January 28, 2016 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | >
January 28, 2016 [00:03:27] <pj> JCDay: the only thing I can think of that could be causing your issue is if something is adding a BCC to another recipient into the pipe. The logs appear to be trying to deliver to both the correct MX and the mx2.free.fr one, which suugests taht there are actually two recipients for the message...[00:04:57] *** edux has joined #postfix[00:04:59] <pj> JCDay: I would check the MUAs that the message originates from, but what I really suspect is that the opendkim milter you're using is somehow injecting an extra recipient. Can you, for testing purposes, comment out the smtpd_milters line in your master.cf and see if the problem goes away?[00:07:10] *** edux__ has quit IRC[00:07:44] <pj> one thing that does confuse me is why is smtp not giving a more complete error message for mx2.free.fr, it should look more like the errors to the correct MXes, but it's ommitting a bunch of info.[00:09:33] <pj> ...and that, makes me think that something much worse may be happening here, such as a compromised smtp or something.[00:11:13] <pj> if you're running a packaged distro that can verify the checksums of the installed binaries from postfix I would check those.[00:28:21] *** Hoffe has quit IRC[00:32:06] *** DefunctProcess is now known as DefunctProcessZZ[00:36:59] *** Batch has joined #postfix[00:38:06] *** necrogami has quit IRC[00:45:52] *** necrogami has joined #postfix[00:45:52] *** necrogami has joined #postfix[00:46:26] *** githogori has quit IRC[00:50:40] <JCDay> @pj: free.fr is actively blocking us, hence no additional handshakes.[00:51:02] <JCDay> checking um... checksums.[00:56:44] *** necrogami has quit IRC[01:00:15] *** setProfile has joined #postfix[01:01:22] <JCDay> debsums -c only responded with:[01:01:30] <JCDay> debsums: missing file /tmp/nova-agent-install/nova-agent-1.39.1.tar.gz (from nova-agent package)[01:01:36] <JCDay> so, all clear there.[01:03:22] *** necrogami has joined #postfix[01:06:16] <pj> ok[01:06:49] <pj> JCDay: note that postfix says "After DATA", in the log from free.fr[01:07:14] <pj> that means that it managed to send everything to free.fr including all the recipients and the actual data before the message rejected.[01:08:07] <JCDay> Ah, good catch. Many other logs just show too many errors... from free.fr[01:08:58] <JCDay> I see it, at the end of the entry. (in reply to DATA command)[01:09:08] <pj> anyways, as I said, I think there's a BCC added somewhere, possibly from your miler, that is a recipient in free.fr[01:09:33] <JCDay> I'm pinging developers and infra to check upstream. Thanks.[01:10:32] <JCDay> I'm hesitant to remove the milter from this machine insofar as without DKIM we will suffer loss for all other domain deliveries, and they are numerous.[01:10:48] <guampa> in access tables, is it ACCEPT a synonym for OK?[01:10:56] <pj> JCDay: that's understandable[01:11:05] <pj> !access[01:11:05] <knoba> pj: "access" : http://www.postfix.org/SMTPD_ACCESS_README.html : An overview of access(5) controls in the Postfix smtpd(8) SMTP server.[01:11:27] <pj> guampa: read access(5), it tells you there.[01:12:04] <guampa> thanks pj, did read prior to asking and it only showed "OK" as valid, but wanted to confirm[01:30:10] <guampa> it confuses me that in a cidr whitelist for postscreen, I have an entry for the google block 209.85.128.0/17. If I have the result for the entry as "PERMIT", then postscreen whitelists the google clients. If I change the result to "OK" it runs its pipelining tests[01:31:30] <guampa> man cidr_table also shows the "OK" result as "OK"[01:32:49] *** jwing has joined #postfix[01:32:50] *** jwing has joined #postfix[01:33:28] <guampa> I've verified that in all cases the client IPs were within the block[01:40:41] <guampa> welp, results will stay as "PERMIT". The log entries contradict what appears in man cidr_table[01:40:52] <guampa> postfix/postscreen[50247]: warning: cidr:/etc/postfix/maps/cidr_access.cidr: unknown command: OK -- ignoring the remainder of this access list[01:41:33] *** DefunctProcessZZ is now known as DefunctProcess[01:59:37] *** namyzarc has joined #postfix[02:16:36] *** internat has quit IRC[02:16:43] *** internat has joined #postfix[02:17:58] *** spookah has quit IRC[02:21:53] *** k-man_ has joined #postfix[02:28:41] *** k-man_ has quit IRC[02:39:28] <madduck> given that .forward takes precedence over mailbox_transport_maps, can you fathom a way by which I could tell postfix to HOLD all messages local(8) would send to a local recipient, such that I can individually release them into the .forward command?[02:40:07] *** Kellin has joined #postfix[02:53:18] *** dstarh has joined #postfix[03:06:30] *** sputnik has quit IRC[03:07:57] *** michelangelo has joined #postfix[03:11:35] *** donmichelangelo has quit IRC[03:13:26] *** DefunctProcess is now known as DefunctProcessZZ[03:19:51] *** err-or has joined #postfix[03:23:35] *** err-or_ has quit IRC[03:35:02] *** Chill_Surf has quit IRC[03:35:18] *** edux has quit IRC[03:43:39] *** edux has joined #postfix[03:48:06] *** edux has quit IRC[03:52:42] *** sputnik has joined #postfix[03:55:15] <ratatine> I'm struggling with the docs on smtpd_recipient_restrictions. I have a db file I created with "email at domain dot com reject" and have entered smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/rejected_recips intot he config but after applying I just get a 451 "Recipient address rejected: Server configuration error".