date:20130411

Mark Alan:
> On Thu, 11 Apr 2013 03:01:58 +0300, "Indiana Jones"
>  wrote:
> > # for single address
> >  printf "us...@example1.com us...@example2.com\n"
> > > /etc/postfix/virtual 
> >  # for multiple addresses
> >  printf "us...@example1.com us...@example2.com\nus...@example3.com
> >  us...@example4.com\n" > /etc/postfix/virtual
> > 
> > Thank you very much! 
> > I edited main.cf and created the file /postfix/virtual and followed
> > all these steps, but this way Postfix does not leave copies of the
> > forwarded messages on the server. 
> > I need postfix to leave a copy of the forwarded message so that it
> > can also be collected locally by the recipient! i.e. the recipient
> > wants to receive his incoming mail on the two different addresses
> > simultaneously! 
> > 
> > Could you possibly explain how to do that?
> 
> Try to also map each address to itself:
> 
> us...@example1.com us...@example1.com
> us...@example1.com us...@example2.com
> us...@example3.com us...@example3.com
> us...@example3.com us...@example4.com

That should be:

us...@example1.com us...@example1.com us...@example2.com
us...@example3.com us...@example3.com us...@example4.com

Wietse

Aw: Address Rewriting

2013-04-11 Thread Henning

Sorry, my last mail was Html only. I hope it's better now :-)

Hi,
 
I have a setup with several virtual mailboxes, e.g. local1@, local2@.
 
Now I would like the local mail addresses to have some kind of mapping to 
external addresses:
local1@postfixserver <-> external1@externaldomain1
local2@postfixserver <-> external2@externaldomain2
 
If a mail arrives at postfix from external2 to recipient local1, I would like 
the following to happen: The mail should be forwarded with sender local2@ to 
recipient external1@ .
So incoming header looks like this: from external2, to local1
Outgoing header looks liks this: from local2, to external1
 
Does anyone know, if I can achieve this with postfix?
 
E.g. with some address rewriting feature? 
http://www.postfix.org/ADDRESS_REWRITING_README.html
I am very new to postfix, so I don't completely understand the manual here.  I 
could imagine, that I need to put the mapping local<->external into some 
configuration file?
 
I could imagine, that for incoming mails, adress rewriting will be done for the 
sender: if external2@externaldomain2 is found as sender, then sender will be 
rewritten to local2.
And for all incoming mails to local1 a copy is forwarded to external1
 
Kind Regards
Henning

Re: Forwarding from a particular email address

2013-04-11 Thread Indiana Jones

Quoting "Wietse Venema" :
> Mark Alan:
>> On Thu, 11 Apr 2013 03:01:58 +0300, "Indiana Jones"
>>  wrote:
>>> # for single address
>>> printf "us...@example1.com us...@example2.com\n"
 /etc/postfix/virtual
>>> # for multiple addresses
>>> printf "us...@example1.com us...@example2.com\nus...@example3.com
>>> us...@example4.com\n" > /etc/postfix/virtual
>>> 
>>> Thank you very much!
>>> I edited main.cf and created the file /postfix/virtual and followed
>>> all these steps, but this way Postfix does not leave copies of the
>>> forwarded messages on the server.
>>> I need postfix to leave a copy of the forwarded message so that it
>>> can also be collected locally by the recipient! i.e. the recipient
>>> wants to receive his incoming mail on the two different addresses
>>> simultaneously!
>>> 
>>> Could you possibly explain how to do that?
>> 
>> Try to also map each address to itself:
>> 
>> us...@example1.com us...@example1.com
>> us...@example1.com us...@example2.com
>> us...@example3.com us...@example3.com
>> us...@example3.com us...@example4.com
> 
> That should be:
> 
> us...@example1.com us...@example1.com us...@example2.com
> us...@example3.com us...@example3.com us...@example4.com
> 
> Wietse


Thank you very much indeed to both of you, Alan and Wietse!
Now it works like a charm :)

Adam

[Bug fix in previous email] New Postfix log analyzer tool, statistics, grapher, ... PostgreSQL DB 9.2.x based

2013-04-11 Thread Nicolas HAHN


Dear Postfix Community,

Instead of reading in my previous email:

"The archive I just uploaded this morning deal with Postfix version 
>=2.8.x logs."


Please read:

"The archive I just uploaded this morning deal with Postfix version 
_*<=2.8.x*_ logs."


This is a misstyping from me ;)
<>

New Postfix log analyzer tool, statistics, grapher, ... PostgreSQL DB 9.2.x based

2013-04-11 Thread Nicolas HAHN

Dear Postfix Community,

I'm writing for the first time there but working in the area of SMTP
messaging since a long time. With Postfix, that I really love.

The goal of my e-mail today is just to let you know that I'm working
since some time on my open source GPLv3 project dedicated to _*real
time*_ postfix log analysis, but not only log analysis.

This project need several components to work fine, primarily a Linux
server running Apache, Php, Rsyslog, postgreSQL 9.2, SNMPD, ... A lot of
things are described in the INSTALL file.

If you are interested by such project, you can find it on Sourceforge
there:
https://sourceforge.net/projects/x-itools/files/X-Itools%20releases/E-mail%20Log%20Search%20Engine/

The archive I just uploaded this morning deal with Postfix version
>=2.8.x logs.

This tool is used in the United Nations datacenters, for Messaging
Services, where I'm currently working as a messaging architect
consultant. Depending of the processing power of the server, it is able
to work with a mail flow of 1 million e-mails a day in real time. The
version deployed in the UN also process Exchange servers logs in real
time. The version I've packaged on sourceforge is a little bit in late
(I need time to commit all my code) and is able to process Postfix logs
only as of today.
Some (and me too :-)) say it is much more powerfull than what Postini
from Google is offering, especially if we consider it is working in real
time.

Version available on sourceforge in the tar.gz archive is 0.9.10.
Version starting to process Exchange Servers logs is 0.9.11. It is
comming...

Also, I kept my tool "secret" since 2004 despite the fact I decided to
make it under GPL, using it for my own needs as a small provider myself.
I decided to publish it on sourceforge in 2011, when UN shown a big
interest in it, and then I restarted the development. It means the Wiki
is empty, the doc is enclosed in my brain, ... and all of this needs to
be publicly available. that will take time...

So, if you're interested, I can answer questions and provide help. It
can be quite complex to install because of the dependencies needed.
This project also need, as you may know, volunteers and talents, people
to debug, ... I'm not the most talented coder of the world of course :)
PHP code I produce as a PHP newbie for example, could be greatly
enhanced, secured, and so on. I'm learning PHP the same time I'm coding
this tool and it's not easy as I'm an old school C/C++ coder.

In brief, a continuous effort is needed as usual.

/NOTE: I've removed the attached screenshot because e-mail size is
limited to 4 characters./

Thanks for your attention

Best regards,
Nicolas
<>

check_recipient_access not working

Dear all,

I'm trying to allow our Postfix server to only send e-mails to a few
specified e-mail addresses, i.e., a whitelist. 

I've added the following to main.cf


*smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/recipient_access, reject*

/etc/postfix/recipient_access contains:

*t...@test.com OK*

I run 

*postmap /etc/postfix/recipient_access* 

then

*postfix reload*

However, e-mails all addresses are delivered, and not just to t...@test.com.

