Re: deflecting attacks

2009-08-22 Thread Jorey Bump
Martijn de Munnik wrote, at 08/22/2009 02:06 PM: > I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx > errors or sends too much spam it is banned in the firewall. > > failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d > ban time 1h > > failregex = Passed SPAM, \[<HOST>\] > ban time 10m

Re: Wildcard certs - why only one level deep?

2009-08-07 Thread Jorey Bump
Chris Simmons wrote, at 08/07/2009 05:19 PM: > In testing (and by reading the archives) I have found that postfix only > supports one level of wildcard SSL certificates. That is to say, I can > get a certificate for *.example.com that will match host1.example.com > and host2.example.com, but won’t

Re: Reverse DNS requirement

2009-08-03 Thread Jorey Bump
Robert Schetterer wrote, at 08/03/2009 03:40 PM: > lost mail to where ? gone universe *g? > the mail got rejected at last with a debug code > so the sender may take his brain to fix its problem > or try to reach you by phone , valid mailservers etc > if the sender cant fix it you can simply wh

Re: Reverse DNS requirement

2009-08-03 Thread Jorey Bump
Mikael Bak wrote, at 08/03/2009 10:38 AM: > I'm currently blocking all attempts to connect from hosts not having a > valid reverse DNS name with "reject_unknown_reverse_client_hostname". > > This is very effective for dealing with spam. This is not our only > protection though :-) > > Although f

Re: postfix mx check

2009-08-03 Thread Jorey Bump
Udo Mueller wrote, at 08/03/2009 09:01 AM: > Hello all, > > I'm having a problem at customer's site. I'm using postfix 2.5.5 > > Customer tries to send email to @vf.uk.vodafone.com. This domain does > not exist: > > $ dig -t any vf.uk.vodafone.com > > ; <<>> DiG 9.4.3-P1 <<>> -t any vf.uk.vod

Re: sieve instead procmail?

2009-07-24 Thread Jorey Bump
Michael Monnerie wrote, at 07/23/2009 10:33 AM: > I just need a sieve that can call an external program to deliver mails. > Is that really not existing? Sieve is deliberately crippled in this way: http://sieve.info/ One of its design goals was to reduce the chance of users performing potentia

Re: Mutt, postfix setup for multiple e-mail accounts

2009-07-07 Thread Jorey Bump
Vikas Rawal wrote, at 07/06/2009 07:41 PM: > On my laptop, I use mutt with postfix for sending e-mails FWIW, recent development versions of mutt support SMTP: http://www.mutt.org/doc/devel/manual.html#smtp I haven't tried it yet, but I plan to. Although I used mutt often, lack of built-in SMTP

Re: ISP being blocked by us

2009-06-26 Thread Jorey Bump
Ignacio Garcia wrote, at 06/26/2009 08:38 AM: > FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1 Both of these rules are absurd. An MX record is only relevant when determining the destination for a domain's email. It has *nothing* to do with relaying to other sites. You should

Re: Postifix-v-Spamassassin BLOCK SMTP

2009-06-23 Thread Jorey Bump
EASY steve.h...@digitalcertainty.co.uk wrote, at 06/23/2009 09:12 AM: > Joey wrote: >>> Actually, I use a header_checks rule: >>> >>> /X-Spam-Level: \*{5,}/ REJECT > > I wrote; >> I looked at this myself and asked 'hang on, what if I put a header >> filter in for X-Spam-Level'. I assumed (and tha

Re: Postifix-v-Spamassassin BLOCK SMTP

2009-06-23 Thread Jorey Bump
Steve wrote, at 06/23/2009 04:21 AM: > Silly question. Currently I have Postfix using Spamassassin as a content > filter thus; > > smtp inet n - - - 10 smtpd > -o content_filter=spamassassin > ... > spamassassin unix - n n - -

Re: rejecting client=unknown[ip.ad.dr.ess]

2009-06-23 Thread Jorey Bump
LuKreme wrote, at 06/23/2009 02:58 AM: > On 22-Jun-2009, at 18:29, mouss wrote: >>> Is there anyway to, if not outright reject anyone whose DNS shows up as >>> unknown to at least tempfail them with a "Ooops, your DNS is not >>> resolving, try back later" or something? > >> if you insist, you coul

Re: Regular expression with fighting against spam

2009-06-19 Thread Jorey Bump
Jaroslaw Grzabel wrote, at 06/19/2009 10:44 AM: > Not in the times when IPS's are obligated to run smart hosts for their > customers and relay mails also for all hosting customers in the times > when mobile operators gives you a possibility to connect from any place > on the world using each time

