INBOX and NFS ?

[Frank Bonnet]

Hello all

I'm thinking to move all users's inboxes from local mailhub filesystem ( 
FreeBSD 9.0 )

to a NFS mounted directory to a NetAPP filer to take advantage of the
netapp facilities.

I use traditional MBOX format and real UNIX users  through LDAP ( 
pam_ldap + nss_ldap )


Actually all users's IMAP folders ( dovecot 2 ) are living in an NFS 
mounted directory and it work like
a charm , but I wonder on how this would be reliable for incoming mail 
that goes to INBOX users.


What would happen with postfix if it cannot access to users's mailboxes ?
( Eg : LAN down or filer stopped )


Thank you

Re: Postscreen, DNSBL, and Windows Phone

[Jerry]

On Tue, 21 Aug 2012 03:07:47 +0200
Benny Pedersen articulated:

> Den 2012-08-20 22:49, Reindl Harald skrev:
> 
> > this is a absolutely common way to specify host:port for all sort
> > of service-types and clients
> 
> microsoft try to sell better manuels as a thing that cost more :=)
   ^^^
You mean that they are engaging in human trafficking? I think you are
referring to "manuals". In any case, over the years I have found that I
can get virtually any info I want about a Microsoft product by using
either their "technet"
 or "MSDN" services
. Google is your
friend. The answer to this problem, as I believe was previously
published here, can be located at:

and
.

-- 
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Re: INBOX and NFS ?

[Wietse Venema]

Frank Bonnet:
> What would happen with postfix if it cannot access to users's mailboxes ?
> ( Eg : LAN down or filer stopped )

If the mailbox file system is hard mounted then the Postfix mail
delivery agent will hang until the LAN comes back or the filer is
rebooted. When a Postfix process hangs longer than some 1000s then
a Postfix watchdog timer will kill it.

If the mailbox file system is soft mounted then Postfix is not
supported.

If the mailbox file system is not mounted then Postfix gets a hard
error (no such file or directory, not a directory, etc.) and returns
the mail to the sender.  That would also happen with non-NFS mounts.
Don't start Postfix before all mail-related file systems are mounted,
regardless of their type.

Wietse

Re: Postscreen, DNSBL, and Windows Phone

[Benny Pedersen]

Den 2012-08-21 11:57, Jerry skrev:

but i dont need this to setup smtp auth in nokia, only windows needs 
it, i keep my symbian os

Re: INBOX and NFS ?

[Benny Pedersen]

Den 2012-08-21 10:02, Frank Bonnet skrev:

What would happen with postfix if it cannot access to users's 
mailboxes ?

( Eg : LAN down or filer stopped )


then it stays in queue until dovecot is ready to deliver

to see it, stop dovecot, then see what postfix do

Re: INBOX and NFS ?

[Frank Bonnet]

On 08/21/2012 01:32 PM, Benny Pedersen wrote:

Den 2012-08-21 10:02, Frank Bonnet skrev:

What would happen with postfix if it cannot access to users's 
mailboxes ?

( Eg : LAN down or filer stopped )


then it stays in queue until dovecot is ready to deliver

to see it, stop dovecot, then see what postfix do





No I do not use Dovecot as delivery agent , I use Postfix.

Re: INBOX and NFS ?

[Denis Witt]

On 21.08.2012 10:02, Frank Bonnet wrote:


What would happen with postfix if it cannot access to users's mailboxes ?
( Eg : LAN down or filer stopped )


Hi,

how are you supposed to get external Mail when your LAN is down? If 
Dovecot isn't running the Mail will stay in the Postfix-Queue for some 
time (regarding on your Config).


If your mountpoint isn't accessible for some reason you could stop 
Dovecot to avoid that mails are bounced.


Bye.

Re: INBOX and NFS ?

[Frank Bonnet]

On 08/21/2012 12:56 PM, Wietse Venema wrote:

Frank Bonnet:

What would happen with postfix if it cannot access to users's mailboxes ?
( Eg : LAN down or filer stopped )

If the mailbox file system is hard mounted then the Postfix mail
delivery agent will hang until the LAN comes back or the filer is
rebooted. When a Postfix process hangs longer than some 1000s then
a Postfix watchdog timer will kill it.

If the mailbox file system is soft mounted then Postfix is not
supported.

If the mailbox file system is not mounted then Postfix gets a hard
error (no such file or directory, not a directory, etc.) and returns
the mail to the sender.  That would also happen with non-NFS mounts.
Don't start Postfix before all mail-related file systems are mounted,
regardless of their type.

Wietse


OK, well understood ,
thanks a lot Wiese :-)

workflow in postfix?

[anant]

Dear List,

Existing setup:

main.cf has mail_size_limit of 30 MB.

we are using smtpd_policy feature and controlling the allowed mail  
size for mails.  That is, if somebody requests to send higher size  
mail, say about 10 MB, we write his email id and allowed size in a  
file, and based on this, he is able to send mail to the recipient a  
higher size mail.  Here we have manual intervention.  By default,  
policy takes care that, no one is allowed to send mail beyond 2 MB.


what is required?

Now, we want to automate it, using some kind of work flow. If somebody  
sends a mail, higher than 2 Mb, postfix can detect it.  Can it  
redirect to some administrator for approval?  If say, approved, by  
mail itself, then it can proceed with delivery to recipient?


Any other ideas are also welcome...

Regards,
Anant.


--
Confidentiality Notice: This e-mail message, including any attachments, is for
the sole use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
--

Re: workflow in postfix?

[Wietse Venema]

an...@isac.gov.in:
> Now, we want to automate it, using some kind of work flow. If somebody  
> sends a mail, higher than 2 Mb, postfix can detect it.  Can it  
> redirect to some administrator for approval?  If say, approved, by  
> mail itself, then it can proceed with delivery to recipient?