[03:55:23] <ratatine> I've tried a number of ways to do this but the documentation is .. not eassy for someone unaccustomed.[03:56:54] <ratatine> Any pointers on that configuration would be greatly appreciated. The use case is simply to reject a specific address from relay.[03:57:07] <ratatine> (RCPT_TO that is)[03:58:47] <lunaphyte> "just get a 451" - where?[04:02:03] *** edux has joined #postfix[04:06:48] *** edux has quit IRC[04:11:15] *** edux has joined #postfix[04:12:00] <ratatine> In response to the rcpt to:<email at domain dot com>[04:12:32] <ratatine> Actually when I put that into main.cf every rcpt to is rejected with a server configuration error.[04:12:50] <lunaphyte> you need to look at the logs[04:13:54] <ratatine> I will go back and look. That config appears correct then?[04:14:23] <lunaphyte> the general premise is accurate.[04:15:55] *** edux has quit IRC[04:18:26] *** Zeeshan_M has quit IRC[04:20:21] *** Zeeshan_M has joined #postfix[04:20:23] *** edux has joined #postfix[04:20:48] <ratatine> Thanks for the advice. I will dig.[04:25:10] *** edux has quit IRC[04:29:35] *** edux has joined #postfix[04:33:49] *** chachasmooth has quit IRC[04:34:02] *** edux has quit IRC[04:35:50] *** chachasmooth has joined #postfix[04:36:07] <rob0> It's probably an older version, 2.9 or earlier.[04:36:16] <rob0> !smtpd_recipient_restrictions[04:36:16] <knoba> rob0: "smtpd_recipient_restrictions" : Configuration parameter in main.cf: Access restrictions that the smtpd(8) applies in the context of the RCPT TO command. See access(5) for an overview of access restriction features. These restrictions control relaying to external domains. Default is to relay only for client IP addresses in $mynetworks; See: http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions[04:36:32] <rob0> !smtpd_relay_restrictions[04:36:32] <knoba> rob0: "smtpd_relay_restrictions" : Restrictions to control relaying, implemented in Postfix 2.10. Prior to 2.10 smtpd_recipient_restrictions included this functionality. See !access and http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions[04:47:53] *** edux has joined #postfix[04:52:10] *** edux has quit IRC[04:52:57] *** gu1lle_ has joined #postfix[05:02:44] *** leprechau has quit IRC[05:05:18] *** leprechau has joined #postfix[05:05:22] *** Zeeshan_M has quit IRC[05:30:26] *** namyzarc has quit IRC[05:35:47] *** defanor has joined #postfix[05:37:57] *** monkeynuts has joined #postfix[05:38:42] <monkeynuts> Could someone point me to some information on address delimiting/tagging for postfix?[05:47:59] *** TyrfingM1olnir has joined #postfix[05:48:00] *** TyrfingM1olnir has quit IRC[05:48:32] *** TyrfingMjolnir has quit IRC[05:48:52] *** TyrfingMjolnir has joined #postfix[05:50:43] <lunaphyte> !tell monkeynuts recipient_delimiter[05:50:44] <knoba> monkeynuts: "recipient_delimiter" : a configuration parameter in the main.cf: The separator between user names and address extensions (user+foo). See canonical(5), local(8), relocated(5) and virtual(5) for the effects this has on aliases, canonical, virtual, relocated and on .forward file lookups. Basically, the software tries user+foo and .forward+foo before trying user and .forward.[05:50:55] *** edux has joined #postfix[05:50:56] <monkeynuts> thanks luna[05:51:32] <lunaphyte> you're welcome[05:54:34] *** defanor has left #postfix[05:56:22] *** edux has quit IRC[06:00:18] *** edux has joined #postfix[06:04:40] *** edux has quit IRC[06:09:25] *** edux has joined #postfix[06:14:04] *** edux has quit IRC[06:18:35] *** edux has joined #postfix[06:19:59] *** skyroveRR has joined #postfix[06:20:08] *** Zeeshan_M has joined #postfix[06:21:49] <skyroveRR> Is it possible to increase the amount of time it takes to print the statistics logs? It's annoying to see those messages every couple of mins after a someone has connected and disconnected.[06:22:04] *** tonythomas has joined #postfix[06:23:14] *** edux has quit IRC[06:27:36] *** edux has joined #postfix[06:27:56] *** defanor has joined #postfix[06:30:10] <defanor> hello. does postfix support unicode in error responses (e.g., as a REJECT reason)?