Discussion:
Postfix Address Verification
(too old to reply)
Jody Cleveland
2007-06-25 23:24:57 UTC
Permalink
Hello,

I've got a RedHat 5 server with Postfix and MailScanner. This server checks
all incoming mail and then forwards it on to an Exchange server. I'm looking
for a way to verify recipients without touching active directory. Will
either of these work at all?

smtpd_recipient_restrictions = reject_unauth_destination
smtpd_recipient_restrictions = reject_unverified_recipient

- jody
Gareth
2007-06-26 08:57:22 UTC
Permalink
See
http://www.mailscanner.info/wiki/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users
Thats what I do and it works very well.

Just make sure Exchange is configured to reject mail to unknown
recipients. If you cant do that then there are other ways such as using
LDAP to regularly pull out a list of valid addresses from exchange,
Post by Jody Cleveland
Hello,
I've got a RedHat 5 server with Postfix and MailScanner. This server checks
all incoming mail and then forwards it on to an Exchange server. I'm looking
for a way to verify recipients without touching active directory. Will
either of these work at all?
smtpd_recipient_restrictions = reject_unauth_destination
smtpd_recipient_restrictions = reject_unverified_recipient
- jody
Seamus Allan
2007-06-27 03:12:10 UTC
Permalink
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070627/9e10b7b6/attachment.html
Drew Marshall
2007-06-27 08:03:47 UTC
Permalink
Post by Gareth
See
http://www.mailscanner.info/wiki/doku.php?
id=documentation:configuration:mta:postfix:how_to:reject_non_existent
_users
Thats what I do and it works very well.
Just make sure Exchange is configured to reject mail to unknown
recipients. If you cant do that then there are other ways such as using
LDAP to regularly pull out a list of valid addresses from exchange,
Post by Jody Cleveland
Hello,
I've got a RedHat 5 server with Postfix and MailScanner. This server checks
all incoming mail and then forwards it on to an Exchange server. I'm looking
for a way to verify recipients without touching active directory. Will
either of these work at all?
smtpd_recipient_restrictions = reject_unauth_destination
smtpd_recipient_restrictions = reject_unverified_recipient
- jody
I am curious about this; it seems to make very good sense to do
this (and will in fact cut down the number of bounces created by my
mail gateway MailScanner machine), but I wonder how much more work
has to be done by Postfix to accomplish this.
It's a lot less than trying to keep running the mail queue that's
full of undeliverable bounce notifications. Reject unknown recipients
at SMTP stage will mean that you don't have to use your bandwidth to
download the full message, process it through MailScanner &
SpamAssassin, deliver or attempt to deliver somewhere else, create
the bounce notification and attempt to deliver this bounce using your
bandwidth. If it's not deliverable then keep retrying for x number of
days and re-examining the message in the queue to work out when it
must keep trying.

In comparison any form of db look up from hashed file to SQL or LDAP
is really cheap. Couple that with one or two other tricks such at
proxying for SQL for example (To retain connections) and you really
have very little overhead at all. In fact there are other checks that
are more work, such as RBL look ups that are much more work.

Drew
--
In line with our policy, this message has been scanned
for viruses and dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070627/d4cbc623/attachment.html
Glenn Steen
2007-06-27 09:02:00 UTC
Permalink
Post by Gareth
See
http://www.mailscanner.info/wiki/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users
Thats what I do and it works very well.
Just make sure Exchange is configured to reject mail to unknown
recipients. If you cant do that then there are other ways such as using
LDAP to regularly pull out a list of valid addresses from exchange,
Hello,
I've got a RedHat 5 server with Postfix and MailScanner. This server checks
all incoming mail and then forwards it on to an Exchange server. I'm looking
for a way to verify recipients without touching active directory. Will
either of these work at all?
smtpd_recipient_restrictions = reject_unauth_destination
smtpd_recipient_restrictions = reject_unverified_recipient
- jody
I am curious about this; it seems to make very good sense to do this (and
will in fact cut down the number of bounces created by my mail gateway
MailScanner machine), but I wonder how much more work has to be done by
Postfix to accomplish this.
It's a lot less than trying to keep running the mail queue that's full of
undeliverable bounce notifications. Reject unknown recipients at SMTP stage
will mean that you don't have to use your bandwidth to download the full
message, process it through MailScanner & SpamAssassin, deliver or attempt
to deliver somewhere else, create the bounce notification and attempt to
deliver this bounce using your bandwidth. If it's not deliverable then keep
retrying for x number of days and re-examining the message in the queue to
work out when it must keep trying.
In comparison any form of db look up from hashed file to SQL or LDAP is
really cheap. Couple that with one or two other tricks such at proxying for
SQL for example (To retain connections) and you really have very little
overhead at all. In fact there are other checks that are more work, such as
RBL look ups that are much more work.
Drew
(Chiming in with Drew here:)
Not to mention that you will remove yourself from being a potential
"spam reflector" (NDN-spam thing)... And cut down on the risk of being
blacklisted (when one of your bounces hit a honeypot for one of the
more agressive BLs)... Small downside with recipient verification is
that your address-base might get mapped out, but... that is worth it,
compared to the alternative.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
Seamus Allan
2007-06-27 23:47:01 UTC
Permalink
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070628/54b49a6d/attachment.html
Steven Andrews
2007-06-28 01:41:52 UTC
Permalink
I've had probably 1/2 dozen mailscanners barf this week, all the same
way. The inbound queue backs up for an unknown reason and then all
mails that do come out of it are tagged as viruses and spam, when they
most certainly are not.

Granted, these are somewhat slim boxes, probably 700mhz, with 256-384
meg of ram, but they have minor loads as well. I've tried updating to
the latest MS as well as the rc2 clamav; even tried running it as
clamavmodule to save resources. Neither has any effect on the matter.

Anyone see anything similar lately?

Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070627/d85757c9/attachment.html
Doc Schneider
2007-06-28 03:17:42 UTC
Permalink
Post by Steven Andrews
I've had probably 1/2 dozen mailscanners barf this week, all the same
way. The inbound queue backs up for an unknown reason and then all
mails that do come out of it are tagged as viruses and spam, when they
most certainly are not.
Granted, these are somewhat slim boxes, probably 700mhz, with 256-384
meg of ram, but they have minor loads as well. I've tried updating to
the latest MS as well as the rc2 clamav; even tried running it as
clamavmodule to save resources. Neither has any effect on the matter.
Anyone see anything similar lately?
Steve
Are you running any other virus scanners? I had something like this
happen on a MS system that was using antivir, Removed the use of it in
the conf file and away we went working fine. Of course YMMV.
--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/
Steven Andrews
2007-06-28 07:24:36 UTC
Permalink
Nope, just Julian's default clam/sa install. It's happened with
mailscanner.conf set to clam and clamavmodule.

I'd guess it's a timeout issue, but I'm real concerned that if that's
the case the default behavior is to start calling everything a virus
since those are sumarily tossed.

-----Original Message-----
From: mailscanner-***@lists.mailscanner.info
[mailto:mailscanner-***@lists.mailscanner.info] On Behalf Of Doc
Schneider
Sent: Wednesday, June 27, 2007 10:18 PM
To: MailScanner discussion
Subject: Re: Odd Clam/MS Problem
Post by Steven Andrews
I've had probably 1/2 dozen mailscanners barf this week, all the same
way. The inbound queue backs up for an unknown reason and then all
mails that do come out of it are tagged as viruses and spam, when they
most certainly are not.
Granted, these are somewhat slim boxes, probably 700mhz, with 256-384
meg of ram, but they have minor loads as well. I've tried updating to
the latest MS as well as the rc2 clamav; even tried running it as
clamavmodule to save resources. Neither has any effect on the matter.
Anyone see anything similar lately?
Steve
Are you running any other virus scanners? I had something like this
happen on a MS system that was using antivir, Removed the use of it in
the conf file and away we went working fine. Of course YMMV.

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

--
MailScanner mailing list
***@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
Drew Marshall
2007-06-28 09:47:03 UTC
Permalink
It seems after implementing this that I am having a lot of spam stopped
at MTA level - this is very good.<br>
However, the next morning I came in to discover that some of the
domains we host were not getting any email.<br>
I used telnet to pretend to have a fake session with the smtp server,
and interestingly, when trying to do a rcpt <a
class="moz-txt-link-abbreviated"
get the following error message.<br>
450 <a class="moz-txt-link-rfc2396E"
Recipient address rejected: Domain
not found<br>
Why is this happening? How come that Postfix is able to look into the
transport map and check the next server in line to see whether the user
is valid for most of the domains, but not for some. Is there a
misconfiguration somewhere? Is the verify map full or something?<br>
Firstly, please could you not use HTML mail. It does become something of a
mess (As you can see above) when working in plain text.

Anyway, check your maillog as I would expect the domain not found error to
come from a Postfix client access restriction (Reject unknown sender
domain for example) and nothing to do with your recipient maps. The logs
will tell you more.

Drew
--
In line with our policy, this message has been scanned
for viruses and dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ
--[ UxBoD ]--
2007-06-28 09:59:48 UTC
Permalink
After creating the look up table I presume you ran postmap on it ?

On Thu, 28 Jun 2007 09:46:55 +0100 (BST), "Drew Marshall"
Post by Drew Marshall
It seems after implementing this that I am having a lot of spam stopped
at MTA level - this is very good.<br>
However, the next morning I came in to discover that some of the
domains we host were not getting any email.<br>
I used telnet to pretend to have a fake session with the smtp server,
and interestingly, when trying to do a rcpt <a
class="moz-txt-link-abbreviated"
get the following error message.<br>
450 <a class="moz-txt-link-rfc2396E"
Recipient address rejected: Domain
not found<br>
Why is this happening? How come that Postfix is able to look into the
transport map and check the next server in line to see whether the user
is valid for most of the domains, but not for some. Is there a
misconfiguration somewhere? Is the verify map full or something?<br>
Firstly, please could you not use HTML mail. It does become something of a
mess (As you can see above) when working in plain text.
Anyway, check your maillog as I would expect the domain not found error to
come from a Postfix client access restriction (Reject unknown sender
domain for example) and nothing to do with your recipient maps. The logs
will tell you more.
Drew
--
In line with our policy, this message has been scanned
for viruses and dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy
Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ
--
MailScanner mailing list
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
This message has been scanned for viruses and dangerous content by
MailScanner, and is
believed to be clean.
--
--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: ***@sip.splatnix.net
--
This message has been scanned for viruses and dangerous content by MailScanner, and is
believed to be clean.
Seamus Allan
2007-06-29 04:57:55 UTC
Permalink
Post by Drew Marshall
It seems after implementing this that I am having a lot of spam stopped
at MTA level - this is very good.<br>
However, the next morning I came in to discover that some of the
domains we host were not getting any email.<br>
I used telnet to pretend to have a fake session with the smtp server,
and interestingly, when trying to do a rcpt <a
class="moz-txt-link-abbreviated"
get the following error message.<br>
450 <a class="moz-txt-link-rfc2396E"
Recipient address rejected: Domain
not found<br>
Why is this happening? How come that Postfix is able to look into the
transport map and check the next server in line to see whether the user
is valid for most of the domains, but not for some. Is there a
misconfiguration somewhere? Is the verify map full or something?<br>
Firstly, please could you not use HTML mail. It does become something of a
mess (As you can see above) when working in plain text.
I even made a point of not top posting. Guess I can't make *everyone* happy.
Post by Drew Marshall
Anyway, check your maillog as I would expect the domain not found error to
come from a Postfix client access restriction (Reject unknown sender
domain for example) and nothing to do with your recipient maps. The logs
will tell you more.
Drew
I spent the good part of a day investigating logs and found almost
nothing useful. I was expecting to see a point where the main (hub)
mailserver started rejecting the (Mailscanner) Gateways probes to check
whether a mailbox existed, as the probes are only Helo, Mail from, rcpt
to, then a disconnect.

