hey
I know this isn't an OS question, but I'm lost!!
New to configuring Postfix, with a few questions about how to configure Postfix.
I'm running Fedora, with Postfix, from the basic yum install. The Sendmail process has been stopped.
I can easily send a basic test mail from the cmdline. Ie:
mail foo@gmail.com
subject: blah
test
.
Cc:
works with no issue. However, the email on the gmail end, is in the Spam folder, which is to be expected.
As I understand the different articles I've seen, Postfix can be configured to allow me to authenticate emails, to in effect, relay/send them using the authentication of a valid email user/passwd from a valid gmail account. (or from my own isp user/passwd). This would then allow the emails to be in the Inbox folder!
I've seen a great deal of online articles, but I'm still confused as to exactly what's required to make this happen.
I know that the main.cf, as well as the transports/sasl-passwd files have to be modified. I'm confused as to whether certs are actually required, or if TLS is/is not required....
So, I'm trying to figure out exactly what config files have to be modified, as well as what has to be inserted in the config files.
If I could see the config files from someone who's actually gone through this process, I could more quickly get my head around what I've screwed up!
Thanks
On Thu, 2010-03-04 at 11:49 -0800, bruce wrote:
hey
I know this isn't an OS question, but I'm lost!!
New to configuring Postfix, with a few questions about how to configure Postfix.
I'm running Fedora, with Postfix, from the basic yum install. The Sendmail process has been stopped.
I can easily send a basic test mail from the cmdline. Ie:
mail foo@gmail.com
subject: blah
test
.
Cc:
works with no issue. However, the email on the gmail end, is in the Spam folder, which is to be expected.
As I understand the different articles I've seen, Postfix can be configured to allow me to authenticate emails, to in effect, relay/send them using the authentication of a valid email user/passwd from a valid gmail account. (or from my own isp user/passwd). This would then allow the emails to be in the Inbox folder!
I've seen a great deal of online articles, but I'm still confused as to exactly what's required to make this happen.
I know that the main.cf, as well as the transports/sasl-passwd files have to be modified. I'm confused as to whether certs are actually required, or if TLS is/is not required....
So, I'm trying to figure out exactly what config files have to be modified, as well as what has to be inserted in the config files.
If I could see the config files from someone who's actually gone through this process, I could more quickly get my head around what I've screwed up!
---- configuration on the postfix server probably factors little into the decisions made by a 'spam' filter but generally, you can check the mail headers of any e-mail in a spam folder (like on Gmail) to see if it has the 'scoring' which will tell you exactly which factors led to it scoring to a number that caused it to believe it was spam.
At this stage, I simply will not accept mail from any smtp server whose forward & reverse DNS don't match. So if you are sending me e-mails from server mail.example.com you better have a reverse DNS address that tells me that your ip address points to mail.example.com. Perhaps if Gmail accepts that type of e-mail, it gets a really big scoring penalty where pretty much any other factor will push it over the top and be marked spam. You could also try to use things like SPF or domainkeys to up the trust factor of your server.
Whether you used TLS to authenticate to your mail server in order to send is not too likely to affect the spam scoring and there's little reason to duplicate the excellent documentation over at postfix.org's web site which tells you what to do to implement TLS & SASL authentication, how to generate certificates, etc.
Craig
hey craig.
Thanks for the reply. I've been knee deep in docs since last night.. as well as testing some of what I've read. I've been looking at various sites, as well as the postfix.org site.
At this point, I was looking to see where I'm screwing up, by taking a look at the conf files of someone who's actually gotten something like this implemented...
Right now, I'm more or less spinning my wheels!!
Thanks!
ps. I know something like this is doable, as I've created basic php apps in the past that did this kind of thing (the auth user/passwd) in php...
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
On Thu, 2010-03-04 at 13:01 -0800, bruce wrote:
hey craig.
Thanks for the reply. I've been knee deep in docs since last night.. as well as testing some of what I've read. I've been looking at various sites, as well as the postfix.org site.
At this point, I was looking to see where I'm screwing up, by taking a look at the conf files of someone who's actually gotten something like this implemented...
Right now, I'm more or less spinning my wheels!!
Thanks!
ps. I know something like this is doable, as I've created basic php apps in the past that did this kind of thing (the auth user/passwd) in php...
---- start here...
http://www.postfix.org/SASL_README.html
http://www.postfix.org/TLS_README.html
if you have specific questions, I would be happy to give specific answers.
Craig
Hi Craig...
I'm getting an err in my maillog file

Mar 4 13:42:17 lserver6 postfix/master[12985]: daemon started -- version 2.3.3, configuration /etc/postfix
Mar 4 13:42:17 lserver6 postfix/qmgr[12988]: C01AF2DEEEE: from=root@lserver6.tmesa.com, size=550, nrcpt=1 (queue active)
Mar 4 13:42:18 lserver6 postfix/smtp[12990]: C01AF2DEEEE: to=badouglas@gmail.com, relay=smtp.gmail.com[74.125.43.109]:587, delay=125, delays=124/0.04/0.71/0.17, dsn=5.7.0, status=bounced (host smtp.gmail.com[74.125.43.109] said: 530 5.7.0 Must issue a STARTTLS command first. 13sm724730bwz.15 (in reply to MAIL FROM command))
Mar 4 13:42:47 lserver6 sendmail[12995]: o24Lgl76012995: from=root, size=57, class=0, nrcpts=1, msgid=201003042142.o24Lgl76012995@lserver6.tmesa.com, relay=root@localhost
Mar 4 13:42:47 lserver6 postfix/smtpd[12996]: connect from localhost.localdomain[127.0.0.1]
Mar 4 13:42:47 lserver6 postfix/smtpd[12996]: 534892DEF05: client=localhost.localdomain[127.0.0.1]
Mar 4 13:42:47 lserver6 postfix/cleanup[12998]: 534892DEF05: message-id=201003042142.o24Lgl76012995@lserver6.tmesa.com
Mar 4 13:42:47 lserver6 postfix/qmgr[12988]: 534892DEF05: from=root@lserver6.tmesa.com, size=555, nrcpt=1 (queue active)
Mar 4 13:42:47 lserver6 sendmail[12995]: o24Lgl76012995: to=badouglas@gmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30057, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 534892DEF05)
Mar 4 13:42:47 lserver6 postfix/smtpd[12996]: disconnect from localhost.localdomain[127.0.0.1]

!!!!!! ERROR !!!!!!!!!
>>>>>>>>>>>>>>>>>>>>>>>>>
Mar 4 13:42:48 lserver6 postfix/smtp[12999]: 534892DEF05: to=badouglas@gmail.com, relay=smtp.gmail.com[72.14.221.111]:587, delay=0.94, delays=0.07/0.03/0.67/0.17, dsn=5.7.0, status=bounced (host smtp.gmail.com[72.14.221.111] said: 530 5.7.0 Must issue a STARTTLS command first. e20sm1840001fga.10 (in reply to MAIL FROM command))
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
!!!!!! ERROR !!!!!!!!!

I've got the following in my conf files:

main.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
relayhost = smtp.gmail.com:587

sasl_passwd
smtp.gmail.com foo@gmail.com:foopasswd

transports
gmail.com smtp:[smtp.gmail.com]:587

i did a
/usr/sbin/postmap sasl-passwd
/usr/sbin/postmap transports
/sbin/service postfix restart
any thoughts/comments?
thanks
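The bounce in the log above (530 5.7.0 Must issue a STARTTLS command first) is what a main.cf produces when it enables SASL for the Postfix SMTP client but never turns on client TLS. The following is an added example, not code from anyone in this thread: a small Python audit that flags that condition. The function names and the HARDENED sample are assumptions made here; the parameter names are standard Postfix ones.

```python
import re

# TLS levels at which the Postfix SMTP client refuses to continue without TLS.
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
# Postfix default for smtp_sasl_security_options when the parameter is absent.
SASL_DEFAULT = {"noplaintext", "noanonymous"}


def parse_main_cf(text):
    """Parse main.cf text into a dict, honouring comments and continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:  # leading whitespace continues a value
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def tls_level(params):
    """Effective client TLS level, including the legacy yes/no parameters."""
    level = params.get("smtp_tls_security_level", "")
    if level:
        return level
    if params.get("smtp_enforce_tls", "no") == "yes":
        return "encrypt"
    if params.get("smtp_use_tls", "no") == "yes":
        return "may"
    return "none"


def audit(main_cf_text):
    """Return (code, message) findings for an authenticated-relay client setup."""
    p = parse_main_cf(main_cf_text)
    if p.get("smtp_sasl_auth_enable", "no") != "yes":
        return []
    findings = []
    level = tls_level(p)
    raw_opts = p.get("smtp_sasl_security_options")
    opts = SASL_DEFAULT if raw_opts is None else {
        o for o in re.split(r"[,\s]+", raw_opts) if o}
    if level == "none":
        findings.append(("NO_TLS",
                         "client never sends STARTTLS; a relay that requires it "
                         "answers MAIL FROM with 530 5.7.0"))
    elif level not in MANDATORY:
        findings.append(("OPPORTUNISTIC_TLS",
                         "TLS is used only if offered; delivery continues in "
                         "clear text if STARTTLS is missing"))
    if level not in MANDATORY and "noplaintext" not in opts:
        findings.append(("PLAINTEXT_AUTH_UNENCRYPTED",
                         "PLAIN/LOGIN are allowed on sessions that may be "
                         "unencrypted, exposing the relay password"))
    relay = p.get("relayhost", "")
    if relay and not relay.startswith("["):
        findings.append(("RELAYHOST_MX_LOOKUP",
                         "relayhost without [] is resolved through MX records"))
    return findings


# Settings as posted in the message above.
AS_POSTED = """\
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
relayhost = smtp.gmail.com:587
"""

# Constructed hardened variant (an assumption, not the poster's final config).
HARDENED = """\
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
"""

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label)
        for code, message in audit(text) or [("OK", "no findings")]:
            print(f"  {code}: {message}")
```

With `smtp_tls_security_level = encrypt` the password is only ever offered inside a TLS session, so `smtp_sasl_tls_security_options = noanonymous` can allow PLAIN/LOGIN while the non-TLS option set stays at `noplaintext`.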
On Thu, 2010-03-04 at 14:05 -0800, bruce wrote:
Hi Craig...
I'm getting an err in my maillog file

Mar 4 13:42:17 lserver6 postfix/master[12985]: daemon started -- version 2.3.3, configuration /etc/postfix
Mar 4 13:42:17 lserver6 postfix/qmgr[12988]: C01AF2DEEEE: from=root@lserver6.tmesa.com, size=550, nrcpt=1 (queue active)
Mar 4 13:42:18 lserver6 postfix/smtp[12990]: C01AF2DEEEE: to=badouglas@gmail.com, relay=smtp.gmail.com[74.125.43.109]:587, delay=125, delays=124/0.04/0.71/0.17, dsn=5.7.0, status=bounced (host smtp.gmail.com[74.125.43.109] said: 530 5.7.0 Must issue a STARTTLS command first. 13sm724730bwz.15 (in reply to MAIL FROM command))
Mar 4 13:42:47 lserver6 sendmail[12995]: o24Lgl76012995: from=root, size=57, class=0, nrcpts=1, msgid=201003042142.o24Lgl76012995@lserver6.tmesa.com, relay=root@localhost
Mar 4 13:42:47 lserver6 postfix/smtpd[12996]: connect from localhost.localdomain[127.0.0.1]
Mar 4 13:42:47 lserver6 postfix/smtpd[12996]: 534892DEF05: client=localhost.localdomain[127.0.0.1]
Mar 4 13:42:47 lserver6 postfix/cleanup[12998]: 534892DEF05: message-id=201003042142.o24Lgl76012995@lserver6.tmesa.com
Mar 4 13:42:47 lserver6 postfix/qmgr[12988]: 534892DEF05: from=root@lserver6.tmesa.com, size=555, nrcpt=1 (queue active)
Mar 4 13:42:47 lserver6 sendmail[12995]: o24Lgl76012995: to=badouglas@gmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30057, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 534892DEF05)
Mar 4 13:42:47 lserver6 postfix/smtpd[12996]: disconnect from localhost.localdomain[127.0.0.1]

!!!!!! ERROR !!!!!!!!!
>>>>>>>>>>>>>>>>>>>>>>>>>>
Mar 4 13:42:48 lserver6 postfix/smtp[12999]: 534892DEF05: to=badouglas@gmail.com, relay=smtp.gmail.com[72.14.221.111]:587, delay=0.94, delays=0.07/0.03/0.67/0.17, dsn=5.7.0, status=bounced (host smtp.gmail.com[72.14.221.111] said: 530 5.7.0 Must issue a STARTTLS command first. e20sm1840001fga.10 (in reply to MAIL FROM command))
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
!!!!!! ERROR !!!!!!!!!

I've got the following in my conf files:

main.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
relayhost = smtp.gmail.com:587

sasl_passwd
smtp.gmail.com foo@gmail.com:foopasswd

transports
gmail.com smtp:[smtp.gmail.com]:587

i did a
/usr/sbin/postmap sasl-passwd
/usr/sbin/postmap transports
/sbin/service postfix restart
any thoughts/comments?
---- yes, you are trying to send mail through Gmail's servers (smarthost?) and you would necessarily have to configure that using Gmail's configuration requirements which have absolutely nothing to do with postfix authentication with client SASL or client TLS.
I just did a google search for 'postfix smarthost gmail' http://www.google.com/search?q=postfix+smarthost+gmail&btnG=Search&hl=en&sa=2
and I am sure one of the first 10 items (if not all of them) would help.
Craig
hey craig...
not so fast!!
i've seen some of those links.. and tried what they've stated. don't work!!!
i've seen a few sites that imply that you need to set the cert(s) in order to get the process to work correctly..
which is why i wanted to see the conf files of an actual centos user, who's running postfix, so i can do a more complete apples to apples comparison..
thanks!
On Thu, 2010-03-04 at 15:38 -0800, bruce wrote:
hey craig...
not so fast!!
i've seen some of those links.. and tried what they've stated. don't work!!!
i've seen a few sites that imply that you need to set the cert(s) in order to get the process to work correctly..
which is why i wanted to see the conf files of an actual centos user, who's running postfix, so i can do a more complete apples to apples comparison..
---- but my configs (or anyone else's configs) would have nothing to do whatsoever with using gmail as a relay host for outbound mail. They are entirely irrelevant to what you are trying to do.
Craig
craig...
you misunderstand...
if you were using postfix to relay through gmail's auth port (as i'm looking to do) then the conf files would be extremely relevant!
we'd be attempting to do the same thing...
however, i finally got it to work!!
and i thank you for your emails on this!
i'll do a write up, and post to the list...
thanks again!
On Thu, 2010-03-04 at 16:00 -0800, bruce wrote:
craig...
you misunderstand...
if you were using postfix to relay through gmail's auth port (as i'm looking to do) then the conf files would be extremely relevant!
we'd be attempting to do the same thing...
however, i finally got it to work!!
and i thank you for your emails on this!
i'll do a write up, and post to the list...
thanks again!
---- I would submit that only a very tiny amount of people would actually do what you are trying to do (use gmail as a smarthost).
Yes, it would be worth it if you leave a trail behind in case anyone else wants to do that.
Craig
hey...
one more question.
the tests i've done work, but the sender/from name on the email is the system name of the account that's doing the sending.
is there a param in the main.cf file that can be set to force the sender/from name to a given name?
thanks
On Thu, 2010-03-04 at 16:33 -0800, bruce wrote:
hey...
one more question.
the tests i've done work, but the sender/from name on the email is the system name of the account that's doing the sending.
is there a param in the main.cf file that can be set to force the sender/from name to a given name?
---- not that I am aware of because that would be a very untypical use of an smtp server. The typical usage is to pass mail on for all users and not to 'rewrite' the sender (or at least not the part before the domain).
You might want to google 'postfix rewrite sender' but as I said, in general, an smtp server is agnostic to the actual sender and Postfix is as flexible as they come.
You could possibly use generic mapping... http://www.postfix.org/ADDRESS_REWRITING_README.html#generic
but that would require a previously established mapping table.
Craig
On 03/04/2010 06:33 PM, bruce wrote:
hey...
one more question.
the tests i've done work, but the sender/from name on the email is the system name of the account that's doing the sending.
is there a param in the main.cf file that can be set to force the sender/from name to a given name?
thanks
First, please do not top post.
Then go read /usr/share/doc/postfix-2.6.5/README_FILES/ADDRESS_REWRITING_README
Mikkel
On 03/04/2010 06:27 PM, Craig White wrote:
I would submit that only a very tiny amount of people would actually do what you are trying to do (use gmail as a smarthost).
Yes, it would be worth it if you leave a trail behind in case anyone else wants to do that.
If you think of it that narrowly, then you are correct. But if you take it as an example on how to set up using a smart host with sasl, then you have a wider audience.
For that matter, you get people like me, that 3 different smart hosts, depending on the email address doing the sending. Then there is the general relay host for the mail that does not match those rules. Because this setup is on my home network, I can not send the mail directly from here. For some reason the DSL IP addresses are on the DUN list. ;)
Mikkel
On Thu, 2010-03-04 at 20:04 -0600, Mikkel wrote:
On 03/04/2010 06:27 PM, Craig White wrote:
I would submit that only a very tiny amount of people would actually do what you are trying to do (use gmail as a smarthost).
Yes, it would be worth it if you leave a trail behind in case anyone else wants to do that.
If you think of it that narrowly, then you are correct. But if you take it as an example on how to set up using a smart host with sasl, then you have a wider audience.
For that matter, you get people like me, that 3 different smart hosts, depending on the email address doing the sending. Then there is the general relay host for the mail that does not match those rules. Because this setup is on my home network, I can not send the mail directly from here. For some reason the DSL IP addresses are on the DUN list. ;)
---- I was just generally referring to the issue of smarthost = gmail which has nothing to do with SASL as far as I could imagine. For that matter, smarthost setup really has nothing to do with SASL.
I am definitely certain that few can match your ingenuity if you are doing 3 smarthost routing methods based upon sender e-mail address because you already know that while you are providing testimony to postfix's flexibility, it was not really designed to scratch that itch.
I can appreciate that it is probably not the easiest thing to get DSL IP addresses, especially dynamically assigned addresses out of Taiwan to be recognized as smtp sources these days... even if you get the e-mails delivered, I would suspect that the spam score would make it somewhat difficult.
Craig
On Thu, 2010-03-04 at 13:42 -0700, Craig White wrote:
At this stage, I simply will not accept mail from any smtp server whose forward & reverse DNS don't match. So if you are sending me e-mails from server mail.example.com you better have a reverse DNS address that tells me that your ip address points to mail.example.com.
That's a rather bad idea, and simply not workable for an *awful* lot of people. You *will* be rejecting legit mail with that methodology.
Although many of us have our own domains, many of them will be hosted by a service which hosts hundreds or thousands of other sites using virtual named based hosting. We don't each get an IP, and it's completely impractical to expect that in an IPv4 world. The reverse IP will point to the host's domain name, not ours.
You need to do *better* testing than simply forward and reverse checking of one domain name.
On 10-03-04 23:10:45, Tim wrote:
On Thu, 2010-03-04 at 13:42 -0700, Craig White wrote:
At this stage, I simply will not accept mail from any smtp server whose forward & reverse DNS don't match. So if you are sending me e-mails from server mail.example.com you better have a reverse DNS address that tells me that your ip address points to mail.example.com.
That's a rather bad idea, and simply not workable for an *awful* lot of people. You *will* be rejecting legit mail with that methodology.
Although many of us have our own domains, many of them will be hosted by a service which hosts hundreds or thousands of other sites using virtual named based hosting. We don't each get an IP, and it's completely impractical to expect that in an IPv4 world. The reverse IP will point to the host's domain name, not ours.
You need to do *better* testing than simply forward and reverse checking of one domain name.
Yes, Craig's method won't work with any form of virtual hosting or even when the server runs more than one service, as only one of them can be the official name. Servers I run specify which host they are, e.g., my own rapidxen.georgeanelson.com, which won't work with Craig's method. RFC 1912 FCrDNS simply checks that one of the results of a reverse lookup maps back to that IP.[1]
[1] http://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
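The two checks being argued over in this part of the thread, side by side, as an added example that is not code from any poster: FCrDNS as described in the message above (some PTR name of the client IP resolves back to that IP) and one stricter reading in which the name the server announces must itself be that confirmed PTR name. The function names and the small zone data are constructed for illustration; the default resolvers use the system's DNS.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_addrs(name):
    """A/AAAA addresses for name from the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def _norm(name):
    return name.rstrip(".").lower()


def _same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def fcrdns_names(ip, ptr=system_ptr, addrs=system_addrs):
    """PTR names of ip whose forward lookup contains ip again."""
    return [n for n in map(_norm, ptr(ip))
            if any(_same_ip(a, ip) for a in addrs(n))]


def fcrdns_ok(ip, ptr=system_ptr, addrs=system_addrs):
    """FCrDNS: at least one reverse name maps forward to the same IP."""
    return bool(fcrdns_names(ip, ptr, addrs))


def strict_ok(ip, claimed_name, ptr=system_ptr, addrs=system_addrs):
    """Stricter reading: the announced server name must be a confirmed PTR name."""
    return _norm(claimed_name) in fcrdns_names(ip, ptr, addrs)


# Constructed zone data (documentation address ranges, example domains).
PTR = {
    "192.0.2.10": ["shared7.hosting.example."],   # shared hosting box
    "198.51.100.5": ["mail.bank.example."],       # PTR set by the IP owner only
}
A = {
    "shared7.hosting.example": ["192.0.2.10"],
    "mail.customer.example": ["192.0.2.10"],      # customer domain on the shared IP
    "mail.bank.example": ["203.0.113.1"],         # real host lives elsewhere
}


def zone_ptr(ip):
    return PTR.get(ip, [])


def zone_addrs(name):
    return A.get(_norm(name), [])


def evaluate(ip, announced):
    """Run both policies against the constructed zone."""
    return {"fcrdns": fcrdns_ok(ip, zone_ptr, zone_addrs),
            "strict": strict_ok(ip, announced, zone_ptr, zone_addrs)}


if __name__ == "__main__":
    for ip, announced in [("192.0.2.10", "mail.customer.example"),
                          ("192.0.2.10", "shared7.hosting.example"),
                          ("198.51.100.5", "mail.bank.example"),
                          ("192.0.2.99", "mail.customer.example")]:
        print(ip, announced, evaluate(ip, announced))
```

The first case is the shared-hosting situation raised above: FCrDNS passes while the strict name match rejects. The third case shows why the forward confirmation matters, since whoever controls the reverse zone for an address can put any name in its PTR record.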
On Fri, 2010-03-05 at 14:40 +1030, Tim wrote:
On Thu, 2010-03-04 at 13:42 -0700, Craig White wrote:
At this stage, I simply will not accept mail from any smtp server whose forward & reverse DNS don't match. So if you are sending me e-mails from server mail.example.com you better have a reverse DNS address that tells me that your ip address points to mail.example.com.
That's a rather bad idea, and simply not workable for an *awful* lot of people. You *will* be rejecting legit mail with that methodology.
Although many of us have our own domains, many of them will be hosted by a service which hosts hundreds or thousands of other sites using virtual named based hosting. We don't each get an IP, and it's completely impractical to expect that in an IPv4 world. The reverse IP will point to the host's domain name, not ours.
You need to do *better* testing than simply forward and reverse checking of one domain name.
---- first... at the point where AOL and other big user systems started enforcing that rule, it made total sense for me to do likewise. If you don't have forward/reverse dns resolution for your smtp server, you aren't getting e-mail through to the mail servers with a large user base, you aren't getting through to my servers either. You can stand on a soap box and shout about what you think is practical but if you can't get mail through to the big boys...
I actually have a long set of postfix rules which determine which mail gets through - far more than 'simply forward and reverse checking' and I'm surprised that you would think I would do less. I start with greylisting, I also require a full helo/ehlo, valid user, resolvable domain and more. I also use MailScanner which fully scores for spam and also implements phishing, virus checking and much more. I do this for many companies that are my clients and I get absolutely no complaints (and very little spam).
Craig
On Thu, 2010-03-04 at 23:42 -0500, Tony Nelson wrote:
On 10-03-04 23:10:45, Tim wrote:
On Thu, 2010-03-04 at 13:42 -0700, Craig White wrote:
At this stage, I simply will not accept mail from any smtp server whose forward & reverse DNS don't match. So if you are sending me e-mails from server mail.example.com you better have a reverse DNS address that tells me that your ip address points to mail.example.com.
That's a rather bad idea, and simply not workable for an *awful* lot of people. You *will* be rejecting legit mail with that methodology.
Although many of us have our own domains, many of them will be hosted by a service which hosts hundreds or thousands of other sites using virtual named based hosting. We don't each get an IP, and it's completely impractical to expect that in an IPv4 world. The reverse IP will point to the host's domain name, not ours.
You need to do *better* testing than simply forward and reverse checking of one domain name.
Yes, Craig's method won't work with any form of virtual hosting or even when the server runs more than one service, as only one of them can be the official name. Servers I run specify which host they are, e.g., my own rapidxen.georgeanelson.com, which won't work with Craig's method. RFC 1912 FCrDNS simply checks that one of the results of a reverse lookup maps back to that IP.[1]
[1] http://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
---- no - actually it works quite fine - you just can't have a virtual host on a shared IP or if you are sharing an IP, then the server name simply must resolve forward and backward. There's nothing that says you can't send mail from server.example.com for any particular domain that isn't example.com at all and you can even use SPF and domainkeys for any domain to identify the specific server(s) permitted.
I think you guys are confusing the point.
Craig
Craig White:
I actually have a long set of postfix rules which determine which mail gets through - far more than 'simply forward and reverse checking' and I'm surprised that you would think I would do less.
Might have something to do with you saying this:
"At this stage, I simply will not accept mail from any smtp server whose forward & reverse DNS don't match. So if you are sending me e-mails from server mail.example.com you better have a reverse DNS address that tells me that your ip address points to mail.example.com."
If you didn't mean what you said, you should have said something different. Because, quite frankly, what you *said* isn't going to work.
While I set all possible domain names (web server, mail server, MX records, etc.), to use my domain name instead of the hosting services, I cannot set the PTR for my host's mail server to point to my domain. And neither can thousands of other people.
This, is laughable, too:
I do this for many companies that are my clients and I get absolutely no complaints (and very little spam).
They're not going to know if they've not received real mail that was falsely identified as spam. Nor will you know about it if you make it impossible to email you about it.
On 03/04/2010 09:25 PM, Craig White wrote:
On Thu, 2010-03-04 at 20:04 -0600, Mikkel wrote:
If you think of it that narrowly, then you are correct. But if you take it as an example on how to set up using a smart host with sasl, then you have a wider audience.
For that matter, you get people like me, that use 3 different smart hosts, depending on the email address doing the sending. Then there is the general relay host for the mail that does not match those rules. Because this setup is on my home network, I can not send the mail directly from here. For some reason the DSL IP addresses are on the DUN list. ;)
I was just generally referring to the issue of smarthost = gmail which has nothing to do with SASL as far as I could imagine. For that matter, smarthost setup really has nothing to do with SASL.
Well, part of the thread was the problems he was having setting up SASL to work with the connection. Gmail does not like plain text user name/password when connecting to their server.
I am definitely certain that few can match your ingenuity if you are doing 3 smarthost routing methods based upon sender e-mail address because you already know that while you are providing testimony to postfix's flexibility, it was not really designed to scratch that itch.
Actually, it is. Take a look at "sender_dependent_relayhost_maps" - it will let you map relay hosts by user.
I can appreciate that it is probably not the easiest thing to get DSL IP addresses, especially dynamically assigned addresses out of Taiwan to be recognized as smtp sources these days... even if you get the e-mails delivered, I would suspect that the spam score would make it somewhat difficult.
It isn't that hard to get one from AT&T - you just have to be willing to pay for it. It is cheaper to pay $12/year for web hosting and route email through their server. But when I use my Gmail or Yahoo e-mail addresses, I like the message to come from the correct server. On the other hand, if my infinity-ltd.com mail was sent through their servers, it would get rejected by many mail servers.
Mikkel
On Fri, 2010-03-05 at 18:12 +1030, Tim wrote:
Craig White:
I actually have a long set of postfix rules which determine which mail gets through - far more than 'simply forward and reverse checking' and I'm surprised that you would think I would do less.
Might have something to do with you saying this:
"At this stage, I simply will not accept mail from any smtp server whose forward & reverse DNS don't match. So if you are sending me e-mails from server mail.example.com you better have a reverse DNS address that tells me that your ip address points to mail.example.com."
If you didn't mean what you said, you should have said something different. Because, quite frankly, what you *said* isn't going to work.
While I set all possible domain names (web server, mail server, MX records, etc.), to use my domain name instead of the hosting services, I cannot set the PTR for my host's mail server to point to my domain. And neither can thousands of other people.
---- maybe AOL, Gmail, Hotmail are meaningless to your neck of the woods but there are millions of AOL, Gmail and Hotmail users and you aren't going to get e-mail through unless you have a reverse PTR. For example...
http://postmaster.aol.com/guidelines/standards.html
AOL's mail servers will reject connections from any IP address that does not have reverse DNS (a PTR record). All e-mail servers connecting to AOL's mail servers must have valid and meaningful (not dynamic-looking) reverse DNS records. For example:
* Meaningful RDNS: mail.domain.com
* Generic RDNS: 1.2.3.4.domain.isp.com
If you can't get e-mail through to AOL or Hotmail or Gmail or ..., you can't get e-mail through to my mail servers. Done ----
This, is laughable, too:
I do this for many companies that are my clients and I get absolutely no complaints (and very little spam).
They're not going to know if they've not received real mail that was falsely identified as spam. Nor will you know about it if you make it impossible to email you about it.
---- You are suggesting it is possible that the same idiot system administrators that don't understand that a reverse DNS PTR record is essential on any mail server today also fail to notify the sender within minutes that his e-mail has been refused by the recipient's mail server. My experience has been that even the most misconfigured Exchange server does in fact let the sender know.
Umm Tim, they actually know when their e-mail is rejected. While I can whitelist some senders and some smtp servers for spam & phishing detection, I refuse to make concessions for people that can't get a reverse PTR record for the smtp server... the truth is I don't have to. They aren't getting e-mail through to many of the big mail box providers like AOL, Hotmail, etc. so their problems are much bigger than my servers. I thought you actually understood what it takes to run a mail server these days... I guess not.
Craig
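The checks argued over in the messages above (a PTR record exists, RFC 1912 forward-confirmed reverse DNS, and the stricter rule that the announced server name itself must match), side by side as an added Python example that is not from any poster in this thread. The DNS data is constructed, the function names are hypothetical, and "name-match" is one reading of the stricter policy, with the HELO name standing in for "the server name".

```python
# Constructed DNS data using documentation address ranges (RFC 5737); not real records.
PTR = {
    "192.0.2.10": ["mail.example.com"],        # dedicated mail server
    "192.0.2.20": ["shared7.hoster.example"],  # shared box, PTR names the hosting company
    "192.0.2.30": ["forged.example.org"],      # PTR claims a name that does not map back
}                                              # 192.0.2.40 deliberately has no PTR
A = {
    "mail.example.com": ["192.0.2.10"],
    "shared7.hoster.example": ["192.0.2.20"],
    "mail.customer.example": ["192.0.2.20"],   # customer name on the shared IP
    "forged.example.org": ["198.51.100.5"],
}

def _norm(name):
    return name.rstrip(".").lower()

def lookup_ptr(ip):
    return [_norm(n) for n in PTR.get(ip, [])]

def lookup_a(name):
    return A.get(_norm(name), [])

def fcrdns_names(ip):
    """PTR names of ip that resolve forward to ip again (the RFC 1912 style check)."""
    return [n for n in lookup_ptr(ip) if ip in lookup_a(n)]

def classify(ip, helo):
    """Grade a connecting client from weakest to strongest reverse-DNS evidence."""
    if not lookup_ptr(ip):
        return "no-ptr"            # what the quoted AOL guideline rejects outright
    confirmed = fcrdns_names(ip)
    if not confirmed:
        return "ptr-unconfirmed"   # PTR exists but the forward lookup disagrees
    if _norm(helo) in confirmed:
        return "name-match"        # announced server name is itself confirmed
    return "fcrdns-only"           # IP is confirmed, but under another name

if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.com"),
                     ("192.0.2.20", "mail.customer.example"),
                     ("192.0.2.20", "shared7.hoster.example"),
                     ("192.0.2.30", "forged.example.org"),
                     ("192.0.2.40", "host.example.net")]:
        print(f"{ip:12} HELO {helo:24} -> {classify(ip, helo)}")
```

The second and third sample rows are the shared-hosting case: the same IP passes the name match when the server announces the hosting company's name and only the plain FCrDNS check when it announces the customer's name.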
On Fri, 2010-03-05 at 07:34 -0600, Mikkel wrote:
On 03/04/2010 09:25 PM, Craig White wrote:
I was just generally referring to the issue of smarthost = gmail which has nothing to do with SASL as far as I could imagine. For that matter, smarthost setup really has nothing to do with SASL.
Well, part of the thread was the problems he was having setting up SASL to work with the connection. Gmail does not like plain text user name/password when connecting to their server.
---- I didn't realize that Postfix uses SASL nomenclature to define outbound smtp authentication which really isn't using SASL at all but rather is just using SSL and/or TLS for the provided user/password and whatever internal technology Gmail uses is not relevant or transparent to the person/server that is authenticating beyond the SSL/TLS protocols.
It seems to me that Postfix is just creating confusion by calling it SASL.
Craig
On 03/05/2010 09:21 AM, Craig White wrote:
I didn't realize that Postfix uses SASL nomenclature to define outbound smtp authentication which really isn't using SASL at all but rather is just using SSL and/or TLS for the provided user/password and whatever internal technology Gmail uses is not relevant or transparent to the person/server that is authenticating beyond the SSL/TLS protocols.
It seems to me that Postfix is just creating confusion by calling it SASL.
Actually, it uses the SASL library as well.
Mikkel