DevHeads.net

Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link http://www.postfix.net/RESTRICTION_CLASS_README.html which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1

main.cf
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from d27-99-95-44.bla2.nsw.optusnet.com.au[27.99.95.44] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from d27-99-95-44.bla2.nsw.optusnet.com.au[27.99.95.44

best practice for HA cluster

Hello

Which work method do you guys prefer for ha with postfix?

2 postfix nodes with f5 load balancer active passive and shared storage for the queue
How can you share config between active and passive ?

Problems invoking amavis from postfix

I am building a new system on CentOS7 that has postfix 2.10.1 and
amavis-new 2.11.1

I am working from my notes of 2 years ago when I last did this
successfully so either something has changed since then (quite likely),
or I am missing something from my notes (also quite likely).

For main.cf I run:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'

Then I append to the default master.cf (working from my understanding
that the last instruction in master.cf encountered is the one applied,
rather than trying to edit what is there):

#
================================================

Stopping acceptance from unowned networks address as from my domains

I got this email, which I thought I set up postfix to block

From ... at mrbrklyn dot com Wed Feb 6 06:26:12 2019
Return-Path: < ... at mrbrklyn dot com>
X-Original-To: ... at mrbrklyn dot com
Delivered-To: ... at mrbrklyn dot com
Received: from mail.isentia.asia (mail.mediabanc.ws [203.223.144.88])
by mrbrklyn.com (Postfix) with ESMTP id BE463161132
for < ... at mrbrklyn dot com>; Wed, 6 Feb 2019 06:25:50 -0500 (EST)
Received: from fixed-187-189-92-126.totalplay.net (187.189.92.126) by
mail.mediabanc.ws (10.61.3.33) with Microsoft SMTP Server id
8.1.240.5; Wed,
6 Feb 2019 15:3

SMTP_HELO_NAME can cause Blacklist triggers

I learned the hard way that if you don't set $myhostname to a FQDN you can quickly end up on a black list despite having valid SPF records.
The documentation is IMO insufficiently clear that $myhostname MUST be fully qualified and that Postfix will NOT tack on $mydomain if no 'dots' are detected.

Sure, this could be chalked up to "stupid admin error" but doesn't it make sense to either warn about a short $myhostname during server startup and/or add code to smtp_proto.c before calling smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name) that if 2 dots are not found in $myhostname to automatic

Mysql and postfix mail queue

hello you all

Can I set a mysql database for the mails that are in the mail queue to get
sent? and map that database to two postfix servers that are behind a F5 load
balancer set active passive?

so if active goes down the second one still could send the mails in the
database.

or should we every time transfer the flat mail files from one host to the
other if active server fails?

Google blocking...again...

I'm about at my wits end with Google.

A couple of weeks ago, we had a user account get compromised.

multi smtp for a sub domain

Can somebody help me with this problem? We want to send out to our vessels at sea by ssh connections and a direct vpn, so we want to create for each *@a.vessel.com 2 smtp routes: one will be our vpn, the other the ssh vpn. Can somebody tell me where I can configure this or how I can configure this?

multi smtp relay

Can somebody help me with this problem? We want to send out to our vessels at
sea by ssh connections and a direct vpn, so we want to create for each
*@a.vessel.com 2 smtp routes: one will be our vpn, the other the ssh vpn. Can
somebody tell me where I can configure this or how I can configure this? This
will need to be done for 80 vessels on the server, so I know I will need the
transport map, but as I see it I can only enter one smtp relay host there

Forwarded mail problem

Dear all,

I am having some problems forwarding some emails to Gmail addresses.
Sometimes the emails are bounced because:

This message does not have authentication information or fails to pass
550-5.7.1 authentication checks. To best protect our users from spam,
the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
https://support.google.com/mail/answer/81126#authentication for more
550 5.7.1 information. k11si3359248wrp.39 - gsmtp (in reply to end of
DATA command))

I'm sure that these emails aren't spam.

Can someone explain to me why? Is there some misconfiguration in my mail
server?

downgrading from postfix-3.4 fails - unix-dgram

Downgrading from postfix-3.4 fails with:

[...]
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/smtp.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/smtpd.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/spawn.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/tlsproxy.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/tlsmgr.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/trace.8...
Updating /var/tmp/portage/mail-mt

Support of "\"-like aliases feature?

