r this mailing list, so let's not open this can of worms,
shall we?
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
___
Postfix-users mailing list -- postfix-use
should not care about the TLS connection to the
> MX anymore and deliver it even if plain.
Why not encrypt the message right away and save yourself the hassle, if
you already have that option? Transport encryption beyond the next hop
is outside your control anyway.
Regards
Ansgar Wiecher
useful I do believe that without
a clear understanding of what threats you (as a server admin) want to
mitigate with them in your specific situation, their added complexity
and maintenance cost (which is usually glossed over despite being rather
substantial) greatly outweighs their benefits.
Regard
expanding verbosity of postfix logging?
The postconf utility will show you the active configuration:
postconf -n smtpd_recipient_restrictions
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
der and recipient addresses, and explain why you
| require clearance. If the recipient agrees to accept your request, you
| will usually receive a notification within two working days.
Oh, well. Guess what just happened to horus-it.com on my mail server.
Regards
Ansgar Wiechers
--
"Abstracti
t has neither A nor mx record?
From `man 5 postconf`:
| reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
| Reject the request when the HELO or EHLO hostname has no DNS A or MX
| record.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but t
On 2024-02-21 MRob via Postfix-users wrote:
[ off-topic ]
It never ceases to amaze me how people *know* that what they're posting
is off-topic, yet decide it's okay for them to post it anyway if they
just label it as off-topic. Hint: it's not.
Regards
Ansgar Wiechers
--
"
range(s) listed by `postconf mynetworks`.
If a localpart-only sender address still is accepted: show the output of
`postconf -n` and `postconf -M` as well as the transcript of the
`telnet` dialog.
Regards
Ansgar Wiechers
--
"Abstractions save us time
outside
$mynetworks and you should see a response like
504 5.5.2 : Sender address rejected: need fully-qualified address
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
omain.com", which is
allowed.
As a side note: Please avoid making up arbitrary domain names for
examples. There are official domains reserved specifically for this
purpose. See RFC 2606[1] for details.
[1]: <https://www.rfc-editor.org/rfc/rfc2606.html>
Regards
Ansgar Wiechers
--
"
On 2022-08-22 Ruben Safir wrote:
> On Mon, Aug 22, 2022 at 08:50:51AM +0200, Ansgar Wiechers wrote:
>> You could use a check_sender_access restriction with a regular
>> expression like this:
>>
>> /bagel/ REJECT
>
> Do I use the map created by the postfix/acces
ECT
Perhaps even anchored (since all the localparts seem to begin with the
word "bagel"):
/^bagel.*=(nylxs|mrbrklyn)\.com@/ REJECT
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
> * senderdomain3.example is only valid with 'v11' and 'v546'
>
> etc, etc
>
> Is this possible with postfix?
This should be doable with restriction classes [1], but it's probably
easier (and more straightforward) to implement it with a policy service
on who
successfully brainwashed half the internet into destroying ICMP because
"stealth?" *That* Steve Gibson?
I *strongly* advise everyone to take *anything* coming from Gibson with
two or three handfuls of salt. At least. The guy is a charlatan at best.
Regards
Ansgar Wiechers
--
"Abst
will this test reject the transport when any of those records are
> missing, or when the propagated HELO/EHLO domain doesn't have any of
> those records?
Postfix will reject the connection when neither A nor MX record exists.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
.239.195/24 but it does not work, if my
> address is 88.103.239.2
You need to specify the network address for that network:
mynetworks = 88.103.239.0/24
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
. However, the abuse of
Gmail Reply-To addresses by spammers/scammers is so rampant (at least in
my experience) that on my personal mail server I decided to reject
everything with a Gmail Reply-To except for whitelisted addresses.
Regards
Ansgar Wiechers
--
"Abstractions save us time working,
mas and/or whitespace. Continue long lines by starting
| the next line with whitespace.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
able for the sender match and an access map for the
recipient match because that worked best for my use cases, but other
table combinations should work as well.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
gin taking action, then you are a racist. If not, then I
> apologize. But only if you are not.
"Taking action" to accomplish ... what exactly? Somebody please explain
to me whose life got improved in any way by replacing the words
"whitelist" and "blacklist" with "
192.168.17.0/24 local_only
...
