postfix-users

#256285 From: Martina Tomisova <martina.tomisova@...>
Date: Sun Aug 2, 2009 1:21 pm
Subject: Log analysis
 
Hi,

I can't find the format of Postfix logs. First I need to know what 'nrcpt' means exactly.

And the second thing I need to know is how the session ID works (I only suppose that it is something like a session ID). Let's have a look at the example:

Jul 24 02:07:28 server-name postfix/local[8669]: 555AC6A60AF: to=<recipient@...>, relay=local, delay=0.13, delays=0.12/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")

What does the 555AC6A60AF mean? First I thought that it is original number for each connection but it is not original - it repeats after hours...

Thank you for any help,
Martina

#256286 From: Sahil Tandon <sahil@...>
Date: Sun Aug 2, 2009 1:28 pm
Subject: Re: Log analysis
 
On Sun, 02 Aug 2009, Martina Tomisova wrote:

> I can't find the format of Postfix logs. First I need to know what does
> 'nrcpt' mean exactly.

Original number of recipients for a given message.

> Jul 24 02:07:28 server-name postfix/local[8669]: 555AC6A60AF: to=<
> recipient@...>, relay=local, delay=0.13, delays=0.12/0/0/0.01,
> dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
>
> What does the 555AC6A60AF mean? First I thought that it is original number
> for each connection but it is not original - it repeats after hours...

That is the queue ID, which can be reused/repeated; but no two queue entries
will *simultaneously* have the same queue ID.

--
Sahil Tandon <sahil@...>

#256287 From: Martina Tomisova <martina.tomisova@...>
Date: Sun Aug 2, 2009 1:44 pm
Subject: Re: Log analysis
 
> Original number of recipients for a given message.

So this single message will be sent to the given number of recipients, right? Well, but there is no list of them in the log. My problem is that there are, for example, 390 recipients. This line has some queue ID, sender and nrcpt. And there are only, for example, 3 lines following with the same queue ID containing 3 recipients. Where are the others? It doesn't make sense...

In other words:
There is a line like that one:
> Jul 23 07:26:23 server postfix/qmgr[2580]: AEE706A60B5: from=<sender@...>, size=1707076, nrcpt=390 (queue active)
Then there are three lines containing the queue ID AEE706A60B5 like this one:
> Jul 23 07:26:26 server postfix/smtp[30943]: AEE706A60B5: to=<reciever@...>, relay=none, delay=148458, delays=148455/0.02/3/0, dsn=4.4.1, status=deferred (connect to       another.org[1.2.3.4]:25: No route to host)
And that's all. This queue ID is then used after more than one hour and it starts with a line containing from=.... Where is the rest of the recipients? Is it just not listed or are there only 3 recipients? That's why I'm confused whether the nrcpt really means the number of recipients for this single message.
Why I do this analysis is that I need to know whether this guy sends a spam or not... And I have to be sure about my conclusion. :)

Thank you,
M.


#256288 From: aio shin <aioshin@...>
Date: Sun Aug 2, 2009 2:35 pm
Subject: sender restriction - help
 
hi list,

I need help on this scenario that I want to accomplish.
  ex: I have the ff:
user1@...
user2@...
my mail server is : 192.168.1.254

-I have other network which is 192.168.10.0/24 which I included at mynetwork.

-I need that user1@... can send only from IP 192.168.10.21
using my mailserver, other than that, user1 should be denied relaying.

-user2 should be able to send from  192.168.10.0/24 by relaying to my
mail server (192.168.1.254)

any idea how to accomplish?

currently I'm searching postfix docs related to sender restriction but
no success yet.

#256289 From: mouss <mouss@...>
Date: Sun Aug 2, 2009 3:07 pm
Subject: Re: sender restriction - help
 
aio shin wrote:
> hi list,
>
> I need help on this scenario that I want to accomplish.
>  ex: I have the ff:
> user1@...
> user2@...
> my mail server is : 192.168.1.254
>
> -I have other network which is 192.168.10.0/24 which I included at mynetwork.
>
> -I need that user1@... can send only from IP 192.168.10.21
> using my mailserver, other than that, user1 should be denied relaying.
>

This is an unusual requirement. What problem are you trying to solve?
Why do you care about the IP? Better use SASL...

Anyway, you can achieve this using restriction classes
	 http://www.postfix.org/RESTRICTION_CLASS_README.html

smtpd_restriction_classes =
	 ...
	 only_from_192_168_10_21

smtpd_sender_restrictions =
	 check_sender_access hash:/etc/postfix/access123

only_from_192_168_10_21 =
	 check_client_access cidr:/etc/postfix/192.168.10.21.cidr

=== 192.168.10.21.cidr
192.168.10.21 DUNNO
0.0.0.0/0 REJECT blah blah

== access123
user1@... only_from_192_168_10_21


but this does not scale. if you want to scale, you need a policy service


> -user2 should be able to send from  192.168.10.0/24 by relaying to my
> mail server (192.168.1.254)
>

By default, all users sending from mynetworks are allowed relay. so you
don't need to do anything.

if sending from outside, then do not rely on the sender for relay
authorization. The sender address is easily forged.

> any idea how to accomplish?
>
> currently Im searching postfix docs related to sender restriction but
> no success yet.

#256290 From: mouss <mouss@...>
Date: Sun Aug 2, 2009 3:19 pm
Subject: Re: Log analysis
 
Martina Tomisova wrote:
>
> So this single message will be send to the given number of recipients,
> right?. Well but there is no list of them in the log.

each recipient will be in its own log line when the message is delivered.

> My problem is that
> there is for example 390 recipients. This line has some queue ID, sender
> and nrcpt. And there are only for example 3 lines following with the
> same queue ID containing 3 recipients. Where are the others? It doesn't
> make sense...
>

grep for the QUEUEID will show you other log lines. some of these will
include the Message-Id. The Message-Id can also be used to find other
related log lines.

> In other words:
> There is a line like that one:
>> Jul 23 07:26:23 server postfix/qmgr[2580]: AEE706A60B5:
> from=<sender@... <mailto:sender@...>>, size=1707076,
> nrcpt=390 (queue active)
> Then there three lines containing the queue ID AEE706A60B5 like this one:
>> Jul 23 07:26:26 server postfix/smtp[30943]: AEE706A60B5:
> to=<reciever@... <mailto:reciever@...>>, relay=none,
> delay=148458, delays=148455/0.02/3/0, dsn=4.4.1, status=deferred
> (connect to       another.org <http://another.org>[1.2.3.4]:25: No route
> to host)

The message is in the queue. use postcat -q to see its content
(including the list of recipients). I'll leave it to you to make sure
that there are no PRIVACY issues.

PS. When posting from gmail, please hit the TEXT button. Otherwise, your
logs are hard to read (see the "<mailto:..." thing above?)

> And that's all. This queue ID is then used after more then one hour and
> it starts by line containing from=.... Where is the rest of recipients?
> Is it just not listed or there are only 3 recipients? That's why I'm
> confused whether the nrcpt realy means the number of recipients for this
> single message.
> Why I do this analysis is that I need to know whether this guy sends a
> spam or not... And I have to be sure about my conclusion. :)
>
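
Added example, not part of the thread: a Python sketch of the correlation discussed in the "Log analysis" messages. It groups log lines by queue ID, starts a new message instance when a queue ID reappears after its "removed" line, and compares nrcpt with the recipients actually logged. The sample lines and the addresses in them are constructed, and the helper names are hypothetical.

```python
import re

# Syslog prefix, Postfix daemon, queue ID. Short queue IDs, as in the thread,
# are upper-case hex, so "NOQUEUE" reject lines deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/(?P<daemon>[\w-]+)\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]{6,}):\s(?P<rest>.*)$"
)
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
TO_RE = re.compile(r"^to=<(?P<rcpt>[^>]*)>,.*?\bstatus=(?P<status>\w+)")


def correlate(lines):
    """Group log lines into message instances, one per lifetime of a queue ID."""
    open_msgs = {}   # queue ID -> instance that is still in the queue
    instances = []   # every instance, in order of first appearance
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        msg = open_msgs.get(qid)
        if msg is None:
            msg = {"qid": qid, "first_seen": m["ts"], "sender": None,
                   "nrcpt": None, "active_passes": 0, "recipients": {},
                   "removed": False}
            open_msgs[qid] = msg
            instances.append(msg)
        if rest == "removed":
            # The message left the queue; the ID may be handed out again later.
            msg["removed"] = True
            del open_msgs[qid]
            continue
        f = FROM_RE.match(rest)
        if f:
            # qmgr logs this line every time the message enters the active
            # queue, so a deferred message shows it once per delivery attempt.
            msg["sender"] = f["sender"]
            msg["nrcpt"] = int(f["nrcpt"])
            msg["active_passes"] += 1
            continue
        t = TO_RE.match(rest)
        if t:
            msg["recipients"][t["rcpt"]] = t["status"]   # keep the latest status
    return instances


def unlogged_recipients(msg):
    """Recipients counted in nrcpt that have no to= line in the parsed window."""
    if msg["nrcpt"] is None:
        return None
    return msg["nrcpt"] - len(msg["recipients"])


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jul 23 07:26:23 mx postfix/qmgr[2580]: AEE706A60B5: from=<sender@example.com>, size=1707076, nrcpt=5 (queue active)
Jul 23 07:26:26 mx postfix/smtp[30943]: AEE706A60B5: to=<a@example.net>, relay=none, delay=148458, delays=148455/0.02/3/0, dsn=4.4.1, status=deferred (connect to mail.example.net[192.0.2.4]:25: No route to host)
Jul 23 07:26:26 mx postfix/smtp[30944]: AEE706A60B5: to=<b@example.net>, relay=none, delay=148458, delays=148455/0.02/3/0, dsn=4.4.1, status=deferred (connect to mail.example.net[192.0.2.4]:25: No route to host)
Jul 23 07:26:27 mx postfix/smtp[30945]: AEE706A60B5: to=<c@example.net>, relay=none, delay=148459, delays=148455/0.02/4/0, dsn=4.4.1, status=deferred (connect to mail.example.net[192.0.2.4]:25: No route to host)
Jul 23 08:00:01 mx postfix/smtpd[29483]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 Service unavailable
Jul 23 08:10:02 mx postfix/qmgr[2580]: 555AC6A60AF: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Jul 23 08:10:02 mx postfix/local[8669]: 555AC6A60AF: to=<bob@example.com>, relay=local, delay=0.13, delays=0.12/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Jul 23 08:10:02 mx postfix/qmgr[2580]: 555AC6A60AF: removed
Jul 23 08:36:23 mx postfix/qmgr[2580]: AEE706A60B5: from=<sender@example.com>, size=1707076, nrcpt=5 (queue active)
Jul 23 08:36:26 mx postfix/smtp[31001]: AEE706A60B5: to=<a@example.net>, relay=none, delay=152658, delays=152655/0.02/3/0, dsn=4.4.1, status=deferred (connect to mail.example.net[192.0.2.4]:25: No route to host)
Jul 23 11:42:10 mx postfix/qmgr[2580]: 555AC6A60AF: from=<carol@example.com>, size=1200, nrcpt=1 (queue active)
Jul 23 11:42:10 mx postfix/local[8702]: 555AC6A60AF: to=<dave@example.com>, relay=local, delay=0.2, delays=0.19/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Jul 23 11:42:10 mx postfix/qmgr[2580]: 555AC6A60AF: removed
""".splitlines()

if __name__ == "__main__":
    for msg in correlate(SAMPLE_LOG):
        print(msg["qid"], msg["first_seen"], msg["sender"],
              "nrcpt=%s" % msg["nrcpt"], "logged=%d" % len(msg["recipients"]),
              "passes=%d" % msg["active_passes"],
              "removed" if msg["removed"] else "still queued")
```

A positive unlogged_recipients() value only says that the remaining recipients have no to= line in the lines that were parsed; earlier delivery attempts may sit in older, rotated log files.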

#256291 From: Jon <jon_k@...>
Date: Sun Aug 2, 2009 9:04 pm
Subject: Re: Spam Prevention
 
Clunk Werclick wrote:
>
> ************************
>       PRE DNSBL      321
> ........................
>          NO PTR      201
>        SPOOFING      120
>  RELAY ATTEMPTS        0
>   BLOCKED OTHER        0
>     WHITELISTED        4
> ************************
>   BLOCKED DNSBL      287
> ........................
>

What tools are you using to generate your counts and get your output
presented this way?

#256292 From: "Edwin Minneboo" <edwin@...>
Date: Sun Aug 2, 2009 9:47 pm
Subject: Mobile mail blocked with spamhaus
 
Hi all,

I'm very new to postfix but was able to have a small working postfix
configuration on my Conceptronic NAS with a Debian etch OS.

In main.cf I have:

smtpd_client_restrictions =
permit_mynetworks,
reject_rbl_client zen.spamhaus.org=127.0.0.10,
reject_rbl_client zen.spamhaus.org=127.0.0.11,
reject_rbl_client zen.spamhaus.org

Now everything is working just fine but when I want to send mail through
my mobile connection it is blocked by ZEN:
Log shows:
Aug  2 23:20:19 mail postfix/smtpd[29483]: NOQUEUE: reject: RCPT from
unknown[62.140.137.157]: 554 5.7.1 Service unavailable; Client host
[62.140.137.157] blocked using zen.spamhaus.org=127.0.0.11;

IP Address Lookup (http://www.spamhaus.org/query/bl?ip=62.140.137.157)
62.140.137.157 is listed in the SBL, in the following records:* SBL74101
62.140.137.157 is listed in the PBL, in the following records:* PBL266985
62.140.137.157 is listed in the XBL, because it appears in:* CBL

I know it is blocked for a very good reason but now I (and other users)
can't send mail with the mobile phone.

Can I:
smtpd_client_restrictions =
permit_mynetworks,
permit_62.140.137.157
reject_rbl_client zen.spamhaus.org=127.0.0.10,
reject_rbl_client zen.spamhaus.org=127.0.0.11,
reject_rbl_client zen.spamhaus.org

or something like that in my main.cf ? And how should I put it there to
work or is it indeed unwise to permit it and  should I walk other ways to
make it work ...

Thanks for your time and answer,
Edwin Minneboo

#256293 From: johnea <me@...>
Date: Sun Aug 2, 2009 9:59 pm
Subject: Re: Mobile mail blocked with spamhaus
 
Edwin Minneboo wrote:
  > Hi all,
  >
  > I'm very new to postfix but was able to have a small working postfix
  > configuration on my Conceptronic NAS with a Debian etch OS.
  >
  > In main.cf I have:
  >
  > smtpd_client_restrictions =
  > permit_mynetworks,
  > reject_rbl_client zen.spamhaus.org=127.0.0.10,
  > reject_rbl_client zen.spamhaus.org=127.0.0.11,
  > reject_rbl_client zen.spamhaus.org
  >

I'm no aged guru either, but I've been administering postfix for about
5 years.

I think your best bet is to use SASL authentication and add
permit_sasl_authenticated to your restrictions:

smtpd_client_restrictions =
	 permit_mynetworks,
	 permit_sasl_authenticated,
	 reject_rbl_client zen.spamhaus.org=127.0.0.10,
	 reject_rbl_client zen.spamhaus.org=127.0.0.11,
	 reject_rbl_client zen.spamhaus.org

Then you have to set up some form of SASL, see:

http://www.postfix.org/SASL_README.html

I struggled to get SASL working at first. I use cyrus IMAP
and the authdaemon that comes with that package for IMAP
authentication.

Now SASL supports using this same authdaemon for SMTP
authentication. The config here:

== /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path:/var/run/authdaemond/socket

The authentication sets you up for mobile sending.

Hope this helps...

johnea

#256294 From: "Edwin Minneboo" <edwin@...>
Date: Sun Aug 2, 2009 10:13 pm
Subject: (solved) Re: Mobile mail blocked with spamhaus
 
> Edwin Minneboo wrote:
>  > Hi all,
>  >
>  > I'm very new to postfix but was able to have a small working postfix
>  > configuration on my Conceptronic NAS with a Debian etch OS.
>  >
>  > In main.cf I have:
>  >
>  > smtpd_client_restrictions =
>  > permit_mynetworks,
>  > reject_rbl_client zen.spamhaus.org=127.0.0.10,
>  > reject_rbl_client zen.spamhaus.org=127.0.0.11,
>  > reject_rbl_client zen.spamhaus.org
>  >
>
> I'm no aged guru either, but I've been administering postfix for about
> 5 years.
>
> I think your best bet is to use SASL authentication and add
> permit_sasl_authenticated to your restrictions:
>
<snip>

> The authentication sets you up for mobile sending.
>
> Hope this helps...
>
> johnea
>
>

Thank you!
It is working now,
I have a working sasl and I have it in the smtpd_recipient_restrictions.
My thought was that was the right place to put it. But now it works.

Thanks a lot, Edwin

#256295 From: "/dev/rob0" <rob0@...>
Date: Sun Aug 2, 2009 10:25 pm
Subject: Re: (solved) Re: Mobile mail blocked with spamhaus
 
On Sunday 02 August 2009 17:13:42 Edwin Minneboo wrote:
> >  > In main.cf I have:
> >  >
> >  > smtpd_client_restrictions =
> >  > permit_mynetworks,
> >  > reject_rbl_client zen.spamhaus.org=127.0.0.10,
> >  > reject_rbl_client zen.spamhaus.org=127.0.0.11,
> >  > reject_rbl_client zen.spamhaus.org

Note, this did not show any leading whitespace as is required for
continuation of lines. This is one of several reasons why "postconf -n"
output is preferred over main.cf contents.

> It is working now, I have a working sasl and I have it in the
> smtpd_recipient_restrictions. My thought was that was the right
> place to put it. But now it works.

Your thought was correct, but not complete. If you use multiple
restriction stages for smtpd(8), each of those stages must resolve to
a permit or "DUNNO" result. Any reject or defer result in any stage
means that mail is not accepted. For details, see:
	 http://www.postfix.org/SMTPD_ACCESS_README.html
	 http://www.postfix.org/access.5.html
--
     Offlist mail to this address is discarded unless
     "/dev/rob0" or "not-spam" is in Subject: header

#256296 From: "Edwin Minneboo" <edwin@...>
Date: Sun Aug 2, 2009 10:50 pm
Subject: Re: (solved) Re: Mobile mail blocked with spamhaus
 
> On Sunday 02 August 2009 17:13:42 Edwin Minneboo wrote:
>> >  > In main.cf I have:
>> >  >
>> >  > smtpd_client_restrictions =
>> >  > permit_mynetworks,
>> >  > reject_rbl_client zen.spamhaus.org=127.0.0.10,
>> >  > reject_rbl_client zen.spamhaus.org=127.0.0.11,
>> >  > reject_rbl_client zen.spamhaus.org
>
> Note, this did not show any leading whitespace as is required for
> continuation of lines. This is one of several reasons why "postconf -n"
> output is preferred over main.cf contents.
>
>> It is working now, I have a working sasl and I have it in the
>> smtpd_recipient_restrictions. My thought was that was the right
>> place to put it. But now it works.
>
> Your thought was correct, but not complete. If you use multiple
> restriction stages for smtpd(8), each of those stages must resolve to
> a permit or "DUNNO" result. Any reject or defer result in any stage
> means that mail is not accepted. For details, see:
>  http://www.postfix.org/SMTPD_ACCESS_README.html
>  http://www.postfix.org/access.5.html
> --
>     Offlist mail to this address is discarded unless
>     "/dev/rob0" or "not-spam" is in Subject: header
>
>

Thanks for your answer, I will read the documentation and add my postconf
-n from now on.
I do understand now why it did not work before

Edwin
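
Added example, not part of the thread: a simplified Python model of the rule /dev/rob0 describes, showing why permit_sasl_authenticated in smtpd_recipient_restrictions alone does not help while smtpd_client_restrictions still rejects the DNSBL-listed mobile address. The restriction names are Postfix's; the session fields, the evaluate() helper and the contents of smtpd_recipient_restrictions are assumptions made for the illustration, and DEFER results and later stages are left out.

```python
# Simplified model of smtpd(8) access evaluation, for illustration only.
# Stages run in this order; a stage that is not configured permits by default.
STAGES = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
)

# Each restriction maps a session (a hypothetical dict of facts about the SMTP
# client) to PERMIT, REJECT or DUNNO ("no opinion, try the next restriction").
RESTRICTIONS = {
    "permit_mynetworks":
        lambda s: "PERMIT" if s["in_mynetworks"] else "DUNNO",
    "permit_sasl_authenticated":
        lambda s: "PERMIT" if s["sasl_authenticated"] else "DUNNO",
    "reject_rbl_client":
        lambda s: "REJECT" if s["listed_on_dnsbl"] else "DUNNO",
    "reject_unauth_destination":
        lambda s: "DUNNO" if s["rcpt_is_ours"] else "REJECT",
}


def evaluate(config, session):
    """Return (verdict, stage, restriction) for one RCPT TO."""
    for stage in STAGES:
        for entry in config.get(stage, []):
            name = entry.split()[0]        # drop arguments such as the DNSBL name
            result = RESTRICTIONS[name](session)
            if result == "REJECT":
                return "REJECT", stage, entry   # a reject in any stage is final
            if result == "PERMIT":
                break                      # ends this stage only; later stages still run
    return "ACCEPT", None, None


# Assumed recipient stage; the thread does not show Edwin's actual list.
RECIPIENT_STAGE = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
]

# SASL permitted only in the recipient stage: the client stage still rejects.
SASL_IN_RECIPIENT_STAGE_ONLY = {
    "smtpd_client_restrictions": [
        "permit_mynetworks",
        "reject_rbl_client zen.spamhaus.org",
    ],
    "smtpd_recipient_restrictions": RECIPIENT_STAGE,
}

# johnea's suggestion: permit authenticated clients before the DNSBL lookup.
SASL_IN_BOTH_STAGES = {
    "smtpd_client_restrictions": [
        "permit_mynetworks",
        "permit_sasl_authenticated",
        "reject_rbl_client zen.spamhaus.org",
    ],
    "smtpd_recipient_restrictions": RECIPIENT_STAGE,
}

# Constructed sessions: a mobile client on a DNSBL-listed address sending to an
# outside recipient, with and without SASL authentication.
MOBILE_AUTHENTICATED = {"in_mynetworks": False, "sasl_authenticated": True,
                        "listed_on_dnsbl": True, "rcpt_is_ours": False}
MOBILE_ANONYMOUS = dict(MOBILE_AUTHENTICATED, sasl_authenticated=False)

if __name__ == "__main__":
    for label, cfg in (("recipient stage only", SASL_IN_RECIPIENT_STAGE_ONLY),
                       ("both stages", SASL_IN_BOTH_STAGES)):
        print(label, "authenticated:", evaluate(cfg, MOBILE_AUTHENTICATED))
        print(label, "anonymous:    ", evaluate(cfg, MOBILE_ANONYMOUS))
```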

#256297 From: Charles Sprickman <spork@...>
Date: Mon Aug 3, 2009 4:21 am
Subject: Re: Spam Prevention
 
On Sun, 2 Aug 2009, Willy De la Court wrote:

> On Sun, 02 Aug 2009 11:24:17 +0100, Clunk Werclick
> <clunk.werclick@...> wrote:
[snip]
>>         reject_rbl_client no-more-funn.moensted.dk
>>         reject_rbl_client bl.spamcop.net
>>         reject_rbl_client dnsbl-1.uceprotect.net
>>         reject_rbl_client dnsbl-2.uceprotect.net
>>         reject_rbl_client dnsbl-3.uceprotect.net
>>         reject_rbl_client dnsbl.sorbs.net
>>         reject_rbl_client bl.spamcannibal.org
>>         reject_rbl_client spam.dnsbl.sorbs.net
>>         reject_rbl_client zen.spamhaus.org
>>         reject_rbl_client b.barracudacentral.org
>>         permit
> [SNIP]
>
> wow a lot of rbls. I used to use some of these but got a lot of complaints
> so i'm sticking with just spamcop and spamhaus.

I'm still figuring things out, and have not really gone very deep into
spam prevention at this point.  My question about the rbl rejects at the
smtp level is whether it's possible to only apply this to certain
domains/accounts without resorting to using a policy daemon.  I'm guessing
no, but that may just be my old qmail pessimism. :)

Thanks,

Charles

>> ...
>> Have much fun and remember some spam is nice. Especially in a baguette
>> with some 'daddies' sauce
>
> Yep very nice.
>
> --
> Simple things make people happy.
> Willy De la Court
> PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
> PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689
> GMail <wdl1908@...>
>

#256298 From: mouss <mouss@...>
Date: Mon Aug 3, 2009 5:43 am
Subject: Re: Spam Prevention
 
Charles Sprickman wrote:
> On Sun, 2 Aug 2009, Willy De la Court wrote:
>
>> On Sun, 02 Aug 2009 11:24:17 +0100, Clunk Werclick
>> <clunk.werclick@...> wrote:
> [snip]
>>>         reject_rbl_client no-more-funn.moensted.dk
>>>         reject_rbl_client bl.spamcop.net
>>>         reject_rbl_client dnsbl-1.uceprotect.net
>>>         reject_rbl_client dnsbl-2.uceprotect.net
>>>         reject_rbl_client dnsbl-3.uceprotect.net
>>>         reject_rbl_client dnsbl.sorbs.net
>>>         reject_rbl_client bl.spamcannibal.org
>>>         reject_rbl_client spam.dnsbl.sorbs.net
>>>         reject_rbl_client zen.spamhaus.org
>>>         reject_rbl_client b.barracudacentral.org
>>>         permit
>> [SNIP]
>>
>> wow a lot of rbls. I used to use some of these but got a lot of
>> complaints
>> so i'm sticking with just spamcop and spamhaus.
>
> I'm still figuring things out, and have not really went very deep into
> spam prevention at this point.  My question about the rbl rejects at the
> smtp level is whether it's possible to only apply this to certain
> domains/accounts without resorting ot using a policy daemon.  I'm
> guessing no, but that may just be my old qmail pessimism. :)
>

if it depends on client, helo, sender or recipient, then you can use
restriction classes.

#256299 From: Clunk Werclick <clunk.werclick@...>
Date: Mon Aug 3, 2009 6:13 am
Subject: Re: Spam Prevention
 
On Sun, 2009-08-02 at 17:04 -0400, Jon wrote:
> Clunk Werclick wrote:
> >
> > ************************
> >       PRE DNSBL      321
> > ........................
> >          NO PTR      201
> >        SPOOFING      120
> >  RELAY ATTEMPTS        0
> >   BLOCKED OTHER        0
> >     WHITELISTED        4
> > ************************
> >   BLOCKED DNSBL      287
> > ........................
> >
>
> What tools are you using to generate your counts and get your output
> presented this way?
A dirty little Perl script + cron.
--
-----------------------------------------------------------
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment.

#256300 From: Willy De la Court <wdl@...>
Date: Mon Aug 3, 2009 6:29 am
Subject: [OT] Spam Prevention
 
On Sun, 02 Aug 2009 17:04:17 -0400, Jon <jon_k@...> wrote:
> Clunk Werclick wrote:
>>
>> ************************
>>       PRE DNSBL      321
>> ........................
>>          NO PTR      201
>>        SPOOFING      120
>>  RELAY ATTEMPTS        0
>>   BLOCKED OTHER        0
>>     WHITELISTED        4
>> ************************
>>   BLOCKED DNSBL      287
>> ........................
>>
>
> What tools are you using to generate your counts and get your output
> presented this way?

The logwatch package can do something similar.

See example below. I stripped out some sections with sensitive information
but you get the idea.

  --------------------- Postfix Begin (detail=5) ------------------------

  ****** Summary *************************************************************************************

    28.893M  Bytes accepted                        30,296,112
     4.471M  Bytes sent via SMTP                    4,687,715
    25.310M  Bytes delivered                       26,538,982
  ========   ================================================

       370   Accepted                                   1.79%
     20326   Rejected                                  98.21%
  --------   ------------------------------------------------
     20696   Total                                    100.00%
  ========   ================================================

       124   5xx Reject relay denied                    0.61%
      5423   5xx Reject HELO/EHLO                      26.68%
       154   5xx Reject unknown user                    0.76%
     14625   5xx Reject RBL                            71.95%
  --------   ------------------------------------------------
     20326   Total 5xx Rejects                        100.00%
  ========   ================================================

        20   4xx Reject HELO/EHLO                       2.11%
         2   4xx Reject unknown user                    0.21%
       102   4xx Reject recipient address              10.75%
       648   4xx Reject sender address                 68.28%
       158   4xx Reject unknown reverse client host    16.65%
        19   4xx Reject RBL                             2.00%
  --------   ------------------------------------------------
       949   Total 4xx Rejects                        100.00%
  ========   ================================================

     14952   Connections made
      5149   Connections lost (inbound)
     14947   Disconnections
       368   Removed from queue
       334   Delivered
       127   Sent via SMTP
        10   Resent
         2   Deferred
         2   Deferrals
         2   Bounced (remote)
         2   Notifications sent

        45   Timeout (inbound)
        23   Illegal address syntax in SMTP command
        56   Numeric hostname
         7   SMTP dialog error
       106   Excessive errors in SMTP dialog
      3071   Hostname verification errors
         1   Hostname validation errors


  ****** Detail **************************************************************************************

       124   5xx Reject relay denied
-----------------------------------------------------------------
        20      81.192.186.79    adsl-79-186-192-81.adsl.iam.net.ma
        20      85.181.161.97    e181161097.adsl.alicedsl.de
        20      95.110.96.169    g95-110-96-169.broadband.bashtel.ru
        20      190.48.158.110   unknown
        20      201.80.36.14     unknown
        20      202.142.223.169  unknown
         2      83.36.234.113    113.red-83-36-234.dynamicip.rima-tde.net
         2      90.176.249.58    58.249.broadband9.iol.cz

      5423   5xx Reject HELO/EHLO
--------------------------------------------------------------------
      5423      Need fully-qualified hostname

       154   5xx Reject unknown user
-----------------------------------------------------------------
       154      Virtual mailbox table

     14625   5xx Reject RBL
--------------------------------------------------------------------------
      7959      bl.spamcop.net
      6666      zen.spamhaus.org

        20   4xx Reject HELO/EHLO
--------------------------------------------------------------------
        20      Need fully-qualified hostname

         2   4xx Reject unknown user
-----------------------------------------------------------------
         2      Virtual mailbox table

       102   4xx Reject recipient address
------------------------------------------------------------

       648   4xx Reject sender address
---------------------------------------------------------------
       648      Domain not found

      5149   Connections lost (inbound)
--------------------------------------------------------------
      3274      After DATA
      1532      After RCPT
       261      After CONNECT
        26      After MAIL
        26      After QUIT
        15      After HELO
        12      After EHLO
         2      After UNKNOWN
         1      After RSET

         2   Deferrals
-------------------------------------------------------------------------------
         2      4.1.1: Transient failure: Addressing status: Bad destination mailbox address

         2   Bounced (remote)
------------------------------------------------------------------------
         2      5.1.1: Permanent failure: Addressing status: Bad destination mailbox address

         2   Notifications sent
----------------------------------------------------------------------
         2      Non-delivery

        45   Timeout (inbound)
-----------------------------------------------------------------------
        16      After CONNECT
         8      After RCPT
         7      After DATA
         7      After MAIL
         5      After EHLO
         2      After HELO

        23   Illegal address syntax in SMTP command
--------------------------------------------------
        23      MAIL

        56   Numeric hostname
------------------------------------------------------------------------
        44      Resource data of MX record
        12      Hostname

         7   SMTP dialog error
-----------------------------------------------------------------------
         7      Non-SMTP command

       106   Excessive errors in SMTP dialog
---------------------------------------------------------
        81      After RCPT
        25      After DATA

      3071   Hostname verification errors
------------------------------------------------------------
      2851      No address associated with hostname
       220      Address not listed for hostname

         1   Hostname validation errors
--------------------------------------------------------------
         1      misplaced delimiter: .



========================================================================================================================
  Delays Percentiles              0%         25%         50%         75%         90%         95%         98%        100%
------------------------------------------------------------------------------------------------------------------------
  1: Pre qmgr                  0.000       0.020       0.050       0.250       0.542       0.988       1.400     522.000
  2: In qmgr                   0.000       0.000       0.000       0.010       0.010       0.010       0.010       0.020
  3: Connection setup          0.000       0.000       0.000       0.080       0.180       0.280       0.487       2.700
  4: Xmit time                 0.010       0.050       0.230       0.570       1.200       1.680       3.092       4.300
========================================================================================================================

  ---------------------- Postfix End -------------------------



--
Simple things make people happy.
Willy De la Court
PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689

#256301 From: Clunk Werclick <clunk.werclick@...>
Date: Mon Aug 3, 2009 6:45 am
Subject: Re: [OT] Spam Prevention
 
On Mon, 2009-08-03 at 08:29 +0200, Willy De la Court wrote:
> On Sun, 02 Aug 2009 17:04:17 -0400, Jon <jon_k@...> wrote:
> > Clunk Werclick wrote:
> >>
> >> ************************
> >>       PRE DNSBL      321
> >> ........................
> >>          NO PTR      201
> >>        SPOOFING      120
> >>  RELAY ATTEMPTS        0
> >>   BLOCKED OTHER        0
> >>     WHITELISTED        4
> >> ************************
> >>   BLOCKED DNSBL      287
> >> ........................
> >>
> >
> > What tools are you using to generate your counts and get your output
> > presented this way?
>
> The logwatch package can do something similar.
>
> See example below. I stripped out some sections with sensitive information
> but you get the idea.
>
>  --------------------- Postfix Begin (detail=5) ------------------------
>
>  ****** Summary
>
********************************************************************************\
*****
>
>    28.893M  Bytes accepted                        30,296,112
>     4.471M  Bytes sent via SMTP                    4,687,715
>    25.310M  Bytes delivered                       26,538,982
>  ========   ================================================
>
>       370   Accepted                                   1.79%
>     20326   Rejected                                  98.21%
>  --------   ------------------------------------------------
>     20696   Total                                    100.00%
>  ========   ================================================
>
>       124   5xx Reject relay denied                    0.61%
>      5423   5xx Reject HELO/EHLO                      26.68%
>       154   5xx Reject unknown user                    0.76%
>     14625   5xx Reject RBL                            71.95%
>  --------   ------------------------------------------------
>     20326   Total 5xx Rejects                        100.00%
>  ========   ================================================
>
>        20   4xx Reject HELO/EHLO                       2.11%
>         2   4xx Reject unknown user                    0.21%
>       102   4xx Reject recipient address              10.75%
>       648   4xx Reject sender address                 68.28%
>       158   4xx Reject unknown reverse client host    16.65%
>        19   4xx Reject RBL                             2.00%
>  --------   ------------------------------------------------
>       949   Total 4xx Rejects                        100.00%
>  ========   ================================================
>
>     14952   Connections made
>      5149   Connections lost (inbound)
>     14947   Disconnections
>       368   Removed from queue
>       334   Delivered
>       127   Sent via SMTP
>        10   Resent
>         2   Deferred
>         2   Deferrals
>         2   Bounced (remote)
>         2   Notifications sent
>
>        45   Timeout (inbound)
>        23   Illegal address syntax in SMTP command
>        56   Numeric hostname
>         7   SMTP dialog error
>       106   Excessive errors in SMTP dialog
>      3071   Hostname verification errors
>         1   Hostname validation errors
>
>
>  ****** Detail
>
********************************************************************************\
******
>
>       124   5xx Reject relay denied
> -----------------------------------------------------------------
>        20      81.192.186.79    adsl-79-186-192-81.adsl.iam.net.ma
>        20      85.181.161.97    e181161097.adsl.alicedsl.de
>        20      95.110.96.169    g95-110-96-169.broadband.bashtel.ru
>        20      190.48.158.110   unknown
>        20      201.80.36.14     unknown
>        20      202.142.223.169  unknown
>         2      83.36.234.113    113.red-83-36-234.dynamicip.rima-tde.net
>         2      90.176.249.58    58.249.broadband9.iol.cz
>
>      5423   5xx Reject HELO/EHLO
> --------------------------------------------------------------------
>      5423      Need fully-qualified hostname
>
>       154   5xx Reject unknown user
> -----------------------------------------------------------------
>       154      Virtual mailbox table
>
>     14625   5xx Reject RBL
> --------------------------------------------------------------------------
>      7959      bl.spamcop.net
>      6666      zen.spamhaus.org
>
>        20   4xx Reject HELO/EHLO
> --------------------------------------------------------------------
>        20      Need fully-qualified hostname
>
>         2   4xx Reject unknown user
> -----------------------------------------------------------------
>         2      Virtual mailbox table
>
>       102   4xx Reject recipient address
> ------------------------------------------------------------
>
>       648   4xx Reject sender address
> ---------------------------------------------------------------
>       648      Domain not found
>
>      5149   Connections lost (inbound)
> --------------------------------------------------------------
>      3274      After DATA
>      1532      After RCPT
>       261      After CONNECT
>        26      After MAIL
>        26      After QUIT
>        15      After HELO
>        12      After EHLO
>         2      After UNKNOWN
>         1      After RSET
>
>         2   Deferrals
>
-------------------------------------------------------------------------------
>         2      4.1.1: Transient failure: Addressing status: Bad
> destination mailbox address
>
>         2   Bounced (remote)
> ------------------------------------------------------------------------
>         2      5.1.1: Permanent failure: Addressing status: Bad
> destination mailbox address
>
>         2   Notifications sent
> ----------------------------------------------------------------------
>         2      Non-delivery
>
>        45   Timeout (inbound)
> -----------------------------------------------------------------------
>        16      After CONNECT
>         8      After RCPT
>         7      After DATA
>         7      After MAIL
>         5      After EHLO
>         2      After HELO
>
>        23   Illegal address syntax in SMTP command
> --------------------------------------------------
>        23      MAIL
>
>        56   Numeric hostname
> ------------------------------------------------------------------------
>        44      Resource data of MX record
>        12      Hostname
>
>         7   SMTP dialog error
> -----------------------------------------------------------------------
>         7      Non-SMTP command
>
>       106   Excessive errors in SMTP dialog
> ---------------------------------------------------------
>        81      After RCPT
>        25      After DATA
>
>      3071   Hostname verification errors
> ------------------------------------------------------------
>      2851      No address associated with hostname
>       220      Address not listed for hostname
>
>         1   Hostname validation errors
> --------------------------------------------------------------
>         1      misplaced delimiter: .
>
>
>
>
> ======================================================================================================================
>  Delays Percentiles              0%         25%         50%         75%         90%         95%         98%        100%
>
> ----------------------------------------------------------------------------------------------------------------------
>  1: Pre qmgr                  0.000       0.020       0.050       0.250       0.542       0.988       1.400     522.000
>  2: In qmgr                   0.000       0.000       0.000       0.010       0.010       0.010       0.010       0.020
>  3: Connection setup          0.000       0.000       0.000       0.080       0.180       0.280       0.487       2.700
>  4: Xmit time                 0.010       0.050       0.230       0.570       1.200       1.680       3.092       4.300
>
> ======================================================================================================================
>
>  ---------------------- Postfix End -------------------------
>
>
Yes, I use that too - but I like a quick summary on demand.

--
-----------------------------------------------------------
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment.

#256302 From: Thomas <mailinglists@...>
Date: Mon Aug 3, 2009 6:52 am
Subject: Re: [OT] Spam Prevention
 
Hey,

[..]
> Yes, I use that too - but I like a quick summary on demand.
See: <http://www.mikecappella.com/logwatch/>
You can use the scripts _without_ logwatch and get an instant summary of
your mail.log.

Cheers,
Thomas

#256303 From: Clunk Werclick <clunk.werclick@...>
Date: Mon Aug 3, 2009 7:09 am
Subject: Re: [OT] Spam Prevention
 
On Mon, 2009-08-03 at 16:52 +1000, Thomas wrote:
> Hey,
>
> [..]
> > Yes, I use that too - but I like a quick summary on demand.
> See: <http://www.mikecappella.com/logwatch/>
> You can use the scripts _without_ logwatch and get an instant summary of
> your mail.log.
>
> Cheers,
> Thomas
Indeed it does and that is interesting, thank you. My long term goal is
to get my Perl to log, in single line;

DATE/TIME INBOUND/OUTBOUND TO FROM SUBJECT SPAM SCORE IP

That is what I really would like to be able to do - but so far I do not
find a way that is easy or straightforward to bring all of this
information together in a single 'delivered' log. Rejected or dropped
mail is straightforward, but delivered mail seems to be harder to cobble
something together to give it, how do you say, 'the inside leg
measurements' ?

--
-----------------------------------------------------------
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment.
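
The single-line delivery record asked for in the message above can be built by joining Postfix log lines on their queue ID. This is an added example, not code from the thread: the log lines are constructed, short hexadecimal queue IDs and no content-filter re-injection are assumed, and SUBJECT and spam score are left out because Postfix does not log them by default.

```python
import re

# Constructed sample lines in the usual Postfix syslog layout (not from the thread).
# Queue ID 555AC6A60AF is reused by a second, unrelated message hours later.
SAMPLE_LOG = """\
Aug  3 07:01:10 mail1 postfix/smtpd[2101]: 555AC6A60AF: client=mx.example.org[192.0.2.10]
Aug  3 07:01:10 mail1 postfix/cleanup[2104]: 555AC6A60AF: message-id=<a1@example.org>
Aug  3 07:01:10 mail1 postfix/qmgr[1500]: 555AC6A60AF: from=<alice@example.org>, size=2048, nrcpt=2 (queue active)
Aug  3 07:01:11 mail1 postfix/local[2106]: 555AC6A60AF: to=<bob@example.net>, relay=local, delay=0.13, delays=0.12/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Aug  3 07:01:12 mail1 postfix/smtp[2107]: 555AC6A60AF: to=<carol@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug  3 07:01:12 mail1 postfix/qmgr[1500]: 555AC6A60AF: removed
Aug  3 07:05:00 mail1 postfix/smtpd[2200]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; proto=SMTP
Aug  3 11:30:00 mail1 postfix/pickup[3000]: 555AC6A60AF: uid=1000 from=<dave>
Aug  3 11:30:00 mail1 postfix/qmgr[1500]: 555AC6A60AF: from=<dave@example.net>, size=512, nrcpt=1 (queue active)
Aug  3 11:30:01 mail1 postfix/smtp[3002]: 555AC6A60AF: to=<erin@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug  3 11:30:01 mail1 postfix/qmgr[1500]: 555AC6A60AF: removed
"""

# timestamp, host, postfix/<daemon>[pid]: <queue ID>: <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<daemon>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"^client=\S*\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"^from=<(?P<addr>[^>]*)>")
DELIVERY_RE = re.compile(r"^to=<(?P<to>[^>]*)>,.*?\bstatus=(?P<status>\w+)")


def correlate(lines):
    """Join log lines on queue ID and return one record per delivery attempt."""
    open_msgs = {}  # queue ID -> state of the message currently holding that ID
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # NOQUEUE rejects, connect/disconnect and warnings carry no queue ID
        qid, rest = m["qid"], m["rest"]
        if rest == "removed":
            # The ID is free again; forget its state so that a later message
            # reusing the same ID does not inherit this sender or client.
            open_msgs.pop(qid, None)
            continue
        msg = open_msgs.setdefault(qid, {"client_ip": "local", "from": None})
        client = CLIENT_RE.match(rest)
        if client:
            msg["client_ip"] = client["ip"]
            continue
        sender = FROM_RE.match(rest)
        if sender and m["daemon"] == "qmgr":
            msg["from"] = sender["addr"] or "<>"  # null sender is logged as from=<>
            continue
        delivery = DELIVERY_RE.match(rest)
        if delivery:
            records.append({
                "time": m["ts"],
                # Assumption: the smtp client delivers to remote hosts only;
                # every other delivery agent (local, virtual, ...) is inbound.
                "direction": "OUTBOUND" if m["daemon"] == "smtp" else "INBOUND",
                "to": delivery["to"],
                "from": msg["from"],
                "client_ip": msg["client_ip"],
                "status": delivery["status"],
            })
    return records


def format_record(r):
    """Render one record as a single summary line."""
    return "{time} {direction} to={to} from={from} ip={client_ip} status={status}".format(**r)


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG.splitlines()):
        print(format_record(rec))
```
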

#256304 From: "Nick Sharp" <nick.sharp@...>
Date: Mon Aug 3, 2009 7:26 am
Subject: allow sasl authenticated on submission port and bypass rbl
 
Hi all,

Since adding check_sender_access to stop our domain from emailing unauthed
from the outside and our Wireless Broadband now being in the
pbl.spamhaus.org list, we want to allow TLS/SASL Auth'd users to email from
their broadband cards and get them bypassing the rbl's, ie RBL checks on
port 25 without auth, no rbl checks on 587 but reject those not
authenticated.

I thought I could just overwrite smtpd restrictions from main.cf with
additional rules in master.cf and get it working, but all combinations I
have tried have failed.

Do I have to move main.cf smtpd_(client|recipient|sender)_restrictions into
master.cf under smtp and then use the alternative restrictions under the
submission port? If so I wonder what else will lose restriction options.

I am pretty sure that I can whitelist their subnet, but I must be able to
bypass the rbl checks for any auth'ed user on port 587.

Any suggestions gratefully received.

The error I seem to get if it's not the rbl error;
Aug  3 15:39:14 mail1 postfix/smtpd[25528]: NOQUEUE: reject: CONNECT from
unknown[58.171.177.107]: 554 5.7.1 <unknown[58.171.177.107]>: Client host
rejected: Access denied; proto=SMTP


master.cf;
smtp      inet  n       -       -       -       50       smtpd
         -o cleanup_service_name=pre-cleanup
         -o content_filter=procmail:filter
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       -       -       -       qmqpd
587     inet    n       -       n       -       -       smtpd
         -o smtpd_enforce_tls=yes
         -o smtpd_sasl_auth_enable=yes
#tried various combinations of these 3 (with and without reject)
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
         -o mime_header_checks=
         -o nested_header_checks=
         -o body_checks=
         -o header_checks=
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       n       300   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
         -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

#Vacation Handler
#vacation  unix  -      n       n       -       -       pipe
#   flags=Rhu user=vacation argv=/var/spool/vacation/vacation.pl

#Procmail
procmail  unix  -       n       n       -       -       pipe
   flags=Rq user=virtual argv=/usr/bin/procmail -t -m /etc/procmailrc
${sender} ${recipient}

maildrop  unix  -       n       n       -       -       pipe
   flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail    unix  -       n       n       -       -       pipe
   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix  -       n       n       -       2       pipe
   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
   ${nexthop} ${user}
amavis    unix  -       -       -       -       2       smtp
         -o smtp_data_done_timeout=1200
         -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet    n     -  -      -       -       smtpd
         -o content_filter=
	   -o local_recipient_maps=
         -o relay_recipient_maps=
         -o smtpd_restriction_classes=
         -o smtpd_client_restrictions=
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o strict_rfc821_envelopes=yes
         -o mynetworks=127.0.0.0/8
         -o smtpd_error_sleep_time=0
         -o smtpd_soft_error_limit=1001
         -o smtpd_hard_error_limit=1001

pre-cleanup unix n      -        -       -       0       cleanup
         -o virtual_alias_maps=
         -o canonical_maps=
         -o sender_canonical_maps=
         -o recipient_canonical_maps=
         -o masquerade_domains=



postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 26214400
mydestination =
myhostname = <hostname>
mynetworks = <various networks>
myorigin = /etc/mailname
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client
blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org, reject_rbl_client
zen.spamhaus.org, reject_rbl_client relays.mail-abuse.org, reject_rbl_client
whois.rfc-ignorant.org, reject_rbl_client nonconfirm.mail-abuse.org,
reject_rbl_client dialups.mail-abuse.org, reject_rbl_client sc.surbl.org,
reject_rbl_client ws.surbl.org, reject_rbl_client ob.surbl.org,
reject_rbl_client ab.surbl.org, reject_rbl_client multi.surbl.org,
reject_rbl_client black.uribl.com
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit

smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient,
reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated,
permit_mynetworks,reject_non_fqdn_sender, reject_unauth_pipelining,
check_sender_access hash:/etc/postfix/spoofprotection, permit
smtpd_timeout = 60s
smtpd_tls_cert_file = /etc/apache2/ssl/somefile.crt
smtpd_tls_key_file = /etc/apache2/ssl/somefile.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = mysql:/etc/postfix/mysql_transport2.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_transport = mysql:/etc/postfix/mysql_transport2.cf
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf

TIA
Nick

#256305 From: Mike Cappella <lists-postfix@...>
Date: Mon Aug 3, 2009 7:57 am
Subject: Re: allow sasl authenticated on submission port and bypass rbl
 
On 8/3/09 12:26 AM, Nick Sharp wrote:
> Hi all,
>
> Since adding check_sender_access to stop our domain from emailing unauthed
> from the outside and our Wireless Broadband now being in the
> pbl.spamhaus.org list, we want to allow TLS/SASL Auth'd users to email from
> their broadband cards and get them bypassing the rbl's, ie RBL checks on
> port 25 without auth, no rbl checks on 587 but reject those not
> authenticated.
>
> I thought I could just overwrite smtpd restrictions from main.cf with
> additional rules in master.cf and get it working, but all combinations I
> have tried have failed.

A sample submission entry in master.cf:

submission inet n       -       n       -       -       smtpd
     -o smtpd_tls_security_level=encrypt
     -o smtpd_tls_auth_only=yes
     -o smtpd_sasl_auth_enable=yes
     -o broken_sasl_auth_clients=yes
     -o receive_override_options=no_header_body_checks,no_address_mappings
     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
     -o content_filter=lmtp-amavis:[127.0.0.1]:10026

The key is the smtpd_recipient_restrictions' permit_sasl_authenticated
coming first or early.  Thus, port 587 users who authenticate pass the
green light.


>
> Do I have to move main.cf smtpd_(client|recipient|sender)_restrictions into
> master.cf under smtp and then use the alternative restrictions under the
> submission port? If so I wonder what else will lose restriction options.

Tailor as you see fit for your users.  The restrictions you'll add under
submission overrides those in main.cf.

>
> I am pretty sure that I can whitelist their subnet, but I must be able to
> bypass the rbl checks for any auth'ed user on port 587.

Whitelisting == not so good.

>
> Any suggestions gratefully received.
>
> The error I seem to get if it's not the rbl error;
> Aug  3 15:39:14 mail1 postfix/smtpd[25528]: NOQUEUE: reject: CONNECT from
> unknown[58.171.177.107]: 554 5.7.1<unknown[58.171.177.107]>: Client host
> rejected: Access denied; proto=SMTP
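
Each smtpd_*_restrictions list is evaluated on its own, and a list that a master.cf entry does not override with -o is inherited from main.cf. The following check is an added example, not code from the thread or from Postfix: it merges main.cf values with each smtpd service's -o overrides and flags permit_sasl_authenticated in a client list that runs at connect time (smtpd_delay_reject = no, as in the posted postconf -n) and RBL lookups that still reach authenticated submission clients. The configuration snippets are constructed and trimmed, and the finding names are made up for this example.

```python
import re

SUBMISSION_NAMES = {"submission", "587"}  # service names treated as the submission port

# Constructed, trimmed main.cf values modelled on the postconf -n output in the thread.
MAIN_CF = {
    "smtpd_delay_reject": "no",
    "smtpd_client_restrictions": "permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org",
    "smtpd_helo_restrictions": "permit_mynetworks, reject_invalid_hostname, permit",
    "smtpd_sender_restrictions": "permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, permit",
    "smtpd_recipient_restrictions": "permit_sasl_authenticated, reject_unauth_destination, permit",
}
PORT25 = "smtp      inet  n       -       -       -       50      smtpd\n"
# Constructed master.cf variants: client list overridden, recipient list only, every list.
CLIENT_OVERRIDE = PORT25 + """\
587       inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
RECIPIENT_ONLY = PORT25 + """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""
ALL_LISTS = PORT25 + """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""


def parse_master(text):
    """Return {"name/type": {"name", "command", "args"}} from master.cf text."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # continuation line: more arguments for the last service
            if current is not None:
                current["args"] += raw.split()
            continue
        fields = raw.split()  # service type private unpriv chroot wakeup maxproc command
        current = {"name": fields[0], "command": fields[7], "args": fields[8:]}
        services[fields[0] + "/" + fields[1]] = current
    return services


def overrides(args):
    """Collect the name=value pairs passed as '-o name=value'."""
    found, it = {}, iter(args)
    for arg in it:
        if arg == "-o":
            name, _, value = next(it, "").partition("=")
            found[name] = value
    return found


def rules(value):
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def rbl_reaches_authenticated(rule_list, runs_before_auth):
    """True if an authenticated client can still hit reject_rbl_client in this list."""
    for rule in rule_list:
        if rule in ("permit", "reject"):
            return False  # list ends here for every client
        if rule == "permit_sasl_authenticated" and not runs_before_auth:
            return False  # authenticated clients leave the list here
        if rule == "reject_rbl_client":
            return True
    return False


def audit(main_cf, master_text):
    """Return {"name/type": [findings]} for every smtpd service."""
    report = {}
    for key, svc in parse_master(master_text).items():
        if svc["command"] != "smtpd":
            continue
        eff = {**main_cf, **overrides(svc["args"])}  # -o wins over main.cf
        # With smtpd_delay_reject=no, client and HELO lists run before AUTH is possible.
        early = eff.get("smtpd_delay_reject", "yes") == "no"
        findings = []
        if early and "permit_sasl_authenticated" in rules(eff.get("smtpd_client_restrictions", "")):
            findings.append("SASL_CHECK_BEFORE_AUTH")
        if svc["name"] in SUBMISSION_NAMES:
            stages = (("client", early), ("helo", early), ("sender", False), ("recipient", False))
            for stage, before_auth in stages:
                rule_list = rules(eff.get("smtpd_%s_restrictions" % stage, ""))
                if rbl_reaches_authenticated(rule_list, before_auth):
                    findings.append("RBL_ON_SUBMISSION:" + stage)
        report[key] = findings
    return report
```
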

#256306 From: Robin Smidsrød <robin@...>
Date: Mon Aug 3, 2009 9:14 am
Subject: Postfix HELO FQDN requirement
 
I read John Peach's response to a mail regarding the Postfix option to
reject non-FQDN HELO transactions.

http://www.irbs.net/internet/postfix/0302/0183.html

He states that Joris Benschop is correct in that email.

I was scanning through RFC 821 (and also through RFC2821 which has
superseded it) and I cannot find the quote referenced in the message
above in either of those documents.

Where can I find an official reference which validates what he stated in
the message above?

As far as I can tell, section 5.2.5 does not exist in RFC821 and
section 3.5 does not contain the quote specified in the above mentioned
message.

I used these references to verify the content of the RFCs.

http://www.ietf.org/rfc/rfc821.txt
http://www.ietf.org/rfc/rfc2821.txt
http://www.faqs.org/rfcs/rfc821.html
http://www.faqs.org/rfcs/rfc2821.html

The main.cf options I'm referring to are these:

http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname

Apparently RFC2821 also allows IP-address syntax (see section 4.1.1.1).

Can someone enlighten me as to what is actually correct behaviour
according to RFC?

Regards,
Robin Smidsrød

#256307 From: Willy De la Court <wdl@...>
Date: Mon Aug 3, 2009 10:18 am
Subject: Re: Postfix HELO FQDN requirement
 
On Mon, 03 Aug 2009 11:14:10 +0200, Robin Smidsrød <robin@...>
wrote:
> I read John Peach's response to a mail regarding the Postfix option to
> reject non-FQDN HELO transactions.
>
> http://www.irbs.net/internet/postfix/0302/0183.html
>
> He states that Joris Benschop is correct in that email.
>
> I was scanning through RFC 821 (and also through RFC2821 which has
> superseded it) and I cannot find the quote referenced in the message
> above in either of those documents.
>
> Where can I find an official reference which validates what he stated in
> the message above?
>
> As far as I can tell, section 5.2.5 does not exist in RFC821 and
> section 3.5 does not contain the quote specified in the above mentioned
> message.
>
> I used these references to verify the content of the RFCs.
>
> http://www.ietf.org/rfc/rfc821.txt
> http://www.ietf.org/rfc/rfc2821.txt
> http://www.faqs.org/rfcs/rfc821.html
> http://www.faqs.org/rfcs/rfc2821.html

rfc2821 contains the following

  -  the clarifications and applicability statements in RFC 1123 [2],

and rfc1123

http://www.freesoft.org/CIE/RFC/1123/index.htm

contains

http://www.freesoft.org/CIE/RFC/1123/90.htm

where it states

  The sender-SMTP MUST ensure that the <domain> parameter in a HELO command
is a valid principal host domain name for the client host. As a result, the
receiver-SMTP will not have to perform MX resolution on this name in order
to validate the HELO parameter.

  The HELO receiver MAY verify that the HELO parameter really corresponds to
the IP address of the sender. However, the receiver MUST NOT refuse to
accept a message, even if the sender's HELO command fails verification.


So it seems it's not allowed to refuse msgs when the HELO is incorrect.

>
> The main.cf options I'm referring to are these:
>
> http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname
> http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname
>
> Apparently RFC2821 also allows IP-address syntax (see section 4.1.1.1).
>
> Can someone enlighten me as to what is actually correct behaviour
> according to RFC?
>
> Regards,
> Robin Smidsrød

--
Simple things make people happy.
Willy De la Court
PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689

#256308 From: Willy De la Court <wdl@...>
Date: Mon Aug 3, 2009 10:28 am
Subject: Re: Postfix HELO FQDN requirement
 
On Mon, 03 Aug 2009 12:18:53 +0200, Willy De la Court
<wdl@...>
wrote:
> On Mon, 03 Aug 2009 11:14:10 +0200, Robin Smidsrød <robin@...>
> wrote:
>> I read John Peach's response to a mail regarding the Postfix option to
>> reject non-FQDN HELO transactions.
>>
>> http://www.irbs.net/internet/postfix/0302/0183.html
>>
>> He states that Joris Benschop is correct in that email.
>>
>> I was scanning through RFC 821 (and also through RFC2821 which has
>> superseded it) and I cannot find the quote referenced in the message
>> above in either of those documents.
>>
>> Where can I find an official reference which validates what he stated in
>> the message above?
>>
>> As far as I can tell, section 5.2.5 does not exist in RFC821 and
>> section 3.5 does not contain the quote specified in the above mentioned
>> message.
>>
>> I used these references to verify the content of the RFCs.
>>
>> http://www.ietf.org/rfc/rfc821.txt
>> http://www.ietf.org/rfc/rfc2821.txt
>> http://www.faqs.org/rfcs/rfc821.html
>> http://www.faqs.org/rfcs/rfc2821.html
>
> rfc2821 contains the following
>
>  -  the clarifications and applicability statements in RFC 1123 [2],
>
> and rfc1123
>
> http://www.freesoft.org/CIE/RFC/1123/index.htm
>
> contains
>
> http://www.freesoft.org/CIE/RFC/1123/90.htm
>
> where it states
>
>  The sender-SMTP MUST ensure that the <domain> parameter in a HELO command
> is a valid principal host domain name for the client host. As a result, the
> receiver-SMTP will not have to perform MX resolution on this name in order
> to validate the HELO parameter.
>
>  The HELO receiver MAY verify that the HELO parameter really corresponds to
> the IP address of the sender. However, the receiver MUST NOT refuse to
> accept a message, even if the sender's HELO command fails verification.
>
>
> So it seems it's not allowed to refuse msgs when the HELO is incorrect.
>

and this I found in the rfc2821

   If the EHLO command is not acceptable to the SMTP server, 501, 500,
    or 502 failure replies MUST be returned as appropriate.  The SMTP
    server MUST stay in the same state after transmitting these replies
    that it was in before the EHLO was received.

    The SMTP client MUST, if possible, ensure that the domain parameter
    to the EHLO command is a valid principal host name (not a CNAME or MX
    name) for its host.  If this is not possible (e.g., when the client's
    address is dynamically assigned and the client does not have an
    obvious name), an address literal SHOULD be substituted for the
    domain name and supplemental information provided that will assist in
    identifying the client.

    An SMTP server MAY verify that the domain name parameter in the EHLO
    command actually corresponds to the IP address of the client.
    However, the server MUST NOT refuse to accept a message for this
    reason if the verification fails: the information about verification
    failure is for logging and tracing only.

and the same for the EHLO

>>
>> The main.cf options I'm referring to are these:
>>
>> http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname
>> http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname
>>
>> Apparently RFC2821 also allows IP-address syntax (see section 4.1.1.1).
>>
>> Can someone enlighten me as to what is actually correct behaviour
>> according to RFC?
>>
>> Regards,
>> Robin Smidsrød

--
Simple things make people happy.
Willy De la Court
PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689

#256309 From: Robin Smidsrød <robin@...>
Date: Mon Aug 3, 2009 11:18 am
Subject: Re: Postfix HELO FQDN requirement
 
Willy De la Court wrote:
> On Mon, 03 Aug 2009 11:14:10 +0200, Robin Smidsrød <robin@...>
> wrote:
[snip]
>
> rfc2821 contains the following
>
>  -  the clarifications and applicability statements in RFC 1123 [2],
[snip]
> http://www.freesoft.org/CIE/RFC/1123/90.htm
>
> where it states
>
>  The sender-SMTP MUST ensure that the <domain> parameter in a HELO command
> is a valid principal host domain name for the client host. As a result, the
> receiver-SMTP will not have to perform MX resolution on this name in order
> to validate the HELO parameter.
>
>  The HELO receiver MAY verify that the HELO parameter really corresponds to
> the IP address of the sender. However, the receiver MUST NOT refuse to
> accept a message, even if the sender's HELO command fails verification.
>
>
> So it seems it's not allowed to refuse msgs when the HELO is incorrect.
>
>> The main.cf options I'm referring to are these:
>>
>> http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname
>> http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname

my main.cf has these lines (among others):

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_client_access mysql:$config_directory/sql/accept_bad_helo.cf,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_unknown_helo_hostname,
  permit

Does this mean that all of the reject rules are in fact not RFC-conformant?

The reason I mention reject_invalid_helo_hostname is that I'm unsure if
the IPv(4|6) address syntax is part of this rule (postfix version 2.5.5,
distributed with ubuntu 9.04).

What about the two other reject rules? As far as I can tell, they are
both non-conformant.

-- Robin

#256310 From: John Peach <postfix@...>
Date: Mon Aug 3, 2009 11:59 am
Subject: Re: Postfix HELO FQDN requirement
 
On Mon, 03 Aug 2009 13:18:52 +0200
Robin Smidsrød <robin@...> wrote:
[snip]
> Willy De la Court wrote:
>
>
> Does this mean that all of the reject rules are in fact not
> RFC-conformant?
>
> The reason I mention reject_invalid_helo_hostname is that I'm unsure
> if the IPv(4|6) address syntax is part of this rule (postfix version
> 2.5.5, distributed with ubuntu 9.04).
>
> What about the two other reject rules? As far as I can tell, they are
> both non-conformant.

Your server, your rules.


>
> -- Robin
>


--
John

#256311 From: wietse@... (Wietse Venema)
Date: Mon Aug 3, 2009 12:05 pm
Subject: Re: Postfix HELO FQDN requirement
 
John Peach:
> On Mon, 03 Aug 2009 13:18:52 +0200
> Robin Smidsrød <robin@...> wrote:
> [snip]
> > Willy De la Court wrote:
> >
> >
> > Does this mean that all of the reject rules are in fact not
> > RFC-conformant?
> >
> > The reason I mention reject_invalid_helo_hostname is that I'm unsure
> > if the IPv(4|6) address syntax is part of this rule (postfix version
> > 2.5.5, distributed with ubuntu 9.04).
> >
> > What about the two other reject rules? As far as I can tell, they are
> > both non-conformant.
>
> Your server, your rules.

Indeed.  RFCs are relevant only when parties want to interoperate.
Generally, there is no such desire on the receiving end of SPAM.

	 Wietse

#256312 From: Christian Wittwer <wittwerch@...>
Date: Mon Aug 3, 2009 12:10 pm
Subject: Differ between rejects
 
Hi,
Is there a way to differ between rejected mails?
I'm just interested in outgoing mails from my server which got rejected.
All the mails I'm rejecting from the internet are not important for my
pflogsumm report.

Chris

#256313 From: Willy De la Court <wdl@...>
Date: Mon Aug 3, 2009 12:17 pm
Subject: Re: Postfix HELO FQDN requirement
 
On Mon, 3 Aug 2009 08:05:26 -0400 (EDT), wietse@... (Wietse
Venema) wrote:
> John Peach:
>> On Mon, 03 Aug 2009 13:18:52 +0200
>> Robin Smidsrød <robin@...> wrote:
>> [snip]
>> > Willy De la Court wrote:
>> >

This was the question asked by robin. Something went wrong with the
quoting.

>> >
>> > Does this mean that all of the reject rules are in fact not
>> > RFC-conformant?
>> >
>> > The reason I mention reject_invalid_helo_hostname is that I'm unsure
>> > if the IPv(4|6) address syntax is part of this rule (postfix version
>> > 2.5.5, distributed with ubuntu 9.04).
>> >
>> > What about the two other reject rules? As far as I can tell, they are
>> > both non-conformant.
>>
>> Your server, your rules.

And if that rule blocks about 40% of the spam........

>
> Indeed.  RFCs are relevant only when parties want to interoperate.
> Generally, there is no such desire on the receiving end of SPAM.
>
>  Wietse

I totally agree.


--
Simple things make people happy.
Willy De la Court
PGP Public Key at http://www.linux-lovers.be/download/public_key.asc
PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689

#256314 From: Santiago Romero <sromero@...>
Date: Mon Aug 3, 2009 1:00 pm
Subject: Question about address verification in MX2 when primary MX is down...
 
Hi!.

  I have a secondary MX server and I'm trying to configure it to "check"
recipient addresses against primary SMTP servers to reject emails
directed to non existing addresses.

I've read the following:

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

  So I added this to my main.cf:

address_verify_map = btree:/var/lib/postfix/verify
address_verify_positive_refresh_time = 14d

  and:

smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_pipelining,
     reject_non_fqdn_recipient,
     reject_unknown_recipient_domain,
     reject_unauth_destination,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client dnsbl.ahbl.org,
     reject_rbl_client zen.spamhaus.org,
     check_policy_service unix:private/policy-spf,
     reject_unverified_recipient,         <--------------- This
     permit

  This works nicely when MX1 servers are working and answering RCPT-TO
checks, but then I asked ... what happens if my server can't reach the
primary MX (server stopped, misconfiguration, power outage...) ?

  In that case my server reacts rejecting ALL email because it cannot be
verified with "Recipient address rejected: unverified address: Address
verification in progress".

  Is it possible to change behaviour to ACCEPT all email when the primary
MX cannot be contacted for address verification?. I mean:

- If MX can be contacted -> check it and reject if 550.
- If MX cannot be contacted -> just accept it.

  This machine is a secondary MX server for some domains so I'm supposed
to accept email for them when they are not available...

  I'm using postfix 2.5.1 .

  Thanks a lot, and sorry if this is a very obvious question...


--
Santiago Romero