Recently I rolled out a transition from sendmail to postfix. I've been very
happy with the changes except for one feature, which was supported by
sendmail but I'm not sure what to do about it in postfix.

This is the use of a backslash before a username in the aliases file. A
backslash inhibits further alias expanding. I have found it useful in
certain cases to stop mail loops.

Is there an equivalent feature supported by postfix?

Thanks in advance,

j

Blocked by yahoo.com

Even though this is not a postfix specific issue I was hoping someone in the community could help with this issue.

We recently changed IP addresses as we purchased a /24 to use as we plan to move Internet service providers in the near future.

Once we did this we now get the following from yahoo.com when trying to send email to anyone on their system.

... at yahoo dot com [mailto: ... at yahoo dot com]: host mta7.am0.yahoodns.net[67.195.229.59] said: 553 5.7.2
[TSS09] All messages from x.x.x.x will be permanently deferred;
Retrying will NOT succeed.

disable logging of header_checks FILTER action

hi,

smtp_header_checks = pcre:/etc/postfix/header_chk

/^Subject: .*test.*/ FILTER test:

Postfix then logs:

Jan 30 12:44:16 mx2 postfix/cleanup[19243]: 096B95EAE2: filter: header

How to disable logging of these events? I simply do not want to have
sensitive information (subject) in postfix logs.

Stefan

Sender address rejected, but I didn't ask it to be checked.

Hi,

I have been using postfix for many years. So far whenever I had a problem,
Google or the documentation helped out.
However today I got stuck and have no idea what to do.
This is a new machine, fresh Debian stretch install.
I am trying to use postfix with virtual users, Dovecot imap and
authentication. I have not used virtual users in the past, so maybe there is
some rookie mistake somewhere.

I have set up postfix, the machine can receive and send emails. I have set
up dovecot, I can log in and read the emails that I received.

Rethinking the Postfix release schedule

I'm reconsidering the once-per-year schedule for stable releases.
Basically, a Postfix stable release freezes development at a point
in time, forever. Primarily, this is good for stability.

* In this day and age it seems archaic to have to wait for up to a
year before useful code can be deployed in a stable release.

* The once-per-year schedule makes development a race to get things
into the upcoming release, so that it does not have to wait for
another year.

There is a downside to less than a year between stable releases:
the support time window will become less than four years.

smtp_tls_security_level = dane but have encrypt as fallback

Hi,

we would like to go the next step, enable smtp_tls_security_level = dane.
Currently we have encrypt site-wide.

But in cases where remote sites do not have published key material, the
fallback is may with dane, which is a step back in terms of security and
not wanted.

How can we specify:

1, Always use at least encrypt
2, When TLSA-records are found and valid, use only this to encrypt
3, When no TLSA-records are found or the ones found can not be used, fall
back to encrypt, if not possible, fail.

*Stefan*

address_verify_negative_refresh_time = 30m is ignored

hi,

we have

address_verify_negative_refresh_time = 30m active
(root@mx2:/var/lib/postfix# postconf -n | grep verify
address_verify_negative_refresh_time = 30m)

but the verify behavior is strange.

Jan 23 21:15:21 mx2 postfix/postscreen[Jan 25 15:31:14 mx2
postfix/smtpd[10119]: NOQUEUE: reject: RCPT from
opsmail.colo.comodo.com[91.209.196.133]: 550 5.1.1
< ... at domain dot tld: Recipient address rejected: undeliverable
address: host IP[IP] said: 550 5.1.1 < ... at domain dot tld: Recipient
address rejected: User unknown in virtual mailbox table (in reply to
RCPT TO command); from=<no_reply_supp

flat down postfix to simple local sendmail forwarder

Ok, so the title isn't really helpful, so I try to explain it:

I want to use Apache James as my primary MTA (please don't ask why -
just take it as given). Major issue: james doesn't have a local sendmail
command replacement. So I've looked up apache james doc which is heavily
outdated. Also, I'm running opensuse 15.0 which uses full postfix instead
of sendmail.

