Over the last few days I discussed SMTP delivery problems with a Czech
site which was using Postfix and a CISCO ASA with "smtp protocol
fixup" enabled.
I was able to work around the delivery problems by stripping the DKIM
headers on outgoing mails (as so often).
Some interesting info got out:
I'
Hi, Ralf,
On 12/8/11 9:53 AM, Ralf Hildebrandt wrote:
Over the last few days I discussed SMTP delivery problems with a Czech
site which was using Postfix and a CISCO ASA with "smtp protocol
fixup" enabled.
I was able to work around the delivery problems by stripping the DKIM
headers on outgoing
* Rolf E. Sonneveld :
> >I was able to work around the delivery problems by stripping the DKIM
> >headers on outgoing mails (as so often).
>
> Do you mean a Cisco ASA/PIX firewall with 'smtp protocol fixup'
> effectively blocks _any_ message carrying a DKIM-signature header?
No, it's blocking SO
* Wietse Venema [2011-12-07 17:20]:
> Yes it was. I point the attention to the RIGHT problem, which is
> fixing the suboptimal configuration that does domain queries from
> SQL.
Hi,
with all due respect but for me the important thing at the moment
would be to understand why it works the way it w
On 08.12.2011 09:53, Ralf Hildebrandt wrote:
> Over the last few days I discussed SMTP delivery problems with a Czech
> site which was using Postfix and a CISCO ASA with "smtp protocol
> fixup" enabled.
>
> I was able to work around the delivery problems by stripping the DKIM
> headers on outgoi
Hello,
I have 2 postfix setups with openLDAP as back ends. I need to stress test my
configuration.
I tried with the smtp-source but I don't know if it is OK to test with 1
connection or more. How does postfix handle the connections with the
smtp-source? Is it reliable? I mean, if I use 200 connecti
Sebastian Wiesinger:
> I really would like to know if it is not possible to have a temporary
> error when trivial-rewrite fails to access the MySQL database. I don't
> see any apparent reason for it. If there is one I would like to know.
You have the right to ask these questions. I recommend that
Wietse Venema:
> Sebastian Wiesinger:
> > I really would like to know if it is not possible to have a temporary
> > error when trivial-rewrite fails to access the MySQL database. I don't
> > see any apparent reason for it. If there is one I would like to know.
>
> You have the right to ask these q
Hello,
First post to the list, I would really appreciate any help/advice.
In my current setup I act as a Spam and Virus filter for several domains. Mail
is then relayed to their local Exchange servers once it has been scanned.
In the event that their Exchange server is down and they require eme
* Wietse Venema [2011-12-08 13:09]:
> Sebastian Wiesinger:
> > I really would like to know if it is not possible to have a temporary
> > error when trivial-rewrite fails to access the MySQL database. I don't
> > see any apparent reason for it. If there is one I would like to know.
>
> You have th
On Thursday 08 December 2011 at 15:33 +1300, Peter wrote:
> On 08/12/11 15:28, Kwasi Gyasi - Agyei wrote:
> > Thanks, where can I get src.rpm for v2.6.6, the highest version from
> > here http://postfix.wl0.org/en/available-packages/ is 2.5.
>
> ...picking a CentOS mirror at random:
> http://mirro
Quoting Sebastian Wiesinger:
* Wietse Venema [2011-12-08 13:09]:
Sebastian Wiesinger:
> I really would like to know if it is not possible to have a temporary
> error when trivial-rewrite fails to access the MySQL database. I don't
> see any apparent reason for it. If there is one I would li
On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote:
> Help is always welcome, simply demand how things could be better is useless
you have a bad attitude!
demand how things could be better is useful, everywhere
because it is a hint what can be improved
you need not always to be able making thin
Quoting Reindl Harald:
On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote:
Help is always welcome, simply demand how things could be better is useless
you have a bad attitude!
demand how things could be better is useful, everywhere
because it is a hint what can be improved
You have mis
On 08.12.2011 15:15, lst_ho...@kwsoft.de wrote:
> Quoting Reindl Harald:
>
>> On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote:
>>
>>> Help is always welcome, simply demand how things could be better is useless
>>
>> you have a bad attitude!
>>
>> demand how things could be better is useful
>> I don't see why local Squirrelmail won't send mail over 587,
>> but remote Thunderbird will. Squirrelmail also won't send mail over
>> port 25, but it will send mail over 465.