Anywho, here are some log snippets for you to gander at.

This is for a domain where is worked:
Jun 28 02:49:24 gatekeeper2 postfix/smtpd[8702]: NOQUEUE: reject: RCPT
from c175-80.icpnet.pl[85.221.175.80]: 550 <***@validdomain.com>:
Recipient address rejected: undeliverable address: host
192.168.1.225[192.168.1.225] said: 550 Requested action not taken:
mailbox unavailable or not local (in reply to RCPT TO command);
from=<***@gopitts.com> to=<***@validdomain.com> proto=SMTP
helo=<144209448>

And this is for one where is didn't:
Jun 28 02:49:28 gatekeeper2 postfix/smtpd[8700]: NOQUEUE: reject: RCPT
from unknown[80.99.7.4]: 450 <***@validdomain.com>: Recipient address
rejected: Domain not found; from=<***@place.com>
to=<***@validdomain.com> proto=ESMTP helo=<aram.chello.hu>

After scouring the logs on both the gateway machine and the mail hub and
can't seem to find anything useful.

Any ideas?

Cheers.
--
*Seamus Allan*
Network Engineer
Rheel Electronics Ltd
Phone +64-3-386 3070 Fax +64-3-386-3071
Mobile +64-21-178-2980
***@rheelweb.co.nz
www.rheel.co.nz

This e-mail together with any attachments is confidential, may be
subject to legal privilege and may contain proprietary information,
including information protected by copyright. If you are not the
intended recipient, please do not copy, use or disclose this e-mail;
please notify us immediately by return e-mail and then delete this e-mail.
Drew Marshall
2007-06-29 10:27:00 UTC
Permalink
Post by Seamus Allan
I even made a point of not top posting. Guess I can't make *everyone* happy.
You are so right :-) The only reason I asked was that my quotes of yours
were so mangled by my web mail client they were almost not woth including.
No biggie really (To me!)
Post by Seamus Allan
I spent the good part of a day investigating logs and found almost
nothing useful. I was expecting to see a point where the main (hub)
mailserver started rejecting the (Mailscanner) Gateways probes to check
whether a mailbox existed, as the probes are only Helo, Mail from, rcpt
to, then a disconnect.
Anywho, here are some log snippets for you to gander at.
Jun 28 02:49:24 gatekeeper2 postfix/smtpd[8702]: NOQUEUE: reject: RCPT
Recipient address rejected: undeliverable address: host
mailbox unavailable or not local (in reply to RCPT TO command);
helo=<144209448>
That looks fine
Post by Seamus Allan
Jun 28 02:49:28 gatekeeper2 postfix/smtpd[8700]: NOQUEUE: reject: RCPT
This looks like a DNS problem. Are you running a cacheing DNS server on
this box? Postfix is rejecting with a temporary failure (450) as it is
having what it thinks could be a short term problem. I assume you have set
the next hop in the transport map file, have you done this using a name
record or IP address? i.e. in the file does it say:

validdomain relay:internal.host

or

validdomain relay:[192.168.1.225]

Just to make sure this isn't Postfix logging a slight red herring, can you
also let me know what you have under:

smtpd_client_restrictions
smtpd_sender_restrictions

in main.cf

The other thing to check is the logs of the internal machine (Exchange?),
just in case there is anything obvious there.

Drew
--
In line with our policy, this message has been scanned
for viruses and dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ
Glenn Steen
2007-06-29 11:17:40 UTC
Permalink
On 29/06/07, Drew Marshall <***@technologytiger.net> wrote:
(snip)
Post by Drew Marshall
Post by Seamus Allan
Jun 28 02:49:28 gatekeeper2 postfix/smtpd[8700]: NOQUEUE: reject: RCPT
This looks like a DNS problem. Are you running a cacheing DNS server on
this box? Postfix is rejecting with a temporary failure (450) as it is
having what it thinks could be a short term problem. I assume you have set
the next hop in the transport map file, have you done this using a name
validdomain relay:internal.host
or
validdomain relay:[192.168.1.225]
True ... assuming Seamus uses the transport map to do the routing...
And not some kind of split-view-DNS with internal MX records for the
respective domains... In which case this'd perhaps point to an DNS/MX
problem for that domain. ... Then again, with the serious lack of
sleep I'm labouring under, I might completely misstaken:-).
Post by Drew Marshall
Just to make sure this isn't Postfix logging a slight red herring, can you
smtpd_client_restrictions
smtpd_sender_restrictions
in main.cf
The other thing to check is the logs of the internal machine (Exchange?),
just in case there is anything obvious there.
Drew
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
Seamus Allan
2007-07-01 22:29:23 UTC
Permalink
Post by Drew Marshall
This looks like a DNS problem. Are you running a cacheing DNS server on
this box? Postfix is rejecting with a temporary failure (450) as it is
having what it thinks could be a short term problem. I assume you have set
the next hop in the transport map file, have you done this using a name
validdomain relay:internal.host
or
validdomain relay:[192.168.1.225]
Just to make sure this isn't Postfix logging a slight red herring, can you
smtpd_client_restrictions
smtpd_sender_restrictions
in main.cf
The other thing to check is the logs of the internal machine (Exchange?),
just in case there is anything obvious there.
Drew
Hi,

I am not running a caching DNS server on this box, all DNS queries are
passed to our internal DNS server, however this shouldn't be an issue,
as you noted because the next hop is dictated by an entry in the
transport map, using IP based hosts. This is what I find so confusing,
surely Postfix uses this transport map or even the relay_domain map to
decide whether a domain is valid or not?
I did spend the other day looking at the internal mail hub, and there is
nothing out of the ordinary in there which would indicate a problem
(such as SMTP restrictions because of connection rate or something).
In my main.cf, I don't have entries for smtpd_client_restrictions or
smtpd_sender_restrictions (whether this is bad or not?), and my
smtp_receipient_restrictions is as follows:
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_unverified_recipient

It all seems rather tricky, as there is nothing obvious as to why this
his happening.