*postfix -n* gives

*alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost,
hilljaa5.miniserver.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/recipient_access, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
*

I'm not sure what log you want as I can't find a list of what would be
needed.

Does anyone have any suggestions, please, as to what I'm doing wrong.

Thanks,

Stephen






--
View this message in context: 
http://postfix.1071664.n5.nabble.com/check-recipient-access-not-working-tp56950.html
Sent from the Postfix Users mailing list archive at Nabble.com.

Re: Setting up secure submission for remote users

On Apr 8, 2013, at 13:26, Jeroen Geilman  wrote:

> I would personally recommend using dovecot for SASL, especially if you don't 
> need client SASL (from postfix to remote servers); dovecot is way, way easier 
> to set up, and evolves quite nicely

My hesitation is that I already have an auth system setup and I hate to end up 
in a position where either it's no longer working or I have to have everyone 
reset their passwords.

OTOH, I can't get PBS to work at all with 2.8 (they disagree over the db file 
format), but that is not necessarily a bad thing. I added my fixed IP for my 
home server to mynetworks, and anyone else can use webmail if they can't send 
via their ISP/gmail I guess.

Re: check_recipient_access not working

pifoot:
> *smtpd_recipient_restrictions = check_recipient_access 
> hash:/etc/postfix/recipient_access, reject*
> 
> /etc/postfix/recipient_access contains:
> 
> *t...@test.com OK*

Hopefully the "*" are not included.

You can test the access table with:

$ postmap -q t...@test.com hash:/etc/postfix/recipient_access

The result should be

OK

If the result is different then the access table won't work.

Wietse

Stripping Received: headers

2013-04-11 Thread Geoff Shang


Hi,

I'm trying to strip Received: headers from mail at various parts of our 
processing, for security reasons.


I'm starting with mail that comes in from authenticated clients.  I tried 
doing the following:


master.cf:

submission inet n   -   -   -   -   smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o header_checks=pcre:/etc/postfix/header_checks

/etc/postfix/header_checks:

/^Received:/IGNORE

I ran this through Postmap with a query from a message I sent myself, and 
the IGNORE key is correctly returned.  But if I actually send myself a 
message, it comes through with the Received: line intact.


I did some searching and found 
http://marc.info/?l=postfix-users&m=122106227124195&w=2


I'm curious to know why this would work and the above wouldn't.  Am I just 
trying to do it too early in the process?


A related question, is it possible to prevent Postfix from generating 
lines like this?


Geoff.

Re: check_recipient_access not working

Thank you for your reply. No, the * aren't included. It was because I put the
commands and files in bold on the original posting.

Running that command doesn't produce any output. Have you any idea why that
should be?

Many thanks,

Stephen



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/check-recipient-access-not-working-tp56950p56954.html
Sent from the Postfix Users mailing list archive at Nabble.com.

Re: check_recipient_access not working

Many thanks for your reply.

Apologies. The command DOES return OK for the whitelisted e-mail address. It
returns nothing at all for an e-mail address not in the whitelist. However,
e-mail addresses not in the hash file are still sent and not rejected.

Thanks,

Stephen



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/check-recipient-access-not-working-tp56950p56956.html
Sent from the Postfix Users mailing list archive at Nabble.com.

Re: check_recipient_access not working

pifoot:
> Thank you for your reply. No, the * aren't included. It was because I put the
> commands and files in bold on the original posting.
> 
> Running that command doesn't produce any output. Have you any idea why that
> should be?

Update the Berkeley DB file with:

$ postmap hash:/path/to/file

Then test with:

$ postmap -q emailaddress hash:/path/to/file

You can "dump" the contents of the Berkeley DB file with:

$ postmap -s hash:/path/to/file

Wietse

Re: check_recipient_access not working

2013-04-11 Thread Brian Evans


On 4/11/2013 10:49 AM, pifoot wrote:

Many thanks for your reply.

Apologies. The command DOES return OK for the whitelisted e-mail address. It
returns nothing at all for an e-mail address not in the whitelist. However,
e-mail addresses not in the hash file are still sent and not rejected.


You have not provided any logs of a mail transaction.
We could only guess without it.

How is this mail being sent? Is it net based or through the sendmail(1) 
command?


Brian

Re: Stripping Received: headers

Geoff Shang:
> submission inet n   -   -   -   -   smtpd
>-o smtpd_enforce_tls=yes
>-o smtpd_sasl_auth_enable=yes
>-o smtpd_client_restrictions=permit_sasl_authenticated,reject
>-o milter_macro_daemon_name=ORIGINATING
>-o header_checks=pcre:/etc/postfix/header_checks

As documented header_checks is not an smtpd(8) feature, it is
a cleanup(8) feature.

The easiest way to give separate treatment to mail from the 
internal network versus mail from outside is to use separate
Postfix instances. 

Otherwise, 

submission inet n   -   -   -   -   smtpd
-o cleanup_service=submission_cleanup

submission_cleanup unix n   cleanup
-o header_checks=pcre:/etc/postfix/header_checks

would do the job.

Wietse

Re: Stripping Received: headers

2013-04-11 Thread Benny Pedersen


Geoff Shang skrev den 2013-04-11 16:33:

Hi,

I'm trying to strip Received: headers from mail at various parts of
our processing, for security reasons.

I'm starting with mail that comes in from authenticated clients.  I
tried doing the following:

master.cf:

submission inet n   -   -   -   -   smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o header_checks=pcre:/etc/postfix/header_checks


header_checks is incomming on smtpd, but you use submission

so you must change to to smtp_header_checks

http://www.postfix.org/header_checks.5.html



/etc/postfix/header_checks:

/^Received:/IGNORE


this one is to gready, dont use it on header_checks



I ran this through Postmap with a query from a message I sent myself,
and the IGNORE key is correctly returned.  But if I actually send
myself a message, it comes through with the Received: line intact.

I did some searching and found
http://marc.info/?l=postfix-users&m=122106227124195&w=2

I'm curious to know why this would work and the above wouldn't.  Am I
just trying to do it too early in the process?

A related question, is it possible to prevent Postfix from generating
lines like this?


what problems do you like to resolve ?



Geoff.


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it

Defer SMTP and Pipe Later

2013-04-11 Thread Robert Gabriel

Hello all,

Forgive me as this might seem like an absurd question:

Is it possible to defer SMTP transport and then send the message

to a pipe later so I can keep a "copy" of the message in case needing

to resend as the remote pipe output might be unreliable?

The message should remain in the deferred queue after pipe command.

Maybe I'm thinking of this the wrong way, any help appreciated.

Thank you.

Re: check_recipient_access not working

2013-04-11 Thread Stephen West

Thank you for your reply.

