gmane.mail.postfix.user

Re: Subdomain users through my smtpd_sender_restrictions

Noel Jones — 2012-05-25T20:39:45


It is unclear what you're referring to.  Postfix applies all
smtpd_*_restrictions to all mail, with clients listed in $mynetworks
getting special treatment.
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/SMTPD_ACCESS_README.html

Perhaps you need to add some internal servers to mynetworks?

Please show your "postconf -n" output and postfix logs of the
unwanted behavior, along with your description of what you expected
to happen.
http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones

Re: Postfix SMTP Client Segfaults over TLS

Daniel Sutcliffe — 2012-05-25T20:23:35

I'm having a very similar problem here on CentOS 6 - unfortunately moving or
removing the TLS session caches and restarting postfix is not fixing my problem
at all.  Coincidently the openssl package was updated the day before the problem
started.
  postfix 2.6.6-2.2.el6_1
  openssl 1.0.0-20.el6_2.4

postconf: http://pastebin.com/d898xtus

maillog (with -v on smtp line in master.cf): 
  May 25 20:20:17 li postfix/smtp[17618]: < smtp.gmail.com[173.194.77.108]:587:
250-mx.google.com at your service, [72.3.189.225]
  May 25 20:20:17 li postfix/smtp[17618]: < smtp.gmail.com[173.194.77.108]:587:
250-SIZE 35882577
  May 25 20:20:17 li postfix/smtp[17618]: < smtp.gmail.com[173.194.77.108]:587:
250-8BITMIME
  May 25 20:20:17 li postfix/smtp[17618]: < smtp.gmail.com[173.194.77.108]:587:
250-STARTTLS
  May 25 20:20:17 li postfix/smtp[17618]: < smtp.gmail.com[173.194.77.108]:587:
250 ENHANCEDSTATUSCODES
  May 25 20:20:17 li postfix/smtp[17618]: server features: 0x101b size 35882577
  May 25 20:20:17 li postfix/smtp[17618]: > smtp.gmail.com[173.194.77.108]:587:
STARTTLS
  May 25 20:20:17 li postfix/smtp[17618]: < smtp.gmail.com[173.194.77.108]:587:
220 2.0.0 Ready to start TLS
  May 25 20:20:17 li postfix/smtp[17618]: send attr request = lookup
  May 25 20:20:17 li postfix/smtp[17618]: send attr cache_type = smtp
  May 25 20:20:17 li postfix/smtp[17618]: send attr cache_id =
smtp:173.194.77.108:587:mx.google.com&p=1&c=ALL:+RC4:< at >STRENGTH
  May 25 20:20:17 li postfix/smtp[17618]: private/tlsmgr: wanted attribute: status
  May 25 20:20:17 li postfix/smtp[17618]: input attribute name: status
  May 25 20:20:17 li postfix/smtp[17618]: input attribute value: 4294967295
  May 25 20:20:17 li postfix/smtp[17618]: private/tlsmgr: wanted attribute: session
  May 25 20:20:17 li postfix/smtp[17618]: input attribute name: session
  May 25 20:20:17 li postfix/smtp[17618]: input attribute value: (end)
  May 25 20:20:17 li postfix/smtp[17618]: private/tlsmgr: wanted attribute:
(list terminator)
  May 25 20:20:17 li postfix/smtp[17618]: input attribute name: (end)
  May 25 20:20:17 li postfix/smtp[17618]: send attr request = seed
  May 25 20:20:17 li postfix/smtp[17618]: send attr size = 32
  May 25 20:20:17 li postfix/smtp[17618]: private/tlsmgr: wanted attribute: status
  May 25 20:20:17 li postfix/smtp[17618]: input attribute name: status
  May 25 20:20:17 li postfix/smtp[17618]: input attribute value: 0
  May 25 20:20:17 li postfix/smtp[17618]: private/tlsmgr: wanted attribute: seed
  May 25 20:20:17 li postfix/smtp[17618]: input attribute name: seed
  May 25 20:20:17 li postfix/smtp[17618]: input attribute value:
+KL9oSc4Fg2uos3Vm50k86FVj4pZHODixhyaXhn9AD0=
  May 25 20:20:17 li postfix/smtp[17618]: private/tlsmgr: wanted attribute:
(list terminator)
  May 25 20:20:17 li postfix/smtp[17618]: input attribute name: (end)
  May 25 20:20:17 li postfix/qmgr[14561]: warning: private/smtp socket:
malformed response
  May 25 20:20:17 li postfix/qmgr[14561]: warning: transport smtp failure -- see
a previous warning/fatal/panic logfile record for the problem description
  May 25 20:20:17 li postfix/master[14558]: warning: process
/usr/libexec/postfix/smtp pid 17618 killed by signal 11

