Re: AntiSpam & AntiVirus Integration with Postfix: lots of tools, but which one's AREN'T 'dead'?

2015-09-08 Thread Mark Martinec
joh...@fastmail.com wrote: I'm now at the phase of looking into Anti-Virus and Anti-Spam. Looks like ClamAV and Spamassassin are the main options here. Both of those projects seem to be pretty alive and kicking too. So I'm left with how to integrate them into and with Postfix. I've poked aroun

Re: Fwd: spf: lookup failed

2015-09-08 Thread Mark Martinec
A bug in getnameinfo() in perl 5.16 and older. Fixed with perl 5.18 and later, which deal with pPOK vs. POK flags somewhat differently. See: http://marc.info/?l=spamassassin-users&m=141461245312708 one possible workaround: http://marc.info/?l=spamassassin-users&m=141467352930918 or a workaro

Re: Fwd: spf: lookup failed

2015-09-08 Thread Mark Martinec
2015-09-07, Czarek wrote: For incoming messages I found in the logs: spf: lookup failed: addr is not a string at /usr/share/perl5/vendor_perl/IO/Socket/IP.pm line 662 A bug in getnameinfo() in perl 5.16 and older. Fixed with perl 5.18 and later, which deal with pPOK vs. POK flags somewhat diff

Re: SMTPUTF8 usage

2015-08-20 Thread Mark Martinec
Michael Ströder wrote: Does anybody here have experience with current usage of SMTPUTF8? I have a discussion whether that's already used in the wild or not. Google does support SMTPUTF8 : $ host -t mx gmail.com gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com. gmail.com mail is

Re: spampd + amavis? [pre-accept filtering and amvis]

2015-05-10 Thread Mark Martinec
There is no difference for the remote SMTP client whether you use spampd in "pre-accept" mode, or amavisd-new in "pre-accept" mode. Both approaches have the same problem: when it takes too much time to inspect a message, the remote SMTP client will time out. Right. Amavisd tries to get all pr

Re: Why does SPF fail sometimes?

2014-12-18 Thread Mark Martinec
Peter wrote: On 12/16/2014 05:25 AM, Darren Pilgrim wrote: It's extra fun when they do so to an email with a DKIM signature covering the From: header. MLMs should strip the DKIM header anyways and add their own if appropriate. There is (and must not be) any semantic or practical difference

anvil statistics log entry syntax

2014-12-10 Thread Mark Martinec
Just came across the following logged message which failed to be parsed by our log parser: postfix/anvil[29988]: statistics: max message rate 4/60s for ([2001:1470:ff80::25]:10088:2001:1470:ff80:88::80:c) at Dec 8 19:26:44 Btw, 10088 is a port number, not part of an IP address. Perhaps an IP

Re: google bouncing emails - ipv6 ptr problem?

2014-11-19 Thread Mark Martinec
Robert Moskowitz wrote: Perhaps this should go to the bind list, but all of my checking shows my ipv6 ptr record is working. This started, I think, last week. I was running an old mailserver and sent many an email to the cubieboard list. Just today I finally upgraded my mailserver, but still g

RFE: Using a link-local (scoped) IP address

2014-11-18 Thread Mark Martinec
After an instant success of switching our Redis server to listen only on a link-local (scoped) IPv6 address (RFC 4007), along with switching its clients (Amavis, SpamAssassin, logfeeder), I got greedy and tried to do the same with postfix, which didn't like my idea: master.cf: [fe80::1%lo0]:100

Internationalized Email now supported by amavisd (SMTPUTF8, EAI, IDN)

2014-10-22 Thread Mark Martinec
To go hand-in-hand with the Postfix support for Internationalized Email, the new version 2.10.0 of amavisd mail content filter was released today. So now that we have it covered at an MTA and at a content filter stages, it's perhaps time to step up the heat on developers of mail clients and IMA

Re: Discuss: safety net for other compatibility breaks

2014-10-07 Thread Mark Martinec
Wietse wrote: What else needs to be considered? There are more settings whose defaults can be confusing to people who aren't familiar with 10+ years of Postfix history. - relay_domains (default: $mydestination). This should be empty. - mynetworks-style (default: subnet). This should be "host". I

Re: Internationalized Domain Names (?)

2014-10-05 Thread Mark Martinec
Wietse wrote: Mark Martinec: Btw, amavisd since 2.10.0 converts ACE domain names to UTF-8 for presentation purposes (logging, JSON structured report, DNS and admin notifications), and encodes non-ASCII UTF-8 domains in sender and recipient addresses into ACE if the next hop MTA (e.g. back-end

Re: Internationalized Domain Names (?)

