Re: Patch Postfix 3.1: sender_dependent_relayhost_maps defaults to rcpt_domain not relayhost
Thanks alot Viktor! I will try to patch the 2.11 and try it out. /Henning -- View this message in context: http://postfix.1071664.n5.nabble.com/sender-dependent-relayhost-maps-does-not-default-to-relayhost-tp75756p75795.html Sent from the Postfix Users mailing list archive at Nabble.com.
Postfix / OpenSSL signal 11 on delivery from ebay
Hi, I'm getting segfaults from postfix smtpd. The same postfix configuration worked fine on FreeBSD 9.3 i386, on fresh FreeBSD 10.1 amd64 it's segfaulting. postfix-2.11.4,1 with DOVECOT2, MYSQL, PCRE and TLS. openssl-1.0.1_18 with ASM, EC, MD2, SCTP, SHARED, SSE2, THREADS and ZLIB segfault is always during delivery attempt from ebay (and only from them): Mar 19 00:10:08 mail postfix/smtpd[58326]: connect from mxslcpool35.ebay.com[66.135.215.101] Mar 19 00:10:09 mail postfix/master[86442]: warning: process /usr/local/libexec/postfix/smtpd pid 58326 killed by signal 11 Mar 19 00:10:09 mail postfix/master[86442]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling Turning off TLS in postfix fixes delivery, no segfault. Postfix config: http://pastebin.com/EimdRvyf Postfix debug log: http://pastebin.com/imN0ud9X GDB backtrace: http://pastebin.com/jDaJrqty -- best regards, Lukasz Wasikowski
R: Strange behaviour of my multi-instance server
Thanks a lot, Mr. Venema. As you can see, I have a bind address in master.cf with: -o smtp_bind_address=xxx.yyy.zzz.79 Is it OK or "smtp_bind_address" in main.cf is different? Regarding "inet_interfaces" I usually have something like this (in every instance main.cf file, changing IP for each one): inet_interfaces = xxx.xxx.xxx.79, localhost Is it correct with "localhost" or I must write just the IP used for accepting smtp connections from my client? Finally, in my main.cf files I have: mynetworks = xxx.xxx.xxx.79/32, xxx.xxx.xxx.80/32, xxx.xxx.xxx.81/32, 127.0.0.0/8 where I usually list all IPs used for every instance of Postfix (5 instances => 5 IPs). Maybe the error is here!? Thank you. -Francesco -Messaggio originale- Da: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] Per conto di Wietse Venema Inviato: mercoledì 18 marzo 2015 21:37 A: Postfix users Oggetto: Re: Strange behaviour of my multi-instance server i...@itrezero.it: > if web client (a web application) connects to xxx.yyy.zzz.79 => emails > are sent through xxx.yyy.zzz.79 (instance 1), > > if it connects to xxx.yyy.zzz.80 => emails are sent through > xxx.yyy.zzz.80 (instance 2), Here you talk about the IP address that Postfix uses to receive mail. > Everything worked properly, I thought! Until I discovered some > complaints messages from Yahoo that say: > > 421 4.7.0 [TS01] Messages from xxx.yyy.zzz.79 temporarily deferred due > to user complaints <-- from INSTANCE 1 IP address > > BUT I sent messages through xxx.yyy.zzz.80 that is IP address of > instance (2)!!!. Here you talk about the IP address that Postfix uses to send mail. To fix the source IP address for sending mail either: - Specify smtp_bind_address in the respective main.cf files. or: - Specify ONE address with the inet_interfaces parameters in the respective main.cf files. Wietse --- Questa e-mail è stata controllata per individuare virus con Avast antivirus. http://www.avast.com
Re: How to allow each user on an Ubuntu server use his/her google email and password to send the email via google smtp?