Unfortunately, I couldn't find any way to disable smtp-server but keep
rest of postfix running so it will take mails from sendmail command and
process its queue.

Fixing open relay problem

I've been running Postfix for many years now (so thanks to Wietse and all
the others who have put in hard work to make it such a great mail system)
and recently I built a new mail server and copied most of the config files
from the old one.

After a couple of months, I began to notice that it appeared to be getting
used (infrequently) as an open relay, despite my attempts to lock it down
so that couldn't happen. Then, the problem got worse.

Postfix logging without syslogd

postfix-3.4-20190121-nonprod-logger has lightly-tested code for
logging to file without using syslogd.

Changing the imaps port-number

I am trying to change the imaps port-number to a non-standard port (9999)
since it seems that buisness.comcast.net is intercepting the standard imaps
port number and repeated emails requesting that they stop have been ignored.

This is only an issue when I am trying to access my personal mail server
when I am away from home.

I currently have the following configured in 10-master.conf -

service imap-login {
inet_listener imap {
address = 127.0.0.1, ::1
port = 143
}
inet_listener imaps {
port = 9999
}
process_min_avail = 3
service_count = 0
vsz_limit = 1 G
}

But I do

Trying to debug postfix 'unknown mail transport error'

FreeBSD 11.2, Postfix 3.3.2, Dovecot 2.3.4

Random user verification failures are occurring and I am not sure why.

Here's an example -

From /var/log/maillog:

Failure:

Jan 21 12:20:41 ns postfix/smtpd[31736]: NOQUEUE: reject: RCPT from
mta2.email.famousfootwear.com[136.147.183.86]: 450 4.1.1 < ... at mahan dot org>:
Recipient address rejected: unverified address: unknown mail transport
error; from=<
bounce-299_HTML-404541337-2436561-7222883- ... at bounce dot email.famousfootwear.com>
to=< ... at mahan dot org> proto=ESMTP helo=<mta2.email.famousfootwear.com>
....
Jan 21 12:20:41 ns dovecot: lmtp(31763): Conn

Re: Forwarding received mail through AWS SES

On 2019-01-20 14:40, John Stoffel wrote:
The insane reason is phishing spam, and DO ignoring abuse notices.

And this is not an appropriate subject for the Postfix mailing list.

Postfix is wrongly marking CA certificate expired

Randomly postfix is marking this as expired certificate and after some time
marking certificate as valid.
I have verified that certificate is not expired by taking pcap. Let me know
if there is any known defect in postfix of this sort?

Master.cf Transport type - piping to Perl. How can I specify path to Perl?

I have Postfix Admin’s Vacation setup and would like to use the Perl at /usr/local/bin/perl rather than /usr/bin/perl.

I have:

vacation unix - n n - - pipe
flags=DRhu user=_vacation argv="/usr/local/bin/perl /var/spool/vacation/vacation.pl" -f ${sender} -- ${recipient}

But log shows:

2019-01-21 15:48:09.726114+1100 localhost pipe[8806]: 8A484E5F63E: to=<testvacationuser#bordo.com. ... at autoreply dot bordo.com.au>, orig_to=< ... at bordo dot com.au>, relay=vacation, delay=0.25, delays=0.21/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary fail

unsuccessful build of postfix 3.3.2 on solaris (sparc) with sunstudio compiler

Hi postfix-users,

today I have the pleasure to update some sparc machines, that haven't
been touched for more than 2.5 years :/

The systems use sunstudio compiler. Openssl, bind, ... went fine but
now, as it comes to postfix, I'm failing.

Forwarding received mail through AWS SES

Hello,

I use Debian 9 on AWS EC2. If mail is sent directly from EC2 host then
some mail service provider such as Gmail rejects receiving it. So I set up
so that mail is sent through AWS SES with following steps.

1. Obtain SES SMTP credential according to following document
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html
2. Verify domain with SES according to following document
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-domain-procedure.html
3.

spam with double at (fake@domain1@domain2)

hi,

My server is crying with a spam problem. We are receiving a lot of
fake messages with virus attached.

