Re: Messages still in queue even after 5xx reply

2013-11-21 Thread tejas sarade
Please check the parameter soft_bounce in main.cf.
If it is set to yes then it will disable the locally generated bounce
messages.




On Sat, Nov 16, 2013 at 3:51 PM, Erik Grøtnes  wrote:

> Hi.
>
> In my postfix queue I can see messages with return code 5xx which are
> still in queue for delivery.
>
> I find this strange, as RFC 2821 states that codes starting with 5xx
> are a permanent failure, and “The SMTP client is discouraged from repeating
> the exact request”.
>
> Is this default behavior, or is this something I have done in my config by
> mistake?
>
> An example from the mailq:
>
> 653001005C5 1832 Sat Nov 16 09:17:26  ikkes...@netthandelen.no
> (host mta5.am0.yahoodns.net[98.138.112.32] said: 554 delivery error: dd
> This user doesn't have a yahoo.com account (qaram...@yahoo.com) [-5] -
> mta1500.mail.ne1.yahoo.com (in reply to end of DATA command))
>  qaram...@yahoo.com
>
> and this one:
>
> 624BC100599 1974 Sat Nov 16 00:01:31  anonym...@dist.kundeportal.no
> (host spam.bitpro.no[92.42.64.205] said: 550 5.1.1 :
> Recipient address rejected: undeliverable address: host
> mail.bitpro.no[92.42.65.67]
> said: 550 5.1.1 User unknown (in reply to RCPT TO command) (in reply to
> RCPT TO command))
>  postmas...@fiko.no
>
> Why is postfix still trying to deliver these messages? Can this behavior
> be changed by configuration?
>
> -Erik-
>
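
The soft_bounce hint explains the symptom: with soft_bounce = yes a bounce becomes a defer, so the remote 5xx is recorded as the deferral reason while the message stays in the queue. As an added example that is not part of the thread, the script below parses mailq output and lists the entries whose last remote reply was a 5xx; that list is what to compare against the output of "postconf soft_bounce". The queue listing is constructed with example.* names in the same layout as the one quoted above.

```python
import re

# Constructed mailq output in the layout of the listing quoted above;
# hosts and addresses are example.* names, not the original ones.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
653001005C5     1832 Sat Nov 16 09:17:26  news@example.net
(host mx.example.org[192.0.2.10] said: 554 delivery error: This user doesn't have an account (nobody@example.org) (in reply to end of DATA command))
                                         nobody@example.org

624BC100599     1974 Sat Nov 16 00:01:31  list@example.net
(host mx.example.com[192.0.2.20] said: 550 5.1.1 <gone@example.com>: Recipient address rejected: User unknown (in reply to RCPT TO command))
                                         gone@example.com

7A1F2100601*    2210 Sat Nov 16 10:05:12  news@example.net
(host mx.example.edu[192.0.2.30] said: 450 4.2.0 Greylisted, try again later (in reply to RCPT TO command))
                                         alice@example.edu

-- 5 Kbytes in 3 Requests.
"""

# queue id, optional flag (* active, ! hold), size, arrival time, sender
ENTRY_RE = re.compile(
    r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(\S+)\s*$")
# first SMTP reply code quoted in the deferral reason
CODE_RE = re.compile(r"\bsaid: (\d{3})\b")


def parse_mailq(text):
    """Return one dict per queue entry: queue_id, status, size, arrival,
    sender, reason, code (3-digit string or None) and recipients."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):      # blank, header, summary
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = {"queue_id": m.group(1), "status": m.group(2),
                   "size": int(m.group(3)), "arrival": m.group(4),
                   "sender": m.group(5), "reason": None, "code": None,
                   "recipients": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("(") and line.endswith(")"):
            cur["reason"] = line[1:-1]
            c = CODE_RE.search(cur["reason"])
            cur["code"] = c.group(1) if c else None
        else:
            cur["recipients"].append(line)
    return entries


def stuck_permanent(entries):
    """Entries the remote side answered with a 5xx reply. Without
    soft_bounce = yes these would have bounced instead of staying queued."""
    return [e for e in entries if e["code"] and e["code"].startswith("5")]


if __name__ == "__main__":
    queue = parse_mailq(SAMPLE_MAILQ)
    for e in stuck_permanent(queue):
        print(f'{e["queue_id"]} {e["code"]} {", ".join(e["recipients"])}')
    print("if anything was listed, check: postconf soft_bounce")
```

Run it against "mailq" or "postqueue -p" output instead of the sample; an empty list with soft_bounce = no is the normal state, while a non-empty list with soft_bounce = yes is exactly the situation Erik describes.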


Multiple machines sharing postscreen cache & cleanup?

2013-11-21 Thread hodor
Hello,

I've got 3 machines running postfix 2.11-20131001. Incoming connections are
balanced via haproxy (and postscreen_upstream_proxy_protocol=haproxy). Right
now each postfix instance has its own postscreen_cache_map. Everything works
fine.

I thought I could share the cache among all nodes using memcache with
postscreen_cache_cleanup_interval left to default and with the persistent btree
backup specified.

Something like:

# main.cf
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache.cf

# postscreen_cache.cf
memcache = inet:10.11.12.13:11211
key_format = postscreen:%s
backup = btree:/var/lib/postfix/postscreen_cache
ttl = 86400


The idea is that each postscreen would attempt to clean the addresses it
iterates from the respective persistent backup (and remove it from both btree
and memcache). In case of crashed / dead node the memcache TTL would take care
of any leftovers. 

Would something like this work? And would the postscreen cache logic remain
intact?

I have read [1] and [2], but I didn't see either of them mention or forbid such
a setup. Did I overlook something?

BTW, in case of non-persistent memcache ([1], section "Sharing the temporary
whitelist", example 1). How does postscreen behave when the memcached becomes
inaccessible (crash, network problem, ...)? Is the practical outcome as with
empty postscreen_cache_map (plus timeout / error logged)?

[1] http://www.postfix.org/POSTSCREEN_README.html
[2] http://www.postfix.org/memcache_table.5.html


Thanks,

-- 
hodor


Re: How to configure fixed nexthop destination for smtp in master.cf

2013-11-21 Thread Michael Storz

Am 2013-11-21 17:39, schrieb Viktor Dukhovni:

> On Thu, Nov 21, 2013 at 04:42:10PM +0100, Michael Storz wrote:
>
> > I am trying to configure a fixed destination for a smtp transport in
> > master.cf instead of configuring the destination in a transport_map.
>
> There's your mistake.  Set the nexthop for the transport in the
> transport table.  There is no master.cf (i.e. smtp(8) command-line)
> option to set the nexthop destination.

Well, it is not a mistake, it was the question whether this is possible,
and from your answer I see it is not :-(

Therefore I need a separate transport file for every instance with the
same domains but different nexthops because variables are not supported
in hash files. I had the hope to be able to use just one file and
specify the nexthop in master.cf.

Thanks.

Michael



Re: can someone explain this SPF fail to me

2013-11-21 Thread Scott Kitterman


Kris Deugau  wrote:
>jeffrey j donovan wrote:
>> Greetings,
>> 
>> Can someone explain this error to me, I have never seen this one
>before. I tested my spf records and they seem fine. 
>> 
>>  : host mail.ncem-pa.org[204.186.202.37] said: 554
>> 5.7.1 : Recipient address rejected: Failed SPF
>> check; beth.k12.pa.us, Redundant applicable 'v=spf1' sender
>> policies found (in reply to RCPT TO command)
>> Reporting-MTA: dns; smtp5.beth.k12.pa.us
>> 
>> in this , it looks like the user recipient address is incorrect or
>something along those lines.
>> I do have two spf records, one for my relays and one for google.
>
>I'm not completely clear on what you mean by "one for my relays and one
>for google", but you have two SPF records published publicly.  Don't Do
>That.  (I don't think it's strictly a violation of the spec, but
>clearly
>the recipient is being picky.)

It is an error. The recipient is choosing to reject based on an error condition 
that is specified in RFC 4408 (and still in the not quite released 4408bis).

Scott K


Re: How to configure fixed nexthop destination for smtp in master.cf

2013-11-21 Thread Viktor Dukhovni
On Thu, Nov 21, 2013 at 06:00:04PM +0100, Michael Storz wrote:

> >There's your mistake.  Set the nexthop for the transport in the
> >transport table.  There is no master.cf (i.e. smtp(8) command-line)
> >option to set the nexthop destination.
> 
> Well, it is not a mistake, it was the question, if this is possible
> and from your answer I see it is not :-(
> 
> Therefore I need a separate transport file for every instance with
> the same domains but different nexthops because variables are not
> supported in hash files. I had the hope to be able to use just one
> file and specify the nexthop in master.cf.

A Makefile will do the job nicely.  Create a source file with just
the rerouted domains.  Run make(1) to build a custom transport
table for each instance.  You'll end up with multiple transport
tables, but you'll only explicitly edit a single input file.

There are tricks you could perhaps play with the LOCALDOMAIN
environment variable, unqualified nexthops and smtp_host_lookup=native,
but those are far uglier, and may not work.

-- 
Viktor.
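
Viktor's "one input file, one generated table per instance" workflow, as an added Python example that is not part of the thread (a Makefile rule can wrap it). The transport name foosmtp matches his master.cf example; the instance names, relay hosts and domain list are assumptions.

```python
import re

# Constructed shared source file: the domains that every instance reroutes.
# A leading dot matches subdomains, as in transport(5).
SOURCE = """\
# domains rerouted through the per-instance relay, one per line
example.com
.example.com
example.org
EXAMPLE.ORG
"""
# Hypothetical instances: same transport name, different nexthop each.
INSTANCES = {
    "postfix-a": ("foosmtp", "relay-a.example.net:2525"),
    "postfix-b": ("foosmtp", "relay-b.example.net:2525"),
}

DOMAIN_RE = re.compile(r"^\.?(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$", re.I)


def bracket(nexthop):
    """Wrap the host in [] so smtp(8) connects to it directly instead of
    looking up MX records; keep an optional :port. IPv6 nexthops must be
    given already bracketed."""
    if nexthop.startswith("["):
        return nexthop
    host, _, port = nexthop.partition(":")
    return f"[{host}]" + (f":{port}" if port else "")


def build_transport(source_text, transport, nexthop):
    """Render transport(5) lines 'domain<TAB>transport:[nexthop]' from the
    shared list, rejecting junk lines and collapsing duplicates."""
    lines, seen = [], set()
    for raw in source_text.splitlines():
        d = raw.split("#", 1)[0].strip()          # allow comments
        if not d:
            continue
        if not DOMAIN_RE.match(d):
            raise ValueError(f"not a domain pattern: {d!r}")
        if d.lower() in seen:
            continue
        seen.add(d.lower())
        lines.append(f"{d}\t{transport}:{bracket(nexthop)}")
    return lines


def render_instances(source_text, instances):
    """{instance: (transport, nexthop)} -> {instance: transport file text}"""
    return {name: "\n".join(build_transport(source_text, t, n)) + "\n"
            for name, (t, n) in instances.items()}


if __name__ == "__main__":
    for name, text in render_instances(SOURCE, INSTANCES).items():
        print(f"# {name}/transport")
        print(text)
```

Write each rendered text to that instance's config_directory as "transport", run postmap there, and point the instance's transport_maps at it as in Viktor's main.cf fragment. Only the shared source file is ever edited by hand.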


TCP Table and Unix Sockets

2013-11-21 Thread Jason Woods
Hi,

I'm wanting to get some unix socket support on my mail server for the same 
protocol used by the TCP table. I can see patches for this were submitted 
before but had some issues with usability and namespace:
http://comments.gmane.org/gmane.mail.postfix.user/222895

Has any thought been put into this? I'm guessing there may not be much demand
for it, so maybe not, but I want to check.

I'm just thinking if, namespace wise, it could use "socket". Then it could be:
socket:inet:host:port
socket:unix:pathname
socket:host:port

The last format could be allowed (and quite easily detected) so use of 
dict_tcp_open can simply be replaced with dict_socket_open, reducing code 
(tcp:host:port => socket:host:port). If absolute pathnames (start with /) are 
enforced, there would never be a conflict with this. Of course if relative 
pathnames are allowed there would be a possible conflict if somebody had a 
hostname of "unix" but I believe enforcing absolute pathnames would be safer 
and rule this out.

This would be 100% in line with "socketmap" and "lmtp" I believe. So usability-wise
it would be very familiar, and if "socket" is not the best keyword, we could
use something else.

I can also see in socketmap there is use of auto_cln.h which maintains 
connections, reuses them, and re-establishes them, and already supports both 
tcp and unix sockets. Without having looked into them too deeply it looks like 
these could be utilised for the tcp table and unix socket table too? It looks 
like it could be possible to just clone the dict_socketmap_open and just 
replace the protocol areas. This would potentially mean we're not changing the
amount of code since we'd be removing dict_tcp.[ch] and adding a potentially
same-size dict_socket.[ch].

I am really keen on helping to implement this and feedback on the above 
thoughts and ideas would be greatly appreciated. It would definitely offer a 
more secure way to do simple lookups such as the current tcp implementation 
provides.

Thanks!

Jason

Re: TLS timeout

2013-11-21 Thread bitozoid
On Wed, Nov 20, 2013 at 1:13 PM, li...@rhsoft.net  wrote:
> Am 20.11.2013 13:55, schrieb bitozoid:
>> On Tue, Nov 19, 2013 at 1:32 PM, Brian Evans  wrote:
>>> The smtp client process does not have support for the deprecated smtps
>>> protocol (465) you are trying to use.
>>
>> I have another instance of postfix working against other smarthost
>> (Exchange in this case) via port 465, and it seems not to be a problem
>> at all
>
> you do not - not with a public relay - period

You are right. There is an MSA running on port 465 instead of 587.

Thanks


Re: TCP Table and Unix Sockets

2013-11-21 Thread Jason Woods
> Why not use socketmaps? These already support "inet" and "unix"
> domain sockets, and they use (length, value) netstrings which require
> no encoding of special characters. There are netstring implementations
> for many languages, so availability should not be a problem.


Thanks. I'll definitely explore that approach... I hadn't realised the protocol 
for socketmap was so simple!

> tcp_table(5) is not really something that I am proud of.

I can appreciate your thoughts on TCP now I've looked more closely at the 
netstrings. Much better method, and even if there isn't an implementation it's 
so simple you could write it in 15 minutes haha.

> The following is from Postfix internal documentation. Unfortunately I did
> not find time to make this available as a socketmap_table(5) manpage.


No problem! That's where the mailing list helps I guess ^^

Thanks!

Jason

Re: Signing with OpenDKIM doesn't work when the content-type is multipart

2013-11-21 Thread Viktor Dukhovni
On Thu, Nov 21, 2013 at 09:07:44AM -0500, Wietse Venema wrote:

> > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=devisubox.com; s=mail;
> >   t=1385028965; bh=75o/sAM/Vtv41UrIwg0b4q1zZtrst1XwSPtjrKyZij0=;
> >   h=To:Subject:From:Reply-To:Content-Type:Content-Transfer-Encoding:
> >Message-Id:Date;
> 
> This email contains Content-Type: and Content-Transfer-Encoding:
> without MIME-Version: header.  That is the result of buggy software.

Furthermore, "simple" canonicalization is too fragile, use "relaxed"
at least for the headers.  I would add "Cc" and "Content-Disposition"
and all the above to the list of headers signed even when absent (thus
detecting downstream insertion as a DKIM signature failure).

-- 
Viktor.
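
Viktor's two points, as an added Python model that is not part of the thread and is not a DKIM implementation: it reproduces only the header canonicalization of RFC 6376 section 3.4 and the bottom-up header selection of section 5.4.2 (no body hash, no DKIM-Signature field in the hash input, no keys). The header block is constructed; it shows why c=simple fails when a header is re-folded and how listing absent headers in h= turns a later insertion into a verification failure.

```python
import hashlib
import re

# Constructed header block, (name, raw value) in message order. Long values
# are folded with CRLF + WSP the way a MUA would fold them.
ORIGINAL = [
    ("To", " alice@example.com"),
    ("Subject", " Photo chantier - binomic ( cbaralotto )"),
    ("From", " Devisubox Photos <photos@example.com>"),
    ("Content-Type", ' multipart/related;\r\n boundary="=_2664b299b06652137daf3e016e5ee890"'),
    ("Message-ID", " <20131121102138.2448C64E621F@example.com>"),
]


def simple_header(name, value):
    """c=simple: the header field enters the hash exactly as received."""
    return f"{name}:{value}\r\n"


def relaxed_header(name, value):
    """c=relaxed: lowercase the name, unfold, squeeze WSP runs to one SP,
    drop WSP at the end of the value and around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h_list):
    """For each name in h=, take the last not-yet-used instance, scanning
    from the bottom of the header block. A name with no instance left
    contributes nothing, which is what makes over-signing work."""
    remaining = list(headers)
    chosen = []
    for want in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == want.lower():
                chosen.append(remaining.pop(i))
                break
    return chosen


def header_hash(headers, h_list, canon):
    fmt = relaxed_header if canon == "relaxed" else simple_header
    data = "".join(fmt(n, v) for n, v in select_headers(headers, h_list))
    return hashlib.sha256(data.encode()).hexdigest()


def replace_value(headers, name, value):
    return [(n, value if n.lower() == name.lower() else v) for n, v in headers]


H = ["To", "Subject", "From", "Content-Type", "Message-ID"]
# Same names plus headers that are absent now but could be added on the way.
H_OVERSIGNED = H + ["Cc", "Content-Disposition", "Content-Transfer-Encoding"]

# Scenario 1: an MTA on the path re-folds the Subject line.
REFOLDED = replace_value(ORIGINAL, "Subject", " Photo chantier - binomic\r\n ( cbaralotto )")
# Scenario 2: a Cc header is prepended after signing.
WITH_CC = [("Cc", " mallory@example.org")] + ORIGINAL


def survives(before, after, h_list, canon):
    """True when the signed header hash is unchanged by the modification."""
    return header_hash(before, h_list, canon) == header_hash(after, h_list, canon)


if __name__ == "__main__":
    print("refold, simple          :", survives(ORIGINAL, REFOLDED, H, "simple"))            # False
    print("refold, relaxed         :", survives(ORIGINAL, REFOLDED, H, "relaxed"))           # True
    print("Cc added, plain h=      :", survives(ORIGINAL, WITH_CC, H, "relaxed"))            # True: unnoticed
    print("Cc added, over-signed h=:", survives(ORIGINAL, WITH_CC, H_OVERSIGNED, "relaxed")) # False: detected
```

In OpenDKIM terms the two settings are Canonicalization relaxed/simple (or relaxed/relaxed) and an OversignHeaders list; the model above is only there to show what each one buys.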


can someone explain this SPF fail to me

2013-11-21 Thread jeffrey j donovan
Greetings,

Can someone explain this error to me, I have never seen this one before. I 
tested my spf records and they seem fine. 

>> : host mail.ncem-pa.org[204.186.202.37] said: 554
>>5.7.1 : Recipient address rejected: Failed SPF
>>check; beth.k12.pa.us, Redundant applicable 'v=spf1' sender policies found
>>(in reply to RCPT TO command)
>> Reporting-MTA: dns; smtp5.beth.k12.pa.us

in this , it looks like the user recipient address is incorrect or something 
along those lines.
I do have two spf records, one for my relays and one for google.  The remote 
user has none.

any insight would be helpful.
thanks
-j



Re: virtual domains and aliases

2013-11-21 Thread Pol Hallen
Thanks! Very cool!

Pol

> On Tue, Nov 19, 2013 at 05:33:30PM -0500, Wietse Venema wrote:
>
>> --8<-snip-here--8<--
>> #!/bin/sh
>>
>> case $# in
>> 0) echo usage: $0 example.com ... 1>&2; exit 1;;
>> esac
>>
>> VIRTUAL_MAP=/etc/postfix/virtual
>> VIRTUAL_DOMAINS=/etc/postfix/virtual_domains
>>
>> for domainname
>> do
>>  echo postmaster@domainname root
>>  echo abuse@domainname root
>> done >> $VIRTUAL_MAP
>> postmap $VIRTUAL_MAP
>>
>> echo domainname >>$VIRTUAL_DOMAINS
>> postmap $VIRTUAL_DOMAINS
>> --8<-snip-here--8<--
>
> Replacing domainname with "${domainname}" as required:
>
> --8<-snip-here--8<--
> #!/bin/sh
>
> case $# in
> 0) echo usage: $0 example.com ... 1>&2; exit 1;;
> esac
>
> VIRTUAL_MAP=/etc/postfix/virtual
> VIRTUAL_DOMAINS=/etc/postfix/virtual_domains
>
> for domainname
> do
>   echo "postmaster@${domainname}" root
>   echo "abuse@${domainname}" root
> done >> $VIRTUAL_MAP
> postmap $VIRTUAL_MAP
>
> # record every domain given on the command line, not just the last one
> for domainname
> do
>   echo "${domainname}"
> done >>$VIRTUAL_DOMAINS
> postmap $VIRTUAL_DOMAINS
> --8<-snip-here--8<--
>
> Run this once for each new domain.  A more sophisticated approach
> is to use a Makefile, with a list of domains in a separate file,
> and the virtual table constructed from this and other files that
> contain ad-hoc mappings.
>
> --
>   Viktor.
>




Re: Signing with OpenDKIM doesn't work when the content-type is multipart

2013-11-21 Thread Wietse Venema
Jean-Christophe Begue:
> Hello,
> 
> I'm running postfix 2.7.0 and OpenDKIM Filter v2.0.2 on Ubuntu 10.04.4 LTS.

The critical component that you fail to mention is the program that
generates the email. And that program is the most likely source of
the problem.

> I suspect that i'm missing something that postfix does to my email after it
> has been signed, thus invalidating the signature.

I suspect that you are sending improperly-formatted email. 

With improperly-formatted mail there is no guarantee that any MTA,
Postfix or otherwise, will preserve DKIM signatures.

Examples of mistakes (there can be other mistakes than these):

- Lines > 990 characters. The Postfix SMTP client will fold such
  lines (insert <CR><LF>) to avoid violating SMTP standards.
  This means that mail is changed after it is DKIM signed.

- Lines with extra <CR> characters. Some buggy (PHP-based) mail
  apps send a mess with some lines ending in <CR><LF> and other lines
  in <LF>.  The Postfix 2.9 sendmail command cleans up this
  mess. Older Postfix versions will send mail that violates SMTP.
  You can avoid this with "message_strip_characters = \r" in main.cf.

- Non-ASCII text in 7-bit Content-Transfer-Encoding. Postfix does not
  care but it will send mail that violates SMTP and other software
  may care about such things.

> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=devisubox.com; s=mail;
>   t=1385028965; bh=75o/sAM/Vtv41UrIwg0b4q1zZtrst1XwSPtjrKyZij0=;
>   h=To:Subject:From:Reply-To:Content-Type:Content-Transfer-Encoding:
>Message-Id:Date;

This email contains Content-Type: and Content-Transfer-Encoding:
without MIME-Version: header.  That is the result of buggy software.

Wietse


Re: can someone explain this SPF fail to me

2013-11-21 Thread Wietse Venema
jeffrey j donovan:
> Greetings,
> 
> Can someone explain this error to me, I have never seen this one before. I 
> tested my spf records and they seem fine. 
> 
> >> : host mail.ncem-pa.org[204.186.202.37] said: 554
> >>5.7.1 : Recipient address rejected: Failed SPF
> >>check; beth.k12.pa.us, Redundant applicable 'v=spf1' sender policies 
> >> found
> >>(in reply to RCPT TO command)
> >> Reporting-MTA: dns; smtp5.beth.k12.pa.us
> 
> in this , it looks like the user recipient address is incorrect or something 
> along those lines.
> I do have two spf records, one for my relays and one for google.  The remote 
> user has none.

You have two TXT/SPF records.

Wietse


Signing with OpenDKIM doesn't work when the content-type is multipart

2013-11-21 Thread Jean-Christophe Begue
Hello,

I'm running postfix 2.7.0 and OpenDKIM Filter v2.0.2 on Ubuntu 10.04.4 LTS.

I managed to get DKIM signature working, but I still have a problem with
multipart Content-Type. When it is so, I get dkim=neutral (bad format)
header.i=@devisubox.com as authentication result.

I suspect that I'm missing something that postfix does to my email after it
has been signed, thus invalidating the signature.

Here is an example of what I get when the signature is invalid:

[... message header ...]
Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of www-d...@devisubox.com
designates 88.190.26.21 as permitted sender)
smtp.mail=www-d...@devisubox.com;
   dkim=neutral (bad format) header.i=@devisubox.com
Received: by devisubox.com (Postfix, from userid 33)
id 2448C64E621F; Thu, 21 Nov 2013 11:21:38 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=devisubox.com; s=mail;
t=1385029298; bh=ATpHt+VUEoQCTgXX7I94lQqflcgT7sgxti12mBUDEtk=;
h=To:Subject:MIME-Version:From:Content-Type:Message-ID:Date;
b=TY1Ta6BY/GpzF8cP2DnRdNgsHLLm1HXIC6/+JsXaJ5HBZwp8uoW2HfEwyPOJHrf4W
 nSbuKvMYRMwwSAFz6jdRV+DWhwBtUICVejP3LGhCfBqDB3Ezusug+HdFpC8fajS5LY
 ccp+JO55DSWBkBqOvh0SEM4iUJKSGZytzLUzD+Mg=
To: salutcop...@gmail.com
Subject: Photo chantier - binomic ( cbaralotto )
X-PHP-Originating-Script: 33:htmlMimeMail5.php
MIME-Version: 1.0
X-Mailer: htmlMimeMail5 
From: Devisubox Photos 
Content-Type: multipart/related;
boundary="=_2664b299b06652137daf3e016e5ee890"
Message-ID: 
Date: Thu, 21 Nov 2013 11:21:38 +0100 (CET)

--=_2664b299b06652137daf3e016e5ee890
Content-Type: multipart/alternative;
boundary="=_2c5b7d49393071bc293500a67b88e633"

--=_2c5b7d49393071bc293500a67b88e633
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

[... message content ...]


And what I get when the signature is valid:


[... message header ...]

Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of www-d...@devisubox.com
designates 88.190.26.21 as permitted sender)
smtp.mail=www-d...@devisubox.com;
   dkim=pass (test mode) header.i=@devisubox.com
Received: by devisubox.com (Postfix, from userid 33)
id 496C964E621F; Thu, 21 Nov 2013 11:16:05 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=devisubox.com; s=mail;
t=1385028965; bh=75o/sAM/Vtv41UrIwg0b4q1zZtrst1XwSPtjrKyZij0=;
h=To:Subject:From:Reply-To:Content-Type:Content-Transfer-Encoding:
 Message-Id:Date;
b=RdHIj/TNeotb5TwnX57hP207bf2MXjNppsg+WJ0Qze6X7ctV/3gVJuoT++PuSkqBt
 iyf7AOxDWWTqXDSdX7LTFD6FfJjkwliS2JhDyQ10DGO4TjVJCfhB4mlrOB0clAS92p
 t7HJt2XY2BR88qCNElfmSWwuxceP/tccgI0co36k=
To: salutcop...@gmail.com
Subject: sujet
X-PHP-Originating-Script: 33:lib_tmp.php
From: intervent...@devisubox.com
Reply-To:
Content-Type:text/html;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <20131121101605.496c964e6...@devisubox.com>
Date: Thu, 21 Nov 2013 11:16:05 +0100 (CET)

[... message content ...]


Here is my postfix configuration :

main.cf :

inet_protocols = all
inet_interfaces = all
virtual_mailbox_domains = $virtual_mailbox_maps,
hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
alias_maps = hash:/etc/aliases, nis:mail.aliases,
hash:/var/spool/postfix/plesk/aliases
transport_maps = hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = 127.0.0.0/8 [::1]/128 88.190.26.21/32
[2a01:e0b:1000:26:be30:5bff:fed9:986]/128
smtpd_sender_restrictions = check_sender_access
hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated,
check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
mydestination = localhost.$mydomain, localhost, localhost.localdomain
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, check_client_access
pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated,
reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:110
virtual_gid_maps = static:31
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
smtpd_client_restrictions = permit_mynetworks, check_client_access
pcre:/var/spool/postfix/plesk/no_relay.re
myhostname = devisubox.com
myhostname = devisubox.com
myorigin = devisubox.com

#DKIM
milter_default_action = accept
#milter_protocol = 2
#smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891


sender_dependent_default_transport_maps =

Re: can someone explain this SPF fail to me

2013-11-21 Thread LunarZone
Why do you even have this record?  "v=spf1 include:_spf.google.com ~all" 
Did you get it from here?  https://support.google.com/a/answer/178723
You already have what you need for Google site verification, so unless
you have a good specific reason for it, you should drop that line
altogether.
Also, there is a SPF Wizard here:
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/





Re: can someone explain this SPF fail to me

2013-11-21 Thread li...@rhsoft.net


Am 21.11.2013 18:40, schrieb jeffrey j donovan:
> Greetings,
> 
> Can someone explain this error to me, I have never seen this one before. I 
> tested my spf records and they seem fine. 
> 
>>> : host mail.ncem-pa.org[204.186.202.37] said: 554
>>>5.7.1 : Recipient address rejected: Failed SPF
>>>check; beth.k12.pa.us, Redundant applicable 'v=spf1' sender policies 
>>> found
>>>(in reply to RCPT TO command)
>>> Reporting-MTA: dns; smtp5.beth.k12.pa.us
> 
> in this , it looks like the user recipient address is incorrect or something 
> along those lines.
> I do have two spf records, one for my relays and one for google.  The remote 
> user has none

"Redundant applicable 'v=spf1' sender policies found" is pretty clear

> I do have two spf records, one for my relays and one for google

and that is what is called "redundant"
merge them into one

;; ANSWER SECTION:
beth.k12.pa.us. 28800   IN  TXT "v=spf1 ip4:209.96.107.0/24 ip4:209.96.96.0/24 mx:beth.k12.pa.us mx:bethsd.org ~all"
beth.k12.pa.us. 28800   IN  TXT "google-site-verification=JjPx6RdJsh1ILF2-zcX-g3xyhuuHPZxw28c_L2YVyFI"
beth.k12.pa.us. 28800   IN  TXT "v=spf1 include:_spf.google.com ~all"



Re: Multiple machines sharing postscreen cache & cleanup?

2013-11-21 Thread Wietse Venema
hodor:
> Hello,
> 
> I've got 3 machines running postfix 2.11-20131001. Incoming connections are
> balanced via haproxy (and postscreen_upstream_proxy_protocol=haproxy). Right
> now each postfix instance has its own postscreen_cache_map. Everything works
> fine.
> 
> I thought I could share the cache among all nodes using memcache with
> postscreen_cache_cleanup_interval left to default and with the persistent 
> btree
> backup specified.
> 
> Something like:
> 
> # main.cf
> postscreen_cache_map = memcache:/etc/postfix/postscreen_cache.cf
> 
> # postscreen_cache.cf
> memcache = inet:10.11.12.13:11211
> key_format = postscreen:%s
> backup = btree:/var/lib/postfix/postscreen_cache
> ttl = 86400

This will work, but keep in mind that only the memcache will be shared.
This should still speed things up for clients that connect frequently,
so it would be an improvement over what you have now.

Wietse


Re: How to configure fixed nexthop destination for smtp in master.cf

2013-11-21 Thread Manuel Bieling
On 2013.11.21 17:45:29 +0100, Michael Storz wrote:
> Am 2013-11-21 17:26, schrieb Manuel Bieling:
> >On 2013.11.21 16:42:10 +0100, Michael Storz wrote:
> >You specify command line options for the smtp daemon via '-o'.
> >All options are well documented in
> >
> >http://www.postfix.org/smtp.8.html
> 
> The question is, which of these options I could use.

Sorry, I would have told you. I don't know one. Apparently this is not how
postfix works.

-- 
Best regards,
Manuel


Re: How to configure fixed nexthop destination for smtp in master.cf

2013-11-21 Thread Viktor Dukhovni
On Thu, Nov 21, 2013 at 04:42:10PM +0100, Michael Storz wrote:

> I am trying to configure a fixed destination for a smtp transport in
> master.cf instead of confguring the destination in a transport_map.

There's your mistake.  Set the nexthop for the transport in the
transport table.  There is no master.cf (i.e. smtp(8) command-line)
option to set the nexthop destination.

transport:
example.com foosmtp:foonexthop.example

master.cf:
foosmtp   unix  -   -   n   -   -   smtp
    -o smtp_mumble=$foosmtp_mumble
    ...

main.cf:
# Define the foosmtp_ overrides in main.cf
foosmtp_mumble = ...

indexed = ${default_database_type}:${config_directory}/
transport_maps = ${indexed}transport

-- 
Viktor.


Re: How to configure fixed nexthop destination for smtp in master.cf

2013-11-21 Thread Manuel Bieling
On 2013.11.21 16:42:10 +0100, Michael Storz wrote:
> I am trying to configure a fixed destination for a smtp transport in
> master.cf instead of confguring the destination in a transport_map.
> Since smtp has no special command-line option for this I suppose I
> have to specify a generic Postfix daemon option via -o. However,

You specify command line options for the smtp daemon via '-o'.
All options are well documented in

http://www.postfix.org/smtp.8.html

> since all relevant commands in main.cf like default_transport
> include a transport field, but transport has already been chosen
> when the email arrives at my smtp transport, I have no idea how to
> configure this in the correct way.

'default_transport' is an option for the trivial-rewrite daemon [1] and
trivial-rewrite is queried by the qmgr daemon [2].

[1]: http://www.postfix.org/trivial-rewrite.8.html
[2]: http://www.postfix.org/ADDRESS_REWRITING_README.html

Thus one solution is to manage multiple postfix instances.

http://www.postfix.org/MULTI_INSTANCE_README.html

-- 
Best regards,
Manuel


Re: How to configure fixed nexthop destination for smtp in master.cf

2013-11-21 Thread Viktor Dukhovni
On Thu, Nov 21, 2013 at 05:45:29PM +0100, Michael Storz wrote:

> Correct, default_transport cannot be used because it is too late.
> What I need is a smtp option which would be evaluated when the email
> arrives at the smtp transport and which would overwrite the
> destination already calculated by qmgr.

You don't.  Either the SMTP transport in question is the default
transport, in which case its nexthop can be bolted onto its definition:

default_transport = smtp:[mynexthop.example]

Or it is a non-default transport (thus obtained via transport_maps),
in which case do the logical thing in the transport table (or
content_filter setting or FILTER actions in access tables, ...).

There is no smtp(8) command-line option to override the primary
message destination, you can only tweak the smtp_fallback_relay.

-- 
Viktor.


Re: TCP Table and Unix Sockets

2013-11-21 Thread Wietse Venema
Jason Woods:
> Hi,
> 
> I'm wanting to get some unix socket support on my mail server for
> the same protocol used by the TCP table. I can see patches for
> this were submitted before but had some issues with usability and
> namespace:
> http://comments.gmane.org/gmane.mail.postfix.user/222895
> 
> Has any thought been put into this? I'm guessing there may not be
> much demand for it so may be not but I want to check.

Why not use socketmaps? These already support "inet" and "unix"
domain sockets, and they use (length, value) netstrings which require
no encoding of special characters. There are netstring implementations
for many languages, so availability should not be a problem.

The following is from Postfix internal documentation. Unfortunately I did
not find time to make this available as a socketmap_table(5) manpage.

[begin quote]

   Postfix  socketmap names have the form inet:host:port:socketmap-name or
   unix:pathname:socketmap-name, where socketmap-name specifies the  sock-
   etmap name that the socketmap server uses.

PROTOCOL
   The  socketmap class implements a simple protocol: the client sends one
   request, and the server sends one reply.

ENCODING
   Each request and reply are sent as one netstring object.

REQUEST FORMAT
   <name> <space> <key>
  Search the specified socketmap under the specified key.

REPLY FORMAT
   Replies must be no longer than 10  characters  (not  including  the
   netstring encapsulation), and must have the following form:

   OK <space> <data>
  The requested data was found.

   NOTFOUND <space>
  The requested data was not found.

   TEMP <space> <reason>

   TIMEOUT <space> <reason>

   PERM <space> <reason>
  The  request  failed.  The  reason, if non-empty, is descriptive
  text.

[End quote]

tcp_table(5) is not really something that I am proud of.

Wietse
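
The exchange described above, as an added Python example that is neither Postfix code nor a production socketmap server: a client that frames "name key" as a netstring and a server function that answers in the OK / NOTFOUND / PERM forms, run over an AF_UNIX socketpair so it works offline (a real unix:pathname server would listen on a socket file). The map name and its contents are constructed.

```python
import socket
import threading


def netstring(payload: bytes) -> bytes:
    """Frame a payload as <decimal length>:<payload>,"""
    return b"%d:%s," % (len(payload), payload)


def recv_netstring(sock: socket.socket, limit: int = 100000) -> bytes:
    """Read one netstring from a blocking socket. The length is parsed byte
    by byte and bounded (limit is our own choice), so a hostile peer cannot
    make the reader allocate at will or hang on an unterminated frame."""
    digits = b""
    while True:
        c = sock.recv(1)
        if not c:
            raise ConnectionError("peer closed before netstring length")
        if c == b":":
            break
        if not c.isdigit() or len(digits) >= 9:
            raise ValueError("malformed netstring length")
        digits += c
    if not digits:
        raise ValueError("empty netstring length")
    n = int(digits)
    if n > limit:
        raise ValueError("netstring longer than %d bytes" % limit)
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed inside netstring")
        buf += chunk
    if sock.recv(1) != b",":
        raise ValueError("missing netstring terminator")
    return buf


def socketmap_reply(tables: dict, request: bytes) -> bytes:
    """Server side: answer one 'name SP key' request with an unframed reply.
    Keys come from remote mail and are treated as untrusted input."""
    name, sep, key = request.partition(b" ")
    if not sep or not name:
        return b"PERM malformed request"
    table = tables.get(name)
    if table is None:
        return b"PERM no such map " + name
    value = table.get(key)
    if value is None:
        return b"NOTFOUND "                     # NOTFOUND <space>, nothing after
    return b"OK " + value


def serve_one(sock: socket.socket, tables: dict) -> None:
    try:
        reply = socketmap_reply(tables, recv_netstring(sock))
    except ValueError as e:
        reply = b"PERM " + str(e).encode()
    sock.sendall(netstring(reply))


def lookup(sock: socket.socket, name: bytes, key: bytes):
    """Client side: send the request, return (status, data)."""
    sock.sendall(netstring(name + b" " + key))
    status, _, rest = recv_netstring(sock).partition(b" ")
    if status in (b"OK", b"NOTFOUND", b"TEMP", b"TIMEOUT", b"PERM"):
        return status.decode(), rest
    raise ValueError("unexpected socketmap reply %r" % status)


def demo_lookup(name: bytes, key: bytes):
    """Client and server on a socketpair, standing in for a unix:pathname
    socketmap server; the table below is constructed."""
    tables = {b"aliases": {b"postmaster@example.com": b"root",
                           b"abuse@example.com": b"root"}}
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server, tables))
    worker.start()
    try:
        return lookup(client, name, key)
    finally:
        worker.join()
        client.close()
        server.close()


if __name__ == "__main__":
    for n, k in [(b"aliases", b"abuse@example.com"),
                 (b"aliases", b"nobody@example.com"),
                 (b"nomap", b"x")]:
        print(n.decode(), k.decode(), "->", demo_lookup(n, k))
```

With a real unix-domain socket the file's ownership and mode are the access control: the Postfix daemons that do the lookups run unprivileged, so the socket should be connectable by that user and nobody else, and the server should keep replies short and never echo untrusted key material into error text it does not control.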


Re: can someone explain this SPF fail to me

2013-11-21 Thread Kris Deugau
jeffrey j donovan wrote:
> Greetings,
> 
> Can someone explain this error to me, I have never seen this one before. I 
> tested my spf records and they seem fine. 
> 
>>> : host mail.ncem-pa.org[204.186.202.37] said: 554
>>>5.7.1 : Recipient address rejected: Failed SPF
>>>check; beth.k12.pa.us, Redundant applicable 'v=spf1' sender policies 
>>> found
>>>(in reply to RCPT TO command)
>>> Reporting-MTA: dns; smtp5.beth.k12.pa.us
> 
> in this , it looks like the user recipient address is incorrect or something 
> along those lines.
> I do have two spf records, one for my relays and one for google.

I'm not completely clear on what you mean by "one for my relays and one
for google", but you have two SPF records published publicly.  Don't Do
That.  (I don't think it's strictly a violation of the spec, but clearly
the recipient is being picky.)

There's no reason not to combine them like so:

beth.k12.pa.us IN TXT "v=spf1 ip4:209.96.107.0/24 ip4:209.96.96.0/24
mx:beth.k12.pa.us mx:bethsd.org include:_spf.google.com ~all"

unless you really need different SPF records to be visible to different
systems, which means you'll need to investigate DNS views so that any
given client only sees one SPF record.

-kgd
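
The check the receiving MTA applied and the merge Kris proposes, as an added Python example that is not part of the thread: RFC 4408 section 4.5 makes more than one v=spf1 record at a name a PermError, which is what mail.ncem-pa.org reported. The three TXT strings are the ones from the dig output earlier in the thread, reproduced as a constructed list; the merged result is Kris's record.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_records(txt_values):
    """The TXT strings that are SPF version-1 records."""
    return [v for v in txt_values
            if v.lower() == "v=spf1" or v.lower().startswith("v=spf1 ")]


def check_spf(txt_values):
    """none / ok / permerror, the way a receiver classifies the name."""
    n = len(spf_records(txt_values))
    if n == 0:
        return "none"
    if n > 1:
        return "permerror"
    return "ok"


def _mechanism(term):
    """Mechanism or modifier name without qualifier and argument."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def merge_spf(txt_values):
    """Combine every v=spf1 record into one. Term order is kept (SPF is
    evaluated left to right), duplicates are dropped, and the 'all' of the
    first record closes the merged policy. If the records disagree on the
    'all' qualifier (-all vs ~all), decide that explicitly before publishing."""
    terms, all_term = [], None
    for rec in spf_records(txt_values):
        for term in rec.split()[1:]:
            if _mechanism(term) == "all":
                all_term = all_term or term
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms] + ([all_term] if all_term else []))


def dns_lookup_count(record):
    """Terms that cost a DNS query toward the limit of 10 (RFC 4408 10.1).
    Queries inside include/redirect targets are not followed here, so this
    is a lower bound."""
    return sum(1 for t in record.split()[1:] if _mechanism(t) in LOOKUP_MECHANISMS)


# Constructed list holding the three TXT strings from the dig output above.
BETH_TXT = [
    "v=spf1 ip4:209.96.107.0/24 ip4:209.96.96.0/24 mx:beth.k12.pa.us mx:bethsd.org ~all",
    "google-site-verification=JjPx6RdJsh1ILF2-zcX-g3xyhuuHPZxw28c_L2YVyFI",
    "v=spf1 include:_spf.google.com ~all",
]

if __name__ == "__main__":
    print(check_spf(BETH_TXT))                            # permerror
    merged = merge_spf(BETH_TXT)
    print(merged)
    print(check_spf([merged]), dns_lookup_count(merged))  # ok 3
```

Two things to check before publishing the merged record: a TXT string longer than 255 octets has to be split into several quoted strings inside the one record, and the lookup count must stay under 10 once the include targets are followed (the _spf.google.com include brings its own).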


Re: Signing with OpenDKIM doesn't work when the content-type is multipart

2013-11-21 Thread Jean-Christophe Begue
Wietse: apparently, the php script uses htmlMimeMail5.php, that you can
find here:
http://code.google.com/p/punchcms/source/browse/trunk/manager/libraries/htmlMimeMail5/htmlMimeMail5.php?r=87
I think it could be as buggy as you described, I'll try to dump the raw
message.

Viktor: thank you for the tip, I didn't figure out the difference between
relaxed and simple, thank you. Your strategy for detecting post-added
fields seems good! I'll give it a try!

Jean-Christophe BEGUE
Ingénieur R&D - Devisubox
Marseille - France
+33 6 89 64 45 88
http://www.devisubox.com


2013/11/21 Viktor Dukhovni 

> On Thu, Nov 21, 2013 at 09:07:44AM -0500, Wietse Venema wrote:
>
> > > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=devisubox.com;
> s=mail;
> > >   t=1385028965; bh=75o/sAM/Vtv41UrIwg0b4q1zZtrst1XwSPtjrKyZij0=;
> > >
> h=To:Subject:From:Reply-To:Content-Type:Content-Transfer-Encoding:
> > >Message-Id:Date;
> >
> > This email contains Content-Type: and Content-Transfer-Encoding:
> > without MIME-Version: header.  That is the result of buggy software.
>
> Furthermore, "simple" canonicalization is too fragile, use "relaxed"
> at least for the headers.  I would add "Cc" and "Content-Disposition"
> and all the above to the list headers signed even when absent (thus
> detecting downstream insertion as a DKIM signature failure).
>
> --
> Viktor.
>


LDAP Lookups to bypass content filter

2013-11-21 Thread Casartello, Thomas
Hello,

I am trying to find a way to use an LDAP filter in Postfix to bypass my amavis
(maia mailguard) content filter. Currently I use hash or cidr files in my
smtpd recipient restrictions list to bypass the filter for certain senders
and/or recipients, with lines like this in them:
 FILTER 
smtp-amavis:[127.0.0.1]:10025
Which bypasses my content filter for that particular sender or recipient. 
Currently I use this for certain approved senders that send mass mailings to 
our users to avoid clogging up the content filter. I'm trying to find a way to 
perform this same action if the recipient matches a certain ldap search filter. 
Would appreciate it if someone could point me in the right direction.

Thanks in advance,
Tom Casartello

Thomas E. Casartello, Jr.
Information Technology
Westfield State University
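A worked configuration for the LDAP variant of this bypass, added here as an example and not taken from the post above. The LDAP server, bind DN, search base, group name and attribute names are assumptions; the FILTER target is the one already in use on the hash file:

```ini
# /etc/postfix/bypass_filter_recipient.cf  (constructed example)
# Holds bind_pw, so keep it root:postfix mode 0640: smtpd reads it as the
# postfix user, nobody else needs it.
server_host = ldaps://ldap.example.edu
version = 3
bind = yes
bind_dn = cn=postfix-lookup,ou=services,dc=example,dc=edu
bind_pw = REPLACE_WITH_BIND_PASSWORD
search_base = ou=people,dc=example,dc=edu
scope = sub
# check_recipient_access also tries the bare domain and the "user@" form of
# every recipient; listing our own domains makes Postfix skip LDAP for keys
# that could never match.
domain = example.edu
# %s is the recipient address. Postfix quotes it before substitution, so an
# address containing LDAP metacharacters cannot alter the filter expression.
query_filter = (&(mail=%s)(memberOf=cn=bulk-mail-recipients,ou=groups,dc=example,dc=edu))
# The result is a constant access(5) action, so any attribute that every
# matching entry carries will do as the trigger.
result_attribute = mail
result_format = FILTER smtp-amavis:[127.0.0.1]:10025
# Several attribute values would be joined with commas into a malformed FILTER
# action; with the limit set to 1 such a lookup fails closed (4xx) instead.
expansion_limit = 1

# main.cf (constructed example)
# FILTER neither permits nor rejects, evaluation of the later restrictions
# continues, so putting the lookup after reject_unauth_destination only saves
# LDAP queries for mail that is refused anyway.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access ldap:/etc/postfix/bypass_filter_recipient.cf,
    permit
```

Check a single address with `postmap -q user@example.edu ldap:/etc/postfix/bypass_filter_recipient.cf`, which prints the FILTER line for a group member and nothing otherwise. One caveat that applies to the hash file just as much as to the LDAP table: a FILTER action from an access map affects every recipient of the message, so a mass mailing addressed to one exempt recipient and one ordinary recipient skips the content filter for both.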



Re: How to configure fixed nexthop destination for smtp in master.cf

2013-11-21 Thread Michael Storz

On 2013-11-21 17:26, Manuel Bieling wrote:

> On 2013.11.21 16:42:10 +0100, Michael Storz wrote:
>
>> I am trying to configure a fixed destination for a smtp transport in
>> master.cf instead of configuring the destination in a transport_map.
>> Since smtp has no special command-line option for this I suppose I
>> have to specify a generic Postfix daemon option via -o. However,
>
> You specify command line options for the smtp daemon via '-o'.
> All options are well documented in
>
> http://www.postfix.org/smtp.8.html

The question is which of these options I could use.

>> since all relevant commands in main.cf like default_transport
>> include a transport field, but transport has already been chosen
>> when the email arrives at my smtp transport, I have no idea how to
>> configure this in the correct way.
>
> 'default_transport' is an option for the trivial-rewrite daemon [1] and
> trivial-rewrite is queried by the qmgr daemon [2].

Correct, default_transport cannot be used because it is too late. What I 
need is a smtp option which would be evaluated when the email arrives at 
the smtp transport and which would overwrite the destination already 
calculated by qmgr.

> [1]: http://www.postfix.org/trivial-rewrite.8.html
> [2]: http://www.postfix.org/ADDRESS_REWRITING_README.html
>
> Thus one solution is to manage multiple postfix instances.
>
> http://www.postfix.org/MULTI_INSTANCE_README.html

Michael
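No smtp(8) parameter overrides the nexthop that qmgr hands to the transport, so the destination has to be fixed before the message reaches it: either in a transport_maps entry that names a dedicated transport, or in the main.cf of a separate instance as suggested above. The following is an added example, not configuration from this thread; the transport name, hostnames and map paths are assumptions:

```ini
# master.cf (constructed example): a named copy of the stock smtp entry.
# The -o lines carry per-transport policy (here: enforced TLS with hostname
# verification), but none of them can set where the mail goes.
partnersmtp unix -       -       n       -       -       smtp
    -o syslog_name=postfix/partner
    -o smtp_tls_security_level=verify
    -o smtp_tls_verify_cert_match=hostname

# main.cf: trivial-rewrite picks transport and nexthop from this map, and
# qmgr delivers the pair to partnersmtp.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing).
# The brackets suppress the MX lookup so the name is used as given:
#   partner.example.net     partnersmtp:[mx.partner.example.net]:587

# Alternative from the thread: in a dedicated Postfix instance whose only job
# is this route, main.cf fixes the destination for all of its mail instead:
#   default_transport = smtp:[mx.partner.example.net]:587
```

`postconf -Mf partnersmtp` prints the resulting master.cf entry and is a quick way to confirm the -o overrides were parsed, since a misspelled parameter on those lines is only logged when the transport starts.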



Re: Signing with OpenDKIM doesn't work when the content-type is multipart

2013-11-21 Thread Wietse Venema
Jean-Christophe Begue:
> Wieste : apparently, the php script uses htmlMimeMail5.php, that you can
> find here:
> http://code.google.com/p/punchcms/source/browse/trunk/manager/libraries/htmlMimeMail5/htmlMimeMail5.php?r=87.
>  I think it could be as buggy as you described, I'll try to dump the raw
> message.

My guess is that your email contains >990 characters per line,
causing the Postfix SMTP client to insert <CR><LF><SPACE>,

Bad line endings can be fixed with message_strip_characters=\r,
although I expect that c=relaxed/relaxed will take care of that, too.

Wietse

> Viktor : thank you for the tip, I didn't figure the difference between
> relaxed and simple, thank you. Your strategy for detecting post-added
> fields seems good! I'll give it a try!
> 
> Jean-Christophe BEGUE
> Ingénieur R&D - Devisubox
> Marseille - France
> +33 6 89 64 45 88
> http://www.devisubox.com
> 
> 
> 2013/11/21 Viktor Dukhovni 
> 
> > On Thu, Nov 21, 2013 at 09:07:44AM -0500, Wietse Venema wrote:
> >
> > > > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=devisubox.com;
> > s=mail;
> > > >   t=1385028965; bh=75o/sAM/Vtv41UrIwg0b4q1zZtrst1XwSPtjrKyZij0=;
> > > >
> > h=To:Subject:From:Reply-To:Content-Type:Content-Transfer-Encoding:
> > > >Message-Id:Date;
> > >
> > > This email contains Content-Type: and Content-Transfer-Encoding:
> > > without MIME-Version: header.  That is the result of buggy software.
> >
> > Furthermore, "simple" canonicalization is too fragile, use "relaxed"
> > at least for the headers.  I would add "Cc" and "Content-Disposition"
> > and all the above to the list headers signed even when absent (thus
> > detecting downstream insertion as a DKIM signature failure).
> >
> > --
> > Viktor.
> >
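OpenDKIM settings that implement Viktor's advice from the quoted reply (relaxed canonicalization, over-signing the listed fields so that a field added after signing breaks verification), together with the Postfix milter hookup that also covers mail a PHP script hands to the sendmail command. This is an added example rather than the poster's configuration; the domain and selector are the ones in the quoted DKIM-Signature, the key path and socket are assumptions:

```ini
# /etc/opendkim.conf (constructed example)
Domain                  devisubox.com
Selector                mail
KeyFile                 /etc/opendkim/keys/devisubox.com/mail.private
Mode                    sv
Socket                  inet:8891@localhost
# relaxed/relaxed: header re-folding and whitespace changes by downstream
# MTAs no longer invalidate the signature; simple/simple breaks on the first
# re-wrapped header line.
Canonicalization        relaxed/relaxed
# Each field listed here goes into h= once more than it actually occurs in the
# message, so a Cc:, MIME-Version: or Content-Disposition: inserted after
# signing causes a verification failure instead of passing unsigned.
OversignHeaders         From,To,Cc,Reply-To,Subject,Date,Message-ID,MIME-Version,Content-Type,Content-Transfer-Encoding,Content-Disposition

# main.cf (constructed example)
# smtpd_milters covers mail arriving over SMTP; non_smtpd_milters covers the
# sendmail/pickup path, which is how a PHP mailer usually submits.
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
```

Two things the milter cannot repair, and which the generating script has to get right: bare CR line endings (the message_strip_characters=\r suggestion above addresses those in Postfix) and lines longer than the 998-character SMTP limit, which the Postfix SMTP client folds only after the message has been signed. Encoding the HTML part as quoted-printable or base64 in htmlMimeMail5 avoids both.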


How to configure fixed nexthop destination for smtp in master.cf

2013-11-21 Thread Michael Storz
I am trying to configure a fixed destination for a smtp transport in 
master.cf instead of configuring the destination in a transport_map. 
Since smtp has no special command-line option for this I suppose I have 
to specify a generic Postfix daemon option via -o. However, since all 
relevant commands in main.cf like default_transport include a transport 
field, but transport has already been chosen when the email arrives at 
my smtp transport, I have no idea how to configure this in the correct 
way.


Michael