The messages are sent from /usr/sbin/sendmail

The log contains:

Apr 11 16:50:26 hilljaa5 postfix/qmgr[2563]: 0B60181F0: from=<
h...@removed.com>, size=310, nrcpt=1 (queue active)
Apr 11 16:50:26 hilljaa5 postfix/smtp[2569]: 0B60181F0: to=,
relay=test.test2.com[31.222.146.154]:25, delay=2.7, delays=2.1/0/0.62/0.01,
dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 34DC9FD82B6)
Apr 11 16:50:26 hilljaa5 postfix/qmgr[2563]: 0B60181F0: removed

Thanks,

Stephen



On 11 April 2013 15:54, Brian Evans  wrote:

> On 4/11/2013 10:49 AM, pifoot wrote:
>
>> Many thanks for your reply.
>>
>> Apologies. The command DOES return OK for the whitelisted e-mail address.
>> It
>> returns nothing at all for an e-mail address not in the whitelist.
>> However,
>> e-mail addresses not in the hash file are still sent and not rejected.
>>
>>  You have not provided any logs of a mail transaction.
> We could only guess without it.
>
> How is this mail being sent? Is it net based or through the sendmail(1)
> command?
>
> Brian
>

Re: check_recipient_access not working

2013-04-11 Thread Brian Evans


On 4/11/2013 11:52 AM, Stephen West wrote:

Thank you for your reply.

The messages are sent from /usr/sbin/sendmail


Any mail sent through the sendmail(1) command is not subject to smtpd_* 
rules.


The only option on restriction is which users can send mail through the 
authorized_submit_users parameter.


Brian



The log contains:

Apr 11 16:50:26 hilljaa5 postfix/qmgr[2563]: 0B60181F0: 
from=mailto:h...@removed.com>>, size=310, nrcpt=1 
(queue active)
Apr 11 16:50:26 hilljaa5 postfix/smtp[2569]: 0B60181F0: 
to=mailto:t...@test.com>>, relay=test.test2.com 
[31.222.146.154]:25, delay=2.7, 
delays=2.1/0/0.62/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued 
as 34DC9FD82B6)

Apr 11 16:50:26 hilljaa5 postfix/qmgr[2563]: 0B60181F0: removed

Thanks,

Stephen



On 11 April 2013 15:54, Brian Evans > wrote:


On 4/11/2013 10:49 AM, pifoot wrote:

Many thanks for your reply.

Apologies. The command DOES return OK for the whitelisted
e-mail address. It
returns nothing at all for an e-mail address not in the
whitelist. However,
e-mail addresses not in the hash file are still sent and not
rejected.

You have not provided any logs of a mail transaction.
We could only guess without it.

How is this mail being sent? Is it net based or through the
sendmail(1) command?

Brian

Re: check_recipient_access not working

Ah. I see. Thank you very much for that.


On 11 April 2013 17:05, Brian Evans - Postfix List [via Postfix] <
ml-node+s1071664n56963...@n5.nabble.com> wrote:

> On 4/11/2013 11:52 AM, Stephen West wrote:
>
> Thank you for your reply.
>
> The messages are sent from /usr/sbin/sendmail
>
>
> Any mail sent through the sendmail(1) command is not subject to smtpd_*
> rules.
>
> The only option on restriction is which users can send mail through the
> authorized_submit_users parameter.
>
> Brian
>
>
> The log contains:
>
> Apr 11 16:50:26 hilljaa5 postfix/qmgr[2563]: 0B60181F0: from=<[hidden
> email] >, size=310,
> nrcpt=1 (queue active)
> Apr 11 16:50:26 hilljaa5 postfix/smtp[2569]: 0B60181F0: to=<[hidden 
> email]>,
> relay=test.test2.com[31.222.146.154]:25, delay=2.7,
> delays=2.1/0/0.62/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
> 34DC9FD82B6)
> Apr 11 16:50:26 hilljaa5 postfix/qmgr[2563]: 0B60181F0: removed
>
>  Thanks,
>
> Stephen
>
>
>
> On 11 April 2013 15:54, Brian Evans <[hidden 
> email]
> > wrote:
>
>> On 4/11/2013 10:49 AM, pifoot wrote:
>>
>>> Many thanks for your reply.
>>>
>>> Apologies. The command DOES return OK for the whitelisted e-mail
>>> address. It
>>> returns nothing at all for an e-mail address not in the whitelist.
>>> However,
>>> e-mail addresses not in the hash file are still sent and not rejected.
>>>
>>>  You have not provided any logs of a mail transaction.
>> We could only guess without it.
>>
>> How is this mail being sent? Is it net based or through the sendmail(1)
>> command?
>>
>> Brian
>>
>
>
>
>
> --
>  If you reply to this email, your message will be added to the discussion
> below:
>
> http://postfix.1071664.n5.nabble.com/check-recipient-access-not-working-tp56950p56963.html
>  To unsubscribe from check_recipient_access not working, click 
> here
> .
> NAML
>




--
View this message in context: 
http://postfix.1071664.n5.nabble.com/check-recipient-access-not-working-tp56950p56964.html
Sent from the Postfix Users mailing list archive at Nabble.com.

Re: Stripping Received: headers

2013-04-11 Thread Noel Jones

On 4/11/2013 10:05 AM, Benny Pedersen wrote:
> Geoff Shang skrev den 2013-04-11 16:33:
>> Hi,
>>
>> I'm trying to strip Received: headers from mail at various parts of
>> our processing, for security reasons.
>>
>> I'm starting with mail that comes in from authenticated clients.  I
>> tried doing the following:
>>
>> master.cf:
>>
>> submission inet n   -   -   -   -   smtpd
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>>   -o header_checks=pcre:/etc/postfix/header_checks
> 
> header_checks is incomming on smtpd, but you use submission

No, header_checks are performed on all incoming mail.

As already explained, the problem above is that "-o
header_checks=..." has no effect on smtpd(5).

> 
> so you must change to to smtp_header_checks

smtp_header_checks are performed on outgoing mail during smtp(5)
delivery.

But you're sort of on the right track.  You can use
smtp_header_checks to remove the Received: headers from
authenticated mail before external delivery with something like:
/^Received: .*by myserver.example.com \(Postfix\) with ESMTPS?A
id.*$/  IGNORE

Geoff, please note I've seen some overanxious anti-spam systems that
consider mail with no Received: headers as spam.



  -- Noel Jones




> 
> http://www.postfix.org/header_checks.5.html
> 
>>
>> /etc/postfix/header_checks:
>>
>> /^Received:/IGNORE
> 
> this one is to gready, dont use it on header_checks
> 
>>
>> I ran this through Postmap with a query from a message I sent myself,
>> and the IGNORE key is correctly returned.  But if I actually send
>> myself a message, it comes through with the Received: line intact.
>>
>> I did some searching and found
>> http://marc.info/?l=postfix-users&m=122106227124195&w=2
>>
>> I'm curious to know why this would work and the above wouldn't.  Am I
>> just trying to do it too early in the process?
>>
>> A related question, is it possible to prevent Postfix from generating
>> lines like this?
> 
> what problems do you like to resolve ?
> 
>>
>> Geoff.
>

Re: Stripping Received: headers

2013-04-11 Thread Benny Pedersen


Noel Jones skrev den 2013-04-11 18:29:


No, header_checks are performed on all incoming mail.


+1


As already explained, the problem above is that "-o
header_checks=..." has no effect on smtpd(5).


yes it included as it used all incomming, but not directly with smtpd


so you must change to to smtp_header_checks


smtp_header_checks are performed on outgoing mail during smtp(5)
delivery.


is submission not using smtp_header_checks ?