2014-10-05 Thread Mark Martinec
Ronald F. Guilmette wrote: These days, whenever one builds any kind of tool that does anything with e-mail, it is necessary to think about this new-fangled phenomenon of Internationalized Domain Names, so... In what (if any) mail headers generated by Postfix might one reasonably expect to find e

Re: SMTPUTF8: XFORWARD PROTO and "WITH protocol types" / UTF8SMTPS?A?

2014-09-30 Thread Mark Martinec
me said: The XFORWARD_README / "XFORWARD Command syntax" currently tersely states: - The PROTO attribute specifies the mail protocol for receiving mail from the up-stream host. This may be an SMTP or non-SMTP protocol name of up to 64 characters, or [UNAVAILABLE] when the information is

SMTPUTF8: XFORWARD PROTO and "WITH protocol types" / UTF8SMTPS?A?

2014-09-30 Thread Mark Martinec
The XFORWARD_README / "XFORWARD Command syntax" currently tersely states: - The PROTO attribute specifies the mail protocol for receiving mail from the up-stream host. This may be an SMTP or non-SMTP protocol name of up to 64 characters, or [UNAVAILABLE] when the information is unavailabl

SMTPUTF8: reject_unknown_recipient_domain misses the IDN to ascii conversion before DNS lookup

2014-09-24 Thread Mark Martinec
With: smtpd_recipient_restrictions = [...] reject_unknown_recipient_domain [...] the test fails: $ nc ::1 25 220 mail.ijs.si ESMTP Postfix ehlo bla 250-mail.ijs.si [...] 250 SMTPUTF8 MAIL FROM: SMTPUTF8 250 2.1.0 Ok RCPT TO: 550 5.1.8 : Sender address rejected: Domain not found

smtp-sink: fatal: sockaddr_to_hostaddr: Non-recoverable failure in name resolution

2014-09-17 Thread Mark Martinec
Was investigating why I can't connect to my smtp-sink: $ smtp-sink -v [::1]:10055 10 smtp-sink: name_mask: all smtp-sink: trying... [::1]:10055 then in another window: $ smtp-source [::1]:10055 and the smtp-sink aborts with: smtp-sink: fatal: sockaddr_to_hostaddr: Non-recoverable failure i

Re: Berkeley DB6 and Postfix

2014-05-15 Thread Mark Martinec
Robert Sander wrote: I remember that Mark Martinec mentioned a license change in Berkeley DB version 6 to the Affero GPL that forces Amavis to switch to LMDB. The additional provision requires that the complete source code be made available to any network user of the AGPL-licensed work https

Re: disable ipv6 when sending to gmail ?

2013-10-24 Thread Mark Martinec
Dominik George wrote: > if i would be you i would *not* use "v=spf1 mx ~all" > here you go for ipv6 > > > http://www.openspf.org/SPF_Record_Syntax#ip6 > > Jeez, I don't believe it. The problem is that the mx mechanism simply > only enumerates A records of MXs. That's broken ... Wietse wrote: > Tha

Re: disable ipv6 when sending to gmail ?

2013-10-18 Thread Mark Martinec
HQJaTu writes: > Google chose to change the wording in their 550 error. > 550-5.7.1 [2001:-my-IPv6-address-here-16] Our system has detected > 550-5.7.1 that this message does not meet IPv6 sending guidelines regarding > 550-5.7.1 PTR records and authentication. Please review > 550-5.7.1 https://su

Re: Auto-whitelist recipients

2012-09-04 Thread Mark Martinec
Eddy, > I'd like to continously update whitelist for spamassassin of recipients > that my sasl users have sent mail to (i.e. when the recipients reply > they will surely not be considered as spam). I am not using per-user > spamassassin configurations (only a global configuration). > > I've fo

Re: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

2012-02-02 Thread Mark Martinec
Kshitij, > Feb 1 10:21:43 D1OKH680RL postfix/master[11324]: warning: process > /usr/libexec/postfix/smtpd pid 11339 killed by signal 11 The smtpd service crashed with segmentation violation (SEGV). There is something wrong with your installation of postfix or libraries (like database access).

Re: post-install, IPv6-only: could not find any active network interfaces (again)

2011-12-29 Thread Mark Martinec
Sahil Tandon wrote: > I do not believe Mark should have to jump through extra hoops, or that > you should revert the change. This is a FreeBSD port-specific problem > created by me that I will address as soon as I can. Wietse Venema wrote: > Considering the short time left before the next stable

Re: post-install, IPv6-only: could not find any active network interfaces (again)

2011-12-27 Thread Mark Martinec
> I'm assuming that you have "inet_protocols=ipv6" in main.cf, instead > of the backwards-compatibility "inet_protocols=ipv4" workaround, > because that would not work on your machine. No, that was a fresh install attempt, no directory /etc/postfix or /usr/local/etc/postfix, no previous main.cf or

