September 6, 2010 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | >
September 6, 2010 [00:17:01] *** Matic`Makovec has quit IRC[00:31:43] *** loddafnir has joined #postfix[00:35:09] *** leroux has joined #postfix[00:38:39] *** leroux has quit IRC[00:42:03] *** zamba has quit IRC[00:42:05] *** maix has quit IRC[00:42:08] *** zamba has joined #postfix[00:42:16] *** maix has joined #postfix[00:43:14] *** misterjack is now known as misterJack[00:59:59] *** brancaleone has quit IRC[01:09:52] *** TomHome has quit IRC[01:14:51] *** sphenxes has quit IRC[01:17:52] *** talin has joined #postfix[01:18:32] <talin> hello. i have an open relay for a few companies. one of the companies has a router with several other companies behind it (but they appear from a single IP for me). if one of those starts spamming, i cannot determine the source, and such i end up blocking innocent clients[01:19:30] <talin> how do you remedy this? i've used e-mail accounts from several ISPs without having to authenticate for sending e-mail in the past... how do they do it?[01:39:15] <dragonheart> they don't care about "innocents" they'd rather everyone by their own connection[01:39:25] <dragonheart> s/by/buy/[01:40:28] <AstralStorm> talin: there's no easy solution[01:40:38] <AstralStorm> try checking received headers, maybe[01:40:50] <AstralStorm> as in "Received"[01:41:08] <AstralStorm> of course, those theoretically could be fake[01:41:14] *** ironm has left #postfix[01:41:32] <mroe> what does "I have an open relay for a few companies" mean?[01:41:51] <AstralStorm> I suspect it means he has an unauthenticated mail forward[01:42:16] <mroe> that is pretty bad[01:42:39] <AstralStorm> yeah, anyone could usurp one of the servers and start sending spam[01:43:02] <mroe> two options 1)fix your security hole 2)implement a policy server to rate limit outgoing message then fix your security hole[01:43:58] <talin> mroe: what do you propose concerning "fix security hole"?[01:44:12] <AstralStorm> SASL[01:44:16] <mroe> implement auth on either a per user level or at least a per server level[01:44:46] <talin> ah, okay. how does that work for the users' point of view?[01:44:52] <talin> they have to fill in a password every time they send an e-mail?[01:44:56] <mroe> yes[01:44:59] <AstralStorm> you can use SASL authentication (simple, cheap) or TLS certificates (less simple, might be cheap or expensive)[01:45:06] <mroe> or like most, they save their password in their MUA[01:45:25] <talin> mroe: ah. if they save their password, won't spam-software be able to send e-mail?[01:45:25] <AstralStorm> of course the servers might use the same method[01:45:35] <mroe> talin, no[01:45:39] <AstralStorm> actually, sometimes yes[01:45:56] <mroe> I have never heard of any botnet or malware using a locally configured mua[01:45:59] <talin> okay, so if i enable SASL, can i do it gradually? such that i enable it for one user at a time?[01:46:02] <AstralStorm> but you'll know then who sent the spam[01:46:15] <AstralStorm> because SASL authentication info is stored in the email in Received header[01:46:19] <AstralStorm> the user name.[01:46:21] <mroe> talin, yes, you can turn on auth, while not forcing it[01:46:38] <mroe> talin, also look into using submission[01:46:40] <talin> mroe: aah. is SASL part of postfix? i desperately need to implement this ASAP[01:46:44] <mroe> !sasl[01:46:44] <knoba> mroe: "sasl" : SASL is 'Simple Authentication and Security Layer', necessary for SMTP AUTH, and provided to Postfix by addin software. Cyrus SASL and/or Dovecot IMAP/POP3 can provide SASL. See http://www.postfix.org/SASL_README.html for details.[01:46:51] <mroe> !submission[01:46:52] <knoba> mroe: "submission" : Port 587 is submission, for user submission of mail, NOT suitable for mail exchange. See the commented example in master.cf. also see !msa, and rfc 2476 and 4409. Also read http://www.maawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf[01:46:57] <AstralStorm> do at least enable SASL (and/or TLS) for the submitting servers[01:47:11] <AstralStorm> !tls[01:47:11] <knoba> AstralStorm: "tls" : Short for Transport Layer Security (RFC2246). It adds an additional layer of encryption to protocols such as SMTP, POP3 or IMAP to improve security during transmission over the Internet. TLS features in Postfix are documented here: http://www.postfix.org/TLS_README.html[01:47:16] <talin> AstralStorm: these users generally connect to me directly, they don't have their own servers[01:47:16] <mroe> you better use tls if you are using sasl[01:48:29] <AstralStorm> talin: uhm, yes, open relays are bad, mmmkay?[01:48:33] <AstralStorm> mroe: nah, those DIGEST auths are good[01:48:38] <AstralStorm> but it's good to enable it anyway[01:48:42] <talin> i understand. i wish someone would have recommended this earlier ;)[01:48:42] <mroe> what is 'good' about them[01:48:51] <AstralStorm> as in, they're hard to crack[01:48:59] <mroe> not md5[01:49:01] <AstralStorm> of course they only secure your login pass[01:49:03] <talin> so basically, i can set up SASL and then force one-by-one IP to use it, with different passwords for all of them[01:49:20] <AstralStorm> MD5 is also hard to crack, because it's salted[01:49:39] <AstralStorm> see, digest auth is challenge-response[01:49:56] <AstralStorm> it's possible, yes, but hard.[01:52:08] <AstralStorm> the main problem with them is the man in the middle possibility[01:52:11] <talin> what is "submission"? does taht have anything to do with SASL/TLS?[01:52:12] <AstralStorm> talin: just a related issue: users shouldn't connect to port 25[01:52:12] <AstralStorm> instead they should use port 587[01:52:12] <AstralStorm> not that important really[01:52:12] <talin> AstralStorm: hmm, okay.[01:52:23] <talin> so i'll set up SASL, and then all the users will be prompted to fill in a password, which is when they call and ask what the password is ;)[01:53:13] <talin> do most ISPs uses SASL/TLS?[01:53:18] <AstralStorm> better to point them to some website where they can set the password properly[01:53:24] <AstralStorm> yes, nowadays they do[01:53:39] <AstralStorm> SASL definitely, most support TLS, a few require it[01:53:46] <talin> i see[01:56:14] <AstralStorm> oh right, and make sure that password setting website also is TLS (HTTPS) with a valid certificate[01:56:23] <AstralStorm> otherwise scams might happen[02:06:08] <talin> AstralStorm: ah, oki. i'll read up on SASL... there's a bit of info at postfix.org[02:07:52] <Tom-B> Hi guys I've had a look around and followed a fair few guides on postfix[02:08:35] <Tom-B> I have everything working, but I'm stuck on something simple with regards to the SMTP part[02:08:52] <Tom-B> I have SASL working, if I use authentication on outgoing email it rejects unless my credtionals match the users in mysql[02:08:53] <Tom-B> But if I untick "use authentication" in accounts in Outlook for example[02:09:05] <Tom-B> The mail gets sent regardless, I believe this makes it an "open relay"[02:09:20] <Tom-B> How does one go about disabling this?[02:09:22] <Tom-B> I think I'm missing something very simple?[02:10:05] <Tom-B> "broken_sasl_auth_clients" enable support for clients that don't support SASL OE4.0 etc etc chnaged to "= no" did not do it[02:10:24] <AstralStorm> it's not that[02:11:13] <Tom-B> Can you point me in the right direction?[02:11:32] <AstralStorm> yes, wait a sec, I need to remember the option name[02:11:36] <Tom-B> Cheers[02:12:05] <AstralStorm> smtpd_recipient_restrictions[02:12:08] <AstralStorm> set them properly[02:12:56] <AstralStorm> you can find the values in man smtpd[02:12:58] <Tom-B> smtpd_recipient_restrictions = permit_sasl_authenticated ?[02:13:04] <AstralStorm> not just that[02:13:14] <AstralStorm> it defaults to "permit"[02:13:53] <AstralStorm> so maybe smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject[02:14:02] <AstralStorm> you don't have to type it all in one line[02:14:05] <AstralStorm> read man smtpd[02:14:40] <Tom-B> smtpd_recipient_restrictions implies that filters who mail can be sent to not who can send mail[02:14:51] <Tom-B> Am I getting the wrong end of the stick there?[02:15:08] <AstralStorm> " The access restrictions that the Postfix SMTP server applies in[02:15:09] <AstralStorm> the context of the RCPT TO command."[02:15:19] <AstralStorm> so, when it gets some mail.[02:16:02] <Tom-B> All the guides say to use[02:16:06] *** pinoyskull has joined #postfix[02:16:06] <AstralStorm> http://www.postfix.org/SMTPD_ACCESS_README.html - read this[02:16:12] <Tom-B> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination[02:16:15] <AstralStorm> yes, they probably add extra values[02:16:29] <Tom-B> Does that sound correct?[02:16:31] <AstralStorm> this is fine, except it doesn't reject anything else[02:16:56] <AstralStorm> it depends on whether you want to receive mail from other smtp servers[02:17:05] <AstralStorm> etc.[02:17:09] <AstralStorm> read the friendly readme[02:17:34] <Tom-B> Oh I see[02:18:06] <AstralStorm> reject_unauth_destination is fine, yes[02:18:19] <Tom-B> Those values are correct[02:18:21] <AstralStorm> but instead you might want permit_auth_destination, reject[02:18:28] <AstralStorm> which is stronger[02:18:39] <Tom-B> The reason I thought it related to who you could send mail to was because I was getting: The message could not be sent because one of the recipients was rejected by the server.