Re: IDN domain name support

2010-05-27 Thread Pat
>> Wietse, thanks...but in Postfix I have to work with the ?o?o.com.ar
>> domain name or with the xn--oo-yjab.gov.ar punycode domain name ???
>
> The MAIL CLIENT must transform non-ASCII domain names before
> sending MAIL FROM or RCPT TO commands.

ICANN did not really consider the security and portability of IDNs before
permitting them.  The reasons for this are many, and speak poorly to ICANN's
management structure.  It is important to remember that ICANN's action does not
mean that end-users are prepared to accept mail from such domains, or that
doing so would be secure, much less that operating systems, libraries, and
applications are capable of dealing with IDNs safely.

Whether IDNs will ever be portable is a matter of debate.  Right now they are in
early-alpha status, i.e., not ready for production.  This might be OK for some
DNS and SMTP implementations, but for most production systems they pose too high
of a risk.  The increase in complexity of each OS, lib, and app required to
accommodate IDNs is non-trivial.  Widespread implementation would degrade
security in and of itself (because of the relationship between code size and
security, among other factors).

Speaking only for myself, for the foreseeable future we are not interested in
experimental code and do not want to use a version of bind or postfix that
cannot be compiled to refuse IDNs.

Pat




How to use a Dovecot passwd file in place of /etc/passwd?

2009-08-19 Thread Pat
How does one use a Dovecot passwd file in place of /etc/passwd to validate
local recipients?  I'm not looking for authentication, just validation.

Documentation is good on how to configure Postfix with Dovecot as an LDA
except for the part about setting "local_recipient_maps =".  Avoiding
backscatter when setting local_recipient_maps to null appears to be left as
an exercise for the Reader.

Proxy:unix would seem the logical choice but there is no way to do so with
an alternate password file.  Neither is there support for a colon-delimited
map type.  The only recommendation I could find was to set the primary
domain up as a virtual but that won't work in this environment.

Seems like such a simple problem, to use an alternate passwd file or query
Dovecot directly before accepting a recipient.  What am I missing?

Pat
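Postfix has no colon-delimited table type, but a Dovecot passwd-file is easy to turn into one it does have. The script below is an added example, not something from the thread: it emits a postmap(1) input table with every user as a key, so the resulting hash: table can serve as local_recipient_maps; the file paths in the comments are assumptions.

```python
"""Build a Postfix local_recipient_maps table from a Dovecot passwd-file.

Added example, not from the thread.  Dovecot's passwd-file is colon
delimited like /etc/passwd (user[@domain]:password:uid:gid:gecos:home:...),
a format Postfix has no table type for, so we emit "key value" lines that
postmap(1) compiles into a hash: table.  Postfix only tests that a recipient
key exists in local_recipient_maps; the value is ignored."""
import sys

# Constructed sample passwd-file (not a real one) used when stdin is a terminal.
SAMPLE_PASSWD = """\
# comments and blank lines are ignored
alice:{SHA512-CRYPT}$6$saltsalt$hashhashhash:5000:5000::/var/vmail/alice::
bob@example.com:{PLAIN}secret:5000:5000::/var/vmail/bob::userdb_quota_rule=*:storage=1G
carol:{SHA512-CRYPT}$6$x$y:5000:5000::/var/vmail/carol
broken line without colons
alice:{PLAIN}dup:5000:5000::/var/vmail/alice::
"""


def recipient_keys(passwd_text):
    """Lookup keys to accept, in file order and without duplicates.  A user
    written as user@domain yields both the full address and the bare local
    part, so either lookup form finds it."""
    keys, seen = [], set()
    for lineno, raw in enumerate(passwd_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            print(f"line {lineno}: skipping malformed entry", file=sys.stderr)
            continue
        for key in (fields[0], fields[0].split("@", 1)[0]):
            if key not in seen:
                seen.add(key)
                keys.append(key)
    return keys


def recipient_table(passwd_text):
    """Render the keys as postmap(1) input, one 'key value' pair per line."""
    return "".join(f"{key} OK\n" for key in recipient_keys(passwd_text))


if __name__ == "__main__":
    # Assumed paths: python3 dovecot2postfix.py < /etc/dovecot/users > /etc/postfix/dovecot_recipients
    # then: postmap hash:/etc/postfix/dovecot_recipients
    # main.cf: local_recipient_maps = hash:/etc/postfix/dovecot_recipients
    text = SAMPLE_PASSWD if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(recipient_table(text))
```

Re-run the conversion and postmap whenever the Dovecot file changes, or recipient validation will lag behind the accounts that actually exist.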



Re: How to use a Dovecot passwd file in place of /etc/passwd?

2009-08-19 Thread Pat
>> How does one use a Dovecot passwd file in place of /etc/passwd to validate
>> local recipients?  I'm not looking for authentication, just validation.
>
> Any known table lookup type can be used in local_recipient_maps.
> For a list of known table types on your system, use 'postconf -m'.

Alternate passwd files are not a supported map/table type (per postconf -m and
other documentation).  That's the crux of this problem.  Have not been able to
get recipient validation to work with a Dovecot socket either.

> Using unix pipes or SASL is not a direct option, but you should be able
> to source them similarly.

What we have is a password file and Dovecot sockets (as defined in dovecot.conf
and master.cf).  How would one source them directly for user validation?  What
would the corresponding main.cf section look like?

Pat



Re: Outgoing Mail Moderation

2009-10-10 Thread Pat
Manish Kathuria wrote:
> the mail administrator is more interested in having a look at
> the attachments being sent with the mail which would appear
> encoded in the queues. Is there any web interface to have a
> look at the messages in the queue and also issue the postsuper
> command ?

We use postconf (.com) for exactly this (web queue management), over a half
dozen postfix servers. It has buttons for sa-learn, hold, unhold, delete, ...
Only thing missing is a tool to work across the queue i.e., delete all messages
on hold where subject == xyz.

Pat



Detecting non 7bit headers

2011-10-29 Thread Pat
Is there a way to detect non-7bit headers such that they can be flagged for
post-queue filtering?  Postfix' header_checks (with or without PCRE) would be
ideal but I'd like to know if this is doable in Spamassassin or Amavisd-new as
well.

Before I get labeled an ASCII bigot, the problem is security.  Certain smart
phones are susceptible to viruses and trojans passed via non-ASCII email
headers.  Javascript seems to be the language of choice for these exploits but
it is not the only way to target email clients.  The main problem is that no
smartphones are yet designed with good security.  A secondary problem is the
sending of non-RFC compliant 7 bit clean headers.  My preferred solution would
be tagging for evaluation but a web search has turned up nothing
straightforward.

Pat
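The check asked about above, as an added example that is not from the thread: Postfix header_checks matches each unfolded logical header, so a single pcre: rule can flag any byte above 0x7f (the rule quoted in the docstring is mine, not from the post). The script reproduces that test over a constructed message head, which also shows that RFC 2047 encoded words stay 7-bit clean and pass while raw 8-bit bytes in a header are flagged.

```python
"""Flag message headers that are not 7-bit clean.

Added example, not from the thread.  Postfix header_checks applies one
pattern per logical header (continuation lines are unfolded first), so the
same test as a pcre: header_checks table would be the single rule
    /[^\\x00-\\x7f]/   WARN non-7bit header
The functions below run the equivalent test offline on a constructed head."""
import re

# Constructed message head (not real mail).
SAMPLE_HEAD = (
    b"From: Pat <pat@example.com>\r\n"
    b"Subject: =?UTF-8?B?SGVsbG8gd29ybGQ=?=\r\n"        # RFC 2047: ASCII on the wire
    b"X-Note: caf\xc3\xa9 raw UTF-8 in a header\r\n"    # 8-bit bytes -> flagged
    b"Received: from mx (mx [192.0.2.1])\r\n"
    b"\tby relay; Sat, 29 Oct 2011 10:00:00 +0000\r\n"  # folded continuation line
    b"\r\n"
    b"Body with \xe2\x82\xac is not a header and is ignored\r\n"
)

NON_ASCII = re.compile(rb"[^\x00-\x7f]")


def unfolded_headers(raw):
    """Split the head at the first blank line and unfold continuation lines
    (those starting with SP or HTAB), as Postfix does before matching."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = []
    for line in re.split(rb"\r?\n", head):
        if line[:1] in (b" ", b"\t") and lines:
            lines[-1] += b" " + line.strip()
        else:
            lines.append(line)
    return lines


def flag_non_7bit(raw):
    """Names of the header fields whose unfolded value has a byte > 0x7f."""
    return [h.split(b":", 1)[0].decode("ascii", "replace")
            for h in unfolded_headers(raw) if NON_ASCII.search(h)]


if __name__ == "__main__":
    print(flag_non_7bit(SAMPLE_HEAD))  # ['X-Note']
```

A WARN action only logs; tagging for a post-queue filter needs an action such as PREPEND of a marker header that the filter then keys on.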



Re: Plesk or equivalent to manage Postfix

2011-11-06 Thread Pat
Benny Pedersen wrote:
> On Fri, 04 Nov 2011 14:13:59 +0100, Frank Bonnet wrote:
>> Has anyone ever used Plesk or another graphical interface
>> to manage Postfix?
>
> postfixadmin just works, so i keep my problem :-)

We're equally happy with Postconf (postconf.com).

Pat





Alias Expansion Problem

2009-06-26 Thread Hirayama, Pat
Hello,

I've recently converted from sendmail, and postfix seems to be having a problem
with a recursive alias we use.

So, in our aliases file, we have an address like this:

allstaff: user1, user2, user3 ... user79, user80, allstaff80
allstaff80: user81, user82, ... user159, user160, allstaff160
allstaff160: user160, user161, ... user219, user220, allstaff220
...
and so forth and so on ... at user1921 (contained in alias allstaff1920),
postfix starts responding with:

warning: alias database loop for user1921

and continues in that vein for the remaining 1000+ addresses.

I've tried adjusting virtual_alias_expansion_limit and
virtual_alias_recursion_limit -- but even upping them to 1 doesn't seem to
remedy the situation.

Any thoughts on what I should be setting to address this issue?

Thanks,

      -p


--
Pat Hirayama
IT / Server Operations
Fred Hutchinson Cancer Research Center
phira...@fhcrc.org


RE: Alias Expansion Problem

2009-06-26 Thread Hirayama, Pat
So, the problem is with the recursion, and in fact, if it were just an alias
with 3000+ addresses in a flat file, that will be handled without difficulty?

 -p



-Original Message-
From: Victor Duchovni [mailto:victor.ducho...@morganstanley.com]
Sent: Fri 6/26/2009 2:41 PM
To: Hirayama, Pat
Cc: postfix-users@postfix.org
Subject: Re: Alias Expansion Problem
 
On Fri, Jun 26, 2009 at 12:52:33PM -0700, Hirayama, Pat wrote:

> Hello,
> 
> I've recently converted from sendmail, and postfix seems to be having a problem
> with a recursive alias we use.
> 
> So, in our aliases file, we have an address like this:
> 
> allstaff: user1, user2, user3 ... user79, user80, allstaff80
> allstaff80: user81, user82, ... user159, user160, allstaff160
> allstaff160: user160, user161, ... user219, user220, allstaff220
> ...

Because Postfix does not modify the queue file during local alias
expansion, this is a poor way to represent the alias with Postfix.

Instead:

/etc/aliases:
owner-allstaff: sysad...@example.com
allstaff: :include:/etc/postfix/allstaff

/etc/postfix/allstaff:
us...@example.com
us...@example.com
...  flat list of all the users ...

If at all possible ensure that none of the addresses in the
"allstaff" file are "local"; rather, it is better if they are
all in a virtual alias domain, which rewrites them to local
addresses. You could even resort to:

virtual_alias_domains = valias.example.com
virtual_alias_maps = ... pcre:/etc/postfix/virtual.pcre

virtual.pcre:
/(.*)@valias\.example\.com$/$...@example.com

and list:

/etc/postfix/allstaff:
us...@valias.example.com
us...@valias.example.com
...  flat list of all the users ...

anything to suppress parallel recursive alias expansion in Postfix.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.



script to adjust file date/time according to mail header?

2012-10-01 Thread Pat Erler
hi,

I have a server on which a restore job went wrong and all files in Maildir
have the date of the restore, not of the file creation. Is there a script
to extract the correct date from the mail headers and touch the files
themselves with the correct date?

PAT

-- 
*Pat Erler*
Gtalk/G+: per...@gmail.com
Skype: pat_erler
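A script for the job described above, added here and not from the thread: it takes the Date header, falls back to the receiving MTA's timestamp in the first Received header when Date is missing or unparsable, and sets each file's atime and mtime with os.utime. It assumes the standard Maildir layout with cur/ and new/ subdirectories and nothing else about the server.

```python
"""Reset Maildir file times from each message's Date header.

Added example, not from the thread.  Assumes the standard Maildir layout
<maildir>/{cur,new}/<file>; run with --dry-run first to see what is skipped."""
import email.utils
import os
import sys

# Constructed sample message (not real mail) for offline testing.
SAMPLE_MESSAGE = b"""\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.com with ESMTP id ABC123;
\tMon, 1 Oct 2012 09:15:30 +0200
From: sender@example.org
Subject: constructed sample
Date: Mon, 1 Oct 2012 09:15:00 +0200

body
"""


def header_timestamp(raw):
    """POSIX timestamp from the Date: header; if that is missing or unparsable,
    fall back to the stamp after ';' in the first Received: header (the
    receiving MTA's clock).  None when nothing usable is found."""
    msg = email.message_from_bytes(raw)
    candidates = [msg.get("Date")]
    for received in msg.get_all("Received") or []:
        if ";" in received:
            candidates.append(received.rsplit(";", 1)[1])
    for value in candidates:
        if not value:
            continue
        try:
            return email.utils.parsedate_to_datetime(value).timestamp()
        except (TypeError, ValueError):
            continue
    return None


def restore_maildir_mtimes(maildir, dry_run=False):
    """Set atime/mtime of every file in cur/ and new/ to its header date.
    Returns (fixed, skipped); skipped files are reported on stderr."""
    fixed = skipped = 0
    for sub in ("cur", "new"):
        folder = os.path.join(maildir, sub)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                ts = header_timestamp(fh.read())
            if ts is None:
                skipped += 1
                print(f"skipped (no usable date): {path}", file=sys.stderr)
                continue
            if not dry_run:
                os.utime(path, (ts, ts))
            fixed += 1
    return fixed, skipped


if __name__ == "__main__":  # usage: python3 fixdates.py ~/Maildir [--dry-run]
    print(restore_maildir_mtimes(sys.argv[1], "--dry-run" in sys.argv))
```

Sender-supplied Date headers can be wrong or forged, which is why the Received fallback (and, where it matters, preferring it outright) is the more trustworthy clock.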


Odd Sender Rewrite

2014-06-04 Thread Hirayama, Pat
4502]: F09DEBF76AF: 
to=, relay=local, delay=0.27, delays=0.19/0/0/0.08, 
dsn=2.0.0, status=sent (forwarded as 2B907BF76A5)
Jun  4 07:33:24 dilbert postfix/qmgr[23578]: F09DEBF76AF: removed
Jun  4 07:33:24 dilbert postfix/qmgr[23578]: 2B907BF76A5: 
from=, size=3157, nrcpt=1 (queue active)
Jun  4 07:33:24 dilbert postfix/smtp[24475]: 2B907BF76A5: 
to=, orig_to=, 
relay=exchange.fhcrc.org[140.107.14.101]:25, delay=0.4, 
delays=0.08/0/0.05/0.27, dsn=2.6.0, status=sent (250 2.6.0 
<20140603223145.5990.41578.78@tuxcard.com> [InternalId=33291352] Queued 
mail for delivery)
Jun  4 07:33:24 dilbert postfix/qmgr[23578]: 2B907BF76A5: removed


Pat Hirayama
CIT / Infrastructure Operations
Fred Hutchinson Cancer Research Center
phira...@fhcrc.org



Postfix white listing with helo_access

2008-10-07 Thread Pat Grogan
We have implemented HELO restrictions for our postfix configuration to
attempt to cut down on the amount of spam.
Unfortunately this has turned up a lot of legitimate servers that have been
incorrectly configured. That is to say, they do not have DNS entries for
their mail servers.
Whilst we are attempting to get the sysadmins to resolve these issues I
need to put in a workaround to allow these legitimate mail servers to send
mails to our users.

I am considering setting up a white list system using "check_helo_access"
however I am not sure about the sequencing of the commands in main.cf.

The configuration I am considering is (main.cf extract of only relevant
section):

unknown_hostname_reject_code = 550
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_invalid_hostname
    reject_non_fqdn_hostname
    check_helo_access hash:/etc/postfix/helo_access
    reject_unknown_hostname

In /etc/postfix/helo_access I will have:
mailhost.domain1.suffix OK
mailhost.domain2.suffix OK
mailhost.domain3.suffix OK

My question is related to the sequencing. With this configuration when a
valid server in my helo_access file returns an OK will it then be processed,
or will it then move onto the "reject_unknown_hostname" and get rejected
because it does not have a DNS entry?

If this is the case is there some way around this?

Thanks, 
Pat Grogan 
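Postfix tries the restrictions in a list from left to right: an OK/PERMIT result ends the current list in the client's favour (later restriction lists, e.g. smtpd_recipient_restrictions, still apply), REJECT ends it with a rejection, and no decision (DUNNO, such as a miss in the access table) moves on to the next restriction. The model below is an added example, not Postfix code: it walks the list and helo_access table from the post with the syntax and DNS facts passed in as booleans.

```python
"""Model of Postfix restriction-list evaluation for the helo_access question.

Added example, not Postfix source.  Left to right: OK/PERMIT ends the list in
the client's favour, REJECT ends it with a rejection, DUNNO moves on.  Syntax
and DNS facts are supplied as booleans instead of being looked up."""
from dataclasses import dataclass


@dataclass
class HeloClient:
    helo: str
    valid_syntax: bool  # what reject_invalid_hostname tests
    is_fqdn: bool       # what reject_non_fqdn_hostname tests
    resolves: bool      # what reject_unknown_hostname tests (A or MX record)


def lookup_access(table, name):
    """check_helo_access lookup: exact name, then each parent domain (Postfix
    default: parent_domain_matches_subdomains includes smtpd_access_maps)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action is not None:
            return action
    return None


def evaluate(restrictions, client, table):
    """Return (decision, deciding restriction); decision is 'OK', 'REJECT',
    or 'DUNNO' when the list ran out.  Only OK/PERMIT and REJECT access(5)
    actions are modelled."""
    for r in restrictions:
        if r == "reject_invalid_hostname" and not client.valid_syntax:
            return "REJECT", r
        if r == "reject_non_fqdn_hostname" and not client.is_fqdn:
            return "REJECT", r
        if r == "reject_unknown_hostname" and not client.resolves:
            return "REJECT", r
        if r.startswith("check_helo_access"):
            action = lookup_access(table, client.helo)
            if action in ("OK", "PERMIT"):
                return "OK", r
            if action is not None and action.upper().startswith("REJECT"):
                return "REJECT", r
    return "DUNNO", None


# The list and table from the post; the domain names are its placeholders.
HELO_RESTRICTIONS = [
    "reject_invalid_hostname",
    "reject_non_fqdn_hostname",
    "check_helo_access hash:/etc/postfix/helo_access",
    "reject_unknown_hostname",
]
HELO_ACCESS = {"mailhost.domain1.suffix": "OK", "mailhost.domain2.suffix": "OK"}

if __name__ == "__main__":
    listed = HeloClient("mailhost.domain1.suffix", True, True, False)
    unlisted = HeloClient("mailhost.domain9.suffix", True, True, False)
    print(evaluate(HELO_RESTRICTIONS, listed, HELO_ACCESS))    # OK via check_helo_access
    print(evaluate(HELO_RESTRICTIONS, unlisted, HELO_ACCESS))  # REJECT via reject_unknown_hostname
```

Because the HELO name is whatever the client chooses to say, an OK here trusts a claim; an exception keyed on the client address (check_client_access in smtpd_client_restrictions) ties the whitelist to something the sender cannot pick.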



Dynamic "MAIL FROM" / 5321.MailFrom

2016-08-15 Thread Pat Suwalski

Hello,

I've looked in every corner of the internet for a solution to this
seemingly simple problem I'm having.

Last week, I started signing mail with opendkim, and hope to have DMARC
fully implemented for all of my domains.

I host dozens of domains, and send all of their mail through a single
outward-facing postfix server (we'll call it mymailserver.com).

At this point, everything works with DKIM, but DMARC fails because
Postfix's "MAIL FROM" envelope does not match the domain name from the
numerous hosted domains. I believe "MAIL FROM" uses the $mydomain, which
in this case is "mymailserver.com".

The DMARC reports come back with:

<record>
  <row>
    <source_ip>11.22.33.44</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>somedomain.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>somedomain.com</domain>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>mymailserver.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>

As you can see, although DKIM and SPF pass individually, the DMARC
policy still marks SPF as "fail" simply because the 5322.From is
"somedomain.com" and 5321.MailFrom is "mymailserver.com".

Is there a simple directive to give Postfix so that it always passes
"MAIL FROM" matching the "From" for trusted hosts?

Thanks a million,
--Pat
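The alignment test DMARC applies to those two identifiers, as an added example in Python rather than anything from the thread: it recomputes the policy evaluation results of the report above from its authentication results, and shows what changes once the envelope sender is in the hosted domain. The organizational-domain rule is simplified to the last two labels (an assumption; real validators consult the Public Suffix List).

```python
"""DMARC identifier alignment (RFC 7489 section 3.1) for the report above.

Added example, not from the thread.  It recomputes the policy evaluation
from the authentication results in the report: header From somedomain.com,
DKIM d=somedomain.com (pass), SPF on MAIL FROM mymailserver.com (pass).
org_domain() is simplified to the last two labels (assumption; real
validators consult the Public Suffix List)."""
from dataclasses import dataclass


@dataclass
class AuthResult:
    domain: str  # DKIM d= domain, or the 5321.MailFrom domain for SPF
    result: str  # "pass", "fail", "none", ...


def org_domain(domain):
    """Organizational domain, simplified to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s'): identical domains.  Relaxed ('r'): same org domain."""
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    if mode == "r":
        return org_domain(a) == org_domain(b)
    raise ValueError(f"unknown alignment mode {mode!r}")


def dmarc_evaluate(header_from, dkim, spf, adkim="r", aspf="r"):
    """Mirror the report's policy evaluation: 'dkim' and 'spf' are the
    aligned results; 'dmarc' passes when at least one mechanism both passed
    and aligned with the 5322.From domain."""
    dkim_ok = dkim.result == "pass" and aligned(header_from, dkim.domain, adkim)
    spf_ok = spf.result == "pass" and aligned(header_from, spf.domain, aspf)
    return {
        "dkim": "pass" if dkim_ok else "fail",
        "spf": "pass" if spf_ok else "fail",
        "dmarc": "pass" if (dkim_ok or spf_ok) else "fail",
    }


if __name__ == "__main__":
    dkim = AuthResult("somedomain.com", "pass")
    # As reported: envelope sender in the relay's own domain.
    print(dmarc_evaluate("somedomain.com", dkim, AuthResult("mymailserver.com", "pass")))
    # With the envelope sender in the hosted domain, SPF aligns as well.
    print(dmarc_evaluate("somedomain.com", dkim, AuthResult("somedomain.com", "pass")))
```

The first call shows why the report is not a failure: the message passes DMARC through aligned DKIM, and only the SPF half is unaligned.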


Re: Dynamic "MAIL FROM" / 5321.MailFrom

2016-08-15 Thread Pat Suwalski

On 2016-08-15 12:22 PM, Wietse Venema wrote:
> The solution is to require that the hosted domains provide the correct
> envelope sender address. With submissions that use the Postfix sendmail
> command, that's done with the "-f" command-line option.

I'm struggling with this concept.

I tried it on the command line, and it does work. But it looks super
hacky to add that (essentially manually) wherever mail is sent.

Surely, there's some way to override it in postfix...? We're talking
about all kinds of software and different mailers (custom PHP, zabbix,
nagios, etc, etc, etc). It just seems to make a lot more sense to set it
at the edge of what I control.


Thanks!
--Pat


Re: Dynamic "MAIL FROM" / 5321.MailFrom

2016-08-15 Thread Pat Suwalski

On 2016-08-15 12:46 PM, Robert Schetterer wrote:
> I am not sure what your problem is (do you mean sending reports with
> strict SPF?); however, have a look at this too in your concept

Not quite. I'm trying to satisfy DMARC policy for SPF that does not
match mail-from and envelope-from. I'd like postfix to rewrite the
envelope to match.


Thanks.
--Pat


postfix authentication problem + doesn't send to mailbox

2016-10-19 Thread pat G

Hello,

I have a problem sending with a Postfix server.

When I use telnet (port 25) to send, I get a message in mailq, but
nothing goes out:


6FDA937607C1* 399 Wed Oct 19 11:20:10  t...@dm.com
 t...@dm.com

When I use another program (mutt, port 25) to send a mail, I get an error.

In the mail logs there is this:

Oct 19 11:21:37 mail postfix/smtpd[22701]: connect from 
unknown[192.168.1.50]
Oct 19 11:21:37 mail postfix/smtpd[22701]: Anonymous TLS connection 
established from unknown[192.168.1.50]: TLSv1 with cipher 
DHE-RSA-AES256-SHA (256/256 bits)
Oct 19 11:22:36 mail postfix/smtpd[22701]: lost connection after EHLO 
from unknown[192.168.1.50]
Oct 19 11:22:36 mail postfix/smtpd[22701]: disconnect from 
unknown[192.168.1.50]


In mutt, it says: SMTP server doesn't support authentication

On the SMTP server, postconf -n:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
lmtp_tls_session_cache_database = btree:${data_directory}/lmtp_scache
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = localhost, localhost.localdomain, localhost
myhostname = mail.dm.com
mynetworks = 127.0.0.0/8 192.168.1.0/24
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/ssl/certs/ca.cert.pem
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC2, RC4, MD5, PSK, SRP, DSS, AECDH, ADH
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = dm.com ESMTP mx1.dm.com (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated,
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-sender-login-maps.cf
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_tls_CAfile = $smtp_tls_CAfile
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mailserver.crt
smtpd_tls_dh1024_param_file = $config_directory/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/dh512.pem
smtpd_tls_key_file = /etc/ssl/private/mailserver.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/lmtp
virtual_uid_maps = static:5000


Did I miss something?

thx

pat.



problem with sender_access ; can't reject domains

2017-06-12 Thread pat G
hello,

I have used Postfix for years without problems, but for some weeks now
we have been receiving mail from bad domains.

I don't find a solution in Postfix. I use "sender_access" to reject some
domains, but mail from those domains keeps coming, even after I postmap
sender_access and restart Postfix. What can be the solution? I use:
check_sender_access hash:/etc/postfix/sender_access

Here is my postconf -n:
http://paste.debian.net/970772/
http://paste.debian.net/971113/

thx for your help,

Pat.




problem on a relay server

2018-05-24 Thread pat G
Hello,

I am working on a relay server, but it isn't functional.

My main.cf is:

http://paste.debian.net/1026390/

But I have these errors in the logs:

http://paste.debian.net/1026400/

Did I miss something or do something wrong?

Thanks,

Patrice G




Re: problem on a relay server

2018-05-25 Thread pat G
OK, it is better now than yesterday; it can receive requests.
However, when one of our internal mail servers sends a message via
relayhost to our external Postfix server (which should relay the messages
it receives to external mail servers of different domains), it says the
users don't exist, as if it wanted to deliver the message to a local
mailbox...

Did I miss something so that it sends to external domains/servers?

Thanks,

Le 24/05/2018 à 16:22, Dominic Raferd a écrit :
> On 24 May 2018 at 15:01, pat G  wrote:
>> Hello,
>>
>> i am working on a relay server, but it isn't functionnal.
>>
>> my main.cf is  :
>>
>> http://paste.debian.net/1026390/
>>
>> but i ve theses errors in logs :
>>
>> http://paste.debian.net/1026400/
>>
>> did i miss something or did i do something wrong ?
>
> /etc/postfix/users needs to be hashed:
>
> in main.cf:
> ...
> relay_recipient_maps = hash:/etc/postfix/users
> ...
>
> action to hash (creates users.db):
> # postmap /etc/postfix/users




Re: problem on a relay server [resolved]

2018-05-28 Thread pat G
Sorry, I have found the problem: I had put the domain to be sent to in "mydestination".

Thx.

Le 25/05/2018 à 13:00, Wietse Venema a écrit :
> pat G:
>> Ok it is better now than yesterday, it can receive requests.
>> However, when one of our internal mails server send a message by
>> relayhost to our external postfix server (which should relay messages
>> received to external mails servers, of differents domains), it indicates
>> that users doesn't exist, but like if he wanted to send message in local
>> mailbox...
>>
>> Did i miss something for that it send in external domains/server ?
> Logs, 'postconf -n' command output?  See also:
> http://www.postfix.org/DEBUG_README.html#mail
>
>   Wietse