Re: MX Priority (configuring a new server)

2011-01-17 Thread Lorens Kockum
On Tue, Jan 18, 2011 at 10:34:38AM +0530, ramesh srinivas wrote:
> Sorry Noel, I will figure out the DNS issue.

That's good, but you also said

> when i send mail to x...@example.com from yahoo maillog in
> mailhub shows 554 5.7.1 (Relay access denied)

You have to take care of that problem first of all. Your new
server must accept mail from anywhere to your domain, or you
will lose mail.

From an IP that is NOT related to your new mailserver, do:

you execute>   telnet YOURNEWSERVER 25
server writes> 220 rest doesn't matter
you write> HELO nomatter
server writes> 250 rest doesn't matter
you write> MAIL FROM:<>
server writes> 250 rest doesn't matter
you write> RCPT TO:<SOMEONE@SOME-OTHER-DOMAIN>
server writes> 554 Relaying denied
you write> RCPT TO:<REALUSER@YOURDOMAIN>
server writes> 250 rest doesn't matter

If you do *NOT* get that first 554 then you are writing from a
trusted IP and the rest is meaningless. (If that happens when
writing from an IP that is not related to your server, then you
have managed to misconfigure your server as an open relay, but
that does not seem to be the problem here).

If you do not have that last 250 in reply to the RCPT TO with
the real e-mail address that you want your server to handle, but
instead a 554 Relaying denied like the previous line, then you
have misconfigured your server. It does not handle your domain.
Do not change your DNS to point MX toward the new server, or you
will bounce legitimate mail.

HTH
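The same check, scripted, as an added example that is not part of the original post: it runs the HELO / MAIL FROM:<> / RCPT TO / RCPT TO exchange with the standard library and reads the two RCPT replies the way the post does. The function names, the placeholder addresses in the usage comment and the verdict strings are this example's own; nothing is actually sent, the envelope is discarded with RSET before QUIT.

```python
import smtplib
import sys


def classify_rcpt(foreign_code, local_code):
    """Interpret the reply codes to RCPT TO for an address in some other
    domain and for an address in the domain the new server must handle."""
    if foreign_code == 250:
        # Relay accepted for a domain that is not ours: either the probing
        # IP is trusted (so the test is meaningless) or the server is an
        # open relay.
        return "trusted-client-or-open-relay"
    if local_code != 250:
        # Our own domain refused: the server does not handle it yet, and
        # pointing MX at it would bounce legitimate mail.
        return "local-domain-refused"
    return "ok"


def probe(host, local_rcpt, foreign_rcpt, port=25, helo="nomatter", timeout=30):
    """Run the exchange from the post and return (foreign_code, local_code,
    verdict). Run it from an IP the server does not trust (not in its
    mynetworks), otherwise the first RCPT TO says nothing."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo(helo)
        code, reply = smtp.mail("")                 # sent as MAIL FROM:<>
        if code != 250:
            raise RuntimeError("MAIL FROM:<> refused: %d %r" % (code, reply))
        foreign_code, _ = smtp.rcpt(foreign_rcpt)   # expect 5xx, relay denied
        local_code, _ = smtp.rcpt(local_rcpt)       # expect 250
        smtp.rset()                                 # drop the envelope; nothing is queued
    return foreign_code, local_code, classify_rcpt(foreign_code, local_code)


if __name__ == "__main__":
    # usage: probe_relay.py YOURNEWSERVER REALUSER@YOURDOMAIN SOMEONE@SOME-OTHER-DOMAIN
    server, local_addr, foreign_addr = sys.argv[1:4]
    print(probe(server, local_addr, foreign_addr))
```

Only "ok" means it is safe to move the MX; the other two verdicts correspond to the two failure cases described above.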


Re: The future of SMTP ?

2011-03-13 Thread Lorens Kockum
On Sun, Mar 13, 2011 at 12:38:24PM +0100, Steve wrote:
> The spamming problem is not something that you can fix by
> replacing SMTP with something new.

An appropriate illustration is the initiative taken recently by
Germany's government to create a secure e-mail environment. It
does not replace SMTP. It mandates encryption, digital
signatures with government-issued certificates, isolation from
the current SMTP network, certified providers, and (optional?)
per-message fees.

http://www.itworld.com/software/139104/germany-identifies-secure-way-deal-spam



Re: (WTF) Re: Increase the speed of mails sending in postfix.

2011-04-26 Thread Lorens Kockum
On Mon, Apr 25, 2011 at 12:23:13PM +0200, Reindl Harald wrote:
> as long as you starting threads with single liners like
> 
> * How can I send 10 mails using postfix in 5 minutes
> * How can I increase mail sending speed in postfix

He's been asking the same question since April 5th. Each time he
got a selection of good answers; helpful, detailed, polite. I
don't think there's any more anyone can do except trade money
for time. Unless he's a spammer, of course, in which case one's
imagination is the only limit.


Re: Postfix Question Regarding Returned Email {Scanned Virus Free}

2011-04-27 Thread Lorens Kockum
On Thu, Apr 28, 2011 at 12:48:05AM +0200, mouss wrote:
> Bounces go to the envelope sender of the message. your best option is to
> get the web developers to set the right envelope sender.

Amen. A lot of otherwise competent and knowledgeable people
simply don't even begin to think about error checking when
sending mail.

> also check the ServerAdmin parameter in Apache. however, this won't let
> you set different addresses.

If it's PHP, you can set a PHP flag for each virtual host in the Directory Tag:

<Directory /root/of/website/>
    # maybe lots of other options
    php_admin_value register_globals Off
    php_admin_value open_basedir /root/of/website/
    php_admin_value doc_root /root/of/website/
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f ADMIN@EMAIL"
</Directory>

I don't remember if the open_basedir and doc_root were
recommended in order for sendmail_path to work, but that's how I
did it anyway :-)

HTH


Re: Mail to self & DNS

2011-05-29 Thread Lorens Kockum
On Sun, May 29, 2011 at 12:50:50PM +0100, Ronald MacDonald wrote:
> Hello,
>
> Just been having a look through my config. I've an obscure
> case, where I've added a domain to the alias/lookup tables but
> the customer has not yet changed her DNS settings.
>
> In this case, when I'm waiting for a client to update DNS, I
> still need to be able to get in touch with them.

You'll also have the same problem when a client changes DNS to a
new provider without telling you. Hopefully that doesn't happen
too often :-)

This is a classic problem for service providers. The classic
answer is to have separate instances for MSA and MX.

(copy-n-paste from a blurb I've already written)

MX receives mail from the Internet for local domains only. It
binds to port 25 only. It needs access to the mail spool, and
the list of user e-mails, but not auth info. It probably needs
to run AS/AV software to protect your users.

MSA receives mail from authenticated clients only, with any
destination address. It doesn't need to bind to port 25, it does
not need to have any local domains at all, and it does not need
to access the backend mail spool. It just needs to have access
to the database of users with auth info in order to authorize
users to relay. Anti-spam and antivirus are only in order to
prevent your users from annoying the world, and as such it
should have lots less hits than the MX. You could watch it more
closely (every hit is an incident) or simply turn it off, it
depends on your user base.

POP/IMAP is usually different software, and needs access to the
mail spool and to the database of users.

(end copy-n-paste)

In a small setup, all three can run on a single machine.
The only problem is that MSA might balk if the MX for the
destination domain is the same IP as the one the MSA is running
on. In a bigger setup, you'd have several separate machines for
each function.

The same basic reasons lead service providers to have separate
authoritative and resolving name servers.

Hope this helps!


Re: Re : configure postfix to relay host with yahoo

2011-05-30 Thread Lorens Kockum
On Mon, May 30, 2011 at 06:09:43PM +0100, Nahliel Steinberg wrote:
> May 30 19:00:25 osiris postfix/qmgr[3168]: 2CEF7281D9F: 
> from=, size=476, nrcpt=1 (queue active)
> May 30 19:00:26 osiris postfix/smtp[3199]: 2CEF7281D9F: 
> to=, relay=127.0.0.1[127.0.0.1]:11125, delay=1.2, 
> delays=0.12/0.01/0.94/0.13, dsn=5.0.0, status=bounced (host 
> 127.0.0.1[127.0.0.1] said: 553 From address not verified - see 
> http://help.yahoo.com/l/us/yahoo/mail/original/manage/sendfrom-07.html (in 
> reply to MAIL FROM command))
[...]
> 
> I think the problem is the mail address sender ?

Exactly. There's also a problem later on with the bounce, though.

You can tell postfix to accept the default address generated by
your MUA and rewrite it to the correct address. This is good
for servers that just have to send out mail (mail from cron
and things like that), since rewriting is simple; there's just
one domain. This is what you seem to have tried to do in the
logs above, but usually the machines that I configure like this
send all their mail to a smarthost . . . You should configure
"myorigin" in the configuration file, details at

http://www.postfix.org/BASIC_CONFIGURATION_README.html

You can configure postfix to accept only properly qualified
addresses, and configure the program that you used to inject
the mail to use the proper address. This is good for ISP
mail servers that serve a lot of MUA clients (Thunderbird,
Outlook...) that have different domains.

Otherwise, you can do something more complicated, but you'll
need to read

http://www.postfix.org/ADDRESS_REWRITING_README.html

Hope this helps.


Re: Postfix Not Sending Emails. Timeout on Cleanup socket error.

2011-12-14 Thread Lorens Kockum
On Wed, Dec 14, 2011 at 05:43:58PM -0800, Gonzo Fernandez wrote:
> I'm not sure I'm understanding the log file info you would like. I tried 
> doing grep search for 8A2993E3003B on all log files under /var/log/* and only 
> found the following line to show up:
> 
> Dec 11 05:31:27 batch-ca4-02 postfix/cleanup[31691]: warning: 8A2993E3003B: 
> read timeout on cleanup socket
> 
> Can you please be more specific? Thanks for your patience and help. 


Your log line is dated 5 AM plus a little. Maybe your log file
got rotated (that usually happens at 4 or 5 AM). The reason
that your grep on all log files did not yield the result is
probably that the rotated log files are zipped. zgrep (at least
my version) behaves nicely when the files aren't zipped, so

zgrep 8A2993E3003B /var/log/maillog*

should yield the information Wietse was asking for. If not, an

ls -ld /var/log/maillog*

would be useful.

Is this a very heavily used system?


Re: Postfix Not Sending Emails. Timeout on Cleanup socket error.

2011-12-15 Thread Lorens Kockum
On Thu, Dec 15, 2011 at 11:49:35AM -0800, Gonzo Fernandez wrote:
> /var/log/maillog:Dec 14 04:03:07 batch-ca4-02 postfix/sendmail[12280]: fatal: 
> root(0): queue file write error
> /var/log/maillog:Dec 15 12:03:07 batch-ca4-02 postfix/postdrop[21744]: 
> warning: uid=0: Illegal seek

In addition to what Wietse asked for in another mail just now,
do look at the output of the commands

mount

dmesg

That should show if there is a hardware problem.

If it is not, then is it not possible that the 8A2993E3003B you
are worrying about is a locally submitted mail from some system
daemon (like logwatch) that is too big for your configured
system limits? The times on the error messages make me suspect
some kind of cron job.

See:

http://www.electrictoolbox.com/logwatch-postfix-sendmail-errors/


http://www.cyberciti.biz/tips/linux-unix-posttfix-mutt-illegal-seek-error.html

8A2993E3003B would then be a minor consequence of your main
problem, which is mail freezing up over weekends.

To diagnose that problem, it would be interesting to grep on a
queue id that was correctly queued, like (from an earlier mail):

Dec 12 10:08:50 batch-ca4-02 postfix/pickup[26935]: warning: 884643E30022: 
message has been queued for 1 days

Since mails such as those have been correctly queued, there
should be a wealth of information about when and how and why
it's staying in the queue so long.

HTH



Re: Loadbalancing+failover solution

2011-12-27 Thread Lorens Kockum
On Tue, Dec 27, 2011 at 06:12:12PM +0100, Michael Maymann wrote:
> Hi all,
> 
> Thanks Peter, for you kind reply - some setup you have there... sounds very
> nice indeed...:-) !
> - If i have a lower budget, can this then be achieved without the
> loadbalancers and still have same redundancy/flexibility (using e.g. "DNS
> RR"/"MX with equal value") - if so what is for/against/preferred ?:

I looked over the rest of the thread and I suspect people are
talking about different things.

If I understand correctly, you want a relay. You have a lot
of servers with a primary function that is not sending mail,
but which do send mail, and you want to relay all the mail out
through a set of controlled dedicated mail servers. Am I right?

If so, the basic question is *how* the servers send mail. Either
the applications send mail directly to a hostname (Java Mail
or PHP for example), or they use the local mailer, which would
be postfix, I suppose, with a default smarthost configuration
pointing to your dedicated mail servers.

Pros and Cons:

- Not using local mailer will permit loadbalancing mail sent from
a single host over several postfix instances.

- Using local mailer will always work for all applications
(since applications that send to a hostname can send to
127.0.0.1)

- Using local mailer forces you to monitor the daemon and the
queues on all the machines, and takes up (probably negligible)
system resources

- Using local mailers will give you the UID of the sending
process in the headers

- Using local mailer protects you from a short outage of the
dedicated servers or some part of the network. Mail will be
spooled locally until the dedicated machines come back on line.

- Conversely, not using a local mailer will protect you from
local failures such as full disks or postfix not running,
but expose you more to network problems and availability
problems. That will cause you to look at redundant load
balancers.

- Using a load balancer will probably require you to mask source
IPs. That doesn't matter if you trust your servers or if you run
local firewalls forcing mail to run through the local mailer. If
you worry about client-written forms being exploited to send
spam you need to think about that.

> DNS RR: so just have like load-sharing (mail1->postfix1, mail2->postfix2,
> mail3->postfix1, etc.). But if one postfix servers goes down, will all DNS
> replies then be only for alive-postfix - or will there also be dead-postfix
> replies that needs to timeout, before it retries (and for how many times?)
> and potentially end up dropping the mail if it is so unlucky to get replies
> for dead-postfix on all retries ?
> "MX with equal value": is this handling differently? does a request load
> all MX records for the domain, and then sort them by value and then
> alphabetically, ending up with: if one postfix is down it will
> automatically try the next one in the sorted list...?

If you use a redundant load balancer, it will take care of
all that and "always" reply. Unless the network goes down, of
course.

If you do not, then there will be timeouts if something goes
down. You can specify relayhosts with or without brackets; the
brackets stop MX lookups. I seem to remember that in postfix
a relayhost that resolves to several IP addresses will be
handled more or less the same as a relayhost that has several MX
records. I think that wondering about which is more efficient is
not very useful since the difference is certainly vanishingly
small. Using MX permits you to specify main servers and backup
servers, but that's about it. However, non-mail applications
that send mail directly will probably not be able to handle
anything else than a single host/IP correctly.

So . . . is there a unique answer . . . probably not, need more
info on your situation and needs :-)


Re: Loadbalancing+failover solution

2011-12-27 Thread Lorens Kockum
On Tue, Dec 27, 2011 at 09:24:01PM +0100, Michael Maymann wrote:
> thanks for your kind reply...:-) !
> yes this is exactly the case... and my internal local-mailers consist of
> standard RHEL5+6 servers and NetApp's.
> Our ISP is restricting mail from only 1 of our sites, so we need to relay
> all our internal mail globally through this site.
> 
> We can't prevent non-mail applications, as we don't have 100% control of
> all hosts (LAB equipment etc.), so I guess it makes sense to still keep
> local-mailer, at-least just to keep consistency.

If it's for consistency, you would *not* have local mailers,
but you would configure everything to point at your HA postfix
relay. However I personally like local mailers as long as
something is automatically monitoring that they are well, and
you may find programs that will not work otherwise.

> Do you have a howto for this setup laying around somewhere
> (local-mailer -> HA postfix relay) ?:

Not really, but it's basically going through the "basic
configuration readme" and answering

For local mailers:

What domain name to use in outbound mail: $your_domain.com

What domains to receive mail for: none at all

What clients to relay mail from: localhost only

What destinations to relay mail to: default (nothing)

What delivery method: indirect:  relayhost = [mailout.$your_domain.com]

For your HA relays:

What domain name to use in outbound mail: $your_domain.com

What domains to receive mail for: none at all

What clients to relay mail from: your local networks

What destinations to relay mail to: nothing (not applicable)

What delivery method: direct

Hope this helps.


Re: I'm an open relay some how

2011-12-30 Thread Lorens Kockum
On Fri, Dec 30, 2011 at 12:51:27PM -0600, Noel Jones wrote:
> These are rejected and not useful to our discussion.  Please show
> ALL the postfix logging of a suspect transaction that makes it to
> your queue.  In particular, we want to see if there is a
> sasl_username= line logged for a suspicious QUEUEID.

Stephen, you say that you have a lot of mail in the queue. I
suppose you use `mailq` to see that? You need to take the queue
ID of a suspect mail from there, grep /var/log/maillog for that,
and send us the output.

HTH


Re: Aliases on local submissions only

2012-01-02 Thread Lorens Kockum
On Sun, Jan 01, 2012 at 06:00:46PM -0700, Philip Prindeville wrote:
> I have a 'border' postfix MTA that doesn't host any mailboxes, indeed it 
> doesn't even know what the valid usernames are for the domain.
> 
> It merely serves to check messages for viruses, and block DoS attacks.
> 
> As such, I need it to perform aliasing *only* on messages generated locally 
> by system services, such as 'cron'.

Wouldn't the easiest way be to configure the box with a specific
local domain? If its local domain is "antivirus.example.com",
then it won't do alias expansion for anything else. Should the
box have your main domain as a local domain if it doesn't even
know the valid usernames for the domain?

HTH


Re: Selecting Client Name Based On IP Version

2012-01-09 Thread Lorens Kockum
On Mon, Jan 09, 2012 at 08:37:48PM +, Sabahattin Gucukoglu wrote:
> One of my Postfix installs runs behind a NAT box.  The host
> name for the local private IP is in the .local domain, not
> suitable for public use in SMTP sessions but suitable for
> trace fields.  However, on IPv6, the host is a first-class
> citizen on the net and has its own host name.
>
> Can I arrange it so that the SMTP client uses different names
> in the EHLO/HELO command based on the protocol (IPv4 or IPv6)
> I am connecting with?  I do not want IPv6 servers to know
> my server as "natbox.mydomain", but "Bloodstone.mydomain".
> (natbox is the NAT box, anything could run behind that.)

In your place I would put the IPv6 domain name, and not worry
about the HELO being wrong when using IPv4. You could revise
that if you have problems with your correspondents actually
rejecting or downgrading your mail based upon the HELO string,
but I seriously doubt that will happen.

If, from some desire for ultimate perfection, you really want to
have the correct HELO name, then why not add another hostname
that points to the IPv4 address and the IPv6 address, and put
that as your mail server name?

HTH


Re: Transport: Multiple routes to internal domain

2012-02-06 Thread Lorens Kockum
On Tue, Feb 07, 2012 at 11:42:37AM +1100, Greg Wilson wrote:
> I use this
> technique, DNS round robin to evenly spread rdp connections to our
> terminal servers. My understanding is that a device does a DNS lookup and
> the server hands out each different IP address sequentially. Each device
> uses (caches) the first IP address it receives until it's rebooted. 

That might be true for rdp connections to your terminal servers,
but (luckily!) it's a bit more complicated.

The DNS server sends a reply containing all the IP
addresses. The order varies. If the code asking the question
only wants one address, then it takes only one, and the next
time it asks the question it might get another answer.  Postfix,
however, understands that there are multiple addresses and
tries them all, one after the other in a random order until
one replies or until it has tried them all and decides to wait
before trying again. After waiting Postfix will make another DNS
lookup.

The response to that lookup may be cached since the previous
lookup, but the cache is valid only until the record's time to
live (TTL) expires. The TTL is set in the DNS server. It can
be anything from zero ("do not cache") to a week or more. A
common default value is 24 hours. Of course, in the case of
a long-lived TCP connection you may have the impression that
the IP address is used until the device is restarted, and you
might even be correct (for an RDP client running on Windows, for
example), but that is not the case when sending mails.

> Is it possible to setup multiple transport records wth different
> costs to a domain? This may be a solution.

You can do unequal load balancing by creating multiple records
with the same IP.  That could work using /etc/hosts, you'd have
to test.

You can do priorities (first try X and if it doesn't work try
Y then Z) by using different-priority MX records. This needs
access to your DNS server, and cannot be done with /etc/hosts.

Hope this helps.
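A small model of the behaviour described above, added here as an example and not taken from the post or from the Postfix sources: MX records are tried by ascending preference, records of equal preference in random order, each host expanded to its addresses, and listing the same IP under two hostnames of equal preference gives it roughly twice the share. Postfix's own address selection has more knobs (smtp_randomize_addresses and friends); this only illustrates the ordering rules. The sample zone data is constructed.

```python
import random

# Constructed sample zone: two equal-preference names for one IP (2:1 weighting),
# a third host at the same preference, and a lower-priority backup.
SAMPLE_MX = [
    (10, "mail1.example.com"),
    (10, "mail1b.example.com"),
    (10, "mail2.example.com"),
    (20, "backup.example.com"),
]
SAMPLE_A = {
    "mail1.example.com": ["192.0.2.1"],
    "mail1b.example.com": ["192.0.2.1"],
    "mail2.example.com": ["192.0.2.2"],
    "backup.example.com": ["192.0.2.3"],
}


def delivery_order(mx_records, addresses, rng=random):
    """Return the IPs in the order a mailer tries them: lowest MX preference
    first, random order among equal preferences, each hostname expanded to
    its A records (also shuffled). A name with no MX record is represented
    by a single entry pointing at itself (the /etc/hosts case)."""
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        for host in hosts:
            ips = list(addresses.get(host, []))
            rng.shuffle(ips)
            order.extend(ips)
    return order


def first_reachable(order, reachable):
    """Walk the candidates until one answers. None means all of them failed,
    so the mailer defers the message and re-resolves the name after its
    retry delay (subject to the record TTL)."""
    for ip in order:
        if ip in reachable:
            return ip
    return None


def first_try_counts(mx_records, addresses, trials=1000, seed=1):
    """How often each IP is the first one tried, over many independent
    lookups; shows the unequal balancing obtained from duplicate names."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = delivery_order(mx_records, addresses, rng)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    print(delivery_order(SAMPLE_MX, SAMPLE_A, random.Random(7)))
    print(first_try_counts(SAMPLE_MX, SAMPLE_A))
```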


Re: Bulk Mailing Performance

2012-09-02 Thread Lorens Kockum
The exact same question was sent by someone calling himself
"Ron White" to the exim mailing list at almost exactly the same
time. Peddling one's services by soliciting comparisons with
competitors is so passé . . .



Re: possible localhost dns spoof attack

2013-02-27 Thread Lorens Kockum
On Tue, Feb 26, 2013 at 05:16:20PM +0200, Jamie wrote:
> I unblocked the IP and the problem came back.

In another mail you said you'd used tcpdump. Why don't you set
tcpdump to record everything from that IP address, unblock the
IP address, wait for a few spams to go through, block the
IP address, and analyze the tcpdump to see exactly what is
happening?

This should do it:

tcpdump -i $INTERFACE -s 0 -w /tmp/spammer.tcpdump host 113.167.239.162


Re: Need some help: "fatal: no login name found for user ID"

2013-10-20 Thread Lorens Kockum
Wietse Venema wrote:
> To prevent Postfix sendmail from looking up this information you
> must supply the sender name or address with the -f command-line
> option.

Maksim,

One way to make the PHP mail() function do this is to configure
Apache with this:

<Directory /PATH/TO/WEBSITE/>
    # maybe lots of other options
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f SOURCE@EMAIL.ADDRESS"
</Directory>


Re: UTF-8 subjects not logging correctly.

2013-12-21 Thread Lorens Kockum
On Thu, Dec 19, 2013 at 04:49:46PM +0530, tejas sarade wrote:
> warning: subject: =?utf-8?B?QVBMIE..
...
> Is there any way the the logged warning subject in Postfix logs can be
> displayed the way mail client does.

I suggest you run the log through a script that decodes the encoded UTF. A perl 
one-liner should do it:

$ cat test.log 

something
warning: subject: testing four a's:=?UTF-8?B?IGHDg8Khw4PCoMODwqQ=?= end
something else

$ cat test.log | perl -MEncode=decode -ne 'print (decode("MIME-Header", "$_"))'

something
warning: subject: testing four a's: aáàä end
something else

$
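For those who would rather not depend on perl, here is a Python equivalent, added as an example and not part of the post: it finds RFC 2047 encoded-words (both B and Q encodings) anywhere in a log line and replaces them with the decoded text, dropping the whitespace between two adjacent encoded-words as the RFC requires. The sample lines are constructed, with the subject re-encoded as plain UTF-8 so that the decoded text is " aáàä" regardless of terminal settings.

```python
import base64
import binascii
import quopri
import re
import sys

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(
    r"=\?(?P<charset>[^?\s]+)\?(?P<enc>[bBqQ])\?(?P<text>[^?\s]*)\?="
)
# Whitespace between two adjacent encoded-words carries no meaning
BETWEEN_WORDS = re.compile(r"(\?=)[ \t]+(=\?)")

# Constructed sample log lines (not from the thread)
SAMPLE_LINES = [
    "something\n",
    "warning: subject: testing four a's:=?UTF-8?B?IGHDocOgw6Q=?= end\n",
    "warning: subject: =?ISO-8859-1?Q?Caf=E9_au_lait?=\n",
    "something else\n",
]


def _decode_word(match):
    """Decode one encoded-word; leave it untouched if it is malformed."""
    charset = match.group("charset")
    enc = match.group("enc").lower()
    text = match.group("text")
    try:
        if enc == "b":
            raw = base64.b64decode(text + "=" * (-len(text) % 4))
        else:
            # Q encoding is quoted-printable with "_" standing for a space
            raw = quopri.decodestring(text.replace("_", " ").encode("latin-1"))
    except (binascii.Error, ValueError):
        return match.group(0)
    try:
        return raw.decode(charset, "replace")
    except LookupError:            # unknown charset name: show the bytes somehow
        return raw.decode("latin-1")


def decode_log_line(line):
    """Return the line with every encoded-word replaced by its decoded text."""
    line = BETWEEN_WORDS.sub(r"\1\2", line)
    return ENCODED_WORD.sub(_decode_word, line)


def decode_lines(lines):
    return [decode_log_line(line) for line in lines]


if __name__ == "__main__":
    # usage: cat test.log | python3 decode_subjects.py
    for raw in sys.stdin:
        sys.stdout.write(decode_log_line(raw))
```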