September 13, 2010 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | >
September 13, 2010 [00:02:14] *** noneo has quit IRC[00:02:27] *** noneo has joined #postfix[00:18:30] *** xabbu has quit IRC[00:19:29] *** lifeofguenter has joined #postfix[00:22:40] *** sedulous has joined #postfix[00:22:43] *** sedulous has quit IRC[00:22:58] *** sedulous has joined #postfix[00:23:15] *** sedulous has joined #postfix[00:23:18] *** sedulous has quit IRC[00:38:38] *** p3rror has quit IRC[00:39:18] *** p3rror has joined #postfix[00:45:05] *** torralbo has joined #postfix[00:48:24] *** henriknj has quit IRC[00:57:27] *** nihe has quit IRC[00:58:09] *** pyther has joined #postfix[01:01:38] <pyther> Hi[01:01:56] <pyther> What is the differences between the smtp config entries and the smtpd config enteries?[01:03:15] <thumbs> !smtp!=smtpd[01:03:15] <knoba> thumbs: "smtp!=smtpd" : Postfix smtp_* and smtpd_* configuration parameters have different meanings. smtp_ = client and smtpd_ = server, the client-side sends mail whilst the server-side receives mail. (smtp = client = sends mail) (smtpd = server = receives mail)[01:04:57] <pyther> thumbs: thanks[01:05:21] <thumbs> pyther: see also the postfix architecture overview.[01:05:23] <pyther> now the question becomes, how can I force users to use TLS while allowing other servers to use an unencrypted channel[01:05:25] <thumbs> !overview[01:05:25] <knoba> thumbs: "overview" : Postfix Architecture Overview : http://www.postfix.org/OVERVIEW.html[01:06:41] <thumbs> pyther: you can use the submission port and enforce TLS on it.[01:06:45] <thumbs> !submission[01:06:45] <knoba> thumbs: "submission" : Port 587 is submission, for user submission of mail, NOT suitable for mail exchange. See the commented example in master.cf. also see !msa, and rfc 2476 and 4409. Also read http://www.maawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf[01:08:05] <thumbs> pyther: port 25 should only be used for local delivery anyway[01:08:32] <pyther> Ok, I'm learning and this is all new to me, so I'll do some reading[01:08:33] <pyther> !msa[01:08:33] <knoba> pyther: "msa" : Message Submission Agent : a process which accepts message submissions from MUAs on port 587 known as 'message submission service' using the 'message submission protocol' defined by rfc4409. To enable message submission service in postfix uncomment the relevant lines in master.cf. also see !submission.[01:12:22] <pyther> thumbs: would you mind looking at my configuration please?[01:12:56] <thumbs> pyther: kinda busy now.[01:12:58] <thumbs> !tls[01:12:58] <knoba> thumbs: "tls" : Short for Transport Layer Security (RFC2246). It adds an additional layer of encryption to protocols such as SMTP, POP3 or IMAP to improve security during transmission over the Internet. TLS features in Postfix are documented here: http://www.postfix.org/TLS_README.html[01:13:36] <pyther> thumbs: well I enabled the submission part, but I want to make sure I have the proper smtpd settings[01:13:55] <thumbs> pyther: see the /topic[01:14:09] <thumbs> pyther: other folks can lend a hand, once you provide that information[01:14:47] <pyther> Well anyone willing to check this out, I would greatly appreciate it: http://paste.pocoo.org/show/261241/[01:16:59] <lunaphyte> you just want us to look at your config? that seems odd...[01:17:22] <pyther> I enabled submission, so do I still need all the smtpd stuff?[01:17:30] <lunaphyte> huh?[01:17:45] <pyther> all the smtpd config stuff[01:17:51] <lunaphyte> huh?[01:18:12] <lunaphyte> is there some problem? what is the *actual* question?[01:18:27] <pyther> Well I want to ensure my server is properly setup[01:18:33] <pyther> in master.cf I enabled submission inet n - n - - smtpd[01:19:04] <pyther> so I now I'm wondering if I need this smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination[01:19:13] <pyther> or this smtpd_sasl_type = dovecot[01:19:16] <lunaphyte> why are you wondering?[01:19:58] <pyther> I guess I don't clearly understand what the subission port does[01:20:12] <lunaphyte> hmm. what's not clear?[01:20:21] <pyther> well I can still send mail using port 25[01:20:33] <lunaphyte> send mail to where?[01:20:44] <pyther> to any address from within my mail client[01:20:59] <lunaphyte> oh, then you've got things set up poorly.[01:21:11] <lunaphyte> that should only be possible via submission.[01:21:26] <pyther> ok, I'm trying to figure out how to set that up correctly[01:21:40] <pyther> what do I need to remove to prevent me from sending mail through port 25?[01:23:03] *** dragonheart has joined #postfix[01:23:11] *** EagleWatch has quit IRC[01:23:21] <lunaphyte> you need to have different restriction setups for each. postfix should only accept mail for which it is the mx on port 25, and should not offer smtp auth. postfix should offer smtp auth (protected by tls) only on port 587, and should not accept any mail for further delivery unless there has ben a successful authentication.[01:23:27] <lunaphyte> gotta run, good luck.[01:24:13] <pyther> OK thanks, can anyone point me to some documentation on doing what lunaphyte stated?[01:26:41] *** pyco has quit IRC[01:28:16] *** pyco has joined #postfix[01:37:32] <thumbs> !sasl[01:37:32] <knoba> thumbs: "sasl" : SASL is 'Simple Authentication and Security Layer', necessary for SMTP AUTH, and provided to Postfix by addin software. Cyrus SASL and/or Dovecot IMAP/POP3 can provide SASL. See http://www.postfix.org/SASL_README.html for details.[01:37:40] <thumbs> pyther: that's smtp atuh.[01:38:51] <pyther> ok so is this a sane default: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination[01:38:55] <pyther> in master.cf[01:39:09] <pyther> that should only allow internal hosts to send mail via port 25 correct?[01:44:54] *** brancaleone has quit IRC[01:50:20] *** jlaunay has joined #postfix[02:00:32] <Tom-B> pyther by default smtp runs port 25, smtps 465 and submission 587[02:02:01] <Tom-B> If you want to allow different things on different ports you need to set a good default smtpd_recipient_restrictions in main.cf and override said setting for various things (smtp/smtps/submission) using " -o smtpd_recipient_restrictions=whatever,whatever,whatever" in master.cf[02:02:41] <Tom-B> Note the whitespace before -o in master.cf Note the lack of tolerance for any white spaces after the initial pre " -o" whitespace[02:03:32] <pyther> ahh ok that makes sense, so master.cf should be the most restrictive and then I can override things[02:03:56] <Tom-B> It's also worth noting that "smtp, smtps and submisson" are sperate instances of the smtp[02:04:18] <Tom-B> All with their own unique properties (with you set using " -o whatever"[02:04:28] <Tom-B> That's up to you.[02:04:36] <Tom-B> It's also worth noting that "smtp, smtps and submisson" are sperate instances of the smtpd[02:05:38] <Tom-B> The validty of your security hinges on smtpd_recipient_restrictions; do not look elsewhere, understand what each option does and the order in which they're parsed[02:06:17] <pyther> This is pretty good right? smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination[02:06:29] <pyther> I believe I understand how that gets parsed[02:06:50] <Tom-B> if you understand then you don't need me to verify if it's "pretty good" =)[02:08:52] <pyther> Well it should only allow mail from within and if my server is the last hop, correct?[02:16:12] *** loddafnir has quit IRC[02:19:26] *** loddafnir1 has joined #postfix[02:36:47] *** Moofius has quit IRC[02:58:31] <lunaphyte> this is where using restriction classes becomes particularly useful.[03:05:44] *** lepine has quit IRC[03:07:51] *** lepine has joined #postfix[03:18:05] *** Vivek has joined #postfix[03:18:17] *** Vivek has quit IRC[03:18:17] *** Vivek has joined #postfix[03:25:05] *** Tom-B has quit IRC[03:26:01] *** pinoyskull has joined #postfix[03:36:36] *** dragonheart has quit IRC[03:43:45] *** nihe has joined #postfix[03:59:09] *** johnjay has quit IRC[03:59:13] *** johnjay has joined #postfix[04:03:59] *** Mazon has quit IRC[04:05:55] *** Mazon has joined #postfix[04:31:33] *** higuita has joined #postfix[04:33:30] *** dragonheart has joined #postfix[04:36:40] *** niki has quit IRC[04:37:01] *** pyther has quit IRC[04:50:10] *** loddafnir1 has quit IRC[05:00:45] *** tjikkun has quit IRC[05:02:08] *** leroux has joined #postfix[05:02:46] *** leroux has quit IRC[05:09:52] *** kervel has quit IRC[05:11:25] *** higuita has quit IRC[05:13:52] *** higuita has joined #postfix[05:19:18] *** Vivek has quit IRC[05:22:21] *** tharkun has joined #postfix[05:23:37] *** pinoyskull has quit IRC[05:28:01] *** rajijoom has joined #postfix[05:32:42] *** Vivek has joined #postfix[05:32:54] *** neekfenwick_ has joined #postfix[05:33:42] *** tharkun has quit IRC[05:34:59] *** Vivek has quit IRC[05:34:59] *** Vivek has joined #postfix[05:35:08] *** koollman has quit IRC[05:35:43] *** koollman has joined #postfix[05:39:03] <will_> spam[05:49:04] *** grobe0ba is now known as grobe0ba|away[05:51:31] *** MAAAAAD has joined #postfix[05:54:56] *** MAAAAD has quit IRC[05:59:31] *** lifeofguenter has quit IRC[06:04:44] *** shmock has joined #postfix[06:22:00] *** denysonique has quit IRC[06:24:22] *** Motoko-chan has joined #postfix[06:32:06] *** navaki has joined #postfix[06:36:13] *** tryskall has joined #postfix[06:36:32] *** torralbo has quit IRC[06:37:51] *** navaki has quit IRC[06:38:44] *** navaki has joined #postfix[06:46:06] *** ebegin has joined #postfix[06:49:49] *** ebegin has left #postfix[07:01:32] *** Yvemath has joined #postfix[07:03:30] <Yvemath> i've a gmx.com account and i want my newly installed postfix installation to relay mails to GMX SMTP.. i've mutt sett to fetch emails from imap.gmx.com, but i'm confused about the relaying process. May i've a few suggesstions on what to do ?[07:05:00] <lunaphyte> i don't know what gmx.com is, but if they provide both an mra and an msa, why would postfix be needed at all?[07:05:27] <lunaphyte> you've got mutt set to retrieve message from them, just configure it to submit message to them as well.[07:05:33] <lunaphyte> *messages[07:07:17] <Yvemath> lunaphyte: i aint sure, is mutt suppossed to or is able to submit the messages to GMX smtp server :S[07:11:23] <lunaphyte> oh, that's right, i forgot, mutt only uses sendmail(1). i never did like it much because of that. anyway, my advice would be to use a better email client. one that can submit messages to an msa.[07:11:57] <Yvemath> lunaphyte: cant' i use postfix to do that? i've actually settled with mutt so far.[07:12:54] <lunaphyte> that sure would be silly. installing, configuring and maintaining an entire mta just so you can submit messages to your *real* mail server?[07:13:57] <lunaphyte> imagine if programs like thunderbird or other popular mail clients insisted on such requirements...[07:14:16] <Yvemath> lunaphyte: yeah, would be. i just need the fastest way, hehe. && i really don't like Graphical Email clients, they eat up RAM :([07:14:30] <lunaphyte> sorry, we don't do fast here. we do right.[07:15:17] <Yvemath> okay, w/e the postfix philosophy says^. :\[07:16:09] <lunaphyte> although i don't really understand the aversion to graphical user interfaces for email, since what good is ram for if not to be used, there was i time when i also didn't use a gui email client, and found pine to be a good program.[07:17:21] <lunaphyte> i can't even remember the last time i concerned myself with whether or not a trivial program like an email client was using too much ram. a drop in the bucket, if that.[07:18:49] *** higuita has quit IRC[07:18:55] <Yvemath> lunaphyte: with more than 5 workspaces open, with firefox, gimp, irssi+neusbeuter+mutt , geany , music/videoplayer daemon. I think, it's properly configured except the "Mutt" problem.[07:19:04] <lunaphyte> right now my mail client is using 144 mb of ram. that's 84 less than my web browser, both which sit idle at the moment.[07:19:31] <Yvemath> lunaphyte: an alternative way could be, If you would suggest a console email client other than mutt, which is also a mta rather than just being a mua.[07:20:01] *** klem has quit IRC[07:20:10] *** Vivek has quit IRC[07:20:20] <lunaphyte> yeah, that drivel they espouse about mail clients not being mtas is just plain technically wrong.[07:20:53] <Yvemath> lunaphyte: what is right to Mutt = Should use an alternative program to transfer mail messages to smtp server, but that's something which also conflicts with what postfix users think.