[06:31:56] *** edux has quit IRC[06:34:07] <defanor> it looks like it replaces unicode with spaces, but probably that's just my client[06:34:19] *** monkeynuts has left #postfix[06:34:22] <defanor> and another server, too[06:36:08] <defanor> ah, found http://www.postfix.org/SMTPUTF8_README.html[06:36:44] *** edux has joined #postfix[06:41:16] *** edux has quit IRC[06:45:44] *** edux has joined #postfix[06:50:15] *** edux has quit IRC[06:54:52] *** edux has joined #postfix[06:59:53] *** edux has quit IRC[07:06:40] *** joulez has joined #postfix[07:08:06] *** joules has quit IRC[07:12:08] *** echan has quit IRC[07:16:13] *** spookah has joined #postfix[07:24:39] *** setProfile1 has joined #postfix[07:24:57] *** Batch has quit IRC[07:25:26] *** setProfile has quit IRC[07:25:28] *** setProfile1 is now known as setProfile[07:25:45] *** echan has joined #postfix[07:30:44] *** gu1lle_ has quit IRC[07:32:26] *** gu1lle_ has joined #postfix[07:33:17] *** gu1lle_ has quit IRC[07:39:34] *** setProfile1 has joined #postfix[07:40:29] *** edux has joined #postfix[07:40:48] *** setProfile has quit IRC[07:40:49] *** setProfile1 is now known as setProfile[07:42:57] *** joules has joined #postfix[07:44:46] *** edux has quit IRC[07:45:26] *** joulez has quit IRC[07:49:33] *** edux has joined #postfix[07:53:50] *** edux has quit IRC[07:58:36] *** edux has joined #postfix[08:03:11] *** edux has quit IRC[08:07:57] *** edux has joined #postfix[08:08:21] *** carl- has joined #postfix[08:11:55] *** edux has quit IRC[08:21:57] *** spookah has quit IRC[08:22:03] *** skylite has joined #postfix[08:34:35] *** edux has joined #postfix[08:40:11] *** edux has quit IRC[08:42:13] *** zorg1 has joined #postfix[08:44:09] *** edux has joined #postfix[08:48:26] *** edux has quit IRC[08:48:47] *** lrea has joined #postfix[08:51:45] *** Haudegen has quit IRC[08:53:09] *** edux has joined #postfix[08:57:21] *** Hoffe has joined #postfix[08:58:08] *** edux has quit IRC[09:02:12] *** edux has joined #postfix[09:06:54] *** edux has quit IRC[09:09:07] *** Haudegen has joined #postfix[09:15:56] *** JanC_ has joined #postfix[09:17:40] *** JanC has quit IRC[09:19:29] *** chachasmooth has quit IRC[09:19:56] *** sphenxes02 has quit IRC[09:20:27] *** edux has joined #postfix[09:20:36] *** sphenxes02 has joined #postfix[09:21:46] *** chachasmooth has joined #postfix[09:24:40] *** edux has quit IRC[09:29:32] *** edux has joined #postfix[09:33:58] *** edux has quit IRC[09:38:36] *** edux has joined #postfix[09:42:48] *** SCHAAP137 has joined #postfix[09:43:00] *** edux has quit IRC[09:47:42] *** edux has joined #postfix[09:48:57] *** joulez has joined #postfix[09:49:53] *** SCHAAP137 has quit IRC[09:51:20] *** joules has quit IRC[09:52:26] *** edux has quit IRC[09:56:49] *** edux has joined #postfix[10:01:06] *** edux has quit IRC[10:04:11] *** infides has joined #postfix[10:05:52] *** edux has joined #postfix[10:10:58] *** edux has quit IRC[10:12:45] *** stemid has joined #postfix[10:13:36] <stemid> hey I have a service in master.cf for spf but I started getting command time limit exceeded. I had set the service to default 100 processes, but my smtp service has 300 processes. so this is a recipe for disaster right?[10:13:42] <stemid> I changed my spf policy service to 300 processes now[10:13:52] <stemid> but I'm unsure if it really needs 300, it's just a python script.[10:13:54] <stemid> from openspf[10:14:02] <stemid> I assume it handles one request then exits[10:14:08] <tuxick> 300??[10:14:20] <tuxick> something is very slow or you need better filters[10:14:21] <stemid> yes that is a consequence of pre-queue filtering we're doing[10:14:25] <tuxick> ah[10:14:29] <stemid> we must use pre-queue filtering due to laws[10:14:34] <tuxick> k[10:14:52] <stemid> but what I'm trying to establish is if the policy service needs an equal amount of processes as the smtp service.[10:15:07] <stemid> anyways, I'm checking for timeouts now that I've raised its limit to 300.[10:15:08] <stemid> we'll see[10:15:09] *** edux has joined #postfix[10:19:26] *** edux has quit IRC[10:40:05] *** internat has quit IRC[10:40:11] *** internat has joined #postfix[10:41:51] *** edux has joined #postfix[10:43:16] *** Hoffe has quit IRC[10:47:03] *** edux has quit IRC[10:47:33] *** tonythomas has quit IRC[10:47:51] *** Hoffe has joined #postfix[10:51:08] *** SCHAAP137 has joined #postfix[10:51:20] *** edux has joined #postfix[10:55:48] *** edux has quit IRC[10:57:20] *** Hoffe has quit IRC[10:57:31] *** Hoffe has joined #postfix[10:57:34] <pj> stemid: it would probably help to allow the policy service 300 processes, yes. Also I would (1) make sure you're using postscreen to its full advantage to cut back on your pre-queue filtering load and (2) run your own DNS and make sure it is fast...[10:57:56] <pj> stemid: also what exactly does this law say you can't do?[11:00:49] <stemid> we do have our own internal dnsmasq with a high cache setting. unfortunately I'm stuck on rhel6 for another year so I'll wait for postscreen until rhel7.[11:01:23] <stemid> and there's a data retention law because it's a part of government, so we prefer to block spam before they hit disk as a loophole. then we aren't forced to store the mails for 3 months.[11:01:35] <stemid> swedish government, not sure how it is anywhere else.[11:01:41] <pj> !tell stemid centos[11:01:41] <knoba> stemid: "centos" : New postfix packages are available for all current versions of CentOS, RHEL, SL and other RHEL-derivatives from the GhettoForge gf-plus repository at www.ghettoforge.org.[11:01:57] <stemid> thanks, good tip[11:02:11] <pj> stemid: GhettoForge has Postfix 3.0 which definately has postscreen, for el6[11:03:19] <pj> stemid: ok, and the data retention law makes sense, I would definately look into postscreen, it will cut back on your spam filter load dramatically.