Have some local transport issues
I had posted some of this before but since I wasn't a valid subscriber I was "silently" ignored.. my bad.. :-)
---
I have an internal relay that I am replacing (sendmail with postfix).
I have followed:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
and have my transport working with relay_host and transport maps.

Most everything goes out via the relay_host = outbound.aaa.dom but following Wietse's statement "transport overrides relay_host" I have set up the exceptions that will relay out directly and those are working correctly..

What isn't working is the ability for root to receive email for all the "bounced / undeliverable" messages that are relayed through this box. I do have a user account that I want to receive "root's email" so I can read via dovecot and an IMAP client. I don't want all the messages coming to my work email account..

What happens is that the message To r...@zzz.aaa.dom goes directly out the relay_host..

I have tried

Particulars
- The current box relays about 30k messages daily.
- aaa.dom = my domain
- zzz.aaa.dom = my sub domain

here is the postfinger output..

(strange did not include ) myorigin = $myhostname

--System Parameters--
mail_version = 2.5.1
hostname = mailtest.zzz.aaa.dom
uname = Linux mailtest.zzz.aaa.dom 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686 i386 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.5.1-1.rhel5

--main.cf non-default parameters--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
html_directory = /usr/share/doc/postfix-2.5.1-documentation/html
local_transport = error:local mail delivery is disabled
smtpd_helo_required = yes
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination =
mynetworks = 127.0.0.0/8,172.dd.0.0/16, ddd.dd.0.0/16
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.5.1-documentation/readme
relay_domains = zzz.aaa.dom, aaa.dom, bbb.dom, ccc.dom
relayhost = outbound.aaa.dom
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_data_restrictions = reject_unauth_pipelining,permit_mynetworks
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/virtual

--master.cf--
smtp       inet  n  -  n  -      -  smtpd
pickup     fifo  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
        -o smtp_fallback_relay=
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache
-- end of postfinger output --

Again... aaa.dom = my domain

/etc/virtual
root r...@mailtest.zzz.aaa.dom

/etc/transport
A.AAA.aaa.dom relay:[ddd.dd.dd.dd]
host.aaa.dom smtp:[mail.host.aaa.dom]
# to send through this box (no relay_host)
#.smtp:

Thx
Charles

block specific IP addresses
I have several boxes that "check" my relay every 40 seconds to check that the server is up. After multiple attempts to get the number of checks reduced I would like to know the preferred way to block specific IP addresses in Postfix. I have no issue with checks.. but every 40 seconds is ridiculous.

OS : CentOS 5.4
Postfix version: 2.5.1

Thx
Charles

Re: block specific IP addresses
Ansgar Wiechers wrote:
On 2010-04-15 groups wrote:

Syntax follow up question...
1.2.3.4 REJECT
or
1.2.3.4 REJECT

1.2.3.4 REJECT

Regards
Ansgar Wiechers

Ansgar.. Thank you.. a tab issue "bit me" sometime ago in BSD hence the question..

Charles

Receiving bounce messages back to local-host
Following the firewall/smtp relay page
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

Process
- internal servers *send* through *my-relay*
- *my-relay* forwards to *master-relay*
- valid email is passing through for all the clients as expected.
- *master-relay* kicks back any undeliverable emails to *my-relay*

I want the undeliverable email to be sent and received on *my-relay* and not my work account.
- I work with end users to "fix" their undeliverable issue.
-- Bounce messages are *not* being received back from the *master-relay* to *my-relay*.

Particulars
-- OS: CentOS 5.4
-- my-dom.TLD = my domain
-- SUB-DOM= my sub domain

Postfinger

--System Parameters--
mail_version = 2.5.1
hostname = mailhost.SUB-DOM.my-dom.TLD
uname = Linux mailhost.SUB-DOM.my-dom.TLD 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:37:14 EDT 2010 i686 i686 i386 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.5.1-1.rhel5

--main.cf non-default parameters--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
html_directory = /usr/share/doc/postfix-2.5.1-documentation/html
local_transport = error:local mail delivery is disabled
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination =
mynetworks = ppp.pp.0.0/16, DDD.dd.0.0/16
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.5.1-documentation/readme
relay_domains = SUB-DOM.my-dom.TLD, my-dom.TLD
relayhost = *master-relay*.my-dom.TLD
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_data_restrictions = reject_unauth_pipelining,permit_mynetworks
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/virtual

--master.cf--
smtp       inet  n  -  n  -      -  smtpd
pickup     fifo  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
        -o smtp_fallback_relay=
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache
-- end of postfinger output --

-- /etc/postfix/virtual
root r...@mailhost.sub-dom.my-dom.tld
mem...@mailhost.sub-dom.my-dom.tld

-- /etc/postfix/aliases
#root:m...@my-domain.tld
root:m...@localhost

Thx
CT

Re: Receiving bounce messages back to local-host
Noel Jones wrote:
On 4/18/2010 4:40 PM, groups wrote:
Noel Jones wrote, On 04/18/2010 04:20 PM:
On 4/18/2010 4:16 PM, groups wrote:

Postfix logs help you know what happened to a particular message. Look in your logs for bounces (sender=<>) arriving from your relayhost, and see what postfix does with it. No need to wonder where they went.

-- Noel Jones

A lot of the send only hosts have only an IP (not in DNS)

Look in the logs for the IP to find associated QUEUEIDs.

Apr 18 16:01:24 mailhost postfix/qmgr[3283]: 5BE9956799: from=<>, size=89424, nrcpt=1 (queue active)

Look in the logs for other entries with that same QUEUEID 5BE9956799 to see other information associated with that transaction.

only 1 entry per transaction ID.. nothing in /var/spool/postfix ... ok.. and found something interesting..

Apr 18 16:01:22 mailhost postfix/qmgr[3283]: 04C2A56799: from=<>, size=83199, nrcpt=1 (queue active)
Apr 18 16:01:22 mailhost postfix/qmgr[3283]: 2B54756799: from=<>, size=83614, nrcpt=1 (queue active)
Apr 18 16:01:22 mailhost postfix/qmgr[3283]: 4D99856799: from=<>, size=84029, nrcpt=1 (queue active)
Apr 18 16:01:22 mailhost postfix/qmgr[3283]: 7B1F756799: from=<>, size=8, nrcpt=1 (queue active)
Apr 18 16:01:22 mailhost postfix/qmgr[3283]: 9BD4456799: from=<>, size=84859, nrcpt=1 (queue active)
Apr 18 16:01:22 mailhost postfix/qmgr[3283]: BF6DC56799: from=<>, size=85274, nrcpt=1 (queue active)
Apr 18 16:01:22 mailhost postfix/qmgr[3283]: E147056799: from=<>, size=85689, nrcpt=1 (queue active)

All have the same invalid recipient..

These show the sender and number of recipients = 1; the recipient address is listed in a different log line.

That seems like an awful lot of bounces in a short period of time. Sending lots of mail to undeliverable addresses is a red flag that something is wrong -- such as a badly outdated mail list, or a compromised machine spewing spam. One of your tasks is to investigate why there are so many bounces, and find a way to reduce them. Sending large amounts of undeliverable mail will have a bad effect on your server's reputation and may eventually lead to blacklisting.

Almost looks like it is "ping-ponging" back and forth between the *master-relay* and my relay..

Messages with the null sender "<>" are never bounced, they must be delivered or discarded. Bounces are always sent with the null sender. This prevents bounces from ever looping (except in rare cases of stupid user tricks such as a .forward that rewrites <> to something else -- don't do that). Further information about those messages can be found in the logs.

I have seen this invalid recipient on the old Sendmail box.. and it ended up in my queue then expires.. (the sender host has been out of the office when I tried to contact them) so it looks like I have something not right.. there is nothing in mailq..

Charles

You need to examine the log further. If there's a problem, postfix will likely tell you what it is, or at least give you a better idea of where to look.

Postfix generates several log lines for each message. You need to look at *all* the lines with the same QUEUEID to see what happened to a message. Logs for a single message look something like this below (with my comments). Because postfix can process many messages in parallel, logs for a single message may be separated by a considerable number of unrelated log entries. There may be more or fewer entries depending on what happens with a transaction, but this is fairly typical.

Apr 18 00:00:20 mgate2 postfix/smtpd[91955]: connect from private.webmail.example.org[192.168.70.47] to smtpd
  (client connected; the hostname and IP are logged)

Apr 18 00:00:20 mgate2 postfix/smtpd[91955]: 1A2C779788F: client=private.webmail.example.org[192.168.70.47]
  (the QUEUEID "1A2C779788F" is assigned. That means there was at least one recipient accepted and a queue file was created. Future lines pertaining to this specific message will include this same QUEUEID)

Apr 18 00:00:20 mgate2 postfix/cleanup[92028]: 1A2C779788F: message-id=<1100418.aa11...@example.org>
  (the Message-id: header is logged. This is a helpful unique message identifier when searching the logs for a specific message.)

Apr 18 00:00:20 mgate2 postfix/qmgr[95868]: 1A2C779788F: from=<>, size=382, nrcpt=1 (queue active)
  (envelope sender, size, number of recipients, which queue it's assigned to)

Apr 18 00:00:20 mgate2 postfix/smtpd[91955]: disconnect from private.webmail.vbhcs.org[192.168.70.47]
  (postfix has disconnected from the client. This line can be related to the "connect" line above by the smtpd process id, in this case "91955")

Apr 18 00:00:20 mgate2 postfix/local[94393]: 1A2C779788F: to=, relay=local, delay=0.11, delays=0.05/0.03/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
  (the mail was delivered to a local user)

Apr 18 00:00:20 mgate2 postfix/qmgr[95868]: 1A2C779788F: removed
  (postfix completed this

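The QUEUEID correlation described in the message above, as an added example (not code from the thread or from Postfix): it groups log lines by QUEUEID, counts the recipients of null-sender (bounce) mail, and flags bounces that were handed back to the host they arrived from. The log lines, hostnames and addresses are constructed samples, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog format quoted in the thread; hosts,
# addresses and queue IDs are made up for this example.
SAMPLE_LOG = """\
Apr 18 16:01:20 mailhost postfix/smtpd[3301]: connect from master-relay.example.com[192.0.2.10]
Apr 18 16:01:20 mailhost postfix/smtpd[3301]: 04C2A56799: client=master-relay.example.com[192.0.2.10]
Apr 18 16:01:20 mailhost postfix/cleanup[3305]: 04C2A56799: message-id=<20100418160120.1@master-relay.example.com>
Apr 18 16:01:22 mailhost postfix/qmgr[3283]: 04C2A56799: from=<>, size=83199, nrcpt=1 (queue active)
Apr 18 16:01:22 mailhost postfix/smtpd[3301]: 2B54756799: client=master-relay.example.com[192.0.2.10]
Apr 18 16:01:22 mailhost postfix/qmgr[3283]: 2B54756799: from=<>, size=83614, nrcpt=1 (queue active)
Apr 18 16:01:22 mailhost postfix/smtp[3310]: 04C2A56799: to=<nobody@sub.example.com>, relay=master-relay.example.com[192.0.2.10]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 18 16:01:23 mailhost postfix/qmgr[3283]: 04C2A56799: removed
Apr 18 16:01:23 mailhost postfix/smtp[3310]: 2B54756799: to=<nobody@sub.example.com>, relay=master-relay.example.com[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 18 16:01:23 mailhost postfix/qmgr[3283]: 2B54756799: removed
Apr 18 16:01:25 mailhost postfix/smtpd[3302]: 7E3D45677A: client=app01.example.com[192.0.2.55]
Apr 18 16:01:25 mailhost postfix/qmgr[3283]: 7E3D45677A: from=<cron@app01.example.com>, size=1568, nrcpt=1 (queue active)
Apr 18 16:01:26 mailhost postfix/local[3320]: 7E3D45677A: to=<postmaster@sub.example.com>, relay=local, delay=0.11, delays=0.05/0.03/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Apr 18 16:01:26 mailhost postfix/qmgr[3283]: 7E3D45677A: removed
"""

# A Postfix 2.x queue ID is an upper-case hex token after the daemon[pid] prefix.
LINE_RE = re.compile(r"postfix/[\w-]+\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=[^\[]*\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>")
RELAY_IP_RE = re.compile(r"relay=[^,\[]*\[(?P<ip>[^\]]+)\]")
STATUS_RE = re.compile(r"\bstatus=(?P<status>\w+)")


def correlate(log_text):
    """Fold all log lines that share a QUEUEID into one record per message."""
    messages = defaultdict(lambda: {"client_ip": None, "sender": None,
                                    "deliveries": [], "removed": False})
    for line in log_text.splitlines():
        hit = LINE_RE.search(line)
        if hit is None:
            continue  # connect/disconnect and NOQUEUE lines carry no queue ID
        rec, rest = messages[hit["qid"]], hit["rest"]
        if (m := CLIENT_RE.match(rest)):
            rec["client_ip"] = m["ip"]
        elif (m := FROM_RE.match(rest)):
            rec["sender"] = m["sender"]  # "" means the null sender <>
        elif (m := TO_RE.match(rest)):
            relay = RELAY_IP_RE.search(rest)
            status = STATUS_RE.search(rest)
            rec["deliveries"].append({
                "rcpt": m["rcpt"],
                "relay_ip": relay["ip"] if relay else None,
                "status": status["status"] if status else None,
            })
        elif rest == "removed":
            rec["removed"] = True
    return dict(messages)


def bounce_recipients(messages):
    """Count recipients of null-sender mail; one address dominating is the red flag."""
    counts = Counter()
    for rec in messages.values():
        if rec["sender"] == "":
            counts.update(d["rcpt"] for d in rec["deliveries"])
    return counts


def returned_to_origin(messages):
    """Queue IDs of bounces relayed back to the same IP they arrived from."""
    return sorted(
        qid for qid, rec in messages.items()
        if rec["sender"] == "" and rec["client_ip"] is not None
        and any(d["relay_ip"] == rec["client_ip"] for d in rec["deliveries"])
    )


if __name__ == "__main__":
    msgs = correlate(SAMPLE_LOG)
    print("bounce recipients:", dict(bounce_recipients(msgs)))
    print("sent back to origin:", returned_to_origin(msgs))
```
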
relayhost + backup relayhost
My relay sends as follows:
90% - relayhost
10% - other hosts in transport (these go "directly" out)

This works well.

my question: When the primary relayhost is "unavailable" what would be the best way to *send* the 90% out.. ? (not about load balancing)

Thx
Charles

looping question
I do believe this is a relatively simple issue to solve. but haven't found it yet..

*my-relay* = internal relay
*master-relay* = internal and external relay

Setup
Sending host => *my-relay* => *master-relay*
relayhost = master-relay

Looping issue..
When the *master-relay* sends *my-relay* a bounced message *my-relay* sees the destination and then sends it back to the *master-relay*.

I want my-relay to "receive" *all* email from the *master-relay* and dump it into the Postmaster (alias) mailbox instead of sending it *back* to the *master relay*..

What would be the best way to do this.?

here is the postfinger output..

-- postfinger output --
mail_version = 2.5.1
hostname = mailhost.sub-dom.TLD.DOM
uname = Linux mailhost.sub-dom.TLD.DOM 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:37:14 EDT 2010 i686 i686 i386 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.5.1-1.rhel5

--main.cf non-default parameters--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
html_directory = /usr/share/doc/postfix-2.5.1-documentation/html
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination = $myhostname, $mydomain
mynetworks = ppp.pp.0.0/16, DDD.DD.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
*notify_classes = resource, software, bounce, 2bounce*
readme_directory = /usr/share/doc/postfix-2.5.1-documentation/readme
relay_domains = sub-dom.TLD.DOM, TLD.DOM, TLD2.DOM, TLD3.DOM, sub-dom-2.TLD.DOM
relayhost = [*master-relay*]
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_data_restrictions = reject_unauth_pipelining,permit_mynetworks
transport_maps = hash:/etc/postfix/transport

--master.cf--
smtp       inet  n  -  n  -      -  smtpd
pickup     fifo  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
        -o smtp_fallback_relay=
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache
-- end of postfinger output --

Re: drop email for my-sub-domain
On 07/22/2010 08:20 PM, Sahil Tandon wrote:
On Thu, 2010-07-22 at 16:38:14 -0500, groups wrote:

I have an internal relay..
- relay is mx for my-sub-domain
- relay forwards of emails to many domains through trusted_networks

Hm? What is trusted_networks in the Postfix context?

- I want to drop all email to anyu...@my-sub-domain

Then don't be MX for my-sub-domain.

what is the simplest way to do this..

Please read DEBUG_README and provide additional information to convey what "this" is.

My bad.. I should have posted this first.. postfinger below..

I have been chasing a mail loop issue for a while between *my.sub.domain* relay and the *master-relay*...

What was happening is that my *sub.domain.relay* would forward all emails to the *master-relay* for *my.sub.domain* then the *master-relay* would send them back to *my.sub.domain* relay.. => mail loop..

I initially wanted to be a good "net citizen" and follow up on mis-configured sending hosts (all on my internal network) but I came to the conclusion that I did not have enough time.. so just wanted to "drop" or not relay any emails for *my.sub.domain*..

Dovecot is set up to dump all the un-deliverable email to mailbox on local system..

In my previous Configuration - (now removed (see postfinger below))
# relayhost = *master-relay*
# relay_domains = "parent domain" , my.sub.domain
# notify_classes = resource, software, bounce

Additional
- The configuration I have now does *drop* all email destined for *my.sub.domain*.
- *my.sub.domain* is the mx for *my.sub.domain*
- I can not receive "any" email on the system.. which is ok..

This is not really an elegant solution.. but it does work.. Welcome any constructive suggestions.

Charles

-- log sample --
Jul 26 06:52:05 mailhost postfix/smtp[17380]: 9177C5679F: to=, relay=none, delay=0.05, delays=0.05/0/0/0, dsn=5.4.6, status=bounced (mail for *my.sub.domain* loops back to myself)
-- end log sample --

postfinger - postfix configuration on Mon Jul 26 06:41:42 CDT 2010
version: 1.30

--System Parameters--
mail_version = 2.5.1
hostname = mailhost.my.sub.doman.
uname = Linux mailhost.my.sub.doman. 2.6.18-194.8.1.el5 #1 SMP Thu Jul 1 19:07:06 EDT 2010 i686 i686 i386 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.5.1-1.rhel5

--main.cf non-default parameters--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
default_process_limit = 150
html_directory = /usr/share/doc/postfix-2.5.1-documentation/html
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mynetworks = 172.25.0.0/16, 192.168.0.0/16
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.5.1-documentation/readme
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining, check_helo_access hash:/etc/postfix/helo_access, check_client_access hash:/etc/postfix/blacklist
transport_maps = hash:/etc/postfix/transport

--master.cf--
smtp       inet  n  -  n  -      -  smtpd
pickup     fifo  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
        -o smtp_fallback_relay=
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache
-- end of postfinger output --

-- /etc/postfix/transport --
# Modified transport file...
# Note: transport takes precedent over relay_host
parent.domain smtp:[master-relay]
.net smtp:[master-relay]
.com smtp:[master-relay]
.org

MX question
General postfix question regarding MX lookups.. Does Postfix do an MX lookup on "inbound mail" as part of "spam" prevention or some other check.. ? Thx Charles
Re: MX question
On 09/14/2010 08:02 AM, Simon Waters wrote:
On Tuesday 14 September 2010 13:51:12 CT wrote:

Does Postfix do an MX lookup on "inbound mail" as part of "spam" prevention or some other check.. ?

Mind has "check_sender_mx_access" so and logs appropriate messages if the MX results are unacceptable.

What are you trying to achieve, as it seems unlikely to me that you have a purely academic interest in the mix of DNS requests generated.

It was a question that came up in a discussion.. I have had issues in the past when delivering email and I did not have PTR in place.. the email was rejected.. so the question regarding "inbound MX lookups" came up so I figured I would ask.. no nefarious intent here..

Thx for the response..
Charles

Re: MX question
Ralf..

> A MX lookup is performed to check if the sender domain exists; it can
> be activated using:
>
> reject_unknown_sender_domain

is what I was looking for.. Thank you ..

Charles

On 09/14/2010 08:18 AM, Ralf Hildebrandt wrote:
* CT:

It was a question that came up in a discussion.. I have had issues in the past when delivering email and I did not have PTR in place.. the email was rejected..

That's not an MX problem, but a missing PTR. Postfix can check for this using:
reject_unknown_reverse_client_hostname
or (more harsh)
reject_unknown_client_hostname

so the question regarding "inbound MX lookups" came up so I figured I would ask..

A MX lookup is performed to check if the sender domain exists; it can be activated using:
reject_unknown_sender_domain

rewrite "from address" - one specific destination
Postfix Version: postfix-2.5.1-1.rhel5

I have an internal relay with an external NAT. The internal relay is not visible to the outside..

The receiving destination gives the error:
--
550 [PERMFAIL] xxx.xxx.net requires valid sender domain (in reply to RCPT TO command))
--

My question
What is the most efficient way to "rewrite" the sender address with a valid smtp address to a "specific" domain. I only need to do this for 1 destination domain..

Thx
CT

How can I rewrite "from address" - one specific destination
I accidentally replied to a thread instead of starting my own..oops..

Postfix Version: postfix-2.5.1-1.rhel5

I have an internal relay with an external NAT. The internal relay is not visible to the outside..

The receiving destination gives the error:
--
550 [PERMFAIL] xxx.xxx.net requires valid sender domain (in reply to RCPT TO command))
--

My question
What is the most efficient way to "rewrite" the sender address with a valid smtp address to a "specific" domain. I only need to do this for 1 destination domain..

Thx
CT

Dropping email for non-deliverable "internal" domains
I currently have an internal relay for "internal-1.example.com"

The "internal-1.example.com" relay :
-- is the MX for "internal-1.example.com"
-- primarily used for "system email"
-- relays "905%" of email to a "master relay".
-- drops any "return" email for the "internal-1.example.com"

Example:
to=, relay=none, delay=0.01, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for internal-1.example.com loops back to myself)

I would like a simple way to drop other "internal domains" email that can't be delivered.
i.e. "internal-2.example.com" any email "to=

Re: Dropping email for non-deliverable "internal" domains
On 05/05/2011 05:37 PM, Sahil Tandon wrote:
On Thu, 2011-05-05 at 13:16:31 -0500, CT wrote:

I would like a simple way to drop other "internal domains" email that can't be delivered.
something like :
#@internal-2.example.com /dev/null

Google 'postfix + discard'.

I have tried :
-- header_checks
-- smtpd_sender_restrictions = hash:/etc/postfix/access
but none has worked..

It is the recipient domain that I want to DISCARD..

Here is the postfinger output..

Thx
Charles

postfinger - postfix configuration on Fri May 6 13:10:54 CDT 2011
version: 1.30

--System Parameters--
mail_version = 2.5.1
hostname = intrelay.internal-1.example.com
uname = Linux intrelay.internal-1.example.com 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:56 EDT 2011 i686 i686 i386 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.5.1-1.rhel5

--main.cf non-default parameters--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
default_process_limit = 150
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-2.5.1-documentation/html
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mynetworks = 10.0.0.0/8, 172.25.0.0/16, 172.16.0.0/16
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.5.1-documentation/readme
relayhost = [master-relay]
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_client_message_rate_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining, check_helo_access hash:/etc/postfix/helo_access, check_client_access hash:/etc/postfix/blacklist
smtpd_sender_restrictions = hash:/etc/postfix/access
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual

--master.cf--
smtp       inet  n  -  n  -      -  smtpd
pickup     fifo  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
        -o smtp_fallback_relay=
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache
-- end of postfinger output --

-- /etc/postfix/access --
internal-2.example.com DISCARD
internal-3.example.com DISCARD
-- end of /etc/postfix/access output --

-- /etc/postfix/header_checks --
/^To:*.internal-2.example.com/ DISCARD
/^to:*.internal-3.example.com/ DISCARD
-- end of /etc/postfix/header_checks output --

Re: Dropping email for non-deliverable "internal" domains
On 05/06/2011 01:52 PM, Victor Duchovni wrote:

The routing of mail for a particular recipient address or all recipients in a given domain is performed by resolving the recipient to a (transport, nexthop, address) triple.

http://www.postfix.org/ADDRESS_REWRITING_README.html#resolve
http://www.postfix.org/ADDRESS_REWRITING_README.html#transport

Use the transport table to map the addresses in question to a transport implemented via the discard(8) delivery agent.

master.cf:
    discard unix - - n - - discard

transport:
    example.com discard:into the entropy pool

-- Viktor.

Viktor.. I already use transport but did not realize the syntax was so simple in this case.. I tested it from a host and it gives me the desired results..

Discard
May 6 14:13:17 mailhost postfix/discard[28953]: B6BC756778:to, relay=none, delay=0.05,delays=0.01/0.04/0/0, dsn=2.0.0, status=sent (into the entropy pool)

Success
May 6 14:15:03 mailhost postfix/qmgr[28883]: 7E3D45677A: from=, size=1568, nrcpt=2 (queue active)

Thank you very much...
Charles

network_table format
Question on main.cf

mynetworks = hash:/etc/postfix/network_table

After much looking and I surmise the format should be
192.168.1.2 OK (a space between IP and "OK") "should work"..
and that CIDR
192.168.1.0/24 OK (a space between IP and "OK") does not work.

In my test the "single IP" did not work either..
May 6 17:30:03 mailhost postfix/smtpd[30135]: NOQUEUE: reject: RCPT from host.example.com [162.198.1.2]: 554 5.7.1 : Relay access denied;

thx
Charles

Re: network_table format
mynetworks = hash:/etc/postfix/network_table
After much looking and I surmise the format should be
192.168.1.2 OK (a space between IP and "OK") "should work"..

For hash: or cidr: (see cidr_table(5)), yes.

and that CIDR
192.168.1.0/24 OK (a space between IP and "OK") does not work.

For hash:, no, won't work; for cidr:, yes, it will.
http://www.postfix.org/DATABASE_README.html

In my test the "single IP" did not work either..
May 6 17:30:03 mailhost postfix/smtpd[30135]: NOQUEUE: reject: RCPT from host.example.com [162.198.1.2]: 554 5.7.1: Relay access denied;

Not enough information to answer, but there is a strong hint that munging took place: 162.198.1.2 != 192.168.1.2. (Why would you mung RFC1918 addresses?)
http://www.postfix.org/DEBUG_README.html#mail

162 was a typo... Thank you for the response..and the cidr link..

Charles

Re: network_table format
On 05/06/2011 05:59 PM, Sahil Tandon wrote:

Question on main.cf
mynetworks = hash:/etc/postfix/network_table
After much looking and I surmise the format should be
192.168.1.2 OK (a space between IP and "OK") "should work"..

In this context, Postfix only cares if the lookup succeeds; the result (whether it's OK, or anything else) is ignored.

and that CIDR
192.168.1.0/24 OK (a space between IP and "OK") does not work.

If you wish to use CIDR, then use cidr: instead of hash:.

We have a client that has a list of about 80 IP addresses. I created a table used the format of
IP OK
and put in :
mynetworks = cidr1 , cidr2 , hash:/etc/postfix/customer-x.servers
postmap customer-x.servers
postfix reload
and success..

I am not sure what I was doing incorrectly before but I wanted to post my success / solution.. I will look into the cidr: and see what I am doing wrong there..

hope this helps someone else..
Charles

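A small model of the lookup behaviour described in the replies above, as an added example (not part of the thread and not Postfix code): a hash: table used in mynetworks matches only an exact client address, a cidr: table matches networks, and the right-hand value is ignored. The table contents and function names are constructed for illustration.

```python
import ipaddress

# Constructed table source using the addresses from the thread.
TABLE_SOURCE = """\
# client address or network, then any value (ignored for mynetworks)
192.168.1.2     OK
192.168.1.0/24\tOK
"""


def parse_table(text):
    """Return (key, value) pairs; key and value are separated by spaces or tabs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def table_matches(client_ip, table_type, entries):
    """Model the lookup: hash: is an exact-key match, cidr: is a network match.

    Only whether a key matches counts; the value (OK or anything else) is ignored.
    """
    addr = ipaddress.ip_address(client_ip)
    for key, _value in entries:
        if table_type == "hash":
            if key == client_ip:
                return True
        elif table_type == "cidr":
            try:
                if addr in ipaddress.ip_network(key):
                    return True
            except ValueError:
                continue  # malformed pattern, never matches
        else:
            raise ValueError("unsupported table type: " + table_type)
    return False


def dead_keys(table_type, entries):
    """Keys that can never match a client address in this table type."""
    dead = []
    for key, _value in entries:
        try:
            if table_type == "hash":
                ipaddress.ip_address(key)   # must be one literal address
            else:
                ipaddress.ip_network(key)   # address or address/prefix
        except ValueError:
            dead.append(key)
    return dead


if __name__ == "__main__":
    entries = parse_table(TABLE_SOURCE)
    for kind in ("hash", "cidr"):
        print(kind, "permits 192.168.1.77:", table_matches("192.168.1.77", kind, entries),
              "| dead keys:", dead_keys(kind, entries))
```
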
Rate Limit question - outbound email
I have done a lot of researching rate limit on outbound email. There seems to be a 'plethora' of ways to do this..
- smtpd_client_connection_rate_limit
- smtpd_client_message_rate_limit
- smtpd_client_recipient_rate_limit
- transport_destination_concurrency_limit
- /etc/postfix/transport
  domain.com slow:
and
http://www.postfix.org/TUNING_README.html#rcpts

My Goal
I want to put a "speed limit" on all outbound traffic since 95% of it goes to 1 of 3 master relays..
i.e.
- when a mis-configured smtp host blasts out over 100k email in 1 hour, I want to limit the impact on the master relays..
- I want the email to be delivered.. but at a "reasonable" speed. ( limit a 100mph to a 55mph limit.. )

I have tried in /etc/postfix/main.cf
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 10

I expected the email to move at a slower speed through the relay but did not see any difference.

Thx for any pointers..
Charles

Re: Rate Limit question - outbound email
On 05/13/2011 12:52 PM, Wietse Venema wrote:
CT:

I have done a lot of researching rate limit on outbound email. There seems to be a 'plethora' of ways to do this..

Note: you are searching for *outbound* mail controls.

- smtpd_client_connection_rate_limit
- smtpd_client_message_rate_limit
- smtpd_client_recipient_rate_limit

The above are for *inbound* mail. Do not confuse *outbound* mail with *inbound* mail.

- transport_destination_concurrency_limit
- /etc/postfix/transport
  domain.com slow:

That controls *concurrency*. Do not confuse outbound *rate* control with *concurrency* control.

For *outbound* *rate* control see
http://www.postfix.org/postconf.5.html#transport_destination_rate_delay

To apply, replace "transport" with the name of the mail delivery transport (e.g., slow_destination_rate_delay, when sending mail via the "slow" transport map entry).

Wietse

Thank you Mr Wietse , For a simple solution..
Charles