June 13, 2013 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | >
June 13, 2013 [00:03:50] *** mibofra has quit IRC[00:04:22] *** amboss has quit IRC[00:07:05] *** warhead has joined #postfix[00:09:15] *** wald00 has quit IRC[00:09:28] *** war4head has quit IRC[00:09:30] *** wald00 has joined #postfix[00:13:07] *** robinho86 has quit IRC[00:14:36] *** bitg has quit IRC[00:14:38] *** p3rror has quit IRC[00:15:23] *** err-or_ has joined #postfix[00:16:09] *** err-or has quit IRC[00:16:38] *** amboss has joined #postfix[00:20:30] *** bitg has joined #postfix[00:29:30] *** stljim has joined #postfix[00:41:26] *** MaximusColourum has quit IRC[00:44:39] *** danblack has joined #postfix[00:48:11] *** freezey has joined #postfix[00:51:57] *** danblack has quit IRC[01:03:30] *** aindilis2 has quit IRC[01:05:29] *** danblack has joined #postfix[01:05:48] *** nutron has quit IRC[01:09:35] *** wald00 has quit IRC[01:09:47] *** wald00 has joined #postfix[01:15:18] *** danblack has quit IRC[01:28:30] *** danblack has joined #postfix[01:33:25] *** gu1lle_ has quit IRC[01:38:12] *** mooperd has quit IRC[01:42:50] *** whoami has joined #postfix[01:45:43] *** lunaphyte has quit IRC[01:51:16] *** shinao1 has quit IRC[01:55:12] *** lunaphyte has joined #postfix[01:55:56] *** bkfitz has joined #postfix[01:56:57] *** bkfitz_ has joined #postfix[02:01:24] *** gu1lle_ has joined #postfix[02:04:54] *** LeLutin has quit IRC[02:05:08] *** bkfitz has quit IRC[02:05:24] *** bkfitz_ has quit IRC[02:05:36] *** LeLutin has joined #postfix[02:05:55] *** gu1lle_ has quit IRC[02:12:13] *** wald00 has quit IRC[02:12:27] *** wald00 has joined #postfix[02:14:46] *** kiri has quit IRC[02:19:35] *** [diablo] has quit IRC[02:21:28] *** kiri has joined #postfix[02:22:56] *** grknight has joined #postfix[02:24:01] *** whoami has quit IRC[02:25:23] *** whoami has joined #postfix[02:38:29] *** bkfitz has joined #postfix[02:38:46] *** bkfitz_ has joined #postfix[02:50:20] *** nutron has joined #postfix[02:51:41] *** stljim has quit IRC[03:05:31] *** wald00 has quit IRC[03:05:50] *** wald00 has joined #postfix[03:07:24] *** kdephil has joined #postfix[03:11:54] *** wald00 has quit IRC[03:15:29] *** Quadro has quit IRC[03:15:54] *** Quadro has joined #postfix[03:16:44] *** biggimat has quit IRC[03:16:49] *** spY|da has quit IRC[03:17:22] *** spY|da has joined #postfix[03:19:32] *** bkfitz has quit IRC[03:30:38] *** freezey has quit IRC[03:35:19] *** Ulver has quit IRC[03:36:37] *** terr1 has quit IRC[03:37:10] *** abyss_ has quit IRC[03:37:42] *** on1ald has quit IRC[03:38:05] *** on1ald has joined #postfix[03:38:41] *** terr1 has joined #postfix[03:38:56] *** abyss has joined #postfix[03:42:56] *** Bry8Star has quit IRC[03:44:47] *** Bry8Star has joined #postfix[04:00:09] *** kdephil has quit IRC[04:25:10] *** heath has joined #postfix[04:41:53] *** wald00 has joined #postfix[04:48:21] *** multi_io has joined #postfix[04:52:16] *** bkfitz_ has quit IRC[04:52:39] <multi_io> considering the recent PRISM outfall and all, does anyone have any numbers on what percentage of all publicly sent emails are delivered via unencrypted SMTP?[04:53:00] <adaptr> 99.99%[04:53:07] <multi_io> just curiosity on my part :P[04:53:15] <thumbs> multi_io: mx servers use port 25 and don't use encryption.[04:53:21] <multi_io> adaptr: yeah. thought so :)[04:53:28] <lunaphyte> some do, but not very many[04:53:29] <multi_io> thumbs: there's STARTTLS...[04:53:42] <adaptr> multi_io: MAs can only provide transport-level security. this does not protect your email. in any way.[04:53:45] <adaptr> *MTAs[04:54:01] <rob0> Encryption enroute means nothing if the receiver is sharing data with the bad guys.[04:54:25] <lunaphyte> yeah, it's realy a quite moot point, in the context of "prism"[04:54:28] <multi_io> adaptr: of course, but that's what counts if we're talking about the feds snooping data at some public/backbone routers[04:54:32] <lunaphyte> *really?[04:54:50] <lunaphyte> why bother? there's lower hanging fruit[04:54:56] <adaptr> multi_io: no, it really isn't. they don't. they just ask your ISP.[04:55:10] <adaptr> and the whole POINT of te PRISM relevantions of monday was that they don't NEED TO ASK ANYMORE>[04:55:16] <adaptr> they are given direct, open access[04:55:55] <multi_io> the companies are all denying that...[04:55:56] <adaptr> PRISM doesn't mine internet data. it mines personal data present at commercial companies.[04:56:13] <lunaphyte> e.g. low hanging fruit[04:56:26] <lunaphyte> methinks the lady doth protest too much...[04:57:05] <lunaphyte> the companies are all denying that - ok, so we've ruled that out then. it's definitely not the companies, since they'd said so. :)[04:57:31] *** Kellin has quit IRC[04:57:57] * adaptr has spotted a flaw[04:58:13] <lunaphyte> another?[04:58:17] <lunaphyte> how'd it get in?[04:58:44] <multi_io> well, I think that most likely "PRISM" is really the implementation of what we always knew NSA is doing[04:59:00] <multi_io> i.e. snooping public data, not "backdoors"[04:59:30] <lunaphyte> pretty much[05:01:02] <multi_io> even the term "prism" kinda gives it away, referring to beam splitting to snoop fiber-optic communications and such :P[05:08:42] *** Kellin has joined #postfix[05:08:42] *** Kellin has joined #postfix[05:13:58] *** laner has quit IRC[05:18:30] *** laner has joined #postfix[05:18:56] *** Verilium has joined #postfix[05:26:38] <pj> well, I'd trust google's word more than other companies. According to google they only share data for specific legal requests, not wholesale for everyone. I don't trust anyone else, though.