myorigin = $mydomain, but where is mydomain defined?

classic Classic list List threaded Threaded
18 messages Options
Reply | Threaded
Open this post in threaded view
|

myorigin = $mydomain, but where is mydomain defined?

MountainX
I was reading the SOHO doc and decied that setting "myorigin = $mydomain" might address my needs. (I was just guessing, because it isn't clear to me exactly what this setting does.) After making the change, I have the problem where my postfix logs show emails addressed like this:
from=<root@com> 
and if that is obfuscated, it is:
from=<root-at-com>
There is no domain name. Obviously, I must not have defined mydomain. How and where do I do this? Thanks.

FYI, I did this before posting my question:
http://www.google.com/search?q=postfix+define+mydomain
but I'm not finding the answer yet...
Reply | Threaded
Open this post in threaded view
|

Re: myorigin = $mydomain, but where is mydomain defined?

Brian Evans - Postfix List
MountainX wrote:

> I was reading the SOHO doc and decied that setting "myorigin = $mydomain"
> might address my needs. (I was just guessing, because it isn't clear to me
> exactly what this setting does.) After making the change, I have the problem
> where my postfix logs show emails addressed like this:
> from=<root@com>
> and if that is obfuscated, it is:
> from=<root-at-com>
> There is no domain name. Obviously, I must not have defined mydomain. How
> and where do I do this? Thanks.
>
> FYI, I did this before posting my question:
> http://www.google.com/search?q=postfix+define+mydomain
> but I'm not finding the answer yet...
>  
The official documentation is often the best source.

http://www.postfix.org/postconf.5.html#mydomain

Brian
Reply | Threaded
Open this post in threaded view
|

Re: myorigin = $mydomain, but where is mydomain defined?

MountainX

Brian Evans - Postfix List wrote
MountainX wrote:
> I was reading the SOHO doc and decied that setting "myorigin = $mydomain"
> might address my needs. (I was just guessing, because it isn't clear to me
> exactly what this setting does.) After making the change, I have the problem
> where my postfix logs show emails addressed like this:
> from=<root@com> 
> and if that is obfuscated, it is:
> from=<root-at-com>
> There is no domain name. Obviously, I must not have defined mydomain. How
> and where do I do this? Thanks.
>
> FYI, I did this before posting my question:
> http://www.google.com/search?q=postfix+define+mydomain
> but I'm not finding the answer yet...
>  
The official documentation is often the best source.

http://www.postfix.org/postconf.5.html#mydomain

Brian
Thank you. Now I realize I have a config that may not be right.
I have mydomain = example.com
and myhostname = example.com

and in generic, I have:
@localhost    me-at-example.com

Are those settings all OK?
Reply | Threaded
Open this post in threaded view
|

Re: myorigin = $mydomain, but where is mydomain defined?

Brian Evans - Postfix List
MountainX wrote:

>
> Brian Evans - Postfix List wrote:
>  
>> MountainX wrote:
>>    
>>> I was reading the SOHO doc and decied that setting "myorigin = $mydomain"
>>> might address my needs. (I was just guessing, because it isn't clear to
>>> me
>>> exactly what this setting does.) After making the change, I have the
>>> problem
>>> where my postfix logs show emails addressed like this:
>>> from=<root@com>
>>> and if that is obfuscated, it is:
>>> from=<root-at-com>
>>> There is no domain name. Obviously, I must not have defined mydomain. How
>>> and where do I do this? Thanks.
>>>
>>> FYI, I did this before posting my question:
>>> http://www.google.com/search?q=postfix+define+mydomain
>>> but I'm not finding the answer yet...
>>>  
>>>      
>> The official documentation is often the best source.
>>
>> http://www.postfix.org/postconf.5.html#mydomain
>>
>> Brian
>>
>>
>>    
>
> Thank you. Now I realize I have a config that may not be right.
> I have mydomain = example.com
> and myhostname = example.com
>
>  

In  your case, you should have something like:
mydomain = example.com
myhostname = mail.example.com

myhostname must be the fully qualified name.

Brian
Reply | Threaded
Open this post in threaded view
|

Re: myorigin = $mydomain, but where is mydomain defined?

