"Sender-Dependent Aliases"
Hi, I'm using postfix aliases for mapping incoming emails to my mailman mailing lists, as described in the "Adding MySQL aliases" of this guide: http://freemars.org/howto/mailman.html#conadd What I'd like to do is to make this mapping sender-dependent. For instance, a mail from pers...@gmail.com to mail...@example.com should go to mailm...@lists.example.com, but a mail from pers...@gmail.com to mail...@example.com should go to mailm...@lists.example.com. (Here, mailman1 and mailman2 are two completely separate mailing lists.) Is there a simple way to configure postfix to do this? I've seen the sender dependent functionality like sender dependent transport map, but I'm still a little unclear about how to accomplish what I want. I'm sorry if this turns out to be trivial. I've been searching around for a couple hours for an answer to this question to no avail, so I figured I'd ask here. Thanks!
Re: "Sender-Dependent Aliases"
Cool, thanks for the response. I'm in the process of setting this up right now, but while I do that, I have a couple quick questions: 1) This seems like it might redirect *all* mail coming from from_address@domain to new_to_address@anotherdomain. That's not quite what I want. In my first example, pers...@gmail.com might be subscribed to more than one mailing list, so I need to redirect based both on the sender and the mailing list. I can see that this wasn't clear from my first email, so sorry about that. To be absolutely clear, an email from pers...@gmail.com to mail...@example.com should go to mailm...@lists.example.com, an email from pers...@gmail.com to another_l...@example.com should go to another_li...@lists.example.com , an email from pers...@gmail.com to mail...@example.com should go to mailm...@lists.example.com 2) I assume it's possible to enter the redirect mappings into a mysql database directly, rather than write the mapping in a file, right? (e.g.: I enter my aliases in the way described here: http://flurdy.com/docs/postfix/#data) Thanks for your help! On Thu, May 31, 2012 at 9:36 AM, Robert Wysocki wrote: > Dnia 2012-05-30, śro o godzinie 22:08 +0100, t t pisze: > > Hi, > > > > > > I'm using postfix aliases for mapping incoming emails to my mailman > > mailing lists, as described in the "Adding MySQL aliases" of this > > guide: > > > > > > http://freemars.org/howto/mailman.html#conadd > > > > > > What I'd like to do is to make this mapping sender-dependent. For > > instance, a mail from pers...@gmail.com to mail...@example.com should > > go to mailm...@lists.example.com, but a mail from pers...@gmail.com to > > mail...@example.com should go to mailm...@lists.example.com. (Here, > > mailman1 and mailman2 are two completely separate mailing lists.) > > > > > > Is there a simple way to configure postfix to do this? I've seen the > > sender dependent functionality like sender dependent transport map, > > but I'm still a little unclear about how to accomplish what I want. > > > > > > I'm sorry if this turns out to be trivial. I've been searching around > > for a couple hours for an answer to this question to no avail, so I > > figured I'd ask here. > > > > > Hi t t, > > You can use sender-dependant aliases like that: > > main.cf: > > smtpd_sender_restrictions = check_sender_access > hash:/etc/postfix/sender_access > > sender_access: > from_address@domain redirect new_to_address@anotherdomain > > > Regards, > -- > Robert Wysocki > administrator systemów linuksowych > Contium S.A., http://www.contium.pl > > >
Re: "Sender-Dependent Aliases"
Ok, cool, thanks everyone. I checked out qpsmtpd but couldn't really find resources explaining how to do address rewriting; maybe I'm supposed to write my own perl script to do it. (I don't know perl, but if this is actually an easy solution and you can link me to somewhere that explains how to do it or something similar, I'd definitely be interested.) Writing a procmail recipe looks pretty simple, so that might be good. One concern with the procmail solution is that I'm going to be programmatically adding users to Mailman mailing lists. It would seem, therefore, that I would need to alter the procmailrc file programmatically too. This is easily accomplished, but I wonder if this isn't a very robust solution. I'd rather be adding entries to a database, for instance, than altering a file. I'm worried about how well a solution that relies on writing to a file will scale, as well as whether I'm going to run into concurrency problems if multiple processes try to write the file simultaneously. I'm sure you all have much more experience writing software than I do, so your advice would be appreciated. Thanks! On Fri, Jun 1, 2012 at 6:59 AM, Robert Wysocki wrote: > Dnia 2012-05-31, czw o godzinie 10:01 +0100, t t pisze: > > > an email from pers...@gmail.com to mail...@example.com should go > > to mailm...@lists.example.com, > > > > > > an email from pers...@gmail.com to another_l...@example.com should go > > to another_li...@lists.example.com, > > > > > > an email from pers...@gmail.com to mail...@example.com should go > > tomailm...@lists.example.com > > > > You can use REDIRECT to a local account and then use .procmailrc to do > additional forwarding. > If I remember correctly, REDIRECT doesn't affect original To: header. > > > > > 2) I assume it's possible to enter the redirect mappings into a mysql > > database directly, rather than write the mapping in a file, right? > > (e.g.: I enter my aliases in the way described > > here: http://flurdy.com/docs/postfix/#data) > > > > > Surely it's possible. Never done it though. > > Regards, > > -- > Robert Wysocki > administrator systemów linuksowych > Contium S.A., http://www.contium.pl > > >
If To: address is $x. Change From: adress to $y
Hello, hopefully somebody can give me a clue on how to do this. Right now I have emails coming from al...@theircompany.com to distribut...@ourcompany.com. I want to set up something in Postfix so that if the email is going to distribut...@ourcompany.com, the From: address is automatically re-written to supp...@ourcompany.com. That way the people on distribut...@ourcompany.com will see the email coming from supp...@ourcompany.com instead of al...@theircompany.com. Any clue on this or where to start would be helpful! Thanks -Tay
NOQUEUE Relay Access denied
Hello everybody,
postfix user since neraly two years approximately (runs like a swiss
cloickwork, THANKS to developers) but now I have a question I could not
resolve via reading the documentation:
My question is not about Postfix configuration but only on how to read
Postfix' loglines.
I have a mail user with obviously a mixed up MUA setup (Thunderbird). This
mail user cannot send out Email to any Email address belonging to foreign
mail servers. He only succeeds to send Email to users on the same mailserver
(mine).
The principal problem (wrong MUA settings) is clear but I just would like to
fully understand the related postfix logline 100% right (to be able to give
more DETAILED advice to this MUA user.
My Email user is myu...@homedomain.tld (my mailservers)
He wants to send an Email to sil...@foreigndomain.tld (foreign mail server)
Here's the logline in question:
Oct 24 22:38:36 mail postfix/smtpd[91510]: NOQUEUE: reject: RCPT from
ANice-123-1-16-136.w82-144.abo.wanadoo.fr[123.123.123.123]: 554 5.7.1
: Relay access denied;
from= to= proto=ESMTP
helo=<[192.168.0.4]>
So three times an Email address is mentioned in this logline. The meaning of
the second occuremce ("... from= ...") and third
occurence (" to= ...")is clear. I just don't
get the exact meaning of the first occurence of an Email address.
Now the actual question:
Does the FIRST occurence of an Email address ( "... 554 5.7.1
: Relay access denied ...") mean, that my client
tried to smtp auth himself as mailbox user sil...@foreign.tld ?
Does this then mean that wrongfully this MUA setup has sil...@foreign.tld in
the mail accounts configuration instead of myu...@homedomain.tld ?
In this case, I had an approval on the wromg MUA setup. My postfix
configuration does exactly what it has to do: reject foreign users to avoid
being an open relay.
Many thanks in advance !
Tom
Re: NOQUEUE Relay Access denied
Noel, thanks a lot for your help. Just to precise my need for information: > > 554 5.7.1 > > : Relay access denied; > > This is the response postfix sent to the remote client. The > SMTP response is 554 (a permanent error) with an extended code > of 5.7.1, and a text description of what was rejected (the > recipient address) and why (relay access denied). Is the Email address at exactly that place always (by definition of the logline format) the recipients Email address ? Or may there be placed any text information (i.e. in some cases the senders address ) ? The question is just, how and as what to interpret the information at that part of the logline. We are just struggling to find out if there's a certain problem with Thunderbird (but almost probably, just the mail user messed up his SMTP configuration ffor his mail account). The mail server setup itself works like a charm. Thanks again Tom
Re: NOQUEUE Relay Access denied
Noel and others, > In the specific case of "Relay access denied" it will always > be the recipient address, but there are other reasons for mail > to be rejected. > > That section of the log line shows "what" was rejected along > with a brief text description/reason. > > The "what" can be any part of the SMTP envelope; client, HELO, > sender, recipient, or in the case of header/body checks, the > text that matched the rule. thanks a lot. THAT was the information I was looking for. Problem solved. Despite of various checks, the client/user still had a typo in his SMTP auth configuration (*snarf*). Thanks Tom
mailheader patch / sender IP
Hello everybody, I have to setup a postfix mailserver with speecial requirements from the customer side: They do not want their sender IP addresses being visible in the mailheader as seen by the recipients. Reason: They sometimes also communicate with competitors and they fear to get spied through geolocalization of their sender IP addresses (many of them are road warriors). Can this be done via postfix configuration or postfix compile options or available postfix patches ? Or in another way ? Many thanks in advance Tom
Re: mailheader patch / sender IP
Thanks to ALL. I made it using the header_checks method using in main.cf: header_checks = regexp:/usr/local/etc/postfix/header_checks in header_checks: /^Received: from/ IGNORE Seems to work like a charm :-) The VPN way certainly was another valuable thing but of course it'd need lots of additional work on all the client computers and so it wasn't the quickiest way. However, the header_checks thing was a ver quick and easy solution. Thanks again Tom On Saturday 13 November 2010 20:16:49 /dev/rob0 wrote: > On Sat, Nov 13, 2010 at 06:51:53PM +0100, t...@diogunix.com wrote: > > I have to setup a postfix mailserver with speecial requirements > > from the customer side: > > > > They do not want their sender IP addresses being visible in the > > mailheader as seen by the recipients. Reason: They sometimes > > also communicate with competitors and they fear to get spied > > through geolocalization of their sender IP addresses (many of > > them are road warriors). > > For Unix shell users, this is easy: ssh to your server and run > mutt(1) or alpine(1) or the like. Yes, I know that's not relevant in > your case, but it's fun to mention. :) > > If you're already using OpenVPN to secure their access to office > resources while on the road, consider that email is an office > resource too. Simply point the MUA to run throuugh the VPN, and > nothing useful can be gleamed from your Received: headers. > > > Can this be done via postfix configuration or postfix compile > > options or available postfix patches ? Or in another way ? > > As Jeroen mentioned, header_checks(5) REPLACE or IGNORE action does > this, no patching nor recompile needed. Search the list archives, > there have been examples to do this very thing posted before. No, > your requirement is not so unusual nor special.
Re: mailheader patch / sender IP
Viktor, /dev/rob0, thanks. Am already working also on this second step (Viktors proposal) as this is really important (thanks for the hint, was already worrying about unwanted effects). Anyway I'm only running all this on a testing machine this time. However, it's impressing what one can do with Postfix ! kind regards Tom > > Seems to work like a charm :-) > > So far, maybe. > > > However, the header_checks thing was a ver quick and easy solution. > > It's not as easy as you think it was, because you have now made it > impossible to debug many mail routing problems, and have broken > detection of mail loops. > > You should do as Viktor suggested, to restrict this "easy solution" > to your submission clients ONLY. Your fix will haunt you later.
