Postfix or ClamAV milter issue
I wonder if some of you guys could help me identify where an issue lies within my Postfix setup. Let me first say that I have got a completely working Postfix installation that accepts external mail and forwards it on when necessary and I can also send mail locally using mail/mailx... the problem arises when I try to use ClamAV milter with Postfix.

When I add the ClamAV milter into main.cf, and attempt to deliver an email from an external source, everything works well with no issues. Mail delivery works as designed and is stopped successfully when I try to send an EICAR test virus from external source but when I try to send an email using mail/mailx locally it doesn't get delivered and I get the following in the logs;

Aug 27 09:17:22 mailserver postfix/pickup[17976]: 247B7D006E: uid=0 from=
Aug 27 09:17:22 mailserver postfix/cleanup[18369]: warning: connect to Milter service unix:/var/clamav/clmilter.socket: Permission denied
Aug 27 09:17:22 mailserver postfix/cleanup[18369]: 247B7D006E: milter-reject: CONNECT from localhost[127.0.0.1]: 4.7.1 Service unavailable - try again later; from=

Now, due to the fact that local mail IS delivered when I am not using ClamAV, but ISN'T delivered when I do use ClamAV, it may be that it's the configuration of the milter that is the issue rather than the config of Postfix, but I'd like to know why the milter only accepts mail external and not locally.
The postconf -n is listed below;

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 3
html_directory = no
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, sausage.co.uk
mydomain = sausage.local
myhostname = mailserver.sausage.local
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = unix:/var/clamav/clmilter.socket
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_host_lookup = native
smtp_sasl_password_maps = hash:/etc/postfix/password
smtp_sasl_security_options =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_milters = unix:/var/clamav/clmilter.socket
smtpd_sasl_auth_enable = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

If anyone could point me in the right direction, I'd be grateful.

Thanks
John
Re: Postfix or ClamAV milter issue
* John Gardner :

> Aug 27 09:17:22 mailserver postfix/pickup[17976]: 247B7D006E: uid=0
> from=
> Aug 27 09:17:22 mailserver postfix/cleanup[18369]: warning: connect to
> Milter service unix:/var/clamav/clmilter.socket: Permission denied

What are the permissions on /var/clamav/clmilter.socket ?

for
non_smtpd_milters = inet:127.0.0.1:12000 unix:spamass/spamass.sock inet:127.0.0.1:8891
I'm seeing this:

# ls -l /var/spool/postfix/spamass/spamass.sock
srw-rw 1 postfix postfix 0 2012-07-12 07:49 /var/spool/postfix/spamass/spamass.sock

> Aug 27 09:17:22 mailserver postfix/cleanup[18369]: 247B7D006E:
> milter-reject: CONNECT from localhost[127.0.0.1]: 4.7.1 Service
> unavailable - try again later; from=

According to the docs:
"You specify SMTP-only Milter applications with the smtpd_milters parameter"
"You specify non-SMTP Milter applications with the non_smtpd_milters parameter"

What you're showing is non-SMTP (since you're using the sendmail command).

> non_smtpd_milters = unix:/var/clamav/clmilter.socket

So that's triggering. But I don't understand why it would work with smtpd and at the same time NOT work with sendmail/cleanup.

> local_recipient_maps =

You shouldn't do that!

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Postfix or ClamAV milter issue
Ralf

> What are the permissions on /var/clamav/clmilter.socket ?

The permissions are;

srwxrwxr-x 1 clamav postfix 0 Aug 21 12:30 clmilter.socket

Which I believe I found from here: http://www.jasonbrown.us/blog/post_clamav_rhelcentos

> According to the docs:
> "You specify SMTP-only Milter applications with the smtpd_milters
> parameter"
> "You specify non-SMTP Milter applications with the non_smtpd_milters
> parameter"
> What you're showing is non-SMTP (since you're using the sendmail
> command).

So, are you saying that there is no reason why these options shouldn't work?

non_smtpd_milters = unix:/var/clamav/clmilter.socket
smtpd_milters = unix:/var/clamav/clmilter.socket

>> local_recipient_maps =
> You shouldn't do that!

The Postfix docs state that

"With this setting, the Postfix SMTP server will not reject mail with "User unknown in local recipient table". Don't do this on systems that receive mail directly from the Internet. With today's worms and viruses, Postfix will become a backscatter source: it accepts mail for non-existent recipients and then tries to return that mail as "undeliverable" to the often forged sender address. "

In our case, we're at the end of an MPLS connection and the firewall is locked down to only accept mail from a single IP address on port 25 and it's not available to any Internet connections so it should be OK.

John
Re: Interim NDR
Ralf Hildebrandt wrote: * Nick Rosier: is it possible to configure Postfix to send an interim non-delivery report? I'm using the default settings so Postfix will try to deliver a mail for 5 days. So if a mail fails to get sent users are only informed after 5 days. I would like to configure Postfix to send a mail after e.g. 4 hours that the delivery has failed and that the system will try to send the message for another 5 days. Is this possible? delay_warning_time = 4h Thanks Ralf, recently noticed some mails got stuck in the queue due to a misconfiguration so at least now the users (and me) will get notified early. I've also modified the notify-classes so I'm also notified and take action when needed. Rgds, N.
Re: [SOLVED] connect to gmail-smtp-in.l.google.com[...]:25: Network is unreachable
Benny Pedersen:
> On 2012-08-24 14:17, Wietse Venema wrote:
> > Shane:
> >> Excellent! Issue solved with the following line in my main.cf
> >>
> >> inet_protocols = ipv4
> >
> > Postfix as distributed from postfix.org adds that by default.
>
> in 2.9.x this is not ipv4 but all

Postfix 2.9 edits main.cf and adds "inet_protocols = ipv4" if you don't have an inet_protocols line in main.cf.

Wietse
Re: [SOLVED] connect to gmail-smtp-in.l.google.com[...]:25: Network is unreachable
On 2012-08-27 12:52, Wietse Venema wrote:

> Postfix 2.9 edits main.cf and adds "inet_protocols = ipv4"
> if you don't have an inet_protocols line in main.cf.

why is this done? this is breaking that main.cf could be 100% empty to get a postfix running as before, default hardcoded settings should work imho, else there will be some users that don't understand why some lines now must be in main.cf and some are just optional :/

the days of having all defaults not listed in main.cf are gone?
receiving spam where sender is @mydomain
Good evening,

I was wondering if there is someone who could help point me in the right direction so I can solve a spam problem I have.

I am running a mail server with Ubuntu + Postfix + Maia Mailguard + Dovecot, all has been working well until recently people have started receiving spam email that appear to be sent from my domain.

For example

From: myn...@example.com
To: myn...@example.com
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 1234

But the return path is along the lines of:

Return-Path:

(see header and main.cf for mail servers below for more information)

Would anyone have any suggestions as the best way to block these types of emails. Some information that might be important, some of our users work remotely and so can connect into the gateway running Dovecot and receive (imaps) / send (smtp) (authenticated) from any location in the world, I am not sure if this makes it harder to block the spam.

Example header of Spam:

Return-Path:
Delivered-To: myn...@example.com
Received: from mail.example.com (gateway.localhost [10.0.0.1])
    by mail-int (Postfix) with ESMTP id 59CC1211180
    for ; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
Received: from localhost (localhost [127.0.0.1])
    by mail.example.com (Postfix) with ESMTP id 43EE4C0F5
    for ; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
Received: from mail.example.com ([127.0.0.1])
    by localhost (mail.example.com [127.0.0.1]) (amavisd-maia, port 20004)
    with ESMTP id 21183-01-6
    for ; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
Received: from [xx.xx.xx.xx] (unknown [xx.xx.xx.xx])
    by mail.example.com (Postfix) with ESMTP id 946DBC0EB
    for ; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
Received: from by mx1.optonline.net; Tue, 01 Aug 2012 12:00:00 +0100
Date: Tue, 01 Aug 2012 12:00:00 +0100
From:
Reply-To:
X-Priority: 3 (Normal)
Message-ID: <23443546456345...@example.com>
To: myn...@example.com
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 8702
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--27AF424950946E7"
X-Virus-Scanned: Maia Mailguard 1.0.2

main.cf for postfix on Gateway ~

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
### relayhost = www.example.com
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
### from previous config file:
soft_bounce = no
queue_directory = /var/spool/postfix
mydomain = example.com
# debug_peer_level = 2
# SPAM Processing
content_filter = amavis:[127.0.0.1]:20004
## content_filter = smtp-amavis:[127.0.0.1]:20004
##queue_minfree = 2400
notify_classes = 2bounce,resource,software
address_verify_negative_expire_time = 30h
bounce_queue_lifetime = 48h
maximal_queue_lifetime = 50h
delay_warning_time = 20h
### new things:
alias_maps = hash:/etc/aliases
myorigin = $mydomain
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, 10.0.0.0/24, xx.xx.xx.xx
message_size_limit = 20971520
local_transport = error:No local mail delivery
mydestination =
# mydestination = $myhostname, localhost.$mydomain, mail.$mydomain, local.$mydomain
local_recipient_maps =
# local_recipient_maps = hash:/etc/postfix/recipients
virtual_maps = hash:/etc/postfix/virtual
virtual_alias_maps = $virtual_maps
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport
relay_domains = hash:/etc/postfix/relay_domains
recipient_delimiter =
smtpd_helo_required = yes
smtpd_sender_login_maps = pcre:/etc/postfix/senders_map, hash:/etc/postfix/senders_map_other
smtpd_sender_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauthenticated_sender_login_mismatch
## smtpd_recipient_restrictions = check_client_access, hash:/etc/postfix/relay_clients
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    reject_unverified_recipient
smtpd_data_restrictions = reject_unauth_pipelining
### 2012-03-27
# add header for authenticated mail to strip IP
smtpd_sasl_authenticated_header = yes
header_checks = regexp:/etc/postfix/header_checks.regexp
header_checks = pcre:/etc/postfix/header_checks.pcre
body_checks = pcre:/etc/postfix/body_checks
unverified_recipient_reject_code = 550
##smtpd_client_connection_count_limit = 5
#default_process_limit = 4
disable_vrfy_command = yes
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
##smtpd_sasl_local_domain = $mydomain
smtpd_sasl_application_name = smtpd
#broken_sasl_auth_clients = yes
# TLS parameters
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = ye
Re: Postfix or ClamAV milter issue
> > What are the permissions on /var/clamav/clmilter.socket ?
>
> The permissions are;
>
> srwxrwxr-x 1 clamav postfix 0 Aug 21 12:30 clmilter.socket

That looks ok.

> So, are you saying that there is no reason why these options shouldn't work?

Exactly. Either both or none should work. Hm. Maybe a chroot issue?

> non_smtpd_milters = unix:/var/clamav/clmilter.socket
> smtpd_milters = unix:/var/clamav/clmilter.socket

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
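Added example, not part of the thread: the two questions raised above (socket permissions and chroot) can be checked together by resolving the path a Postfix daemon would actually open and testing every path component, not only the socket, against the postfix account. The numeric ids and the directory modes are constructed; only the socket's mode and owner come from the post, and the check covers plain mode bits only.

```python
import os
from collections import namedtuple

# Stand-in for os.stat_result, used by the constructed sample tree below.
Stat = namedtuple("Stat", "st_mode st_uid st_gid")

X, W = 0o1, 0o2  # search permission (directories), write permission (socket)


def effective_path(milter_spec, chrooted, queue_directory="/var/spool/postfix"):
    """Filesystem path a Postfix daemon opens for a unix: milter endpoint."""
    if not milter_spec.startswith("unix:"):
        raise ValueError("not a unix: endpoint: %r" % milter_spec)
    path = milter_spec[len("unix:"):]
    # Relative names are resolved from the queue directory; a chrooted
    # daemon also sees absolute names relative to the queue directory.
    if chrooted or not path.startswith("/"):
        return os.path.join(queue_directory, path.lstrip("/"))
    return path


def permitted(st, uid, gids, want):
    """Unix mode check: owner bits, else group bits, else other bits.

    ACLs and SELinux policy are not modelled here.
    """
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & want == want


def first_denial(path, uid, gids, stat_fn=os.stat):
    """Return (component, reason) for the first obstacle to connect(), or None."""
    parts = [p for p in path.split("/") if p]
    current = ""
    for i, name in enumerate(parts):
        current += "/" + name
        try:
            st = stat_fn(current)
        except FileNotFoundError:
            return (current, "does not exist")
        is_socket = i == len(parts) - 1
        if not permitted(st, uid, gids, W if is_socket else X):
            reason = ("no write permission on socket" if is_socket
                      else "no search (x) permission on directory")
            return (current, reason)
    return None


# Constructed ids; on a live host take them from `id postfix` / `id clamav`.
POSTFIX_UID, POSTFIX_GID, CLAMAV_UID, CLAMAV_GID = 89, 89, 100, 101


def sample_tree(clamav_dir_mode, clamav_dir_gid):
    """Constructed directory tree; only the socket entry mirrors the thread."""
    tree = {
        "/var": Stat(0o755, 0, 0),
        "/var/clamav": Stat(clamav_dir_mode, CLAMAV_UID, clamav_dir_gid),
        # srwxrwxr-x clamav postfix, as posted
        "/var/clamav/clmilter.socket": Stat(0o775, CLAMAV_UID, POSTFIX_GID),
    }

    def stat_fn(p):
        if p not in tree:
            raise FileNotFoundError(p)
        return tree[p]
    return stat_fn


if __name__ == "__main__":
    spec = "unix:/var/clamav/clmilter.socket"
    for chrooted in (False, True):
        path = effective_path(spec, chrooted)
        # Drop stat_fn to inspect the real filesystem instead of the sample.
        result = first_denial(path, POSTFIX_UID, {POSTFIX_GID},
                              stat_fn=sample_tree(0o700, CLAMAV_GID))
        print("chroot=%s %s -> %s" % (chrooted, path, result or "ok"))
```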
Re: Interim NDR
* Nick Rosier :

> recently noticed some mails got stuck in the queue due to a
> misconfiguration so at least now the users (and me) will get notified
> early. I've also modified the notify-classes so I'm also notified and
> take action when needed.

I personally look at the queue from time to time and amend my transport_maps, containing LOTS of mistyped domains that look like hotmail.com...

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: receiving spam where sender is @mydomain
On 27.08.2012 13:17, Jan Geep wrote:
> Good evening,
>
> I was wondering if there is someone who could help point me in the right
> direction so I can solve a spam problem I have.
>
> I am running a mail server with Ubuntu + Postfix + Maia Mailguard +
> Dovecot, all has been working well until recently people have started
> receiving spam email that appear to be sent from my domain.
>
> For example
>
> From: myn...@example.com
> To: myn...@example.com
> Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 1234
>
> But the return path is along the lines of:
>
> Return-Path:
>
> (see header and main.cf for mail servers below for more information)
>
> Would anyone have any suggestions as the best way to block these types
> of emails. Some information that might be important, some of our users
> work remotely and so can connect into the gateway running Dovecot and
> receive (imaps) / send (smtp) (authenticated) from any location in the
> world, I am not sure if this makes it harder to block the spam.

you must not block this because from-headers are not relevant for the smtp-protocol, relevant is envelope (return-path)

it is valid to have such from headers and happens really often in confirmation-mails, sometimes in list-software etc.
Re: receiving spam where sender is @mydomain
On 27/08/2012 13:17, Jan Geep wrote:

> Good evening,
>
> I was wondering if there is someone who could help point me in the right
> direction so I can solve a spam problem I have.
>
> I am running a mail server with Ubuntu + Postfix + Maia Mailguard +
> Dovecot, all has been working well until recently people have started
> receiving spam email that appear to be sent from my domain.

Short answer is: have a look at spf and dkim:

http://www.opendkim.org/
http://www.openspf.org/

Regards
Re: [SOLVED] connect to gmail-smtp-in.l.google.com[...]:25: Network is unreachable
Benny Pedersen:
> On 2012-08-27 12:52, Wietse Venema wrote:
>
> > Postfix 2.9 edits main.cf and adds "inet_protocols = ipv4"
> > if you don't have an inet_protocols line in main.cf.
>
> why is this done ? this is breaking that main.cf could be 100% empty

It is a forwards compatibility migration procedure. And doing so breaks NOTHING: there is NO DOCUMENTED PROMISE about running Postfix with empty main.cf file.

Wietse
Re: exceptions for smtpd_end_of_data_restrictions
- Message from an...@isac.gov.in - Date: Sat, 25 Aug 2012 15:50:33 +0530 From: an...@isac.gov.in Subject: Re: exceptions for smtpd_end_of_data_restrictions To: postfix-users@postfix.org - Message from Noel Jones - Date: Fri, 24 Aug 2012 23:49:25 -0500 From: Noel Jones Reply-To: postfix users Subject: Re: exceptions for smtpd_end_of_data_restrictions To: postfix-users@postfix.org On 8/24/2012 11:10 PM, an...@isac.gov.in wrote: - Message from Noel Jones - Date: Wed, 22 Aug 2012 06:31:10 -0500 From: Noel Jones Reply-To: postfix users Subject: Re: exceptions for smtpd_end_of_data_restrictions To: postfix-users@postfix.org On 8/22/2012 2:14 AM, an...@isac.gov.in wrote: Dear List, I have this in my main.cf smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:9998 This basically checks for mail size and allows/not allows a mail based on contents of a file. Is there a way to say, not to use this policy service, based on some headers of a mail? You can skip the policy based on envelope information by using a check_*_access map before the policy check. You could also likely do this inside the policy server itself. You cannot skip it based on headers. -- Noel Jones Thanks for your inputs.You are all experts, please share some ideas with me to solve my problem. I have described the requirement in detail as below. Let me explain my current setup and my real requirement. I have a front end for accessing and sending mail (say server A). All mails sent from this (server A) are directed to another server (say server B) for virus/spam check using Amavisd. If the mails are addressed to any internet domain other than ours, mails get forwarded to Server C, else mails are delivered locally. A (Front End Mail) -> B (Virus/Spam scanner) -> C (for delivering to Internet). At server B (for local delivery of mails) we have a size limit of 30 MB. 
At Server C (for delivery to Internet) we have a size limit of 30 MB, but using policyd feature of Postfix (at smtpd_end_of_data_restrictions), by default we are restricting to 2 MB and based on the contents of a data file (which is manually edited as and when required) which contains Sender address and allowed size, mails get delivered to outside domains having higher size.

Now, I have been asked to develop another front end at same level as Server A (say server D), to enable users to send mails of large size to Internet users, such that, once a mail is composed and submitted for approval, based on the content, I can approve or disapprove. Once approved, it should go through Server B and finally server C to get delivered to outside domains.

My problem lies at Server C where I am running a policy for sending outside mails. How can that mail be allowed without even looking at policy (exception for policy)?

Please provide guidance or any other alternative strategy to achieve the requirement. But it is a must that mail should go through the virus scan.

Regards,
Anant.

Have D submit mail to a dedicated amavisd port on B, which can then submit to a separate port on C with no policy.

See amavisd docs about listening on multiple ports, policy banks, etc.

For the postfix changes on C, the lazy solution is set up another smtpd listener in master.cf with empty smtpd_end_of_data_restrictions; the better full-featured solution is a separate postfix instance giving full control with separate queue, logging, and stats.

-- Noel Jones

Thanks. I think, this is the only option. I need to work on this. Thanks.

Regards,
Anant.

Dear Noel Jones,

I was just browsing through the net and found the following link

http://marcelog.github.com/articles/configure_postfix_forward_email_regex_subject_transport_relay.html

In my setup, I have different queue setup already for incoming and outgoing in Server C. My policy runs on outgoing queue.
If I set up another queue on server C, say 'highersizequeue'. And in outgoing main.cf, I add header check for some specific header and based on that header, I relay that mail to newly created queue (highersizequeue).

Is this solution advisable? If you say No, I would stick to your earlier suggested option.

Regards,
Anant.

- End message from Noel Jones -

- End message from an...@isac.gov.in -
Re: high-speed postfix configuration
Thanks, Stan--working on it! /mike On Aug 26, 2012, at 12:06 AM, Stan Hoeppner wrote: > Did you get a chance to digest my suggestions on this yet? I gave you > nearly everything you need to know implement this with Postfix, sans > rewriting the JAVA app for parallel submission. > > -- > Stan >
Re: continous attempted connection/timeouts after ehlo
On 8/26/2012 11:49 PM, li...@sbt.net.au wrote:
> On Mon, August 27, 2012 6:27 am, Reindl Harald wrote:
>
>>> Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection rate
>>> 15/1800s for (smtp:27.115.112.50) at Aug 27 05:59:14
>>> Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection count 1
>>> for (smtp:27.115.112.50) at Aug 27 05:50:26 Aug 27 06:00:03
>>> postfix/anvil[4396]: statistics: max cache size 51 at Aug
>>> 27 05:59:47
>>>
>>
>> why do you not read what you post?
>>
>> ONE connection from 27.115.112.50
>> where do you see excess?
>
> Reindl, thanks
>
> sorry, doesn't this mean to warn me of 'high-er' connect rates: 15/1800s ?
>
> "max connection rate 15/1800s "

15 connections in 30 minutes hardly constitutes an attack. Most likely just a broken spam-bot.

Reasonable choices are:

1) just ignore it. A few extra one-at-a-time connections are unlikely to have any noticeable effect on postfix. Eventually the client will stop trying.

2) block the IP via firewall or null-route. Understand that blocking them is more about not seeing this in your logs, and less about protecting your system. Postfix doesn't really care.

> so what do I look for in anvil output ?

The anvil "statistics:" log entries show the peak rate during the last $anvil_status_update_time. Look for numbers *far* greater than normal. "Normal" will vary by site and mail load. Low-volume sites may benefit from a higher anvil_status_update_time instead of the default 10m, to reduce the noise in the log.

Also look for log entries containing "limit exceeded:", which indicates anvil throttled the client. Note these messages don't necessarily indicate abuse, rather it could be that client has a lot of legit mail to deliver, and/or your limits are set too low. If you frequently see these from legit clients, raise your limits.

-- Noel Jones
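Added example, not part of the thread: a log review that follows the advice above by normalising each anvil "max connection rate" entry to connections per minute, flagging only peaks far above a site baseline, and listing "limit exceeded:" entries separately. The first two sample lines are the ones quoted in the thread (unwrapped); the 192.0.2.10 lines, the baseline of 1/minute and the factor of 10 are constructed assumptions, as is the exact wording of the "limit exceeded" warning.

```python
import re

# anvil peak-rate entry, in the form quoted in the thread.
STAT_RATE = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection rate "
    r"(?P<n>\d+)/(?P<secs>\d+)s for \((?P<svc>[^:]+):(?P<client>[^)]+)\)")

# Any entry containing "limit exceeded:"; wording of the rest is assumed.
THROTTLED = re.compile(
    r"limit exceeded: (?P<n>\d+) from \S*?\[(?P<client>[^\]]+)\]")

SAMPLE_LOG = """\
Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection rate 15/1800s for (smtp:27.115.112.50) at Aug 27 05:59:14
Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection count 1 for (smtp:27.115.112.50) at Aug 27 05:50:26
Aug 27 06:10:03 postfix/anvil[4396]: statistics: max connection rate 900/600s for (smtp:192.0.2.10) at Aug 27 06:04:51
Aug 27 06:04:52 postfix/smtpd[4410]: warning: Connection rate limit exceeded: 61 from unknown[192.0.2.10] for service smtp
""".splitlines()  # last two lines are constructed


def per_minute(count, seconds):
    """Normalise 'N/SECONDSs' so entries with different windows compare."""
    return count * 60 / seconds


def peaks(lines):
    """Highest observed connection rate per client, in connections/minute."""
    best = {}
    for line in lines:
        m = STAT_RATE.search(line)
        if m:
            rate = per_minute(int(m["n"]), int(m["secs"]))
            best[m["client"]] = max(rate, best.get(m["client"], 0.0))
    return best


def review(lines, normal_per_minute, factor=10):
    """Return findings worth a look.

    ("rate", client, per_minute): peak more than `factor` times the
        site's normal rate (both numbers are site-specific assumptions).
    ("throttled", client, count): anvil limit was enforced; may be a
        legitimate bulk sender hitting limits that are set too low.
    """
    findings = []
    for client, rate in sorted(peaks(lines).items()):
        if rate > normal_per_minute * factor:
            findings.append(("rate", client, rate))
    for line in lines:
        m = THROTTLED.search(line)
        if m:
            findings.append(("throttled", m["client"], int(m["n"])))
    return findings


if __name__ == "__main__":
    for client, rate in sorted(peaks(SAMPLE_LOG).items()):
        print("%-16s peak %.1f connections/minute" % (client, rate))
    for finding in review(SAMPLE_LOG, normal_per_minute=1.0):
        print(finding)
```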
Re: exceptions for smtpd_end_of_data_restrictions
On 8/27/2012 7:56 AM, an...@isac.gov.in wrote: > > - Message from an...@isac.gov.in - >Date: Sat, 25 Aug 2012 15:50:33 +0530 >From: an...@isac.gov.in > Subject: Re: exceptions for smtpd_end_of_data_restrictions > To: postfix-users@postfix.org > > >> - Message from Noel Jones - >> Date: Fri, 24 Aug 2012 23:49:25 -0500 >> From: Noel Jones >> Reply-To: postfix users >> Subject: Re: exceptions for smtpd_end_of_data_restrictions >> To: postfix-users@postfix.org >> >> >>> On 8/24/2012 11:10 PM, an...@isac.gov.in wrote: - Message from Noel Jones - Date: Wed, 22 Aug 2012 06:31:10 -0500 From: Noel Jones Reply-To: postfix users Subject: Re: exceptions for smtpd_end_of_data_restrictions To: postfix-users@postfix.org > On 8/22/2012 2:14 AM, an...@isac.gov.in wrote: >> Dear List, >> >> I have this in my main.cf >> >> smtpd_end_of_data_restrictions = >> check_policy_service inet:127.0.0.1:9998 >> >> >> This basically checks for mail size and allows/not allows a mail >> based on contents of a file. >> >> Is there a way to say, not to use this policy service, based >> on some >> headers of a mail? >> > > > You can skip the policy based on envelope information by using a > check_*_access map before the policy check. You could also likely > do this inside the policy server itself. > > You cannot skip it based on headers. > > > > -- Noel Jones Thanks for your inputs.You are all experts, please share some ideas with me to solve my problem. I have described the requirement in detail as below. Let me explain my current setup and my real requirement. I have a front end for accessing and sending mail (say server A). All mails sent from this (server A) are directed to another server (say server B) for virus/spam check using Amavisd. If the mails are addressed to any internet domain other than ours, mails get forwarded to Server C, else mails are delivered locally. A (Front End Mail) -> B (Virus/Spam scanner) -> C (for delivering to Internet). 
At server B (for local delivery of mails) we have a size limit of 30 MB. At Server C (for delivery to Internet ) we have a size limit of 30 MB, but using policyd feature of Postfix (at smtpd_end_of_data_restrictions), by default we are restricting to 2 MB and based on the contents of a data file (which is manually edited as and when required) which contains Sender address and allowed size, mails get get delivered to outside domains having higher size. Now, I have been asked to develop another front end at same level as Server A (say server D), to enable users to send mails of large size to Internet users, such that, once a mail is composed and submitted for approval, Based on the content, I can approve or disapprove. Once approved, it should go through Server B and finally server C to get delivered to outside domains. My problem lies at Server C where I am running a policy for sending outside mails. How does that mail be allowed without even looking at policy (exception for policy). Please provide guidance or any other alternative strategy to achieve the requirement. But, it is must that, mail should go through the virus scan. Regards, Anant. >>> >>> >>> Have D submit mail to a dedicated amavisd port on B, which can then >>> submit to a separate port on C with no policy. >>> >>> See amavisd docs about listening on multiple ports, policy banks, >>> etc. >>> >>> For the postfix changes on C, the lazy solution is set up another >>> smtpd listener in master.cf with empty >>> smtpd_end_of_data_restrictions; the better full-featured solution is >>> a separate postfix instance giving full control with separate queue, >>> logging, and stats. >>> >>> >>> >>> -- Noel Jones >> >> >> Thanks. I think, this is the only option. I need to work on >> this. Thanks. >> >> Regards, >> Anant. 
>> > > > Dear Noel Jones, > > I was just browsing through the net and found the following link > > http://marcelog.github.com/articles/configure_postfix_forward_email_regex_subject_transport_relay.html > > > In my setup, I have different queue setup already for incoming and > outgoing in Server C. My policy runs on outgoing queue. > > If I setup another queue on server C, say 'highersizequeue'. And > in outgoing main.cf, I add header check for some specific header and > based on that header, I relay that mail to newly created queue > (higersizequeue). That could work. > > Is this solution advisable? If you say No, I would stick your > earlier suggested option. As a general rule, routing deci
proxy filter failover
Greetings!

I've been using Postfix for years and like it a lot, but now I'm a bit confused about what will be the best option for smtpd_proxy_filter failover. One possible option is to use multiple A records on DNS, but dependency on one more service is an unwanted thing. Any other options there?

--
Regards,
KSB
Re: receiving spam where sender is @mydomain
On 27.08.2012 13:17, Jan Geep wrote:
> [...] until recently people have started
> receiving spam email that appear to be sent from my domain.
>
> For example
>
> From: myn...@example.com
> To: myn...@example.com
> Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 1234
>
> But the return path is along the lines of:
>
> Return-Path:
> [...]
> Example header of Spam:
>
> Return-Path:
> Delivered-To: myn...@example.com
> Received: from mail.example.com (gateway.localhost [10.0.0.1])
>     by mail-int (Postfix) with ESMTP id 59CC1211180
>     for ; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
> Received: from localhost (localhost [127.0.0.1])
>     by mail.example.com (Postfix) with ESMTP id 43EE4C0F5
>     for ; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
> Received: from mail.example.com ([127.0.0.1])
>     by localhost (mail.example.com [127.0.0.1]) (amavisd-maia, port 20004)
>     with ESMTP id 21183-01-6
>     for ; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
> Received: from [xx.xx.xx.xx] (unknown [xx.xx.xx.xx])
>     by mail.example.com (Postfix) with ESMTP id 946DBC0EB
>     for ; Tue, 01 Aug 2012 12:00:00 +0100 (IST)
> [...]

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,..., check_sender_access hash:/etc/postfix/not_our_domain_as_sender

with /etc/postfix/not_our_domain_as_sender

example.com REJECT Sorry, sender not permitted!

This is derived from an example on Ralf Hildebrandt's site (http://www.arschkrebs.de/postfix/postfix_restriction_classes3_en.shtml)

good luck!
Re: receiving spam where sender is @mydomain
On 27.08.2012 16:30, Ilja Beeskow wrote:
> On 27.08.2012 13:17, Jan Geep wrote:
>> [...] until recently people have started
>> receiving spam email that appear to be sent from my domain.
>>
>> From: myn...@example.com
>> To: myn...@example.com
>> Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 1234
>>
>> But the return path is along the lines of:
>>
>> Return-Path:
>
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks,..., check_sender_access
> hash:/etc/postfix/not_our_domain_as_sender
>
> with /etc/postfix/not_our_domain_as_sender
>
> example.com REJECT Sorry, sender not permitted!

FROM-header is not relevant for the SMTP protocol
Re: proxy filter failover
KSB:
> Greetings!
> I've been using Postfix for years and like it a lot, but now I'm a bit
> confused about what will be the best option for smtpd_proxy_filter failover.
> One possible option is to use multiple A records on DNS, but
> dependency on one more service is an unwanted thing. Any other options
> there?

Many systems allow multiple /etc/hosts entries with the same name. Linux requires extra configuration (rumor has it that /etc/host.conf needs to contain a line with "multi on").

Wietse
Preventing postscreen from logging local connections?
My postfix server is configured to receive email from authorized non-local MUAs on port 587 using SASL PLAIN SMTP AUTH over TLS. It is also configured to receive general inbound delivery on the usual port 25.

The server is also running mailman (I host a mailing list). The mailman daemons inject email locally via port 25.

I then started running postscreen. Mailwise everything continues to work fine. postscreen doesn't even see the email the remote MUAs submit over port 587 and the mailing list email is sent normally.

The "problem" is now my logwatch reports are being flooded with hundreds and hundreds of lines of:

** Unmatched Entries **
1 Aug 26 07:10:58 swing-shift postfix/postscreen[9743]: CONNECT from [127.0.0.1]:52466 to [127.0.0.1]:25
1 Aug 26 01:16:41 swing-shift postfix/postscreen[8076]: CONNECT from [127.0.0.1]:47711 to [127.0.0.1]:25
1 Aug 26 13:11:01 swing-shift postfix/postscreen[11765]: CONNECT from [127.0.0.1]:57657 to [127.0.0.1]:25
1 Aug 26 05:46:44 swing-shift postfix/postscreen[8905]: CONNECT from [127.0.0.1]:51279 to [127.0.0.1]:25

I know the real answer is to figure out how to modify the relevant logwatch service script and/or to figure out how to get mailman to submit on 587.

But in the short term, is there any way to reduce postscreen's logging level or to tell it not to log "uninteresting" connections such as those from localhost?

--
Rich Carreiro r...@carreiro.org
Re: Preventing postscreen from logging local connections?
Rich Carreiro:
> But in the short term, is there any way to reduce postscreen's
> logging level or to tell it not to log "uninteresting"
> connections such as those from localhost?

Postfix logging exists so that you can fix a problem LATER. Therefore there are no features to turn off logging for uninteresting hosts.

Wietse
Re: Preventing postscreen from logging local connections?
On 08/27/12 11:25, Rich Carreiro wrote:
>
> I know the real answer is to figure out how to modify the
> relevant logwatch service script and/or to figure out how to get
> mailman to submit on 587.

Update postfix-logwatch[1], this should already be fixed.

[1] http://logreporters.sourceforge.net/
Re: receiving spam where sender is @mydomain
On 27.08.2012 16:33, Reindl Harald wrote:
> On 27.08.2012 16:30, Ilja Beeskow wrote:
>> On 27.08.2012 13:17, Jan Geep wrote:
>>> [...] until recently people have started
>>> receiving spam email that appear to be sent from my domain.
>>>
>>> From: myn...@example.com
>>> To: myn...@example.com
>>> Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 1234
>>>
>>> But the return path is along the lines of:
>>>
>>> Return-Path:
>>
>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>> permit_mynetworks,..., check_sender_access
>> hash:/etc/postfix/not_our_domain_as_sender
>>
>> with /etc/postfix/not_our_domain_as_sender
>>
>> example.com    REJECT Sorry, sender not permitted!
>
> FROM-header is not relevant for the SMTP protocol

@Harald: Yes, I know! It's rejecting everybody who says he was anyb...@example.com during the 'MAIL FROM:' smtp command.

@Jan: Could you please show us a corresponding log file entry?
Re: high-speed postfix configuration
I'm copying this response back to the list, as this discussion needs to be in the various list archives for others who may intend to follow in your footsteps.

On 8/27/2012 8:09 AM, Mike Mitchell wrote:
> I do have to say, I was originally hoping that I could optimize things
> merely with some main.cf changes to queueing settings, etc., as I don't
> see our hardware having a difficult time dealing with the mail load at
> the moment. No one has suggested anything about the process or
> concurrency settings at all, and I'm sure there's bound to be another
> bottleneck in the actual delivery mechanism.

Postfix is an SMTP mail transfer agent designed primarily for internet facing duty. As such it has been designed to prevent a single remote host from overwhelming the system. To get around this safety feature and submit a large amount of mail in a short time frame from a single host, you must make submissions in parallel. The instructions I gave you allow you to basically trick Postfix into believing multiple remote hosts are submitting, by using multiple IP addresses. And yes, once you have this part worked out you'll likely find another bottleneck that will need to be addressed. Welcome to mail server tuning 101.

> It seems like what we need here, really, is a mailer that can do as much
> as possible in memory without writing to the disk.

I don't believe such an MTA exists. I'm pretty sure running a memory only queue violates the SMTP protocol. To achieve such a thing you'd probably have to write your own MTA from scratch, or modify an existing one. If you know Perl you may be able to modify qpsmtpd to fit your needs. It's an MTA written entirely in Perl: http://smtpd.develooper.com/

> The messages we're
> sending are tiny--50,000 messages would take up a puny amount of RAM,
> relative to the 48GB RAM systems we're using. If you're aware of a way
> to do this with postfix (or any other mailer, for that matter), I'd love
> to get your input.
> Thanks

The first thing that comes to mind is using a ramdisk for the queue directories. But I'm doubting Postfix will work with queue directories on a ramdisk. Wietse can answer this.

The problem you have here is that you know what you wish to do and SMTP MTAs aren't going to easily cooperate. You're stuck using SMTP because it's universal and reaches all of your parties. But SMTP is a protocol with many inbuilt guarantees. These guarantees are going to get in your way, specifically store and forward, which is what you're wanting to avoid by doing the queue in memory.

As others have said, SMTP isn't the proper protocol for the type of messaging you're wanting to accomplish. But since you're stuck with it, you must optimize and tweak it to satisfy your needs. It may not be easy, but you have no other choice if you must use SMTP.

--
Stan
Re: high-speed postfix configuration
All this makes perfect sense, thanks for the additional detail, Stan.

/mike

On Aug 27, 2012, at 12:06 PM, Stan Hoeppner wrote:
> I'm copying this response back to the list, as this discussion needs to
> be in the various list archives for others who may intend to follow in
> your footsteps. ...
Re: Postfix or ClamAV milter issue
Ralf

>> So, are you saying that there is no reason why these options shouldn't work?

> Exactly. Either both or none should work. Hm. Maybe a chroot issue?

I'm not using a chroot jail, so I'm pretty sure it won't be that... I might have to remove the ClamAV integration with Postfix if I can't solve it, which in our infrastructure isn't a huge problem as it will get scanned as it gets forwarded to our internal SMTP server and the fact that we're only accepting mail incoming from another trusted SMTP server, but it would be nice if we could block mail at this point.

Thanks for your help so far Ralf.

John
Re: Postfix or ClamAV milter issue
* John Gardner :
> Ralf
>
> >> So, are you saying that there is no reason why these options shouldn't
> >> work?
>
> > Exactly. Either both or none should work. Hm. Maybe a chroot issue?
>
> I'm not using a chroot jail, so I'm pretty sure it won't be that... I
> might have to remove the ClamAV integration with Postfix if I can't
> solve it, which in our infrastructure isn't a huge problem as it will
> get scanned as it gets forwarded to our internal SMTP server and the
> fact that we're only accepting mail incoming from another trusted SMTP
> server, but it would be nice if we could block mail at this point.

Just remove it from the non_smtpd_milters :)

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Postfix Multi-Instance on multiple hosts
Good Afternoon. This is to confirm that the information located at http://www.postfix.org/MULTI_INSTANCE_README.html#quick is the right documentation to setup a multi-instance of Postfix within the following environment:

A) 4 servers total, each one running a local POSTFIX instance.
B) 3 of the servers will need to send mail from web applications (such as registration complete email response, request for new password, etc) to a central POSTFIX instance (all on the same subnet)
C) 1 server is to be designated as a central Mail Transfer agent to the internet. This is for inbound and outbound mail. This server also supports a local copy of a mail list serve.
D) All servers are on the same internal subnet.

Server 1 (central mail transfer for web apps and mail list serve) POSTFIX conf currently is:

alias_database = hash:/etc/aliases, hash:/etc/mailman/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_protocols = all
local_recipient_maps = unix:passwd.byname $alias_maps
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, list.$mydomain, localhost.$mydomain
mydomain = informs.org
myhostname = mail.informs.org
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
unknown_local_recipient_reject_code = 550

Server 2-4 (web application email services) current postconf -n output. The desire is to send mail to the internet through Server 1 (MTA)

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = or-exchange.com
myhostname = mail.or-exchange.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost = mail.informs.org
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550

Question(s):
A) Is 'managing multiple postfix documentation on a single host' the correct way to achieve the central MTA from multiple hosts?
B) If this is not the correct way, what is the recommended way to establish the central MTA to support multiple hosts? Each host will have its own POSTFIX install?

Thank you,
Rose
Re: Postfix Multi-Instance on multiple hosts
Futchko, Rose:
> Good Afternoon. This is to confirm that the information located at
> http://www.postfix.org/MULTI_INSTANCE_README.html#quick is the right
> documentation to setup a multi-instance of Postfix within the following
> environment:

MULTI_INSTANCE_README describes multiple MTAs that run on the same operating system instance.

However, you can apply the concepts of null client (no network listener), service MTA instance, etc. equally well to MTAs running on separate hosts.

So, you could have one null client on each host that handles local submission by cron jobs etc., and the central server would also have a service MTA instance that the others route their mail to.

Wietse

> A) 4 servers total, each one running a local POSTFIX instance.
> B) 3 of the servers will need to send mail from web applications (such
> as registration complete email response, request for new password, etc)
> to a central POSTFIX instance (all on the same subnet)
> C) 1 server is to be designated as a central Mail Transfer agent to the
> internet. This is for inbound and outbound mail. This server also
> supports a local copy of a mail list serve.
> D) All servers are on the same internal subnet.
REJECT with Before-Queue Content Filter?
Hello everybody,

Please excuse my probably rather novice question but I couldn't find any hint on this. The document at http://www.postfix.org/SMTPD_PROXY_README.html says it should be possible to reject an email with a before-queue content filter ... but how would I exactly accomplish this?

What I want to do is reject what spamassassin considers spam (ok, I know the cons, but I really want to do it this way), so what I have in my master.cf is:

smtp inet n - n - - smtpd
  -o content_filter=spamfilter:dummy
spamfilter unix - n n - - pipe
  flags=Rq user=spamfilter argv=/.../spamfilter -f ${sender} -- ${recipient}

And in spamfilter I have this:

#!/bin/bash
/usr/bin/spamc | /usr/lib/sendmail -i "$@"
exit $?

So how would I have to change my spamfilter in order to have Postfix reject what spamassassin considers spam? A header check on /X-Spam-Level: \*{5,}/ does not work; as in this step Postfix has already accepted the email; it would generate backscatter instead, not what I want...

Thanks a lot for some advice!
Re: REJECT with Before-Queue Content Filter?
On 8/27/2012 3:03 PM, Juerg Reimann wrote:
> Hello everybody,
>
> Please excuse my probably rather novice question but I couldn't find any hint
> on this. The document at http://www.postfix.org/SMTPD_PROXY_README.html says
> it should be possible to reject an email with a before-queue content filter
> ... but how would I exactly accomplish this?
>
> What I want to do is reject what spamassassin considers spam (ok, I know the
> cons, but I really want to do it this way), so what I have in my master.cf is:

If I were you, I would use spamass-milter or similar because it does exactly what you describe. Personally, I use amavisd-milter to do virus scanning as well as spam checking at the front door. Just understand that milters are global as per the documentation.

I'm sure there are before-queue filters out there, but you cannot use a pipe. You must create/find a front-end that speaks SMTP as noted at the bottom of the SMTPD_PROXY_README.

Brian
Re: REJECT with Before-Queue Content Filter?
On 8/27/2012 2:03 PM, Juerg Reimann wrote:
> Hello everybody,
>
> Please excuse my probably rather novice question but I couldn't find any hint
> on this. The document at http://www.postfix.org/SMTPD_PROXY_README.html says
> it should be possible to reject an email with a before-queue content filter
> ... but how would I exactly accomplish this?
>
> What I want to do is reject what spamassassin considers spam (ok, I know the
> cons, but I really want to do it this way), so what I have in my master.cf is:
>
> smtp inet n - n - - smtpd
>   -o content_filter=spamfilter:dummy
> spamfilter unix - n n - - pipe
>   flags=Rq user=spamfilter argv=/.../spamfilter -f ${sender} -- ${recipient}

This is what postfix refers to as a "simple content filter", and cannot be used as a before-queue filter.
http://www.postfix.org/FILTER_README.html#simple_filter

To use spamassassin in a before-queue filter, SA will need to be called either from a milter, or from an "advanced content filter" that speaks SMTP.

amavisd-new is frequently recommended as a reliable and flexible advanced content filter that is suitable for use as an smtpd_proxy_filter.

spamass-milter is frequently recommended as a simple milter for spamassassin integration.

Although the setup and protocol of smtpd_proxy_filter vs. milter is very different, overall system load/efficiency is largely the same, making the choice mostly a feature set of a particular product.

--
Noel Jones
Re: REJECT with Before-Queue Content Filter?
On 2012.08.27. 22:15, Brian Evans - Postfix List wrote:
> I'm sure there are before-queue filters out there, but you cannot use a pipe.
> You must create/find a front-end that speaks SMTP as noted at the bottom
> of the SMTPD_PROXY_README.
>
> Brian

For example spampd.

__
KSB
Re: REJECT with Before-Queue Content Filter?
* Juerg Reimann :
> Hello everybody,
>
> Please excuse my probably rather novice question but I couldn't find any hint
> on this. The document at http://www.postfix.org/SMTPD_PROXY_README.html says
> it should be possible to reject an email with a before-queue content filter
> ... but how would I exactly accomplish this?
>
> What I want to do is reject what spamassassin considers spam (ok, I know the
> cons, but I really want to do it this way), so what I have in my master.cf is:
>
> smtp inet n - n - - smtpd
>   -o content_filter=spamfilter:dummy
> spamfilter unix - n n - - pipe
>   flags=Rq user=spamfilter argv=/.../spamfilter -f ${sender} -- ${recipient}

That's not possible to use in a smtp_proxy_filter setup, since it uses a "pipe" instead of a filter that speaks SMTP.

Use a milter or amavisd-new (or, for that matter, any filter solution that speaks SMTP).

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Preventing postscreen from logging local connections?
On Mon, Aug 27, 2012 at 11:25:29AM -0400, Rich Carreiro wrote:
> I know the real answer is to figure out how to modify the
> relevant logwatch service script and/or to figure out how to get
> mailman to submit on 587.

The real answer is trivial. My Mailman submits on 587.

mm_cfg.py :: SMTPPORT = 587

http://list.org/mailman-install/customizing.html

> But in the short term, is there any way to reduce postscreen's
> logging level or to tell it not to log "uninteresting"
> connections such as those from localhost?

Your "short term" fix would take longer than DTRT, but the more proper kludge would be to pipe to grep -v before your logwatch.

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Maildir permissions issue.
In an attempt to allow rsync to backup email to another server in another location, I seem to have messed something up, but I'll be darned if I can find it. I'd really appreciate any help.

The user is attymatter. Attymatter's home is /attymatter/home/attymatter :

attymatter:x:1000:1000::/attymatter/home/attymatter:/bin/sh (from /etc/passwd)

The error is:

warning: maildir access problem for UID/GID=1000/1000: create maildir file /attymatter/home/attymatter/Maildir/tmp/1346111764.P8226.ip-10-86-18-6: Permission denied
Aug 27 23:56:04postfix/local[8226]: warning: perhaps you need to create the maildirs in advance
Aug 27 23:56:04postfix/local[8226]: 121C8B429D: to=, orig_to=<10...@princelaw.attymatter.com>, relay=local, delay=0.26, delays=0.24/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /attymatter/home/attymatter/Maildir/tmp/1346111764.P8226.ip-10-86-18-6: Permission denied)

and dovecot:

chdir(/attymatter/home/attymatter) failed with uid 1000: Permission denied

user with UID 1000 is attymatter

[root]# su attymatter
sh-4.1$ id
uid=1000(attymatter) gid=1000(attymatter) groups=1000(attymatter)

Stat for /attymatter/home/attymatter/Maildir/tmp:

[root@ip-10-86-18-6 attymatter]# su attymatter
sh-4.1$ stat /attymatter/home/attymatter/Maildir/tmp/
  File: `/attymatter/home/attymatter/Maildir/tmp/'
  Size: 6  Blocks: 0  IO Block: 4096  directory
Device: ca80h/51840d  Inode: 577803008  Links: 2
Access: (0770/drwxrwx---)  Uid: ( 1000/attymatter)  Gid: ( 505/ editors)
Access: 2012-08-27 09:30:00.629979113 +
Modify: 2012-08-28 00:27:14.672084869 +
Change: 2012-08-28 00:27:14.672084869 +

I can create a file there:

sh-4.1$ touch /attymatter/home/attymatter/Maildir/tmp/test
sh-4.1$ cd /attymatter/home/attymatter/Maildir/tmp/
sh-4.1$ ls -lah
total 4.0K
drwxrwx--- 2 attymatter editors 17 Aug 28 00:29 .
drwxrwx--- 16 attymatter editors 4.0K Aug 27 12:30 ..
-rw-rw-r-- 1 attymatter attymatter 0 Aug 28 00:29 test

main.cnf:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 5
debug_peer_list = attymatter.com, princelaw.com, unconundrum.com
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 0
mydestination = domU-12-31-38-01-61-61.compute-1.internal/, localhost.compute-1.internal, localhost, $myhostname, $mydomain
myhostname = aws2.unconundrum.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relayhost = mail.princelaw.com
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_connect_timeout = 240s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains

Thanks again in advance
delivering to cyrus for unix-users
Hello Folks,

I'm using postfix-2.9.20120102-sasl2 with cyrus-imapd-2.4.13p0 on OpenBSD v5.1.

There are unix-users and pure-cyrus-users on the system. Most of the unix-users have mail delivered to an identical cyrus-user, but for a few "local" transport should be used.

What is the best way to arbitrarily configure whether postfix delivers a mail addressed to a unix-user either using the "local" transport or to cyrus?

I have tried leaving mailbox_transport at the default, and creating a transport_map for every unix-user for which mail should be delivered to cyrus, like this:

cyrus:

-or with lmtp transport-

lmtp:unix:/path/to/socket

these both work, but they're cumbersome.

I've tried setting

mailbox_transport = lmtp:unix:/path/to/socket

and then adding a transport_map for the few unix-users for which "local" transport should be used, but this does not work.

cheers,
Rob Urban
Re: Maildir permissions issue.
On Aug 27, 2012, at 8:36 PM, "Warren H. Prince" wrote:
> In an attempt to allow rsync to backup email to another server in another
> location, I seem to have messed something up, but I'll be darned if I can
> find it. I'd really appreciate any help. The user is attymatter.
> Attymatter's home is /attymatter/home/attymatter :

I found the issue. The root of the path was not owned by the user account. Not sure how this worked in the past, and I couldn't change the owner of the root, so I moved the Maildir to the normal home directory and all is well...
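Added example, not part of either post above: a Python sketch of the check that finds this class of fault, walking every directory from / down to Maildir/tmp and reporting the first one the delivery UID/GID cannot search or write. The owner, group and mode of Maildir and Maildir/tmp follow the stat and ls output in the original post; the entries for /, /attymatter, /attymatter/home and the home directory are constructed, and ACLs, root privileges and MAC systems such as SELinux are ignored.

```python
import os
import posixpath
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the demo runs without a real tree.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")


def _allowed(st, uid, gids, ubit, gbit, obit):
    """Classic Unix mode-bit check: the owner class wins, then group, then other."""
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def ancestors(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']"""
    chain = ["/"]
    for part in posixpath.normpath(path).strip("/").split("/"):
        if part:
            chain.append(posixpath.join(chain[-1], part))
    return chain


def delivery_blocker(maildir_tmp, uid, gids, stat_fn=os.stat):
    """Return (directory, reason) for the first path component that stops
    uid/gids from creating a file in maildir_tmp, or None if nothing does."""
    chain = ancestors(maildir_tmp)
    for directory in chain:
        # Every component, including the last, must grant search permission.
        if not _allowed(stat_fn(directory), uid, gids,
                        stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return (directory, "no search (x) permission")
    # Creating a file additionally needs write permission on the last directory.
    if not _allowed(stat_fn(chain[-1]), uid, gids,
                    stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        return (chain[-1], "no write (w) permission")
    return None


MAILDIR_TMP = "/attymatter/home/attymatter/Maildir/tmp"


def constructed_tree(top_mode):
    """Constructed ownership table; only Maildir and Maildir/tmp match the post."""
    d = stat.S_IFDIR
    table = {
        "/": FakeStat(d | 0o755, 0, 0),
        "/attymatter": FakeStat(d | top_mode, 0, 0),          # constructed
        "/attymatter/home": FakeStat(d | 0o755, 0, 0),        # constructed
        "/attymatter/home/attymatter": FakeStat(d | 0o770, 1000, 505),  # constructed
        "/attymatter/home/attymatter/Maildir": FakeStat(d | 0o770, 1000, 505),
        MAILDIR_TMP: FakeStat(d | 0o770, 1000, 505),
    }
    return table.__getitem__


if __name__ == "__main__":
    # Delivery identity from the log line: UID/GID=1000/1000.
    for mode in (0o750, 0o755):
        print(oct(mode), delivery_blocker(MAILDIR_TMP, 1000, {1000},
                                          constructed_tree(mode)))
```

Called with the default stat_fn on a live system it reads the real directories, which gives the same information as running namei -l on the maildir path.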
Re: delivering to cyrus for unix-users
On 8/27/2012 8:10 PM, IMAP List Administration wrote:
> Hello Folks,
>
> I'm using postfix-2.9.20120102-sasl2 with cyrus-imapd-2.4.13p0
> on OpenBSD v5.1.
>
> There are unix-users and pure-cyrus-users on the system. Most
> of the unix-users have mail delivered to an identical
> cyrus-user, but for a few "local" transport should be used.
>
> What is the best way to arbitrarily configure whether postfix
> delivers a mail addressed to a unix-user either using the
> "local" transport or to cyrus?
>
> I have tried leaving mailbox_transport at the default, and
> creating a transport_map for every unix-user for which mail
> should be delivered to cyrus, like this:
>
> cyrus:
>
> -or with lmtp transport-
>
> lmtp:unix:/path/to/socket
>
> these both work, but they're cumbersome.

Yes, that's the right idea.

>
> I've tried setting
>
> mailbox_transport = lmtp:unix:/path/to/socket
>
> and then adding a transport_map for the few unix-users for
> which "local" transport should be used, but this does not
> work.

To do it this way, use local_transport rather than mailbox_transport.

See the http://www.postfix.org/MAILDROP_README.html document for hints on configuring an external delivery agent. The postfix interface is the same, only the external command differs.

--
Noel Jones
RE: Postfix Multi-Instance on multiple hosts
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
Sent: Monday, August 27, 2012 3:00 PM
To: Postfix users
Subject: Re: Postfix Multi-Instance on multiple hosts

Futchko, Rose:
> Good Afternoon. This is to confirm that the information located at
> http://www.postfix.org/MULTI_INSTANCE_README.html#quick is the right
> documentation to setup a multi-instance of Postfix within the
> following
> environment:

>>>MULTI_INSTANCE_README describes multiple MTAs that run on the same operating system instance.

>>>However, you can apply the concepts of null client (no network listener), service MTA instance, etc. equally well to MTAs running on separate hosts.

>>>So, you could have one null client on each host that handles local submission by cron jobs etc., and the central server would also have a service MTA instance that the others route their mail to.

Wietse

Thank you, Wietse -- that makes sense. If the above does not work (which I assume it will), is there another configuration I should consider to establish the central MTA and support multiple hosts on the same subnet?

Kind Regards,
Rose

> A) 4 servers total, each one running a local POSTFIX instance.
> B) 3 of the servers will need to send mail from web applications (such
> as registration complete email response, request for new password,
> etc) to a central POSTFIX instance (all on the same subnet)
> C) 1 server is to be designated as a central Mail Transfer agent to
> the internet. This is for inbound and outbound mail. This server also
> supports a local copy of a mail list serve.
> D) All servers are on the same internal subnet.
Re: receiving spam where sender is @mydomain
On Mon, Aug 27, 2012 at 06:00:01PM +0200, Ilja Beeskow wrote:
> On 27.08.2012 16:33, Reindl Harald wrote:
> >On 27.08.2012 16:30, Ilja Beeskow wrote:
> >>On 27.08.2012 13:17, Jan Geep wrote:
> >>>[...] until recently people have started
> >>>receiving spam email that appear to be sent from my domain.
> >>>
> >>> From: myn...@example.com
> >>> To: myn...@example.com
> >>> Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 1234
> >>>
> >>>But the return path is along the lines of:
> >>>
> >>> Return-Path:
> >>
> >>smtpd_recipient_restrictions = permit_sasl_authenticated,
> >>permit_mynetworks,..., check_sender_access
> >>hash:/etc/postfix/not_our_domain_as_sender
> >>
> >>with /etc/postfix/not_our_domain_as_sender
> >>
> >>example.com    REJECT Sorry, sender not permitted!
> >
> >FROM-header is not relevant for the SMTP protocol
> >
>
> @Harald: Yes, I know! It's rejecting everybody who says he was
> anyb...@example.com during the 'MAIL FROM:' smtp command.

Jan said he wanted to reject mail with From: headers of his domain, and that Return-Path: (the envelope sender) was some other address. Your check_sender_access lookup will be applied against the envelope sender address.

Usually there are better ways to deal with spam. It's impossible to identify a certain header that is always (or never) spam. Don't even try. Spend your efforts elsewhere. Jim Seymour's cheatsheet (linked from the third-party HOWTO page at www.postfix.org) is a good starting point. Postscreen, with DNSBL scoring, is also effective.

> @Jan: Could you please show us a corresponding log file entry?

Chances are very high that the client host was listed in the Zen or BRBL DNSBLs. This junk is usually the work of botnets.

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
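Added example, not written by any poster in this thread: a Python model of why the check_sender_access map quoted above does not see the forged From: header. The lookup-key order is a simplified version of the address matching in access(5) (full address, domain and parent domains, then the local part with "@"); the sample message and the envelope addresses are constructed, and classify() is a hypothetical helper, not a Postfix interface.

```python
from email import message_from_string
from email.utils import parseaddr

# Same single entry as the map quoted in the thread.
ACCESS_TABLE = {"example.com": "REJECT Sorry, sender not permitted!"}


def access_keys(address):
    """Simplified access(5) key order for an email address."""
    address = address.lower()
    local, sep, domain = address.rpartition("@")
    if not sep:
        return [address]
    labels = domain.split(".")
    keys = [address]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    return keys


def check_sender_access(envelope_sender, table=ACCESS_TABLE):
    """Return the action for the MAIL FROM address, or DUNNO if no key matches."""
    for key in access_keys(envelope_sender):
        if key in table:
            return table[key]
    return "DUNNO"


def header_from_domain(raw_message):
    """Domain of the From: header, which the SMTP-level lookup never receives."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify(envelope_sender, raw_message, our_domain="example.com"):
    """Compare what the access map decides with what the recipient will see."""
    env_domain = envelope_sender.rpartition("@")[2].lower()
    hdr_domain = header_from_domain(raw_message)
    return {
        "access_result": check_sender_access(envelope_sender),
        "envelope_domain": env_domain,
        "header_from_domain": hdr_domain,
        "header_only_claim": hdr_domain == our_domain and env_domain != our_domain,
    }


# Constructed sample: header claims example.com, envelope sender is elsewhere.
SPOOFED_ENVELOPE = "bounce@elsewhere.invalid"
SPOOFED_MESSAGE = (
    "From: someone@example.com\n"
    "To: someone@example.com\n"
    "Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet 1234\n"
    "\n"
    "constructed body\n"
)

if __name__ == "__main__":
    print(classify(SPOOFED_ENVELOPE, SPOOFED_MESSAGE))
    print(classify("anybody@example.com", SPOOFED_MESSAGE))
```

The first call returns DUNNO with header_only_claim set, which is the case Jan described; the second is rejected because the envelope sender itself is in example.com.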
Re: exceptions for smtpd_end_of_data_restrictions
- Message from Noel Jones -
Date: Mon, 27 Aug 2012 08:57:11 -0500
From: Noel Jones
Reply-To: postfix users
Subject: Re: exceptions for smtpd_end_of_data_restrictions
To: postfix-users@postfix.org

On 8/27/2012 7:56 AM, an...@isac.gov.in wrote:

- Message from an...@isac.gov.in -
Date: Sat, 25 Aug 2012 15:50:33 +0530
From: an...@isac.gov.in
Subject: Re: exceptions for smtpd_end_of_data_restrictions
To: postfix-users@postfix.org

- Message from Noel Jones -
Date: Fri, 24 Aug 2012 23:49:25 -0500
From: Noel Jones
Reply-To: postfix users
Subject: Re: exceptions for smtpd_end_of_data_restrictions
To: postfix-users@postfix.org

On 8/24/2012 11:10 PM, an...@isac.gov.in wrote:

- Message from Noel Jones -
Date: Wed, 22 Aug 2012 06:31:10 -0500
From: Noel Jones
Reply-To: postfix users
Subject: Re: exceptions for smtpd_end_of_data_restrictions
To: postfix-users@postfix.org

On 8/22/2012 2:14 AM, an...@isac.gov.in wrote:

Dear List,

I have this in my main.cf

smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:9998

This basically checks for mail size and allows/not allows a mail based on contents of a file. Is there a way to say, not to use this policy service, based on some headers of a mail?

You can skip the policy based on envelope information by using a check_*_access map before the policy check. You could also likely do this inside the policy server itself. You cannot skip it based on headers.

-- Noel Jones

Thanks for your inputs. You are all experts, please share some ideas with me to solve my problem. I have described the requirement in detail as below. Let me explain my current setup and my real requirement.

I have a front end for accessing and sending mail (say server A). All mails sent from this (server A) are directed to another server (say server B) for virus/spam check using Amavisd. If the mails are addressed to any internet domain other than ours, mails get forwarded to Server C, else mails are delivered locally.
A (Front End Mail) -> B (Virus/Spam scanner) -> C (for delivering to Internet).

At server B (for local delivery of mails) we have a size limit of 30 MB. At Server C (for delivery to Internet) we have a size limit of 30 MB, but using policyd feature of Postfix (at smtpd_end_of_data_restrictions), by default we are restricting to 2 MB and based on the contents of a data file (which is manually edited as and when required) which contains Sender address and allowed size, mails get delivered to outside domains having higher size.

Now, I have been asked to develop another front end at same level as Server A (say server D), to enable users to send mails of large size to Internet users, such that, once a mail is composed and submitted for approval, based on the content, I can approve or disapprove. Once approved, it should go through Server B and finally server C to get delivered to outside domains.

My problem lies at Server C where I am running a policy for sending outside mails. How can that mail be allowed without even looking at policy (exception for policy)? Please provide guidance or any other alternative strategy to achieve the requirement. But, it is a must that mail should go through the virus scan.

Regards, Anant.

Have D submit mail to a dedicated amavisd port on B, which can then submit to a separate port on C with no policy. See amavisd docs about listening on multiple ports, policy banks, etc. For the postfix changes on C, the lazy solution is set up another smtpd listener in master.cf with empty smtpd_end_of_data_restrictions; the better full-featured solution is a separate postfix instance giving full control with separate queue, logging, and stats.

-- Noel Jones

Thanks. I think, this is the only option. I need to work on this. Thanks.

Regards, Anant.
Dear Noel Jones,

I was just browsing through the net and found the following link

http://marcelog.github.com/articles/configure_postfix_forward_email_regex_subject_transport_relay.html

In my setup, I have different queue setup already for incoming and outgoing in Server C. My policy runs on outgoing queue. If I setup another queue on server C, say 'highersizequeue'. And in outgoing main.cf, I add header check for some specific header and based on that header, I relay that mail to newly created queue (highersizequeue). That could work. Is this solution advisable? If you say No, I would stick with your earlier suggested option.

As a general rule, routing decisions shouldn't be based on headers. You'll need to insure that you do not unintentionally match the wrong header. Even experts fat-finger regexp; it's harder than it looks. I think the separate ports discussed earlier is a better and safer solution. There is much less possibility of unintended routing that way.

-- Noel Jones

THANK YOU.

- End message from Noel Jones
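The size policy described in this thread, as an added example that is not code from any of the posters: it parses a Postfix policy delegation request at the END-OF-MESSAGE stage and applies the 2 MB default with per-sender overrides read from a data file. The file layout, the sample addresses and sizes, and the clamp to the 30 MB ceiling are assumptions made for the example.

```python
DEFAULT_LIMIT = 2 * 1024 * 1024   # 2 MB default described in the thread
HARD_LIMIT = 30 * 1024 * 1024     # 30 MB ceiling stated for Server C

# Constructed per-sender file; the "<sender> <max bytes>" layout is an assumption.
SAMPLE_LIMITS = """\
approved.user@example.org   20971520
typo.entry@example.org      99999999999   # clamped to HARD_LIMIT
"""

# Constructed request in the name=value form Postfix sends to a policy service.
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=END-OF-MESSAGE
sender=Approved.User@example.org
size=5242880

"""

def parse_request(raw):
    """Parse one request: name=value lines terminated by an empty line."""
    head = raw.split("\n\n", 1)[0]
    return dict(l.split("=", 1) for l in head.splitlines() if "=" in l)

def load_limits(text):
    """Read per-sender limits, clamping every entry to HARD_LIMIT."""
    limits = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[1].isdecimal():
            limits[fields[0].lower()] = min(int(fields[1]), HARD_LIMIT)
    return limits

def decide(attrs, limits):
    """Return the access(5)-style action for one request."""
    if attrs.get("protocol_state") != "END-OF-MESSAGE":
        return "DUNNO"  # size is only the real byte count at end of data
    if not attrs.get("size", "").isdecimal():
        return "DEFER_IF_PERMIT Policy error: no usable message size"
    size = int(attrs["size"])
    limit = limits.get(attrs.get("sender", "").lower(), DEFAULT_LIMIT)
    if size > limit:
        return "REJECT Message of %d bytes exceeds the %d byte limit" % (size, limit)
    return "DUNNO"

def respond(raw, limits):
    """Build the reply Postfix expects: action=... followed by an empty line."""
    return "action=%s\n\n" % decide(parse_request(raw), limits)
```

A request without a usable size is deferred rather than accepted, so a malformed request cannot slip past the limit.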
multiple instances of postfix
Dear List, right now, in one of my servers, only one instance of postfix is running. This is already integrated with amavisd-new running on the same server. My question is, if I create another instance of postfix, do I need to create another instance of amavisd-new/Clamav? Regards, Anant.
postfix mailman transport file missing
when I installed mailman, I don't see a transport as described here:

Associate the domain lists.example.com to the mailman transport with the transport map. Edit the file /etc/postfix/transport:

lists.example.com mailman:

https://help.ubuntu.com/community/Mailman

root dur:~#
root dur:~# ll /etc/postfix/
total 120
drwxr-xr-x 3 root root 4096 Aug 26 04:21 ./
drwxr-xr-x 170 root root 12288 Aug 27 15:29 ../
-rw-r--r-- 1 root root 373 Aug 14 01:44 dynamicmaps.cf
-rw-r--r-- 1 root root 2092 Aug 26 04:21 main.cf
-rw-r--r-- 1 root root 1280 Aug 16 23:59 main.cf.1.orig
-rw-r--r-- 1 root root 3298 Aug 25 16:59 main.cf.2.mysql
-rw-r--r-- 1 root root 1323 Aug 26 00:38 main.cf.3.dovecot
-rw-r--r-- 1 root root 5563 Aug 14 01:43 master.cf
-rw-r--r-- 1 root root 150 Aug 17 00:21 mysql_alias.cf
-rw-r--r-- 1 root root 150 Aug 17 00:22 mysql_domains.cf
-rw-r--r-- 1 root root 150 Aug 17 00:21 mysql_mailbox.cf
-rw-r--r-- 1 root root 19707 Apr 13 13:33 postfix-files
-rwxr-xr-x 1 root root 8729 Oct 6 2011 postfix-script*
-rwxr-xr-x 1 root root 26498 Apr 13 13:33 post-install*
drwxr-xr-x 2 root root 4096 Apr 13 13:33 sasl/
root dur:~#

what does it mean that the file is missing?

thanks,

Thuifr