RE: Can Postscreen and Smapassassin be used together

[L . P . H . van Belle]

Hai, 

I thinking why not put them together 

Ik run a setup like this 
https://wiki.dest-unreachable.net/pages/viewpage.action?pageId=15892484 

which uses postscreen spamassassin clamav and this works very wel for me. 
And the load is not to much, but depends on the amount of emails your 
processing. 

The extra thing i added in above setup is fail2ban + ufw to offload 
the dns queries and the server a bit.

I created the following in fail2ban. 
Jail.local 
[postfix-dnsblog]
enabled  = true
port = all
filter   = postfix-dnsblog
banaction = ufw-all
maxretry = 1
logpath  = /var/log/mail.log
bantime  = 84600

and in filter.d/postfix-dnsblog.conf
[INCLUDES]
before = common.conf
[Definition]
failregex = addr  listed by domain

and the action 
/etc/fail2ban/action.d/ufw-all.conf
# Fail2Ban configuration file
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from  to any
actionunban = ufw delete deny from  to any



Greetz, 

Louis

> -Oorspronkelijk bericht-
> Van: li...@planetcobalt.net [mailto:owner-postfix-us...@postfix.org]
> Namens Ansgar Wiechers
> Verzonden: donderdag 10 september 2015 9:27
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Can Postscreen and Smapassassin be used together
> 
> On 2015-09-10 Robert Chalmers wrote:
> > I’m currently running postscreen, and am wondering how I would add
> > spamassassin to the main.cf configuration, or are they mutually
> > exclusive?
> 
> I'm not sure if they technically can't be used together, but they
> shouldn't be. Spamassassin is rather heavyweight whereas Postscreen was
> designed to be a lightweight zombie deflection tool. You'd lose that
> low resource impact advantage by mixing the two.
> 
> Regards
> Ansgar Wiechers
> --
> "Abstractions save us time working, but they don't save us time learning."
> --Joel Spolsky

Re: Can Postscreen and Smapassassin be used together

[Patrick Ben Koetter]

* Ansgar Wiechers :
> On 2015-09-10 Robert Chalmers wrote:
> > I’m currently running postscreen, and am wondering how I would add
> > spamassassin to the main.cf configuration, or are they mutually
> > exclusive?
> 
> I'm not sure if they technically can't be used together, but they
> shouldn't be. Spamassassin is rather heavyweight whereas Postscreen was
> designed to be a lightweight zombie deflection tool. You'd lose that
> low resource impact advantage by mixing the two.

They can't *and* it doesn't make sense. See this graph. It shows the various
filter groups in Postfix and the sequence in which they take place. This is
how a message runs through the Postfix filters when a client tries to deliver
a message to Postfix:

connection filter -> session filter -> content filter

Postscreen is a connection filter. It "sees" client IP addresses and it
implements a fake SMTP server. The fake SMTP server does lightweight tests
only. Postscreens job is to keep Postfix' service available. It decides within
very short time if a connection request should be passed on to the Postfix
smtpd SMTP server component. The focus here is on lightweight and maximum
speed.

Spamassassin is a content filter. It "sees" IP addresses, session data and
content. It examines the content for signs indicating a message might contain
spam or ham. It runds hundreds of tests to find out if a message contains
spam or not. It is heavyweight and it takes (very) long to determine a
result.

So technically the two programs take place at different stages during the
delivery process and it is not possible to run a content filter during
the connection stage in a useful way. All the content filter would "see" are
IP addresses - no content.

It wouldn't make sense to expand postscreens' capabilities either to feed a
content filter, because that would sacrifice the use is has been build for.

If you want/need to increase the systems filter effectiveness tell us about
the current problems you face and we can start sharing ideas and concepts.

p@rick

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
 

Re: Can Postscreen and Smapassassin be used together

[Wietse Venema]

Robert Chalmers:
> I?m currently running postscreen, and am wondering how I would add 
> spamassassin to the main.cf configuration, or are they mutually exclusive?

They are meant to coexist.  postscreen implements the first layer
in a multi-layer defense, header/body_checks are somewhere in the
middle, and deep content inspection (spamassassin) the last layer.

Wietse

Re: Can Postscreen and Smapassassin be used together

[Ansgar Wiechers]

On 2015-09-10 Robert Chalmers wrote:
> I’m currently running postscreen, and am wondering how I would add
> spamassassin to the main.cf configuration, or are they mutually
> exclusive?