>8
8<
# /etc/postfix/local_domains
foo.example.org OK
bar.example.org OK
...
---->8
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
ost server.cointalk.com
Host server.cointalk.com not found: 3(NXDOMAIN)
Postfix rejects the mail because it cannot resolve the sender domain.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
On 2020-12-15 Jeff Abrahamson wrote:
> On 15/12/2020 12:36, Ansgar Wiechers wrote:
>> Spoofing the envelope from address (Return-Path: ) is
>> actually valid (per the SMTP protocol) and a common occurrence for
>> mail sent by bad actors.
>
> Is prohibiting spoofing enve
this will only prevent senders from spoofing the envelope from
address:
Return-Path:
It does not affect the From: header in the mail:
From: p27.eu
You need a spam filter if you want to address that as well.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
ion-5.1>
If a domain should never receive mail it's better to define a null MX
for that domain (see RFC 7505).
<https://tools.ietf.org/html/rfc7505>
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
the file. The usual filters don't apply to that.
What you can do is disable pickup entirely so that even local users are
required to submit mail via SMTP (on localhost).
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
STANDARD_CONFIGURATION_README.html#null_client
[1]:
https://www.systutorials.com/sending-email-using-mailx-in-linux-through-internal-smtp/
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
use the structures the distro implements. If for some reason you must
use the pre-packaged Postfix but still have /usr/local/etc/postfix just
create it as a symlink to /etc/postfix, not the other way 'round.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
On 2020-06-08 John Dale wrote:
> Why does this agitate people?
Because the whole Political Correctness/Social Justice thing has
devolved into a religion. Thus all heathens must convert to this faith
or burn at the stake.
Regards
Ansgar Wiechers
--
"Abstractions save us time working,
rt for a specific next hop that port
will be used.
Of course an MTA can also use submission to send to a next-hop MTA if
the latter supports that (since the sending MTA is acting as a client
there), but you would need to specifically configure that on the sender.
Regards
Ansgar Wiechers
--
mple.org" with your virtual mailbox domain and
"example.com" with the local domain of the mail server.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
postfix reload
> > > fi;;
> > > esac
> > > done
> >
> > Sorry to bring this up after a while, but I have been trying this code,
> > but seem to hit a syntax error:
> >
> > line 10: [: : integer expression expected
> >
> >
> >
ages were stored into disk by encrypted?
AFAIK individual queued messages can't be encrypted, but you can
certainly encrypt the volume where the queue is located.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
ge.com/tutorial/configure-postfix-to-use-gmail-as-a-mail-relay/>
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
> I would prefer redis over memcache, since it supports
> replication/synchronisation over multiple servers.
I would recommend using a configuration management system like Puppet,
Ansible, Chef, ... for deploying tables across multiple servers instead
of replicating the information with somet
resources to a more
> permanent location, or at least update the links.
https://www.planetcobalt.net/patrick.koetter/saslfinger/
https://www.planetcobalt.net/patrick.koetter/smtpauth/
I adjusted links where it seemed appropriate. If I made a mistake
somewhere please let me know.
Regards
Ansga
ail through an encrypted transport channel and never store
it on disk, an attacker who has gained control of the server can still
intercept the message.
[1]: https://www.planetcobalt.net/sdb/crypter.shtml
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
On 2019-10-02 ratatouille wrote:
> Do I really have to whitelist all the IPs of
> outbound.protection.outlook.com in postgrey?
No. You could simply stop graylisting and instead use spam protection
measures without its side effects (e.g. postscreen).
Regards
Ansgar Wiechers
--
"Abstra
scribe the actual problem you're trying to
solve instead of what you perceive as the solution. Debug logging in
Postfix should not be required for any normal troubleshooting. What do
you think you need this for exactly?
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
ted mail for
delivery and then somehow discards it. What you have presented so
far are allegations at best, without any actual proof.
Logs are always a good start for digging into issues like this.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
l versus hosted versus other domains"
section of the document:
http://www.postfix.org/VIRTUAL_README.html#canonical
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time
learning."