This is what the policy protocol interface was developed for.
I provide the mechanism, you provide the site-specific policy.

Wietse

Re: TLS SUPPORT: openssl ca debug mssage

[Feel Zhou]

[root@mtayd CA]# yum install openssl-perl
..
[root@mtayd CA]# yum install pki-ca
..
[root@mtayd CA]# pwd
/etc/pki/CA

After yum install, I reboot the system.

[root@mtayd CA]# openssl ca -out postfix_cert.pem -infiles
postfix_public.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
unable to load certificate
139860379301704:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE

Can not creat the postfix_cert.pem. Thanks four your time.

Tom


2012/8/21 Wietse Venema 

> Feel Zhou:
> > Thanks, Wietse and all my friend
> > I just do the command:
> > yum install openssl-perl
> > When I test again
> > still have the same wrong message
>
> Please show the command and output for each step in TLS_README.
> You can capture the session with the script command.
>
> script name-of-file
> $ /some/where/CA.pl ...
> ...and so on...
> $ exit
>
> Wietse
>

..::Rbl not working::..

[Alfonso Alejandro Reyes Jiménez]

Hi everyone.

I've postfix working great but I cant make the rbl works, I have the 
configuration but when I test the configuration it seems not to be working.


I'm testing with http://www.crynwr.com/spam/ Spamhaus has that ip 
address listed but I'm still getting those emails.


Here's the postconf -n result:

[root@mail ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail/
mailbox_size_limit = 524288000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = ibossmonitor.com
message_size_limit = 5242880
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain123.com
myhostname = domain123.com
mynetworks = 127.0.0.0/8, 10.1.8.27/32, 10.1.8.23/32, 172.16.18.101/32, 
10.1.215.26/32

myorigin = domain123.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname Microsoft ESMTP MAIL Service ready
smtpd_helo_required = yes
smtpd_recipient_restrictions = 
permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
zen.spamhaus.org,reject_rhsbl_sender 
dsn.rfc-ignorant.org,reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = inet:127.0.0.1:12345
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = pcre:/etc/postfix/sender_login.pcre
smtpd_sender_restrictions = 
reject_authenticated_sender_login_mismatch,check_client_access 
hash:/etc/postfix/client_access

smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

any ideas? thanks in advance for your help.

Regards.

Alfonso.
--

Re: TLS SUPPORT: openssl ca debug mssage

[/dev/rob0]

On Tue, Aug 21, 2012 at 09:30:47PM +0800, Feel Zhou wrote:
> [root@mtayd CA]# yum install openssl-perl
> ..
> [root@mtayd CA]# yum install pki-ca
> ..
> [root@mtayd CA]# pwd
> /etc/pki/CA
> 
> After yum install, I reboot the system.

No way! Really? All you did there was install a few scripts that have 
absolutely no connection to the running of the system. There was no 
need to reboot for that.

I point this out because it is likely that you would benefit most at 
this time from learning the basics of your OS and how to manage it. 
This whole thread does look like you need a better grasp of such 
things.

> [root@mtayd CA]# openssl ca -out postfix_cert.pem -infiles
> postfix_public.pem

Another basic hint is that you don't need to use the root account to 
manage your openssl CA. Get into the habit of only using root for 
actual administration of the system.

An openssl basic hint is that the CA should not be kept and managed 
on the server itself. You can add another layer of security to it by 
keeping the CA files offline and physically secure. I keep mine on a 
different system behind a NAT gateway, not directly accessible from 
the Internet.

(Of course in mail terms, high security for the TLS CA is not usually 
very important, but if you're using this CA for anything else, it can 
be. And it never hurts to do things right from the beginning.)

And yet another hint is that you are not following Wietse's 
directions. He told you to use the freshly installed CA.pl script 
that ships with OpenSSL.

> Using configuration from /etc/pki/tls/openssl.cnf
> Enter pass phrase for /etc/pki/CA/private/cakey.pem:
> unable to load certificate
> 139860379301704:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
> 
> Can not creat the postfix_cert.pem. Thanks four your time.

"Unable to load certificate" looks like there was something wrong 
with the certificate file. If you want to do this the Postfix "quick 
and dirty" way, we can possibly help you here, but only if you do 
follow the directions. If you want to use openssl(1) ca(1) directly, 
you might have better luck in a forum specific to OpenSSL.

http://www.postfix.org/TLS_README.html#quick-start

Oh, and please do not top-post your replies here. I am leaving 
Wietse's reply quoted, below, in the hopes that you will read it 
again and maybe understand it this time. Thank you and good luck.


> 2012/8/21 Wietse Venema 
> 
> > Feel Zhou:
> > > Thanks, Wietse and all my friend
> > > I just do the command:
> > > yum install openssl-perl
> > > When I test again
> > > still have the same wrong message
> >
> > Please show the command and output for each step in TLS_README.
> > You can capture the session with the script command.
> >
> > script name-of-file
> > $ /some/where/CA.pl ...
> > ...and so on...
> > $ exit
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: ..::Rbl not working::..

[Ralf Hildebrandt]

* Alfonso Alejandro Reyes Jiménez :
> Hi everyone.
> 
> I've postfix working great but I cant make the rbl works, I have the
> configuration but when I test the configuration it seems not to be
> working.

Logs?
 
> I'm testing with http://www.crynwr.com/spam/ Spamhaus has that ip
> address listed but I'm still getting those emails.

Which IP? Logs?

> smtpd_recipient_restrictions =
> permit_mynetworks,permit_sasl_authenticated,reject_rbl_client
> zen.spamhaus.org,reject_rhsbl_sender
> dsn.rfc-ignorant.org,reject_unauth_destination

That looks ok

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Re: ..::Rbl not working::..