>
>
> Do you have a new-enough SquirrelMail? From the looks of it, the only
> version >= 1.5.1 is the development snaps
>>> You've probably got permit_mynetworks near the top of your
>>> smtpd_foo_restrictions, which are inherited by default. The "-o
>>
>>
>> The only smtpd_foo_restrictions I have in main.cf are:
>>
>> smtpd_recipient_restrictions =
>> permit_sasl_authenticated,
>> permit_mynetworks,
On 08.12.2011 16:50, Kwasi Gyasi - Agyei wrote:
The building of postfix with pgsql is proving to be rather
complicated, I think it doesn't like my Kernel
(echo "# Do not edit -- this file documents how Postfix was built for
your machine."; /bin/sh makedefs) >makedefs.tmp
ATTENTION:
ATTENTION:
Hi folks,
Hope this isn't too dumb a question, but here goes:
Is there a "best practice" concerning the ordering of the directives
to the right hand side of the "=" for smtpd_recipient_restrictions?
The reason I'm asking is I added a set of lines for RBL reverse DNS and
they don't seem to
On 12/8/2011 2:04 PM, Peter L. Berghold wrote:
Hi folks,
Hope this isn't too dumb a question, but here goes:
Is there a "best practice" concerning the ordering of the directives
to the right hand side of the "=" for smtpd_recipient_restrictions?
The reason I'm asking is I added a set of line
On 12/08/2011 11:24 AM, Grant wrote:
You don't really need the permit_sasl_authenticated, since you shouldn't be
trying to auth on port 25. It doesn't hurt, though.
I just noticed that I can't send mail from Thunderbird unless I
include permit_sasl_authenticated in the above
smtpd_recipient_re
On Thursday 08 December 2011 13:04:13 Peter L. Berghold wrote:
> Is there a "best practice" concerning the ordering of the
> directives to the right hand side of the "=" for
> smtpd_recipient_restrictions?
Consider the relative costs of the restrictions. For example, a hash:
table access(5) loo
smtpd_recipient_restrictions =
permit_mynetworks,
permit_auth_destination,
reject_unauth_destination,
check_sender_access hash:/etc/postfix/access,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_
> So you should change 'client' to 'recipient' in master.cf before you
> remove the 'permit_sasl_authenticated' in main.cf.
>
> At that point, SquirrelMail (or anything else) won't be able to send
> mail unless it authenticates on port 587, sends to one of your domains
> on port 25, or is in $myne
On 12/08/2011 02:21 PM, Gary Smith wrote:
Wouldn't it be smarter to just tell SquirrelMail to use port 587 and
pass through authentication? This way if the server is compromised
or has another exploit there isn't a simple internal email server to
send all that spam from.
This is exactly what w
On 12/8/11 8:46 AM, Grant wrote:
>>> I don't see why local Squirrelmail won't send mail over 587,
>>> but remote Thunderbird will. Squirrelmail also won't send mail over
>>> port 25, but it will send mail over 465.
>>
>>
>> Do you have a new-enough SquirrelMail? From the looks of it, the only
>> v
On 12/8/2011 6:45 AM, James Day wrote:
> Hello,
>
> First post to the list, I would really appreciate any help/advice.
>
> In my current setup I act as a Spam and Virus filter for several domains.
> Mail is then relayed to their local Exchange servers once it has been scanned.
>
> In the event
On Thursday, December 08, 2011 at 19:17:44 UTC, pe...@berghold.net confabulated:
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_auth_destination,
> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/access,
> permit_sasl_authenticated,
>
On 12/8/2011 1:28 PM, Michael Orlitzky wrote:
> On 12/08/2011 02:21 PM, Gary Smith wrote:
>>
>> Wouldn't it be smarter to just tell SquirrelMail to use port 587 and
>> pass through authentication? This way if the server is compromised
>> or has another exploit there isn't a simple internal email s
I don't see why local Squirrelmail won't send mail over 587,
but remote Thunderbird will. Squirrelmail also won't send mail over
port 25, but it will send mail over 465.
>>>
>>>
>>> Do you have a new-enough SquirrelMail? From the looks of it, the only
>>> version >= 1.5.1 is the dev
On 12/8/2011 2:17 PM, Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_auth_destination,
This restriction at this location will IGNORE all RBL lookups when mail
is destined for your system.
I suggest removing it as it is implied if reject_unauth_de
Where did you find this list? There are major issues here.
