DevHeads.net

Postings by Voytek Eymont

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from d27-99-95-44.bla2.nsw.optusnet.com.au[27.99.95.44] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from d27-99-95-44.bla2.nsw.optusnet.com.au[27.99.95.44

block 'new style' TLDs ?

as of recently started getting heaps of spam from all kind of new domains
all ending in '.best'

what's the best way to block that, block entire '*.best' ?
how and where ?

or ?

thanks

using version 3.4.7

V
Return-Path: < ... at resolutionwine dot best>
Received: from resolutionwine.best (unknown [160.20.109.72])
by geko.sbt.net.au (Postfix) with ESMTP id B36914195027
for <vvvv>; Thu, 24 Oct 2019 06:53:21 +1100 (AEDT)
MIME-Version: 1.0

ot: dkim "fail (message has been altered)" ?

I'm attempting to implement dkim/dmarc, noticed that many spam messages
have like "fail (message has been altered)":

Authentication-Results: geko.sbt.net.au (amavisd-new);
dkim=pass (1024-bit key) header.d=dossierinfotech.in.net;
domainkeys=fail (1024-bit key)
reason="fail (message has been altered)"
header.from= ... at dossierinfotech dot in.net
header.d=dossierinfotech.in.net

is that something that can be rejected/blocked in Postfix, and how? or
where should that be utilized ?

thanks,

Voytek

opendmarc.dat Permission denied issues

I'm trying to setup DKIM & DMARC, set it few days ago, it seemed to be
working ok(?), well, I didn't notice errors

noticed today multiple "Permission denied" errors since last night, across
multiple domains

grep " Permission denied" /var/log/maillog | wc
1943 19430 200491

May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
/var/run/opendmarc.dat: fopen(): Permission denied

# grep AAADD4E821C9 /var/log/maillog
May 29 13:41:41 geko postfix/smtpd[30596]: AAADD4E821C9:
client=mail01.hello.zendesk.com[142.0.163.127]
May 29 13:41:42 geko postfix/cleanup[30785]: AAADD4E821C9:
message-id=<3

DKIM doubled, which one to remove?

following earlier advice here, I've finally tried to set DKIM

I think I'm getting there, but I've noticed it's doubling up[1], with amavis

which one should be bypassed, and, how to do so ?

thanks, V

from main.cf
..
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp-amavis_destination_recipient_limit = 1
..
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

[1]
# grep 711344531867 /var/log/maillog
May 24 15:15:08 geko postfix/smtpd[20479]: 711344531867:
client=mail.wintemo.eu[89.163.128.70]
May 24 15:15:09 geko pos

GF 3.3, unsupported dictionary type: mysql

I'm trying to migrate server to new vm, installed postfix* from GF (1)

but, after copying over main.cf/master.cf get this:

Apr 6 00:34:46 emu postfix/proxymap[15601]: error: unsupported dictionary
type: mysql
Apr 6 00:34:46 emu postfix/proxymap[15601]: error: unsupported dictionary
type: mysql
...

postconf shows no mysql

Centos 6

daemon started -- version 3.3.3, configuration /etc/postfix

Linux 2.6.32-754.10.1.el6.x86_64 #1 SMP Tue Jan 15 17:07:28 UTC 2019
x86_64 x86_64 x86_64 GNU/Linux

what did I do wrong ?

# yum shell --enablerepo=gf-plus
Loaded plugins: fast

intermittent sasl auth fails?

I have a user with TBird saying they get occasional error when trying to
send with SASL AUTH, looking at log, I see this;

Mar 17 22:10:44 postfix/smtpd[11975]: connect from
111-222-333-444.static.tpgi.com.au[111.222.333.444]
Mar 17 22:10:45 postfix/smtpd[11975]: Anonymous TLS connection established
from 111-222-333-444.static.tpgi.com.au[111.222.333.444]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 17 22:10:47 postfix/smtpd[11975]: warning:
111-222-333-444.static.tpgi.com.au[111.222.333.444]: SASL PLAIN
authentication failed:
Mar 17 22:10:53 postfix/smtpd[11975]: warnin

DKIM setup writeup for multi domain?

