rejecting mails to *.recipient@... for all but a few senders?

2011-10-24 Thread Julio Talaverano

Hi,

I've got this rather complicated problem:

1) a)  I'd like to block mails to specific internal recipients (e.g.
    *.r...@mycomp.com) but allow only one or more domains to send to them.
    b) blocking emails sent by these recipients (This is already in place
    using regexp header_checks).

2) At the same time I'd like to allow mails sent to one internal recipient
   (e.g. a...@mycomp.com) only from specific domains but reject mails from
   any other domain.

I'm using postfix 2.7.1 on RedHat 5.7


Any ideas?

Many Thanks 
Julio



Re: alias all users in one domain to another domain

2011-10-24 Thread Chris Richards


On Mon, October 24, 2011 12:28 am, Noel Jones wrote:
> On 10/23/2011 10:06 PM, Chris Richards wrote:
>> My question is this: how do I setup to alias all of my users in domain A
>> so that they also appear in domain B, and do so WITHOUT turning my server
>> into a backscatter source?
>
> virtual_alias_maps is the feature you need.  But *don't* use @domain
> wildcards, rather use 1-1 mapping for each user.
>
> us...@example.com us...@example.org
> us...@example.com us...@example.org
> userN...
>
> Use a script to generate the file.
>
> If you're using SQL maps, you can query for a user in one domain and
> return a result in another domain.  Examples have been posted here
> in the past.

Many thanks Noel.  Doing the 1-1 mapping was what I was thinking, since I
already have that functionality in place.  I just didn't want to have to
remap 1,096 users (although a properly constructed SQL query/insert should
do the trick).

In general I dislike 'magic' SQL queries (like querying for a user in one
domain and returning a result in another) because they hide too much of
what is going on with the server.  Too easy to get bitten by something
that's hidden in the bowels of the beast.

Thanks again.

Chris
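
Noel's advice quoted above (one entry per user, generated by a script, no @domain wildcard) could be implemented as follows. This is an added example, not code from the thread; the domains and user names are constructed, and the local-part check is a simplification rather than Postfix's own address parsing.

```python
import re

# Simplified local-part check (an assumption of this sketch, not Postfix's
# address parser): RFC 5321 "atext" characters and dots, never empty.
LOCALPART = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+$")


def build_alias_map(addresses, source_domain, alias_domain):
    """Build 1-1 virtual(5) entries: user@alias_domain -> user@source_domain.

    Returns (lines, rejected). Only addresses that exist in source_domain
    get an entry, so unknown recipients in alias_domain are still refused
    during the SMTP session instead of being accepted and bounced later.
    """
    source_domain = source_domain.lower()
    alias_domain = alias_domain.lower()
    seen, lines, rejected = set(), [], []
    for addr in addresses:
        addr = addr.strip()
        if not addr:
            continue
        local, at, domain = addr.rpartition("@")
        # An empty local part would yield "@alias_domain", the catch-all
        # key the advice says to avoid; other domains are not ours to map.
        if not at or not LOCALPART.match(local) or domain.lower() != source_domain:
            rejected.append(addr)
            continue
        key = local.lower()          # postmap folds keys to lower case by default
        if key in seen:              # same mailbox listed twice
            continue
        seen.add(key)
        lines.append("%s@%s\t%s@%s" % (key, alias_domain, local, source_domain))
    return sorted(lines), rejected


# Constructed sample input; a real run would read the existing user list.
SAMPLE_USERS = [
    "alice@example.org",
    "Bob@Example.org",
    "alice@example.org",      # duplicate
    "@example.org",           # would become a wildcard entry
    "carol@other.example",    # not in the source domain
]

if __name__ == "__main__":
    entries, skipped = build_alias_map(SAMPLE_USERS, "example.org", "example.com")
    print("\n".join(entries))
    for addr in skipped:
        print("# skipped: %s" % addr)
```

The output lines go into the file named by virtual_alias_maps, followed by a postmap run on that file.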



Postfix stable release 2.8.6, 2.7.7, 2.6.13, 2.5.16

2011-10-24 Thread Wietse Venema
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.6.html]

Postfix stable release 2.8.6, 2.7.7, 2.6.13 and 2.5.16 are available.
These contain fixes that are also included with the Postfix 2.9
experimental release.

* The Postfix SMTP daemon sent "bare" newline characters instead
  of <CR><LF> when a header_checks REJECT pattern matched
  multi-line header. This bug was introduced with Postfix 1.1.

* The Postfix SMTP daemon sent "bare" newline characters instead
  of <CR><LF> when an smtpd_proxy_filter returned a multi-line
  response. This bug was introduced with Postfix 2.1.

* For compatibility with future EAI (email address
  internationalization) implementations, the Postfix MIME
  processor no longer enforces the strict_mime_encoding_domain
  check on unknown message subtypes such as message/global*.
  This check is disabled by default.

* The Postfix master daemon could report a panic error
  ("master_spawn: at process limit") after the process limit
  for some service was reduced with "postfix reload". This bug
  existed in all Postfix versions.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


Protocol error: postfix-2.3 vs. 2.9

2011-10-24 Thread Ralf Hildebrandt
Uni-muenster.de tries to send mail to us:

We're returning (using postscreen):

220-mail.charite.de ESMTP 
421-4.3.2 All server ports are busy
421 4.3.2 Contact postmas...@charite.de (using a different email address!)  for 
technical assistance. Please provide the following information in your problem 
report: This error message, time (Oct 21 21:24:31), client (128.176.188.24) and 
server (mail.charite.de).

because at that time our 128 smtpds are all busy!

From my log:
Oct 21 21:24:31 mail postfix/postscreen[14632]: PASS OLD [128.176.188.24]:43296
Oct 21 21:24:31 mail postfix/postscreen[14632]: warning: cannot connect to 
service private/smtpd: Resource temporarily unavailable

and in their log they're getting:

Oct 21 21:24:31 zivmail postfix/smtp[7663]: C51E4BF414: 
to=,
relay=mail.charite.de[141.42.202.200]:25, delay=6.4, delays=0.27/0.01/6.1/0, 
dsn=5.5.0, status=bounced (Protocol error: host
mail.charite.de[141.42.202.200] refused to talk to me: 220-mail.charite.de 
ESMTP 421-4.3.2 All server ports are busy 421 4.3.2
Contact postmas...@charite.de (using a different email address!)  for technical 
assistance. Please provide the following information in your
problem report: This error message, time (Oct 21 21:24:31), client 
(128.176.188.24) and server (mail.charite.de). We speak both English and
German.)

Sending machine is Postfix-2.3.x
Receiving machine is mail.charite.de Postfix-2.9-20111012

Protocol error??

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



PATCH: Protocol error: postfix-2.3 vs. 2.9

2011-10-24 Thread Wietse Venema
Ralf Hildebrandt:
> Oct 21 21:24:31 zivmail postfix/smtp[7663]: C51E4BF414: 
> to=,
> relay=mail.charite.de[141.42.202.200]:25, delay=6.4, delays=0.27/0.01/6.1/0, 
> dsn=5.5.0, status=bounced (Protocol error: host
> mail.charite.de[141.42.202.200] refused to talk to me: 220-mail.charite.de 
> ESMTP 421-4.3.2 All server ports are busy 421 4.3.2
> Contact postmas...@charite.de (using a different email address!)  for 
> technical assistance. Please provide the following information in your
> problem report: This error message, time (Oct 21 21:24:31), client 
> (128.176.188.24) and server (mail.charite.de). We speak both English and
> German.)

This bug was fixed in Postfix 2.7 with the introduction of the
smtp_reply_filter feature, but it was never recorded in the HISTORY
file, and therefore it was never back-ported to earlier Postfix
versions.

Wietse

20111024

Bugfix (introduced: Postfix 2.3): while the Postfix SMTP
client's protocol parser uses the last SMTP reply line as
intended, the error processing routine was taking information
from the beginning of the response. This was causing "Protocol
error" bounces with postscreen responses on Postfix < 2.6.
Reported by Ralf Hildebrandt. File: smtp/smtp_trouble.c.

*** ../postfix-2.6.13/src/smtp/smtp_trouble.c   Thu Dec 13 20:01:56 2007
--- src/smtp/smtp_trouble.c Sat Nov 14 20:59:33 2009
***
*** 288,294 
   * cycles.
   */
  VSTRING_RESET(why->reason);
! if (mta_name && reply && reply[0] != '4' && reply[0] != '5') {
vstring_strcpy(why->reason, "Protocol error: ");
status = "5.5.0";
  }
--- 288,294 
   * cycles.
   */
  VSTRING_RESET(why->reason);
! if (mta_name && status && status[0] != '4' && status[0] != '5') {
vstring_strcpy(why->reason, "Protocol error: ");
status = "5.5.0";
  }
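
Review bot: the HISTORY entry says the bounces occur "on Postfix < 2.6", but the diff header is against postfix-2.6.13 and the covering message says the fix first appeared in 2.7, so 2.6 itself is affected and the entry should read "Postfix < 2.7". Nothing else in the visible lines needs to change for that; it is only the version bound in the changelog text that disagrees with the file the patch applies to.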


Re: Down To One Problem?

2011-10-24 Thread Jack Fredrikson


From: john 
To: postfix-users@postfix.org
Sent: Sunday, October 23, 2011 11:56 PM
Subject: Re: Down To One Problem?


> Might I suggest you take a look here Dovecot 2.0 documentation - How to which 
> has several extremely good Dovecot How-tos. Of particular 
> interest to you might be Virtual User Flat Files Postfix which show how to 
> setup Postfix + Dovecot  mail system, it includes a fairly comprehensive 
> recipe covering both the Dovecot and Postfix configurations.

Thank you. I was reading that and I was wondering specifically if the Virtual 
User Flat Files Postfix was what I needed :)
Jack

Re: Down To One Problem?

2011-10-24 Thread Jack Fredrikson




From: Noel Jones 
To: postfix-users@postfix.org
Sent: Monday, October 24, 2011 1:23 AM
Subject: Re: Down To One Problem?

> It seems you fail to understand some basics, and you continue to mix
> example commands from multiple unrelated solutions.

I plead guilty.

> It appears you've added a bunch of different features all at once,
> dovecot, SASL, virtual mailboxes, SQL maps, etc., and you don't know
> which piece is broken.  We don't either.
>
> - read the documentation.
> - repeat.
> - and again.
>
> - create a simple setup and test.
>
> - add features one at a time, making sure each one works before you
> go to the next step.

Will do.

> Looks as if the user f...@example.com doesn't accept mail.  Is that
> supposed to be a valid user?  Where is that domain listed in your
> postfix config?  Where is the user listed?

Now here you can help me directly. Yes, of course it's supposed to be valid. 
Where should I list the domain? Where should I list the user?
TIA,
Jack

limit recipent per message

2011-10-24 Thread Ejaz
Hello, 

 

Is it possible by postfix to send 100 recipient per message, also I would
like to maximum limit of the recipient per message by the postfix.  

 

Would any please guide me in this, thanks in advance 

 

Regards, 
__
Mohammed Ejaz 
Sr,Systems Administrator



 





I've Got To Be Close...

2011-10-24 Thread Jack Fredrikson
Hi;
I'm still getting this (and *only* this) error:
Oct 24 08:18:01 myserver postfix/pipe[21761]: 5CC9F5790195: to=, 
relay=dovecot, delay=0.66, delays=0.64/0/0/0.02, dsn=4.3.0, status=deferred 
(temporary failure)

queue_directory = /var/spool/postfix
myorigin = $mydomain
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
unknown_local_recipient_reject_code = 550
debug_peer_list =
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
mydomain = myserver.com
mydestination =
    $mydomain,
    $myhostname,
    localhost.$mydomain
mail_spool_directory = /var/spool/mail
home_mailbox = Mailbox
disable_vrfy_command = yes
show_user_unknown_table_name = no
data_directory = /var/lib/postfix
myhostname  = myserver.com
inet_interfaces = localhost, $myhostname
mynetworks  = $config_directory/mynetworks
relay_domains   = 
proxy:mysql:$config_directory/mysql_relay_domains_maps.cf
virtual_mailbox_base    = /var/vmail
virtual_mailbox_domains = bar.com another.com myserver.com
virtual_mailbox_maps    = hash:/etc/postfix/vmailbox
virtual_alias_maps  = hash:/etc/postfix/virtual
virtual_minimum_uid = 89
virtual_uid_maps    = static:89
virtual_gid_maps    = static:89
virtual_transport   = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_auth_enable  = yes
smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients    = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_application_name = smtpd
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
disable_vrfy_command    = yes
non_fqdn_reject_code    = 504
invalid_hostname_reject_code    = 450
maps_rbl_reject_code    = 554
alias_maps = hash:/etc/aliases
reject_unknown_client   = false
reject_unknown_hostname = false
mailbox_command = /usr/local/libexec/dovecot/deliver

Please advise.
TIA,
Jack

Re: I've Got To Be Close...

2011-10-24 Thread Jack Fredrikson
I forgot to add:

/etc/postfix/vmailbox includes lines such as:
f...@bar.com    bar.com/foo

and I have run these commands:

postmap /etc/postfix/vmailbox
postfix reload

TIA,
Jack


Re: I've Got To Be Close...

2011-10-24 Thread Simon Brereton
On 24 October 2011 11:20, Jack Fredrikson  wrote:
> Hi;
> I'm still getting this (and *only* this) error:
> Oct 24 08:18:01 myserver postfix/pipe[21761]: 5CC9F5790195:
> to=, relay=dovecot, delay=0.66, delays=0.64/0/0/0.02,
> dsn=4.3.0, status=deferred (temporary failure)

Sounds like your file permissions on the mail spool are wrong.  a) Check
your dovecot conf and test with 666 and b) make sure dovecot
(since that's what you're using to do the delivery) is the owner of
that directory.

Somewhere in this section...

> master {
>   path = /var/run/dovecot/auth-master
>   mode = 0660
>   user = vmail
>   group = mail
> }
> client {
>   path = /var/spool/postfix/private/auth
>   mode = 0660
>   user = postfix
>   group = mail
> }

And this is probably better off discussed on the dovecot list now that
you seem to have gotten postfix sorted out.

Although, since you expressed an intention to do spam filtering, I'd
suggest once you have resolved this problem come back here with a
postconf -n and ask for some hardening tips.  But you can start here:

http://linxnet.com/postfix_contrib.html

Simon



> queue_directory = /var/spool/postfix
> myorigin = $mydomain
> command_directory = /usr/sbin
> daemon_directory = /usr/libexec/postfix
> mail_owner = postfix
> inet_interfaces = all
> unknown_local_recipient_reject_code = 550
> debug_peer_list =
> sendmail_path = /usr/sbin/sendmail.postfix
> newaliases_path = /usr/bin/newaliases
> mailq_path = /usr/bin/mailq
> setgid_group = postdrop
> html_directory = no
> manpage_directory = /usr/local/man
> sample_directory = /etc/postfix
> readme_directory = no
> mydomain = myserver.com
> mydestination =
>     $mydomain,
>     $myhostname,
>     localhost.$mydomain
> mail_spool_directory = /var/spool/mail
> home_mailbox = Mailbox
> disable_vrfy_command = yes
> show_user_unknown_table_name = no
> data_directory = /var/lib/postfix
> myhostname  = myserver.com
> inet_interfaces = localhost, $myhostname
> mynetworks  = $config_directory/mynetworks
> relay_domains   =
> proxy:mysql:$config_directory/mysql_relay_domains_maps.cf
> virtual_mailbox_base    = /var/vmail
> virtual_mailbox_domains = bar.com another.com myserver.com
> virtual_mailbox_maps    = hash:/etc/postfix/vmailbox
> virtual_alias_maps  = hash:/etc/postfix/virtual
> virtual_minimum_uid = 89
> virtual_uid_maps    = static:89
> virtual_gid_maps    = static:89
> virtual_transport   = dovecot
> dovecot_destination_recipient_limit = 1
> smtpd_sasl_auth_enable  = yes
> smtpd_recipient_restrictions = permit_mynetworks,
>   permit_sasl_authenticated, reject_unauth_destination
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients    = yes
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = /var/spool/postfix/private/auth
> smtpd_sasl_application_name = smtpd
> smtpd_soft_error_limit = 10
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> disable_vrfy_command    = yes
> non_fqdn_reject_code    = 504
> invalid_hostname_reject_code    = 450
> maps_rbl_reject_code    = 554
> alias_maps = hash:/etc/aliases
> reject_unknown_client   = false
> reject_unknown_hostname = false
> mailbox_command = /usr/local/libexec/dovecot/deliver
>
> Please advise.
> TIA,
> Jack
>
>


Re: I've Got To Be Close...

2011-10-24 Thread Jack Fredrikson


From: Simon Brereton 
To: postfix users 
Sent: Monday, October 24, 2011 12:02 PM
Subject: Re: I've Got To Be Close...

> And this is probably better off discussed on the dovecot list now that
> you seem to have gotten postfix sorted out.
>
> Although, since you expressed an intention to do spam filtering, I'd
> suggest once you have resolved this problem come back here with a
> postconf -n and ask for some hardening tips.  But you can start here:
>
> http://linxnet.com/postfix_contrib.html

Thanks Simon et al. :)
Jack


Re: Down To One Problem?

2011-10-24 Thread /dev/rob0
On Monday 24 October 2011 08:49:49 Jack Fredrikson wrote:
> From: Noel Jones 
> > Looks as if the user f...@example.com doesn't accept mail.  Is
> > that supposed to be a valid user?  Where is that domain listed
> > in your postfix config?  Where is the user listed?
> 
> Now here you can help me directly. Yes, of course it's supposed to
> be valid. Where should I list the domain? Where should I list the
> user? TIA,

Again: http://www.postfix.org/ADDRESS_CLASS_README.html
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: rejecting mails to *.recipient@... for all but a few senders?

2011-10-24 Thread /dev/rob0
On Monday 24 October 2011 05:48:32 Julio Talaverano wrote:
> I've got this rather complicated problem:

You're in luck! There are similar examples in the documentation.

> 1) a)  I'd like to block mails to specific internal recipients
> (e.g. *.r...@mycomp.com) but allow only one or more domains to
> send to them.
> b) blocking emails sent by these recipients (This is already in
> place using regexp header_checks).
> 
> 2) At the same time I'd like to allow mails sent to one internal
> recipient (e.g. a...@mycomp.com) only from specific domains but
> reject mails  from any other domain.
> 
> I'm using postfix 2.7.1 on RedHat 5.7
> 
> 
> Any ideas?

http://www.postfix.org/RESTRICTION_CLASS_README.html
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: PATCH: Protocol error: postfix-2.3 vs. 2.9

2011-10-24 Thread Wietse Venema
Wietse Venema:
> Ralf Hildebrandt:
> > Oct 21 21:24:31 zivmail postfix/smtp[7663]: C51E4BF414: 
> > to=,
> > relay=mail.charite.de[141.42.202.200]:25, delay=6.4, 
> > delays=0.27/0.01/6.1/0, dsn=5.5.0, status=bounced (Protocol error: host
> > mail.charite.de[141.42.202.200] refused to talk to me: 220-mail.charite.de 
> > ESMTP 421-4.3.2 All server ports are busy 421 4.3.2
> > Contact postmas...@charite.de (using a different email address!)  for 
> > technical assistance. Please provide the following information in your
> > problem report: This error message, time (Oct 21 21:24:31), client 
> > (128.176.188.24) and server (mail.charite.de). We speak both English and
> > German.)
> 
> This bug was fixed in Postfix 2.7 with the introduction of the
> smtp_reply_filter feature, but it was never recorded in the HISTORY
> file, and therefore it was never back-ported to earlier Postfix
> versions.

There are two sides to this story. One side is that in Postfix
2.3..2.6 the SMTP client's error handling had a bug that was exposed
by postscreen's peculiar manner of blocking clients. But that is
not the real problem.

The other side of the story is that postscreen's error handling is
questionable.  When postscreen is unable to hand off a connection
to an smtpd process after sending the "220-" partial greeting,
postscreen sends a 421 response and hangs up. Now, sending 220-
followed by 421 violates SMTP. And that is the real problem.

The correct fix is to complete the 220 handshake as required by
SMTP, and to reply with 421 only after the client sends its first
command (unless the client sends QUIT). This eliminates cases
where postscreen violates SMTP, resulting in undefined behavior.

That will be the final fix for this problem. I'll cook up something
later this week.

Wietse

> 20111024
> 
>   Bugfix (introduced: Postfix 2.3): while the Postfix SMTP
>   client's protocol parser uses the last SMTP reply line as
>   intended, the error processing routine was taking information
>   from the beginning of the response. This was causing "Protocol
>   error" bounces with postscreen responses on Postfix < 2.6.
>   Reported by Ralf Hildebrandt. File: smtp/smtp_trouble.c.
> 
> *** ../postfix-2.6.13/src/smtp/smtp_trouble.c Thu Dec 13 20:01:56 2007
> --- src/smtp/smtp_trouble.c   Sat Nov 14 20:59:33 2009
> ***
> *** 288,294 
>* cycles.
>*/
>   VSTRING_RESET(why->reason);
> ! if (mta_name && reply && reply[0] != '4' && reply[0] != '5') {
>   vstring_strcpy(why->reason, "Protocol error: ");
>   status = "5.5.0";
>   }
> --- 288,294 
>* cycles.
>*/
>   VSTRING_RESET(why->reason);
> ! if (mta_name && status && status[0] != '4' && status[0] != '5') {
>   vstring_strcpy(why->reason, "Protocol error: ");
>   status = "5.5.0";
>   }
> 
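
Review bot: the test at line 291 now reads `status[0]`, but the visible context does not say where `status` is set or that it always begins with the class digit of the final reply line. The unchanged comment ending in "cycles." is the place to state that, and to record that `reply` can begin with an earlier line of a multi-line response (here "220-"), which is why `reply[0]` gave the wrong class.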

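The failure described in the message above can be reproduced with a small model of the client-side check: classify the response by the first byte of the text, then by the status taken from the last reply line, and flag responses that mix reply codes. This is an added example, not Postfix source; the sample response is constructed after the one quoted in the thread, and the fallback status for replies without an enhanced code is an assumption.

```python
import re

# One reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY_LINE = re.compile(r"^([2-5]\d\d)([ -])(.*)$")
# Enhanced status code (RFC 3463) at the start of the text, e.g. "4.3.2".
ENHANCED = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})\b")


def parse_reply(lines):
    """Parse one SMTP reply that may span several lines.

    The code and enhanced status come from the LAST line; "text" is the
    whole response joined the way it appears in the log excerpt above.
    """
    codes, kept, last = [], [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = REPLY_LINE.match(line)
        if m is None:
            raise ValueError("not an SMTP reply line: %r" % line)
        codes.append(m.group(1))
        kept.append(line)
        if m.group(2) == " ":          # final line of this reply
            last = m
            break
    if last is None:
        raise ValueError("reply has no final 'NNN text' line")
    dsn = ENHANCED.match(last.group(3))
    return {
        "code": codes[-1],
        # Assumption of this sketch: without an enhanced code, use "N.0.0".
        "status": dsn.group(1) if dsn else codes[-1][0] + ".0.0",
        "text": " ".join(kept),
        "mixed_codes": len(set(codes)) > 1,   # e.g. 220- followed by 421
    }


def classify(reply, fixed):
    """Model the test in the quoted hunk: the old code probes the start of
    the response text, the fix probes the status from the last line."""
    probe = reply["status"] if fixed else reply["text"]
    status = reply["status"] if probe[0] in "45" else "5.5.0"
    action = "deferred" if status[0] == "4" else "bounced"
    return action, status


# Constructed sample, shaped like the postscreen response quoted in the thread.
POSTSCREEN_BUSY = [
    "220-mail.example.org ESMTP\r\n",
    "421-4.3.2 All server ports are busy\r\n",
    "421 4.3.2 Contact the postmaster for technical assistance.\r\n",
]

if __name__ == "__main__":
    reply = parse_reply(POSTSCREEN_BUSY)
    print("mixed codes:", reply["mixed_codes"])
    print("before fix: ", classify(reply, fixed=False))
    print("after fix:  ", classify(reply, fixed=True))
```

The `mixed_codes` flag marks the server-side condition the message calls the real problem; a receiving site can use the same check on captured sessions to confirm that its greeting and refusal are no longer sent as one reply.
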

Need recommendation for Postfix/dovecot implementation for 200,000 users

2011-10-24 Thread Poh Yong Hwang
Hi all,

New to this mailing list here.

I have a requirement to setup a mail system for 200,000 users and it needs
to be Postfix for SMTP and dovecot 2 for IMAP.

May I know what is the best setup for such an implementation? Can postfix be
clustered?

Thanks!
Yongsan


Re: limit recipent per message

2011-10-24 Thread Kirill Bychkov
Please read the manual:
http://www.postfix.org/postconf.5.html#default_destination_recipient_limit
and
http://www.postfix.org/TUNING_README.html
chapter: Tuning the number of recipients per delivery


On 24 October 2011 18:43, Ejaz  wrote:

> Hello,
>
> Is it possible by postfix to send 100 recipient per message, also I would
> like to maximum limit of the recipient per message by the postfix.
>
> Would any please guide me in this, thanks in advance
>
> Regards,
> __
> Mohammed Ejaz
> Sr,Systems Administrator



-- 
Кирилл.


Re: Need recommendation for Postfix/dovecot implementation for 200,000 users

2011-10-24 Thread Stan Hoeppner
On 10/24/2011 9:30 PM, Poh Yong Hwang wrote:
> Hi all,
> 
> New to this mailing list here.
> 
> I have a requirement to setup a mail system for 200,000 users and it needs
> to be Postfix for SMTP and dovecot 2 for IMAP.
> 
> May I know what is the best setup for such an implementation? Can postfix be
> clustered?


Clustering of SMTP servers is accomplished by setting equal MX priority
in DNS for a given domain's MX hosts.  For example:

~$ dig mx ibm.com
...
ibm.com.        3600    IN      MX      10 e1.ny.us.ibm.com.
ibm.com.        3600    IN      MX      10 e3.ny.us.ibm.com.
ibm.com.        3600    IN      MX      10 e32.co.us.ibm.com.
ibm.com.        3600    IN      MX      10 e2.ny.us.ibm.com.
ibm.com.        3600    IN      MX      10 e4.ny.us.ibm.com.
ibm.com.        3600    IN      MX      10 e5.ny.us.ibm.com.
ibm.com.        3600    IN      MX      10 e6.ny.us.ibm.com.
ibm.com.        3600    IN      MX      10 e33.co.us.ibm.com.
ibm.com.        3600    IN      MX      10 e35.co.us.ibm.com.
ibm.com.        3600    IN      MX      10 e31.co.us.ibm.com.
ibm.com.        3600    IN      MX      10 e34.co.us.ibm.com.

This is a cluster of 10 inbound mail servers, though I'm not sure if
they're running Postfix.  Wietse maybe can tell us as he works for IBM.
The banner is ambiguous, possibly security through obscurity at play?

As to the Dovecot configuration for 200K mailboxes you should ask on
the Dovecot mailing list.

-- 
Stan