Re: That Ole' Devil Called Spoofing

2009-06-17 Thread Jorey Bump
Steve wrote, at 06/17/2009 05:38 AM: > Hi List, > > I'm currently controlling 'spoofing' (from isendm...@tomyself.null to > isendm...@tomyself.null) using a map; > > smtpd_sender_restrictions = > .. > check_sender_access hash:/etc/postfix/maps/spoofprotection > > This is fantastic but ha

Re: SSL

2009-06-17 Thread Jorey Bump
Postfix wrote, at 06/16/2009 11:23 PM: > Hi, > I am trying to setup SSL connections. > > I have it setup as the instructions say: > > smtpd_tls_CAfile = /etc/postfix/sslbundle.crt > smtpd_tls_cert_file = /etc/postfix/server.crt > smtpd_tls_key_file = /etc/postfix/server.key > smtpd_tls_received_h

Re: is reject_unknown_client_hostname safe now? (aka FCRDNS)

2009-06-16 Thread Jorey Bump
Michael Monnerie wrote, at 06/16/2009 02:17 AM: > A big ISP here in Austria started to use reject_unknown_client_hostname > (http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname) > also known as http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS > > Is this option safe t

Re: backup mx and with header checks

2009-06-15 Thread Jorey Bump
Terry L. Inzauro wrote, at 06/15/2009 01:52 PM: > I like the idea of verifying addresses, but this stuck out. > > > > WARNING > > The sender/recipient address verification feature described in this document > is suitable only for low-traffic sites. It > performs poorly under high load; excess

Re: Webmail

2009-05-19 Thread Jorey Bump
Carlos Williams wrote, at 05/19/2009 02:04 PM: > On Tue, May 19, 2009 at 1:50 PM, Just E. Mail > wrote: >> Thank you all. >> >> I am going with roundcube: http://www.roundcube.net > > It's really easy to install. Main thing is making sure you have PHP > 5.2+ installed on Apache and also configu

Re: question on permit_sasl_authenticated and check_sender_access

2009-05-06 Thread Jorey Bump
Charles Marcus wrote, at 05/06/2009 09:38 AM: > On 5/6/2009 9:03 AM, Jorey Bump wrote: >> Another minor advantage is that the configuration will continue to work >> if permit_sasl_authenticated is removed from >> smtpd_recipient_restrictions in main.cf (if the decision is ever

Re: question on permit_sasl_authenticated and check_sender_access

2009-05-06 Thread Jorey Bump
Charles Marcus wrote, at 05/06/2009 08:48 AM: > On 5/6/2009 8:37 AM, Jorey Bump wrote: >>>> I modified master.cf and configure submission that way: >>>> submission inet n - n - - smtpd >>>> -o smtpd_enforce_tls=yes >

Re: question on permit_sasl_authenticated and check_sender_access

2009-05-06 Thread Jorey Bump
Charles Marcus wrote, at 05/06/2009 06:38 AM: > On 5/6/2009, Gaël Lams (lamsg...@gmail.com) wrote: >> I modified master.cf and configure submission that way: >> submission inet n - n - - smtpd >> -o smtpd_enforce_tls=yes >> -o smtpd_sasl_auth_enable=yes

Re: Suggestions on submission port config

2009-05-01 Thread Jorey Bump
Scott Haneda wrote, at 05/01/2009 08:37 PM: > On May 1, 2009, at 7:19 AM, Jorey Bump wrote: >> >> The difference is that MTAs typically don't quit if they can't verify >> the cert (check it against a root certificate store), so using a >> self-signed c

Re: Suggestions on submission port config

2009-05-01 Thread Jorey Bump
Victor Duchovni wrote, at 05/01/2009 10:26 AM: > On Fri, May 01, 2009 at 10:19:40AM -0400, Jorey Bump wrote: FTR: No, I didn't! :) >>> My end goal here is to get this all working, and then change these ports >>> to, for example, 25 -> 2525 and 587 -> 5

Re: Suggestions on submission port config

2009-05-01 Thread Jorey Bump
Scott Haneda wrote, at 04/30/2009 10:11 PM: > What happens is, under heavy MTA load on port 25, I will run out of > connection slots on port 25. Have you investigated the nature of this problem? > By moving users to 587, I do not care > about port 25 connection slots. MTA's will try again later

Re: Suggestions on submission port config

2009-05-01 Thread Jorey Bump
Scott Haneda wrote, at 04/30/2009 10:31 PM:> > On Apr 24, 2009, at 9:43 PM, Jorey Bump wrote: >> >> Since one of the purposes of the submission port is to support road >> warriors, I feel it should be as secure as possible and the entire >> communication should be

