Thread: postgrey between own domains




postgrey between own domains
Spain
2007-03-19 11:44:25
Hi all!
I've a Debian Sarge with Postfix 2.1.5 installation working well with five domains.
Postgrey is working very well but there's one thing I'd want to avoid.

If some new user from, say domain1.com sends a mail to otheruser@domain2.com -both
domains are handled by the same postfix- the messages get greylisted. Postfix doesn't
attempt to re-send the e-mail to himself -or sends it after the delay period- so the mail
is lost.

¿How can I force postgrey to bypass all the local domains? Or

I've added the domains to the /etc/postgrey/whitelist_clients like

domain1.com
domain2.com
domain3.org
domain5.net

But it doesn't appear to work. I can't remember if I executed invoke-rc.d postgrey
force-reload, perhaps that was the problem




-- 
Unsubscribe mailto:postgrey-requestlist.ee.ethz.ch?subject=unsubscribe
Archive     http://lists.ee.ethz.ch/postgrey
WebAdmin    http://lists.ee.ethz.ch/lsg2.cgi


Re: postgrey between own domains
Germany
2007-03-19 12:25:43
Hi Asier,

did you try to put

domain1.com
domain2.com
domain3.org
domain5.net

into postgrey_whitelist_recipients? This is what I would try first.

Olaf



Re: postgrey between own domains
Spain
2007-03-19 12:56:41
Olaf Zaplinski wrote:
> did you try to put
>
> domain1.com
> domain2.com
> domain3.org
> domain5.net
>
> into postgrey_whitelist_recipients? This is what I would try first.

No, because I believe that doing that all the mails going to eg. domain1.com wouldn't go
through postgrey. I need the other way: all mails coming from domain1.com should be accepted.

I'm using the whitelist_clients file bundled with the debian postgrey package and there
isn't any domain written like 'xxxx.yy', all the lines are like this:

# wxs.nl (no retry, reported by Johannes Fehr)
/^p?smtp.*\.wxs\.nl$/
# ibm.com (big pool, reported by Casey Peel)
ibm.com
# messagelabs.com (big pool, reported by John Tobin)
/^mail\d+\.messagelabs\.com$/
# ptb.de (slow, reported by Joachim Schoenberg)
berlin.ptb.de
# registrarmail.net (unique sender names, reported by Simon Waters)
registrarmail.net
# google.com (big pool, reported by Matthias Dyer)
/^.*-out-.*\.google\.com$/





Re: postgrey between own domains
United Kingdom
2007-03-19 13:09:42
On Monday 19 March 2007 16:44, Asier Baranguán wrote:
>
> How can I force postgrey to bypass all the local domains?

Postfix should accept email from trusted IP addresses, or authenticated users,
before applying the greylist checks (or any other sender checks). So you just
have the tests out of order.

Post your main.cf for more detailed comments, or check the Postfix archive for
discussion of same.

In particular recipient res

smtpd_recipient_restrictions =
        permit_mynetworks,
        .......

"mynetworks" is implicitly included if this parameter is not set.

http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

> I can't remember if I executed invoke-rc.d
> postgrey force-reload, perhaps that was the problem

It would need reloading, but that isn't the way to solve this particular
problem, so don't go there.



Re: postgrey between own domains
Finland
2007-03-19 13:16:31
On Mon, Mar 19, 2007 at 05:44:25PM +0100, Asier Baranguán wrote:
> Hi all!
> I've a Debian Sarge with Postfix 2.1.5 installation working well with five domains.
> Postgrey is working very well but there's one thing I'd want to avoid.
>
> If some new user from, say domain1.com sends a mail to otheruser@domain2.com -both
> domains are handled by the same postfix- the messages get greylisted. Postfix doesn't
> attempt to re-send the e-mail to himself -or sends it after the delay period- so the mail
> is lost.
>
> ¿How can I force postgrey to bypass all the local domains? Or
>
> I've added the domains to the /etc/postgrey/whitelist_clients like
>
> domain1.com
> domain2.com
> domain3.org
> domain5.net

Clients = connecting servers, not emails. So obviously that doesn't work.

You should always whitelist at the first possible step, Postfix that is. Set
mynetworks correctly (127.0.0.1 and your server's IP) and have permit_mynetworks
before the check_policy_service in smtpd_recipient_restrictions (I assume you
have it there). That way it stops there before postgrey.

Cheers,
Henrik



Re: postgrey between own domains
Spain
2007-03-19 13:27:40
Simon Waters wrote:
> Postfix should accept email from trusted IP addresses, or authenticated users,
> before applying the greylist checks (or any other sender checks). So you just
> have the tests out of order.

I believe the tests are in the correct order, but I'll post the main.cf file (comments are
in Spanish, I can translate if needed)

> Post your main.cf for more detailed comments, or check the Postfix archive for
> discussion of same.

 > - - - - - [ /etc/postfix/main.cf ] - - - - - - - - - - - - - -
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 1h

# E-mail monitoring
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc_map
sender_bcc_maps = hash:/etc/postfix/sender_bcc_map

myhostname = correo.elpagestion.com
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = correo.elpagestion.com, localhost, $transport_maps
relayhost =
mynetworks = 127.0.0.0/8, correo.elpagestion.com
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

message_size_limit = 200000000

alias_maps = hash:/etc/aliases, hash:/etc/minimalist-aliases, mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
transport_maps = mysql:/etc/postfix/mysql-transport.cf
virtual_alias_maps = hash:/etc/minimalist-maps, mysql:/etc/postfix/mysql-virtual.cf
local_recipient_maps = $virtual_mailbox_maps unix:passwd.byname
virtual_mailbox_base = /var/vcorreo
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_uid_maps = static:1501
virtual_gid_maps = static:1501
virtual_mailbox_limit = 200000000


# Enable SASL authentication.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = elpagestion.com
broken_sasl_auth_clients = yes

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/ssl/correo.elpagestion.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/correo.elpagestion.com.pem
smtpd_tls_CAfile = /etc/postfix/ssl/elpaca.pem

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# Antivirus
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings

# Light anti-spam measures
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

# Relay policy.
smtpd_recipient_restrictions = permit_mynetworks,
          reject_invalid_hostname,
          reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          reject_unknown_sender_domain,
          reject_unknown_recipient_domain,
          permit_sasl_authenticated,
          reject_unauth_destination,
          reject_rbl_client list.dsbl.org,
          reject_rbl_client sbl.spamhaus.org,
          reject_rbl_client cbl.abuseat.org,
          reject_rbl_client dul.dnsbl.sorbs.bet,
          check_policy_service inet:correo.elpagestion.com:60000,
          permit

smtpd_data_restrictions = reject_unauth_pipelining,
         permit

 > - - - - - [ /etc/postfix/main.cf ] - - - - - - - - - - - - - -

Postgrey is listening at 127.0.0.1:60000, and clamsmtp at 10025. The hosted domains are
netsignia.es, elpagestion.com and some others. What I need is this:

The first time a triplet is built (client ip/sender/recipient) if the user sending the
mail is from one of the 'trusted', the mail will not be greylisted.





Re: postgrey between own domains
Spain
2007-03-19 13:35:18
Henrik Krohns wrote:
> On Mon, Mar 19, 2007 at 05:44:25PM +0100, Asier Baranguán wrote:
>> Hi all!
>> I've a Debian Sarge with Postfix 2.1.5 installation working well with five domains.
>> Postgrey is working very well but there's one thing I'd want to avoid.
>>
>> If some new user from, say domain1.com sends a mail to otheruser@domain2.com -both
>> domains are handled by the same postfix- the messages get greylisted. Postfix doesn't
>> attempt to re-send the e-mail to himself -or sends it after the delay period- so the mail
>> is lost.
>>
>> ¿How can I force postgrey to bypass all the local domains? Or
>>
>> I've added the domains to the /etc/postgrey/whitelist_clients like
>>
>> domain1.com
>> domain2.com
>> domain3.org
>> domain5.net
>
> Clients = connecting servers, not emails. So obviously that doesn't work.
>
> You should always whitelist at the first possible step, Postfix that is. Set
> mynetworks correctly (127.0.0.1 and your server's IP) and have permit_mynetworks
> before the check_policy_service in smtpd_recipient_restrictions (I assume you
> have it there). That way it stops there before postgrey.

Ok, I've added the IP of the server to the mynetworks policy and bound postgrey to the
host external IP address (correo.elpagestion.com) and posted the main.cf here.

Previously only 127.0.0.1 was there, no 'correo.elpagestion.com'.

I've logs of clients authenticated being greylisted:

 > - - - - - - - - - - - - -
Mar 16 12:11:40 correo postfix/smtpd[30621]: connect from 229.Red-88-2-97.staticIP.rima-tde.net[88.2.97.229]
Mar 16 12:11:40 correo postfix/smtpd[30621]: NOQUEUE: reject: RCPT from 229.Red-88-2-97.staticIP.rima-tde.net[88.2.97.229]: 450 <xxxxxxxelpagestion.com>: Recipient address rejected: Greylisted for 180 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/elpagestion.com.html); from=<yyyyynetsignia.es> to=<xxxxxxelpagestion.com> proto=ESMTP helo=<pcJRns01>
 > - - - - - - - - - - - - -

These users are using IMAP or POP3 ¿that matters?





Re: postgrey between own domains
Finland
2007-03-19 13:51:05
On Mon, Mar 19, 2007 at 07:35:18PM +0100, Asier Baranguán wrote:
>
> I've logs of clients authenticated being greylisted:
>
>  > - - - - - - - - - - - - -
> Mar 16 12:11:40 correo postfix/smtpd[30621]: connect from 229.Red-88-2-97.staticIP.rima-tde.net[88.2.97.229]
> Mar 16 12:11:40 correo postfix/smtpd[30621]: NOQUEUE: reject: RCPT from 229.Red-88-2-97.staticIP.rima-tde.net[88.2.97.229]: 450 <xxxxxxxelpagestion.com>: Recipient address rejected: Greylisted for 180 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/elpagestion.com.html); from=<yyyyynetsignia.es> to=<xxxxxxelpagestion.com> proto=ESMTP helo=<pcJRns01>
>  > - - - - - - - - - - - - -
>
> These users are using IMAP or POP3 ¿that matters?

Please understand how the restriction chain works. First match stops it.

Either you add your static users (like 88.2.97.229) to mynetworks, or use
authentication so permit_sasl_authenticated line matches.

Cheers,
Henrik



Re: postgrey between own domains
Spain
2007-03-19 14:05:58
Henrik Krohns wrote:
>> I've logs of clients authenticated being greylisted:
>>
>>  > - - - - - - - - - - - - -
>> Mar 16 12:11:40 correo postfix/smtpd[30621]: connect from 229.Red-88-2-97.staticIP.rima-tde.net[88.2.97.229]
>> Mar 16 12:11:40 correo postfix/smtpd[30621]: NOQUEUE: reject: RCPT from 229.Red-88-2-97.staticIP.rima-tde.net[88.2.97.229]: 450 <xxxxxxxelpagestion.com>: Recipient address rejected: Greylisted for 180 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/elpagestion.com.html); from=<yyyyynetsignia.es> to=<xxxxxxelpagestion.com> proto=ESMTP helo=<pcJRns01>
>>  > - - - - - - - - - - - - -
>>
>> These users are using IMAP or POP3 ¿that matters?
>
> Please understand how the restriction chain works. First match stops it.
>
> Either you add your static users (like 88.2.97.229) to mynetworks, or use
> authentication so permit_sasl_authenticated line matches.

Hmmm, ok, I see that this could be a postfix question more than a postgrey question... In
the log, if the mail reaches postgrey it is because it has passed all the restrictions. I know
how that chain works, that's why I've the smtpd_recipient_restrictions like this:

smtpd_recipient_restrictions = permit_mynetworks,
           reject_invalid_hostname,
           reject_non_fqdn_sender,
           reject_non_fqdn_recipient,
           reject_unknown_sender_domain,
           reject_unknown_recipient_domain,
           permit_sasl_authenticated,
           reject_unauth_destination,
           reject_rbl_client list.dsbl.org,
           reject_rbl_client sbl.spamhaus.org,
           reject_rbl_client cbl.abuseat.org,
           reject_rbl_client dul.dnsbl.sorbs.bet,
           check_policy_service inet:83.175.218.133:60000,
           permit

(in the previous mail check_policy_service was with the dns name)

I have the permit_sasl_authenticated as the seventh line. If my questions sound silly
probably it's my fault or my lack of knowledge, I know. That's why I'm asking, to gain
knowledge and try to help others in the future. Problems arose after installing Postgrey.
Perhaps I'm not asking the right way





Re: postgrey between own domains
Finland
2007-03-19 14:30:58
On Mon, Mar 19, 2007 at 08:05:58PM +0100, Asier Baranguán wrote:
> Henrik Krohns wrote:
> >> I've logs of clients authenticated being greylisted:
> >>
> >>  > - - - - - - - - - - - - -
> >> Mar 16 12:11:40 correo postfix/smtpd[30621]: connect from 229.Red-88-2-97.staticIP.rima-tde.net[88.2.97.229]
> >> Mar 16 12:11:40 correo postfix/smtpd[30621]: NOQUEUE: reject: RCPT from 229.Red-88-2-97.staticIP.rima-tde.net[88.2.97.229]: 450 <xxxxxxxelpagestion.com>: Recipient address rejected: Greylisted for 180 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/elpagestion.com.html); from=<yyyyynetsignia.es> to=<xxxxxxelpagestion.com> proto=ESMTP helo=<pcJRns01>
> >>  > - - - - - - - - - - - - -
> >>
> >> These users are using IMAP or POP3 ¿that matters?
> >
> > Please understand how the restriction chain works. First match stops it.
> >
> > Either you add your static users (like 88.2.97.229) to mynetworks, or use
> > authentication so permit_sasl_authenticated line matches.
>
> Hmmm, ok, I see that this could be a postfix question more than a postgrey question... In
> the log, if the mail reaches postgrey it is because it has passed all the restrictions. I know
> how that chain works, that's why I've the smtpd_recipient_restrictions like this:
>
> smtpd_recipient_restrictions = permit_mynetworks,
>            reject_invalid_hostname,
>            reject_non_fqdn_sender,
>            reject_non_fqdn_recipient,
>            reject_unknown_sender_domain,
>            reject_unknown_recipient_domain,
>            permit_sasl_authenticated,
>            reject_unauth_destination,
>            reject_rbl_client list.dsbl.org,
>            reject_rbl_client sbl.spamhaus.org,
>            reject_rbl_client cbl.abuseat.org,
>            reject_rbl_client dul.dnsbl.sorbs.bet,
>            check_policy_service inet:83.175.218.133:60000,
>            permit
>
> (in the previous mail check_policy_service was with the dns name)
>
> I have the permit_sasl_authenticated as the seventh line. If my questions sound silly
> probably it's my fault or my lack of knowledge, I know. That's why I'm asking, to gain
> knowledge and try to help others in the future. Problems arose after installing Postgrey.
> Perhaps I'm not asking the right way

No problem. Now you should know how to fix it.

If you are using authentication, then something is wrong if permit_sasl_authenticated
doesn't match. Can't help any more, since I have never used it, but I would imagine
quick googling would help.

Cheers,
Henrik
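
An added example, not part of any message in this thread: a log check for the symptom discussed above, greylist rejections where both envelope domains are hosted on the same server. The domain list, the mynetworks values and the sample log lines are constructed assumptions; only the log line layout follows the one quoted in the thread.

```python
import ipaddress
import re

# Assumed values for illustration (constructed, not the poster's real settings).
LOCAL_DOMAINS = {"domain1.com", "domain2.com"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.10/32")]

# Constructed sample lines, modelled on the Postfix log format quoted in the thread.
SAMPLE_LOG = """\
Mar 16 12:11:40 correo postfix/smtpd[30621]: NOQUEUE: reject: RCPT from pc1.example.net[198.51.100.7]: 450 <bob@domain2.com>: Recipient address rejected: Greylisted for 180 seconds; from=<alice@domain1.com> to=<bob@domain2.com> proto=ESMTP helo=<pc1>
Mar 16 12:12:02 correo postfix/smtpd[30622]: NOQUEUE: reject: RCPT from mx.example.org[203.0.113.25]: 450 <bob@domain2.com>: Recipient address rejected: Greylisted for 180 seconds; from=<news@example.org> to=<bob@domain2.com> proto=ESMTP helo=<mx.example.org>
Mar 16 12:13:15 correo postfix/smtpd[30623]: connect from pc1.example.net[198.51.100.7]
"""

# A Postfix "reject: RCPT" line whose reason is postgrey's "Greylisted" reply.
GREYLIST_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: 450 .*?Greylisted"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def domain_of(address):
    """Return the lower-cased domain part of an envelope address."""
    return address.rpartition("@")[2].lower()


def greylisted_between_own_domains(log_text):
    """List greylist rejections whose sender and recipient domains are both local.

    With the restriction chain posted in the thread, each hit means the client
    matched neither permit_mynetworks nor permit_sasl_authenticated before
    check_policy_service was reached. The MAIL FROM domain only identifies the
    symptom; it can be forged and is not a reason to trust the client.
    """
    findings = []
    for line in log_text.splitlines():
        m = GREYLIST_RE.search(line)
        if not m:
            continue
        sender, rcpt = m["sender"], m["rcpt"]
        if domain_of(sender) not in LOCAL_DOMAINS or domain_of(rcpt) not in LOCAL_DOMAINS:
            continue
        ip = ipaddress.ip_address(m["ip"])
        findings.append({
            "client_ip": str(ip),
            "sender": sender,
            "recipient": rcpt,
            # True here would mean the running mynetworks differs from the list above.
            "in_mynetworks": any(ip in net for net in MYNETWORKS),
        })
    return findings


if __name__ == "__main__":
    for finding in greylisted_between_own_domains(SAMPLE_LOG):
        print(finding)
```

Client addresses reported with in_mynetworks false are the ones that must either authenticate or be listed in mynetworks, as the replies above say.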