The messages are coming from an account like
... at mydomain dot ... at spammerdomain dot com with content very similar
to the messages sent by our real contacts.

How can I block that? I'm trying with amavisd-new and postgrey but it doesn't work.

Maybe I can use some regexp?

thanks a lot

logfile support for MacOS

I'm implementing logfile support for Postfix on MacOS, because not
providing results in a bad experience.

This is a retrofit workaround, therefore it will have limitations
that do not exist with the default syslog-based implementation.

- The logfile pathname is configured in main.cf, and therefore the
logfile cannot contain information from programs that fail before
they finish processing main.cf and command-line options.

- The logfile is written by a new postlogd daemon.

Question on how to deal with bad recipient address

Hi,

I have a blackbox UPS that sends this email when I look at it with postcat

*** MESSAGE CONTENTS deferred/B/BFE60169 ***
regular_text: Received: from loki.nsd.org (ups-tms.nsd.org [10.145.1.25])
regular_text: by sys.nsd.org (Postfix) with ESMTP id BFE60169
regular_text: for <g. ... at nsd dot org>; Wed, 16 Jan 2019
15:24:32 -0800 (PST)
regular_text: Subject: TMS MDF ALARM USHA Test Message
regular_text: From: < ... at nsd dot org>
regular_text: To:
g. ... at nsd dot org<g. ... at nsd dot org>

Notice that there is no space between nsd.org and <g.emergen...> When I

detecting TLS issues in delivery - Cannot start TLS: handshake failure

Hi,

how can the following error be detected and an instant bounce/reject
be sent to the sender?

-- 880 Kbytes in 3 Requests.
root@mx1:~# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A97288008B 776694 Sun Jan 13 13:14:29 sender@sender
(Cannot start TLS: handshake
failure)
recipient@recipient

Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to recipient.tld[ip]:25:
-1
Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem:
error:141A318A:SSL routines:tls_process_ske_dhe

Accept email with 5xx status code

Hello, is it possible to accept emails with 5xx status code?

Why such behavior? I want to return 5xx status codes when email is
rejected (to prevent sending bounces), but I would like to store copy of
rejected emails in case some inspection would be needed in future.
Storing copy of those emails into one "shared" mailbox is enough (no
need to properly deliver these emails into local accounts).

I have configured spamassassin via milter, so if spamd marks email as
spam, then postfix rejects it via 5xx status code and does not produce
any bounce.

Query about restriction scenario in RESTRICTION_CLASS_README

I am using postfix 3.1.4 on NetBSD 8.

I am trying the idea of setting up a mailing list for a fairly static
group of size not exceeding around 300, with postfix. I am doing this on a
VPS server and want a solution that is conservative on resource footprint,
hence considering doing it with MTA itself. [Please do comment whether
postfix is suitable for this purpose.]

I am able to get the basic aliases functionality, Reply-To header
modification etc.

tls_high_cipherlist with !SEED is ignored

Nessus reports for example TLS_RSA_WITH_SEED_CBC_SHA as weak on our
submission port.

DSN behavior unclear - clarification needed

Hi,

I would like that postfix always sends DSN, when requested by client and
mail got forwarded to next-hop / final destination.

That works on some recipients, but not on all. postfix always sends DSN on
specific destinations (e.g. web.de)

< ... at web dot de>: delivery via mx-ha02.web.de[212.227.17.8]:25: 250 Requested
mail action okay, completed: id=1N0YD0-1hUYlq3qCq-00wNxk

But when mail is sent to some other foreign postfix servers, the
foreign mailserver sends DSN.

How can we specify, that only "our" postfix server sends DSN.

New SASL error when relaying through gmail

Hello,

I have been using postfix on a local machine for a few years to act as a
relay for my domain to send email out through gmail.

This has worked well enough, but I noticed recently that I had some
email queued up and was not getting emails out any longer.

In my maillog, I am seeing these errors:

Jan 14 08:16:18 deathstar postfix/smtp[16142]: 8CBF11E12B5:
to=< ... at my dot domain>, relay=smtp.gmail.com[173.194.203.108]:587,
delay=58297, delays=58297/0.05/0.71/0, dsn=4.7.0, status=deferred (SASL
authentication failed; cannot authenticate to server
smtp.gmail.com[173.194.203.108]: inv

postdrop user maps

Hello!