[02:19:00] <Tom-B> When I tried to send to the outside world[02:19:01] <AstralStorm> there are other checks that may cut the spam volume[02:19:16] <Tom-B> But I need to authenticate and then it sends, I see now[02:21:11] <AstralStorm> I recommend adding reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unlisted_sender[02:21:49] <AstralStorm> and maybe also reject_non_fqdn_sender and rejecT_unknown_sender_domain *after* permit_mynetworks and permit_sasl_authenticated)[02:22:14] <AstralStorm> all those fun rejects may cut down on stupid spam[02:22:50] <AstralStorm> note that reject_unknown_*_domain has a cost - the server will perform a DNS lookup for each received message[02:24:16] <AstralStorm> ually, unknown_sender_domain goes into smtpd_sender_restrictions I think[02:25:37] <AstralStorm> smtpd_sasl_authenticated_header = yes is a good idea if you might have abuser users[02:25:38] <Tom-B> If users need credentials to login to the SMTP server and they do it over 587 isn't that secure enough?[02:26:12] <AstralStorm> TLS is preferable, otherwise someone may hijack the credentials[02:26:43] <Tom-B> I followed a guide and have this in my postfix/main.cfg[02:26:43] <Tom-B> smtpd_tls_cert_file = /etc/postfix/smtpd.cert[02:26:43] <Tom-B> smtpd_tls_key_file = /etc/postfix/smtpd.key[02:26:44] <Tom-B> smtpd_use_tls = yes[02:26:50] <Tom-B> That implies TLS is working yer?[02:26:53] <AstralStorm> yes, this enables TLS[02:27:11] <Tom-B> Don't I still need to be going over 587[02:27:22] <AstralStorm> it's also good to set smtp_use_tls =yes[02:27:31] <AstralStorm> you should, but it's not a strict requirement[02:27:41] <AstralStorm> port 25 can be used too, though that's technically incorrect[02:27:42] <Tom-B> That's the next thing to setup now :)[02:28:10] <Tom-B> it works over 25, now just need to enable SSL[02:28:14] <AstralStorm> smtp_sasl_auth_enable = yes is also nice[02:28:41] <Tom-B> I have that =)[02:28:51] <AstralStorm> note smtp not smtpd[02:28:54] <AstralStorm> that's for client[02:29:22] <AstralStorm> if your server is to connect somewhere, usually to a mail gateway, that needs SASL[02:29:41] <Tom-B> http://pastie.org/1140576 spammed the real mail.'s obviously[02:29:52] <Tom-B> Ah ok[02:30:02] <AstralStorm> see smtpd_sasl_security_options too[02:30:15] <Tom-B> Any suggestions you can make to that main.cf ?[02:32:35] <AstralStorm> yes, smtpd_sender_restrictions and expand recipient_restrictions[02:33:03] <AstralStorm> as well as disable plaintext SASL (at least, preferably also vulnerable to dictionary and active attack)[02:33:21] <AstralStorm> plaintext and active attack vulnerable is ok via TLS[02:33:45] <Tom-B> You're kind of going over my head dude :)[02:33:51] <AstralStorm> actually, all SASL methods (except anonymous, duh) are ok via TLS assuming your certificate is fine[02:34:23] <Tom-B> I get a certificate warning everytime I load outlook[02:34:33] <Tom-B> I just accept I figured I could fix that later too[02:34:45] <AstralStorm> you can remember the certificate[02:34:59] <AstralStorm> a real mail server will have a nice validated cert - they aren't that expensive[02:35:28] <AstralStorm> you probably have a self-signed one[02:35:33] <Tom-B> http://blog.dreamhosters.com/wp-content/uploads/2006/02/outlook-express-warning.gif[02:35:52] <AstralStorm> which doesn't protect against man in the middle attack for at least the first connection[02:36:05] <AstralStorm> oh, wrong CN[02:36:08] <AstralStorm> that has to be fixed[02:36:08] <Tom-B> No[02:36:11] <Tom-B> That's wrong message[02:36:24] <Tom-B> http://www.stroop.net/images/mail-certificate-warning.gif[02:36:24] <AstralStorm> it should match the server domain[02:36:25] <Tom-B> bingo[02:36:40] <Tom-B> That's the message[02:36:47] <AstralStorm> ok, is your certificate CACert's?[02:37:07] <AstralStorm> those aren't trusted implicitly by most systems (and rightly so, esp. the lowest class ones)[02:37:38] <AstralStorm> this warning is fine, Outlook should have a "remember this certificate" option[02:37:49] <Tom-B> I used this:[02:37:50] <Tom-B> http://library.linode.com/email/postfix/postfix-dovecot-mysql-ubuntu-10.04-lucid#create_an_ssl_certificate_for_postfix[02:38:04] <Tom-B> I've been using linux for a week so most of what you're saying is going over my head[02:38:15] <Tom-B> Most of what you're typing that I don't understand I'm googling[02:38:15] <AstralStorm> ok, that's self-signed[02:38:23] <Tom-B> For example CAcert I now know what CA is :)[02:38:37] <Tom-B> http://en.wikipedia.org/wiki/CAcert.org <--- =)[02:38:49] <Tom-B> Let's push the cert thing aside[02:38:54] <Tom-B> As it's small potatos tbh[02:38:59] <Tom-B> Well it's not[02:38:59] <AstralStorm> yeah,it's fine[02:39:03] <AstralStorm> the warning should show only once[02:39:03] <Tom-B> But it is[02:39:08] <Tom-B> Yer[02:39:28] <AstralStorm> technically the user should validate key fingerprint at that moment[02:39:36] <Tom-B> Right now can you please amend the main.cf pastie and I can then go and google your changes to try and understand them[02:40:21] <AstralStorm> nope[02:40:31] <AstralStorm> you're not paying me for configuring your server[02:40:35] <AstralStorm> :)[02:40:41] <AstralStorm> go read the docs instead[02:40:49] <Tom-B> I meant the security things you suggested[02:41:52] <Tom-B> Okay so "smtpd_sender_restrictions and expand recipient_restrictions"[02:42:00] <AstralStorm> oh those? again, read this: http://www.postfix.org/SMTPD_ACCESS_README.html[02:42:03] <Tom-B> I'll go google and attempt to implement them[02:42:30] <Tom-B> You said plain text is ok over SSL and using TLS?[02:42:31] <AstralStorm> note that the restrictions are applied in order[02:42:39] <AstralStorm> when using TLS, yes[02:42:53] <AstralStorm> but not without it - some silly might capture the password real easy[02:42:57] <Tom-B> And judging by the tutorial title I linked and the main.cf I am?[02:43:13] <Tom-B> Yer like a plaintext password to a VNC for example?[02:43:29] <AstralStorm> yes, but you're not rejecting plaintext SASL authentication without TLS[02:43:44] <AstralStorm> (and other vulnerable methods)[02:44:55] <Tom-B> You mean if a user sets up their client wrong?[02:47:44] <AstralStorm> most clients use the order server sends[02:47:56] <AstralStorm> which starts with PLAIN, then ANONYMOUS.[02:48:26] <AstralStorm> (which is rejected), then other better auths, then LOGIN (which is like plain, but nasty)[02:48:56] <Tom-B> So "smtpd_use_tls = yes" doesn't enable TLS then?[02:49:24] <Tom-B> I don't understand quite what you mean <AstralStorm> yes, but you're not rejecting plaintext SASL authentication without TLS[02:50:15] <AstralStorm> look up smtpd_sasl_security_options on that page I gave you a link to[02:50:35] <AstralStorm> then you'll understand (there's a twin smtpd_tls_sasl_security_options)[02:51:17] *** [sergiu] is now known as [Sergiu][02:51:36] <Tom-B> http://www.postfix.org/SMTPD_ACCESS_README.html[02:51:41] <AstralStorm> http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options[02:51:41] <Tom-B> ?[02:51:58] <AstralStorm> see, gave you a direct link[02:53:15] <Tom-B> So what I want is "smtpd_sasl_security_options = noplaintext" ?[02:53:47] <Tom-B> Thus disabling plaintext without SASL TLS ?[02:53:50] <AstralStorm> noplaintext,noanonymous[02:54:06] <AstralStorm> but better disable all the vulnerable auths[02:54:52] <Tom-B> If I want a given user to have to use TLS why not just "smtpd_sasl_security_options = nop, noa, nod, noanon, for, mut" ?[02:54:58] <AstralStorm> note that this might force the users to use TLS, which anyway is a good thing[03:03:18] <AstralStorm> but you can use smtpd_tls_auth_only = yes to do exactly that[03:03:25] <Tom-B> And that's a good thing?[03:03:27] <Tom-B> What clients do not support TLS?[03:03:28] <Tom-B> And that's a good thing? <--statement[03:03:28] <Tom-B> What clients do not support TLS?[03:03:31] *** Alagar has joined #postfix[03:03:39] *** AstralStorm has quit IRC[03:03:44] *** Alagar has left #postfix[03:07:30] *** AstralStorm has joined #postfix[03:08:02] <Tom-B> smtpd_tls_auth_only = yes[03:08:08] <Tom-B> Stopped outlook express from working[03:08:21] <Tom-B> Must I use TLS in conjunction with SSL?[03:08:24] <Tom-B> WB btw[03:08:28] <mroe> !outlook_express[03:08:29] <knoba> mroe: Error: "outlook_express" is not a valid command.[03:08:39] <mroe> you should stop using OE[03:09:33] <mroe> OE is old and has even worse standards support than outlook[03:09:39] *** [Sergiu] is now known as [sergiu][03:10:36] <AstralStorm> Tom-B: TLS works on the same port as normal SMTP[03:10:55] <AstralStorm> but is encrypted. it's the support for STARTTLS command[03:11:05] <AstralStorm> I'm not sure if OE supports that, every sane client does[03:11:57] <Tom-B> I appreciate that OE is terrible[03:12:19] <Tom-B> Which is exactly why I'm using it as a baseline for support, I need to provide interoptability[03:12:37] <Tom-B> I agree with what you're saying but the sad fact is that people do still use it[03:12:47] <mroe> only because it still works[03:13:21] <Tom-B> Is it safe to use plaintext auth over SSL?[03:14:37] <AstralStorm> yes[03:14:37] <AstralStorm> (as long as the certificate is correct and not compromised)[03:15:39] <Tom-B> And judging by http://library.linode.com/email/postfix/postfix-dovecot-mysql-ubuntu-10.04-lucid#create_an_ssl_certificate_for_postfix are my certs correct and not compromised?[03:17:03] <AstralStorm> no[03:17:07] <AstralStorm> they're not fully correct[03:17:22] <AstralStorm> it's a self-signed certificate, meaning the client has to check whether it belongs to you[03:17:24] <AstralStorm> I mean, the user[03:18:19] <AstralStorm> and the user can't possibly know if it's yours for the first time[03:18:42] <AstralStorm> that's why normal certificates have a validation chain[03:19:01] <Tom-B> So for good interoperability where should I go to get myself a certifcate and won't it matter I will be using this server in conjunction with mail.domain1.org mail.domain99.com mail.lol.co.uk etc?