I'm not sure if they technically can't be used together, but they
shouldn't be. Spamassassin is rather heavyweight whereas Postscreen was
designed to be a lightweight zombie deflection tool. You'd lose that
low resource impact advantage by mixing the two.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Postfix ML Configuration for Sender Header

[Sebastian Wiesinger]

Hello,

a while ago I changed my mail configuration for mailinglists. I have
individual mail addresses for every mailing list and the configuration
now looks like this:

From: Sebastian Wiesinger 
Sender: postfix-us...@ml.karotte.org

This has the advantage that off-list answers go to my main
mailaddress.

This seems to work with all of my mailinglists (most of them use
Mailman I think) but not with postfix-users. Here my list address
needs to be in the From: field.

Is this something that can be changed in Majordomo (and you would be
willing to change)?

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

Re: AntiSpam & AntiVirus Integration with Postfix: lots of tools, but which one's AREN'T 'dead'?

[Sebastian Wiesinger]

* joh...@fastmail.com  [2015-09-09 03:03]:
> Ken
> 
> On Tue, Sep 8, 2015, at 05:49 PM, Ken Peng wrote:
> > How about Spamassassin? we have been using it for a long time.
> 
> And how are you integrating it into Postfix.  That was my question
> not whether to use Spamassassin.  I kindof decided on that already
> in the original post.

I do it like this (albeit with Dovecot als MDA):

master.cf:

dovecot-sa   unix  -   n   n   -   -   pipe
  flags=ODRhu user=vmail:mail argv=/usr/bin/spamc -u
  ${user}@${nexthop} -e /usr/lib/dovecot/deliver -f ${sender} -a
  ${recipient} -d ${user}@${nexthop}



main.cf:

virtual_transport = dovecot-sa
dovecot-sa_destination_recipient_limit = 1

Spamassassin is getting the user config from MySQL and users can
change settings with Roundcube.

Works very reliably for some years now.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

Re: Can Postscreen and Smapassassin be used together

[Peter]

On 09/10/2015 06:37 PM, Robert Chalmers wrote:
> I’m currently running postscreen, and am wondering how I would add
> spamassassin to the main.cf configuration, or are they mutually
> exclusive?

In spite of what others have said, you can certainly use them together
and many many installations do exactly that.

Postscreen is a lightweight triage server that sits in front of postfix
and will get rid of the bulk of SPAM without hardly any impact on system
performance.  Spamassassin is more thorough and will get rid of most of
the SPAM that postscreen misses.

Because of the heavyweight nature of Spamassassin it helps quite a bit
to cut back on its load by running postscreen first, then there is not
anywhere near as many messages left for SA to have to process and you
can cut back on required system resources significantly.  Spamassassin
then processes and gets rid of (most of) the rest of the SPAM that
postscreen misses.

What you don't want to do is run postscreen and postgrey on the same
system.  I see a lot of people make that mistake and it results in
serious mail delays because messages end up being deferred twice (first
by postscreen then by postgrey).  I always suggest that people get rid
of postgrey and just use postscreen in this case.


Peter

ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Francis Brosnan Blázquez]

Hello there,

First of all, congratulate all folks behind this remarkable, predictable
and reliable software that is postfix, which...at the same time is
well documented (bonus). It is is difficult to find software with some
of these attributes, but postfix have them all.

--== CONTEXT OF THE PROBLEM ==--

Having said that, we are trying to implement a discard for a particular
recipient of a multi-recipient message (which seems to be something
recurrent). At this point, we are trying to discard based on the
destination domain and/or the local-part@ (without considering the
destination domain) by reporting a DISCARD code using delegation
protocol (with valvula [1]).

At the same time, we are using the following type of declarations at
master.cf, combined with FILTER command (delegation), to make a
particular sasl user to use a particular outgoing ip when accepted:

transport16  unix -   -   n   -   -   smtp
-o smtp_bind_address=X.X.X.X
-o syslog_name=postfix16

--== WHAT FAILS ==--

After reviewing documentation about why discard applies to all
recipient, we have found that this is documented and expected behaviour:

   http://www.postfix.org/access.5.html

   Note:  this  action currently affects all recipients of the 
  message.  To discard only  one  recipient  without 
  discarding  the entire message, use the transport(5) table to
  direct mail to the discard(8) service.

After that, we have tried to implement suggested solution by declaring a

  transport_maps = hash:/etc/postfix/transports
  
...where we declare destination domains we want to discard. 