Re: mailheader patch / sender IP
Ok. Got it. For others may be searching for a similar solution: in main.cf: cleanup_service_name = cleanup header_checks = (these are the default values anyway) in master.cf: submission inet n - n - - smtpd -o cleanup_service_name=cleansub cleansub unix n - n - 0 cleanup -o header_checks=regexp:/usr/local/etc/postfix/submission_header_checks in submission_header_checks: /^Received: from/ IGNORE Works nice on the testing machine. Will watch/test it for a while and then almost probably deploy it on the production machine. Again, thanks to ALL ! Tom On Sunday 14 November 2010 18:44:59 /dev/rob0 wrote: > On Sun, Nov 14, 2010 at 04:08:04PM +0100, t...@diogunix.com wrote: > > I made it using the header_checks method using > > > > in main.cf: > > header_checks = regexp:/usr/local/etc/postfix/header_checks > > > > in header_checks: > > /^Received: from/ IGNORE > > > > Seems to work like a charm :-) > > So far, maybe. > > > However, the header_checks thing was a ver quick and easy solution. > > It's not as easy as you think it was, because you have now made it > impossible to debug many mail routing problems, and have broken > detection of mail loops. > > You should do as Viktor suggested, to restrict this "easy solution" > to your submission clients ONLY. Your fix will haunt you later.
Re: newbie question
On 02/11/2011 04:54 PM, Noel Jones wrote: On 2/11/2011 4:38 PM, Gergely Buday wrote: Dear Postfix experts, I'm new to mailing servers and need advice. Is it reasonable for my small company to use my own mail server? How much configuration is needed for a secure setup on a CentOS box? Not too much. http://www.postfix.org/documentation.html http://www.postfix.org/BASIC_CONFIGURATION_README.html http://www.postfix.org/SOHO_README.html The requirements are: I have three domain names and only one user with some aliases. Google apps is not an option as I would like to run my own web server. I have some experience with Unices. You can use google apps for mail and still run your own web server. Just point your MX records at google and point www. to somewhere else. So, is using postfix a way to go for me? Sure, but understand that postfix is only part of the puzzle (and probably the easiest part) of what you'll need to run a mail server. You'll also need a POP/IMAP server (I suggest dovecot), and you might even want webmail service (roundcube or squirrelmail) Running a mail server is not a trivial task. If you want something that "just works" go with google apps. If you want full local control and don't mind spending ongoing time fiddling with it, postfix is a fine starting place. -- Noel Jones Gergely You might take a look at ClearOS, it has Postfix as its MTA, and is very easy to configure.. Charles
Forwarding mail to other email addresses
Hi, I've been asked to take over maintenance of a Postfix / Cyrus / LDAP setup, and my background is in Courier / Exim. I've read as many docs as I felt I could take in, but I'm still finding the learning curve a little steep. My basic problem is that I can't work out how to forward email to more than one recipient. For example, let's say I want o...@example.com to 1) be delivered to its Cyrus mailbox as normal and 2) to be forwarded to b...@blackberry.net and j...@vodafone.net. (1) Was working anyway, and so was (2) when there was only one email address to forward to. I setup /etc/postfix/recipient_bcc with o...@example.com: b...@blackberry.net and all was hunky-dory. However, I then tried o...@example.com: b...@blackberry.net,j...@vodafone.net and it failed delivery as 5.1.0 - Unknown address error 550-'5.1.1 : Recipient address rejected: User unknown in virtual alias table What's the correct syntax to do this? Very grateful for any assistance. Extra info: --- As an aside, I then tried to do it by changing the LDAP entry for the email account (my additions inside ) 22 uid=...@example.com,ou=Mailboxes,ou=E-Mail,dc=example,dc=com objectClass: top objectClass: account objectClass: mailRecipient objectClass: inetMailUser mailHost: captain.oracletc.co.uk inetMailUserVersion: 2 mailMessageStore: +shared.Operations uid: o...@example.com mailLocalAddress: o...@example.com mailDeliveryOption: CYRUS mailDeliveryOption: FORWARD mailForwardingAddress: b...@blackberry.net mailForwardingAddress: j...@vodafone.net But then the users complained that the mail wasn't being delivered to their IMAP mailbox, and it was being forwarded to the blackberry / vodafone address around ten times! If I don't get any replies to this post, I'm quite happy to pay a small fee for somebody's professional time on this, or make a charitable donation etc - it just needs to be sorted out ASAP. -- TD
Re: Forwarding mail to other email addresses
2009/12/17 /dev/rob0 : > On Thu, Dec 17, 2009 at 09:51:13AM +0000, T D wrote: >> But then the users complained that the mail wasn't being delivered to >> their IMAP mailbox, and it was being forwarded to the blackberry / >> vodafone address around ten times! > > Content filtering without proper receive_override_options set? Hard > to say, see above. Thanks to all who replied, on and off list - your input is much appreciated. The above issue turned out to be one of the users' Blackberries being misconfigured and forwarding the mail to the original address, creating a loop. *sigh* Thanks again, very helpful list. -- TD
Re: duplicate emails using always_bcc and amavisd-new
Noel Jones wrote: Bernard Higonnet wrote: Hello, I have my own little family mail server running postfix under FreeBSD 7.1-RELEASE #0. I keep a journal of all ingoing and outgoing mail using always_bcc which I'm happy with. I recently installed amavisd-new and ever since I get duplicate emails in the journal, apparently because when the mail is re-injected by amavisd-new it goes through always_bcc again. I have tried setting always_bcc to "" in master.cf, but that didn't work. Can someone tell me how to do this? TIA Bernard Higonnet Disable recipient rewriting either before or after the content_filter with http://www.postfix.org/postconf.5.html#receive_override_options Typically, add to your master.cf :10026 ... smtpd entry: -receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks (note no spaces in the above) -- Noel Jones Turns out this (absence of no_address_mappings) was the problem. Many thanks! My attention was distracted from this problem for a long time which is why these thanks are so late. Bernard Higonnet
Re: Is split cleanup really needed?
Thanks. Further digging shows that my current setup was as described in http://www.ijs.si/software/amavisd/README.postfix.old (which wasn't old when I first started using it, heh). I see that it has been supplanted by (the now 2-3 year old) http://www.ijs.si/software/amavisd/README.postfix.html which doesn't use the split cleanup and does use no_address_mappings. Since even my copy of "The Book of Postfix" is going on 5 years old now, I find myself wondering what the current state-of-the-art is for setting up postfix, amavisd-new, et al ... -ste
Confusing sasl configuration examples
In the "Postfix SASL Howto", it says: In order to allow mail relaying by authenticated remote SMTP clients: /etc/postfix/main.cf: smtpd_recipient_restrictions = ... ... This is how I configured my submission port in the past. In building my new server, I see that the submission definition in master.cf uses smtpd_CLIENT_restrictions (cps mine, for emphasis) instead. I am confused about which I should use and why. Can someone enlighten me, please? Thanks! -- -ste
Re: Confusing sasl configuration examples
On Thu, Jan 7, 2010 at 5:14 PM, mouss wrote: > ... > To allow relay, you need to configure smtpd_recipient_restrictions. By > default, this contains > permit_mynetworks > reject_unauth_destination > so if you don't change it, only "mynetworks" can relay. so you need to > add permit_sasl_authentiated before reject_unauth_destination. Yes, this is what is shown in the SASL Howto and how I have had my server's submission port configured in the past. However, in the 2.6.2 postfix distribution I'm trying to configure now, the default definition of the submission port uses the same restrictions, but it applies them to the smtpd_CLIENT_restrictions parameter, NOT the smtpd_RECIPIENT_restrictions parameter. I'm trying to understand if that is just a typo in master.cf or if the change is legit and, if so, why. -- -ste
Don't see why I have Client host rejected: cannot find your hostname problem
I'm having a terrible problem with Client host rejected: cannot find your hostname All error messages, config options etc are below First trivial question: Why is the rejection message printed three times? (I am running postfix -v) Second, important question: I do not understand why my check_helo_access isn't working TIA Bernard Higonnet Running FreeBSD 7.0-RELEASE and Postfix 2.4.6 Here is the complete output from maillog for this client request (names and addresses have been changed to protect the guilty). I'm sorry but was unable to get Thunderbird 3 not to wrap these lines. Jul 26 08:59:36 freebsd postfix/smtpd[53134]: warning: 125.207.64.38: address not listed for hostname WXYZ.com.cn Jul 26 08:59:36 freebsd postfix/smtpd[53134]: connect from unknown[125.207.64.38] Jul 26 08:59:36 freebsd postfix/smtpd[53134]: NOQUEUE: reject: RCPT from unknown[125.207.64.38]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.207.64.38]; from= to= proto=ESMTP helo= Jul 26 08:59:37 freebsd postfix/smtpd[53134]: NOQUEUE: reject: RCPT from unknown[125.207.64.38]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.207.64.38]; from= to= proto=ESMTP helo= Jul 26 08:59:37 freebsd postfix/smtpd[53134]: NOQUEUE: reject: RCPT from unknown[125.207.64.38]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.207.64.38]; from= to= proto=ESMTP helo= Jul 26 08:59:37 freebsd postfix/smtpd[53134]: disconnect from unknown[125.207.64.38] Here is the result of postconf -n (I have shown only those parameters which I think relevant to a rejection) smtpd_client_restrictions = reject_rbl_client sbl-xbl.spamhaus.org reject_unknown_client_hostname smtpd_data_restrictions = reject_unauth_pipelining smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_hostname, check_helo_access hash:/usr/local/etc/postfix/helo_access, reject_unknown_helo_hostname smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,check_sender_access hash:/usr/local/etc/postfix/not_our_domains,check_client_access hash:/usr/local/etc/postfix/internal_networks, check_recipient_access hash:/usr/local/etc/postfix/access, reject_unknown_sender_domain,reject_invalid_hostname, reject_rbl_client sbl-xbl.spamhaus.org, reject_unknown_recipient_domain smtpd_reject_unlisted_sender = yes smtpd_restriction_classes = has_our_domain_as_sender smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access hash:/usr/local/etc/postfix/access, reject_unauth_destination, check_policy_service unix:private/tumgreyspf, strict_rfc821_envelopes = yes and here's what DNS has to say: freebsd# host WXYZ.com.cn WXYZ.com.cn has address 122.198.247.211 WXYZ.com.cn mail is handled by 10 mail8.WXYZ.com.cn. WXYZ.com.cn mail is handled by 15 mail.WXYZ.com.cn. freebsd# host mail.WXYZ.com.cn mail.WXYZ.com.cn has address 125.207.64.38 freebsd# host 122.198.247.211221.247.198.122.in-addr.arpa domain name pointer ip198.hichina.com. freebsd# host 125.207.64.38 38.64.207.125.in-addr.arpa domain name pointer WXYZ.com.cn. and, finally, here is /usr/local/etc/postfix/helo_access (I have not forgotten to run postmap or to reload postfix) freebsd# cat /usr/local/etc/postfix/helo_access mail.WXYZ.com.cn PERMIT 125.207.64.38 PERMIT sd02.ipslink.com permit freebsd#
Omnipresent "conversation with timed out while sending message body)"
bytes 189 65.94869810.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 190 66.21968010.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 191 128.65277610.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 192 129.82969810.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 193 129.84469410.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 194 131.22760910.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 195 131.75457610.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 196 248.65026410.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 197 249.82718110.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 198 249.84217510.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 199 251.22509110.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes 200 251.75305910.3.1.12 -> 209.85.210.73 SMTP [TCP Retransmission] C: DATA fragment, 948 bytes begin:vcard fn:Andrew T. Robinson, CISM, CGEIT, CISSP, CSSLP n:Robinson;Andrew org:NMI InfoSecurity Solutions adr:;;100 Christopher Columbus Drive Suite 2121;Jersey City;NJ;07302;USA email;internet:a...@nmi.net title:President & Owner tel;work:207-780-6381 x226 tel;fax:207-780-6301 tel;cell:347-327-4224 note;quoted-printable:Member of ISACA New York Area Board of Directors=0D=0A= andrew.robin...@isacany.org x-mozilla-html:TRUE url:http://www.nmi.net version:2.1 end:vcard
Re: Omnipresent "conversation with timed out while sending message body)"
Wietse Venema wrote: Andrew T. Robinson: delay=2005, delays=1283/0/361/361, dsn=4.4.2, status=deferred delay=5004, delays=4283/0.01/361/361, dsn=4.4.2, status=deferred delay=7283, delays=6561/0.01/361/361, dsn=4.4.2, status=deferred I these numbers aren't "modified for privacy reasons", Google is tarpitting your machine with 360s (6 min) delays. Ask them why. Possibly Google has throttled me because there about 10-15 attempts to send the same message in the queue, and I kept issuing postqueue -f. The outgoing relay public address isn't in any RBLs and I've yet to find a mechanism to inquire with Google as to whether my domain, IP address(es), or host name(s) are being inhibited for some reason. I know it's not your job to tell me how to "ask them why," but if you know I'd love to hear it. Gmail is not the only sink where this is happening. The problem is very phase-of-moon and I've yet to discern a pattern. begin:vcard fn:Andrew T. Robinson, CISM, CGEIT, CISSP, CSSLP n:Robinson;Andrew org:NMI InfoSecurity Solutions adr:;;100 Christopher Columbus Drive Suite 2121;Jersey City;NJ;07302;USA email;internet:a...@nmi.net title:President & Owner tel;work:207-780-6381 x226 tel;fax:207-780-6301 tel;cell:347-327-4224 note;quoted-printable:Member of ISACA New York Area Board of Directors=0D=0A= andrew.robin...@isacany.org x-mozilla-html:TRUE url:http://www.nmi.net version:2.1 end:vcard
Chasing down postmaster of large organizations
Bryan Irvine wrote: When I was still managing an email system and got a complaint like that. I'd actually contact the postmaster for the mail system with the errors and let them know it's failing. Let's say the problem is yahoo.com or gmail.com. Have you ever tried to reach a postmaster at large corporate mail and web sites? I am having problems with domains of mine being 'tarpitted' by some of the big email providers but I am unable to get in touch with anyone to find out a) why and b) if it can be fixed. I managed it once by chasing down an SEC filing and calling the corporate counsel, who returned my call instantly because he thought I was accusing his company of SPAM (I never said or implied any such thing, but the misunderstanding was fortuitous). Andy begin:vcard fn:Andrew T. Robinson, CISM, CGEIT, CISSP, CSSLP n:Robinson;Andrew org:NMI InfoSecurity Solutions adr:;;100 Christopher Columbus Drive Suite 2121;Jersey City;NJ;07302;USA email;internet:a...@nmi.net title:President & Owner tel;work:207-780-6381 x226 tel;fax:207-780-6301 tel;cell:347-327-4224 note;quoted-printable:Member of ISACA New York Area Board of Directors=0D=0A= andrew.robin...@isacany.org x-mozilla-html:TRUE url:http://www.nmi.net version:2.1 end:vcard
Is split cleanup really needed?