[11:03:36] <stemid> I have drooled over postscreen manuals already but I didn't know about ghettoforge[11:03:45] <stemid> now at least I have the chance to schedule this change before we upgrade to rhel7[11:03:56] <pj> I build the packages for GF myself, so I can vouch for them.[11:04:38] <pj> but, the downside, of course, is they are not official Red Hat packages, so you won't get any support from Red Hat for them.[11:05:31] <stemid> that's fine, self-support licenses. there is really no reason for us using RHEL other than the company behind the distro. management feels safe. this is actually up for discussion. I would prefer centos.[11:06:39] <pj> yes, well I have no problems with someone using RHEL, CentOS needs people to use RHEL because if everyone switched to CentOS there wouldn't be a RHEL, and consequently there wouldn't be a CentOS anymore either.[11:06:58] <stemid> yes that's interesting. anyways, I think my goal will be to get a rhel7 upgrade through the CAB.[11:07:01] <stemid> instead of gf[11:07:30] <stemid> just because we should upgrade within a year anyways[11:07:39] <stemid> so switching to gf now, for less than a year, seems like a hassle.[11:07:46] <stemid> I could just push for an early upgrade[11:08:10] <stemid> but at least now I have the option of using gf[11:08:36] <pj> do keep in mind that the version of postfix with el7 is not the most recent either. EL7 has 2.11, GF has 3.0[11:09:03] *** zhb has joined #postfix[11:09:57] <stemid> so 3.0 introduces even more sexy features than postscreen? I'm so far only interested in postscreen. otherwise postfix 2.6 works great.[11:10:08] <pj> and on the flip side, RHEL6 has support until 2020 and even after that it will have extended life support for another 3 or 4 years (but I won't be building GF packages for el6 after 2020).[11:10:32] <stemid> yeah, EPEL has already retired some packages from el6. you're doing good work.[11:11:10] <pj> well, EPEL retires packages when there are no longer maintainers for them, it doesn't really have much of anything to do with el6, but more about the package itself.[11:11:29] <pj> and yeah, I still maintain current postfix packages for el5.[11:12:24] <pj> there are some new features of 3.0, btw, you should have a look at the release notes and then decide. You never know if you might discover it has something you really like.[11:14:09] <pj> from a packager's perspective 3.0 is far superior because it now has dynamic database loading, which means I can now create a base postfix package, and then a postfix-mysql package which adds mysql support and a postfix-pcre package, etc. It means I can offer all the db types without forcing everyone who installs my package to install the libs for all the db types.[11:25:18] *** tonythomas has joined #postfix[11:25:58] *** SunGod has joined #postfix[11:26:26] *** setProfile has quit IRC[11:27:12] *** higuita has quit IRC[11:31:03] *** Numline1 has joined #postfix[11:31:39] *** ntnlzr has joined #postfix[11:32:03] <ntnlzr> !postconf[11:32:03] <knoba> ntnlzr: "postconf" : The configuration management tool for Postfix, see 'man postconf' or http://www.postfix.org/postconf.1.html for details. See also !postconf_5[11:32:05] *** higuita has joined #postfix[11:32:11] <ntnlzr> !log[11:32:11] <knoba> ntnlzr: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.[11:32:33] <ntnlzr> !configuration[11:32:33] <knoba> ntnlzr: Error: "configuration" is not a valid command.[11:32:38] <ntnlzr> uff[11:32:44] <ntnlzr> i forgot it :([11:32:54] <pj> ntnlzr: there is a link to the full page of factoids in the channel /topic[11:33:22] <pj> which one are you looking for anyways?[11:33:34] <Numline1> Hello guys. Is there any smart way to limit our users to only use their address in From header? Thanks![11:33:42] <Numline1> I've been googling for 20 minutes, can't find anything[11:34:25] <Numline1> or at least limit it to existing users[11:34:39] <pj> Numline1: you can for the envelope sender, but the From: header is significantly more difficult.[11:34:58] <Hoffe> Numline1, take a look at smtpd_sender_login_maps[11:35:14] <pj> correct, that's for the envelope sender.[11:35:31] <Numline1> pj hmm, I'm not even sure what envelope sender is though. I've seen From being restricted to owners domain before, I'm just not sure how it was done. In my case, we store all this in database, shouldn't be as difficult[11:35:39] <Numline1> Hoffe I'll check it out, ty[11:35:40] <pj> !from!=sender[11:35:41] <knoba> pj: "from!=sender" : There are two different from addresses in an email, the From: header and the envelope sender. Postfix only cares about the envelope sender. See also !to!=recipient[11:36:10] <pj> Numline1: the From: header is part of the email content and is not actually used for routing.[11:36:47] <Numline1> pj I see. So the envelope is the one used for routing. I wonder if I could check From in SpamAssassin or somehow through amavis[11:36:52] <pj> the envelope sender is not an actual header, it is passed via an SMTP command. usually the envelope sender is the same as the from header.[11:37:17] <Numline1> oh, gotcha[11:37:36] <Numline1> anyway, I'll have a look at the smtpd_sender_login_maps thingie and I'll get back to you guys :)[11:37:47] <pj> ok[11:37:57] <Numline1> thanks so far though[11:38:03] <pj> yw[11:38:11] <Hoffe> no problem ;)[11:38:39] *** yrter has quit IRC[11:39:12] <pj> the only way to really do what you are asking, btw, is with a milter.