[07:20:55] <lunaphyte> no end user email clients are mtas (nor msa, nor mras), regardless of if they can submit email to a mail server for delivery.[07:20:57] <Yvemath> :S[07:21:06] *** higuita has joined #postfix[07:22:06] <lunaphyte> yes, i'm aware of their babbling on the subject. nonetheless, i did suggest pine.[07:24:29] *** ebegin has joined #postfix[07:25:24] * ebegin is fighting to configure postfix on a debian machine[07:25:27] <lunaphyte> for reasons unknown to me, the mutt community seems to think that the ability to speak smtp (or submission, as it were) is the sole empirical characteristic that defines an mta. that, of course, is just absurd.[07:27:19] <lunaphyte> Yvemath: alternatively, you could also use a null client, which would accommodate mutt's insistence on using sendmail(1). of course, the downside would be that you'd just be enabling them.[07:30:38] <Yvemath> lunaphyte: using alpine, configuring it.[07:33:06] <lunaphyte> ah, that's right. i'd forgotten alpine had superseded pine.[07:34:10] *** klem has joined #postfix[07:36:07] *** Vivek has joined #postfix[07:37:51] *** loddafnir has joined #postfix[07:46:08] <cite> rob0: Thanks for keeping me posted on the spam-l development.[08:05:03] *** robotarmy has joined #postfix[08:09:31] *** robotarmy has quit IRC[08:11:10] *** mac- has quit IRC[08:17:49] *** Matic`Makovec has joined #postfix[08:32:17] *** karlgus has joined #postfix[08:33:04] *** Moofius has joined #postfix[08:38:07] *** Moofius has quit IRC[08:39:36] *** navaki has quit IRC[08:42:01] *** higuita has quit IRC[08:44:46] *** higuita has joined #postfix[08:53:40] *** WhoNeedszzz has joined #postfix[08:53:47] <WhoNeedszzz> Hey all[08:54:06] <WhoNeedszzz> I just upgraded dovecot, changed the config file, and now postfix isn't starting[08:54:09] <WhoNeedszzz> I'm getting "postfix/master[21175]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype"[08:54:13] <WhoNeedszzz> Why is this?[08:55:25] *** Motoko-chan has quit IRC[08:55:43] <zamba> anyone set up postfwd here and can help me setting up a specific set of rules?[08:56:39] <zamba> i basically know what i want, but not how to implement it :)[08:58:09] *** Wilkins has joined #postfix[08:58:10] *** makomi has joined #postfix[08:59:26] *** makomi has quit IRC[08:59:31] *** makomi has joined #postfix[09:03:18] *** schnoobby has joined #postfix[09:08:18] *** snoopy has joined #postfix[09:08:45] *** snoopy is now known as Guest9896[09:11:36] *** schnoobby has quit IRC[09:15:03] *** cga has joined #postfix[09:15:46] *** Yvemath has quit IRC[09:21:01] *** EagleWatch has joined #postfix[09:21:10] *** WhoNeedszzz has left #postfix[09:21:24] *** oasisfleeting has joined #postfix[09:27:42] <oasisfleeting> jj[09:28:08] *** cga has left #postfix[09:30:18] *** pyco has quit IRC[09:31:14] <oasisfleeting> !welcome[09:31:14] <knoba> oasisfleeting: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[09:31:57] <oasisfleeting> hello room[09:32:23] <Zerberus> hi[09:37:06] *** brancaleone has joined #postfix[09:41:12] *** JoKoT3 has joined #postfix[09:50:06] <Aprogas> zamba: postfwd has a manpage, which also is online; even though the online docs are for postfwd2, most of it applies to postfwd too.[09:53:55] *** ichdasich has quit IRC[09:56:54] *** rajijoom has quit IRC[10:07:50] *** dragonheart has quit IRC[10:10:13] *** bezourox has joined #postfix[10:12:04] *** shal3r has joined #postfix[10:12:07] *** vho\ is now known as vho[10:15:10] *** ichdasich has joined #postfix[10:15:42] *** juergen_dose has joined #postfix[10:15:54] *** hrhrhr has joined #postfix[10:15:55] *** juergen_dose is now known as car[10:16:46] *** hever has joined #postfix[10:17:57] *** hever has quit IRC[10:19:08] *** DogWater has quit IRC[10:22:20] *** jeroen_h has joined #postfix[10:23:27] *** DogWater has joined #postfix[10:27:27] *** denis_ has joined #postfix[10:29:14] *** f3ew has joined #postfix[10:29:31] *** henriknj has joined #postfix[10:32:50] *** hrhrhr has quit IRC[10:40:37] *** higuita has quit IRC[10:41:07] *** dragonheart has joined #postfix[10:43:53] *** higuita has joined #postfix[10:46:43] *** johest|w has joined #postfix[10:48:12] *** henriknj has quit IRC[10:50:17] *** cilly has joined #postfix[10:58:42] *** rajijoom has joined #postfix[11:03:35] *** pinoyskull has joined #postfix[11:05:41] *** tjikkun has joined #postfix[11:05:45] *** Vivek has quit IRC[11:07:12] *** makomi has quit IRC[11:08:38] *** pinoyskull has quit IRC[11:14:26] *** Twinkletoes has joined #postfix[11:24:36] *** master_of_master has quit IRC[11:27:55] *** master_of_master has joined #postfix[11:31:56] *** denysonique has joined #postfix[11:39:33] *** cpm has joined #postfix[11:41:17] *** xabbu has joined #postfix[11:42:26] *** Moofius has joined #postfix[11:47:55] *** neekfenwick__ has joined #postfix[11:49:26] *** henriknj has joined #postfix[11:51:57] *** neekfenwick_ has quit IRC[11:54:05] *** henriknj has quit IRC[11:56:54] *** henriknj has joined #postfix[12:03:44] *** Wilkins_ has joined #postfix[12:04:25] *** Wilkins has quit IRC[12:09:12] *** higuita has quit IRC[12:11:22] *** henriknj has quit IRC[12:11:48] *** higuita has joined #postfix[12:14:37] *** Wilkins_ is now known as Wilkins[12:16:36] *** talin has joined #postfix[12:17:33] <talin> hello. when i look through the maillog to see which emails were blocked, i usually see that they are put in /var/virusmails/blahblah.gz. but when someone mails to a lot of addresses, the list is so long that the log ends in "email34, email35, ..."[12:17:42] <talin> and i can't see where the e-mail is[12:22:11] <Aprogas> Rejected mails are not stored by Postfix. Do you have any software involved in your mail delivery chain?[12:25:23] *** JonnyV has joined #postfix[12:29:37] *** pyco has joined #postfix[12:35:02] *** Technofrood has joined #postfix[12:36:39] *** higuita has quit IRC[12:38:59] <cpm> rejected mails are rejected, blocked == rejected. mails that are stored aren't rejected. Try again.[12:39:19] *** higuita has joined #postfix[12:39:29] <talin> silly me. this was an amavis-question[12:39:39] <talin> i have another question for you guys though![12:39:57] <talin> a few days ago you recommended that i set up SASL and TLS on my MSA[12:40:06] <talin> my problem is[12:40:22] <talin> that there are people using my MSA... and sometimes there are several companies behind a single IP[12:40:39] <talin> i.e. one router with several companies behind it[12:40:51] <talin> sometimes they have their own server behind that router, and that server forwards to me[12:41:15] <talin> what happens if i set up e.g. dovecot with SASL?[12:41:23] <talin> user -> user's server -> my server[12:41:30] <talin> how will authentication work in that case?[12:42:27] * cpm is trying to figure out why he cares.[12:42:33] <cpm> or even if he cares.[12:43:15] <cpm> talin, if yer not up to the task, maybe you should hire someone who is. Or, pony up and post a help-wanted and get a consultant in.[12:43:18] <Aprogas> talin: Other mailservers are usually on static IP-address; you could whitelist them based on that. Or just make their mailserver login via SASL too.[12:43:36] <Aprogas> talin has started his own company providing mail services, I think.[12:43:54] *** Dosshell has joined #postfix[12:43:58] <Aprogas> His business model is based on getting free help on IRC and turning it into money on his bank account. :)[12:44:22] <talin> Aprogas: no. i'm working for a small town isp as a programmer... and the mailserver here was just a fresh postfix install without any particular configuration[12:44:59] <talin> Aprogas: i get the same hourly salary for my programming whether i fix this or not. i just don't think it's right, that's all[12:45:26] <Aprogas> Well, alright then.[12:45:48] <talin> i don't think anyone would pay some random guy for installing a postfix server anyway[12:46:11] <talin> what i have done so far, is install amavis and clam on it... and then set mynetworks to a much smaller range[12:46:17] <rob0> Pony?[12:46:25] <cpm> or rob0 up, whichever[12:46:37] <rob0> I WANT A PONY :([12:46:45] <cpm> !no-pony[12:46:45] <knoba> cpm: Error: "no-pony" is not a valid command.[12:46:49] <cpm> !pony[12:46:49] <knoba> cpm: "pony" : http://www.brainfuel.tv/wp-content/uploads/2006/03/nopony.jpg[12:46:56] * rob0 pouts[12:48:35] <talin> Aprogas: the other mailservers are behind the same router... so the two companies and their mailserver all have the same IP[12:48:36] <Aprogas> talin: If you trust some remote server to authenticate which users can use that server, you can fully trust that server, whether based in IP or SASL-login.[12:49:11] <Aprogas> Mailservers behind NAT?[12:49:26] <talin> Aprogas: the problem is that i don't trust that server, since it is already sending me spam during the night[12:49:46] <Aprogas> Why does your ISP allow a spammer to use their services?[12:50:05] <cpm> indeed. This sounds like a non-problem to me.[12:50:28] <talin> Aprogas: because they apparently thought a fresh postfix install was okay. basically, if i block that "spammer" IP, i block two companies, in which one of them is innocent[12:51:22] <Aprogas> If $bad_company pays $your_employer for mail delivery, you cannot just block $bad_company either, because you have a contract.[12:51:51] <Technofrood> Is it possible you have virtual mailboxes in postfix, and have any email sent to a nonexistant mail box forwarded to my local Exchange server? I belive I can youse fallback_transport to do this if I was only using local users, but I can't find information on how to do it with virtual users.[12:51:59] <Aprogas> Anyway, if IP-address is eliminated as a meaningful base for permissions, SASL-login (or TLS-certs, or possibly some other solutions) remain.[12:52:00] *** JonnyV_ has joined #postfix[12:52:20] <Aprogas> Technofrood: Do you mean like a catch-all alias?[12:52:22] <Guest9896> !virtual_alias_maps[12:52:22] <knoba> Guest9896: "virtual_alias_maps" : A configuration parameter in the main.cf: Optional lookup tables that alias specific mail addresses or domains to other local or remote addresses. The table format and lookups are documented in virtual(5).[12:52:43] <Technofrood> no I don't think so[12:52:48] <Aprogas> There is a hook when using a catch-all in virtual-alias combined with virtual-mailbox.[12:52:55] <talin> Aprogas: so basically i can configure my server such that "IP used by two companies and their mail-server" has to authenticate? i'm not sure how they can make their own server authenticate though...[12:52:58] <Aprogas> Because mailbox isn't checked until after alias.[12:53:27] <Aprogas> talin: SASL can work between mailservers too.[12:53:42] <rob0> !mantras[12:53:42] <knoba> rob0: "mantras" : 1. do not accept mail that you do not intend to deliver. 2. do not drop mail. 3. do not use wildcards or catchalls.[12:54:11] *** Guest9896 has quit IRC[12:54:13] <dragonheart> or for a 3rd option dkim local rejection policies for unsigned email from client[12:54:27] *** Guest9896 has joined #postfix[12:54:38] *** Guest9896 is now known as Schnoobby[12:54:45] *** brahama__ has joined #postfix[12:55:14] *** JonnyV has quit IRC[12:55:24] * cpm drops rob0[12:55:32] *** henriknj has joined #postfix[12:56:25] *** JonnyV_ has quit IRC[12:57:01] <talin> Aprogas: ah, okay. i guess i will just install dovecot with a "whitelist all" setting, and then force people to use it, one by one... even if they have mail servers...[12:57:47] <Technofrood> I have several users who can't connect to Exchange, and with the current setup eveyone on exchange has to wait for 15 mins for the pop3 connector to pick up mail from an external server (set up by my old boss), I want to catch the non exchange users on the external server and forward everyone esles to Exchange for delivery[12:58:53] <Aprogas> talin: If people can be identified by IP-address, you could not require them to SASL. The ordering of your restrictions is key.[13:00:21] *** sash_ has quit IRC[13:01:33] *** cemc has joined #postfix[13:02:31] <talin> Aprogas: oh, i see. i will read about dovecot on their site and see if i can figure it out. thanks a lot for the help so far...[13:03:15] <cemc> hi. I would like to do something like: if from: X.com and to: office at Y dot com => accept, if from: X.com and to: anythingelse at Y dot com => no such user . is there a way to do this easily, where Y.com is on a postfix ?[13:03:36] <Aprogas> talin: What mechanism are you using now to identify who your clients are?