Am 2015-03-18 18:49, schrieb Viktor Dukhovni: On Wed, Mar 18, 2015 at 11:31:40AM -0600, @lbutlr wrote: Gmail does not restrict the from address in outgoing emails. In fact, when my server is offline, i send admin warnings via gmail that are ?from? my postmaster account. Your gmail account is in the headers, but most people will never see it. I just tested this, I don't call this "most people will never see it": Return-Path: ... From: Viktor Dukhovni X-Google-Original-From: Viktor Dukhovni ... They've replaced the envelope and header "From:" address with the gmail account address. Replies and bounces go to the email address for the login account, not the envelope sender. This is not a multi-user solution (yes it works fine for system accounts on a personal machine). I checked my logs and I am finding a lot of mails which come from a Google mail server, where the "Mail From:" contains u...@gmail.com and the From-Header is user@private_domain. Therefore this mapping is not made for all mails. Michael
Re: How to allow each user on an Ubuntu server use his/her google email and password to send the email via google smtp?
Hi Viktor, You are right! I should add that I send emails via Gmail to a Gmail account. I mean, sendemail connects via tls to Gmail servers and send an email to a Gmail account using other Gmail account and credentials. Thanks! Atenciosamente, --- Fernando Maciel Souto Maior Projetos e Soluções de Tecnologia (31) 9226-9440 TIM On Wed, Mar 18, 2015 at 1:17 PM, Viktor Dukhovni wrote: > On Wed, Mar 18, 2015 at 07:38:33AM -0300, Fernando Maior wrote: > > > You also may try sendemail. Look at > > http://caspian.dotconf.net/menu/Software/SendEmail. I use it to send > emails > > from scripts directly to gmail accounts I use for servers backup control. > > Sending *to* is not sending *via*. > > -- > Viktor. >
Re: routing externally forwarded mail differently than internally originated mail
Daniel Bromberg: > > On 3/18/2015 7:23 PM, Wietse Venema wrote: > > Daniel Bromberg: > >> Greetings master postfixers, > >> > >> I am trying to solve a forwarding problem. I have two separate amavis > >> instanceson my edge MX that each do spam-checking: one incoming > >> (obvious), one outgoing (our users aren't too good about keeping their > >> computers zombie-free). > >> > >> For the particular case where mail passes the gateway, arrives locally, > >> whereupon it's discovered that it should be forwarded to an external > >> address, I do NOT want it to get re-scanned by the outgoing amavis > >> instance, but rather sent straight through. So, I need to route it > >> differently by choosing an alternate transport (which I will just set up > >> as a special, 'pre-screened' smtp listening port.) However, how do I > >> identify / capture this stream of forwarded mail? Right now, to the > >> outgoing MX/amavis gateway, it looks exactly like it originated from the > >> inside, rather than having been forwarded. > >> > >> mysql_virtual_alias_maps, which I'm using, did not have any helpful > >> references (because aliases are general, not necessarily external), nor > >> did several Google's about forwarding magic. The entry points for the inbound MTA are inbound.clean and inbound.dirty. The entry points for the outbound MTA are outbound.clean and outbound.dirty. Mail received on the dirty entry points is filtered. Receive all mail from remote senders on inbound-dirty. Receive all mail from local senders on outbound-dirty. Configure the inbound MTA with a "relayhost" setting of outbound-clean. Configure the outbound MTA to send local mail to inbound-clean. Wietse > > For line two: it's my local MX, not my edge MX, that welcomes local > users via the auth'd SSL'd submission port. I guess this is > 'outbound-dirty'. In order to ensure these messages are filtered, I have > to run amavis on that same host, correct? So that now amavis is running > on the local MX, rather than the edge MX? (Hoping to only run amavis there.) > > I hope I'm not garbling the solution. > > -Daniel > > -- > *Daniel Bromberg, Founder* > BaseZen Consulting, Inc. > dan...@basezen.com > 617.240.8036 > 52 Montague St Unit B > Arlington, MA 02474-2508
Re: R: Strange behaviour of my multi-instance server
i...@itrezero.it: > As you can see, I have a bind address in master.cf with: > -o smtp_bind_address=xxx.yyy.zzz.79 > Is it OK or "smtp_bind_address" in main.cf is different? Postfix has TWO SMTP clients in master.cf: one called "relay" and one called "smtp". You need to set smtp_bind_address on both. > Regarding "inet_interfaces" I usually have something like this (in every > instance main.cf file, changing IP for each one): > inet_interfaces = xxx.xxx.xxx.79, localhost > Is it correct with "localhost" or I must write just the IP used for > accepting smtp connections from my client? To force a fixed Postfix SMTP client IP address, you must specify smtp_bind_address if inet_interfaces has more than one IP address. See also my comment about multiple SMTP clients in master.cf. Wietse
Re: Fwd: routing externally forwarded mail differently than internally originated mail
> >> Greetings master postfixers, > >> > >> I am trying to solve a forwarding problem. I have two separate amavis > >> instanceson my edge MX that each do spam-checking: one incoming > >> (obvious), one outgoing (our users aren't too good about keeping their > >> computers zombie-free). > >> > >> For the particular case where mail passes the gateway, arrives locally, > >> whereupon it's discovered that it should be forwarded to an external > >> address, I do NOT want it to get re-scanned by the outgoing amavis > >> instance, but rather sent straight through. So, I need to route it > >> differently by choosing an alternate transport (which I will just set up > >> as a special, 'pre-screened' smtp listening port.) However, how do I > >> identify / capture this stream of forwarded mail? Right now, to the > >> outgoing MX/amavis gateway, it looks exactly like it originated from the > >> inside, rather than having been forwarded. > >> > >> mysql_virtual_alias_maps, which I'm using, did not have any helpful > >> references (because aliases are general, not necessarily external), nor > >> did several Google's about forwarding magic. The entry points for the inbound MTA are inbound.clean and inbound.dirty. The entry points for the outbound MTA are outbound.clean and outbound.dirty. Mail received on the dirty entry points is filtered. Receive all mail from remote senders on inbound-dirty. Receive all mail from local senders on outbound-dirty. Configure the inbound MTA with a "relayhost" setting of outbound-clean. Configure the outbound MTA to send local mail to inbound-clean. Wietse > > For line two: it's my local MX, not my edge MX, that welcomes local > users via the auth'd SSL'd submission port. I guess this is > 'outbound-dirty'. In order to ensure these messages are filtered, I have > to run amavis on that same host, correct? So that now amavis is running > on the local MX, rather than the edge MX? (Hoping to only run amavis there.) > > I hope I'm not garbling the solution. > > -Daniel > OK I believe I've worked out your solution. However my setup is different. I am not specializing my MTAs for outbound/inbound. I have a public MX that receives mail on inbound-dirty, filters it on inbound-filter, and sends it to inbound-clean on the private MX, (which is also the IMAP server so it gets delivered locally). The public MX also receives mail from the private MX on outbound-dirty-internal, filters it on outbound-filter, determines where it should go, and either sends it outbound to the world or back to the private MX on inbound-clean. The private MX receives mail from local users on outbound-dirty-local, only performing authentication, and merely forwards it to the private MX on outbound-dirty-internal. This way, the spam filtering (both instances) only run on one host, which does not have any IMAP, SSL, or authentication responsibilities. When I edit my spam rules or train Bayes, etc., I only have to do it on one host. This is my attempt at specialization. Should I switch to the outbound/inbound model and run a filter on each host? That would require a lot of re-wiring. It implies the public MX, the inbound MTA, also be the IMAP host because that's where inbound-clean mail goes. (Unless I have a third host that only does IMAP and recieves in from the inbound MTA via LMTP.) -Daniel
Re: Fwd: routing externally forwarded mail differently than internally originated mail
Daniel Bromberg: > > > > >> Greetings master postfixers, > > > >> > > > >> I am trying to solve a forwarding problem. I have two separate amavis > > > >> instanceson my edge MX that each do spam-checking: one incoming > > > >> (obvious), one outgoing (our users aren't too good about keeping > > their > > > >> computers zombie-free). > > > >> > > > >> For the particular case where mail passes the gateway, arrives > > locally, > > > >> whereupon it's discovered that it should be forwarded to an external > > > >> address, I do NOT want it to get re-scanned by the outgoing amavis > > > >> instance, but rather sent straight through. So, I need to route it > > > >> differently by choosing an alternate transport (which I will just > > set up > > > >> as a special, 'pre-screened' smtp listening port.) However, how do I > > > >> identify / capture this stream of forwarded mail? Right now, to the > > > >> outgoing MX/amavis gateway, it looks exactly like it originated > > from the > > > >> inside, rather than having been forwarded. > > > >> > > > >> mysql_virtual_alias_maps, which I'm using, did not have any helpful > > > >> references (because aliases are general, not necessarily > > external), nor > > > >> did several Google's about forwarding magic. > > > > The entry points for the inbound MTA are inbound.clean and inbound.dirty. > > > > The entry points for the outbound MTA are outbound.clean and > > outbound.dirty. > > > > Mail received on the dirty entry points is filtered. > > > > Receive all mail from remote senders on inbound-dirty. > > > > Receive all mail from local senders on outbound-dirty. > > > > Configure the inbound MTA with a "relayhost" setting of outbound-clean. > > > > Configure the outbound MTA to send local mail to inbound-clean. > > > > Wietse > > OK I believe I've worked out your solution. However my setup is > different. I am not specializing my MTAs for outbound/inbound. > I have a public MX that receives mail on inbound-dirty, filters it on > inbound-filter, and sends it to inbound-clean on the private MX, (which > is also the IMAP server so it gets delivered locally). There is only so much that a single Postfix instance can accomplish without kludges, and I will not give advice with kludges. The solution that I outline is robust because it uses separate Postfix instances for inbound and outbound mail. Each MTA can send cleaned mail to the other MTA's "clean" entry point. Wietse
Re: retirement
On 3/15/2015 10:04 PM, John Allen wrote: Retirement - Mine. I have finally persuaded my family that it would be a good idea to give up on the family server. I have two, probably minor, problems 1. informing senders of recipients address change. 2. redirect to recipients new address. 3. how to transfer existing imap folders to new service - probably gmail. Not all existing user want to to continue receiving email. 1. can probably be achieved with a relocation map, but I am not sure how to combine it wit 2 and possibly 3. Thanks for the input. I was going to go with a variation on the imapsync, sending everybody a notice of the address changes. However, FYI, I am not retiring, I am allowed to retire. Maybe I can get my grandson to take over. Once I started to do something about this family panic set in, you probably heard the howls of protest if you lived in Antarctica. Once again thanks for the input! -- John Allen KlaM OK, so what is the speed of dark? smime.p7s Description: S/MIME Cryptographic Signature
R: R: Strange behaviour of my multi-instance server
Thanks Dr. Venema. I'll try these settings (in particular for relay client in master.cf of each instance). However, here below a snippet of an email sent to yahoo where the problem is more evident: [...] X-Originating-IP: [xxx.xxx.xxx.79] Received: from 127.0.0.1 (EHLO mx4.DOMAIN1.it) (xxx.xxx.xxx.79) by mta1163.mail.ir2.yahoo.com with SMTP; Thu, 19 Mar 2015 14:47:00 + [...] As i wrote, my client connects to (and send email through) mx4.mydomain.it (IP= xxx.xxx.xxx.80) BUT email header contains an EHLO host whose IP (xxx.xxx.xxx.80) is different from IP between parenteses (xxx.xxx.xxx.79 whose correct reverse is mx7.DOMAIN1.it). While, this is what I find in email sent to gmail (that is CORRECT: FROM hostname and IP are consistent!!!): [...] Received: from mx4.DOMAIN1.it (mx4.DOMAIN1.it. [xxx.xxx.xxx.80]) by mx.google.com with ESMTP id pe8si4041037wic.94.2015.03.19.10.25.18 for ; [...] Why this problem? Attached you'll find the main/master.cf of the 2 instances that seem to be problematic. Thank you. -Francesco --- Questa e-mail è stata controllata per individuare virus con Avast antivirus. http://www.avast.com INSTANCE 2) MAIN.CF queue_directory = /var/spool/postfix-4 command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix-4 mail_owner = postfix myhostname = mx4.DOMAIN1.it inet_interfaces = xxx.xxx.xxx.80, localhost unknown_local_recipient_reject_code = 550 relay_domains = DOMAIN1.it, DOMAIN2.it multi_instance_group = mta multi_instance_name = postfix-4 multi_instance_enable = yes master_service_disable = authorized_submit_users = root strict_rfc821_envelopes = yes disable_vrfy_command = yes smtpd_helo_required = yes smtpd_client_restrictions = smtpd_helo_restrictions = smtpd_sender_restrictions = smtpd_end_of_data_restrictions = smtp_sender_dependent_authentication = yes strict_rfc821_envelopes = yes disable_vrfy_command = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases header_checks = regexp:/etc/postfix/header_checks transport_maps = hash:/etc/postfix/transport veryslow_destination_rate_delay = 3s slow_destination_rate_delay = 1s smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept MASTER.CF == xxx.xxx.xxx.80:smtp inet n - n - 10 smtpd smtp unix - - n - - smtp -o syslog_name=postfix-smtp80 -o smtp_helo_name=mx4.DOMAIN1.it -o myhostname=mx4.DOMAIN1.it -o smtp_bind_address=xxx.xxx.xxx.80 veryslow unix - - n - - smtp -o smtp_fallback_relay= slow unix - - n - - smtp -o smtp_fallback_relay= [...]INSTANCE 1) MAIN.CF queue_directory = /var/spool/postfix-3 command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix-3 mail_owner = postfix myhostname = mx7.DOMAIN1.it (IP of this host=xxx.xxx.xxx.79) inet_interfaces = xxx.xxx.xxx.79, localhost unknown_local_recipient_reject_code = 550 mynetworks = xxx.xxx.xxx.81/32, xxx.xxx.xxx.79/32, 127.0.0.0/8 relay_domains = DOMAIN1.it, DOMAIN2.it multi_instance_group = mta multi_instance_name = postfix-3 multi_instance_enable = yes master_service_disable = authorized_submit_users = root strict_rfc821_envelopes = yes disable_vrfy_command = yes smtpd_helo_required = yes smtpd_client_restrictions = smtpd_helo_restrictions = smtpd_sender_restrictions = smtpd_end_of_data_restrictions = smtp_sender_dependent_authentication = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases header_checks = regexp:/etc/postfix/header_checks transport_maps = hash:/etc/postfix/transport veryslow_destination_rate_delay = 3s slow_destination_rate_delay = 1s smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept MASTER.CF == # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after edi
Re: R: R: Strange behaviour of my multi-instance server
On Thu, Mar 19, 2015 at 06:31:50PM +0100, i...@itrezero.it wrote: > However, here below a snippet of an email sent to yahoo where the problem is > more evident: > > [...] > X-Originating-IP: [xxx.xxx.xxx.79] > Received: from 127.0.0.1 (EHLO mx4.DOMAIN1.it) (xxx.xxx.xxx.79) > by mta1163.mail.ir2.yahoo.com with SMTP; Thu, 19 Mar 2015 14:47:00 + > [...] You're still wasting everyone's time by not providing the corresponding Postfix log entries in full. > myhostname = mx4.DOMAIN1.it > inet_interfaces = xxx.xxx.xxx.80, localhost At most one instance should list "localhost" in inet_interfaces, probably only the "default" one (/etc/postfix). > MASTER.CF > == > xxx.xxx.xxx.80:smtp inet n - n - 10 smtpd > smtp unix - - n - - smtp > -o syslog_name=postfix-smtp80 > -o smtp_helo_name=mx4.DOMAIN1.it > -o myhostname=mx4.DOMAIN1.it > -o smtp_bind_address=xxx.xxx.xxx.80 > veryslow unix - - n - - smtp > -o smtp_fallback_relay= > slow unix - - n - - smtp > -o smtp_fallback_relay= What are these "slow" and "veryslow" transports? Did you set "smtp_bind_address" for these also? > inet_interfaces = xxx.xxx.xxx.79, localhost See above. > smtp unix - - n - - smtp > -o syslog_name=postfix-smtp79 > -o smtp_helo_name=mx7.DOMAIN1.it > -o myhostname=mx7.DOMAIN1.it > -o smtp_bind_address=xxx.xxx.xxx.79 > veryslow unix - - n - - smtp > -o smtp_fallback_relay= > slow unix - - n - - smtp > -o smtp_fallback_relay= Sure looks like you don't understand that each instance of an smtp(8) transport needs all the relevant settings specified. There's no "inheritance" between "smtp" and "slow" for example. -- Viktor.
Default actions on restrictions
Hi, I am trying to set up authentication on 587 and I'm struggling with the postfix implementation in ClearOS. I have a restriction: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client 2.0.0.127.b.barracudacentral.org, permit But when I make certain changes it adds , check_policy_service unix:/var/spool/postfix/postgrey/socket to the end of it. Postfix then throws an error saying there is no point adding anything after a "permit" instruction. I filed a bug with ClearOS but their response is that they use a standard "postconf" tool rather than their own script. This has me wondering, is there any need to have a "permit" statement at the end of smtpd_recipient_restrictions? If not, then it would get round the issue irrespective of any discussion of whether it was a postconf tool bug or not. Similarly I have permit at the end of smtpd_sender_restrictions and smtpd_helo_restrictions. Is it necessary? FWIW postfix is at version 2.6.6 TIA, Nick
Re: Default actions on restrictions
> Am 19.03.2015 um 21:16 schrieb Nick Howitt : > > Hi, > > I am trying to set up authentication on 587 and I'm struggling with the > postfix implementation in ClearOS. I have a restriction: > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, > reject_unknown_recipient_domain, reject_unauth_pipelining, > reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, > reject_non_fqdn_recipient, reject_unauth_destination, reject_rbl_client > zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client > 2.0.0.127.b.barracudacentral.org, permit > But when I make certain changes it adds > , check_policy_service unix:/var/spool/postfix/postgrey/socket > to the end of it. Postfix then throws an error saying there is no point > adding anything after a "permit" instruction. I filed a bug with ClearOS but > their response is that they use a standard "postconf" tool rather than their > own script. This has me wondering, is there any need to have a "permit" > statement at the end of smtpd_recipient_restrictions? If not, then it would > get round the issue irrespective of any discussion of whether it was a > postconf tool bug or not. > No there is no Need for the permit on the end. It will ne there by default. Take a Look at http://www.postfix.org/SMTPD_ACCESS_README.html for more Details. > Similarly I have permit at the end of smtpd_sender_restrictions and > smtpd_helo_restrictions. Is it necessary? > > FWIW postfix is at version 2.6.6 > Cheers André > TIA, > > Nick
Re: How to allow each user on an Ubuntu server use his/her google email and password to send the email via google smtp?
On Thu, Mar 19, 2015 at 10:17:20AM +0100, Michael Storz wrote: > >They've replaced the envelope and header "From:" address with the > >gmail account address. Replies and bounces go to the email address > >for the login account, not the envelope sender. This is not a > >multi-user solution (yes it works fine for system accounts on a > >personal machine). > > I checked my logs and I am finding a lot of mails which come from a Google > mail server, where the "Mail From:" contains u...@gmail.com and the > From-Header is user@private_domain. Therefore this mapping is not made for > all mails. Which merely goes to confirm what I said, the OP's problem is not a Postfix problem, it is a Gmail account provisioning problem, or alternatively a user re-education problem. Choose one. * Gmail Apps domain account setup provisions a server login or other access mechanism that allows the server to send as multiple Gmail users. OR * Users submit directly via Gmail, obviating any need to route via Gmail on the server. OR * Users' outgoing email from the server is not addressed with Gmail sender addresses. Replies go back to the server. -- Viktor.
Re: Postfix / OpenSSL signal 11 on delivery from ebay