[11:42:17] <ntnlzr> pj nothing i'm looking if my postscreen configuration it's good, it's working but i want check it here with others[11:42:18] <ntnlzr> http://hastebin.com/lefitikece.hs[11:42:28] <ntnlzr> this is master and main.cf[11:43:22] <pj> !cheatsheet[11:43:23] <knoba> pj: "cheatsheet" : (#1) http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt : A HOWTO for pre-DATA spam control., or (#2) A postscreen cheatsheet can be seen at http://rob0.nodns4.us/postscreen.html (updated 2016-01-16, now requires Postfix 2.11+)[11:43:33] <pj> ntnlzr: have a look at the second link ^^^^[11:43:47] <ntnlzr> oh nice[11:46:03] *** edux has joined #postfix[11:49:06] <ntnlzr> pj on postscreen_dnsbl_sites did you miss , or it's useless?[11:49:13] <ntnlzr> i mean for every entry[11:50:15] <ntnlzr> not it's useless sry :P[11:50:35] *** edux has quit IRC[12:16:52] *** Section1 has joined #postfix[12:25:15] <pj> I wouldn't say useless. It's optional and sometimes helpful for clarity.[12:26:49] <ntnlzr> i've tested blacklist postscreen_access.cidr i've put a record reject[12:27:16] <ntnlzr> and it's working, after i want to test whitelist[12:27:35] <ntnlzr> i've put permit instead of reject but postscreen blacklist it, it's normal?[12:27:46] <ntnlzr> i've done postmap after[12:28:27] <ntnlzr> yes maybe there is a cache time on it[12:28:30] <ntnlzr> ?[12:28:36] *** olegfusion has quit IRC[12:28:53] *** olegfusion has joined #postfix[12:29:07] <ntnlzr> found it[12:29:45] <f3ew> sysmonk: around? Coming to FOSDEM?[12:30:10] <sysmonk> f3ew: hey, unfortunately not[12:30:22] <sysmonk> they were very slow with the schedule this year[12:31:00] *** pti-jean_ has joined #postfix[12:31:02] *** Hoffe has quit IRC[12:31:15] *** Hoffe has joined #postfix[12:32:11] <tuxick> just buy some belgian beers and pretend you're there[12:32:58] * sysmonk double check airplane ticket prices[12:46:18] *** Haudegen has quit IRC[12:46:40] *** edux has joined #postfix[12:58:05] *** lucascastro has joined #postfix[13:02:15] *** wdp has joined #postfix[13:03:21] *** Haudegen has joined #postfix[13:12:51] *** zhb has quit IRC[13:19:00] *** hjb has left #postfix[13:25:17] *** jwing has quit IRC[13:29:03] *** dstarh has quit IRC[13:33:47] *** Haudegen has quit IRC[13:40:05] *** echan has quit IRC[13:52:29] *** Haudegen has joined #postfix[13:53:29] *** dupondje has joined #postfix[13:53:56] <dupondje> I want to limit emails send every day per sasl user. Which plugin fits best for that? Postfwd ? Or are there better options these days?[13:55:57] <tuxick> cluebringer/cbpolicyd[13:56:02] <tuxick> whatever the current name is[13:57:33] <tuxick> http://wiki.policyd.org/[13:57:46] <tuxick> to make things worse they also call it policy[13:58:30] <tuxick> policyd[13:58:52] <tuxick> anyway, despite the terrible naming confusing the thing works ok[14:02:55] *** damyan^ has quit IRC[14:03:19] *** damyan^ has joined #postfix[14:08:38] *** synthroid has joined #postfix[14:11:13] <lunaphyte> !postfwd[14:11:14] <knoba> lunaphyte: "postfwd" : http://postfwd.org/ : A Postfix policy daemon to combine complex restrictions in a ruleset. See also http://www.postfix.org/SMTPD_POLICY_README.html[14:17:18] *** ag4ve_ has quit IRC[14:19:33] *** robinho86 has joined #postfix[14:26:48] <ntnlzr> pj, i've put -v on postscreen for look how it's working[14:26:52] <ntnlzr> i've found warning: dnsblog_query: lookup error for DNS query 204.21.238.2.list.dnswl.org: Host or domain name not found. Name service error for name=204.21.238.2.list.dnswl.org type=A: Host not found, try again[14:27:02] <ntnlzr> my dns is working fine[14:33:33] <thumbs> ntnlzr: is this debuntu?[14:35:50] *** maciejjo has joined #postfix[14:35:56] *** grossing has quit IRC[14:36:08] <tuxick> postfwd supposed to replace cluebringer then?[14:36:35] <tuxick> ah i see[14:40:11] <ntnlzr> no thumbs[14:40:19] <ntnlzr> this is centos 6[14:42:22] <maciejjo> hello everyone, I have a question regarding mail setup I am planning to deploy. I have an account on a mail server, but I only can access it through VPN. I also run a postfix server that I can access w/o contraints. I want to send mail from this account through my postfix server, so it forwards the mail through VPN to the "real" server. Can this be acomplished?[14:42:42] <maciejjo> I connect to VPN via SOCKS proxy[14:43:52] <maciejjo> is this a job for SMTP relay?[14:47:08] *** grossing has joined #postfix[14:49:55] *** arcanine has quit IRC[14:51:37] *** infides has quit IRC[14:51:51] *** arcanine has joined #postfix[14:55:29] *** dstarh has joined #postfix[14:56:44] <ntnlzr> maciejjo, i don't understand your question[14:57:07] <ntnlzr> you've access to your mailserver only with vpn[14:57:31] <ntnlzr> but you mean access to your mta or only imap/pop service?[14:58:46] <maciejjo> ntnlzr: I mean IMAP/SMTP access[14:59:47] *** sphenxes01 has quit IRC[15:00:10] <maciejjo> I just want to enable sending/receiving mail without connecting to VPN for that on my machine[15:00:10] *** sphenxes02 has quit IRC[15:00:10] *** sphenxes has quit IRC[15:00:13] <ntnlzr> but you can't send it directly right?