DevHeads.net

Postings by Voytek Eymont

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

I've now noticed this warning; this user is on a dynamic IP, so I can't add
his IP to an exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from d27-99-95-44.bla2.nsw.optusnet.com.au[27.99.95.44] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from d27-99-95-44.bla2.nsw.optusnet.com.au[27.99.95.44

temp avoiding RBL block with client_checks OK?

one of the users is waiting for an email from a server currently listed on
http://www.dnsbl.manitu.net/lookup.php?value=203.12.160.162

chances are it might get fixed in 12 hours, or, maybe not

short of removing dnsbl.manitu.net from my RBL checks, is there a way to
'bypass' this current predicament and allow mails from the IP/host?

can I simply put the IP? the hostname? both? in /etc/postfix/client_checks?

or is it /etc/postfix/sender_checks? as so:

203.12.160.162 OK
mail12.tpgi.com.au OK

from main.cf:

t/s missing inbound mails with limited info

I've noticed I'm missing certain inbound emails addressed to me; the sender's
IT support is of limited help, as when I asked for any rejection notice or
the IP of the sending server I was told "Please be informed that we
couldn't see failure/rejection notice from our end as we have received the
response from our transactional email provider which we are using in the
system."

I was told 'we rectified the error', but I don't think I'm getting these
emails, and the sender is of no help with any info

looking at header of one email that I have received, they are using
amazonses.com.

4.7.0 too many connections from Tbird client

one of the users reported getting this on the TBird client:

"Alert an error occurred when sending mail: the mail server sent incorrect
greeting 4.7.0 error too many connections from 110.170.19.146"

# grep '110.170.19.146' /var/log/maillog | wc
1349 24838 304573

I've tried
# grep 'too many' /var/log/maillog
Jan 23 22:13:24 geko postfix/postscreen[14348]: NOQUEUE: reject: CONNECT
from [113.121.240.227]:64523: too many connections
Jan 23 23:32:43 geko postfix/postscreen[14348]: NOQUEUE: reject: CONNECT
from [113.121.240.227]:55473: too many connections
Jan 24 06:42:00 geko postfix/postscreen[3426

fwd to non-existent service, how to recover?

in the process of attempting to set up amavisd-new with postfix, I had a
line like so in amavisd.conf

# forward to a smtpd service providing DKIM signing service
forward_method => 'smtp:[127.0.0.1]:10027',

BUT, don't have such service...

so, I now have a bunch of emails failing with Temporary MTA failure

how can I get these 'stuck' emails to 'skip' the non-existent 10027 service?

V

Jan 15 22:23:52 geko postfix/qmgr[21832]: D633A660003C: from=< ... at dom dot com>,
size=28792, nrcpt=1 (queue active)
Jan 15 22:24:01 geko amavis[32084]: (32084-04) Blocked MTA-BLOCKED
{TempFailedOutbound}, ORIGIN

check_sasl_access' ignored: no SASL support

I'm in the process of enabling postscreen, and just noticed I started
getting these warnings today, after editing/adding postscreen

Jan 11 13:03:12 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support
Jan 11 13:03:54 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support
Jan 11 13:04:39 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support

looking at log events for one of these, I see like[1]:

in my /etc/postfix/main.cf I have

# grep check_sasl_access main.cf
check_sasl_access

migrating mail server: force oldsrvr to newsrvr

I'm in the process of migrating an old server with postfix 2.x to a new server with 3.x

new server uses almost identical postfix/dovecot/mysql virtual
domains/users configuration, so currently, both servers are set up for
aaa.tld, bbb.tld, ccc.tld

I've edited the MX for aaa; aaa's email started arriving at the new server
(and some at the old server); after a couple of days it's all good, with some
emails on the old server

to do this properly, when I edit the MX of bbb (old to new server), should I
tell the old server to relay? forward?

ot: MySQL config/tuning advice

I have an old server, Postfix 2.x with MySQL, migrating to Postfix 3.x on a
new CentOS 7 MariaDB 10.2, virtual user/domain, maybe 20 domains/100 users,
see abbreviated usage summary [1]

the new server has been up and running a few weeks with just a handful of
users; just now I transferred another domain/25 users across to the new
server, and within a few hours started getting mysql 'issues'; it looks like
I don't have enough mysql resources

Jan 4 00:12:39 postfix/proxymap[28038]: warning: connect to mysql server
127.0.0.1: Lost connection to MySQL server at 'reading initial
communication packet', system error:

backwards compatibility questions 2.1 to 3.x

I have 3.2.4 with /etc/postfix from 2.1, virtual domains/virtual users in
mysql

I have not yet set "postconf compatibility_level=2"; "Postfix is running
with backwards-compatible default settings"

grep backward /var/log/maillog* (apart from warning about it) gives:

/var/log/maillog:

Dec 25 04:17:03 geko postfix/trivial-rewrite[4747]: using
backwards-compatible default setting append_dot_mydomain=yes to rewrite
"brandnew" to "brandnew.sbt.net.au"
Dec 27 15:35:55 geko postfix/trivial-rewrite[19201]: using
backwards-compatible default setting append_dot_mydomain=yes to rewrite
"iZ94nt9sb5tZ"

Outlook 2010 smtp auth probs?

this might be off topic; I'm not sure if I have an issue with the Postfix
setup, or just the end user's email client setup:

I have an old postfix 2.1 server, migrating to a new 3.x; I copied over the
2.1 /etc/postfix, and all seemed OK till now, trying to set up an Outlook
2010 client

as I don't have Outlook 2010 to hand, I've installed 2016 and tested the
account setup; all worked, both IMAP and 587/SMTP auth

the end user in question is remote to me; 2010 seems to have different
options than the 2016 I have tested

the Outlook system is remote to me; it's possible the end user screwed
something up

on Outlook, the setup for old 2

TLS library problem: error:140760FC:SSL routines, is it a problem?

whilst installing/configuring the 2.1 to 3.2.x migration
(using the 2.1 main/master on the 3.2 install), I noticed these errors:

anything to worry about?

# grep 'TLS library problem' /var/log/maillog*
/var/log/maillog:Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS
library problem: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
/var/log/maillog:Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS
library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong
version number:s3_srvr.c:977:
/var/log/maillog-20171224:Dec 21 05:25:49 geko postfix/smtpd[

migrating 2.1 to 3.x, what else is needed?

I'd like to update and migrate my current Postfix 2.1 to an up-to-date
version; it's a Postfix/Dovecot/MySQL/smtp auth/virtual domains/users setup

I've installed a new CentOS 7 with ghettoforge postfix 3.2.4/dovecot, and
copied over /etc/postfix and /etc/dovecot, after some minor edits (remove
policyd 1.x, add postfwd, edit IPs/host names, letsencrypt, etc)

it seems to work OK, only some warnings; can send/receive

so I should now run this, yes?

ot: policy d server suggestions?

I currently have Postfix 2.1 with vdomains/vusers, mysql with policyd 1.x for graylisting and throttle, all works well.

Looking at migrating/moving to an up-to-date Postfix/Dovecot/MariaDB server; I tried installing Cluebringer 2.0/2.1, getting multiple SQL errors at setup, and it seems it's not the best choice.

Looking at the Postfix page, there are multiple choices; looking for some suggestions/recommendations for a policy server:

small server, maybe 200+ users total, 30+ domains, plain Postfix/Dovecot/SQL setup, looking for greylisting, throttling (to control hacked smtp auth?)
What other thing

ot: policyd advice

I have an 'old' Postfix 2.1 CentOS 6 server, all running well; looking at
setting up a more up-to-date server and Postfix

the old server was not installed by me; just now I've realized I have a policy
daemon I was not aware of (obviously it was running OK...)

from main.cf
...
smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    check_sasl_access hash:/etc/postfix/sasl_access
    permit_sasl_authenticated,
...

Q1: in a mu

migrating 2.1 to 3.x?

I currently have Postfix 2.11 /MySQL on Centos 6, looking at migrating to
current Postfix.

current server:
CentOS release 6.x
mail_version = 2.11.0

new server:
CentOS 7.3
mail_version = 2.10.1

reading some of the ML posts: is ghettoforge the way to do it?
http://ghettoforge.org/index.php/Postfix

what can or should I do with the current main.cf?

exempting user or domain from one RBL check?

I have a user's inbound mail blocked by barracudacentral; is there a way
to exempt this particular user/domain from this particular RBL check?

or what else can or should I do?

this is the only known issue with barracuda I have, and otherwise it seems
quite effective, I think?

smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    check_sasl_access hash:/etc/postfix/sasl_access
    permit_sasl_authenticated,

ot: 554 No SMTP service here

dumb question:

if I get 'connection closed' as below, does that confirm the problem is at
the remote end, not my Postfix?

are there any other diags I can run from my end?

Postfix works well, but can not send to one particular server

from my Postfix server, I get a telnet failure as so:

# telnet 115.70.161.114 25
Trying 115.70.161.114...
Connected to 115.70.161.114.
Escape character is '^]'.
554 No SMTP service here.
Connection closed by foreign host.

from a Win box on another network I get though

ot: 554 No SMTP service here

struck a problem sending to a particular server, get 554;
everything else works fine, server unaltered since setup a while back

how can I troubleshoot this?

Mar 3 06:36:56 emu postfix/smtp[25322]: 02D124C5D9:
to=< ... at rosscosmetics dot com.au>,
relay=rosstul1.rosscosmetics.com.au[115.70.161.114]:25, delay=17227,
delays=17227/0.01/0.06/0, dsn=4.0.0, status=deferred (host
rosstul1.rosscosmetics.com.au[115.70.161.114] refused to talk to me: 554
No SMTP service here.)

# telnet 115.70.161.114 25
Trying 115.70.161.114...
Connected to 115.70.161.114.
Escape character is '^]'.
554 No SMTP service here.

ot: troubleshooting MX issue (?)

I'm unable to send an email to "a. ... at surfacetreatment dot be", getting
"domain not found".

it seems to me they're misconfigured and don't have MX set correctly?

or am I misinterpreting this, mxtoolbox finds an MX?

fwiw, web surfacetreatment.be redirects to surfacetreatment.nl

thanks for help, explanation and any pointers

Mar 1 08:58:53 emu postfix/smtpd[22849]: NOQUEUE: reject: RCPT from
localhost[127.0.0.1]: 450 4.1.2 <a. ... at surfacetreatment dot be>: Recipient
address rejected: Domain not found; from=< ... at sbt dot net.au>
to=<a. ... at surfacetreatment dot be> proto=ESMTP helo=<sbt.net.au>

# dig -t MX su

whitelisting to correct rbl false positives

just noticed some email sent from gmail/google bouncing from my server as
the sorbs RBL had that server/host listed;

Nov 17 12:56:47 emu postfix/smtpd[16381]: NOQUEUE: reject: RCPT from
mail-ua0-f170.google.com[209.85.217.170]: 554 5.7.1 Service unavailable;
Client host [209.85.217.170] blocked using dnsbl.sorbs.net; Currently
Sending Spam See: http://www.sorbs.net/lookup.shtml?209.85.217.170;
from=< ... at tld dot au> to=< ... at xyz dot au> proto=ESMTP
helo=<mail-ua0-f170.google.com>

what is the correct way to whitelist gmail/google

I have like this in main.cf[1]

so I should enter gmail into /etc/postfix/

incoming queue question: 'not found'

I monitor the Postfix queue with Cacti; normally I see a warning on the
deferred queue, charts in red, sends a threshold warning, when there are some
issues

today, for the first time ever, I see the incoming queue in Cacti growing, up
to 14/16 (charts blue); never observed that before...?

mailq gives nothing, pfqueue has like(1);

how to better assess what's going on?

Queue: 'incoming', 7 messages, 0 tagged, unsorted
ATCSB
ID From To
E29D64CBC2 *Not found* *Not found*
1B8654CBC1 *Not found* *Not fou

ot: exempting black listed domain for a user?

I have a user who can not receive emails as his correspondent's domain is currently on multiple rbls.

As an interim measure, should I look at temporarily allowing this domain?

Or is that a bad idea; shouldn't I consider such temp workarounds?

domain in question:

Checking ckchaiseree.com which resolves to 119.59.120.56 against 107 known blacklists...
Listed 7 times.

Blacklist Reason
LISTED CBL
119.59.120.56 was listed
LISTED ivmSIP
119.59.120.56 was listed
LISTED ivmSIP24
119.59.120.56 was listed
LISTED Protected Sky
119.59.120.56 was listed
LIS

ot: poor reputation workarounds? standby smtp?

I have a small Postfix/Dovecot virtual server, low usage;
every so often a user account gets compromised and spam sent (like a couple
of days ago); now I'm seeing 5 or 6 emails 'stuck' in the queue with like:

(host mail2.abcdef.com[217.xx.xx.xx] refused to talk to me:
554-mail1.abcdef.com 554 Your access to this mail system has been rejected
due to the sending MTA's poor reputation.

ot: pre-emptive throttling/limiting?

I have a small server with several domains; I always worry some dumb user's
account will get hacked and start spamming (including this dumb user:
like, my own forgotten test account got hacked....)

is it a good idea to put some limits or throttling in place 'just in case'?

Postfix 2.11, average server usage is like:
Per-Day Traffic Summary

mime header and header pcre Q

I was updating file type definitions in my header checks when I noticed I
have header checks as well as mime header checks:

/etc/postfix/main.cf

header_checks = pcre:/etc/postfix/header_checks.pcre
mime_header_checks = pcre:$config_directory/mime_headers.pcre

header_checks has (now updated) "/^Content-(Disposition|Type)...." AND
lots of old rules from Jim Seymour's page and the securitysage page and stuff
from the ml;

mime_header_checks has just "/^Content-(Disposition|Type)...." AND nothing
else

do I need both?
do I need "/^Content-(Disposition|Type)...." in both checks?

thanks for any po

header .com check false positive

I've struck a false positive problem rejecting email:
it should reject on the file extension '.com', but rejected on a domain name
as below(1):

I think this is the rule?:

# grep "may not end with" *head*

mime_headers.pcre:/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
REJECT Attachment name "$2" may not end with ".$3"

main.cf:mime_header_checks = pcre:$config_directory/mime_headers.pcre

rate limit compromised sasl senders?

is there a way to block or rate limit compromised sasl senders?

postconf -d | grep mail_version
mail_version = 2.11.0

grep limit main.cf

recipient_delimiter = +
message_size_limit = 20971520
dovecot_destination_recipient_limit = 1
smtpd_client_connection_rate_limit = 50

grep sasl_username= ... at example dot com.au /var/log/maillog | wc
6374 57366 902481

...
Oct 27 22:11:42 emu postfix/smtpd[20784]: 391BF24ECEA:
client=unknown[81.196.92.93], sasl_method=PLAIN,
sasl_username= ... at example dot com.au
Oct 27 22:11:45 emu postfix/smtpd[20732]: 10A0924EC8B:
client=unknown[81.196.92.93], s

aliased domain works for test user, doesn't for another

I have Postfix/MySQL/Postfixadmin/Dovecot; using postfixadmin I've aliased
one domain to another

using a mailbox for myself for testing, I sent emails to the aliased domain,
both from outside (gmail) and through this server, and received them OK in my
own mailbox.

BUT, when I tried sending to a different user, I got "User unknown in virtual
mailbox table"

what am I missing?

fails to ... at aa dot com

Oct 11 22:38:59 emu postfix/smtpd[1506]: NOQUEUE: reject: RCPT from
mail-io0-f182.google.com[209.85.223.182]: 550 5.1.1 < ... at aa dot com>: Recipient
address rejected: User unknown in virtual mailbox table;
from=<voytek.e@g

Re: blocking compromised sasl users?

Nicolás, thanks

no
# grep 104.200 main.cf
#

yes

how to do that?

blocking compromised sasl users?

it looks like I have a couple of compromised user accounts on one of the
domains on this server; I've changed the user password and then even deleted
the user (through postfixadmin), but that didn't help..?