[pfx] Question about automatic added headers
Hello, I have a question about the automatic adding of missing headers. Did an experiment with always_add_missing_headers = no. I sent a mail via telnet manually to postfix and checked, what it's forwarding to the next mail server. According to the tcpdump output, a missing Date header seems to be always added, ignoring the always_add_missing_headers option at all. Is this correct? Is there something special about the Date header? Is this a bug or intended behaviour? Thanks for your help! Greetings, Matthias ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Question about automatic added headers
On 20.04.23 09:25, Silamael Darkomen via Postfix-users wrote: I have a question about the automatic adding of missing headers. Did an experiment with always_add_missing_headers = no. I sent a mail via telnet manually to postfix and checked, what it's forwarding to the next mail server. According to the tcpdump output, a missing Date header seems to be always added, ignoring the always_add_missing_headers option at all. Is this correct? Is there something special about the Date header? Is this a bug or intended behaviour? if the always_add_missing_headers is "no", postfix adds headers only when client belongs to local_header_rewrite_clients. the default for local_header_rewrite_clients is "permit_inet_interfaces" which means, the headers are added when you submit mail from the same machine.. try from another IP address. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. WinError #98652: Operation completed successfully. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Question about automatic added headers
On 20 Apr 2023 10:03, Matus UHLAR - fantomas via Postfix-users wrote: On 20.04.23 09:25, Silamael Darkomen via Postfix-users wrote: I have a question about the automatic adding of missing headers. Did an experiment with always_add_missing_headers = no. I sent a mail via telnet manually to postfix and checked, what it's forwarding to the next mail server. According to the tcpdump output, a missing Date header seems to be always added, ignoring the always_add_missing_headers option at all. Is this correct? Is there something special about the Date header? Is this a bug or intended behaviour? if the always_add_missing_headers is "no", postfix adds headers only when client belongs to local_header_rewrite_clients. the default for local_header_rewrite_clients is "permit_inet_interfaces" which means, the headers are added when you submit mail from the same machine.. try from another IP address. Thanks for the hint. I'll give it a try. Greetings, Matthias ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Mailing list is being Spam Filtered by O-365
Is there any chance that SPF and DKIM records could be added to appear in the headers ? The gubba-mint folks are getting extremely medieval about email security. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Mailing list is being Spam Filtered by O-365
White, Daniel E. (GSFC-770.0)[AEGIS] via Postfix-users: > Is there any chance that SPF and DKIM records could be added to > appear in the headers ? The list server adds its own DKIM-Signature: on behalf of the domain postfix.org, AND it adds ARC headers and Authentication-Results: for the message as received before modiification and redistribution. However it does NOT remove existing DKIM-Signature: headers that are no longer matching header and body content. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: 3.8.0: spawn says "command time limit exceeded"
Wietse Venema wrote in <4q21sp16m7zj...@spike.porcupine.org>: |Steffen Nurpmeso via Postfix-users: |> On 3.8.0 services managed via spawn(8) now produce |> |> Apr 19 01:03:04 postfix/spawn[8485]: warning: /usr/libexec/s-postgray: \ |> process id 8486: command time limit exceeded |> Apr 19 14:43:56 postfix/spawn[19651]: warning: /usr/libexec/s-postgray:\ |>process id 19755: command time limit exceeded |> |> log messages, which they did not do in the past. I find this |> irritating, because the service works properly, it does not "hang" |> or fails to give answers, for example: | |The time limit is configured in main.cf. | |You need to figure out the name of the correspnding master.cf |entry, and then add a configuration parameter with that name: | |main.cf: |*name*_time_limit = some suitable number Is there a reason this happens now? I mean, that policy thing is waiting for postfix to ask it something, not vice versa? But ok, will do. Thanks. --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: 3.8.0: spawn says "command time limit exceeded"
