Re: No SMTP AUTH when TLS enabled
* froinds J froi...@gmail.com:

What should I use keylength and digest when creating both the CA cert and the smtpd cert?

That's an invitation for long discussions... In Germany, the federal institution BSI (administration for security), recommends 4096 Bit for CA certificates and 2048 for server certificates. For ciphers I can't say which is 'the best'. If you plan to use mobiles (cell phone etc.) a lot you might want to use ECC certificates. They provide the same security level as the others at a shorter key length, which makes it easier and faster for weak processors (cell phone) to use them.

Should I leave the passwords blank?

Create them with and remove the passwords when you export the certificates. Why? The server (Postfix smtpd) can't type it when it needs to be unlocked for usage. ;)

p...@rick

Thanks

On Sat, Jan 2, 2010 at 6:04 PM, Patrick Ben Koetter p...@state-of-mind.de wrote:

* froinds J froi...@gmail.com:

Ah you so were right. I set up postfix to use the certs that cyrus-imapd creates by default and everything works now. What's weird is that cyrus-imapd was using the same certs postfix was using and it didn't complain. I was able to receive email when I turned off TLS for postfix. So I guess the problem is that I'm not creating good self-signed certificates. I've done this more than 20 times following every source on the internet including the guides in postfix.org. My certs have always worked with cyrus-imapd and apache, but I always run into trouble with postfix. Can you provide a set of instructions to follow?

You can use TinyCA http://tinyca.sm-zone.net/ to setup a CA and the required certificates. Then configure Postfix. When you're done, send postconf -n output and we will have a look at the config.

p...@rick

Thanks so much.

On Sat, Jan 2, 2010 at 4:02 PM, Patrick Ben Koetter p...@state-of-mind.de wrote:

* froinds J froi...@gmail.com:

Oops! I forgot to check SSL. My client now seems to start a TLS session and still nothing. Here is the log with the SSL error.

TLS log. My favourite waste of time. Everything is laid out so clear... :/ There are two lines in your log that make me think (think, not know!) that your client doesn't like the server certificate. Read below.

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: How to ensure that either FROM or TO is local
Questions similar to yours come up fairly often, I'm not sure why no one's jumped in yet with a rough solution that will do what you want. What you've mentioned you want:

How do I ensure that my mail server can only send mails either to or from mydomains?

Consider that there are three situations you want to worry about:

1. Postfix receiving a mail for final delivery as the destination (local delivery)
2. Postfix receiving a mail for delivery to somewhere else on the internet (relaying)
3. Postfix receiving a mail submitted locally, destined for somewhere else on the internet (this is a special case of (2) because local is usually privileged)

* Assume we ignore (2) because Postfix will not act as an anonymous relay by default.
* Postfix will only accept mail for local domains, so (1) works as you expect. Accepting mail for remote domains would be considered relaying
* Postfix (by default) *will* accept mail and relay it to remote domains, if the client is local. That covers case (3)

I *think* the short, correct answer is to use a policy server: http://www.postfix.org/SMTPD_POLICY_README.html

Another alternative may be restriction classes, but that can get a bit messy. I personally wouldn't trust myself to get this right, so I have no examples of my own to offer. http://www.postfix.org/RESTRICTION_CLASS_README.html

When I add the following to main.cf, this should perform the check, so only people I know are allowed to send through postfix and they can send anywhere. This should also prevent anyone to send mail from an address that isn't one of mine.

    smtpd_reject_unlisted_recipient = no
    smtpd_reject_unlisted_sender = yes
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    smtpd_sender_restrictions =

I've not used the smtpd_reject_unlisted_* options before myself, but I suspect that won't work as you expect.

Unfortunately, it does not work.

When you report that something doesn't work, it's best to provide log entries that support what you're saying. Basically, it's most helpful if you:

1. Describe what you expected to happen
2. Describe what you saw actually happened.
3. Show the log entries so we can see what happened.

The output of postconf -n

snip

    mydestination =

This is likely to be wrong. I can see you're using virtual mailboxes, but not having any local domains at all is odd.

    mynetworks = 0.0.0.0

This is *definitely* very wrong! smtpd_recipient_restrictions will allow ANY client in mynetworks to relay mail to any destination. I don't know if using smtpd_reject_unlisted_sender would prevent anything going wrong here, but this is likely to make you an open relay.
Re: master.cf - integrating Postfix with DKIM proxy
* Michael p...@nettrust.co.nz:

In reference to the following page: http://dkimproxy.sourceforge.net/postfix-outbound-howto.html it includes the following:

    submission inet n - n - - smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=yes
        -o content_filter=dksign:[127.0.0.1]:10027
        -o receive_override_options=no_address_mappings
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

however I do not send emails from my desktop using port 587, I use port 25 as standard. How could I include the line

    -o content_filter=dksign:[127.0.0.1]:10027

in a manner where only OUTBOUND emails only are passed through DKIM proxy, and not incoming emails? Yes, I am well aware that SMTP does not draw a distinction between the 2, but I am thinking there must be a way, or do I have to send emails via a port other than 25 to achieve this?

I am using amavisd-new for DKIM signing (I was using it anyways, so I saw no potential gain in including another piece of software, e.g. dkimproxy, into the toolchain). Using a custom package, one can match for a header line which states that the mail was received by one's own MTA using SMTP AUTH (RFC 3848). So the first step is to define a new policy bank in amavisd-new:

#v+
$policy_bank{'MINI-SUBMISSION'} = {
  originating => 1,
};
#v-

Then add a custom script loading this policy bank (this example will match mail.incertum.net. Code base contributed by Alexander Wirt, bad PCRE is my fault, not his):

#v+
package Amavis::Custom;
use strict;

BEGIN {
  import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
  import Amavis::Util qw(do_log untaint safe_encode safe_decode);
  import Amavis::rfc2821_2822_Tools;
  import Amavis::Notify qw(build_mime_entity);
}

sub new {
  my($class,$conn,$msginfo) = @_;
  my($self) = bless {}, $class;
  my $sasl_owned = 0;
  # Scan the original headers for a Received: line written by our own MTA
  # for an authenticated session (ESMTPA / ESMTPSA, RFC 3848).
  foreach my $line (@{$msginfo->{'orig_header'}}) {
    $line =~ s/\n\t/ /g;   # unfold continuation lines
    $sasl_owned = 1 if $line =~ m/^Received:.*by mail.incertum.net.*with ESMTP(S)?A.*/i;
  }
  if ($sasl_owned) {
    do_log(2, sprintf("Load SASL policy bank"));
    Amavis::load_policy_bank('MINI-SUBMISSION')
  }
  return $self;
}
1;  # insure a defined return
#v-

This way, offering AUTH on the port 25, one could offer MX and submission services within one Postfix instance.

I _think_ (and I'm really not 100% sure if this would work) another possibility would be to use a feature introduced with Postfix 2.7, namely sender_dependent_default_transport_maps. You could define a transport which passes all mail to the DKIM proxy. The proxy itself would have to reinject the mails to a dedicated smtpd(8) clone, defined in master.cf, with an empty sender_dependent_default_transport_maps (or at least one which doesn't include the entry for your DKIM proxy). Then populate the map referenced in sender_dependent_default_transport_maps with all your domains you want to sign. As I said, this might be a bad idea.

On this topic has anyone found a good DKIM signing solution that will work with multiple domains?

I don't understand that question. You can only sign domains for which you have the private key.

Stefan
Re: master.cf - integrating Postfix with DKIM proxy
* Stefan Foerster cite+postfix-us...@incertum.net:

I _think_ (and I'm really not 100% sure if this would work) another possibility would be to use a feature introduced with Postfix 2.7, namely sender_dependent_default_transport_maps. You could define a transport which passes all mail to the DKIM proxy. The proxy itself would have to reinject the mails to a dedicated smtpd(8) clone, defined in master.cf, with an empty sender_dependent_default_transport_maps (or at least one which doesn't include the entry for your DKIM proxy). Then populate the map referenced in sender_dependent_default_transport_maps with all your domains you want to sign. As I said, this might be a bad idea.

Bad idea. As stated in the release notes, sender_dependent_default_transport_maps don't support the nexthop feature of a regular transport map entry. You could try with sender_dependent_relayhost_maps, available as of Postfix 2.3.

Stefan
Re: master.cf - integrating Postfix with DKIM proxy
Michael wrote:

In reference to the following page: http://dkimproxy.sourceforge.net/postfix-outbound-howto.html it includes the following:

    submission inet n - n - - smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=yes
        -o content_filter=dksign:[127.0.0.1]:10027
        -o receive_override_options=no_address_mappings
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

however I do not send emails from my desktop using port 587, I use port 25 as standard. How could I include the line

    -o content_filter=dksign:[127.0.0.1]:10027

in a manner where only OUTBOUND emails only are passed through DKIM proxy, and not incoming emails? Yes, I am well aware that SMTP does not draw a distinction between the 2, but I am thinking there must be a way, or do I have to send emails via a port other than 25 to achieve this?

better move to 587, which is the standard submission port. If you insist (but once again, 587 is simpler and brings other benefits), you can still use the FILTER statement in an access check:

    smtpd_client_restrictions =
        check_client_access pcre:/etc/postfix/filter_trusted
        permit_mynetworks
        permit_sasl_authenticated
        check_client_access pcre:/etc/postfix/filter_default

    == filter_trusted
    /./ FILTER filter:[127.0.0.1]:10586

    == filter_default
    /./ FILTER filter:[127.0.0.1]:10024

note that with this, content_filter settings are unused.

On this topic has anyone found a good DKIM signing solution that will work with multiple domains?

If you are not happy with dkim-proxy, you can try dkim-milter or amavisd-new.
anti spam measures
I am running postfix with anti spam filter (policyd-weight, sqlgrey, grossd, dkim, senderid-milter, dspam). With this configuration, I am down to under 10 spams a day. Looking at my backend server which is exchange 2007, I find that all of the remaining spam messages have spam confidence level of 7 or greater, which implies this is blatant spam.

Is there spam filter software that works with postfix that can perform checks similar to that of exchange 2007 spam confidence level?

Thanks in advance
Re: anti spam measures
Original Message
Date: Sun, 3 Jan 2010 10:02:32 -0500
From: Roman Gelfand rgelfa...@gmail.com
To: postfix users list postfix-users@postfix.org
Subject: anti spam measures

I am running postfix with anti spam filter (policyd-weight, sqlgrey, grossd, dkim, senderid-milter, dspam). With this configuration, I am down to under 10 spams a day. Looking at my backend server which is exchange 2007, I find that all of the remaining spam messages have spam confidence level of 7 or greater, which implies this is blatant spam.

And your current Anti-Spam solution did not tag them as Spam?

Is there spam filter software that works with postfix that can perform checks similar to that of exchange 2007 spam confidence level?

Thanks in advance
Re: How to ensure that either FROM or TO is local
I *think* the short, correct answer is to use a policy server: http://www.postfix.org/SMTPD_POLICY_README.html I will look into those then I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do not see how I can use this to solve my problem. Perhaps I am missing something... Any help is greatly appreciated Regards, Serge Fonville -- http://www.sergefonville.nl Convince Google!! They need to support Adsense over SSL https://www.google.com/adsense/support/bin/answer.py?hl=enanswer=10528 http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923hl=en
Re: anti spam measures
On Sun, Jan 3, 2010 at 10:13 AM, Steve stev...@gmx.net wrote:

Original Message
Date: Sun, 3 Jan 2010 10:02:32 -0500
From: Roman Gelfand rgelfa...@gmail.com
To: postfix users list postfix-users@postfix.org
Subject: anti spam measures

I am running postfix with anti spam filter (policyd-weight, sqlgrey, grossd, dkim, senderid-milter, dspam). With this configuration, I am down to under 10 spams a day. Looking at my backend server which is exchange 2007, I find that all of the remaining spam messages have spam confidence level of 7 or greater, which implies this is blatant spam.

And your current Anti-Spam solution did not tag them as Spam?

No. Since I posted this message, I saw your discussion about s25r. I am trying it now. My first impression is that it is making a dent. You were, at one point, trying out geoip patched policyd-weight where you added points to a total score based on distance between servers. If so, would you mind sharing the patched script along with configuration file?

Is there spam filter software that works with postfix that can perform checks similar to that of exchange 2007 spam confidence level?

Thanks in advance

Thanks again
Re: How to ensure that either FROM or TO is local
Serge Fonville: I *think* the short, correct answer is to use a policy server: http://www.postfix.org/SMTPD_POLICY_README.html I will look into those then I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do not see how I can use this to solve my problem. Perhaps I am missing something... Any help is greatly appreciated The policy server can reject mail from a remote network with a local sender address. Isn't that what you want? As an added bonus, it can also reject mail from a local network with a remote sender address. This can help to stop outbound spam from zombie-infested PCs. Wietse
Re: How to ensure that either FROM or TO is local
Wietse, Thx for the reply The policy server can reject mail from a remote network with a local sender address. Isn't that what you want? As an added bonus, it can also reject mail from a local network with a remote sender address. This can help to stop outbound spam from zombie-infested PCs. Yes exactly. I read into the page again and it seems to be suitable for my purpose. Unfortunately it also seems to mean I have to write my own policy server.. At least I have a starting point from now on. Thanks a lot for the help! Regards, Serge Fonville -- http://www.sergefonville.nl Convince Google!! They need to support Adsense over SSL https://www.google.com/adsense/support/bin/answer.py?hl=enanswer=10528 http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923hl=en
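
A sketch of the kind of policy server discussed in this thread, added here as an example; it is not code from any of the posters or from the Postfix distribution. It speaks the attribute protocol described in SMTPD_POLICY_README and applies the two checks Wietse describes. The domain example.com, the network 192.0.2.0/24, port 10040, and the choice to treat SASL-authenticated clients as local are assumptions of the example.

```python
"""Postfix SMTPD policy delegation sketch: sender address vs. client origin."""
import ipaddress
import socketserver

# Assumptions for this example (placeholders, not values from the thread):
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Constructed sample request in the name=value format Postfix sends:
# a remote client claiming a local sender address.
SAMPLE_FORGED = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.9\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.com\n"
    "sasl_username=\n"
    "\n"
)


def parse_request(text):
    """Turn one request (name=value lines, ended by an empty line) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def is_local_client(attrs):
    """Assumption: local means SASL-authenticated or inside LOCAL_NETWORKS."""
    if attrs.get("sasl_username"):
        return True
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return False  # an unparsable address is never treated as local
    return any(addr in net for net in LOCAL_NETWORKS)


def is_local_sender(sender):
    """True when the envelope sender's domain is one of LOCAL_DOMAINS."""
    _, at, domain = sender.rpartition("@")
    return bool(at) and domain.lower().rstrip(".") in LOCAL_DOMAINS


def decide(attrs):
    """Return an access(5)-style action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "")
    if not sender:
        return "DUNNO"  # null sender (bounces): leave to other restrictions
    local_client = is_local_client(attrs)
    local_sender = is_local_sender(sender)
    if local_sender and not local_client:
        return "REJECT local sender address used by a remote client"
    if local_client and not local_sender:
        return "REJECT remote sender address used by a local client"
    return "DUNNO"  # let the remaining restrictions decide


def respond(text):
    """Wire-format reply for one raw request."""
    return "action=%s\n\n" % decide(parse_request(text))


class PolicyHandler(socketserver.StreamRequestHandler):
    """Answers every request that arrives on one Postfix connection."""

    def handle(self):
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            # Empty line: the request is complete, reply and start over.
            self.wfile.write(respond("\n".join(lines)).encode("utf-8"))
            lines = []


if __name__ == "__main__":
    # 127.0.0.1:10040 is an arbitrary choice for this example.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Postfix would consult it with check_policy_service inet:127.0.0.1:10040 in a restriction list, placed before permit_mynetworks so that local clients are checked too.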
3000 recipients
Hello list,

I want to send once a week a simple mail to a list of 3000 recipients. I can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to higher limits, but is there a better way to handle this?

R.

--
It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt.

Richard Lucassen, Utrecht
Public key and email address:
http://www.lucassen.org/mail-pubkey.html
Re: 3000 recipients
* richard lucassen postfix-us...@cloud9.net:

I want to send once a week a simple mail to a list of 3000 recipients. I can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to higher limits, but is there a better way to handle this?

Choose a client/write a script that breaks the list of 3.000 recipients down to batches of 50 recipients. IIRC that's the maximum (RFC) number of recipients any SMTP server must accept.

p...@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: 3000 recipients
richard lucassen wrote: Hello list, I want to send once a week a simple mail to a list of 3000 recipients. I can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to higher limits, but is there a better way to handle this? Yes. Install a proper mailing list management system, such as Mailman or majordomo. 3000 recipients is waaay too many to do in a single shot using Bcc. Mark
Re: anti spam measures
On Sun, Jan 03, 2010 at 10:02:32AM -0500, Roman Gelfand wrote:

I am running postfix with anti spam filter (policyd-weight, sqlgrey, grossd, dkim, senderid-milter, dspam). With this configuration, I am down to under 10 spams a day. Looking at my backend server which is exchange 2007, I find that all of the remaining spam messages have spam confidence level of 7 or greater, which implies this is blatant spam.

Is there spam filter software that works with postfix that can perform checks similar to that of exchange 2007 spam confidence level?

Thanks in advance

Hi Roman,

To truly check how the Exchange 2007 spam confidence level works, try passing all of the mail from postfix to the Exchange server. I would be almost certain that more than 10 messages will make it through a day. If not, then just use the Exchange processing and you are done. If you do try the test, I would be interested in the results so please post them.

Regards,
Ken
Re: 3000 recipients
On Sun, 3 Jan 2010 20:50:21 +0100 Patrick Ben Koetter p...@state-of-mind.de wrote:

* richard lucassen postfix-us...@cloud9.net:

I want to send once a week a simple mail to a list of 3000 recipients. I can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to higher limits, but is there a better way to handle this?

Choose a client/write a script that breaks the list of 3.000 recipients down to batches of 50 recipients. IIRC that's the maximum (RFC) number of recipients any SMTP server must accept.

That was the first solution that I thought of, but before reinventing the wheel, I was wondering if someone else had already invented this wheel :)

Btw: the default settings of smtpd_recipient_limit and smtpd_recipient_overshoot_limit are as high as 1000.

R.

--
It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt.

Richard Lucassen, Utrecht
Public key and email address:
http://www.lucassen.org/mail-pubkey.html
Re: 3000 recipients
richard lucassen wrote: On Sun, 03 Jan 2010 19:57:41 + Mark Goodge m...@good-stuff.co.uk wrote: I want to send once a week a simple mail to a list of 3000 recipients. I can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to higher limits, but is there a better way to handle this? Yes. Install a proper mailing list management system, such as Mailman or majordomo. 3000 recipients is waaay too many to do in a single shot using Bcc. Ok, but a mlm is quite some overkill IMHO, just wondering if there was an intermediate solution. This is for a blind person who handles the mailinglist himself, so solutions are rather limited. But anyway, I can always write a small shell script that does the job. Should not be a very big problem. Your biggest problem, with that number of recipients, is handling bounces and unsubscriptions. Splitting the recipients into chunks is easy enough, but dealing with all the invalid and/or expired addresses is what makes it more complex. And if you don't handle them correctly, then you're getting into dangerous territory - that's where legitimate lists start being treated as spam, especially if any of the recipients have addresses with the major webmail operators such as Hotmail and Yahoo. Most decent MLMs allow you to import subscribers from a simple text list, so from a user point of view it's no harder (and often easier) than maintaining it in the addressbook of an email client for Bcc purposes. It's more complex for the administrator, but if you're competent enough to administer Postfix then it's hardly likely to be a problem for you! Mark
Re: 3000 recipients
On Sun, Jan 03, 2010 at 09:14:03PM +0100, richard lucassen wrote:

On Sun, 03 Jan 2010 19:57:41 + Mark Goodge m...@good-stuff.co.uk wrote:

I want to send once a week a simple mail to a list of 3000 recipients. I can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to higher limits, but is there a better way to handle this?

Yes. Install a proper mailing list management system, such as Mailman or majordomo. 3000 recipients is waaay too many to do in a single shot using Bcc.

Ok, but a mlm is quite some overkill IMHO, just wondering if there was an intermediate solution. This is for a blind person who handles the mailinglist himself, so solutions are rather limited. But anyway, I can always write a small shell script that does the job. Should not be a very big problem.

R.

What about using an aliases entry to read the addresses from a file:

    mylist: :include:/file/name
    mylist-owner: listowner

Then the user just needs permission to update the file and mail to mylist will be broken out to the addresses in /file/name.

Regards,
Ken
Re: 3000 recipients
On Sun, Jan 03, 2010 at 08:23:50PM +, Mark Goodge wrote: richard lucassen wrote: On Sun, 03 Jan 2010 19:57:41 + Mark Goodge m...@good-stuff.co.uk wrote: I want to send once a week a simple mail to a list of 3000 recipients. I can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to higher limits, but is there a better way to handle this? Yes. Install a proper mailing list management system, such as Mailman or majordomo. 3000 recipients is waaay too many to do in a single shot using Bcc. Ok, but a mlm is quite some overkill IMHO, just wondering if there was an intermediate solution. This is for a blind person who handles the mailinglist himself, so solutions are rather limited. But anyway, I can always write a small shell script that does the job. Should not be a very big problem. Your biggest problem, with that number of recipients, is handling bounces and unsubscriptions. Splitting the recipients into chunks is easy enough, but dealing with all the invalid and/or expired addresses is what makes it more complex. And if you don't handle them correctly, then you're getting into dangerous territory - that's where legitimate lists start being treated as spam, especially if any of the recipients have addresses with the major webmail operators such as Hotmail and Yahoo. Most decent MLMs allow you to import subscribers from a simple text list, so from a user point of view it's no harder (and often easier) than maintaining it in the addressbook of an email client for Bcc purposes. It's more complex for the administrator, but if you're competent enough to administer Postfix then it's hardly likely to be a problem for you! Mark I will second that using a real MLM is usually a much, much better option that will allow you to prevent collateral damage to your mail reputation when there is a delivery problem. 
For example, when using the aliases option, you should only allow the one address/user to send mail to the alias or you open up an avenue for spammers to abuse your system. Regards, Ken
Re: 3000 recipients
On Sun, 03 Jan 2010 19:57:41 + Mark Goodge m...@good-stuff.co.uk wrote:

I want to send once a week a simple mail to a list of 3000 recipients. I can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to higher limits, but is there a better way to handle this?

Yes. Install a proper mailing list management system, such as Mailman or majordomo. 3000 recipients is waaay too many to do in a single shot using Bcc.

Ok, but a mlm is quite some overkill IMHO, just wondering if there was an intermediate solution. This is for a blind person who handles the mailinglist himself, so solutions are rather limited. But anyway, I can always write a small shell script that does the job. Should not be a very big problem.

R.

--
It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt.

Richard Lucassen, Utrecht
Public key and email address:
http://www.lucassen.org/mail-pubkey.html
Re: 3000 recipients
On Sun, 3 Jan 2010 14:28:11 -0600 Kenneth Marshall k...@rice.edu wrote:

[mlm]

I will second that using a real MLM is usually a much, much better option that will allow you to prevent collateral damage to your mail reputation when there is a delivery problem. For example, when using the aliases option, you should only allow the one address/user to send mail to the alias or you open up an avenue for spammers to abuse your system.

Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that matter. I've only played with ezmlm some 10 years ago when I was using qmail, but I haven't looked at these mlm's ever since. Which mlm would you recommend to use for this purpose? I use Debian Lenny with (of course) Postfix.

R.

--
It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt.

Richard Lucassen, Utrecht
Public key and email address:
http://www.lucassen.org/mail-pubkey.html
Re: 3000 recipients
richard lucassen wrote: On Sun, 3 Jan 2010 14:28:11 -0600 Kenneth Marshall k...@rice.edu wrote: [mlm] I will second that using a real MLM is usually a much, much better option that will allow you to prevent collateral damage to your mail reputation when there is a delivery problem. For example, when using the aliases option, you should only allow the one address/user to send mail to the alias or you open up an avenue for spammers to abuse your system. Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that matter. I've only played with ezmlm some 10 years ago when I was using qmail, but I haven't looked at these mlm's ever since. Which mlm would you recommend to use for this purpose? I use Debian Lenny with (of course) Postfix. My personal preference is Mailman. I run that on Debian with Postfix, and it was pretty simple to install. Mark
Re: 3000 recipients
richard lucassen wrote: On Sun, 3 Jan 2010 14:28:11 -0600 Kenneth Marshall k...@rice.edu wrote: [mlm] I will second that using a real MLM is usually a much, much better option that will allow you to prevent collateral damage to your mail reputation when there is a delivery problem. For example, when using the aliases option, you should only allow the one address/user to send mail to the alias or you open up an avenue for spammers to abuse your system. Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that matter. I've only played with ezmlm some 10 years ago when I was using qmail, but I haven't looked at these mlm's ever since. Which mlm would you recommend to use for this purpose? I use Debian Lenny with (of course) Postfix. Sympa ? http://www.sympa.org JM R. --
Re: 3000 recipients
* richard lucassen postfix-us...@cloud9.net:

On Sun, 3 Jan 2010 14:28:11 -0600 Kenneth Marshall k...@rice.edu wrote:

[mlm]

I will second that using a real MLM is usually a much, much better option that will allow you to prevent collateral damage to your mail reputation when there is a delivery problem. For example, when using the aliases option, you should only allow the one address/user to send mail to the alias or you open up an avenue for spammers to abuse your system.

Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that matter. I've only played with ezmlm some 10 years ago when I was using qmail, but I haven't looked at these mlm's ever since. Which mlm would you recommend to use for this purpose? I use Debian Lenny with (of course) Postfix.

Use mailman and configure mailman to produce alias files for Postfix. Make Postfix a member of the group list. Then link the alias file from your main.cf.

p...@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: How to ensure that either FROM or TO is local
On Sun, Jan 03, 2010 at 09:58:15PM +1100, Barney Desmond wrote:

    mynetworks = 0.0.0.0

This is *definitely* very wrong! smtpd_recipient_restrictions will allow ANY client in mynetworks to relay mail to any destination. I

While it was intended, no doubt, to be very wrong, it failed. Lacking a valid CIDR expression, that only matches the single IPv4 address of 0.0.0.0, which, having special meaning in networking, is unroutable. A setting of equivalent functionality is "mynetworks =".

The OP would be well advised to review the BASIC_CONFIGURATION_README, listing in $mynetworks the client networks which should be allowed to relay. If the OP does not wish to allow any to relay on the basis of IP address unless using a local sender, as the $SUBJECT suggests, the solution is pretty simple.

main.cf :

    mynetworks = real.IP.add.ress/CIDR[, ...]
    smtpd_recipient_restrictions = reject_unlisted_sender,
        permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination[, ...]

don't know if using smtpd_reject_unlisted_sender would prevent anything going wrong here, but this is likely to make you an open relay.

If the wrong thing had been done correctly ;) I think this would have worked too, that is, if I understood the OP's goal correctly.

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: 3000 recipients
-- From: Jose-Marcio Martins da Cruz jose-marcio.mart...@ensmp.fr Sent: Sunday, January 03, 2010 4:13 PM To: postfix-us...@cloud9.net Subject: Re: 3000 recipients richard lucassen wrote: On Sun, 3 Jan 2010 14:28:11 -0600 Kenneth Marshall k...@rice.edu wrote: [mlm] I will second that using a real MLM is usually a much, much better option that will allow you to prevent collateral damage to your mail reputation when there is a delivery problem. For example, when using the aliases option, you should only allow the one address/user to send mail to the alias or you open up an avenue for spammers to abuse your system. Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that matter. I've only played with ezmlm some 10 years ago when I was using qmail, but I haven't looked at these mlm's ever since. Which mlm would you recommend to use for this purpose? I use Debian Lenny with (of course) Postfix. Sympa ? http://www.sympa.org JM I used sympa for years - great software, but maybe an overkill in this case. however - it handles bounces nicely... - Vadim R. --
Re: 3000 recipients
On Jan 3, 2010, at 1:14 PM, richard lucassen wrote: 3000 recipients is waaay too many to do in a single shot using Bcc. Ok, but a mlm is quite some overkill IMHO, just wondering if there was an intermediate solution. This is for a blind person who handles the mailinglist himself, so solutions are rather limited. I know nothing about your situation, but blind caught my attention. Over the past couple years, I wrote a program to try to interface some blind kids to a computer, at a pretty basic level and for a specific set of tasks -- http://www.auraluserinterface.com. The kids in TX were quite empowered by it, even though it's far from ready for prime time. If you think it might help the list manager, let me know and I'll see if I can't make it run mailman list adds and deletes via ssh or http... -- Glenn English g...@slsware.com
Re: anti spam measures
On Sun, Jan 3, 2010 at 2:59 PM, Kenneth Marshall k...@rice.edu wrote: On Sun, Jan 03, 2010 at 10:02:32AM -0500, Roman Gelfand wrote: I am running postfix with anti spam filter (policyd-weight, sqlgrey, grossd, dkim, senderid-milter, dspam). With this configuration, I am down to under 10 spams a day. Looking at my backend server which is exchange 2007, I find that all of the remaining spam messages have spam confidence level of 7 or greater, which implies this is blatant spam. Is there spam filter software that works with postfix that can perform checks similar to that of exchange 2007 spam confidence level? Thanks in advance Hi Roman, To truly check how the Exchange 2007 spam confidence level works, try passing all of the mail from postfix to the Exchange server. I would be almost certain that more than 10 messages will make it through a day. If not, then just use the Exchange processing and you are done. If you do try the test, I would be interested in the results so please post them. No question, exchange 2007 leaves a lot to be desired compared to postfix, dspam and other filtering features. Believe me I have tried both. Without the edge server, I was getting in excess of 400 spams a day. With the current setup I was getting at most 10 spams a day. Out of those ten spams, the spam confidence level ranged between 7-9 which tells exchange, without a doubt, this is spam. My thoughts are, it can't be that exchange caught it and postfix and friends didn't. Therefore, it must have something to do with my postfix configuration and/or additional filtering servers and their configurations. I just saw one spam email where the policyd-weight is -8.5, as this ip is not blacklisted, and SPF is PASS, but exchange's spam confidence level is 8. BTW.. Just for the features alone it is worth switching to postfix. I think it is light years ahead and without all the fluff. Thanks Regards, Ken
Re: 3000 recipients
* Glenn English g...@slsware.com: On Jan 3, 2010, at 1:14 PM, richard lucassen wrote: 3000 recipients is waaay too many to do in a single shot using Bcc. Ok, but a mlm is quite some overkill IMHO, just wondering if there was an intermediate solution. This is for a blind person who handles the mailinglist himself, so solutions are rather limited. I know nothing about your situation, but blind caught my attention. Over the past couple years, I wrote a program to try to interface some blind kids to a computer, at a pretty basic level and for a specific set of tasks -- http://www.auraluserinterface.com. The kids in TX were quite empowered by it, even though it's far from ready for prime time. If you think it might help the list manager, let me know and I'll see if I can't make it run mailman list adds and deletes via ssh or http... Mailman 3 will have a web interface that adheres to Web Content Accessibility Guidelines (WCAG). We're at the very beginning, but it is on the roadmap. p...@rick -- All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified. saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: anti spam measures
On Sun, Jan 3, 2010 at 3:37 PM, Steve stev...@gmx.net wrote: Original Message Date: Sun, 3 Jan 2010 12:50:26 -0500 From: Roman Gelfand rgelfa...@gmail.com To: Steve stev...@gmx.net CC: postfix-users@postfix.org Subject: Re: anti spam measures On Sun, Jan 3, 2010 at 10:13 AM, Steve stev...@gmx.net wrote: Original Message Date: Sun, 3 Jan 2010 10:02:32 -0500 From: Roman Gelfand rgelfa...@gmail.com To: postfix users list postfix-users@postfix.org Subject: anti spam measures I am running postfix with anti spam filter (policyd-weight, sqlgrey, grossd, dkim, senderid-milter, dspam). With this configuration, I am down to under 10 spams a day. Looking at my backend server which is exchange 2007, I find that all of the remaining spam messages have spam confidence level of 7 or greater, which implies this is blatant spam. And your current Anti-Spam solution did not tag them as Spam? No. Since DSPAM is the Anti-Spam engine you are using, you should train DSPAM to catch those Spam mails. I do train DSPAM and it works great. However, if I could block it before it gets to DSPAM, why not. I wouldn't feel bad if exchange told me this is perfectly good email. I am, looking, to do away with exchange server altogether. Thanks Since I posted this message, I saw your discussion about s25r. I am trying it now. My first impression is that it is making a dent. It's a cheap (in terms of resources) way to block a lot of unwanted mails. You were, at one point, trying out geoip patched policyd-weight where you added points to a total score based on distance between servers. Yes. I implemented that into policyd-weight after reading about SNARE (Spatio-temporal Network-level Automatic Reputation Engine). If so, would you mind sharing the patched script along with configuration file? I have no problem sharing this code but to be honest: The discussion does not belong here in the Postfix mailing list.
Is there spam filter software that works with postfix that can perform checks similar to that of exchange 2007 spam confidence level? Thanks in advance Thanks again Please let's move that discussion out of the Postfix mailing list since it really does not belong here. Okay? Understood.
Re: anti spam measures
Roman Gelfand wrote: I am running postfix with anti spam filter (policyd-weight, sqlgrey, grossd, dkim, senderid-milter, dspam). With this configuration, I am down to under 10 spams a day. Looking at my backend server which is exchange 2007, I find that all of the remaining spam messages have spam confidence level of 7 or greater, which implies this is blatant spam. Is there spam filter software that works with postfix that can perform checks similar to that of exchange 2007 spam confidence level? we can't really tell since we didn't see the messages that made it through postfix+friends. if the messages contained a URI listed at uribl or surbl, then you could try using uribl/surbl via milter-link or via spamassassin (via amavisd-new). anyway, You can add spamassassin (via amavisd-new) to your chain and see if it improves your filtering. at one time, the question becomes: is the additional effort worth the pain?
Re: anti spam measures
Original Message Date: Sun, 03 Jan 2010 23:37:18 +0100 From: mouss mo...@ml.netoyen.net To: postfix users list postfix-users@postfix.org Subject: Re: anti spam measures Roman Gelfand wrote: I am running postfix with anti spam filter (policyd-weight, sqlgrey, grossd, dkim, senderid-milter, dspam). With this configuration, I am down to under 10 spams a day. Looking at my backend server which is exchange 2007, I find that all of the remaining spam messages have spam confidence level of 7 or greater, which implies this is blatant spam. Is there spam filter software that works with postfix that can perform checks similar to that of exchange 2007 spam confidence level? we can't really tell since we didn't see the messages that made it through postfix+friends. if the messages contained a URI listed at uribl or surbl, then you could try using uribl/surbl via milter-link or via spamassassin (via amavisd-new). anyway, You can add spamassassin (via amavisd-new) to your chain and see if it improves your filtering. I am for sure one of the people that should keep his mouth shut since I have a too strong bias but SpamAssassin? Why? He is using DSPAM and if I would propose him another free solution then only something like CRM114 or OSBF-Lua. at one time, the question becomes: is the additional effort worth the pain? Good question.
Re: possible bugs in the documentation
Hi Wietse. The following could be another case where the scripts you've mentioned create incorrect links: http://www.postfix.org/MAILDROP_README.html#direct links in the first sentence with the word maildrop to http://www.postfix.org/QSHAPE_README.html#maildrop_queue . But I think the word refers to the maildrop MDA while the link target is about the maildrop queue as used by the pickup service. Thanks, Chris.
Re: anti spam measures
Roman Gelfand put forth on 1/3/2010 3:44 PM:

> I do train DSPAM and it works great. However, if I could block it before it gets to DSPAM, why not. I wouldn't feel bad if exchange told me this is perfectly good email. I am, looking, to do away with exchange server altogether.

Is managing local block lists above your effort threshold? If the answer is no...

I've been building some local lists for about 1.5+ years now and it has pretty much completely clobbered my snowshoe problem. I get one to two spams a day in the inbox these days, if that. I go many days in a row with none. Every few weeks or so I'll see 5-10 spams in the inbox due to a run from a previously unknown snowshoe spammer IP or /27 or /24 range. I block it and sail mostly spam free again for another few weeks.

I don't use any content filtering software, period, only smtpd checks, postgrey daemon, and zen.spamhaus.org. I filter about 10 countries and all of Africa using ipdeny.com cidr blocks and I do some rdns name regex rejections. Interestingly, I've not had a rejection from spamhaus in months. Heck, I don't even know if Postfix is querying zen anymore. I've nothing of zen in my logs since Sept 25, 2009. Postfix only logs zen rejections, not unsuccessful lookups (at my default logging level anyway).

Anyway, I'm almost entirely spam free, whilst making use of no content filtering or dnsbls (although I do have one dnsbl configured, as mentioned previously). I run a small vanity server so YMMV. It's a pretty simple A/S setup but very effective.

~/spammer is my main anti-snowshoe file, mostly US IP space. It currently has 789 netblocks listed from /29s to a /12. I heard your gasp Uahh! You block a /12? OMG! OMG!. This /12 happens to belong to a cable ISP:

OrgName:Mediacom Communications Corp
CIDR: 173.16.0.0/12
NetName:MEDIACOM-RESIDENTIAL-CUST

It was not in spamhaus PBL or any other dynamic IP dnsbls at the time I blocked it. It's entirely residential and should be policy blocked.

Anyway, here's my config in case you may find any of it useful. I can provide static block lists in off list email or on a web page if you like.

header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
smtpd_helo_required = yes
cidr=cidr:/etc/postfix/cidr_files

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/whitelist
        check_sender_access hash:/etc/postfix/whitelist
        check_client_access hash:/etc/postfix/whitelist
        check_client_access hash:/etc/postfix/blacklist
        check_client_access regexp:/etc/postfix/fqrdns.regexp
        check_client_access pcre:/etc/postfix/ptr-tld.pcre
        check_client_access ${cidr}/countries
        check_client_access ${cidr}/spammer
        check_client_access ${cidr}/misc-spam-srcs
        reject_unknown_client_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        reject_rbl_client zen.spamhaus.org
        check_policy_service inet:127.0.0.1:6

-- Stan
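Stan's list runs permit_mynetworks and reject_unauth_destination before any access-table lookup, so an OK from a whitelist cannot authorize relaying. The check below is an added example, not code from the thread; the function name and the misordered sample are constructed, and it assumes relay control lives only in smtpd_recipient_restrictions, as in the configs posted here.

```python
import re

RELAY_GUARD = "reject_unauth_destination"
# Lookups whose result can be OK/permit, i.e. an accept decision.
CAN_PERMIT = re.compile(r"^(check_\w+_access|check_policy_service)$")

def lookups_before_relay_guard(restrictions):
    """Return [(restriction, argument)] for lookups evaluated before the guard.

    Restrictions are evaluated in order and the first decisive result wins,
    so an OK from a table listed ahead of reject_unauth_destination accepts
    the recipient without the relay check ever running.
    """
    tokens = [t for t in re.split(r"[,\s]+", restrictions.strip()) if t]
    exposed = []
    for i, tok in enumerate(tokens):
        if tok == RELAY_GUARD:
            return exposed
        if CAN_PERMIT.match(tok):
            exposed.append((tok, tokens[i + 1] if i + 1 < len(tokens) else ""))
    exposed.append((RELAY_GUARD, "missing"))  # no guard anywhere in the list
    return exposed

# The restriction list as posted in the message above.
STAN_RESTRICTIONS = """
    permit_mynetworks reject_unauth_destination
    check_recipient_access hash:/etc/postfix/whitelist
    check_sender_access hash:/etc/postfix/whitelist
    check_client_access hash:/etc/postfix/whitelist
    check_client_access hash:/etc/postfix/blacklist
    check_client_access ${cidr}/spammer
    reject_rbl_client zen.spamhaus.org
    check_policy_service inet:127.0.0.1:6
"""

# Constructed counter-example: the sender whitelist is consulted first.
MISORDERED = """
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/whitelist,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
"""

if __name__ == "__main__":
    for name, value in (("posted", STAN_RESTRICTIONS), ("misordered", MISORDERED)):
        print(name, "->", lookups_before_relay_guard(value) or "no lookup ahead of the guard")
```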
Client did not present a certificate
I have not been able to get any message other than Client did not present a certificate in message headers despite loading a Comodo email certificate into Kmail.

postconf -n

alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/pcre_body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = pcre:/etc/postfix/pcre_header_checks
html_directory = /etc/postfix/HTML
inet_interfaces = 202.89.44.100, localhost
local_recipient_maps = $alias_maps, $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 2048
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 1024
mydestination = $myhostname, localhost.$mydomain, mail.$mydomain, mysql:/etc/postfix/mysql-mydestination.cf
myhostname = mail.nettrust.net.nz
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /etc/postfix/README
relay_domains = mysql:/etc/postfix/mysql-relaydomains.cf
sample_directory = /etc/postfix/SAMPLE
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, check_recipient_access hash:/etc/postfix/recipient_access, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_starttls_timeout = 300s
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
transport_maps = mysql:/etc/postfix/mysql-transport.cf, hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-gids.cf
virtual_mailbox_base = /var/spool/mail
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 1000
virtual_uid_maps = mysql:/etc/postfix/mysql-uids.cf
Re: 3000 recipients
On Sun, 2010-01-03 at 20:37 +0100, richard lucassen wrote: Hello list, I want to send once a week a simple mail to a list of 3000 recipients. I can set smtpd_recipient_limit and smtpd_recipient_overshoot_limit to higher limits, but is there a better way to handle this? R. Do these 3000 recipients exist on your server or outside? If outside and this is a common mail being sent to all users, then just set your postfix server to accept the mail, send the mails in smaller batches of 10 recipients each. (default_destination_recipient_limit=10 ?) Handling bounces, abuse complaints etc will have to be managed
Re: 3000 recipients
On Jan 3, 2010, at 13:14, richard lucassen mailingli...@lucassen.org wrote: but a mlm is quite some overkill IMHO An mlm is certainly not overkill for 3,000 recipients.