sender_access question

2017-08-30 Thread mbridgett
Hi, 

This is the first time I have configured sender_access blacklisting -
although it works fine - i.e. the specific email address I have chosen to
blacklist gets their email blocked with /var/log/messages noting it as
"Sender address rejected:access denied".  I notice that after an hour has
gone by- the email is attempted to be delivered again.   Maybe I have missed
a subtlety here but I thought a REJECT would immediately return the message
to the sender but that doesn't appear to be the case.  

I guess my question is - how many times will the message be attempted to be
re-delivered, with my mail server rejecting it - until it will eventually be
returned as undeliverable? 

So far it's been 48 hours and I am still getting delivery attempts. 

Just wondering if this is another way of rejecting the email without this
continually attempted delivery? 

Thanks 
Mark 



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: sender_access question

2017-08-30 Thread Dominic Raferd
On 30 August 2017 at 10:30, mbridgett  wrote:

> Hi,
>
> This is the first time I have configured sender_access blacklisting -
> although it works fine - i.e. the specific email address I have chosen to
> blacklist gets their email blocked with /var/log/messages noting it as
> "Sender address rejected:access denied".  I notice that after an hour has
> gone by- the email is attempted to be delivered again.   Maybe I have
> missed
> a subtlety here but I thought a REJECT would immediately return the message
> to the sender but that doesn't appear to be the case.
>
> I guess my question is - how many times will the message be attempted to be
> re-delivered, with my mail server rejecting it - until it will eventually
> be
> returned as undeliverable?


With 'REJECT' action Postfix will have sent code $access_map_reject_code
(default 554) back to the sending server and so that server should not
attempt to send the same email again - see
http://www.postfix.org/access.5.html. Of course if the sending server is
badly-configured or malicious it may well ignore the code and try to resend
the email or (more likely) send similar (but technically different) emails.
There is nothing further that Postfix can do to stop this happening.

If the offending emails are all coming from the same ip you could ban this
ip with iptables / ufw. A less drastic strategy is to use fail2ban jobs to
block offenders on a temporary basis. But since Postfix is already blocking
the emails from this sender there is no need to do either.


Re: sender_access question

2017-08-30 Thread mbridgett
Thanks for the comprehensive explanation.  What's strange is it's happening
for example to my gmail account (which I was using to test sender_access) as
well and I would have expected their mail servers to "behave".  Theirs seems
to retry at random periods between 90 minutes and two hours.  I sent a test
email over 12 hours ago and gmail keeps trying to re-deliver.

Also I note that my Postfix doesn't appear to be rejecting with the code
mentioned.  Maillog shows (just the last two entries):

Aug 30 07:17:16 localhost postfix/smtpd[1095]: NOQUEUE: reject: RCPT from
mail-qt0-f171.google.com[209.85.216.171]: 454 4.7.1 :
Sender address rejected: Access denied; from=
to= proto=ESMTP helo=
Aug 30 09:43:22 localhost postfix/smtpd[5125]: NOQUEUE: reject: RCPT from
mail-qt0-f174.google.com[209.85.216.174]: 454 4.7.1 :
Sender address rejected: Access denied; from=
to= proto=ESMTP helo=


So isn't this using 454?  I can't see anything outwardly in my config that
looks wrong:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
default_privs = nobody
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
luser_relay = mbridget
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a
"$RECIPIENT"
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 5000
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = accept
mydestination = byteplayer.byteplayer.com, mail.byteplayer.com, $myhostname,
$mydomain,
localhost,byteplayer.com,byteplayer.co.uk,byteplayer.dyndns.org,byteplayer.uk
mydomain = byteplayer.com
myhostname = mail.byteplayer.com
mynetworks = 192.168.200.0/24, 127.0.0.0/8
myorigin = byteplayer.com
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org,
b.barracudacentral.org,bl.spamcop.net
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = [smtp.tools.sky.com]:465
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
smtpd_delay_reject = yes
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks,
reject_unauth_destination, reject_invalid_hostname, check_sender_access
hash:/etc/postfix/sender_access, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/byteplayer.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = RC4-MD5
smtpd_tls_key_file = /etc/letsencrypt/live/byteplayer.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_transport = dovecot

thanks for any support.
Mark





Re: sender_access question

2017-08-30 Thread Christian Kivalo



On 2017-08-30 12:45, mbridgett wrote:
> soft_bounce = yes
^^ you have the soft_bounce safety net enabled. This changes all 5xx to 
4xx replies, telling the sending server that it should try again later.

See http://www.postfix.org/postconf.5.html#soft_bounce




--
 Christian Kivalo
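
The effect described in the reply above can be confirmed from the mail log. This is an added example, not part of the original thread: it groups `NOQUEUE: reject` lines by envelope sender and reports whether the reply code was temporary (4xx, so the remote server retries) or permanent (5xx). The log lines, addresses and hosts are constructed, the function name `triage_rejects` is hypothetical, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the smtpd reject format shown in the thread:
#   NOQUEUE: reject: RCPT from host[ip]: 454 4.7.1 <addr>: text; from=<addr> ...
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\S+) from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<dsn>[45]\.\d+\.\d+) (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)>"
)

# Constructed sample lines (documentation addresses and IP ranges).
SAMPLE_LOG = [
    "Aug 30 07:17:16 localhost postfix/smtpd[1095]: NOQUEUE: reject: RCPT from "
    "mail.example.net[192.0.2.10]: 454 4.7.1 <blocked@example.net>: "
    "Sender address rejected: Access denied; from=<blocked@example.net> "
    "to=<user@example.org> proto=ESMTP helo=<mail.example.net>",
    "Aug 30 09:43:22 localhost postfix/smtpd[5125]: NOQUEUE: reject: RCPT from "
    "mail.example.net[192.0.2.11]: 454 4.7.1 <blocked@example.net>: "
    "Sender address rejected: Access denied; from=<blocked@example.net> "
    "to=<user@example.org> proto=ESMTP helo=<mail.example.net>",
    "Aug 30 10:02:05 localhost postfix/smtpd[5301]: NOQUEUE: reject: RCPT from "
    "mx.example.com[198.51.100.7]: 554 5.7.1 <other@example.com>: "
    "Sender address rejected: Access denied; from=<other@example.com> "
    "to=<user@example.org> proto=ESMTP helo=<mx.example.com>",
]


def triage_rejects(lines, year=2017):
    """Summarise policy rejections per envelope sender.

    A 4xx code on an "Access denied" rejection means the remote MTA was
    told to try again later, which is what soft_bounce = yes produces.
    """
    hits = defaultdict(list)
    for line in lines:
        match = REJECT_RE.search(line)
        if not match:
            continue
        # Syslog timestamps have no year; prepend the assumed one.
        when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        hits[match["sender"]].append((when, int(match["code"]), match["dsn"]))

    report = {}
    for sender, events in hits.items():
        events.sort()
        codes = sorted({code for _, code, _ in events})
        gaps = [
            round((later[0] - earlier[0]).total_seconds() / 60)
            for earlier, later in zip(events, events[1:])
        ]
        report[sender] = {
            "attempts": len(events),
            "codes": codes,
            "retry_gaps_min": gaps,
            # Any temporary code means the sender is expected to retry.
            "retry_expected": any(400 <= code < 500 for code in codes),
        }
    return report


if __name__ == "__main__":
    for sender, info in triage_rejects(SAMPLE_LOG).items():
        verdict = "retries expected, check `postconf soft_bounce`" \
            if info["retry_expected"] else "permanent reject"
        print(sender, info["codes"], info["retry_gaps_min"], verdict)
```
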


Re: postfix/postqueue[5742]: panic: vbuf_print: output for \%s\ exceeds space 0

2017-08-30 Thread Wietse Venema
Wietse Venema:
> A. Schulze:
> > postqueue: panic: vbuf_print: output for '%s' exceeds space 0
> 
> Unfortunately, there is no way that I can reproduce this in
> postfix-3.2.0, given the preconditions in this code.  Does this
> machine have ECC memory? Does it have a history of programs crashing?
> 
>   Wietse
> 
> Message-ID: <20170826122446.horde.wtusryfdzjjo1nij3m0g...@andreasschulze.de>
> postfix 3.2.0
> postqueue: panic: vbuf_print: output for '%s' exceeds space 0
> 
> This msg_panic() call is made from VBUF_SNPRINTF():
> #define VBUF_SNPRINTF(bp, sz, fmt, arg) do { \
> ssize_t _ret; \
> VBUF_SPACE((bp), (sz)); \
> _ret = snprintf((char *) (bp)->ptr, (bp)->cnt, (fmt), (arg)); \
> if (_ret < 0) \
> msg_panic("%s: output error for '%s'", myname, (fmt)); \
> if (_ret >= (bp)->cnt) \
> msg_panic("%s: output for '%s' exceeds space %ld", \
>   myname, fmt, (long) (bp)->cnt); \
> 
> According to the panic message, (bp)->cnt is zero, meaning the
> output buffer has no free space, which can't happen because
> VBUF_SNPRINTF() is called with sz > 0, as will be argued below.
> Therefore, VBUF_SPACE() is called with a value sz > 0, and the
> output buffer must have free space.
> 
> The panic message says "%s" therefore this VBUF_SNPRINTF() call is
> made while formatting a string with an fmt value of "%s".

Unfortunately, the panic call overwrites the format string that was
involved with the error, so the analysis for width and precision
is wrong.

Wietse


Re: Lists and spam prevention / use of Reply-To:

2017-08-30 Thread Ralph Seichter
On 30.08.2017 03:24, Richard Damon wrote:

> I suggest you then talk the the legislators in the jurisdictions that
> MANDATE that many mailing list have clearly visible {munged, see P.S.}
> instructions.

Electronic mailing lists with a global reach which folks like myself
have been using since the 1980s are governed by RFCs and the rules set
by their respective administrators. Admins decide to include those
instructions, or they don't. Should legislators in country A believe
they can pass laws that list admins in country B and C will abide by,
they better think again. If you are referring to the United States'
CAN-SPAM act, please keep in mind that it is aimed at unsolicited email,
not lists with a double-opt-in, and more importantly that for most of
the globe Lex Americana is just so much marsh gas.

> Sending signed content to a system that is known to need to adjust it
> is unsocial.

A public mailing list does not need to adjust what I post. People can
comment based on my unmodified original text, and they may disagree or
dislike my message, but there is no need for the messenger software to
manipulate what I wrote in the first place.

Also, cryptographic signatures gain more importance the further we move
into the land of post-truth and alternative facts. If Alice signs her
messages, she takes a step to ensure that what she wrote cannot later
be modified or taken out of context without breaking the signature.

-Ralph

P.S.: I had to replace your original "unsubscribe" with "munged" because
I received an automated bounce message containing the following text:

  Your submission to the postfix-users mailing list was blocked because
  [...] the submission contains words like "subscribe", "unsubscribe",
  "change address", or "help", in the subject or in the first few lines.

That was a rather unexpected outcome. :-)


Re: postfix/postqueue[5742]: panic: vbuf_print: output for \%s\ exceeds space 0

2017-08-30 Thread Wietse Venema
Wietse Venema:
> > The panic message says "%s" therefore this VBUF_SNPRINTF() call is
> > made while formatting a string with an fmt value of "%s".
> 
> Unfortunately, the panic call overwrites the format string that was
> involved with the error, so the analysis for width and precision
> is wrong.

If you built Postfix from source, applying this will save the
format string during panic, and may make problem diagnosis
possible.

Wietse

--- src/util/vbuf_print.c-  2017-01-01 10:58:50.0 -0500
+++ src/util/vbuf_print.c   2017-08-30 07:09:17.0 -0400
@@ -109,10 +109,10 @@
VBUF_SPACE((bp), (sz)); \
_ret = snprintf((char *) (bp)->ptr, (bp)->cnt, (fmt), (arg)); \
if (_ret < 0) \
-   msg_panic("%s: output error for '%s'", myname, (fmt)); \
+   msg_panic("%s: output error for '%s'", myname, mystrdup(fmt)); \
if (_ret >= (bp)->cnt) \
msg_panic("%s: output for '%s' exceeds space %ld", \
- myname, fmt, (long) (bp)->cnt); \
+ myname, mystrdup(fmt), (long) (bp)->cnt); \
VBUF_SKIP(bp); \
 } while (0)
 #else
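
Review bot: both msg_panic() calls now pass mystrdup(fmt) with no comment saying why the format string is copied, and the copy is never freed. That is fine only because msg_panic() does not return, so a short comment above the macro stating that msg_panic() overwrites the buffer fmt points into, and that the allocation is deliberately leaked on this abort path, would stop a later cleanup from reverting the change. Since the message describes this as a diagnostic aid for source builds, it would also help to say whether it is meant to stay in the tree.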


Re: sender_access question

2017-08-30 Thread mbridgett


> soft_bounce = yes
> ^^ you have the soft_bounce safety net enabled. This changes all 5xx to
> 4xx replies, telling the sending server that it should try again later.
> See http://www.postfix.org/postconf.5.html#soft_bounce

Doh, thanks.  I put that in years ago for some reason that's long since gone
out of my mind.  I have disabled this and am sure this will be the solution. 
Thanks.





cleanup(8) man page

2017-08-30 Thread Patrick Lamaiziere
Hello,

I think that the description in this man page is confusing since cleanup
does not *always* insert missing headers (message-id etc).

The cleanup(8) daemon always performs the following transformations:

   o  Insert missing message headers: (Resent-) From:,
   To:, Message-Id:, and Date:.

We hit this here :)

Thanks, Best regards.



451 4.3.5 Server configuration error

2017-08-30 Thread Daniel Armando Rodriguez
Hi, I'm getting such message logged after the warning: unknown smtpd
restriction: "milter_default_action"

All incoming mail is rejected.

What I'm trying to achieve is to get dkim validation working,
following this guide
https://wiki.debian.org/opendkim




regards in advance


Re: 451 4.3.5 Server configuration error

2017-08-30 Thread Christian Kivalo



On 2017-08-30 14:51, Daniel Armando Rodriguez wrote:
> Hi, I'm getting such message logged after the warning: unknown smtpd
> restriction: "milter_default_action"

Note that options in master.cf are without spaces around the "=".

> All incoming mail is rejected.
>
> What I'm trying to achieve is to get dkim validation working,
> following this guide
> https://wiki.debian.org/opendkim

It helps to show your configuration.

See http://www.postfix.org/DEBUG_README.html#mail

Send the output of
postconf -n
postconf -Mf

> regards in advance


--
 Christian Kivalo


Re: 451 4.3.5 Server configuration error

2017-08-30 Thread Daniel Armando Rodriguez
> On 2017-08-30 14:51, Daniel Armando Rodriguez wrote:
>>
>> Hi, I'm getting such message logged after the warning: unknown smtpd
>> restriction: "milter_default_action"
>
> Note that options in master.cf are without spaces around the "=".

yep

>> All incoming mail is rejected.
>>
>> What I'm trying to achieve is to get dkim validation working,
>> following this guide
>> https://wiki.debian.org/opendkim
>
> It helps to show your configuration.
>
> See http://www.postfix.org/DEBUG_README.html#mail
>
> Send the output of
> postconf -n

#  postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_command =
mailbox_size_limit = 0
mydestination = localhost
mydomain = unau.edu.ar
myhostname = correo.$mydomain
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128, 170.210.45.128/29
myorigin = $myhostname
policyd-spf_time_limit = 3600
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_policy_service unix:private/policyd-spf milter_default_action =
accept milter_protocol = 6 smtpd_milters =
local:/opendkim/opendkim.sock non_smtpd_milters = $smtpd_milters
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/unau.edu.ar/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/unau.edu.ar/privkey.pem
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual_aliases
virtual_mailbox_domains = $mydomain
virtual_transport = lmtp:unix:private/dovecot-lmtp

> postconf -Mf

postconf -Mf
smtp   inet  n   -   -   -   -   smtpd
-o content_filter=spamassassin
submission inet  n   -   -   -   -   smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o content_filter=spamassassin
smtps  inet  n   -   -   -   -   smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o content_filter=spamassassin
pickup unix  n   -   -   60  1   pickup
cleanup unix  n   -   -   -   0   cleanup
qmgr   unix  n   -   n   300 1   qmgr
tlsmgr unix  -   -   -   1000?   1   tlsmgr
rewrite unix  -   -   -   -   -   trivial-rewrite
bounce unix  -   -   -   -   0   bounce
defer  unix  -   -   -   -   0   bounce
trace  unix  -   -   -   -   0   bounce
verify unix  -   -   -   -   1   verify
flush  unix  n   -   -   1000?   0   flush
proxymap   unix  -   -   n   -   -   proxymap
proxywrite unix  -   -   n   -   1   proxymap
smtp   unix  -   -   -   -   -   smtp
relay  unix  -   -   -   -   -   smtp
showq  unix  n   -   -   -   -   showq
error  unix  -   -   -   -   -   error
retry  unix  -   -   -   -   -   error
discard unix  -   -   -   -   -   discard
local  unix  -   n   n   -   -   local
virtual unix  -   n   n   -   -   virtual
lmtp   unix  -   -   -   -   -   lmtp
anvil  unix  -   -   -   -   1   anvil
scache unix  -   -   -   -   1   scache
maildrop   unix  -   n   n   -   -   pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp   unix  -   n   n   -   -   pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix  -   n   n   -   -   pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp  unix  -   n 

Re: 451 4.3.5 Server configuration error

2017-08-30 Thread Christian Kivalo



On 2017-08-30 15:07, Daniel Armando Rodriguez wrote:

> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination,
> check_policy_service unix:private/policyd-spf milter_default_action =

   ^^
Maybe just your mailclient, but you seem to be missing newlines here.

> accept milter_protocol = 6 smtpd_milters =
> local:/opendkim/opendkim.sock non_smtpd_milters = $smtpd_milters

All these milter_* options should be on their own line.


Re: 451 4.3.5 Server configuration error

2017-08-30 Thread Daniel Armando Rodriguez
2017-08-30 10:16 GMT-03:00 Christian Kivalo :
>
>
> On 2017-08-30 15:07, Daniel Armando Rodriguez wrote:
>>>
>>> On 2017-08-30 14:51, Daniel Armando Rodriguez wrote:


>>>> Hi, I'm getting such message logged after the warning: unknown smtpd
>>>> restriction: "milter_default_action"
>>>
>>>
>>> Note that options in master.cf are without spaces around the "=".
>>
>>
>> yep
>>
>>>> All incoming mail is rejected.
>>>>
>>>> What I'm trying to achieve is to get dkim validation working,
>>>> following this guide
>>>> https://wiki.debian.org/opendkim
>>>
>>>
>>> It helps to show your configuration.
>>>
>>> See http://www.postfix.org/DEBUG_README.html#mail
>>>
>>> Send the output of
>>> postconf -n
>>
>>
>> #  postconf -n
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> append_dot_mydomain = no
>> biff = no
>> config_directory = /etc/postfix
>> home_mailbox = Maildir/
>> html_directory = /usr/share/doc/postfix/html
>> inet_interfaces = all
>> mailbox_command =
>> mailbox_size_limit = 0
>> mydestination = localhost
>> mydomain = unau.edu.ar
>> myhostname = correo.$mydomain
>> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128,
>> 170.210.45.128/29
>> myorigin = $myhostname
>> policyd-spf_time_limit = 3600
>> readme_directory = /usr/share/doc/postfix
>> recipient_delimiter = +
>> relayhost =
>> smtp_tls_security_level = may
>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>> smtpd_banner = $myhostname ESMTP $mail_name
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject_unauth_destination,
>> check_policy_service unix:private/policyd-spf milter_default_action =
>
>^^
> Maybe just your mailclient, but you seem to be missing newlines here.
>
>> accept milter_protocol = 6 smtpd_milters =
>> local:/opendkim/opendkim.sock non_smtpd_milters = $smtpd_milters
>
> All these milter_* options should be on their own line.


They are, look like this in main.cf

# OpenDKIM
   milter_default_action = accept
   milter_protocol = 6
   smtpd_milters = local:/opendkim/opendkim.sock
   non_smtpd_milters = $smtpd_milters




___
Daniel A. Rodriguez
Departamento de Tecnología para la Gestión
Escuela Provincial de Educación Técnica N° 1
Posadas - Misiones - Argentina
(0376) 443-8578
www.epet1.edu.ar


Re: 451 4.3.5 Server configuration error

2017-08-30 Thread Viktor Dukhovni

> On Aug 30, 2017, at 12:56 PM, Daniel Armando Rodriguez 
>  wrote:
> 
> They are, look like this in main.cf
> 
> # OpenDKIM
>   milter_default_action = accept
>   milter_protocol = 6
>   smtpd_milters = local:/opendkim/opendkim.sock
>   non_smtpd_milters = $smtpd_milters

Each parameter definition must start in the *first*
column of its text line. See

  http://www.postfix.org/postconf.5.html

The general format of the main.cf file is as follows:

• Each logical line is in the form "parameter = value".
  Whitespace around the "=" is ignored, as is whitespace
  at the end of a logical line.

• Empty lines and whitespace-only lines are ignored, as are
  lines whose first non-whitespace character is a `#'.

• A logical line starts with non-whitespace text. A line
  that starts with whitespace continues a logical line. 

-- 
Viktor.
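
The logical-line rules quoted above, applied to the indented OpenDKIM block from this thread. This is an added example, not Postfix code and not part of the original messages: a small parser following the three rules, plus a heuristic (an assumption of this example) that flags indented lines which look like parameter definitions but are read as continuations. The function name `parse_main_cf` and both sample files are constructed from the settings posted earlier.

```python
import re

# Heuristic only: a continuation line that itself looks like "name = value".
ASSIGNMENT_RE = re.compile(r"^([A-Za-z_][\w.-]*)\s*=")

# Constructed from the thread: the milter settings are indented.
BROKEN_MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

# OpenDKIM
   milter_default_action = accept
   milter_protocol = 6
   smtpd_milters = local:/opendkim/opendkim.sock
   non_smtpd_milters = $smtpd_milters
smtpd_sasl_auth_enable = yes
"""

# Same settings with every definition starting in the first column.
FIXED_MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
smtpd_sasl_auth_enable = yes
"""


def parse_main_cf(text):
    """Parse main.cf text using the logical-line rules quoted above.

    Returns (params, folded). params maps parameter name to value.
    folded lists (line_number, name, swallowed_by) for each indented
    line that looks like a definition but continued the previous one.
    """
    logical = []  # one string per logical line
    folded = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        # Empty, whitespace-only and comment lines are ignored. They do
        # not end the logical line that came before them.
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":
            # Leading whitespace: continuation of the previous logical line.
            if not logical:
                continue  # nothing to continue; skipped in this example
            owner = logical[-1].partition("=")[0].strip()
            match = ASSIGNMENT_RE.match(stripped)
            if match:
                folded.append((lineno, match.group(1), owner))
            logical[-1] += " " + stripped
        else:
            logical.append(stripped)

    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params, folded


if __name__ == "__main__":
    params, folded = parse_main_cf(BROKEN_MAIN_CF)
    for lineno, name, owner in folded:
        print(f"line {lineno}: '{name}' is read as part of '{owner}'")
    print(params["smtpd_recipient_restrictions"])
```

Run on the indented file, the restriction list ends with the milter settings as extra words, which is the source of the `unknown smtpd restriction: "milter_default_action"` warning reported at the start of the thread.
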



Re: 451 4.3.5 Server configuration error

2017-08-30 Thread Daniel Armando Rodriguez
>> They are, look like this in main.cf
>>
>> # OpenDKIM
>>   milter_default_action = accept
>>   milter_protocol = 6
>>   smtpd_milters = local:/opendkim/opendkim.sock
>>   non_smtpd_milters = $smtpd_milters
>
> Each parameter definition must start in the *first*
> column of its text line. See
>
>   http://www.postfix.org/postconf.5.html
>
> The general format of the main.cf file is as follows:
>
> • Each logical line is in the form "parameter = value".
>   Whitespace around the "=" is ignored, as is whitespace
>   at the end of a logical line.
>
> • Empty lines and whitespace-only lines are ignored, as are
>   lines whose first non-whitespace character is a `#'.
>
> • A logical line starts with non-whitespace text. A line
>   that starts with whitespace continues a logical line.


That was it, should read first!


Thank you guys






___
Daniel A. Rodriguez
Departamento de Tecnología para la Gestión
Escuela Provincial de Educación Técnica N° 1
Posadas - Misiones - Argentina
(0376) 443-8578
www.epet1.edu.ar


Outgoing rate limit based on number of bad recipients

2017-08-30 Thread MRob

Has anyone done something like this for Postfix who is willing to share?

Rate limit outgoing mail based on the number of bad recipients as a more 
intelligent rule that won't impact regular users (intended to stop abuse 
of compromised accounts).


https://lists.exim.org/lurker/message/20100226.153132.58ab2e98.en.html
https://github.com/Exim/exim/wiki/BlockCracking



Re: mitigating gmail spam traps: how does one add the required headers?8

2017-08-30 Thread Dirk Stöcker

On Tue, 29 Aug 2017, Tom Browder wrote:


> Gmail has a list of steps recommended to minimize spam identification,
> particularly mail sent as bulk mail (as from mailing lists).
>
> One of the recommendations is to use DKIM and that is clearly explained on the
> postfix website.
>
> The other steps are fairly straightforward, also, but how does one add the
> various headers they recommend?  I assume it's via a filter, but which one and
> how is it done?


The recommendations from the Google link you gave usually boil down to:
* use software properly adhering to standards (e.g. for mailing lists) and
  configure it properly
* if you send mail with your own software make sure you generate mails
  which follow the standards
* check if what you send really is what you want to send

Google is especially unhappy when you send lots of mails (e.g. from a 
warning or information system) and don't mark the mails as "bulk". The 
PTR, SPF, DKIM setups are very important for them as well if you send bulk 
mail and the fact that Google users don't have any of your mails in their 
Spam folders. If you get bounces for some users it may be better to inform 
and unsubscribe them instead of losing reputation. They can resubscribe 
when they clean up their Spam folder in case they still want to receive the 
mailing list.


All the other tests also apply:
* What does an own (receiving) SpamAssassin say to your mails
* What do blacklists say

The cleaner a mail is (good time stamps, no bad or strange headers, ...) 
the better is the chance bulk mail is accepted.


In the past I can't remember trouble with normal (human sent) mail. Google 
makes differences between the human made mail and automatic mail systems 
of different sorts. Requirements for mail from the automatics are higher.


Ciao
--
http://www.dstoecker.eu/ (PGP key available)

Milter order?

2017-08-30 Thread Michael Munger
*TL;DR* - my milter works, but I want it to operate /after/
smtpd_helo_restrictions, smtpd_recipient_restrictions, and
smtpd_client_restrictions have done their magic because it's logging
information from spam that gets filtered out by those guys (and also by
spamassassin).

Here's my config line:

smtpd_milters = unix:/var/run/spamass/spamass.sock
    unix:/var/run/opendkim/opendkim.sock local:/var/run/mcdbcache/mcdb.sock

Background:

We are caching the to and from fields for a CRM system. Additionally, we
are tagging inbound and outbound mail with an SMTP header and a tag in
the body so we can associate conversations with projects and vice
versa. So, I need full access to the envelope and the body (and
attachments, which is another thread entirely, so let's not get
sidetracked there).

In re-reading the FILTER_README and MILTER_READMEs, it almost seems as
if I need to change this from a milter to a filter, but that is a
content filter, which I don't really want to do. I don't want to change
the disposition of any email that has made it past the restrictions and
spamassassin. Just clone it for further processing later.

I want to cache / copy the emails as they come in, and do not want to
filter anything.

What's my next step? I am hoping there is a config that I have missed
that will apply the milter /after/ the restrictions have been processed...
-- 
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com 


Re: postfix/postqueue[5742]: panic: vbuf_print: output for \%s\ exceeds space 0

2017-08-30 Thread Wietse Venema
Wietse Venema:
> Wietse Venema:
> > > The panic message says "%s" therefore this VBUF_SNPRINTF() call is
> > > made while formatting a string with an fmt value of "%s".
> > 
> > Unfortunately, the panic call overwrites the format string that was
> > involved with the error, so the analysis for width and precision
> > is wrong.
> 
> If you built Postfix from source, applying this will save the
> format string during panic, and may make problem diagnosis
> possible.

Sorry, you also have to add a ``#include "mymalloc.h"'' line.

Wietse

--- /var/tmp/postfix-3.3-20170730/src/util/vbuf_print.c 2017-01-01 
10:58:50.0 -0500
+++ src/util/vbuf_print.c   2017-08-30 19:47:51.0 -0400
@@ -64,6 +64,7 @@
 /* Application-specific. */
 
 #include "msg.h"
+#include "mymalloc.h"
 #include "vbuf.h"
 #include "vstring.h"
 #include "vbuf_print.h"
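
Review bot: the new #include "mymalloc.h" is needed only for the mystrdup() calls added to the VBUF_SNPRINTF panic paths in the next hunk, and nothing at the include site says so. If this diagnostic aid stays in the tree, a one-line comment tying the include to those calls would keep it from outliving them or being dropped as unused.
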
@@ -109,10 +110,10 @@
VBUF_SPACE((bp), (sz)); \
_ret = snprintf((char *) (bp)->ptr, (bp)->cnt, (fmt), (arg)); \
if (_ret < 0) \
-   msg_panic("%s: output error for '%s'", myname, (fmt)); \
+   msg_panic("%s: output error for '%s'", myname, mystrdup(fmt)); \
if (_ret >= (bp)->cnt) \
msg_panic("%s: output for '%s' exceeds space %ld", \
- myname, fmt, (long) (bp)->cnt); \
+ myname, mystrdup(fmt), (long) (bp)->cnt); \
VBUF_SKIP(bp); \
 } while (0)
 #else
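
Review bot: both msg_panic() calls in VBUF_SNPRINTF now pass mystrdup(fmt), which puts a heap allocation on the panic path with no comment explaining why the copy is needed. The reason given in the thread (the panic call overwrites the format string involved in the error) belongs in a comment next to the macro, otherwise the copy reads like a leak that someone will later tidy away. Because this path runs when the buffer accounting is already wrong, consider copying fmt into a small fixed-size local buffer instead, so that reporting the panic does not depend on the allocator succeeding; the missing free itself is harmless, since msg_panic() does not return.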