starting to ponder the idea of setting up a separate service in
> > my master.cf file -- similar to the standard "smtp" service, but with
> > a few parameters overridden -- and define that separate service as
> > my smtp_fallback_relay, and have the separate service use my *real*
> > fallback relay as its relay host, and enable sender-dependent
> > authentication in the separate service instead of in my standard
> > SMTP service.  But I realize that would be a messy kludge, and I'd
> > prefer not to do it this way except as a last resort.
> 
> That idea doesn't appear to work -- the separate SMTP service considered
> the mail passed to it by the main Postfix instance to be unauthenticated
> (because it wasn't coming directly from my user agent?) and insisted it
> wouldn't act as an open relay.
> 
> I tried the option smtpd_recipient_restrictions= in the separate SMTP
> service, but that didn't work -- Postfix demands that this parameter must
> contain at least one working instance of reject_unauth_destination, reject,
> defer, or defer_if_permit -- i.e., it looks like it simply will not allow
> itself to be configured as an open relay, period, even if I'm sure I know
> what I'm doing.
> 
> And there doesn't seem to be any way for me to use my web hosting service
> (Bluehost) as my fallback without doing sender-dependent authentication;
> their tech support's suggestion that I try using my master domain account
> cPanel login info as a site-wide, sender-independent authentication did
> not work.
> 
> So I appear to be stuck -- I can't avoid the situation (as I described in
> my e-mail from last night; see details there) where a random destination
> MX is deciding to ask me for authentication, and it understandably doesn't
> like my sender-dependent authentication info intended only for my fallback
> relay, and I can't selectively give out or withhold my authentication info
> because sender-dependent authentication cares *only* about the sender and
> apparently can't be told to care about the identity of the destination host.
> 
> Any suggestions would be welcome.

There is a lot of "did not work" without concrete detail:
actual configuration, actual error responses.

See my response in a recent thread:
http://archives.neohapsis.com/archives/postfix/2011-05/0020.html

Wietse


Re: Enabling sender-dependent authentication only for fallback relay?

2011-05-02 Thread Victor Duchovni
On Sun, May 01, 2011 at 09:46:51PM -0700, Rich Wales wrote:

> [Short version of my question:  Is there any way to enable sender-
> dependent authentication *only* when mail is being sent out via my
> smtp_fallback_relay host, and *not* when I am sending mail directly
> to a destination MX?  I do not have any "relayhost" defined because
> I am trying to send mail directly to a destination.]

You have to use a fallback relay setting that sends the mail to a second
Postfix instance on your machine, and have that instance send all mail
to the relay, with sender-dependent authentication.

smtp_fallback_relay=[127.0.0.1]:10035

This would be a full Postfix instance, not just another master.cf entry:

http://www.postfix.org/MULTI_INSTANCE_README.html

-- 
Viktor.


Re: Enabling sender-dependent authentication only for fallback relay?

2011-05-02 Thread Rich Wales
> There is a lot of "did not work" without concrete detail:  actual
> configuration, actual error responses.  See my response in a recent
> thread: . . .

With all possible respect, Wietse, I believe I already provided ample
concrete detail in my original message from last night.  If you would
prefer to simply ignore my second message (in which I tried to say
that a possible workaround I had considered doesn't seem to work) and
consider only my original message (perhaps ignoring the paragraph near
the end starting with "I'm starting to ponder"), I won't object.

Rich Wales
ri...@richw.org


Spoofing problem

2011-05-02 Thread R F
I thought I had this one fixed a while back but apparently not. I want to
reject emails like this that are sent from one person but claim to be
another. Ideas? Notice the first line and the last line:

>From rs...@bnpi.com Sun May 1 16:37:58 2011
Return-Path: 
X-Original-To: gammal...@some.net
Delivered-To: gammal...@some.net
Received: from localhost (unknown [127.0.0.1])
by some.net (Postfix) with ESMTP id E39BD133032F;
Sun, 1 May 2011 22:37:58 + (UTC)
X-Virus-Scanned: amavisd-new at some.net
X-Spam-Flag: NO
X-Spam-Score: 5.578
X-Spam-Level: *
X-Spam-Status: No, score=5.578 tagged_above=2 required=6.31
tests=[AWL=2.022,
BAYES_50=0.001, FH_DATE_PAST_20XX=3.554,
UNPARSEABLE_RELAY=0.001]
Received: from some.net ([127.0.0.1])
by localhost (some.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Wg4ztsy25WYa; Sun, 1 May 2011 16:37:58 -0600 (MDT)
Received: from 18925211147.user.veloxzone.com.br (unknown [189.25.211.147])
by some.net (Postfix) with ESMTP id 27B2313302AC;
Sun, 1 May 2011 16:37:58 -0600 (MDT)
Received: from 189.25.211.147 (account , <
listser...@some.net>,
,  HELO some.net)
by some.net (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 678368592 for ;
Sun, 1 May 2011 19:37:57 -0300
From: , , ,


Thanks for any ideas.


Re: Spoofing problem

2011-05-02 Thread Ansgar Wiechers
On 2011-05-02 R F wrote:
> I thought I had this one fixed a while back but apparently not. I want
> to reject emails like this that are sent from one person but claim to
> be another. Ideas? Notice the first line and the last line:
[...]
> Thanks for any ideas.

Quoting from the headers of your own mail to this list:

8<
Return-Path: 
[...]
From: R F 
>8

Rejecting based on difference between from and envelope-from may not be
as good an idea as you think.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Spoofing problem

2011-05-02 Thread Noel Jones

On 5/2/2011 1:21 PM, R F wrote:
> I thought I had this one fixed a while back but apparently
> not. I want to reject emails like this that are sent from one
> person but claim to be another. Ideas? Notice the first line
> and the last line:
>
> From rs...@bnpi.com  Sun May 1 16:37:58 2011
> Return-Path: <rs...@bnpi.com>

[please post in plain text only next time]

The above is the envelope sender.  You can configure postfix
to reject your own domain in the envelope sender from outside
mail.  See numerous posts on this in the archives.
This will reject legit mail, but probably not a great amount.
Pick your pain threshold.

> From: <sh...@some.net>,
> <listser...@some.net>,
> <e...@some.net>,
> <gammal...@some.net>
>
> Thanks for any ideas.

This is the From: header, which is what is typically displayed
when you read the mail.

(and multiple addresses in the From: header is allowed,
although unusual.  but there should be a Sender: header if
there are multiple From:)

Fortunately, postfix has no feature to compare headers with
envelope information.  Such comparison will likely reject a
great deal of legit mail (such as this message).

You could probably convince SpamAssassin or some milter to do
such comparison if you're determined, but that doesn't make it
a good idea.

Your efforts would be better spent on finding more reliable
ways to detect spam.  Browse the archives for ideas.




   -- Noel Jones
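
The point made in the reply above, as an added example that is not part of the thread: three checks run over constructed messages show that a header-versus-envelope comparison flags ordinary mailing-list mail, while the envelope-only own-domain rule and a multiple-From-without-Sender test do not. All addresses, domains, networks and sample messages are placeholders invented for the example.

```python
from email import message_from_string
from email.utils import getaddresses
from ipaddress import ip_address, ip_network

MY_DOMAINS = {"example.com"}                     # assumed local domains
MY_NETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]    # assumed trusted client networks


def header_from_addrs(msg):
    """All mailbox addresses in the From: header(s), lower-cased."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all("From", [])) if addr]


def naive_mismatch(mail_from, msg):
    """The comparison asked for in the thread: envelope sender not in From:."""
    return mail_from.lower() not in header_from_addrs(msg)


def own_domain_from_outside(mail_from, client_ip):
    """Envelope-only rule: our domain as sender, but the client is not ours."""
    domain = mail_from.rpartition("@")[2].lower()
    inside = any(ip_address(client_ip) in ip_network(net) for net in MY_NETWORKS)
    return domain in MY_DOMAINS and not inside


def multi_from_without_sender(msg):
    """RFC 5322: several From: mailboxes require a Sender: header."""
    return len(header_from_addrs(msg)) > 1 and msg.get("Sender") is None


# Constructed samples: envelope sender, connecting client, and message text.
SAMPLES = {
    "list_mail": {
        "mail_from": "owner-users@lists.example.org",
        "client_ip": "198.51.100.7",
        "data": "From: R F <rf@example.net>\n"
                "Sender: owner-users@lists.example.org\n"
                "Subject: Re: Spoofing problem\n\nlist traffic\n",
    },
    "multi_from_spoof": {
        "mail_from": "someone@other.example",
        "client_ip": "203.0.113.9",
        "data": "From: <a@example.com>, <b@example.com>, <c@example.com>\n"
                "Subject: hello\n\nunsolicited\n",
    },
    "forged_own_domain": {
        "mail_from": "boss@example.com",
        "client_ip": "203.0.113.9",
        "data": "From: Boss <boss@example.com>\nSubject: invoice\n\npay now\n",
    },
}


def evaluate(sample):
    """Run all three checks on one sample; True means the check would flag it."""
    msg = message_from_string(sample["data"])
    return {
        "naive_mismatch": naive_mismatch(sample["mail_from"], msg),
        "own_domain_from_outside": own_domain_from_outside(
            sample["mail_from"], sample["client_ip"]),
        "multi_from_without_sender": multi_from_without_sender(msg),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, evaluate(sample))
```

The forged own-domain sample passes the header comparison untouched, because its envelope sender and From: header agree.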


Re: RFE: Make instance name visible in ps output

2011-05-02 Thread Victor Duchovni
On Sat, Apr 30, 2011 at 10:08:40PM +0200, Patrick Ben Koetter wrote:

> > So to find which master is which instance you need to look in the master.pid
> > files or in /proc, ... If you do look in /proc, each child process has
> > MAIL_CONFIG in its environment...
> 
> I see, and I don't want to sound ungrateful, but I was looking for something
> simpler.

Is this useful?

  postmulti -ax /bin/sh -c '
    $daemon_directory/master -t || {
      echo ${multi_instance_name:--} $(cat $queue_directory/pid/master.pid)
    }' |
  while read iname pid
  do
    ps -p $(pgrep -P $pid) | sed -e "s/^/$iname /"
  done

For cut/paste the one-line version:

postmulti -ax /bin/sh -c '$daemon_directory/master -t || { echo 
${multi_instance_name:--} $(cat $queue_directory/pid/master.pid); }' | while 
read iname pid; do ps -p $(pgrep -P $pid) | sed -e "s/^/$iname /"; done

-- 
Viktor.


Re: RFE: Make instance name visible in ps output

2011-05-02 Thread Patrick Ben Koetter
* Victor Duchovni :
> On Sat, Apr 30, 2011 at 10:08:40PM +0200, Patrick Ben Koetter wrote:
> 
> > > So to find which master is which instance you need to look in the 
> > > master.pid
> > > files or in /proc, ... If you do look in /proc, each child process has
> > > MAIL_CONFIG in its environment...
> > 
> > I see, and I don't want to sound ungrateful, but I was looking for something
> > simpler.
> 
> Is this useful?

Definitely! I ran it on a machine that has four instances of whom two weren't
running and it failed on the first one not running. Could it be the script
does not handle such situations?

p@rick


> 
>   postmulti -ax /bin/sh -c '
>     $daemon_directory/master -t || {
>       echo ${multi_instance_name:--} $(cat $queue_directory/pid/master.pid)
>     }' |
>   while read iname pid
>   do
>     ps -p $(pgrep -P $pid) | sed -e "s/^/$iname /"
>   done
> 
> For cut/paste the one-line version:
> 
> postmulti -ax /bin/sh -c '$daemon_directory/master -t || { echo 
> ${multi_instance_name:--} $(cat $queue_directory/pid/master.pid); }' | while 
> read iname pid; do ps -p $(pgrep -P $pid) | sed -e "s/^/$iname /"; done
> 
> -- 
>   Viktor.

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: RFE: Make instance name visible in ps output

2011-05-02 Thread Victor Duchovni
On Mon, May 02, 2011 at 09:38:08PM +0200, Patrick Ben Koetter wrote:

> * Victor Duchovni :
> > On Sat, Apr 30, 2011 at 10:08:40PM +0200, Patrick Ben Koetter wrote:
> > 
> > > > So to find which master is which instance you need to look in the 
> > > > master.pid
> > > > files or in /proc, ... If you do look in /proc, each child process has
> > > > MAIL_CONFIG in its environment...
> > > 
> > > I see, and I don't want to sound ungrateful, but I was looking for 
> > > something
> > > simpler.
> > 
> > Is this useful?
> 
> Definitely! I ran it on a machine that has four instances of whom two weren't
> running and it failed on the first one not running. Could it be the script
> does not handle such situations?

You of all people should be able to better explain what "failed" means...
The script tests the master.pid lock, and only reports child processes
when the master is running. What went wrong in your case? It is a simple
enough "script" (pretty much a one-liner), likely you can improve it...

-- 
Viktor.


Re: RFE: Make instance name visible in ps output

2011-05-02 Thread Patrick Ben Koetter
* Victor Duchovni :
> > > Is this useful?
> > 
> > Definitely! I ran it on a machine that has four instances of whom two 
> > weren't
> > running and it failed on the first one not running. Could it be the script
> > does not handle such situations?
> 
> You of all people should be able to better explain what "failed" means...
> The script tests the master.pid lock, and only reports child processes
> when the master is running. What went wrong in your case? It is a simple
> enough "script" (pretty much a one-liner), likely you can improve it...

Apologies for being that terse. I ran the script on a host whose details I may
not expose in public. I'll get hold of a better test environment and I will
improve it if I can.

p@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: Enabling sender-dependent authentication only for fallback relay?

2011-05-02 Thread Rich Wales
> You have to use a fallback relay setting that sends the mail to a second
> Postfix instance on your machine, and have that instance send all mail
> to the relay, with sender-dependent authentication.  This would be a full
> Postfix instance, not just another master.cf entry:

Thanks, Victor.

A followup question, if I may.  Briefly, can you help me understand what is
going on in a situation like mine that will require the use of a second,
completely separate Postfix instance (and precludes doing what I want to do
in a separate master.cf entry)?

Rich Wales
ri...@richw.org


Re: Enabling sender-dependent authentication only for fallback relay?

2011-05-02 Thread Victor Duchovni
On Mon, May 02, 2011 at 02:00:52PM -0700, Rich Wales wrote:

> > You have to use a fallback relay setting that sends the mail to a second
> > Postfix instance on your machine, and have that instance send all mail
> > to the relay, with sender-dependent authentication.  This would be a full
> > Postfix instance, not just another master.cf entry:
> 
> Thanks, Victor.
> 
> A followup question, if I may.  Briefly, can you help me understand what is
> going on in a situation like mine that will require the use of a second,
> completely separate Postfix instance (and precludes doing what I want to do
> in a separate master.cf entry)?

The mail must be handled by a second separately configured smtp(8) delivery
agent, and therefore, must be placed in a separate queue, which requires
a separate instance.

If the message were handed off to the same queue-manager it would loop.

-- 
Viktor.


Re: Enabling sender-dependent authentication only for fallback relay?

2011-05-02 Thread Rich Wales
> The mail must be handled by a second separately configured smtp(8)
> delivery agent, and therefore, must be placed in a separate queue,
> which requires a separate instance.  If the message were handed off
> to the same queue-manager it would loop.

Ah.  And, not surprisingly, when I tried to solve my problem using an
alternative smtp in my master.cf, it did precisely that -- the second
smtp threw the message back into the queue, and my one-and-only Postfix
dutifully pulled it out of the queue and processed it all over again
from scratch, leading to a loop.

So I assume there's no way to tag messages in a single Postfix queue
with some sort of "already processed once -- let the secondary smtp
agent take care of this one" marker?  Instead, doing this requires a
separate Postfix instance (with its own separate queue)?

Rich Wales
ri...@richw.org


Re: FYI - Postfix 2.8.2 and CentOS 5.6

2011-05-02 Thread Ned Slider

On 02/05/11 17:21, Steve Jenkins wrote:

> This isn't a Postfix issue, just an FYI for those running updated
> versions of Postfix on CentOS.
>
> I recently updated one of my CentOS 5.5 systems (which was running
> Postfix 2.8.2 compiled from source) to CentOS 5.6. The Postfix package
> appeared nowhere on the upgrade list, and my /etc/yum.conf has
> "exclude=postfix*" However, after the upgrade and a reboot, Postfix
> wouldn't start. The maillog complained about the "smtpd pass" settings
> in master.cf that I had uncommented to enable Postscreen.

There was a (Red Hat/CentOS) security update to Postfix issued almost 3 
months after the upstream release of 5.6:


https://rhn.redhat.com/errata/RHSA-2011-0422.html

However, because CentOS were slow with the release of 5.6, the base 
update from 5.5 to 5.6, and subsequent errata to 5.6 were all rolled out 
simultaneously, including the Postfix update.


To exclude postfix updates, you'd need to add the exclude line to both 
the [base] and [updates] sections of your 
/etc/yum.repos.d/CentOS-Base.repo config file. From your description I'd 
guess you've perhaps only excluded postfix from [base] and not [updates].


Looking at the install scripts run from the Postfix RPM package in 
CentOS, looks like it's reset itself as the default Postfix install as 
you've surmised.


Running 'rpm -q postfix' would confirm if the latest Postfix RPM package 
slipped through your net during the 5.6 update.




Selective "RCPT TO" restrictions.

2011-05-02 Thread Randy Ramsdell
I am trying to configure a very selective list on who can send to
certain local accounts (could be many and currently contains maybe 30).



Currently, this is covered by:

smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_lists,permit_mynetworks,permit_sasl_authenticated 
 etc...


In this protected list we have this:

us...@localdomain.com permit_mynetworks,permit_sasl_authenticated,reject
.
.
.
user...@localdomain.com


I need to add an allow for specific cases for each 
user{1-100+}@NONlocaldomain.com to send to user{1-100+}@localdomain.com.


Sort of stuck here since the protected_lists only allow the form 
permit_mynetworks,permit_sasl_authenticated,reject and not include 
$allow_some_specific_non_local_user


Help with this would be greatly appreciated.

Thanks,
RCR


Re: FYI - Postfix 2.8.2 and CentOS 5.6

2011-05-02 Thread Steve Jenkins
On Mon, May 2, 2011 at 2:39 PM, Ned Slider  wrote:
> There was a (Red Hat/CentOS) security update to Postfix issued almost 3
> months after the upstream release of 5.6:
>
> https://rhn.redhat.com/errata/RHSA-2011-0422.html
>
> However, because CentOS were slow with the release of 5.6, the base update
> from 5.5 to 5.6, and subsequent errata to 5.6 were all rolled out
> simultaneously, including the Postfix update.

Ah, yep! That would explain it!

> To exclude postfix updates, you'd need to add the exclude line to both the
> [base] and [updates] sections of your /etc/yum.repos.d/CentOS-Base.repo
> config file. From your description I'd guess you've perhaps only excluded
> postfix from [base] and not [updates].

I actually didn't have it in either - I was under the (apparently
false) impression that just putting the exclude in yum.conf would
apply to any repo. It's in the CentOS-Base.repo file in [base] and
[updates] now, tho. Thank you. :)

> Looking at the install scripts run from the Postfix RPM package in CentOS,
> looks like it's reset itself as the default Postfix install as you've
> surmised.
>
> Running 'rpm -q postfix' would confirm if the latest Postfix RPM package
> slipped through your net during the 5.6 update.

Yep!

% rpm -q postfix
postfix-2.3.3-2.2.el5_6

Thanks for the excellent detective work, Ned. :)

SteveJ


Re: Spoofing problem

2011-05-02 Thread R F
>
> The above is the envelope sender.  You can configure postfix to reject your 
> own domain in the envelope sender from outside mail.  See numerous posts on 
> this in the archives.
> This will reject legit mail, but probably not a great amount.  Pick your pain 
> threshold.

That is probably something to try, unfortunately have tried google on
this but I can't find anything but your post. Can you point me out
something?


Re: Enabling sender-dependent authentication only for fallback relay?

2011-05-02 Thread Victor Duchovni
On Mon, May 02, 2011 at 02:33:31PM -0700, Rich Wales wrote:

> > The mail must be handled by a second separately configured smtp(8)
> > delivery agent, and therefore, must be placed in a separate queue,
> > which requires a separate instance.  If the message were handed off
> > to the same queue-manager it would loop.
> 
> Ah.  And, not surprisingly, when I tried to solve my problem using an
> alternative smtp in my master.cf, it did precisely that -- the second
> smtp threw the message back into the queue, and my one-and-only Postfix
> dutifully pulled it out of the queue and processed it all over again
> from scratch, leading to a loop.
> 
> So I assume there's no way to tag messages in a single Postfix queue
> with some sort of "already processed once -- let the secondary smtp
> agent take care of this one" marker?  Instead, doing this requires a
> separate Postfix instance (with its own separate queue)?

Yes, and this is no less efficient, and in fact the configuration is
IMHO simpler, and mailq(1) output is more meaningful, ...

-- 
Viktor.


Re: RFE: Make instance name visible in ps output

2011-05-02 Thread Wietse Venema
FYI, there exists no standard function to set the "process title".
BSD has setproctitle() in the system library which as the manpage
says, is "implicitly non-standard".

Other systems don't have an equivalent in their system library, as
far as I know.  I prefer not to maintain Postfix's own version.
Such code mucks with the argv array and is totally non-portable.

Wietse


Question re. IP address block of remote user

2011-05-02 Thread Des Dougan
On a new postfix/dovecot configuration, email is generally working OK. That 
said, I'm seeing "Client host rejected: Access denied" messages in the logs for 
two of the client company principals when they are connecting remotely. I'm 
pretty certain their mail clients are set up correctly to authenticate (but 
will confirm this tomorrow) as the owner is pretty tech-savvy. However, I did 
note in the logs that their local ip in the helo parameter (e.g. 
helo=<[192.168.1.125]>) is the same IP block (192.168.1.x) as the office LAN. 
Is it possible this is what is causing the access to be denied?

My postconf -n output is as follows:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relayhost = [mail.telus.net]
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.iprc.ca.cert
smtpd_tls_key_file = /etc/pki/tls/private/mail.iprc.ca.key
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


Thanks,

Des

--

Des Dougan
Principal
Dougan Consulting Group Inc.

  http://www.DouganConsulting.tel <-- Get all my contact information here.
  http://www.DouganConsulting.com

Peace of Mind, One Computer at a Time.

---

Imagine anyone on the planet being able to find and then contact you with a 
single click. YourName.tel is all you will give anyone ever again. Want in?

http://registertel.tel/



Re: Enabling sender-dependent authentication only for fallback relay?

2011-05-02 Thread Rich Wales
> Yes, and this is no less efficient, and in fact the configuration
> is IMHO simpler, and mailq(1) output is more meaningful, ...

Thanks again.

As it turned out, I was able to find a way to authenticate to my web
hosting service's outbound SMTP server using a single username/password
combo -- and thereby stop having to use sender-dependent authentication,
and thus avoid the problems which accompanied the sending of my auth
credentials to random servers, without needing to do anything complex.

For the time being, I'm happy. :-)  Thanks to everyone for their help.

Rich Wales
ri...@richw.org


Re: Question re. IP address block of remote user

2011-05-02 Thread Sahil Tandon
On Mon, 2011-05-02 at 18:09:48 -0700, Des Dougan wrote:

> On a new postfix/dovecot configuration, email is generally working OK.
> That said, I'm seeing "Client host rejected: Access denied" messages
> in the logs for two of the client company principals when they are
> connecting remotely. 

Show an exact excerpt from the logs that relates to the problematic
rejection.

> I'm pretty certain their mail clients are set up correctly to
> authenticate (but will confirm this tomorrow) as the owner is pretty
> tech-savvy. 

Postfix logs successful SASL authentication; do you see evidence of
this in the logs?

-- 
Sahil Tandon 


Re: Question re. IP address block of remote user

2011-05-02 Thread Des Dougan
On May 2011, at 6:58 PM, Sahil Tandon wrote:

> On Mon, 2011-05-02 at 18:09:48 -0700, Des Dougan wrote:
> 
>> On a new postfix/dovecot configuration, email is generally working OK.
>> That said, I'm seeing "Client host rejected: Access denied" messages
>> in the logs for two of the client company principals when they are
>> connecting remotely. 
> 
> Show an exact excerpt from the logs that relates to the problematic
> rejection.
> 
>> I'm pretty certain their mail clients are set up correctly to
>> authenticate (but will confirm this tomorrow) as the owner is pretty
>> tech-savvy. 
> 
> Postfix logs successful SASL authentication; do you see evidence of
> this in the logs?
> 
> -- 
> Sahil Tandon 

Sahil,

Thanks for your reply. I see this in the logs:

May  2 17:30:56 enterprise dovecot: imap-login: Login: user=, 
method=PLAIN, rip=DD.DD.DDD.DDD, lip=192.168.1.5, TLS
May  2 17:30:57 enterprise postfix/smtpd[2142]: connect from 
S01065475d08916e7.AA..net[DD.DD.DDD.DDD]
May  2 17:30:57 enterprise postfix/smtpd[2142]: NOQUEUE: reject: RCPT from 
S01065475d08916e7.AA..net[DD.DD.DDD.DDD]: 554 5.7.1 
: Client host rejected: 
Access denied; from= to= proto=ESMTP 
helo=<[192.168.1.121]>
May  2 17:30:57 enterprise postfix/smtpd[2142]: disconnect from 
S01065475d08916e7.AA..net[DD.DD.DDD.DDD]

So the user is logging in OK on the first line, as I understand it, but the 
message being attempted is not going out; this is the user's laptop and she is 
able to send when in the office, hence my question about the IP block. I am 
able to access remotely and send successfully from my system.


Thanks,

Des



Re: Question re. IP address block of remote user

2011-05-02 Thread Sahil Tandon
On Mon, 2011-05-02 at 19:16:42 -0700, Des Dougan wrote:

> On May 2011, at 6:58 PM, Sahil Tandon wrote:
> 
> > On Mon, 2011-05-02 at 18:09:48 -0700, Des Dougan wrote:
> > 
> >> On a new postfix/dovecot configuration, email is generally working OK.
> >> That said, I'm seeing "Client host rejected: Access denied" messages
> >> in the logs for two of the client company principals when they are
> >> connecting remotely. 
> > 
> > Show an exact excerpt from the logs that relates to the problematic
> > rejection.
> > 
> >> I'm pretty certain their mail clients are set up correctly to
> >> authenticate (but will confirm this tomorrow) as the owner is pretty
> >> tech-savvy. 
> > 
> > Postfix logs successful SASL authentication; do you see evidence of
> > this in the logs?
> 
> Thanks for your reply. I see this in the logs:
> 
> May  2 17:30:56 enterprise dovecot: imap-login: Login: user=, 
> method=PLAIN, rip=DD.DD.DDD.DDD, lip=192.168.1.5, TLS

This is DOVECOT. 

> May  2 17:30:57 enterprise postfix/smtpd[2142]: connect from 
> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]
> May  2 17:30:57 enterprise postfix/smtpd[2142]: NOQUEUE: reject: RCPT from 
> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]: 554 5.7.1 
> : Client host rejected: 
> Access denied; from= to= proto=ESMTP 
> helo=<[192.168.1.121]>
> May  2 17:30:57 enterprise postfix/smtpd[2142]: disconnect from 
> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]

Do you have POSTFIX logs that show successful authentication? 

-- 
Sahil Tandon 


Re: Question re. IP address block of remote user

2011-05-02 Thread Des Dougan

On May 2011, at 7:26 PM, Sahil Tandon wrote:

> On Mon, 2011-05-02 at 19:16:42 -0700, Des Dougan wrote:
> 
>> On May 2011, at 6:58 PM, Sahil Tandon wrote:
>> 
>>> On Mon, 2011-05-02 at 18:09:48 -0700, Des Dougan wrote:
>>> 
>>>> On a new postfix/dovecot configuration, email is generally working OK.
>>>> That said, I'm seeing "Client host rejected: Access denied" messages
>>>> in the logs for two of the client company principals when they are
>>>> connecting remotely. 
>>> 
>>> Show an exact excerpt from the logs that relates to the problematic
>>> rejection.
>>> 
>>>> I'm pretty certain their mail clients are set up correctly to
>>>> authenticate (but will confirm this tomorrow) as the owner is pretty
>>>> tech-savvy. 
>>> 
>>> Postfix logs successful SASL authentication; do you see evidence of
>>> this in the logs?
>> 
>> Thanks for your reply. I see this in the logs:
>> 
>> May  2 17:30:56 enterprise dovecot: imap-login: Login: user=, 
>> method=PLAIN, rip=DD.DD.DDD.DDD, lip=192.168.1.5, TLS
> 
> This is DOVECOT. 
> 
>> May  2 17:30:57 enterprise postfix/smtpd[2142]: connect from 
>> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]
>> May  2 17:30:57 enterprise postfix/smtpd[2142]: NOQUEUE: reject: RCPT from 
>> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]: 554 5.7.1 
>> : Client host rejected: 
>> Access denied; from= to= proto=ESMTP 
>> helo=<[192.168.1.121]>
>> May  2 17:30:57 enterprise postfix/smtpd[2142]: disconnect from 
>> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]
> 
> Do you have POSTFIX logs that show successful authentication? 
> 
> -- 
> Sahil Tandon 

Like this?:

May  2 17:30:53 enterprise postfix/smtpd[2142]: connect from 
S01065475d08916e7.AA..net[DD.DD.DDD.DDD]

Sorry I missed it previously.


Des




Re: Question re. IP address block of remote user

2011-05-02 Thread Des Dougan

On May 2011, at 7:26 PM, Sahil Tandon wrote:

> On Mon, 2011-05-02 at 19:16:42 -0700, Des Dougan wrote:
> 
>> On May 2011, at 6:58 PM, Sahil Tandon wrote:
>> 
>>> On Mon, 2011-05-02 at 18:09:48 -0700, Des Dougan wrote:
>>> 
>>>> On a new postfix/dovecot configuration, email is generally working OK.
>>>> That said, I'm seeing "Client host rejected: Access denied" messages
>>>> in the logs for two of the client company principals when they are
>>>> connecting remotely. 
>>> 
>>> Show an exact excerpt from the logs that relates to the problematic
>>> rejection.
>>> 
>>>> I'm pretty certain their mail clients are set up correctly to
>>>> authenticate (but will confirm this tomorrow) as the owner is pretty
>>>> tech-savvy. 
>>> 
>>> Postfix logs successful SASL authentication; do you see evidence of
>>> this in the logs?
>> 
>> Thanks for your reply. I see this in the logs:
>> 
>> May  2 17:30:56 enterprise dovecot: imap-login: Login: user=, 
>> method=PLAIN, rip=DD.DD.DDD.DDD, lip=192.168.1.5, TLS
> 
> This is DOVECOT. 
> 
>> May  2 17:30:57 enterprise postfix/smtpd[2142]: connect from 
>> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]
>> May  2 17:30:57 enterprise postfix/smtpd[2142]: NOQUEUE: reject: RCPT from 
>> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]: 554 5.7.1 
>> : Client host rejected: 
>> Access denied; from= to= proto=ESMTP 
>> helo=<[192.168.1.121]>
>> May  2 17:30:57 enterprise postfix/smtpd[2142]: disconnect from 
>> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]
> 
> Do you have POSTFIX logs that show successful authentication? 
> 
> -- 
> Sahil Tandon 

OK, just sent a test from my desktop, and see a successful sasl authentication 
that I'm not seeing for the other user. I'll follow up with them re. their 
client configuration. 

Thanks for your help.

Des



Re: Question re. IP address block of remote user

2011-05-02 Thread Sahil Tandon
On Mon, 2011-05-02 at 19:37:50 -0700, Des Dougan wrote:

> > Do you have POSTFIX logs that show successful authentication? 
> 
> Like this?:
> 
> May  2 17:30:53 enterprise postfix/smtpd[2142]: connect from 
> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]

No, that is just a connection.  Successful SASL authentication would be
logged similar to the below example, assuming you use PLAIN:

postfix/smtpd[60467]: B15C7120E5: client=example.org[XXX.XXX.XXX.XXX], 
sasl_method=PLAIN, sasl_username=foobar

-- 
Sahil Tandon 
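
The distinction drawn in the message above (a Dovecot IMAP login and a bare "connect from" line are not SMTP authentication; only a sasl_username entry is) can be checked mechanically. The following is an added example, not part of the original thread: it groups postfix/smtpd lines into sessions by process id and lists sessions that were rejected without any SASL login being logged. The sample log is constructed; host names, addresses and user names in it are made up.

```python
import re

# Constructed sample log; hosts, addresses and users are invented for the example.
SAMPLE_LOG = """\
May  2 17:30:56 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.168.1.5, TLS
May  2 17:30:57 mx postfix/smtpd[2142]: connect from client7.example.net[203.0.113.7]
May  2 17:30:57 mx postfix/smtpd[2142]: NOQUEUE: reject: RCPT from client7.example.net[203.0.113.7]: 554 5.7.1 <bob@example.org>: Client host rejected: Access denied; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<[192.168.1.121]>
May  2 17:30:57 mx postfix/smtpd[2142]: disconnect from client7.example.net[203.0.113.7]
May  2 17:41:10 mx postfix/smtpd[2150]: connect from client9.example.net[198.51.100.9]
May  2 17:41:11 mx postfix/smtpd[2150]: B15C7120E5: client=client9.example.net[198.51.100.9], sasl_method=PLAIN, sasl_username=carol
May  2 17:41:12 mx postfix/smtpd[2150]: disconnect from client9.example.net[198.51.100.9]
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SASL = re.compile(r"sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+)")


def smtpd_sessions(log_text):
    """Group smtpd lines into sessions, one per connect/disconnect pair.

    An smtpd process serves one client at a time, so the pid identifies
    the session between its "connect from" and "disconnect from" lines.
    """
    open_sessions = {}  # pid -> session still in progress
    finished = []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue  # dovecot and other services say nothing about SMTP AUTH
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            open_sessions[pid] = {"pid": pid,
                                  "client": msg[len("connect from "):],
                                  "sasl_username": None,
                                  "rejects": []}
            continue
        session = open_sessions.get(pid)
        if session is None:
            continue  # log excerpt starts mid-session
        sasl = SASL.search(msg)
        if sasl:
            session["sasl_username"] = sasl.group("user")
        elif msg.startswith("NOQUEUE: reject:"):
            session["rejects"].append(msg)
        elif msg.startswith("disconnect from "):
            finished.append(open_sessions.pop(pid))
    return finished + list(open_sessions.values())


def rejected_without_sasl(log_text):
    """Sessions with at least one reject and no sasl_username logged."""
    return [s for s in smtpd_sessions(log_text)
            if s["rejects"] and s["sasl_username"] is None]


if __name__ == "__main__":
    for s in rejected_without_sasl(SAMPLE_LOG):
        print(f"smtpd[{s['pid']}] {s['client']}: "
              f"{len(s['rejects'])} reject(s), no SASL login logged")
```

A session listed by this check is a lead for reviewing the mail client's SMTP authentication settings, which is where the thread ends up.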


Re: Question re. IP address block of remote user

2011-05-02 Thread Des Dougan

On May 2011, at 7:42 PM, Sahil Tandon wrote:

> On Mon, 2011-05-02 at 19:37:50 -0700, Des Dougan wrote:
> 
>>> Do you have POSTFIX logs that show successful authentication? 
>> 
>> Like this?:
>> 
>> May  2 17:30:53 enterprise postfix/smtpd[2142]: connect from 
>> S01065475d08916e7.AA..net[DD.DD.DDD.DDD]
> 
> No, that is just a connection.  Successful SASL authentication would be
> logged similar to the below example, assuming you use PLAIN:
> 
> postfix/smtpd[60467]: B15C7120E5: client=example.org[XXX.XXX.XXX.XXX], 
> sasl_method=PLAIN, sasl_username=foobar
> 
> -- 
> Sahil Tandon 

Thanks, Sahil.

Des




Re: Spoofing problem

2011-05-02 Thread Noel Jones

On 5/2/2011 7:10 PM, R F wrote:

>> The above is the envelope sender.  You can configure postfix to reject your own 
>> domain in the envelope sender from outside mail.  See numerous posts on this in 
>> the archives.
>> This will reject legit mail, but probably not a great amount.  Pick your pain 
>> threshold.
>
> That is probably something to try, unfortunately have tried google on
> this but I can't find anything but your post. Can you point me out
> something?


The idea is to allow authorized users first -- mynetworks and 
SASL authenticated -- then reject anyone else using your 
domain as the sender.  A bare-bones example:


# main.cf
smtpd_recipient_restrictions =
  permit_mynetworks
# uncomment next line if you use SASL
#  permit_sasl_authenticated
  reject_unauth_destination
  check_sender_access hash:/etc/postfix/sender_access


# sender_access
my.example.com  REJECT sender domain not authorized


- remember to issue "postfix reload" after editing main.cf.
- remember to "postmap sender_access" after editing it.



  -- Noel Jones
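
Why the order in the main.cf above matters, shown as an added example that is not part of the original post: a simplified model of first-match-wins restriction evaluation, run over constructed sessions. It assumes the variant with permit_sasl_authenticated uncommented; the networks, addresses and the relay-denied text are made up, and the table lookup is reduced to an exact match on the sender domain rather than the full access(5) lookup sequence.

```python
import ipaddress

# Constructed settings for the model; my.example.com is the post's placeholder.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
LOCAL_DOMAINS = {"my.example.com"}
SENDER_ACCESS = {"my.example.com": "REJECT sender domain not authorized"}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


# Each restriction returns "OK", a "REJECT ..." string, or None (no decision).
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "OK" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(s):
    return "OK" if s.get("sasl_username") else None


def reject_unauth_destination(s):
    if domain(s["rcpt"]) in LOCAL_DOMAINS:
        return None
    return "REJECT relay access denied"  # wording is illustrative


def check_sender_access(s):
    # Simplified: exact match on the envelope sender's domain only.
    return SENDER_ACCESS.get(domain(s["sender"]))


# Order from the post: authorized clients are permitted before the sender check.
POSTED_ORDER = [permit_mynetworks, permit_sasl_authenticated,
                reject_unauth_destination, check_sender_access]
# Misordered for comparison: the sender check runs before anyone is permitted.
SENDER_CHECK_FIRST = [check_sender_access, permit_mynetworks,
                      permit_sasl_authenticated, reject_unauth_destination]


def evaluate(restrictions, session):
    """Return (deciding restriction, verdict); the first decision wins."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict is not None:
            return restriction.__name__, verdict
    return "(end of list)", "OK"


# Constructed sessions.
LAN_USER = {"client_ip": "192.168.1.20", "sasl_username": None,
            "sender": "alice@my.example.com", "rcpt": "bob@example.org"}
ROAMING_AUTHED = {"client_ip": "203.0.113.7", "sasl_username": "alice",
                  "sender": "alice@my.example.com", "rcpt": "bob@example.org"}
OUTSIDE_FORGED = {"client_ip": "198.51.100.9", "sasl_username": None,
                  "sender": "alice@my.example.com", "rcpt": "carol@my.example.com"}
OUTSIDE_NORMAL = {"client_ip": "198.51.100.9", "sasl_username": None,
                  "sender": "dave@example.net", "rcpt": "carol@my.example.com"}

if __name__ == "__main__":
    cases = {"LAN user": LAN_USER, "roaming, authenticated": ROAMING_AUTHED,
             "outside, own domain as sender": OUTSIDE_FORGED,
             "outside, ordinary mail": OUTSIDE_NORMAL}
    for label, session in cases.items():
        print(f"{label:32} posted order: {evaluate(POSTED_ORDER, session)}")
        print(f"{'':32} sender first: {evaluate(SENDER_CHECK_FIRST, session)}")
```

With the sender check first, the LAN and authenticated users are rejected as well, which is the case the posted ordering avoids.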