Re: smtp restrictions

2013-05-30 Thread Stan Hoeppner
On 5/30/2013 11:43 PM, James Zee wrote:
> I was hoping someone could take a quick glance at my
> smtpd_*_restrictions configurations. While I've read and (re-)read the
> SMTPD_ACCESS_README file a few times over I would be greatly
> appreciative if someone could sanity check my work.

Reviewing people's main.cf files is not a function of the mailing list.
Answering specific questions or solving problems related to main.cf is.
If we did the former the list would be clogged with such requests and
responses.

Thus I'll reply off list.  It'll arrive shortly.

-- 
Stan



Re: smtp restrictions

2013-05-30 Thread lists
On Fri, 31 May 2013 00:43:51 -0400
James Zee  wrote:

> smtpd_relay_restrictions =
> permit_mynetworks
> permit_sasl_authenticated
> check_policy_service unix:private/policy-spf
> reject_unauth_destination
> 
check_policy_service must be after reject_unauth_destination.
http://www.howtoforge.com/postfix_spf
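
The ordering point above, as an added example that is not part of the thread
and not Postfix code: a small Python model of how smtpd walks a restriction
list (the first restriction answering OK or REJECT decides, DUNNO moves on,
and falling off the end permits). The networks, the domain list and the
policy daemon's answers are constructed. A real SPF policy daemon normally
answers DUNNO or REJECT, but the policy protocol allows any access(5)
action, so the model shows what happens if a daemon ever answers OK ahead of
reject_unauth_destination, and how many daemon round trips (each with its
own SPF DNS lookups) a plain relay probe costs in each order.

```python
"""Model of how Postfix walks an smtpd_*_restrictions list: first match wins.

Added example (not from the original post or from Postfix itself).
Network values, the domain list and the policy daemon's answers are
constructed for the demonstration.
"""
from dataclasses import dataclass

# Constructed: what this server's main.cf would hold.
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}
RELAY_DOMAINS = {"example.com"}          # mydestination + relay_domains


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    sender: str
    recipient: str
    policy_answer: str = "DUNNO"   # what the policy daemon would reply (assumption)
    policy_calls: int = 0          # how often the daemon was consulted


# Each restriction returns an access(5)-style verdict: OK, REJECT ..., or DUNNO.
def permit_mynetworks(s: Session) -> str:
    return "OK" if s.client_ip in MYNETWORKS else "DUNNO"


def permit_sasl_authenticated(s: Session) -> str:
    return "OK" if s.sasl_authenticated else "DUNNO"


def reject_unauth_destination(s: Session) -> str:
    domain = s.recipient.rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in RELAY_DOMAINS else "REJECT 554 5.7.1 Relay access denied"


def check_policy_service(s: Session) -> str:
    s.policy_calls += 1            # every call is a daemon round trip (plus SPF DNS lookups)
    return s.policy_answer


def evaluate(restrictions, s: Session) -> str:
    """First restriction that answers OK or REJECT decides; DUNNO means 'next'.
    Falling off the end permits, which is why Postfix insists on a
    reject_unauth_destination somewhere in the relay/recipient list."""
    for restriction in restrictions:
        verdict = restriction(s)
        if verdict != "DUNNO":
            return verdict
    return "OK"


# Order as posted: the policy service runs before the relay check.
AS_POSTED = [permit_mynetworks, permit_sasl_authenticated,
             check_policy_service, reject_unauth_destination]
# Order recommended in the reply.
RECOMMENDED = [permit_mynetworks, permit_sasl_authenticated,
               reject_unauth_destination, check_policy_service]


def relay_attempt(policy_answer: str) -> Session:
    """Constructed: an unauthenticated stranger trying to relay to a foreign domain."""
    return Session("203.0.113.7", False, "spammer@example.net",
                   "victim@example.org", policy_answer=policy_answer)


if __name__ == "__main__":
    for name, order in (("as posted", AS_POSTED), ("recommended", RECOMMENDED)):
        for answer in ("DUNNO", "OK"):
            s = relay_attempt(answer)
            print(f"{name:12s} policy={answer:5s} -> {evaluate(order, s)} "
                  f"(policy daemon consulted {s.policy_calls}x)")
```

With the posted order, a stranger's relay probe always costs one policy
round trip, and an OK from the daemon would relay the message; with the
recommended order the probe is rejected before the daemon is ever asked, and
the daemon only sees mail for domains this server actually accepts.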


smtp restrictions

2013-05-30 Thread James Zee
I was hoping someone could take a quick glance at my
smtpd_*_restrictions configurations. While I've read and (re-)read the
SMTPD_ACCESS_README file a few times over I would be greatly
appreciative if someone could sanity check my work.

The goal is, obviously, to (a) block spammers, (b) only allow relaying
/ sending to SASL-authorized users.

-->8--

smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_policy_service unix:private/policy-spf
reject_unauth_destination

smtpd_recipient_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_non_fqdn_recipient
reject_unknown_recipient_domain
reject_non_fqdn_hostname
reject_invalid_hostname
reject_unauth_destination
reject_unauth_pipelining
reject_rbl_client zen.spamhaus.org
reject_rbl_client bl.spamcop.net
reject_rbl_client cbl.abuseat.org
reject_rbl_client dnsbl.njabl.org
reject_rbl_client dnsbl.sorbs.net
reject_rhsbl_sender dsn.rfc-ignorant.org
reject_rhsbl_sender blackhole.securitysage.com

--8<--

An extra pair of eyes that could confirm things look good and things
are as "locked down" as possible (both in terms of relaying *and*
dealing with blacklisted IPs) would be greatly appreciated.

Thanks!


Re: mailman relay access deny

2013-05-30 Thread Stan Hoeppner
On 5/30/2013 1:41 PM, Mustafa Akgul wrote:
> 
> Hello,
> I have just upgraded Debian to current wheezy. I tried to use old
> configuration files of mailman and postfix
> 
> I have siöpied a lot, but mailman/postfix does not deliver to list members
> 
> I am having "relay access denied" messages
> 
> I have in transport map file
> domain   mailman:
> 
> 
> Any ideas, pointers?

You haven't provided sufficient information.

Start here:  http://www.postfix.org/DEBUG_README.html#mail

-- 
Stan



Re: postscreen and Google

2013-05-30 Thread LuKreme
Wietse Venema opined on Monday 13-May-2013@07:22:03
> LuKreme:
>> I have postscreen running well after having it run in non-blocking
>> mode for awhile, but I continue to see “new" google servers every
>> day.

[snip]

> Don't enable the "after 220" tests, or wait until whitelisting
> is stable. Given that Google has many servers, manual whitelisting
> is not a long-term solution.

After looking at my log files I've disabled all the "after 220" tests for now.
Looking forward to the stable whitelisting support in 2.11 when that's
released.

-- 
And Super Heroes come to feast
To taste the flesh not yet deceased
And all I know is still the beast is feeding.



Re: permit ip, reject domain

2013-05-30 Thread Peter

On 05/31/2013 12:34 PM, Noel Jones wrote:
> No, the client is already authorized by IP.  Adding a sender domain
> check is an additional restriction.  This is also a simple "some
> trusted IP is sending a bunch of crap" trigger.
> 
> Good advice, but SASL is not always possible or practical. And
> solving this with SASL involves reject_sender_login_mismatch, which
> brings its own complications.


This is all based on an interpretation of the OP's original broken 
English posts, though.  What I was seeing was something akin to, "I need 
to prevent spammers from using my server as a relay, so I'm going to 
stop anyone who doesn't have an authorized domain in the envelope 
sender."  You probably noticed something I didn't in his posts, though.



Peter


Re: permit ip, reject domain

2013-05-30 Thread Noel Jones
On 5/30/2013 6:21 PM, Peter wrote:
> On 05/31/2013 03:50 AM, Feel Zhou wrote:
>> I don't think that document is good for fixing this problem.
>> I want the sender address to match my customer's domain name.
>> If it does not match, it means the sender address was fake.
> 
> Hi Tom,
> 
> This is a bad idea, it is very easy for a spammer to spoof your
> customer's sender domain in order to relay mail through your server
> and then your server becomes not much better than an open relay.

No, the client is already authorized by IP.  Adding a sender domain
check is an additional restriction.  This is also a simple "some
trusted IP is sending a bunch of crap" trigger.

> 
> You should look into SASL AUTH, this is a much better way for your
> customers to authenticate to your server for relaying:
> http://www.postfix.org/SASL_README.html

Good advice, but SASL is not always possible or practical. And
solving this with SASL involves reject_sender_login_mismatch, which
brings its own complications.


> 
> 
> Peter



  -- Noel Jones


Re: permit ip, reject domain

2013-05-30 Thread Peter

On 05/31/2013 03:50 AM, Feel Zhou wrote:
> I don't think that document is good for fixing this problem.
> I want the sender address to match my customer's domain name.
> If it does not match, it means the sender address was fake.


Hi Tom,

This is a bad idea, it is very easy for a spammer to spoof your 
customer's sender domain in order to relay mail through your server and 
then your server becomes not much better than an open relay.


You should look into SASL AUTH, this is a much better way for your 
customers to authenticate to your server for relaying:

http://www.postfix.org/SASL_README.html


Peter


Re: Virtual User Aliases

2013-05-30 Thread Wietse Venema
Simon B:
> That's what I thought.  I did as you suggested and postfix did not
> complain, not even after postfix stop/start or /etc/init.d/postfix
> start/stop..
> 
> So, now I'm stumped.  There are other master.cf on the system, but I'm
> pretty sure it's not using any of them..

It's in the output from the command: "postconf config_directory"

Wietse


Re: Virtual User Aliases

2013-05-30 Thread Viktor Dukhovni
On Thu, May 30, 2013 at 07:58:19PM +0200, Simon B wrote:

> > Indeed, that is not right; cleanup -v produces /dozens/ of log lines for a
> > single message.
> > Make sure you're editing the right configuration.
> > Replace the -v with something invalid, like -@, and reload.
> > If that does not complain, you're not editing the right config.
> 
> That's what I thought.  I did as you suggested and postfix did not
> complain, not even after postfix stop/start or /etc/init.d/postfix
> start/stop..
> 
> So, now I'm stumped.  There are other master.cf on the system, but I'm
> pretty sure it's not using any of them..

Post the content of your master.cf file (with the "-v" flag you added
for cleanup).  Along with this repost the output of "postconf -n".

-- 
Viktor.


mailman relay access deny

2013-05-30 Thread Mustafa Akgul

Hello,
I have just upgraded Debian to current wheezy. I tried to use old
configuration files of mailman and postfix

I have siöpied a lot, but mailman/postfix does not deliver to list members

I am having "relay access denied" messages

I have in transport map file
domain   mailman:


Any ideas, pointers?

Regards
Mustafa Akgul







Re: Virtual User Aliases

2013-05-30 Thread Simon B
On 29 May 2013 20:05, Jeroen Geilman  wrote:
> On 05/29/2013 11:26 AM, Simon B wrote:
>>
>> On 28 May 2013 20:35, Viktor Dukhovni  wrote:
>>>
>>> On Tue, May 28, 2013 at 08:22:56PM +0200, Simon B wrote:
>>>
>>>> On 28 May 2013 19:34, "Viktor Dukhovni" 
>>>> wrote:
>>>>>
>>>>> On Tue, May 28, 2013 at 07:25:02PM +0200, Simon B wrote:
>>>>>
>>>>>> On 28 May 2013 18:33, Benny Pedersen  wrote:
>>>>>>>
>>>>>>> Simon B skrev den 2013-05-28 17:33:
>>>>>>>
>>>>>>>> May 27 23:30:17 mail postfix/pipe[16721]: 57FF6C8C033:
>>>>>>>> to=, relay=dovecot, delay=2, delays=2/0/0/0.05,
>>>>>>>> dsn=2.0.0, status=sent (delivered via dovecot service)
>>>>>
>>>>> Virtual alias rewriting is performed by cleanup(8) per the override
>>>>> flags passed from smtpd.  Since this address was not rewritten,
>>>>> and what changed recently is a newly disabled filter.  Despite
>>>>> reports to the contrary the problem is receive_override_options or
>>>>> last resort a cleanup service with master.cf overrides for
>>>>> virtual_alias_maps, ...
>>>>
>>>> I know you're right. I just can't find it and I'd rather not rip things
>>>> out in trial and error.
>>>>
>>>> I'll keep digging..
>>>
>>> At the very least run "postfix reload", or even "stop/start" perhaps
>>> master.cf does not match run-time reality.  You can also briefly
>>> run "cleanup -v" to see what cleanup is doing with rewriting and what
>>> flags it receives from smtpd.
>
>> Okay, so now this is really odd.  I had previously issued postfix
>> reload, but for safety, I now issued the stop/start after adding -v to
>> cleanup.  No extra detail in the logs and the alias is still not
>> expanded.
>>
>> That's not right, surely?
>
>
> Indeed, that is not right; cleanup -v produces /dozens/ of log lines for a
> single message.
> Make sure you're editing the right configuration.
> Replace the -v with something invalid, like -@, and reload.
> If that does not complain, you're not editing the right config.

That's what I thought.  I did as you suggested and postfix did not
complain, not even after postfix stop/start or /etc/init.d/postfix
start/stop..

So, now I'm stumped.  There are other master.cf on the system, but I'm
pretty sure it's not using any of them..

mail:~# locate master.cf
/etc/postfix/.master.cf.swp
/etc/postfix/master.cf
/usr/lib/postfix/master.cf
/usr/share/postfix/master.cf.dist
/usr/src/postfix-2.7.1/conf/master.cf
/usr/src/postfix-2.7.1/libexec/master.cf

I even tried explicitly starting with the -c option to force it to the
directory with a -@  and it doesn't complain..

Any other advice would be appreciated.

Simon


Re: permit ip, reject domain

2013-05-30 Thread Noel Jones
On 5/30/2013 6:39 AM, Feel Zhou wrote:
> Hello, My friend
> 
> This is Tom, I'm sending my greetings from China.
> I have used Postfix for a few months. My customers send mail via my mail
> server, so some IPs are in the mynetworks setting. For example,
> my_customer_server_ip is permitted to send mail via my server. But there is
> something seriously wrong with my Postfix server.
> 
> The correct log looks like this:
> May 30 08:09:01   [my_customer_server_ip] [my_customer_client_ip]
>  ->  >,
> 
> The wrong log looks like this (hotmail.com and
> yahoo.com are examples):
> May 29 18:05:35 , [my_customer_server_ip] [other_ip]
> <any...@hotmail.com> -> <some...@example.com>,
> May 29 16:05:37 , [my_customer_server_ip] [other_ip]
> <any...@yahoo.com> -> <some...@example.com>,
> 
> any...@hotmail.com, any...@yahoo.com,
> etc. may be real addresses in the internet
> mail system, but they are not real mail accounts in my customer's mail
> system.
> 
> My purpose is to permit my_customer_ip to send mail via my mail server,
> only permit my customer's domain addresses to send mail, and reject any
> other domain sending mail via my_customer_ip. How can I set this in my
> Postfix?
> 
> Thanks a lot
> Tom
> 

[please don't top-post, please post plain-text only. thanks.]

Yes, restriction classes are the solution.  First use a
check_client_access map to see if the IP matches one of your
clients, chain that to a check_sender_access map that only allows
the proper sender domain.  General instructions are here:
http://www.postfix.org/RESTRICTION_CLASS_README.html
adapt the examples to your use.

Alternately, you could use a policy service such as postfwd.
http://www.postfix.org/SMTPD_POLICY_README.html
http://postfwd.org/

In any case, the check must be done in smtpd_sender_restrictions to
prevent open relay accidents, and before permit_mynetworks.



  -- Noel Jones
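
The policy-service route Noel mentions, as an added example that is neither
postfwd nor Postfix code: a small Python daemon speaking the protocol from
SMTPD_POLICY_README (Postfix sends "name=value" lines ended by an empty line,
the daemon answers "action=<access(5) action>" plus an empty line, and one
connection carries many requests). It ties each customer IP to the envelope
sender domains that IP may use. The customer table, the socket path and the
main.cf wiring (check_policy_service unix:private/customer-policy placed in
smtpd_sender_restrictions ahead of permit_mynetworks, as Noel advises) are
assumptions; starting the daemon, whether from a master.cf spawn entry or a
service manager, is left to the reader.

```python
"""Postfix SMTPD policy server that ties each customer IP to its own sender domains.

Added example: not postfwd and not Postfix code.  The customer table and
the socket path are constructed for the demonstration.
"""
import os
import socketserver

# Constructed: client IP -> envelope-sender domains that IP may use.
CUSTOMER_SENDER_DOMAINS = {
    "192.0.2.10": {"customer.example", "mail.customer.example"},
}


def parse_request(raw: str) -> dict:
    """Turn one policy request ("name=value" lines up to a blank line) into a dict."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def sender_domain(sender: str) -> str:
    return sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""


def decide(attrs: dict) -> str:
    """Return the access(5) action for one request.

    DUNNO means "no opinion, let the remaining restrictions decide".  This
    daemon never answers OK, so it cannot grant relay access wherever it is
    placed; it only ever removes mail that should not be there."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    ip = attrs.get("client_address", "")
    allowed = CUSTOMER_SENDER_DOMAINS.get(ip)
    if allowed is None:
        return "DUNNO"                # not a listed customer: nothing to enforce here
    sender = attrs.get("sender", "")
    if sender == "":
        return "DUNNO"                # null sender: bounces from the customer's MTA (assumption)
    domain = sender_domain(sender)
    if domain in allowed:
        return "DUNNO"
    return f"REJECT 5.7.1 Sender domain {domain} is not permitted from {ip}"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve many requests per connection; Postfix keeps the connection open."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:          # Postfix closed the connection
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            if not lines:
                continue
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


def serve(socket_path: str) -> None:
    """Listen on a UNIX socket inside the Postfix queue directory (assumed path),
    so main.cf can reference it as unix:private/customer-policy."""
    if os.path.exists(socket_path):
        os.unlink(socket_path)
    with socketserver.ThreadingUnixStreamServer(socket_path, PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve("/var/spool/postfix/private/customer-policy")   # assumed location
```

Because the daemon answers only DUNNO or REJECT, placing it in
smtpd_sender_restrictions before permit_mynetworks means the customer's IP
still relays through permit_mynetworks in smtpd_relay_restrictions, but only
for its own domains; mail from other IPs passes through untouched and is
judged by the rest of the configuration.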


Re: permit ip, reject domain

2013-05-30 Thread Feel Zhou
Thanks, Mikael
I don't think that document is good for fixing this problem.
I want the sender address to match my customer's domain name.
If it does not match, it means the sender address was fake.
Thanks for your help
Tom


2013/5/30 Mikael Bak 

> On 05/30/2013 01:39 PM, Feel Zhou wrote:
> [snip]
> >
> > My purpose is to permit my_customer_ip to send mail via my mail server, only
> > permit my customer's domain addresses to send mail, and reject any other domain
> > sending mail via my_customer_ip. How can I set this in my Postfix?
> >
> > Thanks a lot
> > Tom
> >
>
> Hi Tom,
>
> I think you can do this with postfix restriction classes:
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
> HTH,
> Mikael
>
>


Re: permit ip, reject domain

2013-05-30 Thread Mikael Bak
On 05/30/2013 01:39 PM, Feel Zhou wrote:
[snip]
> 
> My purpose is to permit my_customer_ip to send mail via my mail server, only
> permit my customer's domain addresses to send mail, and reject any other domain
> sending mail via my_customer_ip. How can I set this in my Postfix?
> 
> Thanks a lot
> Tom
> 

Hi Tom,

I think you can do this with postfix restriction classes:
http://www.postfix.org/RESTRICTION_CLASS_README.html

HTH,
Mikael



permit ip, reject domain

2013-05-30 Thread Feel Zhou
Hello, My friend

This is Tom, I'm sending my greetings from China.
I have used Postfix for a few months. My customers send mail via my mail server, so
some IPs are in the mynetworks setting. For example, my_customer_server_ip is
permitted to send mail via my server. But there is something seriously wrong with my
Postfix server.

The correct log looks like this:
May 30 08:09:01   [my_customer_server_ip] [my_customer_client_ip]
 -> ,

The wrong log looks like this (hotmail.com and yahoo.com are examples):
May 29 18:05:35 , [my_customer_server_ip] [other_ip] <any...@hotmail.com>
-> <some...@example.com>,
May 29 16:05:37 , [my_customer_server_ip] [other_ip] <any...@yahoo.com> ->
<some...@example.com>,

any...@hotmail.com, any...@yahoo.com, etc. may be real addresses in the
internet mail system, but they are not real mail accounts in my customer's
mail system.

My purpose is to permit my_customer_ip to send mail via my mail server, only
permit my customer's domain addresses to send mail, and reject any other domain
sending mail via my_customer_ip. How can I set this in my Postfix?

Thanks a lot
Tom


Re: sent mail to the mail list which contains myself

2013-05-30 Thread Charles Marcus

On 2013-05-29 7:20 PM, LuKreme  wrote:
> On 29 May 2013, at 01:03 , Bu Xiaobing  wrote:
>> Else if we choose mailman, the mail lists or mail groups will be maintained by 
>> mailman, and then we cannot maintain members of lists by one administrator.
> 
> Why not? Mailman is quite simple to maintain.


Mailman 3 (which is currently at beta 3 release, and quite stable from 
what I hear) is able to use external sources for maintaining list and 
list membership data, and the word is it would be relatively easy for an 
LDAP adapter to be written - and indeed, I hear it is already planned, 
but if you (or someone else) beats them to it, I'm sure they'd 
appreciate it.


Bottom line... it would be doable, if you and/or one or more people on your 
team are comfortable using beta software and 'rolling your own' as far 
as installing it and getting it working...


--

Best regards,

Charles




Re: virtual domains, cyrus and lmtp integration

2013-05-30 Thread Wietse Venema
Viktor Dukhovni:
> > http://www.jmaimon.com/sendmail/anfi.homeunix.net/sendmail/rtcyrus2.html
> 
> Perhaps someone would like to contribute a table driver for the Cyrus
> socketmap interface, or you could query it via a "tcp" table.

Postfix 2.10 supports sendmail-style socketmap.

Wietse


Re: virtual domains, cyrus and lmtp integration

2013-05-30 Thread Carl Brewer

On 30/05/2013 7:47 PM, Stan Hoeppner wrote:
> If you deliver from Postfix to Cyrus via LMTP it may be possible to
> target RAV against the Cyrus' LMTP server.
> 
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
> 
> I don't know if anyone has tried RAV via LMTP, but since RCPT TO exists in
> LMTP this should be able to work.  There are some caveats to using RAV,
> but this should meet your single user database requirement.


Awesome, thank you, I'll read up on it!

Carl




Re: virtual domains, cyrus and lmtp integration

2013-05-30 Thread Stan Hoeppner
On 5/29/2013 10:30 PM, Carl Brewer wrote:
> On 30/05/2013 1:23 PM, Viktor Dukhovni wrote:
...
>> At previous employer Cyrus was used with users defined in LDAP.
> 
> I want to avoid multiple places where user data is stored, at present
> it's in cyrus and using sasldb for passwords, I'd like to keep that if I
> can.  LDAP is just another thing I'd have to learn and maintain.

If you deliver from Postfix to Cyrus via LMTP it may be possible to
target RAV against the Cyrus' LMTP server.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

I don't know if anyone has tried RAV via LMTP, but since RCPT TO exists in
LMTP this should be able to work.  There are some caveats to using RAV,
but this should meet your single user database requirement.

-- 
Stan



Re: Timeouts sending to a particular server

2013-05-30 Thread Ralf Hildebrandt
* Nikolaos Milas :

> mail.cospico.gr[62.38.156.203] timed out while sending end of data
> -- message may be sent more than once)
> 
> Can you please advise me on what may be the cause of this problem?

I usually disable ESMTP when encountering those problems:

transport_maps:
cospico.gr noesmtp:

noesmtp being defined in master.cf as:

noesmtp   unix  -   -   -   -   -   smtp
 -o smtp_never_send_ehlo=yes
 -o smtp_always_send_ehlo=no
  
-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München (district court): HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein