Re: trying to figure out regex for custom_header checks
Hi,

On 2015-08-20 00:44, Ben Greenfield wrote:
>> On Aug 19, 2015, at 5:43 PM, Viktor Dukhovni wrote:
>> On Wed, Aug 19, 2015 at 04:14:10PM -0400, Ben Greenfield wrote:
>>>> First explain the problem, rather than the solution.
>>> We receive a lot of spam that have very rare top level domains .site, .link, .website, .eu.
>> It is wrong to black TLDs, even if initially they appear to mostly
>> send spam.
> It is quick and effective and my thinking was that if a legitimate
> domain gets rejected I would add it a specific ACCEPT above the reject
> in the custom header check. It may be a bad plan

This seems like a bad plan to me. How do you plan to get notice of a blocked,
but legitimate, domain when you block all of them?
Go through your logs and check every entry? Rely on your users?

>> Instead, try to improve your content filters.
> The spam that is getting through doesn’t have any spam score from
> spamassassin I guess I should ensure that they aren’t circumventing
> the evaluation in some way.

For example there is postscreen which can reduce your spam count
significantly and has the added benefit that it's lightweight in front of
your actual smtpd, thus should reduce your server load, as less mail would
need to be handled by spamassassin...
see: http://www.postfix.org/POSTSCREEN_README.html

>> Whatever content scoring system is built-in to the Mac-OS/X Mail.app
>> client, for example, identifies the vast majority of my spam without
>> blocking any TLDs.
> I would like to be doing this on the server before it reaches the client.
> Thank you,
> Ben
>> --
>> Viktor.
haproxy enablement issues
Hello,

I am using v2.11.6 on CentOS 5 (and 6 and 7), without postscreen (it's a final destination server, not accepting mail from the Internet).

I have tried enabling the proxy protocol to make postfix log correctly user data when connections arrive from our haproxy proxy (currently in test mode).

So, I added (in main.cf) the directive:

   smtpd_upstream_proxy_protocol = haproxy

and I expected that things would continue as they normally do, except when a connection originates from our haproxy server (which lies on a different network), in which case postfix would log the client IP Address rather than the proxy's address.

But as soon as I reloaded postfix (after the above change), postfix stopped accepting normal connections:

Aug 19 17:13:54 vmail postfix/postfix-script[24279]: refreshing the Postfix mail system
Aug 19 17:13:55 vmail postfix/master[22272]: reload -- version 2.11.6, configuration /etc/postfix
Aug 19 17:14:09 vmail postfix/smtpd[24327]: warning: haproxy read: timeout error
Aug 19 17:14:09 vmail postfix/smtpd[24327]: connect from unknown[unknown]
Aug 19 17:14:09 vmail postfix/smtpd[24327]: disconnect from unknown[unknown]
Aug 19 17:14:12 vmail postfix/smtpd[24330]: warning: haproxy read: timeout error
Aug 19 17:14:12 vmail postfix/smtpd[24330]: connect from unknown[unknown]
Aug 19 17:14:12 vmail postfix/smtpd[24330]: disconnect from unknown[unknown]
...

If I understand right, it seems as if postfix is trying to read from a haproxy each and every time, whereas in fact it should do so only when a connection originates from a haproxy proxy.

Am I doing something wrong? Should I configure things differently?

Please advise.

Thanks in advance,
Nick
SMTPUTF8 usage
HI!

Does anybody here have experience with current usage of SMTPUTF8?
I have a discussion whether that's already used in the wild or not.

Given that e.g. SUSE Linux builds of postfix are currently not linked to
libicu I assume that SMTPUTF8 is currently not widely used.
How about other platforms?

Ciao, Michael.
Re: haproxy enablement issues
Nikolaos Milas:
> Aug 19 17:13:54 vmail postfix/postfix-script[24279]: refreshing the
> Postfix mail system
> Aug 19 17:13:55 vmail postfix/master[22272]: reload -- version 2.11.6,
> configuration /etc/postfix
> Aug 19 17:14:09 vmail postfix/smtpd[24327]: warning: haproxy read:
> timeout error

Postfix does not receive text followed by newline within the
time limit (1 second).

In other words the proxy doesn't send the HAPROXY header line.
That does not happen automatically. You need to turn it on.

	Wietse
Re: SMTPUTF8 usage
Michael Ströder:
> HI!
>
> Does anybody here have experience with current usage of SMTPUTF8?
> I have a discussion whether that's already used in the wild or not.
>
> Given that e.g. SUSE Linux builds of postfix are currently not linked to
> libicu I assume that SMTPUTF8 is currently not widely used.
> How about other platforms?

What mail products are SMTPUTF8-compliant at this time?

	Wietse
Re: trying to figure out regex for custom_header checks
Hello,

> On Aug 20, 2015, at 3:14 AM, Christian Kivalo wrote:
>
> Hi,
>
> On 2015-08-20 00:44, Ben Greenfield wrote:
>>> On Aug 19, 2015, at 5:43 PM, Viktor Dukhovni wrote:
>>> On Wed, Aug 19, 2015 at 04:14:10PM -0400, Ben Greenfield wrote:
>>>>> First explain the problem, rather than the solution.
>>>> We receive a lot of spam that have very rare top level domains .site, .link, .website, .eu.
>>> It is wrong to black TLDs, even if initially they appear to mostly
>>> send spam.
>> It is quick and effective and my thinking was that if a legitimate
>> domain gets rejected I would add it a specific ACCEPT above the reject
>> in the custom header check. It may be a bad plan
>
> This seems like a bad plan to me. How do you plan to get notice of a blocked,
> but legitimate, domain when you block all of them?
> Go through your logs and check every entry? Rely on your users?

Yes, that is how I found out my .eu regex was wrong. My rejection message tells the sender to get in touch.

>
>>> Instead, try to improve your content filters.
>> The spam that is getting through doesn’t have any spam score from
>> spamassassin I guess I should ensure that they aren’t circumventing
>> the evaluation in some way.
>
> For example there is postscreen which can reduce your spam count
> significantly and has the added benefit that it's lightweight in front of
> your actual smtpd, thus should reduce your server load, as less mail would
> need to be handled by spamassassin...
> see: http://www.postfix.org/POSTSCREEN_README.html

I’m definitely using some of the features of postscreen and I’m trying to figure out which features if any could filter more mail. I keep reviewing that how-to to determine if there is more I can do.

Thanks,
Ben

>>> Whatever content scoring system is built-in to the Mac-OS/X Mail.app
>>> client, for example, identifies the vast majority of my spam without
>>> blocking any TLDs.
>> I would like to be doing this on the server before it reaches the client.
>> Thank you,
>> Ben
>>> --
>>> Viktor.
RE: Postfix multi instance for incoiming and outgoing mail
Hmm, for me, this would be overkill. But, I guess it depends on how much mail you plan on processing.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of NFXDD
Sent: Saturday, August 15, 2015 1:48 AM
To: postfix-users@postfix.org
Subject: Re: Postfix multi instance for incoiming and outgoing mail

Something else as well. Is an in-out multi instance solution like this a good solution for an i7-3770 CPU @ 3.40GHz, 8 cores + 16gb RAM + 250ssd system like this?
Re: SMTPUTF8 usage
wie...@porcupine.org (Wietse Venema) wrote:
> Michael Ströder:
>> Does anybody here have experience with current usage of SMTPUTF8?
>> I have a discussion whether that's already used in the wild or not.
>>
>> Given that e.g. SUSE Linux builds of postfix are currently not linked to
>> libicu I assume that SMTPUTF8 is currently not widely used.
>> How about other platforms?
>
> What mail products are SMTPUTF8-compliant at this time?

Good question.

I see that it's planned for upcoming exim 4.86:
https://bugs.exim.org/show_bug.cgi?id=1516
But it's not in the ChangeLog of that release.

So I interpret your question as an answer:
SMTPUTF8 is currently not widely used. ;-)

Ciao, Michael.
Re: SMTPUTF8 usage
On August 20, 2015 2:48:33 PM wie...@porcupine.org (Wietse Venema) wrote:

>> Does anybody here have experience with current usage of SMTPUTF8?
>> I have a discussion whether that's already used in the wild or not.
>>
>> Given that e.g. SUSE Linux builds of postfix are currently not linked to
>> libicu I assume that SMTPUTF8 is currently not widely used.
>> How about other platforms?
>
> What mail products are SMTPUTF8-compliant at this time?

will it ever be needed?, with idn domains it already encoded into 7bit, is postfix translate this to utf8?, don't know here since thunderbird works with idn domains and postfix

note that windows xp do work with idn encode dns names, will dns providers have to use utf8 to have windows xp need to upgrade?

we will imho lose if there will be 2 encoding standards used in mail :(
Re: SMTPUTF8 usage
Michael Ströder:
> wie...@porcupine.org (Wietse Venema) wrote:
> > Michael Ströder:
> >> Does anybody here have experience with current usage of SMTPUTF8?
> >> I have a discussion whether that's already used in the wild or not.
> >>
> >> Given that e.g. SUSE Linux builds of postfix are currently not linked to
> >> libicu I assume that SMTPUTF8 is currently not widely used.
> >> How about other platforms?
> >
> > What mail products are SMTPUTF8-compliant at this time?
>
> Good question.
>
> I see that it's planned for upcoming exim 4.86:
> https://bugs.exim.org/show_bug.cgi?id=1516
> But it's not in the ChangeLog of that release.
>
> So I interpret your question as an answer:
> SMTPUTF8 is currently not widely used. ;-)

10 years ago, IPv6 implementation was driven by the concern that
everyone was going to suffer from unavailable IP addresses.

SMTPUTF8 is a usability upgrade for non-ASCII email addresses
(localparts and domains). 10 years from now I expect that most email
products will support internationalized email addresses (whether
specified by SMTPUTF8 or some later standard).

	Wietse
Re: SMTPUTF8 usage
* on the Thu, Aug 20, 2015 at 05:36:38PM +0200, Benny Pedersen wrote:

>> What mail products are SMTPUTF8-compliant at this time?
> will it ever be needed?, with idn domains it already encoded into 7bit,
> is postfix translate this to utf8?, don't know here since thunderbird works
> with idn domains and postfix

SMTPUTF8 allows for UTF-8 characters in email address local parts. This is pretty important for most of the people in the World who might want to use Email.

--
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: SMTPUTF8 usage
wie...@porcupine.org (Wietse Venema) wrote:
> Michael Ströder:
>> So I interpret your question as an answer:
>> SMTPUTF8 is currently not widely used. ;-)
>
> 10 years ago, IPv6 implementation was driven by the concern that
> everyone was going to suffer from unavailable IP addresses.
>
> SMTPUTF8 is a usability upgrade for non-ASCII email addresses
> (localparts and domains). 10 years from now I expect that most email
> products will support internationalized email addresses (whether
> specified by SMTPUTF8 or some later standard).

Thanks for confirming my own estimation. :-)

Ciao, Michael.
Re: SMTPUTF8 usage
Quoting Mike Cardwell:

> * on the Thu, Aug 20, 2015 at 05:36:38PM +0200, Benny Pedersen wrote:
>
>>> What mail products are SMTPUTF8-compliant at this time?
>> will it ever be needed?, with idn domains it already encoded into 7bit,
>> is postfix translate this to utf8?, don't know here since thunderbird works
>> with idn domains and postfix
>
> SMTPUTF8 allows for UTF-8 characters in email address local parts. This is
> pretty important for most of the people in the World who might want to use
> Email.

The E-Mail address is simply a routing token, not the name of the owner or some descriptive text. UTF8 is important for the realname where people really need to type in all kinds of charsets.

Regards

Andreas
Re: SMTPUTF8 usage
Michael Ströder wrote:
> Does anybody here have experience with current usage of SMTPUTF8?
> I have a discussion whether that's already used in the wild or not.

Google does support SMTPUTF8 :

$ host -t mx gmail.com
gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.

$ telnet gmail-smtp-in.l.google.com 25
Trying 2a00:1450:400c:c04::1a...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP gk19si9434995wjc.187 - gsmtp
ehlo test
250-mx.google.com at your service, [...]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
quit

Apparently also a commercial mailer Momentum supports it.

Mark
Re: haproxy enablement issues
On 20/8/2015 2:41 μμ, Wietse Venema wrote:

> Postfix does not receive text followed by newline within the
> time limit (1 second).
>
> In other words the proxy doesn't send the HAPROXY header line.
> That does not happen automatically. You need to turn it on.

It is turned on the proxy itself, but the log lines listed are from other clients, not from the proxy!

With the setting:

   smtpd_upstream_proxy_protocol = haproxy

does postfix expect the HAPROXY header line from ALL clients? If so, how can we enforce the above setting e.g. ONLY for the ip address(es) of the proxy?

Please clarify.

Thanks,
Nick
Re: haproxy enablement issues
On Thu, Aug 20, 2015 at 10:24:26PM +0300, Nikolaos Milas wrote:

> With the setting:
>
>    smtpd_upstream_proxy_protocol = haproxy
>
> does postfix expect the HAPROXY header line from ALL clients?

Yes.

> If so, how can
> we enforce the above setting e.g. ONLY for the ip address(es) of the proxy?

Have the proxy connect to a dedicated smtpd(8) instance in master.cf
listening on a dedicated ip/port. Allow only the proxy to connect
there, and turn on haproxy support for just that instance.

--
	Viktor.
Re: haproxy enablement issues
Nikolaos Milas:
> On 20/8/2015 2:41 μμ, Wietse Venema wrote:
>
> > Postfix does not receive text followed by newline within the
> > time limit (1 second).
> >
> > In other words the proxy doesn't send the HAPROXY header line.
> > That does not happen automatically. You need to turn it on.
>
> It is turned on the proxy itself, but the log lines listed are from
> other clients, not from the proxy!

You can't mix HaProxy clients with SMTP clients. Use different
master.cf services for HaProxy clients and SMTP clients.

	Wietse
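An illustration of the behaviour explained in the haproxy replies above, added here and not taken from Postfix or from any poster: a listener that expects a PROXY protocol version 1 line on every connection, fed by a proxy, by an ordinary SMTP client that waits silently for the greeting, and by a client that sends SMTP first. The function names, the constructed addresses and the short 0.2 s demo timeout are assumptions; the header layout and 107-byte limit follow the PROXY protocol v1 format.

```python
import ipaddress
import socket

MAX_V1_LINE = 107  # longest PROXY v1 line, CRLF included, per the protocol spec

def read_proxy_header(conn, timeout=1.0):
    """Return (client_ip, client_port) from a PROXY v1 line, else raise."""
    conn.settimeout(timeout)
    line = b""
    # Read one byte at a time so no SMTP data after the header is consumed.
    while not line.endswith(b"\r\n"):
        if len(line) >= MAX_V1_LINE:
            raise ValueError("header line too long")
        byte = conn.recv(1)  # raises socket.timeout when the peer stays silent
        if not byte:
            raise ValueError("peer closed before sending a header")
        line += byte
    fields = line[:-2].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("not a PROXY v1 TCP header")
    src = ipaddress.ip_address(fields[2])  # ValueError on a malformed address
    ipaddress.ip_address(fields[3])
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport

def simulate(first_bytes, timeout=0.2):
    """Send first_bytes from a fake peer and report how the listener reacts."""
    peer, listener = socket.socketpair()
    try:
        if first_bytes:
            peer.sendall(first_bytes)
        try:
            ip, port = read_proxy_header(listener, timeout)
            return "connect from [%s]:%d" % (ip, port)
        except socket.timeout:
            return "header read timeout"
        except ValueError as exc:
            return "rejected: %s" % exc
    finally:
        peer.close()
        listener.close()

# Constructed inputs (documentation address ranges), not taken from the thread.
PROXY_PEER = b"PROXY TCP4 192.0.2.45 198.51.100.7 51234 25\r\nEHLO relay\r\n"
SILENT_SMTP_CLIENT = b""         # a normal SMTP client waits for the 220 banner
EARLY_TALKER = b"EHLO test\r\n"  # SMTP sent where the header was expected

if __name__ == "__main__":
    for sample in (PROXY_PEER, SILENT_SMTP_CLIENT, EARLY_TALKER):
        print(simulate(sample))
```

Because the listener believes whatever address the header carries, the port that reads it has to be reachable by the proxy alone, which is the reason for the dedicated master.cf service.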
Re: SMTPUTF8 usage
On Thu, 20 Aug 2015 19:01:48 +0200, Mark Martinec stated:

> Michael Ströder wrote:
> > Does anybody here have experience with current usage of SMTPUTF8?
> > I have a discussion whether that's already used in the wild or not.
>
> Google does support SMTPUTF8 :
>
>
> $ host -t mx gmail.com
> gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
> gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
> gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
> gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
> gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
>
> $ telnet gmail-smtp-in.l.google.com 25
> Trying 2a00:1450:400c:c04::1a...
> Connected to gmail-smtp-in.l.google.com.
> Escape character is '^]'.
> 220 mx.google.com ESMTP gk19si9434995wjc.187 - gsmtp
> ehlo test
> 250-mx.google.com at your service, [...]
> 250-SIZE 35882577
> 250-8BITMIME
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> quit

"outlook.com" has no support.

250-BLU436-SMTP191.smtp.hotmail.com Hello [174.109.28.112]
250-TURN
250-SIZE 41943040
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250 OK

--
Jerry