[13:04:05] <Aprogas> cemc: By default Postfix does not accept for non-existing users.[13:04:27] *** sash_ has joined #postfix[13:04:48] <talin> Aprogas: i have a database with IP-addresses and company names[13:04:53] <cemc> Aprogas: the thing is the users exist, I just don't want to accept mail from domain X.com to other than office at Y dot com[13:05:08] <talin> Aprogas: so i look in the log for IP adresses, and then i can look up some basic information about them... such as phone number and address[13:05:16] <Aprogas> !tell cemc local_recipient_maps[13:05:16] <knoba> cemc: "local_recipient_maps" : a configuration parameter in the main.cf: Lookup tables with all names or addresses of local recipients. A recipient address is local when its domain matches $mydestination, $inet_interfaces or $proxy_interfaces.[13:06:10] <Aprogas> talin: And you are using this list of IP-addresses for mynetworks, check_client_access or something like that?[13:07:56] <rob0> cemc, define "mail from domain X.com"? Do you mean the easily and commonly forged sender address? It sounds like a bad idea to me if you want access(5) controls based on sender addresses.[13:08:24] *** brancaleone has quit IRC[13:09:17] *** Vivek has joined #postfix[13:09:17] *** Vivek has joined #postfix[13:09:22] <cemc> rob0: well, I know, but that's what they want. if From: is whatever at X dot com, the email should be delivered only to office at Y dot com, any other mail should be rejected (forged or not)[13:10:19] <cemc> if it's forged, than it's not a problem if it gets filtered. if it's not forged, then I want it delivered only the ones addressed to office at Y dot com[13:10:40] *** NotInternat has joined #postfix[13:12:05] <cemc> not filtered but rejected (preferably with user unknown)[13:12:31] <Aprogas> cemc: So the rest of the world is allowed to send to all-valid-users at Y dot com, but X.com is also allowed to send to office at Y dot com ?[13:12:36] <Aprogas> s/also/only/[13:13:15] *** Internat has quit IRC[13:13:22] <talin> Aprogas: i am using those networks in mynetworks, yes. i don't think i have defined any check_client_access that i can remember. i just know that if you aren't in mynetworks, you can't connect. i used telnet from adresses outside mynetworks to verify that[13:14:12] <cemc> Aprogas: X.com is ONLY allowed to send to office at Y dot com[13:14:18] <Aprogas> talin: That all depends on how you set up your restrictions. mynetworks affects a bit more than just a check_client_access would.[13:14:18] <rob0> !tell cemc restriction_classes[13:14:18] <knoba> cemc: "restriction_classes" : see !restriction_class[13:14:27] <rob0> !tell cemc restriction_class[13:14:27] <knoba> cemc: "restriction_class" : postfix per-client/user/etc. access control http://www.postfix.org/RESTRICTION_CLASS_README.html[13:15:11] <rob0> check_sender_access + check_recipient_access[13:15:46] <talin> Aprogas: i see.[13:16:24] <cemc> rob0: thanks, I'll take a look[13:17:42] *** makomi has joined #postfix[13:19:42] *** JonnyV has joined #postfix[13:20:42] *** brahama__ has quit IRC[13:25:24] *** JonnyV has quit IRC[13:36:34] *** JonnyV has joined #postfix[13:37:43] <zamba> Aprogas: the action=greylisting? that refers to the smtpd_restriction_classes in main.cfg?[13:39:06] <Aprogas> zamba: Yes.[13:39:42] *** higuita has quit IRC[13:39:54] *** Vivek has quit IRC[13:42:12] *** higuita has joined #postfix[13:50:54] *** pyther has joined #postfix[13:50:54] *** pyther has joined #postfix[13:51:31] *** pyco has quit IRC[13:51:31] *** pyco has joined #postfix[13:51:51] *** Vivek has joined #postfix[13:52:53] <zamba> Aprogas: if i set up postfwd and test it using warn_if_reject.. what happens with the greylisting then?[13:54:10] <Aprogas> zamba: Whatever the policy service returns, gets put in place of where the check_policy_service statement was. So it becomes "warn_if_reject check_postgrey"[13:54:37] <zamba> Aprogas: ok[13:54:57] <zamba> so i'll do a double check with postgrey[13:56:02] <Aprogas> If you check postgrey anyway after postfwd, don't make postfwd return check_postgrey[13:56:21] *** Technofrood has quit IRC[13:57:19] <zamba> Aprogas: how do i prevent postfwd from returning check_postgrey?[13:57:28] <zamba> errors in your postfwd file, btw[13:57:37] <zamba> Sep 13 14:02:08 hobbiton postfwd: warning - "Argument "$$rblcount" isn't numeric in numeric ge (>=) at /usr/sbin/postfwd line 867. "[13:58:03] <Aprogas> Which postfwd version are you using?[13:58:19] <Aprogas> I'm on 1.17 or 1.18[13:58:30] <Aprogas> If you use Debian, you're on 0.18pre8 or something[13:58:34] <zamba> yeah[13:58:37] <zamba> that's the one i've got[13:58:49] <Aprogas> Just use hege's example config then.[13:59:11] <zamba> http://postfwd.org/example-cfg.txt that one?[13:59:48] *** MariusKarthaus has joined #postfix[14:00:28] *** e-jones has joined #postfix[14:02:42] *** googlah has joined #postfix[14:04:30] <Aprogas> I think my pastie included the link from where I based my config.[14:04:40] *** Vivek has quit IRC[14:04:40] *** Vivek has joined #postfix[14:07:51] <zamba> ah, that it did[14:07:53] <zamba> my bad :)[14:08:40] <zamba> nah, still lots of errors[14:09:52] <zamba> http://pastebin.com/e05aaMHM[14:10:09] <Aprogas> What precisely is your postfwd version?[14:10:20] <Aprogas> hege's config is for 1.10pre8+[14:10:48] <zamba> # postfwd -V[14:10:48] <zamba> postfwd 1.10pre7c[14:10:50] <zamba> oooh[14:10:54] <zamba> stupid debian[14:11:16] <Aprogas> volatile and backports may be your friends[14:11:52] <zamba> 1.17 there, yeah[14:14:16] *** dragonheart has quit IRC[14:15:27] <zamba> so if postfwd returns "OK", then it's used.. but if it returns a reject, then it'll just send a warning?[14:16:46] <Aprogas> warn_if_reject sends the warning to the logs, it still accepts and processes the message.[14:17:10] <zamba> but if it's OK-ed from postfwd, then it's OK-ed for postfix as well?[14:17:20] <zamba> i was thinking more in the lines of warn_if_ok as well :)[14:17:56] <Aprogas> Those are called logs.[14:18:59] *** JonnyV has quit IRC[14:25:16] *** sanderj is now known as Snadder[14:31:43] *** JonnyV has joined #postfix[14:31:49] *** Matic`Makovec has quit IRC[14:32:25] <zamba> Aprogas: these two makes no sense to me: http://pastebin.com/cmEQHyyN[14:32:32] <zamba> will that email be whitelisted by postfwd?[14:32:54] <zamba> just because the domain part is whitelisted by jmf?[14:33:41] <Aprogas> Not if you only match /^127\.0\.0\.2$/[14:34:21] <Aprogas> hostkarma.junkemailfilter.com requires special attention, they are all sorts of lists in one lookup (which I why I use them before checking the other DNSBLs, saves lookups).[14:34:30] *** karlgus has quit IRC[14:34:57] <zamba> i see different versions are used here[14:35:18] <Aprogas> [DNSBL] just shows what the list returns, [RULES] shows what happened with it.[14:35:22] <zamba> ah[14:35:42] <Aprogas> It also smells like you are using reject_unknown_helo_hostname which I don't recommend.[14:36:00] *** ebegin has left #postfix[14:36:45] <zamba> only warn_if_reject[14:37:03] <zamba> removed those warn_if_reject now[14:37:10] <zamba> they clutter the logs[14:37:16] <Aprogas> unknown_helo is too strict in my opinion[14:37:27] <zamba> yeah, i agree[14:37:37] <Aprogas> Removing warn_if_reject means you turn them into real rejects.[14:37:42] <zamba> yup[14:37:45] <zamba> i removed the whole line[14:37:55] <Aprogas> Rejecting invalid HELO is ok.[14:37:58] *** karlgus has joined #postfix[14:38:05] <zamba> http://pastebin.com/Wz8wBtHh[14:38:10] *** wdp_ has joined #postfix[14:38:12] <Aprogas> Saves postfwd from doing DNS lookups on crap.[14:38:26] <zamba> invalid helo is syntax error in the helo, right?[14:38:46] <Aprogas> Yes.[14:38:54] <Aprogas> Also the non_fqdn settings are nice.[14:39:32] <zamba> and safe?[14:39:42] <Aprogas> Although technically unknown_ will catch those too, it is at the cost of a DNS lookup (and some delay).[14:39:46] <zamba> i mean.. if a client sends "helo pc" then it won't be a fqdn?[14:39:50] <Aprogas> RFC forbids non-FQDN emailaddresses, I think.[14:39:57] <zamba> ah.. the addresses, ok[14:40:01] <zamba> not the helo now, right?[14:40:03] <Aprogas> zamba: Correct. I reject non_fqdn helo too[14:40:11] <zamba> i can't do that[14:40:16] <Aprogas> Why not?[14:40:44] <zamba> then the above pastebin would have been rejected?[14:40:58] <zamba> oh, nevermind[14:41:01] <zamba> that wouldn't have been[14:41:13] <zamba> but other helos where the helo is just "PC-03" for instance[14:41:17] <zamba> that's not a fqdn[14:41:43] <Aprogas> Plenty spammers send non-FQDN HELO.[14:41:59] <Aprogas> Sep 13 14:36:15 nvidium postfix/smtpd[12994]: NOQUEUE: reject: RCPT from unknown[217.174.229.221]: 504 5.5.2 <raoamzmu>: Helo command rejected: need fully-qualified hostname; from=<s.elodia_ig at barbarascanlon dot com> to=<j.jongmansn at aprogas dot net> proto=ESMTP helo=<raoamzmu>[14:42:03] *** uqlev has joined #postfix[14:42:27] <zamba> but plenty non-spammers as well?[14:42:36] <Aprogas> I haven't seen any.[14:42:40] <zamba> oh[14:42:41] <rob0> nope, except for MUAs[14:42:45] *** wdp__ has quit IRC[14:42:56] <zamba> the MUAs i should allow with previous rules[14:43:01] <rob0> right[14:43:01] <zamba> so maybe i should include those, yeah[14:43:09] <Aprogas> MUAs should be handled by your MSA, with a seperate restriction set.[14:43:27] <Aprogas> Your life becomes so much easier if you seperate the restrictions used for the evil Internet, and used for your trusted clients.[14:43:40] <zamba> Aprogas: how do you handle it?[14:43:46] <Aprogas> I forgot.[14:43:59] <Aprogas> I think my MUA just sends proper HELO.[14:45:34] *** JonnyV_ has joined #postfix[14:46:21] <Aprogas> Seems my MUA sends IPv6-literal as HELO.[14:48:21] *** JonnyV has quit IRC[14:53:32] *** karlgus has quit IRC[14:54:55] *** JonnyV_ has quit IRC[14:58:07] *** uqlev has quit IRC[14:59:01] <jelly> wiz ze [] around it or not?[14:59:19] <Aprogas> Yes.[14:59:44] *** liamjfoy_ has quit IRC[14:59:47] <Aprogas> I don't truncate those Received headers either, plus I use a relayhost, so all my mails to postfix-users are nicely decorated with excess Received lines.[14:59:47] <Schnoobby> which webmailer would you propose? let's say for 3 virtual domains with around 50 accounts each[15:00:26] <jelly> I ♥ily agree with this: <Aprogas> Your life becomes so much easier if you seperate the restrictions used for the evil Internet, and used for your trusted clients.[15:04:52] *** xabbu has quit IRC[15:05:27] *** wild_oscar has joined #postfix[15:05:31] *** brancaleone has joined #postfix[15:07:43] <wild_oscar> hey. I'm having a problem with my IMAP account, perhaps someone can help me. when I send a mail through my mobile phone, in usual clients (evoluion, thunderbird) it either doesn't appear or appears with Jan 1 1970 as the date[15:07:59] <wild_oscar> however, it shows up with the correct date on my android's mail reader[15:08:12] <wild_oscar> and there's a date in the message source: http://pastebin.com/iPrrhs2i[15:08:27] <zamba> Aprogas: instead of actually doing the greylisting through postfwd, how can i log a message saying it would go to greylisting?[15:08:40] <cpm> what does this have to do with postfix?[15:08:52] <zamba> cpm: was that for me?[15:08:58] <Aprogas> zamba: No.[15:09:08] <wild_oscar> cpm: are you asking me?[15:09:12] <Aprogas> wild_oscar: Yes.[15:09:16] <zamba> hehe[15:09:21] <wild_oscar> the server is running postfix[15:09:48] <cpm> is your mobile phone running postfix?[15:10:34] <Aprogas> Postfix generally doesn't touch headers, unless perhaps the Date field is missing.[15:10:42] <wild_oscar> no, cpm, it is not. the IMAP server is. the server I send the message to. the message which I pastebinned. a message that has a problem, and a postfix user might identidy it[15:10:48] <wild_oscar> *identify[15:10:52] <Aprogas> Your phone seems to start the date with "seg, " which other clients might not parse well.[15:11:12] <Aprogas> You could use Postfix to rewrite the Date header, but I suggest fixing the client on the phone instead.[15:11:39] <Aprogas> Also not sure which month "Set" is, I'd guess "september".[15:11:57] <Aprogas> Or perhaps you use an Egyptian calendar and it refers to the month of the deity Set.[15:12:01] *** matthewburton has joined #postfix[15:12:04] *** keiserr has joined #postfix[15:12:05] <wild_oscar> Aprogas: the thing is, I have another imap account (also running postfix) configured on the phone[15:12:06] <zamba> Aprogas: i can use WARN, i see[15:12:33] <wild_oscar> and sending from the same phone using the other account doesn't yield this problem[15:12:48] <keiserr> hi i had a wrong transportmap and now some mails are queued on my system, i have fixed my transport map, any idea how i can get the queued mails to go through the proper route now?