Re: Only allow specific sasl-authenticated users to relay

2011-11-04 Thread Reindl Harald


Am 04.11.2011 04:47, schrieb Chris Richards:
> I've got a situation where some clients on my network apparently have
> computers that have been compromised because every time they change their
> password, spammers on the outside get it and use their email account to
> spam

please do not try to solve such major problems in the wrong place

if you have compromised machines in your network, shut them down,
reinstall them or do anything to get them clean, but do not try
to solve one single sign of a major problem on the MTA









RE: postfix multiple instances

2011-11-04 Thread Amira Othman
I also have an error when reloading the second instance:
fatal: bind 192.168.1.60 port 25: Address already in use
but each of the instances has different myhostname and inet_interfaces
settings


> When I try to send mail to account from the second instance I get this error
> in maillog where myserver2 is virtual domain in the second postfix instance
> 
> relay=none, delay=13, delays=13/0.03/0/0, dsn=5.4.6, status=bounced (mail
> for myserver2.com loops back to myself)

Each instance MUST have a unique myhostname setting.

Each instance MUST have a unique inet_interfaces address list.

Otherwise, the Postfix SMTP client will report "mail loops back to
myself" errors.

Wietse



Re: www.open-spf.org server down domain name renewal

2011-11-04 Thread Jacqui Caren

On 03/11/2011 22:23, David Southwell wrote:

> Opening www.open-spf.org about two hours ago received the following:
>
> NOTICE: This domain name expired on 10/30/2011 and is pending renewal or
> deletion.

+1 just tried from ntlworld (I run my own named) and from a zen link with its
own named - same result!

Jacqui


Re: postfix multiple instances

2011-11-04 Thread Wietse Venema
Amira Othman:
> I also have an error when reloading the second instance:
> fatal: bind 192.168.1.60 port 25: Address already in use
> but each of the instances has different myhostname and inet_interfaces
> settings

The error message "Address already in use" PROVES that you have
multiple mail servers instances with the SAME IP address.

If you want real help, then you must show real evidence of your
myhostname and inet_interfaces settings, not "yes they are different".

Wietse

> 
> > When I try to send mail to account from the second instance I get this error
> > in maillog where myserver2 is virtual domain in the second postfix instance
> > 
> > relay=none, delay=13, delays=13/0.03/0/0, dsn=5.4.6, status=bounced (mail
> > for myserver2.com loops back to myself)
> 
> Each instance MUST have a unique myhostname setting.
> 
> Each instance MUST have a unique inet_interfaces address list.
> 
> Otherwise, the Postfix SMTP client will report "mail loops back to
> myself" errors.
> 
>   Wietse
> 
> 


RE: postfix multiple instances

2011-11-04 Thread Amira Othman
The first instance
myhostname = mail.mysever.com
inet_interfaces = 192.168.56.102
The second instance 

myhostname = mail.mysever2.com
inet_interfaces = 192.168.1.60



> I also have an error when reloading the second instance:
> fatal: bind 192.168.1.60 port 25: Address already in use
> but each of the instances has different myhostname and inet_interfaces
> settings

The error message "Address already in use" PROVES that you have
multiple mail servers instances with the SAME IP address.

If you want real help, then you must show real evidence of your
myhostname and inet_interfaces settings, not "yes they are different".

Wietse

> 
> > When I try to send mail to account from the second instance I get this error
> > in maillog where myserver2 is virtual domain in the second postfix instance
> > 
> > relay=none, delay=13, delays=13/0.03/0/0, dsn=5.4.6, status=bounced (mail
> > for myserver2.com loops back to myself)
> 
> Each instance MUST have a unique myhostname setting.
> 
> Each instance MUST have a unique inet_interfaces address list.
> 
> Otherwise, the Postfix SMTP client will report "mail loops back to
> myself" errors.
> 
>   Wietse
> 
> 



Plesk or equivalent to manage Postfix ?

2011-11-04 Thread Frank Bonnet

Hello

Has anyone ever used Plesk or another graphical interface
to manage Postfix ?

If yes, any info/advice welcome

Thank you




Re: postfix multiple instances

2011-11-04 Thread Wietse Venema
Amira Othman:
> The first instance
> myhostname = mail.mysever.com
> inet_interfaces = 192.168.56.102
> The second instance 
> 
> myhostname = mail.mysever2.com
> inet_interfaces = 192.168.1.60
> 
> > I also have an error when reloading the second instance:
> > fatal: bind 192.168.1.60 port 25: Address already in use

To find out what is using 192.168.1.60, use lsof or netstat.

Wietse


spf configuration woes

2011-11-04 Thread David Southwell
System freebsd 8

Cannot get spf working with the server. 
Thanks in advance for any assistance.

Here is the information:

The following lines appear in master.cf:
# Applied #1 postfix refereshed ok
 spf-policy unix -   n   n   -   0   spawn
  user=nobody argv=/usr/local/sbin/postfix-policyd-spf-perl

user nobody is in /etc/passwd
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin

in /usr/local/sbin we have:
[root@dns1 /usr/local/sbin]# ls -l |grep postfix
-rwxr-xr-x  1 root  wheel  117601 Nov  3 08:22 postfix
-r-xr-xr-x  1 root  wheel   11526 Nov  3 08:16 postfix-policyd-spf-perl


 If the following lines appear in main.cf 
  check_policy_service unix:private/policyd-spf
  policyd-spf_time_limit = 3600
 In the following context
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

  check_policy_service unix:private/policyd-spf
 policyd-spf_time_limit = 3600

 check_policy_service inet:127.0.0.1:10023

 
 Here is an example of maillog error reports: 
 
 
 Nov  3 10:57:51 dns1 postfix/smtpd[20636]: connect from mail-vw0-f52.google.com[209.85.212.52]
 Nov  3 10:57:52 dns1 postfix/smtpd[20636]: warning: connect to private/policyd-spf: Connection refused
 Nov  3 10:57:52 dns1 postfix/smtpd[20636]: warning: problem talking to server private/policyd-spf: Connection refused
 Nov  3 10:57:53 dns1 postfix/smtpd[20636]: warning: connect to private/policyd-spf: Connection refused
 Nov  3 10:57:53 dns1 postfix/smtpd[20636]: warning: problem talking to server private/policyd-spf: Connection refused
 Nov  3 10:57:53 dns1 postfix/smtpd[20636]: NOQUEUE: reject: RCPT from mail-vw0-f52.google.com[209.85.212.52]: 451 4.3.5 Server configuration problem; from=

Re: spf configuration woes

2011-11-04 Thread Wietse Venema
David Southwell:
> The following lines appear in master.cf:
>  spf-policy unix -   n   n   -   0   spawn

This says: spf-policy

>  If the following lines appear in main.cf 
>   check_policy_service unix:private/policyd-spf
> policyd-spf_time_limit = 3600

This says: policyd-spf

The names must be the same.

Wietse
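
The name mismatch pointed out above can be caught mechanically. The following is an added example, not code from Postfix or from any poster in this thread: it cross-checks every `check_policy_service unix:...` target in main.cf against the service names in master.cf. The two sample files are constructed from the fragments quoted in the thread, and the private-flag test is a simplification.

```python
"""Cross-check check_policy_service targets in main.cf against master.cf."""
import re

# Constructed sample input, modelled on the fragments quoted in this thread.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
spf-policy unix -       n       n       -       0       spawn
  user=nobody argv=/usr/local/sbin/postfix-policyd-spf-perl
"""

MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
  check_policy_service unix:private/policyd-spf,
  check_policy_service inet:127.0.0.1:10023
policyd-spf_time_limit = 3600
"""


def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def master_services(master_cf):
    """Return {(name, type): private_flag} for each master.cf service entry."""
    services = {}
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) >= 8:  # name type private unpriv chroot wakeup maxproc cmd
            services[(fields[0], fields[1])] = fields[2]
    return services


def policy_targets(main_cf):
    """Return the UNIX-domain socket paths that follow check_policy_service."""
    targets = []
    for line in logical_lines(main_cf):
        targets += re.findall(r"check_policy_service\s+unix:([^\s,]+)", line)
    return targets


def check(main_cf, master_cf):
    """Return a list of problems; an empty list means every target is defined."""
    services = master_services(master_cf)
    problems = []
    for path in policy_targets(main_cf):
        directory, _, name = path.rpartition("/")
        flag = services.get((name, "unix"))
        if flag is None:
            defined = sorted(n for n, t in services if t == "unix")
            problems.append(
                f"{path}: no unix service named {name!r} in master.cf "
                f"(defined: {', '.join(defined) or 'none'})")
        elif (directory == "private") != (flag in ("-", "y")):
            # Simplified: private services live under private/, others under public/.
            problems.append(f"{path}: master.cf private flag is {flag!r}")
    return problems


if __name__ == "__main__":
    for problem in check(MAIN_CF, MASTER_CF):
        print(problem)
```
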


Re: spf configuration woes

2011-11-04 Thread David Southwell
On Friday 04 November 2011 07:23:33 Wietse Venema wrote:
> David Southwell:
> > The following lines appear in master.cf:
> >  spf-policy unix -   n   n   -   0   spawn
> 
> This says: spf-policy
> 
> >  If the following lines appear in main.cf
> >  
> >   check_policy_service unix:private/policyd-spf
> > 
> > policyd-spf_time_limit = 3600
> 
> This says: policyd-spf
> 
> The names must be the same.
> 
>   Wietse
Hi Wietse

You spotted that quickly.

Unfortunately there must be more than that wrong (assuming I made the right 
corrections):

Changed master.cf lines to read:
 policyd-spf unix -   n   n   -   0   spawn
  user=nobody argv=/usr/local/sbin/postfix-policyd-spf-perl

Everything else remains the same HOWEVER:

But still got the following errors when the lines in main.cf were unchecked:

postfix/postfix-script[26646]: refreshing the Postfix mail system
Nov  4 07:32:48 dns1 postfix/master[1328]: reload -- version 2.8.5, configuration /usr/local/etc/postfix
Nov  4 07:37:21 dns1 postfix/smtpd[26676]: connect from bmdeda7.com[72.51.37.19]
Nov  4 07:37:21 dns1 postfix/smtpd[26676]: NOQUEUE: reject: RCPT from bmdeda7.com[72.51.37.19]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Nov  4 07:37:22 dns1 postfix/smtpd[26676]: disconnect from bmdeda7.com[72.51.37.19]
Nov  4 07:37:50 dns1 postfix/smtpd[26676]: connect from postbox.kde.org[46.4.96.248]
Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to private/policyd-spf: Connection refused
Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: problem talking to server private/policyd-spf: Connection refused
Nov  4 07:37:51 dns1 postfix/smtpd[26676]: warning: connect to private/policyd-spf: Connection refused
Nov  4 07:37:51 dns1 postfix/smtpd[26676]: warning: problem talking to server private/policyd-spf: Connection refused
Nov  4 07:37:51 dns1 postfix/smtpd[26676]: NOQUEUE: reject: RCPT from postbox.kde.org[46.4.96.248]: 451 4.3.5 Server configuration problem; from= to= proto=ESMTP helo=
Nov  4 07:37:51 dns1 postfix/smtpd[26676]: disconnect from postbox.kde.org[46.4.96.248]


Re: Plesk or equivalent to manage Postfix ?

2011-11-04 Thread /dev/rob0
On Friday 04 November 2011 08:13:59 Frank Bonnet wrote:
> Has anyone ever used Plesk or another graphical interface
> to manage Postfix ?

I'm sure they have.

> If yes, any info/advice welcome

Don't. Such a GUI can only be as good as the GUI creator's 
understanding of Postfix, and IME that does not seem to be very good.

If the actual problem you wish to address is to turn over control of 
user management to non-technical persons, there are other choices. 
Actual management of the MTA itself should never be turned over to 
non-technical persons.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header



Re: Plesk or equivalent to manage Postfix ?

2011-11-04 Thread Frank Bonnet

On 11/04/2011 03:48 PM, /dev/rob0 wrote:
> On Friday 04 November 2011 08:13:59 Frank Bonnet wrote:
> > Has anyone ever used Plesk or another graphical interface
> > to manage Postfix ?
>
> I'm sure they have.
>
> > If yes, any info/advice welcome
>
> Don't. Such a GUI can only be as good as the GUI creator's
> understanding of Postfix, and IME that does not seem to be very good.
>
> If the actual problem you wish to address is to turn over control of
> user management to non-technical persons, there are other choices.
> Actual management of the MTA itself should never be turned over to
> non-technical persons.

My problem is I MUST do this (delegate minor tasks to a non-technical
person).

Of course I will install/configure the server myself for the first startup.
But some tasks, such as users' creation / destruction, could be delegated
through an interface that avoids mistakes (I don't want to let them
modify something by hand !!!)




Re: Plesk or equivalent to manage Postfix ?

2011-11-04 Thread Frank Bonnet

On 11/04/2011 03:54 PM, Frank Bonnet wrote:
> On 11/04/2011 03:48 PM, /dev/rob0 wrote:
> > On Friday 04 November 2011 08:13:59 Frank Bonnet wrote:
> > > Has anyone ever used Plesk or another graphical interface
> > > to manage Postfix ?
> >
> > I'm sure they have.
> >
> > > If yes, any info/advice welcome
> >
> > Don't. Such a GUI can only be as good as the GUI creator's
> > understanding of Postfix, and IME that does not seem to be very good.
> >
> > If the actual problem you wish to address is to turn over control of
> > user management to non-technical persons, there are other choices.
> > Actual management of the MTA itself should never be turned over to
> > non-technical persons.
>
> My problem is I MUST do this (delegate minor tasks to a non-technical
> person).
> Of course I will install/configure the server myself for the first
> startup.
>
> But some tasks, such as users' creation / destruction, could be delegated
> through an interface that avoids mistakes (I don't want to let them
> modify something by hand !!!)

BTW this thread will soon become off topic so we should
continue offlist if you want

Thanks



Re: spf configuration woes

2011-11-04 Thread Wietse Venema
David Southwell:
> On Friday 04 November 2011 07:23:33 Wietse Venema wrote:
> > David Southwell:
> > > The following lines appear in master.cf:
> > >  spf-policy unix -   n   n   -   0   spawn
> > 
> > This says: spf-policy
> > 
> > >  If the following lines appear in main.cf
> > >  
> > >   check_policy_service unix:private/policyd-spf
> > > 
> > > policyd-spf_time_limit = 3600
> > 
> > This says: policyd-spf
> > 
> > The names must be the same.
> > 
> > Wietse
> Hi Wietse
> 
> You spotted that quickly.
> 
> Unfortunately there must be more than that wrong (assuming I made the right 
> corrections):
> 
> Changed master.cf lines to read:
>  policyd-spf unix -   n   n   -   0   spawn
>   user=nobody argv=/usr/local/sbin/postfix-policyd-spf-perl

You need to save the file before doing "postfix reload".

> Everything else remains the same HOWEVER:
> 
> But still got the following errors when the lines in main.cf were unchecked:
> 
> postfix/postfix-script[26646]: refreshing the Postfix mail system
> Nov  4 07:32:48 dns1 postfix/master[1328]: reload -- version 2.8.5, 
> configuration /usr/local/etc/postfix

You need to edit master.cf in /usr/local/etc/postfix.

You need to think about such details, because computers are stupid.

Wietse


Re: spf configuration woes

2011-11-04 Thread David Southwell
On Friday 04 November 2011 08:01:19 Wietse Venema wrote:
> David Southwell:
> [ Charset ISO-8859-1 unsupported, converting... ]
> 
> > On Friday 04 November 2011 07:23:33 Wietse Venema wrote:
> > > David Southwell:
> > > > The following lines appear in master.cf:
> > > >  spf-policy unix -   n   n   -   0   spawn
> > > 
> > > This says: spf-policy
> > > 
> > > >  If the following lines appear in main.cf
> > > >  
> > > >   check_policy_service unix:private/policyd-spf
> > > > 
> > > > policyd-spf_time_limit = 3600
> > > 
> > > This says: policyd-spf
> > > 
> > > The names must be the same.
> > > 
> > >   Wietse
> > 
> > Hi Wietse
> > 
> > You spotted that quickly.
> > 
> > Unfortunately there must be more than that wrong (assuming I made the
> > right corrections):
> > 
> > Changed master.cf lines to read:
> >  policyd-spf unix -   n   n   -   0   spawn
> >  
> >   user=nobody argv=/usr/local/sbin/postfix-policyd-spf-perl
> 
> You need to save the file before doing "postfix reload".
> 
> > Everything else remains the same HOWEVER:
> > 
> > But still got the following errors when the lines in main.cf were
> > unchecked:
> > 
> > postfix/postfix-script[26646]: refreshing the Postfix mail system
> > Nov  4 07:32:48 dns1 postfix/master[1328]: reload -- version 2.8.5,
> > configuration /usr/local/etc/postfix
> 
> You need to edit master.cf in /usr/local/etc/postfix.
> 
> You need to think about such details, because computers are stupid.
> 
>   Wietse

Umph I am not that stupid! The results were from /usr/local/etc/postfix as
shown! - I didn't realise you would assume the error came from such an
omission, otherwise I would have assured you to the contrary!

david



David



Re: Plesk or equivalent to manage Postfix ?

2011-11-04 Thread Antoine Nguyen

On 04/11/2011 15:54, Frank Bonnet wrote:
> On 11/04/2011 03:48 PM, /dev/rob0 wrote:
> > On Friday 04 November 2011 08:13:59 Frank Bonnet wrote:
> > > Has anyone ever used Plesk or another graphical interface
> > > to manage Postfix ?
> >
> > I'm sure they have.
> >
> > > If yes, any info/advice welcome
> >
> > Don't. Such a GUI can only be as good as the GUI creator's
> > understanding of Postfix, and IME that does not seem to be very good.
> >
> > If the actual problem you wish to address is to turn over control of
> > user management to non-technical persons, there are other choices.
> > Actual management of the MTA itself should never be turned over to
> > non-technical persons.
>
> My problem is I MUST do this (delegate minor tasks to a non-technical
> person).
> Of course I will install/configure the server myself for the first
> startup.
>
> But some tasks, such as users' creation / destruction, could be delegated
> through an interface that avoids mistakes (I don't want to let them
> modify something by hand !!!)


For domains and mailboxes management, you can take a look at 
http://modoboa.org/.


--
Antoine Nguyen
Modoboa developer
http://modoboa.org




Re: Plesk or equivalent to manage Postfix ?

2011-11-04 Thread Patrick Lists

On 11/04/2011 02:13 PM, Frank Bonnet wrote:
> Hello
>
> Has anyone ever used Plesk or another graphical interface
> to manage Postfix ?


Maybe http://sourceforge.net/projects/postfixadmin/

Regards,
Patrick


Re: spf configuration woes

2011-11-04 Thread Kris Deugau

David Southwell wrote:
> But still got the following errors when the lines in main.cf were unchecked:

[snip]

> Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to
> private/policyd-spf: Connection refused


You need to find out why your policy server isn't responding to Postfix.

Since it's set up for a Unix socket, you likely either have a 
permissions issue (eg, running as the wrong user) or the policy server 
isn't running.


-kgd


Re: spf configuration woes

2011-11-04 Thread David Southwell
On Friday 04 November 2011 08:01:19 Wietse Venema wrote:
> David Southwell:
> [ Charset ISO-8859-1 unsupported, converting... ]
> 
> > On Friday 04 November 2011 07:23:33 Wietse Venema wrote:
> > > David Southwell:
> > > > The following lines appear in master.cf:
> > > >  spf-policy unix -   n   n   -   0   spawn
> > > 
> > > This says: spf-policy
> > > 
> > > >  If the following lines appear in main.cf
> > > >  
> > > >   check_policy_service unix:private/policyd-spf
> > > > 
> > > > policyd-spf_time_limit = 3600
> > > 
> > > This says: policyd-spf
> > > 
> > > The names must be the same.
> > > 
> > >   Wietse
> > 
> > Hi Wietse
> > 
> > You spotted that quickly.
> > 
> > Unfortunately there must be more than that wrong (assuming I made the
> > right corrections):
> > 
> > Changed master.cf lines to read:
> >  policyd-spf unix -   n   n   -   0   spawn
> >  
> >   user=nobody argv=/usr/local/sbin/postfix-policyd-spf-perl
> 
> You need to save the file before doing "postfix reload".
> 
> > Everything else remains the same HOWEVER:
> > 
> > But still got the following errors when the lines in main.cf were
> > unchecked:
> > 
> > postfix/postfix-script[26646]: refreshing the Postfix mail system
> > Nov  4 07:32:48 dns1 postfix/master[1328]: reload -- version 2.8.5,
> > configuration /usr/local/etc/postfix
> 
> You need to edit master.cf in /usr/local/etc/postfix.
> 
> You need to think about such details, because computers are stupid.
> 
>   Wietse
Any other suggestions ? Could there be anything wrong with the time-limit 
statement? I have tried a few variations on that but to no avail. As soon as 
the spf lines are turned on I get the server configuration failure.

David


Re: spf configuration woes

2011-11-04 Thread David Southwell
On Friday 04 November 2011 09:24:40 Kris Deugau wrote:
> David Southwell wrote:
> > But still got the following errors when the lines in main.cf were unchecked:
> [snip]
> 
> > Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to
> > private/policyd-spf: Connection refused
> 
> You need to find out why your policy server isn't responding to Postfix.
> 
> Since it's set up for a Unix socket, you likely either have a
> permissions issue (eg, running as the wrong user) or the policy server
> isn't running.
> 
> -kgd
Sounds sensible. Any advice on how I can check that out?

David


Re: Only allow specific sasl-authenticated users to relay

2011-11-04 Thread Viktor Dukhovni
On Thu, Nov 03, 2011 at 10:47:18PM -0500, Chris Richards wrote:

> Am I right in guessing that if I do something like the following:
> 
> smtpd_sender_restrictions = permit_mynetworks,
>   check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
>   permit_sasl_authenticated,
>   reject;
> 
> where check_sender_access returns 'dunno' for 'trusted' clients and 'no'
> for 'untrusted' clients, that the result will be to fall through to
> permit_sasl_auth for the 'trusted' clients and fail entirely for the
> 'untrusted' clients who are OUTSIDE, but still permit normal relay for
> clients who are INSIDE?

If this is an MX host, you need to allow mail to your own domains
before you "reject" too, otherwise only your own users will be
able to send you email.

Since the sender address and the SASL login account are not
necessarily the same, you also need to use
reject_authenticated_sender_login_mismatch. So the whole thing
boils down to:

smtpd_sender_restrictions =
   permit_auth_destination,
   permit_mynetworks,
   check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
   reject_authenticated_sender_login_mismatch,
   permit_sasl_authenticated

You then also need smtpd_sender_login_maps and each authenticated user
will be constrained to only use the designated sender addresses. If that's
too much pain or is overly restrictive, perhaps as others have tried to
point out you may be solving the wrong problem, just configure the
authentication layer to lock the abused accounts and work on preventing
re-compromise of any accounts you plan to re-enable.

-- 
Viktor.
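
How the restriction list above plays out for different clients can be traced with a small model. This is an added example, not Postfix code and not part of the original message: it is a simplified first-match evaluator (full-address lookups only), and all addresses, networks and table contents are constructed. An OK result ends only this list; later lists such as smtpd_recipient_restrictions still apply.

```python
"""Toy first-match model of the smtpd_sender_restrictions list shown above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data; in Postfix these come from main.cf and lookup tables.
MYNETWORKS = [ip_network("192.168.0.0/16")]
LOCAL_DOMAINS = {"example.com"}                      # domains this MX accepts
SENDER_ACCESS = {"blocked@example.com": "REJECT"}    # check_sender_access table
SENDER_LOGIN_MAPS = {                                # smtpd_sender_login_maps
    "alice@example.com": {"alice"},
    "blocked@example.com": {"blocked"},
}


@dataclass
class Session:
    client_ip: str
    sender: str          # envelope MAIL FROM address
    recipient: str       # envelope RCPT TO address
    sasl_login: str = ""  # empty string: the client did not authenticate


def permit_auth_destination(s):
    domain = s.recipient.rsplit("@", 1)[-1]
    return "OK" if domain in LOCAL_DOMAINS else "DUNNO"


def permit_mynetworks(s):
    inside = any(ip_address(s.client_ip) in net for net in MYNETWORKS)
    return "OK" if inside else "DUNNO"


def check_sender_access(s):
    return SENDER_ACCESS.get(s.sender, "DUNNO")


def reject_authenticated_sender_login_mismatch(s):
    # Only authenticated clients are checked: the login must own MAIL FROM.
    owners = SENDER_LOGIN_MAPS.get(s.sender, set())
    if s.sasl_login and s.sasl_login not in owners:
        return "REJECT"
    return "DUNNO"


def permit_sasl_authenticated(s):
    return "OK" if s.sasl_login else "DUNNO"


RESTRICTIONS = [
    permit_auth_destination,
    permit_mynetworks,
    check_sender_access,
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
]


def evaluate(s):
    """Return (result, deciding restriction); the first non-DUNNO result wins."""
    for restriction in RESTRICTIONS:
        result = restriction(s)
        if result != "DUNNO":
            return result, restriction.__name__
    return "DUNNO", "end of list"


if __name__ == "__main__":
    cases = [
        Session("203.0.113.9", "someone@example.net", "alice@example.com"),
        Session("192.168.1.20", "bob@example.com", "x@example.net"),
        Session("198.51.100.7", "blocked@example.com", "x@example.net", "blocked"),
        Session("198.51.100.7", "alice@example.com", "x@example.net", "blocked"),
        Session("198.51.100.7", "alice@example.com", "x@example.net", "alice"),
    ]
    for case in cases:
        print(case, "->", evaluate(case))
```

The fourth case is the one the mismatch check exists for: the locked account presents a sender address that the access table does not list, and is still rejected because the login does not own that address.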


Re: spf configuration woes

2011-11-04 Thread Wietse Venema
David Southwell:
> On Friday 04 November 2011 09:24:40 Kris Deugau wrote:
> > David Southwell wrote:
> > > But still got the following errors when the lines in main.cf were unchecked:
> > [snip]
> > 
> > > Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to
> > > private/policyd-spf: Connection refused
> > 
> > You need to find out why your policy server isn't responding to Postfix.
> > 
> > Since it's set up for a Unix socket, you likely either have a
> > permissions issue (eg, running as the wrong user) or the policy server
> > isn't running.
> > 
> > -kgd
> Sounds sensible. Any advice on how I can check that out?

You can use lsof or netstat to find out what is listening.

On FreeBSD (which I recall is the platform) the error "Connection
refused" means that no process is listening on the port.

Hence, my suspicion about editing the wrong file or saving the file
at the wrong time.

Wietse


Re: spf configuration woes

2011-11-04 Thread David Southwell
On Friday 04 November 2011 10:24:54 Wietse Venema wrote:
> David Southwell:
> > On Friday 04 November 2011 09:24:40 Kris Deugau wrote:
> > > David Southwell wrote:
> > > > But still got the following errors when the lines in main.cf were unchecked:
> > > [snip]
> > > 
> > > > Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to
> > > > private/policyd-spf: Connection refused
> > > 
> > > You need to find out why your policy server isn't responding to
> > > Postfix.
> > > 
> > > Since it's set up for a Unix socket, you likely either have a
> > > permissions issue (eg, running as the wrong user) or the policy server
> > > isn't running.
> > > 
> > > -kgd
> > 
> > Sounds sensible. Any advice on how I can check that out?
> 
> You can use lsof or netstat to find out what is listening.
> 
> On FreeBSD (which I recall is the platform) the error "Connection
> refused" means that no process is listening on the port.
> 
> Hence, my suspicion about editing the wrong file or saving the file
> at the wrong time.
> 
>   Wietse

Makes sense but I do not think that is the problem. I have been most careful about
that bit.
Pardon my ignorance but where is the port configured and how is the process
started?
Thanks for your help
David




Re: spf configuration woes

2011-11-04 Thread David Southwell
On Friday 04 November 2011 10:24:54 Wietse Venema wrote:
> David Southwell:
> > On Friday 04 November 2011 09:24:40 Kris Deugau wrote:
> > > David Southwell wrote:
> > > > But still got the following errors when the lines in main.cf were unchecked:
> > > [snip]
> > > 
> > > > Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to
> > > > private/policyd-spf: Connection refused
> > > 
> > > You need to find out why your policy server isn't responding to
> > > Postfix.
> > > 
> > > Since it's set up for a Unix socket, you likely either have a
> > > permissions issue (eg, running as the wrong user) or the policy server
> > > isn't running.
> > > 
> > > -kgd
> > 
> > Sounds sensible. Any advice on how I can check that out?
> 
> You can use lsof or netstat to find out what is listening.
> 
> On FreeBSD (which I recall is the platform) the error "Connection
> refused" means that no process is listening on the port.
> 
> Hence, my suspicion about editing the wrong file or saving the file
> at the wrong time.
> 
>   Wietse


I tried to test policyd-spf-perl manually with results as can be seen below. 
This does seem to confirm the notion that for some as yet unbeknown reason the 
process is not being launched.

Any ideas where I should be looking?

[root@dns1 /usr/local/sbin]# postfix-policyd-spf-perl
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=hforge.com
queue_id=8045F2AB23
sender=info@hforge.com
recipient=da...@vizion2000.net
client_address=81.169.1.52
client_name=h.server***.net

action=PREPEND Received-SPF: none (hforge.com: No applicable sender policy available) receiver=dns1.vizion2000.net; identity=mailfrom; envelope-from="info@hforge.com"; helo=hforge.com; client-ip=81.169.1.52
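
The manual run above exercises the policy program on stdin, not the socket that smtpd connects to. The following added example (not part of the original post, and not Postfix code) sends the same kind of request over the UNIX-domain socket and reports why a connect fails; the request values are constructed, the socket path is passed as an argument, and the script has to run as a user allowed into the queue's private directory.

```python
"""Probe a Postfix policy-delegation socket and send one test request."""
import errno
import socket
import sys

# Constructed request using the attribute names from the manual test above.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "SMTP",
    "helo_name": "mail.example.net",
    "sender": "info@example.net",
    "recipient": "user@example.com",
    "client_address": "192.0.2.52",
    "client_name": "mail.example.net",
}

CONNECT_ERRORS = {
    errno.ENOENT: "missing",        # no socket file: service name or path wrong
    errno.ECONNREFUSED: "refused",  # socket file exists, nothing is listening
    errno.EACCES: "denied",         # caller may not enter the directory/socket
}


def encode_request(attrs):
    """Serialise attributes as name=value lines ended by one empty line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()).encode() + b"\n"


def parse_reply(data):
    """Return the value of the action= attribute, or None when it is absent."""
    for line in data.decode(errors="replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    return None


def probe(path, attrs=SAMPLE_REQUEST, timeout=5.0):
    """Return (status, detail); status is 'ok' or a key from CONNECT_ERRORS."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(path)
    except OSError as exc:
        sock.close()
        return CONNECT_ERRORS.get(exc.errno, "error"), str(exc)
    try:
        with sock:
            sock.sendall(encode_request(attrs))
            data = b""
            # The reply is action=... followed by an empty line.
            while not data.endswith(b"\n\n"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return "error", str(exc)
    return "ok", parse_reply(data)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py /path/to/queue_directory/private/SERVICE")
    status, detail = probe(sys.argv[1])
    print(f"{status}: {detail}")
```

A "refused" result matches the "Connection refused" warnings in the log: the socket file is there but master has no listener for that service name.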





Re: spf configuration woes

2011-11-04 Thread Fernando Maior
On Fri, Nov 4, 2011 at 3:57 PM, David Southwell wrote:

> On Friday 04 November 2011 10:24:54 Wietse Venema wrote:
> > David Southwell:
> > > On Friday 04 November 2011 09:24:40 Kris Deugau wrote:
> > > > David Southwell wrote:
> > > > > But still got the following errors when the lines in main.cf were unchecked:
> > > > [snip]
> > > >
> > > > > Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to
> > > > > private/policyd-spf: Connection refused
> > > >
> > > > You need to find out why your policy server isn't responding to
> > > > Postfix.
> > > >
> > > > Since it's set up for a Unix socket, you likely either have a
> > > > permissions issue (eg, running as the wrong user) or the policy server
> > > > isn't running.
> > > >
> > > > -kgd
> > >
> > > Sounds sensible. Any advice on how I can check that out?
> >
> > You can use lsof or netstat to find out what is listening.
> >
> > On FreeBSD (which I recall is the platform) the error "Connection
> > refused" means that no process is listening on the port.
> >
> > Hence, my suspicion about editing the wrong file or saving the file
> > at the wrong time.
> >
> >   Wietse
>
>
> I tried to test policyd-spf-perl manually with results as can be seen
> below.
> This does seem to confirm the notion that for some as yet unbeknown reason
> the
> process is not being launched.
>
> Any ideas where I should be looking?
>
> [root@dns1 /usr/local/sbin]# postfix-policyd-spf-perl
> request=smtpd_access_policy
> protocol_state=RCPT
> protocol_name=SMTP
> helo_name=hforge.com
> queue_id=8045F2AB23
> sender=info@hforge.com
> recipient=da...@vizion2000.net
> client_address=81.169.1.52
> client_name=h.server***.net
>
> action=PREPEND Received-SPF: none (hforge.com: No applicable sender
> policy
> available) receiver=dns1.vizion2000.net; identity=mailfrom; envelope-
> from="info@hforge.com"; helo=hforge.com; client-ip=81.169.1.52
>
>
Usually, when you can run a process as root and cannot start it
as a background service, the problem is that the user that is the
owner of the service does not have enough permissions to open
or access some resource (usually pid file, run file, socket file or
config file).

Try looking for:

1) which user/group is the owner of the service when you started
it in background as a daemon.

2) see if that user/group has enough permissions to access the
files it should access with read AND write permissions. Look for
pid files, socket files and at last for config file.

Fernando Maior


Re: Plesk or equivalent to manage Postfix ?

2011-11-04 Thread Patrick Ben Koetter
* Frank Bonnet :
> On 11/04/2011 03:48 PM, /dev/rob0 wrote:
> >On Friday 04 November 2011 08:13:59 Frank Bonnet wrote:
> >>Has anyone ever used Plesk or another graphical interface
> >>to manage Postfix ?
> >I'm sure they have.
> >
> >>If yes any infos/advices welcome
> >Don't. Such a GUI can only be as good as the GUI creator's
> >understanding of Postfix, and IME that does not seem to be very good.
> >
> >If the actual problem you wish to address is to turn over control of
> >user management to non-technical persons, there are other choices.
> >Actual management of the MTA itself should never be turned over to
> >non-technical persons.
> 
> My problem is I MUST do this ( delegate minor tasks to a non
> technical person )
> of course I will install/configure the server myself for the first startup.
> But some tasks such user's creation / destruction could be delegated

Modoboa is  a web based application to create, administrate, and use virtual
domain hosting platforms.

Modoboa stores its data in a SQL backend (like MySQL or PostgreSQL). Using
this database, you can integrate Modoboa with other mail components, such as
Postfix or Dovecot.

It is written in Python and uses the Django and Mootools frameworks.

And last but not least, Modoboa is open source and is licensed under the
MIT-license.
http://modoboa.org/


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



How to relay email to a different smtp server if received on a different (reinjection) port

2011-11-04 Thread martijn.list
Hi,

I have an after-queue content filter. The content filter injects the
email back into Postfix after filtering the email, aka reinjection port.
After reinjecting the email, I would like Postfix to relay the email to
a different host than the default relay host, i.e., if email is received
by Postfix on the reinjection port, relay the email to server 192.168.6.6.

One solution seems to define a content_filter for the reinjection
handler in master.cf:

external unix -   -   n   -   4  smtp

127.0.0.1:10026 inet  n   -   n   -   10  smtpd
    -o content_filter=external:192.168.6.6:25
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8

The content filter reinjects the email back into Postfix on
127.0.0.1:10026. Postfix then again filters the email and uses the
external processor which sends the email to 192.168.6.6:25.

Is this the best way to do this or are there better/more elegant ways to
do this?

Kind regards,

Martijn Brinkers


Re: spf configuration woes

2011-11-04 Thread Wietse Venema
David Southwell:
> > > > > Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to
> > > > > private/policyd-spf: Connection refused
> > 
> > You can use lsof or netstat to find out what is listening.

Have you tried that already?

> > On FreeBSD (which I recall is the platform) the error "Connection
> > refused" means that no process is listening on the port.
> > 
> > Hence, my suspicion about editing the wrong file or saving the file
> > at the wrong time.

> Pardon my ignorance but where is port configured and how is the process 
> started?

The port (/some/where/private/policyd-spf) is configured in master.cf.

You use lsof or netstat to verify that something is listening on
that port. 

If nothing is listening, then you made an error configuring master.cf.

Wietse
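
The lsof/netstat check above can also be made by speaking the policy delegation protocol to the socket directly, the way the manual stdin test earlier in the thread did. This is an added example, not part of the original thread; the default socket path is an assumption and the sample attribute values are constructed.

```python
import socket
import sys

# Constructed sample request; attribute names are those used in the manual test.
SAMPLE = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "sender": "info@example.com",
    "recipient": "user@example.org",
    "client_address": "192.0.2.25",
}

def build_request(attrs):
    """Serialise attributes as name=value lines ended by an empty line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()).encode() + b"\n"

def parse_action(reply):
    """Return the value of the action= line in a policy reply, or None."""
    for line in reply.decode(errors="replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    return None

def probe(path, attrs, timeout=5.0):
    """Return ('ok', action) or (failure_reason, None)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
            s.sendall(build_request(attrs))
            reply = b""
            while b"\n\n" not in reply:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except FileNotFoundError:
            return ("no-socket-file", None)      # ENOENT: no socket file at that path
        except ConnectionRefusedError:
            return ("nothing-listening", None)   # ECONNREFUSED: file exists, no listener
        except PermissionError:
            return ("permission-denied", None)   # caller may not enter private/
        except socket.timeout:
            return ("timeout", None)
    return ("ok", parse_action(reply))

if __name__ == "__main__":
    # Assumed default path; the directory comes from `postconf queue_directory`.
    print(probe(sys.argv[1] if len(sys.argv) > 1
                else "/var/spool/postfix/private/policyd-spf", SAMPLE))
```

Run it as root or as the postfix user, since the private directory is not readable by other accounts.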


Signing injected mail

2011-11-04 Thread Simon Brereton
Hi

Amavis checks both incoming and outgoing mail.  DKIMPROXY signs
outgoing mail (sadly, before Amavis, so amavis verifies the signature
- but I'm okay with that for now) on the submission port.

Mail that is injected (i.e. from CRON, applications, etc), still
passes through amavis (obviously) but doesn't get signed.  I would
like to sign those mails as well.

As I was writing this, it occurred to me that the way to do that is to
add the content filter in master.cf

   -o content_filter=dksign:[127.0.0.1]:10028

I think I need to add that to the pickup line - is that correct?  If
not, where do I add it so that mails that are injected are added?

Thanks.

Simon


Re: spf configuration woes

2011-11-04 Thread Benny Pedersen

On Fri, 4 Nov 2011 07:45:47 -0700, David Southwell wrote:

> policyd-spf unix -   n   n   -   0   spawn
>   user=nobody argv=/usr/local/sbin/postfix-policyd-spf-perl

nobody has no write permissions in postfix private socket dir

> Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to
> private/policyd-spf: Connection refused

since socket is missing


Re: Plesk or equivalent to manage Postfix ?

2011-11-04 Thread Benny Pedersen

On Fri, 04 Nov 2011 14:13:59 +0100, Frank Bonnet wrote:

> Has anyone ever used Plesk or another graphical interface
> to manage Postfix ?


postfixadmin just works, so i keep my problem :-)


Re: spf configuration woes

2011-11-04 Thread Wietse Venema
Benny Pedersen:
> On Fri, 4 Nov 2011 07:45:47 -0700, David Southwell wrote:
> >  policyd-spf unix -   n   n   -   0   spawn
> >   user=nobody argv=/usr/local/sbin/postfix-policyd-spf-perl
> 
> nobody has no write permissions in postfix private socket dir

No, the Postfix master daemon creates the socket. It runs with
system privileges.

> > Nov  4 07:37:50 dns1 postfix/smtpd[26676]: warning: connect to
> > private/policyd-spf: Connection refused
> 
> since socket is missing

Yes, because of a master.cf configuration error.

Wietse
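
Both the policyd-spf spawn entry and the reinjection listener posted earlier depend on master.cf's rule that a line starting with whitespace continues the previous entry. The sketch below is an added example, not code from the thread or from Postfix: it parses the entries quoted on this list and shows how the same text reads once the indentation is lost (a constructed failure case, not a diagnosis of the poster's file). The function names are hypothetical.

```python
# Constructed sample built from the master.cf entries quoted in this thread.
GOOD = """\
policyd-spf unix -   n   n   -   0   spawn
  user=nobody argv=/usr/local/sbin/postfix-policyd-spf-perl
external unix -   -   n   -   4  smtp
127.0.0.1:10026 inet  n   -   n   -   10  smtpd
  -o content_filter=external:192.168.6.6:25
  -o mynetworks=127.0.0.0/8
"""
# Constructed failure case: the same text with every line's indentation stripped.
BROKEN = "\n".join(line.lstrip() for line in GOOD.splitlines())

def parse_master_cf(text):
    """Join continuation lines, then split each entry into its eight fields."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        f = line.split()
        entry = {"service": f[0], "raw": line, "ok": len(f) >= 8}
        if entry["ok"]:
            entry.update(type=f[1], command=f[7], args=f[8:])
            # Collect "-o name=value" overrides given after the command name.
            entry["overrides"] = dict(
                a.split("=", 1) for prev, a in zip(f[7:], f[8:])
                if prev == "-o" and "=" in a)
        entries.append(entry)
    return entries

def find_problems(entries):
    """Flag lines that are not service entries and spawn services without argv=."""
    problems = []
    for e in entries:
        if not e["ok"]:
            problems.append(f"not a service entry (lost indentation?): {e['raw']}")
        elif e["command"] == "spawn" and not any(a.startswith("argv=") for a in e["args"]):
            problems.append(f"{e['service']}: spawn without argv=")
    return problems

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(name, find_problems(parse_master_cf(text)))
```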


Command time limit exceeded: "/usr/bin/procmail"

2011-11-04 Thread Noah

Hi,

I am getting bounces to one of my accounts on my personal server from an 
account that is forwarding mail.   I administrate the entire server.


I am not invoking spamc or spamassassin system-wide nor by my account.

I am running postfix+amavisd+spamassassin to catch spam.

the system wide procmailrc looks like this
$ cat /etc/procmailrc
LOGFILE=/var/log/procmail.log
#Uncomment below for troubleshooting
VERBOSE=YES
LOGABSTRACT=YES

I just turned on logrotate for the log file

 ls -l /var/log/procmail.log
-rw--- 1 root mail 33821491 Nov  2 23:11 /var/log/procmail.log


After searching the /var/log/procmail.log file I was unable to find a 
corresponding error message nor was I able to find a log for the message 
that was attempted delivery.  Does anybody have ideas about what else to 
check please?



Here is my users' ~/.procmailrc

$ cat .procmailrc
PATH=/usr/local/bin:/bin:/usr/bin:$PATH
HOME=/home/
MAILIN=$HOME/mail
DEFAULT=/var/mail/
#MAILDIR=$HOME/Mail
#LOGFILE=$MAILDIR/from
LOCKFILE=/var/mail/.lock
NULL=/dev/null

I can see the bounce claiming "Command time limit exceeded: 
"/usr/bin/procmail"" back to my secondary account is originating from my 
machine by looking directly at the SMTP header.  There are absolutely no 
spammers and spam email involved in this situation.


and there is a corresponding (Command time limit exceeded: 
"/usr/bin/procmail") log entry in /var/log/mail.log


So what can I do to keep procmail from claiming a time out?  Is 
there a global server setting I can configure?


move from mbox to Maildir?

2011-11-04 Thread Noah

Hi there,

I have problems with a lot of memory needed for indexing my mbox by 
dovecot and wondering if I transitioned from mbox to Maildir if that 
would help with the indexing processing?  If so is there a good tutorial 
for moving postfix from mbox to Maildir?


Cheers,

Noah


Re: move from mbox to Maildir?

2011-11-04 Thread John Hinton

On 11/4/2011 8:44 PM, Noah wrote:

> Hi there,
>
> I have problems with a lot of memory needed for indexing my mbox by 
> dovecot and wondering if I transitioned from mbox to Maildir if that 
> would help with the indexing processing?  If so is there a good 
> tutorial for moving postfix from mbox to Maildir?
>
>
> Cheers,
>
> Noah

Noah,

I used a program called imapsync. So far it has moved complete IMAP 
folder structures and emails from mbox to Maildir. Flags 
(read/unread/etc) were kept. It has done a really good job with very few 
errors. Mostly, clients who created folders that aren't acceptable 
between my Sendmail mbox systems and my Postfix Maildir systems.


Speed increase has been revolutionary! Same with the reduction in server 
loads. Also makes feasible rsync backups of users' emails.


There are a number of packagers providing imapsync for major Linux 
flavors. It is a command line operation... basically calling the script 
and feeding host1, user1, password1 to host2,user2, password2. It then 
outputs results as they happen and gives a report at the end with total 
errors reported.


If you are going to make the transition on the live single system, I'm 
not sure imapsync can do it. There are other scripts for that. Google is 
your friend.


--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: move from mbox to Maildir?

2011-11-04 Thread Noah




> If you are going to make the transition on the live single system, I'm
> not sure imapsync can do it. There are other scripts for that. Google is
> your friend.


Hi,

okay thanks John for the feedback and knowledge about your experience. 
It's valuable to know.  I can google the search of course but I am hoping 
somebody could recommend a good mbox to Maildir transition script so I 
know I am getting something that works really well.  I am keeping 
everything on the same server.


Cheers,
Noah








Re: move from mbox to Maildir?

2011-11-04 Thread Benny Pedersen

On Fri, 04 Nov 2011 18:28:27 -0700, Noah wrote:


> okay thanks John for the feedback and knowledge about your
> experience. It's valuable to know.  I can google the search of course
> but I am hoping somebody could recommend a good mbox to Maildir
> transition script so I know I am getting something that works really
> well.  I am keeping everything on the same server.


http://www.google.dk/search?gcx=w&ix=c2&sourceid=chrome&ie=UTF-8&q=imap2maildir

try finding imapsync in your distro, or maybe if dovecot 2.x then there 
is a dsync, that will copy one mailbox from eg mbox format to another 
login and thus convert from mbox to eg maildir, useful if one likes to 
migrate from postfix maildir to dovecot maildir or courier-imap to 
dovecot, this can be shell scripted


i myself have some perl scripts to help manage content when new users 
want to move their mail, most users say thanks for my help, so this is 
worth more than money for me :)


http://www.google.dk/search?aq=f&gcx=w&ix=c2&sourceid=chrome&ie=UTF-8&q=imapsync



Re: Command time limit exceeded: "/usr/bin/procmail"

2011-11-04 Thread Stan Hoeppner
On 11/4/2011 7:43 PM, Noah wrote:


> and there is a corresponding (Command time limit exceeded:
> "/usr/bin/procmail") log entry in /var/log/mail.log
> 
> so what can I do to circumvent procmail from claiming a time out.  is
> there a global server setting I can configure?

Find and fix the problem with procmail.  Have you looked in your
procmail log?  If so you didn't paste relevant snippets here.  In fact
you didn't paste any relevant Postfix log lines either, but only header
snippets, which are mostly useless for troubleshooting the MTA.  The
list welcome message instructs you to post actual Postfix logging, NOT
headers.

-- 
Stan