[/dev/rob0]

On Tue, Aug 21, 2012 at 09:03:47AM -0500,
   Alfonso Alejandro Reyes Jiménez wrote:
> I've postfix working great but I cant make the rbl works, I have 
> the configuration but when I test the configuration it seems not
> to be working.
> 
> I'm testing with http://www.crynwr.com/spam/ Spamhaus has that ip
> address listed but I'm still getting those emails.
> 
> Here's the postconf -n result:
> 
> [root@mail ~]# postconf -n

Irrelevant parts removed, possibly relevant lines here:

> mynetworks = 127.0.0.0/8, 10.1.8.27/32, 10.1.8.23/32,
> 172.16.18.101/32, 10.1.215.26/32

> smtpd_recipient_restrictions =
> permit_mynetworks,permit_sasl_authenticated,reject_rbl_client
> zen.spamhaus.org,reject_rhsbl_sender
> dsn.rfc-ignorant.org,reject_unauth_destination

> any ideas? thanks in advance for your help.

You neglected to show the logs of the acceptance of the crynwr.com 
test mail.

Nevertheless, I do have a WAG for you. Test your server's ability to 
resolve records in zen.spamhaus.org.

[alfonso@mail ~]$ dig 2.0.0.127.zen.spamhaus.org. any

You should see among the output:

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 300 IN  TXT 
"http://www.spamhaus.org/query/bl?ip=127.0.0.2";
2.0.0.127.zen.spamhaus.org. 300 IN  TXT 
"http://www.spamhaus.org/sbl/query/SBL233";
2.0.0.127.zen.spamhaus.org. 300 IN  A   127.0.0.4
2.0.0.127.zen.spamhaus.org. 300 IN  A   127.0.0.10
2.0.0.127.zen.spamhaus.org. 300 IN  A   127.0.0.2

If you're using a nameserver external to you, such as Google Public 
DNS or any ISP's resolver, there is a very good chance that Spamhaus 
is blocking your queries.

If my guess is right, you can possibly fix it by installing and using 
your own local caching resolver, i.e., BIND named(8) or other 
implementation of DNS recursion. Offer void where taxed or 
restricted, or if your number of queries puts you in excess of 
Spamhaus maximum allowed. (In that case, see about their paid 
service; well worth the small expense per mailbox.)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: ..::Rbl not working::..

[Brian Evans - Postfix List]

On 8/21/2012 10:03 AM, Alfonso Alejandro Reyes Jiménez wrote:
> Hi everyone.
>
> I've postfix working great but I cant make the rbl works, I have the
> configuration but when I test the configuration it seems not to be
> working.
>
> I'm testing with http://www.crynwr.com/spam/ Spamhaus has that ip
> address listed but I'm still getting those emails.
>

As others have noted, you need a caching DNS resolver (named, unbound,
etc) and you should use dig or host to test.

> smtpd_banner = $myhostname Microsoft ESMTP MAIL Service ready
No benefit to change this.   Lying to computers does nothing.

> smtpd_recipient_restrictions =
> permit_mynetworks,permit_sasl_authenticated,reject_rbl_client
> zen.spamhaus.org,reject_rhsbl_sender
> dsn.rfc-ignorant.org,reject_unauth_destination

I would recommend putting reject_unauth_destination before RBL checks.
This will cut down the number of DNS queries which are limited amounts
for the free access.

Brian

Re: TLS SUPPORT: openssl ca debug mssage

[Wietse Venema]

Feel Zhou:
> [root@mtayd CA]# openssl ca -out postfix_cert.pem -infiles

If you want help, show that you follow the TLS_README
instructions exactly.

$ script output-file-name
$ /some/where/CA.pl -newca
...
$ exit

Then send the contents of output-file-name.

Wietse

Re: ..::Rbl not working::..

[Alfonso Alejandro Reyes Jiménez]

On 8/21/12 9:20 AM, Ralf Hildebrandt wrote:

* Alfonso Alejandro Reyes Jiménez:

Hi everyone.

I've postfix working great but I cant make the rbl works, I have the
configuration but when I test the configuration it seems not to be
working.

Logs?


I'm testing with http://www.crynwr.com/spam/ Spamhaus has that ip
address listed but I'm still getting those emails.

Which IP? Logs?


smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_rbl_client
zen.spamhaus.org,reject_rhsbl_sender
dsn.rfc-ignorant.org,reject_unauth_destination

That looks ok


I'm sorry I forgot that information.

Logs:

Aug 21 08:01:48 mail postfix/smtpd[23635]: warning: 200.77.229.165: 
address not listed for hostname correo2.test.com.mx
Aug 21 08:03:32 mail postfix/smtpd[23635]: warning: 200.77.229.166: 
address not listed for hostname correo3.test.com.mx
Aug 21 08:52:11 mail postfix/smtpd[23847]: warning: 200.13.34.22: 
address not listed for hostname correo4.test.com.mx


I couldn't find more logs about.

The IP that's testing my mail server is 192.203.178.107, I used the 
spamhaus lookup tool to confirm that the IP was listed.


Aug 21 09:33:58 mail postfix/smtpd[24060]: connect from 
sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/smtpd[24060]: AB5455D5: 
client=sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/cleanup[24065]: AB5455D5: 
message-id=<1345559...@sbl.crynwr.com>
Aug 21 09:33:59 mail postfix/smtpd[24060]: disconnect from 
sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/smtpd[24060]: AB5455D5: 
client=sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/cleanup[24065]: AB5455D5: 
message-id=<1345559...@sbl.crynwr.com>
Aug 21 09:33:59 mail postfix/qmgr[20868]: AB5455D5: from=<>, size=393, 
nrcpt=1 (queue active)
Aug 21 09:33:59 mail postfix/local[24067]: AB5455D5: 
to=, relay=local, delay=0.87, 
delays=0.48/0.01/0/0.38, dsn=2.0.0, status=sent (delivered to maildir)

Aug 21 09:33:59 mail postfix/qmgr[20868]: AB5455D5: removed

That email was delivered.

