Re: serious bug with check_client_access

2010-11-04 Thread Покотиленко Костик
On Wed, 03/11/2010 at 22:16 -0500, Noel Jones wrote: > On 11/3/2010 10:00 PM, Vincent Lefevre wrote: > > On 2010-11-03 21:40:54 -0500, Noel Jones wrote: > >> ".domain.tld" only works if parent_domain_matches_subdomains does NOT > >> include smtpd_access maps. > > > > The man page says nothing like th

Re: serious bug with check_client_access

2010-11-04 Thread Emmanuel Fusté
On 04/11/2010 05:24, Noel Jones wrote: On 11/3/2010 11:07 PM, Vincent Lefevre wrote: BTW, so, there is no way to match only subdomains (by that, I mean all possible subdomains, but not the domain itself) without changing parent_domain_matches_subdomains? That's correct with indexed tables.

Re: serious bug with check_client_access

2010-11-04 Thread lst_hoe02
Quoting Покотиленко Костик: On Wed, 03/11/2010 at 22:16 -0500, Noel Jones wrote: On 11/3/2010 10:00 PM, Vincent Lefevre wrote: > On 2010-11-03 21:40:54 -0500, Noel Jones wrote: >> ".domain.tld" only works if parent_domain_matches_subdomains does NOT >> include smtpd_access maps. > > The man pa

Re: serious bug with check_client_access

2010-11-04 Thread Покотиленко Костик
On Thu, 04/11/2010 at 10:44 +0100, lst_ho...@kwsoft.de wrote: > Quoting Покотиленко Костик: > > > On Wed, 03/11/2010 at 22:16 -0500, Noel Jones wrote: > >> On 11/3/2010 10:00 PM, Vincent Lefevre wrote: > >> > On 2010-11-03 21:40:54 -0500, Noel Jones wrote: > >> >> ".domain.tld" only works if parent

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 10:44:34 +0100, lst_ho...@kwsoft.de wrote: > >>The access(5) man page says: > >> > >> domain.tld > >> Matches domain.tld. > >> > >> The pattern domain.tld also matches subdomains, but only > >> when the string smtpd_access_maps is listed in the Pos

Re: Well, everyone else using dnswl.org say bye bye to "opensource" usage.

2010-11-04 Thread Stan Hoeppner
Jerrale G put forth on 11/4/2010 4:54 AM: > you know, they could have made a premium service or addition to offset > overhead and generate revenue while having the white and blacklists as a > free service. This means that spamassassin's accuracy, and opensource, > will reduce as well. I guess I'm g

Re: Well, everyone else using dnswl.org say bye bye to "opensource"usage.

2010-11-04 Thread Larry Stone
On 11/4/10 5:46 AM, Stan Hoeppner at s...@hardwarefreak.com wrote: > Jerrale G put forth on 11/4/2010 4:54 AM: > >> you know, they could have made a premium service or addition to offset >> overhead and generate revenue while having the white and blacklists as a >> free service. This means that s

Re: Well, everyone else using dnswl.org say bye bye to "opensource"usage.

2010-11-04 Thread Ronald MacDonald
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 4 Nov 2010, at 11:54, Larry Stone wrote: >> >> Be glad it's still free and that you simply have to add some software to >> your system to make it work again. > > Care to provide some pointers to such software? Or do you just assume we all > have

multiple instance question

2010-11-04 Thread Ralf Hildebrandt
I want to duplicate an existing postfix instance (master.cf / main.cf / all maps), all I want to change is the queue_directory and no smtpd should be listening. What's the easiest way to do this? -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin

Re: Well, everyone else using dnswl.org say bye bye to "opensource"usage.

2010-11-04 Thread Larry Stone
On 11/4/10 7:06 AM, Ronald MacDonald at ron...@rmacd.com wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > On 4 Nov 2010, at 11:54, Larry Stone wrote: > >>> >>> Be glad it's still free and that you simply have to add some software to >>> your system to make it work again. >> >> C

Documentation (was: serious bug with check_client_access)

2010-11-04 Thread Wietse Venema
Vincent Lefevre: > On 2010-11-04 10:44:34 +0100, lst_ho...@kwsoft.de wrote: > > >>The access(5) man page says: > > >> > > >> domain.tld > > >> Matches domain.tld. > > >> > > >> The pattern domain.tld also matches subdomains, but only > > >> when the string smtpd