Cheers for the help


Seamus

*Seamus Allan*
Network Engineer
Rheel Electronics Ltd
Seamus Allan
2007-07-04 01:05:27 UTC
Permalink
Post by Seamus Allan
Post by Drew Marshall
This looks like a DNS problem. Are you running a cacheing DNS server on
this box? Postfix is rejecting with a temporary failure (450) as it is
having what it thinks could be a short term problem. I assume you have set
the next hop in the transport map file, have you done this using a name
validdomain relay:internal.host
or
validdomain relay:[192.168.1.225]
Just to make sure this isn't Postfix logging a slight red herring, can you
smtpd_client_restrictions
smtpd_sender_restrictions
in main.cf
The other thing to check is the logs of the internal machine
(Exchange?),
just in case there is anything obvious there.
Drew
Hi,
I am not running a caching DNS server on this box, all DNS queries are
passed to our internal DNS server, however this shouldn't be an issue,
as you noted because the next hop is dictated by an entry in the
transport map, using IP based hosts. This is what I find so confusing,
surely Postfix uses this transport map or even the relay_domain map to
decide whether a domain is valid or not?
I did spend the other day looking at the internal mail hub, and there
is nothing out of the ordinary in there which would indicate a problem
(such as SMTP restrictions because of connection rate or something).
In my main.cf, I don't have entries for smtpd_client_restrictions or
smtpd_sender_restrictions (whether this is bad or not?), and my
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_unverified_recipient
It all seems rather tricky, as there is nothing obvious as to why this
his happening.
Cheers for the help
Seamus
*Seamus Allan*
Network Engineer
Rheel Electronics Ltd
Anybody got ideas?

Cheers

Seamus
--
*Seamus Allan*
Network Engineer
Rheel Electronics Ltd
Gerard
2007-07-04 12:08:49 UTC
Permalink
On July 03, 2007 at 08:05PM Seamus Allan wrote:

[snip]
Post by Seamus Allan
Anybody got ideas?
Have you tried posting this question on the Postfix forum? You will
obviously need to include a the results of a 'postconf -n' output as
well as the relevant sections of the maillog.

Off hand, I cannot see anything wrong though.
--
Gerard

"Everybody has a right to be stupid, but some people abuse the privilege."

Joseph Stalin
Darren Benfer
2007-07-01 18:13:00 UTC
Permalink
Lately it seems like it takes MS children take forever to start up for
some reason, and my server load climbs to 4-5 while they are doing so.
Anyone else experiencing (or experienced) this? Anything I should check
into for a fix? Worked well for about year, but latest update for MS
started this trend.

TIA!
Darren @ Serversphere.com
Nerijus Baliunas
2007-07-01 19:00:07 UTC
Permalink
Post by Darren Benfer
Lately it seems like it takes MS children take forever to start up for
some reason, and my server load climbs to 4-5 while they are doing so.
Anyone else experiencing (or experienced) this? Anything I should check
into for a fix? Worked well for about year, but latest update for MS
started this trend.
Please provide more info - MailScanner versions before and now, what virus
scanners are used, MTA (sendmail? postfix?) etc.

Regards,
Nerijus
Hugo van der Kooij
2007-07-01 19:15:26 UTC
Permalink
Post by Nerijus Baliunas
Post by Darren Benfer
Lately it seems like it takes MS children take forever to start up for
some reason, and my server load climbs to 4-5 while they are doing so.
Anyone else experiencing (or experienced) this? Anything I should check
into for a fix? Worked well for about year, but latest update for MS
started this trend.
Please provide more info - MailScanner versions before and now, what virus
scanners are used, MTA (sendmail? postfix?) etc.
Also run something like top to see which process is in fact consuming
resources.

Hugo.
--
***@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
Glenn Steen
2007-07-01 22:01:32 UTC
Permalink
Post by Hugo van der Kooij
Post by Nerijus Baliunas
Post by Darren Benfer
Lately it seems like it takes MS children take forever to start up for
some reason, and my server load climbs to 4-5 while they are doing so.
Anyone else experiencing (or experienced) this? Anything I should check
into for a fix? Worked well for about year, but latest update for MS
started this trend.
Please provide more info - MailScanner versions before and now, what virus
scanners are used, MTA (sendmail? postfix?) etc.
Also run something like top to see which process is in fact consuming
resources.
Hugo.
I'm with Jules on this one, clamav 0.90.something and clamavmodule
will have exactly this effect. Then again, asking for more info tobe
able to give better help is never wrong either....:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
Julian Field
2007-07-01 19:14:54 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'll put a tenner on the fact that you are running the latest version of
ClamAV and are using the clamavmodule scanner.
It's ClamAV's fault in that case. The current version takes *forever* to
load the signatures. Fortunately it only has to do this once in each child.
You can fix it by either
1) Download and run the latest release candidate of ClamAV which
apparently has fixed it. This is the most common solution I have seen.
2) Wait for the new version of ClamAV and not worry about it for now. It
only affects the startup time of each child, not the actual processing
speed of ClamAV. This is what I have done.
3) Switch to clamd but make sure you are running something to keep an
eye on the clamd daemon in case it crashes (I cannot guarantee clamd's
stability).

Jules.
Post by Darren Benfer
Lately it seems like it takes MS children take forever to start up for
some reason, and my server load climbs to 4-5 while they are doing so.
Anyone else experiencing (or experienced) this? Anything I should
check into for a fix? Worked well for about year, but latest update
for MS started this trend.
TIA!
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at ***@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGh+5rEfZZRxQVtlQRAtZpAJ99I6EWKthmGH6yqNFd5J2AVPoubQCglcKA
YaHuW+6cN/wa9DLZH6A1Ty8=
=Jovf
-----END PGP SIGNATURE-----
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk
Darren Benfer
2007-07-02 14:17:14 UTC
Permalink
Jules,

Thank you, yes! This is exactly the case - we use clamAV/clamavmodule.
Sorry I did not provide this info in my original post. Switching clam
off makes things as speedy as ever, so I will just endure it across all
machines until the current RC moves into release.

