Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Hari Hendaryanto

hai,

i used to have this configuration in my postfix

master.cf
127.0.0.1:12345 inet  n   n   n   -   0  spawn
  user=nobody argv=/etc/postfix/blah.py

main.cf
127.0.0.1:12345_time_limit = 3600s

postfix never complained about this configuration when i reload it.

using Postfix 2.9 Snapshot 2013 it generates warning

# postfix reload
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 127.0.0.1:12345_time_limit=3600s

postfix/postfix-script: refreshing the Postfix mail system

am i missing something here?


thanks




Re: Increasing number of connections?

2011-11-17 Thread Claudio Kuenzler
It's possible that amavisd slows down your postfix.
You can try to increase the number of amavis processes in the config:

$max_servers = 5;# number of pre-forked children

The number of amavisd processes is independent of the smtp processes.

On Thu, Nov 17, 2011 at 7:15 AM, Alex  wrote:

> Hi,
>
> >> I built a dual-Xeon quad-core box with 8GB using fedora15 and
> >> postfix-v2.8.5 and during various times during the day connections to
> >> port 25 timeout or are very slow. The majority of times this happens
> >> is under peak loads, but even times when it's not at capacity it may
> >> do this.
> >
> > Often slow smtpd connections are caused by not having enough smtpd
> > processes running.
> >
> > On your hardware, postfix will support thousands of smtpd processes.
> >  Use netstat or lsof to see how many connections postfix is handling
> > when you experience slowdowns.
>
> It's in the hundreds. There is also some amount of iowait, but I don't
> think that's the issue.
>
> When using amavisd-new, shouldn't the number of processes match the
> number of smtpd processes?
>
> I think what I'm concerned about is having postfix receive more
> messages than amavisd can process?
>
> > If zombie spambots are using up most of your available connections,
> > postscreen will likely help.
> > http://www.postfix.org/POSTSCREEN_README.html
>
> Yes, looks like this would be a good thing to do is a general idea.
>
> Thanks again,
> Alex
>


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread lst_hoe02

Quoting Hari Hendaryanto:

> hai,
>
> i used to have this configuration in my postfix
>
> master.cf
> 127.0.0.1:12345 inet  n   n   n   -   0  spawn
>   user=nobody argv=/etc/postfix/blah.py
>
> main.cf
> 127.0.0.1:12345_time_limit = 3600s
>
> postfix never complained about this configuration when i reload it.
>
> using Postfix 2.9 Snapshot 2013 it generates warning
>
> # postfix reload
> /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 127.0.0.1:12345_time_limit=3600s
>
> postfix/postfix-script: refreshing the Postfix mail system
>
> am i missing something here?


From the changelog:

2012

Cleanup: postconf finally warns about possible mis-typed
main.cf and master.cf parameter names (i.e. parameters that
aren't used anywhere), and it finally displays user-defined
main.cf parameters that *are* used.  File: postconf/postconf.c.


Regards

Andreas





Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Ralf Hildebrandt
* Hari Hendaryanto :
> hai,
> 
> i used to have this configuration in my postfix
> 
> master.cf
> 127.0.0.1:12345 inet  n   n   n   -   0  spawn
>   user=nobody argv=/etc/postfix/blah.py
> 
> main.cf
> 127.0.0.1:12345_time_limit = 3600s

This parameter does not exist.

$ postconf |grep time_limit
command_time_limit = 1000s
lmtp_connection_cache_time_limit = 2s
lmtp_connection_reuse_time_limit = 300s
postscreen_command_time_limit = ${stress?10}${stress:300}s
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s

Just remove it, it never worked.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Stan Hoeppner
On 11/17/2011 4:27 AM, Ralf Hildebrandt wrote:
> * Hari Hendaryanto :
>> hai,
>>
>> i used to have this configuration in my postfix
>>
>> master.cf
>> 127.0.0.1:12345 inet  n   n   n   -   0  spawn
>>   user=nobody argv=/etc/postfix/blah.py
>>
>> main.cf
>> 127.0.0.1:12345_time_limit = 3600s
> 
> This parameter does not exist.
> 
> $ postconf |grep time_limit
> command_time_limit = 1000s
> lmtp_connection_cache_time_limit = 2s
> lmtp_connection_reuse_time_limit = 300s
> postscreen_command_time_limit = ${stress?10}${stress:300}s
> smtp_connection_cache_time_limit = 2s
> smtp_connection_reuse_time_limit = 300s
> 
> Just remove it, it never worked.

http://www.postfix.org/SMTPD_POLICY_README.html

 1 /etc/postfix/master.cf:
 2 127.0.0.1:9998  inet  n  n  n  -   0   spawn
 3   user=nobody argv=/some/where/policy-server
 4
 5 /etc/postfix/main.cf:
 6 smtpd_recipient_restrictions =
 7 ...
 8 reject_unauth_destination
 9 check_policy_service inet:127.0.0.1:9998
10 ...
11 127.0.0.1:9998_time_limit = 3600

Note #11.  Does this mean this is still valid, or that the docs need
changing?

-- 
Stan


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Wietse Venema
Stan Hoeppner:
> http://www.postfix.org/SMTPD_POLICY_README.html
> 
>  1 /etc/postfix/master.cf:
>  2 127.0.0.1:9998  inet  n  n  n  -   0   spawn
>  3   user=nobody argv=/some/where/policy-server
>  4
>  5 /etc/postfix/main.cf:
>  6 smtpd_recipient_restrictions =
>  7 ...
>  8 reject_unauth_destination
>  9 check_policy_service inet:127.0.0.1:9998
> 10 ...
> 11 127.0.0.1:9998_time_limit = 3600
> 
> Note #11.  Does this mean this is still valid, or that the docs need
> changing?

#11 is valid ONLY IF #2 exists. Without #2 it is a non-existent
parameter.

Wietse


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Hari Hendaryanto

On 11/17/2011 6:30 PM, Wietse Venema wrote:
> Stan Hoeppner:
>> http://www.postfix.org/SMTPD_POLICY_README.html
>>
>>   1 /etc/postfix/master.cf:
>>   2 127.0.0.1:9998  inet  n  n  n  -   0   spawn
>>   3   user=nobody argv=/some/where/policy-server
>>   4
>>   5 /etc/postfix/main.cf:
>>   6 smtpd_recipient_restrictions =
>>   7 ...
>>   8 reject_unauth_destination
>>   9 check_policy_service inet:127.0.0.1:9998
>> 10 ...
>> 11 127.0.0.1:9998_time_limit = 3600
>>
>> Note #11.  Does this mean this is still valid, or that the docs need
>> changing?
>
> #11 is valid ONLY IF #2 exists. Without #2 it is a non-existent
> parameter.
>
> Wietse


yes sir, #2 does exist in my case...




Re: more actions for *header_checks/body_checks

2011-11-17 Thread Wietse Venema
Solar Designer:
> On Wed, Nov 16, 2011 at 08:02:03PM -0500, Wietse Venema wrote:
> > Solar Designer:
> > > OK.  I took a look at the code and I see those difficulties now.  How
> > > about something like the attached patch?  It's totally untested other
> > > than that it compiles, and it's probably wrong (especially considering
> > > that it's the first time I am dealing with this code) - but I think it
> > > illustrates what I am speaking about.
> > 
> > It appears to disable body_checks
> 
> On purpose - after a match resulting in ACCEPT, that is.  I admit that I
> had my specific use case in mind, though.
> 
> > and perhaps Milters too.
> 
> Yes, it looks so.  Instead of CLEANUP_FLAG_FILTER_ALL I think it should
> use CLEANUP_FLAG_FILTER.
> 
> > This is
> > not hard to fix.  The idea of redirecting header callback to a NOOP
> > is interesting (but this needs to be part of the per-message state,
> > as it must not affect the next message).
> 
> DISCARD does the same thing with flags, so I assumed it was per-message.
> No?
> 
> > I think it is not a problem to add an ACCEPT this message action
> > now. You don't have to provide the whole solution.
> 
> Does this mean you're going to implement it?  Sounds great if so.  And
> the default action feature, please - I'd use them together.

ACCEPT in header_checks == turn off header checks for this message.

No Postfix table-driven feature has support for unmatched patterns;
No Postfix table-driven "yes/permit/accept" feature overrides other
table-driven features.

If you really want such things then I suggest using a Perl script
with Net::SMTP as a tiny content filter.

Wietse


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Ralf Hildebrandt
* Stan Hoeppner :

>  1 /etc/postfix/master.cf:
>  2 127.0.0.1:9998  inet  n  n  n  -   0   spawn
>  3   user=nobody argv=/some/where/policy-server
>  4
>  5 /etc/postfix/main.cf:
>  6 smtpd_recipient_restrictions =
>  7 ...
>  8 reject_unauth_destination
>  9 check_policy_service inet:127.0.0.1:9998
> 10 ...
> 11 127.0.0.1:9998_time_limit = 3600
> 
> Note #11.  Does this mean this is still valid, or that the docs need
> changing?

For 127.0.0.1:9998_time_limit, wouldn't _time_limit exist?
(i.e. spawn_time_limit, pipe_time_limit). Instead, only command_time_limit exists

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



local and remote delivery for the same domain(s)

2011-11-17 Thread Panagiotis Drakopoulos

Hi,
I would like to know if the following scenario is possible with postfix:

We have a mailing list server list.domain.com .

my mailing lists have names of the forms m...@domain.com and 
m...@subdomain.domain.com.


All mailing lists and most of their members belong to an ldap directory.

My problem is the way to separate local(mailing lists) from remote users 
for all domains and subdomains.



Thank you
Panagiotis


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Wietse Venema
Hari Hendaryanto:
> On 11/17/2011 6:30 PM, Wietse Venema wrote:
> > Stan Hoeppner:
> >> http://www.postfix.org/SMTPD_POLICY_README.html
> >>
> >>   1 /etc/postfix/master.cf:
> >>   2 127.0.0.1:9998  inet  n  n  n  -   0   spawn
> >>   3   user=nobody argv=/some/where/policy-server
> >>   4
> >>   5 /etc/postfix/main.cf:
> >>   6 smtpd_recipient_restrictions =
> >>   7 ...
> >>   8 reject_unauth_destination
> >>   9 check_policy_service inet:127.0.0.1:9998
> >> 10 ...
> >> 11 127.0.0.1:9998_time_limit = 3600
> >>
> >> Note #11.  Does this mean this is still valid, or that the docs need
> >> changing?
> > #11 is valid ONLY IF #2 exists. Without #2 it is a non-existent
> > parameter.
> >
> > Wietse
> >
> yes sir, #2 does exist in my case...

Why don't you show the real evidence, instead of your anonymized version.

Wietse


Re: local and remote delivery for the same domain(s)

2011-11-17 Thread Wietse Venema
Panagiotis Drakopoulos:
> Hi,
> I would like to know if the following scenario is possible with postfix:
> 
> We have a mailing list server list.domain.com .
> 
> my mailing lists have names of the forms m...@domain.com and 
> m...@subdomain.domain.com.
> 
> All mailing lists and most of their members belong to an ldap directory.
> 
> My problem is the way to separate local(mailing lists) from remote users 
> for all domains and subdomains.

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local

Wietse


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Wietse Venema
Wietse Venema:
> > >> Note #11.  Does this mean this is still valid, or that the docs need
> > >> changing?
> > > #11 is valid ONLY IF #2 exists. Without #2 it is a non-existent
> > > parameter.
> > >
> > >   Wietse
> > >
> > yes sir, #2 does exist in my case...
> 
> Why don't you show the real evidence, instead of your anonymized version.

Well, I tested this at some point. I'll see what change has broken it.

Wietse


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Jerry
On Thu, 17 Nov 2011 18:28:35 +0700
Hari Hendaryanto articulated:

> On 11/17/2011 6:30 PM, Wietse Venema wrote:
> > Stan Hoeppner:
> >> http://www.postfix.org/SMTPD_POLICY_README.html
> >>
> >>   1 /etc/postfix/master.cf:
> >>   2 127.0.0.1:9998  inet  n  n  n  -   0   spawn
> >>   3   user=nobody argv=/some/where/policy-server
> >>   4
> >>   5 /etc/postfix/main.cf:
> >>   6 smtpd_recipient_restrictions =
> >>   7 ...
> >>   8 reject_unauth_destination
> >>   9 check_policy_service inet:127.0.0.1:9998
> >> 10 ...
> >> 11 127.0.0.1:9998_time_limit = 3600
> >>
> >> Note #11.  Does this mean this is still valid, or that the docs
> >> need changing?
> > #11 is valid ONLY IF #2 exists. Without #2 it is a non-existent
> > parameter.
> >
> > Wietse
> >
> yes sir, #2 does exist in my case...

Could you please provide the output from the postfinger tool. This can
be found at http://ftp.wl0.org/SOURCES/postfinger.

-- 
Jerry ✌
postfix-u...@seibercom.net


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Hari Hendaryanto

On 11/17/2011 7:03 PM, Wietse Venema wrote:
> Hari Hendaryanto:
> > On 11/17/2011 6:30 PM, Wietse Venema wrote:
> > > Stan Hoeppner:
> > >> http://www.postfix.org/SMTPD_POLICY_README.html
> > >>
> > >>   1 /etc/postfix/master.cf:
> > >>   2 127.0.0.1:9998  inet  n  n  n  -   0   spawn
> > >>   3   user=nobody argv=/some/where/policy-server
> > >>   4
> > >>   5 /etc/postfix/main.cf:
> > >>   6 smtpd_recipient_restrictions =
> > >>   7 ...
> > >>   8 reject_unauth_destination
> > >>   9 check_policy_service inet:127.0.0.1:9998
> > >> 10 ...
> > >> 11 127.0.0.1:9998_time_limit = 3600
> > >>
> > >> Note #11.  Does this mean this is still valid, or that the docs need
> > >> changing?
> > > #11 is valid ONLY IF #2 exists. Without #2 it is a non-existent
> > > parameter.
> > >
> > > Wietse
> > >
> > yes sir, #2 does exist in my case...
>
> Why don't you show the real evidence, instead of your anonymized version.
>
> Wietse

ok, i'm sorry

master.cf
127.0.0.1:2527 inet  n   n   n   -   0  spawn
  user=nobody argv=/etc/postfix/sender.pl

main.cf
127.0.0.1:2527_time_limit = 7200s

log does not say anything

postconf -n does not show user-defined parameter

# postconf -n | grep 2527
[..]
smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination, 
reject_unlisted_recipient, reject_unauth_pipelining, 
check_sender_access  tcp:127.0.0.1:2527,

[..]
postconf: warning: /etc/postfix/main.cf: unused parameter: 127.0.0.1:2527_time_limit=7200s

[..]

postfix reload is the only evidence i've got

# postfix reload
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 127.0.0.1:2527_time_limit=7200s

postfix/postfix-script: refreshing the Postfix mail system




Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Wietse Venema
Wietse Venema:
> Wietse Venema:
> > > >> Note #11.  Does this mean this is still valid, or that the docs need
> > > >> changing?
> > > > #11 is valid ONLY IF #2 exists. Without #2 it is a non-existent
> > > > parameter.
> > > >
> > > > Wietse
> > > >
> > > yes sir, #2 does exist in my case...
> > 
> > Why don't you show the real evidence, instead of your anonymized version.
> 
> Well, I tested this at some point. I'll see what change has broken it.

Found it. The code works for "unix"-based spawn services. I'll add a
line for "inet"-based ones.

Wietse


Re: Increasing number of connections?

2011-11-17 Thread Noel Jones
On 11/17/2011 12:15 AM, Alex wrote:
> Hi,
> 
>>> I built a dual-Xeon quad-core box with 8GB using fedora15 and
>>> postfix-v2.8.5 and during various times during the day connections to
>>> port 25 timeout or are very slow. The majority of times this happens
>>> is under peak loads, but even times when it's not at capacity it may
>>> do this.
>>
>> Often slow smtpd connections are caused by not having enough smtpd
>> processes running.
>>
>> On your hardware, postfix will support thousands of smtpd processes.
>>  Use netstat or lsof to see how many connections postfix is handling
>> when you experience slowdowns.
> 
> It's in the hundreds. 

The question is: is the number of connections your system is
handling at peak nearly equal to the number of connections
configured?  If yes, then you need to configure more connections.

If many of the connections are spambots, postscreen will help.
That's what it is designed for.

> When using amavisd-new, shouldn't the number of processes match the
> number of smtpd processes?

When using amavisd-new as a content_filter, the number of postfix
smtp->amavisd feeder processes should be equal to (or maybe one less
than for monitoring) the number of amavisd processes.  This is
independent of the number of smtpd input processes.


> I think what I'm concerned about is having postfix receive more
> messages than amavisd can process?

Yes, that's a concern when using any content_filter, but really a
separate issue.

If you limit the input by using too few smtpd processes, connecting
clients will get timeouts.

Your system should handle 20~30 amavisd-new processes.  Check the
amavisd-new and spamassassin documentation and user lists for
performance tips (90%+ of amavisd-new processing time is spent in
spamassassin).



  -- Noel Jones


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Wietse Venema
Wietse Venema:
> Wietse Venema:
> > Wietse Venema:
> > > > >> Note #11.  Does this mean this is still valid, or that the docs need
> > > > >> changing?
> > > > > #11 is valid ONLY IF #2 exists. Without #2 it is a non-existent
> > > > > parameter.
> > > > >
> > > > >   Wietse
> > > > >
> > > > yes sir, #2 does exist in my case...
> > > 
> > > Why don't you show the real evidence, instead of your anonymized version.
> > 
> > Well, I tested this at some point. I'll see what change has broken it.
> 
> Found it. The code works for "unix"-based spawn services. I'll add a
> line for "inet"-based ones.

Fix: delete this test from postconf.c:

    /*
     * Skip all endpoints except UNIX-domain sockets.
     */
    if (strcmp(argv->argv[1], MASTER_XPORT_NAME_UNIX) != 0)
        continue;

Fixed by removing code!

Wietse
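
Added example (not part of the thread and not Postfix source): a simplified C model of the check discussed above, showing why a scan limited to "unix" spawn services reports `127.0.0.1:2527_time_limit` as unused while a scan of all endpoints recognizes it. The sample master.cf text and the helper names `spawn_param_names` and `is_unused_param` are constructed for illustration; built-in parameters are not modeled.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 16
#define NAME_LEN  128

/* Constructed sample master.cf text: one inet and one unix spawn service. */
static const char *sample_master_cf =
    "# service type private unpriv chroot wakeup maxproc command\n"
    "smtp           inet n - n - - smtpd\n"
    "127.0.0.1:2527 inet n n n - 0 spawn\n"
    "  user=nobody argv=/etc/postfix/sender.pl\n"
    "policy         unix - n n - 0 spawn\n"
    "  user=nobody argv=/some/where/policy-server\n";

/*
 * Collect "<service>_time_limit" for every spawn service in master.cf text.
 * unix_only != 0 models the endpoint test that the thread removes.
 * Returns the number of names stored in names[].
 */
static int spawn_param_names(const char *cf, int unix_only,
                             char names[][NAME_LEN], int max)
{
    int count = 0;

    while (*cf != '\0' && count < max) {
        const char *eol = strchr(cf, '\n');
        size_t len = eol ? (size_t)(eol - cf) : strlen(cf);
        char line[256], name[64], type[16], cmd[32];
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;

        memcpy(line, cf, n);
        line[n] = '\0';
        cf += len + (eol ? 1 : 0);

        /* Skip comments, blank lines and continuation lines. */
        if (line[0] == '#' || line[0] == '\0' ||
            line[0] == ' ' || line[0] == '\t')
            continue;
        /* Fields: name type private unpriv chroot wakeup maxproc command */
        if (sscanf(line, "%63s %15s %*s %*s %*s %*s %*s %31s",
                   name, type, cmd) != 3)
            continue;
        if (strcmp(cmd, "spawn") != 0)
            continue;
        if (unix_only && strcmp(type, "unix") != 0)
            continue;               /* models the removed test */
        snprintf(names[count++], NAME_LEN, "%s_time_limit", name);
    }
    return count;
}

/* Return 1 if param would be reported as unused, 0 if a service defines it. */
static int is_unused_param(const char *cf, int unix_only, const char *param)
{
    char names[MAX_NAMES][NAME_LEN];
    int i, n = spawn_param_names(cf, unix_only, names, MAX_NAMES);

    for (i = 0; i < n; i++)
        if (strcmp(names[i], param) == 0)
            return 0;
    return 1;
}

int main(void)
{
    const char *param = "127.0.0.1:2527_time_limit";

    printf("unix-only scan: %s is %s\n", param,
           is_unused_param(sample_master_cf, 1, param) ? "unused" : "known");
    printf("all endpoints:  %s is %s\n", param,
           is_unused_param(sample_master_cf, 0, param) ? "unused" : "known");
    return 0;
}
```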


Re: Postfix 2.9 Snapshot 20111113 warning

2011-11-17 Thread Hari Hendaryanto

On 11/17/2011 8:06 PM, Wietse Venema wrote:
> Wietse Venema:
> > Wietse Venema:
> > > Wietse Venema:
> > > > > >> Note #11.  Does this mean this is still valid, or that the docs need
> > > > > >> changing?
> > > > > > #11 is valid ONLY IF #2 exists. Without #2 it is a non-existent
> > > > > > parameter.
> > > > > >
> > > > > >   Wietse
> > > > > >
> > > > > yes sir, #2 does exist in my case...
> > > >
> > > > Why don't you show the real evidence, instead of your anonymized version.
> > >
> > > Well, I tested this at some point. I'll see what change has broken it.
> >
> > Found it. The code works for "unix"-based spawn services. I'll add a
> > line for "inet"-based ones.
>
> Fix: delete this test from postconf.c:
>
>     /*
>      * Skip all endpoints except UNIX-domain sockets.
>      */
>     if (strcmp(argv->argv[1], MASTER_XPORT_NAME_UNIX) != 0)
>         continue;
>
> Fixed by removing code!
>
> Wietse

i've recompiled, it works now :)

thanks for the efforts




spamcop abusing mail systems worldwide

2011-11-17 Thread Dan The Man



Today I had an unhappy unix student try to submit an assignment to me and 
could not. Spamcop has decided to go off blacklisting all yahoo/shaw etc 
servers worldwide.


Solution:
remove: reject_rbl_client bl.spamcop.net
from your smtpd_recipient_restrictions line until they fix their abuse 
issues.



Dan.


--
Dan The Man
CTO/ Senior System Administrator
Websites, Domains and Everything else
http://www.SunSaturn.com
Email: d...@sunsaturn.com


Re: Recipient restrictions

2011-11-17 Thread Noel Jones
On 11/17/2011 12:13 AM, Dilip Mishra // Viva wrote:
> Hello Group,
> 
> I want to implement some restrictions on postfix by which it would
> reject domains without mx records, as well as those specified in
> access table. These are some domains to I do not want to send mails
> at all. My problem is that, this setting does not work at all, since
> the sending IPs are specified in mynetworks. The moment I change the
> order of the parameters, it starts to reject all mails from all the
> IPs. Please help me to set the correct order of the parameters in
> main.cf :
> 
> *smtpd_recipient_restrictions* = permit_mynetworks,
> permit_sasl_authenticated, permit_inet_interfaces,
> *check_recipient_access hash:/etc/postfix/access*,
> reject_unauth_destination, reject_rbl_client list.dsbl.org,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client sbl-xbl.spamhaus.org,
> reject_rhsbl_sender dsn.rfc-ignorant.org, check_relay_domains
> 
> Dilip


Put restrictions that you want applied to all clients in
smtpd_sender_restrictions, including your check_recipient_access table.

Review your RBL list once in a while.  list.dsbl.org is no longer
operating, most sites should use zen.spamhaus.org rather than
sbl-xbl, and the rfc-ignorant lists are intended for a scoring
system rather than SMTP rejects.

Remove the deprecated check_relay_domains parameter.


Finally, if your configuration isn't working as expected, you need
to show us the non-working config and postfix logs.

If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Tõnu Samuel
On Thu, 2011-11-17 at 07:35 -0600, Dan The Man wrote:
> 
> Today I had an unhappy unix student try to submit an assignment to me and 
> could not. Spamcop has decided to go off blacklisting all yahoo/shaw etc 
> servers worldwide.
> 
> Solution:
> remove: reject_rbl_client bl.spamcop.net
> from your smtpd_recipient_restrictions line until they fix their abuse 
> issues.

Spammers ARE blacklisted, even if they are called "yahoo". Just have a good
ISP with a good reputation. My servers have never been blacklisted because
I just keep spammers away from them at an early stage.

  Tonu



Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Dan The Man



I agree completely, but I don't think a student failing a course because 
he only has a yahoo/shaw etc address and got a legitimate email bounced 
would agree very much :)


I think my solution should stand, we got all the other rbl's, 
and spamassassin etc, there's really no need to have anything legitimate 
dropped till they fix their issues.




Dan.


--
Dan The Man
CTO/ Senior System Administrator
Websites, Domains and Everything else
http://www.SunSaturn.com
Email: d...@sunsaturn.com

On Thu, 17 Nov 2011, Tõnu Samuel wrote:

> On Thu, 2011-11-17 at 07:35 -0600, Dan The Man wrote:
>>
>> Today I had an unhappy unix student try to submit an assignment to me and
>> could not. Spamcop has decided to go off blacklisting all yahoo/shaw etc
>> servers worldwide.
>>
>> Solution:
>> remove: reject_rbl_client bl.spamcop.net
>> from your smtpd_recipient_restrictions line until they fix their abuse
>> issues.
>
> Spammers ARE blacklisted, even they are called "yahoo". Just have good
> ISP with good reputation. My servers have never been blacklisted because
> I just keep spammers away from them in early stage.
>
>  Tonu



Re: spamcop abusing mail systems worldwide

2011-11-17 Thread John Peach
On Thu, 17 Nov 2011 08:08:13 -0600 (CST)
Dan The Man  wrote:

> 
> 
> I agree completely, but I don't think a student failing a course
> because he only has a yahoo/shaw etc address and got a legitimate
> email bounced would agree very much :)
> 
> I think my solution should stand, we got all the other rbl's, 
> and spamassassin etc, there really no need to have anything
> legitimate dropped till they fix their issues.

Spamcop recommend you use it for scoring, not blocking

[snip]


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Stan Hoeppner
On 11/17/2011 8:12 AM, John Peach wrote:
> On Thu, 17 Nov 2011 08:08:13 -0600 (CST)
> Dan The Man  wrote:
> 
>>
>>
>> I agree completely, but I don't think a student failing a course
>> because he only has a yahoo/shaw etc address and got a legitimate
>> email bounced would agree very much :)
>>
>> I think my solution should stand, we got all the other rbl's, 
>> and spamassassin etc, there really no need to have anything
>> legitimate dropped till they fix their issues.
> 
> Spamcop recommend you use it for scoring, not blocking

And a default Spamassassin config includes Spamcop for scoring:

http://wiki.apache.org/spamassassin/DnsBlocklists:

Having "reject_rbl_client bl.spamcop.net" on top of scoring with it in
SA caused this problem.  It's not Spamcop's fault the student's email
was rejected.  I dare say it was the mail OP's fault for not having his
server configured properly.

-- 
Stan


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread lst_hoe02

Quoting Dan The Man:

> Today I had an unhappy unix student try to submit an assignment to
> me and could not. Spamcop has decided to go off blacklisting all
> yahoo/shaw etc servers worldwide.

The subject is wrong. Spamcop simply lists mailservers sending a lot of
spam and Yahoo for example does exactly that. It is the duty of the
mailserver operator to decide if such a list should be used for
blocking senders.

> Solution:
> remove: reject_rbl_client bl.spamcop.net
> from your smtpd_recipient_restrictions line until they fix their
> abuse issues.

The abuse issue is that some mailserver operators do not choose
carefully which RBLs to use. Spamcop does exactly what they claim and
no, we don't use it because of this.


Regards

Andreas






smtp-sink pipelining slow: TCP Nagle & delayed ACK stalls

2011-11-17 Thread Mark Martinec
While benchmarking a SMTP content filter, using smtp-source as a traffic
generator and smtp-sink as sink, the message transfer rates were much
worse than expected (about 100 seconds, instead of just a few seconds
for 1000 messages).

It turned out the problem is in a TCP session over a loopback interface
between a content filter and smtp-sink. When pipelining is used and all
the MAIL FROM, RCPT TO, and DATA arrive in one packet, the smtp-sink
responds in two packets: the first is a "250 2.1.0 Ok" response to a
MAIL FROM command, and the second packet carries a response to
the rest: "250 2.1.5 Ok\r\n354 End data with...\r\n".

The trouble is that there is a 0.1 second delay between the two response
packets. The second packet is only sent by smtp-sink after receiving an ACK
to the first, and that only happens after 0.1 seconds due to a delayed ACK
setting of a system (FreeBSD 9.0, net.inet.tcp.delayed_ack=1).

The workarounds are:
- disable net.inet.tcp.delayed_ack globally
or:
- disable pipelining announcement in smtp-sink (option -p)
or:
- ignore pipelining announcement in a content filter

The true solution seems to be to either disable Nagle in smtp-sink
(TCP_NODELAY), or to send all the SMTP responses in one go.

Seems the postfix itself does not suffer from this problem,
only the smtp-sink.

A tcpdump packet capture is available at:
  http://www.ijs.si/~mark/tmp/0.log.gz


Mark


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Reindl Harald


On 17.11.2011 14:56, Tõnu Samuel wrote:
> On Thu, 2011-11-17 at 07:35 -0600, Dan The Man wrote:
>>
>> Today I had an unhappy unix student try to submit an assignment to me and 
>> could not. Spamcop has decided to go off blacklisting all yahoo/shaw etc 
>> servers worldwide.
>>
>> Solution:
>> remove: reject_rbl_client bl.spamcop.net
>> from your smtpd_recipient_restrictions line until they fix their abuse 
>> issues.
> 
> Spammers ARE blacklisted, even they are called "yahoo". Just have good
> ISP with good reputation. My servers have never been blacklisted because
> I just keep spammers away from them in early stage.

this is a lets say polite: "not real smart argumentation"

if you are blocking major-providers like yahoo, google you can go ahead
and turn your mailserver off and close your company because NO CLIENT will
accept this with no argument and to say it clear: if someone thinks it is
cool to block major-isp's for whatever reason maybe he is doing the wrong job

why?

because a mailserver is primarily there to get and send e-mails and not to
block them!





Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Dennis Clarke

>
>
> Today I had an unhappy unix student try to submit an assignment ..

tell your students to use the email address provided by the school on the
school domain. Also, as a policy, I blacklist all yahoo, gmail, hotmail
junk and life is much better at the office.

If someone does not have a valid email address at a reasonable domain then
we don't want to hear from them anyways.

Dennis




Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Reindl Harald


On 17.11.2011 15:39, Dennis Clarke wrote:
>> Today I had an unhappy unix student try to submit an assignment ..
> 
> tell your students to use the email address provided by the school on the
> school domain. Also, as a policy, I blacklist all yahoo, gmail, hotmail
> junk and life is much better at the office.
> 
> If someone does not have a valid email address at a reasonable domain then
> we don't want to hear from them anyways.

never heard a more arrogant statement with so little knowledge!

did you ever realize that you can host your domain at google?
so you are possibly blocking valid addresses from reasonable
domains too - but that is only an additional point

where do you live that you think you are in the position what
other people are using and that they have to register a domain
before they allowed to speak with you?





Re: Recipient restrictions

2011-11-17 Thread Simon Brereton
On 17 November 2011 01:13, Dilip Mishra // Viva
 wrote:
> Hello Group,
> I want to implement some restrictions on postfix by which it would reject
> domains without mx records, as well as those specified in access table.
> These are some domains to I do not want to send mails at all. My problem is
> that, this setting does not work at all, since the sending IPs are specified
> in mynetworks. The moment I change the order of the parameters, it starts to
> reject all mails from all the IPs. Please help me to set the correct order
> of the parameters in main.cf:
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
> permit_inet_interfaces, check_recipient_access hash:/etc/postfix/access,
> reject_unauth_destination, reject_rbl_client list.dsbl.org,
> reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org,
> reject_rhsbl_sender dsn.rfc-ignorant.org, check_relay_domains


I would also suggest that you need permit_sasl_authenticated before
permit_mynetworks.  And reject_unauth_destination should maybe also be
higher up.  And what purpose does your relay_domains serve at the
end?

Simon


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Simon Brereton
On 17 November 2011 09:28,   wrote:
> Zitat von Dan The Man :
>
>>
>>
>> Today I had an unhappy unix student try to submit an assignment to me and
>> could not. Spamcop has decided to go off blacklisting all yahoo/shaw etc
>> servers worldwide.
>
> The subject is wrong. Spamcop simply list mailservers sending a lot of spam
> and Yahoo for example does exactly that. It is the duty of the mailserver
> operator to decide if such a list should be used for blocking senders.

I agree.  In all likelihood, Spamcop listed the SHAW IP which is where
the email originates from and not the Yahoo IP.  Perhaps the student
will take this as a lesson to choose a better ISP.

>> Solution:
>> remove: reject_rbl_client bl.spamcop.net
>> from your smtpd_recipient_restrictions line until they fix their abuse
>> issues.

It's not *their* issue.  They list servers/IPs that send a significant
amount of spam.  I would suggest the people with the issue are the IP
owners.  Not spamcop.

But as others have said, you're not obliged to use it.  So please don't.

Simon


Re: smtp-sink pipelining slow: TCP Nagle & delayed ACK stalls

2011-11-17 Thread Wietse Venema
Mark Martinec:
> While benchmarking a SMTP content filter, using smtp-source as a traffic
> generator and smtp-sink as sink, the message transfer rates were much
> worse than expected (about 100 seconds, instead of just a few seconds
> for 1000 messages).
> 
> It turned out the problem is in a TCP session over a loopback interface
> between a content filter and smtp-sink. When pipelining is used and all
> the MAIL FROM, RCPT TO, and DATA arrive in one packet, the smtp-sink
> responds in two packets: the first is a "250 2.1.0 Ok" response to a
> MAIL FROM command, and the second packet carries a response to
> the rest: "250 2.1.5 Ok\r\n354 End data with...\r\n".

Turning off the PIPELINING announcement should work. 

You may also try a global substitution:

From:
smtp_flush(state->stream);

To:
SMTP_FLUSH(state->stream);

Where SMTP_FLUSH is defined as:

#define SMTP_FLUSH(fp) do { \
if (vstream_peek(fp) <= 0 && readable(vstream_fileno(fp) <= 0) \
smtp_flush(fp) \
} while (0)

Sorry, no patch, because smtp-sink evolves randomly over time.

Wietse


Re: smtp-sink pipelining slow: TCP Nagle & delayed ACK stalls

2011-11-17 Thread lst_hoe02

Quoting Mark Martinec:

> While benchmarking a SMTP content filter, using smtp-source as a traffic
> generator and smtp-sink as sink, the message transfer rates were much
> worse than expected (about 100 seconds, instead of just a few seconds
> for 1000 messages).
>
> It turned out the problem is in a TCP session over a loopback interface
> between a content filter and smtp-sink. When pipelining is used and all
> the MAIL FROM, RCPT TO, and DATA arrive in one packet, the smtp-sink
> responds in two packets: the first is a "250 2.1.0 Ok" response to a
> MAIL FROM command, and the second packet carries a response to
> the rest: "250 2.1.5 Ok\r\n354 End data with...\r\n".
>
> The trouble is that there is a 0.1 second delay between the two response
> packets. The second packet is only sent by smtp-sink after receiving an ACK
> to the first, and that only happens after 0.1 seconds due to a delayed ACK
> setting of a system (FreeBSD 9.0, net.inet.tcp.delayed_ack=1).
>
> The workarounds are:
> - disable net.inet.tcp.delayed_ack globally
> or:
> - disable pipelining announcement in smtp-sink (option -p)
> or:
> - ignore pipelining announcement in a content filter
>
> The true solution seems to be to either disable Nagle in smtp-sink
> (TCP_NODELAY), or to send all the SMTP responses in one go.
>
> Seems the postfix itself does not suffer from this problem,
> only the smtp-sink.


Around 2007 on the same list:
http://marc.info/?l=postfix-users&w=2&r=1&s=TCP_CORK&q=b

It was even from the same source as far as i know ;-)

Looks like smtp-source/sink were not adjusted at that time.

Regards

Andreas






Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Mark Goodge

On 17/11/2011 14:39, Dennis Clarke wrote:
>
>> Today I had an unhappy unix student try to submit an assignment ..
>
> tell your students to use the email address provided by the school on the
> school domain. Also, as a policy, I blacklist all yahoo, gmail, hotmail
> junk and life is much better at the office.
>
> If someone does not have a valid email address at a reasonable domain then
> we don't want to hear from them anyways.


Yes, but you're not selling anything or providing any kind of public 
service. So it doesn't matter if people can't email you. Those of us who 
work for commercial organisations or government bodies don't have that 
choice.


Mark
--
 Sent from my Babbage Difference Engine
 http://mark.goodge.co.uk
 http://www.ratemysupermarket.com


Re: smtp-sink pipelining slow: TCP Nagle & delayed ACK stalls

2011-11-17 Thread Wietse Venema
Wietse Venema:
> Mark Martinec:
> > While benchmarking a SMTP content filter, using smtp-source as a traffic
> > generator and smtp-sink as sink, the message transfer rates were much
> > worse than expected (about 100 seconds, instead of just a few seconds
> > for 1000 messages).
> > 
> > It turned out the problem is in a TCP session over a loopback interface
> > between a content filter and smtp-sink. When pipelining is used and all
> > the MAIL FROM, RCPT TO, and DATA arrive in one packet, the smtp-sink
> > responds in two packets: the first is a "250 2.1.0 Ok" response to a
> > MAIL FROM command, and the second packet carries a response to
> > the rest: "250 2.1.5 Ok\r\n354 End data with...\r\n".
> 
> Turning off the PIPELINING announcement should work. 
> 
> You may also try a global substitution:
> 
> From:
> smtp_flush(state->stream);
> 
> To:
> SMTP_FLUSH(state->stream);
> 
> Where SMTP_FLUSH is defined as:
> 
> #define SMTP_FLUSH(fp) do { \
> if (vstream_peek(fp) <= 0 && readable(vstream_fileno(fp) <= 0) \
>   smtp_flush(fp) \
> } while (0)

Make that:

 #define SMTP_FLUSH(fp) do { \
 if (vstream_peek(fp) <= 0 && readable(vstream_fileno(fp)) <= 0) \
   smtp_flush(fp); \
 } while (0)

> Sorry, no patch, because smtp-sink evolves randomly over time.
> 
>   Wietse
> 
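
The idea behind the SMTP_FLUSH macro above, as an added example that is not Postfix or smtp-sink code: a toy sink in Python that flushes its reply buffer only when no further pipelined input is pending, so the three replies leave in one write instead of three. The class and function names, the socketpair transport and the sample commands are constructed for illustration.

```python
import select
import socket

# Constructed sample: one pipelined burst, as the content filter sends it.
PIPELINED = (b"MAIL FROM:<sender@example.com>\r\n"
             b"RCPT TO:<rcpt@example.com>\r\n"
             b"DATA\r\n")

REPLIES = {
    b"MAIL": b"250 2.1.0 Ok\r\n",
    b"RCPT": b"250 2.1.5 Ok\r\n",
    b"DATA": b"354 End data with <CR><LF>.<CR><LF>\r\n",
}
UNKNOWN = b"502 5.5.2 Error: command not recognized\r\n"


def readable(sock):
    """True if the kernel already holds unread bytes for this socket."""
    ready, _, _ = select.select([sock], [], [], 0)
    return bool(ready)


class ToySink:
    """Reads commands, queues replies, and counts socket writes."""

    def __init__(self, sock, coalesce):
        self.sock = sock
        self.coalesce = coalesce   # True: conditional flush, False: flush per reply
        self.inbuf = b""           # bytes read but not yet parsed
        self.outbuf = b""          # replies queued but not yet written
        self.writes = 0

    def flush(self):
        if self.outbuf:
            self.sock.sendall(self.outbuf)
            self.writes += 1
            self.outbuf = b""

    def maybe_flush(self):
        # Same condition as the macro: hold the replies back while more
        # input is buffered locally or waiting in the kernel.
        if self.coalesce and (self.inbuf or readable(self.sock)):
            return
        self.flush()

    def serve_pending(self):
        """Answer everything the client has sent so far; return write count."""
        while True:
            if b"\r\n" in self.inbuf:
                line, self.inbuf = self.inbuf.split(b"\r\n", 1)
                self.outbuf += REPLIES.get(line[:4].upper(), UNKNOWN)
                self.maybe_flush()
            elif readable(self.sock):
                chunk = self.sock.recv(4096)
                if not chunk:      # peer closed the connection
                    break
                self.inbuf += chunk
            else:
                break              # nothing complete left to answer
        self.flush()               # never leave a queued reply unsent
        return self.writes


def run(coalesce):
    """Send the pipelined burst to a ToySink; return (writes, reply bytes)."""
    client, server = socket.socketpair()
    try:
        client.sendall(PIPELINED)
        writes = ToySink(server, coalesce).serve_pending()
        client.settimeout(2)
        received = b""
        while received.count(b"\r\n") < 3:
            received += client.recv(4096)
        return writes, received
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    for mode in (False, True):
        print("coalesce=%s -> %d write(s)" % (mode, run(mode)[0]))
```

With one write per burst there is no second small segment for Nagle to hold until the peer's delayed ACK arrives, which is the stall described in this thread.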


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Tõnu Samuel
On Thu, 2011-11-17 at 15:48 +0100, Reindl Harald wrote:

> never heard a more arrogant statement with so few knowledge!
> 

I somewhat understand his position. What is ham and what is spam often
depends also some cultural background. For example I have anything with
"From: aol.com" blocked because in my 15 years of internet usage I
cannot remind anything useful coming from that domain. Maybe the
situation is different in USA but in EU I just block it for years
without single false positive yet. 

I host hundreds of client domains and most of them really do not want to
receive stuff from India, Tunisia, Russia, Indonesia, Vietnam, China and
some other very common spam sources. I seriously consider source IP
blocks by country for some mail servers. 

BTW, I do have friends and coworkers who are Chinese, Vietnamese etc. so
I do care about making stuff right. 

  Tõnu



Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Tõnu Samuel
On Thu, 2011-11-17 at 08:08 -0600, Dan The Man wrote:
> 
> I agree completely, but I don't think a student failing a course because 
> he only has a yahoo/shaw etc address and got a legitimate email bounced 
> would agree very much :)
> 
> I think my solution should stand, we got all the other rbl's, 
> and spamassassin etc, there really no need to have anything legitimate 
> dropped till they fix their issues.

Spam filters work in big part because they cause trouble for spammers.
This also includes spammers who do not think they are spammers or just
stupid enough to accommodate all kind of bots, viruses etc. For example
somehow Gmail managed to include me in some arabic religious mailing
list. There is no way I can find someone in Google to look on my weird
problem. I just report every single mail from this list to SpamCop. I do
this for months and like in every big company nobody cares. Just at some
point when Gmail gets blocked we get similar discussion here in list and
only then maybe someone in Google starts to read abuse@ mailbox. Big
companies ARE ignorant unless they get real trouble where also
executives feel that.

   Tõnu



Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Jose Ildefonso Camargo Tolosa
Greetings,

On Thu, Nov 17, 2011 at 10:30 AM, Mark Goodge  wrote:
> On 17/11/2011 14:39, Dennis Clarke wrote:
>>
>>>
>>>
>>> Today I had an unhappy unix student try to submit an assignment ..
>>
>> tell your students to use the email address provided by the school on the
>> school domain. Also, as a policy, I blacklist all yahoo, gmail, hotmail
>> junk and life is much better at the office.

Not all schools provides email addresses to their students, and some
students will just decide not to use them... why?, well, because,
after all, these are temporary address, for as long as you are at the
school, you can't keep those for the rest of your life, and thus some
students decide not to use them.

>>
>> If someone does not have a valid email address at a reasonable domain then
>> we don't want to hear from them anyways.
>
> Yes, but you're not selling anything or providing any kind of public
> service. So it doesn't matter if people can't email you. Those of us who
> work for commercial organisations or government bodies don't have that
> choice.

Same here, that's exactly why I don't use a "hard" block policy, I use
scoring (with ASSP) and even use Bayes filters (yeah, those that
requires "training" and stuff), thanks to this combination I get rid
of ~95% of the spam, while keeping over 99% of good mail (I almost
never lose a legit mail because of the mail filter).

yahoo, hotmail, gmail are domains used by all kind of persons (I have
even seen customers that just uses companyn...@gmail.com as their
corporate mail!!), so: just blocking them because a few send spam is
non-sense you need to check message content, that's why I use
Bayes as part of the scoring.

Now, spam fight is everyday harder, because spammers are looking
everyday more like legitimate senders... as a matter of fact,
sometimes what I consider spam is not considered spam by other person,
so... this is actually a complex topic.

Ildefonso.


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Tõnu Samuel
On Thu, 2011-11-17 at 15:39 +0100, Reindl Harald wrote:
> > Spammers ARE blacklisted, even they are called "yahoo". Just have good
> > ISP with good reputation. My servers have never been blacklisted because
> > I just keep spammers away from them in early stage.
> 
> this is a lets say polite: "not real smart argumentation"
> 
> if you are blocking major-providers like yahoo, google you can go ahead
> and turn your mailserver off and close your company because NO CLIENT will
> accept this with no argument and to say it clear: if someone thinks it is
> cool to block major-isp's for whatever reason maybe he is doing the wrong job

I report about 500 mails daily to spamcop and this takes important part
of my time. Sorry for being unpolite towards spammers but I believe that
noone should be whitelisted because they are big and fat. They consume
resources of ours. They are parasites.

I know lot about inside stuff. One example I can talk: You might heard
about case in Estonia where Russian criminals made botnet to distribute
spam. Company behind it got first place as IT company in Estonia based
on turnover. They were also important customer of our telecom and other
ISP-s. Yes ISPs got lot of complaints for spamming and virus distribution
from their hosts. But because company paid lot of money they kept these
criminals hosted longer time. This ended only after big blocklists put
permanent ban on /16 size range. As much I know now when years are
passed those block are still in list. This is only thing what works.
Unsure what exactly happened this time but next time Yahoo takes more
care about looking what is sent via their system. Maybe next time they
implement system which limits sending 10 mails in second via webmail or
something else. Anyway complaints are what make them move.

   Tõnu



Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Reindl Harald


On 17.11.2011 16:20, Tõnu Samuel wrote:
> On Thu, 2011-11-17 at 15:39 +0100, Reindl Harald wrote:
>>> Spammers ARE blacklisted, even they are called "yahoo". Just have good
>>> ISP with good reputation. My servers have never been blacklisted because
>>> I just keep spammers away from them in early stage.
>>
>> this is a lets say polite: "not real smart argumentation"
>>
>> if you are blocking major-providers like yahoo, google you can go ahead
>> and turn your mailserver off and close your company because NO CLIENT will
>> accept this with no argument and to say it clear: if someone thinks it is
>> cool to block major-isp's for whatever reason maybe he is doing the wrong job
> 
> I report about 500 mails daily to spamcop and this takes important part
> of my time. Sorry for being unpolite towards spammers but I believe that
> noone should be whitelisted because they are big and fat. They consume
> resources of ours. They are parasites.

if you really report 500 mails each day you should give over your
job to someone with more qualifications because we are hosting some
thousand mail-addresses and i could never report 500 spam-mails per
day because they are not received without blocking major providers

http://www.barracudanetworks.com/

a) intention-filtering, hourly updated rules
b) blacklist
c) block by PTR to get rid of 99% of all spambots

your primary job as admin is to make sure that legal mails are  received and
not to play around the whole day to maximize false-positives, long after
that comes the fight against spam

10 spam mails are less damage than a single false-positive






Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Tõnu Samuel
On Thu, 2011-11-17 at 16:30 +0100, Reindl Harald wrote:

> if you really report 500 mails each day you should give over your
> job to someone with more qualifications because we are hosting some
> thousand mail-addresses and i could never report 500 spam-mails per
> day because they are not received without blocking major providers
> 
> http://www.barracudanetworks.com/
> 
> a) intention-filtering, hourly updated rules
> b) blacklist
> c) block by PTR to get rid of 99% of all spambots

About qualifications - you may put your CV next to
http://www.linkedin.com/in/tonusamuel or shut up. 

About 500 reports - I run spamtraps mainly in .ee domains to keep my eye
on local spammers and to keep blog http://no.spam.ee which is pretty
good measure I would say.

About barracuda - they remotely disabled it for my customer. I would
never recommend products with such backdoors. More info
http://seclists.org/fulldisclosure/2011/Apr/460

   Tõnu



Re: more actions for *header_checks/body_checks

2011-11-17 Thread Solar Designer
On Thu, Nov 17, 2011 at 06:39:29AM -0500, Wietse Venema wrote:
> Solar Designer:
> > Does this mean you're going to implement it?  Sounds great if so.  And
> > the default action feature, please - I'd use them together.
> 
> ACCEPT in header_checks == turn off header checks for this message.

Right.  (And maybe body checks as well, or maybe this contradicts the
policy stated below...)

> No Postfix table-driven feature has support for unmatched patterns;
> No Postfix table-driven "yes/permit/accept" feature overrides other
> table-driven features.

I suppose adhering to this policy has both pros and cons.

What about something like this? -

/malware sig with occasional false positives/ DEFERRED_REJECT malware detected
/whitelisted sender address/ ACCEPT

where DEFERRED_REJECT would alter the default action for the current
message and ACCEPT would override that?  It'd work as desired (the
whitelisting would take priority) regardless of the order in which the
two patterns are seen in the headers or body.  After the headers and
body are fully processed, we'd have the per-message default action set
to DEFERRED_REJECT, but it would only be applied if the ACCEPT flag is
not set.  We would also have DEFERRED_DISCARD, indeed.

> If you really want such things then I suggest using a Perl script
> with Net::SMTP as a tiny content filter.

Yes, this (or something very much like it) is my primary alternative.
The reason why I brought this to postfix-users instead of just doing
things on the specific system in one way or another was that I felt we
could improve Postfix for others as well.

Alexander
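
The order-independent semantics proposed in this message, as an added sketch that is not Postfix code (DEFERRED_REJECT, DEFERRED_DISCARD and ACCEPT are the actions proposed here, not actions header_checks/body_checks implement): matches only record per-message state, and the verdict is taken after the last line. The rule table, sample messages and the `evaluate` function are constructed for illustration; `defer=False` shows the immediate, order-dependent behaviour for contrast.

```python
import re

# Constructed rule table modelled on the two example lines in the message.
RULES = [
    (re.compile(r"EXAMPLE-MALWARE-SIGNATURE"), "DEFERRED_REJECT", "malware detected"),
    # Assumption for the demo only: a From: header is sender-controlled, so a
    # real whitelist pattern should key on something the sender cannot forge.
    (re.compile(r"^From:.*<trusted@example\.org>"), "ACCEPT", ""),
    (re.compile(r"^Subject:.*constructed-hard-block"), "REJECT", "blocked subject"),
]
KNOWN = {"REJECT", "ACCEPT", "DEFERRED_REJECT", "DEFERRED_DISCARD"}


def evaluate(lines, rules=RULES, defer=True):
    """Return (verdict, text) for one message given as a list of lines.

    defer=True : DEFERRED_* only sets the per-message default action, ACCEPT
                 sets a flag, and the decision is made after the last line.
    defer=False: every action fires as soon as its line is seen, so the
                 outcome depends on which pattern appears first.
    """
    deferred = None    # first DEFERRED_* action recorded for this message
    accepted = False
    for line in lines:
        for pattern, action, text in rules:
            if action not in KNOWN:
                raise ValueError("unknown action: %s" % action)
            if not pattern.search(line):
                continue
            if action == "REJECT":
                return ("REJECT", text)          # plain veto, never deferred
            if action == "ACCEPT":
                if not defer:
                    return ("DELIVER", "")       # checks switched off from here
                accepted = True
            else:
                verdict = (action[len("DEFERRED_"):], text)
                if not defer:
                    return verdict
                if deferred is None:
                    deferred = verdict
            break                                # first matching rule per line
    if deferred is not None and not accepted:
        return deferred
    return ("DELIVER", "")


# Constructed messages: same content, different order of the two matches.
WHITELIST_THEN_SIG = [
    "From: Trusted <trusted@example.org>",
    "Subject: weekly report",
    "",
    "body line with EXAMPLE-MALWARE-SIGNATURE inside",
]
SIG_THEN_WHITELIST = [
    "Subject: fwd EXAMPLE-MALWARE-SIGNATURE",
    "From: Trusted <trusted@example.org>",
    "",
    "clean body",
]
UNTRUSTED_WITH_SIG = [
    "From: Someone <someone@example.net>",
    "",
    "EXAMPLE-MALWARE-SIGNATURE",
]

if __name__ == "__main__":
    for name in ("WHITELIST_THEN_SIG", "SIG_THEN_WHITELIST", "UNTRUSTED_WITH_SIG"):
        msg = globals()[name]
        print(name, evaluate(msg), evaluate(msg, defer=False))
```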


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Reindl Harald


On 17.11.2011 16:36, Tõnu Samuel wrote:
> On Thu, 2011-11-17 at 16:30 +0100, Reindl Harald wrote:
> 
>> if you really report 500 mails each day you should give over your
>> job to someone with more qualifications because we are hosting some
>> thousand mail-addresses and i could never report 500 spam-mails per
>> day because they are not received without blocking major providers
>>
>> http://www.barracudanetworks.com/
>>
>> a) intention-filtering, hourly updated rules
>> b) blacklist
>> c) block by PTR to get rid of 99% of all spambots
> 
> About qualifications - you may put your CV next to
> http://www.linkedin.com/in/tonusamuel or shut up. 

you are not in the position to tell somebody to shut up after
making recommendations which are unacceptable if you are
working in business and some nice lines on a social network
like "CEO here and there" are really not saying anything
about qualifications

> About 500 reports - I run spamtraps mainly in .ee domains to keep my eye
> on local spammers and to keep blog http://no.spam.ee which is pretty
> good measure I would say.

nice, but does nothing change in the fact that if you are really
the whole day watching for spam-attempts you are doing something
badly wrong

> About barracuda - they remotely disabled it for my customer. I would
> never recommend products with such backdoors. More info
> http://seclists.org/fulldisclosure/2011/Apr/460

well, something went wrong, shit happens

the spamfirewall is useless without subscription because you would end
in that what you are doing now, using the spam-firewall since 6 years
and had not a single problem and if you are renewing in time such
things simply does not happen





Does Postfix recreate spool directories in case of "disparition" of them ?

2011-11-17 Thread Frank Bonnet

Hello

Postfix creates those "spool" directories at install

# cd /var/spool/postfix
# ll
total 28
drwx------   2 postfix  wheel      512 Nov 17 17:03 active
drwx------   2 postfix  wheel      512 Nov 17 17:03 bounce
drwx------   2 postfix  wheel      512 May 10  2011 corrupt
drwx------  18 postfix  wheel      512 May 11  2011 defer
drwx------  18 postfix  wheel      512 May 11  2011 deferred
drwx------   2 postfix  wheel      512 Oct  4 06:15 flush
drwx------   2 postfix  wheel      512 May 10  2011 hold
drwx------   2 postfix  wheel      512 Nov 17 17:03 incoming
drwx-wx---   2 postfix  maildrop  1536 Nov 17 15:49 maildrop
drwxr-xr-x   2 root     wheel      512 May 10  2011 pid
drwx------   2 postfix  wheel      512 Nov 17 15:21 private
drwx--x---   2 postfix  maildrop   512 Nov 17 15:21 public
drwx------   2 postfix  wheel      512 May 10  2011 saved
drwx------   2 postfix  wheel      512 Jun 30 13:23 trace

Does it recreate them if they are not present on the disk ?

I have not deleted them by error :-) , I plan to try using a ramdisk
for those directories.

Thank you



Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Dick Visser
On 2011-11-17 16:05, Tõnu Samuel wrote:

> What is ham and what is spam often depends also some cultural background.

It does indeed. Having "Dick" as first name in a mostly English-oriented
environment doesn't work in my favor ;-)


-- 
Dick Visser
System & Network Engineer
TERENA Secretariat
Singel 468D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88 F +31 20 530 44 99
vis...@terena.org | www.terena.org






Re: Does Postfix recreate spool directories in case of "disparition" of them ?

2011-11-17 Thread /dev/rob0
On Thursday 17 November 2011 10:08:32 Frank Bonnet wrote:
> Postfix creates those "spool" directories at install
> 
> # cd /var/spool/postfix
> # ll
> total 28
snip
> Does it recreate them if they are not present on the disk ?

"man postfix", see "check" and "start".

> I have not deleted them by error :-) , I plan to try using a
> ramdisk for those directories.

Oh my! This sounds like a terrible idea! What will happen to 
undelivered mail in a power outage or other system crash?

What is the real problem you hope for this ramdisk to solve?
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Jose Ildefonso Camargo Tolosa
Posting to list, sorry!

On Thu, Nov 17, 2011 at 11:00 AM, Reindl Harald  wrote:
>
>
> On 17.11.2011 16:20, Tõnu Samuel wrote:
>> On Thu, 2011-11-17 at 15:39 +0100, Reindl Harald wrote:
>>>> Spammers ARE blacklisted, even they are called "yahoo". Just have good
>>>> ISP with good reputation. My servers have never been blacklisted because
>>>> I just keep spammers away from them in early stage.
>>>
>>> this is a lets say polite: "not real smart argumentation"
>>>
>>> if you are blocking major-providers like yahoo, google you can go ahead
>>> and turn your mailserver off and close your company because NO CLIENT will
>>> accept this with no argument and to say it clear: if someone thinks it is
>>> cool to block major-isp's for whatever reason maybe he is doing the wrong 
>>> job
>>
>> I report about 500 mails daily to spamcop and this takes important part
>> of my time. Sorry for being unpolite towards spammers but I believe that
>> noone should be whitelisted because they are big and fat. They consume
>> resources of ours. They are parasites.
>
> if you really report 500 mails each day you should give over your
> job to someone with more qualifications because we are hosting some
> thousand mail-addresses and i could never report 500 spam-mails per
> day because they are not received without blocking major providers
>
> http://www.barracudanetworks.com/
>
> a) intention-filtering, hourly updated rules
> b) blacklist
> c) block by PTR to get rid of 99% of all spambots

Neat, but expensive, and in my experience with Barracuda it has a high
false-positive rate (ie, tends to block legit mail) that's one of
the reasons I tolerate ASSP (it has some quirks, but it rocks as an
spam filter).


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread /dev/rob0
Enough of this thread. Really.

Spamcop is risky if used for outright rejection. This is not new 
information, and as pointed out, Spamcop themselves say so. The 
subject line is pure ignorance, "abusing mail systems," absurd.

Reliance on email where you do not control both ends is also risky.

We can all look at what some other site does, and say, "I wouldn't do 
that." Maybe to some extent it is useful to share our reasons for 
feeling that way, although it's not fully on topic here.

But we do not have the right to judge them: it's their server, their 
rules. And getting all angry about what rules they choose is nothing 
short of STUPID, as is the defensive reaction over being criticized 
for the choices you have made.

Take it off list.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: more actions for *header_checks/body_checks

2011-11-17 Thread Wietse Venema
Solar Designer:
> On Thu, Nov 17, 2011 at 06:39:29AM -0500, Wietse Venema wrote:
> > Solar Designer:
> > > Does this mean you're going to implement it?  Sounds great if so.  And
> > > the default action feature, please - I'd use them together.
> > 
> > ACCEPT in header_checks == turn off header checks for this message.
> 
> Right.  (And maybe body checks as well, or maybe this contradicts the
> policy stated below...)
> 
> > No Postfix table-driven feature has support for unmatched patterns;
> > No Postfix table-driven "yes/permit/accept" feature overrides other
> > table-driven features.
> 
> I suppose adhering to this policy has both pros and cons.

Let's for a moment look at what the system does well and why. The
system is designed for blocking stuff. There are N rule sets that
can block/discard independently (smtpd_client_restrictions etc.,
header_checks etc.,). If any of them blocks, mail is not queued.
It's a vetoing system. All the other actions such as filter or
redirect are just riding along on the train.

This model is a good fit for vetoing. It is a poor fit for lots of
other things including 1) conditional decisions and 2) "don't reject"
decisions that override other rulesets. So let's not do that.

You have a need for conditional decisions, which could be modeled
as a "maybe reject" action that only takes effect if some other
action (accept) in the same rule set does not fire.

But why stop here? Why not have "maybe filter", "maybe redirect",
and so on that are also dependent on the absence of some other
action (what other action?  OK, so we do "ifnot accept reject",
"ifnot filter redirect", etc. to make the condition explicit.
Yes, it is possible. No, it is not a good idea.  The resulting
system would be an incomprehensible mess.

In addition you have a need for a positive decision (already a poor
fit for a vetoing system!) in one rule set to override decisions of
other rulesets (here, an accept in header_checks that overrides
rule sets that happen to be co-located in the cleanup daemon).

I'm not saying that your needs are wrong. I am saying that you
need to use a model that is a good fit. It would be a mistake to
change a model that is a poor fit, such as a veto-based system.

It is very well possible that your needs require a model with rules
that have precedences. For example, one receives the entire message,
and applies all the rules in order of precedence and stops at the
first final decision (ACCEPT or REJECT).

Postfix does not work that way. It does not have to solve all
problems. That is what the extension interfaces (including SMTP)
are for.

Wietse


Re: Does Postfix recreate spool directories in case of "disparition" of them ?

2011-11-17 Thread Frank Bonnet

On 11/17/2011 05:23 PM, /dev/rob0 wrote:
> On Thursday 17 November 2011 10:08:32 Frank Bonnet wrote:
>> Postfix creates those "spool" directories at install
>>
>> # cd /var/spool/postfix
>> # ll
>> total 28
> snip
>> Does it recreate them if they are not present on the disk ?
>
> "man postfix", see "check" and "start".
>
>> I have not deleted them by error :-) , I plan to try using a
>> ramdisk for those directories.
>
> Oh my! This sounds like a terrible idea! What will happen to
> undelivered mail in a power outage or other system crash?

not really important it is a TEST not running on production server of course

> What is the real problem you hope for this ramdisk to solve?

same as above



Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Jerry
On Thu, 17 Nov 2011 17:19:48 +0100
Dick Visser articulated:

> On 2011-11-17 16:05, Tõnu Samuel wrote:
> 
> > What is ham and what is spam often depends also some cultural
> > background.
> 
> It does indeed. Having "Dick" as first name in a mostly
> English-oriented environment doesn't work in my favor ;-)

I have seen the name "Barbra" flagged also. True story: NY State once
refused to issue a personalized tag; ie license plate to a woman whose
first name was "Barbra". Personally, I have never figured out why the
word "bra" should be considered offensive.

-- 
Jerry ♔
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html



Re: Does Postfix recreate spool directories in case of "disparition" of them ?

2011-11-17 Thread Wietse Venema
Frank Bonnet:
> Hello
> 
> Postfix creates those "spool" directories at install
> 
> # cd /var/spool/postfix
> # ll

It creates them with "postfix start" (or "check"). This means you
have to run one of these commands before you can submit mail via
the Postfix sendmail command line.

Wietse


Re: Does Postfix recreate spool directories in case of "disparition" of them ?

2011-11-17 Thread Frank Bonnet



On 17/11/2011 19:01, Wietse Venema wrote:
> Frank Bonnet:
>> Hello
>>
>> Postfix creates those "spool" directories at install
>>
>> # cd /var/spool/postfix
>> # ll
>
> It creates them with "postfix start" (or "check"). This means you
> have to run one of these commands before you can submit mail via
> the Postfix sendmail command line.
>
> Wietse


OK thank you Wietse.


postfix, dovecot, and virtual quotas

2011-11-17 Thread David Mehler
Hello,

I've got a postfix system serving virtual mailbox domains. It's using
Dovecot as an LDA, and I'm wanting to hook in quotas. My thinking is
that I have to do this in the LDA, but I'm curious about the
virtual_mailbox_limit parameter in main.cf? Is it used for quota or
size limits when using dovecot as an LDA?

Thanks.
Dave.


Re: Increasing number of connections?

2011-11-17 Thread Jeroen Geilman

On 2011-11-17 07:15, Alex wrote:
> Hi,
>
>>> I built a dual-Xeon quad-core box with 8GB using fedora15 and
>>> postfix-v2.8.5 and during various times during the day connections to
>>> port 25 timeout or are very slow. The majority of times this happens
>>> is under peak loads, but even times when it's not at capacity it may
>>> do this.
>>
>> Often slow smtpd connections are caused by not having enough smtpd
>> processes running.
>>
>> On your hardware, postfix will support thousands of smtpd processes.
>> Use netstat or lsof to see how many connections postfix is handling
>> when you experience slowdowns.
>
> It's in the hundreds. There is also some amount of iowait, but I don't
> think that's the issue.
>
> When using amavisd-new, shouldn't the number of processes match the
> number of smtpd processes?


Hell no, amavisd can kill your system dead.
It will take 100MB per process easily, and each of these takes much more 
time to complete than any comparable SMTP transaction - or postfix queue 
process.
If you are using more than about 50 amavisd threads, you'll be depleting 
those 8GB very quickly.


As said previously, postscreen to stop the 90% spam connections, a few 
hundred smtpds, and 50 or so amavisd threads should be doable.


Mail will be queued before amavis can get to it, but that is the nature 
of the beast - 8GB is very little memory for a modern server system.


Max out the board to 32 or 48GB, whatever it takes - it will cost far 
less than any other solution.



--
J.



Re: postfix, dovecot, and virtual quotas

2011-11-17 Thread Reindl Harald


On 17.11.2011 19:45, David Mehler wrote:
> I've got a postfix system serving virtual mailbox domains. It's using
> Dovecot as an LDA, and I'm wanting to hook in quotas. My thinking is
> that I have to do this in the LDA, but I'm curious about the
> virtual_mailbox_limit parameter in main.cf? Is it used for quota or
> size limits when using dovecot as an LDA?

no

quotas have to be done on dovecot-side





Re: postfix, dovecot, and virtual quotas

2011-11-17 Thread Wietse Venema
Reindl Harald:
> On 17.11.2011 19:45, David Mehler wrote:
> > I've got a postfix system serving virtual mailbox domains. It's using
> > Dovecot as an LDA, and I'm wanting to hook in quotas. My thinking is
> > that I have to do this in the LDA, but I'm curious about the
> > virtual_mailbox_limit parameter in main.cf? Is it used for quota or
> > size limits when using dovecot as an LDA?
> 
> no
> 
> quotas have to be done on dovecot-side

However it will be helpful if the Postfix SMTP server can query
an access table (perhaps via MySQL) with over-quota users. This
reduces the chances that Postfix has to return undeliverable mail.

Wietse


Re: more actions for *header_checks/body_checks

2011-11-17 Thread Solar Designer
Wietse -

Thank you for explaining your position on this in so much detail!  You
definitely have a pretty strong and reasonable opinion here.  I was
essentially after mail filtering capabilities analogous to those of a
network packet filter and I felt that those would reasonably fit into
Postfix proper, but indeed I accept your opinion that they don't.

I've included some comments below.  These are not meant to argue with
you, but merely to communicate my thoughts on the matter, even though
these probably do not matter as you've already made the determination.

On Thu, Nov 17, 2011 at 11:38:02AM -0500, Wietse Venema wrote:
> Let's for a moment look at what the system does well and why. The
> system is designed for blocking stuff. There are N rule sets that
> can block/discard independently (smtpd_client_restrictions etc.,
> header_checks etc.,). If any of them blocks, mail is not queued.
> It's a vetoing system. All the other actions such as filter or
> redirect are just riding along on the train.

Agreed.

> This model is a good fit for vetoing. It is a poor fit for lots of
> other things including 1) conditional decisions and 2) "don't reject"
> decisions that override other rulesets.

Yes.

> So let's not do that.

OK, yet I felt that we could do a little bit of that at one specific
layer only.

> You have a need for conditional decisions, which could be modeled
> as a "maybe reject" action that only takes effect if some other
> action (accept) in the same rule set does not fire.

Right.

> But why stop here? Why not have "maybe filter", "maybe redirect",
> and so on that are also dependent on the absence of some other
> action (what other action?  OK, so we do "ifnot accept reject",
> "ifnot filter redirect", etc. to make the condition explicit.
> Yes, it is possible. No, it is not a good idea.  The resulting
> system would be an incomprehensible mess.

Yes, I had these thoughts/concerns, too.  I think I'd stop at supporting
those other default actions, but not adding the if/ifnot logic at that
level.  For such logic, if desired, I had proposed MARK actions and
matching on marks and not-marks.  This would be similar to the way in
which and to the extent to which network packet filters may be configured.

Individual header/body lines may be analogous to individual network
packets, and messages to network connections.  State from line (packet)
matches may be passed onto decisions for messages (connections).

I felt that this would not be too hard and too messy to implement on top
of what we readily have in Postfix.

> In addition you have a need for a positive decision (already a poor
> fit for a vetoing system!) in one rule set to override decisions of
> other rulesets (here, an accept in header_checks that overrides
> rule sets that happen to be co-located in the cleanup daemon).

I feel that header_checks and body_checks are very closely related to
each other (and share code).  I think it could be reasonable to consider
them one ruleset, within which this packet filter like logic would be
present.  In fact, they're even documented in just one man page.

> I'm not saying that your needs are wrong. I am saying that you
> need to use a model that is a good fit. It would be a mistake to
> change a model that is a poor fit, such as a veto-based system.

Maybe, but it's tempting to enhance the existing model if it can be done
with little complexity to the code.

> It is very well possible that your needs require a model with rules
> that have precedences. For example, one receives the entire message,
> and applies all the rules in order of precedence and stops at the
> first final decision (ACCEPT or REJECT).

I don't have an immediate need for that, but, yes, it would arguably
resemble a network packet filter more closely.  On the other hand, with
the messages-connections analogy, I'd have to use MARKs either way and
not care about the order of lines-packets.

> Postfix does not work that way. It does not have to solve all
> problems. That is what the extension interfaces (including SMTP)
> are for.

I definitely agree that Postfix should not (and can not) solve all
problems.  The question is where to stop.  I felt that minor additions
to the existing feature set and code, yet that would make the built-in
filtering sufficient in a lot more cases, would be appropriate.  You
have pointed out that this would cross some boundaries unrelated to
Postfix code complexity.  I accept this.

Thanks again,

Alexander


Re: Increasing number of connections?

2011-11-17 Thread Henrik K
On Thu, Nov 17, 2011 at 07:46:26PM +0100, Jeroen Geilman wrote:
> 
> Hell no, amavisd can kill your system dead.
> It will take 100MB per process easily, and each of these takes much

Terrible misinformation. Amavisd-new preloads pretty much everything before
forking, which means children just share that common 100MB chunk
(copy-on-write). Additional memory is only consumed when a child is actively
processing something (maybe 10MB tops).



Migration from one server to another - best practices?

2011-11-17 Thread Dennis Carr
I'm about to do a migration from one server to another - old server runs 
Debian Lenny, new one runs Squeeze, both with respective current versions 
of postfix.


Long and short is that I'm basically preparing to migrate everything, 
including users and a mailman configuration, to the new box.  Basic 
strategy I have is to shut down smtp on the old server during the course 
of the migration, and once postfix is configured on the new box with the 
users and mailman aliases, switch the old box over to being a secondary mx 
for a few days while DNS settles down.


Is there a better way to do this, or some sort of online guide I can 
follow that can guide me through the process?


-Dennis Carr




Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Dennis Clarke

> On 17/11/2011 14:39, Dennis Clarke wrote:
>>
>>>
>>>
>>> Today I had an unhappy unix student try to submit an assignment ..
>>
>> tell your students to use the email address provided by the school on
>> the
>> school domain. Also, as a policy, I blacklist all yahoo, gmail, hotmail
>> junk and life is much better at the office.
>>
>> If someone does not have a valid email address at a reasonable domain
>> then
>> we don't want to hear from them anyways.
>
> Yes, but you're not selling anything or providing any kind of public
> service.

Doing both, quite well and quite a while now. Regardless, I would think
that the school would provide email service, web based interface of some
sort or similar, which would any issues of the delivery of a paper.

As for yahoo, hotmail and other cesspools, I block them, and life and
revenue goes on just fine.

dc



-- 
--
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke   | Solaris and Linux and Open Source |
| dcla...@blastwave.org   | Respect for open standards.   |
+-+---+



Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Jose Ildefonso Camargo Tolosa
Ok, I agree with /dev/rob0 , this has gone way off topic for this list.

All of us are free to handle spam as we decide to do it, if Dennis
wants to block @yahoo.* @gmail.com @hotmail.com , that's his decision.
 In my case, the amount of spam I receive from these domains is
minimal (and is caught by bayesian and/or IPBL and/or HELO filtering) ,
and thus: I have never considered blocking these, also, I have
customers whose addresses are on these domains, but: that's me, his
history can be very different to mine, maybe he gets hundreds or
thousands of spams from these domains a day!.

Dennis, yes *some* schools provide internal emails, others don't...
sometimes because they can't afford giving the service, or because
they just don't want to! either way, the reality is that you can't
force the world into doing what you want  the university where I
studied decided to move their mail from an internal server to
gmail!!!, I, of course, let them know that I considered it a bad idea,
but they still decided to do it

I have seen sites blocking whole countries, because they don't care
about receiving mail from these countries (and they started to get
spam from there)... I'm open to global market, and blocking mail from
any country would not make sense for me, but for other people it is a
part of their spam solution.

Other people want to spend a lot of money on commercial spam
solutions: they are free to do it!, I mean, it is not my money they
are spending, it is theirs! as long as it works: good for them! (there
are also people paying others to maintain their open source-based
anti-spam system, and that's also good).

So, people, let's just agree on something: let's respect what everyone
does, and let's not label anyone for what they decide to do, we can
give our opinion in a respectful way, and let the other person think
about it, then he/she can decide to keep doing what he/she does, or
maybe change the way of doing things but let's respect each other,
I think that's important.

Sincerely,

Ildefonso Camargo



On Thu, Nov 17, 2011 at 4:18 PM, Dennis Clarke  wrote:
>
>> On 17/11/2011 14:39, Dennis Clarke wrote:
>>>


>>>> Today I had an unhappy unix student try to submit an assignment ..
>>>
>>> tell your students to use the email address provided by the school on
>>> the
>>> school domain. Also, as a policy, I blacklist all yahoo, gmail, hotmail
>>> junk and life is much better at the office.
>>>
>>> If someone does not have a valid email address at a reasonable domain
>>> then
>>> we don't want to hear from them anyways.
>>
>> Yes, but you're not selling anything or providing any kind of public
>> service.
>
> Doing both, quite well and quite a while now. Regardless, I would think
> that the school would provide email service, web based interface of some
> sort or similar, which would any issues of the delivery of a paper.
>
> As for yahoo, hotmail and other cesspools, I block them, and life and
> revenue goes on just fine.
>
> dc
>
>
>
> --
> --
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x1D936C72FA35B44B
> +-+---+
> | Dennis Clarke           | Solaris and Linux and Open Source |
> | dcla...@blastwave.org   | Respect for open standards.       |
> +-+---+
>
>


mail defered on local network

2011-11-17 Thread Tim Dunphy
Hello list,

 I am attempting to build a basic postfix setup that is able to send mail to 
the internet. Receiving email is not a priority. 

 I've verified that this basic setup DOES work on an Amazon EC2 instance and 
can be used to send email to anyplace it would like. However when I transfer 
the config (main.cf and master.cf) to our work network the messages are 
deferred and rejected by any mail server it encounters. I'd like very much to 
understand why this is happening and to get this config to work on our local 
network.

  If I perform a telnet mail test on my local network the message is rejected 
and deferred no matter what mail server it tries to communicate with:

  [monitor03:root:/etc/postfix]#telnet localhost 25
   Trying 127.0.0.1...
   Connected to localhost.
   Escape character is '^]'.
   220 monitor03.localdomain ESMTP Postfix
   HELO monitor03
   250 monitor03.localdomain
   MAIL FROM: 
   250 2.1.0 Ok
   RCPT TO: 
   250 2.1.5 Ok
   DATA
   354 End data with .
   Subject: test message
   test test test
   .
   250 2.0.0 Ok: queued as E45C2136357
   quit
   221 2.0.0 Bye
   Connection closed by foreign host.

   This is what happens in the mail log when this test is performed:

   Nov 17 16:25:39 monitor03 postfix/smtp[26004]: E45C2136357: 
to=, relay=none, delay=4755,  
delays=4755/0.02/0.05/0, dsn=4.4.1, status=deferred (connect to 
alt4.gmail-smtp-in.l.google.com[74.125.43.27]:25:  Connection refused)

   If I perform a telnet test from the cloud instance the message is sent and 
received:

  [root@cloud postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 cloud.localdomain ESMTP Postfix
HELO cloud
250 cloud.localdomain
MAIL FROM: 
250 2.1.0 Ok
RCPT TO: 
250 2.1.5 Ok
DATA
354 End data with .
Subject: test message
test test test
.
250 2.0.0 Ok: queued as 99FBC89E0
quit
221 2.0.0 Bye
Connection closed by foreign host.


   This is what that session looks like in the mail log:

Nov 17 14:57:53 ip-10-125-10-29 postfix/qmgr[20746]: 99FBC89E0: 
from=, size=373, nrcpt=1 (queue active)
Nov 17 14:57:54 ip-10-125-10-29 postfix/smtp[3794]: 99FBC89E0: 
to=, 
relay=bleachers2.mlb.com[66.192.34.20]:25, delay=26, delays=25/0.01/0.52/0.05, 
dsn=2.0.0, status=sent (250 ok:  Message 71193152 accepted)
Nov 17 14:57:54 ip-10-125-10-29 postfix/qmgr[20746]: 99FBC89E0: removed

  Here are the settings from the config which is shared by the working and 
non working environment:

  main.cf:
  
  myorigin = $mydomain
  proxy_interfaces = 10.40.27.251 ## <-- the ip address of the problem server
  mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
  unknown_local_recipient_reject_code = 550
  mynetworks_style = subnet
  relay_domains = $mydestination
  debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 ddd $daemon_directory/$process_name $process_id & sleep 5
  sendmail_path = /usr/sbin/sendmail.postfix
  newaliases_path = /usr/bin/newaliases.postfix
  mailq_path = /usr/bin/mailq.postfix
  setgid_group = postdrop
  alias_database = hash:/etc/postfix/aliases
  alias_maps = hash:/etc/postfix/aliases

 
  
  And these are the contents of the master.cf file


# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local unix  -   

Re: reject_non_fqdn_helo_hostname usefulness, safety

2011-11-17 Thread mouss
Le 11/11/2011 00:45, Steve Fatula a écrit :
> This check says that the RFC requires a fully qualified hostname for HELO. 
> Most internet searches show this to be a "safe" check that shouldn't really 
> kill any real mail. Lately, noticed no ebay mail was coming through, looked 
> through the logs and see entries like:
> 
> Nov  9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from 
> mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 : Helo command rejected: 
> need fully-qualified hostname; from= 
> to= proto=ESMTP helo=
> 
> 
> mx88 is of course not a FQDN. So, it was correctly rejected per the setting. 
> Obviously, I can try and whitelist all the ebay servers, but, it's a slight 
> pain. Could be a moving target, etc. This would allow me to keep the setting, 
> but
> 
> Since this did block mail from a rather well known common mailer, I am 
> starting to wonder how safe this check really is. Perhaps it's not so safe. 
> Yes, that is a configuration error on ebays part, but, I don't think you 
> really want to block ebay mail.
> 
> Are you finding this is not as safe a check as it should be, since presumably 
> the RFC requires it, still, people make mistakes? Is it really of much use 
> these days anyway for blocking spam?


AFAICT, the check is safe. wait for some time and see if they don't fix
their setup.

A lot of "write a web app that sends mail" sites get into such problems
when they upgrade their web apps. (yep, the solution is easy: use an
outbound relay that detects issues and either rejects or fixes the
problems. unfortunately, many sites send directly or they configure
their outbound relay too lazily...).


if they get many errors, they notice the problem and fix it. so keep
rejecting them. (if they don't notice or fix the problem quickly, that's
a different matter. post here and/or on spam-l so that someone gets a
contact there...).




Re: mail defered on local network

2011-11-17 Thread Simon Brereton
On 17 November 2011 17:14, Tim Dunphy  wrote:
> Hello list,
>
>  I am attempting to build a basic postfix setup that is able to send mail to 
> the internet. Receiving email is not a priority.
>
>  I've verified that this basic setup DOES work on an Amazon EC2 instance and 
> can be used to send email to anyplace it would like. However when I transfer 
> the config (main.cf and master.cf) to our work network the messages are 
> deferred and rejected by any mail server it encounters. I'd like very much to 
> understand why this is happening and to get this config to work on our local 
> network.
>
>  If I perform a telnet mail test on my local network the message is rejected 
> and deferred no matter what mail server it tries to communicate with:
>
>  [monitor03:root:/etc/postfix]#telnet localhost 25
>   Trying 127.0.0.1...
>   Connected to localhost.
>   Escape character is '^]'.
>   220 monitor03.localdomain ESMTP Postfix
>   HELO monitor03
>   250 monitor03.localdomain
>   MAIL FROM: 
>   250 2.1.0 Ok
>   RCPT TO: 
>   250 2.1.5 Ok
>   DATA
>   354 End data with .
>   Subject: test message
>   test test test
>   .
>   250 2.0.0 Ok: queued as E45C2136357
>   quit
>   221 2.0.0 Bye
>   Connection closed by foreign host.
>
>   This is what happens in the mail log when this test is performed:
>
>   Nov 17 16:25:39 monitor03 postfix/smtp[26004]: E45C2136357: 
> to=, relay=none, delay=4755,      
> delays=4755/0.02/0.05/0, dsn=4.4.1, status=deferred (connect to 
> alt4.gmail-smtp-in.l.google.com[74.125.43.27]:25:  Connection refused)

4.4.1 is a transient network failure.
http://www.ietf.org/rfc/rfc1893.txt

What happens if you do your telnet test from the host to google directly?

Also, for a direct comparison send the email from the working server
to google (even though I believe you that it's a generic problem).

Simon
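The reading of dsn=4.4.1 above, as an added example that is not part of the original thread: a small Python triage of Postfix smtp delivery log lines that decodes the enhanced status code per RFC 1893 and flags the pattern Tim describes, where every delivery fails at connect time to several unrelated hosts. The recipient addresses, the second and third log lines, the function names and the "two or more destinations" threshold are assumptions made for the demonstration.

```python
import re

# RFC 1893 enhanced status codes: class, subject, and selected X.4.x details.
DSN_CLASS = {"2": "success", "4": "persistent transient failure",
             "5": "permanent failure"}
DSN_SUBJECT = {"0": "other or undefined", "1": "addressing", "2": "mailbox",
               "3": "mail system", "4": "network and routing",
               "5": "mail delivery protocol", "6": "message content",
               "7": "security or policy"}
NETWORK_DETAIL = {"1": "no answer from host", "2": "bad connection",
                  "4": "unable to route", "6": "routing loop detected",
                  "7": "delivery time expired"}

DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<text>.*)\)\s*$")
CONNECT_RE = re.compile(
    r"connect to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+):"
    r"\s*(?P<reason>.+)")

# Constructed sample: the first line follows the log entry quoted in the
# thread with a placeholder recipient; the other two are invented and use
# documentation-only domains and addresses.
SAMPLE_LOG = [
    "Nov 17 16:25:39 monitor03 postfix/smtp[26004]: E45C2136357: "
    "to=<user@example.com>, relay=none, delay=4755, "
    "delays=4755/0.02/0.05/0, dsn=4.4.1, status=deferred (connect to "
    "alt4.gmail-smtp-in.l.google.com[74.125.43.27]:25: Connection refused)",
    "Nov 17 16:26:02 monitor03 postfix/smtp[26010]: A1B2C3D4E5F: "
    "to=<user@example.net>, relay=none, delay=12, delays=11/0.01/0.04/0, "
    "dsn=4.4.1, status=deferred (connect to "
    "mx.example.net[192.0.2.25]:25: Connection refused)",
    "Nov 17 16:27:11 monitor03 postfix/smtp[26015]: 0F9E8D7C6B5: "
    "to=<user@example.org>, relay=none, delay=30, delays=0.1/0.01/30/0, "
    "dsn=4.4.1, status=deferred (connect to "
    "mx.example.org[198.51.100.25]:25: Connection timed out)",
]


def explain_dsn(dsn):
    """Turn an enhanced status code such as 4.4.1 into readable text."""
    cls, subject, detail = dsn.split(".")
    parts = [DSN_CLASS.get(cls, "unknown class"),
             DSN_SUBJECT.get(subject, "unknown subject")]
    if subject == "4" and detail in NETWORK_DETAIL:
        parts.append(NETWORK_DETAIL[detail])
    return ": ".join(parts)


def parse_delivery(line):
    """Return the fields of one smtp delivery record, or None if no match."""
    m = DELIVERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    connect = CONNECT_RE.search(rec["text"])
    rec["connect"] = connect.groupdict() if connect else None
    rec["meaning"] = explain_dsn(rec["dsn"])
    return rec


def triage(lines):
    """Summarise deliveries and flag a likely local egress problem.

    Heuristic (an assumption of this example): if nothing was delivered and
    connections to two or more distinct destinations failed before any SMTP
    dialogue (relay=none), suspect the local network path to port 25 rather
    than the remote servers.
    """
    delivered = 0
    failures = []  # (ip, reason) for deliveries that never got a connection
    for line in lines:
        rec = parse_delivery(line)
        if rec is None:
            continue
        if rec["status"] == "sent":
            delivered += 1
        elif (rec["status"] == "deferred" and rec["relay"] == "none"
              and rec["connect"]):
            failures.append((rec["connect"]["ip"], rec["connect"]["reason"]))
    destinations = {ip for ip, _ in failures}
    return {
        "delivered": delivered,
        "connect_failures": len(failures),
        "distinct_destinations": len(destinations),
        "reasons": sorted({reason for _, reason in failures}),
        "egress_suspected": delivered == 0 and len(destinations) >= 2,
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        record = parse_delivery(entry)
        print(record["qid"], record["dsn"], record["meaning"])
    print(triage(SAMPLE_LOG))
```

When `egress_suspected` is true, the direct telnet test from the host to a remote MX on port 25 is the next check, since it separates a local firewall or provider block from a remote refusal.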


Re: Migration from one server to another - best practices?

2011-11-17 Thread Simon Brereton
On 17 November 2011 14:02, Dennis Carr  wrote:
> I'm about to do a migration from one server to another - old server runs
> Debian Lenny, new one runs Squeeze, both with respective current versions of
> postfix.
>
> Long and short is that I'm basically preparing to migrate everything,
> including users and a mailman configuration, to the new box.  Basic strategy
> I have is to shut down smtp on the old server during the course of the
> migration, and once postfix is configured on the new box with the users and
> mailman aliases, switch the old box over to being a secondary mx for a few
> days while DNS settles down.
>
> Is there a better way to do this, or some sort of online guide I can follow
> that can guide me through the process?

I'm pretty much the last person whose approach you should listen to,
but this is how I did it.
You don't say if the mbox/maildirs are also on the same server.  If
not, this could be easier for you.

-  Copy over the configuration and start the service
-  Optionally rsync any mailboxes/maildirs
-  Confirm delivery is working through the new system
-  Change over the DNS to point to the new box (MX 10) and the old one
as backup (MX 20)
-  When mails start hitting the new one (probably around 2 hours
depending on your DNS TTL), turn off the old one.
-  Optionally rsync (with a --delete option) any maildir/mailboxes for
any mail that was delivered between the DNS switch and turning off the
old server.

Simon


Re: Migration from one server to another - best practices?

2011-11-17 Thread Patrick Ben Koetter
* Simon Brereton :
> On 17 November 2011 14:02, Dennis Carr  wrote:
> > I'm about to do a migration from one server to another - old server runs
> > Debian Lenny, new one runs Squeeze, both with respective current versions of
> > postfix.
> >
> > Long and short is that I'm basically preparing to migrate everything,
> > including users and a mailman configuration, to the new box.  Basic strategy
> > I have is to shut down smtp on the old server during the course of the
> > migration, and once postfix is configured on the new box with the users and
> > mailman aliases, switch the old box over to being a secondary mx for a few
> > days while DNS settles down.

Set DNS TTL for your MX to 1 hour.

Setup and configure the new server. Use rsync to migrate mailman data and
mailboxes (or dsync for mailboxes if you plan to use Dovecot too).

When the old DNS TTL has expired shut down the old SMTP. Do a last sync and put
the new SMTP server to work.

p@rick


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: Increasing number of connections?

2011-11-17 Thread Alex
Hi,

>> When using amavisd-new, shouldn't the number of processes match the
>> number of smtpd processes?
>
> When using amavisd-new as a content_filter, the number of postfix
> smtp->amavisd feeder processes should be equal to (or maybe one less
> than for monitoring) the number of amavisd processes.  This is
> independent of the number of smtpd input processes.

I think I may be still a bit confused.

Can you confirm that this is the relevant section I should be
adjusting to prevent timeouts connecting to port 25:

smtp      inet  n       -       n       -       -       smtpd
        -o receive_override_options=no_address_mappings

I also increased the number of amavisd feeder processes to 24 today,
and it seemed to handle the load:

smtp-amavis unix -      -       n       -       24      smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet n  -       n       -       24      smtpd
        -o content_filter=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o smtpd_restriction_classes=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
        -o local_header_rewrite_clients=

Thanks again,
Alex


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Tõnu Samuel
On Thu, 2011-11-17 at 16:47 -0430, Jose Ildefonso Camargo Tolosa wrote:
> Ok, I agree with /dev/rob0 , this has gone way off topic for this list.

I just keep reading all this discussion. Yes this is not postfix topic
but for any kind of decision I am highly interested in reasoning, not
decision. This is why I read this thread with high interest. Also many
of us may have important experience to share. For example at some point
we had massive amount of Chinese spam coming in and I looked for ways to
block it. One thing I tested was blocking on charset GB2312 using
something like "Subject:  ???somethingGB2312". This was good attempt I
heard many other people came to same idea but this failed for me. Reason
was that when someone from China wrote in English, even then sometime
such character set was indicated for something like single space. I do
not remember exact details but just want to tell that those charset
identifiers often happen to be in mails which are all latin.

This is why I read thread with big interest. Someone blocking gmail?
Hmm, what is his experience? Not much complaints? hmm..

One more thing I learned from keeping BL for Estonia. I do process spam
and make BL or "list". I do not make rules how others should use the
list. Same about spamcop. They keep list. How one uses this list is
decision of mailhost. If mailhost decides to trust it (what I do), then
mailhost decision is to DROP, REJECT, ACCEPT or react somehow different.

Sorry if this thread already went too long and far from postfix but I
just try to argue and listen carefully for arguments.

  Tõnu



Re: Increasing number of connections?

2011-11-17 Thread Noel Jones
On 11/17/2011 7:37 PM, Alex wrote:
> Hi,
> 
>>> When using amavisd-new, shouldn't the number of processes match the
>>> number of smtpd processes?
>>
>> When using amavisd-new as a content_filter, the number of postfix
>> smtp->amavisd feeder processes should be equal to (or maybe one less
>> than for monitoring) the number of amavisd processes.  This is
>> independent of the number of smtpd input processes.
> 
> I think I may be still a bit confused.
> 
> Can you confirm that this is the relevant section I should be
> adjusting to prevent timeouts connecting to port 25:
> 
> smtp      inet  n       -       n       -       -       smtpd
>         -o receive_override_options=no_address_mappings

Yes, adjust the above service to control how many network smtpd
listeners you have.


> 
> I also increased the number of amavisd feeder processes to 24 today,
> and it seemed to handle the load:
> 
> smtp-amavis unix -      -       n       -       24      smtp
>...

The above controls the number of feeder processes from postfix to
amavisd.  This number should match the number of amavisd-new
processes (or optionally one less than the amavisd-new process
limit).  This number should never be higher than the number of
amavisd-new processes.


> 127.0.0.1:10025 inet n  -       n       -       24      smtpd
> ...

This smtpd listener is for amavisd-new to reinject mail back to
postfix.  The process limit on this service must be equal to or
greater than the number of amavisd-new processes.  You can safely
leave this service's process count at the "-" default setting
(assuming your main.cf $default_process_limit (default 100) is
greater than the number of amavisd-new processes).


  -- Noel Jones
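The three process-limit rules in the reply above, as an added example that is not part of the original thread: a Python check that reads master.cf and amavisd.conf text and reports when the feeder limit exceeds amavisd's `$max_servers` or the reinjection listener is smaller than it. The service names come from Alex's post; the sample files, the `$max_servers` value of 5 and all function names are constructed for the demonstration.

```python
import math
import re

DEFAULT_PROCESS_LIMIT = 100  # Postfix default for $default_process_limit

# Constructed sample input, modelled on the entries quoted in this thread.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
        -o receive_override_options=no_address_mappings
smtp-amavis unix -      -       n       -       24      smtp
        -o smtp_data_done_timeout=1200
        -o max_use=20
127.0.0.1:10025 inet n  -       n       -       24      smtpd
        -o content_filter=
        -o mynetworks=127.0.0.0/8
"""
# Constructed amavisd.conf fragment; the value 5 is an assumption.
SAMPLE_AMAVISD_CONF = "$max_servers = 5;  # number of pre-forked children\n"


def effective_maxproc(field, default=DEFAULT_PROCESS_LIMIT):
    """Resolve a master.cf maxproc field: '-' is the default, 0 is no limit."""
    if field == "-":
        return default
    value = int(field)
    return math.inf if value == 0 else value


def parse_master_cf(text, default=DEFAULT_PROCESS_LIMIT):
    """Return {(service, type): entry} for every logical line of master.cf.

    Blank lines and '#' comments are skipped; a line that starts with
    whitespace continues the previous logical line.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = {}
    for line in logical:
        fields = line.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf entry: {line!r}")
        entries[(fields[0], fields[1])] = {
            "maxproc": effective_maxproc(fields[6], default),
            "command": fields[7],
            "args": fields[8:],
        }
    return entries


def parse_max_servers(conf_text):
    """Extract the integer assigned to $max_servers in amavisd.conf text."""
    m = re.search(r"^\s*\$max_servers\s*=\s*(\d+)\s*;", conf_text, re.MULTILINE)
    if m is None:
        raise ValueError("$max_servers not set in amavisd.conf")
    return int(m.group(1))


def check_limits(master_cf, amavisd_conf,
                 feeder=("smtp-amavis", "unix"),
                 reinject=("127.0.0.1:10025", "inet")):
    """Return a list of (severity, message) findings; empty means consistent."""
    entries = parse_master_cf(master_cf)
    max_servers = parse_max_servers(amavisd_conf)
    feed = entries[feeder]["maxproc"]
    back = entries[reinject]["maxproc"]
    findings = []
    if feed > max_servers:
        findings.append(("error",
                         f"{feeder[0]} maxproc={feed} is higher than "
                         f"amavisd $max_servers={max_servers}"))
    elif feed < max_servers - 1:
        findings.append(("note",
                         f"{feeder[0]} maxproc={feed} leaves some of the "
                         f"{max_servers} amavisd processes without a feeder"))
    if back < max_servers:
        findings.append(("error",
                         f"{reinject[0]} maxproc={back} is lower than "
                         f"amavisd $max_servers={max_servers}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_limits(SAMPLE_MASTER_CF, SAMPLE_AMAVISD_CONF):
        print(f"{severity}: {message}")
```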


Re: Recipent restrictions

2011-11-17 Thread Dilip Mishra // Viva
Thanks for replies, will try the changes and let u know the issues.
On Thu, Nov 17, 2011 at 8:18 PM, Simon Brereton <
simon.brere...@buongiorno.com> wrote:

> On 17 November 2011 01:13, Dilip Mishra // Viva
>  wrote:
> > Hello Group,
> > I want to implement some restrictions on postfix by which it would reject
> > domains without mx records, as well as those specified in access table.
> > These are some domains to I do not want to send mails at all. My problem
> is
> > that, this setting does not work at all, since the sending IPs are
> specified
> > in mynetworks. The moment I change the order of the parameters, it
> starts to
> > reject all mails from all the IPs. Please help me to set the correct
> order
> > of the parameters in main.cf:
> > smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> > permit_inet_interfaces, check_recipient_access hash:/etc/postfix/access,
> > reject_unauth_destination, reject_rbl_client list.dsbl.org,
> > reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org
> ,
> > reject_rhsbl_sender dsn.rfc-ignorant.org, check_relay_domains
>
>
> I would also suggest that you need permit_sasl_authenticated before
> permit_mynetworks.  And reject_unauth_destination should maybe also be
> higher up.  And what purpose does your relay_domains serve at the
> end?
>
> Simon
>



-- 
In case of any further queries, Please feel free to mail me or contact me on
the numbers provided below.

Thanks & Regards,
Dilip H.Mishra
Server Administrator

Viva Infomedia Pvt. Ltd.
242, Oshiwara Industrial Centre,
Opp. Oshiwara Bus Depot, New Link Road,
Goregaon West, Mumbai 400104.

Direct: +91.22.4293 0162
Board: +91.22.4293 0100

Email : dilip.mis...@vivaconnect.in
Web  : www.vivaconnect.in

Viva Infomedia: Awarded as Best SME (E-Commerce) at CNBC Emerging India
Awards 2009

Disclaimer:
This e-mail and any files transmitted with it are for the sole use of the
intended recipient(s) and may contain confidential and privileged
information. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies and the original message. Any
unauthorized review, use, disclosure,dissemination, forwarding, printing or
copying of this email or any action taken in reliance on this e-mail is
strictly prohibited and may be unlawful. The recipient acknowledges that
Viva Infomedia Pvt.Ltd. or its subsidiaries and associated companies are
unable to exercise control or ensure or guarantee the integrity of/over the
contents of the information contained in e-mail transmissions and further
acknowledges that any views expressed in this message are those of the
individual sender and no binding nature of the message shall be implied or
assumed unless the sender does so expressly with due authority of Viva
Infomedia Pvt.Ltd. Before opening any attachments please check them for
viruses and defects.


Re: Increasing number of connections?

2011-11-17 Thread Alex
Hi,

>> Can you confirm that this is the relevant section I should be
>> adjusting to prevent timeouts connecting to port 25:
>>
>> smtp      inet  n       -       n       -       -       smtpd
>>         -o receive_override_options=no_address_mappings
>
> Yes, adjust the above service to control how many network smtpd
> listeners you have.
[snipped]

Thanks so much for your help.
Best,
Alex


Re: Rewriting question

2011-11-17 Thread Dilip Mishra // Viva
Sorry for jumping in guys but I seem to face a similar problem where there
are domains which get changed. For eg: some may move from abc.net to
abc.org etc.

What I need is to replace such domains on my MTA's. How should I perfectly
achieve it? Also, how long could be the file?

On Tue, Nov 15, 2011 at 7:29 PM, Noel Jones  wrote:

> On 11/15/2011 3:44 AM, Adrian P. van Bloois wrote:
> > Hi All,
> > I'd like to catch ALL mail addressed to someth...@somedomain.blad and
> > rewrite that to something@certaindomain.
> > The point is .bla, I don't know what's in front of this. rH
> > how can I best do that?
> >
> >   Regards
> >   Adrian
> >
> >
>
>
> The general answer is to use a regexp or pcre table.  For a more
> specific answer, we would need to know *exactly* what you're trying
> to rewrite and why it needs rewriting.
>
> http://www.postfix.org/ADDRESS_REWRITING_README.html
> http://www.postfix.org/regexp_table.5.html
> http://www.postfix.org/pcre_table.5.html
>
>
>
>  -- Noel Jones
>





Re: Rewriting question

2011-11-17 Thread Claudio Kuenzler
Take a look at this: http://www.postfix.org/ADDRESS_REWRITING_README.html
There are a lot of examples and you'll find what you're looking for.

If you want to change the domain for incoming and outgoing e-mails you can
do this with canonical_maps. If you only want to apply the rules for
incoming mails, use recipient_canonical_maps or for outgoing mails
sender_canonical_maps.
The table/file you define after the parameter can contain the complete
domain name (as wildcard) or full e-mail address which you want to rewrite:

canonical_map:
@abc.net       @abc.org       <- for all e-mail addresses of abc.net
ma...@abc.net  ma...@abc.org  <- only single e-mail address

On Fri, Nov 18, 2011 at 7:35 AM, Dilip Mishra // Viva <
dilip.mis...@vivainfomedia.com> wrote:

> Sorry for jumping in guys but I seem to face a similar problem where there
> are domains which gets changed. For eg: some may move from abc.net to
> abc.org etc.
>
> What I need is to replace such domains on my MTA's. How should I perfectly
> achieve it? Also, how long could be the file?
>
>
> On Tue, Nov 15, 2011 at 7:29 PM, Noel Jones wrote:
>
>> On 11/15/2011 3:44 AM, Adrian P. van Bloois wrote:
>> > Hi All,
>> > I'd like to catch ALL mail addressed to someth...@somedomain.blad and
>> > rewrite that to something@certaindomain.
>> > The point is .bla, I don't know what's in front of this. rH
>> > how can I best do that?
>> >
>> >   Regards
>> >   Adrian
>> >
>> >
>>
>>
>> The general answer is to use a regexp or pcre table.  For a more
>> specific answer, we would need to know *exactly* what you're trying
>> to rewrite and why it needs rewriting.
>>
>> http://www.postfix.org/ADDRESS_REWRITING_README.html
>> http://www.postfix.org/regexp_table.5.html
>> http://www.postfix.org/pcre_table.5.html
>>
>>
>>
>>  -- Noel Jones
>>
>


Re: Rewriting question

2011-11-17 Thread Viktor Dukhovni
On Fri, Nov 18, 2011 at 07:56:07AM +0100, Claudio Kuenzler wrote:

> Take a look at this: http://www.postfix.org/ADDRESS_REWRITING_README.html
> There are a lot of examples and you'll find what you're looking for.

Yes, the document is a good place to start.

> If you want to change the domain for incoming and outgoing e-mails you can
> do this with canonical_maps.

No, this advice is probably not wise.

> The table/file you define after the parameter can contain the complete
> domain name (as wildcard) or full e-mail address which you want to rewrite:
> 
> canonical_map:
> @abc.net @abc.org   <- for all e-mail addresses of abc.net
> ma...@abc.net  ma...@abc.org  <- only single e-mail address

Wildcard canonical mappings break recipient validation and are strongly
discouraged.

> If you only want to apply the rules for
> incoming mails, use recipient_canonical_maps or for outgoing mails
> sender_canonical_maps.

This is really quite wrong, as sender_canonical_maps applies to the
"From:" and envelope sender addresses regardless of whether the message
is incoming or outgoing.

Likewise "recipient_canonical_maps" applies to the "To:/Cc:" and
envelope recipient addresses regardless of whether the message is
incoming or outgoing.

Finally, it is almost always wrong to apply different rewriting
rules to "From:" vs. "To:/Cc:" headers. Rather there is a normal
form for headers one wants to present to the outside world, and sometimes
a different form for internal consumption.

Therefore, rewriting of all headers should as necessary depend on
the destination, and so must happen in the delivery agent, via
"smtp_generic_maps". One can use different smtp delivery agent
instances for inbound vs. outbound delivery.

Wildcard rewrites in smtp_generic_maps happen long after recipient
validation, and pose no issues.

-- 
Viktor.
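
The layout described in the message above, sketched as an added example that is not part of the original thread: the wildcard domain rewrite moves out of canonical_maps and into smtp_generic_maps, with a second smtp(8) instance that does no rewriting. The file paths and the choice of the stock "relay" service as the inbound/internal instance are assumptions; abc.net and abc.org are the thread's own example domains.

```conf
# ---------------------------------------------------------------------
# Discouraged form (the one the message above warns against):
# a wildcard in canonical_maps, which breaks recipient validation.
#
# /etc/postfix/main.cf
#   canonical_maps = hash:/etc/postfix/canonical
# /etc/postfix/canonical
#   @abc.net    @abc.org
# ---------------------------------------------------------------------

# Preferred form: rewrite in the delivery agent, per destination.

# /etc/postfix/main.cf
# Applies to every smtp(8) instance unless overridden in master.cf.
smtp_generic_maps = hash:/etc/postfix/generic
# Mail for relay_domains is handed to the "relay" service (assumed here
# to be the path towards internal hosts).
relay_transport = relay

# /etc/postfix/generic   (assumed path; rebuild with: postmap /etc/postfix/generic)
# Wildcard is acceptable here: the lookup happens at delivery time,
# long after recipient validation.
@abc.net    @abc.org

# /etc/postfix/master.cf
# Outbound instance: inherits smtp_generic_maps from main.cf, so the
# outside world sees @abc.org in envelope and header addresses.
smtp      unix  -       -       n       -       -       smtp
# Inbound/internal instance: same program, rewriting switched off so
# internal hosts keep seeing the original addresses.
relay     unix  -       -       n       -       -       smtp
    -o smtp_generic_maps=
```

After editing, `postfix check` and `postmap -q @abc.net hash:/etc/postfix/generic` confirm that the table is readable and the wildcard key resolves.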


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Robert Schetterer
Am 18.11.2011 03:41, schrieb Tõnu Samuel:
> On Thu, 2011-11-17 at 16:47 -0430, Jose Ildefonso Camargo Tolosa wrote:
>> Ok, I agree with /dev/rob0 , this has gone way off topic for this list.
> 
> I just keep reading all this discussion. Yes this is not postfix topic
> but for any kind of decision I am highly interested in reasoning, not
> decision. This is why I read this thread with high interest. Also many
> of us may have important experience to share. For example at some point
> we had massive amount of Chinese spam coming in and I looked for ways to
> block it. One thing I tested was blocking on charset GB2312 using
> something like "Subject:  ???somethingGB2312". This was good attempt I
> heard many other people came to same idea but this failed for me. Reason
> was that when someone from China wrote in English, even then sometime
> such character set was indicated for something like single space. I do
> not remember exact details but just want to tell that those charset
> identifiers often happen to be in mails which are all latin.
> 
> This is why I read thread with big interest. Someone blocking gmail?
> Hmm, what is his experience? Not much complaints? hmm..
> 
> One more thing I learned from keeping BL for Estonia. I do process spam
> and make BL or "list". I do not make rules how others should use the
> list. Same about spamcop. They keep list. How one uses this list is
> decision of mailhost. If mailhost decides to trust it (what I do), then
> mailhost decision is to DROP, REJECT, ACCEPT or react somehow different.
> 
> Sorry if this thread already went too long and far from postfix but I
> just try to argue and listen carefully for arguments.
> 
>   Tõnu
> 

All things that had to be told have been told about this issue.
Why aren't you discussing off-list?

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Rewriting question

2011-11-17 Thread Claudio Kuenzler
Viktor, take a look at my e-mail sent 3 days ago in the same thread. I
already mentioned the smtp_generic_maps there (order before canonical).

Now it depends on what Dilip wants to achieve, we didn't get enough
details.
smtp_generic_maps won't work, if you still need to receive e-mails for the
old domain (here abc.net) and forward them to a remote host where the
mailboxes are stored.
If the mailboxes are stored on the postfix server then this should be
smtp_generic_maps, I agree.

On Fri, Nov 18, 2011 at 8:06 AM, Viktor Dukhovni  wrote:

> On Fri, Nov 18, 2011 at 07:56:07AM +0100, Claudio Kuenzler wrote:
>
> > Take a look at this: http://www.postfix.org/ADDRESS_REWRITING_README.html
> > There are a lot of examples and you'll find what you're looking for.
>
> Yes, the document is a good place to start.
>
> > If you want to change the domain for incoming and outgoing e-mails you can
> > do this with canonical_maps.
>
> No, this advice is probably not wise.
>
> > The table/file you define after the parameter can contain the complete
> > domain name (as wildcard) or full e-mail address which you want to rewrite:
> >
> > canonical_map:
> > @abc.net @abc.org   <- for all e-mail addresses of abc.net
> > ma...@abc.net  ma...@abc.org  <- only single e-mail address
>
> Wildcard canonical mappings break recipient validation and are strongly
> discouraged.
>
> > If you only want to apply the rules for
> > incoming mails, use recipient_canonical_maps or for outgoing mails
> > sender_canonical_maps.
>
> This is really quite wrong, as sender_canonical_maps applies to the
> "From:" and envelope sender addresses regardless of whether the message
> is incoming or outgoing.
>
> Likewise "recipient_canonical_maps" applies to the "To:/Cc:" and
> envelope recipient addresses regardless of whether the message is
> incoming or outgoing.
>
> Finally, it is almost always wrong to apply different rewriting
> rules to "From:" vs. "To:/Cc:" headers. Rather there is a normal
> form for headers one wants to present to the outside world, and sometimes
> a different form for internal consumption.
>
> Therefore, rewriting of all headers should as necessary depend on
> the destination, and so must happen in the delivery agent, via
> "smtp_generic_maps". One can use different smtp delivery agent
> instances for inbound vs. outbound delivery.
>
> Wildcard rewrites in smtp_generic_maps happen long after recipient
> validation, and pose no issues.
>
> --
>Viktor.
>