Re: multiple instance question

2010-11-04 Thread Victor Duchovni
On Thu, Nov 04, 2010 at 01:47:59PM +0100, Ralf Hildebrandt wrote: > I want to duplicate an existing postfix instance (master.cf / main.cf / > all maps), all I want to change is the queue_directory and no smtpd > should be listening. > > What's the easiest way to do this? # set -e # # newname=post

Re: Documentation (was: serious bug with check_client_access)

2010-11-04 Thread /dev/rob0
On Thu, Nov 04, 2010 at 10:56:57AM -0400, Wietse Venema wrote: > Vincent Lefevre: > > On 2010-11-04 10:44:34 +0100, lst_ho...@kwsoft.de wrote: > > > >>The access(5) man page says: > > > >> > > > >> domain.tld > > > >> Matches domain.tld. > > > >> > > > >> The pattern doma

Re: Well, everyone else using dnswl.org say bye bye to "opensource"usage.

2010-11-04 Thread /dev/rob0
On Thu, Nov 04, 2010 at 06:54:05AM -0500, Larry Stone wrote: > On 11/4/10 5:46 AM, Stan Hoeppner at s...@hardwarefreak.com wrote: > > Be glad it's still free and that you simply have to add some > > software to your system to make it work again. > > Care to provide some pointers to such software?

Re: Documentation (was: serious bug with check_client_access)

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 10:28:00 -0500, /dev/rob0 wrote: > On Thu, Nov 04, 2010 at 10:56:57AM -0400, Wietse Venema wrote: > > I can replace that "Otherwise..." sentence by a separate list item. > > > >domain.tld > > Matches domain.tld. > > > > The pattern domain.tld also mat

Re: Well, everyone else using dnswl.org say bye bye to "opensource"usage.

2010-11-04 Thread mouss
On 04/11/2010 13:53, Larry Stone wrote: On 11/4/10 7:06 AM, Ronald MacDonald at ron...@rmacd.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 4 Nov 2010, at 11:54, Larry Stone wrote: Be glad it's still free and that you simply have to add some software to your system to make i

Re: Well, everyone else using dnswl.org say bye bye to "opensource"usage.

2010-11-04 Thread Larry Stone
On Thu, 4 Nov 2010, /dev/rob0 wrote: On Thu, Nov 04, 2010 at 06:54:05AM -0500, Larry Stone wrote: On 11/4/10 5:46 AM, Stan Hoeppner at s...@hardwarefreak.com wrote: Be glad it's still free and that you simply have to add some software to your system to make it work again. Care to provide som

Re: serious bug with check_client_access

2010-11-04 Thread mouss
On 04/11/2010 05:07, Vincent Lefevre wrote: On 2010-11-03 22:55:59 -0500, Noel Jones wrote: I'm so sorry you lost your twitter post. Actually I might have lost other mail (though this is a bit unlikely) since I was generally using an initial dot. a good idea is to include both dotted and u

THREAD KILLED: Documentation (was: serious bug with check_client_access)

2010-11-04 Thread Victor Duchovni
On Thu, Nov 04, 2010 at 05:02:25PM +0100, Vincent Lefevre wrote: > I still think that it's a bit ambiguous, because I was seeing > ".domain.tld" as a subcase of "domain.tld" This objection is spurious, and constitutes trolling. Please do not feed the trolls. For the record, elementary logic:

is there a way to tell postfix not to perform reverse lookup on the received header?

2010-11-04 Thread Joe Wong
Hello, Postfix writes the Received header like this: Received: from HELO.HOSTNAME (*HOSTNAME_OF_CONNECTING_IP* [CONNECTING_IP]) by HOSTNAME_OF_POSTFIX (Postfix) with SMTP id 0ABBCCDDEE for >; Wed, 1 Nov 2010 00:00:00 + (GMT) is there a way to tell postfix not to write the

Re: is there a way to tell postfix not to perform reverse lookup on the received header?

2010-11-04 Thread Victor Duchovni
On Fri, Nov 05, 2010 at 12:25:21AM +0800, Joe Wong wrote: > is there a way to tell postfix not to write the HOSTNAME_OF_CONNECTING_IP, > or disable the reverse DNS lookup so that is always 'unknown' ? http://www.postfix.org/postconf.5.html#smtpd_peername_lookup -- Viktor.

