Before I forget... because it freaked the shit out of me and made me think I broke the postfixadmin database.

When you create a domain in Postfixadmin, that's all fine and dandy. But when you create Mailboxes or Alias in this domain, postfixadmin performs a nameserver lookup only at THIS point in time to check the domain is valid. The helpful response is:

"The EMAIL is not valid!" (for mailbox), or "The ALIAS is not valid!".

In fact, what it means is that the domain is not valid, so this is quite misleading. So don't panic!

I thought I broke things, but all that had happened was that for this particular subdomain, while I had created an MX record for it in the zone, I hadn't reloaded DNS yet, and so a nameserver lookup was failing.

You could wait for DNS propagation (still don't understand why it wasn't almost instant, mail server was also the primary NS), or a quick getaround is to change

$CONF['emailcheck_resolve_domain']='YES';

to

$CONF['emailcheck_resolve_domain']='NO';

In the config.inc.php of postfixadmin, and it'll skip the nameserver lookup.

Phew.

Be wary when you upgrade Debian Lenny server to 5.0.1 and you use Postfix & Dovecot with a PostgreSQL backend and PostgreSQL-8.3 gets upgraded and restarts itself. My Dovecot stopped being able to connect to the database to authenticate my login requests from Thunderbird all
of a sudden with the error 'you have enabled secure authentication and this server does not support it'.

I knew I hadn't changed any Dovecot settings on how I authenticate my IMAP session so assumed it was the PostgreSQL upgrade, though PostgreSQL was running fine.

This in the dovecot logs

dovecot: 2009-04-13 10:38:15 Error: auth(default): sql(<a href="mailto:example@some--address.com">example@some--address.com</a>),): Password query failed: FATAL: terminating connection due to administrator command
dovecot: 2009-04-13 10:38:15 Error: auth(default): io_loop_handle_remove: epoll_ctl(2, 9): Bad file descriptor

I restarted Dovecot, and Postfix just to be sure :) and all is back to normal. I'm assuming it was Dovecot holding a stale connection open to PostgreSQL, and not the MTA, as it wasn't a problem with delivering mail (though it might've posed a problem for Postfix too, but didn't let it hang around long enough to find out)

I wonder, I know that some packages like openssl and whatnot, are able to check what other services are running that depend on it when it's upgraded, and offer a postinst (I assume) ncurses notification telling the user that some services should be restarted. PostgreSQL should have a similar check to see if it's being used for a vhost mail setup.

Coz I always forget them!

