Re: Migration Postfix Server

2012-09-14 Thread Patrick Ben Koetter
* Giuseppe Perna :
> I need to migrate mail from Postfix from my old server to the new server.
> I was wondering if there was a document for this operation.
> 
> my system is in mbox format.

Copy the mbox file over to your new system and you are done.


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: REJECT and save a copy of spam?

2012-09-14 Thread Jamie Paul Griffin
[ Patrick Ben Koetter wrote on Fri 14.Sep'12 at  7:31:10 +0200 ]

> * Chris Adams :
> > I'm configuring Postfix with SpamAssassin, using Spampd as a
> > before-queue filter.  I put "/^X-Spam-Flag: YES/ REJECT Spam detected"
> > in /etc/postfix/header_checks, and that works (spam is rejected during
> > SMTP as desired).
> > 
> > However, it would be nice to _also_ keep a copy of the rejected messages
> > somewhere for later analysis.  Either deliver them to a special local
> > user, hold in the queue, or whatever else is convenient.  Is there an
> > easy way to do this?
> > 
> > I guess I could modify Spampd to save a copy of spam messages, but I was
> > hoping there might be a way to configure Postfix to do this.
> > 
> > If it matters, this is Postfix 2.6.6 on CentOS 6.
> 
> Postfix can't do that. amavis can do if you run it pre-queue.
> 
> p@rick
 
+1 - use amavisd-new. It's the best tool to achieve what you need and a lot 
more. 


Re: REJECT and save a copy of spam?

2012-09-14 Thread Stan Hoeppner
On 9/13/2012 9:59 PM, Chris Adams wrote:
> I'm configuring Postfix with SpamAssassin, using Spampd as a
> before-queue filter.  I put "/^X-Spam-Flag: YES/ REJECT Spam detected"
> in /etc/postfix/header_checks, and that works (spam is rejected during
> SMTP as desired).
> 
> However, it would be nice to _also_ keep a copy of the rejected messages
> somewhere for later analysis.  Either deliver them to a special local
> user, hold in the queue, or whatever else is convenient.  Is there an
> easy way to do this?

Before queue filtering is more expensive than post queue filtering.  It
makes more sense in this case to simply accept all mail and forget about
REJECTing what SA marks as spam.  Run a post queue filter and save all
spam to a spam folder with a procmail, sieve, etc, script.

The only time a human will see the REJECT is on a false positive.
Spammers don't look at rejects.  So why bother telling a spamming MTA
you rejected the message when you actually accepted it?  This simply
adds unnecessary expense to your mail transactions with zero benefit to you.

-- 
Stan



Re: REJECT and save a copy of spam?

2012-09-14 Thread Nick Rosier

Patrick Ben Koetter wrote:
> * Chris Adams:
> > I'm configuring Postfix with SpamAssassin, using Spampd as a
> > before-queue filter.  I put "/^X-Spam-Flag: YES/ REJECT Spam detected"
> > in /etc/postfix/header_checks, and that works (spam is rejected during
> > SMTP as desired).
> > 
> > However, it would be nice to _also_ keep a copy of the rejected messages
> > somewhere for later analysis.  Either deliver them to a special local
> > user, hold in the queue, or whatever else is convenient.  Is there an
> > easy way to do this?
> > 
> > I guess I could modify Spampd to save a copy of spam messages, but I was
> > hoping there might be a way to configure Postfix to do this.
> > 
> > If it matters, this is Postfix 2.6.6 on CentOS 6.
> 
> Postfix can't do that. amavis can do if you run it pre-queue.

Agreed, you should use amavisd-new to do this. But why would you want to 
run it pre-queue?


Amavis/SA are CPU intensive. A better way, IMHO, is to use a combination 
of postscreen, policyd (e.g. policyd-weight), greylisting (e.g. sqlgrey) 
and have Amavis/SA only handle mail that "gets through".

See http://www.postfix.org/POSTSCREEN_README.html for multi-layer defense.

You'll block 9x% of all obvious spam without wasting CPU or bandwidth. 
And you can quarantine those that get through for later analysis.


Rgds,
N.


Re: REJECT and save a copy of spam?

2012-09-14 Thread Wietse Venema
Stan Hoeppner:
> On 9/13/2012 9:59 PM, Chris Adams wrote:
> > I'm configuring Postfix with SpamAssassin, using Spampd as a
> > before-queue filter.  I put "/^X-Spam-Flag: YES/ REJECT Spam detected"
> > in /etc/postfix/header_checks, and that works (spam is rejected during
> > SMTP as desired).
> > 
> > However, it would be nice to _also_ keep a copy of the rejected messages
> > somewhere for later analysis.  Either deliver them to a special local
> > user, hold in the queue, or whatever else is convenient.  Is there an
> > easy way to do this?
> 
> Before queue filtering is more expensive than post queue filtering. 

That depends. The amount of memory/number of CPU cycles/etc to
examine a message is the same. 

The difference is:

- With post-queue filters you have complete control over the number
  of filters that can run at the same time, and you can use larger
  time limits.

- With before-queue filters, the number of running filters can be
  the same as the number of inbound SMTP sessions, and you have to
  be sure that filters finish quickly.  You can reduce the number
  of running filters with "smtpd_proxy_options=speed_adjust", so
  that Postfix receives the entire message before invoking the
  filter; people have reported reductions in the number of filter
  processes of 40%.

But this matters only if you really want to give a REJECT response
to the remote SMTP client.

Wietse

> It
> makes more sense in this case to simply accept all mail and forget about
> REJECTing what SA marks as spam.  Run a post queue filter and save all
> spam to a spam folder with a procmail, sieve, etc, script.
> 
> The only time a human will see the REJECT is on a false positive.
> Spammers don't look at rejects.  So why bother telling a spamming MTA
> you rejected the message when you actually accepted it?  This simply
> adds unnecessary expense to your mail transactions with zero benefit to you.
> 
> -- 
> Stan
> 
> 


Re: REJECT and save a copy of spam?

2012-09-14 Thread Chris Adams
Once upon a time, Wietse Venema  said:
> But this matters only if you really want to give a REJECT response
> to the remote SMTP client.

I would prefer to do that for this particular setup.  This is a
low-traffic domain, mostly just forwarding to other domains; there are a
couple of mailing lists and a ticket system; no mail gets normal local
delivery.  Nobody would normally be checking a spam box, so any messages
that hit would effectively disappear.

In the old setup (sendmail+mimedefang+SA), it has been useful that
"spam" is rejected so that legit senders get a notice, and that the
message gets saved (so I can review when somebody complains).

Thanks; I guess I'll take a look at amavis.
-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


Re: REJECT and save a copy of spam?

2012-09-14 Thread Wietse Venema
Chris Adams:
> Once upon a time, Wietse Venema  said:
> > But this matters only if you really want to give a REJECT response
> > to the remote SMTP client.
> 
> I would prefer to do that for this particular setup.  This is a
> low-traffic domain, mostly just forwarding to other domains; there are a
> couple of mailing lists and a ticket system; no mail gets normal local
> delivery.  Nobody would normally be checking a spam box, so any messages
> that hit would effectively disappear.
> 
> In the old setup (sendmail+mimedefang+SA), it has been useful that
> "spam" is rejected so that legit senders get a notice, and that the
> message gets saved (so I can review when somebody complains).
> 
> Thanks; I guess I'll take a look at amavis.

Postfix supports Milter too. There are some differences but it might
just work.

Wietse


Re: REJECT and save a copy of spam?

2012-09-14 Thread Chris Adams
Once upon a time, Wietse Venema  said:
> Postfix supports Milter too. There are some differences but it might
> just work.

Oh yeah, I know that (I just wrote a milter for some servers at work
running postfix).  I was trying to avoid the extra overhead (and config
management work) of mimedefang/amavis since I was just looking for basic
spam blocking.

Thanks.
-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


Feature request: new parameter no_result_format for ldap and sql maps

2012-09-14 Thread Michael Storz

Problem:


Because of a very slow provisioning driver for exchange - creating a 
user needs several seconds - the data in our OpenLDAP and the 
Exchange/Active Directory are often out of sync, especially when 
creating accounts for new students at the beginning of a semester. To 
let the new 'Welcome Message' wait instead of bouncing, we check if the 
data in both directories is consistent via check_recipient_access and 
two LDAP queries.


If the account is in OpenLDAP

- and in Exchange then the result of the check should be DUNNO to 
evaluate the next restrictions.

- is not in Exchange then the result should be a temporary reject.

Unfortunately this seems not to be possible because the ldap query only 
gives back an action if something is found and not if something is NOT 
found.


I then tried to put the second LDAP-query into a restriction class:

rc_check_exchange_sans_forward =
    # OK if the recipient is correct in AD/Exchange
    check_recipient_access proxy:ldap:/lrz/common/postfix/check_exchange_user_sans_forward_ads.ldap

    # DEFER all others
    check_recipient_access pcre:/lrz/common/postfix/check_exchange_user_defer.pcre


check_exchange_user_defer.pcre

# Catchall
/./ 450 User not yet available in Exchange

It works, but then all further restrictions are not evaluated. Therefore 
we use an extra Postfix instance just for this check which is a little 
bit of an overkill.



Solution:

If a new parameter no_result_format would exist, we could define the 
ldap procedure with


result_format = DUNNO
no_result_format = 450 User not yet available in Exchange

which is very straightforward and understandable.

The semantics of no_result_format would be very similar to 
result_format. With LDAP_SUCCESS and no results this new parameter would 
be used as the result. Because there is no result value from the 
LDAP-query the lower-case, upper-case and decimal digit expansions would 
use the input key.


Does this make sense?

Thanks,
Michael Storz



Re: REJECT and save a copy of spam?

2012-09-14 Thread Daniele Nicolodi
On 14/09/2012 16:46, Chris Adams wrote:
> Once upon a time, Wietse Venema  said:
>> Postfix supports Milter too. There are some differences but it might
>> just work.
> 
> Oh yeah, I know that (I just wrote a milter for some servers at work
> running postfix).  I was trying to avoid the extra overhead (and config
> management work) of mimedefang/amavis since I was just looking for basic
> spam blocking.

Hello,

I wrote some python code that implements a very simple milter to filter
incoming emails, using a python SpamAssassin spamd client (to avoid the
overhead of forking a process and handling the streaming of data). The
difference with other similar projects you can find on the web is the
fact that the milter speaks directly with spamd instead of forking a
child process (and that the code is IMHO much nicer).

I never found time to polish the code and publish it, but I'll be happy
to share it.  I think it may be useful for low volume mail servers. I
use it for handling my personal domain mail traffic.

Cheers,
Daniele
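
The approach described in this message (ask spamd directly, then decide at SMTP time) combined with the original request (reject and still keep a copy) can be sketched as follows. This is an added example, not Daniele's code and not part of the original post; the function names, the in-memory quarantine list, the reply strings and the sample response are constructed, and the socket handling is left out so the block runs offline.

```python
import re

def build_check_request(message: bytes, user: str = "") -> bytes:
    """Frame a message as a spamd CHECK request (SPAMC protocol)."""
    lines = [b"CHECK SPAMC/1.5"]
    if user:
        lines.append(b"User: " + user.encode("ascii"))
    lines.append(b"Content-length: %d" % len(message))
    return b"\r\n".join(lines) + b"\r\n\r\n" + message

_STATUS = re.compile(rb"^SPAMD/\d+\.\d+ (\d+) (\S+)")
_SPAM = re.compile(
    rb"^Spam:\s*(True|False|Yes|No)\s*;\s*(-?[\d.]+)\s*/\s*(-?[\d.]+)",
    re.I | re.M,
)

def parse_check_response(raw: bytes):
    """Return (is_spam, score, threshold) from a spamd reply to CHECK."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status = _STATUS.match(head)
    if not status or int(status.group(1)) != 0:
        raise ValueError("spamd did not answer EX_OK")
    spam = _SPAM.search(head)
    if not spam:
        raise ValueError("no Spam: header in spamd reply")
    flag = spam.group(1).lower() in (b"true", b"yes")
    return flag, float(spam.group(2)), float(spam.group(3))

def verdict(raw_response: bytes, message: bytes, quarantine: list) -> str:
    """Decide what the filter tells the SMTP client.

    Spam is copied to the quarantine before the reject is issued, so the
    sender gets a notice and the operator can still review the message.
    A broken spamd reply yields a temporary failure instead of silently
    accepting unscanned mail.
    """
    try:
        is_spam, score, _ = parse_check_response(raw_response)
    except ValueError:
        return "451 4.7.1 Content filter unavailable, try again later"
    if is_spam:
        quarantine.append(message)
        return "550 5.7.1 Spam detected (score %.1f)" % score
    return "accept"

# Constructed sample data, not captured traffic.
SAMPLE_MESSAGE = b"Subject: test\r\n\r\nhello\r\n"
SAMPLE_SPAM_REPLY = b"SPAMD/1.1 0 EX_OK\r\nSpam: True ; 15.3 / 5.0\r\n\r\n"
SAMPLE_HAM_REPLY = b"SPAMD/1.1 0 EX_OK\r\nSpam: False ; 0.4 / 5.0\r\n\r\n"
```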



Re: Feature request: new parameter no_result_format for ldap and sql maps

2012-09-14 Thread Wietse Venema
Michael Storz:
> If a new parameter no_result_format would exist, we could define the 
> ldap procedure with
> 
> result_format = DUNNO
> no_result_format = 450 User not yet available in Exchange
> 
> which is very straightforward and understandable.

Except that this returns false rejects with for example address
extensions. Postfix looks up user+extension@domain before looking
up user@domain.

Wietse
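
The false reject described above can be reproduced with a small simulation of the lookup sequence; this is an added example, not Postfix code and not part of the original posts. It assumes the address lookup order documented in access(5) for addresses with an extension (parent-domain keys are omitted), a recipient delimiter of "+", and constructed example.edu addresses; `no_result_format` is only the parameter proposed in this thread and does not exist in Postfix.

```python
# Constructed sample: accounts that already exist in Exchange,
# i.e. the keys for which the LDAP query would return an entry.
EXCHANGE_USERS = {"student1@example.edu"}

def access_lookup_keys(address, recipient_delimiter="+"):
    """Keys tried for an e-mail address, in the order given in access(5):
    user+ext@domain, user@domain, domain, user+ext@, user@."""
    local, _, domain = address.rpartition("@")
    base = local.split(recipient_delimiter, 1)[0]
    has_ext = bool(base) and base != local
    keys = [f"{local}@{domain}"]
    if has_ext:
        keys.append(f"{base}@{domain}")
    keys.append(domain)
    keys.append(f"{local}@")
    if has_ext:
        keys.append(f"{base}@")
    return keys

def ldap_map(key, no_result_format=None):
    """Simulated table with result_format = DUNNO.

    no_result_format=None models today's behaviour: an empty search
    result means "not found". A string models the proposed parameter.
    """
    if key in EXCHANGE_USERS:
        return "DUNNO"
    return no_result_format

def check_recipient_access(address, no_result_format=None):
    """Return (matching key, action); the first key with a result wins."""
    for key in access_lookup_keys(address):
        action = ldap_map(key, no_result_format)
        if action is not None:
            return key, action
    return None, None  # nothing matched: the next restriction is evaluated

DEFER = "450 User not yet available in Exchange"

def demo():
    addr = "student1+lists@example.edu"
    return {
        "today": check_recipient_access(addr),
        "proposed": check_recipient_access(addr, no_result_format=DEFER),
    }
```

With the proposed parameter, the first key (`student1+lists@example.edu`) already produces the 450 action, so the lookup for `student1@example.edu` that would have returned DUNNO is never made.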