I have a postfix mail server which sends email from both virtual addresses and from local Unix accounts, through a PHP script using mail().
I've installed Amavis and have successfully configured filtering and and the addition of mail signatures for the virtual addresses, but the signatures are not added for any mail sent by the local accounts (e.g. through a script or the mail command)
I've tried a heap of config and routing changes but no luck- does anyone please know how to filter such local outgoing mail?
Thanks!
For future reference, the answer was a postfix configuration setting:
non_smtpd_milters =
The postfix content filtering setting (content_filter) does not seem to apply to non-smtpd traffic, such as that sent by Unix accounts or PHP mail() script.
Actually this is wrong. From Stef on the mailing list changing the message body is not implemented via milter interface:
Have a look at the following documentation:
- http://www.amavis.org/README.postfix.html
- http://www.postfix.org/FILTER_README.html [Advanced content filter example]
A quick run through the config files [this is a quick cut-and-paste from my config files; beware that the port numbers might not match the above documents]:
/etc/amavisd.conf
$notify_method = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';
$inet_socket_port = [10024, 10026];
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
originating => 1, # declare that mail was submitted by our smtp client
allow_disclaimers => 1, # enables disclaimer insertion if available
}
/etc/postfix/master.cf
smtp inet n - n - - smtpd
-o content_filter = smtp-amavis:[127.0.0.1]:10024
[ you can also have the above config_filter configuration in /etc/postfix/main.cf as a default setting.
The options below override the defaults in main.cf ]
smtp-amavis unix - - n - 4 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
-o smtp_generic_maps=
localhost:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_delay_reject=no
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_authorized_xclient_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8,[::1]/128
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o local_header_rewrite_clients=
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o content_filter=smtp-amavis:[127.0.0.1]:10026
pickup unix n - n 60 1 pickup
-o content_filter=smtp-amavis:[127.0.0.1]:10026
Quick comments:
- incoming e-mail enters on port 25; with the “content-filter” option, it is sent to a mavis on port 10024
- amavis scans, tags, quarantines, … — if mail goes through, it goes to (postfix) port 10025 (this is done with the “$forward_method” in amavisd.conf)
- postfix (listening on port 10025) delivers the e-mail
outgoing e-mail should enter on the submission port [587] or delivered with the pickup service (“local e-mail”).
postfix forwards this e-mail to amavis on port 10026 (!)
the configuration of amavis is changed because of a “policy bank”
again, amavis forwards e-mail to postfix on port 10025
postfix (listening on port 10025) delivers e-mail
Kind regards,
Stef
I had a similar problem (in my case I use amavis to add the dkim signature) and it turns out that the problem was that, in master.cf, the pickup service was defined with "-o content_filter=", that's why content_filter wasn't working for locally generated emails, i.e.
pickup fifo n - n 60 1 pickup
-o content_filter=
-o receive_override_options=
Once I commented out the "-o content_filter=" amavis started filtering even the locally generated messages.
I'm adding a solution since I cannot add a comment and this is the first result when I searched for "postfix content_filter doesn't work for locally generated mail".
Related
I setup a mailserver with a couple different tutorials of Postfix and Dovecot. None of them seemed to actually work 100%. I did get it working with IMAP with SSL on 993 and SMTP with StartTLS on 465. However, mxtoolbox said this might be an open relay.
I wanted to get rid of this error so I added in some smtp restrictions. It gets rid of the error, but now I cannot send via mail clients.
It just sits on sending for a long time and then times out. I pulled the restrictions off of a question here, including fixes to the tutorials to get it working before.
Here is the master.cf:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
465 inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension}
${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
This is my main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Raspbian) This is not an open
relay.
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /root/fullchain.pem
smtpd_tls_key_file = /root/privkey.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions =
# subject even authenticated users and trusted networks
# to the policy check
check_policy_service inet:127.0.0.1:10031
permit_mynetworks
reject_unknown_sender_domain
permit_sasl_authenticated
defer_unauth_destination
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
# we exclude our networks and SASL authenticated users
# from all further checks.
# since I don't know if the policy service is relevant
# for unauthenticated mail, I commented it out here
# check_policy_service inet:127.0.0.1:10031
warn_if_reject reject_non_fqdn_hostname
warn_if_reject reject_non_fqdn_sender
reject_invalid_hostname
reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.smbecker.tk
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost =
mynetworks = 0.0.0.0/0 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#Handing off local delivery to Dovecot's LMTP, and telling it where to store
mail
virtual_transport = lmtp:unix:private/dovecot-lmtp
#Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-
domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
inet_protocols = ipv4
Basically, I want to be able to send and receive mail from anywhere as long as the domain and user exist on the server and authenticate with IMAP SSL on 993 and SMTP StartTLS on 465. The RPI has no firewall setup, but has a hardware firewall to the web only allowing ports 25,993,465. The client I am having an issue with though is a local PC without a firewall in between.
Before I made the changes to main.cf regarding:
smtpd_relay_restrictions =
# subject even authenticated users and trusted networks
# to the policy check
check_policy_service inet:127.0.0.1:10031
permit_mynetworks
reject_unknown_sender_domain
permit_sasl_authenticated
defer_unauth_destination
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
# we exclude our networks and SASL authenticated users
# from all further checks.
# since I don't know if the policy service is relevant
# for unauthenticated mail, I commented it out here
# check_policy_service inet:127.0.0.1:10031
warn_if_reject reject_non_fqdn_hostname
warn_if_reject reject_non_fqdn_sender
reject_invalid_hostname
reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
I was able to telnet on port 465. Now, I cannot. The mail log shows:
Jan 6 18:54:41 raspberrypi postfix/smtpd[30109]: lost connection after
CONNECT from unknown[10.100.100.1]
Before making changes, it just said:
smtpd_recipient_restrictions =
With nothing there.