Re: Suggestions on submission port config

2009-04-24 Thread Jorey Bump
Scott Haneda wrote, at 04/24/2009 07:41 PM: > Thanks for this, this is getting me on track, comments interspersed > below... > > On Apr 24, 2009, at 6:51 AM, Jorey Bump wrote: > >> Scott Haneda wrote, at 04/24/2009 07:58 AM: >> >>> I am a little confused ab

Re: Suggestions on submission port config

2009-04-24 Thread Jorey Bump
Scott Haneda wrote, at 04/24/2009 07:58 AM: > I am a little confused about main.cf and master.cf. Is there overlap in > some of the settings? Do some settings exist in both files, or at least > are interchangable? If this is the case, under what conditions do you > decide to do so? From master

Re: Postfix telnet authentication

2009-04-13 Thread Jorey Bump
Antonis Rizopoulos wrote, at 04/13/2009 09:55 AM: > When I connect to my server, from different networks, to port 25 I am > able to send emails to local users only without authenticate! It's like > bypassing Cyrus-SASL. No, in this particular case it is not about you being allowed to *send* mail,

Re: Dumb question - How can I be sure that SMTP authentication is really working.

2009-04-11 Thread Jorey Bump
KLaM Postmaster wrote, at 04/11/2009 03:23 PM: > KLaM Postmaster wrote: >> How can I be sure that SMTP authentication is really working. I have >> been trying to determine if there is a reliable way of checking if my >> SMTP authentication is working, >> I think it is working, but as I am only tes

Re: alias with no primary domain

2009-04-11 Thread Jorey Bump
M.A. GEERTSMA wrote, at 04/11/2009 09:08 AM: > I configured my server with no/fake (primary) domain. So I only serve 4 > virtual domains. > > But then the /etc/alias file is of no use for these domains. Is it true > that I have to use the /etc/postfix/virtual for defining all possible > email ad

Re: Spam list (dns hostnames)

2009-04-10 Thread Jorey Bump
M.A. GEERTSMA wrote, at 04/10/2009 03:13 PM: > I will replace the 3 lines by the 1, but would that be double because of > MailScanner. > btw, MailScanner uses a local file: phishing.bad.sites.conf which is > updated regularly. You're missing the point, and comparing two unrelated features. reject

Re: reverse lookups

2009-04-10 Thread Jorey Bump
ghe wrote, at 04/10/2009 02:54 PM: > Oh, dear! I'm not sure what, if anything, I can do about this, but > thanks to you all for the response(s). Maybe a non-caching name server > might help. You've only indicated that an authenticated client's IP address does not reliably provide a reverse lookup

Re: Sender with invalid domain

2009-04-10 Thread Jorey Bump
post...@corwyn.net wrote, at 04/10/2009 12:08 PM: > Currently I block email with > smtpd_sender_restrictions = >reject_unknown_sender_domain >check_sender_access hash:/etc/postfix/access > smtpd_data_restrictions = >reject_multi_recipient_bounce > smtpd_recipient_restrictions = >r

Re: DNS verification

2009-04-08 Thread Jorey Bump
Jorey Bump wrote, at 04/08/2009 09:09 AM: > At the extreme end, some major > registrars cannot pass these checks, which could put domains at risk for > recipients who depend on email reminders to renew their domain > registrations. I guess we can add PayPal to the list of major

Re: DNS verification

2009-04-08 Thread Jorey Bump
Henrik K wrote, at 04/08/2009 09:54 AM: > On Wed, Apr 08, 2009 at 09:09:58AM -0400, Jorey Bump wrote: >> It's a shame, because enforcing these checks would have a noticeable >> impact on spam, especially FCrDNS: >> >> http://en.wikipedia.org/wiki/Forward_Confirmed

Re: DNS verification

2009-04-08 Thread Jorey Bump
berny wrote, at 04/08/2009 05:41 AM: > 2. If yes, what type do you use? >a) only PTR check [reject_unknown_reverse_client_hostname] >b) or PTR=A check [reject_unknown_client_hostname] > 3. What are your experiences and opinion to it? I have found it unsafe to use either. At the

Re: my mailserver has been blacklisted

2009-03-26 Thread Jorey Bump
Ivan Ricotti wrote, at 03/26/2009 06:59 AM: > I suspect that some windows users in my network is sending spam... and > the question is: how can I prevent this acting on postfix? Don't speculate. Read your logs.