Steffen Nurpmeso: > Wietse Venema wrote in > <4q21sp16m7zj...@spike.porcupine.org>: > |Steffen Nurpmeso via Postfix-users: > |> On 3.8.0 services managed via spawn(8) now produce > |> > |> Apr 19 01:03:04 postfix/spawn[8485]: warning: /usr/libexec/s-postgray: \ > |> process id 8486: command time limit exceeded > |> Apr 19 14:43:56 postfix/spawn[19651]: warning: /usr/libexec/s-postgray:\ > |>process id 19755: command time limit exceeded > |> > |> log messages, which they did not do in the past. I find this > |> irritating, because the service works properly, it does not "hang" > |> or fails to give answers, for example: > | > |The time limit is configured in main.cf. > | > |You need to figure out the name of the correspnding master.cf > |entry, and then add a configuration parameter with that name: > | > |main.cf: > |*name*_time_limit = some suitable number > > Is there a reason this happens now? I mean, that policy thing is > waiting for postfix to ask it something, not vice versa? > But ok, will do. Thanks. The spawn daemon has always worked this way. Below is a sample from the Postfix 2.1.0 SMTPD_POLICY_README file, almost 20 years ago. Wietse 1 /etc/postfix/master.cf: 2 policy unix - n n - - spawn 3 user=nobody argv=/some/where/policy-server 4 5 /etc/postfix/main.cf: 6 smtpd_recipient_restrictions = 7 ... 8 reject_unauth_destination 9 check_policy_service unix:private/policy 10 ... 11 policy_time_limit = 3600 ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: *_error_limit and exclude
W dniu 19.04.2023 o 17:23, Wietse Venema via Postfix-users pisze:
natan via Postfix-users:
Hi
I have question about *_error_limit and postfix
I have separated services like
smtp incomming and smtp outgoing and webmail
I have roudcube which is used by several thousand users
On smtp outgoing in main.cf:
...
smtpd_client_connection_count_limit = 900
smtpd_hard_error_limit = 5
smtpd_soft_error_limit = 2
First: your limits are much smaller than the default, and second:
what kinds of errors are causing Postfix to reject commands?
I'd like to exclude all too many errors * for a specific IP
I would like to avoid that in case of any "too many errors" problems
with sending mails from roundcube
Of course, when I find errors, I try to remove them - it's obvious
But in this time I need a sollutions to whitelists thats IP
Some times I get "too many errors after NOOP from zabbix"
In the following case, for example, zabbix has a problem with sending
once in a while
local zabbix admin say they won't do anything about it
zabbix send 3 x times for 1min
Additionally for smtpd_junk_command_limit = ${stress?{1}:{100}}
but problem with too many errors after NOOP from zabbix - sometimes it
shows up
Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
--
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: 3.8.0: spawn says "command time limit exceeded"
Wietse Venema wrote in <4q2khr57flzj...@spike.porcupine.org>: |Steffen Nurpmeso: |> Wietse Venema wrote in |> <4q21sp16m7zj...@spike.porcupine.org>: |>|Steffen Nurpmeso via Postfix-users: |>|> On 3.8.0 services managed via spawn(8) now produce |>|> |>|> Apr 19 01:03:04 postfix/spawn[8485]: warning: /usr/libexec/s-postgray\ |>|> : \ |>|> process id 8486: command time limit exceeded |>|> Apr 19 14:43:56 postfix/spawn[19651]: warning: /usr/libexec/s-postgra\ |>|> y:\ |>|>process id 19755: command time limit exceeded |>|> |>|> log messages, which they did not do in the past. I find this |>|> irritating, because the service works properly, it does not "hang" |>|> or fails to give answers, for example: |>| |>|The time limit is configured in main.cf. |>| |>|You need to figure out the name of the correspnding master.cf |>|entry, and then add a configuration parameter with that name: |>| |>|main.cf: |>|*name*_time_limit = some suitable number |> |> Is there a reason this happens now? I mean, that policy thing is |> waiting for postfix to ask it something, not vice versa? |> But ok, will do. Thanks. | |The spawn daemon has always worked this way. Below is a sample from |the Postfix 2.1.0 SMTPD_POLICY_README file, almost 20 years ago. Yes, but it never logged it with a warning:, which is what this thread is about? I am absolutely fine with postfix rotating the processes, but why warn about my little policy thing, and not about the postfix instance going home, too? | Wietse | | 1 /etc/postfix/master.cf: | 2 policy unix - n n - - spawn | 3 user=nobody argv=/some/where/policy-server | 4 | 5 /etc/postfix/main.cf: | 6 smtpd_recipient_restrictions = | 7 ... | 8 reject_unauth_destination | 9 check_policy_service unix:private/policy |10 ... |11 policy_time_limit = 3600 --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] smtpcheck
Hi
I use keepalived and easy check like:
vrrp_script chk_myscript {
script "/usr/bin/postfix-check.sh"
interval 4
fall 2
weight 10
user root
}
...