MountainX

Brian Evans - Postfix List wrote
MountainX wrote:
>
> Brian Evans - Postfix List wrote:
>  
>> MountainX wrote:
>>    
>>> I was reading the SOHO doc and decied that setting "myorigin = $mydomain"
>>> might address my needs. (I was just guessing, because it isn't clear to
>>> me
>>> exactly what this setting does.) After making the change, I have the
>>> problem
>>> where my postfix logs show emails addressed like this:
>>> from=<root@com> 
>>> and if that is obfuscated, it is:
>>> from=<root-at-com>
>>> There is no domain name. Obviously, I must not have defined mydomain. How
>>> and where do I do this? Thanks.
>>>
>>> FYI, I did this before posting my question:
>>> http://www.google.com/search?q=postfix+define+mydomain
>>> but I'm not finding the answer yet...
>>>  
>>>      
>> The official documentation is often the best source.
>>
>> http://www.postfix.org/postconf.5.html#mydomain
>>
>> Brian
>>
>>
>>    
>
> Thank you. Now I realize I have a config that may not be right.
> I have mydomain = example.com
> and myhostname = example.com
>
>  

In  your case, you should have something like:
mydomain = example.com
myhostname = mail.example.com

myhostname must be the fully qualified name.

Brian
But would it be correct to leave it as it?
One reason is that my spam settings (which I copied/pasted into postfix config) are so tight that basic functionality fails if I am using two or more domains (example.com and xyz.example.com). And I kind of like it like this. I just want it simple and I want it secure. And since I don't understand the spam settings, I want to leave them as they are, which means they only work when I use only a single domain (example.com with no hostname).

BTW, mail.example.com is defined in DNS as a CNAME record pointing to ghs.google.com, so I don't want to use that anyway.

I have the option to use xyz.example.com, but there is no A record defined for xyz.example.com nor do I want there to be one. (xyz means anything)

I simply want everything in the email headers to always show up as example.com not nnn.example.com.
My entire domain really consists of a single server hosting a blog.

Thanks for your continued assistance.
Reply | Threaded
Open this post in threaded view
|

Re: myorigin = $mydomain, but where is mydomain defined?

MountainX
In reply to this post by Brian Evans - Postfix List

Brian Evans - Postfix List wrote
MountainX wrote:
>
> Brian Evans - Postfix List wrote:
>  
>> MountainX wrote:
>>    
>>> I was reading the SOHO doc and decied that setting "myorigin = $mydomain"
>>> might address my needs. (I was just guessing, because it isn't clear to
>>> me
>>> exactly what this setting does.) After making the change, I have the
>>> problem
>>> where my postfix logs show emails addressed like this:
>>> from=<root@com> 
>>> and if that is obfuscated, it is:
>>> from=<root-at-com>
>>> There is no domain name. Obviously, I must not have defined mydomain. How
>>> and where do I do this? Thanks.
>>>
>>> FYI, I did this before posting my question:
>>> http://www.google.com/search?q=postfix+define+mydomain
>>> but I'm not finding the answer yet...
>>>  
>>>      
>> The official documentation is often the best source.
>>
>> http://www.postfix.org/postconf.5.html#mydomain
>>
>> Brian
>>
>>
>>    
>
> Thank you. Now I realize I have a config that may not be right.
> I have mydomain = example.com
> and myhostname = example.com
>
>  

In  your case, you should have something like:
mydomain = example.com
myhostname = mail.example.com

myhostname must be the fully qualified name.

Brian
Is this error related to the above changes? I did not change my spam/security settings at all.

Jan 28 12:48:43 ubuntu postfix/smtp[25852]: D23xxxx31D: to=<root@localhost>, relay=none, delay=13, delays=13/0.1/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)

Any idea how I can resolve this? thanks.
Reply | Threaded
Open this post in threaded view
|

Re: myorigin = $mydomain, but where is mydomain defined?

Thomas Ackermann-3
In reply to this post by MountainX
MountainX wrote:
<snip>

You need to set mydomain yourself!
Othwise, mydomain defaults to the string "localdomain":

postconf -d mydomain
mydomain = localdomain


Just set mydomain correctly and then use "myorigin = $mydomain":

mydomain = my-own-domain.com
myorigin = $mydomain


Nothing more needed :)
Reply | Threaded
Open this post in threaded view
|

Re: myorigin = $mydomain, but where is mydomain defined?

mouss-4
In reply to this post by MountainX
MountainX a écrit :
> Brian Evans - Postfix List wrote:
>>[snip]
>> In  your case, you should have something like:
>> mydomain = example.com
>> myhostname = mail.example.com
>>
>> myhostname must be the fully qualified name.

example.com is fully qualified.

It is ok for him to use this as long as it example.com can be resolved
(in DNS) and as long as he always defines mydomain explicitely.

>> Brian
>>
>>
>
> But would it be correct to leave it as it?
> One reason is that my spam settings (which I copied/pasted into postfix
> config) are so tight that basic functionality fails if I am using two or
> more domains (example.com and xyz.example.com). And I kind of like it like
> this. I just want it simple and I want it secure. And since I don't
> understand the spam settings, I want to leave them as they are, which means
> they only work when I use only a single domain (example.com with no
> hostname).
>

myhostname is not used for your spam settings.

