Postfix master dead but pid file exists
Dear List,

We have a mail server running on RHEL 6.2 with the following components :-

1. Postfix
2. Openldap
3. Courier-authlib
4. Courier-imap
5. SASL
6. Maildrop

The problem is the postfix stops running after some time and the postfix status is showing "master dead but pid file exists". The main.cf file and the output of postconf -d are attached herein.

I have also gone through the log files but could not find any errors.

Please help me to resolve this issue.

Regards,
Jayanta

main.cf Description: Binary data
Re: Postfix master dead but pid file exists
Jayanta Ghosh:
> Dear List,
> The problem is the postfix stops running after sometime and the postfix
> status is showing "master dead but pid file exists" . The main.cf file and

PLEASE FILE A REDHAT BUG REPORT. THIS WORKS PROPERLY IN POSTFIX AS DISTRIBUTED FROM POSTFIX.ORG.

Wietse
Re: Postfix master dead but pid file exists
On Mon, Jun 10, 2013 at 01:08:12PM +0530, Jayanta Ghosh wrote:

> The problem is the postfix stops running after sometime

This is the problem you should pursue: Why does Postfix "stop running"? For this, you need to read your logs.

> and the postfix status is showing "master dead but pid file exists".

This is a non-issue you should ignore.

> the output of postconf -d is attached herein.

This is unnecessary.

> I have also gone through the log files but could not find any errors.

You need to look at the logs more carefully. Sometimes error messages are sent to a different log file than regular messages. Find any and all logging from postfix/master. Find out when mail delivery stopped. What was happening around the time the last few messages were logged...

--
Viktor.
recipient_bcc_maps use case
Hi list,

I need to setup recipient_bcc_maps to get the following behaviour:
- by default, I need every message to be BCC'd to default_...@example.com
- for particular recipients, I need the message to be BCC'd to other_...@example.com (and to this address only)
- I need particular recipients to be stored in mysql, because of integration with other apps

How should I get this?
My first solution is:

recipient_bcc_maps = mysql:/etc/postfix/recipient_bcc_maps.cf,
    regexp:/etc/postfix/recipient_bcc_maps.regexp

/etc/postfix/recipient_bcc_maps.regexp:
/^.*$/default_...@example.com

The idea is: I look for "special" recipient addresses in mysql first and fallback to the regexp in case of non-match only.

Is this going to work?
If not, would you please point me to the relevant documentation?

Thanks,
Fabio
Re: recipient_bcc_maps use case
> Hi list,
>
> I need to setup recipient_bcc_maps to get the following behaviour:
> - by default, I need every message to be BCC'd to
> default_...@example.com
> - for particular recipients, I need the message to be BCC'd to
> other_...@example.com (and to this address only)
>
> - I need particular recipients to be stored in mysql, because of
> integration with other apps
>
> How should I get this?
> My first solution is:
>
> recipient_bcc_maps = mysql:/etc/postfix/recipient_bcc_maps.cf,
> regexp:/etc/postfix/recipient_bcc_maps.regexp
>
> /etc/postfix/recipient_bcc_maps.regexp:
> /^.*$/default_...@example.com
>
> The idea is: I look for "special" recipient addresses in mysql first
> and fallback to the regexp in case of non-match only.
>
> Is this going to work?
> If not, would you please point me to the relevant documentation?
>
> Thanks,
> Fabio
>

You may use something like this:

bcc_table:
address | enabled
 | 1
spec...@example.com | 1

SELECT case when `enabled` then 'other_...@example.com' else 'default_...@example.com' end
FROM `bcc_table`
where `address` in ('%s','')
order by `address` desc
limit 1;

It's not perfect - just pointing into possible mysql solution without extra lookup table.
You may also consider using WHERE clause with user_part= '%u' and domain='%d'.

Regards
V.Dimitrov
RE: check_policy_service not for rejected?
On Mon, 10 Jun 2013, Dudi Goldenberg wrote:

>> Any ideas?
>>
>> smtpd_recipient_restrictions = check_policy_service unix:private/policy,
>>     permit_mynetworks,
>>     permit_sasl_authenticated,
>>     reject_unauth_destination,
>>     reject
>
> Move the policy check to the end of the list, just before the reject.

If I do that the check_policy_service will not be used if permit_mynetworks or permit_sasl_authenticated is matched.

/Jonas
Re: check_policy_service not for rejected?
On 6/10/2013 12:13 AM, j...@soe.se wrote:
> Hello,
>
> I have written a small policy service.
> But I wish to not use it for those emails which are rejected. Only
> permitted emails (permit_mynetworks and permit_sasl_authenticated)
>
> Any ideas?
>
> smtpd_recipient_restrictions = check_policy_service
> unix:private/policy,
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination,
> reject
>
> /Jonas

"reject_unauth_destination, reject" can be simplified to just "reject", leaving:

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject

smtpd_data_restrictions =
    check_policy_service unix:private/policy

Note: the "reject" you've put at the end of smtpd_recipient_restrictions means that this will be a "private" mail server -- only clients listed in mynetworks or SASL authenticated will be able to send you mail. I guess that's what you intend.

--
Noel Jones
Re: check_policy_service not for rejected?
On Mon, 10 Jun 2013, Noel Jones wrote:

> On 6/10/2013 12:13 AM, j...@soe.se wrote:
>> Hello,
>>
>> I have written a small policy service.
>> But I wish to not use it for those emails which are rejected. Only permitted emails (permit_mynetworks and permit_sasl_authenticated)
>>
>> Any ideas?
>>
>> smtpd_recipient_restrictions = check_policy_service unix:private/policy,
>>     permit_mynetworks,
>>     permit_sasl_authenticated,
>>     reject_unauth_destination,
>>     reject
>>
>> /Jonas
>
> "reject_unauth_destination, reject" can be simplified to just "reject", leaving:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject
>
> smtpd_data_restrictions =
>     check_policy_service unix:private/policy

I didn't think of that. :-)
It's working. Thanks a lot!

> Note: the "reject" you've put at the end of smtpd_recipient_restrictions means that this will be a "private" mail server -- only clients listed in mynetworks or SASL authenticated will be able to send you mail. I guess that's what you intend.

Yes, only to send email. Not for receive/store.

Thanks again!

/Jonas
Postscreen and policies
Hello,

Postscreen (Postfix 2.10) is working very well indeed but I am having an issue with understanding where a policy check should be implemented. main.cf looks like:

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_policy_service inet:127.0.0.1:10031,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    permit
postscreen_cache_map = memcache:/etc/postfix/postscreen/memcache.cf
postscreen_greet_action = enforce
postscreen_dnsbl_sites = sip.invaluement.local,sip24.invaluement.local,zen.spamhaus.org,bl.spamcop.net,bl.mailspike.net
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_action = enforce
postscreen_access_list = permit_mynetworks,cidr:/etc/postfix/postscreen/access.cidr

and in master.cf I have:

smtp      inet  n  -  n  -  1  postscreen
smtpd     pass  -  -  n  -  -  smtpd
tlsproxy  unix  -  -  n  -  0  tlsproxy
dnsblog   unix  -  -  n  -  0  dnsblog

Yet when I SASL authenticate the policy service does not appear to be triggered; as I am trying to limit number of emails sent by SASL username.

I thought that if the Postscreen checks were successfully passed then the connection would then flow through to a SMTP (smtpd) server process. Is that correct ? Should I move the smtpd_recipient_restrictions into master.cf ?

A little baffled at the moment.

Thank you.

Phil
Problem with transport setup
Hi,

I'm looking at integrating dspam into postfix in a "Non-Postfix mailbox store: separate domains, non-UNIX accounts" setup as described here:

http://www.postfix.org/VIRTUAL_README.html#in_virtual_other

The problem I have is getting the retraining to work. The idea is to forward an email with wrong classification to spam@... or ham@... so that dspam retrains. But after being processed by the dspam retrain script, postfix attempts to deliver the forwarded email which fails because there are no spam@... ham@... email addresses.

Anyone have a hint what I'm doing wrong?

/var/log/maillog:
Jun 10 20:19:07 test postfix/smtpd[13975]: connect from localhost[::1]
Jun 10 20:19:08 test postfix/cleanup[13958]: 12812BE6: message-id=<20130610181908.12812...@test.puzzled.xs4all.nl>
Jun 10 20:19:08 test postfix/qmgr[13952]: 12812BE6: from=, size=317, nrcpt=1 (queue active)
Jun 10 20:19:08 test postfix/pipe[13979]: 12812BE6: to=, relay=dspam-retrain, delay=0.07, delays=0.06/0.01/0/0, dsn=2.0.0, status=deliverable (delivers to command: /usr/bin/dspam-retrain-forward.pl)
Jun 10 20:19:08 test postfix/qmgr[13952]: 12812BE6: removed
Jun 10 20:19:11 test postfix/smtpd[13975]: NOQUEUE: reject: RCPT from localhost[::1]: 550 5.1.1 : Recipient address rejected: User unknown; from= to= proto=ESMTP helo=
Jun 10 20:19:11 test postfix/smtpd[13975]: disconnect from localhost[::1]

/etc/postfix/master.cf:
10.0.0.184:smtp inet n - n - - smtpd
  -o content_filter=lmtp:unix:/var/run/dspam/dspam.sock
127.0.0.1:smtp inet n - n - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
[::1]:smtp inet n - n - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
dspam-retrain unix - n n - - pipe
  flags=XRu user=dspam argv=/usr/bin/dspam-retrain-forward.pl --debug=no --client --user ${sender} --class=${nexthop} --source=error --full=yes --headers-only=no --bodies-only=yes --first-only=no --skip-first=no --bin-dir=/usr/bin
127.0.0.1:10026 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,[::1]/128
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
[::1]:10026 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,[::1]/128
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

/etc/postfix/transport:
s...@example.org dpsam-retrain:spam
h...@example.org dspam-retrain:innocent

postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
canonical_classes = envelope_recipient
canonical_maps = proxy:ldap:/etc/postfix/ldap-canonical.cf
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 10.0.0.0/24, 127.0.0.0/8, [::1]/128
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
smtpd_recipient_restrictions = reject_unverified_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_sender_domain, reject_non_fqdn_sender
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_reason = Recipient address verification fai
Re: Postscreen and policies
Phil Daws:
> Postscreen (Postfix 2.10) is working very well indeed but I am
> having an issue with understanding where a policy check should be
> implemented. main.cf looks like:
...
> Yet when I SASL authenticate the policy service does not appear
> to be triggered; as I am trying to limit number of emails sent by
> SASL username.

Are you connecting to port 25 or to port 587? Nowadays it is quite common to use port 25 for MTA-to-MTA service and port 587 for mail clients. Those may have their own smtpd_mumble_restrictions.

This is an example master.cf entry from Postfix 2.11.

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

In particular this overrides smtpd_recipient_restrictions from main.cf.

Wietse
Re: Problem with transport setup
Patrick Lists:
> Jun 10 20:19:11 test postfix/smtpd[13975]: NOQUEUE: reject: RCPT from
> localhost[::1]: 550 5.1.1 : Recipient address
> rejected: User unknown; from= to=
> proto=ESMTP helo=

To fix the "User unknown" error see this document:

http://www.postfix.org/ADDRESS_CLASS_README.html

Wietse
Re: Postscreen and policies
- Original Message -
From: "Wietse Venema"
To: "Postfix users"
Sent: Monday, 10 June, 2013 8:10:50 PM
Subject: Re: Postscreen and policies

Phil Daws:
> Postscreen (Postfix 2.10) is working very well indeed but I am
> having an issue with understanding where a policy check should be
> implemented. main.cf looks like:
...
> Yet when I SASL authenticate the policy service does not appear
> to be triggered; as I am trying to limit number of emails sent by
> SASL username.

Are you connecting to port 25 or to port 587? Nowadays it is quite common to use port 25 for MTA-to-MTA service and port 587 for mail clients. Those may have their own smtpd_mumble_restrictions.

This an example master.cf entry from Postfix 2.11.

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

In particular this overrides smtpd_recipient_restrictions from main.cf.

Wietse

Good evening Wietse. We are using port 25 at present, though will get users migrated to 587 ASAP, but in the meantime would like to use postscreen and the check policy service. Was my thinking correct that if a client passed postscreen it would then flow through to a smtpd process ? and at that point the smtpd_client_restrictions from main.cf would be processed in hierarchy order ?

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    check_policy_service inet:127.0.0.1:10031,
    reject_unlisted_recipient,
    permit

So if it gets past reject_non_fqdn_recipient then it would hit the policy service; which it never appears to do :(

Thank you.
Re: Postscreen and policies
On 6/10/2013 1:49 PM, Phil Daws wrote:
> Hello,
>
> Postscreen (Postfix 2.10) is working very well indeed but I am having an
> issue with understanding where a policy check should be implemented. main.cf
> looks like:
>
> smtpd_relay_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_policy_service inet:127.0.0.1:10031,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unlisted_recipient,
> permit
> postscreen_cache_map = memcache:/etc/postfix/postscreen/memcache.cf
> postscreen_greet_action = enforce
> postscreen_dnsbl_sites =
> sip.invaluement.local,sip24.invaluement.local,zen.spamhaus.org,bl.spamcop.net,bl.mailspike.net
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_action = enforce
> postscreen_access_list =
> permit_mynetworks,cidr:/etc/postfix/postscreen/access.cidr
>
> and in master.cf I have:
>
> smtp inet n - n - 1 postscreen
> smtpd pass - - n - - smtpd
> tlsproxy unix - - n - 0 tlsproxy
> dnsblog unix - - n - 0 dnsblog
>
> Yet when I SASL authenticate the policy service does not appear to be
> triggered; as I am trying to limit number of emails sent by SASL username.

You've put check_policy_service AFTER permit_sasl_authenticated. First match wins, so the policy never gets called for authenticated clients.

Depending on your needs, you can put your check_policy_service in smtpd_data_restrictions or smtpd_sender_restrictions by itself.

smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10031

It's also common for there to be overrides for the submission service in master.cf that change the options you've set in main.cf.

>
> I thought that if the Postscreen checks were successfully passed then the
> connection would then flow through to a SMTP (smtpd) server process. Is that
> correct ? Should I move the smtpd_recipient_restrictions into master.cf ?

Hopefully SASL and postscreen have no interaction -- postscreen should be configured for only port 25, and SASL should only be on submission.

Using postscreen + SASL on port 25 is guaranteed to cause headaches -- users may be rejected by postscreen before they ever get a chance to authenticate. If you must offer SASL on port 25, don't use postscreen.

-- Noel Jones

>
> A little baffled at the moment.
>
> Thank you.
>
> Phil
>
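The "first match wins" ordering from this reply, and the same ordering question in the earlier "check_policy_service not for rejected?" thread, as an added example that is not part of any post: a simplified Python model of restriction-list evaluation that records in which list the policy service is actually reached. The client records, the run() helper and the rule that every unmodelled check answers DUNNO are assumptions of the example, not Postfix code.

```python
# Added example: simplified model of Postfix smtpd restriction-list evaluation.
# Assumption: restrictions that are not modelled below answer "dunno".

# Order in which the lists are consulted for one recipient, then at DATA.
STAGES = [
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions", "smtpd_data_restrictions",
]

def evaluate(restriction, client):
    """Result of one restriction for a constructed client: permit/reject/dunno."""
    if restriction in ("permit", "reject"):
        return restriction
    if restriction == "permit_mynetworks":
        return "permit" if client["in_mynetworks"] else "dunno"
    if restriction == "permit_sasl_authenticated":
        return "permit" if client["sasl_username"] else "dunno"
    if restriction == "reject_unauth_destination":
        return "dunno" if client["rcpt_is_ours"] else "reject"
    return "dunno"  # check_policy_service and the other reject_* checks

def run(config, client):
    """Return (verdict, list of stages in which the policy service was called)."""
    policy_calls = []
    for stage in STAGES:
        for restriction in config.get(stage, []):
            if restriction.startswith("check_policy_service"):
                policy_calls.append(stage)
            result = evaluate(restriction, client)
            if result == "reject":
                return "reject", policy_calls  # a reject ends the whole delivery
            if result == "permit":
                break  # a permit ends this list only; later lists still run
    return "accept", policy_calls

POLICY = "check_policy_service inet:127.0.0.1:10031"
RELAY = ["permit_mynetworks", "permit_sasl_authenticated",
         "reject_unauth_destination"]

# Phil's main.cf as posted: the policy sits after permit_sasl_authenticated.
PHIL = {
    "smtpd_relay_restrictions": RELAY,
    "smtpd_recipient_restrictions": [
        "permit_mynetworks", "permit_sasl_authenticated", POLICY,
        "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
        "reject_unlisted_recipient", "permit"],
}
# Noel's suggestion: the policy by itself in smtpd_sender_restrictions.
PHIL_MOVED = {
    "smtpd_sender_restrictions": [POLICY],
    "smtpd_relay_restrictions": RELAY,
    "smtpd_recipient_restrictions": [
        "permit_mynetworks", "permit_sasl_authenticated",
        "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
        "reject_unlisted_recipient", "permit"],
}
# Jonas's list as posted, and the split Noel proposed for it.
JONAS = {"smtpd_recipient_restrictions": [
    "check_policy_service unix:private/policy", "permit_mynetworks",
    "permit_sasl_authenticated", "reject_unauth_destination", "reject"]}
JONAS_SPLIT = {
    "smtpd_recipient_restrictions": [
        "permit_mynetworks", "permit_sasl_authenticated", "reject"],
    "smtpd_data_restrictions": ["check_policy_service unix:private/policy"],
}

# Constructed clients: an authenticated remote user and an unknown relay attempt.
AUTHENTICATED = {"in_mynetworks": False, "sasl_username": "alice",
                 "rcpt_is_ours": False}
STRANGER = {"in_mynetworks": False, "sasl_username": "", "rcpt_is_ours": False}

if __name__ == "__main__":
    for name, cfg, who in [("PHIL", PHIL, AUTHENTICATED),
                           ("PHIL_MOVED", PHIL_MOVED, AUTHENTICATED),
                           ("JONAS", JONAS, STRANGER),
                           ("JONAS_SPLIT", JONAS_SPLIT, STRANGER),
                           ("JONAS_SPLIT", JONAS_SPLIT, AUTHENTICATED)]:
        print(name, run(cfg, who))
```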
Re: Problem with transport setup
On 06/10/2013 09:14 PM, Wietse Venema wrote:
> Patrick Lists:
>> Jun 10 20:19:11 test postfix/smtpd[13975]: NOQUEUE: reject: RCPT from localhost[::1]: 550 5.1.1 : Recipient address rejected: User unknown; from= to= proto=ESMTP helo=
>
> To fix the "User unknown" error see this document:
>
> http://www.postfix.org/ADDRESS_CLASS_README.html

Thank you for your feedback Wietse. The problem (to my untrained eye) is not the "User unknown" error. It's that after the forwarded email was submitted to the dspam-retrain transport and processed, postfix attempts to deliver it. I would expect it to stop once the forwarded email was handed off to the dspam-retrain transport and processed by the script. So I don't understand how fixing the "User unknown" issue would solve this problem. I just want the forwarded email to be processed by the dspam script and *not* be delivered afterwards. What did I miss?

Regards,
Patrick
Re: Problem with transport setup
On 10-06-13 21:30, Patrick Lists wrote:
> On 06/10/2013 09:14 PM, Wietse Venema wrote:
>> Patrick Lists:
>>> Jun 10 20:19:11 test postfix/smtpd[13975]: NOQUEUE: reject: RCPT from
>>> localhost[::1]: 550 5.1.1 : Recipient address
>>> rejected: User unknown; from= to=
>>> proto=ESMTP helo=
>>
>> To fix the "User unknown" error see this document:
>>
>> http://www.postfix.org/ADDRESS_CLASS_README.html
>
> Thank you for your feedback Wietse. The problem (to my untrained eye) is
> not the "User unknown" error. It's that after the forwarded email was
> submitted to the dspam-retrain transport and processed, postfix attempts
> to deliver it. I would expect it to stop once the forwarded email was
> handed off to the dspam-retrain transport and processed by the script.
> So I don't understand how fixing the "User unknown" issue would solve
> this problem. I just want the forwarded email to be processed by the
> dspam script and *not* be delivered afterwards. What did I miss?
>

The final delivery attempt is triggered by either the retrain script, or dspam (after accepting the message from the retrain script). Inherently, this is actually a dspam question and not a postfix one.

Normally, you'd tell dspam to not deliver the messages passed while retraining by adding '--deliver=' (i.e. deliver never) to the retrain command line. I'm missing support for that in the script (as available in the dspam git repo), but I'm not sure whether there is a valid reason for that, since I have no experience with the actual script.

Re-post your message to the dspam mailinglist, maybe someone else knows more.

Kind regards,
Tom
Re: Problem with transport setup
Patrick Lists:
> Jun 10 20:19:07 test postfix/smtpd[13975]: connect from localhost[::1]
> Jun 10 20:19:08 test postfix/cleanup[13958]: 12812BE6:
> message-id=<20130610181908.12812...@test.puzzled.xs4all.nl>
> Jun 10 20:19:08 test postfix/qmgr[13952]: 12812BE6:
> from=, size=317, nrcpt=1 (queue
> active)
> Jun 10 20:19:08 test postfix/pipe[13979]: 12812BE6:
> to=, relay=dspam-retrain, delay=0.07,
> delays=0.06/0.01/0/0, dsn=2.0.0, status=deliverable (delivers to
> command: /usr/bin/dspam-retrain-forward.pl)

That looks like a "sendmail -bv" or "reject_unverified_recipient" probe to find out if an address is deliverable.

Such probes do NOT deliver mail to /usr/bin/dspam-retrain-forward.pl.

Wietse
Re: Show username for "SASL LOGIN authentication failed:"?
Hi.

On 09.06.2013 18:12, Charles Marcus wrote:
> On 2013-06-09 10:34 AM, Zhang Huangbin wrote:
>> On Sunday, June 9, 2013 at 10:09 PM, Charles Marcus wrote:
>>> Dovecot uses login_log_format_elements to determine what it logs for
>>> login attempts... you'll find the variables it supports here:
>>>
>>> http://wiki2.dovecot.org/Variables?highlight=%28login_log_format_elements%29
>>>
>>>
>>> Mine (which logs the username) looks like:
>>>
>>> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport}
>>> mpid=%e %c session=<%{session}>
>
>> This works for IMAP/POP3/Managesieve services provided by Dovecot, and
>> logged in Dovecot log file, but it won't appear in Postfix/Dovecot
>> log files for
>> SMTP service.
>
> Hmmm... well, I definitely see the usernames on my system
> (postfix+dovecot) for both successful and unsuccessful logins...
>
> successful login:
>
> 2013-06-09T10:50:38-04:00 myhost postfix-587/smtpd[5807]: E9482B73AF4:
> client=client.example.com[192.168.1.110], sasl_method=PLAIN,
> sasl_username=myu...@example.com
>
> bad password:
>
> 2013-06-09T11:02:38-04:00 myhost postfix-587/smtpd[5903]: connect from
> myclient.example.com[###.###.###.###]
> 2013-06-09T11:02:38-04:00 myhost dovecot: auth-worker(5904):
> sql(validu...@example.com,###.###.###.###): Password mismatch
>
> invalid username:
>
> 2013-06-09T11:01:45-04:00 myhost postfix-587/smtpd[5903]: connect from
> myclient.example.com[###.###.###.###]
> 2013-06-09T11:01:50-04:00 myhost dovecot: auth-worker(5904):
> sql(invalidu...@example.com,###.###.###.###): unknown user
>
> So, it is possible...
>

I just enabled "login_log_format_elements" as:

login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport} service=%s mpid=%e %c session=<%{session}>

I get more info than usual (service, mpid, session) but still nothing for smtp.
Clearly, I'm missing something. Probably my dovecot/postfix combo is too old.
Re: Show username for "SASL LOGIN authentication failed:"?
On 2013-06-10 4:57 PM, Bogdan Enache wrote:
> Hi.
>
> On 09.06.2013 18:12, Charles Marcus wrote:
>> On 2013-06-09 10:34 AM, Zhang Huangbin wrote:
>>> On Sunday, June 9, 2013 at 10:09 PM, Charles Marcus wrote:
>>>> Dovecot uses login_log_format_elements to determine what it logs for login attempts... you'll find the variables it supports here:
>>>>
>>>> http://wiki2.dovecot.org/Variables?highlight=%28login_log_format_elements%29
>>>>
>>>> Mine (which logs the username) looks like:
>>>>
>>>> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport} mpid=%e %c session=<%{session}>
>>>
>>> This works for IMAP/POP3/Managesieve services provided by Dovecot, and logged in Dovecot log file, but it won't appear in Postfix/Dovecot log files for SMTP service.
>>
>> Hmmm... well, I definitely see the usernames on my system (postfix+dovecot) for both successful and unsuccessful logins...
>>
>> successful login:
>>
>> 2013-06-09T10:50:38-04:00 myhost postfix-587/smtpd[5807]: E9482B73AF4: client=client.example.com[192.168.1.110], sasl_method=PLAIN, sasl_username=myu...@example.com
>>
>> bad password:
>>
>> 2013-06-09T11:02:38-04:00 myhost postfix-587/smtpd[5903]: connect from myclient.example.com[###.###.###.###]
>> 2013-06-09T11:02:38-04:00 myhost dovecot: auth-worker(5904): sql(validu...@example.com,###.###.###.###): Password mismatch
>>
>> invalid username:
>>
>> 2013-06-09T11:01:45-04:00 myhost postfix-587/smtpd[5903]: connect from myclient.example.com[###.###.###.###]
>> 2013-06-09T11:01:50-04:00 myhost dovecot: auth-worker(5904): sql(invalidu...@example.com,###.###.###.###): unknown user
>>
>> So, it is possible...
>
> I just enabled "login_log_format_elements" as:
>
> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport} service=%s mpid=%e %c session=<%{session}>
>
> I get more info than usual (service, mpid, session) but still nothing for smtp.
> Clearly, I'm missing something. Probably my dovecot/postfix combo is too old.

How old?

Anyway, I just went back and looked, and I believe to get the username you also have to add:

protocol smtp {
  auth_verbose = yes
}

But mine is 2.1.16, soon to be 2.2...

--
Best regards, Charles
Re: Show username for "SASL LOGIN authentication failed:"?
On 2013-06-10 5:25 PM, Charles Marcus wrote:
> On 2013-06-10 4:57 PM, Bogdan Enache wrote:
>> Hi.
>>
>> On 09.06.2013 18:12, Charles Marcus wrote:
>>> On 2013-06-09 10:34 AM, Zhang Huangbin wrote:
>>>> On Sunday, June 9, 2013 at 10:09 PM, Charles Marcus wrote:
>>>>> Dovecot uses login_log_format_elements to determine what it logs for login attempts... you'll find the variables it supports here:
>>>>>
>>>>> http://wiki2.dovecot.org/Variables?highlight=%28login_log_format_elements%29
>>>>>
>>>>> Mine (which logs the username) looks like:
>>>>>
>>>>> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport} mpid=%e %c session=<%{session}>
>>>>
>>>> This works for IMAP/POP3/Managesieve services provided by Dovecot, and logged in Dovecot log file, but it won't appear in Postfix/Dovecot log files for SMTP service.
>>>
>>> Hmmm... well, I definitely see the usernames on my system (postfix+dovecot) for both successful and unsuccessful logins...
>>>
>>> successful login:
>>>
>>> 2013-06-09T10:50:38-04:00 myhost postfix-587/smtpd[5807]: E9482B73AF4: client=client.example.com[192.168.1.110], sasl_method=PLAIN, sasl_username=myu...@example.com
>>>
>>> bad password:
>>>
>>> 2013-06-09T11:02:38-04:00 myhost postfix-587/smtpd[5903]: connect from myclient.example.com[###.###.###.###]
>>> 2013-06-09T11:02:38-04:00 myhost dovecot: auth-worker(5904): sql(validu...@example.com,###.###.###.###): Password mismatch
>>>
>>> invalid username:
>>>
>>> 2013-06-09T11:01:45-04:00 myhost postfix-587/smtpd[5903]: connect from myclient.example.com[###.###.###.###]
>>> 2013-06-09T11:01:50-04:00 myhost dovecot: auth-worker(5904): sql(invalidu...@example.com,###.###.###.###): unknown user
>>>
>>> So, it is possible...
>>
>> I just enabled "login_log_format_elements" as:
>>
>> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport} service=%s mpid=%e %c session=<%{session}>
>>
>> I get more info than usual (service, mpid, session) but still nothing for smtp.
>> Clearly, I'm missing something. Probably my dovecot/postfix combo is too old.
>
> How old?
>
> Anyway, I just went back and looked, and I believe to get the username you also have to add:
>
> protocol smtp {
>   auth_verbose = yes
> }
>
> But mine is 2.1.16, soon to be 2.2...

sorry - that needs to be added to your dovecot config, not postfix... ;)

--
Best regards, Charles
Re: Problem with transport setup
On 06/10/2013 09:46 PM, Wietse Venema wrote:
> Patrick Lists:
>> Jun 10 20:19:07 test postfix/smtpd[13975]: connect from localhost[::1]
>> Jun 10 20:19:08 test postfix/cleanup[13958]: 12812BE6: message-id=<20130610181908.12812...@test.puzzled.xs4all.nl>
>> Jun 10 20:19:08 test postfix/qmgr[13952]: 12812BE6: from=, size=317, nrcpt=1 (queue active)
>> Jun 10 20:19:08 test postfix/pipe[13979]: 12812BE6: to=, relay=dspam-retrain, delay=0.07, delays=0.06/0.01/0/0, dsn=2.0.0, status=deliverable (delivers to command: /usr/bin/dspam-retrain-forward.pl)
>
> That looks like a "sendmail -bv" or "reject_unverified_recipient" probe to find out if an address is deliverable.
>
> Such probes do NOT deliver mail to /usr/bin/dspam-retrain-forward.pl.

Thanks, I understand now.

Regards,
Patrick
Re: Postscreen and policies
- Original Message -
From: "Noel Jones"
To: postfix-users@postfix.org
Sent: Monday, 10 June, 2013 8:19:57 PM
Subject: Re: Postscreen and policies

On 6/10/2013 1:49 PM, Phil Daws wrote:
> Hello,
>
> Postscreen (Postfix 2.10) is working very well indeed but I am having an
> issue with understanding where a policy check should be implemented. main.cf
> looks like:
>
> smtpd_relay_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_policy_service inet:127.0.0.1:10031,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unlisted_recipient,
> permit
> postscreen_cache_map = memcache:/etc/postfix/postscreen/memcache.cf
> postscreen_greet_action = enforce
> postscreen_dnsbl_sites =
> sip.invaluement.local,sip24.invaluement.local,zen.spamhaus.org,bl.spamcop.net,bl.mailspike.net
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_action = enforce
> postscreen_access_list =
> permit_mynetworks,cidr:/etc/postfix/postscreen/access.cidr
>
> and in master.cf I have:
>
> smtp inet n - n - 1 postscreen
> smtpd pass - - n - - smtpd
> tlsproxy unix - - n - 0 tlsproxy
> dnsblog unix - - n - 0 dnsblog
>
> Yet when I SASL authenticate the policy service does not appear to be
> triggered; as I am trying to limit number of emails sent by SASL username.

You've put check_policy_service AFTER permit_sasl_authenticated. First match wins, so the policy never gets called for authenticated clients.

Depending on your needs, you can put your check_policy_service in smtpd_data_restrictions or smtpd_sender_restrictions by itself.

smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10031

It's also common for there to be overrides for the submission service in master.cf that change the options you've set in main.cf.

>
> I thought that if the Postscreen checks were successfully passed then the
> connection would then flow through to a SMTP (smtpd) server process. Is that
> correct ? Should I move the smtpd_recipient_restrictions into master.cf ?

Hopefully SASL and postscreen have no interaction -- postscreen should be configured for only port 25, and SASL should only be on submission.

Using postscreen + SASL on port 25 is guaranteed to cause headaches -- users may be rejected by postscreen before they ever get a chance to authenticate. If you must offer SASL on port 25, don't use postscreen.

-- Noel Jones

>
> A little baffled at the moment.
>
> Thank you.
>
> Phil
>

Hmmm, I increased the Postfix debugging and switched it on for my client IP, and to my surprise when the connection is made to the content filter the SASL details are not being sent:

Jun 10 17:45:59 mx2 postfix/smtpd[7996]: auto_clnt_open: connected to 127.0.0.1:10031
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr request = smtpd_access_policy
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr protocol_state = RCPT
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr protocol_name = ESMTP
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr client_address = my IP
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr client_name = rDNS
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr reverse_client_name = rDMS
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr helo_name = uxbod-laptop
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr sender = srcmail@somedomain
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr recipient = destmail@somedomain
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr recipient_count = 0
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr queue_id =
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr instance = 1f3c.51b64917.8d5e2.0
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr size = 0
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr etrn_domain =
Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr stress =

I was expecting to see in the attributes:

sasl_method = LOGIN
sasl_username =
sasl_sender =

which is probably why it's not working. Has something changed as we recently upgraded to 2.10 from 2.6.6.

Thanks.
Re: Problem with transport setup
On 06/10/2013 09:38 PM, Tom Hendrikx wrote:
> Normally, you'd tell dspam to not deliver the messages passed while retraining by adding '--deliver=' (i.e. deliver never) to the retrain command line. I'm missing support for that in the script (as available in the dspam git repo), but I'm not sure whether there is a valid reason for that, since I have no experience with the actual script.
>
> Re-post your message to the dspam mailinglist, maybe someone else knows more.

Thanks for the suggestion Tom. I'll post to the dspam mailing list.

Regards,
Patrick
Re: Postscreen and policies
On 6/10/2013 4:49 PM, Phil Daws wrote:
>>
>
> Hmmm, I increased the Postfix debugging and switched it on for my client IP,
> and to my surprise when the connection is made to the content filter the SASL
> details are not being sent:
>
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: auto_clnt_open: connected to
> 127.0.0.1:10031
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr request =
> smtpd_access_policy
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr protocol_state = RCPT
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr protocol_name = ESMTP
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr client_address = my IP
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr client_name = rDNS
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr reverse_client_name = rDMS
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr helo_name = uxbod-laptop
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr sender = srcmail@somedomain
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr recipient =
> destmail@somedomain
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr recipient_count = 0
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr queue_id =
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr instance =
> 1f3c.51b64917.8d5e2.0
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr size = 0
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr etrn_domain =
> Jun 10 17:45:59 mx2 postfix/smtpd[7996]: send attr stress =
>
> I was expecting to see in the attributes:
>
> sasl_method = LOGIN
> sasl_username =
> sasl_sender =
>
> which is probably why its not working. Has something changed as we recently
> upgraded to 2.10 from 2.6.6.

Seems to work here. Did the client really authenticate?

-- Noel Jones
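The policy attribute exchange debated in this thread, as an added example that is not from any of the posts or from Postfix itself: a Python parser for the name=value request smtpd sends to a check_policy_service, and a per-sasl_username limiter that answers DUNNO when the client did not authenticate and counts each message once through its instance attribute. The class name, the limits and the sample requests are constructed for the example.

```python
# Added example: parse a Postfix policy delegation request and limit the
# number of messages per sasl_username. Names and limits are constructed.

DUNNO = "action=DUNNO\n\n"

def parse_request(raw):
    """Turn 'name=value' lines, terminated by an empty line, into a dict."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break  # the empty line ends the request
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed attribute line: %r" % line)
        attrs[name] = value  # values may be empty or contain '='
    return attrs

def make_request(instance, sasl_username=None):
    """Build a constructed request; sasl_* lines are omitted when None."""
    lines = ["request=smtpd_access_policy", "protocol_state=RCPT",
             "protocol_name=ESMTP", "helo_name=uxbod-laptop",
             "sender=srcmail@example.com", "recipient=destmail@example.com",
             "instance=" + instance]
    if sasl_username is not None:
        lines += ["sasl_method=LOGIN", "sasl_username=" + sasl_username]
    return "\n".join(lines) + "\n\n"

class SaslRateLimiter:
    """Allow at most max_messages per user within window_seconds."""

    def __init__(self, max_messages, window_seconds):
        self.max_messages = max_messages
        self.window_seconds = window_seconds
        self.seen = {}  # sasl_username -> {instance: time first counted}

    def decide(self, attrs, now):
        """Return the complete reply for one parsed request."""
        user = attrs.get("sasl_username", "")
        if attrs.get("request") != "smtpd_access_policy" or not user:
            # No SASL identity in the request (missing or empty attribute):
            # nothing to count, leave the decision to later restrictions.
            return DUNNO
        instances = self.seen.setdefault(user, {})
        expired = [i for i, t in instances.items()
                   if now - t >= self.window_seconds]
        for i in expired:
            del instances[i]
        instance = attrs.get("instance", "")
        if instance in instances:
            return DUNNO  # further RCPT of a message that was already counted
        if len(instances) >= self.max_messages:
            return "action=DEFER_IF_PERMIT Sending limit reached for %s\n\n" % user
        instances[instance] = now
        return DUNNO

if __name__ == "__main__":
    limiter = SaslRateLimiter(max_messages=2, window_seconds=60)
    for t, raw in enumerate([make_request("a.1"), make_request("b.1", "alice"),
                             make_request("b.2", "alice"),
                             make_request("b.3", "alice")]):
        print(repr(limiter.decide(parse_request(raw), now=t)))
```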