gmane.mail.postfix.user

Re: Snapshot 20130517

Wietse Venema — 2013-05-18T13:49:56

/dev/rob0:

For whitelisting I used a wild-card "A" record, and for timeout
testing I used an NS record that resolves to a firewalled port (a
black hole).

This confirmed that postscreen will now use partial scores to
whitelist pending non-dnbsbl tests.

I can make those domain names available for general testing (but
not now as I am in the middle of a copper-to-fiber conversion).

Wietse

Re: Snapshot 20130517

/dev/rob0 — 2013-05-18T03:55:43

For testing I reenabled PSBL, and I'll see what comes in overnight.
I thought I could make my own pseudo-DNSBL on a random IP address 
with blocked ports 53, but I need to set up an NS record to point to 
that. I'll do that tomorrow if results tonight are inconclusive.

Snapshot 20130517 (was: Tweaking DNS timeouts)

Wietse Venema — 2013-05-18T02:06:38

Wietse Venema:

Released as snapshot 20130517.

Wietse

Re: postfix ssl errors in log, what does they mean?

Wietse Venema — 2013-05-17T22:38:46

Wietse Venema:

My mistake. The signature broke because my submission had Sender:
wietse< at >porcupine.org, which the list manager deletes and replaces
with Sender: owner-postfix-users< at >postfix.org.

Wietse

Re: postfix ssl errors in log, what does they mean?

Wietse Venema — 2013-05-17T22:01:24

Marko Weber | ZBF:

The DKIM verifier says that the DKIM signature does not match 
the message. This appears to be a problem with the postfix list
majordomo or content filter.

Wietse

Re: Tweaking DNS timeouts

Wietse Venema — 2013-05-17T20:45:59

/dev/rob0:

[begin background material]

I mis-understood how postscreen works (I do not constantly stare
at Postfix source code, having other things to work on that pay the
bills).

I thought that the whitelist will be applied only when DNS lookups
complete *before* the pregreet timer expires. That is,

- When some DNS lookup is taking too long, no DNS score is available.

This is consistent with how postscreen whitelisting works for non-DNS
tests.  It applies the whitelist threshold only when DNS lookup
completes before the pregreet timer expires.

However, the bullet above is incorrect. When soe DNS lookup takes
too long, a DNS score is available, and the postscreen DNS blocking
code uses that partial score.

This is safe when there are only positive scores (if the partial
client is already over the threshold then the client should be
blocked even if some DNS results are not yet in).

This is less safe when there may also be exculpatory evidence (in
the form of DNSWL lookups).  But, sites are usually not

Re: Tweaking DNS timeouts

/dev/rob0 — 2013-05-17T18:58:01

snip

I understand all this and agree. I'm not advocating a 30+ second 
greet pause. My original goal was to reduce delays.

Most of those who manage really busy outbounds will have gone to the 
trouble of getting listed on DNS whitelists. And for these outbounds, 
an occasional 10-second greet pause is better than "Service currently 
unavailable" and PASS NEW.

But I think this is all moot, and my quick fix, to stop querying 
psbl.surriel.com, was the best. The moral of the story being, use 
DNSBL sites with adequate response times and five nines. It's 
probably also moot if the postscreen_dnsbl_threshold score is only 
calculated when in excess thereof in case of DNS timeouts.

Re: virtual user (unknown user)

Benny Pedersen — 2013-05-17T18:43:08

postfixml< at >fuckaround.org skrev den 2013-05-16 14:10:


useradd fred

fred is not yet an unix user :=)

Re: problem, pass bad header thru amavis and dont quarantine them

Patrick Ben Koetter — 2013-05-17T18:30:46

* Marko Weber | ZBF <weber< at >zackbummfertig.de>:

Looks good. Amavis knows which messages are inbound now.

p< at >rick

Re: Tweaking DNS timeouts

Viktor Dukhovni — 2013-05-17T17:53:47


It creates a lot of needless congestion on legitimate sending
systems even if they don't hang up.