Re: is there a way to tell postfix not to perform reverse lookup on the received header?

2010-11-04 Thread Noel Jones
On 11/4/2010 11:25 AM, Joe Wong wrote: Hello, Postfix writes the Received header like this: Received: from HELO.HOSTNAME (*HOSTNAME_OF_CONNECTING_IP* [CONNECTING_IP]) by HOSTNAME_OF_POSTFIX (Postfix) with SMTP id 0ABBCCDDEE for mailto:chant...@hk1.ibm.com>>; Wed, 1 Nov 201

Re: is there a way to tell postfix not to perform reverse lookup on the received header?

2010-11-04 Thread Joe Wong
Thanks Viktor. I miss this one when reading the man page.. :) On Fri, Nov 5, 2010 at 12:42 AM, Victor Duchovni < victor.ducho...@morganstanley.com> wrote: > On Fri, Nov 05, 2010 at 12:25:21AM +0800, Joe Wong wrote: > > > is there a way to tell postfix not to write the > HOSTNAME_OF_CONNECTING_IP

Re: is there a way to tell postfix not to perform reverse lookup on the received header?

2010-11-04 Thread mouss
On 04/11/2010 17:45, Joe Wong wrote: Thanks Viktor. I miss this one when reading the man page.. :) note that if your goal is to hide private information, then you should use header_checks instead of disabling reverse DNS lookup. header_checks = pcre:/etc/postfix/header_checks.pcre == hea

SPF enforcement opinions?

2010-11-04 Thread Robert Fitzpatrick
I have SPF setup and Postfix is rejecting mail from explicitly unauthorized servers. If a customer wants me to customize the configuration so that they can receive mail from that server, is that wrong? Their current SPF TXT record contains a hard fail as ... "v=spf1 a mx ptr -all" --Robert

Re: SPF enforcement opinions?

2010-11-04 Thread Randy Ramsdell
Robert Fitzpatrick wrote: I have SPF setup and Postfix is rejecting mail from explicitly unauthorized servers. If a customer wants me to customize the configuration so that they can receive mail from that server, is that wrong? Their current SPF TXT record contains a hard fail as ... "v=spf1

Re: SPF enforcement opinions?

2010-11-04 Thread Will Fong
On Nov 4, 2010, at 2:12 PM, Robert Fitzpatrick wrote: > I have SPF setup and Postfix is rejecting mail from explicitly unauthorized > servers. If a customer wants me to customize the configuration so that they > can receive mail from that server, is that wrong? Their current SPF TXT > record co

cidr table performance

2010-11-04 Thread Stan Hoeppner
What's the CIDR lookup table performance difference between say 256 /32 entries and a single /24 entry? Is it 256:1? Or, how about 90,000 /32 entries vs 60,000 entries that consolidate many of those 90,000 /32s into larger CIDRs such as /24s and /21s etc? I have no idea what the total processing

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 17:18:17 +0100, mouss wrote: > otherwise, you can do whatever you want with pcre: > /\.example\.com$/ OK > or with sql or ldap. For pcre, the man page is not clear. It says: Each pattern is a regular expression that is applied to the entire string being looked up. De

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner
Vincent Lefevre put forth on 11/4/2010 6:04 PM: > On 2010-11-04 17:18:17 +0100, mouss wrote: >> otherwise, you can do whatever you want with pcre: >> /\.example\.com$/ OK >> or with sql or ldap. > > For pcre, the man page is not clear. It says: > > Each pattern is a regular expressi

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote: > check_client_access pcre:/etc/postfix/filter.pcre > check_sender_access pcre:/etc/postfix/filter.pcre > check_recipient_access pcre:/etc/postfix/filter.pcre > > As you can see, this is defined by the smtpd_foo_restriction you target >

Re: cidr table performance

2010-11-04 Thread Jeroen Geilman
On 11/04/2010 11:55 PM, Stan Hoeppner wrote: What's the CIDR lookup table performance difference between say 256 /32 entries and a single /24 entry? Is it 256:1? Or, how about 90,000 /32 entries vs 60,000 entries that consolidate many of those 90,000 /32s into larger CIDRs such as /24s and /21s