messages:
  May 25 20:20:17 li kernel: smtp[17618]: segfault at 7fc182380ef0 ip
00007fc182380ef0 sp 00007fff333cb218 error 15

Any idea what might be going on here, or what I might do to investigate
further or even fix this?

Cheers
/dan

Rejecting based on message/partial

Alex — 2012-05-25T20:16:59

Hi,

I have a header check that I added some time ago that rejects mail
with message/partial content type because I believe it can't be
scanned for potential viruses unless it is first assembled:

/^(Content-(Disposition|Type)\:|[[:space:]]+).*message\/partial.*;?$/
REJECT This mail server does not permit messages with 'Content-type:
message/partial'.

Does this still present a significant threat these days, or is it okay
to permit partial messages?

If I were to permit it for a specific IP address or sender, would that
be done in a check_sender_access hash?

smtpd_recipient_restrictions =
        ...
        check_client_access hash:/etc/postfix/client_checks,
        check_sender_access hash:/etc/postfix/sender_checks,

/etc/postfix/sender_checks:
   63.87.XX.0/25                   OK

Thanks,
Alex

Subdomain users through my smtpd_sender_restrictions

Carlos R Laguna — 2012-05-25T19:08:25

Hello everyone i am facing a big mess here i had my MTA whith my own
user but this server is also a relay server for several subdomain the 
problem is that my own politic are been aplied to user that arent my, 
any clue why this is happening . Regards

Postfix and Dovecot missing delivery

Jan Meyland Andersen — 2012-05-25T20:06:42

Hi

I have a problem with the delivery of mails using dovecot as a transport.
According to the logfile mails seems to be delivered but nothing ends up in
the maildir.

my main.cf is the following.

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_tls_received_header = no
smtpd_tls_loglevel = 0
tls_random_source = dev:/dev/urandom
virtual_mailbox_maps = mysql:/etc/postfix/mysql/aliases.cf
virtual_alias_maps = mysql:/etc/postfix/mysql/remote_aliases.cf
virtual_uid_maps = mysql:/etc/postfix/mysql/vuids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql/vgids.cf
virtual_mailbox_base = /var/spool/postfix/virtual
virtual_mailbox_limit = 102400000
virtual_alias_domains =
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
myhostname = NoiceControl.mydomain
append_dot_mydomain = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.dk, localhost
relayhost = mail.telenor.dk
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128,192.1.1.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

My master.cf is the standard supplied in debian + this statement.
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender}
  -d ${user}< at >${nexthop} -a ${recipient}


The log file looks like this.
May 25 22:02:42 NoiceControl postfix/smtpd[19683]: connect from
localhost[127.0.0.1]
May 25 22:02:42 NoiceControl dovecot: auth(default): new auth connection:
pid=19683
May 25 22:02:44 NoiceControl postfix/smtpd[19683]: A16B74A0537:
client=localhost[127.0.0.1]
May 25 22:02:46 NoiceControl postfix/cleanup[19689]: A16B74A0537:
message-id=<20120525200244.A16B74A0537< at >NoiceControl.mydomain>
May 25 22:02:46 NoiceControl postfix/qmgr[19412]: A16B74A0537: from=<
root< at >mydomain.dk>, size=344, nrcpt=1 (queue active)
May 25 22:02:46 NoiceControl postfix/smtpd[19683]: disconnect from
localhost[127.0.0.1]
May 25 22:02:46 NoiceControl postfix/local[19691]: A16B74A0537: to=<
jma< at >mydomain.dk>, orig_to=<jma>, relay=local, delay=3.2,
delays=3.1/0.01/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
May 25 22:02:46 NoiceControl postfix/qmgr[19412]: A16B74A0537: removed


I don´t know if this is a postfix or dovecot error?