Re: wildcard ssl certificate query

2009-03-18 Thread Jorey Bump
Paul Hutchings wrote, at 03/18/2009 02:06 PM: > We may be getting a wildcard SSL cert shortly, which would allow us > under the licensing terms to use it on as many servers as we wanted. > > I currently have Postfix setup to support SSL/TLS using a self-signed > cert. > > As mail servers obviousl

Re: saslauthd with realm support

2009-03-16 Thread Jorey Bump
Victor Duchovni wrote, at 03/16/2009 10:10 AM: > On Mon, Mar 16, 2009 at 02:29:17PM +0530, ram wrote: > >> For smtp-auth configuration, some users put full emailid as username , >> some use just the userid part of email-id(before '@'). Can postfix >> always authenticate with userid. Can this be do

Re: non-alpha HELO

2009-03-14 Thread Jorey Bump
LuKreme wrote, at 03/14/2009 12:19 PM: > On 13-Mar-2009, at 14:51, Jorey Bump wrote: >> submission inet n - n - - smtpd >> -o smtpd_tls_security_level=encrypt >> -o smtpd_sasl_auth_enable=yes >> -o smtpd_client_restrictions=permit_sasl_aut

Re: non-alpha HELO

2009-03-13 Thread Jorey Bump
Sahil Tandon wrote, at 03/13/2009 08:36 PM: > Jorey Bump wrote: >> LuKreme wrote, at 03/13/2009 04:26 PM: >>> On 13-Mar-2009, at 10:49, Bill Cole wrote: >>> >>>> If you have a good port 587 config in master.cf, you may need no >>>> changes ther

Re: non-alpha HELO

2009-03-13 Thread Jorey Bump
LuKreme wrote, at 03/13/2009 04:26 PM: > On 13-Mar-2009, at 10:49, Bill Cole wrote: > >> If you have a good port 587 config in master.cf, you may need no >> changes there. My submission entry for a server that accepts no port >> 25 submission from outside the LAN is: >> >> submission inet n

Re: Export User

2009-03-13 Thread Jorey Bump
Sasa wrote, at 03/13/2009 11:35 AM: > On current mail server I have: > > [r...@mail ~]# file /etc/sasldb2 > /etc/sasldb2: Berkeley DB (Hash, version 8, native byte-order) > > on new mail server I have: > > [r...@mail ~]# file /etc/sasldb2 > /etc/sasldb2: Berkeley DB (Hash, version 9, native byt

Re: non-alpha HELO

2009-03-13 Thread Jorey Bump
LuKreme wrote, at 03/13/2009 11:53 AM: > On 13-Mar-2009, at 09:04, Jorey Bump wrote: >>> For the people still supporting the antiquated model of accepting mail >>> submission via SMTP rather than a proper port 587 daemon, it is >>> important to make allowances for

Re: Export User

2009-03-13 Thread Jorey Bump
Sasa wrote, at 03/13/2009 10:58 AM: > "Jorey Bump" wrote: > >> If you need to transfer your sasldb2 to a new machine, it will depend on >> the underlying database format/version used. In many cases, you can >> simply copy it. But, if the formats are incompati

Re: non-alpha HELO

2009-03-13 Thread Jorey Bump
Bill Cole wrote, at 03/13/2009 10:23 AM: > Jorey Bump wrote, On 3/13/09 8:51 AM: >> LuKreme wrote, at 03/13/2009 07:22 AM: >> >>> So I thought I'd see if anyone else thought that a helo in the form >>> [12.34.56.789] SHOULD be allowed. I mean, as far as I

Re: Export User

2009-03-13 Thread Jorey Bump
Sasa wrote, at 03/13/2009 09:08 AM: > How can I Export my postfix users (my users are stored in > sasldblistusers2 and I have 2.3.3 postfix version) for then to import in > a new server postfix server (with 2.5.6 postfix version)? > Thanks in advance. As long as you're compiling against the same

Re: non-alpha HELO

2009-03-13 Thread Jorey Bump
LuKreme wrote, at 03/13/2009 07:22 AM: > So I thought I'd see if anyone else thought that a helo in the form > [12.34.56.789] SHOULD be allowed. I mean, as far as I recall, this is > still technically allowed, right? A bracketed IP address is valid in a HELO/EHLO, but is so rare in legitimate mai

Re: Unable To Track Spam in Mail Logs = :(

2009-03-11 Thread Jorey Bump
Carlos Williams wrote, at 03/11/2009 11:19 AM: > I just had a ticket come in regards to a user who just last week > started receiving a crazy amount of spam emails that he has never had > an issue with. I checked the mail logs (/var/log/mail.log) and was > unable to find anything. I checked the spa

Re: hold all relayed mail by default

2009-03-09 Thread Jorey Bump
Charles Marcus wrote, at 03/09/2009 09:42 AM: > On 3/9/2009, Costin Gu_ (costi...@gmail.com) wrote: >> yes, it's true that people expect instant delivery; however I was >> thinking at short delays such as 5 minutes, since most regrettable >> errors are discovered within the next few seconds follow