[03:19:15] <AstralStorm> no, it does[03:19:23] <AstralStorm> a certificate is issued per domain[03:20:47] <Tom-B> So does it make sense therefore possible purchase mail.mymailserver.com and setup correct DNS for that and tell users regardless of email suffix to connect to mail.mymailserver.com and let postfix sort out the rest on a user/password level?[03:21:10] <Tom-B> And get a cert for mail.mymailserver.com[03:22:46] <AstralStorm> yes[03:22:59] <AstralStorm> of course you can get multiple certificates instead[03:23:29] <AstralStorm> but I don't remember if postfix can run virtual hosts[03:23:32] <Tom-B> Aren't certs from proper places like $50-100 a pop?[03:23:37] <Tom-B> it can[03:24:49] <Tom-B> http://library.linode.com/email/postfix/postfix-dovecot-mysql-ubuntu-10.04-lucid#setting_up_domains_and_users if that's what you mean[03:25:02] <Tom-B> Can also be done without mySQL obviously using files[03:25:07] <AstralStorm> depends on the company[03:25:20] <Tom-B> https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto#Setup%20Postfix%20to%20Use%20Virtual%20Mailboxes[03:25:57] <AstralStorm> yes, but they don't handle TLS certs[03:26:24] <Tom-B> Surely the cert only knows what domain you're connecting to[03:26:37] <Tom-B> it's a certicate that says domain X is above board[03:26:45] <Tom-B> Nothing else, I thought?[03:26:55] <AstralStorm> RCPT FROM says some[03:27:04] <AstralStorm> that's how the virtual domain is detected[03:27:10] <AstralStorm> but that's too late for TLS[03:27:45] <Tom-B> I thought we'd discarded TLS due to backwards compatability with still-used terrible clients such as OE?[03:28:00] <Tom-B> And decided to go the cert'd SSL route?[03:28:15] <rob0> "Virtual domains" like in HTTP are not possible in SMTP. You would need to use different IP addresses.[03:28:15] <AstralStorm> SSL and TLS are very similar[03:28:28] <AstralStorm> rob0: well, not with TLS[03:28:30] <rob0> TLS is the successor protocol to SSL.[03:28:50] <AstralStorm> with normal it is possible, just attach multiple DNS addresses[03:29:16] <AstralStorm> oh and you can of course just put a CNAME record[03:29:28] <AstralStorm> but then obviously postfix won't know about the domain[03:29:34] <rob0> But, certificate verification checks reverse DNS, and you're only going to get away with one name per IP address.[03:29:39] <AstralStorm> maybe it could be done via part of SASL auth[03:30:06] <AstralStorm> true, that's why I said with TLS it's impossible[03:30:40] <AstralStorm> real validation obviously follows CNAME records[03:30:53] <rob0> Virtual hosting is simple if you're not worried about the host's canonical name.[03:31:07] <AstralStorm> just in case (the cert might match anything in the CNAME chain)[03:31:21] <Tom-B> Surely having user at domain1 dot com and user at domain99 dot org connecting to mail.mymailserver.com and letting postfix sort out what mailboxes the emails go to via the username/password you're logging in with would work?[03:31:31] <AstralStorm> Tom-B: this will work[03:31:31] <rob0> yes tom[03:31:33] <AstralStorm> yes[03:31:55] <Tom-B> I like you two, you use words like "yes" and "no"[03:32:08] <Tom-B> Such defintion with your responses pleases me <3[03:32:21] <rob0> heh, hang around some, I get much worse :)[03:32:25] <Tom-B> I bet.[03:32:27] <Tom-B> =)[03:32:31] <AstralStorm> usually you do then a full address as SASL auth, including the domain[03:32:53] <Tom-B> So I should register a pretty generic domain[03:32:55] <thumbs> in person , rob0 uses complicated words on purpose.[03:32:57] <Tom-B> And get a cert for it[03:33:15] <AstralStorm> and add a rewrite rule based on this SASL auth[03:33:45] <Tom-B> otherwise clientA who owns www.smithsplumbing.com might wonder why his mail server is www.mikescarepair.co.uk ;D[03:33:59] <Tom-B> otherwise clientA who owns www.smithsplumbing.com might wonder why his mail server is mail.mikescarepair.co.uk ;D[03:34:19] <AstralStorm> Tom-B: yes, although you can just get multiple IP addresses and certificates[03:34:32] <AstralStorm> the problem is of course that IPv4 addresses are starting to run out[03:34:51] <Tom-B> At the risk of sounding tight fisted, because the whole point of this was to save clients some money and learn something[03:34:51] <AstralStorm> and IPv6 is still not supported in many places, suprisingly[03:35:06] <Tom-B> Won't multiple certifcates cost more?[03:35:17] <AstralStorm> yes[03:35:27] <AstralStorm> there are discounts though[03:35:34] <Tom-B> www.genericdomain.co.uk it is then[03:35:59] <AstralStorm> and a class 3 certificate isn't really that expensive anyway[03:36:28] <Tom-B> getting a proper cert will stop the OE prompt yer?[03:36:34] <AstralStorm> yes[03:37:03] <Tom-B> And because a cert is needed for a secure connection (SSL) it will secure up sending plain?[03:37:22] <AstralStorm> yes, that connection is encrypted and signed[03:37:48] <Tom-B> For the first time since I've used linux more has been achieved through IRC than ploughing away on google/tuts/terminal[03:37:55] <AstralStorm> and the public key is validated via the tree of trust, back to the CA[03:38:03] <Tom-B> Thankyou AstralStorm[03:38:36] <Tom-B> tree of trust sounds like something from a harry potter movie[03:38:45] <AstralStorm> heh[03:39:01] <AstralStorm> just read up on X.509 standard (like, on wikipedia)[03:39:34] <Tom-B> yer makes sense to understand how the certs work[03:39:42] <Tom-B> How does TLS superseed SSL?[03:39:47] <Tom-B> No need for a certificate?[03:39:54] *** lifeofguenter has joined #postfix[03:39:59] <lifeofguenter> hi all[03:41:37] <AstralStorm> Tom-B: no need for a silly separate port[03:41:54] <AstralStorm> and a few protocol weaknesses have been addressed[03:43:32] <Tom-B> Ok[03:43:57] <lifeofguenter> anybody using dcc here? somehow it does not show the rejectetion msg in my /var/log/mail.log :/[03:44:26] *** swombat_ has joined #postfix[03:44:33] <Tom-B> Thanks for all the help AstralStorm you've been great[03:46:27] *** swombat has quit IRC[03:48:31] <AstralStorm> Tom-B: X.509 v3 supports alternate server names[03:48:48] <AstralStorm> subjectAltName field.[03:49:07] <AstralStorm> of course all have to be filled at the time the certificate is issued[03:49:29][03:49:42] <Tom-B> Seems like money for old rope?[03:50:42] <AstralStorm> verisign is expensive, yes[03:50:51] *** higuita has joined #postfix[03:50:54] <AstralStorm> http://en.wikipedia.org/wiki/Server_Name_Indication - hopefully will be supported more widely soon[03:51:02] <AstralStorm> (e.g. in postfix)[03:51:42] <Tom-B> What comany would you suggest?[03:51:46] <Tom-B> Company[03:52:38] <AstralStorm> I'm not placing any ads here :) Use google.[03:53:05] <AstralStorm> or rather, any search engine of choice[03:53:06] <Tom-B> http://www.instantssl.com/ seems more reasonable?[03:53:26] <mroe> Tom-B, avoid thawte and verisign, they are expensive for little reason[03:53:35] *** higuita has quit IRC[03:53:57] <AstralStorm> mroe: Thawte has fairly cheap sub-CA certs though[03:54:05] <AstralStorm> in comparison to others[03:54:09] <mroe> what are they charging?[03:54:15] <AstralStorm> a lot[03:54:31] <AstralStorm> but this is a kind of cert for a large corporation[03:54:40] <mroe> I was amazed. Just but a wildcard cert for less than $400/year last week[03:54:56] <AstralStorm> not a wildcard. it's a sub-CA[03:55:01] <Tom-B> Personally when I see comodo and that trust thing in the corner: http://www.instantssl.com/images/cot_evssl.gif[03:55:16] <mroe> yees, I know. But it really shocked me. The industry has changed in the last 7 years[03:55:16] <AstralStorm> so it has no domain limitation[03:55:20] <AstralStorm> mhm[03:55:23] <AstralStorm> it did[03:55:28] <Tom-B> It looks a bit Tomy-toy-my-first-certificate[03:55:37] <Tom-B> Is that just a pre-conception I have personally?[03:56:02] <Tom-B> I mean are comodo recognised enough?[03:56:06] *** higuita has joined #postfix[03:56:07] <AstralStorm> yes, they are[03:56:30] <AstralStorm> their root certificates are bundled with all modern browsers and operating systems[03:56:45] <Tom-B> Will they be bundled with OE?[03:58:01] <AstralStorm> OE and IE don't come with certificates[03:58:10] <AstralStorm> they use whatever is installed in Windows[03:58:45] <Tom-B> So if my baseline is windows XP or greater will OE automatically say "yep comodo cert trust it" and thus no prompt?[03:59:00] <AstralStorm> I think so[03:59:21] <AstralStorm> definitely in updated XP[03:59:22] <Tom-B> They offer a free trial so that's pretty persuasive to my mind[03:59:32] <AstralStorm> meh, trials are just that[03:59:51] <Tom-B> let's me check it'll work under say XP SP2 or newer though[04:00:01] <Tom-B> Does it not?[04:01:49] *** lifeofguenter has quit IRC[04:03:37] <AstralStorm> definitely it does[04:04:30] <Tom-B> hardest part will be fishing out a none-slip streamed XP CD then ;D[04:07:18] <Tom-B> Once again, thankyou, gonna hit the hay 3am here up in 5 hours[04:08:27] *** talin has quit IRC[04:08:45] <AstralStorm> good night :)[04:21:38] *** hooch has joined #postfix[04:24:19] *** higuita has quit IRC[04:28:45] *** higuita has joined #postfix[04:45:41] *** higuita has quit IRC[04:48:05] *** higuita has joined #postfix[04:52:13] *** [sergiu] is now known as [Sergiu][04:54:13] *** lifeofguenter has joined #postfix[05:05:42] *** [Sergiu] is now known as [sergiu][05:26:38] *** higuita has quit IRC[05:29:00] *** higuita has joined #postfix[05:41:34] *** mroe has quit IRC[05:57:14] *** lifeofguenter has quit IRC[06:15:02] *** higuita has quit IRC[06:16:43] *** higuita has joined #postfix[06:23:09] *** gremlin133 has joined #postfix[06:24:08] <gremlin133> hey everyone, i was wondering if it was possible to do an address rewrite based on a keyword in the email subject[06:40:47] <dragonheart> the sender and/or the recipent address?