My question is how to figure out why smtpd_relay_restrictions is being
used for local recipients.
(In the following, I've renamed the local domain name (which is listed
in mydestination) to example.com to prevent email harvesting.)
I upgraded a system from openSUSE 13.1 to 13.2 and got Postfix
Hello,
I'd like postscreen to have the ability to reject clients based on a regex
pattern based on their PTR records.
I use both the pregreet and the dns block feature of postfix. However it seems
that still too many spamming hosts manage to pass postscreen and thus
overwhelming smtpd processes.
On 08 Mar 2015, at 20:26 , Viktor Dukhovni wrote:
> On Sun, Mar 08, 2015 at 08:09:51PM -0600, @lbutlr wrote:
>
>> Does Always BCC bcc all incoming AND outgoing mail?
>>
>> Is there a way to have it BCC only incoming mail?
>
> Postfix has no notion of "incoming mail". All mail comes in (to
> th
@lbutlr:
I was hoping always_bcc would allow me to backup user’s incoming mail.
have a look at recipient_bcc_maps ...
Yes, I know the envelope-from is not your address. The reason your address is
listed as envelope-from in the header, is because I run with the Mail::SPF
module, and input the From: header as "envelope from" parameter in the validator.
The validator (Mail::SPF) then thinks your address was the envel
Viktor Dukhovni wrote:
On Mon, Mar 09, 2015 at 04:40:41AM +, Mick wrote:
I would not deploy this policy script. It requires a new Perl
process for each request. That's a rather bad idea. It does not
treat the sender address in a case-insensitive manner.
I hadn't thought of tha
On Mar 9, 2015, at 6:02 AM, Kovács Albert wrote:
> I'd like postscreen to have the ability to reject clients based on a regex
> pattern based on their PTR records.
If it has to be postscreen, you can set up a local RBL lookup and score it high
enough to trigger a rejection.
But based on your pa
On 3/9/2015 6:14 AM, Earl Killian wrote:
> My question is how to figure out why smtpd_relay_restrictions is
> being used for local recipients.
> (In the following, I've renamed the local domain name (which is
> listed in mydestination) to example.com to prevent email harvesting.)
>
> I upgraded a
On 3/9/2015 7:02 AM, Kovács Albert wrote:
> Hello,
>
> I'd like postscreen to have the ability to reject clients based on a
> regex pattern based on their PTR records.
>
> I use both the pregreet and the dns block feature of postfix.
> However it seems that still too many spamming hosts
> manage
On 2015/3/9 08:12, Noel Jones wrote:
You have misunderstood the purpose of smtpd_relay_restrictions.
Your mail is rejected by the final "reject" you placed.
*ALL* mail is evaluated by smtpd_relay_restrictions, and unless you
have very unusual relay requirements, you should either set it
empty, o
On 3/9/2015 10:46 AM, Earl Killian wrote:
> On 2015/3/9 08:12, Noel Jones wrote:
>> You have misunderstood the purpose of smtpd_relay_restrictions.
>> Your mail is rejected by the final "reject" you placed.
>>
>> *ALL* mail is evaluated by smtpd_relay_restrictions, and unless you
>> have very unusu
I would instead suggest setting the relay access to:
check_sender_access hash:/etc/postfix/relay_auth, reject_unauth_destination
where /etc/postfix/relay_auth is:
permit_mynetworks, reject
[] permit_mynetworks, reject
This protects against most malicious relaying:
client inside "mynetworks":
B
On Mon, Mar 09, 2015 at 05:56:20PM +0100, Sebastian Nielsen wrote:
> I would instead suggest setting the relay access to:
>
> check_sender_access hash:/etc/postfix/relay_auth, reject_unauth_destination
>
> where /etc/postfix/relay_auth is:
> permit_mynetworks, reject
> [] permit_mynetworks, reje
I have noticed some automated open relay testing services do "fail" a domain
if it rejects a relay too early (eg in MAIL FROM).