Re: Plus addressing not delivering to folder

2009-03-06 Thread Jorey Bump
Charles Marcus wrote, at 03/06/2009 02:27 PM: > I want to be able to use plussed addresses in such a way that if such a > message comes in and a subfolder matches the extension, the message will > be delivered to that subfolder, and if there is no matching subfolder, > it is just delivered to the

Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread Jorey Bump
LuKreme wrote, at 03/04/2009 09:25 PM: > On 4-Mar-2009, at 19:12, Jorey Bump wrote: >> LuKreme wrote, at 03/04/2009 05:24 PM: >>> On 4-Mar-2009, at 14:33, Jorey Bump wrote: >>>> smtpd_tls_security_level should be used instead. >>> >>> Not if you d

Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread Jorey Bump
J.P. Trosclair wrote, at 03/04/2009 05:01 PM: > I'll research the smtpd_tls_security_level option further. It didn't > present a problem until I started working on this specific feature with > the white lists. I have created another smtpd instance to forward white > listed domains to rather than t

Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread Jorey Bump
LuKreme wrote, at 03/04/2009 05:24 PM: > On 4-Mar-2009, at 14:33, Jorey Bump wrote: >> smtpd_tls_security_level should be used instead. > > Not if you don't want to force TLS on the submission port it shouldn't. The context is irrelevant. smtpd_tls_security_level

Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread Jorey Bump
J.P. Trosclair wrote, at 03/04/2009 04:05 PM: > LuKreme wrote: >> On 4-Mar-2009, at 13:08, J.P. Trosclair wrote: >>> submission inet n - - - - smtpd >>> -o smtpd_tls_security_level=encrypt >> >> >> Why? >> > > I didn't explicitly add it. It was a left over from the d

Re: Configuration advice

2009-03-04 Thread Jorey Bump
Emmanuel Seyman wrote, at 03/04/2009 02:03 PM: > What's the best way to do this? If I install SA on the first domain > and remove the lists.example.org MX, spammers will still be able to > send spam to it directly. Is setting up SA on both machines the simplest > way to go? It's certainly more fl

Re: "Forging" headers?

2009-03-04 Thread Jorey Bump
Ken D'Ambrosio wrote, at 03/04/2009 11:53 AM: > Hi, all. My company has a web server hosted by an external provider. It > sends out e-mail (e.g., in response to web forms), and, occasionally, it > gets bounced and/or eaten up by spam filters. What I'd like to do is > relay mail from the web serv

Re: a problem with catch-all alias handling in virtuals

2009-02-20 Thread Jorey Bump
Andi Raicu wrote, at 02/20/2009 04:47 AM: > I don't want to be in the situation where I didn't create an account to > the new server and emails that were supposed to be recieved are now, > well, kind of lost; so I need a catch-all email. Anyone who decides to distribute an email address without e

Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Jorey Bump
Victor Duchovni wrote, at 02/08/2009 03:37 PM: > On Sun, Feb 08, 2009 at 09:08:32PM +0100, mouss wrote: > >> No, I was referring to the "Sent" folder, populated by the MUA, either >> in a local disk or using IMAP. > > I know some people clever-enough to set "Sent == Inbox", yes this is not > very

Re: Blocking spam/address

2009-02-06 Thread Jorey Bump
Nandini Mocherla wrote, at 02/06/2009 12:49 PM: > I am new to postfix and thinking for a way to block the email address > which does not come from that domain. For example, if someone with a > @xxx.com email sends to a list it must come from a server in the xxx.com > domain else it should be rejec

Re: Aliases question - can I alias a user name to a name that is not a local user account?

2009-01-29 Thread Jorey Bump
Dave wrote, at 01/29/2009 01:37 AM: > What's with you guys on this list who have the answers yet are just > handing out clues one by one and making me guess about the answer over > the course of several email exchanges? You'll find that they are often being considerate, and are trying to avoid gi

Re: Name service error for name=localhost type=AAAA: Host not found

2009-01-28 Thread Jorey Bump
Dave (DavesTechShop.net) wrote, at 01/28/2009 07:26 PM: > I am not finding any solution. Here is my error: > > Jan 28 19:18:23 ubuntu postfix/smtp[27317]: 13n20: > to=, relay=none, delay=8, delays=7.9/0.01/0/0, > dsn=5.4.4, status=bounced (Host or domain name not found. Name service > error f

Re: I thought I had a send-only Postfix server, but I see someone connected to it!

2009-01-27 Thread Jorey Bump
MountainX wrote, at 01/27/2009 11:35 AM: > In my opinion, the opportunity for Linux to rise to greater heights starts Please get off your soapbox. If you have a question about Postfix, ask it. If you don't understand the answer and have more questions, ask them. If you want to say thanks, do so b

Re: how to filter

2009-01-27 Thread Jorey Bump
Tolga wrote, at 01/27/2009 08:19 AM: > > Heiko Wundram yazmış: >> >> I filter on the header >> >> List-Post: >> >> which catches everything (AFAICT) that comes in over the list. >> > or by the From: line > > Regards, > > /Tolga Your own message proves this

Re: Blocking certain outbound domains?