--Joel Spolsky
---
f...@example.org rc_foo
>8
In foo_sender_access:
8<
b...@example.com REJECT Mail not accepted.
some...@example.net REJECT Mail not accepted.
---->8
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
etworks
permit_sasl_authenticated
reject_unauth_destination
...
check_client_access pcre:/etc/postfix/client_access.pcre
...
and define the offending domain in that file:
/\.artegic\.net$/ REJECT Not accepting mail from your domain.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Please do not reply off-list.
On 2018-05-28 Poliman - Serwis wrote:
> 2018-05-28 13:18 GMT+02:00 Ansgar Wiechers :
>> On 2018-05-28 Poliman - Serwis wrote:
>>> Thank you for advices but how setup different SMTP in MX record if
>>> MX record determine pop3/imap and sm
mailservers with different priority.
> I would like to underline I could not understand you properly.
MX records only ever specify the servers designated for RECEIVING
INBOUND mail for a domain. They say nothing about POP or IMAP (or
which servers will handle outbound mail for that matter).
the Zimbra mailing list. Did you
try the Zimbra documentation?
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
hey might
be subject to change anytime without prior notice). Hence MailScanner is
not supported and not recommended with Postfix, regardless of whether it
does or doesn't work right now.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time
learning."
--Joel Spolsky
EADME.html#danger
This is probably just personal preference, but in addition to
whitelisting postmaster recipients I put a client blacklist before the
whitelist where I block all clients who deemed sending spam to a
postmaster address a good idea.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
yname
shortname: myname
save and run `newaliases`.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
mission, but still: you may want to disable verbose
logging for the smtpd on port 25. Remove the "-v" from this line in
master.cf:
> smtp inet n - - - - smtpd -v
Verbose logging is only required in very specific debugging scenarios
and won't do you any good for regular operations or troubleshooting.
Regards
Ansgar Wiechers
sions, depending on
where you're located and whose mail you're handling.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
. Spamassassin is rather heavyweight whereas Postscreen was
designed to be a lightweight zombie deflection tool. You'd lose that
low resource impact advantage by mixing the two.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
practice to restrict PTR records to a single name.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
1]: https://www.mail-archive.com/postfix-users@postfix.org/msg65583.html
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
etime expired (generating a double
bounce)?
Does name resolution work correctly for the user "postfix"?
> Does the spamass-milter run before postscreen?
>
> If not, can it?
Postscreen was created as a lightweight protection against spam bots. It
would be utterly pointless to run it after heavyweight spam protection
measures like Spamassassin.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
an MTA problem. I don't think you can
suppress these duplicates in Postfix, because the MTA correctly receives
and delivers two separate transmissions (one for group1, the other for
group2).
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
http://www.planetcobalt.net/sdb/crypter.shtml
Run it as a daemon and configure it as a relayhost for your Postfix.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
>> in contacting the sysadmin to shut it down
>
> * close the port on the firewall for the source IP
> * check_sender_access
s/_sender_/_client_/
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
On 2014-09-23 A. Schulze wrote:
> wietse:
>> Dammit, I want to hear from people who expect to have problems
>> or not.
>
> OK, I don't expect problems for /my/ systems
> because I already explicit set 'append_dot_mydomain = no'.
Same here.
Regards
Ansgar
I think you're looking for the "reject_sender_login_mismatch"
restriction[1]. See section "Envelope sender address authorization" in
the SASL README[2] for details.
[1] http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
[2] http://www.postfix.org/SASL_README.
ave on the same database row also the blacklist check,
> spam score and antivirus info ?
Postfix logs to syslog and syslog (rsyslog at least) can be configured
to write to MySQL instead of files. See [1] for details.
[1] http://www.rsyslog.com/doc/rsyslog_mysql.html
Regards
Ansgar Wiechers
--
problems, we're
not here to read the documentation to you. Please do your homework
yourself.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
ix to use STARTTLS in smtpd_proxy_filter setup?
Are Postfix and amavis running on different hosts? Otherwise don't
bother. Encrypting connections on localhost is just a waste of system
resources.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
On 2014-03-25 postfix-users@postfix.org wrote:
> Ansgar Wiechers wrote:
>> On 2014-03-25 postfix-users@postfix.org wrote:
>>> I was suspecting this already:
>>>
>>> Mar 25 12:16:56 HOSTNAME postfix/smtpd[6243]: connect from
>>> unknown[180.93.167.22
ing seems to get through possibly should not?