[15:13:09] <wild_oscar> ie, same phone, 2 IMAP accounts to 2 different postfix servers - one saves the sent message correctly, the other doesn't[15:13:47] <wild_oscar> cpm: so you see, it might be related with postfix after all... );[15:13:47] <Dominian> keiserr: man postsuper[15:13:54] <Dominian> keiserr: reference the -r option for 'requeue'[15:13:59] <keiserr> okie thanks[15:14:01] <Dominian> welcome[15:14:48] <wild_oscar> ( Aprogas: yes, it is september)[15:16:19] *** alcohol_ has quit IRC[15:17:25] <Aprogas> Is "seg, " a day of the week? I think Date-headers in emails are supposed to be in English.[15:17:50] *** robotarmy has joined #postfix[15:17:58] *** cpm has left #postfix[15:19:06] <wild_oscar> Aprogas: yes, Monday[15:20:06] <keiserr> in my transport map am allowed to have stuffs like these domain.com relay:myreleasemachine.local:9998[15:20:13] <keiserr> as in non standard smtp port?[15:20:22] <Aprogas> keiserr: Yes.[15:20:34] *** ketema has joined #postfix[15:20:43] <wild_oscar> Aprogas: this message is displayed with the correct date, though http://pastebin.com/3bspaEKp[15:20:48] *** ketema has left #postfix[15:20:53] <wild_oscar> and it also has date info in Portuguese[15:21:24] <Aprogas> wild_oscar: "Jul" is a month in English, the invalid day of the week can be reconstructed from the rest of the date.[15:21:41] *** Section1 has joined #postfix[15:21:46] <Aprogas> wild_oscar: Tell the makes of the emailclient on your phone to send Date-fields in English.[15:21:48] <wild_oscar> hmm...[15:22:04] <wild_oscar> can it be? let me check[15:22:35] *** robotarmy has quit IRC[15:23:27] <keiserr> can i have smtp:myreleasedomain.com:9998 instead of relay?[15:23:34] <keiserr> in my transport map i.e[15:23:42] <Aprogas> keiserr: Yes.[15:23:45] <keiserr> thanks[15:25:06] <wild_oscar> Aprogas: yup, that's exactly it[15:25:44] <wild_oscar> cheers![15:26:00] <matthewburton> just set up postfix, and my server will not send mail unless i do it manually from terminal as root. my mail.log reads, "fatal: the postfix command is reserved for the superuser"[15:29:27] <Aprogas> matthewburton: The postfix command is reserved for the superuser. What precisely is your question?[15:29:33] <wild_oscar> Aprogas: can't postfix read dates in other languages though?[15:30:20] <Aprogas> wild_oscar: Postfix doesn't read or manipulate dates, it just passes messages through.[15:30:59] <wild_oscar> Aprogas: ok, so this would be in the mail reader client...[15:31:05] *** liamjfoy has joined #postfix[15:31:09] <Aprogas> wild_oscar: Any MUA is free to convert the English Date-header to a local representation, but in the raw message, it must be in English.[15:31:42] <matthewburton> Aprogas: hm. Well, I suppose I'm wondering how I get my Web application to send email. My scripts use the mail() command.[15:31:56] <Aprogas> !tell matthewburton nullclient[15:31:56] <knoba> matthewburton: "nullclient" : a null client is a computer that can only send mail. it receives no mail from the network, and it does not deliver any mail locally. while postfix can be configured to fill this role, it is often unnecessary overkill, and a much simpler software package is more appropriate. see !nullclient_software for more details.[15:34:31] <lunaphyte_> better yet, don't use the mail() "command". use a proper smtp library or class and provide a mechanism for setting related items.[15:36:33] <keiserr> am trying to do a postqueue -f, it says that mail system is down, yet it sounds up, netstat -na does show all the ports are up[15:36:36] <keiserr> any clue?[15:36:41] *** higuita has quit IRC[15:36:51] <Aprogas> !tell keiserr logs[15:36:51] <knoba> keiserr: "logs" : postfix logs to the mail facility of syslog. Something like grep -i `postconf -h syslog_facility` /etc/syslog.conf should tell you where logs are going. also see !no_logs and !have2mung[15:37:02] <matthewburton> !nullclient_software[15:37:03] <knoba> matthewburton: "nullclient_software" : a program that serves as a drop in replacement for /usr/sbin/sendmail and provides a simple means to submit messages to an existing msa without the need to install and maintain a full-blown mta/msa. examples include esmtp, ssmtp and nullmailer. also see !msa[15:37:18] <keiserr> nothing much in messages or maillog[15:39:13] *** higuita has joined #postfix[15:40:49] <Aprogas> !pear[15:40:49] <knoba> Aprogas: Error: "pear" is not a valid command.[15:41:19] <Aprogas> keiserr: Restart your Postfix and pastebin the lines that appear in the logs.[15:41:23] *** wild_oscar has left #postfix[15:43:11] <keiserr> okie[15:45:13] *** EagleWatch has quit IRC[15:45:23] <keiserr> http://pastebin.com/UBRmNizW[15:46:28] <keiserr> i get this when trying to do a postqueue -f fatal: Cannot flush mail queue - mail system is down[15:46:44] <Aprogas> Run "postfix check" as super-user.[15:47:03] <keiserr> i vv'ed it[15:47:05] <keiserr> postqueue: fifo_trigger: open public/pickup: cannot open file: Device not configured[15:47:36] <Aprogas> Either your system doesn't support FIFO, or you've been messing in your master.cf[15:47:47] <keiserr> gives me nothing[15:47:51] <Dominian> /usr/local/etc seems to be an odd place for a postfix default prefix[15:47:57] <Aprogas> Dominian: Not really.[15:48:04] <Dominian> keiserr: what distro?[15:48:04] <keiserr> that would be lpogical for freebsd[15:48:09] <keiserr> logical[15:48:16] <Dominian> Well, I didn't realize itw as freebsd[15:48:21] <keiserr> no probs[15:48:21] <Aprogas> For OpenBSD too I'd guess, /usr/pkg/etc/ for NetBSD.[15:48:23] <Dominian> and yes for freebsd it is logical[15:48:32] <Aprogas> Scratch that, Postfix is base in NetBSD, so /etc/[15:48:40] <keiserr> lol[15:48:49] <Dominian> Aprogas: unless you install from pkgsrc than it is /usr/pkg etc[15:50:24] <Aprogas> keiserr: Have you used the port to install Postfix?[15:50:34] <sysmonk> Dominian: woot?[15:50:38] <sysmonk> what's illogical?[15:50:44] <Dominian> sysmonk: eh?[15:50:45] *** henriknj has quit IRC[15:50:48] <Aprogas> Dominian is just repeating what I said.[15:51:00] <Dominian> I repeating what?[15:51:09] <sysmonk> ah sorry, you said it IS logical :)[15:51:20] *** Schnoobby has quit IRC[15:51:25] <Dominian> I didn't repeat anything that yous aid Aprogas[15:51:28] <Dominian> I was repeating what keiserr said[15:51:33] <keiserr> Aprogas, yes[15:52:12] <keiserr> hmmm[15:52:22] <keiserr> "Impossible things like FIFOs suddenly stopping to work are a typical[15:52:22] <keiserr> sign of bad hardware, or broken library or kernel code. " .. i wonder if i shud be really really worried :p[15:52:38] <keiserr> found that here http://archives.neohapsis.com/archives/postfix/2000-08/0469.html[15:53:02] <Aprogas> !tell talin access[15:53:02] <knoba> talin: "access" : http://www.postfix.org/SMTPD_ACCESS_README.html : An overview of access(5) controls in the Postfix smtpd(8) SMTP server.[15:53:20] *** forsberg is now known as fOrsberg[15:53:25] <Aprogas> keiserr: Does /var/spool/postfix/public/pickup exist?[15:53:34] <talin> Aprogas: thank you[15:53:36] *** talin has quit IRC[15:54:23] <keiserr> Aprogas, yes it does[15:54:44] <keiserr> owned by postfix and group maildrop[15:54:51] <Aprogas> keiserr: Do you have any exotic mount-options? Such as nosuid on /usr/local?[15:54:57] <Aprogas> keiserr: Or perhaps ZFS.[15:55:07] <keiserr> nopes[15:55:15] <keiserr> ufs[15:55:45] <Aprogas> Is /usr/local/sbin/postqueue setgid maildrop?[15:56:03] *** yates has joined #postfix[15:56:10] <keiserr> yup[15:56:36] <Aprogas> Please pastebin your master.cf[15:56:39] <yates> can one mail messge be delivered in multiple smtp connections between two specific smtp servers?[15:57:07] <Aprogas> yates: Sort of. You can use a (virtual) alias to rewrite a message to go to multiple recipients.[15:57:42] <yates> Aprogas: hmm. not my situation (one recipient) - i'm building a fpaste now[15:57:46] <yates> of the header[15:59:01] <Aprogas> keiserr: I'm also curious about uname -rs.[15:59:11] <yates> http://fpaste.org/1c40/[15:59:26] <Aprogas> keiserr: Did you upgrade Postfix from an earlier installation? Did you update all its dependencies too?[15:59:45] <yates> http://fpaste.org/1c4O/[15:59:52] <yates> (correction ^^^^)[15:59:58] <keiserr> http://pastebin.com/TuVUJTYc, uname -rs FreeBSD 8.0-Release[16:00:41] <keiserr> Aprogas, well, i kind of tried a few stuffs here and there on that box, i don't really remember what though.. but i did just upgrade perl some days ago on it[16:00:46] <Aprogas> Kaspersky killed your pickup[16:01:03] *** sebbow has joined #postfix[16:01:13] <yates> what is "postfix.imss70"?[16:01:36] *** lepine has quit IRC[16:01:47] <Aprogas> keiserr: /usr/local/libexec/postfix/master.cf should have the defaults.[16:02:08] *** lepine has joined #postfix[16:02:13] <keiserr> okie thanks[16:02:20] <yates> sorry - nevermind - i read the header wrong[16:02:26] <Aprogas> yates: Looks like some internal hostname.[16:02:32] *** hever has joined #postfix[16:02:59] *** hever has quit IRC[16:03:20] *** sebbow has quit IRC[16:03:28] *** sebbow has joined #postfix[16:03:47] <yates> Aprogas: right. what's happening here is my wife (freeda) sent me an email through my ieee alias account. then the ieee alias account forwarded it back to my account on my mail server (galois.digitalsignallabs.com)[16:04:38] *** Trengo has quit IRC[16:05:30] <aptituz_> hmm. is there a command to create a postfix queue directory? i'm just experimenting with multi instance and due to config coming from a configuration management and postmulti create is not really handling the situation where a config dir already exists, but not the other directories and therefore is not creating them.[16:05:48] <Aprogas> aptituz_: Do you really need multiple instances?[16:06:08] <aptituz_> Aprogas: that is a test setup and yes it seems it will help us.[16:06:20] *** aptituz_ is now known as aptituz[16:06:30] <keiserr> Aprogas, THANKS MAN! IT WORKS![16:06:47] <Aprogas> aptituz_: Sorry, I have no experience with multiple instances myself. I just have experience with asking people if they really need it, and finding out that half of them just want to run smtpd on a second port.[16:07:09] <yates> but it was delayed over 4 hours - trying to figure out why[16:07:09] <aptituz> however postmulti is supposed to create the spool dir but it does not in this case. so I wonder if there is a command for the creation of the spool dir[16:07:23] <Aprogas> keiserr: Did you install that Kaspersky thing from a port? You should probably contact the maintainer of that port to say their script mangles master.cf[16:07:28] <aptituz> Aprogas: yeah, I'm the wrong person to ask that ;)[16:07:59] <keiserr> Aprogas, I had infact installed kaspersky and well, i tried to disable it manually...[16:08:13] <keiserr> that was a while ago though[16:09:34] <yates> Aprogas: question: in the "Received: from [76.3.105.199] ([76.3.105.199:18520] helo=galois.digitalsignallabs.com) by smtp.centurylink.net ..." line, the time stamp is 02:35:02 -0400. there's the four hours. but how can i tell if it was centurylink that delayed the reception, or my mail server that delayed the transmission?[16:10:38] <Aprogas> yates: Judging by Date and Received headers, I conclude a few things: message didn't appear on first mailserver until about 4 hours after creation in MUA; one mailserver has a rather broken block.[16:10:39] <aptituz> postfix check does what I want, although it requires creating /var/spool/xy myself[16:11:29] <Aprogas> yates: Oops, I overlooked some Received headers because of the spammy spamfilter.[16:11:35] <yates> yeah[16:12:41] <yates> i have postfix configured like this: relayhost = [smtp.centurylink.net]:submission[16:13:11] <Aprogas> yates: Tell root of hormel7.ieee.org that clock may be 40 minutes off, but that's a tangent.[16:13:22] <yates> yeah, i saw that too[16:13:34] <Aprogas> yates: It does seem smtp.centurylink.net was either down, or very slow in processing your connection.[16:13:46] <Aprogas> yates: Consult your logs, if it was down, you'll see failed connections and retries.[16:14:02] <yates> ah - good idea![16:15:04] <yates> where does postfix post such message? in /var/log/messages?