Kind Regards

Jan Andersen

Re: smtp sasl client strange behavior?

Wietse Venema — 2012-05-25T18:51:04

Matt Teagarden:

Show logs and "postconf -n" command output for TWO cases: one that
does work, and one that doesn't work as expected.

Wietse

smtp sasl client strange behavior?

Matt Teagarden — 2012-05-25T18:34:50

I am working on having a postfix server relay certain messages via 
another server instead of delivering normally.  My issue that I can't 
figure out is  trying to get postfix to authenticate with another mail 
server (no tls).  If the other server is listening on seemingly any 
other port than 25,   the auth works normally and the message goes 
thru.  When postfix trys to send to a relay host on port 25 though,  it 
never even tries to authenticate and relaying fails.    I am working 
with postfix 2.3.3 on centos 5.7 BTW.    (both machines in play here are 
vm's so I won't mask any of the config)

The server I am sending to (under my control) always replies to an ehlo 
the same way (no matter what port I tell it to listen on) with:

Escape character is '^]'.
220 test.test
ehlo sdfgsdfg
250-test.test
250-PIPELINING
250-SIZE 30240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


Postfix Config:  (the one that needs to relay to another machine)
root< at >test /etc/postfix # postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debug_peer_list = 10.10.10.5
html_directory = no
inet_interfaces = localhost
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = static:matt:bigbigger
smtp_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550


Am I missing something basic as to why postfix won't try to authenticate 
on the target server on port 25?  (it works awesome on ports 
26/27/28/587 so far)

Thanks!
-Matt T

Re: Cannot make "smtpd_sender_restrictions = check_sender_access" work properly‏

Noel Jones — 2012-05-25T18:05:53

Requested information for assistance is described in the list
welcome message and here:
http://www.postfix.org/DEBUG_README.html#mail



Is this how the actual user submits mail, or is this just for testing?


This mail was submitted via the sendmail(1) command.  Only mail
submitted via SMTP is subject to the smtpd_*_restrictions.

Maybe this is what you're looking for
http://www.postfix.org/postconf.5.html#authorized_submit_users


  -- Noel Jones

Re: Cannot make "smtpd_sender_restrictions = check_sender_access" work properly‏

Brian Evans - Postfix List — 2012-05-25T18:02:26

Please do not post or enable verbose logging unless asked.  It generally
masks the real issue.


This mail entered via the pickup service (aka via the sendmail(1) command).
smtpd_sender_restrictions will never apply to anything except mail
received through smtpd.

Brian

Re: postmaster required / close port 25

Reindl Harald — 2012-05-25T17:42:21


Am 25.05.2012 19:37, schrieb Charles Marcus:

and they are playing spammers in their hand

i am seeing here around 50000 spam-mails to non-existent
RCPT in valid domains - if there would be catch-all we
would have two problems

the second only in the worst case they pass the spam-firewall

* 200 OK to the spammer which feels sucess and earn money
* 1.5 Mio messages to store and backup each month

Re: postmaster required / close port 25

Charles Marcus — 2012-05-25T17:37:39

Please do NOT use catch-all addresses, as that breaks recipient 
validation... anyone who sends an email to one of your users and typos 
their address will not know it...

Catch-alls are *always* a very bad idea, except in very specific special 
use cases...

Re: postmaster required / close port 25

Georg Schönweger — 2012-05-25T17:22:47

Am 23.05.2012 20:00, schrieb /dev/rob0:

First of all thanks to all of you for your constructive input!
I changed now "myorigin" to our main domain which is hosted external. As
this domain has a catch all mail address every sender of my Postfix
server should be valid now (can receive mails).
Port 25 is closed now.

