Re: Questions about mynetworks_style parameter in main.cf
On 03/10/17 16:31, Viktor Dukhovni wrote:
> Various platforms support newer, cleaner APIs to the same ends.
> The documentation of mynetworks_style may be a bit out of date,
> Postfix may well by now be able to find secondary IP addresses
> of interfaces, even when not associated with a separate logical
> interface.

So it would seem that the reference to ifconfig should be ignored at this point and probably removed from the docs?

Peter
ACL permission to move into different folder
Hi friends,

I've set an ACL for two users (two primary email addresses, no aliases), where these users must not be able to delete email from the IMAP server. Now I would like to add (from the client) the ability to move any incoming mail into a different directory, if possible into an existing directory chosen by me.

These are the settings in /etc/dovecot/dovecot.acl:

* user=f...@mydomain.com lrwsip
* user=i...@mydomain.com lrwsip

Is it possible? I've read https://wiki2.dovecot.org/ACL but I've not found a solution.

Many many thanks!
Davide
how to reject disabled LDAP users
Hi,

Our postfix mail server is a FreeIPA client. What this means is that user accounts are kept on a separate FreeIPA server, but they are real Linux accounts on the mail server. The "id" and "getent passwd" commands work on the mail server and return user id and group membership information. (FreeIPA is Red Hat's implementation of identity management, http://www.freeipa.org/page/About)

The FreeIPA server also has an LDAP service, and so far it has been used for virtual address expansion. For example, if a message is sent to test.u...@example.net, then postfix does an LDAP lookup for mail attribute "test.u...@example.net" and delivers to the "uid" result attribute "testuser". If the LDAP lookup fails, then postfix attempts to deliver to the local user "testuser" mailbox anyway. To say it otherwise, LDAP lookup failure is not a fatal error and postfix still attempts to deliver locally.

Now I would like to change this and include a check for account validity (and/or group membership). Say, if an account is disabled (LDAP attribute nsAccountLock=TRUE) and the LDAP lookup fails, then postfix should not attempt to deliver locally and should reject the message instead. Is it possible to achieve this and keep the current configuration relatively intact? (i.e., keep local_transport=local:$myhostname) I understand that I can change local_transport to "local_transport=virtual", but this brings in many other changes.

I appreciate your time spent on this. Thank you. "postconf -nf" output and ldap-virtual.cf file attached.

Kind regards,
Ivars
Re: ACL permission to move into different folder
On 10/3/2017 7:33 AM, Davide Marchi wrote:
> Hi friends,
> I've set ACL for two user (two primary email address, no alias),
> where these users must not be able to delete email from imap server.
> Now I would like to add (from the client) the ability to move any
> incoming mail into different directory, if possible into an existing
> directory chosen by me.
>
> These are the settings on /etc/dovecot/dovecot.acl:
>
> * user=f...@mydomain.com lrwsip
> * user=i...@mydomain.com lrwsip
>
> is it possible?
>
> I've read https://wiki2.dovecot.org/ACL but I've not found a solution.
>
> many many thanks!
>
> Davide

This is the postfix users list. You'll probably get more help on the dovecot users list.

-- 
Noel Jones
Re: Questions about mynetworks_style parameter in main.cf
> On Oct 2, 2017, at 7:27 PM, Peter wrote:
>
>> On 03/10/17 09:09, J Doe wrote:
>> In man I see that the "subnet" option for "mynetworks_style" is
>> listed as being supported in Postfix < 3.0. Does this mean that
>> post-Postfix 3.0 this option is deprecated ?
>
> The full line in the docs you're referencing is:
> (default: Postfix >= 3.0: host, Postfix < 3.0: subnet)
>
> That means that the default for this changed in postfix 3.0. It does
> not refer to support for the subnet setting.

Hi Peter,

Ah, you are right! Somehow my eye missed the "default" at the beginning. Thank you for pointing this out.

- J
Re: Questions about mynetworks_style parameter in main.cf
> On Oct 2, 2017, at 11:31 PM, Viktor Dukhovni wrote:
>
>>> On Oct 2, 2017, at 7:27 PM, Peter wrote:
>>>
>>> With ifconfig being deprecated on Linux, does that mean that network
>>> settings specified with newer commands that replace ifconfig will not
>>> work ?
>>
>> I'm not entirely sure, but I would venture to say that it means that
>> ifconfig libraries are used to fetch the IPs and subnets on the system.
>
> There are no "ifconfig libraries". There's the original socket API,
> which provides the SIOCGLIFCONF, SIOCGIFCONF ioctls() to retrieve
> the list of interfaces and one IP address per logical interface.
>
> Various platforms support newer, cleaner APIs to the same ends.
> The documentation of mynetworks_style may be a bit out of date,
> Postfix may well by now be able to find secondary IP addresses
> of interfaces, even when not associated with a separate logical
> interface.

Hi Viktor,

Thank you for the clarification regarding ifconfig "libraries" and thanks for the link to the SCM - I will browse git later today.

- J
Re: ACL permission to move into different folder
On 2017-10-03 17:06, Noel Jones wrote:
[..]
> This is the postfix users list. You'll probably get more help on the
> dovecot users list.
>
> -- 
> Noel Jones

Oops, sorry to all!

Thanks
Re: how to reject disabled LDAP users
On Tuesday 03 October 2017 at 18:24 +0530, Ivars Strazdiņš wrote:
> Hi,
> our postfix mail server is FreeIPA client. What this means is that
> user accounts are kept on a separate FreeIPA server, but they are
> real linux accounts on the mail server. "id" and "getent passwd"
> commands work on mail server and return user id and group membership
> information. (FreeIPA is RedHat implementation of identity
> management, http://www.freeipa.org/page/About)
> FreeIPA server also has LDAP service, and so far it has been used for
> virtual address expansion. For example, if a message is sent to
> test.u...@example.net, then postfix does LDAP lookup for mail attribute
> "test.u...@example.net" and deliver to "uid" result attribute
> "testuser". If LDAP lookup fails, then postfix attempts to deliver to
> local user "testuser" mailbox anyway.
> To say otherwise, LDAP lookup failure is not a fatal error and
> postfix still attempts to deliver locally.
>
> Now I would like to change this and include a check for account
> validity (and/or group membership).
> Say, if account is disabled (LDAP attribute
> nsAccountLock=TRUE) and LDAP lookup fails, then postfix
> should not attempt to deliver locally and reject message instead.
> Is it possible to achive this and keep current configuration
> relatively intact? (i.e., keep local_transport=local:$myhostname)
> I understand that I can change local_transport to
> "local_transport=virtual", but this brings in many other changes.
>
> I appreciate your time spent on this. Thank you. "postconf -nf"
> output and ldap-virtual.cf file attached.
>
> Kind regards,
> Ivars

Hello,

You may add a transport(5) table that returns "error:locked account msg" if nsAccountLock is true on the given address ("error:" untested on my side, I use discard).

I have such a table in my config:

query_filter = (&(|(mail=%s)(mailAlternateAddress=%s))(qmailDotMode=discard))
result_attribute = uid
result_format = discard:

(Actually I discard mails, I do not reject them.)

It's plugged in main.cf like this:

transport_maps = ldap:/etc/postfix/ldap-trash.cf, ldap:/etc/postfix/ldap-virtual-transport.cf, ldap:/etc/postfix/ldap-local-transport.cf

Regards,

-- 
Bastien Durel
DATA
Enterprise data integration, decision-support information systems.
bastien.du...@data.fr
tel : +33 (0) 1 57 19 59 28
fax : +33 (0) 1 57 19 59 73
12 avenue Raspail, 94250 GENTILLY France
www.data.fr
Re: how to reject disabled LDAP users
> On Oct 3, 2017, at 8:54 AM, Ivars Strazdiņš wrote:
>
> For example, if a message is sent to test.u...@example.net, then postfix does
> LDAP lookup for mail attribute "test.u...@example.net" and deliver to "uid"
> result attribute "testuser". If LDAP lookup fails, then postfix attempts to
> deliver to local user "testuser" mailbox anyway.
> To say otherwise, LDAP lookup failure is not a fatal error and postfix still
> attempts to deliver locally.
>
> Now I would like to change this and include a check for account validity
> (and/or group membership).
> Say, if account is disabled (LDAP attribute nsAccountLock=TRUE) and LDAP
> lookup fails, then postfix should not attempt to deliver locally and reject
> message instead.
> Is it possible to achive this and keep current configuration relatively
> intact? (i.e., keep local_transport=local:$myhostname)
> I understand that I can change local_transport to "local_transport=virtual",
> but this brings in many other changes.

See

http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/postconf.5.html#local_recipient_maps

Remove unix:passwd.byname from local_recipient_maps or otherwise ensure that it only matches the users you want to accept mail for. If all the users in question are listed in virtual_alias_maps (which is implicitly applicable to every address class), then use an essentially empty table for local_recipient_maps.

With a sufficiently recent Postfix, you could use something like:

local_recipient_maps = inline:{ postmaster=root }

-- 
Viktor.
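A concrete configuration for both approaches discussed in this thread (Bastien's transport_maps redirect and Viktor's local_recipient_maps filter), written as an added example; it is neither poster's configuration. The LDAP server name, search base, bind settings, group DN and port are assumptions and must be checked against the real FreeIPA directory with ldapsearch before use.

```conf
# /etc/postfix/ldap-local-recipients.cf   (added example)
# Server, base DN and anonymous bind are assumptions.  "bind = no" assumes
# the directory lets anonymous clients read uid, mail and nsAccountLock;
# otherwise set bind_dn / bind_pw to a dedicated read-only account.
server_host = ldap://ipa.example.net
server_port = 389
version = 3
start_tls = yes
bind = no
search_base = cn=users,cn=accounts,dc=example,dc=net
# Postfix looks up the full address, then the bare local part, then @domain.
# %s is the lookup key, %u its local part (or the whole key when there is
# no @).  A user matches only when the account is NOT locked; FreeIPA
# leaves nsAccountLock absent on active accounts, and the negation covers
# "attribute missing" as well as "FALSE".
query_filter = (&(|(uid=%u)(mail=%s))(!(nsAccountLock=TRUE)))
result_attribute = uid
# Variant that also requires membership of an (assumed) mail group:
# query_filter = (&(|(uid=%u)(mail=%s))(!(nsAccountLock=TRUE))(memberOf=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=net))

# /etc/postfix/ldap-locked-transport.cf   (added example, transport_maps variant)
# Same server settings as above; the filter is inverted so that only
# locked accounts match, and the constant result hands the message to the
# error(8) delivery agent.  No %s in result_format, so the text is literal.
server_host = ldap://ipa.example.net
server_port = 389
version = 3
start_tls = yes
bind = no
search_base = cn=users,cn=accounts,dc=example,dc=net
query_filter = (&(|(uid=%u)(mail=%s))(nsAccountLock=TRUE))
result_attribute = uid
result_format = error:account is disabled

# main.cf   (only the lines that change; domain is an assumption)
mydestination = $myhostname, localhost.$mydomain, localhost, example.net
local_transport = local:$myhostname
# unix:passwd.byname is deliberately gone, so a getent-visible but locked
# account is unknown to smtpd and gets 550 at RCPT TO.  $alias_maps stays
# so that root, postmaster and other aliases(5) names remain deliverable.
local_recipient_maps = ldap:/etc/postfix/ldap-local-recipients.cf $alias_maps
unknown_local_recipient_reject_code = 550
# Second line of defence for mail that enters without an smtpd RCPT check
# (sendmail(1), pickup); this one is accepted first and then bounced.
transport_maps = ldap:/etc/postfix/ldap-locked-transport.cf

# Check before reload (expected: "testuser" for an active account, no
# output for a locked or unknown one, in both the full and bare form):
#   postmap -q testuser@example.net ldap:/etc/postfix/ldap-local-recipients.cf
#   postmap -q testuser            ldap:/etc/postfix/ldap-local-recipients.cf
#   postmap -q lockeduser          ldap:/etc/postfix/ldap-locked-transport.cf
```

The two tables fail in different directions. local_recipient_maps is consulted at RCPT TO, so a locked account is refused before the message body is taken and no bounce is generated. transport_maps only acts after the message has been accepted, so the sender receives a bounce instead (backscatter if the sender was forged); it is useful as a backstop for locally submitted mail but should not be the primary control. If the LDAP server is unreachable, Postfix treats the lookup as a temporary error and answers 451 at RCPT TO rather than falling back to local delivery, which is the fail-closed behaviour the question asks for.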
Re: How to fake Per-Recipient Data Responses (PRDR)?
On 10/2/2017 11:47 AM, Noel Jones wrote:
> Yes, for sure. Extra recipients will get a 4xx response. Note this may
> *severely* delay deliveries, depending on the sender's retry policy. If
> a message arrives with 100 recipients, the sender will need to retry 99
> times, which will likely take a very long time.

On 02.10.17 12:03, Kevin A. McGrail wrote:
> Agreed about the delay. I accept once and reinject internally with a
> milter so there is no delay and 1 email with 100 recipients becomes 100
> emails. But it's nice to know this option exists because it might be
> helpful for store and queue internal purposes. Thanks for pointing it out!

What about rejected e-mail? Do you generate bounces or simply drop them?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows found: (R)emove, (E)rase, (D)elete
Re: How to fake Per-Recipient Data Responses (PRDR)?
On Oct 2, 2017, at 11:47 AM, Noel Jones wrote:
> Note this may *severely* delay deliveries, depending on the sender's
> retry policy. If a message arrives with 100 recipients, the sender will
> need to retry 99 times, which will likely take a very long time.

On 02.10.17 12:09, Viktor Dukhovni wrote:
> It violates SMTP standards. Interoperable SMTP servers are required to
> accept up to 100 recipients per envelope (message delivery). Do not
> cripple SMTP. Make sure your anti-abuse measures do not impede legitimate
> email. Avoid techniques that impose behaviour changes on legitimate email
> senders.

Agreed. However I know one legitimate reason to do this: accept spam on the abuse@ mailbox (may be a spam report), while refusing it for others.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Silvester Stallone: Father of the RISC concept.
Re: How to fake Per-Recipient Data Responses (PRDR)?
> On Oct 3, 2017, at 1:22 PM, Matus UHLAR - fantomas wrote:
>
> Agreed. However I know one legitimate reason to do this:
> accept spam on abuse@ mailbox (may be spam report), while refuse for others.

Sure, you can indeed force mail to "abuse@" and/or "postmaster@" into a separate envelope from all other recipients, by tempfailing these at "RCPT TO" if any other recipients have been accepted, and tempfailing all other recipients after these have been accepted.

Such a policy does not overly fragment multi-recipient messages, and if you have multiple MX hosts, will typically just cause the rest of the envelope to be accepted (or rejected) in its entirety when retried at the next alternate MX.

This does not require PRDR, just tempfail mixtures of spam-lover and spam-hater recipients in the same envelope, but only works if you have just two recipient classes; any more, and it starts becoming unreliable and too costly for legitimate senders.

-- 
Viktor.
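The two-class envelope split described above needs per-envelope state, which plain smtpd restrictions cannot keep, so it is naturally done in an SMTPD policy service (SMTPD_POLICY_README). The following is an added example of such a service, not code from Viktor or from Postfix. The spam-lover local parts, the listening port, the check_policy_service placement and the reply text are assumptions.

```python
#!/usr/bin/env python3
"""Postfix SMTPD policy service that keeps abuse@/postmaster@ out of the same
envelope as any other recipient (added example; not part of Postfix).

Hook it up in main.cf (assumed values), as the LAST recipient restriction so
that a DUNNO here is as close as possible to "Postfix accepted the recipient":

    smtpd_recipient_restrictions = permit_mynetworks,
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:10040
"""
import socketserver
import threading
from collections import OrderedDict

SPAM_LOVER_LOCALPARTS = {"abuse", "postmaster"}   # assumption: the two "spam-lover" boxes
MAX_TRACKED_ENVELOPES = 10000                      # bound memory; old envelopes are evicted
DEFER_TEXT = "DEFER 4.7.1 Please send mail for this recipient in a separate envelope"


def parse_request(text):
    """Turn the 'name=value' lines of one policy request into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            continue
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def recipient_class(address):
    """Classify a recipient: 'spam-lover' (abuse@, postmaster@) or 'other'."""
    local_part = address.rsplit("@", 1)[0] if "@" in address else address
    return "spam-lover" if local_part.lower() in SPAM_LOVER_LOCALPARTS else "other"


class EnvelopeSplitter:
    """Remembers, per envelope (Postfix 'instance'), the class accepted first."""

    def __init__(self):
        self._first_class = OrderedDict()
        self._lock = threading.Lock()

    def decide(self, attrs):
        if attrs.get("request") != "smtpd_access_policy" or attrs.get("protocol_state") != "RCPT":
            return "DUNNO"
        instance = attrs.get("instance", "")
        cls = recipient_class(attrs.get("recipient", ""))
        with self._lock:
            # recipient_count is how many recipients Postfix has accepted so far in
            # this envelope.  Zero means nothing stuck (e.g. a later restriction
            # rejected the recipient we said DUNNO to), so start afresh.
            if attrs.get("recipient_count") == "0":
                self._first_class.pop(instance, None)
            first = self._first_class.get(instance)
            if first is None:
                self._first_class[instance] = cls
                while len(self._first_class) > MAX_TRACKED_ENVELOPES:
                    self._first_class.popitem(last=False)
                return "DUNNO"
            return "DUNNO" if first == cls else DEFER_TEXT


class PolicyHandler(socketserver.StreamRequestHandler):
    splitter = EnvelopeSplitter()   # shared across connections and threads

    def handle(self):
        # Postfix may reuse one connection for many requests; each request is a
        # block of name=value lines terminated by an empty line.
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            action = self.splitter.decide(parse_request("\n".join(lines)))
            self.wfile.write(("action=%s\n\n" % action).encode("utf-8"))
            self.wfile.flush()


if __name__ == "__main__":
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler)
    server.serve_forever()
```

The service only ever defers (4xx), never rejects, so a sender that mixes abuse@ with ordinary recipients loses one retry interval, not the message; with several MX hosts the retry usually lands on another MX that accepts the remainder in one go. The recipient_count check matters: the daemon cannot see what Postfix decided after it answered DUNNO, and without the reset a recipient rejected later by Postfix would still block the other class for the rest of the envelope.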
Skip AV scan for outbound email
I collect spam emails and submit them in batches to a group that works to reduce spam. I'm running the combination of postfix, amavisd-new, clamav, and spamassassin. Some of the batches of spam contain viruses and when amavisd scans them my submission is blocked and quarantined. Is there a way to do any of the following?

a) eliminate the amavisd or clamav scan for mail addressed to a specific recipient or from a specific sender

b) eliminate the clamav scan for all outbound traffic

c) eliminate the amavisd scan for all outbound traffic but keeping it active for inbound messages

Thanks,
Jon

-- 
Jon H. LaBadie                 j...@jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)
Re: Skip AV scan for outbound email
On 10/3/2017 2:12 PM, Jon LaBadie wrote:
> I collect spam emails and submit them in batches to
> a group that works to reduce spam. I'm running the
> combination of postfix, amavisd-new, clamav, and
> spamassassin. Some of the batches of spam contain
> viruses and when amavisd scans them my submission
> is blocked and quarantined. Is there a way to do
> any of the following?
>
> a) eliminate the amavisd or clamav scan for mail
> addressed to a specific recipient or from a
> specific sender
>
> b) eliminate the clamav scan for all outbound
> traffic
>
> c) eliminate the amavisd scan for all outbound
> traffic but keeping it active for inbound
> messages
>
> Thanks,
> Jon

If your batch is already on the server, the simplest way is to submit your spam/virus batch to the postfix reinjection port, bypassing amavisd completely. Use a command line SMTP tool such as mini_sendmail to send the mail to -p 10025 or whatever port you use.

If you need to submit these over the network to postfix, set up a separate postfix listener in master.cf with no filtering. Require authentication and/or restrict the port to specific clients.
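What the two listeners Noel describes look like in master.cf, as an added example rather than either poster's configuration. The port numbers, the reporting host's address and the choice of SASL plus TLS are assumptions; the reinjection entry follows the shape of the FILTER_README example.

```conf
# master.cf (added example).  Port numbers, 192.0.2.10 and the SASL/TLS
# choice are assumptions.
#
# 1) The existing reinjection listener that amavisd hands mail back to.
#    Loopback only, no content_filter, and no relaying for anyone outside
#    mynetworks.  A batch script on the same host (mutt with
#    smtp_url=smtp://127.0.0.1:10025/, or mini_sendmail -p 10025) lands here
#    and never reaches the scanner.
127.0.0.1:10025 inet  n  -  n  -  -  smtpd
    -o syslog_name=postfix/reinject
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_relay_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

# 2) A separate unfiltered submission port for batches sent over the
#    network.  Whoever can speak SMTP to this port bypasses amavisd,
#    clamav and spamassassin, so it is locked down two ways: the client
#    address must be the reporting host AND the session must authenticate
#    over TLS.  Do not widen mynetworks on the 10025 entry for this.
192.0.2.1:10587 inet  n  -  n  -  -  smtpd
    -o syslog_name=postfix/nofilter
    -o content_filter=
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o mynetworks=192.0.2.10/32
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# After editing:  postfix reload
# Verify what each service actually runs with:
#   postconf -Mf 127.0.0.1:10025/inet
#   postconf -Mf 192.0.2.1:10587/inet
# and confirm from an unauthorised host that 192.0.2.1:10587 refuses both
# the connection (client restriction) and any RCPT without AUTH.
```

The reinjection port skips recipient validation and milters on purpose, because the message already went through them before it reached amavisd; that is exactly why it must stay on loopback. The network-facing entry keeps those checks, drops only the content_filter, and requires both a known source address and authentication, so a leaked password alone or a spoofed address alone is not enough to turn it into an unscanned relay.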
Re: Skip AV scan for outbound email
On Tue, Oct 03, 2017 at 03:21:13PM -0500, Noel Jones wrote:
> On 10/3/2017 2:12 PM, Jon LaBadie wrote:
> > I collect spam emails and submit them in batches to
> > a group that works to reduce spam. I'm running the
> > combination of postfix, amavisd-new, clamav, and
> > spamassassin. Some of the batches of spam contain
> > viruses and when amavisd scans them my submission
> > is blocked and quarantined. Is there a way to do
> > any of the following?
> >
> > a) eliminate the amavisd or clamav scan for mail
> > addressed to a specific recipient or from a
> > specific sender
> >
> > b) eliminate the clamav scan for all outbound
> > traffic
> >
> > c) eliminate the amavisd scan for all outbound
> > traffic but keeping it active for inbound
> > messages
> >
> > Thanks,
> > Jon
>
> If your batch is already on the server, the simplest way is to
> submit your spam/virus batch to the postfix reinjection port,
> bypassing amavisd completely. Use a command line SMTP tool such as
> mini_sendmail to send the mail to -p 10025 or whatever port you use.

Thank you Noel, nice approach. I am already using mutt in a script to send the batches as attachments. It uses a customized muttrc file and all I had to do was add

set smtp_url=smtp://127.0.0.1:10025

Jon

-- 
Jon H. LaBadie                 jlaba...@acm.org
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)