[16:15:16] <Aprogas> !tell yates logs[16:15:16] <knoba> yates: "logs" : postfix logs to the mail facility of syslog. Something like grep -i `postconf -h syslog_facility` /etc/syslog.conf should tell you where logs are going. also see !no_logs and !have2mung[16:15:24] <Aprogas> Usually /var/log/mail.log or similar.[16:15:40] *** henriknj has joined #postfix[16:15:46] *** Matic`Makovec has joined #postfix[16:16:27] <Aprogas> grep F41ED760219 is your friend[16:16:43] <yates> knoba: thank you[16:16:51] <yates> is it /var/log/maillog[16:16:52] <Aprogas> !tell yates knoba[16:16:52] <knoba> yates: "knoba" : an informational bot in this channel (see http://workaround.org/f=postfix)[16:16:58] <yates> s/is it/it is/[16:17:11] <yates> i hate it when i do that[16:18:08] *** henriknj_ has joined #postfix[16:19:40] *** cpm has joined #postfix[16:19:44] <yates> oh darn. am i getting abused? Sep 12 22:16:46 localhost postfix/smtpd[22823]: connect from ip4.everydayfashiontips.com[67.219.31.11][16:20:09] <yates> never mind - just incoming spam i guess...[16:20:16] *** sphenxes has quit IRC[16:20:26] <Aprogas> Hence my comment about grep queue-id being your friend.[16:20:28] *** henriknj has quit IRC[16:20:45] *** Moofius has quit IRC[16:20:54] <yates> Aprogas: sorry - missed that![16:23:16] <yates> i keep getting these: Sep 13 00:10:01 localhost postfix/smtp[24154]: F41ED760219: to=<yates at ieee dot org>, relay=smtp.centurylink.net[208.47.184.132]:587, delay=7196, delays=7196/0.03/0.1/0, dsn=4.4.2, status=deferred (lost connection with smtp.centurylink.net[208.47.184.132] while receiving the initial server greeting)[16:23:58] <Aprogas> I'd definitely lay the blame on smtp.centurylink.net then.[16:24:48] <yates> there's nothing i could be doing wrong?[16:25:38] *** xabbu has joined #postfix[16:26:31] <Aprogas> Theoretically you could be pipelining, and they could close the connection with you for it. A little bit more likely some NAT or firewall is playing havoc. Much more likely their server was overloaded and accepting only part of incoming connections.[16:26:55] *** keiserr has quit IRC[16:27:01] <Aprogas> You seem to SASL-login to this server, so I doubt they apply blacklists or other such things on their end.[16:27:16] <Aprogas> Also if it was against their rules to run your own mailserver, service wouldn't have been restored four hours later.[16:27:46] <Aprogas> I'm guessing you relay via them because of a port 25 block?[16:28:06] <yates> Aprogas: no[16:28:32] <Aprogas> PBL-listing of your home-IP-address then?[16:28:35] <yates> Aprogas: because i'm just a centurylink customer network and that network is blacklisted[16:28:39] <yates> yeah[16:28:50] <yates> PBL?[16:28:56] <yates> public black-listing?[16:29:11] <Aprogas> If your IP-address is sort-of-static (or true-static) most PBLs let you unlist.[16:29:12] <Aprogas> !pbl[16:29:12] <knoba> Aprogas: "pbl" : The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. It is part of Zen as well.[16:29:20] <Aprogas> !dul[16:29:20] <knoba> Aprogas: Error: "dul" is not a valid command.[16:29:22] <yates> oh how i wish i could just directly deliver[16:29:44] <Aprogas> Try to get whitelisted at least on Spamhaus PBL and SORBS DUL (good luck with SORBS though).[16:29:47] <Aprogas> Alternatively:[16:29:49] <Aprogas> !tell yates vps[16:29:49] <knoba> yates: "vps" : A Virtual Private Server is an affordable alternative to running a mailserver at home with a consumer-grade ISP connection. See also !port_25_block and !pbl[16:30:26] <Aprogas> Just relaying mail can be done on the lowest spec cheapest VPS you can find, so long as its network is stable, and its daily/weekly/monthly traffic is enough for your needs.[16:30:36] <yates> i am dynamic ip, but i have a "static" dns via dyndns.org - does that help?[16:30:42] <Aprogas> No.[16:30:53] <Aprogas> You have set your MX to the your dyndns.org hostname?[16:30:57] <yates> yes[16:31:20] <Aprogas> My IP-address is technically static, so long as I don't shutdown my cablemodem.[16:31:31] <cpm> heh[16:31:35] <Aprogas> erm[16:31:35] <yates> mostly it's working great, but i am occasionally getting these delivery problems[16:32:00] <Aprogas> I sort of worded that wrong, but you get the picture.[16:32:13] <yates> Aprogas: that was true of my connection up until about a year ago - then they started changing it every month or so, or so it seemed[16:32:15] <yates> twc[16:32:20] <Aprogas> Some big ISPs are notoriously bad with mailservers.[16:32:43] *** UQlev has joined #postfix[16:32:44] <yates> i finally kicked twc out the window - their d/l bandwidth was often 1/5 what i was paying for[16:32:51] <yates> hence centurylink (dsl)[16:33:27] <Aprogas> I'm getting the full 30 Mbit I am paying for, am considering paying the 15 euro extra to get up to 120 Mbit.[16:33:44] *** matthewburton has left #postfix[16:33:45] <yates> where are you?[16:33:52] <Aprogas> Urban area Western Europe. :)[16:34:02] <yates> yeah, twc is screwing its customers[16:34:04] *** UQlev has quit IRC[16:34:23] <yates> i was paying for 15 mb/s but often getting < 3 mbps[16:34:43] <Aprogas> Overselling is a good practice up to a certain point.[16:34:54] <yates> yeah, that's EXACTLY what they're doing[16:35:12] <yates> we had the tech out and he said "yup, the node is overloaded, we know about it, don't know when we're going to do something about it"[16:35:15] <Aprogas> I am happier with my oversold 30 Mbit (which I mostly just get), than I would have been with a guaranteed 10 Mbit.[16:35:17] <yates> i said "OK, bye"[16:35:38] *** UQlev has joined #postfix[16:35:51] <Aprogas> But ISPs don't disclose their overselling ratio, nor do customers really demand that, so it's not competitive point.[16:36:11] <yates> i'm happier with my solid 8 Mb/s than my oversold 3 Mb/s - it's cheaper AND the u/l is faster[16:36:14] *** UQlev has quit IRC[16:36:32] <yates> it's all bullshit[16:36:36] <Aprogas> Anyway, you should look into this VPS thing, they start at like $5/month[16:36:46] *** UQlev has joined #postfix[16:36:53] <yates> well, that would defeat one of my goals[16:37:11] <yates> which is kicking out long emails quickly[16:37:13] *** UQlev has quit IRC[16:37:21] <yates> say, 10-20 MB.[16:37:27] *** UQlev has joined #postfix[16:37:40] <yates> some MUA's que it for you ala "outbox" versus "sent"[16:37:48] <yates> evolution, e.g.[16:37:50] <Aprogas> I don't see how a VPS would break that.[16:37:54] <yates> but mine doesn't :([16:38:13] <Aprogas> You can still run your mailserver on your LAN, and then have that pass it to the VPS.[16:38:24] <yates> oh[16:38:34] <Aprogas> Basically you just replace smtp.centurylink.net with your own VPS.[16:38:36] <yates> you're just saying to get a more reliable relay?[16:38:38] *** denis_ has quit IRC[16:38:43] <Aprogas> Yes, basically. :)[16:39:00] *** denis_ has joined #postfix[16:39:02] <yates> i actually probably already have one - my web site isp...[16:39:43] <yates> what does vps mean again?[16:39:46] <Aprogas> Normally we recommend people not install their own mailserver, and to just use their ISP. But in your case, I think you'll manage to run your own.[16:39:49] <Aprogas> !vps[16:39:50] <knoba> Aprogas: "vps" : A Virtual Private Server is an affordable alternative to running a mailserver at home with a consumer-grade ISP connection. See also !port_25_block and !pbl[16:40:37] <Aprogas> Of course a dedicated server would fill this role just as well, but that is usually more expensive.[16:41:50] *** fOrsberg is now known as forsberg[16:42:17] <yates> so this is a way to virtualize a piece of your machine for the mail server? basically? keeps things separate from your local OS?[16:43:42] <yates> oh, i see - no.[16:43:46] <Aprogas> A VPS is a cheaper way to offer servers. Rather than each client having a seperate physical machine, needing rackspace, eating electricity, and idling 99% of the time; something like Xen is used to run multiple OSes on the same hardware.[16:44:06] <yates> this is at an isp, then[16:44:11] <Aprogas> Memory and diskspace are usually dedicated, CPU-time and network is shared.[16:44:45] <Aprogas> Many hosting providers offer VPSes.[16:44:46] <yates> yeah, i think that's what my web isp has, via BSD[16:44:57] <yates> hosting provider, yeah, that's the term[16:45:00] <yates> not ISP[16:45:49] <Aprogas> I have one for about 10 euro per month, to bypass my ISPs port block. On a side-note, my ISP didn't understand MAAWG and they block incoming to port 25, but not outgoing to port 25.[16:46:08] <yates> but i'd still need to run mailserver locally for the "quick smtp" exchange, would i not?[16:46:25] <yates> quick smpt exchange between mua and first smtp server, i.e.[16:46:35] <Aprogas> If you want to offload your MUA as quick as possible, yes that is probably the fastest way.[16:46:49] <yates> yes, that was a big part of my motivation[16:46:50] <Aprogas> Because otherwise a 20 MB message is limited by your upload speed or the VPS download speed.[16:46:58] <yates> exactly[16:47:01] *** UQlev has quit IRC[16:47:03] <Aprogas> I run a mailserver on my LAN, that uses my VPS as relayhost.[16:47:15] *** UQlev has joined #postfix[16:47:24] <yates> why can't centurylink just run a reasoanble server? ![16:47:42] *** UQlev has quit IRC[16:47:53] <Aprogas> Probably because half of their paying customers have infected Windows hosts, continuously spewing out viruses and spam, requiring intensive filtering.[16:48:06] <lunaphyte_> why bother? people are still happily giving them money even without one.[16:48:08] <yates> yeah, i don't do windoze either!...[16:48:19] <yates> lunaphyte_: good point! not this people, though![16:48:35] <yates> been "microsoft-free" since 2006[16:48:44] <Aprogas> How often does this happen? Sometimes a mailserver just goes down.[16:48:52] *** UQlev has joined #postfix[16:48:54] <yates> yeah, i'm not sure. good question[16:48:59] <Aprogas> We cannot build a reputation of smtp.centurylink.net based on one incident.[16:49:03] <yates> i'll keep an eye on it. thanks much for the help[16:49:12] <Aprogas> Personally I also use my VPS to get around some EU laws.[16:49:25] <Aprogas> ISPs, but not hosting providers, are required by law to store emails of their customers.[16:49:32] <yates> aha![16:49:34] <yates> assholes.[16:49:42] <yates> that's another reason i wanted my own[16:49:45] <Aprogas> No, no, it's against the terrorists![16:49:52] <yates> yeah, right[16:50:15] <yates> do they store outgoing smtp messages too?[16:50:16] <henriknj_> Aprogas: EU law?[16:50:42] <henriknj_> I dont think it apply to every eu country[16:50:45] <Aprogas> henriknj_: Maybe technically it is a "policy" or "guideline", but the NL law based on it is even more strict than the EU.[16:50:54] <yates> not that i have anything to hide - just the principle[16:50:54] *** Moofius has joined #postfix[16:50:57] <Aprogas> NL does plenty of data retention.[16:51:38] <yates> Aprogas et al: thank you - gotta do some work.[16:51:40] *** yates has quit IRC[16:52:02] <henriknj_> in DK the ISPs only have to store information about the connections, so not the content[16:55:36] *** denis_ has quit IRC[17:02:15] *** forsberg is now known as fOrsberg[17:05:59] *** Trengo has joined #postfix[17:06:10] *** bluethundr has joined #postfix[17:08:59] *** Moofius has quit IRC[17:09:08] <t3cnerd> !reject_rbl_client[17:09:09] <knoba> t3cnerd: Error: "reject_rbl_client" is not a valid command.[17:10:48] <t3cnerd> anybody knows some real good blacklists?[17:11:23] <Aprogas> zen.spamhaus.org is pretty decent, and includes various others[17:11:38] *** e-jones has quit IRC[17:11:52] <t3cnerd> is there a blacklist which is feed by user input? e.g. 30 users mark a mail as spam, so others won't get this mail anymore?[17:12:13] <Aprogas> Personally I believe in the hostkarma.junkemailfilter.com concept that whitelists and yellowlists are an integral part of a blacklist setup.[17:12:14] <t3cnerd> Aprogas: thx[17:12:55] <Aprogas> Many blacklists are fed by automated spamtraps, if you want to decide spamminess based on how many other people have received the same email, look into Pyzor, Razor and/or DCC. But those are all things that don't integrate on the MTA-level.[17:13:17] <t3cnerd> i see[17:13:44] <Aprogas> Blacklists are pretty good in blocking bad hosts, but some are not so good in not blocking good hosts.[17:13:59] <t3cnerd> do you know if it's possible to intergate it in exchange?[17:14:35] <Trengo> well postfix does support milter[17:14:44] <Aprogas> SpamAssassin supports Pyzor, Razor and DCC. But all those things are really only suitable for low-traffic.