But the problem with rejected bounce mails still remains;
If i send a mail with sender mymail< at >domain.tld via my postfix server to
a non existing address a bounce mail will be generated.
mymail< at >domain.tld is hosted by a company. Sometimes they reject the
bounce mail. Full log;

May 25 18:57:07 susi2 postfix/cleanup[9312]: AAC41CACB54:
message-id=<4FBFB9EC.7040300< at >domain.tld>
May 25 18:57:07 susi2 postfix/qmgr[9014]: AAC41CACB54:
from=<mymail< at >domain.tld>, size=1526, nrcpt=1 (queue active)
May 25 18:57:07 susi2 postfix/smtp[9313]: AAC41CACB54:
to=<asdfdasf< at >dasfdasf.asd>, relay=none, delay=0.15, delays=0.15/0/0/0,
dsn=5.4.4, status=bounced (Host or domain name not found. Name service
error for name=dasfdasf.asd type=AAAA: Host not found)
May 25 18:57:07 susi2 postfix/cleanup[9312]: C67A9CACCAE:
message-id=<20120525165707.C67A9CACCAE< at >my-postfix-server>
May 25 18:57:07 susi2 postfix/bounce[9314]: AAC41CACB54: sender
non-delivery notification: C67A9CACCAE
May 25 18:57:07 susi2 postfix/qmgr[9014]: C67A9CACCAE: from=<>,
size=3549, nrcpt=1 (queue active)
May 25 18:57:07 susi2 postfix/qmgr[9014]: AAC41CACB54: removed
May 25 18:57:08 susi2 postfix/smtp[9313]: certificate verification
failed for mx.domain.tld[IP.OF.OUR.PROVIDER]:25: untrusted issuer
/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
May 25 18:57:08 susi2 postfix/smtp[9313]: C67A9CACCAE:
to=<mymail< at >domain.tld>, relay=mx.domain.tld[IP.OF.OUR.PROVIDER]:25,
delay=0.44, delays=0/0/0.38/0.05, dsn=5.1.0, status=bounced (host
mx.domain.tld[IP.OF.OUR.PROVIDER] said: 550 5.1.0 EGx71j00D08HtnS01Gx7D1
dominio non valido / invalid domain (in reply to MAIL FROM command))
May 25 18:57:08 susi2 postfix/qmgr[9014]: C67A9CACCAE: removed

Could this be a backscatter problem? I read a little bit about
backscatter, but i have no idea how tho check and fix this.

kind reagards,
Georg

Cannot make "smtpd_sender_restrictions = check_sender_access" work properly‏

JL Picard — 2012-05-25T17:13:21

I am trying to setup some simple username-based restrictions on what
local users can send on a local Solaris 10 server. In this case, I want
to allow emails by all other users, but reject any attempt for user
"local_usr" to send any email from this server. But so far, I can't
make the below configurations/commands work. This postfix server relays
to another close-by relayserver which forwards the msg to an external
server. If possible, I would prefer to reject on the local email server
before it hits the relay. If at all possible, I would also like an
error condition/status in the smtp client, but thats not a huge problem.

I
have provided as much diagnostic config and log data that I can
imagine, but I am more than happy to provide more, can anyone see what I
am missing?

Thanks-in-advance



###Here are some of the relevant main.cf settings that I think would apply:
root< at >myTestServer(/etc/opt/csw/postfix)% postconf | egrep "mynetworks|smtpd_sender_restrictions|relayhost ="
address_verify_relayhost = $relayhost
debug_peer_list = 127.0.0.1,myTestServer
mynetworks = 172.20.158.0/26, 172.20.204.0/24, 172.19.5.0/25, 172.19.21.0/24, 127.0.0.0/8
mynetworks_style = subnet
parent_domain_matches_subdomains
=
debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
postscreen_access_list = permit_mynetworks
proxy_read_maps
= $local_recipient_maps $mydestination $virtual_alias_maps
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
$relay_recipient_maps $relay_domains $canonical_maps
$sender_canonical_maps $recipient_canonical_maps $relocated_maps
$transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps
$smtp_generic_maps $lmtp_generic_maps
relayhost = [mail.myDomain.com]
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = check_sender_access hash:/etc/opt/csw/postfix/sender_access
root< at >myTestServer(/etc/opt/csw/postfix)%


##Here is what my sender_access file has in it
root< at >myTestServer(/etc/opt/csw/postfix)% more /etc/opt/csw/postfix/sender_access
local_usr< at > REJECT
local_usr< at >myDomain.com REJECT


#Here is the command I ran to get the HASHED sender_access file created:
postmap hash:sender_access

#Timestamps of files proves the postmap command did something:
-rw-r--r-- 1 root root 43 May 24 11:12 sender_access
-rw-r--r-- 1 root root 49152 May 24 11:12 sender_access.db


