postfix 2.8.3 and linux-3.0
hi, i tried to compile postfix 2.8.3 running a 3.0_rc2 kernel (on gentoo), and it failed with the error: ATTENTION: Unknown system type: Linux 3.0.0-rc2 however, when i edited the makedefs file, everything compiled just fine. not sure if this is good fix, but either way here's my quick-and-dirty patch ;) --- makedefs.orig 2011-06-14 20:37:45.357441277 +0200 +++ makedefs2011-06-14 20:42:29.657437782 +0200 @@ -260,7 +260,7 @@ Linux.1*) SYSTYPE=LINUX1 SYSLIBS="-ldb" ;; -Linux.2*) SYSTYPE=LINUX2 +Linux.2*|Linux.3*) SYSTYPE=LINUX2 # Postfix no longer needs DB 1.85 compatibility if [ -f /usr/include/db.h ] then i only did a quick search in the mailinglist's archive so if someone has already reported this please ignore. take care ron
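Review bot: the new `Linux.3*` alternative in the `case` pattern matches any version string that begins with `Linux.3`, so a future `Linux.30` would also fall into `SYSTYPE=LINUX2`; if that matters, `Linux.3.*` pins the arm to the 3.x series, though the existing `Linux.2*` arm has the same looseness, so keeping the two consistent is a defensible choice. Folding 3.x into LINUX2 rather than adding a new SYSTYPE is consistent with the unchanged context (the DB 1.85 comment and the `/usr/include/db.h` check apply equally to both).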
Re: PATCH: postfix and linux-3.0
thank you for the quick response and patch!

ron

On 06/15/2011 01:48 AM, Wietse Venema wrote:
> Csillag Tamas:
>> quoting from here: https://lkml.org/lkml/2011/5/29/204
>> "So what are the big changes? NOTHING. Absolutely nothing. Sure, we have the usual two thirds driver changes, and a lot of random fixes, but the point is that 3.0 is *just* about renumbering..."
>
> In that case, the following patch will be sufficient for all supported Postfix releases.
>
> Wietse
Reliably distinguishing authorized vs unauthorized users
I am working on a spam filter. I want both incoming and outgoing messages to go through the filter, not because the outgoing messages need to be filtered, but because I want the filter to know who my authorized users have sent messages to because that is a very reliable indicator of non-spam. My setup requires users to authenticate, so postfix knows who they are. My question is: is there a reliable way to pass this information to a filter? I can't find anything about this in the documentation. Reverse engineering indicates that postfix puts an "Authenticated sender" note in the received-from header, but that can be forged. Is there a reliable way for a filter to tell if a message is from an authenticated user? Thanks, rg
Re: Reliably distinguishing authorized vs unauthorized users
On Jan 19, 2011, at 12:06 PM, John Adams wrote: > Am 19.01.2011 21:03, schrieb Ron Garret: >> I am working on a spam filter. I want both incoming and outgoing messages >> to go through the filter, not because the outgoing messages need to be >> filtered, but because I want the filter to know who my authorized users have >> sent messages to because that is a very reliable indicator of non-spam. My >> setup requires users to authenticate, so postfix knows who they are. My >> question is: is there a reliable way to pass this information to a filter? >> I can't find anything about this in the documentation. Reverse engineering >> indicates that postfix puts an "Authenticated sender" note in the >> received-from header, but that can be forged. Is there a reliable way for a >> filter to tell if a message is from an authenticated user? >> >> Thanks, >> rg >> > > Yes, spamassassin+amavisd-new. > spamassassin recognizes the authentication header put there by postfix. > There's plenty of documentation around how to do this kind of setup. Indeed there is a lot of info out there if you know where to look, I just wasn't looking in the right places. Thanks! rg
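The trust boundary behind the question above is the Received header: the copy written by your own smtpd is reliable, anything below it was inside the message when the client sent it. This added example (not from the thread, and not SpamAssassin's code) reads only the topmost Received header and accepts the login name only when that header names the trusted MTA; it assumes `mail.example.com` as that MTA, constructed sample messages, and that the MTA runs with `smtpd_sasl_authenticated_header = yes`, since otherwise Postfix does not record the name at all.

```python
import re
from email import message_from_string

TRUSTED_MTA = "mail.example.com"  # assumed: $myhostname of our own Postfix smtpd

# Constructed message. The top Received header is the one our smtpd wrote for a
# SASL-authenticated submission; the one below it arrived inside the client's
# DATA and is therefore client-supplied, whatever it claims.
SUBMITTED = """Received: from laptop.example.org (laptop.example.org [192.0.2.10])
    (Authenticated sender: alice)
    by mail.example.com (Postfix) with ESMTPSA id 4A1B2C3D4E
    for <bob@example.net>; Wed, 19 Jan 2011 12:00:00 -0800 (PST)
Received: from relay.example.net (relay.example.net [198.51.100.7])
    (Authenticated sender: mallory)
    by mail.example.com (Postfix) with ESMTPSA id 0BADC0FFEE
    for <bob@example.net>; Wed, 19 Jan 2011 11:59:00 -0800 (PST)
From: alice@example.com
To: bob@example.net
Subject: hello

body
"""

# Constructed inbound message from an unauthenticated MX: our own header carries
# no "Authenticated sender", but a forged one sits further down.
INBOUND = """Received: from mx.example.net (mx.example.net [203.0.113.5])
    by mail.example.com (Postfix) with ESMTP id 7F00DBEEF1
    for <bob@example.com>; Wed, 19 Jan 2011 12:05:00 -0800 (PST)
Received: from laptop.example.org (laptop.example.org [192.0.2.10])
    (Authenticated sender: alice)
    by mail.example.com (Postfix) with ESMTPSA id 4A1B2C3D4E
    for <bob@example.com>; Wed, 19 Jan 2011 12:04:00 -0800 (PST)
From: alice@example.com
To: bob@example.com
Subject: hello

body
"""

AUTH_RE = re.compile(r"\(Authenticated sender: ([^)\s]+)\)")
BY_RE = re.compile(r"\bby (\S+) \(Postfix\)")


def _received(raw: str) -> list:
    """All Received headers, top first, with folding whitespace collapsed."""
    msg = message_from_string(raw)
    return [re.sub(r"\s+", " ", h) for h in (msg.get_all("Received") or [])]


def authenticated_sender(raw: str, trusted_mta: str = TRUSTED_MTA):
    """SASL login name from the trusted MTA's own Received header, or None.

    Only the topmost Received header is consulted: it is the last one added,
    i.e. the one our own smtpd wrote when it accepted the message. Everything
    below it was already in the message when the client sent it.
    """
    hops = _received(raw)
    if not hops:
        return None
    by = BY_RE.search(hops[0])
    if by is None or by.group(1).lower() != trusted_mta.lower():
        return None
    m = AUTH_RE.search(hops[0])
    return m.group(1) if m else None


def client_supplied_claims(raw: str) -> list:
    """Login names asserted in Received headers below the top one (untrusted)."""
    names = []
    for hop in _received(raw)[1:]:
        names += AUTH_RE.findall(hop)
    return names
```

This only holds when the filter sits behind the MTA (a content_filter or a post-queue hop), so that the header it inspects was written by your own smtpd and not by the client.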
Relay host auth not working
I'm trying to set up a relay host with authentication according to these instructions:

http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/

but it's not working. I know my SMTP server is set up properly because I can send mail using various other clients, but postfix is apparently not even attempting to authorize. Here are the relevant lines from main.cf:

relayhost = secure.genesisgroup.info
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

Here is a log excerpt from my server from a successful login from a different client (python smtplib):

Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949: client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10], sasl_method=LOGIN, sasl_username=XXX

and here's the same thing when Postfix tries to connect between the same two machines:

Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=

As you can see, postfix is not even attempting to authorize.

What am I doing wrong? This postfix is running on EC2 using one of their stock images. A full postconf dump is attached.
Thanks, rg
Re: Relay host auth not working
On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote: > On 7/11/2011 8:12 PM, Ron Garret wrote: >> I'm trying to set up a relay host with authentication according to these >> instructions: >> >> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/ >> >> but it's not working. I know my SMTP server is set up properly because I >> can send mail using various other clients, but postfix is apparently not >> even attempting to authorize. Here are the relevant lines from main.cf: >> >> relayhost = secure.genesisgroup.info >> smtp_sasl_auth_enable = yes >> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd >> smtp_sasl_security_options = >> >> Here is a log excerpt from my server from a successful login from a >> different client (python smtplib): >> >> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from >> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949: >> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10], >> sasl_method=LOGIN, sasl_username=XXX >> >> and here's the same thing when Postfix tries to connect between the same two >> machines: >> >> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from >> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from >> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1 >> : Relay access denied; from= >> to= proto=ESMTP helo= >> >> As you can see, postfix is not even attempting to authorize. >> >> What am I doing wrong? > > You're not telling us what you're attempting to accomplish for starters. Sorry, I thought that would be clear from the context. I'm trying to do exactly what you say: > When you specify relayhost you're telling Postfix to forward all non > local outbound mail to a gateway instead of delivering it directly to > internet MX destinations. Yes, that is exactly what I'm trying to do. 
The reason is that mail sent directly from an EC2 instance is usually flagged as spam by many mail recipients because the reverse DNS doesn't resolve properly. > You're showing smtpd logging, but the relayhost parameter applies to > smtp, not smtpd. Your logging shows a host connecting to your Postfix > server, not your Postfix server connecting to secure.genesisgroup.info. The log excerpts are taken from the postfix server on secure.genesisgroup.info, which is the machine I want to use to relay outbound mail from the EC2 instance. Sorry that wasn't clear. > Either you don't understand the relayhost parameter, or I simply don't > understand your goal here, or probably both. Well, I'm clearly missing something. But I don't think it's the relayhost parameter. rg
Re: Relay host auth not working
On Jul 11, 2011, at 11:03 PM, Jeroen Geilman wrote:

> On 2011-07-12 07:12, Ron Garret wrote:
>> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>>
>>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>>> I'm trying to set up a relay host with authentication according to these
>>>> instructions:
>>>>
>>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>>
>>>> but it's not working. I know my SMTP server is set up properly because I
>>>> can send mail using various other clients, but postfix is apparently not
>>>> even attempting to authorize. Here are the relevant lines from main.cf:
>
> No.
> Include the FULL output from postconf -n,

[ron@domU-12-31-39-00-E6-ED:~]$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = sunfire-offices.com
myhostname = mail.sunfire-offices.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost = secure.genesisgroup.info
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
unknown_local_recipient_reject_code = 550

> or, even better, the postfinger tool.

Postfinger - Postfix Configuration on Tue Jul 12 06:08:45 UTC 2011
$Revision: 1.25 $

Warning: Postfinger output may show private configuration information, such as ip addresses and/or domain names which you do not want to show to the public. If this is the case it is your responsibility to modify the output to hide this private information. [Remove this warning with the --nowarn option.]

--System Parameters--
mail_version = 2.6.6
hostname = domU-12-31-39-00-E6-ED
uname = Linux domU-12-31-39-00-E6-ED 2.6.35.11-83.9.amzn1.x86_64 #1 SMP Sat Feb 19 23:42:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from a RPM package: postfix-2.6.6-2.8.amzn1.x86_64

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
inet_interfaces = localhost
inet_protocols = all
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydomain = sunfire-offices.com
myhostname = mail.sunfire-offices.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost = secure.genesisgroup.info
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

--master.cf--
smtp       inet  n  -  n  -      -  smtpd
pickup     fifo  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
        -o smtp_fallback_relay=
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache
-- end of Postfinger output --

> We can only guess what you're doing wrong now.

I did include the output from postconf at the end of my original message.

rg
Re: Relay host auth not working
On Jul 11, 2011, at 11:07 PM, Stan Hoeppner wrote: > On 7/12/2011 12:12 AM, Ron Garret wrote: >> >> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote: >> >>> On 7/11/2011 8:12 PM, Ron Garret wrote: >>>> I'm trying to set up a relay host with authentication according to these >>>> instructions: >>>> >>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/ >>>> >>>> but it's not working. I know my SMTP server is set up properly because I >>>> can send mail using various other clients, but postfix is apparently not >>>> even attempting to authorize. Here are the relevant lines from main.cf: >>>> >>>> relayhost = secure.genesisgroup.info >>>> smtp_sasl_auth_enable = yes >>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd >>>> smtp_sasl_security_options = >>>> >>>> Here is a log excerpt from my server from a successful login from a >>>> different client (python smtplib): >>>> >>>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from >>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >>>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949: >>>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10], >>>> sasl_method=LOGIN, sasl_username=XXX >>>> >>>> and here's the same thing when Postfix tries to connect between the same >>>> two machines: >>>> >>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from >>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from >>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1 >>>> : Relay access denied; >>>> from= to= proto=ESMTP >>>> helo= >>>> >>>> As you can see, postfix is not even attempting to authorize. >>>> >>>> What am I doing wrong? >>> >>> You're not telling us what you're attempting to accomplish for starters. >> >> Sorry, I thought that would be clear from the context. 
I'm trying to do >> exactly what you say: >> >>> When you specify relayhost you're telling Postfix to forward all non >>> local outbound mail to a gateway instead of delivering it directly to >>> internet MX destinations. >> >> Yes, that is exactly what I'm trying to do. The reason is that mail sent >> directly from an EC2 instance is usually flagged as spam by many mail >> recipients because the reverse DNS doesn't resolve properly. >> >>> You're showing smtpd logging, but the relayhost parameter applies to >>> smtp, not smtpd. Your logging shows a host connecting to your Postfix >>> server, not your Postfix server connecting to secure.genesisgroup.info. >> >> >> The log excerpts are taken from the postfix server on >> secure.genesisgroup.info, which is the machine I want to use to relay >> outbound mail from the EC2 instance. Sorry that wasn't clear. > > Ok, now the logging snippets make sense. I'm guessing you simply need > to add permit_sasl_authenticated to your smtpd_client_restrictions on > host secure.genesisgroup.info, or if you use the "everything under > smtpd_recipient_restrictions" main.cf style you'd do: > > smtpd_recipient_restrictions = >permit_mynetworks > permit_sasl_authenticated >reject_unauth_destination > ... No, that's not the problem. I already have exactly that on secure.genesisgroup.info. (See below.) And I have multiple clients successfully using that host for authenticated SMTP, including a python client running on the same machine that the non-working (in this respect) postfix is running on. > You provided 'postconf -d' instead of 'postconf -n', so it's impossible > for me to tell what your parameters actually are. "-d" simply shows the > Postfix defaults. Please provide 'postconf -n' so we can wrap this > thread up, assuming permit_sasl_authenticated doesn't fix the problem. Actually, it was postconf with no arguments. 
Here is postconf -n: [ron@domU-12-31-39-00-E6-ED:~]$ postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debug_peer_level = 2 html_dire
Re: Relay host auth not working
On Jul 11, 2011, at 11:17 PM, Mike Morris wrote: > On 07/11/2011 10:12 PM, Ron Garret wrote: >> >> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote: >> >>> On 7/11/2011 8:12 PM, Ron Garret wrote: >>>> I'm trying to set up a relay host with authentication according to these >>>> instructions: >>>> >>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/ >>>> >>>> but it's not working. I know my SMTP server is set up properly because I >>>> can send mail using various other clients, but postfix is apparently not >>>> even attempting to authorize. Here are the relevant lines from main.cf: >>>> >>>> relayhost = secure.genesisgroup.info >>>> smtp_sasl_auth_enable = yes >>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd >>>> smtp_sasl_security_options = >>>> >>>> Here is a log excerpt from my server from a successful login from a >>>> different client (python smtplib): >>>> >>>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from >>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >>>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949: >>>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10], >>>> sasl_method=LOGIN, sasl_username=XXX >>>> >>>> and here's the same thing when Postfix tries to connect between the same >>>> two machines: >>>> >>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from >>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from >>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1 >>>> : Relay access denied; >>>> from= to= proto=ESMTP >>>> helo= >>>> >>>> As you can see, postfix is not even attempting to authorize. >>>> >>>> What am I doing wrong? >>> >>> You're not telling us what you're attempting to accomplish for starters. >> >> Sorry, I thought that would be clear from the context. 
I'm trying to do >> exactly what you say: >> >>> When you specify relayhost you're telling Postfix to forward all non >>> local outbound mail to a gateway instead of delivering it directly to >>> internet MX destinations. >> >> Yes, that is exactly what I'm trying to do. The reason is that mail sent >> directly from an EC2 instance is usually flagged as spam by many mail >> recipients because the reverse DNS doesn't resolve properly. >> >>> You're showing smtpd logging, but the relayhost parameter applies to >>> smtp, not smtpd. Your logging shows a host connecting to your Postfix >>> server, not your Postfix server connecting to secure.genesisgroup.info. >> >> >> The log excerpts are taken from the postfix server on >> secure.genesisgroup.info, which is the machine I want to use to relay >> outbound mail from the EC2 instance. Sorry that wasn't clear. >> >>> Either you don't understand the relayhost parameter, or I simply don't >>> understand your goal here, or probably both. >> >> >> Well, I'm clearly missing something. But I don't think it's the relayhost >> parameter. >> >> rg >> > > As stated by Jeroen, supplying the list with the output of 'postconf -n' > would be much more preferred than sending the entire output of > 'postconf'. There is no need for people to wade through hundreds of > lines that are configured for default values. Sorry, I'm still kinda new at this. > The server at secure.genesisgroup.info only advertises AUTH support > after STARTTLS. Therefore, in order to successfully authenticate with > that server from the client at 184.73.65.10, the following configuration > changes will need to be made on 184.73.65.10: > > Configure smtp_tls_security_level and/or smtp_tls_policy_maps, using at > least a setting of 'may'. This will allow the SMTP client to attempt > STARTTLS connections with remote hosts. Ah. I thought SASL implied TLS, but I guess it doesn't. 
So I tried adding:

smtp_sasl_security_options = auth
smtp_tls_security_level = may

And now I get "unknown mail transport error" on the client side, and this on the server side:

Jul 11 23:30:51 vm01 postfix/smtpd[22169]: connect from ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
Jul 11 23:30:52 vm01 postfix/smtpd[22169]: lost connection after EHLO from ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
Jul 11 23:30:52 vm01 postfix/smtpd[22169]: disconnect from ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]

> Set smtp_sasl_security_options = noanonymous (or whatever is
> appropriate). The remote server at secure.genesisgroup.info advertises
> the following: AUTH PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
>
> Read the TLS_README and SASL_README files for more information.

Will do. At least now I know where to look to make further progress. Thanks!

rg
Re: Relay host auth not working
On Jul 12, 2011, at 12:13 AM, Stan Hoeppner wrote: > On 7/12/2011 1:37 AM, Ron Garret wrote: >> >> On Jul 11, 2011, at 11:17 PM, Mike Morris wrote: > >>> Configure smtp_tls_security_level and/or smtp_tls_policy_maps, using at >>> least a setting of 'may'. This will allow the SMTP client to attempt >>> STARTTLS connections with remote hosts. >> >> Ah. I thought SASL implied TLS, but I guess it doesn't. >> >> So I tried adding: >> >> smtp_sasl_security_options = auth >> smtp_tls_security_level = may >> >> And now I get "unknown mail transport error" on the client side, and this on >> the server side: >> >> Jul 11 23:30:51 vm01 postfix/smtpd[22169]: connect from >> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >> Jul 11 23:30:52 vm01 postfix/smtpd[22169]: lost connection after EHLO from >> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >> Jul 11 23:30:52 vm01 postfix/smtpd[22169]: disconnect from >> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >> >>> Set smtp_sasl_security_options = noanonymous (or whatever is >>> appropriate). The remote server at secure.genesisgroup.info advertises >>> the following: AUTH PLAIN DIGEST-MD5 CRAM-MD5 LOGIN >>> >>> Read the TLS_README and SASL_README files for more information. >> >> Will do. At least now I know where to look to make further progress. >> Thanks! > > Since this is a server to server relay of known/trusted systems, and > assuming that 184.73.65.10 is static and won't change any time soon, why > not simply add 184.73.65.10 to $mynetworks on secure.genesisgroup.info > and forget the sasl auth junk? This should get the relaying working > instantly with little or no pitfalls. That's a good idea. The reason I didn't do it this way is that I can't count on the client IP remaining static. Also, I like to understand how things work, and I don't like to admit defeat :-) rg
Re: Relay host auth not working
On Jul 11, 2011, at 11:37 PM, Ron Garret wrote: > > On Jul 11, 2011, at 11:17 PM, Mike Morris wrote: > >> On 07/11/2011 10:12 PM, Ron Garret wrote: >>> >>> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote: >>> >>>> On 7/11/2011 8:12 PM, Ron Garret wrote: >>>>> I'm trying to set up a relay host with authentication according to these >>>>> instructions: >>>>> >>>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/ >>>>> >>>>> but it's not working. I know my SMTP server is set up properly because I >>>>> can send mail using various other clients, but postfix is apparently not >>>>> even attempting to authorize. Here are the relevant lines from main.cf: >>>>> >>>>> relayhost = secure.genesisgroup.info >>>>> smtp_sasl_auth_enable = yes >>>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd >>>>> smtp_sasl_security_options = >>>>> >>>>> Here is a log excerpt from my server from a successful login from a >>>>> different client (python smtplib): >>>>> >>>>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from >>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >>>>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949: >>>>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10], >>>>> sasl_method=LOGIN, sasl_username=XXX >>>>> >>>>> and here's the same thing when Postfix tries to connect between the same >>>>> two machines: >>>>> >>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from >>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10] >>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from >>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1 >>>>> : Relay access denied; >>>>> from= to= proto=ESMTP >>>>> helo= >>>>> >>>>> As you can see, postfix is not even attempting to authorize. >>>>> >>>>> What am I doing wrong? >>>> >>>> You're not telling us what you're attempting to accomplish for starters. 
>>> >>> Sorry, I thought that would be clear from the context. I'm trying to do >>> exactly what you say: >>> >>>> When you specify relayhost you're telling Postfix to forward all non >>>> local outbound mail to a gateway instead of delivering it directly to >>>> internet MX destinations. >>> >>> Yes, that is exactly what I'm trying to do. The reason is that mail sent >>> directly from an EC2 instance is usually flagged as spam by many mail >>> recipients because the reverse DNS doesn't resolve properly. >>> >>>> You're showing smtpd logging, but the relayhost parameter applies to >>>> smtp, not smtpd. Your logging shows a host connecting to your Postfix >>>> server, not your Postfix server connecting to secure.genesisgroup.info. >>> >>> >>> The log excerpts are taken from the postfix server on >>> secure.genesisgroup.info, which is the machine I want to use to relay >>> outbound mail from the EC2 instance. Sorry that wasn't clear. >>> >>>> Either you don't understand the relayhost parameter, or I simply don't >>>> understand your goal here, or probably both. >>> >>> >>> Well, I'm clearly missing something. But I don't think it's the relayhost >>> parameter. >>> >>> rg >>> >> >> As stated by Jeroen, supplying the list with the output of 'postconf -n' >> would be much more preferred than sending the entire output of >> 'postconf'. There is no need for people to wade through hundreds of >> lines that are configured for default values. > > Sorry, I'm still kinda new at this. > >> The server at secure.genesisgroup.info only advertises AUTH support >> after STARTTLS. Therefore, in order to successfully authenticate with >> that server from the client at 184.73.65.10, the following configuration >> changes will need to be made on 184.73.65.10: >> >> Configure smtp_tls_security_level and/or smtp_tls_policy_maps, using at >> least a setting of 'may'. This will allow the SMTP client to attempt >> STARTTLS connections with remote hosts. > > Ah. 
> I thought SASL implied TLS, but I guess it doesn't.
>
> So I tried adding:
>
> smtp_sasl_security_options = auth
> smtp_tls_security_level = may
>
> And now I get "unknown mail transport error" on the client side, and this on
> the server side:

Just for the record, this worked:

smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may

Thanks for all the responses!

rg
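The thread's failure mode is worth making mechanical: the relay advertises AUTH only after STARTTLS, so with `smtp_tls_security_level` unset the Postfix client never sees AUTH and delivers unauthenticated, and an undocumented `smtp_sasl_security_options` value does not help either. This added example (mine, not the thread's or Postfix's code) models that decision over two constructed EHLO replies standing in for secure.genesisgroup.info; it only models the `noplaintext` and `noanonymous` options, and the mechanism lists are illustrative.

```python
from dataclasses import dataclass, field

# Constructed EHLO replies, modelled on the thread: the relay host offers
# STARTTLS in the clear but advertises AUTH only inside the TLS session.
EHLO_PLAINTEXT = """250-relay.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

EHLO_AFTER_STARTTLS = """250-relay.example.invalid
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

# Values the Postfix documentation lists for smtp_sasl_security_options.
VALID_OPTIONS = {"noplaintext", "noactive", "nodictionary", "noanonymous", "mutual_auth"}
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # password travels in the clear unless TLS is up
ANONYMOUS_MECHS = {"ANONYMOUS"}


def parse_ehlo(reply: str) -> dict:
    """Map each EHLO keyword to its parameters; line one is the greeting."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"not an EHLO success line: {line!r}")
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def parse_options(options: str) -> set:
    """Split a comma/space separated list; reject values Postfix does not document."""
    opts = {o.lower() for o in options.replace(",", " ").split()}
    unknown = opts - VALID_OPTIONS
    if unknown:
        raise ValueError(f"undocumented smtp_sasl_security_options value(s): {sorted(unknown)}")
    return opts


@dataclass
class Verdict:
    ok: bool
    tls: bool
    mechanisms: list = field(default_factory=list)
    reason: str = ""


def diagnose(plain_caps, tls_caps, tls_level="none", sasl_options="", tls_sasl_options=None):
    """Model whether the Postfix SMTP client would authenticate with these settings."""
    if tls_sasl_options is None:  # Postfix default: smtp_sasl_tls_security_options = $smtp_sasl_security_options
        tls_sasl_options = sasl_options
    tls, caps, opts = False, plain_caps, parse_options(sasl_options)
    if tls_level != "none":
        if "STARTTLS" in plain_caps:
            # After STARTTLS the client re-issues EHLO and sees the TLS-only capabilities.
            tls, caps, opts = True, tls_caps, parse_options(tls_sasl_options)
        elif tls_level != "may":
            return Verdict(False, False, reason="TLS is mandatory but the server offers no STARTTLS")
    if "AUTH" not in caps:
        return Verdict(False, tls, reason="no AUTH advertised in this session: the client delivers "
                       "unauthenticated, which is what the 'Relay access denied' log shows")
    mechs = caps["AUTH"]
    if "noplaintext" in opts:
        mechs = [m for m in mechs if m not in PLAINTEXT_MECHS]
    if "noanonymous" in opts:
        mechs = [m for m in mechs if m not in ANONYMOUS_MECHS]
    # noactive, nodictionary and mutual_auth are accepted but not modelled here.
    if not mechs:
        return Verdict(False, tls, reason="no advertised mechanism satisfies the security options "
                       "(Cyrus SASL reports 'No worthy mechs found')")
    return Verdict(True, tls, mechs)
```

Note the `tls_sasl_options` split: once TLS is up Postfix consults `smtp_sasl_tls_security_options`, which defaults to `$smtp_sasl_security_options`, so `noplaintext` keeps excluding PLAIN and LOGIN even inside TLS unless the TLS-specific parameter is relaxed.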
Re: Postscreen and exceptions
On 01/06/2013 12:29 PM, John Levine wrote:
>> Don't use spamcop, or use it only with small weight in a scoring system.
>
> I agree that Spamcop used to be awful, with vast numbers of false alarms. But since Ironport bought them several years ago, there's been a nearly complete turnover of staff and it's much better run. Take another look. I find its false positive rates down with Spamhaus' now.

I presume you're not talking about the Spamhaus DBL, which is quite awful.

- Ron
block remote clients
Hi, I'm trying to configure Postfix in a way that it will block post from remote clients to local (system) users of the mail server. In my current configuration I set "local_transport = error:local delivery is disabled" but I don't like it. Is there another way to configure Postfix so it will reject post to system users from remote clients and at the same time will accept posts from $myorigin? Thanks, Ron
Re: block remote clients
On 03/20/2013 06:22 PM, Reindl Harald wrote:
> On 20.03.2013 17:17, Ron Rondis wrote:
>> I'm trying to configure Postfix in a way that it will block post from remote clients to local (system) users of the mail server. In my current configuration I set "local_transport = error:local delivery is disabled" but I don't like it. Is there another way to configure Postfix so it will reject post to system users from remote clients and at the same time will accept posts from $myorigin?
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     permit_sasl_authenticated
>
> i would wonder how a system-users passes the fqdn check and before "permit_sasl_authenticated" it will also reject mistakes from authenticated users

Still accepts the mail. I'll try to clarify, what I like to have is:

1. reject remote client post to @mail., @localhost.
2. accept remote client post to @
3. accept local client (i.e. from localhost) post to @mail.domain>, @localhost.
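One way to get the three behaviours listed above with smtpd restrictions alone, as an added example that is not from the thread: it assumes `example.com` stands in for the poster's elided domain, that the loopback network is in `$mynetworks` (the default with `mynetworks_style = subnet`), and that `mail.example.com` and `localhost` are in `$mydestination`. Order matters: `permit_mynetworks` and `permit_sasl_authenticated` admit local and authenticated clients before the recipient check, and `reject_unauth_destination` still has to close the relay afterwards.

```text
# main.cf
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_recipient_access hash:/etc/postfix/system_user_domains
    reject_unauth_destination

# /etc/postfix/system_user_domains   (then: postmap /etc/postfix/system_user_domains)
# A bare domain key matches every recipient in that domain, so user@localhost and
# user@mail.example.com are rejected for any client that did not pass the permits.
localhost               REJECT mail to system accounts is not accepted from outside
localhost.example.com   REJECT mail to system accounts is not accepted from outside
mail.example.com        REJECT mail to system accounts is not accepted from outside
```

Mail submitted locally through sendmail(1) and pickup never passes through smtpd restrictions, so it is unaffected either way; only the SMTP path is gated.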
Re: mailman issue
On 04/05/2014 06:40 PM, Curtis Maurand wrote:
> Sahil Tandon wrote:
>> On Fri, 2014-04-04 at 14:55:49 -0400, Curtis Maurand wrote:
>>
>>> I'm getting local user unknown errors when I try to send email to the
>>> list, but as far as I know, I shouldn't need local aliases with this
>>> configuration that anything destined for lists.delrc.org should go to
>>> mailman and that's that. I know that I'm missing a detail somewhere.
>>> I had all of this working prior to this, but I had a server meltdown
>>> the other day and my configs were blown away with it and for whatever
>>> reason, I can't find any backups. :-(
>>
>> Typically, you have to update the alias_maps definition, so that Postfix
>> is made aware of valid Mailman addresses. In your follow-up, include the
>> output of 'postconf -n' rather than snippets from main.cf. See:
>>
>> http://www.gnu.org/software/mailman/mailman-install/postfix-integration.html
>> http://www.postfix.org/postconf.5.html#alias_maps
>>
> I'll remember to do that. However, I was told of a way to configure it in
> such a way that using transport maps all you had to do was to create the
> list and there would be no alias management.

In the end, with the transport method, which I use, along with postfix-to-mailman.py, you're still better off using aliases. (I don't remember the reason why, possibly bounce/spam related.) These can be auto-generated by Mailman though.

In mm_cfg.py I have this to generate the aliases:
MTA='Postfix'

In main.cf I use the aliases under:
alias_maps hash:/var/lib/mailman/data/aliases

In my master.cf for the mailman transport, I have ${user} where you have ${mailbox}, don't know if that's got anything to do with it.

If you want to use the autogenerated aliases, at this point, you're going to need to generate them yourself first. This for me would look like:
/usr/lib/mailman/bin/genaliases

And of course, don't forget to restart Mailman if you change mm_cfg.py (before running genaliases) and HUP Postfix if you change that.

- Ron
Re: mailman issue
On 04/05/2014 10:38 PM, Curtis Maurand wrote:
> Ron Guerin wrote:
>>
>> In mm_cfg.py I have this to generate the aliases:
>> MTA='Postfix'
>>
>> In main.cf I use the aliases under:
>> alias_maps hash:/var/lib/mailman/data/aliases
>>
>> In my master.cf for the mailman transport, I have ${user} where you
>> have ${mailbox}, don't know if that's got anything to do with it.
>>
>> If you want to use the autogenerated aliases, at this point, you're
>> going to need to generate them yourself first. This for me would look
>> like:
>> /usr/lib/mailman/bin/genaliases
>>
>> And of course, don't forget to restart Mailman if you change mm_cfg.py
>> (before running genaliases) and HUP Postfix if you change that.
>
> My setup is a bit different. I'm using dbmail and I have to add the
> aliases to the aliases table, there. I can do that, but was trying to
> avoid it. I was told about and I had an alternate configuration working
> where alias maintenance was completely unnecessary. It had to do with
> setting up the mailman_to_postfix.py script and transport_maps. I wish I
> could find the backups of my original configuration. It's driving me
> crazy. I missed a detail, but I can't remember exactly what it is. Very
> annoying.

Why do the Mailman aliases need to be in dbmail? I use MySQL, but there's absolutely no need for these to be in the database. If you allow Mailman to autogenerate them, there is no alias maintenance. Just set it up like you see above. Add to the alias_maps in main.cf, rather than replacing whatever you're doing with dbmail.

Aside, some Googling says "I'm doing it wrong" using both, and that there's really no reason why anyone should be using postfix-to-mailman.py. Take that under consideration along with what I said about dbmail not needing to know about Mailman's aliases. Let Mailman manage Mailman's aliases. They've got nothing to do with anything else except Postfix.

- Ron
Re: Outgoing spam problem
Limit the number of destinations (recipients) allowed in an e-mail.
Limit the number of e-mails per minute or half minute or whatever frequency you observe as their pattern.
Put in a SPAM filter on outgoing mail and drop SPAM.
Block repeated violations from 1 IP. Just lock them out for a couple of hours. That may stop them from trying to use your services.

On 10/04/2014 7:14 PM, AFCommerce wrote:
> A few things you can do:
>
> 1. Many spammers can switch their IP address but you should blacklist any IP that signs up for an account and spams; it will slow them down at least.
> 2. The 100 cap per day is a good idea but I'd lower it to 5 messages a day, increasing by a couple messages cap per week. They will then likely have to build up time before they will waste the account, but this gives you time to build a log-in history of IPs. Block anyone whose IP changes often or at least watch those accounts.
> 3. Block certain countries that cause the most spam, China and Russia to start.
> 4. Content filtering helps but keep in mind most spammers are already tricking most common filters since they want to also trick major ISPs like yahoo to accept their mail. Instead, or in addition to a standard filter, start looking for common patterns in their links and images, as well as headers and HTML signature.
> 5. Force a back up email address or phone number as part of sign up. You may want it to be easy to sign up but since you can't really stop a dedicated spam team, your goal is to make using your system annoying enough to make them move on to someone else.
>
> Just some ideas to get you thinking, expect this problem to be ongoing, providers like yahoo spend millions of dollars fighting this problem, there's no quick fix.
>
> Sent from my iPhone
>
> On Apr 10, 2014, at 6:49 PM, LuKreme wrote:
>> On 10 Apr 2014, at 07:58 , Marcin Szymonik wrote:
>>> Hello,
>>> We run a free accounts mail server (like gmail) and we struggle with the outgoing spam problem. Spammers abuse our service by creating accounts and then sending out spam. It is very easy and free to create an account and we want it to stay that way so blocking or removing spammers accounts is not a solution - they can easily create many new accounts. They use tens of different IP addresses and send from different locations and countries so per IP limits really don't work. Many of their IPs aren't listed on any RBL at all. I feel it would be hard to filter them by message contents - they avoid patterns by changing headers (even an encoding), message texts or links if they add any. How can we fight this?
>>
>> Require a valid email address to send a confirmation for account sign up. Restrict new accounts to sending email only to one destination address. Restrict new accounts to a few dozen emails a day and restrict ALL accounts to something like 100 a day maximum unless they request an increase and seem legit (this requires human intervention).
>>
>> The alternative is to have your system blacklisted as a spam source. Keep in mind that many mail admins will have their own blacklists, so even if you don't get on RBLs or get cleaned up and off RBLs, you may never get off a particular mail-server's blacklist.
>>
>>> How other free mail service providers block this?
>>
>> Some implement Captchas, but as a user I find these horribly annoying and it often takes me 4 or 5 attempts to 'solve' them. I also don't think they are at all effective as the botnets and spammers have networks of people solving them for them.
>>
>> --
>> If you could do a sort of relief map of sinfulness, wickedness and all-round immorality, rather like those representations of the gravitational field around a Black Hole, then even in Ankh-Morpork the Shades would be represented by a shaft. In fact the Shades was remarkably like the aforesaid well-known astrological phenomenon: it had a certain strong attraction, no light escaped from it, and it could indeed become a gateway to another world. The next one.

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
Re: Accept external SMTP traffic only from MX hosts
Another approach to reduce SPAM would be to use fail2ban to shut out, for a "reasonable" period, IP addresses that are sending a "lot" of SPAM in a "short" period.

Ron

On 23/04/2014 3:56 PM, Larry Stone wrote:
> On Wed, 23 Apr 2014, James B. Byrne wrote:
>> Does the idea of configuring Postfix so that external (to our network) smtp connections are only accepted from servers identified with MX records for the connecting IP address make any sense? Is it possible?
>
> No, it makes no sense at all. MX records define what hosts RECEIVE mail for a domain. They say nothing about what hosts should be SENDING mail for a domain. Many large ISPs use separate systems for receiving and sending mail. What you want to do will reject large quantities of legitimate mail.
>
> --
> Larry Stone
> lston...@stonejongleux.com

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
Re: Accept external SMTP traffic only from MX hosts
1) I am blocking sites that:
a) send SPAM to addresses in our domain
b) have broken one of our e-mail passwords and try to send bulk mail through our server by faking an Artifact Software user.

If postfix or spamassassin detects this behaviour, it blocks it as best as it can (without making legitimate e-mail hard to send) and creates log events which fail2ban picks up and blocks the offending IP for a while.

2) We block relaying of mail by unauthenticated users. Any employee who is not on a local network must use a username and password to send a mail. Postfix supports this easily and is the way to close an open relay. I am often out of the office as are most of the employees and this works fine.

If you are using Postfix, you will find the recipes in "The Book of Postfix" which is worth buying.

What e-mail client are you using? I use Thunderbird but others use Outlook and it all works with a simple set up.

I hope that this helps.

Ron

On 23/04/2014 7:43 PM, John Griessen wrote:
> On 04/23/2014 04:07 PM, Ron Wheeler wrote:
>> Another approach to reduce SPAM would be to use fail2ban to shut out, for a "reasonable" period, IP addresses that are sending a "lot" of SPAM in a "short" period.
>
> Hi, Are you meaning to allow relaying that way, or just for mail that has a destination at your server?
>
> I've been trying to figure how to get my mail server to do TLS, but then found my idea of do TLS was about sealing off any but a whitelist of senders, and the list folk think differently, but then my wife wanted it on a trip, and it became too complicated to do with my old setup.
>
> So now, I'm planning to switch to dovecot for IMAP mail, and not sure what security for on the road uses, and not sure at all what is practical for smart-phone uses, and the list folk seem to hate OT anything, and howto a complete server setup they definitely put in OT category.
>
> So, if you've found a limiting way that doesn't get you blacklisted, I'm all ears.
>
> John Griessen
> Already blacklisted for no discernible reason by yahoo.com for bounces from a mailman list I run...

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
Re: server side postfix tactics.
People use phones with our e-mail setup. (There are only a few dinosaurs using a desktop for communication.)

On 23/04/2014 11:14 PM, John Griessen wrote:
> On 04/23/2014 08:30 PM, Ron Wheeler wrote:
>> If you are using Postfix, you will find the recipes in "The Book of Postfix" which is worth buying.
>>
>> What e-mail client are you using? I use Thunderbird but others use Outlook and it all works with a simple set up.
>>
>> I hope that this helps.
>
> I use thunderbird on a desktop. Do you have any people that use their phones to email? Your methods don't use any client side anything, so that works just as well, right?
>
> Thanks,
> John Griessen

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
Re: Accept external SMTP traffic only from MX hosts
On 23/04/2014 7:43 PM, John Griessen wrote:
> On 04/23/2014 04:07 PM, Ron Wheeler wrote:
>> Another approach to reduce SPAM would be to use fail2ban to shut out, for a "reasonable" period, IP addresses that are sending a "lot" of SPAM in a "short" period.
>
> Hi, Are you meaning to allow relaying that way, or just for mail that has a destination at your server?

We do not allow relaying from any unauthenticated user. I want to prevent legitimate users (our staff) from sending SPAM. This prevents a hacked account from being used.

We use Spamassassin to detect and kill incoming SPAM. We could block the source of these but are too small to differentiate between legitimate e-mail addressed to most of the staff and spam to everyone.

> I've been trying to figure how to get my mail server to do TLS, but then found my idea of do TLS was about sealing off any but a whitelist of senders, and the list folk think differently, but then my wife wanted it on a trip, and it became too complicated to do with my old setup.

You need clients that can authenticate which is pretty common and you need to set up Postfix to authenticate a user before accepting SMTP messages that need to be relayed out of your network.

> So now, I'm planning to switch to dovecot for IMAP mail, and not sure what security for on the road uses, and not sure at all what is practical for smart-phone uses, and the list folk seem to hate OT anything, and howto a complete server setup they definitely put in OT category.

We use dovecot. You need to use fail2ban to prevent dovecot from dictionary attacks or other probing to break passwords.

> So, if you've found a limiting way that doesn't get you blacklisted, I'm all ears.

There is no guarantee since hackers are always finding new things to try. I have tried to stop anyone from mounting attacks or sneaking into our Postfix but I still monitor the message queue for evidence that someone has got in.

> John Griessen
> Already blacklisted for no discernible reason by yahoo.com for bounces from a mailman list I run...

Getting off blacklists is possible but takes time.

Ron

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
Re: Best anti-spam
Stroller wrote:
> On 22 Oct 2008, at 12:56, Richard Foley wrote:
>> ...
>> spam_ip_regex file:
>> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be connecting from a Dynamic IP address.
>>
>> This looks fairly useful. Does anyone else have any experience with this approach, who might be able to offer insight into whether it's valid or not?
>
> My experience is on the butt-end of such filters - they're a sure fire way to annoy me if I'm sending you mail. I run a Postfix server on my home ADSL connection and it is extremely frustrating to have mail rejected because of that.
>
> The common response of admins to complaints about this is "you should use your ISP's mail server", but really it is just nice to have a proper "receipt" for emails one has sent. If a message appears undelivered (it may have been incorrectly classified as spam by the recipient's filter) then, using Postfix & connecting directly, I can say "the mailserver listed in your domain's MX records acknowledged receipt for this message at $time on $date; here's the log entry". If I use my ISP's relay then the blame is uncertain

I'm in the same boat. One suggestion (if you are not already doing so) is to take advantage of the fact that you can easily tell Postfix to send email for only the problem domains through your ISP and direct-deliver all the rest. Whenever I encounter a problem with a particular domain I just add it to the list of domains to transport through my ISP.

-- Ron
Stopping backscatter spam to a specific domain
I have recently come under a backscatter spam attack from one specific domain. This domain has blacklisted my server's IP address, and so bounce replies sent to this domain are piling up in my mail queue and I have to go through periodically and manually delete them. I don't want to disable bounce messages in general because I don't want incoming messages with typos in the destination address to just vanish into the cosmic void. Is there a way to disable bounce replies for a specific domain?

Thanks,
rg
Re: Stopping backscatter spam to a specific domain
On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
> Ron Garret:
>> I have recently come under a backscatter spam attack from one
>> specific domain. This domain has blacklisted my server's IP
>> address, and so bounce replies sent to this domain are piling up
>> in my mail queue and I have to go through periodically and manually
>> delete them. I don't want to disable bounce messages in general
>> because I don't want incoming messages with typos in the destination
>> address to just vanish into the cosmic void. Is there a way to
>> disable bounce replies for a specific domain?
>
> Why is your server sending bounces (or any other email) to that
> domain?

Because spammers are sending messages with forged return-path headers to invalid addresses on my server. It's called backscatter:

https://en.wikipedia.org/wiki/Backscatter_(email)

It's actually possible that I'm sending backscatter spam to other domains, but only one has blacklisted me so far.

rg
Re: Stopping backscatter spam to a specific domain
On Jul 11, 2021, at 10:12 AM, Wietse Venema wrote:
> Ron Garret:
>>
>> On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
>>
>>> Ron Garret:
>>>> I have recently come under a backscatter spam attack from one
>>>> specific domain. This domain has blacklisted my server's IP
>>>> address, and so bounce replies sent to this domain are piling up
>>>> in my mail queue and I have to go through periodically and manually
>>>> delete them. I don't want to disable bounce messages in general
>>>> because I don't want incoming messages with typos in the destination
>>>> address to just vanish into the cosmic void. Is there a way to
>>>> disable bounce replies for a specific domain?
>>>
>>> Why is your server sending bounces (or any other email) to that
>>> domain?
>>
>> Because spammers are sending messages with forged return-path headers to
>> invalid addresses on my server. It's called backscatter:
>
> You must reject mail for invalid recipient addresses. Otherwise,
> you deserve by 100% the problem that you experience.

AFAIK, I am:

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit

The problem is that a rejected recipient produces a mailer-daemon reply.

rg
Re: Stopping backscatter spam to a specific domain
Yes, I looked at that, but AFAICT that is all about blocking INBOUND backscatter spam, not stopping outbound messages.

On Jul 11, 2021, at 10:15 AM, Kevin N. wrote:
> This might help: http://www.postfix.org/BACKSCATTER_README.html
>
> Cheers,
>
> K.
>
>
>> On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
>>> Ron Garret:
>>>> I have recently come under a backscatter spam attack from one
>>>> specific domain. This domain has blacklisted my server's IP
>>>> address, and so bounce replies sent to this domain are piling up
>>>> in my mail queue and I have to go through periodically and manually
>>>> delete them. I don't want to disable bounce messages in general
>>>> because I don't want incoming messages with typos in the destination
>>>> address to just vanish into the cosmic void. Is there a way to
>>>> disable bounce replies for a specific domain?
>>>
>>> Why is your server sending bounces (or any other email) to that
>>> domain?
>> Because spammers are sending messages with forged return-path headers to
>> invalid addresses on my server. It's called backscatter:
>> https://en.wikipedia.org/wiki/Backscatter_(email)
>> It's actually possible that I'm sending backscatter spam to other domains,
>> but only one has blacklisted me so far.
>> rg
Re: Stopping backscatter spam to a specific domain
On Jul 11, 2021, at 12:22 PM, Matus UHLAR - fantomas wrote:
>
>> The problem is that a rejected recipient produces a mailer-daemon reply.
>
> only if you accept mail for such recipient.

Ah. That may be my problem then. I'm using Dovecot via LMTP for local delivery. I thought that postfix would receive information about non-existent users via that protocol, but I guess it doesn't and ends up just accepting everything.

So... is dovecot actually the thing that is generating the emails from mailer-daemon? Is there a way to get this setup to do the Right Thing? If not, why is LMTP even supported, because it seems to me that anyone who uses it will have this problem.

(FYI, the reason I want to use LMTP is that I'm using sqlite for my user db, but postfix does not play well with sqlite when other programs are trying to access the same DB. I didn't want to duplicate the user DB (I'm a big believer in the DRY principle) so I wanted to localize DB access to a single process, and that process has to be Dovecot.)

rg
Re: Stopping backscatter spam to a specific domain
Thanks, that was very helpful.

This has me wondering: if a message is sent to multiple recipients and some are valid and others are not, what is the Right Thing to do?

rg

P.S. Just FYI:

> I'm not sure what the problem is with Postfix and sqlite

See http://postfix.1071664.n5.nabble.com/What-is-the-right-way-to-update-a-postfix-sqlite-database-td109636.html#a109659 if you really want to know. The TL;DR is that postfix does not set a non-zero value for pragma busy_timeout and so any simultaneous access results in an immediate fatal error in postfix.

On Jul 11, 2021, at 1:54 PM, Bill Cole wrote:
> On 2021-07-11 at 15:46:45 UTC-0400 (Sun, 11 Jul 2021 12:46:45 -0700)
> Ron Garret
> is rumored to have said:
>
>> On Jul 11, 2021, at 12:22 PM, Matus UHLAR - fantomas
>> wrote:
>>
>>>
>>>> The problem is that a rejected recipient produces a mailer-daemon reply.
>>>
>>> only if you accept mail for such recipient.
>>
>> Ah. That may be my problem then. I'm using Dovecot via LMTP for local
>> delivery. I thought that postfix would receive information about
>> non-existent users via that protocol, but I guess it doesn't and ends up
>> just accepting everything.
>
> Postfix doesn't know about non-existent users that are relayed via LMTP until
> it has queued and accepted the message. Postfix's SMTP/LMTP client program
> picks up the queued message, tries to deliver it to Dovecot's LMTP server,
> and fails. That's when the Postfix bounce daemon takes over, constructing and
> queueing a bounce message.
>
>> So... is dovecot actually the thing that is generating the emails from
>> mailer-daemon?
>
> No. Dovecot is the thing telling Postfix that the address is bad.
>
>> Is there a way to get this setup to do the Right Thing? If not, why is LMTP
>> even supported, because it seems to me that anyone who uses it will have
>> this problem.
>
> 1. Use {local,relay}_recipient_maps and/or virtual_{mailbox,alias}_maps and
> reject_unlisted_recipients. You can either talk directly to the DB for the
> map or at smaller scales you could just periodically generate a static list
> for Postfix to check at SMTP time.
>
> 2. Use reject_unverified_recipients. This is a generally bad idea on
> submission servers (port 465/587) unless you do something to limit it to
> recipients in local, virtual, and relay classes. Since that's all you should
> be seeing on a true SMTP (port 25) server, it's fine to apply it to all
> messages on your inbound mail stream.
>
>> (FYI, the reason I want to use LMTP is that I'm using sqlite for my user db,
>> but postfix does not play well with sqlite when other programs are trying to
>> access the same DB. I didn't want to duplicate the user DB (I'm a big
>> believer in the DRY principle) so I wanted to localize DB access to a single
>> process, and that process has to be Dovecot.)
>
> I'm not sure what the problem is with Postfix and sqlite, but extracting a
> suitable static map from the DB periodically should be a SMOP with one SELECT
> and some trivial formatting, if you don't want Postfix contending with
> Dovecot synchronously.
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
Re: Stopping backscatter spam to a specific domain
For the record:

On Jul 11, 2021, at 1:06 PM, Claus R. Wickinghoff wrote:
> I think this can be achieved with reject_unverified_recipient to query
> dovecot via lmtp but I've no practical experience with this. Probably you've
> to do some googling...

That turned out to be the Right Answer. I simply added reject_unverified_recipient to smtpd_recipient_restrictions and that fixed the problem.

The chain of events that led to this problem is kind of interesting. What happened was that I migrated my email server from one machine, where it had been running with no problem for many years, to a new machine at a new provider. I had simply copied the main.cf file from the old machine to the new one, but changed the delivery mechanism from direct delivery (i.e. postfix as LDA) to LMTP (i.e. dovecot as LDA). So what was happening before (I think) is that postfix was looking up users in the user DB, not because of smtpd_recipient_restrictions (because I didn't have that set) but because it had to in order to deliver local messages. When I switched to LMTP that was no longer the case. Postfix now thought it was possible to deliver to non-existent users, and that's what resulted in the backscatter.

Now I understand why the conventional wisdom is not to run your own email server :-)

Thanks to all who responded!

rg
Re: Stopping backscatter spam to a specific domain
On Jul 13, 2021, at 2:15 AM, Matus UHLAR - fantomas wrote:
>> On Jul 11, 2021, at 1:06 PM, Claus R. Wickinghoff
>> wrote:
>>> I think this can be achieved with reject_unverified_recipient to query
>>> dovecot via lmtp but I've no practical experience with this. Probably
>>> you've to do some googling...
>
> On 12.07.21 10:19, Ron Garret wrote:
>> That turned out to be the Right Answer. I simply added
>> reject_unverified_recipient to smtpd_recipient_restrictions and that fixed
>> the problem.
>>
>> The chain of events that led to this problem is kind of interesting. What
>> happened was that I migrated my email server from one machine, where it
>> had been running with no problem for many years, to a new machine at a new
>> provider. I had simply copied the main.cf file from the old machine to
>> the new one, but changed the delivery mechanism from direct delivery (i.e.
>> postfix as LDA) to LMTP (i.e. dovecot as LDA). So what was happening
>> before (I think) is that postfix was looking up users in the user DB, not
>> because of smtpd_recipient_restrictions (because I didn't have that set)
>> but because it had to in order to deliver local messages. When I switched
>> to LMTP that was no longer the case. Postfix now thought it was possible
>> to deliver to non-existent users, and that's what resulted in the
>> backscatter.
>
> it MAY still be possible to set up postfix to read local recipients from
> database dovecot uses.
> Look at local_recipient_maps directive if it's possible, depends on your
> dovecot setup.
>
> reject_unverified_recipient requires verifying each recipient and keep track
> of them (deliverable or not) which is useful for cases where you can not use
> local_recipient_maps

Yes, it is certainly possible to set up postfix to read local recipients from the same DB that dovecot uses. And in fact that is how I had it set up on my previous server.

However, on my previous server I was using MySQL and when I switched to the new server I decided to try switching to SQLite3. That turned out to be a very fateful decision because of how SQLite handles simultaneous access from multiple processes to the same DB. It's a long story, but the upshot is that setting up Postfix and Dovecot to use the same DB causes intermittent errors which in turn cause Postfix to lose mail, which is Bad. That was the problem that originally caused me to move to LMTP in the first place.

See this thread:
http://postfix.1071664.n5.nabble.com/What-is-the-right-way-to-update-a-postfix-sqlite-database-td109636.html
if you want the gory details.

rg
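Bill Cole's "one SELECT and some trivial formatting" and Matus's local_recipient_maps suggestion amount to the same periodic job: pull the deliverable addresses out of the user database Dovecot uses and hand Postfix a static table to check at SMTP time, so unknown recipients are rejected before the message is queued instead of bounced afterwards. This is an added example, not code from the thread, Postfix or Dovecot; the users table, its columns and the file layout are assumptions, and the output still has to go through postmap and be named in local_recipient_maps (or virtual_mailbox_maps).

```python
import os
import sqlite3
import tempfile

# Constructed sample rows for an assumed 'users' table (email, active).
# Real Dovecot SQL schemas differ; only the SELECT below depends on it.
SAMPLE_ROWS = [
    ("alice@example.com", 1),
    ("bob@example.com", 1),
    ("Carol@Example.COM", 1),   # mixed case: normalised to lower case below
    ("bob@example.com", 1),     # duplicate row: listed once
    ("dave@example.com", 0),    # disabled account: must not be deliverable
    ("not-an-address", 1),      # junk row: skipped
]


def build_sample_db(path):
    """Create the constructed sample database used by run_demo()."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (email TEXT, active INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def fetch_recipients(db_path, timeout=5.0):
    """One read-only SELECT.  'timeout' is sqlite3's busy timeout: waiting
    on a lock instead of failing at once is what lets this reader coexist
    with Dovecot writing the same file (the thread blames a zero
    busy_timeout for Postfix's own sqlite failures)."""
    con = sqlite3.connect(db_path, timeout=timeout)
    try:
        con.execute("PRAGMA query_only = 1")
        rows = con.execute("SELECT email FROM users WHERE active = 1").fetchall()
    finally:
        con.close()
    seen = set()
    for (email,) in rows:
        addr = (email or "").strip().lower()
        if "@" in addr:
            seen.add(addr)
    return sorted(seen)


def render_map(addresses):
    """Postfix lookup-table source, one 'key value' per line.  For
    local_recipient_maps / virtual_mailbox_maps only the key is consulted,
    so the value is a fixed placeholder.  Run 'postmap' on the file after."""
    return "".join(f"{addr} OK\n" for addr in addresses)


def write_map_atomically(text, map_path):
    """Write a temp file in the same directory and rename it into place, so
    a concurrent reader never sees a half-written source file."""
    directory = os.path.dirname(os.path.abspath(map_path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".recipients.")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, map_path)


def export(db_path, map_path):
    """The periodic job: DB -> address list -> map source file."""
    addresses = fetch_recipients(db_path)
    write_map_atomically(render_map(addresses), map_path)
    return addresses


def run_demo():
    """Build the sample DB in a temp dir, export it, and return
    (addresses, contents of the map file)."""
    with tempfile.TemporaryDirectory() as d:
        db_path = os.path.join(d, "users.sqlite")
        build_sample_db(db_path)
        map_path = os.path.join(d, "recipients")
        addresses = export(db_path, map_path)
        with open(map_path) as f:
            return addresses, f.read()


if __name__ == "__main__":
    _, text = run_demo()
    print(text, end="")
```

Run it from cron, then `postmap hash:/path/recipients`, and point local_recipient_maps at the resulting table; with that set, Postfix's default smtpd_reject_unlisted_recipient behaviour refuses unknown users at RCPT TO, which is the cheaper alternative to reject_unverified_recipient when the database is accessible.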
How to set up a shadow server
Is there an easy way to tell postfix to send a copy of every message it receives to a "shadow server" in a way that preserves the SMTP envelope? I'm trying to tune a spam filter on actual data, but I don't want to do it on my production server because the tuning is likely to break things.

Thanks,
rg
Re: Logging - Handling of Aliases
On Aug 18, 2021, at 11:55 AM, Viktor Dukhovni wrote:
> If you want different processing for inbound and outbound mail,
> use separate Postfix instances configured appropriately to the
> task at hand.

There is a useful distinction to be made between mail that is injected into the system by an authorized user and mail that is not. I think of the former as "outbound" even though that is not technically correct. And it is possible to handle these two kinds of messages differently by using a milter (there may be other ways as well, but I know for sure that a milter can do it). This may not be a smart thing to do, but it is possible.

rg
Re: Logging - Handling of Aliases
On Aug 18, 2021, at 12:13 PM, Viktor Dukhovni wrote:
>> On 18 Aug 2021, at 3:07 pm, Ron Garret wrote:
>>
>>> If you want different processing for inbound and outbound mail,
>>> use separate Postfix instances configured appropriately to the
>>> task at hand.
>>
>> There is a useful distinction to be made between mail that is injected into
>> the system by an authorized user and mail that is not. I think of the
>> former as "outbound" even though that is not technically correct. And it is
>> possible to handle these two kinds of messages differently by using a milter
>> (there may be other ways as well, but I know for sure that a milter can do
>> it). This may not be a smart thing to do, but it is possible.
>
> Milters are primarily for content filtering,

Sure, but...

> they don't or shouldn't affect address rewriting and message routing.

That doesn't make sense to me. One of the main uses of a milter is to sequester mail with questionable content and prevent it from being delivered to an end user. I don't see how it can do that without affecting message routing.

(Also, just because milters are primarily used for content filtering doesn't mean that they can't or shouldn't be used for other things as well. It may well be the case that they should not be used for other things, but the mere fact that they are not is not in and of itself a good argument that they should not.)

rg
Re: password security
If you google "fail2ban postfix", you will get a large number of links to ideas about using fail2ban to prevent this.

On 2022-04-25 11:29, Mauricio Tavares wrote:
> On Mon, Apr 25, 2022 at 12:28 AM ミユナ (alice) wrote:
>> do you know how to stop passwords from being brute-forced for a mailserver? do you have any practical guide?
>
> What about multifactor authentication?
>
>> thank you.

--
Ron Wheeler
Artifact Software
438-345-3369
rwhee...@artifact-software.com
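Ron's fail2ban pointer here, and his earlier remark that fail2ban is what keeps dictionary attacks off dovecot, both reduce to one rule: count authentication failures per client IP inside a time window and act when a threshold is crossed. As an added example (not fail2ban's code and not anything from Postfix), the same sliding-window check in Python over constructed Postfix smtpd log lines; the maxretry/findtime names are borrowed from fail2ban's vocabulary, the log lines and IPs are made up, and the lines are assumed to arrive in time order as they do in a log file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd logs a failed SASL login as
#   warning: <host>[<ip>]: SASL <mech> authentication failed: <reason>
# The regex captures the syslog timestamp and client IP of such lines and
# ignores everything else (connects, disconnects, successful logins).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed"
)

# Constructed sample log, not a real capture: one client hammering the
# server, one client failing twice far apart, plus unrelated lines.
SAMPLE_LOG = """\
Apr 25 11:29:01 mx postfix/smtpd[2011]: connect from unknown[192.0.2.10]
Apr 25 11:29:02 mx postfix/smtpd[2011]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Apr 25 11:29:05 mx postfix/smtpd[2011]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Apr 25 11:29:09 mx postfix/smtpd[2011]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Apr 25 11:30:40 mx postfix/smtpd[2012]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Apr 25 11:31:15 mx postfix/smtpd[2011]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Apr 25 11:31:20 mx postfix/smtpd[2011]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Apr 25 11:31:21 mx postfix/smtpd[2011]: disconnect from unknown[192.0.2.10]
Apr 25 12:10:00 mx postfix/smtpd[2013]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""


def parse_failures(lines, year=2022):
    """Yield (timestamp, ip) for each SASL failure line.  Syslog timestamps
    carry no year, so one is supplied (2022 matches the sample)."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_offenders(lines, maxretry=5, findtime=600, year=2022):
    """Sliding-window counter: an IP is flagged the moment it accumulates
    'maxretry' failures within any 'findtime'-second span.  Returns
    {ip: timestamp of the failure that crossed the threshold}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip in parse_failures(lines, year):
        if ip in flagged:
            continue                 # already flagged; a ban would be active
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the failure threshold at {when:%H:%M:%S}")
```

Lowering maxretry to 2 with the default window still leaves 198.51.100.7 unflagged, because its two failures are 39 minutes apart; only a window of an hour or more catches it, which is the trade-off fail2ban's findtime setting encodes.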
Re: The historical roots of our computer terms
I am not sure how going to Caucasian-listed vs African-American-listed is going to help inclusion in the data processing field.

If you or someone you know is "racialized" and the biggest problem is how IT describes entities, eliminating the word "Black" is not going to address any of the issues concerning the people who are protesting and the rest of us.

Black "folks" feel excluded because white "folk" treat them differently in hiring, promoting and weighing their opinions for no good reason!

And yes there was discrimination in 1500 and before that. Black people had been part of civilization from pre-history. Current scientific belief is that all of our ancestors were black. Slavery goes back before recorded history.
https://en.wikipedia.org/wiki/History_of_slavery

To fear and disrespect people who are "not like us" has a long history.

Ron

On 2020-06-07 2:46 p.m., Laura Smith wrote:
>> The point here is that maybe this is just a small, insignificant, easy change that could be done that might make black folks feel less excluded and more interested in participating.
>
> Give me a break. Master/Slave, Blacklist/Whitelist in computing making black folks feel excluded? For heavens sake! Talk about clutching at straws in your argument.
>
> Seriously where, exactly, is the exclusion in being able to download, install and configure the software? Ultimately your practical experience using that software as a black person is going to be exactly the same as any other race. The software won't run any differently just because you're black.

--
Ron Wheeler
Artifact Software
438-345-3369
rwhee...@artifact-software.com
Re: The historical roots of our computer terms
https://en.wikipedia.org/wiki/Slavery_in_ancient_Rome Pliny probably had slaves.

Ron

On 2020-06-07 2:32 p.m., micah anderson wrote:
Laura Smith writes:
Before jumping on the hobbyhorse of self-righteousness about refusing to use “whitelist”/“blacklist”, perhaps you would do well to spend a few minutes on your favourite search engine researching the etymology of such terms. The origin of blacklist, for example, has nothing to do with the race of human beings... Oxford Dictionary suggested origin: The true peace-maker: laid forth in a sermon before his Majesty at Theobalds written by the Bishop of Norwich, Joseph Hall, in 1624: "Ye secret oppressors,..ye kind drunkards, and who euer come within this blacke list of wickednesse."

The fact that the OED (a tome of great white male patriarchal enshrinement) doesn't say that the etymology of "blacklist" comes from a racial prejudiced origin, doesn't mean anything. It simply is quoting the oldest known reference to the word, and applying no broader analysis. Why does this quote use 'blacke list of wickedness'? I think scholarly analysis of much more significant rigor would be necessary to understand if you can truly come to the conclusion that it has "nothing" to do with race of human beings. Did race and racism exist in the middle ages? Racism is not a modern phenomenon. In fact you can find racial thinking in medieval art, statues, maps, laws, beliefs, economic practices, war, literature, etc.

There are also additional origins originating from the 1500's, with the term "blackball". Whereby a ball of black colour was placed in a container as a means of recording a negative vote.

Why is black considered negative in 1500s? Very interesting question, worthy of pursuit, but the mere existence doesn't mean it has nothing to do with race. Does that mean it does? Not necessarily.

A similar mechanism was used in gentleman's clubs well into the 20th century, whereby a list of prospective club members was affixed to a wall and negative votes were recorded through small circles drawn in black ink against a person's name. Three black circles and you would not make it in.

Presumably said gentleman's club would have been white, and it was just a sheer coincidence that an exclusive, all white club, used black to indicate that you were not allowed in. Never heard that color used for that purpose before... the color black has been always associated with the negative, and weirdly black people have also been purposely portrayed in many places, with negative stereotypes that reinforced white supremacy. What a crazy, multi-epoch coincidence! That is so weird. /s

In the end, maybe you are right, maybe blacklist has no etymological racial issue... but that isn't the point here, is it? The point here is that maybe this is just a small, insignificant, easy change that could be done that might make black folks feel less excluded and more interested in participating. Who cares if Pliny the Elder used it once, and he totally didn't mean it in a racist way, he probably had loads of black friends!
Re: Sender restriction to reject message with multiple from addresses
You need to fix your contact form. There is no such thing as multiple from addresses. As Tom said, your contact form is not creating an email. It is collecting information that it processes to produce some intelligent response or that it sends to you (or an automated proxy) requesting that you (or your proxy) respond to a person (or a list of people). That information that the user supplies should not be in the headers at all in any message that you get. It is just data. As Tom pointed out, the email to you or to the address entered on the form should be from your website not from e-mail addresses provided by the users. In your processing of the data, you could throw away data with multiple addresses. I am not sure why you would want a bounce in the case that users enter invalid (multiple) addresses. Your contact form should validate the email address field to ensure that only one email address is provided and tell the user immediately to fix their input. I am not sure why you would care about other e-mail arriving at postfix with multiple from addresses. Does it ever happen from anyone else?

Ron

On 2020-10-09 4:59 a.m., Pau Peris wrote:
Thanks a lot for your comments, opinion and help! :) As Tom said, before posting this question here, I already noticed the logic behaviour handling the contact form was wrong because emails should never be sent on behalf of someone else. When I developed that website, it's my dad's website, I did it like a spare time favour and so mistakes were made. Before posting here, I already fixed the form contact handling so emails, now, are sent using legitimate From addresses but I already wanted to work on the multiple From addresses handling. Running some tests, I noticed Gmail rejects those kind of messages even though they comply with the RFC. That's why I wondered which would be the use cases for using multiple From addresses.

Even though the contact form is now fixed (I'm even finishing to integrate invisible reCaptcha v2 to keep spammers away) and free of bugs, I'm still curious on how to improve my Postfix setup. So I'm wondering, in case anyone could help:
* I've found some regexp to validate email addresses strings, and I wonder if it would be ok to run this test on header_checks instead of the proposed milter solution?
* When a message gets rejected because of multiple From addresses, could I generate a custom bouncing email message? If so, how should I proceed?
* Which would be the real use case(s) where it would be useful to use multiple From addresses?

Thanks a lot for your time and help,

On Thu, Oct 8, 2020 at 9:37 AM Tom Hendrikx wrote:
On 07-10-2020 02:27, Pau Peris wrote:
I'm hosting my dad's webpage which has a contact form (which should be improved to avoid spam and/or bots) and from time to time someone types multiple email addresses in the from field of the form so contact emails with multiple from addresses like "from: h...@example.com, f...@example.net" are generated. I thought that those kind of messages should get rejected and thought that maybe there was a builtin restriction for this use case.

Your basic setup is lacking, and causing you problems. The website should not send the emails using the email addresses of the person submitting data on your website in the From: header. If the email address has DKIM/SPF/DMARC policies attached, actual delivery of the message is likely harder, because f.i. the webserver is not listed in the SPF policy of the sender domain. Essentially, the email your website is sending, is spoofing the From: header. This might not be too obvious when all email sent from the website ends up in your mailbox (being the website administrator), but when you try to deliver to 3rd parties, you'll find this out very quickly.

Conceptually, you could even say that the person entering data in the form did not send an email: he/she entered data into a form on a website, and the website sent the email. Hence, the From: header should contain webs...@example.org. Back to your problem: the website controls the From: header so no multiple email addresses in there. You could configure the website to put the email address of the person entering data in the form in the Reply-To: header.

Kind regards,
Tom
Re: Sender restriction to reject message with multiple from addresses
I am also the family genealogist and just moved to Gramps from FTM. I am not sure what "multiple from addresses" actually means. It is not possible for an email to come from more than one email address at a time in reality. Of course, as you already know, the sending e-mail system can put whatever it wants in the headers (otherwise spam and phishing wouldn't work). Multiple reply-to addresses might make some sense if the sender wanted any reply to be sent to 2 or more email addresses rather than one. I doubt if many e-mail clients would respect this instruction. Likely would pick one for a Reply and ignore the second. The only possible use case for multiple "from address" would be if the e-mail SMTP server batched up a bunch of e-mails from various clients and looked through all of the emails to be sent and detected that 2 identical e-mails were being sent to the same address from 2 people. Not a good idea since sometimes timestamps are important for legal reasons and they would be different. Never going to happen! E-mail servers are generally stateless and process each e-mail as a separate request that is to be processed as received not lumped in with any other. If I got an e-mail with multiple "From addresses" and I cared to check, I would just drop it. No point sending a bounce to a spammer or someone with a poorly written e-mail client. My 2 cents.

Ron

On 2020-10-09 1:20 p.m., Pau Peris wrote:
Thanks a lot Ron, I probably didn't explain myself well. The contact form was fixed before posting this topic here, but I'm currently managing a personal server where I host family websites among many other services and also a Postfix setup where I handle about 8 different domains. As you said, I collect data through a contact form and then send an email to my dad so he can give an answer if he feels so. Obviously, the From headers are not an issue now but I also would like to work on this use case. I hope now it's clear how the form manages the data.

On the other hand, if someone knows how to help, I'm still interested on the following matter:
* I've found some regexp to validate email addresses strings, and I wonder if it would be ok to run this test on header_checks instead of the proposed milter solution?
* When a message gets rejected because of multiple From addresses, could I generate a custom bouncing email message? If so, how should I proceed?
* Which would be the real use case(s) where it would be useful to use multiple From addresses?

Thanks a lot for your time and help,

On Fri, Oct 9, 2020 at 2:10 PM Ron Wheeler wrote:
You need to fix your contact form. There is no such thing as multiple from addresses. As Tom said, your contact form is not creating an email. It is collecting information that it processes to produce some intelligent response or that it sends to you (or an automated proxy) requesting that you (or your proxy) respond to a person (or a list of people). That information that the user supplies should not be in the headers at all in any message that you get. It is just data. As Tom pointed out, the email to you or to the address entered on the form should be from your website not from e-mail addresses provided by the users. In your processing of the data, you could throw away data with multiple addresses. I am not sure why you would want a bounce in the case that users enter invalid (multiple) addresses. Your contact form should validate the email address field to ensure that only one email address is provided and tell the user immediately to fix their input. I am not sure why you would care about other e-mail arriving at postfix with multiple from addresses. Does it ever happen from anyone else?

Ron

On 2020-10-09 4:59 a.m., Pau Peris wrote:
Thanks a lot for your comments, opinion and help! :) As Tom said, before posting this question here, I already noticed the logic behaviour handling the contact form was wrong because emails should never be sent on behalf of someone else. When I developed that website, it's my dad's website, I did it like a spare time favour and so mistakes were made. Before posting here, I already fixed the form contact handling so emails, now, are sent using legitimate From addresses but I already wanted to work on the multiple From addresses handling. Running some tests, I noticed Gmail rejects those kind of messages even though they comply with the RFC. That's why I wondered which would be the use cases for using multiple From addresses. Even though the contact form is now fixed (I'm even finishing to integrate invisible reCaptcha v2 to keep spammers away) and free of bugs, I'm still curious on how to improve my Postfix setup. So I'm wondering, in case anyone could help:
* I've found some regexp to validate email addresses strings, and I wonder if it would be ok to run this test on header_checks instead of the proposed milter solutio
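The two threads above circle around the same two checks: the contact form should accept exactly one address in its e-mail field, and the mail system may want to refuse a message whose From: header carries more than one mailbox. The following added example (not code from either thread, nor from Postfix) shows both checks in Python using only the standard library. The form field regexp, the two sample messages and the function names (validate_form_address, from_addresses, check_from) are constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Deliberately conservative syntax for one address typed into a web form field.
# This is not the full RFC 5322 grammar; it is meant to reject anything unusual.
SINGLE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def validate_form_address(field: str):
    """Return the single address a contact form may accept, or None to reject the submission.

    The form is the right place to reject "a@example.com, b@example.net": the user
    gets immediate feedback and no mail is generated at all.
    """
    value = field.strip()
    if any(sep in value for sep in (",", ";", " ")):
        return None            # two addresses (or free text) typed into the field
    return value if SINGLE_ADDRESS.fullmatch(value) else None


def from_addresses(raw_message: str):
    """All mailbox addresses found across every From: header of a raw message.

    getaddresses() splits "A <a@x>, B <b@y>" into its mailboxes, and get_all()
    returns every From: header if the message carries more than one.
    """
    msg = message_from_string(raw_message)
    return [addr for _, addr in getaddresses(msg.get_all("From", [])) if addr]


def check_from(raw_message: str):
    """Decide whether a message passes the one-From-address policy.

    Returns ("accept", address) or ("reject", SMTP-style reason text).
    """
    addrs = from_addresses(raw_message)
    if len(addrs) == 1:
        return ("accept", addrs[0])
    if not addrs:
        return ("reject", "550 5.7.1 Missing or unparsable From: header")
    return ("reject", "550 5.7.1 Multiple From: addresses are not accepted here")


# Constructed sample messages (not from the thread).
TWO_FROMS = (
    "From: Alice <alice@example.com>, Bob <bob@example.net>\n"
    "To: dad@example.org\nSubject: contact form\n\nhello\n"
)
ONE_FROM = (
    "From: Website <webform@example.org>\n"
    "Reply-To: alice@example.com\n"
    "To: dad@example.org\nSubject: contact form\n\nhello\n"
)

if __name__ == "__main__":
    print(validate_form_address("alice@example.com"))
    print(validate_form_address("alice@example.com, bob@example.net"))
    print(check_from(TWO_FROMS))
    print(check_from(ONE_FROM))
```

On the header_checks question: a header_checks pattern is applied to one (unfolded) header at a time, so a regexp can catch "From: a@x, b@y" in a single header but cannot count across two separate From: header lines; a milter or a content filter sees the whole header block and can apply the count above.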
Re: I'm a beginner and want to setup Postfix on CentOS.
localhost is a name that Centos resolves. https://www.liquidweb.com/kb/what-is-localhost https://forums.centos.org/viewtopic.php?t=47101 discusses how it gets interpreted/set. lo and ifconfig do not enter into the discussion.

On 2020-10-12 12:44 p.m., Jason Long wrote:
I disabled IPv6 in CentOS but connecting with localhost is not affected.

On Mon, Oct 12, 2020 at 6:48 PM, Jason Long wrote:
# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:80230 errors:0 dropped:0 overruns:0 frame:0
TX packets:80230 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13792298 (13.1 MiB) TX bytes:13792298 (13.1 MiB)

You're right.
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.example.net ESMTP Postfix
ehlo 127.0.0.1
250-mail.example.net
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Which lines of configuration must be changed?

On Monday, October 12, 2020, 06:38:42 PM GMT+3:30, IL Ka wrote:
"::1" is a local address for IPv6. "127.[something]" is a local address of IPv4. https://en.wikipedia.org/wiki/Localhost My guess is that you didn't include the IPv6 address in the list of "mynetworks", so Postfix can't "trust" it, because "smtpd_relay_restrictions" defaults to: "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination", which means it only relays emails either from "mynetworks" or authenticated users. "localhost" is resolved to the IPv6 address on CentOS. You can explicitly disable IPv6: https://www.tecmint.com/disable-ipv6-in-centos-8/ Or use the IPv4 address explicitly: "telnet 127.0.0.1 25". I'd stay with the latter case.

On Mon, Oct 12, 2020 at 5:55 PM Jason Long wrote:
> Thank you for your reply.
> How can I be sure I'm using IPv4 or IPv6?
>
> On Monday, October 12, 2020, 06:18:10 PM GMT+3:30, IL Ka wrote:
>
>> mynetworks = 127.0.0.0/8, My Public IP
>> Trying ::1...
> It could be that you are using IPv6 to connect while "mynetworks" is an IPv4 address.
> Try "telnet 127.0.0.1 25"
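The diagnosis above (telnet localhost reaches ::1, which is not covered by a mynetworks list that only names 127.0.0.0/8) can be checked without touching the running server. The following added example is not part of the thread and not Postfix code; it parses a mynetworks value in Postfix's notation (IPv6 entries written as [addr]/prefix) with Python's ipaddress module and reports which client addresses permit_mynetworks would treat as trusted. The function names and the 203.0.113.5 stand-in for "My Public IP" are constructed for this illustration; the actual matching lives inside Postfix, this only reproduces the CIDR membership part of it.

```python
import ipaddress
import socket


def parse_mynetworks(spec: str):
    """Turn a Postfix-style mynetworks value into ip_network objects.

    Postfix writes IPv6 networks with brackets, e.g. "[::1]/128"; ipaddress does not
    accept the brackets, so they are stripped. A bare address becomes a /32 or /128.
    """
    nets = []
    for item in spec.replace(",", " ").split():
        item = item.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_trusted(client_ip: str, mynetworks) -> bool:
    """True when client_ip falls inside any listed network (address-family aware:
    an IPv6 client never matches an IPv4 network, which is exactly the ::1 problem)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in mynetworks)


def audit(spec: str, client_ips):
    """Map each candidate client address to whether permit_mynetworks would match it."""
    nets = parse_mynetworks(spec)
    return {ip: is_trusted(ip, nets) for ip in client_ips}


def localhost_addresses():
    """Addresses the local resolver returns for 'localhost' (what 'telnet localhost 25' may pick)."""
    infos = socket.getaddrinfo("localhost", 25, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed values: the thread's "My Public IP" is replaced by a documentation address.
    before = "127.0.0.0/8, 203.0.113.5"
    after = "127.0.0.0/8, [::1]/128, 203.0.113.5"
    for ip in localhost_addresses():
        print(ip, "trusted before:", is_trusted(ip, parse_mynetworks(before)),
              "after:", is_trusted(ip, parse_mynetworks(after)))
```

Note that adding [::1]/128 only matters if Postfix listens on IPv6 at all; with inet_protocols = ipv4 the ::1 connection attempt never reaches Postfix, which is the other way the thread's symptom goes away.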
Re: Mail server without MX record.
You want an MX record. Why would you not want an MX record? What is the downside? Where is your dns?

On 2020-10-13 11:04 a.m., Jason Long wrote:
I have an Internet domain name and a Linux server and I want to have an email server to send and receive emails. For example, if my domain is "example.net" then I want to have a "i...@example.net" address to send and receive emails from the Internet.

On Tuesday, October 13, 2020, 06:09:06 PM GMT+3:30, IL Ka wrote:
What are you trying to achieve? There are a lot of scenarios where Postfix may be used:
* "Send only" email server for your website (to give your website ability to send emails). You never receive any emails from the outside.
* Forward only: it just accepts mails from your apps, and sends them via smart host (SMTP server of your provider). Some people run it on their laptops.
* Email hosting: users send and receive emails with your Postfix (as they do with Gmail, for example)
etc

It is important to choose a scenario, because if you only need to send emails from your website, then you do not need dovecot nor MX record and you even do not need to listen for incoming connections to the public port, but you may need DKIM and SPF. In the "forward only via smart host" scenario you need almost nothing: no MX, no SPF/DKIM, no public port. If you want to receive emails, then having an MX record is a good idea. You would also need to listen on a public port for incoming connections, and maybe one more port for clients (465 or 587)

On Tue, Oct 13, 2020 at 5:19 PM Jason Long wrote:
Thank you for all of your messages. With that tutorial, which record or port is needed?

On Tuesday, October 13, 2020, 04:31:34 PM GMT+3:30, Wietse Venema wrote:
Jason Long:
Hello, Can I use Postfix without MX record? I installed Postfix and Dovecot via "https://wiki.centos.org/HowTos/postfix" tutorial and I want to know can I use it without MX record?

The SMTP standard (RFC 2821) does not *require* MX records. Some uninformed mail operators may require one, but those are rare.

Wietse
Re: Mail server without MX record.
Have you tried Google? You can likely find whole tutorials answering both your questions.

Ron

On 2020-10-14 3:04 a.m., Jason Long wrote:
Thank you. Can you tell me how I can set up my Postfix server with an A record, or how I can change the DNS server to support two MX records?

On Tuesday, October 13, 2020, 11:09:22 PM GMT+3:30, IL Ka wrote:
1- Each domain can have a MX record?
If you want to receive email for this domain then yes, you should have an MX record for it. Without it "A" record will be used, but it is better to have MX.
2- If a company need multi MX record then it must have multi DNS server too?
You can have multiple MX records with different priorities. Sender's MTA will try first one first. Number of DNS servers doesn't affect the number of MX records: in most cases all public servers must have the same records.
3- Other methods like forwarding need MX record too?
No, if you only want to send email, you are not required to have an MX record. Some MTAs may decline messages from domains without an MX, but most of them accept such mails. But if you have no MX, then you can't get replies and non delivery reports.

There are some books about Postfix: "The book of Postfix", "Postfix: The Definitive Guide". It may be a good idea to read some of them: they cover how postfix works with DNS and MX.

On Tue, Oct 13, 2020 at 10:15 PM Jason Long wrote:
I'm really thankful for all information and help. Excuse me, I have some questions and I'm thankful if anyone answer to them by number:
1- Each domain can have a MX record?
2- If a company need multi MX record then it must have multi DNS server too?
3- Other methods like forwarding need MX record too?
Thank you.

On Tue, Oct 13, 2020 at 10:12 PM, @lbutlr wrote:
On 13 Oct 2020, at 12:03, Fred Morris wrote:
Notwithstanding, any "fully qualified domain name" (FQDN) can have email sent to it; typically only the FQDN immediately below the zone cut, and also the subject of SOA and NS records, has MX records.

Pretty sure it is perfectly fine to have different MX records for subdomains.
example.com MX 10 mail.example.com.
foo MX 10 mail.sub1.example.com.
Bar MX 10 mail.sub2.example.com.
Universities used to often have different MX servers for different departments/machines, though now it seems they are using external services for MX (maybe lucky, I checked five and all were using google or outlook for MX).

--
"Are you pondering what I'm pondering?"
"I think so, Brain, but Tuesday Weld isn't a complete sentence."
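The MX rules exchanged above (lowest preference tried first, the A record used when no MX exists, a subdomain having its own MX independent of its parent) are the SMTP client's target-selection algorithm from RFC 5321 section 5.1, plus the "null MX" of RFC 7505 for a name that should receive no mail at all. The following added example is not from the thread; it runs that algorithm over a constructed in-memory zone that mirrors the records @lbutlr listed, so the ordering can be checked without a live DNS server. The ZONE data, the documentation addresses and the function name delivery_targets are assumptions made for this illustration.

```python
import random

# Constructed zone data (not real DNS). MX values are (preference, exchange) pairs.
ZONE = {
    "example.com":        {"MX": [(10, "mail.example.com")], "A": ["203.0.113.25"]},
    "foo.example.com":    {"MX": [(10, "mail.sub1.example.com")], "A": []},
    "bar.example.com":    {"MX": [(10, "mail.sub2.example.com")], "A": []},
    "www.example.com":    {"MX": [], "A": ["203.0.113.80"]},            # no MX: implicit MX via A
    "nomail.example.com": {"MX": [(0, ".")], "A": ["203.0.113.99"]},    # null MX, RFC 7505
    "example.net":        {"MX": [(20, "mx2.example.net"), (10, "mx1.example.net"),
                                  (20, "mx3.example.net")], "A": []},
}

NULL_MX = (0, ".")


def delivery_targets(name, zone, rng=None):
    """Hosts an SMTP client would try, in order, to deliver mail addressed to `name`.

    - NXDOMAIN (name not in the zone): nothing to try.
    - No MX at all: the name itself is the target if it has an A record (implicit MX).
    - A single "0 ." MX: the domain explicitly refuses mail.
    - Otherwise: MX exchanges sorted by preference; equal preferences in random order
      when an rng is supplied, so load is spread as RFC 5321 suggests.
    A subdomain is looked up by its own exact name; there is no walk up to the parent.
    """
    rrset = zone.get(name.rstrip(".").lower())
    if rrset is None:
        return []
    mx = list(rrset.get("MX", []))
    if not mx:
        return [name] if rrset.get("A") else []
    if mx == [NULL_MX]:
        return []
    by_pref = {}
    for pref, host in mx:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref]
        if rng is not None and len(hosts) > 1:
            rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


if __name__ == "__main__":
    for n in ("example.com", "foo.example.com", "www.example.com",
              "nomail.example.com", "example.net", "deeper.foo.example.com"):
        print(f"{n:26} -> {delivery_targets(n, ZONE, random.Random(1))}")
```

The last lookup shows Fred Morris's point: deeper.foo.example.com does not inherit foo.example.com's MX, it needs its own records (or at least an A record) to receive anything.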
Re: Mail server without MX record.
There were a lot of answers given but the questions showed that the person asking the questions did not have the background in DNS and SMTP to take advantage of the answers and needed to take a bit of time with books or Google to develop enough understanding to know what to ask and how to interpret the answers. We all have businesses to run or work of our own to do. If you do not want to read and get the basic understanding required, you hire a consultant. This is not a public school or a free consulting agency. That is as polite a response as I can manage. It is unseemly to complain about people who are trying to help you and are giving you the advice that you need to successfully accomplish the task that you have been given. You will be much happier after you have read the introduction to the book and the chapters that apply to your problem. You will also be in a much better position to deal with the next roadblock that you will hit; and you will have a lot more fun before you have an email server doing what you want.

Ron

On 2020-10-14 9:56 a.m., Jason Long wrote:
It is so odd that some people here don't like to answer the users' questions and forward them to read a book with 496 pages.

On Wednesday, October 14, 2020, 10:42:08 AM GMT+3:30, Viktor Dukhovni wrote:
On Wed, Oct 14, 2020 at 07:04:25AM +, Jason Long wrote:
Can you tell me how I can set up my Postfix server with an A record, or how I can change the DNS server to support two MX records?

The gap between what your questions suggest you know, and what you need to know to operate a mailserver is too wide to be adequately bridged on this mailing list. Asking questions here is no substitute for taking the time to purchase and read some books on DNS, and Postfix. For Postfix, the "No Starch Press" book by Ralf Hildebrandt and Patrick Koetter is a good start, and may even get some of your DNS questions answered. You can start there, and if you still have DNS questions, also read a DNS book.
Re: postqueue -f delayed
You might want to take a look at what is in the queue. Flushing the queue means communicating with other mail servers and the reason that mail is in the queue is that it was "too hard" to deliver it the first time. A broken or overloaded remote could still be slow.

Ron

On 2020-10-26 6:07 a.m., Pedro David Marco wrote:
Hi... flushing the queue with 'postqueue -f' normally produces instant flush but sometimes it takes some time to do it... it always works! but sometimes with a long delay... just out of curiosity... why does this happen? is it qmgr daemon waiting for anything? is there any way to force it? Thanks... Pete.
Re: postqueue -f delayed
Could be just that the other end was busy receiving someone else's mail. Takes 2 to tango! No big attachments?

On 2020-10-26 12:22 p.m., Pedro David Marco wrote:
>On Monday, October 26, 2020, 05:09:41 PM GMT+1, Ron Wheeler wrote:
>You might want to take a look at what is in the queue.
>Flushing the queue means communicating with other mail servers and the reason that mail is in the queue is that it was "too hard" to deliver it the first time.
>A broken or overloaded remote could still be slow.
>Ron

Thanks Ron, Just a real example: 100 emails in deferred queue due to connection timed out (remote host was down for a while). Once the remote is up again, i run postqueue -f for quick delivery... Sometimes it works immediately, and sometimes there is a delay... (with no postfix log activity at all)

Thanks Wietse.. please, what extra data may be needed? is the previous example enough? Thanks! Pete.
Re: postqueue -f delayed
I think that you should only see the attempt as a successful send. Are you logging successful sends? I would not expect any error as long as the delay is not so long that Postfix decides that it is never going to go. As long as the attempt succeeds within the timeout delay, Postfix considers it a success, does not complain and moves on to the next one. I am not sure of the following:
- how many times Postfix retries before putting something in the queue?
- how often Postfix goes through the queue retrying old failed sends?
- what makes Postfix give up retrying automatically?

If I were in your situation, I would be looking to see if there is anything that could be done to make Postfix deal with the root problem of stuff getting caught in the queue and not being delivered after the remote system resumes normal operation. Having to do a manual flush is what makes the delay visible. If it went on its own, you would never know of the occasional delay. If you are very old, you will remember when networking was young and e-mail was sent over dial-up connections that connected only once or twice a day. The email system has to deal with the historical world where connections were not "always on" so a successful send does not imply anything about time.

Ron

On 2020-10-26 12:44 p.m., Pedro David Marco wrote:
>On Monday, October 26, 2020, 05:31:05 PM GMT+1, Ron Wheeler wrote:
>
>Could be just that the other end was busy receiving someone else's mail. Takes 2 to tango!
>No big attachments?

Thanks Ron... size no bigger than 500KB... if remote is busy... in the log at least i should see the postfix attempt, am i right? but there is nothing at all in the log... Pete.
Re: postqueue -f delayed
I came through the ARPAnet-DECnet and 2780/3780 stream.

On 2020-10-26 1:49 p.m., Peter Blair wrote:
At 26 October, 2020 Ron Wheeler wrote:
If you are very old, you will remember when networking was young and e-mail was sent over dial-up connections that connected only once or twice a day. The email system has to deal with the historical world where connections where not "always on" so a successful send does not imply anything about time.

All of the good tech started with "uu": uucp, uuencode, uunet :P
Re: postqueue -f delayed
You got me!!! I have only been running corporate e-mail on Postfix for a couple of decades and still learning the basics. It does not require a lot of expertise until something goes wrong! I knew that you or Wietse or one of the other experts would correct my guesses. You guys give great support on a product that is very complex but does damn near everything possible with mail.

Ron

On 2020-10-26 2:59 p.m., Viktor Dukhovni wrote:
On Mon, Oct 26, 2020 at 10:07:25AM +, Pedro David Marco wrote:
Flushing the queue with 'postqueue -f' normally produces instant flush but sometimes it takes some time to do it... it always works!

It never produces "instant flush", what it does is reset the queue manager's delay timer for the next deferred queue scan, so that if no deferred queue scan is currently in progress, it starts now, or if already in progress, the next scan will start as soon as the current one completes. Furthermore, instead of retrying just the messages whose retry time is in the past, for the next scan (and any remaining portion of the current scan) all messages will be retried.

but sometimes with a long delay... just out of curiosity... why does this happen? is it qmgr daemon waiting for anything? is there any way to force it?

As Wietse noted, without more information about what's in the queue at the time, etc. it is hard to say. One would expect to see "qmgr" log messages showing mail entering the active queue, e.g.:

Oct 26 14:43:56 amnesiac postfix/qmgr[97795]: E0BFA3BC92C: from=, size=11617, nrcpt=1 (queue active)

but perhaps your logging subsystem is losing messages.

On Mon, Oct 26, 2020 at 04:22:21PM +, Pedro David Marco wrote:
On Monday, October 26, 2020, 05:09:41 PM GMT+1, Ron Wheeler wrote:
You might want to take a look at what is in the queue. Flushing the queue means communicating with other mail servers and the reason that mail is in the queue is that it was "too hard" to deliver it the first time. A broken or overloaded remote could still be slow.

Ron is not well informed on this topic, and is just guessing.

Just a real example: 100 emails in deferred queue due to connection timed out (remote host was down for a while). Once the remote is up again, i run postqueue -f for quick delivery... Sometimes it works immediately, and sometimes there is a delay... (with no postfix log activity at all)

Your logging subsystem may be losing messages, are you seeing logging from the queue manager at all? With "postqueue -f", and deferred messages in the queue, you should be seeing "qmgr" log messages about new mail entering the queue, which would show up promptly, unless you're using a particularly sluggish transport table (slow LDAP, overloaded MySQL, ...).

On Mon, Oct 26, 2020 at 04:44:11PM +, Pedro David Marco wrote:
>On Monday, October 26, 2020, 05:31:05 PM GMT+1, Ron Wheeler wrote:
> Could be just that the other end was busy receiving someone else's mail. Takes 2 to tango! No big attachments?

Thanks Ron... size no bigger than 500KB... if remote is busy... in the log at least i should see the postfix attempt, am i right? but there is nothing at all in the log...

Message content size does not matter in this context. Queue manager latency depends on the number of recipients in a message (up to a limit on the number brought into memory at once) not the message size. With a sufficiently low-latency transport table (none or indexed files) the queue manager activates messages "in real time".
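Viktor's diagnostic is concrete: after postqueue -f, the queue manager should log one "(queue active)" line per deferred message almost at once, and the delivery agents then log a status for each recipient; if those lines are absent, suspect the logging subsystem rather than Postfix. The following added example (not from the thread, not Postfix code) turns that into a small check that can be run over a log excerpt. The log lines, queue IDs and addresses are constructed for this illustration; the field names follow the qmgr and smtp log formats quoted in the thread.

```python
import re

# Constructed Postfix log excerpt: three deferred messages right after "postqueue -f".
# qmgr announces each one entering the active queue, then delivery agents report outcomes.
SAMPLE_LOG = """\
Oct 26 14:43:56 mx postfix/qmgr[97795]: 4A1B2C3D4E: from=<sender@example.com>, size=11617, nrcpt=1 (queue active)
Oct 26 14:43:56 mx postfix/qmgr[97795]: 5B2C3D4E5F: from=<sender@example.com>, size=2048, nrcpt=2 (queue active)
Oct 26 14:43:56 mx postfix/qmgr[97795]: 6C3D4E5F60: from=<sender@example.com>, size=4096, nrcpt=1 (queue active)
Oct 26 14:43:57 mx postfix/smtp[97810]: 4A1B2C3D4E: to=<user@example.net>, relay=mail.example.net[203.0.113.7]:25, delay=3661, delays=3660/0.02/0.4/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct 26 14:43:57 mx postfix/qmgr[97795]: 4A1B2C3D4E: removed
Oct 26 14:44:27 mx postfix/smtp[97811]: 5B2C3D4E5F: to=<other@example.org>, relay=none, delay=7230, delays=7200/0.01/30/0, dsn=4.4.1, status=deferred (connect to mail.example.org[198.51.100.3]:25: Connection timed out)
"""

LINE_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/"
# qmgr line written when a message enters the active queue.
QMGR_ACTIVE = re.compile(
    LINE_PREFIX + r"qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<[^>]*>, size=\d+, "
    r"nrcpt=(?P<nrcpt>\d+) \(queue active\)")
# Per-recipient outcome from a delivery agent (smtp, lmtp, local, ...).
DELIVERY = re.compile(
    LINE_PREFIX + r"(?:smtp|lmtp|local|pipe|virtual|error)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<[^>]*>.* status=(?P<status>\w+)")


def flush_report(lines):
    """Per queue ID: when qmgr activated it, how many recipients, and the last delivery status seen."""
    report = {}
    for line in lines:
        m = QMGR_ACTIVE.search(line)
        if m:
            entry = report.setdefault(m["qid"], {"activated": None, "nrcpt": 0, "status": None})
            entry["activated"] = m["ts"]
            entry["nrcpt"] = int(m["nrcpt"])
            continue
        m = DELIVERY.search(line)
        if m:
            entry = report.setdefault(m["qid"], {"activated": None, "nrcpt": 0, "status": None})
            entry["status"] = m["status"]
    return report


def flush_summary(lines):
    """Counts a practitioner wants after a flush: did anything activate, and how did it end?"""
    report = flush_report(lines)
    activated = [e for e in report.values() if e["activated"]]
    return {
        "activated": len(activated),
        "sent": sum(1 for e in activated if e["status"] == "sent"),
        "deferred": sum(1 for e in activated if e["status"] == "deferred"),
        "pending": sum(1 for e in activated if e["status"] is None),
    }


if __name__ == "__main__":
    print(flush_summary(SAMPLE_LOG.splitlines()))
```

If "activated" is zero while mailq still shows deferred mail, the qmgr lines never reached the log, which is the "logging subsystem is losing messages" case Viktor raises; if it is non-zero but "deferred" dominates, the remote side is still the bottleneck.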
HELO and nothing else
Hello (not helo :-) I am working on a spam filter and so I find myself spending a lot more quality time with mail logs than I used to. One of the things I have noticed is that I will get a lot of connections that send a HELO command and then disconnect. Sometimes I get this repeated several times a minute from the same IP for hours on end. What is going on here? Should I block these IPs? Am I being scanned? By what? To what end? Thanks, rg
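Two questions on this page come down to the same triage over smtpd log lines: the brute-force thread above (where fail2ban is suggested) and this HELO-then-disconnect question. The following added example is not from either thread and is not fail2ban's own filter; it tallies, per client IP, SASL authentication failures and sessions that sent only a HELO/EHLO and then hung up, and flags addresses over a threshold so the operator can decide what to do (rate-limit, firewall, or simply watch). The log lines, addresses, hostnames and the triage() name are constructed for this illustration; the line shapes follow what Postfix's smtpd writes for "SASL ... authentication failed" warnings and for its "disconnect from ... commands=N" summaries.

```python
import re
from collections import defaultdict

# Constructed Postfix smtpd log excerpt (documentation addresses, not real clients).
SAMPLE_LOG = """\
Apr 25 03:14:07 mx postfix/smtpd[4117]: connect from unknown[198.51.100.7]
Apr 25 03:14:07 mx postfix/smtpd[4117]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 03:14:08 mx postfix/smtpd[4117]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 03:14:09 mx postfix/smtpd[4117]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 03:14:09 mx postfix/smtpd[4117]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/3 quit=1 commands=2/5
Apr 25 03:15:01 mx postfix/smtpd[4120]: connect from unknown[192.0.2.44]
Apr 25 03:15:01 mx postfix/smtpd[4120]: disconnect from unknown[192.0.2.44] helo=1 commands=1
Apr 25 03:15:03 mx postfix/smtpd[4120]: connect from unknown[192.0.2.44]
Apr 25 03:15:03 mx postfix/smtpd[4120]: disconnect from unknown[192.0.2.44] helo=1 commands=1
Apr 25 03:15:04 mx postfix/smtpd[4120]: connect from unknown[192.0.2.44]
Apr 25 03:15:04 mx postfix/smtpd[4120]: disconnect from unknown[192.0.2.44] helo=1 commands=1
Apr 25 03:16:10 mx postfix/smtpd[4122]: connect from mail.example.org[203.0.113.10]
Apr 25 03:16:11 mx postfix/smtpd[4122]: disconnect from mail.example.org[203.0.113.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

CLIENT = r"(?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
AUTH_FAIL = re.compile(r"postfix/smtpd\[\d+\]: warning: " + CLIENT + r": SASL \S+ authentication failed")
DISCONNECT = re.compile(r"postfix/smtpd\[\d+\]: disconnect from " + CLIENT + r"(?P<counts>(?: [a-z]+=\d+(?:/\d+)?)+)$")


def triage(lines, auth_fail_threshold=3, helo_only_threshold=3):
    """Count, per client IP, SASL failures and HELO-only sessions; flag IPs over either threshold."""
    auth_failures = defaultdict(int)
    helo_only = defaultdict(int)
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            auth_failures[m["ip"]] += 1
            continue
        m = DISCONNECT.search(line)
        if m:
            # "commands=1" with a helo/ehlo counter means the session did nothing but greet:
            # no MAIL, no AUTH, not even QUIT. A normal client never looks like this.
            counts = dict(tok.split("=", 1) for tok in m["counts"].split())
            if counts.get("commands") == "1" and ("helo" in counts or "ehlo" in counts):
                helo_only[m["ip"]] += 1
    flagged = {}
    for ip, n in auth_failures.items():
        if n >= auth_fail_threshold:
            flagged[ip] = f"{n} SASL authentication failures"
    for ip, n in helo_only.items():
        if n >= helo_only_threshold:
            flagged[ip] = f"{n} HELO-only sessions"
    return {"auth_failures": dict(auth_failures), "helo_only": dict(helo_only), "flagged": flagged}


if __name__ == "__main__":
    for ip, reason in triage(SAMPLE_LOG.splitlines())["flagged"].items():
        print(ip, reason)
```

fail2ban works the same way with its own regexps and a jail that adds a temporary firewall rule; the counters in the disconnect line are also a cheap way to answer the "what is going on" question in the post without any packet capture, since a client that only ever sends HELO is not delivering mail and is safe to rate-limit.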
What is the right way to update a postfix sqlite database?
I ran into the sqlite locked database problem discussed in these threads:

https://marc.info/?l=postfix-users&m=160096626120296&w=2

https://marc.info/?l=postfix-users&m=151561295721906&w=2

The problem occurs (AFAICT) because the database file was shared with a spam filter which was writing to the db. But that raises the following question: what is the right way to update a sqlite db used by postfix? The only safe way I can think of doing it is to actually shut down postfix, update the db, and then start postfix back up again. But that feels like an overly brutal solution. Is there a better way? Even a non-shared db needs to be updated now and then.

I can guarantee that all writes will complete within a short time, so what I would really like to do is to get postfix to issue a “PRAGMA busy_timeout = …” command before doing the query, but I don’t want to have to rebuild postfix from source in order to do this. Is this possible? How?

Thanks,
rg
Re: What is the right way to update a postfix sqlite database?
On Feb 22, 2021, at 4:56 PM, Ron Garret (gmail) wrote:
>
> On Feb 22, 2021, at 2:57 PM, Wietse Venema wrote:
>
>> Ron Garret:
>> [ Charset windows-1252 converted... ]
>>> I ran into the sqlite locked database problem discussed in these threads:
>>>
>>> https://marc.info/?l=postfix-users&m=160096626120296&w=2
>>>
>>> https://marc.info/?l=postfix-users&m=151561295721906&w=2
>>>
>>> The problem occurs (AFAICT) because the database file was shared with a
>>> spam filter which was writing to the db. But that raises the following
>>> question: what is the right way to update a sqlite db used by postfix? The
>>> only safe way I can think of doing it is to actually shut down postfix,
>>> update the db, and then start postfix back up again. But that feels like
>>> an overly brutal solution. Is there a better way? Even a non-shared db
>>> needs to be updated now and then.
>>>
>>> I can guarantee that all writes will complete within a short time, so what
>>> I would really like to do is to get postfix to issue a "PRAGMA busy_timeout
>>> = ..." command before doing the query, but I don't want to have to rebuild
>>> postfix from source in order to do this. Is this possible? How?
>>>
>>
>> Isn't SQLite supposed to deal with concurrent access?
>> https://sqlite.org/lockingv3.html
>
> Yes, it does, but the way it "deals" with it is to throw an error if one
> connection tried to read while another is writing. The net result of this is
> that if Postfix tries to read during a concurrent update from somewhere else,
> it fails catastrophically (mail is actually lost).

Just for the record: I spent some more time groveling around in the docs and source code and AFAICT it is actually not possible to safely update a sqlite DB that is in use by postfix. The only safe way to do it is to make a copy of the DB, update that, and then mv it to the active path. This is according to both the docs and the code.

It would be nice if postfix would set a non-zero busy timeout. It's a simple code change, just a call to sqlite3_busy_timeout. That would not be a guarantee, but it would at least make it *possible* to safely update a sqlite database in-place. I'm going to head on over to the postfix-dev list to see if it's possible to get this done.

rg
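The copy-then-rename procedure Ron describes, as an added example that is not Postfix code and not from this thread: it copies the live table with SQLite's online backup API, applies the change to the copy, checks the copy, and renames it over the active path, so the live file is never opened for writing. The alias table, the addresses and the file names are constructed for the demo. The demo also shows the caveat a practitioner should expect on POSIX: a reader that already had the old file open keeps reading the old inode until it reopens the table.

```python
"""Publish an updated SQLite lookup table to a running reader without ever
writing to the live file: copy, update the copy, rename the copy into place.
Added example (not Postfix code); the alias-style table and addresses are
constructed for the demo."""
import os
import sqlite3
import tempfile


def create_table(path, rows):
    """Create a constructed (alias -> target) table at path."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE aliases (alias TEXT PRIMARY KEY, target TEXT NOT NULL)")
    db.executemany("INSERT INTO aliases VALUES (?, ?)", rows)
    db.commit()
    db.close()


def lookup(db, alias):
    """Single-key probe, the shape of query a map lookup issues."""
    row = db.execute("SELECT target FROM aliases WHERE alias = ?", (alias,)).fetchone()
    return row[0] if row else None


def publish_update(active_path, update_fn):
    """Copy active_path with SQLite's online backup API (it takes only the
    shared read lock, so it is safe while readers are active), apply
    update_fn to the copy, verify it, and rename the copy over the live path.
    rename(2) is atomic on POSIX: anyone opening the path afterwards sees the
    complete new file, and the live file is never opened for writing."""
    directory = os.path.dirname(os.path.abspath(active_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".update-", suffix=".db", dir=directory)
    os.close(fd)
    try:
        # keep the live file's permission bits so the published copy stays readable
        os.chmod(tmp_path, os.stat(active_path).st_mode & 0o777)
        src = sqlite3.connect(active_path)
        dst = sqlite3.connect(tmp_path)
        src.backup(dst)
        src.close()
        update_fn(dst)
        dst.commit()
        # never publish a copy that fails SQLite's own consistency check
        if dst.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise RuntimeError("integrity check failed on the updated copy")
        dst.close()
        os.replace(tmp_path, active_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def demo():
    """Returns (value before, value seen by a reader opened before the swap,
    value seen by a reader opened after the swap)."""
    path = os.path.join(tempfile.mkdtemp(), "virtual.db")
    create_table(path, [("sales@example.test", "alice@example.test")])
    old_reader = sqlite3.connect(path)          # stands in for a long-running reader
    before = lookup(old_reader, "sales@example.test")
    publish_update(path, lambda db: db.execute(
        "UPDATE aliases SET target = ? WHERE alias = ?",
        ("bob@example.test", "sales@example.test")))
    # the old reader still holds the old inode open, so it keeps seeing the old row
    stale = lookup(old_reader, "sales@example.test")
    new_reader = sqlite3.connect(path)           # a fresh open gets the new file
    fresh = lookup(new_reader, "sales@example.test")
    old_reader.close()
    new_reader.close()
    return before, stale, fresh


if __name__ == "__main__":
    print(demo())
```

The temporary copy is created in the same directory as the live file on purpose: rename(2) is only atomic within one filesystem, and a copy made under /tmp and moved across filesystems would degrade to a copy-and-delete that readers can observe half-written.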
Re: What is the right way to update a postfix sqlite database?
On Feb 23, 2021, at 10:19 AM, Wietse Venema wrote:
> Ron Garret:
>>>> Isn't SQLite supposed to deal with concurrent access?
>>>> https://sqlite.org/lockingv3.html
>>>
>>> Yes, it does, but the way it "deals" with it is to throw an error
>> if one connection tried to read while another is writing. The net
>
> Bleh, it does not retry the operation?

Nope. See postfix-3.5.9/src/global/dict_sqlite.c. It's not clear that retrying would even be the right thing to do because you could just get unlucky again. The failure can happen in three different places: the query itself (obviously) but also statement preparation and finalization. I've seen all three actually happen in practice. So you really want it to wait. That's a lot simpler, and it guarantees success as long as there are no slow writers (which is a reasonable constraint).

> What happens when you update the table while some Postfix code is
> READING from the DB? Does the writer also fail?

No idea, but because I control all the writers that would be easy for me to fix. In any event I don't think that's something postfix should be worried about.

>> result of this is that if Postfix tries to read during a concurrent
>> update from somewhere else, it fails catastrophically (mail is
>> actually lost).
>
> Losing mail would be a bug in the sending program. Postfix never
> loses mail because of a fatal error.

What can I say? When this happens, I can't find the message that was being processed anywhere. It is not delivered (obviously) and it is not bounced. The way I first found out this was happening was an error notification in the root mailbox of the machine where postfix is running.

>> It would be nice if postfix would set a non-zero busy timeout.
>> It's a simple code change, just a call to sqlite3_busy_timeout.
>
> What about https://www.sqlite.org/pragma.html#pragma_busy_timeout ?
> I don't know if that is a DB property or a session property.

It's a session/connection property.

The problem with trying to use a pragma in the config file is that the C interface to sqlite does not allow multiple semicolon-separated statements in a call to sqlite3_prepare_v2, so just putting the pragma in the postfix sql config as part of the query with a semicolon after will not work. Postfix would have to know to separate multiple statements and prepare them separately. Since a source code change would be needed anyway, a much simpler solution is just to call sqlite3_busy_timeout directly.

>> That would not be a guarantee, but it would at least make it
>> *possible* to safely update a sqlite database in-place. I'm going
>> to head on over to the postfix-dev list to see if it's possible
>> to get this done.
>
> If we take this route, then there needs to be a new field in the
> Postfix sqlite config file that controls the time limit.

Not necessarily. You could just hard-code a reasonable value (like 1 second), or make it a #define so you need a recompile to change it. That's sub-optimal, obviously, but still a major improvement over the current situation for very little effort and no down-side that I can see.

rg
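To see the failure mode being discussed and what a busy timeout changes, here is an added example (mine, not Postfix code): one connection takes an exclusive write lock in SQLite's default rollback-journal mode while a reader probes the table. Python's sqlite3 module passes the timeout= argument of connect() to sqlite3_busy_timeout(), so timeout=0 stands in for a connection that never sets a busy handler, which is what the thread says dict_sqlite.c does. The table, the key and the lock-hold time are constructed.

```python
"""Show the failure mode from this thread and the effect of a busy timeout:
a reader with no busy timeout fails at once with "database is locked" while
another connection holds a write lock; a reader with a busy timeout waits
and succeeds once the writer commits.  Added example (not Postfix code);
Python's sqlite3 module calls sqlite3_busy_timeout() for the timeout=
argument of connect()."""
import os
import sqlite3
import tempfile
import threading

KEY = "user@example.test"   # constructed lookup key


def make_db(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE kv (k TEXT PRIMARY KEY, v TEXT)")
    db.execute("INSERT INTO kv VALUES (?, 'ok')", (KEY,))
    db.commit()
    db.close()


def hold_exclusive_lock(path, locked, release):
    """Writer thread: in the default rollback-journal mode, BEGIN EXCLUSIVE
    blocks every reader until COMMIT.  Signal once the lock is held, then
    keep it until told to release."""
    db = sqlite3.connect(path, isolation_level=None)   # explicit BEGIN/COMMIT
    db.execute("BEGIN EXCLUSIVE")
    db.execute("UPDATE kv SET v = 'updated' WHERE k = ?", (KEY,))
    locked.set()
    release.wait()
    db.execute("COMMIT")
    db.close()


def read_with_timeout(path, timeout):
    """Reader: returns the stored value, or the error text on failure.
    timeout=0 clears the busy handler, which is what a connection that never
    calls sqlite3_busy_timeout() gets."""
    db = sqlite3.connect(path, timeout=timeout)
    try:
        return db.execute("SELECT v FROM kv WHERE k = ?", (KEY,)).fetchone()[0]
    except sqlite3.OperationalError as err:
        return str(err)
    finally:
        db.close()


def run_scenario(timeout, hold_seconds=0.3):
    """Hold a write lock for hold_seconds while a reader with the given
    busy timeout (seconds) tries to read.  Returns the reader's result."""
    path = os.path.join(tempfile.mkdtemp(), "busy.db")
    make_db(path)
    locked, release = threading.Event(), threading.Event()
    writer = threading.Thread(target=hold_exclusive_lock, args=(path, locked, release))
    writer.start()
    locked.wait()                                     # writer now holds EXCLUSIVE
    timer = threading.Timer(hold_seconds, release.set)
    timer.start()                                     # writer commits after hold_seconds
    result = read_with_timeout(path, timeout)
    timer.cancel()
    release.set()
    writer.join()
    return result


if __name__ == "__main__":
    print("no busy timeout:", run_scenario(0))       # database is locked
    print("5 s busy timeout:", run_scenario(5.0))     # updated
```

The busy timeout only helps when writers hold their locks briefly, which is the "no slow writers" constraint Ron states; a writer that holds an exclusive lock longer than the timeout still produces the same error, so the value has to be chosen against the longest write the updater can perform.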
Re: What is the right way to update a postfix sqlite database?
On Feb 23, 2021, at 11:41 AM, Richard Damon wrote:
> On 2/23/21 2:18 PM, Wietse Venema wrote:
>> Ron Garret:
>>>> If we take this route, then there needs to be a new field in the
>>>> Postfix sqlite config file that controls the time limit.
>>> Not necessarily. You could just hard-code a reasonable value (like
>>> 1 second), or make it a #define so you need a recompile to change
>>> it. That's sub-optimal, obviously, but still a major improvement
>>> over the current situation for very little effort and no down-side
>>> that I can see.
>> The limit should be configurable. It takes:
>>
>> - one line of code to define a C variable,
>>
>> - one line of code to read its value from an sqlite_table configuration
>> file (or to use a documented default value),
>>
>> - a few lines of text to document the new field in the sqlite_table manpage.
>>
>> Wietse
>
> One thing to look at is WAL mode. WAL mode increases the cost of writes
> to the database, as all writes become two stage, first to the WAL
> journal, and then flushed to the main database (called a checkpoint),
> and reads can get a bit more expensive if the second stage of the
> write gets delayed by long accesses (but that may not be an issue with
> postfix).
>
> In exchange, the database allows for simultaneous reads and writes,
> except possibly for the period when the second phase of the writes are
> occurring, and it will try to allow as much overlap there as possible,
> and try to find a time when no readers are active to do this operation.
>
> Without a busy timeout being set, the reader should only get a busy in
> fairly rare conditions, the main one being if the last connection to the
> database is closing, then SQLite does some cleanup that locks the
> database for just a little bit, or if the last connection 'crashes' then
> the next connection will do some cleanup. Even a fairly short busy wait
> should handle these cases most of the time.

WAL mode was previously discussed here:

https://marc.info/?l=postfix-users&m=160096626120296&w=2

The upshot appears to be this, at least as things currently stand:

> DO NOT use SQLite as a Postfix backend database updated live while
> Postfix is running.

rg
Re: 53% of Postfix servers are black-listed (DNSBL)
Part of the problem is that e-mail security checks are constantly changing as people react to spam and hacking. This means that a setup that has worked for a few years without any problem suddenly starts to have trouble with one or two connections since sending or receiving SMTP servers for some sites have changed their connection validation.

It is a PITA to go back to work on a Postfix and DNS setup that has not been touched for years. The Postfix reference books in my library are 10 and 12 years old! Still very useful!

Webmin does make it a bit easier but if you have not looked at the setup configuration for a while it takes a bit of study and concentration to get back into the Postfix data structure.

Ron

On 29/12/2015 9:43 AM, Fernando Maior wrote:
To configure a smtp server is not an easy task. It takes long, and you should always be looking for new troubles. So, it is not only because of lazy or not capable admins. Some of them just do not have the time to do it properly, because they have too much work to do already. Also, if the server is used in a service provider, for a number of domains, it is even more difficult to do it.

Anyway, I agree 100% with Chalmers and Horne. And, creating good code, with no - or almost none - security problems, and easy to manage, with lots of utilities is the work of Wietse. To configure, test, run and maintain is OUR work. If it is not well-configured, it is not "shame on Wietse", it is "shame on me"...

Regards,
---
Fernando Maciel Souto Maior

On Tue, Dec 29, 2015 at 12:21 PM, Danny Horne wrote:
Nothing at all, as long as you take the time to learn how to configure it properly, all your stats seem to show is that many admins are too lazy (or not capable) of doing this. That being the case, I suggest you use a third party mail provider or learn how to configure Postfix

On 29/12/2015 12:01 pm, sb wrote:
> What is wrong with Postfix?
-- Ron Wheeler President Artifact Software Inc email: rwhee...@artifact-software.com skype: ronaldmwheeler phone: 866-970-2435, ext 102
Spawning milter processes
Hello, What is the usual way to start a milter process? Can postfix be configured to spawn it automatically, or does the milter have to be set up as a separate service? If the former, how do you do it? Thanks, rg
Re: Spawning milter processes
On Jan 31, 2016, at 1:28 AM, Robert Schetterer wrote:
> On 31.01.2016 at 09:56, Ron Garret wrote:
>> Hello,
>>
>> What is the usual way to start a milter process? Can postfix be configured
>> to spawn it automatically, or does the milter have to be set up as a
>> separate service? If the former, how do you do it?
>>
>> Thanks,
>> rg
>>
>
> milters are usually separate services

OK, but is there any way to get Postfix to restart a milter if it goes down? By default, if a milter goes down, it takes postfix down with it.

Also, why did you hedge with "usually"? What other possibilities are there?

rg
Re: Spawning milter processes
OK, that's exactly what I needed to know. Thanks!

On Jan 31, 2016, at 9:16 AM, Steve Jenkins wrote:
> On Sun, Jan 31, 2016 at 9:04 AM, Ron Garret wrote:
> OK, but is there any way to get Postfix to restart a milter if it goes down?
> By default, if a milter goes down, it takes postfix down with it.
>
> The usual way to start a milter service is to have it autostart when the
> server boots, just as you would with any service. For example, if you're
> using systemd, you'd have a miltername.service unit file to fire it up.
>
> I don't know of any way for Postfix itself to then monitor the running milter
> service to respawn if it fails, but the two milters I'm most familiar with --
> OpenDKIM and OpenDMARC -- both have "AutoRestart=yes" configuration options
> in their conf files to respawn themselves in the event they fail. I assume
> they're monitoring their own PID file, or something to that effect, but I'm
> not a programmer, so I don't know what's under-the-hood to enable that. I
> have Nagios configured to regularly check that Postfix is up, and separately
> monitor my important milters.
>
> If you're looking to write your own milter service, I'd join the dev
> discussion list for one of the milters that supports AutoRestart (such as
> OpenDKIM) and ask about it there. A good number of guys on this Postfix list
> are also on that list.
>
> Or you could look through the source code on SourceForge and find the
> AutoRestart stuff:
>
> http://sourceforge.net/projects/opendkim/
>
> SteveJ
Re: Freelance to recommand?
Have you purchased some textbooks on Postfix? That is a good start to identifying the processes that are available out of the box. It will certainly tell you how to attach your custom processes to the main postfix flows. They will also tell you about ACLs, rewriting, recipient mailboxes and delivery to lists.

Once you get a general design outlined, you should be able to ask specific questions here about how to implement each piece and perhaps find people who have pieces that you need or are able to build them.

Ron

On 15/02/2016 6:27 PM, Roman Doe wrote:
I need to assess the feasibility of the email hub I want to set up. It must have specific and quite uncommon features:

- Remailing (rewrite envelopes and headers from remote SMTP clients) (anonymous remailer, kind of like craigslist 2-way relay)
- ACL: blacklists per users
- Dynamic recipients
- Limit of total recipients per month (different quotas possible)
- Lists (announcement and discussion)
- Different sending rules per list (for example different authorized message sizes, or attachment files (photo, file, etc…))

On Mon, Feb 15, 2016 at 10:40 PM, Luis Daniel Lucio Quiroz wrote:
What do you need?

On Feb 15, 2016 4:35 PM, "Danny Horne" wrote:
What are you trying to achieve? There's plenty of experts here (not me I hasten to add!!)

On 15/02/2016 8:52 pm, Roman Doe wrote:
> I'm struggling finding a postfix expert, any contact to suggest?
>
> Thank you very much.
Re: Postfix Mailman integration
On 2/29/2016 12:19 PM, Viktor Dukhovni wrote:
> For submission of list messages to a large number of recipients, I
> would generally use sendmail(1) rather than SMTP. Don't know whether
> mailman supports that.
>

It does, but its use is "highly discouraged".

- Ron
Re: Postfix Mailman integration
On 3/2/2016 1:30 AM, Viktor Dukhovni wrote:
> On Tue, Mar 01, 2016 at 07:32:02PM -0500, Ron Guerin wrote:
>
>> On 2/29/2016 12:19 PM, Viktor Dukhovni wrote:
>>> For submission of list messages to a large number of recipients,
>>> I would generally use sendmail(1) rather than SMTP. Don't know
>>> whether mailman supports that.
>>>
>>
>> It does, but its use is "highly discouraged".
>
> Perhaps they have their reasons, I would not be so sure they are the
> right reasons, but if their implementation handles this poorly, so
> be it. It *should* work well (potentially quite a lot better than
> SMTP, as the recipient list gets really large, unless the list
> expansion is done by Postfix via a :include: local alias).
>
> So my guess is that the Mailman developers don't understand Postfix
> well enough to use it properly, but the converse might also be true.

I used to use the Sendmail delivery module. It works, and I don't know why they discourage its use, but I switched to SMTP over the years with new installs and upgrades because when the authors of your software "highly discourage" something, it's time to change. I haven't had any problems since switching, and my lists are almost certainly about the same size as Ruben's.

The comments earlier about his lists being dirty (as in full of dead addresses) caught my attention though. I don't know whether or not his Majordomo kept his lists clean, and Mailman's own list cleaning is pretty ineffective in all of my own use cases until you change the settings.

- Ron
Re: transport smtp failure after MySQL connection
On 3/2/2016 11:19 AM, Christian Renner wrote:
> On 25/02/16 15:30, Wietse Venema wrote:
>> As Postfix has not changed, this is a platform-specific (maybe
>> even site-specific) problem. Have you asked your software provider
>> for help?
>
> Problem is solved now and yes, it was some kind of
> platform-specific.
>
> We're running multiple chrooted instances of postfix
> (/var/spool/postfix/, /var/spool/postfix2/, /var/spool/postfix3/,
> ...) and after replacing files in
> /var/spool/%postfixinstance%/lib/x86_64-linux-gnu/ with the
> corresponding files in /lib/x86_64-linux-gnu/ the problem was gone.
>
> As far as I know in Debian the init-script copies those files at
> every start of postfix. But as we are running multiple instances of
> postfix this only works for the first standard instance in
> /var/spool/postfix/.
>
> Many thanks for your help
> Christian

I've been running three instances of Postfix on Debian since about 2011. Originally I had to modify the init script, but the one Debian ships in more recent years handles multi-instance Postfix properly.

- Ron
Re: Webmin with Postfix: recommended or not.
On 27/03/2016 2:08 PM, Steve Jenkins wrote:
On Sat, Mar 26, 2016 at 3:48 PM, Tom Browder wrote:
I am considering using Webmin on my servers and see that it has a Postfix module. Does anyone have any experience with it or have an opinion to offer ref its ability to manage Postfix?

Hi, Tom. I use Webmin for a few different tasks, and like it, but find the Postfix config files straightforward and so I've always edited them directly. Which is all the Webmin module is going to do, as well. I can't see any harm to using it. I just think that it's quicker to edit the main.cf and master.cf files directly.

SteveJ

I have used Webmin for years including for Postfix. You have the option of direct editing of the cf files with Webmin. To me this is the best of both worlds. A lot of the instructions for adding things and fixing things come as direct mods to the .cf files so you do need to be able to do both.

Webmin makes it easy to add aliases and manage the queue. It is also easy to look at individual mailboxes if there is a question about a particular user where the problem may be on the client side.

Ron
Re: Was the Dovecot working well?
Fail2ban might be able to do the whack-a-mole in a sensible manner that allowed for innocent interruptions but banned the bad guys.

Ron

On 14/11/2016 11:39 PM, Sean Greenslade wrote:
On Mon, Nov 14, 2016 at 08:21:24PM -0800, vod vos wrote:
So are there any configurations to auto ban this kind of visit, like postfix postscreen? Or should I write firewall rules to do the job?

I don't know if dovecot provides such functionality. I personally don't bother, since it quickly becomes a game of whack-a-mole. Plus, it's not always a malicious event. If the connection gets interrupted before the client sends its auth credentials, it looks the same as this type of scan.

Basically, make sure users are using good, secure passwords, and make sure your software is all up to date.

--Sean
Re: Was the Dovecot working well?
On 15/11/2016 9:52 PM, Sean Greenslade wrote:
On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
Fail2ban might be able to do the whack-a-mole in a sensible manner that allowed for innocent interruptions but banned the bad guys

For the kind of attempts I typically see, F2B won't do much. It's usually not a brute force type of attack. Generally it's only a single connection that either attempts to fingerprint the server (checking for known vulns) or just tries a few "easy" passwords (e.g. root/root, pi/raspberry).

F2B is pretty flexible. You can say that any IP that fails to log in on root or pi 3 times in a week should be banned for a month or forever if you really see a subtle attack. You have control of the frequency of log messages that constitute an attack. You can look for any string in the log so you can watch for the vulnerability probes as well as login attempts.

Ron

I would suggest simple connection rate limiting and enforcing strong passwords as a better (in my opinion) option.

--Sean
Re: Stopping compromised accounts
I also limit the number of recipients allowed on an out-going email. This blocks bulk spammers since they tend to put a lot of addresses on 1 envelope. The number allowed will depend on your users' typical patterns. Mine is pretty low (between 10-20) since we tend to have small project teams.

Ron

On 06/12/2016 2:59 AM, Julian Kippels wrote:
On Mon, 5 Dec 2016 20:52:21 -0500, Alex wrote:
Hi,

I have a postfix-3.0.5 system with a few hundred users. They have access to submission, webmail, and dovecot to send and receive mail. On occasion, users' local desktops are compromised, and with them their account on this system. This leads to their local desktop using the submission service to send hundreds or thousands of spam emails through this compromised account. They're only stopped after the user receives a ton of bounce messages, or we happen to see it somehow while watching logs.

What mechanisms are available to, say, control the number of messages sent per day or otherwise be made aware of a pattern of messages being sent by an account that could be indicative of account compromise?

Thanks,
Alex

Hi Alex,

I use a policy daemon that registers every mail that is sent by our servers. The metadata is stored in a SQL database. Every two minutes a cronjob is run which checks the metadata for which sasl_sender has sent how many mails. If a sasl_sender surpasses a certain threshold the cronjob automatically blocks this user in our LDAP so that he can't submit any more mails.
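Both ideas in this exchange, a per-account volume threshold and a cap on recipients per envelope (the Postfix knob for the latter is smtpd_recipient_limit), can be checked offline against the mail log. Here is an added example that is mine, not the poster's policy daemon: it joins the smtpd line that carries sasl_username to the qmgr line that carries the recipient count by queue id, then flags accounts over either threshold. The log lines, account names and thresholds are constructed.

```python
"""Flag submission accounts whose outbound volume looks like a compromised
account, in the spirit of the per-sasl_sender threshold described above.
Added example (not the poster's policy daemon); it runs offline over
constructed Postfix log lines in the standard syslog format and joins the
smtpd line (which carries sasl_username) to the qmgr line (which carries
the recipient count) by queue id."""
import re
from collections import defaultdict

# smtpd logs the authenticated user; the service name may be prefixed
# (e.g. postfix/submission/smtpd when master.cf sets syslog_name)
SMTPD_RE = re.compile(
    r"postfix/\S*smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=.*\bsasl_username=(?P<user>[^,\s]+)")
# qmgr logs the envelope sender, size and recipient count for the same queue id
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def summarize(log_text):
    """Per sasl_username: messages submitted, total recipients, largest envelope."""
    user_of = {}                       # queue id -> sasl_username
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "max_nrcpt": 0})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            user_of[m["qid"]] = m["user"]
            stats[m["user"]]["messages"] += 1
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in user_of:  # skip mail that did not come in via SASL
            s = stats[user_of[m["qid"]]]
            n = int(m["nrcpt"])
            s["recipients"] += n
            s["max_nrcpt"] = max(s["max_nrcpt"], n)
    return dict(stats)


def flag_accounts(stats, max_messages=50, max_nrcpt=20):
    """Accounts exceeding either threshold within the log slice examined
    (the slice is the window; the poster's cron job used two minutes).
    Returns {user: [reasons]}."""
    flagged = {}
    for user, s in sorted(stats.items()):
        reasons = []
        if s["messages"] > max_messages:
            reasons.append(f"{s['messages']} messages (limit {max_messages})")
        if s["max_nrcpt"] > max_nrcpt:
            reasons.append(f"{s['max_nrcpt']} recipients on one envelope (limit {max_nrcpt})")
        if reasons:
            flagged[user] = reasons
    return flagged


def constructed_log():
    """Constructed log slice: alice sends 2 normal messages, bob sends one
    message to 25 recipients, mallory (the compromised account) sends 60."""
    lines = []
    qid = 0x1A2B3C4D00

    def emit(user, nrcpt):
        nonlocal qid
        qid += 1
        lines.append(f"Dec  5 20:50:01 mx postfix/submission/smtpd[311]: {qid:010X}: "
                     f"client=host[203.0.113.5], sasl_method=PLAIN, sasl_username={user}")
        lines.append(f"Dec  5 20:50:01 mx postfix/qmgr[120]: {qid:010X}: "
                     f"from=<{user}@example.test>, size=1024, nrcpt={nrcpt} (queue active)")

    for _ in range(2):
        emit("alice", 1)
    emit("bob", 25)
    for _ in range(60):
        emit("mallory", 3)
    return "\n".join(lines)


if __name__ == "__main__":
    for user, reasons in flag_accounts(summarize(constructed_log())).items():
        print(user, "->", "; ".join(reasons))
```

Joining on the queue id matters: the smtpd line alone gives the account but not the envelope size, and the qmgr line alone cannot tell authenticated submissions from inbound mail, so a rule built on either line by itself either misses bulk envelopes or counts the wrong traffic.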
Re: Postfix and Mailman 2 virtual alias domain integration
This is pretty common. The DNS does not matter all that much as long as people can find the MX server for each domain. The MX record has to point to an A or CNAME that maps to the actual machine where your main service (Postfix) runs. The A or CNAME can be in a different domain as long as that is resolvable to an IP somehow.

Every domain can have its MX point to smtp.B.tld as long as smtp.B.tld resolves to something in the B domain's DNS. This is probably easiest since you can move all SMTP traffic with a single change in the DNS for B.tld.

In the end the foreign SMTP server has to be able to reach someone who will take the mail off its hands and the DNS serves that purpose. Once the mail is transferred to the "right" IP address, the sender doesn't care how you organize your domains internally.

Ron

On 18/08/2015 8:55 AM, Tom Browder wrote:
On Sun, Aug 16, 2015 at 3:36 PM, @lbutlr wrote:
On 16 Aug 2015, at 10:44, Tom Browder wrote:
Okay, then I guess I should pick one of the virtual hosts as the domain name and add some arbitrary host then. Does that mean it is then a "real" server and should not be treated as a virtual domain?

You need a reasonable helo name and you need an rDNS that matches.

Okay, let me be more specific: On a single Apache/Postfix/MM2 server I have domains A.tld ... Z.tld, each of which I want to have mail delivered to/from. I will choose B.tld as the non-virtual server (with FQHN mail.B.tld). I have a single IP address, say, 9.9.9.9, to which all domains are mapped.

So how should the DNS records look? Can anyone give me the exact settings for the A, CNAME, MX, and PTR records for A.tld and B.tld (and any other suggested records)?

Many thanks.

Best,

-Tom
Re: Postfix 20 years ago
A great contribution to the Internet. Your 20 years of fantastic support and sustained commitment has made Postfix successful.

Thanks

Ron

On 12/02/2017 1:12 PM, Dominic Raferd wrote:
On 12 February 2017 at 18:06, Wietse Venema wrote:
Last month it was 20 years ago that I started writing Postfix code...

Amazing what a mighty oak has grown from such an acorn. Thanks to you for the original planting and to all those, including you, who have nurtured its growth, and continue to do so.
Re: Execute linux commands after receive a mail...
What would be the human reaction to a 15 second latency (nothing to regular e-mail service) on a light switch - hit it again and again until the first message arrives. Fun to imagine lights suddenly turning on and off in rapid succession as delayed e-mail starts to get delivered a few seconds after the initial request.

The fridge could e-mail the grocery list when the milk runs low but e-mail is not a good fit for most IoT applications.

Ron

On 17/03/2017 3:18 AM, Sean Greenslade wrote:
On Thu, Mar 16, 2017 at 05:48:49PM -0700, li...@lazygranch.com wrote:
I had no idea you could receive email on any port. I wonder how many ISPs allow this.

Sure, you can run any service on any port. The default ports (e.g. 25 for SMTP) are simply there to make interoperability easy. Most ISPs do nothing to block specific services on specific ports. The only thing I've ever seen is some residential ISPs block all outgoing connections on port 25 to hamstring spambots on infected home PCs. This is typically a blanket port ban, so it doesn't matter if it's a SMTP server on that port or not; nothing goes out port 25. This generally doesn't affect home users, since they almost always use a submission port or a webmail client to get to their mail relay.

In any event, would this be THE scheme to use for an IoT application? That is send an email to turn on/off a sprinkler, light, etc. The idea being postfix et al. does all the security, AKA the hard part.

While it would certainly be _A_ way of doing IoT, I certainly wouldn't call it _THE_ way. Email is not particularly well-suited for command and control type applications. Lots of protocol and message overhead, high latency, unidirectional channels...overall not a great fit.

--Sean
Re: MariaDB versus MySQL
On 12/17/2017 12:15 AM, @lbutlr wrote:
Are there any config changes that need to be made in postfix when moving from mysql to MariaDB 10.0?

No, but be aware, I've done 3 conversions now on Debian and none of them has gone correctly. At the least you should expect to have to run mysql_upgrade manually.

- Ron
Re: Mails stuck in queue until inflow stops
On 21/04/2018 7:38 AM, Ram wrote:
On 04/20/2018 07:39 PM, Wietse Venema wrote:
Ram:
On 04/20/2018 07:14 PM, Wietse Venema wrote:
Ram:
I have a very busy postfix server that acts as a relay. It gets mails from an application and then forwards the mails to the delivery servers on local LAN. The application can send mails at a rate of up to 600 mails per second.

Postfix has been configured to accept mails all that quickly, but the delivery is very poor until inflow stops. Only around 20-50 mails per s. Once the app completes the inflow, then the mails are cleared at a rate of 1000 mails per second.

Why? Is there a contention on the queue manager when the inflow is too quick?

No, there is contention for the file system. If you disabled in_flow_delay, turn it back on, please. This allows the queue manager to push back, though it works only for clients that make few parallel connections. Otherwise, you need a faster disk. SSDs have become quite affordable, even the 'enterprise' ones that have some extra capacitors to prevent data corruption after power failure.

I am using spool dir on /dev/shm. in_flow_delay slows down smtp connections which the application can not handle. That is why I have disabled it.

If you can't use the Postfix safety mechanism, then I can't help you.

I know, and in_flow_delay works for almost all cases where I use postfix. Excepting when 1 sec delay per process becomes too much.

If I have a high end machine, will running multiple postfix instances on the same machine help? That way, if I change the app to deliver to multiple instances simultaneously. There is no IO load running everything in /dev/shm.

I hope that you have no spam or virus checking on the inflow.
Re: Mails stuck in queue until inflow stops
On 21/04/2018 8:07 AM, Ram wrote:
On 04/21/2018 05:32 PM, Ron Wheeler wrote:
On 21/04/2018 7:38 AM, Ram wrote:
On 04/20/2018 07:39 PM, Wietse Venema wrote:
Ram:
On 04/20/2018 07:14 PM, Wietse Venema wrote:
Ram:
I have a very busy postfix server that acts as a relay. It gets mails from an application and then forwards the mails to the delivery servers on local LAN. The application can send mails at a rate of up to 600 mails per second.

Postfix has been configured to accept mails all that quickly, but the delivery is very poor until inflow stops. Only around 20-50 mails per s. Once the app completes the inflow, then the mails are cleared at a rate of 1000 mails per second.

Why? Is there a contention on the queue manager when the inflow is too quick?

No, there is contention for the file system. If you disabled in_flow_delay, turn it back on, please. This allows the queue manager to push back, though it works only for clients that make few parallel connections. Otherwise, you need a faster disk. SSDs have become quite affordable, even the 'enterprise' ones that have some extra capacitors to prevent data corruption after power failure.

I am using spool dir on /dev/shm. in_flow_delay slows down smtp connections which the application can not handle. That is why I have disabled it.

If you can't use the Postfix safety mechanism, then I can't help you.

I know, and in_flow_delay works for almost all cases where I use postfix. Excepting when 1 sec delay per process becomes too much.

If I have a high end machine, will running multiple postfix instances on the same machine help? That way, if I change the app to deliver to multiple instances simultaneously. There is no IO load running everything in /dev/shm.

If you look at a system monitor output (top on Linux is enough), is Postfix using 100% of the CPU? Is there a significant amount of process time in wait queues? Is there lots of spare physical memory?

Probably a silly question but are you sure that the sending application or network is not the bottleneck? If you configure Postfix to throw away the e-mails immediately on receipt, does the inflow meet your expectations?

I thought so too. I tried using postfix-sink and the mails are sent at max speed. So the network is not a problem.

Does the analysis of which postfix tasks are eating the CPU give any hints?

Ron
Re: Authentication attempts for x...@com.au addresses
There does not seem to be a completely foolproof and easy to manage solution.

In my case, I modified the fail2ban time in jail to block the IP for days rather than hours and did a close look at the expressions defining the bad attempts to be sure that I got all (I hope) of the cases that were appearing. They will run out of compromised sites/IPs at some point.

If you notice that the blocked IPs show entire class C blocks that are in countries where you do not really care about serving, you can manually block the entire class C at the outside edge of your firewall until someone that you actually want to let in complains.

If you have sshd running, that is another critical service to watch.

Everything is under attack all the time and the huge amount of money spent by G7 governments on cybersecurity is not having any noticeable reduction in this annoyance. Sorry for the short rant but we should not have to waste so much energy and bandwidth on this given the billions (pick a currency) that are being spent. I am afraid that it is mostly spent on training people who were not recruited with the right skills and going to international conferences to talk about how serious the problem is.

Ron

On 4/2/19 8:10 AM, James Brown wrote:
Thanks Esteban. I have fail2ban installed. Unfortunately each attempt comes from a different IP (botnet I presume). I'm finding this all the time now, so fail2ban seems to be no longer much use. Was just hoping there was a Postfix or Dovecot setting I could use to ignore these submission attempts.

James.

On 2 Apr 2019, at 7:43 pm, Esteban L wrote:
You will need to install fail2ban to ip block failed attempts. As you have correctly assumed, a malicious person is trying to hack into your mail server. Fail2ban is a required application nowadays.

On April 2, 2019 8:57:06 AM GMT+02:00, James Brown wrote:
Not sure if this is a Dovecot or Postfix issue; we use Dovecot for authentication for Postfix. Mailboxes are stored in MySQL. Have noticed this today:

auth-worker(42777): Info: sql(cont...@com.au,127.0.0.1): unknown user (given password: someone123)

also i...@com.au etc.

They are coming through on port 465. Obviously my domain is not 'com.au' - how can I stop these attempts from even being considered?

I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.

Thanks,
James.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Relaying to 2 SMTP servers
What actual benefit are you trying to get from doing this? In what way do the 2 different servers differ in their behaviour? A little less cryptic description might actually get you some good information. Ron On 4/17/19 10:56 AM, sel...@linagora.com wrote: I want to forward an incoming mail to 2 SMTP servers using the same mail domain. Each server will then deliver the mail to its IMAP storage. Regards Simon On 2019-04-17 16:50, Phil Stracchino wrote: On 4/17/19 10:36 AM, Simon ELBAZ wrote: Thanks for your reply. Sorry, I wanted to say using Postfix. I look for different open source solutions to achieve this. OK. Perhaps if you could give us a little more detail on exactly what you are trying to accomplish?
Re: Ris: AWS timeout
You never see him interviewed on TV. If people knew how much of the email travels over the internet as a result of his work, he would be a tech star. Ron On 2019-05-14 10:39 p.m., Durga Prasad Malyala wrote: No surprises here. Wietse ranks along the all-time greats of Computing. Cheers/DP On Wed, May 15, 2019, 00:51 j...@voipsupport.it wrote: Frank Credit to Wietse who noticed the strange TSval in the pcap. It does look like an issue with Checkpoint. Good thing is this is reproducible. John Messaggio originale Oggetto: Re: AWS timeout Da: Frank Hare A: John Fawcett CC: postfix-users@postfix.org John, Wow, good one dude! Turning off tcp timestamps on the client instantly fixed it. So I guess I bring this to Checkpoint Support and see what they say, THAT should be fun. Thanks! On Tue, May 14, 2019 at 3:02 AM John Fawcett wrote: On 14/05/2019 01:27, Wietse Venema wrote: > Wietse Venema: >> If you look at the non-VPN captures, then you will see the following: >> >> - In one trace, we see a client ACK 138, followed by a client packet >> with "." (data 443:446, ACK 138, and a timestamp field >> that is unlike those of all other packets in the stream). >> >> - In the other trace, we see that the ACK and "." packets >> are sent as one packet, with a normal timestamp field. >> >> - After this, the TCP connection is messed up, the server keeps >> transmitting "Queued as xxx", and the client keeps transmitting >> QUIT. >> >> This looks like the VPN mucks with TCP and screws up the protocol. > I verified this another time. On the SMTP client side, there is one packet, > and on the SMTP server side there are two. > > Here is a diff -U output for client-side and server-side pcap files. > > -TIMESTAMP IP 10.110.2.9.33256 > 10.1.3.134.smtp: Flags [P.], seq 443:446, ack 1 > 38, win 211, options [nop,nop,TS val 2968348176 ecr 687501956], length 3: SMTP: > .
> +TIMESTAMP IP 10.110.2.9.33256 > 10.1.3.134.smtp: Flags [.], ack 138, win 211, o > ptions [nop,nop,TS val 2968348176 ecr 687501956], length 0 > +TIMESTAMP IP 10.110.2.9.33256 > 10.1.3.134.smtp: Flags [P.], seq 443:446, ack 138, win 211, options [nop,nop,TS val 1 ecr 0], length 3: SMTP: . > > On the client side we see that the client sends one TCP packet with > three data bytes (offset 443:446, content "."), an ACK for > server offset 138, and Timestamp Value 2968348176 and Timestamp > Echo Reply 687501956. > > On the server side we see that the server receives two TCP packets. > > - One packet with the same ACK for server offset 138, and the same > Timestamp Value 2968348176 and Timestamp Echo Reply 687501956, as > the client sent, but no data bytes. This looks like a duplicate ACK that was generated on the server side VPN node. > - One packet with the same ACK for server offset 138, and the same > three data bytes as the client sent, but with a Timestamp Value of > 1 and a Timestamp Echo Reply of 0. The TSval of 1 was generated on the server side VPN node. Seems that the packet is accepted anyway on the server because we can see that Postfix responds to that. When the next packet containing the QUIT command comes through the TSval has jumped back to the original clock sequence (as generated on the client) 2968348359. I can't see why the Linux kernel would reject that jump, but maybe it's happening on a lower level. I'd suggest looking into potential bugs in the tcp/ip stack of the vpn node when it generates a TSval of 1 on that packet. Another possibility would be to see if turning off
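As an added example (not part of the thread), the RFC 7323 PAWS comparison replayed over tcpdump-style lines constructed to mirror the diff quoted above. Under the modular 32-bit comparison the rule prescribes, the segment carrying TSval 1 is seen as a forward jump from 2968348176 and is accepted, and it is the next segment, back on the client's real clock, that fails the check; this matches the symptom the thread describes (the "." is answered, the QUIT is not). Timestamps and sequence numbers beyond those quoted in the thread are constructed, and the replay treats every accepted segment as the new TS.Recent, which is a simplification.

```python
import re

# Constructed tcpdump-style lines mirroring the diff quoted above (not the original
# capture): packet 3 arrives with "TS val 1 ecr 0", packet 4 is back on the real clock.
SAMPLE_TRACE = """\
12:00:00.100 IP 10.110.2.9.33256 > 10.1.3.134.smtp: Flags [P.], seq 400:443, ack 138, win 211, options [nop,nop,TS val 2968348100 ecr 687501900], length 43: SMTP
12:00:00.200 IP 10.110.2.9.33256 > 10.1.3.134.smtp: Flags [.], ack 138, win 211, options [nop,nop,TS val 2968348176 ecr 687501956], length 0
12:00:00.201 IP 10.110.2.9.33256 > 10.1.3.134.smtp: Flags [P.], seq 443:446, ack 138, win 211, options [nop,nop,TS val 1 ecr 0], length 3: SMTP: .
12:00:00.400 IP 10.110.2.9.33256 > 10.1.3.134.smtp: Flags [P.], seq 446:452, ack 160, win 211, options [nop,nop,TS val 2968348359 ecr 687502100], length 6: SMTP: QUIT
"""

PKT_RE = re.compile(r"IP (?P<src>\S+) > (?P<dst>[^:\s]+): .*TS val (?P<tsval>\d+) ecr \d+")

def s32(x):
    """Reinterpret x as a signed 32-bit integer; TCP compares timestamps this way."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x

def paws_rejects(ts_recent, tsval):
    """RFC 7323 PAWS: a segment whose TSval is 'less than' TS.Recent under modular
    32-bit comparison is discarded (RST and idle-timeout exceptions ignored here)."""
    return s32(tsval - ts_recent) < 0

def paws_verdicts(trace_text):
    """Replay each flow's TSvals through the PAWS rule. Simplification: every
    accepted segment becomes the new TS.Recent for its flow."""
    recent, verdicts = {}, []
    for n, line in enumerate(trace_text.splitlines(), 1):
        m = PKT_RE.search(line)
        if not m:
            continue
        flow, ts = (m["src"], m["dst"]), int(m["tsval"])
        if flow in recent and paws_rejects(recent[flow], ts):
            verdicts.append((n, ts, "rejected"))
        else:
            verdicts.append((n, ts, "accepted"))
            recent[flow] = ts
    return verdicts

def rejected_lines(trace_text):
    """Line numbers of segments a PAWS-enforcing receiver would silently drop."""
    return [n for n, _, v in paws_verdicts(trace_text) if v == "rejected"]
```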
Re: How to allow mail relay when only for correct auth id + From: + Sender: combination ?
IMHO, preventing emails with differing From and Sender values is contradictory to valid usage of email. You are better off rate-limiting, as was already suggested, and employing better mail content analysis through policy servers. Ron Scott-Adams r...@tohuw.net "We are stuck with technology when what we really want is just stuff that works." (Douglas Adams) On Jun 6, 2013, at 10:37 , wie...@porcupine.org (Wietse Venema) wrote: > jayesh shinde: >> Hi, >> >> Is there any alternative? How to stop it if a spammer / virus-infected >> machine starts sending such emails? >> Due to this Outlook "On Behalf of" option, one of our end users >> created the noise. This option makes confusion when the end >> recipient receives the emails and replies to them. >> >> I came to know that in Exchange this can be controlled from the server side. >> >> How are the other experts handling this kind of issue from the server side? >> I am searching for the option by which postfix will allow SMTP relay only >> if auth id + From: + Sender: are the same. > > Rate limit your mail clients, so that they cannot send large amounts > of email when they become infected. Then, you have less cleaning > up to do. > > http://www.postfwd.org/ > http://www.policyd.org/ > > Wietse
Re: 'reject_non_fqdn_helo_hostname' not working?!
Not at all. asgljgsglhg.aergohgergearguaoreg.gaegergheagaerhgaerhgopaeg is just as much an FQDN as mail.google.com. Ron Scott-Adams r...@tohuw.net "Soap and education are not as sudden as a massacre, but they are more deadly in the long run." (Mark Twain) On Jun 7, 2013, at 09:16 , Nikolas Kallis wrote: > On 07/06/13 23:11, Mark Goodge wrote: >> On 07/06/2013 14:06, Nikolas Kallis wrote: >>> Hello, >>> >>> >>> >>> I just got an unsolicited e-mail from the domain 'bbbmail.com', which is >>> hosted at '46.235.78.1'. >>> >>> '46.235.78.1' does not resolve to a host name, therefore 'bbbmail.com' >>> is not a FQDN. >> >> 'bbbmail.com' is a fully qualified domain name. That is completely >> irrelevant to the question of whether the source IP address resolves to >> a host name. >> >> Mark > > I thought for a domain to be fully qualified, it must have a PTR record set up > for it?
Postfix 2.9.6/OpenLDAP Recipient Not Found in Table after Attribute Change
I’ve updated a working user on this test server from r...@tohuw.net to r...@joab.tohuw.net. Under the previous address, I could successfully complete a telnet session and convey mail for r...@tohuw.net to the local MTA. After changing the user’s mail attribute in LDAP to r...@joab.tohuw.net and adding the domain to LDAP, I restarted Postfix. Telnet sessions in which I use RCPT TO:r...@joab.tohuw.net fail with "550 5.1.1 : Recipient address rejected: User unknown in local recipient table". What have I forgotten to do?

CONFIGURATION INFORMATION FOLLOWS...

--- MY POSTCONF:
config_directory = /etc/postfix
content_filter = scan:127.0.0.1:10025
home_mailbox = Maildir/
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mydestination = $myhostname, localhost
mydomain = tohuw.net
myhostname = joab.tohuw.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
receive_override_options = no_address_mappings
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = [redacted]
smtpd_tls_key_file = [redacted]
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_use_tls = yes
virtual_mailbox_domains = proxy:ldap:$config_directory/ldap_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:ldap:$config_directory/ldap_virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

— LDAP_VIRTUAL_DOMAINS_MAPS.CF:
server_host = ldap://localhost/
search_base = ou=MailDomains,ou=Services,dc=tohuw,dc=net
version = 3
bind = no
query_filter = (&(ObjectClass=dNSDomain)(dc=%s))
result_attribute = dc

— LDAP_VIRTUAL_MAILBOX_MAPS.CF:
server_host = ldap://localhost/
search_base = ou=Users,dc=tohuw,dc=net
version = 3
bind = no
query_filter = (&(objectclass=inetOrgPerson)(mail=%s))
result_attribute = mail

— LDIF TO LOAD THE NEW DOMAIN:
dn: dc=joab.tohuw.net,ou=MailDomains,ou=Services,dc=tohuw,dc=net
objectClass: dNSDomain
objectClass: top
dc: joab.tohuw.net

— LDIF TO MODIFY THE USER:
dn: uid=tohuw,ou=Users,dc=tohuw,dc=net
changetype: modify
replace: mail
mail: r...@joab.tohuw.net
Re: Postfix 2.9.6/OpenLDAP Recipient Not Found in Table after Attribute Change
You made a great point here, as I did a little digging and discovered that dovecot’s bind and search LDAP account had mismatched credentials. However, the issue persists after fixing this and restarting the services. I’m pursuing the dovecot side, as this may be the problem after all. Thanks! On Feb 26, 2014, at 3:40 AM, l...@grootstyr.eu wrote: > On Wed, Feb 26, 2014 at 01:44:07AM -0500, Ron Scott-Adams wrote: >> >> I’ve updated a working user on this test server from r...@tohuw.net to >> r...@joab.tohuw.net. Under the previous address, I could successfully >> complete a telnet session and convey mail for r...@tohuw.net to the local >> MTA. >> >> After changing the user’s mail attribute in LDAP to r...@joab.tohuw.net and >> adding the domain to LDAP, I restarted Postfix. >> >> Telnet sessions in which I use RCPT TO:r...@joab.tohuw.net fail with "550 >> 5.1.1 : Recipient address rejected: User unknown in >> local recipient table" >> >> What have I forgotten to do? >> virtual_mailbox_domains = >> proxy:ldap:$config_directory/ldap_virtual_domains_maps.cf >> virtual_mailbox_maps = >> proxy:ldap:$config_directory/ldap_virtual_mailbox_maps.cf >> virtual_transport = lmtp:unix:private/dovecot-lmtp > > You use LMTP for delivery, are you sure that it is Postfix that is rejecting > the clients address? Check the log > if it is the postfix/lmtp process that is rejecting, if so, it is dovecot > that is reporting unknown user, not > postfix. Check if your user lookup maps are also correct in your dovecot > configuration. > > Matthijs
Re: Postfix 2.9.6/OpenLDAP Recipient Not Found in Table after Attribute Change
Wietse, Thank you for the reply. However, I didn’t have any entry for “ron” in the maps previously. I think it’s as Matthijs indicated, and something is going on in the Dovecot side. I clearly need to re-read docs I haven’t visited in a while and regain understanding of lmtp configurations. I’ll keep plugging away. Thanks for the help, everyone. On Feb 26, 2014, at 6:51 AM, Wietse Venema wrote: > Ron Scott-Adams: >> Telnet sessions in which I use RCPT TO:r...@joab.tohuw.net fail >> with "550 5.1.1 : Recipient address rejected: >> User unknown in local recipient table" > > Look at output from: > > postconf local_recipient_maps > >> What have I forgotten to do? > > There is no "ron" found in those maps. > > Wietse
Re: Postfix 2.9.6/OpenLDAP Recipient Not Found in Table after Attribute Change
So, it did end up being a Postfix problem. I eventually found the problem in mail.warn. mydestination included $myhostname, joab.tohuw.net, which was also in MailDomains in LDAP. So, I had a double-mapped entry. I removed it from mydestination and all is well. Thanks everyone. On Feb 27, 2014, at 11:29 PM, Ron Scott-Adams wrote: > Wietse, > > Thank you for the reply. However, I didn’t have any entry for “ron” in the > maps previously. I think it’s as Matthijs indicated, and something is going > on in the Dovecot side. I clearly need to re-read docs I haven’t visited in > a while and regain understanding of lmtp configurations. I’ll keep plugging > away. Thanks for the help, everyone. > > On Feb 26, 2014, at 6:51 AM, Wietse Venema wrote: > >> Ron Scott-Adams: >>> Telnet sessions in which I use RCPT TO:r...@joab.tohuw.net fail >>> with "550 5.1.1 : Recipient address rejected: >>> User unknown in local recipient table" >> >> Look at output from: >> >> postconf local_recipient_maps >> >>> What have I forgotten to do? >> >> There is no "ron" found in those maps. >> >> Wietse >
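An added example (not from the thread) of the check that would have caught this resolution up front: it expands $name references in mydestination the way Postfix does and intersects the result with the virtual mailbox domain list, so the overlap hidden behind $myhostname becomes visible. The postconf excerpt is constructed from the settings quoted in the thread, and LDAP_MAIL_DOMAINS is a constructed stand-in for what the ldap_virtual_domains_maps.cf lookup would return.

```python
import re

# Constructed "postconf -n" excerpt mirroring the settings quoted in this thread.
SAMPLE_POSTCONF = """\
mydestination = $myhostname, localhost
mydomain = tohuw.net
myhostname = joab.tohuw.net
virtual_mailbox_domains = proxy:ldap:$config_directory/ldap_virtual_domains_maps.cf
"""
# Stand-in for the dc values under ou=MailDomains; a real check would query LDAP.
LDAP_MAIL_DOMAINS = {"tohuw.net", "joab.tohuw.net"}

def parse_postconf(text):
    """Turn 'name = value' lines into a dict (continuation lines not handled)."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def expand(value, params, depth=0):
    """Expand $name and ${name} references recursively, as Postfix does."""
    if depth > 10:
        raise ValueError("parameter expansion too deep")
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1),
                  value)

def split_domains(value):
    """Postfix list syntax: comma and/or whitespace separated."""
    return {d for d in re.split(r"[,\s]+", value) if d}

def double_mapped_domains(postconf_text, virtual_domains):
    """Domains listed in mydestination (after expansion) that are also virtual
    mailbox domains; Postfix warns about exactly this combination in the mail log."""
    params = parse_postconf(postconf_text)
    local = split_domains(expand(params.get("mydestination", ""), params))
    return sorted(local & set(virtual_domains))
```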
[pfx] Postfix as an SMTP front end
I am running postfix on the same machine as my IMAP server, but this is a security risk because having two different services on the same machine increases the attack surface. My IMAP server doesn't need to be publicly visible, so I would like to move that service to a separate machine, and have the public-facing postfix just forward all incoming mail (modulo some basic spam filtering) to that server (which would also be running its own copy of postfix). Is there a concise set of instructions somewhere on how to configure postfix for this use case? I can't be the first person who has wanted to do this. Thanks, rg ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org