Log connection time on smtpd disconnect

2018-05-09 Thread Markus Benning
Hi,

I recently had to analyse slow/long held connections
on postfix servers.
Parsing the logs for connect/disconnect lines can take
some time if you have a lot of logs.
So I patched the smtpd to log the connection time with
the disconnect stats:

May  9 10:30:07 server01 postfix/smtpd[1234]: disconnect from remotehost.example.com[1.2.3.4] ehlo=1 mail=1 rcpt=0/1 commands=2/3 conn_time=13

(connection took 13 seconds)

Would this be useful for others too and should it be considered for
inclusion in postfix?

Markus
-- 
Markus Benning, https://markusbenning.de/
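
For comparison, the connect/disconnect pairing that a logged conn_time would make unnecessary, as an added example that is not part of the original post or of Postfix. The log lines are constructed, and the year is an assumption because classic syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample in the syslog format shown in the post.
SAMPLE_LOG = """\
May  9 10:29:54 server01 postfix/smtpd[1234]: connect from remotehost.example.com[1.2.3.4]
May  9 10:29:58 server01 postfix/smtpd[1300]: connect from slow.example.net[5.6.7.8]
May  9 10:30:07 server01 postfix/smtpd[1234]: disconnect from remotehost.example.com[1.2.3.4] ehlo=1 mail=1 rcpt=0/1 commands=2/3
May  9 10:35:02 server01 postfix/smtpd[1300]: disconnect from slow.example.net[5.6.7.8] ehlo=1 commands=1
May  9 10:35:10 server01 postfix/smtpd[1301]: disconnect from orphan.example.org[9.9.9.9] commands=0/0
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<event>connect|disconnect) from (?P<client>\S+)"
)

def connection_times(log_text, year=2018):
    """Pair connect/disconnect lines per (host, pid); return (client, seconds)."""
    open_conns = {}   # (host, pid) -> (client, connect time)
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # The timestamp has no year, so the assumed one is prepended.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["pid"])
        if m["event"] == "connect":
            open_conns[key] = (m["client"], ts)
        elif key in open_conns:
            client, start = open_conns.pop(key)
            if client == m["client"]:
                results.append((client, int((ts - start).total_seconds())))
        # A disconnect with no recorded connect (e.g. rotated log) is skipped.
    return results

def slow_connections(log_text, threshold=60):
    """Connections held open for at least `threshold` seconds."""
    return [(c, s) for c, s in connection_times(log_text) if s >= threshold]

if __name__ == "__main__":
    for client, seconds in connection_times(SAMPLE_LOG):
        print(f"{client} conn_time={seconds}")
```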


private/????????????????????????????????

2018-05-09 Thread Erwin van de Pol
List,

I have got a really strange issue with my transport table:

I use a regexp transport table, which contains about 100 entries.

When sending an email to a specific address: t...@bla.blabla.com

I get following error:

postfix/qmgr[12390]: warning: connect to transport
private/  smtp: No such file or directory

All other entries from transport table work...

The entry in transport table:

/^.*@bla.blabla.com/   smtp:[10.10.10.1]


Re: Subject Regular expressión

2018-05-09 Thread Emanuel

Here again :-( I need to match this: Reference No: PP-425-168-292

I use this regex: ^Reference No: PP-[0-9][0-9][0-9]+(-[0-9]+)*.

but it does not work.

I check this regex with grep and it works fine, but in Postfix it does not.

grep -E "^Reference No: PP-[0-9][0-9][0-9]+(-[0-9]+)*.$" test.txt

Reference No: PP-425-168-292

warning: header Subject: Reference No: PP-425-168-292

/^Subject: ^Reference No: PP-[0-9][0-9][0-9]+(-[0-9]+)*.$/ DISCARD

any ideas?


On 17/04/18 at 14:39, Phil Stracchino wrote:

On 04/17/18 13:33, Emanuel wrote:

my idea is to limit the possibilities of the regular expression

by indicating only * there is an infinite number of possibilities

I've been having no luck with a simple regex to match strings with 64 or
less characters.

In a Perl-compatible regular expression, you want something like this:

/.{,64}(your linked profile)/





--


Re: Subject Regular expressión

2018-05-09 Thread Petri Riihikallio

> i check this regex with grep, it work fine but in postfix no.
> 
> grep -E "^Reference No: PP-[0-9][0-9][0-9]+(-[0-9]+)*.$" test.txt
> 
> Reference No: PP-425-168-292
> 
> warning: header Subject: Reference No: PP-425-168-292
> 
> /^Subject: ^Reference No: PP-[0-9][0-9][0-9]+(-[0-9]+)*.$/ DISCARD
> 
> any ideas?

- In the last example you have a caret at the beginning of both Subject and
Reference.
- There is a period at the end between the asterisk and dollar sign. That means
there has to be exactly one character after the last number. Is this a
requirement?

You could simplify it as "Reference No: PP(-[0-9]+)+" unless it is mandatory
that the first group of digits is exactly three characters. If they all are you
could use {3,3} instead of the first plus. You could also use {1,3} if they are
variable length. You can do the same to the second plus as it is the count of
groups including the dash.

(I didn’t test any of these. It’s been a while since I last wrote regexps so I 
might be rusty.)
-- 
Cheers
Petri
https://metis.fi/en/petri
tel:+358400505939






Re: Subject Regular expressión

2018-05-09 Thread Ghislain Adnet

hi,

  Warning: no regex will work if the subject is encoded; with more and more emoji and UTF8/accents in them, your
success rate will be low if you do not control the subject type (plain text).


regards,
Ghislain.
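
The two points raised in this thread, as an added example that is not part of any of the posts: the doubled caret in the posted pattern, and a table matching the raw header line, so an RFC 2047 encoded Subject does not match. Python's re module stands in for the Postfix regexp table (an assumption; the syntax used here behaves the same), and the header lines are constructed.

```python
import base64
import re
from email.header import decode_header, make_header

# The thread's pattern with the second "^" and the trailing "." removed, as the
# reply above suggests.
FIXED = re.compile(r"^Subject: Reference No: PP-[0-9][0-9][0-9]+(-[0-9]+)*$")
# The pattern as posted: "^" after "Subject: " can never match mid-line.
POSTED = re.compile(r"^Subject: ^Reference No: PP-[0-9][0-9][0-9]+(-[0-9]+)*.$")

# Constructed header lines carrying the same subject in three encodings.
TEXT = "Reference No: PP-425-168-292"
PLAIN = "Subject: " + TEXT
B64 = "Subject: =?utf-8?B?" + base64.b64encode(TEXT.encode()).decode() + "?="
QP = "Subject: =?utf-8?Q?Reference_No=3A_PP-425-168-292?="

def raw_match(header_line, pattern=FIXED):
    """Match the header exactly as transmitted, which is what the table sees."""
    return pattern.search(header_line) is not None

def decoded_match(header_line, pattern=FIXED):
    """Match after RFC 2047 decoding of the header value."""
    name, _, value = header_line.partition(": ")
    decoded = str(make_header(decode_header(value)))
    return pattern.search(f"{name}: {decoded}") is not None

def report():
    """(label, raw match, decoded match) for each constructed header."""
    samples = [("plain", PLAIN), ("base64", B64), ("quoted-printable", QP)]
    return [(label, raw_match(h), decoded_match(h)) for label, h in samples]

if __name__ == "__main__":
    print("posted pattern on plain header:", raw_match(PLAIN, POSTED))
    for row in report():
        print(row)
```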


Ptr DNS and domains

2018-05-09 Thread Tobias Koeck
Hi,

if I want to use several domains on my Postfix server does every domain need
a unique PTR DNS entry to a unique IP or is it enough to set up $myhostname
to the main domain?

smtp_helo_name = $myhostname
smtpd_proxy_ehlo = $myhostname

Greetings
Tobias


RE: Ptr DNS and domains

2018-05-09 Thread Fazzina, Angelo
Hi, I would think if you are relaying mail for multiple domains then you may 
not need to.
I relay/handle mail for many sub domains of uconn.edu and some don’t have PTR 
records.

If it is not a sub domain I think you should follow best practice, and my guess 
is yes you want DNS configured as completely as possible.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Tobias Koeck
Sent: Wednesday, May 9, 2018 11:36 AM
To: postfix-users@postfix.org
Subject: Ptr DNS and domains

Hi,

if I want to use several domains on my Postfix server do every domain need a 
unique PTR DNS entry to an unique IP or is it enough to setup $myhostname to 
the main domain?

smtp_helo_name = $myhostname
smtpd_proxy_ehlo = $myhostname

Greetings
Tobias



Re: Ptr DNS and domains

2018-05-09 Thread Viktor Dukhovni


> On May 9, 2018, at 11:36 AM, Tobias Koeck  wrote:
> 
> if I want to use several domains on my Postfix server do every domain need a 
> unique PTR DNS entry to an unique IP or is it enough to setup $myhostname to 
> the main domain?

1. Though IP addresses can map to multiple PTR records, this is not a good idea.
   Publish exactly one primary name for each IP address via a single PTR record.

2. When handling multiple domains, it is much better to use a single MX hostname
   for them all:

   foo.example. IN MX 0 smtp.example.net.
   bar.example. IN MX 0 smtp.example.net.
   baz.example. IN MX 0 smtp.example.net.
   ...

   Put all the indirection into the MX record, rather than use (outside the SMTP
   standard) CNAMEs in the MX hostname, or define multiple hostnames with the
   same underlying IP addresses.

The myhostname setting of a Postfix MTA should ideally be a non-CNAME that maps
to its A/ records.

-- 
Viktor.



Re: Ptr DNS and domains

2018-05-09 Thread Tobias Koeck
On Wed, May 9, 2018 at 5:59 PM, Viktor Dukhovni wrote:

> Publish exactly one primary name for each IP address via a single PTR
> record.

Sounds great but doesn't that mean I need exactly one unique public IP for
every domain? If I 'skip' the PTR records completely how likely is emails
will be bounced back?

Greetings and thanks
Tobias

> --
> Viktor.
>
>


Re: Ptr DNS and domains

2018-05-09 Thread Viktor Dukhovni


> On May 9, 2018, at 12:11 PM, Tobias Koeck  wrote:
> 
>> Publish exactly one primary name for each IP address via a single PTR record.
>  
> Sounds great but doesn't that mean I need exactly one unique public IP for 
> every domain? If I 'skip' the PTR records completely how likely is emails 
> will be bounced back?

No.  All it means is that each IP address reverse maps to one name.  No more,
no less.  This has nothing to do with the domains you receive mail for, or
whose mail you route outbound.

-- 
Viktor.



verify mail fom after authentication

2018-05-09 Thread Stanislas LEVEAU

Hi,

I would like to verify the mail from address after authentication.


I set up an LDAP authentication for my users that works very well. It's OK.

smtp inet  n   -   n   -   -   smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_local_domain=ac-caen.fr
    -o smtpd_sasl_application_name=smtpd
    -o broken_sasl_auth_clients=yes
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_authenticated_header=no
    -o smtpd_helo_required=yes
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject




In a second step I allow the email addresses of the account to send
messages only from the addresses of their account. I added this
configuration and it works very well, but currently it is too
restrictive for my users, so I am looking for a less restrictive solution.


    -o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-loginsasl.cf
    -o smtpd_sender_restrictions=reject_sender_login_mismatch


File /etc/postfix/ldap-loginsasl.cf

server_host = ldap.domain.fr
server_port = 389
bind = no
search_base = ou=domain,c=fr
query_filter = (&(objectclass=inetMailUser)(|(mail=%s)(mailAlternateAddress=%s)(mailEquivalentAddress=%s)))

result_attribute = uid, mail, mailAlternateAddress, mailEquivalentAddress
domain = domain1.fr, domain2.fr
version = 3



My less restrictive solution is, that only the addresses (MAIL FROM) of 
my domains (ldap verification) can send mails even if they are not 
attached to the authenticated account and the addresses of another 
domain are rejected.



I did that but it does not work. I think it's not a good solution. I had
*check_sender_access*


-o smtpd_recipient_restrictions=check_sender_access ldap:/etc/postfix/sender-list.cf,permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject



File /etc/postfix/sender-list.cf :

server_host = ldap.domain.fr
server_port = 389
bind = no
search_base = ou=domain,c=fr
query_filter = (&(objectclass=inetMailUser)(|(mail=%s)(mailAlternateAddress=%s)(mailEquivalentAddress=%s)))

result_attribute = uid, mail, mailAlternateAddress, mailEquivalentAddress
domain = domain1.fr, domain2.fr
version = 3


do you have an idea?

regards



Re: private/????????????????????????????????

2018-05-09 Thread Viktor Dukhovni


> On May 9, 2018, at 5:26 AM, Erwin van de Pol  wrote:
> 
> I use a regexp transport table, which contains about 100 entries.

Many users struggle to produce robust regular expressions, this is best
avoided.

> When sending an email to a specific address: t...@bla.blabla.com 
> 
> I get following error:
> 
> postfix/qmgr[12390]: warning: connect to transport 
> private/  smtp: No such file or directory

This resolved to a transport with lots of unprintable characters before "smtp",
perhaps non-printing characters that your editor does not display.

> All other entries from transport table work...
> 
> The entry in transport table:
> 
> /^.*@bla.blabla.com/   smtp:[10.10.10.1]

Try:

/@bla\.blabla\.com$/ smtp:[10.10.10.1]

making sure that the apparent whitespace between the pattern and the
result is actually composed of just SPACEs and TABs, and not other
invisible characters.

-- 
Viktor.
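
One way to run the check described above over a regexp transport table, as an added example that is not part of the reply or of Postfix. The table is constructed; the NO-BREAK SPACE in its first line is an assumption about the cause, since the thread does not show the actual bytes. The pattern warnings mirror the differences between the posted entry and the suggested one.

```python
import re

# Constructed table. Line 1 has the shape of the entry from the thread, with
# NO-BREAK SPACE (U+00A0) where the whitespace appears to be.
SAMPLE_TABLE = (
    "/^.*@bla.blabla.com/\u00a0\u00a0\u00a0smtp:[10.10.10.1]\n"
    "/@bla\\.blabla\\.com$/ smtp:[10.10.10.1]\n"
    "# constructed comment line\n"
    "/@other\\.example$/\tsmtp:[10.10.10.2]\n"
)

def split_entry(line):
    """Split '/pattern/flags<sep>result' into (pattern, separator, result)."""
    i = 1
    while i < len(line) and line[i] != "/":
        i += 2 if line[i] == "\\" else 1        # step over escaped characters
    pattern = line[1:i]
    rest = line[i + 1:]
    rest = rest[re.match(r"[imx]*", rest).end():]   # regexp_table flags
    j = 0
    while j < len(rest) and not "!" <= rest[j] <= "~":
        j += 1                                  # anything that is not visible ASCII
    return pattern, rest[:j], rest[j:]

def check_table(text):
    """Return (line number, problem) pairs for /pattern/ result entries."""
    findings = []
    for n, line in enumerate(text.split("\n"), 1):
        if not line.startswith("/"):
            continue            # blanks, comments; if/endif forms are not covered
        pattern, sep, result = split_entry(line)
        odd = [c for c in sep if c not in " \t"]
        odd += [c for c in result if not " " <= c <= "~"]
        if odd:
            names = ", ".join(sorted({f"U+{ord(c):04X}" for c in odd}))
            findings.append((n, f"non-SPACE/TAB invisible characters: {names}"))
        if re.search(r"(?<!\\)\.(?![*+?{])", pattern):
            findings.append((n, "unescaped '.' matches any character"))
        if not pattern.endswith("$"):
            findings.append((n, "pattern is not anchored with '$'"))
    return findings

if __name__ == "__main__":
    for lineno, problem in check_table(SAMPLE_TABLE):
        print(f"line {lineno}: {problem}")
```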



dkim appair twice

2018-05-09 Thread Maurizio Caloro
Hello

Please, I don't understand why my DKIM result appears twice?

 

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=caloro.ch; s=mail;
t=1525915627; bh=o/rYrKxw/+ndhuZDfXCm7/KqiRRQm1XdBuvSJRaf+S8=;
h=From:To:Subject:Date:From;
b=d/KxFnMoTyVW9Qm4r3UEGM8E7Bmy/74vsa5Y9m/93Vt6yjMWsqVIWB+6TBrOntSLa
2LZmu4/1N+vD1OY6ir6Vnd93kxFkMajrOfInkBoi3YWqsxrw7rnjWrF/6CDhEnnc3Z
B9M9LEVf3cuVTx7cGuw7JnABlC6Rc2MtrSf2ccYA=
From: <***@caloro.ch  >
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=caloro.ch; s=mail;
t=1525915627; bh=o/rYrKxw/+ndhuZDfXCm7/KqiRRQm1XdBuvSJRaf+S8=;
h=From:To:Subject:Date:From;
b=d/KxFnMoTyVW9Qm4r3UEGM8E7Bmy/74vsa5Y9m/93Vt6yjMWsqVIWB+6TBrOntSLa
2LZmu4/1N+vD1OY6ir6Vnd93kxFkMajrOfInkBoi3YWqsxrw7rnjWrF/6CDhEnnc3Z
B9M9LEVf3cuVTx7cGuw7JnABlC6Rc2MtrSf2ccYA=

 



Re: dkim appair twice

2018-05-09 Thread Benny Pedersen

Maurizio Caloro wrote on 2018-05-10 04:04:

> Please i dont understand why me dkim result will appair twice ?

This happens when opendkim does not know what is originating mail or
incoming mail.

The last one is resulting in forged signing.

# cat main.cf

milter_opendkim = inet:[127.0.0.1]:8891
milter_opendmarc = inet:[127.0.0.1]:8893
milter_protocol = 6
non_smtpd_milters = $milter_opendkim
smtpd_milters = $milter_opendkim,$milter_opendmarc

# cat master.cf
submission inet  n   -   n   -   -   smtpd
 -o milter_macro_daemon_name=ORIGINATING
 
smtps  inet  n   -   n   -   -   smtpd
 -o milter_macro_daemon_name=ORIGINATING
 

# cat opendkim.conf
#
MTA ORIGINATING


Re: Log connection time on smtpd disconnect

2018-05-09 Thread @lbutlr
On 2018-05-09 (02:46 MDT), Markus Benning  wrote:
> 
> May  9 10:30:07 server01 postfix/smtpd[1234]: disconnect from
> remotehost.example.com[1.2.3.4] ehlo=1 mail=1 rcpt=0/1 commands=2/3
> conn_time=13
> 
> (connection took 13 seconds)
> 
> Would this be usefull for others too and should it be considered for
> inclusion in postfix?


How much does this differ from the value in delays= ?

-- 
I WILL NOT GREASE THE MONKEY BARS Bart chalkboard Ep. 7F17



Re: Log connection time on smtpd disconnect

2018-05-09 Thread Viktor Dukhovni


> On May 9, 2018, at 11:00 PM, @lbutlr  wrote:
> 
> How much does this differ from the value in delays= ?

It is unrelated.

-- 
Viktor.



Re: not able to telnet on port 25 for second instances

2018-05-09 Thread ahsan2011
Thanks this worked


I put in the below lines and kept this value blank for 2nd , 3rd and 4th
instances.
master_service_disable = 





--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html