I'm rebuilding my postfix installation from scratch. In the past, I've split cleanup in two, to prevent address rewriting until after filtering: pre-cleanup unix n - n - 0 cleanup -o virtual_alias_maps= -o canonical_maps= -o sender_canonical_maps= -o recipient_canonical_maps= -o masquerade_domains= and cleanup unix n - n - 0 cleanup -o mime_header_checks= -o nested_header_checks= -o body_checks= -o header_checks= I don't really see this documented anywhere though. What I do see documented is adding: receive_override_options = no_address_mappings to the before-filter smtpd and receive_override_options = no_unknown_recipient_checks, no_header_body_checks to the after-filter smtpd. These two methods seem equivalent (are they?) and I think my use of a split cleanup is a holdover from the pre-2.1 days. Is the second way now the "proper" way to do this? -- -ste
Puzzled by installation message on obsolete files/directories
In connection with various other problems I shall probably need help with later, I thought I might re-install Postfix 2.8.3 from ports in FreeBSD 8.2. As part of the install I get the following messages: Note: the following files or directories still exist but are no longer part of Postfix: /etc/postfix/access /etc/postfix/aliases /etc/postfix/canonical /etc/postfix/generic /etc/postfix/header_checks /etc/postfix/postfix-files /etc/postfix/relocated /etc/postfix/transport /etc/postfix/virtual /etc/postfix/postfix-script /etc/postfix/post-install When I go to www.postfix.org I can find documentation on some of these files (I haven't checked them all but did check header_checks and transport) and there is no mention of these being obsolete! TIA Bernard Higonnet
canonical.db: Inappropriate file type or format
Hello, Here is the system: freebsd2.higonnet.net 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 I have just built postfix from source Nov 11 20:12:41 freebsd2 postfix/master[64285]: reload -- version 2.8.7, configuration /usr/local/etc/postfix Nov 11 20:13:08 freebsd2 postfix/qmgr[64852]: warning: problem talking to service rewrite: Operation timed out Nov 11 20:13:14 freebsd2 postfix/cleanup[64928]: fatal: open database /usr/local/etc/postfix/canonical.db: Inappropriate file type or format The main.cf file has been copied without change so far from a working version 2.7.1 running under FreeBSD 8.1 The canonical.db file has been produced by using postmap hash: using the same canonical file as the aforementioned working older version. postconf -m says hash is possible. As unusal I must be doing something dumb and simple; I only wish I knew what it is... TIA Bernard Higonnet PS I believe all the other db files are also bad
Re: canonical.db: Inappropriate file type or format
On 11/11/11 20:47, Noel Jones wrote: On 11/11/2011 1:30 PM, Bernard T. Higonnet wrote: Hello, Here is the system: freebsd2.higonnet.net 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 I have just built postfix from source Nov 11 20:12:41 freebsd2 postfix/master[64285]: reload -- version 2.8.7, configuration /usr/local/etc/postfix Nov 11 20:13:08 freebsd2 postfix/qmgr[64852]: warning: problem talking to service rewrite: Operation timed out Nov 11 20:13:14 freebsd2 postfix/cleanup[64928]: fatal: open database /usr/local/etc/postfix/canonical.db: Inappropriate file type or format The main.cf file has been copied without change so far from a working version 2.7.1 running under FreeBSD 8.1 When you copy postfix setup files, you must then run # postfix upgrade-configuration and # postfix set-permissions I had not done this, but since have When you copy indexed files between systems with different versions of the BDB library, you need to rebuild the files on the new system. Remove the existing unusable *.db files and postmap the input files to create new .db files. I had already re-created all the db files postmap hash:file All the databases are still bad... Thanks Bernard Higonnet
Re: canonical.db: Inappropriate file type or format - SOLVED
On 11/11/11 20:47, Noel Jones wrote: On 11/11/2011 1:30 PM, Bernard T. Higonnet wrote: Hello, Here is the system: freebsd2.higonnet.net 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 I have just built postfix from source Nov 11 20:12:41 freebsd2 postfix/master[64285]: reload -- version 2.8.7, configuration /usr/local/etc/postfix Nov 11 20:13:08 freebsd2 postfix/qmgr[64852]: warning: problem talking to service rewrite: Operation timed out Nov 11 20:13:14 freebsd2 postfix/cleanup[64928]: fatal: open database /usr/local/etc/postfix/canonical.db: Inappropriate file type or format The main.cf file has been copied without change so far from a working version 2.7.1 running under FreeBSD 8.1 When you copy postfix setup files, you must then run # postfix upgrade-configuration and # postfix set-permissions When you copy indexed files between systems with different versions of the BDB library, you need to rebuild the files on the new system. Remove the existing unusable *.db files and postmap the input files to create new .db files. -- Noel Jones I am actually replying to a later suggestion which I somehow managed to blow away. In that email it was suggested I see if there were other copies of postfix on the system. There was indeed an older postfix from ports (?) lying around. So I removed it, and did a complete re-install from source, all to no avail. So I looked some more. It turns out that on the 'new' system I'm building, there's something wrong with $path. So when I would execute postmap, it was using some old postmap and not finding the new postmap, even though the new correct postmap is in /usr/local/sbin where it's supposed to be (but that's another story...)?? When I generate the db files with the correct postmap, I can start Postfix fine. Thanks again Bernard Higonnet
Cannot force Postfix to require password
Hello, I would like to force all users sending mail to provide a name and password. As of this moment, if, in the mail client (Thunderbird anyway), I specify that the smtp server requires name and password it works fine (that is: name is requested and proper password required (duh)). But if in the Thunderbird description of the smtp server the user chooses not to supply name and password that works too! I sort of think (sic) that this is true because the client is on $mynetwork. If it were the case that only clients not on $mynetwork would have to provide name and password that would be OK but isn't what I seek. I have not yet had an opportunity to test from another network. I have tried to reduce $mynetwork to the server machine but that didn't work. I have tried smtpd_sasl_security_options = noanonymous but that did not seem to have any effect. I have started saslauthd like so: saslauthd -a rimap -O imap_server_machine I doubt it very pertinent but I am running 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 and Postfix 2.8.7 TIA Bernard Higonnet
Re: SSL Certificates
I use StartCOM (http://www.startcom.org/) for all my SSL certificate needs. I've had no problem with the certificates generated and signed through them working with Postfix installations. On 23.11.2012 20:46, The Doctor wrote: I was wondering who is the best CA Cert for Postfix? -- Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Merry Christmas 2012 and Happy New Year 2013
Re: smtpd optional authentication and relay
On 7/4/2013 8:01 PM, Wietse Venema wrote: > gw1500: >> It is not clear from the documentation if this is possible or how to do >> it but I want to make authentication optional but if a user does >> authenticate then I want to permit relaying. Can someone help? > This is how permit_sasl_authenticated works. > > http://www.postfix.org/SASL_README.html#server_sasl_authz > > Wietse > Thanks for the reply. I already have that much working. Where I am stuck is permitting relaying from authenticated users regardless of host while prohibiting everything else.
Re: smtpd optional authentication and relay
On 7/4/2013 8:36 PM, Wietse Venema wrote: > W T Riker: >> On 7/4/2013 8:01 PM, Wietse Venema wrote: >>> gw1500: >>>> It is not clear from the documentation if this is possible or how to do >>>> it but I want to make authentication optional but if a user does >>>> authenticate then I want to permit relaying. Can someone help? >>> This is how permit_sasl_authenticated works. >>> >>> http://www.postfix.org/SASL_README.html#server_sasl_authz >> Thanks for the reply. I already have that much working. Where I am stuck >> is permitting relaying from authenticated users regardless of host while >> prohibiting everything else. > I answered the question how "to make authentication optional". > > Perhaps someone else can figure out what you mean with "permitting > relaying from authenticated users while prohibiting everything else" > when only seconds ago you asked how "to make authentication optional". > > Wietse > Sorry that I was not clear. With this configuration, will any non-authenticated client still be able to deliver mail to a local recipient but not be permitted to relay email to non-local recipients?
Re: smtpd optional authentication and relay
On 7/5/2013 12:27 AM, b...@bitrate.net wrote: > On Jul 4, 2013, at 20.44, W T Riker wrote: > >> On 7/4/2013 8:36 PM, Wietse Venema wrote: >>> W T Riker: >>>> On 7/4/2013 8:01 PM, Wietse Venema wrote: >>>>> gw1500: >>>>>> It is not clear from the documentation if this is possible or how to do >>>>>> it but I want to make authentication optional but if a user does >>>>>> authenticate then I want to permit relaying. Can someone help? >>>>> This is how permit_sasl_authenticated works. >>>>> >>>>> http://www.postfix.org/SASL_README.html#server_sasl_authz >>>> Thanks for the reply. I already have that much working. Where I am stuck >>>> is permitting relaying from authenticated users regardless of host while >>>> prohibiting everything else. >>> I answered the question how "to make authentication optional". >>> >>> Perhaps someone else can figure out what you mean with "permitting >>> relaying from authenticated users while prohibiting everything else" >>> when only seconds ago you asked how "to make authentication optional". >>> >>> Wietse >>> >> Sorry that I was not clear. With this configuration, will any >> non-authenticated client still be able to deliver mail to a local >> recipient but not be permitted to relay email to non-local recipients? > i'd counsel against this. instead, set up a proper submission service [see > the commented out example in master.cf], and use separate streams for mx and > submission. presumably you're asking about providing "relay" service for > client [e.g. mua] software. clients should use submission [port 587], not > port 25. port 25 is for servers to talk to other servers. setting up > separate streams/services allows you to require encryption and authentication > for all connections [eg. "clients"] to the submission service, and allows you > to avoid offering it unnecessarily on port 25. > > -ben Indeed this is using port 587. I did not realize that that in itself was sufficient to prevent relaying from non-authenticated clients. Thanks.