Re: post-install, IPv6-only: could not find any active network interfaces (again)

2011-12-27 Thread Mark Martinec
> > postfix: fatal: could not find any active network interfaces > > *** Error code 1 > > How do you want to proceed: wait until I have time to reproduce > your IPv6-only setup for which I have no specification, or spend > all of next year doing blind testing? No offense and not intending to rush

post-install, IPv6-only: could not find any active network interfaces (again)

2011-12-27 Thread Mark Martinec
Reviving an old thread from 2011-09: Mark Martinec: > Trying to install postfix on an IPv6-only host > FreeBSD 9.0B1, http://wiki.freebsd.org/IPv6Only > ports: mail/postfix-current, > but the installation chokes in the post-install phase. > Running that failing command manuall

Re: Possibility to store all incoming mail (pre-content_filter)

2011-12-15 Thread Mark Martinec
Michael, > Yeah, unlikely but possible. In fact the mail passes through 2 filters > before being returned to postfix: > postfix:25 -> amavis:10024 -> apache-james:10025 -> postfix:10026 -> > smarthost > > All i can tell is that some mails (like 1 out of 2) get corrupted in > the process and e

Re: unused parameter: smtpd_client_connection_limit_exceptions

2011-11-23 Thread Mark Martinec
> > -o smtpd_client_connection_limit_exceptions=0.0.0.0/0 Jeroen Geilman wrote: > This is probably old code, since postconf(5) says: > http://www.postfix.org/postconf.5.html#smtpd_client_event_limit_exceptions > > *smtpd_client_event_limit_exceptions( > default: $mynetworks )* > > Clients

unused parameter: smtpd_client_connection_limit_exceptions

2011-11-23 Thread Mark Martinec
postfix 2.9.2019 warns me: unused parameter: smtpd_client_connection_limit_exceptions Yet if I remove this option from master.cf, I soon reach the connection limit at the pre-queue content filter's re-entry smtpd service: 421-4.7.0 mail.ijs.si Error: too many connections from ::1 451 4

Re: Per-Recipient Data Responses (was: ... per-recipient treatment of messages in a milter environment)

2011-11-23 Thread Mark Martinec
Wietse wrote: > To make per-recipient end-of-data replies useful with Postfix, PRDR > would need to be supported by at least one third-party content > inspection mechanism (such as Amavisd-new or Milter), because I see > no obvious user interface for PRDR with Postfix header/body_checks. > > - SMT

smtp-sink pipelining slow: TCP Nagle & delayed ACK stalls

2011-11-17 Thread Mark Martinec
While benchmarking a SMTP content filter, using smtp-source as a traffic generator and smtp-sink as sink, the message transfer rates were much worse than expected (about 100 seconds, instead of just a few seconds for 1000 messages). It turned out the problem is in a TCP session over a loopback int

Re: MIME Parser Error - Can't Send Email

2011-11-03 Thread Mark Martinec
Just for the archive: > (host 127.0.0.1[127.0.0.1] said: > 451 4.5.0 Error in processing, id=10796-01, > mime_decode-1 FAILED: > MIME::Parser: can't open tmpfile: Invalid argument As Patrick and Gary said, looks like a trouble with a /tmp directory (protection?) or its file system (full or

Re: smtp-sink shows one more empty EHLO option

2011-10-27 Thread Mark Martinec
> Nope, RFC 2821 and RFC 5321 still has the same text. > It even goes on to say ... RFC 5321 does not allow empty ehlo-keyword: section 4.1.1.1: ehlo-ok-rsp= ( "250" SP Domain [ SP ehlo-greet ] CRLF ) / ( "250-" Domain [ SP ehlo-greet ] CRLF *( "250

smtp-sink shows one more empty EHLO option

2011-10-27 Thread Mark Martinec
Seems like the smtp-sink appends one empty EHLO option at the end of its reply to an ehlo command. Should this be fixed? - my content filter is currently logging a warning, I wonder if I should remove the warning :) Using postfix-current-2.9.20111012 from FreeBSD ports. $ smtp-sink 127.0.0.1:200

Re: PIX & timed out while sending end of data -- message may be sent more than once

2011-10-06 Thread Mark Martinec
John, > Oct 5 00:10:22 myhost postfix/smtp[28713]: 125BC2400A7: > to=, relay=mail.abc.tld[123.456.789.123]:25, > delay=187500, delays=186888/0.01/0.16/612, dsn=4.4.2, status=deferred > (conversation with mail.abc.tld[123.456.789.123] timed out while sending > end of data -- message may be sen