[05:27:14] <pj> the problem with google is if they ever change that policy they have quite a bit of data to share.[05:31:12] *** echelog has joined #postfix[05:34:14] *** Ulver has joined #postfix[05:34:22] *** ncp has joined #postfix[05:49:40] *** cristian has joined #postfix[05:51:14] *** cristian_ has quit IRC[05:53:30] *** laner has quit IRC[05:57:48] *** Colt has joined #postfix[06:04:50] *** rotbeard has joined #postfix[06:07:14] *** grknight has quit IRC[06:07:25] *** aindilis2 has joined #postfix[06:13:24] *** danblack has quit IRC[06:17:28] *** Colt has quit IRC[06:27:20] *** danblack has joined #postfix[06:40:47] *** cristian has quit IRC[06:40:56] *** cristian has joined #postfix[06:53:00] *** danblack has quit IRC[07:06:07] *** danblack has joined #postfix[07:18:30] *** danblack has quit IRC[07:18:50] *** danblack has joined #postfix[07:23:51] *** wald00 has quit IRC[07:39:36] *** shinao1 has joined #postfix[07:48:09] *** trusktr has joined #postfix[08:00:05] *** Uranio has quit IRC[08:00:51] *** Uranio has joined #postfix[08:04:53] *** synapt has quit IRC[08:05:26] *** _ruben_ has joined #postfix[08:06:15] *** _ruben has quit IRC[08:06:46] *** biggi_mat has joined #postfix[08:07:10] *** synapt has joined #postfix[08:11:55] *** trusktr has quit IRC[08:28:12] *** hparker has quit IRC[08:29:14] *** trusktr has joined #postfix[08:29:32] *** hparker has joined #postfix[08:35:31] *** hparker has quit IRC[08:36:35] *** sep has joined #postfix[08:45:15] *** hparker has joined #postfix[08:45:15] *** hparker has joined #postfix[08:53:27] *** hparker has quit IRC[08:55:24] *** mooperd has joined #postfix[08:55:27] *** cilly has joined #postfix[08:59:33] *** cilly has quit IRC[09:13:48] *** danblack has quit IRC[09:22:50] <yezariaely> I used a Mysql based config and had two entries within my alias table for one key. This worked fine, postfix sent the emails to both the referenced email adresses. Now I use btree based files and postmap complains about a double entry. How can I achieve this with a pure file config: having an alias which points to two or more target addresses[09:23:19] *** trusktr has quit IRC[09:24:07] *** cilly has joined #postfix[09:24:13] <Zerberus> yezariaely: alias: recipient1, recipient2, ...[09:24:32] <yezariaely> ah, so simple :_)[09:24:34] <yezariaely> :-)[09:24:43] <Zerberus> I am pretty sure this is documented[09:25:18] <yezariaely> probably it is... :/ sorry[09:25:44] *** danblack has joined #postfix[09:27:26] *** ffiore has joined #postfix[09:29:07] *** trusktr has joined #postfix[09:37:31] *** Ulver has quit IRC[09:42:11] *** wdp has joined #postfix[09:42:11] *** wdp has joined #postfix[09:47:17] *** sphenxes has joined #postfix[09:51:10] *** cilly has left #postfix[09:51:40] *** hparker has joined #postfix[09:51:40] *** hparker has joined #postfix[09:53:19] *** ncp has quit IRC[09:53:32] *** ncp has joined #postfix[09:53:35] *** sphenxes has quit IRC[10:16:17] *** danblack has quit IRC[10:16:36] *** damyan^ has quit IRC[10:20:39] *** nveselinov has quit IRC[10:21:08] *** damyan^ has joined #postfix[10:32:48] *** bundy has joined #postfix[10:32:51] *** mooperd has quit IRC[10:39:46] *** mooperd has joined #postfix[10:48:53] *** mooperd has quit IRC[10:53:45] *** [diablo] has joined #postfix[10:58:17] *** shinao1 has quit IRC[11:03:47] *** Kako has joined #postfix[11:06:46] *** bungalo_ has joined #postfix[11:08:46] *** bungalo_ is now known as bungalo[11:16:10] *** ncp has quit IRC[11:18:06] *** ncp has joined #postfix[11:28:57] *** zorg1 has joined #postfix[11:29:45] *** zorg1 has quit IRC[11:38:34] *** mooperd has joined #postfix[11:41:03] *** zorg1 has joined #postfix[11:42:50] *** mooperd has left #postfix[11:45:57] *** bundy has quit IRC[12:05:20] *** trusktr has quit IRC[12:13:02] *** cilly has joined #postfix[12:24:41] *** tapout has quit IRC[12:27:53] *** chrisq has joined #postfix[12:29:36] *** Tomer- has quit IRC[12:30:57] *** tapout has joined #postfix[12:35:40] *** tapout has quit IRC[12:41:47] *** danblack has joined #postfix[12:59:36] *** cilly has quit IRC[13:04:46] *** jarif_ has quit IRC[13:19:57] *** UQlev has joined #postfix[13:25:18] *** sphenxes has joined #postfix[13:28:44] *** sphenxes has quit IRC[13:30:53] *** sphenxes has joined #postfix[13:36:05] *** sphenxes has quit IRC[14:02:36] *** JC_SoCal has quit IRC[14:07:42] *** NightTrain has joined #postfix[14:14:33] *** sphenxes has joined #postfix[14:14:45] *** mibofra has joined #postfix[14:14:45] *** mibofra has joined #postfix[14:19:21] *** UQlev has quit IRC[14:23:47] *** Section1 has joined #postfix[14:27:25] *** grknight has joined #postfix[14:44:14] *** robinho86 has joined #postfix[14:54:03] *** jarif has joined #postfix[14:54:55] *** Olive67 has joined #postfix[14:56:51] <grknight> Olive67: now please follow the /topic here and we can figure out how to remove uribl.com so you can start getting emails again[15:05:11] <Olive67> Since few days now, my mail server is not receiving any email. I have tried to send an email to one of the email accounts hosted on my server, and got replied back the following error: http://pastebin.com/0tGPtdhE , any idea?