Transport Based on Destination MX record and not Destination Domain?

Transport Based on Destination MX record and not Destination Domain?

Rodre Ghorashi-Zadeh-2

Hello List,

This is my first post to this list so please excuse any indiscretions. I have a problem where my carrier's/ISP's entire CIDR/subnet is blacklisted by some email carriers. My ISP does provide a relay/smarthost for outbound SMTP but it doesn't use TLS, so I don't want to route all of our company's email through it by setting the 'relayhost' parameter. I have been able to put the destination domains in the /etc/postfix/transport file and use my ISP's smarthost as the next hop MTA, however, I noticed that most of the destination domains I am experiencing problems with are all being handled by a specific email carrier. What I want to do is put that email carrier's entire CIDR into my postfix configuration and basically say "if the MX host for any destination domain's IP address belongs to this CIDR, use my ISP's smarthost", instead of having to add the domains one at a time. Is this possible?

~Rodre

Re: Transport Based on Destination MX record and not Destination Domain?

Noel Jones-2
Rodre Ghorashi-Zadeh wrote:
> Hello List,
>
> This is my first post to this list so please excuse any indiscretions. I have a problem where my carrier's/ISP entire CIDR/Subnet is blacklisted by some email carriers. My ISP does provide a relay/smarthost for outbound SMTP but it doesn't use TLS, so I don't want to route all of our company's email through it by setting the 'relayhost' parameter. I have been able to put the destination domains in the /etc/postfix/transport file and use my ISPs smarthost as the next hop MTA, however, I noticed that most of the destination domains I am experiencing problems with are all being handled by a specific email carrier. What I want to do is put that email carriers entire CIDR into my postfix configuration and basically say "if the MX host for any destination domains IP address belongs to this CIDR, use my ISPs smarthost, instead of having to add the domains one at a time. Is this possible?
>
> ~Rodre
>

You can use a check_recipient_mx_access map with a FILTER
action to set the next-hop destination to your ISP's smarthost.
http://www.postfix.org/postconf.5.html#check_recipient_mx_access
http://www.postfix.org/access.5.html

# main.cf
smtpd_sender_restrictions =
   check_recipient_mx_access cidr:/etc/postfix/smarthost.cidr

# smarthost.cidr
10.11.12.0/24  FILTER smtp:my.isp.smarthost


If you are using a content_filter, the setup is a little more
complicated...  The check_recipient_mx_access table must be
defined in master.cf in the after-filter smtpd listener.

--
Noel Jones

Log Message Headers

Bugzilla from j@mesrobertson.com
Apologies if this has been asked before.

I would like to log the message headers of email passing through postfix
so I can review them.

What is the recommended way to do this and will it have an effect on
performance?  Our mail server does not process a very high volume of mail.

Thanks.

James

Re: Log Message Headers

Ralf Hildebrandt
* James Robertson <[hidden email]>:
> Apologies if this has been asked before.
>
> I would like to log the message headers of email passing through postfix  
> so I can review them.
>
> What is the recommended way to do this and will it have an effect on  
> performance?  our mail server does not process a very high volume of mail.

Use header_checks with the pattern:

/./ WARN

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de                              I'm looking for a job
Official postfix-users mantra: post FULL log information when asking
questions, since most of us have no ESP abilities.

RE: Transport Based on Destination MX record and not Destination Domain?

Rodre Ghorashi-Zadeh-2
In reply to this post by Noel Jones-2

Hello,

Thanks for your response. According to http://www.postfix.org/access.5.html the filter would override my content_filter setting in main.cf, which I am currently using with amavisd-new:

FILTER transport:destination
              After  the  message is queued, send the entire mes-
              sage through the specified external content filter.
              The  transport:destination  syntax  is described in
              the transport(5)  manual  page.   More  information
              about  external  content  filters is in the Postfix
              FILTER_README file.

              Note: this action overrides the content_filter set-
              ting,  and  currently affects all recipients of the
              message.

              This feature is available in Postfix 2.0 and later.



Is this definitely the case?

~Rod
----------------------------------------

> Date: Tue, 19 Aug 2008 22:56:38 -0500
> From: [hidden email]
> To: [hidden email]; [hidden email]
> Subject: Re: Transport Based on Destination MX record and not Destination Domain?
>
> Rodre Ghorashi-Zadeh wrote:
>> Hello List,
>>
>> This is my first post to this list so please excuse any indiscretions. I have a problem where my carrier's/ISP entire CIDR/Subnet is blacklisted by some email carriers. My ISP does provide a relay/smarthost for outbound SMTP but it doesn't use TLS, so I don't want to route all of our company's email through it by setting the 'relayhost' parameter. I have been able to put the destination domains in the /etc/postfix/transport file and use my ISPs smarthost as the next hop MTA, however, I noticed that most of the destination domains I am experiencing problems with are all being handled by a specific email carrier. What I want to do is put that email carriers entire CIDR into my postfix configuration and basically say "if the MX host for any destination domains IP address belongs to this CIDR, use my ISPs smarthost, instead of having to add the domains one at a time. Is this possible?
>>
>> ~Rodre
>>
>
> You can use a check_recipient_mx_access map with a FILTER
> action to set the next-hop destination to your IPS' smarthost.
> http://www.postfix.org/postconf.5.html#check_recipient_mx_access
> http://www.postfix.org/access.5.html
>
> # main.cf
> smtpd_sender_restrictions =
>    check_recipient_mx_access cidr:/etc/postfix/smarthost.cidr
>
> # smarthost.cidr
> 10.11.12.0/24  FILTER smtp:my.isp.smarthost
>
>
> If you are using a content_filter, the setup is a little more
> complicated...  The check_recipient_mx_access table must be
> defined in master.cf in the after-filter smtpd listener.
>
> --
> Noel Jones


Re: Transport Based on Destination MX record and not Destination Domain?

mouss-2
Rodre Ghorashi-Zadeh wrote:
> Hello,
>
> Thanks for your response. According to http://www.postfix.org/access.5.html the filter would override my content_filter setting in main.cf, which I am currently using with amavisd-new:
>

yes. use the mx_access FILTER in the after-amavisd-new smtpd.


Alternatively, use NAT to send the packets to your ISP if they were
going to the "guilty" MX. the relay= logs would be wrong, but since you
know it...

Re: Transport Based on Destination MX record and not Destination Domain?

Noel Jones-2
In reply to this post by Rodre Ghorashi-Zadeh-2
Rodre Ghorashi-Zadeh wrote:

> Hello,
>
> Thanks for your response. According to http://www.postfix.org/access.5.html the filter would override my content_filter setting in main.cf, which I am currently using with amavisd-new:
>
> FILTER transport:destination
>               After  the  message is queued, send the entire mes-
>               sage through the specified external content filter.
>               The  transport:destination  syntax  is described in
>               the transport(5)  manual  page.   More  information
>               about  external  content  filters is in the Postfix
>               FILTER_README file.
>
>               Note: this action overrides the content_filter set-
>               ting,  and  currently affects all recipients of the
>               message.
>
>               This feature is available in Postfix 2.0 and later.
>
>
>
> Is this definitely the case?
>
> ~Rod

Please don't top-post, it makes the thread hard to follow.

You are awarded extra credit for reading the docs, and then
asking an intelligent question.

However, you seem to have missed part of my answer.
As I said earlier:

>> If you are using a content_filter, the setup is a little more
>> complicated...  The check_recipient_mx_access table must be
>> defined in master.cf in the after-filter smtpd listener.
>>

So instead of changing main.cf you would edit master.cf and
find the smtpd listener where mail comes back into postfix
from your content_filter (usually port 10025) and add to that:

   -o smtpd_sender_restrictions=check_recipient_mx_access,cidr:/etc/postfix/smarthost.cidr

Note the only space in the above line is between "-o" and
"smtpd_sender..."

The smarthost.cidr table would be the same in either case.

--
Noel Jones


> ----------------------------------------
>> Date: Tue, 19 Aug 2008 22:56:38 -0500
>> From: [hidden email]
>> To: [hidden email]; [hidden email]
>> Subject: Re: Transport Based on Destination MX record and not Destination Domain?
>>
>> Rodre Ghorashi-Zadeh wrote:
>>> Hello List,
>>>
>>> This is my first post to this list so please excuse any indiscretions. I have a problem where my carrier's/ISP entire CIDR/Subnet is blacklisted by some email carriers. My ISP does provide a relay/smarthost for outbound SMTP but it doesn't use TLS, so I don't want to route all of our company's email through it by setting the 'relayhost' parameter. I have been able to put the destination domains in the /etc/postfix/transport file and use my ISPs smarthost as the next hop MTA, however, I noticed that most of the destination domains I am experiencing problems with are all being handled by a specific email carrier. What I want to do is put that email carriers entire CIDR into my postfix configuration and basically say "if the MX host for any destination domains IP address belongs to this CIDR, use my ISPs smarthost, instead of having to add the domains one at a time. Is this possible?
>>>
>>> ~Rodre
>>>
>> You can use a check_recipient_mx_access map with a FILTER
>> action to set the next-hop destination to your IPS' smarthost.
>> http://www.postfix.org/postconf.5.html#check_recipient_mx_access
>> http://www.postfix.org/access.5.html
>>
>> # main.cf
>> smtpd_sender_restrictions =
>>    check_recipient_mx_access cidr:/etc/postfix/smarthost.cidr
>>
>> # smarthost.cidr
>> 10.11.12.0/24  FILTER smtp:my.isp.smarthost
>>
>>
>> If you are using a content_filter, the setup is a little more
>> complicated...  The check_recipient_mx_access table must be
>> defined in master.cf in the after-filter smtpd listener.
>>
>> --
>> Noel Jones
>
> _________________________________________________________________
>


RE: Transport Based on Destination MX record and not Destination Domain?

Rodre Ghorashi-Zadeh-2

Hello,

I am sorry, I don't know what you mean by "top post" all I did was hit "reply" in hotmail. I tried adding this in my master.cf but it didn't work. I think the problem is that check_recipient_mx_access is expecting an "access" table type and not a CIDR table type:

check_recipient_mx_access type:table
    Search the specified access(5) database for the MX hosts for the RCPT TO domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.

Can anyone confirm or deny?

~Rod

----------------------------------------

> Date: Wed, 20 Aug 2008 14:57:31 -0500
> From: [hidden email]
> To: [hidden email]; [hidden email]
> Subject: Re: Transport Based on Destination MX record and not Destination Domain?
>
> Rodre Ghorashi-Zadeh wrote:
>> Hello,
>>
>> Thanks for your response. According to http://www.postfix.org/access.5.html the filter would override my content_filter setting in main.cf, which I am currently using with amavisd-new:
>>
>> FILTER transport:destination
>>               After  the  message is queued, send the entire mes-
>>               sage through the specified external content filter.
>>               The  transport:destination  syntax  is described in
>>               the transport(5)  manual  page.   More  information
>>               about  external  content  filters is in the Postfix
>>               FILTER_README file.
>>
>>               Note: this action overrides the content_filter set-
>>               ting,  and  currently affects all recipients of the
>>               message.
>>
>>               This feature is available in Postfix 2.0 and later.
>>
>>
>>
>> Is this definitely the case?
>>
>> ~Rod
>
> Please don't top-post, it makes the thread hard to follow.
>
> You are awarded extra credit for reading the docs, and then
> asking an intelligent question.
>
> However, you seem to have missed part of my answer.
> As I said earlier:
>
>>> If you are using a content_filter, the setup is a little more
>>> complicated...  The check_recipient_mx_access table must be
>>> defined in master.cf in the after-filter smtpd listener.
>>>
>
> So instead of changing main.cf you would edit master.cf and
> find the smtpd listener where mail comes back into postfix
> from your content_filter (usually port 10025) and add to that:
>
>    -o
> smtpd_sender_restrictions=check_recipient_mx_access,cidr:/etc/postfix/smarthost.cidr
>
> Note the only space in the above line is between "-o" and
> "smtp_sender..."
>
> The smarthost.cidr table would be the same in either case.
>
> --
> Noel Jones
>
>
>> ----------------------------------------
>>> Date: Tue, 19 Aug 2008 22:56:38 -0500
>>> From: [hidden email]
>>> To: [hidden email]; [hidden email]
>>> Subject: Re: Transport Based on Destination MX record and not Destination Domain?
>>>
>>> Rodre Ghorashi-Zadeh wrote:
>>>> Hello List,
>>>>
>>>> This is my first post to this list so please excuse any indiscretions. I have a problem where my carrier's/ISP entire CIDR/Subnet is blacklisted by some email carriers. My ISP does provide a relay/smarthost for outbound SMTP but it doesn't use TLS, so I don't want to route all of our company's email through it by setting the 'relayhost' parameter. I have been able to put the destination domains in the /etc/postfix/transport file and use my ISPs smarthost as the next hop MTA, however, I noticed that most of the destination domains I am experiencing problems with are all being handled by a specific email carrier. What I want to do is put that email carriers entire CIDR into my postfix configuration and basically say "if the MX host for any destination domains IP address belongs to this CIDR, use my ISPs smarthost, instead of having to add the domains one at a time. Is this possible?
>>>>
>>>> ~Rodre
>>>>
>>> You can use a check_recipient_mx_access map with a FILTER
>>> action to set the next-hop destination to your IPS' smarthost.
>>> http://www.postfix.org/postconf.5.html#check_recipient_mx_access
>>> http://www.postfix.org/access.5.html
>>>
>>> # main.cf
>>> smtpd_sender_restrictions =
>>>    check_recipient_mx_access cidr:/etc/postfix/smarthost.cidr
>>>
>>> # smarthost.cidr
>>> 10.11.12.0/24  FILTER smtp:my.isp.smarthost
>>>
>>>
>>> If you are using a content_filter, the setup is a little more
>>> complicated...  The check_recipient_mx_access table must be
>>> defined in master.cf in the after-filter smtpd listener.
>>>
>>> --
>>> Noel Jones
>>
>> _________________________________________________________________
>>
>


Re: Transport Based on Destination MX record and not Destination Domain?

Michael-129
Rodre Ghorashi-Zadeh wrote:
> Hello,
>
> I am sorry, I don't know what you mean by "top post" all I did was hit "reply" in hotmail. I tried adding this in my master.cf but it didn't work. I think the problem is that check_recipient_mx_access is expecting an "access" table type and not a CIDR table type:
>

Top-posting is considered bad form in most mailing lists.

Please read: http://www.catb.org/jargon/html/T/top-post.html

Michael

RE: Transport Based on Destination MX record and not Destination Domain?

Rodre Ghorashi-Zadeh-2



>> I am sorry, I don't know what you mean by "top post" all I did was hit "reply" in hotmail. I tried adding this in my master.cf but it didn't work. I think the problem is that check_recipient_mx_access is expecting an "access" table type and not a CIDR table type:
>>
>
> Top-posting is considered bad form in most mailing lists.
>
> Please read: http://www.catb.org/jargon/html/T/top-post.html
>

Ok got it. Thanks.

~Rodre

Re: Transport Based on Destination MX record and not Destination Domain?

Brian Evans - Postfix List
In reply to this post by Rodre Ghorashi-Zadeh-2
Rodre Ghorashi-Zadeh wrote:
> Hello,
>
> I am sorry, I don't know what you mean by "top post" all I did was hit "reply" in hotmail. I tried adding this in my master.cf but it didn't work. I think the problem is that check_recipient_mx_access is expecting an "access" table type and not a CIDR table type:
>
> check_recipient_mx_access type:table
>     Search the specified access(5) database for the MX hosts for the RCPT TO domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
>
> Can anyone confirm or deny?
>  
An access formatted table does not care which type as long as it returns
values that are expected.
Any supported table type is valid for access tables.
man 5 cidr_table for details as what is expected on the left hand side.
access(5) values are expected on the right hand side.

Brian

> ~Rod
>
> ----------------------------------------
>  
>> Date: Wed, 20 Aug 2008 14:57:31 -0500
>> From: [hidden email]
>> To: [hidden email]; [hidden email]
>> Subject: Re: Transport Based on Destination MX record and not Destination Domain?
>>
>> Rodre Ghorashi-Zadeh wrote:
>>    
>>> Hello,
>>>
>>> Thanks for your response. According to http://www.postfix.org/access.5.html the filter would override my content_filter setting in main.cf, which I am currently using with amavisd-new:
>>>
>>> FILTER transport:destination
>>>               After  the  message is queued, send the entire mes-
>>>               sage through the specified external content filter.
>>>               The  transport:destination  syntax  is described in
>>>               the transport(5)  manual  page.   More  information
>>>               about  external  content  filters is in the Postfix
>>>               FILTER_README file.
>>>
>>>               Note: this action overrides the content_filter set-
>>>               ting,  and  currently affects all recipients of the
>>>               message.
>>>
>>>               This feature is available in Postfix 2.0 and later.
>>>
>>>
>>>
>>> Is this definitely the case?
>>>
>>> ~Rod
>>>      
>> Please don't top-post, it makes the thread hard to follow.
>>
>> You are awarded extra credit for reading the docs, and then
>> asking an intelligent question.
>>
>> However, you seem to have missed part of my answer.
>> As I said earlier:
>>
>>    
>>>> If you are using a content_filter, the setup is a little more
>>>> complicated...  The check_recipient_mx_access table must be
>>>> defined in master.cf in the after-filter smtpd listener.
>>>>
>>>>        
>> So instead of changing main.cf you would edit master.cf and
>> find the smtpd listener where mail comes back into postfix
>> from your content_filter (usually port 10025) and add to that:
>>
>>    -o
>> smtpd_sender_restrictions=check_recipient_mx_access,cidr:/etc/postfix/smarthost.cidr
>>
>> Note the only space in the above line is between "-o" and
>> "smtp_sender..."
>>
>> The smarthost.cidr table would be the same in either case.
>>
>> --
>> Noel Jones
>>
>>
>>    
>>> ----------------------------------------
>>>      
>>>> Date: Tue, 19 Aug 2008 22:56:38 -0500
>>>> From: [hidden email]
>>>> To: [hidden email]; [hidden email]
>>>> Subject: Re: Transport Based on Destination MX record and not Destination Domain?
>>>>
>>>> Rodre Ghorashi-Zadeh wrote:
>>>>        
>>>>> Hello List,
>>>>>
>>>>> This is my first post to this list so please excuse any indiscretions. I have a problem where my carrier's/ISP entire CIDR/Subnet is blacklisted by some email carriers. My ISP does provide a relay/smarthost for outbound SMTP but it doesn't use TLS, so I don't want to route all of our company's email through it by setting the 'relayhost' parameter. I have been able to put the destination domains in the /etc/postfix/transport file and use my ISPs smarthost as the next hop MTA, however, I noticed that most of the destination domains I am experiencing problems with are all being handled by a specific email carrier. What I want to do is put that email carriers entire CIDR into my postfix configuration and basically say "if the MX host for any destination domains IP address belongs to this CIDR, use my ISPs smarthost, instead of having to add the domains one at a time. Is this possible?
>>>>>
>>>>> ~Rodre
>>>>>
>>>>>          
>>>> You can use a check_recipient_mx_access map with a FILTER
>>>> action to set the next-hop destination to your IPS' smarthost.
>>>> http://www.postfix.org/postconf.5.html#check_recipient_mx_access
>>>> http://www.postfix.org/access.5.html
>>>>
>>>> # main.cf
>>>> smtpd_sender_restrictions =
>>>>    check_recipient_mx_access cidr:/etc/postfix/smarthost.cidr
>>>>
>>>> # smarthost.cidr
>>>> 10.11.12.0/24  FILTER smtp:my.isp.smarthost
>>>>
>>>>
>>>> If you are using a content_filter, the setup is a little more
>>>> complicated...  The check_recipient_mx_access table must be
>>>> defined in master.cf in the after-filter smtpd listener.
>>>>
>>>> --
>>>> Noel Jones
>>>>        
>>> _________________________________________________________________
>>>
>>>      
>
> _________________________________________________________________
>
>  


Re: Transport Based on Destination MX record and not Destination Domain?

Noel Jones-2
In reply to this post by Rodre Ghorashi-Zadeh-2
Rodre Ghorashi-Zadeh wrote:

> Hello,
>
> I am sorry, I don't know what you mean by "top post" all I did was hit "reply" in hotmail. I tried adding this in my master.cf but it didn't work. I think the problem is that check_recipient_mx_access is expecting an "access" table type and not a CIDR table type:
>
> check_recipient_mx_access type:table
>     Search the specified access(5) database for the MX hosts for the RCPT TO domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
>
> Can anyone confirm or deny?
>
> ~Rod
>

Put your answer below text you are replying to.  Trim excess text.

If you report the error message you received rather than "it
didn't work" it's easier to offer a solution.

check_recipient_mx_access works with any supported table type.

# postconf -m
will list the table types supported by your installation of
postfix.  CIDR table support was introduced with postfix
version 2.1, which also happens to be the version that
introduced check_recipient_mx_access.

If your postfix is more ancient than that, you will need to
upgrade it to get this feature.

--
Noel Jones

RE: Transport Based on Destination MX record and not Destination Domain?

Rodre Ghorashi-Zadeh-2
In reply to this post by Brian Evans - Postfix List



> An access formatted table does not care which type as long as it returns
> values that are expected.
> Any supported table type is valid for access tables.
> man 5 cidr_table for details as what is expected on the left hand side.
> access(5) values are expected on the right hand side.
>

I have confirmed that my postfix version: postfix-2.3.3-2.1.el5_2 supports the CIDR tables using postconf -m

I checked man 5 cidr_table and it only seems to take "OK" or "REJECT" but perhaps this is not a comprehensive list? The error I was getting was:

postfix/smtpd[1230]: fatal: unexpected command-line argument: cidr:/etc/postfix/smarthost.cidr

my /etc/postfix/smarthost.cidr looks like this:

208.65.144.0/21 FILTER smtp:mail.shawcable.com

and the relevant portion of my master.cf looks like this:

127.0.0.1:10025 inet    n       -       n       -       -       smtpd
        -o content_filter=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=check_recipient_mx_access cidr:/etc/postfix/smarthost.cidr
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o smtpd_restriction_classes=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
        -o local_header_rewrite_clients=

Thanks for the help.

~Rod

Re: Transport Based on Destination MX record and not Destination Domain?

Noel Jones-2
Rodre Ghorashi-Zadeh wrote:

>
>
>> An access formatted table does not care which type as long as it returns
>> values that are expected.
>> Any supported table type is valid for access tables.
>> man 5 cidr_table for details as what is expected on the left hand side.
>> access(5) values are expected on the right hand side.
>>
>
> I have confirmed that my postfix version: postfix-2.3.3-2.1.el5_2 supports the CIDR tables using postconf -m
>
> I checked man 5 cidr_table and it only seems to take "OK" or "REJECT" but perhaps this is not a comprehesive list? The error I was getting was:
>
> postfix/smtpd[1230]: fatal: unexpected command-line argument: cidr:/etc/postfix/smarthost.cidr

You used a space in the command line.   Don't do that.

>
> my /etc/postfix/smarthost.cidr looks like this:
>
> 208.65.144.0/21 FILTER smtp:mail.shawcable.com
>
> and the relevent portion of my master.cf looks like this:
>
> 127.0.0.1:10025 inet    n       -       n       -       -       smtpd
>         -o content_filter=
>         -o smtpd_delay_reject=no
>         -o smtpd_client_restrictions=permit_mynetworks,reject
>         -o smtpd_helo_restrictions=
>         -o smtpd_sender_restrictions=check_recipient_mx_access cidr:/etc/postfix/smarthost.cidr

The above line must not have any spaces in it.  Replace the
space between "...mx_access" and "cidr:..." with a "," comma,
just like in the example you were given before.

--
Noel Jones
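
The failure discussed above (whitespace inside a master.cf "-o name=value" override, which smtpd then reports as an unexpected command-line argument) can be caught before reloading Postfix. The following linter is an added example, not part of any post in this thread or of Postfix; it assumes the unquoted "-o name=value" form used in the thread, its function names are hypothetical, and the sample is an excerpt of the master.cf entry posted above.

```python
"""Lint master.cf text for whitespace inside "-o name=value" overrides."""

# pipe(8) and spawn(8) take positional arguments by design, so they are skipped.
POSITIONAL_COMMANDS = {"pipe", "spawn"}


def logical_lines(text):
    """Yield (first_line_number, joined_text) for each master.cf logical line.

    A line that starts with whitespace continues the previous logical line;
    blank lines and lines whose first non-blank character is '#' are ignored.
    """
    start, parts = None, []
    for number, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and parts:
            parts.append(stripped)
            continue
        if parts:
            yield start, " ".join(parts)
        start, parts = number, [stripped]
    if parts:
        yield start, " ".join(parts)


def lint_master_cf(text):
    """Return one finding per stray argument that follows an -o override."""
    findings = []
    for number, line in logical_lines(text):
        fields = line.split()
        # Eight fields precede the arguments: service, type, private,
        # unpriv, chroot, wakeup, maxproc, command.
        if len(fields) < 8 or fields[7] in POSITIONAL_COMMANDS:
            continue
        args, override, i = fields[8:], None, 0
        while i < len(args):
            token = args[i]
            if token == "-o" and i + 1 < len(args):
                override = args[i + 1]      # the name=value being set
                i += 2
            elif token.startswith("-"):
                override = None             # some other flag, e.g. -v
                i += 1
            else:
                # A bare word here was split off the preceding value.
                if override is not None:
                    override = override + "," + token
                findings.append({"service": fields[0], "line": number,
                                 "stray": token, "suggest": override})
                i += 1
    return findings


# Excerpt of the entry posted in the thread, with the space still in place.
BROKEN = """\
127.0.0.1:10025 inet    n       -       n       -       -       smtpd
        -o content_filter=
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_sender_restrictions=check_recipient_mx_access cidr:/etc/postfix/smarthost.cidr
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""
FIXED = BROKEN.replace("mx_access cidr:", "mx_access,cidr:")

if __name__ == "__main__":
    for finding in lint_master_cf(BROKEN):
        print("%(service)s (line %(line)d): stray argument %(stray)r; "
              "write it as: -o %(suggest)s" % finding)
```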

RE: Transport Based on Destination MX record and not Destination Domain?

Rodre Ghorashi-Zadeh-2


-
>
> You used a space in the command line.   Don't do that.

OK, I replaced the space with a comma.
 

> The above line must not have any spaces in it.  Replace the
> space between "...mx_access" and "cidr:..." with a "," comma,
> just like in the example you were given before.
 
Now it is not erroring, but it doesn't seem to have any effect:

Aug 20 14:33:23 pshqma01 postfix/smtp[2523]: connect to clubzone.com.inbound10.mxlogic.net[208.65.144.2]: Connection timed out (port 25)
Aug 20 14:33:53 pshqma01 postfix/smtp[2523]: connect to clubzone.com.inbound10.mxlogic.net[208.65.144.3]: Connection timed out (port 25)
Aug 20 14:33:53 pshqma01 postfix/smtp[2523]: 016953B91271: to=, relay=none, delay=90, delays=0.01/0.02/90/0, dsn=4.4.1, status=deferred (connect to clubzone.com.inbound10.mxlogic.net[208.65.144.3]: Connection timed out)

The above messages are like what I was getting before I implemented the transport method. Thoughts? Thanks for the help.

~Rod
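
One thing that can be ruled out offline at this point is the table itself: whether the MX addresses in the deferred-delivery log lines actually fall inside the network listed in smarthost.cidr. The script below is an added example, not part of any post in this thread; it handles only plain "pattern result" lines with first-match lookup, its function names are hypothetical, the first two log lines and the table entry are copied from the posts above, and the third log line is constructed for contrast.

```python
"""Check MX addresses seen in Postfix smtp logs against a CIDR access table."""
import ipaddress
import re

# Matches the "connect to host[address]" part of a Postfix smtp client log line.
CONNECT_RE = re.compile(r"connect to (\S+?)\[([0-9A-Fa-f:.]+)\]")


def parse_cidr_table(text):
    """Parse "network/prefix result" lines into an ordered rule list.

    Only the plain "pattern result" form is handled. A pattern with host
    bits set raises ValueError instead of being silently accepted.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), action.strip()))
    return rules


def lookup(rules, address):
    """Return the result of the first rule whose network contains address."""
    ip = ipaddress.ip_address(address)
    for network, action in rules:
        if ip in network:
            return action
    return None


def mx_actions(log_text, rules):
    """Return (host, address, result) for each distinct MX seen in the log."""
    seen = {}
    for host, address in CONNECT_RE.findall(log_text):
        seen.setdefault((host, address), lookup(rules, address))
    return [(host, address, action)
            for (host, address), action in seen.items()]


# Table entry as posted in the thread.
TABLE = "208.65.144.0/21 FILTER smtp:mail.shawcable.com\n"

# First two lines are from the thread; the mx.example.net line is constructed.
LOG = """\
Aug 20 14:33:23 pshqma01 postfix/smtp[2523]: connect to clubzone.com.inbound10.mxlogic.net[208.65.144.2]: Connection timed out (port 25)
Aug 20 14:33:53 pshqma01 postfix/smtp[2523]: connect to clubzone.com.inbound10.mxlogic.net[208.65.144.3]: Connection timed out (port 25)
Aug 20 14:34:10 pshqma01 postfix/smtp[2523]: connect to mx.example.net[192.0.2.25]: Connection timed out (port 25)
"""

if __name__ == "__main__":
    for host, address, action in mx_actions(LOG, parse_cidr_table(TABLE)):
        print("%-40s %-15s %s" % (host, address, action or "(no match)"))
```

Both addresses from the thread's log match the table entry, so a delivery that still goes direct points at where the restriction is evaluated rather than at the table contents.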

Re: Transport Based on Destination MX record and not Destination Domain?

Noel Jones-2
Rodre Ghorashi-Zadeh wrote:

>
> -
>> You used a space in the command line.   Don't do that.
>
> OK, I replaced the space with a comma.
>  
>
>> The above line must not have any spaces in it.  Replace the
>> space between "...mx_access" and "cidr:..." with a "," comma,
>> just like in the example you were given before.
>  
> Now it is not erroring, but it doesn't seem to have any effect:
>
> Aug 20 14:33:23 pshqma01 postfix/smtp[2523]: connect to clubzone.com.inbound10.mxlogic.net[208.65.144.2]: Connection timed out (port 25)
> Aug 20 14:33:53 pshqma01 postfix/smtp[2523]: connect to clubzone.com.inbound10.mxlogic.net[208.65.144.3]: Connection timed out (port 25)
> Aug 20 14:33:53 pshqma01 postfix/smtp[2523]: 016953B91271: to=, relay=none, delay=90, delays=0.01/0.02/90/0, dsn=4.4.1, status=deferred (connect to clubzone.com.inbound10.mxlogic.net[208.65.144.3]: Connection timed out)
>
> The above messages are like what I was getting before I implemented the transport method. Thoughts? Thanks for the help.
>
> ~Rod

This only affects mail when it enters postfix (or more
specifically, when it leaves the content_filter).  Mail
already in the queue will not be affected.  Mail that bypasses
the content_filter will not be affected.

Why is "to=" logged above?  There must be a recipient address
to look up the recipient MX.

--
Noel Jones

RE: Transport Based on Destination MX record and not Destination Domain?

Rodre Ghorashi-Zadeh-2


> This only affects mail when it enters postfix (or more
> specifically, when it leaves the content_filter).  Mail
> already in the queue will not be affected.  Mail that bypasses
> the content_filter will not be affected.
>
> Why is "to=" logged above?  There must be a recipient address
> to look up the recipient MX.
>

I sent the test message after I made the last adjustment (replacement of the space with a comma) to the master.cf. I saw the message traverse the content_filter (amavisd):

amavis[2669]: (02669-11) Passed CLEAN, MYNETS LOCAL [192.168.x.xxx] [192.168.x.xxx]  -> , Message-ID: , mail_id: DX9iOWagdlkP, Hits: -3.748, size: 671, queued_as: 386063B91282, 316 ms

then try and deliver directly, as opposed to via the smarthost, hence the error messages.

I believe the list software must have detected and removed the email address in the "to=" field in order to stop email address harvesting. I double checked and it was definitely there in the log and in the email I sent to the list. The email address coincides with clubzone.com domain. What else can I try to debug?

~Rod


Re: Transport Based on Destination MX record and not Destination Domain?

Noel Jones-2
Rodre Ghorashi-Zadeh wrote:

>
>> This only affects mail when it enters postfix (or more
>> specifically, when it leaves the content_filter).  Mail
>> already in the queue will not be affected.  Mail that bypasses
>> the content_filter will not be affected.
>>
>> Why is "to=" logged above?  There must be a recipient address
>> to look up the recipient MX.
>>
>
> I sent the test message after I made the last adjustment (replacement of the space with a comma) to the master.cf. I saw the message traverse the content_filter (amavisd):
>
> amavis[2669]: (02669-11) Passed CLEAN, MYNETS LOCAL [192.168.x.xxx] [192.168.x.xxx]  -> , Message-ID: , mail_id: DX9iOWagdlkP, Hits: -3.748, size: 671, queued_as: 386063B91282, 316 ms
>
>  then try and deliver directly, as opposed to via the smarthost, hence the error messages.
>
> I believe the list software must have detected and removed the email address in the "to=" field in order to stop email address harvesting. I double checked and it was definitely there in the log and in the email I sent to the list. The email address coincides with clubzone.com domain. What else can I try to debug?
>
> ~Rod
>


Postfix should note in the log if/when the FILTER action is
triggered.

You can test your cidr map with
# postmap -q ip.address.to.check cidr:mapname
which should return your FILTER statement if the ip address is
matched, or nothing if no match is found.

You can add a "-v" option to the 10025 smtpd listener to turn
on verbose logging to get more detail of what happens, but
sometimes that's more info than you need...
http://www.postfix.org/DEBUG_README.html


--
Noel Jones
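
The map test described above can also be run offline against the delivery log. This is an added example, not code from the thread: it parses a table in cidr_table layout, applies first-match lookup as `postmap -q` does, and lists the hosts Postfix still contacted directly although the table would reroute them, which separates a map problem from a restriction that was never applied. The /24 network and all function names are assumptions; only the result for 208.65.144.3 and the log lines come from the thread.

```python
import ipaddress
import re

# Constructed table in Postfix cidr_table(5) layout: "network/prefix  result".
# Only the result for 208.65.144.3 is from the thread; the /24 is an assumption.
SMARTHOST_CIDR = """\
# carrier ranges that reject our ISP's address space
208.65.144.0/24    FILTER smtp:mail.shawcable.com
"""

# Connection attempts copied from the deferred-delivery log lines in the thread.
SMTP_LOG = """\
Aug 20 14:33:23 pshqma01 postfix/smtp[2523]: connect to clubzone.com.inbound10.mxlogic.net[208.65.144.2]: Connection timed out (port 25)
Aug 20 14:33:53 pshqma01 postfix/smtp[2523]: connect to clubzone.com.inbound10.mxlogic.net[208.65.144.3]: Connection timed out (port 25)
"""

CONNECT_RE = re.compile(r"postfix/smtp\[\d+\]: connect to (\S+)\[([0-9.]+)\]")


def parse_cidr_table(text):
    """Return [(network, result)] in file order; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), result))
    return rules


def lookup(rules, address):
    """First matching rule wins; None mirrors postmap printing nothing."""
    ip = ipaddress.ip_address(address)
    for network, result in rules:
        if ip in network:
            return result
    return None


def audit_direct_attempts(log_text, rules):
    """List direct connection attempts to hosts the table says to reroute."""
    hits = []
    for host, ip in CONNECT_RE.findall(log_text):
        result = lookup(rules, ip)
        if result is not None:
            hits.append((host, ip, result))
    return hits


if __name__ == "__main__":
    for host, ip, result in audit_direct_attempts(SMTP_LOG, parse_cidr_table(SMARTHOST_CIDR)):
        print(f"{ip} ({host}) matches '{result}' but was contacted directly")
```
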

Re: Transport Based on Destination MX record and not Destination Domain?

mouss-2
In reply to this post by Rodre Ghorashi-Zadeh-2
Rodre Ghorashi-Zadeh wrote:

>
>> This only affects mail when it enters postfix (or more
>> specifically, when it leaves the content_filter).  Mail
>> already in the queue will not be affected.  Mail that bypasses
>> the content_filter will not be affected.
>>
>> Why is "to=" logged above?  There must be a recipient address
>> to look up the recipient MX.
>>
>
> I sent the test message after I made the last adjustment (replacement of the space with a comma) to the master.cf. I saw the message traverse the content_filter (amavisd):
>
> amavis[2669]: (02669-11) Passed CLEAN, MYNETS LOCAL [192.168.x.xxx] [192.168.x.xxx]  -> , Message-ID: , mail_id: DX9iOWagdlkP, Hits: -3.748, size: 671, queued_as: 386063B91282, 316 ms
>
>  then try and deliver directly, as opposed to via the smarthost, hence the error messages.
>
> I believe the list software must have detected and removed the email address in the "to=" field
> in order to stop email address harvesting.

you're being too creative. Now why would it remove the message-id?

don't accuse the list software. do you think the list software will
remove the addresses below:
        first: to=<[hidden email]>
        second: to=[hidden email]
        third: to=
(ok, the third one is a joke...)

It is _your_ (ht)mailer which fixes your writing, because it doesn't
believe in your ability to write correctly (it thinks angle brackets are
reserved for html). I am only surprised that it didn't add (TM) after
"316 ms" and that it didn't fix "MYNETS" (should be "MSN Yet").

anyway, this gives me an idea:
Q- how to block hotmail users "kindly"?
A- Ask them to put "<notspam>" (or "<secret>") in their message.

sorry, couldn't resist...

>I double checked and it was definitely there in the log and in the email I sent to the list. The email address coincides with clubzone.com domain. What else can I try to debug?

first remove (or hold) the old mail or requeue it. then make sure the
message  passes via the smtpd where you added the check_mx_access call.
As Noel said, use postmap to test your map, and if needed use -v to get
more logs.




RE: Transport Based on Destination MX record and not Destination Domain?

Rodre Ghorashi-Zadeh-2



>
> first remove (or hold) the old mail or requeue it. then make sure the
> message  passes via the smtpd where you added the check_mx_access call.
> As Noel said, use postmap to test your map, and if needed use -v to get
> more logs.
>
>
>
postmap outputs the correct mapping:

postmap -q 208.65.144.3 cidr:/etc/postfix/smarthost.cidr
FILTER smtp:mail.shawcable.com

and the message passes through the smtpd with the check_recipient_mx_access call:


Aug 21 11:20:34 czhqma01 postfix/smtpd[10312]:>>> START Sender address RESTRICTIONS <<<
Aug 21 11:20:34 czhqma01 postfix/smtpd[10312]: generic_checks: name=check_recipient_mx_access
Aug 21 11:20:34 czhqma01 postfix/smtpd[10312]: generic_checks: name=check_recipient_mx_access status=0
Aug 21 11:20:34 czhqma01 postfix/smtpd[10312]:>>> END Sender address RESTRICTIONS <<<

but it doesn't seem to be picking up on it. What else can I try?

~Rod