Re: how to set different send rate to different destination[ip]
You can set different rates for different destinations. For this, you MUST READ the rest of the URLs in my response.

- specify a different (master.cf) transport for rate limited destinations.
- specify (main.cf) mumble_destination_rate_delay values in main.cf.
- specify a (main.cf) transport map with entries for each rate limited destination.
- execute "postfix reload" to make the changes effective.

        Wietse
Re: smtp hangs on 4xx code response - active queue is stuck
> #1 0x0806d01f in read_wait (fd=-4, timeout=3600) at read_wait.c:120
> #2 0x08072241 in timed_read (fd=13, buf=0x8092d60, len=4096, timeout=3600,
> unused_context=0x0) at timed_read.c:73

That makes no sense. timed_read() does not change its argument as shown below. But it does not matter. The poll() is waiting for your defer(8) daemon to respond.

> #3 0x0806f20f in vstream_buf_get_ready (bp=0x80918f0) at vstream.c:731
> #4 0x0806eaf7 in vbuf_get (bp=0x80918f0) at vbuf.c:157
> #5 0x08063bcb in attr_vscan0 (fp=0x80918f0, flags=3, ap=0xafb16988 "\001") at
> attr_scan0.c:272
> #6 0x08063f9b in attr_scan0 (fp=0x80918f0, flags=3) at attr_scan0.c:427
> #7 0x08056e67 in mail_command_client (class=0x807462e "private",
> name=0x8085810 "defer") at mail_command_client.c:76

Your defer daemons aren't working.

        Wietse

/* timed_read - read with deadline */

ssize_t timed_read(int fd, void *buf, size_t len,
                   int timeout, void *unused_context)
{
    ssize_t ret;

    /*
     * Wait for a limited amount of time for something to happen. If nothing
     * happens, report an ETIMEDOUT error.
     *
     * XXX Solaris 8 read() fails with EAGAIN after read-select() returns
     * success.
     */
    for (;;) {
        if (timeout > 0 && read_wait(fd, timeout) < 0)
            return (-1);
        if ((ret = read(fd, buf, len)) < 0 && timeout > 0 && errno == EAGAIN) {
            /* ..warn then sleep... */
            continue;
        } else if (ret < 0 && errno == EINTR) {
            continue;
        } else {
            return (ret);
        }
    }
}
Re: smtp hangs on 4xx code response - active queue is stuck
Konrad Rzepecki:
> On Wednesday, 17 December 2008, Wietse Venema wrote:
>
> > > > Your defer daemons aren't working.
> > >
> > > If you mean this one:
> > > postfix 29426 0.0 0.1 6472 1740 ?S14:24 0:00 bounce
> > > -z -n defer -t unix -u
> > >
> > > it seems running...
> >
> > And what is it doing?
>
> You are right - this was a problem with defer. I have investigated it. The
> bounce process hangs in flock() on unix.defer file. It was permanently locked
> or something like that.

The purpose of /var/spool/postfix/pid/unix.defer is to block all idle defer service processes except one. If this 10-year old synchronization mechanism messes up on your system, then you may want to consider a kernel update.

        Wietse

> After deleting and recreating it, everything seems to run OK.
>
> Thanks for hint.
>
> --
> Konrad Rzepecki - Wydawnictwo Bestom DENTOnet.pl Sp.z o.o.
Re: smtp hangs on 4xx code response - active queue is stuck
Konrad Rzepecki:
> > > #3 0x0806f20f in vstream_buf_get_ready (bp=0x80918f0) at vstream.c:731
> > > #4 0x0806eaf7 in vbuf_get (bp=0x80918f0) at vbuf.c:157
> > > #5 0x08063bcb in attr_vscan0 (fp=0x80918f0, flags=3, ap=0xafb16988
> > > "\001") at
> > > attr_scan0.c:272
> > > #6 0x08063f9b in attr_scan0 (fp=0x80918f0, flags=3) at attr_scan0.c:427
> > > #7 0x08056e67 in mail_command_client (class=0x807462e "private",
> > > name=0x8085810 "defer") at mail_command_client.c:76
> >
> > Your defer daemons aren't working.
>
> If you mean this one:
> postfix 29426 0.0 0.1 6472 1740 ?S14:24 0:00 bounce -z -n
> defer -t unix -u
>
> it seems running...

And what is it doing?

        Wietse
Re: Postfix and DNSSEC
klondike:
> Bernhard Fischer wrote:
> > I'd like to use DNSSEC with Postfix.
> > I did some research on the web but although DNSSEC is there nobody really
> > cares about it.
> > The most recent patch for Postfix is for release 2.3 and is based on libs
> > (libval, libsres) I didn't find any download page for.
> >
> > Is there any recent development going on?
> >
> Although I don't know whether there is actual development or not in
> DNSSEC, you should bear in mind that there are still a lot of servers
> which don't support DNSSEC, either because it is disabled, due to
> problems with the proved denial of existence system used originally, or
> because the admins haven't updated the machine as DNS is a fairly
> sensitive service.
>
> Said that, if postfix developers want to add DNSSEC support, although
> that should be implemented on the name resolving libraries, I wouldn't
> mind sharing my, scarce, knowledge on it.

What are the application-visible changes? If one relies on BIND etc. for validation, where does DNSSEC affect the application?

Postfix uses the standard resolver library but these calls are entirely encapsulated in a single module.

        Wietse
Re: Problem forwarding to a program
Rob Tanner:
> I set up a separate instance of Postfix on one of my mail servers so
> that I can deal with a special instance of a FAX server without messing
> up production mail. The email messages it handles are always addressed
> to @send.fax and the messages are to be delivered to a
> program that swaps from and reply-to headers and then directly forwards
> the mail to the FAX server which, in turn, sends it to the FAX machine
> identified in the local part of the email address. The problem is that
> Postfix is trying to send the message directly instead of delivering it
> to a program. This is what is contained in the aliases file:
>
> @send.fax "|/opt/local/adm/aliasfilters/FAX.filter faxfilter"

Which aliases file? The local aliases(5) file is not indexed by domain. The virtual alias maps does not execute commands.

        Wietse

> The alias is domain only because there are millions of possible FAX
> machines in the world. Postfix recognizes the "@send.fax" pattern at
> least for accepting the message in the first place (no error about
> unknown local recipient), but I'm wondering if the way the alias is
> declared is the reason the message is not being delivered to the program.
>
> Thanks,
>
> Rob Tanner
> Linfield College
> McMinnville, Oregon
Re: Problem forwarding to a program
Rob Tanner:
> The local aliases file and I was afraid of that. Since the only thing
> going through this Postfix instance is the FAX stuff which needs to be
> delivered to the program, is there some way to force all delivery to the
> program unconditionally?

A transport map entry:

/etc/postfix/main.cf:
    transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
    example.com     fax:

/etc/postfix/master.cf:
    fax       unix  -       n       n       -       -       pipe
        user=xxx argv=/some/where/command -- ${sender} ${recipient}

Keep in mind that ${recipient} expands into multiple arguments unless you specify

/etc/postfix/main.cf:
    fax_destination_recipient_limit = 1

        Wietse
Re: Connection timeout when trying to send email to gmail address
Asif Iqbal:
> I could skip the signing part and just a .pem file. But seems like I
> will also need a Thawte certificate.

You need no certificate to SEND mail.

        Wietse
Re: Connection timeout when trying to send email to gmail address
Asif Iqbal:
> On Fri, Dec 19, 2008 at 12:46 PM, Wietse Venema wrote:
> > Asif Iqbal:
> >> I could skip the signing part and just a .pem file. But seems like I
> >> will also need a Thawte certificate.
> >
> > You need no certificate to SEND mail.
>
> I am trying to use gmail as my relayhost. I cannot just send mail to
> gmail without a relay host, my ISP does not handle it right, as shown
> in my original email

You need SSL to send mail through gmail.

You need NO SSL certificate to send mail through gmail.

        Wietse
Re: Special routing for mail from localhost
Terry Carmen:
> Is there any way to have special routing for mail that's created on the
> postfix server(localhost), destined for mydomain?

As far as I recall, internally generated messages are not subject to the content_filter setting.

Thus, you can use the content_filter parameter to send "regular" mail to the content filter, even when the filter never sends it back to Postfix, and send other mail directly to the exchange box.

        Wietse

> The transport map allows for routing based on destination, but I don't
> see any way to route based on source. Currently inbound mail goes from
> the internet to postfix to a content scanner, then to exchange. I'd like
> to have internally generated messages (notifications, etc.) go directly
> to exchange.
>
> Anybody have any ideas?
>
> Thanks,
>
> Terry
Re: Connection timeout when trying to send email to gmail address
Asif Iqbal:
> > need to test it. Just set:
> >
> >     smtp_tls_security_level = encrypt
>
> Thanks, I will put that in

Just checked here that Postfix can talk SSL with [smtp.gmail.com]:587 just fine. But you need to set up client-side SASL authentication.

        Wietse
Re: Problems with user's mail file
Pedro Augusto:
> If the problem is Mailscanner mangling the files, would an upgrade solve the
> problem?
>
> How can I test if the problem is concurrent access? Just to be sure which of
> these are the problems...

Null bytes in mailbox files are usually the result of incorrect file locking.

To find out if file locking is used, examine source code, strace output, etc. Postfix mailbox file locking is configurable.

        Wietse
Re: Connection timeout when trying to send email to gmail address
Asif Iqbal:
> On Fri, Dec 19, 2008 at 5:32 PM, Wietse Venema wrote:
> > Asif Iqbal:
> >> > need to test it. Just set:
> >> >
> >> >     smtp_tls_security_level = encrypt
> >>
> >> Thanks, I will put that in
> >
> > Just checked here that Postfix can talk SSL with [smtp.gmail.com]:587
> > just fine. But you need to set up client-side SASL authentication.
>
> I did but still failing to relay through gmail
>
> Dec 20 14:24:32 improvise postfix/qmgr[19372]: 4238710E3AA:
> from=, size=444, nrcpt=1 (queue active)
> Dec 20 14:24:32 improvise postfix/smtp[19431]: 4238710E3AA:
> to=, relay=smtp.gmail.com[209.85.163.109]:587,
> delay=0.31, delays=0.03/0.08/0.16/0.04, dsn=5.7.0, status=bounced
> (host smtp.gmail.com[209.85.163.109] said: 530 5.7.0 Must issue a
> STARTTLS command first. h27sm3099851elf.16 (in reply to MAIL FROM
> command))

You need to turn on TLS in the Postfix smtp CLIENT.

You have turned on TLS in the Postfix smtp SERVER.

        Wietse

> Here are my configs
>
> iqb...@improvise:~$ postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> home_mailbox = Maildir/
> inet_interfaces = loopback-only
> inet_protocols = ipv4
> mailbox_size_limit = 0
> mydestination = improvise.lan, localhost.lan, , localhost
> myhostname = improvise.lan
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> readme_directory = no
> recipient_delimiter = +
> relayhost = [smtp.gmail.com]:submission
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_type = cyrus
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_security_level = encrypt
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
>
> iqb...@improvise:~$ cat /etc/postfix/sasl_passwd
> [smtp.gmail.com]:submission vadud3:mygmailpassword
>
> I followed this
>
> http://www.postfix.org/SASL_README.html#client_sasl
>
> >
> >     Wietse
> >
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
Re: Connection timeout when trying to send email to gmail address
Asif Iqbal:
> Dec 20 21:25:20 improvise postfix/smtp[7157]: warning: SASL
> authentication failure: No worthy mechs found

This means that the SASL (NOT: SSL) mechanisms are not properly configured.

> So I tried the openssl test and looks like I need a real certificate?!

No, you need to fix the SASL (NOT: SSL) details.

Output from:

    postconf -n |grep sasl

Very likely you need to set

/etc/postfix/main.cf:
    smtp_sasl_tls_security_options = noanonymous

(the default is to disallow plaintext login mechanisms).

        Wietse
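
The two mistakes diagnosed in this thread (TLS enabled for the smtpd server but not for the smtp client, and SASL options that filter out plaintext mechanisms even inside TLS) can be caught by linting "postconf -n" output. The following is an added example, not part of the original posts and not Postfix code; the function names and finding codes are hypothetical, and the sample configuration is constructed from the settings quoted above.

```python
"""Lint `postconf -n` output for the relay-client mistakes in this thread."""

# Constructed sample, modelled on the settings quoted in the thread.
BROKEN = """\
relayhost = [smtp.gmail.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
"""

# The same sample plus the two client-side settings named in the replies.
FIXED = BROKEN + """\
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
"""

# Client-side TLS levels that refuse to deliver over an unencrypted session.
MANDATORY_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
# Postfix default for smtp_sasl_security_options; the *_tls_* variant
# inherits it unless set explicitly.
DEFAULT_SASL_OPTIONS = "noplaintext, noanonymous"


def parse_postconf(text):
    """Parse 'name = value' lines into a dict, joining continuation lines."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def option_set(value):
    """Split a comma- or space-separated option list into a set."""
    return set(value.replace(",", " ").split())


def audit_relay_client(params):
    """Return (code, message) findings for the smtp(8) client side."""
    findings = []
    if not params.get("relayhost"):
        return findings
    level = params.get("smtp_tls_security_level", "")
    if level == "" and params.get("smtp_enforce_tls") == "yes":
        level = "encrypt"  # legacy spelling of mandatory client TLS
    if level not in MANDATORY_LEVELS:
        findings.append(("client-tls-not-enforced",
                         "smtp_tls_security_level is %r: the client does not "
                         "require STARTTLS before MAIL FROM or AUTH" % level))
        server_tls = any(k.startswith("smtpd_tls_") or k == "smtpd_use_tls"
                         for k in params)
        if level == "" and server_tls:
            findings.append(("tls-set-on-server-only",
                             "smtpd_* parameters configure the SMTP server; "
                             "the client reads smtp_* parameters"))
    if params.get("smtp_sasl_auth_enable") == "yes":
        effective = params.get(
            "smtp_sasl_tls_security_options",
            params.get("smtp_sasl_security_options", DEFAULT_SASL_OPTIONS))
        if "noplaintext" in option_set(effective):
            findings.append(("plaintext-mechs-filtered",
                             "PLAIN/LOGIN are rejected even inside TLS; a "
                             "server offering only those logs 'No worthy "
                             "mechs found'"))
    return findings


def codes(text):
    """Finding codes for a postconf -n dump, in the order they were raised."""
    return [code for code, _ in audit_relay_client(parse_postconf(text))]


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, codes(sample))
```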
Re: transport documentation update proposed
Victor Duchovni:
> On Mon, Dec 22, 2008 at 02:05:12AM -0300, Reinaldo de Carvalho wrote:
>
> > I suggest update transport documentation changing '*' to last lookup order.
> >
> > Because users can deduce erroneously that '*' is a wildcard, and
> > isn't. '*' is chosen character to represent a default
> > transport/nexthop,
>
> It is a wildcard. It is the only wildcard documented for the transport(5)
> table. Users can jump to all kinds of conclusions, ... or they can read
> the documentation. While a different character would perhaps reduce the
> conclusion-jumping, it would be harder to remember.
>
> I am not convinced that any amount of warnings in the reference
> documentation will reduce conclusion jumping, since most users seem
> to learn from examples and HOWTO documents, and rarely read reference
> documentation.

It makes sense to document '*' as the fourth lookup after user+extens...@domain, u...@domain, and (domain or .domain). Even if that lookup happens during process initialization.

But the warning is not needed, because people who need it most don't read documentation.

        Wietse
Re: Stop retrying sending deferred messages when mailserver starts to tempfail?
Bas van Schaik:
> Hi all,
>
> I have two company mailservers, both running Postfix. One of them is
> "public" (accessible from the internet) and the other is used for
> internal purposes only (i.e.: sending/receiving internal mail and
> sending mail to the internet via the public mailserver).
>
> The public mailserver is (of course) configured to scan for spam and
> viruses and does have rate limitations (smtpd_client_message_rate_limit
> and smtpd_client_connection_count_limit) to avoid getting drowned in
> mail from a single server.
>
> The internal mailserver sometimes sends a large batch of mail to the
> public mailserver, this is where it gets nasty. The public mailserver
> applies the rate limits and starts to tempfail the mail from the
> internal server. This is /exactly/ what I want the public mailserver to
> do (I don't want to use the smtpd_client_event_limit_exceptions option),
> but the internal mailserver keeps trying and trying.
>
> Eventually, all mail from the internal server gets through and other
> mail traveling through the public mailserver does not get affected by
> large delays. However, I think the internal mailserver should stop
> processing the large batch of mail as soon as it notices that the public
> mailserver started tempfailing on it. That would save both mailservers a
> lot of work and would speed up retrying other queued mail.

Server overload is not the only reason for 4xx replies. An SMTP server may respond with 4XX for all kinds of reasons. If the client were to stop delivering mail for any series of 4XX replies then mail would never get delivered.

> I couldn't find such an option in the postconf(5) manpages, nor could I
> find it on the internet. Is there a way to achieve this behavior?
>
> Furthermore I'm wondering if it is possible to tell Postfix to start
> tempfailing incoming messages when the server load exceeds some value?
> Of course it is possible to implement a hard-limit on the number of
> smtpd-processes, but that could cause the server to start idling.

Postfix has always had smtpd process count limits. This is because Sendmail's load average limits did not work.

        Wietse
Re: Subdomain matching problem
Munroe Sollog:
> I will try to be as verbose as possible. I have been working with a
> few people in IRC and can't seem to get the functionality wanted. I
> have half a dozen servers, all with hostnames on a fake domain. I
> want mail bound for r...@hostname to be forwarded to a central
> location so that I can then deliver all mail to a "real" address.
> Auto-forwarding, is easy. I can get all the servers to forward mail
> to a central location. However the central location is turning around
> and trying to send it back to the source machine.

/etc/postfix/main.cf:
    virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual:
    r...@hostname      someone+hostn...@example.com

This will send mail for r...@hostname to some...@example.com, and assumes that + is the recipient delimiter on example.com.

        Wietse
Re: Stop retrying sending deferred messages when mailserver starts to tempfail?
Bas van Schaik:
> >> Eventually, all mail from the internal server gets through and other
> >> mail traveling through the public mailserver does not get affected by
> >> large delays. However, I think the internal mailserver should stop
> >> processing the large batch of mail as soon as it notices that the public
> >> mailserver started tempfailing on it. That would save both mailservers a
> >> lot of work and would speed up retrying other queued mail.
> >>
> > Server overload is not the only reason for 4xx replies. An SMTP
> > server may respond with 4XX for all kinds of reasons. If the client
> > were to stop delivering mail for any series of 4XX replies then
> > mail would never get delivered.
> >
> I'm sorry, I did not mean "stop delivering" but more some kind of
> mechanism to detect a server which is not willing to accept anymore. I
> do realize this is quite a vague criterion, clearly this is not easy to
> implement.

As mentioned by Victor, a connection rate limit will cause Postfix to abandon deliveries to the site that rejects the mail, but you will not like the result. It will take forever to get mail delivered.

> >> Furthermore I'm wondering if it is possible to tell Postfix to start
> >> tempfailing incoming messages when the server load exceeds some value?
> >> Of course it is possible to implement a hard-limit on the number of
> >> smtpd-processes, but that could cause the server to start idling.
> >>
> > Postfix has always had smtpd process count limits. This is because
> > Sendmail's load average limits did not work.
> >
> Maybe a stupid question: why did the load average limits fail? Surely
> the smtpd process count limit is a beautiful feature, but couldn't they
> be used together?

This is a standard example that I used to give in talks about Postfix. It is not made up.

1) Server is down (for maintenance or whatever). Mail queues up on the Internet elsewhere.

2) Server starts accepting mail. Mail starts pouring in from the Internet.

3) Server load AVERAGE increases. By the time the AVERAGE reaches the limit it is already too late (remember it is an AVERAGE).

4) Server crashes (runs out of swap or whatever).

5) Server reboots, spends some time fsck-ing itself, meanwhile more mail is queuing up elsewhere on the Internet.

6) Go to 2.

The smtpd process limit provides graceful degradation, instead of overload/crash/reboot/fsck/overload/crash/reboot...

        Wietse
Re: warning: mysql query failed: MySQL server has gone away
J. Bakshi:
> error3> warning: lookup owner-postmaster, NIS domain infoservices.in,
> map mail.aliases: internal yp server or client error
> ~~~`

When reporting a problem, please do NOT remove useful information such as the name of the program that reports the problem.

> could any one kindly give me the clue about which is actually causing
> the problem ?

Apparently, your Postfix tries to use NIS for alias_maps, and some SYSTEM LIBRARY function reports an error.

Perhaps you need to update the main.cf:alias_maps setting.

        Wietse
Re: DIGEST-MD5 user/realm mismatch with Dovecot auth
Darren Pilgrim:
> Is it possible to alter how postfix sets the username and realm used by
> the smtp client? Is the problem within cyrus-sasl or postfix?

The Postfix SMTP client sends no realm information. If the server expects a login name in the form "u...@domain" then it is up to you to configure this as the username in smtp_sasl_password_maps.

As of 20070614, the Postfix SMTP client by default sends no authzid (authoriZation ID), only the authcid (authentiCation ID) + the authcid's password. This is configurable with send_cyrus_sasl_authzid (default: no).

Happy holidays.

        Wietse
Re: Reject/Discard mails to a Receipient
Linux Addict:
> Sahil Tandon wrote:
> > Linux Addict wrote:
> >
> >> Hello, I have clients sending mails to an non-existent email
> >> address/domain, emailerm...@exchange.example.net. I want to discard any
> >> mail sent to this address. I looked at smtpd_recipient_restrictions, but
> >> can't figure out how to get this done. Please help me!!
> >>
> >
> > Why not simply reject such messages? What is the reason you want to
> > accept but silently discard messages to that non-existent user? It is
> > your choice to do so, but please offer some rationale for the archives.
> >
> Sorry.. I wasn't checking my mails for sometime. I am open to Rejecting
> those mails as well..
>
> Well. The mails are sent by one of the legacy app which has the hard
> coded the email address. The email domain has been decommed recently.
> The engineering will update this email address in their next release.
> But till that time, I don't want postfix to spend energy on these mails.
>
> So How will I reject mails to the email in question. Transport will do?

Transport rules such as:

    u...@example.com    error:5.1.1 user unknown
    example.com         error:5.1.2 domain unknown

will do the job.

        Wietse
Re: Weaning myself off of procmail: .forward+tag
/dev/rob0:
> First problem: well, I thought the alias would still have the Tag
> extension, but no, ~rob0/.forward+Postfix was not used. According to
> local(8), SECURITY: "The local(8) delivery agent disallows regular
> expression substitution of $1 etc. in alias_maps, because that would
> open a security hole." Perhaps $EXTENSION is in the "etc."

The Postfix local delivery agent case-folds the address local-part, so that mail for wie...@porcupine.org is not returned as undeliverable.

However, when address extension support was added somewhere in 1998 (between the alpha and beta releases), no code was added to exclude extensions from case folding.

I would not object to additional options that control local-part case folding, but the behavior should remain backwards compatible to avoid massive breakage.

        Wietse
Re: howto setup outgoing port to 587 ?
Vidar Salberg Normann:
> Does this mean you can't make postfix treat traffic on port 587 exactly like
> normal SMTP traffic on port 25, while also accepting SASL and/or AUTH
> LOGIN if used?

The only difference between 25 and 587 is in the Postfix master.cf file.

        Wietse
Re: flush daemon
punit jain:
> > Don't look under the hood unless you know what you are looking at.
>
> I agree with you Viktor but i am just trying to get a clear picture of
> postfix as a novice.
>
> What my concern is what will happen after setting fast_flush_domains to
> relay domains and flushing the queue say at the time when the remote
> domain mentioned in fast_flush_domain is slow ?

It will not make any difference at all. Files in the flush directory are used for "postqueue -s domain" or "sendmail -qR domain".

> Will preemption of messages take place or will it affect the delivery
> process ?

None of the above.

Do not list local destinations in fast_flush_domains. In fact, it is a good idea not to change parameters until you have been using Postfix for a considerable time.

        Wietse
Re: Trying to use uppercase names in Postfix.
Xn Nooby:
> I am using Postfix to replace an existing email system, and I am
> inheriting usernames that are in uppercase. Apparently Postfix
> converts all email addresses to lowercase, so I cannot receive mail to
> the accounts that are in uppercase. This surprised me, because the
> linux user accounts are in uppercase.

The local(8) delivery agent always case-folds names to lowercase. This is currently not configurable. Ditto for the virtual(8) daemon.

It's easy enough to delete the lowercase() call from local(8), but that would not be a general solution.

The pipe(8) delivery agent has configurable case folding, and that code would have to be moved into a Postfix library module, so that it can be used by other Postfix delivery agents.

        Wietse
Re: VERP uses the recipient name after virtual_regexp rewriting
Jesper Dybdal:
> I have just installed a mailing list manager (Mailman) for use with my
> Postfix installation (which has just been upgraded to 2.5.5). I have
> patched Mailman to use the XVERP option on MAIL FROM.
>
> This works, but I was surprised to see that when the recipient address
> provided by Mailman is rewritten by Postfix' virtual_regexp, then the
> recipient address that Postfix encodes in the envelope return path is
> the rewritten address, rather than the original subscriber address that
> Mailman knows.

With VERP, Postfix embeds the envelope recipient address into the envelope sender address. If the sender is sen...@example.com, then the result of embedding is sender+rcptlocal=rcptdom...@example.com (depending on the delimiter settings; default is +=).

If you change the envelope recipient address, then Postfix embeds the changed recipient. If you change the envelope sender, then Postfix embeds the recipient into the changed sender address.

I do not understand why you would send mail to a recipient address other than the recipient subscribed to the Mailman list.

> Since mailing list software using XVERP needs to recognize the address
> from the envelope return path as being equal to the subscribed address,
> would it not be better to always use the raw address from RCPT TO,
> rather than the rewritten one, when creating the VERP'ed return path?

If I understand this correctly,

1) When you rewrite the envelope RECIPIENT address, then you expect Postfix VERP to use the original recipient address instead of the rewritten one.

2) What if you rewrite the envelope SENDER address? Should Postfix VERP use the original envelope sender address or the rewritten one?

If 1) and 2) work in opposite ways then my little mind will be really confused.

> I have not tested this with the 2.6 experimental release, but the
> release notes say nothing about VERP, so I assume the behaviour is the
> same in 2.6.

Yes, this project takes pride in accurate documentation :-)

        Wietse

> (This is not a serious problem for me: the addresses that are rewritten
> in my installation are in practice local addresses and it is extremely
> unlikely that they will bounce. But it surprised me.)
> --
> Jesper Dybdal, Denmark.
> http://www.dybdal.dk (in Danish).
Re: Trying to use uppercase names in Postfix.
Xn Nooby:
> On Mon, Dec 29, 2008 at 3:02 PM, Wietse Venema wrote:
> > Xn Nooby:
> >> I am using Postfix to replace an existing email system, and I am
> >> inheriting usernames that are in uppercase. Apparently Postfix
> >> converts all email addresses to lowercase, so I cannot receive mail to
> >> the accounts that are in uppercase. This surprised me, because the
> >> linux user accounts are in uppercase.
> >
> > The local(8) delivery agent always case-folds names to lowercase.
> > This is currently not configurable. Ditto for the virtual(8) daemon.
> >
> > It's easy enough to delete the lowercase() call from local(8),
> > but that would not be a general solution.
> >
> > The pipe(8) delivery agent has configurable case folding, and that
> > code would have to be moved into a Postfix library module, so that
> > it can be used by other Postfix delivery agents.
> >
> >     Wietse
> >
>
> Hi Wietse, thank you for responding. I've seen many of your posts, and
> know you are a postfix expert. I am still very new, and was not able
> to understand your suggestions.

Your options are:

1) Create lower-case UNIX password file entries with the same numerical UID and GID fields as the upper-case names, and with a "*" password.

2) Do not use Postfix local(8).

3) Modify Postfix local(8) as described in my previous posting.

        Wietse

> It sounded like you were suggesting that what I am attempting may not
> be possible, which would be unfortunate for me. I lobbied to be able
> to use Postfix instead of Qmail, so hopefully I will find a way to get
> uppercase names to work.
>
>
> In the hopes of forcing Postfix to use the uppercase local account
> names, I tried adding this line to my /etc/postfix/main.cf, though it
> is still not working:
>
>     local_recipients_maps = unix:passwd.byname
>
>
> I thought there at least two ways to use uppercase names, from what I
> have found on Google. The first way is to use the "canonical_maps" to
> switch the lowercase name back to uppercase. The second way is to use
> "local_recipient_maps" to force Postfix to use the local accounts,
> without ever converting to lowercase. Clearly I am wrong about one or
> both of these options.
Re: Trying to use uppercase names in Postfix.
Xn Nooby:
> > Your options are:
> >
> > 1) Create lower-case UNIX password file entries with the same
> > numerical UID and GID fields as the upper-case names, and with a
> > "*" password.
>
> I was able to resolve my problem by creating the duplicate entry in
> the /etc/passwd file, I will use this method.

Good. Now, consider that this question was asked here for 10 years, before I came up with this answer. I may have posted this solution before but then everyone including me has forgotten it.

> I might use aliases if I can get them to work, but at least I know
> the passwd file is guaranteed to solve my problem.

The aliases solution cannot work, because Postfix local(8) case-folds all recipient addresses.

        Wietse
Re: VERP uses the recipient name after virtual_regexp rewriting
Jesper Dybdal:
> On Tue, 30 Dec 2008 01:10:16 +0100, I wrote:
>
> >Since my first mail, I have tried an experiment where the rewriting of
> >the sender address is done by a .forward file instead of by
> >virtual_regexp; in that case, VERP actually uses the recipient address
> >before it has been changed by .forward, as I would like it to do.
>
> That should of course be "rewriting of the *recipient* address", not
> "sender address".

FYI, Postfix implements VERP embedding in the queue manager, not in the individual delivery agents (one exception had to be added later, to handle the case where local(8) replaces the envelope sender upon delivery to an alias that has an owner-alias).

        Wietse
Re: Handling VERP bounces
ram:
> If I am getting bounces for VERP ids

With VERP, the envelope recipient rcptn...@rcptdomain is embedded in the bounce address as owner-listname+rcptname=rcptdom...@example.com (assuming recipient delimiters of "+=").

> The postfix VERP HOWTO describes how to handle the emails that bounce
> using forward path and aliases
> Is there a simpler way. I want to send all the mails to a cyrus
> mailbox , where I can do the parsing
>
> What if I use a virtual alias maps regex
>
> /^owner-listname...@mydomain.com/bounces-mail...@mydomain.com

With this, you lose the rcptname=rcptdomain information, which already provides you with the recipient address. What could be simpler than replacing "=" by "@" ?

        Wietse

> What do you guys do for handling bounces ?
>
> Thanks
> Ram
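
The VERP embedding described in the two VERP threads above, and the "=" to "@" decoding step, written out as an added example (not part of the original posts, not Postfix or Mailman code). The function names, the list address and the subscriber set are hypothetical; the "+=" delimiters are the defaults named in the replies. It also shows the effect raised in the first thread: a recipient rewritten before delivery no longer matches the subscribed address.

```python
"""VERP bounce-address encoding and decoding with the default "+=" delimiters."""

# Constructed sample data.
LIST_SENDER = "owner-listname@example.com"
SUBSCRIBERS = {"Alias@example.org", "rcptname@rcptdomain.example"}


def verp_encode(sender, recipient, delims="+="):
    """Embed the envelope recipient in the envelope sender."""
    s_local, s_domain = sender.rsplit("@", 1)
    r_local, r_domain = recipient.rsplit("@", 1)
    return "%s%s%s%s%s@%s" % (s_local, delims[0], r_local,
                              delims[1], r_domain, s_domain)


def verp_decode(bounce_rcpt, list_sender, delims="+="):
    """Return the embedded recipient, or None if this is not a VERP
    address derived from list_sender.

    Anchoring on the known list address avoids guessing where the
    extension starts, and splitting at the LAST "=" keeps recipient
    local parts that contain "=" or "+" intact (a domain cannot
    contain "=").
    """
    if "@" not in bounce_rcpt:
        return None
    local, domain = bounce_rcpt.rsplit("@", 1)
    s_local, s_domain = list_sender.rsplit("@", 1)
    prefix = (s_local + delims[0]).lower()
    if domain.lower() != s_domain.lower():
        return None
    if not local.lower().startswith(prefix):
        return None
    extension = local[len(prefix):]
    r_local, sep, r_domain = extension.rpartition(delims[1])
    if not (sep and r_local and r_domain):
        return None
    return r_local + "@" + r_domain


def match_subscriber(bounce_rcpt, list_sender, subscribers):
    """Map a bounce recipient back to a subscribed address, or None.

    The comparison is case-insensitive because the local delivery agent
    case-folds the local part, extension included. Only addresses that
    are actually subscribed are returned, so a bounce handler never acts
    on an arbitrary address taken from the envelope.
    """
    decoded = verp_decode(bounce_rcpt, list_sender)
    if decoded is None:
        return None
    folded = {s.lower(): s for s in subscribers}
    return folded.get(decoded.lower())


if __name__ == "__main__":
    ok = verp_encode(LIST_SENDER, "alias@example.org")
    # Constructed case: the recipient was rewritten before VERP embedding.
    rewritten = verp_encode(LIST_SENDER, "real@internal.example")
    for addr in (ok, rewritten, LIST_SENDER):
        print(addr, "->", match_subscriber(addr, LIST_SENDER, SUBSCRIBERS))
```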
Re: Enforcing sending domain from the inside network
D. Karapiperis:
> I did the from_inside_network thing to do the logical AND regarding the
> sending domain. Is there any way to do this with permit_mynetworks?
>
> Is there any way to permit local users (from the inside network) to send
> emails using the business domain in a clear and nice way in postfix?

For this you would need

    smtpd_sender_restrictions =
        check_sender_access [table that maps your domain -> permit]
        reject_mynetworks

But, since reject_mynetworks is not implemented, you end up implementing it yourself:

    smtpd_sender_restrictions =
        check_sender_access [table that maps your domain -> permit]
        check_client_access [table that maps your networks -> reject]

For example

/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_access
        check_client_access pcre:/etc/postfix/client_access.pcre

hash:/etc/postfix/sender_access
    example.com     permit

/etc/postfix/client_access.pcre
    192.168.0.0/24  reject must send mail as u...@example.com

        Wietse
Re: Enforcing sending domain from the inside network
Victor Duchovni: > On Tue, Dec 30, 2008 at 12:38:38PM -0500, Wietse Venema wrote: > > > For example > > > > /etc/postfix/main.cf: > > smtpd_sender_restrictions = > > check_sender_access hash:/etc/postfix/sender_access > > check_client_access pcre:/etc/postfix/client_access.pcre > > > > hash:/etc/postfix/sender_access > > example.com permit > > > > /etc/postfix/client_access.pcre > > 192.168.0.0/24 reject must send mail as u...@example.com > > Note the "typo", Wietse meant "cidr:" but the fingers typed "pcre:".

Indeed. Since he asked for a "nice" way to specify this in Postfix, a "nice" implementation of this would look like this:

/etc/postfix/main.cf:
    smtpd_sender_restrictions = permit_mydomain, reject_mynetworks

Where the details are hidden by restriction classes:

/etc/postfix/main.cf:
    restriction_classes = permit_mydomain, reject_mynetworks
    permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
    reject_mynetworks = check_client_access cidr:/etc/postfix/client_access.cidr

hash:/etc/postfix/sender_access
    example.com permit

/etc/postfix/client_access.cidr
    192.168.0.0/24 reject must send mail as u...@example.com

Note that moving this into smtpd_recipient_restrictions would make this an open relay, as anyone can claim to have a sender address in your domain.

Wietse
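A small model of how the two restrictions in the message above are evaluated in order, as an added example (not part of the original thread and not Postfix code). The table contents mirror the message, with USER as a placeholder for the obscured address; the client addresses and sender addresses in CASES are constructed, and the key order in sender_keys() is a simplified reading of access(5) that assumes parent domains match subdomains.

```python
import ipaddress

# Constructed stand-ins for the two lookup tables in the message above.
SENDER_ACCESS = {"example.com": "permit"}   # hash:/etc/postfix/sender_access
CLIENT_ACCESS = [                           # cidr table, first match wins
    ("192.168.0.0/24", "reject must send mail as USER@example.com"),
]


def sender_keys(sender):
    """Search keys tried for a sender address (simplified model)."""
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    domains = [".".join(labels[i:]) for i in range(len(labels))]
    return [f"{local}@{domain}"] + domains + [f"{local}@"]


def check_sender_access(sender):
    for key in sender_keys(sender):
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return "dunno"


def check_client_access(client_ip):
    addr = ipaddress.ip_address(client_ip)
    for net, action in CLIENT_ACCESS:
        if addr in ipaddress.ip_network(net):
            return action
    return "dunno"


def smtpd_sender_restrictions(client_ip, sender):
    """Evaluate the restrictions left to right; the first verdict wins.

    Returns (verdict, text). "dunno" means this restriction list made no
    decision and the later lists (relay control included) still apply.
    """
    checks = (lambda: check_sender_access(sender),
              lambda: check_client_access(client_ip))
    for check in checks:
        verb, _, text = check().partition(" ")
        if verb in ("permit", "reject"):
            return verb, text
    return "dunno", ""


# Constructed test traffic: (client address, envelope sender).
CASES = [
    ("192.168.0.10", "alice@example.com"),      # inside, own domain
    ("192.168.0.10", "alice@webmail.example"),  # inside, foreign sender
    ("203.0.113.5", "bob@other.example"),       # outside, foreign sender
    ("203.0.113.5", "ceo@example.com"),         # outside, CLAIMS own domain
]


def run_cases():
    return [(ip, sender) + smtpd_sender_restrictions(ip, sender)
            for ip, sender in CASES]


if __name__ == "__main__":
    for row in run_cases():
        print(row)
```

The last case is the one behind the closing caveat in the message: the sender table permits on the claimed address alone, so the same rules placed in smtpd_recipient_restrictions would return "permit" before any relay check is reached.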
Re: Segmentation errors
webmas...@aus-city.com: > Hi, > > I keep getting these errors in /var/log/messages and can't work out why.. > > Dec 31 10:07:59 server kernel: postfix-queue[1323]: segfault at > 2068616e ip 08049f09 sp bfc13920 error 4 in postfix-queue[8047000+e000] > Dec 31 10:12:01 server kernel: postfix-queue[1559]: segfault at > 2068616e ip 08049f09 sp bfb47050 error 4 in postfix-queue[8047000+e000] > Dec 31 10:16:03 server kernel: postfix-queue[1789]: segfault at > 2068616e ip 08049f09 sp bfabefc0 error 4 in postfix-queue[8047000+e000] > Dec 31 10:20:05 server kernel: postfix-queue[2021]: segfault at > 2068616e ip 08049f09 sp bfcbc9c0 error 4 in postfix-queue[8047000+e000] > Dec 31 10:24:07 server kernel: postfix-queue[2229]: segfault at > 2068616e ip 08049f09 sp bfd11a10 error 4 in postfix-queue[8047000+e000] > > Any idea's how to fix this or what is causing them? Perhaps ask the people who provide the postfix-queue program? There is no such program in the official Postfix distribution. Wietse
Re: Alias piping + mysql in virtual domains
Sahil Tandon: > Joselito wrote: > > > I'm moving an existing domain to virtual mailboxes. All the info is > > stored in a mysql database. Currently all devlivery and alias mapping > > is working correctly; I'm using virtual_mailbox_maps, > > virtual_alias_maps and virtual_mailbox_domains stored in the sql > > backend. > > > > Problem is that aliases that pipe to a command and aren't delivered > > anywhere > > - this is most common for mailing list software like mailman and > > smartlist. Dropping the piped command into the destination side of an > > alias map results in a bounce mail, and the logs show an unknown user > > error. The current workaround that I'm using is to alias to another > > alias in /etc/aliases (obviously a flat file, not an sql backend) which > > is aliased to the pipe. > > You cannot pipe to programs from virtual alias maps; use local aliases > as you currently do, or route to an address that resolves (via > transport_maps) to a pipe transport. See also examples in http://www.postfix.org/VIRTUAL_README.html for delivery to command. Wietse
Re: Delivered to command difference if .procmailrc exists
Jacob Anawalt: > Hello, > > My configured mailbox_command has been 'procmail -a "$EXTENSION"' for > the longest time. I did not notice the difference between emails > 'delivered to command: procmail -a "$EXTENSION" and those 'delivered > to command: /usr/bin/procmail' because it was procmail in both cases. > I have never tried using $1 in procmail to filter so I don't know if I > was getting $EXTENSION or not. > > # postconf | grep mailbox_command > mailbox_command = procmail -a "$EXTENSION" > mailbox_command_maps = > > > No /home/userA/.procmailrc: > Dec 30 18:15:29 detroit postfix/local[29983]: 7D29A47DAC: > to=, relay=local, delay=0.03, delays=0.02/0.01/0/0.01, > dsn=2.0.0, status=sent (delivered to command: procmail -a > "$EXTENSION") > > > /home/userB/.procmailrc exists: > Dec 30 19:06:37 detroit postfix/local[30464]: 813F947D62: > to=, relay=local, delay=3.9, delays=1.5/0/0/2.4, > dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail) > > > I tried switching mailbox_command, and all the .procmail people kept > using /usr/bin/procmail instead of the new value for mailbox_command. > This was unexpected by me. Is it normal behavior? Where can I read > about this and how can I override it? The replacing command, dspam, > calls procmail anyway and I want to continue to support the local > user's configurations. Perhaps you could follow instructions in the mailing list welcome message. Wietse TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html Thank you for using Postfix.
Re: rewrite recipients after /etc/aliases is processed
Hanspeter Kunz: > well, my intention was to use /etc/aliases for forwarding mail addresses > like root, webmaster, logcheck, etc. to real users. This would be > different users on every host. That's why I want first to > process /etc/aliases and then route the mail to our central mail server. /etc/aliases is used only for domains in $mydestination. This is documented behavior, and will not be changed. To rewrite addresses that don't deliver locally, use virtual_alias_maps (NOT virtual_alias_domains) to rewrite root etc, into real recipients. Wietse
Re: postfix questions: when emails are being rejected...
Hwan Dong: > > Hi there, > > Instead of paying email professionals, I set up a postfix SMTP server to send emails to the club members. I have also successfully enabled the delay between sending to some ISPs. But as more as I am sending, I could still get rejection. Do you have similar experience? Any insight or comments?

Welcome to the real world. Some ISPs have "acceptable use" limits. If you want to send more than an occasional email message then you will have to become whitelisted.

I don't think it is a good idea to build broken-by-design features into Postfix (*), especially when their sole purpose is to circumvent ISP acceptable use limits.

Wietse

(*) Such as suspending all delivery to yahoo.com after only one recipient is rejected with a temporary error.
Re: Delivered to command difference if .procmailrc exists
Your measurements use two different users, one with .procmailrc file and one without .procmailrc file. To prove that the difference in behavior is caused by the presence or absence of .procmailrc files, you need to deliver mail to the EXACT SAME user and change NOTHING except the presence/existence of the .procmailrc file. Wietse
Re: Delivered to command difference if .procmailrc exists
Jacob Anawalt: > On Wed, Dec 31, 2008 at 7:39 AM, Wietse Venema wrote: > > To prove that the difference in behavior is caused by the presence > > or absence of .procmailrc files, you need to deliver mail to the > > EXACT SAME user and change NOTHING except the presence/existence > > of the .procmailrc file. > > > > Doh! Yes, when I move the .procmailrc out of the way postfix/local > still delivers as /usr/bin/procmail. I also found one account that has > a .procmailrc and it is delivering to command according to > mailbox_command, procmail -a "$EXTENSION". The difference is not > caused by the presence or absence of the .procmailrc files. The almost > 100% correlation must be nothing more than a coincidence. The user's .forward file takes precedence over mailbox delivery. Wietse
Re: Postfix and multiple smarthosts
Andrew Hodgson: > Hi, > > I am trying to find the answer whether Postfix will support multiple > smarthosts - i.e, sending to specific smarthosts, and if one fails, it > will try to send to the next one in the list, or will just use any > smart host in the list without issue?

    relayhost = [one.example.com]
    smtp_fallback_relay = [another.example.com]

The [] suppress MX record lookups.

Wietse

> I have found several examples of using smart host routing based on > destination domain, but this is not what I want to do. > > Thanks. > Andrew.
Re: RCPT TO problem using relay host
Dennis Putnam: > I have a machine running postfix that is required to relay mail > through my ISP's mail server. When I try to send mail, I get this error: > > 550 [PERMFAIL] destination not valid within DNS (in reply to RCPT TO > command) > > Can someone explain what this error means? If I use 'telnet' to send > the RCPT TO command manually it accepts it. Type the recipient domain into a DNS checking website (see search engine for examples) and see if they report any errors. Wietse
Re: rate limit outgoing mails with mailman
ja...@monsterjam.org: > hey folks.. Im running the latest postfix on an ubuntu server with > mailman for mailing list management.. everything is pretty much working > fine except that Im trying to get some kind of rate-limiting or > throttling working for all outbound messages. Ive searched all over and

The following requires Postfix 2.5 or later:

/etc/postfix/main.cf:
    # Deliver all mail via the "smtp" transport in master.cf.
    # Use [] to suppress MX lookup.
    relayhost = [mail.example.com]
    default_transport = smtp
    smtp_destination_rate_delay = 30

This will deliver one message every 30 seconds.

Wietse
Re: rate limit outgoing mails with mailman
ja...@monsterjam.org: > > The following requires Postfix 2.5 or later: > > > > /etc/postfix/main.cf: > > # Deliver all mail via the "smtp" transport in master.cf. > > # Use [] to suppress MX lookup. > > relayhost = [mail.example.com] > > default_transport = smtp > > smtp_destination_rate_delay = 30 > > > > This will deliver one message every 30 seconds. > > > > Wietse > > aah heck, I lied to you.. > I have postfix 2.4.5-3ubuntu1.3 installed :( > > Is there a way to accomplish the same thing for this version or should I > compile the new one? > I couldnt find postfix 2.5 for Ubuntu 7.10 For a collection of rate limiting examples, see the Postfix documentation at http://www.postfix.org/QSHAPE_README.html#backlog Wietse
Re: keep "Sensitivity" MIME header upon bounces/DSNs
Ralf Hauser: > Since certain MUAs such as MS Outlook allow the user to label messages as > "confidential" which according to http://www.faqs.org/rfcs/rfc1327.html gets > translated into MIME header "Sensitivity=Company-Confidential", quite some > secure mail gateways ensure higher transmission secrecy (e.g. > "smtp_enforce_tls") for such messages. > > To not lose such labeling, some MUAs also set this MIME-Header upon > replies/forwards. > > Unfortunately, if such a message causes a bounce (e.g. inexistent > recipient), postfix sends such a bounce without the sensitivity header.

Just to be clear about this, Postfix is an MTA, not a security gateway. For this reason, Postfix has no code that recognizes message headers that control behavior of security gateways. It's not like I deliberately deleted the ability to do this. The whole question simply never came up so the code was never implemented.

> This can cause contents to be disclosed since not treated properly by > above-mentioned gateways (in particular, if the main.cf doesn't say > bounce_size_limit=1 [the value 0 is not permitted??]).

Normally, "zero" means "no limit" in Postfix. I did not think that that would be desirable in the case of bounce messages.

> Is there any reason for postfix not to keep the sensitivity mime header even > on DSNs?

Postfix implements RFCs, to avoid re-inventing the wheel poorly. Can you refer me to an RFC that requires MTAs to copy header fields from an original message to the message header of a delivery status notification? The only RFC that I am aware of is propagation of the MIME 7bit/8bit content transfer encoding.

It would also help if you could point to an RFC that requires MTAs to change the delivery method depending on the content of a message header.

Wietse
Re: Finding the envelope-sender after always_bcc? (SOLVED)
Jeff Weinberger: > On Jan 2, 2009, at 2:30 AM, mouss wrote: > > > Jeff Weinberger wrote: > >> > >> I used a pcre: table for smtpd_sender_restrictions and the PREPEND > >> action as follows: > >> > >> main.cf: > >> smtpd_sender_restrictions = check_sender_access > >> pcre:/etc/postfix/smtpd_sender_restrictions.pcre > >> > >> smtpd_sender_restrictions.pcre > >>/^(.*)/ PREPEND X-Envelope-Sender: ${1} > >> > >> this will insert into every message a header "X-Envelope-Sender: " > >> followed by the envelope sender value. It won't pass the > >> envelope-sender as SMTP MAIL FROM (dspam wasn't designed to do that, > > > > dspam gets it via LMTP MAIL FROM, and it will pass it back to postfix > > with SMTP MAIL FROM. I have used this in the past and I'm sure others > > are > > using it now (ping steve?). something in your setup prevents this from > > working but I don't think it is a dspam limitation. > > It's definitely my set up. I don't use LMTP to pass the message to > dspam, I use a transport called "dspam" that uses pipe. That means > there's no S/LMTP dialog, just the message itself passed as STDIN.

If you can show what you've configured to pass mail into dspam, then perhaps someone can tell you how to get that envelope sender address into dspam, too.

Wietse
Re: VERP uses the recipient name after virtual_regexp rewriting
Jesper Dybdal: > On Mon, 29 Dec 2008 21:54:52 +0100, I wrote: > > >... I was surprised to see that when the recipient address > >provided by Mailman is rewritten by Postfix' virtual_regexp, then the > >recipient address that Postfix encodes in the envelope return path is > >the rewritten address, rather than the original subscriber address that > >Mailman knows. > > I have just realized that there is another way to look at this, which > may be a better argument for the semantics I would like: > > The problem occurs only because the sending server and the receiving > server is the same; the recipient address is in a domain handled by the > same postfix instance that Mailman uses to submit mail. If there were > two independent postfix instances, this would not happen. > > In such a case, it seems to me that the result ought to be the same as > if processing clearly related to the sending side, such as VERP address > generation, happened before processing clearly related to the > receiving side, such as recipient address rewriting in virtual_maps. > > I.e., VERP belongs to "sending processing" and its result should > therefore not depend on virtual_maps rewriting, which are part of the > "receiving processing" and thus belongs logically "later"; it comes into > effect in the same postfix instance only because the subscriber happens > to be a local user. > > (But as I wrote earlier, I can live with the current semantics, and this > will - probably - be my last attempt to convince you that the order > ought to be different.) You don't need to convince me of anything. Where possible Postfix is based on general principles that solve a larger class of problems, instead of a bunch of special-purpose hacks that tend to get in the way when I want to add other features in the same area. In your case, the general principle was not obvious: VERP is a form of input processing. Fortunately, Postfix has original recipient information at hand.
Unfortunately, the information is not guaranteed to be in the canonical u...@domain form. However, in the special case of VERP this is OK. The consumer of VERP bounces really wants to see the same string that it gave to the MTA. Wietse
Re: rate limit outgoing mails with mailman
ja...@monsterjam.org: > excellent idea, so I did install the 2.5.4 version from the backport > and I now have > r...@ohs:~# grep smtp_destination_rate_delay /etc/postfix/main.cf > smtp_destination_rate_delay = 10 > r...@ohs:~# > and I restarted postfix > Jan 2 08:03:56 ohs postfix/master[16208]: terminating on signal 15 > Jan 2 08:03:58 ohs postfix/master[16312]: daemon started -- version 2.5.4, > configuration /etc/postfix > > and now when I send an email to my mailman mailing list, I still see it > sending out emails with no delay.. > > Jan 2 08:04:52 ohs postfix/smtp[16349]: 72292189FF: > to=, relay=outgoing.verizon.net[206.46.232.12]:25, > delay=5.3, delays=0.12/0.51/0.36/4.3, dsn=2.5.0, status=sent (250 2.5.0 Ok.) > Jan 2 08:04:52 ohs postfix/qmgr[16316]: 72292189FF: removed > Jan 2 08:04:52 ohs postfix/smtp[16347]: 950C118A00: to=, > relay=outgoing.verizon.net[206.46.232.12]:25, > delay=5.2, delays=0.13/0.39/0.37/4.3, dsn=2.5.0, status=sent (250 2.5.0 Ok.) > > Jan 2 08:04:52 ohs postfix/smtp[16350]: 950C118A00: to=, > relay=outgoing.verizon.net[206.46.232.12]:25, delay=5.3, > delays=0.13/0.37/0.38/4.5, dsn=2.5.0, status=sent (250 2.5.0 Ok.) > Jan 2 08:04:52 ohs postfix/qmgr[16316]: 950C118A00: removed > > so it looks like all three of these went out with no delays inbetween each > message, right? Yes, so it is time that you follow instructions in the welcome message and post "postconf -n" output instead of one-line fragments. Wietse TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html Thank you for using Postfix.
Re: rate limit outgoing mails with mailman
Jason Welsh: > my apologies.. here is the output of postconf -n Did you notice that there is no smtp_destination_rate_delay Wietse
Re: rate limit outgoing mails with mailman
> Jan 2 16:04:57 ohs postfix/smtp[18389]: B08B018A00: > to=, relay=outgoing.verizon.net[206.46.232.12]:25, > delay=0.89, delays=0.08/0.28/0.35/0.17, dsn=2.5.0, status=sent (250 2.5.0 Ok.) > Jan 2 16:04:57 ohs postfix/qmgr[18371]: B08B018A00: removed > Jan 2 16:05:12 ohs postfix/smtp[18389]: E50B018A02: to=, > relay=outgoing.verizon.net[206.46.232.12]:25, delay=15, > delays=0.24/11/0.34/4.4, dsn=2.5.0, status=sent (250 2.5.0 Ok.) > Jan 2 16:05:12 ohs postfix/smtp[18389]: E50B018A02: to=, > relay=outgoing.verizon.net[206.46.232.12]:25, delay=15, > delays=0.24/11/0.34/4.4, dsn=2.5.0, status=sent (250 2.5.0 Ok.) > Jan 2 16:05:12 ohs postfix/qmgr[18371]: E50B018A02: removed > > so there WAS a delay after the first one, but the second two seemed to go out > together.. > so we are making progress.. i think.. ;) The second message has TWO RECIPIENTS. Postfix inserts 10s delay between MESSAGE deliveries not RECIPIENTS. Wietse
Re: Finding the envelope-sender after always_bcc? (SOLVED)
Jeff Weinberger: > That said, here's the current configuration: > > content_filter=dspam:dspam > > and in master.cf: > > dspam unix - n n - 10 pipe > flags=Ru user=_dspam argv=/usr/local/bin/dspam -- > deliver=innocent --user ${recipient} -i - f $sender -- $recipient > Hmm, so dspam is getting the envelope recipient. > I assume the LMTP setup should look something like: > > main.cf: > > content_filter=lmtp:unix:/path/to/dspam --deliver=innocent -- > user ${recipient} -i - f $sender -- $recipient > > and the transport in master.cf becomes unnecessary. > > I don't know how to handle the command line arguments (or even if I > have to), so suggestions, help and especially examples would be most > helpful. With lmtp, the information is NOT passed on the command line but instead is passed via the LMTP protocol. Wietse
Re: bounce_size_limit
Ralf Hauser: > Hi Wietse, > > Thx for the quick reply. > > > This can cause contents to be disclosed since not treated properly by > > > above-mentioned gateways (in particular, if the main.cf doesn't say > > > bounce_size_limit=1 [the value 0 is not permitted??]). > > > > Normally, "zero" means "no limit" in Postfix. I did not think that > > that would be desirable in the case of bounce messages. > Sure, in most cases, a content leak of 1 character isn't a big deal. Actually, there is no 1-character leak, because Postfix does not truncate text that exceeds the bounce_size_limit setting. That would break message formats. Instead, Postfix produces bounce messages according to the formats defined in RFC 3461-3464 (Delivery Status Notifications) and in RFC 2045-2048 (MIME). When the message is smaller than the bounce size limit, Postfix sends a message/rfc822 segment, otherwise Postfix sends text/rfc822-headers. There is no code in Postfix to measure the size of the message header against the bounce size limit. See also my comments below about why I disagree with the idea of a global configuration setting to send header-less bounces. > But perhaps the semantics could be: > > 0 = unlimited original message can be attached (albeit it is de facto > limited by 'message_size_limit' of the incoming message...) > > -1 = do not attach original message > > -2 = don't even attach the header details: revealing who are the > recipients and what is the title may well be undesirable in some > MTA configurations. No "Undelivered Message Headers.txt" attachment > or alike. > > What do you think? Hm. That would specify non-size information via a size-limit parameter. Personally, I think that bounces without returned headers are a complete waste of human and computer resources, because the receiver has no idea what message was undeliverable. 
In fact, bounces without returned headers are harmful. With today's backscatter mail, the original message header is needed to block bounced forgeries without losing legitimate email. In summary, I think that it is wrong to turn off returned headers without consideration for what mail is being returned. If you want to improve Postfix to make it security-gateway friendly, then the changes should not be presented as isolated little hacks (as above), but they need to be part of an over-all plan. Wietse
Re: running a second custom smtpd on second IP address
Drew Derbyshire: > I've got a postfix server running which accepts several domains on its > primary smtpd (kew.com, *.wild.kew.com, thinfilmmfg.com, > *.wild.thinfilmmfg.com, ...), all protected by the usual (and some > unusual) SPAM filters. Life is good. > > I'd like to set up a secondary smtpd on a second IP address with its > own MX record which accepts mail for an additional domain > (*.bff.kew.com) with fewer checks, but does NOT accept mail for the > other domains listed above. I did a master.cf like this, but it accepts > the wrong (original) domains defined in main.cf and the virtual domains > configuration:

The problem is that the distinction between domain classes (mydestination, relay_domains, virtual_alias_domains, virtual_mailbox_domains) is made by the trivial-rewrite daemon.

Now you could in theory do things like

/etc/postfix/main.cf
    bff-virtual_alias_maps = whatever
    # no .domain.example magic for virtual alias domains!
    bff-virtual_alias_domains = bff.kew.com, xxx.bff.com, yyy.bff.com

/etc/postfix/master.cf
    1.2.3.4:smtp inet ... ... ... ... smtpd
        -o rewrite_service_name=bff-trivial-rewrite
        -o mydestination=
        -o relay_domains=
        -o virtual_alias_maps=$bff-virtual_alias_maps
        -o virtual_alias_domains=$bff-virtual_alias_domains
        -o virtual_mailbox_domains=
    bff-trivial-rewrite unix ... ... ... trivial-rewrite
        -o mydestination=
        -o relay_domains=
        -o virtual_alias_maps=$bff-virtual_alias_maps
        -o virtual_alias_domains=$bff-virtual_alias_domains
        -o virtual_mailbox_domains=

but things get complicated quickly.

Wietse
Re: running a second custom smtpd on second IP address
Drew Derbyshire: > Wietse Venema wrote: > > > > The problem is that the distinction between domain classes > > (mydestination, relay_domains, virtual_alias_domains, > > virtual_mailbox_domains) is made by the trivial-rewrite daemon. > > > > > Make sense. > > Just to clarify, smtpd is asking trivial-rewrite if it should accept a > particular address? No, the distinction between domain classes (1=mydestination, 2=relay_domains, 3=virtual_alias_domains, 4=virtual_mailbox_domains) is made by the trivial-rewrite daemon. When the result is 1, smtpd queries $local_recipient_maps, when it's 2, smtpd queries $relay_recipient_maps, and so on. Postfix always queries $virtual_alias_maps and the canonical maps, because those maps rewrite all domain classes. Wietse
Re: Postix relay gateway - "Recipient address rejected" notification verbosity ...
Postfix 2.6 and later allow you to override the SMTP server response with the unverified_recipient_reject_reason parameter. See http://www.postfix.org/ADDRESS_VERIFICATION_README.html Wietse
Re: Postix relay gateway - "Recipient address rejected" notification verbosity ...
Antony: > I have tried to add : > unverified_recipient_reject_reason = Unknown user ! > > but no way, the error message is the same ...

        v
Postfix 2.6 and later allow you to override the SMTP server
        ^
response with the unverified_recipient_reject_reason parameter.

> Antony > > -Original message- > From: owner-postfix-us...@postfix.org > [mailto:owner-postfix-us...@postfix.org] On behalf of Wietse Venema > Sent: Sunday, January 4, 2009 00:36 > To: Postfix users > Subject: Re: Postix relay gateway - "Recipient address rejected" notification > verbosity ... > > Postfix 2.6 and later allow you to override the SMTP server > response with the unverified_recipient_reject_reason parameter. > > See http://www.postfix.org/ADDRESS_VERIFICATION_README.html > > Wietse
Re: Header/body checks question, problem.
KLaM Postmaster: > Among the stuff being rejected is the output of pflogsumm, I run a daily > a report and email it to postmaster. I was not getting the reports so I See http://www.postfix.org/BUILTIN_FILTER_README.html section "Preventing daily mail status reports from being blocked". Wietse
Re: Compile error Slackware 12.2 postfix 2.5.6 smtp_reuse.c
This is the result of a cut-and-paste error. I have re-issued the releases. Wietse
Postfix stable release 2.5.6, 2.4.10 and 2.3.16 available
Postfix stable releases 2.5.6, 2.4.10 and 2.3.16 catch up on fixes that were applied in the past three months. Postfix versions 2.2 and earlier are no longer updated.

- Postfix 2.5: the SMTP server did not ask for a client certificate with "smtpd_tls_req_ccert = yes". Reported by Rob Foehl.

- Postfix 2.5, 2.4 and 2.3: avoid reduced TCP performance when reusing an SMTP connection with a larger than 4096-byte TCP MSS value. In practice, this could happen only with loopback (localhost) connections.

- Postfix 2.3: the cleanup server did not update the queue file's recipient count field, after a Milter application added or deleted a recipient. This resulted in harmless "rcpt count mismatch" warning messages from the Postfix queue manager. Reported by Matthew Sullivan (Sorbs). Fix back-ported from Postfix 2.4.

The first version of these releases suffered from a cut-and-paste error in file smtp_reuse.c. Corrected versions have been issued in the mean time.

The updated files should show up in the next 12 hours on the mirror sites listed at http://www.postfix.org/

Wietse
Re: per recipient transport [Was: Evaluation of maps in local or virtual address classes]
mouss: > Victor Duchovni wrote: > > On Mon, Jan 05, 2009 at 03:31:52AM +0100, mouss wrote: > > > >> Victor Duchovni wrote: > >>> [snip] > >>> Why per-recipient transport lookups? Often better to rewrite to a domain > >>> where the entire domain is handled by lmtp(8). > >>> > >> is there a benefit in avoiding per recipient transports? > > > > Simplicity, also reduces temptation to do LDAP or SQL transport lookups, > > unfortunately, this is exactly what I want to do: put everything in *sql > to ease mgmt. of course, it is possible to dump the sql data, but I am > talking about a web UI where I'd prefer the web app no have any > privileges. I guess a cron (to dump data) is the best I can do if I > don't want to write an "update" daemon? High-latency maps such as LDAP and SQL are OK for smtpd or cleanup (because these processes run in parallel) but not trivial-rewrite (because there is only one qmgr). This applies not only to transport maps but also to maps that define address classes. Wietse
Re: Using Postfix for business continuity
Kenneth Kalmer: > Hi all > > Just got asked by one our sales guys if we could implement a Postfix > business continuity service, by his definition it means that Postfix acts as > a normal backup MX but gives the users access to their email via webmail of > sorts. > > I understand the issues of user authentication, validating users, etc. > > I'd just like to find out if anyone has implemented something similar, or > have any pointers for implementing something like this. I don't know of any, but this is how I would do it. Business continuity requires that users keep access to old email. This requires continuous replication. In the absence of file systems with built-in replication, the best option is to implement replication at the message store level. From the Postfix point of view this requires a replicated DBMS with standard (LMTP or pipe-to-command) mail injection interfaces. For web or IMAP access, another set of adapters would be needed. Of course this also requires that the customer's systems are replication enabled, and that your message store DBMSes can communicate with theirs. Wietse
Re: Why relay_domains defaults to mydestination?
Jeremie Le Hen: > Hi list again, > > Wietse, I take advantage of this new email to thank you for your reply > to my earlier email. > > This time I just wonder why relay_domains defaults to mydestination? Backwards compatibility. Wietse
Re: virtual_alias_maps/relay_recipient_maps in smtpd_recipient_restrictions
Jeremie Le Hen: > Hi list ! > > As far as I understand, there is an "implicit" check in the > smtpd_recipient_restrictions parameter when virtual_alias_maps > or relay_recipient_maps is specified. But when does it happen? By default, the check happens at the end. However, you can specify the documented reject_unlisted_recipient and reject_unlisted_sender earlier if you like. > From my own testing, I think it is checked at the very end but I would > like to know if there's a rule for this, I couldn't find it in the > documentation (by the way I think it should be worth writing it > explicitly). It is documented as part of smtpd_reject_unlisted_recipient. When this is set to "yes", Postfix will reject mail even when you did not specify reject_unlisted_recipient. This means that reject_unlisted_recipient takes precedence over smtpd_reject_unlisted_recipient. Therefore, smtpd_reject_unlisted_recipient must take effect at the end. If it took effect at the beginning, then reject_unlisted_recipient could not take precedence. Wietse
Re: CDB map files for virtual alias maps
ram: > if I use >virtual_alias_maps = cdb:/path/mapfile > This doesn't work if mails are sent to users in uppercase Please show evidence of this in the form of SMTP commands and Postfix logging. Wietse
Re: Getting reject_sender_login_mismatch/smtpd_sender_login_maps and mysql to work together
Jeff Weinberger: > I then added the line: > > smtpd_sender_login_maps=hash:/path/to/map > > to my main.cf and send a few messages. Postfix correctly allowed and > rejected all of the test messages, and the logs showed the correct > reason for the rejection, and no log entries showing a successful match. > > I then, again just to test, added a field to my virtual users table to > hold authorized addresses, and wrote the query noted above into a > mysql_sender_login_maps.cf file. > > I used postmap -q to verify that the results of the query were correct > and were exactly the same as the results received when I used postmap > -q on the hash: file. They all were identical for the same lookup keys.

smtpd does the same lookups as "postmap -q". If the result is different than when you run "postmap -q" by hand, then it is almost certain that you are using a different search key than Postfix uses.

Postfix does the lookups as documented in the postconf(5) manual page:

    smtpd_sender_login_maps (default: empty)
        Optional lookup table with the SASL login names that own sender (MAIL FROM) addresses.

        Specify zero or more "type:table" lookup tables. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of u...@domain:

        1) u...@domain
            This table lookup is always done and has the highest precedence.

        2) user
            This table lookup is done only when the domain part of the sender address matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

        3) @domain
            This table lookup is done last and has the lowest precedence.

You can see what lookups Postfix does by setting the debug_peer_list parameter in main.cf. For example:

    # postconf -e debug_peer_list=static:all
    # postfix reload

Wietse
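The three search keys from the quoted postconf(5) text, and the decision reject_sender_login_mismatch takes on the result, as an added example (not part of the original thread and not Postfix code). The table contents, login names and domains are constructed; local_domains stands in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces, and folding keys to lower case is an assumption that holds for indexed files but depends on the query for SQL tables.

```python
import re


def login_map_keys(sender, local_domains):
    """Search keys for a MAIL FROM address, highest precedence first."""
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    keys = [sender]                  # 1) user@domain, always tried
    if domain in local_domains:
        keys.append(local)           # 2) user, only for local domains
    keys.append("@" + domain)        # 3) @domain, lowest precedence
    return keys


def lookup_owners(sender, table, local_domains):
    """Return (matching key, list of owning SASL logins) or (None, [])."""
    for key in login_map_keys(sender, local_domains):
        if key in table:
            # The value is a list of login names separated by comma
            # and/or whitespace.
            names = [n for n in re.split(r"[,\s]+", table[key].strip()) if n]
            return key, names
    return None, []


def login_mismatch(sender, sasl_login, table, local_domains):
    """True when reject_sender_login_mismatch would reject.

    sasl_login is None for a client that did not authenticate.
    """
    key, owners = lookup_owners(sender, table, local_domains)
    if key is not None:
        # The address has an owner: the client must be logged in as one.
        return sasl_login not in owners
    # No owner listed: an authenticated client does not own this address.
    return sasl_login is not None


# Constructed table, as "postmap -q" would see it key by key.
SENDER_LOGIN_MAP = {
    "alice@example.com": "alice",
    "postmaster": "admin1, admin2",
    "@example.net": "relayuser",
}
LOCAL_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for sender in ("Alice@Example.com", "postmaster@example.com",
                   "postmaster@example.net", "nobody@other.example"):
        print(sender, login_map_keys(sender, LOCAL_DOMAINS),
              lookup_owners(sender, SENDER_LOGIN_MAP, LOCAL_DOMAINS))
```

Querying a table by hand with only the full address tests key 1; a row stored under a bare user name or under @domain is reached only through keys 2 and 3.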
Re: CDB map files for virtual alias maps
ram: > > On Tue, 2009-01-06 at 09:57 -0500, Victor Duchovni wrote: > > On Tue, Jan 06, 2009 at 07:58:07PM +0530, ram wrote: > > > > > [r...@50.133 postfix]# postmap -q t...@netcore.co.in cdb:/etc/postfix/vmap > > > r...@netcore.co.in > > > [r...@50.133 postfix]# postmap -q t...@netcore.co.in cdb:/etc/postfix/vmap > > > [r...@50.133 postfix]# > > > > Well, that's not how CDB tables work here, looks someone helpfully > > modified your CDB driver or Postfix dictionary lookup interface. > > The results below are obtained from Wietse's Postfix 2.5.5 code: > > > > which CDB package ( rpm ? ) does this use > > I downloaded the package from > http://www.corpit.ru/mjt/tinycdb.html#download > > created & installed the rpm on a centos 5 box
I'm using tinycdb-0.75, with the Postfix CDB driver of Postfix 2.4, 2.5 and 2.6.
% echo FOO this is FOO >x
% postmap cdb:x
% postmap -q FOO cdb:x
this is FOO
% postmap -q foo cdb:x
this is FOO
%
% echo foo this is foo >x
% postmap cdb:x
% postmap -q FOO cdb:x
this is foo
% postmap -q foo cdb:x
this is foo
%
With all Postfix versions, the postmap command by default always case folds CDB lookup keys, both on create and on query. If someone is distributing "improved" Postfix versions then you need to file a complaint. Wietse
Re: CDB map files for virtual alias maps
ram: > > With all Postfix versions, the postmap command by default always > > case folds CDB lookup keys, both on create and on query. > > > > If someone is distributing "improved" Postfix versions then you > > need to file a complaint. > > > > So that seems to be it. I would really need to compile an "authentic" > postfix version. Can you give me a link to source RPM of 2.5.5 for > centos 5 The authentic Postfix source code is released via http://www.postfix.org/downloads.html. Wietse
Re: Problem with notifications
Michael JOLY: > Hello, > > I have a problem. When i sent a mail to mailboxes of my domain and i > request notifications of delivery, i receive two notifications : one says > that the message is delivered (that's right) and another that tells the > message has not been delivered. Postfix delivery status notifications implement Internet standards as defined in RFC 3461-3464. Specifically, after notification of successful alias expansion, you may still receive notification that subsequent delivery attempts have failed. The "success" notification text that you deleted even contains text to that effect. If Postfix behavior disagrees with the standards then you're welcome to point out where Postfix errs from the standards. Wietse > This is an extract of the two notifications : > > Success Mail delivery > - > : alias expanded > : alias expanded > - > > Failed Mail delivery > - > (expanded from ): data format > error. Command output: : Mailbox does not exist > > (expanded from ): data format > error. Command output: : Mailbox does not exist > > Action: failed > Status: 5.6.0 > Diagnostic-Code: x-unix; : Mailbox does not exist > > - > > > Thanks > Mick
Re: Question regarding reject_unlisted_sender
Bill Landry: > I'm following a discussion on another list regarding a Communigate > gateway that is rejecting spoofed "MAIL FROM" before "RCPT TO" is > received. This is perfectly legitimate usage of SMTP. Clients that cannot handle this are broken. Postfix's delayed "reject" works around broken clients, and gives the server's administrator more information about what mail is being rejected. However the delay is not required by SMTP. Wietse
Re: fatal: open file trace :Permission denied
I'd say, run "postfix set-permissions" and if that does not do the job, kill off or update SELINUX, APPARMOR, etc. Wietse
Re: Access and smtpd_sender_restrictions
Martin Spinassi: [ Charset UTF-8 unsupported, converting... ] > Hi list! > > I'm trying to install a postfix with some restrictions, including a > sender restriction, but I'm just missing something. > > The idea is to allow only one domain to send mails from that server, but > I'm having access denied including the domain that is supposed to be > allowed. > > Here is what I got: > > > main.cf: > > smtpd_sender_restrictions= > check_client_access hash:/etc/postfix/access > reject ... > 554 5.7.1 : Sender address rejected: Access denied So, what's wrong with it? Wietse
PATCH: bug from May 19, 1997
While adding a feature I ran into a problem that is so old that I had to dig into my pre-alpha source code to find when it was introduced. Bugfix (introduced May 19, 1997): removing a parameter setting from main.cf did not reset the parameter to its default value. File: global/mail_params.c. This has rarely been an issue because most Postfix processes run for a limited amount of time, and because people usually do "postfix reload" after making a change, so that all daemons except master terminate voluntarily. A redundant design does have benefits ... Wietse diff -bcr /var/tmp/postfix-2.6-20090106/src/global/mail_conf.c ./mail_conf.c *** /var/tmp/postfix-2.6-20090106/src/global/mail_conf.cSat Apr 10 10:52:51 2004 --- ./mail_conf.c Thu Jan 8 20:45:10 2009 *** *** 173,178 --- 173,181 && geteuid() != 0) /* untrusted */ mail_conf_checkdir(var_config_dir); path = concatenate(var_config_dir, "/", "main.cf", (char *) 0); + /* In case a name=value pair is removed from main.cf. */ + if (dict_handle(CONFIG_DICT) != 0) + dict_unregister(CONFIG_DICT); dict_load_file(CONFIG_DICT, path); myfree(path); }
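Review bot: the changelog text above the diff says "File: global/mail_params.c", but the hunk is against src/global/mail_conf.c (at line 173, just before dict_load_file(CONFIG_DICT, path)); the File: entry should name mail_conf.c so the fix can be traced later. On the added lines themselves, dict_unregister(CONFIG_DICT) discards the whole dictionary, not only the name=value pairs that came from main.cf, so it is worth confirming that nothing else has stored values under CONFIG_DICT before this point, and extending the comment to say that the dictionary is rebuilt from main.cf alone on every load.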
Re: PATCH: bug from May 19, 1997
Victor Duchovni: > Translation, this only matters for parameters that change the behaviour > of the master daemon. Removing such a parameter from main.cf did not > result in changed master(8) behaviour without a full restart. > > Most users don't modify master(8) parameters other than inet_interfaces, > and changing this without a restart is not supported. > > Thus no surprise that there have not been very many problem reports > for this. > > By the way, will it be "legal" to do crazy things like change the > "queue_directory" and/or "data_directory" of a running Postfix instance? Changing data_directory on a running system would be fine; there is nothing that "postfix reload" can't fix, and all you lose is some non-essential state. However it would make sense to warn about queue_directory changes (and perhaps config_directory). The master(8) does not use a lot of parameters because it was written before main.cf support was implemented by May 1997, so it is not like there is a lot to warn about. It's not clear if mail_conf.c is the right place to fix this, though. I'll look into this today. Wietse
Re: Preventing domain mails from outside
Norm Mackey: > Received: by www.thisisireallymydomain.com (Postfix) > id 3C916254775; Tue, 30 Dec 2008 03:50:01 -0800 (PST) That mail did not arrive via SMTP. Look in your maillog file around that time. If this mail comes from your HTTP account, then look in the HTTP logs for details. If the HTTP logs are in UTC, you will have to look for time stamps that are 0800 hours earlier. Wietse
Re: Problem with http://www.postfix.org/postconf.5.html
mouss: > Luigi Rosa wrote: > > Markus Schönhaber said the following on 10/01/09 13:35: > > > >> Is there something wrong with the server / anyone else seeing this? I typo-ed in the source file. Bad: Specify a value > 0 and < 65536 to enable this feature. Good: Specify a value > 0 and < 65536 to enable this feature. There's a new version at http://www.porcupine.org/postfix-mirror that will be picked up by the mirrors in the next 24 hours. Wietse
Re: Preventing domain mails from outside
Sahil Tandon: > > > > > Received: by www.thisisireallymydomain.com (Postfix) > > > > id 3C916254775; Tue, 30 Dec 2008 03:50:01 -0800 (PST) > > > > Delivered-To: n...@thisisireallymydomain.com > > > > Received: from alkhorayef.com (unknown [91.189.132.54]) I repeat, this mail did not arrive via the SMTP service. Search your Postfix logs for the "pickup" service logfile record with local UID of the account that submitted this email message. You can prevent the httpd account from making mail submissions with authorized_submit_users = !httpd, static:anyone Instead of "httpd" use "www" or whatever. Wietse
Re: Question about transport
Sahil Tandon: > M Mollar wrote: > > > For my docent activity, I need to setup a transport like this: > > > > /(.*.dyn.nisu.org)/smtp:[$1]:2500 > > > > My students will setup a postfix server in their computers, but they > > cannot listen port 25. I update dns dynamically, so the mail directed to > > somestudent.dyn.nisu.org will be sent to the corresponding computer at > > port 2500. > > I understand that this is forbidden in the transport maps by security > > reasons, but I don't know any other way to solve the problem. > > When you update DNS, use a script that updates the transport map and > populates it with the appropriate hostnames and transport nexthops. Yes, it hurts that regexps currently can't make safe substitutions. You could use (requires Postfix 2.6 experimental release): transport_maps = tcp:host:port See tcp_table(5) for the description of this trivial protocol. In theory it is possible to make regexp substitutions safe, but this requires source code changes so that the application can specify what characters are allowed in $number substitutions. Wietse
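A lookup service for the transport_maps = tcp:host:port suggestion above, as an added example (not code from the thread or from Postfix): it validates the key against a strict host-name pattern before building the nexthop, which is the safety step the regexp substitution cannot provide. The request, reply and %XX encoding rules follow tcp_table(5); the listening address 127.0.0.1:2527 is an assumption.

```python
# Added example: tcp_table(5) lookup service for <label>.dyn.nisu.org.
import re
import socketserver
from urllib.parse import unquote_to_bytes

SUFFIX = ".dyn.nisu.org"      # zone named in the question
STUDENT_PORT = 2500           # port named in the question
# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def encode(text):
    """%XX-encode '%', whitespace and non-printing characters."""
    return "".join(
        c if 0x21 <= ord(c) <= 0x7E and c != "%" else "%%%02X" % ord(c)
        for c in text)


def nexthop_for(key):
    """Return the transport result for one student host name, or None."""
    key = key.lower()
    if not key.endswith(SUFFIX):
        return None
    if not LABEL.fullmatch(key[:-len(SUFFIX)]):
        return None   # '@', '[', ']', ':', extra dots and spaces end up here
    return "smtp:[%s]:%d" % (key, STUDENT_PORT)


def reply(code, text):
    """Build one reply line: status code, space, encoded text, newline."""
    return ("%d %s\n" % (code, encode(text))).encode("ascii")


def handle_request(line):
    """Map one request line (bytes) to one reply line (bytes)."""
    try:
        fields = line.decode("ascii").rstrip("\r\n").split(" ")
        if len(fields) != 2 or fields[0] != "get":
            return reply(400, "unsupported request")
        key = unquote_to_bytes(fields[1]).decode("ascii")
    except UnicodeError:
        return reply(400, "malformed request")
    result = nexthop_for(key)
    if result is None:
        return reply(500, "not found")     # Postfix tries its next key
    return reply(200, result)


class TcpTableHandler(socketserver.StreamRequestHandler):
    """Answer one request per line until the client disconnects."""

    def handle(self):
        while True:
            line = self.rfile.readline(4096)
            if not line:
                break
            self.wfile.write(handle_request(line))


if __name__ == "__main__":
    # Assumed listening address; main.cf would then carry
    #   transport_maps = tcp:127.0.0.1:2527
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2527),
                                         TcpTableHandler) as server:
        server.serve_forever()
```

Keys that are full addresses or parent domains get a 500 reply, so only the exact host name of a student machine ever produces a nexthop.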
Re: fatal: open file trace :Permission denied
N. Yaakov Ziskind: > In: DATA > Out: 354 End data with <CR><LF>.<CR><LF> > Out: 451 4.3.0 Error: queue file write error > > puzzling. The actual problem is logged in the MAILLOG file. Postfix does not divulge internal problem details to SMTP clients. Wietse
Re: fatal: open file trace :Permission denied
N. Yaakov Ziskind: > Wietse Venema wrote (on Wed, Jan 07, 2009 at 09:03:42PM -0500): > > I'd say, run "postfix set-permissions" and if that does not > > do the job, kill off or update SELINUX, APPARMOR, etc. > > > > Wietse > > # postfix/postfix-script: fatal: usage: postfix start (or stop, reload, > abort, flush, or check) > > a little digging convinced me that you meant: > > # /etc/postfix/post-install set-permissions The command "postfix set-permissions" is available since Postfix 2.1 which was released in April 2004. Before Postfix version 2.3, the trace service was used only to report results for "sendmail -v" and "sendmail -bv". Postfix version 2.3 and later also use the trace service for RFC 3462 "success" delivery status notifications. > but that gave a string of (I think) meaningless errors - fix one, another > pops up, etc. (Now I'm up to "chown: cannot access > `/usr/share/man/man1/mailq.postfix.1.bz2': No such file or directory") Your Postfix installation is badly inconsistent. All warranties are void at this point. > SELINUX is not installed, and APPARMOR is in complain mode. It does not matter. You need to first fix the inconsistencies. Wietse
Re: Is it possible to run 2 or more Postfix instances on a single machine?
Jet Wilda: > Hi, > > Is it possible to run 2 or more postfix instances on a single machine? > If so what steps are necessary to make it work? Thanks in advance for any > and all help.
You need a new config_directory, and it needs a main.cf and master.cf file. The main.cf file specifies a mail_queue_directory and data_directory that aren't shared with other Postfix instances. Both the default main.cf and the new one need to specify inet_interfaces settings that do not conflict with each other. Then you need to list the non-default config_directory in the default main.cf under "alternate_config_directories". Then it is a matter of
postfix -c config_directory start
postfix -c config_directory stop
sendmail -C config_directory
mailq -C config_directory
newaliases -C config_directory
etc. to talk to the new instance. A first version of a multi-instance manager will likely become available in the coming weeks. Wietse
Re: Adding a table to proxy_read_maps...
Charles Marcus: > First question... is there a reason that none of the *_limit_maps are > included in proxy_read_maps by default? I.e., maybe doing this is not > recommended? There are no _limit_maps parameters in Postfix. Someone must have introduced these with a patch, and botched the job by not adding his parameters to the default proxy_read_maps setting. Wietse
Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails
David Cottle: > Content-Description: Undelivered Message > Content-Type: message/rfc822 > Content-Transfer-Encoding: 8bit > > Received: from server.engineering.idb (unknown [127.0.0.1]) > by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D > for ; Sun, 11 Jan 2009 23:43:36 + (UTC) > Received-SPF: none (no valid SPF record) > Received: from hosting.mgapi.edu (unknown [82.179.217.2]) > by server.engineering.idb (Postfix) with SMTP > for ; Sun, 11 Jan 2009 23:43:35 + (UTC) > Received: from dpkpyv (181.138.153.218) > by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300 This is your problem. If webmas...@aus-city.com is invalid, then hosting.mgapi.edu MUST NOT ACCEPT MAIL FOR THAT RECIPIENT. To learn more about blocking invalid recipients on an inbound transit mail server, see the archives, as this is discussed here about every other week. See also: http://www.postfix.org/postconf.5.html#relay_recipient_maps http://www.postfix.org/postconf.5.html#relay_domains http://www.postfix.org/ADDRESS_VERIFICATION_README.html Wietse
Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails
David Cottle: > On 13/01/2009, at 10:13, wie...@porcupine.org (Wietse Venema) wrote: > > > David Cottle: > >> Content-Description: Undelivered Message > >> Content-Type: message/rfc822 > >> Content-Transfer-Encoding: 8bit > >> > >> Received: from server.engineering.idb (unknown [127.0.0.1]) > >>by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D > >>for ; Sun, 11 Jan 2009 23:43:36 + > >> (UTC) > >> Received-SPF: none (no valid SPF record) > >> Received: from hosting.mgapi.edu (unknown [82.179.217.2]) > >>by server.engineering.idb (Postfix) with SMTP > >>for ; Sun, 11 Jan 2009 23:43:35 + > >> (UTC) > >> Received: from dpkpyv (181.138.153.218) > >>by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300 .. > Hi Wietse, > > Sorry I am now totally confused as webmas...@aus-city.com is not > invalid it's this address! If webmas...@aus-city.com is valid, then the problem is that your own system is returning mail for webmas...@aus-city.com as undeliverable. That problem has NOTHING to do with spam. Wietse
Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails
David Cottle: > > On 13/01/2009, at 11:44, wie...@porcupine.org (Wietse Venema) wrote: > > > David Cottle: > >> On 13/01/2009, at 10:13, wie...@porcupine.org (Wietse Venema) wrote: > >> > >>> David Cottle: > >>>> Content-Description: Undelivered Message > >>>> Content-Type: message/rfc822 > >>>> Content-Transfer-Encoding: 8bit > >>>> > >>>> Received: from server.engineering.idb (unknown [127.0.0.1]) > >>>> by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D > >>>> for ; Sun, 11 Jan 2009 23:43:36 + > >>>> (UTC) > >>>> Received-SPF: none (no valid SPF record) > >>>> Received: from hosting.mgapi.edu (unknown [82.179.217.2]) > >>>> by server.engineering.idb (Postfix) with SMTP > >>>> for ; Sun, 11 Jan 2009 23:43:35 + > >>>> (UTC) > >>>> Received: from dpkpyv (181.138.153.218) > >>>> by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300 > > .. > >> Hi Wietse, > >> > >> Sorry I am now totally confused as webmas...@aus-city.com is not > >> invalid it's this address! > > > > If webmas...@aus-city.com is valid, then the problem is that > > your own system is returning mail for webmas...@aus-city.com > > as undeliverable. > > > > That problem has NOTHING to do with spam. > > > >Wietse > > Hi Wietse, > > Sorry that is incorrect I am not sending out Viagra emails. I look at THIS WAS MAIL FOR webmas...@aus-city.com. IT IS NOW BEING RETURNED AS UNDELIVERABLE. THIS MESSAGE DOES NOT HAVE YOU AS THE SENDER. Wietse
Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails
David Cottle: > >> Received: from server.engineering.idb (unknown [127.0.0.1]) > >> by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D > >> for ; Sun, 11 Jan 2009 23:43:36 + ... > > THIS WAS MAIL FOR webmas...@aus-city.com. > > The postmaster address on every domain exists but does not accept mail > it will bounce. This was mail for WEBMASTER, now being returned to the sender. If you have a non-functional postmaster address, that is sufficient grounds for getting your entire domains blacklisted. Wietse
Re: Problem with Zen filtering legit e-mail
Roland Plüss: > I never received nor got pointed to a DEBUG_README at all. Where's this one? > Below is the mailing list welcome that you ignored. Wietse TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html Thank you for using Postfix.
Re: Parameter %s to %...@%d
MSG Support: > Hi, > > Our mail server encounter below error on the log: > > Dec 4 04:34:09 localhost postfix/cleanup[26596]: warning: > 3E0582648E7: virtual_alias_maps map lookup problem for > u...@internaldomain Your logfile has much more information on this. See: http://www.postfix.org/DEBUG_README.html#mail for instructions to get the rest. Wietse
Re: xforward and 503 errors
Eric S. Johansson: > I've been over the documentation, mailing list archives, Google a few times > but > I'm not seeing what's wrong. I would appreciate some help. http://www.postfix.org/XFORWARD_README.html After receiving the server's announcement for XFORWARD support, the client may send XFORWARD requests at any time except in the middle of a mail delivery transaction (i.e. between MAIL and RSET or DOT). The command may be pipelined when the server supports ESMTP command pipelining.
Re: backscattering
Bruno GRANDJEAN: > how can I reject mail from outside claiming to be from my domain? > > with a 'from:' header only in the header_checks internal users > cannot send emails, outgoing traffic was completely blocked. If you reject mail from outside with your address in the From: header, then you would never receive your own messages from this mailing list. Wietse
Re: How to restrict ACCESS not RELAY to the SMTP daemon?
Thomas: > Hello, > i try to figure out how to restrict ACCESS to the SMTP daemon. > > With that, i mean something like the tcpwrapper for SMTP/SMTPS ... > > For what? > > I have several root-Servers, vServer and Xen domains - only one is the > mail system and should be available for mail from the internet. > > The others servers use the mail server as the smart relay ("relayhost = > ...") and have mynetworks at "" or "127.0.0.1/8 /32". I think, i > could solve this with mynetworks = "" and mynetworks_style = host ... > > But those servers also need to RECEIVE mail - from the other servers at > least. > That means, for example, they need to receive mail from the mail system > - and for that, they need a running smtpd. > > But all other servers in the internet shall never be able to access > those smtp daemons ... > And this is not about relaying for for this or that recipient, but just > to drop access from all other networks and IPs. > > How to do that?!?! > I just could not find a way :-(
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/access.5.html
http://www.postfix.org/cidr_table.5.html
/etc/postfix/main.cf
    smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_access
/etc/postfix/client_access
    192.168.0.0/28 OK
    192.168.1.1/32 OK
    0.0.0.0/0 REJECT
Use smtpd_CLIENT_restrictions not smtpd_RECIPIENT_restrictions. Wietse
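First-match evaluation of the client_access table above, as an added example (not Postfix code). It goes one step beyond the post by also checking IPv6 clients: 0.0.0.0/0 is an IPv4 pattern, so an IPv6 client matches no line and the decision falls to whatever restrictions follow. The test addresses are constructed.

```python
# Added example: evaluate a cidr access table the way it is read, top down.
import ipaddress

# The table from the reply above.
PAGE_TABLE = """\
192.168.0.0/28   OK
192.168.1.1/32   OK
0.0.0.0/0        REJECT
"""


def parse_cidr_table(text):
    """Return [(network, action)] in file order; '#' lines are comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("line %d: expected 'pattern action'" % lineno)
        # strict=True refuses patterns with host bits set, e.g. 192.168.0.5/28
        rules.append((ipaddress.ip_network(fields[0], strict=True),
                      fields[1].strip()))
    return rules


def decide(rules, client):
    """Action of the first matching pattern, or None when nothing matches."""
    addr = ipaddress.ip_address(client)
    for network, action in rules:
        if addr.version == network.version and addr in network:
            return action
    return None   # no decision here: later restrictions (or none) apply


def families_without_catch_all(rules):
    """IP versions (4, 6) that have no /0 pattern to end the table."""
    covered = {net.version for net, _ in rules if net.prefixlen == 0}
    return sorted({4, 6} - covered)


if __name__ == "__main__":
    rules = parse_cidr_table(PAGE_TABLE)
    for client in ("192.168.0.5", "192.168.0.16", "192.168.1.1",
                   "203.0.113.9", "2001:db8::1"):
        print("%-14s -> %s" % (client, decide(rules, client)))
    print("no catch-all for IPv%s" % families_without_catch_all(rules))
```

On a host whose smtpd also listens on IPv6, a final "::/0 REJECT" line closes the gap that families_without_catch_all reports.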
Re: Share postfix config directory
Rocco Scappatura: > Hello, > > I have different SMTP gateways each one configured exactly at the same > manner. The only difference is the hostname. > > I would like to know if I could define "/etc/postfix" as an NFS share > somewhere and export it on each of my SMTP gateways. The aim is > obviously to change only one configuration file each time that a postfix > configuration update is needed. Let the computer do the work for you. See: man 1 make. If you are not familiar with this tool, then you work too hard. Wietse
Re: connection timeout on win2007 exchange
bharathan kailath: > Hi > > Jan 13 15:43:41 relay1 postfix/smtp[18476]: 5BF411611EE: to=< > valer...@example.com>, relay=xxx.xxx.xxx.xxx[1xxx.xxx.xxx.xxx > ]:25, delay=101565, delays=100962/0.02/3.4/600, dsn=4.4.1, status=deferred > (host xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] said: 421 4 > .4.1 Connection timed out (in reply to end of DATA command)) > > the above is the log from our postfix relay; the host machine is a win2007 > exchange; this happens always; > but some mails go through some not; > > what i can do about this ? Record the content of network packets with tcpdump, and find out which of the following is the case: 1) The client does not end the message with <CR><LF>.<CR><LF> 2) The server does not recognize <CR><LF>.<CR><LF> as the end of message. For example, because some buggy ``security'' software does not correctly handle the case where <CR><LF>.<CR><LF> is sent in two pieces. Wietse
Re: ETRN
bharathan kailath: > we've got a gateway postfix server with which we provide mails to hosted > domains; postfix is configured with Separate Domains with System Accounts > (virtual alias domains and virtual alias maps); clients mail server pop up > and collect all the their mails; it works great; but one of the client using > ETRN and their domain is specified in transport and fast flush domain > parameter in main.cf; that also work; > > but i want to know for this particular client (who send ETRN) can have a > mailbox like other clients? > > now for this particular client our postfix server defer the mail till it get > the ETRN from client; > > the idea is if mailbox is there i can retrieve/monitor the mails if anything > goes wrong ; but is it possible in postfix? This is how ETRN works: 1) The SMTP client sends an ETRN command to the SMTP server. 2) The SMTP server searches the queue and delivers the mail. The Postfix ETRN implementation overrides the defer_transports setting, so you can use that to hold mail in the queue until ETRN. Wietse
Re: Share postfix config directory
Rocco Scappatura: > > > I have different SMTP gateways each one configured exactly at the > > same > > > manner. The only difference is the hostname. > > > > > > I would like to know if I could define "/etc/postfix" as an NFS > share > > > somewhere and export it on each of my SMTP gateways. The aim is > > > obviously to change only one configuration file each time that a > > postfix > > > configuration update is needed. > > > > Let the computer do the work for you. See: man 1 make. If you are > > not familiar with this tool, then you work too hard. > > I know that make is a really powerful tool. I have used it (in the > sense that I have write down some Makefile) for compiling rather few C > projects. At the moment I can't guess how I could use 'make' for my > purpose. I feel that in some manner it could be a substitution matter > that 'make' is very clever to manage. But I can't infer anything more.. > > Could you give me further insight? :-) >
# cat Makefile
# One generated main.cf per gateway host.
FILES = main.cf-a main.cf-b main.cf-c

all: $(FILES)

# Each target is rebuilt from the template, then copied to its host.
main.cf-a: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template >$@
	rsync -av $@ hosta:/etc/postfix

main.cf-b: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template >$@
	rsync -av $@ hostb:/etc/postfix

main.cf-c: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template >$@
	rsync -av $@ hostc:/etc/postfix
Re: Configure an Alternate Interface for Destination
Chris Babcock: Checking application/pgp-signature: FAILURE -- Start of PGP signed section. > On Wed, 14 Jan 2009 10:50:01 -0600 (CST) > "Matt Rude" wrote: > > > > > > > /etc/postfix-asciiking/main.cf: > > > transport_maps = hash:/etc/postfix-asciiking/transport Show "postconf -n" output instead of cut-and-paste. You may have typo-ed something. > > > /etc/postfix-asciiking/master.cf: > > > blocked unix - - n - - smtp -o > > > relayhost = [IP-of-other-Postfix-instance] As documented, relayhost is not used by the smtp CLIENT. Wietse
Re: SPF Checking
Russ Lavoy: > Hello List, > > I am wondering about an SPF checking addition for postfix. Where I see all of the addon software, I am not 100% comfortable modifying the postfix code and still have it be as secure as it was when I first set it up. > > Are there any plans on integrating SPF checking into postfix itself? Use the available plugins. At this point it makes no sense to build any of SPF SRS BATV DKIM ADSP and other technologies into Postfix. The core MTA implements the rock-solid stable protocols. Everything else will be plugged in via more-or-less safe extension interfaces. Wietse
Re: holding messages for one address or one domain in the queue?
Jeff Weinberger: > This may seem like an odd question, but I need to find a way to > suspend delivery of mail to one account or one domain for a short > period of time to allow me to do a bit of maintenance. > > As it stands now, I use maildrop as my delivery transport for virtual > mailboxes. > > Is there a way to tell postfix to hold the mail in its queue until I > tell it I'm ready?
/etc/postfix/transport:
    u...@example.com        retry:4.4.1 Service unavailable
    another.example.com     retry:4.4.1 Service unavailable
> Is this as simple as having maildrop return a temporary failure code?
That would work, too. Postfix will return mail when it exceeds $maximal_queue_lifetime.
> and if that happens, postfix will retry at certain intervals (or on > postqueue -f) right? And if that is a good way to do it, what return > code should maildrop return?
If using pipe-to-command: /usr/include/sysexits.h's EX_TEMPFAIL
If using LMTP: a suitable 4XX numeric code.
Wietse
Re: Share postfix config directory
Rocco Scappatura: > > > > > I have different SMTP gateways each one configurred exactly at > > the > > > > same > > > > > manner. The only difference is the hostname. > > > > > > > > > > I would like to know if I could define "/etc/postfix" as an NFS > > > share > > > > > somewhere and export it on each of my SMTP gateways. The aim is > > > > > obviously to change only one configuration file each time that a > > > > postfix > > > > > configuration update is needed. > > > > > > > > Let the computer do the work for you. See: man 1 make. If you are > > > > not familiar with this tool, then you work too hard. > > > > > > I know that make is a really powerfull tool. I have used it (in the > > > sense that I have write down some Makefile) for compiling rather few > > C > > > projects. At the moment I can't guess how I could use 'make' for my > > > purpouse. I feel that in some manner it could be a substitution > > matter > > > that 'make' is very clever to manage. But I can't infere anything > > more.. > > > > > > Could you give me further insight? :-) > > > > > > > # cat Makefile > > FILES: main.cf-a main.cf-b main.cf-c > > > > all: $(FILES) > > > > main.cf-a: Makefile main.cf-template > > sed 's/whatever/whatever/' main.cf-template >$@ > > rsync -av $@ hosta:/etc/postfix > > > > main.cf-b: Makefile main.cf-template > > sed 's/whatever/whatever/' main.cf-template >$@ > > rsync -av $@ hostb:/etc/postfix > > > > main.cf-c: Makefile main.cf-template > > sed 's/whatever/whatever/' main.cf-template >$@ > > rsync -av $@ hostc:/etc/postfix > > Thanks Wietse, > > you are asserting implicitily that is better to avoid the use of an NFS > filesystem mounted on /etc/postfix of each SMTP gateway? No. You can change the pathnames in my example, and use /some/where/hosta/etc/postfix instead of hosta:/etc/postfix. There are lots of ways to set up NFS shares and I won't speculate on how you did it. You still need something to tell the remote host that the file has changed. Wietse
Re: vServer system resources
Nathan H?sken: > Hi, > > I have installed postfix on a small vServer (256Mb Ram, 10GB HD). I > installed it with dovecot, mysql and postfixadmin. > When I tested it, I got lots of "Cannot allocate Memory" errors. The primary MX for porcupine.org runs on a "non-virtual" machine with 256MB and never has resource problems. It runs, however, with default_process_limit=30, and there are no other resource-hungry processes. > vzfree told me, that I have enough memory. So I assumed a problems > with open sockets. When systems lie about errors, use strace and see what system calls are failing. # strace -f -o outputfile /usr/libexec/postfix/master -d Be prepared for massive amounts of output once you get past the point that things break immediately. Wietse
Re: running on different ports
Leonardo Rodrigues Magalhães: > > Let's suppose i have postfix running smtpd processes in two > different ports. 25 and 587, for example. > > is it possible, in the logs, to differ which connections came from > 25 and which came from 587 ?? I know i can analyze the full transaction
http://www.postfix.org/postconf.5.html#syslog_name
http://www.postfix.org/master.5.html
master.cf:
    smtp .. smtpd -o syslog_name=foobar
Wietse
> and look for sasl authentications on 587 or deliveries on 25 ... but > i would like to filter logs and easily see all connections that came on > one port and all connections that came on the other. > > if some change on master.cf is needed, there's no problem at all. > > is this kind of configuration possible ? > > -- > > > Atenciosamente / Sincerely, > Leonardo Rodrigues > Solutti Tecnologia > http://www.solutti.com.br > > Minha armadilha de SPAM, NÃO mandem email > gertru...@solutti.com.br > My SPAMTRAP, do not email it
Re: Requirement to "always_bcc" except when email is internal
Eric Sammons: > I have a requirement to always_bcc except when email is internal.
Instead of always_bcc use sender_bcc_maps or recipient_bcc_maps.
> I have > investigated options such as always_bcc, sender|recipient_bcc_maps and none > seem to fully address the issue.
Yes they do. Just configure them so that the archive copy is made when: the sender is remote OR the receiver is remote.
/etc/postfix/main.cf:
    sender_bcc_maps = pcre:/etc/postfix/archive-check
    recipient_bcc_maps = pcre:/etc/postfix/archive-check
/etc/postfix/archive-check:
    !/@example\.com$/ arch...@example.com
This is a predicate transformation, from (NOT (local AND local)), what you asked for, into ((NOT local) OR (NOT local)), shown above. Now, if it takes a PhD in nuclear physics to configure an MTA, then that is another issue. Wietse
> Sample scenario. > > My domain is example.com; when a email's RECIPIENT and SENDER are both @ > example.com then process email WITHOUT forwarding a copy to > arch...@archive.example.com. IF the email's RECIPIENT and / or SENDER are > not @example.com then process email AND forward a copy to > arch...@archive.example.com. > > Is this possible with postfix, postfix filters, and / or postfix + procmail? > > Thank you! > Eric