Re: smtpd optional authentication and relay
On 7/4/2013 11:21 PM, Noel Jones wrote: > On 7/4/2013 7:44 PM, W T Riker wrote: >> On 7/4/2013 8:36 PM, Wietse Venema wrote: >>> W T Riker: >>>> On 7/4/2013 8:01 PM, Wietse Venema wrote: >>>>> gw1500: >>>>>> It is not clear from the documentation if this is possible or how to do >>>>>> it but I want to make authentication optional but if a user does >>>>>> authenticate then I want to permit relaying. Can someone help? >>>>> This is how permit_sasl_authenticated works. >>>>> >>>>> http://www.postfix.org/SASL_README.html#server_sasl_authz >>>> Thanks for the reply. I already have that much working. Where I am stuck >>>> is permitting relaying from authenticated users regardless of host while >>>> prohibiting everything else. >>> I answered the question how "to make authentication optional". >>> >>> Perhaps someone else can figure out what you mean with "permitting >>> relaying from authenticated users while prohibiting everything else" >>> when only seconds ago you asked how "to make authentication optional". >>> >>> Wietse >>> >> Sorry that I was not clear. With this configuration, will any >> non-authenticated client still be able to deliver mail to a local >> recipient but not be permitted to relay email to non-local recipients? >> > That's the usual way for it to work, but we don't really know what > you mean by "this configuration". For a definite answer, we would > need to see your "postconf -n" settings. > > > > -- Noel Jones Thanks. By "this configuration" I was referring to the section of the documentation referred to by Wietse.
Re: smtpd optional authentication and relay
On 7/5/2013 9:51 AM, Larry Stone wrote: > On Fri, 5 Jul 2013, W T Riker wrote: > >> Indeed this is using port 587. I did not realize that that in itself was >> sufficient to prevent relaying from non-authenticated clients. Thanks. > > It doesn't. If 587 is configured the same as 25, it will behave just > like port 25. There is nothing special about port 587 other than how > YOU configure it to be different. > > They key to understanding Postfix restrictions is they evaluate in > order and the first to return a result other than DUNNO is what wins. > A permit_ restrictions generally returns PERMIT or DUNNO. A > reject_ restriction generally returns REJECT or DUNNO. So if you > have permit_sasl_authernticated as the first test in a group of > restrictions (e.g. smtpd_recipient_restrictions), if the user is SASL > authenticated, it returns PERMIT and the mail is accepted and, if not > destined locally, relayed. All remaining tests in that group of > restrictions are then skipped. If the user is not SASL authenticated, > it returns DUNNO and goes on to the next restriction in that group. If > that next restriction is reject_unauth_destination (which in case it's > not clear to you is the restriction that prevents relaying), an > unauthenticated user will not be permitted to relay. > > So in short, a restriction group that permits authenticated users to > send anywhere and unauthenticated users to only send to domains for > which Postfix is configure to accept mail would be: > permit_sasl_authenticated, reject_unauth_destination. However, don't > just do what we suggest; make sure you understand it and that it is > doing what YOU want. > > -- Larry Stone >lston...@stonejongleux.com > Thanks for that explanation. I think I understand the way it works now so I modified my restrictions a bit. Does this order pass the sniff test? smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain
Re: smtpd optional authentication and relay
Thanks. I fixed it. On 7/5/2013 10:07 AM, Viktor Dukhovni wrote: > On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote: > >> Thanks for that explanation. I think I understand the way it works now >> so I modified my restrictions a bit. Does this order pass the sniff test? >> >> smtpd_recipient_restrictions = >> reject_non_fqdn_recipient, >> reject_non_fqdn_sender, >> reject_unlisted_recipient, >> permit_mynetworks, >> permit_sasl_authenticated, >> reject_unauth_destination, >> reject_invalid_helo_hostname, >> reject_unknown_sender_domain, > Fine up to here. > >> reject_unknown_recipient_domain > This is not a good idea in this context, you've already checked > the message is to one of your own domains. Unless you've specified > relay_domains (and you have relay_domains listed in > parent_domain_mathes_subdomains) or inherit relay_domains via its > default $mydestination, every domain you accept should be "known", > you just risk deferring mail due to transient DNS lookup errors. > > You should generally avoid having subdomain matching in relay_domains, > set parent_domain_matches_subdomains empty or perhaps just: > > parent_domain_matches_subdomains = smtpd_access_maps > > if your access tables rely on this to match a domain and all its > subdomains. > > The backwards compatible default is: > > parent_domain_matches_subdomains = > debug_peer_list, > fast_flush_domains, > mynetworks, > permit_mx_backup_networks, > qmqpd_authorized_clients, > relay_domains, > smtpd_access_maps >
Re: smtpd optional authentication and relay
On 7/5/2013 10:52 AM, Tom Hendrikx wrote: > On 07/05/2013 04:07 PM, Viktor Dukhovni wrote: >> On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote: >> >>> Thanks for that explanation. I think I understand the way it works now >>> so I modified my restrictions a bit. Does this order pass the sniff test? >>> >>> smtpd_recipient_restrictions = >>> reject_non_fqdn_recipient, >>> reject_non_fqdn_sender, >>> reject_unlisted_recipient, > I'd say that reject_unlisted_recipient will also reject mail to offsite > recipients, even when it is sent by an authenticated sender (since > permit_sasl_authenticated is specified later). > >>> permit_mynetworks, >>> permit_sasl_authenticated, >>> reject_unauth_destination, >>> reject_invalid_helo_hostname, >>> reject_unknown_sender_domain, >> Fine up to here. >> >>> reject_unknown_recipient_domain >> This is not a good idea in this context, you've already checked >> the message is to one of your own domains. Unless you've specified >> relay_domains (and you have relay_domains listed in >> parent_domain_mathes_subdomains) or inherit relay_domains via its >> default $mydestination, every domain you accept should be "known", >> you just risk deferring mail due to transient DNS lookup errors. >> >> You should generally avoid having subdomain matching in relay_domains, >> set parent_domain_matches_subdomains empty or perhaps just: >> >> parent_domain_matches_subdomains = smtpd_access_maps >> >> if your access tables rely on this to match a domain and all its >> subdomains. >> >> The backwards compatible default is: >> >> parent_domain_matches_subdomains = >> debug_peer_list, >> fast_flush_domains, >> mynetworks, >> permit_mx_backup_networks, >> qmqpd_authorized_clients, >> relay_domains, >> smtpd_access_maps >> > Good point. I fixed that too. Thanks.
Re: Domains without MX Records
Sounds like you're trying to send email to a host that is possibly greylisting. On 13.10.2013 00:10, Roman Gelfand wrote: sorry about this. I guess it has nothing to do with mx records. It is the remote server telling me their server is not able to accept mail. On Sun, Oct 13, 2013 at 12:04 AM, Roman Gelfand wrote: but I am geting the following message said: 451 Temporary local problem - please try later (in reply to RCPT TO command)) it is stuck forever in a queue until it fails. Is there a setting I need to set so it should be accepted.
After upgrading from 2.4.6 to 2.5.3..
I get the following in my log...: Aug 20 12:36:44 web postfix/smtpd[2774]: connect from pat.havleik.no[10.1.1.4] Aug 20 12:36:44 web postfix/smtpd[2774]: 88AC71FA25F: client=pat.havleik.no[10.1.1.4] Aug 20 12:36:44 web postfix/cleanup[2789]: 88AC71FA25F: message-id=<[EMAIL PROTECTED]> Aug 20 12:36:44 web postfix/qmgr[2195]: 88AC71FA25F: from=<[EMAIL PROTECTED]>, size=12652, nrcpt=1 (queue active) Aug 20 12:36:44 web postfix/smtpd[2774]: disconnect from pat.havleik.no[10.1.1.4] Aug 20 12:36:44 web postfix/pipe[2802]: 88AC71FA25F: to=<[EMAIL PROTECTED]>, relay=dovecot, delay=0.09, delays=0.07/0/0/0.02, dsn=5.4.6, status=bounced (mail forwarding loop for [EMAIL PROTECTED]) Aug 20 12:36:44 web postfix/cleanup[2787]: 9DCA71FA264: message-id=<[EMAIL PROTECTED]> Aug 20 12:36:44 web postfix/qmgr[2195]: 9DCA71FA264: from=<>, size=14394, nrcpt=1 (queue active) Aug 20 12:36:44 web postfix/bounce[2811]: 88AC71FA25F: sender non-delivery notification: 9DCA71FA264 Aug 20 12:36:44 web postfix/qmgr[2195]: 88AC71FA25F: removed Aug 20 12:37:14 web postfix/smtp[2753]: connect to mx2.aftenposten.no[80.91.34.67]:25: Connection timed out Aug 20 12:37:44 web postfix/smtp[2753]: connect to mx1.aftenposten.no[80.91.34.51]:25: Connection timed out Aug 20 12:37:44 web postfix/smtp[2753]: 9DCA71FA264: to=<[EMAIL PROTECTED]>, relay=none, delay=60, delays=0.03/0/60/0, dsn=4.4.1, status=deferred (connect to mx1.aftenposten.no[80.91.34.51]:25: Connection timed out) Outgoing port 25 is closes by my ISP, is there some new config I need to set? (didn't have this problem before I upgraded...) (this happends for just some of my mails and not for instanse for the postfix maillist...) Regards, BTJ -- --- Bjørn T Johansen [EMAIL PROTECTED] --- Someone wrote: "I understand that if you play a Windows CD backwards you hear strange Satanic messages" To which someone replied: "It's even worse than that; play it forwards and it installs Windows" ---
Re: After upgrading from 2.4.6 to 2.5.3..
On Wed, 20 Aug 2008 07:08:32 -0400 (EDT)
[EMAIL PROTECTED] (Wietse Venema) wrote:
> Bj?rn T Johansen:
> > Aug 20 12:36:44 web postfix/pipe[2802]: 88AC71FA25F: to=<[EMAIL
> > PROTECTED]>, relay=dovecot, delay=0.09,
> > delays=0.07/0/0/0.02, dsn=5.4.6, status=bounced (mail forwarding loop for
> > [EMAIL PROTECTED])
>
> You are sending mail with
>
> Delivered-To: [EMAIL PROTECTED]
>
> into the pipe daemon.
>
> See:
> The RELEASE_NOTES file
> man 8 pipe
>
> Wietse
Yes, in my master.cf file I have this..:
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
I can't use this anymore with version 2.5.x?
BTJ
Re: After upgrading from 2.4.6 to 2.5.3..
On Wed, 20 Aug 2008 14:16:22 -0400 (EDT)
[EMAIL PROTECTED] (Wietse Venema) wrote:
> Bj?rn T Johansen:
> > On Wed, 20 Aug 2008 07:08:32 -0400 (EDT)
> > [EMAIL PROTECTED] (Wietse Venema) wrote:
> >
> > > Bj?rn T Johansen:
> > > > Aug 20 12:36:44 web postfix/pipe[2802]: 88AC71FA25F: to=<[EMAIL
> > > > PROTECTED]>, relay=dovecot, delay=0.09,
> > > > delays=0.07/0/0/0.02, dsn=5.4.6, status=bounced (mail forwarding loop
> > > > for [EMAIL PROTECTED])
> > >
> > > You are sending mail with
> > >
> > > Delivered-To: [EMAIL PROTECTED]
> > >
> > > into the pipe daemon.