#!/bin/bash
echo "ehlo localhost" | /bin/nc -w 1 "127.0.0.1" 25 |grep -q "250"
...
It's not very pretty but do you have any similar solutions?
--
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: smtpcheck
natan wrote in
:
|Hi
|I use keepalived and easy check like:
|
|vrrp_script chk_myscript {
| script "/usr/bin/postfix-check.sh"
| interval 4
| fall 2
| weight 10
| user root
|}
|
|...
|#!/bin/bash
|echo "ehlo localhost" | /bin/nc -w 1 "127.0.0.1" 25 |grep -q "250"
|...
|
|It's not very pretty but do you have any similar solutions?
|--
From localhost either
postfix_watchdog() {
postfix__init
${prog} status >/dev/null 2>&1
[ ${?} -ne 0 ] && postfix_start
}
or
postfix_status() {
# As postfix does not use stdout but console, no
# postfix__init
# ${prog} status 2>&1
name=postfix
eval $(postconf daemon_directory data_directory | tr -d '[ ]')
prog=${daemon_directory}/master
pid=${data_directory}/master.lock
daemons__stat_and_dog n
}
and
daemons__stat_and_dog() {
{
isdog=${1}
exe=${prog}
[ -n "${exe}" ] && exe=' --exec '${exe}
if [ -n "${DAEMONS_SSD_GRACEFUL}" ]; then
${ssd} --status --pidfile ${pid} ${exe}
e=${?}
else
# XXX busybox start-stop-daemon without --status
# XXX After checking "kill -0 $PID" we could "pgrep $exe" and ensure
# XXX $PID is found in output!
if [ -f ${pid} ]; then
i=$(cat ${pid})
if kill -0 ${i} >/dev/null 2>/dev/null; then
e=0
else
e=1
fi
else
e=3
fi
fi
if [ ${isdog} != y ]; then
case ${e} in
0) echo "${name} is running with pid $(cat ${pid})";;
1) echo "${name} is not running but the pid file ${pid} exists";;
3) echo ${name}' is not running';;
4) echo ${name}' is in unknown state';;
esac
elif [ ${e} -ne 0 ]; then
echo >&2 ${name}' watchdog forces start'
if [ ${e} -eq 1 ]; then
rm -f ${pid}
elif [ ${e} -eq 4 ]; then
( eval ${name}_stop ) 2>/dev/null
fi
eval ${name}_start
e=${?}
fi
} 2>&1
return ${e}
}
--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: 3.8.0: spawn says "command time limit exceeded"
Steffen Nurpmeso:
> Wietse Venema wrote in
> <4q2khr57flzj...@spike.porcupine.org>:
> |Steffen Nurpmeso:
> |> Wietse Venema wrote in
> |> <4q21sp16m7zj...@spike.porcupine.org>:
> |>|Steffen Nurpmeso via Postfix-users:
> |>|> On 3.8.0 services managed via spawn(8) now produce
> |>|>
> |>|> Apr 19 01:03:04 postfix/spawn[8485]: warning: /usr/libexec/s-postgray\
> |>|> : \
> |>|> process id 8486: command time limit exceeded
> |>|> Apr 19 14:43:56 postfix/spawn[19651]: warning: /usr/libexec/s-postgra\
> |>|> y:\
> |>|>process id 19755: command time limit exceeded
> |>|>
> |>|> log messages, which they did not do in the past. I find this
> |>|> irritating, because the service works properly, it does not "hang"
> |>|> or fails to give answers, for example:
> |>|
> |>|The time limit is configured in main.cf.