Re: cidr table performance

2010-11-04 Thread Wietse Venema
Stan Hoeppner: > What's the CIDR lookup table performance difference between say 256 /32 > entries and a single /24 entry? Is it 256:1? One /32 match is probably a little faster than one /24 match. The difference depends on compiler and hardware used. The CIDR implementation could be sped up

Re: serious bug with check_client_access

2010-11-04 Thread Wietse Venema
Vincent Lefevre: > On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote: > > check_client_access pcre:/etc/postfix/filter.pcre > > check_sender_access pcre:/etc/postfix/filter.pcre > > check_recipient_access pcre:/etc/postfix/filter.pcre > > > > As you can see, this is defined by the smtpd_foo_r

Re: serious bug with check_client_access

2010-11-04 Thread Jeroen Geilman
On 11/05/2010 01:26 AM, Vincent Lefevre wrote: On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote: check_client_access pcre:/etc/postfix/filter.pcre check_sender_access pcre:/etc/postfix/filter.pcre check_recipient_access pcre:/etc/postfix/filter.pcre As you can see, this is defined

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 20:33:11 -0400, Wietse Venema wrote: > check_client_access searches the address and domain with ALL lookup > table types. It just doesn't do the substring lookups with PCRE, > REGEXP and CIDR. If I understand correctly, there's another difference: in the default table format, the str

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-05 01:38:37 +0100, Jeroen Geilman wrote: > *REGULAR EXPRESSION TABLES* >This section describes how the table lookups change when >the table is given in the form of regular expressions. For >a description of regular expression lookup table syntax, >see*

too many recipients does not log

2010-11-04 Thread Richard Stockton
I have a client trying to send to more than the allowed number of recipients (smtpd_recipient_limit = 100). On the server side the only indication I see in the maillog is a "sender non-delivery notification" with no explanation. This makes debugging the client's problem more difficult when you a

Re: RBL Spam question

2010-11-04 Thread Michael Orlitzky
On 11/04/2010 12:39 AM, Stan Hoeppner wrote: > Ned Slider put forth on 11/3/2010 6:33 PM: > >> My other thought was to simply comment (or document) ranges known to >> contain FPs and then the user can make a judgement call whether they >> want to comment out that particular regex based on their ci

too many recipients does not log

2010-11-04 Thread Richard Stockton
I think I sent this to the wrong address, so I'm trying again... I have a client trying to send to more than the allowed number of recipients (smtpd_recipient_limit = 100). On the server side the only indication I see in the maillog is a "sender non-delivery notification" with no explanation. T

Re: too many recipients does not log

2010-11-04 Thread Will Fong
On Nov 4, 2010, at 6:09 PM, Richard Stockton wrote: > I think I sent this to the wrong address, so I'm trying again... > > I have a client trying to send to more than the allowed number of > recipients (smtpd_recipient_limit = 100). On the server side the > only indication I see in the maillog i

Re: serious bug with check_client_access

2010-11-04 Thread Jeroen Geilman
On 11/05/2010 01:57 AM, Vincent Lefevre wrote: On 2010-11-05 01:38:37 +0100, Jeroen Geilman wrote: *REGULAR EXPRESSION TABLES* This section describes how the table lookups change when the table is given in the form of regular expressions. For a description of regula

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho
On Thu, Nov 4, 2010 at 8:04 PM, Vincent Lefevre wrote: > On 2010-11-04 17:18:17 +0100, mouss wrote: >> otherwise, you can do whatever you want with pcre: >> /\.example\.com$/        OK >> or with sql or ldap. > > For pcre, the man page is not clear. It says: > check_client_access type:table S

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-05 02:29:53 +0100, Jeroen Geilman wrote: > If you combine > > Each pattern is a regular expression that is applied to the entire string > being looked up. > > > with > * > check_client_access /type:table > /* >Search the specified a

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho
On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho wrote: > > check_client_access type:table >    Search the specified access database for the client hostname, > parent domains, client IP address, or networks obtained by stripping > least significant octets. See the access(5) manual page for de

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner
Vincent Lefevre put forth on 11/4/2010 7:49 PM: > On 2010-11-04 20:33:11 -0400, Wietse Venema wrote: >> check_client_access searches the address and domain with ALL lookup >> table types. It just doesn't do the substring lookups with PCRE, >> REGEXP and CIDR. > > If I understand correctly, there's