  # with format
  yahoogroups.com discard:
 .yahoogroups.com discard:

  # and the corresponding 
  >> postmap /etc/postfix/transports

However, we are finding two problems:

1) When a FILTER command is issued to a particular transport to use a
particular outbound IP (as shown in the example above, transport16), the
smtp(8) client created that delivers that message, entirely ignores any
declaration found for transport_maps = ..., so domains declared there,
aren't discarded. 

2) Even though having previous point working, we haven't found any
possible solution to "discard:" (via transport) or DISCARD (via
delegation) based on the local-part@ in for a particular recipient in a
multi-recipient message.

--== QUESTIONS ==--

1) Is there a way do a DISCARD of a particular recipient in a
mult-recipient message and at the same time calling FILTER+trasnport16
to select a particular outgoing IP as we did?

2) Same question as 1) but from a different point of view, is there a
way to flag as "already handled/delivered" a particular recipient in a
message directly in the queue?   

3) Are we wrong or the only solution is to go with a smtp-like content
filter that does the recipient removal? 

Thanks for your time and patience, 
Best Regards,

[1] http://www.aspl.es/valvula

-- 
Francis Brosnan Blázquez 
ASPL
91 134 14 22 - 91 134 14 45 - 91 116 07 57

AVISO LEGAL

Este mensaje se dirige exclusivamente a su destinatario. Los datos
incluidos en el presente correo son confidenciales y sometidos a secreto
profesional, se prohíbe divulgarlos, en virtud de las leyes vigentes. Si
usted no lo es y lo ha recibido por error o tiene conocimiento del mismo
por cualquier motivo, le rogamos que nos lo comunique por este medio y
proceda a destruirlo o borrarlo.

En virtud de lo dispuesto en la Ley Orgánica 15/1999, de 13 de
diciembre, de Protección de Datos de Carácter Personal, le informamos de
que sus datos de carácter personal, recogidos de fuentes accesibles al
público o datos que usted nos ha facilitado previamente, proceden de
bases de datos propiedad de Advanced Software Production Line, S.L.
(ASPL). No obstante, usted puede ejercitar sus derechos de acceso,
rectificación, cancelación y oposición dispuestos en la mencionada Ley
Orgánica, notificándolo por escrito a:
ASPL - Protección Datos, C/Antonio Suárez 10 A-102, 28802, Alcalá de
Henares (Madrid).

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Wietse Venema]

Francis Brosnan Bl?zquez:
> At this point, we are trying to discard based on the destination
> domain and/or the local-part@ (without considering the destination
> domain) by reporting a DISCARD code using delegation protocol (with
> valvula [1]).

As documented, the DISCARD action discards the message, not the
recipient.  To drop only the recipient, use transport_maps to send
the recipient to the discard(8) service.

/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
u...@example.comdiscard:

After changing the file, do "postmap hash:/etc/postfix/transport".

To discard a recipient based on localpart, use a pcre table instead;
this requires no postmap command.

/etc/postfix/main.cf:
transport_maps = pcre:/etc/postfix/transport

/etc/postfix/transport:
# The ^ at the beginning is required to avoid false matches.
/^user@/discard:

Of course this will have collateral damage; it discards mail for
recipients in unrelated domains.

Wietse

Re: Postfix ML Configuration for Sender Header

[Wietse Venema]

Sebastian Wiesinger:
> Hello,
> 
> a while ago I changed my mail configuration for mailinglists. I have
> individual mail addresses for every mailing list and the configuration
> now looks like this:
> 
> From: Sebastian Wiesinger 
> Sender: postfix-us...@ml.karotte.org
> 
> This has the advantage that off-list answers go to my main
> mailaddress.
> 
> This seems to work with all of my mailinglists (most of them use
> Mailman I think) but not with postfix-users. Here my list address
> needs to be in the From: field.
> 
> Is this something that can be changed in Majordomo (and you would be
> willing to change)?

Sorry, that sounds bogus. No-one replies to the sender: address.

Wietse

Re: Can Postscreen and Smapassassin be used together

[Robert Schetterer]

Am 10.09.2015 um 10:47 schrieb Peter:
> What you don't want to do is run postscreen and postgrey on the same
> system. 

you can do it if you use i.e postgrey very selective
but for sure portscreen leaves not very much for postgrey

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Francis Brosnan Blázquez]

Hi Wietse,

Thanks for your response. Assuming this information, it should discard
as indicated by transport_maps. However, we are not seeing this
behaviour. 

