Complex canonical rewrite with ldap and regexp
Hi,

I want to know if the following canonical rewrite is possible with Postfix, and how?

In my LDAP directory, for each user, I have givenName and familyName attributes. The canonical name should be givenName.familyName or familyName.givenName, the order depending on a third attribute (certain countries put the family name before the given name...). Then the string should be rewritten to replace all non-alphanumeric characters by a hyphen.

Is that possible with a combination of ldap: and regexp:, and how?

On the other hand, if I receive an email addressed to some canonical name, how/where is the correspondence made with the uid?

Best regards,

Olivier
Expected output for local_recipient_maps = ldap:...
Hi,

In my Postfix configuration I have

local_recipient_maps = unix:passwd.byname $alias_maps ldap:$config_directory/ldap_local_recipient

What is the expected output of the ldap: part? Anything non-empty means the user is local? The user ID? Something else?

Best regards,

Olivier
Canonical forward and reverse
Hi,

I managed to add canonical rewriting, but now I am stuck with Postfix trying to deliver the message to the canonical name and not to the proper Unix login name.

Using "sendmail -bv o...@cs.ait.ac.th" I get:

--463023A3834.1248410743/mail2.cs.ait.ac.th
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mail2.cs.ait.ac.th.

Enclosed is the mail delivery report that you requested.

The mail system

(expanded from ): delivery via local: unknown user: "olivier.nicole"

--463023A3834.1248410743/mail2.cs.ait.ac.th
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; mail2.cs.ait.ac.th
X-Postfix-Queue-ID: 463023A3834
X-Postfix-Sender: rfc822; r...@cs.ait.ac.th
Arrival-Date: Fri, 24 Jul 2009 11:45:43 +0700 (ICT)

Final-Recipient: rfc822; olivier.nic...@cs.ait.ac.th
Original-Recipient: rfc822; o...@cs.ait.ac.th
Action: undeliverable
Status: 5.1.1
Diagnostic-Code: X-Postfix; delivery via local: unknown user: "olivier.nicole"

--463023A3834.1248410743/mail2.cs.ait.ac.th
Content-Description: Message Headers
Content-Type: text/rfc822-headers

Return-Path:
Received: by mail2.cs.ait.ac.th (Postfix, from userid 0)
        id 463023A3834; Fri, 24 Jul 2009 11:45:43 +0700 (ICT)
From: r...@cs.ait.ac.th
Subject: probe
To: olivier.nic...@cs.ait.ac.th
Message-Id: <20090724044543.463023a3...@mail2.cs.ait.ac.th>
Date: Fri, 24 Jul 2009 11:45:43 +0700 (ICT)

--463023A3834.1248410743/mail2.cs.ait.ac.th--

Expansion from on@ into Olivier.Nicole@ is correct. How/where do I inform the LDA that it is to deliver to the Unix account associated to that canonical name Olivier.Nicole?

Best regards,

Olivier
Re: spamc being called when using amavis-new
> I have gone through the postfix configs and amavis configs and could not
> find any reference to spamc.. so where could this be coming from?

It should not be in amavisd-new: in normal configuration, amavisd-new loads SpamAssassin as a Perl module and does not use the spamc/spamd mechanism.

You could temporarily disable amavis from Postfix, that way you will be sure that this spamc call does not come from amavis...

Olivier
Address rewriting to include GECOS
Hi,

I read and re-read the address-rewriting README and could not find any indication on the way to rewrite addresses to include GECOS information:

o...@cs.ait.ac.th => Olivier Nicole

Is that possible in Postfix? I believe yes. Where is that done and how?

Best regards,

Olivier
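The three questions above (canonical names from LDAP attributes, the reverse mapping the LDA needs when it is handed "olivier.nicole", and the GECOS variant of the same rewrite) all come down to generating two tables offline rather than chaining ldap: and regexp: inside Postfix. The script below is an added example, not code from the original posts or from Postfix: it derives a sender_canonical_maps table (uid@domain to first.last@domain) and the matching virtual_alias_maps table (first.last@domain back to the uid) from directory-style records, and can take passwd(5) lines with a GECOS full name as input too. The record format, the "nameOrder" attribute, the sample records and the "first word is the given name" GECOS rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original posts or from Postfix.
# Builds the forward (sender_canonical_maps) and reverse (virtual_alias_maps)
# tables for First.Last addressing from constructed directory records.

DOMAIN=${DOMAIN:-cs.ait.ac.th}

# Constructed records: uid|givenName|familyName|nameOrder
# nameOrder is a hypothetical attribute; "family-first" puts familyName first.
SAMPLE_RECORDS='on|Olivier|Nicole|given-first
sa|Sanjeet|Amar|given-first
lw|Wei|Li|family-first
ma|Mary Anne|van der Berg|given-first'

# Lowercase one name component and turn every run of non-alphanumeric
# characters into a single hyphen. Postfix folds lookup keys to lowercase
# anyway; collapsing runs avoids "mary--anne". Non-ASCII letters are multibyte
# here and would become hyphens, so transliterate them before calling this.
sanitize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' \
        | sed -e 's/[^a-z0-9]\{1,\}/-/g' -e 's/^-//' -e 's/-$//'
}

# canonical_name GIVEN FAMILY ORDER -> given.family or family.given
canonical_name() {
    g=$(sanitize "$1"); f=$(sanitize "$2")
    if [ -z "$f" ]; then printf '%s\n' "$g"; return; fi
    case "$3" in
        family-first) printf '%s.%s\n' "$f" "$g" ;;
        *)            printf '%s.%s\n' "$g" "$f" ;;
    esac
}

# Records on stdin -> sender_canonical_maps lines: uid@domain <TAB> first.last@domain
gen_canonical() {
    while IFS='|' read -r uid given family order; do
        [ -n "$uid" ] || continue
        printf '%s@%s\t%s@%s\n' "$uid" "$DOMAIN" \
            "$(canonical_name "$given" "$family" "$order")" "$DOMAIN"
    done
}

# Records on stdin -> virtual_alias_maps lines: first.last@domain <TAB> uid
# Keys are fully qualified on purpose: an unqualified key matches every domain.
gen_reverse() {
    while IFS='|' read -r uid given family order; do
        [ -n "$uid" ] || continue
        printf '%s@%s\t%s\n' \
            "$(canonical_name "$given" "$family" "$order")" "$DOMAIN" "$uid"
    done
}

# passwd(5) lines on stdin -> the same record format, from the GECOS full name:
# first word as given name, the rest as family name (an assumption).
passwd_records() {
    awk -F: '{
        n = $5; sub(/,.*/, "", n); i = index(n, " ")
        if (i == 0) { g = n; f = "" } else { g = substr(n, 1, i - 1); f = substr(n, i + 1) }
        printf "%s|%s|%s|given-first\n", $1, g, f
    }'
}

# Print both tables from the sample and from one constructed passwd line.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RECORDS" | gen_canonical
    printf '%s\n' "$SAMPLE_RECORDS" | gen_reverse
    echo 'on:x:1001:1001:Olivier Nicole,Room 12:/home/on:/bin/sh' | passwd_records | gen_canonical
fi
```

Feed the output of gen_canonical to a file listed in sender_canonical_maps and the output of gen_reverse to a file listed in virtual_alias_maps, run postmap on both, and check a lookup with `postmap -q on@cs.ait.ac.th hash:/path/to/canonical`. The reverse table is what the "unknown user: olivier.nicole" bounce above is missing: without it the local delivery agent only knows Unix login names.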
Postfix to allow authentication only after STARTTLS
Hi,

I am using dovecot with postfix for authentication.

Everything (TLS/SSL, authentication) is working fine, except I cannot find a way to force STARTTLS before authentication:

220 mail2.cs.ait.ac.th ESMTP Postfix (2.6.2)
EHLO [192.41.170.57]
250-mail2.cs.ait.ac.th
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN
235 2.7.0 Authentication successful

The reply I got from the Dovecot mailing list is:

> disable_plaintext_auth affects logging in to dovecot IMAP/POP3 server.
> This is a SMTP session with Postfix, you'll have to configure Postfix
> not to allow plain text authentication before STARTTLS.

But I am doubtful because the authentication is dovecot's job, so I don't see how the configuration could be in postfix.

Any insight is more than welcome.

Best regards,

Olivier
Re: Postfix to allow authentication only after STARTTLS
Hi,

> I am using dovecot with postfix for authentication.
>
> Everything (TLS/SSL, authentication) is working fine, except I cannot
> find a way to force STARTTLS before authentication:
>
> 220 mail2.cs.ait.ac.th ESMTP Postfix (2.6.2)
> EHLO [192.41.170.57]
> 250-mail2.cs.ait.ac.th
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH PLAIN
> 235 2.7.0 Authentication successful
>
> The reply I got from the Dovecot mailing list is:
>
> > disable_plaintext_auth affects logging in to dovecot IMAP/POP3 server.
> > This is a SMTP session with Postfix, you'll have to configure Postfix
> > not to allow plain text authentication before STARTTLS.
>
> But I am doubtful because the authentication is dovecot's job, so I
> don't see how the configuration could be in postfix.
>
> Any insight is more than welcome.

I found it, it's the postfix parameter:

smtpd_tls_auth_only = yes

that I planned to change, but forgot to do.

Best regards,

Olivier
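The misconfiguration in this thread is visible in the very first EHLO reply: AUTH is advertised on a connection that has not yet issued STARTTLS, so a client (or anyone watching the wire) can send a PLAIN credential in clear. The check below is an added example, not part of the thread or of Postfix: it grades a pre-STARTTLS EHLO reply as "insecure" (AUTH offered in clear), "ok" (STARTTLS offered, AUTH hidden) or "no-tls". The two replies are constructed, modelled on the capture above; the live probe at the end assumes nc(1) is installed and is not used by the offline checks.

```shell
#!/bin/sh
# Added example, not from the thread: detect an smtpd that offers AUTH before
# STARTTLS, which is what smtpd_tls_auth_only = yes is meant to prevent.

# Constructed EHLO replies, modelled on the capture in the post.
EHLO_BEFORE_FIX='250-mail2.cs.ait.ac.th
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

EHLO_AFTER_FIX='250-mail2.cs.ait.ac.th
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# plaintext_auth_offered EHLO_REPLY: true when any AUTH line is present.
# Both "250-AUTH PLAIN LOGIN" and the legacy "250-AUTH=PLAIN LOGIN" form
# (emitted for broken_sasl_auth_clients = yes) count.
plaintext_auth_offered() {
    printf '%s\n' "$1" | grep -Eq '^250[- ]AUTH[ =]'
}

# starttls_offered EHLO_REPLY: the server must still advertise STARTTLS,
# otherwise clients cannot authenticate at all once AUTH is hidden.
starttls_offered() {
    printf '%s\n' "$1" | grep -Eq '^250[- ]STARTTLS$'
}

# grade_ehlo EHLO_REPLY: prints "insecure", "ok" or "no-tls".
grade_ehlo() {
    if plaintext_auth_offered "$1"; then echo insecure
    elif starttls_offered "$1"; then echo ok
    else echo no-tls
    fi
}

# live_ehlo HOST [PORT]: fetch the real pre-STARTTLS EHLO reply. Assumes nc(1);
# CRs are stripped so the patterns above match. Not called by the offline checks.
live_ehlo() {
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" \
        | tr -d '\r' | grep '^250'
}
```

Run `grade_ehlo "$(live_ehlo mail2.cs.ait.ac.th)"` from outside the network after setting smtpd_tls_auth_only = yes; the expected result is "ok". The setting only takes effect when smtpd_tls_security_level is "may" or "encrypt", and with it Postfix also refuses an AUTH command sent before STARTTLS rather than merely hiding the keyword.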
Re: filter incoming but not outgoing
Hi,

> 1. Sign outgoing messages with dkim and vbr (currently doing this with
> amavis)
>
> 2. Only allow sending from our networks
>
> 3. Do NOT filter, virus scan or spam scan outgoing messages
>
> 4. DO scan and filter incoming messages
>
> 5. Optimize / Tweak settings for large number of outgoing messages

Yesterday I was looking for the same thing and I found that page:

http://www200.pair.com/mecham/spam/bypassing.html

though it applies to Postfix+amavis, that is, Postfix is in charge of deciding if a message is incoming or outgoing.

Now I think it is a *very bad* idea to disable virus filtering on outgoing messages: I do filter all messages, and in case of an outgoing message containing a virus, I send a warning to the administrator: it means one of the machines in my network has a virus, I better know that and take action.

Bests,

Olivier
Re: Looking for opinions on FreeBSD OS for Postfix
Hi,

> I'm considering FreeBSD as an alternative, but I was wondering what
> people think of FreeBSD as a platform for Postfix. It's obviously not
> as easy to maintain as Ubuntu, but it does have a reputation for
> stability. Any thoughts, recommendations or experiences would be
> appreciated.

I am currently setting up a mail server based upon Postfix on FreeBSD. It works as well as one can expect.

Now regarding the ease of maintenance, I would say that you have a wrong point of view: an OS upgrade on a production server should never be something automated that you run blindly: at any stage, it is possible that something goes wrong, so you better keep good control when you are doing an update. That is the reason why I keep on with the RELENG update track on FreeBSD, that only applies security patches (on a running server I don't need new features or new drivers for something I don't use and that could cause trouble to my system).

Besides, I agree with the comments about separation between base OS and additional software, good documentation, good ports (built from source, with flexibility in the options you want to install), stability of NFS server (nothing specific to do to accept Ubuntu clients BTW).

And yes, I have been a happy user of FreeBSD for more than 10 years, so I must be biased :)

Bests,

Olivier
Re: rbl checks, best place
Hi Dave,

> I'm running postfix, amavisd-new and spamassassin. Currently in my
> postfix smtpd_recipient_restrictions right at the end last thing i have some
> rbl checks. I'm wondering if that's the best place for them or should i
> disable that and activate them in spamassassin? Suggestions welcome.

This is a difficult question.

Do you really 100% trust the rbl you are using to have no false positive (some were listing gmail.com recently)?

If yes, then you can keep the rbl in postfix, it rejects the email at an earlier stage.

If no, you better test rbl in SA, as the rbl test only contributes to the final score.

I personally use the second.

Bests,

Olivier
Re: Significant relay delays
Hi,

This is just a wild guess...

> I'm also pretty sure it's not a network issue. After passing
> billions of packets there isn't a single error. I'm also pretty sure
> DNS is configured properly.

Have you checked the connection between postfix and the exchange machines?

After some years, a cable can get bad, lousy, and the packets would not pass so reliably anymore. After moving a machine/wandering around a rack cabinet, one may have stepped on a cable and disconnected it or damaged it.

Bests,

Olivier
Re: rbl checks, best place
> > This is a difficult question.
>
> I disagree.

Just because you disagree does not make the question simple :)

> 2. Gmail is not squeaky clean, it's no surprise that they end up in

Of course, but then it gets people complaining why they cannot receive mails from gmail.

> 5. A reject_rbl_client "false positive" results in the sender getting
>    an immediate bounce. The sender knows the mail was not delivered.

Then you are lucky, you are only dealing with educated senders. A regular sender will disregard/delete a bounce message and will simply complain his message was not delivered.

> 1. Again, know your DNSBL.
> 3. If Zen makes a mistake or gets too aggressive, I guarantee yours
>    will not be the only site blocking mail from that sender. The
>    sending site is going to have to resolve the issue.

That means you must spend more time on checking that the quality of the RBL you are using is constant.

Olivier
Re: Country IP block list
Hi,

> Could someone provide links to sites where IP addresses are grouped by
> country? ASNs would work too but would prefer IP lists that I could put in a
> file that my postfix mail gateway could read. Obvious countries like China
> and Brazil I would like to block wholesale.

As mentioned earlier, blocking by country is pretty ineffective, as you will end up blocking some legitimate mail.

The countries you've mentioned are not the originators of spam, but only the relay. If you want to block the biggest originator of spam, you should consider blocking USA... Which is obviously not possible.

What will you reply to your users visiting one of these blocked countries, when they complain they cannot write back home?

Bests,

Olivier
Re: Strange behaviour of Postfix + LDAP
Hi Evgeniy,

> Check where the rewriting is taking place
> (http://www.postfix.org/ADDRESS_REWRITING_README.html) Then just add a
> -v switch to a corresponding daemon in the master.cf
> (http://www.postfix.org/DEBUG_README.html#verbose)

Thank you, now I can write a more documented message.

I have a problem with postfix rewriting, specifically on the part firstname.lastname->username.

When I send an email to sanjeet.ama...@toto.tutu it ends up rewritten to sanj...@cs.ait.ac.th and gets delivered locally.

If I write a mail to sanj...@toto.tutu, it gets properly rejected because the domain does not exist.

What I don't understand is why the rewriting occurs when toto.tutu is obviously not a domain served by my server. I am lost here.

A friend suggested that it could be because maps should contain only fully qualified email addresses: firstname.lastn...@my.domain and not just firstname.lastname.

Eventually, my users should receive emails under 2 domains that both resolve to the same mailbox, how would I solve that with maps containing full addresses? Having 2 maps in parallel?

Any help is very much welcome.

Best regards,

Olivier

PS: I also sent this email this morning, but it never reached the list: a side effect of rewriting the sender's address, I had to subscribe again with my firstname.lastname address :)

Below are the technical parts.
-- the error email as it is being delivered

X-Original-To: sanj...@cs.ait.ac.th
Delivered-To: sanj...@cs.ait.ac.th
Received: from localhost (localhost [127.0.0.1])
        by mail.cs.ait.ac.th (Postfix) with ESMTP id 34B5A3A3839
        for ; Fri, 28 Aug 2009 09:49:45 +0700 (ICT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.ait.ac.th; h=
        subject:subject:from:from:message-id:date:date:received:received
        :received; s=selector1; t=1251427784; x=1253242184; bh=g3zLYH4xK
        xcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; b=l2wCf6slc5W/pC+py2yDIRhwT
        4Qn3CyJnPQ9RhWDQrOX+hTFnJe/MnEruK0iSVRXgeSNBULpQeJVQpCA6QgtQabTx
        y7cgMd35u/BtsTcAgIfoffRaCd+5/EF8jFQf88c8vkidFzwAnyuT3XWCZ89Uri0S
        6rtZVH2Kek6APJYavw=
X-Virus-Scanned: amavisd-new at cs.ait.ac.th
Received: from mail.cs.ait.ac.th ([127.0.0.1])
        by localhost (mail.cs.ait.ac.th [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id 8Fe0qIw9goKc for ;
        Fri, 28 Aug 2009 09:49:44 +0700 (ICT)
>>> The recipient address is rewritten here
Received: from banyan.cs.ait.ac.th (banyan.cs.ait.ac.th [192.41.170.5])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mail.cs.ait.ac.th (Postfix) with ESMTPS id A57BA3A3837
        for ; Fri, 28 Aug 2009 09:49:44 +0700 (ICT)
Received: (from o...@localhost)
        by banyan.cs.ait.ac.th (8.14.3/8.14.3/Submit) id n7S2nioG030069;
        Fri, 28 Aug 2009 09:49:44 +0700 (ICT)
        (envelope-from on)
Date: Fri, 28 Aug 2009 09:49:44 +0700 (ICT)
Message-Id: <200908280249.n7s2niog030...@banyan.cs.ait.ac.th>
From: Olivier Nicole
To: sanj...@cs.ait.ac.th
Subject: test

test

-- the output of postconf -n

alias_maps = hash:/etc/aliases, ldap:$config_directory/ldap_user_alias, ldap:$config_directory/ldap_deleted_alias, ldap:$config_directory/ldap_user_alias_fullname, ldap:$config_directory/ldap_deleted_alias_fullname, ldap:$config_directory/ldap_alias
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/ETC
content_filter = smtp-amavis:[localhost]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = $myhostname, localhost
local_header_rewrite_clients = permit_mynetworks, permit_sasl_authenticated
local_recipient_maps = unix:passwd.byname, $alias_maps, ldap:$config_directory/ldap_local_recipient
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -t -a $HOME
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
masquerade_domains = cs.ait.ac.th
masquerade_exceptions = root
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, ufo.$mydomain, banyan.$mydomain, ldap.$mydomain, door.$mydomain, firewall.$mydomain, dns.$mydomain, amanda.$mydomain, database.$mydomain, sysl.$mydomain, mailback.$mydomain, csim.ait.asia
mydomain = cs.ait.ac.th
mynetworks = 192.41.170.0/24, 203.159.32.0/32
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_canonical_maps = ldap:$config_directory/ldap_uncanonical
relay_domains = cs.ait.ac.th, vgl-vforge.cs.ait.ac.th, ait.ac.th, dec.ait.ac.th, interlab.ait.ac.th, gmseenet.org
sample_directory = /usr/local/etc
sender_canonical_maps = ldap:$config_directory/ldap_canonical
sendmail_path = /usr/loc
Problem with transport map
Hi,

My server acts as MX for a few domains and I have a problem setting up the transport map properly.

Any help is welcome.

TIA,

Olivier

-- postconf -n

alias_maps = hash:/etc/aliases, ldap:$config_directory/ldap_user_alias, ldap:$config_directory/ldap_deleted_alias, ldap:$config_directory/ldap_user_alias_fullname, ldap:$config_directory/ldap_deleted_alias_fullname, ldap:$config_directory/ldap_alias
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/ETC
content_filter = smtp-amavis:[localhost]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = $myhostname, localhost
local_header_rewrite_clients = permit_mynetworks, permit_sasl_authenticated
local_recipient_maps = unix:passwd.byname, $alias_maps, ldap:$config_directory/ldap_local_recipient
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -t -a $HOME
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
masquerade_domains = cs.ait.ac.th
masquerade_exceptions = root
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, ufo.$mydomain, banyan.$mydomain, ldap.$mydomain, door.$mydomain, firewall.$mydomain, dns.$mydomain, amanda.$mydomain, database.$mydomain, sysl.$mydomain, mailback.$mydomain, csim.ait.asia
mydomain = cs.ait.ac.th
mynetworks = 192.41.170.0/24, 203.159.32.0/32
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_canonical_maps = ldap:$config_directory/ldap_user_uncanonical, ldap:$config_directory/ldap_deleted_uncanonical
>> relay_domains = cs.ait.ac.th, vgl-vforge.cs.ait.ac.th, ait.ac.th, dec.ait.ac.th, interlab.ait.ac.th, gmseenet.org
>> relay_transport = /usr/local/etc/transport
sample_directory = /usr/local/etc
sender_canonical_maps = ldap:$config_directory/ldap_canonical
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_loglevel = 2
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/run/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = check_client_access cidr:$config_directory/amavis_bypass
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /usr/local/ssl/ca/ait-itserv.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/ssl/crt/combined/mail.cs.ait.ac.th.pem
smtpd_tls_key_file = /usr/local/ssl/key/mail.cs.ait.ac.th.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/run/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_daemon_random_bytes = 32
tls_random_bytes = 32
tls_random_exchange_name = /var/run/postfix/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

-- /usr/local/etc/transport

cs.ait.ac.th            :
csim.ait.asia           :
.cs.ait.ac.th           :
.csim.ait.asia          :
vgl-vforge.cs.ait.ac.th smtp:[vgl-vforge.cs.ait.ac.th]
ait.ac.th               smtp:smtp.ait.ac.th
.ait.ac.th              smtp:smtp.ait.ac.th
ait.asia                smtp:smtp.ait.ac.th
.ait.asia               smtp:smtp.ait.ac.th
dec.ait.ac.th           : error:mail for dec.cs.sit.sc.th is not deliverable
interlab.ait.ac.th      smtp:mail.interlab.ait.ac.th
gmseenet.org            smtp:[gmseenet.org]
cluster.cs.ait.ac.th    smtp:cluster.cs.ait.ac.th
adpc.net                smtp:smtp.ait.ac.th
# some domains that cause problems via Uninet
#.austar.net.au         smtp:[smtp.ait.ac.th]
#.usyd.edu.au           smtp:[smtp.ait.ac.th]
#.csiro.au              smtp:[smtp.ait.ac.th]
.springer-sbm.com       smtp:smtp.ait.ac.th
.econ.tu.ac.th          smtp:smtp.ait.ac.th
#austar.net.au          smtp:[smtp.ait.ac.th]
#usyd.edu.au            smtp:[smtp.ait.ac.th]
#csiro.au               smtp:[smtp.ait.ac.th]
springer-sbm.com        smtp:smtp.ait.ac.th
econ.tu.ac.th           smtp:smtp.ait.ac.th

-- On the previous mail server (sendmail) /etc/mail/mailertable; I used it to create the transport table, with very little change. The below configuration for sendmail has been working for ages.

# avoid ait mail to go through mailgate (twice over the leased line)
.ait.ac.th              smtp:[smtp.ait.ac.th]
ait.ac.th               smtp:[smtp.ait.ac.th]
.ait.asia               smtp:[smtp.ait.ac.th]
ait.asia                smtp:[smtp.ait.ac.th]
mail2.cs.ait.ac.th      sm
Applying Unix quota
Hi,

Is there a way (policy?) to have Postfix check for the user's Unix quota before delivering a local mail?

I am using procmail as MDA, so when procmail finds that the mail cannot be delivered because the user is over quota, it's too late.

Hence I would like to have a sort of

smtpd_end_of_data_restrictions = check_policy_service something

that could accept/reject the mail before it is handed to the MDA.

Bests,

Olivier
Re: Applying Unix quota
Hi,

> > Hence I would like to have a sort of
> > smtpd_end_of_data_restrictions = check_policy_service something
> > that could accept/reject the mail before it is handed to the MDA.
>
> You could write a policy service to do this, or simply use a utility outside
> of Postfix to update an access(5) map that sends 4xx or 5xx responses for
> users that exceed quota.

I have written the table, it sends DUNNO or REJECT depending on whether the user is over quota or not.

Where is the best place to hook that table in Postfix?

smtpd_recipient_restrictions = check_recipient_access ldap:...

may not be the best choice because it seems it is checked before the aliases are expanded, so if a user over quota is part of an alias, the message will not bounce for that user.

Bests,

Olivier

alias_maps = hash:/etc/aliases, ldap:$config_directory/ldap_user_alias, ldap:$config_directory/ldap_deleted_alias, ldap:$config_directory/ldap_user_alias_fullname, ldap:$config_directory/ldap_deleted_alias_fullname, ldap:$config_directory/ldap_alias
command_directory = /usr/local/sbin
config_directory = /usr/local/ETC
content_filter = smtp-amavis:[localhost]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = $myhostname, localhost
local_header_rewrite_clients = permit_mynetworks, permit_sasl_authenticated
local_recipient_maps = unix:passwd.byname, $alias_maps, ldap:$config_directory/ldap_local_recipient
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -t -a $HOME
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
masquerade_domains = cs.ait.ac.th
masquerade_exceptions = root
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, ufo.$mydomain, banyan.$mydomain, ldap.$mydomain, door.$mydomain, firewall.$mydomain, dns.$mydomain, amanda.$mydomain, database.$mydomain, sysl.$mydomain, mailback.$mydomain, csim.ait.asia
mydomain = cs.ait.ac.th
mynetworks = 192.41.170.0/24, 203.159.32.0/32
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_canonical_maps = ldap:$config_directory/ldap_user_uncanonical, ldap:$config_directory/ldap_deleted_uncanonical
relay_domains = cs.ait.ac.th, vgl-vforge.cs.ait.ac.th, ait.ac.th, dec.ait.ac.th, interlab.ait.ac.th, gmseenet.org
sample_directory = /usr/local/etc
sender_canonical_maps = ldap:$config_directory/ldap_canonical
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_loglevel = 2
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/run/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
...skipping...
smtpd_client_restrictions = check_client_access cidr:$config_directory/amavis_bypass
smtpd_recipient_restrictions = check_recipient_access ldap:$config_directory/ldap_access permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /usr/local/ssl/ca/ait-itserv.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/ssl/crt/combined/mail.cs.ait.ac.th.pem
smtpd_tls_key_file = /usr/local/ssl/key/mail.cs.ait.ac.th.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/run/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_daemon_random_bytes = 32
tls_random_bytes = 32
tls_random_exchange_name = /var/run/postfix/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/transport
unknown_local_recipient_reject_code = 550
Re: local_recipient_maps into an ldap
Nicolas,

> server_host = zimbra.pcsol.be

Are you sure your server is running on port 389? Would you run TLS?

From your Postfix machine, can you access the LDAP server on the zimbra machine (no firewall)?

I would try the ldapsearch command on the postfix machine to make sure that all the parameters in ldap-localusers.cf are valid.

I think you need to bind in any case, if you do not configure a bind_dn and a bind_pw, it will make an anonymous bind, but I think you have to bind to your LDAP server before you can make a query. If you bind anonymously, you must make sure that the attributes you are searching for are readable.

Best regards,

Olivier
Re: Outlook certificate with postfix
> Ok but what certificates load in Outlook
> I have 3 certificate
> cacert.pem
> mydomain-key.pem
> mydomain-cert.pem

You have one certificate (mydomain-cert.pem), one certificate authority (cacert.pem) and one key (mydomain-cert.pem).

What you will want is to add cacert.pem to outlook, so any new certificate validated by cacert.pem is automatically accepted by outlook.

You should try something like what is described on the page

http://itserv.ait.ac.th/Helpdesk/announce/ie_oe_win.html

(sorry for the self advertisement), replacing "AIT CA certificate" with your cacert.pem file.

To make a .crt from a .pem, simply edit the file and remove all the text before the -BEGIN CERTIFICATE- line. (Can someone confirm?)

Bests,

olivier
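Of the three files listed, only cacert.pem should ever be copied to a client; the key file must stay on the server. The helper below is an added example, not part of the thread: it extracts just the PEM certificate block(s) from a file (dropping any text dump openssl may have printed in front of it, which is what "remove all the text before BEGIN CERTIFICATE" achieves) and refuses to produce anything if the input also contains a private key, which happens easily when a combined cert+key bundle like the one used for smtpd_tls_cert_file is passed by mistake. The PEM contents are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not from the thread: extract the certificate for distribution
# to mail clients and refuse to ship a file that also carries a private key.

# Constructed placeholder PEM data (not a real certificate or key).
CA_PEM='Certificate:
    Data: (text dump that openssl x509 -text prints before the PEM block)
-----BEGIN CERTIFICATE-----
MIIBconstructedCAcertificatebody0000000000000000000000000000000000
-----END CERTIFICATE-----'

BUNDLE_WITH_KEY='-----BEGIN CERTIFICATE-----
MIIBconstructedservercertificatebody00000000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedprivatekeybody000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----'

# Stdin -> the PEM certificate block(s) only. Returns 1 and prints nothing
# when a private key of any type (RSA, EC, PKCS#8) is present in the input.
extract_certs() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -q 'PRIVATE KEY-----'; then
        echo "refusing: input contains a private key, do not distribute it" >&2
        return 1
    fi
    printf '%s\n' "$input" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Count certificate blocks in the extracted output (0 means nothing usable).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$'
}
```

`extract_certs < cacert.pem > cacert.crt` yields a file Windows imports as a "Base64 encoded X.509" certificate; the .crt extension is only a name, the content is still PEM. If a client insists on binary DER, `openssl x509 -in cacert.pem -outform DER -out cacert.crt` does the conversion.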
A bug somewhere in the management of LDAP tables?
Hi,

I just made a typo writing a filter in an LDAP table: I typed s% instead of %s:

query_filter = (&(mail=s%)(csimAccountPermission=mail)(!(uid=vw)))

should be:

query_filter = (&(mail=%s)(csimAccountPermission=mail)(!(uid=vw)))

As a result, postmap would coredump (and eventually mail would not be delivered by Postfix).

Maybe there is a need for a better check of the syntax of the LDAP tables.

Best regards,

Olivier
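A pre-flight check on the .cf file catches this class of typo before postmap or a Postfix daemon ever reads it, and produces the ldapsearch command recommended a few messages earlier for testing the table's parameters from the Postfix host. The script is an added example, not part of the thread or of Postfix: it verifies that query_filter contains a lookup expansion (%s, %u or %d), that its parentheses balance, and that no reversed "s%" form is present, then renders one lookup as an ldapsearch(1) invocation. The two .cf bodies are constructed around the filter quoted in the post; server_host is assumed to be a plain hostname (Postfix also accepts URIs there), and the lookup key is assumed to contain no characters special to sed's replacement side.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a Postfix ldap_table(5)
# query_filter and render one lookup as an ldapsearch command.

# Constructed .cf bodies; the filters are the ones quoted in the post.
BAD_CF='server_host = ldap.cs.ait.ac.th
search_base = ou=people,dc=cs,dc=ait,dc=ac,dc=th
query_filter = (&(mail=s%)(csimAccountPermission=mail)(!(uid=vw)))
result_attribute = uid'

GOOD_CF='server_host = ldap.cs.ait.ac.th
search_base = ou=people,dc=cs,dc=ait,dc=ac,dc=th
query_filter = (&(mail=%s)(csimAccountPermission=mail)(!(uid=vw)))
result_attribute = uid'

# cf_value NAME: print the value of NAME from a .cf body on stdin (first match).
cf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# check_filter FILTER: return 0 if the filter looks usable, 1 with a reason on stderr.
check_filter() {
    f=$1
    case "$f" in
        *%s*|*%u*|*%d*) ;;
        *) echo "no %s/%u/%d expansion: the lookup key is never substituted" >&2; return 1 ;;
    esac
    opens=$(printf '%s' "$f" | tr -cd '(' | wc -c)
    closes=$(printf '%s' "$f" | tr -cd ')' | wc -c)
    if [ $opens -ne $closes ]; then
        echo "unbalanced parentheses ($opens open, $closes close)" >&2; return 1
    fi
    case "$f" in
        *=s%*|*=u%*|*=d%*) echo "reversed expansion (s% instead of %s)" >&2; return 1 ;;
    esac
    return 0
}

# check_cf CF_BODY: validate the query_filter of a whole .cf body.
check_cf() {
    check_filter "$(printf '%s\n' "$1" | cf_value query_filter)"
}

# ldapsearch_cmdline CF_BODY KEY: the ldapsearch(1) command equivalent to one
# Postfix lookup of KEY. Add -ZZ for STARTTLS and -D/-W when the .cf sets
# bind_dn/bind_pw; without them Postfix, like ldapsearch -x, binds anonymously.
ldapsearch_cmdline() {
    cf=$1; key=$2
    host=$(printf '%s\n' "$cf" | cf_value server_host)
    base=$(printf '%s\n' "$cf" | cf_value search_base)
    attr=$(printf '%s\n' "$cf" | cf_value result_attribute)
    filter=$(printf '%s\n' "$cf" | cf_value query_filter | sed "s|%s|$key|g")
    printf 'ldapsearch -x -H ldap://%s -b %s "%s" %s\n' "$host" "$base" "$filter" "$attr"
}
```

Run `check_cf "$(cat /usr/local/ETC/ldap_local_recipient)"` before `postmap -q`, and paste the ldapsearch line it prints to confirm the server answers with the expected result_attribute; an empty answer there is the same "user does not exist" that Postfix will see.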
Re: Blacklisted on Verizon
Hi,

> Hello list! We are being blacklisted every few days from verizon. This is
> less important right now as I need to find out if/who is sending spam from
> the email server or if the server is an open relay. I am less inclined to
> think postfix (which is what we use) is an open relay. More inclined to
> think someone has gotten an account is sending spam out using the server.
> What is the best way to find out who/if an account is sending spam from the
> server?

At the same time you can try to talk to Verizon, asking them what message caused the blacklisting. Having the message ID of the spam may help identifying your spammer.

Good luck,

Olivier
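The quickest local answer to "which account is sending the spam" is in the smtpd log lines Postfix writes when SASL is enabled: each accepted message carries sasl_username= for an authenticated client. The script below is an added example, not part of the thread: it ranks accounts by accepted message count, lists the client IPs one account has used (an account seen from many unrelated networks in a short window is the usual sign of a stolen password), and pulls the queue IDs for one account so the messages can be traced through the qmgr and smtp log lines or quoted back to Verizon. The log lines are constructed samples in Postfix's usual format.

```shell
#!/bin/sh
# Added example, not from the thread: triage of SASL-authenticated senders
# from Postfix smtpd "client=" log lines.

# Constructed sample log lines (Postfix smtpd format, SASL enabled).
MAILLOG='Aug 28 09:49:44 mail2 postfix/smtpd[30069]: A57BA3A3837: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=sa
Aug 28 09:49:45 mail2 postfix/smtpd[30069]: B11AA3A3838: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=sa
Aug 28 09:49:46 mail2 postfix/smtpd[30070]: C22BB3A3839: client=banyan.cs.ait.ac.th[192.41.170.5]
Aug 28 09:50:01 mail2 postfix/smtpd[30071]: D33CC3A3840: client=unknown[198.51.100.4], sasl_method=LOGIN, sasl_username=sa
Aug 28 09:50:30 mail2 postfix/smtpd[30072]: E44DD3A3841: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=on'

# Log on stdin -> "count user" per SASL account, most active first.
# Unauthenticated connections (no sasl_username=) are ignored.
sasl_senders() {
    awk '/sasl_username=/ {
            sub(/.*sasl_username=/, ""); sub(/[, \t].*/, "")
            n[$0]++
         }
         END { for (u in n) printf "%d %s\n", n[u], u }' | sort -rn
}

# sasl_client_ips USER: distinct client IPs this account authenticated from.
sasl_client_ips() {
    awk -v user="$1" '/sasl_username=/ {
            u = $0; sub(/.*sasl_username=/, "", u); sub(/[, \t].*/, "", u)
            if (u != user) next
            ip = $0; sub(/.*client=[^[]*\[/, "", ip); sub(/\].*/, "", ip)
            ips[ip] = 1
         }
         END { for (i in ips) print i }' | sort
}

# sasl_queue_ids USER: queue IDs of messages this account submitted, to grep
# through the rest of the log (qmgr from=, smtp to=/relay=) or to report.
sasl_queue_ids() {
    awk -v user="$1" '$0 ~ ("sasl_username=" user "([, \t]|$)") {
            id = $6; sub(/:$/, "", id); print id
         }'
}
```

On the real host, `grep 'postfix/smtpd' /var/log/maillog | sasl_senders | head` gives the ranking; an account that tops it while its owner is asleep, especially with sasl_client_ips spread across several countries, is the compromised one. Lock it, then use sasl_queue_ids to find the messages and their destinations in the same log.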
Re: access table problems
> When I run these through postmap -q I a get a "REJECT" return. When I
> add a fourth octet to the postmap -q input, I get nothing. I've been
> beating my head on the desk whilst re-reading man 5 access, and I can't
> figure out why real addresses matching these class C subnets aren't
> returning "REJECT" when I run them through postmap -q. For quite some
> time I thought these were working. I was wrong. Any ideas what's wrong?

I think that postmap is not doing the multiple tests that postfix would be doing:

- postfix would try to match a.b.c.d, a.b.c, a.b and a;
- while postmap tries to match exactly what you are feeding it.

Best regards,

Olivier
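Both this thread and the earlier "Strange behaviour of Postfix + LDAP" one are about the same thing: a Postfix daemon issues a sequence of lookups per key, while `postmap -q` issues exactly one. The script below is an added example, not part of either thread or of Postfix: it emulates the documented sequences for two table types, canonical(5) (user@domain, then user, then @domain) and access(5) client checks (a.b.c.d, a.b.c, a.b, then a), against constructed tables. It shows why an unqualified key such as "sanjeet.amar" rewrites mail for any domain, including the nonexistent toto.tutu, and why a single exact lookup of 192.168.0.7 never hits a "192.168.0" entry. With an ldap: table the same key sequence is sent to the server, so an LDAP entry whose mail attribute is a bare local part is matched just like an unqualified hash: key; the ldap_table(5) "domain" parameter, listing both of the domains the users should receive under, is the usual way to confine those lookups.

```shell
#!/bin/sh
# Added example, not from the threads: emulate the key sequence a Postfix
# daemon tries for canonical(5) and access(5) client lookups, versus the single
# exact lookup performed by postmap -q. Tables are constructed.

# key value, one per line; first column is the lookup key.
CANONICAL_TABLE='sanjeet.amar sanjeet
olivier.nicole@cs.ait.ac.th on'

ACCESS_TABLE='192.168.0 REJECT
10.0.0.5 OK'

# lookup TABLE KEY: exactly what postmap -q does. Prints the value for an
# exact key match, returns 1 when the key is absent.
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" \
        '$1 == k { print $2; found = 1; exit } END { exit found ? 0 : 1 }'
}

# canonical_keys ADDRESS: the keys canonical(5) tries, in order.
canonical_keys() {
    case "$1" in
        *@*) printf '%s\n%s\n@%s\n' "$1" "${1%@*}" "${1#*@}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# client_keys IPV4: the keys an access(5) client lookup tries, in order.
client_keys() {
    ip=$1
    while [ -n "$ip" ]; do
        printf '%s\n' "$ip"
        case "$ip" in *.*) ip=${ip%.*} ;; *) ip= ;; esac
    done
}

# resolve TABLE KEYGEN KEY: what the daemon does. Tries each generated key,
# prints "key -> value" for the first hit, or "KEY: no match" and returns 1.
resolve() {
    table=$1; keygen=$2; key=$3
    for k in $("$keygen" "$key"); do
        if v=$(lookup "$table" "$k"); then
            printf '%s -> %s\n' "$k" "$v"
            return 0
        fi
    done
    printf '%s: no match\n' "$key"
    return 1
}
```

The fix for the rewriting surprise follows from the key order: store fully qualified keys (olivier.nicole@cs.ait.ac.th) so the bare-user fallback never matches a foreign domain, and list each additional domain as its own key or, for ldap: tables, as a "domain" restriction. For the access table, test a real client address with `postmap -q 192.168.0 hash:/path` to confirm the parent key exists, or read the smtpd log where the actual REJECT is recorded.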
Re: access table problems
And seeing that the guy is blocking email by country, I really wonder why I took time replying to him.
Extending Postfix to Amavis for the local clients
Hello,

In main.cf I have:

smtpd_client_restrictions = check_client_access cidr:$config_directory/amavis_bypass

with the file amavis_bypass being:

203.159.68.0/22 FILTER smtp-amavis:[127.0.0.1]:10026

That is applying a special filter for calling Amavis when a message is issued by my internal network (like insert DKIM signature, warn if a virus is detected, etc.)

I would like to extend this special filter for any connection incoming through the submission port (587) or an authenticated connection (equivalent to submission), whatever the IP they are coming from.

How is that possible?

Thanks in advance,

Olivier
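A FILTER action in an access table is keyed on the client's IP, so it cannot see whether the client has authenticated. The usual way to give authenticated clients the same amavisd-new treatment regardless of their address is a dedicated submission service in master.cf whose content_filter points straight at the 10026 listener, as in the following added example (not the poster's master.cf; the service columns follow the defaults of a FreeBSD port install, and the restriction lists are illustrative):

```conf
# master.cf, added example: port 587 for authenticated clients only, every
# message routed to the same amavisd-new listener the amavis_bypass FILTER
# selects for the internal network.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
```

The -o smtpd_client_restrictions override replaces the cidr lookup on this port, so the FILTER action and the content_filter setting never compete. Clients that authenticate on port 25 from outside 203.159.68.0/22 still get the default filter: Postfix 2.6 has no restriction that selects a FILTER by SASL state (check_sasl_access only arrived in Postfix 2.11), so on this version the practical answer is to move those clients to the submission port.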