On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

Hi,

I've read (e.g. here: 
http://readlist.com/lists/postfix.org/postfix-users/19/99851.html and 
elsewhere) that when we want to use proxymap (like: "proxy:ldap:..."), 
then we need to add in main.cf the output of postconf -d | grep 
proxy_read_maps and append any additional parameters.


So in my case (Postfix 2.8.3):

# postconf -d | grep proxy_read_maps
proxy_read_maps = $local_recipient_maps $mydestination 
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps 
$virtual_mailbox_domains $relay_recipient_maps $relay_domains 
$canonical_maps $sender_canonical_maps $recipient_canonical_maps 
$relocated_maps $transport_maps $mynetworks $sender_bcc_maps 
$recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps


...and:

virtual_alias_maps = hash:/etc/postfix/aliases,
 hash:/etc/postfix/aliases.d/virtual_aliases,
 ldap:/etc/postfix/ldap-alias-vacation.cf,
 ldap:/etc/postfix/ldap-aliases.cf

virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf

As a result, if I understand things right, I should define explicitly:

ldap_alias_vacation_map = proxy:ldap:/etc/postfix/ldap-alias-vacation.cf
ldap_alias_map = proxy:ldap:/etc/postfix/ldap-aliases.cf
ldap_virtual_mailbox_map = proxy:ldap:/etc/postfix/ldap-users.cf

proxy_read_maps = $local_recipient_maps, $mydestination,
 $virtual_alias_maps, $virtual_alias_domains, $virtual_mailbox_maps,
 $virtual_mailbox_domains, $relay_recipient_maps, $relay_domains,
 $canonical_maps, $sender_canonical_maps, $recipient_canonical_maps,
 $relocated_maps, $transport_maps, $mynetworks, $sender_bcc_maps,
 $recipient_bcc_maps, $smtp_generic_maps, $lmtp_generic_maps,
 $ldap_alias_vacation_map, $ldap_alias_map, $ldap_virtual_mailbox_map

virtual_alias_maps = hash:/etc/postfix/aliases,
 hash:/etc/postfix/aliases.d/virtual_aliases,
 $ldap_alias_vacation_map,
 $ldap_alias_map

virtual_mailbox_maps = $ldap_virtual_mailbox_map

Questions:
1. Is my approach right?
2. I am a bit confused in that we are adding in proxy_read_maps e.g. 
BOTH virtual_alias_maps AND (some of) the values of that setting (here: 
$ldap_alias_vacation_map, $ldap_alias_map). How should I understand the 
need to add (again, as an example) $virtual_alias_maps in 
proxy_read_maps? (It would seem to me natural to add the affected values 
only: $ldap_alias_vacation_map, $ldap_alias_map). The same goes for 
other similar settings.


Please advise.

Thanks,
Nick



Re: On proxy_read_maps

2012-03-09 Thread Wietse Venema
Nikolaos Milas:
> So in my case (Postfix 2.8.3):
> 
> # postconf -d | grep proxy_read_maps
> proxy_read_maps = $local_recipient_maps $mydestination 
> $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps 
> $virtual_mailbox_domains $relay_recipient_maps $relay_domains 
> $canonical_maps $sender_canonical_maps $recipient_canonical_maps 
> $relocated_maps $transport_maps $mynetworks $sender_bcc_maps 
> $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps

proxy_read_maps is meant to include all the parameters that have
read-only lookup tables. As Postfix evolves over time, new
tables don't always get added to the proxy_read_maps default value.

However, virtual_alias_maps is already listed in the default.

> ...and:
> 
> virtual_alias_maps = hash:/etc/postfix/aliases,
>   hash:/etc/postfix/aliases.d/virtual_aliases,
>   ldap:/etc/postfix/ldap-alias-vacation.cf,
>   ldap:/etc/postfix/ldap-aliases.cf

There is no proxy: in there. If you use

virtual_alias_maps = proxy:ldap:whatever ...

Then it will automatically be included in the proxy_read_maps
value, and the proxymap daemon will permit lookups.

Wietse


Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 1:03 PM, Wietse Venema wrote:

> There is no proxy: in there. If you use
>
>  virtual_alias_maps = proxy:ldap:whatever  ...
>
> Then it will automatically be included in the proxy_read_maps
> value, and the proxymap daemon will permit lookups.


Thanks Wietse,

Initially, I assumed it would be as you describe (exactly because these 
settings were listed in proxy_read_maps), and I tried simply adding 
"proxy:" in front of my "ldap:..." entries and reloaded, but it failed:


Mar 8 20:06:56 vmail postfix/proxymap[32375]: fatal: open /etc/postfix/ldap-alias-vacation.cf: Permission denied
Mar 8 20:06:57 vmail postfix/submission/smtpd[32325]: warning: private/proxymap socket: service dict_proxy_open: Success
Mar 8 20:06:57 vmail postfix/master[3162]: warning: process /usr/libexec/postfix/proxymap pid 32375 exit status 1
Mar 8 20:06:57 vmail postfix/master[3162]: warning: /usr/libexec/postfix/proxymap: bad command startup -- throttling


Therefore, I started searching older threads and found the info I wrote 
about.


For reference:

# ls -la /etc/postfix/ldap-*
-rw-r----- 1 root root 774 Oct 26 2010 /etc/postfix/ldap-aliases.cf
-rw-r----- 1 root root 358 Aug 24 2010 /etc/postfix/ldap-alias-vacation.cf
-rwxr-x--- 1 root root 495 Aug 24 2010 /etc/postfix/ldap-users.cf

# ls -la /usr/libexec/postfix/proxy*
-rwxr-xr-x 1 root root 726263 May 23 2011 /usr/libexec/postfix/proxymap

Any ideas?

Thanks again,
Nick



Re: On proxy_read_maps

2012-03-09 Thread Wietse Venema
Nikolaos Milas:
> Mar 8 20:06:56 vmail postfix/proxymap[32375]: fatal: open 
> /etc/postfix/ldap-alias-vacation.cf: Permission denied

The ***POSTFIX*** user must be able to open the file.

Wietse


Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 1:33 PM, Nikolaos Milas wrote:

> # ls -la /etc/postfix/ldap-*
> -rw-r----- 1 root root 774 Oct 26 2010 /etc/postfix/ldap-aliases.cf
> -rw-r----- 1 root root 358 Aug 24 2010 /etc/postfix/ldap-alias-vacation.cf
> -rwxr-x--- 1 root root 495 Aug 24 2010 /etc/postfix/ldap-users.cf


I would like to add that I also tried to chmod 644 these files, but it 
still failed.


Mar  8 20:11:55 vmail postfix/master[3162]: reload -- version 2.8.3, configuration /etc/postfix
Mar  8 20:12:01 vmail postfix/proxymap[32599]: warning: request for unapproved table: "ldap:/etc/postfix/ldap-alias-vacation.cf"
Mar  8 20:12:01 vmail postfix/proxymap[32599]: warning: to approve this table for read-only access, list proxy:ldap:/etc/postfix/ldap-alias-vacation.cf in main.cf:proxy_read_maps
Mar  8 20:12:01 vmail postfix/submission/smtpd[32325]: fatal: proxymap service is not configured for table "ldap:/etc/postfix/ldap-alias-vacation.cf"


Note: The log excerpt I sent in my previous post might be after I added 
"proxy:" and  before reloading!


Nick


Re: On proxy_read_maps

2012-03-09 Thread Reindl Harald


On 09.03.2012 12:44, Nikolaos Milas wrote:
> On 9/3/2012 1:33 PM, Nikolaos Milas wrote:
> 
>> # ls -la /etc/postfix/ldap-*
>> -rw-r----- 1 root root 774 Oct 26 2010 /etc/postfix/ldap-aliases.cf
>> -rw-r----- 1 root root 358 Aug 24 2010 /etc/postfix/ldap-alias-vacation.cf
>> -rwxr-x--- 1 root root 495 Aug 24 2010 /etc/postfix/ldap-users.cf
> 
> I would like to add that I also tried to chmod 644 these files, but it still 
> failed.
> 
> Mar  8 20:11:55 vmail postfix/master[3162]: reload -- version 2.8.3, configuration /etc/postfix
> Mar  8 20:12:01 vmail postfix/proxymap[32599]: warning: request for unapproved table: "ldap:/etc/postfix/ldap-alias-vacation.cf"
> Mar  8 20:12:01 vmail postfix/proxymap[32599]: warning: to approve this table for read-only access, list proxy:ldap:/etc/postfix/ldap-alias-vacation.cf in main.cf:proxy_read_maps
> Mar  8 20:12:01 vmail postfix/submission/smtpd[32325]: fatal: proxymap service is not configured for table "ldap:/etc/postfix/ldap-alias-vacation.cf"
> 
> Note: The log excerpt I sent in my previous post might be after I added 
> "proxy:" and  before reloading!

this is how i configured proxy_read_maps since years
644 is a very bad idea -> chown root:postfix, chmod 640

[root@srv-rhsoft:~]$ ls /etc/postfix/mysql-*
-rw-r----- 1 root postfix 195 2011-04-27 18:59 /etc/postfix/mysql-aliases.cf
-rw-r----- 1 root postfix 294 2011-05-28 19:06 /etc/postfix/mysql-forwarders.cf
-rw-r----- 1 root postfix 201 2011-04-27 18:59 /etc/postfix/mysql-mydestination.cf
-rw-r----- 1 root postfix 195 2011-04-27 18:59 /etc/postfix/mysql-mynetworks.cf
-rw-r----- 1 root postfix 196 2011-04-27 18:59 /etc/postfix/mysql-recipients.cf
-rw-r----- 1 root postfix 463 2011-04-27 18:59 /etc/postfix/mysql-rewritedomains.cf
-rw-r----- 1 root postfix 203 2011-04-27 18:59 /etc/postfix/mysql-rewritesenders.cf
-rw-r----- 1 root postfix 327 2011-04-27 18:59 /etc/postfix/mysql-senderaccess.cf
-rw-r----- 1 root postfix 365 2011-05-12 23:32 /etc/postfix/mysql-sender_relay_hosts_auth.cf
-rw-r----- 1 root postfix 202 2011-04-27 18:59 /etc/postfix/mysql-sender_relay_hosts.cf
-rw-r----- 1 root postfix 198 2011-04-27 18:59 /etc/postfix/mysql-spamfilter.cf
-rw-r----- 1 root postfix 262 2011-04-27 18:59 /etc/postfix/mysql-transport.cf


proxy_read_maps = proxy:mysql:/etc/postfix/mysql-mynetworks.cf
 proxy:mysql:/etc/postfix/mysql-mydestination.cf
 proxy:mysql:/etc/postfix/mysql-recipients.cf
 proxy:mysql:/etc/postfix/mysql-rewritedomains.cf
 proxy:mysql:/etc/postfix/mysql-rewritesenders.cf
 proxy:mysql:/etc/postfix/mysql-transport.cf
 proxy:mysql:/etc/postfix/mysql-sender_relay_hosts.cf
 proxy:mysql:/etc/postfix/mysql-sender_relay_hosts_auth.cf
 proxy:mysql:/etc/postfix/mysql-aliases.cf
 proxy:mysql:/etc/postfix/mysql-senderaccess.cf
 proxy:mysql:/etc/postfix/mysql-spamfilter.cf
 proxy:mysql:/etc/postfix/mysql-forwarders.cf

smtpd_recipient_restrictions =
 permit_mynetworks
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_unlisted_sender
 reject_authenticated_sender_login_mismatch
 permit_sasl_authenticated
 reject_unknown_sender_domain
 reject_unknown_recipient_domain
 reject_unauth_destination
 reject_unknown_reverse_client_hostname
 reject_invalid_hostname
 reject_unauth_pipelining
 check_recipient_access proxy:mysql:/etc/postfix/mysql-spamfilter.cf

mynetworks = 127.0.0.0/8, proxy:mysql:/etc/postfix/mysql-mynetworks.cf
mydestination = proxy:mysql:/etc/postfix/mysql-mydestination.cf
local_recipient_maps = proxy:mysql:/etc/postfix/mysql-recipients.cf
recipient_canonical_maps = proxy:mysql:/etc/postfix/mysql-rewritedomains.cf
sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-rewritesenders.cf
transport_maps = proxy:mysql:/etc/postfix/mysql-transport.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-sender_relay_hosts.cf
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-sender_relay_hosts_auth.cf
alias_maps = proxy:mysql:/etc/postfix/mysql-aliases.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-senderaccess.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwarders.cf



signature.asc
Description: OpenPGP digital signature


Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

For reference:

# postconf -n
alias_database = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_logging_resolution_limit = 3
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = noa.gr
myhostname = vmail.noa.gr
mynetworks = 195.251.204.0/24, 195.251.202.0/24, 195.251.203.0/24, 194.177.194.0/24, 194.177.195.0/24, 127.0.0.0/8, 195.251.5.0/24, [2001:648:2011::]/48
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
smtpd_delay_reject = yes
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations, permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination, reject_unknown_recipient_domain,reject_unverified_recipient
smtpd_restriction_classes = controlled_senders,allowed_list1
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/chain-180.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/cert-180.pem
smtpd_tls_exclude_ciphers = DES,3DES,MD5,aNULL,AES128,CAMELLIA128
smtpd_tls_key_file = /etc/pki/tls/private/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases, ldap:/etc/postfix/ldap-alias-vacation.cf, ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain, space.$mydomain, admin.$mydomain, nestor.$mydomain, gein.$mydomain, meteo.$mydomain, technet.$mydomain, astro.$mydomain
virtual_mailbox_limit = 0
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_transport = dovecot
virtual_uid_maps = static:500




Re: On proxy_read_maps

2012-03-09 Thread Reindl Harald


On 09.03.2012 12:49, Nikolaos Milas wrote:
> For reference:
> 
> # postconf -n
> 

why are you not doing simply what the error-message suggests?
add it to "proxy_read_maps", see my mail before

Mar  8 20:12:01 vmail postfix/proxymap[32599]: warning: to approve this table for read-only access, list proxy:ldap:/etc/postfix/ldap-alias-vacation.cf in main.cf:proxy_read_maps
Mar  8 20:12:01 vmail postfix/submission/smtpd[32325]: fatal: proxymap service is not configured for table "ldap:/etc/postfix/ldap-alias-vacation.cf"





Re: On proxy_read_maps

2012-03-09 Thread Wietse Venema
Nikolaos Milas:
> Mar  8 20:12:01 vmail postfix/proxymap[32599]: warning: request for 
> unapproved table: "ldap:/etc/postfix/ldap-alias-vacation.cf"

That is because you screwed up the proxy_read_maps parameter setting.
COMMENT it OUT and THIS ERROR will go away, leaving your INCORRECT
FILE PERMISSION problem. Then, FIX THE FILE PERMISSIONS.

Wietse


Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 1:49 PM, Reindl Harald wrote:

> 644 is a very bad idea ->  chown root:postfix, chmod 640


You are totally right Reindl,

I only did it momentarily, just to check the hypothesis that it was a 
permissions problem.


Thanks for your feedback.

Nick


Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 1:53 PM, Wietse Venema wrote:

> That is because you screwed up the proxy_read_maps parameter setting.


When I did all tests, I did not set ANY proxy_read_maps values (so it 
should have the default values). All the info I sent about settings of 
the proxy_read_maps parameter was hypothetical.


Nick


Re: On proxy_read_maps

2012-03-09 Thread Reindl Harald


On 09.03.2012 12:53, Nikolaos Milas wrote:
> On 9/3/2012 1:49 PM, Reindl Harald wrote:
> 
>> 644 is a very bad idea ->  chown root:postfix, chmod 640
> 
> You are totally right Reindl,
> I only did it momentarily, just to check the hypothesis that it was a 
> permissions problem

even then it is still a wrong action

do this with a openssh key and sshd will no longer use
it because permissions are too open

usually you can find out the user running the process
with ps aux (if it is running)

[root@srv-rhsoft:~]$ ps aux | grep proxy
root 14432  0.0  0.0 56   904 pts/7 S+ 13:00   0:00 grep --color proxy
postfix  30858  0.0  0.0 142820  3076 ? S Mar07   0:00 proxymap -t unix -u -o max_use=1 -o max_idle=1h





Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 2:01 PM, Reindl Harald wrote:

> even then it is still a wrong action


I've:

chown -R root:postfix /etc/postfix/

and chmod 640 to files and 750 to directories

Thanks,
Nick




Re: On proxy_read_maps

2012-03-09 Thread Reindl Harald


On 09.03.2012 12:53, Wietse Venema wrote:
> Nikolaos Milas:
>> Mar  8 20:12:01 vmail postfix/proxymap[32599]: warning: request for 
>> unapproved table: "ldap:/etc/postfix/ldap-alias-vacation.cf"
> 
> That is because you screwed up the proxy_read_maps parameter setting.
> COMMENT it OUT and THIS ERROR will go away, leaving your INCORRECT
> FILE PERMISSION problem. Then, FIX THE FILE PERMISSIONS.

his "postconf -n" does not contain "proxy_read_maps"
if you think it is not needed at all then postfix has a bug

i did the following long ago because exactly the same messages
in the error log after start using "proxy:mysql" and because
"proxymap service is not configured for table" is really clear

there is currently no magic in postfix let this work
without configure "proxy_read_maps" what the OP did not

proxy_read_maps = proxy:mysql:/etc/postfix/mysql-mynetworks.cf
 proxy:mysql:/etc/postfix/mysql-mydestination.cf
 proxy:mysql:/etc/postfix/mysql-recipients.cf
 proxy:mysql:/etc/postfix/mysql-rewritedomains.cf
 proxy:mysql:/etc/postfix/mysql-rewritesenders.cf
 proxy:mysql:/etc/postfix/mysql-transport.cf
 proxy:mysql:/etc/postfix/mysql-sender_relay_hosts.cf
 proxy:mysql:/etc/postfix/mysql-sender_relay_hosts_auth.cf
 proxy:mysql:/etc/postfix/mysql-aliases.cf
 proxy:mysql:/etc/postfix/mysql-senderaccess.cf
 proxy:mysql:/etc/postfix/mysql-spamfilter.cf
 proxy:mysql:/etc/postfix/mysql-forwarders.cf





Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 1:52 PM, Reindl Harald wrote:

> why are you not doing simply what the error-message suggests?
> add it to "proxy_read_maps", see my mail before


I understand.

The question is why postfix did not use the proxymap service 
automatically - as Wietse mentioned - when I simply added "proxy:" 
before "ldap:" (and - I clarify again - I did not set any 
proxy_read_maps value).


Nick
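
The approval rule behind the "request for unapproved table" warnings above, as an added example (not code from this thread or from Postfix): proxymap serves only the `proxy:` entries that remain after `proxy_read_maps` is expanded, and the table file must be readable by the postfix account without being world-readable. Assumptions: the function names are hypothetical, unset parameters expand to nothing instead of their built-in defaults, and uid/gid 89 for postfix is constructed.

```python
import re
import stat

# Default proxy_read_maps of Postfix 2.8.3, as quoted from `postconf -d` in the thread.
DEFAULT_PROXY_READ_MAPS = (
    "$local_recipient_maps $mydestination $virtual_alias_maps "
    "$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains "
    "$relay_recipient_maps $relay_domains $canonical_maps "
    "$sender_canonical_maps $recipient_canonical_maps $relocated_maps "
    "$transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps "
    "$smtp_generic_maps $lmtp_generic_maps"
)

# Constructed sample main.cf, modelled on settings quoted in the thread.
SAMPLE_MAIN_CF = """\
virtual_alias_maps = hash:/etc/postfix/aliases,
    proxy:ldap:/etc/postfix/ldap-alias-vacation.cf,
    proxy:ldap:/etc/postfix/ldap-aliases.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-users.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-senderaccess.cf
smtpd_recipient_restrictions = permit_mynetworks,
    check_recipient_access proxy:mysql:/etc/postfix/mysql-spamfilter.cf
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value
    return params


def expand(value, params, depth=0):
    """Expand $name, ${name} and $(name). Simplification: unset names expand to nothing."""
    if depth > 20:  # guard against reference loops
        return ""

    def sub(match):
        return expand(params.get(match.group(1) or match.group(2), ""), params, depth + 1)

    return re.sub(r"\$(?:[{(](\w+)[})]|(\w+))", sub, value)


def tokens(value):
    """Split a parameter value on commas and whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def strip_proxy(tok):
    """Remove every leading 'proxy:' so the table is named the way the log names it."""
    while tok.startswith("proxy:"):
        tok = tok[len("proxy:"):]
    return tok


def approved_tables(params):
    """Tables proxymap will serve: the proxy: entries left after expanding proxy_read_maps."""
    raw = params.get("proxy_read_maps", DEFAULT_PROXY_READ_MAPS)
    return {strip_proxy(t) for t in tokens(expand(raw, params)) if t.startswith("proxy:")}


def unapproved_tables(params):
    """Map each proxy: table that is not approved to the parameters that use it."""
    approved, missing = approved_tables(params), {}
    for name, value in params.items():
        if name == "proxy_read_maps":
            continue
        for tok in tokens(value):
            if tok.startswith("proxy:") and strip_proxy(tok) not in approved:
                missing.setdefault(strip_proxy(tok), []).append(name)
    return missing


def perm_findings(mode, uid, gid, postfix_uid, postfix_gids):
    """Judge a table file from its stat() values for the account that runs proxymap."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if uid == postfix_uid:
        readable = mode & stat.S_IRUSR
    elif gid in postfix_gids:
        readable = mode & stat.S_IRGRP
    else:
        readable = mode & stat.S_IROTH
    if not readable:
        findings.append("not readable by postfix")
    return findings


if __name__ == "__main__":
    params = parse_main_cf(SAMPLE_MAIN_CF)
    for table, users in sorted(unapproved_tables(params).items()):
        print("not approved:", "proxy:" + table, "used by", ", ".join(users))
    # Constructed ids: root is 0, postfix is uid/gid 89 in this sample.
    for label, mode, gid in (("640 root:root", 0o640, 0), ("644 root:root", 0o644, 0),
                             ("640 root:postfix", 0o640, 89)):
        print(label, "->", perm_findings(mode, 0, gid, 89, {89}) or "ok")
```

With the sample, the three LDAP tables are approved through `$virtual_alias_maps` and `$virtual_mailbox_maps` in the default, while the two MySQL tables sit in parameters the quoted 2.8.3 default does not reference and so need an explicit `proxy_read_maps` entry.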


Re: Keeping a copy of all mail, and then removing headers from outbound

2012-03-09 Thread Lars Preben Sørsdahl
>
>
> In that case, it should be safe to have the option in main.cf,
> because LMTP mail delivery uses lmtp_header_checks instead of
> smtp_header_checks.
>

Thanks, Wietse. It worked like a charm.

-- 
Lars Preben Sørsdahl
lars.preben.no


Message bounced by administrator

2012-03-09 Thread Nikolaos Milas

Hi,

Today somebody (user1, see below) sent a message from outside to our 
org. Our gateway server (Cisco Ironport C-160: mailgw.admin.noa.gr) 
received the message which had 9 recipients, of which one in an outside 
domain, one in the @astro.noa.gr domain and 7 in the @noa.gr domain. 
Those last 8 messages were forwarded to our final Postfix server (2.8.3 
on CentOS 5.7 x86_64) for delivery.


The one in the @astro.noa.gr domain (user2) was delivered fine. The other 
7 bounced with the message: "5.x.0 - Message bounced by administrator 
('000', []) ".


Note that @astro.noa.gr is not treated differently than @noa.gr, nor have we 
noticed such a problem again.


{Comment: The time difference is due to non proper time sync on Cisco 
Ironport.}


I have not seen something like this. Can somebody please provide some 
insight?


Thanks in advance,
Nick

Logs from Postfix (true usernames changed consistently):

Mar  9 04:21:36 vmail postfix/smtpd[16063]: connect from mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/smtpd[16063]: 535E4C4D1F8: client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: 535E4C4D1F8: message-id=<69717EF038E74A01B1B77103FAF50F8D@pavillion>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: 535E4C4D1F8: from=, size=19392, nrcpt=1 (queue active)
Mar  9 04:21:36 vmail postfix/pipe[16065]: 535E4C4D1F8: to=, relay=dovecot, delay=0.15, delays=0.086/0.001/0/0.058, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar  9 04:21:36 vmail postfix/qmgr[32594]: 535E4C4D1F8: removed
Mar  9 04:21:36 vmail postfix/smtpd[16069]: connect from mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/smtpd[16069]: 82EEDC4D1F8: client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: 82EEDC4D1F8: message-id=<0684c0$u...@mailgw.admin.noa.gr>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: 82EEDC4D1F8: from=<>, size=3269, nrcpt=1 (queue active)
Mar  9 04:21:36 vmail postfix/smtpd[16069]: 9EC3CC4D215: client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: 9EC3CC4D215: message-id=<0684c0$u...@mailgw.admin.noa.gr>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: 9EC3CC4D215: from=<>, size=3258, nrcpt=1 (queue active)
Mar  9 04:21:36 vmail postfix/smtpd[16069]: A8E73C4D234: client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: A8E73C4D234: message-id=<0684c0$u...@mailgw.admin.noa.gr>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: A8E73C4D234: from=<>, size=3262, nrcpt=1 (queue active)
Mar  9 04:21:36 vmail postfix/smtpd[16069]: B3145C4D264: client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: B3145C4D264: message-id=<0684c0$u...@mailgw.admin.noa.gr>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: B3145C4D264: from=<>, size=3264, nrcpt=1 (queue active)
Mar  9 04:21:36 vmail postfix/smtpd[16069]: BD551C4D266: client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: BD551C4D266: message-id=<0684c0$u...@mailgw.admin.noa.gr>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: BD551C4D266: from=<>, size=3258, nrcpt=1 (queue active)
Mar  9 04:21:36 vmail postfix/smtpd[16069]: C76D8C4D26A: client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: C76D8C4D26A: message-id=<0684c0$u...@mailgw.admin.noa.gr>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: C76D8C4D26A: from=<>, size=3264, nrcpt=1 (queue active)
Mar  9 04:21:36 vmail postfix/smtpd[16069]: D0E6CC4D27B: client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: D0E6CC4D27B: message-id=<0684c0$u...@mailgw.admin.noa.gr>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: D0E6CC4D27B: from=<>, size=3273, nrcpt=1 (queue active)
Mar  9 04:21:40 vmail postfix/smtp[16071]: 9EC3CC4D215: to=, orig_to=, relay=mx.otenet.gr[62.103.147.198]:25, delay=3.5, delays=0.024/0.006/3/0.4, dsn=2.0.0, status=sent (250 2.0.0 q292LaYj023447 Message accepted for delivery)
Mar  9 04:21:40 vmail postfix/qmgr[32594]: 9EC3CC4D215: removed
Mar  9 04:21:40 vmail postfix/smtp[16060]: 82EEDC4D1F8: to=, orig_to=, relay=mx.otenet.gr[62.103.147.198]:25, delay=3.6, delays=0.1/0.002/3.1/0.42, dsn=2.0.0, status=sent (250 2.0.0 q292LaxN023445 Message accepted for delivery)
Mar  9 04:21:40 vmail postfix/qmgr[32594]: 82EEDC4D1F8: removed
Mar  9 04:21:40 vmail postfix/smtp[16072]: A8E73C4D234: to=, orig_to=, relay=mx.otenet.gr[62.103.147.198]:25, delay=3.5, delays=0.025/0.005/3/0.41, dsn=2.0.0, status=sent (250 2.0.0 q292LaCF023449 Message accepted for delivery)
Mar  9 04:21:40 vmail postfix/qmgr[32594]: A8E73C4D234: removed
Mar  9 04:21:40 vmail postfix/smtp[16073]: B3145C4D264: to=, orig_to=, relay=mx.otenet.gr[62.103.147.198]:25, delay=3.5, delays=0.024/0.005/3/0.4, dsn=2.0.0, status=sent (250 2.0.0 q292La2Q023451 Message accepted for delivery)
Mar  9 04:21:40 vmail postfix/qmgr[32594]: B3145C4D264: removed
Mar  9 04:21:40 vma

mx bind ip

2012-03-09 Thread Nick Edwards
Hi,

I gave a secondary mx with 2 ipv4 and 2 ipv6 ip's.
I have dns'd one of each protocol for mx and ns
Trying to get postfix to play nice with mx on outbound. hostname,
mynetworks etc all setup right.
I have tried smtp_bind_address(6) but for some reason, although it
uses the correct IP,  the relays are denied for spf failure on the
main server, even though they are all permitted in spf RR, ok, evident
by fact that if I remove the option, it works again, I even downed
that IP on the box, and it relayed fine (yeah go figure) so, moved on
to inet_interfaces included 127.0.0.1  ipv4 and ipv6 addresses for mx,
but this uses the wrong ipv4 address when connecting

So, what is the preferred method for assigning the outbound IP ?
Thought about master.cf, but that will require an entry for ipv4 and
another separate for ipv6 from my reading of docs, which seems kinda
silly given sliding resources between the two protocols.


Thanks


Re: mx bind ip

2012-03-09 Thread Wietse Venema
Nick Edwards:
> I have tried smtp_bind_address(6) but for some reason, although it
> uses the correct IP,  the relays are denied for spf failure on the
> main server, even though they are all permitted in spf RR, ok, evident

So we know that Postfix sends mail with the correct IP address
but you have made some mistake with SPF, or with the configuration
of the system that incorrectly uses SPF.

What have you done to find out what the mistake is?

Wietse


Re: Message bounced by administrator

2012-03-09 Thread Reindl Harald


On 09.03.2012 15:55, Nikolaos Milas wrote:
> Hi,
> 
> Today somebody (user1, see below) sent a message from outside to our org. Our 
> gateway server (Cisco Ironport C-160:
> mailgw.admin.noa.gr) received the message which had 9 recipients, of which 
> one in an outside domain, one in the
> @astro.noa.gr domain and 7 in the @noa.gr domain. Those last 8 messages were 
> forwarded to our final Postfix server
> (2.8.3 on CentOS 5.7 x86_64) for delivery.
> 
> The one in the @astro.noa.gr domain(user2)was delivered fine. The other 7 
> bounced with the message: "5.x.0 -
> Message bounced by administrator ('000', []) "

i doubt this is not a postfix-message

additionally your postfix log does not contain anything interesting
it seems to be filtered only for lines containing the queue-id





Re: mx bind ip

2012-03-09 Thread Reindl Harald


On 09.03.2012 16:01, Nick Edwards wrote:
> Hi,
> 
> I gave a secondary mx with 2 ipv4 and 2 ipv6 ip's.
> I have dns'd one of each protocol for mx and ns
> Trying to get postfix to play nice with mx on outbound. hostname,
> mynetworks etc all setup right.
> I have tried smtp_bind_address(6) but for some reason, although it
> uses the correct IP,  the relays are denied for spf failure on the
> main server, even though they are all permitted in spf RR, ok, evident
> by fact that if I remove the option, it works again, I even downed
> that IP on the box, and it relayed fine (yeah go figure) so, moved on
> to inet_interfaces included 127.0.0.1  ipv4 and ipv6 addresses for mx,
> but this uses the wrong ipv4 address when connecting

as long you are not providing logs showing your
problem and "postconf -n" output nobody can help you

logs from both -> your relay machine and the main-server for
one specific message





[SOLVED] Strange behavior of Postfix?

2012-03-09 Thread Leslie León Sinclair
After Noel Jones tips, I check his postfix config and database in MySQL, 
and found that his mailing list domain was added, and was empty. Of 
course, Postfix is not a member of Merlin's the Magician family, empty 
domain, empty mailboxes, so, get the error slapping you in the face...


Best regards and, as always:
Thanks Wietse, Noel, and all...


Re: mx bind ip

2012-03-09 Thread Nick Edwards
On 3/10/12, Wietse Venema  wrote:
> Nick Edwards:
>> I have tried smtp_bind_address(6) but for some reason, although it
>> uses the correct IP,  the relays are denied for spf failure on the
>> main server, even though they are all permitted in spf RR, ok, evident
>
> So we know that Postfix sends mail with the correct IP address
> but you have made some mistake with SPF, or with the configuration
> of the system that incorrectly uses SPF.
>
> What have you done to find out what the mistake is?
>


As I said, I've dropped all other IP's except the mx2, so when it is
its only route out, it connects fine, but all goes up that famous
creek once I use these extra settings and I restart networking so the
other IPs are there, even the openspf.net reject message says  sender
is authorized but was rejected and it cant help why, the spf we use is
policy-spf.

Is the smtp bind address correct method? or inet_interfaces?

Nik


Re: mx bind ip

2012-03-09 Thread Nick Edwards
On 3/10/12, Reindl Harald  wrote:
>
>
> On 09.03.2012 16:01, Nick Edwards wrote:
>> Hi,
>>
>> I gave a secondary mx with 2 ipv4 and 2 ipv6 ip's.
>> I have dns'd one of each protocol for mx and ns
>> Trying to get postfix to play nice with mx on outbound. hostname,
>> mynetworks etc all setup right.
>> I have tried smtp_bind_address(6) but for some reason, although it
>> uses the correct IP,  the relays are denied for spf failure on the
>> main server, even though they are all permitted in spf RR, ok, evident
>> by fact that if I remove the option, it works again, I even downed
>> that IP on the box, and it relayed fine (yeah go figure) so, moved on
>> to inet_interfaces included 127.0.0.1  ipv4 and ipv6 addresses for mx,
>> but this uses the wrong ipv4 address when connecting
>
> as long you are not providing logs showing your
> problem and "postconf -n" output nobody can help you
>
> logs from both -> your relay machine and the main-server for
> one specific message
>
>



logs are no good because it simply says rejected (ip) spf -all method.

all other settings wont help either since the two new settings smtp
bind address and inet_interfaces are simply IP's given, as in my OP.

have to go to meeting now so ill check back in later.
ciao


Re: mx bind ip

2012-03-09 Thread Ben Rosengart
On Sat, Mar 10, 2012 at 02:19:55AM +1000, Nick Edwards wrote:
> 
> Is the smtp bind address correct method? or inet_interfaces?

smtp_bind_address is for sending, inet_interfaces for receiving.

I think you will get better help if you get down to specifics.
Post the relevant IP addresses, the SPF record, and yes, the logs.

Regards,
-- 
  Ben Rosengart   "Like all those possessing a library,
  Sendmail, Inc.   Aurelian was aware that he was guilty of
  +1 718 431 3822  not knowing his in its entirety [...]"
  -- Jorge Luis Borges

NOTICE: If received in error, please destroy and notify sender.
Sender does not waive confidentiality or privilege, and use is prohibited.


Re: mx bind ip

2012-03-09 Thread Wietse Venema
Nick Edwards:
> Is the smtp bind address correct method? or inet_interfaces?

Everybody already knows that smtp_bind_address and smtp_bind_address6
set the correct IP address for SENDING mail.

If the RECEIVING server flags an error for the correct IP address,
then THAT is the problem you need to fix.

Over and out.

Wietse


Re: mx bind ip

2012-03-09 Thread Reindl Harald


On 09.03.2012 17:23, Nick Edwards wrote:
> On 3/10/12, Reindl Harald  wrote:
>>
>>
>> On 09.03.2012 16:01, Nick Edwards wrote:
>>> Hi,
>>>
>>> I gave a secondary mx with 2 ipv4 and 2 ipv6 ip's.
>>> I have dns'd one of each protocol for mx and ns
>>> Trying to get postfix to play nice with mx on outbound. hostname,
>>> mynetworks etc all setup right.
>>> I have tried smtp_bind_address(6) but for some reason, although it
>>> uses the correct IP,  the relays are denied for spf failure on the
>>> main server, even though they are all permitted in spf RR, ok, evident
>>> by fact that if I remove the option, it works again, I even downed
>>> that IP on the box, and it relayed fine (yeah go figure) so, moved on
>>> to inet_interfaces included 127.0.0.1  ipv4 and ipv6 addresses for mx,
>>> but this uses the wrong ipv4 address when connecting
>>
>> as long you are not providing logs showing your
>> problem and "postconf -n" output nobody can help you
>>
>> logs from both -> your relay machine and the main-server for
>> one specific message
>
> logs are no good because it simply says rejected (ip) spf -all method.
> 
> all other settings wont help either since the two new settings smtp
> bind address and inet_interfaces are simply IP's given, as in my OP

logs are good because they show the connection IP!

also your SPF-records are important
do you have different SPF views (WAN/LAN)
are the SPF records on all views sane?

"smtp -o smtp_bind_address=xx" in main.cf works for sure
__

what type of entries are you using in your SPF record?
i found out that a/mx entries sometimes making troubles and since
we changed our backend to use only ip and let the backend
translate servernames automatically while generating the
zone-files i never saw a single spf-error the last 2 years

thelounge.net.  86400   IN  SPF "v=spf1 ip4:91.118.73.15 
ip4:91.118.73.20 ip4:91.118.73.17
ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30 
ip4:91.118.73.1 ip4:89.207.144.27 -all"

thelounge.net.  86400   IN  TXT "v=spf1 ip4:91.118.73.15 
ip4:91.118.73.20 ip4:91.118.73.17
ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30 
ip4:91.118.73.1 ip4:89.207.144.27 -all"
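
Added example, not part of any message in this thread: the comparison the replies ask for, taking the connecting IP from a receiving-side smtpd log line and testing it against an ip4-only SPF record of the kind posted above. The record, the log line and all function names are constructed; only unqualified ip4 terms and the final "all" term are evaluated (a, mx, include and ip6 are skipped).

```shell
#!/bin/sh
# Added example, not from the thread. Record and log line are constructed
# (documentation address ranges).

# client_ip_from_log LINE: print the IPv4 address inside [...] of a Postfix
# smtpd "connect from host[ip]" or "client=host[ip]" log entry.
client_ip_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*\[\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\].*/\1/p'
}

# ip4_to_int A.B.C.D: print the address as an integer, fail on malformed input.
ip4_to_int() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|0?*) return 1 ;;          # empty field or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# spf_ip4_check RECORD CLIENT_IP: print pass, fail, softfail, neutral or none.
# Terms are evaluated left to right; the first match decides.
spf_ip4_check() {
    case $1 in
        v=spf1|'v=spf1 '*) ;;
        *) echo none; return 0 ;;
    esac
    client=$(ip4_to_int "$2") || { echo none; return 0; }
    result=neutral                       # default when nothing matches
    set -f                               # "?all" must not be glob-expanded
    for term in $1; do
        case $term in
            ip4:*)
                net=${term#ip4:}
                len=32
                case $net in
                    */*) len=${net#*/}; net=${net%%/*} ;;
                esac
                case $len in
                    ''|*[!0-9]*) continue ;;
                esac
                [ "$len" -le 32 ] || continue
                base=$(ip4_to_int "$net") || continue
                # Two addresses share a /len network when they agree after
                # dropping the host part (32 - len low bits).
                span=$(( 1 << (32 - len) ))
                if [ $(( client / span )) -eq $(( base / span )) ]; then
                    result=pass
                    break
                fi ;;
            -all)     result=fail;     break ;;
            '~all')   result=softfail; break ;;
            '?all')   result=neutral;  break ;;
            +all|all) result=pass;     break ;;
        esac
    done
    set +f
    echo "$result"
}

# check_log_line RECORD LINE: print "<client ip> <spf result>".
check_log_line() {
    ip=$(client_ip_from_log "$2")
    echo "$ip $(spf_ip4_check "$1" "$ip")"
}

# Constructed sample input: the relay connects from .11 but only .10 is listed.
SAMPLE_RECORD='v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all'
SAMPLE_LOG='Mar 10 02:19:55 mx1 postfix/smtpd[1234]: connect from mx2.example.test[192.0.2.11]'
check_log_line "$SAMPLE_RECORD" "$SAMPLE_LOG"
```

The record must be the one the receiving server actually resolves, which matters when DNS views differ between WAN and LAN.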










Re: Message bounced by administrator

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 5:16 μμ, Reindl Harald wrote:


> i doubt this is not a postfix-message


It can't be from anywhere else (as far as I can tell). We are not 
running any filters, anti-spam or anti-virus on this Postfix server.


I haven't seen any errors on the associated ldap server (used for user 
lookups) either.


I hope Wietse can provide some more info.


> additionally your postfix log does not contain anything interesting
> it seems to be filtered only for lines containing the queue-id


I have copied the whole content from the maillog regarding the handling 
of this message. I have not filtered anything out.


Thanks,
Nick


Re: Message bounced by administrator

2012-03-09 Thread /dev/rob0
On Fri, Mar 09, 2012 at 06:35:58PM +0200, Nikolaos Milas wrote:
> On 9/3/2012 5:16, Reindl Harald wrote:
> 
> >i doubt this is not a postfix-message
> 
> It can't be from anywhere else (as far as I can tell).

You said it was Ironport.

> We are not running any filters, anti-spam or anti-virus on
> this Postfix server.
> 
> I haven't seen any errors on the associated ldap server (used
> for user lookups) either.
> 
> I hope Wietse can provide some more info.
> 
> >additionally your postfix log does not contain anything 
> >interesting

This part is true.

> >it seems to be filtered only for lines containing
> >the queue-id
> 
> I have copied the whole content from the maillog regarding the
> handling of this message. I have not filtered anything out.

Indeed, you have pasted a complete log which shows no problem in 
Postfix. The bounces came from outside, not generated by Postfix. 
Your issue is outside Postfix.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Message bounced by administrator

2012-03-09 Thread Reindl Harald


Am 09.03.2012 17:35, schrieb Nikolaos Milas:
> On 9/3/2012 5:16 μμ, Reindl Harald wrote:
> 
>> i doubt this is not a postfix-message
> 
> It can't be from anywhere else (as far as I can tell). We are not running any 
> filters, 
> anti-spam or anti-virus on this Postfix server.

Mar  9 04:21:36 vmail postfix/smtpd[16063]: connect from 
mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/smtpd[16063]: 535E4C4D1F8: 
client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: 535E4C4D1F8: 
message-id=<69717EF038E74A01B1B77103FAF50F8D@pavillion>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: 535E4C4D1F8: from=, 
size=19392, nrcpt=1 (queue active)
Mar  9 04:21:36 vmail postfix/pipe[16065]: 535E4C4D1F8: 
to=, relay=dovecot, delay=0.15,
delays=0.086/0.001/0/0.058, dsn=2.0.0, status=sent (delivered via dovecot 
service)

shows clearly that the message was received and given to dovecot
after that something must happen

Mar  9 04:21:36 vmail postfix/smtpd[16069]: C76D8C4D26A: 
client=mailgw.admin.noa.gr[195.251.204.12]
Mar  9 04:21:36 vmail postfix/cleanup[16059]: C76D8C4D26A: 
message-id=<0684c0$u...@mailgw.admin.noa.gr>
Mar  9 04:21:36 vmail postfix/qmgr[32594]: C76D8C4D26A: from=<>, size=3264, 
nrcpt=1 (queue active)

shows that the bounces are from "mailgw.admin.noa.gr[195.251.204.12]"
you should search the logs there - the machine "vmail" is not responsible

for me it sounds like dovecot is responsible for them after
accepted the messages, sent the bounces to 195.251.204.12
(no idea why - depends on config) and from there they
was simply relayed back to "vmail"

>> additionally your postfix log does not contain anything interesting
>> it seems to be filtered only for lines containing the queue-id
> 
> I have copied the whole content from the maillog regarding the handling of 
> this 
> message. I have not filtered anything out

but there is no single REJECT line or as mentioned above you are
searching in the wrong machines logs, so this machine did not
generate/trigger any bounce






Re: Message bounced by administrator

2012-03-09 Thread Wietse Venema
Nikolaos Milas:
> I hope Wietse can provide some more info.

Negative. The mail is rejected by a non-Postfix machine.

Wietse


Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 2:07 μμ, Nikolaos Milas wrote:


> I've:
>
> chown -R root:postfix /etc/postfix/
>
> and chmod 640 to files and 750 to directories


Since I did this, I get the error:

Mar  9 21:23:53 vmail postfix/sendmail[1752]: fatal: open 
/etc/postfix/main.cf: Permission denied


# ls -la /etc/postfix/main.cf
-rw-r----- 1 root postfix 32806 Mar  8 20:11 /etc/postfix/main.cf

What do I have to do to get sendmail (i.e. sendmail.postfix) running 
correctly?


Thanks,
Nick


Re: On proxy_read_maps

2012-03-09 Thread Reindl Harald


Am 09.03.2012 20:28, schrieb Nikolaos Milas:
> On 9/3/2012 2:07 μμ, Nikolaos Milas wrote:
> 
>> I've:
>>
>> chown -R root:postfix /etc/postfix/
>>
>> and chmod 640 to files and 750 to directories 
> 
> Since I did this, I get the error:
> 
> Mar  9 21:23:53 vmail postfix/sendmail[1752]: fatal: open 
> /etc/postfix/main.cf: Permission denied
> 
> # ls -la /etc/postfix/main.cf
> -rw-r----- 1 root postfix 32806 Mar  8 20:11 /etc/postfix/main.cf
> 
> What do I have to do to get sendmail (i.e. sendmail.postfix) running 
> correctly?

/etc/postfix -> 755

main-configuration which usually do not contain configuration
should have 644 because "sendmail" is running as the user who
starts it

this is exactly the reason for proxy maps (beside better
connection handling)

sensible configuration files containing passwords needs
only postfix-group-permissions and are not readable by
other users while "sendmail" is talking to proxymap
process and so have access to the full configuration

-rw-r--r-- 1 root root     21K 2012-02-22 19:40 access
-rw-r--r-- 1 root root    5,1K 2011-04-17 23:03 canonical
-rw-r--r-- 1 root root    9,7K 2012-02-22 19:40 generic
-rw-r--r-- 1 root root     22K 2012-02-22 19:40 header_checks
-rw-r--r-- 1 root root    6,7K 2012-02-22 19:40 relocated
-rw-r--r-- 1 root root     13K 2012-02-22 19:40 transport
-rw-r--r-- 1 root root     13K 2012-02-22 19:40 virtual
-rw-r--r-- 1 root root    4,0K 2009-08-15 21:43 bounce.cf
-rw-r--r-- 1 root root    8,6K 2012-02-22 20:10 main.cf
-rw-r--r-- 1 root root    4,2K 2011-06-11 14:01 master.cf
-rw-r----- 1 root postfix  198 2011-04-27 18:51 mysql-aliases.cf
-rw-r----- 1 root postfix  297 2011-05-28 18:37 mysql-forwarders.cf
-rw-r----- 1 root postfix  204 2011-04-27 18:52 mysql-mydestination.cf
-rw-r----- 1 root postfix  198 2011-04-27 18:42 mysql-mynetworks.cf
-rw-r----- 1 root postfix  199 2011-04-27 18:52 mysql-recipients.cf
-rw-r----- 1 root postfix  466 2011-04-27 18:52 mysql-rewritedomains.cf
-rw-r----- 1 root postfix  206 2011-04-27 18:53 mysql-rewritesenders.cf
-rw-r----- 1 root postfix  330 2011-04-27 18:53 mysql-senderaccess.cf
-rw-r----- 1 root postfix  368 2011-05-13 00:49 mysql-sender_relay_hosts_auth.cf
-rw-r----- 1 root postfix  205 2011-04-27 18:53 mysql-sender_relay_hosts.cf
-rw-r----- 1 root postfix  201 2011-04-27 18:53 mysql-spamfilter.cf
-rw-r----- 1 root postfix  490 2011-04-27 18:54 mysql-transport-backup-dbmail.cf
-rw-r----- 1 root postfix  265 2011-04-27 18:54 mysql-transport.cf








Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 9:28 μμ, Nikolaos Milas wrote:


> Since I did this, I get the error:
>
> Mar  9 21:23:53 vmail postfix/sendmail[1752]: fatal: open
> /etc/postfix/main.cf: Permission denied
>
> ...
>
> What do I have to do to get sendmail (i.e. sendmail.postfix) running
> correctly?


Note: these errors come from the web mail app, when trying to send mail. 
It's squirrelmail.


I tried raising permissions level to main.cf but it still didn't work. 
With every attempt to send mail from the web interface, I get the above 
error.


I'm getting confused...

Any hint will be appreciated.

Nick


Re: On proxy_read_maps

2012-03-09 Thread Nikolaos Milas

On 9/3/2012 9:59 μμ, Reindl Harald wrote:


> /etc/postfix ->  755


Thank you! You saved me from a very bad headache.

Obviously this was the main cause. I found that /etc/postfix was 750.

Thanks also for the absolutely valuable details on permissions. I 
followed your advice.


I'll now manage to sleep today (hopefully)...

Nick


Re: On proxy_read_maps

2012-03-09 Thread Reindl Harald


Am 09.03.2012 21:01, schrieb Nikolaos Milas:
> On 9/3/2012 9:28 μμ, Nikolaos Milas wrote:
> 
>> Since I did this, I get the error:
>>
>> Mar  9 21:23:53 vmail postfix/sendmail[1752]: fatal: open 
>> /etc/postfix/main.cf: Permission denied
>>
>> ...
>>
>> What do I have to do to get sendmail (i.e. sendmail.postfix) running 
>> correctly? 
> 
> Note: these errors come from the web mail app, when trying to send mail. It's 
> squirrelmail.
> 
> I tried raising permissions level to main.cf but it still didn't work. With 
> every attempt to send mail from the web
> interface, I get the above error.
> 
> I'm getting confused...
> Any hint will be appreciated

why do you not read my last answer and look at my posted permissions
this dir-listing is from a long running production server

* /etc/postfix -> root:root -> 755
* base-configuration -> root:root -> 644
* proxymap-files -> root:postfix -> 640

-rw-r--r-- 1 root root     21K 2012-02-22 19:40 access
-rw-r--r-- 1 root root    5,1K 2011-04-17 23:03 canonical
-rw-r--r-- 1 root root    9,7K 2012-02-22 19:40 generic
-rw-r--r-- 1 root root     22K 2012-02-22 19:40 header_checks
-rw-r--r-- 1 root root    6,7K 2012-02-22 19:40 relocated
-rw-r--r-- 1 root root     13K 2012-02-22 19:40 transport
-rw-r--r-- 1 root root     13K 2012-02-22 19:40 virtual
-rw-r--r-- 1 root root    4,0K 2009-08-15 21:43 bounce.cf
-rw-r--r-- 1 root root    8,6K 2012-02-22 20:10 main.cf
-rw-r--r-- 1 root root    4,2K 2011-06-11 14:01 master.cf
-rw-r----- 1 root postfix  198 2011-04-27 18:51 mysql-aliases.cf
-rw-r----- 1 root postfix  297 2011-05-28 18:37 mysql-forwarders.cf
-rw-r----- 1 root postfix  204 2011-04-27 18:52 mysql-mydestination.cf
-rw-r----- 1 root postfix  198 2011-04-27 18:42 mysql-mynetworks.cf
-rw-r----- 1 root postfix  199 2011-04-27 18:52 mysql-recipients.cf
-rw-r----- 1 root postfix  466 2011-04-27 18:52 mysql-rewritedomains.cf
-rw-r----- 1 root postfix  206 2011-04-27 18:53 mysql-rewritesenders.cf
-rw-r----- 1 root postfix  330 2011-04-27 18:53 mysql-senderaccess.cf
-rw-r----- 1 root postfix  368 2011-05-13 00:49 mysql-sender_relay_hosts_auth.cf
-rw-r----- 1 root postfix  205 2011-04-27 18:53 mysql-sender_relay_hosts.cf
-rw-r----- 1 root postfix  201 2011-04-27 18:53 mysql-spamfilter.cf
-rw-r----- 1 root postfix  490 2011-04-27 18:54 mysql-transport-backup-dbmail.cf
-rw-r----- 1 root postfix  265 2011-04-27 18:54 mysql-transport.cf
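
Added example, not part of any message in this thread: a check of a Postfix configuration directory against the layout listed above (directory 755, main.cf and master.cf 644, credential-bearing lookup-table files not readable by others). The function names and the sample tree are constructed, and it is an assumption of this sketch that a credential file is recognised by a "password =" (mysql table) or "bind_pw =" (LDAP table) line.

```shell
#!/bin/sh
# Added example, not from the thread. Audits permission bits only; group
# ownership (root:postfix on the 640 files) still has to be set with chown.

# has_bits PATH OCTAL: true when every permission bit in OCTAL is set on PATH.
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# holds_credentials FILE: true when FILE has a mysql "password" or LDAP
# "bind_pw" setting (assumed marker for a file that must stay private).
holds_credentials() {
    grep -Eq '^[[:space:]]*(password|bind_pw)[[:space:]]*=' "$1"
}

# audit_postfix_perms DIR: print one "FAIL ..." line per finding.
audit_postfix_perms() {
    dir=$1
    # sendmail(1) runs as the invoking user, so the directory needs o+rx ...
    if ! has_bits "$dir" 0005; then
        echo "FAIL $dir: no r-x for others, sendmail run by a normal user cannot open main.cf"
    fi
    # ... and the base configuration needs o+r.
    for f in "$dir/main.cf" "$dir/master.cf"; do
        [ -f "$f" ] || continue
        if ! has_bits "$f" 0004; then
            echo "FAIL $f: not readable by others"
        fi
    done
    # Files with passwords are only for the postfix group (served via proxymap).
    for f in "$dir"/*.cf; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            main.cf|master.cf) continue ;;
        esac
        holds_credentials "$f" || continue
        if has_bits "$f" 0004 || has_bits "$f" 0002; then
            echo "FAIL $f: holds credentials but is accessible to others"
        fi
    done
}

# apply_thread_layout DIR: set the modes listed in the thread.
apply_thread_layout() {
    chmod 755 "$1"
    chmod 644 "$1/main.cf" "$1/master.cf"
    for f in "$1"/*.cf; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            main.cf|master.cf) continue ;;
        esac
        holds_credentials "$f" || continue
        chmod 640 "$f"
    done
}

# make_sample_tree: build a constructed directory with the mistakes from the
# thread (directory 750, main.cf 640) plus one exposed password file.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    printf 'myhostname = mail.example.test\n' > "$t/main.cf"
    printf '# constructed master.cf\n' > "$t/master.cf"
    printf 'user = postfix\npassword = constructed-placeholder\n' > "$t/mysql-aliases.cf"
    printf 'bind_dn = cn=postfix,dc=example,dc=test\nbind_pw = constructed-placeholder\n' > "$t/ldap-users.cf"
    chmod 640 "$t/main.cf" "$t/ldap-users.cf"
    chmod 644 "$t/master.cf" "$t/mysql-aliases.cf"
    chmod 750 "$t"
    echo "$t"
}

sample=$(make_sample_tree)
echo "as found:"
audit_postfix_perms "$sample"
apply_thread_layout "$sample"
echo "after applying the layout:"
audit_postfix_perms "$sample"
rm -rf "$sample"
```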





Re: On proxy_read_maps

2012-03-09 Thread Reindl Harald


Am 09.03.2012 21:18, schrieb Nikolaos Milas:
> On 9/3/2012 9:59 μμ, Reindl Harald wrote:
> 
>> /etc/postfix ->  755
> 
> Thank you! You saved me from a very bad headache.

no problem

> Obviously this was the main cause. I found that /etc/postfix was 750.
> Thanks also for the absolutely valuable details on permissions. I followed 
> your advice.

keep in mind that after config/permission-changes and updates
a hard restart of the mailservices is often a good idea

some long living process otherwise may still run
and possible problems get triggered delayed

the same happens as example if you upgrade dovecot
without restart - the service may run for a very
long time until new worker processes are started
noticing that running master-process has a
different version - happened on the test-machine
of my co-worker a hour after upgrade :-)

> I'll now manage to sleep today (hopefully)...

good night





WHY??>> Subject: Subject:

2012-03-09 Thread Ctdi Unix
Has anyone ever seen this ...when I type mail at the shell prompt, I
get Subject: Subject: like there is two of something running??


/tmp=>id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
/tmp=>mail freddy
Subject: Subject: test
test
.
Cc:
/tmp=>exit
/tmp/=>id
uid=500(user) gid=500(user) groups=500(user)
/tmp=>mail freddy
Subject: Subject: test
test
.
Cc:
/tmp/=>


Re: WHY??>> Subject: Subject:

2012-03-09 Thread Larry Stone

On Fri, 9 Mar 2012, Ctdi Unix wrote:


> Has anyone ever seen this ...when I type mail at the shell prompt, I
> get Subject: Subject: like there is two of something running??


The shell mail command is not part of Postfix. This problem does not 
appear to be related to Postfix in any manner.


-- Larry Stone
   lston...@stonejongleux.com


Re: WHY??>> Subject: Subject:

2012-03-09 Thread Wietse Venema
Ctdi Unix:
> Has anyone ever seen this ...when I type mail at the shell prompt, I
> get Subject: Subject: like there is two of something running??
> 
> 
> /tmp=>id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> /tmp=>mail freddy
> Subject: Subject: test
> test
> .
> Cc:
> /tmp=>exit

It may be worthwhile to look at /etc/mail.rc or ~/.mailrc
for mis-typed commands in there.

Wietse


Re: mx bind ip

2012-03-09 Thread Nick Edwards
On 3/10/12, Wietse Venema  wrote:
> Nick Edwards:
>> Is the smtp bind address correct method? or inet_interfaces?
>
> Everybody already knows that smtp_bind_address and smtp_bind_address6
> set the correct IP address for SENDING mail.
>
> If the RECEIVING server flags an error for the correct IP address,
> then THAT is the problem you need to fix.
>

thanks, and not everybody knows it, given by half the google responses
I've read, including some from zimbra :->


> Over and out.
>
Yes, now I have clarification, I will post followup once I get back to
work and nut out the issue, it is now time for bed :->


Clever Virtual Mail Hosting Web Manager

2012-03-09 Thread Romans Malinovskis

Hi list

Probably quite a few of you are running virtual domain hosting 
http://www.postfix.org/VIRTUAL_README.html. I have started with similar setup, 
but then I merged all tables into one to make management simpler. Unfortunately 
there wasn’t any web admin for managing such a set-up so I wrote one myself in 
PHP / Agile Toolkit. As it might be useful to others, I’m sharing it here:

https://github.com/romaninsh/Agile-Postfix-Admin


Features:
 - create mailboxes, redirects, aliases
 - supports several access levels 0=single user, 9=domain access, 99=all domains
 - simple to install, very small code footprint (all logic in 160 lines of PHP)
 - searching, filtering by domain
 - postfix and courier sample config included

Feel free to use the tool. PHP5.3 required. You are welcome to contribute any 
fixes back by forking me on github. Installation instructions are in README 
file.

Regards,
Romans.

NOTE: This is beta version and it stores passwords in clear text in the 
database. I will add encryption in the further releases. 

Re: Clever Virtual Mail Hosting Web Manager

2012-03-09 Thread Romans Malinovskis
I must have mentioned that the demo is running here:

http://postfixadmin.agiletoolkit.org

Have a nice weekend everyone.

> Hi list
> 
> Probably quite a few of you are running virtual domain hosting 
> http://www.postfix.org/VIRTUAL_README.html. I have started with similar 
> setup, but then I merged all tables into one to make management simpler. 
> Unfortunately there wasn’t any web admin for managing such a set-up so I 
> wrote one myself in PHP / Agile Toolkit. As it might be useful to others, I’m 
> sharing it here:
> 
> https://github.com/romaninsh/Agile-Postfix-Admin
> 
> 
> Features:
>  - create mailboxes, redirects, aliases
>  - supports several access levels 0=single user, 9=domain access, 99=all 
> domains
>  - simple to install, very small code footprint (all logic in 160 lines of 
> PHP)
>  - searching, filtering by domain
>  - postfix and courier sample config included
> 
> Feel free to use the tool. PHP5.3 required. You are welcome to contribute any 
> fixes back by forking me on github. Installation instructions are in README 
> file.
> 
> Regards,
> Romans.
> 
> NOTE: This is beta version and it stores passwords in clear text in the 
> database. I will add encryption in the further releases. 



Re: mx bind ip

2012-03-09 Thread Nick Edwards
On 3/10/12, Reindl Harald  wrote:
>
>
> Am 09.03.2012 17:23, schrieb Nick Edwards:
>> On 3/10/12, Reindl Harald  wrote:
>>>
>>>
>>
>> logs are no good because it simply says rejected (ip) spf -all method.
>>
>> all other settings wont help either since the two new settings smtp
>> bind address and inet_interfaces are simply IP's given, as in my OP
>
> logs are good because they show the connection IP!
>
> also you SPF-records are important
> do you have different SPF views (WAN/LAN)
> are the SPF records on all views sane?
>
> "smtp -o smtp_bind_address=xx" in main.cf works for sure

> __
>
> what type of entries are you using in your SPF record?
> i found out that a/mx entries sometimes making troubles and since
> we changed our backend to use only ip and let the backend
> translate servernames automatically whle generating the
> zone-files i never saw a single spf-error the last 2 years

SPF is setup correctly, I've been setting up SPF for  a great many
years , even back in the old qmail days, I know our SPF records are
perfect (I am no newbie to mail systems, just not 100% expert in
postfix)

> thelounge.net.  86400   IN  SPF "v=spf1 ip4:91.118.73.15
> ip4:91.118.73.20 ip4:91.118.73.17
> ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30
> ip4:91.118.73.1 ip4:89.207.144.27 -all"
>
> thelounge.net.  86400   IN  TXT "v=spf1 ip4:91.118.73.15
> ip4:91.118.73.20 ip4:91.118.73.17
> ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30
> ip4:91.118.73.1 ip4:89.207.144.27 -all"
>
>

yes but I also include  'mx' and I never use 'a' or ptr, they are
IMHO too wide, BTW, I hope you also use spf2.0 settings as well, makes
it easier to get higher confidence level in sending to
hotmail/live.com :->

Given what Wietse has said, I am tending more towards spfpolicy.pl on
master, but I'm too tired and it's late, so I'll investigate more
after some sleep.

Nik


"unused parameter" warnings with postfix 2.9.1

2012-03-09 Thread Reindl Harald
i recently upgraded my test-vm to Fedora 16
the following messages appear in the syslog (with Fedora 15 they was not there)
why they are unused and why they are not in /var/log/maillog?


Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
/etc/postfix/main.cf: unused parameter:
barracuda_smtpd_recipient_restrictions=check_policy_service 
unix:/var/spool/postfix/dbmail-postfix-policyd/socket
permit_mynetworks reject

Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
/etc/postfix/main.cf: unused parameter:
lmtp_max_idle=600

Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
/etc/postfix/main.cf: unused parameter:
smtp_tls_received_header=yes

Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
/etc/postfix/main.cf: unused parameter:
smtpd_tls_cipherlist=HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
/etc/postfix/main.cf: unused parameter:
barracuda_smtpd_recipient_restrictions=check_policy_service 
unix:/var/spool/postfix/dbmail-postfix-policyd/socket
permit_mynetworks reject





Re: "unused parameter" warnings with postfix 2.9.1

2012-03-09 Thread Wietse Venema
Reindl Harald:
> i recently upgraded my test-vm to Fedora 16
> the following messages appear in the syslog (with Fedora 15 they was not 
> there)
> why they are unused

Because they are not used. For example, smtpd_tls_cipherlist
does not exist, and barracuda_smtpd_recipient_restrictions
also does not exist. Likewise for smtp_tls_received_header.

I added these checks because it is easy to mis-type a name
and then people wonder why it does not work.

> and why they are not in /var/log/maillog?

Because postconf, like postcat, sends error messages to stderr only.
The latter is intentional, but the former may be an oversight. It
has never been reported before.

Wietse

> 
> Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
> /etc/postfix/main.cf: unused parameter:
> barracuda_smtpd_recipient_restrictions=check_policy_service 
> unix:/var/spool/postfix/dbmail-postfix-policyd/socket
> permit_mynetworks reject
> 
> Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
> /etc/postfix/main.cf: unused parameter:
> lmtp_max_idle=600
> 
> Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
> /etc/postfix/main.cf: unused parameter:
> smtp_tls_received_header=yes
> 
> Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
> /etc/postfix/main.cf: unused parameter:
> smtpd_tls_cipherlist=HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
> 
> Mar 10 02:16:45 testserver postfix[1935]: /usr/sbin/postconf: warning: 
> /etc/postfix/main.cf: unused parameter:
> barracuda_smtpd_recipient_restrictions=check_policy_service 
> unix:/var/spool/postfix/dbmail-postfix-policyd/socket
> permit_mynetworks reject
> 
-- End of PGP section, PGP failed!


Re: "unused parameter" warnings with postfix 2.9.1

2012-03-09 Thread Reindl Harald


Am 10.03.2012 02:35, schrieb Wietse Venema:
> Because they are not used. For example, smtpd_tls_cipherlist
> does not exist

ok, got an old documentation i assume

> and barracuda_smtpd_recipient_restrictions
> also does not exist. 

was mentioned by you because "permit_mynetworks, reject"
does not work in "master.cf"

10.0.0.15:10026   inet   n   -   n   -   -   smtpd
 -o mynetworks=10.0.0.20
 -o smtpd_client_connection_count_limit=75
 -o smtpd_recipient_restrictions=$barracuda_smtpd_recipient_restrictions

> Because postconf, like postcat, sends error messages to stderr only.
> The latter is intentional, but the former may be an oversight. It
> has never been reported before.

as said - i never saw this warnings on Fedora 15 with the same config
and also postfix 2.9.1 - the last hours upgraded to Fedora 16
and wondered why there are postfix warnings in /var/log/messages
while /var/log/maillog has only the usual startup lines





Re: mx bind ip

2012-03-09 Thread Noel Butler
On Sat, 2012-03-10 at 11:08 +1000, Nick Edwards wrote:

> On 3/10/12, Reindl Harald  wrote:

> > what type of entries are you using in your SPF record?
> > i found out that a/mx entries sometimes making troubles and since
> > we changed our backend to use only ip and let the backend
> > translate servernames automatically whle generating the
> > zone-files i never saw a single spf-error the last 2 years
> 


Good advice on not using A (for many reasons), though I've never seen a
problem with MX myself.


> SPF is setup correctly, I've been setting up SPF for  a great many
> years , even back in the old qmail days, I know our SPF records are



When did you add these extra IP's? Recently?
What is the actual connecting IP type to the master, IPv4, or IPv6?
Does your primary mail server query a server that uses DNS views?
Are you perchance using another DNS server in your tests that your
primary mail server is not?

You've been asked by others to supply actual details, if you don't want
to make them public, try sending offlist, we can sit here for the next 6
months playing guessing games, if someone other than you has factual
live information, they can perhaps run live tests using their DNS etc,
kinda like a look at it with fresh eyes.



> Given what Wietse has said, I am tending more towards spfpolicy.pl on
> master, but I'm too tired and it's late, so I'll investigate more
> after some sleep.
> 


poppy, unless you have modified it (read as totally fscked it up)






Re: "unused parameter" warnings with postfix 2.9.1

2012-03-09 Thread Wietse Venema
Reindl Harald:
> Am 10.03.2012 02:35, schrieb Wietse Venema:
> > Because they are not used. For example, smtpd_tls_cipherlist
> > does not exist
> 
> ok, got an old documentation i assume

Nope, then there would be a backwards compatibility feature.

> 10.0.0.15:10026   inet   n   -   n   -   -   smtpd
>  -o mynetworks=10.0.0.20
>  -o smtpd_client_connection_count_limit=75
>  -o smtpd_recipient_restrictions=$barracuda_smtpd_recipient_restrictions

When I put the above in master.cf, and define
barracuda_smtpd_recipient_restrictions=whatever in main.cf, then
postconf does not complain about barracuda_smtpd_recipient_restrictions
so you must be making some mistake.

Wietse


Re: centos 5 postfix rpms?

2012-03-09 Thread The_Ace
On Thu, Mar 8, 2012 at 12:32 PM, Nikolaos Milas  wrote:

> On 8/3/2012 6:40 πμ, Eero Volotinen wrote:
>
>  What is the best / reliable site to find newer postfix rpm packages
>> for centos 5 / rhel 5? by default it ships postfix 2.3.x and it's a
>> bit antique version.
>>
>>
> Hi Eero,
>
> These are considered fine:
> http://postfix.wl0.org/en/available-packages/,
> yet they diverge from standard (include VDA patch and possibly more
> non-standard options). But you can download the src.rpm and build RPMs
> yourself disabling any undesired options (see directions:
> http://postfix.wl0.org/en/building-rpms/
> ).
>
> Other SRPMs I know:
> http://www.kutukupret.com/downloads-page/
> http://www.invoca.ch/pub/packages/postfix/RPMS/ils-5/SRPMS/
>
> Until now, I have not been able to find ready-made CentOS Postfix RPMs
> with standard-only options.
>
> You could also compile from source as described here:
> http://stevejenkins.com/blog/2011/01/building-postfix-2-8-on-rhel5-centos-5-from-source/
>
> I currently use the latter methodology since a year or so on a number of
> systems and it works fine.
>
> However, if someone can point to ready-made RPMs with standard-only
> options, I would be interested as well, as building from source does not
> scale well.
>
> Note that this has been discussed again in this list. See for example:
> http://www.mailinglistarchive.com/html/postfix-users@postfix.org/2011-10/msg00094.html
>
> Best regards,
> Nick
>


CentALT repos http://centos.alt.ru/ has Postfix 2.9.1
http://centos.alt.ru/repository/centos/readme.txt

Regards,
Mihira.
-- 
The mysteries of the Universe are revealed when you break stuff.


Re: centos 5 postfix rpms?

2012-03-09 Thread ml
Le samedi 10 mars 2012 à 09:28 +0530, The_Ace a écrit :
> On Thu, Mar 8, 2012 at 12:32 PM, Nikolaos Milas  wrote:
> On 8/3/2012 6:40 πμ, Eero Volotinen wrote:
> 
> What is the best / reliable site to find newer postfix
> rpm packages
> for centos 5 / rhel 5? by default it ships postfix
> 2.3.x and it's a
> bit antique version.
> 
> 
> 
> Hi Eero,
> 
> These are considered fine:
> http://postfix.wl0.org/en/available-packages/, yet they
> diverge from standard (include VDA patch and possibly more
> non-standard options). But you can download the src.rpm and
> build RPMs yourself disabling any undesired options (see
> directions: http://postfix.wl0.org/en/building-rpms/).
> 
> Other SRPMs I know:
> http://www.kutukupret.com/downloads-page/
> http://www.invoca.ch/pub/packages/postfix/RPMS/ils-5/SRPMS/
> 
> Until now, I have not been able to find ready-made CentOS
> Postfix RPMs with standard-only options.
> 
> You could also compile from source as described here:
> 
> http://stevejenkins.com/blog/2011/01/building-postfix-2-8-on-rhel5-centos-5-from-source/
> 
> I currently use the latter methodology since a year or so on a
> number of systems and it works fine.
> 
> However, if someone can point to ready-made RPMs with
> standard-only options, I would be interested as well, as
> building from source does not scale well.
> 
> Note that this has been discussed again in this list. See for
> example:
> 
> http://www.mailinglistarchive.com/html/postfix-users@postfix.org/2011-10/msg00094.html
> 
> Best regards,
> Nick
> 
> 
> CentSLT repos http://centos.alt.ru/ has Postfix 2.9.1
> http://centos.alt.ru/repository/centos/readme.txt
> 
> Regards,
> Mihira.
> -- 
> The mysteries of the Universe are revealed when you break stuff.
> 

build the antique spec for postfix rpm it is easy in reading the doc
and other

centosalt its poor repo
do not use

maybe build own rpm -s

watch my doc for centos 5

http://ns.fakessh.eu/rpms/

-- 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC2626742
 gpg --keyserver pgp.mit.edu --recv-key C2626742

 http://urlshort.eu fakessh @
 http://gplus.to/sshfake
 http://gplus.to/sshswilting
 http://gplus.to/john.swilting
 https://lists.fakessh.eu/mailman/
 This list is moderated by me, but all applications will be accepted
 provided they receive a note of presentation




Re: centos 5 postfix rpms?

2012-03-09 Thread The_Ace
2012/3/10 ml 

> Le samedi 10 mars 2012 à 09:28 +0530, The_Ace a écrit :
> > On Thu, Mar 8, 2012 at 12:32 PM, Nikolaos Milas  wrote:
> > On 8/3/2012 6:40 πμ, Eero Volotinen wrote:
> >
> > What is the best / reliable site to find newer postfix
> > rpm packages
> > for centos 5 / rhel 5? by default it ships postfix
> > 2.3.x and it's a
> > bit antique version.
> >
> >
> >
> > Hi Eero,
> >
> > These are considered fine:
> > http://postfix.wl0.org/en/available-packages/, yet they
> > diverge from standard (include VDA patch and possibly more
> > non-standard options). But you can download the src.rpm and
> > build RPMs yourself disabling any undesired options (see
> > directions: http://postfix.wl0.org/en/building-rpms/).
> >
> > Other SRPMs I know:
> > http://www.kutukupret.com/downloads-page/
> > http://www.invoca.ch/pub/packages/postfix/RPMS/ils-5/SRPMS/
> >
> > Until now, I have not been able to find ready-made CentOS
> > Postfix RPMs with standard-only options.
> >
> > You could also compile from source as described here:
> >
> http://stevejenkins.com/blog/2011/01/building-postfix-2-8-on-rhel5-centos-5-from-source/
> >
> > I currently use the latter methodology since a year or so on a
> > number of systems and it works fine.
> >
> > However, if someone can point to ready-made RPMs with
> > standard-only options, I would be interested as well, as
> > building from source does not scale well.
> >
> > Note that this has been discussed again in this list. See for
> > example:
> >
> http://www.mailinglistarchive.com/html/postfix-users@postfix.org/2011-10/msg00094.html
> >
> > Best regards,
> > Nick
> >
> >
> > CentALT repos http://centos.alt.ru/ has Postfix 2.9.1
> > http://centos.alt.ru/repository/centos/readme.txt
> >
> > Regards,
> > Mihira.
> > --
> > The mysteries of the Universe are revealed when you break stuff.
> >
>
> build the antique spec for postfix rpm it is easy in reading the doc
> and other
>
> centosalt its poor repo
> do not use
>
> maybe build own rpm -s
>
> watch my doc for centos 5
>
> http://ns.fakessh.eu/rpms/
>
> --


Oh. What's wrong with centalt repos?

Mihira.


LoadShared Failover

2012-03-09 Thread Michael Maymann
Hi List,

I would like to set up a LoadShared Failover internal mail-relay solution
(only for sending mail internal->external).

My thoughts:
- Set up virtual+physical server in same VLAN (different physical locations)
with same OS+Postfix+config
- Configure DNS RoundRobin
- Have logging from both servers pointing to same NFS-dir and have awstats
create statistics from there
Internal traffic:
- Requests would all be received on RoundRobin_IP, and therefore LoadShared
between the servers
- Answers would all be sent through Server_IP
External traffic:
- All traffic is done through Server_IP

1. Are the clients OK with answers coming from a different IP than the one they sent to
(or how do I prevent this from disrupting client<->server communication
- some Postfix/other magic?)

2. What happens if one of my servers dies? Will RoundRobin still try to
send traffic to it, and if so, how will clients react to this?

3. Would Bonding be a better solution for my purpose ?

4. Is there already a RHEL6 howto somewhere, that you can recommend ?

5. What is best practice ?


Thanks in advance :-) !
~maymann