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 23:06:17 -0300, Reinaldo de Carvalho wrote: > On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho > wrote: > > > > check_client_access type:table > >    Search the specified access database for the client hostname, > > parent domains, client IP address, or networks obtained by stri

Re: cidr table performance

2010-11-04 Thread Stan Hoeppner
Wietse Venema put forth on 11/4/2010 7:30 PM: > Stan Hoeppner: >> What's the CIDR lookup table performance difference between say 256 /32 >> entries and a single /24 entry? Is it 256:1? > > One /32 match is probably a little faster than one /24 match. > The difference depends on compiler and h

Re: Well, everyone else using dnswl.org say bye bye to "opensource"usage.

2010-11-04 Thread Sahil Tandon
On Thu, 2010-11-04 at 06:54:05 -0500, Larry Stone wrote: > On 11/4/10 5:46 AM, Stan Hoeppner at s...@hardwarefreak.com wrote: > > Be glad it's still free and that you simply have to add some > > software to your system to make it work again. > > Care to provide some pointers to such software? Or

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho
On Thu, Nov 4, 2010 at 11:13 PM, Vincent Lefevre wrote: > On 2010-11-04 23:06:17 -0300, Reinaldo de Carvalho wrote: >> On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho >> wrote: >> > >> > check_client_access type:table >> >    Search the specified access database for the client hostname, >>

Re: too many recipients does not log

2010-11-04 Thread Victor Duchovni
On Thu, Nov 04, 2010 at 06:04:37PM -0700, Richard Stockton wrote: > I have a client trying to send to more than the allowed number of > recipients (smtpd_recipient_limit = 100). On the server side the > only indication I see in the maillog is a "sender non-delivery > notification" with no explana

Re: cidr table performance

2010-11-04 Thread Stan Hoeppner
Stan Hoeppner put forth on 11/4/2010 9:20 PM: > Wietse Venema put forth on 11/4/2010 7:30 PM: >> Stan Hoeppner: >>> What's the CIDR lookup table performance difference between say 256 /32 >>> entries and a single /24 entry? Is it 256:1? >> >> One /32 match is probably a little faster than one /

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner
Vincent Lefevre put forth on 11/4/2010 7:57 PM: > This is not what the documentation says: > > Depending on the application, that string is an entire client > hostname, an entire client IP address, or an entire mail address. _Application_ in this sentence refers to things like smtpd_foo_rest

Re: RBL Spam question

2010-11-04 Thread Stan Hoeppner
Michael Orlitzky put forth on 11/4/2010 8:06 PM: > On 11/04/2010 12:39 AM, Stan Hoeppner wrote: >> Ned Slider put forth on 11/3/2010 6:33 PM: >> >>> My other thought was to simply comment (or document) ranges known to >>> contain FPs and then the user can make a judgement call whether they >>> want

Relaying denied during 2 hours, driving me crazy

2010-11-04 Thread Pablo Chamorro
Today we had a 'relaying denied' issue between 15:08-17:02 p.m. Here it is the output of pflogsumm: Per-Hour Traffic Summary time received delivered deferred bounced rejected -0100 0

Re: serious bug with check_client_access

2010-11-04 Thread mouss
On 05/11/2010 00:04, Vincent Lefevre wrote: On 2010-11-04 17:18:17 +0100, mouss wrote: otherwise, you can do whatever you want with pcre: /\.example\.com$/ OK or with sql or ldap. For pcre, the man page is not clear. It says: Each pattern is a regular expression that is appli

Re: Relaying denied during 2 hours, driving me crazy

2010-11-04 Thread mouss
On 05/11/2010 05:54, Pablo Chamorro wrote: Today we had a 'relaying denied' issue between 15:08-17:02 p.m. Here it is the output of pflogsumm: Per-Hour Traffic Summary time received delivered deferred bounced rejected

Re: RBL Spam question

2010-11-04 Thread Michael Orlitzky
On 11/05/10 00:11, Stan Hoeppner wrote: > Michael Orlitzky put forth on 11/4/2010 8:06 PM: >> On 11/04/2010 12:39 AM, Stan Hoeppner wrote: >>> Ned Slider put forth on 11/3/2010 6:33 PM: >>> My other thought was to simply comment (or document) ranges known to contain FPs and then the user