I'm looking at adding DKIM to my Postfix

is there some up to date DKIM setup write up for multi domain Postfix
setup ? most of the ones I've found are for single domain, and, use
different setups, hence I'm trying to figure out what's the best way to
set this up.

V

server migration question

I have Postfix/Dovecot/Mysql on Centos 7 with mail_version = 3.2.4

setup new server same hostname as old server with mail_version = 3.3.3
using same hostname as old server

the thought was to change A records to point mailserver hostname to new
server IP at switch over time

is that an OK idea ?

what do I then need to set the old server to forward all mail to new server ?

migrating/cloning 3.2.4 > 3.3.2?

I have an existing Postfix/Dovecot/Mysql on Centos 7, I'm attempting to
clone/duplicate existing 3.2.4 to new 3.3.2

after installing from GF RPM 3.3.2, I've copied/overwrote /etc/postfix old
I've temporarily commented out two smtpd recipients restriction (as they
were rejecting my 'telnet localhost' basic test), and it seems working, I
can send test email using telnet localhost to gmail.

I don't currently see errors or warnings in maillog

what else should I be checking/testing/adding/removing ?

comments or suggestions on current

client incorrect greeting error, how to resolve?

I have a user reporting from time to time getting:
"An error occurred while sending mail. Mail server sent incorrect greeting
4.7.0 geko.sbt.net.au error too many connections from 147.50.1.226"

is this a Thunderbird issue ?

when I search like below, I get nothing, what am I doing wrong?

and, how to fix this, is there anything at this end ? user end ?

# grep 147.50.1.226 /var/log/maillog | wc
407 7142 79129
# grep 147.50.1.226 /var/log/maillog | grep error
# grep 147.50.1.226 /var/log/maillog | grep Error
# grep 147.50.1.226 /var/log/maillog | grep greeting

rejecting 'nested' from address ?

a user started getting many spam/malware with like 'nested' from:

<" ... at cinkmedia dot comgeranc"@gmail.com>

<" ... at cinkmedia dot com.abc"@expertsmeetings.org>

I'm waiting for a full header from him, can anything be done in Postfix ?
or where ? to reject/block ?

V

advice on postscreen setup / exception / dnsbls

I've recently updated Postfix from 2.1, and, enabled postscreen, all's
working well, though, just picked up a false positive:

several users inbound mail blocked with dnsbl.spfbl.net

I have like:

# grep spfbl.net main.cf
postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
bl.spamcop.net*2, dnsbl.spfbl.net*2,

as this is a gov.au server, should I whitelist health.gov.au ? or sge.net
?

temp avoiding RBL block with client_checks OK?

one of the users is waiting for an email from server currently listed on
http://www.dnsbl.manitu.net/lookup.php?value=203.12.160.162

chances are it might get fixed in 12 hours, or, maybe not

short of removing dnsbl.manitu.net from my RBL checks, is there a way to
'bypass' this current predicament, and, allow mails from the IP/host?

can I simply put IP ? hostname ? both ? in /etc/postfix/client_checks ?

or is it /etc/postfix/sender_checks ? as so:

203.12.160.162 OK
mail12.tpgi.com.au OK

from main.cf:

t/s missing inbound mails with limited info

I've noticed I'm missing certain inbound emails addressed to me, the IT
support of sender is of limited help, as when I've asked for any rejection
notice or IP of sending server I was told "Please be informed that we
couldn't see failure/rejection notice from our end as we have received the
response from our transactional email provider which we are using in the
system."

I was told 'we rectified the error', but, I don't think I'm getting these
emails, and, the sender is of no help with any info

looking at header of one email that I have received, they are using
amazonses.com.