Re: post-install, IPv6-only: could not find any active network interfaces

2011-09-14 Thread Mark Martinec
> On Aug 23, 12:30 pm, Mark Martinec wrote: > > Trying to install postfix on an IPv6-only host > > FreeBSD 9.0B1, http://wiki.freebsd.org/IPv6Only > > ports: mail/postfix-current, > > but the installation chokes in the post-install phase. > > Running that faili

post-install, IPv6-only: could not find any active network interfaces

2011-08-23 Thread Mark Martinec
Trying to install postfix on an IPv6-only host FreeBSD 9.0B1, http://wiki.freebsd.org/IPv6Only ports: mail/postfix-current, but the installation chokes in the post-install phase. Running that failing command manually (in the ports work directory) gives: # bin/postfix -v post-install postfix

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Mark Martinec
On Wednesday June 15 2011 05:42:36 Noel Jones wrote: > At this time I'm inclined to set this aside. The DKIM bug > doesn't seem to be widespread; there is no compelling case to > add a new workaround right now. Indeed the situation has much improved in the past year or two. Many sites have turne

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Mark Martinec
> > How does an SMTP client recognize an ASA box before it breaks email? > > Only from the /^[02 *]+$/ banner. > # telnet mx.interfree.it 25 > 220 ** I think the newer versions of ASA can be configured to let ESMTP pass through with

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Mark Martinec
Ralf wrote: > Today I found that some sites behind a PIX/ASA firewall with "smtp > protocol fixup" would not accept DKIM signed mails. But you already knew that! :) ASA bug CSCsy28792 and a couple of related header-parsing bugs, triggered by encountering a "content-type" or "content-transfer-enc

Re: Anyone run Postfix in FreeBSD jails environement ?

2011-06-08 Thread Mark Martinec
> Does anyone is running postfix in FreeBSD "jails" environment > with success on a production server ? I'm thinking of it > and would be interested by any successful experience. FreeBSD older than 7.2 did not support multiple IP addresses in jail (e.g. an IPv6 address, or a separate mail submi

Re: Timed out while sending message body

2011-05-17 Thread Mark Martinec
> Tomasz K. Jarzynka: > > Finally, I ran a tcpdump on our origin mail server, our firewall > > and the destination mail server (thanks to the help of its > > administrator) but the output is inconclusive to me. On our side, > > It looks like transmission stalls after a couple hundred bytes + > > s

Re: Google 7720 Error

2011-05-13 Thread Mark Martinec
> I have no proxies and have turned off the firewall > although the fact it works for some gmail and mindspring and not other > is puzzling Any Cisco firewall (ASA or PIX) on your side? Mark

Re: postfix performance

2011-03-25 Thread Mark Martinec
> I installed both pdns-recursor and unbound (running without any zone > data) on a test box and got very similar performance results from > both. We happened to go with unbound, but based on your > recommendation, maybe I'll give pdns-recursor another look (it's still > running on our test box).

Re: warning: truncate before-queue filter speed-adjust log: Permission denied

2011-03-24 Thread Mark Martinec
> Wietse Venema wrote: > > Please file a ZFS bug report. As per POSIX, when the O_CREAT is > > specified to open(), > > The third argument does not affect whether the file is open > > for reading, writing or for both. > > In other words, read/write access is controlled with the O_RDWR fla

Re: Long queue ID support gotcha

2011-03-12 Thread Mark Martinec
> The idea is to prepend the 30 least significant bits of the time > in seconds to the queue ID. Btw, 6 more hours to the next 'pretty' decimal unix timestamp: 13 Mark

Re: warning: truncate before-queue filter speed-adjust log: Permission denied

2011-02-18 Thread Mark Martinec
Wietse Venema wrote: > Please file a ZFS bug report. As per POSIX, when the O_CREAT is > specified to open(), > The third argument does not affect whether the file is open > for reading, writing or for both. > In other words, read/write access is controlled with the O_RDWR flags, > not th

warning: truncate before-queue filter speed-adjust log: Permission denied

2011-02-18 Thread Mark Martinec
A freshly installed postfix 2.8.0 from FreeBSD ports on FreeBSD 8.2-RC3, with a file system on ZFS (zpool v15, zfs v4) shows an interesting warning when smtpd_proxy_options=speed_adjust is enabled on a smtpd service which uses a proxy filter: Feb 18 20:25:39 xxx postfix/smtpd[3620]: warning: tru

Re: postfix/trivial-rewrite: warning: mysql query failed: Illegal mix of collations

2011-01-26 Thread Mark Martinec
Claudio Prono wrote: > Uhm, i have another information about that case: the mail are sended to > postfix from an antispam appliance (Symantec). Can be a problem of > config of that antispam results illegal characters are sended to postfix? > Can i add something to solve that problem? That is possi

Re: postfix/trivial-rewrite: warning: mysql query failed: Illegal mix of collations

