Re: Relaying email to exchange
On 15.02.2013 01:30, Simon Walter wrote:
> On 02/15/2013 06:10 AM, Reindl Harald wrote:
>>
>> no need for two MX records at all
>
> I think perhaps that is a bit of hasty advice. I'm quite sure given a large
> enough infrastructure and traffic load
> that you'd want two or more MX records with a different SMTP server sitting
> behind each IP address. I could (and
> have been) wrong though.

in this case the setup should be done by people who know what they are doing
and you are unlikely to have an exchange as MX

having two MX and only one of them filters spam is dumb
the two MX must behave identical from outside
Re: Relaying email to exchange
Kevin,

On 02/14/2013 09:41 PM, Kevin Blackwell wrote:
> I have 2 mx records. The primary is Exchange's edge server that has its
> own internal spam filtering. The secondary is postfix server relaying
> mail to the edge server as a backup mx record. Are you saying the
> postfix server should be behind the Exchange edge server?
>

A rule of thumb is that if you must have a backup MX you should have the same spam defence as on the primary one. If you can't do that, I suggest you drop the backup MX. Alternatively you can hide the exchange behind a postfix, but then you should let postfix do the spam filtering and disable spam filter on the exchange.

You must now ask yourself the question why you need a backup MX.

HTH,
Mikael
postfix multiple WAN-IP setup
EHLO list,

we have two WAN connections. One has the RDNS entry mx0.example.com the other has mx1.example.com. Is there a way to set up postfix so that it will reply with the correct hostname? I know that you can do this in master.cf but the server is behind a NAT, so Postfix doesn't have any knowledge about the WAN-IPs.

Thanks for any ideas.

Best regards
Tom Loewen
Re: Postscreen RBLs
On 11/2/2013 6:47 PM, Noel Jones wrote:
> There is no one-size-fits-all, so do what fits at your site.
>
> What some folks do is weigh barracuda*1 and a few other dnsbl's such
> as bl.spamcop.net, bl.spameatingmonkey.net,
> fresh.spameatingmonkey.net, hostkarma.junkemailfilter.com=127.0.0.2,
> or ix.dnsbl.manitu.net, all scored at one. That way multiple
> less-trusted dnsbl's must list a site to reject their mail.
>
> Opinions on which dnsbls are safe to block on their own vary
> greatly. Adjust the postscreen scores as you see fit.

Thanks Noel, and everyone else for your feedback.

Nick
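
[Added example, not part of the thread and not Postfix code: a small Python model of the weighting described in the quoted advice, where every list scores one and a single listing is not enough. The threshold of 2 and the sample DNSBL replies are assumptions constructed for illustration; the list names are the ones mentioned in the message.]

```python
import re

# Constructed postscreen_dnsbl_sites value: domain[=filter][*weight], all weighted 1.
SITES = ("bl.spamcop.net*1, bl.spameatingmonkey.net*1, "
         "hostkarma.junkemailfilter.com=127.0.0.2*1, ix.dnsbl.manitu.net*1")
THRESHOLD = 2  # assumed postscreen_dnsbl_threshold: two listings needed

ENTRY = re.compile(r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[\d.]+))?(?:\*(?P<weight>-?\d+))?$")


def parse_sites(spec):
    """Split the list into (domain, filter or None, weight) tuples."""
    sites = []
    for item in spec.split(","):
        m = ENTRY.match(item.strip())
        if m is None:
            raise ValueError(f"unparseable entry: {item!r}")
        sites.append((m["domain"], m["filter"], int(m["weight"] or 1)))
    return sites


def dnsbl_score(sites, replies):
    """Sum the weights of the lists that returned a matching answer.

    replies maps a DNSBL domain to the A records it returned for the client;
    a missing or empty entry means "not listed". Only exact-address filters
    are modelled here, not Postfix's [a..b] range patterns.
    """
    total = 0
    for domain, wanted, weight in sites:
        answers = replies.get(domain, [])
        listed = (wanted in answers) if wanted else bool(answers)
        if listed:
            total += weight  # each entry counts once, however many A records match
    return total


def over_threshold(replies, spec=SITES, threshold=THRESHOLD):
    """Return (score, True if the score reaches the threshold)."""
    score = dnsbl_score(parse_sites(spec), replies)
    return score, score >= threshold


# Constructed replies for three clients.
ONE_LIST = {"bl.spamcop.net": ["127.0.0.2"]}
TWO_LISTS = {"bl.spamcop.net": ["127.0.0.2"], "ix.dnsbl.manitu.net": ["127.0.0.2"]}
WRONG_CODE = {"bl.spamcop.net": ["127.0.0.2"],
              "hostkarma.junkemailfilter.com": ["127.0.0.1"]}
```

A client on one list stays under the threshold, a client on two reaches it, and a hostkarma answer other than 127.0.0.2 adds nothing because of the `=127.0.0.2` filter.
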
Graphing mail stats
Hello,

Does anyone know of any app like mailgraph, smart enough to combine data from amavis and postfix and provide more detailed stats like:

- Mail dropped by postscreen
- Mail dropped by amavis as spam (through spamassassin)
- Mail dropped by amavis as virus (through clamd)

Ideally it would provide a web interface to allow ad hoc queries based on various criteria: time period, stats per sending server/domain etc.

Any ideas?

Thanks,
Nick
Re: postfix multiple WAN-IP setup
On 15/02/2013 16:14, Tom Loewen wrote:
> EHLO list,
>
> we have two WAN connections. One has the RDNS entry mx0.example.com the
> other has mx1.example.com. Is there a way to set up postfix so that it
> will reply with the correct hostname? I know that you can do this in
> master.cf but the server is behind a NAT, so Postfix doesn't have any
> knowledge about the WAN-IPs.

You need to inform postfix:

- Set up virtual interface with different internal IP on postfix machine
- or listen on different port

But all of this works only with proper set up of NAT, route ...

Levi

> Thanks for any ideas.
>
> Best regards
> Tom Loewen
Re: postfix multiple WAN-IP setup
Tom Loewen:
> EHLO list,
>
> we have two WAN connections. One has the RDNS entry mx0.example.com the
> other has mx1.example.com. Is there a way to set up postfix so that it
> will reply with the correct hostname? I know that you can do this in
> master.cf but the server is behind a NAT, so Postfix doesn't have any
> knowledge about the WAN-IPs.

http://www.postfix.org/BASIC_CONFIGURATION_README.html#proxy_interfaces

You MUST specify external IP addresses with main.cf:proxy_interfaces. This is required to prevent mail from looping between MX hosts, and is required to handle mail for user@[ipaddress].

If you want Postfix to reply with the right hostname without knowing the connection destination address, then send your donations for a project that adds telepathic intelligence to Postfix.

Wietse
Re: Graphing mail stats
On 15/02/2013 16:29, Nikolaos Milas wrote:
> Hello,
>
> Does anyone know of any app like mailgraph, smart enough to combine
> data from amavis and postfix and provide more detailed stats like:
>
> Mail dropped by postscreen
> Mail dropped by amavis as spam (through spamassassin)
> Mail dropped by amavis as virus (through clamd)

Mailgraph http://mailgraph.schweikert.ch/ is really cool, but need to make some modifications to see postscreen rejects:
http://www.birkosan.com/2012/05/mailgraph-with-postfixpostscreen.html

Amavisd stats is harder a little bit.
I use with cacti through amavisd-new-snmp

http://forums.cacti.net/viewtopic.php?f=12&t=46790

> Ideally it would provide a web interface to allow ad hoc queries based
> on various criteria: time period, stats per sending server/domain etc.
>
> Any ideas?
>
> Thanks,
> Nick
Re: Graphing mail stats
I think mailgraph can't show different domains.

// hi Levente :)

On 2013-02-15 15:53, Birta Levente wrote:
> On 15/02/2013 16:29, Nikolaos Milas wrote:
>
>> Hello,
>>
>> Does anyone know of any app like mailgraph, smart enough to combine
>> data from amavis and postfix and provide more detailed stats like:
>>
>> Mail dropped by postscreen
>> Mail dropped by amavis as spam (through spamassassin)
>> Mail dropped by amavis as virus (through clamd)
>
> Mailgraph http://mailgraph.schweikert.ch/ [1] is really cool, but need to
> make some modifications to see postscreen rejects:
> http://www.birkosan.com/2012/05/mailgraph-with-postfixpostscreen.html [2]
>
> Amavisd stats is harder a little bit.
> I use with cacti through amavisd-new-snmp
>
> http://forums.cacti.net/viewtopic.php?f=12&t=46790 [3]
>
>> Ideally it would provide a web interface to allow ad hoc queries based
>> on various criteria: time period, stats per sending server/domain etc.
>>
>> Any ideas?
>>
>> Thanks,
>> Nick

Links:
--
[1] http://mailgraph.schweikert.ch/
[2] http://www.birkosan.com/2012/05/mailgraph-with-postfixpostscreen.html
[3] http://forums.cacti.net/viewtopic.php?f=12&t=46790
Re: postfix multiple WAN-IP setup
On Fri, 15 Feb 2013 09:32:26 -0500 (EST), Wietse Venema wrote:
> You MUST specify external IP addresses with main.cf:proxy_interfaces.
> This is required to prevent mail from looping between MX hosts, and
> is required to handle mail for user@[ipaddress].

Hi Wietse,

thanks. I'll have a look.

> If you want Postfix to reply with the right hostname without knowing
> the connection destination address, then send your donations for a
> project that adds telepathic intelligence to Postfix.

How much? :)

Best regards
Tom
Re: postfix multiple WAN-IP setup
On Fri, 15 Feb 2013 16:31:52 +0200, Birta Levente wrote:
> But all of this work only with proper set up of NAT, route ...

Hi Levi,

thanks. I didn't recognize that I could have another Port 25 NAT-Rule on my WAN2-Interface.

Best regards
Tom
Re: postfix multiple WAN-IP setup
On Fri, Feb 15, 2013 at 03:14:44PM +0100, Tom Loewen wrote:
> We have two WAN connections. One has the RDNS entry mx0.example.com the
> other has mx1.example.com. Is there a way to set up postfix so that it
> will reply with the correct hostname? I know that you can do this in
> master.cf but the server is behind a NAT, so Postfix doesn't have any
> knowledge about the WAN-IPs.

This is the wrong question. Nobody cares about the hostname in the 220 banner or in the 250- EHLO response. If there is a howto or other document somewhere that suggests that an SMTP server should have a hostname matching its external IP, ignore it, it is written by an ignorant person.

This said, there is a better question to ask about an MTA behind a dual-IP NAT. While incoming mail requires no particular attention, outgoing mail really SHOULD use a HELO that matches the source IP of the SMTP client. Since the MTA is behind a dual NAT that will determine the source IP address dynamically (presumably by determining the "best" route interface for the destination) the MTA cannot predict its source IP address. Therefore, with two external IPs, say 192.0.2.1 and 192.0.2.2, the correct DNS setup is:

    192.0.2 zone file:

        1.2.0.192.in-addr.arpa. IN PTR smtp.example.com.
        2.2.0.192.in-addr.arpa. IN PTR smtp.example.com.

    example.com zone file:

        smtp.example.com. IN A 192.0.2.1
        smtp.example.com. IN A 192.0.2.2
        example.com.      IN MX 0 smtp.example.com.

that is, give both IPs the *same* name, and configure the (Postfix) MTA with:

    proxy_interfaces = 192.0.2.1, 192.0.2.2
    smtp_helo_name = smtp.example.com

In some cases, the second IP address is a backup and is slower or incurs higher traffic costs, ... So you may want different MX preferences for the two IPs, this is still possible with the above:

    modified example.com zone file:

        ;
        ; forward resolution matches PTR records
        ;
        smtp.example.com.  IN A 192.0.2.1
        smtp.example.com.  IN A 192.0.2.2
        ;
        ; additional per-IP address names
        ;
        smtp1.example.com. IN A 192.0.2.1
        smtp2.example.com. IN A 192.0.2.2
        ;
        ; MX records prefer the first IP address over the second
        ;
        example.com.       IN MX 10 smtp1.example.com.
        example.com.       IN MX 20 smtp2.example.com.

This covers all sensible NAT-specific questions about such a setup. Once again, don't waste your time misconfiguring the hostname of the inbound SMTP server. Returning the hostname of the system (even if internal) is just fine.

--
	Viktor.
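
[Added example, not part of the thread: an offline Python check of the point made in the message above, that an MTA which cannot predict its source IP needs one HELO name that is valid for every external address. The two record sets are constructed from the names and addresses used in this thread; `load` and `helo_problems` are hypothetical helper names.]

```python
import ipaddress

# Constructed from the records in the message above (one shared name).
SHARED_NAME = """
1.2.0.192.in-addr.arpa. IN PTR smtp.example.com.
2.2.0.192.in-addr.arpa. IN PTR smtp.example.com.
smtp.example.com. IN A 192.0.2.1
smtp.example.com. IN A 192.0.2.2
"""
# Constructed contrast: one PTR name per IP, as in the original question.
PER_IP_NAMES = """
1.2.0.192.in-addr.arpa. IN PTR mx0.example.com.
2.2.0.192.in-addr.arpa. IN PTR mx1.example.com.
mx0.example.com. IN A 192.0.2.1
mx1.example.com. IN A 192.0.2.2
"""


def load(zone_text):
    """Return ({reverse owner: PTR target}, {name: set of A addresses})."""
    ptr, addrs = {}, {}
    for raw in zone_text.splitlines():
        fields = raw.split(";")[0].split()  # drop zone-file comments
        if len(fields) != 4:
            continue
        owner, _cls, rtype, data = (f.lower().rstrip(".") for f in fields)
        if rtype == "ptr":
            ptr[owner] = data
        elif rtype == "a":
            addrs.setdefault(owner, set()).add(data)
    return ptr, addrs


def helo_problems(zone_text, external_ips, helo_name):
    """List every external IP whose PTR/A/HELO triple is inconsistent."""
    ptr, addrs = load(zone_text)
    problems = []
    for ip in external_ips:
        name = ptr.get(ipaddress.ip_address(ip).reverse_pointer)
        if name is None:
            problems.append(f"{ip}: no PTR record")
        elif ip not in addrs.get(name, set()):
            problems.append(f"{ip}: {name} has no A record for it")
        elif name != helo_name.lower().rstrip("."):
            problems.append(f"{ip}: PTR {name} != HELO {helo_name}")
    return problems


IPS = ["192.0.2.1", "192.0.2.2"]  # the proxy_interfaces values
```

With the shared name, `smtp_helo_name = smtp.example.com` is consistent whichever address the NAT picks; with per-IP PTR names, any single HELO value mismatches one of the two paths.
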
Re: virtual-regex problem
I have checked my syntax and added another email matching string. It works only if wild card match is not present. As soon as wildcard is added other matches stop working. I can see in the maillog that initially regex is happening and then wildcard takes over. Is there anything else I can look at?

Thank you
Re: virtual-regex problem
On 2/15/2013 10:34 AM, Alex wrote:
> I have checked my syntax and added another email matching string. It
> works only if wild card match is not present. As soon as wildcard is
> added other matches stop working. I can see in the maillog that
> initially regex is happening and then wildcard takes over. Is there
> anything else I can look at it? Thank you
>

As documented, virtual_alias_maps lookups are recursive, meaning the map is searched repeatedly until either there is no result, or the result is the same as the lookup key.

To keep the wildcard from grabbing everything (wildcards are evil), your map must have extra entries to "protect" the addresses you don't want grabbed by the wildcard. This is called a 1-1 mapping entry.

Your map must be structured similar to:

    A -> B      # rewrite A to B
    B -> B      # 1-1 mapping to protect B from wildcard
    wildcard    # wildcard matches everything

Your map is missing the 1-1 mapping entry, so the wildcard matches everything.

  -- Noel Jones
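
[Added example, not part of the thread and not Postfix code: a simplified Python model of the lookup rule described in the message above (first matching pattern wins, and the result is looked up again until there is no result or the result equals the key), showing the map with and without the 1-1 entry. All addresses are constructed placeholders and the iteration limit is an assumed guard.]

```python
import re

# Constructed map without the 1-1 entry: A -> B, then a wildcard.
UNPROTECTED = [
    (r"^a@example\.com$", "b@example.net"),   # A -> B
    (r".",                "catchall@example.org"),  # wildcard matches everything
]

# Same map with the protecting 1-1 entry placed before the wildcard.
PROTECTED = [
    (r"^a@example\.com$", "b@example.net"),   # A -> B
    (r"^b@example\.net$", "b@example.net"),   # B -> B, shields B from the wildcard
    (r".",                "catchall@example.org"),
]


def lookup(table, address):
    """Return the result of the first pattern that matches, else None."""
    for pattern, result in table:
        if re.search(pattern, address, re.IGNORECASE):
            return result
    return None


def rewrite(table, address, limit=100):
    """Repeat the lookup until no result, or the result equals the key."""
    for _ in range(limit):
        result = lookup(table, address)
        if result is None or result == address:
            return address
        address = result  # the result becomes the next lookup key
    raise RuntimeError("alias expansion did not terminate")


def trace(table, address, limit=100):
    """Same walk as rewrite(), but return every address visited."""
    seen = [address]
    for _ in range(limit):
        result = lookup(table, seen[-1])
        if result is None or result == seen[-1]:
            return seen
        seen.append(result)
    raise RuntimeError("alias expansion did not terminate")
```

Without the 1-1 entry the second pass feeds `b@example.net` back into the map and the wildcard takes it; with the entry the second pass returns the key itself and the recursion stops there.
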
Re: Graphing mail stats
On 15/2/2013 4:53 PM, Birta Levente wrote:
> Mailgraph http://mailgraph.schweikert.ch/ is really cool, but need to
> make some modifications to see postscreen rejects:
> http://www.birkosan.com/2012/05/mailgraph-with-postfixpostscreen.html

Thanks,

I have patched mailgraph for long queue IDs and it works fine with those now (as mentioned in the above post).

However, although I have successfully patched both mailgraph.pl and mailgraph.cgi, it doesn't seem to work. (I did it twice to confirm.)

In the place of the "Bounced-Virus-... etc" diagram nothing appears except a "mailgraph" word. Only the "Sent-Received" diagram appears properly.

Any ideas?

Thanks,
Nick
Re: virtual-regex problem
It seems that regex is indeed working, but something is forcing email into local host instead of outside. This only happens with wildcard in place.

Here is an extract from maillog:

Feb 15 14:30:54 qa6 postfix/error[9898]: A6EC61F88989: to=, orig_to=, relay=none, delay=0.02, delays=0.01/0/0/0.01, dsn=5.0.0, status=bounced (User unknown in virtual alias table)
Re: virtual-regex problem
On 2/15/2013 4:35 PM, Alex wrote:
> It seems that regex is indeed working, but something is forcing email
> into local host instead of outside. This only happens with wildcard in
> place.
>
> Here is an extract from maillog:
>
> Feb 15 14:30:54 qa6 postfix/error[9898]: A6EC61F88989:
> to=, orig_to=, relay=none,
> delay=0.02, delays=0.01/0/0/0.01, dsn=5.0.0, status=bounced (User
> unknown in virtual alias table)
>

Postfix is documented here:
http://www.postfix.org/documentation.html

  -- Noel Jones
Re: virtual-regex problem
Hi Noel,

Furthermore wildcard seems to have an effect only on email addresses for the parent domain of the postfix host.
If I send email to @yahoo and regex changes it to @gmail.com, this works fine.
If I send email to @mydomain regex changes it to wildcard.

Does it make sense?
Re: virtual-regex problem
On 2/15/2013 5:25 PM, Alex wrote:
> Hi Noel,
>
> Furthermore wildcard seems to have an effect only on email addresses
> for the parent domain of the postfix host.
> If I send email to @yahoo and regex changes it to @gmail.com, this works fine.
> If I send email to @mydomain regex changes it to wildcard.
>
> Does it make sense?
>

I'm sure postfix is doing exactly what you've told it to do.

Postfix is documented here:
http://www.postfix.org/documentation.html

  -- Noel Jones
Re: virtual-regex problem
No doubt about it. I just wish I could understand how to change it. :)

Any ideas?
Re: virtual-regex problem
On Fri, Feb 15, 2013 at 02:35:31PM -0800, Alex wrote:
> It seems that regex is indeed working, but something is forcing
> email into local host instead of outside. This only happens with
> wildcard in place.
>
> Here is an extract from maillog:
>
> Feb 15 14:30:54 qa6 postfix/error[9898]: A6EC61F88989:
> to=, orig_to=, relay=none,
> delay=0.02, delays=0.01/0/0/0.01, dsn=5.0.0, status=bounced (User
> unknown in virtual alias table)

Did you see my post yesterday? Pay close attention to the setting (unsetting, actually) of virtual_alias_domains.

http://www.postfix.org/ADDRESS_CLASS_README.html#virtual_alias_class
http://www.postfix.org/VIRTUAL_README.html#virtual_alias
http://www.postfix.org/postconf.5.html#virtual_alias_domains
http://www.postfix.org/postconf.5.html#virtual_alias_maps

--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: virtual-regex problem
Solved. One typo. I guess I was staring at the file too long.
Re: Restrict some users to local recipients only?
On 02/14/2013 12:23 AM, Patrick wrote:
> I have a customer who would like to configure the Postfix server he uses
> such that certain users can only send to local users.

Use a restriction class that implements this; examples are included here:
http://www.postfix.org/RESTRICTION_CLASS_README.html

> I'm wondering if
> there are any built-in facilities for restricting which delivery agents can
> be used by particular users?

Delivery agents deliver queued mail. The decision to accept the mail for a particular destination has already been made at that point.

--
J.