On Thursday 08 December 2011 13:17:44 Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,
fine ...
> permit_auth_destination,
"If the destination is served by this host, accept the mail."
> r
On 12/8/2011 1:17 PM, Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,
OK.
> permit_auth_destination,
Permits all mail handled by your server.
> reject_unauth_destination,
Rejects all mail not handled by your server.
Nothing left after that... N
Thanks Noel.
I'm forwarding the aliased mail to catch all Pop3 boxes to prevent back
scatter. I don't have a valid recipient list for all these domains hence the
request for a wild card type solution. I gather this function isn't built in so
maybe, as you suggest, a script is the way to go.
**
On 12/8/2011 2:13 PM, James Day wrote:
> Thanks Noel.
>
> I'm forwarding the aliased mail to catch all Pop3 boxes to prevent back
> scatter. I don't have a valid recipient list for all these domains hence the
> request for a wild card type solution. I gather this function isn't built in
> so ma
On Thursday 08 December 2011 14:06:15 Grant wrote:
Philip:
> > 587 can be used encrypted or unencrypted, authenticated
> > (preferably) or not... you could for instance just limit 587
> > connections from a particular subnet, etc.
>
> Why then won't Squirrelmail send mail on port 587 unencrypted w
>>> You don't really need the permit_sasl_authenticated, since you shouldn't
>>> be
>>> trying to auth on port 25. It doesn't hurt, though.
>>
>>
>> I just noticed that I can't send mail from Thunderbird unless I
>> include permit_sasl_authenticated in the above
>> smtpd_recipient_restrictions bloc
On 12/8/11 1:06 PM, Grant wrote:
>> I don't think you're really getting the significance of port 587 vs. port 25.
>
> I think you're right.
>
>> 587 can be used encrypted or unencrypted, authenticated (preferably) or
>> not... you could for instance just limit 587 connections from a particular
On Thursday 08 December 2011 14:24:00 Grant wrote:
> Squirrelmail and postfix are on the same machine. I've changed
> Squirrelmail to send to port 25 with no authentication and no TLS
> and it works! It must have been failing before because it was
> trying to authenticate?
>
> So this is working
On 12/08/2011 03:24 PM, Grant wrote:
So I should specify smtpd_client_restrictions or
smtpd_recipient_restrictions, but not both?
I think most people find it easier to put all of the restrictions under
smtpd_recipient_restrictions, since you can just read them top-to-bottom
with smtpd_delay
On 07/12/11 13:58, Noel Jones wrote:
On 12/7/2011 6:03 AM, Leonardo Rodrigues wrote:
Anyway, I'm having hard times trying to figure out why, for some
messages, like the queueid I posted the full log, postfix is
apparently not even trying to deliver to the primary MX for some
large perio
> Hi,
>
> I'm using Postfix with MySQL via proxy:mysql maps. The documentation
> states that mails should get deferred if no mysql server is reachable.
>
> However when I shut down MySQL, SMTP transaction freeze after I enter
> the "MAIL FROM:<...>" statement.
>
> Any ideas how I can change that
>>> 25 is used by your MTA to receive *incoming* messages from other
>>> administrative domains (organizations).
>>
>> Port 25 is never used to submit outbound messages? If not, I'm
>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>> way:
>>
>> This is the port to connect
Quoting Peter Tselios:
Hello,
I have 2 postfix setups with openLDAP as back ends. I need to stress
test my configuration.
I tried with the smtp-source but I don't know if it is OK to test with
1 connection or more. How does postfix handle the connections with
the smtp-source? Is it reliabl
On 08.12.2011 21:49, Grant wrote:
25 is used by your MTA to receive *incoming* messages from other
administrative domains (organizations).
>>>
>>> Port 25 is never used to submit outbound messages? If not, I'm
>>> confused as to why Squirrelmail describes its "SMTP Port" setting thi
On 12/8/2011 2:49 PM, Grant wrote:
> Is it alright to send on port 25 from Squirrelmail when it's on the
> same machine as postfix?
OK, but not optimal. Better to leave on 465 to separate the traffic.
> That way I can make 587 require TLS and
> authentication but not require that local Squirrel
>> So I should specify smtpd_client_restrictions or
>> smtpd_recipient_restrictions, but not both?
>>
>
> I think most people find it easier to put all of the restrictions under
> smtpd_recipient_restrictions, since you can just read them top-to-bottom
> with smtpd_delay_reject = yes (the default).
