rate limit outgoing mails with mailman

2009-01-01 Thread jason
hey folks.. I'm running the latest postfix on an ubuntu server with
mailman for mailing list management.. everything is pretty much working
fine except that I'm trying to get some kind of rate-limiting or
throttling working for all outbound messages. I've searched all over and
found the smtpd -D and debugger_command = sleep 8
but for some reason, this doesn't seem to work for mails sent out via a
mailing list with mailman.. I see emails getting relayed to my isp's smtp
server one right after the other. Other settings I have been fooling with
(in main.cf) are
initial_destination_concurrency = 1
default_destination_recipient_limit = 1
default_destination_concurrency_limit = 1
smtp_destination_concurrency_limit = 1

I want only 1 smtp connection at a time to be made out from my server to
my ISP's server.. Can someone please help me with a config that will
accomplish this?

regards,
Jason



Re: rate limit outgoing mails with mailman

2009-01-02 Thread jason
> The following requires Postfix 2.5 or later:
> 
> /etc/postfix/main.cf:
> # Deliver all mail via the "smtp" transport in master.cf.
> # Use [] to suppress MX lookup.
> relayhost = [mail.example.com]
> default_transport = smtp
> smtp_destination_rate_delay = 30
> 
> This will deliver one message every 30 seconds.
> 
>   Wietse

aah heck, I lied to you..
I have  postfix 2.4.5-3ubuntu1.3 installed   :(

Is there a way to accomplish the same thing for this version or should I
compile the new one?
I couldn't find postfix 2.5 for Ubuntu 7.10

thanks/regards,
Jason


Re: rate limit outgoing mails with mailman

2009-01-02 Thread jason
> >
> >aah heck, I lied to you..
> >I have  postfix 2.4.5-3ubuntu1.3 installed   :(
> >
> >Is there a way to accomplish the same thing for this version or should I
> >compile the new one?
> >I couldn't find postfix 2.5 for Ubuntu 7.10
> >
> 
> Look in gutsy-backports or upgrade to 8.04.  Also note that the release you 
> are using will be unsupported in another 3 months, so upgrading is likely 
> your best bet.
> 
> Scott K

excellent idea, so I did install the 2.5.4 version from the backport
and I now have
r...@ohs:~# grep smtp_destination_rate_delay /etc/postfix/main.cf
smtp_destination_rate_delay = 10
r...@ohs:~# 

and I restarted postfix
Jan  2 08:03:56 ohs postfix/master[16208]: terminating on signal 15
Jan  2 08:03:58 ohs postfix/master[16312]: daemon started -- version 2.5.4, 
configuration /etc/postfix

and now when I send an email to my mailman mailing list, I still see it sending 
out emails with no delay..

Jan  2 08:04:52 ohs postfix/smtp[16349]: 72292189FF: 
to=, relay=outgoing.verizon.net[206.46.232.12]:25, 
delay=5.3, delays=0.12/0.51/0.36/4.3, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Jan  2 08:04:52 ohs postfix/qmgr[16316]: 72292189FF: removed
Jan  2 08:04:52 ohs postfix/smtp[16347]: 950C118A00: to=, 
relay=outgoing.verizon.net[206.46.232.12]:25, 
delay=5.2, delays=0.13/0.39/0.37/4.3, dsn=2.5.0, status=sent (250 2.5.0 Ok.)

Jan  2 08:04:52 ohs postfix/smtp[16350]: 950C118A00: to=, 
relay=outgoing.verizon.net[206.46.232.12]:25, delay=5.3, 
delays=0.13/0.37/0.38/4.5, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Jan  2 08:04:52 ohs postfix/qmgr[16316]: 950C118A00: removed

so it looks like all three of these went out with no delays in between each
message, right?

regards,
Jason



giving more resources to procmail/crm

2009-01-02 Thread jason
I have 2.5.5 installed on my postfix server at home.. and postfix delivers to 
procmail on my system
mailbox_command = /usr/bin/procmail

and then my procmail then calls CRM114 for spam processing.. but more often 
than not, procmail fails with
procmail: Program failure (-25) of "/usr/bin/crm"

which I know means that procmail failed to run the command because of 
processing limits memory/disk/whatever..

I have jacked up what I *thought* would fix it
message_size_limit = 6024
mailbox_size_limit = 6124
but it still fails. Does anyone know if these are the right values to be 
playing with? 

regards,
Jason



Re: rate limit outgoing mails with mailman

2009-01-02 Thread jason
yes, and I also realized I had commented out the item that Wietse had wanted me
to put in..
I'm just trying too many things at once.. Let me clean it up and try again.

Jason


On Fri, Jan 02, 2009 at 03:54:21PM -0500, Victor Duchovni wrote:
> On Fri, Jan 02, 2009 at 03:43:15PM -0500, Jason Welsh wrote:
> 
> > initial_destination_concurrency = 1
> > default_destination_concurrency_limit = 1
> > default_destination_recipient_limit = 1
> > smtpd_recipient_limit = 1
> 
> Point shotgun away from foot.
> 
> -- 
>   Viktor.
> 

-- 

|Jason Welsh   ja...@monsterjam.org|
| http://monsterjam.org    DSS PGP: 0x5E30CC98 |
|gpg key: http://monsterjam.org/gpg/   |




Re: rate limit outgoing mails with mailman

2009-01-02 Thread jason
On Fri, Jan 02, 2009 at 03:54:21PM -0500, Victor Duchovni wrote:
> On Fri, Jan 02, 2009 at 03:43:15PM -0500, Jason Welsh wrote:
> 
> > initial_destination_concurrency = 1
> > default_destination_concurrency_limit = 1
> > default_destination_recipient_limit = 1
> > smtpd_recipient_limit = 1
> 
> Point shotgun away from foot.
> 
> -- 
>   Viktor.

ok, here is my latest config..  

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_transport = smtp
home_mailbox = Maildir/
inet_interfaces = all
mailbox_size_limit = 0
mydestination = orientalhealthsolutions.com, ohs.com, localhost.localdomain, 
localhost
myhostname = ohs
mynetworks = 127.0.0.0/8 192.168.1.5/32
myorigin = /etc/mailname
recipient_delimiter = +
relay_destination_rate_delay = 10
relayhost = outgoing.verizon.net
smtp_destination_rate_delay = 10
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = 
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes


and here's my logs now

Jan  2 16:04:57 ohs postfix/smtp[18389]: B08B018A00: 
to=, relay=outgoing.verizon.net[206.46.232.12]:25, 
delay=0.89, delays=0.08/0.28/0.35/0.17, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Jan  2 16:04:57 ohs postfix/qmgr[18371]: B08B018A00: removed
Jan  2 16:05:12 ohs postfix/smtp[18389]: E50B018A02: to=, 
relay=outgoing.verizon.net[206.46.232.12]:25, delay=15, 
delays=0.24/11/0.34/4.4, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Jan  2 16:05:12 ohs postfix/smtp[18389]: E50B018A02: to=, 
relay=outgoing.verizon.net[206.46.232.12]:25, delay=15, 
delays=0.24/11/0.34/4.4, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Jan  2 16:05:12 ohs postfix/qmgr[18371]: E50B018A02: removed

so there WAS a delay after the first one, but the second two seemed to go out 
together..
so we are making progress.. i think.. ;)

Jason



Re: rate limit outgoing mails with mailman

2009-01-02 Thread jason
please see inline

> 
> No, it means up to 60 messages an hour with up to 8 recipients each.
but this still keeps me within the limits that verizon has set, right?

> 
> Using this ISP for bulk mailing is a really poor infrastructure choice.
wasn't my choice, it was my client's

> 
> If you can't make better choices, you may be better off with VERP
> (resulting in 1 recipient per message), and at most 450 messages per
> hour via a rate delay of 8 seconds per message. With VERP you can also
> determine, in a lot more cases, which recipient is causing persistent
> bounces and must be removed from your list.
fair enough, I'll look into it.

thanks for your patience and help!

Jason



Re: rate limit outgoing mails with mailman (solved)

2009-01-02 Thread jason
> > so If I use the following:
> > smtp_destination_recipient_limit = 8 
> > smtp_destination_rate_delay = 60
I tested and it looks like these settings will do what I want.

thanks folks.

Jason



Domainkeys

2009-01-19 Thread jason
Hello, I have setup postfix with dk-milter to sign my emails with domainkeys
but I don't know if it is working properly or not. I have tested it with four
different tests. 2 pass and 2 fail so I want to know if it is my fault or if
the tests are faulty. Here are the tests...

Here are the 2 tests that pass for me (Send a blank email to each address)...

1) autorespond...@dk.elandsys.com
2) d...@dk.crynwr.com

Here are the 2 tests that fail for me...

1) http://www.mailradar.com/domainkeys/
2) 
http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test

Could someone who has domainkeys setup with their Postfix installation run the
two tests that failed for me and let me know if you pass. That way I will know
if the problem is on my end or the tests are faulty. Unfortunately the test
says it fails without giving a reason.

Thanks



Re: Domainkeys

2009-01-19 Thread jason
> ja...@jasoncarson.ca wrote:
>> Hello, I have setup postfix with dk-milter to sign my emails with
>> domainkeys but I don't know if
>> it is working properly or not. I have tested it with four different
>> tests. 2 pass and 2 fail so I
>> want to know if it is my fault or if the tests are faulty. Here are the
>> tests...
>>
>> Here are the 2 tests that pass for me(Send a blank email to each
>> address)...
>>
>> 1) autorespond...@dk.elandsys.com
>> 2) d...@dk.crynwr.com
>>
>> Here are the 2 tests that fail for me...
>>
>> 1) http://www.mailradar.com/domainkeys/
>> 2)
>> http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test
>>
>> Could someone who has domainkeys setup with their Postfix installation
>> run the two tests that
>> failed for me and let me know if you pass. That way I will no if the
>> problem is on my end or the
>> tests are faulty. Unfortunately the test says it fails without giving a
>> reason.
>>
>> Thanks
>>
>
> The signature on the message you sent to the list verifies as
> good with both dkim-milter and SpamAssassin, so your signature
> is fine.
>
> Seems as if everyone but Yahoo! is moving to dkim.  Any
> particular reason you are using DomainKeys?
>
> --
> Noel Jones
>
I have domainkeys for exactly that, sending mail to Yahoo! I am going to
try and get both domainkeys and DKIM working on my installation.



Re: Webmin with Postfix: recommended or not.

2016-03-27 Thread Jason
I agree but for a novice webmin helps. I use it with a text editor to follow
Wietse's brilliant guidance. I am trying postfix administration on a new
server. It appears to have potential to allow domain users to administer but I
am on week three of setting it up.

-------- Original message --------
From: Glenn English  
Date: 27/03/2016  2:59 PM  (GMT-04:00) 
To: postfix users  
Subject: Re: Webmin with Postfix: recommended or not. 


> On Sat, Mar 26, 2016 at 3:48 PM, Tom Browder  wrote:
> I am considering using Webmin on my servers and see that it has a Postfix 
> module. Does anyone have any experience with it or have an opinion to offer 
> ref its ability to manage Postfix?

I use both Webmin and Vim on my Postfix config files. On Debian Linux, if it 
matters.

Webmin's Postfix module saved my life when I was starting to learn the 'Net, 
and it's still quite useful when I want to do something fairly simple, but 
quickly. 

But its GUI pictures and Perl scripts (Webmin is painfully slow on a Raspberry
Pi) aren't capable of doing most of the things Wietse and his buds talk about
on the mailing list -- that usually takes a text editor, some time, and some
knowledge.

-- 
Glenn English





Forcibly disconnect spammers

2016-06-08 Thread Jason
I have Postfix, Dovecot and Amavis on my Ubuntu server. Recently, I get
every 4 minutes a connection from IP 155.133.82.96, which appears to be
Windows XP and maybe has a virus. Anyway, I found the way (after a lot
of Googling) to make my Postfix not delay client access checks and I
reject that IP based on a custom blacklist. However, it stays around for
a while.

I want to find a more radical way to forcibly disconnect the IP when the
check has finished and the IP hasn't passed it. How can I do that? (I
seek a Postfix solution, not iptables or similar)



Login to a user with empty password

2016-06-08 Thread Jason
I have Ubuntu 16.04 with Postfix and Dovecot set-up to follow SASL
authentication. I also have amavisd-new installed and, as usual, email
is sent to this user by the amavis service. However, this user has an
empty password (no password).

How can I login to that user's mail using Thunderbird since currently
dovecot and postfix don't allow me to login? (I am aware of the
available mail redirection options but don't want to do so)



Re: rate limit outgoing mails with mailman

2009-01-02 Thread Jason Welsh

my apologies.. here is the output of postconf -n


alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_destination_concurrency_limit = 1
default_destination_recipient_limit = 1
default_transport = smtp
home_mailbox = Maildir/
inet_interfaces = all
initial_destination_concurrency = 1
mailbox_size_limit = 0
mydestination = orientalhealthsolutions.com, ohs.com, 
localhost.localdomain, localhost

myhostname = ohs
mynetworks = 127.0.0.0/8 192.168.1.5/32
myorigin = /etc/mailname
recipient_delimiter = +
relayhost = outgoing.verizon.net
smtp_destination_concurrency_limit = 1
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_limit = 1
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes


and yes Victor, I tried with and without the processes set to 1..
smtp  inet  n   -   -   -   1   smtpd -D
                           ^^^
in master.cf is the correct way, right?

regards,
Jason




Wietse Venema wrote:
> ja...@monsterjam.org:
> > excellent idea, so I did install the 2.5.4 version from the backport
> > and I now have
> > r...@ohs:~# grep smtp_destination_rate_delay /etc/postfix/main.cf
> > smtp_destination_rate_delay = 10
> > r...@ohs:~# 
> >
> > and I restarted postfix
> > Jan  2 08:03:56 ohs postfix/master[16208]: terminating on signal 15
> > Jan  2 08:03:58 ohs postfix/master[16312]: daemon started -- version 2.5.4, 
> > configuration /etc/postfix
> >
> > and now when I send an email to my mailman mailing list, I still see it sending 
> > out emails with no delay..
> >
> > Jan  2 08:04:52 ohs postfix/smtp[16349]: 72292189FF: to=, relay=outgoing.verizon.net[206.46.232.12]:25, 
> > delay=5.3, delays=0.12/0.51/0.36/4.3, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
> > Jan  2 08:04:52 ohs postfix/qmgr[16316]: 72292189FF: removed
> > Jan  2 08:04:52 ohs postfix/smtp[16347]: 950C118A00: to=, relay=outgoing.verizon.net[206.46.232.12]:25, 
> > delay=5.2, delays=0.13/0.39/0.37/4.3, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
> > Jan  2 08:04:52 ohs postfix/smtp[16350]: 950C118A00: to=, relay=outgoing.verizon.net[206.46.232.12]:25, delay=5.3, 
> > delays=0.13/0.37/0.38/4.5, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
> > Jan  2 08:04:52 ohs postfix/qmgr[16316]: 950C118A00: removed
> >
> > so it looks like all three of these went out with no delays inbetween each 
> > message, right?
>
> Yes, so it is time that you follow instructions in the welcome message
> and post "postconf -n" output instead of one-line fragments.
>
> Wietse





Re: rate limit outgoing mails with mailman

2009-01-02 Thread Jason Welsh



Wietse Venema wrote:
> > Jan  2 16:04:57 ohs postfix/smtp[18389]: B08B018A00: to=, relay=outgoing.verizon.net[206.46.232.12]:25, 
> > delay=0.89, delays=0.08/0.28/0.35/0.17, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
> > Jan  2 16:04:57 ohs postfix/qmgr[18371]: B08B018A00: removed
> > Jan  2 16:05:12 ohs postfix/smtp[18389]: E50B018A02: to=, relay=outgoing.verizon.net[206.46.232.12]:25, delay=15, 
> > delays=0.24/11/0.34/4.4, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
> > Jan  2 16:05:12 ohs postfix/smtp[18389]: E50B018A02: to=, relay=outgoing.verizon.net[206.46.232.12]:25, delay=15, 
> > delays=0.24/11/0.34/4.4, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
> > Jan  2 16:05:12 ohs postfix/qmgr[18371]: E50B018A02: removed
> >
> > so there WAS a delay after the first one, but the second two seemed to go out 
> > together..
> > so we are making progress.. i think.. ;)
>
> The second message has TWO RECIPIENTS.
>
> Postfix inserts 10s delay between MESSAGE deliveries not RECIPIENTS.
>
> Wietse
  
well, right, like I said, this is from a mailman mailing list , and 
there are 3 remote recipients in the list. But in the real list I want 
to implement, there are hundreds at various addresses and I would like 
to throttle ALL outgoing deliveries if I can. I guess best case scenario 
now is to serialize the delivery process somehow.


thanks/regards,
Jason





Re: rate limit outgoing mails with mailman

2009-01-02 Thread Jason Welsh


> > well, right, like I said, this is from a mailman mailing list , and 
> > there are 3 remote recipients in the list. But in the real list I want 
> > to implement, there are hundreds at various addresses and I would like 
> > to throttle ALL outgoing deliveries if I can. I guess best case scenario 
> > now is to serialize the delivery process somehow.
>
> Postfix will send 50 recipients at a time by default. Does the ISP
> mandate a lower number of recipients per message? Sending more messages
> with fewer recipients each is certainly not helpful to the ISP. Whatever
> you set the smtp_destination_recipient_limit to, don't make it 1.
>
> If you really want to get one recipient per message, consider using VERP,
> a good idea with lists anyway.

  

I looked it up and here is the real scoop.. ;)

*You may not include more than 100 recipients in a single email. Messages will
not be sent to any recipients in excess of 100.
*You may not exceed 500 recipients in 1 hour. Exceeding 500 recipients in 1 hour
will result in the suspension of your ability to send email for 24 hours.

so If I use the following:
smtp_destination_recipient_limit = 8 
smtp_destination_rate_delay = 60


this means that only 480 messages will get relayed in one hour, right?


thanks/regards,

Jason
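
The settings and ISP limits discussed in this thread, checked with arithmetic and a log audit; this is an added example, not part of the original messages. The log lines, addresses and relay name are constructed, the function names are hypothetical, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the thread. Addresses and the
# relay are placeholders. Postfix logs one smtp line per RECIPIENT; lines that
# share a queue ID belong to the same MESSAGE.
SAMPLE_LOG = """\
Jan  2 16:04:57 ohs postfix/smtp[18389]: A0000000A1: to=<u1@example.org>, relay=mail.example.com[192.0.2.25]:25, delay=0.89, delays=0.08/0.28/0.35/0.17, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Jan  2 16:04:57 ohs postfix/qmgr[18371]: A0000000A1: removed
Jan  2 16:05:12 ohs postfix/smtp[18389]: B0000000B2: to=<u2@example.net>, relay=mail.example.com[192.0.2.25]:25, delay=15, delays=0.24/11/0.34/4.4, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Jan  2 16:05:12 ohs postfix/smtp[18389]: B0000000B2: to=<u3@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=15, delays=0.24/11/0.34/4.4, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Jan  2 16:05:12 ohs postfix/qmgr[18371]: B0000000B2: removed
Jan  2 16:05:23 ohs postfix/smtp[18389]: C0000000C3: to=<u4@example.org>, relay=mail.example.com[192.0.2.25]:25, delay=26, delays=0.2/22/0.3/3.5, dsn=4.4.1, status=deferred (connection timed out)
"""

DELIVERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\spostfix/smtp\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]+):\sto=<(?P<rcpt>[^>]*)>,.*\sstatus=(?P<status>\w+)"
)


def hourly_ceiling(recipient_limit, rate_delay):
    """Upper bound on recipients per hour through one destination.

    Postfix inserts rate_delay seconds between message deliveries to the same
    destination, and each delivery carries at most recipient_limit recipients.
    With a relayhost, all outbound mail shares that one destination.
    """
    return (3600 // rate_delay) * recipient_limit


def parse_deliveries(log_text, year=2009):
    """Return sorted (timestamp, queue_id, recipient) for status=sent lines."""
    sent = []
    for line in log_text.splitlines():
        m = DELIVERY_RE.match(line)
        if m is None or m["status"] != "sent":
            continue  # qmgr lines and deferred or bounced attempts are skipped
        stamp = " ".join(m["ts"].split())  # collapse syslog's day padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        sent.append((ts, m["qid"], m["rcpt"]))
    return sorted(sent)


def audit(deliveries, max_rcpt_per_msg=100, max_rcpt_per_hour=500):
    """Compare observed deliveries with the ISP limits quoted in the thread."""
    per_msg = Counter(qid for _, qid, _ in deliveries)
    first_seen = {}
    for ts, qid, _ in deliveries:
        first_seen.setdefault(qid, ts)
    starts = sorted(first_seen.values())
    # Log times are completion times, so gaps only approximate the rate delay.
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]

    # Sliding one-hour window over per-recipient deliveries.
    peak, lo = 0, 0
    for hi, (ts, _, _) in enumerate(deliveries):
        while ts - deliveries[lo][0] >= timedelta(hours=1):
            lo += 1
        peak = max(peak, hi - lo + 1)

    biggest = max(per_msg.values(), default=0)
    return {
        "messages": len(per_msg),
        "recipients": len(deliveries),
        "max_rcpt_per_msg": biggest,
        "min_gap_seconds": min(gaps, default=None),
        "peak_rcpt_per_hour": peak,
        "within_limits": biggest <= max_rcpt_per_msg and peak <= max_rcpt_per_hour,
    }


if __name__ == "__main__":
    print("recipient_limit=8, rate_delay=60 ->", hourly_ceiling(8, 60), "recipients/hour")
    print("VERP, rate_delay=8 ->", hourly_ceiling(1, 8), "recipients/hour")
    print(audit(parse_deliveries(SAMPLE_LOG)))
```

The ceiling is counted in recipients, not messages, which is the unit the quoted ISP policy uses.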





Re: Domainkeys

2009-01-19 Thread Jason Carson
> ja...@jasoncarson.ca wrote:
>>> ja...@jasoncarson.ca wrote:
>>>> Hello, I have setup postfix with dk-milter to sign my emails with
>>>> domainkeys but I don't know if
>>>> it is working properly or not. I have tested it with four different
>>>> tests. 2 pass and 2 fail so I
>>>> want to know if it is my fault or if the tests are faulty. Here are
>>>> the
>>>> tests...
>>>>
>>>> Here are the 2 tests that pass for me(Send a blank email to each
>>>> address)...
>>>>
>>>> 1) autorespond...@dk.elandsys.com
>>>> 2) d...@dk.crynwr.com
>>>>
>>>> Here are the 2 tests that fail for me...
>>>>
>>>> 1) http://www.mailradar.com/domainkeys/
>>>> 2)
>>>> http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test
>>>>
>>>> Could someone who has domainkeys setup with their Postfix installation
>>>> run the two tests that
>>>> failed for me and let me know if you pass. That way I will no if the
>>>> problem is on my end or the
>>>> tests are faulty. Unfortunately the test says it fails without giving
>>>> a
>>>> reason.
>>>>
>>>> Thanks

>>> The signature on the message you sent to the list verifies as
>>> good with both dkim-milter and SpamAssassin, so your signature
>>> is fine.
>>>
>>> Seems as if everyone but Yahoo! is moving to dkim.  Any
>>> particular reason you are using DomainKeys?
>>>
>>> --
>>> Noel Jones
>>>
>> I have domainkeys for exactly that, sending mail to Yahoo! I am going to
>> try and get both domainkeys and DKIM working on my installation.
>>
>
> Then send a message to your own account at Yahoo and see if
> they like the signature.
>
> --
> Noel Jones
>
lol, why didn't I think of that...

I sent a message and everything was "ok" so I guess I can disregard those
two tests that failed.



Domainkeys/DKIM and Postfix Configuration

2009-01-19 Thread Jason Carson
I have installed and configured dk-milter and dkim-milter but when I try and
send a message postfix won't send it. What is the proper main.cf configuration
for both domainkeys and dkim?

Here is what I have...

smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock,
unix:/var/run/dkim-filter/dkim-filter.sock

non_smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock,
unix:/var/run/dkim-filter/dkim-filter.sock



Re: Domainkeys/DKIM and Postfix Configuration

2009-01-19 Thread Jason Carson
> I have installed and configured dk-milter and dkim-milter but when I try
> and send a message
> postfix won't send it. What is the proper main.cf configuration for both
> domainkeys and dkim?
>
> Here is what I have...
>
> smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock,
> unix:/var/run/dkim-filter/dkim-filter.sock
>
> non_smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock,
> unix:/var/run/dkim-filter/dkim-filter.sock
>
>
Turns out that is the correct configuration, the problem was a permission
problem with dkim-filter.sock





Postfix with AMAVISD how to white list

2009-01-26 Thread Jason Hirsh
I have blocked files with gif attachments to block that category of spam.

I do however have some people who send me legitimate gif attachments

I tried to white list them by adding

@whitelist_sender_maps = ( ['.example.org', '.example.net'] );

to amavisd.conf but example.net continues to get bounced with bad attachments.

Any ideas where I can look for a solution??


Re: Postfix with AMAVISD how to white list

2009-01-26 Thread Jason Hirsh


On Jan 26, 2009, at 5:04 PM, mouss wrote:

> Jason Hirsh wrote:
>> I have blocked files with gif attachments to block that category of
>> spam.
>
> how do you block these? in header_checks?
>
>> I do however have some people who send me legitimate gif attachments
>
> if you block with header_checks, there's no way for exceptions.
>
>> I tried to white list them by adding
>>
>> @whitelist_sender_maps = ( ['.example.org', '.example.net'] );
>
> so I bet you block gif in amavisd-new?

sure did. blocked as an attachment

>> to amavisd.conf but example.net continues to get bounced with bad
>> attachments.
>>
>> Any ideas where I can look for a solution??
>
> You probably want to ask on the amavisd list. but then give as much
> details as you can (whether you restarted amavisd-new, ... etc).

I was told I should be here but all the discussion I had on SPAM pretty
much dealt with postfix and amavisd as an integrated solution

> PS. It is a bad idea to bounce mail that was queued by postfix. This
> causes backscatter (and you may be blacklisted...)

I am confused by this comment.. do you mean I shouldn't let amavisd do
any bouncing??

it handles all of my spam, content and virus checking

postfix handles domain validation and the like..










Re: Postfix with AMAVISD how to white list

2009-01-27 Thread Jason Hirsh


On Jan 26, 2009, at 5:26 PM, mouss wrote:

> Jason Hirsh wrote:
>> On Jan 26, 2009, at 5:04 PM, mouss wrote:
>> [snip]
>>> You probably want to ask on the amavisd list. but then give as much
>>> details as you can (whether you restarted amavisd-new, ... etc).
>>
>> I was told I should be here but all the discussion I had on SPAM
>> pretty much dealt with postfix and amavisd as an integrated solution
>
> hmm. did you ask on the amavis list:
> https://lists.sourceforge.net/lists/listinfo/amavis-user
>
> you'll find more amavisd-new users there, thus maximizing the
> chances to get an answer. (but as I said, you may need to provide
> more details).
>
>>> PS. It is a bad idea to bounce mail that was queued by postfix. This
>>> causes backscatter (and you may be blacklisted...)
>>
>> I am confused by this comment.. do you mean I shouldn't let amavisd
>> do any bouncing??
>> it handles all of my spam, content and virus checking
>
> if you use amavisd-new after the queue (content_filter or FILTER),
> then you should not configure it to bounce mail. Your choices are:
> (tag and) pass, quarantine or discard (the latter is bad, but still
> better than bouncing).
>
> The reason is that spammers forge sender addresses, so your bounce
> will go to an innocent who never sent you anything. This is
> backscatter.
>
>> postfix handles domain validation and the like..
>
> Rejecting spam during the smtp transaction in postfix
> (smtpd_*_restrictions) is good. but once postfix queues the mail, you
> should not bounce.

so is
header_checks = regexp:/usr/local/etc/postfix/header_checks

bad or good

as it turns out postfix is doing the rejection not amavisd








Is result_format being ignored?

2009-01-29 Thread Jason Voorhees
Hi there:

I'm a little tired of making some tests with gnarwl and postfix, so I
started to reduce directives. I have something like this in main.cf
(postconf -n):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debug_peer_list = domain.com
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = localhost
mydomain = domain.com
myhostname = mail.$mydomain
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relayhost = 192.168.99.1
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_data_restrictions = reject_unauth_pipelining,
reject_multi_recipient_bounce
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_non_fqdn_sender,
reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/phamm_alias.cf, $alias_maps
virtual_mailbox_domains = ldap:/etc/postfix/phamm_dominios_virtuales.cf
virtual_mailbox_maps = ldap:/etc/postfix/phamm_vacation.cf
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp

The content of /etc/postfix/phamm_vacation.cf is:

server_host= 127.0.0.1
server_port= 389
bind_dn = cn=phamm,o=hosting,dc=domain,dc=com,dc=pe
bind_pw = secret
timeout = 20
search_base = o=hosting,dc=domain,dc=com,dc=pe
query_filter = 
(&(mail=%s)(objectClass=VirtualMailAccount)(accountActive=TRUE)(delete=FALSE)(forwardActive=FALSE)(vacationActive=TRUE))
result_attribute = mail
result_format = jvoorhe...@gmail.com
scope = sub
debuglevel = 0

According to the 'result_format' value... Isn't it supposed that Postfix will
return 'jvoorhe...@gmail.com' when someone asks for u...@domain.com?
postmap -q returns the expected value:

$ postmap -q u...@domain.com ldap:/etc/postfix/phamm_vacation.cf
jvoorhe...@gmail.com

But when I send a message to u...@domain.com Postfix doesn't return
jvoorhe...@gmail.com, instead it still returns u...@domain.com. These
are the corresponding postfix logs:

Jan 29 16:30:48 mail postfix/smtpd[22343]: connect from
localhost.localdomain[127.0.0.1]
Jan 29 16:31:02 mail postfix/smtpd[22343]: 677411E020D:
client=localhost.localdomain[127.0.0.1]
Jan 29 16:31:08 mail postfix/cleanup[22346]: 677411E020D:
message-id=<20090129213102.677411e0...@mail.domain.com>
Jan 29 16:31:08 mail postfix/qmgr[22339]: 677411E020D: from=<>,
size=380, nrcpt=1 (queue active)
Jan 29 16:31:08 mail postfix/lmtp[22348]: 677411E020D:
to=,
relay=mail.domain.com[/var/lib/imap/socket/lmtp], delay=15,
delays=15/0.01/0/0.02, dsn=2.1.5, status=sent (250 2.1.5 Ok)
Jan 29 16:31:08 mail postfix/qmgr[22339]: 677411E020D: removed
Jan 29 16:31:09 mail postfix/smtpd[22343]: disconnect from
localhost.localdomain[127.0.0.1]

I sent the email like this:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.domain.com ESMTP
helo localhost
250 mail.domain.com
mail from: <>
250 2.1.0 Ok
rcpt to: 
250 2.1.5 Ok
data
354 End data with .
Test
.
250 2.0.0 Ok: queued as 677411E020D
quit
221 2.0.0 Bye
Connection closed by foreign host.

So, why is result_format in the LDAP map being ignored? I hope someone
can help me, bye people


Re: Is result_format being ignored?

2009-01-29 Thread Jason Voorhees
Ok, something else. Maybe it isn't too appropriate for this post to use
jvoorhe...@gmail.com as result_format because it has no relation to my
virtual domains scenario.
What I am really trying to do is:

When accountActive=TRUE for some user, then return (result_format)
%...@autoreply.domain.com

But Postfix never sends the email to u...@autoreply.domain.com, however
postmap does return the expected value:

$ postmap -q u...@domain.com ldap:/etc/postfix/phamm_vacation.cf
u...@autoreply.domain.com

So, what isn't failed here? Any help is appreciated

On Thu, Jan 29, 2009 at 4:34 PM, Jason Voorhees  wrote:
> Hi there:
>
> I'm a little tired of making some tests with gnarwl and postfix, so I
> started to reduce directives. I have something like this in main.cf
> (postconf -n):
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> debug_peer_list = domain.com
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 20971520
> mydestination = localhost
> mydomain = domain.com
> myhostname = mail.$mydomain
> mynetworks = 127.0.0.0/8
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> relayhost = 192.168.99.1
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> show_user_unknown_table_name = no
> smtpd_banner = $myhostname ESMTP
> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
> smtpd_data_restrictions = reject_unauth_pipelining,
> reject_multi_recipient_bounce
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated
> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
> reject_unknown_recipient_domain, permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sender_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_non_fqdn_sender,
> reject_unknown_sender_domain
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = ldap:/etc/postfix/phamm_alias.cf, $alias_maps
> virtual_mailbox_domains = ldap:/etc/postfix/phamm_dominios_virtuales.cf
> virtual_mailbox_maps = ldap:/etc/postfix/phamm_vacation.cf
> virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp
>
> The content of /etc/postfix/phamm_vacation.cf is:
>
> server_host= 127.0.0.1
> server_port= 389
> bind_dn = cn=phamm,o=hosting,dc=domain,dc=com,dc=pe
> bind_pw = secret
> timeout = 20
> search_base = o=hosting,dc=domain,dc=com,dc=pe
> query_filter = 
> (&(mail=%s)(objectClass=VirtualMailAccount)(accountActive=TRUE)(delete=FALSE)(forwardActive=FALSE)(vacationActive=TRUE))
> result_attribute = mail
> result_format = jvoorhe...@gmail.com
> scope = sub
> debuglevel = 0
>
> According to 'result_format' value... Isn't it supposed that Postfix will
> return 'jvoorhe...@gmail.com' when someone asks for u...@domain.com?
> postmap -q returns the expected value:
>
> $ postmap -q u...@domain.com ldap:/etc/postfix/phamm_vacation.cf
> jvoorhe...@gmail.com
>
> But when I send a message to u...@domain.com Postfix doesn't return
> jvoorhe...@gmail.com, instead it returns u...@domain.com yet. These
> are the corresponding postfix logs:
>
> Jan 29 16:30:48 mail postfix/smtpd[22343]: connect from
> localhost.localdomain[127.0.0.1]
> Jan 29 16:31:02 mail postfix/smtpd[22343]: 677411E020D:
> client=localhost.localdomain[127.0.0.1]
> Jan 29 16:31:08 mail postfix/cleanup[22346]: 677411E020D:
> message-id=<20090129213102.677411e0...@mail.domain.com>
> Jan 29 16:31:08 mail postfix/qmgr[22339]: 677411E020D: from=<>,
> size=380, nrcpt=1 (queue active)
> Jan 29 16:31:08 mail postfix/lmtp[22348]: 677411E020D:
> to=,
> relay=mail.domain.com[/var/lib/imap/socket/lmtp], delay=15,
> delays=15/0.01/0/0.02, dsn=2.1.5, status=sent (250 2.1.5 Ok)
> Jan 29 16:31:08 mail postfix/qmgr[22339]: 677411E020D: removed
> Jan 29 16:31:09 mail postfix/smtpd[22343]: disconnect from
> localhost.localdomain[127.0.0.1]
>
> I sent the email like this:
>
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.domain.com ESMTP
> helo localhost
> 250 mail.domain.com
> mail from: <>
> 250 2.1.0 Ok
> rcpt to: 
> 250 2.1.5 Ok
> data
> 354 End data with .
> Test
> .
> 250 2.0.0 Ok: queued as 677411E020D
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> So, why is result_format in the LDAP map being ignored? I hope someone
> can help me, bye people
>


Re: Is result_format being ignored?

2009-01-30 Thread Jason Voorhees
Hi:

On Thu, Jan 29, 2009 at 4:50 PM, Victor Duchovni
 wrote:
> On Thu, Jan 29, 2009 at 04:46:01PM -0500, Jason Voorhees wrote:
>
>> Ok, something else. Maybe it isn't too appropriate for this post to use
>> jvoorhe...@gmail.com as result_format because it has no relation with my
>> virtual domains scenario.
>> What I really try to do is:
>>
>> When accountActive=TRUE for some user, then return (result_format)
>> %...@autoreply.domain.com
>>
>> But Postfix never sends the email to u...@autoreply.domain.com, however
>> postmap does return the expected value:
>>
>> $ postmap -q u...@domain.com ldap:/etc/postfix/phamm_vacation.cf
>> u...@autoreply.domain.com
>
>> > virtual_mailbox_maps = ldap:/etc/postfix/phamm_vacation.cf
>
> Why do you expect virtual_mailbox_maps to perform address rewriting?
> You probably wanted virtual_alias_maps instead.

Yes, it was my mistake. I wanted more security (not using .forward
files) using virtual(8) instead of local(8) and I supposed that the
option was to use virtual mailboxes, but I misinterpreted the correct
Postfix working.

So I changed my configuration to this:

mydestination = localhost
virtual_alias_maps = ldap:/etc/postfix/phamm_alias.cf,
ldap:/etc/postfix/phamm_usuarios.cf
virtual_alias_domains = ldap:/etc/postfix/phamm_dominios_virtuales.cf
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp

I disabled the use of ldap:/etc/postfix/phamm_vacation.cf so I'm not
rewriting anything.. yet.
When I try to send an email to u...@domain.com (domain.com is a
virtual domain hosted in my LDAP tree) I get the error "user unknown"
from Postfix.

Why isn't Postfix recognizing u...@domain.com as a valid existing account?
Is it because u...@domain.com doesn't exist in the local unix account database?
If the previous is true... then should I include $virtual_alias_maps
in local_recipient_maps? (I did this but the same "unknown
user" error happens)

When I use virtual_alias_maps and virtual_alias_domains, is Postfix
using local(8) to deliver?
I get a little confused about the relation between Postfix,
local_transport, mailbox_transport, local(8) and virtual(8).
I thought Postfix would use virtual(8) ONLY when using virtual
mailboxes. Is this correct?

> --
>Viktor.
>


gnarwl invoked from postfix

2009-01-30 Thread Jason Voorhees
Hi there:

I finally understood and fixed previous problems with my Postfix
installation. Now I'm invoking gnarwl from a transport, something like
this:

transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = ldap:/etc/postfix/phamm_alias.cf,
ldap:/etc/postfix/phamm_vacation.cf

/etc/postfix/transport contains this:

autoreply.domain.com gnarwl:

/etc/postfix/phamm_vacation.cf always returns either "u...@domain.com" or
"u...@domain.com,u...@autoreply.domain.com" depending on the value of
vacationActive=TRUE of the user in the corresponding LDAP entry.
In /etc/postfix/master.cf I added gnarwl:

gnarwl    unix  -       n       n       -       -       pipe
  flags=F user=gnarwl argv=/usr/local/bin/gnarwl -c /usr/local/etc/gnarwl.cfg -s ${sender} -a ${us...@{nexthop}

When I send an email to u...@domain.com (having vacationActive=TRUE)
postfix logs show me that it is sending two mails: one for
u...@domain.com and the other one to u...@autoreply.domain.com
delivered via gnarwl service (as expected). No error logs, no
warnings, everything OK

But I can see that gnarwl isn't receiving the email from Postfix, then
I query my processes:

# ps aux | grep gnarwl
postfix  30245  0.0  0.3   6836  1804 ?S16:23   0:00 pipe
-n gnarwl -t unix flags=F user=gnarwl argv=/usr/local/bin/gnarwl -c
/usr/local/etc/gnarwl.cfg -s ${sender} -a ${us...@{nexthop}
root 30255  0.0  0.1   2996   708 pts/1R+   16:24   0:00 grep gnarwl

and I see that the pipe process is still running, it seems that pipe
is busy with gnarwl or doesn't end its communication with gnarwl.
I query my processes many times and the pipe process is still there
and then after a minute approximately the pipe process just
disappears, and gnarwl was never invoked ... apparently.
Normally every time gnarwl is invoked (with debug options enabled) I
can see a log of its activity, but this time I can't see any gnarwl
log. I am pretty sure that pipe isn't sending the email to gnarwl.

Was anybody here able to set up gnarwl with Postfix through the use
of a transport?


Connection Refused

2009-02-10 Thread Jason Wohlford
Is there a way to notify me (i.e. postmaster) when my  
smtpd_proxy_filter fails? I see in the logs where a "warning: connect  
to proxy service 127.0.0.1:10024: Connection refused" occurs. How do I  
get a message sent to me when this happens?


--
Jason Wohlford

<http://wohlford.org>



Re: Connection Refused

2009-02-11 Thread Jason Wohlford


On Feb 10, 2009, at 9:05 PM, Sahil Tandon wrote:

> On Tue, 10 Feb 2009, Jason Wohlford wrote:
>
>> Is there a way to notify me (i.e. postmaster) when my smtpd_proxy_filter
>> fails? I see in the logs where a "warning: connect to proxy service
>> 127.0.0.1:10024: Connection refused" occurs. How do I get a message sent
>> to me when this happens?
>
> Try monit, or some log monitoring service that notifies you when service X
> fails.  But if service X is required for root to send you email, you'll have
> to figure out a way around that.

I thought
'notify_classes=bounce,delay,policy,protocol,resource,software' would
do the trick, but no luck.


--
Jason Wohlford

<http://wohlford.org>



How catch-all works?

2009-02-19 Thread Jason Voorhees
Hi people:

I'm trying to set up a catch-all feature in my Postfix server based on
LDAP. Here's my scenario:

- Mail Accounts with VirtualMailAccount object class
- Alias with VirtualAlias object class

How can I tell Postfix to look for users/alias and return the
catch-all address when the original destination isn't found?

I have i...@domain.com as an alias. When I send an email to
non-existant-acco...@domain.com then the catch-all address receives
the message correctly. But when I send to i...@domain.com the
catch-all is being recognized before the real alias, so my
i...@domain.com alias never works.

What's the right order to query alias or accounts databases stored in LDAP?


Thanks


smtp-sink custom return codes

2010-04-29 Thread Jason Parsons

Folks:

smtp-sink returns the following strings if configured to reject a command (ie, 
the -r, -f, -Q,  arguments):

#define SOFT_ERROR_RESP "450 4.3.0 Error: command failed"
#define HARD_ERROR_RESP "500 5.3.0 Error: command failed"

I have found it useful to be able to customize these responses based on command 
line arguments.  

The patch at:

http://www.saffron.org/postfix-2.6.5-smtp-sink-custom-bounce-codes.patch

adds two new command-line arguments to smtp-sink:

   -b soft bounce string
          Use soft bounce string for soft bounces.  The default soft
          bounce string is "450 4.3.0 Error: command failed".

   -B hard bounce string
          Use hard bounce string for hard bounces.  The default hard
          bounce string is "500 5.3.0 Error: command failed".

Please review and consider for inclusion in postfix.  Please let me know if 
there are any questions or concerns.

Thank you.
 - Jason Parsons



smtp server authentication fail..

2010-07-10 Thread jason welsh
hey list.. im trying to authenticate my postfix smtp server to yahoo/att
server, I have followed the following guide
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html

and cannot get my server to authenticate..
here is the smtp conversation as i have sniffed it

220 smtp103.sbc.mail.ac4.yahoo.com ESMTP
EHLO mydomain.org
250-smtp103.sbc.mail.ac4.yahoo.com
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250 8BITMIME
MAIL FROM: BODY=7BIT
RCPT TO:
DATA
530 authentication required - for help go to
http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
530 authentication required - for help go to
http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
530 authentication required - for help go to
http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
RSET
QUIT
250 flushed
221 Service Closing transmission


in my main.cf, I have (among other things)

relayhost=smtp.att.yahoo.com:587
smtp_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

beast ~ # cat /etc/postfix/sasl_passwd
[smtp.att.yahoo.com]:587 myacco...@att.net:xxx

(real account name and password are in this file)
and I have the .db file made ..
beast ~ # ls -al /etc/postfix/sasl_passwd*
-rw-r--r-- 1 root root57 Jul 10 09:53 /etc/postfix/sasl_passwd
-rw-r--r-- 1 root root 12288 Jul 10 13:54 /etc/postfix/sasl_passwd.db

so how can I figure out why postfix isnt trying to authenticate while
relaying?

Jason
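
A check for two things visible in the post above, added here as an example and not part of the original message: whether the `relayhost` value appears as a key in the `smtp_sasl_password_maps` source file in the same bracket form, and whether a password file is readable beyond its owner. Function names and the placeholder credential are constructed; the bracket rule is the one in the Postfix SASL documentation (the key must use the same `[host]:port` form as `relayhost`).

```python
import os
import stat
import tempfile

# Settings as posted in the message above.
PAGE_MAIN_CF = """\
relayhost=smtp.att.yahoo.com:587
smtp_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
"""
# Same key as in the post; the credential is a constructed placeholder.
SAMPLE_SASL_PASSWD = "[smtp.att.yahoo.com]:587 account@example.net:placeholder\n"
# Corrected form: relayhost written exactly like the password-map key.
FIXED_MAIN_CF = PAGE_MAIN_CF.replace(
    "relayhost=smtp.att.yahoo.com:587", "relayhost = [smtp.att.yahoo.com]:587")


def parse_main_cf(text):
    """Return {parameter: value} from main.cf-style text, joining continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()  # leading whitespace continues a value
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_lookup_table(text):
    """Return {key: value} from a lookup-table source file (key, whitespace, value)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1]
    return table


def strip_brackets(nexthop):
    return nexthop.replace("[", "").replace("]", "")


def check_relay_auth(main_cf_text, passwd_text):
    """Return a list of findings; an empty list means the next hop has credentials."""
    findings = []
    params = parse_main_cf(main_cf_text)
    relayhost = params.get("relayhost", "")
    keys = parse_lookup_table(passwd_text)
    if params.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not 'yes'")
    if not params.get("smtp_sasl_password_maps"):
        findings.append("smtp_sasl_password_maps is not set")
    # Postfix also tries the connected server's hostname as a key; this check
    # covers only the next-hop form, which is the one the administrator writes.
    if relayhost and relayhost not in keys:
        near = [k for k in keys if strip_brackets(k) == strip_brackets(relayhost)]
        if near:
            findings.append(
                "relayhost %r and password key %r differ only in [] brackets; "
                "use the same form in both files" % (relayhost, near[0]))
        else:
            findings.append("no password entry for relayhost %r" % relayhost)
    return findings


def readable_beyond_owner(path):
    """True if the file mode grants any access to group or others."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def demo_permissions():
    """Create a scratch file with the 0644 mode from the ls output, then tighten it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = readable_beyond_owner(path)
        os.chmod(path, 0o600)
        after = readable_beyond_owner(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for finding in check_relay_auth(PAGE_MAIN_CF, SAMPLE_SASL_PASSWD):
        print("main.cf as posted:", finding)
    print("after fix:", check_relay_auth(FIXED_MAIN_CF, SAMPLE_SASL_PASSWD) or "ok")
    print("0644 readable beyond owner, 0600 readable beyond owner:", demo_permissions())
```

After editing the source file, the `.db` file has to be rebuilt with `postmap`, and both files hold the relay password, so both need the tighter mode.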


Re: smtp server authentication fail..

2010-07-10 Thread jason welsh
beast ~ # postconf -a
cyrus
dovecot

aha.. Im guessing sasl should be in there somewhere?

Jason


On Sat, Jul 10, 2010 at 2:20 PM, Matt Hayes wrote:

> On 07/10/2010 02:10 PM, jason welsh wrote:
>
>> hey list.. im trying to authenticate my postfix smtp server to yahoo/att
>> server, I have followed the following guide
>>
>> http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
>>
>> and cannot get my server to authenticate..
>> here is the smtp conversation as i have sniffed it
>>
>> 220 smtp103.sbc.mail.ac4.yahoo.com ESMTP
>> EHLO mydomain.org
>> 250-smtp103.sbc.mail.ac4.yahoo.com
>> 250-AUTH LOGIN PLAIN XYMCOOKIE
>> 250-PIPELINING
>> 250 8BITMIME
>> MAIL FROM:<ja...@mydomain.org> BODY=7BIT
>> RCPT TO:<jawe...@someotherdomain.com>
>> DATA
>> 530 authentication required - for help go to
>> http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
>> 530 authentication required - for help go to
>> http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
>> 530 authentication required - for help go to
>> http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
>> RSET
>> QUIT
>> 250 flushed
>> 221 Service Closing transmission
>>
>>
>> in my main.cf, I have (among other things)
>>
>> relayhost=smtp.att.yahoo.com:587
>> smtp_sasl_auth_enable = yes
>> broken_sasl_auth_clients = yes
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>> smtp_sasl_security_options = noanonymous
>>
>> beast ~ # cat /etc/postfix/sasl_passwd
>> [smtp.att.yahoo.com]:587 myacco...@att.net:xxx
>>
>> (real account name and password are in this file)
>> and I have the .db file made ..
>> beast ~ # ls -al /etc/postfix/sasl_passwd*
>> -rw-r--r-- 1 root root57 Jul 10 09:53 /etc/postfix/sasl_passwd
>> -rw-r--r-- 1 root root 12288 Jul 10 13:54 /etc/postfix/sasl_passwd.db
>>
>> so how can I figure out why postfix isnt trying to authenticate while
>> relaying?
>>
>> Jason
>>
>>
>>
>>
> What is the output of: postconf -a
>
> -Matt
>


Send Message when reject_unknown_hostname is invoked

2010-08-13 Thread jason hirsh
I am apparently having an issue with some servers whose mail is being  
rejected because of


reject_unknown_hostname

the reject was shown here

Aug 11 00:21:36 xxx postfix/smtpd[96422]: NOQUEUE: reject: RCPT  
from mail01a.yesbank.com[65.196.66.182]: 450 4.7.1  
: Helo command rejected: Host not found;  
from= to= proto=ESMTP  
helo=
Aug 11 00:21:36 batfish postfix/smtpd[96422]: generic_checks:  
name=reject_unknown_hostname status=2
Aug 11 00:21:36  postfix/smtpd[96422]: >  
mail01a.yesbank.com[65.196.66.182]: 450 4.7.1  
: Helo command rejected: Host not found
Aug 11 00:21:36  postfix/smtpd[96422]: <  
mail01a.yesbank.com[65.196.66.182]: DATA
Aug 11 00:21:36  postfix/smtpd[96422]: >  
mail01a.yesbank.com[65.196.66.182]: 554 5.5.1 Error: no valid recipients
Aug 11 00:21:36  postfix/smtpd[96422]: <  
mail01a.yesbank.com[65.196.66.182]: RSET




but no reject message went out...  Is there a way I can ensure an
error message goes out to the sender???


it would also be nice if I could cc my postmaster account when rejects
occur

Re: Send Message when reject_unknown_hostname is invoked

2010-08-13 Thread jason hirsh


On Aug 13, 2010, at 1:22 PM, Jeroen Geilman wrote:

> On 08/13/2010 07:05 PM, jason hirsh wrote:
>
>> I am apparently having an issue with some servers whose mail is
>> being rejected because of
>>
>> reject_unknown_hostname
>>
>> the reject was shown here
>>
>> Aug 11 00:21:36 xxx
>
> batfish ?

i was trying to remove my server name for email

>> postfix/smtpd[96422]: NOQUEUE: reject: RCPT from
>> mail01a.yesbank.com[65.196.66.182]: 450 4.7.1
>> : Helo command rejected: Host not found;
>> from= to= proto=ESMTP
>> helo=
>>
>> Aug 11 00:21:36 batfish postfix/smtpd[96422]: generic_checks:
>> name=reject_unknown_hostname status=2
>
> Debug logging. Don't.

I am debugging

>> Aug 11 00:21:36  postfix/smtpd[96422]: >
>> mail01a.yesbank.com[65.196.66.182]: 450 4.7.1
>> : Helo command rejected: Host not found
>
> Duplicated, because of debug logging. Don't.

when I stop debugging I won't   this is the third instance of I have
had of "lost mail"  and the first that I had the address so I can
chase it down

>> Aug 11 00:21:36  postfix/smtpd[96422]: <
>> mail01a.yesbank.com[65.196.66.182]: DATA
>
> Useless.
>
>> Aug 11 00:21:36  postfix/smtpd[96422]: >
>> mail01a.yesbank.com[65.196.66.182]: 554 5.5.1 Error: no valid
>> recipients
>
> Odd.
>
>> Aug 11 00:21:36  postfix/smtpd[96422]: <
>> mail01a.yesbank.com[65.196.66.182]: RSET
>
> Uselesser.
>
>> but no reject message went out...
>
> A whut ?
>
>> Is there a way I can ensure an error message goes out to the
>> sender???
>
> If postfix rejects a message ?
> That would be the job of the sending MTA.

The sender said to my client that he sent the message .. he was
unaware it was rejected

I would like to reject it back to the sender so he knows..

>> it would also be nice if I could cc my postmaster account when
>> rejects occur
>
> You really don't want to do that.

if I can't notify senders of rejects it sure beats searching logs for
rejects

> J.





Re: Send Message when reject_unknown_hostname is invoked

2010-08-13 Thread jason hirsh


On Aug 13, 2010, at 2:14 PM, Larry Stone wrote:

> On Fri, 13 Aug 2010, jason hirsh wrote:
>
>> when I stop debugging I won't   this is the third instance of I
>> have had of "lost mail"  and the first that I had the address so I
>> can chase it down
>
> You didn't lose any mail. The upstream server did. You can't fix
> other server's problems and until you accept the mail (you didn't),
> it's not yours to lose.

well when is it acceptance for a contract offer , it is kind of hard to
say.. hey the guy that wants to spend the money  has a crappy server

the client would rather sort through spam than  not receive email

>> The sender said to my client that he sent the message .. he was
>> unaware it was rejected
>>
>> I would like to reject it back to the sender so he knows..
>
> You did reject it. Notification is the job of the last MTA to accept
> the message. A rejecting MTA cannot provide any notification back to
> the sender without it being at serious risk of being a backscatter
> source.

Ok that makes sense, doesn't sell well, but it makes perfect sense

> That the upstream MTA failed to properly notify the sender is not,
> let me make that clear, IS NOT your problem to solve. If the sender
> is complaining to you, you need to tell him or her that your system
> rejected the message (which is your right) and that failure to
> notify him or her of the rejection is a failure by a server not
> under your control. He needs to complain to his provider as to why
> the upstream server (most likely the one he is sending via or if
> not, very near it) is not properly notifying him.
>
>> if I can't notify senders of rejects it sure beats searching logs
>> for rejects
>
> Are you new to this? Because given the level of spam and other crud
> on the Internet, with any kind of anti-spam/anti-virus controls in
> place, you should be (or soon will be) rejecting hundreds if not
> thousands of messages per day.

No I am not new.. but this is a new problem .. legitimate email being
bounced   I have a small customer base.. 5 domains less than 20
active accounts ..but I wouldn't place the host name rejection
messages at only a couple of hundred a day   the vast majority are
for other reasons and from other filters  those I don't care about

Jason

> -- Larry Stone
>   lston...@stonejongleux.com




Re: Send Message when reject_unknown_hostname is invoked [resolved]

2010-08-13 Thread jason hirsh


On Aug 13, 2010, at 2:22 PM, Wietse Venema wrote:

> jason hirsh:
>> I am apparently having an issue with some servers whose mail is being
>> rejected because of
>>
>> reject_unknown_hostname
>>
>> the reject was shown here
>>
>> Aug 11 00:21:36 xxx postfix/smtpd[96422]: NOQUEUE: reject: RCPT
>> from mail01a.yesbank.com[65.196.66.182]: 450 4.7.1
>> : Helo command rejected: Host not found;
>> from= to= proto=ESMTP
>
> ...
>
>> but no reject message went out...  Is there a way I can ensure an
>> error message goes out to the sender???
>
> No reject message is sent out because your server answers with SMTP
> reply code 450. This corresponds with a "Try Again" class error.
> The SENDING MTA will give up after trying for several days. Only then
> will the sending MTA inform sender that the message is undeliverable,
>
> The 450 reply code means that the hostname lookup failed because
> Postfix received no reply when it looked up the client hostname,
> or when it tried to verify that the name really resolves to the
> client IP address.

Ahh so where my server will try for 5 days before giving up ... the
sender's will try for a period too THEN notify him..

Thanks..  now that I can sell.

if I can't get the clients to agree I would have to drop this
restriction

this combined with Larry Stone's comment on the Back Scatter Issues is
of a tremendous help

thanks to all

> Wietse
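
A log-side alternative to notifying senders, added here as an example and not part of the thread: it reads `NOQUEUE: reject` lines, separates 4xx from 5xx replies as explained above, and lists the temporary rejects that the same client keeps retrying. Treating repeated retries as the sign of a real MTA holding mail in its queue is a heuristic assumed by this example; the log lines, host names and function names are constructed.

```python
import re
from collections import defaultdict

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"(?P<stage>\S+) from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<dsn>\d\.\d+\.\d+) (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def _sample(ts, client, ip, reply, sender, rcpt):
    """Build one constructed smtpd reject line in the format shown in the thread."""
    return ("%s mx1 postfix/smtpd[96422]: NOQUEUE: reject: RCPT from %s[%s]: %s; "
            "from=<%s> to=<%s> proto=ESMTP helo=<%s>"
            % (ts, client, ip, reply, sender, rcpt, client))


HELO_450 = "450 4.7.1 <helo.name>: Helo command rejected: Host not found"
REJECT_SAMPLE_LOG = [  # constructed; documentation address ranges only
    "Aug 11 00:21:30 mx1 postfix/smtpd[96422]: connect from mail01.sender.example[192.0.2.10]",
    _sample("Aug 11 00:21:36", "mail01.sender.example", "192.0.2.10", HELO_450,
            "buyer@sender.example", "sales@client.example"),
    _sample("Aug 11 00:30:02", "unknown", "203.0.113.5",
            "554 5.7.1 <x@elsewhere.example>: Relay access denied",
            "spam@bulk.example", "x@elsewhere.example"),
    _sample("Aug 11 00:40:11", "dyn.pool.example", "198.51.100.7", HELO_450,
            "offer@bulk.example", "info@client.example"),
    _sample("Aug 11 00:51:40", "mail01.sender.example", "192.0.2.10", HELO_450,
            "buyer@sender.example", "sales@client.example"),
    _sample("Aug 11 01:51:44", "mail01.sender.example", "192.0.2.10", HELO_450,
            "buyer@sender.example", "sales@client.example"),
]


def parse_rejects(lines):
    """Yield one dict per smtpd 'NOQUEUE: reject' line; other lines are skipped."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            rec = m.groupdict()
            # 4xx: the sending MTA keeps the message queued and retries.
            # 5xx: the sending MTA returns the message to its user at once.
            rec["temporary"] = rec["code"].startswith("4")
            # Drop the leading "<argument>: " so identical reasons group together.
            rec["reason"] = rec["text"].split(": ", 1)[-1]
            yield rec


def reject_digest(lines):
    """Group rejects by (client IP, sender, recipient, reason)."""
    groups = defaultdict(lambda: {"attempts": 0, "first": None, "last": None,
                                  "temporary": False, "client": None})
    for rec in parse_rejects(lines):
        g = groups[(rec["ip"], rec["sender"], rec["rcpt"], rec["reason"])]
        g["attempts"] += 1
        g["first"] = g["first"] or rec["ts"]
        g["last"] = rec["ts"]
        g["temporary"] = rec["temporary"]
        g["client"] = rec["client"]
    return dict(groups)


def retrying_senders(digest, min_attempts=2):
    """Temporary rejects that the same client has retried at least min_attempts times."""
    rows = [(key, g) for key, g in digest.items()
            if g["temporary"] and g["attempts"] >= min_attempts]
    return sorted(rows, key=lambda kg: -kg[1]["attempts"])


if __name__ == "__main__":
    for (ip, sender, rcpt, reason), g in retrying_senders(reject_digest(REJECT_SAMPLE_LOG)):
        print("%s -> %s via %s[%s]: %d attempts, %s to %s (%s)"
              % (sender, rcpt, g["client"], ip, g["attempts"], g["first"], g["last"], reason))
```

The digest is read by the postmaster on the receiving side; nothing is sent to the envelope sender, so it does not create backscatter.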




virtual_alias_expansion_limit

2010-09-28 Thread Jason Voorhees
Hi people:

I know that Postfix defaults virtual_alias_expansion_limit directive
to 1000. I have a question:

What happens if I have a virtual_alias_maps that returns more than
1000 results? Will postfix send e-mail to the first 1000 results
and ignore the rest from 1001?

I ask this because I found these messages in my logs:

Sep 28 09:20:39 mail postfix/cleanup[3836]: warning: D050411A94A0:
unreasonable virtual_alias_maps map nesting for compl...@domain.com
Sep 28 09:20:39 mail postfix/cleanup[3836]: warning: D050411A94A0:
unreasonable virtual_alias_maps map expansion size for
compl...@domain.com

Then I got lots of these bounces:

Sep 28 09:21:41 mail postfix/error[3776]: D050411A94A0:
to=, orig_to=, relay=none,
delay=100, status=bounced (User unknown in virtual alias table)
Sep 28 09:21:41 mail postfix/error[4245]: D050411A94A0:
to=, orig_to=, relay=none,
delay=100, status=bounced (User unknown in virtual alias table)

With the help of grep and the Postfix mail ID I found 452 bounce
messages. So I'm not pretty sure if my virtual_alias_maps returned
1452 users and postfix bounced from 1001 to 1452 result.

My default virtual_alias_expansion_limit was 1000, and now I pretend
to increase this directive to 3000 but I'm not sure what was the real
reason of those bounces.
What's the postfix behaviour in these cases when a virtual_alias_maps
returns more than 1000 (default) results?

a) It causes a bounce to ALL results of the virtual_alias_maps?
b) It delivers the first 1000 then bounces the rest over the default limit?

I hope someone can help me. Thanks


Re: virtual_alias_expansion_limit

2010-09-28 Thread Jason Voorhees
Thanks, your last sentence was the one I need to understand my problem.

Bye :)

On Tue, Sep 28, 2010 at 12:31 PM, Victor Duchovni
 wrote:
> On Tue, Sep 28, 2010 at 11:24:47AM -0500, Jason Voorhees wrote:
>
>> I know that Postfix defaults virtual_alias_expansion_limit directive
>> to 1000. I have a question:
>>
>> What happens if I have a virtual_alias_maps that returns more than
>> 1000 results? Will postfix send e-mail to the first 1000 results
>> and ignore the rest from 1001?
>
> What happens is that expansion stops, and any remaining addresses
> remain unexpanded, and may generate bounces (if they are in a virtual
> alias domain).
>
> The behaviour when the limit is exceeded is not ideal. It is probably
> better to reject the message. Wietse and I discussed this issue off-list
> about a year ago, don't recall which, if either, of us was going to look
> into it further...
>
> Because recursive virtual expansion happens in the cleanup(8) server,
> it is not possible to reject a single SMTP recipient that expands to a
> list over the limit. Rather, the entire message would have to be rejected
> after "." with a "queue-file write error" (and a more specific message
> in the mail logs).
>
> It is perhaps time to consider doing virtual expansion in the SMTP server
> for a future Postfix 3.0 release. That would potentially allow wild-card
> rewrites to co-exist with recipient validation.
>
>> What's the postfix behaviour in these cases when a virtual_alias_maps
>> returns more than 1000 (default) results?
>>
>> a) It causes a bounce to ALL results of the virtual_alias_maps?
>
> No.
>
>> b) It delivers the first 1000 then bounces the rest over the default limit?
>
> Only the first 1000 undergo expansion, the others are not subjected to
> virtual alias rewriting, and this may cause delivery to fail.
>
> --
>        Viktor.
>
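
One way to confirm from the mail log that a burst of "User unknown in virtual alias table" bounces follows from the expansion limit described in the reply above: join the cleanup(8) warnings to the delivery records on the queue ID. This is an added example, not from the thread; the log lines are constructed in the format shown in the original post, and the function name is hypothetical.

```python
import re
from collections import defaultdict

WARN_RE = re.compile(
    r"postfix/cleanup\[\d+\]: warning: (?P<qid>[0-9A-F]+): "
    r"unreasonable virtual_alias_maps map (?P<kind>nesting|expansion size) "
    r"for (?P<addr>\S+)")
DELIVERY_RE = re.compile(
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"(?:orig_to=<(?P<orig>[^>]*)>, )?.*?status=(?P<status>\w+) \((?P<detail>.*)\)")

ALIAS_SAMPLE_LOG = [  # constructed lines; addresses are placeholders
    "Sep 28 09:20:39 mail postfix/cleanup[3836]: warning: D050411A94A0: "
    "unreasonable virtual_alias_maps map nesting for everyone@domain.example",
    "Sep 28 09:20:39 mail postfix/cleanup[3836]: warning: D050411A94A0: "
    "unreasonable virtual_alias_maps map expansion size for everyone@domain.example",
    "Sep 28 09:20:45 mail postfix/lmtp[3901]: D050411A94A0: to=<alice@domain.example>, "
    "orig_to=<everyone@domain.example>, relay=mail.domain.example[/var/lib/imap/socket/lmtp], "
    "delay=6, status=sent (250 2.1.5 Ok)",
    "Sep 28 09:20:46 mail postfix/lmtp[3901]: D050411A94A0: to=<bob@domain.example>, "
    "orig_to=<everyone@domain.example>, relay=mail.domain.example[/var/lib/imap/socket/lmtp], "
    "delay=7, status=sent (250 2.1.5 Ok)",
    "Sep 28 09:21:41 mail postfix/error[3776]: D050411A94A0: to=<group8@domain.example>, "
    "orig_to=<everyone@domain.example>, relay=none, delay=100, "
    "status=bounced (User unknown in virtual alias table)",
    "Sep 28 09:21:41 mail postfix/error[4245]: D050411A94A0: to=<group7@domain.example>, "
    "orig_to=<everyone@domain.example>, relay=none, delay=100, "
    "status=bounced (User unknown in virtual alias table)",
    # A different message that bounced for an unrelated reason and had no warning.
    "Sep 28 09:25:10 mail postfix/smtp[4100]: 1A2B3C4D5E: to=<carol@remote.example>, "
    "relay=mx.remote.example[192.0.2.25]:25, delay=2, "
    "status=bounced (host mx.remote.example said: 550 No such user)",
]


def expansion_overflows(lines):
    """Return {queue_id: report} for messages where cleanup(8) logged an expansion warning."""
    warned = {}
    deliveries = defaultdict(list)
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            rep = warned.setdefault(m["qid"], {"alias": m["addr"], "warnings": set()})
            rep["warnings"].add(m["kind"])
            continue
        m = DELIVERY_RE.search(line)
        if m:
            deliveries[m["qid"]].append(m.groupdict())

    reports = {}
    for qid, rep in warned.items():
        # Only recipients that came out of the alias named in the warning.
        rows = [d for d in deliveries[qid] if d["orig"] == rep["alias"]]
        # Addresses left unexpanded when expansion stopped have no mailbox of
        # their own, so they bounce with this specific reason.
        unexpanded = [d["to"] for d in rows
                      if d["status"] == "bounced" and "virtual alias table" in d["detail"]]
        reports[qid] = {
            "alias": rep["alias"],
            "warnings": sorted(rep["warnings"]),
            "sent": sum(d["status"] == "sent" for d in rows),
            "unexpanded_bounces": sorted(unexpanded),
        }
    return reports


if __name__ == "__main__":
    for qid, rep in expansion_overflows(ALIAS_SAMPLE_LOG).items():
        print("%s: %s hit the limit (%s); %d delivered, %d left unexpanded: %s"
              % (qid, rep["alias"], ", ".join(rep["warnings"]), rep["sent"],
                 len(rep["unexpanded_bounces"]), ", ".join(rep["unexpanded_bounces"])))
```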


Installation Error

2010-10-02 Thread jason hirsh

I am doing an installation on a new FreeBSD 8.1 box   and it fails with


postfix: warning: valid_hostname: invalid character 32(decimal):  
my.domain-server.com


Bind is up ..  the server name is correct..

I have issued this on my previous server (which this is to replace)  
and didn't  have a problem as I remember my installation


any thoughts??


 


Re: Installation Error _RESOLVED

2010-10-02 Thread jason hirsh


On Oct 2, 2010, at 3:56 PM, Ralf Hildebrandt wrote:

> * jason hirsh :
>> I am doing an installation on a new FreeBSD 8.1 box   and it fails
>> with
>>
>> postfix: warning: valid_hostname: invalid character 32(decimal):
>> my.domain-server.com
>
> remove the trailing or leading space
> from "my.domain-server.com " or " my.domain-server.com"

I missed that

edited and corrected rc.conf
reboot and installation went fine

thanks for your quick response

> --
> Ralf Hildebrandt
>  Geschäftsbereich IT | Abteilung Netzwerk
>  Charité - Universitätsmedizin Berlin
>  Campus Benjamin Franklin
>  Hindenburgdamm 30 | D-12203 Berlin
>  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>  ralf.hildebra...@charite.de | http://www.charite.de





Re: Installation Error _RESOLVED

2010-10-02 Thread jason hirsh
the change to the rc.conf doesn't apparently take effect until you
reboot.. there might be another way but i am a bit of a newbie

On Oct 2, 2010, at 4:42 PM, joe wrote:

> You rebooted to change the hostname???
>
> Joe
>
> On 10/02/2010 01:13 PM, jason hirsh wrote:
>
>> On Oct 2, 2010, at 3:56 PM, Ralf Hildebrandt wrote:
>>
>>> * jason hirsh :
>>>> I am doing an installation on a new FreeBSD 8.1 box   and it fails
>>>> with
>>>>
>>>> postfix: warning: valid_hostname: invalid character 32(decimal):
>>>> my.domain-server.com
>>>
>>> remove the trailing or leading space
>>> from "my.domain-server.com " or " my.domain-server.com"
>>
>> I missed that
>>
>> edited and corrected rc.conf
>> reboot and installation went fine
>>
>> thanks for your quick response
>>
>>> --
>>> Ralf Hildebrandt
>>> Geschäftsbereich IT | Abteilung Netzwerk
>>> Charité - Universitätsmedizin Berlin
>>> Campus Benjamin Franklin
>>> Hindenburgdamm 30 | D-12203 Berlin
>>> Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>>> ralf.hildebra...@charite.de | http://www.charite.de









NOQUEUE: reject: RCPT 450 4.7.1 Recipient address rejected: Service is unavailable

2010-11-22 Thread Jason Lukasiewicz
(1) Some mail is getting delayed, or not delivered at all (see error log
below).
Not well versed in this.  Any help appreciated.  (postcon -n attached)

(2) uncertain how to rid myself of all the Anvil messages.  Can I turn it
off somehow if I do not require it ?

Kind comments only please   ;-)
-- 
Jason Lukasiewicz
Vice President
Lukasiewicz Design, Inc.
jayl...@lukedesign.com
(212) 581-3344


POSTCON -n (attached)


MAIL.LOG ERROR MESSAGE
Nov 22 12:59:33 mail postfix/smtpd[73566]: warning: connect to
private/anvil: Connection refused
Nov 22 12:59:33 mail postfix/smtpd[73566]: warning: problem talking to
server private/anvil: Connection refused
Nov 22 12:59:33 mail postfix/smtpd[73566]: warning: restriction
`reject_invalid_helo_hostname' after `permit' is ignored
Nov 22 12:59:33 mail postfix/smtpd[73566]: NOQUEUE: reject: RCPT from
exprod7og102.obsmtp.com[64.18.2.157]: 450 4.7.1 :
Recipient address rejected: Service is unavailable; from=
to= proto=SMTP helo=
Nov 22 12:59:33 mail postfix/smtpd[73566]: warning: connect to
private/anvil: Connection refused
Nov 22 12:59:33 mail postfix/smtpd[73566]: warning: problem talking to
server private/anvil: Connection refused
Nov 22 12:59:34 mail postfix/smtpd[73566]: warning: connect to
private/anvil: Connection refused
Nov 22 12:59:34 mail postfix/smtpd[73566]: warning: problem talking to
server private/anvil: Connection refused
Nov 22 12:59:34 mail postfix/smtpd[73566]: disconnect from
exprod7og102.obsmtp.com[64.18.2.157]


postcon -n.rtf
Description: Binary data


Re: NOQUEUE: reject: RCPT 450 4.7.1 Recipient address rejected: Service is unavailable

2010-11-22 Thread Jason Lukasiewicz
I "migrated" from a Mac OS Server 10.4.11 to a Mac OS X Server 10.6.
New Xserve and new software . . . .  But it's likely the "migration" (auto
copying all old files) that is screwing me up.

What the f$#@ do I do now ?


By the way,  I am pretty impressed getting a response from "The Big Cheese"
. . . I see you wrote the Man page on Anvil.

Seriously, I know you likely have other things to do, but I am pretty
amateur at this crap.  Any assistance you could provide would be greatly
appreciated.   I may even send you fresh baked cookies    ;-)

-- 
Jason Lukasiewicz
Vice President
Lukasiewicz Design, Inc.
jayl...@lukedesign.com



on 11/22/10 1:55 PM, Wietse Venema at wie...@porcupine.org wrote:

> Jason Lukasiewicz:
>> Nov 22 12:59:33 mail postfix/smtpd[73566]: warning: connect to
>> private/anvil: Connection refused
>> Nov 22 12:59:33 mail postfix/smtpd[73566]: warning: problem talking to
>> server private/anvil: Connection refused
> 
> Apparently, your master.cf file is for an older version of Postfix
> than the version that you are running now.
> 
> What did you change to Postfix before this started to happen?
> 
> Wietse




Simple question?: Aliases and transport

2010-12-02 Thread Jason Voorhees
Hi:

I'm running Postfix 2.3.3 for a domain 'mydomain.com' with some users
hosted locally (with Cyrus IMAP) and some others are hosted by a MS
Exchange server.
I configured a transport map for all users that need to be relayed to
the MS exchange like this:

exchangeus...@mydomain.com  smtp:[A.B.C.D]
exchangeus...@mydomain.com  smtp:[A.B.C.D]
exchangeus...@mydomain.com  smtp:[A.B.C.D]
...
...

This is my transport map and is working fine. But we also have aliases
at /etc/aliases like:

postfixuser1: postfixuser2, postfixuser3
postfixuser4: postfixuser5, postfixuser6
...
...

The problem is that these aliases aren't working for Exchange users at
/etc/aliases:

exchangeuser1: exchangeuser2

This line is apparently being ignored by Postfix because their logs
say that mail sent for exchangeus...@mydomain.com is being relayed
directly to A.B.C.D smtp server, but I don't see any redirection to
exchangeus...@mydomain.com before being forwarded to the Exchange
server.

Do you know what I am missing? I hope someone can help me.

Thanks


Re: Simple question?: Aliases and transport

2010-12-02 Thread Jason Voorhees
On Thu, Dec 2, 2010 at 9:40 AM, Brian Evans - Postfix List
 wrote:
> On 12/2/2010 9:32 AM, Jason Voorhees wrote:
>>
>> Hi:
>>
>> I'm running Postfix 2.3.3 for a domain 'mydomain.com' with some users
>> hosted locally (with Cyrus IMAP) and some others are hosted by a MS
>> Exchange server.
>> I configured a transport map for all users that need to be relayed to
>> the MS exchange like this:
>>
>> exchangeus...@mydomain.com  smtp:[A.B.C.D]
>> exchangeus...@mydomain.com  smtp:[A.B.C.D]
>> exchangeus...@mydomain.com  smtp:[A.B.C.D]
>> ...
>> ...
>>
>> This is my transport map and is working fine. But we also have aliases
>> at /etc/aliases like:
>>
>> postfixuser1: postfixuser2, postfixuser3
>> postfixuser4: postfixuser5, postfixuser6
>> ...
>> ...
>>
>> The problem is that these aliases aren't working for Exchange users at
>> /etc/aliases:
>>
>> exchangeuser1: exchangeuser2
>>
>
> I'm assuming "/etc/aliases" is listed in alias_maps. According to "man 5
> postconf"
> alias_maps (default: see "postconf -d" output)
>    The alias databases that are used for local(8) delivery. See aliases(5)
> for syntax details.
>
> This means that only the local(8) delivery agent uses these.
>
> In order for this to work, you should add non-local user aliases to
> virtual_alias_maps using the fully qualified addresses on both the left and
> right sides.
>
> virtual_alias_maps are global and you *should not* add anything to
> virtual_alias_domains.
>
> Brian
>

Thanks, that worked perfectly. I didn't understand completely the
purpose of virtual_alias_maps :(

Thanks again, bye.


Different backend authentications for Postfix

2010-12-07 Thread Jason Voorhees
Hi:

For personal reasons I'm planning to migrate a Zimbra installation to
a Postfix+Cyrus IMAP based schema. My Zimbra server has two domains:
domain1.com and domain2.com. Users from domain1.com authenticate via
Active Directory and domain2.com authenticate via Zimbra (using its
own OpenLDAP server).

As you know Zimbra has postfix embedded with a custom version of
saslauthd. Now I have to keep the same double authentication schema
when migrating to postfix so the question is: How could I configure
Postfix to authenticate users from one domain (domain1.com) to a
backend A (Active Directory) and users from other domain (domain2.com)
to a backend B (OpenLDAP, MySQL, PAM, etc)? Is it possible? Any ideas?

I hope someone can help me with some ideas.

Thanks


Re: Different backend authentications for Postfix

2010-12-07 Thread Jason Voorhees
On Tue, Dec 7, 2010 at 12:45 PM, Wietse Venema  wrote:
> Jason Voorhees:
>> Hi:
>>
>> For personal reasons I'm planning to migrate a Zimbra installation to
>> a Postfix+Cyrus IMAP based schema. My Zimbra server has two domains:
>> domain1.com and domain2.com. Users from domain1.com authenticate via
>> Active Directory and domain2.com authenticate via Zimbra (using its
>> own OpenLDAP server).
>>
>> As you know Zimbra has postfix embedded with a custom version of
>> saslauthd. Now I have to keep the same double authentication schema
>> when migrating to postfix so the question is: How could I configure
>> Postfix to authenticate users from one domain (domain1.com) to a
>> backend A (Active Directory) and users from other domain (domain2.com)
>> to a backend B (OpenLDAP, MySQL, PAM, etc)? Is it possible? Any ideas?
>>
>> I hope someone can help me with some ideas.
>
> Postfix does not implement any SASL authentication - SASL
> is implemented entirely by the back-end (Cyrus or Dovecot).
>
>        Wietse
>

Yes, I know, but maybe I asked the question incorrectly (sorry, my
native language isn't English). I could configure saslauthd to
authenticate to MySQL/LDAP/Active Directory and I was planning to run
(maybe) two instances of saslauthd, each with a different
authentication backend.
I know that postfix delegates authentication to saslauthd so the
question I really wanted to ask is: Could postfix choose between more
than one instance of saslauthd based on some criteria (maybe
listening IP address, or u...@domain account, etc)?

Or do I need to solve this issue necessarily at saslauthd level with some hacks?


Re: Different backend authentications for Postfix

2010-12-07 Thread Jason Voorhees
On Tue, Dec 7, 2010 at 1:09 PM, Patrick Ben Koetter wrote:
> * Jason Voorhees :
>> Hi:
>>
>> For personal reasons I'm planning to migrate a Zimbra installation to
>> a Postfix+Cyrus IMAP based schema. My Zimbra server has two domains:
>> domain1.com and domain2.com. Users from domain1.com authenticate via
>> Active Directory and domain2.com authenticate via Zimbra (using its
>> own OpenLDAP server).
>>
>> As you know Zimbra has postfix embedded with a custom version of
>> saslauthd. Now I have to keep the same double authentication schema
>> when migrating to postfix so the question is: How could I configure
>> Postfix to authenticate users from one domain (domain1.com) to a
>> backend A (Active Directory) and users from other domain (domain2.com)
>> to a backend B (OpenLDAP, MySQL, PAM, etc)? Is it possible? Any ideas?
>
> It is possible to use several SASL authentication services in chain. You
> could, for example, use saslauthd to do Kerberos authentication to an Active
> Directory and use another e.g. ldapdb authentication method to access an
> OpenLDAP-server.
>
> A quick sketch of smtpd.conf:
>
> pwcheck_service: saslauthd auxprop
> auxprop_plugin: ldapdb
> mech_list: PLAIN LOGIN
> ldapdb_uri: ldap://localhost
> ldapdb_id: username
> ldapdb_pw: secret
> ldapdb_mech: DIGEST-MD5
>
> And you could call saslauthd like this:
>
> saslauthd -a kerberos5 ...
>
> Read the NOTES section of the saslauthd man page for further instructions on
> Kerberos.
>

That's exactly the idea I was looking for. I didn't know that
saslauthd could do this kind of chain configuration trying different
services.

I'm going to read some documentation, man pages and Google to make
this configuration. Thanks, and sorry if this question wasn't related
to Postfix.

Bye


Re: Different backend authentications for Postfix

2010-12-07 Thread Jason Voorhees
On Tue, Dec 7, 2010 at 1:23 PM, Victor Duchovni wrote:
> On Tue, Dec 07, 2010 at 01:15:46PM -0500, Jason Voorhees wrote:
>
>> > A quick sketch of smtpd.conf:
>> >
>> > pwcheck_service: saslauthd auxprop
>> > auxprop_plugin: ldapdb
>> > mech_list: PLAIN LOGIN
>> > ldapdb_uri: ldap://localhost
>> > ldapdb_id: username
>> > ldapdb_pw: secret
>> > ldapdb_mech: DIGEST-MD5
>>
>> That's exactly the idea I was looking for. I didn't know that
>> saslauthd could do this kind of chain configuration trying different
>> services.
>
> No, it is not saslauthd that's doing the chaining, rather the Cyrus
> SASL library first uses saslauthd and if that fails, tries the LDAP
> auxprop plugin.
>

Yes, it was my mistake. I commonly call saslauthd and Cyrus SASL as
the same thing.

Thanks :)

> --
>        Viktor.
>


Postfix and Postgrey Part II

2010-12-31 Thread jason hirsh
OK Everyone was such a help that I am back.. I got a new server and  
thought things were going great


The issue is Postgrey keeps bouncing the same message. I have tried
to debug using my mac.com, comcast.net, hotmail.com;
in all instances it kept bouncing the mail until I entered the server
in the white


Freebsd 8.0

Postgrey is running as follows:
postgrey  1258  0.0  1.0 12196 10144  ??  Ss3:05PM   0:00.21 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbd



postconf -n

body_checks = regexp:/usr/local/etc/postfix/body_check
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
daemon_timeout = 36000s
data_directory = /var/db/postfix
delay_warning_time = 2h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8, 209.160.65.133, 209.160.68.112
newaliases_path = /usr/local/bin/newaliases
readme_directory = /usr/local/share/doc/postfix
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = Hi This is the Ocean Window - BV
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,reject_unknown_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spamcop.net,check_policy_service inet:127.0.0.1:10023

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /usr/local/etc/keys/root.crt
smtpd_tls_cert_file = /usr/local/etc/keys/server.cert
smtpd_tls_key_file = /usr/local/etc/keys/private.key
smtpd_tls_loglevel = 5
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1003

Maillog shows postgrey is trying but not learning

I get repeated 450 4.2.0 : Recipient address rejected: Greylisted,


any thoughts???


Re: Postfix and Postgrey Part II

2010-12-31 Thread jason hirsh


On Dec 31, 2010, at 5:23 PM, Victor Duchovni wrote:


On Fri, Dec 31, 2010 at 05:13:24PM -0400, jason hirsh wrote:

I get repeated 450 4.2.0 : Recipient address rejected: Greylisted,


This log entry is over-redacted. Show *all* log entries for this message
being refused, IN FULL, including dates, client IPs, envelope sender
address, ...






Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: FAILURE
Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: DELAY
Dec 31 15:24:21 tuna postgrey[1258]: action=greylist, reason=new, client_name=asmtpout029.mac.com, client_address=17.148.16.104, sender=kasd...@mac.com, recipien
Dec 31 15:24:21 tuna postfix/smtpd[2514]: 127.0.0.1:10023: wanted attribute: action
Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute name: action
Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute value: DEFER_IF_PERMIT 4.2.0 Greylisted, see http://postgrey.schweikert.ch/help/kasdivi.com.html
Dec 31 15:24:21 tuna postfix/smtpd[2514]: 127.0.0.1:10023: wanted attribute: (list terminator)
Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute name: (end)
Dec 31 15:24:21 tuna postfix/smtpd[2514]: check_table_result: inet:127.0.0.1:10023 DEFER_IF_PERMIT 4.2.0 Greylisted, see http://postgrey.schweikert.ch/help/kasdi
Dec 31 15:24:21 tuna postfix/smtpd[2514]: generic_checks: name=check_policy_service status=0
Dec 31 15:24:21 tuna postfix/smtpd[2514]: >>> END Recipient address RESTRICTIONS <<<
Dec 31 15:24:21 tuna postfix/smtpd[2514]: NOQUEUE: reject: RCPT from asmtpout029.mac.com[17.148.16.104]: 450 4.2.0 : Recipient address rejecte
Dec 31 15:24:21 tuna postfix/smtpd[2514]: > asmtpout029.mac.com[17.148.16.104]: 450 4.2.0 : Recipient address rejected: Greylisted, see http:/
Dec 31 15:24:21 tuna postfix/smtpd[2514]: < asmtpout029.mac.com[17.148.16.104]: DATA
Dec 31 15:24:21 tuna postfix/smtpd[2514]: > asmtpout029.mac.com[17.148.16.104]: 554 5.5.1 Error: no valid recipients
Dec 31 15:24:21 tuna postfix/smtpd[2514]: < asmtpout029.mac.com[17.148.16.104]: QUIT
Dec 31 15:24:21 tuna postfix/smtpd[2514]: > asmtpout029.mac.com[17.148.16.104]: 221 2.0.0 Bye
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostname: asmtpout029.mac.com ~? 127.0.0.0/8
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostaddr: 17.148.16.104 ~? 127.0.0.0/8
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostname: asmtpout029.mac.com ~? 209.160.65.133
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostaddr: 17.148.16.104 ~? 209.160.65.133
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostname: asmtpout029.mac.com ~? 209.160.68.112
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostaddr: 17.148.16.104 ~? 209.160.68.112
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_list_match: asmtpout029.mac.com: no match
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_list_match: 17.148.16.104: no match
Dec 31 15:24:21 tuna postfix/smtpd[2514]: send attr request = disconnect
Dec 31 15:24:21 tuna postfix/smtpd[2514]: send attr ident = smtp:17.148.16.104
Dec 31 15:24:21 tuna postfix/smtpd[2514]: private/anvil: wanted attribute: status
Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute name: status
Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute value: 0
Dec 31 15:24:21 tuna postfix/smtpd[2514]: private/anvil: wanted attribute: (list terminator)
Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute name: (end)
Dec 31 15:24:21 tuna postfix/smtpd[2514]: disconnect from asmtpout029.mac.com[17.148.16.104]
Dec 31 15:24:21 tuna postfix/smtpd[2514]: master_notify: status 1
Dec 31 15:24:21 tuna postfix/smtpd[2514]: connection closed





Re: Postfix and Postgrey Part II

2010-12-31 Thread jason hirsh


On Dec 31, 2010, at 5:48 PM, Victor Duchovni wrote:


On Fri, Dec 31, 2010 at 05:38:17PM -0400, jason hirsh wrote:



On Dec 31, 2010, at 5:23 PM, Victor Duchovni wrote:


On Fri, Dec 31, 2010 at 05:13:24PM -0400, jason hirsh wrote:


I  get repeated  450 4.2.0 : Recipient address
rejected:
Greylisted,


This log entry is over-redacted. Show *all* log entries for this message
being refused, IN FULL, including dates, client IPs, envelope sender
address, ...



Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: FAILURE
Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: DELAY



Turn off verbose logging, it is rarely needed.



OK



Dec 31 15:24:21 tuna postgrey[1258]: action=greylist, reason=new,
client_name=asmtpout029.mac.com, client_address=17.148.16.104,
sender=kasd...@mac.com, recipien


This log entry appears truncated. This said, I only asked for the
Postfix reject log entries, i.e. the one below:


Dec 31 15:24:21 tuna postfix/smtpd[2514]: NOQUEUE: reject: RCPT from
asmtpout029.mac.com[17.148.16.104]: 450 4.2.0 :
Recipient address rejecte


Where is the rest of this log entry, it too is truncated...  Where are
the other instances of this same client/sender/recipient triple being
rejected?



Dec 31 00:03:02 tuna postfix/smtpd[8857]: NOQUEUE: reject: RCPT from snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 >: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/kasdivi.com.html; from= to= proto=ESMTP helo=
Dec 31 00:11:02 tuna postfix/smtpd[9013]: NOQUEUE: reject: RCPT from snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 >: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/kasdivi.com.html; from= to= proto=ESMTP helo=
Dec 31 00:15:02 tuna postfix/smtpd[9092]: NOQUEUE: reject: RCPT from snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 >: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/kasdivi.com.html; from= to= proto=ESMTP helo=



and so forth until i turned off postgrey


Do you have a backup MX host? Does the backup MX enforce greylisting?


No and therefore no


--
Viktor.




Re: Postfix and Postgrey Part II

2011-01-01 Thread jason hirsh


On Jan 1, 2011, at 12:59 AM, Victor Duchovni wrote:


On Fri, Dec 31, 2010 at 06:26:41PM -0400, jason hirsh wrote:

Where is the rest of this log entry, it too is truncated...  Where are
the other instances of this same client/sender/recipient triple being
rejected?


Dec 31 00:03:02 tuna postfix/smtpd[8857]: NOQUEUE: reject: RCPT from
snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 >:

Recipient address rejected: Greylisted, see
http://postgrey.schweikert.ch/help/kasdivi.com.html;
from= to= proto=ESMTP
helo=


This is better the client/sender triple appears constant for the
three log entries.


Dec 31 00:11:02 tuna postfix/smtpd[9013]: NOQUEUE: reject: RCPT from
snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 >:

Recipient address rejected: Greylisted, see
http://postgrey.schweikert.ch/help/kasdivi.com.html;
from= to= proto=ESMTP
helo=


This re-transmission is likely too soon, what is your minimum retry time
set to (in the postgrey configuration).


The settings are the default from installation.. I haven't really
figured out how to change them as I can not find any configuration
other than the start up script


While the hotmail account interval is extremely short (I believe
default is 5 minutes)  I had similar situations with virtually all
incoming mail unless I manually whitelisted it







Dec 31 00:15:02 tuna postfix/smtpd[9092]: NOQUEUE: reject: RCPT from
snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 >:

Recipient address rejected: Greylisted, see
http://postgrey.schweikert.ch/help/kasdivi.com.html;
from= to= proto=ESMTP
helo=

and so forth until i turned off postgrey


OK, Postfix is behaving normally, so the question is why Postgrey is not,
indeed the Postgrey logs and configuration are likely the right place
to look next.



only postgrey log entry is like this

Dec 31 00:03:56 tuna postgrey[1250]: action=greylist, reason=new, client_name=qmta14.westchester.pa.mail.comcast.net, client_address=76.96.59.212, sender=dbowman7...@comcast.net, recipient=ja...@kasdivi.com



for each incoming mail

the configuration is however the freebsd port installed it


Viktor.
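
The symptom reported in this message, postgrey logging `reason=new` for every attempt, can be checked mechanically. The following is an added example, not code from the thread or from postgrey: it groups postgrey entries by client/sender/recipient triple and reports triples that were treated as new more than once. The sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "action=..., reason=..." layout of the postgrey
# entries quoted in this thread. Hosts and addresses are placeholders.
SAMPLE_LOG = """\
Dec 31 00:03:02 mx postgrey[1250]: action=greylist, reason=new, client_name=out1.example.net, client_address=192.0.2.10, sender=alice@example.net, recipient=bob@example.org
Dec 31 00:05:00 mx postgrey[1250]: action=greylist, reason=new, client_name=mta.example.com, client_address=198.51.100.7, sender=carol@example.com, recipient=bob@example.org
Dec 31 00:11:02 mx postgrey[1250]: action=greylist, reason=new, client_name=out1.example.net, client_address=192.0.2.10, sender=alice@example.net, recipient=bob@example.org
Dec 31 00:12:00 mx postgrey[1250]: action=pass, reason=triplet found, client_name=mta.example.com, client_address=198.51.100.7, sender=carol@example.com, recipient=bob@example.org
Dec 31 00:15:02 mx postgrey[1250]: action=greylist, reason=new, client_name=out1.example.net, client_address=192.0.2.10, sender=alice@example.net, recipient=bob@example.org
Dec 31 00:16:00 mx postgrey[1250]: action=greylist, reason=new, client_name=out1.example.net, client_address=192.0.2.10, sender=alice@example.net, recipien
Dec 31 00:20:00 mx postfix/smtpd[9092]: connect from unknown[203.0.113.5]
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+postgrey\[\d+\]:\s+(.*)$"
)
FIELD_RE = re.compile(r"(\w+)=([^,\s]*)")
TRIPLE_KEYS = ("client_address", "sender", "recipient")


def parse_line(line, year):
    """Return (timestamp, fields) for a postgrey log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, dict(FIELD_RE.findall(m.group(2)))


def find_unlearned_triples(log_text, delay=300, year=2010):
    """Report triples logged as reason=new more than once.

    delay is the greylisting delay in seconds. A repeat that arrives after
    the delay and is still "new" means the first sighting was not retained.
    """
    sightings = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, fields = parsed
        if fields.get("action") != "greylist" or fields.get("reason") != "new":
            continue
        # Truncated entries (ending in "recipien") lack a full triple: skip.
        if not all(key in fields for key in TRIPLE_KEYS):
            continue
        sightings[tuple(fields[key] for key in TRIPLE_KEYS)].append(ts)

    findings = []
    for triple, times in sightings.items():
        if len(times) < 2:
            continue
        times.sort()
        gaps = [int((t - times[0]).total_seconds()) for t in times[1:]]
        findings.append({
            "triple": triple,
            "attempts": len(times),
            "seconds_since_first": gaps,
            "late_retries": sum(gap >= delay for gap in gaps),
        })
    return findings


if __name__ == "__main__":
    for finding in find_unlearned_triples(SAMPLE_LOG):
        print(finding)
```

A non-zero `late_retries` points at the greylisting database (for example the directory given with `--dbdir`) rather than at the sending server's retry timing.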




Re: Postfix and Postgrey Part II

2011-01-01 Thread jason hirsh


On Jan 1, 2011, at 4:45 PM, lst_ho...@kwsoft.de wrote:


Quoting jason hirsh:

OK Everyone was such a help that I am back.. I got a new server and  
thought things were going great


The issue is Postgrey keeps bouncing the same message. I have
tried to debug using my mac.com, comcast.net, hotmail.com;
in all instances it kept bouncing the mail until I entered the
server in the white


Freebsd 8.0

Postgrey is running as follows:
postgrey  1258  0.0  1.0 12196 10144  ??  Ss3:05PM   0:00.21 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbd


There is clearly something missing. The last should be "--dbdir=" and the most valuable part is "--delay=".
Have a look where the parameters are set, most of the time you
should be able to find out by examining the startscript.



Oops  I made a mistake in cut and paste


postgrey  1258  0.0  1.0 12196  9988  ??  Is4:32PM   0:00.03 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey --x




Be sure to use --auto-whitelist-clients=1 if you have found out  
where the config lives, the default of 5 is only useful if you have  
at least midsize traffic.




I can not find any info where the config file is supposed to be.. I
changed the flags in the startup script as follows

postgrey_flags=${postgrey_flags:-"--pidfile=${postgrey_pidfile} \
--inet=10023 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey \
--x-greylist-header=${postgrey_greylist_header}"}
--delay=30
--auto-whitelist-clients=1


My clients are off for  the weekend so i restarted postgrey and will see






Regards

Andreas




postgrey  1257  0.0  1.0 12196  9988  ??  Is4:20PM   0:00.03 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey --x

r


Re: Postfix and Postgrey Part II

2011-01-01 Thread jason hirsh


On Jan 1, 2011, at 7:36 PM, Ned Slider wrote:


On 01/01/11 21:37, jason hirsh wrote:



I can not find any info where the config file is suppose to be..


Create the file /etc/sysconfig/postgrey




 I have no such directory

i am running freebsd 8.0

and add desired options like so:

OPTIONS="--delay=30 --auto-whitelist-clients=1"

Hope that helps.





Re: Postfix and Postgrey Part II

2011-01-03 Thread jason hirsh


On Jan 3, 2011, at 7:03 AM, Jordi Espasa Clofent wrote:


http://blog.minibofh.org/?p=45

--  



thank you for your info..  This is pretty much what I did to install
and from what I have seen.. it doesn't "learn" for me as it will
greylist the same domain over and over again



I will face my fear. I will permit it to pass over me and through  
me. And when it has gone past I will turn the inner eye to see its  
path. Where the fear has gone there will be nothing. Only I will  
remain.




Postfix and Postgrey Not Really Communicating

2011-01-30 Thread jason hirsh
OK after some work I have postgrey running but it doesn't appear to be  
doing "mail stuff" with postfix


I am running postfix 2.8  clamav amavisd-new dovecot


my rc.conf

postgrey_enable="YES"
postgrey_pidfile="/var/run/postgrey.pid"
postgrey_flags="--pidfile=${postgrey_pidfile} --inet=127.0.0.1:6000 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey --auto-whitelist-clients=10 --delay=60 --max-age=20"


postconf -n

body_checks = regexp:/usr/local/etc/postfix/body_check
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
daemon_timeout = 36000s
data_directory = /var/db/postfix
delay_warning_time = 2h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost
mydomain = theoceanwindow-bv.com
mynetworks = 127.0.0.0/32, 209.160.65.133, 209.160.68.112
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = tuna.theoceanwindow-bv.com
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,permit
smtpd_recipient_restrictions = permit mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spam,check_policy_service inet:127.0.0.1:6000

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /usr/local/etc/keys/root.crt
smtpd_tls_cert_file = /usr/local/etc/keys/server.cert
smtpd_tls_key_file = /usr/local/etc/keys/private.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1003

ps aux | grep postgrey  shows

postgrey  1258  0.0  1.0 12196  9952  ??  Is   11:10AM   0:00.03 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=127.0.0.1:6000 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey --auto-whitelist-clients=10 --delay=60 --max-age=20 (perl5.10.1)



The only reference in mail.log of postgrey is at start

Jan 30 11:10:48 tuna postgrey[1258]: Process Backgrounded
Jan 30 11:10:48 tuna postgrey[1258]: 2011/01/30-11:10:48 postgrey (type Net::Server::Multiplex) starting! pid(1258)
Jan 30 11:10:48 tuna postgrey[1258]: Using default listen value of 128
Jan 30 11:10:48 tuna postgrey[1258]: Binding to TCP port 6000 on host 127.0.0.1

Jan 30 11:10:48 tuna postgrey[1258]: Setting gid to "225 225"
Jan 30 11:10:48 tuna postgrey[1258]: Setting uid to "225"


So it would appear postgrey is now running but postfix is not
using it


any thoughts or help??










Solved: Postfix and Postgrey Not Really Communicating

2011-01-30 Thread jason hirsh
My mistake, I was cutting and pasting from some advice and copied
the typo


spaces are bad in postfix

now to see if postgrey will actually learn this time.  so far no

Begin forwarded message:


From: Wietse Venema 
Date: January 30, 2011 12:41:56 PM AST
To: jason hirsh 
Cc: postfix-users@postfix.org
Subject: Re: Postfix and Postgrey  Not Really Communicating

jason hirsh:

smtpd_recipient_restrictions = permit


Right, all mail passes because you have "permit" first.

Wietse
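
Wietse's diagnosis follows from how a restriction list is read: entries are separated by commas and/or whitespace and evaluated in order, so "permit mynetworks" becomes an unconditional `permit` followed by a stray word. The linter below is an added example, not part of the thread or of Postfix; the function names are hypothetical, the keyword tables cover only a subset of restriction names, and the sample values are the ones posted above with the mail line-wraps removed.

```python
import re

# Restrictions that consume the following token as their argument (subset).
TAKES_ARGUMENT = {
    "check_policy_service", "check_client_access", "check_helo_access",
    "check_sender_access", "check_recipient_access", "reject_rbl_client",
    "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_recipient",
}
# Actions that end evaluation no matter who the client is.
UNCONDITIONAL = {"permit", "reject", "defer"}
# Names that turn into a bare "permit" when a space replaces the underscore.
PERMIT_NAMES = {
    "permit_mynetworks", "permit_sasl_authenticated",
    "permit_auth_destination", "permit_mx_backup", "permit_inet_interfaces",
}

# smtpd_recipient_restrictions as posted in the thread (wraps removed).
AS_POSTED = (
    "permit mynetworks,permit_sasl_authenticated,reject_unauth_destination,"
    "reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spam,"
    "check_policy_service inet:127.0.0.1:6000"
)
CORRECTED = AS_POSTED.replace("permit mynetworks", "permit_mynetworks", 1)
# smtpd_helo_restrictions from the same post: a final "permit" is harmless.
HELO_LIST = (
    "permit_sasl_authenticated,check_helo_access "
    "hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,permit"
)


def parse_restrictions(value):
    """Split a restriction list into (name, argument) pairs."""
    tokens = [tok for tok in re.split(r"[,\s]+", value) if tok]
    items, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in TAKES_ARGUMENT and i + 1 < len(tokens):
            arg = tokens[i + 1]
            i += 1
        items.append((name, arg))
        i += 1
    return items


def lint_restrictions(value):
    """Flag an unconditional action that hides the restrictions after it."""
    items = parse_restrictions(value)
    findings = []
    for position, (name, _arg) in enumerate(items):
        if name not in UNCONDITIONAL:
            continue
        hidden = [later for later, _ in items[position + 1:]]
        if not hidden:
            break  # a trailing permit/reject is an ordinary catch-all
        joined = f"{name}_{hidden[0]}"
        if joined in PERMIT_NAMES:
            findings.append({"kind": "split_name", "intended": joined})
        findings.append({
            "kind": "unconditional",
            "name": name,
            "position": position,
            "unreachable": hidden,
        })
        break  # nothing after the first unconditional action is evaluated
    return findings


if __name__ == "__main__":
    for label, value in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, lint_restrictions(value))
```

In the posted value the unreachable list includes `reject_unauth_destination` as well as `check_policy_service`, so the typo disabled the relay check along with greylisting.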




Google The recipient server did not accept our requests to connect.

2011-03-03 Thread jason hirsh



I have been informed by a couple gmail users that my server is  
blocking their access. They are getting



Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn
more at http://mail.google.com/support/bin/answer.py?answer=7720

[mail.kasdivi.com. (5): Connection timed out]


The weird thing about this is that it appears to affect only a couple
of gmail users.   For example mail from my gmail account goes through
just fine



postconf -n as follows

body_checks = regexp:/usr/local/etc/postfix/body_check
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
daemon_timeout = 36000s
data_directory = /var/db/postfix
delay_warning_time = 2h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost
mydomain = theoceanwindow-bv.com
mynetworks = 127.0.0.0/32, 209.160.65.133, 209.160.68.112
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = tuna.theoceanwindow-bv.com
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,permit
smtpd_recipient_restrictions = permit_mynetworks,hash:/usr/local/etc/postfix/recipient_access,permit_sasl_authenticated, reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spam,check_policy_service inet:127.0.0.1:6000,permit_mynetworks,permit_sasl_authenticated

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated,permit_mynetworks
smtpd_tls_CAfile = /usr/local/etc/keys/root.crt
smtpd_tls_cert_file = /usr/local/etc/keys/server.cert
smtpd_tls_key_file = /usr/local/etc/keys/private.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1003


I have seen some discussion about misconfigured or lacking mx records
but I have


asdivi.com.                 IN  SOA ns.kasdivi.com. info.kasdivi.com. (
1227747798
10800
3600
604800
38400 )
mail.kasdivi.com.           IN  A   209.160.65.133
ftp.kasdivi.com.            IN  A   209.160.65.133
www.kasdivi.com.            IN  A   209.160.65.133
kasdivi.com.                IN  NS  ns.kasdivi.com.
kasdivi.com.                IN  NS  ns1.kasdivi.com.
kasdivi.com.                IN  NS  ns2.kasdivi.com.

tuna.theoceanwindow-bv.com. IN  A   209.160.65.133
ns.kasdivi.com.             IN  A   209.160.65.133
ns1.kasdivi.com.            IN  A   209.160.68.112
ns2.kasdivi.com.            IN  A   209.160.65.133
kasdivi.com.                IN  A   209.160.65.133
kasdivi.com.                IN  MX  5 mail.kasdivi.com.
webmail.kasdivi.com.        IN  CNAME   mail.kasdivi.com.


any thoughts or suggestions


jason

Fwd: Google The recipient server did not accept our requests to connect.

2011-03-03 Thread jason hirsh

oops

Begin forwarded message:


From: jason hirsh 
Date: March 3, 2011 3:52:45 PM AST
To: John Hinton 
Subject: Re: Google The recipient server did not accept our requests  
to connect.



On Mar 3, 2011, at 3:49 PM, John Hinton wrote:




On 3/3/2011 2:34 PM, jason hirsh wrote:




I have been informed by a couple gmail users that my server is  
blocking their access. They are getting



Technical details of temporary failure:
The recipient server did not accept our requests to connect.
Learn more at http://mail.google.com/support/bin/answer.py?answer=7720

[mail.kasdivi.com. (5): Connection timed out]


The weird thing about this is that it appears to affect only a
couple of gmail users.   For example mail from my gmail account
goes through just fine




Are you running a greylist perhaps? Either way, Google 'slams'  
email. In other words they try once and if the email cannot be  
delivered before the time out, the failure response is sent. I run  
milter greylist on one of my sendmail servers and had to include an  
exception for gmail. Sad but true. Gmail is not really a fully  
compliant email system but they do a lot of other things very good.


Yes I am running postgrey now.. but this occurred even before I added
postgrey
plus, there still is the issue that some accounts make it and some
don't


There is no record of any rejection in my logs


--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions






Re: Google The recipient server did not accept our requests to connect.

2011-03-03 Thread jason hirsh


On Mar 3, 2011, at 4:02 PM, John Hinton wrote:


On 3/3/2011 2:52 PM, jason hirsh wrote:



On Mar 3, 2011, at 3:49 PM, John Hinton wrote:




On 3/3/2011 2:34 PM, jason hirsh wrote:




I have been informed by a couple gmail users that my server is  
blocking their access. They are getting



Technical details of temporary failure:
The recipient server did not accept our requests to connect.
Learn more at http://mail.google.com/support/bin/answer.py?answer=7720

[mail.kasdivi.com. (5): Connection timed out]


The weird thing about this is that it appears to affect only a
couple of gmail users.   For example mail from my gmail account
goes through just fine




Are you running a greylist perhaps? Either way, Google 'slams'  
email. In other words they try once and if the email cannot be  
delivered before the time out, the failure response is sent. I run  
milter greylist on one of my sendmail servers and had to include  
an exception for gmail. Sad but true. Gmail is not really a fully  
compliant email system but they do a lot of other things very good.


Yes I am running postgrey now.. but this occurred even before I
added postgrey
plus, there still is the issue that some accounts make it and some
don't


There is no record of any rejection in my logs

I'm at a bit of a loss about why before postgrey. It suggests that
the mailserver is just not answering fast enough, which can vary
based on load at a particular moment. Gmail might have a short
connection attempt time set as well? Obviously slamming reduces
loads to a huge degree... shorter connection times would also reduce
loads. It is for the most part a 'free' service. Perhaps premiere
gmail accounts are handled differently?


As for postgrey, I have not used that but you need to add an  
exception for gmail. I assume postgrey is like milter greylist in  
that it keeps a list of recent IP addresses to allow incoming email.  
Gmail certainly has lots of IP addresses for their mailservers. It  
could be simply hit or miss based on which are currently on that  
allow list. This would show as a sporadic issue. Another test, if  
you know any of the gmail people which are receiving the failure  
notices, is to have them try once, then again some minutes later  
which is greater than your postgrey time setting. Then again, I'm not
sure every email sent from any particular gmail user always come in  
from the same IP address.




I had this issue even before I added postgrey to my
configuration..   I am getting no errors or bounces

I have had the user resend

again the weird things are
	1) one gmail account works while others don't  (which would support
one server is really slamming while the other isn't
	2) absolutely no error messages on my server.. it's like it bounced off
an invisible shield



Best of luck.

John



--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions









Re: Google The recipient server did not accept our requests to connect.

2011-03-03 Thread jason hirsh


On Mar 3, 2011, at 4:40 PM, John Hinton wrote:


On 3/3/2011 3:09 PM, jason hirsh wrote:



On Mar 3, 2011, at 4:02 PM, John Hinton wrote:


On 3/3/2011 2:52 PM, jason hirsh wrote:



On Mar 3, 2011, at 3:49 PM, John Hinton wrote:




On 3/3/2011 2:34 PM, jason hirsh wrote:




I have been informed by a couple gmail users that my server is  
blocking their access. They are getting



Technical details of temporary failure:
The recipient server did not accept our requests to connect.
Learn more at http://mail.google.com/support/bin/answer.py?answer=7720

[mail.kasdivi.com. (5): Connection timed out]


The weird thing about this is that it appears to affect only a
couple of gmail users.   For example mail from my gmail account
goes through just fine




Are you running a greylist perhaps? Either way, Google 'slams'  
email. In other words they try once and if the email cannot be  
delivered before the time out, the failure response is sent. I  
run milter greylist on one of my sendmail servers and had to  
include an exception for gmail. Sad but true. Gmail is not  
really a fully compliant email system but they do a lot of other  
things very good.


Yes I am running postgrey now.. but this occurred even before I
added postgrey
plus, there still is the issue that some accounts make it and
some don't


There is no record of any rejection in my logs
I'm at a bit of a loss about why before postgrey. It suggests that  
the mailserver is just not answering fast enough, which can vary  
based on load at a particular moment. Gmail might have a short  
connection attempt time set as well? Obviously slamming reduces  
loads to a huge degree... shorter connection times would also  
reduce loads. It is for the most part a 'free' service. Perhaps  
premiere gmail accounts are handled differently?


As for postgrey, I have not used that but you need to add an  
exception for gmail. I assume postgrey is like milter greylist in  
that it keeps a list of recent IP addresses to allow incoming  
email. Gmail certainly has lots of IP addresses for their  
mailservers. It could be simply hit or miss based on which are  
currently on that allow list. This would show as a sporadic issue.  
Another test, if you know any of the gmail people which are  
receiving the failure notices, is to have them try once, then  
again some minutes later which is greater than your postgrey time
setting. Then again, I'm not sure every email sent from any  
particular gmail user always come in from the same IP address.




I had this issue even before I added postgrey to my
configuration..   I am getting no errors or bounces

I have had the user resend

again the weird things are
 1) one gmail account works while others don't  (which would
support one server is really slamming while the other isn't
Or some are whitelisted by postgrey while others are not. Also, is  
it possible that loads are going high at times, causing time outs?  
Gmail will just give up while almost all others simply retry later.


i have expanded my white listing in postgrey
 2) absolutely no error messages on my server.. it's like it bounced
off an invisible shield
Do your postgrey logs show? If it is sending a delay response, it  
would only show in the logs of that 'invisible shield'. (again,  
sorry I'm out of my realm here as I only have experience with milter  
greylist on my backup sendmail server. I do remember setting several  
IP address ranges to get around gmail slamming.)


John I am out of MY realm with postgrey too...  but again the crux of
the issue is that it occurred BEFORE I had added postgrey


I have postgrey.. logging to maillog and I have tried grepping the
addresses with no find..


since it existed pre and post postgrey installation I continue to
assume that it is something to do with postfix


can I whitelist gmail in postfix in a manner to let all the
permutations and combos go through?


I know that with all the spoofing of gmail this will create an opening
for spam...  I have tried to convince the user that gmail is a horrible
thing to be using for primary mail.. but..


I understand its gmail's error...




Remember, the error message is generated by gmail, not your system.  
You could grep logs for the sender's email address.



Best of luck.

John



--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions









Postgrey and Postfix

2009-08-04 Thread Jason Hirsh


I raise this question here because  it appears the basic postgrey  
daemon is running


I have a FreeBSD 7.0 server with Postfix, amavisd-new, Dovecot to
which I added Postgrey


I have postgrey running as a ps aux grep | postfix shows

postgrey   653  0.0  2.4 14384 12052  ??  Is    1:53PM   0:00.04 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey (perl5.8.9)


There is no indication in the syslog maillog of any postgrey activity  
so I am presuming that i have messed up the install or  
configuration.. postconf -n shows


command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
mydestination = localhost.$mydomain, localhost
myhostname = compnay.com
mynetworks = 127.0.0.0/8,  xxx..
myorigin = $myhostname
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = Hi This is No One
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,reject_unknown_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,  
check_relay_domains,reject_rbl_client zen.spamhaus.org  
bl,reject_rbl_client bl.spamcop.net,reject_rbl_client  
cbl.abuseat.org,reject_rbl_client  
safe.dnsbl.sorbs.net,check_policy_service inet:127.0.0.1

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated,  
reject_rhsbl_sender dsn.rfc-ignorant.org,   reject_rbl_client  
bl.spamcop.net

smtpd_tls_CAfile = /etc/mail/certs/root.crt
smtpd_tls_cert_file = /etc/mail/certs/server.pem
smtpd_tls_key_file = /etc/mail/certs/server.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1003

Can anyone provide me any ideas ??  I have also raised the question
on the postgrey mailing list



Jason



Re: Postgrey and Postfix

2009-08-04 Thread Jason Hirsh


On Aug 4, 2009, at 3:01 PM, Noel Jones wrote:


Jason Hirsh wrote:
I raise this question here because  it appears the basic postgrey  
daemon is running
I have a FreeBSD 7.0 server with Postfix, amavisd-new, Dovecot to
which I added Postgrey

I have postgrey running as a ps aux grep | postfix shows
postgrey   653  0.0  2.4 14384 12052  ??  Is    1:53PM   0:00.04 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey (perl5.8.9)
There is no indication in the syslog maillog of any postgrey  
activity so I am presuming that i have messed up the install or  
configuration.. postconf -n shows
smtpd_recipient_restrictions = permit_sasl_authenticated,  
check_relay_domains,


check_relay_domains is deprecated.
Note that check_relay_domains always resolves to either "permit" or  
"reject".  As a consequence, no restrictions after this are  
evaluated.  Use reject_unauth_destination instead, that should fix  
your problem.



reject_rbl_client zen.spamhaus.org bl,reject_rbl_client  
bl.spamcop.net,reject_rbl_client cbl.abuseat.org,reject_rbl_client  
safe.dnsbl.sorbs.net,check_policy_service inet:127.0.0.1


cbl.abuseat.org is included in zen.spamhaus.org - no need to query  
both.


sorbs is currently negotiating a change of ownership.  Monitor  
their web site and/or announcement mail list to decide if they  
still meet your needs after the change is completed.



removed


Should be check_policy_service inet:127.0.0.1:10023
Make sure the port matches where postgrey is listening.



corrected


smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated,  
reject_rhsbl_sender dsn.rfc-ignorant.org,   reject_rbl_client  
bl.spamcop.net


rfc-ignorant.org is generally better used in a scoring system  
rather than for outright rejects.


Why do you have some RBLs in smtpd_sender_restrictions and some in  
smtpd_recipient_restrictions?  pick one or the other.


Partial clean up  I had seen similar discussion about duplication
between smtp_client_restriction and smtp_recipients_restriction.
thanks for making the point


  -- Noel Jones



Based on above changes I have this now

postgrey   651  0.0  2.4 14384 12028  ??  Is    3:24PM   0:00.04 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=127.0.0.1:10023 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey -verbose (perl5.8.9)


postconf -n

command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
mydestination = localhost.$mydomain, localhost
myhostname = batfish.theoceanwindow-bv.com
mynetworks = 127.0.0.0/8,  66.235.184.124,  66.148.83.94
myorigin = $myhostname
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = Hi This is the Ocean Window - BV
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,reject_unknown_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,  
check_relay_domains,reject_rbl_client  
zen.spamhaus.org,reject_rbl_client bl.spamcop.net,reject_rbl_client,  
check_policy_service inet:127.0.0.1:10023

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /etc/mail/certs/root.crt
smtpd_tls_cert_file = /etc/mail/certs/server.pem
smtpd_tls_key_file = /etc/mail/certs/server.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1003


and I go

Re: Postgrey and Postfix

2009-08-04 Thread Jason Hirsh


On Aug 4, 2009, at 3:59 PM, Noel Jones wrote:


Jason Hirsh wrote:

On Aug 4, 2009, at 3:01 PM, Noel Jones wrote:

Jason Hirsh wrote:
I raise this question here because  it appears the basic  
postgrey daemon is running
I have a FreeBSD 7.0 server with Postfix, amavisd-new, Dovecot
to which I added Postgrey

I have postgrey running as a ps aux grep | postfix shows
postgrey   653  0.0  2.4 14384 12052  ??  Is    1:53PM   0:00.04 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey (perl5.8.9)
There is no indication in the syslog maillog of any postgrey  
activity so I am presuming that i have messed up the install or  
configuration.. postconf -n shows
smtpd_recipient_restrictions = permit_sasl_authenticated,  
check_relay_domains,


check_relay_domains is deprecated.
Note that check_relay_domains always resolves to either "permit"  
or "reject".  As a consequence, no restrictions after this are  
evaluated.  Use reject_unauth_destination instead, that should  
fix your problem.



... Based on above changes I have this now
smtpd_recipient_restrictions = permit_sasl_authenticated,  
check_relay_domains,


Did you miss the very important comment about check_relay_domains  
in my original reply?


reject_rbl_client zen.spamhaus.org,reject_rbl_client
bl.spamcop.net,reject_rbl_client, check_policy_service inet:127.0.0.1:10023


reject_rbl_client with no RBL to check will likely give a  
configuration error.



and I got a
check_access: ja...@kasdivi.com
Aug  4 15:40:54 batfish postfix/smtpd[1326]: panic: check_access: dictionary not found: inet:127.0.0.1:10023
Aug  4 15:40:55 batfish postfix/master[1057]: warning: process /usr/local/libexec/postfix/smtpd pid 1326 killed by signal 6
Aug  4 15:40:55 batfish postfix/master[1057]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling

error message which I assume is related to postgrey??


I expect this is from the extra 'reject_rbl_client' under  
smtpd_recipient_restrictions I mentioned above.



I guess you didn't see my configs

postgrey

postgrey   655  0.0  2.2 14384 11440  ??  Is    4:04PM   0:00.03 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey (perl5.8.9)



postconf -n  which reflected your input

command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
mydestination = localhost.$mydomain, localhost
myhostname = 
mynetworks = 127.0.0.0/8,  xx
myorigin = $myhostname
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = 
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,reject_unknown_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spamcop.net,reject_rbl_client,check_policy_service inet:127.0.0.1:10023

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /etc/mail/certs/root.crt
smtpd_tls_cert_file = /etc/mail/certs/server.pem
smtpd_tls_key_file = /etc/mail/certs/server.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1003


this gets me the error messages

Aug  4 16:40:32 batfish postfix/smtpd[1896]: panic: check_access: dictionary not found: inet:127.0.0.1:10023
Aug  4 16:40:33 batfish postfix/master[1046]: warning: process /usr/local/libexec/postfix/smtpd pid 1896 killed

Re: Postgrey and Postfix

2009-08-04 Thread Jason Hirsh


On Aug 4, 2009, at 4:23 PM, Brian Evans - Postfix List wrote:


Jason Hirsh wrote:

Based on above changes i have ths now

postgrey   651  0.0  2.4 14384 12028  ??  Is3:24PM   0:00.04
/usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid
--inet=127.0.0.1:10023 -d --user=postgrey --group=postgrey
--dbdir=/var/db/postgrey -verbose (perl5.8.9)

postconf -n


smtpd_banner = Hi This is the Ocean Window - BV


SASL is disabled with this banner.  Use the default as no one will  
read it.



smtpd_recipient_restrictions = permit_sasl_authenticated,
check_relay_domains,reject_rbl_client
zen.spamhaus.org,reject_rbl_client bl.spamcop.net,reject_rbl_client,
check_policy_service inet:127.0.0.1:10023

Let's reformat the recipient restrictions for reading:
smtpd_recipient_restrictions =
permit_sasl_authenticated,
check_relay_domains,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client, check_policy_service
inet:127.0.0.1:10023

See the error? To Postfix, a comma is whitespace when placed in
restriction lists.



I see your reference but how do I correct?  the only error I see is
the reject_rbl_client without a cite
the code for the check_policy_service is per all the instructions I
have seen which state


(Add check_policy_service inet:127.0.0.1:10023 to end of  
smtpd_recipient_restrictions in main.cf)


So I guess you lost me






SOLVED Re: Postgrey and Postfix

2009-08-04 Thread Jason Hirsh


On Aug 4, 2009, at 4:56 PM, Noel Jones wrote:


Jason Hirsh wrote:

On Aug 4, 2009, at 3:59 PM, Noel Jones wrote:

Jason Hirsh wrote:

On Aug 4, 2009, at 3:01 PM, Noel Jones wrote:

Jason Hirsh wrote:
I raise this question here because  it appears the basic  
postgrey daemon is running
I have a FreeBSD 7.0 server with Postfix, amavisd-new, Dovecot
to which I added Postgrey

I have postgrey running as a ps aux grep | postfix shows
postgrey   653  0.0  2.4 14384 12052  ??  Is    1:53PM   0:00.04 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbdir=/var/db/postgrey (perl5.8.9)
There is no indication in the syslog maillog of any postgrey  
activity so I am presuming that i have messed up the install  
or configuration.. postconf -n shows
smtpd_recipient_restrictions = permit_sasl_authenticated,  
check_relay_domains,


check_relay_domains is deprecated.
Note that check_relay_domains always resolves to either  
"permit" or "reject".  As a consequence, no restrictions after  
this are evaluated.  Use reject_unauth_destination instead,  
that should fix your problem.



... Based on above changes I have this now
smtpd_recipient_restrictions = permit_sasl_authenticated,  
check_relay_domains,


Did you miss the very important comment about check_relay_domains  
in my original reply?


reject_rbl_client zen.spamhaus.org,reject_rbl_client
bl.spamcop.net,reject_rbl_client, check_policy_service inet:127.0.0.1:10023


reject_rbl_client with no RBL to check will likely give a  
configuration error.



and I got a
check_access: ja...@kasdivi.com
Aug  4 15:40:54 batfish postfix/smtpd[1326]: panic: check_access: dictionary not found: inet:127.0.0.1:10023
Aug  4 15:40:55 batfish postfix/master[1057]: warning: process /usr/local/libexec/postfix/smtpd pid 1326 killed by signal 6
Aug  4 15:40:55 batfish postfix/master[1057]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling

error message which I assume is related to postgrey??


I expect this is from the extra 'reject_rbl_client' under  
smtpd_recipient_restrictions I mentioned above.

I guess you didn't see my configs


I guess you posted the wrong config.


who ME?? :)


smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spamcop.net,reject_rbl_client,check_policy_service inet:127.0.0.1:10023


See the extra "reject_rbl_client" just before  
check_policy_service?  that's what's causing your current error.



that did it

final working postconf -n

command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
mydestination = localhost.$mydomain, localhost
myhostname = x
mynetworks = 127.0.0.0/8,  xxx
myorigin = $myhostname
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner =
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,reject_unknown_hostname
smtpd_recipient_restrictions =  
permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client  
zen.spamhaus.org,reject_rbl_client  
bl.spamcop.net,check_policy_service inet:127.0.0.1:10023

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /etc/mail/certs/root.crt
smtpd_tls_cert_file = /etc/mail/certs/server.pem
smtpd_tls_key_file = /etc/mail/certs/server.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100



   -- Noel Jones
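
The three smtpd_recipient_restrictions values posted in this thread, run through a small checker, as an added example that is not part of the original messages or of Postfix. It uses a simplified model of how a restriction list is read (commas and whitespace both separate tokens, and a restriction that takes an argument consumes the next token); the function names, finding codes and the subset of restrictions covered are assumptions of the example.

```python
import re

# The three values below are re-typed from the postconf -n output in the thread.
ORIGINAL = """permit_sasl_authenticated,
 check_relay_domains,reject_rbl_client zen.spamhaus.org
 bl,reject_rbl_client bl.spamcop.net,reject_rbl_client
 cbl.abuseat.org,reject_rbl_client
 safe.dnsbl.sorbs.net,check_policy_service inet:127.0.0.1"""

SECOND_TRY = """permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client
 zen.spamhaus.org,reject_rbl_client
 bl.spamcop.net,reject_rbl_client,check_policy_service inet:127.0.0.1:10023"""

FINAL = """permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client
 zen.spamhaus.org,reject_rbl_client
 bl.spamcop.net,check_policy_service inet:127.0.0.1:10023"""

# Restrictions that consume the next token (only the ones seen in this thread).
TAKES_ARG = {"reject_rbl_client", "reject_rhsbl_sender",
             "check_policy_service", "check_helo_access"}
# Per the thread: always resolves to permit or reject, so nothing after it runs.
TERMINAL = {"check_relay_domains"}
# Assumption of this example: anything shaped like this is a restriction name.
RESTRICTION_NAME = re.compile(r"^(permit|reject|check)_\w+$")
# Policy service endpoints: inet:host:port or unix:pathname.
POLICY_ENDPOINT = re.compile(r"^(inet:[^:\s]+:\d+|unix:\S+)$")


def tokenize(value):
    """Split a restriction list the way the thread describes: comma == whitespace."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def lint(value):
    """Return a list of (code, message) findings for one restriction list."""
    tokens = tokenize(value)
    findings = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in TAKES_ARG:
            arg = tokens[i + 1] if i + 1 < len(tokens) else None
            if arg is None or RESTRICTION_NAME.match(arg):
                findings.append(("missing-arg",
                                 f"{tok} has no argument; {arg!r} is consumed in its place"))
            elif tok == "check_policy_service" and not POLICY_ENDPOINT.match(arg):
                findings.append(("policy-endpoint",
                                 f"{arg!r} is not inet:host:port or unix:path"))
            i += 2  # the argument slot is consumed either way
            continue
        if tok in TERMINAL and i + 1 < len(tokens):
            findings.append(("unreachable",
                             f"{tok} ends evaluation; {len(tokens) - i - 1} later tokens never run"))
        elif not RESTRICTION_NAME.match(tok):
            code = "bare-table" if ":" in tok else "unknown-token"
            findings.append((code, f"{tok!r} stands alone, not as any restriction's argument"))
        i += 1
    return findings


def codes(value):
    """Finding codes only, in the order they occur."""
    return [code for code, _ in lint(value)]


if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("second try", SECOND_TRY), ("final", FINAL)):
        print(label)
        for code, message in lint(value) or [("ok", "no findings")]:
            print(f"  {code}: {message}")
```

The bare-table finding on the second value is the same token, inet:127.0.0.1:10023, that the check_access panic in the thread's log names.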




Duplicated messages

2011-03-11 Thread Jason Voorhees
Hi:

I have a Postfix 2.3.3 running on CentOS 5.5 with a local installation
of OpenLDAP. System users are mapped from my LDAP directory server
according to /etc/nsswitch.conf and /etc/ldap.conf.
I have LDAP groups that I use in postfix as virtual alias maps like this:

virtual_alias_maps = ldap:/etc/postfix/groups.cf

and the configuration of groups.cf queries my LDAP server like this:

server_host = localhost
search_base = ou=groups,dc=mydomain,dc=com
query_filter = (&(cn=%u)(objectClass=posixGroup))
result_attribute = memberUid
result_format = %s...@mydomain.com
bind = no
version = 3

I have users that belong to one or more LDAP groups and when people
send e-mails to one of those users with Cc: to one of those groups
(that contains one of those users), the final users receive
multiplicated e-mails.

How can I avoid this? I hope someone can help me.

Thanks


Re: Duplicated messages

2011-03-11 Thread Jason Voorhees
On Fri, Mar 11, 2011 at 11:20 AM, Victor Duchovni wrote:
> On Fri, Mar 11, 2011 at 11:10:31AM -0500, Jason Voorhees wrote:
>
>> I have a Postfix 2.3.3 running on CentOS 5.5 with a local installation
>> of OpenLDAP.
>> I have LDAP groups that I use in postfix as virtual alias maps like this:
>>
>> virtual_alias_maps = ldap:/etc/postfix/groups.cf
>>
>> I have users that belong to one or more LDAP groups and when people
>> send e-mails to one of those users with Cc: to one of those groups
>> (that contains one of those users), the final users receive
>> multiplicated e-mails.
>>
>> How can I avoid this? I hope someone can help me.
>
>    http://www.postfix.org/postconf.5.html#enable_original_recipient
>

Hi, thanks Viktor for your answer. I've already used these settings:

Setting # 1:
enable_original_recipient = no

Setting # 2:
enable_original_recipient = no
smtpd_disable_ehlo_keywords = silent-discard, dsn

But none of those solved my problem. This is my real configuration
(except domain names) of main.cf:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 12582912
mydestination = localhost, $mydomain, $myhostname
mydomain = mydomain.com
myhostname = $mydomain
mynetworks = 127.0.0.1, 192.168.1.0/24, 192.168.5.0/24,
192.168.6.0/24, 10.0.0.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relayhost = 192.168.1.251
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/tls/certs/exim.pem
smtpd_tls_key_file = /etc/pki/tls/private/exim.pem
smtpd_tls_security_level = may
smtpd_tls_wrappermode = no
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/maps/virtual_alias_maps.hash,
ldap:/etc/postfix/maps/virtual_alias_maps.cf

This is the content  of /etc/postfix/maps/virtual_alias_maps.hash:

areng...@mydomain.com areng...@mycompany.microsoftonline.com

This is the content  of /etc/postfix/maps/virtual_alias_maps.cf:

server_host = localhost
search_base = ou=Groups,dc=mydomain,dc=com
query_filter = (&(cn=%u)(objectClass=posixGroup))
result_attribute = memberUid
result_format = %s...@mydomain.com
bind = no
version = 3

I hope it helps.


Re: Duplicated messages

2011-03-11 Thread Jason Voorhees
On Fri, Mar 11, 2011 at 12:27 PM, Victor Duchovni wrote:
> On Fri, Mar 11, 2011 at 12:06:28PM -0500, Jason Voorhees wrote:
>
>> >> How can I avoid this? I hope someone can help me.
>> >
>> >    http://www.postfix.org/postconf.5.html#enable_original_recipient
>> >
>>
>> Hi, thanks Viktor for your answer. I've already used these settings:
>>
>> Setting # 1:
>> enable_original_recipient = no
>>
>> Setting # 2:
>> enable_original_recipient = no
>> smtpd_disable_ehlo_keywords = silent-discard, dsn
>>
>
> Your Postfix may be too old. From the HISTORY file:
>
>    20070520
>
>        Bugfix (problem introduced Postfix 2.3): when DSN support
>        was introduced it broke "agressive" recipient duplicate
>        elimination with "enable_original_recipient = no".  File:
>        cleanup/cleanup_out_recipient.c.
>
> This postdates the release of 2.5, but the change was backported to
> 2.4.x, and 2.3.10. If all you have is 2.3.3, you need to upgrade.
>
> --
>        Viktor.
>

You were right! I upgraded postfix to 2.5.0 and using the same setting
previously mentioned above it solved my problem.

Thanks


Re: Duplicated messages

2011-03-11 Thread Jason Voorhees
On Fri, Mar 11, 2011 at 1:57 PM, Victor Duchovni wrote:
> On Fri, Mar 11, 2011 at 01:13:23PM -0500, Jason Voorhees wrote:
>
>> > 20070520
>> >
>> > Bugfix (problem introduced Postfix 2.3): when DSN support
>> > was introduced it broke "agressive" recipient duplicate
>> > elimination with "enable_original_recipient = no". File:
>> > cleanup/cleanup_out_recipient.c.
>> >
>> > This postdates the release of 2.5, but the change was backported to
>> > 2.4.x, and 2.3.10. If all you have is 2.3.3, you need to upgrade.
>>
>> You were right!
>
> I don't make this stuff up. :-)
>
>> I upgraded postfix to 2.5.0 and using the same setting
>> previously mentioned above it solved my problem.
>
> Why 2.5.0 and not say 2.5.12? If you are going to the trouble of updating,
> at this point it should be 2.7.3 or 2.8.1.
>
> --
>        Viktor.
>

I need a fast way to get an earlier Postfix so I downloaded a rpm
package from Postfix's website under "Packages and ports" section. For
CentOS it was available postfix-2.5.0 RPM package.


Fwd: Google The recipient server did not accept our requests to connect.

2011-03-31 Thread jason hirsh



Begin forwarded message:


From: jason hirsh 
Date: March 3, 2011 4:50:09 PM GMT-04:00
To: John Hinton 
Cc: postfix-users@postfix.org
Subject: Re: Google The recipient server did not accept our requests  
to connect.



On Mar 3, 2011, at 4:40 PM, John Hinton wrote:


On 3/3/2011 3:09 PM, jason hirsh wrote:



On Mar 3, 2011, at 4:02 PM, John Hinton wrote:


On 3/3/2011 2:52 PM, jason hirsh wrote:



On Mar 3, 2011, at 3:49 PM, John Hinton wrote:




On 3/3/2011 2:34 PM, jason hirsh wrote:




I have been informed by a couple gmail users that my server is  
blocking their access. They are getting



Technical details of temporary failure:
The recipient server did not accept our requests to connect.  
Learn more at http://mail.google.com/support/bin/answer.py?answer=7720

[mail.kasdivi.com. (5): Connection timed out]


The weird thing about this is that it appears to affect only a
couple of gmail users.   For example mail from my gmail
account goes through just fine




Are you running a greylist perhaps? Either way, Google 'slams'  
email. In other words they try once and if the email cannot be  
delivered before the time out, the failure response is sent. I  
run milter greylist on one of my sendmail servers and had to  
include an exception for gmail. Sad but true. Gmail is not  
really a fully compliant email system but they do a lot of  
other things very good.


Yes I am running postgrey now.. but this occurred even before I
added postgrey
plus, there still is the issue that some accounts make it and
some don't


There is no record of any rejection in my logs
I'm at a bit of a loss about why before postgrey. It suggests  
that the mailserver is just not answering fast enough, which can  
vary based on load at a particular moment. Gmail might have a  
short connection attempt time set as well? Obviously slamming  
reduces loads to a huge degree... shorter connection times would  
also reduce loads. It is for the most part a 'free' service.  
Perhaps premiere gmail accounts are handled differently?




I have reviewed my logs again.. and I can find no record of any  
rejection or bounce or delay.


is there anything i can do to correct for this?

I do not know how many mails i am losing because of the gmail issue  
and I realize that it is a gmail problem

but my users don't...



As for postgrey, I have not used that but you need to add an  
exception for gmail. I assume postgrey is like milter greylist in  
that it keeps a list of recent IP addresses to allow incoming  
email. Gmail certainly has lots of IP addresses for their  
mailservers. It could be simply hit or miss based on which are  
currently on that allow list. This would show as a sporadic  
issue. Another test, if you know any of the gmail people which  
are receiving the failure notices, is to have them try once, then  
again some minutes later which is greater than your postgrey time
setting. Then again, I'm not sure every email sent from any  
particular gmail user always come in from the same IP address.




I had this issue even before I added postgrey to my
configuration..   I am getting no errors or bounces

I have had the user resend

again the weird things are
 1) one gmail account works while others don't  (which would
support one server is really slamming while the other isn't
Or some are whitelisted by postgrey while others are not. Also, is  
it possible that loads are going high at times, causing time outs?  
Gmail will just give up while almost all others simply retry later.


i have expanded my white listing in postgrey
 2) absolutely no error messages on my server.. it's like it bounced
off an invisible shield
Do your postgrey logs show? If it is sending a delay response, it  
would only show in the logs of that 'invisible shield'. (again,  
sorry I'm out of my realm here as I only have experience with  
milter greylist on my backup sendmail server. I do remember setting  
several IP address ranges to get around gmail slamming.)


John I am out of MY realm with postgrey too...  but again the crux
of the issue is that it occurred BEFORE I had added postgrey


I have postgrey.. logging to maillog and I have tried grepping
the addresses with no find..


since it existed pre and post postgrey installation I continue to
assume that it is something to do with postfix


can I whitelist gmail in postfix in a manner to let all their
permutations and combos go through?


I know that with all the spoofing of gmail this will create an
opening for spam...  I have tried to convince the user that gmail is
a horrible thing to be using for primary mail.. but..


I understand it's gmail's error...




Remember, the error message is generated by gmail, not your system.  
You could grep logs for the sender's email address.



Best of luck.

John



--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solu

Fwd: Google The recipient server did not accept our requests to connect.

2011-04-01 Thread jason hirsh






On 3/3/2011 3:09 PM, jason hirsh wrote:





I have been informed by a couple gmail users that my server  
is blocking their access. They are getting



Technical details of temporary failure:
The recipient server did not accept our requests to connect.  
Learn more at http://mail.google.com/support/bin/answer.py?answer=7720

[mail.kasdivi.com. (5): Connection timed out]


The weird thing about this is that it appears to affect only a
couple of gmail users.   For example mail from my gmail
account goes through just fine

 do to correct for this?




I am trying to go back to basics..

	1) There is no record of rejection in my logs... so I may not be able  
to do anything at all


	2) Assuming that I am rejecting or delaying, is there any way I can
white_list the noted addresses??

I have whitelisted in amavisd-new and postgrey


any help would be appreciated





Message can't get through from Mindspring

2011-04-16 Thread jason hirsh

Ok I stumped the band on my troubles on receiving email from google.com

Now I am being told that messages from mindspring.com can't get through


here is a copy of the error message


Subject: Warning: message 1Q8d0n-0001fo-F7 delayed 24 hours

This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 24 hours on the queue on
elasmtp-dupuy.atl.sa.earthlink.net.

The message identifier is: 1Q8d0n-0001fo-F7
The date of the message is: Sat, 9 Apr 2011 14:35:57 -0400 (GMT-04:00)

The subject of the message is: Re: Fwd: Computers

The address to which the message has not yet been delivered is:

ja...@kasdivi.com

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.




There is no record of any bounce or activity in my maillog

here is my postconf -n

body_checks = regexp:/usr/local/etc/postfix/body_check
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
daemon_timeout = 36000s
data_directory = /var/db/postfix
delay_warning_time = 2h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost
mydomain = theoceanwindow-bv.com
mynetworks = 127.0.0.0/32, 209.160.65.133, 209.160.68.112
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = tuna.theoceanwindow-bv.com
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,permit
smtpd_recipient_restrictions = permit_mynetworks, hash:/usr/local/etc/postfix/recipient_access,permit_sasl_authenticated, reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spam,permit_sasl_authenticated

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated,permit_mynetworks
smtpd_tls_CAfile = /usr/local/etc/keys/root.crt
smtpd_tls_cert_file = /usr/local/etc/keys/server.cert
smtpd_tls_key_file = /usr/local/etc/keys/private.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1003



I did away with postgrey


thoughts or ideas??





Re: Message can't get through from Mindspring

2011-04-16 Thread jason hirsh
On Apr 16, 2011, at 2:50 PM, Wietse Venema wrote:

jason hirsh:

Ok I stumped the band on my troubles on receiving email from google.com
Now I am being told that messages from mindspring.com can't get through

Postfix logs ALL MAIL DELIVERY ATTEMPTS successful or not.
You need to show Postfix logs for missed mail.

I have grepped the mail logs for the impacted days and can find no
attempts or records.  This was also the case in my gmail.com issue

If no attempts show up in your logs, then the sending failed to
connect to your machine (DNS error, firewall error, and so on).

I understand what appears but in my gmail example it was only one out
of many gmail accounts
I can not judge how many mindspring accounts have the issue

If the attempts do show up in your logs, then the logging will
provide the clues as to why the mail was not delivered.

as I said no log entries

	Wietse

Re: Message can't get through from Mindspring

2011-04-16 Thread jason hirsh


On Apr 16, 2011, at 3:19 PM, Wietse Venema wrote:


Wietse Venema:

Postfix logs ALL MAIL DELIVERY ATTEMPTS successful or not.

If no attempts show up in your logs, then the sending failed to
connect to your machine (DNS error, firewall error, and so on).


What are the DNS records (MX, A) for your mail server?


mail.kasdivi.com.   IN  A   209.160.65.133
kasdivi.com.        IN  MX  5 mail.kasdivi.com.


Wietse




Re: Message can't get through from Mindspring

2011-04-16 Thread jason hirsh


On Apr 16, 2011, at 3:38 PM, Wietse Venema wrote:


Wietse:

What are the DNS records (MX, A) for your mail server?


jason hirsh:

mail.kasdivi.com.   IN  A   209.160.65.133
kasdivi.com.        IN  MX  5 mail.kasdivi.com.


Now, look in your logs for 168.100.189.2. If nothing is there, then
your logging is broken

Wietse

S: 220 tuna.theoceanwindow-bv.com
C: EHLO spike.porcupine.org
S: 250-tuna.theoceanwindow-bv.com
S: 250-PIPELINING
S: 250-SIZE 1024
S: 250-ETRN
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
C: MAIL FROM: SIZE=327
C: RCPT TO: ORCPT=rfc822;pxx...@kasdivi.com

C: RSET
C: QUIT
S: 250 2.1.0 Ok
S: 250 2.1.5 Ok
S: 250 2.0.0 Ok
S: 221 2.0.0 Bye


My Log shows

pr 16 15:33:07 tuna postfix/smtpd[37327]: permit_mynetworks: spike.porcupine.org 168.100.189.2
Apr 16 15:33:07 tuna postfix/smtpd[37327]: match_hostaddr: 168.100.189.2 ~? 127.0.0.0/32
Apr 16 15:33:07 tuna postfix/smtpd[37327]: match_hostaddr: 168.100.189.2 ~? 209.160.65.133
Apr 16 15:33:07 tuna postfix/smtpd[37327]: match_hostaddr: 168.100.189.2 ~? 209.160.68.112
Apr 16 15:33:07 tuna postfix/smtpd[37327]: match_list_match: 168.100.189.2: no match
Apr 16 15:33:07 tuna postfix/smtpd[37327]: reject_rbl_addr: Client host 168.100.189.2
Apr 16 15:33:07 tuna postfix/smtpd[37327]: reject_rbl_addr: Client host 168.100.189.2
Apr 16 15:33:07 tuna postfix/smtpd[37327]: permit_inet_interfaces: spike.porcupine.org 168.100.189.2
Apr 16 15:33:07 tuna postfix/smtpd[37327]: 51D9A5C40: client=spike.porcupine.org[168.100.189.2]
Apr 16 15:33:07 tuna postfix/smtpd[37327]: > spike.porcupine.org[168.100.189.2]: 250 2.1.5 Ok
Apr 16 15:33:07 tuna postfix/smtpd[37327]: < spike.porcupine.org[168.100.189.2]: RSET
Apr 16 15:33:07 tuna postfix/smtpd[37327]: > spike.porcupine.org[168.100.189.2]: 250 2.0.0 Ok
Apr 16 15:33:07 tuna postfix/smtpd[37327]: < spike.porcupine.org[168.100.189.2]: QUIT
Apr 16 15:33:07 tuna postfix/smtpd[37327]: > spike.porcupine.org[168.100.189.2]: 221 2.0.0 Bye
Apr 16 15:33:07 tuna postfix/smtpd[37327]: match_hostaddr: 168.100.189.2 ~? 127.0.0.0/32
Apr 16 15:33:07 tuna postfix/smtpd[37327]: match_hostaddr: 168.100.189.2 ~? 209.160.65.133
Apr 16 15:33:07 tuna postfix/smtpd[37327]: match_hostaddr: 168.100.189.2 ~? 209.160.68.112
Apr 16 15:33:07 tuna postfix/smtpd[37327]: match_list_match: 168.100.189.2: no match
Apr 16 15:33:07 tuna postfix/smtpd[37327]: send attr ident = smtp:168.100.189.2
Apr 16 15:33:07 tuna postfix/smtpd[37327]: disconnect from spike.porcupine.org[168.100.189.2]

Re: Message can't get through from Mindspring

2011-04-16 Thread jason hirsh


On Apr 16, 2011, at 4:33 PM, Wietse Venema wrote:


Wietse:

What are the DNS records (MX, A) for your mail server?


jason hirsh:

mail.kasdivi.com.   IN  A   209.160.65.133
kasdivi.com.        IN  MX  5 mail.kasdivi.com.


Wietse:

Now, look in your logs for 168.100.189.2. If nothing is there,
then your logging is broken


jason hirsh:

My Log shows

pr 16 15:33:07 tuna postfix/smtpd[37327]: permit_mynetworks: spike.porcupine.org 168.100.189.2

[etcetera]

If you don't see Mindspring etc. activity in your logs, then

- Their servers are not connecting to your machine, for reasons
 that have yet to be determined (no glue records for kasdivi.com
 at the top-level DNS servers, sender does not like your generic
 reverse DNS record, ...).

- Their servers do connect, but their activity is lost in all your
 verbose logging.

I would start with turning off Postfix verbose logging, then monitor
the logfile for sessions that fail repeatedly with "lost connection",
"timeout" and other abnormalities.


Thanks

I will give that a shot


Wietse




Archiving with postfix

2011-05-12 Thread Jason Voorhees
Hi people:

I intend to have the best backup of all e-mail of my servers that run
Postfix and Cyrus/Dovecot. It would be simple for me to back up just
/var/spool/mail or /var/spool/imap every night but there are so many
people that use POP3, or simply delete messages from their mailbox
while using IMAP.

So I thought that making an organized copy of all sent/received e-mail
that went through postfix would be the best solution (for me at
least). I know I can achieve this archiving feature with MailScanner
but I want to avoid using that.

Do you know any method of creating an archiving system using only
postfix (and maybe procmail, maildrop or other filters maybe but no
amavis)? I know there are commercial products to achieve this but I'm
looking for an open source solution first.

I hope someone can give me some ideas.

Thanks


Re: Archiving with postfix

2011-05-12 Thread Jason Voorhees
> Yes, please avoid using MailScanner.

I never knew why postfix users apparently hate MailScanner. I know
that this question isn't the purpose of my thread but... Can I know
why you don't like MailScanner?

>
>> Do you know any method of create an archiving system using only
>> postfix (and maybe procmail, maildrop or other filters maybe but no
>> amavis)?
>
> If you don't need to preserve the original envelope, always_bcc or
> recipient_bcc_maps will do what you want.
>
> If you do need to preserve the exact incoming message, use an smtp proxy to
> do $whatever-you-want.
>

Ok, I'm not a postfix expert but could you give me some additional
explanation about an smtp proxy to do $whatever-i-want? Just give me
some tips to look up in Google.


Re: Archiving with postfix

2011-05-12 Thread Jason Voorhees
> I suggest the documentation, instead:
>
> http://www.postfix.org/postconf.5.html#smtpd_proxy_filter
>

Thanks, I'm going to read it.

> This can be anything that speaks SMTP.
>
> (Note that implementing one of the *_bcc options will be far easier)
>

I'm not pretty sure how to do that because I don't want to bcc all my
e-mail to one address.


Google 7720 Error

2011-05-13 Thread jason hirsh

I posted this about two months ago


the problem continues .. I have removed postgrey in its entirety

I continue to have issues with some , not all , gmail users and some,  
not all mindspring users


there is no record of any rejection in my mail log.. which i have been  
told means I am not the problem

but that is hard to sell to users who aren't getting their mail

any new thoughts??



Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn
more at http://mail.google.com/support/bin/answer.py?answer=7720

[mail.kasdivi.com. (5): Connection timed out]


The weird thing about this is that it appears to affect only a couple
of gmail users.   For example mail from my gmail account goes through
just fine



postconf -n as follows

body_checks = regexp:/usr/local/etc/postfix/body_check
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
daemon_timeout = 36000s
data_directory = /var/db/postfix
delay_warning_time = 2h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost
mydomain = theoceanwindow-bv.com
mynetworks = 127.0.0.0/32, 209.160.65.133, 209.160.68.112
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = tuna.theoceanwindow-bv.com
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,permit
smtpd_recipient_restrictions = permit_mynetworks,hash:/usr/local/etc/postfix/recipient_access,permit_sasl_authenticated, reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spam,check_policy_service inet:127.0.0.1:6000,permit_mynetworks,permit_sasl_authenticated

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated,permit_mynetworks
smtpd_tls_CAfile = /usr/local/etc/keys/root.crt
smtpd_tls_cert_file = /usr/local/etc/keys/server.cert
smtpd_tls_key_file = /usr/local/etc/keys/private.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1003


I have seen some discussion about misconfigued or lacking mx records  
but I have


asdivi.com.                 IN  SOA     ns.kasdivi.com. info.kasdivi.com. (
                                        1227747798
                                        10800
                                        3600
                                        604800
                                        38400 )
mail.kasdivi.com.           IN  A       209.160.65.133
ftp.kasdivi.com.            IN  A       209.160.65.133
www.kasdivi.com.            IN  A       209.160.65.133
kasdivi.com.                IN  NS      ns.kasdivi.com.
kasdivi.com.                IN  NS      ns1.kasdivi.com.
kasdivi.com.                IN  NS      ns2.kasdivi.com.

tuna.theoceanwindow-bv.com. IN  A       209.160.65.133
ns.kasdivi.com.             IN  A       209.160.65.133
ns1.kasdivi.com.            IN  A       209.160.68.112
ns2.kasdivi.com.            IN  A       209.160.65.133
kasdivi.com.                IN  A       209.160.65.133
kasdivi.com.                IN  MX      5 mail.kasdivi.com.
webmail.kasdivi.com.        IN  CNAME   mail.kasdivi.com.


any thoughts or suggestions

Re: Google 7720 Error

2011-05-13 Thread jason hirsh


On May 13, 2011, at 1:43 PM, Noel Jones wrote:


On 5/13/2011 12:12 PM, jason hirsh wrote:

I posted this about two months ago


the problem continues .. I have removed postgrey in its entirety

I continue to have issues with some , not all , gmail users
and some, not all mindspring users

there is no record of any rejection in my mail log.. which i
have been told means I am not the problem
but that is hard to sell to users who aren't getting their mail

any new thoughts??



Technical details of temporary failure:
The recipient server did not accept our requests to connect.
Learn more at http://mail.google.com/support/bin/answer.py?answer=7720
[mail.kasdivi.com. (5): Connection timed out]


The weird thing about this is that it appears to affect only a
couple of gmail users. For example mail from my gmail account
goes through just fine




If postfix doesn't log anything, then postfix isn't the problem.

Possibilities include a firewall that's blocking some google  
servers, or one of your DNS servers issuing a bad IP under some  
circumstances, or a misbehaving proxy in front of postfix.


I have no proxies and have turned off the firewall
although the fact it works for some gmail and mindspring and not other  
is puzzling




Or just a plain old flaky network connection, but it sounds as if  
you don't have any evidence of that.



so I just tell users .. sorry charlie getting email through my service  
is a crap shoot




 -- Noel Jones




Re: Google 7720 Error

2011-05-13 Thread jason hirsh

i am on a leased server,, to the best of my knowledge no
On May 13, 2011, at 2:03 PM, Mark Martinec wrote:


I have no proxies and have turned off the firewall
although the fact it works for some gmail and mindspring and not  
other

is puzzling


Any Cisco firewall (ASA or PIX) on your side?

 Mark




Re: Google 7720 Error

2011-05-13 Thread jason hirsh


On May 13, 2011, at 4:03 PM, Wietse Venema wrote:


Victor Duchovni:

On Fri, May 13, 2011 at 01:12:18PM -0400, jason hirsh wrote:

The recipient server did not accept our requests to connect.
Learn more at http://mail.google.com/support/bin/answer.py?answer=7720
[mail.kasdivi.com. (5): Connection timed out]


If Google's TCP connections time out, naturally your Postfix server will
have no record of the connection attempt, and your Postfix configuration
plays no role in the problem. This is a transport or network layer issue,
and nothing at the application level will fix it.

For what it's worth, I have no issues connecting:


Same here (from 168.100.189.2).



I, from a philosophical basis, understand,  but the fact remains  I
have several gmail and several mindspring users that can not get
through to my clients
I know those domains for fact.. but have reports of others but not
enough information to chase them





Perhaps your server's connection smtpd(8) process limit is exhausted
from time to time, but Google's email should get through eventually,
unless there is a systemic network level issue.


Such as, IP or TCP-level options that are not or mis-implemented.



well the interesting thing is that it is SOME not all gmail and  
mindspring users


for example my gmail account, while slow, get through

am I to tell potential business.. "I can provide mail service for MOST  
of your contacts??"


Wietse




Re: Google 7720 Error

2011-05-13 Thread jason hirsh


On May 13, 2011, at 5:39 PM, Wietse Venema wrote:


jason hirsh:


On May 13, 2011, at 4:03 PM, Wietse Venema wrote:


Victor Duchovni:

On Fri, May 13, 2011 at 01:12:18PM -0400, jason hirsh wrote:


The recipient server did not accept our requests to connect.
Learn more at http://mail.google.com/support/bin/answer.py?answer=7720
[mail.kasdivi.com. (5): Connection timed out]


If Google's TCP connections time out, naturally your Postfix server will
have no record of the connection attempt, and your Postfix configuration
plays no role in the problem. This is a transport or network layer issue,
and nothing at the application level will fix it.

For what it's worth, I have no issues connecting:


Same here (from 168.100.189.2).



I, from a philosophical basis, understand,  but the fact remains  I
have several gmail and several mindspring users that can not get
through to my clients
I know those domains for fact.. but have reports of others but not
enough information to chase them


If you want to solve this, then you will need to do the measurements
that provide the evidence of what is going on.

Until you can show network packets from gmail etc. trying to connect
to your Postfix server, you have no evidence at all that this problem
belongs on this mailing list.




the users can access my web page   so web services are fine

they can ping my server. so DNS is fine

i have the message that says that it can't contact my mail server.. my
MTA is Postfix where else could I seek help??


do I have to drop postfix and go back to sendmail to debug??



Wietse




Re: Google 7720 Error

2011-05-14 Thread jason hirsh


On May 13, 2011, at 6:31 PM, Noel Jones wrote:


On 5/13/2011 5:09 PM, jason hirsh wrote:


i have the message that says that it can't contact my mail
server.. my MTA is Postfix where else could I seek help??

do I have to drop postfix and go back to sendmail to debug??


Your connectivity problem isn't a postfix issue.  Something in  
between postfix and the client server is blocking access, possibly  
only port 25.


Just because clientA can connect to your web server doesn't mean  
clientB can connect to your mail server.


Next step is a tcp sniffer between your server and the internet to  
record unsuccessful attempts to connect to postfix.  If this is a  
hosted system, your debug options are limited; contact your hosting  
provider for help.


I know you're frustrated, but this isn't a problem you're going to  
fix by tweaking -- or replacing -- postfix.





thank you for your suggestion on the TCP sniffer..   of the responses
I have received only yours offered a concrete suggestion instead
of damning me





 -- Noel Jones




Re: Google 7720 Error

2011-05-14 Thread jason hirsh


On May 14, 2011, at 5:01 AM, Ralf Hildebrandt wrote:


* jason hirsh :


the users can access my web page   so web services are fine

they can ping my server. so DNS is fine

i have the message that says that it can't contact my mail server..
my MTA is Postfix where else could I seek help??


Do you have other software like e.g. fail2ban running?
Or a firewall?



The only firewall I use is IPFW

I can connect to your mailserver:

# telnet mail.kasdivi.com 25
Trying 209.160.65.133...
Connected to mail.kasdivi.com.
Escape character is '^]'.
220 tuna.theoceanwindow-bv.com


do I have to drop postfix and go back to sendmail to debug??

That won't play a role.

--
Ralf Hildebrandt
 Geschäftsbereich IT | Abteilung Netzwerk
 Charité - Universitätsmedizin Berlin
 Campus Benjamin Franklin
 Hindenburgdamm 30 | D-12203 Berlin
 Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
 ralf.hildebra...@charite.de | http://www.charite.de





Re: Google 7720 Error

2011-05-14 Thread jason hirsh


On May 13, 2011, at 7:11 PM, Wietse Venema wrote:


jason hirsh:

If you want to solve this, then you will need to do the measurements
that provide the evidence of what is going on.

Until you can show network packets from gmail etc. trying to connect
to your Postfix server, you have no evidence at all that this problem
belongs on this mailing list.


the users can access my web page   so web services are fine


Please think. Are they connecting from the same machine that can't
send mail to your SMTP server? No.


ahh ok i see your point on that



they can ping my server. so DNS is fine


Think again. Are they pinging from the same machine that can't
send mail to your SMTP server?

I repeat my suggestion that you collect real data to show that
those SMTP packets from gmail actually reach you.  Because when
you finally discover that they don't then you can go and fix the
real problem.



i have no idea HOW to get that real data.. I do not have access to the
servers that are connecting and none of my logs show info on the
failed attempts




Wietse




Re: Google 7720 Error

2011-05-14 Thread jason hirsh


On May 14, 2011, at 8:27 AM, Wietse Venema wrote:


jason hirsh:

I repeat my suggestion that you collect real data to show that
those SMTP packets from gmail actually reach you.  Because when
you finally discover that they don't then you can go and fix the
real problem.


i have no idea HOW to get that real data.. I do not have access to the
servers that are connecting and none of my logs show info on the
failed attempts


Run tcpdump on your machine, then send mail from gmail etc.

# tcpdump port 25

Then you should see packets from hosts that can reach you;
you should see no or only few packets from hosts that can't.




Thank you for that suggestion

I did run that and was able to ascertain that the gmail servers are in  
fact reaching my server


from the comments received in the thread I am obviously screwing up  
something on my server and do not have the

knowledge to find...








Wietse




Re: Google 7720 Error

2011-05-14 Thread jason hirsh


On May 14, 2011, at 1:38 PM, Ralf Hildebrandt wrote:


* jason hirsh :


The only firewall I use is IPFW


Well, that's something! Could you somehow dump the rules?
Maybe it's accidentally dropping traffic which it should drop (typo!)



I double checked the ruleset and 25 and 2500 (which I have to use  
because of a local isp) are open


I have also tried running the server with the IPFW turned off and  
still have the issue with some gmail and mindspring.com users






--
Ralf Hildebrandt
 Geschäftsbereich IT | Abteilung Netzwerk
 Charité - Universitätsmedizin Berlin
 Campus Benjamin Franklin
 Hindenburgdamm 30 | D-12203 Berlin
 Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
 ralf.hildebra...@charite.de | http://www.charite.de





Re: Google 7720 Error [thread on hold pending useful data]

2011-05-14 Thread jason hirsh


On May 14, 2011, at 2:20 PM, Victor Duchovni wrote:


On Sat, May 14, 2011 at 01:56:00PM -0400, jason hirsh wrote:

I have also tried running the server with the IPFW turned off and still
have the issue with some gmail and mindspring.com users


I would like to suggest that further posts in this thread are moot,
and should cease, unless and until jason is able to record TCP sessions
between Gmail (or another "problem" systems) and his server, and make
at least one such recordings available. Isolate a single session that
fails along the lines of:

C: TCP SYN (one or more if server response is delayed)
S: TCP SYN ACK  or TCP RST or silence
C: TCP ACK
S: SMTP 4XX banner or 5XX or timeout
C: SMTP EHLO
S: 4XX response or 5XX response or timeout

Save a binary packet capture not decoded packets:

# tcpdump -s0 -w /some/file tcp port 25

then decode with "tcpdump -s0 -r /some/file" and find the source  
host/port

of the failed connection, isolate that with:

   # tcpdump -s0 -r /some/file -w /some/other-file tcp and \
host  and tcp port 

then make the final binary file containing just the failed session
available.

--



That makes sense

I shall attempt to do that



Viktor.




Re: Google 7720 Error [thread on hold pending useful data]

2011-05-15 Thread jason hirsh


On May 15, 2011, at 1:14 AM, Frank Bonnet wrote:




On 15/05/2011 02:42, jason hirsh wrote:


On May 14, 2011, at 2:20 PM, Victor Duchovni wrote:


On Sat, May 14, 2011 at 01:56:00PM -0400, jason hirsh wrote:

I have also tried running the server with the IPFW turned off and still
have the issue with some gmail and mindspring.com users


I would like to suggest that further posts in this thread are moot,
and should cease, unless and until jason is able to record TCP sessions
between Gmail (or another "problem" systems) and his server, and make
at least one such recordings available. Isolate a single session that
fails along the lines of:

C: TCP SYN (one or more if server response is delayed)
S: TCP SYN ACK or TCP RST or silence
C: TCP ACK
S: SMTP 4XX banner or 5XX or timeout
C: SMTP EHLO
S: 4XX response or 5XX response or timeout

Save a binary packet capture not decoded packets:

# tcpdump -s0 -w /some/file tcp port 25

then decode with "tcpdump -s0 -r /some/file" and find the source host/port
of the failed connection, isolate that with:

# tcpdump -s0 -r /some/file -w /some/other-file tcp and \
host  and tcp port 

then make the final binary file containing just the failed session
available.

--



That makes sense

I shall attempt to do that



Viktor.




It seems you are using FreeBSD, could you type the following command
then send back the result ?

sysctl -a | grep tcp



net.inet.tcp.rfc1323: 1
net.inet.tcp.mssdflt: 512
net.inet.tcp.keepidle: 720
net.inet.tcp.keepintvl: 75000
net.inet.tcp.sendspace: 32768
net.inet.tcp.recvspace: 65536
net.inet.tcp.keepinit: 75000
net.inet.tcp.delacktime: 100
net.inet.tcp.v6mssdflt: 1024
net.inet.tcp.hostcache.purge: 0
net.inet.tcp.hostcache.prune: 300
net.inet.tcp.hostcache.expire: 3600
net.inet.tcp.hostcache.count: 25
net.inet.tcp.hostcache.bucketlimit: 30
net.inet.tcp.hostcache.hashsize: 512
net.inet.tcp.hostcache.cachelimit: 15360
net.inet.tcp.read_locking: 1
net.inet.tcp.recvbuf_max: 262144
net.inet.tcp.recvbuf_inc: 16384
net.inet.tcp.recvbuf_auto: 1
net.inet.tcp.insecure_rst: 0
net.inet.tcp.ecn.maxretries: 1
net.inet.tcp.ecn.enable: 0
net.inet.tcp.abc_l_var: 2
net.inet.tcp.rfc3465: 1
net.inet.tcp.rfc3390: 1
net.inet.tcp.rfc3042: 1
net.inet.tcp.drop_synfin: 0
net.inet.tcp.delayed_ack: 1
net.inet.tcp.blackhole: 0
net.inet.tcp.log_in_vain: 0
net.inet.tcp.sendbuf_max: 262144
net.inet.tcp.sendbuf_inc: 8192
net.inet.tcp.sendbuf_auto: 1
net.inet.tcp.tso: 1
net.inet.tcp.newreno: 1
net.inet.tcp.local_slowstart_flightsize: 4
net.inet.tcp.slowstart_flightsize: 1
net.inet.tcp.path_mtu_discovery: 1
net.inet.tcp.reass.overflows: 50
net.inet.tcp.reass.maxqlen: 48
net.inet.tcp.reass.cursegments: 0
net.inet.tcp.reass.maxsegments: 1600
net.inet.tcp.sack.globalholes: 0
net.inet.tcp.sack.globalmaxholes: 65536
net.inet.tcp.sack.maxholes: 128
net.inet.tcp.sack.enable: 1
net.inet.tcp.inflight.stab: 20
net.inet.tcp.inflight.max: 1073725440
net.inet.tcp.inflight.min: 6144
net.inet.tcp.inflight.rttthresh: 10
net.inet.tcp.inflight.debug: 0
net.inet.tcp.inflight.enable: 1
net.inet.tcp.isn_reseed_interval: 0
net.inet.tcp.icmp_may_rst: 1
net.inet.tcp.pcbcount: 44
net.inet.tcp.do_tcpdrain: 1
net.inet.tcp.tcbhashsize: 512
net.inet.tcp.log_debug: 0
net.inet.tcp.minmss: 216
net.inet.tcp.syncache.rst_on_sock_fail: 1
net.inet.tcp.syncache.rexmtlimit: 3
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.count: 0
net.inet.tcp.syncache.cachelimit: 15360
net.inet.tcp.syncache.bucketlimit: 30
net.inet.tcp.syncookies_only: 0
net.inet.tcp.syncookies: 1
net.inet.tcp.timer_race: 0
net.inet.tcp.finwait2_timeout: 6
net.inet.tcp.fast_finwait2_recycle: 0
net.inet.tcp.always_keepalive: 1
net.inet.tcp.rexmit_slop: 200
net.inet.tcp.rexmit_min: 30
net.inet.tcp.msl: 3
net.inet.tcp.nolocaltimewait: 0
net.inet.tcp.maxtcptw: 5120
net.inet.flowtable.tcp_expire: 86400



Is BPF enabled in the kernel machine ?


apparently yes


What is the FreeBSD version ( I had troubles with 8.2 )


8.1


In fact the problem seems to be OS related and NOT a
Postfix/sendmail/exim problem.


I will give that a shot
thank you


I would suggest to post your request into freebsd-us...@freebsd.org
mailing list or look at

http://lists.freebsd.org/mailman/listinfo

to find a more fine grained list








Re: Google 7720 Error [thread on hold pending useful data]

2011-05-15 Thread jason hirsh


On May 15, 2011, at 1:14 AM, Frank Bonnet wrote:




On 15/05/2011 02:42, jason hirsh wrote:


On May 14, 2011, at 2:20 PM, Victor Duchovni wrote:


On Sat, May 14, 2011 at 01:56:00PM -0400, jason hirsh wrote:

I have also tried running the server with the IPFW turned off and still
have the issue with some gmail and mindspring.com users


I would like to suggest that further posts in this thread are moot,
and should cease, unless and until jason is able to record TCP sessions
between Gmail (or another "problem" systems) and his server, and make
at least one such recordings available. Isolate a single session that
fails along the lines of:

C: TCP SYN (one or more if server response is delayed)
S: TCP SYN ACK or TCP RST or silence
C: TCP ACK
S: SMTP 4XX banner or 5XX or timeout
C: SMTP EHLO
S: 4XX response or 5XX response or timeout

Save a binary packet capture not decoded packets:

# tcpdump -s0 -w /some/file tcp port 25

then decode with "tcpdump -s0 -r /some/file" and find the source host/port
of the failed connection, isolate that with:

# tcpdump -s0 -r /some/file -w /some/other-file tcp and \
host  and tcp port 

then make the final binary file containing just the failed session
available.



this is the record of the exchange.. it does not appear to be what you
expected though


08:40:31.036997 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972295960 ecr 0,nop,wscale 6], length 0
08:40:34.037857 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972298960 ecr 0,nop,wscale 6], length 0
08:40:40.036791 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972304960 ecr 0,nop,wscale 6], length 0
08:40:50.037758 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972314960 ecr 0,nop,wscale 6], length 0
08:41:00.037805 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972324960 ecr 0,nop,wscale 6], length 0
08:41:10.037831 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972334960 ecr 0,nop,wscale 6], length 0






--



That makes sense

I shall attempt to do that



Viktor.




It seems you are using FreeBSD, could you type the following command
then send back the result ?

sysctl -a | grep tcp




Re: Google 7720 Error [thread on hold pending useful data]

2011-05-15 Thread jason hirsh


On May 15, 2011, at 8:54 AM, Jeroen Geilman wrote:


On 05/15/2011 02:50 PM, jason hirsh wrote:


this is the record of the exchange.. it does not appear to be what
you expected though


08:40:31.036997 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972295960 ecr 0,nop,wscale 6], length 0
08:40:34.037857 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972298960 ecr 0,nop,wscale 6], length 0
08:40:40.036791 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972304960 ecr 0,nop,wscale 6], length 0
08:40:50.037758 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972314960 ecr 0,nop,wscale 6], length 0
08:41:00.037805 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972324960 ecr 0,nop,wscale 6], length 0
08:41:10.037831 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972334960 ecr 0,nop,wscale 6], length 0






Your server is not responding to TCP SYN.



OK but why just that one server
here is an exchange with another server that appears normal..

08:39:54.189545 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [P.], ack 34, win 33304, options [nop,nop,TS val 317610222 ecr 3017712232], length 133
08:39:54.189611 IP tuna.theoceanwindow-bv.com.35659 > scc-mailrelay.att.net.smtp: Flags [P.], ack 191, win 8326, options [nop,nop,TS val 3017712351 ecr 317610222], length 111
08:39:54.199460 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [.], ack 145, win 33304, options [nop,nop,TS val 317610223 ecr 3017712351], length 0
08:39:54.201472 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [P.], ack 145, win 33304, options [nop,nop,TS val 317610223 ecr 3017712351], length 8
08:39:54.229704 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [P.], ack 145, win 33304, options [nop,nop,TS val 317610226 ecr 3017712351], length 8
08:39:54.229717 IP tuna.theoceanwindow-bv.com.35659 > scc-mailrelay.att.net.smtp: Flags [.], ack 207, win 8325, options [nop,nop,TS val 3017712391 ecr 317610223], length 0
08:39:54.230072 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [P.], ack 145, win 33304, options [nop,nop,TS val 317610226 ecr 3017712351], length 8
08:39:54.230143 IP tuna.theoceanwindow-bv.com.35659 > scc-mailrelay.att.net.smtp: Flags [.], ack 215, win 8326, options [nop,nop,TS val 3017712391 ecr 317610226], length 1448
08:39:54.230149 IP tuna.theoceanwindow-bv.com.35659 > scc-mailrelay.att.net.smtp: Flags [P.], ack 215, win 8326, options [nop,nop,TS val 3017712391 ecr 317610226], length 338
08:39:54.241318 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [.], ack 1931, win 33304, options [nop,nop,TS val 317610227 ecr 3017712391], length 0
08:39:54.244078 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [P.], ack 1931, win 33304, options [nop,nop,TS val 317610227 ecr 3017712391], length 39
08:39:54.244161 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [P.], ack 1931, win 33304, options [nop,nop,TS val 317610227 ecr 3017712391], length 13
08:39:54.244169 IP tuna.theoceanwindow-bv.com.35659 > scc-mailrelay.att.net.smtp: Flags [.], ack 267, win 8324, options [nop,nop,TS val 3017712405 ecr 317610227], length 0
08:39:54.244214 IP tuna.theoceanwindow-bv.com.35659 > scc-mailrelay.att.net.smtp: Flags [F.], seq 1931, ack 267, win 8326, options [nop,nop,TS val 3017712405 ecr 317610227], length 0
08:39:54.253854 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [.], ack 1932, win 33304, options [nop,nop,TS val 317610228 ecr 3017712405], length 0
08:39:54.253968 IP scc-mailrelay.att.net.smtp > tuna.theoceanwindow-bv.com.35659: Flags [F.], seq 267, ack 1932, win 33304, options [nop,nop,TS val 317610228 ecr 3017712405], length 0
08:39:54.253983 IP tuna.theoceanwindow-bv.com.35659 > scc-mailrelay.att.net.smtp: Flags [.], ack 268, win 8325, options [nop,nop,TS val 3017712415 ecr 317610228], length 0









--

J.
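
An added example, not part of the original thread: a small script that reads decoded tcpdump text and reports client flows whose SYNs were never answered, which is the pattern visible in the capture above. The six google.com lines are taken from the capture (each packet re-joined onto one line); the last two lines and the name client.example.net are constructed to show an answered handshake for contrast.

```python
import re
from collections import defaultdict

# Six SYN lines from the capture posted in the thread, followed by two
# CONSTRUCTED lines (client.example.net) showing a handshake that is answered.
CAPTURE = """\
08:40:31.036997 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972295960 ecr 0,nop,wscale 6], length 0
08:40:34.037857 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972298960 ecr 0,nop,wscale 6], length 0
08:40:40.036791 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972304960 ecr 0,nop,wscale 6], length 0
08:40:50.037758 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972314960 ecr 0,nop,wscale 6], length 0
08:41:00.037805 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972324960 ecr 0,nop,wscale 6], length 0
08:41:10.037831 IP mail-iy0-f182.google.com.51101 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720, options [mss 1430,sackOK,TS val 2972334960 ecr 0,nop,wscale 6], length 0
08:41:20.000000 IP client.example.net.40000 > tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 1000, win 5720, length 0
08:41:20.000150 IP tuna.theoceanwindow-bv.com.smtp > client.example.net.40000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
"""

# time, "host.port" of sender, "host.port" of receiver, TCP flags
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > (\S+): Flags \[([^\]]+)\]"
)


def parse(text):
    """Yield (seconds_since_midnight, src, dst, flags) per decoded TCP line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            hh, mm, ss, src, dst, flags = m.groups()
            yield int(hh) * 3600 + int(mm) * 60 + float(ss), src, dst, flags


def unanswered_syns(text):
    """Return {(client, server): [SYN times]} for flows that got no reply.

    Any segment in the reverse direction (SYN-ACK "S.", RST, data) counts as
    an answer; only complete silence from the server is reported.
    """
    syns = defaultdict(list)
    answered = set()
    for t, src, dst, flags in parse(text):
        if flags == "S":
            syns[(src, dst)].append(t)
        else:
            # A packet from dst back to src answers the (src, dst) flow.
            answered.add((dst, src))
    return {flow: times for flow, times in syns.items() if flow not in answered}


def retransmit_gaps(times):
    """Whole-second gaps between successive SYNs of one flow."""
    return [round(b - a) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for (client, server), times in unanswered_syns(CAPTURE).items():
        print(f"{client} -> {server}: {len(times)} SYNs, no reply, "
              f"gaps {retransmit_gaps(times)} s")
```

Silence after repeated SYNs, with the SYNs visible on the server's own interface, means the packets arrived and the fault is on the server side of the capture point.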





Re: Google 7720 Error [thread resumed due to useful data]

2011-05-15 Thread jason hirsh

On May 15, 2011, at 10:09 AM, Wietse Venema wrote:

> jason hirsh:
>> 08:40:31.036997 IP mail-iy0-f182.google.com.51101 >  
>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,  
>> options [mss 1430,sackOK,TS val 2972295960 ecr 0,nop,wscale 6], length 0
> 
> SYN from google.com -> theoceanwindow-bv.com
> 
>> 08:40:34.037857 IP mail-iy0-f182.google.com.51101 >  
>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,  
>> options [mss 1430,sackOK,TS val 2972298960 ecr 0,nop,wscale 6], length 0
> 
> Retransmission: SYN from google.com -> theoceanwindow-bv.com
> 
>> 08:40:40.036791 IP mail-iy0-f182.google.com.51101 >  
>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,  
>> options [mss 1430,sackOK,TS val 2972304960 ecr 0,nop,wscale 6], length 0
> 
> Retransmission: SYN from google.com -> theoceanwindow-bv.com
> 
>> 08:40:50.037758 IP mail-iy0-f182.google.com.51101 >  
>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,  
>> options [mss 1430,sackOK,TS val 2972314960 ecr 0,nop,wscale 6], length 0
> 
> and so on.
> 
> The packet arrives on the network interface, but it is dropped
> (by firewall rule) before it reaches your TCP protocol engine,
> and therefore your machine does not respond.
> 
> Show your IPFW rules (or whatever the packet filter). I suspect
> a malformed net/mask rule.
> 
IPFW show as follows


00010  10199  16170990 allow ip from any to any via lo0
00015   2038374094 allow ip from any to any via tap0
00035  0 0 allow ip from any to 10.8.0.0/24 keep-state
00037  0 0 allow ip from 10.8.0.0/24 to any keep-state
00040  0 0 deny tcp from any to any frag
00041  0 0 deny log ip from 221.192.199.49 to any
00050  0 0 check-state
00060 189242 105467724 allow tcp from any to any established
00070  32719   3680271 allow ip from any to any out keep-state
00080324 27140 allow icmp from any to any
00100   3825245465 allow log tcp from any to me dst-port 21 in setup 
keep-state
00105  0 0 allow log tcp from me 20,21 to any out keep-state
00120  0 0 allow log tcp from any to any dst-port 21 out
00130 13   676 allow tcp from any to any dst-port 22 in
00140  0 0 allow tcp from any to any dst-port 22 out
00150261 15020 allow tcp from any to any dst-port 25 in
00160  0 0 allow tcp from any to any dst-port 25 out
00170   2625197570 allow udp from any to any dst-port 53 in
00175  0 0 allow tcp from any to any dst-port 53 in
00180  0 0 allow udp from any to any dst-port 53 out
00185  0 0 allow tcp from any to any dst-port 53 out
00190552 32580 allow tcp from any to any dst-port 80 in
00192  0 0 allow tcp from any to any dst-port 8010 in
00193  0 0 allow tcp from any to any dst-port 8010 out
00195  0 0 allow tcp from any to any dst-port 80 out
00196  0 0 allow tcp from any to any dst-port 81 in
00197  0 0 allow tcp from any to any dst-port 81 out
00198  0 0 allow udp from any to any dst-port 81 in
00199  0 0 allow udp from any to any dst-port 81 out
00209156  9696 allow tcp from any to any dst-port 110 in
00210  0 0 allow tcp from any to any dst-port 110 out
00211 218000  17030046 allow udp from any to any dst-port 137 in
00212  0 0 allow tcp from any to any dst-port 137 in
00213  0 0 allow udp from any to any dst-port 137 out
00214  0 0 allow tcp from any to any dst-port 137 out
00215  24493   5357641 allow udp from any to any dst-port 138 in
00216  0 0 allow tcp from any to any dst-port 138 in
00217  0 0 allow udp from any to any dst-port 138 out
00218  0 0 allow tcp from any to any dst-port 138 out
00223  0 0 allow udp from any to any dst-port 139 in
00224  0 0 allow udp from any to any dst-port 139 out
00225  5   288 allow tcp from any to any dst-port 139 in
00226  0 0 allow tcp from any to any dst-port 139 out
00227  0 0 allow tcp from any to any dst-port 445 in
00228  0 0 allow tcp from any to any dst-port 445 out
00229  0 0 allow udp from any to any dst-port 445 in
00230  0 0 allow udp from any to any dst-port 445 out
00231118  7264 allow ip from any to any dst-port 465 in
00232  0 0 allow ip from any to any dst-port 465 out
00240  0 0 allow ip from any to any dst-port 587 in
00242  0 0 allow ip from any to any dst-port 587 out
00250 57  3544 allow tcp from any to any dst-port 993 in
00251  0 0 allow tcp from any to any dst-port 993 out
00260   1714108268 allow tcp f

Re: Google 7720 Error [thread resumed due to useful data]

2011-05-16 Thread jason hirsh

On May 16, 2011, at 9:51 AM, Wietse Venema wrote:

> jason hirsh:
>> 08:40:31.036997 IP mail-iy0-f182.google.com.51101 >  
>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,  
>> options [mss 1430,sackOK,TS val 2972295960 ecr 0,nop,wscale 6], length 0
> 
> So, you are receiving connection attempts from a Google system
> mail-iy0-f182.google.com. This has IP address 209.85.210.182.
> 
> I also notice that tuna.theoceanwindow-bv.com has an IP address
> of 209.160.65.133.
> 
> What is the output of
> 
>   ifconfig -a | grep 209.160

inet 209.160.65.133 netmask 0xf800 broadcast 209.160.71.255

(this is the IP handling mail services)

inet 209.160.68.112 netmask 0xff00 broadcast 209.255.255.255


> 
> If the netmask is mis-configured (say, 0xff00) then that explains
> why we see no responses to connection attempts from 209.85.210.182
> (and other 209.* IP addresses).
> 



> The reason is that your machine is sending out ARP requests to the
> local subnet for 209.85.210.182. Of course it gets no response,
> and therefore it never replies to connection attempts from that IP
> address.
> 
> FYI this means that no-one in 209.* would be able to connect to
> your web server as well.


I am more than a little confused in that I have in fact received mail from that 
google server

an example from message header is

"Received:  from mail-gw0-f54.google.com (mail-gw0-f54.google.com 
[74.125.83.54]) by tuna.theoceanwindow-bv.com (Postfix) with ESMTP id 11AB65C23 
for ; Sat, 14 May 2011 22:37:41 -0400 (EDT)"

> 
>   Wietse



Re: Google 7720 Error [thread resumed due to useful data]

2011-05-16 Thread jason hirsh

On May 16, 2011, at 10:47 AM, /dev/rob0 wrote:

> On Mon, May 16, 2011 at 10:29:10AM -0400, jason hirsh wrote:
>> On May 16, 2011, at 9:51 AM, Wietse Venema wrote:
>>> jason hirsh:
>>>> 08:40:31.036997 IP mail-iy0-f182.google.com.51101 >  
>>>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,  
>>>> options [mss 1430,sackOK,TS val 2972295960 ecr 0,nop,wscale 6], length 0
>>> 
>>> So, you are receiving connection attempts from a Google system
>>> mail-iy0-f182.google.com. This has IP address 209.85.210.182.
>>> 
>>> I also notice that tuna.theoceanwindow-bv.com has an IP address
>>> of 209.160.65.133.
>>> 
>>> What is the output of
>>> 
>>> ifconfig -a | grep 209.160
>> 
>> inet 209.160.65.133 netmask 0xf800 broadcast 209.160.71.255
>> 
>> (this is the IP handling mail services)
>>  
>> inet 209.160.68.112 netmask 0xff00 broadcast 209.255.255.255
>> 
>> 
>>> 
>>> If the netmask is mis-configured (say, 0xff00) then that explains
>>> why we see no responses to connection attempts from 209.85.210.182
>>> (and other 209.* IP addresses).
> 
> Wietse's amazing crystal ball strikes again! :)
> 
>>> The reason is that your machine is sending out ARP requests to the
>>> local subnet for 209.85.210.182. Of course it gets no response,
>>> and therefore it never replies to connection attempts from that IP
>>> address.
>>> 
>>> FYI this means that no-one in 209.* would be able to connect to
>>> your web server as well.
>> 
>> 
>> I am more than a little confused in that I have in fact received 
>> mail from that google server
>> 
>> an example from message header is
>> 
>> "Received: from mail-gw0-f54.google.com (mail-gw0-f54.google.com 
>> [74.125.83.54]) by tuna.theoceanwindow-bv.com (Postfix) with ESMTP 
> 
> mail-iy0-f182.google.com[209.85.210.182] is not the same as 
> mail-gw0-f54.google.com[74.125.83.54]

staring at my screen too long
> 
>> id 11AB65C23 for ; Sat, 14 May 2011 22:37:41 
>> -0400 (EDT)"
> -- 
>Offlist mail to this address is discarded unless
>"/dev/rob0" or "not-spam" is in Subject: header



Re: Google 7720 Error [thread resumed due to useful data]

2011-05-16 Thread jason hirsh

On May 16, 2011, at 10:48 AM, Wietse Venema wrote:

> jason hirsh:
>> inet 209.160.68.112 netmask 0xff00 broadcast 209.255.255.255
> 
> Well that explains everything. With this, your machine believes
> that all IP addresses in 209.* are on the local subnet.
> 
>>> If the netmask is mis-configured (say, 0xff00) then that explains
>>> why we see no responses to connection attempts from 209.85.210.182
>>> (and other 209.* IP addresses).
>>> 
>>> FYI this means that no-one in 209.* would be able to connect to
>>> your web server as well.
>> I am more than a little confused in that I have in fact received
>> mail from that google server
>> 
>> an example from message header is
>> 
>> "Received: from mail-gw0-f54.google.com (mail-gw0-f54.google.com
>> [74.125.83.54]) by tuna.theoceanwindow-bv.com (Postfix) with ESMTP
>> id 11AB65C23 for ; Sat, 14 May 2011 22:37:41
>> -0400 (EDT)"
>> 
> 
> Indeed. Have you noticed that this is 74.125.83.54?

staring at screen too long
> 
> You will never receive a connection from 209.* until you fix
> that IP netmask from 0xff00.

I am correcting.. thank you

I was unable to get this quality of advice from the FreeBSD forum

I rechecked my mindspring bounce and found it was also a 209.   IP
> 
>   Wietse



Re: Google 7720 Error [thread resumed due to useful data]

2011-05-16 Thread jason hirsh

On May 16, 2011, at 11:27 AM, Wietse Venema wrote:

> Wietse Venema:
>> jason hirsh:
>>>>>> What is the output of
>>>>>> 
>>>>>>  ifconfig -a | grep 209.160
>>>>> 
>>>>> inet 209.160.65.133 netmask 0xf800 broadcast 209.160.71.255
>>>>> 
>>>>> (this is the IP handling mail services)
>>>>>   
>>>>> inet 209.160.68.112 netmask 0xff00 broadcast 209.255.255.255
>>>>>> 
>>>>>> If the netmask is mis-configured (say, 0xff00) then that explains
>>>>>> why we see no responses to connection attempts from 209.85.210.182
>>>>>> (and other 209.* IP addresses).
>>>> 
>>>> Wietse's amazing crystal ball strikes again! :)
>> 
>> FYI the correct FreeBSD rc.conf setting would be:
>> 
>> (assuming your interface is em0)
>> ifconfig_em0="inet 209.160.65.133 netmask 0xf800"
>> ifconfig_em0_alias0="inet 209.160.68.112 netmask 0x"
>> 
>> And to fix by hand:
>> 
>> (assuming your interface is em0)
>> # ifconfig em0 inet 209.160.68.112 netmask 0x
> 
> That is, assuming the two addresses were on the same network
> interface.  If they're on different interfaces then specify
> the same 0xf800 netmask for both.

Wietse

They were and thank you for the information.. saved me MUCH research as I am 
used to 255. format


I was able to get at least one of the trouble addresses to mail me again and it 
worked.


thanks for the help, patience and understanding.. 

I have a lot more to learn


jason

> 
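
An added example, not part of the original thread: it reproduces the diagnosis above by asking, for each peer address, whether the host would treat it as on-link (resolved by ARP on the local segment) or send replies to the default gateway. The hex netmasks are truncated on this page, so the prefix lengths /21 and /8 are assumptions, checked in the code against the broadcast addresses from the ifconfig output; the corrected set uses the "same netmask for both" variant.

```python
import ipaddress

# (address, ASSUMED prefix length, broadcast as shown in the thread).
# The page's hex masks are truncated; /21 and /8 are assumptions that
# interfaces() verifies against the broadcast addresses from ifconfig.
AS_POSTED = [
    ("209.160.65.133", 21, "209.160.71.255"),
    ("209.160.68.112", 8, "209.255.255.255"),
]

# Assumed corrected state: the /21 mask on both addresses ("the same netmask
# for both" in the thread). The alias mask given for the same-interface case
# is truncated on the page and is not reproduced here.
CORRECTED = [
    ("209.160.65.133", 21, "209.160.71.255"),
    ("209.160.68.112", 21, "209.160.71.255"),
]

# Peer addresses quoted in the thread.
PEERS = {
    "mail-iy0-f182.google.com": "209.85.210.182",  # SYNs never answered
    "mail-gw0-f54.google.com": "74.125.83.54",     # mail was received
}


def interfaces(rows):
    """Build IPv4Interface objects; reject a mask that contradicts its broadcast."""
    out = []
    for addr, plen, bcast in rows:
        iface = ipaddress.ip_interface(f"{addr}/{plen}")
        if iface.network.broadcast_address != ipaddress.ip_address(bcast):
            raise ValueError(f"{addr}/{plen} does not yield broadcast {bcast}")
        out.append(iface)
    return out


def on_link_via(peer, ifaces):
    """Return the interface whose connected network covers peer, else None.

    None means replies are routed to the default gateway. A match means the
    host considers the peer a directly attached neighbour and ARPs for it; a
    remote peer never answers that ARP, so the SYN-ACK is never sent.
    """
    peer = ipaddress.ip_address(peer)
    matches = [i for i in ifaces if peer in i.network]
    if not matches:
        return None
    return max(matches, key=lambda i: i.network.prefixlen)  # longest prefix


def audit(peers, ifaces):
    """Map each peer name to 'gateway' or 'on-link via <address>/<prefix>'."""
    report = {}
    for name, addr in peers.items():
        via = on_link_via(addr, ifaces)
        report[name] = "gateway" if via is None else f"on-link via {via}"
    return report


if __name__ == "__main__":
    for label, rows in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label)
        for name, verdict in audit(PEERS, interfaces(rows)).items():
            print(f"  {name:28} {verdict}")
```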


