Re: Recommendations for antivirus

2013-01-17 Thread Jamie Griffin
* Ned Slider  [2013-01-17 04:25:04 +]:

> On 16/01/13 22:20, Erwan David wrote:
> >On 16/01/2013 23:17, Terry Gilsenan wrote:
> >>>-Original Message-
> >>>From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> >>>us...@postfix.org] On Behalf Of TFML
> >>>Sent: Thursday, 17 January 2013 7:55 AM
> >>>To: Postfix users
> >>>Subject: Recommendations for antivirus
> >>>
> >>>I'm running a server on average week we receive 14,000, send 19,000,
> >>>and in total deferred/bounced/rejected 5,000 -- Can you guys recommend
> >>>a good antivirus that will work well with postfix. Meaning efficient in
> >>>processing emails without dropping them into oblivion or kill the
> >>>server CPU and/or Memory? Any suggestions will be fantastic!
> >>>
> >>I recommend Amavisd-new and clam.
> >>
> >>
> >You may also use clamav as a milter.
> >
> 
> Another recommendation for ClamAV.
> 
> As ClamAV is used predominantly in mail setups, their signature
> database seems to do fairly well against email-borne threats.
> Further, it's easy to create and add your own signatures allowing
> you to respond immediately to an outbreak rather than waiting for
> signatures to get added to official updates.
 
 clamav with Sanesecurity signatures - search google for them. easy to install.

-- 
Primary Key: 4096R/1D31DC38 2011-12-03
Key Fingerprint: A4B9 E875 A18C 6E11 F46D  B788 BEE6 1251 1D31 DC38


Re: Recommendations for antivirus

2013-01-17 Thread Frank Bonnet

On 01/17/2013 09:25 AM, Jamie Griffin wrote:
> * Ned Slider  [2013-01-17 04:25:04 +]:
>
>> On 16/01/13 22:20, Erwan David wrote:
>>> On 16/01/2013 23:17, Terry Gilsenan wrote:
>>>>> -Original Message-
>>>>> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
>>>>> us...@postfix.org] On Behalf Of TFML
>>>>> Sent: Thursday, 17 January 2013 7:55 AM
>>>>> To: Postfix users
>>>>> Subject: Recommendations for antivirus
>>>>>
>>>>> I'm running a server on average week we receive 14,000, send 19,000,
>>>>> and in total deferred/bounced/rejected 5,000 -- Can you guys recommend
>>>>> a good antivirus that will work well with postfix. Meaning efficient in
>>>>> processing emails without dropping them into oblivion or kill the
>>>>> server CPU and/or Memory? Any suggestions will be fantastic!
>>>>>
>>>> I recommend Amavisd-new and clam.
>>>>
>>> You may also use clamav as a milter.
>>>
>> Another recommendation for ClamAV.
>>
>> As ClamAV is used predominantly in mail setups, their signature
>> database seems to do fairly well against email-borne threats.
>> Further, it's easy to create and add your own signatures allowing
>> you to respond immediately to an outbreak rather than waiting for
>> signatures to get added to official updates.
>
> clamav with Sanesecurity signatures - search google for them. easy to install.

I use a paid antivirus that runs very well with postfix : VAMS from 
www.centralcommand.com

It also has an antispam feature but I do not use it.




Re: Recommendations for antivirus

2013-01-17 Thread Robert Schetterer
On 16.01.2013 22:55, TFML wrote:
> I'm running a server on average week we receive 14,000, send 19,000, and in 
> total deferred/bounced/rejected 5,000 -- Can you guys recommend a good 
> antivirus that will work well with postfix. Meaning efficient in processing 
> emails without dropping them into oblivion or kill the server CPU and/or 
> Memory? Any suggestions will be fantastic!
> 
> Regards,
> Alvin 
> 

clamav-milter/clamd works well here, should work without problems with
your small average of mail


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich


Re: Backup server

2013-01-17 Thread Robert Schetterer
On 17.01.2013 07:59, Muhammad Yousuf Khan wrote:
> i want to plan a backup postfix server for minimizing the downtime. i
> have read about MX record entry to use as backup server . but this if
> for pure postfix only in my case i will be running round cube, dovecot
> for IMAP storage. how is that possible that i just have to change the
> DNS entry and people start accessing same settings same view of round
> cube with in just 1 or 2 minutes of delay.
> is there anyone can help me? DRBD is kinda complex. just for your
> knowledge i am using local hard drive as storage not external storage.
> 
>  Thanks,
> 

dns loadbalancing does not play very well,
so you want no traditional mx backup mailserver
instead you want some HA Setup with all mail related stuff (
smtp/pop3/imap/webmail ), using drbd/nfs and loadbalancer/directors are
the way you have to go, postfix isn't the harder part for that, so better ask
and search for HA setup with dovecot first, i.e on dovecot list etc


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich


Relay access denied

2013-01-17 Thread Muzaffer
Hi,

Is there a simpler way of making postfix accept mail for all the domains
I'm hosting, than adding them one by one to $virtual_alias_domains?

Regards,


Re: smtp_fallback_relay and greylists

2013-01-17 Thread Rafael Azevedo
> It says use the same host. It does not say use the same
> myhostname setting.

Thanks once again Wietse! Your help is very appreciated.

I'll try to work on this.

BR,
- Rafael


Messages stucked in maildrop folder

2013-01-17 Thread Rafael Azevedo
Hi Guys,

I noticed that a specific SMTP has lots of files on maildrop folder, and I don't 
know why postfix is not sending these messages either to its destination or 
back to sender.

I tried reading this document (http://www.postfix.org/MAILDROP_README.html) but 
could not understand how to fix this. 

Any help would be very appreciated.

Thanks in advance.
- Rafael


Re: Messages stucked in maildrop folder

2013-01-17 Thread Rafael Azevedo
Just to share with everyone (in case somebody sees this problem in the future), 
it seems to be fixed after I added this to main.cf:
mailbox_command = /usr/bin/maildrop -d ${USER}

After that all messages went through.

BR
- Rafael

- Original Message -
From: "Rafael Azevedo" 
To: "Postfix users" 
Sent: Thursday, January 17, 2013 8:52:06
Subject: Messages stucked in maildrop folder

Hi Guys,

I noticed that a specific SMTP has lots of files on maildrop folder, and I don't 
know why postfix is not sending these messages either to its destination or 
back to sender.

I tried reading this document (http://www.postfix.org/MAILDROP_README.html) but 
could not understand how to fix this. 

Any help would be very appreciated.

Thanks in advance.
- Rafael


Re: smtp_fallback_relay and greylists

2013-01-17 Thread Rafael Azevedo
> It says use the same host. It does not say use the same
> myhostname setting.

Wietse,

Could you please tell me the difference of "same host" and "myhostname"?

What I understood from the document is that it's suggested to use the same 
host/ip to re-send the message in cases of greylists. In my case, each postfix 
server uses myhostname to determine the server's host (each host has its own 
ip).

So I imagined that I should use the same myhostname in smtp_fallback_relay in 
order to have it retrying to send the messages that were deferred because of 
graylists.

Would you please give me a light on this?

Thanks in advance.
- Rafael


Re: Fiddling with smtp_fallback_relay

2013-01-17 Thread Stan Hoeppner
On 1/16/2013 6:49 PM, Steve Jenkins wrote:
> On Wed, Jan 16, 2013 at 4:35 PM, Stan Hoeppner 
>  wrote:

>> And BTW, if you're not a spammer...

> Gotit - thanks. I am certainly NOT a spammer.

I know you're not Steve.  I should have said "as you're not a spammer.."
instead of "if you're..."

-- 
Stan



Re: smtp_fallback_relay and greylists

2013-01-17 Thread Stan Hoeppner
On 1/17/2013 5:16 AM, Rafael Azevedo wrote:

> Could you please tell me the difference of "same host" and "myhostname"?

A host is a computer (or virtual machine).  myhostname is a Postfix
parameter.  Now plug these into the context of Wietse's statement to you
and you should understand.

-- 
Stan



Re: smtp_fallback_relay and greylists

2013-01-17 Thread Rafael Azevedo
> A host is a computer (or virtual machine).  myhostname is a Postfix
> parameter.  Now plug these into the context of Wietse's statement to you
> and you should understand.

Thanks Stan!

But if I point it to another host (different than myhostname) it will send 
through another IP right? I'm not sure how can I get through greylist this way.

This concept is still not clear for me.

- Rafael



Re: Deferred mail

2013-01-17 Thread Wietse Venema
Muzaffer:
> Hi,
> 
> I fear I might have misconfigured. Here's my logs:
> 
> Jan 17 06:14:20 ommuse postfix/smtp[25504]: BC05AF629A: to=<
> x...@gmail.com>, relay=none, delay=116212,
> delays=116107/0.02/105/0, dsn=4.4.1, status=deferred (connect to
> alt4.gmail-smtp-in.l.google.com[74.125.141.26]:25: Connection timed out)

Another possibility is that your ISP does not allow its customers
to make connections to port 25, as an anti-spam countermeasure.

If this is your relayhost, try "relayhost = [smtp.gmail.com]:587".

Wietse


Re: Recommendations for antivirus

2013-01-17 Thread DTNX Postmaster
On Jan 17, 2013, at 09:25, Jamie Griffin wrote:

> * Ned Slider  [2013-01-17 04:25:04 +]:
> 
>> On 16/01/13 22:20, Erwan David wrote:
>>> On 16/01/2013 23:17, Terry Gilsenan wrote:
>>>>> -Original Message-
>>>>> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
>>>>> us...@postfix.org] On Behalf Of TFML
>>>>> Sent: Thursday, 17 January 2013 7:55 AM
>>>>> To: Postfix users
>>>>> Subject: Recommendations for antivirus
>>>>>
>>>>> I'm running a server on average week we receive 14,000, send 19,000,
>>>>> and in total deferred/bounced/rejected 5,000 -- Can you guys recommend
>>>>> a good antivirus that will work well with postfix. Meaning efficient in
>>>>> processing emails without dropping them into oblivion or kill the
>>>>> server CPU and/or Memory? Any suggestions will be fantastic!
>>>>>
>>>> I recommend Amavisd-new and clam.
>>>>
>>>>
>>> You may also use clamav as a milter.
>>> 
>> 
>> Another recommendation for ClamAV.
>> 
>> As ClamAV is used predominantly in mail setups, their signature
>> database seems to do fairly well against email-borne threats.
>> Further, it's easy to create and add your own signatures allowing
>> you to respond immediately to an outbreak rather than waiting for
>> signatures to get added to official updates.
> 
> clamav with Sanesecurity signatures - search google for them. easy to install.

We use ClamAV here as well with clamav-milter, although we found the 
Sanesecurity signatures to be too strict to use for straight rejection. 
YMMV, of course, be sure to at least test :-)

Cya,
Jona



Re: smtp_fallback_relay and greylists

2013-01-17 Thread Wietse Venema
Rafael Azevedo:
> > A host is a computer (or virtual machine).  myhostname is a Postfix
> > parameter.  Now plug these into the context of Wietse's statement to you
> > and you should understand.
> 
> Thanks Stan!
> 
> But if I point it to another host (different than myhostname) it
> will send through another IP right? I'm not sure how can I get
> through greylist this way.

host = computer (operating system on top of real or virtual hardware)
MTA = postfix

The text in main.cf assumes that both non-fallback and fallback
MTA run on the same host and that they send mail from the same
source IP address. You could for example:

- Configure both MTAs to use the same smtp_bind_address.

- Configure each MTA with its own IP address and play with NAT.

Wietse
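
Why the source IP address matters here, as an added example that is not part of the original posts: a toy greylist keyed on client network, envelope sender and recipient, with the retry handed from a primary MTA to its smtp_fallback_relay. The class, addresses and timings are constructed, and keying on the exact IP versus a /24 is an assumption about the remote site's greylist.

```python
import ipaddress

# Constructed envelope addresses for the simulation.
SENDER = "news@example.com"
RECIPIENT = "user@example.net"


class Greylist:
    """Toy greylist: defer a (network, sender, recipient) triplet until it
    is retried at least min_delay seconds after it was first seen."""

    def __init__(self, min_delay=300, prefix=32):
        self.min_delay = min_delay
        self.prefix = prefix      # 32 keys on the exact IP, 24 on the /24
        self.first_seen = {}

    def check(self, client_ip, sender, recipient, now):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        key = (net, sender.lower(), recipient.lower())
        # A triplet never seen before starts its own waiting period.
        first = self.first_seen.setdefault(key, now)
        return 250 if now - first >= self.min_delay else 450


def deliver(greylist, primary_ip, fallback_ip, retry_interval=600, max_tries=5):
    """The first attempt comes from the primary MTA, every retry from the
    fallback relay. Returns (time, source_ip, reply_code) per attempt."""
    attempts = []
    for n in range(max_tries):
        ip = primary_ip if n == 0 else fallback_ip
        now = n * retry_interval
        code = greylist.check(ip, SENDER, RECIPIENT, now)
        attempts.append((now, ip, code))
        if code == 250:
            break
    return attempts


if __name__ == "__main__":
    cases = [
        ("same source IP (shared smtp_bind_address)", "192.0.2.10", "192.0.2.10", 32),
        ("fallback on another IP, exact-IP greylist", "192.0.2.10", "198.51.100.20", 32),
        ("fallback in the same /24, /24 greylist", "192.0.2.10", "192.0.2.20", 24),
    ]
    for label, primary, fallback, prefix in cases:
        print(label)
        for now, ip, code in deliver(Greylist(prefix=prefix), primary, fallback):
            print(f"  t={now:>5}s  from {ip:<15} -> {code}")
```

With a different source address the fallback's first retry is a new triplet, so the message is deferred a second time and accepted one retry interval later than it would have been from the original address.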


Re: Relay access denied

2013-01-17 Thread Noel Jones
On 1/17/2013 3:58 AM, Muzaffer wrote:
> Hi,
> 
> Is there a simpler way of making postfix accept mail for all the
> domains I'm hosting, than adding them one by one to
> $virtual_alias_domains?
> 
> Regards,

In addition to listing the domains in main.cf, postfix can read from
an sql database or from an indexed file.  If you have lots of
frequently-changing domains, you are expected to generate this list
automatically or use a shared db.


  -- Noel Jones


Re: Relay access denied

2013-01-17 Thread Muzaffer
On 17 January 2013 16:17, Noel Jones  wrote:

> On 1/17/2013 3:58 AM, Muzaffer wrote:
> > Hi,
> >
> > Is there a simpler way of making postfix accept mail for all the
> > domains I'm hosting, than adding them one by one to
> > $virtual_alias_domains?
> >
> > Regards,
>
> In addition to listing the domains in main.cf, postfix can read from
> an sql database or from an indexed file.  If you have lots of
> frequently-changing domains, you are expected to generate this list
> automatically or use a shared db.
>
>
>   -- Noel Jones
>

I've just found out a virtual file in the format u...@example.com example
doesn't work with virtual_alias_domains. Guess I need to find another
solution.


Re: Relay access denied

2013-01-17 Thread Ansgar Wiechers
On 2013-01-17 Muzaffer wrote:
> On 17 January 2013 16:17, Noel Jones  wrote:
>> On 1/17/2013 3:58 AM, Muzaffer wrote:
>>> Is there a simpler way of making postfix accept mail for all the
>>> domains I'm hosting, than adding them one by one to
>>> $virtual_alias_domains?
>>
>> In addition to listing the domains in main.cf, postfix can read from
>> an sql database or from an indexed file.  If you have lots of
>> frequently-changing domains, you are expected to generate this list
>> automatically or use a shared db.
> 
> I've just found out a virtual file in the format u...@example.com
> example doesn't work with virtual_alias_domains. Guess I need to find
> another solution.

Please describe in more detail what you're trying to achieve. Given this
little information it's highly unlikely anyone could come up with a
satisfactory solution/recommendation.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Relay access denied

2013-01-17 Thread Noel Jones
On 1/17/2013 10:28 AM, Muzaffer wrote:
> 
> 
> On 17 January 2013 16:17, Noel Jones wrote:
> 
> > On 1/17/2013 3:58 AM, Muzaffer wrote:
> > > Hi,
> > >
> > > Is there a simpler way of making postfix accept mail for all the
> > > domains I'm hosting, than adding them one by one to
> > > $virtual_alias_domains?
> > >
> > > Regards,
> >
> > In addition to listing the domains in main.cf, postfix can read from
> > an sql database or from an indexed file.  If you have lots of
> > frequently-changing domains, you are expected to generate this list
> > automatically or use a shared db.
> >
> >
> >   -- Noel Jones
> 
> 
> I've just found out a virtual file in the format u...@example.com
> example doesn't work with virtual_alias_domains. Guess I need to find
> another solution.


The supported format is documented.
http://www.postfix.org/VIRTUAL_README.html#virtual_alias
http://www.postfix.org/postconf.5.html#virtual_alias_domains


If you need more help, you'll need to describe your problem in more
detail.  To report a problem, please see
http://www.postfix.org/DEBUG_README.html#mail




  -- Noel Jones


prevent sasl auth when login in form user@domain

2013-01-17 Thread Fabio Sangiovanni
Hello list,

I'm using postfix 2.6.6 with cyrus-sasl (saslauthd + pam_mysql).
Everything works ok, except that I've noticed that users can login successfully 
using their username with an arbitrary @domain part, that is I see login 
success in 2 cases:
- username = user
- username = u...@whatever.domain.here

My user table contains just the user part.

How can I prevent logins in the form user@domain (i need that for further mail 
processing that happens down the line)?

Thanks in advance!

Configuration follows (let me know if you need more information):

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_min_user = yes
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
in_flow_delay = 0
inet_interfaces = 
inet_protocols = ipv4
local_recipient_maps = 
local_transport = error:local delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 27962028
mydestination = 
mydomain = 
myhostname = 
mynetworks = 
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
debug_peer_list,
fast_flush_domains,
mynetworks,
permit_mx_backup_networks,
qmqpd_authorized_clients,
relay_domains
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = 
relayhost = [my.relay.host.ip]
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP Service Ready
smtpd_discard_ehlo_keywords = dsn
smtpd_hard_error_limit = ${stress?10}${stress:200}
smtpd_helo_required = yes
smtpd_recipient_limit = 1
smtpd_recipient_restrictions =
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
check_recipient_access hash:/etc/postfix/domain.hash,
permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_soft_error_limit = 100
smtpd_tls_cert_file = 
smtpd_tls_key_file = 
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_scache
unknown_local_recipient_reject_code = 550

# saslauthd command line
/usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 0

# /etc/pam.d/smtp.postfix 
auth       required     pam_mysql.so user= passwd= host= db=postfix table=User usercolumn=username passwdcolumn=password crypt=md5 [where=User.isEnabled="1" AND User.isDeleted="0"]
account    sufficient   pam_mysql.so user= passwd= host= db=postfix table=User usercolumn=username passwdcolumn=password crypt=md5 [where=User.isEnabled="1" AND User.isDeleted="0"]

# /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Re: smtp_fallback_relay and greylists

2013-01-17 Thread Steve Jenkins
On Thu, Jan 17, 2013 at 5:28 AM, Wietse Venema  wrote:

> host = computer (operating system on top of real or virtual hardware)
> MTA = postfix
>
> The text in main.cf assumes that both non-fallback and fallback
> MTA run on the same host and that they send mail from the same
> source IP address. You could for example:
>
> - Configure both MTAs to use the same smtp_bind_address.
>
> - Configure each MTA with its own IP address and play with NAT.
>

Could this be achieved with a single instance of Postfix on one host
machine configured for 2+ virtual domains with the same domain name (
mailer1.example.com, mailer2.example.com, etc.), or would it need to be two
separate instances of Postfix running on the same host?

Regardless, if the two MTAs used the same smtp_bind_address, wouldn't that
mean that only one of them would match the host's reverse DNS lookup, and
that the other would have mail rejected by remote hosts that verify the
reverse IP matches the sending IP?


Re: smtp_fallback_relay and greylists

2013-01-17 Thread Wietse Venema
Steve Jenkins:
> Could this be achieved with a single instance of Postfix on one
> host machine configured for 2+ virtual domains with the same domain
> name ( mailer1.example.com, mailer2.example.com, etc.), or would
> it need to be two separate instances of Postfix running on the
> same host?

The idea of smtp_fallback_relay is to NOT share the mail queue.

> Regardless, if the two MTAs used the same smtp_bind_address,
> wouldn't that mean that only one of them would match the host's
> reverse DNS lookup, and that the other would have mail rejected
> by remote hosts that verify the reverse IP matches the sending IP?

smtp_bind_address sets the SOURCE IP address.

Wietse


Re: smtp_fallback_relay and greylists

2013-01-17 Thread Rafael Azevedo
> smtp_bind_address sets the SOURCE IP address.

Yes, but I can't have 2 servers with same smtp_bind_address

- Rafael


Re: smtp_fallback_relay and greylistst

2013-01-17 Thread Wietse Venema
Rafael Azevedo:
> > smtp_bind_address sets the SOURCE IP address.
> 
> Yes, but I can't have 2 servers with same smtp_bind_address

Yes, you can, as long as the MTAs run on the SAME HOST.

Wietse


Re: Fiddling with smtp_fallback_relay

2013-01-17 Thread Steve Jenkins
On Thu, Jan 17, 2013 at 3:45 AM, Stan Hoeppner wrote:

> I know you're not Steve.
>

No.. I AM Steve! ;)


Re: Relay access denied

2013-01-17 Thread Muzaffer
On 17 January 2013 18:40, Ansgar Wiechers  wrote:

> On 2013-01-17 Muzaffer wrote:
> > On 17 January 2013 16:17, Noel Jones  wrote:
> >> On 1/17/2013 3:58 AM, Muzaffer wrote:
> >>> Is there a simpler way of making postfix accept mail for all the
> >>> domains I'm hosting, than adding them one by one to
> >>> $virtual_alias_domains?
> >>
> >> In addition to listing the domains in main.cf, postfix can read from
> >> an sql database or from an indexed file.  If you have lots of
> >> frequently-changing domains, you are expected to generate this list
> >> automatically or use a shared db.
> >
> > I've just found out a virtual file in the format u...@example.com
> > example doesn't work with virtual_alias_domains. Guess I need to find
> > another solution.
>
> Please describe in more detail what you're trying to achieve. Given this
> little information it's highly unlikely anyone could come up with a
> satisfactory solution/recommendation.
>

I'm running a server with Virtualmin, and I'd like to be able to automate
the generation of $virtual_alias_domains. If there is no way other than
adding them manually, that is also not desired but fine.

Regards,
Muzaffer,

>
> Regards
> Ansgar Wiechers
> --
> "Abstractions save us time working, but they don't save us time learning."
> --Joel Spolsky
>


Re: Backup server

2013-01-17 Thread Muhammad Yousuf Khan
On Thu, Jan 17, 2013 at 1:59 PM, Robert Schetterer  wrote:
> On 17.01.2013 07:59, Muhammad Yousuf Khan wrote:
>> i want to plan a backup postfix server for minimizing the downtime. i
>> have read about MX record entry to use as backup server . but this if
>> for pure postfix only in my case i will be running round cube, dovecot
>> for IMAP storage. how is that possible that i just have to change the
>> DNS entry and people start accessing same settings same view of round
>> cube with in just 1 or 2 minutes of delay.
>> is there anyone can help me? DRBD is kinda complex. just for your
>> knowledge i am using local hard drive as storage not external storage.
>>
>>  Thanks,
>>
>
> dns loadbalancing does not play very well,
> so you want no traditional mx backup mailserver
> instead you want some HA Setup with all mail related stuff (
> smtp/pop3/imap/webmail ), using drbd/nfs and loadbalancer/directors are
> the way you have to go, postfix isn't the harder part for that, so better ask
> and search for HA setup with dovecot first, i.e on dovecot list etc

Thanks i got your point
>
>
> Best Regards
> MfG Robert Schetterer
>
> --
> [*] sys4 AG
>
> http://sys4.de, +49 (89) 30 90 46 64
> Franziskanerstraße 15, 81669 München
>
> Registered office: Munich, Munich District Court: HRB 199263
> Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
> Chairman of the Supervisory Board: Joerg Heidrich


Re: smtp_fallback_relay and greylistst

2013-01-17 Thread Wietse Venema
Rafael Azevedo:
> > Yes, you can, as long as the MTAs run on the SAME HOST.
> 
> Hmm.. Is there anyway we can have multiple postfix instances sharing
> the same queue?

Definitely not.

Wietse


Re: Balancing destination concurrency + rate delay

2013-01-17 Thread Wietse Venema
Steve Jenkins:
> yahoo_destination_concurrency_limit = 4
> yahoo_destination_recipient_limit = 2
> yahoo_destination_rate_delay = 1s

As documented, rate_delay enforces a delay BETWEEN deliveries to
the same destination, and therefore, the concurrency to that
destination is always 1.  I see no way to enforce delays BETWEEN
simultaneous deliveries to the same destination.

The documentation also has a warning concerning per-destination
recipient limit (the concept of destination depends on the recipient
limit). Different destinations are delivered in parallel.

Wietse



Re: Balancing destination concurrency + rate delay

2013-01-17 Thread Steve Jenkins
On Thu, Jan 17, 2013 at 1:03 PM, Wietse Venema  wrote:

> Steve Jenkins:
> > yahoo_destination_concurrency_limit = 4
> > yahoo_destination_recipient_limit = 2
> > yahoo_destination_rate_delay = 1s
>
> As documented, rate_delay enforces a delay BETWEEN deliveries to
> the same destination, and therefore, the concurrency to that
> destination is always 1.  I see no way to enforce delays BETWEEN
> simultaneous deliveries to the same destination.
>

Thanks for clearing that up. So I can tinker with destination concurrency
OR rate delay, but not both.

So now I suppose my follow-up question is what's more likely to keep the
big MTAs happier? Delays between individual deliveries or limited
concurrency?


> The documentation also has a warning concerning per-destination
> recipient limit (the concept of destination depends on the recipient
> limit). Different destinations are delivered in parallel.
>

I read that warning, but wasn't sure I understood it properly. I know that
setting destination recipient limit to anything above one defines a
"destination" as a domain, so by setting it to 2 we're saying "wait 1s
between every delivery to a Yahoo domain," right? And if every message sent
is unique, would that mean there'd be no difference between a setting of 2
and the default of 50 in this case?


Re: RBLs, submission port, and permit_sasl_authenticated

2013-01-17 Thread Quanah Gibson-Mount
--On Wednesday, January 09, 2013 10:53 AM -0800 Quanah Gibson-Mount wrote:

>> Submission and "smtps" perform essentially the same function, and
>> should get identical settings, with the obvious addition of tls
>> wrappermode for smtps.
>
> Perfect, thank you very much!

Ok, I've modified my master.cf for the smtpd daemons to the following. 
Does it appear in general, more sane?

smtp  inet  n   -   n   -   -   smtpd
   -o content_filter=scan:[127.0.0.1]:10029
465   inet  n   -   n   -   -   smtpd
   -o content_filter=scan:[127.0.0.1]:10029
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=
   -o smtpd_sender_restrictions=
submission inet n  -   n   -   -   smtpd
   -o content_filter=scan:[127.0.0.1]:10029
   -o smtpd_etrn_restrictions=reject
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_security_level=may
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=
   -o smtpd_sender_restrictions=
[127.0.0.1]:10025 inet n  -   n   -   -  smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o virtual_mailbox_maps=
   -o virtual_alias_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_milters=
   -o smtpd_sender_restrictions=
   -o smtpd_relay_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks_style=host
   -o mynetworks=127.0.0.0/8,[::1]/128
   -o strict_rfc821_envelopes=yes
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
   -o local_header_rewrite_clients=
[127.0.0.1]:10029 inet n - n - - smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o virtual_mailbox_maps=
   -o virtual_alias_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_milters=inet:localhost:8465
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_sender_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_relay_restrictions=
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=

Thanks!

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: RBLs, submission port, and permit_sasl_authenticated

2013-01-17 Thread Noel Jones
On 1/17/2013 3:56 PM, Quanah Gibson-Mount wrote:
> --On Wednesday, January 09, 2013 10:53 AM -0800 Quanah Gibson-Mount
>  wrote:
> 
>>> Submission and "smtps" perform essentially the same function, and
>>> should get identical settings, with the obvious addition of tls
>>> wrappermode for smtps.
>>
>> Perfect, thank you very much!
> 
> Ok, I've modified my master.cf for the smtpd daemons to the
> following. Does it appear in general, more sane?
> 
> smtp  inet  n   -   n   -   -   smtpd
>    -o content_filter=scan:[127.0.0.1]:10029
> 465   inet  n   -   n   -   -   smtpd
>    -o content_filter=scan:[127.0.0.1]:10029
>    -o smtpd_tls_wrappermode=yes
>    -o smtpd_sasl_auth_enable=yes
>    -o smtpd_client_restrictions=
>    -o smtpd_data_restrictions=
>    -o smtpd_end_of_data_restrictions=
>    -o smtpd_helo_restrictions=
>    -o smtpd_recipient_restrictions=
>    -o smtpd_relay_restrictions=

I don't think postfix will start (or at least won't start this
service) with both smtpd_recipient_restrictions and
smtpd_relay_restrictions set empty.

For submission/smtps, one of these needs to be set eg.

  smtpd_relay_restrictions=permit_sasl_authenticated,reject

It's also customary to set
-o milter_macro_daemon_name=ORIGINATING
in case a milter gets put in the loop,

and I find it very useful to set the syslog name
-o syslog_name=postfix/smtps
(similar for postfix/submission).





  -- Noel Jones
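
A lint for the points raised in the message above, as an added example that is not part of the original post and not a Postfix tool: it parses master.cf, resolves each smtpd service's -o overrides against main.cf values, and flags services with no reject/defer entry in either restriction list, SASL-enabled services without milter_macro_daemon_name or syslog_name, and -o lines broken by line wrapping. Finding codes and sample data are constructed; the guard list beyond reject and reject_unauth_destination is an assumption taken from postconf(5).

```python
# Restrictions that reject or defer by default. The thread uses "reject" and
# "reject_unauth_destination"; the others are assumed from postconf(5).
RELAY_GUARDS = {
    "reject", "defer", "defer_if_permit",
    "reject_unauth_destination", "defer_unauth_destination",
}
RELAY_KEYS = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")


def parse_master_cf(text):
    """Return (services, problems) from master.cf text.

    services: list of (name, command, {override: value}) per service entry.
    problems: list of (label, code) for lines that cannot be parsed cleanly.
    """
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + stripped   # leading whitespace continues a line
        else:
            logical.append(stripped)

    services, problems = [], []
    for line in logical:
        fields = line.split()
        if len(fields) < 8:
            # Typical cause: "-o name=value" wrapped after the "-o".
            problems.append((fields[0], "not-a-service-line"))
            continue
        name, command, args = fields[0], fields[7], fields[8:]
        overrides, i = {}, 0
        while i < len(args):
            if args[i] == "-o":
                if i + 1 < len(args) and "=" in args[i + 1]:
                    key, _, value = args[i + 1].partition("=")
                    overrides[key] = value
                    i += 2
                    continue
                problems.append((name, "dangling-o"))
            i += 1
        services.append((name, command, overrides))
    return services, problems


def has_guard(value):
    """True if a restriction list contains a reject/defer-by-default entry."""
    return any(tok in RELAY_GUARDS for tok in value.replace(",", " ").split())


def lint(text, main_cf=None):
    """Return (service, code) findings; pass main.cf values (for example from
    postconf -n) as a dict so inherited settings are taken into account."""
    main_cf = main_cf or {}
    services, findings = parse_master_cf(text)
    for name, command, ov in services:
        if command != "smtpd":
            continue
        # A "-o key=" override wins over main.cf, even when it is empty.
        effective = [ov.get(k, main_cf.get(k, "")) for k in RELAY_KEYS]
        if not any(has_guard(v) for v in effective):
            findings.append((name, "no-relay-guard"))
        if ov.get("smtpd_sasl_auth_enable") == "yes":
            # The two extra settings suggested for submission/smtps services.
            for key in ("milter_macro_daemon_name", "syslog_name"):
                if key not in ov:
                    findings.append((name, "missing-" + key))
    return findings


# Constructed samples modelled on the entries quoted in the thread.
SAMPLE_MAIN_CF = {
    "smtpd_recipient_restrictions": "permit_mynetworks,reject_unauth_destination",
}
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
  -o content_filter=scan:[127.0.0.1]:10029
465        inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o syslog_name=postfix/submission
  -o milter_macro_daemon_name=ORIGINATING
"""
WRAPPED_MASTER_CF = """\
465        inet  n  -  n  -  -  smtpd
  -o smtpd_relay_restrictions=reject
  -o
receive_override_options=no_address_mappings
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MASTER_CF, WRAPPED_MASTER_CF):
        for service, code in lint(sample, SAMPLE_MAIN_CF):
            print(f"{service}: {code}")
```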


Re: RBLs, submission port, and permit_sasl_authenticated

2013-01-17 Thread Quanah Gibson-Mount
--On Thursday, January 17, 2013 4:12 PM -0600 Noel Jones wrote:

> On 1/17/2013 3:56 PM, Quanah Gibson-Mount wrote:
>> --On Wednesday, January 09, 2013 10:53 AM -0800 Quanah Gibson-Mount
>> wrote:
>>
>>>> Submission and "smtps" perform essentially the same function, and
>>>> should get identical settings, with the obvious addition of tls
>>>> wrappermode for smtps.
>>>
>>> Perfect, thank you very much!
>>
>> Ok, I've modified my master.cf for the smtpd daemons to the
>> following. Does it appear in general, more sane?
>>
>> smtp  inet  n   -   n   -   -   smtpd
>>    -o content_filter=scan:[127.0.0.1]:10029
>> 465   inet  n   -   n   -   -   smtpd
>>    -o content_filter=scan:[127.0.0.1]:10029
>>    -o smtpd_tls_wrappermode=yes
>>    -o smtpd_sasl_auth_enable=yes
>>    -o smtpd_client_restrictions=
>>    -o smtpd_data_restrictions=
>>    -o smtpd_end_of_data_restrictions=
>>    -o smtpd_helo_restrictions=
>>    -o smtpd_recipient_restrictions=
>>    -o smtpd_relay_restrictions=

Hi Noel,

> I don't think postfix will start (or at least won't start this
> service) with both smtpd_recipient_restrictions and
> smtpd_relay_restrictions set empty.

Yeah, I just ran into that in testing the changes in more detail.

> For submission/smtps, one of these needs to be set eg.
>
>   smtpd_relay_restrictions=permit_sasl_authenticated,reject

Thanks, done, and it looks much better. ;)

> It's also customary to set
> -o milter_macro_daemon_name=ORIGINATING
> in case a milter gets put in the loop,

Ok, that is quite helpful to know.

> and I find it very useful to set the syslog name
> -o syslog_name=postfix/smtps
> (similar for postfix/submission).

That's really helpful, thank you. :)

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: RBLs, submission port, and permit_sasl_authenticated

2013-01-17 Thread Quanah Gibson-Mount
--On Thursday, January 17, 2013 2:26 PM -0800 Quanah Gibson-Mount wrote:

> Hi Noel,
>
>> I don't think postfix will start (or at least won't start this
>> service) with both smtpd_recipient_restrictions and
>> smtpd_relay_restrictions set empty.
>
> Yeah, I just ran into that in testing the changes in more detail.
>
>> For submission/smtps, one of these needs to be set eg.
>>
>>   smtpd_relay_restrictions=permit_sasl_authenticated,reject
>
> That's really helpful, thank you. :)


Hi Noel,

With testing, I have the following for 465/submission.  Thanks again for 
the pointers!  I used reject_unauth_destination because with just "reject", 
some of my mail tests failed.


465        inet  n   -   n   -   -   smtpd
   -o content_filter=scan:[127.0.0.1]:10029
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
   -o smtpd_sender_restrictions=
   -o syslog_name=postfix/smtps
   -o milter_macro_daemon_name=ORIGINATING
submission inet  n   -   n   -   -   smtpd
   -o content_filter=scan:[127.0.0.1]:10029
   -o smtpd_etrn_restrictions=reject
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_security_level=may
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
   -o smtpd_sender_restrictions=
   -o syslog_name=postfix/submission
   -o milter_macro_daemon_name=ORIGINATING


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: RBLs, submission port, and permit_sasl_authenticated

2013-01-17 Thread Noel Jones
On 1/17/2013 4:42 PM, Quanah Gibson-Mount wrote:
> 
> With testing, I have the following for 465/submission.  Thanks again
> for the pointers!  I used reject_unauth_destination because with
> just "reject", some of my mail tests failed.


That implies you were sending unauthenticated mail to a local domain
via smtps.  As a general rule, that's something you want to prevent
since it bypasses all your carefully crafted antispam controls.  I
have seen a few attempts to deliver spammy-looking unauthenticated
mail via smtps/465, haven't noticed it on submission/587 (but never
really looked for it).

So reject_unauth_destination is OK for testing, but for production I
would strongly suggest leaving it at reject.

If you need to send unauthenticated mail over smtps/submission on an
ongoing basis, you can define a very limited -o mynetworks=...
setting and add permit_mynetworks before the reject.



  -- Noel Jones
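
The difference between ending the submission/smtps relay restrictions with `reject` and with `reject_unauth_destination`, together with the both-empty case from earlier in the thread, can be checked mechanically. The following is an added example, not code from the thread or from Postfix; the sample entries are constructed, the verdict strings and the set of service names are assumptions of the example, and it reads only the `-o` overrides in master.cf (values inherited from main.cf are reported as needing a manual check).

```python
import re

# Constructed master.cf excerpt modelled on the entries posted in the thread.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
465        inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
submission inet  n  -  n  -  -  smtpd
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""
# Service names treated as submission-type listeners (assumption of this example).
SUBMISSION_SERVICES = {"465", "smtps", "587", "submission"}

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) onto their entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    return entries

def audit(text):
    """Map each submission-type smtpd service to a verdict on its -o overrides."""
    verdicts = {}
    for entry in logical_lines(text):
        fields = entry.split()
        if (len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd"
                or fields[0] not in SUBMISSION_SERVICES):
            continue
        opts = dict(re.findall(r"-o\s+(\w+)=(\S*)", entry))
        relay = opts.get("smtpd_relay_restrictions")
        rcpt = opts.get("smtpd_recipient_restrictions")
        rules = [r for r in re.split(r"[,\s]+", f"{relay or ''},{rcpt or ''}") if r]
        if "reject" in rules:
            verdicts[fields[0]] = "closed"          # unauthenticated clients refused
        elif relay is None or rcpt is None:
            verdicts[fields[0]] = "check main.cf"   # inherited value not visible here
        elif not rules:
            verdicts[fields[0]] = "both empty"      # the case expected not to start
        else:
            verdicts[fields[0]] = "local unauthenticated mail accepted"
    return verdicts
```

Running `audit(SAMPLE_MASTER_CF)` flags the 465 entry and passes the submission entry; the port 25 `smtp` service is skipped because it is not a submission-type listener.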


troubleshooting inability to receive email: should I see a process running on port 25?

2013-01-17 Thread Tracy Wise
Hi, I'm setting up a dedicated server from 1&1 Internet which has CentOS 6.3
with Postfix 2.8.4 and Plesk 11.0.9 pre-installed.

Though I've added the main domain name (and set the server hostname to be
the same), and a mailbox for that domain, in Plesk, and set Plesk to
activate mail for the domain, no one is able to send an email to the
server.  I tried to telnet to port 25 of my server and it says Connection
refused.  I did "sudo netstat -nlp" and I can't find any process running on
port 25.

Should there be a postfix process running on port 25, in order for me to
receive mail?  If so then at least I know what direction to go in
troubleshooting.

Any guidance would be greatly appreciated.

Thanks!

Tracy


Re: troubleshooting inability to receive email: should I see a process running on port 25?

2013-01-17 Thread Reindl Harald


On 18.01.2013 05:50, Tracy Wise wrote:
> Should there be a postfix process running on port 25, in order for me to 
> receive mail?  If so then at least I know
> what direction to go in troubleshooting.
> 
> Any guidance would be greatly appreciated

main.cf:
inet_interfaces = all

master.cf:
smtp      inet  n       -       n       -       -       smtpd
___

however, you should carefully read the documentation before
starting to set up an smtpd reachable from the internet!

http://www.postfix.org/documentation.html
http://www.postfix.org/BASIC_CONFIGURATION_README.html





Re: troubleshooting inability to receive email: should I see a process running on port 25?

2013-01-17 Thread Tracy Wise
Thanks Reindl.

I do indeed have that line in main.cf.

However in master.cf there is a slight difference.  Mine says:

smtp  unix  -   -   n   -   -   smtp

Notice "unix" instead of "inet".  Do you think that's the problem?  But I
would think it should be set right out of the box with Plesk pre-installed,
or that there should be a setting in Plesk to enable it.

And am I right in assuming that there should be a process running on port
25?

On Fri, Jan 18, 2013 at 12:55 PM, Reindl Harald wrote:

>
>
> On 18.01.2013 05:50, Tracy Wise wrote:
> > Should there be a postfix process running on port 25, in order for me to
> > receive mail?  If so then at least I know
> > what direction to go in troubleshooting.
> >
> > Any guidance would be greatly appreciated
>
> main.cf:
> inet_interfaces = all
>
> master.cf:
> smtp      inet  n       -       n       -       -       smtpd
> ___
>
> however, you should carefully read the documentation before
> starting to set up an smtpd reachable from the internet!
>
> http://www.postfix.org/documentation.html
> http://www.postfix.org/BASIC_CONFIGURATION_README.html
>
>


Re: troubleshooting inability to receive email: should I see a process running on port 25?

2013-01-17 Thread Reindl Harald


On 18.01.2013 06:13, Tracy Wise wrote:
> Thanks Reindl.
> 
> I do indeed have that line in main.cf.
> 
> However in master.cf there is a slight difference.  Mine says:
> 
> smtp  unix  -   -   n   -   -   smtp

this is NOT the smtpd line
why do you not post your config file to help others helping you?

> Notice "unix" instead of "inet".  Do you think that's the problem?

no, that one is for sending messages FROM your server
that is why i referred to the basic documentation!

>  But I would think it should be set right out of
> the box with Plesk pre-installed, or that there should be a setting in Plesk 
> to enable it.

sorry, this is the postfix-list not the plesk one

> And am I right in assuming that there should be a process running on port 25?

surely - but as default a sane setup does not listen on the network
because it is HIGHLY dangerous before a secure configuration to
get a spam-relay





Re: troubleshooting inability to receive email: should I see a process running on port 25?

2013-01-17 Thread Muzaffer Tolga Ozses
Sent from myPhone

On 18 Jan 2013, at 07:25, Reindl Harald wrote:

>
>
> On 18.01.2013 06:13, Tracy Wise wrote:
>> Thanks Reindl.
>>
>> I do indeed have that line in main.cf.
>>
>> However in master.cf there is a slight difference.  Mine says:
>>
>> smtp  unix  -   -   n   -   -   smtp
>
> this is NOT the smtpd line
> why do you not post your config file to help others helping you?
>
>> Notice "unix" instead of "inet".  Do you think that's the problem?
>
> no, that one is for sending messages FROM your server
> that is why i referred to the basic documentation!
>
>> But I would think it should be set right out of
>> the box with Plesk pre-installed, or that there should be a setting in Plesk 
>> to enable it.
>
> sorry, this is the postfix-list not the plesk one
>
>> And am I right in assuming that there should be a process running on port 25?
>
> surely - but as default a sane setup does not listen on the network
> because it is HIGHLY dangerous before a secure configuration to
> get a spam-relay
>

Hi, please post your postconf -n output.

M