On 12/8/11 1:49 PM, Grant wrote:
25 is used by your MTA to receive *incoming* messages from other
administrative domains (organizations).
>>>
>>> Port 25 is never used to submit outbound messages? If not, I'm
>>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>>>
> 25 is used by your MTA to receive *incoming* messages from other
> administrative domains (organizations).
Port 25 is never used to submit outbound messages? If not, I'm
confused as to why Squirrelmail describes its "SMTP Port" setting this
way:
This is the
On 12/8/2011 5:29 PM, Grant wrote:
> I think I can't do that because I also need to connect to 587 from
> Thunderbird in remote locations.
You're making this way too complicated.
Either continue to happily use 465 as you always have, or make the
changes to submission I suggested a few minutes ago
* lst_ho...@kwsoft.de [2011-12-08 14:46]:
> >And I had hoped that perhaps this would be an improvement to postfix.
> >Sadly it seems it was some kind of blasphemy to question the way
> >postfix does handle this stuff.
>
> No, it means until now no one needs this so important to step up
> with cod
Sebastian Wiesinger:
> * lst_ho...@kwsoft.de [2011-12-08 14:46]:
> > >And I had hoped that perhaps this would be an improvement to postfix.
> > >Sadly it seems it was some kind of blasphemy to question the way
> > >postfix does handle this stuff.
> >
> > No, it means until now no one needs this s
* Wietse Venema [2011-12-09 01:01]:
> > And that is where I disagree. IMHO a mailsystem should respond with a
> > temporary error if it is experiencing a temporary error (like a lookup
> > table not being available) not simply hang there and do.. nothing.
>
> We know that. What are you going to do
>> I think I can't do that because I also need to connect to 587 from
>> Thunderbird in remote locations.
>
> You're making this way too complicated.
>
> Either continue to happily use 465 as you always have, or make the
> changes to submission I suggested a few minutes ago. These changes
> still
On 09.12.2011 01:11, Grant wrote:
>>> I think I can't do that because I also need to connect to 587 from
>>> Thunderbird in remote locations.
>>
>> You're making this way too complicated.
>>
>> Either continue to happily use 465 as you always have, or make the
>> changes to submission I suggest
On 09/12/11 13:11, Grant wrote:
> Got it. I misunderstood you before. May I ask why using 465 for
> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
> and 25 for Squirrelmail talking to localhost?
I'm quite sure that he never said to use 465 for Thunderbird. The
reason you
On 12/8/2011 6:11 PM, Grant wrote:
> Got it. I misunderstood you before. May I ask why using 465 for
> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
> and 25 for Squirrelmail talking to localhost?
The good reason to not use port 25 for local user submissions is
that it al
This week I implemented a memcache client for Postfix in the hope
that it would be useful to share postscreen(8) or verify(8) caches
among multiple MTAs.
The implementation is based on libmemcache. This was not too much
work, given a few examples (libmemcache is under-documented).
However, rob
>> Got it. I misunderstood you before. May I ask why using 465 for
>> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
>> and 25 for Squirrelmail talking to localhost?
>
> I'm quite sure that he never said to use 465 for Thunderbird. The
> reason you don't want to use port 2
On 12/08/2011 05:18 PM, Grant wrote:
I've boiled my config down to this. It is functional and I think it
is secure and that it rejects any attempt to send messages from
outside mynetworks unless authenticated. Am I correct? Please
consider all other directives to be default.
You're fine.
I
On 12/8/11 4:29 PM, Grant wrote:
>>> Is it alright to send on port 25 from Squirrelmail when it's on the
>>> same machine as postfix? That way I can make 587 require TLS and
>>> authentication but not require that local Squirrelmail encrypt or
>>> authenticate.
>>
>> No, I'd do exactly what I sai
On 12/8/11 5:33 PM, Reindl Harald wrote:
>
>> Got it. I misunderstood you before. May I ask why using 465 for
>> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
>> and 25 for Squirrelmail talking to localhost?
>
> there is no better
> configure a server as YOU need
>
Wel
>> Is it alright to send on port 25 from Squirrelmail when it's on the
>> same machine as postfix?
>
> OK, but not optimal. Better to leave on 465 to separate the traffic.
>
>> That way I can make 587 require TLS and
>> authentication but not require that local Squirrelmail encrypt or
>> authenti