> BTW, mail.example.com is defined in DNS as a CNAME record pointing to
> ghs.google.com, so I don't want to use that anyway.
>

then use another name. add a "joe.example.com" in DNS that resolves to
the server IP (if there are multiple IPs, use the IP used for sending
mail to the internet) and use it.

> I have the option to use xyz.example.com, but there is no A record defined
> for xyz.example.com nor do I want there to be one. (xyz means anything)
>
> I simply want everything in the email headers to always show up as
> example.com not nnn.example.com.

why?

> My entire domain really consists of a single server hosting a blog.
>

most "legitimate" sites have hostnames with more than two labels. by
using a two labels hostname, you look different and get exposed to more
checks:

- in one config, I used to require the heloname to reslve if it is
"short" (two labels in general).

- A lot of snowshoe spammers use "2 labels" hostnames (rustgarden.com,
deviltreez.com, blizzardheart.com, auberginefizz.com, ...). some people
may confuse you with one of these.

Reply | Threaded
Open this post in threaded view
|

Re: myorigin = $mydomain, but where is mydomain defined?

Thomas Ackermann-3
In reply to this post by MountainX
And NO, you do not need a myhostname entry!

Reply | Threaded
Open this post in threaded view
|

smtp_*_restrictions and syntax access-files

Thomas Ackermann-3
Hello,
the command "postconf smtpd_client_restrictions
smtpd_sender_restrictions" shows the following:

smtpd_client_restrictions = reject_invalid_hostname check_client_access
hash:/etc/postfix/client_access
smtpd_sender_restrictions = reject_unknown_address check_sender_access
hash:/etc/postfix/sender_access

The files have this content:

/etc/postfix/client_access:
<mail-address> REJECT

/etc/postfix/sender_access:
<mail-address> REJECT

The sender_access file get´s honored!

But if i try to send a mail to an address listed in client_access, it
get happily queued and delivered :-(

I suspect that i used the wrong restriction, the wrong hash/... thing or
whatever ...

Could you give a hint in the right direction?


But the client

Reply | Threaded
Open this post in threaded view
|

Re: smtp_*_restrictions and syntax access-files

Jimbo-3
Thomas wrote:

> smtpd_client_restrictions = reject_invalid_hostname
> check_client_access hash:/etc/postfix/client_access
>
> /etc/postfix/client_access:
> <mail-address> REJECT
>
> But if i try to send a mail to an address listed in client_access, it
> get happily queued and delivered :-(
>
> I suspect that i used the wrong restriction, the wrong hash/... thing
> or whatever ...
>
> Could you give a hint in the right direction?
Hi Thomas,

 From the documentation:
check_client_access type:table
    Search the specified access database for the client hostname, parent
domains, client IP address, or networks obtained by stripping least
significant octets. See the access(5) manual page for details.

You'd want your client_access file to list hostnames and IPs to
permit/reject, email addresses won't be queried for.


Reply | Threaded
Open this post in threaded view
|

Re: smtp_*_restrictions and syntax access-files

Thomas Ackermann-3
In reply to this post by Thomas Ackermann-3
Thomas wrote:
> But if i try to send a mail to an address listed in client_access, it
> get happily queued and delivered :-(
>
> I suspect that i used the wrong restriction, the wrong hash/... thing
> or whatever ...
>
> Could you give a hint in the right direction?

Found it:

smtpd_recipient_restrictions = permit_mynetworks
reject_unknown_recipient_domain permit_sasl_authenticated
reject_unauth_destination check_recipient_access
hash:/etc/postfix/recipient_access

It should be "recipient", not "client" ...

:)
Reply | Threaded
Open this post in threaded view
|

Re: smtp_*_restrictions and syntax access-files

Glenn English
In reply to this post by Jimbo-3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James Berwick wrote:

> Thomas wrote:
>> smtpd_client_restrictions = reject_invalid_hostname
>> check_client_access hash:/etc/postfix/client_access
>>
>> /etc/postfix/client_access:
>> <mail-address> REJECT
>>
>> But if i try to send a mail to an address listed in client_access, it
>> get happily queued and delivered :-(
>>
>> I suspect that i used the wrong restriction, the wrong hash/... thing
>> or whatever ...
>>
>> Could you give a hint in the right direction?
> Hi Thomas,
>
> From the documentation:
> check_client_access type:table
>    Search the specified access database for the client hostname, parent
> domains, client IP address, or networks obtained by stripping least
> significant octets. See the access(5) manual page for details.
>
> You'd want your client_access file to list hostnames and IPs to
> permit/reject, email addresses won't be queried for.


And the client in 'check_client_access' is the host postfix is receiving
from; not the one it's sending to...