On Thu, Mar 19, 2015 at 10:10:13AM +0100, ?ukasz W?sikowski wrote: > postfix-2.11.4,1 with DOVECOT2, MYSQL, PCRE and TLS. > ... > Postfix config: http://pastebin.com/EimdRvyf > Postfix debug log: http://pastebin.com/imN0ud9X > GDB backtrace: http://pastebin.com/jDaJrqty Please avoid pastebin in the future. There's a bug in your SSL library. It crashes in zlib's deflate() called via SSL_accept(). http://archives.neohapsis.com/archives/postfix/2014-02/thread.html#266 which leads to (again FreeBSD): http://archives.neohapsis.com/archives/postfix/2013-10/0444.html You can sweep the problem under the rug by disabling compression in OpenSSL. http://www.postfix.org/postconf.5.html#tls_ssl_options tls_ssl_options = NO_COMPRESSION But it sure looks like FreeBSD has some DLL-hell problems. (gdb) bt #0 0x000801863a8f in deflateSetDictionary () from /lib/libz.so.6 #1 0x000801866035 in deflateCopy () from /lib/libz.so.6 #2 0x000801864d52 in deflate () from /lib/libz.so.6 #3 0x000800f4c889 in zlib_stateful_compress_block (ctx=, out=, olen=17408, in=, ilen=) at c_zlib.c:207 #4 0x000800f4ba39 in COMP_compress_block (ctx=0x803063a80, out=0x803174000 "\024", olen=13556, in=0x34f4 , ilen=16) at comp_lib.c:46 #5 0x000800b97b9b in do_ssl3_write (s=0x803058d00, type=22, buf=0x803106000 "\024", len=16, create_empty_fragment=0) at s3_pkt.c:584 #6 0x000800b977c2 in ssl3_write_bytes (s=0x803058d00, type=22, buf_=0x803106000, len=) at s3_pkt.c:646 #7 0x000800b994d9 in ssl3_do_write (s=0x803058d00, type=22) at s3_both.c:132 #8 0x000800b89206 in ssl3_accept (s=0x803058d00) at s3_srvr.c:792 #9 0x0042ed5c in tls_bio (fd=18, timeout=300, TLScontext=0x8030402d0, hsfunc=0x40676c , rfunc=0, wfunc=0, buf=0x0, num=0) at tls_bio_ops.c:198 #10 0x0042c975 in tls_server_start (props=0x7fffd430) at tls_server.c:778 #11 0x00409328 in smtpd_start_tls (state=0x7fffd608) at smtpd.c:4226 #12 0x0040b525 in starttls_cmd (state=0x7fffd608, argc=1, unused_argv=0x80303c800) at smtpd.c:4437 #13 0x00408d51 in smtpd_proto (state=0x7fffd608) at smtpd.c:4854 #14 0x00407203 in smtpd_service (stream=0x803036a90, service=0x7fffeef0 "smtpd", argv=0x7fffed40) at smtpd.c:4989 #15 0x0042b07f in single_server_wakeup (fd=18, attr=0x8030da860) at single_server.c:278 #16 0x0042ae6c in single_server_accept_pass (unused_event=1, context=0x6 ) at single_server.c:361 #17 0x00472138 in event_loop (delay=-1) at events.c:1182 #18 0x0042aa9a in single_server_main (argc=6, argv=0x7fffed10, service=0x406f30 ) at single_server.c:772 #19 0x00406f29 in main (argc=6, argv=0x7fffed10) at smtpd.c:5484 (gdb) quit Report this bug to the FreeBSD maintainers. -- Viktor.
Re: Default actions on restrictions
On Thu, Mar 19, 2015 at 08:16:26PM +, Nick Howitt wrote: > I am trying to set up authentication on 587 and I'm struggling with the > postfix implementation in ClearOS. I have a restriction: > >smtpd_recipient_restrictions = > permit_mynetworks, > permit_sasl_authenticated, > reject_unknown_recipient_domain, > reject_unauth_pipelining, > reject_invalid_hostname, > reject_non_fqdn_hostname, > reject_non_fqdn_sender, > reject_non_fqdn_recipient, > reject_unauth_destination, > reject_rbl_client zen.spamhaus.org, > reject_rbl_client bl.spamcop.net, > reject_rbl_client 2.0.0.127.b.barracudacentral.org, > permit > > But when I make certain changes it adds > > , check_policy_service unix:/var/spool/postfix/postgrey/socket > > to the end of it. Postfix then throws an error saying there is no point > adding anything after a "permit" instruction. I filed a bug with ClearOS > but their response is that they use a standard "postconf" tool rather than > their own script. This response is nonsense. if they simply append to whatever happens to be in your recipient restrictions, expecting that to do something useful, that's an all too naive approach. Just because there happens to be a "postconf -e" command that makes it possible to do the wrong thing, does not mean that they are off the hook for misusing it. With recipient restrictions one needs to either build the whole thing or leave it alone. This sort of thing would be easier if one could add new top-level restriction classes (evaluated independently of client, helo, sender, relay, recipient, data and end_of_data restrictions) however there's not been much demand for that feature to date. # New top-level restrictions to evaluate at RCPT TO: smtpd_rcpt_restriction_classes = ..., smptd_foo_restrictions # Nested classes smtpd_restriction_classes = ..., foo_whitelist # User customizable, default empty foo_whitelist = # Maintainer definition "foo" instance. smtpd_foo_restrictions = foo_whitelist, Packages that want to add restrictions would then use their own "foo" class. -- Viktor.