[15:00:29] *** sphenxes has joined #postfix[15:00:34] *** sphenxes01 has joined #postfix[15:00:47] <maciejjo> no, I can only connect via VPN[15:00:54] <tuxick> crazy[15:00:54] *** sphenxes02 has joined #postfix[15:01:21] <maciejjo> I have persistent tunnel set up on my server which I have access to[15:01:32] <ntnlzr> you've to make a pat on your router/firewall for port 25[15:02:05] *** zZap-X has joined #postfix[15:02:14] <ntnlzr> and if you have other port like 465 and 587[15:02:21] <ntnlzr> too.[15:02:47] <maciejjo> ok, but I then I will mask the postfix server I am running[15:03:29] <zZap-X> i have setup reverse DNS on the IP of my remote server, ie. server IP + example.com, however i dont have reverse DNS setup on mail.example.com does that matter?[15:03:48] <tuxick> huh?[15:03:59] <zZap-X> tuxick: i did this test: http://mxtoolbox.com/diagnostic.aspx[15:04:04] <ntnlzr> you mean reverse ptr?[15:04:10] <zZap-X> and it said there is a problem with my reverse DNS[15:04:15] <zZap-X> yes[15:04:23] <ntnlzr> you've to ask @ your isp[15:04:37] <ntnlzr> make a reverse ptr record for your ip[15:05:19] <zZap-X> ntnlzr: i can make the changes on my remote server, but does it matter? if i use mail.example.com on SMTP, should that be a exact reverse match?[15:05:29] <ntnlzr> yes[15:05:33] <zZap-X> right ok[15:06:02] <zZap-X> so that means a mail server needs its own dedicated IP with a reverse DNS match[15:06:13] <zZap-X> i thought example.com would be good enough[15:06:21] <ntnlzr> no you can just use pat[15:06:47] <ntnlzr> mx.example.com point to a public ip[15:07:01] <ntnlzr> and reverse public ip give mx.example.com[15:07:03] *** FinboySlick has joined #postfix[15:07:13] <ntnlzr> but you can only PAT on your router/firewall port 25[15:07:23] <ntnlzr> 465 and 587 (if you need)[15:08:03] <maciejjo> ok, I will look into this[15:08:05] <ntnlzr> and ports for your imap/pop/watherver[15:08:18] <tuxick> you need a very good excuse for using 465[15:08:39] <tuxick> like a zombiefied manager who refuses die die despite multiple attempts[15:08:51] <tuxick> s/die die/to die/[15:10:51] <patdk-wk> I have stupid printers[15:10:59] <patdk-wk> that support ssl, but only on 465[15:11:06] <zZap-X> one can only have 1x reverse DNS match per IP? ie. 1.2.3.4 reverse dns can not show example.com as well as mail.example.com ?[15:11:29] <patdk-wk> !ptr[15:11:29] <knoba> patdk-wk: "ptr" : A PTR record or pointer record, maps an IPv4 address to the canonical name for that host. Setting up a PTR record for a hostname in the in-addr.arpa domain that corresponds to an IP address implements reverse DNS lookup for that address[15:11:50] <patdk-wk> multible ptr is unreliable for fcrdns[15:11:52] <patdk-wk> !fcrdns[15:11:52] <knoba> patdk-wk: "fcrdns" : http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS : your IP address should resolve to $myhostname, which in turn should resolve back to your IP. This is very important if you want big sites to accept your mail. If you can't have it from your ISP, see !relayhost[15:12:01] <zZap-X> ok thanks for your help[15:12:30] <zZap-X> i use the same IP to host websites, i dont think it matters for web hosting if the ip reverse matches mail.example.com ?[15:13:21] <zZap-X> or maybe i should get a few more IPs and dedicate 1 for hosting and 1 for the mail server?[15:14:09] *** skylite has quit IRC[15:15:15] *** synthroid has quit IRC[15:17:45] <ntnlzr> zZap-X, you can use same ip of your webserver[15:17:50] <ntnlzr> just use PAT[15:19:26] <patdk-wk> how does pat have anything to do with ptr?[15:20:43] <ntnlzr> nothing[15:21:10] <ntnlzr> he said can i use same ip address of my webserver?[15:21:28] <ntnlzr> and i've answer yes just use PAT for postfix ports[15:23:41] <rob0> I'm not familiar with what "PAT" means?[15:25:00] <patdk-wk> port address translation[15:25:06] <patdk-wk> nat :)[15:25:42] <patdk-wk> no, he didn't say that[15:26:59] <ntnlzr> i said it[15:27:41] <ntnlzr> it means 1 public ip address[15:28:21] <patdk-wk> he didn't say he used several servers behind a single router/firewall[15:28:25] <patdk-wk> he said he used the same ip[15:28:29] <ntnlzr> yes[15:28:37] <ntnlzr> ahhhhhhhh[15:28:47] <ntnlzr> he means same server?[15:28:54] <patdk-wk> he didn't say[15:29:21] <ntnlzr> <zZap-X> i use the same IP to host websites, i dont think it matters for web hosting if the ip reverse matches mail.example.com ?[15:29:25] <ntnlzr> same ip[15:30:20] <rob0> The PTR value generally does not matter in HTTP. It's extremely important in SMTP.[15:31:21] <rob0> and !fcrdns (which you have already seen) describes in a nutshell what you should do.[15:32:15] <ntnlzr> rob0, he means use public ip address of webserver for mx record[15:32:35] <zZap-X> rob0: my remote server IP now reverse matches email.example.com before it matched just example.com[15:32:36] <ntnlzr> and reverse ptr and yes he can use it[15:32:44] <ntnlzr> it is good zZap-X[15:33:20] <zZap-X> ok will leave it like that, i dont think it will effect other services running on the box[15:33:46] <rob0> If "myhostname = email.example.com" that may be correct.