#Here is the local IP address of my server:
172.19.5.25


#Here are some modifications (in diff format) to master.cf to get more logging:
11c11
< smtp inet n - n - - smtpd
---
40c40
< smtp unix - - n - - smtp
---

#Here is the local SMTP Client command I ran to generate an email as the "local_usr" user:
local_usr< at >myTestServer(~)% echo "test" | mutt -s "reject test 17" -- externaluser< at >example.com



#SYSLOG file:
May 24 11:41:51 myTestServer postfix/postfix-script[10277]: [ID 197553 mail.info] starting the Postfix mail system
May
24 11:41:51 myTestServer postfix/master[10278]: [ID 197553 mail.info]
daemon started -- version 2.8.6, configuration /etc/opt/csw/postfix
May 24 11:41:59 myTestServer postfix/pickup[10279]: [ID 197553 mail.info] C41391CD00: uid=34001 from=
May
24 11:41:59 myTestServer postfix/cleanup[10410]: [ID 197553 mail.info]
C41391CD00:
message-id=<20120524154159.GA10397< at >myTestServer.myDomain.com>
May
24 11:41:59 myTestServer postfix/qmgr[10280]: [ID 197553 mail.info]
C41391CD00: from=, size=490, nrcpt=1
(queue active)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] name_mask: ipv4
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] inet_addr_local: configured 2 IPv4 addresses
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] process generation: 5 (5)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] match_string: debug_peer_list ~? debug_peer_list
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] match_string: fast_flush_domains ~? debug_peer_list
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] match_string: fast_flush_domains ~? fast_flush_domains
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] name_mask: canonical
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] name_mask: virtual
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] name_mask: dns
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] name_mask: native
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] host name lookup methods: dns native
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
auto_clnt_create: transport=local endpoint=private/scache
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] connection established
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] master_notify: status 0
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] deliver_request_initial: send initial status
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] send attr status = 0
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: flags
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: flags
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: 3
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: queue_name
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: queue_name
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: active
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: queue_id
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: queue_id
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: C41391CD00
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: offset
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: offset
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: 241
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: size
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: size
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: 490
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: nexthop
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: nexthop
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: [mail.myDomain.com]
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: encoding
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: encoding
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: sender
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: sender
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: local_usr< at >myDomain.com
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: envelope_id
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: envelope_id
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: ret_flags
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: ret_flags
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: 0
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: time
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: time
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
input attribute value:
T75WxwALvedPvlbHAAy+AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: log_client_name
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: log_client_name
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: log_client_address
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: log_client_address
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: log_client_port
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: log_client_port
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: log_protocol_name
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: log_protocol_name
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: log_helo_name
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: log_helo_name
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: sasl_method
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: sasl_method
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: sasl_username
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: sasl_username
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: sasl_sender
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: sasl_sender
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: log_ident
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: log_ident
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: rewrite_context
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: rewrite_context
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: local
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: recipient_count
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: recipient_count
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: 1
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: (list terminator)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: original_recipient
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: original_recipient
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: externaluser< at >example.com
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: recipient
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: recipient
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: externaluser< at >example.com
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: offset
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: offset
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: 222
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: dsn_orig_rcpt
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: dsn_orig_rcpt
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: notify_flags
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: notify_flags
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute value: 0
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp socket: wanted attribute: (list terminator)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] input attribute name: (end)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] deliver_request_get: file active/C41391CD00
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] deliver_message: from local_usr< at >myDomain.com
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp_parse_destination: [mail.myDomain.com] smtp
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] connecting to mail.myDomain.com port 25
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp_addr_one: host mail.myDomain.com
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] lookup mail.myDomain.com type A flags 0
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] dns_query: mail.myDomain.com (A): OK
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] dns_get_answer: type A for mail.myDomain.com
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] smtp_find_self: not found
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] begin mail.myDomain.com address list
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] pref 0 host mail.myDomain.com/172.19.21.5
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] end mail.myDomain.com address list
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
smtp_connect_addr: trying: mail.myDomain.com[172.19.21.5] port 25...
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] vstream_tweak_tcp: TCP_MAXSEG 1380
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] global TLS level: none
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] match_hostname: mail.myDomain.com ~? 127.0.0.1
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] match_hostaddr: 172.19.21.5 ~? 127.0.0.1
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] match_hostname: mail.myDomain.com ~? myTestServer
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] match_hostaddr: 172.19.21.5 ~? myTestServer
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] match_list_match: mail.myDomain.com: no match
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] match_list_match: 172.19.21.5: no match
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
< mail.myDomain.com[172.19.21.5]:25: 220
************************************
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] name_mask: disable_esmtp
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] name_mask: delay_dotcrlf
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
C41391CD00: enabling PIX workarounds: disable_esmtp delay_dotcrlf for
mail.myDomain.com[172.19.21.5]:25
May 24 11:41:59 myTestServer
postfix/smtp[10413]: [ID 197553 mail.info]>
mail.myDomain.com[172.19.21.5]:25: HELO myTestServer.myDomain.com
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
< mail.myDomain.com[172.19.21.5]:25: 250 mail.myDomain.com
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] server features: 0x31000 size 0
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
FROM:
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] < mail.myDomain.com[172.19.21.5]:25: 250 2.1.0 Ok
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
TO:
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] < mail.myDomain.com[172.19.21.5]:25: 250 2.1.5 Ok
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]> mail.myDomain.com[172.19.21.5]:25: DATA
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
< mail.myDomain.com[172.19.21.5]:25: 354 End data with
.
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] header_token: text / plain
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]> mail.myDomain.com[172.19.21.5]:25: .
May
24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]
< mail.myDomain.com[172.19.21.5]:25: 250 2.0.0 Ok: queued as
F1B043A66E
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID
197553 mail.info] C41391CD00: to=,
relay=mail.myDomain.com[172.19.21.5]:25, delay=0.22,
delays=0.07/0.03/0.08/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as F1B043A66E)
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info]> mail.myDomain.com[172.19.21.5]:25: QUIT
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] name_mask: resource
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] name_mask: software
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] deliver_request_final: send: "" 0
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] send attr status =
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] send attr diag_type =
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] send attr diag_text =
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] send attr mta_type =
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] send attr mta_mname =
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] send attr action =
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] send attr reason =
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] send attr status = 0
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] master_notify: status 1
May 24 11:41:59 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] connection closed
May 24 11:41:59 myTestServer postfix/qmgr[10280]: [ID 197553 mail.info] C41391CD00: removed
May 24 11:43:39 myTestServer postfix/smtp[10413]: [ID 197553 mail.info] idle timeout -- exiting

