From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Tue Jul 20 2004 - 07:36:22 CDT
On Tue, Jul 20, 2004 at 02:27:54PM +0200, CutMaster wrote:
> But the problem is that, using this method, postfix ALWAYS uses the
> relayhost to send mail @georgin.com The way I wanted to do is that,
> if a mail has to be sent to georgin.com AND IS NOT "one of the listed
> email addresses" so it deliver it directly to local mailboxes (to permit
> to distributed internal email even if the internet connexion is down).
This is documented:
http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/ADDRESS_REWRITING_README.html#virtual
http://www.postfix.org/ADDRESS_REWRITING_README.html#transport
http://www.postfix.org/ADDRESS_REWRITING_README.html#aliases
http://www.postfix.org/ADDRESS_REWRITING_README.html#luser_relay
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/ADDRESS_CLASS_README.html#classes
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo@postfix.org?body=unsubscribe%20postfix-users>
From: Richard Wood (richard@ukrm.co.uk)
Date: Tue Jul 20 2004 - 07:41:50 CDT
From: "Ralf Hildebrandt" <Ralf.Hildebrandt@charite.de>
> * Richard Wood <richard@ukrm.co.uk>:
>
> > Would there happen to be a script that takes the output of postqueue,
> > gives me a little menu of all the message IDs with the option of
> > viewing them via postcat, and deleting or unholding them?
>
> Yes, on my webpages
Thanks.
I've downloaded them, upon running qvmenu.pl I get
"Can't locate Curses/UI.pm in <snip directories>"
Tried to do an install Curses from CPAN but that failed to
compile with :-
"Curses.c:275: error: too few arguments to function `Perl_sv_isa'"
plus many warnings, and many functions "NOT found".
Googling returned very little (just one log file, not really any use!)
Any clues as to what I should do next?
Thanks,
Richard
From: Wietse Venema (wietse@porcupine.org)
Date: Tue Jul 20 2004 - 07:45:01 CDT
CutMaster:
[ Charset ISO-8859-1 unsupported, converting... ]
> Thanks Wietse.
>
> But the problem is that, using this method, postfix ALWAYS uses the relayhost to send mail @georgin.com
> The way I wanted to do is that, if a mail has to be sent to georgin.com AND IS NOT "one of the listed email addresses" so it deliver it directly to local mailboxes (to permit to distributed internal email even if the internet connexion is down).
>
> Any idea ?
Yes. Give local georgin.com users a local(8) alias
    thisuser    user@this.server
    otheruser   user@other.server
And don't believe what people say about mail loops and Delivered-To:
message headers.
Wietse
From: CutMaster (postfix@vlproduction.com)
Date: Tue Jul 20 2004 - 07:49:40 CDT
In fact, Thanks to Victor Duchovni, the good result is the following :
- Let the mydestination handle the domain georgin.com
- Set local_recipient_maps to nothing
- Put the users to relay in luser_relay like luser_relay = someone@georgin.com, someoneelse@georgin.com
Thanks for your help guys :)
From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Tue Jul 20 2004 - 08:05:45 CDT
On Tue, Jul 20, 2004 at 02:29:14PM +0200, Arvinn Løkkebakken wrote:
> >The Exchange guys use this scheme. That's why Exchange is so unreliable.
> >
>
> Does it have to be unreliable? In my experience Exchange is unreliable
> because of a lot of things. But then again, Exchange is much more than a
> MTA, so it's kinda not the right example to look at anyway IMO.
>
Exchange is a mailstore with an MTA bolted-on for state replication and
messaging. While the MTA could use a dose of transparency and better
logging, the real problem is the storage, not the fancy features, but
the underlying storage design.
The choice of a monolithic store for mail is a major design error, since
it imposes excessive global consistency requirements that make recovery
difficult, and corruption likely.
File-systems offer fine-grained rather than global consistency:
Directories point at files that really exist, files point at blocks that
belong to them, data flushed to a file persists after a sync operation
(explicit or delayed from the buffer cache). Even if a single file is
corrupted, global file-system corruption is rare with mature file-systems
(I make no specific public claims about which file-systems are mature
on which OS).
By separating data and meta-data into different files, and ideally
meta-data for each folder into a separate file, a mailstore can support
fast meta-data recovery (it is the meta-data that is most likely to
become corrupted).
File-systems support a rich ecosystem of file manipulation tools, if
something goes wrong with the mail-store meta-data the administrator can
still wrest the underlying content from the mailstore and re-build
(portions of) the meta-data, obviating the need for a full data and
meta-data recovery (in these days of TB sized stores full recovery can
be totally impractical).
File-system recovery can be faster than database recovery because it is
not necessary to arrive at a globally consistent state. One can recover
parts of a file-system, restoring individual mailboxes or messages.
I cannot honestly recommend to anyone a mailstore design based on any
database, regardless of the technology.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Tue Jul 20 2004 - 08:08:32 CDT
On Tue, Jul 20, 2004 at 02:49:40PM +0200, CutMaster wrote:
> - Put the users to relay in luser_relay like luser_relay =
> someone@georgin.com, someoneelse@georgin.com
>
> Thanks for your help
You have failed to understand luser_relay. Read the documentation again,
see also the local(8) manpage.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
From: Xavier Beaudouin (kiwi@oav.net)
Date: Tue Jul 20 2004 - 08:13:57 CDT
Hello there,
My mailhub is getting more and more spam that have Subject header like
this :
Subject: $85145
Starting with a $ and 5 numbers only.
SA is not enough to kill it... But I really like to kill such spams
directly using good and nice regexp... So anyone have a optimized one
on his desk ?
Thanks,
/Xavier
--
Xavier Beaudouin - Unix System Administrator & Projects Leader.
President of Kazar Organization : http://www.kazar.net/
Please visit http://caudium.net/, home of Caudium & Camas projects
From: Wietse Venema (wietse@porcupine.org)
Date: Tue Jul 20 2004 - 08:17:17 CDT
CutMaster:
> > But the problem is that, using this method, postfix ALWAYS uses the relayhost to send mail @georgin.com
> > The way I wanted to do is that, if a mail has to be sent to georgin.com AND IS NOT "one of the listed email addresses" so it deliver it directly to local mailboxes (to permit to distributed internal email even if the internet connexion is down).
> >
> > Any idea ?
>
> Yes. Give local georgin.com users a local(8) alias
>
>     thisuser    user@this.server
>     otheruser   user@other.server
>
> And don't believe what people say about mail loops and Delivered-To:
> message headers.
>
> Wietse
>
>
> In fact, Thanks to Victor Duchovni, the good result is the following :
>
> - Let the mydestination handle the domain georgin.com
> - Set local_recipient_maps to nothing
> - Put the users to relay in luser_relay like luser_relay = someone@georgin.com, someoneelse@georgin.com
>
> Thanks for your help guys :)
DO NOT use luser_relay for this.
DO USE local aliases or transport maps.
Wietse
From: Dimitri Aivaliotis (dna@everyware.ch)
Date: Tue Jul 20 2004 - 08:18:48 CDT
Check the archives for a thread with subject "regexp mime_header_checks : subject" started this past Sunday.
- Dimitri
On Tue, 20 Jul 2004 15:13:57 +0200
Xavier Beaudouin <kiwi@oav.net> wrote:
> Hello there,
>
> My mailhub is getting more and more spam that have Subject header like
> this :
>
> Subject: $85145
>
> Starting with a $ and 5 numbers only.
>
> SA is not enough to kill it... But I really like to kill such spams
> directly using good and nice regexp... So anyone have a optimized one
> on his desk ?
>
> Thanks,
> /Xavier
>
> --
> Xavier Beaudouin - Unix System Administrator & Projects Leader.
> President of Kazar Organization : http://www.kazar.net/
> Please visit http://caudium.net/, home of Caudium & Camas projects
>
>
>
>
--
Dimitri Aivaliotis
EveryWare AG
Birmensdorferstrasse 125
8003 Zurich
tel: +41 (1) 466 60 00
fax: +41 (1) 466 60 10
From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Tue Jul 20 2004 - 08:27:43 CDT
On Tue, Jul 20, 2004 at 09:17:17AM -0400, Wietse Venema wrote:
> DO NOT use luser_relay for this.
>
> DO USE local aliases or transport maps.
>
Likely either local (aliases(5)) or virtual (virtual(5)) aliases are
necessary, because the ultimate destination for the users who are not
local will, unless configured to short-circuit individual mailboxes,
forward all mail addressed to the domain back to the primary MX.
The OP needs to diagram the delivery logic for various users convincing
himself that mail delivery follows the appropriate loop-free paths in
all cases.
The tools at hand are virtual_alias_maps (virtual(5)), alias_maps
(aliases(5)), transport_maps (transport(5)), and in rare cases
luser_relay, but either virtual_alias_maps or alias_maps is usually the
right answer and they do not require disabling recipient validation.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
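
The delivery paths discussed in this thread can be traced mechanically. The Python sketch below is an added example, not code from the thread or from Postfix: it is a simplified model (per-address transport, local aliases, recipient validation, MX routing), it assumes the office server is the MX for georgin.com, and the server names, mail.isp.example and the users alice and bob are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    """One hop in a simplified delivery model (not Postfix's actual resolver)."""
    name: str
    local_domains: set = field(default_factory=set)  # cf. mydestination
    mailboxes: set = field(default_factory=set)      # users that pass recipient validation
    aliases: dict = field(default_factory=dict)      # local part -> replacement address
    transport: dict = field(default_factory=dict)    # full address -> next server name


def trace(address, start, servers, mx):
    """Follow one recipient hop by hop.

    Returns (status, hops). status is 'delivered', 'rejected', 'loop' or
    'no-route'; hops lists the (server, address) states that were visited.
    """
    hops, seen, here = [], set(), start
    while True:
        state = (here, address)
        if state in seen:                # same server, same address again
            return "loop", hops
        seen.add(state)
        hops.append(state)
        srv = servers[here]
        user, _, domain = address.rpartition("@")
        if address in srv.transport:     # per-address transport wins first
            here = srv.transport[address]
        elif domain in srv.local_domains:
            if user in srv.aliases:      # alias rewrites, then re-resolve here
                address = srv.aliases[user]
            elif user in srv.mailboxes:
                return "delivered", hops
            else:                        # recipient validation stays enabled
                return "rejected", hops
        elif domain in mx:               # not local: hand to the domain's MX
            here = mx[domain]
        else:
            return "no-route", hops


def build(office_aliases=None, office_transport=None):
    """Constructed topology: office is MX for georgin.com, isp holds 'someone'."""
    office = Server("office", {"georgin.com"}, {"alice"},
                    office_aliases or {}, office_transport or {})
    isp = Server("isp", {"mail.isp.example"}, {"someone"})
    servers = {"office": office, "isp": isp}
    mx = {"georgin.com": "office", "mail.isp.example": "isp"}
    return servers, mx


def demo():
    results = {}
    # Per-address transport only: isp does not treat georgin.com as local,
    # so it sends the message back to the MX and the path never terminates.
    servers, mx = build(office_transport={"someone@georgin.com": "isp"})
    results["transport only"] = trace("someone@georgin.com", "office", servers, mx)[0]
    # Local alias to an address the other server owns: loop-free.
    servers, mx = build(office_aliases={"someone": "someone@mail.isp.example"})
    results["alias"] = trace("someone@georgin.com", "office", servers, mx)[0]
    # Local users are delivered without leaving the office server.
    results["local user"] = trace("alice@georgin.com", "office", servers, mx)[0]
    # Unknown users are still rejected, unlike with a catch-all.
    results["unknown user"] = trace("bob@georgin.com", "office", servers, mx)[0]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:15s} {status}")
```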
From: Matthias Andree (ma@dt.e-technik.uni-dortmund.de)
Date: Tue Jul 20 2004 - 08:37:03 CDT
On Tue, 20 Jul 2004, Wietse Venema wrote:
> > This will only lead spammers to identity theft, using addresses
> > harvested from the net. Not really useful.
>
> I have the right to stop spam that is sent to my machine,
> and I won't let you dispute that right.
I don't dispute your right,
but I dispute workability of this particular technical solution in the
long run.
We've seen blacklists, and the result was that spammers started using
home computers as spam relays (through mail worms).
We've seen address verification start and spammers and worms harvest
used addresses.
Seen from a distance, spamming is a social and economical problem that
cannot be solved technically.
All technical solutions we are implementing that fall short of real
authentication and accountability and letting the SENDER pay the proper
amount per mail rather than the recipient will ultimately fail.
UCE measures such as sender address verification work only as long as
there are some spammers that roll their dice to create a sender address.
--
Matthias Andree
Encrypted mail welcome: my GnuPG key ID is 0x052E7D95 (PGP/MIME preferred)
From: CutMaster (postfix@vlproduction.com)
Date: Tue Jul 20 2004 - 08:48:38 CDT
I'm sorry but I'm a newbie and this documentation is REALLY hard to understand.
That's why I ask some help from you.
It's kind of you to tell me which documentation I've to read but if I ask help to you, be sure that I've previously read the www.postfix.org documentation before.
The luser_relay I used works in this particular case.
I tried, before asking you for help, to put the following on transport map file :
someone@thedomain.com stmp:mail.thedomain.com
expecting that, only for this email address, postfix will use the mail.thedomain.com relay to send it instead of trying to deliver locally, but it doesn't.
So if I haven't taken the good way, can you provide me just a syntax sample of what I've to do to deliver locally all email from @thedomain.com EXCEPT for someone@thedomain.com which must be sent through the relayhost ?
Thanks again...
From: Schaefer, Dirk Alexander (das@mydom.ath.cx)
Date: Tue Jul 20 2004 - 08:58:00 CDT
Hi there,
I've got a little question about ldap.
A few days ago I tried to configure ldap lookups. But when I activate it
I cannot use the mail server anymore.
At the messages log file I see, that postfix is searching for the user
postmaster at the ldap directory but cannot find it and therefore it results
in errors. Does anybody know how to configure it properly and what kind of
objects and attributes are to be added to an user and how to set the correct
values for them?
Thx in advance.
Mit freundlichen Gruessen / With kind regards
D. A. Schaefer
From: Covington, Chris (ccovington@plusone.com)
Date: Tue Jul 20 2004 - 08:59:03 CDT
>The Exchange guys use this scheme. That's why Exchange is
>so unreliable.
It seems to work well for us. YMMV.
Chris
From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Tue Jul 20 2004 - 09:01:26 CDT
On Tue, Jul 20, 2004 at 03:37:03PM +0200, Matthias Andree wrote:
> I don't dispute your right, but I dispute workability of this particular
> technical solution in the long run.
Everyone may be right, but this discussion belongs (and already died
down) on SPAM-L. The issue there was Verizon's use of a (non-Postfix)
SAV system. There is a big difference between a major ISP using SAV and
Wietse's personal domain using SAV. Most of the real issues arise when
the SAV user has a lot more network and CPU resources than the domain
being verified...
It is probably best to not use Postfix-users cycles to rehash this.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
From: Covington, Chris (ccovington@plusone.com)
Date: Tue Jul 20 2004 - 09:03:06 CDT
>I thought this was due mostly to the exchange database being
>unmaintainable.
I don't think there's anything wrong with the concept. Most
'enterprise' commercial systems work this way, Lotus, Exchange, Oracle.
I hear the Oracle system is great:
http://www.oracle.com/collabsuite/index.html?feature_email.html
Chris
From: Marcelo Gonçalves Narciso (narciso@cnptia.embrapa.br)
Date: Tue Jul 20 2004 - 09:09:19 CDT
Hi,
I have installed and configured postfix.
I can send mail from my domain to
others domains, but I can't receive mail
from others domains to my domain.
in /var/mail directory postfix don't write any
message if someone sends mail for me
or any user in cnptia.embrapa.br domain.
If you know what happens, please,
send the answer for narciso@cnptia.embrapa.br
thanks a lot
The result of "postconf -n" is
alias_database = dbm:/export/home/postfix/etc/postfix/aliases
alias_maps = dbm:/export/home/postfix/etc/postfix/aliases,
dbm:/export/home/postfix/etc/postfix/majordomo.aliases
command_directory = /export/home/postfix/usr/sbin
config_directory = /etc/postfix
daemon_directory = /export/home/postfix/usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/export/home/postfix/etc/postfix/header_checks
home_mailbox = /export/home/mail
html_directory = no
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/sbin/scanmails
mailq_path = /export/home/postfix/usr/bin/mailq
manpage_directory = /export/home/postfix/usr/local/man
message_size_limit = 10485760
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = cnptia.embrapa.br
myhostname = norma.cnptia.embrapa.br
mynetworks = 200.0.70.0/24 192.207.194.0/24
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /export/home/postfix/usr/bin/newaliases
notify_classes = resource, software, policy, bounce, delay
queue_directory = /export/home/postfix/var/spool/postfix
readme_directory = no
relay_domains = $mydomain, localhost
sample_directory = /export/home/postfix/etc/postfix
sendmail_path = /export/home/postfix/usr/lib/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = dbm:/export/home/postfix/etc/postfix/access,
reject_maps_rbl
smtpd_helo_required = yes
smtpd_sender_restrictions = dbm:/export/home/postfix/etc/postfix/access,
reject_unknown_sender_domain, warn_if_reject reject_unverified_sender
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550
From: Wietse Venema (wietse@porcupine.org)
Date: Tue Jul 20 2004 - 09:07:57 CDT
Matthias Andree:
> On Tue, 20 Jul 2004, Wietse Venema wrote:
>
> > > This will only lead spammers to identity theft, using addresses
> > > harvested from the net. Not really useful.
> >
> > I have the right to stop spam that is sent to my machine,
> > and I won't let you dispute that right.
>
> I don't dispute your right,
> but I dispute workability of this particular technical solution in the
> long run.
>
> We've seen blacklists, and the result was that spammers started using
> home computers as spam relays (through mail worms).
>
> We've seen address verification start and spammers and worms harvest
> used addresses.
>
> Seen from a distance, spamming is a social and economical problem that
> cannot be solved technically.
The "no silver bullet" statement.
> All technical solutions we are implementing that fall short of real
> authentication and accountability and letting the SENDER pay the proper
> amount per mail rather than the recipient will ultimately fail.
Real authentication will not be the silver bullet. The spammer will
use a backdoored windows PC and impersonate the owner of that
machine until their credential is revoked.
Making the sender pay will not be the silver bullet. The spammer
will use a backdoored windows PC and impersonate the owner of that
machine until their credits run out, and then move to the next
victim.
No single solution will be the silver bullet. Each solution by
itself only raises the bar.
> UCE measures such as sender address verification work only as long as
> there are some spammers that roll their dice to create a sender address.
No silver bullet. That doesn't mean that I have to accept all the
junk mail that is sent to my machine.
Meanwhile, work is under way to attack the problem at multiple
levels, including political, and legal. Only a combination of
technical and non-technical measures and enforcement methods
will get the situation under control.
Wietse
Ali.Naddaf@trilogy.com
Date: Tue Jul 20 2004 - 09:09:45 CDT
Dirk,
Take a look at these instructions, they should give you some idea as to
what kind of settings you may need. If you couldn't make it work, drop me
a line and I will try to help you:
http://jeroen.protheus.com/postfix-courier-ldap-howto.html
Ali.
"Schaefer, Dirk Alexander" <das@mydom.ath.cx>
Sent by: owner-postfix-users@postfix.org
07/20/2004 08:58 AM
To: <postfix-users@postfix.org>
cc:
Subject: postfix and ldap
Hi there,
I've got a little question about ldap.
A few days ago I tried to configure ldap lookups. But when I activate
it I cannot use the mail server anymore.
At the messages log file I see, that postfix is searching for the user
postmaster at the ldap directory but cannot find it and therefore it
results in errors. Does anybody know how to configure it properly and what
kind of objects and attributes are to be added to an user and how to set
the correct values for them?
Thx in advance?
Mit freundlichen Gruessen / With kind regards
D. A. Schaefer
From: Hariharan Gopalan (hariom100@yahoo.com)
Date: Tue Jul 20 2004 - 09:13:58 CDT
Hi all
Was wondering if there was a way for the SMTP server
to respond with different HELO as per the domain name
it is called as, for example, with a single instance
of postfix with virtual domains:
"telnet mail.abc.com 25" should respond as
Trying 9.21.57.75..
Connected to mail.abc.com
Escape character is '^]'.
220 mail.abc.com ESMTP Postfix
And "telnet mail.xyz.com 25" should respond as
Trying 9.21.57.75...
Connected to mail.xyz.com
Escape character is '^]'.
220 mail.xyz.com ESMTP Postfix
Would appreciate any pointers.
thanks
Hariom
From: Ian Hunter (ihunter@hunterweb.net)
Date: Tue Jul 20 2004 - 09:16:11 CDT
> > testsaslauthd -u <username> -p <password> -s smtp
> >
> > ...works fine, even if I "su postfix" and then run it. (Couldn't get
> > pam working that way, switched to shadow, works fine as shadow)
> >
> > However, when I connect to smtpd (with Outlook Express, ack! phht!),
> > I see absolutely no activity from "saslauthd -d -a shadow" (and I see
> > all kinds of messages when I connect from testsaslauthd) and Outlook
> > keeps prompting me for my username and password.
>
> Usually this indicates that saslauthd and smtpd don't meet at the sasl
> socket.
That's what I thought. I just don't know how to troubleshoot it.
> How do you start saslauthd?
service saslauthd start, the actual command winds up looking like
/usr/sbin/saslauthd -m /var/run/saslauthd -a shadow -V
I stuck the -V in there in hopes of seeing some clue in the logs. Problem
is, I can't find anything in the logs after it starts up. The only
interesting thing I see in the logs is in /var/log/messages, when I try to
authenticate via smtpd:
Jul 20 09:55:08 charlie postfix/smtpd[12106]: unable to dlopen
/usr/lib/sasl/libgssapiv2.so: /usr/lib/sasl/libgssapiv2.so: undefined
symbol: GSS_C_NT_HOSTBASED_SERVICE
But I'm using shadow, and I've seen references to people getting that error
and still being able to authenticate.
> Where does it create the socket?
Per the command above, it winds up in the /var/run/saslauthd directory
> What are the permissions for that directory? Can postfix access it?
Yup, postfix can access it, and in fact, the postfix account can
successfully execute testsaslauthd.
> Can you show a telnet to localhost with EHLO foo to see the AUTH
> announcement?
Sure:
[root@charlie sasl2]# telnet localhost 4025
Trying 127.0.0.1...
Connected to charlie (127.0.0.1).
Escape character is '^]'.
220 mail.hunterweb.net ESMTP Postfix
EHLO foo
250-mail.hunterweb.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
> Can you run 'postfinger' to give us debug info for your
> setup?
[root@charlie sasl2]# postfinger
postfinger - postfix configuration on Tue Jul 20 10:03:22 EDT 2004
version: 1.29
--System Parameters--
mail_version = 2.1.4
hostname = charlie
uname = Linux charlie 2.4.20-24.9 #1 Mon Dec 1 11:35:51 EST 2003 i686 i686
i386 GNU/Linux
--Packaging information--
looks like this postfix comes from RPM package:
postfix-2.1.4-3.sasl1.tls.rh9
--main.cf non-default parameters--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
html_directory = /usr/share/doc/postfix-2.1.4-documentation/html
luser_relay = postmaster
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
mydestination = $mydomain
mydomain = [doesn't matter]
myhostname = [doesn't matter]
mynetworks = [doesn't matter]
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.1.4-documentation/readme
sample_directory = /usr/share/doc/postfix-1.1.12/samples
sendmail_path = /usr/sbin/sendmail.postfix
unknown_local_recipient_reject_code = 450
--master.cf--
smtp inet n - n - - smtpd
4025 inet n - n - - smtpd -o
smtpd_recipient_restrictions=$smtpd2_recipient_restrictions -o
smtpd_sasl_auth_enable=$smtpd2_sasl_auth_enable -o
broken_sasl_auth_clients=yes
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus unix - n n - - pipe
user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail.postfix
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
$recipient
-- end of postfinger output --
> Can I write one sentence that doesn't end with a question mark?
I've seen them from you before, so I'm guessing "yes." :)
Here's a really good example of what's happening, soup to nuts:
--snip--
[root@charlie root]# useradd sasltest
[root@charlie root]# passwd sasltest
Changing password for user sasltest.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@charlie root]# testsaslauthd -u sasltest -p sasltest -s smtp
0: OK "Success."
[root@charlie root]# su postfix
bash-2.05b$ testsaslauthd -u sasltest -p sasltest -s smtp
0: OK "Success."
bash-2.05b$ exit
exit
[root@charlie root]# cat saslauth.pl
#!/usr/bin/perl -w
use MIME::Base64;
print "Username: ";
chomp($username=<>);
print "Password: ";
chomp($password=<>);
print encode_base64("$username\0$username\0$password");
[root@charlie root]# ./saslauth.pl
Username: sasltest
Password: sasltest
c2FzbHRlc3QAc2FzbHRlc3QAc2FzbHRlc3Q=
[root@charlie root]# telnet localhost 4025
Trying 127.0.0.1...
Connected to charlie (127.0.0.1).
Escape character is '^]'.
220 mail.hunterweb.net ESMTP Postfix
EHLO foo
250-mail.hunterweb.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
AUTH PLAIN c2FzbHRlc3QAc2FzbHRlc3QAc2FzbHRlc3Q=
535 Error: authentication failed
quit
221 Bye
Connection closed by foreign host.
[root@charlie root]# echo Doh!
Doh!
[root@charlie root]#
--snip---
See, auth works fine as root and postfix, but via smtpd it barfs, and
there's NOTHING in the logs from saslauth itself; smtpd whines about unable
to dlopen /usr/lib/sasl/libgssapiv2.so: /usr/lib/sasl/libgssapiv2.so:
undefined symbol: GSS_C_NT_HOSTBASED_SERVICE but that's it.
Argh!!
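
An added example, not part of the message above: a Python parser for the AUTH PLAIN initial response used in that session (RFC 4616 layout: authzid NUL authcid NUL passwd). It checks that the token from the transcript is well-formed, and it shows that the token is only base64-encoded, so a pasted session carries the password unless the AUTH line is redacted; all function names are illustrative.

```python
import base64
import binascii
from typing import NamedTuple

# Token exactly as it appears in the telnet session above.
TOKEN_FROM_THREAD = "c2FzbHRlc3QAc2FzbHRlc3QAc2FzbHRlc3Q="


class PlainCredentials(NamedTuple):
    authzid: str   # identity to act as (often empty)
    authcid: str   # identity whose password is checked
    passwd: str


class MalformedPlain(ValueError):
    """Raised when a token is not a valid SASL PLAIN message."""


def encode_plain(authcid, passwd, authzid=""):
    """Build the base64 initial response: authzid NUL authcid NUL passwd."""
    for value in (authzid, authcid, passwd):
        if "\0" in value:
            raise MalformedPlain("fields must not contain NUL")
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token):
    """Decode and validate a PLAIN token; raise MalformedPlain if invalid."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise MalformedPlain(f"not valid base64: {exc}") from exc
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise MalformedPlain(f"expected 3 NUL-separated fields, got {len(parts)}")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise MalformedPlain("fields are not valid UTF-8") from exc
    if not authcid or not passwd:
        raise MalformedPlain("authcid and passwd must be non-empty")
    return PlainCredentials(authzid, authcid, passwd)


def _is_auth_plain(words):
    return len(words) == 3 and [w.upper() for w in words[:2]] == ["AUTH", "PLAIN"]


def parse_auth_command(line):
    """Parse a full 'AUTH PLAIN <token>' SMTP command line."""
    words = line.split()
    if not _is_auth_plain(words):
        raise MalformedPlain("not an 'AUTH PLAIN <token>' command")
    return decode_plain(words[2])


def redact_transcript(text):
    """Blank out AUTH PLAIN tokens before a session is pasted elsewhere."""
    out = []
    for line in text.splitlines():
        if _is_auth_plain(line.split()):
            line = "AUTH PLAIN [redacted]"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    creds = parse_auth_command("AUTH PLAIN " + TOKEN_FROM_THREAD)
    print("well-formed token for authcid", repr(creds.authcid))
    print(redact_transcript("EHLO foo\nAUTH PLAIN " + TOKEN_FROM_THREAD))
```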
From: J.D. Bronson (jbronson@wixb.com)
Date: Tue Jul 20 2004 - 09:21:12 CDT
I use some of the ideas on this list to setup postfix to accept email from
hotmail.com (for example) only if it comes from a hotmail.com server...
/(^|.)hotmail.com$/ OK
/(^|.)msn.com$/ OK
Recently microsoft seems to be using blocks of IPs that don't always have
reverse DNS on them ( go figure ) and as such, email is getting accidentally
rejected...
Can someone please tell me the syntax for adding IP blocks in the above?
Here is what I have come up with that I need to add:
64.4
65.52
65.53
65.54
65.55
207.46
207.68
209.185
216.32
216.33
thanks in advance for any help. This approach really does drop a ton of
spam with very little (if any) ill effects. At least until now!
--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: jd@aurora.org // Pager: 414.314.8282
From: John Peach (postfix@johnpeach.com)
Date: Tue Jul 20 2004 - 09:19:57 CDT
On Tue, 20 Jul 2004 07:13:58 -0700 (PDT)
Hariharan Gopalan <hariom100@yahoo.com> wrote:
> Hi all
>
> Was wondering if there was a way for the SMTP server
> to respond with different HELO as per the domain name
> it is called as, for example, with a single instance
> of postfix with virtual domains:
>
No - only the client machine knows what name was used - it is translated
to an address, which is what is used to connect.
From: Ian Hunter (ihunter@hunterweb.net)
Date: Tue Jul 20 2004 - 09:23:21 CDT
If anything, not enough info on how postfix calls saslauthd -- I see lots of
references to /var/spool/postfix/var/run/saslauthd but nowhere does it say
where postfix invents that socket path from, nor does that appear in
/usr/lib/sasl2/smptd.conf.
----- Original Message -----
From: "Luca Berra" <bluca@comedia.it>
To: <postfix-users@postfix.org>
Sent: Tuesday, July 20, 2004 7:10 AM
Subject: Re: Postfix SASL Issues...
> On Mon, Jul 19, 2004 at 12:59:37PM -0700, Shawn Daniel wrote:
> >I am looking for documentation on configuring SASL in Postfix
> >2.1.1x, but haven't found anything that really covers Postfix 2.x.
> >All of the docs seem to be for 1.x. Does anyone know of such a
> >document and where I might acquire it?
> >
> >I am running in to config issues that I haven't been able to resolve
> >with the SASL that is in Postfix.
>
> are there shortcomings in the postfix SASL_README document?
>
> L.
>
> --
> Luca Berra -- bluca@comedia.it
> Communication Media & Services S.r.l.
> /"\
> \ / ASCII RIBBON CAMPAIGN
> X AGAINST HTML MAIL
> / \
From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Tue Jul 20 2004 - 09:23:45 CDT
On Tue, Jul 20, 2004 at 10:03:06AM -0400, Covington, Chris wrote:
> I don't think there's anything wrong with the concept. Most
> 'enterprise' commercial systems work this way, Lotus, Exchange, Oracle.
> I hear the Oracle system is great:
>
> http://www.oracle.com/collabsuite/index.html?feature_email.html
>
The popularity of the design does not make it right; the reason the
design is chosen is *developer* convenience rather than greater likely
robustness.
It is possible to architect all the fancy features in a more robustly
designed system with separate data and metadata repositories, tools for
metadata recovery, ...
I believe that OpenExchange uses Cyrus as a mailstore, and still offers
enterprise features. This is a reasonable design in my view.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
From: John Peach (postfix
johnpeach.com)
Date: Tue Jul 20 2004 - 09:27:58 CDT
On Tue, 20 Jul 2004 09:21:12 -0500
"J.D. Bronson" <jbronson
wixb.com> wrote:
> I use some of the ideas on this list to set up postfix to accept email
> from hotmail.com (for example) only if it comes from a hotmail.com
> server...
>
> /(^|.)hotmail.com$/ OK
> /(^|.)msn.com$/ OK
>
> Recently microsoft seems to be using blocks of IPs that don't always
> have reverse DNS on them ( go figure ) and as such, email is getting
> accidentally rejected...
AHG - not msn as well as hotmail.
>
> Can someone please tell me the syntax for adding IP blocks in the
> above?
It all depends what type of map you are using....
I use a cidr map for hotmail - looks like I need to add these msn
netblocks.
FYI - these are the hotmail ones without PTR records:
64.4.0.0/18 OK
65.52.0.0/14 OK
207.46.0.0/16 OK
207.68.128.0/18 OK
207.68.192.0/20 OK
209.185.240.0/23 OK
216.32.180.0/23 OK
216.32.240.0/23 OK
216.33.148.0/23 OK
216.33.236.0/23 OK
216.33.240.0/23 OK
From: John Peach (postfix
johnpeach.com)
Date: Tue Jul 20 2004 - 09:31:15 CDT
On Tue, 20 Jul 2004 10:27:58 -0400
John Peach <postfix
johnpeach.com> wrote:
To follow up to my own post :)
I should have looked at the netblocks listed - they must be shared
between msn and hotmail, because they match the ones I already have.
> FYI - these are the hotmail ones without PTR records:
>
> 64.4.0.0/18 OK
> 65.52.0.0/14 OK
> 207.46.0.0/16 OK
> 207.68.128.0/18 OK
> 207.68.192.0/20 OK
> 209.185.240.0/23 OK
> 216.32.180.0/23 OK
> 216.32.240.0/23 OK
> 216.33.148.0/23 OK
> 216.33.236.0/23 OK
> 216.33.240.0/23 OK
From: J.D. Bronson (jbronson
wixb.com)
Date: Tue Jul 20 2004 - 09:38:15 CDT
At 09:27 AM 07/20/2004, you wrote:
>On Tue, 20 Jul 2004 09:21:12 -0500
>"J.D. Bronson" <jbronson
wixb.com> wrote:
>
> > I use some of the ideas on this list to set up postfix to accept email
> > from hotmail.com (for example) only if it comes from a hotmail.com
> > server...
> >
> > /(^|.)hotmail.com$/ OK
> > /(^|.)msn.com$/ OK
> >
> > Recently microsoft seems to be using blocks of IPs that don't always
> > have reverse DNS on them ( go figure ) and as such, email is getting
> > accidentally rejected...
>
>AHG - not msn as well as hotmail.
> >
> > Can someone please tell me the syntax for adding IP blocks in the
> > above?
>
>It all depends what type of map you are using....
>I use a cidr map for hotmail - looks like I need to add these msn
>netblocks.
>
>
>FYI - these are the hotmail ones without PTR records:
>
>64.4.0.0/18 OK
>65.52.0.0/14 OK
>207.46.0.0/16 OK
>207.68.128.0/18 OK
>207.68.192.0/20 OK
>209.185.240.0/23 OK
>216.32.180.0/23 OK
>216.32.240.0/23 OK
>216.33.148.0/23 OK
>216.33.236.0/23 OK
>216.33.240.0/23 OK
yes I think they are shared...so I left them in for MSN/HOTMAIL just in case??
I didn't see any side effects to doing that.
Here is what I am doing:
main.cf:
from_msn_com = check_client_access regexp:/etc/postfix/freemail/from_msn_com
then the file referenced:
/(^|.)msn.com$/ OK
so can I simply add your examples to this:
/(^|.)msn.com$/ OK
64.4.0.0/18 OK
65.52.0.0/14 OK
...
...
Thanks John-
--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: jd
aurora.org // Pager: 414.314.8282
From: John Peach (postfix
johnpeach.com)
Date: Tue Jul 20 2004 - 09:44:22 CDT
On Tue, 20 Jul 2004 09:38:15 -0500
"J.D. Bronson" <jbronson
wixb.com>
> yes I think they are shared...so I left them in for MSN/HOTMAIL just
> in case?? I didn't see any side effects to doing that.
>
> Here is what I am doing:
>
> main.cf:
> from_msn_com = check_client_access
> regexp:/etc/postfix/freemail/from_msn_com
>
> then the file referenced:
> /(^|.)msn.com$/ OK
>
>
> so can I simply add your examples to this:
>
> /(^|.)msn.com$/ OK
> 64.4.0.0/18 OK
> 65.52.0.0/14 OK
Actually I just allow all mail from those netblocks. It doesn't seem to
have caused me any problems. I was working under the, possibly mistaken,
assumption that those are corporate netblocks......
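The map-type question in the exchange above, as an added example that is not part of any poster's message: regexp and cidr are separate Postfix lookup table types, so the netblock lines belong in a cidr: table referenced by its own check_client_access, not in the regexp file. The Python below is a simplified model (not Postfix code) of the two lookups, using the thread's netblocks and pattern; it assumes a client without reverse DNS is presented under the hostname "unknown", and the client addresses and the STRICT pattern are constructed for the example.

```python
import ipaddress
import re

# Netblocks exactly as quoted in the thread (the cidr map entries).
CIDR_MAP = """\
64.4.0.0/18 OK
65.52.0.0/14 OK
207.46.0.0/16 OK
207.68.128.0/18 OK
207.68.192.0/20 OK
209.185.240.0/23 OK
216.32.180.0/23 OK
216.32.240.0/23 OK
216.33.148.0/23 OK
216.33.236.0/23 OK
216.33.240.0/23 OK
"""

POSTED = re.compile(r"(^|.)hotmail.com$")    # as posted: "." matches any character
STRICT = re.compile(r"(^|\.)hotmail\.com$")  # added variant: literal dots only


def parse_cidr_map(text):
    """Parse 'network/prefix action' lines, keeping file order (first match wins)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            net, action = line.split(None, 1)
            # strict=True rejects entries with host bits set, e.g. 64.4.1.0/18
            rules.append((ipaddress.ip_network(net, strict=True), action))
    return rules


def client_access(hostname, address, name_re, rules):
    """Model: client hostname against the regexp, then address against the CIDR rules."""
    if name_re.search(hostname):
        return "OK"
    ip = ipaddress.ip_address(address)
    for net, action in rules:
        if ip in net:
            return action
    return None  # no match: the remaining restrictions decide


RULES = parse_cidr_map(CIDR_MAP)

if __name__ == "__main__":
    # Constructed clients without a PTR record, inside and outside the netblocks.
    for addr in ("65.54.1.1", "192.0.2.10"):
        print(addr, client_access("unknown", addr, POSTED, []),
              client_access("unknown", addr, POSTED, RULES))
```

With the regexp alone, the PTR-less client at 65.54.1.1 gets no match and falls through to whatever rejects it; with the CIDR rules it is accepted on its address. The posted pattern also accepts a name such as mail.nothotmail.com, which the escaped variant does not.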
From: Arshavir Grigorian (ag
m-cam.com)
Date: Tue Jul 20 2004 - 09:59:07 CDT
On Sat, 2004-07-17 at 06:50, lst_hoe01
kwsoft.de wrote:
> Quoting Arshavir Grigorian <ag
m-cam.com>:
>
> > Hello,
> >
> > Although I have used Postfix for a long time, I just subscribed to this
> > list and this is my first post.
> >
> > I have a secondary MX server running Postfix, and I thought I properly
> > configured it. But then I started seeing certain entries in my logs,
> > which I couldn't understand. If someone could enlighten me as to what
> > these messages mean and/or what's causing them to appear in my logs, I
> > would very much appreciate it.
> >
> > 1) Jul 15 19:38:21 mail1 postfix/nqmgr[7349]: 3E0323E8A9: from=<>,
> > size=9458, nrcpt=1 (queue active)
> > Jul 15 19:38:51 mail1 postfix/smtp[8517]: connect to
> > mail.kf7.us[65.182.130.10]: Connection timed out (port 25)
> > Jul 15 19:38:51 mail1 postfix/smtp[8517]: 3E0323E8A9: to=<
kf7.us>,
> > relay=none, delay=1559, status=deferred (connect to
> > mail.kf7.us[65.182.130.10]: Connection timed out)
>
> These are bounces. Have a look which mail was bounced. Don't accept mail for
> invalid user (see xxxx_recipient_maps feature)
>
> > 2) Jul 15 22:39:26 mail1 postfix/smtpd[2184]: warning: smtpd_peer_init:
> > 201.129.238.141: hostname dsl-201-129-238-141.prod-infinitum.com.mx
> > verification failed: Name or service not known
> >
> > Jul 16 00:18:25 mail1 postfix/smtpd[2344]:warning: smtpd_peer_init:
> > 65.182.129.81: address not listed for hostname www-way.biz
> >
> > Jul 15 22:57:13 mail1 postfix/smtpd[2211]: warning: smtpd_peer_init:
> > 24.208.216.195: hostname dhcp024-208-216-195.indy.rr.com verification
> > failed: Temporary failure in name resolution
> >
> > I guess the last one is caused by some DNS failure, though I can't
> > figure out what failure exactly, since both the IP and the hostname are
> > present. I have no idea about the former 2.
>
> Forward (A) and reverse (PTR) lookups must match. If either one fails or the
> results don't match, postfix logs these warnings.
>
> Regards
>
> Andreas
Thanks for the comments, Andreas.
I am not quite sure I understand how that entry is considered a bounce.
I have bounce entries for unknown users:
Jul 19 03:32:31 mail1 postfix/local[22892]: 02DA93E8B9:
to=<zylkijyxenr
mail1.xxxxxxxx.com>, orig_to=<zylkijyxenr
>,
relay=local, delay=0, status=bounced (unknown user: "zylkijyxenr")
My understanding is that if a mail is to be bounced it's done during the
SMTP conversation. So why is my server trying to connect to the other
server? Are you saying that the other server closed connection before my
server could bounce the message?
Could you please elaborate? Thanks.
Arshavir
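The forward/reverse matching rule quoted in the message above, as an added example (not part of any poster's message and not Postfix source code): a small Python model of the check that yields the three kinds of smtpd_peer_init warning shown in the logs. The client addresses and hostnames are the ones in the quoted log lines; the resolver answers, the 192.0.2.x addresses and mx.example.org are constructed for the example.

```python
import ipaddress


class TempFail(Exception):
    """The resolver could not answer right now (timeout, SERVFAIL)."""


def verify_client(address, ptr, forward):
    """Return (client_name, reason); the name is "unknown" unless PTR and A agree.

    ptr(address) -> hostname or None; forward(hostname) -> list of address
    strings, empty when the name does not exist. Either may raise TempFail.
    """
    try:
        name = ptr(address)
        if name is None:
            return "unknown", "no PTR record"
        listed = forward(name)
    except TempFail:
        return "unknown", "temporary failure in name resolution"
    if not listed:
        return "unknown", "hostname %s verification failed" % name
    if ipaddress.ip_address(address) not in map(ipaddress.ip_address, listed):
        return "unknown", "address not listed for hostname %s" % name
    return name, "verified"


# Constructed DNS data: addresses and names come from the quoted log lines;
# the forward answers (192.0.2.x) are made up for the example.
PTR = {
    "201.129.238.141": "dsl-201-129-238-141.prod-infinitum.com.mx",
    "65.182.129.81": "www-way.biz",
    "24.208.216.195": "dhcp024-208-216-195.indy.rr.com",
    "192.0.2.25": "mx.example.org",
}
FORWARD = {
    "www-way.biz": ["192.0.2.80"],
    "mx.example.org": ["192.0.2.25", "192.0.2.26"],
}


def forward(name):
    if name.endswith(".rr.com"):
        raise TempFail(name)  # models the "Temporary failure" log entry
    return FORWARD.get(name, [])


def check(address):
    """Run the model against the constructed resolver data."""
    return verify_client(address, PTR.get, forward)
```

In every failing case the client name collapses to "unknown", so hostname-based access rules no longer see the name the PTR record claimed.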
From: Arvinn Løkkebakken (arvinn
sandakerveien.net)
Date: Tue Jul 20 2004 - 10:02:06 CDT
Victor Duchovni wrote:
> On Tue, Jul 20, 2004 at 02:29:14PM +0200, Arvinn Løkkebakken wrote:
>
>
>>>The Exchange guys use this scheme. That's why Exchange is so unreliable.
>>>
>>
>>Does it have to be unreliable? In my experience Exchange is unreliable
>>because of a lot of things. But then again, Exchange is much more than a
>>MTA, so it's kinda not the right example to look at anyway IMO.
>>
>
>
> Exchange is a mailstore with an MTA bolted-on for state replication and
> messaging. While the MTA could use a dose of transparency and better
> logging, the real problem is the storage, not the fancy features, but
> the underlying storage design.
>
> The choice of a monolithic store for mail is a major design error, since
> it imposes excessive global consistency requirements that make recovery
> difficult, and corruption likely.
>
> File-systems offer fine-grained rather than global consistency:
> Directories point at files that really exist, files point at blocks that
> belong to them, data flushed to a file persists after a sync operation
> (explicit or delayed from the buffer cache). Even if a single file is
> corrupted, global file-system corruption is rare with mature file-systems
> (I make no specific public claims about which file-systems are mature
> on which OS).
>
> By separating data and meta-data into different files, and ideally
> meta-data for each folder into a separate file, a mailstore can support
> fast meta-data recovery (it is the meta-data that is most likely to
> become corrupted).
>
> File-systems support a rich ecosystem of file manipulation tools, if
> something goes wrong with the mail-store meta-data the administrator can
> still wrest the underlying content from the mailstore and re-build
> (portions of) the meta-data, obviating the need for a full data and
> meta-data recovery (in these days of TB sized stores full recovery can
> be totally impractical).
>
> File-system recovery can be faster than database recovery because it is
> not necessary to arrive at a globally consistent state. One can recover
> parts of a file-system, restoring individual mailboxes or messages.
>
> I cannot honestly recommend to anyone a mailstore design based on any
> database, regardless of the technology.
>
Damn, that was quite a few good arguments :)
Arvinn
From: Robin Lynn Frank (rlfrank
paradigm-omega.com)
Date: Tue Jul 20 2004 - 01:27:16 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
On Monday 19 July 2004 21:37, Peter H. Coffin wrote:
> > Wrong read : The objection is that spammers will use *valid* sender
> > addresses if SAV gets widespread. Given the fact that many sites
> > still generate bounces, I prefer these bounces to be to invalid
> > addresses at my site instead of valid ones.
>
> Some spammers will change. Some won't. You'll catch the ones that don't.
>
> Some sites still bounce. Some probably ALWAYS will. That will fill the
> spoofed mailbox with bounces very quickly, and SAV will again start
> catching spam.
>
> Spammers still send direct from dialups, still send to dictionary
> addresses, still use broken SMTP-ware, continue to use hijacked machines
> even after the hijacked machine shows up in block lists that they can
> look at. Why discard a rejection criterion that smart spammers might be
> able to get around when there's so much evidence that most of them are
> slightly smarter than begonias?
I'm not so sure you are correct. When spammers managed to get people more
concerned with backscatter than in blocking UCE, they won and we lost. That
makes them considerably smarter than begonias and vastly smarter than the
crew on spam-l that spend so much time grousing about backscatter and,
apparently so little time in effectively blocking UCE.
- --
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
======================
A bug in the code is worth two in the documentation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Sed quis custodiet ipsos custodes?
iD8DBQFA/LtOo0pgX8xyW4YRA1gUAJ95vOYmW6GZdfDznAapwIaL4G92MACfRn5w
9TgnWfOyAWBG147UzlTYwn0=
=nBXZ
-----END PGP SIGNATURE-----
From: Kevin W. Gagel (gagel
cnc.bc.ca)
Date: Tue Jul 20 2004 - 10:30:24 CDT
I upgraded postfix from 2.0.16 to 2.1.4 yesterday. Doing a tail showed that the
new version was considering messages as corrupt. Venturing a guess I upgraded
amavisd-new which did solve that problem.
Can these messages be returned to service? How? Mind pointing me to docs please.
====================
Kevin W. Gagel
Network Administrator
(250) 561-5848 local 448
(250) 562-2131 local 448
--------------------------------------------------------------
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
--------------------------------------------------------------
From: Kevin OGorman (kogorman
pacbell.net)
Date: Tue Jul 20 2004 - 10:11:55 CDT
Yes. A .forward file will do the trick. Details surely
depend on your OS, but here's the Unix/Linux way:
Suppose your login name is 'joe'. Then in Joe's home
directory create the forwarding file ~joe/.forward,
with 600 permissions. In it, put a line to deliver the
mail locally as usual (because the .forward file preempts
that function) and also a line to send it to your test
domain: something like this
=== cut here
\joe
joe@test.domain.top
=== cut here
Now the incoming mail goes to two places.
You can also send the mail to local files, or even to
a command pipeline, but it seems you don't need those
functions.
++ kevin
--- Sean Tempesta <tempesta
more.net> wrote:
> Hello,
>
> I have been tasked with testing out an anti-spam solution
> for my
> company. It has been very challenging, however, to test
> the system
> simply because any mail I send through it has the same
> headers and is
> not very suspicious.
>
> Is there any way to copy mail (with postfix) that is
> incoming on one of
> my real mail servers and send one of the copies to my
> test email servers
> while letting the original pass through?
>
> Sean Tempesta
> GRA - S&P
>
>
=====
Dr. Kevin O'Gorman (805) 756-2986 mailto:kogorman
pacbell.net
Home Page: http://www.csc.calpoly.edu/~kogorman
From: Luca Berra (bluca
comedia.it)
Date: Tue Jul 20 2004 - 10:13:22 CDT
On Tue, Jul 20, 2004 at 10:23:45AM -0400, Victor Duchovni wrote:
>It is possible to architect all the fancy features in a more robustly
>designed system with separate data and metadata repositories, tools for
>metadata recovery, ...
>
>I believe that OpenExchange uses Cyrus as a mailstore, and still offers
>enterprise features. This is a reasonable design in my view.
The only nice enterprise feature that I believe is worthwhile having a robust
database as a mail store is the fact that some database already solved
the problem of data replication.
Doing this kind of work with a filesystem is not that easy, since you
have to ensure some level of coherency between data and metadata.
And keeping two filesystems synchronous might be expensive in terms of
bandwidth