Regards.

Re: ..::Rbl not working::..

[Alfonso Alejandro Reyes Jiménez]

On Tue, Aug 21, 2012 at 09:03:47AM -0500, Alfonso Alejandro Reyes 
Jiménez wrote:

I've postfix working great but I cant make the rbl works, I have
the configuration but when I test the configuration it seems not
to be working.

I'm testing with http://www.crynwr.com/spam/ Spamhaus has that ip
address listed but I'm still getting those emails.

Here's the postconf -n result:

[root@mail ~]# postconf -n

Irrelevant parts removed, possibly relevant lines here:


mynetworks = 127.0.0.0/8, 10.1.8.27/32, 10.1.8.23/32,
172.16.18.101/32, 10.1.215.26/32
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_rbl_client
zen.spamhaus.org,reject_rhsbl_sender
dsn.rfc-ignorant.org,reject_unauth_destination
any ideas? thanks in advance for your help.

You neglected to show the logs of the acceptance of the crynwr.com
test mail.

Nevertheless, I do have a WAG for you. Test your server's ability to
resolve records in zen.spamhaus.org.

[alfonso@mail ~]$ dig 2.0.0.127.zen.spamhaus.org. any

You should see among the output:

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 300 IN  TXT 
"http://www.spamhaus.org/query/bl?ip=127.0.0.2";
2.0.0.127.zen.spamhaus.org. 300 IN  TXT 
"http://www.spamhaus.org/sbl/query/SBL233";
2.0.0.127.zen.spamhaus.org. 300 IN  A   127.0.0.4
2.0.0.127.zen.spamhaus.org. 300 IN  A   127.0.0.10
2.0.0.127.zen.spamhaus.org. 300 IN  A   127.0.0.2

If you're using a nameserver external to you, such as Google Public
DNS or any ISP's resolver, there is a very good chance that Spamhaus
is blocking your queries.

If my guess is right, you can possibly fix it by installing and using
your own local caching resolver, i.e., BIND named(8) or other
implementation of DNS recursion. Offer void where taxed or
restricted, or if your number of queries puts you in excess of
Spamhaus maximum allowed. (In that case, see about their paid
service; well worth the small expense per mailbox.)

I'm sorry I forgot that information.

Logs:

Aug 21 08:01:48 mail postfix/smtpd[23635]: warning: 200.77.229.165: 
address not listed for hostname correo2.test.com.mx
Aug 21 08:03:32 mail postfix/smtpd[23635]: warning: 200.77.229.166: 
address not listed for hostname correo3.test.com.mx
Aug 21 08:52:11 mail postfix/smtpd[23847]: warning: 200.13.34.22: 
address not listed for hostname correo4.test.com.mx


I couldn't find more logs about.

The IP that's testing my mail server is 192.203.178.107, I used the 
spamhaus lookup tool to confirm that the IP was listed.


Aug 21 09:33:58 mail postfix/smtpd[24060]: connect from 
sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/smtpd[24060]: AB5455D5: 
client=sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/cleanup[24065]: AB5455D5: 
message-id=<1345559...@sbl.crynwr.com>
Aug 21 09:33:59 mail postfix/smtpd[24060]: disconnect from 
sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/smtpd[24060]: AB5455D5: 
client=sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/cleanup[24065]: AB5455D5: 
message-id=<1345559...@sbl.crynwr.com>
Aug 21 09:33:59 mail postfix/qmgr[20868]: AB5455D5: from=<>, size=393, 
nrcpt=1 (queue active)
Aug 21 09:33:59 mail postfix/local[24067]: AB5455D5: 
to=, relay=local, delay=0.87, 
delays=0.48/0.01/0/0.38, dsn=2.0.0, status=sent (delivered to maildir)

Aug 21 09:33:59 mail postfix/qmgr[20868]: AB5455D5: removed

That email was delivered.

Thanks for the tip but I have bind running and it seems not to be 
allowed to make queries to spamhaus:


[root@mail ~]# dig 2.0.0.127.zen.spamhaus.org any

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> 
2.0.0.127.zen.spamhaus.org any

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35309
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.INANY

;; AUTHORITY SECTION:
zen.spamhaus.org.6INSOAneed.to.know.only. 
hostmaster.spamhaus.org. 1208211440 3600 600 432000 150


;; Query time: 71 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 21 09:44:12 2012
;; MSG SIZE  rcvd: 108

[root@mail ~]#

Here's the DNS config part:

[root@mail ~]# vi /etc/resolv.conf

# Generated by NetworkManager
nameserver 127.0.0.1

The BIND forwarding is made to a public dns do you think that could be 
the problem?


Regards.

Re: ..::Rbl not working::..

[Ralf Hildebrandt]

* Alfonso Alejandro Reyes Jiménez :


> The IP that's testing my mail server is 192.203.178.107, I used the
> spamhaus lookup tool to confirm that the IP was listed.

192.203.178.107 is indeed listed.

$ host 107.178.203.192.zen.spamhaus.org
107.178.203.192.zen.spamhaus.org has address 127.0.0.2

try "host 107.178.203.192.zen.spamhaus.org" on your box.