But you're sort of on the right track.  You can use
smtp_header_checks to remove the Received: headers from
authenticated mail before external delivery with something like:
/^Received: .*by myserver.example.com \(Postfix\) with ESMTPS?A
id.*$/  IGNORE


yep will soon try to apply it here


Geoff, please note I've seen some overanxious anti-spam systems that
consider mail with no Received: headers as spam.


can one show an example main.cf that remove all recieved headers on 
remote senders ?, there would allways be one last hop imho


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it

Re: Stripping Received: headers

2013-04-11 Thread DTNX Postmaster

On Apr 11, 2013, at 18:29, Noel Jones  wrote:

>> so you must change to to smtp_header_checks
> 
> smtp_header_checks are performed on outgoing mail during smtp(5)
> delivery.
> 
> But you're sort of on the right track.  You can use
> smtp_header_checks to remove the Received: headers from
> authenticated mail before external delivery with something like:
> /^Received: .*by myserver.example.com \(Postfix\) with ESMTPS?A
> id.*$/  IGNORE
> 
> Geoff, please note I've seen some overanxious anti-spam systems that
> consider mail with no Received: headers as spam.

In our case, the problem was with overzealous ones that filter on all 
Received: headers, and therefore block legitimate mail because the 
authenticated client is connecting from an access provider range listed 
by Spamhaus, or something similar.

Our solution so far is to strip a few of the internal Received: 
headers, and 'REPLACE' the one that contains the connecting IP with a 
'Received: by hostname.domain.tld (from authenticated client)' header. 
Since the submission hosts never send directly, it will always have at 
least three or four Received: headers when offered to the destination 
MX.

Since the regular expression is fairly specific, this is done with 
'header_checks' in our case.

HTH,
Jona

Logging SMTPD ports

2013-04-11 Thread Robert Sharp


Hi

I have postfix set up with smtpd processes on three ports: 25 for the 
wild world out there, 587 for submission from local users and other MTAs 
on the LAN, and 10025 for re-injection from amavis. I am doing some log 
analysis and I think it would be really, really helpful if smtpd could 
log its port. That way I can easily distinguish between message threads 
without trying second passes based on message or queue IDs. I would 
imagine it is a fairly easy thing to implement? Can it be done through 
some setting somewhere that I have not yet found?


Robert

Re: Logging SMTPD ports

2013-04-11 Thread Viktor Dukhovni

On Thu, Apr 11, 2013 at 06:12:02PM +0100, Robert Sharp wrote:

> I have postfix set up with smtpd processes on three ports: 25 for
> the wild world out there, 587 for submission from local users and
> other MTAs on the LAN, and 10025 for re-injection from amavis. I am
> doing some log analysis and I think it would be really, really
> helpful if smtpd could log its port. That way I can easily
> distinguish between message threads without trying second passes
> based on message or queue IDs. I would imagine it is a fairly easy
> thing to implement? Can it be done through some setting somewhere
> that I have not yet found?

http://www.postfix.org/MULTI_INSTANCE_README.html

Two front-end instances (inside input, outside input) plus one
back-end instance (post-amavis re-injection output).  Trust me,
this is much better than mere logging of input ports.

-- 
Viktor.

Re: Stripping Received: headers



Am 11.04.2013 18:55, schrieb Benny Pedersen:
>> smtp_header_checks are performed on outgoing mail during smtp(5)
>> delivery.
> 
> is submission not using smtp_header_checks?

has your submission service smtp or smtpd in master.cf?
mine has smtpd as all other working ones out there



signature.asc
Description: OpenPGP digital signature

Re: Logging SMTPD ports

Viktor Dukhovni:
> On Thu, Apr 11, 2013 at 06:12:02PM +0100, Robert Sharp wrote:
> 
> > I have postfix set up with smtpd processes on three ports: 25 for
> > the wild world out there, 587 for submission from local users and
> > other MTAs on the LAN, and 10025 for re-injection from amavis. I am
> > doing some log analysis and I think it would be really, really
> > helpful if smtpd could log its port. That way I can easily
> > distinguish between message threads without trying second passes
> > based on message or queue IDs. I would imagine it is a fairly easy
> > thing to implement? Can it be done through some setting somewhere
> > that I have not yet found?
> 
> http://www.postfix.org/MULTI_INSTANCE_README.html
> 
> Two front-end instances (inside input, outside input) plus one
> back-end instance (post-amavis re-injection output).  Trust me,
> this is much better than mere logging of input ports.

Otherwise, this example may help:

submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  ...
smtps inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/smtps
  ...

Wietse

Re: Stripping Received: headers



Am 11.04.2013 19:20, schrieb Reindl Harald:
> 
> 
> Am 11.04.2013 18:55, schrieb Benny Pedersen:
>>> smtp_header_checks are performed on outgoing mail during smtp(5)
>>> delivery.
>>
>> is submission not using smtp_header_checks?
> 
> has your submission service smtp or smtpd in master.cf?
> mine has smtpd as all other working ones out there

to make it clear:

submission is nothing else as smtpd on port 587
and if you want not rely on /etc/services you would
even write 587 instead submission

the only difference between port 25 and 587 is
usually that you require authentication on 587

[harry@srv-rhsoft:~]$ cat /etc/services | grep submission
submission  587/tcp msa # mail message submission
submission  587/udp msa # mail message submission



signature.asc
Description: OpenPGP digital signature

Re: Multiple recipient_delimiter address extensions?

2013-04-11 Thread Jeroen Geilman


On 04/05/2013 08:17 PM, Wietse Venema wrote:

/dev/rob0:


Thanks. A very minor complaint is that you have always been very
consistent IIRC regarding plural and singular in parameter names, but
now "recipient_delimiter" can be multiple characters. :) (I do

Yes and no. Postfix still supports only one user/extension separator
per address.

A feature name that contains the word "delimiters" would send the
message that Postfix supports "multiple delimiters" within an address.


$recipient_delimiter_alternatives ?

--
J.

Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Robert Lopez

I am concerned a configuration that has been unchanged for a few years may
have an error that is now showing up as a problem.