And you are a bit wrong with IP address lookup. Yes, check_sender_access does
not itself look up IPs.
But the rules I listed, will effectively "expand" to the rule:
smtp
: host mx01.1and1.com[74.208.5.21]
refused to talk to me: 501 Syntax error in parameters or arguments
We are getting these rejects when attempting to send to addresses at
this domain and only this domain (so far). Can someone provide some
insight as to what might be happening here? How can it b
Dear Mike and Victor,
Thank you both very much for replying and helping out with the possible
solutions.
I will try them out. Looks like upgrading to 2.11 seems like the best
choice. I am a little afraid to upgrade to 2.11 but after searching on
the internet, it seems that is alright. I am o
Viktor and I are in agreement here. The smtpd_relay_restrictions
should be kept as simple as possible to prevent accidents.
It's too easy to make a mistake in a check_*_access table and
inadvertently create an open relay. That's why
smtpd_relay_restrictions was invented.
It's fine to have a pol
On Mon, Mar 09, 2015 at 01:49:18PM +, Mick wrote:
> >I am not talking about concurrency, rather this still costs a Perl
> >invocation per lookup and Perl start-up time is considerable.
>
> Ah, I see. Thanks for clarifying the difference. I run a PERL script using
> spawn to block and group SMT
On Mon, Mar 09, 2015 at 06:53:21PM +0100, Sebastian Nielsen wrote:
> I have noticed some automated open relay testing services do "fail" a domain
> if it rejects a relay too early (eg in MAIL FROM).
Obviously, Postfix cannot and does not reject relay attempts at
MAIL FROM. At that point the dest
On Mon, Mar 09, 2015 at 02:10:16PM -0400, James B. Byrne wrote:
> : host mx01.1and1.com[74.208.5.21]
> refused to talk to me: 501 Syntax error in parameters or arguments
Perhaps they don't like your EHLO name.
$ posttls-finger -o myhostname=shorthelotest "[mx01.1and1.com]"
posttls-finger
You probably didn't understand what I mean with open relay testing services
failing a domain that rejects a relay too early:
Imagine you did do as you told with putting the table in
smtpd_sender_restrictions, and smtpd_delay_reject = no.
Imagine now a relay testing tool tests the server, and doe
On Mon, Mar 09, 2015 at 02:37:07PM +0100, Sebastian Nielsen wrote:
> What if the bank really send out
> something that should be filled in? You can't know.
A bank should never send email asking users to enter personal
information into web-sites linked from the email. I would switch
banks if my b
On Mon, Mar 09, 2015 at 07:50:13PM +0100, Sebastian Nielsen wrote:
> You probably didn't understand what I mean with open relay testing services
> failing a domain that rejects a relay too early:
>
> Imagine you did do as you told with putting the table in
> smtpd_sender_restrictions, and smtpd_de
On Mon, March 9, 2015 14:49, Viktor Dukhovni wrote:
> On Mon, Mar 09, 2015 at 02:10:16PM -0400, James B. Byrne wrote:
>
>> : host mx01.1and1.com[74.208.5.21]
>> refused to talk to me: 501 Syntax error in parameters or arguments
>
> Perhaps they don't like your EHLO name.
>
> report the output of:
On Mon, Mar 09, 2015 at 03:08:15PM -0400, James B. Byrne wrote:
> > report the output of:
> >
> > $ printf "---%s---\n" "$(postconf -h myhostname)"
> > $ printf "---%s---\n" "$(postconf -h smtp_helo_name)"
> >
> > Make that "-hx" instead of "-h" if your Postfix is recent enough.