Any one got any ideas on how to fix this?
Then I can start on Roundcube, DKIM, SFP, DMARC, and getting my ISP to create a PTR for me.
Basically, deployment of Postfix is a bit sophisticated.
My first Tip: I am using a wonderful set of Tools regarding deploy an open-source mail server called "Zimbra". It will take care of all you need and gives you a web Interface for management and UI.
Btw I can help you to fix your deployment fellow like this.
My second Tip: You may check firewalls, access permission and /etc/defaults if everything is fine. Sometimes simple Issue causes the Problem.
There is a tls log setting that will help with TLS issues:
http://www.postfix.org/TLS_README.html
Solution was to add:
smtpd_tls_loglevel = 2
which then showed me where the issue was.
Issue was here:
smtpd_relay_restrictions =
# subject even authenticated users and trusted networks
# to the policy check
check_policy_service inet:127.0.0.1:10031
I commented out the:
check_policy_service inet:127.0.0.1:10031
Now everything works and mxtoolbox shows it is not an open relay because it rejects their test message.
I am trying to set up a postfix mail server with dovecot as MDA.
According to this link to set up dovecot to use LMTP I have done the following config.
postfix
main.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
master.cf
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/bin/sudo /usr/lib/dovecot/deliver -f ${sender} -d ${user}
dovecot
dovecot.conf
protocols = imap lmtp
10-mail.conf
mail_privileged_group = mail
10-master.conf
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
# Create inet listener only if you can't use the above UNIX socket
#inet_listener lmtp {
# Avoid making LMTP visible for the entire internet
#address =
#port =
#}
}
The mailboxes will be present in user's home directory /users/<username>
As stated by the link /users is the home directory of vmail user.
However with this config when I try to send mail like:
mail -s "subj" username
The mail bounces saying
warning: maildir access problem for UID/GID=<uid>/<gid>: create maildir file ~username/Maildir/tmp/<tmp file>: Permission denied
The ownership of ~username is vmail:vmail
However the mail is successfully sent when the ownership is changed to <user>:<group> for each user.
How can I get this thing working with the mail directory ownership kept as vmail:vmail ?
Note: I am not trying to set up SASL as of yet.
I am just tryin
You need to change ownership users and groups using below mentioned command.
example:-
chown -R user:group /path/to/file
-R --> recursive option
I get email alerts that are generated by a user on one of my servers. These alerts are generated by server#######.com and they have to do with third party software not working properly.
I'm trying to use procmail to copy (as I want to keep receiving these) these emails to ABC#XYZ.com.
I'm looking for emails that, in their body, have "C:" followed by 6 characters, a dot, and 3 more characters. All of that is working fine, but I want the third party to get these emails from me bruno#XXXXXX.com rather than server.
How can I copy the email to a third party AND change the from address to be bruno#XXXXX.com?
Here's the procmail file:
cat .procmailrc
DROPPRIVS=yes
LOGFILE=$HOME/procmail.log
:0 c:
* B ?? C:......\....
! ABC#XYZ.com
:0 B:
* ^To: .*alerts#XXXXXX.com
! bruno#XXXXXX.com
Inject the headers you want with formail before piping to sendmail. (Recall that ! is basically a shorthand for | $SENDMAIL $SENDMAILFLAGS.)
Do I understand correctly that the first recipe is the one you would like to modify?
:0 c # No lockfile when forwarding
* B ?? C:......\....
| formail -I 'From: bruno#XXXXXX.com' \
| $SENDMAIL $SENDMAILFLAGS ABC#XYZ.com
Your second recipe similarly should not have a lock file; see http://www.iki.fi/era/procmail/mini-faq.html#locking
syslog is consistently returning for a specific domain the following result:
relay=mail.domain.tld. [XX.XXX.XXX.XX], dsn=5.0.0, stat=Service unavailable
what is a possible cause of the service unavailability and how can this be resolved?
sendmail (by sendmail.org) - getting outgoing SMTP transcript
As root send a test message with SMTP session tracking. It may provide more hints.
#!/bin/sh
TO=recipient#domain.tld
FROM=someone#your.domain
/usr/sbin/sendmail -v -Ac -i -f$FROM -- $TO <<END
subject: test
to: $TO
from: $FROM
test
END
I have installed ssmtp on my Linux server. Apache server works under www-data user, and send mail from ssmtp. In recieved emails I see www-data in sender name. How can I change it?
Here`s my configs:
/etc/ssmtp/ssmtp.conf
mailhub=smtp.gmx.com:587
hostname=mysite.com
FromLineOverride=YES
AuthUser=username#gmx.us
AuthPass=password
UseTLS=YES
UseSTARTTLS=YES
/etc/ssmtp/revaliases
root:username#gmx.us
user:username#gmx.us
www-data:username#gmx.us
You could change the user finger information for user 'www-data', namelly the 'Full Name" finger parameter.
You may do so using Linux 'chfn' command:
chfn -f "Email Sender Name" www-data
What this does is setting/changing the real name for that user in the finger information (stored in the /etc/passwd file -cf chfn man page-).
Alternatively you could use the Linux 'usermod' command as follow (though Linux manual states this is normally modified using the chfn utility - cf user mod man page - ):
usermod -c "Email Sender Name" www-data
This worked for me.