Greylisting in 10.5 server?
In 10.4 Server, I have used the guide on the link below to install greylisting on 10.4 Server. I have not found any info on how to accomplish this in 10.5. Since niutil doesn't exist nowadays it must be done in some other way. Any ideas?
Guide: http://www.afp548.com/article.php?story=20051127235810230
hi,
can you give me the new commands? The -commands are not compatible
Here is the niutil code:
niutil -create . /groups/postgrey
niutil -createprop . /groups/postgrey gid 25
niutil -create . /users/postgrey
niutil -createprop . /users/postgrey uid 25
niutil -createprop . /users/postgrey gid 25
niutil -createprop . /users/postgrey shell /bin/tcsh
niutil -createprop . /users/postgrey home /tmp
niutil -createprop . /users/postgrey passwd "*"
Similar Messages
How do I disable Greylisting in OS X Server (10.8)?
How do I disable Greylisting in OS X Server?
Thanks!
It looks like it is the same way I did it in OS X 10.7 Lion Server
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit'
sudo postfix reload
for a quick fix.
And follow the instructions here to make it permanent:
http://www.practiceofcode.com/post/15543512691/disable-greylisting-under-lion-server
Hope this helps

Can't keep greylisting disabled on Lion Server.
If I remove the greylisting settings from /etc/postfix/main.cf and the mail server is restarted, the greylisting entry is recreated. Is there any way around this?
I know why greylisting works, and I know it does its job well. But it's incompatible with the way we work here. Many of our emails are time-sensitive and often from new people. I also find that a lot of auto-response type emails just plain don't get past greylisting (password resets and such).
claytonfromgermantown hills wrote:
How do you manually replace the line?
We stated it above, but here's the run-down:
Edit: /etc/postfix/main.cf
Toward the bottom, change the line beginning with smtpd_recipient_restrictions to be:
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit
(essentially, you'll just remove the check_policy_service unix:private/policy entries from the line).
Save the file, then reload postfix:
$ sudo postfix reload
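The edit described above, as an added Python example (not code from the posts or from Apple): it removes the `check_policy_service unix:private/policy` entry from a `smtpd_recipient_restrictions` value and then checks that `reject_unauth_destination` still guards the list, which is the open-relay condition the greylist.pl comments on this page warn about. The function names are hypothetical; the sample value is the one shown in a `postconf -n` listing further down this page.

```python
import re

# Restrictions whose next token is an argument rather than another
# restriction name. Only the one this page deals with is listed.
TAKES_ARGUMENT = {"check_policy_service"}

# Sample value taken from the "postconf -n" output quoted on this page.
SAMPLE = ("permit_sasl_authenticated permit_mynetworks "
          "reject_unauth_destination check_policy_service "
          "unix:private/policy permit")


def parse_restrictions(value):
    """Split a restriction list (commas and/or whitespace) into (name, arg) pairs."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    pairs, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in TAKES_ARGUMENT and i + 1 < len(tokens):
            arg = tokens[i + 1]
            i += 1
        pairs.append((name, arg))
        i += 1
    return pairs


def without_policy_service(value, service="unix:private/policy"):
    """Return the value with the greylisting policy check removed, order kept."""
    kept = [(n, a) for n, a in parse_restrictions(value)
            if not (n == "check_policy_service" and a == service)]
    return " ".join(n if a is None else n + " " + a for n, a in kept)


def relay_findings(value):
    """List ordering problems that would let the server relay for anyone."""
    names = [n for n, _ in parse_restrictions(value)]
    if "reject_unauth_destination" not in names:
        return ["reject_unauth_destination is missing"]
    findings = []
    guard = names.index("reject_unauth_destination")
    for pos, name in enumerate(names[:guard]):
        if name == "permit":
            findings.append(
                "bare 'permit' at position %d precedes "
                "reject_unauth_destination" % pos)
        if name == "check_policy_service":
            findings.append(
                "check_policy_service precedes reject_unauth_destination")
    return findings


if __name__ == "__main__":
    new_value = without_policy_service(SAMPLE)
    print("smtpd_recipient_restrictions =", new_value)
    for finding in relay_findings(new_value) or ["no ordering problems found"]:
        print(" -", finding)
```
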
OS X 10.9 Server Mail Domain Whitelisting
I just cannot understand why this isn't working.
I've added gmail, googlemail, mac, me, icloud to the whitelist, but emails from those domains still get greylisted:
$ sudo serveradmin settings Mail | grep whitelist
Mail:postfix:add_whitelist_domain:_array_index:5 = "gmail.com"
Mail:postfix:add_whitelist_domain:_array_index:6 = "googlemail.com"
Mail:postfix:add_whitelist_domain:_array_index:7 = "mac.com"
Mail:postfix:add_whitelist_domain:_array_index:8 = "me.com"
Mail:postfix:add_whitelist_domain:_array_index:9 = "icloud.com"
Mail:postfix:domain_whitelist:_array_index:5 = "gmail.com"
Mail:postfix:domain_whitelist:_array_index:6 = "googlemail.com"
Mail:postfix:domain_whitelist:_array_index:7 = "mac.com"
Mail:postfix:domain_whitelist:_array_index:8 = "me.com"
Mail:postfix:domain_whitelist:_array_index:9 = "icloud.com"
I tried:
$ sudo serveradmin settings Mail:postfix:whitelist_enabled = yes
2014-05-02 02:56:37.103 serveradmin[2894:507] Error: servermgr_mail: postconf read error: /usr/sbin/postconf: warning: whitelist_enabled: unknown parameter
2014-05-02 02:56:37.104 serveradmin[2894:507] unable to save key: whitelist_enabled (unknown parameter)
I've tried restarting the mail service and restarting the computer.
Has anyone been successful in whitelisting a domain on 10.9 Server?
May 2 02:37:47 example.com postfix/smtpd[1398]: connect from mail-oa0-f48.google.com[209.85.219.48]
May 2 02:37:47 example /usr/libexec/postfix/greylist.pl[1403]: Temporary message rejection to: <[email protected]> from: <[email protected]> sent from: [209.85.219.48] for: 60 seconds due to greylisting
May 2 02:37:48 example.com postfix/smtpd[1398]: NOQUEUE: reject: RCPT from mail-oa0-f48.google.com[209.85.219.48]: 450 4.7.1 <[email protected]>: Recipient address rejected: Service is unavailable; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-oa0-f48.google.com>
May 2 02:37:48 example.com postfix/smtpd[1398]: disconnect from mail-oa0-f48.google.com[209.85.219.48]
#!/usr/bin/perl

use DB_File;
use Fcntl;
use Sys::Syslog qw(:DEFAULT setlogsock);

# Usage: greylist.pl [-v]

# Demo delegated Postfix SMTPD policy server. This server implements
# greylisting. State is kept in a Berkeley DB database. Logging is
# sent to syslogd.

# How it works: each time a Postfix SMTP server process is started
# it connects to the policy service socket, and Postfix runs one
# instance of this PERL script. By default, a Postfix SMTP server
# process terminates after 100 seconds of idle time, or after serving
# 100 clients. Thus, the cost of starting this PERL script is smoothed
# out over time.

# To run this from /etc/postfix/master.cf:
#    policy unix - n n - - spawn
#      user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl

# To use this from Postfix SMTPD, use in /etc/postfix/main.cf:
#    smtpd_recipient_restrictions =
#        reject_unauth_destination
#        check_policy_service unix:private/policy

# NOTE: specify check_policy_service AFTER reject_unauth_destination
# or else your system can become an open relay.

# To test this script by hand, execute:
#    % perl greylist.pl

# Each query is a bunch of attributes. Order does not matter, and
# the demo script uses only a few of all the attributes shown below:
#    request=smtpd_access_policy
#    protocol_state=RCPT
#    protocol_name=SMTP
#    helo_name=some.domain.tld
#    queue_id=8045F2AB23
#    [email protected]
#    [email protected]
#    client_address=1.2.3.4
#    client_name=another.domain.tld
#    instance=123.456.7
#    sasl_method=plain
#    sasl_username=you
#    sasl_sender=
#    size=12345
#    [empty line]

# The policy server script will answer in the same style, with an
# attribute list followed by a empty line:
#    action=dunno
#    [empty line]

# greylist status database and greylist time interval. DO NOT create the
# greylist status database in a world-writable directory such as /tmp
# or /var/tmp. DO NOT create the greylist database in a file system
# that can run out of space.

# In case of database corruption, this script saves the database as
# $database_name.time(), so that the mail system does not get stuck.

$database_name="/Library/Server/Mail/Data/gldb/greylist.db";
$whitelist_host_file="/Library/Server/Mail/Data/gldb/whitelist_host";
$whitelist_domain_file="/Library/Server/Mail/Data/gldb/whitelist_domain";
$whitelist_db_name="/Library/Server/Mail/Data/gldb/whitelist.db";
$greylist_delay=60;

# Auto-whitelist threshold. Specify 0 to disable, or the number of
# successful "come backs" after which a client is no longer subject
# to greylisting.
$auto_whitelist_threshold = 10;

# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
$syslog_socktype = 'unix'; # inet, unix, stream, console
$syslog_facility="mail";
$syslog_options="pid";
$syslog_priority="info";

sub add_whitelist {
    # check for null host name
    my ($_host_name) = $attr{"host_name"};
    if ($_host_name eq "") {
        syslog $syslog_priority, "Warning: missing whitelist host name attribute";
        return 0;
    }

    # Open the database on the fly.
    open_whitelist_db() unless $whitelist_db_obj;

    # Is host already in white list
    $value = read_whitelist_db($attr{"host_name"});

    # Add host if not in database
    if ($value == 0) {
        syslog $syslog_priority, "adding host: %s to whitelist host", $attr{"host_name"} if $verbose;
        update_whitelist_db($attr{"host_name"}, 1);
        open WHITELIST_FILE, ">> $whitelist_host_file" or
            syslog $syslog_priority, "Error: unable to open whitelist host file: %s", $whitelist_host_file;
        print WHITELIST_FILE "$attr{\"host_name\"}\n";
        close WHITELIST_FILE;
    }
}

sub add_whitelist_domain {
    # check for null host name
    my ($_domain_name) = $attr{"domain_name"};
    if ($_domain_name eq "") {
        syslog $syslog_priority, "Warning: missing whitelist domain name attribute";
        return 0;
    }

    # Open the database on the fly.
    open_whitelist_db() unless $whitelist_db_obj;

    # Is domain already in white list
    $value = read_whitelist_db($attr{"domain_name"});

    # Add domain if not in database
    if ($value == 0) {
        syslog $syslog_priority, "adding domain: %s to whitelist doman", $attr{"domain_name"} if $verbose;
        update_whitelist_db($attr{"domain_name"}, 1);
        open WHITELIST_FILE, ">> $whitelist_domain_file" or
            syslog $syslog_priority, "Error: unable to open whitelist domain file: %s", $whitelist_domain_file;
        print WHITELIST_FILE "$attr{\"domain_name\"}\n";
        close WHITELIST_FILE;
    }
}

# Demo SMTPD access policy routine. The result is an action just like
# it would be specified on the right-hand side of a Postfix access
# table. Request attributes are available via the %attr hash.
sub smtpd_access_policy {
    my($key, $time_stamp, $now, $count, $domain);

    # Open the database on the fly.
    open_database() unless $database_obj;

    # Open the whitelist database on the fly.
    open_whitelist_db() unless $whitelist_db_obj;

    # Check if domain is whitelisted
    # (the lookup key comes from the client host name, not the sender address)
    $domain = get_domain_name($attr{"client_name"});
    $count = read_whitelist_db($domain);
    if ($count > 0) {
        syslog $syslog_priority, "domain: %s is whitelisted", $domain if $verbose;
        return "dunno";
    }

    # Check if host is whitelisted
    $count = read_whitelist_db($attr{"client_name"});
    if ($count > 0) {
        syslog $syslog_priority, "host: %s is whitelisted", $attr{"client_name"} if $verbose;
        return "dunno";
    }

    # Search the auto-whitelist.
    if ($auto_whitelist_threshold > 0) {
        $count = read_database($attr{"client_address"});
        if ($count > $auto_whitelist_threshold) {
            return "dunno";
        }
    }

    # Lookup the time stamp for this client/sender/recipient.
    $key =
        lc $attr{"client_address"}."/".$attr{"sender"}."/".$attr{"recipient"};
    $time_stamp = read_database($key);
    $now = time();

    # If this is a new request add this client/sender/recipient to the database.
    if ($time_stamp == 0) {
        $time_stamp = $now;
        update_database($key, $time_stamp);
    }

    # The result can be any action that is allowed in a Postfix access(5) map.
    # To label mail, return ``PREPEND'' headername: headertext
    # In case of success, return ``DUNNO'' instead of ``OK'' so that the
    # check_policy_service restriction can be followed by other restrictions.
    # In case of failure, specify ``DEFER_IF_PERMIT optional text...''
    # so that mail can still be blocked by other access restrictions.
    syslog $syslog_priority, "request age %d", $now - $time_stamp if $verbose;
    if ($now - $time_stamp > $greylist_delay) {
        # Update the auto-whitelist.
        if ($auto_whitelist_threshold > 0) {
            update_database($attr{"client_address"}, $count + 1);
        }
        return "dunno";
    } else {
        # Apple
        syslog $syslog_priority, "Temporary message rejection to: <$attr{\"recipient\"}> from: <$attr{\"sender\"}> sent from: [$attr{\"client_address\"}] for: $greylist_delay seconds due to greylisting";
        return "defer_if_permit Service is unavailable";
    }
}

# You should not have to make changes below this point.
sub LOCK_SH { 1 }; # Shared lock (used for reading).
sub LOCK_EX { 2 }; # Exclusive lock (used for writing).
sub LOCK_NB { 4 }; # Don't block (for testing).
sub LOCK_UN { 8 }; # Release lock.

# Log an error and abort.
sub fatal_exit {
    my($first) = shift(@_);
    syslog "err", "fatal: $first", @_;
    exit 1;
}

# Open hash database.
sub open_database {
    my($database_fd);

    # Use tied database to make complex manipulations easier to express.
    $database_obj = tie(%db_hash, 'DB_File', $database_name,
                        O_CREAT|O_RDWR, 0644, $DB_BTREE);
    if ( !$database_obj ) {
        # don't prevent mail deliveries due to corrupt database
        my $db_backup = $database_name . "." . time();
        syslog $syslog_priority, "Warning: open failed for: %s : backing up to: %s",
            $database_name, $db_backup;
        rename $database_name, $db_backup or
            fatal_exit "Can't save %s as %s: $!", $database_name, $db_backup;

        # try again
        $database_obj = tie(%db_hash, 'DB_File', $database_name,
                            O_CREAT|O_RDWR, 0644, $DB_BTREE) ||
            fatal_exit "Cannot open database %s: $!", $database_name;
    }

    $database_fd = $database_obj->fd;
    open DATABASE_HANDLE, "+<&=$database_fd" or
        fatal_exit "Cannot fdopen database %s: $!", $database_name;
    syslog $syslog_priority, "open %s", $database_name if $verbose;
}

# Open hash whitelist database.
# NOTE: this ties the same %db_hash that open_database() uses, so the
# database tied last is the one that all later lookups and stores go to.
sub open_whitelist_db {
    my($whitelist_db_fd);

    # Use tied database to make complex manipulations easier to express.
    $whitelist_db_obj = tie(%db_hash, 'DB_File', $whitelist_db_name,
                            O_CREAT|O_RDWR, 0644, $DB_BTREE);
    if ( !$whitelist_db_obj ) {
        # don't prevent mail deliveries due to corrupt database
        my $db_backup = $whitelist_db_name . "." . time();
        syslog $syslog_priority, "Warning: open failed for: %s : backing up to: %s",
            $whitelist_db_name, $db_backup;
        rename $whitelist_db_name, $db_backup or
            fatal_exit "Can't save %s as %s: $!", $whitelist_db_name, $db_backup;

        # try again
        $whitelist_db_obj = tie(%db_hash, 'DB_File', $whitelist_db_name,
                                O_CREAT|O_RDWR, 0644, $DB_BTREE) ||
            fatal_exit "Cannot open database %s: $!", $whitelist_db_name;
    }

    $whitelist_db_fd = $whitelist_db_obj->fd;
    open WHITELIST_DB_HANDLE, "+<&=$whitelist_db_fd" or
        fatal_exit "Cannot fdopen database %s: $!", $whitelist_db_name;
    syslog $syslog_priority, "open %s", $whitelist_db_name if $verbose;
}

# Read database. Use a shared lock to avoid reading the database
# while it is being changed. XXX There should be a way to synchronize
# our cache from the on-file database before looking up the key.
sub read_database {
    my($key) = @_;
    my($value);

    flock DATABASE_HANDLE, LOCK_SH or
        fatal_exit "Can't get shared lock on %s: $!", $database_name;
    # XXX Synchronize our cache from the on-disk copy before lookup.
    $value = $db_hash{$key};
    syslog $syslog_priority, "lookup %s: %s", $key, $value if $verbose;
    flock DATABASE_HANDLE, LOCK_UN or
        fatal_exit "Can't unlock %s: $!", $database_name;
    return $value;
}

# Read database. Use a shared lock to avoid reading the database
# while it is being changed. XXX There should be a way to synchronize
# our cache from the on-file database before looking up the key.
sub read_whitelist_db {
    my($key) = @_;
    my($value);

    flock WHITELIST_DB_HANDLE, LOCK_SH or
        fatal_exit "Can't get shared lock on %s: $!", $whitelist_db_name;
    # XXX Synchronize our cache from the on-disk copy before lookup.
    $value = $db_hash{$key};
    syslog $syslog_priority, "whitelist lookup %s: %s", $key, $value if $verbose;
    flock WHITELIST_DB_HANDLE, LOCK_UN or
        fatal_exit "Can't unlock %s: $!", $whitelist_db_name;
    return $value;
}

# Update database. Use an exclusive lock to avoid collisions with
# other updaters, and to avoid surprises in database readers. XXX
# There should be a way to synchronize our cache from the on-file
# database before updating the database.
sub update_database {
    my($key, $value) = @_;

    syslog $syslog_priority, "store %s: %s", $key, $value if $verbose;
    flock DATABASE_HANDLE, LOCK_EX or
        fatal_exit "Can't exclusively lock %s: $!", $database_name;
    # XXX Synchronize our cache from the on-disk copy before update.
    $db_hash{$key} = $value;
    $database_obj->sync() &&
        fatal_exit "Can't update %s: $!", $database_name;
    flock DATABASE_HANDLE, LOCK_UN or
        fatal_exit "Can't unlock %s: $!", $database_name;
}

# Update database. Use an exclusive lock to avoid collisions with
# other updaters, and to avoid surprises in database readers. XXX
# There should be a way to synchronize our cache from the on-file
# database before updating the database.
sub update_whitelist_db {
    my($key, $value) = @_;

    syslog $syslog_priority, "store whitelist host %s: %s", $key, $value if $verbose;
    flock WHITELIST_DB_HANDLE, LOCK_EX or
        fatal_exit "Can't exclusively lock %s: $!", $whitelist_db_name;
    # XXX Synchronize our cache from the on-disk copy before update.
    $db_hash{$key} = $value;
    $whitelist_db_obj->sync() &&
        fatal_exit "Can't update %s: $!", $whitelist_db_name;
    flock WHITELIST_DB_HANDLE, LOCK_UN or
        fatal_exit "Can't unlock %s: $!", $whitelist_db_name;
}

# Parse hostname to obtain domain name
# (keeps only the last two dot-separated labels)
sub get_domain_name {
    my($in_host_name) = @_;
    my($value);
    my($count) = 0;

    @tokens = split(/\./, $in_host_name);
    $count = $#tokens;
    $value=$tokens[$count-1] . "." . $tokens[$count];
    return $value;
}

# Signal 11 means that we have some kind of database corruption (yes
# Berkeley DB should handle this better). Move the corrupted database
# out of the way, and start with a new database.
sub sigsegv_handler {
    my $backup = $database_name . "." . time();
    rename $database_name, $backup or
        fatal_exit "Can't save %s as %s: $!", $database_name, $backup;
    fatal_exit "Caught signal 11; the corrupted database is saved as $backup";

    my $wl_backup = $whitelist_db_name . "." . time();
    rename $whitelist_db_name, $wl_backup or
        fatal_exit "Can't save %s as %s: $!", $whitelist_db_name, $wl_backup;
    fatal_exit "Caught signal 11; the corrupted database is saved as $wl_backup";
}

$SIG{'SEGV'} = 'sigsegv_handler';

# This process runs as a daemon, so it can't log to a terminal. Use
# syslog so that people can actually see our messages.
setlogsock $syslog_socktype;
openlog $0, $syslog_options, $syslog_facility;

# We don't need getopt() for now.
while ($option = shift(@ARGV)) {
    if ($option eq "-v") {
        $verbose = 1;
    } else {
        syslog $syslog_priority, "Invalid option: %s. Usage: %s [-v]",
            $option, $0;
        exit 1;
    }
}

# Unbuffer standard output.
select((select(STDOUT), $| = 1)[0]);

# Receive a bunch of attributes, evaluate the policy, send the result.
while (<STDIN>) {
    if (/([^=]+)=(.*)\n/) {
        $attr{substr($1, 0, 512)} = substr($2, 0, 512);
    } elsif ($_ eq "\n") {
        if ($verbose) {
            for (keys %attr) {
                syslog $syslog_priority, "Attribute: %s=%s", $_, $attr{$_};
            }
        }
        if ( $attr{"request"} eq "smtpd_access_policy" ) {
            $action = smtpd_access_policy();
        } elsif ( $attr{"request"} eq "whitelist" ) {
            $action = add_whitelist();
        } elsif ( $attr{"request"} eq "whitelist_domain" ) {
            $action = add_whitelist_domain();
        } else {
            fatal_exit "unrecognized request type: '%s'", $attr{request};
        }
        syslog $syslog_priority, "Action: %s", $action if $verbose;
        print STDOUT "action=$action\n\n";
        %attr = ();
    } else {
        chop;
        syslog $syslog_priority, "warning: ignoring garbage: %.100s", $_;
    }
}
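What the script's whitelist check actually compares, as an added Python example (a restatement for illustration, not Apple's code or the poster's): the lookup keys are built from `client_name`, the connecting host's name, so the `gmail.com` entry from the serveradmin output above is never consulted for a connection from `mail-oa0-f48.google.com`. The auto-whitelist counter is left out; the sender and recipient in the sample request are constructed placeholders, and the `co.uk` host is a constructed case showing where the two-label rule stops short.

```python
GREYLIST_DELAY = 60  # $greylist_delay in greylist.pl

# Domains the 10.9 poster whitelisted (from the serveradmin output on this page).
PAGE_WHITELIST = {"gmail.com", "googlemail.com", "mac.com", "me.com", "icloud.com"}

# Constructed policy request: client_name and client_address are the ones in
# the log lines on this page; sender and recipient are placeholders.
GMAIL_REQUEST = """\
request=smtpd_access_policy
protocol_state=RCPT
client_address=209.85.219.48
client_name=mail-oa0-f48.google.com
sender=someone@gmail.com
recipient=user@example.com

"""


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attr = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attr[name[:512]] = value[:512]
    return attr


def get_domain_name(host):
    """Same rule as the Perl sub: join the last two dot-separated labels."""
    tokens = host.split(".")
    return tokens[len(tokens) - 2] + "." + tokens[-1]


def whitelist_keys(attr):
    """The two keys looked up in the whitelist, both derived from client_name."""
    host = attr.get("client_name", "")
    return get_domain_name(host), host


def decide(attr, whitelist, seen, now):
    """Return the policy action; 'seen' maps greylist keys to first-seen times."""
    domain, host = whitelist_keys(attr)
    if domain in whitelist or host in whitelist:
        return "dunno"
    key = "/".join(
        (attr["client_address"], attr["sender"], attr["recipient"])).lower()
    first_seen = seen.setdefault(key, now)
    if now - first_seen > GREYLIST_DELAY:
        return "dunno"
    return "defer_if_permit Service is unavailable"


if __name__ == "__main__":
    attr = parse_request(GMAIL_REQUEST)
    print("lookup keys:", whitelist_keys(attr))
    print("page whitelist      ->", decide(attr, PAGE_WHITELIST, {}, 1000))
    print("with google.com too ->",
          decide(attr, PAGE_WHITELIST | {"google.com"}, {}, 1000))
    # Constructed host names showing the limits of the two-label rule.
    for name in ("mail.example.co.uk", "unknown"):
        print(name, "->", get_domain_name(name))
```
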
Perl 5.12 Crash on Mail Service
Hi to all,
since this morning I have had a Console full of messages telling me that perl 5.12 crashed every 10 seconds.
This is the issue:
Jun 18 17:38:51 mail postfix/smtpd[44496]: warning: problem talking to server private/policy: Undefined error: 0
Jun 18 17:38:53 mail postfix/spawn[44997]: warning: command /usr/bin/perl killed by signal 10
I also post here the output from my "postconf -n"; I hope this helps
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /private/etc/postfix/submit.cred
inet_interfaces = all
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 20971520
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, smtp.reteambiente.it, mail.reteambiente.it, reteambiente.it
mydomain = reteambiente.it
mydomain_fallback = localhost
myhostname = mail.reteambiente.it
mynetworks = 127.0.0.0/8,[::1]/128,192.168.0.0/24,92.62.161.120
newaliases_path = /usr/bin/newaliases
postscreen_dnsbl_sites = zen.spamhaus.org*2
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_canonical_maps = hash:/etc/postfix/system_user_maps
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = cram-md5,login,plain
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/mail.reteambiente.it.E9E736E5B8168C9B44FA41332CB109F82713E3AF.chain.pem
smtpd_tls_cert_file = /etc/certificates/mail.reteambiente.it.E9E736E5B8168C9B44FA41332CB109F82713E3AF.cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/mail.reteambiente.it.E9E736E5B8168C9B44FA41332CB109F82713E3AF.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
virtual_alias_maps = $virtual_maps
Any idea?
Thanks in advance!
Hi, I solved it by just deleting whitelist.db and greylist.db from /Library/Server/Mail/Data/mta
Anyway, I disabled the GreyListing features of the Mail service because it's too buggy...

Hello,
I need to whitelist a domain on 10.10 server:
sudo serveradmin settings mail:postfix:add_whitelist_domain = "domain.com"
but for this i get result:
mail:postfix:add_whitelist_domain = _empty_array
What should I correct?
Is there any documentation how to properly add values to settings in serveradmin?
I found this: mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
But that did not help.
Hi,
the following things you need to do:
Forget what the Server Admin guide says, it doesn't work that way.
I'm assuming you want to use greylisting, right?
/usr/libexec/postfix/greylist.pl has issues in 10.10.x; you need to replace it with the correct version, i.e. from OS X Mavericks (see further down)
delete the files in the following directory to start fresh: sudo rm /Library/Server/Mail/Data/gldb/*
restart the Mail Server
Type the following command to add a domain that should be whitelisted: sudo serveradmin settings mail:postfix:add_whitelist_domain = "google.com"
when it's done it will give you a list of already whitelisted domains and/or the one you just entered
in this case google.com will be whitelisted and will pass through the greylist without the initial temporary rejection
you can follow-up in the smtp.log in the server app to see that it works.
I tested this in 10.10.2 OS X Server 4.0.3.
I don't know what Apple did with the greylist.pl file; it's missing some important code.
This is what you need to put in your greylist.pl file to restore what's missing:
#!/usr/bin/perl
use DB_File;
use Fcntl;
use Sys::Syslog qw(:DEFAULT setlogsock);
# Usage: greylist.pl [-v]
# Demo delegated Postfix SMTPD policy server. This server implements
# greylisting. State is kept in a Berkeley DB database. Logging is
# sent to syslogd.
# How it works: each time a Postfix SMTP server process is started
# it connects to the policy service socket, and Postfix runs one
# instance of this PERL script. By default, a Postfix SMTP server
# process terminates after 100 seconds of idle time, or after serving
# 100 clients. Thus, the cost of starting this PERL script is smoothed
# out over time.
# To run this from /etc/postfix/master.cf:
# policy unix - n n - - spawn
# user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
# To use this from Postfix SMTPD, use in /etc/postfix/main.cf:
# smtpd_recipient_restrictions =
# reject_unauth_destination
# check_policy_service unix:private/policy
# NOTE: specify check_policy_service AFTER reject_unauth_destination
# or else your system can become an open relay.
# To test this script by hand, execute:
# % perl greylist.pl
# Each query is a bunch of attributes. Order does not matter, and
# the demo script uses only a few of all the attributes shown below:
# request=smtpd_access_policy
# protocol_state=RCPT
# protocol_name=SMTP
# helo_name=some.domain.tld
# queue_id=8045F2AB23
# [email protected]
# [email protected]
# client_address=1.2.3.4
# client_name=another.domain.tld
# instance=123.456.7
# sasl_method=plain
# sasl_username=you
# sasl_sender=
# size=12345
# [empty line]
# The policy server script will answer in the same style, with an
# attribute list followed by a empty line:
# action=dunno
# [empty line]
# greylist status database and greylist time interval. DO NOT create the
# greylist status database in a world-writable directory such as /tmp
# or /var/tmp. DO NOT create the greylist database in a file system
# that can run out of space.
# In case of database corruption, this script saves the database as
# $database_name.time(), so that the mail system does not get stuck.
$database_name="/Library/Server/Mail/Data/gldb/greylist.db";
$whitelist_host_file="/Library/Server/Mail/Data/gldb/whitelist_host";
$whitelist_domain_file="/Library/Server/Mail/Data/gldb/whitelist_domain";
$whitelist_db_name="/Library/Server/Mail/Data/gldb/whitelist.db";
$greylist_delay=60;
# Auto-whitelist threshold. Specify 0 to disable, or the number of
# successful "come backs" after which a client is no longer subject
# to greylisting.
$auto_whitelist_threshold = 10;
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
$syslog_socktype = 'unix'; # inet, unix, stream, console
$syslog_facility="mail";
$syslog_options="pid";
$syslog_priority="info";
sub add_whitelist {
# check for null host name
my ($_host_name) = $attr{"host_name"};
if ($_host_name eq "") {
syslog $syslog_priority, "Warning: missing whitelist host name attribute";
return 0;
# Open the database on the fly.
open_whitelist_db() unless $whitelist_db_obj;
# Is host already in white list
$value = read_whitelist_db($attr{"host_name"});
# Add host if not in database
if ($value == 0) {
syslog $syslog_priority, "adding host: %s to whitelist host", $attr{"host_name"} if $verbose;
update_whitelist_db($attr{"host_name"}, 1);
open WHITELIST_FILE, ">> $whitelist_host_file" or
syslog $syslog_priority, "Error: unable to open whitelist host file: %s", $whitelist_host_file;
print WHITELIST_FILE "$attr{\"host_name\"}\n";
close WHITELIST_FILE;
sub add_whitelist_domain {
# check for null host name
my ($_domain_name) = $attr{"domain_name"};
if ($_domain_name eq "") {
syslog $syslog_priority, "Warning: missing whitelist domain name attribute";
return 0;
# Open the database on the fly.
open_whitelist_db() unless $whitelist_db_obj;
# Is domain already in white list
$value = read_whitelist_db($attr{"domain_name"});
# Add domain if not in database
if ($value == 0) {
syslog $syslog_priority, "adding domain: %s to whitelist doman", $attr{"domain_name"} if $verbose;
update_whitelist_db($attr{"domain_name"}, 1);
open WHITELIST_FILE, ">> $whitelist_domain_file" or
syslog $syslog_priority, "Error: unable to open whitelist domain file: %s", $whitelist_domain_file;
print WHITELIST_FILE "$attr{\"domain_name\"}\n";
close WHITELIST_FILE;
# Demo SMTPD access policy routine. The result is an action just like
# it would be specified on the right-hand side of a Postfix access
# table. Request attributes are available via the %attr hash.
sub smtpd_access_policy {
my($key, $time_stamp, $now, $count, $domain);
# Open the database on the fly.
open_database() unless $database_obj;
# Open the whitelist database on the fly.
open_whitelist_db() unless $whitelist_db_obj;
# Check if domain is whitelisted
$domain = get_domain_name($attr{"client_name"});
$count = read_whitelist_db($domain);
if ($count > 0) {
syslog $syslog_priority, "domain: %s is whitelisted", $domain if $verbose;
return "dunno";
# Check if host is whitelisted
$count = read_whitelist_db($attr{"client_name"});
if ($count > 0) {
syslog $syslog_priority, "host: %s is whitelisted", $attr{"client_name"} if $verbose;
return "dunno";
# Search the auto-whitelist.
if ($auto_whitelist_threshold > 0) {
$count = read_database($attr{"client_address"});
if ($count > $auto_whitelist_threshold) {
return "dunno";
# Lookup the time stamp for this client/sender/recipient.
$key =
lc $attr{"client_address"}."/".$attr{"sender"}."/".$attr{"recipient"};
$time_stamp = read_database($key);
$now = time();
# If this is a new request add this client/sender/recipient to the database.
if ($time_stamp == 0) {
$time_stamp = $now;
update_database($key, $time_stamp);
# The result can be any action that is allowed in a Postfix access(5) map.
# To label mail, return ``PREPEND'' headername: headertext
# In case of success, return ``DUNNO'' instead of ``OK'' so that the
# check_policy_service restriction can be followed by other restrictions.
# In case of failure, specify ``DEFER_IF_PERMIT optional text...''
# so that mail can still be blocked by other access restrictions.
syslog $syslog_priority, "request age %d", $now - $time_stamp if $verbose;
if ($now - $time_stamp > $greylist_delay) {
# Update the auto-whitelist.
if ($auto_whitelist_threshold > 0) {
update_database($attr{"client_address"}, $count + 1);
return "dunno";
} else {
# Apple
syslog $syslog_priority, "Temporary message rejection to: <$attr{\"recipient\"}> from: <$attr{\"sender\"}> sent from: [$attr{\"client_address\"}] for: $greylist_delay seconds due to greylisting";
return "defer_if_permit Service is unavailable";
# You should not have to make changes below this point.
sub LOCK_SH { 1 }; # Shared lock (used for reading).
sub LOCK_EX { 2 }; # Exclusive lock (used for writing).
sub LOCK_NB { 4 }; # Don't block (for testing).
sub LOCK_UN { 8 }; # Release lock.
# Log an error and abort.
sub fatal_exit {
my($first) = shift(@_);
syslog "err", "fatal: $first", @_;
exit 1;
# Open hash database.
sub open_database {
my($database_fd);
# Use tied database to make complex manipulations easier to express.
$database_obj = tie(%db_hash, 'DB_File', $database_name,
O_CREAT|O_RDWR, 0644, $DB_BTREE);
if ( !$database_obj ) {
# don't prevent mail deliveries due to corrupt database
my $db_backup = $database_name . "." . time();
syslog $syslog_priority, "Warning: open failed for: %s : backing up to: %s",
$database_name, $db_backup;
rename $database_name, $db_backup ||
fatal_exit "Can't save %s as %s: $!", $database_name, $db_backup;
# try again
$database_obj = tie(%db_hash, 'DB_File', $database_name,
O_CREAT|O_RDWR, 0644, $DB_BTREE) ||
fatal_exit "Cannot open database %s: $!", $database_name;
$database_fd = $database_obj->fd;
open DATABASE_HANDLE, "+<&=$database_fd" ||
fatal_exit "Cannot fdopen database %s: $!", $database_name;
syslog $syslog_priority, "open %s", $database_name if $verbose;
# Open hash whitelist database.
sub open_whitelist_db {
my($whitelist_db_fd);
# Use tied database to make complex manipulations easier to express.
$whitelist_db_obj = tie(%db_hash, 'DB_File', $whitelist_db_name,
O_CREAT|O_RDWR, 0644, $DB_BTREE);
if ( !$whitelist_db_obj ) {
# don't prevent mail deliveries due to corrupt database
my $db_backup = $whitelist_db_name . "." . time();
syslog $syslog_priority, "Warning: open failed for: %s : backing up to: %s",
$whitelist_db_name, $db_backup;
rename $whitelist_db_name, $db_backup ||
fatal_exit "Can't save %s as %s: $!", $whitelist_db_name, $db_backup;
# try again
$whitelist_db_obj = tie(%db_hash, 'DB_File', $whitelist_db_name,
O_CREAT|O_RDWR, 0644, $DB_BTREE) ||
fatal_exit "Cannot open database %s: $!", $whitelist_db_name;
$whitelist_db_fd = $whitelist_db_obj->fd;
open WHITELIST_DB_HANDLE, "+<&=$whitelist_db_fd" ||
fatal_exit "Cannot fdopen database %s: $!", $whitelist_db_name;
syslog $syslog_priority, "open %s", $whitelist_db_name if $verbose;
# Read database. Use a shared lock to avoid reading the database
# while it is being changed. XXX There should be a way to synchronize
# our cache from the on-file database before looking up the key.
sub read_database {
    my($key) = @_;
    my($value);
    # "or" so that a failed flock is checked ("||" would bind to LOCK_SH)
    flock DATABASE_HANDLE, LOCK_SH or
        fatal_exit "Can't get shared lock on %s: $!", $database_name;
    # XXX Synchronize our cache from the on-disk copy before lookup.
    $value = $db_hash{$key};
    syslog $syslog_priority, "lookup %s: %s", $key, $value if $verbose;
    flock DATABASE_HANDLE, LOCK_UN or
        fatal_exit "Can't unlock %s: $!", $database_name;
    return $value;
}
# Read whitelist database. Use a shared lock to avoid reading the database
# while it is being changed. XXX There should be a way to synchronize
# our cache from the on-file database before looking up the key.
sub read_whitelist_db {
    my($key) = @_;
    my($value);
    # "or" so that a failed flock is checked ("||" would bind to LOCK_SH)
    flock WHITELIST_DB_HANDLE, LOCK_SH or
        fatal_exit "Can't get shared lock on %s: $!", $whitelist_db_name;
    # XXX Synchronize our cache from the on-disk copy before lookup.
    $value = $db_hash{$key};
    syslog $syslog_priority, "whitelist lookup %s: %s", $key, $value if $verbose;
    flock WHITELIST_DB_HANDLE, LOCK_UN or
        fatal_exit "Can't unlock %s: $!", $whitelist_db_name;
    return $value;
}
# Update database. Use an exclusive lock to avoid collisions with
# other updaters, and to avoid surprises in database readers. XXX
# There should be a way to synchronize our cache from the on-file
# database before updating the database.
sub update_database {
    my($key, $value) = @_;
    syslog $syslog_priority, "store %s: %s", $key, $value if $verbose;
    # "or" so that a failed flock is checked ("||" would bind to LOCK_EX)
    flock DATABASE_HANDLE, LOCK_EX or
        fatal_exit "Can't exclusively lock %s: $!", $database_name;
    # XXX Synchronize our cache from the on-disk copy before update.
    $db_hash{$key} = $value;
    # sync() returns 0 on success, so a true value means failure
    $database_obj->sync() &&
        fatal_exit "Can't update %s: $!", $database_name;
    flock DATABASE_HANDLE, LOCK_UN or
        fatal_exit "Can't unlock %s: $!", $database_name;
}
# Update whitelist database. Use an exclusive lock to avoid collisions with
# other updaters, and to avoid surprises in database readers. XXX
# There should be a way to synchronize our cache from the on-file
# database before updating the database.
sub update_whitelist_db {
    my($key, $value) = @_;
    syslog $syslog_priority, "store whitelist host %s: %s", $key, $value if $verbose;
    # "or" so that a failed flock is checked ("||" would bind to LOCK_EX)
    flock WHITELIST_DB_HANDLE, LOCK_EX or
        fatal_exit "Can't exclusively lock %s: $!", $whitelist_db_name;
    # XXX Synchronize our cache from the on-disk copy before update.
    $db_hash{$key} = $value;
    # sync() returns 0 on success, so a true value means failure
    $whitelist_db_obj->sync() &&
        fatal_exit "Can't update %s: $!", $whitelist_db_name;
    flock WHITELIST_DB_HANDLE, LOCK_UN or
        fatal_exit "Can't unlock %s: $!", $whitelist_db_name;
}
# Parse hostname to obtain domain name.
# Keeps only the last two labels, e.g. mail.example.com -> example.com
sub get_domain_name {
    my($in_host_name) = @_;
    my($value);
    my($count) = 0;
    my @tokens = split(/\./, $in_host_name);
    $count = $#tokens;
    $value = $tokens[$count-1] . "." . $tokens[$count];
    return $value;
}
# Signal 11 means that we have some kind of database corruption (yes
# Berkeley DB should handle this better). Move the corrupted database
# out of the way, and start with a new database.
sub sigsegv_handler {
    my $backup = $database_name . "." . time();
    # "or" so that a failed rename is actually reported
    rename $database_name, $backup or
        fatal_exit "Can't save %s as %s: $!", $database_name, $backup;
    fatal_exit "Caught signal 11; the corrupted database is saved as $backup";
    my $wl_backup = $whitelist_db_name . "." . time();
    rename $whitelist_db_name, $wl_backup or
        fatal_exit "Can't save %s as %s: $!", $whitelist_db_name, $wl_backup;
    fatal_exit "Caught signal 11; the corrupted database is saved as $wl_backup";
}
$SIG{'SEGV'} = 'sigsegv_handler';
# This process runs as a daemon, so it can't log to a terminal. Use
# syslog so that people can actually see our messages.
setlogsock $syslog_socktype;
openlog $0, $syslog_options, $syslog_facility;
# We don't need getopt() for now.
while ($option = shift(@ARGV)) {
    if ($option eq "-v") {
        $verbose = 1;
    } else {
        syslog $syslog_priority, "Invalid option: %s. Usage: %s [-v]",
            $option, $0;
        exit 1;
    }
}
# Unbuffer standard output.
select((select(STDOUT), $| = 1)[0]);
# Receive a bunch of attributes, evaluate the policy, send the result.
while (<STDIN>) {
    if (/([^=]+)=(.*)\n/) {
        # name=value line; both sides are truncated to 512 characters
        $attr{substr($1, 0, 512)} = substr($2, 0, 512);
    } elsif ($_ eq "\n") {
        # an empty line ends the request
        if ($verbose) {
            for (keys %attr) {
                syslog $syslog_priority, "Attribute: %s=%s", $_, $attr{$_};
            }
        }
        if ( $attr{"request"} eq "smtpd_access_policy" ) {
            $action = smtpd_access_policy();
        } elsif ( $attr{"request"} eq "whitelist" ) {
            $action = add_whitelist();
        } elsif ( $attr{"request"} eq "whitelist_domain" ) {
            $action = add_whitelist_domain();
        } else {
            fatal_exit "unrecognized request type: '%s'", $attr{request};
        }
        syslog $syslog_priority, "Action: %s", $action if $verbose;
        print STDOUT "action=$action\n\n";
        %attr = ();
    } else {
        chop;
        syslog $syslog_priority, "warning: ignoring garbage: %.100s", $_;
    }
}
-
Whitelisting in OS X Server (pass greylisting without disabling it)
To whitelist domains from greylisting so mails from that domain arrive instantly, enter
sudo serveradmin settings mail:postfix:add_whitelist_domain = "example.com"
and replace example.com with the domain you intend to whitelist. It seems like you can also whitelist hostnames (server.example.com) and mail users ([email protected]), but I don't know how to do that yet, using:
mail:postfix:add_whitelist_host = _empty_array
mail:postfix:whitelist_from
I am using Mac OS X 10.8.5 with Server 2.2.2, but I think the same will probably apply in Mavericks. I have in the past been trying these same commands but they were not always reliable in passing on the settings to the greylisting system. So, I found out where they write by analyzing /usr/libexec/postfix/greylist.pl and now maintain these by hand. The unexpected thing is that this is not maintained in the Config directory tree but in the Data directory tree of Mail.
Go to the directory /Library/Server/Mail/Data/gldb
(gldb = greylisting database). Here, the greylisting script maintains the database of sending systems that have passed the greylisting trick. Here I have added info to two files:
whitelist_domain
and
whitelist_host
These are static data files that are read by the greylisting script.
For instance, if you want to whitelist all servers from facebook.com (because their myriad of file servers defeats the greylisting assumptions) you add a line to whitelist_domain that says facebook.com and one that says facebookmail.com. The domains to add, you can find by analyzing mail.log and looking for the greylisting 'error' messages.
Some obvious entries are:
amazon.com
facebook.com
facebookmail.com
messagelabs.com -
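An added example (not part of the original post or of Apple's greylist.pl): a Python sketch of the mail.log review described above, listing domains whose deferred mail arrives from several different hosts as candidates for whitelist_domain. The log line layout, the sample lines and the MULTI_LABEL_SUFFIXES set are constructed assumptions; two_label_domain mirrors the last-two-labels rule of get_domain_name in the greylist.pl listing quoted on this page, which reduces a host under co.uk to co.uk itself.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout (a Postfix "RCPT from host[ip]" reject
# line that mentions greylisting) is an assumption; adapt REJECT_RE to the
# lines your own mail.log contains.
SAMPLE_LOG = """\
Oct 24 13:02:56 mail postfix/smtpd[411]: NOQUEUE: reject: RCPT from out1.mx.example.com[192.0.2.10]: 450 4.7.1 <bob@example.org>: deferred for 60 seconds due to greylisting
Oct 24 13:04:01 mail postfix/smtpd[411]: NOQUEUE: reject: RCPT from out2.mx.example.com[192.0.2.11]: 450 4.7.1 <bob@example.org>: deferred for 60 seconds due to greylisting
Oct 24 13:06:12 mail postfix/smtpd[412]: NOQUEUE: reject: RCPT from out7.mx.example.com[192.0.2.17]: 450 4.7.1 <bob@example.org>: deferred for 60 seconds due to greylisting
Oct 24 13:07:30 mail postfix/smtpd[412]: NOQUEUE: reject: RCPT from smtp3.mailer.example.co.uk[198.51.100.5]: 450 4.7.1 <amy@example.org>: deferred for 60 seconds due to greylisting
Oct 24 13:08:02 mail postfix/smtpd[413]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 4.7.1 <amy@example.org>: deferred for 60 seconds due to greylisting
Oct 24 13:08:40 mail postfix/smtpd[413]: connect from relay.example.net[198.51.100.77]
Oct 24 13:09:15 mail postfix/smtpd[414]: NOQUEUE: reject: RCPT from smtp4.mailer.example.co.uk[198.51.100.6]: 450 4.7.1 <amy@example.org>: deferred for 60 seconds due to greylisting
Oct 24 13:10:44 mail postfix/smtpd[414]: NOQUEUE: reject: RCPT from single.example.net[198.51.100.80]: 450 4.7.1 <amy@example.org>: deferred for 60 seconds due to greylisting
"""

REJECT_RE = re.compile(r"RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]")

# Small constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def greylisted_hosts(log_text):
    """Return the client hostnames of all greylisting deferrals, in order."""
    hosts = []
    for line in log_text.splitlines():
        if "greylisting" not in line.lower():
            continue
        match = REJECT_RE.search(line)
        # Postfix logs "unknown" when the client has no usable reverse DNS;
        # such clients cannot be matched by a domain entry anyway.
        if match is None or match.group("host") == "unknown":
            continue
        hosts.append(match.group("host").lower().rstrip("."))
    return hosts


def two_label_domain(host):
    """Last two labels only, as get_domain_name does for dotted names."""
    return ".".join(host.split(".")[-2:])


def registrable_domain(host):
    """Keep a third label when the last two form a known public suffix."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def whitelist_candidates(log_text, min_hosts=2):
    """Domains deferred from at least min_hosts distinct sending hosts.

    Many distinct hosts per domain is the pattern that defeats greylisting:
    each retry comes from a host the database has not seen yet.
    """
    hosts_by_domain = defaultdict(set)
    for host in greylisted_hosts(log_text):
        hosts_by_domain[registrable_domain(host)].add(host)
    ranked = [(d, len(h)) for d, h in hosts_by_domain.items() if len(h) >= min_hosts]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def overbroad_entries(entries):
    """Entries of a whitelist_domain file that are a whole public suffix."""
    return [e for e in entries if e.strip().lower() in MULTI_LABEL_SUFFIXES]


if __name__ == "__main__":
    for domain, host_count in whitelist_candidates(SAMPLE_LOG):
        print(f"{domain}: deferred from {host_count} different hosts")
    print("too broad:", overbroad_entries(["facebook.com", "co.uk"]))
```

Review each candidate before adding it: a whitelist_domain entry exempts every host that resolves under that name from greylisting.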
how can I change the messages that are greylisted or the time?
It says
for: 60 seconds due to greylisting
but sometimes it takes 15-20 mins until I get the message. Or is it depending also on the other server, I have tested it with google mail.
and why does it always greylist the same address, shouldn't it learn the addresses that are once accepted that it is ok?
rgds jan
using command line as sudo edit the main.cf at the line
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policy permit
remove the check_policy_service unix:private/policy
once done you will then have to lock the file because if you restart or a pigeon flies past the system puts it back in.
To lock a file enter #chflags nouchg main.cf -
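An added example (not from the original thread): a Python check that reports whether the effective smtpd_recipient_restrictions in a main.cf still calls check_policy_service unix:private/policy, so a scheduled job can notice when the server has put greylisting back. It follows the main.cf rules that a line starting with whitespace continues the previous one and that the last assignment of a parameter wins; both sample files are constructed.

```python
import re

# Constructed sample: greylisting removed by hand, old line left as a comment.
DISABLED = """\
#smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit
"""

# Constructed sample: a later assignment, split over a continuation line,
# has re-added the policy service after the hand-edited one.
REVERTED = """\
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit
mydomain = example.com
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,
    reject_unauth_destination,check_policy_service unix:private/policy permit
"""


def effective_params(main_cf_text):
    """Parse main.cf text into {parameter: value} with last-one-wins."""
    params = {}
    current = None
    for raw in main_cf_text.splitlines():
        # Blank lines and comment lines are ignored and do not end a
        # continued logical line.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Leading whitespace: continuation of the previous parameter.
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            current = None  # not a "name = value" line
            continue
        current = name.strip()
        params[current] = value.strip()  # a later assignment overrides
    return params


def policy_services(restrictions):
    """Return the argument of every check_policy_service in a restriction list."""
    tokens = re.split(r"[,\s]+", restrictions.strip())
    return [
        tokens[i + 1]
        for i, token in enumerate(tokens[:-1])
        if token == "check_policy_service"
    ]


def greylisting_enabled(main_cf_text, service="unix:private/policy"):
    """True if the effective recipient restrictions call the policy service."""
    value = effective_params(main_cf_text).get("smtpd_recipient_restrictions", "")
    return service in policy_services(value)


if __name__ == "__main__":
    for label, text in (("DISABLED", DISABLED), ("REVERTED", REVERTED)):
        state = "calls" if greylisting_enabled(text) else "does not call"
        print(f"{label}: {state} the greylisting policy service")
```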
Milter-greylist and Messaging Server
I have been using the milter-greylist for a long time on the sendmail servers and relays, and at least with the older releases I thought this milter only supports local sockets to interact with sendmail (and can listen on the network for peering with other milter-greylist instances). I reviewed the recent release's README, there's no notes of non-local sockets either.
The Wiki [http://msg.wikidoc.info/index.php/About_milter_plugin] suggests, however, that all milters may (and for Messaging Server - must) be configured on a networking socket. It also states that milter-greylist was tested as working with the Sun Messaging Server.
Can somebody please elaborate (ideally - write up a step-by-step how-to on the Wiki) how to integrate this milter with Sun MS, which versions are supported, where do we configure the network-listening socket (is it greylist config or libmilter config), etc.?
Thanks in advance :)
JimKlimov wrote:
The Wiki [http://msg.wikidoc.info/index.php/About_milter_plugin] suggests, however, that all milters may (and for Messaging Server - must) be configured on a networking socket. It also states that milter-greylist was tested as working with the Sun Messaging Server.
I hit this very issue when writing up the guide you refer to -- there is little in the way of information on the Internet regarding the sendmail milter library and getting the milter to listen on a non-unix socket.
Can somebody please elaborate (ideally - write up a step-by-step how-to on the Wiki) how to integrate this milter with Sun MS, which versions are supported, where do we configure the network-listening socket (is it greylist config or libmilter config), etc.?
For the milter-greylist I made the following change to the greylist.conf file:
replace:
socket "/var/milter-greylist/milter-greylist.sock"
with:
socket "inet:19025"
This causes the milter to listen on an INET port (19025 in this example) vs. a unix socket. You will find that a similar approach will work with other milters that use the sendmail milter library and this is why I mentioned it in the guide:
<snip>
3. Run the milter-server, configure it to run on the INET:<TCP port number> socket.
</snip>
As for writing up wiki's on supported versions and what-not (we don't support specific milters rather we support the milter interface) this is something I simply don't have the time to do. Feel free however to update the milter wiki page with your own testing results.
I did however fix up a number of broken links on the page -- it seems sendmail have moved their milter related information to a new site (milter.org) since I created the page.
If you are looking at greylisting addresses, I would recommend you consider using the following instead as it is far more efficient than calling out to a milter server for this purpose.
http://code.google.com/p/gross/wiki/readme
http://iamthek.com/archives/30
Regards,
Shane. -
Emails to/from server always bounce to some domains
Sorry if I'm posting this in the wrong place. I've wasted 2 full days and sporadic time throughout the last 3 weeks on this.
I recently migrated a site from Server 2003 to a new Windows Server 2008 server. Ever since the move, my emails to and from my email address bounce from the server. I've spent 3 weeks with tech support on both ends getting nowhere.
Here's a rundown of the problem and what I've done about it:
Problem 1: Email from my domain (call it mydomain .tld) sent to the new server (call it serverdomain .tld) always bounces
Emails sent from mydomain .tld to serverdomain .tld get bounced back INSTANTLY with the error "550-The mail server could not deliver mail to "user@ serverdomain .tld". The account or domain may not exist, they may be blacklisted, or missing the proper
dns entries."
Problem 2: Email from serverdomain .tld sent to mydomain .tld always bounces
Emails sent from serverdomain .tld directly to mydomain .tld always bounce back after a 5-10 second delay with the error "550 Sender verify failed."
All emails were sent directly from server to server using webmail interfaces.
Possible problems/solutions I've explored:
Spam Filtering:
The new server's mail server (SmarterMail 2010) has spam filter bouncing disabled. No blacklists or greylists are defined.
The server hosting my email account is a shared hosted server, so I don't have access to its spam settings, but I have been assured by their technical support that the server's IP address is not blacklisted or blocked in any way.
Blacklist tests at MXToolBox.org all come up clean.
SPF Records:
I have defined an SPF (TXT) record for the domain "v=spf1 ip4:xxx.xxx.xxx.xxx -all", which points to the IP address of the mail server / web server. I do not have a type (SPF) record as Windows Server doesn't have an option for this type of record.
SPF test passes without errors at www . kitterman.com/spf/validate.html. Test email through spf-test@ openspf.net returns no errors.
Reverse Lookup:
I have a working reverse IP set up and is confirmed by checking it at ipadmin.junkemailfilter.com/rdns.php that points back to serverdomain .tld.
Testing through Telnet actually works:
I followed the steps at technet.microsoft.com/en-us/library/bb123686.aspx to log into the SMTP server on the new server's end and was able to successfully send an email manually to the new server, even using the same email address that keeps failing to send
directly to the server.
Some observations from the logs:
When sending email from mydomain .tld to serverdomain .tld, NO LOG ENTRIES are created at serverdomain .tld. This leads me to believe something is blocking it before it ever connects to the server.
When sending email from serverdomain .tld to mydomain .tld, the following log entries are created:
13:02:50 [60055] Delivery started for user@ serverdomain .tld at 1:02:50 PM
13:02:53 [60055] Skipping spam checks: No local recipients
13:02:56 [60055] Sending remote mail for user@ serverdomain .tld
13:02:56 [60055] Initiating connection to xxx.xxx.xxx.xxx
13:02:56 [60055] Connecting to xxx.xxx.xxx.xxx:25 (Id: 1)
13:02:56 [60055] Connection to xxx.xxx.xxx.xxx:25 from xxx.xxx.xxx.xxx:65260 succeeded (Id: 1)
13:02:56 [60055] RSP: 220-mydomain-host.tld ESMTP Exim 4.77 #2 Wed, 24 Oct 2012 13:02:58 -0700
13:02:56 [60055] RSP: 220-We do not authorize the use of this system to transport unsolicited,
13:02:56 [60055] RSP: 220 and/or bulk e-mail.
13:02:56 [60055] CMD: EHLO serverdomain .tld
13:02:56 [60055] RSP: 250-mydomain-host.tld Hello serverdomain .tld [xxx.xxx.xxx.xxx]
13:02:56 [60055] RSP: 250-SIZE 52428800
13:02:56 [60055] RSP: 250-AUTH PLAIN LOGIN
13:02:56 [60055] RSP: 250-STARTTLS
13:02:56 [60055] RSP: 250 HELP
13:02:56 [60055] CMD: MAIL FROM:<user@ serverdomain .tld> SIZE=951
13:02:56 [60055] RSP: 250 OK
13:02:56 [60055] CMD: RCPT TO:<user@ mydomain .tld>
13:02:57 [60055] RSP: 550-Verification failed for <user@ serverdomain .tld>
13:02:57 [60055] RSP: 550-The mail server could not deliver mail to user@ serverdomain .tld. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
13:02:57 [60055] RSP: 550 Sender verify failed
13:02:57 [60055] CMD: QUIT
13:02:57 [60055] RSP: 221 mydomain-host.tld closing connection
13:02:57 [60055] Bounce email written to 851023860056.eml
13:02:57 [60055] Delivery for user@ serverdomain .tld to user@ mydomain .tld has completed (Bounced)
13:02:59 [60056] Delivery started for at 1:02:59 PM
13:02:59 [60055] Delivery finished for user@ serverdomain .tld at 1:02:59 PM [id:851023860055]
13:03:02 [60056] Skipping spam checks: Internally Generated Message
13:03:05 [60056] Starting local delivery to user@ serverdomain .tld
13:03:05 [60056] Delivery for to user@ serverdomain .tld has completed (Delivered) Filter: None
13:03:05 [60056] End delivery to user@ serverdomain .tld
13:03:05 [60056] Delivery finished for at 1:03:05 PM [id:851023860056]
Configuration:
The new server uses Windows Server 2008 for DNS.
The mail server is also hosted at the same IP as the DNS server.
DNS Records for Serverdomain .tld:
[All xxx.xxx.xxx.xxx IP addresses point to the server's IP address]
Forward Lookup Zone: Serverdomain .tld
(same as parent folder) (SOA) 57, servername., hostmaster.
(same as parent folder) (NS) servername
(same as parent folder) (MX) [10] xxx.xxx.xxx.xxx
(same as parent folder) (TXT) v=spf1 ip4:xxx.xxx.xxx.xxx -all
* (A) xxx.xxx.xxx.xxx
mail (A) xxx.xxx.xxx.xxx
mail (MX) [10] xxx.xxx.xxx.xxx
mail (TXT) v=spf1 ip4:xxx.xxx.xxx.xxx -all
ns1 (A) xxx.xxx.xxx.xxx
ns2 (A) xxx.xxx.xxx.xxx
www (A) xxx.xxx.xxx.xxx
Reverse Lookup Zone: xxx.xxx.xxx.in-addr.arpa (syntax of IP is backwards, does not include last 3 digits)
(same as parent folder) (SOA) 10, servername., hostmaster.
(same as parent folder) (NS) servername
xxx.xxx.xxx.xxx (PTR) Serverdomain .tld
I'm totally at a loss. This is not just blocking email to/from me, but it has blocked email to at least one other domain name as well. I can get no useful help from tech support on either end.
(I had to put spaces in all links in this post because it wouldn't let me post links. Also, this forum crashes every single time I try to post in IE9, but works fine in FireFox. How ironic is that...)
I can only help with Exchange, but generally speaking, that line;
13:02:57 [60055] RSP: 550-The mail server could not deliver mail to user@ serverdomain .tld. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
Means the server checked the GAL (its global address book) and it refused it. It's usually a simple antispam and antirelay configuration. The strange thing is the log after, that the email is received...
That leads me to think the antispam software/hardware is badly configured, and for a reason X, it does not block the email from passing by its filter. So yes, their answer is correct, but that means all email is filtered in some way, so it's not correct in some way too.
Did they configure your domain alias correctly and such basic information? I have a big doubt at this point.
Run some wireshark to be sure the problem is not in your CIE, and after pass that to their IT's tech, if the email is sent correctly, and you receive a server answer back, then something in their config is not ok.
Don't forget that if the packet X is sent on your WAN to their datacenter, they are responsible for the correct receiving when it enters their datacenter.
(edited: A last point; don't forget they HAVE to run an antispam box, as the MX is the same IP, so basically the antispam box dispatches the email to the correct server (like check
https://www.barracudanetworks.com/ns/downloads/Setup_Guides/Barracuda_Email_Security_Service_SG_US.pdf) you will see what I mean, a list of domain and server)
MCP | MCTS 70-236: Exchange Server 2007, Configuring
Want to follow me ? | Blog:
http://www.jabea.net | http://blogs.technet.com/b/wikininjas/ -
So after purchasing my new Xserve which i will be using as my company's primary mail server.
i own a domain hosted by my ISP, and I have a static IP. I have also purchased a sonicwall pro 2040 firewall and have opened up the ports needed for the mail service smtp, pop, imap and web for webmail.
I have already configured the MX and A settings with my ISP DNS server.
i will be using an example.com as my domain.
My current settings are,
Computer Name : mail.example.com
In Computer Services under Mail i have the following things checked off.
General (the list below i have checked off)
-> Enable Pop
-> Enable SMTP
-> Allow incoming mail
domain :example.com
hostname : mail.example.com
Relay (the list below i have checked off)
-> Accept SMTP relays only from these hosts and networks
127.0.0.1/32
my static ip
my mail server local lan address
-> Use these junk mail rejection servers
zen.spamhaus.org
Filters (the list below i have checked off)
-> Scan email for Junk @ 5 junk score
-> Scan email for virus and delete
-> update the junk mail and virus 1 time a day
Quotas
-> Refuse incoming mail larger the 25MB
Advanced
Not sure what i should do here, my staff will be accessing email from all over north america and ideas i have played around a bit but nothing makes me able to set a mail client up to my server.
Hosting -> local host and my domain.
In my log files for mail access its also says empty option value on line 15 of the config file.
Anyone have any ideas.
You might also want to harden OSX.4 Tiger server against spam. I wrote an article which details implementing greylisting, blackholes, backscatter filtering, checking the sending mail server, recipient and email content. This supplements the anti-virus and spam checks already included in OSX Server to significantly reduce spam received and load on the mail server.
Go http://happymac.info/node/10 -
10.6 Clean server Junk Mail Says Stopped
Hello,
I migrated from 10.4 and had all sorts of troubles so I started with a clean 10.4 server, imported users and groups and brought the email back without touching the settings to stay clean. Ran the upgrade to 10.6 and updates.
Now the server says Junk Mail Filtering and Virus Filtering stopped in the overview. In settings I have a hyphen in junkmail and a full tick in virus.
Because of many complaints of greylisting I disable that. (osx.topicdesk.com)
Any ideas for the stopped condition. The main.cf looks cluttered, I haven't seen that much in the cf before...
mailbox_size_limit = 0
smtpd_tls_key_file =
myhostname = services
mailbox_transport = dovecot
mynetworks = 127.0.0.1/32,10.0.1.0/24
mydomain = sunstudiosaustralia.com
enable_server_options = yes
smtpd_sasl_auth_enable = yes
smtpd_use_pw_server = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit
smtpd_pw_server_security_options = login,plain,cram-md5
message_size_limit = 20971520
mydestination = $myhostname, localhost.$mydomain, localhost, sunstudiosaustralia.com, sunstudiosaustralia.com.au, sunstudios.com.au
virtual_alias_maps =
content_filter = smtp-amavis:[127.0.0.1]:10024
nested_header_checks = $header_checks
smtp_connection_cache_time_limit = 2s
lmtp_rcpt_timeout = 300s
tls_export_cipherlist = ALL:+RC4:@STRENGTH
smtp_sasl_auth_cache_name =
check_for_od_forward = yes
default_verp_delimiters = +=
showq_service_name = showq
smtp_enforce_tls = no
milter_macro_daemon_name = $myhostname
smtpd_tls_security_level =
command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
smtpd_tls_mandatory_exclude_ciphers =
milter_connect_timeout = 30s
local_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
default_delivery_slot_loan = 3
smtp_destination_recipient_limit = $default_destination_recipient_limit
default_transport = smtp
lmtp_defer_if_no_mx_address_found = no
lmtp_pix_workaround_maps =
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
lmtp_tls_enforce_peername = yes
lmtp_tls_fingerprint_digest = md5
flush_service_name = flush
non_fqdn_reject_code = 504
smtpd_tls_req_ccert = no
lmtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
ipc_idle = 5s
smtp_discard_ehlo_keyword_address_maps =
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
address_verify_map =
lmtp_tls_key_file = $lmtp_tls_cert_file
smtpd_enforce_tls = no
connection_cache_status_update_time = 600s
always_bcc =
smtpd_starttls_timeout = 300s
berkeley_db_create_buffer_size = 16777216
forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
smtpd_client_port_logging = no
myorigin = $myhostname
smtp_tls_per_site =
default_recipient_refill_delay = 5s
lmtp_pix_workaround_delay_time = 10s
lmtp_sasl_type = cyrus
deliver_lock_delay = 1s
lmtp_tls_loglevel = 0
local_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
lmtp_send_xforward_command = no
smtp_tls_secure_cert_match = nexthop, dot-nexthop
undisclosed_recipients_header = To: undisclosed-recipients:;
dont_remove = 0
sender_canonical_maps =
smtpd_policy_service_max_idle = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_null_access_lookup_key =
bounce_size_limit = 50000
tls_random_exchange_name = ${data_directory}/prng_exch
milter_connect_macros = j {daemon_name} v
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
virtual_initial_destination_concurrency = $initial_destination_concurrency
smtp_sasl_mechanism_filter =
alias_database = hash:/etc/aliases
smtp_sasl_auth_soft_bounce = yes
fallback_transport_maps =
reject_code = 554
cleanup_service_name = cleanup
lmtp_tls_session_cache_database =
unverified_recipient_reject_code = 450
lmtp_lhlo_name = $myhostname
qmgr_message_recipient_minimum = 10
relayhost = smtp.iprimus.com.au
smtpd_banner = $myhostname ESMTP $mail_name
virtual_alias_domains = $virtual_alias_maps
mail_release_date = 20080902
lmtp_mail_timeout = 300s
smtpd_use_tls = no
smtpd_tls_loglevel = 0
smtpd_tls_cert_file =
lmtp_pix_workaround_threshold_time = 500s
tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
transport_maps =
smtp_bind_address6 =
resolve_numeric_domain = no
default_recipient_refill_limit = 100
tls_daemon_random_bytes = 32
smtp_rset_timeout = 20s
smtpd_discard_ehlo_keywords =
smtp_sasl_type = cyrus
cyrus_sasl_config_path =
qmqpd_timeout = 300s
anvil_rate_time_unit = 60s
smtpd_sasl_authenticated_header = no
virtual_mailbox_base =
virtual_uid_maps =
tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
relay_domains = $mydestination
relay_domains_reject_code = 554
address_verify_negative_cache = yes
lmtp_nested_header_checks =
tls_random_prng_update_period = 3600s
smtp_pix_workaround_threshold_time = 500s
relay_clientcerts =
smtp_tls_dcert_file =
smtpd_authorized_xforward_hosts =
delay_notice_recipient = postmaster
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
anvil_status_update_time = 600s
virtual_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_exclude_ciphers =
local_initial_destination_concurrency = $initial_destination_concurrency
smtp_connection_reuse_time_limit = 300s
duplicate_filter_limit = 1000
queue_file_attribute_count_limit = 100
mail_spool_directory = /var/mail
local_command_shell =
proxy_interfaces =
unknown_relay_recipient_reject_code = 550
address_verify_relay_transport = $relay_transport
smtp_generic_maps =
smtpd_policy_service_max_ttl = 1000s
virtual_gid_maps =
smtp_fallback_relay = $fallback_relay
relay_destination_recipient_limit = $default_destination_recipient_limit
local_header_rewrite_clients = permit_inet_interfaces
smtp_tls_note_starttls_offer = no
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
bounce_notice_recipient = postmaster
default_destination_concurrency_negative_feedback = 1
authorized_mailq_users = static:anyone
smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtp_helo_timeout = 300s
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
tls_random_bytes = 32
local_destination_recipient_limit = 1
mail_name = Postfix
smtpd_discard_ehlo_keyword_address_maps =
mailbox_delivery_lock = flock, dotlock
sender_canonical_classes = envelope_sender, header_sender
debug_peer_list =
smtp_tls_mandatory_ciphers = medium
strict_mailbox_ownership = yes
lmtp_header_checks =
unknown_hostname_reject_code = 450
message_strip_characters =
smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
lmtp_tls_CApath =
process_id_directory = pid
smtpd_client_connection_rate_limit = 0
smtpd_client_connection_count_limit = 50
address_verify_service_name = verify
non_smtpd_milters =
maximal_backoff_time = 4000s
transport_retry_time = 60s
qmgr_clog_warn_time = 300s
lmtp_tls_verify_cert_match = hostname
config_directory = /etc/postfix
smtpd_recipient_overshoot_limit = 1000
milter_unknown_command_macros =
hash_queue_depth = 1
address_verify_transport_maps = $transport_maps
defer_service_name = defer
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_CAfile =
tls_random_reseed_period = 3600s
luser_relay =
prepend_delivered_header = command, file, forward
qmqpd_error_delay = 1s
virtual_transport = virtual
smtpd_junk_command_limit = 100
line_length_limit = 2048
smtpd_sasl_path = smtpd
resolve_null_domain = no
smtpd_tls_ccert_verifydepth = 9
lmtp_body_checks =
smtp_tls_exclude_ciphers =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
lmtp_randomize_addresses = yes
virtual_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
queue_minfree = 0
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
lmtp_tls_security_level =
forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
bounce_template_file =
application_event_drain_time = 100s
smtp_send_xforward_command = no
virtual_minimum_uid = 100
lmtp_tls_cert_file =
lmtp_sasl_path =
smtp_use_tls = no
smtpd_noop_commands =
lmtp_host_lookup = dns
canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
daemon_timeout = 18000s
data_directory = /var/lib/postfix
address_verify_default_transport = $default_transport
lmtp_connection_cache_time_limit = 2s
smtp_tls_enforce_peername = yes
smtpd_soft_error_limit = 10
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
ipc_timeout = 3600s
recipient_canonical_classes = envelope_recipient, header_recipient
smtpd_sasl_type = cyrus
masquerade_exceptions =
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
frozen_delivered_to = yes
relay_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
virus_db_last_update = 2009-07-09 15:07:59 +1000
lmtp_destination_recipient_limit = $default_destination_recipient_limit
spam_domain_name = sunstudiosaustralia.com
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtp_quit_timeout = 300s
default_extra_recipient_limit = 1000
mime_header_checks = $header_checks
smtp_sasl_tls_security_options = $smtp_sasl_security_options
bounce_service_name = bounce
ipc_ttl = 1000s
address_verify_positive_refresh_time = 7d
lmtp_tcp_port = 24
lmtp_initial_destination_concurrency = $initial_destination_concurrency
pickup_service_name = pickup
receive_override_options =
smtp_tls_session_cache_database =
virtual_alias_expansion_limit = 1000
default_delivery_slot_discount = 50
fast_flush_domains = $relay_domains
relocated_maps =
smtp_tls_fingerprint_digest = md5
relay_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
smtpd_delay_open_until_valid_rcpt = yes
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_destination_rate_delay = $default_destination_rate_delay
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
smtp_line_length_limit = 990
header_size_limit = 102400
lmtp_connection_cache_on_demand = yes
header_checks = pcre:/etc/postfix/custom_header_checks
tls_random_source =
smtp_sasl_path =
fallback_transport =
smtpd_history_flush_threshold = 100
backwards_bounce_logfile_compatibility = yes
smtpd_tls_mandatory_ciphers = medium
smtp_tls_CApath =
qmgr_message_recipient_limit = 20000
connection_cache_service_name = scache
relay_destination_concurrency_limit = $default_destination_concurrency_limit
in_flow_delay = 1s
milter_end_of_header_macros = i
smtp_initial_destination_concurrency = $initial_destination_concurrency
lmtp_tls_per_site =
smtpd_proxy_timeout = 100s
lmtp_discard_lhlo_keywords =
lmtp_tls_scert_verifydepth = 9
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
smtp_sasl_password_maps =
smtp_starttls_timeout = 300s
tls_null_cipherlist = eNULL:!aNULL
unverified_sender_reject_code = 450
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
lmtp_enforce_tls = no
hopcount_limit = 50
smtpd_forbidden_commands = CONNECT GET POST
message_reject_characters =
lmtp_sasl_auth_cache_time = 90d
unknown_address_reject_code = 450
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtp_tls_security_level =
lmtp_quote_rfc821_envelope = yes
lmtp_tls_note_starttls_offer = no
default_destination_concurrency_limit = 20
local_transport = local:$myhostname
permit_mx_backup_networks =
smtp_tls_policy_maps =
lmtp_mime_header_checks =
lmtp_line_length_limit = 990
lmtp_tls_mandatory_exclude_ciphers =
smtp_nested_header_checks =
lmtp_xforward_timeout = 300s
send_cyrus_sasl_authzid = no
smtp_xforward_timeout = 300s
lmtp_mx_session_limit = 2
address_verify_negative_expire_time = 3d
smtpd_client_message_rate_limit = 0
smtp_mx_session_limit = 2
header_address_token_limit = 10240
smtp_rcpt_timeout = 300s
smtpd_tls_dcert_file =
mime_nesting_limit = 100
lmtp_bind_address6 =
relay_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
connection_cache_protocol_timeout = 5s
error_service_name = error
virtual_destination_concurrency_limit = $default_destination_concurrency_limit
lmtp_rset_timeout = 20s
smtp_tls_session_cache_timeout = 3600s
notify_classes = resource, software
smtpd_timeout = 300s
virtual_mailbox_maps =
alias_maps = hash:/etc/aliases
sender_bcc_maps =
execution_directory_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
lmtp_tls_dcert_file =
default_recipient_limit = 20000
virtual_mailbox_lock = fcntl, dotlock
authorized_flush_users = static:anyone
lmtp_connection_reuse_time_limit = 300s
double_bounce_sender = double-bounce
relay_recipient_maps =
smtp_pix_workaround_maps =
maximal_queue_lifetime = 5d
smtpd_tls_always_issue_session_ids = yes
smtp_defer_if_no_mx_address_found = no
address_verify_sender = $double_bounce_sender
lmtp_mx_address_limit = 5
smtpd_tls_CApath =
stale_lock_time = 500s
smtpd_tls_dh1024_param_file =
trace_service_name = trace
default_destination_concurrency_positive_feedback = 1
smtp_mx_address_limit = 5
default_privs = nobody
deliver_lock_attempts = 20
lmtp_starttls_timeout = 300s
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
lmtp_cname_overrides_servername = no
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_data_xfer_timeout = 180s
smtpd_client_new_tls_session_rate_limit = 0
lmtp_sasl_auth_cache_name =
lmtp_tls_secure_cert_match = nexthop
smtp_tls_loglevel = 0
milter_end_of_data_macros = i
smtpd_reject_unlisted_recipient = yes
command_execution_directory =
authorized_submit_users = static:anyone
syslog_name = postfix
smtpd_end_of_data_restrictions =
lmtp_generic_maps =
default_minimum_delivery_slots = 3
smtp_helo_name = $myhostname
access_map_reject_code = 554
lmtp_sasl_mechanism_filter =
lmtp_sasl_auth_soft_bounce = yes
lmtp_sender_dependent_authentication = no
address_verify_relayhost = $relayhost
smtpd_tls_received_header = no
smtp_mime_header_checks =
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
smtpd_tls_dh512_param_file =
rewrite_service_name = rewrite
mailbox_transport_maps =
error_notice_recipient = postmaster
milter_content_timeout = 300s
smtpd_error_sleep_time = 1s
destination_concurrency_feedback_debug = no
fault_injection_code = 0
internal_mail_filter_classes =
smtpd_peername_lookup = yes
lmtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
propagate_unmatched_extensions = canonical, virtual
unknown_virtual_mailbox_reject_code = 550
smtp_mail_timeout = 300s
smtpd_authorized_xclient_hosts =
address_verify_positive_expire_time = 31d
delay_logging_resolution_limit = 2
qmgr_fudge_factor = 100
lmtp_data_xfer_timeout = 180s
max_use = 100
milter_data_macros = i
maps_rbl_reject_code = 554
qmqpd_authorized_clients =
allow_mail_to_commands = alias, forward
relay_transport = relay
bounce_queue_lifetime = 5d
masquerade_domains =
smtp_sender_dependent_authentication = no
smtpd_sender_login_maps =
lmtp_tls_CAfile =
address_verify_poll_delay = 3s
smtp_discard_ehlo_keywords =
delay_warning_time = 0h
smtp_connect_timeout = 30s
smtp_tls_mandatory_exclude_ciphers =
service_throttle_time = 60s
milter_default_action = tempfail
smtp_data_init_timeout = 120s
detect_8bit_encoding_header = yes
2bounce_notice_recipient = postmaster
default_delivery_slot_cost = 5
smtp_tls_verify_cert_match = hostname
qmqpd_client_port_logging = no
smtpd_tls_ask_ccert = no
masquerade_classes = envelope_sender, header_sender, header_recipient
qmgr_message_active_limit = 20000
address_verify_local_transport = $local_transport
lmtp_tls_fingerprint_cert_match =
connection_cache_ttl_limit = 2s
smtpd_etrn_restrictions =
virtual_destination_rate_delay = $default_destination_rate_delay
export_environment = TZ MAIL_CONFIG LANG
lmtp_tls_exclude_ciphers =
virtual_alias_recursion_limit = 1000
stress =
smtpd_hard_error_limit = 20
smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
smtp_connection_cache_on_demand = yes
smtp_tls_key_file = $smtp_tls_cert_file
trigger_timeout = 10s
address_verify_poll_count = 3
fast_flush_refresh_time = 12h
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_proxy_ehlo = $myhostname
relay_destination_rate_delay = $default_destination_rate_delay
lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
mail_version = 2.5.5
relay_initial_destination_concurrency = $initial_destination_concurrency
remote_header_rewrite_domain =
max_idle = 100s
mailbox_command_maps =
empty_address_relayhost_maps_lookup_key =
default_destination_concurrency_failed_cohort_limit = 1
multi_recipient_bounce_reject_code = 550
smtpd_sasl_exceptions_networks =
smtpd_tls_auth_only = no
use_od_delivery_path = no
verp_delimiter_filter = -=+
smtpd_sender_restrictions =
smtp_pix_workaround_delay_time = 10s
smtp_data_done_timeout = 600s
smtpd_restriction_classes =
mailbox_command =
lmtp_data_init_timeout = 120s
recipient_bcc_maps =
smtpd_tls_session_cache_database =
virtual_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
allow_mail_to_files = alias, forward
address_verify_negative_refresh_time = 3h
lmtp_tls_policy_maps =
lmtp_lhlo_timeout = 300s
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_mandatory_ciphers = medium
plaintext_reject_code = 450
initial_destination_concurrency = 5
lmtp_quit_timeout = 300s
smtpd_client_recipient_rate_limit = 0
smtpd_proxy_filter =
tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
default_database_type = hash
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
smtp_sasl_auth_cache_time = 90d
fast_flush_purge_time = 7d
local_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
body_checks_size_limit = 51200
smtp_body_checks =
smtp_header_checks =
unknown_client_reject_code = 450
lmtp_discard_lhlo_keyword_address_maps =
empty_address_recipient = MAILER-DAEMON
lmtp_skip_5xx_greeting = yes
smtp_destination_rate_delay = $default_destination_rate_delay
berkeley_db_read_buffer_size = 131072
virtual_mailbox_limit = 51200000
invalid_hostname_reject_code = 501
smtpd_sasl_security_options = noanonymous
address_verify_virtual_transport = $virtual_transport
inet_protocols = ipv4
default_process_limit = 100
smtp_sasl_security_options = noplaintext, noanonymous
smtp_host_lookup = dns
fork_delay = 1s
smtpd_reject_unlisted_sender = no
defer_code = 450
lmtp_connect_timeout = 0s
local_destination_rate_delay = $default_destination_rate_delay
lmtp_data_done_timeout = 600s
milter_protocol = 2
lmtp_connection_cache_destinations =
smtpd_data_restrictions =
smtp_tls_scert_verifydepth = 9
smtp_tls_CAfile =
milter_command_timeout = 30s
smtpd_tls_session_cache_timeout = 3600s
smtpd_milters =
syslog_facility = mail
smtp_tls_fingerprint_cert_match =
defer_transports =
enable_original_recipient = yes
fork_attempts = 5
use_getpwnam_ext = yes
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
default_destination_rate_delay = 0s
milter_rcpt_macros = i {rcpt_addr}
maps_rbl_domains =
smtp_quote_rfc821_envelope = yes
command_time_limit = 1000s
default_destination_recipient_limit = 50
lmtp_use_tls = no
smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
smtp_tls_cert_file =
smtpd_policy_service_timeout = 100s
queue_service_name = qmgr
hash_queue_names = deferred,defer
smtp_cname_overrides_servername = no
smtpd_tls_fingerprint_digest = md5
lmtp_bind_address =
milter_macro_v = $mail_name $mail_version
smtpd_recipient_limit = 1000
mime_boundary_length_limit = 2048
smtp_connection_cache_destinations =
smtpd_tls_wrappermode = no
queue_run_delay = 300s
minimal_backoff_time = 300s
local_destination_concurrency_limit = 2
virtual_mailbox_domains = $virtual_mailbox_maps
lmtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
unknown_virtual_alias_reject_code = 550
virtual_destination_recipient_limit = $default_destination_recipient_limit
best_mx_transport =
sender_dependent_relayhost_maps =
rbl_reply_maps =
smtpd_helo_required = yes
owner_request_special = no
recipient_delimiter = +
I had to rebuild my mailserver from scratch. I think that if you modded the main.cf and/or master.cf files in postfix, then that prevents you from using Server Admin to make changes to your setup. I.e., once you go manual, you're outside of SA for good. Then when you migrate to SLS it copies over the old config files. I was able to get it working by using the default main.cf file, but then I ended up just setting up the whole thing again.
Interestingly today virus checking stopped working. Or rather it was unable to update itself. I was able to turn off the virus filter, reload postfix, and turn it back on, reload postfix, then it started working again. So, after a fresh from scratch install, SA works just fine. Lesson: don't manually monkey with your main.cf file or (in your case possibly) migrate from a manually altered one. -
I am having a major problem since moving to 10.6 mail system. A lot of my mail is being bounced and never received, my logs are indicating this error,
NOQUEUE: reject: RCPT from mail2.onlineregister.com[207.66.2.58]: 554 5.7.1 <[email protected]>: Relay access denied;
This server still has 10.5 server on its own RAID because I'm having to basically boot 10.5 up because that mail server works properly with no problems but I understand 10.6 has a completely different mail system.
Any ideas on how to troubleshoot? I have not made any DNS changes and set up this OS with the exact DNS info as previous, so I'm stumped as to what's possibly configured wrong. I have read numerous threads on greylisting, but is this the cause of the problem? It doesn't make sense to turn it off if it has a specific purpose.
server:~ srvadmin$ postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps =
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 20971520
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain
mydomain_fallback = localhost
myhostname = server.mydomain.ca
mynetworks = 127.0.0.0/31,10.0.0.0/24
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr reject_rbl_client zen.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = cram-md5
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/server.mydomain.ca.xxxxxxxxxxxxxxxxxAD6F994791FF96FBE9962.chain.pem
smtpd_tls_cert_file = /etc/certificates/server.mydomain.ca.xxxxxxxxxxxxxxxxxAD6F994791FF96FBE9962.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/server.mydomain.ca.xxxxxxxxxxxxxxxxxAD6F994791FF96FBE9962.key.pem
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
Thank you.
I made a couple of changes to the main.cf file.
Before:
mydomain = mydomain
mydestination = $myhostname, localhost.$mydomain, localhost,
After:
mydomain = mydomain.ca
mydestination = $myhostname, localhost.$mydomain, localhost, server.mydomain.ca
Now email from my work account is going through. At first I removed greylisting too, but commented out the change and left it as default. It's still working, but some emails are delayed, which is OK; it's the complete bouncing I'm concerned with. Time will tell today, as I have hardly been getting any email, which was unusual. -
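The 554 "Relay access denied" line in the log above is the reply Postfix gives from reject_unauth_destination, while greylisting only defers mail with a temporary 4xx code. The following is an added example (not code from any poster in this thread) that expands the $mydomain/$myhostname references in the posted settings and shows which step of smtpd_recipient_restrictions decides for an outside sender. The recipient domain mydomain.ca is an assumption, because the address in the log line is obscured, and the function names are made up for this sketch.

```python
import re

# Constructed sample: the relevant lines of the `postconf -n` output posted above.
POSTCONF_N = """\
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain
myhostname = server.mydomain.ca
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
"""

def parse(text):
    """Turn `name = value` lines into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def expand(params, value, depth=0):
    """Resolve $name / ${name} references; an unset parameter expands to nothing."""
    if depth > 10:
        raise ValueError("recursive parameter reference")
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params, params.get(m.group(1), ""), depth + 1),
                  value)

def domain_list(params, name, default=""):
    raw = expand(params, params.get(name, default))
    return {d.lower() for d in re.split(r"[,\s]+", raw) if d}

def accepted_domains(params):
    """Recipient domains that pass reject_unauth_destination.
    Not modelled: lookup tables, subdomain matching, address literals."""
    return (domain_list(params, "mydestination")
            | domain_list(params, "relay_domains", "$mydestination")
            | domain_list(params, "virtual_alias_domains")
            | domain_list(params, "virtual_mailbox_domains"))

def rcpt_verdict(params, rcpt_domain):
    """First decisive restriction for a client that is neither authenticated
    nor in mynetworks (so the permit_* shortcuts do not apply)."""
    raw = expand(params, params.get("smtpd_recipient_restrictions", ""))
    tokens = raw.replace(",", " ").split()
    for i, tok in enumerate(tokens):
        if tok == "reject_unauth_destination":
            if rcpt_domain.lower() not in accepted_domains(params):
                return "relay-denied"          # logged as 554 5.7.1 Relay access denied
        elif tok == "check_policy_service" and i + 1 < len(tokens):
            return "policy:" + tokens[i + 1]   # greylisting decides; may defer
        elif tok == "permit":
            return "permit"
    return "no-decision"

if __name__ == "__main__":
    posted = parse(POSTCONF_N)
    fixed = dict(posted, mydomain="mydomain.ca")   # assumed real domain name
    for label, cfg in (("posted", posted), ("mydomain corrected", fixed)):
        print(label, sorted(accepted_domains(cfg)), rcpt_verdict(cfg, "mydomain.ca"))
```

With the posted values, $mydomain expands to the bare word "mydomain", so mail for mydomain.ca is refused before the greylisting policy service is ever consulted. If greylisting is removed from the list, reject_unauth_destination still has to stay ahead of the final permit.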
Hi
For four days now I've been having a frustrating time with Mail on both my iMac and my old iBook. This has been happening on different wireless networks. I send an email from my main account, which is an IMAP account. I see the gear next to 'sending spin' for about ten seconds, then the progress bar goes to 99% in 'mail activity' ('outgoing mail'), then the email pops onto the screen with a delivery failure and I get given a choice of mail servers to choose to try again. Here's the thing - I select the very same server that the account in question is configured to use, and the email then goes instantaneously. This is happening with every single email I send on this account, the smtp details are configured correctly, but no email will go the first time.
I sync my mail rules etc. on mobileme, which is perhaps why this is happening on both of my machines, and the behaviour started on both at the same time, though they've both had the same mail smtp configuration for that account, unchanged, for over a year without any issues.
What's happening, and how do I get mail to work as it did?
You might also want to harden OSX.4 Tiger server against spam. I wrote an article which details implementing greylisting, blackholes, backscatter filtering, checking the sending mail server, recipient and email content. This supplements the anti-virus and spam checks already included in OSX Server to significantly reduce spam received and load on the mail server.
Go http://happymac.info/node/10 -
Education or companies using Apple's mail server
I am thinking of using the mail services in OS X Snow Leopard Server.
I would like to know how many server admins lurking here are using Apple's mail server in a production environment?
if you're already using cyrus and squirrelmail, then you may not see much difference using the mail services built into os x server.
the only thing specifically "apple" about it is the gui for configuring the service (server admin), but if you want to do any serious configuration, you're going to use the command line anyway.
it's all postfix, dovecot, greylisting, spamassassin, clamAV, and squirrelmail under the hood.
you should read the docs here before making any decisions: http://images.apple.com/server/macosx/docs/MailService_Adminv10.6.pdf