http://www.fots.nl/index.php/ndr-and-smtp-reply-and-error-codes/

• 2.0.0 (nonstandard success response, see rfc876)
• 2.1.1 System status, or system help reply
• 2.1.4 Help message
• 2.2.0 Service ready
• 2.2.1 Service closing transmission channel
• 2.5.0 Requested mail action okay, completed
• 2.5.1 User not local; will forward to
• 3.5.4 Start mail input; end with .
• 4.2.1 Service not available, closing transmission channel
• 4.2.2 The recipient has exceeded their mailbox limit. It could also be that the delivery directory on the Virtual server has exceeded its limit. (Default 22 MB)
• 4.3.1 Not enough disk space on the delivery server. Microsoft say this NDR maybe reported as out-of-memory error.
• 4.3.2 Classic temporary problem, the Administrator has frozen the queue.
• 4.4.1 Intermittent network connection. The server has not yet responded. Classic temporary problem. If it persists, you will also a 5.4.x status code error.
• 4.4.2 The server started to deliver the message but then the connection was broken.
• 4.4.6 Too many hops. Most likely, the message is looping.
• 4.4.7 Problem with a timeout. Check receiving server connectors.
• 4.4.9 A DNS problem. Check your smart host setting on the SMTP connector. For example, check correct SMTP format. Also, use square brackets in the IP address [197.89.1.4] You can get this same NDR error if you have been deleting routing groups.
• 4.5.0 Requested mail action not taken: mailbox unavailable
• 4.5.1 Requested action aborted: local error in processing
• 4.5.2 Requested action not taken: insufficient system storage
• 4.6.5 Multi-language situation. Your server does not have the correct language code page installed.
• 5.0.0 Syntax error, command unrecognised. You get this NDR when you make a typing mistake when you manually try to send email via telnet. More likely, a routing group error, no routing connector, or no suitable address space in the connector. (Try adding * in the address space)
  This status code is a general error message in Exchange 2000. In fact Microsoft introduced a service pack to make sure now get a more specific code.
• 5.0.1 Syntax error in parameters or arguments
• 5.0.2 Command not implemented
• 5.0.3 Bad sequence of commands
• 5.0.4 Command parameter not implemented
• 5.1.x Problem with email address.
• 5.1.0 Often seen with contacts. Check the recipient address.
• 5.1.1 Another problem with the recipient address. Possibly the user was moved to another server in Active Directory. Maybe an Outlook client replied to a message while offline.
• 5.1.3 Another problem with contacts. Address field maybe empty. Check the address information.
• 5.1.4 Two objects have the same address, which confuses the categorizer.
• 5.1.5 Destination mailbox address invalid.
• 5.1.6 Problem with homeMDB or msExchHomeServerName - check how many users are affected. Sometimes running RUS (Recipient Update Service) cures this problem. Mailbox may have moved.
• 5.1.7 Problem with senders mail attribute, check properties sheet in ADUC.
• 5.2.x NDR caused by a problem with the large size of the email.
• 5.2.1 The message is too large. Else it could be a permissions problem. Check the recipient’s mailbox.
• 5.2.2 Sadly, the recipient has exceeded their mailbox limit.
• 5.2.3 Recipient cannot receive messages this big. Server or connector limit exceeded.
• 5.2.4 Most likely, a distribution list or group is trying to send an email. Check where the expansion server is situated.
• 5.3.0 Problem with MTA, maybe someone has been editing the registry to disable the MTA / Store driver.
• 5.3.1 Mail system full. Possibly a Standard edition of Exchange reached the 16 GB limit.
• 5.3.2 System not accepting network messages. Look outside Exchange for a connectivity problem.
• 5.3.3 Remote server has insufficient disk space to hold email. Check SMTP log.
• 5.3.4 Message too big. Check limits, System Policy, connector, virtual server.
• 5.3.5 Multiple Virtual Servers are using the same IP address and port. See Microsoft TechNet article: 321721 Sharing SMTP. Email probably looping.
• 5.4.0 DNS Problem. Check the Smart host, or check your DNS. It means that there is no DNS server that can resolve this email address. Could be Virtual Server SMTP address.
• 5.4.1 No answer from host. Not Exchange’s fault check connections.
• 5.4.2 Bad connection.
• 5.4.3 Routing server failure. No available route.
• 5.4.4 Cannot find the next hop, check the Routing Group Connector. Perhaps you have Exchange servers in different Routing Groups, but no connector.
• 5.4.6 Tricky looping problem, a contact has the same email address as an Active Directory user. One user is probably using an Alternate Recipient with the same email address as a contact.
• 5.4.7 Delivery time-out. Message is taking too long to be delivered.
• 5.4.8 Microsoft advise, check your recipient policy. SMTP address should be cp.com NOT server.cp.com.
• 5.5.0 Requested action not taken: mailbox unavailable. Underlying SMTP 500 error. Our server tried ehlo, the recipient’s server did not understand and returned a 550 or 500 error. Set up SMTP logging.
• 5.5.2 Possibly the disk holding the operating system is full. Or ‘Requested mail action aborted: exceeded storage allocation’ if you are executing an SMTP.
• 5.5.3 More than 5,000 recipients. Check the Global Settings, Message Delivery properties. Or ‘Requested action not taken: mailbox name not allowed’ if you are executing an SMTP.
• 5.5.4 Transaction failed
• 5.5.5 Wrong protocol version
• 5.6.3 More than 250 attachments.
• 5.7.1 Permissions problem. For some reason the sender is not allowed to email this account. Perhaps an anonymous user is trying to send mail to a distribution list. Check SMTP Virtual Server Access Tab. Try checking this box: Allow computers which successfully authenticate to relay. User may have a manually created email address that does not match a System Policy.
• 5.7.2 Distribution list cannot expand and so is unable to deliver its messages.
• 5.7.3 Check external IP address of ISA server. Make sure it matches the SMTP publishing rule.
• 5.7.4 Extra security features not supported. Check delivery server settings
• 5.7.5 Cryptographic failure. Try a plain message with encryption.
• 5.7.6 Certificate problem, encryption level maybe to high.
• 5.7.7 Message integrity problem.