> Aug 21 09:33:58 mail postfix/smtpd[24060]: connect from 
> sbl.crynwr.com[192.203.178.107]
> Aug 21 09:33:58 mail postfix/smtpd[24060]: AB5455D5: 
> client=sbl.crynwr.com[192.203.178.107]
> Aug 21 09:33:58 mail postfix/cleanup[24065]: AB5455D5: 
> message-id=<1345559...@sbl.crynwr.com>
> Aug 21 09:33:59 mail postfix/smtpd[24060]: disconnect from 
> sbl.crynwr.com[192.203.178.107]
> Aug 21 09:33:58 mail postfix/smtpd[24060]: AB5455D5: 
> client=sbl.crynwr.com[192.203.178.107]
> Aug 21 09:33:58 mail postfix/cleanup[24065]: AB5455D5: 
> message-id=<1345559...@sbl.crynwr.com>
> Aug 21 09:33:59 mail postfix/qmgr[20868]: AB5455D5: from=<>, size=393, 
> nrcpt=1 (queue active)
> Aug 21 09:33:59 mail postfix/local[24067]: AB5455D5: 
> to=, relay=local, delay=0.87, delays=0.48/0.01/0/0.38, 
> dsn=2.0.0, status=sent (delivered to maildir)
> Aug 21 09:33:59 mail postfix/qmgr[20868]: AB5455D5: removed
> 
> That email was delivered.
> 
> Regards.
> 

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Re: ..::Rbl not working::..

[Alfonso Alejandro Reyes Jiménez]

On 8/21/12 9:25 AM, Brian Evans - Postfix List wrote:

On 8/21/2012 10:03 AM, Alfonso Alejandro Reyes Jiménez wrote:

Hi everyone.

I've postfix working great but I cant make the rbl works, I have the
configuration but when I test the configuration it seems not to be
working.

I'm testing with http://www.crynwr.com/spam/ Spamhaus has that ip
address listed but I'm still getting those emails.


As others have noted, you need a caching DNS resolver (named, unbound,
etc) and you should use dig or host to test.


smtpd_banner = $myhostname Microsoft ESMTP MAIL Service ready

No benefit to change this.   Lying to computers does nothing.


smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_rbl_client
zen.spamhaus.org,reject_rhsbl_sender
dsn.rfc-ignorant.org,reject_unauth_destination

I would recommend putting reject_unauth_destination before RBL checks.
This will cut down the number of DNS queries which are limited amounts
for the free access.

Brian
Thanks for the tips, we have bind running on the server forwarded to a 
public DNS server. We are not lying to computers we are lying to nessus 
and that kind of software, is part of the systems hardening but thanks 
for the tip.


I will follow your recomendation about the reject_unauth_destination.

Any other tip?

Regards.

Re: ..::Rbl not working::..

[Alfonso Alejandro Reyes Jiménez]

On 8/21/12 9:46 AM, Ralf Hildebrandt wrote:

* Alfonso Alejandro Reyes Jiménez:



The IP that's testing my mail server is 192.203.178.107, I used the
spamhaus lookup tool to confirm that the IP was listed.

192.203.178.107 is indeed listed.

$ host 107.178.203.192.zen.spamhaus.org
107.178.203.192.zen.spamhaus.org has address 127.0.0.2

try "host 107.178.203.192.zen.spamhaus.org" on your box.


Aug 21 09:33:58 mail postfix/smtpd[24060]: connect from 
sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/smtpd[24060]: AB5455D5: 
client=sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/cleanup[24065]: AB5455D5: 
message-id=<1345559...@sbl.crynwr.com>
Aug 21 09:33:59 mail postfix/smtpd[24060]: disconnect from 
sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/smtpd[24060]: AB5455D5: 
client=sbl.crynwr.com[192.203.178.107]
Aug 21 09:33:58 mail postfix/cleanup[24065]: AB5455D5: 
message-id=<1345559...@sbl.crynwr.com>
Aug 21 09:33:59 mail postfix/qmgr[20868]: AB5455D5: from=<>, size=393, nrcpt=1 
(queue active)
Aug 21 09:33:59 mail postfix/local[24067]: AB5455D5: to=, 
relay=local, delay=0.87, delays=0.48/0.01/0/0.38, dsn=2.0.0, status=sent (delivered 
to maildir)
Aug 21 09:33:59 mail postfix/qmgr[20868]: AB5455D5: removed

That email was delivered.

Regards.


Thanks it seems to be an issue with spamhaus, here's the result:

[root@mail ~]# host 107.178.203.192.zen.spamhaus.org
Host 107.178.203.192.zen.spamhaus.org not found: 3(NXDOMAIN)
[root@mail ~]#

Any tips that can solve this issue? (I know this is not a bind list, but 
anyone may had the same issue)


Thanks for your help.

Regards.

Re: ..::Rbl not working::..

[Ralf Hildebrandt]

* Alfonso Alejandro Reyes Jiménez :

> Thanks it seems to be an issue with spamhaus, here's the result:
> 
> [root@mail ~]# host 107.178.203.192.zen.spamhaus.org
> Host 107.178.203.192.zen.spamhaus.org not found: 3(NXDOMAIN)
> [root@mail ~]#

Use a proper DNS server (like somebody on this thread already suggested)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Re: ..::Rbl not working::..

[Alfonso Alejandro Reyes Jiménez]

On 8/21/12 9:57 AM, Ralf Hildebrandt wrote:

* Alfonso Alejandro Reyes Jiménez:


Thanks it seems to be an issue with spamhaus, here's the result:

[root@mail ~]# host 107.178.203.192.zen.spamhaus.org
Host 107.178.203.192.zen.spamhaus.org not found: 3(NXDOMAIN)
[root@mail ~]#

Use a proper DNS server (like somebody on this thread already suggested)

Thanks as I was telling I have one, but I think the issue is with the 
forwarding it's been made to a public dns server. Should I change it to 
a particular one? (ex spamhaus)


Regards.

Re: ..::Rbl not working::..

[Ralf Hildebrandt]

* Alfonso Alejandro Reyes Jiménez :

> Thanks as I was telling I have one, but I think the issue is with the
> forwarding

Yes. Why are you forwarding at all? Simply let you DNS recurse & cache.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Re: ..::Rbl not working::..

