odd pickup maildrop permission denied warnings
Hi,

I've got a number of messages (150-200) on each of three mail relays stuck in the maildrop queue generating pickup permission denied warnings as follows:

Jan 3 18:18:29 megalon postfix/pickup[12469]: warning: maildrop/BC4872E769C: Permission denied

The messages are not particularly unusual. The permissions of the maildrop directory are:

drwx-wx--- 2 postfix postdrop 4096 Jan 3 17:30

And the files are all:

-rwx-- 1 postfix postfix 3973 Dec 2 20:19 84AA92E75BC

And I can do 'sudo -u postfix postcat ' on them and see the messages. I can also do postsuper -d on individual messages and delete them that way.

Here is my postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = no
append_dot_mydomain = no
canonical_maps = proxy:ldap:/etc/postfix/ldap-canonical.cf
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 1
default_destination_concurrency_limit = 20
default_process_limit = 150
defer_transports = hold
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 10
local_recipient_maps = $alias_maps proxy:ldap:/etc/postfix/ldap-localrecipient.cf
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_reject_code = 554
maximal_queue_lifetime = 10d
message_size_limit = 1505
mydestination = megalon.clarku.edu clarku.edu muse.clarku.edu iris.clarku.edu alum.clarku.edu black.clarku.edu physics.clarku.edu nmr.clarku.edu planck.clarku.edu cci.clarku.edu
mydomain = clarku.edu
myhostname = megalon.clarku.edu
mynetworks = 140.232.0.0/16, 127.0.0.0/8
mynetworks_style = subnet
myorigin = clarku.edu
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_canonical_maps = proxy:ldap:/etc/postfix/ldap-canonical-mailalternate.cf
relay_domains = clarku.edu
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = hash:/etc/postfix/sender-canonical.cf
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtp_skip_5xx_greeting = no
smtpd_banner = $myhostname NO UCE ESMTP Clark University Mail Relay. Authorized Use only.
smtpd_client_restrictions = reject_rbl_client bl.dnsbl, reject_rbl_client clarkbl.dnsbl, permit_mynetworks,check_client_access hash:/etc/postfix/client_exceptions,permit
smtpd_delay_reject = no
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/relay_hosts, check_recipient_access pcre:/etc/postfix/valid_domains, reject_unauth_destination
soft_bounce = no
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport, proxy:ldap:/etc/postfix/ldap-transport.cf
undisclosed_recipients_header = To: "Undisclosed Recipients"
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-alias.cf

---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
RE: odd pickup maildrop permission denied warnings
Wietse wrote:
>
> The permissions are normal, therefore you have either
>
> - A corrupted file system (not possible, since postcat can read the
>   file).
>
> - Other file OR directory permission attributes that the "ls"
>   command does not show but that allow you to view the files with
>   sudo postcat.
>
> - Other "security" features (SeLinux etc) that don't allow the
>   pickup daemon to open files owned by the postfix user. Such files
>   exist when you move queue files with "postsuper -r".
>
> Wietse

Wietse,

Thank you, it was exactly that. In case this hits anyone else, here's the workaround for SELinux users:

( make sure you are in enforcing mode -- run 'getenforce' -- if not, this is not your issue )

$ /etc/init.d/postfix stop
$ setenforce permissive
$ /etc/init.d/postfix start
{ watch /var/spool/maildrop until it empties out }
$ setenforce enforcing

( the postfix restart is not needed; I just wanted to make sure I triggered a maildrop run as quickly as possible so I could spend the least amount of time in SELinux permissive mode. )

Best,
Aaron

---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
RE: LoadShared Failover
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Michael Maymann
Sent: Thursday, March 29, 2012 4:01 AM
To: postfix-users@postfix.org
Subject: Re: LoadShared Failover

Hi List,

Only problem I see now is when one of the postfix servers dies. Clients will still try to send mails to it as they are DNS RR'ed, but would get no response of course if they hit the dead one. (How) Do I handle this? Or will I just have to live with the time-loss, clients connecting to dead postfix server, gives me when it has to retry?

