[127.0.0.1] is the client HELO or EHLO command parameter.
[192.168.0.2] is the client IP address.
spatula.flat is the hostname for [192.168.0.2].
Re: Adding Message-ID is wrong
On Wed, Jun 02, 2004 at 01:56:54AM +0200, Alex van den Bogaerdt wrote:
> On Tue, Jun 01, 2004 at 11:25:28AM -0500, Jay Maynard wrote:
> > On Tue, Jun 01, 2004 at 06:05:37PM +0200, Alex van den Bogaerdt wrote:
> > > Note that "the following changes" are allowed at the origin, not on an
> > > intermediate relay!
> > How about the destination? You keep talking about destination SMTP servers
> > as though they are intermediate relays. Is this, in fact, what the RFC
> > intends?
> Where am I talking about "destination SMTP servers" ?
When Postfix is the SMTP server that, in turn, delivers to the client's
mailbox (either via its own local delivery mechanism, or by LMTP), it's the
destination server. It's not an intermediate relay in that case. That is the
case where I see Postfix adding Message-ID: headers.
> It specifically forbids altering/adding Message-ID, "From:" and "To:"
> when the MTA is an intermediate relay. This is a "MUST NOT" which is
> as strong as it gets.
It says nothing about when it's the destination server, then?
> I know next to nothing (nor does postfix) about the client connecting
> over the internet. Why would I want to add -my- domain to the headers?
> Why confuse my users?
Because having a Message-ID: is better than not having one?
Face it: you can't reject based on not having a Message-ID: header. You'll
lose far too much mail. BTDT. Given that, why do you care if there's one or
not, or what the contents are?
Re: Adding Message-ID is wrong
>>>Note that "the following changes" are allowed at the origin, not on an
>>>intermediate relay!
>>
>>How about the destination? You keep talking about destination SMTP servers
>>as though they are intermediate relays. Is this, in fact, what the RFC
>>intends?
>
> Where am I talking about "destination SMTP servers" ?
>
> But even then: The RFC allows, when being cautious, to alter the body
> when the MTA is the first one encountered _only_; initial submission.
> This is a "MAY" in that case, i.e. optional.
>
> It specifically forbids altering/adding Message-ID, "From:" and "To:"
> when the MTA is an intermediate relay. This is a "MUST NOT" which is
> as strong as it gets.
I've been wanting to be able to disable this for ages..
> I run postfix as an intermediate relay; I'm sure I'm not alone. Let's
> face it: postfix _is_ a good program. That doesn't mean it is perfect.
>
> I know next to nothing (nor does postfix) about the client connecting
> over the internet. Why would I want to add -my- domain to the headers?
> Why confuse my users?
A large amount of my userbase is very confused by the From:/To: fields
that Postfix inserts.. (especially when they try to reply to the mail..)
Cami
Re: NFS Maildirs
>1. Does any network storage platform come to mind as being
> particularly fast (in terms of "postfix needs to write mails to
> maildir, while clients hammer away using POP3 and IMAP) while being
> reasonably economical?
> We have an average of 13.000 Logins/h -- POP/IMAP
> Note that the network storage is not exclusively used by us only,
> but is being shared.
>
>
> Do you have to share the filesystem or the NAS as such?
>
>
>>2. Will any NFS solution scale? If not, what alternative is there?
We have just moved to a Dell CX600, and it's nothing short of amazing..
Each machine/mailhost connects to the CX600 via Fibre channel network
cards.. It's fast, very very fast..
Cami
Re: Confusing 'Received' Header
Wietse Venema wrote:
>>For some reason connections to a postfix 2.1.1 box running on my lan
>>from a host called spatula.flat seem to have a confusing Received header
>>added.
>>
>>Once such example is:
>>
>>Received: from [127.0.0.1] (spatula.flat [192.168.0.2])
>
>
> [127.0.0.1] is the client HELO or EHLO command parameter.
>
> [192.168.0.2] is the client IP address.
>
> spatula.flat is the hostname for [192.168.0.2].
Of course! I'm sorry I'd completely forgotten that. I've confirmed by
telnet-ing to port 25 and writing an email directly that the Received
header was then added correctly.
I think Mozilla Thunderbird 0.6 is generating the wrong hostname for use
in the HELO command - it used to always use the domain following the @
in the email address you were sending from.
Andrew
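The three fields Wietse names, pulled out of a Postfix-style Received: header by a short parser. This is an added example, not part of the original thread: the function names and finding labels are invented here, and apart from the header quoted above the sample headers are constructed. The HELO argument is whatever the client chose to send; the name and address in parentheses are what the server observed.

```python
import ipaddress
import re

# Postfix layout: from <HELO/EHLO argument> (<reverse-DNS name> [<client IP>])
RECEIVED_FROM = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)


def _strip_ipv6_tag(text):
    """Address literals may carry an 'IPv6:' tag in front of the address."""
    return text[5:] if text.lower().startswith("ipv6:") else text


def parse_received_from(header):
    """Return the client-supplied and server-observed parts, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())  # undo header folding
    m = RECEIVED_FROM.match(unfolded)
    if m is None:
        return None
    try:
        client_ip = ipaddress.ip_address(_strip_ipv6_tag(m.group("ip")))
    except ValueError:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "client_ip": client_ip}


def helo_findings(parsed):
    """Compare what the client claimed (HELO) with what the server saw."""
    findings = []
    helo, rdns, ip = parsed["helo"], parsed["rdns"], parsed["client_ip"]
    if helo.startswith("[") and helo.endswith("]"):
        # HELO given as an address literal, as in the thread's example.
        try:
            claimed = ipaddress.ip_address(_strip_ipv6_tag(helo[1:-1]))
        except ValueError:
            findings.append("helo-literal-invalid")
        else:
            if claimed != ip:
                findings.append("helo-literal-mismatch")
            if claimed.is_loopback and not ip.is_loopback:
                findings.append("helo-loopback")
    elif "." not in helo:
        findings.append("helo-not-fqdn")
    elif rdns.lower() != "unknown" and helo.lower() != rdns.lower():
        findings.append("helo-differs-from-rdns")
    if rdns.lower() == "unknown":
        findings.append("no-reverse-dns")
    return findings


def analyse(header):
    parsed = parse_received_from(header)
    return None if parsed is None else helo_findings(parsed)


# Header quoted in the thread.
THREAD_HEADER = "Received: from [127.0.0.1] (spatula.flat [192.168.0.2])"
# Constructed samples.
CLEAN_HEADER = ("Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
                "\tby mx.example.net (Postfix) with ESMTP id 0123456789")
BARE_HEADER = "Received: from friend (unknown [198.51.100.7])"

if __name__ == "__main__":
    for h in (THREAD_HEADER, CLEAN_HEADER, BARE_HEADER):
        print(parse_received_from(h), analyse(h))
```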
Re: Adding Message-ID is wrong
> I run postfix as an intermediate relay; I'm sure I'm not alone. Let's
> face it: postfix _is_ a good program. That doesn't mean it is perfect.
It is among _the_ best ones actually. :)
Re: Adding Message-ID is wrong
On Wed, Jun 02, 2004 at 02:04:58AM +0200, Cami wrote:
> A large amount of my userbase is very confused by the From:/To: fields
> that Postfix inserts.. (especially when they try to reply to the mail..)
Thank you. You understand the problem.
Do you have numbers on how many of such mail is malformed but otherwise
valid email? And how many of those do have a message-id?
As far as I can tell:
- mail without a message-id is spam or virus, perhaps a few exceptions
- those messages often have spoofed or non-fqdn headers
- the subject of filtering on a missing message-id has come up before
(as has the subject of non-FQDN from: and to:)
- adding a message-id is only optional as far as rfc822 is concerned
- adding a message-id is only optional as far as rfc2821 is concerned,
and several warnings are included such as this one:
"This strategy is generally considered appropriate when the server can
identify or authenticate the client, and there are prior agreements
between them. By contrast, there is at best great concern about fixes
applied by a relay or delivery SMTP server that has little or no
knowledge of the user or client machine."
- adding a message-id is specifically forbidden by rfc2821 when an MTA
is an intermediate (such as: spammer->MTA1->MTA2->destination when
postfix is MTA2)
- Correcting addresses to proper FQDN format is specifically forbidden
by rfc2821 when an MTA is an intermediate
- currently there's no way (AFAIK) to make postfix NOT add/correct the
headers despite the MUST NOT as discussed
So therefore I stand by my claim that adding a message-id is wrong. In
the message itself I stated that opinions and setups may differ so the
process should be configurable. I regret if my wordings are misinterpreted
however I have done my homework.
cheers,
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.
Re: Adding Message-ID is wrong
Alex van den Bogaerdt:
> As far as I can tell:
> - mail without a message-id is spam or virus, perhaps a few exceptions
I added a missing message ID warning and found that it would drop
legitimate SMTP mail that was forwarded by qmail. That was enough of
an exception for me to not provide this as a spam blocking feature.
There has to be a better reason than being strict to the letter of
some RFC that was written when Postfix already existed.
Wietse
Re: Adding Message-ID is wrong
>>A large amount of my userbase is very confused by the From:/To: fields
>>that Postfix inserts.. (especially when they try to reply to the mail..)
>
> Thank you. You understand the problem.
>
> Do you have numbers on how many of such mail is malformed but otherwise
> valid email?
110 million mail messages are spam (+30 million legitimate), of those
almost 5 million have To/From headers that Postfix replaces.. (monthly
statistics)
Having to deal with those clients is quite a headache as previously
we used Exim and then Qmail, and neither had the same behaviour..
Be that as it may, perhaps I'm being overcritical and having to
(in my opinion) use the best MTA comes with small burdens and a
lot more positive points..
> And how many of those do have a message-id?
Postfix accepts the mail, injects its own Message-ID and once queued,
the message gets passed on to SpamAssassin. SpamAssassin clearly can see
that the Message-ID was added by the wrong machine (part of the default
SA ruleset) and adjusts the SA scoring ..
50_scores.cf:score MSGID_FROM_MTA_SHORT 3.665 3.310 3.167 3.030
That's *extremely* high and has a very bad effect for legitimate
mail entering the system..
> As far as I can tell:
> - mail without a message-id is spam or virus, perhaps a few exceptions
That is not quite true.. I did some tagging on mails without
Message-IDs and found that there *is* quite a lot of legitimate
mail that does *not* have a Message-ID.. (especially from some
large mailing lists in the past..)
> - adding a message-id is specifically forbidden by rfc2821 when an MTA
> is an intermediate (such as: spammer->MTA1->MTA2->destination when
> postfix is MTA2)
> - currently there's no way (AFAIK) to make postfix NOT add/correct the
> headers despite the MUST NOT as discussed
>
> So therefore I stand by my claim that adding a message-id is wrong. In
> the message itself I stated that opinions and setups may differ so the
> process should be configurable. I regret if my wordings are misinterpreted
> however I have done my homework.
Just so I make my point known, the Message-ID bit is not really an
issue for me.. It's the From:/To: fields that cause the headaches..
Cami
Re: Adding Message-ID is wrong
> Postfix accepts the mail, injects its own Message-ID and once queued,
> the message gets passed on to SpamAssassin. SpamAssassin clearly can see
> that the Message-ID was added by the wrong machine (part of the default
> SA ruleset) and adjusts the SA scoring ..
> 50_scores.cf:score MSGID_FROM_MTA_SHORT 3.665 3.310 3.167 3.030
Forgot to mention this little bit..
If SpamAssassin finds no Message-ID in the message:
# (allow this test to pass if there's no Message-Id header)
header MSGID_HAS_NO_AT MESSAGEID !~ /\@/ [if-unset: NO@MSGID]
describe MSGID_HAS_NO_AT Message-Id has no @ sign
50_scores.cf:score MSGID_HAS_NO_AT 0
So according to SpamAssassin, having no Message-ID is fine..
Cami
Re: Virtual hosting with cyrus (mailboxes called user foo.domain)
On Tue, Jun 01, 2004 at 10:13:06PM +0100, Josef Karthauser wrote:
> Can someone point me in the right direction to get cyrus to use the
> transport "cyrus" to deliver to mailboxes with @'s in the name.
> How do I get postfix to use the 'cyrus' transport for mailboxes named in
> this way?
Ok, I've worked out most of it.
I added the following to my main.cf file:
virtual_transport = cyrusx
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailboxes
virtual_mailbox_domains = $virtual_mailbox_maps
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
And defined this in master.cf:
cyrusx    unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/local/cyrus/bin/deliver -e -m ${extension} ${recipient}
Which is basically the same as the cyrus rule but with ${recipient}
instead of ${user} defined so that the whole email address gets sent to
cyrus's deliver command.
This works, but I'm confused about virtual_mailbox_maps.
virtual:
me josef-k.net joe tao.org.uk
you josef-k.net test josef-k.net
vmailboxes:
test josef-k.net *
test2 josef-k.net *
This looks to me as if there are two mailboxes defined: test and test2
at josef-k.net, and that there are two aliases defined also.
Strangely if I attempt to deliver mail to test3 josef-k.net I get:
Jun 2 02:10:14 transwarp postfix/qmgr[65370]: 624B4EA52: from=<root tao.org.uk>, size=304, nrcpt=1 (queue active)
Jun 2 02:10:14 transwarp postfix/pipe[65469]: 624B4EA52: to=<test3 josef-k.net>, relay=cyrusx, delay=0, status=bounced (data format error. Command output: test3 josef-k.net: Mailbox does not exist )
Why is cyrusx trying to deliver mail to test3 josef-k.net? It's not
mentioned in the vmailboxes file. Shouldn't something be saying
user-unknown before it attempts the delivery agent?
Joe
--
Josef Karthauser (joe tao.org.uk) http://www.josef-k.net/
FreeBSD (cvs meister, admin and hacker) http://www.uk.FreeBSD.org/
Physics Particle Theory (student) http://www.pact.cpes.sussex.ac.uk/
================ An eclectic mix of fact and theory. =================
Re: NFS Maildirs
Linux Journal just ran an article about a large-scale migration to postfix,
etc. It can be found in the following links:
http://www.linuxjournal.com/article.php?sid=7323
http://www.linuxjournal.com/article.php?sid=7524
http://www.linuxjournal.com/article.php?sid=7456
We also just implemented a Dell CX-600 SAN for all of our Windows boxes.
It's fantastic. However, we found out (after purchase) that HP will not
support the connection from our N-Class HP-UX servers to the CX-600.
Apparently they only support connections to HP SANs (shocking!) and the EMC
Symmetrix stuff (probably to other brands...don't know).
John
----- Original Message -----
From: "Cami" <camis mweb.co.za>
To: <postfix-users postfix.org>
Sent: Tuesday, June 01, 2004 7:08 PM
Subject: Re: NFS Maildirs
> >1. Does any network storage platform come to mind as being
> > particularly fast (in terms of "postfix needs to write mails to
> > maildir, while clients hammer away using POP3 and IMAP) while being
> > reasonably economical?
> > We have an average of 13.000 Logins/h -- POP/IMAP
> > Note that the network storage is not exclusively used by us only,
> > but is being shared.
> >
> >
> > Do you have to share the filesystem or the NAS as such?
> >
> >
> >>2. Will any NFS solution scale? If not, what alternative is there?
>
> We have just moved to a Dell CX600, and it's nothing short of amazing..
> Each machine/mailhost connects to the CX600 via Fibre channel network
> cards.. It's fast, very very fast..
>
> Cami
>
Re: Best POP/IMAP Server
On Tuesday 01 June 2004 13:08, Matt Krause wrote:
> Forgive me for writing out this to the Postfix group, but I was wanting
> the opinion of Postfix users as to what the best POP/IMAP server is to
> run over the top of Postfix. Right now, but I am using the Courier
> servers, but am unhappy with the amount of information in the log files.
> Can anyone tell me what Qpoppers logs files are like and how detailed
> you can make them? Also, are there any other decent IMAP servers out
> there?
>
> Thanks.
My vote is for courier-imap. It takes advantage of postfix's ability to
deliver to a maildir and, if configured (easy) first, will generate its own
TLS certs (both for imap and pop3) the first time you fire it up.
Cyrus-imap looks interesting, but its configuration is a bit more challenging.
--
BOFH excuse #187:
Reformatting Page. Wait...
SASL auth - fatal: per-session SASL client initialization
I am trying to enable SASL authentication in the
postfix smtp client using Cyrus SASL. According to
the logs, the transport map, user and password
database lookup, and smtp EHLO command all occur
correctly. Then I get:
:starting new SASL client
:fatal: per-session SASL client initialization
Here is my /usr/local/sasl/smtpd.conf file:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login
sasldb_path: /etc/sasldb2
Setup:
RedHat9 (kernel 2.4.20-8)
Cyrus 2.1.10
postfix 2.1.1
postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debug_peer_list = lostinthewood.com, nvsys.com,
sbcglobal.net, 66.163.171.137
default_privs = nobody
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
local_recipient_maps = unix:passwd.byname
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain
mydomain = lostinthewood.com
myhostname = montague.lostinthewood.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps =
hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options =
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/valias
virtual_gid_maps = static:200
virtual_mailbox_base = /var/mail/hosts
virtual_mailbox_domains = novemberskies.com,
picfbcla.com, gatesmiths.com lostinthewood.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:200
I can provide more info if necessary, but hopefully
someone has seen this and can tell me what is wrong,
probably something simple.
Thanks for any help,
Gregg
__________________________________
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/
Re: Adding Message-ID is wrong
On Mon, May 24, 2004 at 09:03:27AM -0400, Wietse Venema wrote:
> Alex van den Bogaerdt:
> > I have spent several hours
> > studying the source, and am confident I can make postfix RFC2821 compliant
> > at least on that small part. It will be a non-public patch, so be it.
>
> There are better ways to get something into Postfix than doing that.
> All I have seen is griping, and THAT really turns me off.
maybe postfix should only add a missing Message-Id if the client IP address is
in $mynetworks (or authenticated with SMTP AUTH or tls certificate or perhaps
even pop-before-smtp).
craig
--
craig sanders <cas taz.net.au>
The next time you vote, remember that "Regime change begins at home"
Re: Authentication failed sasl & mysql (SOLVED)
On Wednesday, 2 June 2004 01:48, erri wrote:
> Look at log:
> Jun 2 01:42:41 aixsrv2 postfix/smtpd[307352]: > unknown[172.26.0.2]:
> 250-AUTH PLAIN
>
> Jun 2 01:42:41 aixsrv2 postfix/smtpd[307352]: > unknown[172.26.0.2]:
> 250-AUTH=PLAIN
>
> Jun 2 01:42:41 aixsrv2 postfix/smtpd[307352]: match_list_match: unknown: no
> match
>
> Jun 2 01:42:41 aixsrv2 postfix/smtpd[307352]: match_list_match: 172.26.0.2:
> no match
>
> Jun 2 01:42:41 aixsrv2 postfix/smtpd[307352]: > unknown[172.26.0.2]: 250
> 8BITMIME
>
> Jun 2 01:42:41 aixsrv2 postfix/smtpd[307352]: watchdog_pat: 2004ec60
>
> Jun 2 01:42:41 aixsrv2 postfix/smtpd[307352]: < unknown[172.26.0.2]: MAIL
> FROM: <usu domainx.com>
There is no authenticating. The client does not speak "PLAIN", maybe it can
only handle "LOGIN" (maybe Outlook).
The mech_list option was only to test whether you are editing the right
smtpd.conf. Delete the line and try it again.
--
Andreas
Re: Adding Message-ID is wrong
On Tue, Jun 01, 2004 at 06:05:37PM +0200, Alex van den Bogaerdt wrote:
> Note that "the following changes" are allowed at the origin, not on an
> intermediate relay!
>
> A spammer sends mail with just a bare "From: spammer" as the RFC822 sender
> address. Postfix appends $myorigin to it. Users get mail from a supposedly
> local user. Difficult to explain to them *that* postfix adds its own name,
> not possible to respond to the general response of "But... thats stupid. Why
> does it do that?"
the answer is that lots of local users are stupid and configure their mail
clients to send mail from just plain "john" rather than "john example.com".
in this particular instance, postfix IS the originating SMTP server, acting on
behalf of the client and what it does is a Good Thing. it drastically reduces
the number of stupid questions from stupid users with misconfigured mail
clients. the one or two stupid questions per year from people puzzled by the
behaviour are a tiny price to pay.
it's probably not possible to implement without radical changes to the way that
postfix works (which would cost far more than it is worth), but a strong
argument could be made that postfix should only append $mydomain when the
client IP address is in $mynetworks or has been authenticated.
another possibility is to only make these changes IF there aren't any Received:
headers (apart from the one added by the local postfix). it won't help with
direct-to-mx spam/viruses(*), but otherwise it is a pretty good indicator of
whether the local postfix is the first smtp server that has seen the message or
not.
(*) these often have several forged Received headers anyway.
craig
--
craig sanders <cas taz.net.au>
The next time you vote, remember that "Regime change begins at home"
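craig's two proposals above (fix headers only for $mynetworks or authenticated clients, or only when the message carries no Received: headers yet), modelled side by side. This is an added illustration, not Postfix code and not from the thread: the function names, policy labels, network list, origin domain and sample messages are all constructed, and the messages are shown as they arrive, before the local server adds its own Received: line.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for $mynetworks and $myorigin.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
MYORIGIN = "example.com"


def is_trusted_client(client_ip, sasl_authenticated):
    """Proposal 1: client is in mynetworks or has authenticated."""
    ip = ipaddress.ip_address(client_ip)
    return sasl_authenticated or any(ip in net for net in MYNETWORKS)


def has_no_received(msg):
    """Proposal 2: no earlier hop has stamped the message."""
    return not msg.get_all("Received", [])


def planned_fixups(raw_message, client_ip, sasl_authenticated, policy):
    """List the header changes the chosen policy would permit."""
    msg = message_from_string(raw_message)
    if policy == "trusted-client":
        allowed = is_trusted_client(client_ip, sasl_authenticated)
    elif policy == "no-received":
        allowed = has_no_received(msg)
    else:
        raise ValueError("unknown policy: %r" % policy)
    if not allowed:
        return []  # behave as a relay: leave the headers alone
    changes = []
    if msg["Message-ID"] is None:
        changes.append("add Message-ID")
    for name in ("From", "To"):
        addr = parseaddr(msg.get(name, ""))[1]
        if addr and "@" not in addr:
            changes.append("%s: %s -> %s@%s" % (name, addr, addr, MYORIGIN))
    return changes


# Constructed messages.
LOCAL_SUBMISSION = "From: john\nTo: jane@example.com\nSubject: lunch\n\nhi\n"
DIRECT_TO_MX = "From: spammer\nTo: jane@example.com\nSubject: offer\n\nbuy\n"
RELAYED = ("Received: from mta1.example.org (mta1.example.org [198.51.100.9])\n"
           "\tby mta2.example.net (Postfix) with ESMTP id 0000000000\n"
           "From: list\nTo: jane@example.com\nSubject: digest\n\ntext\n")

if __name__ == "__main__":
    cases = [("local client", LOCAL_SUBMISSION, "192.168.0.2"),
             ("direct-to-MX", DIRECT_TO_MX, "203.0.113.50"),
             ("relayed", RELAYED, "198.51.100.9")]
    for policy in ("trusted-client", "no-received"):
        for label, raw, ip in cases:
            print(policy, label, planned_fixups(raw, ip, False, policy))
```

The direct-to-MX case is the one the footnote concedes: under the no-received rule an outside sender with a bare "From: spammer" still gets the local domain appended, while the trusted-client rule leaves it untouched.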
Re: SASL auth - fatal: per-session SASL client initialization
On Wednesday, 2 June 2004 05:47, Gregg Donley wrote:
> I am trying to enable SASL authentication in the
> postfix smtp client using Cyrus SASL. According to
> the logs, the transport map, user and password
> database lookup, and smtp EHLO command all occur
>
> correctly. Then I get:
> :starting new SASL client
> :fatal: per-session SASL client initialization
>
> Here is my /usr/local/sasl/smtpd.conf file:
Check your Cyrus-SASL version. I would guess you are using sasl2. So look in
/usr/local/lib/sasl2/ for the smtpd.conf.
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: plain login
> sasldb_path: /etc/sasldb2
Most of these are sasl2 options.
> Setup:
> RedHat9 (kernel 2.4.20-8)
> Cyrus 2.1.10
> postfix 2.1.1
Show:
# ldd `postconf -h daemon_directory`/smtpd
--
Andreas
Re: SASL auth - fatal: per-session SASL client initialization
--- Andreas Winkelmann <ml awinkelmann.de> wrote:
> On Wednesday, 2 June 2004 05:47, Gregg Donley wrote:
>
> > I am trying to enable SASL authentication in the
> > postfix smtp client using Cyrus SASL. According
> to
> > the logs, the transport map, user and password
> > database lookup, and smtp EHLO command all occur
> >
> > correctly. Then I get:
> > :starting new SASL client
> > :fatal: per-session SASL client initialization
> >
> > Here is my /usr/local/sasl/smtpd.conf file:
>
> Check your Cyrus-SASL Version. I would guess you are
> using sasl2. So look in
> /usr/local/lib/sasl2/ for the smtpd.conf.
Sorry, my typo, I am using sasl2 and this was my
/usr/local/sasl2/smtpd.conf file.
>
> > pwcheck_method: auxprop
> > auxprop_plugin: sasldb
> > mech_list: plain login
> > sasldb_path: /etc/sasldb2
>
> Most of this are sasl2-options.
>
> > Setup:
> > RedHat9 (kernel 2.4.20-8)
> > Cyrus 2.1.10
> > postfix 2.1.1
>
> Show:
>
> # ldd `postconf -h daemon_directory`/smtpd
>
> --
> Andreas
>
Re: SASL auth - fatal: per-session SASL client initialization
On Wednesday, 2 June 2004 06:28, Gregg Donley wrote:
> > > correctly. Then I get:
> > > :starting new SASL client
> > > :fatal: per-session SASL client initialization
> > >
> > > Here is my /usr/local/sasl/smtpd.conf file:
> >
> > Check your Cyrus-SASL Version. I would guess you are
> > using sasl2. So look in
> > /usr/local/lib/sasl2/ for the smtpd.conf.
>
> Sorry, my typo, I am using sasl2 and this was my
> /usr/local/sasl2/smtpd.conf file.
>
> > > pwcheck_method: auxprop
> > > auxprop_plugin: sasldb
> > > mech_list: plain login
> > > sasldb_path: /etc/sasldb2
Does the link /usr/lib/sasl2 -> /usr/local/lib/sasl2 exist? Is there another one
in /usr/lib/sasl2?
Most of the time this error occurs when there are "=" signs instead of ":" in the
smtpd.conf.
--
Andreas
Re: SASL auth - fatal: per-session SASL client initialization
--- Gregg Donley <greggd1 yahoo.com> wrote:
>
> --- Andreas Winkelmann <ml awinkelmann.de> wrote:
> > On Wednesday, 2 June 2004 05:47, Gregg Donley wrote:
> >
> > > I am trying to enable SASL authentication in the
> > > postfix smtp client using Cyrus SASL. According
> > to
> > > the logs, the transport map, user and password
> > > database lookup, and smtp EHLO command all occur
> > >
> > > correctly. Then I get:
> > > :starting new SASL client
> > > :fatal: per-session SASL client initialization
> > >
> > > Here is my /usr/local/sasl/smtpd.conf file:
> >
> > Check your Cyrus-SASL Version. I would guess you
> are
> > using sasl2. So look in
> > /usr/local/lib/sasl2/ for the smtpd.conf.
>
> Sorry, my typo, I am using sasl2 and this was my
> /usr/local/sasl2/smtpd.conf file.
Sorry for the waste of bandwidth, but before I confuse
everyone it is "/usr/lib/sasl2/smtpd.conf" which is
the same as "/usr/local/lib/sasl2/smtpd.conf".
>
> >
> > > pwcheck_method: auxprop
> > > auxprop_plugin: sasldb
> > > mech_list: plain login
> > > sasldb_path: /etc/sasldb2
> >
> > Most of this are sasl2-options.
> >
> > > Setup:
> > > RedHat9 (kernel 2.4.20-8)
> > > Cyrus 2.1.10
> > > postfix 2.1.1
> >
> > Show:
> >
> > # ldd `postconf -h daemon_directory`/smtpd
> >
> > --
> > Andreas
> >
Re: Adding Message-ID is wrong
>>A spammer sends mail with just a bare "From: spammer" as the RFC822 sender
>>address. Postfix appends $myorigin to it. Users get mail from a supposedly
>>local user. Difficult to explain to them *that* postfix adds its own name,
>>not possible to respond to the general response of "But... thats stupid. Why
>>does it do that?"
>
> the answer is that lots of local users are stupid and configure their mail
> clients to send mail from just plain "john" rather than "john example.com".
You are making huge presumptions..
> in this particular instance, postfix IS the originating SMTP server, acting on
> behalf of the client and what it does is a Good Thing. it drastically reduces
> the number of stupid questions from stupid users with misconfigured mail
> clients. the one or two stupid questions per year from people puzzled by the
> behaviour are a tiny price to pay.
Clearly you do not work for any large ISP..
> it's probably not possible to implement without radical changes to the way that
> postfix works (which would cost far more than it is worth), but a strong
> argument could be made that postfix should only append $mydomain when the
> client IP address is in $mynetworks or has been authenticated.
Agreed..
> another possibility is to only make these changes IF there aren't any Received:
> headers (apart from the one added by the local postfix). it won't help with
> direct-to-mx spam/viruses(*), but otherwise it is a pretty good indicator of
> whether the local postfix is the first smtp server that has seen the message or
> not.
*Why*? This is exactly what you do not want..
Cami
Re: NFS Maildirs
> http://www.linuxjournal.com/article.php?sid=7323
>
> http://www.linuxjournal.com/article.php?sid=7524
>
> http://www.linuxjournal.com/article.php?sid=7456
>
> We also just implemented a Dell CX-600 SAN for all of our Windows boxes.
> It's fantastic. However, we found out (after purchase) that HP will not
> support the connection from our N-Class HP-UX servers to the CX-600.
We have our entire solution certified and supported by EMC..
They have strict requirements on OS/drivers etc etc, but its
proven to provide far more joy in the long run..
Cami
Re: Greylisting and whitelists for bad mailers???
* Jason Fesler <jfesler gigo.com>:
> Also, ebay's retry times seem to be about *4h*.
Got a list of their outbound relays?
--
Ralf Hildebrandt Ralf.Hildebrandt charite.de
my current spamtrap spamtrap charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
I'm awaiting the day that SCO claims that Osama himself has submitted
patches to the kernel and that Alan Cox collaborated with Saddam
Hussein in the mid 90's.
Re: Adding Message-ID is wrong
* Alex van den Bogaerdt <alex ergens.op.het.net>:
> I know next to nothing (nor does postfix) about the client connecting
> over the internet. Why would I want to add -my- domain to the
> headers? Why confuse my users?
You do have a point there, and that's a long standing issue with
Postfix.
But Postfix cannot know if it's an initial submission or if Postfix is
performing relay duties.
On a setup like here, where hauptpostamt.charite.de is just a relay,
we might as well turn the message-id generation off. Unfortunately, we
need to keep the function append_at_myorigin, or all our virtual
aliasing will break. I could fix that, but that would be a lot of work.
--
Ralf Hildebrandt Ralf.Hildebrandt charite.de
my current spamtrap spamtrap charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
"Windows 95 /n./ 32 bit extensions and a graphical shell for a 16 bit
patch to an 8 bit operating system originally coded for a 4 bit
microprocessor, written by a 2 bit company that can't stand 1 bit of
competition."
Re: Adding Message-ID is wrong
* Wietse Venema <wietse porcupine.org>:
> I added a missing message ID warning and found that it would drop
> legitimate SMTP mail that was forwarded by qmail.
Well, the warning would be ok. Why not add an option to add a warning
in the snapshot and then we could all try HOW MUCH MAIL ACTUALLY comes
without a message-id and what kind of mail that is. Some sort of field
study.
--
Ralf Hildebrandt Ralf.Hildebrandt charite.de
my current spamtrap spamtrap charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
Given the opacity of the product, how could a Windows admin ever know
as much about Windows as a UNIX admin does about UNIX?! (Roger B. A.
Klorese on Postfix Mailing List)
Re: Greylisting and whitelists for bad mailers???
>>Also, ebay's retry times seem to be about *4h*.
>
> Got a list of their outbound relays?
http://www.greylisting.org/whitelisting.html
66.135.209 # Ebay (for time critical alerts)
66.135.197 # Ebay
Re: Adding Message-ID is wrong
>> I added a missing message ID warning and found that it would drop
>> legitimate SMTP mail that was forwarded by qmail.
>
> Well, the warning would be ok. Why not add an option to add a warning
> in the snapshot and then we could all try HOW MUCH MAIL ACTUALLY comes
> without a message-id and what kind of mail that is. Some sort of field
> study.
Adding a warning for a message not having Message-ID is fine, however
rejecting that message because it does not have one isn't a good idea..
Cami
smtp auth question
Hi,
I have realised on my mail server that when users are authenticated
against my smtp server they can change From: field with different username
within my domain. MS outlook express allows you to specify different
SMTP-AUTH username/pass than your account. Thus a clever!! user can abuse
it with authenticating against my smtp server but can send mails under
another account. Is there a way to prevent this?
REGARDS
--
Omer Faruk Sen
http://www.faruk.net
Public Key: http://www.faruk.net/omer.asc
Re: smtp auth question
>Thus a clever!!
> user can abuse it with authenticating against my smtp server but can
> send mails under another account. Is there a way to prevent this?
>
They will need to know the password of the account they are using to
send out with. SMTP-AUTH requires a valid username & password pair.
If they only know their own username & password then they can't do as
you suspected.
--
Regards
Mick Pollard ( lunix )
------------------------------------------------
BOFH Excuse of the day:
Static Registry Underflow Error
Re: Greylisting and whitelists for bad mailers???
> Got a list of their outbound relays?
Haven't tracked it to be honest. I'm whitelisting based on combination of
both sender and reverse DNS name. My understanding is the first box that
tries to talk to you, if it fails for any reason (including greylisting),
they punt it to a different box for the slow deliveries. That box,
immediately tries once as well, then sits on the message for hours.
My number one user of course was affected by this. Since I'm married to
such user, I actually paid attention.. :-)
RE: Postfix+Virtual Domain+imapd
I think that if you want to use courier-imap you have to use Maildir (not
mailbox).
You can specify it on main.cf like, home_mailbox = Maildir/ and comment out
the home_mailbox = Mailbox directive.
I think it will work for you.
_____
From: owner-postfix-users postfix.org
[mailto:owner-postfix-users postfix.org] On Behalf Of IZEM Farid
Sent: Tuesday, June 01, 2004 4:20 PM
To: postfix-users postfix.org
Subject: Postfix+Virtual Domain+imapd
Hi all,
I'm testing Postfix Virtual Domain and Courier-Imap on FreeBSD 5.1.
Courier-Imap basic setup seems to be working.
Authentication is good. No error in my log.
Directory where to store the mailbox is /var/vhosts/dsi.test.fr/First
Name.LastName
It's the first time using courier-imap so I 'm currently using userdb
authentication.
Postfix configuration:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydomain = test.fr
myhostname = myserver.test.fr
mynetworks = 192.168.0.0/16, 172.19.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vhosts
virtual_mailbox_domains = dsi.test.fr
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
Content of vmailbox:
farid.izem dsi.test.fr dsi.test.fr/farid.izem/farid.izem
Mail is delivered as I get no error in my logs:
Jun 1 14:32:07 ABXCompaq postfix/smtpd[40397]: connect from
ABXCompaq.dsi.test.fr[192.168.1.81]
Jun 1 14:32:28 ABXCompaq postfix/smtpd[40397]: 910A0B8073:
client=ABXCompaq.dsi.test.fr[192.168.1.81]
Jun 1 14:32:47 ABXCompaq postfix/cleanup[40399]: 910A0B8073:
message-id=<20040601123228.910A0B8073 abxcompaq.abxlogistics.fr>
Jun 1 14:32:47 ABXCompaq postfix/qmgr[40395]: 910A0B8073:
from=<farid.izem dsi.test.fr>, size=416, nrcpt=1 (queue active)
Jun 1 14:32:47 ABXCompaq postfix/virtual[40401]: 910A0B8073:
to=<farid.izem dsi.test.fr>, relay=virtual, delay=19, status=sent (mailbox)
I can't retrieve mail from the imapd server.
Do I need something to add to postfix in order to deliver mail to
courier-imap ??
All the information I found when googling is Postfix+MySQL+Courier Imap !!!
Nothing on a simple installation.
Thanks for your help, your time and the work you are doing on Postfix.
Farid IZEM
Unix Systems Engineer
Société ABX Logistics France
48-50, route principale du port
92232 Gennevilliers
Tel.: 01-41-47-61-78
Email : farid.izem abxlogistics.fr
Re: smtp auth question
I have verified myself that using valid username/password for smtp-auth
but changing From: line can be done easily by modifying Outlook (Tools
-->Accounts -->Mail -->Properties -->General-->Email address ..)
>>Thus a clever!!
>> user can abuse it with authenticating against my smtp server but can
>> send mails under another account. Is there a way to prevent this?
>>
> They will need to know the password of the account they are using to
> send out with. SMTP-AUTH requires a valid username & password pair.
> If they only know their own username & password then they can't do as
> you suspected.
>
>
> --
> Regards
> Mick Pollard ( lunix )
> ------------------------------------------------
> BOFH Excuse of the day:
> Static Registry Underflow Error
>
--
Omer Faruk Sen
http://www.faruk.net
Public Key: http://www.faruk.net/omer.asc
Content_filter for certain users only
Hi,
I wish to use a content filter for certain users only.
The goal is to test an anti-spam tool for certain users only.
For the moment, a
Has anyone ever done this ??
I use postfix 2.0.19 on solaris 2.6.
Here is an extract of my master.cf :
smtp inet n - n - - smtpd
    -o content_filter=smtp:[localhost]:10999 -o disable_dns_lookups=yes
localhost:10926 inet n - n - - smtpd
    -o content_filter= -o myhostname=localhost
The 10999 port is used by interscan viruswall. All traffic is sent to
viruswall and sent back to the smtpd on port 10926.
Thanks
Nicolas figaro
Re: clamAV and postifix without spamassassin
To set up SpamAssassin with amavisd-new you need to install both and
then edit the defaults in /etc/amavisd.conf
    # SpamAssassin settings
To your liking. Also search for the section with
    av_scanners = (
And make sure you have something like the following uncommented:
    ['Clam Antivirus-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/amavis/clamd.sock"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
So that you use the fast C daemon. Next edit /etc/clamav.conf
In particular make sure you use the same user as for amavis, and use the
same unix socket for amavis too:
    PidFile /var/run/clamav/clamd.pid
    User amavis
Start both amavisd-new and clamd daemons. Check your syslog (with
$log_level = 2;) for something like:
May 28 06:24:27 mail amavis[5600]: starting. amavisd at
mail.hardcore-gaming.net amavisd-new-20030616-p9, Unicode aware
May 28 06:24:27 mail amavis[5600]: Perl version 5.008003
May 28 06:24:27 mail amavis[5600]: Module Amavis::Conf 1.15
May 28 06:24:27 mail amavis[5600]: Module Archive::Tar 1.05
May 28 06:24:27 mail amavis[5600]: Module Archive::Zip 1.06
May 28 06:24:27 mail amavis[5600]: Module Compress::Zlib 1.22
May 28 06:24:27 mail amavis[5600]: Module Convert::TNEF 0.17
May 28 06:24:27 mail amavis[5600]: Module Convert::UUlib 0.31
May 28 06:24:27 mail amavis[5600]: Module MIME::Entity 5.404
May 28 06:24:27 mail amavis[5600]: Module MIME::Parser 5.406
May 28 06:24:27 mail amavis[5600]: Module MIME::Tools 5.411
May 28 06:24:27 mail amavis[5600]: Module Mail::Header 1.60
May 28 06:24:27 mail amavis[5600]: Module Mail::Internet 1.60
May 28 06:24:27 mail amavis[5600]: Module Mail::SpamAssassin 2.63
May 28 06:24:27 mail amavis[5600]: Module Net::Cmd 2.24
May 28 06:24:27 mail amavis[5600]: Module Net::DNS 0.40
May 28 06:24:27 mail amavis[5600]: Module Net::SMTP 2.26
May 28 06:24:27 mail amavis[5600]: Module Net::Server 0.85
May 28 06:24:27 mail amavis[5600]: Module Time::HiRes 1.5
May 28 06:24:27 mail amavis[5600]: Module Unix::Syslog 0.100
May 28 06:24:27 mail amavis[5600]: Found myself: /usr/sbin/amavisd -c
/etc/amavisd.conf
May 28 06:24:27 mail amavis[5600]: Lookup::SQL code NOT loaded
May 28 06:24:27 mail amavis[5600]: Lookup::LDAP code NOT loaded
May 28 06:24:27 mail amavis[5600]: AMCL-in protocol code loaded
May 28 06:24:27 mail amavis[5600]: SMTP-in protocol code loaded
May 28 06:24:27 mail amavis[5600]: ANTI-VIRUS code loaded
May 28 06:24:27 mail amavis[5600]: ANTI-SPAM code loaded
May 28 06:24:27 mail amavis[5601]: Net::Server: Process Backgrounded
May 28 06:24:27 mail amavis[5601]: Net::Server: 2004/05/28-06:24:27
Amavis (type Net::Server::PreForkSimple) starting! pid(5601)
May 28 06:24:28 mail amavis[5601]: Net::Server: Binding to UNIX socket
file /var/run/amavis/amavisd.sock using SOCK_STREAM
May 28 06:24:28 mail amavis[5601]: Net::Server: Binding to TCP port
10024 on host 127.0.0.1
May 28 06:24:28 mail amavis[5601]: Net::Server: Setting gid to "441 441"
May 28 06:24:28 mail amavis[5601]: Net::Server: Setting uid to "102"
May 28 06:24:28 mail amavis[5601]: Net::Server: Couldn't POSIX::setuid
to "102" []
May 28 06:24:28 mail amavis[5601]: Found $file at /usr/bin/file
May 28 06:24:28 mail amavis[5601]: Found $arc at /usr/bin/arc
May 28 06:24:28 mail amavis[5601]: Found $gzip at /bin/gzip
May 28 06:24:28 mail amavis[5601]: Found $bzip2 at /bin/bzip2
May 28 06:24:28 mail amavis[5601]: Found $lzop at /usr/bin/lzop
May 28 06:24:28 mail amavis[5601]: Found $lha at /usr/bin/lha
May 28 06:24:28 mail amavis[5601]: Found $unarj at /usr/bin/unarj
May 28 06:24:28 mail amavis[5601]: Found $uncompress at /usr/bin/uncompress
May 28 06:24:28 mail amavis[5601]: Found $unfreeze at /usr/bin/unfreeze
May 28 06:24:28 mail amavis[5601]: Found $unrar at /usr/bin/unrar
May 28 06:24:28 mail amavis[5601]: Found $zoo at /usr/bin/zoo
May 28 06:24:28 mail amavis[5601]: Found $cpio at /usr/bin/cpio
May 28 06:24:28 mail amavis[5601]: Using internal av scanner code for
(primary) Clam Antivirus-clamd
May 28 06:24:28 mail amavis[5601]: SpamControl: initializing
Mail::SpamAssassin
And:
May 28 06:24:32 mail clamd[6042]: Daemon started.
May 28 06:24:32 mail clamd[6042]: Log file size limited to 262144000 bytes.
May 28 06:24:32 mail clamd[6042]: Running as user amavis (UID 102, GID 441)
May 28 06:24:32 mail clamd[6042]: Reading databases from /var/lib/clamav
May 28 06:24:32 mail clamd[6042]: Protecting against 21650 viruses.
May 28 06:24:33 mail clamd[6044]: Unix socket file
/var/run/amavis/clamd.sock
May 28 06:24:33 mail clamd[6044]: Setting connection queue length to 50
May 28 06:24:33 mail clamd[6044]: Archive: Archived file size limit set
to 209715200 bytes.
May 28 06:24:33 mail clamd[6044]: Archive: Recursion level limit set to 10.
May 28 06:24:33 mail clamd[6044]: Archive: Files limit set to 100000.
May 28 06:24:33 mail clamd[6044]: Archive: Compression ratio limit set
to 200.
May 28 06:24:33 mail clamd[6044]: Archive support enabled.
May 28 06:24:33 mail clamd[6044]: RAR support enabled.
May 28 06:24:33 mail clamd[6044]: Mail files support enabled.
May 28 06:24:33 mail clamd[6044]: OLE2 support enabled.
May 28 06:24:33 mail clamd[6044]: Self checking every 2000 seconds.
May 28 06:24:33 mail freshclam[6046]: Freshclam started.
May 28 06:24:33 mail freshclam[6047]: freshclam daemon started (pid=6047)
May 28 06:24:33 mail freshclam[6047]: ClamAV update process started at
Fri May 28 06:24:33 2004
May 28 06:24:34 mail freshclam[6047]: main.cvd is up to date (version:
23, sigs: 21096, f-level: 2, builder: ddm)
In your /etc/postfix/main.cf add something like the following, note the
10024, make sure amavisd-new is configured for this:
    content_filter=smtp-amavis:[127.0.0.1]:10024
At the end of /etc/postfix/master.cf add:
smtp-amavis unix - - n - 2 lmtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
That should be most of it. You're relaying from Postfix to amavisd-new
via LMTP (scan mass emails once), then from amavisd-new back to Postfix
via SMTP.
Limme know if you have questions.
-ryan
Dustin Krysak wrote:
> 2) can someone point to a somewhat current how-to for this setup?
> clamAV/glue/postfix. Without any extras. I could decipher the current
> how-tos and take the relevant info, but i am hoping to avoid any
> mess-ups due to a misinterpretation.
>
> Thanks in advance.
>
> Dustin
>
Automtic User Subdomains
For each user named 'foo' on my system, I'd like to have it so
'<ANYTHING> foo.users.inorganic.org' goes to foo inorganic.org
Normally, I'd need two entries in virtual:
foo.users.inorganic.org filler
foo.users.inorganic.org foo inorganic.org
It _looked_ like (reading virtual and regexp_table) I could do the second
half automatically thus:
/ (.*).users.inorganic.org/ ${1} inorganic.org
So I figured maybe I'd be able to do this with the first line also,
resulting in these two lines in my virtual table:
/(.*).users.inorganic.org/ filler
/ (.*).users.inorganic.org/ ${1} inorganic.org
I've made no changes to main.cf because there doesn't seem to be a need to
include alias domains in both virtual and, say, mydestination. postconf -n
output is attached, of course.
Unfortunately, mailing to something rsr.users.inorganic.org gets me a
bounce with the dreaded
---
Diagnostic-Code: X-Postfix; mail for rsr.users.inorganic.org loops back to mysel
---
And these logfile entries:
---
16.239.56.246]
Jun 1 23:30:49 puppy postfix/smtpd[15774]: [ID 197553 mail.info] connect from mproxy.gmail.com[216.239.56.249]
Jun 1 23:30:49 puppy postfix/smtpd[15774]: [ID 197553 mail.info] 67CCD43E1: client=mproxy.gmail.com[216.239.56.249]
Jun 1 23:30:49 puppy postfix/cleanup[15777]: [ID 197553 mail.info] 67CCD43E1: message-id=<d9e4c7fc04060123302d52216a mail.gmail.com>
Jun 1 23:30:49 puppy postfix/qmgr[15769]: [ID 197553 mail.info] 67CCD43E1: from=<royrapoport gmail.com>, size=743, nrcpt=2 (queue active)
Jun 1 23:30:49 puppy postfix/smtpd[15774]: [ID 197553 mail.info] disconnect from mproxy.gmail.com[216.239.56.249]
Jun 1 23:30:49 puppy postfix/smtp[15778]: [ID 197553 mail.info] 67CCD43E1: to=<whatever rsr.users.inorganic.org>, relay=none, delay=0, status=bounced (mail for rsr.users.inorganic.org loops back to myself)
---
What am I missing? What docs should I be reading to figure this out?
-roy
Inbound connections through Cisco PIX failing?
Hi!
I have a problem at a customer site, with a newly installed Postfix
version 2.1.1. The Postfix machine is behind a Cisco PIX firewall, as
seen by trying to connect from the outside:
220 SMTP/cmap ready_________________________________________________________________
Now, the problem is that mail from hotmail, and quite a few other
domains, doesn't arrive as expected. The only thing seen in the
Postfix logs are entries like these:
May 28 04:16:27 eskil postfix/smtpd[14289]: connect from bay17-f42.bay17.hotmail.com[64.4.43.92]
May 28 04:16:28 eskil postfix/smtpd[14289]: disconnect from bay17-f42.bay17.hotmail.com[64.4.43.92]
There is nothing inbetween the two lines above for that particular
smtpd process.
I suspect this is a problem with the Cisco PIX. Unfortunately, I don't
know the exact version of the PIX, nor have I been able to put
hotmail.com in the debug_peer_list to get more info out of Postfix,
and currently the customer has gone back to his old Sendmail
configuration (which works flawlessly for all inbound connections).
Any ideas on this? I know there was problems with Postfix _sending_
mail to other servers behind a Cisco PIX, a few years ago, but I
haven't heard of the other direction. On the other hand, I've been off
this list a while.. I couldn't find any relevant Google hits or FAQ
entries.
Regards,
\EF
--
Erik Forsberg Telephone: +46-13-21 46 00
Cendio AB Web: http://www.cendio.com
RE: Inbound connections through Cisco PIX failing?
Usually when PIX issues occur disabling smtp fixup seems to be the
suggestion.
regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:paul.hutchings mira.co.uk
> -----Original Message-----
> From: Erik Forsberg [mailto:forsberg+pfu cendio.se]
> Sent: 02 June 2004 08:42
> To: postfix-users postfix.org
> Subject: Inbound connections through Cisco PIX failing?
>
>
> Hi!
>
> I have a problem at a customer site, with a newly installed Postfix
> version 2.1.1. The Postfix machine is behind a Cisco PIX firewall, as
> seen by trying to connect from the outside:
>
> 220 SMTP/cmap
> ready_________________________________________________________________
>
> Now, the problem is that mail from hotmail, and quite a few other
> domains, doesn't arrive as expected. The only thing seen in the
> Postfix logs are entries like these:
>
> May 28 04:16:27 eskil postfix/smtpd[14289]: connect from
> bay17-f42.bay17.hotmail.com[64.4.43.92]
> May 28 04:16:28 eskil postfix/smtpd[14289]: disconnect from
> bay17-f42.bay17.hotmail.com[64.4.43.92]
>
> There is nothing inbetween the two lines above for that particular
> smtpd process.
>
> I suspect this is a problem with the Cisco PIX. Unfortunately, I don't
> know the exact version of the PIX, nor have I been able to put
> hotmail.com in the debug_peer_list to get more info out of Postfix,
> and currently the customer has gone back to his old Sendmail
> configuration (which works flawlessly for all inbound connections).
>
> Any ideas on this? I know there was problems with Postfix _sending_
> mail to other servers behind a Cisco PIX, a few years ago, but I
> haven't heard of the other direction. On the other hand, I've been off
> this list a while.. I couldn't find any relevant Google hits or FAQ
> entries.
>
> Regards,
> \EF
> --
> Erik Forsberg Telephone: +46-13-21 46 00
> Cendio AB Web: http://www.cendio.com
>
>
Re: Greylisting and whitelists for bad mailers???
Quoting Ralf Hildebrandt <Ralf.Hildebrandt charite.de>:
> * Jason Fesler <jfesler gigo.com>:
>
> > Also, ebay's retry times seem to be about *4h*.
>
> Got a list of their outbound relays?
This was the first domain i included in the whitelist for greylisting ...
A simple "ebay.com OK" should do the trick.
Regards
Andreas
Postfix, MySQL based virtual domains and Mailman
I'm running Postfix 2.1.1-3 with completely virtual domains (no local user
accounts) with the domain info coming from MySQL database. Also hands out
to Amavisd-new for spam and virus checking.
I've tried to integrate Mailman into the setup and I just cannot get it to
recognise the mailman aliases.
Here's a short summary of what I have tried to do:
1. Ensured localhost is in $mydestination
2. Added the mailman aliases file to $alias_database and $alias_maps
3. Built the alias db with newaliases
4. Put in a virtual alias of mailman zordah.net -> mailman localhost
When I send email to mailman zordah.net I get 450 4.1.0
<mailman localhost.zordah.net>: Recipient address rejected: User unknown
in local recipient table (in reply to end of DATA command)
That should work, right?
postconf -n
===========
alias_database = hash:/etc/postfix/aliases, hash:/home/mailman/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/home/mailman/aliases
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-2.1.1-documentation/html
inet_interfaces = 127.0.0.1, 202.173.151.130
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 5120000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = caramon.zordah.net
mynetworks = 127.0.0.0/8, 192.168.0.0/16, 202.173.151.128/28
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = bounce, 2bounce, delay, policy, protocol, resource, software
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.1-documentation/readme
relay_domains = lists.zordah.net
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/helo_ip_whitelist,
    check_helo_access regexp:/etc/postfix/helo_regexp,
    reject_invalid_hostname
smtpd_junk_command_limit = 3
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/per_user_rules,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access hash:/etc/postfix/zordah_client,
    check_client_access regexp:/etc/postfix/zordah_client_regexp,
    check_sender_access hash:/etc/postfix/spamtrap.senders,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_sender_access regexp:/etc/postfix/sender_checks_regexp,
    check_recipient_access hash:/etc/postfix/recipient_checks,
    check_recipient_access regexp:/etc/postfix/recipient_checks_regexp,
    check_sender_access hash:/etc/postfix/zordah,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client http.dnsbl.sorbs.net,
    reject_rbl_client socks.dnsbl.sorbs.net,
    reject_rbl_client misc.dnsbl.sorbs.net,
    reject_rbl_client smtp.dnsbl.sorbs.net,
    reject_rbl_client web.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client opm.blitzed.org,
    check_sender_access hash:/etc/postfix/strict_sender_map,
    permit
smtpd_restriction_classes = strict_client_domain, tafi_greenfroglover_com_rules
smtpd_soft_error_limit = 5
soft_bounce = yes
strict_rfc821_envelopes = yes
syslog_facility = local1
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/virtual_alias.cf
virtual_gid_maps = mysql:/etc/postfix/virtual_gid.cf
virtual_mailbox_base = /home/mail
virtual_mailbox_domains = mysql:/etc/postfix/virtual_domain.cf
virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailbox.cf
virtual_minimum_uid = 500
virtual_uid_maps = mysql:/etc/postfix/virtual_uid.cf
/home/mailman/aliases
=====================
mailman: "|/home/mailman/mail/mailman post mailman"
/etc/postfix/virtual_alias.cf
=============================
user=xxxx
password=yyyy
dbname=zzzz
table=alias
select_field=username
where_field=alias
hosts=localhost
Alias Table
===========
select * from alias where alias like '%zordah.net';
+-------------------------+--------------------------+
| alias | username |
+-------------------------+--------------------------+
| abuse zordah.net | postmaster zordah.net |
| postmaster zordah.net | zordah zordah.net |
| pkiem zordah.net | zordah zordah.net |
| mailman zordah.net | mailman localhost |
+-------------------------+--------------------------+
Anything I have forgotten?
--
Regards,
+-----------------------------+---------------------------------+
| Peter Kiem .^. | E-Mail : <zordah zordah.net> |
| Zordah IT /V\ | Mobile : +61 0414 724 766 |
| IT Consultancy & /( )\ | WWW : www.zordah.net |
| Internet Services ^^-^^ | ICQ : "Zordah" 866661 |
+-----------------------------+---------------------------------+
My current spamtrap address is est0604 zordah.net
Re: smtp auth question
Quoting Omer Faruk Sen <omer faruk.net>:
>
> Hi,
>
> I have realised on my mail server that when users are authenticated
> against my smtp server they can change From: field with different username
> within my domain. MS outlook express allows you to specify different
> SMTP-AUTH username/pass than your account. Thus a clever!! user can abuse
> it with authenticating against my smtp server but can send mails under
> another account. Is there a way to prevent this?
Have a look at the reject_sender_login_mismatch and
reject_authenticated_sender_login_mismatch settings.
Regards
Andreas
Re: Adding Message-ID is wrong
On Wed, Jun 02, 2004 at 03:01:07AM +0200, Cami wrote:
> Forgot to mention this little bit..
> If SpamAssassin finds no Message-ID in the message:
>
[zero points]
>
> So according to SpamAssassin, having no Message-ID is fine..
That is correct. As wietse already said: the message-ID is optional.
cheers,
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.
Re: Adding Message-ID is wrong
On Wed, Jun 02, 2004 at 07:51:55AM +0200, Ralf Hildebrandt wrote:
> > I know next to nothing (nor does postfix) about the client connecting
> > over the internet. Why would I want to add -my- domain to the
> > headers? Why confuse my users?
>
> You do have a point there, and that's a long standing issue with
> Postfix.
> But Postfix cannot know if it's an initial submission or if Postfix is
> performing relay duties.
Correct me if I'm wrong:
Suppose I configure master.cf to have an smtpd listening to the outside,
and one listening to the inside. I do not want initial submission on the
outside smtpd. The only initial submission allowed is postfix-generated
email (bcc, bounces, maybe more). If a configurable option would exist,
such as "fix_headers = permit_mynetworks, reject" I think a lot of users
would be happy.
Similar story for a relay-only MTA that needs just one smtpd of course.
> On a setup like here, where hauptpostamt.charite.de is just a relay,
> we might as well turn the message-id generation off. Unfortunately, we
> need to keep the function append_at_myorigin, or all our virtual
> aliasing will break. I could fix that, but that would be a lot of work.
Am I wrong when I think message-id is generated from $myhostname and
append_at_myorigin is for From/To fixes ?
Unfortunately there are lots of questions and lots of warnings about
append_at_myorigin. So far I've been unable to determine what would
happen *exactly*. I know I have to be very careful with aliases and
such. Any insight in this would be much appreciated, especially since
that topic is very closely related to my original post.
cheers,
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.
Re: Adding Message-ID is wrong
On Wed, Jun 02, 2004 at 02:55:27AM +0200, Cami wrote:
> > So therefore I stand by my claim that adding a message-id is wrong. In
> > the message itself I stated that opinions and setups may differ so the
> > process should be configurable. I regret if my wordings are misinterpreted
> > however I have done my homework.
>
> Just so i make my point known, the Message-ID bit is not really an
> issue for me.. Its the From:/To: fields that cause the headaches..
Similar over here. For now, I think a missing message-id is a clear
sign of unwanted email; the exceptions can be whitelisted. If such
a message is presented to me I hate to waste resources. Malformed
From/To and missing message-id seems to go hand in hand.
Therefore I tried to filter on missing header-ids. No go. header_checks
are done _before_ postfix adds the message-id. Even if this would be done
the other way around one cannot simply reject all messages with a
message-id using the local hostname.
cheers,
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.
BCC problem
Is there any way to know which RCPT TO recipients are hiding behind an outgoing mail?
Some people use Outlook to send mail out through the postfix
server; a BCC he doesn't know about has been added to the outgoing mail, and he said
he never added it in the BCC field in Outlook.
Re: Adding Message-ID is wrong
>>>So therefore I stand by my claim that adding a message-id is wrong. In
>>>the message itself I stated that opinions and setups may differ so the
>>>process should be configurable. I regret if my wordings are misinterpreted
>>>however I have done my homework.
>>
>>Just so i make my point known, the Message-ID bit is not really an
>>issue for me.. Its the From:/To: fields that cause the headaches..
>
>
> Similar over here. For now, I think a missing message-id is a clear
> sign of unwanted email; the exceptions can be whitelisted. If such
This is definitely *NOT* true.. There are far too many legit mails
to be whitelisted..
> a message is presented to me I hate to waste resources. Malformed
> From/To and missing message-id seems to go hand in hand.
>
> Therefore I tried to filter on missing header-ids. No go. header_checks
> are done _before_ postfix adds the message-id. Even if this would be done
> the other way around one cannot simply reject all messages with a
> message-id using the local hostname.
You will lose/reject legitimate mail by blocking mail with no Message-ID..
Cami
Re: Virtual hosting with cyrus (mailboxes called user foo.domain)
On Wed, Jun 02, 2004 at 02:30:45AM +0100, Josef Karthauser wrote:
>
> Strangely if I attempt to deliver mail to test3 josef-k.net I get:
>
> Jun 2 02:10:14 transwarp postfix/qmgr[65370]: 624B4EA52: from=<root tao.org.uk>, size=304, nrcpt=1 (queue active)
> Jun 2 02:10:14 transwarp postfix/pipe[65469]: 624B4EA52: to=<test3 josef-k.net>, relay=cyrusx, delay=0, status=bounced (data format error. Command output: test3 josef-k.net: Mailbox does not exist )
>
> Why is cyrusx trying to deliver mail to test3 josef-k.net? It's not
> mentioned in the vmailboxes file. Shouldn't something be saying
> user-unknown before it attempts the delivery agent?
>
I've found the answer to this. The address is only rejected in the smtpd
agent, whereas I'm delivering mail from the command line via 'mail'. If
I deliver it over SMTP then it works fine.
Last question (if anyone is listening... is there anyone there?)
I've now got:
main.cf:
cyrusx_destination_recipient_limit=1
virtual_mailboxes = hash:/usr/local/etc/postfix/vmailboxes
virtual_transport = cyrusx
virtual_mailbox_domains = $virtual_mailboxes
virtual_mailbox_maps = $virtual_mailboxes
virtual_alias_maps = $virtual_maps
virtual:
josef-k.net test josef-k.net
me josef-k.net joe tao.org.uk
you josef-k.net test josef-k.net
vmailboxes:
josef-k.net *
#----------
test josef-k.net *
test2 josef-k.net *
Something is going wrong with the "catch-all" address " josef-k.net".
It appears that mail to test2 josef-k.net is being picked up by the
catch all in 'virtual' and being delivered to test instead of test2 .
Is this a misconfiguration on my part, or a "feature" of postfix?
I'd really appreciate any insight that can be offered.
Many thanks,
Joe
--
Josef Karthauser (joe tao.org.uk) http://www.josef-k.net/
FreeBSD (cvs meister, admin and hacker) http://www.uk.FreeBSD.org/
Physics Particle Theory (student) http://www.pact.cpes.sussex.ac.uk/
================ An eclectic mix of fact and theory. =================
Re: smtp auth question
I have used reject_sender_login_mismatch but I have one problem though: My
clients authenticate themselves using username "username" (not
username domainname.com) but this is done. This time
reject_sender_login_mismatch works and reject message with a 553 error:
Protocol SMTP, Server Response: 553 <userx domain.com>: Sender address
rejected: not owned by user userx
Is there a workaround for that in postfix since I use saslauthd -a shadow
(I mean against /etc/shadow) and can't change that.
> Quoting Omer Faruk Sen <omer faruk.net>:
>
>>
>> Hi,
>>
>> I have realised on my mail server that when users are authenticated
>> against my smtp server they can change From: field with different
>> username
>> within my domain. MS outlook express allows you to specify different
>> SMTP-AUTH username/pass than your account. Thus a clever!! user can
>> abuse
>> it with authenticating against my smtp server but can send mails under
>> another account. Is there a way to prevent this?
>
> Have a look at the reject_sender_login_mismatch and
> reject_authenticated_sender_login_mismatch settings.
>
> Regards
>
> Andreas
>
>
--
Omer Faruk Sen
http://www.faruk.net
Public Key: http://www.faruk.net/omer.asc
Re: smtp auth question
Quoting Omer Faruk Sen <omer faruk.net>:
> I have used reject_sender_login_mismatch but I have one problem though: My
> clients authenticate themselves using username "username" (not
> username domainname.com) but this is done. This time
> reject_sender_login_mismatch works and reject message with a 553 error:
>
> Protocol SMTP, Server Response: 553 <userx domain.com>: Sender address
> rejected: not owned by user userx
>
>
> Is there a workaround for that in postfix since I use saslauthd -a shadow
> (I mean against /etc/shadow) and can't change that.
Use the smtpd_sender_login_maps and set :
userx domain.com userx
usery domain.com usery
....
Regards
Andreas
Re: Automatic User Subdomains
On Wednesday, June 02, 2004 at 08:36 CEST,
"Roy S. Rapoport" <postfix-users ols.inorganic.org> wrote:
> For each user named 'foo' on my system, I'd like to have it so
> '<ANYTHING> foo.users.inorganic.org' goes to foo inorganic.org
>
> Normally, I'd need two entries in virtual:
> foo.users.inorganic.org filler
> foo.users.inorganic.org foo inorganic.org
>
> It _looked_ like (reading virtual and regexp_table) I could do the second
> half automatically thus:
> / (.*).users.inorganic.org/ ${1} inorganic.org
>
> So I figured maybe I'd be able to do this with the first line also,
> resulting in these two lines in my virtual table:
> /(.*).users.inorganic.org/ filler
> / (.*).users.inorganic.org/ ${1} inorganic.org
Better:
/\.users\.inorganic\.org$/ filler
/ (.*)\.users\.inorganic\.org$/ ${1} inorganic.org
There is however a major design flaw; the first expression matches
everything the second expression matches. This means that
something foo.users.inorganic.org will be rewritten to filler $myorigin.
You can fix this by reversing the order of the lines, or rather rewrite
the first expression.
/^[^ ]+\.users\.inorganic\.org$/ filler
/ (.*)\.users\.inorganic\.org$/ ${1} inorganic.org
I don't know if this will remedy your actual problem, but it's certainly
a start.
[...]
--
Magnus Bäck
magnus dsek.lth.se
Re: BCC problem
On Wednesday, June 02, 2004 at 10:42 CEST,
yeskw ms15.hinet.net wrote:
> Is there any way to know who are RCPT TO hiding behind the outgoing
> mail? because some peoples used to use outlook send mail out through
> postfix server, the BCC he don't know has been added in outgoing mail,
> and he said he never added it in BCC field under outlook.
The Postfix logs will reveal all recipients of a message.
--
Magnus Bäck
magnus dsek.lth.se
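One way to follow that advice, as an added example that is not part of the original post: group Postfix log records by queue ID so that every envelope recipient of a message is listed, including any that are not in the visible To:/Cc: headers. The log lines are constructed samples, and the function names (including the hidden_recipients helper) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jun  2 10:41:02 mail postfix/smtpd[2101]: connect from pc17.example.com[192.0.2.17]
Jun  2 10:41:02 mail postfix/smtpd[2101]: 4C1D22A01F: client=pc17.example.com[192.0.2.17]
Jun  2 10:41:02 mail postfix/cleanup[2104]: 4C1D22A01F: message-id=<000a01c4487e$1@pc17>
Jun  2 10:41:02 mail postfix/qmgr[1990]: 4C1D22A01F: from=<alice@example.com>, size=1822, nrcpt=3 (queue active)
Jun  2 10:41:03 mail postfix/smtp[2110]: 4C1D22A01F: to=<bob@example.net>, relay=mx.example.net[198.51.100.5], delay=1, status=sent (250 Ok)
Jun  2 10:41:03 mail postfix/smtp[2111]: 4C1D22A01F: to=<carol@example.org>, relay=mx.example.org[203.0.113.9], delay=1, status=sent (250 Ok)
Jun  2 10:41:04 mail postfix/smtp[2110]: 4C1D22A01F: to=<archive@example.net>, relay=mx.example.net[198.51.100.5], delay=2, status=sent (250 Ok)
Jun  2 10:41:04 mail postfix/qmgr[1990]: 4C1D22A01F: removed
Jun  2 10:42:10 mail postfix/qmgr[1990]: 7AA0E2A020: from=<dave@example.com>, size=640, nrcpt=1 (queue active)
Jun  2 10:42:11 mail postfix/smtp[2112]: 7AA0E2A020: to=<bob@example.net>, relay=none, delay=1, status=deferred (connect timed out)
Jun  2 10:52:11 mail postfix/smtp[2140]: 7AA0E2A020: to=<bob@example.net>, relay=mx.example.net[198.51.100.5], delay=601, status=sent (250 Ok)
"""

# "postfix/<daemon>[pid]: <QUEUEID>: <rest>"; lines without a queue ID are skipped.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
FROM = re.compile(r"from=<([^>]*)>.*?\bnrcpt=(\d+)")
TO = re.compile(r"to=<([^>]*)>.*?\bstatus=(\w+)")


def parse_log(text):
    """Group log records by queue ID: client, sender and every envelope recipient."""
    messages = defaultdict(lambda: {"client": None, "message_id": None,
                                    "sender": None, "nrcpt": None,
                                    "recipients": {}})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        _daemon, qid, rest = m.groups()
        rec = messages[qid]
        if rest.startswith("client="):
            rec["client"] = rest[len("client="):]
        elif rest.startswith("message-id="):
            rec["message_id"] = rest[len("message-id="):]
        else:
            sender = FROM.match(rest)
            rcpt = TO.match(rest)
            if sender:
                rec["sender"] = sender.group(1)
                rec["nrcpt"] = int(sender.group(2))
            elif rcpt:
                # A deferred recipient is logged again on every retry;
                # keep one entry per address with its latest status.
                rec["recipients"][rcpt.group(1).lower()] = rcpt.group(2)
    return dict(messages)


def hidden_recipients(record, header_recipients):
    """Envelope recipients that are absent from the visible To:/Cc: addresses."""
    visible = {addr.lower() for addr in header_recipients}
    return [rcpt for rcpt in record["recipients"] if rcpt not in visible]


if __name__ == "__main__":
    for qid, rec in parse_log(SAMPLE_LOG).items():
        print(qid, rec["sender"], rec["client"], rec["recipients"])
```

Comparing the nrcpt value on the qmgr line with the number of to= entries shows whether the log excerpt covers the whole delivery.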
Re: Adding Message-ID is wrong
On Tue, Jun 01, 2004 at 08:39:16PM -0400, Wietse Venema wrote:
> Alex van den Bogaerdt:
> > As far as I can tell:
> > - mail without a message-id is spam or virus, perhaps a few exceptions
>
> I added a missing message ID warning and found that it would drop
> legitimate SMTP mail that was forwarded by qmail. That was enough of
> an exception for me to not provide this as a spam blocking feature.
That may be so, but I, in my setup, have not seen legitimate messages
without message-id as far as I can remember. That doesn't mean there
won't be any but it does mean I'd _probably_ be better off whitelisting
some exceptions and blocking the rest, ignoring the fact that there
is collateral damage.
My message also tries to discuss altering From and To. This is
discussed in rfc2821 as well, together with message-id.
I don't know qmail so there's a good chance that the following is
at least partially incorrect:
When qmail is used to inject mail, it uses "idhost" to generate
a message-Id. In other words: initial submission by qmail does
provide a message-id.
I take your word for it that qmail does forward mail without adding
a message-Id. Also, I've read that bounces from qmail do not contain
a message-Id.
> There has to be a better reason than being strict to the letter of
> some RFC that was written when Postfix already existed.
I'm not going over every RFC just to pester you. I'm looking at this
issue (message-id _and_ From/To) for many moons now and cannot reliably
work around it. Other people have problems with it as well.
Real people, real problem. And an RFC that IMHO supports my concerns.
quoting myself:
> I understand that this subject is controversial, so it should be
> configurable.
I'm not going to quote an entire post so if you want to comment on
_what_ I say instead of _how_ I say it, please have another look
at my first post in this thread.
cheers,
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.
Re: Automatic User Subdomains
On Wed, Jun 02, 2004 at 11:12:27AM +0200, Magnus Bäck wrote:
> /^[^ ]+\.users\.inorganic\.org$/ filler
> / (.*)\.users\.inorganic\.org$/ ${1} inorganic.org
>
> I don't know if this will remedy your actual problem, but it's certainly
> a start.
Alas, the same problem continues :(
-roy
Re: Content_filter for certain users only
On Wednesday, June 02, 2004 at 08:32 CEST,
"Figaro, Nicolas" <nfigaro cdcixis-cm.com> wrote:
> I wish to use a content filter for certain users only.
"User" means nothing in SMTP (except with authentication). Are you
talking about sender addresses or recipient addresses?
Look into the FILTER access map action (man 5 access).
[...]
--
Magnus Bäck
magnus dsek.lth.se
Re: Adding Message-ID is wrong
* Alex van den Bogaerdt <alex ergens.op.het.net>:
> Suppose I configure master.cf to have an smtpd listening to the outside,
> and one listening to the inside.
Yes, that's easy.
> Am I wrong when I think message-id is generated from $myhostname and
> append_at_myorigin is for From/To fixes ?
Yes, but the whole thread diverges into two directions: FROM/TO
alteration and Message-Id generation.
--
Ralf Hildebrandt Ralf.Hildebrandt charite.de
my current spamtrap spamtrap charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
So whenever someone says: "it works with Sendmail, so it must be
a Postfix bug" my initial reaction is "yeah, right".
Re: Adding Message-ID is wrong
On Wed, Jun 02, 2004 at 11:18:13AM +0200, Ralf Hildebrandt wrote:
> Yes, but the whole thread diverges into two directions: FROM/TO
> alteration and Message-Id generation.
Maybe I should separate these issues. I think the FROM/TO is causing
unnecessary helpdesk trouble and I think the message-id issue is a
sign of spammyness. Both Cami and Wietse strongly disagree on that
last part.
If you want to further discuss FROM/TO separate from Message-ID,
maybe you could change the subject to (zB) "append_at_myorigin".
cheers,
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.
RE: Content_filter for certain users only
> -----Original Message-----
> From: Magnus Bäck [mailto:magnus dsek.lth.se]
> Sent: Wednesday, June 02, 2004 11:20 AM
> To: postfix-users postfix.org
> Subject: Re: Content_filter for certain users only
>
> On Wednesday, June 02, 2004 at 08:32 CEST,
> "Figaro, Nicolas" <nfigaro cdcixis-cm.com> wrote:
>
> > I wish to use a content filter for certain users only.
>
> "User" means nothing in SMTP (except with authentication).
> Are you talking about sender addresses or recipient addresses?
>
> Look into the FILTER access map action (man 5 access).
I found some info in the access man page.
And users means recipient.
Thanks for the reply.
NF
>
> [...]
>
> --
> Magnus Bäck
> magnus dsek.lth.se
>
>
single external user
Hello
I have a postfix server, managing a single domain. The domain is hosted at
a provider and the mail is fetched via POP3 to the Postfix-System.
There is a single external user who has his own POP3 Account and fetches
the mail directly via POP3.
How can I tell postfix to redirect the mail for this user to the external
provider and not to deliver it locally? A single email in the transport
map does not work :-( I hope there is a nice way to do this.
Thanks for your help
Peter
Re: single external user
On Wednesday, June 02, 2004 at 11:46 CEST,
Peter Scholl <peter.scholl unix-ag.org> wrote:
> I have a postfix server, managing a single domain. The domain is hosted at
> a provider and the mail is fetched via POP3 to the Postfix-System.
>
> There is a single external user who has his own POP3 Account and fetches
> the mail directly via POP3.
>
> How can I tell postfix to redirect the mail for this user to the external
> provider and not to deliver it locally? A single email in the transport
> map does not work :-( I hope there is a nice way to do this.
To redirect without rewriting the recipient address, use transport_maps.
Per-user transport map entries require Postfix 2.0. To redirect by
rewriting the recipient address, use aliases (local or virtual).
--
Magnus Bäck
magnus dsek.lth.se
Re: Best POP/IMAP Server
Robin Lynn Frank wrote:
> On Tuesday 01 June 2004 13:08, Matt Krause wrote:
>
>>Forgive me for writing out this to the Postfix group, but I was wanting
>>the opinion of Postfix users as to what the best POP/IMAP server is to
>>run over the top of Postfix. Right now, but I am using the Courier
>>servers, but am unhappy with the amount of information in the log files.
>> Can anyone tell me what Qpoppers logs files are like and how detailed
>>you can make them? Also, are there any other decent IMAP servers out
>>there?
>>
>>Thanks.
>
>
> My vote is for courier-imap. It takes advantage of postfix's ability to
> deliver to a maildir and, if configured (easy) first, will generate its own
> TLS certs (both for imap and pop3) the first time you fire it up.
>
> Cyrus-imap looks interesting, but its configuration is a bit more challenging.
> --
> BOFH excuse #187:
>
> Reformatting Page. Wait...
If you use procmail, don't you lose this maildir delivery advantage you
speak of? I use courier-imap and found it to be OK. There may be some
issues, but I haven't been bothered enough to really address them.
dovecot might be worth investigating. I hear good things about it.
cyrus-imap has some great performance capabilities but the filtering
language (sieve) is severely limited in comparison to maildrop and
procmail. It's probably more secure as well because of this. But it is
by no means a maildir delivery system. I made that assumption and
deleted an email once through the command line. Took me forever to get
things working again. I gave up on it because of an overall lack of
documentation and capability in sieve.
RE: Inbound connections through Cisco PIX failing?
Here is the command for disabling fixup on the PIX for SMTP. This was
once my problem also, and I thought this was in the FAQ; I know I read it
somewhere, but no big deal.
Here are the commands you need
Login to the pix in enable mode
conf t
no fixup protocol smtp 25
That is all you need.
> -----Original Message-----
> From: owner-postfix-users postfix.org [mailto:owner-postfix-
> users postfix.org] On Behalf Of Paul Hutchings
> Sent: Wednesday, June 02, 2004 3:47 AM
> To: postfix-users postfix.org
> Subject: RE: Inbound connections through Cisco PIX failing?
>
> Usually when PIX issues occur disabling smtp fixup seems to be the
> suggestion.
>
> regards,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
> mailto:paul.hutchings mira.co.uk
>
> > -----Original Message-----
> > From: Erik Forsberg [mailto:forsberg+pfu cendio.se]
> > Sent: 02 June 2004 08:42
> > To: postfix-users postfix.org
> > Subject: Inbound connections through Cisco PIX failing?
> >
> >
> > Hi!
> >
> > I have a problem at a customer site, with a newly installed Postfix
> > version 2.1.1. The Postfix machine is behind a Cisco PIX firewall, as
> > seen by trying to connect from the outside:
> >
> > 220 SMTP/cmap ready_________________________________________________________________
> >
> > Now, the problem is that mail from hotmail, and quite a few other
> > domains, doesn't arrive as expected. The only thing seen in the
> > Postfix logs are entries like these:
> >
> > May 28 04:16:27 eskil postfix/smtpd[14289]: connect from
> > bay17-f42.bay17.hotmail.com[64.4.43.92]
> > May 28 04:16:28 eskil postfix/smtpd[14289]: disconnect from
> > bay17-f42.bay17.hotmail.com[64.4.43.92]
> >
> > There is nothing inbetween the two lines above for that particular
> > smtpd process.
> >
> > I suspect this is a problem with the Cisco PIX. Unfortunately, I don't
> > know the exact version of the PIX, nor have I been able to put
> > hotmail.com in the debug_peer_list to get more info out of Postfix,
> > and currently the customer has gone back to his old Sendmail
> > configuration (which works flawlessly for all inbound connections).
> >
> > Any ideas on this? I know there was problems with Postfix _sending_
> > mail to other servers behind a Cisco PIX, a few years ago, but I
> > haven't heard of the other direction. On the other hand, I've been off
> > this list a while.. I couldn't find any relevant Google hits or FAQ
> > entries.
> >
> > Regards,
> > \EF
> > --
> > Erik Forsberg Telephone: +46-13-21 46 00
> > Cendio AB Web: http://www.cendio.com
> >
> >
Re: Automatic User Subdomains
D'oh.
virtual _supports_ regular expressions. But if you want to use regular
expressions, you've got to change
virtual_alias_maps = hash:/etc/postfix/virtual
to
virtual_alias_maps = regexp:/etc/postfix/virtual
(and tweak the rest of your expressions in virtual; you quite likely could
just use two maps, but I didn't bother setting it up).
It's all working now. Thanks for the help, and my apologies for not
understanding this well enough the first time.
-roy
Re: Best POP/IMAP Server
* Tom Allison <tallison tacocat.net>:
> If you use procmail, don't you lose this maildir delivery advantage you
> speak of?
No, procmail can deliver to Maildir
--
Ralf Hildebrandt Ralf.Hildebrandt charite.de
my current spamtrap spamtrap charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
There are two ways to write error-free programs. Only the third one
works.
Re: Best POP/IMAP Server
Ralf Hildebrandt wrote:
> * Tom Allison <tallison tacocat.net>:
>
>
>>If you use procmail, don't you lose this maildir delivery advantage you
>>speak of?
>
>
> No, procmail can deliver to Maildir
>
Right, but I was trying to clarify on the statement that courier-imap
takes advantage of the postfix maildir delivery.
If you run procmail, then you've intercepted that connection between
postfix and courier and effectively replaced any advantage/disadvantage
of postfix delivering to a maildir folder.
But for many who don't use procmail, this would be a consideration.
Re: Adding Message-ID is wrong
On Wed, 2 Jun 2004, Alex van den Bogaerdt wrote:
> Real people, real problem. And an RFC that IMHO supports my concerns.
>
Time to get a life, real RFCs can be real wrong, especially when making
gratuitous revisions to existing standards, see for example the text in
RFC 2821 that says that a 552 error should be treated as a 452 error.
Perhaps the problem can be fixed in RFC 4821/4822, it may be time to start
writing them :-)
The message-id insertion is by all admissions harmless and is useful for
tracking message delivery across multiple hops when the remote 250 Ok
does not include a queue id.
The addition of mydomain to header recipients is done only for messages
that are already not RFC conformant.
The behaviour of the MTA for such input is not specified by the RFC. The
RFC does not apply. When the message is a local submission, the right
thing to do for legacy unix (especially Sendmail) clients is to append the
local domain. Since the input is malformed, there is no right approach in
any other case, so the same at least sometimes right approach is used.
Furthermore, if you configure a split relay (input handled by different
Postfix instance than output) "myorigin = address.invalid" nicely solves
the problem of how to qualify broken mail.
The result is that Postfix emits RFC conformant output even with
non-conformant input. Let's move on to another topic please.
And yes, one day headers processing will be more configurable, but there
are more important issues to deal with first...
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo postfix.org?body=unsubscribe%20postfix-users>
Re: smtp auth question
Instead of using:
smtpd_sender_login_maps and set :
userx domain.com userx
usery domain.com usery
I have used that for ease of use:
cat /etc/postfix/sender_login_maps
/^(.*) domain.com/ ${1}
> Quoting Omer Faruk Sen <omer faruk.net>:
>
>> I have used reject_sender_login_mismatch but I have one problem though:
>> My
>> clients authenticate themselves using username "username" (not
>> username domainname.com) but this is done. This time
>> reject_sender_login_mismatch works and reject message with a 553 error:
>>
>> Protocol SMTP, Server Response: 553 <userx domain.com>: Sender address
>> rejected: not owned by user userx
>>
>>
>> Is there a workaround for that in postfix since I use saslauthd -a
>> shadow
>> (I mean against /etc/shadow) and can't change that.
>
> Use the smtpd_sender_login_maps and set :
> userx domain.com userx
> usery domain.com usery
> ....
>
>
> Regards
>
> Andreas
>
--
Omer Faruk Sen
http://www.faruk.net
Public Key: http://www.faruk.net/omer.asc
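The regexp tables posted in this thread (the virtual table in "Automatic User Subdomains" and the sender_login_maps pattern above) both depend on two lookup properties: rules are tried in order and the first match wins, and a pattern is unanchored unless it says otherwise. The sketch below is an added example, not code from the posters or from Postfix: it emulates those lookups with Python's re module standing in for Postfix's regexp matcher, assumes the "@" signs that this archive strips from addresses and patterns, and the anchored login pattern and all function names are this example's own.

```python
import re

# Tables as posted in the thread, with "@" restored (assumption: the archive strips it).
VIRTUAL_FIRST_SUGGESTION = r"""
/\.users\.inorganic\.org$/     filler
/@(.*)\.users\.inorganic\.org$/  ${1}@inorganic.org
"""
VIRTUAL_REWRITTEN = r"""
/^[^@]+\.users\.inorganic\.org$/ filler
/@(.*)\.users\.inorganic\.org$/  ${1}@inorganic.org
"""
LOGIN_AS_POSTED = r"""
/^(.*)@domain.com/ ${1}
"""
# Tightened variant added by this example: literal dot, anchored at both ends.
LOGIN_ANCHORED = r"""
/^([^@]+)@domain\.com$/ ${1}
"""


def parse_table(text):
    """Parse '/pattern/ result' lines into an ordered list of (regex, template)."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"\s*/(.*)/\s+(.*)$", line)
        if m:
            # Postfix regexp tables match case-insensitively by default.
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup(rules, key):
    """Return the result of the first rule that matches; later rules are never tried."""
    for regex, template in rules:
        m = regex.search(key)  # unanchored unless the pattern uses ^ and $
        if m:
            return re.sub(r"\$\{(\d+)\}|\$(\d+)",
                          lambda s: m.group(int(s.group(1) or s.group(2))),
                          template)
    return None


def sender_allowed(rules, sasl_login, mail_from):
    """Emulate the check for an authenticated client: the MAIL FROM address
    must have an owner list in the table and the login must be on it."""
    owners = lookup(rules, mail_from)
    if owners is None:
        return False
    return sasl_login in re.split(r"[,\s]+", owners.strip())


def report():
    """Collect the results so they can be printed or asserted on."""
    first = parse_table(VIRTUAL_FIRST_SUGGESTION)
    fixed = parse_table(VIRTUAL_REWRITTEN)
    loose = parse_table(LOGIN_AS_POSTED)
    strict = parse_table(LOGIN_ANCHORED)
    addr = "anything@foo.users.inorganic.org"
    outside = "userx@domain.com.example.net"   # constructed address outside domain.com
    return {
        "virtual, first rule shadows second": lookup(first, addr),
        "virtual, first rule rewritten": lookup(fixed, addr),
        "virtual, bare domain": lookup(fixed, "foo.users.inorganic.org"),
        "login, own address": sender_allowed(loose, "userx", "userx@domain.com"),
        "login, other user's address": sender_allowed(loose, "usery", "userx@domain.com"),
        "login, outside address (as posted)": sender_allowed(loose, "userx", outside),
        "login, outside address (anchored)": sender_allowed(strict, "userx", outside),
    }


if __name__ == "__main__":
    for label, result in report().items():
        print(f"{label}: {result}")
```

The pattern as posted still rejects one user sending as another, but it also assigns an owner to addresses that merely begin with a domain.com-like string; the anchored form limits ownership to the domain itself.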
Re: Adding Message-ID is wrong
> The message-id insertion is by all admissions harmless and is useful for
> tracking message delivery across multiple hops when the remote 250 Ok
> does not include a queue id.
Indeed..
> Furthermore, if you configure a split relay (input handled by different
> Postfix instance than output) "myorigin = address.invalid" nicely solves
> the problem of how to qualify broken mail.
However that doesn't resolve what happens when users try and reply to
such addresses..
> The result is that Postfix emits RFC conformant output even with
> non-conformant input. Let's move on to another topic please.
>
> And yes, one day headers processing will be more configurable, but there
> are more important issues to deal with first...
Amen..
Cami
Re: NFS Maildirs
>> We have our entire solution certified and supported by EMC..
>> They have strict requirements on OS/drivers etc etc, but its
>> proven to provide far more joy in the long run..
>
> Unless all mail/imap/pop servers can share the whole spool in between
> them, all the other (SAN) solutions are limited by having only one
> concurrent server accessing the spool.
Yup.. We have 9 active (and 9 passive mailhosts) with 150gig of space
on each LUN/mailstore.. The entire userbase is spread out evenly over
all the mailhosts which makes things a pure dream to admin/maintain..
Everything of course is completely transparent to the entire userbase so
no user ever has to know on which mailhost they reside on..
Cami
RE: Inbound connections through Cisco PIX failing?
Oh yeah, one last thing I forgot: make sure you
wr mem
on the PIX when you are done, to save the current running config to
startup config, because if not, if you reboot it or lose power it will go
back to the old config.
> -----Original Message-----
> From: owner-postfix-users postfix.org [mailto:owner-postfix-
> users postfix.org] On Behalf Of Paul Hutchings
> Sent: Wednesday, June 02, 2004 3:47 AM
> To: postfix-users postfix.org
> Subject: RE: Inbound connections through Cisco PIX failing?
>
> Usually when PIX issues occur disabling smtp fixup seems to be the
> suggestion.
>
> regards,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
> mailto:paul.hutchings mira.co.uk
>
> > -----Original Message-----
> > From: Erik Forsberg [mailto:forsberg+pfu cendio.se]
> > Sent: 02 June 2004 08:42
> > To: postfix-users postfix.org
> > Subject: Inbound connections through Cisco PIX failing?
> >
> >
> > Hi!
> >
> > I have a problem at a customer site, with a newly installed Postfix
> > version 2.1.1. The Postfix machine is behind a Cisco PIX firewall, as
> > seen by trying to connect from the outside:
> >
> > 220 SMTP/cmap ready_________________________________________________________________
> >
> > Now, the problem is that mail from hotmail, and quite a few other
> > domains, doesn't arrive as expected. The only thing seen in the
> > Postfix logs are entries like these:
> >
> > May 28 04:16:27 eskil postfix/smtpd[14289]: connect from
> > bay17-f42.bay17.hotmail.com[64.4.43.92]
> > May 28 04:16:28 eskil postfix/smtpd[14289]: disconnect from
> > bay17-f42.bay17.hotmail.com[64.4.43.92]
> >
> > There is nothing inbetween the two lines above for that particular
> > smtpd process.
> >
> > I suspect this is a problem with the Cisco PIX. Unfortunately, I don't
> > know the exact version of the PIX, nor have I been able to put
> > hotmail.com in the debug_peer_list to get more info out of Postfix,
> > and currently the customer has gone back to his old Sendmail
> > configuration (which works flawlessly for all inbound connections).
> >
> > Any ideas on this? I know there was problems with Postfix _sending_
> > mail to other servers behind a Cisco PIX, a few years ago, but I
> > haven't heard of the other direction. On the other hand, I've been off
> > this list a while.. I couldn't find any relevant Google hits or FAQ
> > entries.
> >
> > Regards,
> > \EF
> > --
> > Erik Forsberg Telephone: +46-13-21 46 00
> > Cendio AB Web: http://www.cendio.com
> >
> >
ldap lookup question..
I'm trying to reduce ldap searches in my postfix-ldap mta system.
Now when I'm sending mail from adres1 domain.com to adres2 domain.com
in my LDAP logs I have:
filter="(&(avflag=1)(|(objectclass=mailrecipient)(objectclass=mailgroup))(|(mail=ciocia interia.pl)(mailalternateaddress=ciocia interia.pl)))"
filter="(&(|(objectclass=mailrecipient)(objectclass=mailgroup))(|(mail=ciocia interia.pl)(mailalternateaddress=ciocia interia.pl)))"
filter="(&(avflag=1)(|(objectclass=mailrecipient)(objectclass=mailgroup))(|(mail=kwiatek tpi.pl)(mailalternateaddress=kwiatek tpi.pl)))"
filter="(&(|(objectclass=mailrecipient)(objectclass=mailgroup))(|(mail=kwiatek tpi.pl)(mailalternateaddress=kwiatek tpi.pl)))"
filter="(&(avflag=1)(|(objectclass=mailrecipient)(objectclass=mailgroup))(|(mail=kwiatek tpi.pl)(mailalternateaddress=kwiatek tpi.pl)))"
filter="(&(|(objectclass=mailrecipient)(objectclass=mailgroup))(|(mail=kwiatek tpi.pl)(mailalternateaddress=kwiatek tpi.pl)))"
I'm using only ldap transport lookup.
My questions are:
1. How to reduce mail sender ldap lookup (two first searches are
unneeded).
2. How to reduce the next searches to be done only once ?
Thanks in advance
AK
Re: Adding Message-ID is wrong
On Wed, Jun 02, 2004 at 07:35:03AM -0400, Victor.Duchovni MorganStanley.com wrote:
> The addition of mydomain to header recipients is done only for messages
> that are already not RFC conformant.
I do not say otherwise. I just wish I could recognize this more easily.
That, or (preferred) use it to block.
This may not be a real problem for you but that does not mean I am
talking about something trivial or unimportant. I wouldn't spend
this much time if it doesn't matter much.
> Furthermore, if you configure a split relay (input handled by different
> Postfix instance than output) "myorigin = address.invalid" nicely solves
> the problem of how to qualify broken mail.
Tried several configurations. Eventually an issue comes up, generating
double bounces because address.invalid is invalid. Sure, this too can
be worked around. So I need a workaround for a workaround.
In the end it doesn't matter much since the exchange server will most
likely allow replies to user address.invalid, ending up in bitheaven
(blackhole) or as a double bounce. I need to tackle the problem at
input, not at output.
Add this to the not quite easy to maintain multiple instance setup
and _I_ have a _real_ problem that is not easily fixed.
> The result is that Postfix emits RFC conformant output even with
> non-conformant input. Let's move on to another topic please.
Rubbish in is rubbish out. It's just different rubbish.
I will discontinue with this thread. I understand that my priorities
are different from the general public's. Time to hack/workaround in the
code I guess.
It will take some time, much trial and error (especially error) but I
will get it right eventually.
No, this will not be a clean patch and no, I will thus not share.
Thanks for your answer,
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.
Re: NFS Maildirs
>> Yup.. We have 9 active (and 9 passive mailhosts) with 150gig of space
>> on each LUN/mailstore.. The entire userbase is spread out evenly over
>> all the mailhosts which makes things a pure dream to admin/maintain..
>>
>> Everything of course is completely transparent to the entire userbase so
>> no user ever has to know on which mailhost they reside on..
>
> However, in this case, you waste 2 times the computing power... I don't
> know for how many users we're talking about,
Over 350 000 users.
> and what do you consider a
> mailhost, but for 50,000 users we have 2 mail servers, 2 pop readers and 1
> imap reader, and they are working in load balancing mode, rather than
> standby mode.
The only thing that is in standby mode is the mailhosts.. The pop3/imap
proxies, as well as spam layer, as well as incoming MX layer all use
load balancing..
> Your solution might be faster (performance wise), but is
Not just faster, it's more stable.
> more expensive in all other aspects
Not quite, hardware is becoming cheaper and cheaper..
> and of course harder to manage than one single spool.
Where do you get that idea from? Think about what happens
if that single mail spool filesystem becomes corrupted..
Spreading your spool across multiple machines ensures
minimal impact when things go wrong.. Also, having your
mailhosts in an active/passive configuration allows
you to perform drastic changes and maintenance without
requiring hours of downtime..
Granted, no clustering is perfect, but the point is to
ensure everything is as stable as possible.. If hardware
is *really* that much of an issue in terms of cost, you
can have 6 active nodes and 1 passive which will automatically
take over if any of the active nodes fail.
Cami
Re: hotmail.com woes
On Friday 14 May 2004 14:23, Maarten de Vries wrote:
> has anyone on this list actually succeeded yet in delivering large
> quantities of mail to the hotmail.com domain within a reasonable
> timeframe?
Well, it could of course be that the boys and girls in Redmond are having
a good week, but it would appear that I've found a way to do exactly
that.
The hack is an ugly one, but after having implemented it, thousands of
deferred messages for the hotmail.com domain every day have been reduced
to just a couple. Instead of ~12 hour delays, all messages are delivered
within a matter of minutes. So I think it's justified...
Here's what I did (no rocket science, really):
main.cf:
    hotmail_destination_recipient_limit = 128
    hotmail_destination_concurrency_limit = 384
master.cf:
    hotmail unix - - n - 400 smtp
      -o smtp_connect_timeout=6s
      -o smtp_helo_timeout=3s
      -o smtp_always_send_ehlo=no
And of course a corresponding entry in the transport table:
    hotmail.com hotmail:
So, in short: allowing postfix to open a huge amount of connections to the
hotmail.com MX'es apparently does the trick...
--
Maarten
http://unsavoury.net/
entry in master.cf for high volume mail
Hi,
i wish to make an additional entry in master.cf which needs to send lots
of mails to
mailrelays. suppose i have lots of messages to send for domain.com
so i add an entry to master.cf like this:
    domain unix - - n - 130 smtp
      -o domain_connect_timeout=3s
      -o domain_helo_timeout=6s
      -o domain_destination_recipient_limit=128
      -o domain_destination_concurrency_limit=50
so domain_destination_recipient_limit=128 means in one connection 128
messages can be sent in one connection to the mta of domain.com?
domain_destination_concurrency_limit=50 means 50 simultaneous connections
can be made to a mta of domain.com? Suppose domain.com got 4 mx records.
So to each mx (mta) a maximum of 50 simultaneous connections can be made
and a complete maximum of 130 simultaneous connection total to domain.com?
Is anything wrong about these assumptions, is the entry in master.cf
correct or is something wrong with it? any other suggestions
Bye,
Mipam.
Re: hotmail.com woes
On Wed, 2 Jun 2004, Maarten de Vries wrote:
> main.cf:
> hotmail_destination_recipient_limit = 128
> hotmail_destination_concurrency_limit = 384
>
> master.cf:
> hotmail unix - - n - 400 smtp
> -o smtp_connect_timeout=6s
> -o smtp_helo_timeout=3s
> -o smtp_always_send_ehlo=no
>
> So, in short: allowing postfix to open a huge amount of connections to the
> hotmail.com MX'es apparently does the trick...
>
Are you sure you actually need this much concurrency, or are you just using
the correspondingly larger "concurrency window" to avoid throttling the
destination? Why were messages deferred before? Are fewer messages
deferred now?
My conjecture is that hotmail is likely indeed having a better week.
Increased concurrency can reduce active queue congestion, but it should
not have any impact on the rate of message deferral unless the destination
is being throttled by the queue manager. You can configure a low
concurrency transport with a large concurrency "window" that avoids
throttling due to a burst of consecutive errors. See QSHAPE_README
(Postfix 2.1) for details.
I am seeing no mail deferred to hotmail today:
...
09:20 smtp sent:12 deferred:0 bounced:1
09:21 smtp sent:6 deferred:0 bounced:0
09:22 smtp sent:13 deferred:0 bounced:0
09:23 smtp sent:6 deferred:0 bounced:0
09:24 smtp sent:5 deferred:0 bounced:0
09:25 smtp sent:6 deferred:0 bounced:0
09:26 smtp sent:9 deferred:0 bounced:0
09:28 smtp sent:2 deferred:0 bounced:0
09:29 smtp sent:5 deferred:0 bounced:0
09:30 smtp sent:4 deferred:0 bounced:0
09:31 smtp sent:4 deferred:0 bounced:0
09:32 smtp sent:4 deferred:0 bounced:0
09:33 smtp sent:4 deferred:0 bounced:0
09:34 smtp sent:5 deferred:0 bounced:0
09:35 smtp sent:12 deferred:0 bounced:0
09:36 smtp sent:10 deferred:0 bounced:1
09:37 smtp sent:18 deferred:0 bounced:2
09:38 smtp sent:6 deferred:0 bounced:0
09:39 smtp sent:3 deferred:0 bounced:0
09:40 smtp sent:3 deferred:0 bounced:0
...
The code that generates this output is:
-------------- deliverstats.pl ------------
#! /usr/bin/env perl
# Per-minute delivery status counts for one destination, from Postfix logs.
my $domain = shift(@ARGV) or die "Usage: $0 destination-re [logfile ...]\n";
# $1 = HH:MM, $2 = delivery agent (smtp, local, ...), $3 = delivery status
my $pat = q{^... .. (..:..):.. \S+ postfix/(\w+)\S+:}
        . q{(?: \[[^]]+\])?}    # SunOS [ID ...]
        . q{ \w+: to=<\S+@}. qq{$domain}. q{>,}
        . q{ .*, status=(sent|deferred|bounced)};
my %c = ();
my $t;
while (<>) {
    next unless /$pat/io;
    if ($1 ne $t) {
        # The minute changed: print the counts gathered for the previous one.
        while (my ($k, $v) = each %c) {
            printf "%s %8s %s\n", $t, $k,
                join (" ", map { sprintf "%8s:%-4d", $_, $v->{$_} }
                    qw(sent deferred bounced));
        }
        $t = $1;
        %c = ();
    }
    ++$c{$2}{$3};
}
# Final record...
while (my ($k, $v) = each %c) {
    printf "%s %8s %s\n", $t, $k,
        join (" ", map { sprintf "%8s:%-4d", $_, $v->{$_} }
            qw(sent deferred bounced));
}
-------------- deliverstats.pl ------------
$ count.pl 'hotmail\.com' /var/log/mail
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
Re: entry in master.cf for high volume mail
On Wed, 2 Jun 2004, Mipam wrote:
> domain unix - - n - 130 smtp
> -o domain_connect_timeout=3s
No, use "smtp_connect_timeout".
> -o domain_helo_timeout=6s
No, use "smtp_helo_timeout".
> -o domain_destination_recipient_limit=128
> -o domain_destination_concurrency_limit=50
>
These are used by the queue manager and must go in main.cf.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
Re: entry in master.cf for high volume mail
On Wed, 2 Jun 2004 Victor.Duchovni MorganStanley.com wrote:
> On Wed, 2 Jun 2004, Mipam wrote:
>
> > domain unix - - n - 130 smtp
> > -o domain_connect_timeout=3s
>
> No, use "smtp_connect_timeout".
>
> > -o domain_helo_timeout=6s
>
> No, use "smtp_helo_timeout".
>
> > -o domain_destination_recipient_limit=128
> > -o domain_destination_concurrency_limit=50
> >
>
> These are used by the queue manager and must go in main.cf.
So in master.cf
domain unix - - n - 130 smtp
-o smtp_connect_timeout=3s
-o smtp_helo_timeout=6s
and in main.cf
domain_destination_recipient_limit=128
domain_destination_concurrency_limit=50
Then postfix will automatically apply these settings for mails to
domain.com? Nice to learn so, I thought these were set in master.cf, I was
wrong. Were the interpretations of what these limits did right or not?
Would you rather use other values, any other hints?
Bye,
Mipam.
Re: email server concept: what's mail delivery agent
> From: Patrick Welche <prlw1 newn.cam.ac.uk>
> Date: Wed, 2 Jun 2004 14:34:59 +0100
> To: Zhang Weiwu <zhangweiwu realss.com>
> Cc: info-cyrus lists.andrew.cmu.edu
> Subject: Re: email server concept: what's mail delivery agent
>
> This is the way I understand - this might be wrong too!
>
> On Wed, Jun 02, 2004 at 07:49:53PM +0800, Zhang Weiwu wrote:
>> 2. Documents often mention 'delivery agent' and 'maildir', it seems
>> 'delivery agent' is not a standalone package, there is a delivery agent
>> in postfix package, and there is also one in cyrus package, I can choose
>> to use the delivery agent (postfix's or cyrus')
>
> I think postfix can deliver directly to cyrus, i.e., not need to pipe
> the message to cyrus' deliver (don't know for sure, I use exim).
Actually, the entry in master.cf is a pipe to cyrus deliver.
>> 3. maildir is a way to store email, it is where postfix save incoming
>> mail, and it is the place cyrus-imapd get emails so that to put to
>> user's INBOX. But an email server can have no maildir completely, and
>> let cyrus's delivery agent bypass maildir and put mail directly to
>> user's INBOX.
>
> Yes, maildir is a filesystem storage format. If postfix is going to
> deliver all local mail to cyrus, then cyrus will be using its filesystem
> format, which I think is similar to maildir: one directory per folder,
> messages as numbered files.
Cyrus uses standard Maildir format and setup. I migrated from Courier to
Cyrus without any hassle. Just copied the directories into the Cyrus
locations.
Re: email server concept: what's mail delivery agent
* m <m telerama.com>:
> Cyrus uses standard Maildir format and setup.
Nope.
--
Ralf Hildebrandt Ralf.Hildebrandt charite.de
my current spamtrap spamtrap charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
Why you can't find your system administrators:
they're busy rerouting their support telephone to the luser of the day
Re: email server concept: what's mail delivery agent
I stand corrected.
> From: Ralf Hildebrandt <Ralf.Hildebrandt charite.de>
> Reply-To: postfix-users postfix.org
> Date: Wed, 2 Jun 2004 16:12:03 +0200
> To: postfix-users cloud9.net
> Subject: Re: email server concept: what's mail delivery agent
>
> * m <m telerama.com>:
>
>> Cyrus uses standard Maildir format and setup.
>
> Nope.
Reporting tools
I've got postfix in a DMZ, and I'd like to know if there are any products
which run from a Windows OS which can pull reports from the postfix server
logs. I downloaded ActivePerl & AWStats, but I'm not sure it'll work in my
environment.
Any recommendations?
**********************************************************************
The information contained in this message is confidential and is intended
for the addressee(s) only. If you have received this message in error or
there are any problems please notify the originator immediately. The
unauthorized use, disclosure, copying or alteration of this message is
strictly forbidden. CED-Concord Management will not be liable for direct,
special, indirect or consequential damages arising from the alteration of the
contents of this message by a third party or as a result of any virus being
passed on.
This footnote confirms that this email message has been swept by
MIMEsweeper for Content Security threats, including computer viruses.
www.mimesweeper.com
**********************************************************************
Re: Reporting tools
* Mueller, Jim <jmueller ced-concord.com>:
> I've got postfix in a DMZ, and I'd like to know if there are any
> products which run from a Windows OS which can pull reports from the
> postfix server logs.
Why not generate the reports in the DMZ?
--
Ralf Hildebrandt Ralf.Hildebrandt charite.de
my current spamtrap spamtrap charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
Vampireware /n/, a project, capable of sucking the lifeblood out of
anyone unfortunate enough to be assigned to it, which never actually
sees the light of day, but nonetheless refuses to die.
queues filling up
Hi,
It doesn't happen rarely that the mailq is running full.
A server in the internal network is making lots of connections to postfix
and delivers mail to postfix. Postfix doesn't seem able to send the load
away as soon as it comes in. The problem is that I don't know to what sites
many messages are being sent. When I issue a postqueue -f, lots and lots
of outbound connections are being made and the mailq is being emptied very
quickly and the mailq is reducing in size quickly.
I have a separate fs for /var/spool/postfix of 1 gig.
I am not sure if the active queue is not full when this is encountered,
but I guess so, since postqueue -f helps a lot. I could raise the
in_flow_delay value from 1 to 10, but this would limit the server which is
having lots of connections to postfix and sending mail?
Or should I raise the amount of cleanup processes? How to do this btw?
I thought that destination_concurrency_limit is only for the amount of
simultaneous connections made to an MTA or does it have another use?
I am trying to find the cause of why the mailq is filling up.
I couldn't see whether it was the incoming queue which was becoming full,
or whether the active queue was filled up. But I guess it was the
incoming queue, because postqueue -f helped the mailq size decrease.
This brings me to a next point, the only command I know is mailq, but that
doesn't make a difference between the incoming and active queue, so I
cannot see which queue is filling up.
Maybe raising the amount of cleanup processes helps?
Am I understanding the function of initial_destination_concurrency
and default_destination_concurrency_limit wrongly?
Bye,
Mipam.
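The post above turns on telling the incoming queue from the active one, which mailq does not separate. As an added example (not part of the original post or of Postfix itself), this shell function counts queue files per queue directory; /var/spool/postfix is the spool path named in the post, incoming, active and deferred are Postfix's standard queue directory names, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-queue message counts for a Postfix spool directory.
# queue_counts and fullest_queue are hypothetical helper names, not
# Postfix commands.
# Usage: queue_counts /var/spool/postfix

# Print "<queue> <count>" for each queue directory under the spool root.
# Every queued message is one regular file. Some queues may be hashed
# into subdirectories, so the search is recursive.
queue_counts() {
    root=${1:-/var/spool/postfix}
    for q in incoming active deferred; do
        if [ -d "$root/$q" ]; then
            n=$(find "$root/$q" -type f | wc -l | tr -d ' ')
        else
            n=0
        fi
        printf '%s %s\n' "$q" "$n"
    done
}

# Print the name of the queue that currently holds the most messages.
fullest_queue() {
    queue_counts "$1" | sort -k2,2nr | head -n 1 | cut -d' ' -f1
}
```

The queue directories are normally readable only by root and the Postfix user, so run it with matching privileges; sampling it every minute shows which queue grows when the backlog builds.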
RE: Reporting tools
I guess it doesn't matter where they're generated so long as I can
review/manage the reports from a machine in our internal network...
-----Original Message-----
From: Ralf Hildebrandt [mailto:Ralf.Hildebrandt charite.de]
Sent: Wednesday, June 02, 2004 11:00 AM
To: postfix-users postfix.org
Subject: Re: Reporting tools
* Mueller, Jim <jmueller ced-concord.com>:
> I've got postfix in a DMZ, and I'd like to know if there are any
> products which run from a Windows OS which can pull reports from the
> postfix server logs.
Why not generate the reports in the DMZ?
Receiving email using aliases and not real ID's