[Brian Evans - Postfix List]

On 8/21/2012 11:02 AM, Alfonso Alejandro Reyes Jiménez wrote:
>
> On 8/21/12 9:57 AM, Ralf Hildebrandt wrote:
>> * Alfonso Alejandro Reyes Jiménez:
>>
>>> Thanks it seems to be an issue with spamhaus, here's the result:
>>>
>>> [root@mail ~]# host 107.178.203.192.zen.spamhaus.org
>>> Host 107.178.203.192.zen.spamhaus.org not found: 3(NXDOMAIN)
>>> [root@mail ~]#
>> Use a proper DNS server (like somebody on this thread already suggested)
>>
> Thanks as I was telling I have one, but I think the issue is with the
> forwarding it's been made to a public dns server. Should I change it
> to a particular one? (ex spamhaus)
>
> Regards.

If you are running BIND named, you shouldn't need to forward.
It knows how to query directly.
If your provider blocks DNS requests, then you need to take it up with them.

Brian

Re: ..::Rbl not working::..

[/dev/rob0]

On Tue, Aug 21, 2012 at 09:45:50AM -0500,
   Alfonso Alejandro Reyes Jiménez wrote:
> Thanks for the tip but I have bind running and it seems not to be
> allowed to make queries to spamhaus:
> 
> [root@mail ~]# dig 2.0.0.127.zen.spamhaus.org any
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>>
> 2.0.0.127.zen.spamhaus.org any
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35309
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;2.0.0.127.zen.spamhaus.org.INANY
> 
> ;; AUTHORITY SECTION:
> zen.spamhaus.org.6INSOAneed.to.know.only.
> hostmaster.spamhaus.org. 1208211440 3600 600 432000 150
> 
> ;; Query time: 71 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug 21 09:44:12 2012
> ;; MSG SIZE  rcvd: 108
> 
> [root@mail ~]#
> 
> Here's the DNS config part:
> 
> [root@mail ~]# vi /etc/resolv.conf
> 
> # Generated by NetworkManager
> nameserver 127.0.0.1
> 
> The BIND forwarding is made to a public dns do you think that could
> be the problem?

rob0 quoted from upthread:
> >If you're using a nameserver external to you, such as Google 
> >Public DNS or any ISP's resolver, there is a very good chance that 
> >Spamhaus is blocking your queries.
> >
> >If my guess is right, you can possibly fix it by installing and 
> >using your own local caching resolver, i.e., BIND named(8) or 
> >other implementation of DNS recursion. Offer void where taxed or 

That was my guess. Now it seems to be confirmed. Remove the 
forwarders from named.conf(5), ensure that recursion is allowed at 
least for "localhost"[1], "rndc reload", test again. If the test 
fails again, you might have to flush the cache. Another rndc(8) 
subcommand can do that also.

We're off topic here. If you need further help with BIND, follow up 
on the bind-users mailing list at ISC.org. Or, see my URL below; I 
can fix this for a minimal fee.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: ..::Rbl not working::..

[lst_hoe02]

Zitat von Alfonso Alejandro Reyes Jiménez :


On 8/21/12 9:57 AM, Ralf Hildebrandt wrote:

* Alfonso Alejandro Reyes Jiménez:


Thanks it seems to be an issue with spamhaus, here's the result:

[root@mail ~]# host 107.178.203.192.zen.spamhaus.org
Host 107.178.203.192.zen.spamhaus.org not found: 3(NXDOMAIN)
[root@mail ~]#

Use a proper DNS server (like somebody on this thread already suggested)

Thanks as I was telling I have one, but I think the issue is with  
the forwarding it's been made to a public dns server. Should I  
change it to a particular one? (ex spamhaus)


Note that public recursor like for example 8.8.8.8 typically exceed  
the limit of queries spamhaus is willing to accept per source and are  
therefore blocked. For RBL queries you really should not use a public  
forwarder.


Regards

Andreas




smime.p7s
Description: S/MIME Cryptographic Signature

Re: ..::Rbl not working::..

[Alfonso Alejandro Reyes Jiménez]

On 8/21/12 10:06 AM, /dev/rob0 wrote:

On Tue, Aug 21, 2012 at 09:45:50AM -0500,
Alfonso Alejandro Reyes Jiménez wrote:

Thanks for the tip but I have bind running and it seems not to be
allowed to make queries to spamhaus:

[root@mail ~]# dig 2.0.0.127.zen.spamhaus.org any

;<<>>  DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2<<>>
2.0.0.127.zen.spamhaus.org any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35309
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.INANY

;; AUTHORITY SECTION:
zen.spamhaus.org.6INSOAneed.to.know.only.
hostmaster.spamhaus.org. 1208211440 3600 600 432000 150

;; Query time: 71 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 21 09:44:12 2012
;; MSG SIZE  rcvd: 108

[root@mail ~]#

Here's the DNS config part:

[root@mail ~]# vi /etc/resolv.conf

# Generated by NetworkManager
nameserver 127.0.0.1

The BIND forwarding is made to a public dns do you think that could
be the problem?

rob0 quoted from upthread:

If you're using a nameserver external to you, such as Google
Public DNS or any ISP's resolver, there is a very good chance that
Spamhaus is blocking your queries.

If my guess is right, you can possibly fix it by installing and
using your own local caching resolver, i.e., BIND named(8) or
other implementation of DNS recursion. Offer void where taxed or

That was my guess. Now it seems to be confirmed. Remove the
forwarders from named.conf(5), ensure that recursion is allowed at
least for "localhost"[1], "rndc reload", test again. If the test
fails again, you might have to flush the cache. Another rndc(8)
subcommand can do that also.

We're off topic here. If you need further help with BIND, follow up
on the bind-users mailing list at ISC.org. Or, see my URL below; I
can fix this for a minimal fee.


That did the trick thanks to everyone that tried to  help me with my issue.