[15:05:15] <Olive67> postconf output: http://pastebin.com/47YmufWa[15:09:29] <grknight> Olive67: ick, those rbls are a MESS[15:10:23] <Olive67> ick? rbls?[15:10:34] <grknight> dsbl.org is long dead[15:11:17] <grknight> and why on earth do you query every RBL TWICE per session?!?[15:12:14] <Olive67> probably beca&use I follofwed some tut a while ago when setting up this server, and overall I don't know what I'm doing when it reffers to postfix[15:12:25] <grknight> !tell Olive67 tutorial[15:12:25] <knoba> Olive67: "tutorial" : A very common problem is that some people prefer to follow a step-by-step tutorial that shows them how to setup their server w/out reading the documentation or understanding what they are doing. If something goes wrong, they have no clue whatsoever about where to find hints, and they sometimes decide to start from scratch using a different tutorial. This is not The Proper Way.[15:12:52] <Olive67> +1[15:13:24] <grknight> Olive67: first, nuke smtpd_client_restrictions out of the config. it is redundant[15:14:03] <Olive67> so I remove all this: smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client multi.uribl.com, reject_rbl_client dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, re[15:14:03] <Olive67> ject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client combined.rbl.msrbl.net, reject_rbl_client rabl.nuclearelephant.com, permit[15:14:17] *** sphenxes has quit IRC[15:14:25] <Olive67> correct?[15:15:32] <wdp> Olive67, probably you should just start to read the documentation[15:15:56] <wdp> and try to understand the settings you're using.[15:16:59] *** cilly has joined #postfix[15:19:38] <Olive67> wdp: it is going to take me a while. I agree that's a proper way to do it, and otherwise I shouldn't setup a mail server. But right now I just want to be able to receive mails again and prevent my server from being a spam relay. Right now I'm completely stuck for action I need to take on some websites that requires confirmation from the email address I used to register.[15:20:24] <Olive67> please help[15:21:00] <wdp> remove the blacklists from your restrictions and check the log.[15:21:37] <wdp> some of the blacklists you've listed do not exist anymore.[15:22:26] <grknight> Olive67: second, set "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client combined.rbl.msrb[15:24:57] <grknight> i'm especially not sure on combined.rbl.msrbl.net. may be dead too[15:25:22] <Olive67> so I should endup with something like this: http://pastebin.com/PKmsZadA[15:25:25] <Olive67> ?[15:27:15] <grknight> Olive67: close, take off msrbl.net because it doesn't seem to be responding[15:27:58] *** p3rror has joined #postfix[15:31:29] *** rotbeard has quit IRC[15:32:40] <Olive67> I don't get it: the only msrbl.net I can find WAS in the smtpd_client_restrictions you told me to remove[15:33:07] <Olive67> ho wait[15:34:13] <Olive67> all good? http://pastebin.com/9V1FnAu6[15:37:18] <grknight> Olive67: looks better. you were abusing RBLs for two reasons. any client that connected, INCLUDING YOUR OWN network was checked against EVERY RBL twice!! In addition, it checked every RBL even if you were not responsible for the email[15:38:03] <Olive67> a lot of useless request indeed[15:39:09] *** Bry8Star has quit IRC[15:40:24] <Olive67> restarted postfix[15:40:27] *** Bry8Star has joined #postfix[15:40:32] <Olive67> mailserver receivinng again[15:40:45] *** KaiForce has joined #postfix[15:40:46] *** sphenxes has joined #postfix[15:40:50] <Olive67> GREAT THX grknight :-))))[15:40:54] <grknight> Olive67: also, if you do not have a caching DNS server locally, it's a great idea to have one[15:41:36] *** sphenxes has quit IRC[15:42:35] <Olive67> I guess I'll have to explore this possibility, thx[15:42:46] <KaiForce> I have two user accounts (used on machines that were infected with a virus from an email attachment) that are now spamming. The logs show the accounts are authenticating with SASL. I deleted the accounts and they are still able to send SPAM. What should I look at?[15:43:09] <KaiForce> (Deleted the accounts with postfixadmin[15:44:16] *** sphenxes has joined #postfix[15:49:28] *** UQlev has joined #postfix[15:53:07] *** RayS has joined #postfix[15:56:59] <KaiForce> Anyone? I'm at a complete loss at how they are doing this.[15:58:11] <Zerberus> KaiForce: read the mail log[15:58:23] <Zerberus> KaiForce: inspect postconf -n[15:58:33] <Zerberus> KaiForce: see /topic about how to ask here[16:00:46] *** Kako has quit IRC[16:01:16] <KaiForce> ok i"ve read the mail logs, and as I've indicated they are authenticating.[16:01:48] <KaiForce> in postconf, I have this: smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit[16:02:47] <KaiForce> If nobody is going to respond because they think I'm too stupid, please let me know so I don't waste any time here.[16:03:04] <KaiForce> I have no ego, I just need to fix this.[16:03:46] <grknight> KaiForce: if you've really deleted the accounts, perhaps you need to restart your auth daemon to notice that they are gone[16:04:00] <grknight> or you have bigger problems than you realize[16:15:42] <KaiForce> grknight: thanks, that seemed to do it. or... they stopped spamming at the same time coincidentally.[16:17:56] <KaiForce> Even with that, this is a pretty big problem.[16:19:02] *** freezey has joined #postfix[16:28:04] <KaiForce> I'm getting auth failures in auth.log, so a restart of the daemon was necessary to stop them. Anyone ever seen that happen ??