Re: Switching to 587 submission

2011-12-08 Thread Grant
>> Is it alright to send on port 25 from Squirrelmail when it's on the
>> same machine as postfix?
>
> OK, but not optimal.  Better to leave on 465 to separate the traffic.
>
>>  That way I can make 587 require TLS and
>> authentication but not require that local Squirrelmail encrypt or
>> authenticate.
>
> You can use SquirrelMail on 587. It doesn't work right now because
> of your smtpd_tls_security_level=encrypt.  You could change your
> submission restrictions to something like
>  -o smtpd_tls_security_level=may
>  -o mynetworks=127.0.0.1
>  -o smtpd_tls_auth_only=yes
>  -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
>  ... other stuff ...
>
> ie. allow localhost to submit mail plaintext with no auth; all
> others require STARTTLS and auth.

I've rearranged my config to the following.  I don't think
reject_plaintext_session is necessary given the rest of the config.
Is there a situation I'm overlooking where it would come into play?
Please consider everything else default.  Is this OK?

master.cf:

submission inet n   -   n   -   -   smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

main.cf:

smtpd_recipient_restrictions =
   reject_unauth_destination,
   permit

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

- Grant


Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 5:33 PM, Reindl Harald wrote:
> 
>> Got it.  I misunderstood you before.  May I ask why using 465 for
>> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
>> and 25 for Squirrelmail talking to localhost?
> 
> there is no better
> configure a server as YOU need
> 

Well, there *is* better.

587 is an IANA officially assigned port number.  465 never was.

The Internet runs on people following specifications correctly.

-Philip


Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 4:29 PM, Grant wrote:

>>> Is it alright to send on port 25 from Squirrelmail when it's on the
>>> same machine as postfix?  That way I can make 587 require TLS and
>>> authentication but not require that local Squirrelmail encrypt or
>>> authenticate.
>>
>> No, I'd do exactly what I said we do here: run 587 on the loopback interface 
>> only, and not require authentication.
> 
> I think I can't do that because I also need to connect to 587 from
> Thunderbird in remote locations.

See Noel's message.

-Philip


Re: Switching to 587 submission

2011-12-08 Thread Michael Orlitzky

On 12/08/2011 05:18 PM, Grant wrote:
> I've boiled my config down to this.  It is functional and I think it
> is secure and that it rejects any attempt to send messages from
> outside mynetworks unless authenticated.  Am I correct?  Please
> consider all other directives to be default.

You're fine.

If you want to be better than fine, you can implement Noel's suggestion: 
it forces STARTTLS and auth only when the client is not localhost. Since 
SquirrelMail is localhost, it can send without STARTTLS/auth.

The result is that all of your outgoing mail can arrive on 587, which is 
nice when you have a lot of different restrictions for incoming/outgoing 
mail.


Re: Switching to 587 submission

2011-12-08 Thread Grant
>> Got it.  I misunderstood you before.  May I ask why using 465 for
>> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
>> and 25 for Squirrelmail talking to localhost?
>
> I'm quite sure that he never said to use 465 for Thunderbird.  The
> reason you don't want to use port 25 for submission is because it
> doesn't work ideally for submission.  Port 25 generally needs to have
> much more strict anti-spam, anti-virus, etc measures on it than you
> would take with submission.  This becomes very clear if you want to
> start using postscreen which can completely screw up submission when
> doing the post-greeting tests, or if you are greylisting.  Certainly
> there are many other reasons as well.

I am using postscreen but it doesn't perform any checks on clients in
mynetworks.   The Squirrelmail client submitting to port 25 is on the
same machine as postfix.

Does postscreen only operate on port 25 by default or do I need to
configure that?

main.cf:
postscreen_greet_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

- Grant


memcache client for Postfix

2011-12-08 Thread Wietse Venema
This week I implemented a memcache client for Postfix in the hope
that it would be useful to share postscreen(8) or verify(8) caches
among multiple MTAs.  

The implementation is based on libmemcache.  This was not too much
work, given a few examples (libmemcache is under-documented).

However, robustness tests (with a single memcache server) proved
disappointing.

* After failure to connect to the memcache server, libmemcache
  reports the error once. From then on it silently discards all
  updates and silently skips all lookups (returning "not found"),
  even when the memcache server comes back in the meantime. To avoid
  this, I destroy the memcache client and create a new one each
  time that libmemcache reports an error, so that it never gets
  to silently discard requests.

* Even more problematic is that libmemcache will terminate the
  process when the memcache server connection is lost (the libmemcache
  error message is: "read(2) failed: Socket is already connected").
  Unfortunately, telling libmemcache not to terminate the process
  will result in an assertion failure followed by core dump.

Conclusion: if we want robust code, then Postfix should use its own
memcache protocol implementation, instead of libmemcache. But that
is a lot of work and I may not have that much time.

Considering the robustness problems with the memcache client I would
not bundle it with mainstream Postfix.

However, there are patches floating around that implement Postfix
memcache support without doing anything about the bugs that I
described, especially the one where libmemcache silently discards
all updates and silently skips all lookups (returning "not found")
even when the memcache server has come back in the meantime.

For the people who use those patches, what I have is a lot better
(or less worse).  Perhaps I'll make it available as a patch that
sites can apply by hand.

Wietse
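
The failure mode described above, a client library that reports one error and then silently drops updates and answers every lookup with "not found", is the reason for the recreate-on-error workaround. The following Python is an added example, not Postfix or libmemcache code: a wrapper that destroys its client on any error and rebuilds it on the next call, and that distinguishes a genuine miss (None) from a backend outage (an exception) so that the caller can never mistake the second for the first. FlakyBackend is a constructed stand-in for a memcache connection; a real client object would be wrapped the same way.

```python
"""Recreate-on-error cache wrapper that never returns a silent 'not found'.

Added example, not Postfix or libmemcache code. FlakyBackend is a
constructed fake standing in for a memcache connection."""


class CacheUnavailable(Exception):
    """Raised instead of returning a misleading miss when the backend is down."""


class FlakyBackend:
    """Constructed fake: fails every call while `down` is True, otherwise acts
    as a tiny key-value store. Class-level state lets a newly constructed
    ('reconnected') instance see the data that earlier instances stored."""
    store = {}
    down = False

    def get(self, key):
        if FlakyBackend.down:
            raise ConnectionError("backend unreachable")
        return FlakyBackend.store.get(key)

    def set(self, key, value):
        if FlakyBackend.down:
            raise ConnectionError("backend unreachable")
        FlakyBackend.store[key] = value


class ReconnectingCache:
    """Drop the client on any error and build a fresh one on the next call,
    so a library that goes mute after a failure never gets the chance to."""

    def __init__(self, factory):
        self._factory = factory   # callable returning a connected client
        self._client = None
        self.reconnects = 0       # how many clients were built (for inspection)

    def _call(self, method, *args):
        if self._client is None:
            self._client = self._factory()
            self.reconnects += 1
        try:
            return getattr(self._client, method)(*args)
        except Exception as exc:
            self._client = None   # never reuse a client that has failed once
            raise CacheUnavailable(str(exc)) from exc

    def get(self, key):
        """None means a genuine miss; backend trouble raises instead."""
        return self._call("get", key)

    def set(self, key, value):
        self._call("set", key, value)


def lookup_or_default(cache, key, default):
    """How a caller such as a screening daemon would treat the outcomes:
    a miss and an outage both fall back to `default`, but the outage is
    reported as such rather than being recorded as 'not found'."""
    try:
        value = cache.get(key)
    except CacheUnavailable:
        return default, "unavailable"
    return (default, "miss") if value is None else (value, "hit")


if __name__ == "__main__":
    cache = ReconnectingCache(FlakyBackend)
    cache.set("192.0.2.10", "pass")
    print(lookup_or_default(cache, "192.0.2.10", None))
    FlakyBackend.down = True
    print(lookup_or_default(cache, "192.0.2.10", None))
    FlakyBackend.down = False
    print(lookup_or_default(cache, "192.0.2.10", None), cache.reconnects)
```

The cost of this design is one reconnect per call while the backend is down; the alternative, trusting a client that has already failed, is what produces the silent "not found" answers described in the message.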


Re: Switching to 587 submission

2011-12-08 Thread Noel Jones
On 12/8/2011 6:11 PM, Grant wrote:
> Got it.  I misunderstood you before.  May I ask why using 465 for
> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
> and 25 for Squirrelmail talking to localhost?

The good reason to not use port 25 for local user submissions is
that it allows you to separate traffic.  While not critical, it's
good practice and likely to make your life easier in the long run.

As for 465 vs. 587, there's nothing preventing you from using both;
many people do.  And I never said to move Thunderbird to 465
(although that's OK too).

I still suggest leaving SquirrelMail on 465 since it works and there
aren't any good reasons to change; switch to 587 when you get a
newer version of SM.

Continue to use Thunderbird on 587, or with a few changes you can
switch SquirrelMail also, but that's not really necessary.

And don't get too caught up in the 465/deprecated vs. 587 stuff.
There are no security implications, just standards.

The reality is that most sites with more than a handful of remote
users enable both protocols.

Use whatever works best for your environment.


  -- Noel Jones


Re: Switching to 587 submission

2011-12-08 Thread Peter
On 09/12/11 13:11, Grant wrote:
> Got it.  I misunderstood you before.  May I ask why using 465 for
> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
> and 25 for Squirrelmail talking to localhost?

I'm quite sure that he never said to use 465 for Thunderbird.  The
reason you don't want to use port 25 for submission is because it
doesn't work ideally for submission.  Port 25 generally needs to have
much more strict anti-spam, anti-virus, etc measures on it than you
would take with submission.  This becomes very clear if you want to
start using postscreen which can completely screw up submission when
doing the post-greeting tests, or if you are greylisting.  Certainly
there are many other reasons as well.


Peter


Re: Switching to 587 submission

2011-12-08 Thread Reindl Harald


On 09.12.2011 01:11, Grant wrote:
>>> I think I can't do that because I also need to connect to 587 from
>>> Thunderbird in remote locations.
>>
>> You're making this way too complicated.
>>
>> Either continue to happily use 465 as you always have, or make the
>> changes to submission I suggested a few minutes ago.  These changes
>> still allow thunderbird to securely submit from remote locations.
>>
>> Repeating myself:
> 
> Got it.  I misunderstood you before.  May I ask why using 465 for
> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
> and 25 for Squirrelmail talking to localhost?

there is no better
configure a server as YOU need





Re: Switching to 587 submission

2011-12-08 Thread Grant
>> I think I can't do that because I also need to connect to 587 from
>> Thunderbird in remote locations.
>
> You're making this way too complicated.
>
> Either continue to happily use 465 as you always have, or make the
> changes to submission I suggested a few minutes ago.  These changes
> still allow thunderbird to securely submit from remote locations.
>
> Repeating myself:

Got it.  I misunderstood you before.  May I ask why using 465 for
Thunderbird and Squirrelmail would be better than 587 for Thunderbird
and 25 for Squirrelmail talking to localhost?

- Grant


>> You can use SquirrelMail on 587. It doesn't work right now because
>> of your smtpd_tls_security_level=encrypt.  You could change your
>> submission restrictions to something like
>>  -o smtpd_tls_security_level=may
>>  -o mynetworks=127.0.0.1
>>  -o smtpd_tls_auth_only=yes
>>  -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
>>   ... other stuff ...
>>
>> ie. allow localhost to submit mail plaintext with no auth; all
>> others require STARTTLS and auth.


Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* Wietse Venema  [2011-12-09 01:01]:
> > And that is where I disagree. IMHO a mailsystem should respond with a
> > temporary error if it is experiencing a temporary error (like a lookup
> > table not being available) not simply hang there and do.. nothing.
> 
> We know that. What are you going to do about it besides whining?

Well, at the moment I'm trying to convince you and the other people
here to perhaps consider changing the way this is handled today. Not
very successfully it seems so I'll stop "whining" as you put it and
just live with it the way it is. Thanks for your answers.

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: SMTP hangs when MySQL is down

2011-12-08 Thread Wietse Venema
Sebastian Wiesinger:
> * lst_ho...@kwsoft.de  [2011-12-08 14:46]:
> > >And I had hoped that perhaps this would be an improvement to postfix.
> > >Sadly it seems it was some kind of blasphemy to question the way
> > >postfix does handle this stuff.
> > 
> > No, it means until now no one needs this so important to step up
> > with code/patches to improve it. If you really need a reliable
> > mailsystem you simply have to use reliable parts. If your mailsystem
> > respond with 4xx or simply hang in case it is not able to move any
> > mail is just a matter of taste.
> 
> And that is where I disagree. IMHO a mailsystem should respond with a
> temporary error if it is experiencing a temporary error (like a lookup
> table not being available) not simply hang there and do.. nothing.

We know that. What are you going to do about it besides whining?

Wietse


Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* lst_ho...@kwsoft.de  [2011-12-08 14:46]:
> >And I had hoped that perhaps this would be an improvement to postfix.
> >Sadly it seems it was some kind of blasphemy to question the way
> >postfix does handle this stuff.
> 
> No, it means until now no one needs this so important to step up
> with code/patches to improve it. If you really need a reliable
> mailsystem you simply have to use reliable parts. If your mailsystem
> respond with 4xx or simply hang in case it is not able to move any
> mail is just a matter of taste.

And that is where I disagree. IMHO a mailsystem should respond with a
temporary error if it is experiencing a temporary error (like a lookup
table not being available) not simply hang there and do.. nothing.

> >But perhaps I'm only getting the wrong impression here.
> 
> Yes
> 
> Help is always welcome, simply demand how things could be better is useless.

I'm not demanding anything (at least I hope I'm not doing it) but I'm
not too happy with a simple "don't do it" and no explanation (but
that's my problem, isn't it?). When I try to understand why postfix
behaves the way it does I get no reply either. I hoped that on this ML
someone would know enough about the inner postfix workings to explain
it to me. I'm still waiting for the "use the source" shouts.

No one even told me that they think it is fine as it is now and that a
4xx error would be the wrong thing. The only thing I've been told is
"don't do it".

At the moment it seems pretty simple (on a high level) to me without
knowing any of the code: When the trivial-rewrite daemon fails (which
postfix can clearly detect, it states it in the logfile), return a 4xx
error. Would it be simple to implement? No idea, that's why I'm here
on this list to ask people who probably know the code.

Am I demanding it to be implemented? No! Would I be happy if it would
be implemented? Yes! I like postfix very much, I think it's a great
program but I also like it to get better, or at least what I think of
being better.

Regards

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Switching to 587 submission

2011-12-08 Thread Noel Jones
On 12/8/2011 5:29 PM, Grant wrote:
> I think I can't do that because I also need to connect to 587 from
> Thunderbird in remote locations.

You're making this way too complicated.

Either continue to happily use 465 as you always have, or make the
changes to submission I suggested a few minutes ago.  These changes
still allow thunderbird to securely submit from remote locations.

Repeating myself:
> You can use SquirrelMail on 587. It doesn't work right now because
> of your smtpd_tls_security_level=encrypt.  You could change your
> submission restrictions to something like
>  -o smtpd_tls_security_level=may
>  -o mynetworks=127.0.0.1
>  -o smtpd_tls_auth_only=yes
>  -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
>   ... other stuff ...
> 
> ie. allow localhost to submit mail plaintext with no auth; all
> others require STARTTLS and auth.


  -- Noel Jones


Re: Switching to 587 submission

2011-12-08 Thread Grant
>>>>> 25 is used by your MTA to receive *incoming* messages from other 
>>>>> administrative domains (organizations).
>>>>
>>>> Port 25 is never used to submit outbound messages?  If not, I'm
>>>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>>>> way:
>>>>
>>>> This is the port to connect to for SMTP.  Usually 25.
>>>
>>> It *was* used to submit outbound messages, but this has proven susceptible 
>>> to open-relay exploits, etc.
>>>
>>> You're really better off using 587 exclusively.
>>
>> Is it alright to send on port 25 from Squirrelmail when it's on the
>> same machine as postfix?  That way I can make 587 require TLS and
>> authentication but not require that local Squirrelmail encrypt or
>> authenticate.
>
> No, I'd do exactly what I said we do here: run 587 on the loopback interface 
> only, and not require authentication.

I think I can't do that because I also need to connect to 587 from
Thunderbird in remote locations.

>> Also, should I have some sort of config that prevents the port 25
>> open-relay exploit you mentioned?
>>
>> - Grant
>
> You already have it in the form of the $relay_domains list.

OK, I just have the default:

#relay_domains = $mydestination

- Grant


Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 1:49 PM, Grant wrote:
>>>> 25 is used by your MTA to receive *incoming* messages from other 
>>>> administrative domains (organizations).
>>>
>>> Port 25 is never used to submit outbound messages?  If not, I'm
>>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>>> way:
>>>
>>> This is the port to connect to for SMTP.  Usually 25.
>>
>> It *was* used to submit outbound messages, but this has proven susceptible 
>> to open-relay exploits, etc.
>>
>> You're really better off using 587 exclusively.
> 
> Is it alright to send on port 25 from Squirrelmail when it's on the
> same machine as postfix?  That way I can make 587 require TLS and
> authentication but not require that local Squirrelmail encrypt or
> authenticate.

No, I'd do exactly what I said we do here: run 587 on the loopback interface 
only, and not require authentication.


> Also, should I have some sort of config that prevents the port 25
> open-relay exploit you mentioned?
> 
> - Grant

You already have it in the form of the $relay_domains list.

-Philip


Re: Switching to 587 submission

2011-12-08 Thread Grant
>> So I should specify smtpd_client_restrictions or
>> smtpd_recipient_restrictions, but not both?
>>
>
> I think most people find it easier to put all of the restrictions under
> smtpd_recipient_restrictions, since you can just read them top-to-bottom
> with smtpd_delay_reject = yes (the default).
>
> But no, you probably wouldn't need it in both places unless you had some
> default restrictions you wanted to override in both places.

I've boiled my config down to this.  It is functional and I think it
is secure and that it rejects any attempt to send messages from
outside mynetworks unless authenticated.  Am I correct?  Please
consider all other directives to be default.

master.cf:

submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

main.cf:

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
permit

- Grant


Re: Switching to 587 submission

2011-12-08 Thread Noel Jones
On 12/8/2011 2:49 PM, Grant wrote:
> Is it alright to send on port 25 from Squirrelmail when it's on the
> same machine as postfix?

OK, but not optimal.  Better to leave on 465 to separate the traffic.

>  That way I can make 587 require TLS and
> authentication but not require that local Squirrelmail encrypt or
> authenticate.

You can use SquirrelMail on 587. It doesn't work right now because
of your smtpd_tls_security_level=encrypt.  You could change your
submission restrictions to something like
 -o smtpd_tls_security_level=may
 -o mynetworks=127.0.0.1
 -o smtpd_tls_auth_only=yes
 -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
  ... other stuff ...

ie. allow localhost to submit mail plaintext with no auth; all
others require STARTTLS and auth.


  -- Noel Jones


Re: Switching to 587 submission

2011-12-08 Thread Reindl Harald


On 08.12.2011 21:49, Grant wrote:
>>>> 25 is used by your MTA to receive *incoming* messages from other 
>>>> administrative domains (organizations).
>>>
>>> Port 25 is never used to submit outbound messages?  If not, I'm
>>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>>> way:
>>>
>>> This is the port to connect to for SMTP.  Usually 25.
>>
>> It *was* used to submit outbound messages, but this has proven susceptible 
>> to open-relay exploits, etc.
>>
>> You're really better off using 587 exclusively.
> 
> Is it alright to send on port 25 from Squirrelmail when it's on the
> same machine as postfix?  That way I can make 587 require TLS and
> authentication but not require that local Squirrelmail encrypt or
> authenticate.

jesus christ it is YOUR decision as you maintain both parts
so if 127.0.0.1 is in mynetworks it can be used without restrictions

and if you decide to open "10030" on localhost for Squirrelmail do it
this is an example to allow only a spam firewall with no restrictions to
submit messages on port 10026, usually you act the same way for amavis

10.0.0.15:10026   inet   n   -   n   -   -   smtpd
 -o mynetworks=10.0.0.20
 -o smtpd_client_connection_count_limit=75
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o receive_override_options=no_header_body_checks,no_milters
 -o local_header_rewrite_clients=
 -o sender_dependent_relayhost_maps=
 -o content_filter=
 -o smtpd_delay_reject=no
 -o smtpd_client_restrictions=
 -o smtpd_helo_restrictions=
 -o smtpd_helo_required=no
 -o smtpd_sender_restrictions=
 -o smtpd_sender_login_maps=
 -o smtpd_data_restrictions=
 -o smtpd_end_of_data_restrictions=
 -o smtpd_restriction_classes=
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_rate_limit=0
 -o smtpd_peername_lookup=no
 -o smtpd_use_tls=no
 -o smtpd_tls_security_level=none
 -o smtpd_sasl_auth_enable=no
 -o smtpd_reject_footer=
 -o max_idle=1h
 -o max_use=1000

> Also, should I have some sort of config that prevents the port 25
> open-relay exploit you mentioned?

reject any attempt to send messages from outside mynetworks to foreign domains
this is mandatory on any mailserver

smtpd_recipient_restrictions = permit_mynetworks
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_unlisted_sender
 permit_sasl_authenticated
 reject_unauth_destination
 reject_unknown_sender_domain
 reject_unknown_recipient_domain
 reject_invalid_hostname
 reject_unknown_reverse_client_hostname
 reject_unauth_pipelining










Re: Stress Test Postfix

2011-12-08 Thread lst_hoe02

Quoting Peter Tselios:
> Hello,
> I have 2 postfix setups with openLDAP as back ends. I need to stress
> test my configuration.
> I tried with the smtp-source but I don't know if it is OK to test with
> 1 connection or more. How does postfix handle the connections with
> the smtp-source? Is it reliable? I mean, if I use 200 connections on
> the smtp-source, does that mean that I simulate 200 concurrent
> connections, from different users, on the postfix?

You should use as many connections as your hardware is able to handle
and only as many as your process limit for smtpd is set in master.cf.
With only one smtp-source process you only stress the filesystem to
some extent. Furthermore testing with smtp-source will not test your
DNS (RBLs etc.) and not your LDAP server performance. If you need more
insight into what your mailserver is able to handle you might have a look
at postal (http://doc.coker.com.au/projects/postal/) or something
similar.


Regards

Andreas






Re: Switching to 587 submission

2011-12-08 Thread Grant
>>> 25 is used by your MTA to receive *incoming* messages from other 
>>> administrative domains (organizations).
>>
>> Port 25 is never used to submit outbound messages?  If not, I'm
>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>> way:
>>
>> This is the port to connect to for SMTP.  Usually 25.
>
> It *was* used to submit outbound messages, but this has proven susceptible to 
> open-relay exploits, etc.
>
> You're really better off using 587 exclusively.

Is it alright to send on port 25 from Squirrelmail when it's on the
same machine as postfix?  That way I can make 587 require TLS and
authentication but not require that local Squirrelmail encrypt or
authenticate.

Also, should I have some sort of config that prevents the port 25
open-relay exploit you mentioned?

- Grant


RE: SMTP hangs when MySQL is down

2011-12-08 Thread Gary Smith
> Hi,
> 
> I'm using Postfix with MySQL via proxy:mysql maps. The documentation
> states that mails should get deferred if no mysql server is reachable.
> 
> However when I shut down MySQL, SMTP transaction freeze after I enter
> the "MAIL FROM:<...>" statement.
> 
> Any ideas how I can change that? There seems to be no timeout, I left
> the SMTP dialog open for a few minutes at least.
> 

Sebastian,

Sorry for the delayed response, but I thought you might find this useful.

I used to love the flexibility of the mysql maps but I ran into similar 
problems with performance and such.  Though I'm a smaller shop now I've gone 
away from mysql on the frontend.  That's not to say I don't use it, I just 
changed the methodology.

What I do instead is I export all of the records out into a file, one for 
domains and the other for aliases, and I have a batch job that runs every 1 
minute and updates an internal site with these, then on the frontend postfix 
servers I run do a pull every one minute as well and get the latest.

The implementation is much better than what I presented above, and it seems to 
solve all of those cases where mysql is offline for maintenance, updates, 
whatever.  We've also extended it to push static updates (such as holds, 
rejects, mynetwork exclusions, etc).  I think if you look into something like 
that you'd be much happier with the performance.

Best thing is that when there is an update to the database there is usually only a 
60 second delay.

Only thing I had to do is setup an apache server (any web server will do) and a 
bash script that uses basic bash commands.

If you are interested, I can email you some sample scripts of the 
backend/frontend.  The SQL is tweaked for our database format but that should 
be simple enough to figure out.

Gary Smith


Re: postfix skipping bad MXs ??

2011-12-08 Thread Leonardo Rodrigues

On 07/12/11 13:58, Noel Jones wrote:
> On 12/7/2011 6:03 AM, Leonardo Rodrigues wrote:
>> Anyway, i'm having a hard time trying to figure out why, for some
>> messages, like the queueid i posted the full log for, postfix is
>> apparently not even trying to deliver to the primary MX for some
>> large periods of time.
>
> Postfix does not include the QUEUEID on log entries of failed
> connections.  If the connection to the primary fails, you won't see
> it grepping the log for the QUEUEID.
>
> To find all failed connections, grep the logs for the process id of
> the smtp delivery process that reported the deferred delivery.


Hi Noel,

It turns out that postfix was not even making connection attempts, 
because that specific domain was in postfix's temporary "dead" site 
list, as pointed out by Wietse.


http://www.postfix.org/TUNING_README.html#hammer

this 'temporary dead site list' was something i was looking for 
since the beginning. I was imagining something like this was happening, 
but i couldn't find the correct name and, thus, i couldn't find it in my 
searches.



--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it
gertru...@solutti.com.br
My SPAMTRAP, do not email it






Re: Switching to 587 submission

2011-12-08 Thread Michael Orlitzky

On 12/08/2011 03:24 PM, Grant wrote:
> So I should specify smtpd_client_restrictions or
> smtpd_recipient_restrictions, but not both?

I think most people find it easier to put all of the restrictions under 
smtpd_recipient_restrictions, since you can just read them top-to-bottom 
with smtpd_delay_reject = yes (the default).

But no, you probably wouldn't need it in both places unless you had some 
default restrictions you wanted to override in both places.

> Squirrelmail and postfix are on the same machine.  I've changed
> Squirrelmail to send to port 25 with no authentication and no TLS and
> it works!  It must have been failing before because it was trying to
> authenticate?
>
> So this is working because Squirrelmail is part of $mynetworks
> (localhost) and there are no security implications or any need to
> enable authentication or TLS as long as Squirrelmail remains on the
> same machine as postfix?  That's a nice way around the Squirrelmail
> STARTTLS problem.

It's a lot simpler with SquirrelMail on the same machine. Your localhost 
should be in $mynetworks, so it can send on port 25 thanks to 
permit_mynetworks.

There's no need to encrypt anything, since the traffic travels over the 
loopback interface.


Re: Switching to 587 submission

2011-12-08 Thread /dev/rob0
On Thursday 08 December 2011 14:24:00 Grant wrote:
> Squirrelmail and postfix are on the same machine.  I've changed
> Squirrelmail to send to port 25 with no authentication and no TLS
> and it works!  It must have been failing before because it was
> trying to authenticate?
> 
> So this is working because Squirrelmail is part of $mynetworks
> (localhost) and there are no security implications or any need to
> enable authentication or TLS as long as Squirrelmail remains on the
> same machine as postfix?  That's a nice way around the Squirrelmail
> STARTTLS problem.

Reindl Harald asked about this last night, 01:16 UTC. What a wild 
goose/squirrel chase this was!

(I'm sure there is a Boris Badenov / Natasha joke in there somewhere: 
"Ees kaput for goose and squirrel!")
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 1:06 PM, Grant wrote:
>> I don't think you're really getting the significance of port 587 vs. port 25.
> 
> I think you're right.
> 
>> 587 can be used encrypted or unencrypted, authenticated (preferably) or 
>> not... you could for instance just limit 587 connections from a particular 
>> subnet, etc.
> 
> Why then won't Squirrelmail send mail on port 587 unencrypted with
> "Secure SMTP (TLS) : false"?  I get:
> 
> 530 5.7.0 Must issue a STARTTLS command first

Squirrelmail seems perfectly happy to send unencrypted email on 587... but your 
smtpd instance doesn't like that.

We use 587 without TLS here, but only on the loopback interface:

127.0.0.1:submission inet n   -   n   -   -   smtpd
  -o milter_macro_daemon_name=ORIGINATING


>> But the main difference is this:
>>
>> 587 is used by MUA's (i.e. clients) to submit *outbound* messages to your 
>> MTA (relay).
>>
>> 25 is used by your MTA to receive *incoming* messages from other 
>> administrative domains (organizations).
> 
> Port 25 is never used to submit outbound messages?  If not, I'm
> confused as to why Squirrelmail describes its "SMTP Port" setting this
> way:
> 
> This is the port to connect to for SMTP.  Usually 25.

It *was* used to submit outbound messages, but this has proven susceptible to 
open-relay exploits, etc.

You're really better off using 587 exclusively.

-Philip


> - Grant



Re: Switching to 587 submission

2011-12-08 Thread Grant
>>> You don't really need the permit_sasl_authenticated, since you shouldn't
>>> be
>>> trying to auth on port 25. It doesn't hurt, though.
>>
>>
>> I just noticed that I can't send mail from Thunderbird unless I
>> include permit_sasl_authenticated in the above
>> smtpd_recipient_restrictions block.  I get relay access denied
>> otherwise.
>
>
> Oh, sorry. You have this in master.cf:
>
>
>> submission inet n       -       n       -       -       smtpd
>>  -o smtpd_tls_security_level=encrypt
>>  -o smtpd_sasl_auth_enable=yes
>>  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
>
> The -o smtpd_foo_restrictions here is supposed to override the restrictions
> in main.cf:
>
>
>> smtpd_recipient_restrictions =
>>        permit_sasl_authenticated,
>>        permit_mynetworks,
>>        reject_unauth_destination,
>>        permit
>
>
> So you should change 'client' to 'recipient' in master.cf before you remove
> the 'permit_sasl_authenticated' in main.cf.

So I should specify smtpd_client_restrictions or
smtpd_recipient_restrictions, but not both?

> At that point, SquirrelMail (or anything else) won't be able to send mail
> unless it authenticates on port 587, sends to one of your domains on port
> 25, or is in $mynetworks and sends on port 25.
>
> The path of least resistance is probably to add the SquirrelMail box to
> $mynetworks, and have it send to port 25. If someone can gain control of the
> SquirrelMail box, you're screwed mail-wise anyway, so I don't think you lose
> any security that way.

Squirrelmail and postfix are on the same machine.  I've changed
Squirrelmail to send to port 25 with no authentication and no TLS and
it works!  It must have been failing before because it was trying to
authenticate?

So this is working because Squirrelmail is part of $mynetworks
(localhost) and there are no security implications or any need to
enable authentication or TLS as long as Squirrelmail remains on the
same machine as postfix?  That's a nice way around the Squirrelmail
STARTTLS problem.

- Grant


> The alternative that you had working was letting SquirrelMail auth in plain
> text on port 25, which is, should someone compromise the SquirrelMail box,
> not going to save you.


Re: Switching to 587 submission

2011-12-08 Thread /dev/rob0
On Thursday 08 December 2011 14:06:15 Grant wrote:
Philip:
> > 587 can be used encrypted or unencrypted, authenticated
> > (preferably) or not... you could for instance just limit 587
> > connections from a particular subnet, etc.
> 
> Why then won't Squirrelmail send mail on port 587 unencrypted with
> "Secure SMTP (TLS) : false"?  I get:
> 
> 530 5.7.0 Must issue a STARTTLS command first

Sounds like you are requiring TLS for AUTH, a good idea.

http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options
http://www.postfix.org/TLS_README.html#server_tls_auth
http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

> > But the main difference is this:
> > 
> > 587 is used by MUA's (i.e. clients) to submit *outbound* messages
> > to your MTA (relay).
> > 
> > 25 is used by your MTA to receive *incoming* messages from other
> > administrative domains (organizations).
> 
> Port 25 is never used to submit outbound messages?  If not, I'm
> confused as to why Squirrelmail describes its "SMTP Port" setting
> this way:
> 
> This is the port to connect to for SMTP.  Usually 25.

Much of the world thinks this is so. They are wrong. We are not. You 
should keep submission separate from mail exchange, and port 587 is 
the standard means for doing so.

BTW I think Noel had the ultimate answer to this thread: just stick 
with your smtps on 465 until Squirrelmail catches up and implements 
STARTTLS.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: Virtual Aliasing for any user

2011-12-08 Thread Noel Jones
On 12/8/2011 2:13 PM, James Day wrote:
> Thanks Noel.
> 
> I'm forwarding the aliased mail to catch all Pop3 boxes to prevent back 
> scatter. I don't have a valid recipient list for all these domains hence the 
> request for a wild card type solution. I gather this function isn't built in 
> so maybe, as you suggest, a script is the way to go.
> 

Use recipient verification to reject unknown recipients.
http://www.postfix.org/ADDRESS_VERIFICATION_README.html



  -- Noel Jones


Re: Virtual Aliasing for any user

2011-12-08 Thread James Day
Thanks Noel.

I'm forwarding the aliased mail to catch all Pop3 boxes to prevent back 
scatter. I don't have a valid recipient list for all these domains hence the 
request for a wild card type solution. I gather this function isn't built in so 
maybe, as you suggest, a script is the way to go.


-Original Message-
From: Noel Jones
Sent: Dec 08, 2011 7:56 PM
To: James Day, postfix-users@postfix.org
Subject: Re: Virtual Aliasing for any user




On 12/8/2011 6:45 AM, James Day wrote:
> Hello,
>
> First post to the list, I would really appreciate any help/advice.
>
> In my current setup I act as a Spam and Virus filter for several domains. 
> Mail is then relayed to their local Exchange servers once it has been scanned.
>
> In the event that their Exchange server is down and they require emergency 
> access to their emails I have configured virtual_alias_maps as below:
>
> user@domain   user@domain,user@otherdomain
>
> This way the original mail is still cached in the queue for delivery to 
> Exchange and a copy is sent to the same user at anotherdomain (an 
> IMAP/Webmail server).
>

Yes, that's the correct procedure.


> My question is: Rather than setting up each user and their alias individually 
> can I use a wildcard to accept for anyuser and forward to the same username 
> on the other domain.

Using wildcards will cause postfix to accept mail for undeliverable
recipients, so that's not a good solution.

Use a script to generate the mappings you need.  The size of the
resulting file is not a concern, hash maps can handle millions of
entries efficiently.



  -- Noel Jones


Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Noel Jones
On 12/8/2011 1:17 PM, Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,

OK.

> permit_auth_destination,


Permits all mail handled by your server.

> reject_unauth_destination,

Rejects all mail not handled by your server.

Nothing left after that...  None of the following rules are
currently being used.


Probably should remove the permit_auth_destination.


> check_sender_access hash:/etc/postfix/access,
> permit_sasl_authenticated,

This is too late for sasl auth.  Move this to just after
permit_mynetworks.

> reject_unauth_pipelining,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,

Since you've already rejected mail for domains not handled by your
server, the only possible unknown recipient domain is your own when
your DNS hiccups.


> reject_unkown_helo_hostname,
> reject_invalid_hostname,
> reject_unknown_hostname,

reject_unknown_hostname is likely to reject legit mail.  Use with
caution.

> reject_rbl_client blackholes.easynet.nl,

dead rbl.  It's important to review your RBLs every once in a while
to make sure they are still active and that their policies still
seem reasonable to you.


> reject_rbl_client bl.spamcop.net,
> reject_rbl_client cbl.abuseat.org,
>reject_rbl_client cbl.abuseat.org,

repeated.

> reject_rbl_client dnsbl.njabl.org,
>reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
> reject_rbl_client list.dsbl.org,
>reject_rbl_client list.dsbl.org,

dead.

> reject_rbl_client multihop.dsbl.org,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client sbl.spamhaus.org,
>reject_rbl_client sbl-xbl.spamhaus.org,

repeated.  Use zen.spamhaus.org instead.

> permit
> 




  -- Noel Jones
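To make the point of the replies concrete, here is a small model of how smtpd walks a restriction list. It is added for this archive and is not code from the thread or from Postfix: the site parameters (mynetworks, mydestination, the two test clients) are made up, the first list is Peter's abridged to the entries that matter, and the second is the reordering the replies suggest.

```python
"""Model of how Postfix walks an smtpd_recipient_restrictions list.

Added example, not code from the postfix-users thread or from Postfix itself.
Each restriction answers PERMIT, REJECT or DUNNO ("no opinion"); the first
PERMIT or REJECT ends the walk, DUNNO moves on, and running off the end of
the list permits.  Applied to the list Peter posted and to a reordering that
follows the replies, it shows which entries can ever decide anything.
"""
from dataclasses import dataclass, field

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Site parameters constructed for the example (assumptions, not Peter's values).
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}   # exact-IP stand-in for $mynetworks
MYDESTINATION = {"example.com"}             # domains this host accepts mail for

@dataclass
class Client:
    """What smtpd knows at RCPT TO time, as far as this model needs it."""
    ip: str
    rcpt_domain: str
    sasl_authenticated: bool = False
    listed_in: set = field(default_factory=set)   # DNSBL zones listing client.ip

def permit_mynetworks(c, _arg):
    return PERMIT if c.ip in MYNETWORKS else DUNNO

def permit_sasl_authenticated(c, _arg):
    return PERMIT if c.sasl_authenticated else DUNNO

def permit_auth_destination(c, _arg):
    return PERMIT if c.rcpt_domain in MYDESTINATION else DUNNO

def reject_unauth_destination(c, _arg):
    return DUNNO if c.rcpt_domain in MYDESTINATION else REJECT

def reject_rbl_client(c, arg):
    # "zone=d.d.d.d" narrows a hit to one return code; this model keys on the zone only.
    return REJECT if arg.partition("=")[0] in c.listed_in else DUNNO

def permit(_c, _arg):
    return PERMIT

MODELLED = {f.__name__: f for f in (
    permit_mynetworks, permit_sasl_authenticated, permit_auth_destination,
    reject_unauth_destination, reject_rbl_client, permit)}

def evaluate(restrictions, client):
    """Walk the list as smtpd does; return (verdict, entry that decided it)."""
    for entry in restrictions:
        name, _, arg = entry.partition(" ")
        # Restrictions not modelled here (sender access, HELO and pipelining
        # checks) count as DUNNO, i.e. "did not match": the most favourable
        # assumption for them, and it does not move where the list short-circuits.
        verdict = MODELLED.get(name, lambda _c, _a: DUNNO)(client, arg)
        if verdict != DUNNO:
            return verdict, entry
    return PERMIT, "(end of list: implicit permit)"

# Peter's list, abridged to the entries that matter for the point.
AS_POSTED = [
    "permit_mynetworks",
    "permit_auth_destination",
    "reject_unauth_destination",
    "check_sender_access hash:/etc/postfix/access",
    "permit_sasl_authenticated",
    "reject_unauth_pipelining",
    "reject_rbl_client bl.spamcop.net",
    "reject_rbl_client sbl-xbl.spamhaus.org",
    "permit",
]

# The replies' fix: drop permit_auth_destination, move permit_sasl_authenticated
# ahead of reject_unauth_destination, and use the combined zen zone.
REORDERED = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
    "reject_unauth_pipelining",
    "reject_rbl_client zen.spamhaus.org",
    "permit",
]

def spambot_to_local_user():
    """A listed host mailing a local mailbox; the DNSBL should reject it."""
    c = Client(ip="203.0.113.7", rcpt_domain="example.com",
               listed_in={"zen.spamhaus.org", "sbl-xbl.spamhaus.org"})
    return evaluate(AS_POSTED, c), evaluate(REORDERED, c)

def roaming_user_relaying():
    """A SASL-authenticated user relaying to a foreign domain; should be permitted."""
    c = Client(ip="198.51.100.23", rcpt_domain="elsewhere.example", sasl_authenticated=True)
    return evaluate(AS_POSTED, c), evaluate(REORDERED, c)

if __name__ == "__main__":
    for scenario in (spambot_to_local_user, roaming_user_relaying):
        posted, fixed = scenario()
        print(f"{scenario.__name__}:\n  as posted -> {posted}\n  reordered -> {fixed}")
```

Running it shows the two failure modes the replies describe: with the list as posted, the listed spambot is permitted by permit_auth_destination before any reject_rbl_client is consulted, and the authenticated roaming user is rejected by reject_unauth_destination because permit_sasl_authenticated sits below it. The reordered list rejects the first and permits the second.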


Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread /dev/rob0
Where did you find this list? There are major issues here.

On Thursday 08 December 2011 13:17:44 Peter L. Berghold wrote:

> smtpd_recipient_restrictions =
> permit_mynetworks,

fine ...

> permit_auth_destination,

"If the destination is served by this host, accept the mail."

> reject_unauth_destination,

"If the destination is NOT hosted here, reject the mail."

Nothing goes past this point, ever.

> check_sender_access hash:/etc/postfix/access,

Bad practice to use a file name "access"; name it for the function it 
serves and/or the type of lookup: "sender_access" makes sense. 
Furthermore, sender address lookups are very ineffective against spam, 
if that was the goal in having it here; and unsafe in whitelisting, if 
that was the goal.

> permit_sasl_authenticated,

Needs to come before reject_unauth_destination, if it is to have any 
use.

> reject_unauth_pipelining,

Okay, except per above that this is never evaluated,

> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,

Even if these were evaluated, you'd never see such messages at this 
point.

> reject_unkown_helo_hostname,

Misspelled, and risky even if spelled right.

> reject_invalid_hostname,

Old syntax, but okay. reject_non_fqdn_helo_hostname might help more.

> reject_unknown_hostname,

This is the old syntax for the one you misspelled.

> reject_rbl_client blackholes.easynet.nl,

I'm not familiar with the policies of this list. Are you?

> reject_rbl_client bl.spamcop.net,

Spamcop recommends against being used for outright rejection, it WILL 
block some non-spam sometime, because of their automated procedures.

Always ALWAYS know the policies of any third-party service you are 
trusting to block mail for you.

> reject_rbl_client cbl.abuseat.org,
>reject_rbl_client cbl.abuseat.org,

"It's déjà vu all over again"

> reject_rbl_client dnsbl.njabl.org,
>reject_rbl_client dul.dnsbl.sorbs.net,

These two are probably okay, but did you know that?

> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,

What does this do?

> reject_rbl_client list.dsbl.org,
>reject_rbl_client list.dsbl.org,
> reject_rbl_client multihop.dsbl.org,

"It's déjà vu all over again", and what's worse, DSBL shut down in 
2008, over three years ago! Were you following some old howto? That 
does not work in email land. Spammers change frequently, as do the 
antispam tools at our disposal.

> reject_rbl_client opm.blitzed.org,

I can't remember when this one closed. Before DSBL, I think.

> reject_rbl_client sbl.spamhaus.org,
>reject_rbl_client sbl-xbl.spamhaus.org,

SBL is included in SBL-XBL, and CBL (above) is included in the latter. 
In addition, all of these are included in the newer (and recommended) 
Zen list.

> permit

The answer to your original question is that permit_auth_destination 
prevents any other restrictions from being used.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Brian Evans - Postfix List
On 12/8/2011 2:17 PM, Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_auth_destination,
This restriction at this location will IGNORE all RBL lookups when mail
is destined for your system.
I suggest removing it as it is implied if reject_unauth_destination
fails to reject.

> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/access,
> permit_sasl_authenticated,

This placement of permit_sasl_authenticated will only skip checks below
it.  Is this what you intend?

> reject_unauth_pipelining,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_unkown_helo_hostname,
> reject_invalid_hostname,
> reject_unknown_hostname,
> reject_rbl_client blackholes.easynet.nl,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client cbl.abuseat.org,
>reject_rbl_client cbl.abuseat.org,

Listing an RBL twice won't increase the chance of it being caught.
> reject_rbl_client dnsbl.njabl.org,
>reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
> reject_rbl_client list.dsbl.org,
>reject_rbl_client list.dsbl.org,

Ditto on last comment, plus dsbl.org has been dead a while

> reject_rbl_client multihop.dsbl.org,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client sbl.spamhaus.org,
>reject_rbl_client sbl-xbl.spamhaus.org,
> permit

Permit at the end is harmless as it is also implied if all others pass.

Suggest reviewing all RBLs. Some are dead, and some can be combined.
zen.spamhaus.org will include (sbl|xbl|pbl).spamhaus.org
xbl.spamhaus.org includes cbl.abuseat.org

Brian
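Two of the questions raised above, what the `=127.0.0.2` suffix on a reject_rbl_client entry does and how to tell a dead list from a live one, both come down to the shape of the DNS query. The following is an added example, not code from the thread or from Postfix; the zones `zen.example`, `dead.example` and `karma.example` and the answers they return are constructed so the script runs offline.

```python
"""DNSBL lookups as reject_rbl_client performs them, plus a liveness check.

Added example, not code from the thread or from Postfix.  A DNSBL query is an
A-record lookup for the client IP with its octets reversed under the list's
zone; an answer in 127.0.0.0/8 means "listed" and its last octet encodes why.
The "zone=d.d.d.d" form of reject_rbl_client counts a hit only when the answer
is that exact address.  RFC 5782 asks every DNSBL to list 127.0.0.2 and never
list 127.0.0.1, so those two probes show whether a zone is still alive before
you let it reject mail.  The resolver is injected so this runs offline against
a constructed answer table; pass real_lookup to query live DNS.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]   # qname -> first A record, None if NXDOMAIN


def real_lookup(qname: str) -> Optional[str]:
    """Resolve with the system resolver; None means the name does not exist."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def dnsbl_qname(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 203.0.113.7 -> 7.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)           # rejects anything that is not an IPv4 address
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def rbl_client_match(ip: str, rbl: str, resolve: Resolver) -> bool:
    """Emulate one reject_rbl_client argument, with or without an =d.d.d.d filter."""
    zone, _, wanted = rbl.partition("=")
    answer = resolve(dnsbl_qname(ip, zone))
    if answer is None:
        return False                           # not listed
    if wanted:
        return answer == wanted                # filtered form: only this return code counts
    return True                                # plain form: any listing rejects


def zone_is_alive(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 probes: 127.0.0.2 must be listed and 127.0.0.1 must not be.

    A zone that fails the first probe has gone dark and protects nothing; one
    that fails the second answers for names it should not (a wildcarded or
    parked domain does this) and would reject every client.  Either way it
    should come out of the restriction list.
    """
    return (resolve(dnsbl_qname("127.0.0.2", zone)) is not None
            and resolve(dnsbl_qname("127.0.0.1", zone)) is None)


def audit_zones(zones: Iterable[str], resolve: Resolver) -> Dict[str, bool]:
    """Map each configured zone to whether it passes the liveness probes."""
    return {zone: zone_is_alive(zone, resolve) for zone in zones}


# Constructed answer table standing in for DNS; none of these are real zones.
FAKE_DNS = {
    # healthy list: test entry present, negative entry absent, one client listed
    "2.0.0.127.zen.example": "127.0.0.2",
    "7.113.0.203.zen.example": "127.0.0.4",
    # lapsed list whose domain now answers for every name
    "2.0.0.127.dead.example": "127.0.0.2",
    "1.0.0.127.dead.example": "127.0.0.2",
    "7.113.0.203.dead.example": "127.0.0.2",
    # reputation list with several codes; in this made-up scheme only 127.0.0.2 means "block"
    "2.0.0.127.karma.example": "127.0.0.2",
    "7.113.0.203.karma.example": "127.0.0.3",
}


def fake_lookup(qname: str) -> Optional[str]:
    return FAKE_DNS.get(qname)


if __name__ == "__main__":
    zones = ["zen.example", "dead.example", "karma.example"]
    for zone, alive in audit_zones(zones, fake_lookup).items():
        print(f"{zone:14} {'ok' if alive else 'FAILS probes: remove from reject_rbl_client'}")
    # The filtered form ignores the 127.0.0.3 answer; the plain form would reject on it.
    print(rbl_client_match("203.0.113.7", "karma.example=127.0.0.2", fake_lookup))
    print(rbl_client_match("203.0.113.7", "karma.example", fake_lookup))
```

The audit is the part worth scheduling: run it with `real_lookup` against every zone named in your smtpd restrictions, and treat a zone that fails either probe as one to remove, since a dead zone does nothing and a wildcarded one rejects everybody.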


Re: Switching to 587 submission

2011-12-08 Thread Grant
>>>> I don't see why local Squirrelmail won't send mail over 587,
>>>> but remote Thunderbird will.  Squirrelmail also won't send mail over
>>>> port 25, but it will send mail over 465.
>>>
>>>
>>> Do you have a new-enough SquirrelMail? From the looks of it, the only
>>> version >= 1.5.1 is the development snapshot. (Do you know about Roundcube?)
>>
>> OK, that must be why Squirrelmail can't send mail over 587.  I'm on
>> the latest version in Portage.  You spelled it out for me before but I
>> didn't pick up on it.  Since 587 uses STARTTLS, I would have thought I
>> could connect unencrypted but apparently encryption is required there?
>>
>> Is Squirrelmail failing to send mail over port 25 because
>> authentication isn't allowed on port 25?  If so, do I need a dedicated
>> port for unencrypted local Squirrelmail mail?
>
> I don't think you're really getting the significance of port 587 vs. port 25.

I think you're right.

> 587 can be used encrypted or unencrypted, authenticated (preferably) or 
> not... you could for instance just limit 587 connections from a particular 
> subnet, etc.

Why then won't Squirrelmail send mail on port 587 unencrypted with
"Secure SMTP (TLS) : false"?  I get:

530 5.7.0 Must issue a STARTTLS command first

> But the main difference is this:
>
> 587 is used by MUA's (i.e. clients) to submit *outbound* messages to your MTA 
> (relay).
>
> 25 is used by your MTA to receive *incoming* messages from other 
> administrative domains (organizations).

Port 25 is never used to submit outbound messages?  If not, I'm
confused as to why Squirrelmail describes its "SMTP Port" setting this
way:

This is the port to connect to for SMTP.  Usually 25.

- Grant


Re: Switching to 587 submission

2011-12-08 Thread Noel Jones
On 12/8/2011 1:28 PM, Michael Orlitzky wrote:
> On 12/08/2011 02:21 PM, Gary Smith wrote:
>>
>> Wouldn't it be smarter to just tell SquirrelMail to use port 587 and
>> pass through authentication?  This way if the server is compromised
>> or has another exploit there isn't a simple internal email server to
>> send all that spam from.
>>
>> This is exactly what we do for both horde and roundcube.
>>
> 
> That was my first suggestion, but the stable version of SquirrelMail
> (and the one supplied by Gentoo) doesn't support STARTTLS.


I suggest staying on smtps/465 until SM stable supports STARTTLS.
There's nothing that says you need to stop using 465, and no
security implications to continuing to use it.


  -- Noel Jones


Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Duane Hill
On Thursday, December 08, 2011 at 19:17:44 UTC, pe...@berghold.net confabulated:

> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_auth_destination,
> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/access,
> permit_sasl_authenticated,
> reject_unauth_pipelining,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_unkown_helo_hostname,
> reject_invalid_hostname,
> reject_unknown_hostname,
> reject_rbl_client blackholes.easynet.nl,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client cbl.abuseat.org,
>reject_rbl_client cbl.abuseat.org,

No need to check cbl.abuseat.org twice?  You can remove it as it
is included in zen.spamhaus.org which you have below.

> reject_rbl_client dnsbl.njabl.org,
>reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
> reject_rbl_client list.dsbl.org,
>reject_rbl_client list.dsbl.org,
> reject_rbl_client multihop.dsbl.org,

dsbl.org has been dead since June of 2008.

> reject_rbl_client opm.blitzed.org,

opm.blitzed.org ended in May of 2006.

> reject_rbl_client sbl.spamhaus.org,
>reject_rbl_client sbl-xbl.spamhaus.org,

These both are included in zen.spamhaus.org.

> permit

-- 
There are 10 kinds of people in the world... Those who understand
binary, and those who don't.



Re: Virtual Aliasing for any user

2011-12-08 Thread Noel Jones
On 12/8/2011 6:45 AM, James Day wrote:
> Hello,
> 
> First post to the list, I would really appreciate any help/advice.
> 
> In my current setup I act as a Spam and Virus filter for several domains. 
> Mail is then relayed to their local Exchange servers once it has been scanned.
> 
> In the event that their Exchange server is down and they require emergency 
> access to their emails I have configured virtual_alias_maps as below:
> 
> user@domain   user@domain,user@otherdomain
> 
> This way the original mail is still cached in the queue for delivery to 
> Exchange and a copy is sent to the same user at anotherdomain (an 
> IMAP/Webmail server).
> 

Yes, that's the correct procedure.


> My question is: Rather than setting up each user and their alias individually 
> can I use a wildcard to accept for anyuser and forward to the same username 
> on the other domain.

Using wildcards will cause postfix to accept mail for undeliverable
recipients, so that's not a good solution.

Use a script to generate the mappings you need.  The size of the
resulting file is not a concern, hash maps can handle millions of
entries efficiently.



  -- Noel Jones
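A generator for the per-user map Noel describes, added here as an example and not the poster's or Postfix's code. The customer domains, the mailbox names and the map path mentioned in the comments are assumptions; the output shape is the one James posted and Noel confirmed.

```python
"""Generate per-user virtual_alias_maps entries instead of a domain wildcard.

Added example, not from the thread.  Given the real mailboxes of each filtered
domain, it writes one line per user in the form Noel confirmed,
    user@domain    user@domain, user@otherdomain
so the original still queues for the customer's Exchange server and a copy goes
to the emergency IMAP/webmail host, while unknown users keep being rejected.
The mailbox lists below are constructed for the example; in practice they come
from the customers' directories.  Write the result to a file and run postmap(1).
"""
import re
from typing import Dict, Iterable, List

# Conservative local-part check: letters, digits and the punctuation that shows up
# in real mailbox names.  Anything else is an error, not a map entry.
LOCALPART = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*$")


def alias_lines(mailboxes: Dict[str, Iterable[str]], backup_domain: str) -> List[str]:
    """Return sorted, de-duplicated map lines, one per (user, domain)."""
    lines = set()
    for domain, users in mailboxes.items():
        for raw in users:
            user = raw.strip().lower()        # postmap folds keys to lowercase by default
            if not LOCALPART.match(user):
                raise ValueError(f"refusing to write alias for {raw!r} in {domain}")
            primary = f"{user}@{domain}"
            lines.add(f"{primary}\t{primary}, {user}@{backup_domain}")
    return sorted(lines)


def render(mailboxes: Dict[str, Iterable[str]], backup_domain: str) -> str:
    """Complete file body; assumed target is hash:/etc/postfix/virtual_backup (hypothetical path)."""
    header = ["# per-user emergency copies; regenerate and postmap, do not hand-edit"]
    return "\n".join(header + alias_lines(mailboxes, backup_domain)) + "\n"


# Constructed sample input (not real customers); duplicate and mixed case on purpose.
MAILBOXES = {
    "customer-a.example": ["alice", "Bob", "alice"],
    "customer-b.example": ["carol.jones", "dave+invoices"],
}
BACKUP_DOMAIN = "webmail.example"

if __name__ == "__main__":
    print(render(MAILBOXES, BACKUP_DOMAIN), end="")
```

Because every key is a full address, a RCPT TO for a user who is not in the customer's list still falls through to the normal relay_recipient checks and is rejected, which is exactly what an `@domain` wildcard would have defeated.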


Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 8:46 AM, Grant wrote:
>>> I don't see why local Squirrelmail won't send mail over 587,
>>> but remote Thunderbird will.  Squirrelmail also won't send mail over
>>> port 25, but it will send mail over 465.
>>
>>
>> Do you have a new-enough SquirrelMail? From the looks of it, the only
>> version >= 1.5.1 is the development snapshot. (Do you know about Roundcube?)
> 
> OK, that must be why Squirrelmail can't send mail over 587.  I'm on
> the latest version in Portage.  You spelled it out for me before but I
> didn't pick up on it.  Since 587 uses STARTTLS, I would have thought I
> could connect unencrypted but apparently encryption is required there?
> 
> Is Squirrelmail failing to send mail over port 25 because
> authentication isn't allowed on port 25?  If so, do I need a dedicated
> port for unencrypted local Squirrelmail mail?

I don't think you're really getting the significance of port 587 vs. port 25.

587 can be used encrypted or unencrypted, authenticated (preferably) or not... 
you could for instance just limit 587 connections from a particular subnet, etc.

But the main difference is this:

587 is used by MUA's (i.e. clients) to submit *outbound* messages to your MTA 
(relay).

25 is used by your MTA to receive *incoming* messages from other administrative 
domains (organizations).

-Philip


> Javascript gives me the creeps (yeah I use Gmail anyway) so I'm happy
> to stick with Squirrelmail over Roundcube.
> 
> - Grant



Re: Switching to 587 submission

2011-12-08 Thread Michael Orlitzky

On 12/08/2011 02:21 PM, Gary Smith wrote:
> Wouldn't it be smarter to just tell SquirrelMail to use port 587 and
> pass through authentication?  This way if the server is compromised
> or has another exploit there isn't a simple internal email server to
> send all that spam from.
>
> This is exactly what we do for both horde and roundcube.

That was my first suggestion, but the stable version of SquirrelMail 
(and the one supplied by Gentoo) doesn't support STARTTLS.


RE: Switching to 587 submission

2011-12-08 Thread Gary Smith
> So you should change 'client' to 'recipient' in master.cf before you
> remove the 'permit_sasl_authenticated' in main.cf.
> 
> At that point, SquirrelMail (or anything else) won't be able to send
> mail unless it authenticates on port 587, sends to one of your domains
> on port 25, or is in $mynetworks and sends on port 25.
> 
> The path of least resistance is probably to add the SquirrelMail box to
> $mynetworks, and have it send to port 25. If someone can gain control of
> the SquirrelMail box, you're screwed mail-wise anyway, so I don't think
> you lose any security that way.

Wouldn't it be smarter to just tell SquirrelMail to use port 587 and pass 
through authentication?  This way if the server is compromised or has another 
exploit there isn't a simple internal email server to send all that spam from.

This is exactly what we do for both horde and roundcube.



Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Peter L. Berghold
smtpd_recipient_restrictions =
permit_mynetworks,
permit_auth_destination,
reject_unauth_destination,
check_sender_access hash:/etc/postfix/access,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unkown_helo_hostname,
reject_invalid_hostname,
reject_unknown_hostname,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client bl.spamcop.net,
reject_rbl_client cbl.abuseat.org,
   reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl.njabl.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rbl_client list.dsbl.org,
   reject_rbl_client list.dsbl.org,
reject_rbl_client multihop.dsbl.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client sbl-xbl.spamhaus.org,
permit







-- 
Peter L. Berghold 



Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread /dev/rob0
On Thursday 08 December 2011 13:04:13 Peter L. Berghold wrote:
> Is there a "best practice" concerning the ordering of the
> directives to the right hand side of the "=" for
> smtpd_recipient_restrictions?

Consider the relative costs of the restrictions. For example, a hash: 
table access(5) lookup will have very little cost, whereas a 
reject_rbl_client restriction incurs the delay and bandwidth of a DNS 
lookup.

Furthermore, be aware of the potential problem of 'permit' results 
allowing open relay:

http://www.postfix.org/SMTPD_ACCESS_README.html#danger

> The reason I'm asking is I added a set of lines for RBL reverse DNS
> and they don't seem to be having any effect.

The "real" question lacks adequate information to answer. See:

http://www.postfix.org/DEBUG_README.html#mail
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: Switching to 587 submission

2011-12-08 Thread Michael Orlitzky

On 12/08/2011 11:24 AM, Grant wrote:
>> You don't really need the permit_sasl_authenticated, since you shouldn't be
>> trying to auth on port 25. It doesn't hurt, though.
>
> I just noticed that I can't send mail from Thunderbird unless I
> include permit_sasl_authenticated in the above
> smtpd_recipient_restrictions block.  I get relay access denied
> otherwise.

Oh, sorry. You have this in master.cf:

> submission inet n   -   n   -   -   smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

The -o smtpd_foo_restrictions here is supposed to override the 
restrictions in main.cf:

> smtpd_recipient_restrictions =
>         permit_sasl_authenticated,
>         permit_mynetworks,
>         reject_unauth_destination,
>         permit

So you should change 'client' to 'recipient' in master.cf before you 
remove the 'permit_sasl_authenticated' in main.cf.

At that point, SquirrelMail (or anything else) won't be able to send 
mail unless it authenticates on port 587, sends to one of your domains 
on port 25, or is in $mynetworks and sends on port 25.

The path of least resistance is probably to add the SquirrelMail box to 
$mynetworks, and have it send to port 25. If someone can gain control of 
the SquirrelMail box, you're screwed mail-wise anyway, so I don't think 
you lose any security that way.

The alternative that you had working was letting SquirrelMail auth in 
plain text on port 25, which is, should someone compromise the 
SquirrelMail box, not going to save you.


Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Matt Hayes

On 12/8/2011 2:04 PM, Peter L. Berghold wrote:
> Hi folks,
>
> Hope this isn't too dumb a question, but here goes:
>
> Is there a "best practice" concerning the ordering of the directives
> to the right hand side of the "=" for smtpd_recipient_restrictions?
>
> The reason I'm asking is I added a set of lines for RBL reverse DNS and
> they don't seem to be having any effect.

Peter,

Can you send us the smtpd_recipient_restrictions line from your main.cf? 
Might help to see how you have them ordered and what else you may be 
able to add to help benefit you.


-Matt


smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Peter L. Berghold
Hi folks,

Hope this isn't too dumb a question, but here goes:   

Is there a "best practice" concerning the ordering of the directives
to the right hand side of the "=" for smtpd_recipient_restrictions?  

The reason I'm asking is I added a set of lines for RBL reverse DNS and
they don't seem to be having any effect.


-- 
Peter L. Berghold 



Re: postfix-pgsql on centos6

2011-12-08 Thread ml

On 08.12.2011 16:50, Kwasi Gyasi - Agyei wrote:
> The building of postfix with pgsql is proving to be rather
> complicated, I think it doesn't like my Kernel
>
> (echo "# Do not edit -- this file documents how Postfix was built for
> your machine."; /bin/sh makedefs) >makedefs.tmp
> ATTENTION:
> ATTENTION: Unknown system type: Linux 3.0.4-linode38
> ATTENTION:
> make: *** [Makefiles] Error 1
> make: *** [makefiles] Error 2
> error: Bad exit status from /var/tmp/rpm-tmp.OnGA25 (%build)
>
>
> RPM build errors:
> Bad exit status from /var/tmp/rpm-tmp.OnGA25 (%build)

It seems that you are using a 3.* kernel. I do not know whether
compiling Simon J Mudd's rpm is possible in such a case. Check with
SJMudd and Wietse.

> On Thu, Dec 8, 2011 at 3:40 PM, ml  wrote:
>> On Thursday 08 December 2011 at 15:33 +1300, Peter wrote:
>>> On 08/12/11 15:28, Kwasi Gyasi - Agyei wrote:
>>>> Thanks, where can I get src.rpm for v2.6.6, the highest version from
>>>> here http://postfix.wl0.org/en/available-packages/ is 2.5.
>>>
>>> ...picking a CentOS mirror at random:
>>>
>>> http://mirrors.usc.edu/pub/linux/distributions/centos/6/os/SRPMS/Packages/postfix-2.6.6-2.el6.src.rpm
>>
>> It's easy to recompile Simon J Mudd's source rpm for CentOS 6.
>>
>> See the documentation.



--
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7

 http://urlshort.eu fakessh @
 http://gplus.to/fakessh
 http://gplus.to/john.swilting


Re: Switching to 587 submission

2011-12-08 Thread Grant
>>> You've probably got permit_mynetworks near the top of your
>>> smtpd_foo_restrictions, which are inherited by default. The "-o
>>
>>
>> The only smtpd_foo_restrictions I have in main.cf are:
>>
>> smtpd_recipient_restrictions =
>>         permit_sasl_authenticated,
>>         permit_mynetworks,
>>         reject_unauth_destination,
>>         permit
>
>
> You don't really need the permit_sasl_authenticated, since you shouldn't be
> trying to auth on port 25. It doesn't hurt, though.

I just noticed that I can't send mail from Thunderbird unless I
include permit_sasl_authenticated in the above
smtpd_recipient_restrictions block.  I get relay access denied
otherwise.

- Grant


Re: Switching to 587 submission

2011-12-08 Thread Grant
>> I don't see why local Squirrelmail won't send mail over 587,
>> but remote Thunderbird will.  Squirrelmail also won't send mail over
>> port 25, but it will send mail over 465.
>
>
> Do you have a new-enough SquirrelMail? From the looks of it, the only
> version >= 1.5.1 is the development snapshot. (Do you know about Roundcube?)

OK, that must be why Squirrelmail can't send mail over 587.  I'm on
the latest version in Portage.  You spelled it out for me before but I
didn't pick up on it.  Since 587 uses STARTTLS, I would have thought I
could connect unencrypted but apparently encryption is required there?

Is Squirrelmail failing to send mail over port 25 because
authentication isn't allowed on port 25?  If so, do I need a dedicated
port for unencrypted local Squirrelmail mail?

Javascript gives me the creeps (yeah I use Gmail anyway) so I'm happy
to stick with Squirrelmail over Roundcube.

- Grant


Re: SMTP hangs when MySQL is down

2011-12-08 Thread Reindl Harald


On 08.12.2011 15:15, lst_ho...@kwsoft.de wrote:
> Quoting Reindl Harald:
> 
>> On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote:
>>
>>> Help is always welcome; simply demanding how things could be better is useless
>>
>> You have a bad attitude!
>>
>> Demanding how things could be better is useful everywhere,
>> because it is a hint as to what can be improved
> 
> You have missed the difference between "point out" and "demand". If you got 
> something for free, *demanding* to get something else is useless and always will be.
> 
> You really should check your attitude...

Oh yes, come on and nail a non-native speaker down on one single word
if it makes you feel better. If you wanted to, you could understand
what I meant.






Re: SMTP hangs when MySQL is down

2011-12-08 Thread lst_hoe02

Quoting Reindl Harald:

> On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote:
>
>> Help is always welcome; simply demanding how things could be better is useless
>
> You have a bad attitude!
>
> Demanding how things could be better is useful everywhere,
> because it is a hint as to what can be improved

You have missed the difference between "point out" and "demand". If  
you got something for free, *demanding* to get something else is  
useless and always will be.

You really should check your attitude...

Regards

Andreas






Re: SMTP hangs when MySQL is down

2011-12-08 Thread Reindl Harald


On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote:

> Help is always welcome; simply demanding how things could be better is useless

You have a bad attitude!

Demanding how things could be better is useful everywhere,
because it is a hint as to what can be improved.

You do not always need to be able to make things better yourself to give
hints for improvements, and these hints can often result in a
brainstorming among developers and, possibly with a small change
in the code, be optimized by people who know how to do it.

Calling user feedback "useless" and saying "why do you not patch it yourself"
was, is and will always be a bad attitude.





Re: SMTP hangs when MySQL is down

2011-12-08 Thread lst_hoe02

Quoting Sebastian Wiesinger:

> * Wietse Venema  [2011-12-08 13:09]:
>> Sebastian Wiesinger:
>>> I really would like to know if it is not possible to have a temporary
>>> error when trivial-rewrite fails to access the MySQL database. I don't
>>> see any apparent reason for it. If there is one I would like to know.
>>
>> You have the right to ask these questions. I recommend that you
>> spend the energy to make your MySQL server more redundant, if you
>> care so much about email performance.
>
> I just don't want to have connections hang when there could be a
> temporary error which would close down these connections. I don't care
> so much about mail performance more about (again, in my opinion)
> better error handling.
>
> And I had hoped that perhaps this would be an improvement to postfix.
> Sadly it seems it was some kind of blasphemy to question the way
> postfix does handle this stuff.

No, it means that until now no one has needed this badly enough to step up with  
code/patches to improve it. If you really need a reliable mail system  
you simply have to use reliable parts. Whether your mail system responds with  
4xx or simply hangs when it is not able to move any mail is just a  
matter of taste.

> But perhaps I'm only getting the wrong impression here.

Yes

Help is always welcome; simply demanding how things could be better is useless.

Regards

Andreas






Re: postfix-pgsql on centos6

2011-12-08 Thread ml

On Thursday 08 December 2011 at 15:33 +1300, Peter wrote:
> On 08/12/11 15:28, Kwasi Gyasi - Agyei wrote:
> > Thanks, where can I get src.rpm for v2.6.6, the highest version from
> > here http://postfix.wl0.org/en/available-packages/ is 2.5.
> 
> ...picking a CentOS mirror at random:
> http://mirrors.usc.edu/pub/linux/distributions/centos/6/os/SRPMS/Packages/postfix-2.6.6-2.el6.src.rpm


It's easy to recompile the source RPM of Simon J Mudd for CentOS 6.

see the documentation



Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* Wietse Venema  [2011-12-08 13:09]:
> Sebastian Wiesinger:
> > I really would like to know if it is not possible to have a temporary
> > error when trivial-rewrite fails to access the MySQL database. I don't
> > see any apparent reason for it. If there is one I would like to know.
> 
> You have the right to ask these questions. I recommend that you
> spend the energy to make your MySQL server more redundant, if you
> care so much about email performance.

I just don't want to have connections hang when there could be a
temporary error which would close down these connections. I don't care
so much about mail performance more about (again, in my opinion)
better error handling.

And I had hoped that perhaps this would be an improvement to postfix.
Sadly it seems it was some kind of blasphemy to question the way
postfix does handle this stuff.

But perhaps I'm only getting the wrong impression here.

Regards

Sebastian


-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Virtual Aliasing for any user

2011-12-08 Thread James Day
Hello,

First post to the list, I would really appreciate any help/advice.

In my current setup I act as a Spam and Virus filter for several domains. Mail 
is then relayed to their local Exchange servers once it has been scanned.

In the event that their Exchange server is down and they require emergency 
access to their emails I have configured virtual_alias_maps as below:

user@domain user@domain,user@otherdomain

This way the original mail is still cached in the queue for delivery to 
Exchange and a copy is sent to the same user at anotherdomain (an IMAP/Webmail 
server).

My question is: rather than setting up each user and their alias individually, 
can I use a wildcard to accept for any user and forward to the same username on 
the other domain?

Rather than use virtual_alias_maps:

@domain catchall@otherdomain

I would like virtual_alias_maps:

%anything%@domain   %anything%@otherdomain

I hope I have explained that clearly enough.

I did attempt to configure virtual_alias_maps like this:

@domain @otherdomain

But this tries to literally forward to @otherdomain (as an address without the 
user portion).

Thanks in advance.

James
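An added example (not from this thread) of the wildcard mapping asked about above, using a Postfix pcre_table(5) lookup table with a `$1` back-reference; the domain names and file path are placeholders, and the one-line syntax follows the form already used in the post:

```pcre
# /etc/postfix/virtual_wildcard.pcre   (added example, placeholder path)
#
# Referenced from main.cf as:
#   virtual_alias_maps = pcre:/etc/postfix/virtual_wildcard.pcre
#
# Any local part at example.com keeps its original recipient (so the
# message still queues for the Exchange relay) and also gets a copy at
# the same local part on backup.example.net (the IMAP/webmail host).
# The copy's domain does not match the pattern, so expansion stops there.
# Placeholder domains; substitute your own.
/^([^@]+)@example\.com$/   $1@example.com, $1@backup.example.net

# Caveat: this duplicates mail for *every* local part, including ones
# that do not exist on Exchange, so the backup host should reject or
# discard unknown users rather than bounce them to forged senders.
#
# Check a lookup before reloading:
#   postmap -q "alice@example.com" pcre:/etc/postfix/virtual_wildcard.pcre
```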


Re: SMTP hangs when MySQL is down

2011-12-08 Thread Wietse Venema
Wietse Venema:
> Sebastian Wiesinger:
> > I really would like to know if it is not possible to have a temporary
> > error when trivial-rewrite fails to access the MySQL database. I don't
> > see any apparent reason for it. If there is one I would like to know.
> 
> You have the right to ask these questions. I recommend that you
> spend the energy to make your MySQL server more redundant, if you
> care so much about email performance.

OK, one reply. In Postfix do not spend a lot of time on optimizing
the handling of internal errors such as broken MySQL servers.

Wietse


Re: SMTP hangs when MySQL is down

2011-12-08 Thread Wietse Venema
Sebastian Wiesinger:
> I really would like to know if it is not possible to have a temporary
> error when trivial-rewrite fails to access the MySQL database. I don't
> see any apparent reason for it. If there is one I would like to know.

You have the right to ask these questions. I recommend that you
spend the energy to make your MySQL server more redundant, if you
care so much about email performance.

Wietse


Stress Test Postfix

2011-12-08 Thread Peter Tselios
Hello, 
I have 2 Postfix setups with OpenLDAP as back ends. I need to stress test my 
configuration. 
I tried with smtp-source but I don't know if it is OK to test with 1 
connection or more. How does Postfix handle the connections from 
smtp-source? Is it reliable? I mean, if I use 200 connections on 
smtp-source, does that mean that I simulate 200 concurrent connections, from 
different users, on Postfix?

B/R
Peter.


Re: CISCO breaks DKIM on their ASA/PIX (again)

2011-12-08 Thread Robert Schetterer
On 08.12.2011 09:53, Ralf Hildebrandt wrote:
> Over the last few days I discussed SMTP delivery problems with a czech
> site which was using Postfix and a CISCO ASA with "smtp protocol
> fixup" enabled.
> 
> I was able to work around the delivery problems by stripping the DKIM
> headers on outgoing mails (as so often).
> 
> Some interesting info got out:
> 
> I've also discussed these results with local Cisco support and they
> confirmed it's a known bug (not published) with DKIM and smtp inspection
> engine in latest IOS versions.
> 
> This should be fixed in some newer IOS version (8.4(10)) which is not
> public yet (latest is 8.4(2)).
> 

so now it's public *g
there really should be a public notice from Cisco
and we all have to look at it *g
any big mailers known for this bug?
-- 
Best Regards

Kind regards, Robert Schetterer

Germany/Munich/Bavaria


Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* Wietse Venema  [2011-12-07 17:20]:
> Yes it was. I point the attention to the RIGHT problem, which is
> fixing the suboptimal configuration that does domain queries from
> SQL.

Hi,

with all due respect, for me the important thing at the moment
would be to understand why it works the way it works. I understand
that it is apparently not the "right" way to do it, but to be honest
there is not a lot of information to point that out.

* There is no information regarding this limitation in trivial-rewrite(8),
  MYSQL_README or mysql_table(5). Maybe it's somewhere else where I
  did not find it.

* Every setup guide or how-to regarding MySQL and postfix that I
  found set up the domain alias table and domain table in
  MySQL. So people are using it.

* Doing a Google Search for "virtual_mailbox_domains = proxy:mysql:"
  returns 74k results, "virtual_mailbox_domains = mysql:" returns 41k
  results. So there are probably a few people using it.

* From my standpoint it makes no sense to have everything in a central
  database and then leave out the domain and domain alias tables. (But
  that is debatable)

* SMTP is not realtime messaging but customers/users nowadays expect that the
  configuration gets active at the same time they enter it into
  the system. If you can't provide that they go elsewhere.

I really would like to know if it is not possible to have a temporary
error when trivial-rewrite fails to access the MySQL database. I don't
see any apparent reason for it. If there is one I would like to know.

Last but not least I would really appreciate it if that capability
would be added (make it optional by all means). I think that at least
a few people would benefit from it.

Regards,

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: CISCO breaks DKIM on their ASA/PIX (again)

2011-12-08 Thread Ralf Hildebrandt
* Rolf E. Sonneveld:

> >I was able to work around the delivery problems by stripping the DKIM
> >headers on outgoing mails (as so often).
> 
> Do you mean a Cisco ASA/PIX firewall with 'smtp protocol fixup'
> effectively blocks _any_ message carrying a DKIM-signature header?

No, it's blocking SOME, but in order to make those pass, I had to
strip off the DKIM Headers, and suddenly they would go through:

smtp_header_checks=pcre:/etc/postfix/no_dkim.pcre

/^DKIM-Signature:/  IGNORE
# this strips a DKIM Signature

> I've always wondered why they call it 'smtp protocol fixup', they'd
> better call it 'smtp protocol breakdown'.

One really has to wonder about this.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: CISCO breaks DKIM on their ASA/PIX (again)

2011-12-08 Thread Rolf E. Sonneveld

Hi, Ralf,

On 12/8/11 9:53 AM, Ralf Hildebrandt wrote:

> Over the last few days I discussed SMTP delivery problems with a czech
> site which was using Postfix and a CISCO ASA with "smtp protocol
> fixup" enabled.
>
> I was able to work around the delivery problems by stripping the DKIM
> headers on outgoing mails (as so often).

Do you mean a Cisco ASA/PIX firewall with 'smtp protocol fixup' 
effectively blocks _any_ message carrying a DKIM-signature header?

> Some interesting info got out:
>
> I've also discussed these results with local Cisco support and they
> confirmed it's a known bug (not published) with DKIM and smtp inspection
> engine in latest IOS versions.
>
> This should be fixed in some newer IOS version (8.4(10)) which is not
> public yet (latest is 8.4(2)).

I've always wondered why they call it 'smtp protocol fixup', they'd 
better call it 'smtp protocol breakdown'.


/rolf


CISCO breaks DKIM on their ASA/PIX (again)

2011-12-08 Thread Ralf Hildebrandt
Over the last few days I discussed SMTP delivery problems with a czech
site which was using Postfix and a CISCO ASA with "smtp protocol
fixup" enabled.

I was able to work around the delivery problems by stripping the DKIM
headers on outgoing mails (as so often).

Some interesting info got out:

I've also discussed these results with local Cisco support and they
confirmed it's a known bug (not published) with DKIM and smtp inspection
engine in latest IOS versions.

This should be fixed in some newer IOS version (8.4(10)) which is not
public yet (latest is 8.4(2)).

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de