[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
Michel Verdier via Postfix-users wrote in <87jzu4c5qi@free.fr>:
 |On 2023-08-09, Steffen Nurpmeso via Postfix-users wrote:
 |
 |> 192.0.2.1:submission inet n - n - - smtpd
 |>     -o syslog_name=vpnsub
 |>     -o smtpd_sasl_auth_enable=no
 |>     -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
 |>     -o cleanup_service_name=vpnsub_cleanup
 |> vpnsub_cleanup unix n - n - 0 cleanup
 |>     -o {header_checks=regexp:{{/^Received:/ IGNORE}}}
 |>
 |> where 192.0.2.1 is the address where postfix listens on the VPN.
 |> Shouldn't this be adoptable? (Ie special "cleanup" service.)
 |
 |You apply header_checks on cleanup. I think the header is added by
 |postfix after incoming. Personally I put header_checks in main.cf to
 |apply filters also when sending. You can use smtp_header_checks if you
 |want to apply only on sending.

I only did what I was told. :)
It is that mail flow of mine, and it works just fine.
.. You mean no special cleanup but simply anything going out ..
which is then covered by the mentioned? Well I could try this,
thanks for the suggestion. The above was because the VPN IP
address is mistreated by SpamAssassin. Of course, mailing-list and
such (on the otherwise valid server IP) indeed still sends via
127.0.0.1, which luckily was no problem at all for now.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
Michel Verdier via Postfix-users:
> On 2023-08-09, Steffen Nurpmeso via Postfix-users wrote:
>
> > 192.0.2.1:submission inet n - n - - smtpd
> >     -o syslog_name=vpnsub
> >     -o smtpd_sasl_auth_enable=no
> >     -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
> >     -o cleanup_service_name=vpnsub_cleanup
> > vpnsub_cleanup unix n - n - 0 cleanup
> >     -o {header_checks=regexp:{{/^Received:/ IGNORE}}}
> >
> > where 192.0.2.1 is the address where postfix listens on the VPN.
> > Shouldn't this be adoptable? (Ie special "cleanup" service.)
>
> You apply header_checks on cleanup. I think the header is added by
> postfix after incoming.

It is added by the smtpd process, i.e. before mail is queued.

The exception is that the header is omitted by an smtpd process
before an smtpd_proxy_filter. This was done to avoid stutter (two
near-identical headers from the smtpd processes before and after a
filter) but that overlooked the possibility that the filter is
delivering the message to a non-local SMTP server.

Wietse
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
On 2023-08-09, Steffen Nurpmeso via Postfix-users wrote:

> 192.0.2.1:submission inet n - n - - smtpd
>     -o syslog_name=vpnsub
>     -o smtpd_sasl_auth_enable=no
>     -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
>     -o cleanup_service_name=vpnsub_cleanup
> vpnsub_cleanup unix n - n - 0 cleanup
>     -o {header_checks=regexp:{{/^Received:/ IGNORE}}}
>
> where 192.0.2.1 is the address where postfix listens on the VPN.
> Shouldn't this be adoptable? (Ie special "cleanup" service.)

You apply header_checks on cleanup. I think the header is added by
postfix after incoming. Personally I put header_checks in main.cf to
apply filters also when sending. You can use smtp_header_checks if you
want to apply only on sending.
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
Viktor Dukhovni via Postfix-users:
> On Wed, Aug 09, 2023 at 02:53:02PM -0400, Wietse Venema wrote:
>
> > > > vpnsub_cleanup unix n - n - 0 cleanup
> > > >     -o {header_checks=regexp:{{/^Received:/ IGNORE}}}
> > >
> > > I am not aware of any support for such inline regexp tables. What
> > > release of Postfix supports this?
> >
> > Postfix 3.7 introduced inline tables for regexp, pcre, and cidr
> > tables. I used the regexp support to get better logging with ALPACA
> > attacks (http://www.postfix.org/wip.html).
>
> Cool. Somehow that feature flew under my "radar". This rather
> simplifies my advice in another thread today (dummy address this time):
>
>     check_client_access cidr:{
>         { 192.0.2.1 = DUNNO },
>         { 0.0.0.0/0 = reject_unauth_pipelining },
>         { ::/0 = reject_unauth_pipelining } }

Caution: these tables don't use '='. The format of the inner {text}
is dictated by the regexp_table, pcre_table and cidr_table manpages.

> I expect there's no "if ... endif" support in the inline forms (none
> documented).

There is, it just looks ugly. The mapping from { {text1} {text2}
{text3} } to

    text1
    text2
    text3

is map-type independent and does not care if some text contains
'if' or 'endif'. The pcre_table etc. parsers, of course, do care.

Unfortunately the Postfix 3.0 inline:{} table does use '='. This
is because it reuses main.cf parsing infrastructure.

Wietse
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
On Wed, Aug 09, 2023 at 02:53:02PM -0400, Wietse Venema wrote:

> > > vpnsub_cleanup unix n - n - 0 cleanup
> > >     -o {header_checks=regexp:{{/^Received:/ IGNORE}}}
> >
> > I am not aware of any support for such inline regexp tables. What
> > release of Postfix supports this?
>
> Postfix 3.7 introduced inline tables for regexp, pcre, and cidr
> tables. I used the regexp support to get better logging with ALPACA
> attacks (http://www.postfix.org/wip.html).

Cool. Somehow that feature flew under my "radar". This rather
simplifies my advice in another thread today (dummy address this time):

    check_client_access cidr:{
        { 192.0.2.1 = DUNNO },
        { 0.0.0.0/0 = reject_unauth_pipelining },
        { ::/0 = reject_unauth_pipelining } }

I expect there's no "if ... endif" support in the inline forms (none
documented).

--
    Viktor.
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
Wietse Venema via Postfix-users:
> Viktor Dukhovni via Postfix-users:
> > On Wed, Aug 09, 2023 at 06:48:11PM +0200, Steffen Nurpmeso via
> > Postfix-users wrote:
> >
> > > Yeah the wonderful suggestion of this super helpful list (thanks
> > > again!) for my setup (laptop postfix on "forbidden address" relays
> > > to in-VPN postfix which then sends out) was
> > >
> > > 192.0.2.1:submission inet n - n - - smtpd
> > >     -o syslog_name=vpnsub
> > >     -o smtpd_sasl_auth_enable=no
> > >     -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
> > >     -o cleanup_service_name=vpnsub_cleanup
> > > vpnsub_cleanup unix n - n - 0 cleanup
> > >     -o {header_checks=regexp:{{/^Received:/ IGNORE}}}
> >
> > I am not aware of any support for such inline regexp tables. What
> > release of Postfix supports this?
>
> Postfix 3.7 introduced inline tables for regexp, pcre, and cidr
> tables. I used the regexp support to get better logging with ALPACA
> attacks (http://www.postfix.org/wip.html).

Well, the ALPACA attack was easy to detect because it sends HTTP
commands which Postfix smtpd_forbidden_commands already recognized.
The regexp pattern is for abuse that isn't so well-behaved.

Wietse
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
Viktor Dukhovni via Postfix-users:
> On Wed, Aug 09, 2023 at 06:48:11PM +0200, Steffen Nurpmeso via Postfix-users
> wrote:
>
> > Yeah the wonderful suggestion of this super helpful list (thanks
> > again!) for my setup (laptop postfix on "forbidden address" relays
> > to in-VPN postfix which then sends out) was
> >
> > 192.0.2.1:submission inet n - n - - smtpd
> >     -o syslog_name=vpnsub
> >     -o smtpd_sasl_auth_enable=no
> >     -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
> >     -o cleanup_service_name=vpnsub_cleanup
> > vpnsub_cleanup unix n - n - 0 cleanup
> >     -o {header_checks=regexp:{{/^Received:/ IGNORE}}}
>
> I am not aware of any support for such inline regexp tables. What
> release of Postfix supports this?

Postfix 3.7 introduced inline tables for regexp, pcre, and cidr
tables. I used the regexp support to get better logging with ALPACA
attacks (http://www.postfix.org/wip.html).

Wietse
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
On Wed, Aug 09, 2023 at 06:48:11PM +0200, Steffen Nurpmeso via Postfix-users wrote:

> Yeah the wonderful suggestion of this super helpful list (thanks
> again!) for my setup (laptop postfix on "forbidden address" relays
> to in-VPN postfix which then sends out) was
>
> 192.0.2.1:submission inet n - n - - smtpd
>     -o syslog_name=vpnsub
>     -o smtpd_sasl_auth_enable=no
>     -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
>     -o cleanup_service_name=vpnsub_cleanup
> vpnsub_cleanup unix n - n - 0 cleanup
>     -o {header_checks=regexp:{{/^Received:/ IGNORE}}}

I am not aware of any support for such inline regexp tables. What
release of Postfix supports this?

--
    Viktor.
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
Steffen Nurpmeso via Postfix-users:
> Michel Verdier via Postfix-users wrote in
> <87fs4s49y5@free.fr>:
> |On 2023-08-09, Fourhundred Thecat via Postfix-users wrote:
> |
> |> do you think this would be OK, or does the hostname and IP (be it
> |> localhost.local) have to be there ?
> |
> |Why don't you remove completely this header in your postfix using for
> |example header_checks ? Received is frequently removed to hide internal
> |IP if you don't need to trace them.
>
> Yeah the wonderful suggestion of this super helpful list (thanks
> again!) for my setup (laptop postfix on "forbidden address" relays
> to in-VPN postfix which then sends out) was
>
> 192.0.2.1:submission inet n - n - - smtpd
>     -o syslog_name=vpnsub
>     -o smtpd_sasl_auth_enable=no
>     -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
>     -o cleanup_service_name=vpnsub_cleanup
> vpnsub_cleanup unix n - n - 0 cleanup
>     -o {header_checks=regexp:{{/^Received:/ IGNORE}}}
>
> where 192.0.2.1 is the address where postfix listens on the VPN.
> Shouldn't this be adoptable? (Ie special "cleanup" service.)

We could add a section to the STANDARD_CONFIGURATION_README text
(and perhaps include that in SOHO_README). This could be useful
even with non-VPN use cases.

Wietse
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
Michel Verdier via Postfix-users wrote in <87fs4s49y5@free.fr>:
 |On 2023-08-09, Fourhundred Thecat via Postfix-users wrote:
 |
 |> do you think this would be OK, or does the hostname and IP (be it
 |> localhost.local) have to be there ?
 |
 |Why don't you remove completely this header in your postfix using for
 |example header_checks ? Received is frequently removed to hide internal
 |IP if you don't need to trace them.

Yeah the wonderful suggestion of this super helpful list (thanks
again!) for my setup (laptop postfix on "forbidden address" relays
to in-VPN postfix which then sends out) was

  192.0.2.1:submission inet n - n - - smtpd
      -o syslog_name=vpnsub
      -o smtpd_sasl_auth_enable=no
      -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
      -o cleanup_service_name=vpnsub_cleanup
  vpnsub_cleanup unix n - n - 0 cleanup
      -o {header_checks=regexp:{{/^Received:/ IGNORE}}}

where 192.0.2.1 is the address where postfix listens on the VPN.
Shouldn't this be adoptable? (Ie special "cleanup" service.)

--steffen
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
On 9.08.2023 at 09:22:03, Bill Cole via Postfix-users wrote:

> A Received header that seems to record a SMTP
> session on the loopback by Postfix is not common,

Hm... I think it's quite common for webmail applications. They usually
connect to IMAP/SMTP server on loopback interface.
(assuming of course everything is installed on the same server)

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
On 2023-08-09, Fourhundred Thecat via Postfix-users wrote:

> do you think this would be OK, or does the hostname and IP (be it
> localhost.local) have to be there ?

Why don't you remove completely this header in your postfix using for
example header_checks ? Received is frequently removed to hide internal
IP if you don't need to trace them.
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
On 2023-08-09 at 03:40:20 UTC-0400 (Wed, 9 Aug 2023 09:40:20 +0200)
Fourhundred Thecat via Postfix-users <400the...@gmx.ch>
is rumored to have said:

> On 2023-08-09 07:58, Viktor Dukhovni via Postfix-users wrote:
> > On Wed, Aug 09, 2023 at 07:34:48AM +0200, Fourhundred Thecat via
> > Postfix-users wrote:
> >
> > > So that the first hop looks like this:
> > >
> > > Received: from [127.0.0.1] (localhost [127.0.0.1])
> > >     by mail.xxx.yyy (Postfix) with ESMTPSA id 7E011B0
> > >     for ; Wed, 9 Aug 2023 07:04:42 +0200 (CEST)
> >
> > Try a small change:
> >
> > Received: from localhost.local (localhost.local [127.0.0.1])
> >     by mail.xxx.yyy (Postfix) with ESMTPSA id 7E011B0
> >     for ; Wed, 9 Aug 2023 07:04:42 +0200 (CEST)
> >
> > That is, use a hostname as the recorded "HELO" name, rather than
> > address-literal, and make that name be an FQDN while you're at it.
> > This might be enough.
>
> thank you. thinking about it now, could I remove the host and the IP
> entirely?

You CAN do just about anything with the Received headers, as it has a
long history of wildly divergent contents. How MS reacts is the more
relevant question and the answer is only known to Cortana, or whatever
MS calls their quasi-sentient spam filter...

> I have looked at what the header looks like when I send an email
> locally (from mutt as user on the postfix server). And there is no
> hostname or IP or localhost entry at all:
>
> Received: by mail.xxx.yyy (Postfix, from userid 1000)
>     id A73CFD6; Wed, 9 Aug 2023 08:36:22 +0200 (CEST)
>
> do you think this would be OK, or does the hostname and IP (be it
> localhost.local) have to be there ?

It is probably a good idea (if you are committed to an audit trail going
nowhere and being obviously intentionally deceptive) to mimic mail that
works. So the answer is testing. If sending with mutt works, fake that.
A Received header that seems to record a SMTP session on the loopback by
Postfix is not common, so maybe the local submission pattern will be
less suspect. Test.

One thing that seems to work is to not attempt to craft Received headers
at all. You have to evaluate your own threat model, but the marginal
value of the information in a Received header is rarely significant. On
the other side, it is usually possible to detect obfuscated Received
headers and it is entirely reasonable for receiving sites to see that in
a message and deem it suspect on that basis.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
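Added example, not part of the original thread: a small receiving-side check that pulls the first-hop (bottom-most) Received header out of a message and labels the patterns discussed here, namely an address-literal HELO, a loopback client, and local pickup with no "from" clause. The finding labels, mx.example, 198.51.100.7 and the sample message are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed message. The bottom Received line is modelled on the header
# quoted in the thread; mx.example and 198.51.100.7 are made-up values.
RAW = (
    "Received: from mail.xxx.yyy (mail.xxx.yyy [198.51.100.7])\n"
    "\tby mx.example (Postfix) with ESMTPS id 4F00D1A;\n"
    "\tWed, 9 Aug 2023 07:04:43 +0200 (CEST)\n"
    "Received: from [127.0.0.1] (localhost [127.0.0.1])\n"
    "\tby mail.xxx.yyy (Postfix) with ESMTPSA id 7E011B0;\n"
    "\tWed, 9 Aug 2023 07:04:42 +0200 (CEST)\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# "from HELO (rdns [ip]) ... with PROTO"; the rdns name is optional because
# some MTAs (see the GMX header in the thread) record only "([ip])".
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r".*?\bwith\s+(?P<proto>\S+)",
    re.I | re.S,
)


def first_hop(raw_message):
    """Return the oldest (bottom-most) Received value, unfolded, or None."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    return " ".join(received[-1].split()) if received else None


def classify(hop):
    """Return sorted findings (labels invented for this example) for one hop."""
    if hop is None:
        return ["no-received-header"]
    if hop.lower().startswith("by "):
        return ["local-submission"]  # no "from" clause: local pickup, e.g. mutt
    m = FROM_RE.match(hop)
    if not m:
        return ["unparsed"]
    findings = set()
    if m["helo"].startswith("["):
        findings.add("helo-address-literal")
    elif "." not in m["helo"]:
        findings.add("helo-not-fqdn")
    try:
        ip = ipaddress.ip_address(re.sub(r"(?i)^IPv6:", "", m["ip"]))
    except ValueError:
        return sorted(findings | {"bad-client-ip"})
    if ip.is_loopback:
        findings.add("client-loopback")
        if m["proto"].upper().rstrip(";") in ("ESMTPA", "ESMTPSA"):
            findings.add("auth-over-loopback")  # SASL login recorded on loopback
    elif ip.is_private:
        findings.add("client-non-public")  # RFC 1918 and other reserved ranges
    return sorted(findings)


if __name__ == "__main__":
    print(classify(first_hop(RAW)))
```
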
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
> On 2023-08-09 07:58, Viktor Dukhovni via Postfix-users wrote:
> On Wed, Aug 09, 2023 at 07:34:48AM +0200, Fourhundred Thecat via
> Postfix-users wrote:
>
> > So that the first hop looks like this:
> >
> > Received: from [127.0.0.1] (localhost [127.0.0.1])
> >     by mail.xxx.yyy (Postfix) with ESMTPSA id 7E011B0
> >     for ; Wed, 9 Aug 2023 07:04:42 +0200 (CEST)
>
> Try a small change:
>
> Received: from localhost.local (localhost.local [127.0.0.1])
>     by mail.xxx.yyy (Postfix) with ESMTPSA id 7E011B0
>     for ; Wed, 9 Aug 2023 07:04:42 +0200 (CEST)
>
> That is, use a hostname as the recorded "HELO" name, rather than
> address-literal, and make that name be an FQDN while you're at it.
> This might be enough.

thank you. thinking about it now, could I remove the host and the IP
entirely?

I have looked at what the header looks like when I send an email locally
(from mutt as user on the postfix server). And there is no hostname or
IP or localhost entry at all:

  Received: by mail.xxx.yyy (Postfix, from userid 1000)
      id A73CFD6; Wed, 9 Aug 2023 08:36:22 +0200 (CEST)

do you think this would be OK, or does the hostname and IP (be it
localhost.local) have to be there ?
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
On Wed, Aug 09, 2023 at 07:34:48AM +0200, Fourhundred Thecat via Postfix-users wrote:

> So that the first hop looks like this:
>
> Received: from [127.0.0.1] (localhost [127.0.0.1])
>     by mail.xxx.yyy (Postfix) with ESMTPSA id 7E011B0
>     for ; Wed, 9 Aug 2023 07:04:42 +0200 (CEST)

Try a small change:

  Received: from localhost.local (localhost.local [127.0.0.1])
      by mail.xxx.yyy (Postfix) with ESMTPSA id 7E011B0
      for ; Wed, 9 Aug 2023 07:04:42 +0200 (CEST)

That is, use a hostname as the recorded "HELO" name, rather than
address-literal, and make that name be an FQDN while you're at it.
This might be enough.

--
    Viktor.
[pfx] Re: email being flagged a spam for using localhost [127.0.0.1] as first hop
Dear Fourhundred,

On 09.08.23 at 07:34, Fourhundred Thecat via Postfix-users wrote:

> my email was flagged as spam by Microsoft. I have the received email,
> together with all the headers that Microsoft added.
>
> Specifically the item: X-Microsoft-Antispam-Message-Info:
>
> I have found a tool on github, which attempts to decode this convoluted
> item (https://github.com/mgeeky/decode-spam-headers)
>
> And one of the decoded lines says:
>
> (5880045) - (GUESSING) Somehow related to First Hop server reputation,
> it's reverse-PTR resolution or domain impersonation
>
> I am using header rewrite to hide my own IP address, and use localhost
> [127.0.0.1] instead.
>
> So that the first hop looks like this:
>
> Received: from [127.0.0.1] (localhost [127.0.0.1])
>     by mail.xxx.yyy (Postfix) with ESMTPSA id 7E011B0
>     for ; Wed, 9 Aug 2023 07:04:42 +0200 (CEST)
>
> is this considered bad practice? Or why am I being penalized for this?
>
> All I am trying to achieve is not to disclose from where I am sending my
> emails

Sounds like something spammers also would like to do, so it's considered
bad practice. But, it is also not feasible, as the accepting host often
logs the IP address. So your strategy would only work, if you use a
smarthost (SMTP relay server), deleting the `Received:` records from the
header. So the receiver would only see the IP address of the smart host.

As an example for your message to the list from GMX:

  Received: from [10.1.2.16] ([212.25.11.75]) by mail.gmx.net (mrgmx105
      [212.227.17.168]) with ESMTPSA (Nemesis) id 1M3DJl-1qWda038fN-003eVr
      for ; Wed, 09 Aug 2023 07:34:49 +0200

mail.gmx.net is the smarthost, and would need to support to not add that
Received entry (and remove possible other ones).

Kind regards,

Paul