10.6.8 Postfix Question

We've had a recent epidemic of users responding to phishing requests. While problematic for our e-mail reputation with the normal spammer sites (zen, Barracuda, etc.), the fix was easy enough: disable the user's mail account, clear the mail queue, retrain the user.
Our latest incident has proven more problematic and I'm wondering if anyone has seen this yet. I haven't even ruled out the notion of two separate problems yet.
Right after our latest phishing compromise I started showing a mailq that looked like this:
----snip-----
F41BE4DAD1B44     1127 Wed Sep  4 04:37:09
(delivery temporarily suspended: lost connection with mx2.hotmail.com[65.54.188.110] while sending RCPT TO)
(delivery temporarily suspended: lost connection with mx3.hotmail.com[65.54.188.126] while sending RCPT TO)
(delivery temporarily suspended: lost connection with mx2.hotmail.com[65.55.92.184] while sending RCPT TO)
F41CF4DAC1F79     1220 Wed Sep  4 04:04:49
(delivery temporarily suspended: host mx1.comcast.net[68.87.26.147] refused to talk to me: 554 imta30.westchester.pa.mail.comcast.net comcast 168.212.179.126 Comcast block for spam.  Please see http://postmaster.comcast.net/smtp-error-codes.php#BL000000)
(delivery temporarily suspended: host alt4.gmail-smtp-in.l.google.com[173.194.73.26] refused to talk to me: 421-4.7.0 [168.212.179.126] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. o5si4846796vdw.37 - gsmtp)
F423E4DA115B2      975 Tue Sep  3 19:41:29 
(delivery temporarily suspended: host mx01.gmx.com[74.208.5.27] refused to talk to me: 554-gmx.net (mxgmxus001) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=168.212.179.126)
----snip----
I own the sunnyside.wednet.edu domain but these are not my users.
We don't allow relays from outside the network. This is so messed up I'm not even sure how to google for answers.
Has anyone else run across this? If so, I'd love to chat and hear your solution.
Thank You,
-dave

Here are Mavericks system requirements:
http://support.apple.com/kb/HT5842
Ciao.

Similar Messages

  • Postfix Question: executing scripts

    Hi All,
    Postfix is a wonderful MTA but its man pages are not friendly-readable.
    So I'm still here asking for help on configuration.
    I have set up Postfix to receive mail for different virtual users and all seems to work fine.
    Now I need to deliver mail for [email protected] to usermailboxfile and also to a bash script (it's not a daemon, so it should be launched every time).
    (This script will read mail headers and will publish statistics to an HTML file.)
    So,
    is it possible to tell Postfix (in the aliases file) to deliver mail to a mailbox and also to execute a script for every new incoming mail?
    I hope yes !
    thanks in advance

    Filippo,
    The format would be something like:
    Username: |scriptname.sh
    Have you looked at the aliases manpage? In particular, the section below?
    |command
    Mail is piped into command. Commands that contain special characters, such as whitespace, should be enclosed between double quotes. See local(8) for details of delivery to command.
    When the command fails, a limited amount of command output is mailed back to the sender. The file /usr/include/sysexits.h defines the expected exit status codes. For example, use |"exit 67" to simulate a "user unknown" error, and |"exit 0" to implement an expensive black hole.

  • Postfix question:  postscreen_dnsbl_sites

    % postconf -n | grep postscreen_dnsbl_sites
    postscreen_dnsbl_sites = zen.spamhaus.org*2
    Can anyone tell me what the *2 signifies?
    Thanks,
    Rusty

    nh1256 wrote: Mar 09 06:03:31 mail postfix/pipe[18980]: EDC9B1C8047C: to=<[email protected]>, relay=dovecot, delay=592, delays=592/0.05/0/0.12, dsn=4.3.0, status=deferred (temporary failure)
    The dovecot logs should tell why dovecot fails to accept the mail.

  • Postfix Question

    Hi all,
    I think I need a Postfix guru.
    I have a Postfix mail server on a Tiger 10.4.9.
    The osx-box has two gateways and two IPs. The first is the default gateway (en0 - IP 82.100.xxx.xxx) and the second should be the Postfix gateway (en2 - IP 88.80.xx.xx).
    In Postfix's main.cf file setting the inet_interfaces to 88.80.xx.xx means that Postfix will accept connections to 88.80.xx.xx IP, but it will deliver mails through the default gateway ( en0 - 82.100.xxx.xxx). I need Postfix to deliver mail through the nondefaultgateway (en2 - 82.80.xx.xx).
    Is there a way to do this ?
    P.S. I cannot exchange the default_gateway with the nondefaultgateway.
    TIA

    The osx-box has two gateways and two IPs. The first is the default gateway (en0 - IP 82.100.xxx.xxx) and the second should be the Postfix gateway (en2 - IP 88.80.xx.xx).
    You can't do this. It has nothing to do with Postfix, it's basic TCP/IP networking.
    Your system can only have one default gateway, and that gateway address will be used for all non-local traffic that does not have a more specific route defined. Normally this means that traffic to any host not on a local network will go through the one default gateway.
    You can use a second gateway address, but only by telling the OS specifically which addresses to send through that router. Since routing is based on IP address and not protocol you cannot say 'send all mail through w.x.y.z', you can only say 'send all mail for a.b.c.d through w.x.y.z'. Unless you can predict the IP address of every mail server you're going to talk to, you're out of luck.

  • Question about NSS, clustering Postfix over NSS shared vol.

    Hi all!
    I have a question related to NSS. I am thinking to deploy an antispam server
    using Postfix, spam assassin, clam av, etc. So the first step on my implementation
    is to port Postfix to a cluster-service using NCS and move the Postfix queue to a shared
    volume, on a NSS volume from a SAN. So, here is the problem. I didn't have any problems
    migrating MySQL to a resource and the data dir to a shared NSS volume but with Postfix
    I am having a lot of problems moving the queue dir to a NSS filesystem.
    I think that the problem comes to the special file types like sockets, named pipes, etc.
    I have set up the users on LUM and assigned it on the NSS file system with rights command,
    but when Postfix tries to start, I have this error:
    host postfix/master[15616]: fatal: fifo_listen: create fifo public/pickup: Operation not permitted
    I'm afraid that the problem is that pickup is a special file. So the question basically is, is
    NSS able to manage this type of files? I am doing well moving the queue dir to a
    NSS shared volume?
    And, finally, If this could not be possible, Could I use a ext3 filesystem over NSS? I am a little
    lost about that...
    So much thanks!

    antoniogutierrez wrote:
    >
    > Hi all!
    >
    > I have a question related to NSS. I am thinking to deploy an antispam
    > server
    > using Postfix, spam assassin, clam av, etc. So the first step on my
    > implementation
    > is to port Postfix to a cluster-service using NCS and move the Postfix
    > queue to a shared
    > volume, on a NSS volume from a SAN. So, here is the problem. I didn't
    > have any problems
    > migrating MySQL to a resource and the data dir to a shared NSS volume
    > but with Postfix
    > I am having a lot of problems moving the queue dir to a NSS
    > filesystem.
    >
    > I think that the problem comes to the special file types like sockets,
    > named pipes, etc.
    > I have set up the users on LUM and assigned it on the NSS file system
    > with rights command,
    > but when Postfix tries to start, I have this error:
    >
    > host postfix/master[15616]: fatal: fifo_listen: create fifo
    > public/pickup: Operation not permitted
    >
    > I'm afraid that the problem is that pickup is a special file. So the
    > question basically is, is
    > NSS able to manage this type of files? I am doing well moving the queue
    > dir to a
    > NSS shared volume?
    >
    > And, finally, If this could not be possible, Could I use a ext3
    > filesystem over NSS? I am a little
    > lost about that...
    >
    > So much thanks!
    >
    >
    I would try and have the socket file to be local to the machine. Mysql sets
    up the same way when clustering. I have never even tried to get socket files
    to load on an nss volume. There really is not a reason to do that.

  • Postfix Virtual Mailbox Question

    Hi all,
    I've configured Postfix to act as SMTP server ...
    The mailboxes are all virtual,
    and this is the related main.cf section:
    virtual_mailbox_base = /var/spool/virtual
    virtual_mailbox_maps = hash:/var/spool/virtual/vmailbox
    virtual_mailbox_domains = hash:/var/spool/virtual/vmaildomains
    virtual_uid_maps = static:200
    virtual_gid_maps = static:200
    virtual_minimum_uid = 200
    virtual_mailbox_lock = dotlock
    Now, for some users I need to send a copy of every mail to a different address (not local).
    For ex. every mail for abuse@mydomain should be in the [email protected] mailbox AND [email protected]
    Is there anyone who can help me?
    TIA

    Hi Jeff,
    thanks a million for your help ... you can't believe how is appreciated !!!
    Well, I do this:
    in /etc/postfix/main.cf (added the bolded line)
    virtual_mailbox_base = /var/spool/virtual
    virtual_mailbox_maps = hash:/var/spool/virtual/vmailbox
    virtual_mailbox_domains = hash:/var/spool/virtual/vmaildomains
    virtual_alias_maps = hash:/var/spool/virtual/aliases
    virtual_uid_maps = static:200
    virtual_gid_maps = static:200
    virtual_minimum_uid = 200
    virtual_mailbox_lock = dotlock
    now: # cat /var/spool/virtual/aliases
    test@mydomain mydomain/test, [email protected]
    (NOTE: Just for privacy reason i've edited my domain name (FQDN) with mydomain and [email protected] is a real (hidden here) email account)
    now: # postmap /var/spool/virtual/vmailbox
    now: # postmap /var/spool/virtual/vmaildomains
    now: # postmap /var/spool/virtual/aliases
    now: # ls /var/spool/virtual/
    aliases aliases.db mydomain vmailbox
    vmailbox.db vmaildomains vmaildomains.db
    now: # postfix stop && postfix start
    Ok, that's all I do.
    If I try to send a mail to test@mydomain it bounces back.
    Questions: the user test has been already defined in the vmailbox file.
    If I comment the virtual_alias_maps directive in main.cf the user test@mydomain is able to receive mails.
    Any tips?

  • Postfix relay=none, ... status=deferred (Host or domain name not found...

    Hi,
    I actually posted this question 2 weeks ago but under the wrong topic. So, first of all wanted to apologise for double-posting... but since no one replied, I thought I'd try again under the right topic.
    I've been trying to solve this all day today (that was Feb 26th). I used to be able to send emails but for some reason it does not work anymore. At first I thought it was a problem with php (I use entropy pack php 5.2.6) but after searching the topic, I think it is a problem with my network. BTW OS is 10.5.5 and Postfix version 2.4.3
    First of all, after computer restart, I don't think postfix starts automatically
    Running 'sudo postfix start' gives me:
    postfix/postfix-script: starting the Postfix mail system
    Looking at '/var/log/mail.log' I find:
    Feb 27 12:51:04 AMs-MBP postfix/qmgr331: AA70A7A7C77: from=<[email protected]>, size=842, nrcpt=1 (queue active)
    Feb 27 12:52:19 AMs-MBP postfix/smtp456: AA70A7A7C77: to=<[email protected]>, relay=none, delay=3437, delays=3362/0.02/75/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=email.com type=MX: Host not found, try again)
    Running 'sudo postfix check' does not give me any errors
    Checking my '/etc/resolv.conf' it has nameserver 192.168.1.1
    Running 'ifconfig | grep netmask | grep -v 127.0.0.1 | awk {'print $2'}' gives:
    192.168.1.5
    Checking http://switch.richard5.net/2006/08/19/fatal-open-lock-file-pidmasterpid/ and running 'launchctl list' gives me a long list but no item matches org.postfix.master
    Running 'ps aux|grep postfix' gives
    AM 546 0.3 0.0 599820 468 s000 S+ 1:41pm 0:00.00 grep postfix
    _postfix 331 0.0 0.0 599816 824 ?? S 11:56am 0:00.04 qmgr -l -t fifo -u
    root 329 0.0 0.0 600784 752 ?? Ss 11:56am 0:00.11 /usr/libexec/postfix/master
    _postfix 519 0.0 0.0 599768 752 ?? S 1:36pm 0:00.01 pickup -l -t fifo -u
    Running 'postconf inet_interfaces' at first gave me
    inet_interfaces = localhost
    which I changed to All in '/etc/postfix/main.cf'
    I looked at http://www.postfix-book.com/debugging.html
    Running 'telnet localhost 25' gives me
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying fe80::1...
    telnet: connect to address fe80::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 AMs-MBP.local ESMTP Postfix
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    But running 'telnet 10.1.2.233 25' gives me
    Trying 10.1.2.233...
    telnet: connect to address 10.1.2.233: Operation timed out
    telnet: Unable to connect to remote host
    Running 'ping 134.169.9.107' takes a long time. After a while I stop it and get:
    PING 134.169.9.107 (134.169.9.107): 56 data bytes
    ^C
    --- 134.169.9.107 ping statistics ---
    28 packets transmitted, 0 packets received, 100% packet loss
    I have no idea what the problem is and/or how to fix it. I know the messages get to the postfix daemon but for some reason they do not continue on their way.
    Please, does anyone have an idea of how to fix this?
    TIA,
    Elle

    Dynamic IP addresses with DynDNS Updater (or equivalent) makes it pretty darned reliable, particularly if you buy DynDNS' Mailhop Forward service, which prevents the likes of roadrunner.com and aol.com from blocking mail coming from your server just because it lives in dynamicIP-land. Way cheaper than paying your ISP extra for a static IPA, too, and totally acceptable for low-volume, residential-based servers for personal not-for-profit use.
    Regarding reliable delivery to a dynIPA server, you are only at risk of non-receipt for perhaps a few minutes immediately following when your ISP rotates your WAN IPA, until DynDNS Updater (or equivalent) updates the DynDNS (or equivalent) servers with your new WAN IPA. But that's really not a problem because I think all, well, okay, most, smtp servers will queue for a redelivery attempt if the initial delivery attempt just happens to occur at that time.
    I wouldn't suggest this practice for high-volume enterprise-class servers or for people trying to run a bootleg mail server business for profit (besides, the ISP would shut it down as an abuse of terms of service, anyways), but for low-volume, residential-based servers for personal use and enjoyment, which I suspect is the case for the O.P., I can't say that I find anything unreliable about my dynamic IP-based mail server.

  • Question about download file in OAS4

    Question about download file in OAS4:
    I use Oracle Application Server 4.0.7 on my Windows NT 4.0 SP6;
    I use PL/Sql Cartridge developer a document system; It's use the
    upload/download in PL/Sql Cartridge;
    I read the document , the Upload/download in Pl/Sql Base on the
    Oracle Application Server's Content Service. the Problem is when I
    download a document, If I upload a Html or MsWord file, It will store in a LongRaw column, when me download ; It's tell me can't
    find a application to open this file; I will select a application
    from list to open the download file;
    As normal, It will open MsWord Automatic when download a "doc" file ; also It will open a new window of Browser to view a Html file;
    I check the download process on client Browser; when download
    file, The content-type always return "application/octet-stream";
    Also the download File will lost the postfix of the file,
    So Browser don't open the File Automatic;
    I think If I set the correct Content-Type , Browser can know how open the file; So I use owa_content.set_content_type procedure
    set the Doc file to "application/msword" , but the WEb Server always
    return "application/octet-stream";
    I didn't know how to do this problem, Please help me.

    I have a Tecra M2 and rely on your email update to ensure I have the latest drivers on my machine.
    When I received a Toshiba support email on 14 April 2005 giving reference to a QFE from Microsoft I assumed it would be necessary for my Tecra.
    I was very confused when I found that this QFE and subsequent ones posted on the 16 April 2005 relate to Pre SP2 critical updates not required if one has already taken earlier advice of updating to Service Pack, at the very least your narrative should make mention of this. I find it very difficult to believe that your updates are two+ years out of date.

  • 10.5.2 Virtual Domains - 2 user questions

    (NOTE: Generic host and domain names used in this mail, real ones are used for the actual machine)
    Clean 10.5.1 install, immediately hit software update multiple times till 10.5.2 and any other offered updates were installed.
    Went into WGM and created the accounts for my virtual domain users (I will not be doing any mail accounts on the main server which is called localhost.local) using the same setup as the 10.5.1 tutorial referenced many times on this site. I made no by-hand file changes other than making the bounces soft instead of hard, as I think that virtual domains are supposed to work now with 10.5.2.
    Went into Server Admin, added Mail as a service and configured it with my virtual domain in the Advanced/Hosting tab and turned on debug output for SMTP and POP.
    Pointed my firewall at the new mail server so that DNS would be correct
    Tried sending a mail from my test user to my test user from a mail client on my LAN.
    YAY! It works!
    Ok, so with the WGM version of virtual domains, where do I put the dreaded catch-all user for the one domain that required it?
    Do I just make a virtual user account with the second shortname being @mydomain1.com?
    And, for forward-only mail addresses do I make a virtual user account with the "mail" tab set to forward?
    Or, do I still use the tutorial method for those features where I edit files directly?
    Thanks, and (fingers crossed) last question for a while.
    ------ main.cf ------
    queue_directory = /private/var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    mail_owner = _postfix
    unknown_local_recipient_reject_code = 450
    unknown_virtual_alias_reject_code = 450
    unknown_virtual_mailbox_reject_code = 450
    debug_peer_level = 2
    debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = _postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix/examples
    readme_directory = /usr/share/doc/postfix
    mydomain_fallback = localhost
    message_size_limit = 10485760
    myhostname = localhost.local
    mailbox_transport = cyrus
    mailbox_size_limit = 0
    mydomain = local
    enable_server_options = yes
    inet_interfaces = all
    smtpd_client_restrictions = permit_mynetworks reject_rbl_client zen.spamhaus.org permit
    maps_rbl_domains =
    content_filter = smtp-amavis:[127.0.0.1]:10024
    smtpd_sasl_auth_enable = yes
    smtpd_use_pw_server = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
    smtpd_pw_server_security_options = cram-md5
    virtual_transport = lmtp:unix:/var/imap/socket/lmtp
    virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
    ---------- virtual --------
    This file is empty other than comments
    ----------- virtual_domains ----------
    mydomain1.com allow
    mydoamin2.net allow

    Thanks for the feedback. Good to hear virtual domains set up from scratch work in 10.5.2.
    Ok, so with the WGM version of virtual domains, where do I put the dreaded catch-all user for the
    one domain that required it?
    Do I just make a virtual user account with the second shortname being @mydomain1.com?
    To be honest, I never tried, but I seriously doubt this will work (worth trying though). I'd put it in /etc/postfix/virtual (can coexist fine with WGM, but you'll need to add the reference to it to main.cf).
    And, for forward-only mail addresses do I make a virtual user account with the "mail" tab set to forward?
    As above, worth trying. Doubt it'll work through WGM.
    Generally speaking and from my experience and assuming there are no bugs, Server Admin and WGM allow for basic setups. Anything slightly advanced is better done through the command line. Sad but true.

  • To Server, or Not to Server, that is the question

    Recently we decided to upgrade our (centuries) old mail and web server from WebStar. Being UNIX neophytes, we purchased a copy of Server 10.3 so as to not have to deal with all that icky sudo pico make stuff.
    Alas, as I'm sure you all would have told us, we've spent the past two weeks doing exactly that.
    So, my question is; if all we are going to do is web and mail services are we better off just using regular 10.4? Seems that in order to use postfix effectively means we can't use the server interface anyway.
    Thanks - --joe
    g4 powerbook   Mac OS X (10.3.9)  

    So, my question is; if all we are going to do is web
    and mail services are we better off just using
    regular 10.4? Seems that in order to use postfix
    effectively means we can't use the server interface
    anyway.
    Thanks - --joe
    g4
    powerbook   Mac OS X (10.3.9)  
    The difference between Client and Server is on well-done installation of the software rather than its GUI (Server Admin/ Workgroup Manager).
    The GUI does not cover all software possibilities, some extra configurations need to be made on terminal.
    On Client you'll find a pre-installed Apache (the same as Server) with therefore the same modules (php too), no caching no GUI absolutely, but if you ask google you'll find some setup utilities but it's better you take a look at the manual.
    Postfix on Client is also installed but you have to enable it. You can do it
    also in this case some utilities with no pain but what about installing a MTA (Cyrus), or a junk mail filter suite (spamassassin,razor,clamav) and join all together?
    If you are not familiar with Unix and server installations, I suggest to consider to split your service in two separate machines,
    a MacOsX Server machine for Mail service/Lan service and another one (MacOsXclient) for your Web Service.
    Of course there are many other differences/advantages between Server and Client System software.
    I use both.
    bye bye
    PowerBook G4 15" AL   Mac OS X (10.4.7)   1.5 Gb Ram

  • How to use Message Filter to log postfix authenticated sender header

    I'm trying to log the username from the postfix authenticated sender header information.
    Here is an example of the header:
    Received: from [123.123.123.123] (client.domain.edu [234.234.234.234])
    (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client
     certificate requested) (Authenticated sender: [email protected]) by
     postfix.domain.edu (Postfix) with ESMTPSA id DE8A3E9429 for
     <[email protected]>; Thu, 12 Jun 2014 12:16:56 -0700 (PDT)
    And here is the message filter I'm working on:
    if (recv-int == "OutboundIP") {
      if (header('Received') == '\\(Authenticated sender: .+@ad\\.domain\\.edu\\)') {
        log-entry("Authenticated Sender: '$MatchedContent'");
      }
    }
    Everything is working except for the $MatchedContent variable.  It is creating the custom log entry but it is only showing as "Authenticated Sender: "
    Does anyone have any ideas on how to get the $MatchedContent variable to work or another way to log that username?

    Try taking out the ' from around your '$MatchedContent'...
    My example:
    dictionary_match:
    if (dictionary-match('not_allowed_words')) {
      edit-header-text ("Subject", "^", "Notice Content Matched on: $MatchedContent");
      log-entry("#---# This email had: $MatchedContent #---#");
      notify('[email protected]');
    }
    Sent an email with a known "secret" in the email body... and "secret" is in my "not_allowed_words" dictionary... so it'll trip my "dictionary_match" message filter...
    Mail logs --->
    Thu Jun 12 23:10:46 2014 Info: New SMTP ICID 181 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
    Thu Jun 12 23:10:46 2014 Info: ICID 181 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
    Thu Jun 12 23:10:46 2014 Info: Start MID 105 ICID 181
    Thu Jun 12 23:10:46 2014 Info: MID 105 ICID 181 From: <[email protected]>
    Thu Jun 12 23:10:46 2014 Info: MID 105 ICID 181 RID 0 To: <[email protected]>
    Thu Jun 12 23:10:46 2014 Info: MID 105 Message-ID '<[email protected]>'
    Thu Jun 12 23:10:46 2014 Info: MID 105 Subject 'This email has an issue'
    Thu Jun 12 23:10:46 2014 Info: MID 105 ready 561 bytes from <[email protected]>
    Thu Jun 12 23:10:46 2014 Info: MID 105 Custom Log Entry: #---# This email had: secret #---#
    Thu Jun 12 23:10:46 2014 Info: Start MID 106 ICID 0
    Thu Jun 12 23:10:46 2014 Info: MID 106 was generated based on MID 105 by notify filter 'dictionary_match'
    Thu Jun 12 23:10:46 2014 Info: MID 106 ICID 0 From: <[email protected]>
    Thu Jun 12 23:10:46 2014 Info: MID 106 ICID 0 RID 0 To: <[email protected]>
    Thu Jun 12 23:10:46 2014 Info: MID 106 DomainKeys: cannot sign - no profile matches [email protected]
    Thu Jun 12 23:10:46 2014 Info: MID 106 DKIM: cannot sign - no profile matches [email protected]
    Thu Jun 12 23:10:46 2014 Info: MID 106 ready 970 bytes from <[email protected]>
    Thu Jun 12 23:10:46 2014 Info: MID 106 queued for delivery
    Thu Jun 12 23:10:46 2014 Info: MID 105 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
    Thu Jun 12 23:10:46 2014 Info: MID 105 queued for delivery
    Thu Jun 12 23:10:46 2014 Info: New SMTP DCID 53 interface 172.16.6.165 address 173.36.13.143 port 25
    Thu Jun 12 23:10:46 2014 Info: New SMTP DCID 54 interface 172.16.6.165 address 173.36.13.143 port 25
    Thu Jun 12 23:10:46 2014 Info: Delivery start DCID 54 MID 105 to RID [0]
    Thu Jun 12 23:10:47 2014 Info: DCID 53 TLS success protocol TLSv1 cipher RC4-SHA 
    Thu Jun 12 23:10:47 2014 Info: Delivery start DCID 53 MID 106 to RID [0]
    Thu Jun 12 23:10:47 2014 Info: Message done DCID 54 MID 105 to RID [0] 
    Thu Jun 12 23:10:47 2014 Info: MID 105 RID [0] Response '2.0.0 s5D3Aobe022251 Message accepted for delivery'
    Thu Jun 12 23:10:47 2014 Info: Message finished MID 105 done
    Thu Jun 12 23:10:47 2014 Info: Message done DCID 53 MID 106 to RID [0] 
    Thu Jun 12 23:10:47 2014 Info: MID 106 RID [0] Response '2.0.0 s5D3AoFH012632 Message accepted for delivery'
    Thu Jun 12 23:10:47 2014 Info: Message finished MID 106 done
    Thu Jun 12 23:10:52 2014 Info: DCID 54 close
    Thu Jun 12 23:10:52 2014 Info: DCID 53 close
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Configure postfix to accept inbound mail only from Google

    I like to host my own email on a Mac Mini running OS X Server.  I’ve also looked for solutions that allow filtering out SPAM before the mail gets sent to my server.  For many years I used Postini’s spam filtering service to clean incoming email before Postini forwarded the mail on to my server.  I now use Google mail, part of Google Apps service to remove spam and to archive all the mail.
    The approach of letting Google clean email before sending the mail on to my OS X Server uses two domains, one a “public” domain for incoming email and another a “private” domain used only for forwarding the filtered email to OS X server.
    All went well with the default Postfix configuration that came with OS X Server for a few months, then SPAM started creeping into my “private” domain as various spammers discovered my private email address and started sending mail directly to the Mac Mini, bypassing Google.
    Whenever I had spare time I would search the web looking for how to configure Postfix on OS X server so that email from Google and my other machines would be accepted and all other email would be blocked.  There were lots of write-ups on how to relay outgoing email to Google, but I couldn’t find straightforward configuration instructions for configuring Postfix to only allow incoming email forwarded by Google or coming from my machines and block all other sources.
    With a Google apps account you get telephone support so I gave Google a call and within a few rings got a very pleasant guy who listened to what I wanted to do and didn’t have the configuration setup, but did offer to send me a document showing the blocks of IP addresses used by Google for sending email. 
    I’ve posted several requests for help doing this type of configuration and never received responses that made sense.  So in the interest of helping anyone else that wants to configure Postfix to accept connections from a set of specific IP addresses and refuse connections from all other connections for inbound email, here is what will get you going:
    Use your favorite text editor to edit the Postfix configuration file (I use BBEDIT) but use whatever you like. 
    On the OS X Server open this file:
    /Library/Server/Mail/Config/postfix/main.cf
    Immediately do a “save as…” to make a backup copy with a different name, such as …mail.df.back1 in the same directory so you can revert to the backup if necessary.
    substitute your domain names in the following commands:
    public.com   -  change to your publicly advertised  routable domain
    hidden.com  -  change to your OS X Server  routable domain
    lan.com - change to your OS X Server lan domain, should be registered to make things clean and shouldn’t be .local
    10.6.18.0/24 - change to your LAN subnet
    host - change to your host name
    Your Postfix configuration file should contain these commands (and probably more).  Each situation varies so do what you have to for your situation….
    Have Postfix add your public domain name in the email header
    myorigin = public.com
    mydomain_fallback = localhost
    message_size_limit = 41943040
    biff = no
    aaa.bbb.ccc.ddn - Your publicly routable IP addresses provided by your ISP
    Let Postfix know your LAN network, the routable addresses you have from your ISP, and the Google networks where the Google email servers live.  Get the latest list of Google networks hosting email at this address: https://support.google.com/a/answer/3070269
    mynetworks =
              10.6.18.0/24,
              127.0.0.0/8
    # ISP provided routable  IP Addresses, individually or cidr aaa.bbb.ccc.0/24 notation if possible
              aaa.bbb.ccc.dd1,
              aaa.bbb.ccc.dd2,
              aaa.bbb.ccc.dd3,
              aaa.bbb.ccc.dd4,
    # Google networks 
              64.18.0.0/20
              64.233.160.0/19
              66.102.0.0/20
              66.249.80.0/20
              72.14.192.0/18
              74.125.0.0/16
              173.194.0.0/16
              207.126.144.0/20
              209.85.128.0/17
              216.239.32.0/19
    smtpd_client_restrictions =
              permit_mynetworks
              permit_sasl_authenticated
    #  Comment out the spam blacklist sites since Google does spam filtering for you
    #          reject_rbl_client bl.spamcop.net
    #          reject_rbl_client zen.spamhaus.org
    #          permit
    #  If you get this far, reject because the IP address isn’t one of yours or Google’s
              REJECT
    The rest of the config file should be  pretty much what you already have in place
    recipient_delimiter = +
    smtpd_tls_ciphers = medium
    inet_protocols = all
    inet_interfaces = all
    config_directory = /Library/Server/Mail/Config/postfix
    smtpd_enforce_tls = no
    smtpd_use_pw_server = yes
    relayhost =
    smtpd_tls_cert_file =  your cert file path here
    mydomain = hidden.com
    smtpd_pw_server_security_options = cram-md5,digest-md5,login,plain
    smtpd_sasl_auth_enable = yes
    smtpd_helo_required = yes
    smtpd_tls_CAfile = your file path here
    content_filter = smtp-amavis:[127.0.0.1]:10024
    smtpd_recipient_restrictions =
         permit_mynetworks,
         permit_sasl_authenticated,
         check_policy_service unix:private/policy,
         reject_unauth_pipelining,
         reject_invalid_hostname,
         reject_unauth_destination,
         reject_unknown_recipient_domain,
         reject_non_fqdn_recipient,
         permit
    header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks
    myhostname = host.hidden.com
    smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
    smtpd_use_tls = yes
    smtpd_tls_key_file = your path here
    enable_server_options = yes
    recipient_canonical_maps = hash:/Library/Server/Mail/Config/postfix/system_user_maps
    virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users
    virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, ipv6.$mydomain, public.com
    mailbox_transport = dovecot
    postscreen_dnsbl_sites = zen.spamhaus.org*2
    maps_rbl_domains =
    This config file should do the job of keeping out everyone but the Google email servers and devices on your WAN and LAN.
    Any suggestions to make this better or more efficient welcomed!
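Putting Google's ranges in mynetworks, as the configuration above does, also makes them match permit_mynetworks in smtpd_recipient_restrictions, so every host in those ranges is allowed to relay to any destination. The Python model below is an added example, not part of the original post: it walks the two restriction lists in order and compares the posted layout with a hypothetical variant that admits Google through a check_client_access cidr table and keeps mynetworks to the LAN. The names walk, decide, AS_POSTED and HARDENED and the test addresses are illustrative assumptions.

```python
import ipaddress

# Simplified model: each restriction list is walked in order; the first PERMIT
# ends only that list, the first REJECT refuses the mail outright.
LAN = ["10.6.18.0/24", "127.0.0.0/8"]
GOOGLE = ["64.233.160.0/19", "74.125.0.0/16", "209.85.128.0/17"]  # subset of the post's list

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def walk(restrictions, ctx):
    for r in restrictions:
        if r == "permit_mynetworks" and in_nets(ctx["ip"], ctx["mynetworks"]):
            return "PERMIT"
        if r == "check_client_access" and in_nets(ctx["ip"], ctx["allow_cidr"]):
            return "PERMIT"  # models an "OK" entry in a cidr: lookup table
        if r == "reject_unauth_destination" and ctx["rcpt_domain"] not in ctx["mydestination"]:
            return "REJECT"
        if r in ("permit", "reject"):
            return r.upper()
        # permit_sasl_authenticated never matches: modelled clients are unauthenticated
    return "DUNNO"

def decide(cfg, ip, rcpt_domain):
    ctx = dict(cfg, ip=ip, rcpt_domain=rcpt_domain)
    for stage in ("client", "recipient"):
        if walk(cfg[stage], ctx) == "REJECT":
            return "REJECT"
    return "ACCEPT"

# Layout from the post: Google's ranges are trusted networks.
AS_POSTED = {
    "mynetworks": LAN + GOOGLE, "allow_cidr": [],
    "mydestination": {"public.com", "hidden.com"},
    "client": ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
    "recipient": ["permit_mynetworks", "permit_sasl_authenticated",
                  "reject_unauth_destination", "permit"],
}
# Hypothetical variant: Google may connect, but only the LAN may relay.
HARDENED = dict(AS_POSTED, mynetworks=LAN, allow_cidr=GOOGLE,
                client=["permit_mynetworks", "permit_sasl_authenticated",
                        "check_client_access", "reject"])
```

With the posted layout a client at 74.125.1.1 is accepted for a recipient at a third-party domain; in the variant the same client can only deliver to domains in mydestination, and addresses outside the LAN and the allowlist are still refused at connect time.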

    After a few telnet tests I can answer my own question: It makes an open relay server to spammers! But to solve the former issue with the connection refuse, I had to switch to virtual hosting in the advanced tab of the mail service and add my own domains.

  • A question about sendmail on solaris(10 and 11)

    I have a private network for work; all machines are Linux or Unix.
    I have one SMTP server running Postfix, which forces all connections
    to use TLS (excuse my English, it is really bad).
    On HP-UX 11.31 I use this .mc:
    divert(0)dnl
    VERSIONID(`$Id: generic-hpux10.mc,v 8.13 2001/05/29 17:29:52 ca Exp $')
    OSTYPE(hpux11)dnl
    DOMAIN(generic)dnl
    define(`_X400_UUCP_')dnl
    define(`_MASQUERADE_ENVELOPE_')dnl
    define(`MASQUERADE_NAME')dnl
    define(`confTRY_NULL_MX_LIST',`T')dnl
    define(`LUSER_RELAY',`name_of_luser_relay')dnl
    define(`DATABASE_MAP_TYPE',`dbm')dnl
    define(`_CLASS_U_')dnl
    define(`LOCAL_RELAY')dnl
    define(`MAIL_HUB')dnl
    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5')dnl
    FEATURE(always_add_domain)dnl
    MAILER(local)dnl
    MAILER(smtp)dnl
    MAILER(openmail)dnl
    MAILER(uucp)dnl
    define(`SMART_HOST', `posta.domain.com')
    define(`confCACERT_PATH', `/etc/mail/certs')dnl
    define(`confCACERT', `/etc/mail/certs/domain.com.crt')dnl
    define(`confSERVER_CERT', `/etc/mail/certs/hpux2.domain.com.crt')dnl
    define(`confSERVER_KEY', `/etc/mail/certs/hpux2.domain.com.key')dnl
    define(`confCLIENT_CERT', `/etc/mail/certs/hpux2.domain.com.crt')dnl
    define(`confCLIENT_KEY', `/etc/mail/certs/hpux2.domain.com.key')dnl
    define(`confRAND_FILE',`egd:/dev/urandom')dnl
    D{tls_version}TLSv1
    O UseTLS=True
    On Solaris this
    divert(0)dnl
    VERSIONID(`sendmail.mc (Sun)')
    OSTYPE(`solaris11')dnl
    DOMAIN(`solaris-generic')dnl
    define(`confFALLBACK_SMARTHOST', `mailhost$?m.$m$.')dnl
    FEATURE(genericstable)dnl
    FEATURE(mailertable)dnl
    FEATURE(domaintable)dnl
    FEATURE(allmasquerade)dnl
    FEATURE(promiscuous_relay)dnl
    FEATURE(accept_unresolvable_domains)dnl
    FEATURE(accept_unqualified_senders)dnl
    FEATURE(no_default_msa)
    DOMAIN(`posta.domain.local')dnl
    MAILER(`local')dnl
    MAILER(`smtp')dnl
    define(`confSMTP_LOGIN_MSG', `$j Sendmail $b')
    define(`SMART_HOST', `posta.domain.com')
    define(`confCACERT_PATH', `/etc/mail/certs')dnl
    define(`confCACERT', `/etc/mail/certs/domain.local.crt')dnl
    define(`confSERVER_CERT', `/etc/mail/certs/solaris.domaincrt')dnl
    define(`confSERVER_KEY', `/etc/mail/certs/solaris.domain.coml.key')dnl
    define(`confCLIENT_CERT', `/etc/mail/certs/solaris.domain.com.crt')dnl
    define(`confCLIENT_KEY', `/etc/mail/certs/solaris.domain.com.key')dnl
    define(`confRAND_FILE',`egd:/dev/urandom')dnl
    D{tls_version}TLSv1
    On HP-UX everything works fine and mail is sent; on Solaris it gives me these errors:
    [192.168.3.252], dsn=5.0.0, stat=Service unavailable
    Diagnostic-Code: SMTP; 530 5.7.0 Must issue a STARTTLS command first
    I tried to set UseTLS=True on Solaris as well, but it gives me an error and sendmail doesn't start.
    How do I set sendmail to use TLS?
    Thanks to whoever helps me.

    Solution found using this mc
    divert(0)dnl
    VERSIONID(`sendmail.mc (Sun)')
    OSTYPE(`solaris11')dnl
    DOMAIN(`solaris-generic')dnl
    define(`confCACERT_PATH', `/etc/mail/certs')dnl
    define(`confCACERT', `/etc/mail/certs/domain.com.crt')dnl
    define(`confSERVER_CERT', `/etc/mail/certs/solaris11.domain.com.crt')dnl
    define(`confSERVER_KEY', `/etc/mail/certs/solaris11.domain.com.key')dnl
    define(`confCLIENT_CERT', `/etc/mail/certs/solaris11.domain.com.crt')dnl
    define(`confCLIENT_KEY', `/etc/mail/certs/solaris11.domain.com.key')dnl
    define(`confRAND_FILE',`egd:/dev/urandom')dnl
    define(`_X400_UUCP_')dnl
    define(`_MASQUERADE_ENVELOPE_')dnl
    define(`MASQUERADE_NAME')dnl
    define(`confTRY_NULL_MX_LIST',`T')dnl
    define(`LUSER_RELAY',`name_of_luser_relay')dnl
    define(`DATABASE_MAP_TYPE',`dbm')dnl
    define(`_CLASS_U_')dnl
    define(`LOCAL_RELAY')dnl
    define(`MAIL_HUB')dnl
    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5')dnl
    FEATURE(always_add_domain)dnl
    FEATURE(access_db)dnl
    MAILER(local)dnl
    MAILER(smtp)dnl
    MAILER(uucp)dnl
    define(`SMART_HOST', `posta.domain.com')
    define(`confCACERT_PATH', `/etc/mail/certs')dnl
    define(`confCACERT', `/etc/mail/certs/domain.com.crt')dnl
    define(`confSERVER_CERT', `/etc/mail/certs/solaris11.domain.com.crt')dnl
    define(`confSERVER_KEY', `/etc/mail/certs/solaris11.domain.com.key')dnl
    define(`confCLIENT_CERT', `/etc/mail/certs/solaris11.domain.com.crt')dnl
    define(`confCLIENT_KEY', `/etc/mail/certs/solaris11.domain.com.key')dnl
    define(`confRAND_FILE',`file:/dev/random')dnl
    D{tls_version}TLSv1
    and makemap dbm access file
    Last question: how to disable ssl3 and enable tls1 only?

  • Smtp sender restrictions question

    I have the following in my main.cf file for sender restrictions: permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, permit
    Seems pretty standard, but I have had some students in my district send emails to teachers as [email protected] Now the first thing I am going to do is take the building ip ranges out of the mynetworks and require sasl on all email clients. I think this will stop this from happening.
    My question is can a student send an email as a bogus user to someone from mydomain if they don't have some way of sasl authentication? I remember in the past that when my teachers were at home and they would send emails they could send to each other mydomain to mydomain but not outside, mydomain to yahoo.com for example.
    So they were not using sasl or mynetworks because they were using their home ip. If that would still be allowed, what can I do.
    Thanks for any clarifications!
    JL
      Mac OS X (10.4.8)  

    I was a little confused by your question, so this may
    sound like more of a "buck-shot" approach to your
    problem than you would like. I apologize if this
    doesn't answer your question directly. However, if I
    were you, I would implement Pterobyte's "Frontline
    spam defense for Mac OS X Server" located at
    http://osx.topicdesk.com/downloads
    I have enabled this, it is excellent.
    In this PDF file, Pterobyte provides a set of
    restrictions for main.cf that optimizes Postfix's
    abilities to deal with unwanted mail up-front before
    it reaches your content filter.
    Concerning your question specifically, are you saying
    that a student can send mail using your mail server
    without authenticating as long as they are sending to
    another user on the server and claiming to have an
    email address originating from your TLD?
    I believe the student is using terminal or something similar on some of our less restricted osx laptops, he is then sending emails to users in my domain. If I remove the ip range from the building he is in, will it stop him from sending emails? He is making up a return address like [email protected] and sending to [email protected] He might even be using php, but I only want email to go to any user local or not, from the district, if they have set my server requires authentication in an email client.
    Will removing the ip be enough to stop this?
    Thanks!
    JL
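Before and after changing mynetworks, the mail log shows whether this is happening: smtpd logs the connecting client (with sasl_username when the session authenticated) and qmgr logs the envelope sender under the same queue ID. The following is an added example, not from the thread; the log lines, the domain district.example and the function name are constructed for illustration.

```python
import re

# smtpd "client=" line and qmgr "from=" line, joined on the queue ID.
CLIENT = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+?)\[([^\]]+)\](.*)")
FROM = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")

# Constructed sample log lines.
SAMPLE_LOG = """\
Sep  4 09:12:01 mail postfix/smtpd[411]: 3A1F2C0011: client=lab-mac12.district.example[10.6.18.77]
Sep  4 09:12:01 mail postfix/qmgr[302]: 3A1F2C0011: from=<principal@district.example>, size=812, nrcpt=1 (queue active)
Sep  4 09:13:40 mail postfix/smtpd[415]: 3A1F2C0042: client=home.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=teacher1
Sep  4 09:13:40 mail postfix/qmgr[302]: 3A1F2C0042: from=<teacher1@district.example>, size=990, nrcpt=1 (queue active)
Sep  4 09:15:02 mail postfix/smtpd[418]: 3A1F2C0077: client=mx.example.org[203.0.113.5]
Sep  4 09:15:02 mail postfix/qmgr[302]: 3A1F2C0077: from=<parent@example.org>, size=1500, nrcpt=1 (queue active)
""".splitlines()

def unauthenticated_local_senders(lines, own_domain):
    """Return (queue_id, sender, client_ip) for mail that claims a sender in
    own_domain but arrived over a session without SASL authentication."""
    clients, hits = {}, []
    for line in lines:
        m = CLIENT.search(line)
        if m:
            qid, _host, ip, rest = m.groups()
            clients[qid] = (ip, "sasl_username=" in rest)
            continue
        m = FROM.search(line)
        if m and m.group(1) in clients:
            qid, sender = m.groups()
            ip, authed = clients.pop(qid)  # pop: qmgr repeats from= on each retry
            if sender.lower().endswith("@" + own_domain) and not authed:
                hits.append((qid, sender, ip))
    return hits
```

Hits from addresses inside mynetworks are the sessions that permit_mynetworks currently lets through; hits from outside addresses are inbound deliveries to local recipients, which removing the building ranges from mynetworks does not affect.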

  • Can you have a mailbox named Admin AND a postfix alias named Admin that goes to one or more other actual mailboxes?

    My question is re: Mail service in Mac OS X Snow Leopard Server 10.6. Can you have an actual mailbox named Admin AND a postfix alias named Admin that goes to one or more other actual mailboxes?  Or is it only one or the other?  I have a customer who currently has a bunch of mailboxes (info, admin, etc.) and those that need access to them do so via Mail client, etc.  Now they are asking about aliases so they don't all have to access the same mailbox, requiring setup, etc.  Do I have to delete the actual mailboxes in order to create Postfix aliases (admin, info, etc.) or can they coexist?
    Thanx in advance,
    Eric

    Thanx Camelot. 
    This leads me to more questions, if you would be so kind.  The client uses Virtual Hosts on Mac OS X Server and the aliases they desire are all @virtual_domain.com.  So, do I create aliases via /etc/postfix/virtual or via /etc/postfix/aliases?  As I said before, they desire aliases that go to at least 2 if not more actual local server accounts/mailboxes, but the aliases are @virtual_domain.com.
    For example: admin is local account on server @ main_domain.com.  Now they want alias admin@virtual_domain.com that goes to local accounts Bob, Susan, etc.
    Thanx again!
