OT: Diagnose blocked mail
Hello,

I'm having an issue with mail being blocked (I think), and I was hoping that someone here would give me an idea of where to get started.

Here's the situation (made-up names):

Server is postfix with amavis-new, spam-assassin and dovecot. Logs are fairly verbose.

Alice (al...@example.com) sends Bob an email (b...@myserver.com), CC (b...@3rdserver.com). I run myserver.com. The message goes through to b...@3rdserver.com, but not b...@myserver.com. There is absolutely no trace of Alice's domain in the mail logs.

Am I being blocked upstream, is my server discarding the mail somewhere, or ...?

Any suggestions, including alternate mailing lists or Google search terms, very much appreciated.

Ray
Re: OT: Diagnose blocked mail
On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote: > Ray wrote: > > Hello, > > I'm having an issue with mail being blocked (I think) and I was hoping > > that someone here would give me an idea on where to get started. > > > > here's the situation. (Made up names) > > > > server is postfix with amavis-new, spam-assassin and dovecot. logs are > > fairly verbose. > > > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC > > (b...@3rdserver.com) I run myserver.com. message goes through to > > b...@3rdserver.com, but not b...@myserver.com. > > there is absolutely no trace of alice's domain in the mail logs. > > > > am I being blocked up stream, is my server discarding the mail somewhere > > or ...? > > > > any suggestions including alternate mail lists or google search terms > > very much appreciated. > > > > Ray > > Post the appropriate section of /var/log/maillog showing the misbehaving > transfer. > > Terry That's the problem, there's nothing in the logs. Ray
Re: OT: Diagnose blocked mail
On Wednesday 04 March 2009 16:35:01 Magnus Bäck wrote: > On Thursday, March 05, 2009 at 00:26 CET, > > Ray wrote: > > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote: > > > Ray wrote: > > > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC > > > > (b...@3rdserver.com) I run myserver.com. message goes through to > > > > b...@3rdserver.com, but not b...@myserver.com. > > > > there is absolutely no trace of alice's domain in the mail logs. > > > > > > > > am I being blocked up stream, is my server discarding the mail > > > > somewhere or ...? > > > > > > > > any suggestions including alternate mail lists or google search > > > > terms very much appreciated. > > > > > > Post the appropriate section of /var/log/maillog showing the > > > misbehaving transfer. > > > > That's the problem, there's nothing in the logs. > > Is Postfix running? > Is it accepting port 25 connections on the Internet-facing network > interface? Is there any firewall in the way? > Are the MX records pointing towards your server? > Does your ISP block inbound port 25? > Can you connect to port 25 from an outside network? > ... Sorry, I should have filled in all this information before hand :( Server is live and fully functional. it deals with thousands of messages per day and has for over a year. One user can't receive messages from one contact. That contact doesn't even show up in the logs as spam or lost connection or anything. Ray
Re: OT: Diagnose blocked mail
On Wednesday 04 March 2009 16:37:37 /dev/rob0 wrote: > On Wed March 4 2009 17:26:01 Ray wrote: > > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote: > > > Ray wrote: > > > > Hello, > > > > I'm having an issue with mail being blocked (I think) and I was > > > > hoping that someone here would give me an idea on where to get > > > > started. > > > > > > > > here's the situation. (Made up names) > > Unfortunately, made up (misappropriated) domain names as well. Your > problem is most likely either broken DNS or as you suggest, some kind > of firewall blocking. We can't help with any of that if you don't use > real domain names. > receiving domain is aplustaxi.ca > > > > server is postfix with amavis-new, spam-assassin and dovecot. > > > > logs are fairly verbose. > > > > > > > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com) > > > > CC (b...@3rdserver.com) I run myserver.com. message goes through > > > > to b...@3rdserver.com, but not b...@myserver.com. > > > > there is absolutely no trace of alice's domain in the mail logs. > > > > > > > > am I being blocked up stream, is my server discarding the mail > > > > somewhere or ...? > > > > > > > > any suggestions including alternate mail lists or google search > > > > terms very much appreciated. > > > > > > > > Ray > > > > > > Post the appropriate section of /var/log/maillog showing the > > > misbehaving transfer. > > > > > > Terry > > > > That's the problem, there's nothing in the logs.
Re: OT: Diagnose blocked mail
On Wednesday 04 March 2009 18:10:22 Bill Weiss wrote:
> Ray(r...@stilltech.net)@Wed, Mar 04, 2009 at 04:46:21PM -0700:
> > On Wednesday 04 March 2009 16:37:37 /dev/rob0 wrote:
> > > On Wed March 4 2009 17:26:01 Ray wrote:
> > > > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > > > > Ray wrote:
> > > > > > Hello,
> > > > > > I'm having an issue with mail being blocked (I think) and I was
> > > > > > hoping that someone here would give me an idea on where to get
> > > > > > started.
> > > > > >
> > > > > > here's the situation. (Made up names)
> > >
> > > Unfortunately, made up (misappropriated) domain names as well. Your
> > > problem is most likely either broken DNS or as you suggest, some kind
> > > of firewall blocking. We can't help with any of that if you don't use
> > > real domain names.
> >
> > receiving domain is aplustaxi.ca
>
> Your DNS and firewall look ok from here:
>
> houd...@www ~ % dig aplustaxi.ca any +short
> 10 mail.geekdelivery.com.
> 206.75.152.197
> houd...@www ~ % dig mail.geekdelivery.com any +short
> 206.75.152.197
> houd...@www ~ % telnet mail.geekdelivery.com 25
> Trying 206.75.152.197...
> Connected to mail.geekdelivery.com.
> Escape character is '^]'.
> 220 mail.geekdelivery.com ESMTP Postfix
> HELO clanspum.net
> 250 mail.geekdelivery.com
> MAIL FROM:
> 250 2.1.0 Ok
> RCPT TO:
> 250 2.1.5 Ok
> RSET
> 250 2.0.0 Ok
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
> houd...@www ~ %
>
> Have you tried getting a pcap while the mystery server is supposed to be
> sending you mail?

Haven't done this yet, but I will try it. Assuming that the connection isn't getting to me, what kind of things do I check?

> --
> Bill Weiss
>
> C has all the expressive power of two dixie cups and a string.
> -- Jamie Zawinski
Re: OT: Diagnose blocked mail
On Wednesday 04 March 2009 17:49:57 Jose Ildefonso Camargo Tolosa wrote: > Hi! > > On Thu, Mar 5, 2009 at 7:11 PM, Ray wrote: > > On Wednesday 04 March 2009 16:35:01 Magnus Bäck wrote: > >> On Thursday, March 05, 2009 at 00:26 CET, > >> > >> Ray wrote: > >> > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote: > >> > > Ray wrote: > >> > > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC > >> > > > (b...@3rdserver.com) I run myserver.com. message goes through to > >> > > > b...@3rdserver.com, but not b...@myserver.com. > >> > > > there is absolutely no trace of alice's domain in the mail logs. > >> > > > > >> > > > am I being blocked up stream, is my server discarding the mail > >> > > > somewhere or ...? > >> > > > > >> > > > any suggestions including alternate mail lists or google search > >> > > > terms very much appreciated. > >> > > > >> > > Post the appropriate section of /var/log/maillog showing the > >> > > misbehaving transfer. > >> > > >> > That's the problem, there's nothing in the logs. > >> > >> Is Postfix running? > >> Is it accepting port 25 connections on the Internet-facing network > >> interface? Is there any firewall in the way? > >> Are the MX records pointing towards your server? > >> Does your ISP block inbound port 25? > >> Can you connect to port 25 from an outside network? > >> ... > > > > Sorry, I should have filled in all this information before hand :( > > Server is live and fully functional. it deals with thousands of messages > > per day and has for over a year. One user can't receive messages from one > > contact. That contact doesn't even show up in the logs as spam or lost > > connection or anything. > > So, let me see: one user can't receive mail from on specific mail > address, but can other users receive mail from that address?, ie, if > al...@example.com sends a mail to us...@myserver.com , is the mail > delivered? > haven't tested that yet. My gut feeling is no, but I will test. 
> Do you have some kind of spam filter "before" your actual mail server? > if yes: which one, and: can you temporarily disable/remove it and > test? > unless my IP is blocking specific email addresses or domains, the entire mail system consists of postfix, dovecot, amavisd new, clamav and spamassassin running under freebsd 7.0. All of the mail components log to the same file. Ray > I hope this helps, > > Ildefonso Camargo
Re: OT: Diagnose blocked mail (Summary)
Summary:

I realize that the problem most likely is not due to postfix (thus the OT in the subject), but I figured someone here might have seen this before.

Server is live and fully functional. It deals with thousands of messages per day and has for over a year. One user can't receive messages from one contact. That contact doesn't even show up in the logs as spam or lost connection or anything.

Not previously stated, but I can't find my server name or IP address on any blacklists, and I did confirm that the email address was correct.

The recommendations made (please correct me if I'm wrong or tell me if I'm missing anything):

1) have a message sent to another account on same server
2) "smtpd_delay_reject = yes" is set, so try to figure out sending ip address and search for it in maillog.
3) get administrator of sending server to check his logs
4) pcap during a communication attempt

1 is easy, I'll do this one. I think I can do 2. I've already asked for 3 to be done, but it's out of my control. I'll do number 4 if it comes down to it, but frankly I've never done anything with packet capture and it's a little intimidating.

Thanks everyone for your input. If I get a resolution, I'll post back.

Ray
cannot connect to mysql. Too many connections.
Hello,

System is FreeBSD 7.0, postfix 2.6.2, mysql storage of user info, amavisd-new, and dovecot for authentication and pop/imap. postconf -n at end of post.

Just yesterday I started receiving a lot of
"warning: connect to mysql server localhost: Too many connections"
(Sample log files follow signature)

Mysql is showing about 75 sleeping connections from the mail database user. In my.cnf I increased "max_connections" to 300 and dropped "wait_timeout" to 4000 seconds and this seems to have fixed it for now, but I'm trying to figure out what's going on. The real weird part is that yesterday I had over 2500 occurrences of "too many connections" in the log file, but the previous week combined gave me 160 total.

Is there a setting I can tweak, or should I be taking this to dovecot or amavisd? Google wasn't very helpful and the closest thing that I could find in the archives was "Postfix not closing mysql connections" back on 08/12/07, and it did help, but it didn't fully answer my question.

Any help, including links to the docs appreciated.

Ray

Sample log lines:

May 7 13:46:35 wserver postfix/cleanup[27554]: warning: connect to mysql server localhost: Too many connections
May 7 13:46:36 wserver amavis[28466]: (28466-01) (!)connect_to_sql: unable to connect to DSN 'DBI:mysql:database=internal;host=localhost;port=3306': Too many connections
Apr 29 09:35:28 wserver postfix/virtual[79240]: warning: connect to mysql server localhost: Too many connections
Apr 29 09:35:29 wserver postfix/smtpd[78246]: warning: connect to mysql server localhost: Too many connections
Apr 29 09:35:29 wserver postfix/cleanup[78685]: warning: connect to mysql server localhost: Too many connections

postconf -n

alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
delay_warning_time = 4h
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 25000
myhostname = mail.geekdelivery.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
show_user_unknown_table_name = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_sender_login_mismatch
soft_bounce = yes
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/usr/local/etc/postfix/sql/virtual_alias_maps.cf mysql:/usr/local/etc/postfix/sql/virtual_email2email.cf mysql:/usr/local/etc/postfix/sql/catchall_alias_maps.cf
virtual_gid_maps = mysql:/usr/local/etc/postfix/sql/virtual_gid_maps.cf
virtual_mailbox_base = /usr/local/mail
virtual_mailbox_domains = mysql:/usr/local/etc/postfix/sql/virtual_mailbox_domains.cf
virtual_mailbox_limit = 10
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/sql/virtual_mailbox_recipients.cf
virtual_transport = virtual
virtual_uid_maps = mysql:/usr/local/etc/postfix/sql/virtual_uid_maps.cf
Re: cannot connect to mysql. Too many connections.
On May 8, 2009 10:31:37 am Wietse Venema wrote: > Ray: > > Hello, > > > > System is FreeBSD 7.0, postfix 2.6.2, mysql storage of user info, > > amvisd-new, and dovecot for authentication and pop/imap. postconf -n at > > end of post. > > > > Just Yesterday I started receiving a lot of > > "warning: connect to mysql server localhost: Too many connections" > > (Sample log files follow signature) > > Mysql is showing about 75 sleeping connections from the mail database > > user. > > Short reply: s/mysql/proxy:mysql/ > Long reply: see "man a proxymap". > > Wietse > I replied off list to this by accident, Sorry Wietse. But for the sake of the archive, this solves the problem. Ray
Trying to debug message relay
Hello,

I'm having an issue with email just disappearing.

I have been looking at the documentation and logs. I have made the logs more verbose.
http://www.postfix.org/DEBUG_README.html#verbose

I can see the messages being accepted, but then nothing. Can anybody tell me where to look for logs or documentation on the next stages of the process? I have done manual pop\smtp transactions over telnet before and have no problem doing the equivalent, but I need some documentation.

Thanks,
Ray
Re: Trying to debug message relay
Hello and sorry for the delay, I wanted to re-examine my logs and assumptions. On December 21, 2010 03:00:02 pm Wietse Venema wrote: > Ray: > > Hello, > > I'm having an issue with email just disappearing. > > > > I have been looking at the documentation and logs. I have made the logs > > more verbose. > > http://www.postfix.org/DEBUG_README.html#verbose > > Please, don't open the gates of hell unless asked to do so. > I see that a lot of extra information is being generated, but I was hoping that this might give me what was needed > > I can see the messages being accepted, but then nothing. > > Accepted by Postfix? Why do you believe that the mail is accepted? I believe that the message is being accepted by Postfix due to lines like the following in the logs Dec 23 10:12:20 wserver amavis[15273]: (15273-12) Passed CLEAN, [70.65.***.***] [70.65.***.***] -> <**...@shaw.ca>, Message-ID: <201012231011.54704@stilltech.net>, mail_id: MS2XU3vqlzc0, Hits: 0.013, size: 557, queued_as: 6CF0C1B173C, 14673 ms (redacted IP address is the machine I'm sending email from. Redacted email is on the local cabelco mail server.) I'm not 100% sure the problem is on the remote server, that's why I would like to trace the communication between my server and the remote server. Thanks again, Ray > > Accepted by the remote server? Why do you believe that the mail is > accepted? if the mail is accepted, then it is the responsibility > of the remote server. > > Wietse > > > Can anybody tell me where to look for logs or documentation on > > the next stages of the process. I have done manual pop\smtp > > transactions over telnet before and have no problem doing the > > equivilent, but I need some documentation. > > > > Thanks, Ray
Re: Trying to debug message relay
On December 23, 2010 10:48:07 am Noel Jones wrote: > On 12/23/2010 11:33 AM, Ray wrote: > > I believe that the message is being accepted by Postfix due to lines like > > the following in the logs > > > > Dec 23 10:12:20 wserver amavis[15273]: (15273-12) Passed CLEAN, > > [70.65.***.***] [70.65.***.***] -> > > <**...@shaw.ca>, Message-ID:<201012231011.54704@stilltech.net>, > > mail_id: MS2XU3vqlzc0, Hits: 0.013, size: 557, queued_as: 6CF0C1B173C, > > 14673 ms > > (redacted IP address is the machine I'm sending email from. Redacted > > email is on the local cabelco mail server.) > > Wow, nearly 15 seconds to scan a 557 byte message. If all > your amavis scans are that slow or slower you might want some > help from the amavis-users list. > > Anyway, on the postfix-users list we prefer to see postfix > logging. > > > I'm not 100% sure the problem is on the remote server, that's why I would > > like to trace the communication between my server and the remote server. > > Thanks again, > > Ray > > Start with showing us the one-line entry postfix/smtp makes > when sending to the remote server, and we'll go on from there. > > > >-- Noel Jones Hello all, thank you for your quick response. All the gory details that you asked for follow. I have provided the output of postconf -n, and all the log details for my last message to this list as an example. But before we go that far, I'm wondering if my question was understood. My question is " is there a way to see in detail, through logging or simulation, what is happening when my mail server relays or attempts to relay, a message from me to an outside server that is not under my control, and for which I will never get logs. (Think Gmail). While I appreciate the willingness of the list members to help out, the exact problem was only given as justification for the real question. 
Thanks
Ray

Dec 23 10:33:22 wserver postfix/smtpd[16875]: 5B80F1B173C: client=S0106001c10f5c6f7.lb.shawcable.net[70.65.240.122], sasl_method=PLAIN, sasl_username=...@stilltech.net
Dec 23 10:33:22 wserver postfix/cleanup[16730]: 5B80F1B173C: message-id=<201012231033.19447@stilltech.net>
Dec 23 10:33:22 wserver postfix/qmgr[44344]: 5B80F1B173C: from=, size=2565, nrcpt=1 (queue active)
Dec 23 10:33:22 wserver amavis[16134]: (16134-09) ESMTP::10024 /var/amavis/tmp/amavis-20101223T101352-16134: -> SIZE=2565 Received: from mail.geekdelivery.com ([127.0.0.1]) by localhost (wserver.geekdelivery.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Thu, 23 Dec 2010 10:33:22 -0700 (MST)
Dec 23 10:33:22 wserver amavis[16134]: (16134-09) smtp connection cache, dt: 72.0, state: 0
Dec 23 10:33:22 wserver amavis[16134]: (16134-09) Checking: RAV2IYSSfcjM [70.65.240.122] ->
Dec 23 10:33:22 wserver amavis[16134]: (16134-09) p001 1 Content-Type: text/plain, size: 1781 B, name:
Dec 23 10:33:27 wserver postfix/smtpd[16875]: disconnect from S0106001c10f5c6f7.lb.shawcable.net[70.65.240.122]
Dec 23 10:33:33 wserver postfix/scache[16684]: statistics: start interval Dec 23 10:30:16
Dec 23 10:33:33 wserver postfix/scache[16684]: statistics: domain lookup hits=2 miss=2 success=50%
Dec 23 10:33:33 wserver postfix/scache[16684]: statistics: address lookup hits=0 miss=2 success=0%
Dec 23 10:33:33 wserver postfix/scache[16684]: statistics: max simultaneous domains=1 addresses=1 connection=1
Dec 23 10:33:37 wserver postfix/smtpd[16682]: connect from localhost[127.0.0.1]
Dec 23 10:33:37 wserver postfix/trivial-rewrite[16881]: warning: database /usr/local/etc/postfix/transport.db is older than source file /usr/local/etc/postfix/transport
Dec 23 10:33:37 wserver postfix/smtpd[16682]: A12E71B173F: client=localhost[127.0.0.1]
Dec 23 10:33:37 wserver postfix/cleanup[16730]: A12E71B173F: message-id=<201012231033.19447@stilltech.net>
Dec 23 10:33:37 wserver postfix/smtpd[16682]: disconnect from localhost[127.0.0.1]
Dec 23 10:33:37 wserver postfix/qmgr[44344]: A12E71B173F: from=, size=2985, nrcpt=1 (queue active)
Dec 23 10:33:37 wserver amavis[16134]: (16134-09) FWD via SMTP: -> ,BODY=7BIT 250 2.0.0 Ok, id=16134-09, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A12E71B173F
Dec 23 10:33:37 wserver amavis[16134]: (16134-09) Passed CLEAN, [70.65.240.122] [70.65.240.122] -> , Message-ID: <201012231033.19447@stilltech.net>, mail_id: RAV2IYSSfcjM, Hits: 0.038, size: 2565, queued_as: A12E71B173F, 15209 ms
Dec 23 10:33:37 wserver postfix/smtp[16665]: 5B80F1B173C: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=0.1/0/0.01/15, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=16134-09, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A12E71B173F)
Dec 23 10:33:37 wserver postfix/qmgr[44344]: 5B80F1B173C: removed
Dec 23 10:33:37 wserver amavis[
Re: Trying to debug message relay
On December 23, 2010 03:00:29 pm Noel Jones wrote: > On 12/23/2010 2:08 PM, Ray wrote: > > On December 23, 2010 10:48:07 am Noel Jones wrote: > >> On 12/23/2010 11:33 AM, Ray wrote: > >>> I believe that the message is being accepted by Postfix due to lines > >>> like the following in the logs > >>> > >>> Dec 23 10:12:20 wserver amavis[15273]: (15273-12) Passed CLEAN, > >>> [70.65.***.***] [70.65.***.***] -> > >>> <**...@shaw.ca>, Message-ID:<201012231011.54704@stilltech.net>, > >>> mail_id: MS2XU3vqlzc0, Hits: 0.013, size: 557, queued_as: 6CF0C1B173C, > >>> 14673 ms > >>> (redacted IP address is the machine I'm sending email from. Redacted > >>> email is on the local cabelco mail server.) > >> > >> Wow, nearly 15 seconds to scan a 557 byte message. If all > >> your amavis scans are that slow or slower you might want some > >> help from the amavis-users list. > >> > >> Anyway, on the postfix-users list we prefer to see postfix > >> logging. > >> > >>> I'm not 100% sure the problem is on the remote server, that's why I > >>> would like to trace the communication between my server and the remote > >>> server. Thanks again, > >>> Ray > >> > >> Start with showing us the one-line entry postfix/smtp makes > >> when sending to the remote server, and we'll go on from there. > >> > >> -- Noel Jones > > > > Hello all, > > thank you for your quick response. All the gory details that you asked > > for follow. I have provided the output of postconf -n, and all the log > > details for my last message to this list as an example. > > The only thing I asked for is the one-line postfix/smtp log > entry when postfix attempts delivery to the remote server > you're having trouble with. I don't see that anywhere. > > After we see that, we'll tell you if we need anything else. > I'm not sure which line that is. If you can describe it I will pick it out. 
> > My question is " is there a way to > > see in detail, through logging or simulation, what is happening when my > > mail server relays or attempts to relay, a message from me to an outside > > server that is not under my control, and for which I will never get > > logs. > > Postfix verbose logs will show in painful detail what postfix > does. This is rarely necessary and often masks the real > problem in a flood of unrelated information. > http://www.postfix.org/DEBUG_README.html#debug_peer > > A TCP sniffer such as wireshark or tcpdump will show details > of the conversation. This is rarely necessary and often > distracts from the real problem. > http://www.postfix.org/DEBUG_README.html#sniffer > yeah, I read that. I was hoping for an easier solution, but ... so be it. > >-- Noel Jones
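Added example, not part of the thread and not Postfix code: the "one-line postfix/smtp entry" asked for above is the line that carries `to=`, `relay=` and `status=` for a queue ID. With an amavis content filter the first such line only shows the hand-off to 127.0.0.1:10024, so this sketch follows the `queued as` ID across the loopback hop to the entry for the remote server. The log text is constructed (queue IDs and the loopback hop follow the excerpt in the thread; addresses, the remote relay and the deferred message are invented).

```python
import ipaddress
import re

# Constructed sample log, modelled on the excerpt posted in the thread.
# Addresses, the remote relay and the deferred message are invented.
SAMPLE_LOG = """\
Dec 23 10:33:22 wserver postfix/qmgr[44344]: 5B80F1B173C: from=<ray@example.org>, size=2565, nrcpt=1 (queue active)
Dec 23 10:33:37 wserver postfix/qmgr[44344]: A12E71B173F: from=<ray@example.org>, size=2985, nrcpt=1 (queue active)
Dec 23 10:33:37 wserver postfix/smtp[16665]: 5B80F1B173C: to=<user@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=0.1/0/0.01/15, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=16134-09, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A12E71B173F)
Dec 23 10:33:37 wserver postfix/qmgr[44344]: 5B80F1B173C: removed
Dec 23 10:33:39 wserver postfix/smtp[16670]: A12E71B173F: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.6, delays=0.05/0.01/0.9/0.64, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4F1C22A0B9)
Dec 23 10:33:39 wserver postfix/qmgr[44344]: A12E71B173F: removed
Dec 23 10:34:02 wserver postfix/smtp[16671]: C3D4E5F6A7B: to=<other@example.com>, relay=none, delay=30, delays=0.02/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[198.51.100.7]:25: Operation timed out)
"""

# One delivery attempt: "<agent>[pid]: QID: to=<rcpt>, ... relay=..., ... dsn=..., status=... (reply)"
DELIVERY_RE = re.compile(
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>,"
    r".*?relay=(?P<relay>[^,]+),.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
    r" \((?P<reply>.*)\)\s*$"
)
REQUEUE_RE = re.compile(r"queued as ([0-9A-Za-z]+)")


def is_loopback(relay):
    """True when relay=host[addr]:port points back at this machine (content filter)."""
    m = re.search(r"\[([^\]]+)\]", relay)
    if not m:
        return False  # relay=none, relay=local, relay=virtual, ...
    try:
        return ipaddress.ip_address(m.group(1)).is_loopback
    except ValueError:
        return False


def deliveries_by_qid(log_text):
    """Index every delivery-attempt line by its queue ID."""
    by_qid = {}
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m:
            by_qid.setdefault(m["qid"], []).append(m.groupdict())
    return by_qid


def trace(log_text, qid):
    """Return the delivery attempts for qid, following reinjection by a local filter.

    A "queued as" ID is followed only when the hop went to a loopback relay;
    the ID reported by a remote server belongs to that server's queue.
    """
    by_qid = deliveries_by_qid(log_text)
    hops, seen, pending = [], set(), [qid]
    while pending:
        current = pending.pop(0)
        if current in seen:
            continue
        seen.add(current)
        for hop in by_qid.get(current, []):
            hops.append(hop)
            requeued = REQUEUE_RE.search(hop["reply"])
            if hop["status"] == "sent" and is_loopback(hop["relay"]) and requeued:
                pending.append(requeued.group(1))
    return hops


def remote_attempts(hops):
    """The entries that describe what happened with the outside server."""
    return [hop for hop in hops if not is_loopback(hop["relay"])]


if __name__ == "__main__":
    for start in ("5B80F1B173C", "C3D4E5F6A7B"):
        for hop in remote_attempts(trace(SAMPLE_LOG, start)):
            print(start, "->", hop["qid"], hop["relay"], hop["dsn"], hop["status"], hop["reply"])
```

A `status=sent` entry with a non-local relay means the remote server took responsibility for the message; `status=deferred` or `status=bounced` carries the remote reply or connection error in the parentheses.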
sending a message to two separate accounts
Hello all,

I have a solution, and it seems to work, just want to know if I'm going to shoot myself in the foot.

I'm running postfix 2.6 with a number of virtual domains, all data stored in a MySql database. Server is running well and has been for a while.

When a message is sent to u...@example.com (a domain I host), I want it delivered to that account and the user's gmail account. After a little time with google, it appears that if I set up u...@example.com as usual and set up an alias mapping
u...@example.com -> u...@example.com, ...@gmail.com
everything works. Am I missing something, or is this all there is to it?

If this is correct, how many accounts can I include in that list? (Somebody is sure to ask me.)

Also, in my experiment, this seemed to introduce a small delay (45 seconds?) in the delivery to the original account. Is this my imagination, network issues or is it real?

Thanks for your help.
Ray
Re: sending a message to two separate accounts
On July 21, 2009 06:49:09 pm Sahil Tandon wrote: > On Tue, 21 Jul 2009, Ray wrote: > > I have a solution, and It seems to work, just want to know if I'm going > > to shoot myself in the foot. > > > > I'm running postfix 2.6 with a number of virtual domains, all data stored > > in a MySql database. Server is running well and has been for a while. > > > > When a message is sent to u...@example.com (a domain I host), I want it > > delivered to that account and the users gmail account. after a little > > time with google, it appears that If I set up u...@example.com as usual > > and set up an alias mapping > > u...@example.com -> u...@example.com, ...@gmail.com > > everything works. Am I missing something, or is this all there is to it? > > Use a virtual alias mapping to do this; that is all there is to it. > > > If this is correct, how many accounts can I include in that list? > > (Somebody is sure to ask me.) > > http://www.postfix.org/postconf.5.html#virtual_alias_expansion_limit > > > Also, In my experiment, this seemed to introduce a small delay (45 > > seconds?) in the delivery to the original account, is this my > > imagination, network issues or is it real? > > Without evidence (logging, at the very least), this is just speculation. > Read the DEBUG_README before posting your follow-up. So I am doing it right, thanks
regexp using virtual_alias_maps does not work?
Hi all,

I am trying to create a LAB setup using postfix 2.8.12. I have problems using the virtual_alias_maps and the regexp table (similar to the virtual-regex problem thread). I have tried to implement the suggestions in this thread but I can't get it to work. In this thread someone mentions that the regexp is recursive but I can't find this in the online documentation. The online documentation actually states that as soon as a match is found the search terminates with the result. This is consistent with the postmap -q key statement. When I run the postmap -q regexp:valias I get exactly the results I am looking for. However when running through postfix it doesn't work.

I am trying to capture all external email addresses into 1 local mailbox (on the mailserver) and relay for some local addresses. This is to prevent email going to our customers in our dev and test systems.

My main.cf looks like this:

virtual_alias_domain=regexp:/etc/postfix/valias

The valias file looks like this:

/ray@ourdomain\.com\.au/ @ourdomain.local
/.*/ mailtest/

mailtest is a local mailbox in the maildir format.

Any help is appreciated. I do not necessarily need to use the virtual-alias-maps but any setup that does what I need would be great.

Thanks in advance for any responses.
Ray
Re: regexp using virtual_alias_maps does not work?
Thanks Viktor. I managed to get it working... Not sure why recursive address rewriting is required but it seems to be working now. Thanks Ray
Is it possible to have different systems for sending email (send directly, relay host) configurable via tables?
Hello List,

on occasion I get problems with sending emails to our clients, and we send a moderate amount (some tens of thousands of mails) a day. This is strictly transactional, no commercial email.

Sometimes I have delivery problems which are very localised. Right now we seem to have difficulties only in one country and from one specific from domain.

What I would like to implement is a loose table-based system to be able to choose how I send emails. Right now I would like to say that all mails with a from of no re...@xxx.yy should be sent with relay host . And the rest should be delivered normally via smtp.

I also would like to say: if destination is @hotmail.com send with relay host , or would it be even possible to say: if mx server are COUNTRY, use relay host ?

Right now the only thing I am able to do is use dnsmasq and create fake MX records for destination domains. Which works, but it would be nice to have it directly within postfix too, so as not to rely on another piece of software.

Thank you
Best
Ray
--
Re: Is it possible to have different systems for sending email (send directly, relay host) configurable via tables?
- Original Message - > From: "Ray" > To: postfix-users@postfix.org > Sent: Wednesday, October 14, 2015 3:27:01 PM > Subject: Is it possible to have different systems for sending email (send > directly, relay host) configurable via tables? > Hello List, > on occasions I get problems with sending emails to our clients, and we sent a > moderate amount (some 10th of thousands of mails) a day. This is strictly > transactional, no comercial email. > Sometimes I have delivery problems which are very localised. Right now we > seem to have difficulties only in one country and from one speficic from > domain. > What I would like to implement is a loose table based system to be able to > choose how I sent emails. Right now I would like to say that all mails with > a from of no re...@xxx.yy should be sent with relay host . And the rest > should be delivered normally via smtp. > I also would like to say: if destination is @hotmail.com send with relay host > , or would it be even possible to say: if mx server are COUNTRY, use > relay host ? > Right now the only thing I am able to do is use dnsmasq and create fake MX > records for destination domains. Which works, but It would be nice to have > it directly within postfix too, as not to relay on another piece of > software. I think I just found the answer myself. It seems sender_dependent_default_transport_maps or sender_dependent_relayhost_maps is the way to go. I guess I should have checked the postfix docu earlier, seems as google does not have lot's of infos on that special subject. Best Ray
Re: Is it possible to have different systems for sending email (send directly, relay host) configurable via tables?
- Original Message - > From: "Wietse Venema" > To: "Postfix users" > Sent: Wednesday, October 14, 2015 7:26:05 PM > Subject: Re: Is it possible to have different systems for sending email (send > directly, relay host) configurable via tables? > Ray: > > Right now the only thing I am able to do is use dnsmasq and create fake MX > > records for destination domains. Which works, but It would be nice to have > > it directly within postfix too, as not to relay on another piece of > > software. > Note, this selects relay based on the recipient address. > > I think I just found the answer myself. It seems > > sender_dependent_default_transport_maps or sender_dependent_relayhost_maps > > is the way to go. > Note, this selects the relay based on the sender address. Right, those are two of the problems I did encounter in the past, where I used DNSMasq to differentiate the recipient domain and I wished I had know about sender_dependent_relayhost ... But now I do. > > I guess I should have checked the postfix docu earlier, seems as > > google does not have lot's of infos on that special subject. > For best results, you need to use the same words as the articles that > you want to find, so it can be a chicken and egg problem. Yeah, sometimes it seems you need to be a google ninja to find the right stuff :-) > Wietse Thank you, Best Ray --
Send a DSN report only to one specified email address
Hello,

we are a travel agency and have lots of outbound email (confirmations, vouchers, etc.). What I want to integrate now is DSN report information in our backend management software. We want the agent in the callcenter to be able to see that an email has been sent and the delivery information (Sent, not Sent, etc.).

I already have an email parsing process so it would be trivial to parse the DSN mails (I would like to avoid log-file parsing and rather act on the DSN reports), but I only see how to send error or problem DSN to a postmaster address. I do not see the possibility to disable sending DSN to the from (which could be no-reply, etc.) and to send every DSN (including success) only to a pre-defined email address.

I hope I did miss something in the documentation,

thank you,
Best
Ray
--
Re: Send a DSN report only to one specified email address
> Use VERP!
> That way bounces come back to a single address and can be processed.
> Vacation and other autoreplies use the From: header address when sending a reply.

Hello,

using VERP seems interesting, but the bounces I have already covered native with postfix (notify_class and some recipient parameter). 2Bounce is really secondary for me, what I would like is the possibility to also receive the Success DSN in some parameter defined email. VERP would handle the bounces, but not the success deliveries, right?

Thanks
Best
Ray
Re: Send a DSN report only to one specified email address
> DSNs are sent to the envelope sender, VERP changes the envelope sender, therefore VERP has effect for all DSNs.
> Wietse

OK, I will checkout VERP, sounds exactly like what I would need indeed. My remaining question would be on how to activate the Success DSN reports?

Best
Ray
--
Re: Send a DSN report only to one specified email address
- Original Message -
> From: "Wietse Venema"
> To: "Postfix users"
> Sent: Monday, July 20, 2015 4:57:43 PM
> Subject: Re: Send a DSN report only to one specified email address
>
> Postfix implements DSN as specified in RFC 3464. The Postfix command-line interface and interaction with VERP are described at http://www.postfix.org/DSN_README.html
>
> You can also use the smtpd_command_filter to force SUCCESS notification. The following is based on the examples in http://www.postfix.org/postconf.5.html#smtpd_command_filter
>
> /etc/postfix/main.cf:
>     smtpd_command_filter = pcre:/etc/postfix/command_filter
>
> /etc/postfix/command_filter:
>     # Forced success notification
>     /^(RCPT\s+TO:\s*<.*>.*)\s+(NOTIFY=NEVER.*)/ $1 $2
>     /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=(\S+.*)/ $1 NOTIFY=SUCCESS,$2
>     /^(RCPT\s+TO:.*)/ $1 NOTIFY=SUCCESS,FAILURE

Ah, OK, I saw that in some other mailing post from around 2012 (http://postfix.1071664.n5.nabble.com/Forcing-DSN-generation-without-sendmail-td49270.html#a49273), in this post Viktor said that if this feature is popular enough, it would warrant a parameter of its own. I thought it would be that popular but I guess I was wrong :-). Could you consider implementing this feature, it would be more convenient than messing with command filters.

Thank you,
Best
Ray
--
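Added example (not part of the thread and not Postfix code): a Python re-implementation of the three command_filter rules quoted in the message above, run over constructed RCPT TO lines to show what each rule does to the NOTIFY parameter. It assumes first-match-wins, case-insensitive lookup as in Postfix pcre tables; the rule names and the example.com addresses are constructed for illustration.

```python
import re

# The three rules from the quoted /etc/postfix/command_filter, in table order.
# Assumptions modelled here: matching is case-insensitive (the pcre table
# default), the first matching rule wins, and the lookup result replaces the
# whole command. A command that matches no rule passes through unchanged.
RULES = [
    ("keep NEVER", r"^(RCPT\s+TO:\s*<.*>.*)\s+(NOTIFY=NEVER.*)", r"\1 \2"),
    ("prepend SUCCESS", r"^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=(\S+.*)",
     r"\1 NOTIFY=SUCCESS,\2"),
    ("add NOTIFY", r"^(RCPT\s+TO:.*)", r"\1 NOTIFY=SUCCESS,FAILURE"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), repl)
            for name, pat, repl in RULES]


def filter_command(line):
    """Return (rule_name, rewritten_command); rule_name is None if no rule matched."""
    for name, pattern, replacement in COMPILED:
        match = pattern.search(line)
        if match:
            return name, match.expand(replacement)
    return None, line


# Constructed client commands; none of these come from the thread.
SAMPLE_COMMANDS = [
    "MAIL FROM:<alice@example.com> SIZE=1024",       # not RCPT: untouched
    "RCPT TO:<bob@example.com>",                     # no DSN request at all
    "RCPT TO:<bob@example.com> NOTIFY=NEVER",        # sender opted out
    "RCPT TO:<bob@example.com> NOTIFY=FAILURE,DELAY ORCPT=rfc822;bob@example.com",
    "RCPT TO:<bob@example.com> NOTIFY=SUCCESS",      # already asks for SUCCESS
    "RCPT TO:bob@example.com NOTIFY=FAILURE",        # no angle brackets
]


def run_samples():
    """Apply the filter to every sample and return (original, rule, rewritten)."""
    return [(cmd,) + filter_command(cmd) for cmd in SAMPLE_COMMANDS]


if __name__ == "__main__":
    for original, rule, rewritten in run_samples():
        print(f"{original}\n  rule: {rule}\n  -> {rewritten}\n")
```

The last two samples are the cases worth checking before deploying such a table: a client that already requests SUCCESS ends up with the keyword twice, and an address without angle brackets only matches the third rule, so a second NOTIFY parameter is appended after the client's own.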
Multiple Instances
Hi,

postfix-2.2.10-1.4.el4.centos.mysql_pgsql.plus

I am trying to get 2 instances to play nicely. Main SMTP server mobo blew, so had to spin up another on an alternate box. I can't get to the existing config files. Network topology is such that I have a NIC on the DMZ side and a NIC on the inside and a second virtual on the internal NIC. I am doing this on the fly since I had to press an existing box into service until the primary can be repaired or replaced. I am trying to get amavisd, etc running as we are currently getting crushed with spam.

Eth0 - 10.1.0.85 - sandbox.specialized.com (previously existing)
Eth0:0 - 10.1.0.89 - smtp-o.specialized.com (previous smtp server IP bound as a virt interface. This is the inside IP for all SMTP outbound mail from Exchange, servers, etc. Primary SMTP relay for org)
Eth1 - 192.168.3.110 - smtp.specialized.com (DMZ NIC for inbound from the outside.)

When I change the Inet_interfaces = smtp.specialized.com on the primary inbound instance the mail comes in, but can't find its way out of the box to relay to our internal Exchange server. If I leave inet_interfaces = all mail works both ways, but then I can't start the second interface as I am already bound to port 25 on all 3 interfaces.

I am assuming I am missing something silly here. Thanks to all in advance.

Ray

### Primary INBound Instance ###
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
alternate_config_directories = /etc/postfix-out
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2560
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = specialized.com
myhostname = smtp.specialized.com
mynetworks = 192.168.3.0/24 10.1.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = specialized.com, SBC.specialized.com, specialized.es, specialized.nl, specialized.eu, specialized.it, post-in.specialized.com, apesport.com, specializeduk.com, specialized.co.uk
relay_recipient_maps = hash:/etc/postfix/recipients_sbc
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender,reject_non_fqdn_recipient, reject_unknown_sender_domain,reject_unknown_recipient_domain, reject_unlisted_recipient,permit_mynetworks, reject_unauth_destination,reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,permit
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450

### Secondary Instance I am trying to get started ###
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix-out
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = smtp-o.specialized.com
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = smtp-o.specialized.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix-out
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_bind_address = 192.168.3.110
syslog_facility = mail
syslog_name = post-out
unknown_local_recipient_reject_code = 550
Intermittent User unknown
What would cause valid email addresses to be unknown periodically? They are valid before and after the following log entries and nothing on the server was changed.

This happens to something like 1-4 emails per day (sometimes 0). When it happens, all the recipient addresses in the mail are rejected.

Aug 16 09:44:29 mxs01 postfix/smtpd[15032]: NOQUEUE: reject: RCPT from mf0.ffm0.de.carpe.net[212.96.133.20]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table; from= to= proto=ESMTP helo=
Aug 16 09:44:29 mxs01 postfix/smtpd[15029]: NOQUEUE: reject: RCPT from mf0.ffm0.de.carpe.net[212.96.133.20]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table; from= to= proto=ESMTP helo=

This is a Mac OS X Snow Leopard Server with no postfix config modifications.

Thanks,
Ray
Re: Intermittent User unknown
On 19. Aug 2011, at 15:09, Ralf Hildebrandt wrote:

> * Ray Davis :
>
>> What would cause valid email addresses to be unknown periodically?
>> They are valid before and after the following log entries and nothing on the server was changed.
>
> Is postmap run on the virtual_alias_maps from time to time?

Yes - The Mac OS X user admin GUI does this whenever users are added or changed.

-R
Re: Intermittent User unknown
On 19. Aug 2011, at 15:50, Christian Roessner wrote:

> On 19.08.2011 14:56, Ray Davis wrote:
>> What would cause valid email addresses to be unknown periodically? They are valid before and after the following log entries and nothing on the server was changed.
>>
>> This happens to something like 1-4 emails per day (sometimes 0). When it happens, all the recipient addresses in the mail are rejected.
>>
>> Aug 16 09:44:29 mxs01 postfix/smtpd[15032]: NOQUEUE: reject: RCPT from mf0.ffm0.de.carpe.net[212.96.133.20]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table; from= to= proto=ESMTP helo=
>> Aug 16 09:44:29 mxs01 postfix/smtpd[15029]: NOQUEUE: reject: RCPT from mf0.ffm0.de.carpe.net[212.96.133.20]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table; from= to= proto=ESMTP helo=
>>
>> This is a Mac OS X Snow Leopard Server with no postfix config modifications.
>
> So you are using OpenDirectory for your user accounts? Maybe this service does have some problems?

Yes, OpenDirectory. I don't know if it has any problems - was hoping someone here would know. But it's a hint to search in that direction.

-R
Re: Intermittent User unknown
On 19. Aug 2011, at 15:11, Wietse Venema wrote:

> Ray Davis:
>> What would cause valid email addresses to be unknown periodically? They are valid before and after the following log entries and nothing on the server was changed.
>>
>> This happens to something like 1-4 emails per day (sometimes 0). When it happens, all the recipient addresses in the mail are rejected.
>>
>> Aug 16 09:44:29 mxs01 postfix/smtpd[15032]: NOQUEUE: reject: RCPT from mf0.ffm0.de.carpe.net[212.96.133.20]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table; from= to= proto=ESMTP helo=
>> Aug 16 09:44:29 mxs01 postfix/smtpd[15029]: NOQUEUE: reject: RCPT from mf0.ffm0.de.carpe.net[212.96.133.20]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table; from= to= proto=ESMTP helo=
>>
>> This is a Mac OS X Snow Leopard Server with no postfix config modifications.
>
> Postfix does not use virtual aliases UNLESS if you configure it to do so.
>
> Please follow instructions in http://www.postfix.org/DEBUG_README.html#mail as requested in the mailing list welcome message.
>
> Wietse

I was expecting an answer like "oh this is a known problem" or "this could happen when sender is ..., or when dns ..., or when the xyz file is locked or ..." I didn't expect a config problem since this is a standard Mac OS config.

Below is the postconf & postfinger output.
Thanks,
Ray

# postconf -n
2bounce_notice_recipient = postmaster
access_map_reject_code = 554
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map =
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = $double_bounce_sender
address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_mail_to_commands = alias, forward
allow_mail_to_files = alias, forward
always_bcc =
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
application_event_drain_time = 100s
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone
backwards_bounce_logfile_compatibility = yes
berkeley_db_create_buffer_size = 16777216
berkeley_db_read_buffer_size = 131072
best_mx_transport =
body_checks_size_limit = 51200
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 5
bounce_template_file =
canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
check_for_od_forward = yes
cleanup_service_name = cleanup
command_directory = /usr/sbin
command_execution_directory =
command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
command_time_limit = 1000s
config_directory = /etc/postfix
connection_cache_protocol_timeout = 5s
connection_cache_service_name = scache
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter =
cyrus_sasl_config_path =
daemon_directory = /usr/libexec/postfix
daemon_timeout = 18000s
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list =
default_database_type = hash
default_delivery_slot_cost = 5
default_delivery_slot_discount = 50
default_delivery_slot_loan = 3
default_destination_concurrency_failed_cohort_limit = 1
default_destination_concurrency_limit = 20
default_destination_concurrency_negative_feedback = 1
default_destination_concurrency_positive_feedback = 1
default_destination_rate_delay = 0s
default_destination_recipient_limit = 50
default_extra_recipient_limit = 1000
default_minimum_delivery_slots = 3
default_privs = nobody
default_process_limit = 100
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
default_recipient_limit = 2
default_recipient_refill_delay = 5s
default_recipient_refill_limit = 100
default_transport = smtp
default_verp_delimiters = +=
defer_code = 450
defer_service_name = defer
defer_transports =
delay_logging_resolution_limit = 2
delay_notice_recipient = postmaster
delay_warning_time = 0h
deliver_lock_attempts = 20
deliver_lock_delay = 1s
destination_concurrency_feedback_debug = no
detect_8bit_encoding_header = yes
dont_remove = 0
double_bou
Re: Intermittent User unknown
On 19. Aug 2011, at 15:56, Ralf Hildebrandt wrote:

> * Ray Davis :
>> On 19. Aug 2011, at 15:09, Ralf Hildebrandt wrote:
>>
>>> * Ray Davis :
>>>
>>>> What would cause valid email addresses to be unknown periodically?
>>>> They are valid before and after the following log entries and nothing on the server was changed.
>>>
>>> Is postmap run on the virtual_alias_maps from time to time?
>>
>> Yes - The Mac OS X user admin GUI does this whenever users are added or changed.
>
> Do the times coincide with the rejections?

I thought about that, but there were no changes made on the 16th (when my log messages occurred). Also, the problem occurs at random times or even multiple times in the same hour or two, so I don't expect it to be a periodic system level update.

-R
Re: Intermittent User unknown
On 19. Aug 2011, at 16:22, Wietse Venema wrote:

> Wietse:
>>> Postfix does not use virtual aliases UNLESS if you configure it to do so.
>>>
>>> Please follow instructions in http://www.postfix.org/DEBUG_README.html#mail as requested in the mailing list welcome message.
>
> Ray Davis:
>> virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
>> virtual_alias_maps = hash:/etc/postfix/virtual_users
>
> Look at the last modification time of /etc/postfix/virtual_domains.db.
>
> Does that time stamp correspond with "user unknown" errors?

No, that hasn't changed in ages...

-rw-r--r--@ 1 root wheel232 Dec 22 2009 virtual_domains
-rw-r- 1 root wheel 16384 Dec 22 2009 virtual_domains.db

virtual_users was changed and updated today, so I'll have to check it the next time I see the problem.

Thanks,
Ray
Re: Intermittent User unknown
On 19. Aug 2011, at 16:32, Christian Roessner wrote:

>> Yes, OpenDirectory. I don't know if it has any problems - was hoping someone here would know. But it's a hint to search in that direction.
>
> I know from a colleague that he sometimes does have problems with OpenDirectory.

We haven't had any known problems so far (really simple server setup).

> I personally also think about the filesystem HFS+. Did your server have a crash or something similar in the past? I know from my Mac that this always makes trouble with the filesystem. Maybe a test with the disk utility might be helpful as well (just because mapfile, mapfile.db mtime stuff).

Good point. Just made a fsck with Disk Utility and it was happy. But maybe I'll re-postmap all the postfix db files - just in case.

Thanks,
Ray
Unable to send or receive mail
using this account because my postfix gateway can no longer send or receive mail.

upgraded from v2.10.1 to v2.10.3 this morning. Since that time, unable to send or receive mail. If anyone can help me debug this issue, much appreciated.

Errors seen:

Apr 12 14:33:02 portus postfix/smtpd[10743]: initializing the server-side TLS engine
Apr 12 14:33:02 portus postfix/master[10667]: warning: process /usr/libexec/postfix/smtpd pid 10743 killed by signal 11
Apr 12 14:33:02 portus postfix/master[10667]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

The "TLS" portion of my "main.cf" looks like (was not changed during update):

smtp_tls_note_starttls_offer = no
smtpd_tls_auth_only = no
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_dh2048_param_file = /etc/postfix/dh2048.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh1024.pem
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server_selfsign.crt
smtpd_tls_CAfile = /etc/postfix/ssl/server_selfsign.crt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/postfix/exchange2.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
Re: Unable to send or receive mail
Viktor:

I re-compiled without TLS:

make makefiles
make
make upgrade

Restarted postfix and send/receive restored (without TLS)

When I use the following command to compile TLS into my postfix build:

make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -I/usr/local/include/sasl -I/usr/local/ssl/include" AUXLIBS="-L/usr/local/lib -L/usr/local/ssl/lib -lsasl2 -lssl -lcrypto"
make
make upgrade

once postfix is restarted with the above commands, postfix fails with:

Apr 12 15:38:07 portus postfix/master[20185]: warning: process /usr/libexec/postfix/smtpd pid 20191 killed by signal 11

path to openssl is:

bash-3.00# which openssl
/usr/local/bin/openssl
-bash-3.00# /usr/local/ssl/bin/openssl version
OpenSSL 1.0.1g 7 Apr 2014

Any idea on why TLS is not compiling? Obvious that "make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS..." is the culprit, just not sure how to fix.

On Saturday, April 12, 2014 2:54 PM, Viktor Dukhovni wrote:

On Sat, Apr 12, 2014 at 02:39:15PM -0700, Edward Ray wrote:

> Apr 12 14:33:02 portus postfix/smtpd[10743]: initializing the server-side TLS engine
> Apr 12 14:33:02 portus postfix/master[10667]: warning: process /usr/libexec/postfix/smtpd pid 10743 killed by signal 11

Download and re-install mutually compatible vendor distributions of the Postfix and OpenSSL software.

> Apr 12 14:33:02 portus postfix/master[10667]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

If the symptoms persist, try:

http://www.postfix.org/DEBUG_README.html#screen

and report a stack trace for the segmentation fault.

--
Viktor.
Feature Discussion: Handling large numbers of IPv6 Remote Sessions in Anvil
Hi. Long time user of postfix here wanting to discuss Anvil.

In IPv4, the max number of sessions per remote site is pretty much limited by the scarcity of IPv4 together with 65535 source port numbers. So individual remote sites were limited in what they could do by the underlying infrastructure and Anvil could track individual remote machines.

I've been doing some investigation into the performance of Anvil when confronted by large numbers of IPv6 sessions. With IPv6, the address space is much larger, and individual users have much more source address space allocated per site, and I wanted to know if individual /64 and /48 address ranges could be used to mount any sort of meaningful attack, and whether this could be prevented by Anvil.

The baseline problem statement would be: Can Anvil store enough state to be able to track (and filter) a DoS attack or resource depletion attack from an individual IPv6 site, whilst still being able to provide service to other remote sites, and not hogging the host machine's resources entirely?

The parameters would be:

- single attacker with access to a few /64's or /48's of address space. Not trying to fend off a distributed million-node botnet.
- mail server with 100Mbps full-duplex Internet connection = 5 sessions per second approx (10 packets per second with SYN, SYN-ACK, ACK three way handshake)
- storage time of approx 30-60 seconds.

If you multiply that up, that's 3 million sessions per minute/ 3 million sessions worth of storage in Anvil [assuming everything else can keep up].

My results rather surprised me so far: the limit on Anvil seemed to be very much related to the CPU processing time, and network bandwidth, rather than the storage involved, although it's early days in my testing/experimenting.

So I've been looking at a self-pruning Patricia Tree to store IPv6 sessions quickly and efficiently as an alternative, whilst at the same time being able to track on multiple prefix lengths simultaneously.

On my machine I can get close to the required performance without very much optimization at all (again mainly limited by CPU). I seem to be able to get around 2.5 million remote addresses stored in 60 seconds using approx 8GB of memory in a pure test of the hash storage (without daemon overhead). Compared to the original hash function that's only about 1/10 as fast as the original code (I think I can still speed it up quite a bit by avoiding unnecessary string copying etc.)

But the Patricia Tree does allow simultaneous tracking on all nibble boundaries e.g. to limit a /64 range to 100 concurrent connections whilst a /48 could allow e.g. 400 concurrent connections. And once a limit is triggered I could avoid storing any further state beyond that point in the tree i.e. for longer prefix lengths. Whereas I suspect the original code would allow a single user with access to a /48 or /64 to swamp postfix with several million sessions without anvil even detecting that at all.

Is this the correct list to discuss this? Thoughts? Is there anyone interested in taking this further?

--
Regards,
RayH
Feature Discussion: Handling large numbers of IPv6 Remote Sessions in Anvil
re: Feature Discussion: Handling large numbers of IPv6 Remote Sessions in Anvil

Wietse wrote:

> Anvil currently does not consider whether IP addresses in the same address range. There are plenty legitimate mail servers in the same /24 block, and I expect that IPv6 will be no different.
>
> When the anvil daemon runs into a memory resource limit, it terminates with a fatal error message, and it is immediately restarted by the master daemon. It is not the end of the world.
>
> To arrive at realistic numbers you need to take into consideration that all anvil requests are mediated by an SMTP daemon process, and that the SMTP daemon introduces significant latency. If you go too fast, then you end up SYN-flooding the site.
>
> I don't see why we can't discuss this on list.
>
> Wietse

Thanks for the reply.

Yes, I understand there's the overhead of the smtpd first having to contact anvil, so if everything was session set up traffic this would indeed be equivalent to a SYN attack on the whole site. I just wanted to have a lower bound of performance to shoot for that was realistic for a typical 100MB fiber SME connection.

I see this as (a small) part of a layered defence, in the same way anvil tracks at multiple levels (connect, TLS ) So you could potentially use this in a larger set up in combination with multiple postfix servers, hidden MX records using BIND view, RFC7098 stateless IPv6 flow label load balancing, firewall rate filters etc. etc.

I'd just like to focus on this one area of the difference between tracking IPv4 and IPv6 if you don't mind, as I think I might be able to book some progress resulting in running code.

I think there's definitely a balance to be struck e.g. between being able to defend what is a huge address space of IPv6/48 available to a single user, and generating false positives for individual IPv6/64's containing multiple legitimate clients (that happen to fall within a particular /48).

I was thinking of incorporating variable limits per range (based on longest prefix matching) although that might just get too complex/ slow. I can imagine being more lenient with respect to the number of clients served from my own /32 range compared to the number of connections permitted from an unknown /48 address range.

Does anyone have any idea what is a realistic number of remote sessions that a single smtpd can concurrently process? That would also help me get a handle on how scalable this would need to be. Is it 100, 1000 or 1 sessions?

MfG Robert Schetterer wrote:

> To give you some ideas perhaps look at
>
> https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>
> sorry german too ,but tec side should be understandable anyway for sure there many other aspects more in this discussion question
>
> Best Regards
> MfG Robert Schetterer

Thanks for the tips! I can also read German.

Interesting defence: iptables being implemented in the kernel is much quicker than starting a daemon.

However, a similar problem might arise in that an IPv6 DNSRBL would also have to be prefix length aware. Otherwise even a lone attacker or limited group of attackers can generate load from enough different source addresses within a /64 or /48 so that only one packet arrives from each IPv6/128.

The following post highlights the difficulty that there's no reliable way today to know the prefix length structure within a remote organisation.

http://www.circleid.com/posts/20120526_running_dnsbls_in_an_ipv6_world/

AFAIK the https://virbl.bit.nl IPv6 RBL tracks on a fixed /64 prefix length.

An attacker could also potentially fill up your ip6table with many redundant entries if you didn't adapt your rule-creation strategy when porting from IPv4 to IPv6, meaning your defence could potentially become the attack vector.

So e.g. a Hurricane Electric tunnelbroker user with access to a /48 could have a 2^16 advantage over legitimate /64 users. 2^16 is a lot of additional firewall rules to process. Equivalent to an individual having access to a class B in the IPv4 world.

So perhaps an adaptive prefix-length tracking method might also be applicable to an ip6tables firewall defence for IPv6: more than n* /64 firewall entries are instead replaced by 1* /56 or 1* /48 rule as appropriate in your rule creation scripts.

--
Regards,
RayH
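Added example (not part of the thread, and not anvil or Postfix code): a sketch of the multi-prefix-length tracking described in the two messages above, using the 100-per-/64 and 400-per-/48 figures mentioned there. It swaps the Patricia tree for plain dictionaries keyed by the truncated prefix, the class and function names are hypothetical, and the 2001:db8:: documentation addresses are constructed.

```python
import ipaddress
from collections import Counter


class PrefixTracker:
    """Count concurrent sessions per IPv6 prefix at several prefix lengths."""

    def __init__(self, limits):
        # limits: {prefix_length: max concurrent sessions}, shortest prefix first
        self.limits = sorted(limits.items())
        self.counts = {plen: Counter() for plen, _ in self.limits}

    def _keys(self, addr):
        value = int(ipaddress.IPv6Address(addr))
        return [(plen, limit, value >> (128 - plen)) for plen, limit in self.limits]

    def connect(self, addr):
        """Return None if accepted, else the prefix whose limit was reached."""
        keys = self._keys(addr)
        for plen, limit, key in keys:
            # Counter lookups of unseen keys return 0 without storing anything,
            # so a refused session adds no state at any longer prefix length.
            if self.counts[plen][key] >= limit:
                return str(ipaddress.IPv6Network((key << (128 - plen), plen)))
        for plen, _, key in keys:
            self.counts[plen][key] += 1
        return None

    def disconnect(self, addr):
        """Release an accepted session; entries that reach zero are pruned."""
        for plen, _, key in self._keys(addr):
            table = self.counts[plen]
            if table[key] > 1:
                table[key] -= 1
            else:
                table.pop(key, None)

    def state_size(self):
        return sum(len(table) for table in self.counts.values())


def simulate():
    """Constructed traffic: one source rotating /64s, one rotating host addresses."""
    tracker = PrefixTracker({48: 400, 64: 100})
    per_address = Counter()  # what a tracker keyed on the full /128 would see

    def offer(addresses):
        accepted, blocked_by = 0, set()
        for addr in addresses:
            per_address[addr] += 1
            verdict = tracker.connect(addr)
            if verdict is None:
                accepted += 1
            else:
                blocked_by.add(verdict)
        return accepted, blocked_by

    # 10,000 sessions, each from a different /64 inside one /48.
    base_a = int(ipaddress.IPv6Address("2001:db8:aaaa::"))
    rotating_48 = [ipaddress.IPv6Address(base_a + (i << 64) + 1) for i in range(10_000)]
    # 1,000 sessions, each from a different address inside one /64.
    base_b = int(ipaddress.IPv6Address("2001:db8:bbbb:1::"))
    rotating_64 = [ipaddress.IPv6Address(base_b + i) for i in range(1, 1001)]

    a_ok, a_blocked = offer(rotating_48)
    b_ok, b_blocked = offer(rotating_64)
    return {
        "rotating_48_accepted": a_ok,
        "rotating_48_blocked_by": a_blocked,
        "rotating_64_accepted": b_ok,
        "rotating_64_blocked_by": b_blocked,
        "unrelated_client": tracker.connect("2001:db8:cccc::25"),
        "tracker_entries": tracker.state_size(),
        "per_address_entries": len(per_address),
        "per_address_max": max(per_address.values()),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

In the simulated run no single address ever opens more than one session, so a counter keyed on the full address never reaches any limit, while the prefix tracker caps both sources and holds a few hundred entries instead of one per address seen.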
Suppress logs for monitor connections
We are load balancing our Postfix servers and as part of that there is a connection test to ensure the services are running. So the logs fill with connection checks. Is there a way to suppress those connections from the logs? Thanks in advance, Ray
Suppress connection logging for IP
Hi, We have a load balancer that opens a connection to the SMTP port on our postfix boxes to ensure the ports are alive and kicking. But obviously, this generates a lot of log clutter that is not needed. How would I go about suppressing the connect from... / disconnect from... log entry for this particular IP? Thanks in advance, Ray
pseudo mail relay which stores inbound emails
A customer wants a mail relay for testing to SAP applications. It should take all relayed email and save it to a local mailbox (or forward it to another email address) - but it should not actually send the emails further to the recipient.

I know that sender_bcc_map can take care of saving the emails, but how can I keep the server from sending the mail further? I need an all_emails_from_sender_go_to_dev_null option? ;)

Or do I need to set up a separate mail server for this with sender_bcc_map and a default transport which silently sends the email to /dev/null?

Any suggestions would be more than welcome!

Thanks,
Ray
Re: pseudo mail relay which stores inbound emails
On 18. Sep 2014, at 19:01, Wietse Venema wrote:

> Ray Davis:
>> A customer wants a mail relay for testing to SAP applications. It should take all relayed email and save it to a local mailbox (or forward it to another email address) - but it should not actually send the emails further to the recipient.
>>
>> I know that sender_bcc_map can take care of saving the emails, but how can I keep the server from sending the mail further? I need an all_emails_from_sender_go_to_dev_null option? ;)
>>
>
> REPLACE the recipient, instead of ADDING one.

Except the customer wants to see the email unmodified from their SAP software. But now that I see there is a transport discard:silently, then I can just set up a private postfix server with sender_bcc_map and discard:silently.

Thanks!
Ray

>
> Wietse
>
>> Or do I need to set up a separate mail server for this with sender_bcc_map and a default transport which silently sends the email to /dev/null?
>>
>> Any suggestions would be more than welcome!
>>
>> Thanks,
>> Ray
best approach to filtering one specific case?
Hello all-

New to Postfix, inexperienced in mail system setups, foolishly volunteered to tackle upgrading mail servers at work and now stuck up the creek without a paddle.

Recently set up some new mail servers running postfix and using amavis-spamassassin-clamav to do AS/AV. I've used mostly defaults, tweaked a few settings and for the most part it is working well -- a testament to people much smarter than I doing sane things for defaults.

However, I've hit a snag trying to iron out a last few "glitches" in the system. In amavis, I have banned certain attachments and I warn the sender and recipient if that happens. However, for one email address in particular, I don't want to send the banned message (it doesn't end up in an inbox, but gets thrown to a script and imported into an internal web application). I'm asking on the Amavis mailing list, but assuming I can't stop that message there, I'm looking to stop it in postfix.

The basic condition I'm trying to deal with is a message that has a certain subject *and* is destined for a particular address. I've been trying to wrap my head around the documentation. If I understand it, I can't use header_checks directly as those are evaluated individually, line-by-line; however, I may be able to use header_checks to call a content filter so that only a subset of messages are filtered, minimizing the impact on efficiency.

So I have a couple questions:

First, is this a reasonable approach or am I missing something simpler and more straightforward? While my situation only needs to cope with one address for the time-being, it is very possible that it would need to expand to encompass other addresses in this functionality in the first place.

Secondly, I've heard that it is "better" to use milters (before-queue filters?) as opposed to content filters (after-queue filters?), though the reasons I've heard might not apply in this case. However, if it is the case, can I configure a milter to only run on one of postfix's listening interfaces? Since this message will only be coming from Amavis directly, it would be a waste of time to have the milter listen on the internet interface.

Thanks all,
Mike Ray
Re: best approach to filtering one specific case?
>- Original Message -
>From: "Wietse Venema"
>To: "Postfix users"
>Sent: Thursday, November 6, 2014 1:26:29 PM
>Subject: Re: best approach to filtering one specific case?
>
>Mike Ray:
>> The basic condition I'm trying to deal with is a message that has
>> a certain subject *and* is destined for a particular address.
>
>Hi, I wrote Postfix. Postfix does not do combinations of headers
>and other stuff. Such things are supposed to be "outsourced" to
>external filters such as Amavisd, Milters, and the like.
>
>You might be able to cobble together something with header_checks
>and such, but the solution falls apart when a requirement changes.
>
>> Secondly, I've heard that it is "better" to use milters (before-queue
>> filters?) as opposed to content filters (after-queue filters?),
>
>There is no fundamental difference in functionality between Milters
>and other before-queue filters. The main difference with after-queue
>filters is that an after-queue filter can be chosen dynamically.
>
> Wietse

I should have been more clear. I understand that header_checks can't be checked together, but do you all think it reasonable to have a header_check for that specific address and then call a filter specific to this situation, one that could analyze the compound condition, or do you all avoid this kind of setup (if so, why)?

E.g.

/etc/postfix/main.cf:
    header_checks = /etc/postfix/checkme

/etc/postfix/checkme
    /this_one_address@my.domain/ FILTER foo:bar

Or have I misunderstood: http://www.postfix.org/FILTER_README.html#dynamic_filter ?

-Mike
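The compound test discussed in this thread (a certain subject *and* a particular recipient), as it could be written inside an external filter that is handed the message together with its envelope recipients. This is an added example, not code from the posters or from Postfix; the subject pattern, the sample messages and bob@my.domain are constructed, and the target address is the placeholder from the post.

```python
import re
from email import message_from_bytes, policy

# Assumptions: the address is the one from the post above; the subject
# pattern is a placeholder for whatever the real notification uses.
TARGET_RCPT = "this_one_address@my.domain"
SUBJECT_RE = re.compile(r"^\s*BANNED\b", re.IGNORECASE)


def recipients_to_keep(raw_message, envelope_rcpts):
    """Return the envelope recipients that should still get the message.

    TARGET_RCPT is dropped only when the Subject also matches, i.e. the
    compound condition (subject AND recipient) from the thread.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    # policy.default unfolds the header and decodes RFC 2047
    # encoded-words, so the pattern runs on the readable subject text.
    subject = str(msg.get("Subject", ""))
    if not SUBJECT_RE.search(subject):
        return list(envelope_rcpts)
    # Compare case-insensitively and tolerate <angle brackets>.
    return [r for r in envelope_rcpts
            if r.strip().strip("<>").lower() != TARGET_RCPT]


# Constructed sample messages (not taken from any real log or mailbox).
PLAIN = (b"From: postmaster@my.domain\r\n"
         b"To: this_one_address@my.domain\r\n"
         b"Subject: BANNED contents (constructed sample)\r\n\r\nbody\r\n")
ENCODED = PLAIN.replace(b"BANNED contents (constructed sample)",
                        b"=?utf-8?Q?BANNED_contents?=")
OTHER = PLAIN.replace(b"BANNED contents", b"Weekly report")

if __name__ == "__main__":
    rcpts = ["this_one_address@my.domain", "bob@my.domain"]
    for name, raw in (("plain", PLAIN), ("encoded", ENCODED), ("other", OTHER)):
        print(name, "->", recipients_to_keep(raw, rcpts))
```

An empty list back means no recipient is left to receive that message; any other result is the recipient set the filter would pass on.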
Smart Host
Hi,

I have a configuration change to make to our postfix relays and I want to confirm it will work as intended (before I mis-route email for 1,000 people).

I think I have what is a fairly common Postfix environment - Dual instances -

Instance 1 for inbound - AmavisD, Spamassassin, and some other "secret sauce". 99.9% of this inbound email is scanned with amavisd, and a few other checks, and is passed to our Exchange servers.

Instance 2 for outbound - We directly deliver email today. The outbound instance is used for all internal email systems (Exchange, other *nix systems, scanners, etc).

We are changing our filtering and archiving so that we will need to route outbound (Internet destined) mail through a service provider instead of direct delivery. Since this environment is primarily a relay server, I seem to be having an issue wrapping my head around using a smarthost and yet still sending email internally.

Will the smarthost send everything out to the smarthost destination? Or will it still use mail routing as defined in Transport to internal emails? For instance, if an internal *nix box sends a message to someone in our domain today, it uses the Transport definitions to locate the Exchange servers. If I define a smarthost, will it still look at Transport? Or will it send it out to the smarthost?

Thanks
RD
Re: Current Postfix RPMs?
On Thu, Jul 08, 2010 at 12:32:43AM +0100, Matthew Valentino wrote:
> I'm new to Postfix, and I'm learning all I can from the readme files.
> However, I'm using CentOS 5.5 and the repo contains v2.3 of postfix.
> Building from source is causing strange problems with yum. Is there anywhere
> I don't know about where I can find an RPM for a current version of Postfix?

My question would be -- do you really need it? Especially for a production deployment, it's nice to use the vendor provided packages as they will receive regular security updates and such.

If I recall, however, there is an updated version in CentOS-extras (or maybe it's centosplus, I forget). Your other "RedHat'ish" option would be to rebuild the Fedora 13 SRPMs for CentOS. Could be a bit of a learning curve there though. :)

If possible, just stick with 2.3 unless there's some specific feature you're missing.

Ray
Re: Distribution lists with Postfix
On Mon, Dec 13, 2010 at 03:24:03PM +0100, Michael Grimm wrote:
> Is there maybe an even more simple approach to this using standard
> postfix functionality? The distribution lists are very static and do
> not require adjustments very often.

/etc/aliases? :)

Ray