smtp auth connection restrictions

2012-10-17 Thread Tom Kinghorn

Morning List.

I was wondering if there is any way to specify a
destination_concurrency_limit for clients which have used SMTP_AUTH and
whose source is not on the $mynetworks.

We currently have a problem where the accounts of clients (who have used 
weak passwords), are being used to spam.


I am looking for a way to reduce the impact of this while we contact all 
these users.


many thanks
Tom.




Re: MX vs A records

2012-10-17 Thread Tom Kinghorn

On 11/10/2012 14:48, Wietse Venema wrote:

Tom Kinghorn:

check_sender_ns_access type:table
 Search the specified access(5) database for the DNS servers for
 the MAIL FROM address, and execute the corresponding action.
 Note: a result of OK is not allowed for safety reasons.
 Instead, use DUNNO in order to exclude specific hosts from
 blacklists. This feature is available in Postfix 2.1 and later.

Use this only for known-bad providers.

Wietse



I have added this but it is not working on my setup.
All mail to the domains gets queued.

setup is as follows:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/recipient_access_whitelist
check_recipient_access hash:/etc/postfix/recipient_access_blacklist
check_recipient_ns_access hash:/etc/postfix/recipient_ns_host
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject

i tested using ad...@cpf.co.za

cpf.co.za is hosted at sedoparking.com

in the recipient_ns_host file I have

sedoparking.com    REJECT    Recipient hosted at sedoparking.com

thanks
Tom



Re: MX vs A records

2012-10-17 Thread Tom Hendrikx
On 10/17/12 10:05 AM, Tom Kinghorn wrote:
 On 11/10/2012 14:48, Wietse Venema wrote:
 Tom Kinghorn:
 check_sender_ns_access type:table
 Search the specified access(5) database for the DNS servers for
 the MAIL FROM address, and execute the corresponding action.
 Note: a result of OK is not allowed for safety reasons.
 Instead, use DUNNO in order to exclude specific hosts from
 blacklists. This feature is available in Postfix 2.1 and later.

 Use this only for known-bad providers.

 Wietse


 I have added this but it is not working on my setup.
 All mail to the domains gets queued.
 
 setup is as follows:
 
 smtpd_recipient_restrictions =
 check_recipient_access hash:/etc/postfix/recipient_access_whitelist
 check_recipient_access hash:/etc/postfix/recipient_access_blacklist
 check_recipient_ns_access hash:/etc/postfix/recipient_ns_host
 ...

You're testing NS records for the recipient address here, not the sender.

 i tested using ad...@cpf.co.za
 
 cpf.co.za is hosted at sedoparking.com
 
 in the recipient_ns_host file I have
 
 sedoparking.com    REJECT    Recipient hosted at sedoparking.com
 
 thanks
 Tom
 



Re: MX vs A records

2012-10-17 Thread Tom Kinghorn

On 17/10/2012 10:14, Tom Hendrikx wrote:

On 10/17/12 10:05 AM, Tom Kinghorn wrote:



You're testing NS records for the recipient address here, not the sender.


i tested using ad...@cpf.co.za

cpf.co.za is hosted at sedoparking.com

in the recipient_ns_host file I have

sedoparking.com    REJECT    Recipient hosted at sedoparking.com

thanks
Tom



That is correct.

cpf.co.za (the recipient domain) has no MX record BUT does have an A 
record, which does not accept mail.

As such, the mail sits in the queue until it expires.

I am trying to test recipient NS,
If the NS is sedoparking, then Reject the message.

Thanks for the reply.
Tom


Re: smtp auth connection restrictions

2012-10-17 Thread /dev/rob0
On Wed, Oct 17, 2012 at 09:35:33AM +0200, Tom Kinghorn wrote:
 I was wondering if there is any way to specify a 
 destination_concurrency_limit for clients which have used
 SMTP_AUTH and whose source is not on the $mynetworks.
 
 We currently have a problem where the accounts of clients
 (who have used weak passwords), are being used to spam.

This issue last came up on this list way back in 2012, on the 16th of 
October, "Alert of unusually large queue". As per that thread, the 
solution is a combination of rate limiting by means of a policy 
service and content filtering of submission.

 I am looking for a way to reduce the impact of this while
 we contact all these users.

I'd revoke their credentials ASAP, as soon as the compromised account 
is identified.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: Unable to execute a java program from postfix

2012-10-17 Thread /dev/rob0
On Tue, Oct 16, 2012 at 09:33:38PM -0500, Stan Hoeppner wrote:
 On 10/16/2012 9:17 PM, Neil Aggarwal wrote:
 
  I am trying to execute a java program from postfix using
  a pipe alias.
  
  When I send an email to the alias, I get this back from postfix:
  
  Command died with status 1:
  /root/webapps/cbsweb/WEB-INF/bin/mdcm/mailHandler. Command output:
  Exception in thread "main" java.lang.NoClassDefFoundError: mdcm/MailHandler
  Caused by: java.lang.ClassNotFoundException: mdcm.MailHandler
      at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:321)
      at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
  Could not find the main class: mdcm.MailHandler. Program will exit.
  
  Obviously, it is invoking the java vm, but for some reason it is 
  not finding my main class.
 
 Postfix doesn't run as root.

Well, master(8) does, but you are probably on the right track.

  I can execute my script file from the command line and it works fine.

As what user? With what environment?

  Here is my alias in /etc/aliases:
  # Forward mdcm messages to mail handler
  mdcm:   |/root/webapps/cbsweb/WEB-INF/bin/mdcm/mailHandler
 
 You're running the script as root.

No, it won't run as root. Assuming /etc/aliases is owned by root, 
this command is run by $default_privs user (default: nobody.)

http://www.postfix.org/local.8.html
http://www.postfix.org/aliases.5.html
http://www.postfix.org/postconf.5.html#default_privs

Why this would be in a subdirectory under /root is entirely another 
question. /root should be private, for the superuser only. If 
nobody can access this file, directory permissions are wrong. I 
would definitely suggest moving this to a better location.

  Any ideas?
 
 Run the script in the context of the Postfix user, assigning 
 necessary permissions to the script and all related files.

Oh, my, no! The $mail_owner user (default: postfix) should never be 
used for this; not for *anything* other than internal processes of 
the Postfix MTA itself. But as I said, you were on the right track. 
If nobody can access the script and files it needs, it might work.

http://www.postfix.org/OVERVIEW.html
http://www.postfix.org/postconf.5.html#default_privs[1]
http://www.postfix.org/postconf.5.html#mail_owner


[1] Quote: DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: 4xx too many errors question

2012-10-17 Thread Wietse Venema
Tomas Macek:
 So my question is how can I get this error message on my own computer, 
 when I did not sent any email to the server in last hour? According to 
 this experience, this seems to be per server settings. Or am I missing 
 something?

The error counter is a PER SESSION property. It starts at zero,
then it is incremented by one for every error reply.

- What error replies does the client receive? Look at the
maillog file after:

# postconf -e "debug_peer_list = address-of-client"
# postfix reload

- How many error replies before Postfix hangs up?

$ postconf smtpd_hard_error_limit

Wietse


Re: MX vs A records

2012-10-17 Thread Noel Jones
On 10/17/2012 3:31 AM, Tom Kinghorn wrote:
 On 17/10/2012 10:14, Tom Hendrikx wrote:
 On 10/17/12 10:05 AM, Tom Kinghorn wrote:

 You're testing NS records for the recipient address here, not the sender.

 i tested using ad...@cpf.co.za

 cpf.co.za is hosted at sedoparking.com

 in the recipient_ns_host file I have

 sedoparking.com    REJECT    Recipient hosted at sedoparking.com

 thanks
 Tom


 That is correct.
 
 cpf.co.za (the recipient domain) has no MX record BUT does have an A
 record, which does not accept mail.
 As such, the mail sits in the queue until it expires.
 
 I am trying to test recipient NS,
 If the NS is sedoparking, then Reject the message.
 
 Thanks for the reply.
 Tom


Show postconf -n and the postfix logs of your test.



  -- Noel Jones


Re: 4xx too many errors question

2012-10-17 Thread Tomas Macek

On Wed, 17 Oct 2012, Wietse Venema wrote:


Tomas Macek:

So my question is how can I get this error message on my own computer,
when I did not sent any email to the server in last hour? According to
this experience, this seems to be per server settings. Or am I missing
something?


The error counter is a PER SESSION property. It starts at zero,
then it is incremented by one for every error reply.

- What error replies does the client receive? Look at the
maillog file after:

   # postconf -e "debug_peer_list = address-of-client"
   # postfix reload

- How many error replies before Postfix hangs up?

   $ postconf smtpd_hard_error_limit

Wietse



The part of the log is here:

Oct 11 12:26:44 mail postfix/smtpd[4546]: < my.pc.host.name[x.x.x.x]: RSET
Oct 11 12:26:44 mail postfix/smtpd[4546]: > my.pc.host.name[x.x.x.]: 250 2.0.0 Ok
Oct 11 12:26:44 mail postfix/smtpd[4546]: > my.pc.host.name[x.x.x.x]: 421 4.7.0 our.server.name Error: too many errors
Oct 11 12:26:44 mail postfix/smtpd[4546]: too many errors after RSET from my.pc.host.name[x.x.x.x]

The postconf smtpd_hard_error_limit output:
smtpd_hard_error_limit = ${stress?1}${stress:20}

The strange thing is that my IP address was blocked with 421, when I had 
sent just a few mails that day (using Alpine on Linux). But the server was 
under heavy load, so the smtpd_*_error_limit seemed to me to be per-server 
options, not per-session, because I didn't see any reason why my computer 
should receive 421 from the server.


Tomas



local delivery: temporary failure

2012-10-17 Thread Renato

Hi, I'm new to postfix and MTAs in general; I'd like to set it up for
local delivery only on my Archlinux box. I've followed the instructions
on the archwiki [1] and my configuration files are exactly as explained
there, except that I have set *neither* home_mailbox nor
mail_spool_directory, but have instead set

mailbox_command = /usr/bin/procmail

since I use procmail to sort my mail.

Running mail -s test renato, though, silently fails (renato is my username),
i.e. mail never gets passed to procmail. In /var/log/mail.log I see
something like:

Oct 17 15:15:26 localhost postfix/pickup[472]: B3322200238: uid=1000 from=<renato>
Oct 17 15:15:26 localhost postfix/cleanup[2246]: B3322200238: message-id=<20121017131526.B3322200238@localhost>
Oct 17 15:15:26 localhost postfix/qmgr[473]: B3322200238: from=<renato@localhost>, size=669, nrcpt=1 (queue active)
Oct 17 15:15:26 localhost postfix/local[2248]: B3322200238: to=<renato@localhost>, orig_to=<renato>, relay=local, delay=3.6, delays=3.5/0/0/0.05, dsn=4.3.0, status=deferred (temporary failure)

So I guessed the error is in local; I've substituted "local" with "local -v" in
master.cf and I get a much more detailed log:

http://pastebin.com/Lf95k9mG

which unfortunately doesn't tell me much.

Could someone more expert than me point me in the right direction?

many thanks,
renato


[1]
https://wiki.archlinux.org/index.php/Local_Mail_Delivery_with_Postfix


Re: 4xx too many errors question

2012-10-17 Thread Wietse Venema
Tomas Macek:
 The part of the log is here:
 
 Oct 11 12:26:44 mail postfix/smtpd[4546]: < my.pc.host.name[x.x.x.x]: RSET
 Oct 11 12:26:44 mail postfix/smtpd[4546]: > my.pc.host.name[x.x.x.]: 250 2.0.0 Ok
 Oct 11 12:26:44 mail postfix/smtpd[4546]: > my.pc.host.name[x.x.x.x]: 421 4.7.0 our.server.name Error: too many errors

Postfix does not allow clients to send an unlimited number of
commands like NOOP or RSET.

The default setting is:

smtpd_junk_command_limit = ${stress?1}${stress:100}

This means: under server overload conditions, Postfix will immediately
disconnect a client that sends commands like NOOP or RSET, instead
of sending mail.

 Oct 11 12:26:44 mail postfix/smtpd[4546]: too many errors after RSET from 
 my.pc.host.name[x.x.x.x]
 
 The postconf smtpd_hard_error_limit output:
 smtpd_hard_error_limit = ${stress?1}${stress:20}

What was the effective hard error limit: 1 or 20?

Look at the output from:

$ grep STRESS the-maillog-file

Wietse

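How the ${stress?1}${stress:20} and ${stress?1}${stress:100} values above resolve, as an added example (my own code, not Postfix's): a small evaluator for Postfix's ${name?value} and ${name:value} conditional expansion (plus plain $name and ${name}), applied to the two limits quoted in this thread. master(8) passes -o stress=yes to a service under overload, so a non-empty stress parameter reproduces the overload case and an absent one the normal case.

```python
"""Added example (my code, not Postfix's): evaluate Postfix's conditional
parameter expansion so that stress-dependent limits can be read off."""
import re

_COND = re.compile(r"\$\{(\w+)([?:])([^}]*)\}")   # ${name?value} / ${name:value}
_BRACED = re.compile(r"\$\{(\w+)\}")             # ${name}
_BARE = re.compile(r"\$(\w+)")                   # $name

def expand(template, params):
    """${name?value} expands to value when name is set and non-empty,
    ${name:value} when it is empty or undefined; plain $name is substituted."""
    def cond(m):
        name, op, value = m.groups()
        is_set = params.get(name, "") != ""
        return value if (op == "?") == is_set else ""
    text = _COND.sub(cond, template)
    text = _BRACED.sub(lambda m: params.get(m.group(1), ""), text)
    return _BARE.sub(lambda m: params.get(m.group(1), ""), text)

# Default values exactly as quoted in the thread.
STRESS_LIMITS = {
    "smtpd_hard_error_limit": "${stress?1}${stress:20}",
    "smtpd_junk_command_limit": "${stress?1}${stress:100}",
}

def effective_limits(params):
    """Integer limits in force for a given parameter environment: master(8)
    passes -o stress=yes to a service under overload, so {"stress": "yes"}
    reproduces the overload case and {} the normal one."""
    return {name: int(expand(tmpl, params)) for name, tmpl in STRESS_LIMITS.items()}
```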

Re: Problems with authentication using dovecot

2012-10-17 Thread Noel Jones
On 10/17/2012 12:54 PM, Ricardo Barbosa wrote:
 hi all,
 
 I deployed an environment with postfix and dovecot but it did not work.
 
 look at my settings.
 

postconf -n is preferred rather than main.cf snippings.

 mynetworks = 127.0.0.0/8, 172.16.1.0/24, 10.0.0.0/24, 0.0.0.0/0

0.0.0.0/0!!!  Trying to be an open relay?  Bad idea; remove this.

 smtpd_sasl_path = /var/run/dovecot/private/auth

Typically should be
  smtpd_sasl_path = private/auth

with dovecot.conf pointing to /var/spool/postfix/private/auth

http://www.postfix.org/SASL_README.html#server_dovecot


 maillog
 
 Oct 17 13:58:26 mail postfix/smtpd[15324]: connect from unknown[xxx.xxx.xxx.xxx]
 Oct 17 13:58:38 mail postfix/smtpd[15324]: warning: unknown[xxx.xxx.xxx.xxx]: SASL PLAIN authentication failed:

Any other warning|error|fatal|panic postfix messages?  Any dovecot
logging?

If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones


Re: Block sending from non-US IPs

2012-10-17 Thread /dev/rob0
On Wed, Oct 17, 2012 at 03:41:08PM -0500, Thomas E Lackey wrote:
 I am looking into a system where one of the [virtual] mail accounts 
 was compromised.
 
 Apparently the account, once compromised, was used to send spam 
 from overseas hosts.  Since the company has no overseas users, they 
 asked if it were possible to block outbound/relaying activity from 
 all non-US IP addresses, even from authenticated accounts, while 
 still allowing inbound SMTP from non-US IPs.  And, of course, they 
 would like to retain sending from US IPs from authenticated 
 accounts.
 
 I am pretty familiar with Postfix, but this combination has me
 scratching my head.  Is it doable?

Not easily, and there is little reason to think it would be very 
effective. If you could compile (or query) a list of the IP address 
ranges and use it as check_client_access, you have succeeded with 
that part of your goal, but you probably have not accomplished the
real goal. What about when the ratware is sending from your user's 
US-based computer?

This issue last came up on this list today, and before that, 
yesterday (thanks Jeroen!) The real answer is rate limiting and
content filtering of authenticated senders.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: Block sending from non-US IPs

2012-10-17 Thread CSS
On Oct 17, 2012, at 4:51 PM, /dev/rob0 wrote:

 On Wed, Oct 17, 2012 at 03:41:08PM -0500, Thomas E Lackey wrote:
 I am looking into a system where one of the [virtual] mail accounts 
 was compromised.
 
 Apparently the account, once compromised, was used to send spam 
 from overseas hosts.  Since the company has no overseas users, they 
 asked if it were possible to block outbound/relaying activity from 
 all non-US IP addresses, even from authenticated accounts, while 
 still allowing inbound SMTP from non-US IPs.  And, of course, they 
 would like to retain sending from US IPs from authenticated 
 accounts.
 
 I am pretty familiar with Postfix, but this combination has me
 scratching my head.  Is it doable?
 
 Not easily, and there is little reason to think it would be very 
 effective. If you could compile (or query) a list of the IP address 
 ranges and use it as check_client_access, you have succeeded with 
 that part of your goal, but you probably have not accomplished the
 real goal. What about when the ratware is sending from your user's 
 US-based computer?
 
 This issue last came up on this list today, and before that, 
 yesterday (thanks Jeroen!) The real answer is rate limiting and
 content filtering of authenticated senders.

I can add too that if you're using policyd2 for the outbound rate
limiting, it stores the per-user tracking information in a database,
which makes it really easy to monitor.  If you tighten up the rules
to something like a few hundred messages an hour and have your
existing monitoring system do a simple sql query against the policyd
db so you get alerted when someone trips the limit (or starts 
approaching the limit) you can respond to hijacked accounts pretty 
quickly and avoid most of the collateral damage.

Charles


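The rate limiting by policy service that /dev/rob0 recommends and the per-user tracking Charles describes, as an added example that is neither policyd nor code from this thread: a minimal Python policy service speaking Postfix's check_policy_service protocol, keeping an in-memory sliding window per sasl_username. The window, the limit and port 10040 are assumptions; policyd stores the same counters in a database, which is what makes the SQL alerting Charles mentions possible.

```python
"""Added example: a minimal Postfix SMTPD policy service that rate-limits
authenticated senders per SASL username (in-memory sliding window). Postfix
sends "name=value" lines ending with an empty line; the reply is "action=..."."""
import socketserver
import time
from collections import defaultdict, deque
WINDOW_SECONDS = 3600   # one-hour window (assumed value)
MAX_PER_WINDOW = 300    # recipients per user per window (assumed value)

class RecipientRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)   # user -> deque of (timestamp, count)

    def usage(self, user, now):
        q = self.events[user]
        while q and q[0][0] <= now - self.window:   # drop expired entries
            q.popleft()
        return sum(n for _, n in q)

    def charge(self, user, recipients, now):
        """Record the recipients if they fit the budget; False when over limit."""
        if self.usage(user, now) + recipients > self.limit:
            return False
        self.events[user].append((now, recipients))
        return True

def parse_policy_request(text):
    attrs = {}   # the attribute block ends at the first empty line
    for line in text.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, limiter, now=None):
    """DUNNO for unauthenticated clients (other restrictions handle them).
    recipient_count is filled in only at end-of-data; at RCPT TO it is 0."""
    now = time.time() if now is None else now
    user = attrs.get("sasl_username", "")
    if not user:
        return "DUNNO"
    recipients = int(attrs.get("recipient_count") or 0) or 1
    if limiter.charge(user, recipients, now):
        return "DUNNO"
    # 4xx, not 5xx: the owner is not locked out and deferrals are visible in the log
    return "DEFER_IF_PERMIT Sending rate limit exceeded for this account"

LIMITER = RecipientRateLimiter()
class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        pending = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                pending.append(line)
                continue
            action = decide(parse_policy_request("\n".join(pending)), LIMITER)
            self.wfile.write(f"action={action}\n\n".encode())
            pending = []

if __name__ == "__main__":   # main.cf (assumed): check_policy_service inet:127.0.0.1:10040
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Hook it in with check_policy_service on the submission service, after permit_mynetworks and before permit_sasl_authenticated, so that only authenticated senders are charged; the deferral text in the log is the signal to feed into monitoring.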


Re: Problems with authentication using dovecot

2012-10-17 Thread Noel Jones
On 10/17/2012 2:41 PM, Ricardo Barbosa wrote:
 Hi jones
 
0.0.0.0/0!!!  Trying to be an open relay?  Bad idea; remove this.
 It's a test only, because it did not work in any way.

Take it out!  Not a good placeholder, even for testing.


 Any other warning|error|fatal|panic postfix messages?  Any dovecot
 logging?
 
 no, nothing, my settings are equal to the content of the site 
 http://www.postfix.org/SASL_README.html#server_dovecot, but it did not work. 

You might try some verbose dovecot logging, to see if dovecot is
getting the AUTH request.

 
 I'm going crazy already. But from what I saw postfix is working the
 problem is dovecot.

You earlier wrote that you were able to use dovecot for POP3 and
IMAP, so dovecot is working.  Postfix appears to be working.

Your problem is almost certainly your dovecot config doesn't match
your postfix config.

The dovecot.conf auth.default section should be configured as shown
here:
http://www.postfix.org/SASL_README.html#server_dovecot

Hmm, the postfix-supplied examples may not be correct for recent
versions of dovecot.  Check the dovecot wiki for further
information.  The online examples assume you haven't changed the
postfix default values for mail_owner (postfix) and mail_spool
(/var/spool/postfix)



 I'm almost changing to cyrus.

I doubt cyrus will be any easier to configure, but use whatever
works for you.





  -- Noel Jones


Re: Any best practices for stacking filters?

2012-10-17 Thread Wietse Venema
Quanah Gibson-Mount:
 Right now, we can have up to 4 different processing filters in our 
 configuration, based on what features are enabled.
 
 In general, we always have:
 
 1) OpenDKIM for signing
 
 Then we almost always have
 
 2) Amavis
 
 Then we sometimes have
 
 3) A Zimbra written Milter service
 
 And rarely
 
 4) A journaling milter

I can't share experiences with configurations of similar complexity,
just want to make a reminder that Milters don't work (well) before
a proxy filter. In particular the Milter will not receive header,
body, or end-of-body events, nor will it be able to send requests
to modify the envelope or message content.  Those features are
implemented in the cleanup daemon as it writes the message to queue
file, but of course there are no cleanup daemon or queue file
before a proxy filter.

network -> smtpd -> proxy filter -> smtpd -> cleanup -> queue file
             |
         buffer file

It would not require a lot of code to send header, body, or end-of-body
events to a Milter before a proxy filter. However, requests to
modify the envelope or message content would require significant
coding, and without those editing features, Milter support would
still be crippled.

One approach is to reuse the buffer file that is created with
smtpd_proxy_options = speed_adjust, and to make the queue file
editing code work in that environment.

It's much easier to tell people not to use Milters before a proxy
filter...

Wietse


Re: Problems with authentication using dovecot

2012-10-17 Thread Patrick Ben Koetter
* Ricardo Barbosa spidersl...@yahoo.com.br:
 but SMTP did not work with AUTH PLAIN. But I also have a MySQL server.
 By my understanding, SASL uses Dovecot to authenticate users from SMTP, so 
 the parameter smtpd_sasl_type = dovecot, correct? Funny that Dovecot is 
 working, as much as POP and IMAP.
 I did the tests via SMTP authentication:
 
 perl -MMIME::Base64 -e 'print encode_base64(\000u...@domain.com\000123456);'
 AHVzZXIuY29tADEyMzQ1Ng==

You don't send what you need to:

$ gen-auth decode AHVzZXIuY29tADEyMzQ1Ng==
user.com123456

I get a completely different string when I use gen-auth to generate the base64
identification string:

$ gen-auth plain 000u...@domain.com 000123456
Auth String: ADAwMHVzZXJAZG9tYWluLmNvbQAwMDAxMjM0NTY=

Use gen-auth when you generate your base64 strings. The SASL_README tells
where to get it.

p@rick

--
[*] sys4 AG
Franziskanerstraße 15   Phone +49 89 3090 4664
81669 München   Fax +49 89 3090 4666
 
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
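The AUTH PLAIN string Patrick is decoding, as an added example that is neither gen-auth nor code from this thread: the SASL PLAIN initial response is authzid NUL authcid NUL password, base64-encoded, and the encoder and decoder below are my own. Decoding the string posted in the thread shows the authcid arrived as "user.com", which is what Perl produces when @domain inside a double-quoted string is interpolated as an empty array.

```python
"""Added example (mine, not gen-auth): build and take apart the base64 string
that SMTP AUTH PLAIN carries. SASL PLAIN is authzid NUL authcid NUL password."""
import base64

def sasl_plain_encode(authcid, password, authzid=""):
    """Return the base64 initial response for AUTH PLAIN."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def sasl_plain_decode(b64):
    """Split a base64 AUTH PLAIN string into (authzid, authcid, password);
    decoding what you are about to send is the quickest check that it is
    the string you intended."""
    raw = base64.b64decode(b64, validate=True)
    fields = raw.split(b"\0")
    if len(fields) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(fields)}")
    return tuple(f.decode("utf-8") for f in fields)

if __name__ == "__main__":
    # The string posted in the thread: the authcid comes out as "user.com".
    print(sasl_plain_decode("AHVzZXIuY29tADEyMzQ1Ng=="))
    # What the intended credentials (as written in the thread) encode to.
    print(sasl_plain_encode("user@domain.com", "123456"))
```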