[06:41:51] <dragonheart> two main options - 1 - write a milter[06:42:15] <dragonheart> 2 header_checks and some extreme trickery that I haven't tested[06:42:45] *** i0x71 has quit IRC[06:42:50] <dragonheart> 2.1 if you just want rewrite the recipient address there is a REDIRECT action on the header_checks[06:43:29] *** lifeofguenter has joined #postfix[06:44:42] <dragonheart> 2,2 if you want canonical kind of rewrites you may need to setup a second cleanup process in master.cf with -o options for the rewrites desired and make the header_checks return a filter that will deliver it via this second cleanup process[06:44:42] *** higuita has quit IRC[06:47:28] *** higuita has joined #postfix[07:03:37] <lunaphyte> 3 -that is an absolutely *horrible* idea.[07:03:50] <lunaphyte> !tell gremlin133 goal[07:03:50] <knoba> gremlin133: "goal" : describe your goal, not what you think the solution is[07:04:33] <gremlin133> oh sorry, that pretty much was my goal, but to rewrite the sender address[07:04:57] <gremlin133> basically we have an evil CRM system that we need to send emails from, but it can only send from one email address, whereas we have different emails...[07:05:11] <gremlin133> so, based on a keyword in the subject, we wanted to rewrite the sender address[07:11:41] *** nokia3510 has joined #postfix[07:16:48] <lunaphyte> that's unclear.[07:16:48] <lunaphyte> why does the envelope sender need to change?[07:18:09] <seekwill> heh[07:18:26] *** shal3r has joined #postfix[07:42:30] <gremlin133> because the CRM can only send from one email address[07:43:02] <gremlin133> for example, orders@ and marketing@[07:43:11] <gremlin133> it can only send from one of those, for all email[07:45:48] <seekwill> Grown out of your CRM?[07:47:44] <gremlin133> i guess, its more we have 2 companies that use the one CRM.. so two different company email addresses for sending newsletters[07:48:01] <gremlin133> it supports multiple email addresses everywhere except the marketing and newsletter stuff[07:49:31] <seekwill> heh[07:51:00] <gremlin133> i was thinking of writing a logic hook to somehow change the email address it sends from, but i doubt it supports it[07:51:42] <gremlin133> the CRM that is, it supports them in certain places.. but it's email system seems badly written[08:18:55] *** higuita has quit IRC[08:20:46] *** e-jones has joined #postfix[08:21:55] *** higuita has joined #postfix[08:23:56] *** ramoni has joined #postfix[08:24:03] *** karlgus has joined #postfix[08:38:53] *** higuita has quit IRC[08:39:38] *** ramoni has quit IRC[08:41:24] *** higuita has joined #postfix[08:51:12] *** higuita has quit IRC[08:52:46] *** cga has joined #postfix[08:53:43] *** higuita has joined #postfix[08:57:54] *** Klem has quit IRC[09:12:44] *** Wilkins has joined #postfix[09:14:37] *** freaky[t] has quit IRC[09:14:53] *** misterJack has quit IRC[09:15:13] *** gencha has quit IRC[09:15:49] *** [dmp] has quit IRC[09:15:53] *** stockholm has quit IRC[09:16:26] *** thana has quit IRC[09:16:40] *** higuita has quit IRC[09:17:03] *** gremlin133 has quit IRC[09:17:13] *** stockholm has joined #postfix[09:17:33] *** thana has joined #postfix[09:17:39] *** thana has joined #postfix[09:17:52] *** [dmp] has joined #postfix[09:18:06] *** freaky[t] has joined #postfix[09:19:15] *** misterJack has joined #postfix[09:19:32] *** higuita has joined #postfix[09:22:29] *** brancaleone has joined #postfix[09:26:39] *** AstralStorm has quit IRC[09:31:21] *** denis_ has joined #postfix[09:39:30] *** denis_ has quit IRC[09:46:28] *** weedar has joined #postfix[09:52:22] *** JoKoT3 has joined #postfix[09:53:46] *** higuita has quit IRC[09:55:05] *** denis_ has joined #postfix[09:55:08] *** sphenxes has joined #postfix[09:56:35] *** higuita has joined #postfix[09:57:24] *** bezourox has quit IRC[09:58:15] *** bezourox has joined #postfix[10:24:18] *** henriknj has joined #postfix[10:24:19] *** higuita has quit IRC[10:24:19] *** jduggan_ has joined #postfix[10:27:14] *** bezourox has quit IRC[10:27:23] *** higuita has joined #postfix[10:38:26] *** higuita has quit IRC[10:40:56] *** higuita has joined #postfix[10:50:25] *** klem has joined #postfix[10:59:53] *** bezourox has joined #postfix[11:00:08] *** TomHome has joined #postfix[11:04:59] *** bezourx has joined #postfix[11:08:44] *** bezourox has quit IRC[11:14:37] *** bezourx is now known as bezourox[11:22:16] *** wdp_ has quit IRC[11:23:44] *** wdp has joined #postfix[11:25:50] *** higuita has quit IRC[11:26:13] *** master_of_master has quit IRC[11:28:16] *** master_of_master has joined #postfix[11:28:52] *** higuita has joined #postfix[11:44:50] *** higuita has quit IRC[11:46:52] *** ghobad_ has joined #postfix[11:47:22] *** higuita has joined #postfix[11:47:47] *** Swaagie has joined #postfix[11:58:23] <Swaagie> morning currently I got a VSP with only a IP to address, should myhostname in main.cf be that IP or is a bogus domain name allowed?[11:59:27] <Aprogas> !tell Swaagie fcrdns[11:59:27] <knoba> Swaagie: "fcrdns" : http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS : $myhostname should resolve to your IP address, which in turn should resolve to $myhostname. This is very important if you want big sites to accept your mail. If you can't have it from your ISP, see !relayhost .[11:59:46] <Aprogas> So myhostname must be set to the proper hostname of your machine.[12:01:48] <Swaagie> Aprogas: thanks, currently the domain name is on another server, but it will be transfered quite soon, I can test local messages between users if I just use that name already not?[12:01:59] *** henriknj has quit IRC[12:02:56] <Swaagie> let me rephrase that: the domain rights are with another server provider atm[12:07:10] <Aprogas> Not all servers enforce fcrdns, so for testing-phase you will be fine.[12:07:23] *** [sergiu] is now known as [Sergiu][12:11:10] *** canton_ has joined #postfix[12:12:06] <canton_> Hi folks, i have a strange problem: my Postfix is sending out mails using @localhost.localdomain as sender addresses. I have set mydomain, myhostname and also myorigin. Could you give me a hint at where to look?[12:23:06] <Aprogas> !tell canton_ welcome[12:23:06] <knoba> canton_: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[12:25:53] <Signum> canton_: Depends which program was creating the email basically.[12:26:21] <canton_> Signum: mailx' "mail" command[12:26:37] *** ghobad_ has quit IRC[12:27:50] <Signum> canton_: what does "hostname -f" tell?[12:28:35] <canton_> Signum: cose2204, the host's name without any domain[12:28:37] <Signum> canton_: Besides specifying the sender with "-r ..." in the mailx call should work.[12:30:49] *** higuita has quit IRC[12:33:45] *** higuita has joined #postfix[12:33:56] *** sebuccino has joined #postfix[12:35:40] <canton_> i am just wondering why postfix does not recognize this "localhost.localdomain" as being local and does not add $myorigin[12:37:05] <Aprogas> myorigin only applies when domain-part is missing[12:37:19] <Aprogas> Recognizing which mail is accepted as local is handled by mydestination[12:37:39] <Aprogas> If you have a broken app, and you cannot stop it from using @localhost.localdomain, you can use canonical or generic (I always mix them up) to rewrite that.[12:37:45] <Signum> And append_dot_mydomain=yes must be set (=default).[12:38:42] <sebuccino> hi. are transport_maps the right way to ensure that mails for domain1 are send via outgoing interface1 and mail to domain2 via interface2 ??[12:39:11] <sebuccino> s/mail to/mail for/[12:41:56] <sebuccino> mail with "from @domain1" need to be send via interface1, mail with "from @domain2" need to be send via interface2.. how do i set this up?[12:42:18] <Aprogas> Is it really that important? Hardly anybody cares about Received-headers.[12:42:46] <Aprogas> I guess you could use transport_maps, and multiple smtp service with differing smtp_bind_address[12:42:56] <Aprogas> If you really want to go through with this that is.[12:45:36] <sebuccino> ok.. for "smtp unix ..." or "smtp inet.." ?!... smtp unix is only for sendmail right?[12:46:18] <Aprogas> Maybe you don't really want to be messing in master.cf and just use one outgoing server.[12:46:26] <Aprogas> Why is it important to seperate the flows?[12:47:57] *** Twinkletoes has joined #postfix[12:49:09] <sebuccino> different customers...[12:50:12] <Aprogas> Is any of them going to send spam?[12:52:16] <sebuccino> neither, but interface2 would like to ensure that mails get never marked as spam.. so i wanne seperate them from the remaing senders[12:53:23] <sebuccino> anyway, its still a fallback setup...[12:53:44] <sebuccino> the MX entry for interface1 needs to be fixed anyway[12:53:57] * sebuccino waiting for the $domain_owner[12:54:36] <sebuccino> postfix has no other method for splitting that traffic?[12:55:17] <Aprogas> I think overriding default nexthop-transport and using different smtp-services is the most simple route.[12:55:46] <sebuccino> kthx[12:56:03] <Aprogas> You might need sender_dependent_transport_maps[13:01:25] *** lifeofguenter has quit IRC[13:06:52] *** lifeofguenter has joined #postfix[13:10:37] *** lennard has joined #postfix[13:11:11] *** brancaleone has quit IRC[13:12:21] *** mihamina has joined #postfix[13:13:08] <mihamina> hi all[13:15:14] <mihamina> I would like to setup a specific relay host to some client IP address. How to? I already saw sender_dependent_relayhost_maps but it's "per sender", not per client IP[13:17:49] <Swaagie> aprogas: thanks for your earlier comments, got the internal dovecot/postfix mailshizzle working![13:18:02] <Swaagie> will do external as soon as the doman name is transferred[13:18:37] <klem> is it possible to specify an IP adress to route from the emails ?