> > >
> > > See:
> > > The RELEASE_NOTES file
> > > man 8 pipe
> > >
> > > Wietse
> >
> > Yes, in my master.cf file I have this..:
> >
> > dovecot unix - n n - - pipe
> > flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d
> > ${recipient}
> >
> >
> > I can't use this anymore with version 2.5.x?
>
> Please read the documents that I referred you to.
>
> Wietse
Yes, I did but I am not sure what the solution is? I see that the D flag adds a
Delivered-To header and that
it checks the mail to see if it already has a Delivered-To header and the
message is returned as undeliverable if so,
as of version 2.5.x...
But is the solution to this to remove the D flag from the pipe transport? Or
should I increase
dovecot_destination_recipient_limit from 1 to 2?
Or?
Regards,
BTJ
Re: After upgrading from 2.4.6 to 2.5.3..
On Thu, 21 Aug 2008 07:08:33 -0400 (EDT)
[EMAIL PROTECTED] (Wietse Venema) wrote:
> Bj?rn T Johansen:
> > On Wed, 20 Aug 2008 14:16:22 -0400 (EDT)
> > [EMAIL PROTECTED] (Wietse Venema) wrote:
> >
> > > Bj?rn T Johansen:
> > > > On Wed, 20 Aug 2008 07:08:32 -0400 (EDT)
> > > > [EMAIL PROTECTED] (Wietse Venema) wrote:
> > > >
> > > > > Bj?rn T Johansen:
> > > > > > Aug 20 12:36:44 web postfix/pipe[2802]: 88AC71FA25F: to=<[EMAIL
> > > > > > PROTECTED]>, relay=dovecot, delay=0.09,
> > > > > > delays=0.07/0/0/0.02, dsn=5.4.6, status=bounced (mail forwarding
> > > > > > loop for [EMAIL PROTECTED])
> > > > >
> > > > > You are sending mail with
> > > > >
> > > > > Delivered-To: [EMAIL PROTECTED]
> > > > >
> > > > > into the pipe daemon.
> > > > >
> > > > > See:
> > > > > The RELEASE_NOTES file
> > > > > man 8 pipe
> > > > >
> > > > > Wietse
> > > >
> > > > Yes, in my master.cf file I have this..:
> > > >
> > > > dovecot unix - n n - - pipe
> > > > flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d
> > > > ${recipient}
> > > >
> > > >
> > > > I can't use this anymore with version 2.5.x?
> > >
> > > Please read the documents that I referred you to.
> > >
> > > Wietse
> >
> >
> > Yes, I did but I am not sure what the solution is? I see that the D flag
> > adds a Delivered-To header and that
> > it checks the mail to see if it already has a Delivered-To header and the
> > message is returned as undeliverable if
> > so, as of version 2.5.x...
> > But is the solution to this to remove the D flag from the pipe transport?
> > Or should I increase
> > dovecot_destination_recipient_limit from 1 to 2?
>
> Given this description:
>
> D Prepend a "Delivered-To: recipient" message header with
> the envelope recipient address. Note: for this to work,
> the transport_destination_recipient_limit must be 1 (see
> SINGLE-RECIPIENT DELIVERY above for details).
>
> The D flag also enforces loop detection (Postfix 2.5 and
> later): if a message already contains a Delivered-To:
> header with the same recipient address, then the message
> is returned as undeliverable. The address comparison is
> case insensitive.
>
> This feature is available as of Postfix 2.0.
>
> Which solution would you pick when mail is returned as undeliverable
> because a "mail forwarding loop" was detected?
>
> You will have to use your own brain cycles.
>
Well, I just thought that the D flag was included for a reason and that
removing the flag maybe would break something
else...
Instead of wasting time to write such long answer maybe a simple yes or no
would be sufficient...
Isn't that the idea with a mailinglist, getting help and verify solutions or am
I misunderstanding something??
BTJ
Re: After upgrading from 2.4.6 to 2.5.3..
On Thu, 21 Aug 2008 09:17:43 -0400 (EDT) [EMAIL PROTECTED] (Wietse Venema) wrote: > Bj?rn T Johansen: > > > > > Please read the documents that I referred you to. > > > > > > > > Yes, I did but I am not sure what the solution is? I see that the D > > > > flag adds a Delivered-To header and that > > > > it checks the mail to see if it already has a Delivered-To header and > > > > the message is returned as undeliverable > > > > if so, as of version 2.5.x... > > > > But is the solution to this to remove the D flag from the pipe > > > > transport? Or should I increase > > > > dovecot_destination_recipient_limit from 1 to 2? > > > > > > Given this description: > > > > > > D Prepend a "Delivered-To: recipient" message header > > > with > > > the envelope recipient address. Note: for this to > > > work, > > > the transport_destination_recipient_limit must be 1 > > > (see > > > SINGLE-RECIPIENT DELIVERY above for details). > > > > > > The D flag also enforces loop detection (Postfix 2.5 > > > and > > > later): if a message already contains a > > > Delivered-To: > > > header with the same recipient address, then the > > > message > > > is returned as undeliverable. The address > > > comparison is > > > case insensitive. > > > > > > This feature is available as of Postfix 2.0. > > > > > > Which solution would you pick when mail is returned as undeliverable > > > because a "mail forwarding loop" was detected? > > > > > > You will have to use your own brain cycles. > > > > > > > Well, I just thought that the D flag was included for a reason > > and that removing the flag maybe would break something else... > > > Instead of wasting time to write such long answer maybe a simple > > yes or no would be sufficient... Isn't that the idea with a > > mailinglist, getting help and verify solutions or am I misunderstanding > > something?? > > No, the purpose is to help you choose the best solution. It's your > system. You decide what is best. > > - One possibility is to stop using the D flag and thereby disable > loop detection in the pipe mailer (which didn't work before > Postfix 2.5). > > However it is possible that you have other mail software that > depends on the presence of this header. Only you can make that > determination, not this mailing list. > > - Another possibility is to keep loop detection, and to fix the > system that falsely prepends the Delivered-To: header BEFORE mail > is given to Postfix. > > Wietse That's the answer I was looking for, thx! :) BTJ
Re: will this break DMARC?
The DMARC record itself looks fine and valid; however, the issue is going to be whether your SPF and DKIM records alignment. I suspect the issue will be in the alignment and the OP didn't provide those details to be able to evaluate. On Thu, Aug 12, 2021 at 11:47 PM Benny Pedersen wrote: > On 2021-08-13 04:44, Ken N wrote: > > I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail. > > > > This is DMARC setting of mail.ru: > > > > _dmarc.mail.ru. 164 IN TXT > > "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai"; > > "lto:dmarc_...@corp.mail.ru" > > > > (please notice p=reject setting) > > https://dmarcian.com/dmarc-inspector/?domain=mail.ru > > its valid > > but it could join the splitted txt record without breaking line with > space > > so remove " " wont hurd here, it makes it more readable in dns terms, > but its still valid > > > When gmail receive the forwarded email from pobox, will it break DMARC? > > example ? > > > since the message header showing sender is x...@mail.ru, but the SMTP > > talking IP is pobox's IP address. > > forwards change spf envelope sender, but it should not break dmarc > > > Thank you. >
Looking for pointers to assist me
I've had my Postfix mail server running for several years now using Postfixadmin to manage the database tables holding my virtual mailbox information for domains I'm hosting mail from. It's become time to move this mail server so I'm having to rebuild it and I'm wanting to put the mailboxes behind a firewall but have an SMTP relay host that will accept the mail and forward it in. Obviously I don't want to just blindly accept all email for the domains and relay it into the internal host which would then have to deal with sending back scatter for invalid addresses. My current configuration handled the configuration using virtual_mailbox_maps, virtual_alias_maps and virtual_mailbox_domains settings that were pointed to the configuration files that generated the appropriate queries for the database. Obviously I'll be reusing this for my internal postfix server behind the firewall which will be receiving the emails but I'm trying to determine how to modify for my relay to be able to validate the email before relaying it into the internal host. smime.p7s Description: S/MIME Cryptographic Signature
Re: Looking for pointers to assist me
On 8/23/2015 12:33 PM, Robert Schetterer wrote: > Am 23.08.2015 um 18:15 schrieb Jeremy T. Bouse: >> I've had my Postfix mail server running for several years now using >> Postfixadmin to manage the database tables holding my virtual mailbox >> information for domains I'm hosting mail from. It's become time to move >> this mail server so I'm having to rebuild it and I'm wanting to put the >> mailboxes behind a firewall but have an SMTP relay host that will accept >> the mail and forward it in. Obviously I don't want to just blindly >> accept all email for the domains and relay it into the internal host >> which would then have to deal with sending back scatter for invalid >> addresses. >> >> My current configuration handled the configuration using >> virtual_mailbox_maps, virtual_alias_maps and virtual_mailbox_domains >> settings that were pointed to the configuration files that generated the >> appropriate queries for the database. Obviously I'll be reusing this for >> my internal postfix server behind the firewall which will be receiving >> the emails but I'm trying to determine how to modify for my relay to be >> able to validate the email before relaying it into the internal host. >> > depends on your network/firewall setup you may simply use sql as before > , another option use smtp verify, or create > static tables at/from sql change time with secure copy etc Both Postfix servers are able to reach the database that holds the mail account data. Is there a simple elegant solution that can reuse the database content but under a different mapping to allow it to be accepted and forwarded along to the internal mail server? Last time I did something like this it was with Sendmail using LDAP for smart host routing of mailboxes. smime.p7s Description: S/MIME Cryptographic Signature
Re: Complaints due to helo restrictions
On 9/13/2016 1:16 PM, Nikolaos Milas wrote: > Hello, > > We are running postfix v2.11.0 on CentOS 6.8 as a gateway server and > we have recently imposed helo restrictions. > > Few servers have problems sending us mail due to the helo restrictions: > > Sep 8 09:35:37 mailgw1 postfix/smtpd[18791]: NOQUEUE: reject: RCPT > from mail.ipta.demokritos.gr[143.233.230.2]: 450 4.7.1 > : Helo command rejected: Host not found; > from= to= proto=ESMTP > helo= > > We have notified them that their helo answer is different than their > mail server name / FQDN (so as to change it) and they say that we > should not be restricting access due to this: > > "The HELO receiver MAY verify that the HELO parameter really > corresponds to the IP address of the sender. However, the receiver > MUST NOT refuse to accept a message, even if the sender's HELO command > fails verification. http://www.ietf.org/rfc/rfc1123.txt (section 5.2.5)" > > From your experience and knowledge: > > 1. How should we treat this issue? > > 2. How should we respond to the complaints? > For myself this comes down to a question of how important is mail with this domain that can't properly configure their mail server to send a proper FQDN HELO as well as how much spam does rejecting based off invalid HELO hostnames. For myself looking at my logwatch reports for this month I reject about 15-33% of the messages for either HELO/EHLO, unknown user, recipient address, sender address or RBL each day. The HELO/EHLO rejection rate is between 1-13% of the total rejections and varies quite a bit from day to day. By far though most of my rejects come from RBLs. I also run messages through Amavis for content filtering before accepting into the queue at all and that tends to reject anywhere frmo 45-55% of the messages daily as well. > 3. If we are supposed to remove these restrictions, which settings > should we remove from our config to resolve the problem? Should we > remove all of: reject_unknown_helo_hostname, > reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname ? > I only have the following for my smtpd_*_restrictions: smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:private/policyd-spf, permit smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_mx_access cidr:/etc/postfix/drop.cidr, check_sender_ns_access cidr:/etc/postfix/drop.cidr, check_sender_mx_access cidr:/etc/postfix/bogon_networks.cidr, check_sender_access pcre:/etc/postfix/sender_access, reject_rhsbl_sender dsn.rfc-ignorant.org, permit_sasl_authenticated, permit_mynetworks, permit > > Thanks in advance, > Nick > > smime.p7s Description: S/MIME Cryptographic Signature