Regards.

Alfonso.

Re: ..::Rbl not working::..

[/dev/rob0]

On Tue, Aug 21, 2012 at 10:06:34AM -0500, I wrote:
> That was my guess. Now it seems to be confirmed. Remove the 
> forwarders from named.conf(5), ensure that recursion is allowed at 
> least for "localhost"[1], "rndc reload", test again. If the test 
> fails again, you might have to flush the cache. Another rndc(8) 
> subcommand can do that also.

Ooops, I meant to put a footnote there:

[1] "localhost" in named.conf terms is a built-in ACL which includes 
any IP address bound on the server itself. See the BIND 9 ARM, 
Chapter 6, "acl Statement Definition and Usage".
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Maintaining the address verification cache for positives

[DTNX Postmaster]

Hello list,

We use the address verification features to relay to and from backend 
servers. This works great, but I seem to be missing or misunderstanding 
some part of how the maintenance of the verification cache works with 
regard to positive results.

For example, when an existing account is deleted on the backend server, 
Postfix will have the positive result, and maintain it for quite some 
time using the default settings;

$ /usr/sbin/postconf -d |grep address_verify_positive_
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d

We tried setting 'address_verify_positive_refresh_time' to a low value 
to test with, but that does not update the cache. This is apparently by 
design, no doubt for good reasons.

How do others deal with this? Set 'address_verify_positive_expire_time' 
to a value significantly lower than the default? Force expiry from the 
cache manually, somehow? Delete the cache and reload Postfix, which is 
what we've done so far?

Also, what purpose does the refresh timer serve if there is no update 
done due to optimistic caching? When would one use this setting?

Thanks,
Jona

Re: TLS SUPPORT: openssl ca debug mssage

[Feel Zhou]

Thanks for rob0's proposal
I need to read avary word of tow document
http://www.postfix.org/TLS_README.html
http://www.postfix.org/TLS_LEGACY_README.html


sorry ,in my system, I can't find the CA.pl
I have no idea how to find it,

[root@mtayd local]# pwd
/usr/local
[root@mtayd local]# ls
bin  etc  games  include  lib  lib64  libexec  sbin  share  src

so I use another command, but I don't know it right or not.
[root@mtayd CA]# openssl genrsa -des3 -out cakey.pem

Tom


2012/8/21 Wietse Venema 

> Feel Zhou:
> > [root@mtayd CA]# openssl ca -out postfix_cert.pem -infiles
>
> If you want help, show that you follow the TLS_README
> instructions exactly.
>
> $ script output-file-name
> $ /some/where/CA.pl -newca
> ...
> $ exit
>
> Then send the contents of output-file-name.
>
> Wietse
>

Re: ..::Rbl not working::..

[Benny Pedersen]

Den 2012-08-21 16:53, Alfonso Alejandro Reyes Jiménez skrev:


[root@mail ~]# host 107.178.203.192.zen.spamhaus.org
Host 107.178.203.192.zen.spamhaus.org not found: 3(NXDOMAIN)
[root@mail ~]#


dig +trace 107.178.203.192.zen.spamhaus.org

where does it fail ?

then contact the nameservers that reject you queries

Re: ..::Rbl not working::..

[Benny Pedersen]

Den 2012-08-21 17:02, Alfonso Alejandro Reyes Jiménez skrev:


Thanks as I was telling I have one, but I think the issue is with the
forwarding it's been made to a public dns server. Should I change it
to a particular one? (ex spamhaus)


no just remove ALL forwarding !

Re: ..::Rbl not working::..

[Alfonso Alejandro Reyes Jiménez]

On 8/21/12 11:23 AM, Benny Pedersen wrote:

Den 2012-08-21 17:02, Alfonso Alejandro Reyes Jiménez skrev:


Thanks as I was telling I have one, but I think the issue is with the
forwarding it's been made to a public dns server. Should I change it
to a particular one? (ex spamhaus)


no just remove ALL forwarding !



Thanks now it's working.

Regards,

Re: TLS SUPPORT: openssl ca debug mssage

[Wietse Venema]

Feel Zhou:
> sorry ,in my system, I can't find the CA.pl
> I have no idea how to find it,

If you don't have CA.pl (installed with "yum install openssl-perl"
or otherwise), then there is no reason to continue this discussion.

Wietse

Re: The ultimate email server

[Mikkel Bang]

2012/8/15 Peter N. M. Hansteen 

>
> I beg to differ. spamd(8) in any configuration is a lot more lightweight
> than
> content filtering. You most likely will need content filtering in addition
> to greylisting+greytrapping, but stopping them earlier is a real plus.
> See eg http://undeadly.org/cgi?action=article&sid=20120604050025


Thanks a lot everyone! After thinking long and hard about all your advice I
finally ended up with:

OpenBSD + postfix-anti-UCE.txt + undeadly's spamd setup (which includes
greylisting+greytrapping) + dspam: https://gist.github.com/3417519

Feedback would be much appreciated.

Thanks!

Mikkel

Re: The ultimate email server

[francis picabia]

I use postfix with postscreen, spamhaus and other RBLs, nolist greylisting,
sqlgrey greylisting, amavisd-new (which calls in spamassassin), and clamav.

Freshclam and sa-update are run daily by cron.

Here are my stats today on the primary MX (actually secondary due to nolist)

Aug 21
Connect: 13840
Delivered: 12190
Reject total:   10986
Reject blocklists:   7710
Reject Reverse DNS:   222
Reject address or overquota:   1396
Early Hangup:   2466
Pregreeted:   777
Greylisted:   1543
Tagged:   936
Quarantined:   608
Infected: 3

The numbers might be strange when looking at connect versus
the other totals, but remember one connection can send
multiple emails.

Tagged is the spam tag count, while severely high spam scores
are quarantined with virtually no false positives).