[17:14:58] <Trengo> and there are milters for all of those[17:15:11] <Aprogas> Trengo: I'm still afraid to run such rather heavy filters before-queue.[17:15:22] <Trengo> Aprogas im fine with all of them[17:15:41] <Trengo> the only one that really hit me bad was SA's bayes[17:15:50] <t3cnerd> Aprogas my mailserver only supports a small company, so there shouldn't be a problem with high traffic[17:16:27] <Trengo> even OCR filtering was acceptable - just not worth it[17:16:34] *** makomi has quit IRC[17:16:44] *** makomi has joined #postfix[17:16:52] <Aprogas> !tell t3cnerd cheatsheet[17:16:52] <knoba> t3cnerd: "cheatsheet" : http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt : A HOWTO for pre-DATA spam control.[17:18:21] <t3cnerd> knoba: thx[17:18:34] <t3cnerd> Aprogas: thx[17:18:57] <Aprogas> t3cnerd: Don't copy their blacklists though, and some of those settings are old-style.[17:20:37] *** henriknj_ has quit IRC[17:21:49] *** fOrsberg is now known as forsberg[17:24:41] *** Niz-8] has quit IRC[17:25:19] *** Niz-8] has joined #postfix[17:30:06] *** Moofius has joined #postfix[17:33:43] *** JonnyV has joined #postfix[17:33:44] *** lunaphyte_ has quit IRC[17:34:10] *** lunaphyte_ has joined #postfix[17:34:20] *** smica has joined #postfix[17:35:23] *** tryskall has quit IRC[17:36:25] *** shadey_ has joined #postfix[17:39:29] *** rajijoom has quit IRC[17:42:59] *** neekfenwick__ has quit IRC[17:46:20] *** Dosshell has quit IRC[17:50:11] *** robotarmy has joined #postfix[17:50:42] *** Ryushin has joined #postfix[17:51:00] *** cpm has quit IRC[17:53:28] *** Dosshell has joined #postfix[17:58:15] *** cpm has joined #postfix[17:58:44] *** MariusKarthaus has quit IRC[17:59:57] *** hesco has joined #postfix[18:00:30] *** Twinkletoes has quit IRC[18:02:17] <hesco> I've got a "lost connection with [IP] while sending DATA command" error, although nmap run from the production server checking the port on our mail server reports: "25/tcp open smtp". Any idea why that might be, please?[18:02:53] *** micols has quit IRC[18:05:19] *** micols has joined #postfix[18:06:18] <Zerberus> hesco: use tcpdump / wireshark if that happens again, the nmap test is mostly worthless[18:06:37] *** micols_ has joined #postfix[18:07:55] *** micols__ has joined #postfix[18:08:03] *** micols___ has joined #postfix[18:08:12] *** micols has quit IRC[18:08:12] *** micols___ has quit IRC[18:08:12] *** micols__ has quit IRC[18:08:13] *** micols_ has quit IRC[18:10:03] <Aprogas> Does this happen often and with clients you care about?[18:10:55] *** henriknj has joined #postfix[18:12:27] <hesco> Frequently this morning and the company has a major mailing going out in the next hour and I'm getting complaints about test emails not being received.[18:12:43] <cpm> while sending DATA, or sending end of data[18:12:51] <cpm> what is the exact error?[18:13:06] <hesco> while sending DATA[18:13:12] *** p3rror has quit IRC[18:13:14] <Aprogas> He meant for you to pastebin some actual logs.[18:13:16] <cpm> never seen that one.[18:13:27] <cpm> and yes, please as Aprogas says[18:14:38] <UQlev> hesco, they must have ignored reject of the receiving server[18:15:17] <hesco> I restarted both postfix servers and mail is once again flowing through the mail server, although the the deferred queue on the production server is taking its sweet time to empty itself.[18:16:01] <Aprogas> "221 2.7.0 Error: I can break rules, too. Goodbye." haha, didn't know that one yet.[18:16:40] *** car has quit IRC[18:16:53] *** Ryushin has quit IRC[18:17:04] <UQlev> Aprogas, seems like SPF check's work[18:17:57] <hesco> but postqueue -f seems to get things moving again[18:18:35] *** Tykling has joined #postfix[18:19:50] *** p3rror has joined #postfix[18:24:48] *** juergen_dose has joined #postfix[18:26:58] <Aprogas> hesco: Don't play with queues on a hogged system.[18:27:05] <Aprogas> Also it's too late now.[18:27:25] <Aprogas> Flushing a queue larger than Postfix can handle only leads to more trouble and slower delivery.[18:31:01] <cpm> leave the danged queues alone unless you really know what you are doing.[18:31:09] <adaptr> hesco: retries from the defer queue will still be bound by any delivery rate controls[18:31:39] <adaptr> best way to upfuck globally is to requeue -f a 10K queue bound for a concurrency=1 transport[18:32:13] <adaptr> chances are the queue run will come around again before the current run is halfway finished[18:38:46] <Aprogas> adaptr: Actually I think a "postsuper -r ALL" is even better to mess things up than "postqueue -f" :)[18:39:11] <adaptr> Aprogas: well, that would give him the chance to blackhole certain destinations[18:39:17] <adaptr> let's not give him that loophole[18:40:18] *** sphenxes has joined #postfix[18:46:51] *** Dominian has quit IRC[18:47:06] *** Dominian has joined #postfix[18:47:51] *** sphenxes has quit IRC[18:50:02] *** sphenxes has joined #postfix[18:52:29] *** sebbow has quit IRC[18:52:29] *** joschi has quit IRC[18:52:50] *** sebbow has joined #postfix[18:52:50] *** joschi has joined #postfix[18:54:59] *** oasisfleeting has quit IRC[19:00:04] *** p3rror has quit IRC[19:01:27] *** micols has joined #postfix[19:01:52] *** cga has joined #postfix[19:02:39] <Aprogas> I am baffled why nearly all Postfix+Amavis guides set smtpd_(soft|hard)_error_limit to (1001|1000). Is this all just people copypasting eachother without really understanding?[19:03:05] <Aprogas> Or does Amavis really need to throw 999 errors before it can make a succesful delivery? :)[19:03:53] <thumbs> Aprogas: hehe[19:04:08] <adaptr> the error limit determines when an smtp connection is forcibly closed - since amavis can pipeline delivery back into postfix, you don't want the risk of killing it off[19:04:33] <adaptr> however, a high limit would only be useful with a related high throughput[19:04:39] <Aprogas> adaptr: Yes, I can understand that part, but wouldn't the defaults of 10 and 20 be safe enough already, rather than 1001 and 1000?[19:04:53] <Aprogas> I assume Amavis just talks valid SMTP with Postfix.[19:05:14] <adaptr> true, and it's generally single-message as well[19:05:22] <adaptr> it processes one at a time[19:05:29] <Aprogas> And I also assume that if it does hit 20 errors, that would be the cause of a loop, so it just as easily would hit 1000.[19:05:46] <adaptr> you could google for the first occurence of this factoid[19:05:49] <adaptr> and blame them[19:05:59] <Aprogas> I always left it in my config too under the idea of "I don't want to risk losing mail".[19:06:08] <Aprogas> So I suspect that is how everybody kept it in. :)[19:06:19] <adaptr> don't forget that postfix is developed fairly quickly, so any guide over a year or 2 old will be woefully out of date[19:06:38] <Aprogas> Makes me wonder why they also put smtpd_data_restrictions=reject_unauth_pipelining.[19:06:49] <twobithacker> and yet we keep linking to those horribly out of date anti-UCE guidelines[19:06:50] <adaptr> ahahah[19:06:55] <Aprogas> They clear most other restrictions, but apparently if Amavis ever were to unauth pipeline, it should be rejected.[19:06:58] <adaptr> twobithacker: make a bettah one![19:07:07] <adaptr> Aprogas: I agree! bad amavis[19:07:22] <Aprogas> I had a glance at the anti-UCE cheatsheet, seems still relevant mostly.[19:07:30] <adaptr> ...not really[19:07:33] <Aprogas> I don't have a very real server though, just a personal account.[19:07:36] <twobithacker> it's mostly old syntax rather than old ideas[19:07:39] <adaptr> I find it covers too few real-world scenarios[19:07:53] <Aprogas> twobithacker: True. And the blacklists it uses are old.[19:08:32] <Aprogas> I did some amount of research into which blacklists are good nowadays. For years I have forsaken blacklists under the idea of "too many false positives", but recently found that was just some idea planted into my head by using the wrong SORBS list.[19:08:50] <Aprogas> Plus with weighted scoring systems, and using whitelists, that problem is mostly eliminated.[19:09:02] <Aprogas> And with whitelisting postmaster@ and abuse@ it is fixable.[19:09:21] <Aprogas> I used to get spam to postmaster@ and abuse@, but haven't seen that in a while; I think the spammers blacklist that on their end now. :)[19:10:21] <twobithacker> for my personal server, I really have very little spam make it past the DNSBLs[19:10:39] *** sphenxes has quit IRC[19:10:42] <twobithacker> just using zen.spamhaus and bl.spamcop and a couple of the more sane rfci's[19:11:21] <Aprogas> Is bl.spamcop.net still good? I got the impression it doesn't have many entries.[19:11:46] <Aprogas> I've been using http://www.sdsc.edu/~jeff/spam/cbc.html and http://www.intra2net.com/en/support/antispam/index.php.html mostly to pick blacklists.[19:12:35] <twobithacker> huh, apparently I stopped using bl.spamcop.net[19:12:51] <twobithacker> I remember it getting very little than spamhaus missed[19:12:58] <twobithacker> so it's probably not worth it these days[19:14:59] *** higuita has quit IRC[19:14:59] <Aprogas> b.barracudacentral.org also seems good, if you are low-traffic and register[19:17:27] *** higuita has joined #postfix[19:19:15] *** micols has quit IRC[19:21:31] *** VaNNi has quit IRC[19:24:41] <hesco> on another issue, I have been asked to route mail destined for certain domains through an alternate mail server. Is there some easy way to accomplish this task?[19:25:20] <Aprogas> virtual_alias_maps or transport_maps, depending on what the other side is expecting[19:25:55] <hesco> thank you[19:26:08] *** sphenxes has joined #postfix[19:26:24] <adaptr> for routing only, use transport_maps[19:26:28] <Aprogas> Beware of backscatter, i.e. you forwarding mail that they then reject.[19:27:24] <Aprogas> Demand from the alternate mail server that they make available a periodically updated lists of valid localparts.[19:27:59] <adaptr> Aprogas: or that they deliver DSNs personally - reject any DSNs from them :)[19:28:06] <adaptr> easier solution, still their mess[19:28:20] *** VaNNi has joined #postfix[19:28:23] *** Schnoobby has joined #postfix[19:28:28] <Aprogas> heh[19:28:45] <Aprogas> Or that they let you recipient callout to them and cache the results.[19:29:11] <adaptr> I'm always in favour of the solution that gives them the thermonuclear reactor and the instruction manual, and leaves them to figure it out[19:29:41] <adaptr> all I need to do is reject mail from russia for 50 years aferwards[19:30:36] <Aprogas> I'm always in favour of not forcing someone to choose between lesser evils, when a more proper solution is available too. It's not fair to drop the backscatter or silent-drop choice on someone, if provide-valid-users is an option too.[19:30:41] *** cilly has quit IRC[19:31:11] <Aprogas> Although if you have an IP-address to spare, you could just push all backscatter through a dedicated mailserver, and get it blacklisted.[19:32:28] *** cilly has joined #postfix[19:33:02] <adaptr> Aprogas: urm. that would require you to know which was backscatter, in which case dropping it would be a bit simpler[19:33:25] *** Tom-B has joined #postfix[19:33:25] *** Moofius has quit IRC[19:33:25] *** Tom-B has quit IRC[19:33:25] *** Tom-B has joined #postfix[19:34:13] <Aprogas> adaptr: In my opinion all bounces directed towards the Internet are backscatter. Only bounce to your own users.[19:35:27] <adaptr> if you're not somebody's relayhost, you're most probably correct in that[19:36:10] <Aprogas> If I'm someone's relayhost, their users are my users too, I guess.[19:38:08] <adaptr> ...not if you don't have their userlist, in which case see you previous point[19:38:19] <adaptr> I'd ask for a reverse userlist then[19:39:19] *** Vivek has quit IRC[19:40:28] *** forsberg is now known as fOrsberg[19:43:03] *** Gambaroni has joined #postfix[19:43:54] <Gambaroni> How do I forward emails to a certain address to another one? If I add it to /etc/aliases, do I need a system account then? What is the virtual_aliases_maps for?[19:44:34] <adaptr> !virtual_alias_maps[19:44:34] <knoba> adaptr: "virtual_alias_maps" : A configuration parameter in the main.cf: Optional lookup tables that alias specific mail addresses or domains to other local or remote addresses. The table format and lookups are documented in virtual(5).[19:44:41] <adaptr> Gambaroni: that will do everything you want[19:44:59] <Aprogas> !tell Gambaroni virtual[19:44:59] <knoba> Gambaroni: "virtual" : a way to configure additional domains and user accounts (that do not need to exist in your /etc/passwd). See: http://www.postfix.org/VIRTUAL_README.html[19:45:07] <Gambaroni> adaptr so add in /etc/aliases won't be a nice idea?