2011-01-25 Thread Mark Martinec
> How does MySQL know that the query parameter(s) should be UTF-8 > and not ISO LATIN mumble or something else? By a client executing a command: SET NAMES 'utf8' as far as I can tell. SET NAMES indicates what character set the client will use to send SQL statements to the server. http://dev.mys

Re: postfix/trivial-rewrite: warning: mysql query failed: Illegal mix of collations

2011-01-24 Thread Mark Martinec
Jeroen Geilman wrote: > Urgh. Which RFC are you reading ? > I quote: > Systems MUST NOT define mailboxes in such a way as to require the use > in SMTP of non-ASCII characters True (tell it to generators of malicious mail or just incompetent sending sw). This does not prevent illegal data to appe

Re: postfix/trivial-rewrite: warning: mysql query failed: Illegal mix of collations

2011-01-24 Thread Mark Martinec
> What MySQL makes of such data is up to the MySQL client and server > libraries, but Postfix does not promise that the input will be well-formed > UTF-8, or ISO Latin or anything of the sort. Just an array of bytes. Right, as it should be. Envelope addresses are not associated with any character

Re: postscreen access list

2011-01-22 Thread Mark Martinec
> postscreen_dnsbl_sites = zen.dnsbl*2 ??? You mean zen.spamhaus.org Mark

Re: postfix-2.8.0-RC3 and postfix-2.9-20110118

2011-01-19 Thread Mark Martinec
> Anything else? > Does it work? So far so good, it works. Perhaps it's time (in the next RC, if any) to remove the safety net need for postscreen_whitelist_networks = postscreen_blacklist_networks = Mark

Re: postfix-2.8.0-RC3 and postfix-2.9-20110118

2011-01-19 Thread Mark Martinec
> I have uploaded new tarballs to ftp.porcupine.org. Let's hope that > things stabilize this week. Below are the changes since RC2. > Last-minute incompatible syntax change: Postfix now uses > ";" instead of "," to separate DNSBL/DNSWL address filter > fields inside "[]". R

postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Mark Martinec
I must be doing something silly, but I can't see my mistake. $ postconf postscreen_dnsbl_sites postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need "," or "]" at "127.0.0.[2><" Or to simplify the matter: $ postconf

Re: PREPEND problems

2010-12-20 Thread Mark Martinec
mouss wrote: > anyway, reading your prepend info tells us that you're trying to do > something regarding spamhaus based on the From header. This is most > probably wrong. if you tell us what you're trying to do, we will tell > you why you are wrong ;-p If we are talking about VBR-Info based on a D

Re: Spamhaus DWL in postfix

2010-12-02 Thread Mark Martinec
OT, sorry, just to finish up this thread: myself: > I'm working on a SpamAssassin plugin to implement Spamhaus DWL > (and other 'SA tag'- based DNS lookups). Done. Available in the SpamAssassin SVN trunk (on its way to become 3.4.0): https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6518

Re: Spamhaus DWL in postfix

2010-11-15 Thread Mark Martinec
Christian Roessner: > I am interested in including the DWL feature from SpamHaus into > postfix. Wietse: > DWL requires content external content inspection. For example, a > Milter, or a before-or-after-queue SMTP-based filter. Either approach > can be used to verify the DKIM signature and the VBR

Re: cidr table performance

2010-11-05 Thread Mark Martinec
Jeroen Geilman wrote: > for (entry = list; entry; entry = entry->next) { > Each map is a linked list of CIDR patterns, so consolidate as much as > possible - 10 single IPs will cause noticeable delays when the last > entry matches! Funny coincidence: just yesterday I added a Patricia (ra

Re: postscreen vs. (all?|some?) address verification milter(s) in sendmail

2010-09-30 Thread Mark Martinec
Here is a similar incident with a milter not understanding multiline responses, as well as shooting out the query without waiting for a greeting. Below is my side of the correspondence with its author and with the postmaster of the site where it was first observed. From: Mark Martinec To

Re: Seeking recommendation for before-queue content filter capable of removing headers

2010-09-13 Thread Mark Martinec
our needs. The $b is a header field body, the result is a replacement body, or undef to delete it. > $signed_header_fields{lc('Received')} = 0; > @Mark Martinec (in case you're reading this): Do you think > this would make a reasonable default setting for amavisd-new?