[16:29:20] <jelly> KaiForce: which daemon?[16:29:23] <KaiForce> Ah, here is a message addressing it: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2013-March/002597.html[16:29:28] <KaiForce> saslauthd[16:30:19] *** Kalavera has left #postfix[16:32:22] *** Kalavera has joined #postfix[16:32:28] <Kalavera> KaiForce: maybe you would like to take rid of this: permit_mynetworks leaving it all to permit_sasl_authenticated[16:35:12] *** NightTrain has quit IRC[16:35:21] <KaiForce> Kalavera: you are exactly right[16:35:27] *** NightTrain has joined #postfix[16:35:48] <Kalavera> KaiForce: good to know[16:42:57] *** wald00 has joined #postfix[16:46:51] *** lunaphyte_ has joined #postfix[16:48:06] *** RayS has quit IRC[16:51:12] *** RayS has joined #postfix[16:53:24] *** lapache has joined #postfix[16:54:20] *** [diablo] has quit IRC[16:58:09] <lapache> Hello, i want to relay local users mail to my personal mailbox but when i "sendmail root" , the mail is sende to root@$myhostname and it is not matching /etc/aliases as i want to[16:58:36] <lapache> Do you know why ? (i precise newaliases already done for sure ....)[16:59:25] *** wald00 has quit IRC[16:59:54] *** ffiore has quit IRC[17:04:44] <grknight> lapache: when you don't specify a qualified email address, postfix will append $myorigin to an email[17:04:53] <grknight> !tell lapache myorigin[17:04:53] <knoba> lapache: "myorigin" : a configuration parameter in the main.cf: The default domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. The default $myhostname, which is fine for small sites. If you run a domain with multiple machines, you should (1) change this to $mydomain and (2) set up a domain-wide alias database that aliases each user to user at that dot users.mailhost.[17:05:25] *** freezey has quit IRC[17:06:11] <lapache> ok so i can't send mail to local users using postfix sendmail ?[17:08:38] *** mactimes_ is now known as mactimes[17:10:40] <grknight> lapache: no, i never said that[17:15:22] *** madduck_ is now known as madduck[17:18:18] *** wdp has quit IRC[17:18:21] *** danblack has quit IRC[17:18:22] *** RayS has quit IRC[17:18:23] <Zerberus> lapache: that's bad practice[17:23:26] *** KaiForce has quit IRC[17:24:10] *** cilly has quit IRC[17:25:41] <lapache> ok, i'll keep searching, thank you[17:42:37] *** RayS has joined #postfix[17:47:13] *** RayS has quit IRC[17:48:10] *** RayS has joined #postfix[17:56:54] *** Uranio has quit IRC[17:56:58] *** RayS has quit IRC[17:58:55] <lapache> Zerberus, could you tell me which is the best partice in this case ?[18:02:16] *** mactimes is now known as mactimes_[18:03:45] *** Eagleman7 has quit IRC[18:04:06] *** [diablo] has joined #postfix[18:04:06] *** [diablo] has joined #postfix[18:10:56] <Zerberus> lapache: yes, use a configurable mail user agent[18:11:56] *** RadoQ has quit IRC[18:19:07] *** sniffell1 has quit IRC[18:22:50] *** toothe has joined #postfix[18:23:00] *** toothe has joined #postfix[18:23:00] *** toothe has joined #postfix[18:23:39] <toothe> What is the process to have postfix receive email on one machine, but then store the email data on another machine behind a firewall?[18:24:06] <toothe> I would not simply use NFS because then if the public-facing postfix server was compromised, the email files would be as well.[18:24:21] <jimpop> postfwd ?[18:25:07] <toothe> is that what I want to google?[18:25:12] <jimpop> yes[18:25:41] *** RayS has joined #postfix[18:25:48] <jimpop> and ty for not asking us to bing it for you. ;-)[18:25:52] *** matt1982 has joined #postfix[18:26:09] <Zerberus> toothe: it is simply setting up a relay host, no need for postfwd[18:26:55] <jimpop> toothe: or do as Zerberus recommends.[18:34:32] *** p3rror has quit IRC[18:35:36] *** wald00 has joined #postfix[18:35:41] <toothe> a relay host...[18:35:48] <toothe> that sounds simple enough[18:43:01] *** Tormin has quit IRC[18:45:52] *** mactimes_ is now known as mactimes[18:48:36] *** coredumb has joined #postfix[18:48:38] <coredumb> Hello[18:52:06] <coredumb> i have a postfix installation that allow my network to relay two specific domains using check_recipient_access in smtpd_recipient_restrictions. I'd like to add a rule to allow a specific ip adress on mynetwork to also send to a specific destination. Any idea to do so ?[18:56:23] *** Tormin has joined #postfix[18:59:02] *** sniffell1 has joined #postfix[18:59:55] *** UQlev has quit IRC[19:07:44] *** cilly has joined #postfix[19:09:50] *** matt1982 has quit IRC[19:11:15] *** matt1982 has joined #postfix[19:17:00] *** Jaac has quit IRC[19:31:28] *** ncp has quit IRC[19:32:35] *** ncp has joined #postfix[19:34:01] <adaptr> I'm confused. you allow relaying by.. not using relaying ?[19:42:12] *** tabakhase has quit IRC[19:42:12] *** tabakhase has joined #postfix[19:42:59] *** tolkor has quit IRC[19:48:56] *** trusktr has joined #postfix[19:53:18] *** ncp has quit IRC[19:54:49] *** tolkor has joined #postfix[19:56:04] *** ncp has joined #postfix[20:01:42] <coredumb> adaptr: i want to relay to only specific domains actually[20:02:09] <coredumb> not let "mynetwork" go wild and send emails anywhere[20:14:40] *** matt1982 has quit IRC[20:15:38] *** matt1982 has joined #postfix[20:16:05] *** matt1982 has quit IRC[20:16:34] *** trusktr has quit IRC[20:16:36] *** UQlev has joined #postfix[20:22:11] *** bkfitz has joined #postfix[20:28:18] <adaptr> ... again, what does that have to do with relaying ?