[13:18:53] <klem> I have 2 IP, I want to send from theses 2 IP with on epostfix[13:18:58] <klem> is that possible ?[13:26:32] *** BenTheDesigner has joined #postfix[13:26:35] <BenTheDesigner> Hi all[13:26:45] <BenTheDesigner> Anyone about to help with postfix+spamassassin?[13:27:31] <Aprogas> !tell BenTheDesigner welcome[13:27:33] <knoba> BenTheDesigner: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[13:30:09] *** forsberg has quit IRC[13:30:09] *** Tykling has quit IRC[13:44:29] *** bubbles| has joined #postfix[13:44:30] <bubbles|> hi[13:44:51] <bubbles|> why doesn't postfix respond to me when i telnet to localhost on port 25?[13:45:10] <bubbles|> https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto <-- i was following this tutorial to set up virtual adresses[13:45:40] <joschi> bubbles|: see topic[13:49:28] <bubbles|> http://pastebin.com/Ay4VTMC2[13:50:30] *** gencha has joined #postfix[13:50:30] *** reisi has joined #postfix[13:52:16] <bubbles|> do you need anything else joschi?[13:52:25] <joschi> bubbles|: logs[13:52:36] <bubbles|> which ones? where do i find them?[13:54:04] <joschi> bubbles|: that depends on the configuration of your syslog-daemon. most probably in /var/log/mail.log[13:54:35] <bubbles|> hm.. ok, that one is rather long[13:55:18] *** jelly has quit IRC[13:55:19] <bubbles|> http://pastebin.com/nuMfmRLi <- these are the last few lines[13:55:25] <bubbles|> is that sufficient?[13:55:50] *** Zordrak has quit IRC[13:56:05] <bubbles|> http://pastebin.com/ji8AAe00 <-- mail.info[13:56:58] *** AstralStorm has joined #postfix[13:59:09] *** saurabhb has joined #postfix[13:59:59] <joschi> "fatal: dict_open: unsupported dictionary type: bash: Is the postfix-bash package installed?"[14:00:16] <joschi> bubbles|: and now recheck your main.cf[14:00:28] <joschi> hint: it has something to do with a typo (bash -> hash)[14:01:14] <bubbles|> virtual_mailbox_maps = bash:/etc/postfix/vmaps <- this line?[14:01:36] *** bezourox has quit IRC[14:04:41] <bubbles|> that seems to have been it, thanks[14:08:15] *** jelly has joined #postfix[14:13:19] *** dragonheart has quit IRC[14:14:22] *** bezourox has joined #postfix[14:22:38] *** Section1 has joined #postfix[14:26:42] <mihamina> I would like to setup a specific relay host to some client IP address. How to? I already saw sender_dependent_relayhost_maps but it's "per sender", not per client IP[14:27:28] *** canton_ has left #postfix[14:37:28] *** wdp_ has joined #postfix[14:40:52] *** wdp has quit IRC[14:42:21] *** founddeath has joined #postfix[14:46:16] *** JoKoT3 has quit IRC[14:47:26] *** sebuccino has quit IRC[14:50:21] *** brancaleone has joined #postfix[14:55:04] *** JoKoT3 has joined #postfix[15:05:49] *** BenTheDesigner has left #postfix[15:08:35] *** ribasushi has left #postfix[15:25:57] <bubbles|> telneting to postfix and writing mails works, but sending mails from gmail results in 550 550 <x at domain dot net>: Recipient address rejected: Access denied (state 14).[15:26:05] <bubbles|> i can't find anything in the log[15:27:50] *** higuita has quit IRC[15:28:25] <bubbles|> hm... cat /var/log/mail.info |grep client doesn't even list google/gmail[15:28:35] <Aprogas> How are you sending the mails to gmail?[15:29:48] <f3ew> bubbles| UUOC[15:29:59] <f3ew> Also, which domain, and is the MX record correct?[15:30:06] <bubbles|> no, i'm sending them from gmail to my server[15:30:12] <bubbles|> domain is qeleshi.net[15:30:22] *** higuita has joined #postfix[15:30:33] <bubbles|> i'm not sure about the mx records, but there are 2 of them..[15:30:49] <f3ew> mihamina, check_client_access and FILTER (see access(5) or http://www.postfix.org/access.5.html )[15:33:06] <Aprogas> bubbles|: Both mx1 and mx2 seem to resolve to the same IP-address.[15:33:21] <Aprogas> This won't break delivery per se, but it does indicate MX might be misconfigured.[15:33:24] <bubbles|> yes, it is only one server[15:33:39] <bubbles|> should i delete one of the entries?[15:34:18] <Aprogas> If you're not going to run a backup MX, don't specify one either.[15:34:35] <bubbles|> ok, i'll delete that one then[15:34:57] <bubbles|> e-mail address is gw at qeleshi dot net if you want to try it out yourself[15:36:17] <Aprogas> Is vs120079.tuxtools.net your server?[15:36:19] <bubbles|> is there anything more to mx than just the dns-entry?[15:36:30] <bubbles|> hm.. one moment[15:37:16] <Aprogas> MX has a priority and a hostname.[15:37:49] <bubbles|> no that is not my server[15:38:05] *** denis_ has quit IRC[15:38:14] *** G has joined #postfix[15:38:23] <bubbles|> where did you get that address?[15:39:17] <Aprogas> Oh, I accidently did qeleshi.com[15:40:01] <bubbles|> oh, that's mine too, but that's not a vserver[15:40:12] <bubbles|> emails there work fine[15:40:33] <Aprogas> My RCPT TO was accepted, I QUIT before DATA.[15:41:27] <bubbles|> should i be able to see someting in the log?[15:42:18] <Aprogas> Probably, but if you don't, you're MX is definitely set wrong.[15:42:47] <bubbles|> this line keeps repeating in the log: Sep 6 15:40:01 hc042058 postfix/virtual[15721]: CAEBAFEC8959: to=<smmsp at qeleshi dot net>, relay=virtual, delay=0.01, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (unknown user: "smmsp at qeleshi dot net")[15:43:01] <bubbles|> where does that address come from?[15:43:35] *** weedar has quit IRC[15:43:59] *** weedar has joined #postfix[15:44:57] <bubbles|> hm.. i still don't see anything in the log except my test-mails[15:45:21] <Aprogas> What is the IP-address of your mailserver?[15:45:34] <bubbles|> ahh... the mx entry is to mx1.qeleshi.com :x[15:45:52] <bubbles|> it should be .net[15:46:35] *** Vivek has joined #postfix[15:47:41] <Aprogas> Why are you running two such similar domains on different servers?[15:48:17] <bubbles|> .com is a shared hosting pakage[15:50:37] *** henriknj has joined #postfix[15:57:19] *** Tykling has joined #postfix[16:00:36] <bubbles|> the next thing i need to do then is signal a running process about an incomming mail, how do i do that?[16:05:52] <Aprogas> You can pipe to a process, it will get run and be fed the incoming mail.[16:08:11] *** swombat_ is now known as swombat[16:10:25] *** weedar has quit IRC[16:14:30] *** pinoyskull has quit IRC[16:17:25] *** RLGyde has joined #postfix[16:20:14] <bubbles|> hm.. is there maybe a simple tutorial for pipe? google doesn't seem to be much help :\[16:20:20] *** JonnyV has joined #postfix[16:23:08] <RLGyde> Hey, I am runing a mailwall with postfix/amavis/spamassasin, and it relays the mail to a exchangserver via transport map. Now my exchange ppl have some problems, and they have asked if it where posible for me to keep a copy all mails I deliver to them (so that I coud resend them if needed - I know its crasy, exchange what can I say). Can you propose a solution ?[16:25:35] *** madduck has quit IRC[16:27:22] <Aprogas> There are some settings like always_bcc, but in my opinion if their mailserver is having problems, it shouldn't accept messages, but defer or even reject.[16:28:11] <Aprogas> I think you should look into documentation for setting up a backup MX, since your server will be sort of behaving like one if the exchange is down.[16:28:42] *** e-jones has quit IRC[16:28:45] *** madduck_ has joined #postfix[16:28:50] *** madduck__ has joined #postfix[16:29:15] *** madduck__ has quit IRC[16:29:51] *** madduck_ has joined #postfix[16:36:24] <RLGyde> Aprogas: the problem for my windows ppl, is that the exchang do accept and queue the mail, but then its gone. The error seams to be abit random, thats why they woud like that I coud resend them manual from time to time.[16:39:26] <Aprogas> Is it feasible to not send any mail to that server at all ever? :) Silently dropping mail at random is not really acceptable for a mailserver.[16:40:47] <RLGyde> Aprogas: I agree, but I try to stay out of it... I will have a look at the always_bcc and see if I can cock somthing up[16:41:22] *** karlgus has quit IRC[16:41:38] <Aprogas> Do they know when their mailserver is and isn't flaky? How long does a period of flakiness last?[16:41:55] <Aprogas> Or do they just want to store all mail, and only reactively recover reported lost mails?[16:42:52] *** Verilium has quit IRC[16:43:49] <RLGyde> hehe... they did have one episode where it happend for all mail resived in a 6h intavl, but now all seams to be fine, but well it might fuckup agen.[16:44:12] *** xpeed has quit IRC[16:45:02] <RLGyde> I have not askede to mutch, only notede to them that they have given me a: 250 Ok: queued ...[16:46:00] <f3ew> bubbles| man 8 pipe[16:46:44] <bubbles|> yes, that what google gives me too, but that's not so simple[16:47:53] <Aprogas> bubbles|: For local aliases, you can do things like mailman-bounce: "|/usr/local/mailman/bin/mailman"[16:48:12] <Aprogas> That is the most simple way, but doesn't work on virtual domains.