2009-01-21 Thread Jorey Bump
Todd A. Jacobs wrote, at 01/21/2009 03:42 PM: > Based on the feedback that I've gotten, I've made the following changes: > > smtpd_client_restrictions = > check_recipient_mx_access hash:/etc/postfix/mx_access > check_recipient_access hash:/etc/postfix/recipient_access >

Re: getting dns error

2009-01-09 Thread Jorey Bump
Sahil Tandon wrote, at 01/08/2009 10:06 PM: > James D. Parra wrote: > >> I am getting the following error when sending to the below mail server. I >> added the name of our internal relay server to our public dns and a ptr >> record, but I am still getting the error below. >> >> >> host mxi4p.cra

Re: "forcing" authenticated users to use port 587?

2009-01-09 Thread Jorey Bump
Sahil Tandon wrote, at 01/08/2009 11:37 PM: > Jeff Weinberger wrote: > >> Also you noted: >> In the final step of my scenario, that's the behavior I want to achieve. Will that simple step work? >>> Yes. You can completely disable submission on port 25 and prevent >>> relaying to d

Re: "forcing" authenticated users to use port 587?

2009-01-08 Thread Jorey Bump
Jeff Weinberger wrote, at 01/08/2009 09:27 AM: > Setting smtpd_sasl_auth_enable = no would mean that no authentication is > required on port 25, but if I understand it correctly, it wouldn't > actually stop an authenticated user from sending mail through port 25. > If they tried to authenticate on

Re: "forcing" authenticated users to use port 587?

2009-01-08 Thread Jorey Bump
Chris Babcock wrote, at 01/08/2009 03:19 AM: > On Wed, 7 Jan 2009 21:10:57 -0800 > Jeff Weinberger wrote: > >> 1) using the controls in postfix, is it possible to prevent >> authenticated >> users from using port 25 to submit mail? Is there a construct that >> would do >> that without interfe

Re: "forcing" authenticated users to use port 587?

2009-01-08 Thread Jorey Bump
Jeff Weinberger wrote, at 01/08/2009 12:10 AM: > Hi: > > Based on good practice and the help and urging of some of the gurus on this > list, I am moving my users to using the submission service (port 587) > instead of port 25 to send mail from their mail clients. > > Once most of them move, I'd l

Re: email retry problem

2009-01-07 Thread Jorey Bump
jittinan suwanrueangsri wrote, at 01/07/2009 02:15 PM: > In our environment > 1. a user can not connect to other mailserver directly such as gmail,aol > etc. except our mailserver. > 2. a user have right to use his/her other domain sender (aol,gmail) in > message which have to relay via our mailse

Re: Question regarding reject_unlisted_sender

2009-01-07 Thread Jorey Bump
Bill Landry wrote, at 01/07/2009 01:11 PM: > However, RFCs 2821 & 5321 seem to state that rejection after "MAIL TO" > is valid and should be properly handled by the sending server. So my > question is why does Postfix waits until after the "RCPT TO" phase > before rejecting the sender address?

Re: Does a policy server exist to filter on domain age/creation?

2008-12-20 Thread Jorey Bump
Justin Piszcz wrote, at 12/20/2008 05:43 AM: > $ whois linendim.com > > Record created on:2008-12-15 11:45:30.0 > Domain Expires on:2009-12-15 11:45:31.0 > > A 1-second life domain name. What do you mean? The domain expires in one year and a second from its creati

Re: how to send mail to gmail account

2008-12-19 Thread Jorey Bump
Jose Ildefonso Camargo Tolosa wrote, at 12/19/2008 08:47 PM: > On Fri, Dec 19, 2008 at 7:19 AM, Jorey Bump wrote: >> Jose Ildefonso Camargo Tolosa wrote, at 12/18/2008 06:28 AM: >> >>> I think you should send more info on your config, for example: >>> >>>

Re: how to send mail to gmail account

2008-12-18 Thread Jorey Bump
vivek.agrawal wrote, at 12/18/2008 07:01 AM: > please find main.cf contents below The output of postconf -n is preferred. > relayhost=smtp.gmail.com OK, this indicates that you are trying to send email *through* a gmail account, not merely *to* any gmail account. If you are simply having troubl

Re: how to send mail to gmail account

2008-12-18 Thread Jorey Bump
Jose Ildefonso Camargo Tolosa wrote, at 12/18/2008 06:28 AM: > I think you should send more info on your config, for example: > > MX record for your domain. > myhostname entry from main.cf > > these two should match. There is no requirement that these match. They are completely unrelated. The