Now every message (from a small MTA that does not visit often)
starts to take 30s to make a delivery.  Queue throughput collapses
and Patrick Raq's MTA can't deliver new mail in a timely fashion.
On the plus side, Wietse and Patrick may finally consider my
"concurrency balooning" suggestion. :-)

Much of the damage to the SMTP infrastructure is done by well-meaning
anti-spam measures.  Let's not take it too far.

Re: Tweaking DNS timeouts

/dev/rob0 — 2013-05-17T17:26:13

Do we have any testing to validate this? I'm pretty sure I recall 
from a few years back on the old original SPAM-L list that some 
Sendmail people[1] were saying they used greet pauses in excess of 30 
seconds.


Thanks for all that. As it happens, I have a quick fix for this:

$ grep 'dnsblog.*timeout' /var/log/maillog | wc
     35     420    3731
$ grep 'dnsblog.*timeout' /var/log/maillog | grep -v surriel | wc
      0       0       0

PSBL seems to be a bit slow for me. I've taken it out of my 
postscreen_dnsbl_sites; I had only recently added it.

What this shows is that there's no good, risk-free way to test 
potential new DNSBLs. No great harm done: at the most, 35 delayed 
mails. But could a site which is consistently timing out cause 
positive scores to be ignored? Apparently not here:

May 12 05:05:39 harrier postfix/postscreen[17895]: CONNECT from [24.227.47.42]:1362 to [207.223.116.211]:25
May 12 05:05:39 harrier postfix/postscreen[17895]: PREGREET 21 after 0.03 from [24.227.47.42]:1362: EHLO [1

Re: problem, pass bad header thru amavis and dont quarantine them

Marko Weber | ZBF — 2013-05-17T08:02:21

Hi Patrick,
i did it like described in your blog. (bit changed for my structure)

< at >local_domains_maps = (
".$mydomain",
read_hash('/etc/postfix/lookups/hash/virtual_domains_amavis')
);  # list of all local domains
#
### weber stop

the result in logfile is now:


May 17 09:57:05 mail amavis[15982]: (15982-01) Passed CLEAN 
{RelayedInbound}, [xxx.xxx.xxxx] <m.weber< at >_____.de> -> <weber< at >_____.de>, 
Message-ID: <zarafa.5195e2d0.0427.2379669854c2b919< at >xxxxx.loc>, mail_id: 
5Gj-xCw2MAvK, Hits: -, size: 2449, queued_as: 4C5B4368DCA, 65 ms


marko



Am 2013-05-17 00:20, schrieb Patrick Ben Koetter:

Re: problem, pass bad header thru amavis and dont quarantine them

Marko Weber | ZBF — 2013-05-17T07:55:26

Hi Patrick,

Am 2013-05-17 00:20, schrieb Patrick Ben Koetter:

I had a look at this page yesterday already as i seen it in a post from 
you to another guy.
Its not really clear for me at all.
How are teh virual_domains listed in the file? each line a domain? comma 
seperated? semicolon seperated?

At all teh page is really nice with very good explained inside 
knowledge. but for me it appears you
just intorduce informations and dont explain in depth. (huh, my english 
is not the best, it was easier to fon with you :-) .

For me, with not ultra skill in amavis "examples" would be useful. short 
examples maybe.

i will try each line a domain and tell you what the logs says.........

marko

Re: virtual user (unknown user)

Ansgar Wiechers — 2013-05-17T00:49:31

Please keep this conversation on-list. I don't do personal support for
free.

On 2013-05-16 Pol Hallen wrote:

I already told you what to do, aside from reading the documentation.
Have you removed the line from /etc/postfix/virtual? What is the output
of the following commands:

  postmap -q fred< at >nuvolabianca.org hash:/etc/postfix/virtual
  postmap -q fred< at >nuvolabianca.org hash:/etc/postfix/vmailbox

Regards
Ansgar Wiechers

Tweaking DNS timeouts (was: postscreen_dnsbl_whitelist_threshold)

Wietse Venema — 2013-05-16T23:48:24

/dev/rob0:

All postscreen versions work that way. When the DNSBL score is not
final before the pregreet test completes, the DNSBL test remains
undecided, and the test will be repeated the next time the client
connects.

