Re: needing to log all outbound emails
On 17.04.2012 05:29, Mike Zupan wrote:
> We are looking to log all outbound emails in code.. not tailing a log or anything.. is there an area of the code I can look at first to get an idea of where the final stop for emails through postfix go before they are sent out. We are looking to log all cc/bcc emails also.
>
> We have a compliance regulation that we need to meet to prove we sent the client an email and want to provide support an easy tool. Plus it will be a fun little hack for us.
>
> If this is the wrong list.. which one should I post to?
>
> thanks!
> Mike

as all mails are in the log, you simply only have to write a log grep matching your senders

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
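Added example (not part of the thread and not Postfix code): one way to turn the mail log into per-message delivery records. Postfix logs every envelope recipient, Bcc included, under the message's queue ID, so joining on that ID gives sender, recipient, relay and the remote server's reply. The log lines are constructed and the function names are illustrative.

```python
"""Per-message delivery records from Postfix syslog lines, keyed by queue ID."""
import re

# Constructed sample in the standard Postfix log format; hosts and addresses are made up.
SAMPLE_LOG = """\
Apr 17 09:00:01 mx postfix/cleanup[2102]: 4F2A11C0A3: message-id=<20120417090001.4F2A11C0A3@mx.example.com>
Apr 17 09:00:01 mx postfix/qmgr[1900]: 4F2A11C0A3: from=<billing@example.com>, size=1834, nrcpt=3 (queue active)
Apr 17 09:00:02 mx postfix/smtp[2105]: 4F2A11C0A3: to=<client@customer.example>, relay=mail.customer.example[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9B1E2)
Apr 17 09:00:02 mx postfix/smtp[2106]: 4F2A11C0A3: to=<manager@customer.example>, relay=mail.customer.example[192.0.2.10]:25, delay=1.3, delays=0.1/0/0.6/0.6, dsn=4.2.0, status=deferred (host mail.customer.example[192.0.2.10] said: 450 4.2.0 try again later)
Apr 17 09:00:03 mx postfix/smtp[2107]: 4F2A11C0A3: to=<archive@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=2.0, delays=0.1/0/1.1/0.8, dsn=2.0.0, status=sent (250 OK id=1SK3)
Apr 17 09:05:40 mx postfix/smtp[2150]: 4F2A11C0A3: to=<manager@customer.example>, relay=mail.customer.example[192.0.2.10]:25, delay=339, delays=338/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A77F0)
Apr 17 09:05:40 mx postfix/qmgr[1900]: 4F2A11C0A3: removed
Apr 17 10:12:08 mx postfix/qmgr[1900]: 7C9D02B441: from=<support@example.com>, size=990, nrcpt=1 (queue active)
Apr 17 10:12:09 mx postfix/smtp[2290]: 7C9D02B441: to=<client@customer.example>, relay=mail.customer.example[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.7.1, status=bounced (host mail.customer.example[192.0.2.10] said: 550 5.7.1 message refused (in reply to end of DATA command))
"""

LINE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)$"
)
SENDER = re.compile(r"^from=<([^>]*)>")
MSGID = re.compile(r"^message-id=(\S+)")
# Match field by field so text inside the remote reply cannot be taken for a field.
DELIVERY = re.compile(
    r"^to=<([^>]*)>,(?: orig_to=<([^>]*)>,)? relay=([^,]+), "
    r"(?:\w+=[^, ]+, )*dsn=([\d.]+), status=(\w+) \((.*)\)$"
)


def build_audit(lines):
    """Return {queue_id: {"from", "message_id", "deliveries": [...]}}."""
    audit = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        when, daemon, qid, rest = m.groups()
        sender = SENDER.match(rest) if daemon == "qmgr" else None
        msgid = MSGID.match(rest) if daemon == "cleanup" else None
        # postfix/smtp is the outbound client: one line per recipient per attempt.
        delivery = DELIVERY.match(rest) if daemon == "smtp" else None
        if not (sender or msgid or delivery):
            continue  # warnings, NOQUEUE lines, "removed", ...
        rec = audit.setdefault(
            qid, {"from": None, "message_id": None, "deliveries": []}
        )
        if sender:
            rec["from"] = sender.group(1)
        elif msgid:
            rec["message_id"] = msgid.group(1)
        else:
            to, orig_to, relay, dsn, status, response = delivery.groups()
            rec["deliveries"].append({
                "time": when, "to": to, "orig_to": orig_to, "relay": relay,
                "dsn": dsn, "status": status, "response": response,
            })
    return audit


def proof_of_send(audit, recipient):
    """Rows for deliveries the remote server accepted (status=sent) for `recipient`."""
    rows = []
    for qid, rec in audit.items():
        for d in rec["deliveries"]:
            if d["status"] == "sent" and d["to"].lower() == recipient.lower():
                rows.append((d["time"], qid, rec["from"], d["relay"], d["response"]))
    return rows


if __name__ == "__main__":
    records = build_audit(SAMPLE_LOG.splitlines())
    for row in proof_of_send(records, "manager@customer.example"):
        print(row)
```

status=sent records that the next hop accepted the message, not that the person read it; the deferred and bounced attempts stay in the record so support can see them too.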
Configuration advices for a 50000 mailboxes server(s)
Hello

I need some feedback and advice from experienced admins.

I will have to set up in a few months an email system for approx. 50K intensive users.

The only mandatory thing will be that I must use HP ProLiant servers.

The operating system will be FreeBSD or Linux.

Thank you for any advice
RE: Another issue with SMTPD AUTH
Yes, for sure I did.

[root@fsrv02 log.d]# ll /usr/lib/sasl2/
total 52
-rwxr-xr-x 1 root root   957 2011-01-18 17:35 liblogin.la*
lrwxrwxrwx 1 root root    18 2012-04-12 11:21 liblogin.so -> liblogin.so.2.0.23*
lrwxrwxrwx 1 root root    18 2012-04-12 11:21 liblogin.so.2 -> liblogin.so.2.0.23*
-rwxr-xr-x 1 root root 17900 2011-01-18 17:35 liblogin.so.2.0.23*
-rwxr-xr-x 1 root root   957 2011-01-18 17:35 libplain.la*
lrwxrwxrwx 1 root root    18 2012-04-12 11:22 libplain.so -> libplain.so.2.0.23*
lrwxrwxrwx 1 root root    18 2012-04-12 11:22 libplain.so.2 -> libplain.so.2.0.23*
-rwxr-xr-x 1 root root 17900 2011-01-18 17:35 libplain.so.2.0.23*

Franck
---
M: +33 6 6042 7249
E: m...@civis.net

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Patrick Ben Koetter
Sent: Tuesday, 17 April 2012 07:16
To: postfix-users@postfix.org
Subject: Re: Another issue with SMTPD AUTH

* Franck MAHE m...@civis.net:
> [root@fsrv02 postfix]# tail /var/log/mail/errors.log
> Apr 17 01:59:09 fsrv02 postfix/smtpd[7889]: fatal: no SASL authentication mechanisms
>
> [root@fsrv02 postfix]# tail /var/log/mail/warnings.log
> Apr 17 01:59:09 fsrv02 postfix/smtpd[7889]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms

The libsasl library in Postfix smtpd daemon can't find SASL authentication mechanisms. Have you installed them?

$ ls /usr/lib64/sasl

p@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
RE: Another issue with SMTPD AUTH
Here it is

[root@fsrv02 log.d]# ps auxw | grep sasl
root     20425  0.0  0.0  34484   812 ?        Ss   10:49   0:00 saslauthd -a shadow
root     20426  0.0  0.0  34484   536 ?        S    10:49   0:00 saslauthd -a shadow
root     20427  0.0  0.0  34484   520 ?        S    10:49   0:00 saslauthd -a shadow
root     20428  0.0  0.0  34484   520 ?        S    10:49   0:00 saslauthd -a shadow
root     20429  0.0  0.0  34484   520 ?        S    10:49   0:00 saslauthd -a shadow
root     20447  0.0  0.0   7368   848 pts/1    S+   10:49   0:00 grep --color sasl

Franck
---
E: m...@civis.net

From: jeffrey j donovan [mailto:dono...@beth.k12.pa.us]
Sent: Tuesday, 17 April 2012 03:59
To: Franck MAHE
Cc: postfix-users@postfix.org
Subject: Re: Another issue with SMTPD AUTH

Greetings

cyrus is doing your auth for you. is saslauthd running? what does your output look like from

ps -ax | grep sasl

-j
Re: Configuration advices for a 50000 mailboxes server(s)
You may try to look up ZhangHuangbin, author of iredmail.org, dbmailadmin.org, a great postfix mail integrator. Nice guy.

For your case, see dbmail.org, a fast scalable sql based mail services.

Best regards.
Snowie

On Tuesday, April 17, 2012 03:54 PM, Frank Bonnet wrote:
> Hello
>
> I need some feedback and advice from experienced admins.
>
> I will have to set up in a few months an email system for approx. 50K intensive users.
>
> The only mandatory thing will be that I must use HP ProLiant servers.
>
> The operating system will be FreeBSD or Linux.
>
> Thank you for any advice
Re: Another issue with SMTPD AUTH
* Franck MAHE m...@civis.net:
> Yes, for sure I did.
>
> [root@fsrv02 log.d]# ll /usr/lib/sasl2/

your examples use /usr/lib64/... but you post /usr/lib/...

Could it be your problem is wrong paths e.g. for the saslauthd socket?

p@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
RE: Another issue with SMTPD AUTH
You're right,

[root@fsrv02 log.d]# ll /usr/lib64/sasl2/
total 0

:-(

[root@fsrvpsg02 log.d]# rpm -qa | grep sasl2
lib64sasl2-2.1.23-1.1mdv2010.0
libsasl2-plug-plain-2.1.23-1.1mdv2010.0
libsasl2-plug-login-2.1.23-1.1mdv2010.0
libsasl2-2.1.23-1.1mdv2010.0

So I missed the point, I just installed the relevant lib64sasl2-plug, and it works.

Thanks to all for your guidance, I think I was tired last night.

Franck
---
E: m...@civis.net

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Patrick Ben Koetter
Sent: Tuesday, 17 April 2012 11:21
To: postfix-users@postfix.org
Subject: Re: Another issue with SMTPD AUTH

* Franck MAHE m...@civis.net:
> Yes, for sure I did.
>
> [root@fsrv02 log.d]# ll /usr/lib/sasl2/

your examples use /usr/lib64/... but you post /usr/lib/...

Could it be your problem is wrong paths e.g. for the saslauthd socket?

p@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
postgrey outgoing mail whitelister
Hi,

as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db

It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo.

If somebody wants to help/try it, here it is:

Requirements:
* A log file containing only postfix/smtp delivery success messages
* Method to start the script when a new delivery is logged

For these I used rsyslog like that:

rsyslog.conf:

    if $syslogtag contains 'postfix/smtp' and $msg contains 'status=sent' then /var/log/mail.outgoing
    & ^/root/postgrey_clients_add.pl

Perl Script (works on debian):

postgrey_clients_add.pl:

    #!/usr/bin/perl -w
    # Add IPs to postgrey's auto-whitelist
    use BerkeleyDB;
    use Socket;

    my $dbdir = '/var/lib/postgrey';
    my $logfile = '/var/log/mail.outgoing';

    sub main()
    {
        my %db;
        # Open postgrey's BerkeleyDB environment
        my $dbenv = BerkeleyDB::Env->new(
            -Home  => $dbdir,
            -Flags => DB_INIT_TXN|DB_INIT_MPOOL|DB_INIT_LOG,
        ) or die "ERROR: can't open DB environment: $!\n";

        tie(%db, 'BerkeleyDB::Btree',
            -Filename => 'postgrey_clients.db',
            -Env      => $dbenv,
        ) or die "ERROR: can't open database $dbdir/postgrey_clients.db: $!\n";

        # Take the relay IP from the newest line of the delivery log
        my $lastlogline = `tail -n1 $logfile`;
        my($lastip) = $lastlogline =~ /.*relay=.*\[([0-9\.]+)\]/;
        exit(1) if (!$lastip);

        # Append mode assumed; the mode string did not survive in the archive
        open LOGFILE, '>>', $logfile;
        print LOGFILE "postgrey whitelister: ";
        if (exists $db{$lastip}) {
            print LOGFILE "$lastip exists: $db{$lastip}\n";
        } else {
            # default purge time is 35 days: give client 5 days and 4 tries
            my $tstamp = time - 30*24*60*60;
            $db{$lastip} = "4,$tstamp";
            print LOGFILE "$lastip added: $db{$lastip}\n";
        }
        close LOGFILE;
        untie %db;
    }

    main;
    # vim: sw=4

--
Claudius
Re: postgrey outgoing mail whitelister
On 17.04.2012 11:48, Claudius wrote:
> Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db
>
> It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo.

are you aware that you are whitelisting this way servers which sent spam to a user with autoreply?
Re: postgrey outgoing mail whitelister
On Tue, 2012-04-17 at 11:50 +0200, Reindl Harald wrote:
> On 17.04.2012 11:48, Claudius wrote:
>> Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db
>>
>> It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo.
>
> are you aware that you are whitelisting this way servers which sent spam to a user with autoreply?

And I would add that an inbound MX does not necessarily === the same outbound server a domain would use. Typically anti-spam gateways or hosted services are used inbound on one IP, whereas outbound mail is coming from another IP and server.

Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them!
Re: postgrey outgoing mail whitelister
On 17.04.2012 11:50, Reindl Harald wrote:
> On 17.04.2012 11:48, Claudius wrote:
>> Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db
>>
>> It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo.
>
> are you aware that you are whitelisting this way servers which sent spam to a user with autoreply?

what about using some tecs from here

http://mailfud.org/postpals/

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: postgrey outgoing mail whitelister
On 17.04.2012 12:09, Robert Schetterer wrote:
> On 17.04.2012 11:50, Reindl Harald wrote:
>> On 17.04.2012 11:48, Claudius wrote:
>>> Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db
>>>
>>> It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo.
>>
>> are you aware that you are whitelisting this way servers which sent spam to a user with autoreply?
>
> what about using some tecs from here
> http://mailfud.org/postpals/

this all will not work in most cases

how do you act with us as example?

you are sending a message to me to MX barracuda.thelounge.net
well, you whitelist barracuda.thelounge.net
but you will never receive any message from our spamfirewall

this is a typical business case
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 12:12:53PM +0200, Reindl Harald wrote:
> On 17.04.2012 12:09, Robert Schetterer wrote:
>> On 17.04.2012 11:50, Reindl Harald wrote:
>>> On 17.04.2012 11:48, Claudius wrote:
>>>> Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db
>>>>
>>>> It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo.
>>>
>>> are you aware that you are whitelisting this way servers which sent spam to a user with autoreply?
>>
>> what about using some tecs from here
>> http://mailfud.org/postpals/
>
> this all will not work in most cases
>
> how do you act with us as example?
>
> you are sending a message to me to MX barracuda.thelounge.net
> well, you whitelist barracuda.thelounge.net
> but you will never receive any message from our spamfirewall
>
> this is a typical business case

Stop spreading stupid FUD. It works in _majority_ of cases.

For a certain large organization, 28% of total traffic matched a known entry and only 0.1% of those were spam. Most of that spam originated from large relays that should not be rejected directly at MTA anyway. And yes this was from my government organization with several thousands of users across many domains.

If you don't understand what benefits such whitelisting achieves, then just be silent and don't use it.
Re: postgrey outgoing mail whitelister
On 17.04.2012 12:38, Henrik K wrote:
> On Tue, Apr 17, 2012 at 12:12:53PM +0200, Reindl Harald wrote:
>> how do you act with us as example?
>>
>> you are sending a message to me to MX barracuda.thelounge.net
>> well, you whitelist barracuda.thelounge.net
>> but you will never receive any message from our spamfirewall
>>
>> this is a typical business case
>
> Stop spreading stupid FUD. It works in _majority_ of cases.
>
> If you don't understand what benefits such whitelisting achieves, then just be silent and don't use it.

the majority has outgoing and incoming on the same IP?
in which world are you living?

i don't use it BECAUSE i understand the non-benefits
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 12:42:16PM +0200, Reindl Harald wrote:
> On 17.04.2012 12:38, Henrik K wrote:
>> On Tue, Apr 17, 2012 at 12:12:53PM +0200, Reindl Harald wrote:
>>> how do you act with us as example?
>>>
>>> you are sending a message to me to MX barracuda.thelounge.net
>>> well, you whitelist barracuda.thelounge.net
>>> but you will never receive any message from our spamfirewall
>>>
>>> this is a typical business case
>>
>> Stop spreading stupid FUD. It works in _majority_ of cases.
>>
>> If you don't understand what benefits such whitelisting achieves, then just be silent and don't use it.
>
> the majority has outgoing and incoming on the same IP?
> in which world are you living?

Statistics speak for themselves. Come back with hard facts instead of your FUD.

> i don't use it BECAUSE i understand the non-benefits

Non-benefits? Like wasting few bytes of memory for keeping barracuda.thelounge.net in database even if it never matches? I guess if you are very short on memory then yes.. otherwise I don't understand what your example has anything to do with anything.
Re: postgrey outgoing mail whitelister
On 17.04.2012 12:47, Henrik K wrote:
>> the majority has outgoing and incoming on the same IP?
>> in which world are you living?
>
> Statistics speak for themselves. Come back with hard facts instead of your FUD.

are you really too stupid not use the term FUD as long you are not understand what it means

the hard facts are that EVERY site using a dedicated spamfilter (own appliance or external service) have different IP's for MX and outgoing mail

additionally most big sites have MANY outgoing mailservers

>> i don't use it BECAUSE i understand the non-benefits
>
> Non-benefits? Like wasting few bytes of memory for keeping barracuda.thelounge.net in database even if it never matches?

what exactly do you not understand in the word benefit?
where did i say anything about wasting memory?
please consult google the explain benefit

however, do what YOU want if you are happy, but accept that there other people which are calling it nonsense
Re: postgrey outgoing mail whitelister
On 2012-04-17 12:04, Sam Jones wrote:
> And I would add that an inbound MX does not necessarily === the same outbound server a domain would use. Typically anti-spam gateways or hosted services used inbound on one IP, whereas outbound mail coming from another IP and server.
>
> Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them!

Valid point, thanks for the input.

That's why I decided to white-list with a date in the past. In case there is no reply the white-list goes away soon. The main idea of this script was to have faster replies for mails to people we have sent mail ourselves. Some mail servers have ridiculously long retry periods and waiting an hour for a mail just sent made people impatient. This actually helped a lot.

I could do a SPF lookup to white-list the outgoing remote servers though.

On 2012-04-17 11:50, Reindl Harald wrote:
> are you aware that you are whitelisting this way servers which sent spam to a user with autoreply?

Haven't actually thought about that. Thanks for bringing it up. I guess filtering autoreplies would be a good idea if I can figure out how.
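Added example (not part of the thread, and not postgrey or postpals code): one way to choose whitelist candidates from the delivery log that covers the gaps named above, namely IPv6 relays, autoreplies, and reading a stream instead of the last line. It assumes autoreplies and bounces leave with the null envelope sender (from=<>), which is common but not universal; the log lines are constructed and the function names are illustrative.

```python
"""Pick greylist-whitelist candidates from Postfix delivery logs, line by line."""
import ipaddress
import re

# Constructed sample log lines; every host, address and queue ID is made up.
SAMPLE_LOG = """\
Apr 17 11:00:01 mx postfix/qmgr[900]: A1B2C3D4E5: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Apr 17 11:00:02 mx postfix/smtp[911]: A1B2C3D4E5: to=<pal@partner.example>, relay=mx.partner.example[203.0.113.5]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 accepted from [192.0.2.200])
Apr 17 11:00:02 mx postfix/qmgr[900]: A1B2C3D4E5: removed
Apr 17 11:01:10 mx postfix/qmgr[900]: B2C3D4E5F6: from=<>, size=2100, nrcpt=1 (queue active)
Apr 17 11:01:11 mx postfix/smtp[912]: B2C3D4E5F6: to=<offer@bulk.example>, relay=mx.bulk.example[198.51.100.99]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 OK)
Apr 17 11:02:20 mx postfix/qmgr[900]: C3D4E5F6A7: from=<bob@example.com>, size=1500, nrcpt=1 (queue active)
Apr 17 11:02:21 mx postfix/smtp[913]: C3D4E5F6A7: to=<v6@partner.example>, relay=mx6.partner.example[2001:db8::25]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 OK)
Apr 17 11:03:30 mx postfix/qmgr[900]: D4E5F6A7B8: from=<carol@example.com>, size=800, nrcpt=1 (queue active)
Apr 17 11:03:30 mx postfix/smtp[914]: D4E5F6A7B8: to=<dan@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E5F6A7B8C9)
Apr 17 11:04:40 mx postfix/smtp[915]: F6A7B8C9D0: to=<eve@slow.example>, relay=mx.slow.example[192.0.2.66]:25, delay=5, delays=0.1/0/2/2.9, dsn=4.3.0, status=deferred (host mx.slow.example[192.0.2.66] said: 451 4.3.0 try later)
"""

QID_LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)$")
SENDER = re.compile(r"^from=<([^>]*)>")
# Anchored on the relay= field and matched field by field up to status=sent,
# so a bracketed address inside the remote server's reply text is never captured.
SENT = re.compile(
    r"^to=<[^>]*>,(?: orig_to=<[^>]*>,)? relay=[^,\[]*\[([0-9A-Fa-f:.]+)\]:\d+, "
    r"(?:\w+=[^, ]+, )*status=sent \("
)


def greedy_match_ip(line):
    """The script's pattern, for comparison: it returns the LAST bracketed IPv4."""
    m = re.search(r".*relay=.*\[([0-9\.]+)\]", line)
    return m.group(1) if m else None


def whitelist_candidates(lines):
    """Return relay IPs (v4 and v6) that accepted mail from a real sender."""
    senders = {}      # queue ID -> envelope sender, learned from qmgr lines
    candidates = []
    for line in lines:
        m = QID_LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "qmgr":
            s = SENDER.match(rest)
            if s:
                senders[qid] = s.group(1)
            elif rest == "removed":
                senders.pop(qid, None)   # message left the queue
            continue
        if daemon != "smtp":
            continue
        sent = SENT.match(rest)
        if not sent:
            continue                     # deferred, bounced, or not a delivery line
        # Null sender (autoreply/bounce) or sender never seen: do not whitelist.
        if not senders.get(qid):
            continue
        try:
            ip = ipaddress.ip_address(sent.group(1))
        except ValueError:
            continue
        if ip.is_loopback:
            continue                     # local content-filter hop, not a remote MX
        if str(ip) not in candidates:
            candidates.append(str(ip))
    return candidates


if __name__ == "__main__":
    print(whitelist_candidates(SAMPLE_LOG.splitlines()))
```

Fed from a pipe or fifo, the same function replaces the tail -n1 lookup; the list it returns is still the inbound MX side only, which is the limitation the replies in this thread discuss.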
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 12:54:10PM +0200, Reindl Harald wrote:
> the hard facts are that EVERY site using a dedicated spamfilter (own appliance or external service) have different IP's for MX and outgoing mail

So? Postpals also looks at whole /24 subnets and also can compare sender/recipient emails.

> additionally most big sites have MANY outgoing mailservers

I guess this would be new information for someone who doesn't have a clue. And it has little to do with how postpals performs in real life. Have you even READ the description?

    This is important because many legitimate servers are located in dynamic looking networks etc, which commonly result in false rejects.

Catching your big sites is not a goal worth mentioning. Your big sites are very likely to be on global whitelists already.

>>> i don't use it BECAUSE i understand the non-benefits
>>
>> Non-benefits? Like wasting few bytes of memory for keeping barracuda.thelounge.net in database even if it never matches?
>
> what exactly do you not understand in the word benefit?
> where did i say anything about wasting memory?
> please consult google the explain benefit

You haven't actually said _anything_, only spread unnecessary doubt to everyone.

> however, do what YOU want if you are happy, but accept that there other people which are calling it nonsense

Some people actually test theories before calling them nonsense. You haven't made a single point why there would be non-benefits in running postpals.
Re: postgrey outgoing mail whitelister
On 2012-04-17 12:09, Robert Schetterer wrote:
> what about using some tecs from here
> http://mailfud.org/postpals/

Thanks for the link, that's pretty much what I was looking for. Guess I'll have to improve my search engine skills ;)

--
Claudius
Re: postgrey outgoing mail whitelister
On 17.04.2012 13:05, Henrik K wrote:
> Some people actually test theories before calling them nonsense. You haven't made a single point why there would be non-benefits in running postpals.

maybe you should have read my replies?

you are sending to the MX
you are whitelisting the MX
wonderful, the MX is mostly not the outgoing server

you are receiving a spam-message
your user has a autoreply
with bad luck you are whitelisting the spamming server

use greylisting or do not
but it makes little sense to make AUTOMATIC whitelisting

if you think it makes sense for you do it but realize that others have more practical experience over years which can not be displayed in a single log snippet saying that it is a really bad idea
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 11:04:43AM +0100, Sam Jones wrote:
> Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them!

It's fine to imagine many worst case scenarios, but it doesn't mean that you actually ever encounter one or that they even exist.

A shared server or similar could be sending both ham and spam. I'm sure you would rather receive the ham instead of rejecting it straight away. After all, you do have _more_ defence layers than just the simple rbl/greylisting at MTA stage which we are talking about bypassing here?

Someone commented about autoresponders.. every good admin should block them to suspicious mails anyway. I sure have lots of processing on my relay which prevents autoreplying to anything even smelling like spam. Stupid Outlookers..
Re: postgrey outgoing mail whitelister
On 17.04.2012 13:37, Henrik K wrote:
> On Tue, Apr 17, 2012 at 11:04:43AM +0100, Sam Jones wrote:
>> Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them!
>
> It's fine to imagine many worst case scenarios, but it doesn't mean that you actually ever encounter one or that they even exist.
>
> A shared server or similar could be sending both ham and spam. I'm sure you would rather receive the ham instead of rejecting it straight away.

this would be true if greylisting would rejecting straight away but greylisting don't by design

it kills only RFC ignorant MTA's

servers of people with permanent communication are whitelisted automatically by design, the other messages are only delayed

so this sounds like having solution, searching for problem
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 01:29:23PM +0200, Reindl Harald wrote:
> you are sending to the MX
> you are whitelisting the MX
> wonderful, the MX is mostly not the outgoing server
>
> you are receiving a spam-message
> your user has a autoreply
> with bad luck you are whitelisting the spamming server

So a imaginary bad luck scenario. It's funny I haven't encountered any in the two years I've been doing this _in the real world_. Also read my autoreply comment in other post.

> use greylisting or do not
> but it makes little sense to make AUTOMATIC whitelisting

You do realize that the whitelisting should only apply to direct MTA rbl/greylisting/ptr/etc rules? If that's your _only_ defence, then yes I guess you should not use postpals.

> if you think it makes sense for you do it but realize that others have more practical experience over years which can not be displayed in a single log snippet saying that it is a really bad idea

Hopefully by now people realize that your practical experience is questionable.
Re: postgrey outgoing mail whitelister
On 17.04.2012 13:43, Henrik wrote:
> You do realize that the whitelisting should only apply to direct MTA rbl/greylisting/ptr/etc rules? If that's your _only_ defence, then yes I guess you should not use postpals.
>
>> if you think it makes sense for you do it but realize that others have more practical experience over years which can not be displayed in a single log snippet saying that it is a really bad idea
>
> Hopefully by now people realize that your practical experience is questionable.

--
Best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
Re: postgrey outgoing mail whitelister
On 17.04.2012 13:43, Henrik K wrote:
> Hopefully by now people realize that your practical experience is questionable.

my practical experience is managing some hundred domains with 15.000 RCPT since years - so stop your idiotic personal attacks while nobody attacked you until you creeped out of your hole and replied to a message which was not sent as reply to one of yours
Re: postgrey outgoing mail whitelister
Quoting Reindl Harald h.rei...@thelounge.net:
> On 17.04.2012 13:43, Henrik K wrote:
>> Hopefully by now people realize that your practical experience is questionable.
>
> my practical experience is managing some hundred domains with 15.000 RCPT since years - so stop your idiotic personal attacks while nobody attacked you until you creeped out of your hole and replied to a message which was not sent as reply to one of yours

Calm down boys. The world is not true/false but mostly "it depends". If you really insist in pissing contest take it somewhere else, most of us don't care.

Andreas
Re: postgrey outgoing mail whitelister
On 17.04.2012 14:00, Henrik K wrote:
> On Tue, Apr 17, 2012 at 01:53:50PM +0200, Reindl Harald wrote:
>> On 17.04.2012 13:43, Henrik K wrote:
>>> Hopefully by now people realize that your practical experience is questionable.
>>
>> my practical experience is managing some hundred domains with 15.000 RCPT since years - so stop your idiotic personal attacks while nobody attacked you until you creeped out of your hole and replied to a message which was not sent as reply to one of yours
>
> Feel sorry for your users.. it's pretty obvious that your experience and PRACTICAL experience are different things.

to remember: the "Stop spreading stupid FUD" was your first reply in this thread

you are a blindly idiot

play around with your childish solutions for problems which are not existing while other people are using dedicated spamfirewalls since many years which do no need greylisting at all because spam protection will never be made by one setting the right way

really - leave me fuck in peace

>> this is a typical business case
>
> Stop spreading stupid FUD. It works in _majority_ of cases.
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 02:06:34PM +0200, Reindl Harald wrote:
> On 17.04.2012 14:00, Henrik K wrote:
>> On Tue, Apr 17, 2012 at 01:53:50PM +0200, Reindl Harald wrote:
>>> On 17.04.2012 13:43, Henrik K wrote:
>>>> Hopefully by now people realize that your practical experience is questionable.
>>>
>>> my practical experience is managing some hundred domains with 15.000 RCPT since years - so stop your idiotic personal attacks while nobody attacked you until you creeped out of your hole and replied to a message which was not sent as reply to one of yours
>>
>> Feel sorry for your users.. it's pretty obvious that your experience and PRACTICAL experience are different things.
>
> to remember: the "Stop spreading stupid FUD" was your first reply in this thread
>
> you are a blindly idiot

I apologize my Reply-To was left intact for private replies.. this was not meant for postfix-users. On my part this is already finished.
How to extend smtpd_sender_restrictions to DISCARD mail for all recipients if just one matches in a hash table?
Hey!

I finally installed a postfix mail server this past weekend. Pretty straightforward with the awesome docs! Well, once ya find it all ;-)

In my config, I declared

    smtpd_sender_restrictions=check_recipient_access,hash:/etc/postfix/lists/traps

with entries in /etc/postfix/lists/traps,

    b...@domain.com DISCARD

Mail sent to that address appears to be accepted, but really gets quietly DISCARDed, and processing stops. Like it's supposed to.

If there are additional recipients in the TO: list that are not in the hash list, they still are delivered. So if there's a mail sent TO: both b...@domain.com and m...@domain.com one copy gets accepted for the m...@domain.com recipient.

I want to change the behavior so if ANY of the TO: recipient addresses are in the hash table the mail is discarded for ALL the recipients, accepted, delivered for no one.

With all the flexibility it's gotta be possible. I just can't find the right topic on the docs for it though.

Got a suggestion for me how to get this done?

Cheers,
Niemh
Re: How to extend smtpd_sender_restrictions to DISCARD mail for all recipients if just one matches in a hash table?
On 2012-04-17 20:20, n756...@50mail.com wrote:
> Hey!
>
> I finally installed a postfix mail server this past weekend. Pretty straightforward with the awesome docs! Well, once ya find it all ;-)
>
> In my config, I declared
>
>     smtpd_sender_restrictions=check_recipient_access,hash:/etc/postfix/lists/traps

This is incorrect; the format is described clearly as:

    smtpd_sender_restrictions=check_recipient_access hash:/etc/postfix/lists/traps

> with entries in /etc/postfix/lists/traps,
>
>     b...@domain.com DISCARD
>
> Mail sent to that address appears to be accepted, but really gets quietly DISCARDed, and processing stops. Like it's supposed to.

No. Do not discard mail unless you have absolutely no alternative. In this case you provide no arguments for discarding mail; use REJECT instead.

> If there are additional recipients in the TO: list that are not in the hash list, they still are delivered. So if there's a mail sent TO: both b...@domain.com and m...@domain.com one copy gets accepted for the m...@domain.com recipient.

Provide evidence that this happens. Please see the welcome message you received when joining this list on how to provide adequate information:

http://www.postfix.org/DEBUG_README.html#mail

--
J.
Re: How to extend smtpd_sender_restrictions to DISCARD mail for all recipients if just one matches in a hash table?
On 4/17/2012 1:20 PM, n756...@50mail.com wrote:
> Hey!
>
> I finally installed a postfix mail server this past weekend. Pretty straightforward with the awesome docs! Well, once ya find it all ;-)
>
> In my config, I declared
>
>     smtpd_sender_restrictions=check_recipient_access,hash:/etc/postfix/lists/traps
>
> with entries in /etc/postfix/lists/traps,
>
>     b...@domain.com DISCARD
>
> Mail sent to that address appears to be accepted, but really gets quietly DISCARDed, and processing stops. Like it's supposed to.
>
> If there are additional recipients in the TO: list that are not in the hash list, they still are delivered. So if there's a mail sent TO: both b...@domain.com and m...@domain.com one copy gets accepted for the m...@domain.com recipient.
>
> I want to change the behavior so if ANY of the TO: recipient addresses are in the hash table the mail is discarded for ALL the recipients, accepted, delivered for no one.

The access(5) man page includes, in part:

    DISCARD optional text...
        Claim successful delivery and silently discard the message. Log the optional text if specified, otherwise log a generic message.

        Note: this action currently affects all recipients of the message. To discard only one recipient without discarding the entire message, use the transport(5) table to direct mail to the discard(8) service.

So your claim is not supported by the documentation.

http://www.postfix.org/access.5.html

If you wish to make a case that postfix does not behave as documented, you'll need to provide clear evidence of your claim.

And as food for thought, DISCARD works as documented for me.

-- Noel Jones
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 12:55:05PM +0200, Claudius wrote:
> On 2012-04-17 12:04, Sam Jones wrote:
>> And I would add that an inbound MX does not necessarily === the same outbound server a domain would use. Typically anti-spam gateways or hosted services used inbound on one IP, whereas outbound mail coming from another IP and server.
>>
>> Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them!
>
> Valid point, thanks for the input.

Eh, I'd call that a red herring.

> That's why I decided to white-list with a date in the past. In case there is no reply the white-list goes away soon. The main idea of this script was to have faster replies for mails to people we have sent mail ourselves. Some mail servers have ridiculously long retry periods and waiting an hour for a mail just sent made people impatient. This actually helped a lot.
>
> I could do a SPF lookup to white-list the outgoing remote servers though.

That would make sense. As long as your whitelist merely bypasses greylisting you're not going to cause much harm with it.

> On 2012-04-17 11:50, Reindl Harald wrote:
>> are you aware that you are whitelisting this way servers which sent spam to a user with autoreply?
>
> Haven't actually thought about that. Thanks for bringing it up. I guess filtering autoreplies would be a good idea if I can figure out how.

In itself this is not a significant issue. An autoreply to spam is rarely going to go to the spammer: it will go to an innocent third party, or to an address which is not valid.

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: How to extend smtpd_sender_restrictions to DISCARD mail for all recipients if just one matches in a hash table?
On Tue, Apr 17, 2012, at 02:25 PM, Noel Jones wrote:
> The access(5) man page includes, in part: ...
> So your claim is not supported by the documentation. http://www.postfix.org/access.5.html
> If you wish to make a case that postfix does not behave as documented, you'll need to provide clear evidence of your claim.

I read the docs. That's where I started. I thought I configured it right, but I'm not seeing the 'DISCARD for all' happen so I'm asking here. I'm not making any kind of 'case'. I'm 'claiming' what I'm seeing. If I'm misunderstanding something, that's why I'm asking.

I logged into my webmail @myprovider

I sent one test mail

FROM: n###@###.com
TO: b...@domain.com, m...@domain.com

For that message send, postfix logs on my end show:

Apr 17 11:52:48 mail postfix/smtpd[23367]: connect from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:48 mail postfix/smtpd[23369]: connect from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:49 mail postfix/smtpd[23367]: setting up TLS connection from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:49 mail postfix/smtpd[23369]: setting up TLS connection from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:49 mail postfix/smtpd[23367]: Anonymous TLS connection established from smtp.myprovider.com[1.2.3.4]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Apr 17 11:52:49 mail postfix/smtpd[23369]: Anonymous TLS connection established from smtp.myprovider.com[1.2.3.4]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Apr 17 11:52:49 mail postfix/smtpd[23369]: NOQUEUE: discard: RCPT from smtp.myprovider.com[1.2.3.4]: b...@domain.com: Recipient address triggers DISCARD action; from=n###@###.com to=b...@domain.com proto=ESMTP helo=smtp.myprovider.com
Apr 17 11:52:49 mail postfix/smtpd[23369]: 7D4EA6039A: client=smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:49 mail postfix/smtpd[23369]: disconnect from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:50 mail postfix/smtpd[23367]: 10FED6039A: client=smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:50 mail postfix/cleanup[23372]: 10FED6039A: message-id=9846513213.98464.842132465432132.8cc36...@horde.myprovider.com
Apr 17 11:52:50 mail postfix/qmgr[18330]: 10FED6039A: from=n###@###.com, size=1903, nrcpt=1 (queue active)
Apr 17 11:52:50 mail postfix/smtpd[23367]: disconnect from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:56 mail postfix/smtpd[23391]: connect from localhost.localdomain[127.0.0.1]
Apr 17 11:52:56 mail postfix/smtpd[23391]: 6B0636039F: client=localhost.localdomain[127.0.0.1]
Apr 17 11:52:56 mail postfix/cleanup[23372]: 6B0636039F: message-id=9846513213.98464.842132465432132.8cc36...@horde.myprovider.com
Apr 17 11:52:56 mail postfix/qmgr[18330]: 6B0636039F: from=n###@###.com, size=2850, nrcpt=1 (queue active)
Apr 17 11:52:56 mail postfix/smtp[23375]: 10FED6039A: to=m...@domain.com, relay=127.0.0.1[127.0.0.1]:10024, delay=7.1, delays=0.71/0.01/0.02/6.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6B0636039F)
Apr 17 11:52:56 mail postfix/qmgr[18330]: 10FED6039A: removed
Apr 17 11:52:56 mail postfix/lmtp[23412]: 6B0636039F: to=m...@domain.com, relay=domain.com[10.0.0.1]:7025, delay=0.27, delays=0.12/0.03/0/0.12, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)

It looks to me like it's being handled as two separate transactions where one gets discarded and one passes through.

Niemh
Re: How to extend smtpd_sender_restrictions to DISCARD mail for all recipients if just one matches in a hash table?
On 4/17/2012 3:55 PM, n756...@50mail.com wrote:
> FROM: n###@###.com
> TO: b...@domain.com, m...@domain.com
>
> For that message send, postfix logs on my end show:
>
> Apr 17 11:52:48 mail postfix/smtpd[23367]: connect from smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:48 mail postfix/smtpd[23369]: connect from smtp.myprovider.com[1.2.3.4]

Notice 2 connections.

> Apr 17 11:52:49 mail postfix/smtpd[23369]: NOQUEUE: discard: RCPT from smtp.myprovider.com[1.2.3.4]: b...@domain.com: Recipient address triggers DISCARD action; from=n###@###.com to=b...@domain.com proto=ESMTP helo=smtp.myprovider.com
> Apr 17 11:52:49 mail postfix/smtpd[23369]: 7D4EA6039A: client=smtp.myprovider.com[1.2.3.4]

OK queue id 7D4EA6039A from process 22369 triggered the DISCARD action. Great.

> Apr 17 11:52:49 mail postfix/smtpd[23369]: disconnect from smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:50 mail postfix/smtpd[23367]: 10FED6039A: client=smtp.myprovider.com[1.2.3.4]

Queue id 10FED6039A was received by 23367

> Apr 17 11:52:50 mail postfix/cleanup[23372]: 10FED6039A: message-id=9846513213.98464.842132465432132.8cc36...@horde.myprovider.com
> Apr 17 11:52:50 mail postfix/qmgr[18330]: 10FED6039A: from=n###@###.com, size=1903, nrcpt=1 (queue active)
> Apr 17 11:52:50 mail postfix/smtpd[23367]: disconnect from smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:56 mail postfix/smtpd[23391]: connect from localhost.localdomain[127.0.0.1]
> Apr 17 11:52:56 mail postfix/smtpd[23391]: 6B0636039F: client=localhost.localdomain[127.0.0.1]
> Apr 17 11:52:56 mail postfix/cleanup[23372]: 6B0636039F: message-id=9846513213.98464.842132465432132.8cc36...@horde.myprovider.com
> Apr 17 11:52:56 mail postfix/qmgr[18330]: 6B0636039F: from=n###@###.com, size=2850, nrcpt=1 (queue active)
> Apr 17 11:52:56 mail postfix/smtp[23375]: 10FED6039A: to=m...@domain.com, relay=127.0.0.1[127.0.0.1]:10024, delay=7.1, delays=0.71/0.01/0.02/6.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6B0636039F)

Connection from 23367 after queue filter is now 6B0636039F.

> Apr 17 11:52:56 mail postfix/qmgr[18330]: 10FED6039A: removed
> Apr 17 11:52:56 mail postfix/lmtp[23412]: 6B0636039F: to=m...@domain.com, relay=domain.com[10.0.0.1]:7025, delay=0.27, delays=0.12/0.03/0/0.12, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
>
> It looks to me like it's being handled as two separate transactions where one gets discarded and one passes through.

This is a case of your provider trying to be helpful and splitting each recipient into a new message. The second message does not include the discarded recipient, so Postfix accepts it.
Re: How to extend smtpd_sender_restrictions to DISCARD mail for all recipients if just one matches in a hash table?
On 4/17/2012 2:55 PM, n756...@50mail.com wrote:
> On Tue, Apr 17, 2012, at 02:25 PM, Noel Jones wrote:
>> The access(5) man page includes, in part: ...
>> So your claim is not supported by the documentation. http://www.postfix.org/access.5.html
>> If you wish to make a case that postfix does not behave as documented, you'll need to provide clear evidence of your claim.
>
> I read the docs. That's where I started. I thought I configured it right, but I'm not seeing the 'DISCARD for all' happen so I'm asking here. I'm not making any kind of 'case'. I'm 'claiming' what I'm seeing. If I'm misunderstanding something, that's why I'm asking.
>
> I logged into my webmail @myprovider
>
> I sent one test mail
>
> FROM: n###@###.com
> TO: b...@domain.com, m...@domain.com
>
> For that message send, postfix logs on my end show:
>
> Apr 17 11:52:48 mail postfix/smtpd[23367]: connect from smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:48 mail postfix/smtpd[23369]: connect from smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:49 mail postfix/smtpd[23367]: setting up TLS connection from smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:49 mail postfix/smtpd[23369]: setting up TLS connection from smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:49 mail postfix/smtpd[23367]: Anonymous TLS connection established from smtp.myprovider.com[1.2.3.4]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
> Apr 17 11:52:49 mail postfix/smtpd[23369]: Anonymous TLS connection established from smtp.myprovider.com[1.2.3.4]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
> Apr 17 11:52:49 mail postfix/smtpd[23369]: NOQUEUE: discard: RCPT from smtp.myprovider.com[1.2.3.4]: b...@domain.com: Recipient address triggers DISCARD action; from=n###@###.com to=b...@domain.com proto=ESMTP helo=smtp.myprovider.com
> Apr 17 11:52:49 mail postfix/smtpd[23369]: 7D4EA6039A: client=smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:49 mail postfix/smtpd[23369]: disconnect from smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:50 mail postfix/smtpd[23367]: 10FED6039A: client=smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:50 mail postfix/cleanup[23372]: 10FED6039A: message-id=9846513213.98464.842132465432132.8cc36...@horde.myprovider.com
> Apr 17 11:52:50 mail postfix/qmgr[18330]: 10FED6039A: from=n###@###.com, size=1903, nrcpt=1 (queue active)
> Apr 17 11:52:50 mail postfix/smtpd[23367]: disconnect from smtp.myprovider.com[1.2.3.4]
> Apr 17 11:52:56 mail postfix/smtpd[23391]: connect from localhost.localdomain[127.0.0.1]
> Apr 17 11:52:56 mail postfix/smtpd[23391]: 6B0636039F: client=localhost.localdomain[127.0.0.1]
> Apr 17 11:52:56 mail postfix/cleanup[23372]: 6B0636039F: message-id=9846513213.98464.842132465432132.8cc36...@horde.myprovider.com
> Apr 17 11:52:56 mail postfix/qmgr[18330]: 6B0636039F: from=n###@###.com, size=2850, nrcpt=1 (queue active)
> Apr 17 11:52:56 mail postfix/smtp[23375]: 10FED6039A: to=m...@domain.com, relay=127.0.0.1[127.0.0.1]:10024, delay=7.1, delays=0.71/0.01/0.02/6.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6B0636039F)
> Apr 17 11:52:56 mail postfix/qmgr[18330]: 10FED6039A: removed
> Apr 17 11:52:56 mail postfix/lmtp[23412]: 6B0636039F: to=m...@domain.com, relay=domain.com[10.0.0.1]:7025, delay=0.27, delays=0.12/0.03/0/0.12, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
>
> It looks to me like it's being handled as two separate transactions where one gets discarded and one passes through.
>
> Niemh

Looks as if your provider is sending two separate messages. Note the log line from qmgr (the queue manager) with nrcpt=1 -- that means the message was submitted with one recipient.

There's not much you can do about that from the receiving end. It might be tempting to use header_checks to DISCARD the message if the To: header contains a banned recipient, but that's likely to bite you in the nether region one day, and not recommended.

-- Noel Jones
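The correlation done by hand in the replies above (smtpd process ID, then queue ID, then the qmgr nrcpt value) can be scripted. This is an added example, not code from any post in the thread; the log lines are a constructed sample modeled on the excerpt, with placeholder addresses, and the function and field names are hypothetical.

```python
import re

# Constructed sample modeled on the thread's excerpt; the addresses are
# placeholders (real Postfix logs wrap addresses in <>, as here).
SAMPLE_LOG = """\
Apr 17 11:52:48 mail postfix/smtpd[23367]: connect from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:48 mail postfix/smtpd[23369]: connect from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:49 mail postfix/smtpd[23369]: NOQUEUE: discard: RCPT from smtp.myprovider.com[1.2.3.4]: <trap@example.com>: Recipient address triggers DISCARD action; from=<sender@example.net> to=<trap@example.com> proto=ESMTP helo=<smtp.myprovider.com>
Apr 17 11:52:49 mail postfix/smtpd[23369]: 7D4EA6039A: client=smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:49 mail postfix/smtpd[23369]: disconnect from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:50 mail postfix/smtpd[23367]: 10FED6039A: client=smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:50 mail postfix/qmgr[18330]: 10FED6039A: from=<sender@example.net>, size=1903, nrcpt=1 (queue active)
Apr 17 11:52:50 mail postfix/smtpd[23367]: disconnect from smtp.myprovider.com[1.2.3.4]
Apr 17 11:52:56 mail postfix/smtp[23375]: 10FED6039A: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# Assumes short (hexadecimal) queue IDs, as in the thread's logs.
LINE = re.compile(r"postfix/(?P<svc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)")
QID = re.compile(r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
ADDR = r"=<([^>]*)>"

def correlate(log_text):
    """Return one summary per smtpd session, with the qmgr and delivery
    records for the queue IDs that session created attached to it."""
    sessions, current, owner = [], {}, {}  # all, pid -> open session, qid -> session
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, pid, msg = m["svc"], m["pid"], m["msg"]
        q = QID.match(msg)
        if svc == "smtpd" and msg.startswith("connect from "):
            current[pid] = {"pid": pid, "client": msg[len("connect from "):],
                            "sender": None, "discarded": [], "qids": [],
                            "nrcpt": 0, "delivered": []}  # delivered = status=sent hand-offs
            sessions.append(current[pid])
        elif svc == "smtpd" and msg.startswith("disconnect from "):
            current.pop(pid, None)  # the same smtpd process may serve another client later
        elif svc == "smtpd" and pid in current and ": discard: RCPT from " in msg:
            current[pid]["sender"] = re.search(" from" + ADDR, msg).group(1)
            current[pid]["discarded"].append(re.search(" to" + ADDR, msg).group(1))
        elif svc == "smtpd" and pid in current and q and q["rest"].startswith("client="):
            current[pid]["qids"].append(q["qid"])
            owner[q["qid"]] = current[pid]
        elif q and q["qid"] in owner:
            s = owner[q["qid"]]
            if svc == "qmgr" and "nrcpt=" in q["rest"]:
                s["sender"] = re.search("from" + ADDR, q["rest"]).group(1)
                s["nrcpt"] = int(re.search(r"nrcpt=(\d+)", q["rest"]).group(1))
            elif "status=sent" in q["rest"]:
                s["delivered"].append(re.search("to" + ADDR, q["rest"]).group(1))
    return sessions

def split_evidence(sessions):
    """(discarding pid, delivering pid) pairs with the same client and sender:
    the pattern of a sending system submitting one message per recipient."""
    return [(a["pid"], b["pid"]) for a in sessions for b in sessions
            if a["discarded"] and b["delivered"] and not b["discarded"]
            and a["client"] == b["client"] and a["sender"] == b["sender"]]

if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG):
        print(s["pid"], s["qids"], "discarded:", s["discarded"], "nrcpt:", s["nrcpt"])
    print("split pairs:", split_evidence(correlate(SAMPLE_LOG)))
```

A pair reported by split_evidence is only an indication: matching client and sender does not prove that two sessions carried the same original message.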
Re: How to extend smtpd_sender_restrictions to DISCARD mail for all recipients if just one matches in a hash table?
Brian

On Tue, Apr 17, 2012, at 04:09 PM, Brian Evans - Postfix List wrote:
>> It looks to me like it's being handled as two separate transactions where one gets discarded and one passes through.
>
> This is a case of your provider trying to be helpful and splitting each recipient into a new message. The second message does not include the discarded recipient, so Postfix accepts it.

So those really ARE two separate connections from the outside :-/ That didn't dawn on me as possible or likely. My own server/mailer never do that. Seems like it'd be work to get it to do that. That would sure explain it though. Just looking at the postfix logs I didn't know that that wasn't somehow Postfix doing it as a result of my config.

Unless my helpful provider adds some detectable header info, I guess that once the recipients are split that Postfix has no way to detect that the two connections are correlated to one another. So for mail from this provider I have to live with it unless they fix it.

Do you know if that kind of recipient-splitting is specifically disallowed by any RFC?

In the meantime I dug up a dusty gmail account and redid the mail send test to both recipients. This time one connection, one DISCARD, nothing gets delivered. That's what I hoped for in the first place.

Cheers

Niemh
Re: postgrey outgoing mail whitelister
Quoting Henrik K h...@hege.li:
> On Tue, Apr 17, 2012 at 11:04:43AM +0100, Sam Jones wrote:
>> Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them!
>
> A shared server or similar could be sending both ham and spam. I'm sure you would rather receive the ham instead of rejecting it straight away. After all, you do have _more_ defence layers than just the simple rbl/greylisting at MTA stage which we are talking about bypassing here?
>
> Someone commented about autoresponders.. every good admin should block them to suspicious mails anyway. I sure have lots of processing on my relay which prevents autoreplying to anything even smelling like spam. Stupid Outlookers..

Why bother whitelisting any ip address? I have my system flag the outgoing and incoming email address.

If the from address and the to address, are reversed from how the email went from me to them, AND it passes other checks, like spf, THEN that email can come directly in.

This isn't affected by shared servers, whitelisting incorrect ip addresses, and other issues.

I also run most of my domains with different incoming and outgoing ip addresses for email.
Re: How to extend smtpd_sender_restrictions to DISCARD mail for all recipients if just one matches in a hash table?
n756...@50mail.com:
> Do you know if that kind of recipient-splitting is specifically disallowed by any RFC?

It is not forbidden, and it is in fact the basis of how qmail works.

Wietse
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 04:44:49PM -0400, Patrick Domack wrote:
> Why bother whitelisting any ip address? I have my system flag the outgoing and incoming email address.

Am I defensive or stupid for wondering what's the point of your question? Surely people whitelist all kinds of things with different methods? Why do dnswl.org or other IP whitelisting exist? There are too many angles to consider.

> If the from address and the to address, are reversed from how the email went from me to them, AND it passes other checks, like spf, THEN that email can come directly in.

Nothing wrong with this. Of course it's just one method amongst others and targets a pretty narrow area.

> This isn't affected by shared servers, whitelisting incorrect ip addresses, and other issues.

Makes it sound like there are severe issues. All this is rare and in reality the whitelisting we are talking about is only about skipping some MTA rules that might directly delay or reject mail. Things change the more deeper you apply.

> I also run most of my domains with different incoming and outgoing ip addresses for email.

But are they in the same subnet? Even if they aren't, it makes no difference. There are plenty enough servers that are. Different methods target different things.

I'm truly sorry if I sound harsh or defensive, but that may be the direct Finnish way. Still, is it too much to ask for looking at things from many angles or backing up claims with any kind of statistics or science instead of personal gut feelings?
Re: postgrey outgoing mail whitelister
On Wed, Apr 18, 2012 at 04:33:31AM +0300, Henrik K wrote:
> Still, is it too much to ask for looking at things from many angles or backing up claims with any kind of statistics or science instead of personal gut feelings?

Where/how would one collect such data?

My mail stream differs from yours, as does my spam problem. The best, meticulously gathered statistics from one site won't be applicable to another site.

Unfortunately the gut is what we have. My gut feeling is that SPF lookups are the surest way to make this scheme work without causing some kind of problem. Yes, my MX is also the outbound relay, but at bigger sites this is less likely.

Another gut feeling: greylisting is past its prime. I do it using postscreen, but I sometimes consider disabling the deep protocol tests. The DNSBL scoring system is what blocks most of my spam.

-- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: outgoing mail whitelister
On Tue, Apr 17, 2012 at 09:13:55PM -0500, /dev/rob0 wrote:
> On Wed, Apr 18, 2012 at 04:33:31AM +0300, Henrik K wrote:
>> Still, is it too much to ask for looking at things from many angles or backing up claims with any kind of statistics or science instead of personal gut feelings?
>
> Where/how would one collect such data?

I guess we would need to have consensus first on what exactly to measure. Maybe I'll do some scripts later so everyone can test on their own logs.

To be very clear, let me tell you my basic assumption again.

All I've hypothesized is that any server accepting incoming mail is a legitimate one. Any server meaning those that my users have sent real mail in the past. Domain names and everything else is irrelevant to me, only the IP matters. In fact I just use the whole /24 subnet. And yes I've been doing this already for two years.

My reason for whitelisting such servers at the MTA STAGE is that any number of changing reasons might get the server blocked by RBLs, greylisted, PTR might have accidentally changed to bad etc. You can also use the data for scoring in SA just like you would use any other reputation or whitelist thing.

One is free to argue that this might or might not have any meaningful helping effect. Yet the same could be said for any number of rules and checks that people use. For my use, this brings no overhead or admin costs, so it's a no brainer here. Others might want to keep things extremely simple, or just sadly directly claim things nonsense.

> My mail stream differs from yours, as does my spam problem. The best, meticulously gathered statistics from one site won't be applicable to another site.

Of course. But you can generalize to some extent using common sense. Let's theorize that dynamic looking IPs send mostly spam. I'm pretty sure it's true for many if not all sites. Naturally the percentages might differ some.

> Unfortunately the gut is what we have. My gut feeling is that SPF lookups are the surest way to make this scheme work without causing some kind of problem. Yes, my MX is also the outbound relay, but at bigger sites this is less likely.

My gut tells me that what I wish to whitelist using my method might rarely use SPF. ;-) And I don't even care about the domains..

> Another gut feeling: greylisting is past its prime. I do it using postscreen, but I sometimes consider disabling the deep protocol tests. The DNSBL scoring system is what blocks most of my spam.

Selective greylisting is a fine tool. It can reduce your DNS lookups and give time for RBLs etc to catch up etc. Generalizing that it's past its prime might not be appropriate, since there are many pros and cons to consider for different scenarios. But please let's not start yet again another unneeded greylisting debate, there has been plenty enough. ;-)