Re: spammers using my mailserver trough webmai

2008-12-11 Thread Jorey Bump
Gerardo Herzig wrote, at 12/11/2008 12:47 PM: > Victor Duchovni wrote: >> Change the password for the compromised account. Or do you offer free >> sign-up? > > Well, yes, that's an option. But seems like a partial solution. About the > postfix configuration: Is there anything I can do to avoid an ac

Re: spammers using my mailserver trough webmai

2008-12-11 Thread Jorey Bump
Gerardo Herzig wrote, at 12/11/2008 12:32 PM: > Hi all. I'm facing an ugly situation. Some spammer is using the webmail to > send spam. The thing is, he's using an actual account/password (from my > server) to authenticate against the webmail, and then sending mail from > "UK LOTTO "...crap!! > > Sinc

Re: Minimal MTA/ MDA for local mail only?

2008-12-11 Thread Jorey Bump
Gaute Amundsen wrote, at 12/11/2008 07:25 AM: > Slightly OT this, but I can't think on any other obvious place to ask, and an > hour of googling turned up little. > > The question: > What are my options if I don't want to run a full blown mail server, and > really only want all mail delivered to

Re: stop accepting mail and clear mailq

2008-11-19 Thread Jorey Bump
J.P. Trosclair wrote, at 11/19/2008 08:14 PM: > > On Nov 19, 2008, at 6:06 PM, Wietse Venema wrote: > >> To stop receiving mail from the network, comment out the network >> facing smtpd entry in master.cf, do "postfix reload", and look >> for warnings in the maillog file. >> >> You can get a lot

Re: TLS Logging

2008-11-19 Thread Jorey Bump
Larry Stone wrote, at 11/19/2008 01:50 PM: > You have a client connecting to a server with your self-signed > certificate (signed by a CA of your own creation). Connections to it do > not generate verification failures. Does the client have your > self-created CA's root certificate on it? If so, t

Re: Check MX entry before virtual domains maps

2008-11-03 Thread Jorey Bump
M. wrote, at 11/03/2008 03:41 PM: > On Mon, 2008-11-03 at 15:26 -0500, Jorey Bump wrote: >> Although checking the MX record before provisioning would provide the >> ultimate verification, it would expose the domain to the possibility of >> lost mail, since it requires the cust

Re: Check MX entry before virtual domains maps

2008-11-03 Thread Jorey Bump
Wietse Venema wrote, at 11/03/2008 03:06 PM: > M.: >> On Mon, 2008-11-03 at 19:32 +0100, mouss wrote: >>> and the problem is? If they "control the domain", then you have no problem! >> OK, I will try to explain that by example: >> >> 0. user buys domain mydomain.com >> >> 1. user adds mx record mai

Re: Check MX entry before virtual domains maps

2008-11-03 Thread Jorey Bump
M. wrote, at 11/03/2008 01:51 PM: > 4. user can add *any* domain he wants to my postfix's virtual domains > maps by perl script. If that particular domain is listed in virtual > domains maps postfix will not check MX record. I want to avoid it. I > need to force postfix to use DNS before checking

Re: Backscatter issues with non-delivery notifications

2008-11-03 Thread Jorey Bump
Dave Buchanan (Abo Ltd) wrote, at 11/03/2008 10:32 AM: > Dear postfix users > > I have re-configured our postfix mailservers to remove catch all aliases to > remove the amount of mail accepted. > > I now have one more issue to resolve with respect to non delivery > notifications - backscatte

Re: Virtual Alias Rejection issues

2008-11-02 Thread Jorey Bump
Dave Buchanan (Abo Ltd) wrote, at 11/02/2008 02:03 PM: > virtual_alias_domains = domain_one.tld domain_two.tld > virtual_alias_maps = hash:/etc/postfix/virtual > > /etc/postfix/virtual contains > [EMAIL PROTECTED][EMAIL PROTECTED] > @domain_two.tlddomain_one.tld > > Mail to [EMA

Re: Which FileSystem do you use on your postfix server?

