Re: Mail delivery problem.. intermittent .. I dont see what could be wrong...

[Matthew McGehrin]

It also seems like you have a permissions error as well with your 
quarantine directories.


Feb 17 16:49:52 mail amavis[16508]: (16508-03) (!)run_av (ClamAV-clamd) FAILED - 
unexpected , output="/var/spool/amavisd/tmp/amavis-20140217T163033-16508/parts: 
lstat() failed: Permission denied. ERROR\n"
Feb 17 16:49:52 mail amavis[16508]: (16508-03) (!)ClamAV-clamd av-scanner FAILED: 
CODE(0x9c2e4a8) unexpected , 
output="/var/spool/amavisd/tmp/amavis-20140217T163033-16508/parts: lstat() failed: 
Permission denied. ERROR\n" at (eval 102) line 596.
Feb 17 16:49:52 mail amavis[16508]: (16508-03) (!!)WARN: all primary virus 
scanners failed, considering backups

Also, I would recommend using only 1 or 2 RBL's. zen.spamhaus.org is highly accurate. 
Personally, I only use zen, as it also contains the CBL and PBL.


See: http://www.intra2net.com/en/support/antispam/
See: http://www.spamhaus.org/zen/

reject_rbl_client zen.spamhaus.org



Vaughan, Jesse wrote:


I have been having problems with mail not being delivered and I don’t 
know why… In this particular instance an email from cschofi...@cox.net 
 wasn’t delivered.. anyone know why?


I’m running centos 6 with virtual users using the config from 
howtoforge. I’m also using maildrop for my maildelivery.


I had smtpd –v turned on in the log.. the log is here:

http://www.restonlinux.com/maillog.txt

I don’t see anywhere where it says the message is being dropped and if 
anyone can shed light on the issue I would GREATLY appreciate it..

Message reject based on absense of a header(s)

[Vladimir Kozlov]

I'd like to reject messages without some headers (say, Date: or 
Message-ID:).
As far as I understand, headers-checks and body-checks could be done as 
described at http://www.postfix.org/BACKSCATTER_README.html


The only question I could not find answer to is: how to write regexp for 
_absence_ of a header(s)?


Kind regards,
Vladimir.



smime.p7s
Description: Криптографическая подпись S/MIME

Re: Message reject based on absense of a header(s)

[Noel Jones]

On 2/18/2014 10:54 AM, Vladimir Kozlov wrote:
> I'd like to reject messages without some headers (say, Date: or
> Message-ID:).
> As far as I understand, headers-checks and body-checks could be done
> as described at http://www.postfix.org/BACKSCATTER_README.html
> 
> The only question I could not find answer to is: how to write regexp
> for _absence_ of a header(s)?
> 
> Kind regards,
> Vladimir.
> 


The header_checks feature scans one header at a time and does not
save state between headers, making it impossible to detect missing
headers.

To detect missing headers you'll need a content filter such as
SpamAssassin.



  -- Noel Jones

Re: Message reject based on absense of a header(s)

[Andrey Repin]

Greetings, postfix users!

>> I'd like to reject messages without some headers (say, Date: or
>> Message-ID:).
>> As far as I understand, headers-checks and body-checks could be done
>> as described at http://www.postfix.org/BACKSCATTER_README.html
>> 
>> The only question I could not find answer to is: how to write regexp
>> for _absence_ of a header(s)?

> The header_checks feature scans one header at a time and does not
> save state between headers, making it impossible to detect missing
> headers.

> To detect missing headers you'll need a content filter such as
> SpamAssassin.

That's a bust :(
I receive 3-5 messages without date/msgid daily (and they are ALWAYS SPAM),
and I was hoping there's a way to save some horsepower.


--
WBR,
Andrey Repin (anrdae...@freemail.ru) 18.02.2014, <21:58>

Sorry for my terrible english...