Thanks, Darren
Post by Julian Field
I'll put a tenner on the fact that you are running the latest
version of
Post by Julian Field
ClamAV and are using the clamavmodule scanner.
It's ClamAV's fault in that case. The current version takes *forever* to
load the signatures. Fortunately it only has to do this once in each child.
You can fix it by either
1) Download and run the latest release candidate of ClamAV which
apparently has fixed it. This is the most common solution I have seen.
2) Wait for the new version of ClamAV and not worry about it for now. It
only affects the startup time of each child, not the actual processing
speed of ClamAV. This is what I have done.
3) Switch to clamd but make sure you are running something to keep an
eye on the clamd daemon in case it crashes (I cannot guarantee clamd's
stability).
Jules.
Post by Darren Benfer
Lately it seems like it takes MS children take forever to start up for
some reason, and my server load climbs to 4-5 while they are doing so.
Anyone else experiencing (or experienced) this? Anything I should
check into for a fix? Worked well for about year, but latest update
for MS started this trend.
TIA!
Jules
Jody Cleveland
2007-06-27 17:43:11 UTC
Permalink
Post by Gareth
See
http://www.mailscanner.info/wiki/doku.php?id=documentation:configuration:mta:p
ostfix:how_to:reject_non_existent_users
Thats what I do and it works very well.
Just make sure Exchange is configured to reject mail to unknown
recipients. If you cant do that then there are other ways such as using
LDAP to regularly pull out a list of valid addresses from exchange,
So, just so I'm clear, (we're using Exchange 2003) it will work if I add
this (taken from the link you sent):

1) Confirm that master.cf contains the following line and add it if not:

verify unix - - n - 1 verify

2) Add the following to main.cf

In smtpd_recipient_restrictions add the following options:

reject_unknown_recipient_domain, reject_unverified_recipient

Then add the following options:

unverified_recipient_reject_code = 550
address_verify_map = btree:/etc/postfix/verify

3) Restart postfix and test functionality

The problem is, I need to be able to do this without using ldap, and I can't
change any settings on the exchange server itself. (it's under someone
else's control)

- jody
Scott Silva
2007-06-27 18:21:38 UTC
Permalink
Post by Jody Cleveland
Post by Gareth
See
http://www.mailscanner.info/wiki/doku.php?id=documentation:configuration:mta:p
ostfix:how_to:reject_non_existent_users
Thats what I do and it works very well.
Just make sure Exchange is configured to reject mail to unknown
recipients. If you cant do that then there are other ways such as using
LDAP to regularly pull out a list of valid addresses from exchange,
So, just so I'm clear, (we're using Exchange 2003) it will work if I add
verify unix - - n - 1 verify
2) Add the following to main.cf
reject_unknown_recipient_domain, reject_unverified_recipient
unverified_recipient_reject_code = 550
address_verify_map = btree:/etc/postfix/verify
3) Restart postfix and test functionality
The problem is, I need to be able to do this without using ldap, and I can't
change any settings on the exchange server itself. (it's under someone
else's control)
- jody
The Exchange server has to be set to only accept valid e-mail. I am not sure
if it is a default setting. Looking at Microsofts track record of backward
compatibility, it probably is not the default.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
Gareth
2007-06-27 17:50:22 UTC
Permalink
Yes that will work on the condition that the exchange server itself rejects
mail to unknown recipients.
If the exchange server accepts all mail for its domain and then emails out a
non delivery mail for addresses that dont exist then it wont help you.
-----Original Message-----
Cleveland
Sent: 27 June 2007 17:43
Subject: Re: Postfix Address Verification
See
http://www.mailscanner.info/wiki/doku.php?id=documentation:configu
ration:mta:p
ostfix:how_to:reject_non_existent_users
Thats what I do and it works very well.
Just make sure Exchange is configured to reject mail to unknown
recipients. If you cant do that then there are other ways such as using
LDAP to regularly pull out a list of valid addresses from exchange,
So, just so I'm clear, (we're using Exchange 2003) it will work if I add
this (taken from the link you sent):

1) Confirm that master.cf contains the following line and add it if not:

verify unix - - n - 1 verify

2) Add the following to main.cf

In smtpd_recipient_restrictions add the following options:

reject_unknown_recipient_domain, reject_unverified_recipient

Then add the following options:

unverified_recipient_reject_code = 550
address_verify_map = btree:/etc/postfix/verify

3) Restart postfix and test functionality

The problem is, I need to be able to do this without using ldap, and I can't
change any settings on the exchange server itself. (it's under someone
else's control)

- jody

--
MailScanner mailing list
***@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
Martin.Hepworth
2007-06-28 09:15:32 UTC
Permalink
Steve
Latest beta's allow you to use clamd calls directly.

There's been lots of reports about clamscan (and the module!) timing out
etc for some reason due to the time it takes to load the virus defs.

Try the latest beta and use clamd as the scanner.

Other thing to check is looking for timeouts in the logs.

If you're running any DNS level checks (RBLs etc), make sure the
connections to these are OK as well.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
-----Original Message-----
Sent: 28 June 2007 01:42
To: MailScanner discussion
Subject: Odd Clam/MS Problem
I've had probably 1/2 dozen mailscanners barf this week, all the same
way.
The inbound queue backs up for an unknown reason and then all mails
that
do come out of it are tagged as viruses and spam, when they most
certainly
are not.
Granted, these are somewhat slim boxes, probably 700mhz, with 256-384
meg
of ram, but they have minor loads as well. I've tried updating to the
latest MS as well as the rc2 clamav; even tried running it as
clamavmodule
to save resources. Neither has any effect on the matter.
Anyone see anything similar lately?
Steve
**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************
Martin.Hepworth
2007-07-04 12:15:47 UTC
Permalink
Seamus
I'd start here..



http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta
:postfix:how_to:reject_non_existent_users