I received this email that is a non-delivery notice sent to us (
postmas...@cnm.edu) that a non-delivery notice our gateway sent could not
be delivered:

From: postmas...@ors-cpa.com
To: postmas...@cnm.edu
Subject: Undeliverable: lech
Sent: Thu 4/11/2013 5:18 AM

Generating server: orscpa.local

smashab...@ors-cpa.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

Original message headers:

Received: from server45.appriver.com (69.20.58.226) by rm.ors-cpa.com
 (10.10.10.2) with Microsoft SMTP Server id 14.2.342.3; Thu, 11 Apr 2013
 07:15:26 -0400
Received: from [10.238.9.54] (HELO inbound.appriver.com)  by
 server45.appriver.com (CommuniGate Pro SMTP 5.3.12)  with ESMTP id
2123501502
 for smashab...@ors-cpa.com; Thu, 11 Apr 2013 07:15:26 -0400
X-Note-AR-ScanTimeLocal: 4/11/2013 7:15:26 AM
X-Note-AR-Scan: None - PIPE
Received: by inbound.appriver.com (CommuniGate Pro PIPE 5.4.1)  with PIPE id
 412972783; Thu, 11 Apr 2013 07:15:26 -0400
Received: from mg04.cnm.edu ([198.133.182.64] verified)  by
 inbound.appriver.com (CommuniGate Pro SMTP 5.4.1)  with ESMTP id 412972755
 for smashab...@ors-cpa.com; Thu, 11 Apr 2013 07:15:24 -0400
Received: by mg04.cnm.edu (Postfix)id 08002661BF9; Thu, 11 Apr 2013
05:15:24
 -0600 (MDT)
Date: Thu, 11 Apr 2013 05:15:24 -0600
From: Mail Delivery System 
Subject: Undelivered Mail Returned to Sender
To: 
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="152B0661BC5.1365678924/mg04.cnm.edu"
Message-ID: <2013041524.08002661...@mg04.cnm.edu>
X-Note-AR-ScanTimeLocal: 4/11/2013 7:15:24 AM
X-Policy: ors-cpa.com
X-Primary: smashab...@ors-cpa.com
X-Note: This Email was scanned by AppRiver SecureTide
X-Virus-Scan: V-X0M0
X-Note-SnifferID: 0
X-Note: TCH-CT/SI:0-132/SG:6 4/11/2013 7:15:00 AM
X-GBUdb-Analysis: 0, 198.133.182.64, Ugly c=0 p=0 Source New
X-Signature-Violations: 0-0-0-6732-c
X-Note-419: 31.2498 ms. Fail:0 Chk:1344 of 1344 total
X-Note: SCH-CT/SI:0-1344/SG:1 4/11/2013 7:15:22 AM
X-Warn: BOUNCEBLOCK Contains questionable phrase
X-Warn: RETURNPATH No Return Path Listed.
X-Warn: WEIGHT10
X-Warn: WEIGHT15
X-Note: Spam Tests Failed: BOUNCEBLOCK, RETURNPATH, WEIGHT10, WEIGHT15
X-Country-Path: ->UNITED STATES->UNITED STATES
X-Note-Sending-IP: 198.133.182.64
X-Note-Reverse-DNS: mail.cnm.edu
X-Note-Return-Path:
X-Note: User Rule Hits:
X-Note: Global Rule Hits: G319 G320 G321 G322 G326 G327 G373 G415 G426 G427
G434
X-Note: Encrypt Rule Hits:
X-Note: Mail Class: VALID
Return-Path: mailer-dae...@cnm.edu


These are the logfile lines for the email we initially could not deliver:


Apr 11 05:15:11 mg04 postfix/smtpd[29756]: connect from
adsl-070-154-182-039.sip.msy.bellsouth.net[70.154.182.39]
Apr 11 05:15:11 mg04 postfix/smtpd[29756]: 701E1661BFF: client=
adsl-070-154-182-039.sip.msy.bellsouth.net[70.154.182.39]
Apr 11 05:15:11 mg04 postfix/cleanup[28238]: 701E1661BFF: hold: header
Received: from adsl-070-154-182-039.sip.msy.bellsouth.net (
adsl-070-154-182-039.sip.msy.bellsouth.net [70.154.182.39])??by
mg04.cnm.edu(Postfix) with ESMTP id 701E1661BFF??for <
mmoo...@cnm.edu>; Thu, from
adsl-070-154-182-039.sip.msy.bellsouth.net[70.154.182.39];
from= to= proto=ESMTP helo=<
adsl-070-154-182-039.sip.msy.bellsouth.net>
Apr 11 05:15:11 mg04 postfix/cleanup[28238]: 701E1661BFF:
message-id=
Apr 11 05:15:11 mg04 postfix/cleanup[28238]: 701E1661BFF: warning: header
Subject: lech from adsl-070-154-182-039.sip.msy.bellsouth.net[70.154.182.39];
from= to= proto=ESMTP helo=<
adsl-070-154-182-039.sip.msy.bellsouth.net>
Apr 11 05:15:11 mg04 postfix/smtpd[29756]: disconnect from
adsl-070-154-182-039.sip.msy.bellsouth.net[70.154.182.39]
Apr 11 05:15:12 mg04 MailScanner[16316]: Message 701E1661BFF.5998D from
70.154.182.39 (smashab...@ors-cpa.com) to cnm.edu is spam, SpamAssassin
(not cached, score=9.628, required 6, autolearn=disabled,
DATE_IN_PAST_06_12 1.85, FH_HELO_EQ_D_D_D_D 0.50, HELO_DYNAMIC_DHCP 1.52,
HELO_DYNAMIC_IPADDR 2.94, RDNS_DYNAMIC 0.10, STOX_REPLY_TYPE 0.00,
TVD_FINGER_02 2.72)
Apr 11 05:15:15 mg04 MailScanner[16316]: Spam Actions: message
701E1661BFF.5998D actions are deliver,header
Apr 11 05:15:20 mg04 MailScanner[16316]: Requeue: 701E1661BFF.5998D to
152B0661BC5
Apr 11 05:15:20 mg04 postfix/qmgr[25178]: 152B0661BC5: from=<
smashab...@ors-cpa.com>, size=1112, nrcpt=1 (queue active)
Apr 11 05:15:23 mg04 postfix/smtp[28222]: 152B0661BC5: to=<
mmoo...@cnm.edu.test-google-a.com>, orig_to=, relay=
gmail-smtp-in.l.google.com[173.194.76.26]:25, delay=13,
delays=9.3/0/0.22/3.2, dsn=5.1.1, status=bounced (host
gmail-smtp-in.l.google.com[173.194.76.26] said: 550-5.1.1 The email account
that you tried to reach does not exist. Please try 550-5.1.1
double-checking the recipient's email address for typos or 550-5.1.1
unnecessary spaces. Learn more at 550 5.1.1
http://support.googl

Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Jan P. Kessler

Hi,

> And these are the logfile lines for our sending of the non-delivery
> notice we sent. One item in these log lines I do not understand at all
> is "relay=server50.appriver.com
> [204.232.236.138]:25". I do not
> understand where were that information is sourced. It looks to me that
> we sent the non-delivery to a wrong location.

No, that is correct. Source of that routing information is the MX record
for the target domain:

# host -t mx ors-cpa.com
ors-cpa.com mail is handled by 10 server50.appriver.com.
ors-cpa.com mail is handled by 20 server51.appriver.com.

Re: Multiple recipient_delimiter address extensions?

Jeroen Geilman:
> On 04/05/2013 08:17 PM, Wietse Venema wrote:
> > /dev/rob0:
> >>
> >> Thanks. A very minor complaint is that you have always been very
> >> consistent IIRC regarding plural and singular in parameter names, but
> >> now "recipient_delimiter" can be multiple characters. :) (I do
> > Yes and no. Postfix still supports only one user/extension separator
> > per address.
> >
> > A feature name that contains the word "delimiters" would send the
> > message that Postfix supports "multiple delimiters" within an address.
> 
> $recipient_delimiter_alternatives ?