Re: Seeking recommendation for before-queue content filter capable of removing headers

2010-09-13 Thread Mark Martinec
Ralph, > On 12.09.10 10:46, mouss wrote: > > Received headers should not be included in the DKIM signature. so > > removing them won't invalidate DKIM. > > If you have a look at my message which you quoted, you'll see > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=seichter.de; h= >

Re: timeout trouble with postfix and amavisd in BQCF

2010-09-03 Thread Mark Martinec
> Sep 2 13:00:47 ru amavis[87682]: (87682-15) TIMING [total 257879 ms] - > SMTP greeting: 25055 (10%)10, SMTP EHLO: 0 (0%)10, SMTP pre-MAIL: 0 (0%)10, > SMTP pre-DATA-flush: 7 (0%)10, > SMTP DATA: 24052 (9%)19, check_init: 25053 (10%)29, digest_hdr: 1 (0%)29, > digest_body: 0 (0%)29, > gen_ma

Re: timeout trouble with postfix and amavisd in BQCF

2010-09-03 Thread Mark Martinec
Patrick, Versions before amavisd-new 2.7.0 and SA older than 3.3.0 are not particularly suitable for a pre-queue filtering setup. The combined new features of 2.7.0, SA 3.3.* and the postfix 'speed_adjust' made such a setup much better behaved. Please read the introductory sections of 2.7.0 (pre)

Re: Better logging for a unix socket connection failure in a proxy filtering setup

2010-09-02 Thread Mark Martinec
> > All I got was a '451 4.3.0 Error: queue file write error' for the > > client, and just a disconnect and a double bounce in the log. > > Turning on verbosity on smtpd did not help to explain the issue. > > (version: postfix-current-2.8.20100728 from ports @ FreeBSD 8.1) > > By design, Postfix d

Better logging for a unix socket connection failure in a proxy filtering setup

2010-09-02 Thread Mark Martinec
I'd like to report a rather minor/cosmetic problem - namely a lack of useful logging when an smtpd service tries to connect to a proxy content filter over a Unix socket which is too heavily protected - but which took me far longer to understand than necessary (the strong protection was on a parent

Re: Delayed-ACK holdups to a proxy content filter on lo0 for mid-size messages

2010-08-27 Thread Mark Martinec
On Friday August 27 2010 19:06:02 Victor Duchovni wrote: > Just so everyone else is clear on the context, this is not a post-queue > content_filter issue (post-queue content filters use the SMTP/LMTP > delivery agent which already does the right thing). This applies only > to the pre-queue proxy f

Delayed-ACK holdups to a proxy content filter on lo0 for mid-size messages

2010-08-27 Thread Mark Martinec
Seems I stumbled across another manifestation of a delayed-ACK holdups of 100 ms in the communication over a loopback interface between postfix and a content filter in a proxy (pre-queue) setup ... similar to what was already resolved for a milter setup: http://archives.neohapsis.com/archives/pos

db50 (DB11gR2) - Unsupported Berkeley DB version

2010-06-11 Thread Mark Martinec
postfix-2.8-20100323, FreeBSD ports: mail/postfix-current, databases/db50 /etc/make.conf: WITH_BDB_VER=50 --- src/util/dict_db.c~ 2010-01-02 22:28:08.0 +0100 +++ src/util/dict_db.c 2010-06-11 15:50:48.0 +0200 @@ -676,5 +676,5 @@ if (type == DB_HASH && db->set_h_nelem(db, DIC

Re: All email forward a copy to testing server

2010-04-13 Thread Mark Martinec
Patric, > I looked in to it a little more and it looks like Maia re-writes the > new.sub.domain.com to sub.domain.com. > I get: > > /usr/sbin/amavisd-new[22834]: (22834-04) Checking: [62.127.194.20] > -> > , > > When I guess it should be: > > /usr/sbin/amavisd-new[22834]: (22834-04) Checking:

Re: amavis Delivery status notification(DSN) failing

2010-04-09 Thread Mark Martinec
Ashish, >> Your java filter sent a greeting: "220 Hello\n" >> instead of: "220 Hello\r\n". Amavisd waited 30 seconds but >> end of line (CR LF) never arrived, so the session was aborted. >> RFC 5321 (and RFC 2821 and RFC 821) requires that SMTP commands >> and replies are terminated by a CRLF, not

Re: amavis Delivery status notification(DSN) failing

2010-04-09 Thread Mark Martinec
Ashish, > Attached is the full level 5 log for your reference. Thank you! Apr 9 07:17:31 ip-10-194-99-63 amavis[18885]: (18885-05) (about to connect to [127.0.0.1]:10030) FWD via SMTP: -> Apr 9 07:17:31 ip-10-194-99-63 amavis[18885]: (18885-05) smtp session: setting up a new session Ap

Re: amavis Delivery status notification(DSN) failing

2010-04-08 Thread Mark Martinec
Ashish, > I have a postfix mail server over which I have deployed a custom content > filter written in java. > > Now I introduced amavisd (containing clamav and spamassassin) as content > filter such that the mail is passing in following manner: > > ===>mail from outside ===> Postfix > ama

Re: log message

2010-02-16 Thread Mark Martinec
> Jon L Miller: > > postfix/postsuper[4932]: warning: bogus file name: hold/razor-agent.log > > Some NON-POSTFIX software is leaving its NON-POSTFIX garbage in > the Postfix queue. Sounds like a MailScanner issue. Mark

Re: My postfix server sometimes send command less than 4 alphabets

2010-01-19 Thread Mark Martinec
> > I'm using content filter, which parses email from my postfix server. > > My postfix server sometimes sends a command which is less than 4 > > alphabets. > > I don't know what to do for that command, as I don't know which command > > is that... Can anybody tell me, is there any command of less

Re: Multiple "From:" in a mail header?

