Re: tls_policy_map, combination with transport_maps
On 2014-10-23 16:27, Noel Jones wrote:

On 10/23/2014 8:32 AM, Patrik Båt wrote:

Hello!

*main.cf config:*
smtp_tls_policy_maps = hash:/etc/postfix/maps/tls_policy
transport_maps = proxy:mysql:/etc/postfix/mysql/relay-transport.cf

*Postmap query:*
postmap -q i...@testkund.domain.tld mysql:/etc/postfix/mysql/relay-transport.cf
smtp:d748.dev-cust.domain.tld:

No brackets.

postmap -q [d748.dev-cust.domain.tld]: hash:/etc/postfix/maps/tls_policy
[d748.dev-cust.domain.tld]: none

brackets. The entries don't match.

-- Noel Jones

Oh, Thanks for the heads up! without [] it works.

Another question, if I do the lookup of transport in transport_maps, I can't use the domain in tls_policy_map? Have I understood that right?

/The TLS policy table is indexed by the full next-hop destination, which is either the recipient domain, or the verbatim next-hop specified in the transport table, $local_transport, $virtual_transport, $relay_transport or $default_transport. This includes any enclosing square brackets and any non-default destination server port suffix. The LMTP socket type prefix (inet: or unix:) is not included in the lookup key./

*default setting is:*
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2,!TLSv1.1,!TLSv1.2
smtp_tls_exclude_ciphers = 3DES:MD5
smtp_tls_policy_maps = hash:/etc/postfix/maps/tls_policy

It isn't using the tls_policy_maps setting. I must have done something wrong or totally misunderstood this.

This isn’t working as well:
testkund.domain.tld none (in tls_policy_maps)

postfix 2.9.6-2 amd64 (on debian wheezy) (tested 2.11.1 as well)

Mailflow: ORGINATING-SMTPD-AFTER-QUEUE-Amavisd-new-SMTPD:10030-SMTP-END (all in some instance( /etc/postfix))

And between (SMTP-END) I want to use the tls_policy_map.

I hope I’ve described the problem so you understand me :)

PS.
no chroot what-so ever.
Re: Postfix/milter benchmarking
Hi,

In c67094e5-49db-40bc-98ba-8bdc82b25...@mehnle.net Postfix/milter benchmarking on Thu, 23 Oct 2014 08:45:06 -0700, Julian Mehnle jul...@mehnle.net wrote:

I'm developing a new milter and I need to benchmark it when plugged into Postfix. What are my best options for generating an SMTP stream of messages directed at a single Postfix instance at rates on the order of hundreds per second, and measuring SMTP acceptance rates and SMTP response latency? I can run processes on multiple machines if necessary, but the more efficient the better.

...

Are there any other tools people use to benchmark their Postfix setups or, more specifically, milters?

I'm developing some milters. I created two tools to benchmark and test my milters:

* milter-test-server: http://milter-manager.sourceforge.net/reference/milter-test-server.html
  It talks milter protocol. It means that you don't need Postfix, you just need milter. It just does one milter session and reports elapsed time.
* milter-performance-check: http://milter-manager.sourceforge.net/reference/milter-performance-check.html
  It talks SMTP. You can measure elapsed time for Postfix + milter. It sends multiple mails and reports performance statistics. See the above URL for details.

See the following URL how to install these tools: http://milter-manager.sourceforge.net/reference/install-to.html

Thanks,
-- kou
What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
Dear postfix users,

today we discovered a problem with one of our mailrelays. Maillog contains lines like the following:

Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 947731 mail.warning] warning: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified

Looking deeper, we see the following:

# egrep 6B8F696F6|2737698C0 /var/log/maillog
Oct 23 10:46:58 rv-smtpext-201 postfix/smtpd[1020]: [ID 197553 mail.info] 6B8F696F6: client=mail-la0-f45.google.com[209.85.215.45]
Oct 23 10:46:58 rv-smtpext-201 postfix/cleanup[27791]: [ID 197553 mail.info] 6B8F696F6: message-id=jsfcy39dev1kncus40xhttb6.1414053900...@email.android.com
Oct 23 10:46:59 rv-smtpext-201 postfix/qmgr[16441]: [ID 197553 mail.info] 6B8F696F6: from=anonsen...@gmail.com, size=129401, nrcpt=1 (queue active)
Oct 23 10:50:19 rv-smtpext-201 postfix/qmgr[10619]: [ID 197553 mail.info] 6B8F696F6: from=anonsen...@gmail.com, size=129401, nrcpt=1 (queue active)
Oct 23 10:51:21 rv-smtpext-201 postfix/qmgr[11414]: [ID 197553 mail.info] 6B8F696F6: skipped, still being delivered
Oct 23 10:51:26 rv-smtpext-201 postfix/smtp[10823]: [ID 197553 mail.info] 6B8F696F6: to=ANONRCPT@local, relay=smail1.mailintern.local[10.1.1.1]:25, delay=270, delays=203/57/10/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B489018F20B5)
Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 197553 mail.info] 2737698C0: uid=12345 from=anonsen...@gmail.com orig_id=6B8F696F6
Oct 23 10:53:00 rv-smtpext-201 postfix/cleanup[12657]: [ID 197553 mail.info] 2737698C0: message-id=jsfcy39dev1kncus40xhttb6.1414053900...@email.android.com
Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 947731 mail.warning] warning: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified

Can somebody explain, what is happening here? The machine also is very slow (see delays) and might be somewhat overloaded.

Jan
Re: Define exception(s) from catchall domain
* Noel Jones njo...@megan.vbhcs.org [2014-10-24 00:36]:

I tried to implement this by using a check_recipient_access pcre_table like this:

/etc/postfix# cat recipient_access.pcre
/^postfix-reject-address@.+$/ REJECT

This must match the recipient address as sent by the client and logged by postfix smtpd process, NOT the rewritten address.

Yes, I figured this out and found a way to do what I wanted. I now have the following:

smtpd_recipient_restrictions = check_recipient_access proxy:mysql:$config_directory/sql/mysql_check_recipient_access.cf, ...

(Also I had to extend proxy_read_maps for this). The .cf contains the following query:

query = SELECT 'REJECT' FROM alias WHERE address='%s' AND goto='reject@postfix.access' AND active = '1'

So all the users have to do is add an alias from their address to reject@postfix.access to reject a specific alias.

smtpd_recipient_restrictions = check_recipient_access pcre:$config_directory/recipient_access.pcre, ...

It's generally unwise to put any access tables before permit_mynetworks. Extra caution is needed to make sure you don't accidentally create an open relay.

In this specific case I think it is okay because I want no one to be able to mail to these addresses. It should be as if the alias does not exist. As for the open relay, I moved all that stuff to smtpd_relay_restrictions.

And telling them to add an alias to postfix-reject-address@$THEIR_DOMAIN

This should not be necessary.

It's the way postfixadmin works. Without coding up an extension that lets user block specific aliases this is the fastest way to do it.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
Jan P. Kessler:

Dear postfix users, today we discovered a problem with one of our mailrelays. Maillog contains lines like the following:

Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 947731 mail.warning] warning: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified

The Postfix sendmail command was invoked with no recipients on the command line, and (with -t) with no recipients in the message header.

The machine also is very slow (see delays) and might be somewhat overloaded.

I suppose some software creates malformed email messages because it fails to detect some errors up-stream.

Wietse
Re: Define exception(s) from catchall domain
Sebastian Wiesinger:

smtpd_recipient_restrictions = check_recipient_access proxy:mysql:$config_directory/sql/mysql_check_recipient_access.cf, ...

(Also I had to extend proxy_read_maps for this).

Argh. I forgot to include that in the default proxy_read_maps setting.

As for the open relay, I moved all that stuff to smtpd_relay_restrictions.

Good!

Wietse
Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 947731 mail.warning] warning: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified

The Postfix sendmail command was invoked with no recipients on the command line, and (with -t) with no recipients in the message header. I suppose some software creates malformed email messages because it fails to detect some errors up-stream.

To be honest. I don't understand this yet. The machine acts as a relay which takes mails from the internet (here: gmail) and forwards them to the next station (here: smail1.mailintern.local). There is no content filtering, no reinjection or such - nothing that should invoke sendmail. The configuration is quite trivial (please see below). I even do not understand what happened after queueid 6B8F696F6 has been delivered.

# egrep 6B8F696F6|2737698C0 /var/log/maillog
Oct 23 10:46:58 rv-smtpext-201 postfix/smtpd[1020]: [ID 197553 mail.info] 6B8F696F6: client=mail-la0-f45.google.com[209.85.215.45]
Oct 23 10:46:58 rv-smtpext-201 postfix/cleanup[27791]: [ID 197553 mail.info] 6B8F696F6: message-id=jsfcy39dev1kncus40xhttb6.1414053900...@email.android.com
Oct 23 10:46:59 rv-smtpext-201 postfix/qmgr[16441]: [ID 197553 mail.info] 6B8F696F6: from=anonsen...@gmail.com, size=129401, nrcpt=1 (queue active)
Oct 23 10:50:19 rv-smtpext-201 postfix/qmgr[10619]: [ID 197553 mail.info] 6B8F696F6: from=anonsen...@gmail.com, size=129401, nrcpt=1 (queue active)

- Why do we see this line twice?

Oct 23 10:51:21 rv-smtpext-201 postfix/qmgr[11414]: [ID 197553 mail.info] 6B8F696F6: skipped, still being delivered
Oct 23 10:51:26 rv-smtpext-201 postfix/smtp[10823]: [ID 197553 mail.info] 6B8F696F6: to=ANONRCPT@local, relay=smail1.mailintern.local[10.1.1.1]:25, delay=270, delays=203/57/10/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B489018F20B5)

- Here it got delivered. Why is the rest happening?
Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 197553 mail.info] 2737698C0: uid=12345 from=anonsen...@gmail.com orig_id=6B8F696F6
Oct 23 10:53:00 rv-smtpext-201 postfix/cleanup[12657]: [ID 197553 mail.info] 2737698C0: message-id=jsfcy39dev1kncus40xhttb6.1414053900...@email.android.com
Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 947731 mail.warning] warning: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified

- UID 12345 is the postfix user:

# grep 12345 /etc/passwd
postfix:x:12345:12345:Postfix:/var/empty:/bin/false

Postconf -n follows. Let me know if anything else is needed:

address_verify_map = btree:$data_directory/VERIFY_ADDRESS
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 6
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_sender = postmaster@local
address_verify_transport_maps = btree:/etc/postfix/verify_transport
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
alternate_config_directories = /etc/postfix/OUT, /etc/postfix/TLSONLY
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 512000
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /opt/vrnetze/postfix/sbin
config_directory = /etc/postfix
daemon_directory = /opt/vrnetze/postfix/libexec
data_directory = /var/spool/postfix/DATA
debug_peer_level = 2
default_privs = nobody
delay_warning_time = 12h
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
luser_relay = g_vrnetze_cna_fw@local
mail_name = Mailservice
mail_owner = postfix
mailbox_size_limit = 5601
mailq_path = /usr/bin/mailq
manpage_directory = /opt/vrnetze/postfix/man
maximal_queue_lifetime = 3d
message_size_limit = 5600
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = local
myhostname = mail2.local
mynetworks = /etc/postfix/relay_from_networks
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
plaintext_reject_code = 554
proxy_interfaces = 195.145.180.23, 195.145.180.24, 195.145.180.25, 195.145.180.26, 195.145.180.27, 195.145.180.28, 195.145.180.29, 195.145.180.30
queue_directory = /var/spool/postfix
readme_directory = /opt/vrnetze/postfix/doc
relay_domains = $config_directory/relay_to_domains
remote_header_rewrite_domain = domain.invalid
sample_directory = /etc/postfix
sender_canonical_maps = btree:/etc/postfix/sender_canonical
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtp_data_done_timeout = 660s
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 360s
smtp_enforce_tls = no
smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtp_tls_key_file = /etc/postfix/CERTS/key.pem
smtp_tls_loglevel = 1
smtp_tls_policy_maps =
Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
On Fri, Oct 24, 2014 at 01:59:57PM +0200, Jan P. Kessler wrote:

# egrep 6B8F696F6|2737698C0 /var/log/maillog
Oct 23 10:46:58 rv-smtpext-201 postfix/smtpd[1020]: [ID 197553 mail.info] 6B8F696F6: client=mail-la0-f45.google.com[209.85.215.45]
Oct 23 10:46:58 rv-smtpext-201 postfix/cleanup[27791]: [ID 197553 mail.info] 6B8F696F6: message-id=jsfcy39dev1kncus40xhttb6.1414053900...@email.android.com
Oct 23 10:46:59 rv-smtpext-201 postfix/qmgr[16441]: [ID 197553 mail.info] 6B8F696F6: from=anonsen...@gmail.com, size=129401, nrcpt=1 (queue active)

Notice that the queue-manager process id changes below! Something is running frequent postfix reload operations.

Oct 23 10:50:19 rv-smtpext-201 postfix/qmgr[10619]: [ID 197553 mail.info] 6B8F696F6: from=anonsen...@gmail.com, size=129401, nrcpt=1 (queue active)

- Why do we see this line twice?

Oct 23 10:51:21 rv-smtpext-201 postfix/qmgr[11414]: [ID 197553 mail.info] 6B8F696F6: skipped, still being delivered

And the queue-manager pid changes yet again! DO NOT DO THAT!

Oct 23 10:51:26 rv-smtpext-201 postfix/smtp[10823]: [ID 197553 mail.info] 6B8F696F6: to=ANONRCPT@local, relay=smail1.mailintern.local[10.1.1.1]:25, delay=270, delays=203/57/10/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B489018F20B5)

Finally the message is delivered, but in the mean-time:

Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 197553 mail.info] 2737698C0: uid=12345 from=anonsen...@gmail.com orig_id=6B8F696F6
Oct 23 10:53:00 rv-smtpext-201 postfix/cleanup[12657]: [ID 197553 mail.info] 2737698C0:

Someone has moved the queue file to the maildrop directory while that was happening via postsuper -r ALL.

message-id=jsfcy39dev1kncus40xhttb6.1414053900...@email.android.com
Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 947731 mail.warning] warning: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified

TOO MUCH MANUAL QUEUE MANAGEMENT.
smtpd_tls_exclude_ciphers = EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA

If you don't want 3DES, better would be:

smtpd_tls_exclude_ciphers = 3DES

There are more 3DES ciphers these days.

smtpd_tls_mandatory_exclude_ciphers = EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA

This is redundant, the ciphers excluded with opportunistic TLS are also excluded with mandatory TLS.

smtpd_use_tls = yes

Better:

smtpd_tls_security_level = may

-- Viktor.
Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
A maildrop queue file is created when something submits mail with the Postfix sendmail command, or when a maildrop queue file is renamed from the incoming/active/deferred queue with the postsuper -r command.

Local submission:
sendmail command -> postdrop command -> maildrop queue file -> pickup daemon -> cleanup daemon -> incoming queue file

postsuper -r resubmission:
existing incoming or deferred queue file -> maildrop queue file

It would be helpful if the pickup daemon logged the owner UID of the maildrop queue file. That would help to distinguish between local submission or postsuper -r resubmission. But it doesn't.

So we use a different way to make the distinction: each method produces different error messages for no recipients.

Invoking postsuper -r for a queue file after all its recipients are delivered will result in the above error message.

We can eliminate the postfix sendmail command from consideration, because that results in a different error when a submission has no recipients:

$ sendmail </dev/null
sendmail: fatal: Recipient addresses must be specified on the command line or via the -t option
$ sendmail -t </dev/null
sendmail: fatal: wietse(1001): No recipient addresses found in message header

So I speculate that what you see was the result of a postsuper -r race condition.

Wietse
Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
On Fri, Oct 24, 2014 at 09:24:13AM -0400, Wietse Venema wrote:

A maildrop queue file is created when something submits mail with the Postfix sendmail command, or when a maildrop queue file is renamed from the incoming/active/deferred queue with the postsuper -r command.

Local submission:
sendmail command -> postdrop command -> maildrop queue file -> pickup daemon -> cleanup daemon -> incoming queue file

postsuper -r resubmission:
existing incoming or deferred queue file -> maildrop queue file

It would be helpful if the pickup daemon logged the owner UID of the maildrop queue file. That would help to distinguish between local submission or postsuper -r resubmission. But it doesn't.

Actually it does and it did, that's why the original id was logged. This was a postsuper -r.

-- Viktor.
Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
Viktor Dukhovni:

On Fri, Oct 24, 2014 at 09:24:13AM -0400, Wietse Venema wrote:

A maildrop queue file is created when something submits mail with the Postfix sendmail command, or when a maildrop queue file is renamed from the incoming/active/deferred queue with the postsuper -r command.

Local submission:
sendmail command -> postdrop command -> maildrop queue file -> pickup daemon -> cleanup daemon -> incoming queue file

postsuper -r resubmission:
existing incoming or deferred queue file -> maildrop queue file

It would be helpful if the pickup daemon logged the owner UID of the maildrop queue file. That would help to distinguish between local submission or postsuper -r resubmission. But it doesn't.

Actually it does and it did, that's why the original id was logged. This was a postsuper -r.

In any case we both deduced this was a postsuper -r race condition.

Wietse
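The log reading done by hand in this thread can be automated. The following is an added example, not code from any poster or from Postfix: it scans maillog lines for the three signals discussed above (changing qmgr PIDs for one queue ID, pickup lines carrying orig_id, and the "no recipients specified" warning). The sample lines are constructed from the thread's log with placeholder addresses, and short (hex) queue IDs are assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's log lines, addresses replaced by placeholders.
SAMPLE_LOG = """\
Oct 23 10:46:58 rv-smtpext-201 postfix/smtpd[1020]: [ID 197553 mail.info] 6B8F696F6: client=mail.example.net[192.0.2.45]
Oct 23 10:46:59 rv-smtpext-201 postfix/qmgr[16441]: [ID 197553 mail.info] 6B8F696F6: from=<sender@example.net>, size=129401, nrcpt=1 (queue active)
Oct 23 10:50:19 rv-smtpext-201 postfix/qmgr[10619]: [ID 197553 mail.info] 6B8F696F6: from=<sender@example.net>, size=129401, nrcpt=1 (queue active)
Oct 23 10:51:21 rv-smtpext-201 postfix/qmgr[11414]: [ID 197553 mail.info] 6B8F696F6: skipped, still being delivered
Oct 23 10:51:26 rv-smtpext-201 postfix/smtp[10823]: [ID 197553 mail.info] 6B8F696F6: to=<rcpt@example.org>, relay=mx.example.org[192.0.2.1]:25, delay=270, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B489018F20B5)
Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 197553 mail.info] 2737698C0: uid=12345 from=<sender@example.net> orig_id=6B8F696F6
Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 947731 mail.warning] warning: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
"""

# daemon[pid]: then an optional Solaris-style "[ID n facility.level]" tag.
LINE_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ \S+\] )?(?P<text>.*)$"
)
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<msg>.*)$")
ORIG_RE = re.compile(r"\borig_id=(?P<orig>[0-9A-F]+)")
RACE_RE = re.compile(
    r"warning: maildrop/(?P<orig>[0-9A-F]+): "
    r"error writing (?P<new>[0-9A-F]+): no recipients specified"
)


def analyze(lines):
    """Return the queue-manipulation signals found in maillog lines."""
    qmgr_pids = defaultdict(list)   # queue id -> qmgr PIDs in order seen
    delivered = set()               # queue ids with a status=sent line
    requeued = {}                   # new queue id -> original queue id
    races = []                      # (orig id, new id, delivered before?)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        daemon, pid, text = m.group("daemon", "pid", "text")
        race = RACE_RE.search(text)
        if race:
            orig = race.group("orig")
            races.append((orig, race.group("new"), orig in delivered))
            continue
        q = QID_RE.match(text)
        if not q:
            continue
        qid, msg = q.group("qid", "msg")
        if daemon == "qmgr":
            if pid not in qmgr_pids[qid]:
                qmgr_pids[qid].append(pid)
        elif daemon == "smtp" and "status=sent" in msg:
            delivered.add(qid)
        elif daemon == "pickup":
            o = ORIG_RE.search(msg)
            if o:                   # orig_id is logged for requeued mail
                requeued[qid] = o.group("orig")
    return {
        # More than one qmgr PID for a message: qmgr was restarted/reloaded.
        "qmgr_pid_changes": {q: p for q, p in qmgr_pids.items() if len(p) > 1},
        "requeued": requeued,
        "requeue_races": races,
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(name, value)
```

A `requeue_races` entry whose third field is true is the case diagnosed in the thread: the message had already been delivered when the requeued copy was picked up.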
Re: tls_policy_map, combination with transport_maps
On Fri, Oct 24, 2014 at 09:14:59AM +0200, Patrik Båt wrote:

Another question, if I do the lookup of transport in transport_maps, I can't use the domain in tls_policy_map?

As documented, the lookup key for TLS policy is the smtp nexthop. Sometimes the nexthop is the recipient domain, other times it is some override from the transport table. Regardless the lookup key is the nexthop. When the nexthop is an unadorned domain (no [] and no :port), parent domain lookups are also performed.

http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

-- Viktor.
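The lookup rule described in this thread, modelled as an added example (not Postfix source and not code from any poster): it derives the nexthop from a transport result, lists the policy keys that would be tried, and audits a policy table for routes that silently fall back to the default TLS level. Host names and table contents are constructed; the parent-domain keys use the leading-dot form given in the smtp_tls_policy_maps documentation.

```python
"""Which key does the Postfix SMTP client use for smtp_tls_policy_maps?"""

# Constructed policy table: key -> TLS security level.
POLICY = {
    "[mx1.customer.example]": "none",   # bracketed nexthop key
    "rcpt.example": "none",             # recipient-domain key
    ".partner.example": "encrypt",      # parent-domain key
}

# Constructed routes: recipient domain -> transport_maps result (or None).
ROUTES = {
    "rcpt.example": "smtp:mx1.customer.example",
    "mail.partner.example": None,
    "other.example": "smtp:[relay.other.example]:587",
}


def effective_nexthop(recipient_domain, transport_result=None):
    """Return the nexthop string that becomes the policy lookup key.

    A transport result has the form "transport:nexthop". The nexthop is
    taken verbatim, brackets and :port included. Without a nexthop the
    recipient domain is used.
    """
    if not transport_result:
        return recipient_domain
    _transport, _, nexthop = transport_result.partition(":")
    return nexthop or recipient_domain


def policy_lookup_keys(nexthop):
    """List the keys tried, in order, for one nexthop."""
    if nexthop.startswith("[") or ":" in nexthop:
        return [nexthop]            # adorned: one verbatim lookup only
    keys = [nexthop]
    rest = nexthop
    while "." in rest[1:]:          # unadorned: also try parent domains
        rest = rest[rest.index(".", 1):]
        keys.append(rest)
    return keys


def resolve_policy(policy_table, recipient_domain, transport_result=None):
    """Return (nexthop, matched key or None, level or None)."""
    nexthop = effective_nexthop(recipient_domain, transport_result)
    for key in policy_lookup_keys(nexthop):
        if key in policy_table:
            return nexthop, key, policy_table[key]
    return nexthop, None, None


def audit(policy_table, routes):
    """Return (recipient domain, nexthop) pairs that match no policy entry."""
    missing = []
    for domain, transport_result in routes.items():
        nexthop, key, _level = resolve_policy(policy_table, domain,
                                              transport_result)
        if key is None:
            missing.append((domain, nexthop))
    return missing


if __name__ == "__main__":
    for domain, nexthop in audit(POLICY, ROUTES):
        print("no TLS policy entry applies:", domain, "via", nexthop)
```

For rcpt.example the table holds both a recipient-domain entry and a bracketed entry, yet neither applies, because the transport override makes the unbracketed host the lookup key.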
Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
Viktor: TOO MUCH MANUAL QUEUE MANAGEMENT.

Wietse: So I speculate that what you see was the result of a postsuper -r race condition.

Thanks! That was it. A colleague told me, that the queue on that system and a subsequent content filter had been congested and users were waiting impatiently for their mail. Therefore he changed routing to skip the subsequent content filter and ran postsuper -r ALL and postfix flush several times within short timeframe - maybe even in parallel (more than 1 colleague). Some of them also used postqueue -i ALL. I'll advise them to let postfix queue management do its job and to be careful with such actions.

And also thanks for the TLS related configuration hints. I'll update the configuration accordingly.

Just one more question: Looking at the queue directories, I found:

# find /var/spool/postfix/defer -type f|wc -l
13532

While postqueue says:

# postqueue -p
Mail queue is empty

Is this also a consequence of too much manual queue management, maybe in combination with a race condition? Is it safe to stop postfix and delete these files (maybe with find -mtime +30 or such)? Nobody has reported missing e-mails and the files are rather old:

-rw--- 1 postfix postfix 372 Oct 31 2011 F3A1DE7C0
-rw--- 1 postfix postfix 529 Oct 25 2011 F3A409CC5
-rw--- 1 postfix postfix 362 Oct 9 2013 F3AF29F61
-rw--- 1 postfix postfix 362 Oct 9 2013 F3B01ACC8
-rw--- 1 postfix postfix 524 Feb 24 2012 F3B84116E4
-rw--- 1 postfix postfix 337 Jul 22 2013 F3BC458AD
...

Thank you very much!

Jan
Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified
Jan P. Kessler:

Viktor: TOO MUCH MANUAL QUEUE MANAGEMENT.

Just one more question: Looking at the queue directories, I found:

# find /var/spool/postfix/defer -type f|wc -l
13532

Bleh.

While postqueue says:

# postqueue -p
Mail queue is empty

Is this also a consequence of too much manual queue management,

No mail is lost if these files are orphans after postsuper -r/-h manipulations. All other manipulations will result in loss of email (email that was not delivered, without sender notification).

Is it safe to stop postfix and delete these files (maybe with find -mtime +30 or such)? Nobody has reported missing e-mails and the files are rather old:

These files will eventually be reused, but removing old files should be safe.

Wietse
Limit PHP web application to connect postfix on localhost
Hi. Hello! Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible? Regards -- - _Engº Julio Cesar Covolato 0v0 ju...@psi.com.br /(_)\ F: 55-11-3129-3366 ^ ^ PSI INTERNET -
Re: Limit PHP web application to connect postfix on localhost
On 24.10.2014 at 20:47, Julio Cesar Covolato wrote:

Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible?

not a postfix question at all but:

* forbid the mail command in PHP
* don't list 127.0.0.1 in mynetworks
* and if no use-case drop port 25 except to loopback device
Re: Limit PHP web application to connect postfix on localhost
Julio Cesar Covolato: Hi. Hello! Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible? You don't want to do that in Postfix, as it would have to reject mail, and rejected mail would not be delivered. Rate limit the PHP application. Wietse
Re: Limit PHP web application to connect postfix on localhost
* on the Fri, Oct 24, 2014 at 03:41:22PM -0400, Wietse Venema wrote:

Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible?

You don't want to do that in Postfix, as it would have to reject mail, and rejected mail would not be delivered. Rate limit the PHP application.

I did this for a shared hosting system about ten years ago using the ident functionality in Exim. I installed a local ident daemon and then configured Exim to talk to it. Once Exim knew the user, it could apply user-level ratelimiting to both mail submitted via the executable and that submitted via a TCP socket together.

If Postfix doesn't have ident support and allowing tcp connections for mail submission is important, you might want to take a look at Exim instead.

-- 
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: Limit PHP web application to connect postfix on localhost
On 10/24/2014 2:47 PM, Julio Cesar Covolato wrote: Hi. Hello! Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible? Regards Using PHP's mail() function which sends via 25 is A Bad Thing. Use something like phpmailer class to use submission and a policy server to rate limit.
Re: Limit PHP web application to connect postfix on localhost
On 24.10.2014 at 22:22, Mike Cardwell wrote:

* on the Fri, Oct 24, 2014 at 03:41:22PM -0400, Wietse Venema wrote:

Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible?

You don't want to do that in Postfix, as it would have to reject mail, and rejected mail would not be delivered. Rate limit the PHP application.

I did this for a shared hosting system about ten years ago using the ident functionality in Exim. I installed a local ident daemon and then configured Exim to talk to it. Once Exim knew the user, it could apply user-level ratelimiting to both mail submitted via the executable and that submitted via a TCP socket together. If Postfix doesn't have ident support and allowing tcp connections for mail submission is important, you might want to take a look at Exim instead

that's not the problem

the problem is that a website script can't handle a temporary reject and so you end in lose random mails if for whatever reason the app exceeds the limits

if you fear injected junk then install a content-filter or just remove functionality on websites which allow to define destination address by untrusted user input (recommend page with a user-defined content part and so on)
Re: Limit PHP web application to connect postfix on localhost
On 24.10.2014 at 22:41, Rod K wrote:

On 10/24/2014 2:47 PM, Julio Cesar Covolato wrote:

Hi. Hello! Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible? Regards

Using PHP's mail() function which sends via 25 is A Bad Thing

mail() don't use TCP, it uses pickup/sendmail

Use something like phpmailer class to use submission and a policy server to rate limit

don't change the fact that a web-app can't handle rate-limiting and you just lose mail which exceeds the limit - in any case you need to fix or just remove the vulnerable web-application or end with randomly lost legit mail

what should the php-app do if the MTA rejects the mail because you hit the rate-control? queue it? how and where - that's why it talks to the MTA instead to the final MX
Re: Limit PHP web application to connect postfix on localhost
Mike Cardwell:

* on the Fri, Oct 24, 2014 at 03:41:22PM -0400, Wietse Venema wrote:

Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible?

You don't want to do that in Postfix, as it would have to reject mail, and rejected mail would not be delivered. Rate limit the PHP application.

I did this for a shared hosting system about ten years ago using the ident functionality in Exim. I installed a local ident daemon and then configured Exim to talk to it. Once Exim knew the user, it could apply user-level ratelimiting to both mail submitted via the executable and that submitted via a TCP socket together.

And how does Exim throttle the client? If it replies with 4xx or 5xx then you are rejecting mail, and rejected mail would not be delivered.

Postfix has built-in rate limits but unlike you I am not evangelizing about those for the reasons stated in the previous paragraph.

Wietse
Re: Limit PHP web application to connect postfix on localhost
* on the Fri, Oct 24, 2014 at 10:42:27PM +0200, li...@rhsoft.net wrote:

Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible?

You don't want to do that in Postfix, as it would have to reject mail, and rejected mail would not be delivered. Rate limit the PHP application.

I did this for a shared hosting system about ten years ago using the ident functionality in Exim. I installed a local ident daemon and then configured Exim to talk to it. Once Exim knew the user, it could apply user-level ratelimiting to both mail submitted via the executable and that submitted via a TCP socket together. If Postfix doesn't have ident support and allowing tcp connections for mail submission is important, you might want to take a look at Exim instead

that's not the problem

I just re-read his question, and yes, it is the problem.

the problem is that a website script can't handle a temporary reject

That's not true.

and so you end in lose random mails if for whatever reason the app exceeds the limits

Web-apps that weren't written to handle retries, don't handle retries. I'll agree with that.

if you fear injected junk then install a content-filter or just remove functionality on websites which allow to define destination address by untrusted user input (recommend page with a user-defined content part and so on)

I'm guessing you've never worked for a shared hosting company which provides a platform where tens of thousands of users can upload their own php scripts. Content filtering is useful, but ratelimiting is essential in these environments.

If a user attempts to send more email than they are allowed to and the mail server starts rejecting it and the users code doesn't handle this case, then from the shared hosting companies point of view, it is a problem at the users end.
-- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: Limit PHP web application to connect postfix on localhost
On 24.10.2014 at 22:56, Mike Cardwell wrote:

* on the Fri, Oct 24, 2014 at 10:42:27PM +0200, li...@rhsoft.net wrote:

Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible?

You don't want to do that in Postfix, as it would have to reject mail, and rejected mail would not be delivered. Rate limit the PHP application.

I did this for a shared hosting system about ten years ago using the ident functionality in Exim. I installed a local ident daemon and then configured Exim to talk to it. Once Exim knew the user, it could apply user-level ratelimiting to both mail submitted via the executable and that submitted via a TCP socket together. If Postfix doesn't have ident support and allowing tcp connections for mail submission is important, you might want to take a look at Exim instead

that's not the problem

I just re-read his question, and yes, it is the problem.

then you as well as the OP don't understand the real problem

the problem is that a website script can't handle a temporary reject

That's not true.

it is true - period

nobody right in his brain implements a mail queue in a scripting language like PHP where the script just get terminated after the request

and so you end in lose random mails if for whatever reason the app exceeds the limits

Web-apps that weren't written to handle retries, don't handle retries. I'll agree with that.

see above

if you fear injected junk then install a content-filter or just remove functionality on websites which allow to define destination address by untrusted user input (recommend page with a user-defined content part and so on)

I'm guessing you've never worked for a shared hosting company which provides a platform where tens of thousands of users can upload their own php scripts. Content filtering is useful, but ratelimiting is essential in these environments.
i guess i have a lot of expierience with webhosting, it's my daily job rate limiting mail from webapps just burries the issue but don't solve it and the only gain you have is that probably nobody is missing legit mail from the damaged apps If a user attempts to send more email than they are allowed to and the mail server starts rejecting it and the users code doesn't handle this case, then from the shared hosting companies point of view, it is a problem at the users end blunt speaking outside of a ivory tower it's the companies problem because if it forces me as user to try implement a mail queue in a php-application that's just incompetence and the wrong hosting company - if i have to do that i don't need the f*** MTA at all and can directly deliver to the MX
Re: Limit PHP web application to connect postfix on localhost
Mike Cardwell:
> If a user attempts to send more email than they are allowed to and the mail server starts rejecting it and the user's code doesn't handle this case, then from the shared hosting company's point of view, it is a problem at the user's end.

In that case, Postfix can require that the SMTP client uses PHP's SASL support to authenticate, and with postfwd, Postfix can rate limit the sender based on SASL credentials and other attributes.

No need to switch mail servers for this. SASL-based rate limits have been supported since Postfix 2.2, and postfwd has been around for many years (other policy daemons may also do the job; I have lost count).

Wietse
Re: Limit PHP web application to connect postfix on localhost
On 10/24/2014 4:47 PM, li...@rhsoft.net wrote:
> On 24.10.2014 at 22:41, Rod K wrote:
>> On 10/24/2014 2:47 PM, Julio Cesar Covolato wrote:
>>> Hi. Hello!
>>> Is there a way to limit connections from web applications on the same server for postfix? The web application sends messages via smtp on localhost (127.0.0.1:25). Need to limit the maximum 5k messages per hour. Is that possible?
>>> Regards
>> Using PHP's mail() function which sends via 25 is A Bad Thing
> mail() don't use TCP, it uses pickup/sendmail

Correct. My point was that, in the most common Apache/PHP configuration, there is no way to tell which site on a shared host sent the mail. Using SASL via submission and a policy server to rate limit, the OP gets his problem solved AND should a site be sending spam a quick check of the logs and he'll know which site generated it.

>> Use something like phpmailer class to use submission and a policy server to rate limit
> don't change the fact that a web-app can't handle rate-limiting and you just lose mail which exceeds the limit - in any case you need to fix or just remove the vulnerable web-application or end with randomly lost legit mail

And rate limiting would force the user to do just that, no?

> what should the php-app do if the MTA rejects the mail because you hit the rate-control? queue it? how and where - that's why it talks to the MTA instead to the final MX

WTF? How is the mail admin supposed to solve this problem for the user? If the user's script doesn't handle it there is nothing the mail admin can do about it. Unless you just want to accept all email from localhost and deliver it no matter what. Furthermore, even if the user's script isn't handling rejections he should be checking his error logs, no?
Re: Limit PHP web application to connect postfix on localhost
* on the Fri, Oct 24, 2014 at 11:04:18PM +0200, li...@rhsoft.net wrote:
>>> the problem is that a website script can't handle a temporary reject
>> That's not true.
> it is true - period nobody right in his brain implements a mail queue in a scripting language like PHP where the script just get terminated after the request

You just said that something can't be done period, and then immediately described one way of doing it... I don't know how to debate with somebody who contradicts themselves so emphatically. Are you completely oblivious to the absurdity of what you just wrote? As a web developer myself, I would say that an application which sends emails that need to be delivered, and which doesn't handle failures, is broken.

>>> and so you end in lose random mails if for whatever reason the app exceeds the limits
>> Web-apps that weren't written to handle retries, don't handle retries. I'll agree with that.
> see above

See what above? The bit where you said it can't be done and then said it can be done? If you're writing code which doesn't handle failures, then you're writing bad and lazy code.

>>> if you fear injected junk then install a content-filter or just remove functionality on websites which allow to define destination address by untrusted user input (recommend page with a user-defined content part and so on)
>> I'm guessing you've never worked for a shared hosting company which provides a platform where tens of thousands of users can upload their own php scripts. Content filtering is useful, but ratelimiting is essential in these environments.
> i guess i have a lot of experience with webhosting, it's my daily job rate limiting mail from webapps just buries the issue but don't solve it and the only gain you have is that probably nobody is missing legit mail from the damaged apps

In the real world, php apps get abused to send spam. In the real world content filtering isn't perfect. If you don't rate limit mail from these platforms then you're being a bad netizen.

>> If a user attempts to send more email than they are allowed to and the mail server starts rejecting it and the user's code doesn't handle this case, then from the shared hosting company's point of view, it is a problem at the user's end
> blunt speaking outside of an ivory tower it's the company's problem because if it forces me as user to try implement a mail queue in a php-application that's just incompetence and the wrong hosting company -

If you can't code your web app to notice when email attempts fail and to retry them later, then you're not qualified to write a web app and you're most likely a toxic customer. I suspect most shared hosting companies would be glad to see the back of such a customer.

> if i have to do that i don't need the f*** MTA at all and can directly deliver to the MX

It would be an irresponsibly configured shared hosting platform which allowed users to make outgoing port 25 TCP connections.

--
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: Limit PHP web application to connect postfix on localhost
* on the Fri, Oct 24, 2014 at 05:09:21PM -0400, Wietse Venema wrote:
>> If a user attempts to send more email than they are allowed to and the mail server starts rejecting it and the user's code doesn't handle this case, then from the shared hosting company's point of view, it is a problem at the user's end.
> In that case, Postfix can require that the SMTP client uses PHP's SASL support to authenticate, and with postfwd, Postfix can rate limit the sender based on SASL credentials and other attributes.
>
> No need to switch mail servers for this. SASL-based rate limits have been supported since Postfix 2.2, and postfwd has been around for many years (other policy daemons may also do the job; I have lost count).

That sounds like a fine solution.

--
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: Limit PHP web application to connect postfix on localhost
On 25.10.2014 at 00:28, Mike Cardwell wrote:
> * on the Fri, Oct 24, 2014 at 11:04:18PM +0200, li...@rhsoft.net wrote:
>>>> and so you end in lose random mails if for whatever reason the app exceeds the limits
>>> Web-apps that weren't written to handle retries, don't handle retries. I'll agree with that.
>> see above
> See what above? The bit where you said it can't be done and then said it can be done? If you're writing code which doesn't handle failures, then you're writing bad and lazy code

the reason to have a *local* MTA on the webserver is to handover SMTP failures at delivery and until now nobody was able to show a php application replacing the MTA logic in a sane way

> If you can't code your web app to notice when email attempts fail and to retry them later, then you're not qualified to write a web app and you're most likely a toxic customer. I suspect most shared hosting companies would be glad to see the back of such a customer

i suspect most shared hosting companies would be glad to see back a customer blocking his webserver connection by re-try outgoing network operations and make the server a victim for easy DOS

happily i am the developer, web/mail/db/dns admin myself

EOT
Re: Limit PHP web application to connect postfix on localhost
* on the Fri, Oct 24, 2014 at 04:51:42PM -0400, Wietse Venema wrote:
>> I did this for a shared hosting system about ten years ago using the ident functionality in Exim. I installed a local ident daemon and then configured Exim to talk to it. Once Exim knew the user, it could apply user-level ratelimiting to both mail submitted via the executable and that submitted via a TCP socket together.
> And how does Exim throttle the client? If it replies with 4xx or 5xx then you are rejecting mail, and rejected mail would not be delivered.

However you configure it to... In my particular case I made it accept the mail but freeze it in the queue instead of delivering it. I then had a tool which would monitor the queues for frozen mail and alert us so that it could either be thawed or rejected after a manual inspection.

Alternatively I could have made it reject with a 4xx or a 5xx, or accept and bounce the message back to the account holder of the web app, or deliver it to a special mailbox, or let it through and flag the account up for inspection, or insert something into a database and alert them some other way, or a million other things... There is a suitable detachment in Exim between it noticing that a configured ratelimit has been hit and how to use that information, or not use it.

> Postfix has built-in rate limits but unlike you I am not evangelizing about those for the reasons stated in the previous paragraph.

There is value in noticing when a user is sending an unexpectedly large amount of mail, even if you don't use that information to reject. Ratelimiting is a highly useful tool.

--
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
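Added example, not part of any post in this thread and not postfwd or Postfix code: a small Python policy daemon of the kind Wietse mentions, limiting per sasl_username over Postfix's policy delegation protocol, with the over-limit action configurable so that noticing the limit and acting on it stay separate, as Mike describes for Exim. The port, the sample request and all class and function names are assumptions made for the illustration.

```python
import socketserver, threading, time
from collections import defaultdict, deque

# Over-limit action, any access(5) action works. "DEFER_IF_PERMIT <text>" makes
# the client see a 4xx; "HOLD <text>" accepts the mail into the hold queue.
OVER_LIMIT_ACTION = "HOLD sender over hourly limit"

# Constructed sample request (not from the thread): name=value lines, blank end.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=127.0.0.1\nsasl_username=site42\n\n")

def parse_request(text):
    """Turn one request (name=value lines ended by an empty line) into a dict."""
    head = text.split("\n\n", 1)[0]
    return dict(l.split("=", 1) for l in head.splitlines() if "=" in l)

class RateLimiter:
    def __init__(self, limit=5000, window=3600, over=OVER_LIMIT_ACTION):
        self.limit, self.window, self.over = limit, window, over
        self.seen = defaultdict(deque)      # key -> timestamps of accepted RCPTs
        self.lock = threading.Lock()

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        if attrs.get("protocol_state") != "RCPT":
            return "DUNNO"                  # counted per recipient, once each
        # Without SASL every site on the host collapses into one 127.0.0.1 key.
        key = attrs.get("sasl_username") or "ip:" + attrs.get("client_address", "?")
        with self.lock:
            stamps = self.seen[key]
            while stamps and stamps[0] <= now - self.window:
                stamps.popleft()            # drop entries older than the window
            if len(stamps) >= self.limit:
                return self.over
            stamps.append(now)
        return "DUNNO"                      # no opinion, later rules decide

LIMITER = RateLimiter()

class Handler(socketserver.StreamRequestHandler):
    def handle(self):                       # one connection, many requests
        buf = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                buf.append(line)
                continue
            action = LIMITER.decide(parse_request("\n".join(buf)))
            self.wfile.write(("action=%s\n\n" % action).encode())
            buf = []

if __name__ == "__main__":                  # port 10040 is an arbitrary choice
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), Handler).serve_forever()
```

Postfix would reach it with check_policy_service inet:127.0.0.1:10040 in smtpd_recipient_restrictions; with the HOLD action, held mail shows up in mailq and is released with postsuper -H after inspection.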
Symantec/Messagelabs starttls - ClientCertificateRequested
I've known for many years that Messagelabs, now part of Symantec, requests a valid client certificate from a narrow list of CAs if you want to use starttls with their servers, at least *.eu.messagelabs.com. This effectively kills off the use of any self-signed, expired and invalid certificates.

Through an intermediate many years ago who talked to them I learned that they did written peering agreements if you wanted to use starttls with them. Now the peering agreement seems gone, but the other requirements are still in place.

Is there anyone out there with a peering agreement, and/or any other info on the configuration reasoning behind their selective choices? I just assume that a whole lot of mail must be sent in plain due to their very narrow approach?

Regards,
Per Thorsheim
Re: Symantec/Messagelabs starttls - ClientCertificateRequested
On Sat, Oct 25, 2014 at 01:13:38AM +0200, Per Thorsheim wrote:
> I've known for many years that Messagelabs, now part of Symantec, requests a valid client certificate from a narrow list of CAs if you want to use starttls with their servers, at least *.eu.messagelabs.com.

Can you explain what you're talking about? Sending mail to their servers via TLS works just fine, with no client certificates of any kind.

    $ posttls-finger -dsha256 symantec.com
    posttls-finger: Connected to cluster4.us.messagelabs.com[216.82.253.227]:25
    posttls-finger: 220 server-10.tower-170.messagelabs.com ESMTP
    posttls-finger: EHLO amnesiac.example
    posttls-finger: 250-server-10.tower-170.messagelabs.com
    posttls-finger: 250-STARTTLS
    posttls-finger: 250-PIPELINING
    posttls-finger: 250 8BITMIME
    posttls-finger: STARTTLS
    posttls-finger: 220 ready for TLS
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: Matched subjectAltName: cluster4.us.messagelabs.com
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subjectAltName: cluster4a.us.messagelabs.com
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subjectAltName: cluster4out.us.messagelabs.com
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subjectAltName: mail170.messagelabs.com
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25 CommonName mail170.messagelabs.com
    posttls-finger: certificate verification failed for cluster4.us.messagelabs.com[216.82.253.227]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subject_CN=cluster4.us.messagelabs.com, issuer_CN=Symantec Class 3 Secure Server CA - G4, fingerprint=50:F0:54:A2:DE:8B:F1:8B:30:41:08:E6:40:DF:C9:2E:68:0C:43:BD:13:F9:40:78:EB:78:C7:F8:56:B8:F4:BB, pkey_fingerprint=AC:5D:D9:85:24:52:21:7C:BE:97:C8:C9:C2:35:E9:FA:1A:8E:6E:19:12:B7:28:EF:35:A5:4C:E3:E8:8C:AA:08
    posttls-finger: Untrusted TLS connection established to cluster4.us.messagelabs.com[216.82.253.227]:25: unknown with cipher DHE-RSA-AES256-SHA (256/256 bits)
    posttls-finger: EHLO amnesiac.example
    posttls-finger: 250-server-10.tower-170.messagelabs.com
    posttls-finger: 250-PIPELINING
    posttls-finger: 250 8BITMIME
    posttls-finger: QUIT
    posttls-finger: 221 server-10.tower-170.messagelabs.com

Likewise receiving mail from them also works just fine over TLS, with the self-signed certificate on my server.

    Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: connect from mail1.bemta8.messagelabs.com[216.82.243.197]
    Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: Anonymous TLS connection established from mail1.bemta8.messagelabs.com[216.82.243.197]: TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Aug 22 21:55:46 amnesiac postfix/smtpd[28468]: 0C6C52AACA3: client=mail1.bemta8.messagelabs.com[216.82.243.197]
    Aug 22 21:55:46 amnesiac postfix/cleanup[27403]: 0C6C52AACA3: message-id=...
    Aug 22 21:55:46 amnesiac postfix/qmgr[628]: 0C6C52AACA3: from=..., size=3428, nrcpt=1 (queue active)
    Aug 22 21:55:46 amnesiac postfix/virtual[7634]: 0C6C52AACA3: to=..., orig_to=..., relay=virtual, delay=0.51, delays=0.51/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
    Aug 22 21:55:46 amnesiac postfix/qmgr[628]: 0C6C52AACA3: removed

> I just assume that a whole lot of mail must be sent in plain due to their very narrow approach?

What narrow approach is that? Some of the larger outsourced email security services act in part like transparent proxies, mirroring the features of the sending client to the receiving system, so if the origin employs STARTTLS, so does the proxy. Thus not all the mail I've received from them is TLS protected, but most is. And indeed for my limited sample use of TLS seems to correlate with the sender domain.

--
    Viktor.