[20:28:37] <adaptr> if youi specifically want to RELAY to certain DOMAINS, there is a specific setting for that[20:28:49] <adaptr> I suggest you use that[20:30:51] <coredumb> adaptr: yes but how can i relay to certain domains AND also allow some sources to send to some destinations outside the relay domains ?[20:30:57] *** gu1lle_ has joined #postfix[20:32:04] <adaptr> these things are entirely unrelated[20:32:28] <adaptr> if those "sources" have static IPs, you can add them to mynetworks[20:32:54] <adaptr> or use a check_client_access map in case you want to order the restrictions sanely[20:33:04] <adaptr> but normally, you enforce submission for submitting user mail[20:34:00] *** heath has quit IRC[20:34:29] <coredumb> adaptr: they are actually in mynetworks[20:34:35] *** heath has joined #postfix[20:34:41] <coredumb> same subnet[20:35:14] <adaptr> well, "actually", mynetworks should be limited to localhost, 99% of the time, unless you know really well what you're doing.[20:39:08] <coredumb> well for a relay server wouldn't i achieve the same point setting my local subnet in mynetworks than setting mynetworks to localhost and having my local subnet in client_access map ?[20:39:30] <adaptr> ...that doesn't make any sense[20:39:42] <adaptr> and no, none of that controls relaying to specific domains[20:50:59] *** mbarr has joined #postfix[20:51:35] <mbarr> !welcome[20:51:35] <knoba> mbarr: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[20:52:56] <mbarr> Is there an SMTP equivalent of : lmtp_tcp_port ? I need to set, on a per postfix instance basis, the default outbound SMTP port to something other than 25.[20:53:31] <adaptr> edit the transport to use the port you require[20:53:41] <mbarr> (this will get rewritten by the firewalls & load balancer to be 25 when it gets opened in actuallity.[20:54:31] *** aarcane has quit IRC[20:54:53] <mbarr> Hmm… I was looking at the transport, but that's not defined in the transport map file… let me go look again.[20:55:08] <adaptr> transports are defined in master.cf[20:55:12] <mbarr> ( I saw the inbound port for SMTPD in master.)[20:55:22] <mbarr> but may not have looked down far enough :([20:57:48] <grknight> mbarr: 'man 5 transport' roughly line 150[20:59:01] <grknight> mbarr: but that requires an upstream that i know of[20:59:12] <adaptr> why ?[20:59:57] <mbarr> Yes, something like this would work if I was using an upstream relay…[21:00:02] <mbarr> example.com smtp:bar.example:2025[21:00:06] <adaptr> you shouldn't use transport_maps for this[21:00:22] <adaptr> just alter the existing transport[21:00:25] <mbarr> But i'm not. Transport maps is wrong for this :)[21:00:26] <grknight> adaptr: how can smtp know to switch ports? not smtpd[21:00:40] <adaptr> how does smtp know which port to use in the first place ?[21:00:49] <mbarr> It looks master.cf just specifies to use the command smtp[21:01:14] <mbarr> Docs say that's the command, vs the unix service name.[21:01:19] <adaptr> the first column of master.cf service entries is the *service name*.[21:01:33] <adaptr> now tell me what it means if that says "smtp"[21:01:42] <mbarr> It means 25...[21:01:45] <adaptr> exactly[21:01:59] <adaptr> 2025 inet - - n - - smtp[21:02:02] <adaptr> done[21:02:14] <mbarr> Will postfix actually use that to send anything, then?[21:02:18] <mbarr> is the key.[21:02:30] <adaptr> !default_transport[21:02:30] <knoba> adaptr: "default_transport" : a configuration parameter in the main.cf: The default mail delivery transport for domains that do not match $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or $relay_domains. This information can be overruled with the transport(5) table.[21:03:59] <adaptr> this is one of the rare cases where you may set that explicitly[21:04:02] <mbarr> (it wasn't clear that the "service" listed in the first column was, in fact, a unix service name, nor that it would automatically be used for servicing outbound queues.[21:04:07] <mbarr> Gotcha.[21:04:08] <grknight> adaptr: what i don't get is if i define a custom smtp transport like "deadbeats" it still uses port 25[21:04:11] <adaptr> mbarr: that is documented very clearly[21:04:25] <adaptr> grknight: so define it as deadbeats:25[21:04:32] <adaptr> also documented[21:04:33] <mbarr> (Immediately being the operative word. Sorry about that.[21:04:38] <grknight> it uses it and i do not define it[21:05:07] <adaptr> the default depends on the service. for smtp(8), that would be port 25[21:05:53] <adaptr> mbarr: you can also duplicate the existing smtp(8) service and comment out the original, then set a named defaulT-transport if you like[21:05:58] <adaptr> there's many ways to achieve this[21:06:28] <adaptr> (but transport_maps isn't it, because if you wildcard that, it will be used for ALL mail. including local mail.)[21:06:43] <adaptr> I'm not even sure if transport(5) allows a full wildcard[21:08:11] <adaptr> mbarr: it's not used "automatically". the stock distributed service name for smtp(8) is "smtp". the default value for default_transport is also "smtp".[21:08:17] <adaptr> this is why[21:08:34] <adaptr> you should see postfix as a gigantic Lego box.[21:08:43] <mbarr> Oh, I do. that's what I figured.[21:08:46] <adaptr> you plug shit together any which way. some will be useless, some will be pretty.[21:09:00] <adaptr> the defaults (the piccies on the box) work.