----
[Aaron Bennett] Or buy a commercial load balancer, or build one out of something like the linux-ha project (http://www.linux-ha.org/wiki/Main_Page).
RE: How to store /var/log/maillog in sql database..?
Look at rsyslog -- it's a syslog daemon (that you might use and not know, it's the native one in a lot of distros). It can log directly to MySQL.

http://www.techrepublic.com/blog/opensource/set-up-rsyslog-to-store-syslog-messages-in-mysql/1174

---
Aaron Bennett
Manager of Systems Administration
Clark University ITS

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Naval saini
Sent: Wednesday, July 25, 2012 5:06 AM
To: postfix-users@postfix.org
Subject: How to store /var/log/maillog in sql database..?

I have configured postfix mail server and I use it for sending mails from my clients. When they send mails some mails are delivered, some are bounced, deferred, expire, and they report me that mails are not delivering. Now I want if we can store to, from address and status of mails in database and can be viewed graphically. Is there any way to accomplish this task.?

--
View this message in context: http://old.nabble.com/How-to-store--var-log-maillog-in-sql-database..--tp34209278p34209278.html
Sent from the Postfix mailing list archive at Nabble.com.
sporadic bouts of lost connections to exchange 2010 hub transport
Hi,

I'm running 2.3.3 on CentOS 5 as a mail relay; most of my mail is delivered to an internal Exchange 2010 environment with two Hub Transport machines clustered behind Windows NLB under the same hostname. I'm seeing sporadic - and by sporadic I mean two or three intervals per month - when all mail relayed to the internal environment fails. Postfix logs:

Sep 24 11:58:01 megalon.clarku.edu postfix/qmgr[28063]: BA1362E778B: to=, relay=none, delay=0.06, delays=0.05/0/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with exchange.clarku.edu[140.232.254.129] while receiving the initial server greeting)

This lasts for a little under 20 minutes and usually affects more than one of our mail relays. I have exempted all of our mail relays from Exchange's rate-limiting, which was my first thought.

I've done a little googling and I keep coming across this article: http://www.heinlein-support.de/blog/mailserver/postfix-verify-liefert-lost-connection-an-exchange-2010-sp1/ . It's in German, but google translate makes enough sense of it that I'm tempted to turn off pipelining to that exchange box anyway even though this isn't verification related.

Anyone hear of this before? It's probably Exchange's fault not postfix. It doesn't happen enough to be a huge problem but it's maddening all the same.

Thanks,
Aaron

---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
RE: sporadic bouts of lost connections to exchange 2010 hub transport
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ralf Hildebrandt
Sent: Tuesday, September 25, 2012 9:30 AM
To: postfix-users@postfix.org
Subject: Re: sporadic bouts of lost connections to exchange 2010 hub transport

* Mikael Bak :
> Hi Stan,
>
> On 09/25/2012 08:22 AM, Stan Hoeppner wrote:
> >
> > Apparently Linux and Windows TCP window scaling doesn't always work
> > reliably together. Try disabling TCP window scaling on the Linux box(en):
> >
> [snip]
>
> Perhaps off topic, but do you have any links to documents or similar
> that proves that there is a problem between the two operating systems
> with regard to TCP window scaling. This is the first time I hear about
> this to be honest.

I don't know if this is useful, but in our situation the exchange "server" is actually two boxes with both the CAS and Hub Transport roles on them bound together via the software-based windows Network Load Balancer. Since we never had issues relaying to our Exchange 2007 environment (which was based on 2K3 not 2K8), I suspect that the NLB may be the cause.

I'm going to disable window scaling on one of our three relays and see if it crops up again on the other two.

Thanks,
Aaron

---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
transport rule question
Hi,

For reasons beyond my control, one of the hosts we need to relay to is occasionally dropping out of dns. We relay to it based on an ldap map which returns:

relay:[office365relay.clarku.edu]

That host is a CNAME for an external vendor. It's not hard to guess which one. When it drops out, the message bounces:

Jan 8 13:50:28 mothra.clarku.edu postfix/smtp[27291]: E1614684CCD: to=, relay=none, delay=0.18, delays=0.06/0.03/0.1/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=office365relay.clarku.edu type=A: Host not found)

I'd prefer it to defer. I'm not sure why it's not deferring - is it the relay: line, or the [] enclosure, or something else?