2010-01-15 Thread Mark Martinec
On Friday January 15 2010 09:11:27 Kārlis Repsons wrote: > But have you seriously seen a mail client, which would allow sending such > mail? I would think, this is an extreme rarity, but is it? It is very rare alright. Multiple author addresses in a single From header field are legitimate, but so

Re: Multiple "From:" in a mail header?

2010-01-14 Thread Mark Martinec
On Thursday January 14 2010 20:14:48 Victor Duchovni wrote: > It may be prudent to also treat: > From: > From: > as synonymous with: > From: , > the implied meaning is that the people with those email addresses, > co-authored the email. ...or treated with utmost suspicion, as

Re: does order of postscreen_* params matter?

2009-12-10 Thread Mark Martinec
Wietse Venema wrote: > The postscreen manpage lists the tests in the order of execution. > Thus, the blacklist is done tested first. If the client is not > blacklisted, then the whitelist test is done. And so on. > > I could swap the order of black/white tests if there is agreement that > the curr

Re: PATCH: smtpd_proxy logging

2009-12-07 Thread Mark Martinec
Wietse Venema : > Like this? >Dec 5 20:15:25 server postfix/smtpd[16712]: proxy-accept: >END-OF-MESSAGE: 250 2.0.0 Ok: queued as 91BE3547AFE; >from= to= proto=ESMTP >helo= > (with the same form for proxy-reject at END-OF-MESSAGE; the format > of the reject message would be consiste

Re: Postfix DKIM

2009-11-25 Thread Mark Martinec
On Tuesday 24 November 2009 20:38:51 Michael Saldivar wrote: > On Wed, Sep 9, 2009 at 8:08 PM, KLaM Postmaster wrote: > > I found the easiest way by far, was to use the DKIM feature of > > amavisd-new > > simple to setup and work like a ch

Re: Experience with the new speed_adjust feature

2009-11-13 Thread Mark Martinec
On Friday 13 November 2009 19:17:07 Wietse Venema wrote: > Victor found it (missing fflush before ftruncate). > If you can back out the changes and apply the patch below. > *** ./smtpd_proxy.c.orig Mon Nov 9 19:41:50 2009 > --- ./smtpd_proxy.c Fri Nov 13 13:15:25 2009 Thanks, done. So far

Re: Experience with the new speed_adjust feature

2009-11-13 Thread Mark Martinec
On Friday 13 November 2009 18:52:03 Wietse Venema wrote: > Thanks for the logging. If you have time, can you change the code > to print information about the non-zero size? This could be a > filesystem feature where ftruncate() does not reset st_size until > the file is rewritten or closed (in whic

Re: Experience with the new speed_adjust feature

2009-11-13 Thread Mark Martinec
On Friday 13 November 2009 14:48:27 Wietse Venema wrote: > 20091105-nonprod has a known problem when the temp file > can't be written for some reason (fixed in 20091109). > As for the second problem, it would help if you could add > a missing sanity check here: Thanks. Done both: upgraded to 20091

Experience with the new speed_adjust feature

2009-11-13 Thread Mark Martinec
For the last couple of days I'm now experimenting with the 2.7-20091105-nonprod with the new speed_adjust experimental feature turned on at the MX port, along with the postscreen. Seems to work as advertised: timing reports by a pre-queue proxy content filter confirm that the content filter is invo

postscreen lookalike, but in FreeBSD kernel (presentation)

2009-10-15 Thread Mark Martinec
Just came across this one, might be interesting. It sounds similar to postscreen's functionality: EuroBSDCon 2009: FreeBSD kernel protection measures against SMTP DDoS attacks, by Martin Blapp http://people.freebsd.org/~mbr/ http://www.ukuug.org/events/eurobsdcon2009/papers/BSDCON09-SMTP-DDoS

Re: Postfix DKIM

2009-09-09 Thread Mark Martinec
> I'm using dkim-milter now. Btw, the dkim-milter seems rather abandoned now, its development has been picked up by OpenDKIM (same author, who previously worked on dkim-milter). http://www.opendkim.org/ So, either amavisd-new or OpenDKIM should be fine. Mark

before-queue proxy filter and SMTP dot stuffing sanitation

2009-09-03 Thread Mark Martinec
So far I lived under the impression that the smtpd service does some basic sanitation, de-pipelining etc. to an SMTP session, before passing data to a smtpd_proxy_filter content filter. Apparently dot-stuffing sanitation is not performed, as (invalid) lines with a single leading dot can still reach a proxy

Re: rbl checks, best place + ipv6?