[15:34:06] <zZap-X> yes i have that in main.cf[15:34:10] <rob0> Do check that other basic settings are correct,[15:34:13] <rob0> !basic[15:34:13] <knoba> rob0: "basic" : http://www.postfix.org/BASIC_CONFIGURATION_README.html : a good starting place for Postfix beginners, many common questions are answered here.[15:34:25] <zZap-X> ok will check[15:34:27] <rob0> !myhostname[15:34:27] <knoba> rob0: "myhostname" : a configuration parameter in the main.cf: The internet hostname of this mail system. The default is to use the fully-qualified domain name from gethostname(). $myhostname is used as a default value for many other configuration parameters.[15:34:41] <rob0> "used as a default value for many other configuration parameters."[15:34:57] *** olegfusion has quit IRC[15:34:57] <zZap-X> i guess i could scrap the mail part and just use example.com for everything[15:35:31] <rob0> Or just be sure that everything is set as it should be.[15:35:40] <zZap-X> if i was running a IRC server using the same IP, that could be a problem, ie. irc.example.com and mail.example.com[15:35:41] <rob0> which you must do in any case[15:35:54] <zZap-X> because irc needs to reverse match the dns to work properly[15:37:14] <rob0> for an IRC server, I don't think that matters, and for a client, it's just so the ircd can say nick!user@hostname rather than @ip.add.re.ss[15:37:40] <zZap-X> but the best thing to do is get another IP for my remote server and dedicate that for the mail server[15:38:19] <rob0> I doubt it matters, but if you can afford it, have fun.[15:39:00] <ntnlzr> no zZap-X you can use an alias[15:39:10] <ntnlzr> for you irc server[15:39:27] <ntnlzr> and share same public ip :P[15:40:28] <zZap-X> i thought mail server would be ok as long as there is a mx record of the mail server in example.com[15:41:12] <zZap-X> as long as i get green ticks here i should be ok http://mxtoolbox.com/diagnostic.aspx[15:41:36] <ntnlzr> fqdn name it's good[15:41:49] <ntnlzr> not just example.com[15:42:45] <zZap-X> maybe i should change myhostname = mail.example.com to myhostname = example.com[15:43:21] *** synthroid has joined #postfix[15:44:19] <ntnlzr> no leave it fqdn[15:44:51] <zZap-X> ok[15:45:02] <tuxick> and stop guessing[15:46:09] <ntnlzr> :P[15:46:11] *** Jonukas has joined #postfix[15:52:45] <ntnlzr> someone can try to put in master.cf postscreen -v and test if getting same error warning: dnsblog_query: lookup error for DNS query 204.21.238.2.list.dnswl.org: Host or domain name not found. Name service error for name=204.21.238.2.list.dnswl.org type=A: Host not found, try again[15:53:00] <ntnlzr> try more than one time maybe this is overload issue?[15:55:02] *** Hoffe has quit IRC[15:55:08] <tuxick> broken resolver?[15:56:14] <tuxick> hmm[15:56:22] <ntnlzr> i don't think so cause my dns it's working fine and i've checked netdns[15:56:33] <ntnlzr> perl library and it's working :([15:57:20] <ntnlzr> maybe too many request for same ip in that list[15:58:02] <ntnlzr> cause now it's working and no error[16:00:38] <rob0> DNS queries fail sometimes. That's why the DNS protocol provides redundancy.[16:02:49] <rob0> Also, I don't see the significance of that particular name; 2.238.63.209 is not listed in DNSWL, and it appears to be a dynamic IP address in Italy. Probably a zombie, although right now it's not in Zen.[16:03:05] <ntnlzr> my home ip :P[16:03:30] <rob0> oh, why are you hitting port 25 from there?[16:03:48] *** heroux has quit IRC[16:03:50] <ntnlzr> just testing from "zombie" :P[16:04:02] <rob0> If you mean to submit mail, use submission. postscreen does not play well with MUAs.[16:04:09] <rob0> ok[16:04:14] <ntnlzr> ehehe[16:04:19] *** heroux has joined #postfix[16:04:30] <ntnlzr> i like the -v in master.cf i didn't know it[16:05:39] <rob0> it's interesting on a small scale, but overwhelming on a busy server. You can DoS yourself with too much syslog. Plus, it's really hard to find the important stuff in all the junk.[16:05:58] *** troulouliou_div2 has joined #postfix[16:06:11] <ntnlzr> i'm on testing environment[16:06:17] <ntnlzr> not a production server[16:06:24] <rob0> yes, I gathered that :)[16:06:29] <ntnlzr> eheheh[16:07:33] <rob0> If you take the time to read through the verbose stuff and to understand it, you'll learn something about how Postfix works.[16:10:59] <stemid> I asked earlier about command time limit exceeded for policy spawn commands and apparently the solution was in the SMTP_POLICY_README, increasing policy_time_limit solved my timeouts.