MX backup doesn't queue

2017-09-01 Thread Davide Marchi

Hi friends,
on a Debian Jessie and Postfix 2.11.x,

where DNS configuration seems fine, in fact if I shut down the primary 
email server, the correspondence is delivered to the second correctly.

where SERVER1 is "the.backed-up.domain.tld"
where SERVER2 is "the backup MX"



My point is to understand why Postfix (on MX backup) stores email into 
the mailbox and does not queue it.






It seems to me that the essential parameter is:


relay_domains = . . . the.backed-up.domain.tld   > (server1)


and then:

mydestination = server2, localhost.server2, localhost



as described on: 
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup


But nevertheless it does not queue messages but always registers them 
within INBOX.



I'm using MySQL for:

virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-email2email.cf,mysql:/etc/postfix/mysql-virtual-alias-maps.cf


And in "virtual_mailbox_domains" the.backed-up.domain.tld also appears in 
the list. So I've changed "virtual_mailbox_domains" from MySQL to hash (and 
postconf it), excluding the "the.backed-up.domain.tld" domain, but with 
no luck.


Do you know how I could ascertain the reasons of this strange (for me) 
behavior?



If you'd like to see my configuration files (main.cf), I've also posted 
the two minimal configurations here:


SERVER1: https://pastebin.com/wVaqxj2i
SERVER2 (backup MX): https://pastebin.com/2mYBGvCN


and for more:

/etc/postfix/mysql-virtual-mailbox-domains.cf: https://pastebin.com/7Wy1JrAS
/etc/postfix/mysql-virtual-mailbox-maps.cf: https://pastebin.com/jSdX4bTu

/etc/postfix/mysql-virtual-alias-maps.cf: https://pastebin.com/L0eAYxPG
/etc/postfix/mysql-email2email.cf: https://pastebin.com/2vRGFJy7




Please give me a useful suggestion, I'm going crazy! :-)

many thanks!

Davide



relay host & client throttling

2017-09-01 Thread Admin Beckspaced

Dear postfix community,

I got a few servers all running postfix 2.11.x
Then I got my main mail server and all other servers use this as relayhost.

authentication to relayhost is done via sasl auth and all is working 
fine and as expected ;)


but let's say I do a fail2ban restart on one of the servers lots of 
fail2ban notify emails will get sent via the relayhost

resulting in the relayhost throttling down the other server

which is actually not a big thing as the mails stay in the queue for a 
bit and get sent later.


But is there an option in postfix to say: no worries! trust that client. 
do not throttle ;)


before doing the sasl auth between relayhost and client I added all the 
other server's IP addresses to the mynetworks setting in postfix, but 
the negative effect was that you sometimes forget to remove an IP 
address when switching to new servers.


So a 'do not throttle this client' would be nice.
Or perhaps someone got a better idea?

Thanks, greetings & postfix is just awesome!
Becki



majordomo postfix 2.10.1 No recipient addresses found in message header

2017-09-01 Thread tslbai
Dear Mailing-List,

I was running the latest version of Majordomo (1.94.5) successfully on
CentOS 6.x with postfix 2.6 (2.6.6-8.el6.x86_64.rpm) for years.

Since I installed CentOS 7.x with postfix 2.10 (2.10.1-6.el7.x86_64.rpm)
majordomo isn't working any more (sendmail-error).

"No recipient addresses found in message header"


Majordomo-Logfile tells:
Sep 01 10:42:35 agilolfinger.de majordomo[29232] {My Name
} ABORT majord...@agilolfinger.de: My Name
 is not a valid return address.

BUT: this address is working and can be used from e.g. cli or scripts.

Is there anyone, who is running majordomo on Postfix 2.10 or has a hint?

(I know that Majordomo is very old and greatcircle isn't supporting it
since years and the majordomo-Mailing-list ended 2003.
I know about Mailman too, but I'd like to use majordomo as a small and
tiny solution for a particular usecase.)

Thanks for any hint about running majordomo on CentOS 7.
If I can provide any other information, please tell me.

Thanks, Florian
-

Here my /var/log/maillog
Mail to majordomo@domain:
---
Sep  1 10:43:31 authari postfix/smtpd[29227]: connect from
unknown[2001:a60:900f:0:79c0:ec35:91a8:337a]
Sep  1 10:43:31 authari postfix/smtpd[29227]: Anonymous TLS connection
established from unknown[2001:a60:900f:0:79c0:ec35:91a8:337a]: TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  1 10:43:31 authari postfix/smtpd[29227]: 4667F18417427:
client=unknown[2001:a60:900f:0:79c0:ec35:91a8:337a]
Sep  1 10:43:31 authari postfix/cleanup[29230]: 4667F18417427:
message-id=<282c028f-faba-4035-a8d3-d03063d98...@agilolfinger.de>
Sep  1 10:43:31 authari postfix/qmgr[29082]: 4667F18417427:
from=, size=810, nrcpt=1 (queue active)
Sep  1 10:43:31 authari postfix/smtpd[29227]: disconnect from
unknown[2001:a60:900f:0:79c0:ec35:91a8:337a]
Sep  1 10:43:31 authari postfix/sendmail[29243]: fatal:
majordomo-ow...@agilolfinger.de(1004): No recipient addresses found in
message header
Sep  1 10:43:31 authari postfix/local[29231]: 4667F18417427:
to=, relay=local, delay=0.09,
delays=0.02/0/0/0.06, dsn=2.0.0, status=sent (delivered to command:
/usr/local/majordomo-1.94.5/wrapper majordomo)
Sep  1 10:43:31 authari postfix/qmgr[29082]: 4667F18417427: removed
Sep  1 10:43:31 authari imapd-ssl: DISCONNECTED, user=bai,
ip=[2001:a60:900f:0:79c0:ec35:91a8:337a], headers=221, body=0, rcvd=934,
sent=33227, time=56, starttls=1


Mail to listname@domain
---
Sep  1 10:46:04 authari postfix/smtpd[29265]: connect from
unknown[2001:a60:900f:0:79c0:ec35:91a8:337a]
Sep  1 10:46:04 authari postfix/smtpd[29265]: Anonymous TLS connection
established from unknown[2001:a60:900f:0:79c0:ec35:91a8:337a]: TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  1 10:46:04 authari postfix/smtpd[29265]: B03A118417427:
client=unknown[2001:a60:900f:0:79c0:ec35:91a8:337a]
Sep  1 10:46:04 authari postfix/cleanup[29230]: B03A118417427:
message-id=
Sep  1 10:46:04 authari postfix/qmgr[29082]: B03A118417427:
from=, size=821, nrcpt=1 (queue active)
Sep  1 10:46:04 authari postfix/smtpd[29265]: disconnect from
unknown[2001:a60:900f:0:79c0:ec35:91a8:337a]
Sep  1 10:46:04 authari postfix/sendmail[29268]: fatal:
owner-frisco-mak-t...@agilolfinger.de(1004): No recipient addresses
found in message header
Sep  1 10:46:04 authari postfix/local[29231]: B03A118417427:
to=, relay=local, delay=0.14,
delays=0.03/0/0/0.11, dsn=2.0.0, status=sent (delivered to command:
/usr/local/majordomo-1.94.5/wrapper resend -l frisco-mak-test
frisco-mak-test-list)
Sep  1 10:46:04 authari postfix/qmgr[29082]: B03A118417427: removed
Sep  1 10:46:04 authari imapd-ssl: DISCONNECTED, user=bai,
ip=[2001:a60:900f:0:79c0:ec35:91a8:337a], headers=221, body=0, rcvd=946,
sent=33289, time=153, starttls=1


Re: [SPAM?] Re: mitigating gmail spam traps: how does one add the required headers?

2017-09-01 Thread Tom Browder
On Thu, Aug 31, 2017 at 21:44 Richard Damon wrote:
...

> One point of information about Gmail, which may want you to change your
> test setup a bit. Gmail suppresses duplicate messages (as determined by
> the Message-ID), and (unless the mailing list changes the message-id,
> which is generally a bad idea) Gmail will see the message from the list
> as a duplicate of the message sent (even if wildly reformatted) and thus
> suppress the message from the list. To test Gmail - list - Gmail
> interactions, you need two Gmail accounts.


Interesting, Richard! Then how do mailing list manager programs deal with
the same message going to multiple accounts? Probably something like the
bulk mail header I guess.

Thanks.

-Tom


mail archiving with bcc to a local user account: any security issues?

2017-09-01 Thread Tom Browder
I tried to follow the instructions in several links detailing how to use
the always bcc method to archive mail sent through my mail server. However,
I couldn't get the no-home user with a /var Maildir directory to work.

I did get it to work by using a local user as bcc and all the mail goes to
that account fine (the name I picked isn't ideal so I plan to change it
soon).

My question is: is that any less secure than the no-home methods?

Thanks.

-Tom


Re: [SPAM?] Re: mitigating gmail spam traps: how does one add the required headers?

2017-09-01 Thread Richard Damon

On 9/1/17 6:23 AM, Tom Browder wrote:
> On Thu, Aug 31, 2017 at 21:44 Richard Damon wrote:
>
> ...
>
>> One point of information about Gmail, which may want you to change your
>> test setup a bit. Gmail suppresses duplicate messages (as determined by
>> the Message-ID), and (unless the mailing list changes the message-id,
>> which is generally a bad idea) Gmail will see the message from the list
>> as a duplicate of the message sent (even if wildly reformatted) and thus
>> suppress the message from the list. To test Gmail - list - Gmail
>> interactions, you need two Gmail accounts.
>
> Interesting, Richard! Then how do mailing list manager programs deal
> with the same message going to multiple accounts? Probably something
> like the bulk mail header I guess.
>
> Thanks.
>
> -Tom


The trimming of duplicates is a MUA level function, not an MTA level, so 
every GMail user gets the message, then it is eliminated at the MUA to 
those that already have it (the sender or anyone directly sent it also). 
It would be a major bug if they only delivered to just a single user a 
message directed to several.


--
Richard Damon



Re: relay host & client throttling

2017-09-01 Thread Matus UHLAR - fantomas

On 01.09.17 10:37, Admin Beckspaced wrote:
> but let's say I do a fail2ban restart on one of the servers lots of
> fail2ban notify emails will get sent via the relayhost
>
> resulting in the relayhost throttling down the other server
>
> which is actually not a big thing as the mails stay in the queue for
> a bit and get sent later.
>
> But is there an option in postfix to say: no worries! trust that
> client. do not throttle ;)


how do you throttle?
if you use smtpd_*_limit for throttling, use smtpd_client_event_limit_exceptions
for exceptions.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
It's now safe to throw off your computer.


Re: majordomo postfix 2.10.1 No recipient addresses found in message header

2017-09-01 Thread Matus UHLAR - fantomas

On 01.09.17 12:18, tslbai wrote:
> I was running the latest version of Majordomo (1.94.5) successfully on
> CentOS 6.x with postfix 2.6 (2.6.6-8.el6.x86_64.rpm) for years.
>
> Since I installed CentOS 7.x with postfix 2.10 (2.10.1-6.el7.x86_64.rpm)
> majordomo isn't working any more (sendmail-error).
>
> "No recipient addresses found in message header"

this question has been already asked and answered:

http://postfix.1071664.n5.nabble.com/majordomo-postfix-combination-troubles-td79952.html

> (I know that Majordomo is very old and greatcircle isn't supporting it
> since years and the majordomo-Mailing-list ended 2003.

should be no issue since even this list runs on majordomo.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows 2000: 640 MB ought to be enough for anybody


Re: SV: SV: Double Mails delivered with aliases.

2017-09-01 Thread Matus UHLAR - fantomas

>> You haven't posted whole master nor whole xMTPDeliver (pastebin, please).
>> Both can contain something that causes multiple deliveries.

On 18.08.17 09:38, Søren Peter Skou wrote:
> Pastebin coming up 😊
> main.cf : https://pastebin.com/rQTFc50q
> master.cf : https://pastebin.com/zfpG2sBB
> xMTPDeliver: https://pastebin.com/GrUPuDgJ
>
> I've come to the conclusion that the culprit lies in the "Not local" part
> of xMTPDeliver.  Once it ships it off using sendmail (postfix) -oi, it is
> re-entered back into the queue, and Postfix sees the address once more,
> and delivers locally, since the a...@a.test resolves to both b...@a.test and
> c...@b.test.

[]

>> I believe you should only send local mail to dovecot (not all via
>> content_filter), you seem to pass everything to it which apparently caused
>> your problem.

> All incoming mail needs to be scanned for Vira/Malware, is why I pass it
> to a content_filter, 127.0.0.1:10025 has clamsmtp running.  Clamsmtp
> returns on port 10026 if clean. In master.cf 10026 is then defined with a
> content_filter=spamassassin.  This calls xMTPDeliver which handles the
> spamc calls.

I see it simple: stop using content_filter for mail delivery. It is not
designed to do that.
Configure the content_filter to push mail back to queue and use postfix to
decide when to forward and when to deliver the mail locally.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Custom HELO/EHLO response

2017-09-01 Thread Daniel Ryšlink

Hello!

When a postfix server replies to the HELO/EHLO command, the response 
starts with this line:


250-mail.dialtelecom.cz

However, when Exim or other server replies, the first line contains 
additional information:


250-mx01.dialtelecom.cz Hello office.dialtelecom.cz [212.24.132.66], pleased to meet you


I would like to know if there is a way to customize this reply in 
Postfix, specifically, if there is a way to include the information 
about the sender IP and reverse DNS name as in the second reply via 
modifying Postfix configuration, and if it is possible, then I would 
like to know which configuration directives should be used.


I thank anyone in advance for any useful information, and I apologize in 
advance if my question does not adhere to a required standard, or if the 
question seems trivial. I did look through the Postfix documentation, 
and I also looked through all the postconf configuration directives in 
the active configuration of my server, but I did not find anything 
relevant.


--
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
---
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
---



Re: Custom HELO/EHLO response

2017-09-01 Thread Ralph Seichter
On 01.09.2017 15:48, Daniel Ryšlink wrote:

> I would like to know if there is a way to customize this reply in
> Postfix [...]

See 'smtpd_banner' and 'postscreen_greet_banner'.

-Ralph


sasl auth LOGIN / PLAIN

2017-09-01 Thread mj

Hi,

Just a small question: we currently use postfix with sasl authentication, 
and following many docs, we have enabled PLAIN and LOGIN authentication.


However, googling leads me to believe that LOGIN is mostly used by 
Outlook Express, and that most (or all?) modern clients support the 
PLAIN mechanism.


I also noticed that most failed authentication attempts are done using 
LOGIN.


Now, assuming that most of these failed authentications are simply 
username/password guessing... how many problems would I expect, if I 
simply only offer PLAIN mechanism?


It's hard to find info on what clients use what auth type. So, are 
all/most modern clients capable of doing PLAIN? (thunderbird, outlook 
2010/2013) so could I simply disallow LOGIN?


MJ


Re: majordomo postfix 2.10.1 No recipient addresses found in message header

2017-09-01 Thread tslbai
Thanks for the hint!

Sorry, but I don't know how to tell majordomo to invoke sendmail in
the correct way.

I grep'ed the majordomo scripts for "-t" Option. This is used several times:

# pwd
/usr/local/majordomo-1.94.5
# grep sendmail * | grep " \-t"
archive2.pl:$bounce_mailer = $bounce_mailer || "$sendmail_command
-f\$sender -t";
config-test:print "$sendmail_command -f\\\$sender -t\n";
config-test:print "/usr/lib/sendmail -f\\\$sender -t\n";
config-test:$bounce_mailer = "$sendmail_command -f\$sender -t"
digest:$bounce_mailer = "$sendmail_command -f\$sender -t"
digest:$bounce_mailer = "$sendmail_command -fmajordomo-owner -t"
majordomo:$bounce_mailer = "$sendmail_command -f\$sender -t"
majordomo.cf:$bounce_mailer = "$sendmail_command -oi -oee -f\$sender -t";
majordomo.pl:$mail_prog = "$sendmail_command -f\$sender -t";
request-answer:$bounce_mailer = "$sendmail_command -f\$sender -t"
resend:$bounce_mailer = $bounce_mailer || "$sendmail_command -f\$sender -t";
resend:# check for the dreaded -t option to sendmail, which will cause
resend: $mailcmd = "/usr/lib/sendmail -f$sender -t";
sample.cf:$bounce_mailer = "$sendmail_command -oi -oee -f\$sender -t";
#
# pwd
/usr/local/majordomo-1.94.5/Tools
new-list:$bounce_mailer = "$sendmail_command -f\$sender -t"
sequencer:  print MAIL ">>> /usr/lib/sendmail -f$sendmail_sender -t\n";
sequencer:local(@mailer) = split(' ',"/usr/lib/sendmail
-f$sendmail_sender -t");

I deleted some of the "-t"-Options, but my problem persists. :-(

I know, this is not a postfix-issue, but can you please advise me, how
to treat majordomo?

Thanks,
Florian
--

On 9/1/2017 2:16 PM, Matus UHLAR - fantomas wrote:
> On 01.09.17 12:18, tslbai wrote:
>> I was running the latest version of Majordomo (1.94.5) successfully on
>> CentOS 6.x with postfix 2.6 (2.6.6-8.el6.x86_64.rpm) for years.
>>
>> Since I installed CentOS 7.x with postfix 2.10 (2.10.1-6.el7.x86_64.rpm)
>> majordomo isn't working any more (sendmail-error).
>>
>> "No recipient addresses found in message header"
> 
> this question has been already asked and answered:
> 
> http://postfix.1071664.n5.nabble.com/majordomo-postfix-combination-troubles-td79952.html
> 
> 
>> (I know that Majordomo is very old and greatcircle isn't supporting it
>> since years and the majordomo-Mailing-list ended 2003.
> 
> should be no issue since even this list runs on majordomo.
> 


Re: Custom HELO/EHLO response

2017-09-01 Thread Viktor Dukhovni
On Fri, Sep 01, 2017 at 03:48:21PM +0200, Daniel Ryšlink wrote:

> When a postfix server replies to the HELO/EHLO command, the response starts
> with this line:
> 
> 250-mail.dialtelecom.cz

Via the smtpd_banner parameter you can replace this with any *fixed*
string.

> However, when Exim or other server replies, the first line contains
> additional information:
> 
> 250-mx01.dialtelecom.cz Hello office.dialtelecom.cz [212.24.132.66], pleased 
> to meet you

This is mostly pointless.

> I would like to know if there is a way to customize this reply in Postfix,
> specifically, if there is a way to include the information about the sender
> IP and reverse DNS name as in the second reply via modifying Postfix
> configuration, and if it is possible, then I would like to know which
> configuration directives should be used.

There is no current mechanism to inject client-specific data into
the SMTP server banner.  Is there a good reason to add such a
feature?

-- 
Viktor.


Re: MX backup doesn't queue

2017-09-01 Thread Noel Jones
> My point is to understand why Postfix (on MX backup) store email
> into mailbox and does not queue them.


On the backup MX:


DO NOT list the domain in mydestination, virtual_alias_domains, or
mailbox_domains parameters.  These list domains for local delivery.

DO list the domain in relay_domains


DO NOT list the valid recipients in virtual_mailbox_maps, or
virtual_alias_maps.  These list local recipients.

DO list valid recipients in relay_recipient_maps

http://www.postfix.org/ADDRESS_CLASS_README.html


On the other hand, most folks these days think a backup MX is more
trouble than it's worth due to the way they are abused by spammers.




  -- Noel Jones
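
The rule in the reply above, as an added example (not part of Noel Jones's message and not Postfix's own tooling): the script reads `postconf -n`-style text and flags a relayed domain that is also named in a local-delivery class. The sample configuration, the `hash:/etc/postfix/vdomains` path and the helper names are constructed; lookup tables such as `mysql:` cannot be resolved offline, so they are listed for a manual `postmap -q` check.

```python
"""Audit a backup MX's address classes from `postconf -n`-style text.

Added example; SAMPLE_POSTCONF is constructed, not a poster's real config.
"""
import re

# Parameters that name domains for local or virtual-mailbox delivery.
LOCAL_CLASSES = ("mydestination", "virtual_alias_domains",
                 "virtual_mailbox_domains")

SAMPLE_POSTCONF = """\
mydestination = server2, localhost.server2, localhost
relay_domains = the.backed-up.domain.tld
virtual_mailbox_domains = hash:/etc/postfix/vdomains, the.backed-up.domain.tld
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
"""


def parse_postconf(text):
    """Return {parameter: [values]} from 'name = v1, v2 v3' lines."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = [v for v in re.split(r"[,\s]+", value) if v]
    return params


def is_table(value):
    """True for lookup tables such as hash:/path or mysql:/path."""
    return re.match(r"[a-z0-9_]+:", value) is not None


def audit_backup_mx(text, domain):
    """Report how `domain` is classified on a backup MX.

    Returns a dict with:
      relayed        - domain is named inline in relay_domains
      conflicts      - local-delivery parameters that also name it inline
      unresolved     - (parameter, table) pairs that need a manual lookup
      recipient_maps - relay_recipient_maps is set (valid recipients known)
    """
    params = parse_postconf(text)
    domain = domain.lower()
    conflicts, unresolved = [], []
    for name in LOCAL_CLASSES:
        for value in params.get(name, []):
            if is_table(value):
                unresolved.append((name, value))
            elif value.lower() == domain:
                conflicts.append(name)
    return {
        "relayed": domain in [v.lower() for v in params.get("relay_domains", [])],
        "conflicts": conflicts,
        "unresolved": unresolved,
        "recipient_maps": bool(params.get("relay_recipient_maps")),
    }


if __name__ == "__main__":
    domain = "the.backed-up.domain.tld"
    report = audit_backup_mx(SAMPLE_POSTCONF, domain)
    print("in relay_domains:", report["relayed"])
    for name in report["conflicts"]:
        print(f"CONFLICT: {domain} is also listed in {name}")
    for name, table in report["unresolved"]:
        print(f"check by hand: postmap -q {domain} {table}   # {name}")
    if not report["recipient_maps"]:
        print("relay_recipient_maps is not set")
```

Variables such as `$mydestination` are not expanded here, so run it on the output of `postconf -n` and follow up on every table it lists.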


Re: sasl auth LOGIN / PLAIN

2017-09-01 Thread postfix

On 09/01/2017 04:25 PM, mj wrote:
> Hi,
>
> Just a small question: we currently use postfix with sasl authentication,
> and following many docs, we have enabled PLAIN and LOGIN authentication.
>
> However, googling leads me to believe that LOGIN is mostly used by
> Outlook Express, and that most (or all?) modern clients support the
> PLAIN mechanism.
>
> I also noticed that most failed authentication attempts are done using
> LOGIN.
>
> Now, assuming that most of these failed authentications are simply
> username/password guessing... how many problems would I expect, if I
> simply only offer PLAIN mechanism?
>
> It's hard to find info on what clients use what auth type. So, are
> all/most modern clients capable of doing PLAIN? (thunderbird, outlook
> 2010/2013) so could I simply disallow LOGIN?
>
> MJ


As far as I know, outlook does only LOGIN, even: because of outlook the 
LOGIN mechanism was introduced.


suomi


Re: sasl auth LOGIN / PLAIN

2017-09-01 Thread Patrick Ben Koetter
* postfix :
> On 09/01/2017 04:25 PM, mj wrote:
> > Just a small question: we currently use postfix with sasl authentication,
> > and following many docs, we have enabled PLAIN and LOGIN authentication.
> > 
> > However, googling leads me to believe that LOGIN is mostly used by
> > Outlook Express, and that most (or all?) modern clients support the
> > PLAIN mechanism.
> > 
> > I also noticed that most failed authentication attempts are done using
> > LOGIN.
> > 
> > Now, assuming that most of these failed authentications are simply
> > username/password guessing... how many problems would I expect, if I
> > simply only offer PLAIN mechanism?
> > 
> > It's hard to find info on what clients use what auth type. So, are
> > all/most modern clients capable of doing PLAIN? (thunderbird, outlook
> > 2010/2013) so could I simply disallow LOGIN?

Thunderbird:
PLAIN, DIGEST-MD5
Outlook 20**:
LOGIN, NTLM

> As far as I know, outlook does only LOGIN, even: because of outlook the
> LOGIN mechanism was introduced.

That is correct.

p@rick

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: Munich, District Court Munich: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
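
An added example (not from any poster in this thread): before withdrawing LOGIN, the successful and failed SASL lines that Postfix smtpd logs can be tallied per mechanism, showing which authenticated users depend on it and where the failures come from. The log lines, addresses and helper names (`tally`, `users_needing`) are constructed, and the patterns assume the default Postfix log wording.

```python
"""Tally SASL mechanisms in Postfix smtpd logs.

Added example; SAMPLE_LOG is constructed and uses documentation addresses.
"""
import re
from collections import Counter, defaultdict

# Successful login: "<queue-id>: client=host[ip], sasl_method=M, sasl_username=U"
OK_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: \w+: client=\S+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<mech>[\w-]+), sasl_username=(?P<user>\S+)")
# Failed login: "warning: host[ip]: SASL M authentication failed: ..."
FAIL_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>[\w-]+) authentication failed")

SAMPLE_LOG = """\
Sep  1 09:00:01 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=pc1.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Sep  1 09:00:07 mx postfix/smtpd[2102]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Sep  1 09:00:09 mx postfix/smtpd[2102]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Sep  1 09:02:30 mx postfix/submission/smtpd[2110]: 5B2C3D4E5F: client=pc2.example.org[192.0.2.11], sasl_method=LOGIN, sasl_username=bob@example.org
Sep  1 09:03:12 mx postfix/smtpd[2115]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Sep  1 09:04:00 mx postfix/smtpd[2120]: 6C3D4E5F60: client=pc2.example.org[192.0.2.11], sasl_method=LOGIN, sasl_username=bob@example.org
"""


def tally(log_text):
    """Return (failed per mechanism, failed per client IP, users per mechanism)."""
    failed = Counter()
    failed_by_ip = Counter()
    users_by_mech = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failed[m["mech"]] += 1
            failed_by_ip[m["ip"]] += 1
            continue
        m = OK_RE.search(line)
        if m:
            users_by_mech[m["mech"]].add(m["user"])
    return failed, failed_by_ip, users_by_mech


def users_needing(mech, users_by_mech):
    """Users whose every successful login used `mech`; they break if it is removed."""
    others = set().union(*(u for k, u in users_by_mech.items() if k != mech))
    return sorted(users_by_mech.get(mech, set()) - others)


if __name__ == "__main__":
    failed, failed_by_ip, users_by_mech = tally(SAMPLE_LOG)
    print("failed attempts per mechanism:", dict(failed))
    print("top failing clients:", failed_by_ip.most_common(3))
    print("users who only ever authenticate with LOGIN:",
          users_needing("LOGIN", users_by_mech))
```

A non-empty last list means real accounts would stop authenticating once LOGIN is no longer offered, whatever share of the failures it accounts for.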