[21:10:22] <mbarr> OK : so, setup a new service smtp2501 , and then: http://pastebin.com/AVw450c4[21:10:38] <mbarr> have to find the default_transport change, specifically, but no big deal.[21:10:53] <mbarr> and probably set a transport for my internal mail bouncing.[21:11:13] <adaptr> since that originated from your domains, it is not affected by default_transport[21:11:19] <mbarr> I'll work it out- thanks.[21:11:36] <adaptr> ...that will not work.[21:11:46] <mbarr> Yeh, I figured it was wrong.[21:12:00] <adaptr> re-read the above screen. it's all laid out[21:12:10] <mbarr> but i was just going to research the setting of default_transport, as you said above, and figure it out.[21:12:17] <adaptr> excellent[21:15:19] *** amboss has quit IRC[21:16:56] *** sphenxes01 has joined #postfix[21:20:19] *** sphenxes has quit IRC[21:20:27] *** amboss has joined #postfix[21:28:15] *** bkfitz has quit IRC[21:28:25] <mbarr> OK: the line in master.cf for smtp does not mean a port number from unix services file, unless it's an inet service.[21:28:51] <mbarr> which makes much more sense. now to keep trying to figure out what the heck adaptr meant..[21:46:00] *** jarif has quit IRC[21:47:35] *** terr1 has quit IRC[21:47:49] *** Bry8Star has quit IRC[21:50:47] *** terr1 has joined #postfix[21:53:27] *** UQlev has quit IRC[21:55:53] *** Bry8Star has joined #postfix[21:57:48] <pj> there is a general distaste for using mynetworks to control authentication because mynetworks is actually used in a large number of other settings. So while adding a host to mynetworks will indeed allow relaying of default-class domains (provided you have permit_mynetworks in the right places) it may also do things that you're not expecting because of how it's used in so many other settings as well.[21:58:01] *** p3rror has joined #postfix[21:58:07] *** jarif has joined #postfix[21:58:17] <pj> This is the reason why it's generally recommended to use client_access_map instead.[21:59:26] <pj> also client_access_map allows better control of what you can do when a result is matched.[22:01:17] *** Section1 has quit IRC[22:03:10] *** lisak has joined #postfix[22:04:46] <lisak> hey, does anybody know if verp Return-Path header is being logged by postfix ?[22:05:31] *** aarcane has joined #postfix[22:06:06] *** riceandbeans has joined #postfix[22:11:02] *** Salcoder has joined #postfix[22:14:00] <pj> generally postfix doesn't log headers. You can make postfix log specific headers with header_checks, though.[22:14:06] <pj> !tell lisak header_checks[22:14:07] <knoba> lisak: "header_checks" : a configuration parameter in the main.cf: Optional lookup tables for content inspection of primary non-MIME message headers, as specified in the header_checks(5) manual page.[22:14:45] <Dominian> I've seen a few people do the return-path logging with header_.... argh nevermind pj got it... freakin' lag![22:15:28] *** Salcoder has quit IRC[22:15:54] *** _habnabit has joined #postfix[22:16:14] <_habnabit> hi, quick question: is there a way to have postfix authenticate client certificates by DN instead of fingerprint?[22:17:16] *** bkfitz has joined #postfix[22:21:25] *** master_of_master has joined #postfix[22:21:49] *** s0ber has quit IRC[22:22:19] *** master_o1_master has quit IRC[22:22:28] <adaptr> how do you mean ?[22:22:46] <adaptr> normally, client certificates are checked based on the issuer and the client's CN[22:22:56] <adaptr> this is not mail-specific[22:23:23] *** s0ber has joined #postfix[22:23:29] <_habnabit> adaptr, yes, the CN is part of the DN string in the certificate. however all of the docs i see seem to be for authenticating client certificates by the key fingerprint[22:24:37] <_habnabit> adaptr, see: http://www.postfix.org/postconf.5.html#smtpd_tls_fingerprint_digest and http://www.postfix.org/postconf.5.html#check_ccert_access[22:25:22] *** laner has joined #postfix[22:25:53] *** JC_SoCal has joined #postfix[22:28:01] <adaptr> As documented in http://www.postfix.org/TLS_README.html#server_vrfy_client, you can choose to list all fingerprints you accept, or accept all certificates signed by specified issuers.[22:28:26] <adaptr> if it is not documented, it is not supported[22:31:56] <_habnabit> adaptr, this is why i was trying to make sure there was nothing i was missing[22:32:10] <adaptr> you're not. it is not supported[22:32:14] <mbarr> adaptr: let's see if we can find something you can point me to that might work.[22:32:52] *** shinao1 has joined #postfix[22:33:08] <mbarr> from scratch, I'm trying to set the default delivery port for out bound smtp. This is not a local connection. It would seem the perfect analogue to lmtp_tcp_port.[22:33:52] <mbarr> Changing the "smtp" in the master.cf config for "smtp inet ……." will not do what is necessary. That's the inbound listening port.[22:34:16] <adaptr> you're mistaken[22:34:24] <mbarr> Please, I'd love to be :)[22:34:37] <adaptr> cut down on the righteous attitude, for starters.[22:35:06] <mbarr> No, really, i'd love for this to be as easy as me being wrong. it'd be a relief.[22:35:28] <adaptr> you're wrong. I already said that.[22:35:45] <mbarr> So: the line it sounded like you're suggesting changing : is "smtp unix …… smtp"[22:35:54] <adaptr> !smtp!=smtpd[22:35:54] <knoba> adaptr: "smtp!=smtpd" : Postfix smtp_* and smtpd_* configuration parameters have different meanings. smtp_ = client and smtpd_ = server, the client-side sends mail whilst the server-side receives mail. (smtp = client = sends mail) (smtpd = server = receives mail)[22:36:34] <mbarr> smtp unix - specifies the queue, which is then passed to the smtp command.