>
> [root@
On Mon, March 9, 2015 15:23, Viktor Dukhovni wrote:
> On Mon, Mar 09, 2015 at 03:08:15PM -0400, James B. Byrne wrote:
>
>> > report the output of:
>> >
>> >$ printf "---%s---\n" "$(postconf -h myhostname)"
>> >$ printf "---%s---\n" "$(postconf -h smtp_helo_name)"
>> >
>> > Make that "-hx"
On Mon, Mar 09, 2015 at 04:05:51PM -0400, James B. Byrne wrote:
> When I send directly to postmas...@land1.com then I see this:
>
> Mar 9 16:02:41 inet08 postfix/smtp[6447]: 14604601DC:
> to=, relay=127.0.0.1[127.0.0.1]:10024,
> delay=2.1, delays=0.18/0/0.01/1.9, dsn=2.0.0, status=sent (250 2.0.
On Mon, March 9, 2015 16:19, Viktor Dukhovni wrote:
> On Mon, Mar 09, 2015 at 04:05:51PM -0400, James B. Byrne wrote:
>
>> When I send directly to postmas...@land1.com then I see this:
>>
>> Mar 9 16:02:41 inet08 postfix/smtp[6447]: 14604601DC:
>> to=, relay=127.0.0.1[127.0.0.1]:10024,
>> delay=2
Anyone else getting backscatter from this subscriber? It looks like
they are trying to process the message as a list of addresses.
This is the mail system at host mail.devels.es.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached b
On Mon, Mar 09, 2015 at 04:29:38PM -0400, James B. Byrne wrote:
> > These are not the same MX hosts. The problem is the HELO name.
> > The second set of MX hosts does not object to short helo names.
>
> I am not clear on this resolution either. Actually, I do not have a
> clue about what it is t
Postfix documentation says: "Postfix already ships with SPF support,
in the form of a plug-in policy daemon. This is the preferred
integration model, at least until SPF is mandated by standards. "
I have not yet found the SPF plug-in policy daemon of Postfix, nor how to
configure it. Am I reading
On Monday, March 09, 2015 09:54:42 PM k...@keldix.com wrote:
> Postfix documentation says: "Postfix already ships with SPF support,
> in the form of a plug-in policy daemon. This is the preferred
> integration model, at least until SPF is mandated by standards. "
>
> I have not yet found the SPF p
On Mon, March 9, 2015 17:03, Scott Kitterman wrote:
> On Monday, March 09, 2015 09:54:42 PM k...@keldix.com wrote:
>> Postfix documentation says: "Postfix already ships with SPF support,
>> in the form of a plug-in policy daemon. This is the preferred
>> integration model, at least until SPF is ma
On Mon, March 9, 2015 16:50, Viktor Dukhovni wrote:
> So you're not reporting what is actually sent. With the remote
> server on "debug_peer_list", Postfix logs every command it sends
> and the remote reply. Otherwise get a tcpdump.
>
I have no idea what is going on. This was traced from a CL
Hello,
I have a few chained content filters based on pipe, so when the first
script ends its task, it sends the processed headers to the second script
and so on.
It is clear how to get the content back to Postfix as an input, using the
sendmail command. My question is how can the last content fil
On Mon, Mar 09, 2015 at 05:08:24PM -0400, James B. Byrne wrote:
> I have no idea what is going on.
So it seems, but you're also thinking clearly.
> This was traced from a CLI session
> on our primary MX host, inet08.hamilton.harte-lyne.ca. I do not see
> a shortened HELO in this. And it seems
I might be missing something, but I don't see a problem with a valid
trustworthy email contact is giving a person a valid and secure web
address.
If I received something unsolicited, I would never trust it.
But I have communicated with clients and services and asked them for
direct links to
Viktor Dukhovni wrote:
For policy services spawn is fine, because each smtpd(8) connects
once and makes many requests. However, you need to NOT exit until
the connection is closed by the client (i.e. smtpd(8)). Rather
you need to loop reading requests and writing responses until there
are no mo
On Tue, Mar 10, 2015 at 02:33:08AM +, Mick wrote:
> >With SQL tables you can make union queries that neatly solve the
> >problem at hand. Something along the lines of:
> >
> > SELECT sasl_login
> > FROM sender_to_login
> > WHERE sender_to_login.sender = '%u@%d' -- unlike %s, no pa
39 matches