> |>|
> |>|You need to figure out the name of the correspnding master.cf
> |>|entry, and then add a configuration parameter with that name:
> |>|
> |>|main.cf:
> |>|*name*_time_limit = some suitable number
> |>
> |> Is there a reason this happens now? I mean, that policy thing is
> |> waiting for postfix to ask it something, not vice versa?
> |> But ok, will do. Thanks.
> |
> |The spawn daemon has always worked this way. Below is a sample from
> |the Postfix 2.1.0 SMTPD_POLICY_README file, almost 20 years ago.
>
> Yes, but it never logged it with a warning:, which is what this
> thread is about? I am absolutely fine with postfix rotating the
> processes, but why warn about my little policy thing, and not
> about the postfix instance going home, too?
That code has not changed since it was written 23 years ago.
Wietse
Postfix 1.0.0 spawn_command.c:
if ((err = timed_waitpid(pid, &wait_status, 0, args.time_limit)) < 0
&& errno == ETIMEDOUT) {
msg_warn("%s: process id %lu: command time limit exceeded",
args.command, (unsigned long) pid);
kill(-pid, SIGKILL);
err = waitpid(pid, &wait_status, 0);
}
Postfix 3.8.0 spawn_command.c:
if ((err = timed_waitpid(pid, &wait_status, 0, args.time_limit)) < 0
&& errno == ETIMEDOUT) {
msg_warn("%s: process id %lu: command time limit exceeded",
args.command, (unsigned long) pid);
kill(-pid, SIGKILL);
err = waitpid(pid, &wait_status, 0);
}
The last change in that file was in Postfix 3.0, and that was
a cosmetic change.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: *_error_limit and exclude
natan via Postfix-users: > W dniu 19.04.2023 o?17:23, Wietse Venema via Postfix-users pisze: > > natan via Postfix-users: > >> Hi > >> I have question about *_error_limit and postfix > >> > >> I have separated services like > >> smtp incomming and smtp outgoing and webmail > >> > >> I have roudcube which is used by several thousand users > >> > >> On smtp outgoing in main.cf: > >> ... > >> smtpd_client_connection_count_limit = 900 > >> smtpd_hard_error_limit = 5 > >> smtpd_soft_error_limit = 2 > > First: your limits are much smaller than the default, and second: > > what kinds of errors are causing Postfix to reject commands? > > I'd like to exclude all too many errors * for a specific IP > I would like to avoid that in case of any "too many errors" problems > with sending mails from roundcube Why do you have such ridiculously low error limits? Why are there ANY errors at all from Roundcube? It is supposed to be well-behaved software. For the crap client, if they won't fix the client, and you won't fix your error limits, you can configure a different SMTP service in master.cf on a different IP address or port. On a different IP address: master.cf: 1.2.3.5:smtp inet n - n - - smtpd -o smtpd_junk_command_limit=some-huge-number -o smtpd_hard_error_limit=some-huge-number -o smtpd_soft_error_limit=some-huge-number On a different port: master.cf: :2525 inet n - n - - smtpd -o smtpd_junk_command_limit=some-huge-number -o smtpd_hard_error_limit=some-huge-number -o smtpd_soft_error_limit=some-huge-number Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Reject mail by language
On 4/18/23 23:38, Viktor Dukhovni via Postfix-users wrote: > On Wed, Apr 19, 2023 at 11:33:36AM +0800, tom--- via Postfix-users wrote: > >> I got a lot of spams (20+ every day) like the following for which i even >> don't know what language they were. >> > >> مميز المنتدى العربي الثالث > > The script is Arabic. Language is harder for an MTA to deduce. A > priori any of > > - Arabic > - Farsi > - Urdu > - ... > > Though in this case actually Arabic. I'd focus more on the client IP, > sender domain, ... than the content language. If this is a private mail server for only a small number of people, any mail in a script that none of the users can read is almost guaranteed to be spam, and would not be useful even if it wasn’t. -- Sincerely, Demi Marie Obenour (she/her/hers) OpenPGP_0xB288B55FFF9C22C1.asc Description: OpenPGP public key OpenPGP_signature Description: OpenPGP digital signature ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Reject mail by language
