Replace subject with recipient localpart for one domain
My Postfix server handles messages for a dozen domains. For one of these domains, I want the subject replaced with the recipient's local part, so something like this, but put in a format that Postfix understands:

    # domain3.com is the one recipient domain we want affected by this rule
    # $recipient_name the recipient localpart, so "joe" if the recipient is j...@domain3.com
    IF $recipient_domain = 'domain3.com'
    REPLACE $subject WITH $recipient_name
    ENDIF

I think I need to set up a smtp_header_checks file, but the more I look at it the harder my head hurts.

Thanks for your help.

--
John Schmerold
Katy Computer Systems, Inc
https://katycomputer.com
St Louis
Re: "max_use=1" does not work at a situation
kawakami:
> Hi all,
>
> Setting "max_use=1" on /etc/master.cf, but the same process ID was
> assigned to different connections(postfix/smtpd process) at particular
> situation.

SHOW LOGS.
Preventing domain impersonation
:-)

Let's assume my hostname is 'sth.mydomain.tld'

The following configuration:

    #-
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_sender_access hash:/etc/postfix/sender_checks_my,
        ...

    # cat /etc/postfix/sender_checks_my
    sth.mydomain.tld    554 Please enable SMTP AUTH
    #-

accepts mail from '...@sth.mydomain.tld' only from authenticated users or the hosts specified by the 'mynetworks' list.

I'm wondering if there is a simple way of extending the list of hosts that may send me e-mails with '...@sth.mydomain.tld' as the sender address to my whole network (let's say '1.2.3.4/24') but without modifying the 'mynetworks' (which AFAIK grants much more privileges) list.

What takes precedence in the case of:

    # cat /etc/postfix/sender_checks_my
    1.2.3.4/24          OK
    sth.mydomain.tld    554 Please enable SMTP AUTH

? Is there any other way? Thanks!

Best regards,
Marek
Re: Replace subject with recipient localpart for one domain
On 8/27/2020 5:58 AM, Gregory Heytings wrote:
>> My Postfix server handles messages for a dozen domains. For one of these domains, I want the subject replaced with the recipient's local part, so something like this, but put in a format that Postfix understands:
>>
>>     # domain3.com is the one recipient domain we want affected by this rule
>>     # $recipient_name the recipient localpart, so "joe" if the recipient is
>>     # j...@domain3.com
>>     IF $recipient_domain = 'domain3.com'
>>     REPLACE $subject WITH $recipient_name
>>     ENDIF
>>
>> I think I need to set up a smtp_header_checks file, but the more I look at it the harder my head hurts.
>
> That's not possible alas, see the section BUGS at http://www.postfix.org/header_checks.5.html :
>
> "Many people overlook the main limitations of header and body_checks rules. These rules operate on one logical message header or one body line at a time. A decision made for one line is not carried over to the next line."
>
> IOW, the only thing you can do with smtp_header_checks is to replace a Subject: line with another Subject: line, possibly based on the contents of the original Subject: line if you use regexp backreferences. But there is no way to use the recipient name or domain in such rules. For cases like the one you have in mind, it is necessary to use a milter.
>
> Gregory

Thank you for saving me some head scratching. It wouldn't be the end of the world to spin up an Exim VM (its system_filtering is capable of this black magic), but would prefer staying in Postfix. Do you have a milter in mind for this task?
Re: Preventing domain impersonation
On 27.08.2020 at 14:30:21, Marek Kozlowski wrote:
> The following configuration:
>
>     #-
>     smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         check_sender_access hash:/etc/postfix/sender_checks_my,
>         ...

What does "check_sender_access" do in smtpd_recipient_restrictions? According to documentation, you can have "check_recipient_access" there, but not "check_sender_access".

> accepts mail from '...@sth.mydomain.tld' only from authenticated
> users or the hosts specified by the 'mynetworks' list.

Looks like a bad idea. Suppose someone is sending mail from u...@sth.mydomain.tld to some address that is forwarding mail back to anotheru...@sth.mydomain.tld. Under your assumptions, you will reject that mail requiring authentication.

This is not an abstract example. One of the large email providers in Poland that you probably know (Onet) was once configured in such a way that it required authentication for *all* incoming mail if the sender was from @poczta.onet.pl (yes, it required authentication on port 25 - I don't know if it's still configured that way). I was at that time managing an email server at some university. A lot of people forwarded mail from their university account to private accounts and some of them had accounts at Onet. When someone else with an account at Onet sent them mail to their university address, they didn't receive the email that was forwarded to their private account, because it was rejected by Onet.

>     # cat /etc/postfix/sender_checks_my
>     1.2.3.4/24          OK
>     sth.mydomain.tld    554 Please enable SMTP AUTH

What is an IP address doing in "check_sender_access" table? As the documentation says, "check_sender_access" does the following:

"Search the specified access(5) database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action."

I don't see any IP addresses mentioned here.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: Preventing domain impersonation
On 27 Aug 2020, at 9:26, Jaroslaw Rafa wrote:
> What does "check_sender_access" do in smtpd_recipient_restrictions? According to documentation, you can have "check_recipient_access" there, but not "check_sender_access".

Incorrect. From `man 5 postconf`:

    smtpd_recipient_restrictions (default: see postconf -d output)
        Optional restrictions that the Postfix SMTP server applies in the
        context of a client RCPT TO command, after smtpd_relay_restrictions.
        See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
        restriction lists" for a discussion of evaluation context and time.

        [...]

        Other restrictions that are valid in this context:

        o  Generic restrictions that can be used in any SMTP command
           context, described under smtpd_client_restrictions.

        o  SMTP command specific restrictions described under
           smtpd_client_restrictions, smtpd_helo_restrictions and
           smtpd_sender_restrictions.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: Feature suggestion: hook support for specific events?
Wietse Venema wrote in
<4bcnlx0tr4zj...@spike.porcupine.org>:
|Steffen Nurpmeso:
|> Wietse Venema wrote in
|> <4bcgr00pr0zj...@spike.porcupine.org>:
|>|Steffen Nurpmeso:
|>|> It would be great if a hook could be called for such events. Even
|>|> a simple fork+detach+exec+forget approach would be really great,
|>|> with an event indicator and an IP address as an argument.
|>|
|>|We don't do ad-hoc special-case solutions.
|>
|> Yes. That is good. But, on the other hand, trying to create
|> a very generic interface can become an endless undertaking.
|
|No, it doesn't. But, as this thread has already demonstrated, doing

Yes, i tend to disagree. Say you want to have a generic object tree based MIME parser / representation, doing this really right requires a lot of infrastructure, like string objects, collection objects, configurable / hookable memory allocation routines, even the basic plain old data types (even though today one could use stdint). Of course an approach to I/O. You possibly want to have generic iteration support that is able for the MIME tree as well as for all the collection objects. You possibly want a generically usable event/sender mechanism. All the objects need a properly designed interface to make themselves generically usable, you need documentation, and, of course, unit tests.

You end up needing an entire infrastructure, and you surely want to extend usage of this infrastructure to the entire application. That is a major undertaking. On the other hand, once you have it, you can walk pretty joyfully from there on, more or less. I think dovecot just created another I/O stream encapsulation layer (i have forgotten the details from their announcement), and this seems to have been pretty straightforward (i track the sources for some years, check in the releases ball-by-ball into git(1), and can then see the diff easily, and did, out of interest).

|a proper job does take more thought than a quick fix. Fred Brooks
|estimated the cost difference between an ad-hoc program versus
|code that is part of a maintainable system.

In Germany we say "Zu viele Köche verderben den Brei", "too many cooks ruin|adulterate|.. the pulp". (I have not read the book.)

|In this case, it would require a logging API that takes a 'server
|state' argument, plus a callback function that serializes that server
|state as name-value pairs along with the error message. It should
|probably be JSON format, but other loss-free formats would work, too.

I think this is unfair. In the meantime i have seen a few lines of postfix code in smtpd and xsasl (and a bit milter), and i have seen a lot of code duplication where msg*() and smtp_chat_reply() come in pairs (but not always), at least. I have seen C preprocessor statements which define strings, and then assignment of these CPP macros to some state variable, but the same string fully spelled out as a part of some logging / reply (??), thus with the potential of running out of sync. A lot of in-string definitions of SMTP codes, where possibly generic CPP macros could also be used (and would be searchable more easily). Just to mention it.

A new feature would be new and could be clean, _of_course_. A generic [logging] API could also replace all things which currently exist, say, replace

    msg_warn("Refusing STARTTLS request from %s for service %s",
             state->namaddr, state->service);
    smtpd_chat_reply(state,
             "454 4.7.0 Error: too many new TLS sessions from %s",
             state->namaddr);

with a hypothetical

    smtp_emit(state, 454 | ERROR | CHAT | WARN | WARN_APPEND_SERVICE,
             "4.7.0 too many TLS .. %s",
             "Refusing STARTTLS request from %s",
             state->namaddr);

which could then be dispatched to several things, including msg_warn, smtp_chat_reply as well as a generic notification mechanism (however changing the message to "Refusing STARTTLS request from %s (service XX)"). I do not know whether this is really possible.

And serializing the entire state is tough. JSON, puh. :-) I like traditional binary, like A\0B\0\0. Or CBOR, a nice (JSON) binary format. However, i see, postfix already does some JSON, in postqueue.

Have you ever heard of libxo? FreeBSD makes use of it and changed many of its traditional UNIX applications, the output format can now be controlled via command line, they can output text, xml or json (maybe even cbor now). I never used the possibilities (my scripts must run on several systems). This library uses format strings almost identical to the well known C etc format strings, converting an entire application from one to the other should not be too problematic, is possibly even doable with automatic help.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: Preventing domain impersonation
Hi,

we utilize something along these lines. And yes: the forwarding problem needs to be addressed.

in main.cf:

    smtpd_sender_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_authenticated_sender_login_mismatch,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/check_sender_access.hash.cf,
        permit

in check_sender_access.hash.cf:

    ## list of exceptions
    # a subdomain that sends mail for $reason, this is what you wanted?
    somesubdomain.volkshilfe-ooe.at OK
    # external systems that send mail to us with fake address
    someserv...@volkshilfe-ooe.at
    # recipients that need forwards (buggy list software from a partner)
    u...@volkshilfe-ooe.at
    ...
    # require auth
    volkshilfe-ooe.at REJECT authentication required

The hash map is versatile enough for our use.

But this method has seen better days... 3,4 years ago this nuked like 80-90% of incoming spam. Now it's below 5% of incoming traffic. Not sure if I would implement it now again (was worth it when we implemented it though).

It works only if you have a small number of users that need forwarding back to you.

Regards,
rupi

--
Rainer Ruprechtsberger
Volkshilfe Oberösterreich IT
4020 Linz, Glimpfingerstrasse 48
Tel.: +43 732 3405 123
Mobile: +43 676 8734 1123
ZVR number: 064371505
Volkshilfe. We are there for the people.
Re: Replace subject with recipient localpart for one domain
> My Postfix server handles messages for a dozen domains. For one of these domains, I want the subject replaced with the recipient's local part, so something like this, but put in a format that Postfix understands:
>
>     # domain3.com is the one recipient domain we want affected by this rule
>     # $recipient_name the recipient localpart, so "joe" if the recipient is
>     # j...@domain3.com
>     IF $recipient_domain = 'domain3.com'
>     REPLACE $subject WITH $recipient_name
>     ENDIF
>
> I think I need to set up a smtp_header_checks file, but the more I look at it the harder my head hurts.

That's not possible alas, see the section BUGS at http://www.postfix.org/header_checks.5.html :

"Many people overlook the main limitations of header and body_checks rules. These rules operate on one logical message header or one body line at a time. A decision made for one line is not carried over to the next line."

IOW, the only thing you can do with smtp_header_checks is to replace a Subject: line with another Subject: line, possibly based on the contents of the original Subject: line if you use regexp backreferences. But there is no way to use the recipient name or domain in such rules. For cases like the one you have in mind, it is necessary to use a milter.

Gregory
Re: Replace subject with recipient localpart for one domain
On 27 Aug 2020, at 8:43, John Schmerold wrote:
> On 8/27/2020 5:58 AM, Gregory Heytings wrote:
>>> My Postfix server handles messages for a dozen domains. For one of these domains, I want the subject replaced with the recipient's local part, so something like this, but put in a format that Postfix understands:
>>>
>>>     # domain3.com is the one recipient domain we want affected by this rule
>>>     # $recipient_name the recipient localpart, so "joe" if the recipient is
>>>     # j...@domain3.com
>>>     IF $recipient_domain = 'domain3.com'
>>>     REPLACE $subject WITH $recipient_name
>>>     ENDIF
>>>
>>> I think I need to set up a smtp_header_checks file, but the more I look at it the harder my head hurts.
>>
>> That's not possible alas, see the section BUGS at http://www.postfix.org/header_checks.5.html :
>>
>> "Many people overlook the main limitations of header and body_checks rules. These rules operate on one logical message header or one body line at a time. A decision made for one line is not carried over to the next line."
>>
>> IOW, the only thing you can do with smtp_header_checks is to replace a Subject: line with another Subject: line, possibly based on the contents of the original Subject: line if you use regexp backreferences. But there is no way to use the recipient name or domain in such rules. For cases like the one you have in mind, it is necessary to use a milter.
>>
>> Gregory
>
> Thank you for saving me some head scratching. It wouldn't be the end of the world to spin up an Exim VM (its system_filtering is capable of this black magic), but would prefer staying in Postfix. Do you have a milter in mind for this task?

MIMEDefang could do it: a few lines of Perl in the filter() callback.

However, I feel the need to say this: EWWW!

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: One Domain to Remote Email Gateway
I did not get this solution started in the proper direction -- sorry. I believe the following solution is closer:

main.cf:

    sender_dependent_relayhost_maps = regexp:/etc/postfix/sender_relay.regexp

sender_relay.regexp:

    /@raystedman\.org$/    [smtp-relay.gmail.com]

This should relay email where the from email address contains the domain @raystedman.org to smtp-relay.gmail.com. I need this relay to use a specific ip address to separate bulk and transactional email onto different ip addresses. How can I accomplish this?

Thanks, Greg
www.RayStedman.org

On Wed, Aug 26, 2020 at 1:43 PM Greg Sims wrote:
>
> I would like to separate our bulk email and transactional email on
> different ip addresses. All of the transactional email will be sent
> to a remote email gateway for delivery. This gateway is authenticated
> by ip address.
>
> It seems that I need to add an entry to my transport.regexp so all
> email for our domain uses a specific transport:
>
>     /@raystedman\.org$/    raystedman:
>
> Then create an smtp process in master.cf to bind a specific ip address:
>
>     raystedman unix - - n - - smtp
>         -o smtp_bind_address=xxx.xxx.xxx.234
>         -o smtp_helo_name=mail0.raystedman.org
>         -o syslog_name=raystedman
>
> Now I need this smtp process to deliver to the email gateway which is:
> smtp-relay.gmail.com. How can I associate this gateway address with
> the raystedman: transport?
>
> Thanks, Greg
> www.RayStedman.org
Re: One Domain to Remote Email Gateway
Greg Sims:
> I did not get this solution started in the proper direction -- sorry.
> I believe the following solution is closer:
>
> main.cf:
>
>     sender_dependent_relayhost_maps = regexp:/etc/postfix/sender_relay.regexp
>
> sender_relay.regexp:
>
>     /@raystedman\.org$/    [smtp-relay.gmail.com]
>
> This should relay email where the from email address contains the
> domain @raystedman.org to smtp-relay.gmail.com. I need this relay to
> use a specific ip address to separate bulk and transactional email
> onto different ip addresses. How can I accomplish this?

main.cf:

    sender_dependent_default_transport_maps = hash:/etc/postfix/sender_relay

sender_relay:

    @raystedman.org    smtp-raystedman:[smtp-relay.gmail.com]

master.cf:

    smtp-raystedman unix .. .. .. .. .. smtp
        -o { smtp_bind_address = x.x.x.x }

Wietse
Re: Feature suggestion: hook support for specific events?
Steffen Nurpmeso:
> Wietse Venema wrote in
> <4bcnlx0tr4zj...@spike.porcupine.org>:
> |Steffen Nurpmeso:
> |> Wietse Venema wrote in
> |> <4bcgr00pr0zj...@spike.porcupine.org>:
> |>|Steffen Nurpmeso:
> |>|> It would be great if a hook could be called for such events. Even
> |>|> a simple fork+detach+exec+forget approach would be really great,
> |>|> with an event indicator and an IP address as an argument.
> |>|
> |>|We don't do ad-hoc special-case solutions.
> |>
> |> Yes. That is good. But, on the other hand, trying to create
> |> a very generic interface can become an endless undertaking.
> |
> |No, it doesn't. But, as this thread has already demonstrated, doing
>
> Yes, i tend to disagree.

That's fine. I guess that's why millions use my software.

Wietse
Re: Feature suggestion: hook support for specific events?
Wietse Venema wrote in
<4bcx7t0nfyzj...@spike.porcupine.org>:
|Steffen Nurpmeso:
|> Wietse Venema wrote in
|> <4bcnlx0tr4zj...@spike.porcupine.org>:
|>|Steffen Nurpmeso:
|>|> Wietse Venema wrote in
|>|> <4bcgr00pr0zj...@spike.porcupine.org>:
|>|>|Steffen Nurpmeso:
|>|>|> It would be great if a hook could be called for such events. Even
|>|>|> a simple fork+detach+exec+forget approach would be really great,
|>|>|> with an event indicator and an IP address as an argument.
|>|>|
|>|>|We don't do ad-hoc special-case solutions.
|>|>
|>|> Yes. That is good. But, on the other hand, trying to create
|>|> a very generic interface can become an endless undertaking.
|>|
|>|No, it doesn't. But, as this thread has already demonstrated, doing
|>
|> Yes, i tend to disagree.
|
|That's fine. I guess that's why millions use my software.

Yes, that must be it. But i feel a bit mutilated. Good night.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: Replace subject with recipient localpart for one domain
On 8/27/2020 3:26 PM, Gregory Heytings wrote:
>>>> For cases like the one you have in mind, it is necessary to use a milter.
>>>
>>> Thank you for saving me some head scratching. It wouldn't be the end of the world to spin up an Exim VM (its system_filtering is capable of this black magic), but would prefer staying in Postfix. Do you have a milter in mind for this task?
>>
>> MIMEDefang could do it: a few lines of Perl in the filter() callback.
>
> Yes, that would be the standard milter to do what you want. But if I were you I would ask myself if what you'd like to do is really necessary, and worth the price of maintaining a specific tool for it.
>
> Note also that, if you control more than Postfix, it might be possible to do what you want outside of Postfix. For example, if you have a Dovecot server behind your Postfix, you could do what you want with Sieve filters.
>
> Gregory

My Postfix is managed by Proxmox, they have a filtering solution built into Proxmox Mail Gateway that will allow me to copy the recipient address to the subject line, it's not precisely what I wanted, but we are getting close.

Thanks everyone for your help!
Re: Replace subject with recipient localpart for one domain
>>> For cases like the one you have in mind, it is necessary to use a milter.
>>
>> Thank you for saving me some head scratching. It wouldn't be the end of the world to spin up an Exim VM (its system_filtering is capable of this black magic), but would prefer staying in Postfix. Do you have a milter in mind for this task?
>
> MIMEDefang could do it: a few lines of Perl in the filter() callback.

Yes, that would be the standard milter to do what you want. But if I were you I would ask myself if what you'd like to do is really necessary, and worth the price of maintaining a specific tool for it.

Note also that, if you control more than Postfix, it might be possible to do what you want outside of Postfix. For example, if you have a Dovecot server behind your Postfix, you could do what you want with Sieve filters.

Gregory
Re: Preventing domain impersonation
On Thu, Aug 27, 2020 at 02:30:21PM +0200, Marek Kozlowski wrote:

>     #-
>     smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         check_sender_access hash:/etc/postfix/sender_checks_my,
>         ...

I assume that perhaps you also have "smtpd_relay_restrictions" defined as a safety net, but it is good to see "reject_unauth_destination" safely above the sender checks.

>     # cat /etc/postfix/sender_checks_my
>     1.2.3.4/24          OK
>     sth.mydomain.tld    554 Please enable SMTP AUTH

Well that can't work, because "1.2.3.4/24" is not a sender address, and CIDR syntax doesn't work in a hashed file anyway.

> ? Is there any other way? Thanks!

Yes, there is another way:

main.cf:
    default_database_type = hash
    indexed = ${default_database_type}:${config_directory}/
    cidr = cidr:${config_directory}/

    # See http://www.postfix.org/RESTRICTION_CLASS_README.html
    smtpd_restriction_classes = check_impersonator
    check_impersonator = check_client_access ${cidr}impersonators.cidr

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_sender_access ${indexed}sender_checks_my,
        ...

sender_checks_my:
    # Restricted sender domains
    sth.mydomain.tld    check_impersonator

impersonators.cidr:
    # Order matters, list permitted clients above the final REJECT
    # No need to return "OK", a DUNNO suffices to avoid the reject.
    1.2.3.4/24      DUNNO
    0.0.0.0/0       REJECT 5.7.1 Please enable SASL AUTH

--
    Viktor.
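Added example, not code from any poster in the thread or from Postfix: a simplified Python model of the RCPT TO evaluation discussed above, showing why a CIDR key in the hash-type sender table is never consulted and how the restriction class ties the protected sender domain to the client address. `MYNETWORKS`, `LOCAL_DOMAINS`, the function names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Constructed tables mirroring the configuration in this thread.
MYNETWORKS = ["127.0.0.0/8"]           # assumption: only loopback is trusted
LOCAL_DOMAINS = {"sth.mydomain.tld"}   # assumption: domains this server accepts mail for

# The originally proposed hash table: the CIDR key is dead weight, because
# check_sender_access only looks up keys derived from the MAIL FROM address.
SENDER_CHECKS_PROPOSED = {
    "1.2.3.4/24": "OK",
    "sth.mydomain.tld": "554 Please enable SMTP AUTH",
}

# The restriction-class tables: the sender table names a class, and the class
# consults an ordered CIDR table keyed by client IP (first match wins).
SENDER_CHECKS_MY = {"sth.mydomain.tld": "check_impersonator"}
IMPERSONATORS_CIDR = [
    ("1.2.3.0/24", "DUNNO"),   # network form of the thread's 1.2.3.4/24
    ("0.0.0.0/0", "REJECT 5.7.1 Please enable SASL AUTH"),
]


def cidr_lookup(table, client_ip):
    """Return the action of the first CIDR pattern containing client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for pattern, action in table:
        if ip in ipaddress.ip_network(pattern):
            return action
    return "DUNNO"


def sender_keys(sender):
    """Keys tried for a sender: address, domain, parent domains, localpart@."""
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    return [f"{local}@{domain}", domain, *parents, f"{local}@"]


def check_sender_access(table, sender, client_ip, classes):
    """Look up the sender; expand a restriction class if that is the action."""
    action = next((table[k] for k in sender_keys(sender) if k in table), "DUNNO")
    if action in classes:
        action = cidr_lookup(classes[action], client_ip)
    return action


def rcpt_decision(client_ip, sasl_authenticated, sender, rcpt,
                  sender_table, classes=None):
    """Walk the thread's smtpd_recipient_restrictions list for one RCPT TO.

    Returns (verdict, reason). The restrictions elided as "..." in the thread
    are treated as absent, so reaching the end of the list permits.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in MYNETWORKS):
        return ("permit", "permit_mynetworks")
    if sasl_authenticated:
        return ("permit", "permit_sasl_authenticated")
    if rcpt.lower().rpartition("@")[2] not in LOCAL_DOMAINS:
        return ("reject", "reject_unauth_destination")
    action = check_sender_access(sender_table, sender, client_ip, classes or {})
    if action == "OK":
        return ("permit", "check_sender_access")
    if action == "DUNNO":
        return ("permit", "end of list")
    return ("reject", action)
```

With the proposed hash table, a client inside 1.2.3.0/24 using the protected sender domain is still rejected; with the restriction class it passes while every other unauthenticated client is refused.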
.forward, vacation, and backslash username support
Hi,

Recently I have created a postfix driven (CentOS 8) mail server with dovecot-lda as local delivery agent. We have a small number of users who make use of the vacation program (when they are on leave) so that upon activation, a .forward file is made under the home directory as:

    \username, "|/usr/bin/vacation username"

In the past, sendmail played well when handling "\username". But it comes to my attention that under postfix, it does not seem to honor backslash username which results in mail looping under the postfix server itself.

I have taken a look at some historical discussion, and some were talking about \username is not honored under aliases setting. I would like to know if \username is also not honored under users' .forward files.

Thanks.

Dominic

--
Dominic Lai
Department of Computer Science and Engineering
HKUST
Re: Preventing domain impersonation
On 27 Aug 2020, at 8:30, Marek Kozlowski wrote:
> :-)
>
> Let's assume my hostname is 'sth.mydomain.tld'
>
> The following configuration:
>
>     #-
>     smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         check_sender_access hash:/etc/postfix/sender_checks_my,
>         ...
>
>     # cat /etc/postfix/sender_checks_my
>     sth.mydomain.tld    554 Please enable SMTP AUTH
>     #-
>
> accepts mail from '...@sth.mydomain.tld' only from authenticated users or the hosts specified by the 'mynetworks' list.

Why offer AUTH on port 25 at all? Enable initial mail submission (port 465 with SSL 'wrappermode' and/or port 587 with STARTTLS) with AUTH and disable AUTH for port 25. Removing support for initial mail submission from port 25 SMTP allows for a more tightly defined configuration and depending on what your specific needs are, you may be able to eliminate IP-based authentication altogether.

> I'm wondering if there is a simple way of extending the list of hosts that may send me e-mails with '...@sth.mydomain.tld' as the sender address to my whole network (let's say '1.2.3.4/24') but without modifying the 'mynetworks' (which AFAIK grants much more privileges) list.

Viktor wrote up the standard approach to do what you asked in his reply, using a restriction class.

A simpler solution may be to limit the privilege given to $mynetworks by adding an explicit definition for smtpd_relay_restrictions:

    smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

With that set, the permit_mynetworks directive in smtpd_recipient_restrictions only applies to inbound mail, not relayed mail, so you may feel more comfortable adding more addresses to $mynetworks.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: .forward, vacation, and backslash username support
On Fri, Aug 28, 2020 at 02:04:36AM +, Dominic Lai wrote:

> Recently I have created a postfix driven (CentOS 8)
> mail server with dovecot-lda as local delivery
> agent.

You should explain what you mean by that in detail.

> We have a few number of users who make use
> of vacation program (when they are on leave) so
> that upon activation, a .forward file is made
> under the home directory as:
>
>     \username, "|/usr/bin/vacation username"

Well, aliases(5) and .forward files are processed by the Postfix local(8) delivery agent, and if you replace it with something else, then aliases(5) and .forward files may not be processed at all.

And really the question that you should be asking is how to deliver email both to Dovecot and to a vacation program. The "\username" thing is perhaps a distraction, unless you have no other means to turn the feature on.

--
    Viktor.
Re: .forward, vacation, and backslash username support
On 27 Aug 2020, at 22:04, Dominic Lai wrote:
> Hi,
>
> Recently I have created a postfix driven (CentOS 8) mail server with dovecot-lda as local delivery agent. We have a few number of users who make use of vacation program (when they are on leave) so that upon activation, a .forward file is made under the home directory as:
>
>     \username, "|/usr/bin/vacation username"
>
> In the past, sendmail played well when handling "\username". But it comes to my attention that under postfix, it does not seem to honor backslash username which results in mail looping under the postfix server itself.
>
> I have taken a look at some historical discussion, and some were talking about \username is not honored under aliases setting. I would like to know if \username is also not honored under users' .forward files.
>
> Thanks.

No "historical discussion" is as definitive as the current Postfix aliases man page:

    Lines in per-user .forward files have the same syntax as the
    right-hand side of aliases(5) entries.

Nowhere in that page is any sort of backslash syntax described, so you can count on no such syntax working in any Postfix aliases or .forward file.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: .forward, vacation, and backslash username support
On Thu, Aug 27, 2020 at 11:31:29PM -0400, Bill Cole wrote:

> No "historical discussion" is as definitive as the current Postfix
> aliases man page:
>
>     Lines in per-user .forward files have the same syntax as the
>     right-hand side of aliases(5) entries.
>
> Nowhere in that page is any sort of backslash syntax described, so you
> can count on no such syntax working in any Postfix aliases or .forward
> file.

However, local(8) mentions:

    When an address is found in its own alias expansion, delivery is
    made to the user instead. When a user is listed in the user's own
    ~/.forward file, delivery is made to the user's mailbox instead.
    An empty ~/.forward file means do not forward mail.

So perhaps no "\user" is needed at all. Just "user" does the job, assuming that .forward file is processed at all.

--
    Viktor.
Re: .forward, vacation, and backslash username support
Hi,

On 28/8/2020 11:25 am, Viktor Dukhovni wrote:
> On Fri, Aug 28, 2020 at 02:04:36AM +, Dominic Lai wrote:
>> We have a few number of users who make use
>> of vacation program (when they are on leave) so
>> that upon activation, a .forward file is made
>> under the home directory as:
>>
>>     \username, "|/usr/bin/vacation username"
>
> Well, aliases(5) and .forward files are processed by the Postfix
> local(8) delivery agent, and if you replace it with something else, then
> aliases(5) and .forward files may not be processed at all.
>
> And really the question that you should be asking is how to deliver
> email both to Dovecot and to a vacation program. The "\username" thing
> is perhaps a distraction, unless you have no other means to turn the
> feature on.
>

The mail log reports as follows:

    Aug 28 10:11:36 postfix-server postfix/local[3915542]: 2D8F33028D88: to=, relay=local, delay=0.06, delays=0.05/0/0/0.01, dsn=5.4.6, status=bounced (mail forwarding loop for usern...@postfix-server.mydomain.com)

When I look at dovecot log (I have got mail_log plugins on), and I note that postfix bounced this message even before handling it to dovecot-lda (ie. dovecot-lda does not even record any handling of this transaction).

However, if I changed the .forward as follows:

    username@localhost, "|/usr/bin/vacation username"

Then vacation works, username can also receive a copy of email.

If:

    \username, "|/usr/bin/vacation username"

the sender would receive a mailer bounce complaining of mail forward looping, while vacation part works.

This is why I asked if "\username" is not honored anymore.

Dominic

P.S. : Postfix version - 3.3.1, bundled from CentOS 8 distribution

--
Dominic Lai
Department of Computer Science and Engineering
HKUST
Re: .forward, vacation, and backslash username support
On Fri, Aug 28, 2020 at 03:42:20AM +, Dominic Lai wrote:

> Aug 28 10:11:36 postfix-server postfix/local[3915542]: 2D8F33028D88:
> to=, relay=local,
> delay=0.06, delays=0.05/0/0/0.01, dsn=5.4.6, status=bounced (mail
> forwarding loop for usern...@postfix-server.mydomain.com)
>
> When I look at dovecot log (I have got mail_log plugins on), and
> I note that postfix bounced this message even before handling it
> to dovecot-lda (ie. dovecot-lda does not even record any handling of
> this transaction).
>
> However, if I changed the .forward as follows:
>
>     username@localhost, "|/usr/bin/vacation username"
>
> Then vacation works, username can also receive a copy of email.

This is likely because $myorigin is not listed in $mydestination, and so just a bare "username" in aliases(5) or .forward files is not a reference to an address in the "local" address class.

You either need to ensure that $myorigin is listed in $mydestination, or else to use explicit local domains in .forward files and aliases(5) files as you noted.

--
    Viktor.
Re: .forward, vacation, and backslash username support
Yes, thanks for your suggestion. I tried it and it works.

I kept on thinking that it would work if I just set:

    mydestination = postfix-server.mydomain.com $myhostname

would work (I have set myhostname=postfix-server.mydomain.com). It turns out that I also need to set myorigin, and also need to specifically set "mydestination = $myorigin ".

Now, both \username and |/usr/bin/vacation work as expected!

Thanks!

Dominic

On 28/8/2020 11:47 am, Viktor Dukhovni wrote:
> On Fri, Aug 28, 2020 at 03:42:20AM +, Dominic Lai wrote:
>
>> Aug 28 10:11:36 postfix-server postfix/local[3915542]: 2D8F33028D88:
>> to=, relay=local,
>> delay=0.06, delays=0.05/0/0/0.01, dsn=5.4.6, status=bounced (mail
>> forwarding loop for usern...@postfix-server.mydomain.com)
>>
>> When I look at dovecot log (I have got mail_log plugins on), and
>> I note that postfix bounced this message even before handling it
>> to dovecot-lda (ie. dovecot-lda does not even record any handling of
>> this transaction).
>>
>> However, if I changed the .forward as follows:
>>
>>     username@localhost, "|/usr/bin/vacation username"
>>
>> Then vacation works, username can also receive a copy of email.
>
> This likely because $myorigin is not listed in $mydestination,
> and so just a bare "username" in aliases(5) or .forward files
> is not a reference to an address in "local" address class.
>
> You either need to ensure that $myorigin is listed in
> $mydestination, or else to use explicit local domains
> in .forward files and aliases(5) files as you noted.
>

--
Dominic Lai
Department of Computer Science and Engineering
HKUST
Re: "max_use=1" does not work at a situation
On 2020/08/27 20:54, Wietse Venema wrote:
> kawakami:
>> Hi all,
>>
>> Setting "max_use=1" on /etc/master.cf, but the same process ID was assigned to different connections(postfix/smtpd process) at particular situation.
>
> SHOW LOGS.

Thank you for your reply. Here are the logs I picked out:

    Aug 3 15:10:11 dummy postfix/smtpd[5254]: connect from example.com[X.X.X.X]:56925
    Aug 3 15:10:11 dummy postfix/smtpd[5254]: NOQUEUE: reject: MAIL from example.com[X.X.X.X]:56925: 451 4.7.1 : Sender address rejected: denied temporary; from= proto=ESMTP helo=
    Aug 3 15:10:11 dummy postfix/smtpd[5254]: disconnect from example.com[X.X.X.X]:56925
    Aug 3 15:10:11 dummy postfix/smtpd[5254]: connect from example.net[aa:bb:ccc::e]:15480
    Aug 3 15:10:21 dummy postfix/smtpd[5254]: NOQUEUE: reject: MAIL from example.net[aa:bb:ccc::e]:15480: 451 4.7.1 : Sender address rejected: denied temporary; from= proto=ESMTP helo=
    Aug 3 15:10:26 dummy postfix/smtpd[5254]: lost connection after MAIL from example.net[aa:bb:ccc::e]:15480
    Aug 3 15:10:26 dummy postfix/smtpd[5254]: disconnect from example.net[aa:bb:ccc::e]:15480