Is there any option for postdrop which may be equivalent to
smtpd_sender_login_maps option used for sasl?

I have postfix submission configured with
-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit
-o smtpd_sender_login_maps=hash:/my/file
to ensure that authenticated user can use only allowed MAIL FROM
addresses.

And I want something similar to enforce also for postdrop, when email is
not sent via TCP submission port, but rather locally via postdrop or via
/usr/sbin/sendmail wrapper.

Assistance to protect from spam flood

Hi all,
Until recently I did not receive too much spam and had it pretty-much
under control. This week has gone mental. So far this week I have
received 29860 connection attempts from {some_random_number}@qq.com to
{the_same_random_number}@howitts.co.uk.

I have a mail server and two backup MX servers and most of the mail is
arriving via one of the backup servers.

pflogsumm milter patch

Hello,

I have made a small patch for counting milter rejections in pflogsumm.

I put it on http://test.fantomas.sk/pflogsumm-milter-test.patch

pflogsumm now displays errors below when using amavisd-milter refusals.

I would strip the "from ", but first I would like to ask people who use
header and body checks to reject messages, and use pflogsumm, to confirm
whether they need the "from ", and possibly send me (personally, please)
the part output where "cleanup" rejections are shown.

without --verbose-msg-detail

cleanup
END-OF-MESSAGE (top 10) (total: 485)
17 from mail.sime

concurrency rate limit

I'm wondering if I have my rate limiting set up correctly.

Is it possible for Postfix logging to bypass journald?

We recently switched our Postfix mail servers to Ubuntu Server 18, which
uses journald for logging. Since we have monitoring systems that parse
/var/log/maillog, we enabled rsyslog with imuxsock so we still can parse
the log like we did before journald. But, it's unreliable.

Our monitoring systems are reporting failed deliveries of messages
because of missing log lines in /var/log/maillog.

TLS client certificates and auth external

Hello,

I have an email client (K-9 on Android), which, when using TLS client
certificates insists on sending an auth external. However, postfix/SASL
does not advertise external auth, which causes the client to not be
able to use client certificates with postfix.

As I see it, postfix is missing the external mechanism as specified in
RFC 2222 (SASL) completely.

Retiring oqmgr?

Configuring a new Postfix server I just ran across the commented entry for
oqmgr and I thought: It must have been ages since qmgr had been renamed to oqmgr and
it might be time to remove that entry from master.cf.

p@rick

Who can test Postfix BURL support?

I'm looking for someone who can test Postfix BURL support.

(With BURL a client can ask the SMTP server to include a message
that sits on an IMAP server; for example, to send a saved draft
message, or to forward an existing message, without having to
download it first and then upload it).

I looked over the RFCs and over the code that Apple donated in 2011,
where they tried to minimize changes to the SMTP protocol handler.
The code was not incorrect, just a little awkward, and it was a
limited implementation that supported only one chunk.

Adding BURL support should be much easier because it c

how to balance outgoing emails with multiple IP addresses with postfix

Hello,

Do you know how to balance outgoing emails with multiple IP addresses with
postfix ?
(I do not have randmap on my postfix)

Thank you.

Paul

How to add custom headers to NDR mails?

Hello,

We get bounce-back emails from mailer-daemon when one or more of the
recipient addresses are invalid. But, this information is conveyed only in
the body of the email and not inside any of the headers.

I'm aware of the bounce daemon along with setting custom bounce messages
using a template file but I'm unable to figure out a way to extract the
failed recipients and then append that onto the template file as a custom
header, say "X-Failed-Recipients". Are they present inside a special
variable of some sort that I'm missing out on?

Thanks,
Abhijith

Turn off command pipelining for a domain

Is there a possible way to turn off command pipelining completely for a
whole domain based on DNS? The pipelining-firewalling of yahoo.com seems
to be broken quite often.

Something like:

yahoo.com pipelining

SMTP filter using geo-localization

Hello,

I would like to filter SMTP access using geo-localization.

I have installed geoip-bin on my mailserver.