Increasing the greet-wait to 10+ seconds could result in legitimate
clients hanging up, so I would not recommend that.

You can try to change the DNS resolver timeout/retry behavior:

/etc/resolv.conf:
    # Typical default settings shown here. See resolver(5).
    optionstimeout:5 attempts:2 ...

However, this changes all DNS lookups of every program on the system,
and that may be undesirable.

You can instead specify these settings for Postfix only by setting
the RES_OPTIONS environment variable.

/etc/postfix/main.cf:
    import_environment = ... RES_OPTIONS=timeout:3 ...

Unfortunately main.cf does not support RES_OPTIONS values that
contain spaces (there is no support for quotes) and multiple
RES_OPTIONS=whatever settings don't add up, so you can override
only one of "timeout" or "atte

Re: postscreen_dnsbl_whitelist_threshold

/dev/rob0 — 2013-05-16T22:08:27

In the time since I've been running this, I saw the first thing that 
might be seen as a problem: dnsblog timing out on one of the DNSBL 
lookups:

May 16 21:51:44 harrier postfix/postscreen[29502]: CONNECT from [208.66.205.36]:53814 to [207.223.116.211]:25
May 16 21:51:44 harrier postfix/dnsblog[29507]: addr 208.66.205.36 listed by domain list.dnswl.org as 127.0.15.0

This gives it a -2 so far, but when the greet pause is finished, 
postscreen proceeds anyway:

May 16 21:51:51 harrier postfix/postscreen[29502]: NOQUEUE: reject: RCPT from [208.66.205.36]:53814: 450 4.3.2 Service currently unavailable; from=<newsletter< at >pacmail.em.marketinghq.net>, to=<mungeduser< at >example.net>, proto=ESMTP, helo=<smtp36.elabs8.com>
May 16 21:51:54 harrier postfix/postscreen[29502]: warning: dnsblog reply timeout 10s for psbl.surriel.com
May 16 21:51:56 harrier postfix/postscreen[29502]: PASS NEW [208.66.205.36]:53814
May 16 21:51:56 harrier postfix/postscreen[29502]: DISCONNECT [208.66.205.36]:53814

To avoid this, I guess I'd

Re: postfix ssl errors in log, what does they mean?

/dev/rob0 — 2013-05-16T19:26:55

I don't see "postfix" anywhere in that.


Possibly. The only thing certain is that you are not having Postfix 
issues (or at least, not according to what you showed us.)

postfix ssl errors in log, what does they mean?

Marko Weber | ZBF — 2013-05-16T19:08:08

hello ,

i find many of these in my mail.log:

May 16 14:27:33 mail opendkim[2926]: 119CA2FB20: s=dktest 
d=porcupine.org SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad 
signature

is my openssl broken or something else glitchy? or does this mean the 
dkim from porcupine.org ist invalid?

thanks,

marko

Re: Postfix not speaking with amavis?

Viktor Dukhovni — 2013-05-16T14:18:02

[begin hostility]
[end hostility]

[begin sarcasm]
[end sarcasm]



Chill out and keep it civil.  Thanks.


Give it a try, sarcasm on public mailing lists is not terribly useful.


Probably not.  Just think it to yourself, smile if you enjoyed the
wit and don't mail it.

Re: limited syntax in regexp:header_checks ?

Patrick Proniewski — 2013-05-16T14:06:02


yes I am.



Was never my intention to blame postfix, I was just asking for help on a problem that I have.



I'll look into it.

thanks,

Patrick PRONIEWSKI

Re: virtual user (unknown user)

Wietse Venema — 2013-05-16T13:39:33

Pol Hallen:

If this is the right domain but wrong delivery agent, see
http://www.postfix.org/ADDRESS_CLASS_README.html which describes
how Postfix selects the "known user" info and the delivery agent.

This converstation is progressing too slowly.  Someone with more
patience may like to step in. I have to attend other things now.

Wietse