[19:45:07] <Aprogas> But read that whole readme anyway, to make sure you know all the details.[19:45:12] <adaptr> Gambaroni: /etc/aliases only works for local users. virtual works for any address[19:45:35] <Aprogas> Actually I think you can add nonexistent to /etc/aliases and have it point outside.[19:45:45] <Gambaroni> adaptr ok, this is for mail to this domain but to a user that doesn't exists[19:45:49] <adaptr> if somebody sent a message to your server to forward to, say, joe at gmail dot com, you could alias joe at gmail dot com to pres at whitehouse dot gov[19:45:57] <adaptr> Aprogas: on local domains, yes[19:46:03] <adaptr> virtual has no such restrictions[19:46:21] <Aprogas> adaptr: Correct, but I'm not sure which one Gambaroni is looking for.[19:47:07] <adaptr> Aprogas: my point is that it doesn't matter :)[19:47:12] <adaptr> virtual ALWAYS works[19:47:18] <Gambaroni> Ok :)[19:47:31] <Aprogas> True, local aliases are mostly for (1) backwards compatibility with sendmail (2) delivering to files and pipes[19:47:52] <Aprogas> Other than that, virtual aliases are more flexible.[19:47:54] *** higuita has quit IRC[19:48:03] <Gambaroni> Why am I getting this? fatal: open database /etc/postfix/virtual.db: No such file or directory[19:48:09] <adaptr> do not underestimate the fu of (2) ![19:48:19] <adaptr> Gambaroni: because you have to create it and convert it[19:48:24] <adaptr> read moar[19:48:28] <adaptr> !postmap[19:48:28] <knoba> adaptr: "postmap" : a command to 'compile' text files to hash databases. Example: a file transport will be converted to transport.db by running 'postmap transport'. Your main.cf will contain something like transport_maps = hash:/etc/postfix/transport (without the '.db')[19:48:31] <Aprogas> adaptr: Can always have a virtual alias deliver to @localhost and pipe that.[19:48:43] <adaptr> Aprogas: yes, I did say that :) implicitly...[19:49:18] <Gambaroni> adaptr I see, and what is virtual.db for? because /etc/postfix/virtual is just a manual?[19:50:24] <adaptr> yerwhut ?[19:50:38] *** higuita has joined #postfix[19:50:38] <adaptr> Gambaroni: did you read the above factoid ?[19:50:45] *** micols has joined #postfix[19:50:45] <Gambaroni> adaptr yes[19:51:22] <Schnoobby> postfix will look in the virtual.db for the virtual aliases[19:51:30] <Gambaroni> I guessed so[19:51:46] <Gambaroni> BUT, wouldn't /etc/postfix/virtual contain the virtual aliases?[19:51:57] <adaptr> yes, it does, since YOU wrote it[19:52:14] <Schnoobby> postfix likes to have database files[19:52:21] <Gambaroni> adaptr I didn't. But it looks like a man file[19:52:22] <Schnoobby> so you need postmap[19:52:45] <adaptr> Gambaroni: I posit that you don't know enough to accurately recognize an unformatted man page[19:52:54] <adaptr> they look quite different[19:53:17] *** Vivek has joined #postfix[19:54:37] *** t3cnerd has quit IRC[19:55:24] *** sphenxes has quit IRC[19:55:26] <Gambaroni> adaptr I see[19:55:32] <Gambaroni> Where is postmap located?[19:55:33] *** sphenxes has joined #postfix[19:55:40] <adaptr> Gambaroni: did you try to RUN it ?[19:56:44] <Gambaroni> adaptr yes[19:57:07] <adaptr> ...and?[19:57:11] <Gambaroni> And command not found[19:57:15] *** tjikkun has quit IRC[19:57:20] <Gambaroni> That is why I wonder where it is located :)[19:57:25] <adaptr> are you root ?[19:57:28] <Gambaroni> yes[19:57:46] <adaptr> then postfix is not installed, or you are not actually root, or you screwed up your root path[19:58:19] <Gambaroni> adaptr something could be screwed with the paths, yes. I didn't set this server up[19:58:42] <Gambaroni> Very many commands isn't found, like shutdown etc[19:58:51] <Aprogas> postmap is in sbin, that is not always in path[19:58:59] <adaptr> "very many" ? shutdown is not a stock linux/gnu command[19:59:05] <adaptr> Aprogas: the root path ? you wanna bet ?[19:59:22] <adaptr> what frecking use would it be if it wasn't in root's path ?!?[19:59:38] <Gambaroni> Aprogas are you sure? :P[19:59:41] <Aprogas> adaptr: none, but that doesn't stop silly admins from putting incorrect .profiles in /root[20:00:09] *** cozwei has joined #postfix[20:02:24] *** tjikkun has joined #postfix[20:04:18] <Gambaroni> Ah, now it works better[20:04:19] <Gambaroni> Thanks :)[20:05:05] <adaptr> "now" ? tell us what you did wrong![20:05:12] *** rajijoom has joined #postfix[20:07:51] <Gambaroni> adaptr didn't fill virtual-file and didn't find postmap and didn't run postmap[20:07:53] <Gambaroni> :)[20:26:13] *** brancaleone has quit IRC[20:33:38] *** Vivek has quit IRC[20:33:38] *** Vivek has joined #postfix[20:38:36] *** shmock has quit IRC[20:42:24] <lunaphyte_> why didn't you do that adaptr?[20:42:54] <adaptr> I don't know ! I didnt' know I was supposed to !! I feel so... so.. kafkaesque![20:51:31] *** higuita has quit IRC[20:52:35] <lunaphyte_> i wonder if virtual-file takes regular or if it requires a high octane.[20:53:59] *** higuita has joined #postfix[21:02:14] <adaptr> mine's a decaf[21:05:56] *** cga has quit IRC[21:09:59] *** UQlev has quit IRC[21:12:23] *** blackxored has joined #postfix[21:12:54] *** n1md4 is now known as n1md4_afk[21:14:11] <blackxored> hi guys[21:14:40] <blackxored> sasl_password.db not found, although i'm seeing it and it's 644 so it's readable, can someone tell me why my logs are throwing no such file or directory?[21:15:30] <blackxored> any of you[21:15:39] <adaptr> !sasl[21:15:39] <knoba> adaptr: "sasl" : SASL is 'Simple Authentication and Security Layer', necessary for SMTP AUTH, and provided to Postfix by addin software. Cyrus SASL and/or Dovecot IMAP/POP3 can provide SASL. See http://www.postfix.org/SASL_README.html for details.[21:16:03] <adaptr> also, consider chroot[21:16:55] <blackxored> adaptr, thanks for the tip, but can you provide something more specific about this particular error?[21:17:45] <Zerberus> blackxored: please see the /topic and please provide sufficient information[21:17:50] *** cpm has quit IRC[21:18:23] <blackxored> Zerberus, i'm trying to make postfix work with gmail, and i assumed i did everything right, but still throws me fatal, can't find sasl_password.db[21:18:25] <blackxored> on the logs[21:18:53] <adaptr> ah, so you'd be wanting to use client sasl[21:18:59] <Zerberus> blackxored: postconf -n and log entries demonstrating the problem[21:18:59] <adaptr> that might have been relevant to mention[21:19:50] <blackxored> in a sec[21:20:23] *** xabbu has quit IRC[21:20:51] <blackxored> http://pastebin.com/i5XNcXKi[21:20:57] <blackxored> http://pastebin.com/kXUdrfHe[21:27:34] <adaptr> blackxored: so, does /etc/postfix/sasl-password.db exist ?[21:27:42] *** makomi has quit IRC[21:28:39] <Zerberus> with underscore[21:28:59] <adaptr> nitpick[21:29:09] <Zerberus> :P[21:33:12] *** dxtr has quit IRC[21:34:18] <Aprogas> Is it safe to share the same TLS cert between dovecot, postfix smtpd and postfix smtp?[21:34:19] *** dxtr has joined #postfix[21:34:36] <adaptr> "safe" depends on what you intend to do with them[21:34:50] <adaptr> for postfix SMTP, I would certainly not use the same certificate I used for receiving mail[21:35:29] <Aprogas> I use seperate now, but I should probably look into this Untrusted/Anonymous thing.[21:36:59] <Aprogas> Bottom line: I don't under TLS very well yet, and should do more homework first.[21:37:57] *** p3rror has joined #postfix[21:38:04] *** e-jones has joined #postfix[21:38:28] <Schnoobby> create your own CA and self-sign your cert[21:38:35] *** e-jones has quit IRC[21:38:38] <Aprogas> I did, and it is added to CAfile or CApath.[21:38:54] *** cilly has quit IRC[21:38:57] <seekwill> I think it's better to buy a cert...[21:39:04] <seekwill> They aren't expensive[21:39:05] <Schnoobby> and still untrusted?[21:39:22] <Schnoobby> it worked for me last time i tried[21:39:27] <Aprogas> Schnoobby: Only in one direction, I think it's because the hostname of the cert doesn't match fcrdns.[21:41:10] <Schnoobby> Aprogas, maybe, i'm not into deep in tls either[21:41:44] <Schnoobby> that sounds weird in english^^[21:47:21] <adaptr> deep schnoobies[21:49:20] <Aprogas> I think I need a policy table with verify or secure and a match against a hostname.[21:50:18] <adaptr> saw that scrolling by on the ML[21:50:23] <Aprogas> Just to tell Postfix "even though *this* cert CN doesn't match it's rDNS, *this* time it's okay".[21:50:29] <adaptr> that's already pretty deep schnoobies[21:50:49] <Aprogas> I don't read all threads, I got caught up in trying to help Richard Chapman. And somehow I have this compulsion to finish what I start.[21:51:32] <Schnoobby> adaptr, stop it[21:51:43] <adaptr> I can't help it[21:52:57] <Tom-B> Do you guys have any opinions on webmail services?[21:53:09] <adaptr> yes[21:53:25] <Schnoobby> adaptr, then share them with us please[21:53:29] <Tom-B> SM/Roundcube etc[21:53:30] <adaptr> they suck[21:53:40] <Schnoobby> i thought so :([21:53:59] <Schnoobby> SM is ugly, even with themes[21:54:09] <Tom-B> How so adaptr?[21:54:26] <adaptr> you asked for an opinion[21:54:29] <Tom-B> Yer SM is a bit "tomy my first webmail tbh"[21:54:30] <lunaphyte_> i don't mind roundcube[21:55:09] <Schnoobby> can you do autoresponders or vacations mails with roundcube?[21:55:38] <adaptr> Tom-B: squirrelmail is actually the most feature-full web client[21:56:07] <lunaphyte_> beats me. i'd never subject people i correspond with to such harrassment.[21:56:14] <adaptr> if it weren't for its stupendous not-having-inline-message-reading, roundcube would be my first choice[21:56:16] <Schnoobby> adaptr, what about Horde Framework with IMP?[21:56:16] <Tom-B> It's still ugly[21:56:22] <adaptr> Schnoobby: horrible.[21:56:33] <lunaphyte_> not having inline message reading? what's that?[21:56:36] <adaptr> Tom-B: we didn't ask you for your opinion[21:56:57] <adaptr> lunaphyte_: RC can't display both the message tree and the message, last time I checked[21:57:03] <Tom-B> Hence my choice to live in a country with free speech[21:57:10] <Schnoobby> adaptr, horrible to configure yes, but i like it anyway, we use it at our university[21:57:24] <adaptr> do you administer it there ?[21:57:38] <Schnoobby> that's the problem[21:57:42] <Tom-B> XD[21:58:03] <Tom-B> I've heard roundcube can be a bit of a resource hog[21:58:12] <lunaphyte_> adaptr: you mean like having one section of the window with the list of messages and another section of the window to display a message's contents, if clicked on in the list?[21:58:25] <adaptr> lunaphyte_: like that, yes[21:58:35] <adaptr> Tom-B: not at all[21:58:46] <adaptr> it's a lot lighter than squirrelmail[21:59:10] <lunaphyte_> adaptr: i vaguely recall it not being able to do that early on, but for ages now that's worked just fine.[21:59:12] <adaptr> but it's being actively developed, moreso than squirrelmail these days[21:59:29] <adaptr> lunaphyte_: I haven't looked at it seriously for well over a year[21:59:32] <Tom-B> I'll give it a go then[21:59:54] <Schnoobby> adaptr, so you would recommend RC over SM?[22:00:07] <Tom-B> Is there really that much of a perf difference forcing it to use imaps and stmps locally, when using no more than a half dozen users at a time?[22:00:41] <adaptr> Schnoobby: it depends on what you need. for a quick peruse of yoru messages, RC is both fast and efficient. for maximum functionality, squirrelmail offers loads of modules[22:00:49] *** nb has quit IRC[22:00:57] <adaptr> and is still not slow[22:01:09] <adaptr> Tom-B: be more specific. forcing what to do what[22:01:33] <Tom-B> Forcing RC to use SMTPS and IMAPS rather than SMTP and IMAP[22:01:43] <adaptr> and the question is ?[22:01:54] <Tom-B> I already asked the question[22:02:20] <Schnoobby> adaptr, thank you[22:03:54] <adaptr> Tom-B: perhaps it wasn't very clear, then[22:04:47] <Schnoobby> Tom-B, i don't get it either[22:05:20] <Tom-B> Then you've answered my question[22:05:29] <adaptr> Tom-B: I don't need to remind you what the result is of your uncooperative attitude, I hope[22:05:57] <seekwill> Why do you want to use SMTPS/IMAPS locally?[22:06:11] <adaptr> because he has a major dose of No Clue[22:07:31] <seekwill> When I use RC, for some weird feeling, I feel like I lose mail sometimes. Haven't proved it yet, but I wonder sometimes...