2009-08-23 Thread Mark Martinec
On Sunday August 23 2009 04:10:06 Dave Täht wrote: > What I found after fighting with an exchange server that what seems to > work best is assigning my first mx host to be ipv6 only, and my fallback > to be a mx ipv6 and ipv4 host. My choice is to have the first MX have both the IPv6 and IPv4 addr

OT: dkim-milter forked to an OpenDKIM project

2009-08-17 Thread Mark Martinec
For those who missed it, the dkim-milter project forked. Its principal developer is now with the OpenDKIM project. The OpenDKIM v1.0.0 brings a couple of bug fixes over the dkim-milter, and uses a new build mechanism. Mark Here is the announcement posted on 2009-08-14: == The OpenDKIM proj

Re: Conversation with DOMAIN timed out while sending end of data -- message may be sent more than once

2009-04-25 Thread Mark Martinec
On Thursday 23 April 2009 10:02:29 Jørn Odberg wrote: > I can now see that the receiving side has an ESTABLISHED connection from > the sender, even after the sender tells me it has lost the connection > with the receiver. So it seems like something in the middle is forcing > the connection to a clos

Re: Another SMTP protocol breakage by ASA

2009-04-23 Thread Mark Martinec
> Ralf, here is another one for your list of Cisco PIX and ASA > problems with inspection of a SMTP protocol (actually, parsing > of a mail header section): > > http://www.arschkrebs.de/postfix/postfix_cisco_pix_bugs.shtml > > > > CSCsy28792 > SMTP session disconnects due to improper parsing >

Another SMTP protocol breakage by ASA

2009-04-22 Thread Mark Martinec
Ralf, here is another one for your list of Cisco PIX and ASA problems with inspection of a SMTP protocol (actually, parsing of a mail header section): http://www.arschkrebs.de/postfix/postfix_cisco_pix_bugs.shtml CSCsy28792 SMTP session disconnects due to improper parsing of a DKIM header fie

Re: Plus Addressing

2009-04-22 Thread Mark Martinec
Jeff, > >> One more thing I noticed today also. All messages which have the "+" in > >> the e-mail are sent to Dovecot's Deliver twice. So, I receive the > >> message twice in the folder. All other messages are only sent to > >> Deliver once. Any idea what I have configured wrong for the messa

Re: Conversation with DOMAIN timed out while sending end of data -- message may be sent more than once

2009-04-22 Thread Mark Martinec
Jørn, > As I said in the first email, I control both ends (both the sender- and > the receiver-server). But I do not control neither network-connectivity > or Internet-connectivity at either sites. > > I did try turning off Window Scaling at both ends, but it did not help at > all. It still won't d

Re: Plus Addressing

2009-04-17 Thread Mark Martinec
Jeff, > One more thing I noticed today also. All messages which have the "+" in > the e-mail are sent to Dovecot's Deliver twice. So, I receive the > message twice in the folder. All other messages are only sent to > Deliver once. Any idea what I have configured wrong for the message to > be s

rw_loop: leaving rw loop, no progress

2009-03-20 Thread Mark Martinec
-- Forwarded Message -- Subject: Re: [AMaViS-user] rw_loop: leaving rw loop, no progress Date: Friday 20 March 2009 From: Mark Martinec To: amavis-u...@lists.sourceforge.net Ivan, > This is log in attached files Thanks, interesting and strange. I'll CC this to the

Re: postfix - amavisd - SMTP or LMTP (was: TLS)

2009-02-19 Thread Mark Martinec
JLA, > secondary question, would I be better off using LMTP rather than SMTP > for the amavisd. With more recent versions of Postfix (2.3?) the lmtp and smtp clients share common code, so there isn't much difference in their behaviour regarding connection caching and persistency of connection, so

Re: postfix - amavisd - TLS

2009-02-17 Thread Mark Martinec
JLA, > I run amavisd-new as part of my anti-spam setup. > The configuration is pretty well out of the box. I use the split clean > up, which if I remember correctly, is straight out of Patrick Koetter's > setup guide. > One of the things I have noticed is that when amavisd passes emails back > int

Re: Reject Non-Ascii characters

2008-11-25 Thread Mark Martinec
On Tuesday 25 November 2008 12:26:17 bijayant kumar wrote: > Some days ago at my original amavis server logs I observed some strange > lines like (16188-21) WARN: address modified (recip): > <[EMAIL PROTECTED]> -> <"\240singh.richa09"@gmail.com> > > (16188-21) (!) lookup_sql: sql exec: err=7, 22021
