Re: postgrey outgoing mail whitelister

2012-04-18 Thread lst_hoe02

Quoting /dev/rob0:

> On Wed, Apr 18, 2012 at 04:33:31AM +0300, Henrik K wrote:
>
> > Still, is it too much to ask for looking at
> > things from many angles or backing up claims with any kind of
> > statistics or science instead of personal gut feelings?
>
> Where/how would one collect such data? My mail stream differs from
> yours, as does my spam problem. The best, meticulously gathered
> statistics from one site won't be applicable to another site.
>
> Unfortunately the gut is what we have. My gut feeling is that SPF
> lookups are the surest way to make this scheme work without causing
> some kind of problem. Yes, my MX is also the outbound relay, but at
> bigger sites this is less likely.
>
> Another gut feeling: greylisting is past its prime. I do it using
> postscreen, but I sometimes consider disabling the deep protocol
> tests. The DNSBL scoring system is what blocks most of my spam.


And that's how the "gut feelings" differ. On our site greylisting
is by far the most effective spam-block. For a long time we had
problems because the RBL listings for spam sources only appear after
they have dropped their spam to us, so pure RBL/DNSBL is near useless
for us. With greylisting a big share of the spam bots don't come back
anyway and the ones that operate longer are finally listed in the RBLs at
the time they would pass greylisting. Combined with a big automatic
whitelist the negative impact from greylisting is near zero because
all business partners and the like are whitelisted.


Regards

Andreas






redirect null sender

2012-04-18 Thread Amira Othman
Hi all

 

I am building a system that will send mails to a list of users but I need to
stop receiving error emails or redirect them to another account or
/dev/null. I know it is a bad idea but the application I am using will handle
bounce mails so I don't need error emails to be sent to the end user.

 

Regards



Re: redirect null sender

2012-04-18 Thread Ralf Hildebrandt
* Amira Othman :
> Hi all
> 
>  
> 
> I am building system that will send mails to list of users but I need to
> stop receiving error emails or redirect them to another account or
> /dev/null. I know it is bad idea but the application I am using will  handle
> bounce mails so I don't need error email to  be sent to the end user . 

If your application is handling bounce mails, why not send those
to the application then? Otherwise it cannot handle them, can it?

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



RE: redirect null sender

2012-04-18 Thread Amira Othman

* Amira Othman :
> Hi all
> 
>  
> 
> I am building system that will send mails to list of users but I need to
> stop receiving error emails or redirect them to another account or
> /dev/null. I know it is bad idea but the application I am using will  handle
> bounce mails so I don't need error email to  be sent to the end user . 

If your application is handling bounce mails, why not send those
to the application then? Otherwise it cannot handle them, can it?


I don't know how to redirect them because it's not in the format user@domain,
it's the null sender. Where can I add this, if it's possible?




Re: redirect null sender

2012-04-18 Thread Ralf Hildebrandt
* Amira Othman :
> 
> * Amira Othman :
> > Hi all
> > 
> >  
> > 
> > I am building system that will send mails to list of users but I need to
> > stop receiving error emails or redirect them to another account or
> > /dev/null. I know it is bad idea but the application I am using will  handle
> > bounce mails so I don't need error email to  be sent to the end user . 
> 
> If your application is handling bounce mails, why not send those
> to the application then? Otherwise it cannot handle them, can it?
> 
> 
> I don't know how to redirect them to because it's not in the format
> user@domain it's null sender.
the SENDER is null
the recipient is ???

> where can I add this if it's possible?

The bounce goes back to the original sender. The usual way is this:

When sending mail to ralf.hildebra...@charite.de, one would set the
sender to:

nameoflist-bounces+ralf.hildebrandt=charite...@sending.domain.com

So, if mail to "ralf.hildebra...@charite.de" bounces, it goes back to 
"nameoflist-bounces+ralf.hildebrandt=charite...@sending.domain.com",
and by converting "nameoflist-bounces+ralf.hildebrandt=charite.de"
back to "ralf.hildebra...@charite.de" the app knows which address
bounced.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: postgrey outgoing mail whitelister

2012-04-18 Thread Charles Marcus

On 2012-04-17 6:54 AM, Reindl Harald  wrote:

the hard facts are that EVERY site using a dedicated
spamfilter (own appliance or external service) have
different IP's for MX and outgoing mail


Not if they are using said spamfilter service for relaying their 
outbound mail *and* if the spamfilter service uses the same IP blocks 
for relaying.


--

Best regards,

Charles


Re: postgrey outgoing mail whitelister

2012-04-18 Thread Reindl Harald


On 18.04.2012 14:13, Charles Marcus wrote:
> On 2012-04-17 6:54 AM, Reindl Harald  wrote:
>> the hard facts are that EVERY site using a dedicated
>> spamfilter (own appliance or external service) have
>> different IP's for MX and outgoing mail
> 
> Not if they are using said spamfilter service for relaying their outbound 
> mail 
> *and* if the spamfilter service uses the same IP blocks for relaying.

"IP blocks" does not matter and if you whitelist BLOCKS
you are making a major mistake - there are way too many
single addresses with static IP and a mailserver where
the other IPs in the address-block are totally different
customers of the ISP owning the netblock

so you should only whitelist single addresses

a spamfilter usually does not relay
if you have a managed network outgoing mails are usually not spam
so the spamfilter-appliance is a dedicated IP and receives
incoming mail from the internet, relays it after scan to the
mailserver and the mailserver itself relays directly







RE: redirect null sender

2012-04-18 Thread Amira Othman
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Ralf Hildebrandt
Sent: Wednesday, April 18, 2012 2:08 PM
To: postfix-users@postfix.org
Subject: Re: redirect null sender

* Amira Othman :
> 
> * Amira Othman :
> > Hi all
> > 
> >  
> > 
> > I am building system that will send mails to list of users but I need to
> > stop receiving error emails or redirect them to another account or
> > /dev/null. I know it is bad idea but the application I am using will  handle
> > bounce mails so I don't need error email to  be sent to the end user . 
> 
> If your application is handling bounce mails, why not send those
> to the application then? Otherwise it cannot handle them, can it?
> 
> 
> I don't know how to redirect them to because it's not in the format
> user@domain it's null sender.
the SENDER is null
the recipient is ???

> where can I add this if it's possible?

The bounce goes back to the original sender. The usual way is this:

When sending mail to ralf.hildebra...@charite.de, one would set the
sender to:

nameoflist-bounces+ralf.hildebrandt=charite...@sending.domain.com

So, if mail to "ralf.hildebra...@charite.de" bounces, it goes back to 
"nameoflist-bounces+ralf.hildebrandt=charite...@sending.domain.com",
and by converting "nameoflist-bounces+ralf.hildebrandt=charite.de"
back to "ralf.hildebra...@charite.de" the app knows which address
bounced.

But the original sender will not be a user on my mail server. It will be any
client that sends mail through the application. I don't want the client to receive
bounces. How can I do that?



Re: redirect null sender

2012-04-18 Thread Ralf Hildebrandt

> But the original sender will not be user on my mail server. 

It doesn't have to be.

> it will be any client that sends mail through application. 

No. A client is a client. The sender is specified by the application.

> I don't want client to receive bounces. How can I do that? 

Frankly, I don't think you should be doing this. 

Possible solutions:
===

1) Specify the null sender as sender, thus mails cannot bounce.
2) Specify a sender domain pointing to another server (e.g. bounces.example.com)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: redirect null sender

2012-04-18 Thread DTNX Postmaster
On Apr 18, 2012, at 14:38, Amira Othman wrote:

>>> I am building system that will send mails to list of users but I need to
>>> stop receiving error emails or redirect them to another account or
>>> /dev/null. I know it is bad idea but the application I am using will  handle
>>> bounce mails so I don't need error email to  be sent to the end user . 
>> 
>> I don't know how to redirect them to because it's not in the format
>> user@domain it's null sender.
> 
>> where can I add this if it's possible?
> 
> But the original sender will not be user on my mail server .it will be any 
> client that sends mail through application. I don't want client to receive 
> bounces. How can I do that? 

Read up on the difference between the envelope sender (MAIL FROM) and the 
sender specified in the 'From:' header. The former is what is used to handle 
bounces and errors, the latter is what the recipient sees in their mail 
application.

The bounces should return to your server where you can process them, based on 
the envelope sender. Use a domain here that you control, or have your clients 
delegate a subdomain. See Ralf's message for suggestions on how you can 
retrieve the original recipient from the bounce address.

And if you set the 'From:' and 'Reply-To:' headers right, the recipient will be 
able to reply to the messages your clients are sending. It will appear as if 
sent by them, without coming back to you.

Most importantly though, be sure that you know what you are getting yourself 
into. Research your options. Read the Postfix documentation. Read the relevant 
RFCs. Understand all of the above. Use existing functionality, in proven 
software.

Avoid reinventing the wheel, basically :-)

And don't discard errors lightly.

HTH,
Jona
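
The bounce-address scheme from Ralf's message and the envelope sender versus 'From:' split described above, as an added example that is not part of any poster's message. The list name `news`, the domain `bounces.example.com` and all addresses are constructed; splitting on the last `=` is this sketch's own choice so that recipient local parts containing `+` or `=` still round-trip.

```python
from email.message import EmailMessage

BOUNCE_DOMAIN = "bounces.example.com"  # assumption: a domain whose MX you control


def verp_encode(list_name: str, recipient: str) -> str:
    """Build the per-recipient envelope sender (MAIL FROM) for one delivery."""
    local, sep, domain = recipient.rpartition("@")
    if not sep or not local or not domain or "=" in domain:
        raise ValueError(f"not a usable recipient address: {recipient!r}")
    return f"{list_name}-bounces+{local}={domain}@{BOUNCE_DOMAIN}"


def verp_decode(list_name: str, bounce_rcpt: str):
    """Recover the recipient that bounced, or None if the address is not ours."""
    local, sep, domain = bounce_rcpt.rpartition("@")
    prefix = f"{list_name}-bounces+"
    if not sep or domain.lower() != BOUNCE_DOMAIN or not local.startswith(prefix):
        return None
    # A domain cannot contain '=', so the last '=' marks the original '@'.
    orig_local, eq, orig_domain = local[len(prefix):].rpartition("=")
    if not eq or not orig_local or not orig_domain:
        return None
    return f"{orig_local}@{orig_domain}"


def build_delivery(list_name, client_from, recipient, subject, body):
    """Return (envelope_sender, envelope_rcpt, message) for one recipient."""
    msg = EmailMessage()
    msg["From"] = client_from       # what the recipient sees
    msg["Reply-To"] = client_from   # replies go to the client, not to the bounce box
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    # Bounces follow the envelope sender, never the From: header.
    return verp_encode(list_name, recipient), recipient, msg


if __name__ == "__main__":
    env_from, env_rcpt, msg = build_delivery(
        "news", "Client <client@example.net>", "alice+tag@example.org",
        "Hello", "Constructed sample body.\n")
    # Hand-off to an MTA would be:
    #   smtplib.SMTP(host).send_message(msg, from_addr=env_from, to_addrs=[env_rcpt])
    print("MAIL FROM:", env_from)
    print("From:     ", msg["From"])
    print("bounced:  ", verp_decode("news", env_from))
```
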

Virtual domain postfix configuration problem

2012-04-18 Thread Deron Kazmaier
Seems like this is a semi-common problem, but I just can't get my head 
around this. I've been struggling with this for over 5 days, and I could 
really use a fresh pair of eyes:


Trying to send an email from an outside domain (t...@pagestream.org in 
this case) to an email on my server which hosts several domains using 
virtualmin/webmin to configure everything. The emails never make it, but 
get refused. Doesn't make a difference where they come from. I've tried 
many different configurations, so it may well be worse now than when I 
started.


In the current configuration, here is the "final word" from the log 
(complete log at the end):


Apr 18 22:33:43 lisn-mdv postfix/smtpd[8419]: NOQUEUE: reject: RCPT from 
a2s61.a2hosting.com[75.98.165.130]: 554 5.7.1 : 
Recipient address rejected: Access denied; from= 
to= proto=ESMTP helo=
Apr 18 22:33:43 lisn-mdv postfix/smtpd[8419]: generic_checks: 
name=reject status=2
Apr 18 22:33:43 lisn-mdv postfix/smtpd[8419]: > 
a2s61.a2hosting.com[75.98.165.130]: 554 5.7.1 : 
Recipient address rejected: Access denied


postmap -q t...@marksteiner.ag hash:/etc/postfix/virtual returns 
test.marksteiner.ag but I don't see trivial-rewrite making that 
substitution.


The other troublesome bit is that the fqdn is lisn-mdv.razercut.com, but
a virtualmin user suggested it should be ns1.razercut.com. They both
resolve to the same ip, so I'm not sure what that gains me and it is a
non-trivial change.


So could someone give a crazed nut a hand?

Thanks!

Deron

--

Output from postfinger:

postfinger - postfix configuration on Wed Apr 18 22:40:56 EDT 2012
version: 1.30

--System Parameters--
mail_version = 2.8.5
hostname = lisn-mdv.razercut.com
uname = Linux lisn-mdv.razercut.com 2.6.38-11-generic #48-Ubuntu SMP Fri 
Jul 29 19:02:55 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux


--Packaging information--
looks like this postfix comes from deb package: postfix-2.8.5-2~build0.11.04

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
debug_peer_level = 5
debug_peer_list = marksteiner.ag,75.98.165.130,faroutprojects.com,75.104.6.189
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mydestination = lisn-mdv.razercut.com, localhost.razercut.com, , localhost, marksteiner.ag, faroutprojects.com, whdt.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
virtual_alias_maps = hash:/etc/postfix/virtual

--master.cf--
smtp       inet  n   -   -   -       -   smtpd -o smtpd_sasl_auth_enable=yes -v
pickup     fifo  n   -   -   60      1   pickup -v
cleanup    unix  n   -   -   -       0   cleanup -v
qmgr       fifo  n   -   n   300     1   qmgr -v
tlsmgr     unix  -   -   -   1000?   1   tlsmgr -v
rewrite    unix  -   -   -   -       -   trivial-rewrite -v
bounce     unix  -   -   -   -       0   bounce -v
defer      unix  -   -   -   -       0   bounce -v
trace      unix  -   -   -   -       0   bounce -v
verify     unix  -   -   -   -       1   verify -v
flush      unix  n   -   -   1000?   0   flush -v
proxymap   unix  -   -   n   -       -   proxymap -v
proxywrite unix  -   -   n   -       1   proxymap -v
smtp       unix  -   -   -   -       -   smtp -v
relay      unix  -   -   -   -       -   smtp -v
  -o smtp_fallback_relay=
showq      unix  n   -   -   -       -   showq -v
error      unix  -   -   -   -       -   error -v
retry      unix  -   -   -   -       -   error -v
discard    unix  -   -   -   -       -   discard -v
local      unix  -   n   n   -       -   local -v
virtual    unix  -   n   n   -       -   virtual -v
lmtp       unix  -   -   -   -       -   lmtp -v
anvil      unix  -   -   -   -       1   anvil -v
scache     unix  -   -   -   -       1   scache -v
maildrop   unix  -   n   n   -       -   pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -   n   n   -       -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifma

postfix lmtp ssl failure

2012-04-18 Thread fr47Tb

Greetings:

Having difficulty with communications between cyrus-imapd lmtpd (version
2.4.14) and 
postfix lmtp (version 2.9.1) using openssl (version 1.0.0-fips 29) on Centos
(version 6) system.

Selinux is in permissive mode.
lmtptest -t "" -p 24 localhost, works without difficulty
openssl s_client -connect 127.0.0.1:24 -starttls smtp  works with known
announced fault
 (ehlo instead of lhlo, session is still established)
Certificates seem to be good.
channel_cache has been disabled.

However communication breaks down between postfix and cyrus. Using TCP (24) 
port for common link.
It appears that the read for server cipher list is requested prior to the
information being placed in buffer,
cyrus-imapd replies with 454 4.3(.3) TLS not available, then lmtp reads this
as reply cipher list and
fails with SSLv3/v2 protocol not found. This causes the handshake to fail.
Please see log output below.
Notice the first read returns a (-1) fault from buffer block.
Any suggestions appreciated.
http://old.nabble.com/file/p33705787/maillog.txt maillog.txt 



Re: Virtual domain postfix configuration problem

2012-04-18 Thread Noel Jones
On 4/18/2012 10:21 PM, Deron Kazmaier wrote:
> Seems like this is a semi-common problem, but I just can't get my
> head around this. I've been struggling with this for over 5 days,
> and I could really use a fresh pair of eyes:
> 

First, TURN OFF ALL THE DEBUG AND VERBOSE LOGGING!

Odds are overwhelming that normal logging contains everything you
need to diagnose and fix the problem.

Odds are also overwhelming that the thousands of extra debug lines
make the important nuggets near impossible to separate from the noise.

> mydestination = lisn-mdv.razercut.com, localhost.razercut.com, , localhost, 
> marksteiner.ag, faroutprojects.com, whdt.net 

Are all these "local" non-virtual domains?  Domains handled by
postfix should not be listed in more than one address class.
http://www.postfix.org/ADDRESS_CLASS_README.html

> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated reject

On a general purpose MTA, this must be
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination

The final "reject" is causing your current problem.  Possibly other
problems will show up after you fix this.

If you get new errors, post the NON VERBOSE log entries and a fresh
postfinger with the new configuration.


  -- Noel Jones
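
Why the final "reject" refuses all outside mail while reject_unauth_destination does not, and why the corrected list still refuses relaying, shown as an added example that is not Postfix code and not part of any poster's message. It is a simplified model of first-match evaluation covering only the four restrictions named in the thread; the recipient addresses are constructed, and the networks, domains and client IP are taken from the postfinger output and log above.

```python
import ipaddress

# Modelled on the thread's postfinger output; "local" here simply means
# "a domain this server is the final destination for".
MYNETWORKS = ["127.0.0.0/8", "::1/128"]
LOCAL_DOMAINS = {"lisn-mdv.razercut.com", "marksteiner.ag",
                 "faroutprojects.com", "whdt.net"}

BROKEN = "permit_mynetworks permit_sasl_authenticated reject"
FIXED = "permit_mynetworks permit_sasl_authenticated reject_unauth_destination"


def evaluate(restrictions, client_ip, sasl_authenticated, rcpt):
    """Walk the list left to right; the first decisive result wins."""
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt.rpartition("@")[2].lower()
    for r in restrictions.replace(",", " ").split():
        if r == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS):
                return "permit", r
        elif r == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "permit", r
        elif r == "reject_unauth_destination":
            # Decisive only for destinations this server does not handle.
            if rcpt_domain not in LOCAL_DOMAINS:
                return "reject", r
        elif r == "reject":
            return "reject", r  # unconditional: nothing after it is reached
        else:
            raise ValueError(f"restriction not modelled: {r}")
    return "permit", "end of list"


if __name__ == "__main__":
    cases = [  # (client IP, SASL authenticated?, constructed recipient)
        ("75.98.165.130", False, "user@marksteiner.ag"),  # outside -> hosted domain
        ("75.98.165.130", False, "user@example.com"),     # outside -> relay attempt
        ("75.98.165.130", True, "user@example.com"),      # authenticated submission
        ("127.0.0.1", False, "user@example.com"),         # local client
    ]
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for ip, auth, rcpt in cases:
            print(name, ip, auth, rcpt, "->", evaluate(rules, ip, auth, rcpt))
```
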