[22:07:37] <seekwill> But it is very pretty[22:07:44] <adaptr> ooh shiny[22:08:51] *** nb has joined #postfix[22:09:12] *** dxtr has quit IRC[22:09:59] <Tom-B> Your contempt of anyone who meets your defintinion of "No Clue" is comically cliche[22:10:17] <Aprogas> so is your face[22:10:25] <Tom-B> XD[22:10:29] <seekwill> so is ur m0m!!!!![22:10:38] <adaptr> nazis![22:10:42] <Aprogas> When I'm not on #Postfix, I am actually quite a succesful troll.[22:10:54] <adaptr> oh you're a decent one here, too, no worries[22:11:07] <seekwill> haha[22:11:21] <seekwill> Tom-B: You haven't answered why you want to force SMTPS/IMAPS locally[22:11:53] <seekwill> Maybe I don't care then...[22:11:55] <Tom-B> I didn't say I wanted to, I asked if there was really that much of a performance hit over SMTP/IMAP for a half dozen users[22:12:29] <Aprogas> For half a dozen users, even Exchange is not a performance problem.[22:12:39] <Tom-B> XD[22:12:47] <adaptr> and we would be curious why you are asking the question in the first place. we're not here to indulge random fantasies[22:13:00] <adaptr> well, apart from cpm's fantasies[22:13:07] <seekwill> How about mine?!?!!?[22:13:08] <Tom-B> You are, and you don't even know it[22:13:14] <adaptr> but they're hardly random - they're utterly predictable[22:13:14] * seekwill goes for thumbs anyday[22:13:19] <Tom-B> I can type twice as fast as this under normal circumstance.[22:13:41] *** [Jasper] has joined #postfix[22:13:53] <[Jasper]> hej guys, I have a question. Im getting relay access denied when sending an email to a certain adress[22:13:59] <[Jasper]> almost any adres works, except this one[22:14:19] <Dominian> !relay_denied[22:14:19] <knoba> Dominian: "relay_denied" : NOQUEUE: reject: RCPT from CLIENT_HOST[CLIENT_IP]: 554 5.7.1 <RECIPIENT@RCPT_DOMAIN>: Relay access denied; from=<SENDER@SENDER_DOMAIN> to=<RECIPIENT@RCPT_DOMAIN> proto=ESMTP helo=<HELO>: This typically means that CLIENT_IP is not in mynetworks (and did not AUTH), and that RCPT_DOMAIN was not recognized as one of this Postfix's domains (not listed in mydestination, relay_domains or virtual_*_domains).[22:14:39] *** brancaleone has joined #postfix[22:15:32] <[Jasper]> hmm[22:15:33] *** uqlev has joined #postfix[22:16:32] <Tom-B> We need more info [Jasper][22:16:40] <adaptr> you certainly do[22:16:42] <[Jasper]> Tom-B I realise that...[22:17:00] <[Jasper]> the ip which was used is not in the allowed ips....the email account used is a valid account though[22:17:16] <Aprogas> !tell [Jasper] welcome[22:17:16] <knoba> Aprogas: Error: "Jasper" is not a valid command.[22:17:19] <[Jasper]> could it be that the sender is NOT logging in for outgoing email sending with the smtp server[22:17:22] <Tom-B> It's like down-nose linux cliche anonymous hour.[22:17:27] <Aprogas> Silly knoba.[22:17:31] *** rajijoom has quit IRC[22:17:47] <adaptr> Aprogas: now you forgot how the bot works[22:17:47] <[Jasper]> hello to you Aprogas :)[22:17:55] <adaptr> !tell [Jasper] > welcome[22:17:55] <knoba> adaptr: Error: "Jasper" is not a valid command.[22:17:57] <adaptr> hahaha[22:18:06] <adaptr> [] is a special command I think[22:18:07] <Aprogas> !tell Jasper welcome[22:18:07] <knoba> Jasper: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[22:18:23] <Tom-B> Good call Aprogas[22:18:32] <adaptr> fanboi[22:18:32] <[Jasper]> I gave some more information didn't I?[22:18:33] <[Jasper]> :P[22:18:34] *** dxtr has joined #postfix[22:18:49] <Tom-B> Just commending him on thinking outside of the box.[22:18:54] <Aprogas> [Jasper]: We need postconf -n, relevant logs, and possible other things, read the welcome factoid and the topic[22:22:21] <Tom-B> I wonder if you got the pun.[22:24:23] <adaptr> hahahahaha yes, it was hilarious![22:25:10] *** juergen_dose has left #postfix[22:28:00] <Schnoobby> gn8[22:28:15] *** Schnoobby has quit IRC[22:28:35] <Aprogas> My brain just typed "postmash" instead of "postmap hash", funny how that works.[22:29:47] <Tom-B> XD[22:30:01] <Tom-B> Gotta be up at lol'oclock ;/[22:30:02] <Tom-B> CBA[22:42:14] *** Dosshell has quit IRC[22:42:55] *** Dosshell has joined #postfix[22:44:21] *** blackxored has quit IRC[22:45:00] *** higuita has quit IRC[22:47:47] *** higuita has joined #postfix[22:48:47] *** sphenxes has quit IRC[22:50:55] * Aprogas decides to follow his own mantra: read first, tinker later[22:51:39] <Tom-B> Coward =)[22:53:39] <Aprogas> He who reads and goes to bed, lives to not make config bad.[22:53:57] *** smica has quit IRC[22:54:05] <Tom-B> Just back em up and tinker baby[22:55:52] *** s0ber has quit IRC[22:56:05] *** Aikar has joined #postfix[22:57:42] *** s0ber has joined #postfix[22:58:03] *** smica has joined #postfix[23:00:06] <Aikar> hi guys, i use postfix on my server to auto forward mail to my gmail account, and i was checking the header on a mail that got flagged as spam but was real (Blizzard for WoW), and i noticed the spf was hard failing because it relayed through my server. heres headers: https://gist.github.com/f79588138b19fb1f0dd4 anything i can change to fix this, what settings do i need to show you guys?[23:01:14] <Tom-B> !tell Aikar welcome[23:01:14] <knoba> Aikar: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[23:02:42] *** joc has joined #postfix[23:03:05] <joc> Hi everybody[23:03:53] *** googlah has quit IRC[23:05:30] <Aikar> https://gist.github.com/f79588138b19fb1f0dd4 updated gist with postconf -n[23:06:21] <joc> Does anyone know what it is called the method for sending mail to another device such as an anti-spam that was sent to clean the external domains?[23:06:25] <Aikar> with the /etc/postfix/virtual file having aikar xxx at gmail dot com line in it for the aikar@ portion[23:07:44] <adaptr> Aikar: if your server is forwarding the message, there should not be any spf information attached to it[23:07:57] <adaptr> or if you have spf, yours should replace the original[23:08:35] <Aikar> well i just got basic forwarding going on, complete noob to this. it works fine, just as you see in header its failing spf[23:09:34] <adaptr> sure, so how are you getting this message ?[23:09:42] <Aikar> it was in my spam box[23:09:43] <adaptr> show the logs[23:11:04] <Aprogas> !tell Aikar srs[23:11:04] <knoba> Aikar: "srs" : sender rewriting scheme (srs) is a technique to re-mail an email message so that eventual delivery status notifications can reach the original message sender. in this context, re-mailing is an alternative to email forwarding, which is not allowed by the sender policy framework. see http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme for more info.[23:11:58] <adaptr> not allowed ? what kind of a useless scheme is that[23:12:05] <adaptr> no wonder it sucks[23:12:39] <Aikar> i added logs to the gist, dont really see much useful info in it lol[23:13:09] <Aprogas> Yes, it is a bit of a hack. SPF sort of assumes all mail delivery follows mua->msa->mda->mua route.[23:13:54] <Aprogas> Aikar: I think Google is doing the SPF lookup and subsequent Spam flagging.[23:13:58] <Aikar> so what can i do? i have quite a few domains i receive email on, and i send them all to the same account.[23:14:08] <Aikar> yea i was wondering if theres anything i can do to help fix that[23:14:13] <Aprogas> Maybe Google Apps is a solution, if you want your mail to go to Google anyway.[23:14:18] <Aprogas> Why not just make them your MX ?[23:14:31] * adaptr is going to make you his MbX[23:14:31] <Aikar> im sending to a single non apps account[23:14:46] <Aikar> since apps lags behind in features :([23:14:53] <Tom-B> Why not set-up a bunch of auto forwarders with the hosting[23:14:56] <Aprogas> I never used it myself. I don't even have a GMail.[23:15:15] <Aikar> Tom-B: thats what ive done[23:15:54] <Aprogas> I think you can only get IP-whitelisted with Google Apps, not regular GMail.[23:15:57] <Aikar> i have postfix relaying all mails it receives to my gmail. the from/to headers remain untouched[23:16:20] <Tom-B> I don't really know what I'm talking about[23:16:25] <adaptr> amen[23:16:36] <Aprogas> Actually I think even with normal GMail, they let you SASL-login to their MSA.[23:16:38] <Tom-B> But 209.239.114.7 is your postfix server yes?[23:16:46] <Aikar> yes[23:17:02] <Aprogas> Being SASL-logged-in might countbalance the SPF-hardfail in terms of Spam scoring.[23:17:04] *** Gambaroni has quit IRC[23:17:15] <Aikar> it hosts mail for aikar.co, but is setup to relay it to gmail[23:17:31] <Aprogas> SRS is still an option.[23:17:40] <Aikar> you mean sending the mail to gmail with authentication?[23:17:54] <Aprogas> Yes, using SASL might be simpler than SRS.[23:18:42] <Aikar> how would i go about doing that? I simply have aikar<space>myrealgmail at gmail dot com in /etc/postfix/virtual file, and that tells it where to forward to[23:18:58] <Aprogas> I'm not sure, I don't have much experience with SASL.[23:19:26] <Aikar> i like having my from/to headers remain untouched in my gmail interface, so i still see "noreply at blizzard dot com sent to aikar at aikar dot co" and from UI point of view you dont see anything about my SMTP server[23:20:01] <adaptr> Aikar: let's pretend we live in a sane universe and that is secondary to it actually WORKING[23:20:43] <Aprogas> postfix/smtp will not attempt SASL if there is no entry in the password maps.[23:21:36] <Aprogas> You should probably use a transport map to override delivery to your gmail address to go via their MSA.[23:21:42] <Aprogas> This is all getting to be a bit of an ugly hack.[23:22:22] <Tom-B> Why not run a proper smtp server and let gmail check your accounts?[23:22:40] <Aprogas> Tom-B: What does that mean?[23:23:01] <Tom-B> You can have gmail pickup email from various accounts yer?[23:23:21] <Aikar> Tom-B: that would be slow o.o[23:23:26] <Tom-B> Ok[23:23:30] <Aikar> this is 2010 we live on push now :p[23:23:36] <Aprogas> Also that probably wouldn't be handled with SMTP.[23:23:48] <seekwill> Of course not![23:23:48] <Tom-B> No he'd need dovecot or similar[23:24:01] <Aikar> this sasl looks like a posibility Aprogas[23:24:16] <Aikar> i think i just gotta configure it for gmail's domain[23:24:17] <Tom-B> As I said I don't really know what I'm talking about so... =)[23:24:21] <seekwill> adaptr: I can't believe some of these people are allowed to play on port25 :([23:24:27] <Tom-B> Yay for the plucky brit though 8)[23:24:37] *** TomHome has joined #postfix[23:24:49] <adaptr> seekwill: I can't believe you're allowed to play outside unsupervised![23:24:51] <Aprogas> Aikar: Either just for gmail.com, or even only for xxxxxxx at gmail dot com[23:25:01] <seekwill> adaptr: I got a hall pass![23:25:10] <adaptr> lemme see your fake ID[23:25:16] <Aikar> smtp_sasl_password_maps[23:25:26] <Aikar> that setting, i can put an email instead of smtp server addr?[23:25:27] <Aprogas> Aikar: On the longer term and grander scale, if Google finds you consistently submitting mail to their MSA from "fake" domains, that may lead to other problems.[23:25:28] <seekwill> apt-get install fake_id_generator[23:25:34] <Aikar> ie xxx at gmail dot com user:pass ?[23:25:48] <Aikar> ive had my mail setup like this for years o.o[23:26:06] <Aprogas> I think the MSA of GMail is seperate from their MXen, so you'd need a transport_maps anyway.[23:26:07] <Aikar> its really common on shared hosting[23:26:30] <Aikar> in cPanel webhosting, if you setup an alias it does exactly what im doing[23:26:35] <Aikar> err forward*[23:26:52] <Aikar> just never noticed it was triggering SPF records[23:27:52] <Aikar> http://wiki.zimbra.com/wiki/Outgoing_SMTP_Authentication is what im looking at[23:28:14] <Aprogas> Why?[23:29:13] <Aikar> it talks about setting up SASL password auth for smept[23:29:15] <Aikar> smtp*[23:29:26] <Aprogas> !tell Aikar sasl[23:29:26] <knoba> Aikar: "sasl" : SASL is 'Simple Authentication and Security Layer', necessary for SMTP AUTH, and provided to Postfix by addin software. Cyrus SASL and/or Dovecot IMAP/POP3 can provide SASL. See http://www.postfix.org/SASL_README.html for details.[23:30:17] *** JonnyV has quit IRC[23:41:17] *** tomocha6 has quit IRC[23:48:59] <hesco> what is the best practice for throttling the rate at which mail to a particular domain is processed?[23:51:39] <Aprogas> Not sure if there is a direct _maps sort of way to specify concurrency or rate_delay per domain, but it is possible via custom transport definitions.[23:52:57] <Aprogas> e.g. clone the smtp (not smtpd) transport in master.cf to smtp-relaxed and with some -o options make it less aggressive, then use smtp-relaxed: as transport for all domains that you know don't like fast delivery.[23:54:27] <hesco> thanks, on it[23:59:15] *** smica has quit IRC