[16:52:20] <f3ew> bubbles| there's an example pipe in master.cf[16:52:41] <bubbles|> hm.. ok, thanks[16:56:45] *** JonnyV has quit IRC[16:56:53] *** Verilium has joined #postfix[17:02:29] *** UQlev has joined #postfix[17:03:02] *** makomi has joined #postfix[17:04:06] *** makomi_ has joined #postfix[17:04:06] *** makomi has quit IRC[17:04:25] *** [Sergiu] is now known as [sergiu][17:05:08] *** cga has quit IRC[17:12:15] *** smica has joined #postfix[17:13:15] *** kervel has joined #postfix[17:13:47] *** JonnyV has joined #postfix[17:19:58] *** forsberg has joined #postfix[17:26:42] *** mihamina has left #postfix[17:30:19] *** shal3r has quit IRC[18:01:34] *** kervel has quit IRC[18:03:52] *** Southron has joined #postfix[18:16:56] *** Swaagie has quit IRC[18:17:58] *** Wilkins has quit IRC[18:49:15] *** higuita has quit IRC[18:49:42] *** Knoedel2 has joined #postfix[18:51:45] *** higuita has joined #postfix[18:52:17] *** cga has joined #postfix[18:52:22] *** brancaleone has quit IRC[19:01:32] *** UQlev has quit IRC[19:10:16] *** friskd has quit IRC[19:10:23] *** neorise-rider has joined #postfix[19:25:17] *** tharkun has joined #postfix[19:37:49] *** makomi_ has quit IRC[19:43:55] *** cga_ has joined #postfix[19:44:07] *** cga_ has quit IRC[19:44:07] *** cga has quit IRC[20:00:12] *** Twinkletoes has quit IRC[20:12:12] *** praedor has joined #postfix[20:20:02] *** kervel has joined #postfix[20:27:47] *** alxgomz has joined #postfix[20:28:54] <alxgomz> Hello If I set a specific transport in master.cf (in order to deliver mails at a special rate to specific destination) Does the name of the transport is used or will still see postfix/Smtp?[20:29:19] <adaptr> !transport[20:29:20] <knoba> adaptr: "transport" : transport(5) The optional transport(5) table specifies a mapping from email addresses to message delivery transports and next- hop destinations. Look at: http://www.postfix.org/transport.5.html[20:29:23] <adaptr> bah[20:29:53] <adaptr> alxgomz: are you not seeing what you expected to see[20:29:56] <rob0> !syslog_name[20:29:56] <knoba> rob0: "syslog_name" : a configuration parameter in the main.cf: The mail system name that is prepended to the process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd".[20:30:42] <rob0> FWIW generally these rate-limited transports are a bad idea.[20:30:53] <adaptr> I was thinking about saying that, but I forgot why[20:30:59] * rob0 guesses it's Yahoo[20:31:04] <alxgomz> right[20:31:11] <adaptr> I'm willing to bet 5 of your dollars, rob0[20:31:27] * rob0 scoops up the pot-o-dollars[20:32:16] <alxgomz> so following what Yahoo! publish as their general mail policy is a bad idea?[20:39:37] <alxgomz> knoba: thx syslog_name does the trick, even if i expect the later part (smtp) to be replaced by the name of the transport.[20:40:29] <rob0> !yahoo[20:40:30] <knoba> rob0: "yahoo" : Yahoo and other providers throttle inbound connections in an attempt to reduce spam. If you're a big operator, talk to them about whitelisting. If not, just wait for the retry, your mail eventually goes through. For bulk mail issues this contact is helpful: <mail-abuse-bulk at cc dot yahoo-inc.com>[20:40:37] *** jlaunay has joined #postfix[20:46:38] *** AstralSt` has joined #postfix[20:50:46] *** higuita has quit IRC[20:53:49] *** higuita has joined #postfix[20:56:38] *** MAAAAD has joined #postfix[21:07:07] *** leroux has joined #postfix[21:12:45] *** smica has quit IRC[21:13:22] *** weedar has joined #postfix[21:14:52] *** lepine_ has quit IRC[21:16:57] *** lepine has joined #postfix[21:17:14] *** smica has joined #postfix[21:17:36] *** lifeofguenter has quit IRC[21:17:44] *** Dessa has quit IRC[21:20:29] *** makomi has joined #postfix[21:21:46] *** mandragor has joined #postfix[21:21:47] *** weedar has quit IRC[21:27:34] *** niki has joined #postfix[21:27:41] *** brancaleone has joined #postfix[21:29:39] *** saurabhb has quit IRC[21:29:53] *** GOrshkOFF has joined #postfix[21:30:54] *** Vivek has quit IRC[21:30:57] <GOrshkOFF> hi all! Tell me, how can I enable authorization in postfix via system users?[21:31:13] <GOrshkOFF> /etc/passwd[21:31:34] <Aprogas> !tell GOrshkOFF sasl[21:31:34] <knoba> GOrshkOFF: "sasl" : SASL is 'Simple Authentication and Security Layer', necessary for SMTP AUTH, and provided to Postfix by addin software. Cyrus SASL and/or Dovecot IMAP/POP3 can provide SASL. See http://www.postfix.org/SASL_README.html for details.[21:32:19] <GOrshkOFF> I can`t do this without addons?[21:32:52] <GOrshkOFF> only same tools like sasl?[21:32:53] *** bubbles| has quit IRC[21:34:37] <Aprogas> Postfix does not implement SASL itself.[21:42:43] *** Vivek has joined #postfix[21:43:17] *** Vivek has quit IRC[21:43:18] *** Vivek has joined #postfix[21:52:17] *** RamsesFSFE has joined #postfix[21:52:27] <RamsesFSFE> hi all[21:53:55] <RamsesFSFE> I have a problem with postfix. I have a mysql setup, and mail addresses on all domains work fine except for one which keeps producing a "user unknown in local recipient table". I double checked the mysql entries, they look ok.[21:54:00] <RamsesFSFE> Any ideas?[21:54:40] *** alxgomz has left #postfix[21:55:33] <rob0> !unknown_local[21:55:34] <knoba> rob0: "unknown_local" : User unknown in local recipient table means that the recipient domain was found in $mydestination but the username was not found in local_recipient_maps (by default: users in /etc/passwd and aliases(5) in /etc/aliases).[21:56:18] <RamsesFSFE> knoba: thx[21:59:40] *** demetan has joined #postfix[22:00:08] <RamsesFSFE> knoba: but that doesn't seem to be the problem. the username does exist[22:00:37] *** dustybin has joined #postfix[22:00:39] <dustybin> i run a mail server at home, it has 2 accounts, i have registed one account with amazon and amazon can send mail back ok, however, i have another account and amazon will not send any email to it for some unknown reason, could this be down to the way ive setup DNS / Postfix or because im running a mail server from my home box?[22:00:50] *** ZykoticK9 has joined #postfix[22:01:00] <demetan> hi[22:01:11] *** ZykoticK9 has left #postfix[22:01:23] <thumbs> !tell dustybin welcome[22:01:23] <knoba> dustybin: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[22:01:39] <dustybin> thumbs: eek your here as well[22:01:45] <thumbs> dustybin: yes.[22:01:58] <demetan> I am looking for automatic translation on mails[22:02:41] <rob0> !tell RamsesFSFE knoba[22:02:41] <knoba> RamsesFSFE: "knoba" : an informational bot in this channel (see http://workaround.org/f=postfix)[22:03:38] <dustybin> when i ask amazon to send a email out for password recovery, the mail never reaches my box, so i assume amazon is blocking the mail.[22:04:05] <rob0> !tell dustybin no_logs[22:04:05] <knoba> dustybin: "no_logs" : Nothing in your mail logs commonly means one of two things: either your syslogd is broken (try restarting it), or the connections are not coming to your server. Check your firewall/networking and the DNS for the domain in question. also see !logs.[22:04:29] <dustybin> rob0: i do get a log on another account what works[22:05:02] <dustybin> john at mybox dot net works bob at mybox dot net doesnt work they both share the same domain nam[22:05:17] <Aprogas> I think you should read the !welcome factoid again, it explains how to know which information we'll need from you.[22:05:39] <RamsesFSFE> rob0: oh, ok, thx[22:05:48] *** lifeofguenter has joined #postfix[22:06:07] <Aprogas> RamsesFSFE: Is your Postfix recognizing the domain-part of the email-address as local?[22:06:11] <dustybin> su[22:06:28] <rob0> mybox.net. 600 IN A 208.73.210.28[22:06:31] <RamsesFSFE> Aprogas: how can I check this?[22:06:42] <Aprogas> RamsesFSFE: In your logfiles and your configuration.[22:06:53] <Aprogas> RamsesFSFE: rob0 already told you about mydestination[22:07:04] <rob0> RamsesFSFE, reread the factoid, it DOES tell you what to check.[22:07:20] <rob0> It really IS the problem, trust me.[22:07:50] <rob0> You might also want to see:[22:07:53] <rob0> !virtual[22:07:54] <knoba> rob0: "virtual" : a way to configure additional domains and user accounts (that do not need to exist in your /etc/passwd). See: http://www.postfix.org/VIRTUAL_README.html[22:08:02] <rob0> !address_classes[22:08:02] <knoba> rob0: "address_classes" : http://www.postfix.org/ADDRESS_CLASS_README.html describes how Postfix deals with different classes of addresses: local, relay, virtual alias, virtual mailbox, and Internet.[22:08:04] *** Matic`Makovec has joined #postfix[22:14:28] *** schello has joined #postfix[22:14:29] <schello> hi[22:14:31] <schello> i have a question[22:15:00] <schello> i have the postfix configure at all but i have problems with some emails that are rejected for unknown host[22:15:19] <schello> how i can do to pass this mails? reject_....?[22:15:38] <Aprogas> !tell schello welcome[22:15:38] <knoba> schello: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[22:17:15] <schello> [Aprogas] is not my first time[22:17:25] *** schello is now known as jokk[22:17:47] *** RamsesFSFE has left #postfix[22:17:52] <jokk> but some mail servers dont have the postfix/qmail... well configured[22:18:08] <jokk> and then the postfix reject the mail because the host its not the same as the host domain[22:18:15] <jokk> then what can i do to pass this mails?[22:18:46] <jokk> which is the reject restriction that if you enable it then some real mails can be confused as Spam?[22:18:59] *** maconga has joined #postfix[22:19:01] <Aprogas> You enabled this restriction, it is not enabled by default.[22:19:17] <Aprogas> !tell jokk access[22:19:18] <knoba> jokk: "access" : http://www.postfix.org/SMTPD_ACCESS_README.html : An overview of access(5) controls in the Postfix smtpd(8) SMTP server.[22:19:51] <jokk> yes[22:19:55] <jokk> but which restriction is?[22:20:27] <rob0> !wag[22:20:28] <knoba> rob0: "wag" : WAG: Wild-assed guess ... rarely, if ever, of much use in debugging problems. See !welcome and /topic and !debug.[22:20:50] <Aprogas> If you quickly skim that document, you'll find links that take you directly to the relevant _restrictions in the main.cf documentation.[22:21:32] <Aprogas> Each level of restriction has a list of restrictions that can be used; you should find the one relating to rejecting unknown hostnames there.