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
-----Original Message-----
Sent: 04 July 2007 12:09
Subject: Re[2]: Postfix Address Verification
[snip]
Post by Seamus Allan
Anybody got ideas?
Have you tried posting this question on the Postfix forum? You will
obviously need to include a the results of a 'postconf -n' output as
well as the relevant sections of the maillog.
Off hand, I cannot see anything wrong though.
--
Gerard
"Everybody has a right to be stupid, but some people abuse the
privilege."
Joseph Stalin
--
MailScanner mailing list
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************
Seamus Allan
2007-07-04 22:42:52 UTC
Permalink
Thats where I originally started ;)
Cheers though
Post by Seamus Allan
Seamus
I'd start here..
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta
:postfix:how_to:reject_non_existent_users
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Glenn Steen
2007-07-04 23:33:50 UTC
Permalink
Post by Seamus Allan
Thats where I originally started ;)
Cheers though
Thing is, I'm still not too clear on which postfix is telling you
this.... "external" or "internal"... Am slightly "muddled" ATM, but
... does both recognize that they are to handle that particular
domain? And it's users? How did you set the verification up on both of
them?
I might be completely "muddled", so please set me straight:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
Seamus Allan
2007-07-05 04:17:11 UTC
Permalink
Mail from the internet hits the "Gateway" machine with MailScanner and
postfix. The clean mail is then forwarded to the "Hub" machine, running
windows and Mail Enable Enterprise.

What was happening is that bulk mailers were targeting ***@domain.com,
and a bunch of this was getting through the Gateway as all it knew about
was the domains that it was allowed to forward, and where to send them
(transport map pointing to the Hub machine). The Hub machine was
replying 550 mailbox does not exist, and so the Gateway was trying to
send bounce messages back to a non existent mailbox where the spam
originated from.

So, as per documentation (on the MailScanner docs, Postfix website), I
set up verification on the Gatekeeper machine, such that when a mail
comes in, postfix looks in the transport map, then queries the Hub
machine as to whether the mailbox exists or now. Then the Gateway
machine can reject the mail "at the door" (solving bandwidth, load and
bounce issues).

This worked pretty much OK, until I realised that mail was not being
delivered for some (a lot as it turned out) of domains. A look in the
maillog was showing that mail to these domains was being rejected by the
Gatekeeper (presumably the verification mechanism) with a 400 error of
Domain Not Found (as in previous log entries that have been posted).
I suspected at first that the Hub machine was blocking access, but
nothing in the logs indicate this (on either machines).

So I'm a bit lost
Hope this helps someone help me,

Cheers

Seamus
Post by Glenn Steen
Thing is, I'm still not too clear on which postfix is telling you
this.... "external" or "internal"... Am slightly "muddled" ATM, but
... does both recognize that they are to handle that particular
domain? And it's users? How did you set the verification up on both of
them?
I might be completely "muddled", so please set me straight:-)
Cheers
Rob Sterenborg
2007-07-05 07:35:10 UTC
Permalink
Post by Seamus Allan
Mail from the internet hits the "Gateway" machine with
MailScanner and postfix. The clean mail is then forwarded to the
"Hub" machine, running windows and Mail Enable Enterprise.
[...]
Post by Seamus Allan
So, as per documentation (on the MailScanner docs, Postfix
website), I set up verification on the Gatekeeper machine, such
that when a mail comes in, postfix looks in the transport map,
I didn't see this in the doc, so I'm not sure if you did this..

If your Postfix is a relay for your Windows mailserver, Postfix *must*
know which domains to relay for. Typically, you configure Postfix for
this using the relay_domains parameter which holds either all relay
domains or points to a file/db that holds the relay domains.
relay_domains should *only* contain relay domains, and mydestination
should -of course- *not* contain any relay domains.
See: man 5 postconf.
Post by Seamus Allan
then queries the Hub machine as to whether the mailbox exists or
now. Then the Gateway machine can reject the mail "at the door"
(solving bandwidth, load and bounce issues).
Personally, I think you shouldn't bother your Windows mailserver with
address verification.
I know nothing of Mail Enable Enterprise, but perhaps you can, like with
Exchange, export a list of all know email addresses using some script
(perhaps LDAP?), reformat this list into something postmap can use to
create the hash file or put it in a database, and configure Postfix to
query that list/db using relay_recipient_maps.

That way you may not have all email addresses at any given time but if
generating the email address list isn't generating too much load you can
schedule the script to run more frequently so you won't run far behind.
This all depends on your needs however.
The positive side on this is that when you get flooded with email, at
least the Windows servers don't get DOS-ed with verification requests so
your corporate/internal email doesn't suffer from it.