Thanks for your time,
Aaron

---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
W:508.793.7315
RE: transport rule question
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Wietse Venema
> Sent: Wednesday, January 8, 2014 4:13 PM
> To: Postfix users
> Subject: Re: transport rule question

> Postfix would defer when it receives no DNS reply.
>
> Postfix bounces because the DNS server replies that this DNS
> record DOES NOT EXIST.
>
> To work around, use soft_bounce=yes and watch your queue
> carefully for mail piling up.
>
> Wietse

Thanks, Wietse. I don't want soft_bounce=yes for everything so I'll probably create a dedicated transport for that host. Does that seem reasonable?

-Aaron
forward mail & deliver it locally
Hi,

I need to be able to BOTH forward email and, optionally, deliver it locally as well. I think I've gone about this wrong but it's easy to change...

Everything is in ldap. I've been using virtual_alias_maps to hold the forwarding information. What happens there though is that if it hits there it never tries to store the mail locally.

What I want is to figure out how to get this behavior:

1. If user has forwarding set, forward the mail
2. If user wants local delivery, deliver it locally

These are independent of each other and are easily determined from ldap. I know I'm missing out on some easy way to do this.

Thanks,
Aaron Bennett
Re: forward mail & deliver it locally
Magnus Bäck wrote:

Set up an alias on the following form:

[EMAIL PROTECTED][EMAIL PROTECTED],[EMAIL PROTECTED]

In your LDAP map configuration this could translate to something like:

query_filter = mail=%s
result_attribute = mail, mailForwardingAddress

Does that go in $alias_maps or $virtual_alias_maps?

I have three ldap maps working:

ldap-localonly.cf
ldap-forwardonly.cf
ldap-forwardkeep.cf

When I query them with postmap -q [EMAIL PROTECTED], I get the right thing:

if the user is set up just to get their local mail, I get:
[EMAIL PROTECTED]
as a result from ldap-localonly.cf and nothing from the other

if they are set to forward their mail and keep it locally, I get:
[EMAIL PROTECTED],[EMAIL PROTECTED]

if they are set to just forward and not keep it, I get:
[EMAIL PROTECTED]

however, it's not forwarding, it's just doing local delivery

[EMAIL PROTECTED] postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, proxy:ldap:/etc/postfix/ldap-forwardonly.cf, proxy:ldap:/etc/postfix/ldap-forwardkeep.cf, proxy:ldap:/etc/postfix/ldap-localonly.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 1
default_destination_concurrency_limit = 50
default_process_limit = 500
home_mailbox =
html_directory = no
inet_interfaces = all
local_recipient_maps = $alias_maps
mail_owner = postfix
mail_spool_directory = /export/maildirs/
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, depot.bwh.harvard.edu, maildrop.bwh.harvard.edu, bwh.harvard.edu, spl.harvard.edu
mynetworks = 134.174.8.0/24, 134.174.9.0/24, 134.174.54.0/24, 170.223.221.0/24, 155.52.0.0/16
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_connection_count_limit = 500
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_CAfile = /etc/pki/smtp.bwh.harvard.edu.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/smtp.bwh.harvard.edu.pem
smtpd_tls_key_file = /etc/pki/smtp.bwh.harvard.edu.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
Re: forward mail & deliver it locally
Magnus Bäck wrote:

Does that go in $alias_maps or $virtual_alias_maps?

This particular example is meant for virtual aliases, but if you adjust it so that it expects the lookup key to be the bare username it'll work with local aliases as well.

Thank you, that works.
poor performance for multiple-recipient emails
Hello,

I'm experiencing very poor performance on receipt of email with large numbers of multiple recipients. One particular listserv for example sends emails to 1600+ users in chunks of 50-60 per message. Users are either local (maildir) or forwarded. We do have three ldap maps in each receipt so that's a possible source of slowness, however, a previous setup that used sendmail with the same ldap server didn't experience this at all.

By 'very poor' I mean it takes almost two hours for the message to be delivered to all 1600 users. Each message of 50 users sits in the incoming queue for quite a while and then in the active queue for quite a while as well.

