Postfix Questions

Hi,

Thank you for looking at my question.
I have a new server with postfix setup + amavisd-new + clamav, etc.

All is running fine and works well. However, I made this "Domain Health Report" with ultratools.com and there are a few things I cannot figure out, and I wonder if someone has the answer for me.

The main thing is that there should be a hostmaster, abuse and postmaster email for all domains. I have 100 domains on the machine and wonder if I can map one abuse that works for all domains.

I thought something like:

abuse           root

would work but it apparently does not.
What is the best practice or do I really have to do 100 mappings?

Secondly I get a warning on my test:
The mail server at xxx.xxx.xxx.xxx responded with a banner that included niether the IP address or the host name.
The mail server at  xxx.xxx.xxx.xxx  responded with a banner that does not contain Service Ready.

I have:
smtpd_banner = $myhostname ESMTP $mail_name
I am not sure why it gives this error; I also do not know why it possibly would not show Service Ready.

Any assistance on this would be very welcome.

Best wishes,
Thomas
 
arnold Commented:
MX records should not use CNAMES.

For postfix to treat user@IP as local, you must include the IP as local.

The transmission usually goes as
connect to IP and send message to <postmaster> <abuse>

The other difficulty you likely run into is that the IP on the public side is not the IP the server has if it is behind a firewall natted.

bevhost Commented:
You didn't really provide enough information to answer the question.
How are your mailboxes configured?

See http://www.postfix.org/VIRTUAL_README.html

If you are using unix accounts with shared domains,
then your config above should work.

If you have 100 domains, I'm going to assume that you are using virtual domains,
in which case you will have to create a map for each domain.

If you're storing the maps in SQL, then you should be able to insert the maps easily.

rajeev2353 Commented:
hi,
you can install postfixadmin package for graphical control of domain with mysql

 
ThomasPartnerAuthor Commented:
Hi,

Thank you both for the answer.
I am running CentOS 6 with postfix.
It's not really about the domains but mainly if it is possible to set up something like

send an email addresses to postmaster@ any host to user root
e.g.:
something like:

postmaster@*     root
But I assume this does not work

It's not really about the work to set it up but all these entries, which would be about 300 if we calculate to be compliant for 100 domains.

Any idea on the second part of the question:
Secondly I get a warning on my test:
The mail server at xxx.xxx.xxx.xxx responded with a banner that included niether the IP address or the host name.
The mail server at  xxx.xxx.xxx.xxx  responded with a banner that does not contain Service Ready.

I have:
smtpd_banner = $myhostname ESMTP $mail_name
I am not sure why it gives this error; I also do not know why it possibly would not show Service Ready.

Best wishes,
Thomas

arnold Commented:
SMTP/ESMTP only requires postmaster account on the mail server domain, FQDN.
Similarly for the abuse account.

Is your postfix using a mysql backend of users?
The alias map where you add the postmaster@ rule is likely to be superseded by the catch-all configuration of the 100 domains.

bevhost Commented:
The warnings with xxx.xxx.xxx.xxx are most probably because your Reverse DNS PTR record does not match any forward A lookups for your machine,
e.g.
Here is an example of a machine with matching hostname, A record and PTR record.
root@server ~ # host box4.bevhost.net
box4.bevhost.net has address 96.9.149.85
root@server ~ # host 96.9.149.85
85.149.9.96.in-addr.arpa domain name pointer box4.bevhost.net.
root@server ~ # telnet box4.bevhost.net 25
Trying 96.9.149.85...
Connected to box4.bevhost.net.
Escape character is '^]'.
220 box4.bevhost.net ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@server ~ #

This machine accepts mail for lots of domains,
but its own domain is the one that matches everywhere.

bevhost Commented:
I agree that you probably don't need abuse@ and postmaster@ for all 100 domains.

There WAS an RBL called rfc-ignorant.org which was used by people to block mail from domains that had no abuse@ or postmaster@; however, that RBL has been shut down completely and I don't think that this is an issue anymore.

On the other hand, if you own a block of IP addresses, then there should be an abuse email listed in the whois data for the block of IPs, but not anywhere else to my knowledge.

If someone can point me to a recent RFC that indicates otherwise then that would be interesting to see, but I don't think this is much of a requirement in practice.

arnold Commented:
It was a while back, but the rbl rfc-ignorant only dealt with mail servers that did not have a postmaster/abuse mailbox.  I think the test was for postmaster and abuse without specifying a domain.

Are you using a "single" mail server to handle the multiple domains, or does your system have multiple IPs to which different domains are mapped?

IP1 domain1-10
ip2 domain11-20
ip3 etc.
 
ThomasPartnerAuthor Commented:
Hi,

Thank you for the answers.
@bevhost - the PTR records are fine and all works well in this regard.
It's all about RBL compliance to ensure my mail is as secure and compatible as possible.

It is good to know that the ruling was changed and that only the mail server requires the entries.

I have set up the zones so that all domains use the same single mail server and the same CNAME for the MX record.

What is strange is that I create an abuse@ip address but it seems to not work. If I send a Google message to it I get an error:

Delivery to the following recipient failed permanently:

     abuse@xxx.xxx.xxx.xxx

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx].

The error that the other server returned was:
501 5.1.3 Bad recipient address syntax

All this just was challenged when I used ultratools.com domain health report and got the messages that I do not comply to best practices in terms of abuse, postmaster and hostmaster addresses.

Here is the report:

Mail servers accept mail to postmaster
BESTPRACTICE
The mail server at xxx.xxx.xxx.xxx did not accept a recipient in the form of postmaster@yourdomain.tld.
Description: Listing a Postmaster address at your domain's mail server is a best practice to allow communication with the administrator of your mail server, in the case of a security issue for example. It is common practice by SPAM lists to validate a mail server by checking for a valid Postmaster listing as a factor in determining that it is a legitimate mail server. The Postmaster address should also be setup to route the messages to a real person responsible for the operation of your mail hosts so that important messages do not sit in a queue. For more information, please consult the following RFC's: RFC 2142, RFC 822

Mail servers accept mail to abuse
BESTPRACTICE
The mail server at xxx.xxx.xxx.xxx did not accept a recipient in the form of abuse@yourdomain.tld.
Description: Listing an Abuse address at your domain's mail server is a best practice to allow communication with the administrator of your mail server, in the case of a SPAM issue for example. It is common practice by SPAM lists to validate a mail server by checking for a valid Abuse listing as a factor in determining that it is a legitimate mail server. The Abuse address should also be setup to route the messages to a real person responsible for the operation of your mail hosts so that important messages do not sit in a queue. For more information, please consult the following RFC's: RFC 2142, RFC 822

Mail servers accept mail to postmaster@IP
BESTPRACTICE
The mail server at xxx.xxx.xxx.xxx did not accept a recipient in the form of postmaster@ip-address.
Description: In cases where a mail server's host name is not known to the DNS system, its IP address is an acceptable alternative to reach the mail server. It is recommended that a mail server accept mail requests to the literal address, or IP. For more information, please consult the following RFC's: RFC 2821
 
ThomasPartnerAuthor Commented:
Hi,

Sorry for the delayed response, had to have this server up for the deadline and lots of little issues cropped up as usual.
I do of course run a firewall with NAT translation so it seems to be a bit of a challenge since I tried several things. I do understand that the real abuse IP is listed with ARIN but it actually became a bit of a personal interest.
In general I did not want to map name@ip specifically but rather just "name" where if this name is emailed and it is on the local server it would accept the mail and send it to a mailbox.

I do think that I might have found the solution but I did not implement it as of now because some other pressing matters have priority.

However check out:
http://www.seaglass.com/postfix/faq.html#vrtglal

I will update this

Best wishes,
Thom
 
ThomasPartnerAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for Thomanji's comment #a39286310
Assisted answer: 250 points for bevhost's comment #a39268338
Assisted answer: 250 points for arnold's comment #a39270277

for the following reason:

Thanks guys, still have a slight issue with the @IP part but I think it will work. As for the first part of the question I found the

/abuse@.*/            abuse

if I map like this then I only need one mapping and it will work for all domains.

Thanks,
Thom
Question has a verified solution.
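
The following is an added example, not code from the thread or from Postfix. It approximates first-match lookup in a Postfix regexp table with Python's `re` to show which addresses the one-line mapping from the closing comment catches, next to an anchored pattern restricted to hosted domains; `example.com`, `example.net`, `elsewhere.example` and the `root` target in the second table are constructed placeholders.

```python
import re

# Table from the thread's closing comment, in "/pattern/ result" layout.
THREAD_TABLE = "/abuse@.*/            abuse\n"

# Constructed alternative: anchored at both ends, hosted domains only.
ANCHORED_TABLE = r"""
# role addresses for hosted domains (placeholder domain names)
/^(abuse|postmaster|hostmaster)@(example\.com|example\.net)$/   root
"""

def parse_table(text):
    """Return [(compiled_pattern, result)] for each '/pattern/ result' line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S.*)$", line)
        if m:
            # Postfix regexp tables match case-insensitively by default.
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, address):
    """First matching rule wins; an unanchored pattern matches anywhere in the key."""
    for pattern, result in rules:
        if pattern.search(address):
            return result
    return None

# Constructed test recipients.
SAMPLES = [
    "abuse@example.com",        # intended role address
    "noabuse@example.com",      # different mailbox that contains "abuse@"
    "abuse@elsewhere.example",  # role address at a domain not hosted here
    "Postmaster@Example.NET",   # mixed case role address
]

def compare(samples=SAMPLES):
    """Map each address to (result from thread table, result from anchored table)."""
    loose, strict = parse_table(THREAD_TABLE), parse_table(ANCHORED_TABLE)
    return {a: (lookup(loose, a), lookup(strict, a)) for a in samples}

if __name__ == "__main__":
    for addr, (loose, strict) in compare().items():
        print(f"{addr:28} thread table -> {loose!s:6} anchored -> {strict}")
```

Postfix itself uses POSIX regular expressions, so confirm the behaviour of a live table with `postmap -q "address" regexp:/path/to/table` (the path is a placeholder).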