fyi if SpamAssassin's in use in your Postfix message flow, then its TextCat plugin, https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_TextCat.html does a decent job of detecting many langs. good enough for scoring but NOT for outright policy reject, here. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: 3.8.0: spawn says "command time limit exceeded"
Wietse Venema via Postfix-users wrote in <4q2l0p03svzj...@spike.porcupine.org>: |Steffen Nurpmeso: |> Wietse Venema wrote in |> <4q2khr57flzj...@spike.porcupine.org>: |>|Steffen Nurpmeso: |>|> Wietse Venema wrote in |>|> <4q21sp16m7zj...@spike.porcupine.org>: |>|>|Steffen Nurpmeso via Postfix-users: |>|>|> On 3.8.0 services managed via spawn(8) now produce |>|>|> |>|>|> Apr 19 01:03:04 postfix/spawn[8485]: warning: /usr/libexec/s-postgr\ |>|>|> ay\ |>|>|>: \ |>|>|> process id 8486: command time limit exceeded ... |>|>|> log messages, which they did not do in the past. I find this ... |>|> Is there a reason this happens now? I mean, that policy thing is ... |>|The spawn daemon has always worked this way. Below is a sample from ... |> Yes, but it never logged it with a warning:, which is what this |> thread is about? I am absolutely fine with postfix rotating the |> processes, but why warn about my little policy thing, and not |> about the postfix instance going home, too? | |That code has not changed since it was written 23 years ago. Hm. Well maybe i simply have not seen the messages in the past, the logs rotate so fast, the only message still there is from "Apr 19 14:43:56", and when i checked my thing via postfix logs i, ..., hm. I really have never seen such a message, consciously. Then sorry for the noise. --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] maillog_file is unintentionally? created with 600 permissions
I was doing some work with postfix logrotation as part of a recent project and ran across what seems to be unintended behavior. When running postfix logrotate the maillog_file is created with 600 permissions which was tripping up a log tail system of ours. I'm working on the log tailer, but looking through the source it appears the maillog_file is intended to have 0644 permissions https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/logwriter.c#L85 Looking into why, the logrotate command calls master -t to trigger creating the new maillog_file https://github.com/vdukhovni/postfix/blob/master/postfix/conf/postfix-script#L431 However the master binary sets a umask of 077 as one of its first actions https://github.com/vdukhovni/postfix/blob/master/postfix/src/master/master.c#L297 According to the docs for open https://man7.org/linux/man-pages/man2/open.2.html The effective mode is modified by the process's umask in the usual way: in the absence of a default ACL, the mode of the created file is (mode & ~umask). The umask setting results in the created maillog_file having a mode of 600 even though it appears it was intended to be 0644 considering it was explicitly set that way in logwriter. I've got ways around this situation, but this seemed like unintended behavior so figured I'd bring it up -David Roe ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Questions for the third party plugins
greetings, do policyd-service (such as rate-limit) and milter (such as opendkim) use the same communication way to postfix? any difference between them? Thanks. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