Any tips? The hardware is sufficient to run almost any number of smtp or local processes if that is what's required.

thanks,
Aaron Bennett

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, proxy:ldap:/etc/postfix/ldap-localonly.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 1
default_destination_concurrency_limit = 50
default_process_limit = 500
home_mailbox =
html_directory = no
in_flow_delay = 0
inet_interfaces = all
local_recipient_maps = $alias_maps $virtual_alias_maps
mail_owner = postfix
mail_spool_directory = /export/maildirs/
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, depot.bwh.harvard.edu, maildrop.bwh.harvard.edu, bwh.harvard.edu, spl.harvard.edu
mynetworks = 127.0.0.1, 134.174.8.0/24, 134.174.9.0/24, 134.174.54.0/24, 170.223.221.0/24, 155.52.0.0/16
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_connection_count_limit = 500
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_CAfile = /etc/pki/smtp.bwh.harvard.edu.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/smtp.bwh.harvard.edu.pem
smtpd_tls_key_file = /etc/pki/smtp.bwh.harvard.edu.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-forwardonly.cf, proxy:ldap:/etc/postfix/ldap-forwardkeep.cf
Re: smtp_recipient_restrictions not applied to local email
Ralf Hildebrandt wrote:

sendmail != smtpd
thus smtpd_recipient_restrictions don't apply

understood. Nonetheless, do you know of a way to prevent users from using sendmail to send to a particular recipient, besides an ugly hack like aliasing the recipient to /dev/null or something?
Re: smtp_recipient_restrictions not applied to local email
Wietse Venema wrote:

To apply smtpd_recipient_restrictions when mail arrives via the /usr/bin/sendmail command, this solution was posted a few days ago:

To force sendmail command-line submissions through the SMTP server, use this:

Thank you.
maps_rbl_reject_code
Hi, I am experimenting with setting maps_rbl_reject_code to 454 to cause XBL clients to defer instead of bounce requests, in the thought that zombied hosts will not retry anyhow and legitimate senders who are compromised will have a chance to get themselves delisted. However, although I have "maps_rbl_reject_code = 454" and I'm rejecting with "smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/relay_hosts, check_recipient_access pcre:/etc/postfix/valid_domains, reject_rbl_client bl.dnsbl, reject_unauth_destination", I'm still seeing "reject... 554 5.7.1" in the logs and clients are still getting bounce'd instead of retry'd. I'm sure I'm doing something stupid. At least one thing... maybe more! Thanks for your time, Aaron Bennett Clark University ITS
Re: maps_rbl_reject_code
Ralf Hildebrandt wrote:

default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} -- Contact [EMAIL PROTECTED] for whitelisting

and rbl_code is what you're looking for

OTOH:

# postconf rbl_code
postconf: warning: rbl_code: unknown parameter

Huh?

ahh, that makes sense. That is set in rbl_reply_maps ( in my case, rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map). and it looks like:

bl.dnsbl 454 $client blocked using xbl+sbl.spamhaus.org. Please see $rbl_txt

and that works, it sends 454's instead of 554's.

thanks!
- Aaron
postfix 2.6.6 / always_add_missing_headers behavior question
Hello, I'm confused by the docs at http://www.postfix.org/postconf.5.html#always_add_missing_headers, to wit: "Always add (Resent-) From:, To:, Date: or Message-ID: headers when not present. Postfix 2.6 and later add these headers only when clients match the local_header_rewrite_clients parameter setting. Earlier Postfix versions always add these headers; this may break DKIM signatures that cover non-existent headers." With 2.6.6, will it "always" add those headers if they are missing, or only if they are missing AND the clients match the local_header_rewrite_clients parameter? Thank you for your time, Aaron --- Aaron Bennett Manager of Systems Administration Clark University ITS
RE: postfix 2.6.6 / always_add_missing_headers behavior question
-Original Message-
> 2.6.6, though many years past EOL, is indeed later than 2.6, so WHEN [the
> listed headers are] NOT PRESENT they are added ONLY WHEN CLIENTS MATCH THE
> local_header_rewrite_clients PARAMETER SETTING. That's the default setting
> of "no" for always_add_missing_headers.
>
> The Postfix 2.5 and prior behavior was to ALWAYS add these headers if missing,
> regardless of the client address.

Thank you.