4.7.0 too many connections from Tbird client

one of the users reported getting on TBird client:

"Alert an error occurred when sending mail: the mail server sent incorrect
greeting 4.7.0 error too many connections from 110.170.19.146"

# grep '110.170.19.146' /var/log/maillog | wc
1349 24838 304573

I've tried
# grep 'too many' /var/log/maillog
Jan 23 22:13:24 geko postfix/postscreen[14348]: NOQUEUE: reject: CONNECT
from [113.121.240.227]:64523: too many connections
Jan 23 23:32:43 geko postfix/postscreen[14348]: NOQUEUE: reject: CONNECT
from [113.121.240.227]:55473: too many connections
Jan 24 06:42:00 geko postfix/postscreen[3426

fwd to no existent service, how to recover ?

in the process of attempting to setup amavisd-new with postfix, I had a
line like so in amavisd.conf

# forward to a smtpd service providing DKIM signing service
forward_method => 'smtp:[127.0.0.1]:10027',

BUT, don't have such service...

so, I now have a bunch of emails failing with Temporary MTA failure

how can I get these 'stuck' emails to 'skip' the non existent 10027 service ?

V

Jan 15 22:23:52 geko postfix/qmgr[21832]: D633A660003C: from=< ... at dom dot com>,
size=28792, nrcpt=1 (queue active)
Jan 15 22:24:01 geko amavis[32084]: (32084-04) Blocked MTA-BLOCKED
{TempFailedOutbound}, ORIGIN

check_sasl_access' ignored: no SASL support

I'm in the process of enabling postscreen, and, just noticed started
getting these warnings today, after editing/adding postscreen

Jan 11 13:03:12 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support
Jan 11 13:03:54 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support
Jan 11 13:04:39 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support

looking at log events for one of these, I see like[1]:

in my /etc/postfix/main.cf I have

# grep check_sasl_access main.cf
check_sasl_access

migrating mail server: force oldsrvr to newsrvr

I'm in the process of migrating old server postfix 2.x to new server 3.x

new server uses almost identical postfix/dovecot/mysql virtual
domains/users configuration, so currently, both servers are set up for
aaa.tld, bbb.tld, ccc.tld

I've edited MX for aaa, aaa's email start arriving at new server (and,
some at old server), after couple days, it's all good, some emails on old
server

to do this properly, when I edit MX of bbb (old to new server), I should
tell old server to relay? forward ?

ot: MySQL config/tuning advice

I have old server Postfix 2.x with MySQL, migrating to Postfix 3.x on a
new Centos 7 MariaDB 10.2, virtual user/domain, maybe 20 domain/100 users,
see abbreviated usage summary [1]

new server has been up and running few weeks with just a handful users,
just now, transferred another domain/25 users across to new server, and,
within few hours started getting mysql 'issues', it looks like I don't
have enough mysql resources

Jan 4 00:12:39 postfix/proxymap[28038]: warning: connect to mysql server
127.0.0.1: Lost connection to MySQL server at 'reading initial
communication packet', system error:

backwards compatibility questions 2.1 to 3.x

I have 3.2.4 with /etc/postfix from 2.1, virtual domain/virtual users in
mysql

have not as yet set "postconf compatibility_level=2", "Postfix is running
with backwards-compatible default settings"

grep backward /var/log/maillog* (apart from warning about it) gives:

/var/log/maillog:

Dec 25 04:17:03 geko postfix/trivial-rewrite[4747]: using
backwards-compatible default setting append_dot_mydomain=yes to rewrite
"brandnew" to "brandnew.sbt.net.au"
Dec 27 15:35:55 geko postfix/trivial-rewrite[19201]: using
backwards-compatible default setting append_dot_mydomain=yes to rewrite
"iZ94nt9sb5tZ"

Outlook 2010 smtp auth probs ?

this might be off topic, I'm not sure if I have an issue with Postfix
setup - or just end user email client setup:

I have old postfix 2.1 server, migrating to new 3.x, copied over 2.1
/etc/postfix, all seemed OK till now trying to setup an Outlook 2010
client

as I don't have Outlook 2010 to hand, I've installed 2016, tested account
setup, all worked, both IMAP and 587/SMTP auth

the end user in question is remote to me, 2010 seems to have different
options than 2016 I have tested

the Outlook system is remote to me, it's possible end user screwed
something up

on Outlook, the setup for old 2

TLS library problem: error:140760FC:SSL routines, is it a problem ?

whilst installing/configuring 2.1 to 3.2.x migration
(using 2.1 main/master on 3.2 install), noticed these errors:

anything to worry about ?

