If my memory serves, and the docs seem to support it, the sender_dependent_default_transport_maps setting doesn't use the wildcard in the table. http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps
> The tables are searched by the envelope sender address and @domain.
Defining nexthop using relayhost or default_transport instead of the wildcard is probably the way to go.
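To make that lookup order concrete, here is a small Python model (added here; not from the thread and not Postfix's own code) of how an address-keyed table such as sender_dependent_default_transport_maps is consulted: the full envelope sender first, then @domain, with the null sender looked up under the key set by empty_address_default_transport_maps_lookup_key (default `<>`). Table contents and relay names are assumed sample values; the `*` entry is just a literal key that no lookup ever asks for.

```python
# Constructed sample of what a hash: sender_dependent_default_transport_maps file
# holds (key -> transport:nexthop). Values are assumed, not taken from the thread.
SENDER_TRANSPORTS = {
    "alerts@example.com": "smtp:[relay-a.example.net]:587",
    "@example.org": "smtp:[relay-b.example.net]",
    "<>": "smtp:[bounces.example.net]",      # null sender, via empty_address_*_lookup_key
    "*": "smtp:[never-used.example.net]",    # a literal key; nothing ever looks up "*"
}

def sender_transport_lookup(table, sender, default_transport="smtp",
                            empty_address_key="<>"):
    """Model of the documented search: envelope sender, then @domain.
    Returns the table entry Postfix would pick, else default_transport."""
    if sender == "":
        # the null sender is looked up under empty_address_default_transport_maps_lookup_key
        return table.get(empty_address_key, default_transport)
    if sender in table:                      # 1. full address
        return table[sender]
    if "@" in sender:                        # 2. @domain
        domain_key = "@" + sender.rsplit("@", 1)[1]
        if domain_key in table:
            return table[domain_key]
    # No match: the parameter falls back to default_transport, so a "*" row is dead weight.
    return default_transport
```

If you want a catch-all, set `default_transport` (or `relayhost`) rather than adding a wildcard row; the function above shows the "*" row is simply never reached.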
You can likely check the mail.log to see which channel it's coming through. You can up the verbosity using http://www.postfix.org/DEBUG_README.html. The better thing to do is wipe and rebuild from a known-good backup.
You are talking about virtual domains. There is a bit of a learning curve ahead for you, but it gets easier the more you do it.
Start here (Postfix Virtual Domain Hosting)
Once you get the hang of that, I would recommend Modoboa as a Web Admin interface.
Also try and get into using Ansible. Once you solve a problem you can use it as many times as you want.
That's great! Thank you so much!
Do you know if there is any way I can throttle on the to address? like should only be able to receive 10 emails per anvil_rate_time_unit? smtpd_client_recipient_rate_limit (http://www.postfix.org/postconf.5.html#smtpd_client_recipient_rate_limit) seems promising but I'm not sure.
> My TLS is auto-signed so not from a CA, but my clients can still send mails so that doesn't really make sense to me ?
I do not understand what you mean by auto-signed. If you did not force the use of TLS clients still can deliver without TLS in standard config - see http://www.postfix.org/postconf.5.html#smtpd_enforce_tls as a reference.
> Also i don't see any mention of TLS in the logs ..
As I've mentioned in my last response, you will only see TLS related information in your logs if STARTTLS is used.
I would recommend you try to connect to your relay with telnet on port 25 and see if your relay offers STARTTLS after the ehlo, and go from there. Good luck!
is this for real?
That link posted looks kind of sketchy, and the Postfix home page shows 3.6.3 as the latest update.
http://www.postfix.org/announcements.html
Maybe they are just slow to update.
A private address is non-routable, meaning from anywhere on the Internet I cannot ping your 192.168.1.10 address. So it simply won't work. What will work is if you use an A record to point to your external IP of something like 80.70.60.50. Then at your router you'll use either port-forwarding or Network Address Translation to get your server to reply to the traffic.
Will the email be going to outside recipients? If so, you're going to need to put a little more work into your infrastructure. If you're sending mail without receiving it, you'll never get Non-Delivery Reports. Email Admins will use this to figure out if their email is bouncing, or other issues.
At the very basic level, you can set up Postfix as a satellite system, then use a Gmail account with POP enabled to send a small number of messages. A step up from there is to set up a Postfix server correctly in your DMZ with A/MX/PTR/rDNS records. If you'd rather not deal with it and just want something to point to, you can use something like ConstantContact, MailChimp, VerticalResponse.
And at the end of it all, if you'd rather forge ahead with an internal, non-routable send-only SMTP server, you can follow this guide: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-14-04
Again, please let us know if you run into any roadblocks.
Where are you seeing this? If it is in your logs, Postfix will log all connection attempts - even rejected ones. The logs (/var/log/maillog) will tell you how the connection attempt was handled. As long as the connection was blocked and wasn't accepted you are good.
Also, if you haven't done so already, I would recommend setting up DKIM, DMARC and SPF. I would also use one of the various online SMTP server testers, such as mxtoolbox, to make sure your server is RFC compliant.
My first thought would be to move to a VPS and install Mail-in-a-Box. There are similar options out there of course, such as iredmail, mailcow, etc., but I am most familiar with MiaB. I think that MiaB will check most of your boxes, and be not too difficult to migrate to considering your previous sys admin experience as this will be a custom deal.
Feel free to hit me up here or on the Mail-in-a-Box Slack if you'd like to explore this idea further.
> ... in case it was quarantined ...
Not to be a bug, but you should read the documentation...
http://www.postfix.org/MILTER_README.html#non-smtp-milters - see error handling... and then...
http://www.postfix.org/QSHAPE_README.html#hold_queue
man postsuper, info postsuper, set up a cron/anacron job and try not to use the pickup queue to resend a lot of email.
Postfix has a native LDAP integration if that's what you're looking for.
http://www.postfix.org/ldap_table.5.html
There aren't as many tutorials on that compared to Postfix/mysql combos, but you might want to look up one of those postfix/sql combo config files, since the config syntax is pretty much the same. So you know how to build your config file ;)
I'm running Postfix on Debian, and the main `postfix` package does not depend on `netcat`. I've also been unable to find a path from any Postfix module to any version of Netcat. (Debian ships both `netcat-traditional` and `netcat-openbsd`.) Also, there is no mention of any dependency on Netcat, even an optional one, in the Postfix Installation From Source Code instructions.
I therefore strongly suspect that Postfix does not call Netcat under normal operation. Unless you've set up some weird service in `/etc/postfix/master.cf` that you forgot about which calls `nc`, then I think it might be worth looking more closely into the possibility that you've been compromised. Especially if Netcat is being used to listen for incoming connections on all interfaces on a non-assigned port (i.e. anything not listed in `/etc/services`).
Yes. From the documentation, `mynetworks = hash:/etc/postfix/mynetworks` would contain all your IPs in one file, one address per line.
IPv6 addresses should be surrounded in square brackets [ ] since typical hash files use the colon character to separate record fields.
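As an added illustration (my own Python, not Postfix code), here is what such a file looks like and how a hash: lookup against it behaves. The model assumes the file holds the bracketed IPv6 form and that the bare client address is what gets looked up; the addresses are made-up sample values. Note that hash: lookups are exact-string matches on the client address, so CIDR ranges do not belong in this file (that is what a cidr: table is for).

```python
import ipaddress

# Constructed stand-in for hash:/etc/postfix/mynetworks: one client address per
# line, IPv6 wrapped in [] so the colons are not read as hash-table separators.
# Run "postmap /etc/postfix/mynetworks" after editing the real file.
MYNETWORKS_SOURCE = """\
# trusted submission hosts
127.0.0.1
192.168.1.10
192.168.1.11 OK
[::1]
[fd00:ab::10]
[2001:DB8::25]
"""

def parse_mynetworks_hash(text):
    """Return the set of canonical client addresses the table would match."""
    keys = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split()[0]               # "key [value]": the value is ignored for mynetworks
        if key.startswith("[") and key.endswith("]"):
            key = key[1:-1]                 # strip the IPv6 brackets
        # canonicalise (lowercase hex, compressed zeros) so lookups compare like with like
        keys.add(str(ipaddress.ip_address(key)))
    return keys

def client_in_mynetworks(keys, client_ip):
    """Exact-match test, which is all a hash: table gives you (no ranges)."""
    try:
        return str(ipaddress.ip_address(client_ip)) in keys
    except ValueError:                      # garbage client string never matches
        return False
```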
Is this what you are looking for? You may also want to bump the concurrency variable down. A lot of people create an additional transport for their slow transport that rate limits and concurrency limits email being sent to certain domains (yahoo being a big one).
You don't mention whether the connection is retrieving or sending mail so I'm assuming you are sending since this is the postfix subreddit and not a dovecot reddit.
Alternatively there are ways to limit the connections further, either using a policy server/service, or some iptables magick (probably not what you are looking for).
Yes, through ACL policies such as smtpd_recipient_restrictions, for example. With "permit mynetworks", you allow internal IP ranges first, and then further down the list you can have a map of internal domain names that you reject, unless they come from mynetworks. Essentially, you trust your own internal IP's, and if a message from an IP outside that range for one of your domains comes in, it gets rejected.
I'm pretty sure you just include /etc/aliases in your alias_maps as well. Then postfix knows about your virtual users and the local users on the machine. See: http://www.postfix.org/ADDRESS_REWRITING_README.html#aliases
But as you also want to effect the destination address you need to rewrite the header iirc and/or transport mail.
If you only have specific destination domains you can use smtp_generic_maps http://www.postfix.org/postconf.5.html#smtp_generic_maps . That will rewrite your *@yourdestination.domain to
Have a reread over the postfix docs. Running a mail server is hard. And spending a couple of hours just reading all of the docs and attempting to understand each of the config options, regardless of whether they relate to you or not, will help you understand the ridiculous monstrosity that is mail systems.
As root, edit /etc/postfix/master.cf . On the line that starts with smtp (and/or relay, depending on which port your mail is getting delivered to), add "-v" (no quotes) to the very end of the line after "smtpd". Then restart postfix ("service postfix restart" as root). Your mail logs should be in /var/log/mail.log. The resulting logs are very detailed (so you'll probably want to turn off -v as soon as you're done). I recommend getting ready to send a message, "tail -f /var/log/mail.log", clear the console while the tail is running, and then send your message, followed by ctrl+c. That'll make it easier to find the relevant log lines.
You can find some more detailed instructions here on reconfiguring postfix.
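Several replies above point at mail.log as the place to see which channel a message came in through and how rejected connections were handled. As an added example (my own Python, not from the thread or Postfix), here is a small parser over a constructed Debian-style log excerpt that groups lines by queue ID, records which smtpd service (port 25 vs the submission service, assuming the usual `syslog_name=postfix/submission` naming) accepted each message, who authenticated, and how it was delivered, and lists NOQUEUE rejections separately. Hostnames, addresses and the queue ID are made up.

```python
import re
from collections import defaultdict

# Constructed mail.log excerpt (not real traffic): one rejected relay attempt on
# port 25 and one authenticated submission that was delivered.
SAMPLE_LOG = """\
Jan 12 10:15:01 mx postfix/smtpd[2101]: connect from unknown[203.0.113.9]
Jan 12 10:15:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <victim@example.edu>: Relay access denied; from=<spammer@example.net> to=<victim@example.edu> proto=ESMTP helo=<mail.example.net>
Jan 12 10:15:01 mx postfix/smtpd[2101]: disconnect from unknown[203.0.113.9] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Jan 12 10:16:30 mx postfix/submission/smtpd[2130]: connect from laptop.lan[192.168.1.20]
Jan 12 10:16:31 mx postfix/submission/smtpd[2130]: 4F2A1C0B7: client=laptop.lan[192.168.1.20], sasl_method=PLAIN, sasl_username=alice
Jan 12 10:16:31 mx postfix/cleanup[2133]: 4F2A1C0B7: message-id=<20240112101631.1@laptop.lan>
Jan 12 10:16:31 mx postfix/qmgr[1002]: 4F2A1C0B7: from=<alice@example.com>, size=812, nrcpt=1 (queue active)
Jan 12 10:16:33 mx postfix/smtp[2140]: 4F2A1C0B7: to=<bob@example.org>, relay=mail.example.org[198.51.100.4]:25, delay=2.1, delays=0.5/0.01/0.8/0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C)
Jan 12 10:16:33 mx postfix/qmgr[1002]: 4F2A1C0B7: removed
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{8,16}): (?P<rest>.*)$")
REJECT_RE = re.compile(r"^NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+): "
                       r"(?P<reason>.*?); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>")

def parse_mail_log(text):
    """Split each syslog line into program, pid, optional queue ID and the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        q = QID_RE.match(e["msg"])
        e["qid"] = q.group("qid") if q else None
        e["rest"] = q.group("rest") if q else e["msg"]
        entries.append(e)
    return entries

def _kv(rest):
    """Turn 'to=<a@b>, relay=x, status=sent (250 ok)' into a dict, brackets stripped."""
    out = {}
    for part in re.split(r", (?=\w+=)", rest):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        if k in ("status", "nrcpt"):
            v = v.split(" (", 1)[0]        # drop the parenthesised remote reply / queue state
        out[k] = v.strip("<>")
    return out

def summarize(entries):
    """Rejected attempts (they never get a queue ID) and, per queue ID, which smtpd
    service accepted the message, who authenticated, and how it was delivered."""
    rejected, messages = [], defaultdict(lambda: {"deliveries": []})
    for e in entries:
        r = REJECT_RE.match(e["msg"])
        if r:
            rejected.append({"channel": e["prog"], **r.groupdict()})
            continue
        if not e["qid"]:
            continue                        # connect/disconnect chatter without a queue ID
        m, kv = messages[e["qid"]], _kv(e["rest"])
        if e["prog"].endswith("/smtpd") and "client" in kv:
            m["channel"], m["client"] = e["prog"], kv["client"]
            m["sasl_username"] = kv.get("sasl_username")
        elif e["prog"].endswith("/qmgr") and "from" in kv:
            m["from"] = kv["from"]
        elif "to" in kv and "status" in kv:
            m["deliveries"].append((kv["to"], kv.get("relay"), kv["status"]))
    return rejected, dict(messages)
```

Feed it the output of `tail` while you send a test message and the "channel" field tells you at once whether the mail arrived via the port 25 smtpd or the submission service, while anything under "rejected" confirms the connection was refused before a queue ID was ever assigned.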
Instead of adding postgrey, why not add local DNS resolvers so DNS requests are cached.
Personally postgrey added more headaches for my clients over the years.
Also straight from the docs:
> always specify "check_policy_service" AFTER "reject_unauth_destination" or else your system could become an open relay.
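Both the earlier reply about smtpd_recipient_restrictions (permit mynetworks first, then reject your own domains from outside) and the quoted warning about check_policy_service come down to the same thing: the list is walked in order and the first OK or REJECT wins. As an added illustration (my own Python, not Postfix code), here is a model of that walk with the two orderings side by side; networks, domains and the "policy service" that always answers OK are assumed sample values.

```python
import ipaddress

# Constructed model of how smtpd_recipient_restrictions is walked: checks run in
# order, the first one returning OK or REJECT decides, DUNNO (None here) moves on.
# Networks and domains are assumed sample values, not from the thread.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
MY_DOMAINS = {"example.com", "example.org"}          # domains this server accepts mail for

# Modelled check_sender_access map: our own domains as sender are rejected. Placed
# after permit_mynetworks, this only bites senders coming from outside.
SENDER_ACCESS = {d: "REJECT forged internal sender" for d in MY_DOMAINS}

def permit_mynetworks(client_ip, sender, rcpt):
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else None

def check_sender_access(client_ip, sender, rcpt):
    return SENDER_ACCESS.get(sender.rsplit("@", 1)[-1].lower())

def reject_unauth_destination(client_ip, sender, rcpt):
    return None if rcpt.rsplit("@", 1)[-1].lower() in MY_DOMAINS else "REJECT Relay access denied"

def lenient_policy_service(client_ip, sender, rcpt):
    # stands in for a check_policy_service whose daemon answers "action=OK"
    # (e.g. a greylister that has whitelisted the client)
    return "OK"

def evaluate(restrictions, client_ip, sender, rcpt):
    """Walk the list like smtpd does; an exhausted list ends in the default permit."""
    for check in restrictions:
        verdict = check(client_ip, sender, rcpt)
        if verdict is not None:
            return verdict
    return "OK"

SAFE_ORDER = [permit_mynetworks, check_sender_access, reject_unauth_destination, lenient_policy_service]
OPEN_RELAY_ORDER = [permit_mynetworks, lenient_policy_service, reject_unauth_destination]

def relays_for_strangers(restrictions):
    """Probe: an outside client sending from a foreign domain to a foreign domain."""
    return evaluate(restrictions, "203.0.113.9", "stranger@example.net", "victim@example.edu") == "OK"
```

`relays_for_strangers(OPEN_RELAY_ORDER)` comes back True because the policy service's OK is reached before reject_unauth_destination ever runs; the same probe against SAFE_ORDER is rejected.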
> relayhost works fine but sends the email as which O365 rejects (obviously)
Use relayhost, but you'll need to set/map credentials so it authenticates correctly.
http://www.postfix.org/SASL_README.html#client_sasl_sender
Found via this link: https://stackoverflow.com/questions/27138337/postfix-sender-dependent-relayhost
In addition to the good suggestions made by others, I'd turn on postscreen. It works a charm and allows for much more flexible RBL checks (for example, you can combine and weight them, which is very useful).
Once you're a bit more comfortable I'd make use of a caching resolver rather than your ISPs DNS servers. Many RBLs have per-IP quotas for non-paying customers and having your queries lumped in with the queries of all of your ISP's other customers can cause you to run over the daily quota. Running your own resolver on your own IP will prevent this.
I use:

```
sender_bcc_maps = regexp:/etc/postfix/archive_domain
recipient_bcc_maps = regexp:/etc/postfix/archive_domain
```

and

```
if !/www-data/
/@mydomain.co.uk$/
endif
```

to bcc mail that's not from www-data. Something similar ought to work for you.
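As an added illustration (my own Python, not Postfix code), here is a small parser for the regexp: table syntax used above, including `if`/`endif` blocks and `!` negation, applied to a few sender addresses so you can see which ones would get the bcc. The table text and the archive address are assumed; `$n` substitution in results is not modelled, and the `i` flag is treated as toggling the default case-insensitive matching.

```python
import re

# Constructed regexp: table in the shape of the one above; the bcc destination
# is an assumed value, not the poster's.
ARCHIVE_TABLE = r"""
# do not archive anything the web server user sends
if !/www-data/
/@mydomain\.co\.uk$/   archive@mydomain.co.uk
endif
"""

# "!/pattern/flags result": regexp_table(5) lines, using "/" as the delimiter
PATTERN_RE = re.compile(r"^(!?)/((?:\\.|[^/\\])*)/([a-zA-Z]*)\s*(.*)$")

def _compile(pattern, flags):
    # matching is case-insensitive by default; the "i" flag toggles that
    return re.compile(pattern, 0 if "i" in flags else re.IGNORECASE)

def parse_regexp_table(text):
    """Flatten the table into (guards, rule, result) triples; guards are the
    enclosing if-conditions that must all hold for the rule to be tried."""
    rules, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            if not stack:
                raise ValueError(f"line {lineno}: endif without if")
            stack.pop()
            continue
        is_if = line.startswith("if ")
        m = PATTERN_RE.match(line[3:].lstrip() if is_if else line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        negate, pattern, flags, result = m.groups()
        cond = (negate == "!", _compile(pattern, flags))
        if is_if:
            stack.append(cond)              # everything until endif is guarded by this
        else:
            rules.append((tuple(stack), cond, result))
    if stack:
        raise ValueError("if block without endif")
    return rules

def _holds(cond, key):
    negate, rx = cond
    return bool(rx.search(key)) != negate

def regexp_lookup(rules, key):
    """First matching rule wins, as in Postfix; None means no match (so no bcc)."""
    for guards, cond, result in rules:
        if all(_holds(g, key) for g in guards) and _holds(cond, key):
            return result
    return None
```

Note that the dots in the real table should be escaped as above (`\.`); an unescaped `.` matches any character, which is harmless here but bites once you start matching shorter domain names.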
See also:
You should really use postscreen and only reject messages based on a combined score derived from several blacklists.
http://www.postfix.org/POSTSCREEN_README.html
If you reject, based on one list's opinion about a sending IP, it is highly likely that you will be blocking legitimate messages.
You can use a content_filter for such things (see e.g. http://codepoets.co.uk/2015/python-content_filter-for-postfix-rewriting-the-subject/ for a token example) - however you may be best off using a sender_bcc_maps or recipient_bcc_maps or always_bcc and chucking the mail in a separate mailbox (see http://www.postfix.org/postconf.5.html ).
Chucking it in a mailbox means the processing can wait until afterwards, and you don't have to worry about an error in your content filter resulting in a bounce/whatever to end users.
There's also probably more code out there which will show you how to fetch mail over pop3/imap/or locally ....
Thanks for your answer,
these are LAN-only machines and not accessible from the internet,
and I am just trying to send mail between the two servers as a part of a school project to demonstrate the SMTP protocol.
I should note though that both servers can send emails through the internet to multiple temp mail services like temp-mail.org for example. Google and Yahoo don't want to accept my emails due to spam concerns and that's understandable.