Hello Viktor,

> -----Oorspronkelijk bericht-----
> Van: postfix-us...@dukhovni.org 
> [mailto:owner-postfix-us...@postfix.org] Namens Viktor Dukhovni
> Verzonden: dinsdag 13 maart 2018 15:27
> Aan: Postfix users
> Onderwerp: Re: question about envelop from.
> 
> 
> 
> > On Mar 13, 2018, at 8:54 AM, L.P.H. van Belle 
> <be...@bazuin.nl> wrote:
> > 
> > Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: 
> reject: RCPT from smtp1.xxxxxxxx.nl[x.xx.xxx.xx]]: 450 4.1.8 
> <MAILER-DAEMON@apmcsqa01.poort>: Sender address rejected: 
> Domain not found; from=<MAILER-DAEMON@apmcsqa01.poort> 
> >  
> > about this: 
> > envelope-from="MAILER-DAEMON@apmcsqa01.poort" 
> >  
> > Im looking for the correct rfc where its described that the 
> part @apmcsqa01.poort  should be @thesendingdomain.tld 
> > where thesendingdomain.tld is also a resolvable domain, 
> because not it does not make sence because the now 
> mailer-daemon wil never be accepted because its non resolveable
> 
> In addition to not being resolvable, the envelope sender 
> address here is also
> problematic because "MAILER-DAEMON@" should only ever appear 
> in the message
> headers and NEVER as the envelope sender.  The correct 
> envelope sender for
> bounces is the empty (or null) sender:
> 
>       MAIL FROM:<>
> 
> not
> 
>       MAIL FROM:<mailer-dae...@example.net>
> 
> Sure, some domain could in theory have an actual user mailbox named
> "mailer-daemon", but that is most unlikely.  It is rather clear that
> the server in question is generating backscatter with a non-empty
> envelope sender address, thus potentially leading to mail loops.
> 
> It is good that your server is rejecting this traffic.
> 
> Finally, it seems you may be requesting client certificates 
> on port 25,
> (incoming TLS status is "Untrusted" rather than "Anonymous") I wonder
> why...
> 
>    http://www.postfix.org/FORWARD_SECRECY_README.html#status
> 
> do you have "smtpd_tls_ask_ccert = yes"?
> 
> -- 
>       Viktor.
> 


Yes, I've set smtpd_tls_ask_ccert to yes.

I also see Anonymous connections being logged, for example:
Anonymous TLS connection established from 
mail187-16.suw11.mandrillapp.com[198.2.187.16]: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Hmm, I also just noticed that I no longer see any Trusted or Verified TLS connections in the logs; this must be something I broke on my side when switching from Postfix 2.10 to 3.1.

I do want certificate verification. I'm not running a high-volume site, and I have just enabled DKIM, SPF, TLSA and DANE for this server.
Any tips on my config? I'm currently running Postfix 3.1.8 (Debian) with the configuration below.

Best regards, 

Louis



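### General Defaults
smtpd_banner = $myhostname ESMTP Ready
# Overrides the version string Postfix would otherwise report via
# $mail_version (the banner above does not include it anyway).
mail_version = 007
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
mailbox_size_limit = 0
recipient_delimiter = +
empty_address_recipient = MAILER-DAEMON

### Limit the info given to outside servers
show_user_unknown_table_name = no

### Nobody needs to ask this server who is on it
disable_vrfy_command = yes

#### user!domain != user@domain
swap_bangpath = no

#### user%domain != user@domain
allow_percent_hack = no

### Evaluate every restriction stage at RCPT TO (needed for the nagios
### check, and it gives the client/helo/sender tests full context).
### Defined here; the Restrictions section relies on it.
smtpd_delay_reject = yes

### Tarpit bots/clients/spammers that provoke errors or scan for accounts.
### NOTE(review): a soft limit of 1 means the very first error (a single
### unknown recipient is enough) already delays a legitimate client by
### 20 seconds per subsequent error.
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2

### Transports, and per-domain delivery slow-down, are set here too
### (see also the transport map and master.cf).
transport_maps = hash:/etc/postfix/personal/transport_maps.map
## Tuning of outgoing connections: ESA max concurrent connections (polite)
# Global throttle for the default smtp transport
smtp_destination_concurrency_limit = 5
smtp_extra_recipient_limit = 2

# "polite" transport (defined in master.cf)
polite_destination_concurrency_limit = 3
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5

# "turtle" transport (defined in master.cf)
turtle_destination_concurrency_limit = 2
turtle_destination_rate_delay = 1s
turtle_destination_recipient_limit = 2

## ~100 MB message size limit (value is in bytes)
message_size_limit = 102400000

# Reject messages whose headers contain 8-bit (non-ASCII) data (default: no).
# NOTE(review): this also rejects otherwise legitimate mail from senders that
# emit raw 8-bit headers -- make sure that is intended.
strict_7bit_headers = yes

# Where Postfix sends its own notifications.  Each key appears exactly once:
# 2bounce_notice_recipient was listed twice, which Postfix flags as
# "overriding earlier entry".
2bounce_notice_recipient = postmas...@somedomain.tld
bounce_notice_recipient = postmas...@somedomain.tld
delay_notice_recipient = postmas...@somedomain.tld
error_notice_recipient = postmas...@somedomain.tld
notify_classes = bounce, resource, software

## Being strict to the RFC not only stops unwanted mail,
## it also blocks legitimate mail from poorly written mail applications.
## default = no
strict_rfc821_envelopes = yes

###############
# SASL is disabled; it is not used on this server.
broken_sasl_auth_clients = no
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no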

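################# TLS parameters
# Disable TLS compression.
tls_ssl_options = NO_COMPRESSION

# The server's cipher preference order wins over the client's.
# Cipher lists themselves: the Postfix defaults are fine.
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom

# ---- SMTP client (outgoing) ----
# NOTE(review): with security level "may" TLS is opportunistic: the remote
# certificate is NOT verified and smtp_tls_CAfile plays no role in that
# decision.  DANE for *outbound* mail needs "smtp_tls_security_level = dane"
# plus "smtp_dns_support_level = dnssec" and a local validating resolver;
# publishing TLSA records only covers the inbound direction.
smtp_tls_CAfile = /etc/ssl/certs/Intermediate.cer
smtp_tls_cert_file = /etc/ssl/certs/cert-2017-cert.pem
smtp_tls_key_file = /etc/ssl/private/key-2017.key
smtp_tls_protocols = !SSLv2,!SSLv3
# NOTE(review): for opportunistic TLS a peer that cannot meet "high" (or only
# offers excluded ciphers) is retried in cleartext rather than refused, so a
# strict grade here buys less than it looks.
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
# Detect a mail hijacking attack based on a TLS renegotiation vulnerability
# (CVE-2009-3555).
smtp_tls_block_early_mail_reply = yes

# ---- SMTP server (incoming) ----
# Only offer AUTH after STARTTLS (moot while SASL is disabled, but correct).
smtpd_tls_auth_only = yes
smtpd_starttls_timeout = 300s
# The obsolete smtpd_use_tls / smtpd_enforce_tls switches are overridden by
# smtpd_tls_security_level, so only the latter is set.
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
# NOTE(review): asking every port-25 client for a certificate is what makes
# connections log as "Untrusted" instead of "Anonymous".  Nothing in this
# listing consumes the result (no check_ccert_access / relay_clientcerts),
# and some clients misbehave when asked.  Set to "no" unless client
# certificates are actually used for a relay or access decision.
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 2
smtpd_tls_loglevel = 1
smtpd_tls_always_issue_session_ids = no
smtpd_tls_session_cache_timeout = 3600s
# CAfile = trust anchors for verifying *client* certificates.  The server's
# own chain (leaf + intermediate) belongs in smtpd_tls_cert_file; do not rely
# on this file to complete the chain sent to clients.
smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer
smtpd_tls_cert_file = /etc/ssl/certs/cert-2017-cert.pem
smtpd_tls_key_file = /etc/ssl/private/key-2017.key
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES

# EECDH key exchange for forward secrecy.
# NOTE(review): "strong" is the documented default and recommendation in
# FORWARD_SECRECY_README; "ultra" costs noticeably more CPU per handshake
# for no practical gain.  Consider reverting to "strong".
smtpd_tls_eecdh_grade = ultra

# DH group for the (non-EC) DHE ciphers.  Despite the parameter name a
# 2048-bit group is fine here.  The 512-bit "dh512" file is only used by
# EXPORT ciphers, which are excluded above, so it is deliberately not set.
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams2048.pem

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache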


############### Host / IP / AD related
# Our own IP ranges live in /etc/postfix/personal/mynetworks.cidr; every
# permit_mynetworks below trusts that table, so keep it tight.
myhostname = mail.somedomain.tld
myorigin = mail.somedomain.tld
mydomain = mail.somedomain.tld
# Only the host itself and localhost are local destinations.
mydestination = mail.somedomain.tld, localhost
mynetworks = cidr:/etc/postfix/personal/mynetworks.cidr
inet_interfaces = all
inet_protocols = ipv4

# Domains accepted here and forwarded to the backend(s).
relay_domains = hash:/etc/postfix/personal/relay_domains.map
masquerade_domains = hash:/etc/postfix/personal/masquerade_domains.map

# Envelope/header address rewriting.
sender_canonical_maps = hash:/etc/postfix/personal/sender_canonical.map
recipient_canonical_maps = hash:/etc/postfix/personal/recipient_canonical.map

# Content checks (pcre tables).
header_checks = pcre:/etc/postfix/personal/checks_header.pcre
body_checks = pcre:/etc/postfix/personal/checks_body.pcre

# Local aliases: /etc/aliases plus AD via LDAP; redirects also come from AD.
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ads2local-aliases.cf
alias_database = hash:/etc/aliases
virtual_alias_maps = ldap:/etc/postfix/ads2local-redirects.cf

################################

### Reject codes: answer a permanent 554 for these checks instead of the
### Postfix defaults.  Keys not listed keep their default.
### NOTE(review): for temporary DNS problems Postfix still answers 450 on its
### own (the *_tempfail_action settings), so 554 only applies to definitive
### failures.  For the unverified_* codes that means a probe reporting
### "undeliverable" turns into a permanent rejection -- only sensible when
### the probes are reliable.
access_map_reject_code = 554
multi_recipient_bounce_reject_code = 554
relay_domains_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
# Deliberately left at their defaults: invalid_hostname_reject_code,
# maps_rbl_reject_code, non_fqdn_reject_code, plaintext_reject_code,
# reject_code, unknown_address_reject_code, unknown_client_reject_code.


# SPF policy daemon (used via check_policy_service unix:private/policyd-spf):
# keep a policy connection open for up to an hour.
policyd-spf_time_limit = 3600s

# "dualdelivery" is a transport defined in master.cf that hands each message
# to several mail servers.  Limit it to one recipient per delivery; the
# original note records that multi-recipient mail was not delivered
# without this.
dualdelivery_destination_recipient_limit = 1


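################## Restrictions / anti-spam, strict RFC
## All stages are evaluated at RCPT TO (smtpd_delay_reject = yes, set in the
## General Defaults section) in Postfix's fixed order: client, helo, sender,
## relay, recipient, data.  Within a list the first match wins, so the
## permit_*/allow tables come before the reject_* tests.
#
## The three reject_*_helo_hostname tests below are HELO checks (their
## pre-2.3 spellings reject_*_hostname mean the same thing).
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/personal/check_client_access-allow.cidr,
    check_client_access cidr:/etc/postfix/personal/check_client_access-reject.cidr,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unauth_pipelining
##
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/personal/check_helo_access-hostname-checks.pcre,
    check_helo_access hash:/etc/postfix/personal/check_helo_access-allow.map,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining
##
## reject_unknown_address is a legacy spelling that overlaps with
## reject_unknown_sender_domain above.  NOTE(review): confirm it is still
## wanted; it is kept to preserve current behaviour.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/personal/check_sender_access-allow.map,
    check_sender_access hash:/etc/postfix/personal/check_sender_access-deny.map,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_unauth_pipelining
##
## NOTE(review): relay_recipient_maps is not set anywhere in this listing, so
## for the relay_domains reject_unlisted_recipient has no list of valid users
## and recipient validity rests entirely on the reject_unverified_recipient
## probe.  The backend must reject unknown users at RCPT TO; otherwise this
## host accepts and later bounces (backscatter).
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policyd-spf,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-deny.map,
    check_recipient_access pcre:/etc/postfix/personal/check_recipient_access-deny-syntax.pcre,
    reject_multi_recipient_bounce,
    reject_unlisted_recipient,
    reject_unverified_recipient
##
## Relay policy.  reject_unauth_destination is the test that prevents open
## relaying; the reject_* tests after it only repeat checks already made in
## the client/helo/sender/recipient stages and are harmless.
## Removed from this list: the SPF check_policy_service (it is also run
## from smtpd_recipient_restrictions, which meant two policy queries per
## recipient) and a trailing defer_unauth_destination that could never be
## reached after reject_unauth_destination.
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map,
    reject_multi_recipient_bounce,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain
##
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce
##
smtpd_etrn_restrictions =
    permit_mynetworks,
    reject
##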
##

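### Before-220 tests (postscreen / DNSBL)
postscreen_greet_banner =
    $myhostname, checking blacklists, please wait.
# Drop clients that start talking before the real 220 greeting
# ("enforce" was used while testing; the action is now "drop").
postscreen_greet_action = drop
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
# First match wins: own networks, the local allow/deny tables, then the
# table built from Spamhaus' drop list (per its file name).
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/personal/postscreen_access_list.cidr,
    pcre:/etc/postfix/personal/postscreen_access_list-reject.fqrdns.pcre,
    cidr:/etc/postfix/personal/postscreen_access_list-drop.spamhaus-lasso.cidr
# NOTE(review): this parameter names *local* interface addresses on which a
# client may earn temporary whitelist status.  $mynetworks is a table of
# remote networks, and "static:all" (the default) already matches every
# interface, so the effective value is simply the default.
postscreen_whitelist_interfaces = $mynetworks, static:all
postscreen_blacklist_action = drop
postscreen_dnsbl_reply_map = pcre:/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl = 2h
postscreen_dnsbl_threshold = 4
# Weighted DNSBL scoring: a client is rejected once the weights of all
# matching lists add up to postscreen_dnsbl_threshold; negative weights are
# whitelists (swl.spamhaus.org .. nobl.junkemailfilter.com at the end).
# The "=127.0.0.3" entries for spfbl and hostkarma are their "no reverse
# DNS" return codes and only weigh 1.
# Do not put indented "# ..." lines inside this value: an indented line
# continues the parameter, so such a comment is read as more list entries.
postscreen_dnsbl_sites =
        zen.spamhaus.org*4
        b.barracudacentral.org*4
        bad.psky.me*4
        dnsbl.cobion.com*2
        bl.spameatingmonkey.net*2
        fresh.spameatingmonkey.net*2
        cbl.anti-spam.org.cn=127.0.8.2*2
        dnsbl.kempt.net*1
        dnsbl.inps.de*2
        bl.spamcop.net*2
        srn.surgate.net=127.0.0.2
        spam.dnsbl.sorbs.net*2
        rbl.rbldns.ru*2
        psbl.surriel.com*2
        bl.mailspike.net*2
        rep.mailspike.net=127.0.0.[13;14]*1
        bl.suomispam.net*2
        bl.blocklist.de*2
        ix.dnsbl.manitu.net*2
        dnsbl-2.uceprotect.net
        dnsbl.justspam.org=127.0.0.2*2
        all.s5h.net=127.0.0.2*2
        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
        rbl.abuse.ro=127.0.0.[2;4]*2
        dnsbl.spfbl.net=127.0.0.[2;4]*2
        dnsbl.spfbl.net=127.0.0.3*1
        hostkarma.junkemailfilter.com=127.0.0.3*1
        swl.spamhaus.org*-6
        dnswl.spfbl.net=127.0.0.[2;3;4]*-3
        list.dnswl.org=127.0.[0..255].[2;3]*-4
        rep.mailspike.net=127.0.0.[17;18]*-1
        rep.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-4
        nobl.junkemailfilter.com=127.0.0.5*-4
#
### End of before-220 tests
### After-220 tests
### WARNING -- read "Tests after the 220 SMTP server greeting" in the
### postscreen HOWTO and *UNDERSTAND* it *BEFORE* enabling the following
### tests; they amount to a form of greylisting.
#postscreen_bare_newline_action = enforce
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
### ADDENDUM: any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.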

###### OpenDKIM milter
# NOTE(review): "accept" fails open -- when the milter is unreachable,
# inbound mail is accepted without DKIM processing and outbound mail leaves
# unsigned.  Postfix's default is "tempfail"; prefer that unless availability
# is deliberately valued over signing/verification.
milter_default_action = accept
milter_protocol = 6
# Same OpenDKIM instance for SMTP-received and locally submitted mail.
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892