# grep 'TLS library problem' /var/log/maillog*
/var/log/maillog:Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS
library problem: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
/var/log/maillog:Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS
library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong
version number:s3_srvr.c:977:
/var/log/maillog-20171224:Dec 21 05:25:49 geko postfix/smtpd[

migrating 2.1 to 3.x, what else is needed ?

I'd like to update and migrate my current Postfix 2.1 to an up to date
version, it's a Postfix/Dovecot/MySQL/smtp auth/ virtual domains/users

I've installed new Centos 7 with ghettoforge postfix 3.2.4 /dovecot, and,
copied over /etc/postfix etc/dovecot, after some minor edits (remove
policyd 1.x, add postfwd, edit IPs/host names, letsencrypt, etc)

it seems to work OK, only some warnings, can send/receive

so I should now run this, yes ?

ot: policy d server suggestions?

I currently have Postfix 2.1 with vdomains/vusers, mysql with policyd 1.x for graylisting and throttle, all works well.

Looking at migrating/ moving to an up to date Postfix Dovecot MariaDB server, tried installing Cluebringer 2.0/2.1, getting multiple SQL errors at setup, and, it seems it's not best choice.

Looking at Postfix page, there are multiple choices, looking for some suggestions/ recommendations for a Policy server:

small server, maybe total 200+ users, 30+ domains, plain Postfix/Dovecot/SQL setup, looking for greylisting, throttling (to control hacked smtp auth?)
What other thing

ot: policyd advice

I have an 'old' Postfix 2.1 Centos 6 server, all running well, looking at
setting a more up to date server and Postfix

old server was not installed by me, just now I've realized I have policy
daemon I was not aware of (obviously was running OK...)

from main.cf
...
smtpd_recipient_restrictions =
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
check_policy_service inet:127.0.0.1:7777,
permit_mynetworks,
check_sasl_access hash:/etc/postfix/sasl_access
permit_sasl_authenticated,
...

Q1: in a mu

migrating 2.1 to 3.x ?

I currently have Postfix 2.11 /MySQL on Centos 6, looking at migrating to
current Postfix.

current server:
CentOS release 6.x
mail_version = 2.11.0

new server:
CentOS 7.3
mail_version = 2.10.1

reading some of the ML posts: is ghettoforge the way to do it ?
http://ghettoforge.org/index.php/Postfix

what can or should I do with current main.cf ?

exempting user or domain from one RBL check ?

I have a user's inbound mail blocked by barracudacentral, is there a way
to exempt this particular user/domain from this particular RBL check ?

or what else can or should I do ?

this is the only known issue with barracuda I have and, otherwise it seems
quite effective, I think ?

smtpd_recipient_restrictions =
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
check_policy_service inet:127.0.0.1:7777,
permit_mynetworks,
check_sasl_access hash:/etc/postfix/sasl_access
permit_sasl_authenticated,

ot: 554 No SMTP service here

dumb question:

if I get 'connection closed' as below, does that confirm problem is at
remote end, not my Postfix ?

is there any other diags I can run from my end ?

Postfix works well, but, can not send to one particular server

from my Postfix server, I get telnet failure as so:

# telnet 115.70.161.114 25
Trying 115.70.161.114...
Connected to 115.70.161.114.
Escape character is '^]'.
554 No SMTP service here.
Connection closed by foreign host.

from a Win box on another network I get though

ot: 554 No SMTP service here

struck a problem sending to a particular server, get 554
everything else works fine, server unaltered since setup a while back

how can I troubleshoot this ?

Mar 3 06:36:56 emu postfix/smtp[25322]: 02D124C5D9:
to=< ... at rosscosmetics dot com.au>,
relay=rosstul1.rosscosmetics.com.au[115.70.161.114]:25, delay=17227,
delays=17227/0.01/0.06/0, dsn=4.0.0, status=deferred (host
rosstul1.rosscosmetics.com.au[115.70.161.114] refused to talk to me: 554
No SMTP service here.)

# telnet 115.70.161.114 25
Trying 115.70.161.114...
Connected to 115.70.161.114.
Escape character is '^]'.
554 No SMTP service here.