Re: postscreen dnsbl reply text

DTNX Postmaster — 2012-05-25T10:31:02


Also, I would not bother optimizing something that isn't going to make 
a measurable difference in a meaningful metric.

Spamhaus is so close to universal that if someone does get listed, they 
will be seeing rejections across the board. Will they actually read the 
extensive explanation, and save you time?

In our experience, the overwhelming majority of users does not read the 
actual error message. Or only the first part. If it's even visible to 
them, and not buried in a custom bounce message generated by their 
local MTA, trying to be helpful.

Exchange does this, for example, and Mimecast will suggest that the 
'Recipient email address is possibly incorrect' if you reject after 
RCPT with a '550 5.7.1'. And that's not counting the ones that will cut 
off the response after a certain number of characters.

We haven't seen complaints with regard to Spamhaus in years. And the 
complaints we do get (DNS/SPF errors, for example) tend to arrive via 
the client, who got a message from the original sender's Gmail/Hotmail 
account. Even if the error message specifically requests that they 
contact 'abuse' at 'dtnx.net'.

Beware of premature optimization. I hear it's the root of all evil.

Cya,
Jona

Re: postscreen dnsbl reply text

Wietse Venema — 2012-05-25T00:25:22

Dan Lists:

I second Rob's comments: the purpose of postscreen is to block
spambots. Don't use it to block mail from sites that (also) send
non-spam mail, and don't use it on a submission server.

Other than the postscreen_reject_footer feature, there is no option
to customize responses. This is likely to stay that way, given that
postscreen is not meant to block mail from sources that (also) send
legitimate email.