[22:36:51] <mbarr> smtp(8) does not offer a config to change the outbound, destination port.[22:37:03] <mbarr> it does offer the lmtp_tcp_port.[22:37:09] <mbarr> which is exactly what I want, but for smtp.[22:37:56] <adaptr> you're wrong, again. the smtp transport has no relation to the queue[22:39:28] <mbarr> OK.Yep, i see where i misread that in master(5).[22:39:37] <mbarr> that's used for local submission, it appears.[22:40:50] <mbarr> Sorry, wrong again. Meh.[22:42:27] <lisak> pj, thank you, that's exactly what I needed[22:42:41] <mbarr> Just to be clear: you are saying the fix is to have the correct settings in a line similar to:[22:42:42] <mbarr> smtp unix - - n - - smtp[22:43:06] <adaptr> mbarr: it appears you cannot change the smtp destination port globally. the port is part of the nexthop field in the envelope.[22:43:21] <mbarr> That's what I was afraid of.[22:43:26] <adaptr> you COULD hack it together (very dangerously) by re-using the recipient domain, but that wil undo any other routing you have[22:43:46] <adaptr> a regex map with /.*/ smtp:$1:2025 would work[22:43:55] <adaptr> very ugly, and not bug-proof at all[22:44:03] *** jgm has joined #postfix[22:44:18] <mbarr> OK. And as long as a i had a map for the 1 local domain, for errors, I'd be OK.[22:44:22] <adaptr> a firewall that REQUIRES you to change aninternet standard port is... meh[22:44:23] *** bkfitz has quit IRC[22:44:36] <adaptr> pretty lousy design[22:44:42] <mbarr> It's a design to go ahead and deal with SPOF's.[22:44:49] <adaptr> nonsense.[22:45:01] <mbarr> we use the outbound port to determine which of 13 IP's to send from,[22:45:08] <mbarr> and rewrite the destination port to 25.[22:45:16] <adaptr> even bigger nonsense[22:45:20] <thumbs> jeebus[22:45:24] <lunaphyte_> eww, icky[22:45:29] <adaptr> thumbs: that's my word![22:45:36] <adaptr> (glad you like it)[22:45:39] <mbarr> How would you recommend sharing the same IP across 4 servers?[22:46:05] <adaptr> ...for OUTGOING, you use a NAT pool. it's called "dynamic NAT", read up on it.[22:46:08] <mbarr> when there are 13 of the IP's in question, and we need to ensure that traffic from a specific workflow goes out a specific IP?[22:46:34] <adaptr> ...yeah, that's not a sane requirement to begin with. you're now officially a "suspected spammer"[22:47:02] <mbarr> Of course I am. Which is why I'm doing this work, to be a good citizen. It's sending 5 million messages a day,[22:47:21] <jelly-home> a newsletter company that used 10 IP address to push mail out. A single postfwd rule dealt with their IP range[22:47:22] <mbarr> And by ensuring I always come from the same IP's, i at least keep my reputation.[22:47:34] <jelly-home> s/that //[22:48:07] <mbarr> jelly-home: I'll have to go look.[22:48:11] <adaptr> if you need 4 servers, you're doing it wrong. postfix will easily do that on a single instance.[22:48:14] <mbarr> any writeup, or thoughts?[22:48:21] <jelly-home> mbarr: on my side, to block them[22:48:23] <adaptr> and if yo uhave proof of it crashing, feel free to submit a bug[22:48:31] <mbarr> 2, 4, not much difference.[22:48:45] <mbarr> I need 2 servers because I can't have a SPOF on one server.[22:48:57] <jgm> Hi I'm trying to set up a mail server on ubuntu 13.04 / postfix 2.10.0. The submission service in master.cf has a few options of the form 'smtpd_client_restrictions=$mua_client_restrictions' and when I uncomment them postfix complains about not being able to find them. Should I be altering these manually in master.cf or should postfix be substituting the $mua_* from somewhere?[22:49:03] <mbarr> I need multiple IP's so that you can get billing confirmations that you've been charged,[22:49:29] <adaptr> jgm: they're user-defined parameters. you can define them, or not use them. your choice.[22:49:33] <mbarr> vs if we have any kind of issue w/ gmail over something a user said in their email to you,… which could get blocked as spam.[22:49:41] <adaptr> mbarr: stop it already. nobody cares.[22:49:48] <mbarr> OK. Thanks.[22:49:49] <jgm> adaptr: great, thanks[22:50:15] * jelly-home uses a custom content_filter to relay mail based on sender and recipient criteria to different instances[22:50:39] *** mbarr has left #postfix[22:50:45] <jelly-home> those different instances each have their own outbound ip[22:51:32] <jgm> adaptr: if I just remoe them will the service fall back to using whatever I have already set in main.cf? Specifically, for those smtpd_*_restrictions[22:51:44] *** grknight has quit IRC[22:52:06] <adaptr> yes. main.cf specifies the defaults for all services of that type.[22:52:29] <adaptr> you normally do wnat different restrictions on submission though[22:52:58] <adaptr> specifically, you can normally get away with permit_sasl, reject. (that's what I use) and empty all the others.[22:53:13] <adaptr> it simplifies things enormously[22:57:02] <jgm> Sounds handy. Put that on the smtpd_recipient_restrictions ?[22:57:37] <adaptr> in master.cf, under the submission entry, yes.[22:57:48] <jgm> Excellent, will go give it a try[22:58:10] <adaptr> no spaces in master.cf![22:58:16] <thumbs> this is a prime example of someone that listens, jgm, and someone that didn't, mbarr.[22:58:19] <adaptr> and mandatory whitespace before the -o[22:58:31] <thumbs> and jgm has an open mind, too.