This tool works like nslookup with an IP (geoiplookup @IP) and gives
geographic information about this IP and especially the country (FR,
DE,...).

My purpose is to filter IPs out of my country to reject SMTP connection.

I must make a linux script, on bash (/usr/bin/policyd-geoip).

But I don't know how the script can tell to postfix if the IP is OK or
KO.

For postfix configuration I think that I must do that:

* master.cf:

policy-geoip unix - n n - 0 spawn

user=nobo

How to configure an infinite-retry for relay

I have a situation where my primary/final MX server will be down for
an indefinite period of time, possibly up to a week.

Content filter - reinject message back into queue

Hi there,

I'm trying to build my own content filter so I can actually filter outgoing
messages and take appropriate actions upon spam messages.

After some time I was able to make postfix send messages to the content
filter.

The documentation says that content_filter expects a "transport:maps"
response.

The content_filter configuration parameter expects a value of the form

bypass policy server in recipient_restrictions when subject contains string

Hi,

is there a way to bypass policy server in smtp_recipient_restrictions, in
case, subject contains special string?

smtpd_recipient_restrictions = check_policy_service unix:private/policy

header_checks:

/^Subject: .*string.*/ FILTER no-policy-service:

header_checks could reroute by subject but seems to kick in too late :/

Stefan

Slowness after upgrading from postfix 2.x to 3.1.8

Hi,

after upgrading to Debian 9 (thus Postfix 3.1.8) I'm experiencing an odd
behaviour, which causes slowness on all the infrastructure.

I have a generator server which injects (via smtp) into postfix, the
actual sender, and when burst of delivery happens, the receiving
postfix stuck before answering to the generator, which causes the
generator queues to fill up.

I've logged the smtp session under load from the postfix 3.1.8 server,
and in the following log excerpt you can note a "pause" of ~26 seconds:

Nov 30 09:11:31 postfix01 postfix-main/smtpd[31800]: rec_put: type N
len 9 data </td

policy server, TLS only exceptions and restrictions

Hi,

we have enforced TLS to all remote sites and have appropriate tls policy
server, that checks if TLS is avail before accepting mails. That works as
expected. we also only accept users with auth.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
reject_unauth_destination

smtpd_recipient_restrictions = check_policy_service unix:private/policy

policy server returns dunno or defer...

Now the problem:

for some destinations, we are aware, that TLS fails, so we skip checking
and set "may" policy for specific users/destinations.

Limiting global number of outgoing connections

Hi.

I need to limit the maximum number of outgoing SMTP connections done by Postfix for delivering messages.
Our VPS provider is limiting to 5 conns/s, so I need Postfix not to open more than 5 connections to remote SMTP servers.

I cannot use config param *destination_concurrency_limit because they’re related to a single recipient domain. So I was pointed to master.cf, where I could limit the maximum number of “smtp” processes.

So I changed the smtp (or what I think it is) line as follows:

smtp unix - - y - 5 smtp

Is this the correct approach? I’m asking because it didn’t fully work.

Address rewriting not working

Hi,

I'm configuring Postfix to relay mail via a smarthost, and I need to
rewrite the sender address in order for the smarthost to accept the
mail (and not reject it as 'relaying'). I'm using generic mapping to do
this, and it works correctly on two of my systems (Debian Sid,
running Postfix 3.3.2), but not on a third (Debian Stretch, running
3.1.8). I've tried all sorts of adjustments and debugging, and I'm at
my wits' end.

Virtual Domain

If a server software can handle one domain, why can't it handle two or
more in the same manner?  Why must other domains be seen as somehow less
in importance by labeling them "Virtual"?  Regardless of where the
server is physically located IP-wise, why not just design the software
to do multiples of its basic function?

I hope the reader can see the relationship between these questions. 
Feel free to ask for clarification on any point.

Thank you.

Use relayhost or not ? What is the best strategy ?

In old days, using relayhost was a good solution for ISPs who declared
an IP as dynamic even when it is static (free.fr did that..) .

With the inconvenience of ISP smtp IPs being blacklisted because of
spammers.

Is there a good reason today to use relayhost ?

What is the best strategy ?

Thanks

PC
