performance of postfix
Hi,

we have Postfix with an LDAP backend. Everything is working well, but I think we have some performance issues, though I can't be sure :/ (Our mailbox folders are located on a storage drive mapped on Redhat Enterprise.)

Every 5.0s: ./qshape.pl    Wed May 22 13:37:53 2013

                  T   5  10  20  40  80 160 320 640 1280 1280+
          TOTAL  25  25   0   0   0   0   0   0   0    0     0
our domain name  24  24   0   0   0   0   0   0   0    0     0
  u-picardie.fr   1   1   0   0   0   0   0   0   0    0     0

Above are the watch command results of the qshape command. Approximately 5 minutes later the results are below:

Every 5.0s: ./qshape.pl    Wed May 22 13:41:20 2013

                  T   5  10  20  40  80 160 320 640 1280 1280+
          TOTAL   0   0   0   0   0   0   0   0   0    0     0

Our server has 45 GB of RAM and 12 CPUs. How can I get any comparison or opinion on our mail server's performance? (I think it could work faster??)

thanks in advance

-- 
Selçuk YAZAR
Re: performance of postfix
On 13-05-22 07:53 AM, Selcuk Yazar wrote:
> Hi, we have Postfix with LDAP backend , everything is working good but i
> think we have some performance issues , but i can't sure :/ ( Our mailbox
> folders are located Storage Drive mapped at Redhat Enterprise)

Have you looked at your logs to determine where and if your perceived delays are taking place?

-- 
Looking for (employment|contract) work in the
Internet industry, preferably working remotely.
Building / Supporting the net since 2400 baud was
the hot thing. Ask for a resume! ispbuil...@gmail.com
Re: Postfix, Autoreply
On 2013-05-21 8:23 PM, Benny Pedersen wrote:
> motty cruz skrev den 2013-05-21 02:04:
>> Does anybody have a script that work for autoresponders?
>
> try the one in postfixadmin, note it does not reply to maillists blindly

Well... I had a lot of trouble with it responding to a lot of things that it shouldn't (facebook junk, etc).

The latest trunk version of the vacation script has a new variable and test function that lets the admin easily add new strings to test for in the From/MailFrom (envelope and headers) that will result in not sending the vacation message.

I highly recommend using the new version if you decide to use it. It is very effective now for my purposes.

-- 
Best regards,
Charles
Re: performance of postfix
Hi,

actually I forgot to write additional info about our server: we also have a policyd daemon (cluebringer), amavis (SpamAssassin, clamav) and dovecot. When I looked at the logs everything looked good to me :) . It flows like a waterfall. Sometimes, when an e-mail comes from Yahoo groups, it takes minutes to deliver. What is the term I should look up in the logs? As I said, I can't be sure whether our performance is good or slow.

thanks.

On Wed, May 22, 2013 at 1:56 PM, Mike wrote:
> On 13-05-22 07:53 AM, Selcuk Yazar wrote:
>> Hi,
>>
>> we have Postfix with LDAP backend , everything is working good but i
>> think we have some performance issues , but i can't sure :/ ( Our mailbox
>> folders are located Storage Drive mapped at Redhat Enterprise)
>
> Have you looked at your logs to determine where and if your perceived
> delays are taking place?
>
> --
> Looking for (employment|contract) work in the
> Internet industry, preferably working remotely.
> Building / Supporting the net since 2400 baud was
> the hot thing. Ask for a resume! ispbuil...@gmail.com

-- 
Selçuk YAZAR
http://www.selcukyazar.blogspot.com
Mail in Submit Queue
My daily run output (FreeBSD) sent this message (in part) for today.

Mail in submit queue:
-Queue ID-    --Size--  ----Arrival Time----  -Sender/Recipient---
27FC0118B7AF      9831  Tue May 21 14:29:35   MAILER-DAEMON
(host eforward3.registrar-servers.com[38.101.213.199] said: 450 4.1.1 : Recipient address rejected: unverified address: unknown user: "arthri...@andrite.com" (in reply to RCPT TO command))
                                              arthri...@andrite.com

45C9A118B7AD     10261  Mon May 20 19:14:02   MAILER-DAEMON
(host eforward3.registrar-servers.com[38.101.213.199] said: 450 4.1.1 : Recipient address rejected: unverified address: unknown user: "medicalbillingandcodingeducat...@magical-menagerie.net" (in reply to RCPT TO command))
                                              medicalbillingandcodingeducat...@magical-menagerie.net

So, I go and sure enough they are in the queue.

# postsuper -h 27FC0118B7AF
postsuper: 27FC0118B7AF: placed on hold
postsuper: Placed on hold: 1 message

So I go and check the maillog for yesterday and this is what I find.

May 21 14:29:35 mail postfix/cleanup[81455]: 27FC0118B7AF: message-id=<20130521202935.27fc0118b...@mail.covisp.net>
May 21 14:29:35 mail postfix/bounce[81551]: 3F635118B777: sender non-delivery notification: 27FC0118B7AF
May 21 14:29:35 mail postfix/qmgr[68570]: 27FC0118B7AF: from=<>, size=9831, nrcpt=1 (queue active)
May 21 14:29:38 mail postfix/smtp[81526]: 27FC0118B7AF: host eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 : Recipient address rejected: unverified address: unknown user: "arthri...@andrite.com" (in reply to RCPT TO command)

And now I'm concerned: where did this mail come from, how do I have it, why is there no from? Then there are many 450 errors, which I guess are the receiver treating unknown user as a transient error, which seems odd, but that's well out of my control.

The other message appears to be much the same as the first. I'm obviously concerned there's some sort of backscatter error, or something else that is using my server as some sort of relay/reflector.
Postfix 2.8.14

$ postconf -n
alias_database = hash:$config_directory/aliases
alias_maps = hash:$config_directory/aliases, hash:/usr/local/mailman/data/aliases
allow_percent_hack = no
body_checks = pcre:$config_directory/body_checks.pcre
bounce_size_limit = 10240
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = pcre:$config_directory/header_checks.pcre
header_size_limit = 10240
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -t -a $EXTENSION
mailbox_size_limit = 52428800
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_reject_code = 521
message_size_limit = 26214400
mime_header_checks = pcre:$config_directory/mime_headers.pcre
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost, ns1.$mydomain, ns2.$mydomain, mail.$mydomain, www.$mydomain, webmail.$mydomain
mydomain = covisp.net
myhostname = mail.covisp.net
mynetworks = 75.148.117.88/29, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:$config_directory/postscreen_access.cidr
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
show_user_unknown_table_name = no
smtpd_banner = $myhostname ESMTP $mail_name $mail_version
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,check_sender_access hash:$config_directory/backscatterpermit
smtpd_error_sleep_time = 28
smtpd_hard_error_limit = 8
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unknown_reverse_client_hostname, warn_if_reject reject_unknown_client_hostname, check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit check_sender_access pcre:$config_directory/sender_access.pcre, check_client_access pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access pcre:$config_directory/recipient_checks.pcre, check_client_access hash:$config_directory/access, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
sm
Re: performance of postfix
On Wed, May 22, 2013 at 01:53:15PM +0300, Selcuk Yazar wrote:

> we have Postfix with LDAP backend , everything is working good but i think
> we have some performance issues , but i can't sure :/ ( Our mailbox
> folders are located Storage Drive mapped at Redhat Enterprise)
>
> Every 5.0s: ./qshape.pl

Running qshape every 5s is too often. Qshape is disk intensive.
Run it every 5 minutes or so.

> Wed May 22 13:37:53 2013
>
>                   T   5  10  20  40  80 160 320 640 1280 1280+
>           TOTAL  25  25   0   0   0   0   0   0   0    0     0
> our domain name  24  24   0   0   0   0   0   0   0    0     0
>   u-picardie.fr   1   1   0   0   0   0   0   0   0    0     0
>
> above is watch command results of qshape command after approx. 5 minutes
> later results are below
>
> Every 5.0s: ./qshape.pl
>
> Wed May 22 13:41:20 2013
>
>                   T   5  10  20  40  80 160 320 640 1280 1280+
>           TOTAL   0   0   0   0   0   0   0   0   0    0     0

If your content filter is not very fast, bursts of mail will accumulate
while they are waiting to be scanned. Then the queue becomes empty.

You may also have deferred mail that is retried periodically. Your logs
have a more complete picture.

To improve content filter performance, eliminate remote DNS lookups
in the filter, or increase concurrency. If the problem is lack of
sufficient CPU resources, try to find a more performant scanner or
turn off optional scanning features you don't need.

Since mail is not delayed for very long, there is no problem (certainly
not with Postfix itself, but scanning could perhaps be tuned).

-- 
	Viktor.
Re: Mail in Submit Queue
On 22 May 2013, at 7:36, LuKreme wrote:

> My daily run output (freebsd) sent this message (in part) for today.
>
> Mail in submit queue:
> -Queue ID-    --Size--  ----Arrival Time----  -Sender/Recipient---
> 27FC0118B7AF      9831  Tue May 21 14:29:35   MAILER-DAEMON
> (host eforward3.registrar-servers.com[38.101.213.199] said: 450 4.1.1 : Recipient address rejected: unverified address: unknown user: "arthri...@andrite.com" (in reply to RCPT TO command))
>                                               arthri...@andrite.com
>
> 45C9A118B7AD     10261  Mon May 20 19:14:02   MAILER-DAEMON
> (host eforward3.registrar-servers.com[38.101.213.199] said: 450 4.1.1 : Recipient address rejected: unverified address: unknown user: "medicalbillingandcodingeducat...@magical-menagerie.net" (in reply to RCPT TO command))
>                                               medicalbillingandcodingeducat...@magical-menagerie.net
>
> So, I go and sure enough they are in the queue.
>
> # postsuper -h 27FC0118B7AF
> postsuper: 27FC0118B7AF: placed on hold
> postsuper: Placed on hold: 1 message
>
> So I go and check the maillog for yesterday and this is what I find.
>
> May 21 14:29:35 mail postfix/cleanup[81455]: 27FC0118B7AF: message-id=<20130521202935.27fc0118b...@mail.covisp.net>
> May 21 14:29:35 mail postfix/bounce[81551]: 3F635118B777: sender non-delivery notification: 27FC0118B7AF
> May 21 14:29:35 mail postfix/qmgr[68570]: 27FC0118B7AF: from=<>, size=9831, nrcpt=1 (queue active)
> May 21 14:29:38 mail postfix/smtp[81526]: 27FC0118B7AF: host eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 : Recipient address rejected: unverified address: unknown user: "arthri...@andrite.com" (in reply to RCPT TO command)
>
> And now I'm concerned, where did this mail come from, how do I have it, why is there no from?

27FC0118B7AF has a null envelope sender because it is a bounce of 3F635118B777. See the 2nd line?

> Then there are many 450 errors which I guess are the receiver treating unknown user as a transient error which seems odd, but that's well out of my control.

Many systems play funny games with bounces because they can. Spammers like andrite.com and providers who cater to them (registrar-servers.com = NameCheap) play particularly irrational games with bounces to slip through the cracks in some unwise spam control tactics.

> The other message appears to be much the same as the first. I'm obviously concerned there's some sort of backscatter error, or something else that is using my server as some sort of relay/reflector.

Seems like a backscatter problem. The log should have lines about why 27FC0118B7AF was asynchronously bounced, which will expose the root cause.
postscreen questions
I'm trying out postscreen and I have a couple of questions. First off, here's my postscreen setup:

postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    dnsbl.ahbl.org*2
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_pipelining_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes

So, the RBLs are getting utilized by postscreen before it even hits the smtp service. So, am I right to assume that the reject_rbl_client lines in my smtpd_recipient_restrictions are no longer needed?

Additionally, in my smtpd_recipient_restrictions I have a check_client_access line that points to a list of rbl_override email addresses so that I can receive e-mail from someone even if they are sending e-mail from an IP that's listed on an RBL. I can't seem to find any reference on how to accomplish this with postscreen. Is that even possible or are we relying on the RBL scoring system for postscreen?

Thanks in advance
Re: performance of postfix
On Wed, May 22, 2013 at 3:58 PM, Viktor Dukhovni wrote:
> On Wed, May 22, 2013 at 01:53:15PM +0300, Selcuk Yazar wrote:
>
>> we have Postfix with LDAP backend , everything is working good but i think
>> we have some performance issues , but i can't sure :/ ( Our mailbox
>> folders are located Storage Drive mapped at Redhat Enterprise)
>>
>> Every 5.0s: ./qshape.pl
>
> Running qshape every 5s is too often. Qshape is disk intensive.
> Run it every 5 minutes or so.
>
>> Wed May 22 13:37:53 2013
>>
>>                   T   5  10  20  40  80 160 320 640 1280 1280+
>>           TOTAL  25  25   0   0   0   0   0   0   0    0     0
>> our domain name  24  24   0   0   0   0   0   0   0    0     0
>>   u-picardie.fr   1   1   0   0   0   0   0   0   0    0     0
>>
>> above is watch command results of qshape command after approx. 5 minutes
>> later results are below
>>
>> Every 5.0s: ./qshape.pl
>>
>> Wed May 22 13:41:20 2013
>>
>>                   T   5  10  20  40  80 160 320 640 1280 1280+
>>           TOTAL   0   0   0   0   0   0   0   0   0    0     0
>
> If your content filter is not very fast, bursts of mail will accumulate<
> while they are waiting to be scanned. Then the queue becomes empty.
>
> You may also have deferred mail that is retried periodically. You logs
> have a more complete picture.
>
> To improve content filter performance, eliminate remote DNS lookups
> in the filter, or increate concurrency. If the problem is lack of
> sufficient CPU resources, try to find a more performant scanner or
> turn off optional scanning features you don't need.
>
> Since mail is not delayed for very long, there is no problem (certainly
> not with Postfix itself, but scanning could perhaps be tuned).
>
> --
> 	Viktor.

I found a script for log analysis (sourceforge); the results are like below. I think we have some queue problem. As I understand it, 95% of e-mails wait in the queue 132 seconds?

postfix logwatch

=== Delivery Delays Percentiles

                  0%     25%     50%     75%     90%     95%     98%     100%
Before qmgr     0.01    0.33    1.00    3.30    5.30    8.10   65.00  2372.00
In qmgr         0.00    0.00    0.01   21.00  110.00  132.00  158.00   180.00
Conn setup      0.00    0.00    0.00    0.00    0.85    9.43   51.00   226.00
Transmission    0.00    0.11    4.70    6.20   13.00   18.00   22.00    73.00
Total           0.04    1.10    9.00   46.00  123.00  154.00  180.00  2373.00
ssl errors in log. error on remote or local side?
hello list,

I find error entries like these in my logs:

postfix/smtp[16790]: warning: TLS library problem: 16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:

does that mean openssl or something is broken on my machine?

thanks
marko
Re: Postfix, Autoreply
Thank your suggestions, do you mind pointing to a source for vacation script? I'm using FreeBSD I tried to use Autoreply Software from here: http://www.postfix.org/addon.html#autoreply but one requires Java and the other works with LDAP, I don't have LDAP and I'm not willing to use Java. Thank you for your help! On Wed, May 22, 2013 at 4:11 AM, Charles Marcus wrote: > On 2013-05-21 8:23 PM, Benny Pedersen wrote: > >> motty cruz skrev den 2013-05-21 02:04: >> >> Does anybody have a script that work for autoresponders? >>> >> >> try the one in postfixadmin, note it does not reply to maillists blindly >> > > Well... I had a lot of trouble with it responding to a lot of things that > it shouldn't (facebook junk, etc). > > The latest trunk version of the vacation script has a new variable and > test function that lets the admin easily add new strings to test for in the > From/MailFrom (envelope and headers) that will result in not sending the > vacation message. > > I highly recommend using the new version if you decide to use it. It is > very effective now for my purposes. > > -- > > Best regards, > > Charles > > >
Re: postscreen questions
On 5/22/2013 8:41 AM, Deeztek Support wrote:
> I'm trying out postscreen and I have a couple of questions. First
> off, here's my postscreen setup:
>
> postscreen_access_list = permit_mynetworks
> postscreen_blacklist_action = enforce
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*3
>     b.barracudacentral.org*2
>     bl.spameatingmonkey.net*2
>     dnsbl.ahbl.org*2
>     bl.spamcop.net
>     dnsbl.sorbs.net
>     psbl.surriel.com
>     bl.mailspike.net
>     swl.spamhaus.org*-4
>     list.dnswl.org=127.[0..255].[0..255].0*-2
>     list.dnswl.org=127.[0..255].[0..255].1*-3
>     list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
> postscreen_dnsbl_threshold = 3
> postscreen_pipelining_enable = yes
> postscreen_non_smtp_command_enable = yes
> postscreen_bare_newline_action = enforce
> postscreen_bare_newline_enable = yes
>
> so, the RBLs are getting utilized by postscreen before it even hits
> the smtp service. So, am I right to assume that the
> reject_rbl_client lines in my smtpd_recipient_restrictions are no
> longer needed?

No, not needed. But some folks like to leave them in anyway because 1) they're "free" if the DNS response is currently cached and 2) postscreen internally caches "PASS" status, possibly after a bad client is newly listed in an rbl.

> Additionally, in my smtpd_recipient_restrictions I have a
> check_client_access line that points to a list of rbl_override email
> addresses so that I can receive e-mail from someone even if they are
> sending e-mail from an IP that's listed on an RBL. I can't seem to
> find any reference on how to accomplish this with postscreen. Is
> that even possible or are we relying on the RBL scoring system for
> postscreen?

(I'm wondering why a check_client_access map points to a list of email addresses, but maybe you misspoke)

There is no conditional whitelisting available in postscreen. Only use highly trusted (by *YOU*) RBLs in postscreen, or use scoring so that multiple listings are required for rejection.

Secondly, remember postscreen is intended as a quick-and-simple zombie killer; its only purpose is to reduce the workload on the more complex filters further downstream.

-- 
Noel Jones
Re: performance of postfix
On Wed, May 22, 2013 at 04:45:42PM +0300, Selcuk Yazar wrote:

>> If your content filter is not very fast, bursts of mail will accumulate<
>> while they are waiting to be scanned. Then the queue becomes empty.
>>
>> You may also have deferred mail that is retried periodically. You logs
>> have a more complete picture.
>>
>> To improve content filter performance, eliminate remote DNS lookups
>> in the filter, or increate concurrency. If the problem is lack of
>> sufficient CPU resources, try to find a more performant scanner or
>> turn off optional scanning features you don't need.
>>
>> Since mail is not delayed for very long, there is no problem (certainly
>> not with Postfix itself, but scanning could perhaps be tuned).
>
> I found a script for log analyze (sourceforge), result are like below. I
> think we have some queue problem, as I understand, %95 e-mails wait in
> queue 132 seconds ?

No, less than 5% of messages spend more than 132s in the active queue.
Most messages spend less than 21s, with 50% delivered immediately.

> postfix logwatch
>
> === Delivery Delays Percentiles
>
>                   0%     25%     50%     75%     90%     95%     98%     100%
> In qmgr         0.00    0.00    0.01   21.00  110.00  132.00  158.00   180.00
> Conn setup      0.00    0.00    0.00    0.00    0.85    9.43   51.00   226.00
> Transmission    0.00    0.11    4.70    6.20   13.00   18.00   22.00    73.00
> Total           0.04    1.10    9.00   46.00  123.00  154.00  180.00  2373.00

To understand what is actually going on, you'll have to *read* the logs,
not just look at summaries. You'll probably find occasional latency
sending messages through the content filter. If that's a problem, tune
the content filter to remove DNS lookups or raise its concurrency. If
the content filter is using all available CPU resources, tune it to do
less, or find a more efficient one.

Before any of that, locate the log entries showing delayed deliveries,
read them, and figure out the reasons for the delay.

-- 
	Viktor.
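Viktor's advice is to go from the percentile summary back to the individual delayed deliveries. The added Python below (not from the thread or from the logwatch script) does exactly that over constructed Postfix delivery log lines: it parses the `delays=a/b/c/d` field into the same four stages the logwatch table reports (before qmgr, in qmgr, connection setup, transmission), rebuilds the percentile table with the nearest-rank convention, and then lists the messages above a delay threshold together with the stage that dominated each one. The queue IDs, hosts and addresses in the sample are invented.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (not taken from the thread). Postfix logs
# delays=a/b/c/d with a = time before qmgr (including receiving the message),
# b = time in the queue manager (e.g. waiting for the content filter),
# c = connection setup to the next hop, d = message transmission.
SAMPLE_LOG = """\
May 22 13:37:10 mail postfix/smtp[2101]: A1B2C3D4E5F6: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, delays=0.3/0.01/0.2/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May 22 13:37:12 mail postfix/smtp[2102]: B2C3D4E5F6A1: to=<b@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=154, delays=2.1/132/9.4/11, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May 22 13:37:15 mail postfix/lmtp[2103]: C3D4E5F6A1B2: to=<c@example.net>, relay=mail.example.net[private/dovecot-lmtp], delay=46, delays=3.3/21/0/22, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May 22 13:37:20 mail postfix/smtp[2104]: D4E5F6A1B2C3: to=<d@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=2373, delays=2372/0.5/0.1/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May 22 13:37:22 mail postfix/smtp[2105]: E5F6A1B2C3D4: to=<e@example.org>, relay=none, delay=180, delays=0.5/180/0/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.10]:25: Connection timed out)
May 22 13:37:23 mail postfix/qmgr[1999]: E5F6A1B2C3D4: from=<sender@example.com>, size=4321, nrcpt=1 (queue active)
"""

STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

# Only delivery-attempt lines carry delay= and delays=; qmgr/cleanup lines are skipped.
_DELIVERY = re.compile(
    r"(?P<qid>[0-9A-F]{6,}): to=<(?P<rcpt>[^>]*)>.*?"
    r"delay=(?P<total>[\d.]+), delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+)"
    r".*?status=(?P<status>\w+)"
)


def parse_deliveries(log_text: str) -> List[dict]:
    """One record per delivery attempt, with the four stage delays as floats."""
    records = []
    for line in log_text.splitlines():
        m = _DELIVERY.search(line)
        if not m:
            continue
        rec = {"qid": m["qid"], "rcpt": m["rcpt"], "status": m["status"],
               "total": float(m["total"])}
        for name, key in zip(STAGES, ("a", "b", "c", "d")):
            rec[name] = float(m[key])
        records.append(rec)
    return records


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile: the smallest value at or above pct% of the sample."""
    ordered = sorted(values)
    rank = math.ceil(pct / 100.0 * len(ordered))       # 1-based rank, 0 for pct=0
    return ordered[max(0, min(rank, len(ordered)) - 1)]


def delay_percentiles(records: List[dict],
                      pcts=(0, 25, 50, 75, 90, 95, 98, 100)) -> Dict[str, Dict[int, float]]:
    """Rebuild a logwatch-style 'Delivery Delays Percentiles' table per stage."""
    table = {}
    for stage in STAGES + ("total",):
        values = [r[stage] for r in records]
        table[stage] = {p: percentile(values, p) for p in pcts}
    return table


def slow_deliveries(records: List[dict], threshold: float) -> List[Tuple[str, str, float]]:
    """(queue id, dominant stage, total delay) for attempts slower than threshold, slowest first."""
    slow = []
    for r in records:
        if r["total"] > threshold:
            worst = max(STAGES, key=lambda s: r[s])    # the stage that ate most of the delay
            slow.append((r["qid"], worst, r["total"]))
    return sorted(slow, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    recs = parse_deliveries(SAMPLE_LOG)
    table = delay_percentiles(recs)
    pcts = sorted(next(iter(table.values())))
    print("%-14s" % "" + "".join("%9s" % ("%d%%" % p) for p in pcts))
    for stage, row in table.items():
        print("%-14s" % stage + "".join("%9.2f" % row[p] for p in pcts))
    print()
    for qid, stage, total in slow_deliveries(recs, 120):
        print("%s: %.0fs total, dominated by %s" % (qid, total, stage))
```

Run against a real maillog the same way (read the file instead of SAMPLE_LOG), the `slow_deliveries` output tells you which queue IDs to grep for next, which is the step the percentile table alone cannot give you.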
Re: Postfix, Autoreply
Please don't top-post - response inline below...

On 2013-05-22 10:25 AM, motty cruz wrote:
> On Wed, May 22, 2013 at 4:11 AM, Charles Marcus <cmar...@media-brokers.com> wrote:
>> On 2013-05-21 8:23 PM, Benny Pedersen wrote:
>>> motty cruz skrev den 2013-05-21 02:04:
>>>> Does anybody have a script that work for autoresponders?
>>>
>>> try the one in postfixadmin, note it does not reply to maillists blindly
>>
>> Well... I had a lot of trouble with it responding to a lot of things that it shouldn't (facebook junk, etc).
>>
>> The latest trunk version of the vacation script has a new variable and test function that lets the admin easily add new strings to test for in the From/MailFrom (envelope and headers) that will result in not sending the vacation message.
>>
>> I highly recommend using the new version if you decide to use it. It is very effective now for my purposes.
>
> Thank your suggestions, do you mind pointing to a source for vacation script? I'm using FreeBSD
>
> Thank you for your help!

My apologies... I see that Rudi still hasn't merged the last version of these changes to the trunk version. I just pinged him to see if he will do so, but until then, here is his latest version:

https://github.com/valkum/postfixadmin/blob/cdcccddbe2e1d6758cd63899e7b8973156f1412a/VIRTUAL_VACATION/vacation.pl

It has been running on my system for months now, and works great. Reduced the number of bogus responses from many per day per user, to virtually none, with my expanded custom no_reply string:

$noreply_pattern = 'alert|autoreply|auto-reply|bounce|constantcontact|do-not-reply|facebook|linkedin|list-|listserv|mailer|majordomo|myspace|newsletter|noreply|no-reply|owner\-|\-(owner|request|bounces)|postmaster|request\-|twitter';

-- 
Best regards,
Charles
Re: ssl errors in log. error on remote or local side?
On Wed, May 22, 2013 at 03:57:49PM +0200, Marko Weber | ZBF wrote: > I find error entries like these in my logs: > > postfix/smtp[16790]: warning: TLS library problem: > 16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version > number:s3_pkt.c:340: > > does that mean openssl or something is broken on my machine? No, unless this happens for a large fraction of TLS connections. Most errors of this form are bugs in the peer SSL stack or problems induced by in-flight data corruption (perhaps mangled by a buggy firewall). Make sure your library is patched to the latest update. -- Viktor.
Re: ssl errors in log. error on remote or local side?
Am 2013-05-22 17:54, schrieb Viktor Dukhovni:
> On Wed, May 22, 2013 at 03:57:49PM +0200, Marko Weber | ZBF wrote:
>> I find error entries like these in my logs:
>>
>> postfix/smtp[16790]: warning: TLS library problem:
>> 16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:s3_pkt.c:340:
>>
>> does that mean openssl or something is broken on my machine?
>
> No, unless this happens for a large fraction of TLS connections.
> Most errors of this form are bugs in the peer SSL stack or problems
> induced by in-flight data corruption (perhaps mangled by a buggy
> firewall). Make sure your library is patched to the latest update.

hello viktor,

I am on gentoo linux with openssl 1.0.1c. I remerge openssl and restart postfix.

marko
Re: ssl errors in log. error on remote or local side?
On 2013-05-22 12:10 PM, Marko Weber | ZBF wrote:
> i am on gentoo linux with openssl 1.0.1c.

Me too...

> i remerge the openssl and restart postfix.

No need - you missed the significance of Viktor's 'no'...

This is nothing to worry about *unless* you are getting a significant number of these errors. I see occasional similar errors in my logs all the time...

-- 
Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax
Re: ssl errors in log. error on remote or local side?
On Wed, May 22, 2013 at 12:15:24PM -0400, Charles Marcus wrote: > On 2013-05-22 12:10 PM, Marko Weber | ZBF wrote: > >i am on gentoo linux with openssl 1.0.1c. > > Me too... > > >i remerge the openssl and restart postfix. > > No need - you missed the significance of Viktor's 'no'... > > This is nothing to worry about *unless* you are getting a > significant number of these errors. I see occasional similar errors > in my logs all the time... 1.0.1c has some known issues, you should use 1.0.1e. -- Viktor.
Re: ssl errors in log. error on remote or local side?
On 2013-05-22 12:19 PM, Viktor Dukhovni wrote:
> 1.0.1c has some known issues, you should use 1.0.1e.

Hmmm... generally, gentoo is very good at keeping up with security or critical functionality issues. 1.0.1c has been stable for quite some time. Maybe they have added patches to address whatever concerns you are talking about...

-- 
Best regards,
Charles
Re: ssl errors in log. error on remote or local side?
--On Wednesday, May 22, 2013 12:30 PM -0400 Charles Marcus wrote:
> On 2013-05-22 12:19 PM, Viktor Dukhovni wrote:
>> 1.0.1c has some known issues, you should use 1.0.1e.
>
> Hmmm... generally, gentoo is very good at keeping up with security or
> critical functionality issues. 1.0.1c has been stable for quite some time.
> Maybe they have added patches to address whatever concerns you are talking
> about...

Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can absolutely confirm that Gentoo has applied all of the patches from both of those releases to their build, I would strongly advise you to roll your own 1.0.1e release.

--Quanah

-- 
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Postfix, Autoreply
Thank you so much Charles, I was able to download that script you pointed to in the last email. Now, this may be a dumb question, but I would like to deploy this script at the spam filter level before mail reaches our imap/pop server. At the spam filter level I don't have a database for users. I was hoping to find something simple that can be implemented at the spam filter level so that email bound for a user on vacation can be replied to automatically. Maybe I dream about having this feature, or have I seen it before?

I really appreciate your help!

Thanks Again,

On Wed, May 22, 2013 at 8:30 AM, Charles Marcus wrote:
> Please don't top-post - response inline below...
>
> On 2013-05-22 10:25 AM, motty cruz wrote:
>> On Wed, May 22, 2013 at 4:11 AM, Charles Marcus wrote:
>>> On 2013-05-21 8:23 PM, Benny Pedersen wrote:
>>>> motty cruz skrev den 2013-05-21 02:04:
>>>>> Does anybody have a script that work for autoresponders?
>>>>
>>>> try the one in postfixadmin, note it does not reply to maillists blindly
>>>
>>> Well... I had a lot of trouble with it responding to a lot of things
>>> that it shouldn't (facebook junk, etc).
>>>
>>> The latest trunk version of the vacation script has a new variable and
>>> test function that lets the admin easily add new strings to test for in the
>>> From/MailFrom (envelope and headers) that will result in not sending the
>>> vacation message.
>>>
>>> I highly recommend using the new version if you decide to use it. It is
>>> very effective now for my purposes.
>>
>> Thank your suggestions, do you mind pointing to a source for vacation
>> script? I'm using FreeBSD
>>
>> Thank you for your help!
>
> My apologies... I see that Rudi still hasn't merged the last version of
> these changes to the trunk version. I just pinged him to see if he will do
> so, but until then, here is his latest version:
>
> https://github.com/valkum/postfixadmin/blob/cdcccddbe2e1d6758cd63899e7b8973156f1412a/VIRTUAL_VACATION/vacation.pl
>
> It has been running on my system for months now, and works great. Reduced
> the number of bogus responses from many per day per user, to virtually
> none, with my expanded custom no_reply string:
>
> $noreply_pattern =
> 'alert|autoreply|auto-reply|bounce|constantcontact|do-not-reply|facebook|linkedin|list-|listserv|mailer|majordomo|myspace|newsletter|noreply|no-reply|owner\-|\-(owner|request|bounces)|postmaster|request\-|twitter';
>
> --
>
> Best regards,
>
> Charles
Re: ssl errors in log. error on remote or local side?
On 2013-05-22 12:38 PM, Quanah Gibson-Mount wrote:
> --On Wednesday, May 22, 2013 12:30 PM -0400 Charles Marcus wrote:
>> On 2013-05-22 12:19 PM, Viktor Dukhovni wrote:
>>> 1.0.1c has some known issues, you should use 1.0.1e.
>>
>> Hmmm... generally, gentoo is very good at keeping up with security or
>> critical functionality issues. 1.0.1c has been stable for quite some time.
>> Maybe they have added patches to address whatever concerns you are talking
>> about...
>
> Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can absolutely
> confirm that Gentoo has applied all of the patches from both of those
> releases to their build, I would strongly advise you to roll your own
> 1.0.1e release.
>
> --Quanah

Ok, but I'd prefer to check this out first and get gentoo to update/stabilize 1.0.1e...

Any pointers/links to anything outlining said serious problems?

Thanks for the heads up...

-- 
Best regards,
Charles
/var/spool/postfix/private file permissions
Hi,

The guidelines for setting up postfix with dovecot SASL recommend setting the file permissions on /var/spool/postfix/private/auth to 660. Yet all the other sockets in the .../private directory have 666 permissions. Does it matter? They are all owned by postfix:postfix and the parent directory is owned by postfix:root with permission 700.

This is on a CentOS 6.4 system.

peter

Peter Skensved                                  Email : pe...@sno.phy.queensu.ca
Dept. of Physics, Queen's University, Kingston, Ontario, Canada
Re: postscreen questions
On 22 May 2013, at 11:02, Noel Jones wrote:

>> so, the RBLs are getting utilized by postscreen before it even hits
>> the smtp service. So, am I right to assume that the
>> reject_rbl_client lines in my smtpd_recipient_restrictions are no
>> longer needed?
>
> No, not needed. But some folks like to leave them in anyway because 1) they're "free" if the DNS response is currently cached and 2) postscreen internally caches "PASS" status, possibly after a bad client is newly listed in an rbl.

And 3) there are more fine-tuned configurations available via the core Postfix settings to handle cases where you can tolerate "false positive" hits for some addresses but not others.

For example: my own system serving family and friends has a handful of older addresses whose history has left them with massive spam loads, but the overwhelming volume of its legitimate mail is aimed at other addresses using a couple of different "tagging" patterns that are aliases for those legacy addresses. Because the tagged addresses are shared in narrower ways, they rarely get spam of any sort and are easily burned when they do. I use DNSBLs that can be overaggressive, which alone each fall short of my postscreen limit, but which also are in reject_rbl_client rules AFTER a check_recipient_access rule which OK's the alias patterns. The result is that mail to tagged addresses has more lenient treatment with respect to those FP-prone DNSBLs, and I don't have to work out the issue of how and whether to whitelist legit mail from problematic mixed sources in Postfix.
postfix and dovecot SASL
I've set up dovecot to provide SASL for postfix and as far as I can tell everything is working correctly. However, when I do an ehlo localhost I don't see it announcing anything about AUTH:

Connected to localhost.
Escape character is '^]'.
220 xxx.yyy.QueensU.CA ESMTP Postfix
ehlo localhost
250-xxx.yyy.QueensU.CA
250-PIPELINING
250-SIZE 4096
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Am I missing something in the configuration of postfix (or dovecot)? The log files tell me that it authenticates and entering the wrong password makes it fail etc.

peter
Re: Postfix, Autoreply
Again - please do not top-post. If you don't know what that means, google is your friend.

On 2013-05-22 12:42 PM, motty cruz wrote:
> thank you so much Charles, I was able to download that script you pointed to in the last email,

You're welcome.

> now this may be a dumb question but I would like to deploy this script at the spam filter level before reaching our imap/pop server. At the spam filter level I don't have a database for users, ??

Think about what you just said. How are you going to control sending Vacation messages for only specific users (some will have it enabled, some won't), if you don't have access to the user database?

Also, you need to clarify what you mean by 'spam filter'. There are certain spam checks that are very cheap and can be applied early in the smtp transaction (before recipient verification). But more expensive *content* filters should never be wasted on invalid users, so should only be applied *after* recipient verification.

Determining whether or not to send a Vacation message is one of the (if not *the*) *last* stages in email delivery, *long* after any spam/content filters.

> I was hoping to find something simple that can be implemented at the spam filter level so that email bound to a user on vacation can be replied to automatically. maybe I dream about having this feature or I have seen it before?

No, you're not dreaming, you're just not thinking through how it must work.

-- Best regards, Charles
Re: ssl errors in log. error on remote or local side?
--On Wednesday, May 22, 2013 1:17 PM -0400 Charles Marcus wrote: On 2013-05-22 12:38 PM, Quanah Gibson-Mount wrote: --On Wednesday, May 22, 2013 12:30 PM -0400 Charles Marcus wrote: On 2013-05-22 12:19 PM, Viktor Dukhovni wrote: 1.0.1c has some known issues, you should use 1.0.1e. Hmmm... generally, gentoo is very good at keeping up with security or critical functionality issues. 1.0.1c has been stable for quite some time. Maybe they have added patches to address whatever concerns you are talking about... Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can absolutely confirm that Gentoo has applied all of the patches from both of those releases to their build, I would strongly advise you to roll your own 1.0.1e release. --Quanah Ok, but I'd prefer to check this out first and get gentoo to update/stabilize 1.0.1e... Any pointers/links to anything outlining said serious problems? Thanks for the heads up... I would read the CHANGES file shipped with OpenSSL. They didn't document the changes between 1.0.1d and 1.0.1e, but you can see the changes between 1.0.1c and 1.0.1d. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration
Re: /var/spool/postfix/private file permissons
On Wed, May 22, 2013 at 01:33:35PM -0400, Peter Skensved wrote: > The guidelines for setting up postfix with dovecot SASL recommends setting > the file permissions on /var/spool/postfix/private/auth to 660. This socket is created by Dovecot. > Yet all the other sockets in the .../private directory have 666 permissions. These are created by Postfix. Access control within Postfix is via the directory permissions. 0700 for private and 0710 for public. > Does it matter? That depends on the owner/group of the Dovecot auth socket. Just make sure that user "postfix" group "postfix" can read and write to it. IIRC Postfix daemons don't have secondary groups. There is not much difference between 660 and 666 if the socket is either owned by "postfix" or its group is "postfix". -- Viktor.
Re: /var/spool/postfix/private file permissons
Viktor Dukhovni:
> On Wed, May 22, 2013 at 01:33:35PM -0400, Peter Skensved wrote:
>
>> The guidelines for setting up postfix with dovecot SASL recommends setting the file permissions on /var/spool/postfix/private/auth to 660.
>
> This socket is created by Dovecot.
>
>> Yet all the other sockets in the .../private directory have 666 permissions.

With some socket implementations, socket permissions don't work like file permissions, therefore Postfix relies on directory permissions for access control and leaves the socket permissions open for the systems where socket permissions do make a difference.

Wietse
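A check for the question in the two replies above ("can user postfix use the Dovecot socket?"), as an added example rather than code from either poster. It applies the rule the replies rest on: the Postfix daemons run as postfix:postfix with no supplementary groups, so exactly one digit of a mode applies to them, and the path to the socket is gated by the directory modes. The default spool path is an assumption, and root is deliberately not special-cased so the function reports what an unprivileged daemon would get.

```shell
#!/bin/sh
# Added example, not code from the thread. Answers "can user postfix actually
# use this socket?" from mode and ownership alone. Paths are the usual
# defaults and are assumptions.

# has_bits MODE OWNER GROUP USER UGROUP NEED
#   MODE as stat prints it (660, 0710, ...); NEED is the bit mask needed:
#   6 = read+write on a socket, 1 = search on a directory. The owner digit
#   applies when USER owns the object, else the group digit when UGROUP is
#   the object's group, else the "other" digit. Root is not special-cased.
has_bits() {
  m=$1 owner=$2 group=$3 user=$4 ugroup=$5 need=$6
  while [ ${#m} -gt 3 ]; do m=${m#?}; done    # drop a setuid/sticky digit
  while [ ${#m} -lt 3 ]; do m=0$m; done
  o=${m%??}; g=${m#?}; g=${g%?}; w=${m#??}
  if [ "$user" = "$owner" ]; then d=$o
  elif [ "$ugroup" = "$group" ]; then d=$g
  else d=$w
  fi
  [ $(( d & need )) -eq "$need" ]
}

# tri_digit rwx: one symbolic triple from ls -l to its octal digit
tri_digit() {
  n=0
  case $1 in r??) n=$((n + 4)) ;; esac
  case $1 in ?w?) n=$((n + 2)) ;; esac
  case $1 in ??[xst]) n=$((n + 1)) ;; esac   # s/t: exec bit set with setid/sticky
  echo "$n"
}

# audit_path PATH USER UGROUP NEED: has_bits applied to a real object, read
# via ls -ld so GNU and BSD stat differences do not matter. A trailing "+"
# (ACL) or "." (SELinux label, as on CentOS) after the mode is ignored.
audit_path() {
  p=$1 u=$2 ug=$3 need=$4
  info=$(ls -ld "$p") || return 2
  set -- $info
  perms=${1%[+@.]}
  owner=$3 group=$4
  body=${perms#?}                       # strip the type character
  o=$(tri_digit "${body%??????}")
  rest=${body#???}
  g=$(tri_digit "${rest%???}")
  w=$(tri_digit "${rest#???}")
  has_bits "$o$g$w" "$owner" "$group" "$u" "$ug" "$need"
}

# audit_postfix_sasl: walk the path smtpd takes to the Dovecot socket.
# Every directory needs search (1) and the socket itself needs rw (6).
audit_postfix_sasl() {
  for spec in /var/spool/postfix:1 /var/spool/postfix/private:1 /var/spool/postfix/private/auth:6; do
    p=${spec%:*} need=${spec#*:}
    if audit_path "$p" postfix postfix "$need"; then
      echo "ok      $p"
    else
      echo "DENIED  $p (postfix:postfix lacks mode bits $need)"
    fi
  done
}

if [ -S /var/spool/postfix/private/auth ]; then
  audit_postfix_sasl
fi
```

Run it on the mail host as any user; with the private directory at 0700 owned by postfix, a 660 socket owned by dovecot:postfix and a 666 socket owned by dovecot:dovecot both pass, while a 660 socket owned by dovecot:dovecot is the case that fails.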
Re: postfix and dovecot SASL
On 5/22/2013 12:42 PM, Peter Skensved wrote:
> I've set up dovecot to provide SASL for postfix and as far as I can tell everything is working correctly. However, when I do a ehlo localhost I don't see it announcing anything about AUTH :
>
> Connected to localhost.
> Escape character is '^]'.
> 220 xxx.yyy.QueensU.CA ESMTP Postfix
> ehlo localhost
> 250-xxx.yyy.QueensU.CA
> 250-PIPELINING
> 250-SIZE 4096
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> Am I missing something in the configuration of postfix ( or dovecot ) ? The log files tell me that it authenticates and entering the wrong password makes it fail etc.
>
> peter

You didn't show your "postconf -n" output, so we're reduced to guessing.

Common problem: AUTH seems to be working, but I don't see AUTH announced when I telnet localhost. Typically this means you've set "smtpd_tls_auth_only = yes", which suppresses the AUTH announcement until after an encrypted session is established -- which is usually a good thing.

To see the AUTH announcement, either temporarily set "smtpd_tls_auth_only = no", or test with "openssl s_client -connect localhost:25 -starttls smtp"

-- Noel Jones
Re: postfix and dovecot SASL
On 22 May 2013, at 13:42, Peter Skensved wrote: I've set up dovecot to provide SASL for postfix and as far as I can tell everything is working correctly. However, when I do a ehlo localhost I don't see it announcing anything about AUTH : Connected to localhost. Escape character is '^]'. 220 xxx.yyy.QueensU.CA ESMTP Postfix ehlo localhost 250-xxx.yyy.QueensU.CA 250-PIPELINING 250-SIZE 4096 250-VRFY 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN Am I missing something in the configuration of postfix ( or dovecot ) ? My telepathy says "no" but if you had done what http://www.postfix.org/DEBUG_README.html#mail advises, I could use less inconsistent tools. The log files tell me that it authenticates and entering the wrong password makes it fail etc. Right. While it is not a default, smtpd_tls_auth_only=yes is a commonly recommended and wise setting. You probably have it.
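The test both replies suggest, as an added example (not the posters' commands): compare the EHLO response on the plaintext channel with the one after STARTTLS and report whether AUTH, and which mechanisms, appear on each. With smtpd_tls_auth_only = yes only the post-STARTTLS response should carry AUTH. The parsing functions run offline on the constructed responses included below; the probe functions assume nc(1) and openssl(1) are installed and that the MTA listens on port 25 of the host given, and "probe.example" is a placeholder EHLO name.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an SMTP EHLO response for the
# AUTH capability and probes a server before and after STARTTLS.

# Constructed sample responses modelled on the one in the question: the same
# Postfix with smtpd_tls_auth_only = yes, before and after STARTTLS.
EHLO_PLAINTEXT='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

EHLO_AFTER_STARTTLS='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# auth_advertised: exit 0 if the EHLO response on stdin offers AUTH.
# Postfix writes "250-AUTH PLAIN LOGIN"; with broken_sasl_auth_clients = yes
# it also writes the legacy "250-AUTH=PLAIN LOGIN" form, so accept both.
auth_advertised() {
  tr -d '\r' | grep -qi '^250[- ]AUTH[ =]'
}

# auth_mechs: print the mechanism list from the first AUTH line (or nothing).
auth_mechs() {
  tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | head -n 1
}

# ehlo_plain HOST: the EHLO response on the unencrypted channel. This is what
# "telnet localhost 25" sees; with smtpd_tls_auth_only = yes it has no AUTH.
ehlo_plain() {
  printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" 25
}

# ehlo_tls HOST: the EHLO response after STARTTLS. s_client sends the first
# EHLO and the STARTTLS itself; the EHLO fed on stdin is the post-TLS one,
# which is where Postfix starts advertising AUTH.
ehlo_tls() {
  printf 'EHLO probe.example\r\nQUIT\r\n' |
    openssl s_client -connect "$1:25" -starttls smtp -quiet 2>/dev/null
}

# report HOST: one line per channel, e.g. "tls: AUTH PLAIN LOGIN".
report() {
  if ehlo_plain "$1" | auth_advertised; then
    echo "plain: AUTH offered (passwords may be sent unencrypted)"
  else
    echo "plain: no AUTH"
  fi
  if m=$(ehlo_tls "$1" | auth_mechs) && [ -n "$m" ]; then
    echo "tls: AUTH $m"
  else
    echo "tls: no AUTH (check smtpd_sasl_auth_enable and the dovecot socket)"
  fi
}

# Offline demonstration on the constructed samples:
if printf '%s\n' "$EHLO_PLAINTEXT" | auth_advertised; then
  echo "sample plaintext: AUTH offered"
else
  echo "sample plaintext: no AUTH"
fi
echo "sample after STARTTLS: AUTH $(printf '%s\n' "$EHLO_AFTER_STARTTLS" | auth_mechs)"
```

Call report localhost on the server; "plain: no AUTH" together with "tls: AUTH PLAIN LOGIN" is the expected picture for a server that has smtpd_tls_auth_only = yes, and seeing AUTH on the plain line is the configuration to fix rather than the one to aim for.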
Re: performance of postfix
On 5/22/2013 10:13 AM, Viktor Dukhovni wrote:
> On Wed, May 22, 2013 at 04:45:42PM +0300, Selcuk Yazar wrote:
> If your content filter is not very fast, bursts of mail will accumulate while they are waiting to be scanned. Then the queue becomes empty. You may also have deferred mail that is retried periodically. Your logs have a more complete picture. To improve content filter performance, eliminate remote DNS lookups in the filter, or increase concurrency. If the problem is lack of sufficient CPU resources, try to find a more performant scanner or turn off optional scanning features you don't need. Since mail is not delayed for very long, there is no problem (certainly not with Postfix itself, but scanning could perhaps be tuned).
>>
>> I found a script for log analysis (sourceforge), results are like below. I think we have some queue problem, as I understand, 95% of e-mails wait in queue 132 seconds?
>
> No, less than 5% of messages spend more than 132s in the active queue. Most messages spend less than 21s, with 50% delivered immediately.
>
>> postfix logwatch
>>
>> === Delivery Delays Percentiles
>>
>>                  0%     25%     50%     75%     90%     95%     98%    100%
>> In qmgr        0.00    0.00    0.01   21.00  110.00  132.00  158.00  180.00
>> Conn setup     0.00    0.00    0.00    0.00    0.85    9.43   51.00  226.00
>> Transmission   0.00    0.11    4.70    6.20   13.00   18.00   22.00   73.00
>> Total          0.04    1.10    9.00   46.00  123.00  154.00  180.00 2373.00
>
> To understand what is actually going on, you'll have to *read* the logs, not just look at summaries.

I've been using logwatch for quite some time and I've found the Delivery Delay Percentiles '100%' column to be seemingly pulled from thin air. Don't rely on it.
=== Delivery Delays Percentiles

                 0%     25%     50%     75%     90%     95%     98%    100%
Before qmgr    0.02    0.03    0.06    0.28    0.42    0.88    2.48    9.20
In qmgr        0.00    0.02    0.02    0.03    0.03    0.03    0.04    0.06
Conn setup     0.00    0.00    0.00    0.00    0.00    0.00    0.55    2.70
Transmission   0.03    0.07    0.62    3.10    4.12    5.36    9.75  232.00
Total          0.08    0.12    1.50    3.60    4.82    6.90   11.28  232.00

For instance this summary of yesterday shows 232s for Transmission. Yet when I search my last ~3 days of logs with:

~$ grep local /var/log/mail.log|mawk '{ print($10) }'|grep "delays"
~$ grep smtp /var/log/mail.log|mawk '{ print($10) }'|grep "delays"

the largest value I see is 3.1s, in smtp. For local all delays are less than one second.

> You'll probably find occasional latency sending messages through the content filter. If that's a problem, tune the content filter to remove DNS lookups or raise its concurrency. If the content filter is using all available CPU resources, tune it to do less, or find a more efficient one.
>
> Before any of that, locate the log entries showing delayed deliveries, read them, and figure out the reasons for the delay.

I'm using spamc/spamd via pipe so it doesn't add to delays in postfix/local log stamps. To see the spamd delays I use:

~$ grep scantime /var/log/mail.log|mawk '{ print($12) }'|cut -f1 -d,

This shows the largest spamd time is 37.7s, the next largest 13.0s. Some 95% appear to be less than 6s. Summing the largest of these with corresponding postfix/local delays doesn't come close to 232s, but less than 40s.

-- Stan
Re: postscreen questions
On 5/22/2013 10:02 AM, Noel Jones wrote:
...
> Secondly, remember postscreen is intended as a quick-and-simple zombie killer, its only purpose is to reduce the workload on the more complex filters further downstream.

This fact is not emphasized often enough. Many people forget the intended purpose of postscreen, or simply never read the opening of the docs, and falsely see it as a replacement for smtpd_foo_restrictions, policy daemons, firewalls, etc. This is a direct result of the feature creep late in the development of postscreen. While the added features are beneficial to some, they are not a replacement for most of the existing antispam features of Postfix and popular addons. In fact, for low volume servers, using postscreen can be more trouble than it's worth according to many posts here, especially if 'after 220' tests are enabled without fully understanding the ramifications.

I've personally never configured postscreen. Why?

1. My servers are low volume
2. I've never had problems with bots eating up smtpds
3. I reject in smtpd w/3 dnsbls and 3 rhsbls and this has worked great

I'll make an educated guess that many folks here have configured postscreen simply because it was/is "the new thing", without considering whether they -needed- it or not. Many have run into the same address based whitelisting problem mentioned here, and either ditched postscreen, or spent hours/days trying to tweak it just right.

My advice is to avoid postscreen unless bots are eating up your smtpds. If they're not, and your current setup works well, you gain little, or nothing, by using postscreen, but for headaches integrating it.

-- Stan
Re: performance of postfix
On Wed, May 22, 2013 at 03:00:44PM -0500, Stan Hoeppner wrote:
> > You'll probably find occasional latency sending messages through the content filter. If that's a problem, tune the content filter to remove DNS lookups or raise its concurrency. If the content filter is using all available CPU resources, tune it to do less, or find a more efficient one.
> >
> > Before any of that, locate the log entries showing delayed deliveries, read them, and figure out the reasons for the delay.
>
> I'm using spamc/spamd via pipe so it doesn't add to delays in postfix/local log stamps. To see the spamd delays I use:
>
> ~$ grep scantime /var/log/mail.log|mawk '{ print($12) }'|cut -f1 -d,

When the scanner throughput is too low, the delay shows up in the active queue of the pre-scan Postfix instance, not in the scanner's time-to-scan-a-message logs. Messages sitting in active waiting to be scheduled for scanning are not seen by the non-telepathic scanner.

-- Viktor.
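A way to read the logs directly instead of trusting a summary, covering both Stan's grep for the delays field and Viktor's point about where filter backlog shows up. This is an added example, not either poster's commands. Postfix logs each delivery with delays=a/b/c/d, where a is the time before the queue manager, b the time in the active queue, c connection setup and d transmission; a content filter that cannot keep up inflates b on the pre-filter instance, not its own scan-time lines. The functions break the field into those four parts with max and nearest-rank 95th percentile, and list the queue IDs that sat in the active queue longer than a threshold. The log lines are constructed for the example and use documentation hostnames and addresses.

```shell
#!/bin/sh
# Added example, not Stan's or Viktor's commands. Splits the Postfix
# delays=a/b/c/d field (a = before qmgr, b = in active queue, c = connection
# setup, d = transmission) and points at the slow deliveries.

# Constructed log lines: a normal remote delivery, one that waited 131s in
# the active queue before the content filter on port 10024 took it, a local
# pipe delivery, and a deferred message whose connect attempt timed out.
SAMPLE_LOG='May 22 13:37:01 mx postfix/smtp[1234]: 3B2C1A0001: to=<a@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=0.45, delays=0.02/0.01/0.12/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1)
May 22 13:37:05 mx postfix/smtp[1235]: 3B2C1A0002: to=<b@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=132, delays=0.05/131/0.01/0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2)
May 22 13:37:09 mx postfix/local[1236]: 3B2C1A0003: to=<c@example.com>, relay=local, delay=3.1, delays=0.1/0.02/0/3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/spamc)
May 22 13:38:00 mx postfix/smtp[1237]: 3B2C1A0004: to=<d@example.net>, relay=none, delay=226, delays=0.01/0.02/226/0, dsn=4.4.1, status=deferred (connect to mx.example.net[203.0.113.5]:25: Connection timed out)'

# delay_breakdown: log lines on stdin; one line per component with the
# count, maximum and nearest-rank 95th percentile, e.g.
#   in_qmgr count=4 max=131 p95=131
delay_breakdown() {
  tr -d '\r' | awk '
    BEGIN { name[1] = "before_qmgr"; name[2] = "in_qmgr"; name[3] = "conn_setup"; name[4] = "transmission" }
    match($0, /delays=[0-9.]+\/[0-9.]+\/[0-9.]+\/[0-9.]+/) {
      split(substr($0, RSTART + 7, RLENGTH - 7), d, "/")
      n++
      for (i = 1; i <= 4; i++) {
        v[i, n] = d[i] + 0
        if (v[i, n] > max[i]) max[i] = v[i, n]
      }
    }
    END {
      for (i = 1; i <= 4; i++) {
        for (j = 1; j <= n; j++) a[j] = v[i, j]
        for (j = 2; j <= n; j++) {            # insertion sort; n is small
          x = a[j]; k = j - 1
          while (k >= 1 && a[k] > x) { a[k + 1] = a[k]; k-- }
          a[k + 1] = x
        }
        r = int(0.95 * n); if (r < 0.95 * n) r++   # nearest-rank 95th percentile
        if (r < 1) r = 1
        printf "%s count=%d max=%g p95=%g\n", name[i], n, max[i], a[r]
      }
    }'
}

# queued_over SECONDS: queue id, relay and delays of every delivery whose
# in-active-queue time (b) exceeded SECONDS. These are the entries to read.
queued_over() {
  tr -d '\r' | awk -v thr="$1" '
    match($0, /delays=[0-9.\/]+/) {
      split(substr($0, RSTART + 7, RLENGTH - 7), d, "/")
      if (d[2] + 0 > thr + 0) {
        qid = $6; sub(/:$/, "", qid)
        relay = "relay=?"
        if (match($0, /relay=[^,]+/)) relay = substr($0, RSTART, RLENGTH)
        print qid, relay, "delays=" d[1] "/" d[2] "/" d[3] "/" d[4]
      }
    }'
}

# usage on a real host:
#   delay_breakdown < /var/log/mail.log
#   queued_over 60  < /var/log/mail.log
printf '%s\n' "$SAMPLE_LOG" | delay_breakdown
printf '%s\n' "$SAMPLE_LOG" | queued_over 60
```

On the constructed lines the in_qmgr maximum is 131s and queued_over 60 names only the delivery to the content filter port, which is the shape a filter backlog takes in the pre-filter instance's log; the 226s connection timeout shows up under conn_setup instead, so the two causes are not confused.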
Re: performance of postfix
On 5/22/2013 4:04 PM, Viktor Dukhovni wrote: > On Wed, May 22, 2013 at 03:00:44PM -0500, Stan Hoeppner wrote: > >>> You'll probably find occasional >>> latency sending messages through the content filter. If that's a >>> problem, tune the content filter to remove DNS lookups or raise >>> its concurrency. If the content filter is using all available CPU >>> resources, tune it to do less, or find a more efficient one. >>> >>> Before any of that, locate the log entries showing delayed deliveries, >>> read them, and figure out the reasons for the delay. >> >> I'm using spamc/spamd via pipe so it doesn't add to delays in postfix/local >> log stamps. To see the spamd delays I use: >> >> ~$ grep scantime /var/log/mail.log|mawk '{ print($12) }'|cut -f1 -d, > > When the scanner throughput is too low, the delay shows up in the > active queue of the pre-scan Postfix instance, not in the scanner > time to scan a message logs. Messages sitting in active wating to > be scheduled for scanning are not seen by the non-telepathic scanner. The only point I was making is that some of the logwatch summary values may not be accurate, providing him a heads up as he had apparently never used logwatch prior to installing it and posting his summary table. I was not attempting to troubleshoot his larger issue in this post. -- Stan