- --
Glenn English
[hidden email]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmA+e8ACgkQ04yQfZbbTLbN+gCeKQBe0RBOQc+H9gCFiJGvS9u/
fKsAn1SpeptVaX8ehHh+7vKtOOX5EpmN
=XdKQ
-----END PGP SIGNATURE-----
Reply | Threaded
Open this post in threaded view
|

Re: smtp_*_restrictions and syntax access-files

Thomas Ackermann-3
ghe wrote:

> James Berwick wrote:
>  
>> From the documentation:
>> check_client_access type:table
>>    Search the specified access database for the client hostname, parent
>> domains, client IP address, or networks obtained by stripping least
>> significant octets. See the access(5) manual page for details.
>>
>> You'd want your client_access file to list hostnames and IPs to
>> permit/reject, email addresses won't be queried for.
>>    
>
>
> And the client in 'check_client_access' is the host postfix is receiving
> from; not the one it's sending to...
>
>  

Thanx a bunch!

Could you give some advice on my current postfix setup?

Currently i use the following:

smtpd_client_restrictions = reject_invalid_hostname check_client_access
hash:/etc/postfix/client_access
So, reject_invalid_hostname will check for the server we are receiving
mail from.
Is that OK, or would be change this?
Better change or add other things?

I ask about smtpd_sender_restrictions and smtpd_recipient_restrictions
in later mails ...

Reply | Threaded
Open this post in threaded view
|

Re: smtp_*_restrictions and syntax access-files

Victor Duchovni
In reply to this post by Thomas Ackermann-3
On Thu, Jan 29, 2009 at 01:09:08AM +0100, Thomas wrote:

> hash:/etc/postfix/client_access
> smtpd_sender_restrictions = reject_unknown_address check_sender_access
> hash:/etc/postfix/sender_access

Don't make stuff up. Keep it simple, and use only what you have
understood after reading the corresponding documentation.

If you do that, you will notice that there is no documentation for
"reject_unknown_address", hence you should not use it (there is
no such restriction, if that is not clear by now).

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Reply | Threaded
Open this post in threaded view
|

Re: smtp_*_restrictions and syntax access-files

Thomas Ackermann-3
Victor Duchovni wrote:
> If you do that, you will notice that there is no documentation for
> "reject_unknown_address", hence you should not use it (there is
> no such restriction, if that is not clear by now).
>  

Uh.
Thanx!

I changed to the following:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

Or would you add reject_unknown_sender_domain? It is already used in
"smptp_recipient_restrictions:


smtpd_recipient_restrictions = permit_mynetworks
reject_unknown_recipient_domain permit_sasl_authenticated
reject_unauth_destination check_recipient_access
pcre:/etc/postfix/recipient_access

OK, so far?
Add something? Remove something?


The client line looks like this:

smtpd_client_restrictions = reject_invalid_helo_hostname
check_client_access hash:/etc/postfix/client_access

OK, so far?
Add something? Remove "reject_invalid_helo_hostname"?

Reply | Threaded
Open this post in threaded view
|

Re: smtp_*_restrictions and syntax access-files

Victor Duchovni
On Thu, Jan 29, 2009 at 03:35:11AM +0100, Thomas wrote:

>
> Or would you add reject_unknown_sender_domain? It is already used in
> "smptp_recipient_restrictions:
>
>
> smtpd_recipient_restrictions = permit_mynetworks
> reject_unknown_recipient_domain permit_sasl_authenticated
> reject_unauth_destination check_recipient_access
> pcre:/etc/postfix/recipient_access
>
> OK, so far?
> Add something? Remove something?

I mentioned that I think you should only use restrictions you
understand. You are asking me to recommend that you use restrictions
you don't understand to achieve objectives you have not described.

I can't honestly recommend anything other than start with the
default:

    smtpd_client_restrictions =
    smtpd_helo_restrictions =
    smtpd_sender_restrictions =
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    smtpd_data_restrictions =

and add one primitive at a time, provided:

    - You understand what you are adding and why.

    - You test each evolutionary step to confirm that your understanding
      is correct.

For sufficiently small sites, with a DNS cache not forwarded via the ISP,
it is often enough to add zen.spamhaus.org RBL checks. More sophisticated
checks can be added only as needed and as your experience grows.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Reply | Threaded
Open this post in threaded view
|

Re: smtp_*_restrictions and syntax access-files

Thomas Ackermann-3
Victor Duchovni schrieb:
>
> I can't honestly recommend anything other than start with the
> default:
>  

I suspect, you are right :)

After another check of my logfiles, i reduced my restriction lists
 to the following:

smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
check_client_access hash:/etc/postfix/client_access

smtpd_helo_restrictions = reject_invalid_helo_hostname

smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/sender_access

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_access

That seems to help against most spammers i can find and does not
restrict the regular mails ...

Thanx!