This is the course of events:

1) Mail is accepted by postfix. After that, an indication is passed to
valvula on smtpd_data_restrictions:

smtpd_data_restrictions =
  check_policy_service inet:127.0.0.1:3579

2) Then, valvula based on its configuration, reports FILTER transp2:

Sep 10 16:49:53 host valvulad[16853]: info: FILTER:
fran...@aspl.es -> w...@asplhost.com
(sasl_user=mailing-sasluser), port 3579, rcpt count=1, queue-id
11C68F762, from X.X.X.X, no-tls: transp2:

3) That causes postfix to use transp2 declared at master.cf, 

Sep 10 16:49:53 host postfix/smtpd[15410]: 11C68F762: filter:
DATA from host[X.X.X.X]: : Data command triggers FILTER
transp2:; from= to=
proto=ESMTP helo=<[192.168.0.132]>

...which activates smtp(8) transport with the following configuration at
master.cf:

transp2  unix -   -   n   -   -   smtp
   -o smtp_bind_address=X.X.X.X
   -o smtp_helo_name=outboundname.asplhost.com
   -o syslog_name=postfix2

4) But instead of discarding it, smtp(8) attempts to actually deliver it
without considering what's declared in transport_maps:

Sep 10 17:02:15 host postfix2/smtp[26624]: AC04CEA1A:
to=, relay=mx1.asplhost.com[X.X.X.X]:25,
delay=74662, delays=74268/392/0.08/1.1, dsn=5.1.1,
status=bounced (host mx1.asplhost.com[X.X.X.X] said: 550 5.1.1
: Recipient address rejected: User unknown in
virtual mailbox table (in reply to RCPT TO command))

NOTE: certainly it fails because the account does not exists,
but that's not the point: it should have been discarded


It is like smtp(8) is ignoring what's declared on transport_maps because
it already has an order to use the transport indicated by the FILTER
+transp2 (point 2). Is it right or it shouldn't happen? 

If it is the intended behaviour, how can we configure a transport
(transp2) that instructs the particular IP to be used and, at the same
time, we can discard particular recipients in a multi-recipient message
using transport_maps? 

Thanks for your time and support,
Best Regards,

PS: Here is the complete configuration file we are using:

http://www.aspl.es/postfix-main.cf.txt   (ips and host 
  names masked)
http://www.aspl.es/postfix-master.cf.txt (ips and host 
  names masked)

At the same time, /etc/postfix/local-parts-spam-traps-accounts
has the following content:

/^web@/ discard:









> > At this point, we are trying to discard based on the destination
> > domain and/or the local-part@ (without considering the destination
> > domain) by reporting a DISCARD code using delegation protocol (with
> > valvula [1]).
> 
> As documented, the DISCARD action discards the message, not the
> recipient.  To drop only the recipient, use transport_maps to send
> the recipient to the discard(8) service.
> 
> /etc/postfix/main.cf:
> transport_maps = hash:/etc/postfix/transport
> 
> /etc/postfix/transport:
> u...@example.com  discard:
> 
> After changing the file, do "postmap hash:/etc/postfix/transport".
> 
> To discard a recipient based on localpart, use a pcre table instead;
> this requires no postmap command.
> 
> /etc/postfix/main.cf:
> transport_maps = pcre:/etc/postfix/transport
> 
> /etc/postfix/transport:
> # The ^ at the beginning is required to avoid false matches.
> /^user@/discard:
> 
> Of course this will have collateral damage; it discards mail for
> recipients in unrelated domains.
> 
>   Wietse

-- 
Francis Brosnan Blázquez 
ASPL
91 134 14 22 - 91 134 14 45 - 91 116 07 57

AVISO LEGAL

Este mensaje se dirige exclusivamente a su destinatario. Los datos
incluidos en el presente correo son confidenciales y sometidos a secreto
profesional, se prohíbe divulgarlos, en virtud de las leyes vigentes. Si
usted no lo es y lo ha recibido por error o tiene conocimiento del mismo
por cualquier motivo, le rogamos que nos lo comunique por este medio y
proceda a destruirlo o borrarlo.