Re: Message reject based on absense of a header(s)

[Andreas Schulze]

Noel Jones:


To detect missing headers you'll need a content filter such as
SpamAssassin.


opendmarc-milter implement a test to verify RFC5322-required headers  
(RFC5322 3.6)

The feature is new, available in the 1.2.0 Beta only.
(https://sourceforge.net/projects/opendmarc/files/Pre-Releases/)

Andreas

Re: Message reject based on absense of a header(s)

[Noel Jones]

On 2/18/2014 3:41 PM, Andreas Schulze wrote:
> 
> Noel Jones:
> 
>> To detect missing headers you'll need a content filter such as
>> SpamAssassin.
> 
> opendmarc-milter implement a test to verify RFC5322-required headers
> (RFC5322 3.6)
> The feature is new, available in the 1.2.0 Beta only.
> (https://sourceforge.net/projects/opendmarc/files/Pre-Releases/)
> 
> Andreas
> 
> 
> 

While Date and From headers are required by RFC5322 and ancestors,
note that Message-ID "SHOULD" be present but is not required.

A few years ago I tried rejecting messages with no Message-ID. Much
to my surprise, there were far more false-positives than actual spam
rejected.  I doubt the situation has changed much since then, but YMMV.



  -- Noel Jones

Re: Message reject based on absense of a header(s)

[Wietse Venema]

Noel Jones:
> A few years ago I tried rejecting messages with no Message-ID. Much
> to my surprise, there were far more false-positives than actual spam
> rejected.  I doubt the situation has changed much since then, but YMMV.

That was my experience, too. There was enough legitimate mail
without Message-ID that this was not a good test for spamminess.

Wietse

I have screwed it up

[edwinh]

Hi all,

I've been using postfix with a smarthost, and my ISP has just required 
me to use a new smarthost with authentication. After some struggle, I 
eventually got it to work, but now the incoming email that fetchmail is 
delivering to postfix is also forwarded to the smarthost, and therefore 
lost.


Can someone, PLEASE, tell me what I've screwed up?

Thanks,
Edwin

RE: I have screwed it up

[Terry Gilsenan]

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of edw...@netsensecomputers.com.au
Sent: Wednesday, 19 February 2014 11:25 AM
To: postfix-users@postfix.org
Subject: I have screwed it up

Hi all,

I've been using postfix with a smarthost, and my ISP has just required me to 
use a new smarthost with authentication. After some struggle, I eventually got 
it to work, but now the incoming email that fetchmail is delivering to postfix 
is also forwarded to the smarthost, and therefore lost.

Can someone, PLEASE, tell me what I've screwed up?

Have you got the domains that you are rec'ving email for listed in mydomains?

Thanks,
Edwin


===[Disclaimer]===
This electronic transmission, including any attachments, is confidential, may 
contain privileged information and should be read or retained only by the 
intended recipient. If you received this message in error, please delete it 
from your system and notify the sender immediately. Any review, dissemination 
or other use of this information by persons or entities other than the intended 
recipient is strictly prohibited.
===[End]===

Re: I have screwed it up

[Noel Jones]

On 2/18/2014 7:24 PM, edw...@netsensecomputers.com.au wrote:
> Hi all,
> 
> I've been using postfix with a smarthost, and my ISP has just
> required me to use a new smarthost with authentication. After some
> struggle, I eventually got it to work, but now the incoming email
> that fetchmail is delivering to postfix is also forwarded to the
> smarthost, and therefore lost.
> 
> Can someone, PLEASE, tell me what I've screwed up?
> 
> Thanks,
> Edwin


That's hardly enough problem description for a wild guess.

Potentially unhelpful wild guess: you messed up the postfix main.cf
mydestination parameter.

For something better than a wild guess, please see:
http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones

Re: I have screwed it up

[edwinh]

Noel & Terry,

That was mu first thought as well, but I think it's OK; 
I've copied my main.cf file below.


Thanks.