That is better. After working through feature update, I noticed
that the delimiter is also applied to sender addresses, so I am
declined to replace the recipient_ portion.

Perhaps this is a path into the future:

recipient_delimiter
This is no longer a main.cf parameter. It is used only in the
$forward_path, where it expands into the user/extension separator
that was found in the recipient email address.

address_delimiter_alternatives (default: $recipient_delimiter)
This is a new main.cf parameter, containing the set of characters
that may separate a user name from an address extension (user+foo)
in a sender or recipient address.  The default setting maintains
backwards compatibility fo rexisting configurations.

Wietse

Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Robert Lopez

That was a fast response Jan. Thanks. Is the overall situation suggestive
of any misconfiguration here?


On Thu, Apr 11, 2013 at 1:22 PM, Jan P. Kessler wrote:

>  Hi,
>
>
>  And these are the logfile lines for our sending of the non-delivery
> notice we sent. One item in these log lines I do not understand at all is
> "relay=server50.appriver.com[204.232.236.138]:25". I do not understand
> where were that information is sourced. It looks to me that we sent the
> non-delivery to a wrong location.
>
>
> No, that is correct. Source of that routing information is the MX record
> for the target domain:
>
> # host -t mx ors-cpa.com
> ors-cpa.com mail is handled by 10 server50.appriver.com.
> ors-cpa.com mail is handled by 20 server51.appriver.com.
>
>


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

Re: Stripping Received: headers

2013-04-11 Thread Noel Jones

On 4/11/2013 11:55 AM, Benny Pedersen wrote:
> Noel Jones skrev den 2013-04-11 18:29:

>> smtp_header_checks are performed on outgoing mail during smtp(5)
>> delivery.
> 
> is submission not using smtp_header_checks ?

No.

submission uses the smtpd(5) service to receive mail, which uses
header_checks (indirectly, through the cleanup service).

smtp_header_checks are used by the smtp(5) transport when sending
mail to remote systems.

http://www.postfix.org/OVERVIEW.html

  -- Noel Jones

Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Noel Jones

On 4/11/2013 2:42 PM, Robert Lopez wrote:
> That was a fast response Jan. Thanks. Is the overall situation
> suggestive of any misconfiguration here?

[please don't top-post]

It appears you're generating a bounce for spam.  Don't do that; the
spam sender address is often forged causing your notice to go to
some innocent third party.

This makes you a backscatter source.  As a backscatter source, your
queue can become clogged with undeliverable bounces and your server
may be blacklisted by others.

With an after queue content filter, the only valid choice you have
is to tag and deliver the message (or in some cases, discard it, but
that's not legal some places and not good practice everywhere else).

  -- Noel Jones

> 
> 
> On Thu, Apr 11, 2013 at 1:22 PM, Jan P. Kessler
> mailto:post...@jpkessler.info>> wrote:
> 
> Hi,
> 
> 
>> And these are the logfile lines for our sending of the
>> non-delivery notice we sent. One item in these log lines I do
>> not understand at all is "relay=server50.appriver.com
>> [204.232.236.138]:25". I do not
>> understand where were that information is sourced. It looks to
>> me that we sent the non-delivery to a wrong location.
> 
> No, that is correct. Source of that routing information is the
> MX record for the target domain:
> 
> # host -t mx ors-cpa.com 
> ors-cpa.com  mail is handled by 10
> server50.appriver.com .
> ors-cpa.com  mail is handled by 20
> server51.appriver.com .
> 
> 
> 
> 
> -- 
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106

Serving Dovecot mailbox quota status to Postfix

2013-04-11 Thread Ralf Hildebrandt

I wrote a little something about how to prevent delivery to mailboxes
over quota while still being in the SMTP dialogue:
http://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/
(Postfix/Dovecot)

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich

Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Robert Lopez

On Thu, Apr 11, 2013 at 2:23 PM, Noel Jones  wrote:

> On 4/11/2013 2:42 PM, Robert Lopez wrote:
> > That was a fast response Jan. Thanks. Is the overall situation
> > suggestive of any misconfiguration here?
>
> [please don't top-post]
>
> It appears you're generating a bounce for spam.  Don't do that; the
> spam sender address is often forged causing your notice to go to
> some innocent third party.
>
> This makes you a backscatter source.  As a backscatter source, your
> queue can become clogged with undeliverable bounces and your server
> may be blacklisted by others.
>
> With an after queue content filter, the only valid choice you have
> is to tag and deliver the message (or in some cases, discard it, but
> that's not legal some places and not good practice everywhere else).
>
>
>
>
>   -- Noel Jones
>
>
>
>
> >
> >
> > On Thu, Apr 11, 2013 at 1:22 PM, Jan P. Kessler
> > mailto:post...@jpkessler.info>> wrote:
> >
> > Hi,
> >
> >
> >> And these are the logfile lines for our sending of the
> >> non-delivery notice we sent. One item in these log lines I do
> >> not understand at all is "relay=server50.appriver.com
> >> [204.232.236.138]:25". I do not
> >> understand where were that information is sourced. It looks to
> >> me that we sent the non-delivery to a wrong location.
> >
> > No, that is correct. Source of that routing information is the
> > MX record for the target domain:
> >
> > # host -t mx ors-cpa.com 
> > ors-cpa.com  mail is handled by 10
> > server50.appriver.com .
> > ors-cpa.com  mail is handled by 20
> > server51.appriver.com .
> >
> >
> >
> >
> > --
> > Robert Lopez
> > Unix Systems Administrator
> > Central New Mexico Community College (CNM)
> > 525 Buena Vista SE
> > Albuquerque, New Mexico 87106
>
>
Is postscreen able to identify email as spam to prevent bouncing it? Is
there a way to alter my postfix configuration to prevent bouncing it?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

Re: Serving Dovecot mailbox quota status to Postfix

2013-04-11 Thread Ralf Hildebrandt

* Ralf Hildebrandt :
> I wrote a little something about how to prevent delivery to mailboxes
> over quota while still being in the SMTP dialogue:
> http://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/
> (Postfix/Dovecot)

To be precise: Postfix/Dovecot-2.2

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich

Re: Forwarding from a particular email address

2013-04-11 Thread Mark Alan

On Thu, 11 Apr 2013 06:56:13 -0400 (EDT), Wietse Venema
 wrote:

> That should be:
> 
> us...@example1.com us...@example1.com us...@example2.com
> us...@example3.com us...@example3.com us...@example4.com

Makes sense and perhaps it seems obvious for the postfix developers, but
I do not remember seeing such usage case (a /etc/postfix/virtual
file with user1 -> user1 user2) in the postfix documentation, namely,
neither at:
http://www.postfix.org/ADDRESS_REWRITING_README.html
nor at:
http://www.postfix.org/VIRTUAL_README.html.

M.