Building and testing a parallel replacement server
I want to build and test (at least a little) a new server to replace an existing, production one. The old one is on machine xxx.xxx.xxx.A running FreeBSD10/Postfix 3.0.2 and the new one on xxx.xxx.xxx.B running FreeBSD11/Postfix 3.1.3. I would much appreciate advice on how best to define the variables related to host name, domain name, etc. to that 1) I can send mail out from xxx.xxx.xxx.B (mostly to xxx.xxx.xxx.A but hopefully elsewhere if possible) AND 2) receive mail at xxx.xxx.xxx.B 3) not change anything on xxx.xxx.xxx.A Both of these machines are virtual machines housed at some data center somewhere. When I am reasonably satisfied xxx.xxx.xxx.B is working, I will copy all the (IMAP) emails on xxx.xxx.xxx.A to xxx.xxx.xxx.B, give it the host name etc. of xxx.xxx.xxx.A, and change my DNS to point to xxx.xxx.xxx.B. TIA Bernard Higonnet
Postfix seems to deliver mail and then remove it
System FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE #0 Postfix version 2.9.1 After screwing up a working postfix server (by erasing main.cf and various tables and then restoring out-of-date backups...) I find that incoming mail is seemingly "(delivered to maildir)" and then removed from same! Here is a log snippet to illustrate what I mean: Dec 9 07:11:23 freebsd postfix/qmgr[20416]: 62015C382F: from=, size=1888, nrcpt=2 (queue active) Dec 9 07:11:23 freebsd postfix/local[20502]: 62015C382F: to=, relay=local, delay=0.17, delays=0.15/0.02/0/0, dsn=2.0.0, status=sent (delivered to maildir) Dec 9 07:11:23 freebsd postfix/local[20502]: 62015C382F: to=, relay=local, delay=0.17, delays=0.15/0.02/0/0, dsn=2.0.0, status=sent (delivered to maildir) Dec 9 07:11:23 freebsd postfix/qmgr[20416]: 62015C382F: removed The intended recipient is b...@higonnet.net in the 2nd line. The 3rd line is a copy sent to a journal in which I place all copies of all incoming mail The mail never shows up in b...@higonnet.net's Maildir, presumably as a result of the action logged in the 4th line "removed" The copy placed in the journal's Maildir behaves as expected: it's there. Apart from the fact I have only the vaguest ideas about postfix queues (mails entering and re-entering different queues etc.), I find it astonishing that postfix would ever go to maildir and remove something it put there! Looking at it more closely, the 4th line probably is trying to tell me that the mail is no longer in the active queue and indicates postfix has finished with this mail. It occurs to me that mail ostensibly delivered to b...@higonnet.net in the 2nd line is probably going somewhere else than the right place? I hope this makes some sense to someone who can explain why I'm making postfix behave this way. TIA Bernard Higonnet
PostgreSQL+Postfix inquiry
I'm going ahead and asking here as I've been searching and haven't found any information... I've been using PostgreSQL, and MySQL in the past, to hold virtual user information for my Postfix server. The only thing that has bothered me is every *sql_*.cf file I had to setup had to have the username, password and host to use for the DB connection. Am I completely missing it or is there a way to set that information in one location for all the database queries to utilize? smime.p7s Description: S/MIME Cryptographic Signature
Re: PostgreSQL+Postfix inquiry
On 1/26/2017 2:15 AM, Patrick Ben Koetter wrote: > * Jeremy T. Bouse : >> I'm going ahead and asking here as I've been searching and haven't >> found any information... >> >> I've been using PostgreSQL, and MySQL in the past, to hold virtual user >> information for my Postfix server. The only thing that has bothered me >> is every *sql_*.cf file I had to setup had to have the username, >> password and host to use for the DB connection. Am I completely missing >> it or is there a way to set that information in one location for all the >> database queries to utilize? > ATM this is as good as it gets. > > Postfix has no means to e.g. include files in a configuration e.g. like this: > > include = /etc/postfix/dbsettings.cf > > You *could* put all query settings in main.cf, *but* main.cf must remain world > readable. This effectively exposes the db connection settings (and all other > secrets) to any user, who has access to the machine. > > I guess you don't want that. > > If you use configuration management you can have it create the query files. > But setting one up only to get around the redundant work is in no relation to > the few minutes you spend to write the user/pass etc. a few times. > > p@rick I'd prefer not to put them in main.cf and have it world readable; however this is an exercise in part as I'm working to rebuild my existing VPS MX host into a Docker container which technically won't have anyone else logging into it but for security sake better safe than sorry. It looks like I'm going to have to go through creating the file(s) one way or another, I'm looking at doing it by passing in environment variables (whether they are merely the name of a Docker secrets in-memory file to read from or the actual values) and have the entrypoint do the necessary steps. If we still have to put the information in the db .cf files, do those files at least accept variable expansion? If so, could I simply define those as user-defined variables in the main.cf which the db .cf files use without having to modify multiple files on startup? smime.p7s Description: S/MIME Cryptographic Signature
Re: PostgreSQL+Postfix inquiry
On 1/26/2017 3:58 AM, Christoph Moench-Tegeder wrote: > ## Jeremy T. Bouse (jeremy.bo...@undergrid.net): > >> I've been using PostgreSQL, and MySQL in the past, to hold virtual user >> information for my Postfix server. The only thing that has bothered me >> is every *sql_*.cf file I had to setup had to have the username, >> password and host to use for the DB connection. Am I completely missing >> it or is there a way to set that information in one location for all the >> database queries to utilize? > Unfortunately, you cannot unleash the power of the PostgreSQL client > library with Postfix as of now. I'm wondering how far backwards-compatible > Postfix wants to be with regards to libpq (the PostgreSQL client > library) - looking at the code alone, there's just a small change > to have PostgreSQL user and password default to NULL instead of the > empty string "", and that would allow to use full connection info > strings in place of the database name. That would unlock the "service > file" and the "password file" features: > > https://www.postgresql.org/docs/current/static/libpq-pgservice.html > https://www.postgresql.org/docs/current/static/libpq-connect.html > https://www.postgresql.org/docs/current/static/libpq-pgpass.html > > I need to test that. > > Regards, > Christoph This would seem like a much cleaner and secure means by which to do it and provide additional configuration options in the process but I'd be curious how it might be affected when using proxy:pgsql:* as well as simply pgsql:* mappings. smime.p7s Description: S/MIME Cryptographic Signature
Re: PostgreSQL+Postfix inquiry
On 1/27/2017 7:03 AM, Wietse Venema wrote: > Jeremy T. Bouse: >>> https://www.postgresql.org/docs/current/static/libpq-pgservice.html >>> https://www.postgresql.org/docs/current/static/libpq-connect.html >>> https://www.postgresql.org/docs/current/static/libpq-pgpass.html >>> >>> I need to test that. >>> >>> Regards, >>> Christoph >> This would seem like a much cleaner and secure means by which to do >> it and provide additional configuration options in the process but I'd >> be curious how it might be affected when using proxy:pgsql:* as well as >> simply pgsql:* mappings. > You could set PGPASSFILE via main.cf:export_environment, and set > permissions (group read for 'postfix'). > > But, there is no need for passwords in main.cf; If you configure > the table as pgsql:/path/to/file, you can reduce access permission > for that file. > > Wietse Wietse, Are you saying that Postfix will already honor a pgpass file if we export the filename as PGPASSFILE and specify that using 'postconf -e export_environment = PGPASSFILE=/path/to/pgpass' ? What I already have in my existing configuration are a series of pgsql_*.cf files that follow the syntax like the following for my virtual alias maps: user = password = dbhost = table = alias select_field = goto where_field = address additional_conditions = AND active = true If I could simply create a pgpass file and set PGPASSFILE to point to it that contains: :5432:*:: Then leave out the user and password from the .cf files that would be precisely the solution I was looking for. Now you mentioned configuring the table as pgsql:/path/to/file would that also work if using proxy:pgsql:/path/to/file smime.p7s Description: S/MIME Cryptographic Signature
Re: PostgreSQL+Postfix inquiry
On 1/27/2017 7:03 AM, Wietse Venema wrote: > Jeremy T. Bouse: >>> https://www.postgresql.org/docs/current/static/libpq-pgservice.html >>> https://www.postgresql.org/docs/current/static/libpq-connect.html >>> https://www.postgresql.org/docs/current/static/libpq-pgpass.html >>> >>> I need to test that. >>> >>> Regards, >>> Christoph >> This would seem like a much cleaner and secure means by which to do >> it and provide additional configuration options in the process but I'd >> be curious how it might be affected when using proxy:pgsql:* as well as >> simply pgsql:* mappings. > You could set PGPASSFILE via main.cf:export_environment, and set > permissions (group read for 'postfix'). > > But, there is no need for passwords in main.cf; If you configure > the table as pgsql:/path/to/file, you can reduce access permission > for that file. > > Wietse I downloaded the source code and poked around a little and doing a little testing on my current system... I tried to set up a PGPASSFILE that I 'chmod 0600' and 'chown postfix' then added the export_environment setting to my main.cf pointing to it. When I commented out the 'user' and 'password' sections in my pgsql .cf files and attempted to test using 'postmap -q' I was getting the error: postmap: warning: connect to pgsql server psqldb.undergrid.net: fe_sendauth: no password supplied? postmap: fatal: table pgsql:/etc/postfix/pgsql/virtual_domains.cf: query error: Success When I poked around the /proc filesystem I noticed that only the spawn'd policyd-spf process had the PGPASSFILE value set in the environ file under /proc/ and looking through the source code that seems to be confirmed as I could only find the VAR_EXPORT_ENVIRON being used in global/mail_stream.c, local/command.c, pipe/pipe.c and spawn/spawn.c which doesn't seem to include the processes that would actually be doing the lookups for the virtual_* config settings. smime.p7s Description: S/MIME Cryptographic Signature
Re: PostgreSQL+Postfix inquiry
