How to handle local mail when throttling?

2012-06-13 Thread Adrian Gibanel

I have setup a throttling postfix based on http://flurdy.com/docs/postfix/ and 
http://tech.groups.yahoo.com/group/postfix-users/message/271370 . 
In the virtual domains tables I have: localhost, localhost.localdomain and 
my.domain.com . 

transport:

hotmail.com hotmailratelimit:
yahoo.com yahooratelimit:

main.cf: (I was suggested to post the postconf -n output instead)

alias_database = hash:/etc/postfix/aliases 
alias_maps = hash:/etc/postfix/aliases 
append_dot_mydomain = no 
biff = no 
broken_sasl_auth_clients = yes 
config_directory = /etc/postfix 
default_destination_rate_delay = 15s 
delay_warning_time = 4h 
disable_vrfy_command = yes 
inet_interfaces = all 
mailbox_command = 
mailbox_size_limit = 0 
maximal_backoff_time = 8000s 
maximal_queue_lifetime = 3d 
minimal_backoff_time = 1000s 
mydestination = 
myhostname = my.domain.com 
mynetworks = 1.2.3.4/32 
myorigin = my.domain.com 
readme_directory = no 
recipient_delimiter = + 
relay_domains = 
relayhost = 
smtp_helo_timeout = 60s 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache 
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) 
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
  reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
  reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
  reject_non_fqdn_recipient, reject_unknown_recipient_domain,
  reject_unauth_destination, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject
  reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining,
  permit
smtpd_soft_error_limit = 3 
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem 
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache 
smtpd_use_tls = yes 
transport_maps = hash:/etc/postfix/transport 
unknown_local_recipient_reject_code = 450 
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf 
virtual_gid_maps = static:5000 
virtual_mailbox_base = /var/spool/mail/virtual 
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf 
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf 
virtual_uid_maps = static:5000

master.cf: (Removed comments)
=

smtp inet n - - - - smtpd
hotmailratelimit unix - - - - 1 smtp
  -o smtp_fallback_relay= -o syslog_name=slow_queue -o smtp_helo_timeout=3
  -o smtp_mx_session_limit=1 -o smtp_mx_address_limit=1
yahooratelimit unix - - - - 1 smtp
  -o smtp_fallback_relay= -o syslog_name=slow_queue -o smtp_helo_timeout=3
  -o smtp_mx_session_limit=1 -o smtp_mx_address_limit=1
relayratelimit unix - - - - 1 smtp
  -o smtp_fallback_relay= -o syslog_name=slow_queue -o smtp_helo_timeout=3
  -o smtp_mx_session_limit=1 -o smtp_mx_address_limit=1
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap

smtp unix - - - - - smtp
relay unix - - - - - smtp
  -o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
  ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

I don't want to throttle the email that goes for my own domain (my.domain.com). 

Previously I had the transport as: 

hotmail.com hotmailratelimit: 
yahoo.com yahooratelimit: 
my.domain.com relayratelimit: 


(added relayratelimit line) but then I had the warning: warning: do not list 
domain in BOTH virtual_mailbox_domains and relay_domains and when I sent an 
email to my.domain.com from outsid

Question respecting relay_domains and transport map on mail hub

2012-06-13 Thread James B. Byrne
In our configuration the final delivery mail server is not listed in
the MX records for the various domains that we host.  Instead the
highest priority MX hosts relay directly to the common final delivery
host using transport maps and disabling MX lookups:

example.com   relay:[delivery.domain.tld]
.example.com  relay:[delivery.domain.tld]

example2.com  relay:[delivery.domain.tld]
.example2.com relay:[delivery.domain.tld]

The public MX hosts are the same for all of the domains that we host
as is the final delivery host.

Experimentation seems to indicate that a relay_domains map that
contains example.com is redundant in this situation but, given my
inexperience with Postfix, I would like to have this inference
confirmed or denied by someone who knows for sure.

Given the requirement for the transport map on the MX hosts does the
relay_domains value need to be set at all?




-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: Question respecting relay_domains and transport map on mail hub

2012-06-13 Thread Wietse Venema
James B. Byrne:
> Given the requirement for the transport map on the MX hosts does the
> relay_domains value need to be set at all?

If the destination is not on the machine itself, the destination
should be listed in relay_domains.

transport_maps is not a substitute for relay_domains (think, for
example, of sites that have special configuration for hotmail etc.;
such sites do not automatically "relay" everyone else's mail to
hotmail).

There are some useful hints and tips in the firewall/gateway
example in STANDARD_CONFIGURATION_README.html

Wietse


Re: Question respecting relay_domains and transport map on mail hub

2012-06-13 Thread James B. Byrne

On Wed, June 13, 2012 12:23, Wietse Venema wrote:
> James B. Byrne:
>> Given the requirement for the transport map on the MX hosts does the
>> relay_domains value need to be set at all?
>
> If the destination is not on the machine itself, the destination
> should be listed in relay_domains.

Thank you for the clarification.  I understand from reading the
documentation all that relay_domains contains is a list of those
domains for which Postfix will accept mail and either deliver or
forward.  My confusion arises from our requirement to use transport
maps to effect forwarding to a specific host without using MX data.

> transport_maps is not a substitute for relay_domains

I will retain the relay_domains list as you advise. However, it
appears that transport map configuration nonetheless works for domains
without an entry in the relay_domains list, thus my inquiry.  Is this
simply happenstance?  Is there some exception or failure condition
that may occur if a domain listed in the transport map as using the
relay transport does not also have an entry in the relay_domains list?

> There are some useful hints and tips in the firewall/gateway
> example in STANDARD_CONFIGURATION_README.html

I have gone through this reference (among many others) repeatedly this
past few weeks. I fear I presently lack the experience to relate much
of what I read there to what actually is going on.  I have managed to
get the new setup working insofar as I can tell.  Now I am going over
everything I have done in an attempt to understand which bits were
necessary and which were not.



-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: Question respecting relay_domains and transport map on mail hub

2012-06-13 Thread Wietse Venema
James B. Byrne:
> 
> On Wed, June 13, 2012 12:23, Wietse Venema wrote:
> > James B. Byrne:
> >> Given the requirement for the transport map on the MX hosts does the
> >> relay_domains value need to be set at all?
> >
> > If the destination is not on the machine itself, the destination
> > should be listed in relay_domains.
> 
> Thank you for the clarification.  I understand from reading the
> documentation all that relay_domains contains is a list of those
> domains for which Postfix will accept mail and either deliver or
> forward.  My confusion arises from our requirement to use transport

Please do not confuse RECEIVE controls with DELIVERY controls.

transport_maps determines how to DELIVER a domain.

relay_domains determines what domains to RECEIVE for forwarding,

Wietse


Re: Question respecting relay_domains and transport map on mail hub

2012-06-13 Thread James B. Byrne

On Wed, June 13, 2012 13:40, Wietse Venema wrote:

> Please do not confuse RECEIVE controls with DELIVERY controls.
>
> transport_maps determines how to DELIVER a domain.
>
> relay_domains determines what domains to RECEIVE for forwarding,
>

Thank you.  I now understand why my test passed when it should not
have.  It originated from the mail hub so the receiving element was
not exercised at all.


-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3
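
The RECEIVE/DELIVER split discussed in this thread, as an added example that is not part of any list message: a Python check (hypothetical helper names, constructed sample data) that lists transport-map entries routed through the relay transport whose domain is missing from relay_domains, the gap that only shows up when mail arrives from outside the hub. It assumes the default parent_domain_matches_subdomains behaviour, where a relay_domains entry also covers subdomains.

```python
# Added example. Sample data is constructed from the domains used in the thread.
TRANSPORT = """\
example.com    relay:[delivery.domain.tld]
.example.com   relay:[delivery.domain.tld]
example2.com   relay:[delivery.domain.tld]
.example2.com  relay:[delivery.domain.tld]
hotmail.com    hotmailratelimit:
"""
RELAY_DOMAINS = "example.com"   # example2.com deliberately left out
FORWARDING = {"relay"}          # assumption: transports that forward to our own hosts


def parse_transport(text):
    """Return [(pattern, transport, nexthop)] from transport(5) table text."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        transport, _, nexthop = result.strip().partition(":")
        rows.append((pattern.lower(), transport, nexthop))
    return rows


def accepted_for_relay(pattern, relay_domains):
    """True if smtpd would RECEIVE mail for this domain via relay_domains."""
    domain = pattern.lstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in relay_domains)


def audit(transport_text, relay_domains_value):
    """List transport patterns that are DELIVERED by a forwarding transport
    but are not covered by relay_domains on the RECEIVE side."""
    relay_domains = [d.lower() for d in relay_domains_value.replace(",", " ").split()]
    missing = []
    for pattern, transport, _ in parse_transport(transport_text):
        if transport not in FORWARDING or "@" in pattern:
            continue  # other transports and per-address entries are out of scope
        if not accepted_for_relay(pattern, relay_domains):
            missing.append(pattern)
    return missing


if __name__ == "__main__":
    for pattern in audit(TRANSPORT, RELAY_DOMAINS):
        print("routed by transport_maps but not in relay_domains:", pattern)
```

A test message submitted on the hub itself never reaches the smtpd relay check, so this kind of comparison (or a test from an outside client) is what exposes the missing entry.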



Re: How to handle local mail when throttling?

2012-06-13 Thread Noel Jones
On 6/13/2012 4:34 AM, Adrian Gibanel wrote:
> I have setup a throttling postfix based on
> http://flurdy.com/docs/postfix/ and
> http://tech.groups.yahoo.com/group/postfix-users/message/271370 .
> In the virtual domains tables I have: localhost,
> localhost.localdomain and my.domain.com .
> 
> transport:
> 
> 
> hotmail.com hotmailratelimit:
> yahoo.com   yahooratelimit:
> 
> main.cf: (I was suggested to post the postconf -n output instead)
> 
> 
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> default_destination_rate_delay = 15s

You've set the default delay to 15s for all deliveries.  Don't do that.

Rather use:
  hotmailratelimit_destination_rate_delay = 15s
  yahooratelimit_destination_rate_delay = 15s

http://www.postfix.org/postconf.5.html#default_destination_rate_delay

and see the "slow" transport examples under
http://www.postfix.org/QSHAPE_README.html#backlog



> delay_warning_time = 4h
> disable_vrfy_command = yes
> inet_interfaces = all
> mailbox_command = 
> mailbox_size_limit = 0
> maximal_backoff_time = 8000s
> maximal_queue_lifetime = 3d
> minimal_backoff_time = 1000s

The default minimal backoff is now 300s, which is probably a better
choice.


> smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client blackholes.easynet.nl, reject_rbl_client
> dnsbl.njabl.org

It's customary to precede the RBL checks with "permit_mynetworks,
permit_sasl_authenticated" so you don't reject legit clients.

And blackholes.easynet.nl has not been operational for several
years.  Review all your RBLs periodically.



> smtpd_recipient_limit = 16

Artificially limiting the number of recipients per connection just
makes your server work harder.

> smtpd_recipient_restrictions = reject_unauth_pipelining,
> permit_mynetworks, reject_non_fqdn_recipient,
> reject_unknown_recipient_domain, reject_unauth_destination, permit
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sender_restrictions = permit_mynetworks, warn_if_reject
> reject_non_fqdn_sender, reject_unknown_sender_domain,
> reject_unauth_pipelining, permit
> smtpd_soft_error_limit = 3
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 450

This should be 550 unless you're having some problem.


> virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /var/spool/mail/virtual
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
> virtual_uid_maps = static:5000
> 
> 
> 
> master.cf: (Removed comments)
> =
> 
> smtp  inet  n   -   -   -   -   smtpd
> hotmailratelimit  unix  -   -   -   -   1   smtp
> -o smtp_fallback_relay= -o syslog_name=slow_queue -o
> smtp_helo_timeout=3
> -o smtp_mx_session_limit=1 -o smtp_mx_address_limit=1

It seems counterproductive to set the session limit and mx address
limit to 1.  These should be left at the defaults.

> yahooratelimit  unix  -   -   -   -   1   smtp
> -o smtp_fallback_relay= -o syslog_name=slow_queue -o
> smtp_helo_timeout=3
> -o smtp_mx_session_limit=1 -o smtp_mx_address_limit=1

It seems counterproductive to set the session limit and mx address
limit to 1.  These should be left at the defaults.

> relayratelimit  unix  -   -   -   -   1   smtp
> -o smtp_fallback_relay= -o syslog_name=slow_queue -o
> smtp_helo_timeout=3
> -o smtp_mx_session_limit=1 -o smtp_mx_address_limit=1

It seems counterproductive to set the session limit and mx address
limit to 1.  These should be left at the defaults.

> 
> I don't want to throttle the email that goes for my own domain
> (my.domain.com).
> 

Removing the default_destination_rate_delay will fix that.




  -- Noel Jones
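
The review points in the reply above, as an added example that is not part of the original message: a small Python lint (hypothetical function and finding names) run over an excerpt of the postconf -n output posted in this thread. It flags a global default_destination_rate_delay, RBL checks that are not preceded by permit_mynetworks and permit_sasl_authenticated, and a 450 unknown_local_recipient_reject_code; the FIXED sample is constructed from the suggestions in the reply.

```python
import re

# Excerpt of the posted postconf -n output, continuation lines indented.
POSTED = """\
default_destination_rate_delay = 15s
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
unknown_local_recipient_reject_code = 450
"""

# Constructed "after" sample following the suggestions in the reply.
FIXED = """\
hotmailratelimit_destination_rate_delay = 15s
yahooratelimit_destination_rate_delay = 15s
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_rbl_client sbl.spamhaus.org
unknown_local_recipient_reject_code = 550
"""


def parse_postconf(text):
    """Parse 'name = value' lines, joining indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params


def lint(params):
    findings = []
    # A non-zero global delay throttles every transport, local delivery included.
    delay = params.get("default_destination_rate_delay", "0s")
    if not re.fullmatch(r"0+[smhdw]?", delay):
        findings.append("global-rate-delay")
    # RBL lookups should come after the permits for trusted clients.
    tokens = re.split(r"[,\s]+", params.get("smtpd_client_restrictions", "").strip())
    if "reject_rbl_client" in tokens:
        before = tokens[:tokens.index("reject_rbl_client")]
        for permit in ("permit_mynetworks", "permit_sasl_authenticated"):
            if permit not in before:
                findings.append("rbl-before-" + permit)
    if params.get("unknown_local_recipient_reject_code") == "450":
        findings.append("soft-unknown-recipient-code")
    return findings
```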


address_verify_map

2012-06-13 Thread Daniel L. Miller

Can a SQL database be used for the recipient verification storage?

--
Daniel


Re: address_verify_map

2012-06-13 Thread Wietse Venema
Daniel L. Miller:
> Can a SQL database be used for the recipient verification storage?

Not unless someone has implemented Postfix support for SQL updates.

Wietse


setting aliases properly

2012-06-13 Thread jeffrey j donovan
Greetings
It has been a long time since I've done this, and I could use some guidance.

I have one domain ( example.com ) and 7 systems.

mx1.example.com
Av1.example.com
relay1.example.com
relay2.exmple.com
imap/pop1
imap/pop2
imap/pop3

Each understands its own /etc/aliases file. If I send a message to 
someal...@machine.example.com it works fine.
When I try to send to aliasn...@example.com, all the machines kick it to the MX 
server ( which has a transportmap for example.com ) and I get a loop.

aliasname:  lukeskywal...@host.example.com

Can I specify

aliasn...@example.com:  lukeskywal...@host.example.com

Right now my MX server is only working when I specify the host name in the 
message.

Is there something I should set in main.cf? 

mydestination = $myhostname, localhost.$mydomain, localhost, example.com, 
$mydomain
mydomain = example.com
mydomain_fallback = localhost
myhostname = mx1.example.com
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = $myhostname


-j

Re: setting aliases properly

2012-06-13 Thread jeffrey j donovan

On Jun 13, 2012, at 9:39 PM, jeffrey j donovan wrote:

> Greetings
> it has been a long time since I've done this, and could use some guidance.
> 
> I have one domain ( example.com ) and 7 systems.
> 
> mx1.example.com
> Av1.example.com
> relay1.example.com
> relay2.exmple.com
> imap/pop1
> imap/pop2
> imap/pop3
> 
> each understand their own /etc/aliases file. if I send a message to 
> someal...@machine.example.com it works fine.
> when i try to send to aliasn...@example.com, all the machines kick it to the 
> MX server ( which has a transportmap for example.com ) and I get a loop.
> 
> aliasname:lukeskywal...@host.example.com
> 
> can i specify
> 
> aliasn...@example.com:lukeskywal...@host.example.com
> 
> right now my MX server is only working when i specify the host name in the 
> message.
> 
> if there is something I should set in main.cf ? 
> 
> mydestination = $myhostname, localhost.$mydomain, localhost, example.com, 
> $mydomain
> mydomain = example.com
> mydomain_fallback = localhost
> myhostname = mx1.example.com
> mynetworks = 127.0.0.0/8
> mynetworks_style = host
> myorigin = $myhostname
> 
> 
> -j


Answering my own question: is this what I need to change?
http://www.postfix.org/postconf.5.html

myorigin (default: $myhostname)
The domain name that locally-posted mail appears to come from, and that locally 
posted mail is delivered to. The default, $myhostname, is adequate for small 
sites. If you run a domain with multiple machines, you should (1) change this 
to $mydomain and (2) set up a domain-wide alias database that aliases each user 
to user@that.users.mailhost.

Example:

myorigin = $mydomain


Okay, part (2) of that answer: set up a domain-wide alias database that aliases 
each user to user@that.users.mailhost.
How do I do that properly?

-j