# See /usr/share/postfix/main.cf.dist for a commented, more complete 
version



# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package 
for

# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
defer_unauth_destination

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 
172.31.255.0/8

mailbox_size_limit = 0
recipient_delimiter = +
relayhost = mail.antmail.com.au:587
# relayhost = mail.antmail.com.au:587
message_size_limit = 2048
myhostname = barney.netsensecomputers.com.au
mydestination = $myhostname, localhost.$mydomain, $mydomain, 
Deep-Thought, barney.netsensecomputers.com.au, netsensecomputers.com.au, 
earthcaretech.com.au

myorigin = barney.netsensecomputers.com.au
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/passwords
smtp_sasl_security_options =
delay_notice_recipient = edwin@127.0.0.1
bounce_notice_recipient = edwin@127.0.0.1
2bounce_notice_recipient = edwin@127.0.0.1
error_notice_recipient = edwin@127.0.0.1

RE: I have screwed it up

[Terry Gilsenan]

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of edw...@netsensecomputers.com.au
Sent: Wednesday, 19 February 2014 11:39 AM
To: postfix users
Subject: Re: I have screwed it up

Noel & Terry,

That was mu first thought as well, but I think it's OK; I've 
copied my main.cf file below.


You don't have a mydomain=

so this line:
mydestination = $myhostname, localhost.$mydomain, $mydomain,

...is not working for you.

Fix the mydomain= bit

Thanks.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package
for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
172.31.255.0/8
mailbox_size_limit = 0
recipient_delimiter = +
relayhost = mail.antmail.com.au:587
# relayhost = mail.antmail.com.au:587
message_size_limit = 2048
myhostname = barney.netsensecomputers.com.au
mydestination = $myhostname, localhost.$mydomain, $mydomain,
Deep-Thought, barney.netsensecomputers.com.au, netsensecomputers.com.au,
earthcaretech.com.au
myorigin = barney.netsensecomputers.com.au
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/passwords
smtp_sasl_security_options =
delay_notice_recipient = edwin@127.0.0.1
bounce_notice_recipient = edwin@127.0.0.1
2bounce_notice_recipient = edwin@127.0.0.1
error_notice_recipient = edwin@127.0.0.1


===[Disclaimer]===
This electronic transmission, including any attachments, is confidential, may 
contain privileged information and should be read or retained only by the 
intended recipient. If you received this message in error, please delete it 
from your system and notify the sender immediately. Any review, dissemination 
or other use of this information by persons or entities other than the intended 
recipient is strictly prohibited.
===[End]===

Re: I have screwed it up

[edwinh]

OK, so I changed the main.cf:

Changed Line   myorigin = $mydomain
New Line   mydomain = netsensecomputers.com.au

Reloaded, and behaviour is still the same.

I wonder, though, what the domain should be: the postfix logs show that 
fetchmail is reporting the email being for 
edw...@netsensecomputers.com.au@ando.pair.com, and postfix is trying to 
deliver that to edwin@localhost, relayed through the smarthost.

RE: I have screwed it up

[Terry Gilsenan]

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of edw...@netsensecomputers.com.au
Sent: Wednesday, 19 February 2014 12:48 PM
To: postfix-users@postfix.org
Subject: Re: I have screwed it up

OK, so I changed the main.cf:

Changed Line   myorigin = $mydomain
New Line   mydomain = netsensecomputers.com.au

Reloaded, and behaviour is still the same.

I wonder, though, what the domain should be: the postfix logs show that 
fetchmail is reporting the email being for 
edw...@netsensecomputers.com.au@ando.pair.com, and postfix is trying to deliver 
that to edwin@localhost, relayed through the smarthost.

I think your .fetchmailrc is mangled.

===[Disclaimer]===
This electronic transmission, including any attachments, is confidential, may 
contain privileged information and should be read or retained only by the 
intended recipient. If you received this message in error, please delete it 
from your system and notify the sender immediately. Any review, dissemination 
or other use of this information by persons or entities other than the intended 
recipient is strictly prohibited.
===[End]===

Re: Message reject based on absense of a header(s)

[Michael J Wise]

On Feb 18, 2014, at 2:57 PM, Wietse Venema wrote:

> Noel Jones:
>> A few years ago I tried rejecting messages with no Message-ID. Much
>> to my surprise, there were far more false-positives than actual spam
>> rejected.  I doubt the situation has changed much since then, but YMMV.
> 
> That was my experience, too. There was enough legitimate mail
> without Message-ID that this was not a good test for spamminess.