[22:21:34] <jokk> one time i see a .txt file that have an example[22:21:57] <rob0> Oh yeah ... a .txt file![22:22:07] <jokk> form the Topic of this channel[22:22:26] *** uqlev has joined #postfix[22:22:53] <jokk> my server says: client host rejected: cannot find your hostname,[22:23:06] <jokk> i add the senders that are reals to a whitelist but this is not the best solution[22:23:24] <Aprogas> So your server is rejecting clients with unknown hostnames?[22:23:29] <jokk> yes[22:23:53] <jokk> but then some real domains are rejected[22:24:06] <jokk> because send using a program[22:24:11] <Aprogas> Have you looked at your current list of restrictions?[22:24:19] <jokk> yes[22:24:30] <Aprogas> Care to pastebin your postconf -n ?[22:24:31] *** maconga has quit IRC[22:24:35] <jokk> yes[22:25:12] <jokk> well i put the cat of postfix[22:25:16] <jokk> of the main.cf[22:25:23] <jokk> http://pastebin.com/eA2DPGv2[22:25:27] <Aprogas> We strongly prefer postconf -n instead[22:25:34] <jokk> ok i put postconf -n[22:26:03] <Aprogas> Oh, you put only your _restrictions part, whit whitespacing intact. That is okay, but postconf -n is still useful.[22:26:09] <jokk> but -n puts the restrictions using <TAB> and not <BR>[22:26:27] <jokk> ok[22:27:33] <Aprogas> cbl.abuseat.org is included in zen.spamhaus.org, no need to check both.[22:28:01] <jokk> thanks i dont know this[22:28:05] *** makomi has quit IRC[22:28:06] <jokk> i uplaod the postconf .-n[22:28:12] <Aprogas> Also some of your restrictions seem to use old format, e.g. reject_unknown_client and reject_invalid_hostname[22:28:23] <Aprogas> Replace them by their newer variants.[22:28:28] <jokk> http://pastebin.com/2JdhHq5U[22:28:44] <jokk> mm[22:28:53] <jokk> but still exist this 2 rejects[22:28:59] <rob0> reject_unknown_client is now reject_unknown_client_hostname, and would cause "client host rejected: cannot find your hostname" if no FCrDNS.[22:29:41] <jokk> then[22:29:48] <jokk> i comment it[22:29:51] <rob0> But you really ought to try to figure out how the whole access(5) thing works.[22:29:54] <Aprogas> How sensible is reject_unknown_sender_domain by the way? I am contemplating on whether to use it or not.[22:29:55] <jokk> because this reject deletes real messages[22:30:19] <Aprogas> Not sure if commenting works right in a multi-line definition.[22:30:21] <rob0> reject_unknown_sender_domain is safe and IMO a good idea to use, even for your own submission users.[22:30:39] <Aprogas> rob0: Because it verifies bounces can go somewhere sensible, and error is only a defer?[22:30:49] <rob0> You want to be stuck trying to deliver an undeliverable bounce?[22:31:01] <jokk> the more sensibl is the reject_unknow_client_hostname?[22:31:26] <Aprogas> rob0: Probably not. I guess I already knew it would be sensible, I just wanted a confirmation.[22:31:51] <rob0> reject_unknown_reverse_client_hostname is less aggressive (only rejects if no PTR for a host, and many big sites do this.)[22:32:15] * Aprogas shamefully has to admit being co-admin of a site without revDNS (and running exim4)[22:32:17] <jokk> i put this one[22:33:21] <jokk> any other to comment that is very sensible?[22:33:40] <jokk> Also amavis is very sensible[22:33:45] <jokk> puts as Spam normal mails[22:35:10] <Aprogas> Which policy daemon are you using?[22:35:23] <jokk> SPF?[22:35:28] <Aprogas> Ok.[22:35:36] <jokk> but ths is at the end[22:35:46] <jokk> then i use amavis with spamassassin for incoming[22:36:24] <jokk> also i see some: Sender address reject[22:36:24] <jokk> ed: Domain not found;[22:36:40] <jokk> with domain Example at dddd dot local[22:36:49] <Aprogas> Yes, that will happen.[22:38:19] <jokk> but this mail is normal :S?xd[22:38:30] <jokk> .local to strange but the domain its a real company[22:38:35] *** johnb_ has joined #postfix[22:38:51] <rob0> !.local[22:38:52] <knoba> rob0: Error: ".local" is not a valid command.[22:39:17] <johnb_> !welcome[22:39:17] <knoba> johnb_: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[22:39:32] <jokk> i see xd[22:39:40] <rob0> .local is used in zeroconf http://en.wikipedia.org/wiki/Zero_configuration_networking[22:39:46] <johnb_> can I ask a question?[22:39:59] <jokk> mm[22:40:10] <jokk> one day i SEE a txt file from topic, anyone knows it?[22:40:10] <rob0> why wouldn't you want to reject a bad sender address? Why would any site accept it?[22:40:27] <johnb_> so I cant ask a question if im not registered right?[22:40:36] <jokk> this file: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt[22:40:44] <rob0> !cheatsheet[22:40:45] <knoba> rob0: "cheatsheet" : http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt : A HOWTO for pre-DATA spam control.[22:41:05] <jokk> [rob0] because many severse have the mail not well configured[22:41:19] <jokk> and then my mailboxes dont recive emails from this servers[22:41:59] <rob0> huh? We're talking about unknown SENDER domain. How can your users reply to an unknown sender?[22:42:23] <rob0> ok, enough for now, I have to get busy on other stuff, bbl.[22:42:46] <jokk> yes[22:42:52] <jokk> this is not a problem about this reject[22:42:58] <Aprogas> Postfix has hardcoded to not apply restrictions to mail to <postmaster>, but the same hardcode doesn't apply to <postmaster@local_virtual_or_relay_domain>, so I'd like to specify that myself above my rejects for non_fqdn and unknown helo/sender/recipient. I am not sure how to safely do this though without having to qualify all domains.[22:43:01] <jokk> the problem was on : reject_unknown_client_hostname[22:43:28] <Aprogas> Would something like "postmaster@ permit_auth_destination" as top check_recipient_access be safe?[22:44:01] <jokk> i lose[22:47:16] *** AstralStorm has quit IRC[22:48:38] <jokk> [Aprogas] i do you use the reject_unknown_client ?[22:48:42] <jokk> ore reverse?[22:49:27] *** tharkun has quit IRC[22:49:43] *** freaky[t] has quit IRC[22:50:02] <Aprogas> jokk: neither[22:51:22] <jokk> this is necesary? reject_non_fqdn_hostname[22:51:32] *** bubbles| has joined #postfix[22:51:35] <bubbles|> hi[22:51:39] <jokk> i have this other one: check_helo_access hash:/etc/postfix/helo_checks,[22:51:40] <Aprogas> jokk: It can make sense, but it is not necessary.[22:52:00] <bubbles|> how do i use pipe to send sigusr1 to a running process?[22:52:07] <dustybin> there was nothing wrong with amazon after all, for some unknown reason amazon doesnt warn you if a account doesnt exist[22:52:13] *** AstralSt` is now known as AstralStorm[22:52:33] <dustybin> so you think its going to send out a password but it never does[22:52:35] <jokk> oh now now my server its game over[22:52:45] *** johnb_ has quit IRC[22:52:46] <Aprogas> bubbles|: Do you want to keep the contents of the email?[22:53:05] <Aprogas> jokk: depends on the contents of helo_checks whether that is sensible[22:53:13] <bubbles|> yes, the email should be saved in the maildir directory[22:53:44] <Aprogas> bubbles|: oh, then you don't want to pipe to a process; I thought you wanted to process the email with some special program[22:53:56] <Aprogas> bubbles|: why do you want to signal?[22:54:02] <jokk> of corse but now my server dont response..shit[22:54:29] <Aprogas> jokk: What did you do?[22:55:42] <bubbles|> i need the other programm to know there's an incoming mail[22:56:07] <bubbles|> pipe-ing the whole mail to the process would be fine, but i can't figure out how to do that to an already running php programm[22:56:19] <bubbles|> so i want to send a signal and have php look in the folder for the mail[22:56:28] <jokk> only comment the reject_unknown_client[22:56:31] <jokk> and then restart postfixe[22:56:39] <jokk> 10 mintus later the server dont go[22:57:00] *** freaky[t] has joined #postfix[22:57:14] *** Vivek has quit IRC[22:57:48] <jokk> well i go to read in 30 minuts i will try[22:58:09] <jokk> the server is a little damaged[22:58:28] <jokk> have many apache requests that wants to exedcute a .exe that dont exist[22:58:37] <jokk> and then these conections hangs my server[22:58:55] <jokk> i put an anti-ddos atack using mod_evasive but nothing[22:59:47] <jokk> Now goes[22:59:54] <Aprogas> !tell jokk why[22:59:54] <knoba> jokk: "why" : are you sure that installing, configuring and maintaining a mailserver is really what you want to do here? it's not something that's for the faint of heart, and definitely not something for folks that are still just learning the basics of linux or unix. also see !nullclient[23:01:50] <jokk> [Aprogas] you have this enabled? reject_non_fqdn_hostname[23:01:53] <Aprogas> My testing so far seems to indicated my check_recipient_access with "postmaster@ permit_auth_destination" as top restriction works as intended.[23:02:08] <Aprogas> jokk: Yes, but I call it reject_non_fqdn_helo_hostname.[23:03:05] <jokk> and if the helo is like: myown.server.com[23:03:11] <jokk> then you can recive it?[23:05:17] <bubbles|> is there no way to send a signal when a mail comes in?[23:06:13] <Aprogas> Would someone care to test if they can relay via nvidium.soleus.nu by exploiting my "whitelisting" of postmaster@ and abuse@ and then report to me to if they discover I left a hole.[23:06:18] <adaptr> bubbles|: plenty[23:06:33] <bubbles|> what would you suggest adaptr?[23:06:36] <adaptr> Aprogas: do you mean you left a hole to discover, or you wonder if there is one[23:06:43] <adaptr> bubbles|: ANY mail ?[23:06:59] <Aprogas> adaptr: I wonder if there is one.[23:07:08] *** jokk has quit IRC[23:07:10] <bubbles|> can i limit it to a group of recepient-addresses?[23:07:29] <adaptr> what signal[23:07:33] <Aprogas> <postmaster at my dot domains.tld> is meant to be accepted, as is <postmaster>, but not <postmaster at remote dot domain.tld>[23:07:34] <bubbles|> sigusr1[23:07:38] <adaptr> did you consider that "email" is a signal[23:07:50] <bubbles|> no i mean a system-signal[23:07:57] <adaptr> pipe it to a script in your alias file and do whatever[23:08:12] <bubbles|> hm.. ok[23:08:34] <bubbles|> what is the alias file?