Grts,
Rob
Glenn Steen
2007-07-05 11:51:42 UTC
Permalink
Post by Rob Sterenborg
Post by Seamus Allan
Mail from the internet hits the "Gateway" machine with
MailScanner and postfix. The clean mail is then forwarded to the
"Hub" machine, running windows and Mail Enable Enterprise.
[...]
Post by Seamus Allan
So, as per documentation (on the MailScanner docs, Postfix
website), I set up verification on the Gatekeeper machine, such
that when a mail comes in, postfix looks in the transport map,
I didn't see this in the doc, so I'm not sure if you did this..
If your Postfix is a relay for your Windows mailserver, Postfix *must*
know which domains to relay for. Typically, you configure Postfix for
this using the relay_domains parameter which holds either all relay
domains or points to a file/db that holds the relay domains.
relay_domains should *only* contain relay domains, and mydestination
should -of course- *not* contain any relay domains.
See: man 5 postconf.
Post by Seamus Allan
then queries the Hub machine as to whether the mailbox exists or
now. Then the Gateway machine can reject the mail "at the door"
(solving bandwidth, load and bounce issues).
Personally, I think you shouldn't bother your Windows mailserver with
address verification.
I know nothing of Mail Enable Enterprise, but perhaps you can, like with
Exchange, export a list of all know email addresses using some script
(perhaps LDAP?), reformat this list into something postmap can use to
create the hash file or put it in a database, and configure Postfix to
query that list/db using relay_recipient_maps.
That way you may not have all email addresses at any given time but if
generating the email address list isn't generating too much load you can
schedule the script to run more frequently so you won't run far behind.
This all depends on your needs however.
The positive side on this is that when you get flooded with email, at
least the Windows servers don't get DOS-ed with verification requests so
your corporate/internal email doesn't suffer from it.
Grts,
Rob
Thanks Rob for chipping in.... this was exactly what I was leaning
towards, both the doubt about the relay_domains and the suggestion to
offload the work to PF itself.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--[ UxBoD ]--
2007-07-05 11:55:52 UTC
Permalink
I do the same for a client who runs Lotus Notes. Hourly dump from LDAP of
all users email addresses and then postmap it. We have cut down email to
the internal Notes servers from ?150k per day to 5k, through a combination
of PF and MailScanner.
Post by Glenn Steen
Post by Rob Sterenborg
Post by Seamus Allan
Mail from the internet hits the "Gateway" machine with
MailScanner and postfix. The clean mail is then forwarded to the
"Hub" machine, running windows and Mail Enable Enterprise.
[...]
Post by Seamus Allan
So, as per documentation (on the MailScanner docs, Postfix
website), I set up verification on the Gatekeeper machine, such
that when a mail comes in, postfix looks in the transport map,
I didn't see this in the doc, so I'm not sure if you did this..
If your Postfix is a relay for your Windows mailserver, Postfix *must*
know which domains to relay for. Typically, you configure Postfix for
this using the relay_domains parameter which holds either all relay
domains or points to a file/db that holds the relay domains.
relay_domains should *only* contain relay domains, and mydestination
should -of course- *not* contain any relay domains.
See: man 5 postconf.
Post by Seamus Allan
then queries the Hub machine as to whether the mailbox exists or
now. Then the Gateway machine can reject the mail "at the door"
(solving bandwidth, load and bounce issues).
Personally, I think you shouldn't bother your Windows mailserver with
address verification.
I know nothing of Mail Enable Enterprise, but perhaps you can, like with
Exchange, export a list of all know email addresses using some script
(perhaps LDAP?), reformat this list into something postmap can use to
create the hash file or put it in a database, and configure Postfix to
query that list/db using relay_recipient_maps.
That way you may not have all email addresses at any given time but if
generating the email address list isn't generating too much load you can
schedule the script to run more frequently so you won't run far behind.
This all depends on your needs however.
The positive side on this is that when you get flooded with email, at
least the Windows servers don't get DOS-ed with verification requests so
your corporate/internal email doesn't suffer from it.
Grts,
Rob
Thanks Rob for chipping in.... this was exactly what I was leaning
towards, both the doubt about the relay_domains and the suggestion to
offload the work to PF itself.
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
--
--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: ***@sip.splatnix.net
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Glenn Steen
2007-07-05 12:06:38 UTC
Permalink
Post by --[ UxBoD ]--
I do the same for a client who runs Lotus Notes. Hourly dump from LDAP of
all users email addresses and then postmap it. We have cut down email to
the internal Notes servers from ?150k per day to 5k, through a combination
of PF and MailScanner.
Yeah Phil, I do that myself too, although I dump (a not that big) AD
every 15 minutes, so that I don't have to rely on the M-Sexchange
admin to do the right thing... Saves me job as well as him:-). In my
case I only reduce total volume (by that particular measure) by about
25% though... Total rejected fluctuating between 35 - 50%... Call me
lucky:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
Seamus Allan
2007-07-05 21:51:32 UTC
Permalink
Hi Guys,

of course I have relay_domains setup, or my mail wouldn't be
transferring in the first place! I was hoping not to have to pull the
email list from the Hub machine, but it seems that my problem is pretty
weird.

Thanks though.

Seamus
Post by Glenn Steen
Yeah Phil, I do that myself too, although I dump (a not that big) AD
every 15 minutes, so that I don't have to rely on the M-Sexchange
admin to do the right thing... Saves me job as well as him:-). In my
case I only reduce total volume (by that particular measure) by about
25% though... Total rejected fluctuating between 35 - 50%... Call me
lucky:-).
Cheers
Seamus Allan
2007-07-05 23:59:17 UTC
Permalink
Post by Seamus Allan
Hi Guys,
of course I have relay_domains setup, or my mail wouldn't be
transferring in the first place! I was hoping not to have to pull the
email list from the Hub machine, but it seems that my problem is
pretty weird.
Thanks though.
Seamus
Post by Glenn Steen
Yeah Phil, I do that myself too, although I dump (a not that big) AD
every 15 minutes, so that I don't have to rely on the M-Sexchange
admin to do the right thing... Saves me job as well as him:-). In my
case I only reduce total volume (by that particular measure) by about
25% though... Total rejected fluctuating between 35 - 50%... Call me
lucky:-).
Cheers
Actually it occurred to me that this wouldn't work in full, because the
mail for some of the domains that pass through the Gateway machine is
destined for other mailservers in the world that I cannot pull the
mailboxes from. So I do need to get the verification working correctly.
I might have to try the Postfix forum or something.

Cheers
Seamus
Rob Sterenborg
2007-07-06 07:04:31 UTC
Permalink
Post by Seamus Allan
Post by Seamus Allan
Hi Guys,
of course I have relay_domains setup, or my mail wouldn't be
transferring in the first place! I was hoping not to have to pull the
email list from the Hub machine, but it seems that my problem is
pretty weird.
Some email *would* be transferred and some *wouldn't* if your
relay_domains table is setup but isn't complete.
Since you're saying that email is not accepted for *some* domains
(posting on june 28: "However, the next morning I came in to discover
that some of the domains we host were not getting any email."), I'd say
it was a valid thought.
Post by Seamus Allan
Actually it occurred to me that this wouldn't work in full, because
the mail for some of the domains that pass through the Gateway machine
is destined for other mailservers in the world that I cannot pull the
mailboxes from. So I do need to get the verification working
correctly. I might have to try the Postfix forum or something.
I think that's a more appropriate place for this challenge, indeed. ;-)

Just a thought before going there: I didn't see much of your PF config
on this list apart from some snippets (that doesn't automagically mean
that I would be able to help you if you did post more of it). I can
understand that and it is your good right not to show it but it's hard
to support a config you don't fully know.
When going to the Postfix list, be prepared to explain what you've
already done and to post the (sanitized) output of postconf -n, maybe
other (sanitized) information. The problem may be completely something
else that we haven't thought of because the rest of the PF config is
unknown to us. Some PF guru on that list will most likely want to see it
to support you.


Grts,
Rob
Gerard
2007-07-06 11:22:05 UTC
Permalink
Post by Rob Sterenborg
Just a thought before going there: I didn't see much of your PF config
on this list apart from some snippets (that doesn't automagically mean
that I would be able to help you if you did post more of it). I can
understand that and it is your good right not to show it but it's hard
to support a config you don't fully know.
When going to the Postfix list, be prepared to explain what you've
already done and to post the (sanitized) output of postconf -n, maybe
other (sanitized) information. The problem may be completely something
else that we haven't thought of because the rest of the PF config is
unknown to us. Some PF guru on that list will most likely want to see it
to support you.
From personal experience, if you post the 'sanitized' version of
"postconf -n' rather than the full output of that command, you leave
yourself open to abuse. If you do decide to obscure domain names, be
sure to do it consistently throughout the file. DO NOT obscure IP
addresses.

It would behoove you to post the complete output of:

1) postconf -n
2) Complete list of modifications to master.cf
3) Relevant mail log entries.

You may need to run Postfix in debug mode. Someone will inevitably
inform you of that detail if it needs to be done.

As a long time user of Postfix, I can attest to the assistance I have
received on their forum, provided I played by their rules.

Good luck!
--
Gerard
Rob Sterenborg
2007-07-06 11:52:17 UTC
Permalink
Post by Gerard
Post by Rob Sterenborg
Just a thought before going there: I didn't see much of your PF
config on this list apart from some snippets (that doesn't
automagically mean that I would be able to help you if you did post
more of it). I can understand that and it is your good right not to
show it but it's hard to support a config you don't fully know.
When going to the Postfix list, be prepared to explain what you've
already done and to post the (sanitized) output of postconf -n, maybe
other (sanitized) information. The problem may be completely
something else that we haven't thought of because the rest of the PF
config is unknown to us. Some PF guru on that list will most likely
want to see it to support you.
From personal experience, if you post the 'sanitized' version of
"postconf -n' rather than the full output of that command, you leave
yourself open to abuse.
I'm sorry if I wasn't clear on that; I'm not native English: I guess
"sanitize" was not the correct word.. I meant to say what you are saying
below but your comment is more in depth.

What I don't understand however, is how I would be open to abuse by
sending a sanitized version op postconf -n instead of the original
output. The full original output certainly can contain information you
don't want to spread on the list. With sanitized I meant that the output
of postconf -n would have that information obfuscated.
Post by Gerard
If you do decide to obscure domain names, be sure to do it
consistently throughout the file. DO NOT obscure IP addresses.
1) postconf -n
2) Complete list of modifications to master.cf
3) Relevant mail log entries.
You may need to run Postfix in debug mode. Someone will inevitably
inform you of that detail if it needs to be done.
As a long time user of Postfix, I can attest to the assistance I have
received on their forum, provided I played by their rules.
Grts,
Rob
Gerard
2007-07-06 12:18:58 UTC
Permalink
On July 06, 2007 at 06:50AM Rob Sterenborg wrote:

[snip]
Post by Rob Sterenborg
I'm sorry if I wasn't clear on that; I'm not native English: I guess
"sanitize" was not the correct word.. I meant to say what you are saying
below but your comment is more in depth.
What I don't understand however, is how I would be open to abuse by
sending a sanitized version op postconf -n instead of the original
output. The full original output certainly can contain information you
don't want to spread on the list. With sanitized I meant that the output
of postconf -n would have that information obfuscated.
We are probably talking about the say thing. I was under the
impression that you meant for the OP to send only selected portions of
the output of 'postconf -n' rather than the entire output. The problem
is that so many users, especially those using 'virtual' addressing, or
anything to do with 'virtual', redact the file so badly that nobody
is able to easily spot where the problem is. To obscure a domain name,
when the poster is in fact using that same name in his/her email
address is ridiculous. In any case, the more complete the information
that is supplied is, the better chance of getting a satisfactory
response.
--
Gerard
Seamus Allan
2007-07-09 03:41:02 UTC
Permalink
I suspect I have solved the problem.
After trying to set up sender domain verification (to prevent stuff from
***@fghi.com) I discovered that people who had their domains with us
could not send email, giving a 430 Domain not found error. (Needless to
say the phones started ringing immediately!). I then realised that
Postfix wasn't using the relay map to determine whether a domain existed
or not, it just did a dns lookup, in our case to our internal dns
server. The internal DNS is used essentially only for the intranet and a
few hostnames of servers, so most domains that it is 'authoritative' for
only have A records for www.domain.com. So when postfix was querying to
see whether domain.com existed, the DNS was giving no results and
thusly, the 430 error popped up. After fixing the DNS up, the sender
domain verification worked, and I have just turned on the recipient
verification back on to see whether that is fixed too.

Cheers all

Seamus
--
*Seamus Allan*
Network Engineer
Rheel Electronics Ltd
Phone +64-3-386 3070 Fax +64-3-386-3071
Mobile +64-21-178-2980
***@rheelweb.co.nz
www.rheel.co.nz

This e-mail together with any attachments is confidential, may be
subject to legal privilege and may contain proprietary information,
including information protected by copyright. If you are not the
intended recipient, please do not copy, use or disclose this e-mail;
please notify us immediately by return e-mail and then delete this e-mail.
Continue reading on narkive:
Loading...