Re: how to flush frozen email from queue
See below the last 3 lines of mailq output:

    [root@mx postfix]# mailq
    ...
     2h  1.6K 1QCSdu-0001X3-Gl <> *** frozen *** r...@mx.mydoom.com
    86m  1.6K 1QCTZz-0003iI-Iz <> *** frozen *** r...@mx.mydoom.com
    26m  1.6K 1QCUW0-000605-PD <> *** frozen *** r...@mx.mydoom.com
    [root@mx postfix]#

I am running postfix! exim exists on the system but is not running.

    [root@mx postfix]# /etc/rc.d/init.d/postfixd status
    master (pid 17757) is running...
    [root@mx postfix]# /etc/rc.d/init.d/exim status
    exim is stopped
    [root@mx postfix]#

Any ideas?

Regards,
Alx

Quoting "Ralf Hildebrandt":

> * Ralf Hildebrandt:
> > * Alex:
> > > Hi Victor,
> > >
> > > All I want to say is that when I run mailq command, I got 4590 frozen
> > > emails.
> >
> > Please show actual output.
>
> Meaning, maybe a few lines.
>
> --
> Ralf Hildebrandt
> Geschäftsbereich IT | Abteilung Netzwerk
> Charité - Universitätsmedizin Berlin
> Campus Benjamin Franklin
> Hindenburgdamm 30 | D-12203 Berlin
> Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
> ralf.hildebra...@charite.de | http://www.charite.de
Re: how to flush frozen email from queue
Quoting "Ralf Hildebrandt":

> * Alex:
> > See below last 3 lines of mailq output:
> >
> > [root@mx postfix]# mailq
> > ...
> >  2h  1.6K 1QCSdu-0001X3-Gl <> *** frozen *** r...@mx.mydoom.com
> > 86m  1.6K 1QCTZz-0003iI-Iz <> *** frozen *** r...@mx.mydoom.com
> > 26m  1.6K 1QCUW0-000605-PD <> *** frozen *** r...@mx.mydoom.com
>
> That's not postfix.
>
> > I am running postfix! exim exist on system but is not running.
>
> Yes it is running. See above. That's exim output. Your mailq binary uses
> exim instead of postfix.

Hi Ralph,

Indeed you are right, I am running Post-Xim :-))

    [root@mx ~]# ls -l /usr/bin/mailq
    /usr/bin/mailq -> /usr/sbin/sendmail
    [root@mx ~]# ls -l /etc/alternatives/mta-mailq
    /etc/alternatives/mta-mailq -> /usr/bin/mailq.exim
    [root@mx ~]#

I've investigated more, because this is a very unusual configuration. Someone before me installed postfix, compiling it by hand. Postfix is started and running (exim is stopped), but mailq and mta-mailq are pointing to exim binaries.

    [root@mx ~]# lsof -i4 |grep smtp
    master 17757 root    12u IPv4 161740442 TCP *:smtp (LISTEN)
    smtpd  20341 postfix  6u IPv4 161740442 TCP *:smtp (LISTEN)
    smtpd  20341 postfix  9u IPv4 163035328 TCP 192.168.21.5:smtp->info.returnpath.net:15450 (ESTABLISHED)
    smtpd  20341 postfix 19u IPv4 163035478 UDP 192.168.21.5:47010->ns2.rdsnet.ro:domain
    smtpd  20341 postfix 20u IPv4 163035576 UDP 192.168.21.5:40566->ns1.netvisiontelecom.ro:domain
    smtpd  20341 postfix 21u IPv4 163035612 UDP 192.168.21.5:40210->ns2.netvisiontelecom.ro:domain
    [root@mx ~]#

Now I would like to link mailq and /etc/alternatives/mta-mailq to point to the correct sendmail.postfix installation, but I cannot find it. Where should I look for it?

Digging around, I found that postfix was installed by hand on 19 March 2009:

    [root@mx ~]# ls -l /usr/sbin/postsuper
    -rwxr-xr-x 1 root root 331463 Mar 17 2009 /usr/sbin/postsuper
    [root@mx ~]#

In /usr/sbin I have (files dated 17 March 2009):

    -rwxr-xr-x 1 root root     324K Mar 17 2009 postsuper
    -rwxr-sr-x 1 root postdrop 514K Mar 17 2009 postqueue
    -rwxr-xr-x 1 root root     469K Mar 17 2009 postmap
    -rwxr-xr-x 1 root root     276K Mar 17 2009 postlog
    -rwxr-xr-x 1 root root     297K Mar 17 2009 postlock
    -rwxr-xr-x 1 root root     305K Mar 17 2009 postkick
    -rwxr-xr-x 1 root root     273K Mar 17 2009 postfix
    -rwxr-sr-x 1 root postdrop 473K Mar 17 2009 postdrop
    -rwxr-xr-x 1 root root     557K Mar 17 2009 postconf
    -rwxr-xr-x 1 root root     305K Mar 17 2009 postcat
    -rwxr-xr-x 1 root root     493K Mar 17 2009 postalias

To what binary should /usr/bin/mailq and /etc/alternatives/mta-mailq point now? If it matters, I am on centos-5.5.

Regards,
Alx
Re: how to flush frozen email from queue
Hi Ralph,

On my system /usr/lib/sendmail is pointing in the wrong direction, see below:

    [root@mx alx2]# ls -l /usr/lib/sendmail
    lrwxrwxrwx 1 root root 30 Sep 14 2009 /usr/lib/sendmail -> /etc/alternatives/mta-sendmail
    [root@mx alx2]# ls -l /etc/alternatives/mta-sendmail
    lrwxrwxrwx 1 root root 22 Sep 8 2010 /etc/alternatives/mta-sendmail -> /usr/lib/sendmail.exim
    [root@mx alx2]# ls -l /usr/lib/sendmail.exim
    lrwxrwxrwx 1 root root 12 Sep 8 2010 /usr/lib/sendmail.exim -> ../sbin/exim
    [root@mx alx2]# ls -l /usr/sbin/exim
    -rwsr-xr-x 1 root root 924220 Jul 13 2010 /usr/sbin/exim
    [root@mx alx2]# rpm -qf /usr/sbin/exim
    exim-4.63-5.el5_5.1
    [root@mx alx2]#

So, where should I look to find the sendmail of postfix?
Or how can I find postfix's sendmail without recompiling postfix again?

Regards,
Alx

Quoting "Ralf Hildebrandt":

> * Alex:
> > See below last 3 lines of mailq output:
> >
> > [root@mx postfix]# mailq
> > ...
> >  2h  1.6K 1QCSdu-0001X3-Gl <> *** frozen *** r...@mx.mydoom.com
> > 86m  1.6K 1QCTZz-0003iI-Iz <> *** frozen *** r...@mx.mydoom.com
> > 26m  1.6K 1QCUW0-000605-PD <> *** frozen *** r...@mx.mydoom.com
>
> That's not postfix.
>
> > I am running postfix! exim exist on system but is not running.
>
> Yes it is running. See above. That's exim output. Your mailq binary uses
> exim instead of postfix.
>
> --
> Ralf Hildebrandt
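The hop-by-hop `ls -l` inspection in this message can be scripted. This is an added example, not code from the thread: `resolve_chain`, `final_target` and `build_sample_tree` are hypothetical helper names, and the sample tree is constructed in a temporary directory to mirror the links the poster listed.

```shell
#!/bin/sh
# Added example (not from the thread). Follows a symlink chain one hop at a
# time and reports the binary a command such as mailq or sendmail really runs.

# resolve_chain PATH
# Prints every hop, one per line, ending with the final target.
# Returns 1 on a dangling link or a symlink loop.
resolve_chain() {
    cur=$1
    hops=0
    while [ -L "$cur" ]; do
        printf '%s\n' "$cur"
        hops=$((hops + 1))
        if [ "$hops" -gt 40 ]; then
            echo "symlink loop at $cur" >&2
            return 1
        fi
        target=$(readlink "$cur") || return 1
        case $target in
            /*) next=$target ;;                     # absolute link
            *)  next=$(dirname "$cur")/$target ;;   # relative to the link's own directory
        esac
        # Normalise ../ components so the result can be handed to `rpm -qf`.
        if ! dir=$(CDPATH= cd "$(dirname "$next")" 2>/dev/null && pwd -P); then
            printf '%s\n' "$next"
            echo "dangling link: $cur -> $target" >&2
            return 1
        fi
        if [ "$dir" = / ]; then dir=; fi
        cur=$dir/$(basename "$next")
    done
    printf '%s\n' "$cur"
    [ -e "$cur" ]
}

# final_target PATH
# Prints only the end of the chain; exit status is that of resolve_chain.
final_target() {
    rc=0
    chain=$(resolve_chain "$1") || rc=$?
    printf '%s\n' "$chain" | tail -n 1
    return "$rc"
}

# build_sample_tree DIR
# Constructed sample data: the same link layout the poster showed, rooted
# under DIR instead of / so the script can be tried without touching a host.
build_sample_tree() {
    r=$1
    mkdir -p "$r/usr/bin" "$r/usr/sbin" "$r/usr/lib" "$r/etc/alternatives"
    : > "$r/usr/sbin/exim"
    ln -s ../sbin/exim "$r/usr/lib/sendmail.exim"
    ln -s "$r/usr/lib/sendmail.exim" "$r/etc/alternatives/mta-sendmail"
    ln -s "$r/etc/alternatives/mta-sendmail" "$r/usr/sbin/sendmail"
    ln -s "$r/usr/sbin/sendmail" "$r/usr/bin/mailq"
}

# Demonstration on the constructed tree. On a real host, call
#   resolve_chain /usr/bin/mailq
# and pass the last line to `rpm -qf`, as the poster did for /usr/sbin/exim.
demo_root=$(CDPATH= cd "$(mktemp -d)" && pwd -P)
build_sample_tree "$demo_root"
for cmd in usr/bin/mailq usr/sbin/sendmail; do
    echo "== $cmd"
    resolve_chain "$demo_root/$cmd" || true
done
rm -rf "$demo_root"
```

A final target owned by the exim package while the Postfix master process holds port 25 is exactly the mismatch this thread ran into.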
Re: how to flush frozen email from queue
Quoting "Dennis Guhl":

> Please stop top posting and multiple resending the same posting.
>
> On Thu, Apr 21, 2011 at 09:50:40AM -0500, li...@vfemail.net wrote:
> > Hi Ralph,
>
> . o O ( =! Ralf ... )
>
> > On my system /usr/lib/sendmail is pointing to the wrong direction, see below:
>
> [..]
>
> > So, where should I look to find the sendmail of postfix?
> > Or how can I find postfix's sendmail without recompiling postfix again?
>
> # postconf | grep sendmail_path
>
> Dennis

Hi Dennis,

    [root@mx ~]# postconf | grep sendmail_path
    sendmail_path = /usr/sbin/sendmail
    [root@mx ~]#

I checked the config file before posting here. On my system /usr/sbin/sendmail is pointing to /etc/alternatives/mta-sendmail, which is pointing to /usr/lib/sendmail.exim, which is pointing to /usr/sbin/exim, which belongs to exim-4.63-5.el5_5.1 (see my past post).

Normally, sendmail (from the postfix install) should be somewhere ... else, I cannot understand how it is possible for this server to work...

Doing a search over the entire system for files/directories with the date on which postfix was installed, I found the following files and directories. So, one of them should be used as sendmail. Which one?

    /home/postfix/.bash_history
    /etc/postfix/makedefs.out
    /etc/postfix/generic
    /etc/postfix/postfix-script
    /etc/postfix/bounce.cf.default
    /etc/postfix/main.cf.default
    /etc/postfix/relocated
    /etc/postfix/post-install
    /etc/postfix/postfix-files
    /etc/postfix/access
    /etc/postfix/main.cf.orig
    /etc/postfix/TLS_LICENSE
    /etc/postfix/canonical
    /etc/postfix/aliases.orig
    /etc/postfix/LICENSE
    /usr/sbin/postconf
    /usr/sbin/postcat
    /usr/sbin/postalias
    /usr/sbin/postdrop
    /usr/sbin/postqueue
    /usr/sbin/postmap
    /usr/sbin/postsuper
    /usr/sbin/postlock
    /usr/sbin/postfix
    /usr/sbin/postkick
    /usr/sbin/postlog
    /usr/local/man/*
    /usr/libexec/postfix/flush
    /usr/libexec/postfix/smtp
    /usr/libexec/postfix/lmtp
    /usr/libexec/postfix/showq
    /usr/libexec/postfix/local
    /usr/libexec/postfix/cleanup
    /usr/libexec/postfix/anvil
    /usr/libexec/postfix/virtual
    /usr/libexec/postfix/proxymap
    /usr/libexec/postfix/verify
    /usr/libexec/postfix/pipe
    /usr/libexec/postfix/trivial-rewrite
    /usr/libexec/postfix/scache
    /usr/libexec/postfix/tlsmgr
    /usr/libexec/postfix/qmqpd
    /usr/libexec/postfix/nqmgr
    /usr/libexec/postfix/oqmgr
    /usr/libexec/postfix/master
    /usr/libexec/postfix/bounce
    /usr/libexec/postfix/error
    /usr/libexec/postfix/qmgr
    /usr/libexec/postfix/discard
    /usr/libexec/postfix/spawn
    /usr/libexec/postfix/smtpd
    /usr/libexec/postfix/pickup
    /var/spool/postfix
    /var/spool/postfix/corrupt
    /var/spool/postfix/saved

As you can see, sendmail does not appear ... How can I fix it?

Regards,
Alx
Re: how to flush frozen email from queue
Quoting "Randy Ramsdell":

> /dev/rob0 wrote:
> > > As you can see, sendmail does not appear ... How can I fix it?
> >
> > This could be ugly. Installation from source, even correctly done,
> > interferes with OS features like this "alternatives" thing. It is
> > well worth your while to spend some time learning how properly to
> > manage your OS before undertaking mail admin.
> >
> > With Redhat-based systems, I suggest using Simon Mudd's SRPMs for a
> > recent Postfix release. As to how to repair the damage, that would
> > be a matter for your CentOS documentation and forums. Good luck.
>
> Using source is fine and necessary at times when you can't wait for
> certain vendors to fix things on their time frame. We run source for
> several things. You just need to manage it accordingly. In fact, I have
> found more than one borked rpm with wrong install dependencies, incorrect
> configurations that break things or overwrite prod configurations or
> incorrect remove dependencies.
>
> Does postfix compile without sendmail by default? You could recompile if
> you feel comfortable.

Fairly I would do just that but I feel comfortable with this.

For those that did not follow this thread from the beginning, I want to mention that the actual config (a mess in my opinion) IS A LEGACY. I don't want to comment more about just make things working and put it in the right shape and agree rob0, is an ugly installation.

I know where to rpm for my distribution (plus repository is what I need to find postfix with sql support built in). I am just trying to fix something with minimal impact on that system. I compiled postfix many times in the past, but for more than 3 years it has not been necessary; everything I need is already done (rpm build).

Regards,
Alx
Re: how to flush frozen email from queue
Quoting "Randy Ramsdell":

> /dev/rob0 wrote:
> > > As you can see, sendmail does not appear ... How can I fix it?
> >
> > This could be ugly. Installation from source, even correctly done,
> > interferes with OS features like this "alternatives" thing. It is
> > well worth your while to spend some time learning how properly to
> > manage your OS before undertaking mail admin.
> >
> > With Redhat-based systems, I suggest using Simon Mudd's SRPMs for a
> > recent Postfix release. As to how to repair the damage, that would
> > be a matter for your CentOS documentation and forums. Good luck.
>
> Using source is fine and necessary at times when you can't wait for
> certain vendors to fix things on their time frame. We run source for
> several things. You just need to manage it accordingly. In fact, I have
> found more than one borked rpm with wrong install dependencies, incorrect
> configurations that break things or overwrite prod configurations or
> incorrect remove dependencies.
>
> Does postfix compile without sendmail by default? You could recompile if
> you feel comfortable.

Fairly I would do just that but I feel comfortable with this.

Just for my curiosity: can postfix be compiled without sendmail (binary)?

As I can see from makedefs.out, postfix has been compiled with ssl and mysql support. No other fancy options have been used. Here comes the makedefs.out content:

    # Do not edit -- this file documents how Postfix was built for your machine.
    SYSTYPE = LINUX2
    AR = ar
    ARFL= rv
    RANLIB = ranlib
    SYSLIBS = -L/usr/lib -L/usr/lib/openssl/engines -L/usr/lib/mysql -L/usr/lib -lsasl2 -lcrypto -lssl -lmysqlclient -lz -lm -Wl,-rpath /usr/lib/mysql -Wl,-rpath /usr/lib -Wl,-rpath /usr/lib/openssl/engines -ldb -lnsl -lresolv
    CC = gcc $(WARN) -DUSE_SASL_AUTH -DHAS_SSL -DHAS_MYSQL -DUSE_CYRUS -DUSE_TLS -I/usr/include/sasl -I/usr/include/openssl -I/usr/include/mysql -I/usr/include
    OPT = -O
    DEBUG = -g
    AWK = awk
    STRCASE =
    EXPORT = AUXLIBS='-L/usr/lib -L/usr/lib/openssl/engines -L/usr/lib/mysql -L/usr/lib -lsasl2 -lcrypto -lssl -lmysqlclient -lz -lm -Wl,-rpath /usr/lib/mysql -Wl,-rpath /usr/lib -Wl,-rpath /usr/lib/openssl/engines' CCARGS='-DUSE_SASL_AUTH -DHAS_SSL -DHAS_MYSQL -DUSE_CYRUS -DUSE_TLS -I/usr/include/sasl -I/usr/include/openssl -I/usr/include/mysql -I/usr/include' OPT='-O' DEBUG='-g'
    WARN= -Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \
        -Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
        -Wunused

Regards,
Alx
Re: how to flush frozen email from queue
Quoting li...@vfemail.net:

> Quoting "Randy Ramsdell":
> > /dev/rob0 wrote:
> > > > As you can see, sendmail does not appear ... How can I fix it?
> > >
> > > This could be ugly. Installation from source, even correctly done,
> > > interferes with OS features like this "alternatives" thing. It is
> > > well worth your while to spend some time learning how properly to
> > > manage your OS before undertaking mail admin.

Just for posterity and from my memory ...

Stop postfix!
Run a script to rename all files installed on 19th March 2009 between 16.45 and 17.00, when postfix was installed by hand.
rpm -ivh postfix-2.3.3-2.el5.centos.mysql_pgsql.*.rpm
Restore main.cf and master.cf, tls certs, etc. from the backed up config directory.
Start postfix!
yum remove exim!
rm -fr /var/spool/exim
userdel -r exim!

Thanks to all posters in this thread!

Regards,
Alx
header_checks for IP & email destination?
Hi,

Running postfix-2.10.1-6.el7.x86_64 on RHEL 7.4.

I've a very unique need to configure Postfix to deliver email based on source IP and destination email address.

Example:
---
If:
    Received: by mx0.example2.com
AND
    Delivered-To: li...@mypenguin.net.au
Action: Deliver
else:
    Discard or Redirect (depending on user)
fi
---

Can postfix header_checks do this? Looks like it'll only accept regex based on a line by line query?

Other research I've done suggests that I could use spamassassin?

Regards,
Craig
Reject/Discard mails to a Receipient
Hello,

I have clients sending mails to a non-existent email address/domain, emailerm...@exchange.example.net. I want to discard any mail sent to this address. I looked at smtpd_recipient_restrictions, but can't figure out how to get this done. Please help me!!

~LA
Re: Reject/Discard mails to a Receipient
Sahil Tandon wrote:

> Linux Addict wrote:
> > Hello, I have clients sending mails to an non-existent email
> > address/domain, emailerm...@exchange.example.net. I want to discard any
> > mail sent to this address. I looked at smtpd_recipient_restrictions, but
> > cant figure out how to get this done. Please help me!!
>
> Why not simply reject such messages? What is the reason you want to
> accept but silently discard messages to that non-existent user? It is
> your choice to do so, but please offer some rationale for the archives.

Sorry.. I wasn't checking my mails for some time. I am open to rejecting those mails as well.

Well. The mails are sent by one of the legacy apps which has hard coded the email address. The email domain has been decommed recently. The engineering will update this email address in their next release. But till that time, I don't want postfix to spend energy on these mails.

So how will I reject mails to the email in question? Transport will do?

Cheers
LA
Re: Reject/Discard mails to a Receipient
Wietse Venema wrote:

> Linux Addict:
> > Sahil Tandon wrote:
> > > Linux Addict wrote:
> > > > Hello, I have clients sending mails to an non-existent email
> > > > address/domain, emailerm...@exchange.example.net. I want to discard any
> > > > mail sent to this address. I looked at smtpd_recipient_restrictions, but
> > > > cant figure out how to get this done. Please help me!!
> > >
> > > Why not simply reject such messages? What is the reason you want to
> > > accept but silently discard messages to that non-existent user? It is
> > > your choice to do so, but please offer some rationale for the archives.
> >
> > Sorry.. I wasn't checking my mails for sometime. I am open to Rejecting
> > those mails as well.. Well. The mails are sent by one of the legacy app
> > which has the hard coded the email address. The email domain has been
> > decommed recently. The engineering will update this email address in
> > their next release. But till that time, I don't want postfix to spend
> > energy on these mails. So How will I reject mails to the email in
> > question. Transport will do?
>
> Transport rules such as:
>
>     u...@example.com    error:5.1.1 user unknown
>     example.com        error:5.1.2 domain unknown
>
> will do the job.
>
>     Wietse

thank you!
Zenoss Monitoring.
Apologies if it's offlist. If anyone is using zenoss to monitor postfix, please reply only to me with whatever details you may have. Thank you very much in advance.

~LA
Bounces.
I am seeing multiple messages on Postfix Maillog. The mx server can't reach the host in question and it's timing out. We monitor the mailq size and because of 100 of messages like this, we are bombarded with pages. What is the best practice to handle these messages? Any help or link to documentation is greatly appreciated.

    A414CD52788     3706 Fri Jan 23 02:36:41  bounce.7d54cafd@example.net
    (connect to a34-mta03.direcpc.com[66.82.4.104]:25: Connection timed out)
                                             movieaho...@direcway.com

~LA
Re: Bounces.
Magnus Bäck wrote:

> On Monday, January 26, 2009 at 23:39 CET, Linux Addict wrote:
> > I am seeing multiple messages on Postfix Maillog. The mx server cant
> > reach the host in question and its timing out. We monitor the mailq size
> > and because of 100 of messages like this, we are bombarded with pages.
> > What is the best practice to handle these messages? Any help or link to
> > documentation is greatly appreciated.
> >
> > A414CD52788 3706 Fri Jan 23 02:36:41 bounce.7d54cafd@example.net
> > (connect to a34-mta03.direcpc.com[66.82.4.104]:25: Connection timed out)
> > movieaho...@direcway.com
>
> Where do these messages come from? Check the logs and inspect the
> messages with postcat(1). Are any of these domains hosted by you?
> If not, why are they being relayed in the first place?
>
> 100 deferred messages in the queue is nothing.

Typo. It's 100s of messages, currently it's more than 1600. We are sending this from one of our internal applications.

What I would like to do is, if a destination host does not have an MX record, then I would like to drop the message, don't want to bounce it.
Re: Bounces.
Wietse Venema wrote:

> Linux Addict:
> > What I would like to do is, if a destination host does not have an MX
> > record, then I would like to drop the message, don't want to bounce it.
>
> The Internet email RFCs do not require MX records. They specify that the
> MTA must deliver by A records when MX records don't exist.
>
>     Wietse

I don't know if it's convincing to send mails to a host where no smtp is running (hence no MX record), but is there any way at all in Postfix to check for an MX record before the qmgr accepts the mail? I know Postfix is compliant to all RFCs, but just wondering if anything customizable exists.

~LA
rbl clients.
Please see below my smtpd_recipient_restrictions. On my rbl client list I have multiple entries, but I am not sure how many of them are actually maintained. Is there one single place where I can find such a list? Any help is greatly appreciated.

    smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
    smtpd_recipient_limit = 300
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination,
        reject_invalid_hostname,reject_unauth_pipelining,
        reject_non_fqdn_sender,reject_unknown_sender_domain,
        reject_non_fqdn_recipient,reject_unknown_recipient_domain,
        reject_rbl_client blackholes.easynet.nl,reject_rbl_client cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
        reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
        reject_rbl_client multihop.dsbl.org,permit

~LA
Re: rbl clients.
Thank you everyone!! Lot of information.

On Fri, Feb 13, 2009 at 4:44 PM, Res wrote:

> On Thu, 12 Feb 2009, Linux Addict wrote:
>
> > reject_rbl_client blackholes.easynet.nl,reject_rbl_client
> > cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
> > reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
> > reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
> > reject_rbl_client multihop.dsbl.org,permit
>
> As others have mentioned, some of these have been dead for a long time, and
> with others, you are doing twice the work, since some RBL's interact with
> each other.
>
> We find the following work great, some recommend using spamhaus first, on
> my private mail server I use it last, to keep under their 'hits per day',
> I don't use spamhaus on employers because of the 'hits per day', and I can't
> justify the rates they want, I find even at home I only get one or two hits
> in a blue moon from spamhaus because SORBS and spamcop end up stopping
> pretty much all of it.
>
> Privately I use:
>     reject_rbl_client dnsbl.njabl.org
>     reject_rbl_client dnsbl.sorbs.net
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client b.barracudacentral.org (you need to register, but it's free)
>     reject_rbl_client zen.spamhaus.org
>
> commercially we use:
>     reject_rbl_client dnsbl.sorbs.net
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client b.barracudacentral.org
>
> and along with things like
>
>     reject_unknown_client_hostname
>     reject_unknown_helo_hostname
>     reject_invalid_helo_hostname
>     reject_non_fqdn_helo_hostname
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>
> we also use sendmail's milter-regex, with all these combined, it's rare
> spam gets through to MailScanner to deal with.
>
> (milter regex rules used: http://kb.ausics.net/sendmail/milter-regex.conf)
>
> --
> Res
>
> "All we need, is just a little patience" -- William Bruce (Axl) Rose
mailbox_size_limit , quota + some other questions
Guys, I would like to understand the above a little better, hence the following questions:

1. Since postfix has a mailbox_size_limit, why do we still need to have quota implemented (say via dovecot)? Is it just for "enforcement and notification"?

1a. Is it ok to just set mailbox_size_limit=0 and then impose quota via dovecot (say 1GB), or must both settings match?

2. For a setup of about 1500 virtual users on a centos 5.2 machine with a raid10 array and with 8gb of ram, what settings do I need to change in postfix for better performance with regards to main.cf / master.cf? Dovecot provides POP/IMAP services.

Thnx.
Re: mailbox_size_limit , quota + some other questions
replies below...

> > 1. Since postfix has a mailbox_size_limit, why do we still need to have
> > quota implemented (say via dovecot). Is it just for "enforcement and
> > notification"?
>
> Some admins like to set per user (or group) quotas via dovecot. Many dovecot
> implementations use Maildir mailboxes, for which quotas are not supported by
> mailbox_size_limit.

thanx, i did not know that mailbox_size_limit did not cover maildir type mail boxes

> > 1a. Is it ok to just set mailbox_size_limit=0 and then impose quota via
> > dovecot (say 1GB) or must both settings match?
>
> The two settings do not have to match.
>
> > 2. For a setup of about 1500 virtual users on a centos 5.2 machine with a
> > raid10 array and with 8gb of ram, what settings do i need to change in
> > postfix for better performance with regards to main.cf /master.cf. Dovecot
> > provides POP/IMAP services.
>
> Way too general.

Sorry. Allow me to rephrase: is there any setting in postfix (main.cf, master.cf) whereby we can increase the number of threads, memory usage, etc. to allow for higher concurrency?

Thanx.
Re: mailbox_size_limit , quota + some other questions
> > Sorry. Allow me to rephrase, is there any setting in postfix (main.cf,
> > master.cf) whereby we can increase the number of threads, memory usage
> > ,etc to allow for higher concurrency?
>
> 1500 users is not very many. You probably don't need higher than default
> concurrency.
>
> http://www.postfix.org/TUNING_README.html

1500 users is not much? wow, how much users can a xeon dual processor box with a RAID10 array, 8 gigs of ram handle. i would appreciate a rough estimate?
Re: mailbox_size_limit , quota + some other questions
victor, replies below

> > 1500 users is not much? wow, how much users can a xeon dual processor box
> > with a RAID10 array, 8 gigs of ram handle. i would appreciate a rough
> > estimate?
>
> Depends on how much content processing you force on the CPU. If it is
> a webmail server, IMAP server, virus scanner, anti-spam filter, ... your
> constraint will be CPU, and there won't be any idle cycles to use by
> increasing concurrency.

it's a dedicated email box, no webserver etc, but yes imap, etc.

> If you don't design-in a lot of CPU demand, the MTA alone will easily
> forward traffic for 10,000+ users with near default settings, provided

ok. so, that box can handle with postfix's default settings, 1 users? that's nice to know. thanx. we won't be going to that size.

> one has working recipient validation, and subscribes to a SpamHaus
> data-feed for local zen.spamhaus.org lookups. With just 1500 users,
> the public RBL mirrors may be sufficient.

i have been thinking of using sorbs instead of spamhaus because sorbs allows sites with up to 100k user to connect to them but with spamhaus u are limited to 100users max. Sorbs has a detection rate of about 68% and i was thinking of beefing our spam wall with grey listing.

Do u have any suggestions about this?
Re: mailbox_size_limit , quota + some other questions
replies below

> > so, that box can handle with postfix's default settings, 1 users? that's
> > nice to know. thanx.
> > we wont be going to that size.
>
> the problem you will have is not on the postfix side. content filters
> and imap are more hungry.

noted.

> > > one has working recipient validation, and subscribes to a SpamHaus
> > > data-feed for local zen.spamhaus.org lookups. With just 1500 users,
> > > the public RBL mirrors may be sufficient.
> >
> > i have been thinking of using sorbs instead of spamhaus because sorbs
> > allows sites with upto 100k user to connect to them but with spamhaus u
> > are limited to 100users max. Sorbs has a detection rate of about 68% and
> > i was thinking of beefing our spam wall with grey listing.
> >
> > Do u have any suggestions about this?
>
> where did you get the 100 users limit for spamhaus? spamhaus have no
> idea how many users you server, they only watch dns queries, which are
> related to how many messages you receive (minus those you reject before
> DNSBL query, minus caching when the same IP tries again). And besides,
> 100 is ridiculously low.

it's on their website. i saw it ... but can't seem to locate it now. but what i got today was:

    Your use of the Spamhaus DNSBLs is non-commercial*, and
    Your email traffic is less than 100,000 SMTP connections per day, and
    Your DNSBL query volume is less than 300,000 queries per day.

So, guess it's ok.
Re: Variables for addresses in master.cf
not in anything i hv read so far

----- Original Message -----
> From: Daniel L. Miller
> To: Postfix Users List
> Sent: Wednesday, March 4, 2009 5:38:40 AM
> Subject: Variables for addresses in master.cf
>
> Does Postfix support variables (I suppose defined in main.cf) to be used for
> internet addresses in master.cf? Example:
>
> main.cf:
>     inbound_interface = 192.168.0.10
>     outbound_interface = 192.168.0.11
>
> master.cf:
>     inbound_interface:25 inet n - - - - smtpd
>     outbound_interface:submission inet n - - - - smtpd
>
> --
> Daniel
smtpd_recipient_restrictions Check
Dear Group,

I am modifying my recipient restrictions to what is displayed below. I referred to many documents to compile the options. I want you experts to verify it once for me.

    smtpd_recipient_restrictions =
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient,
        reject_invalid_hostname,
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        reject_unauth_pipelining,
        reject_unknown_reverse_client_hostname
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        permit

Thank you
~LA
Re: smtpd_recipient_restrictions Check
On Tue, Mar 10, 2009 at 12:24 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Tue, Mar 10, 2009 at 12:17:29PM -0400, Matt Hayes wrote:
>
> > Linux Addict wrote:
> > > Dear Group, I am modifying my recipient restrictions to displayed below.
> > > I referred many documents to compile the options. I want you experts to
> > > once verify it for me.
> > >
> > > smtpd_recipient_restrictions =
> > > reject_non_fqdn_sender,
> > > reject_non_fqdn_recipient,
> > > reject_unknown_sender_domain,
> > > reject_unknown_recipient_domain,
> > > permit_mynetworks,
> > > permit_sasl_authenticated,
> > > reject_unauth_destination,
> > > reject_unlisted_recipient,
> > > reject_invalid_hostname,
> > > reject_invalid_helo_hostname
> > > reject_non_fqdn_helo_hostname
> > > reject_unauth_pipelining,
> > > reject_unknown_reverse_client_hostname
> > > reject_rbl_client zen.spamhaus.org,
> > > reject_rbl_client bl.spamcop.net,
> > > permit
> > >
> > > Thank you
> > > ~LA
> >
> > I would suggest moving permit_sasl_authenticated to the top of that
> > list. Either that or using the submission service for SASL
> > authenticated users
>
> There is not much point in accepting invalid sender and recipient addresses
> from MUAs. The restriction is fine where it is.
>
> --
>     Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> <mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.

The reason I moved it below is that there seem to be some rogue hosts/users (mostly things like "Refer a Link") misusing the priority and injecting spam.
Re: smtpd_recipient_restrictions Check
On Tue, Mar 10, 2009 at 12:22 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Tue, Mar 10, 2009 at 11:59:22AM -0400, Linux Addict wrote:
>
> > Dear Group, I am modifying my recipient restrictions to displayed below. I
> > referred many documents to compile the options. I want you experts to once
> > verify it for me.
> >
> > smtpd_recipient_restrictions =
> > reject_non_fqdn_sender,
> > reject_non_fqdn_recipient,
> > reject_unknown_sender_domain,
> > reject_unknown_recipient_domain,
>
> This mostly for hosts that handle "submission" from MUAs. Often best to
> move submission to port 587 and apply only there. You'll reject bogus
> domains from untrusted senders anyway.
>
> > permit_mynetworks,
> > permit_sasl_authenticated,
> > reject_unauth_destination,
> > reject_unlisted_recipient,
> > reject_invalid_hostname,
> > reject_invalid_helo_hostname
>
> The two above are the same.
>
> > reject_non_fqdn_helo_hostname
>
> Why so much emphasis on HELO names, they are not a very effective
> spam sign.
>
> > reject_unauth_pipelining,
>
> Currently best in smtpd_data_restrictions, where it is effective after
> EHLO, as during RCPT TO, additional RCPT TO commands or the "DATA"
> command can be legitimately "PIPELINED" in the same packet.
>
> > reject_unknown_reverse_client_hostname
> > reject_rbl_client zen.spamhaus.org,
> > reject_rbl_client bl.spamcop.net,
> > permit
>
> Fairly sensible overall.

Is it better to place rbl rejections under smtpd_client_restrictions?

> --
>     Viktor.
Re: NMAP information about postfix
On Mon, Apr 19, 2010 at 11:37 AM, Wietse Venema wrote:

> Gaby L:
> > Hi
> > I scan with my postfix server with NMap from other location.
> > The NMAP creates report smtp port open (It is OK) but appear Postfix smtpd and other information about MTA program.
> > I don't want to appear any information about my MTA server.
>
> To disclose no information, close the SMTP port.
>
> Seriously.
>
> Even when you change the smtpd_banner value to say "$myhostname
> ESMTP Sendmail" (this text MUST start with the hostname), the
> server's replies (especially error messages) still reveal that it's
> really Postfix.
>
>     Wietse

Disclaimer :- It may violate some RFCs and possibly break the smtp system itself.

[r...@stick ~]# grep ^smtpd_banner /etc/postfix/main.cf
smtpd_banner = "unknown"

[r...@stick ~]# telnet 0 25
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 "unknown"
Re: NMAP information about postfix
On Tue, Apr 20, 2010 at 1:33 PM, Brian Evans - Postfix List <grkni...@scent-team.com> wrote:

> On 4/20/2010 1:23 PM, Linux Addict wrote:
> >
> > On Mon, Apr 19, 2010 at 11:37 AM, Wietse Venema <mailto:wie...@porcupine.org> wrote:
> >
> >     Gaby L:
> >     > Hi
> >     > I scan with my postfix server with NMap from other location.
> >     > The NMAP creates report smtp port open (It is OK) but appear
> >     > Postfix smtpd and other information about MTA program.
> >     > I don't want to appear any information about my MTA server.
> >
> >     To disclose no information, close the SMTP port.
> >
> >     Seriously.
> >
> >     Even when you change the smtpd_banner value to say "$myhostname
> >     ESMTP Sendmail" (this text MUST start with the hostname), the
> >     server's replies (especially error messages) still reveal that it's
> >     really Postfix.
> >
> >         Wietse
> >
> > Disclaimer :- It may violate some RFCs and possibly break the smtp
> > system itself.
> >
> > [r...@stick ~]# grep ^smtpd_banner /etc/postfix/main.cf
> > smtpd_banner = "unknown"
> >
> > [r...@stick ~]# telnet 0 25
> > Trying 0.0.0.0...
> > Connected to 0.
> > Escape character is '^]'.
> > 220 "unknown"
>
> As Wietse mentioned, the above has no effect on determining the server
> type.
>
> Just because the banner doesn't say Postfix, doesn't mean a
> script/person couldn't figure it out from the response/error messages.

True. seems nmap doesn't even check the banner, it does an EHLO and picks the mta from response code.

25/tcp open  smtp  Postfix smtpd

postfix/smtpd[21190]: lost connection after EHLO from stick[127.0.0.1]
Disable NDR
Hello, One of my postfix server is sending thousands of messages to non-existent mail box in another internal server. The internal application sends mail as mailb...@domain.net thru postfix. The TO addresses are invalid. I need reject messages from those domains not resolved. to=, relay=none, delay=0.05, delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=dsaperftest.edu type=A: Host not found) thank you LA
Re: Disable NDR
On Mon, May 24, 2010 at 2:05 PM, Linux Addict wrote:

> Hello, One of my postfix server is sending thousands of messages to
> non-existent mail box in another internal server. The internal application
> sends mail as mailb...@domain.net thru postfix. The TO addresses are
> invalid. I need reject messages from those domains not resolved.
>
> to=, relay=none, delay=0.05,
> delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not
> found. Name service error for name=dsaperftest.edu type=A: Host not found)
>
> thank you
> LA

These are the restrictions. Surely the host which is sending spam is part of mynetworks.

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client multihop.dsbl.org,
    permit
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_limit = 300
data_directory = /var/lib/postfix
smtpd_tls_wrappermode = no
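The ordering points raised in this thread and in the earlier smtpd_recipient_restrictions review can be checked mechanically. The following is an added example, not code from the list or from Postfix: the function names and finding labels are assumptions, and both sample configurations are constructed from the lists posted in the two threads (the second with its RBL entries abridged).

```python
import re

# Pre-2.3 restriction names and the current names Postfix treats as identical.
ALIASES = {
    "reject_invalid_hostname": "reject_invalid_helo_hostname",
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_unknown_hostname": "reject_unknown_helo_hostname",
}
# Restrictions that consume the next token as their argument.
TAKES_ARG = ("check_", "reject_rbl_", "reject_rhsbl_", "permit_dnswl_", "permit_rhswl_")
# Address sanity checks that never run for a client permit_mynetworks already accepted.
ADDRESS_CHECKS = {
    "reject_non_fqdn_sender", "reject_unknown_sender_domain",
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
}

def parse_main_cf(text):
    """Return {parameter: value}; lines that start with whitespace continue the previous one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, value = (s.strip() for s in raw.split("=", 1))
            params[current] = value
    return params

def split_restrictions(value):
    """Split on commas or whitespace, keeping 'name argument' pairs together."""
    rules, want_arg = [], False
    for tok in filter(None, re.split(r"[,\s]+", value)):
        if want_arg:
            rules[-1] += " " + tok
            want_arg = False
        else:
            rules.append(tok)
            want_arg = tok.startswith(TAKES_ARG)
    return rules

def lint(params):
    """Return (label, rule) findings for smtpd_recipient_restrictions."""
    rcpt = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    canon = []
    for rule in rcpt:
        head, _, arg = rule.partition(" ")
        canon.append((ALIASES.get(head, head) + " " + arg).strip())
    findings, seen = [], set()
    # 1. The same check listed twice, possibly under its old and its new name.
    for rule, name in zip(rcpt, canon):
        if name in seen:
            findings.append(("duplicate", rule))
        seen.add(name)
    # 2. Pipelining check at RCPT TO time instead of in smtpd_data_restrictions.
    data = split_restrictions(params.get("smtpd_data_restrictions", ""))
    if "reject_unauth_pipelining" in canon and "reject_unauth_pipelining" not in data:
        findings.append(("belongs-in-smtpd_data_restrictions", "reject_unauth_pipelining"))
    # 3. Address checks placed after permit_mynetworks: trusted clients skip them.
    if "permit_mynetworks" in canon:
        start = canon.index("permit_mynetworks") + 1
        for rule, name in zip(rcpt[start:], canon[start:]):
            if name in ADDRESS_CHECKS:
                findings.append(("bypassed-by-permit_mynetworks", rule))
    return findings

# Constructed from the list posted in the 2009 review thread.
POST_2009 = """\
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_invalid_hostname,
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unauth_pipelining,
    reject_unknown_reverse_client_hostname
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit
"""

# Constructed from the list posted in the "Disable NDR" thread (RBL entries abridged).
POST_2010 = """\
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, permit
"""

if __name__ == "__main__":
    for label, text in (("2009 list", POST_2009), ("2010 list", POST_2010)):
        for finding in lint(parse_main_cf(text)):
            print(label, *finding)
```

On the 2010 list the third check explains the symptom in this thread: the internal sender matches permit_mynetworks first, so reject_unknown_recipient_domain is never evaluated for it.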
Re: Disable NDR
On Mon, May 24, 2010 at 2:25 PM, John Adams wrote:

> On 24.05.2010 20:05, Linux Addict wrote:
>
>> Hello, One of my postfix server is sending thousands of messages to
>> non-existent mail box in another internal server. The internal
>> application sends mail as mailb...@domain.net
>> <mailto:mailb...@domain.net> thru postfix. The TO addresses are invalid.
>>
>> I need reject messages from those domains not resolved.
>>
>> to=<mailto:dmr0613420524125827...@dsaperftest.edu>>, relay=none,
>> delay=0.05, delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or
>> domain name not found. Name service error for name=dsaperftest.edu
>> <http://dsaperftest.edu> type=A: Host not found)
>>
>> thank you
>> LA
>
> Well, if its one of your hosts doing the spamming turn off the application
> that is causing it. Or blacklist the sender host's IP address on the first
> receiving smtp server. Or do some sender address verification on your mail
> gateway (or however your email architecture looks like - I have no idea).

The postfix MX are behind a load balancer so they don't show the actual IP. I stopped the postfix, then did postcat on one of the queued message and found the spam host.

thanks for your help.
Upgrade 2.5.4
Hello, I am running postfix 2.5.4 and would like to upgrade it to latest stable 2.7.0. What is the best way upgrade? Do a clean install and port the settings to newer version? Any help is appreciated. ~LA
Re: Upgrade 2.5.4
On Tue, Oct 19, 2010 at 3:37 PM, fake...@fakessh.eu wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 19.10.2010 19:42, Victor Duchovni wrote:
> > On Tue, Oct 19, 2010 at 12:17:23PM -0400, Linux Addict wrote:
> >
> >> Hello, I am running postfix 2.5.4 and would like to upgrade it to latest
> >> stable 2.7.0. What is the best way upgrade? Do a clean install and port the
> >> settings to newer version? Any help is appreciated.
> >
> > No. Do an upgrade. If installing from source:
> >
> >     Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> >
> >     % make
> >     % su root
> >     # postfix stop
> >     # make upgrade
> >     # postfix start
> >
> > If installing from a well constructed package:
> >
> >     Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> >
> >     # postfix stop
> >     # some-command-to-install-updated-package
> >     # postfix start
> >
> > In either case, save the updated main.cf and master.cf files that
> > are automatically upgraded as part of the install process.
> >
> > If the package is not well constructed:
> >
> >     Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> >
> >     # postfix stop
> >
> >     # mkdir -p /etc/postfix/cfsavedir
> >     # cp /etc/postfix/main.cf /etc/postfix/master.cf \
> >         /etc/postfix/cfsavedir/
> >
> >     # some-command-to-install-updated-poorly-constructed-package
> >
> >     # cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/master.cf \
> >         /etc/postfix/
> >     # postfix set-permissions upgrade-configuration
> >
> >     # postfix start
> >
> > A package is not well constructed if it fails to preserve and upgrade
> > your existing main.cf and master.cf files.

Thanks Victor. Reading from 2.6 releasing notes, it looks like postfix changed how multiple instances are handled. I am going to test on sandbox.
Re: Upgrade 2.5.4
On Wed, Oct 20, 2010 at 3:21 PM, Linux Addict wrote: > > On Tue, Oct 19, 2010 at 3:37 PM, fake...@fakessh.eu wrote: > >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> Le 19.10.2010 19:42, Victor Duchovni a écrit : >> > On Tue, Oct 19, 2010 at 12:17:23PM -0400, Linux Addict wrote: >> > >> >> Hello, I am running postfix 2.5.4 and would like to upgrade it to >> latest >> >> stable 2.7.0. What is the best way upgrade? Do a clean install and port >> the >> >> settings to newer version? Any help is appreciated. >> > >> > No. Do an upgrade. If installing from source: >> > >> > Read the RELEASE_NOTES file for 2.6 and 2.7, then: >> > >> > % make >> > % su root >> > # postfix stop >> > # make upgrade >> > # postfix start >> > >> > If installing from a well constructed package: >> > >> > Read the RELEASE_NOTES file for 2.6 and 2.7, then: >> > >> > # postfix stop >> > # some-command-to-install-updated-package >> > # postfix start >> > >> > In either case, save the updated main.cf and master.cf files that >> > are automatically upgraded as part of the install process. >> > >> > If the package is not well constructed: >> > >> > Read the RELEASE_NOTES file for 2.6 and 2.7, then: >> > >> > # postfix stop >> > >> > # mkdir -p /etc/postfix/cfsavedir >> > # cp /etc/postfix/main.cf /etc/postfix/master.cf \ >> > /etc/postfix/cfsavedir/ >> > >> > # some-command-to-install-updated-poorly-constructed-package >> > >> > # cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/ >> master.cf \ >> > /etc/postfix/ >> > # postfix set-permissions upgrade-configuration >> > >> > # postfix start >> > >> > A package is not well contstructed if it fails to preserve and upgrade >> > your existing main.cf and master.cf files. >> > >> >> > Thanks Victor. Reading from 2.6 releasing notes, it looks like postfix > changed how multiple instances are handled. I am going to test on sandbox. 
> Sorry about beating the dead horse, but just came to know that there are few 2.2 postfix instances which needs to upgraded to 2.7 as well. Does upgrade stands true for 2.2 to 2.7 or install a clean 2.7 and just port the postconf -n will suffice? thanks again.
Re: Upgrade 2.5.4
On Tue, Nov 2, 2010 at 1:31 PM, Wietse Venema wrote: > Linux Addict: > > >> > If the package is not well constructed: > > >> > > > >> > Read the RELEASE_NOTES file for 2.6 and 2.7, then: > > >> > > > >> > # postfix stop > > >> > > > >> > # mkdir -p /etc/postfix/cfsavedir > > >> > # cp /etc/postfix/main.cf /etc/postfix/master.cf \ > > >> > /etc/postfix/cfsavedir/ > > >> > > > >> > # some-command-to-install-updated-poorly-constructed-package > > >> > > > >> > # cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/ > > >> master.cf \ > > >> > /etc/postfix/ > > >> > # postfix set-permissions upgrade-configuration > > >> > > > >> > # postfix start > > >> > > > >> > A package is not well contstructed if it fails to preserve and > upgrade > > >> > your existing main.cf and master.cf files. > > >> > > > >> > > >> > > > Thanks Victor. Reading from 2.6 releasing notes, it looks like postfix > > > changed how multiple instances are handled. I am going to test on > sandbox. > > > > Sorry about beating the dead horse, but just came to know that there are > few > > 2.2 postfix instances which needs to upgraded to 2.7 as well. Does > upgrade > > stands true for 2.2 to 2.7 or install a clean 2.7 and just port the > postconf > > -n will suffice? > > No. The config files need to be upgraded, not overwritten. > > If you install clean 2.7, then follow instructions above as with > "not well constructed package", i.e. save the config files, install > Postfix, restore the config files and do "postfix set-permissions > upgrade-configuration". > >Wietse > Awsome, thank you. Testing the upgrade from 2.2 to 2.7.
Re: Upgrade 2.5.4
On Wed, Nov 3, 2010 at 4:48 AM, Terry Kemp wrote: > On 11/3/10, Linux Addict wrote: > > On Tue, Nov 2, 2010 at 1:31 PM, Wietse Venema > wrote: > > > >> Linux Addict: > >> > >> > If the package is not well constructed: > >> > >> > > >> > >> > Read the RELEASE_NOTES file for 2.6 and 2.7, then: > >> > >> > > >> > >> > # postfix stop > >> > >> > > >> > >> > # mkdir -p /etc/postfix/cfsavedir > >> > >> > # cp /etc/postfix/main.cf /etc/postfix/master.cf \ > >> > >> > /etc/postfix/cfsavedir/ > >> > >> > > >> > >> > # > some-command-to-install-updated-poorly-constructed-package > >> > >> > > >> > >> > # cp /etc/postfix/cfsavedir/main.cf/etc/postfix/cfsavedir/ > >> > >> master.cf \ > >> > >> > /etc/postfix/ > >> > >> > # postfix set-permissions upgrade-configuration > >> > >> > > >> > >> > # postfix start > >> > >> > > >> > >> > A package is not well contstructed if it fails to preserve and > >> upgrade > >> > >> > your existing main.cf and master.cf files. > >> > >> > > >> > >> > >> > >> > >> > > Thanks Victor. Reading from 2.6 releasing notes, it looks like > postfix > >> > > changed how multiple instances are handled. I am going to test on > >> sandbox. > >> > > >> > Sorry about beating the dead horse, but just came to know that there > are > >> few > >> > 2.2 postfix instances which needs to upgraded to 2.7 as well. Does > >> upgrade > >> > stands true for 2.2 to 2.7 or install a clean 2.7 and just port the > >> postconf > >> > -n will suffice? > >> > >> No. The config files need to be upgraded, not overwritten. > >> > >> If you install clean 2.7, then follow instructions above as with > >> "not well constructed package", i.e. save the config files, install > >> Postfix, restore the config files and do "postfix set-permissions > >> upgrade-configuration". > >> > >>Wietse > >> > > > > > > Awsome, thank you. Testing the upgrade from 2.2 to 2.7. 
> >
> >
> --
> Sent from my mobile device
>

Victor, I see these message after upgrade and in fact its RHEL4 w/ openssl-0.9.7a-43.17.el4_6.1

Nov 3 12:02:11 MXHOST postfix/smtp[6209]: certificate verification failed for MXHOST-1[10.46.200.23]:25: untrusted issuer /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Nov 3 12:02:11 MXHOST postfix/smtp[6209]: warning: tls_text_name: MXHOST-1[10.46.200.23]:25: error decoding peer subject CN of ASN.1 type=12
Nov 3 12:02:11 MXHOST postfix/smtp[6209]: warning: TLS library problem: 6209:error:0D07A0A0:asn1 encoding routines:ASN1_mbstring_copy:unknown format:a_mbstr.c:142:

I see your patch "coded_CN_buf = vstring_alloc(strlen(CN) + 1); \" on http://www.mailinglistarchive.com/postfix-users@postfix.org/msg35241.html which already in place for 2.7.1.

I know its not postfix issue, cause I was getting cert error even before upgrade, but "TLS Library Problem" is an additional error after the upgrade.

Cheers.
Re: Multiple relay_hosts
newbie error.. lets give him/her some love... and a gentle hint... ;) - Original Message > From: LuKreme > To: postfix-users@postfix.org > Sent: Sunday, June 21, 2009 2:20:22 AM > Subject: Re: Multiple relay_hosts > > On 20 Jun, 2009, at 09:17 , Cory Hawkless wrote: > > Hi, thanks for the reply(And prompt!) But i'm confused as to what you mean > > about hijacking threads? > > Instead of starting your own thread, you replied to Fakessh's message with > the > subject 'sid-milter with postfix' then you changed the subject and wrote your > message. > > This is hijacking a thread, and it screws up threading. > > >
Header Time
Hi, I am sure someone can clarify it for me. A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to doing -400 (EDT). by postfixmta.domain.net (Postfix) with SMTP id 62B1257AB5 for ; Thu, 25 Jun 2009 12:16:12 -0400 (EDT) But I looked at var log messages, it shows the right time there. Did I configured anything wrong or how to fix this? Thank you very much!! ~LA
Re: Header Time
On Thu, Jun 25, 2009 at 1:41 PM, ghe wrote: > On 6/25/09 9:50 AM, Linux Addict wrote: > > A device uses postfix relay to send mails out. When I receive them in >> outlook, they are 4 hrs behind. When I looked at the header, postfix seems >> to doing -400 (EDT). >> > > Hmmm. 4 hours. Are you using greylisting? > > -- > Glenn English > g...@slsware.com > > We are, but these aren't even going out. There is a transport map which directs it to internal exchange servers. I am curious where its getting the -400(EDIT) from.
Re: Header Time
On Thu, Jun 25, 2009 at 2:22 PM, Sahil Tandon wrote:

> On Jun 25, 2009, at 2:06 PM, Linux Addict wrote:
>
> > On Thu, Jun 25, 2009 at 1:41 PM, ghe <g...@slsware.com> wrote:
> >
> >> On 6/25/09 9:50 AM, Linux Addict wrote:
> >>
> >>> A device uses postfix relay to send mails out. When I receive them in
> >>> outlook, they are 4 hrs behind. When I looked at the header, postfix seems
> >>> to doing -400 (EDT).
> >>
> >> Hmmm. 4 hours. Are you using greylisting?
> >>
> >> --
> >> Glenn English
> >> g...@slsware.com
> >
> > We are, but these aren't even going out. There is a transport map which
> > directs it to internal exchange servers.
> >
> > I am curious where its getting the -400(EDIT) from.
>
> No Outlook help here but what exactly is the Postfix problem? Or is the
> GMT -> EDT terminology confusing you? EDT = Eastern Daylight Time = GMT - 4:00.

Not looking for any outlook. See below the complete header. The BOLD text is where message enters the postfix and time seem adjusted. On my Mail Client, the sent time is showing as Wed 6/24/2009 *1:12 PM* instead of *5:12PM* ie. -4 hours. I believe that was caused by -0400 (EDT) modified by postfix.

Microsoft Mail Internet Headers Version 2.0
Received: from NYCEX20.MYDOMAIN.NET ([XX.XX.XX.XX]) by NYCEX20.MYDOMAIN.NET with Microsoft SMTPSVC(6.0.3790.3959);
    Wed, 24 Jun 2009 17:13:42 -0400
Received: from POSTFIXMTA.MYDOMAIN.NET ([XX.XX.XX.XX]) by NYCEX20.MYDOMAIN.NET with Microsoft SMTPSVC(6.0.3790.3959);
    Wed, 24 Jun 2009 17:13:42 -0400
Received: from LCM (unknown [XX.XX.XX.XX])
    by POSTFIXMTA.MYDOMAIN.NET (Postfix) with SMTP id A21103A006F
    for ; *Wed, 24 Jun 2009 17:13:39 -0400 (EDT)*
From: bac...@mydomain.net
To: backups-al...@mydomain.net
Subject: T120 Test Mail
Date: *Wed, 24 Jun 2009 17:11:41*
Message-Id: <20090624211340.a21103a0...@postfix.mydomain.net>
Return-Path: bac...@mydomain.net
X-OriginalArrivalTime: 24 Jun 2009 21:13:42.0727 (UTC) FILETIME=[A7067570:01C9F510]
Re: Header Time
On Thu, Jun 25, 2009 at 4:17 PM, ghe wrote: > I can't say much because I know next to nothing about Outlook and friends, > but MS keeps time in local time (I hear), and *nix goes on GMT, and there's > a 4 hour time correction for your local time, and you're seeing a 4 hour > time change in your headers in mail being passed between *nix and MS. Betcha > it's in there somewhere... > > > -- > Glenn English > g...@slsware.com > > I dont think this is something to do with outlook as I tested with yahoo and gmail as well. I see the same pattern. Looks to me message leaves postfix with updated time stamp. Is there any verbose can enabled in postfix to see what its doing to check time change process?
Re: Header Time
On Thu, Jun 25, 2009 at 5:11 PM, Blake Hudson wrote:

> Original Message
> Subject: Re: Header Time
> From: Linux Addict
>
>> I dont think this is something to do with outlook as I tested with yahoo
>> and gmail as well. I see the same pattern.
>> Looks to me message leaves postfix with updated time stamp. Is there any
>> verbose can enabled in postfix to see what its doing to check time change
>> process?
>
> The only problem I see is that your appliance sends the date as "Date:
> Wed, 24 Jun 2009 17:11:41" when it should send as "Date: Wed, 24 Jun 2009
> 17:11:41 -0400". Since no time zone is provided, most mail clients likely
> interpret this as UTC time and display accordingly. If your device send
> email for the correct time zone, set the clock as UTC on the device.
>
> -Blake

A RHEL host(mailx) was able to sent correctly, but I didn't compare headers of the both. I will do it next morning and will confirm.
Re: Header Time
On Thu, Jun 25, 2009 at 10:18 PM, Linux Addict wrote:

> On Thu, Jun 25, 2009 at 5:11 PM, Blake Hudson wrote:
>
>> Original Message
>> Subject: Re: Header Time
>> From: Linux Addict
>>
>>> I dont think this is something to do with outlook as I tested with yahoo
>>> and gmail as well. I see the same pattern.
>>> Looks to me message leaves postfix with updated time stamp. Is there any
>>> verbose can enabled in postfix to see what its doing to check time change
>>> process?
>>
>> The only problem I see is that your appliance sends the date as "Date:
>> Wed, 24 Jun 2009 17:11:41" when it should send as "Date: Wed, 24 Jun 2009
>> 17:11:41 -0400". Since no time zone is provided, most mail clients likely
>> interpret this as UTC time and display accordingly. If your device send
>> email for the correct time zone, set the clock as UTC on the device.
>>
>> -Blake
>
> A RHEL host(mailx) was able to sent correctly, but I didn't compare headers
> of the both. I will do it next morning and will confirm.

Thank you everyone, I am all set. The appliance can set time, but no option to setup timezone.
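The diagnosis reached in this thread (a Date header with no zone, stamped by a relay that does record one) can be checked from the headers alone. This is an added example, not code from the thread: the function name and result keys are assumptions, and the sample headers are constructed from the ones posted above, with host names and addresses replaced by placeholders.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

def check_date_header(raw_headers):
    """Compare the Date header with the timestamp of the first relay that saw the message."""
    msg = message_from_string(raw_headers)
    date = parsedate_to_datetime(msg["Date"])      # naive datetime when no zone is given
    # Received headers are prepended, so the bottom-most one is the first hop.
    stamp = msg.get_all("Received")[-1].rsplit(";", 1)[-1]
    hop = parsedate_to_datetime(stamp.strip())
    if hop.tzinfo is None:
        raise ValueError("relay timestamp carries no zone")
    if date.tzinfo is not None:
        return {"date_has_zone": True, "skew": int((hop - date).total_seconds())}
    # No zone: show how far off the message looks under each reading of the Date value.
    as_utc = date.replace(tzinfo=timezone.utc)          # what the thread says clients assume
    as_relay_zone = date.replace(tzinfo=hop.tzinfo)     # what the sending device meant
    return {
        "date_has_zone": False,
        "skew_if_read_as_utc": int((hop - as_utc).total_seconds()),
        "skew_if_read_in_relay_zone": int((hop - as_relay_zone).total_seconds()),
    }

# Constructed sample: timestamps and queue id as posted in the thread,
# host names and addresses are placeholders.
APPLIANCE_HEADERS = (
    "Received: from postfixmta.example.net ([192.0.2.20]) by nycex20.example.net\n"
    "\twith Microsoft SMTPSVC(6.0.3790.3959); Wed, 24 Jun 2009 17:13:42 -0400\n"
    "Received: from LCM (unknown [192.0.2.10])\n"
    "\tby postfixmta.example.net (Postfix) with SMTP id A21103A006F\n"
    "\tfor <alerts@example.net>; Wed, 24 Jun 2009 17:13:39 -0400 (EDT)\n"
    "From: backup@example.net\n"
    "To: alerts@example.net\n"
    "Subject: T120 Test Mail\n"
    "Date: Wed, 24 Jun 2009 17:11:41\n"
)

if __name__ == "__main__":
    print(check_date_header(APPLIANCE_HEADERS))
```

A skew of roughly four hours under the UTC reading and about two minutes under the relay-zone reading matches the 1:12 PM versus 5:12 PM display reported in the thread.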
Verisign Cert
Hello Gurus, Currently my postfix server runs with self-signed cert, but now I was asked to implement verisign cert for some of the outgoing mails. My question is when the verisign is cert installed, will all the outgoing mails such as to yahoo.com, gmail.com will be encrypted? Do the clients needs any certificate information? I am not very clear. Please throw some light.. ~LA
Re: Verisign Cert
On Wed, Jul 15, 2009 at 12:52 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Wed, Jul 15, 2009 at 10:38:55AM -0400, Linux Addict wrote:
>
> > Hello Gurus, Currently my postfix server runs with self-signed cert, but now
> > I was asked to implement verisign cert for some of the outgoing mails.
>
> You are mightily confused. X.509 certificates with SMTP STARTTLS are for
> *incoming* mail, so that *senders* can authenticate your server:
>
>     http://www.postfix.org/TLS_README.html#client_tls_secure
>
> The *server installs* a certificate signed by a trusted CA, and the
> *client verifies* it.
>
> > My question is when the verisign is cert installed, will all the outgoing mails
> > such as to yahoo.com, gmail.com will be encrypted? Do the clients needs any
> > certificate information? I am not very clear. Please throw some light..
>
> Your client certificate play no role in the delivery of email to other
> domains, and will almost never be used, because the vast majority of
> MX hosts that support STARTTLS do not request client certificates.
>
> The recommended configuration for TLS enabled Postfix servers is:
>
>     # SMTP Server TLS (cert + key):
>     smtpd_tls_cert_file = /etc/postfix/your-cert.pem
>     smtpd_tls_key_file = /etc/postfix/your-key.pem
>
>     # SMTP Client TLS (no cert or key):
>     smtp_tls_cert_file =
>     smtp_tls_key_file =
>
> --
>     Viktor.

On Wed, Jul 15, 2009 at 10:46 AM, Thomas Gelf wrote:

> I assume you're using this certificate for TLS, so the answer is NO, no
> single mails will be encrypted - TLS is "only" there to allow MTA's to
> encrypt their transport layer. If no restrictions are configured this
> happens automagically if both endpoints support TLS.
>
> Best regards,
> Thomas Gelf
>
> Linux Addict wrote:
> > Hello Gurus, Currently my postfix server runs with self-signed cert, but
> > now I was asked to implement verisign cert for some of the outgoing
> > mails. My question is when the verisign is cert installed, will all the
> > outgoing mails such as to yahoo.com <http://yahoo.com/>, gmail.com
> > <http://gmail.com/> will be encrypted? Do the clients needs any
> > certificate information? I am not very clear. Please throw some light..
> >
> > ~LA

Thank you. Looks like I need to stand up another postfix instance since the outgoing mails domain will different from the one on $mydomain.

On the current instance(self-signed), when I do telnet to port 25, I get the below.

250-PIPELINING
250-SIZE 1024
250-ETRN
250-STARTTLS
250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-AUTH=PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The postconf output is below

smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom

I read on one of the doc, http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1, for a successful TLS setup, the last line should be "220 Ready to start TLS". I don't see any error on the logs, does my current setup really has TLS enabled?

thanks
LA
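Whether a listener has TLS enabled can be read from the EHLO reply itself, and the same reply shows which AUTH mechanisms are advertised before TLS starts. The check below is an added example, not code from the thread or from Postfix: the function names and result keys are assumptions, and the samples are constructed from the EHLO reply and postconf lines posted above, with a placeholder greeting line added.

```python
import re

# Mechanisms that transmit the password itself (base64 is an encoding, not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} for a multi-line 250 EHLO reply."""
    caps = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for n, line in enumerate(lines):
        m = re.fullmatch(r"250([ -])(.*)", line)
        if not m:
            raise ValueError("not part of a 250 reply: %r" % line)
        if n == 0:
            continue  # the first line carries the server name, not a keyword
        # "AUTH=..." is the legacy spelling Postfix adds when
        # broken_sasl_auth_clients = yes; fold it into the same keyword.
        keyword, *params = re.split(r"[ =]+", m.group(2).strip())
        caps.setdefault(keyword.upper(), set()).update(p.upper() for p in params)
    return caps

def assess(ehlo_reply, postconf_text):
    """Summarise what a client sees before it has issued STARTTLS."""
    caps = parse_ehlo(ehlo_reply)
    conf = dict(re.findall(r"^(\w+)[ \t]*=[ \t]*(.*)$", postconf_text, re.M))
    cleartext = sorted(PLAINTEXT_MECHS & caps.get("AUTH", set()))
    auth_only = conf.get("smtpd_tls_auth_only", "no")  # Postfix default is "no"
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: TLS is not enabled on this listener")
    if cleartext:
        findings.append(
            "AUTH %s advertised before STARTTLS (smtpd_tls_auth_only = %s): "
            "passwords can cross the wire unencrypted" % (", ".join(cleartext), auth_only))
    return {
        "starttls_offered": "STARTTLS" in caps,
        "cleartext_auth_mechs": cleartext,
        "smtpd_tls_auth_only": auth_only,
        "findings": findings,
    }

# Constructed sample: capability lines as posted in the thread; the first
# line (server name) is a placeholder because the post omitted it.
EHLO_FROM_THREAD = """
250-mx01.example.net
250-PIPELINING
250-SIZE 1024
250-ETRN
250-STARTTLS
250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-AUTH=PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed sample: a subset of the postconf output posted in the thread.
POSTCONF_FROM_THREAD = """
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_use_tls = yes
"""

if __name__ == "__main__":
    result = assess(EHLO_FROM_THREAD, POSTCONF_FROM_THREAD)
    print(result["starttls_offered"], result["cleartext_auth_mechs"])
    for line in result["findings"]:
        print(line)
```

With smtpd_tls_auth_only = yes, Postfix withholds the AUTH lines until the session is encrypted, so the second finding disappears.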
Re: Verisign Cert
On Wed, Jul 15, 2009 at 1:58 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Wed, Jul 15, 2009 at 01:49:24PM -0400, Linux Addict wrote:
>
> > smtp_tls_note_starttls_offer = yes
> > smtp_use_tls = yes
> > smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
>
> Make that:
>
>     smtp_tls_CAfile = ...
>
> you don't need an smtpd_tls_CAfile, unless your cert file is missing
> the intermediate CA issuing certificates that are found in this file.
> The right solution is to include your trust chain in the cert.pem file
> (in the right order, subject cert before issuer cert, leaf to root).
>
> > smtpd_tls_session_cache_timeout = 3600s
>
> No need if you don't also specify a "btree" cache database.
>
> > smtpd_use_tls = yes
>
> Make that:
>
>     smtpd_tls_security_level = may
>
> > I read on one of the doc,
> > http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1,
> > for a successfull TLS setup, the last line should be
> > "220 Ready to start TLS".
>
> No, this is not the case. To test:
>
>     openssl s_client -starttls smtp -connect 192.0.2.1:25
>
> where 192.0.2.1 is replaced by the IP address of your SMTP server.
>
> --
>     Viktor.

I think I lack knowledge on this.. I gotta do some reading.

I ran openssl test command that you provided and doesn't look like my cert config is good.
[r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
CONNECTED(0003)
depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
   i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
Server certificate
subject=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
issuer=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
No client certificate CA names sent
---
SSL handshake has read 1595 bytes and written 350 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E73EFFA5B6E8331A2571E2B15E43189D1F585D4B9D64128E6C09CE67190E2B64
    Session-ID-ctx:
    Master-Key: BD77CCB997AFCD42BDFDC750763FD56FD82237E09686F6E596A9E885AD5B46C5FD99E9C5B45A7BBDE25A183F8BAA05D5
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1247682108
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
220 XXX ESMTP
Re: Verisign Cert
On Wed, Jul 15, 2009 at 3:07 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Wed, Jul 15, 2009 at 02:33:46PM -0400, Linux Addict wrote:
>
> > I ran openssl test command that you provided and doesn't look like my cert
> > config is good.
> >
> > [r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
> > CONNECTED(0003)
> > ---
> > Certificate chain
> >  0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
> >    i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1595 bytes and written 350 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > Server public key is 1024 bit
> > ---
> > 220 XXX ESMTP
>
> This is exactly what you would expect. Everything is working fine.
>
> --
>     Viktor.

I am reading TLS page on postfix and here http://www.state-of-mind.de/assets/postfix_tls.pdf.

I have one last question. What I am trying to setup is, I have set of hosts in LAN which use postfix relay servers in DMZ to send (secure) mails to one of our external client. The external client insists on using verisign cert.

On this scenario my postfix server will send mails to the external client's server, so should I configure the Client Certificate on my postfix.

Thank you,
Re: Verisign Cert
On Thu, Jul 16, 2009 at 12:03 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Thu, Jul 16, 2009 at 09:33:24AM -0400, Linux Addict wrote:
>
> > I am reading TLS page on postfix and here
> > http://www.state-of-mind.de/assets/postfix_tls.pdf.
> >
> > I have one last question. What I am trying to setup is, I have set of hosts
> > in LAN which use postfix relay servers in DMZ to send (secure) mails to one
> > of our external client. The external client insists on using verisign cert.
>
> This is not sufficiently precise, what does "using" mean? Printing it
> on a piece of paper and using it as bathroom wallpaper? :-)

:-) Honestly I haven't spoken to them directly, just working based on using piece of mail I got.

> You need to understand what role the private key and associated (Verisign or
> other CA) certificate is to play in your communications with this party.
>
> > On this scenario my postfix server will send mails to the external client's
> > server, so should I configure the Client Certificate on my postfix.
>
> If they restrict access to their server, and allow only (certain) TLS
> authenticated clients to connect, then indeed you may need to configure
> a client certificate. This is never true for MX hosts, but if this is
> a dedicated gateway used only by specially configured clients, it may
> be one of the exceptions where SMTP client certs are useful.

Being secure, I think they allow only specific clients to connect.

The postfix TLS doc says the key should be in .pem format, but I see many howtos using .key or .crt as well. I used the openssl command to generate keys, and they both .pem and .key seems to be just rsa encryption with BEGIN and END. I assume the extension can be .pem or .crt or can be anything. Is that right?
Log file for Second Instance.
Greetings,

I have two instances of postfix running, but all the logs are going to /var/log/maillog. Could someone please point me to how to create a separate log file for the 2nd instance?
Transport Maps
I have a postfix MTA server running. I was asked to setup relay mail to a specific domain thru MX record.

Domain - Example.com
An A record smtp.example.com
MX Records smtp.example.com - smtp1.example.com and smtp2.example.com.

In simple, When I send a mail to @example.com, postfix must send the mail to the MX records of smtp.example.com.

I tried using transport maps, "example.com :[smtp1.example.com]" and "example.com smtp:[smtp1.example.com]", but of them didn't use smtp.example.com.

Please help me set this one up.

~LA
Re: Transport Maps
On Tue, Jul 21, 2009 at 12:00 PM, Ralf Hildebrandt < ralf.hildebra...@charite.de> wrote: > * Ralf Hildebrandt : > > > > In simple, When I send a mail to @example.com, postfix must send the > mail > > > to the MX records of smtp.example.com. > > > example.com smtp.example.com > > OK, not too sure if Postfix will perform an MX lookup for the RHS > (smtp.example.com in this example). Please try > > -- > Ralf Hildebrandt > Geschäftsbereich IT | Abteilung Netzwerk > Charité - Universitätsmedizin Berlin > Campus Benjamin Franklin > Hindenburgdamm 30 | D-12203 Berlin > Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 > ralf.hildebra...@charite.de | http://www.charite.de > > I just tried, Its NOT using MX records of smtp.example.com. I can manipulate it thru DNS, but will more comfortable if we can do it through Postfix.
Re: Transport Maps
On Tue, Jul 21, 2009 at 12:03 PM, Simon Waters wrote: > On Tuesday 21 July 2009 16:53:52 Linux Addict wrote: > > > > I tried using transport maps, "example.com :[smtp1.example.com]" > > and " example.com smtp:[smtp1.example.com], but of them didn't use > > smtp.example.com. > > Not clear what you mean here. > > Documentation of "transport" (man transport) suggests you don't want the > "[]" > if you want MX lookup. > > So I think you want: > > example.com smtp:smtp.example.com Simon, I already tried that. Its not doing MX lookup I guess.
Re: Transport Maps
I tried digging, I get the MX servers on the ANSWER section. I manage DNS as well, so I know its resolving correctly. On Tue, Jul 21, 2009 at 12:20 PM, Jaroslaw Grzabel wrote: > Linux Addict wrote: > >> >> Simon, I already tried that. Its not doing MX lookup I guess. >> >> Maybe it works but you're using your local DNS which doesn't know MX > record for that remote domain you want to relay your messages through. Try > locally run dig domainname.com MX and see the result. If it's empty it > means that it's something wrong with that domain name and there is nothing > to do with postfix in this case because postfix will not cast a spell for > you and charm MX record. > > syntax as: > domainname.com smtp:server.domain.com > should work for you > > Regards, > Jarek > > P.S. Sorry I posted that to your priv as well... reply to the list please. >
Re: Transport Maps
On Tue, Jul 21, 2009 at 12:24 PM, Jaroslaw Grzabel wrote: > Linux Addict wrote: > >> I tried digging, I get the MX servers on the ANSWER section. I manage DNS >> as well, so I know its resolving correctly. >> > What is in the log files then when you're trying to relay your messages ? > > Regards, > Jarek > Good Question. It is using the MX records of example.com, but we need postfix to use the MX records of smtp.example.com
Re: Transport Maps
On Tue, Jul 21, 2009 at 12:37 PM, Linux Addict wrote: > > > On Tue, Jul 21, 2009 at 12:24 PM, Jaroslaw Grzabel wrote: > >> Linux Addict wrote: >> >>> I tried digging, I get the MX servers on the ANSWER section. I manage DNS >>> as well, so I know its resolving correctly. >>> >> What is in the log files then when you're trying to relay your messages ? >> >> Regards, >> Jarek >> > > Good Question. It is using the MX records of example.com, but we need > postfix to use the MX records of smtp.example.com > > > Thanks all. I just worked around by adding internal CNAME pointing to 2 MX servers. I will come back later and check
Re: tls_random_source and OSX
On Tue, Jul 21, 2009 at 5:13 PM, Quanah Gibson-Mount wrote: > I noticed that on my OSX builds, there is no default tls_random_source > defined, yet /dev/urandom exists on those systems: > > OSX 10.4: > > build24:~ build$ ls -l /dev/urandom > crw-rw-rw- 1 root wheel8, 1 Jun 18 13:38 /dev/urandom > build24:~ build$ uname -a > Darwin build24.lab.zimbra.com 8.11.1 Darwin Kernel Version 8.11.1: Wed Oct > 10 18:23:28 PDT 2007; root:xnu-792.25.20~1/RELEASE_I386 i386 i386 > > OSX 10.5: > build09:~ build$ ls -l /dev/urandom > crw-rw-rw- 1 root wheel8, 1 Jun 23 12:42 /dev/urandom > build09:~ build$ uname -a > Darwin build09.lab.zimbra.com 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar > 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386 > > > Is there a particular reason for this? > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > > Zimbra :: the leader in open source messaging and collaboration Was the postfix compiled with TLS enabled? If yes what does postconf -d|grep tls_random_source shows?
Re: [Postfix] Wrong Time
On Tue, Oct 27, 2009 at 10:51 AM, Dan Schaefer wrote: > Wietse Venema wrote: > >> Try without SeLinux, AppArmor, and other "security" add-ons. >> They are not covered by the Postfix warranty. >> >>Wietse >> >> > Postfix has a warranty? :) It's a free product... > > -- > Dan Schaefer > Web Developer/Systems Analyst > Performance Administration Corp. > > This issue(-0600) is usually caused by an application/script sends mail without setting time offset.
Short burst of errors
Hello,

Yesterday, our postfix did print some fatal errors, during approximately 45 minutes. The errors are all identical, about the inet_interfaces variable:

Apr 22 16:45:36 my_server postfix/flush[10510]: fatal: config variable inet_interfaces: host not found: server.fqdn.name

The error messages disappeared after 45 minutes. Postfix has been running happily for quite a long time on the server, and we did not make any change recently.

What does this mean? A temporary DNS problem?

Tia,
--
Mbdr
Re: Short burst of errors
Hi, On 23/04/13 12:13, Bastian Blank wrote: > On Tue, Apr 23, 2013 at 12:09:19PM +0200, Embedding Linux wrote: >> Apr 22 16:45:36 my_server postfix/flush[10510]: fatal: config variable >> inet_interfaces: host not found: server.fqdn.name > > Not quite unexpected: > | $ drill server.fqdn.name > | ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4402 Well... in my previous message, I altered the error message to 'remove' the true name of the server. Which does resolve (currently at least), and did so for several years. $ dig +short @8.8.8.8 our.server.name the_proper_server_ip Your answer seems nonetheless to point to a temporary DNS failure. Does anybody have another explanation ? Sincerely, -- Mbdr
Re: Is it time for 2.x.y -> x.y?
After 2.9, it should have been 3, not 2.10 ;) Sent from my iPhone On Jun 1, 2013, at 8:33 AM, Len Conrad wrote: > At 07:18 AM 6/1/2013, you wrote: >> Am 31.05.2013 22:56, schrieb Wietse Venema: >>> After the confusion that Postfix 2.10 is not Postfix 2.1, maybe it >>> is time to change the release numbering scheme. > > don't dumb postfix down. keep the current numbering style. > > Len > > >
Redirect Mail for specific Domain.
Hi, I have virtual zone on a postfix mail relay. Virtual Zone Virtual Alias zone1.example.com [EMAIL PROTECTED] goes to [EMAIL PROTECTED] zone1.example.com is managed by us which is postfix example.net is Exchange server managed by another Team. The problem I am facing is, the postfix server is resolving example.net to external address, but I really want to send those mails to internal SMTP address of example.net(Exchange Server). Is there a tweak in postfix to do this.? Cheers, LA
Re: Redirect Mail for specific Domain.
On Fri, Aug 8, 2008 at 9:45 PM, Sahil Tandon <[EMAIL PROTECTED]> wrote: > Linux Addict <[EMAIL PROTECTED]> wrote: > > > Hi, I have virtual zone on a postfix mail relay. > > > > Virtual Zone Virtual Alias > > zone1.example.com [EMAIL PROTECTED] goes to > > [EMAIL PROTECTED] > > > > zone1.example.com is managed by us which is postfix > > example.net is Exchange server managed by another Team. > > > > The problem I am facing is, the postfix server is resolving > example.net to > > external address, but I really want to send those mails to internal SMTP > > address of example.net(Exchange Server). > > > > Is there a tweak in postfix to do this.? > > If you want to direct all mail destined for zone1.example.com to > example.net, then instead of virtual aliases, you might consider > transport maps: > > http://www.postfix.org/transport.5.html > > -- > Sahil Tandon <[EMAIL PROTECTED]> > I can fix DNS, but it may break other prod. services. I will give it a shot with Transport Maps. Cheers.. Grt Weekend!!
Re: Redirect Mail for specific Domain.
Linux Addict wrote: On Fri, Aug 8, 2008 at 9:45 PM, Sahil Tandon <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote: Linux Addict <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote: > Hi, I have virtual zone on a postfix mail relay. > > Virtual Zone Virtual Alias > zone1.example.com <http://zone1.example.com/> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> goes to > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > > zone1.example.com <http://zone1.example.com/> is managed by us which is postfix > example.net <http://example.net/> is Exchange server managed by another Team. > > The problem I am facing is, the postfix server is resolving example.net <http://example.net/> to > external address, but I really want to send those mails to internal SMTP > address of example.net <http://example.net/>(Exchange Server). > > Is there a tweak in postfix to do this.? If you want to direct all mail destined for zone1.example.com <http://zone1.example.com/> to example.net <http://example.net/>, then instead of virtual aliases, you might consider transport maps: http://www.postfix.org/transport.5.html -- Sahil Tandon <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> I can fix DNS, but it may break other prod. services. I will give it a shot with Transport Maps. Cheers.. Grt Weekend!! Hit a bump.. On the transport file, I cant seem to enter multiple MX server for the same domain. example.net smtp:[mx01] Works great, but How do I configure the MX02 for the same example.net? When I add new line it complains duplicate. ~LA
Re: HOTMAIL rejections ?
Frank Bonnet wrote:

> hello
>
> Our site is regularly rejected by HOTMAIL/LIVE during several days
> then it stop to be rejected then rejected again and so on ...
>
> This happens ONLY with HOTMAIL
>
> Anyone has the same trouble ?
>
> the rejection message is like the following
>
> host mx1.hotmail.com[65.54.244.8] said: 550 OU-002 Mail rejected by Windows Live Hotmail for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support (in reply to MAIL FROM command)
>
> Thanks for any infos.

Did you publish your spf and sender id records? I had same issues and worked with MS guys. Hotmail uses sender id very similar to spf. You can generate sender id records on MS Site.

Hit this link, you should have all you need. http://www.clickz.com/showPage.html?page=3627253

~LA
Likely Spam.
Hi,

Looks like our MX servers are hit hard by a specific email address which is sending frequent mails trying to use our relay effectively many mail servers seems to be blacklisting.

Oct 20 18:20:05 mx01 postfix/qmgr[6512]: DBB784BE68E: from=<[EMAIL PROTECTED]>, size=3309, nrcpt=1 (queue active)
Oct 20 18:20:05 mx0 postfix/error[9345]: DA960E73E11: to=<[EMAIL PROTECTED]>, relay=none, delay=77080, delays=76950/130/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to exchange.net Connection timed out)

Please help me stop this. Thank you!

~LA
Re: Likely Spam.
On Mon, Oct 20, 2008 at 6:33 PM, Neil <[EMAIL PROTECTED]> wrote: > On 20 Oct 2008, at 18:24, Linux Addict wrote: > > Hi, Looks like our MX servers are hit hard by a specific email address > which is sending frequent mails trying to use our relay effectively many > mail servers seems to be blacklisting. > > Oct 20 18:20:05 mx01 postfix/qmgr[6512]: DBB784BE68E: from=< > [EMAIL PROTECTED]>, size=3309, nrcpt=1 (queue active) > Oct 20 18:20:05 mx0 postfix/error[9345]: DA960E73E11: to=< > [EMAIL PROTECTED]>, relay=none, delay=77080, > delays=76950/130/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily > suspended: connect to exchange.net Connection timed out) > > Please help me stop this. Thank you! > > ~LA > > > Unless I'm mistaken (and I'm not the most knowledgeable person on this > list), I think your server thinks it's okay to accept mail for the domain " > exchange.net" (and I'm assuming "exchange.net" isn't yours). So to fix > this, you need to tell postfix only to accept mail for your domains. I > think you should check my_destination, relay_domains, etc. > > Post the output of "postconf -n". > > -N. > Thanks for your reply. mydestination = $myhostname relay_domains = $mydestination Actually its not just exchange.net, most of the mails are being sent to bellsouth.net Oct 20 18:37:27 mx01 postfix/qmgr[6597]: 5CE74D08FE1: from=< [EMAIL PROTECTED]>, size=3237, nrcpt=1 (queue active) Oct 20 18:37:27 mx01 postfix/error[6838]: 57AD01031088: to=< [EMAIL PROTECTED]>, relay=none, delay=14928, delays=14928/0.05/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 450 too frequent connects from 63.240.86.13, please try again later.) Thanks LA
Re: Likely Spam.
On Mon, Oct 20, 2008 at 6:41 PM, Neil <[EMAIL PROTECTED]> wrote: > > On 20 Oct 2008, at 18:39, Linux Addict wrote: > > > > On Mon, Oct 20, 2008 at 6:33 PM, Neil <[EMAIL PROTECTED]> wrote: > >> On 20 Oct 2008, at 18:24, Linux Addict wrote: >> >> Hi, Looks like our MX servers are hit hard by a specific email address >> which is sending frequent mails trying to use our relay effectively many >> mail servers seems to be blacklisting. >> >> Oct 20 18:20:05 mx01 postfix/qmgr[6512]: DBB784BE68E: from=< >> [EMAIL PROTECTED]>, size=3309, nrcpt=1 (queue active) >> Oct 20 18:20:05 mx0 postfix/error[9345]: DA960E73E11: to=< >> [EMAIL PROTECTED]>, relay=none, delay=77080, >> delays=76950/130/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily >> suspended: connect to exchange.net Connection timed out) >> >> Please help me stop this. Thank you! >> >> ~LA >> >> >> Unless I'm mistaken (and I'm not the most knowledgeable person on this >> list), I think your server thinks it's okay to accept mail for the domain " >> exchange.net" (and I'm assuming "exchange.net" isn't yours). So to fix >> this, you need to tell postfix only to accept mail for your domains. I >> think you should check my_destination, relay_domains, etc. >> >> Post the output of "postconf -n". >> >> -N. >> > > > Thanks for your reply. > > > mydestination = $myhostname > relay_domains = $mydestination > > Actually its not just exchange.net, most of the mails are being sent to > bellsouth.net > > Oct 20 18:37:27 mx01 postfix/qmgr[6597]: 5CE74D08FE1: from=< > [EMAIL PROTECTED]>, size=3237, nrcpt=1 (queue active) > Oct 20 18:37:27 mx01 postfix/error[6838]: 57AD01031088: to=< > [EMAIL PROTECTED]>, relay=none, delay=14928, delays=14928/0.05/0/0, > dsn=4.0.0, status=deferred (delivery temporarily suspended: host > gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 450 too > frequent connects from 63.240.86.13, please try again later.) 
> > > Thanks > LA > > > I don't think you need $mydestination in relay_domains. And the rest of > postconf -n would still be useful. > alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix debug_peer_level = 50 disable_vrfy_command = yes fallback_transport = maildrop header_checks = regexp:/etc/postfix/header_checks home_mailbox = Maildir/ html_directory = no inet_interfaces = all local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps $alias_maps mail_owner = postfix mail_spool_directory = /var/spool/mail mailq_path = /usr/bin/mailq manpage_directory = /usr/local/man mydestination = $myhostname mydomain = example.net myhostname = mx02.example.net mynetworks = /etc/postfix/network_table mynetworks_style = class myorigin = $myhostname newaliases_path = /usr/bin/newaliases queue_directory = /var/spool/postfix readme_directory = no relay_domains = $mydestination sample_directory = /etc/postfix sendmail_path = /usr/sbin/sendmail setgid_group = postdrop smtp_tls_note_starttls_offer = yes smtp_use_tls = yes smtpd_banner = $myhostname ESMTP smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_recipient_limit = 300 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination, reject_invalid_hostname,reject_unauth_pipelining, reject_non_fqdn_sender,reject_unknown_sender_domain, reject_non_fqdn_recipient,reject_unknown_recipient_domain, reject_rbl_client blackholes.easynet.nl,reject_rbl_client cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org, reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org, reject_rbl_client multihop.dsbl.org,permit smtpd_sasl_auth_enable = yes 
smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem smtpd_tls_auth_only = no smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem smtpd_tls_key_file = /usr/share/ssl/certs/key.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes tls_random_exchange_name = /var/lib/postfix/prng_exch tls_random_source = dev:/dev/urandom transport_maps = hash:/etc/postfix/transport unknown_local_recipient_reject_code = 550 virtual_alias_maps = hash:/etc/postfix/maps/pf_aliases virtual_gid_maps = static:102 virtual_mailbox_base = /home/vmail virtual_mailbox_domains = hash:/etc/postfix/maps/pf_domain virtual_mailbox_limit = 5120 virtual_mailbox_maps = hash:/etc/postfix/maps/pf_domain_mailboxes virtual_minimum_uid = 102 virtual_transport = maildrop virtual_uid_maps = static:102
Re: Likely Spam.
On Mon, Oct 20, 2008 at 9:53 PM, Charles Marcus <[EMAIL PROTECTED]>wrote: > On 10/20/2008 Linux Addict wrote: > >> mynetworks = /etc/postfix/network_table >> > > Contents of this file could be instructive... > All I have on the file is RFC 1918 Address Space.
Re: Likely Spam.
On Tue, Oct 21, 2008 at 3:29 AM, mouss <[EMAIL PROTECTED]> wrote: > Linux Addict a écrit : > > > [snip] > > local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps > > $alias_maps > > remove $virtual_alias_maps from local_recipient_maps. > > > [snip] > > mynetworks_style = class > > remove mynetworks_style (mynetworks is enough). > > > [snip] relay_domains = $mydestination > > set > relay_domains = > > The $mydestination setting is for compatibility reasons, and given your > mydestination setting, you don't need it (you don't want mail to > [EMAIL PROTECTED]). > > > [snip] > > smtpd_recipient_restrictions = permit_mynetworks, > > permit_sasl_authenticated,reject_unauth_destination, > > reject_invalid_hostname,reject_unauth_pipelining, > > reject_unauth_pipelining is useless here. > > > reject_non_fqdn_sender,reject_unknown_sender_domain, > > reject_non_fqdn_recipient,reject_unknown_recipient_domain, > > reject_unknown_recipient_domain is useless here. it only checks your own > domains. > > > reject_rbl_client blackholes.easynet.nl, > >reject_rbl_client cbl.abuseat.org, > >reject_rbl_client proxies.blackholes.wirehub.net, > >reject_rbl_client bl.spamcop.net, > >reject_rbl_client sbl.spamhaus.org, > >reject_rbl_client dnsbl.njabl.org, > >reject_rbl_client list.dsbl.org, > >reject_rbl_client multihop.dsbl.org, > >permit > > > you should check that the DNSBLs you use are active. You can start with >http://spamlinks.net/filter-dnsbl-dead.htm > In particular, blackholes.easynet.nl and *.dsbl.org are gone. > > and I don't think blackholes.wirehub.net does anything (it once (2003) > became blackholes.easynet.nl, which is dead now). > > and instead of using cbl and sbl, use xbl-sbl.spamhaus.org. Or better > yet, use zen.spamhaus.org. > > > [snip] > > > Regarding your problem, do what Noel said. check how the message entered > your system by finding all message > > Could someone please point to the direction of documents for tracking Queue ID.?
Re: Likely Spam.
On Tue, Oct 21, 2008 at 7:19 AM, Linux Addict <[EMAIL PROTECTED]>wrote: > > > On Tue, Oct 21, 2008 at 3:29 AM, mouss <[EMAIL PROTECTED]> wrote: > >> Linux Addict a écrit : >> >> > [snip] >> > local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps >> > $alias_maps >> >> remove $virtual_alias_maps from local_recipient_maps. >> >> > [snip] >> > mynetworks_style = class >> >> remove mynetworks_style (mynetworks is enough). >> >> > [snip] relay_domains = $mydestination >> >> set >> relay_domains = >> >> The $mydestination setting is for compatibility reasons, and given your >> mydestination setting, you don't need it (you don't want mail to >> [EMAIL PROTECTED]). >> >> > [snip] >> > smtpd_recipient_restrictions = permit_mynetworks, >> > permit_sasl_authenticated,reject_unauth_destination, >> > reject_invalid_hostname,reject_unauth_pipelining, >> >> reject_unauth_pipelining is useless here. >> >> > reject_non_fqdn_sender,reject_unknown_sender_domain, >> > reject_non_fqdn_recipient,reject_unknown_recipient_domain, >> >> reject_unknown_recipient_domain is useless here. it only checks your own >> domains. >> >> > reject_rbl_client blackholes.easynet.nl, >> >reject_rbl_client cbl.abuseat.org, >> >reject_rbl_client proxies.blackholes.wirehub.net, >> >reject_rbl_client bl.spamcop.net, >> >reject_rbl_client sbl.spamhaus.org, >> >reject_rbl_client dnsbl.njabl.org, >> >reject_rbl_client list.dsbl.org, >> >reject_rbl_client multihop.dsbl.org, >> >permit >> >> >> you should check that the DNSBLs you use are active. You can start with >>http://spamlinks.net/filter-dnsbl-dead.htm >> In particular, blackholes.easynet.nl and *.dsbl.org are gone. >> >> and I don't think blackholes.wirehub.net does anything (it once (2003) >> became blackholes.easynet.nl, which is dead now). >> >> and instead of using cbl and sbl, use xbl-sbl.spamhaus.org. Or better >> yet, use zen.spamhaus.org. >> >> > [snip] >> >> >> Regarding your problem, do what Noel said. 
check how the message entered >> your system by finding all message >> >> > > Could someone please point to the direction of documents for tracking Queue > ID.? > Nevermind.. I did strings on one of the messages on "deferred" and got the information.
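The tracking asked about above (following a queue ID through the log to see which client injected the message) can be scripted. This is an added example, not part of the original thread; the log lines are constructed samples in Postfix's syslog format, and it assumes the classic short hexadecimal queue IDs shown in the thread's own log excerpts.

```python
import re
from collections import Counter

# Constructed sample log (hosts, addresses and queue IDs are made up).
SAMPLE_LOG = """\
Oct 20 18:19:58 mx01 postfix/smtpd[6401]: DBB784BE68E: client=web03.internal.example[10.1.2.33]
Oct 20 18:19:58 mx01 postfix/cleanup[6410]: DBB784BE68E: message-id=<1.a@web03.internal.example>
Oct 20 18:20:05 mx01 postfix/qmgr[6512]: DBB784BE68E: from=<referral@example.net>, size=3309, nrcpt=1 (queue active)
Oct 20 18:20:05 mx01 postfix/error[9345]: DBB784BE68E: to=<someone@isp-a.example>, relay=none, delay=77080, delays=76950/130/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.isp-a.example: Connection timed out)
Oct 20 18:37:20 mx01 postfix/smtpd[6401]: 5CE74D08FE1: client=web03.internal.example[10.1.2.33]
Oct 20 18:37:27 mx01 postfix/qmgr[6597]: 5CE74D08FE1: from=<referral@example.net>, size=3237, nrcpt=1 (queue active)
Oct 20 18:37:27 mx01 postfix/error[6838]: 5CE74D08FE1: to=<other@isp-b.example>, relay=none, delay=14928, delays=14928/0.05/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: 450 too frequent connects)
Oct 20 18:41:02 mx01 postfix/smtpd[6420]: A1B2C3D4E5F: client=app07.internal.example[10.1.2.40]
Oct 20 18:41:02 mx01 postfix/qmgr[6597]: A1B2C3D4E5F: from=<billing@example.net>, size=2100, nrcpt=1 (queue active)
Oct 20 18:41:03 mx01 postfix/smtp[6850]: A1B2C3D4E5F: to=<cust@partner.example>, relay=mx.partner.example[192.0.2.25]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Oct 20 18:41:03 mx01 postfix/qmgr[6597]: A1B2C3D4E5F: removed
Oct 20 18:41:05 mx01 postfix/smtpd[6420]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 Relay access denied
Oct 20 18:41:06 mx01 postfix/smtpd[6420]: warning: hostname lookup failed for 192.0.2.77
"""

# "<timestamp> <host> postfix/<daemon>[pid]: <QUEUEID>: <details>"
# Upper-case hex only, so "NOQUEUE:", "warning:" and "fatal:" lines are skipped.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\spostfix/(?P<daemon>[\w-]+)\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]{6,}):\s(?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*?\bstatus=(?P<status>\w+)")


def parse_maillog(text):
    """Group log lines by queue ID and keep client, envelope sender and deliveries."""
    messages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = messages.setdefault(
            m["qid"], {"client": None, "sender": None, "deliveries": []}
        )
        rest = m["rest"]
        client = CLIENT_RE.match(rest)
        sender = FROM_RE.match(rest)
        rcpt = TO_RE.match(rest)
        if client:                      # logged by smtpd when the message arrives
            rec["client"] = (client["host"], client["ip"])
        elif sender:                    # logged by qmgr when the message is queued
            rec["sender"] = sender["addr"]
        elif rcpt:                      # logged by smtp/error/local per recipient
            rec["deliveries"].append((rcpt["addr"], rcpt["status"]))
    return messages


def deferred_by_origin(messages):
    """Count messages with a deferred delivery, keyed by (client IP, sender)."""
    counts = Counter()
    for rec in messages.values():
        if any(status == "deferred" for _, status in rec["deliveries"]):
            ip = rec["client"][1] if rec["client"] else "unknown"
            counts[(ip, rec["sender"])] += 1
    return counts


if __name__ == "__main__":
    for (ip, sender), n in deferred_by_origin(parse_maillog(SAMPLE_LOG)).most_common():
        print(f"{n:5d} deferred  client={ip}  from=<{sender}>")
```

A client of "unknown" means the smtpd line for that queue ID was not in the text given to the parser, for example because the message was submitted locally or the log had rotated.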
Re: Likely Spam.
On Tue, Oct 21, 2008 at 7:33 AM, Noel Jones <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
>> Nevermind.. I did strings on one of the messages on "deferred" and got the
>> information.
>
> use
> postcat -q QUEUEID | more
> to view the contents of a queued message.
>
> --
> Noel Jones

I got the culprit. It was one of the internal hosts. Now how do I reject any mail from that particular email address? I tried with sender_access, but not working. Any ideas?

Thanks, LA
Re: Likely Spam.
On Thu, Oct 23, 2008 at 5:15 PM, Noel Jones <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
>> On Tue, Oct 21, 2008 at 7:33 AM, Noel Jones <[EMAIL PROTECTED]> wrote:
>>
>>    Linux Addict wrote:
>>
>>        Nevermind.. I did strings on one of the messages on "deferred"
>>        and got the information.
>>
>>    use
>>    postcat -q QUEUEID | more
>>    to view the contents of a queued message.
>>
>>    --Noel Jones
>>
>> I got the culprit. It was one of the internal hosts. Now how do I reject
>> any mail from that particular email address? I tried with sender_access, but
>> not working. Any ideas?
>>
>> Thanks, LA
>
> Use a check_client_access table to reject that host's IP.
>
> sample config:
>
> #main.cf
> smtpd_client_restrictions =
>   check_client_access hash:/etc/postfix/client_blacklist
>
> # /etc/postfix/client_blacklist
> 192.168.1.33 REJECT your computer has a virus.
>
> then run:
> # postmap client_blacklist
> # postfix reload
>
> If you don't have a smtpd_client_restrictions section in your main.cf yet,
> the above example should work fine as is.
>
> --
> Noel Jones

Unfortunately that host also sends some legitimate mails. I just want to block those two mail ids for now.

smtpd_sender_restrictions = hash:/etc/postfix/sender_access

sender_access has following entries, but not working.

[EMAIL PROTECTED] REJECT
[EMAIL PROTECTED] REJECT

Anything wrong here?
Re: Likely Spam.
On Thu, Oct 23, 2008 at 5:49 PM, mouss <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
> > Unfortunately that host also sends some legitimate mails. I just want to
> > block those two mail ids for now.
>
> unfortunately for you, if the host is owned, it will find other sender
> addresses...
>
> > smtpd_sender_restrictions = hash:/etc/postfix/sender_access
>
> put the name of the check explicitly:
>
> smtpd_sender_restrictions =
>    check_sender_access hash:/etc/postfix/sender_access
>
> don't forget to postmap the hash map.
>
> > sender_access has following entries, but not working.
> >
> > [EMAIL PROTECTED] REJECT
> > [EMAIL PROTECTED] REJECT
> >
> > Anything wrong here?
>
> it's ok, but see note above (a sender address is easily forged unless
> you use reject_sender_login_mismatch).

Thank you guys!! It worked. We have escalated to the DEV to fix the problem. Actually spammers are exploiting "Email a Friend" option on our webpage inserting spam note, but there are also legitimate referrals. It's a bit of politics as well as DEV is downplaying the issue.

Thank you again.
Spam on deck!!
We have a java mailer application which was hung and queued more than 100k mails. People are working to fix it. I am worried that all 100k mails may hit postfix server and cause some damage. Anyway I can prepare for it? ~LA
Re: Spam on deck!!
Steven King wrote: Postfix is very cautious about system resource usage. It keeps an eye on RAM usage, disk space, and CPU usage. I battered my postfix server with 200K mails once. Just for a stress test. The load on the server went up sharply and was a bit sluggish but postfix chugged along through it with very little impact to other services running on the system. Linux Addict wrote: We have a java mailer application which was hung and queued more than 100k mails. People are working to fix it. I am worried that all 100k mails may hit postfix server and cause some damage. Anyway I can prepare for it? ~LA Thanks! I am not just worried about the system performance, but possible blacklisting as it may send flurry of mails to external domains. ~LA
Re: Spam on deck!!
Linux Addict wrote: Steven King wrote: Postfix is very cautious about system resource usage. It keeps an eye on RAM usage, disk space, and CPU usage. I battered my postfix server with 200K mails once. Just for a stress test. The load on the server went up sharply and was a bit sluggish but postfix chugged along through it with very little impact to other services running on the system. Linux Addict wrote: We have a java mailer application which was hung and queued more than 100k mails. People are working to fix it. I am worried that all 100k mails may hit postfix server and cause some damage. Anyway I can prepare for it? ~LA Thanks! I am not just worried about the system performance, but possible blacklisting as it may send flurry of mails to external domains. ~LA I am reading the TUNING_README and it looks like anvil seems to be taking care of most things.
DKIMproxy Information.
Hi,

Please excuse me if it is not relevant on this forum. I am planning to use domain keys and dkim for our domain just to send mails outside. Is DKIMproxy good enough to cover both older Yahoo Domainkeys and new DKIM?

Thank you.

~LA
Re: Spam on deck!!
On Sat, Nov 8, 2008 at 12:06 AM, Sahil Tandon <[EMAIL PROTECTED]> wrote: > Terry Carmen <[EMAIL PROTECTED]> wrote: > > > Sahil Tandon wrote: > >> Linux Addict <[EMAIL PROTECTED]> wrote: > >> > >> > >>> Steven King wrote: > >>> > >>>> Postfix is very cautious about system resource usage. It keeps an eye > on > >>>> RAM usage, disk space, and CPU usage. > >>>> > >>>> I battered my postfix server with 200K mails once. Just for a stress > >>>> test. The load on the server went up sharply and was a bit sluggish > but > >>>> postfix chugged along through it with very little impact to other > >>>> services running on the system. > >>>> > >>>> Linux Addict wrote: > >>>> > >>>>> We have a java mailer application which was hung and queued more than > >>>>> 100k mails. People are working to fix it. I am worried that all 100k > >>>>> mails may hit postfix server and cause some damage. > >>>>> > >>>>> Anyway I can prepare for it? > >>>>> > >>>>> ~LA > >>>>> > >>>> > >>> Thanks! I am not just worried about the system performance, but > possible > >>> blacklisting as it may send flurry of mails to external domains. > >>> > >> > >> If you're really worried, you can parse the queue for large amounts of > >> messages heading to the same external domain and release the associated > >> QUEUE IDs slowly. Bit of a crude option, but one you might consider. > >> > > > > I'm not sure that would be helpful. One of my IPs got throttled at Yahoo > > for sending exactly two messages that looked spammy (but actually > weren't). > > > > The OP will probably have to take his lumps and fix it later. > > Yahoo! is especially atrocious in this regard and considers almost any > frequent sender as spammer unless the server is whitelisted. I only > have anecdotal evidence to back that up, so I am sure some will > disagree. > > The advice was disclaimed as "crude" for a reason. :-) It's no panacea, > but it should help on the margin. > > -- > Sahil Tandon <[EMAIL PROTECTED]> > Well... 
I worked with yahoo in the past to whitelist an IP and they ask tons of information but literally they think were always right in blacklisting. I am planning to sign domain keys and dkim. I hope yahoo doesn't block me. thank you. ~LA
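The suggestion quoted above (parse the queue for large numbers of messages heading to the same external domain and release the queue IDs slowly) can be sketched as follows. This is an added example, not code from the thread; the queue listing is a constructed sample in the layout printed by `postqueue -p`, and the batch size is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `postqueue -p` output; all IDs and addresses are made up.
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
DBB784BE68E     3309 Mon Oct 20 18:20:05  mailer@app.example.net
(delivery temporarily suspended: connect to mx.isp-a.example[192.0.2.10]: Connection timed out)
                                         alice@isp-a.example

5CE74D08FE1*    3237 Mon Oct 20 18:37:27  mailer@app.example.net
                                         bob@isp-a.example
                                         carol@isp-b.example

A1B2C3D4E5F!    2980 Mon Oct 20 18:40:11  mailer@app.example.net
                                         dave@ISP-A.example

-- 9 Kbytes in 3 Requests.
"""

# First line of an entry: queue ID, optional "*" (active) or "!" (on hold),
# size, arrival time, envelope sender.
HEADER_RE = re.compile(
    r"^(?P<qid>[0-9A-F]{6,})(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d+ [\d:]{8})\s+(?P<sender>\S+)$"
)
STATES = {"*": "active", "!": "hold", "": "queued"}


def parse_postqueue(text):
    """Return one dict per queue entry: qid, state, sender, recipients."""
    entries, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {
                "qid": header["qid"],
                "state": STATES[header["flag"]],
                "sender": header["sender"],
                "recipients": [],
            }
            entries.append(current)
            continue
        if current is None:
            continue                     # column header or summary line
        stripped = line.strip()
        if not stripped:
            current = None               # a blank line closes the entry
        elif stripped.startswith("("):
            continue                     # deferral reason for the next recipient
        elif line[0].isspace():
            current["recipients"].append(stripped)
    return entries


def queue_ids_by_domain(entries):
    """Map each recipient domain (lower-cased) to the queue IDs addressed to it."""
    domains = defaultdict(list)
    for entry in entries:
        seen = set()
        for rcpt in entry["recipients"]:
            # An address without "@" (local recipient) is used as its own key.
            domain = rcpt.rpartition("@")[2].lower()
            if domain not in seen:
                seen.add(domain)
                domains[domain].append(entry["qid"])
    return dict(domains)


def release_batches(qids, batch_size):
    """Split queue IDs into fixed-size batches to be released one at a time."""
    return [qids[i:i + batch_size] for i in range(0, len(qids), batch_size)]


if __name__ == "__main__":
    grouped = queue_ids_by_domain(parse_postqueue(SAMPLE_QUEUE))
    for domain, qids in sorted(grouped.items(), key=lambda kv: -len(kv[1])):
        print(domain, len(qids), release_batches(qids, 2))
```

Each batch can then be passed to whatever release step is in use, for example `postsuper -H` for messages that were first placed on hold, with a pause between batches.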
Re: DKIMproxy Information.
On Mon, Nov 10, 2008 at 5:19 PM, Noel Jones <[EMAIL PROTECTED]> wrote: > Linux Addict wrote: > >> Hi, Please excuse me if it is not relevant on this forum. >> >> I am planning to use domain keys and dkim for our domain just to send >> mails outside. >> >> Is DKIMproxy good enough to cover both older Yahoo Domainkeys and new >> DKIM? >> >> thanks you. >> >> ~LA >> > > dkimproxy supports both DKIM and DomainKeys. > http://dkimproxy.sourceforge.net/ > > -- > Noel Jones > While I read through this, I understand that to use domain keys, the client has to send mails through submission port 587. Does that sound right? Just to use domainkeys, all clients to has to send mails to port 587 instead of port 25? Please clarify. Thank you ~LA
Re: DKIMproxy Information.
On Tue, Nov 11, 2008 at 4:53 PM, Charles Marcus <[EMAIL PROTECTED]>wrote: > On 11/11/2008 4:49 PM, Charles Marcus wrote: > >> Common administrative practices include submission on 587 for > >> trusted clients only and should not be permitted on the internet. > >> This port should be firewalled outside of your network. > > > Excuse me?!?!? Thats ridiculous... in fact, just the OPPOSITE is > > true. > > Well... correction... > > Port 587 is designed to provide smtp_auth services to trusted clients > VIA an UNtrusted network (like the internet)... > > So, no WAY should it be firewalled - just limit it to sasl_auth based > sessions - and hopefully you enforce strong password policies too... > > -- > > Best regards, > > Charles > My reason for configuring domain keys is yahoo not filtering my mails as spam. I dont want to go back and change more than 1000 clients port from 25 to 587. So is there anyway we can achieve domainkeys authentication on port 25? Thanks, LA
Re: DKIMproxy Information.
On Wed, Nov 12, 2008 at 12:44 PM, mouss <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
>> On Tue, Nov 11, 2008 at 4:53 PM, Charles Marcus <[EMAIL PROTECTED]> wrote:
>>
>>> On 11/11/2008 4:49 PM, Charles Marcus wrote:
>>>
>>>>> Common administrative practices include submission on 587 for
>>>>> trusted clients only and should not be permitted on the internet.
>>>>> This port should be firewalled outside of your network.
>>>>
>>>> Excuse me?!?!? Thats ridiculous... in fact, just the OPPOSITE is
>>>> true.
>>>
>>> Well... correction...
>>>
>>> Port 587 is designed to provide smtp_auth services to trusted clients
>>> VIA an UNtrusted network (like the internet)...
>>>
>>> So, no WAY should it be firewalled - just limit it to sasl_auth based
>>> sessions - and hopefully you enforce strong password policies too...
>>>
>>> --
>>>
>>> Best regards,
>>>
>>> Charles
>>
>> My reason for configuring domain keys is yahoo not filtering my mails as
>> spam.
>
> because you think once you sign your mail they will deliver it to Inbox? :-)

I know they may or may not. As an admin, we are trying our best.

>> I dont want to go back and change more than 1000 clients port from 25
>> to 587.
>
> if they come from specific networks, you can use a NAT implementation to
> redirect them to port 587. otherwise, see below.
>
>> So is there anyway we can achieve domainkeys authentication on port 25?
>
> smtpd_client_restrictions =
>     check_client_access pcre:/etc/postfix/filter_outbound
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_client_access pcre:/etc/postfix/filter_inbound
>
> == filter_outbound
> # pass to "outbound" filter
> /./ FILTER scan:[127.0.0.1]:10586
>
> == filter_inbound
> # pass to "inbound" filter
> /./ FILTER scan:[127.0.0.1]:10024
>
> if you wonder what that does:
> - if mail comes from mynetworks or is sasl authenticated, then it is passed
>   to port 10586
> - otherwise, it is passed to port 10024
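The order of the restriction list quoted in the message above matters because, per access(5), when several FILTER actions fire only the last one is executed, while a permit_* match ends the list. The following Python model of that evaluation is an added example, not code from the thread or from Postfix; the `MYNETWORKS` range, the client records and all function names are constructed for illustration.

```python
import ipaddress

# Constructed value (assumption, not from the thread).
MYNETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Filter destinations as quoted in the message.
OUTBOUND = "scan:[127.0.0.1]:10586"
INBOUND = "scan:[127.0.0.1]:10024"


def filter_map(destination):
    """Model a pcre table whose single rule is `/./ FILTER destination`."""
    return lambda client: ("FILTER", destination)


def permit_mynetworks(client):
    addr = ipaddress.ip_address(client["ip"])
    hit = any(addr in net for net in MYNETWORKS)
    return ("PERMIT", None) if hit else ("DUNNO", None)


def permit_sasl_authenticated(client):
    return ("PERMIT", None) if client.get("sasl_user") else ("DUNNO", None)


# Same order as the quoted smtpd_client_restrictions.
AS_POSTED = [filter_map(OUTBOUND), permit_mynetworks,
             permit_sasl_authenticated, filter_map(INBOUND)]

# Failure mode: permits first, so trusted clients leave the list before
# any FILTER is recorded and their mail skips the outbound filter.
MISORDERED = [permit_mynetworks, permit_sasl_authenticated,
              filter_map(OUTBOUND), filter_map(INBOUND)]


def evaluate(client, restrictions=AS_POSTED):
    """Return (decision, content_filter) for one connecting client."""
    content_filter = None
    for restriction in restrictions:
        action, arg = restriction(client)
        if action == "FILTER":
            content_filter = arg  # recorded; evaluation continues, last one wins
        elif action == "PERMIT":
            return "PERMIT", content_filter
    return "DUNNO", content_filter


if __name__ == "__main__":
    samples = [  # constructed clients
        {"ip": "10.1.2.3"},
        {"ip": "203.0.113.7", "sasl_user": "alice"},
        {"ip": "203.0.113.7"},
    ]
    for c in samples:
        print(c, "as posted:", evaluate(c), "misordered:", evaluate(c, MISORDERED))
```

With the permits moved to the top, the model returns no content filter at all for internal and authenticated clients, which is the case to check for when reviewing a list like this.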
outlook blocks email from private mailserver
Though the sender IP is not listed in any RBL, outlook still blocks it. Do you know how I can deal with this?

thanks & regards.
send limit option
hello experts

if I have added this line into main.cf:

smtpd_client_message_rate_limit = 5

does it mean a common smtp user (not peer MTA) can send 5 messages per 1 min?

Thanks.
postfix and dovecot for mailbox quota
dear list, Both postfix and dovecot can set the limits for mailbox quota. So what are their special uses? Thanks
DISCORD from a user to noreply
Folks, I am trying to configure discord when supp...@company.com sends to noreply@ / no-reply@.

The smtp recipient/header checks seem to parse line by line so I can discord to noreply, but how do I add a condition. I looked at if.. endif, but I am unsure how to get this done with from and to lines in one regex.

any help would be appreciated.
Re: DISCORD from a user to noreply
Sorry.. yeah discard. Though there are header checks already on this system, I can do a recipient check for this one.

But is it possible to discard noreply email for just only one sender? I am clear on how to discard when everything is sent to noreply@.*.

check_recipient_access inline:{{nore...@example.com = discard}}

On Thu, Feb 13, 2020 at 2:57 PM Wietse Venema wrote:

> Linux Addict:
> > Folks, I am trying to configure discord when supp...@company.com sends to
> > noreply@ / no-reply@.
>
> Did you mean "discard"?
>
> > The smtp recipient/header checks seem to parse line by line so I can
> > discord to noreply, but how do I add a condition. I looked at if.. endif, but I
> > am unsure how to get this done with from and to lines in one regex.
>
> Headers are not a good way to determine where email is being sent
> to. The recipient is part of the envelope. It is sent with the RCPT
> TO command.
>
> /etc/postfix/main.cf:
>     smtpd_recipient_restrictions =
>         ...
>         reject_unauth_destination
>         check_recipient_access inline:{{nore...@example.com = discard}}
>         ...
>
> Wietse
Re: DISCORD from a user to noreply
I have no reason to use DISCARD. I also don't want sender to receive anything back. Is reject silently an option?

/^From:.?(no|No)(reply|-reply)@.*/ REJECT:silently

On Thu, Feb 13, 2020 at 3:12 PM Viktor Dukhovni wrote:

> On Thu, Feb 13, 2020 at 03:06:37PM -0500, Linux Addict wrote:
>
> > Sorry.. yeah discard.
> >
> > But is it possible to discard noreply email for just
> > only one sender? I am clear on how to discard when everything sent to
> > noreply@.*.
>
> Nothing built into Postfix will discard just the one recipient
> in a multi-recipient mail based on the sender.
>
> In a single-recipient message (unsafe assumption), discarding
> the whole message is possible via restriction classes.
>
> Now it turns out that "recipient_restrictions" configured via:
>
>     smtpd_data_restrictions = ...
>
> only run on single-recipient messages, if the message had two or more
> recipients, the restriction is skipped. Thus it would be safe to
> use a sender-based rule that resolves to a restriction class that
> processes the recipient, and run that sender rule in the data
> restrictions, and be sure to discard just single-recipient mail.
>
> --
> Viktor.
Re: DISCORD from a user to noreply
Well.. I should have checked but assumed the action statements are similar whether it's transport or access.. obviously that does not seem to be the case.

*Mail is either accepted or rejected (the sender is told which)* - this is why I wished or made up silent with reject. I don't want sender to know about the rejects.

I guess I am going to go with below which will silently drop the email and won't notify the sender.

check_recipient_access inline:{{nore...@example.com = discard}}

On Thu, Feb 13, 2020 at 3:43 PM Viktor Dukhovni wrote:

> On Thu, Feb 13, 2020 at 03:33:42PM -0500, Linux Addict wrote:
>
> > I have no reason to use DISCARD. I also don't want sender to receive
> > anything back. Is reject silently an option?
> >
> > /^From:.?(no|No)(reply|-reply)@.*/ REJECT:silently
>
> First of all, as you've already been told, header checks are entirely
> the wrong tool for this. You need to use either access(5) restrictions
> or else rewriting to an address which is dropped on delivery.
>
> You're also randomly making up syntax. The "discard:silently" example
> was transport table example and only makes sense in that context.
>
> Lastly, and sadly, you may need better command of English to get help on
> this list. There's no such thing as a silent "REJECT", that's a
> contradiction. Mail is either accepted or rejected (the sender is
> told which), delivered or discarded (after the message is accepted).
>
> --
> Viktor.
postfix pdf
I want to receive a mail with pdf attached but got errors:

Jan 5 15:44:40 mail postfix/cleanup[21419]: 3AF94CC3CDC: message-id=<809c0b3357a556a826cd508693b0f...@www.ubuntushop.be>
Jan 5 15:44:40 mail postfix/cleanup[21419]: 3AF94CC3CDC: reject: body lgwSkgRBEQhIAhx6yJgLL8xxhz71jAvOOv2ZV998L7fVZoLoto1CdVf87Vx9d9DObHjAWvewI7Bk from local; from=: 5.7.1 message content rejected
Jan 5 15:44:40 mail postfix/cleanup[21419]: 3AF94CC3CDC: to=, orig_to=, relay=none, delay=0.05, delays=0.05/0/0/0, dsn=5.7.1, status=bounced (message content rejected)
Jan 5 15:44:40 mail postfix/discard[21428]: warning: unexpected attribute nrequest from bounce socket (expecting: flags)
Jan 5 15:44:40 mail postfix/discard[21428]: warning: deliver_request_get: error receiving common attributes
Jan 5 15:44:40 mail postfix/cleanup[21419]: 3AF94CC3CDC: to=, orig_to=, relay=none, delay=0.06, delays=0.06/0/0/0, dsn=5.7.1, status=bounced (message content rejected)
Jan 5 15:44:40 mail postfix/discard[21428]: warning: unexpected attribute nrequest from bounce socket (expecting: flags)
Jan 5 15:44:40 mail postfix/discard[21428]: warning: deliver_request_get: error receiving common attributes
Jan 5 15:44:40 mail postfix/cleanup[21419]: 3AF94CC3CDC: to=, orig_to=, relay=none, delay=0.06, delays=0.06/0/0/0, dsn=5.7.1, status=bounced (message content rejected)
Jan 5 15:44:40 mail postfix/discard[21428]: warning: unexpected attribute nrequest from bounce socket (expecting: flags)
Jan 5 15:44:40 mail postfix/discard[21428]: warning: deliver_request_get: error receiving common attributes
Jan 5 15:44:40 mail postfix/discard[21428]: warning: unexpected attribute nrequest from bounce socket (expecting: flags)
Jan 5 15:44:40 mail postfix/discard[21428]: warning: deliver_request_get: error receiving common attributes
Re: postfix pdf
Yes, from joomla with phpmail

I have disabled body_checks in postfix and then it was ok.

guy

On 05-01-17 at 16:39, chaouche yacine wrote:

> Are you sending the PDF via a common MUA or via a program/script ?
Re: postfix pdf
body of mail: http://www.ubuntushop.be/mailbody.txt

guy

On 05-01-17 at 16:39, chaouche yacine wrote:

> Are you sending the PDF via a common MUA or via a program/script ?
Re: postfix pdf
I did change joomla from phpmail to sendmail and the problem is over, even with body_checks enabled

guy

On 05-01-17 at 17:48, Viktor Dukhovni wrote:

> On Jan 5, 2017, at 10:29 AM, linux-service wrote:
>
> > Jan 5 15:44:40 mail postfix/discard[21428]: warning: unexpected attribute nrequest from bounce socket (expecting: flags)
>
> It looks like your Postfix installation is broken (contains binaries
> from multiple versions of Postfix). Stop postfix, re-install, and
> restart. If problem persists, report a potential bug.
Use 1 TLS certificate for multiple domains
I'm running Postfix with MailScanner as a spamfilter for multiple domains/customers. Is it possible to create a TLS configuration to force encryption for a set of domains with one SSL certificate for the FQDN of the mailserver?

The MX-records of the hosted domains are pointing to my mailserver and my mailserver is forwarding the mail to the destination mailserver of the customer.

Does the SSL certificate need to contain the domainnames of the destination domains? Or is the FQDN of the active mailserver enough for good encryption?

Thanks in advance.
Re: Use 1 TLS certificate for multiple domains
Thank you Viktor! Totally clear to me now.

Greetings

2017-07-26 16:43 GMT+02:00 Viktor Dukhovni :

> > On Jul 26, 2017, at 6:01 AM, Z3us Linux wrote:
> >
> > I'm running Postfix with MailScanner as a spamfilter for multiple
> > domains/customers.
> > Is it possible to create a TLS configuration to force encryption for a
> > set of domains with one SSL certificate for the FQDN of the mailserver?
>
> Deploying an RSA 2048-bit key and matching certificate is generally
> sufficient to allow clients that support SMTP STARTTLS to employ
> opportunistic TLS. See:
>
> http://www.postfix.org/TLS_README.html#quick-start
> AND http://www.postfix.org/postfix-tls.1.html
>
> > The MX-records of the hosted domains are pointing to my mailserver
> > and my mailserver is forwarding the mail to the destination mailserver
> > of the customer.
>
> Generate a certificate whose DNS subject alternative name is the DNS
> name of your MX host as it appears in the MX records of the customer
> domains.
>
> > Does the SSL certificate need to contain the domainnames of the
> > destination domains?
>
> A few broken senders aside, opportunistic TLS in SMTP does not
> validate the server certificate, and it makes little difference
> whether the certificate has a matching name, is "expired" or
> issued by a CA trusted by the sending SMTP client.
>
> That said, you should generally try to make your certificate
> broadly interoperable, and avoid leaving "expired" certificates
> in place, or not having the MX hostname as a DNS subject alternative
> name. However, you may, and often should employ your own CA, that
> will not be known to the sender.
>
> > Or is the FQDN of the active mailserver enough for good encryption?
>
> Some SMTP servers have no names in their certificate at all. See
> below my signature for an example. It is not necessarily a good
> idea to have such a minimal certificate, but it does interoperate
> with the vast majority of sending clients.
> The 1000-year lifetime
> is especially "cute", the administrator of the server in question
> truly understands that with opportunistic TLS only the public key
> matters, and the certificate is largely devoid of any extraneous
> information.
>
> --
> Viktor.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             c3:26:2b:13:ca:b1:36:72
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer:
>         Validity
>             Not Before: Jul 27 14:59:59 2014 GMT
>             Not After : Nov 27 14:59:59 3013 GMT
>         Subject:
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)