On 1/27/2017 11:41 PM, Viktor Dukhovni wrote: >> On Jan 27, 2017, at 6:37 PM, Jeremy T. Bouse >> wrote: >> >> I tried to set up a PGPASSFILE >> that I 'chmod 0600' and 'chown postfix' then added the >> export_environment setting to my main.cf pointing to it. > The correct setting is "import_environment" not "export_environment". Thanks Viktor... I'd only tried export_environment as Wietse had mentioned it earlier and I wasn't aware of import_environment. I do see that it is used on the internal process (master/master.c, postdrop/postdrop.c, postfix/postfix.c, postmulti/postmulti.c, postqueue/postqueue.c and global/mail_params.c) so that does look more promising. I'll give it a shot later this evening after I get back from my best friends memorial service this afternoon. smime.p7s Description: S/MIME Cryptographic Signature
Re: PostgreSQL+Postfix inquiry
On 1/28/2017 12:16 PM, Wietse Venema wrote: > Sorry about that, I should have written 'import_environment'. That > setting controls what Postfix uses internally, including in its > pgsql client. > > Wietse Okay so am I doing something wrong here... I've got the following in my main.cf: import_environment = PGPASSFILE=/etc/postfix/pgsql/.pgpass virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_alias.cf, proxy:pgsql:/etc/postfix/pgsql/virtual_alias_domainaliases.cf virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox.cf, proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_domainaliases.cf virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual_domains.cf With the /etc/postfix/pgsql/*.cf files all following the format: user = DB_USER password = DB_PASSWD hosts = psqldb.undergrid.net dbname = postfixadmin query = Everything is working fine... So with the PGPASSFILE set in import_environment and I've confirmed through procfs that it is in the environ file for the postfix processes I comment out the 'user' and 'password' lines in each of the .cf files and restart postfix. I then tried to run 'sendmail -bv jbo...@undergrid.net' and I get the following: Jan 28 22:25:53 mail02 postfix/pickup[20576]: 99FFD5FB82: uid=0 from= Jan 28 22:25:53 mail02 postfix/cleanup[20633]: 99FFD5FB82: message-id=<20170128222553.99ffd5f...@smtp.undergrid.net> Jan 28 22:25:53 mail02 postfix/qmgr[20577]: 99FFD5FB82: from=, size=291, nrcpt=1 (queue active) Jan 28 22:25:53 mail02 postfix/proxymap[20634]: warning: connect to pgsql server psqldb.undergrid.net: fe_sendauth: no password supplied? Jan 28 22:25:53 mail02 postfix/trivial-rewrite[20635]: warning: proxy:pgsql:/etc/postfix/pgsql/virtual_alias.cf: table lookup problem Jan 28 22:25:53 mail02 postfix/trivial-rewrite[20635]: warning: virtual_alias_domains lookup failure Jan 28 22:25:53 mail02 postfix/error[20636]: 99FFD5FB82: to=, relay=none, delay=0.22, delays=0.02/0.2/0/0.01, dsn=4.3.0, status=undeliverable (address resolver failure) Jan 28 22:25:53 mail02 postfix/cleanup[20633]: warning: proxy:pgsql:/etc/postfix/pgsql/virtual_alias.cf lookup error for "r...@undergrid.net" Jan 28 22:25:53 mail02 postfix/cleanup[20633]: warning: CDBC05FC95: virtual_alias_maps map lookup problem for r...@undergrid.net -- message not accepted, try again later Jan 28 22:25:53 mail02 postfix/qmgr[20577]: 99FFD5FB82: status=deferred (trace failed) My /etc/postfix/psql/.pgpass file has "psqldb.undergrid.net:5432:postfixadmin:DB_USER:DB_PASSWD" and it's chmod 0600 and chown postfix:root. I know the .pgpass file itself is valid as if I set the PGPASSFILE environment variable on my shell and run 'psql -h psqldb.undergrid.net -U DB_USER postfixadmin' I am able to log into the database and query it when ran from a user that doesn't otherwise have access to the database. Am I missing something? smime.p7s Description: S/MIME Cryptographic Signature
Re: PostgreSQL+Postfix inquiry
On 1/28/2017 6:10 PM, Wietse Venema wrote: > Jeremy T. Bouse: > [ Charset windows-1252 converted... ] >> On 1/28/2017 12:16 PM, Wietse Venema wrote: >>> Sorry about that, I should have written 'import_environment'. That >>> setting controls what Postfix uses internally, including in its >>> pgsql client. >>> >>> Wietse >> Okay so am I doing something wrong here... I've got the following in >> my main.cf: >> >> import_environment = PGPASSFILE=/etc/postfix/pgsql/.pgpass >> virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_alias.cf, >> proxy:pgsql:/etc/postfix/pgsql/virtual_alias_domainaliases.cf >> virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox.cf, >> proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_domainaliases.cf >> virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual_domains.cf >> >> With the /etc/postfix/pgsql/*.cf files all following the format: >> >> user = DB_USER >> password = DB_PASSWD >> hosts = psqldb.undergrid.net >> dbname = postfixadmin >> query = > You can set the access permissions ON /etc/postfix/pgsql/virtual_alias.cf, > /etc/postfix/pgsql/virtual_alias_domainaliases.cf, etc. There is > no need for those to be world-readable. > > Wietse root@mail02:/etc/postfix# ls -ld /etc/postfix/pgsql drwxr-xr-x 2 postfix root 4096 Jan 28 23:08 /etc/postfix/pgsql root@mail02:/etc/postfix# ls -la /etc/postfix/pgsql total 36 drwxr-xr-x 2 postfix root 4096 Jan 28 23:08 . drwxr-xr-x 4 rootroot 4096 Jan 28 16:26 .. -rw--- 1 postfix root 65 Jan 28 22:39 .pgpass -rw--- 1 postfix root 199 Jan 28 22:27 relay_domains.cf -rw--- 1 postfix root 245 Jan 28 23:08 virtual_alias.cf -rw--- 1 postfix root 274 Jan 28 22:27 virtual_alias_domainaliases.cf -rw--- 1 postfix root 200 Jan 28 22:27 virtual_domains.cf -rw--- 1 postfix root 254 Jan 28 22:56 virtual_mailbox.cf -rw--- 1 postfix root 286 Jan 28 22:27 virtual_mailbox_domainaliases.cf The permissions and ownership shouldn't be an issue... postfix owns them and has read-write access to everything. As I said with the `user` and `password` config keywords in the .cf files everything works. It only fails when I try to comment them out and have Postfix use the .pgpass file. smime.p7s Description: S/MIME Cryptographic Signature
Re: PostgreSQL+Postfix inquiry
On 1/29/2017 6:41 AM, Christoph Moench-Tegeder wrote: > ## Jeremy T. Bouse (jeremy.bo...@undergrid.net): > >> Everything is working fine... So with the PGPASSFILE set in >> import_environment and I've confirmed through procfs that it is in the >> environ file for the postfix processes I comment out the 'user' and >> 'password' lines in each of the .cf files and restart postfix. > There's your mistake: you need to specify the user in that cf file. > https://www.postgresql.org/docs/current/static/libpq-pgpass.html > libpq selects the password matching the host/port/db/user tuple - > not the user/password tuple matching host/port/db. > > Regards, > Christoph Christoph, Thanks that was the missing piece I guess... I also found when testing with 'postmap -q' I had to include the PGPASSFILE environment variable as it wasn't being read from main.cf apparently. Just commenting out the password and leaving user in the .cf files it is now working fine. smime.p7s Description: S/MIME Cryptographic Signature
Re: PostgreSQL+Postfix inquiry
On 1/30/2017 10:27 AM, Wietse Venema wrote: > Viktor Dukhovni: >>> On Jan 30, 2017, at 8:57 AM, Jeremy T. Bouse >>> wrote: >>> >>> I also found when >>> testing with 'postmap -q' I had to include the PGPASSFILE environment >>> variable as it wasn't being read from main.cf apparently. >> The "import_environment" setting is used to sanitize the environment >> in master(8) and setgid programs by removing all variables not listed, >> and overriding all variables with explicit assignments. This is not >> appropriate for tools as postmap(1). > There is no need to store the password in a separate file. Just > set those restricted permissions on the postfix-mysql cf files,, > and postmap will pick up the password from there. In this particular use case that I'm working to setup, having the password stored in a single file referenced by an environment variable is a major improvement and simplification. I'm attempting to containerize my entire incoming mail relay system and don't want to store the password within the image and having to re-generate multiple files successfully upon start up is risking complications. I've got a Postfix container to build which will reference an Amavis container via container link as well as a PostgreSQL container by container link also. With the container links the hostnames are known so they can be embedded in the necessary config files. I was intending to pass the password into the container via Docker secrets so it needs to be read via an in-memory only FD and I can actually pass that in PGPASS file format and then just reference the location of that in-memory FD as PGPASSFILE to Postfix at startup using postconf which is a much simpler approach than having to re-generate all the .cf files. > That said, postmap and other programs already depend on main.cf > settings, so respecting import_environment might actually help to > make program behavior more consistent. What do you think? > > Wietse It would make a lot of sense if all the postfix utilities had access to the same. I had ran postmap without passing the PGPASSFILE environment on my command call because I had assumed that was the case. Consistency would help with validation of the configuration. smime.p7s Description: S/MIME Cryptographic Signature
Re: MTA Deferring e-mail
Hi Wietse, >> Oct 1 14:31:37 www postfix/qmgr[15204]: warning: connect to transport >> private/lsmtp: No such file or directory > > Fix that. I am not sure where it expects `private/lsmtp` to be located though. -Jason
Re: MTA Deferring e-mail
I noticed that, a typo from earlier. But now it seems I cannot send, nor receive e-mail: Oct 1 16:12:05 www zmmailboxdmgr[25272]: status OK Oct 1 16:12:20 www postfix/smtpd[25394]: connect from mail[192.168.1.27] Oct 1 16:12:20 www postfix/smtpd[25394]: A6EDD1A8043C: client=mail[192.168.1.27] Oct 1 16:12:20 www postfix/cleanup[25398]: A6EDD1A8043C: message-id=<1344622638.2.1349133140334.javamail.r...@ouremail.us> Oct 1 16:12:20 www postfix/qmgr[24672]: A6EDD1A8043C: from=, size=600, nrcpt=2 (queue active) Oct 1 16:12:20 www postfix/smtpd[25394]: disconnect from mail[192.168.1.27] Oct 1 16:12:20 www amavis[20527]: (20527-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20121001T161220-20527: -> , SIZE=600 Received: from thedigiologygroup.org ([127.0.0.1]) by localhost (thedigiologygroup.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Mon, 1 Oct 2012 16:12:20 -0700 (PDT) Oct 1 16:12:20 www amavis[20527]: (20527-01) Checking: Fhh+FWfhscEU MYNETS [192.168.1.27] -> , Oct 1 16:12:21 www postfix/smtpd[25403]: connect from localhost.localdomain[127.0.0.1] Oct 1 16:12:21 www postfix/smtpd[25403]: 2A6051A80445: client=localhost.localdomain[127.0.0.1] Oct 1 16:12:21 www postfix/cleanup[25398]: 2A6051A80445: message-id=<1344622638.2.1349133140334.javamail.r...@ouremail.us> Oct 1 16:12:21 www postfix/qmgr[24672]: 2A6051A80445: from=, size=1048, nrcpt=1 (queue active) Oct 1 16:12:21 www amavis[20527]: (20527-01) FWD via SMTP: -> ,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2A6051A80445 Oct 1 16:12:21 www postfix/smtpd[25403]: 4972C1A80447: client=localhost.localdomain[127.0.0.1] Oct 1 16:12:21 www postfix/cleanup[25398]: 4972C1A80447: message-id=<1344622638.2.1349133140334.javamail.r...@ouremail.us> Oct 1 16:12:21 www postfix/qmgr[24672]: 4972C1A80447: from=, size=1249, nrcpt=1 (queue active) Oct 1 16:12:21 www amavis[20527]: (20527-01) FWD via SMTP: -> ,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4972C1A80447 Oct 1 16:12:21 www amavis[20527]: (20527-01) Passed CLEAN, MYNETS LOCAL [192.168.1.27] [192.168.1.27] -> ,, Message-ID: <1344622638.2.1349133140334.javamail.r...@ouremail.us>, mail_id: Fhh+FWfhscEU, Hits: -1.106, size: 600, queued_as: 2A6051A80445/4972C1A80447, 571 ms Oct 1 16:12:21 www postfix/smtp[25400]: A6EDD1A8043C: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.71, delays=0.13/0.01/0.01/0.57, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2A6051A80445) Oct 1 16:12:21 www postfix/smtp[25400]: A6EDD1A8043C: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.71, delays=0.13/0.01/0.01/0.57, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2A6051A80445) Oct 1 16:12:21 www postfix/qmgr[24672]: A6EDD1A8043C: removed Oct 1 16:12:21 www amavis[20527]: (20527-01) extra modules loaded: /opt/zimbra/zimbramon/lib/x86_64-linux-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/zimbramon/lib/x86_64-linux-thread-multi/auto/Net/SSLeay/randomize.al, /usr/lib64/perl5/vendor_perl/auto/Net/LibIDN/autosplit.ix, IO/Socket/SSL.pm, Net/LDAP/Extension.pm, Net/LibIDN.pm, Net/SSLeay.pm Oct 1 16:12:21 www postfix/lmtp[25404]: 4972C1A80447: to=, relay=thedigiologygroup.org[192.168.1.27]:7025, delay=0.29, delays=0.07/0.01/0/0.2, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK) Oct 1 16:12:21 www postfix/qmgr[24672]: 4972C1A80447: removed Oct 1 16:12:29 www zmmailboxdmgr[25495]: status requested Oct 1 16:12:29 www zmmailboxdmgr[25495]: status OK Oct 1 16:12:30 www zmmailboxdmgr[25504]: status requested Oct 1 16:12:30 www zmmailboxdmgr[25504]: status OK Oct 1 16:12:51 www postfix/smtp[24675]: connect to gmail.com[74.125.224.149]:25: Connection timed out Oct 1 16:13:12 www postfix/smtpd[23012]: timeout after END-OF-MESSAGE from localhost.localdomain[127.0.0.1] Oct 1 16:13:12 www postfix/smtpd[23012]: disconnect from localhost.localdomain[127.0.0.1] Oct 1 16:13:21 www postfix/smtp[24675]: connect to gmail.com[74.125.224.150]:25: Connection timed out Oct 1 16:13:21 www postfix/smtp[24675]: 2A6051A80445: to=, relay=none, delay=60, delays=0.12/0.01/60/0, dsn=4.4.1, status=deferred (connect to gmail.com[74.125.224.150]:25: Connection timed out)