2008-10-30 Thread Jorey Bump
Victor Duchovni wrote, at 10/30/2008 12:44 PM: > Past reports of ReiserFS on this list indicate that it falls short > of reasonable (i.e. perfect) data integrity expectations. I also value data integrity over performance and will add that XFS never made it out of my punishment closet into a produ

Re: Outgoing IP address

2008-10-23 Thread Jorey Bump
Robert Fitzpatrick wrote, at 10/23/2008 03:58 PM: > I have an SMTP server down and would like to use another box > temporarily. The IP address of the down server is setup with reverse > DNS. I added this IP address as an alias to the interface on the temp > box, can Postfix control the IP used to s

Re: Best anti-spam

2008-10-22 Thread Jorey Bump
Richard Foley wrote, at 10/22/2008 07:56 AM: > On Wednesday 22 October 2008 01:27:51 Terry Carmen wrote: >> >> check_client_access=regexp:/etc/postfix/spam_ip_regex >> >> spam_ip_regex file: >> >> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be >> connecting from a Dynamic

Re: multiple mx and timeout question

2008-10-20 Thread Jorey Bump
Joey wrote, at 10/20/2008 12:42 PM: > I just wanted to confirm something. > > We are defining 3 servers for MX and the first one is basically nolisting. > > Should any server trying to deliver to the first mx IMMEDIATELY try to > connect to the second, or should we see a delay like with greylist

Re: Finally blocking some spam

2008-10-17 Thread Jorey Bump
Joey wrote, at 10/17/2008 09:14 PM: >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] >> On Behalf Of j debert >> Sent: Thursday, October 16, 2008 11:26 AM >> To: postfix-users@postfix.org >> Subject: Re: Finally blocking some spam > >> That's still too simple

Re: Finally blocking some spam

2008-10-13 Thread Jorey Bump
Joey wrote, at 10/13/2008 05:10 PM: > I can only tell you that in 4 days we have blocked at the firewall level ( > on only 1 server ) > 161,166 connections from Poland > 1,184,747 connections from Turkey > 418,162 connections from Russia > 53,656 connections from Czech > 1,613,636 connections from

Re: Finally blocking some spam

2008-10-13 Thread Jorey Bump
Joey wrote, at 10/13/2008 03:50 PM: > You feel like we are doing you a disservice unintentionally because we may > be blocking your IP, but in reality the other people in Poland who are > exploiting the internet are to blame. :( Glass houses... It may be true that your users can afford to give Po

Re: Finally blocking some spam

2008-10-13 Thread Jorey Bump
Joey wrote, at 10/13/2008 01:42 PM: > You reach a point where the money we think we are profiting from > services sucks up all our time and resources and somehow we have to > reduce that overhead and SPAM. Imagine that we are blocking millions > of spam messages a month through various methods and

Re: Finally blocking some spam

2008-10-13 Thread Jorey Bump
Joey wrote, at 10/13/2008 11:57 AM: > For us greylisting was a problem because it put a big delay on email when you > were sitting waiting for a message from someone you were talking to, but that > catches A LOT of email. Consider Nolisting. It doesn't have the delay associated with greylisting

Re: TLS on port 25

2008-10-08 Thread Jorey Bump
Jake Vickers wrote, at 10/08/2008 10:49 AM: > Are there good reasons to NOT use TLS on port 25? (ie: in master.cf: -o > smtpd_use_tls=no) > Curious as to if it breaks things for certain clients or something. There's a good reason not to *require* STARTTLS on port 25, if you want to allow connectio

Re: Fighting SPAM

2008-10-06 Thread Jorey Bump
Marky Yehezkiel (SNC) wrote, at 10/06/2008 10:17 PM: > I just wondering is there any way in postfix that can check port 25 of > sender is open or not. Why do you assume that a legitimate relay must also accept connections on port 25? There's no requirement that an MX must also be the source of ou

Re: Virtual domain uncertainty...

2008-10-06 Thread Jorey Bump
Charles Marcus wrote, at 10/06/2008 04:27 PM: > I'm going to be writing up instructions for users who will be using > these new domains how to set up their mail clients (Thunderbird mainly, > but I also include instructions for the Microsoft clients)... so I > wanted to confirm that I can use the

Re: Use of X509v3 Subject Alternative Name

2008-10-03 Thread Jorey Bump
Victor Duchovni wrote, at 10/03/2008 12:35 PM: > On Fri, Oct 03, 2008 at 10:22:59AM -0400, Jorey Bump wrote: > >> I'm curious about the use of X509v3 Subject Alternative Name in >> certificates, and if they pose any problems when used in production. > > No, these are

Re: SASL configuration woes

2008-10-03 Thread Jorey Bump
Stephen Holmes wrote, at 10/03/2008 12:01 PM: > Jorey Bump wrote: >> You've wisely configured postfix to offer AUTH only via STARTTLS, so it >> won't appear until the session is renegotiated and encrypted. telnet is >> not up to troubleshooting this task. You'v

Re: SASL configuration woes

2008-10-03 Thread Jorey Bump
Stephen Holmes wrote, at 10/03/2008 11:44 AM: > Hi PostFixers, > > I'm now running postfix/dovecot/mysql in SUSE Linux Enterprise 10 SP2 > and I wanted to secure the SMTP connections. I've tried to follow one > or more tutorials, but so far to no avail. The server is up and running > and Thunder