Re: Logging SMTPD ports

2013-04-11 Thread OsburnSharp on Ebay


On 11/04/13 18:23, Wietse Venema wrote:

Viktor Dukhovni:

On Thu, Apr 11, 2013 at 06:12:02PM +0100, Robert Sharp wrote:


I have postfix set up with smtpd processes on three ports: 25 for
the wild world out there, 587 for submission from local users and
other MTAs on the LAN, and 10025 for re-injection from amavis. I am
doing some log analysis and I think it would be really, really
helpful if smtpd could log its port. That way I can easily
distinguish between message threads without trying second passes
based on message or queue IDs. I would imagine it is a fairly easy
thing to implement? Can it be done through some setting somewhere
that I have not yet found?

http://www.postfix.org/MULTI_INSTANCE_README.html

Two front-end instances (inside input, outside input) plus one
back-end instance (post-amavis re-injection output).  Trust me,
this is much better than mere logging of input ports.

Otherwise, this example may help:

submission inet n   -   n   -   -   smtpd
   -o syslog_name=postfix/submission
   ...
smtps inet  n   -   n   -   -   smtpd
   -o syslog_name=postfix/smtps
   ...


Thank you! This is exactly what I need.

Robert

Re: Forwarding from a particular email address

Mark Alan:
> On Thu, 11 Apr 2013 06:56:13 -0400 (EDT), Wietse Venema
>  wrote:
> 
> > That should be:
> > 
> > us...@example1.com us...@example1.com us...@example2.com
> > us...@example3.com us...@example3.com us...@example4.com
> 
> Makes sense and perhaps it seems obvious for the postfix developers, but
> I do not remember seeing such usage case (a /etc/postfix/virtual
> file with user1 -> user1 user2) in the postfix documentation, namely,
> neither at:
> http://www.postfix.org/ADDRESS_REWRITING_README.html
> nor at:
> http://www.postfix.org/VIRTUAL_README.html.

This is in an unexpected place:

TABLE SEARCH ORDER
   With lookups from indexed files such as DB or DBM,  or  from  networked
   tables  such  as  NIS,  LDAP or SQL, patterns are tried in the order as
   listed below:

   user@domain address, address, ...
  Redirect mail for user@domain to address.   This  form  has  the
  highest precedence.

   ...other examples omitted...

The text under "TABLE FORMAT" needs some tweaking.

   pattern result
  When  pattern  matches  a mail address, replace it by the corre-
  sponding result.

Maybe:

   pattern address, address, ... 
  When  pattern  matches  a mail address, replace it by the corre-
  sponding address(es).

Would do the job.

Wietse

Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Jan P. Kessler


> Is postscreen able to identify email as spam to prevent bouncing it?
> Is there a way to alter my postfix configuration to prevent bouncing it?

This is not a matter of 'spam detection'. You have to verify for valid
(means existing) recipients *before* you accept mail.

Look for reject_unlisted_recipient or reject_unverified_recipients in
the postfix docs.

Re: Is postfix misconfiguration to send to wrong domain?

Robert Lopez:
> Is postscreen able to identify email as spam to prevent bouncing it? Is
> there a way to alter my postfix configuration to prevent bouncing it?

Both postscreen and a before-queue content filter block mail before
it is allowed into the Postfix queue.

Postfix will therefore not return such mail to the (usually) forged
sender.

http://www.postfix.org/SMTPD_PROXY_README.html

Wietse

Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Jan P. Kessler


>> Is postscreen able to identify email as spam to prevent bouncing it?
>> Is there a way to alter my postfix configuration to prevent bouncing it?
> This is not a matter of 'spam detection'. You have to verify for valid
> (means existing) recipients *before* you accept mail.
>
> Look for reject_unlisted_recipient or reject_unverified_recipients in
> the postfix docs.

To be more precise:
- verify your recipients
- do not reject mails by content filters (as said: use prequeue filters
or tag spam mails)
- and most important: do not rewrite recipients to non existing
third-party accounts (here: google)!

Apr 11 05:15:23 mg04 postfix/smtp[28222]: 152B0661BC5:
to=mailto:mmoo...@cnm.edu.test-google-a.com>>, orig_to=mailto:mmoo...@cnm.edu>>, relay=gmail-smtp-in.l.google.com
[173.194.76.26]:25, delay=13,
delays=9.3/0/0.22/3.2, dsn=5.1.1, status=bounced (host
gmail-smtp-in.l.google.com
[173.194.76.26] said: 550-5.1.1 The
email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1
http://support.google.com/mail/bin/answer.py?answer=6596
j8si3846254qaz.28 - gsmtp (in reply to RCPT TO command))

Re: Is postfix misconfiguration to send to wrong domain?

On Apr 11, 2013, at 15:56, "Jan P. Kessler"  wrote:
> do not reject mails by content filters (as said: use prequeue filters
> or tag spam mails)

to be clear, do not bounce emails based on content filters AFTER the SMTP 
transaction. You can certainly reject email based on any criteria you wish 
during the SMTP phase.

In fact, anymore, bouncing mail at all is more trouble than it is worth. Any 
criteria that would cause an email to bounce should be checked before the SMTP 
phase closes and cause a reject instead.

postfix and Berkeley DB

# ldd /usr/local/libexec/postfix/smtpd  
/usr/local/libexec/postfix/smtpd:
libmysqlclient.so.16 => /usr/local/lib/mysql/libmysqlclient.so.16 
(0x280cf000)
libz.so.3 => /lib/libz.so.3 (0x28139000)
libm.so.4 => /lib/libm.so.4 (0x2814a000)
libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2816)
libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x281ad000)
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x2830a000)
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x28321000)
libc.so.6 => /lib/libc.so.6 (0x28354000)
libcrypt.so.3 => /lib/libcrypt.so.3 (0x2843b000)
# file /etc/postfix/virtual.db 
/etc/postfix/virtual.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)

So, postfix appears to be using Berkeley DB but is not linked against it?

# cat /usr/local/bin/where
#! /bin/bash
for i in `ls /var/db/pkg | grep -i $1`; do echo $i "is in" `pkgdb -o $i`; done
# where Berkeley
p5-BerkeleyDB-0.41 is in databases/p5-BerkeleyDB databases/p5-BerkeleyDB
# 

--

Re: Setting up secure submission for remote users

On Apr 8, 2013, at 13:26, Jeroen Geilman  wrote:

> The clue is that there should be no permit_ rules before /or/ after 
> permit_sasl_authenticated, and the last rule should be an explicit "reject".

Quick question on this, not ever a permit mynetworks?

(I mean, I can't think of a reason mynetworks would need to use submission, but 
is there any reason not to allow it?)