[16:11:40] <ntnlzr> yes i like it[16:25:56] *** carl- has quit IRC[16:33:22] *** dml337ira has joined #postfix[16:33:47] *** gu1lle_ has joined #postfix[16:34:54] *** zorg1 has quit IRC[16:37:59] *** gu1lle_ has quit IRC[16:54:26] *** lkaughsdlfiugz has joined #postfix[17:06:57] *** andry has joined #postfix[17:07:11] *** lkaughsdlfiugz has quit IRC[17:07:22] *** ronaldo has joined #postfix[17:07:37] *** ronaldo has quit IRC[17:07:46] *** ronaldo has joined #postfix[17:08:18] *** ronaldo has quit IRC[17:08:25] *** rsx has joined #postfix[17:11:42] *** DefunctProcessZZ is now known as DefunctProcess[17:12:24] *** JanC_ is now known as JanC[17:21:46] *** skyroveRR has quit IRC[17:22:44] *** shal3r has quit IRC[17:22:46] *** skyroveRR has joined #postfix[17:23:25] *** JCDay has left #postfix[17:27:47] *** synthroid has quit IRC[17:43:54] *** puzzled has joined #postfix[17:52:15] *** internat has quit IRC[17:53:24] *** internat has joined #postfix[17:53:33] *** lrea has left #postfix[17:57:54] *** SCHAAP137 has quit IRC[18:01:00] *** rsx has quit IRC[18:07:18] *** synthroid has joined #postfix[18:15:27] *** spookah has joined #postfix[18:15:38] *** bolt has quit IRC[18:15:58] *** shal3r has joined #postfix[18:23:20] *** Southron has joined #postfix[18:27:29] *** Columbo0815 has joined #postfix[18:43:49] *** anyk has quit IRC[18:44:36] *** anyk has joined #postfix[18:49:39] *** edux has quit IRC[18:57:05] *** edux has joined #postfix[18:57:27] *** spookah1 has joined #postfix[18:57:58] *** spookah1 has left #postfix[18:58:24] *** spookah has quit IRC[18:59:22] *** gu1lle_ has joined #postfix[19:05:24] *** rsx has joined #postfix[19:32:20] *** troulouliou_div2 has quit IRC[19:36:04] *** harty83 has joined #postfix[19:37:58] *** harty83 has left #postfix[19:38:00] *** harty83 has joined #postfix[19:45:53] *** Columbo0815 has quit IRC[20:00:43] *** Section1 has quit IRC[20:07:10] *** githogori has joined #postfix[20:13:54] *** ugjka has quit IRC[20:17:56] *** lucascastro has quit IRC[20:27:33] *** tonythomas has quit IRC[20:29:39] *** lucascastro has joined #postfix[20:39:19] *** rsx has quit IRC[20:42:24] *** lucascastro has quit IRC[20:43:17] *** Hoffe has joined #postfix[20:50:58] *** synthroid has quit IRC[20:52:26] *** Hoffe has quit IRC[20:53:24] *** synthroid has joined #postfix[20:53:32] *** lucascastro has joined #postfix[20:58:59] *** Haudegen has quit IRC[21:16:12] *** Haudegen has joined #postfix[21:18:58] *** depate has joined #postfix[21:22:09] *** Hoffe has joined #postfix[21:26:58] *** marigeo has quit IRC[21:28:44] *** manman has joined #postfix[21:33:32] *** Jonukas has quit IRC[21:33:54] *** Jonukas has joined #postfix[21:38:29] *** marigeo has joined #postfix[21:43:11] *** echan has joined #postfix[21:44:08] *** depate has quit IRC[21:51:40] *** Hoffe has quit IRC[21:51:54] *** Hoffe has joined #postfix[21:55:55] *** harty83 has quit IRC[22:07:28] *** lucascastro has quit IRC[22:18:47] *** a_west has quit IRC[22:21:43] *** a_west has joined #postfix[22:25:28] *** Hoffe has quit IRC[22:25:41] *** bolt has joined #postfix[22:31:26] *** Jonukas has quit IRC[22:34:21] *** Southron has quit IRC[22:34:39] *** v1c3 has joined #postfix[22:46:53] *** synthroid has quit IRC[22:47:35] *** echan has quit IRC[22:54:36] *** echan has joined #postfix[22:56:37] *** fale has joined #postfix[22:58:39] <fale> hi, I'm trying to setup postfix to use lmtp (provided by dovecot) for everything (mail management, user authentication, check of users existence, ...), but I'm not able to find any complete guide explaining how to do so, so I'm starting to asking myself if it is feasable at all[23:06:58] *** pti-jean_ has quit IRC[23:10:50] *** iTaskmanager has joined #postfix[23:14:48] <iTaskmanager> Hm. Postfix ignore the "rbl_override"-file. What happens?[23:17:02] <iTaskmanager> https://i.taskmanager.ovh/1D69l4.txt < Thats my main.cf (recipient). Looks like fine.[23:21:04] <wdp> iTaskmanager, how do you think should anyone help you without (a) your full configuration and (b) the rbl_override file (its contents) and why do you waste my time? check the topic, please.[23:22:40] <iTaskmanager> wdp: I have not asked of you to answer me. Good day.[23:26:12] <iTaskmanager> For the others, nice people. 1. main.cf > https://i.taskmanager.ovh/5ve4O9.txt 2. master.cf > https://i.taskmanager.ovh/7u63J1.txt 3. rbl_override > https://i.taskmanager.ovh/1i11rc.txt (:[23:28:07] <iTaskmanager> And yes, I have run postmap rbl_override and restart postfix. :P[23:28:48] *** dstarh has quit IRC[23:29:44] *** robinho86 has quit IRC[23:30:10] *** v1c3_ has joined #postfix[23:31:45] *** v1c3 has quit IRC[23:34:13] <tharkun> !tell iTaskmanager showconfig[23:34:14] <knoba> iTaskmanager: "showconfig" : when asked to provide your config, pastebin postconf -nf and postconf -Mf. if your version is too old for those commands to work (< 2.9), you should upgrade, but see !showconfig_old[23:34:28] <tharkun> !tell iTaskmanager pastebin[23:34:28] <knoba> iTaskmanager: "pastebin" : (#1) see !paste, or (#2) a pastebin site lets you easily share logs and configuration. Examples are dpaste.org, fpaste.org, or pastebin.ca. Please avoid ad-supported sites such as pastebin.com if possible.[23:34:46] <iTaskmanager> Thank you.[23:34:46] <tharkun> !tell iTaskmanager paste[23:34:46] <knoba> iTaskmanager: "paste" : A pastebin is a way to share larger amounts of data with others, without flooding the channel with garbage. You can find pastebins at http://paste.debian.net, http://apaste.info and various other sites. Please avoid using pastebins with active content or intrusive ads such as pastebin.com. Remember to share the URL of the resulting paste in channel.[23:35:14] <tharkun> And please try to stick to public paste sites.[23:38:15] *** heroux has quit IRC[23:40:09] <iTaskmanager> 1. http://paste.debian.net/376231/ 2. http://paste.debian.net/376232/[23:40:11] *** heroux has joined #postfix[23:49:22] *** gu1lle_ has quit IRC