Without nolist greylisting, the connect stat would be about
600,000 to 800,000 per day.

Early hangup and pregreeted are both features
from postscreen.  Where postscreen and greylisting really help
is on the secondary MX.  Here are today's stats on the
lower priority MX.

Aug 21
Connect: 773
Delivered: 53
Reject total:   4057
Reject Blocklists:   3327
Reject Reverse DNS:   110
Reject address or overquota:   33
Early Hangup:   1351
Pregreeted:   420
Greylisted:   545
Tagged:   75
Quarantined:   75
Infected: 0

Look at that.  Only 53 delivered half way through the day.
Before postscreen and greylisting, it was delivering about
5000 to 9000 emails per day.  They were all spam because
after the change, there are no calls asking where a missing
email is.

I also track these stats in cacti with the total for each day.

Re: The ultimate email server

[Mikkel Bang]

Thanks for the reply Francis!

Here on OpenBSD, spamd takes care of the greylisting so I'm all set there.

After much going back and forth regarding amavisd-new+spamassassin, I came
to the conclusion that it was an overly complex solution, written in a
dying language, that during the course of time loses its effectiveness:

http://cowboyrushforth.com/2008-10-31/dspam_experiement

As for clamav, seems it only manages to stop ancient viruses (which are
rarely in circulation these days), and doesn't stand a chance against all
these new trojans created by many of the world's most brilliant minds.

Mikkel

2012/8/21 francis picabia 

> I use postfix with postscreen, spamhaus and other RBLs, nolist greylisting,
> sqlgrey greylisting, amavisd-new (which calls in spamassassin), and clamav.
>
> Freshclam and sa-update are run daily by cron.
>
> Here are my stats today on the primary MX (actually secondary due to
> nolist)
>
> Aug 21
> Connect: 13840
> Delivered: 12190
> Reject total:   10986
> Reject blocklists:   7710
> Reject Reverse DNS:   222
> Reject address or overquota:   1396
> Early Hangup:   2466
> Pregreeted:   777
> Greylisted:   1543
> Tagged:   936
> Quarantined:   608
> Infected: 3
>
> The numbers might be strange when looking at connect versus
> the other totals, but remember one connection can send
> multiple emails.
>
> Tagged is the spam tag count, while severely high spam scores
> are quarantined with virtually no false positives).
>
> Without nolist greylisting, the connect stat would be about
> 600,000 to 800,000 per day.
>
> Early hangup and pregreeted are both features
> from postscreen.  Where postscreen and greylisting really help
> is on the secondary MX.  Here are today's stats on the
> lower priority MX.
>
> Aug 21
> Connect: 773
> Delivered: 53
> Reject total:   4057
> Reject Blocklists:   3327
> Reject Reverse DNS:   110
> Reject address or overquota:   33
> Early Hangup:   1351
> Pregreeted:   420
> Greylisted:   545
> Tagged:   75
> Quarantined:   75
> Infected: 0
>
> Look at that.  Only 53 delivered half way through the day.
> Before postscreen and greylisting, it was delivering about
> 5000 to 9000 emails per day.  They were all spam because
> after the change, there are no calls asking where a missing
> email is.
>
> I also track these stats in cacti with the total for each day.
>

Re: The ultimate email server

[Jamie Paul Griffin]

[ Mikkel Bang wrote on Tue 21.Aug'12 at 21:06:20 +0200 ]

> Thanks for the reply Francis!
> 
> Here on OpenBSD, spamd takes care of the greylisting so I'm all set there.
> 
> After much going back and forth regarding amavisd-new+spamassassin, I came
> to the conclusion that it was an overly complex solution, written in a
> dying language, that during the course of time loses its effectiveness:
> 
> http://cowboyrushforth.com/2008-10-31/dspam_experiement
> 
> As for clamav, seems it only manages to stop ancient viruses (which are
> rarely in circulation these days), and doesn't stand a chance against all
> these new trojans created by many of the world's most brilliant minds.
> 
> Mikkel

If you use the Sane Security Signatures with clamav that makes a big difference.

Re: The ultimate email server

[Daniele Nicolodi]

On 21/08/2012 19:34, Mikkel Bang wrote:
> Thanks a lot everyone! After thinking long and hard about all your
> advice I finally ended up with:
> 
> OpenBSD + postfix-anti-UCE.txt + undeadly's spamd setup (which
> includes greylisting+greytrapping) + dspam: https://gist.github.com/3417519
> 
> Feedback would be much appreciated.

Am I missing something or in this setup dspam is not used to reject spam
but only to classify messages? I would like to give dspam a try, but in
the the documentation no hints are given on how  use dspam to reject
spam, and this is an important requirement, IMHO.

Cheers,
Daniele

Re: The ultimate email server

[Jamie Paul Griffin]

[ Daniele Nicolodi wrote on Tue 21.Aug'12 at 23:22:20 +0200 ]

> On 21/08/2012 19:34, Mikkel Bang wrote:
> > Thanks a lot everyone! After thinking long and hard about all your
> > advice I finally ended up with:
> > 
> > OpenBSD + postfix-anti-UCE.txt + undeadly's spamd setup (which
> > includes greylisting+greytrapping) + dspam: https://gist.github.com/3417519
> > 
> > Feedback would be much appreciated.
> 
> Am I missing something or in this setup dspam is not used to reject spam
> but only to classify messages? I would like to give dspam a try, but in
> the the documentation no hints are given on how  use dspam to reject
> spam, and this is an important requirement, IMHO.

I did not find dspam useful when I tried it. Yes it did tag spam which I 
filtered using procmail and it can be trained using different methods but in 
the end got rid of it and went back to amavisd-new with spamassassin, as well 
as clamav and the Sanesecurity signatures which I can confirm has been and is 
effective. For me at least.