Granted, but …

At the very least, such traffic should have to be safe-sendered to keep it out 
of the Junk.
IMHO.

Aloha,
Michael.
-- 
"Please have your Internet License 
 and Usenet Registration handy..."

qmgr_queue_throttle not fired up in 2.12.20140209

[Birta Levente]

Hi

I have a problem with Postfix 2.12 Snapshot 20140209.

The qmgr_queue_throttle never fired up for destinations which go through
slow transport and obviously the delivery never suspended to these few
destinations.
Mails which go out "normally", i.e. not through slow transport, seems to
throttle:

Feb 19 03:48:55 srv2 postfix/qmgr[23307]: qmgr_queue_throttle: feedback 1
Feb 19 03:48:55 srv2 postfix/qmgr[23307]: qmgr_queue_throttle: queue
notslowtransportdomain.com: limit 20 window 3 success 0 failure 1
fail_cohorts 0.2

Now, if I downgrade to 2.12.20140109 without any change in configs, it's
working ok.

Played a few times upgrade/downgrade/upgrade and same result.

Thanks
Levi


# ./postfinger.sh --nowarn
postfinger - postfix configuration on Wed Feb 19 09:34:41 EET 2014
version: 1.30

--System Parameters--
mail_version = 2.12-20140109
hostname = srv2.mydomain.com
uname = Linux srv2.mydomain.com 2.6.32-431.5.1.el6.x86_64 #1 SMP Wed Feb
12 00:41:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package:
postfix-2.12.20140109-1.x86_64

--main.cf non-default parameters--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
bounce_queue_lifetime = 2d
broken_sasl_auth_clients = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 50
destination_concurrency_feedback_debug = yes
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
html_directory = /usr/share/doc/postfix-2.11.20131126-documentation/html
inet_interfaces = 192.168.1.1, xx.yy.zz.ww, 127.0.0.1
inet_protocols = ipv4
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 6000s
maximal_queue_lifetime = 4d
message_size_limit = 2200
milter_default_action = accept
minimal_backoff_time = 1400s
mydestination = $myhostname
mydomain = srv2.mydomain.com
mynetworks = 192.168.1.0/24, 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
dnsbl.ahbl.org*2 bl.spamcop.net*1 bl.spameatingmonkey.net*1
swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner/Postscreen enabled
queue_run_delay = 700s
readme_directory = /usr/share/doc/postfix-2.11.20131126-documentation/readme
sendmail_path = /usr/sbin/sendmail.postfix
slow_destination_concurrency_failed_cohort_limit = 10
slow_destination_concurrency_limit = 2
slow_destination_rate_delay = 0s
slow_destination_recipient_limit = 10
slow_initial_destination_concurrency = 1
smtp_bind_address = xx.yy.zz.ww
smtpd_client_restrictions = permit_mynetworks, sleep 1,
check_client_access hash:/etc/postfix/smtpd_client_access,
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining,
reject_multi_recipient_bounce, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
hash:/etc/postfix/smtpd_helo_checks, reject_invalid_helo_hostname
smtpd_milters = inet:localhost:8891,inet:localhost:8892
smtpd_recipient_limit = 50
smtpd_recipient_restrictions = permit_mynetworks,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_unauth_pipelining, permit_sasl_authenticated,
reject_unlisted_sender, check_recipient_access
hash:/etc/postfix/smtpd_recipient_access, reject_unauth_destination,
reject_non_fqdn_hostname, reject_invalid_hostname, reject_rbl_client
zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client
psbl.surriel.com permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
hash:/etc/postfix/smtpd_sender_access
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = $smtp_tls_CAfile
smtpd_tls_cert_file = $smtp_tls_cert_file
smtpd_tls_key_file = $smtp_tls_key_file
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/cacert_ca.pem
smtp_tls_cert_file = /etc/pki/tls/certs/srv2.mydomain.com.pem
smtp_tls_key_file = /etc/pki/tls/private/srv2.mydomain.com.key
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
transport_maps =
hash:/etc/post