> I have no idea, what i should fix :-(
Some host connects to your mail server, then disconnects from your mail
server. Apparently without doing anything else. What problem do you
perceive here that would require fixing?
Regards
Ansgar Wiechers
--
se logging unless specifically asked to
do so. Regular Postfix logging is usually sufficient for trouble-
shooting. Verbose logging tends to drown information about the actual
problem in tons of unrelated information.
See here for more information on reporting problems to this list:
http://www
host[127.0.0.1] in MAIL
> command: <-timeshare.escape.artist-user=example@atcturbo.com> "
The leading hyphen is what makes the address illegal. To allow addresses
starting with a hyphen set "allow_min_user = yes" in main.cf.
http://www.postfix.org/postconf
eader_checks.5.html
I don't think this is possible. header_checks evaluates one header at a
time, so you can't conditionally check To: and From: header in the same
rule.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
hing was different except nobody
> knew what happened over years
<http://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters>
Fefe blogged about this back in September.
https://blog.fefe.de/?ts=acceb732
Regards
Ansgar Wiechers
--
"Abst
cot cluster keeping in mind to
> our scenario. (If needed we can buy additional hardware like load
> balancer).
This is a dovecot-related question, which is off-topic for the Postfix
mailing list.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
suspended: connect to IP[IP]:25: Connection timed out)
>
> command just like
> telnet mail.example.com 25
> Trying IP...
Looks to me like your provider is blocking outbound connections to port
25/tcp.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
ntry for a virtual_mailbox_domain. Maybe I
> am wrong, but I am pretty sure. What do you think?
You're free to file a bug report, but I can practically guarantee you
that it will be discarded, since the virtual mailbox configuration
example in the VIRTUAL_README clearly tells you not to do what you're
doing.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
virtual alias map by reading the
virtual mailbox map and creating a mapping for each address found in it:
f...@example.com f...@example.net
b...@example.com b...@example.net
...
This can be done with a Makefile or some other script.
[1] http://www.postfix.org/VIRTUAL_README.html
Regards
Ansgar W
ve all unnecessary tolower() function
> calls in all reporting modules
Localparts are not case-insensitive.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
and the second one worked:
>
> http://pastebin.com/XUYR4ZDe
Please do not enable verbose logging unless specifically asked to.
Normal Postfix logging usually suffices for troubleshooting delivery
problems.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
sent to the alias -
> mai...@example.com - and includes orig_to (see below) the mail is not
> being DISCARDed. Can anyone tell me the correct way to do this?
Remove the aliases pointing to . Problem solved.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don'
server. Obviously, I need to do
> that only internally, i.e. on our domain.
>
> Can anyone send me a link to the official documentation, or an example
> on how to do this.
I think "reject_sender_login_mismatch" is what you're looking for.
http://www.postfix.org/postconf
> servers until it gets to that point. You can send mail through your
> own server, but it can not be encrypted when you send it out to
> another server, which pretty much breaks any concept of NSA-proof
> email.
Read again.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
> Or should I just stop worrying and figure the amount of resources
> being used is insignificant?
I'd say fail2ban is the way to go about this. If you want to be on the
safe side, make the threshold somewhat higher and extend the lockout
period.
Regards
Ansgar Wiechers
--
"Abstract
it. I'm sure they get bugged all the time as
> it is.
You're mistaken. example.com, example.net and example.org as well as the
TLDs .test, .example, .invalid and .localhost were reserved for this
exact purpose. See RFC 2606 [1].
[1] http://www.ietf.org/rfc/rfc2606.txt
Regards
Ans
f to globally disable it.
Not really. Aside from the fact that there are other ways to verify an
address, I get a single VRFY every other month on my mail server.
In my experience most spammers don't actually care if an address is
valid or not and blindly throw their crap at everything that looks a
R: "set wrap" or "set nowrap" don't add or remove any linebreaks. They
just modify how the text is displayed.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
On 2013-06-05 Steve Jenkins wrote:
> On Wed, Jun 5, 2013 at 2:11 AM, Ansgar Wiechers wrote:
>> mod_rewrite wouldn't help with this, because there is no domain A
>> record for postfix.org.