[22:58:47] <adaptr> (technically, -o options require a single token as argument)[22:59:33] <adaptr> jgm: that of course only applies if you trust your authenticated users not to abuse your submission system. but the fact that they are always logged helps a lot with punishing the perpetrators;)[22:59:58] <jgm> Yeah I'm good with that, just a local family-and-friends mailserver. AKA I know where they live :)[23:00:10] <adaptr> and you can explain to them how to set up their MUA[23:00:40] <adaptr> on that note, you also most certainly want to set smtpd_tls_auth_only = yes[23:00:50] <adaptr> that prevenst cleartext auth without TLS[23:01:02] <adaptr> so no password sniffing[23:01:55] <jgm> Yep I have it so that you start with plaintext but have to STARTTLS before you can do anything. Seems to work better with more mail clients that way (especially the mobile ones)[23:02:15] <thumbs> jgm: fair point.[23:03:01] *** D-Boy has quit IRC[23:04:15] <adaptr> jgm: you'd have to name them. I haven't really seen problems with that recently (both android and ios)[23:04:45] *** bkfitz has joined #postfix[23:04:57] <jgm> adaptr: had issues with Kaiten on android, certainly.[23:05:10] <adaptr> I don't know that one[23:05:47] <jgm> It's one of the more popular paid-for apps. Based on k-9 but prettified (and hence more expensive)[23:06:19] <jgm> Anyway, looks like my submission service is now behaving itself. Thank you very much for your help[23:06:35] <jgm> (Just dspam integration to go and I can get some sleep)[23:06:42] *** lisak has quit IRC[23:07:51] *** D-Boy has joined #postfix[23:08:38] <adaptr> heh, I haven't documented mine yet. I really should[23:08:51] <adaptr> jgm: how are you planning to integrate dspam ?[23:09:06] <thumbs> jgm: thanks for being a sensible user in a sea of clueless users that join #postfix :)[23:09:23] <adaptr> and worse, that *use* postfix[23:09:56] <jgm> thumbs: I try not to be too much of a pain[23:10:56] <jgm> adaptr: The way that I used to have it was that it ran as a service. Everything delivered through it, and then when dspam finished with it I passed it on to the real delivery service. But that was a couple of years ago and things might have changed. Will need to explore[23:11:01] <adaptr> jgm: my ultimate solution was postfix -> LMTP -> DSPAM -> LMTP -> dovecot[23:11:07] <adaptr> jgm: I can recommend it.[23:11:17] <rob0> That's my job. I'm the pain around here.[23:11:23] <adaptr> once you have it set up, it's maintenance-free[23:11:35] <adaptr> oh, yes, and I outsource the pain to rob0 . we all do.[23:11:50] <thumbs> I can attest that rob0 is a pain.[23:11:51] *** D-Boy has quit IRC[23:12:16] <jgm> adaptr: the ubuntu guys have already built in something using amavis so I need to work out how to fit that in. Hopefully I can postfix -> LMTP -> DSPAM -> LMTP -> amavis -> LMTP -> dovecot, but if they've done something weird with amavis that might throw a spanner in the works[23:12:38] <adaptr> gods, no. if you're using dspam there is absolutely ZERo reason to use amavsid[23:12:39] *** bkfitz has quit IRC[23:12:50] <adaptr> the reason I went to dspam is because I wanted to get rid of it[23:13:33] <adaptr> it has native clamav integration, and I don't want or need any other amavis "features"[23:13:56] <jgm> ah, does it now? That'll be one of the things that has changed since I last looked at it then.[23:13:56] <adaptr> the only thing wrong with dspam is its abysmal documentation and logging[23:14:05] <adaptr> jgm: yes, it's in the latest versions.[23:14:43] <jgm> Hmm... so basically if I can swap out the amavis stuff in master.cf and replace it with dspam that might work without disrupting the existing chain too much[23:15:21] *** D-Boy has joined #postfix[23:15:25] <adaptr> you used amavis in-line ?[23:15:28] <adaptr> <shudder>[23:15:50] <jgm> Yeah on my old system. It was all very manual.[23:16:01] <adaptr> amavis is so fucking SLOW[23:16:44] <jgm> Ah, looks like they set up content_filter to pass it to amavis, and them amavis passes it back to another smtp service.[23:17:04] <jgm> (I don't have a lot of traffic, but don't like slow on principal)[23:17:17] <adaptr> yes, that is what I wanted to get rid of.[23:17:22] *** _habnabit has left #postfix[23:17:24] <adaptr> my logs are now clean and understandable[23:18:56] <adaptr> postfix 2.10 -> dspam 3.10 -> dovecot 2.2[23:19:04] *** lisak has joined #postfix[23:19:04] <adaptr> IIRC, dspam 3.10 added clamav[23:19:10] <adaptr> so that is new[23:20:03] <jgm> Sounds like a plan. Might have to start again tomorrow though; brain fried with rebuilding all the virtual domains stuff (finally in a SQL database as opposed to lots of configuration files, and shared with dovecot. Yay)[23:21:41] <adaptr> it took me about a week from scratch, 4 or 5 evenings. you can probably cut that to 2 or 3 if you've seen it before[23:22:47] *** danblack has joined #postfix[23:23:06] <jgm> Yeah, shouldn't take more than another evening at this stage. Hardest thing is to stop going back looking at the old config files, because they're more of a hinderance at this stage. Everything has changed...[23:24:53] *** jgm is now known as jgm_away[23:25:08] *** Blacklite has joined #postfix[23:28:03] *** RadoQ has joined #postfix[23:34:47] *** danblack has quit IRC[23:54:40] *** lisak has quit IRC[23:57:14] *** robinho86 has left #postfix