Wieste

Re: postscreen dnsbl reply text

/dev/rob0 — 2012-05-24T21:20:26

Hmmm. In general you would not be getting calls from spammers about 
the mail you rejected in postscreen. It's going to be mostly zombie 
spew, so not even the spammer can see the rejection.

You should not use postscreen for your own users' submission. If 
you're unable to get them off of port 25, use a different IP address 
for submission and MX mail. Only use postscreen on the MX.


That's correct.


When smtpd(8) uses reject_rbl_client to reject mail, it checks for 
TXT records in the DNSBL, and that is incorporated into the reply: 
$rbl_reason in default_rbl_reply or rbl_reply_maps. Postscreen is 
less verbose about it: all it will say is the name of the zone.

My own postscreen_dnsbl_reply_map reflects my fairly conservative 
postscreen config. I reject outright only on Zen. Any other DNSBL, 
even the ones like BRBL that I use later as reject_rbl_client, 
requires another DNSBL to reject. So here's mine (a pcre map):

!/^zen\.spamhaus\.org$/multiple DNS-based blocklists

Perhaps your workaround is to put up a web page and use it as 
$(postscreen|smtpd)_reject_footer, and to hope that people will read 
it?

postscreen dnsbl reply text

Dan Lists — 2012-05-24T20:43:21

I am looking to switch one or more of my blacklists to run from
postscreen.   I send custom replies based on the blacklist, which
reduces the number of calls I get.  The relevant part of my current
configs:

smtpd_client_restrictions =
        reject_rbl_client zen.local,
        reject_rbl_client b.barracudacentral.org

rbl_reply_maps = hash:$config_directory/rbl_reply_maps

$config_directory/rbl_reply_maps:
# Spamhaus rbls (all in one)
zen.local $rbl_code Service unavailable; $rbl_class [$rbl_what]
blocked because it has been blacklisted. : To be removed from this
blacklist please visit: http://www.spamhaus.org/query/bl?ip=$rbl_what

# Barracuda Central Reputation System
b.barracudacentral.org $rbl_code Service unavailable; $rbl_class
[$rbl_what] blocked because it has been blacklisted. : To be removed
from this blacklist please visit:
http://www.barracudacentral.org/rbl/removal-request/$rbl_what

I do not see any way to set the response text when using postscreen.
I see postscreen_dnsbl_reply_map, but it looks like that just changes
the domain (ie zen.local to zen.spamhaus.org) not the reply text.   Is
there any way to set the postscreen DNSBL reply message?

Thanks,

Dan

Re: deliver locally and relay at the same time?

/dev/rob0 — 2012-05-24T18:03:49

The example you showed would redirect me< at >local.domain mail ONLY to 
me< at >external.domain.


Have you looked yet at the manual for aliases(5)?

"
DESCRIPTION
       The  aliases(5)  table provides a system-wide mechanism to
       redirect mail for local recipients. The  redirections  are
       processed by the Postfix local(8) delivery agent.
       [ ... ]

       The format of the alias database input file is as follows:

       o      An alias definition has the form

                   name: value1, value2, ...
"

You would want:

me: me< at >external.domain, me< at >local.domain

See also about .forward files in the aliases(5) manual. With a 
.forward file a non-root user can control this forwarding.

Beware the consequences of forwarding spam in this manner. The 
external site might block it and consider you a spammer.

deliver locally and relay at the same time?

lejeczek — 2012-05-24T12:13:24

hallo everybody

I begin my adventure with postfix/dovecot and have most bits 
ready an up but was wondering if below is possible with postfix?

have local users aliased to external addresses(different domain)
and postfix to deliver locally and at the same time relay to 
external user a copy of the email
e.g.

in my local aliases:
me: me< at >external.domain

me is a local user and me< at >external.domain is hosted on some 
external system.

so when I internally send to me< at >local.domain both accounts 
would get the same email.

is it even possible, can you shed some light?
I'd appreciate
thanks!

Re: force tls but allow amavis

jeffrey j donovan — 2012-05-24T11:59:48

On May 23, 2012, at 11:06 PM, /dev/rob0 wrote:


whoa, worked like a charm. thanks.
-j

Re: force tls but allow amavis

/dev/rob0 — 2012-05-24T03:06:25


Add " -o smtpd_tls_security_level=none" to the reinjection (after 
filter) smtpd command in master.cf.