>>
>> cobalt@iridium:~ $ host -t a postfix.org
>> postfix.org has no A
't help with this, because there is no domain A record
for postfix.org.
cobalt@iridium:~ $ host -t a postfix.org
postfix.org has no A record
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
ias_maps
into this:
virtual_alias_domains = safeport.us
Furthermore, $mydestination is for local delivery of mail of which your
server is the final destination. $relay_domains is for relaying mail for
domains that your server is NOT the final destination of. Do NOT mix the
two. Remove $
On 2013-05-18 Benny Pedersen wrote:
> Ansgar Wiechers skrev den 2013-05-18 17:27:
>> He seems to want fred to be a virtual (mailbox) user.
>
> in that case he should not list fuckaround dot org in mydestination,
> but in virtual_mailbox_domains
No, he shouldn't. Please car
> useradd fred
>
> fred is not yet an unix user :=)
Quoting from the original mail:
> After read many howto I try to use virtual user.
He seems to want fred to be a virtual (mailbox) user.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
I should be?
I already told you what to do, aside from reading the documentation.
Have you removed the line from /etc/postfix/virtual? What is the output
of the following commands:
postmap -q f...@nuvolabianca.org hash:/etc/postfix/virtual
postmap -q f...@nuvolabianca.org hash:/etc/postfix/vmailbox
x/virtual (don't forget to re-hash it
afterwards) and make sure you have a proper entry for the address in
/etc/postfix/vmailbox.
All of this is explained rather well in the documentation[1].
[1] http://www.postfix.org/VIRTUAL_README.html
Regards
Ansgar Wiechers
--
"Abstractions save
line to your main.cf:
local_recipient_maps = $alias_maps
and include a mapping for all valid (local) recipients in $alias_maps:
userA: userA
userB: userB
...
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
8A /var/log/mail.log").
Then block that route.
For further help post the output of "postconf -n" (as requested per the
list welcome message) and the abovementioned log excerpt.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
f you want them to be
able to use arbitrary addresses for mail sent to local recipients,
but disallow non-local sender addresses for outbound mail, you'll
probably have to use a policy service.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Please keep this on-list. I'm not doing personal support for free.
On 2013-03-14 Littlefield, Tyler wrote:
> On 3/14/2013 2:51 AM, Ansgar Wiechers wrote:
>>On 2013-03-13 Littlefield, Tyler wrote:
>>> I'd also like to be able to use procmail on these.
>>
>>
drop it silent
That would be a post-queue filter. A pre-queue filter rejects, so you
don't become a backscatter source.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
n this scenario is 587 (see
RFC 6409). As required per that RFC you must enable authentication on
that port.
Also, do *not* enable verbose logging (-v) unless specifically asked to
do so.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
ostfix configurations on 100+ servers is
> definitively harder than a handful of relay servers with a fixed
> configuration on the other servers.
That's what configuration management was invented for. You may want to
look into puppet et al.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
s. Ever. Set up mailbox quota if you want to restrict the amount
of mail your users can keep.
[1] http://www.postfix.org/ADDRESS_CLASS_README.html
[2] http://standish.home3.org/virtual-procmail
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
sed Postfix
to check a hash table hash:/etc/postfix/filtered_domains, but neglected
to actually create it. You probably just created the text file
/etc/postfix/filtered_domains without converting it to an actual hash
table. Run "postmap /etc/postfix/filtered_domains".
Regards
Ansgar Wiecher
On 2013-03-13 Viktor Dukhovni wrote:
> On Wed, Mar 13, 2013 at 01:48:57PM +0100, Ansgar Wiechers wrote:
>>> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: NOQUEUE: reject:
>>> RCPT from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]: 451 4.3.5
>>> : Reci
works
"check_recipient_access" should go *after* "reject_unauth_destination",
otherwise you're prone to becoming an open relay.
Also put all restrictions under $smtpd_recipient_restrictions. Unless
you set "smtpd_delay_reject = no" (which you shouldn't) the res
1 - 100 of 352 matches