Issue with pipe mail to script

2009-03-15 Thread Simon
Hi There, We are running postfix on debian etch and are using mysql to
store the transport and alias info and having an issue that i need a
little assistance with please. Here is the config:

mydestination = mysql:/etc/postfix/mysql-transport.cf
transport_maps = mysql:/etc/postfix/mysql-transport.cf
virtual_alias_maps=mysql:/etc/postfix/mysql-aliases.cf

Here are the config files:

mail-in1:/etc/postfix# cat mysql-aliases.cf
user = mail-in1
password = password
hosts = 210.xx.xx.xxx
dbname = postfix
table = aliases
select_field = destination_address
where_field = origin_address

mail-in1:/etc/postfix# cat mysql-transport.cf
user = mail-in1
password = password
dbname = postfix
table = transport
hosts = 210.xx.xx.xxx
select_field = transport
where_field = domain

So, in the transport table we have:

domain = testdomain.co.nz
transport = dbmail-lmpt:210.xx.xx.xxx:24

and in the aliases table we have:

origin_address = t...@testdomain.co.nz
destination_address = t...@testdomain.co.nz

Now - this works fine.. But as soon as i add a pipe to the
destination_address like this:

origin_address = t...@testdomain.co.nz
destination_address = |/usr/local/autoresponder/autoresponder.php

Then we get the following:

Mar 16 11:19:41 mail-in1 amavis[1100]: (01100-07) FWD via SMTP:
 ->
<|/usr/local/autoresponder/autoresponder@mail-in1>, 250 2.6.0 Ok,
id=01100-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
3397D482CD
Mar 16 11:19:41 mail-in1 postfix/smtpd[31965]: disconnect from
localhost[127.0.0.1]
Mar 16 11:19:41 mail-in1 postfix/smtpd[31660]: connect from localhost[127.0.0.1]
Mar 16 11:19:41 mail-in1 postfix/smtpd[31660]: 413D048303:
client=localhost[127.0.0.1]
Mar 16 11:19:41 mail-in1 postfix/qmgr[7588]: 3397D482CD:
from=, size=4776, nrcpt=1 (queue active)
Mar 16 11:19:41 mail-in1 postfix/smtpd[1092]: connect from localhost[127.0.0.1]
Mar 16 11:19:41 mail-in1 postfix/smtpd[1092]: NOQUEUE: reject: RCPT
from localhost[127.0.0.1]: 550 5.1.1
<|/usr/local/autoresponder/autoresponder@mail-in1>: Recipient
address rejected: User unknown in local recipient table;
from=
to=<|/usr/local/autoresponder/autoresponder@mail-in1> proto=ESMTP
helo=
Mar 16 11:19:41 mail-in1 postfix/smtp[1096]: 3397D482CD:
to=<|/usr/local/autoresponder/autoresponder@mail-in1>,
relay=127.0.0.1[127.0.0.1]:587, delay=0.07, delays=0.06/0/0/0.01,
dsn=5.1.1, status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.1.1
<|/usr/local/autoresponder/autoresponder@mail-in1>: Recipient
address rejected: User unknown in local recipient table (in reply to
RCPT TO command))

Can someone please assist with this issue?

Thanks

Simon


Re: Issue with pipe mail to script

2009-03-18 Thread Simon
On Tue, Mar 17, 2009 at 7:57 AM, Simon  wrote:
> On Mon, Mar 16, 2009 at 11:35 PM, Wietse Venema  wrote:
>> You are expanding the virtual alias BEFORE the Amavis filter,
>> and another time after mail is filtered.
>>
>> See http://www.postfix.org/FILTER_README, and look for examples
>> with receive_override_options.
>
> Thanks again.. OK: So the mail is getting delivered before amavis,
> which is fine for the normal address..  but the pipe gets delivered,
> then after amavis gets delivered again? Is that right?
>
> I need postfix to accept mail based on the virtual aliases, filter the
> mail thru amavis, then deliver the mail to dbmail via dbmail-lmtp - am
> i going about this the correct way?
>

Bump.. can anyone check out this and see if i have things right?


Re: Issue with pipe mail to script

2009-03-18 Thread Simon
On Thu, Mar 19, 2009 at 10:39 AM, mouss  wrote:
> Simon wrote:
>> On Tue, Mar 17, 2009 at 7:57 AM, Simon  wrote:
>>> On Mon, Mar 16, 2009 at 11:35 PM, Wietse Venema  wrote:
>>>> You are expanding the virtual alias BEFORE the Amavis filter,
>>>> and another time after mail is filtered.
>>>>
>>>> See http://www.postfix.org/FILTER_README, and look for examples
>>>> with receive_override_options.
>>> Thanks again.. OK: So the mail is getting delivered before amavis,
>>> which is fine for the normal address..  but the pipe gets delivered,
>>> then after amavis gets delivered again? Is that right?
>>>
>>> I need postfix to accept mail based on the virtual aliases, filter the
>>> mail thru amavis, then deliver the mail to dbmail via dbmail-lmtp - am
>>> i going about this the correct way?
>>>
>>
>> Bump.. can anyone check out this and see if i have things right?
>
> you need no pipe with amavisd-new.
>
> if mail gets delivered twice, you probably forgot to disable rewrite
> before amavisd-new. check amavisd-new README.postfix and follow it
> strictly. only when you get things working can you start customization.

Sorry - i need to understand this correct in my head.

Currently i have it setup like this:

Network > Postfix > Content Filter (amavis) > Postfix > Network (DBMail)

What is happening is listed in the thread, but basically the alias
that allows postfix to accept mail for t...@testdomain.co.nz, and then
deliver it thru the system to dbmail is working fine. It's when i add a
2nd alias for t...@testdomain.co.nz that points it to the
autoresponder service (defined in master.cf).. I get 2 emails
delivered to the autoresponder. So am i correct that in the above
flow, it is delivering the mail to the autoresponder script before and
after amavis?

Simon


Re: Issue with pipe mail to script

2009-03-20 Thread Simon
On Fri, Mar 20, 2009 at 11:49 AM, mouss  wrote:

>
> That's possible. please do what I told you. if you did and you still
> have a problem, feel free to ask. but it's annoying for us to help fix
> problems that are known and for which the solution is as easy as to
> follow well documented procedures.

OK.. sorry, just wanted to understand the issue. I have now changed this:

127.0.0.1:10025 inet n  -   n -   -  smtpd
..
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

to this:

127.0.0.1:10025 inet n  -   n -   -  smtpd
..
  -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks

And it works a treat! Thank you. So it works, but did i use
no_address_mappings correct in this case?

Thanks

Simon
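
Added example, not part of the thread and not Postfix's own tooling: a small Python check that reads main.cf and master.cf text and reports on which smtpd listeners address mappings (virtual alias expansion) still run, so a setup that expands aliases both before and after the content filter shows up. The sample configs are constructed; the port-25 "smtp" listener and the "-o content_filter=" override on the 10025 listener are assumptions (the post elides those lines with ".."), the receive_override_options values are the ones quoted above.

```python
import re

def logical_lines(text):
    """Join Postfix continuation lines (leading whitespace) and drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main_cf(text):
    params = {}
    for line in logical_lines(text):
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params

def parse_master_cf(text):
    """Return one dict per service with its command and its -o overrides."""
    services = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue
        overrides, args, i = {}, fields[8:], 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                overrides[key] = value
                i += 2
            else:
                i += 1
        services.append({"name": fields[0], "command": fields[7],
                         "overrides": overrides})
    return services

def effective(service, main, param):
    # A master.cf -o override wins over main.cf, even when it is empty.
    return service["overrides"].get(param, main.get(param, ""))

def mapping_report(main_text, master_text):
    """List smtpd listeners that still apply address mappings, split by
    whether mail accepted there goes on to the content filter."""
    main = parse_main_cf(main_text)
    before, after = [], []
    for svc in parse_master_cf(master_text):
        if svc["command"] != "smtpd":
            continue
        opts = re.split(r"[,\s]+",
                        effective(svc, main, "receive_override_options"))
        if "no_address_mappings" in opts:
            continue
        if effective(svc, main, "content_filter"):
            before.append(svc["name"])
        else:
            after.append(svc["name"])
    return {"before_filter": before, "after_filter": after,
            "expanded_twice": bool(before and after)}

# Constructed sample configuration (assumed lines are described in the lead-in).
MAIN_CF = """\
content_filter = smtp-amavis:[127.0.0.1]:10024
virtual_alias_maps = mysql:/etc/postfix/mysql-aliases.cf
"""

MASTER_BEFORE = """\
smtp      inet  n  -  -  -  -  smtpd
127.0.0.1:10025 inet n  -   n -   -  smtpd
  -o content_filter=
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"""

# Same file with the change from the post applied to the 10025 listener.
MASTER_AFTER = MASTER_BEFORE.replace(
    "receive_override_options=",
    "receive_override_options=no_address_mappings,")

if __name__ == "__main__":
    for label, master in (("before", MASTER_BEFORE), ("after", MASTER_AFTER)):
        print(label, mapping_report(MAIN_CF, master))
```

The FILTER_README layout Wietse points to does it the other way round (no_address_mappings in main.cf, overridden on the after-filter listener); the report shows that as mapping on the after-filter side only.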


Illegal mix of collations error

2009-06-07 Thread Simon
Hi There,

We have postfix storing its transport and alias data in mysql, but we are
getting this error (which has just appeared out of nowhere - yes well, OK,
not nowhere, but we don't know where!)

# cat /etc/postfix/mysql-transport.cf
user = mail-in1
password = **
dbname = postfix
table = transport
hosts = 210.48.XX.XXX
select_field = transport
where_field = domain

Here is the error:

Jun  8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: warning: mysql
query failed: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and
(utf8_general_ci,COERCIBLE) for operation '='
Jun  8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: fatal:
mysql:/etc/postfix/mysql-transport.cf(0,lock|fold_fix): table lookup problem

I have googled and have not really found a solution to this issue... can
anyone assist please?

Thanks

Simon


SASL with two seperate auth sources?

2010-03-09 Thread Simon
Hi There,

Currently we are using postfix (2.5.5-1.1) on debian lenny sasl support
thus:

# cat smtpd.conf
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: xxx.xxx.xxx.xxx
sql_user: 
sql_passwd: 
sql_database: 
sql_select: select passwd from _users where userid ='%u

Which works well! I was wondering if there is a way we can add another
source to the mix so that postfix would check 2 separate
servers/databases/tables with a different table structure on the second
mysql server?

Thanks!

Simon


Re: SASL with two seperate auth sources?

2010-03-09 Thread Simon
On Wed, Mar 10, 2010 at 10:05 AM, Simon  wrote:

> Hi There,
>
> Currently we are using postfix (2.5.5-1.1) on debian lenny sasl support
> thus:
>
> # cat smtpd.conf
> auxprop_plugin: sql
> mech_list: plain login cram-md5 digest-md5
> sql_engine: mysql
> sql_hostnames: xxx.xxx.xxx.xxx
> sql_user: 
> sql_passwd: 
> sql_database: 
> sql_select: select passwd from _users where userid ='%u
>
> Which works well! I was wondering if there is a way we can add another
> source to the mix so that postfix would check 2 separate
> servers/databases/tables with a different table structure on the second
> mysql server?
>

Hi - in thinking further about this.. we simply created a mysql view table
with the combination of both sources of data and changed our details to use
that new view table.

Simon


BCC to Undisclosed-Recipient

2010-03-30 Thread Simon
Hi There,

I must have something a little wrong with my postfix config?? When someone
sends a email to me as part of a BCC email (leaving the TO field blank) the
TO field comes up as  - To: <"Undisclosed-Recipient:;"@
mail-in1.ourdomain.com>.

Any idea on what i have incorrect or how to fix this would be greatly
appreciated!

Thanks

Simon


Re: BCC to Undisclosed-Recipient

2010-03-30 Thread Simon
On Wed, Mar 31, 2010 at 8:45 AM, Noel Jones  wrote:

> On 3/30/2010 2:40 PM, Simon wrote:
>
>> Any idea on what i have incorrect or how to fix this would be greatly
>> appreciated!
>>
>>
> What do you think it should say?
>
> Have you looked at
> http://www.postfix.org/postconf.5.html#undisclosed_recipients_header
>
>  -- Noel Jones
>

I guess I was thinking that i didn't want our mailname in the to field. Some
customers ring up "I don't know why, but it's got your domain in the TO
field"?


Re: BCC to Undisclosed-Recipient

2010-03-31 Thread Simon
On Wed, Mar 31, 2010 at 9:31 AM, Noel Jones  wrote:

>
> Ok.  Please see:
>
> http://www.postfix.org/postconf.5.html#undisclosed_recipients_header
>
> Either leaving undisclosed_recipients_header at its default value by
> removing it from your main.cf, or explicitly setting it empty should fix
> the problem.
>
>  -- Noel Jones
>

Thanks for the reply Noel... I've done this and we are still getting it in
the To field. However - i think this is our internal exchange server that
our external postfix server is routing to that is doing it. And in thinking
about it, I don't know why i didn't think of this before. DOH!.

Simon


Postfix config for static:hold on all unauthenticated mail

2010-05-17 Thread Simon
Hi There,

We have a postfix (2.5.5) mail server (debian lenny) that runs behind our
firewall and acts as an SMTP server for all hosts on our network. At the moment i
have all those servers listed in mynetworks and then the following
smtpd_sender_restrictions (see below). This allows the servers behind our
firewall to send mail if they use sasl_authenticated or not. We also have a
hard list of domains that we REJECT (/etc/postfix/access), plus making sure
that we are not sending email to unknown domains etc:

smtpd_sender_restrictions =
hash:/etc/postfix/access,
reject_unknown_sender_domain,
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
permit

smtpd_recipient_restrictions =
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
permit

What I am trying to achieve is to have the following:

- All clients listed in mynetworks unrestricted sending
- All clients NOT in mynetworks using sasl_authenticated unrestricted
sending
- All clients NOT in mynetworks NOT using sasl_authenticated (all other
clients i guess?) added to the queue, but with static:hold

Can someone please assist with the config to achieve this?

Thanks MUCHLY!!

Simon


Real-time monitoring of postfix queue

2010-05-26 Thread Simon
Hi There,

We have been discussing in-house our methods to monitor the postfix queue on
our client Auth-SMTP servers (x2, one is used for our web servers to send
mail via PHP, this is Auth as well). At the moment we are using OpsView
(Nagios) to monitor the queue size and alert us if/when it gets reached,
along with this we check mailgraph logs daily.

But I was wondering if there is any sort of real-time monitor, something
that might check the queue and the logs on an on-going basis and send alerts
based on certain conditions being met?

e.g.

Rate of mail from client x rises above threshold, check number of errors in
sending this mail, alert
Rate of mail in queue FROM a email address rises above threshold,

I might not be explaining it in the correct way... but i think people would
get the idea of what we were thinking about?

Specifically want to catch web form spamming etc...

Simon
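
Added example, not from the thread: one way to turn the first condition above into a check over the Postfix log, counting accepted messages per SASL login (or per client when there is no login) in a sliding window and pairing the count with that sender's bounces. The host name mail-out2 is from the list's later posts; the log lines, the login names, the addresses and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# syslog timestamp, postfix daemon name, queue ID, rest of the record.
# Short hexadecimal queue IDs are assumed (the default in Postfix 2.5).
RECORD = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(\w+)\[\d+\]: "
    r"([0-9A-F]{6,}): (.*)$")

def offenders(lines, max_msgs=3, window=timedelta(seconds=60), year=2010):
    """Return (sender, peak messages per window, bounces) for every sender
    whose peak exceeds max_msgs. syslog lines carry no year, so one is given."""
    owner = {}                      # queue ID -> SASL login or client
    recent = defaultdict(deque)     # sender -> accept times inside the window
    peak = defaultdict(int)
    bounced = defaultdict(int)
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue                # connect/disconnect, NOQUEUE, other daemons
        stamp, daemon, qid, rest = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if daemon == "smtpd" and rest.startswith("client="):
            sasl = re.search(r"sasl_username=([^,\s]+)", rest)
            who = sasl.group(1) if sasl else rest[len("client="):].split(",")[0]
            owner[qid] = who
            times = recent[who]
            times.append(when)
            while when - times[0] > window:
                times.popleft()
            peak[who] = max(peak[who], len(times))
        elif daemon == "smtp" and "status=bounced" in rest and qid in owner:
            bounced[owner[qid]] += 1
    return sorted((who, n, bounced[who])
                  for who, n in peak.items() if n > max_msgs)

def sample_log():
    """Constructed log lines in Postfix's format (not from a real server)."""
    lines = ["May 26 09:59:58 mail-out2 postfix/smtpd[2001]: B1B2C3D400: "
             "client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=alice"]
    for i in range(5):
        qid = f"A1B2C3D4{i:02d}"
        lines.append(
            f"May 26 10:00:{i * 8:02d} mail-out2 postfix/smtpd[2001]: {qid}: "
            "client=web1.example.net[192.0.2.10], sasl_method=PLAIN, "
            "sasl_username=webforms")
        if i < 3:
            lines.append(
                f"May 26 10:00:{i * 8 + 1:02d} mail-out2 postfix/smtp[2002]: "
                f"{qid}: to=<user{i}@example.org>, "
                "relay=mx.example.org[198.51.100.5]:25, delay=0.5, dsn=5.1.1, "
                "status=bounced (host said: 550 5.1.1 User unknown)")
    return lines

if __name__ == "__main__":
    for who, count, bounces in offenders(sample_log()):
        print(f"ALERT {who}: {count} messages in 60s, {bounces} bounced")
```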


Moving deferred mail to another server

2010-11-14 Thread Simon
Hi There,

We have two postfix servers (postfix from debian lenny). Is there any
way to move all deferred mail from one server to another?

Thanks

Simon


Round robin outgoing smtp?

2010-11-18 Thread Simon
Hi There,

We have a postfix server running on debian lenny. We are wondering
what the best way would be to disperse outgoing mail via a ip range
rather than one single IP? E.g. have 6 IPs on the one server, and have
postfix round robin the mail out? This is all legitimate mail on with
customers who have confirmed email lists.

Any thoughts?

Regards,

Simon


Re: Round robin outgoing smtp?

2010-11-18 Thread Simon
Hi There, i have answered my own question. Sorry for the email.

On Fri, Nov 19, 2010 at 2:53 PM, Simon  wrote:
> Hi There,
>
> We have a postfix server running on debian lenny. We are wondering
> what the best way would be to disperse outgoing mail via a ip range
> rather than one single IP? E.g. have 6 IPs on the one server, and have
> postfix round robin the mail out? This is all legitimate mail on with
> customers who have confirmed email lists.
>
> Any thoughts?
>
> Regards,
>
> Simon
>


Spam Backscatter

2011-02-01 Thread Simon
We are using postfix with debian lenny...


We are receiving what appears to be backscatter from spam that is using a
valid address in the Return Path. I have included an example of the header
info from one of the spam messages below. The “From” and “To” addresses just
seem to be random and are not related to us in any way. Does anyone know how to
block this sort of backscatter?


Original message headers:



Return-Path: *[ourdomain.actual.domain]**>
Received: from 195-191-72-102.optolan.net.ua (unknown [195.191.72.102])
by smtp-0.counselschambers.com.au (Postfix) with ESMTP id
1D400396B7E
for ; Wed,  2 Feb 2011 08:28:43 +1100
(EST)
From: no-reply...@job.com
To: 
Subject: Position opening in your area
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Message-ID: <20110201212844.1d400396...@smtp-0.counselschambers.com.au>
Date: Wed, 2 Feb 2011 08:28:43 +1100

Thanks

Simon


Re: Spam Backscatter

2011-02-01 Thread Simon
On Wed, Feb 2, 2011 at 1:29 PM, Noel Jones  wrote:

>
>>
>> Return-Path: > *[ourdomain.actual.domain]**>
>>
>> Received: from 195-191-72-102.optolan.net.ua
>>  (unknown [195.191.72.102])
>>
>
>
> The client 195.191.72.102 is listed in zen.spamhaus.org.  I would start
> with using  reject_rbl_client zen.spamhaus.org somewhere in your config.
>
> And then add the backscatter.org RBL as someone else suggested.
> http://www.backscatterer.org/?target=usage  (see the postfix section)
>

Hmm - that's interesting: our config already has:

smtpd_recipient_restrictions =
...
reject_rbl_client zen.spamhaus.org,
...

Do i need to setup sender restrictions as well?


Re: Illegal mix of collations error

2009-06-15 Thread Simon
On Mon, Jun 8, 2009 at 10:09 AM, Darren Pilgrim wrote:

> Simon wrote:
>
>> Jun  8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: warning: mysql
>> query failed: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and
>> (utf8_general_ci,COERCIBLE) for operation '='
>> Jun  8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: fatal:
>> mysql:/etc/postfix/mysql-transport.cf(0,lock|fold_fix): table lookup problem
>>
>> I have googled and have not really found a solution to this issue... can
>> anyone assist please?
>>
>
> This is usually due to comparing a string literal to a function return or a
> table with collation set to something other than latin1_swedish_ci (what it
> should be for email addresses).  Email addresses are always latin1
> case-insensitive.  This URL will give you some useful hints:
>
> http://www.google.com/search?q=Illegal+mix+of+collations+site%3Amysql.com
>
> Short answer: change the collation on your table or force collation on your
> string literal(s).


Thanks for the reply on this. I have now changed the collation of the tables
to latin1_swedish_ci, but am still getting these errors. Don't quite
understand what to do from here? Can anyone assist further please?

Thanks!!

Simon


Re: Illegal mix of collations error

2009-06-16 Thread Simon
On Tue, Jun 16, 2009 at 9:50 AM, Blake Hudson  wrote:

>
>> Thanks for the reply on this. I have now changed the collation of the
>> tables to latin1_swedish_ci, but am still getting these errors. Don't quite
>> understand what to do from here? Can anyone assist further please?
>>
>> Thanks!!
>>
>> Simon
>>
> The issue is that you are comparing two strings, one that uses one
> character set and another which uses a different character set. Mysql
> retains (and includes) character set information during string comparisons -
> if you were to compare strings with different character sets, you'd never
> have a match. It sounds like you have made some changes to your SQL server
> recently (or perhaps the changes were made a while ago and SQL was just
> recently restarted).
>
> If the table definition defines 'domain' as latin1_swedish_ci, then the
> utf8_general_ci is likely coming from the connection between postfix and
> MySQL. You might check your my.cnf or startup command for something similar
> to 'default-character-set=utf8'. If you find this, I would suggest reverting
> to the previous setting (likely commented out or missing altogether).
>
> --Blake
>
>
>
Hi Blake, thanks for the reply.

The Mysql server that the postfix configuration is on indeed does have
default-character-set=utf8 set and this was changed not so long ago.. but we
need to have it as such for reasons. I have moved the config to another
mysql server (without default-character-set=utf8) for the mean time, but is
there a way we can still have default-character-set=utf8 on the mysql server
and have the postfix config on it?

Thanks

Simon


Getting abused by backscatter spam

2011-03-21 Thread Simon
Hi There,

We are using postfix on debian lenny. Everything is mysql backed and
we are using amavisd-new (spamassassin with daily updates from
saupdates.openprotect.com and updates.spamassassin.org & clam-av),
postfix-policy greylisting and postfix-policyd-spf-python. All updates
applied.

But we are still getting hammered by backscatter spam (like the below)
and are hoping to get the lists input with where to head in terms of
getting this sorted... it seems like everything we look at just does
not quite suit our setup.

Many thanks in advance!!!!

Simon

Received: from psmtp.com ([64.18.3.158]) by mosesafonso.com with Microsoft
 SMTPSVC(6.0.3790.3959); Sun, 20 Mar 2011 14:18:35 -0400
Received: from source ([93.85.177.92]) by exprod8mx291.postini.com
([64.18.7.13]) with SMTP;
Sun, 20 Mar 2011 14:18:34 EDT
Received: from  93.85.177.92 (account 0-0-0-0-cbouys...@microapp.com
HELO syccjjv.pqhsfgogqp.com)
by  (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 932104756 for sbow...@mosesafonso.com; Sun, 20 Mar
2011 20:18:34 +0200
To: 
Subject: Re: CV
From: 
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-pstn-neptune: 1/1/1.00/86
X-pstn-levels: (S: 0.00445/92.75607 CV:99.9000 FC:95.5390 LC:95.5390
R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
Message-ID: <2322245927972554085239078162...@psmtp.com>
Return-Path: {user}@{clientdomain}.com
X-OriginalArrivalTime: 20 Mar 2011 18:18:35.0168 (UTC)
FILETIME=[39EDB200:01CBE72B]
Date: Sun, 20 Mar 2011 14:18:35 -0400

Our setup:

We have 2 x inbound mail servers (mail-in1 & mail-in2, which are
identical in setup and do simple load balancing) that do the above,
once filtered the mail is sent to a dbmail cluster. Our clients are
all over the place, connecting via the internet to our dbmail service
(e.g. not a lan). We then have two separate outgoing mail servers,
mail-out1 and mail-out2. mail-out1 is used by our client base who
connect with authenticated SMTP, mail-out2 backs up our other servers
(such as web servers etc) to allow them to send email.

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
inet_interfaces = all
mailbox_size_limit = 0
maximal_backoff_time = 2000
message_size_limit = 52428800
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
minimal_backoff_time = 500
mydestination = mysql:/etc/postfix/mysql-transport.cf
myhostname = mail-in1.{ourdomain}.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
queue_run_delay = 500
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions =
reject_unauth_pipelining,
permit
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_rbl_client zen.spamhaus.org,
check_client_access pcre:/etc/postfix/fqrdns.pcre,
#check_sender_access hash:/etc/postfix/check_backscatterer,
check_policy_service unix:private/policyd-spf,
check_policy_service inet:127.0.0.1:10031,
permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = mysql:/etc/postfix/mysql-transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-aliases.cf


Re: Getting abused by backscatter spam

2011-03-22 Thread Simon
On Wed, Mar 23, 2011 at 11:56 AM, mouss  wrote:

> 1) nothing in your sample shows that you use postfix.
> if using postfix, why is Return-Path in the middle of headers?
>
> 2) given the return-path you show, this is not backscatter. maybe you
> meant envelope sender forgery?
>
> 3)  93.85.177.92 is listed in ZEN and BRBL among other lists.

Thanks for the reply. Sorry - wrong headers, here is a better example

Received: from localhost (localhost [127.0.0.1]) by
mail-in2.{ourdomain}.net (Postfix) with ESMTP id 038A71278B for
; Mon, 21 Mar 2011 16:21:11 +1300 (NZDT)
X-Virus-Scanned: Debian amavisd-new at mail-in2.{ourdomain}.net
Received: from mail-in2.{ourdomain}.net ([127.0.0.1]) by localhost
(mail-in2.{ourdomain}.net [127.0.0.1]) (amavisd-new, port 10024) with
ESMTP id AjP3fH4O3NNn for ;   Mon, 21
Mar 2011 16:21:06 +1300 (NZDT)
Received-SPF: None (no SPF record) identity=helo;
client-ip=213.153.204.77; helo=smtp.prnet.com.tr; envelope-from=<>;
receiver=domains@{ourdomain}.net
Received: from smtp.prnet.com.tr (unknown [213.153.204.77]) by
mail-in2.{ourdomain}.net (Postfix) with ESMTPS id 97BBE12777 for
; Mon, 21 Mar 2011 16:21:04 +1300 (NZDT)
MIME-Version: 1.0
From: 
To: 
Date: Mon, 21 Mar 2011 05:25:02 +0200
Content-Type: multipart/report; report-type=delivery-status;
boundary="d011ae77-0e81-4180-8f36-55a4a8d8738f"
Content-Language: tr-TR
Message-ID: <2628b8a7-433a-4e0a-bb73-13460a834136@prnet.local>
In-Reply-To: <4c899952-38ad-4d53-be45-b0c63b4459e3@PRNETMAIL.prnet.local>
References: <4c899952-38ad-4d53-be45-b0c63b4459e3@PRNETMAIL.prnet.local>
Subject: Teslim Edilmedi: Welcoming speech
Return-Path: <>
DV:3.3.8414.660;SV:3.3.8526.390;SID:SenderIDStatus Fail;OrigIP:210.48.80.145


HOLD and reject_rbl_client?

2011-03-23 Thread Simon
Sorry if i have not explained it correctly in the subject... (Using
postfix 2.5 on debian lenny).

We are testing the "ips.backscatterer.org" setup on one of our servers
and would like to understand the impact before we implement. Is there
any way we can check the ips.backscatterer.org RBL for the IP, then
put the message on HOLD - rather than rejecting it?

smtpd_recipient_restrictions =
  ...
  check_sender_access hash:/etc/postfix/check_backscatterer,
  ...

# cat check_backscatterer
#<> reject_rbl_client ips.backscatterer.org
#postmaster reject_rbl_client ips.backscatterer.org


Thanks

Simon


Re: HOLD and reject_rbl_client?

2011-03-23 Thread Simon
On Thu, Mar 24, 2011 at 3:10 PM, Sahil Tandon  wrote:
> On Thu, 2011-03-24 at 03:07:05 +0100, Amedeo Rinaldo wrote:
>
>> On 24/03/2011 02:46, Sahil Tandon wrote:
>> >On Thu, 2011-03-24 at 14:35:06 +1300, Simon wrote:
>> >
>> >>.. [CUT] ..
>> >
>> >Have you considered warn_if_reject?  If you must HOLD such mail, plug in
>> >a policy service that returns HOLD for IPs listed on the RBL.
>>
>> Sahil.. i've a similar need, could you put me in the right direction
>> in creating such a policy service? (how handle RBL return..)
>
> You could write one after reviewing SMTPD_POLICY_README or use something
> like postfwd.

Must admit I'm a little lost here. (sorry)... if anyone can assist with
an example so we can see how it works?

Thanks

Simon
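
Added example, not from the thread and not postfwd's code: a minimal policy service of the kind Sahil describes, speaking the SMTPD_POLICY_README protocol (name=value lines ended by an empty line, answered with "action=..." and an empty line) and returning HOLD when a null-sender or postmaster message comes from a client listed in ips.backscatterer.org. It assumes IPv4 clients and a spawn(8)-style stdin/stdout service; the function names are made up for the example.

```python
import ipaddress
import socket
import sys

ZONE = "ips.backscatterer.org"

def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None                 # e.g. "unknown" or a missing attribute
    if addr.version != 4:
        return None                 # this example only handles IPv4 clients
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname):
    """True when the DNSBL answers with a 127.x.x.x record for this client."""
    name = dnsbl_name(ip)
    if name is None:
        return False
    try:
        return resolve(name).startswith("127.")
    except OSError:
        # NXDOMAIN (not listed) or a DNS failure: fail open and let the
        # remaining restrictions decide.
        return False

def parse_request(lines):
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs, resolve=socket.gethostbyname):
    """Return an access(5) action for one policy request."""
    sender = attrs.get("sender", "").lower()
    # Same scope as the check_backscatterer map in the post: the null
    # sender <> (sent as an empty "sender=") and postmaster.
    bounce_like = sender == "" or sender.split("@")[0] == "postmaster"
    if not bounce_like:
        return "DUNNO"
    if is_listed(attrs.get("client_address", ""), resolve):
        return "HOLD client listed in " + ZONE
    return "DUNNO"

def serve(stdin, stdout, resolve=socket.gethostbyname):
    """Answer requests until the input closes; one reply per request block."""
    block = []
    for raw in stdin:
        line = raw.rstrip("\n")
        if line:
            block.append(line)
            continue
        stdout.write("action=%s\n\n" % decide(parse_request(block), resolve))
        stdout.flush()
        block = []

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Postfix reaches such a service through a check_policy_service entry in smtpd_recipient_restrictions and a spawn service in master.cf, as SMTPD_POLICY_README describes. Held messages show up in postqueue -p and are released with postsuper -H.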


Re: HOLD and reject_rbl_client?

2011-03-23 Thread Simon
On Thu, Mar 24, 2011 at 4:04 PM, /dev/rob0  wrote:

> As to how to implement this in postfwd, this is not the right forum
> for such a question. http://postfwd.org/ has instructions on how to
> join the postfwd-users mailing list.

What a fantastic piece of software!! Thanks :)


Postfix sasl with mysql and multiple servers with different tables

2011-07-06 Thread Simon
Hi There, We are using Postfix 2.7.1-1+squeeze1 on Debian Squeeze. I
have a quick question regarding sasl auth with mysql and multiple
servers...

Is there a way to configure postfix to get its SMTP auth data from two
different mysql servers with different DB names?? E.g. "db_name1" on
"mysql1" and "dbpostfix_other" on mysql2?

Thanks

Simon


Restrict authenticated senders with domain/email SQL lookup table

2011-12-14 Thread Simon
Hi There,

We have a postfix server running on debian squeeze connected to mysql for SASL 
authentication information... along with the following settings in main.cf:

smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unknown_sender_domain,
permit

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unknown_recipient_domain,
permit

We also run the outbound email thru clamav. 

What we would like to do is update our config so that postfix will only send 
"from" {anything}@clientdomain.com (where the domain is listed in our 
"transport" mysql table) and from b...@externaldomain.com (where the user has 
run thru a registration process via our web-based control panel - the same 
process as gmail).. 

Can someone please give me some pointers here on where to start? I have 
searched quite bit for this, but can't think of the correct terms to find what 
i want...

Thanks!

Simon



Re: Restrict authenticated senders with domain/email SQL lookup table

2011-12-14 Thread Simon

On 15/12/2011, at 2:02 PM, Noel Jones wrote:

> On 12/14/2011 3:18 PM, Simon wrote:
>> 
>> 
>> What we would like to do is update our config so that postfix will only send 
>> "from" {anything}@clientdomain.com (where the domain is listed in our 
>> "transport" mysql table) and from b...@externaldomain.com (where the user 
>> has run thru a registration process via our web-based control panel - the 
>> same process as gmail).. 
>> 
>> Can someone please give me some pointers here on where to start? I have 
>> searched quite bit for this, but can't think of the correct terms to find 
>> what i want...
>> 
>> Thanks!
>> 
>> Simon
>> 
> 
> 
> You can associate sasl credentials with allowed "MAIL FROM" envelope
> sender. This does not restrict the contents of the From: header.
> 
> http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

OK.. so basically this also allows us to lock it down further so that each sasl 
user has its own list of "allowed" domains and/or email addresses... Nice.

We also have specific sasl uses for clients websites... these are used to allow 
the website to send email (forms and such). I can see how we could use the 
above to also provide correct details for these sasl users as well...

So is smtpd_sender_login_maps the best way to achieve the result I'm looking 
for in my original email? There is no other way that other people can see? 

If this is the way... ill fire on into it :)

Thanks!

Simon

Re: Restrict authenticated senders with domain/email SQL lookup table

2011-12-14 Thread Simon

On 15/12/2011, at 3:05 PM, Noel Jones wrote:

> The sender_login_maps and friends is the only built-in method to
> associate a SASL login with allowed envelope senders.
> 
> As a more flexible alternative, you could use an external policy
> service.  I don't know of any policy services that handle this
> specifically, but I suppose postfwd could be convinced to do some of it.
> 
> 
> http://www.postfix.org/SMTPD_POLICY_README.html
> http://www.postfix.org/addon.html#policy

Thanks again... what if i just wanted postfix to check a mysql-based list of 
approved sending email addresses and/or domains? e.g. NOT associate it with a 
SASL login but has an approved sender list. e.g. all SASL logins would be able 
to send "from" all of the domains/addresses on the list? (I'm thinking of a 
specific situation where i would need this).

Simon



Re: Restrict authenticated senders with domain/email SQL lookup table

2011-12-15 Thread Simon

On 15/12/2011, at 5:28 PM, Noel Jones wrote:

>> 
>> Thanks again... what if i just wanted postfix to check a mysql-based list of 
>> approved sending email addresses and/or domains? e.g. NOT associate it with 
>> a SASL login but has an approved sender list. e.g. all SASL logins would be 
>> able to send "from" all of the domains/addresses on the list? (I'm thinking 
>> of a specific situation where i would need this).
>> 
>> Simon
>> 
> 
> That's easy enough to do with a check_sender_access map.  Assuming
> an MSA (user submission only, no general incoming mail), something
> as simple as:
> 
> smtpd_sender_restrictions =
>  check_sender_access hash:/path/to/allowed_senders
>  reject
> 
> With allowed_senders table something like
> us...@example.com  OK
> example.org OK
> 
> Any sender not on the approved list gets rejected.  Do this in
> smtpd_sender_restrictions to avoid possible open relay accidents
> that could occur if you do this test in smtpd_recipient_restrictions.
> 
> These restrictions could also be put into master.cf as -o options on
> the submission or smtps services.

Thanks Noel, What if i needed to do this with SASL-authenticated "senders"... 
This is my current setup:

smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unknown_sender_domain,
permit

Can you assist me to get the order correct here? I would like 
permit_sasl_authenticated as well as check_sender_access (from a mysql table) 
if possible... 

Many thanks!

Simon



Starting today - lost connection after DATA (0 bytes) from xxx and END OF DATA - 554 5.7.1

2014-05-04 Thread Simon
All of a sudden (Monday morning - typical) we have started getting this
error:

postfix/smtpd[4696]: lost connection after DATA (0 bytes) from XXX...

Which is resulting in the following bounce back to senders:

Server refused mail at END OF DATA - 554 5.7.1 This message has been
blocked because the return email domain is invalid.(failed to obtain DNS
record for domain sendingdomain.co.nz)

I have checked several times and changed DNS servers to test this but I'm
totally at a loss as to what's happening. I've found lots of reference to
changing the MTU on the network card... but nothing that has helped me. Can
anyone please shed some light on what could be causing this issue?

Thank you

Simon

Postfix is running on VMWare VM on debian

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
config_directory = /etc/postfix
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maximal_backoff_time = 2000
maximal_queue_lifetime = 1d
message_size_limit = 52428800
minimal_backoff_time = 500
mydestination = mysql:/etc/postfix/mysql-transport.cf
mydomain = newmedia.net.nz
myhostname = mx1.newmedia.net.nz
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = newmedia.net.nz
queue_run_delay = 500
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_host_lookup = native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = check_client_access hash:/etc/postfix/amavis_bypass
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
 reject_unauth_destination,reject_unknown_sender_domain,
 reject_unknown_recipient_domain,reject_invalid_hostname,
 reject_non_fqdn_sender,reject_non_fqdn_recipient,
 reject_rbl_client zen.spamhaus.org,check_client_access hash:/etc/postfix/access
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = no
transport_maps = mysql:/etc/postfix/mysql-transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-aliases.cf


Blocking emails from domain for a single user

2015-04-19 Thread Simon
Hi There,

We are using postfix 2.7.1 on debian. Is there a simple way to block emails
from a domain or From address only to a certain to address? So this would
match both from and to in the header to then block the email. e.g.

From: blockt...@domain.com
To: cli...@theirdomain.com

Only when blockt...@domain.com sent an email to  cli...@theirdomain.com
would it get blocked, otherwise all other emails from  blockt...@domain.com
would be sent to any other to address?

Thanks

Simon


Re: Blocking emails from domain for a single user

2015-04-20 Thread Simon
On Mon, Apr 20, 2015 at 3:51 PM, Noel Jones  wrote:

On 4/19/2015 7:03 PM, Simon wrote:
> > Hi There,
> >
> > We are using postfix 2.7.1 on debian. Is there a simple way to block
> > emails from a domain or From address only to a certain to address?
> > So this would match both from and to in the header to then block the
> > email. e.g.
> >
> > From: blockt...@domain.com <mailto:blockt...@domain.com>
> > To: cli...@theirdomain.com <mailto:cli...@theirdomain.com>
> >
> > Only when blockt...@domain.com <mailto:blockt...@domain.com> sent an
> > email to  cli...@theirdomain.com <mailto:cli...@theirdomain.com>
> > would it get blocked, otherwise all other emails from
> >  blockt...@domain.com <mailto:blockt...@domain.com> would be sent to
> > any other to address?
>
> You can use  a restriction class to block mail for a specific
> envelope sender/recipient combination.  The envelope addresses are
> what are logged by postfix, and may be different than what is in the
> From: and To: headers.
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
> If you must use the addresses listed in message headers, you will
> need a content filter such as SpamAssassin.
>

Thanks for the reply here - I think that envelope sender/recipient
combination would be fine :)

I get the basic idea of the restriction classes, but am finding it
difficult to figure out how to combine them to get the result we need. Would you
be able to give me a head start on this one? It would be much appreciated!

Thanks

Simon


Re: Blocking emails from domain for a single user

2015-04-20 Thread Simon
On Tue, Apr 21, 2015 at 11:34 AM, Simon  wrote:

>
>
> On Mon, Apr 20, 2015 at 3:51 PM, Noel Jones 
> wrote:
>
> On 4/19/2015 7:03 PM, Simon wrote:
>> > Hi There,
>> >
>> > We are using postfix 2.7.1 on debian. Is there a simple way to block
>> > emails from a domain or From address only to a certain to address?
>> > So this would match both from and to in the header to then block the
>> > email. e.g.
>> >
>> > From: blockt...@domain.com <mailto:blockt...@domain.com>
>> > To: cli...@theirdomain.com <mailto:cli...@theirdomain.com>
>> >
>> > Only when blockt...@domain.com <mailto:blockt...@domain.com> sent an
>> > email to  cli...@theirdomain.com <mailto:cli...@theirdomain.com>
>> > would it get blocked, otherwise all other emails from
>> >  blockt...@domain.com <mailto:blockt...@domain.com> would be sent to
>> > any other to address?
>>
>> You can use  a restriction class to block mail for a specific
>> envelope sender/recipient combination.  The envelope addresses are
>> what are logged by postfix, and may be different than what is in the
>> From: and To: headers.
>> http://www.postfix.org/RESTRICTION_CLASS_README.html
>>
>> If you must use the addresses listed in message headers, you will
>> need a content filter such as SpamAssassin.
>>
>
> Thanks for the reply here - I think that envelope sender/recipient
> combination would be fine :)
>
> I get the basic idea of the restriction classes, but am finding it
> difficult to figure out how to combine them to get the result we need. Would you
> be able to give me a head start on this one? It would be much appreciated!
>

Just to check on this one.. so am I correct that you would set a
restriction class for the inbound domain (say mailfrom.blockme.com), then
you would set an access list for that "class"? e.g. within that class block
if the recipient is cleanu...@client.com?

Simon


Re: Blocking emails from domain for a single user

2015-04-23 Thread Simon
On Tue, Apr 21, 2015 at 3:38 PM, Noel Jones  wrote:

> On 4/20/2015 6:39 PM, Simon wrote:
> >
> >
> > On Tue, Apr 21, 2015 at 11:34 AM, Simon  > <mailto:grem...@gmail.com>> wrote:
> >
> >
> >
> > On Mon, Apr 20, 2015 at 3:51 PM, Noel Jones
> > mailto:njo...@megan.vbhcs.org>> wrote:
> >
> > On 4/19/2015 7:03 PM, Simon wrote:
> > > Hi There,
> > >
> > > We are using postfix 2.7.1 on debian. Is there a simple way to
> block
> > > emails from a domain or From address only to a certain to
> address?
> > > So this would match both from and to in the header to then
> block the
> > > email. e.g.
> > >
> > > From: blockt...@domain.com <mailto:blockt...@domain.com>
> > <mailto:blockt...@domain.com <mailto:blockt...@domain.com>>
> > > To: cli...@theirdomain.com <mailto:cli...@theirdomain.com>
> > <mailto:cli...@theirdomain.com <mailto:cli...@theirdomain.com>>
> > >
> > > Only when blockt...@domain.com <mailto:blockt...@domain.com>
> > <mailto:blockt...@domain.com <mailto:blockt...@domain.com>>
> > sent an
> > > email to  cli...@theirdomain.com  cli...@theirdomain.com>
> > <mailto:cli...@theirdomain.com <mailto:cli...@theirdomain.com>>
> > > would it get blocked, otherwise all other emails from
> > >  blockt...@domain.com <mailto:blockt...@domain.com>
> > <mailto:blockt...@domain.com <mailto:blockt...@domain.com>>
> > would be sent to
> > > any other to address?
> >
> > You can use  a restriction class to block mail for a specific
> > envelope sender/recipient combination.  The envelope
> > addresses are
> > what are logged by postfix, and may be different than what
> > is in the
> > From: and To: headers.
> > http://www.postfix.org/RESTRICTION_CLASS_README.html
> >
> > If you must use the addresses listed in message headers, you
> > will
> > need a content filter such as SpamAssassin.
> >
> >
> > Thanks for the reply here - I think that envelope
> > sender/recipient combination would be fine :)
> >
> > I get the basic idea of the restriction classes, but am finding
> > it difficult to figure out how to combine them to get the result we
> > need. Would you be able to give me a head start on this one? It
> > would be much appreciated!
> >
> >
> > Just to check on this one.. so am i correct that you would set a
> > restriction class for the inbound domain (say mailfrom.blockme.com
> > <http://mailfrom.blockme.com>), then you would set a access list for
> > that "class"? e.g. within that class block if the recipient is
> > cleanu...@client.com <mailto:cleanu...@client.com>?
> >
> > Simon
>
>
> A very abbreviated example done off the top of my head late at night:
>
> Goal: block mail with sender example.info to recipient b...@example.com
>
>
> # main.cf
> smtpd_restriction_classes =
>   block_bob
>
> block_bob =
>   check_recipient_access hash:/etc/postfix/bob_recipient
>
> smtpd_sender_restrictions =
>   check_sender_access hash:/etc/postfix/sender_blocks
>
>
> # Other files:
>
> # bob_recipient
> b...@example.com   REJECT sender not allowed for this recipient
>
> # sender_blocks
> example.info   block_bob
>
>
> Hope this is close enough to right that it helps.
>
>
>   -- Noel Jones
>

Thanks Noel - excellent for late at night! :)

Cheers

Simon
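
How the two-stage lookup in Noel's example above resolves for different envelope sender/recipient pairs, as an added Python model (not Postfix code and not part of the original thread). It assumes the access(5) search order for address keys, and `someuser@example.com` is a constructed recipient standing in for the address the archive obfuscated.

```python
"""Simplified model of the access(5) lookups behind the block_bob example.

Added illustration, not Postfix code. someuser@example.com is a constructed
recipient; the table contents otherwise mirror the files quoted in the post.
"""

# /etc/postfix/sender_blocks: envelope sender pattern -> restriction class
SENDER_BLOCKS = {"example.info": "block_bob"}

# /etc/postfix/bob_recipient: envelope recipient pattern -> action
BOB_RECIPIENT = {
    "someuser@example.com": "REJECT sender not allowed for this recipient",
}

# smtpd_restriction_classes: class name -> ordered (restriction, table) list
CLASSES = {"block_bob": [("check_recipient_access", BOB_RECIPIENT)]}


def address_keys(addr, parent_matches_subdomains=True):
    """Return the keys tried for one envelope address, in search order.

    Order modelled: user@domain, domain, parent domains, user@.
    With parent_matches_subdomains=False the parent-domain keys carry a
    leading dot, so a plain "example.info" entry no longer covers
    subdomains (this models parent_domain_matches_subdomains not listing
    smtpd_access_maps).
    """
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    keys = [addr, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(local + "@")
    return keys


def table_lookup(table, addr, parent_matches_subdomains=True):
    """First matching key wins; None means the table has no entry."""
    for key in address_keys(addr, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None


def sender_restrictions(sender, recipient, parent_matches_subdomains=True):
    """Model: smtpd_sender_restrictions = check_sender_access sender_blocks.

    Returns the action for one RCPT TO command. "DUNNO" means this list
    made no decision and evaluation moves on to the next restriction list.
    The recipient is available here because smtpd_delay_reject = yes (the
    default) postpones sender restrictions until RCPT TO.
    """
    result = table_lookup(SENDER_BLOCKS, sender, parent_matches_subdomains)
    if result is None:
        return "DUNNO"
    if result not in CLASSES:
        return result  # a plain action such as OK or REJECT
    for restriction, table in CLASSES[result]:
        if restriction != "check_recipient_access":
            raise NotImplementedError(restriction)  # only this one is modelled
        action = table_lookup(table, recipient, parent_matches_subdomains)
        if action is not None:
            return action
    return "DUNNO"


if __name__ == "__main__":
    # Constructed envelope pairs: only the first combination is rejected.
    for snd, rcpt in [
        ("news@example.info", "someuser@example.com"),
        ("news@example.info", "other@example.com"),
        ("news@example.org", "someuser@example.com"),
        ("news@mail.example.info", "someuser@example.com"),
    ]:
        print(f"{snd:26} -> {rcpt:22} {sender_restrictions(snd, rcpt)}")
```

The match is on envelope addresses, so the result can differ from what the From: and To: headers show, as the reply points out.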


RE: Postfix + Maildrop

2009-02-18 Thread Simon Aquilina



> Date: Wed, 18 Feb 2009 09:50:49 +
> Subject: Re: Postfix + Maildrop
> From: wyldf...@gmail.com
> To: postfix-users@postfix.org
> 
> 2009/2/17 mouss :
> > $ maildrop -v
> > maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc.
> > GDBM extensions enabled.
> > Courier Authentication Library extension enabled.
> > Maildir quota extension enabled.
> > This program is distributed under the terms of the GNU General Public
> > License. See COPYING for additional information.
> 
> I'm also using Ubuntu. I've got the courier-maildrop package installed
> which includes the auth library extension.
> Perhaps you have the plain "maildrop" package installed?
> 
> -- 
> Don't just do something...sit there!

What command did you use to install maildrop? Also did you have to configure 
maildrop to use the authmysqlrc file? if so where?


RE: Postfix + Maildrop

2009-02-18 Thread Simon Aquilina

Sorry for taking long ... tried to do some research on the hints I got
from over here but failed miserably... below are my comments ...

> Date: Wed, 18 Feb 2009 00:13:32 +0100
> From: mo...@ml.netoyen.net
> To: postfix-users@postfix.org
> Subject: Re: Postfix + Maildrop
> 
> sim085 a écrit :
> > [snip]
> > Thank you for your reply. I do have the courier authmysqlrc file set up
> > however it is located at /etc/courier/ not /etc/authlib/. 
> 
> The location is system dependent. if your courier (imap, pop, webmail)
> works, it's ok.

yes, I can confirm courier-imap is working fine.

> 
> > In my opinion this
> > file is set up properly since otherwise squirrelmail would not be working.
> 
> well... squirrelmail doesn't access that files. what you mean is that
> your imap server is working.
> 
> > However just in case I created the /etc/authlib/ directory and copied
> > authmysqlrc there. 
> 
> don't create random files. ok for testing. but now, remove'em.

:) definitely ...

> 
> > Unfortunately still no good results :(
> > 
> > Enterting the command maildrop  -V 4 -d  sysad...@mydomain.com  < 1 return
> > the following:
> > base 1: No such file or directory.
> 
> well, you asked it to read from a file named "1". use "< /dev/null"
> instead.

I did as you suggested and the results I get are the following;

Message start at 0 bytes, envelope sender=root
maildrop: Attempting sysad...@mydomain.com
maildrop: Unable to open filter file, errno=2

However I cannot understand why I am getting the third line. On the
documentation it says that .maildropfilter should be in $HOME/. I
understand that this means the home directory of the user used by
maildrop. In my case the user is 'mail' and the home directory is
'/var/mail/'. I created a file named '.maildropfilter' and inside it I
placed only a single line to point to the mailbox (available further
below). To be sure I also passed the following commands; chown mail
.maildropfilter and chmod 666 .maildropfilter. I then copied the file
to '/etc/courier/' as well but still had the same results :(

> 
> > 
> > Enter the command maildrop  -v returns the following: 
> > maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc
> > GDBM/DB extensions enabled 
> > Maildir quota extensions enabled
> > 
> 
> so your maildrop was not built with authlib support. as a result, it
> can't query authdaemon. with authlib support, you get something like:
> 
> $ maildrop -v
> maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc.
> GDBM extensions enabled.
> Courier Authentication Library extension enabled.
> Maildir quota extension enabled.
> This program is distributed under the terms of the GNU General Public
> License. See COPYING for additional information.
> 

I spent all morning on the internet trying to find how to install
maildrop with authlib support and did not find much. However I did find
something interesting. On one website there was written that maildrop
started displaying "Courier Authentication Library extension enabled."
after it was configured to use authmysqlrc. Needless to say I did not
find the information where such setting should be placed! 

> 
> look at the "Courier Authentication Library extension enabled." line.
> 
> if the mailbox location or uid/gid is "dynamic", yiu'll need to
> reinstall maildrop with authlib support.
> 
> if the mailbox location is "static" (for example
> /base/domain/user/maildir/) and you use a single uid:gid for all
> mailboxes, then you can run maildrop with -d mailboxuid and have
> maildroprc determine the mailbox path.

At the moment all uid:gid have the same value. Therefore I was trying to
get maildrop to work with the auth support and then work on connecting
maildrop to mysql later. 

For this reason I changed my
master.cf file maildrop setting to be finish with '... -d 1000
${recipient} ${user}'. Considering maildrop should drop the emails in:
'/var/mail/virtual/{user}/new/' I put a single line in .maildropfilter
file as follows: 'MAILBOX = "/var/mail/virtual/$1/new/" '. NOTE: I only
have this line in the .maildropfilter file. 

> 
> > 
> > Enter the command authtest sysad...@mydomain.com return the following:
> > Authentication FAILED: Operation not permitted
> > 
> 
> if you got this as root, then you have a problem. any selinux, apparmor,
> ... ?

It seems I have apparmor installed... is this a problem?

> 
> > Also from where do I turn logging on? I do not have the file
> > /etc/maildroprc!
> 
> you create it. but the location is system dependent. so you'll have to
> fins out whether your maildrop uses this file. this is easy: just put
> random stuff there and see maildrop barking for syntax errors...

I created the maildroprc in '/etc/courier/' I put a single line (again)
which is as follows 'logfile = "/var/log/maildrop.log" '. When I run
the above mentioned commands I do not get anything written in the log
file (I pre-created and gave all type of rights on it). Where should I
see maildrop complain about the syntax?

RE: Postfix + Maildrop

2009-02-19 Thread Simon Aquilina


I am on the verge of giving up on maildrop ... but ...
before that I have some more comments below ...

> Date: Wed, 18 Feb 2009 21:17:19 +0100
> From: mo...@ml.netoyen.net
> To: postfix-users@postfix.org
> Subject: Re: Postfix + Maildrop
> 
> Simon Aquilina a écrit :
> >[snip]
> >> 
> >> >
> >> > Enterting the command maildrop -V 4 -d sysad...@mydomain.com < 1 return
> >> > the following:
> >> > base 1: No such file or directory.
> >>
> >> well, you asked it to read from a file named "1". use "< /dev/null"
> >> instead.
> > 
> > I did as you suggested and the results I get are the following;
> > 
> > Message start at 0 bytes, envelope sender=root
> > maildrop: Attempting sysad...@mydomain.com
> > maildrop: Unable to open filter file, errno=2
> > 
> 
> well, since your maildrop doesn't use authlib, it wants a real user (one
> that it can find in /etc/passwd).
> 
> anyway, you can try with a higher verbosity level. for example
> 
> maildrop -V 9 -d someuser < /dev/null

This gives me the same error; "maildrop: Unable to open filter file, errno=2".

I went to the maildrop website. Here I found a link about maildropfilter. The 
first thing I noticed is that it seems the file must be called .mailfilter 
rather than .maildropfilter. In this page it clearly says that the .mailfilter 
must be in the $HOME directory. Now I do not know if my logic is correct, 
however by $HOME directory I understand the directory defined in the 
/etc/passwd file for the user value defined in postfix master.cf file. 

is this correct? or?

Also am I correct in putting the maildroprc file in /etc/courier/ considering 
that all courier config files are in this location? or this is irrelevant? 
Where could I check where maildroprc should be placed?

> 
> 
> 
> > However I cannot understand why I am getting the third line. On the
> > documentation it says that .maildropfilter should be in $HOME/. I
> > understand that this means the home directory of the user used by
> > maildrop. In my case the user is 'mail' and the home directory is
> > '/var/mail/'. I created a file named '.maildropfilter' and inside it I
> > placed only a single line to point to the mailbox (available further
> > below). To be sure I also passed the following commands; chown mail
> > .maildropfilter and chmod 666 .maildropfilter. I then copied the file to
> > '/etc/courier/' as well but still had the same results :(
> > 
> >>
> >> >
> >> > Enter the command maildrop -v returns the following:
> >> > maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc
> >> > GDBM/DB extensions enabled
> >> > Maildir quota extensions enabled
> >> > 
> >>
> >> so your maildrop was not built with authlib support. as a result, it
> >> can't query authdaemon. with authlib support, you get something like:
> >>
> >> $ maildrop -v
> >> maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc.
> >> GDBM extensions enabled.
> >> Courier Authentication Library extension enabled.
> >> Maildir quota extension enabled.
> >> This program is distributed under the terms of the GNU General Public
> >> License. See COPYING for additional information.
> >>
> > 
> > I spent all morning on the internet trying to find how to install
> > maildrop with authlib support and did not find much. However I did find
> > something interesting. On one website there was written that maildrop
> > started displaying "Courier Authentication Library extension enabled."
> > after it was configured to use authmysqlrc. Needless to say I did not
> > fine the information where such setting should be placed!
> > 
> 
> maybe try:
> http://www.ckvsoft.at/pmwh/index.php/Installation:Ubuntu:Maildrop

This was helpful. I am going to update my .mailfilter with the sample given 
here. However when I run the install commands I get the message that both 
applications are already installed on my machine. Should I maybe uninstall 
maildrop and re-install it in that way?

> 
> 
> >>
> >> look at the "Courier Authentication Library extension enabled." line.
> >>
> >> if the mailbox location or uid/gid is "dynamic", yiu'll need to
> >> reinstall maildrop with authlib support.
> >>
> >> if the mailbox location is "static" (for example
> >> /base/domain/user/maildir/) and you use a single uid:gid for all
> >> mailboxes, then you can run maildr

RE: Postfix + Maildrop

2009-02-19 Thread Simon Aquilina



Date: Thu, 19 Feb 2009 04:34:14 -0500
Subject: Re: Postfix + Maildrop
From: gejop...@gmail.com
To: mouss+nob...@netoyen.net
CC: postfix-users@postfix.org

[quote]
On Wed, Feb 18, 2009 at 3:17 PM, mouss  wrote:
Simon Aquilina a écrit :
>[snip]
>>
>> >
>> > Enterting the command maildrop -V 4 -d sysad...@mydomain.com < 1 return
>> > the following:
>> > base 1: No such file or directory.
>>
>> well, you asked it to read from a file named "1". use "< /dev/null"
>> instead.
>
> I did as you suggested and the results I get are the following;
>
> Message start at 0 bytes, envelope sender=root
> maildrop: Attempting sysad...@mydomain.com
> maildrop: Unable to open filter file, errno=2
>

well, since your maildrop doesn't use authlib, it wants a real user (one
that it can find in /etc/passwd).

anyway, you can try with a higher verbosity level. for example

maildrop -V 9 -d someuser < /dev/null

> However I cannot understand why I am getting the third line. On the
> documentation it says that .maildropfilter should be in $HOME/. I
> understand that this means the home directory of the user used by
> maildrop. In my case the user is 'mail' and the home directory is
> '/var/mail/'. I created a file named '.maildropfilter' and inside it I
> placed only a single line to point to the mailbox (available further
> below). To be sure I also passed the following commands; chown mail
> .maildropfilter and chmod 666 .maildropfilter. I then copied the file to
> '/etc/courier/' as well but still had the same results :(
>
>>
>> >
>> > Enter the command maildrop -v returns the following:
>> > maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc
>> > GDBM/DB extensions enabled
>> > Maildir quota extensions enabled
>> > 
>>
>> so your maildrop was not built with authlib support. as a result, it
>> can't query authdaemon. with authlib support, you get something like:
>>
>> $ maildrop -v
>> maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc.
>> GDBM extensions enabled.
>> Courier Authentication Library extension enabled.
>> Maildir quota extension enabled.
>> This program is distributed under the terms of the GNU General Public
>> License. See COPYING for additional information.
>>
>
> I spent all morning on the internet trying to find how to install
> maildrop with authlib support and did not find much. However I did find
> something interesting. On one website there was written that maildrop
> started displaying "Courier Authentication Library extension enabled."
> after it was configured to use authmysqlrc. Needless to say I did not
> fine the information where such setting should be placed!
>

maybe try:
http://www.ckvsoft.at/pmwh/index.php/Installation:Ubuntu:Maildrop

>>
>> look at the "Courier Authentication Library extension enabled." line.
>>
>> if the mailbox location or uid/gid is "dynamic", yiu'll need to
>> reinstall maildrop with authlib support.
>>
>> if the mailbox location is "static" (for example
>> /base/domain/user/maildir/) and you use a single uid:gid for all
>> mailboxes, then you can run maildrop with -d mailboxuid and have
>> maildroprc determine the mailbox path.
>
> At the moment all uid:gid have the same value. Therefore I was trying to
> get maildrop to work with the auth support and then work on connecting
> maildrop to mysql later.
>
> For this reason I changed my master.cf file maildrop setting to be
> finish with '... -d 1000 ${recipient} ${user}'. Considering maildrop
> should drop the emails in: '/var/mail/virtual/{user}/new/' I put a
> single line in .maildropfilter file as follows: 'MAILBOX =
> "/var/mail/virtual/$1/new/" '. NOTE: I only have this line in the
> .maildropfilter file.
>

1- The variable is DEFAULT, not MAILBOX.
2- don't put a "new/" there. maildrop will try to deliver to
$whatyoutellit/new/.
3- in your example, ${user} is $2, not $1. but you lose the domain part
(${nexthop} or ${domain} depending on your postfix version).

>>
>> >
>> > Enter the command authtest sysad...@mydomain.com return the following:
>> > Authentication FAILED: Operation not permitted
>> >
>>
>> if you got this as root, then you have a problem. any selinux, apparmor,
>> ... ?
>
> It seems I have apparmor installed... is this a problem?
>

it may be. you can uninstall it and see. 

RE: Postfix + Maildrop

2009-02-19 Thread Simon Aquilina

> 
> 1- reinstall the "maildrop" package (not "courier-maildrop")
> 2- once this is done, run the following commands:
> 
>   maildrop -v

GDBM extensions enabled.
Courier Authentication Library extension enabled.
Maildir quota extension enabled.

>   ls -l /usr/bin/maildrop

-rwxr-sr-x 1 root mail 170016 2008-05-09 14:38 /usr/bin/maildrop

>   ldd /usr/bin/maildrop

linux-gate.so.1 => (0xb7a3000)
libgdbm.so.3 => /usr/lib/libgdbm.so.3 (0xb7f96000)
libcourierauth.so.0 => /usr/lib/courier-authlib/libcourierauth.so.0 (0x7f8a000)
libpcre.so.3 => /lib/libpcre.so.3 (0xb7f5f000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7e71000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb7e3c000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7cde000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7cac000)
/lib.ld-linux.so.2 (0xb7fa4000)

> 
> and copy-paste the commands and their output here.

Now it seems it installed with Courier Authentication Library extension 
enabled! I think before the command I used to install maildrop was 'apt-get 
install courier-maildrop' :( 

When I run the command 'maildrop -V 4 sysadmin < /dev/null' I still receive the 
error "Unable to open filter file, errno=2". However the problem I think is 
that maildrop cannot access the database. I think this because when I try to 
send email with telnet, in mail.info I get the following line about maildrop; 
"(user unknown. Command output: ERR: authdaemon: s_connect() failed: Permission 
denied Invalid user specified. )". 

I did some research and found this website: 
http://archive.netbsd.se/?ml=courier-maildrop&a=2007-06&t=4461364. Here the 
person asking the question was told to pass the command 'chown :daemon 
/var/run/courier/authdaemon/'. I did this and the error in mail.info changed to 
become '(user unknown. Command output: Invalid user specified. )' ... I am making 
progress, right!? :)








RE: Postfix + Maildrop

2009-02-20 Thread Simon Aquilina


> if you got this as root, then you have a problem. any selinux, apparmor,
> ... ?

authtest works fine now :) I tested it with postmaster and here are the results 
:)

Authentication succeeded

Authenticated: postmaster(uid: 6000, gid: 6000)
Home Directory: /var/spool/mail/virtual/
Maildir: /var/spool/mail/virtual/postmaster/

etc ... 

However as I said in a previous post calling 'maildrop -V 4 postmaster < 
/dev/null' still gives me the error "Unable to open filter file". Note that the 
Home directory of the postmaster user is at '/var/spool/mail/virtual/' and 
therefore I placed my .mailfilter file there. 

On some websites I read that I may need a maildropmysql.config file. However 
shouldn't maildrop now read the information it needs from the authmysqlrc file? 
I am afraid that for some reason using the above command still is not trying to 
access the information from the database (but I could be wrong!)



RE: Postfix + Maildrop

2009-02-21 Thread Simon Aquilina


Thanks, mouss and all the others for all the help. 

> now, it's time to move to the courier-maildrop mailing list.

I now understand maildrop much better and know the mistakes I was making. I 
still have some simple problems but will try to get them fixed :) I will take 
your suggestion and move to the courier-maildrop mailing list should I have 
problems fixing them. 

Thanks again to everyone for all the help given :) it was really appreciated!

Regards,
Simon J.




Queued non-deliverable message

2009-04-27 Thread Simon Wilson
I'm running Postfix 2.3.3 on CentOS 5.3 x64 (Postfix installed from  
CentOS repository). Firstly thank you to the writers for a great piece  
of software... :)


Postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = simonandkate.net, simonandkate.lan
message_size_limit = 26214400
mydestination = $myhostname, localhost.$mydomain, localhost,
    $mydomain, localhost.localdomain, simonandkate.net,
    system.simonandkate.net, howiesue.net

myhostname = mail.simonandkate.net
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = simonandkate.net
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining  permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    reject_unauth_pipelining, reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, reject_non_fqdn_sender,
    reject_unknown_sender_domain, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:postgrey/socket, permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/simonandkate.net-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/simonandkate.net-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Setup works a treat, has been running great for a few weeks. I sent an  
email to about 10 people, 2 of the email addresses were wrong. For one  
of them I got a bounce message in my mailbox telling me it was wrong  
(I had typed @yahoo.com.uk instead of @yahoo.co.uk). The other one I  
got nothing (I had typed @talktalk.com instead of talktalk.net) so  
wasn't aware I'd mistyped but I have just noticed a message sitting in  
the Postfix mail queue in Webmin (for the talktalk.net one) saying  
"Status: 	Host or domain name not found. Name service error for  
name=talktalk.com type=MX: Host not found, try again"


So my question is why did I get a message that one was wrong and not  
the other? Do I need to change config somehow?


Thank you.

--
Simon Wilson
www.simonandkate.net



Re: Queued non-deliverable message

2009-04-27 Thread Simon Wilson

Quoting Sahil Tandon :

> On Mon, 27 Apr 2009, Simon Wilson wrote:
>
>> So my question is why did I get a message that one was wrong and not the
>> other? Do I need to change config somehow?
>
> You use reject_unknown_recipient_domain, which results in a deferral and
> re-retry of mail delivery in the case of *temporary* error.  Postfix will try
> to deliver the mail until $maximal_queue_lifetime.  Set $delay_warning_time
> to a non-zero value if you wish for Postfix to send the envelope sender a
> notice that mail was undeliverable, but is still being re-tried.
>
> To understand the difference between your two scenarios, try using host(1) to
> query yahoo.com.uk and talktalk.com.
>
> --
> Sahil Tandon 

Aha! Now I understand - thank you to you both (Michael and Sahil).  
Running host on them both shed a lot of light. I'll look at  
$delay_warning_time so it warns me if I do it again...


Thanks.

--
Simon Wilson
www.simonandkate.net


SPF

2009-05-11 Thread Simon Wilson
I have set up Postfix for SPF for my domain simonandkate.net. Incoming  
emails are being checked fine, but I am not 100% certain on setting up  
the TXT record for outgoing emails.


I realise my Postfix config is working fine, but thought this list may  
be able to quickly help me with the outgoing. Can someone with more  
expertise advise on my TXT record please?


My mail server is mail.simonandkate.net, IP address is 59.167.212.191.  
MX records are mail.simonandkate.net 10 and mail.bluetie.com 20.


From my reading at openspf.org I have come up with:

TXT v=spf1 a mx ip4:59.167.212.191 ~all

The mx bit to cover the mx records for the domain, the ip4 because  
59.167.212.191 doesn't resolve back to mail.simonandkate.net but to  
ppp212-191.static.internode.on.net.


The ~all to softfail until I make sure all is working OK.

The reason I am not sure is that the two email addresses at  
http://www.openspf.org/Tools for verifying setup respond differently:


1. spf-t...@openspf.org responds with:

May 11 21:17:35 server04 postfix/smtp[26922]: 6A763573DF:  
to=,  
relay=mailout02.controlledmail.com[72.81.252.18]:25, delay=2.7,  
delays=0.02/0.03/0.85/1.8, dsn=5.7.1, status=bounced (host  
mailout02.controlledmail.com[72.81.252.18] said: 550 5.7.1  
: Recipient address rejected: SPF Tests:  
Mail-From Result="pass": Mail From="si...@simonandkate.net" HELO  
name="mail.simonandkate.net" HELO Result="permerror" Remote  
IP="59.167.212.191" (in reply to RCPT TO command))


The bounce is normal, as is the address rejection. The Mail From  
result is pass, but the HELO result is a permerror.


2. check-a...@verifier.port25.com responds with:

==
Summary of Results
==
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    pass
SpamAssassin check: ham

==
Details:
==

HELO hostname:  mail.simonandkate.net
Source IP:  59.167.212.191
mail-from:  si...@simonandkate.net

--
SPF check details:
--
Result: pass
ID(s) verified: smtp.mail=si...@simonandkate.net
DNS record(s):
simonandkate.net. 3600 IN TXT "v=spf1 a mx ip4:59.167.212.191 ~all"
simonandkate.net. A (no records)
simonandkate.net. 3600 IN MX 20 mail.bluetie.com.
simonandkate.net. 3600 IN MX 10 mail.simonandkate.net.
mail.bluetie.com. 86400 IN A 206.65.164.155
mail.simonandkate.net. 3598 IN A 59.167.212.191

--
DomainKeys check details:
--
Result: neutral (message not signed)
ID(s) verified: header.from=si...@simonandkate.net
DNS record(s):

--
DKIM check details:
--
Result: neutral (message not signed)
ID(s) verified:

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

--
Sender-ID check details:
--
Result: pass
ID(s) verified: header.from=si...@simonandkate.net
DNS record(s):
simonandkate.net. 3600 IN TXT "v=spf1 a mx ip4:59.167.212.191 ~all"
simonandkate.net. A (no records)
simonandkate.net. 3600 IN MX 20 mail.bluetie.com.
simonandkate.net. 3600 IN MX 10 mail.simonandkate.net.
mail.bluetie.com. 86400 IN A 206.65.164.155
mail.simonandkate.net. 3598 IN A 59.167.212.191

--
SpamAssassin check details:
--
SpamAssassin v3.2.5 (2008-06-10)

Result: ham  (2.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.2655]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO



Is my TXT record OK? Do I need the IP4 entry?

Thanks.



--
Simon Wilson
www.simonandkate.net


Re: SPF

2009-05-11 Thread Simon Wilson

Quoting Mathias Meinelt :

> Simon Wilson wrote:
>
> > TXT v=spf1 a mx ip4:59.167.212.191 ~all
>
> Your setup of the SPF record is ok, however you should leave out the
> "a" and "mx" directive as they have no use here unless you want to
> send mail over "mail.bluetie.com" as well.
>
> This SPF Record should work for you:
> TXT v=spf1 ip4:59.167.212.191 -all
>
> The HELO "permerror" is probably because your IP resolves to
> ppp212-191.static.internode.on.net but cannot be resolved back to an
> IP again, or because your HELO hostname does not match the
> reverse-looked-up IP.
>
> However your setup seems fine. :-)
>
> Regards,
>
> Mathias






Thanks Mathias. I have logged a support job with my ISP to get them to  
set the reverse mapping to mail.simonandkate.net so that should fix  
the HELO permerror.


Thanks for your help.

--
Simon Wilson
www.simonandkate.net
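
The two TXT records discussed in this thread, run through a small evaluator (an added example, not code from the thread or from any SPF library). It handles only the `all`, `ip4`, `a` and `mx` mechanisms for the MAIL FROM identity, uses a dict built from the DNS answers in the Port25 report in place of a resolver, and does not model the HELO check; the function names and the 192.0.2.10 test address are assumptions.

```python
import ipaddress

# DNS answers copied from the Port25 report quoted in this thread; the dicts
# stand in for a resolver so the example runs offline.
DNS_A = {
    "mail.simonandkate.net": ["59.167.212.191"],
    "mail.bluetie.com": ["206.65.164.155"],
    # simonandkate.net itself has no A record ("A (no records)").
}
DNS_MX = {"simonandkate.net": ["mail.simonandkate.net", "mail.bluetie.com"]}

ORIGINAL = "v=spf1 a mx ip4:59.167.212.191 ~all"
SUGGESTED = "v=spf1 ip4:59.167.212.191 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SUPPORTED = ("all", "ip4", "a", "mx")


def parse_terms(record):
    """Split a record into (qualifier, mechanism, argument, raw term) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for raw in parts[1:]:
        qualifier, body = "+", raw
        if raw[0] in QUALIFIERS:
            qualifier, body = raw[0], raw[1:]
        mech, _, arg = body.partition(":")
        mech = mech.lower()
        if mech not in SUPPORTED:
            raise NotImplementedError("outside this example's subset: " + raw)
        terms.append((qualifier, mech, arg, raw))
    return terms


def addresses_of(hosts):
    """A records of the given host names, as address objects."""
    return [ipaddress.ip_address(a) for h in hosts for a in DNS_A.get(h, [])]


def matches(mech, arg, ip, domain):
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return ip in addresses_of([arg or domain])
    # mech == "mx": the A records of every MX host of the domain
    return ip in addresses_of(DNS_MX.get(arg or domain, []))


def check_spf(record, client_ip, domain):
    """Return (result, matching term) for the first mechanism that matches."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg, raw in parse_terms(record):
        if matches(mech, arg, ip, domain):
            return QUALIFIERS[qualifier], raw
    return "neutral", None  # no mechanism matched


if __name__ == "__main__":
    for record in (ORIGINAL, SUGGESTED):
        for ip in ("59.167.212.191", "206.65.164.155", "192.0.2.10"):
            print(record, ip, check_spf(record, ip, "simonandkate.net"))
```

With the first record the server's own address is already matched by `mx`, and the backup MX at mail.bluetie.com is authorised as well; with the second record only 59.167.212.191 passes and everything else gets a hard fail.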


My local user aren't working!

2009-05-15 Thread Simon Waters
After many years I noticed in my current config that the local users aren't 
working properly.

Specifically I have a hostname in "mydestination" (h7.zynet2.co.uk) and I want 
to accept email for "r...@h7.zynet2.co.uk"

This email is currently delivered correctly if submitted from a trusted user 
or address, but rejected by the SMTP recipient check if sent from outside. So 
I think I want an addition/correction to the "smtpd_recipient_restrictions" 
that will accept valid local addresses before I check the virtual users 
(permit_auth_destination causes Postfix to accept and bounce email for 
non-existent addresses in virtual_alias_domains, but otherwise appears to 
work as expected), or a correction to the valid user check.

All local users are currently in "/etc/aliases" map, and all these map 
eventually to addresses that are not local (either remote users or virtual 
mailbox users), so "local" is a bit of a misnomer here.

I have:

 virtual_alias_maps, virtual_alias_domains 
   -- postgres lookups that return virtual aliases for which we do 
forwarding or similar. At the end of "smtpd_recipient_restrictions" I have a 
call to a postgres map that returns "OK" for good virtual addresses and "REJECT" 
for non-existent virtual addresses (is that right?).

 virtual_mailbox_maps (and friends) allow delivery to mailboxes for people 
whom we are final destination.

 transport_map -- list of domains and addresses, one domain of which we 
extract 200 addresses for delivery via SMTP transport, the rest we ship off 
to "local".

I have a note in the Postgres user validation function that says "Postfix 2.2 
has some new functionality that should obsolete this", but I didn't have the 
good sense to write down what that new feature was.

Does anyone know what Postfix 2.2 feature I probably meant?

Is it obvious what I did wrong? Is it just the "REJECT" on not matching a 
virtual_alias?

I'm tempted to move all the content of mydestination and /etc/aliases into the 
Postgres database of "virtual_alias", which I can probably make work easily 
enough. But I'm sure there is a "postfix way" of achieving what I intended.

postconf -n (softbounce because I've been fiddling - but I think this is back 
how it was).

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_process_limit = 200
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 5120
message_size_limit = 2000
mydestination = localhost.localdomain localhost.localdomain localhost 
h7.zynet2.co.uk
myhostname = h7.zynet2.co.uk
mynetworks = 127.0.0.0/8, 212.24.80.0/27, 212.24.80.32/27, 212.24.80.64/27
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
proxy:pgsql:/etc/postfix/pgsql-valid-rcpt.cf
readme_directory = /usr/share/doc/postfix
recipient_delimiter = -
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = cidr:/etc/postfix/cidr-badips
smtpd_delay_reject = yes
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,  check_helo_access 
hash:/etc/postfix/helo_access,  permit
smtpd_junk_command_limit = 10
smtpd_recipient_restrictions = permit_mynetworks,reject_rbl_client 
zen.spamhaus.org,check_policy_service inet:127.0.0.1:6,   
check_recipient_access hash:/etc/postfix/relay-domains, 
check_recipient_access proxy:pgsql:/etc/postfix/pgsql-valid-rcpt.cf,
reject_unauth_destination
smtpd_sender_restrictions = hash:/etc/postfix/access,   
reject_unknown_sender_domain
soft_bounce = yes
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
virtual_alias_domains = proxy:pgsql:/etc/postfix/pgsql-email-virt-domains.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql-email-virtual.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail
virtual_mailbox_domains = pop.mail.zynet.net
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000





Re: Sent Mail Shows FQDN in Email Address

2009-05-17 Thread Simon Wilson

Quoting Carlos Williams :

> I am using a new Postfix server and when I send an email to anyone, it
> shows the FQDN as follows:
>
> u...@mail.myserver.com
>
> When it should display:
>
> u...@myserver.com
>
> Now in my Postfix main.cf file, I made sure to check I have:
>
> [code]myorigin = $mydomain[/code]
>
> Now obviously mydomain = myserver.com in my main.cf. So now I don't
> know what to do. Users will see this as a huge inconvenience and will
> start to complain. Could this be Amavisd?
>
> Anyone know what I can do to test who and why this is occurring?
>
> [r...@mail ~]# postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mydomain = myserver.com
> myhostname = mail.myserver.com
> mynetworks = $config_directory/mynetworks
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> relay_domains =
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_delay_reject = yes
> smtpd_helo_required = yes




http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade

--
Simon Wilson
www.simonandkate.net


Disable content_filter

2009-05-20 Thread Simon Schelkshorn
Hi,

I'm having a postfix installation that uses spamassassin for content 
filtering. Therefore I have in my master.cf

smtp  inet  n   -   n   -   75  smtpd -o content_filter=postfixfilter

and

postfixfilter unix -   n   n   -   -   pipe
  flags=Rq user=filter argv=/home/filter/postfixfilter -f ${sender} -- ${recipient}

This worked fine for several years now. This postfix is now intended 
to also act as a relay-host for outgoing mail. The relay 
functionality should only be available for other hosts in my local 
network. In addition to that, the relayed mail shouldn't be filtered 
by spamassassin. To achieve this, I added the following line to my 
master.cf

192.168.xxx.xxx:25   inet  n   -   n   -   -   smtpd -o content_filter=

This also works fine besides the fact, that mail sent to the local 
smtp-port also is filtered by spamassassin. Can anyone point me into 
the right direction on how to fix this?

Thanks in advance,
Simon



Re: Disable content_filter

2009-05-21 Thread Simon Schelkshorn
Hi Wietse,

thank you for your very fast reply!

> > 192.168.xxx.xxx:25   inet  n   -   n   -   -   smtpd -o content_filter=
> > 
> > This also works fine besides the fact, that mail sent to the local 
> > smtp-port also is filtered by spamassassin. Can anyone point me into 
> > the right direction on how to fix this?
> 
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
>   check_recipient_access hash:/etc/postfix/filter_access
>   permit_mynetworks
>   reject_unauth_destination
> 
> /etc/postfix/filter_access:
> # Filter example.com destinations only.
> example.com   filter transport:host:port

If I do understand this correctly, then all mail to my domain 
(example.com) will be filtered, all relayed mail coming from my 
network and going to an external address won't be filtered, but mail 
coming from my network and going to one of my users is being filtered.

Filtering of local mail (example.com -> example.com) also has to be 
turned off, actually this has the highest priority!

Is there a reason, why the "-o content_filter=" option doesn't work, 
it works fine for the port, spamassassin reinjects the filtered mail.

localhost:10025 inet  n   -   n   -   -   smtpd -o content_filter=

Thanks,
Simon



Re: Disable content_filter

2009-05-22 Thread Simon Schelkshorn
> what exactly doesn't work? what do you mean by "the local smtp-port"? if
> you mean port 25 on localhost, then you need to add a listener
> 
> localhost:25  -o content_filter=

Here is part of my master.cf

smtp  inet  n   -   n   -   75  smtpd -o content_filter=postfixfilter
localhost:10025 inet  n   -   n   -   -   smtpd -o content_filter=
192.168.xxx.xxx:25   inet  n   -   n   -   -   smtpd -o content_filter=

postfixfilter unix -   n   n   -   -   pipe
  flags=Rq user=filter argv=/home/filter/postfixfilter -f ${sender} -- ${recipient}


Mail from outside is received and then passed to the postfixfilter. 
This works perfect. Filtered mail is returned to postfix via the 
listener on localhost. Contentfiltering is turned off and everything 
works fine. My problem is the third listener. This one should receive 
mail from other servers within my network (postfix acts as a relay), 
but here contentfiltering should also be turned off for all mail, 
independent of where it comes from and where it goes to.

The problem is, that I can send mail to the listener on 
192.168.xxx.xxx on port 25, but that it is passed to the 
postfixfilter. My question is, how can I completely turn off 
contentfiltering for all mail received on 192.168.xxx.xxx and why 
does the "-o content_filter=" option turn off contentfiltering for 
the listener on localhost and not for the one on 192.168.xxx.xxx?

BTW: in main.cf there is also set content_filter=.

Regards,
Simon



Re: Disable content_filter (Solved!)

2009-05-27 Thread Simon Schelkshorn
> > The problem is, that I can send mail to the listener on 
> > 192.168.xxx.xxx on port 25, but that it is passed to the 
> > postfixfilter. My question is, how can I completely turn off 
> > contentfiltering for all mail received on 192.168.xxx.xxx and why 
> > does the "-o content_filter=" option turn off contentfiltering for 
> > the listener on localhost and not for the one on 192.168.xxx.xxx?

I have two servers with identical configuration. During debugging I 
found, that only one of the two servers suffers from this problem. A 
diff on the two main.cf revealed the cause.

On the server with the problem the address of the 192.168.xxx.xxx 
listener was listed in the inet_interfaces. It seems that in this 
case the definition of the "smtp" listener has a higher priority. 
After removing the address from inet_interfaces everything works now 
as expected.

BR,
Simon



Simple mail submission tool was Re: "nobody is going to write a new MTA"

2009-05-28 Thread Simon Waters
On Thursday 28 May 2009 14:41:30 Marcio Merlone wrote:
> 
> That would be great, I have some servers wich sends nothing but
> administrative mails to me, logcheck, crontab, such annoying things.
> They need nothing more than a bare bones MTA wich is able to send mails
> to a relay host.

Debian has ssmtp which was written to do something like this.

However I think it is "too simple" being as such a tool needs a queue for the 
emails root sends when the network is down (or maybe you regard that 
as "first cause analysis" :-).

As a result I used postfix on such boxes because the Debian package can be 
persuaded to do a suitable "listen on localhost and forward to smarthost" 
config via debconf so no editing of config files.

But it does feel like overkill, and doesn't support some common configurations 
easily, so I'm open to better ideas.

"Common configurations" would be = can forward to SMTP submission host using 
SMTP over SSL, and/or other ways of submitting to an account keeping the 
password encrypted (think mobile linux device queuing up system emails to 
send via regular email submission account when it next gets net access).

Meanwhile I guess lots of minuscule postfix installs will have to do.


Re: received date differs

2009-06-02 Thread Simon Waters
The date inside the mail (on the "Date:" header) was for February.

Since spam is junk there is no reason to expect this date to be valid, 
spammers frequently use future or past dates to end up at the top or the 
bottom of the in tray and thus more prominent and more likely to be read.

Sometimes it is simply because the date is set wrong on the computer sending 
the email.

SpamAssassin uses dates in future and distant past as an indication of 
likelihood that an email is spam.

It is spam - hit delete and move on - unless you need a better spam filter.

 Simon



message_size_limit

2009-06-09 Thread Simon Schelkshorn
Hi there,

I added a second listener in my master.cf. For this listener I added 
the option message_size_limit=2048 to increase the maximum size 
for emails sent via this additional listener.

192.168.xxx.xxx:25   inet  n   -   n   -   -   smtpd
  -o content_filter=
  -o message_size_limit=2048

When I now connect to the server it correctly notifies me about the 
maximum message size.

vs100:/home/simon # telnet 192.168.xxx.xxx 25
Trying 192.168.xxx.xxx...
Connected to 192.168.xxx.xxx.
Escape character is '^]'.
220 mail2.example.com ESMTP Postfix
EHLO mail1.example.com
250-mail2.example.com
250-PIPELINING
250-SIZE 2048
250-VRFY
250-ETRN
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.

Sending a message larger than the default size of 10MB still results 
in an error message.

552 Error: message too large

The message size after BASE64 encoding was approx. 14MB.

Can anyone point me into the right direction, what I'm doing wrong?

BR,
Simon



anvil

2009-06-10 Thread Simon Jones
Hi folks,

I have postfix 2.3.3 installed and have just found some info on
Anvil(8) which looks like it should be good as part of my anti-spam
implementation.  I can see anvil in /usr/libexec/postfix/ but when i
enable the config within main.cf smtpd_error_sleep_time = 1s and grep
on maillog there's no entry for anvil - it's as though it isn't
compiled or something.  Anyone know how to get it up and running?

Si


Re: anvil

2009-06-10 Thread Simon Jones
2009/6/10 Ralf Hildebrandt :
> * Simon Jones :
>> Hi folks,
>>
>> I have postfix 2.3.3 installed and have just found some info on
>> Anvil(8) which looks like it should be good as part of my anti-spam
>> implementation.  I can see anvil in /usr/libexec/postfix/ but when i
>> enable the config within main.cf smtpd_error_sleep_time = 1s
>
> That does not enable anvil.
>
> --
> Ralf Hildebrandt
> Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155

Thanks Ralf,

can you point me to some docs on how to do it perhaps?  would be much
appreciated, this is something i came across today so apologies for
coming across as a complete noob...


Re: anvil

2009-06-10 Thread Simon Jones
2009/6/10 Ralf Hildebrandt :
> * Simon Jones :
>
>> > That does not enable anvil.
>
>> can you point me to some docs on how to do it perhaps?  would be much
>> appreciated, this is something i came across today so apologies for
>> coming across as a complete noob...
>
> http://www.postfix.org/TUNING_README.html#conn_limit
> --
> Ralf Hildebrandt
> Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
> http://www.computerbeschimpfung.de
> The opposite of increment is excrement.

ok thanks - I added those to main.cf but it still doesn't do anything,
I have googled - oooh yes I have googled something good but it still
doesn't make sense how to get postfix working with anvil, there's
plenty of info on config but how do i get pfx to pass info to anvil so
it generates stats?


Re: anvil

2009-06-10 Thread Simon Jones
2009/6/10 Ralf Hildebrandt :
> * Simon Jones :
>
>> > http://www.postfix.org/TUNING_README.html#conn_limit
>
>> ok thanks - I added those to main.cf
>
> What EXACTLY did you add?
>
>> but it still doesn't do anything,
>
> Of course it doesn't do anything per se!
>
> Shit needs to hit the fan before something happens. Did you throw enough
> shit in the general direction of the fan to facilitate a hitting of the
> fan?
>
> --
> Ralf Hildebrandt
> Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
> http://www.computerbeschimpfung.de
> "The percentage of users running Windows NT Workstation 4.0 whose PCs
> stopped working more than once a month was less than half that of Windows
> 95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp
>

This is the part I'm missing, how do I enable the shit flinger?


Re: anvil

2009-06-11 Thread Simon Jones
2009/6/10 Ralf Hildebrandt :
> * Simon Jones :
>
>> This is the part I'm missing, how do I enable the shit flinger?
>
> You COULD use smtp_source
>
> OR
>
> you could set ridiculously low limits (1/60s) and then test it manually using 
> telnet.
>
> Keep in mind, though:
> smtpd_client_event_limit_exceptions = $mynetworks
>
> so the test must be performed from a client OUTSIDE of $mynetworks
> Or you just say:
>
> smtpd_client_event_limit_exceptions =
>
> --
> Ralf Hildebrandt
> Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
> http://www.computerbeschimpfung.de
> Ballmer should step down in favour of Mr T, because he pity the fool
> who don't got high-end video cards and 4GB RAM for Vista Aero!

Thanks guys, fail2ban looks great - config is being a bitch though but
i have anvil working now!

Jason, when I fire up fail2ban it says "WARNING 'action' not defined
in 'postfix'. Using default value"

i found some info on
http://www.howtoforge.com/forums/showthread.php?t=28781 and followed
it through but i got the same error when firing fail2ban up too, the
postfix.conf file looks ok -

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# postfix

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
#failregex = reject: RCPT from (.*)\[<HOST>\]: 554
failregex = reject: RCPT from (.*)\[<HOST>\]: 5[05][0-4]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I modded it slightly though - but it does the same whether default or
not, any pointers to what i'm doing wrong?  "action not defined" would
suggest that i've not enabled / configured something correctly but the
files look the same as the examples i've seen on the web.
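
What the two failregex lines in that filter select, checked against constructed Postfix log lines (an added example, not part of the original post or of fail2ban itself). It assumes the filter's `<HOST>` tag sits between the escaped brackets and expands it to the alias given in the file's comments; `maxretry` is counted over the whole sample without a time window, and all addresses, host names and log lines are constructed.

```python
import re
from collections import Counter

# Alias for the <HOST> tag as given in the comments of the filter file.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

FAILREGEX_554 = r"reject: RCPT from (.*)\[<HOST>\]: 554"
FAILREGEX_WIDE = r"reject: RCPT from (.*)\[<HOST>\]: 5[05][0-4]"


def compile_failregex(failregex):
    """Expand <HOST> the way the filter comments describe, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def reject_line(minute, client, ip, reply):
    """Build one constructed Postfix smtpd reject log line."""
    return ("Jun 11 10:%02d:00 mail postfix/smtpd[1092]: NOQUEUE: reject: "
            "RCPT from %s[%s]: %s; from=<a@example.net> to=<b@example.com> "
            "proto=ESMTP helo=<%s>" % (minute, client, ip, reply, client))


# Constructed sample: an open-relay prober (554), a legitimate server whose
# users mistyped an address three times (550), and one temporary reject (450).
SAMPLE_LOG = (
    [reject_line(m, "unknown", "203.0.113.7",
                 "554 5.7.1 <b@example.com>: Relay access denied")
     for m in (1, 2, 3)]
    + [reject_line(m, "mail.example.net", "198.51.100.20",
                   "550 5.1.1 <b@example.com>: Recipient address rejected: "
                   "User unknown in local recipient table")
       for m in (4, 5, 6)]
    + [reject_line(7, "unknown", "192.0.2.44",
                   "450 4.7.1 Client host rejected: cannot find your hostname"),
       "Jun 11 10:08:00 mail postfix/smtpd[1092]: connect from unknown[203.0.113.7]"]
)


def matched_hosts(failregex, lines):
    """Hosts captured by the failregex, one entry per matching line."""
    pattern = compile_failregex(failregex)
    found = (pattern.search(line) for line in lines)
    return [m.group("host") for m in found if m]


def would_ban(failregex, lines, maxretry=3):
    """Hosts with at least maxretry matching lines (no findtime window)."""
    counts = Counter(matched_hosts(failregex, lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("554 only :", would_ban(FAILREGEX_554, SAMPLE_LOG))
    print("5[05][0-4]:", would_ban(FAILREGEX_WIDE, SAMPLE_LOG))
```

The widened pattern also counts 550 "User unknown" rejects, so a legitimate relay whose senders mistype a recipient reaches the threshold alongside the relay prober; 4xx rejects are never counted by either pattern.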


Re: anvil

2009-06-11 Thread Simon Jones
2009/6/11 Simon Jones :
> 2009/6/10 Ralf Hildebrandt :
>> * Simon Jones :
>>
>>> This is the part I'm missing, how do I enable the shit flinger?
>>
>> You COULD use smtp_source
>>
>> OR
>>
>> you could set ridiculously low limits (1/60s) and then test it manually using 
>> telnet.
>>
>> Keep in mind, though:
>> smtpd_client_event_limit_exceptions = $mynetworks
>>
>> so the test must be performed from a client OUTSIDE of $mynetworks
>> Or you just say:
>>
>> smtpd_client_event_limit_exceptions =
>>
>> --
>> Ralf Hildebrandt
>> Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
>> http://www.computerbeschimpfung.de
>> Ballmer should step down in favour of Mr T, because he pity the fool
>> who don't got high-end video cards and 4GB RAM for Vista Aero!
>
> Thanks guys, fail2ban looks great - config is being a bitch though but
> i have anvil working now!
>
> Jason, when I fire up fail2ban it says "WARNING 'action' not defined
> in 'postfix'. Using default value"
>
> i found some info on
> http://www.howtoforge.com/forums/showthread.php?t=28781 and followed
> it through but i got the same error when firing fail2ban up too, the
> postfix.conf file looks ok -
>
> # Fail2Ban configuration file
> #
> # Author: Cyril Jaquier
> #
> # $Revision: 510 $
> #
>
> [Definition]
>
> # postfix
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> #failregex = reject: RCPT from (.*)\[<HOST>\]: 554
> failregex = reject: RCPT from (.*)\[<HOST>\]: 5[05][0-4]
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>
> I modded it slightly though - but it does the same whether default or
> not, any pointers to what i'm doing wrong?  "action not defined" would
> suggest that i've not enabled / configured something correctly but the
> files look the same as the examples i've seen on the web.
>

Apologies - i mean Terry of course... I have never been too good with names :)


Re: message_size_limit

2009-06-11 Thread Simon Schelkshorn
Hi,

thanks for your fast reply.

@Truth Seeker: I added the message_size_limit statement to the 
definition in master.cf as I intended to increase the message size 
only for mail sent from my local users and not for all messages.


> > > You can't change the size limit for the SMTP server alone.
> > > It must be a main.cf setting.
> > 
> > Specifically, message_size_limit is enforced by cleanup(8). Adding
> > another cleanup(8) service with a different message_size_limit and
> > choosing it for this particular smtpd(8) with cleanup_service_name
> > should work.
> 
> But wait, there is more...
> 
> The queue manager and the delivery agents can be affected, too.
> Depending on how mail gets into Postfix, recipient records may be
> sitting at the end of a queue file, and when a delivery agent (or
> queue manager) tries to mark a recipient as "done" they get into
> trouble when their "message size limit" setting is too small.
> 
> That was one of the bugs that was introduced by the VDA patch,


Thanks Magnus for showing a way on how to achieve what I was trying 
to get and thanks Wietse for pointing out, that there may be some 
other problems with it.

So I decided to go with the "safe" configuration and increased the 
general message size in main.cf.


Simon




Re: 250 Backend Replied

2010-03-02 Thread Simon Morvan

On 02/03/2010 22:01, Kaleb Hosie wrote:

> When a user emailed one of our customers, this line came up in the logs:
>
> Mar  2 15:43:22 mailgate postfix/smtp[4830]: 89423170093: to=, 
> relay=domain.com.inbound15.mxlogicmx.net[208.65.144.13]:25, delay=1.4, 
> delays=0/0/0.27/1.2, dsn=2.0.0, status=sent (250 Backend Replied 
> [dc87d8b4.0.970491.00-043.1797288.p02c11m002.mxlogic.net]: 2.6.0 

Response codes in 2xx mean success and status=sent should tell you 
"don't worry".
Actually, because of the 250, your server considers the message sent so 
you should watch if a bounce comes back on the Return-Path address.


--
Simon.



Re: quota with mysql

2010-03-03 Thread Simon Morvan

On 03/03/2010 09:17, Andre Hübner wrote:

> Hello,
>
> I want to do an exact calculating quota with postfix<->mysql to reject 
> incoming mails if user is over quota.
>
> Complete storage-statistics+quota is done by dovecot in background.
> Currently I use check_recipient_access mysql:/path/mysql.conf to get 
> return value.
> But for an exact calculation I miss the value of current mailsize to 
> calculate expected storage consumption.
>
> Is there a way to get size of mail into my sql-query?
> My 2nd option would be a policy-service which gets mailsize delivered 
> as attribute by postfixserver.
>
> What's the better way?
>
> Thanks,
>
> Andre

Maybe you should give a try to dovecot-deliver. It'll take care of the 
quota stuff directly.


--
Simon



Re: quota with mysql

2010-03-03 Thread Simon Morvan
On 03/03/2010 10:18, Andre Hübner wrote:
> Hello,
>
>> Maybe you should give a try to dovecot-deliver. It'll take care of
>> the quota stuff directly.
>
> this is working already but is not rejecting a mail on smtp-dialog. it
> deletes the mail after postfix was accepting it and this is a legal
> difference.
>
> Thanks,
> Andre

Do you use deliver's -e switch?


OT: 0.0.0.0

2010-03-30 Thread Simon Waters
One domain is advertising an MX record of "0.0.0.0" which postfix correctly 
reports as "numeric domain name in resource data of MX record for ..."

Then (on Linux at least), Postfix connects to "0.0.0.0" and then logs a couple 
of messages complaining it is trying to talk to itself.

I'm not sure 0.0.0.0 should work as an address to connect to, but probably too 
late to put that genie back in the bottle.

In this instance I would prefer to reject mail from domain. I believe the 
Postfix way is a policy daemon to reject email with bad or unwanted DNS 
settings. (i.e. the Yahoo MX . trick).

Does anyone have a good list of bad things not to connect to?
How have folks done the DNS filtering?

Meta question - should outgoing to 0.0.0.0 really connect to anything?
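
A sketch of the policy-daemon idea from this post, as an added example that is not from the original thread: it reads a Postfix policy delegation request (name=value lines), looks at the sender domain's MX targets through two injected lookup functions, and rejects only when every MX is unusable (numeric, a bare ".", or resolving solely to non-routable addresses). The function names, the reject wording, the "reject only if all MX are bad" rule and the DNS tables are assumptions; the sample data is constructed.

```python
import ipaddress

# Checked in this order because Python's is_private also covers 0.0.0.0/8,
# loopback and link-local space.
ADDRESS_CHECKS = ("is_unspecified", "is_loopback", "is_link_local",
                  "is_multicast", "is_reserved", "is_private")


def address_problem(addr):
    """Return a label such as 'unspecified' for a non-routable address, else None."""
    ip = ipaddress.ip_address(addr)
    for attr in ADDRESS_CHECKS:
        if getattr(ip, attr):
            return attr[3:].replace("_", "-")
    return None


def mx_problem(exchange, resolve_a):
    """Return why one MX exchange is unusable, or None when it looks fine."""
    name = exchange.strip().rstrip(".")
    if not name:
        return "null MX"
    try:
        ipaddress.ip_address(name)
        return "numeric MX %s" % name
    except ValueError:
        pass  # a host name, as an MX exchange should be
    addrs = resolve_a(name)
    bad = [(a, address_problem(a)) for a in addrs]
    bad = [(a, p) for a, p in bad if p]
    if addrs and len(bad) == len(addrs):
        return "%s resolves only to %s" % (
            name, ", ".join("%s (%s)" % pair for pair in bad))
    return None  # usable, or unresolvable (left to other restrictions)


def policy_reply(request, lookup_mx, resolve_a):
    """Answer one policy delegation request with an action line."""
    attrs = dict(line.split("=", 1) for line in request.splitlines() if "=" in line)
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    exchanges = lookup_mx(domain) if domain else []
    problems = [mx_problem(x, resolve_a) for x in exchanges]
    if exchanges and all(problems):
        return "action=REJECT sender domain MX unusable: %s\n\n" % "; ".join(problems)
    return "action=DUNNO\n\n"


# Constructed DNS data standing in for real lookups.
SAMPLE_MX = {
    "zero.example": ["0.0.0.0"],
    "nullmx.example": ["."],
    "loop.example": ["mx.loop.example."],
    "mixed.example": ["mx.loop.example.", "mail.ok.example."],
    "ok.example": ["mail.ok.example."],
}
SAMPLE_A = {"mx.loop.example": ["127.0.0.1"], "mail.ok.example": ["206.65.164.155"]}


def sample_lookup_mx(domain):
    return SAMPLE_MX.get(domain, [])


def sample_resolve_a(name):
    return SAMPLE_A.get(name, [])


def sample_request(sender):
    """A constructed policy request as smtpd would send it at RCPT time."""
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            "sender=%s\nrecipient=postmaster@h7.example\n\n" % sender)


if __name__ == "__main__":
    for dom in SAMPLE_MX:
        reply = policy_reply(sample_request("user@" + dom),
                             sample_lookup_mx, sample_resolve_a)
        print(dom, "->", reply.strip())
```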


Re: Relaying to SPF protected server

2010-04-01 Thread Simon Waters
On Thursday 01 April 2010 12:38:29 J.R.Ewing wrote:
> 
> Is there any solution?
> I have idea to move senders address to "reply to" field and write new
> sender. Is it possible with postfix?

As Ralph says SRS will do this.

However I looked at this recently for a project, where I thought I'd need SRS, 
and after reviewing the various issues and SPF adoption figures, concluded 
I'd ignore SPF.

In particular very few people reject outright on SPF failure (not least this 
isn't a good strategy compared to other filtering methods if all you want to 
do is reduce spam). Various systems handle SPF failed email in a more 
suspicious manner, but that isn't a practical problem in my experience.

SRS might work better for your purpose, but SPF is broken by design and you 
should flag that to the people using it.

We forward a lot of email, we don't do envelope rewriting, and have had a 
handful of complaints over the years, most from the same person who didn't 
seem to understand "we have no plans to change at this time".


Re: Patch: support BURL

2010-04-12 Thread Simon Waters
On Monday 12 April 2010 16:53:10 Victor Duchovni wrote:
> On Mon, Apr 12, 2010 at 11:50:02AM -0400, Charles Marcus wrote:
> > There is no IMAP client that I'm aware of that can 'save' a message to
> > to the Sent folder.
>
> They all do it, that's how messages end up in the Sent folder, you
> are confused.

Although Thunderbird seems to find ever more ingenious reasons for why it 
can't do it for this specific message at this specific time, as a bonus 
giving you a chance to mistakenly send the message twice. 

Some days I think starting again from scratch with software would be a good 
idea, then I remember how quickly I can code


Re: Mail to wildcard MX records doesn't work from Yahoo Mail, but fine from other addresses

2010-04-13 Thread Simon Waters
On Tuesday 13 April 2010 08:16:47 Bob Eastbrook wrote:
>

Your post appears mangled beyond hope of direct assistance.

> Remote host said: 554 5.7.1 : Relay access denied

This implies that your server rejected it. So where is the log from your 
server?

The DNS config you give appears to be a case of "CNAME and other" which is a 
violation of RFC1034. So fix your DNS and see if things work correctly.

 Simon








Re: Mail to wildcard MX records doesn't work from Yahoo Mail, but fine from other addresses

2010-04-13 Thread Simon Waters
On Tuesday 13 April 2010 10:16:49 Bob Eastbrook wrote:
> On Tue, Apr 13, 2010 at 1:01 AM, Simon Waters  wrote:
> > Your post appears mangled beyond hope of direct assistance.
>
> Are you saying that the message was improperly formatted?

No, I'm saying I don't think you are administering "example.com" 
or "example.org".

I've exchanged email with the person who used to administer them now and then, and 
he doesn't need my help with DNS configuration issues - well not very 
often ;)

But generally best not to obfuscate here, especially on issues relating to 
DNS.


Re: backscatter spam

2010-04-13 Thread Simon Waters
On Tuesday 13 April 2010 16:32:03 motty.cruz wrote:
> Hello, I seemed to be losing the fight against backscatter email, one of
> our users is getting tons of backscatter spam a day. I'm using postfix
> Mail_version 2.7.0 + amavisd (Spamassassin) on FreeBSD machine. Please
> help!

Did you try this yet? 

http://www.postfix.org/BACKSCATTER_README.html#real




Re: Mail server responded 5.7.1

2010-04-19 Thread Simon Waters
On Monday 19 April 2010 09:51:52 mohamad rahimi wrote:
> In our group we are using suse and
> Postfix SMTP server. Every thing was fine until last month when we
> restart our mail server and also firewall.
> The first problem is that when we use
> Thunderbird with security and Authentication it is impossible to send
> a email. we receive this error “Unable to authentication to SMTP
> server  mx.mydomain. The server does not support any compatible
> secure authentication mechanism but you have chosen secure
> authentication.

Could it be that authentication depends on a daemon and that daemon isn't in 
your start-up scripts?

But without details of how it was configured I'm just guessing.

So it could be as simple as: "/etc/init.d/courier-authdaemon start"

And then ensuring it is in the start-up.

Post here output of postconf, and also any errors, and others can probably 
give more specific advice.


Re: Rejecting Spam Based on Spamassassin Score

2010-04-20 Thread Simon Waters
On Monday 19 April 2010 18:34:59 Aaron Clausen wrote:
> This has probably been asked a hundred times before, but a client of
> mine has requested the ability to reject emails if their spam score is
> above a certain score, rather than marking it as spam.  Is this a
> possibility with Postfix?

As noted in other responses SpamAssassin is typically too late in the process, 
and wants to examine content.

You can do the "content free" checks with policy daemons (policyd-weight being 
one of the popular ones), which require you to specify a threshold at which 
you reject but based on a selection of tests it is more sensible to do before 
accepting as email.


Re: postfix smtp_loop() breaks SMTP

2010-04-27 Thread Simon Waters
On Tuesday 27 April 2010 17:24:35 Victor Duchovni wrote:
>
> $ < /tmp/data pcregrep -c Postfix
> 134368

If we are hijacking the thread for how to convince suits to use Postfix...

Picking an MTA based only on popularity would have got you sendmail until 
fairly recently, and I don't think anyone would want that.

All the figures show is that lots of people use Postfix.

That big companies like AOL and HP use Postfix tells you it is probably 
suitable for big companies. One wonders why IBM greets like sendmail 
sometimes though ;)

That small mail admins like myself use it tells you it probably isn't too 
onerous to setup.

The hard thing when comparing mail solutions is I believe comparing systems 
that try to do everything (some include Postfix), versus building from 
constituent parts. Historically the "do everythings" have been onerously 
complicated, and/or insecure. But I really can't comment on things like SUN 
Java Messaging Server, Groupwise, or even current versions of Lotus Notes, 
other than to say in my experience such combined products have been 
relatively inflexible (hence a lot of the discussion about putting Postfix in 
front of Exchange for security and filtering).

Of course what is really needed to convince suits is someone to take them to 
play golf, and explain why paying a lot of money will be good for their 
company.


PostFix Mail Delivery to Different Hosts

2010-05-05 Thread Simon Croome


Hi

We are replacing sendmail as our MTA to Postfix and our internal mail 
relay receives mail from our edge MTA server in the DMZ, once mail 
is received then any email address to a staff member for instance : 
.< last name >@example.com is sent to a Lotus Notes server, 
and any other email < whatever >@example.com is sent to our OCS server.


We have had a rule in our sendmail configuration that has been able to 
do this for many years but I cannot seem to find any examples on how 
this can be done in postfix.


Someone on another forum suggested that you achieve this in postfix 
using the transport file, but could any one give me an example how to 
get this working ?


Thanks in advance, Simon.


Re: PostFix Mail Delivery to Different Hosts

2010-05-07 Thread Simon Croome

On 05/05/2010 17:42, Victor Duchovni wrote:
> On Wed, May 05, 2010 at 04:21:37PM +0100, Simon Croome wrote:
> > We are replacing sendmail as our MTA to Postfix and our internal mail relay
> > receives mail from our edge MTA server in the DMZ, once mail is
> > received then any email address to a staff member for instance :
> > .< last name >@example.com is sent to a Lotus Notes server, and any
> > other email < whatever >@example.com is sent to our OCS server.
> >
> > We have had a rule in our sendmail configuration that has been able to do
> > this for many years but I cannot seem to find any examples on how this can
> > be done in postfix.
> >
> > Someone on another forum suggested that you achieve this in postfix using
> > the transport file, but could any one give me an example how to get this
> > working ?
>
> http://www.postfix.org/ADDRESS_REWRITING_README.html
>
> You can rewrite addresses to a recipient-dependent internal domain,
> which is then routed to the right mail-store, or use per-user transport
> tables.
>
> I recommend the first approach on architectural grounds, but the second
> is easier to implement in some cases.

Could someone give me example of this pls. ?



Re: PostFix Mail Delivery to Different Hosts

2010-05-07 Thread Simon Croome

On 07/05/2010 10:30, Patrick Ben Koetter wrote:
> * Simon Croome:
> > On 05/05/2010 17:42, Victor Duchovni wrote:
> > > On Wed, May 05, 2010 at 04:21:37PM +0100, Simon Croome wrote:
> > > > We are replacing sendmail as our MTA to Postfix and our internal mail relay
> > > > receives mail from our edge MTA server in the DMZ, once mail is
> > > > received then any email address to a staff member for instance :
> > > > .< last name >@example.com is sent to a Lotus Notes server, and any
> > > > other email < whatever >@example.com is sent to our OCS server.
> > > >
> > > > We have had a rule in our sendmail configuration that has been able to do
> > > > this for many years but I cannot seem to find any examples on how this can
> > > > be done in postfix.
> > > >
> > > > Someone on another forum suggested that you achieve this in postfix using
> > > > the transport file, but could any one give me an example how to get this
> > > > working ?
> > >
> > > http://www.postfix.org/ADDRESS_REWRITING_README.html
> > >
> > > You can rewrite addresses to a recipient-dependent internal domain,
> > > which is then routed to the right mail-store, or use per-user transport
> > > tables.
> > >
> > > I recommend the first approach on architectural grounds, but the second
> > > is easier to implement in some cases.
> >
> > Could someone give me example of this pls. ?
>
> Here's the easier version...
>
> Take a look at the "TABLE SEARCH ORDER" in man 5 transport. Here's an example:
>
> # main.cf
> transport_maps = hash:/etc/postfix/transports
>
> # /etc/postfix/transports
> firstname.lastn...@example.com  relay:lotus.notes.server:25
> firstname1.lastna...@example.com  relay:lotus.notes.server:25
> firstname2.lastna...@example.com  relay:lotus.notes.server:25
> example.com  relay:ocs.server:25

Hi, thanks for your response, but does that not mean that I would have 
to create an entry for every lotus notes account as we have around 1500 
accounts and it increases daily ?


Re: PostFix Mail Delivery to Different Hosts

2010-05-07 Thread Simon Croome

On 07/05/2010 12:19, Wietse Venema wrote:
> Patrick Ben Koetter:
> > * Simon Croome:
> > > On 05/05/2010 17:42, Victor Duchovni wrote:
> >
> > Here's the easier version...
> >
> > Take a look at the "TABLE SEARCH ORDER" in man 5 transport. Here's an example:
> >
> > # main.cf
> > transport_maps = hash:/etc/postfix/transports
> >
> > # /etc/postfix/transports
> > firstname.lastn...@example.com  relay:lotus.notes.server:25
> > firstname1.lastna...@example.com  relay:lotus.notes.server:25
> > firstname2.lastna...@example.com  relay:lotus.notes.server:25
> > example.com  relay:ocs.server:25
>
> If you take the transport_maps solution, then you need to set up
> a relay_recipient_maps table with the addresses of valid recipients,
> as documented in
>
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
>
> If you believe that Sendmail was able to guess the addresses of
> your local users, then I can assure you that it can't.
>
> More likely, Sendmail was accepting all kinds of garbage from the
> Internet, and your Sendmail queue was full of MAILER-DAEMON messages
> all around the clock.
>
> We cannot make that same mistake with Postfix (if we did then you
> might just as well have stayed with Sendmail).
>
> Wietse

Hi,

Thanks for all your responses it seems that this might explain the 
issues we have had in the past whilst using sendmail, will look into 
taking the LDAP lookup from the domino directory.


Thanks again.


Re: PostFix Mail Delivery to Different Hosts

2010-05-10 Thread Simon Croome

On 07/05/2010 14:32, Wietse Venema wrote:
> Simon Croome:
> > > > # main.cf
> > > > transport_maps = hash:/etc/postfix/transports
> > > >
> > > > # /etc/postfix/transports
> > > > firstname.lastn...@example.com  relay:lotus.notes.server:25
> > > > firstname1.lastna...@example.com  relay:lotus.notes.server:25
> > > > firstname2.lastna...@example.com  relay:lotus.notes.server:25
> > > > example.com  relay:ocs.server:25
> > >
> > > If you take the transport_maps solution, then you need to set up
> > > a relay_recipient_maps table with the addresses of valid recipients,
>
> I can save you a lot of work if your problem description was accurate.
>
> 1) Set up the relay_recipient_maps over LDAP as discussed by Patrick.
> This ensures that Postfix will NOT accept mail for bogus addresses.
>
> 2) Instead of one transport map entry per user, use a regular expression:
>
>     /etc/postfix/main.cf:
>         transport_maps = regexp:/etc/postfix/transports.regexp
>
>     /etc/postfix/transports.regexp
>         /\...@example\.com$/    relay:lotus.notes.server:25
>         /@example\.com$/    relay:ocs.server:25
>
> The first pattern sends first.l...@example.com to lotus.notes.server,
> and the second sends all other example.com mail to ocs.server.
>
> Caution: regular expressions are unlike file name wildcards.  The
> above example uses "\." to match a dot character, ".+" for wild-card,
> and $ at the end.
>
>  Wietse

Thanks for your help with the above problem.

Could I ask what would be the best way to prevent connections to 
postfix, similar to how tcp wrappers is used with sendmail.


I only want approx 4 ip addresses which would be in different network to 
be able to connect the postfix daemon ?


Thanks again.
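
The two points in the quoted advice, first-match ordering in a regexp transport table and recipient validation before routing, as an added Python sketch (not code from the thread or from Postfix). The archive truncates the first pattern, so the pattern, the recipient set and the function names below are constructed stand-ins.

```python
import re

# Constructed stand-in for the two-rule table quoted in the thread. The
# archive truncates the first pattern, so this "local part contains a dot"
# pattern is an assumption, not the original.
TRANSPORT_REGEXP = [
    (r"^[^@]+\.[^@]+@example\.com$", "relay:lotus.notes.server:25"),
    (r"@example\.com$", "relay:ocs.server:25"),
]

# Constructed stand-in for the relay_recipient_maps lookup (valid addresses).
RELAY_RECIPIENTS = {"jane.doe@example.com", "helpdesk@example.com"}


def compile_table(rows):
    # Postfix regexp tables match case-insensitively by default.
    return [(re.compile(pattern, re.IGNORECASE), result) for pattern, result in rows]


def lookup(table, key):
    """Patterns are tried in table order; the first match wins."""
    for pattern, result in table:
        if pattern.search(key):
            return result
    return None


def route(rcpt, table, valid=RELAY_RECIPIENTS):
    """Validate the recipient first, then pick the next hop."""
    rcpt = rcpt.lower()
    if rcpt not in valid:
        # Rejecting here, during the SMTP dialogue, is what keeps bounces for
        # guessed addresses out of the queue.
        return ("reject", "unknown recipient")
    return ("relay", lookup(table, rcpt) or "default transport")


TABLE = compile_table(TRANSPORT_REGEXP)
# Same rules, catch-all first: the specific rule is never reached.
REVERSED = compile_table(reversed(TRANSPORT_REGEXP))
# Unescaped dot: "." matches any character, so look-alike domains match too.
SLOPPY = compile_table([(r"@example.com$", "relay:ocs.server:25")])

if __name__ == "__main__":
    for rcpt in ("jane.doe@example.com", "helpdesk@example.com",
                 "random.guess@example.com"):
        print(rcpt, "->", route(rcpt, TABLE))
    print("reversed table:", route("jane.doe@example.com", REVERSED))
    print("unescaped dot:", lookup(SLOPPY, "user@examplexcom"))
```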


Delivery to external domains

2010-05-11 Thread Simon Croome

Hi,

I have set up an internal postfix server that relays mail from our 
external DMZ server to internal mail hosts, it should accept mail for 
example.com but allow relaying from selected lan hosts to external 
domains for instance o2.co.uk etc, whenever I attempt to relay through 
the postfix server to an external domain it returns Relaying Access 
Denied can anyone help ?


I have posted my main.cf

bounce_notice_recipient = mail.info
2bounce_notice_recipient = mail.info
delay_notice_recipient = mail.info
error_notice_recipient = mail.info
max_idle = 30s
max_use = 20
header_size_limit = 65536
message_size_limit = 104857600
mailbox_size_limit = 209715200

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix

mail_owner = postfix
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname
mynetworks = 194.81.151.0/24
relay_domains = example.com
relayhost =

readme_directory = /usr/share/doc/packages/postfix/README_FILES
smtp_generic_maps = pcre:/etc/postfix/smtp_generic_maps
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
transport_maps = regexp:/etc/postfix/transport.regexp
virtual_maps = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual_alias

unknown_local_recipient_reject_code = 450

smtpd_banner = $myhostname SMTP

debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
html_directory = no
readme_directory = no
smtpd_helo_required = yes

smtpd_client_restrictions = reject_unauth_pipelining,
    reject_multi_recipient_bounce, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    reject_non_fqdn_sender, reject_invalid_hostname,
    reject_unknown_sender_domain

smtpd_recipient_restrictions = permit_mynetworks,
    reject_non_fqdn_hostname, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, check_sender_access hash:/etc/postfix/access,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_unauth_destination


strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_etrn_restrictions = reject
notify_classes = resource,software
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
allow_percent_hack = no
swap_bangpath = no
resolve_dequoted_address = yes
require_home_directory = yes
maps_rbl_reject_code = 571
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 2
smtpd_timeout=50s
smtpd_error_sleep_time=10s
smtpd_delay_reject=yes
smtpd_client_connection_rate_limit=10
smtpd_client_message_rate_limit=20
smtpd_client_recipient_rate_limit=20



Recipient Access

2010-05-17 Thread Simon Croome

Hi,

I'm trying to configure our postfix servers to only accept email for 
valid recipients from a hash table, I have in a file following an example 
online that it should be in the format of


zhu...@example.com OK

Can anyone confirm if this is correct ?

Thanks


Re: Setting mime-header checking

2010-06-08 Thread Simon Waters
On Tuesday 08 June 2010 12:04:36 Ockleford Paul (NHS Connecting for Health) 
wrote:
> I would be grateful if anybody is able to offer some assistance.
>
> mime_header_checks
>
> #!/^\s*Content-(Disposition|Type).*name\s*=\s*"{1,1}.+\.(ecf)"{1,1}\s*$/!/n
>ame=[^>]*\.(ecf)/ WARN Would normally reject this message
> #!/^[[:space:]]*content-(type|disposition):.*name[[:space:]]*=.*\.(ecf)/
> # WARN Bad attachment file name extension
>

I have one scrounged from the list:

regexp:headercheck

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
  REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"

Which is tested in battle.

There is an example for pcre in the Postfix docs.

http://www.postfix.org/header_checks.5.html

Isn't immediately apparent why your regexp fails to me, but I'd suggest not 
reinventing regexp here. Be careful to distinguish if it is regexp: or pcre:

 Simon
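
A way to check what the attachment rule in the post above catches before deploying it, as an added Python example (not code from the thread). Python's `re` stands in for the Postfix table engine, and the sample headers and function names are constructed for illustration.

```python
import re

# The header_checks pattern from the post above. Postfix regexp:/pcre: tables
# match case-insensitively by default, hence IGNORECASE. Python's engine is a
# stand-in: test the real table with "postmap -q" before relying on it.
PATTERN = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.('
    r'cpl|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|'
    r'sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$',
    re.IGNORECASE,
)
ACTION = ('REJECT Attachment type not allowed. File "$2" has the '
          'unacceptable extension "$3"')

# Constructed MIME headers, one logical header line each.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="invoice.exe"',
    'content-type: application/x-msdownload; NAME=setup.EXE',
    'Content-Disposition: attachment; filename="holiday.jpg.scr"',
    'Content-Type: application/pdf; name="report.pdf"',
    'Content-Type: application/vnd.ms-excel; name="budget.xls"',
    'Content-Disposition: attachment; filename="invoice.exe"; size=1234',
    'Subject: please run setup.exe',
]


def check_header(header):
    """Return the action text with $2/$3 filled in, or None if no match."""
    match = PATTERN.search(header)
    if match is None:
        return None
    # Substitute $N with capture group N, as the table action does.
    return re.sub(r"\$(\d)", lambda ref: match.group(int(ref.group(1))), ACTION)


def coverage(headers=SAMPLE_HEADERS):
    """Map each header to the action it triggers (None means it passes)."""
    return {header: check_header(header) for header in headers}


if __name__ == "__main__":
    for header, action in coverage().items():
        print("MATCH" if action else "pass ", "|", header)
```

The pattern is anchored with `$`, so it only fires when the file name is the last thing on the header line; a header with a further parameter after the name, or an extension that merely starts with a listed one (`.xls` against `xl`), passes.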


Re: dealing with Yahoo slowness

2010-06-11 Thread Simon Waters
On Thursday 10 June 2010 19:51:51 Florin Andrei wrote:
>
> One of the tricks some people seem to use is creating a dedicated
> transport for the slow destination. I'm reading the tuning and qshape
> README documents, and there are a lot of good suggestions there, but I
> was wondering what are the solutions that are being used *now*
> specifically for dealing with Yahoo.

We don't treat Yahoo! any differently here, so essentially we delivered using 
Postfix defaults.

We have a "fragile" queue for difficult providers but only Microsoft domains 
are listed.

Whilst I've seen comment that Yahoo! throttle, I had some logs that suggest 
Yahoo! also can be overloaded at times (hardly surprising given some of the 
botnets out there).

As such afraid I tend to the view that if Yahoo! email is delayed it is 
largely a Yahoo! problem. Although we've not had any complaints of such in 
recent months (years?), and BT Internet use Yahoo so we ship them quite a 
significant proportion of our outbound email. Most of the feedback we got was 
when BT switched to using Yahoo, so I assume teething problems.


Re: Too aggressive

2010-06-11 Thread Simon Waters
On Friday 11 June 2010 13:30:44 Curtis Maurand wrote:
> currently I have  in my smtpd_client_restrictions:  ...
> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
> permit
>
> Is flat out rejecting clients on the RBL's considered too aggressive?
> should I just let spamassassin handle this and score accordingly?

It is a policy issue - there is no right answer - does it work for you?

I include flat reject on zen.spamhaus.org on some servers without unacceptable 
(for us) false positive rate (Spamhaus are good at listing mostly spammers).

Main issue I see with zen.spamhaus.org is some persistent spammers who 
presumably are clean in parts, or otherwise difficult for Spamhaus to list 
(suing them?).

I can't comment on bl.spamcop.net, but I'd expect it to have more false 
positives based on the description provided, so a weighted use of this is 
probably sensible.

I'd stick it in with warn_if_reject and measure the false positive rate, and 
benefit if any over existing lists I use. Block lists don't add nicely -- 
they may well include the same spam sources but tend to disagree over their 
mistakes, so you get addition of mistakes but overlap on the correct answers 
meaning the returns may diminish quickly.



Re: Should I be removing first received header for client IP

2010-06-25 Thread Simon Waters
On Friday 25 June 2010 16:06:26 Mark Krenz wrote:
>  
> They also think that because we leave
> that in that they are having their IP put on blacklists.

Ask for the bounced emails or other evidence for why they believe this.

I've seen all sorts of misunderstanding from people looking at such things, so 
simply ask for the evidence including headers for anything to do with spam.

 Simon


Re: where to put domain name that's only it virtual map

2010-07-13 Thread Simon Waters
On Monday 12 July 2010 20:53:46 Phil Howard wrote:
> I've added a domain name which has email addresses that are only in
> the virtual map. There are no real mailboxes over on Dovecot (via
> transport) for this one. Attempts to send mail to
> postmas...@newdomain.example.com gets "Relay access denied", so it
> clearly doesn't recognize the domain (I didn't put it anywhere, so how
> could it ... depending on the virtual map for that would not get the
> right error message for bad LHS in that domain).  So my question is,
> which map does it go in if all it is used for is addresses in the
> virtual map (being forwarded to real mailboxes in another domain).

I think you want virtual_mailbox_domains, so in your 
config /etc/postfix/domains.

This is domains for which it is a final destination but delivery is via the 
virtual transport.

http://www.postfix.org/postconf.5.html#virtual_mailbox_domains

I didn't check to see if this fits the rest of your config



Re: Postfix with PostgreSQL backend - number of connections to the database issue

2010-08-27 Thread Simon Waters
On Friday 27 August 2010 10:52:46 Adam PAPAI wrote:
>
> It seems postfix keeps-up 8-10-15 connections always, but i guess 2 or 3
> would be enough. The queries are very quick, so it's not necessary to
> keep the SQL connection open.
>
> The documentation does not mention any part of this issue.

Read the documentation concerning proxymap, if all tables are proxied then the 
connections should be limited by the number of proxymap processes, and all 
will be efficient.

Although Postgres shouldn't have a problem with many tens of simultaneous 
connections. 

Open connections from idle processes shouldn't be a big issue either.

The problem I have seen is under dictionary attack a box hit a limit on 
database connections before the botnet drove it into the dust on some other 
parameter. Ensuring everything used proxymap meant that it took a much bigger 
botnet to stop our email working - che sera sera.

So if the number of connections you are seeing is an issue already it might be 
worth considering how robust things might be when nasty things start 
happening (Postfix is amazingly good under such conditions I find, although 
sometimes it throws up the odd sub-optimal configuration choice - like my not 
using proxymap for all tables).



Re: Invalid IP address (ipv6)

2010-08-31 Thread Simon Waters
On Tuesday 31 August 2010 11:17:25 Arthur Titeica wrote:
>
>  In:  EHLO [::z:z:::fe79:ccd9]

> Could someone share some thought about it?

Not seen this myself, and only starting to learn IPv6 but

EHLO tag not conforming with RFC2821 4.1.3 should start [IPV6 for an IPv6 tag 
so Postfix is probably doing the right thing unless the standard has been 
relaxed subsequently.

Without the IPv6 prefix Postfix probably expects an IPv4 address, and what you 
have doesn't look like a valid IPv4 address to me (you seem to have 
obfuscated the relevant section). You'd have to check the code to see if my 
supposition is correct, or wait for Wietse or someone more knowledgeable.

I'd check the status of the email client IPv6 support, and if it is current, 
post back here without obfuscating (you might need to reproduce it with test 
data for privacy reasons), and mail client name version so we know what to 
look out for when the time comes.

 Simon
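
The address-literal rule referred to above (RFC 2821 section 4.1.3: a bracketed IPv6 literal carries an `IPv6:` tag, a bracketed literal without a tag is read as IPv4), as an added Python example that is not code from the thread or from Postfix. The function name and the sample arguments are constructed, apart from the obfuscated EHLO string quoted in the post; only the IPv4 and IPv6 forms are handled.

```python
import ipaddress


def classify_helo(arg):
    """Classify an EHLO/HELO argument as a domain or an address literal.

    Returns "domain", "ipv4-literal", "ipv6-literal" or "invalid-literal".
    """
    if not (arg.startswith("[") and arg.endswith("]")):
        # Not bracketed: treated as a host name (syntax not checked here).
        return "domain"

    body = arg[1:-1]
    if body[:5].lower() == "ipv6:":
        # The tag is matched case-insensitively; the rest must be an
        # IPv6 address.
        try:
            ipaddress.IPv6Address(body[5:])
        except ValueError:
            return "invalid-literal"
        return "ipv6-literal"

    # No tag: only an IPv4 dotted quad is acceptable inside the brackets.
    try:
        ipaddress.IPv4Address(body)
    except ValueError:
        return "invalid-literal"
    return "ipv4-literal"


# Constructed samples, plus the obfuscated string from the post (last entry).
SAMPLES = [
    "mail.example.com",
    "[192.0.2.25]",
    "[IPv6:2001:db8::25]",
    "[2001:db8::25]",
    "[::z:z:::fe79:ccd9]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:24} {classify_helo(sample)}")
```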


Re: Postfix forwarding may result in backscatter

2010-08-31 Thread Simon Waters
On Tuesday 31 August 2010 16:57:16 Stefan Seidel wrote:
> 
> Really, I don't care about NDNs
> for _forwarded_ mail, esp. since most of the mail traffic on this address
> is from mailing lists.

Most mailing lists can automatically detect dead accounts using NDN - but your 
choice to do it manually or chew on the unwanted bytes for eternity.

> Additionally, the mail is also stored to a local 
> mailbox. I know, that means that users could fetch them via
> POP3/IMAP/Webmail, but as it is, they prefer getting it forwarded.

Just send the email on as if it is new mail rather than using Postfix for 
forwarding, and then it will appear to come from the final destination host, 
and NDN will come back to that host rather than being "general backscatter".

I dare say the relevant ".forward" file is trivial to create, but one can 
probably use the Sender Rewriting scheme code out there if ".forward" is too 
simple for one's liking.

But strikes me if you deliver and forward, perhaps that second step doesn't 
even need SMTP? What are you doing that encourages you to duplicate every 
email? Sounds like there may be a bad design decision lurking.


Re: Customized transport with multiple recipients

2010-09-02 Thread Simon Waters
On Thursday 02 September 2010 14:26:33 Zhou, Yan wrote:
>
> I observed that the transport only get one single message with multiple
> TO: address in it. So, this means my transport should do the work of
> sending to multiple destinations?

If it is an SMTP transport yes the remote end should do that anyway.

If you have a program or some other transport where one recipient at a time is 
more sensible, try setting the transport's destination_recipient_limit to 1.

What are you actually trying to achieve, since unless it is entirely novel 
approach to email, it is probable someone here is already doing it with 
postfix.


Re: Unable to put recepient access

2010-09-07 Thread Simon Waters
On Tuesday 07 September 2010 10:11:02 Sharma, Ashish wrote:
>
> Sep  7 04:53:55 ip-10-194-99-63 postfix/smtpd[942]: fatal: open database
> /etc/postfix/blockList.db: No such file or directory Sep  7 04:53:56
> ip-10-194-99-63 postfix/master[938]: warning: process
> /usr/libexec/postfix/smtpd pid 942 exit status 1
>
> Please help

hash implies a Berkeley Database - see:

http://www.postfix.org/DATABASE_README.html

You probably want to type "postmap hash:/etc/postfix/blockList", but read the 
docs first.



Re: MX question

2010-09-14 Thread Simon Waters
On Tuesday 14 September 2010 13:51:12 CT wrote:
> 
> Does Postfix do an MX lookup on "inbound mail" as part of
> "spam" prevention or some other check.. ?

Mine has "check_sender_mx_access" so and logs appropriate messages if the MX 
results are unacceptable.

What are you trying to achieve, as it seems unlikely to me that you have a 
purely academic interest in the mix of DNS requests generated.


Re: SPF Softfail question

2010-09-20 Thread Simon Waters
On Monday 20 September 2010 14:18:16 Kammen van, Marco, Springer SBM NL wrote:
> 
> Not really Postfix related, but maybe you can share your thoughts...

Definitely not Postfix related.

> As far as I understand from the whole SPF perspective, shouldn't a Soft
> Fail be a 4** error and re-try, 

Softfail introduces ambiguity as to whether an email is forged or not and then 
leaves the decision to the receiving server, so one shouldn't be surprised in 
this spam rich world if they choose to reject it.


Re: mail to hotmail bounce back

2009-07-02 Thread Simon Waters
On Thursday 02 July 2009 10:21:35 Umar wrote:
> 
> : host mx2.hotmail.com[65.55.92.152] said: 550 OU-002 Mail
> rejected by Windows Live Hotmail for policy reasons. Reasons for
> rejection
> may be related to content with spam-like characteristics or IP/domain
> reputation problems. If you are not an email/network admin please
> contact
> your E-mail/Internet Service Provider for help. Email/network admins,
> please visit http://postmaster.live.com for email delivery information
> and
> support (in reply to MAIL FROM command).

Hotmail delivery is pretty shaky at the best of times.

What is the sending server IP address and domain?

Have you tried registering for feedback (if that still works), as that will 
tell you if they think your server is sending them spam, although it isn't 
terribly useful and they make it awfully hard work.


Re: Recommended way to (quickly) get total mail queue size?

2009-07-07 Thread Simon Waters
On Tuesday 07 July 2009 16:15:06 Michael Durket wrote:
>
> So what's the best way to quickly (i.e. less than a few seconds) get the
> current queue count out of Postfix?

man qshape


Re: Message Size Limit Exceed

2009-07-14 Thread Simon Waters
On Tuesday 14 July 2009 10:20:09 Jacky Chan wrote:
>
> I would like to ask if the size of message exceeds the one defined in
> main.cf, how can I configure Postfix to generate a bounce or error notice
> to user/admins?

User?

On our boxes it returns an appropriate error code to the sender (who is the 
only person who can fix the issue), and logs an error. I use logcheck and 
pflogsumm, so as administrator this is picked out of mail logs and reported 
to me.

One could create an event from the log file entry, plenty of tools to do that 
sort of thing around, but I'd say half of these events are things the users 
wouldn't want to know about anyway (i.e. things (read bots) gone mad, rather 
than genuine attempts to send email with big attachments, although that may 
depend on the largest size allowed).


Re: Enabling cisco pix workarounds affect on performance

2009-07-16 Thread Simon Waters
On Thursday 16 July 2009 14:41:59 ram wrote:
>
> If I enable cisco pix workarounds on a high traffic outgoing server ,
> what are the performance impacts on that

Judging from today's log files on my postfix box the default configuration 
enables these as needed.

Jul 16 11:36:10 servername postfix/smtp[3320]: 94A1161252B: enabling PIX 
workarounds: disable_esmtp delay_dotcrlf for 
forward10.nameresolvers.com[216.13.106.65]:25

Or am I missing something?

I'd hazard a guess that for most folks writing the log message (since it 
requires disk I/O) is going to be the worst "hit" from this feature.


Re: Enabling cisco pix workarounds affect on performance

2009-07-16 Thread Simon Waters
On Thursday 16 July 2009 15:26:01 ram wrote:
> 
> For all outgoing mails, the mails are going through a PIX.
> Will my outgoing performance be hit then

The advice is usually to disable the PIX SMTP fix-up because it is buggy, 
aside from issues of load. This may have security implications.


Re: Multiple PTR entries

2009-07-16 Thread Simon Waters
On Thursday 16 July 2009 17:19:23 Victor Duchovni wrote:
> 
> People publishing multiple PTR records are IMHO misguided.

I fear the folks who wrote RFC1033 used the term "official name" for where a 
reverse PTR record should point. I'm sure they meant "canonical", which I'm 
assured is an outdated concept with regard to DNS resource records.

But multiple PTR records are an annoying fact, I've seen several bits of 
software croak when the number of PTR records caused responses for reverse 
lookup to exceed the allowed size of response for their specific buffer. 
Mostly hosts that add a PTR record for every website on that IP address.

But hey I've only done DNS for umpteen years, and I'm still learning about the 
vagaries of interpretation people feel is okay to allow (I only just learnt 
why so many Linux boxes are now assigning hostname to 127.0.1.1 - don't do it 
on your email servers it is for DHCP clients that wander the world and want 
to keep their own internal name so they know who they are).


Re: postscreen test

2009-07-17 Thread Simon Waters
Winnow from winnowing.


Re: Transport Maps

2009-07-21 Thread Simon Waters
On Tuesday 21 July 2009 16:53:52 Linux Addict wrote:
> 
> I tried using transport maps,  "example.com  :[smtp1.example.com]"  
> and " example.com   smtp:[smtp1.example.com], but of them didn't use
> smtp.example.com.

Not clear what you mean here.

Documentation of "transport" (man transport) suggests you don't want the "[]" 
if you want MX lookup.

So I think you want:

example.com smtp:smtp.example.com