Re: MTA Deferring e-mail
So it looks like incoming e-mail might be working now, outgoing not so much. Oct 1 16:33:32 www clamd[20590]: SelfCheck: Database status OK. Oct 1 16:33:33 www postfix/smtpd[32650]: connect from localhost.localdomain[127.0.0.1] Oct 1 16:33:33 www postfix/smtpd[32650]: 64D131A8045E: client=localhost.localdomain[127.0.0.1] Oct 1 16:33:33 www postfix/cleanup[3358]: 64D131A8045E: message-id=<1989555850.5.1349134412351.javamail.r...@ouremail.us> Oct 1 16:33:33 www postfix/qmgr[24672]: 64D131A8045E: from=, size=1399, nrcpt=1 (queue active) Oct 1 16:33:33 www amavis[20533]: (20533-01) FWD via SMTP: -> ,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 64D131A8045E Oct 1 16:33:33 www amavis[20533]: (20533-01) Passed CLEAN, MYNETS LOCAL [192.168.1.27] [192.168.1.27] -> , Message-ID: <1989555850.5.1349134412351.javamail.r...@ouremail.us>, mail_id: dVByAWcL3Dcp, Hits: -1.106, size: 920, queued_as: 64D131A8045E, 836 ms Oct 1 16:33:33 www postfix/smtp[3359]: 8F3BF1A80459: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.97, delays=0.12/0.01/0.01/0.83, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 64D131A8045E) Oct 1 16:33:33 www postfix/qmgr[24672]: 8F3BF1A80459: removed Oct 1 16:33:33 www amavis[20533]: (20533-01) extra modules loaded: /opt/zimbra/zimbramon/lib/x86_64-linux-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/zimbramon/lib/x86_64-linux-thread-multi/auto/Net/SSLeay/randomize.al, /usr/lib64/perl5/vendor_perl/auto/Net/LibIDN/autosplit.ix, IO/Socket/SSL.pm, Net/LDAP/Extension.pm, Net/LibIDN.pm, Net/SSLeay.pm Oct 1 16:34:03 www postfix/smtp[3362]: connect to gmail.com[74.125.224.149]:25: Connection timed out Oct 1 16:34:05 www zmmailboxdmgr[3687]: status requested Oct 1 16:34:05 www zmmailboxdmgr[3687]: status OK Oct 1 16:34:18 www zmmailboxdmgr[3896]: status requested Oct 1 16:34:18 www zmmailboxdmgr[3896]: status OK Oct 1 16:34:18 www zmmailboxdmgr[3905]: status requested Oct 1 16:34:18 www zmmailboxdmgr[3905]: status OK
Re: MTA Deferring e-mail
>> So it looks like incoming e-mail might be working now, outgoing >> not so much. > >> Oct 1 16:34:03 www postfix/smtp[3362]: connect to >> gmail.com[74.125.224.149]:25: Connection timed out > > This looks quite like a "disable_dns_lookups=yes" issue. The question > then would be: how was it working before? $ postconf -n disable_dns_lookups = yes I now changed it to 'no' and things seem to be working again. I dont understand why, though, this would be creating the problem. Could you explain? If it creates this problem, why do people set it? -Jason
Postfix, and MX record questions
I am building a new CentOS 6.5 server. In the past I have just used Zimbra for ease. Not, since I am behind a pfsense box that does some IP mapping Zimbra requires a "split-dns" setup. I thought that it might be time to cum out Zimbra and just use Postfix, Dovecot, etc. I gound a great tutorial. So I have 5 statics and the pfSense box answers to all and forwards the traffic to the correct box that has a private IP. In this case, xx.xx.xx.27 -> 192.168.1.27 192.168.1.27 is the IP address of the mail server. Am I going to still need this same "split-dns" setup? I cannot decide if it is something Zimbra needs or something I would need in any setup... Jason
[pfx] Re: mail.log and mail.info
this is probably due to syslog facility/daemon, not postfix. eg. personal rsyslog.conf : #mail.info -/var/log/mail.info #mail.warn -/var/log/mail.warn #mail.err /var/log/mail.err mail.* -/var/log/mail.log so, comment out whatever you don't want and just keep one (eg mail.log) for everything. or split as you like between log files. d. Στις 30/7/24 13:18, ο/η Linkcheck via Postfix-users έγραψε: I am recently seeing an almost exact similarity between mail.log and mail.info, to the extent I am now querying the usefulness of looking at mail.info at all. Am I missing something? In main.cf I have smtp_tls_loglevel = 1 smtpd_tls_loglevel = 1 and no other obvious log control. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
not sure why you don't just block the ip/subnet of that client in firewall (?) or just try postscreen + postscreen_access_list with client ip/subnet.. is it coming from gmail or another too-big-to-block sender? The "access" file currently contains REJECT lines for both "spamgateway.nil" (no leading period) and ".spamgateway.nil" (leading period), and I did the postmap-and-restart dance after updating it, but the e-mails are still coming through. My understanding (see also Wietse's first response) is that adding "stupidspammers.example" won't accomplish anything, as that domain is only in the message headers and isn't the domain of the actual server the e-mails are coming from. maybe this header_checks example works : /^(To|From|Cc|Reply-To):.*@stupidspammers\.example/ DISCARD postmap /etc/postfix/header_checks and in main.cf : header_checks = regexp:/etc/postfix/header_checks postfix reload should work.. d. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] postscreen_dnsbl_reply_map not matching/replacing in replies ?
Hello,
I am working on upgrading an old and pretty broken Postfix setup I inherited.
I managed to get it cleaned up, and running on Postfix v3.9.
The server's using Spamhaus DQS dnsbls @ postscreen, and the policy it uses is
reject on match.
They're working like they should for postscreen, rejecting when there's a match.
But it appears to be leaking the DQS password in the response.
I read the Postfix docs a few times, and thought I got it right.
But clearly, I'm missing something :-/
For example, with
cat master.cf
[mx.example.com]:25 inet n - n - 1 postscreen
-o smtpd_service_name=ps-int
...
ps-int pass - - n - - smtpd
-o syslog_name=postfix/ps-int
...
cat main.cf
var_SHDQS=xxx
postscreen_dnsbl_reply_map =
texthash:/etc/postfix/postscreen_dnsbl_reply_map
rbl_reply_maps =
${stress?lmdb:/etc/postfix/smtpd_dnsbl_reply_maps}
default_rbl_reply = $rbl_code Service unavailable; REJECT: (
$rbl_class [$rbl_what] ) listed at $rbl_domain${rbl_reason?; $rbl_reason}
cat /etc/postfix/postscreen_dnsbl_reply_map
${var_SHDQS}.zen.dq.spamhaus.net=127.0.0.[2..11] 554
$rbl_class $rbl_what blocked using ZEN - see
https://www.spamhaus.org/query/ip/$client_address for details
${var_SHDQS}.dbl.dq.spamhaus.net=127.0.1.[2..99] 554
$rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
${var_SHDQS}.zrd.dq.spamhaus.net=127.0.2.[2..24] 554
$rbl_class $rbl_what blocked using ZRD - domain too young
${var_SHDQS}.zen.dq.spamhaus.net 554
$rbl_class $rbl_what blocked using ZEN - see
https://www.spamhaus.org/query/ip/$client_address for details
${var_SHDQS}.dbl.dq.spamhaus.net 554
$rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
${var_SHDQS}.zrd.dq.spamhaus.net 554
$rbl_class $rbl_what blocked using ZRD - domain too young
${var_SHDQS}.sbl.dq.spamhaus.net 554
$rbl_class $rbl_what blocked using SBL - see $rbl_txt for details
${var_SHDQS}.xbl.dq.spamhaus.net 554
$rbl_class $rbl_what blocked using XBL - see $rbl_txt for details
${var_SHDQS}.pbl.dq.spamhaus.net 554
$rbl_class $rbl_what blocked using PBL - see $rbl_txt for details
${var_SHDQS}.sbl-xbl.dq.spamhaus.net 554
$rbl_class $rbl_what blocked using SBL+XBL - see $rbl_txt for details
Running tests from Spamhaus I get a
2024-08-02T07:30:14.710397-04:00 arizona postfix/ps-int/smtpd[52267]:
NOQUEUE: reject: RCPT from unlisted.blt.spamhaus.net[199.168.89.101]: 554 5.7.1
Service unavailable; REJECT: ( Helo command [zrd-dqs.blt.spamhaus.net] ) listed
at xxx.zrd.dq.spamhaus.net; zrd-dqs.blt.spamhaus.net first seen around
01-Aug-2024 15:00 UTC; from=
to= proto=ESMTP helo=
Where you see
xxx.zrd.dq.spamhaus.net
being leaked in the 554 reply.
It looks like it's using the "default_rbl_reply" instead of the match from
"postscreen_dnsbl_reply_map".
I think maybe that's the actual problem -- using the wrong match?
Or is my texthash: file used incorrectly?
I'd appreciate any hints here!
Thanks.
--
Arnie
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postscreen_dnsbl_reply_map not matching/replacing in replies ?
Hello, > Why empty unless under stress??? I've no idea yet. I hadn't gotten that far. Was starting with 'first contact' -- at postscreen -- and working inwards. > > cat /etc/postfix/postscreen_dnsbl_reply_map > Only used by postscreen(8).! > This was not blocked by postscreen(8) and so was handled by smtpd(8), Aha, ok. I thought that was postscreen. I misunderstood the flow. Thanks. > > It looks like it's using the "default_rbl_reply" instead of the match from > > "postscreen_dnsbl_reply_map". > > That parameter is not applicable for connections passed to smtpd(8). I'm not clear on that. It seems to be using the form in that map. > You need to use the same table for both smtpd(8) and postscreen(8). > That is: > > rbl_reply_maps = ... some table ... > postscreen_dnsbl_reply_map = ... same table ... Ok that I can do. > And of course that table needs to match all the applicable keys. I guess that's the first question then. Why DIDN'T it match+reject "@ postscreen", passing it through to the internal smtpd instead? Thanks. -- Arnie ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Mails sent to rspamd twice
hey, not sure about your setup, but rspamd can also check email with clamav [1]. that way, there is no need to add clamav to postfix (as content_filter or milter). d. [1] https://rspamd.com/doc/modules/antivirus.html Στις 9/9/24 13:53, ο/η Danjel Jungersen via Postfix-users έγραψε: I have set up clamav, and I think it works But when a mail is recieved, it is first scanned by rspamd and then clamav. Thats all fine. But when clamav is done, rspamd scans it again. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: I have found out the reason why Postfix keeps getting killed by OOM Killer
Στις 3/3/25 17:32, ο/η Turritopsis Dohrnii Teo En Ming via Postfix-users έγραψε: Noted Patrick. I will ask Virtualmin developers to use clamd instead of clamdscan and clamscan. On Monday, March 3rd, 2025 at 11:25 PM, Patrick Ben Koetter via Postfix-users wrote: * Turritopsis Dohrnii Teo En Ming via Postfix-users teo.en.m...@protonmail.com: Dear Patrick Ben Koetter, I will suggest Virtualmin developers to use clamdscan instead of clamscan. Looks like a re-design of Virtualmin in how it uses ClamAV to scan email messages is required. Don't do that. Ask them to use clamd. They must not use clamdscan or clamscan. p@rick virtualmin already has options for these. https://www.virtualmin.com/docs/server-components/spam-and-virus-scanning/ d. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