[23:08:40] <adaptr> Aprogas: if you didn't change it from the last time I checked, it's fine[23:08:41] <Aprogas> Piping to a script is a method of final delivery; the script must handle storing the contents somewhere.[23:08:50] <adaptr> bubbles|: you lack knowledge. don't do email. it's not for you.[23:09:06] <Aprogas> adaptr: I did change it. I whitelisted postmaster@ and abuse@ as top restriction. Hold on while I'll pastie what I've done.[23:09:19] <bubbles|> adaptr i have to[23:09:28] <adaptr> on pain of pain ?[23:09:53] <bubbles|> is it that complex?[23:10:08] <adaptr> I just told you how to do it. you can make it as complex as you like[23:10:37] <adaptr> however, somebody who does not know what an alias file is should not administer a mail server[23:11:01] <Trengo> unless its windows[23:11:16] <Trengo> windows doesnt have files does it?[23:11:23] <Trengo> its all in The Registry (TM)[23:11:52] <Aprogas> http://pastie.org/private/613qersxs6u7zd6idndjma[23:11:57] *** olek has joined #postfix[23:14:00] <Aprogas> Basically I put a recipient_access above reject_unauth_destination, so I want to make 100% sure everything is okay.[23:14:08] <Aprogas> Oh, and I shouldn't forget to turn off soft_bounce either.[23:14:50] <adaptr> you put a recipient check that only accepts auth destination. I don't see the problem[23:16:15] *** Matic`Makovec has quit IRC[23:17:55] *** henriknj has quit IRC[23:18:50] *** founddeath has quit IRC[23:18:52] <Aprogas> It's the first time I've done this, I wanted to make super-sure.[23:19:00] <adaptr> follow the logic[23:19:11] <adaptr> $dickwad sends to postmaster[23:19:17] <adaptr> recipient is checked[23:19:23] <adaptr> if auth destination, PERMIT[23:19:25] <adaptr> end of story[23:19:59] <Aprogas> Yes, I know all this, but I always check such things with an outsider too, because my brain sometimes deceives me. So now I have confirmation and I'll leave it like this.[23:20:15] <adaptr> if I started distrusting my brain I'd never get any work done![23:20:34] <Aprogas> Yeah, that sounds like me most of the time.[23:21:59] <adaptr> what should have been a 20-minute firewall change ran into a 5-hour-long headdesk session today... until I discovered that it was the catalyst, routing shit, that caused the symptoms[23:22:44] <Aprogas> So you were fixing a machine while the problem was in the networking?[23:22:54] <adaptr> a firewall is still networking[23:23:09] <adaptr> I wouldn't call an ASA a machine - it's a damn sexy machine[23:24:45] <Aprogas> Yesterday I spent 10 minutes figuring out why vim would no longer accept my ":set parse" before entering insert-mode to paste text. At first I suspect my .vimrc didn't exist in that virtualbox installation, but it did; I also checked on my main system on which it always worked, didn't work there either. I tried ":h parse" and it returned no help-text. After 10 minutes of feeling my sanity slip away, I suddenly realised the word I was looking fo[23:25:15] <adaptr> was "pastebin"[23:26:05] * adaptr doesn't touch vivimacs with a 10-foot cattle prod. lazy is good. nano is lazy. mc is even more lazy[23:26:55] <Aprogas> I got forced into vi in my early Linux days (highschool peer pressure and all that), but in retrospect I am happy for that.[23:28:25] * adaptr tries to remember early linux days, but recoils from memories of red hat 6[23:29:04] <Aprogas> I started out with Red Hat too.[23:29:39] <adaptr> I used it up until.. oooh.. when my 7.1 -> 7.2 upgrqade broke stuff[23:30:05] <adaptr> plunged headlong into debian, didn't like it much, switched to gentoo, messed with that for a year or so - painful, very painful[23:30:19] <Aprogas> I think after Red Hat, I was at Debian for a short while, and then I got force-converted to FreeBSD.[23:30:27] <adaptr> ended up with ubuntu - braindead, super-stupid defaults, but works OOTB and is still tweakable[23:30:47] <adaptr> now preparing to convert anything that dies to slackware[23:30:55] <Aprogas> And now after years I am stuck with Debian again because it runs more reliable in VPS than FreeBSD.[23:31:58] <Aprogas> I was considering Ubuntu Server for a bit, if only because it's packages are more up-to-date than Debian.[23:32:14] <Aprogas> I might consider Slackware, since it's been around for all this time, there must be something to it.[23:32:21] <adaptr> about 3 years more up to date, yes[23:32:40] <adaptr> slackware is rock-solid. not a lot to update, so not a lot of crap either[23:32:57] <adaptr> and you can trim a server down to freebse-volumes - a few hundred mb or so[23:33:43] *** tharkun has joined #postfix[23:33:47] <adaptr> we use Ubuntu at work a lot, because they're simple to deploy and get going[23:34:44] <Aprogas> I am having some trouble locating an accurate slackwave package list or browser.[23:38:13] <adaptr> um whut ?[23:38:22] <adaptr> for what purpose ? it comes with several tools[23:39:17] <Aprogas> For checking which version of postfix and some other things I use are at in their package repository.[23:40:09] *** axisys has quit IRC[23:40:30] *** axisys has joined #postfix[23:40:57] <Aprogas> In the end I did manage to find some package search engine; but I was distracted at first by non-functioning package browser at the official website.[23:41:43] <adaptr> postfix isn't in the stock distribution, but it's on SBo[23:41:58] <adaptr> you can trivially build from source though[23:42:08] <adaptr> slackware is very much FSH compliant[23:44:26] <adaptr> the version on SBo is 2.6.1, but there are slackbuilds for 2.7 and up[23:44:53] <Aprogas> I guess for now I'm going to stick to the slightly familiar Debian. And try to learn some iptables maybe.[23:48:47] <adaptr> the real point though is that there are fewer layers between you and the OS - the worst issues I have come across so far have to do with xterm or locale settings[23:50:04] <adaptr> a simple example - on a stock Ubuntu system, mdadm arrays are automatically checked every month - great! except that A. I did not ask for that, and I did not think to LOOK for it either (and nothing tells you this), and B. I have several 4TB arrays that take FIVE FUCKING HOURS TO CHECK[23:50:10] <adaptr> during which the machine is as good a sdead[23:50:28] <adaptr> yeah, great, thanks[23:51:18] <lennard> I think debian does that by default as well nowadays[23:51:25] <lennard> either that or I told it to, but I don't remember doing so :P[23:51:29] <adaptr> they should be hangded[23:51:43] <Aprogas> Heh, I had a "hackaton" with someone with Ubuntu on his laptop, he ran some auto-update, which broke his networking, with no method of regression; eventually we spend more time trying to fix his laptop, than doing what we actually were going to do.[23:52:12] <lennard> personally I kinda like the behavior[23:52:23] *** tharkun is now known as quill[23:52:47] *** quill is now known as tharkun[23:53:03] <lennard> and you can probably limit the rate of check, making the machinie less dead[23:53:18] <adaptr> lennard: IF you remember to set it before it runs! and nothing tells me it's going to run![23:53:20] <lennard> but, I admit, it may not be for everyone :)[23:53:31] <lennard> yes, well, now you know[23:53:36] <adaptr> lennard: I don't care. the *debian* man pages DO NOT TELL YOU there is a cron job[23:53:40] <adaptr> they suck[23:53:51] <lennard> yes allright, you made your opinion clear :P[23:54:01] <lennard> I'm fully convinced you don't like it :P[23:54:18] <adaptr> and even if there was no man page, ANY cron job that potentially kills my box for 5 straight hours should give me a friggin hint when it is installed[23:54:40] <adaptr> they really need to learn the meaning of "fail safe"[23:54:53] <adaptr> them, and ubn00bu, fail utterly in that concept[23:54:55] <Aprogas> Disk I/O has that nasty habit of not really being affected by high or low nice.[23:55:10] <adaptr> Aprogas: you can tell mdadm to max the rebuild/.check rate[23:55:27] <adaptr> but it was at 600MB/sec by default.. which doesn't really help[23:55:43] <lennard> by the way, about the remembering to set it - so let a cronjob take care of it[23:56:00] <adaptr> I could probably stand to lower it to 50MB, but then it will slow down when I need to rebuild - which should go fastest[23:56:08] <adaptr> lennard: you whut ?[23:56:19] <lennard> (not trying to defend the bahavior here, just shouting some ideas)[23:56:21] <adaptr> lennard: you don't get it. this is AS INSTALLED. cron job. runs every month.[23:56:26] <adaptr> I did nothing[23:56:37] <Aprogas> "Everything worked before and I did nothing"[23:56:37] <lennard> 23:59:45 < adaptr> lennard: IF you remember to set it before it runs! and nothing tells me it's going to run![23:56:50] <lennard> I was responding to that AND STOP SHOUTING PLEASE[23:56:51] <adaptr> yes.. bit of a chicken and egg there[23:57:01] <lennard> ok, fine, don't be reasonable[23:57:06] <lennard> its time for bed anyway[23:57:11] <adaptr> you only have to set it once obviously - please go elswhere if you don't know what I'm talking about[23:57:20] <Aprogas> I think adaptr meant that if you forget it the first time, you don't recall until too late.[23:57:33] <Aprogas> You are like "oh right, I should have done that after install".[23:57:58] <lennard> I was assuming you'd want to reset the speed to something high *after* the monthly check. please don't insult me. goodnight.[23:57:59] <adaptr> and I'd like to be told that shit has been scheduled that increases with the size of my arrays[23:58:21] <adaptr> lennard: insult you ? wow. bruise much ?[23:58:39] <Aprogas> I think lennard has gone to bed.[23:58:54] <Section1> centos has that feature too :D[23:59:10] <adaptr> THEY would call it a feature, yes