Re: Setting up secure submission for remote users



Am 12.04.2013 00:04, schrieb LuKreme:
> On Apr 8, 2013, at 13:26, Jeroen Geilman  wrote:
> 
>> The clue is that there should be no permit_ rules before /or/ after 
>> permit_sasl_authenticated, and the last rule should be an explicit "reject".
> 
> Quick question on this, not ever a permit mynetworks?
> 
> (I mean, I can't think of a reason mynetworks would need to use submission, 
> but is there any reason not to allow it?)

mynetworks may be OK in most cases but

* without authentication use port 25 and mynetworks
* if a client is using submission it is good practice to have a user in the logs

mynetworks should be genrally used with care and only for specific
address instead whole networks with sooner or later potentially
infected clients which can be banned if using auth even if the
malware leaks auth data and abuse it from outside



signature.asc
Description: OpenPGP digital signature

Re: postfix and Berkeley DB



Am 12.04.2013 00:35, schrieb LuKreme:
> # ldd /usr/local/libexec/postfix/smtpd  
> /usr/local/libexec/postfix/smtpd:
> libmysqlclient.so.16 => /usr/local/lib/mysql/libmysqlclient.so.16 
> (0x280cf000)
> libz.so.3 => /lib/libz.so.3 (0x28139000)
> libm.so.4 => /lib/libm.so.4 (0x2814a000)
> libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2816)
> libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x281ad000)
> libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x2830a000)
> libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x28321000)
> libc.so.6 => /lib/libc.so.6 (0x28354000)
> libcrypt.so.3 => /lib/libcrypt.so.3 (0x2843b000)
> # file /etc/postfix/virtual.db 
> /etc/postfix/virtual.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
> So, postfix appears to be using Berkeley DB but is not linked against it?

unlikely generated with the build from the ldd-output

libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)

rpm -q --file /lib64/libdb-5.3.so
libdb-5.3.21-3.fc18.x86_64

Name: libdb
Arch: x86_64
Version : 5.3.21
Release : 3.fc18
Size: 1.7 M
Repo: installed
Summary : The Berkeley DB database library for C
URL : http://www.oracle.com/database/berkeley-db/
License : BSD

ldd /usr/libexec/postfix/smtpd
linux-vdso.so.1 =>  (0x7fff8478)
libpcre.so.1 => /lib64/libpcre.so.1 (0x7f28257d2000)
libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 
(0x7f28252db000)
libm.so.6 => /lib64/libm.so.6 (0x7f2824fd9000)
libsasl2.so.2 => /lib64/libsasl2.so.2 (0x7f2824dbe000)
libssl.so.10 => /lib64/libssl.so.10 (0x7f2824b55000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x7f2824779000)
libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x7f28241ac000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x7f2823f92000)
libgomp.so.1 => /lib64/libgomp.so.1 (0x7f2823d83000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7f2823b67000)
libc.so.6 => /lib64/libc.so.6 (0x7f28237ae000)

libz.so.1 => /lib64/libz.so.1 (0x7f2823596000)
libdl.so.2 => /lib64/libdl.so.2 (0x7f2823392000)
librt.so.1 => /lib64/librt.so.1 (0x7f2823189000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x7f2822e86000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x7f2822c4f000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x7f2822a0b000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x7f2822726000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x7f2822522000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x7f28222f6000)
/lib64/ld-linux-x86-64.so.2 (0x7f2825cde000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x7f28220e)
libfreebl3.so => /lib64/libfreebl3.so (0x7f2821e73000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x7f2821c68000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x7f2821a64000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x7f2821841000)



signature.asc
Description: OpenPGP digital signature

Re: postfix and Berkeley DB

Reindl Harald opined on Thursday 11-Apr-2013@17:03:50
> 
> 
> Am 12.04.2013 00:35, schrieb LuKreme:
>> # ldd /usr/local/libexec/postfix/smtpd  
>> /usr/local/libexec/postfix/smtpd:
>>libmysqlclient.so.16 => /usr/local/lib/mysql/libmysqlclient.so.16 
>> (0x280cf000)
>>libz.so.3 => /lib/libz.so.3 (0x28139000)
>>libm.so.4 => /lib/libm.so.4 (0x2814a000)
>>libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2816)
>>libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x281ad000)
>>libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x2830a000)
>>libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x28321000)
>>libc.so.6 => /lib/libc.so.6 (0x28354000)
>>libcrypt.so.3 => /lib/libcrypt.so.3 (0x2843b000)
>> # file /etc/postfix/virtual.db 
>> /etc/postfix/virtual.db: Berkeley DB 1.85 (Hash, version 2, native 
>> byte-order)
>> So, postfix appears to be using Berkeley DB but is not linked against it?
> 
> unlikely generated with the build from the ldd-output

I don’t understand what you mean. That is the output of my mailserver running 
postfix 2.8

> libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)
> 
> rpm -q --file /lib64/libdb-5.3.so
> libdb-5.3.21-3.fc18.x86_64

Well, I do have libdb.so:

# locate libdb.so
/usr/local/lib/db42/libdb.so
/usr/local/lib/db44/libdb.so
/usr/local/lib/db48/libdb.so

>libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)

And I was expecting a line like that, only "libdb.so => 
/usr/local/lib/db48/libdv.so", only it is not there. Postfix seems to be using 
it anyway, though I am not sure which version of libdb corresponds to Berkeley 
DB 1.85. I’m pretty sure it is not 4.8.


-- 
"@Drhorrible is not following you" Whew! that's a relief, I was sure
some super villain was following me. Hope it's not Dick Cheney.

Re: postfix and Berkeley DB



Am 12.04.2013 02:00, schrieb LuKreme:
> Reindl Harald opined on Thursday 11-Apr-2013@17:03:50
>>
>>
>> Am 12.04.2013 00:35, schrieb LuKreme:
>>> # ldd /usr/local/libexec/postfix/smtpd  
>>> /usr/local/libexec/postfix/smtpd:
>>>libmysqlclient.so.16 => /usr/local/lib/mysql/libmysqlclient.so.16 
>>> (0x280cf000)
>>>libz.so.3 => /lib/libz.so.3 (0x28139000)
>>>libm.so.4 => /lib/libm.so.4 (0x2814a000)
>>>libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2816)
>>>libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x281ad000)
>>>libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x2830a000)
>>>libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x28321000)
>>>libc.so.6 => /lib/libc.so.6 (0x28354000)
>>>libcrypt.so.3 => /lib/libcrypt.so.3 (0x2843b000)
>>> # file /etc/postfix/virtual.db 
>>> /etc/postfix/virtual.db: Berkeley DB 1.85 (Hash, version 2, native 
>>> byte-order)
>>> So, postfix appears to be using Berkeley DB but is not linked against it?
>>
>> unlikely generated with the build from the ldd-output
> 
> I don’t understand what you mean. That is the output of my mailserver running 
> postfix 2.8

i can not imagine that this file is created by the postfix
of which you posted the ld-output because it is not linked
against it

>> libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)
>>
>> rpm -q --file /lib64/libdb-5.3.so
>> libdb-5.3.21-3.fc18.x86_64
> 
> Well, I do have libdb.so:
> 
> # locate libdb.so
> /usr/local/lib/db42/libdb.so
> /usr/local/lib/db44/libdb.so
> /usr/local/lib/db48/libdb.so

which doe snot matter because it depends how postfix was compiled

>> libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)
> 
> And I was expecting a line like that, only "libdb.so => 
> /usr/local/lib/db48/libdv.so", only it is not there. 
> Postfix seems to be using it anyway

postconf -m
btree (berkeley)
cidr
environ
fail
hash (berkeley)
internal
memcache
mysql

nis

pcre
proxy
regexp
socketmap
static
tcp
texthash
unix

http://www.postfix.org/DB_README.html

> though I am not sure which version of libdb corresponds to Berkeley DB 1.85. 
> I’m pretty sure it is not 4.8

the 1.85 is not the libdb version, the file command is generic



signature.asc
Description: OpenPGP digital signature

Re: Setting up secure submission for remote users