Login process creation

login_processes_count and login_max_processes_count setting control how new login processes are created. login_processes_count specifies the number of login processes that are tried to be kept listening for new connections. However when a lot of connections arrive at the same
time this number will increase automatically as described below.

To prevent fork-bombing Dovecot's login process creation works in a similiar way to Apache: Initially set "wanted listening process count" to same as login_processes_count and start the processes. Then check every second if we need to start up new processes to keep the listening
process count the same as the wanted count. If all the listening processes have been used, double the wanted count. If we haven't used all of them, decrease the wanted count by one (unless it goes below login_processes_count), but don't destroy already created processes.

login_max_processes_count specifies the maximum number of login processes there can exist at a time (listening, non-listening and SSL/TLS-proxying processes combined).

Didn't know you could do this.. both the ability to specify individuals rather than whole domains, and the retry: logic.

In the transport map

< user >@< destination.com >               retry:4.0.0 Temporarily suspended

I was migrating my mail server to a new machine the other day and in the process, I sorted out my smtp/sasl logic.

I'm using virtual domains/mailboxes/aliases with Postfix, PostfixAdmin and Postgresql on Debian servers, works like a charm, but my sasl config was such that it wasn't using the same postfix database for password lookups and I was having to use saslpasswd2 to add accounts so that I could send mail using this server for SMTP as it was using its own sasldb or whatever.

Madness.

This time I've implemented Dovecot's SASL mechanism, it reduced double-up and means the authentication is done via the database in the same way that logging in to *retrieve* mail was being performed (as far as I understand it anyway. I'm not a mailserver guru).

All I changed was in /etc/dovecot/dovecot.conf
# It's possible to export the authentication interface to other programs:
 
socket listen {
client {
path = /var/spool/postfix/private/auth-client
mode = 0660 user = postfix group = postfix
}
}
And in /etc/postfix/main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination

Other than following the steps outlined in the INSTALL.txt file of Virtual Vacation’s directory in postfix admin, I had to do these to make it work properly as well:

Added

vacation_destination_recipient_limit = 1

to /etc/postfix/main.cf

At this point things work, so long as your recipient who's on holidays is not a member of any virtual aliases (ie he or she doesn't receive mail sent to generic addresses like info@ or help@).

If they do, you'll soon notice a heap of 'permission denied' errors being spat back either as a bounce or in mail.log, syslog, and the vacation-debug log. This is because the vacation user doesn't have access to select from the alias table in your postfix database.

To fix, you need to grant this privilege to the vacation user with an SQL query:

GRANT SELECT ON TABLE alias TO vacation;

All fixed, now email sent to an alias will send back a vacation auto-reply as well.

Making vacation autoresponder in Debian

Make the .forward file in user's home directory:

\<a href="mailto:user@email.com">user@email.com</a>
"|/usr/bin/vacation user"

Make the .vacation.msg in user's home directory:

From: <a href="mailto:user@email.com">user@email.com</a> (Joe Bloggs)
Subject: I am on Annual Leave
Delivered-By-The-Graces-Of: The Vacation program
Precedence: bulk
E-mail message goes here

cd out of the user's home directory to /home and run:

vacation -i user && chmod 644 user/.vacation.db && chown user:user user/.vacation.db

imapsync --host1 server_a --user1 user@server_a --password1 xxxxxxxxxxx --ssl1 --authmech1 login --host2 server_b --user2 user@server_b --password2 xxxxxxxxxxx --ssl2 --fast --nofoldersizes --subscribe --authmech2 login