Postfix Questions

Posted on 2013-06-22
Last Modified: 2013-07-02
Hi,

Thank you for looking at my question.
I have a new server with postfix setup + amavisd-new + clamav, etc.

All is running fine and works well. However, I made this "Domain Health Report" with ultratools.com and there are a few things I cannot figure out, and I wonder if someone has the answer for me.

The main thing is that there should be a hostmaster, abuse and postmaster email for all domains. I have 100 domains on the machine and wonder if I can map one abuse address that works for all domains.

I thought something like:

abuse           root

would work but it apparently does not.
What is the best practice or do I really have to do 100 mappings?

Secondly I get a warning on my test:
The mail server at xxx.xxx.xxx.xxx responded with a banner that included neither the IP address or the host name.
The mail server at xxx.xxx.xxx.xxx responded with a banner that does not contain Service Ready.

I have:
smtpd_banner = $myhostname ESMTP $mail_name
I am not sure why it gives this error, and I also do not know why it possibly would not show Service Ready.

Any assistance on this would be very welcome.

Best wishes,
Thomas
Question by:Thomanji
 
LVL 19

Expert Comment

by:bevhost
ID: 39267715
You didn't really provide enough information to answer the question.
How are your mailboxes configured?

See http://www.postfix.org/VIRTUAL_README.html

If you are using unix accounts with shared domains,
then your config above should work.

If you have 100 domains, I'm going to assume that you are using virtual domains,
in which case you will have to create a map for each domain.

If you're storing the maps in SQL, then you should be able to insert the maps easily.
 
LVL 3

Expert Comment

by:rajeev2353
ID: 39267720
hi,
you can install postfixadmin package for graphical control of domain with mysql
 

Author Comment

by:Thomanji
ID: 39267879
Hi,

Thank you both for the answer.
I am running CentOS 6 with postfix.
It's not really about the domains but mainly about whether it is possible to set up something like

send emails addressed to postmaster@ any host to user root
e.g.:
something like:

postmaster@*     root
But I assume this does not work

It's not really about the work to set it up but about all these entries, which would be about 300 if we calculate what is needed to be compliant for 100 domains.

Any idea on the second part of the question:
Secondly I get a warning on my test:
The mail server at xxx.xxx.xxx.xxx responded with a banner that included neither the IP address or the host name.
The mail server at xxx.xxx.xxx.xxx responded with a banner that does not contain Service Ready.

I have:
smtpd_banner = $myhostname ESMTP $mail_name
I am not sure why it gives this error, and I also do not know why it possibly would not show Service Ready.

Best wishes,
Thomas
 
LVL 76

Expert Comment

by:arnold
ID: 39267963
SMTP/ESMTP only requires postmaster account on the mail server domain, FQDN.
Similarly for the abuse account.

Is your postfix using a mysql backend for users?
The alias map where you add the postmaster@ rule is likely to be superseded by the catch-all configuration of the 100 domains.
 
LVL 19

Expert Comment

by:bevhost
ID: 39268336
The warnings with xxx.xxx.xxx.xxx are most probably because your reverse DNS PTR record does not match any forward A lookups for your machine.
Here is an example of a machine with matching hostname, A record and PTR record:
root@server ~ # host box4.bevhost.net
box4.bevhost.net has address 96.9.149.85
root@server ~ # host 96.9.149.85
85.149.9.96.in-addr.arpa domain name pointer box4.bevhost.net.
root@server ~ # telnet box4.bevhost.net 25
Trying 96.9.149.85...
Connected to box4.bevhost.net.
Escape character is '^]'.
220 box4.bevhost.net ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@server ~ #

This machine accepts mail for lots of domains,
but its own domain is the one that matches everywhere.
 
LVL 19

Assisted Solution

by:bevhost
bevhost earned 150 total points
ID: 39268338
I agree that you probably don't need abuse@ and postmaster@ all 100 domains.

There WAS an RBL called rfc-ignorant.org which was used by people to block mail from domains that had no abuse@ or postmaster@; however, that RBL has been shut down completely and I don't think that this is an issue anymore.

On the other hand, if you own a block of IP addresses, then there should be an abuse email listed in the whois data for the block of IPs, but not anywhere else to my knowledge.

If someone can point me to a recent RFC that indicates otherwise then that would be interesting to see, but I don't think this is much of a requirement in practice.

 
LVL 76

Expert Comment

by:arnold
ID: 39268457
It was a while back, but the rbl rfc-ignorant only dealt with mail servers that did not have a postmaster/abuse mailbox.  I think the test was for postmaster and abuse without specifying a domain.

Are you using a "single" mail server to handle the multiple domains, or does your system have multiple IPs to which different domains are mapped?

IP1 domain1-10
ip2 domain11-20
ip3 etc.
 

Author Comment

by:Thomanji
ID: 39270260
Hi,

Thank you for the answers.
@bevhost - the PTR records are fine and all works well in this regard.
It's all about RBL compliance to ensure my mail is as secure and compatible as possible.

It is good to know that the ruling was changed and that only the mail server requires the entries.

I have set up the zones so that all domains use the same single mail server and the same CNAME for the MX record.

What is strange is that I created an abuse@ip address but it seems not to work. If I send a Google message to it I get an error:

Delivery to the following recipient failed permanently:

     abuse@xxx.xxx.xxx.xxx

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx].

The error that the other server returned was:
501 5.1.3 Bad recipient address syntax

All this was challenged when I used the ultratools.com domain health report and got the messages that I do not comply with best practices in terms of abuse, postmaster and hostmaster addresses.

Here is the report:

Mail servers accept mail to postmaster
BESTPRACTICE
The mail server at xxx.xxx.xxx.xxx did not accept a recipient in the form of postmaster@yourdomain.tld.
Description: Listing a Postmaster address at your domain's mail server is a best practice to allow communication with the administrator of your mail server, in the case of a security issue for example. It is common practice by SPAM lists to validate a mail server by checking for a valid Postmaster listing as a factor in determining that it is a legitimate mail server. The Postmaster address should also be set up to route the messages to a real person responsible for the operation of your mail hosts so that important messages do not sit in a queue. For more information, please consult the following RFCs: RFC 2142, RFC 822

Mail servers accept mail to abuse
BESTPRACTICE
The mail server at xxx.xxx.xxx.xxx did not accept a recipient in the form of abuse@yourdomain.tld.
Description: Listing an Abuse address at your domain's mail server is a best practice to allow communication with the administrator of your mail server, in the case of a SPAM issue for example. It is common practice by SPAM lists to validate a mail server by checking for a valid Abuse listing as a factor in determining that it is a legitimate mail server. The Abuse address should also be set up to route the messages to a real person responsible for the operation of your mail hosts so that important messages do not sit in a queue. For more information, please consult the following RFCs: RFC 2142, RFC 822

Mail servers accept mail to postmaster@IP
BESTPRACTICE
The mail server at xxx.xxx.xxx.xxx did not accept a recipient in the form of postmaster@ip-address.
Description: In cases where a mail server's host name is not known to the DNS system, its IP address is an acceptable alternative to reach the mail server. It is recommended that a mail server accept mail requests to the literal address, or IP. For more information, please consult the following RFCs: RFC 2821
 
LVL 76

Accepted Solution

by:arnold
arnold earned 350 total points
ID: 39270277
MX records should not use CNAMES.

For postfix to treat user@IP as local, you must include the IP as local.

The transmission usually goes as
connect to IP and send message to <postmaster> <abuse>

The other difficulty you likely run into is that the IP on the public side is not the IP the server has if it is behind a firewall doing NAT.
 

Author Comment

by:Thomanji
ID: 39286310
Hi,

Sorry for the delayed response, had to have this server up for the deadline and lots of little issues cropped up as usual.
I do of course run a firewall with NAT translation, so it seems to be a bit of a challenge since I tried several things. I do understand that the real abuse IP is listed with ARIN, but it actually became a bit of a personal interest.
In general I did not want to map name@ip specifically but rather just "name", where if this name is emailed and it is on the local server it would accept the mail and send it to a mailbox.

I do think that I might have found the solution, but I did not implement it as of now because some other pressing matters have priority.

However check out:
http://www.seaglass.com/postfix/faq.html#vrtglal

I will update this.

Best wishes,
Thom
 

Author Comment

by:Thomanji
ID: 39295332
I've requested that this question be closed as follows:

Accepted answer: 0 points for Thomanji's comment #a39286310
Assisted answer: 250 points for bevhost's comment #a39268338
Assisted answer: 250 points for arnold's comment #a39270277

for the following reason:

Thanks guys, I still have a slight issue with the @IP part but I think it will work. As for the first part of the question I found the following mapping:

/abuse@.*/            abuse

If I map like this then I only need one mapping and it will work for all domains.

Thanks,
Thom
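To see why the single mapping in the closing comment covers every domain, and why it should be anchored, here is an added example (not from the thread and not Postfix code) that approximates pcre_table(5) lookup semantics in Python: rules are tried in order, the first match wins, and a pattern matches anywhere in the lookup key unless it uses ^ or $, which is why the Postfix documentation examples all start with ^. The two tables and the sample recipients are constructed for the demonstration.

```python
import re

# Constructed sample tables in Postfix pcre_table(5) syntax; not the poster's real files.
# The single rule below reproduces the mapping quoted in the thread.
THREAD_TABLE = """
/abuse@.*/            abuse
"""

# Anchored version: any of the RFC 2142 role local parts, whatever the domain, goes to root.
ROLE_TABLE = """
/^(abuse|postmaster|hostmaster)@/   root
"""

def parse_pcre_table(text):
    """Parse '/pattern/flags result' lines into (compiled regex, result) pairs.
    Simplification: only '/' as delimiter and the 'i' flag are supported."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/(i?)\s+(\S+)$", line)
        if m is None:
            raise ValueError("cannot parse rule: " + line)
        pattern, flag, result = m.groups()
        rules.append((re.compile(pattern, re.IGNORECASE if flag else 0), result))
    return rules

def lookup(rules, address):
    """First matching rule wins; as in Postfix, the search is not anchored
    unless the pattern itself uses ^ or $."""
    for regex, result in rules:
        if regex.search(address):
            return result
    return None

def demo():
    """Map each sample recipient to (thread-table result, anchored-table result)."""
    samples = ["abuse@example.org", "notabuse@example.org",
               "postmaster@example.net", "abuse@[203.0.113.5]"]
    return {addr: (lookup(parse_pcre_table(THREAD_TABLE), addr),
                   lookup(parse_pcre_table(ROLE_TABLE), addr))
            for addr in samples}

if __name__ == "__main__":
    for addr, (thread, role) in demo().items():
        print(f"{addr:26} thread-table -> {thread!s:6} anchored -> {role}")
```

Note that the unanchored thread rule also rewrites notabuse@example.org, while the anchored rule does not. Alias rewriting only applies to recipients Postfix accepts in the first place: a bracketed literal such as abuse@[203.0.113.5] is accepted only when that IP is listed in inet_interfaces or proxy_interfaces, and the unbracketed abuse@xxx.xxx.xxx.xxx form is not valid RFC 5321 recipient syntax, which is what the "501 5.1.3 Bad recipient address syntax" in the thread reports.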