En virtud de lo dispuesto en la Ley Orgánica 15/1999, de 13 de
diciembre, de Protección de Datos de Carácter Personal, le informamos de
que sus datos de carácter personal, recogidos de fuentes accesibles al
público o datos que usted nos ha facilitado previamente, proceden de
bases de datos propiedad de Advanced Software Production Line, S.L.
(ASPL). No obstante, usted puede ejercitar sus derechos de acceso,
rectificación, cancelación y oposición dispuestos en la mencionada Ley

Re: Can Postscreen and Smapassassin be used together

[Robert Schetterer]

Am 10.09.2015 um 08:37 schrieb Robert Chalmers:
> I’m currently running postscreen, and am wondering how I would add 
> spamassassin to the main.cf configuration, or are they mutually exclusive?
> 
> 

no problem works nice , perhaps use it as milter


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

content_filter and transport_map on outgoing mail interaction

[Mark Clarke]

Hi there,

We have a transport map setup so that mail destined for the local domain 
or from some subdomain email servers is not routed to our relay gateway. 
These entries have a null gateway set. Mail destined for all other 
domains is routed via our relay.


e.g

serve...@server01.abc.co.za :
ad...@dms.abc.co.za :
abc.co.za :
* smtp:relay.xyz.co.za


We need to apply a content_filter to all outgoing mail. To do this we 
have set up two smtp processes in master.cf


192.168.10.73:smtp  inet  n   -   -   - -   smtpd
192.168.10.72:smtp  inet  n   -   -   - -   smtpd
   -o content_filter=dfilt:
dfilt unix-   n   n   -   -   pipe
flags=Rq user=filter argv=/etc/postfix/postfix_filter.sh -f 
${sender} -- ${recipient}



this is for the altermime script. In main.cf we have set up

smtp_bind_address = 192.168.10.72

The problem is it appears the transport map simply by passes the 
outgoing smtp server settings as defined in main.cf and with 
smtp_bind_address. I have tried editing the transport map to force it to 
use the 192.168.10.72:smtp service but this doesn't work. How can I get 
this to work? i.e route outgoing mail to a specific gateway via 
transport maps but still apply a content filter to outgoing mail?



thanks

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Francis Brosnan Blázquez]

Hi Wietse,

Thanks for your response,

> This is how Postfix content filters work:
> 
> postfix1 -> filter -> postfix2
> 
> The filter takes precedence in postfix1; 

Just to clarify we are talking about the same thing, "filter" is not a
"content filter" taking the mail from postfix and re-injecting it into
postfix, but valvula reporting "FILTER transp2:", as described at [1],
using delegation protocol ([2]),

> transport_maps takes effect in postfix2.

I'm confused about this statement because it is not what's happening
right now and I have shown an example that demonstrates it :-?

If I update valvula's configuration to report DUNNO, and hence,
disabling the activation of "FILTER transp2:", then configurations
declared at transport_maps are honoured, 

Sep 10 18:53:06 host postfix/smtpd[17286]: connect from 
tarsonis.asplhost.com[X.X.X.X]
Sep 10 18:53:07 host postfix/smtpd[17286]: 156A3FB18: 
client=tarsonis.asplhost.com[X.X.X.X], sasl_method=PLAIN, 
sasl_username=mailing-sasluser
Sep 10 18:53:08 host valvulad[16853]: info: DUNNO: fran...@aspl.es -> 
w...@asplhost.com (sasl_user=mailing-sasluser), port 3579, rcpt count=1, 
queue-id 156A3FB18, from X.X.X.X, no-tls
Sep 10 18:53:08 host postfix/discard[17530]: 156A3FB18: 
to=, relay=none, delay=1, delays=1/0/0/0, dsn=2.0.0, 
status=sent (asplhost.com)
Sep 10 18:53:09 host postfix/smtpd[17286]: disconnect from 
tarsonis.asplhost.com[X.X.X.X]

But if I make valvula to report "FILTER transp2:", then postfix2, in the
diagram "postfix1 -> filter -> postfix2" completely ignores
transport_maps:

Sep 10 18:56:59 host postfix/smtpd[25423]: connect from 
tarsonis.asplhosting.com[X.X.X.X]
Sep 10 18:56:59 host postfix/smtpd[25423]: A1A0AEB03: 
client=tarsonis.asplhost.com[X.X.X.X], sasl_method=PLAIN, 
sasl_username=mailing-sasluser
Sep 10 18:56:59 host valvulad[16853]: info: FILTER: fran...@aspl.es -> 
w...@asplhost.com (sasl_user=mailing-sasluser), port 3579, rcpt count=1, 
queue-id A1A0AEB03, from X.X.X.X, no-tls: transp2:
Sep 10 18:56:59 host postfix/smtpd[25423]: A1A0AEB03: filter: DATA from 
tarsonis.asplhost.com[X.X.X.X]: : Data command triggers FILTER transp2:; 
from= to= proto=ESMTP helo=<[192.168.0.132]>
Sep 10 18:57:00 host postfix/smtpd[25423]: disconnect from 
tarsonis.asplhost.com[X.X.X.X]
Sep 10 18:57:00 host postfix2/smtp[23095]: A1A0AEB03: 
to=, relay=mx1.aspl.es[89.140.237.70]:25, delay=1.3, 
delays=0.07/0/0.17/1, dsn=5.1.1, status=bounced (host 
mx1.aspl.es[89.140.237.70] said: 550 5.1.1 : Recipient 
address rejected: User unknown in virtual mailbox table (in reply to RCPT TO 
command))

What I'm missing? Thanks for your patience and time,
Best Regards,

> Wietse 

[1] http://www.postfix.org/access.5.html
[2] http://www.postfix.org/SMTPD_POLICY_README.html

Re: content_filter and transport_map on outgoing mail interaction

[Viktor Dukhovni]

On Thu, Sep 10, 2015 at 06:12:44PM +0200, Mark Clarke wrote:

> We need to apply a content_filter to all outgoing mail. To do this we have
> set up two smtp processes in master.cf
> 
> 192.168.10.73:smtp  inet  n   -   -   - -   smtpd
> 192.168.10.72:smtp  inet  n   -   -   - -   smtpd
>-o content_filter=dfilt:

These are Postfix SMTP servers (accept incoming mail).

> dfilt unix-   n   n   -   -   pipe
> flags=Rq user=filter argv=/etc/postfix/postfix_filter.sh -f ${sender} --
> ${recipient}
> 
> 
> this is for the altermime script. In main.cf we have set up
> 
> smtp_bind_address = 192.168.10.72

This is a configuration parameter of the SMTP client (sends outgoing
mail).  It has nothing to do with which SMTP service mail will be
sent to.

> The problem is it appears the transport map simply by passes the outgoing
> smtp server settings as defined in main.cf and with smtp_bind_address.

There's no bypass, you're simply confused.

> I have tried editing the transport map to force it to use the
> 192.168.10.72:smtp service but this doesn't work.

To send to that service, you'd make the transport:

smtp:[192.168.10.72]

but that will almost certainly create a mai loop.

> How can I get this to
> work? i.e route outgoing mail to a specific gateway via transport maps but
> still apply a content filter to outgoing mail?

That's what Postfix does.  It first applies content filters, and
then once the mail is re-injected into queue (by a mechanism that
does set a content_filter) uses the transport table.

You're just confused.

-- 
Viktor.

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Viktor Dukhovni]

On Thu, Sep 10, 2015 at 07:01:59PM +0200, Francis Brosnan Blázquez wrote:

> > This is how Postfix content filters work:
> > 
> > postfix1 -> filter -> postfix2
> > 
> > The filter takes precedence in postfix1; 
> 
> Just to clarify we are talking about the same thing, "filter" is not a
> "content filter" taking the mail from postfix and re-injecting it into
> postfix, but valvula reporting "FILTER transp2:", as described at [1],
> using delegation protocol ([2]),

If your policy service says "FILTER ..." it is setting a content_filter
that preempts transport table routing for *all* recipients.

> I'm confused about this statement because it is not what's happening
> right now and I have shown an example that demonstrates it :-?

Yes, you're confused.  No, you don't have a counter-example.

> But if I make valvula to report "FILTER transp2:", then postfix2, in the
> diagram "postfix1 -> filter -> postfix2" completely ignores
> transport_maps:

Exactly as it should, it is up to "transp2" to re-inject the mail
back into Postfix (bypassing the policy service with its FILTER
replies).

-- 
Viktor.

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Francis Brosnan Blázquez]

Hi Wietse,

> transport_maps takes effect ONLY AFTER the filter has processed the message.

Ok, so because transport_maps takes effect after filter, do you mean
transport_maps declarations will never take effect because at the time
filter finished, the delivery attempt was already made? 

>   Wietse

Best Regards,

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Wietse Venema]

Francis Brosnan Bl?zquez:
> Hi Wietse,
> 
> > transport_maps takes effect ONLY AFTER the filter has processed the message.
> 
> Ok, so because transport_maps takes effect after filter, do you mean
> transport_maps declarations will never take effect because at the time
> filter finished, the delivery attempt was already made? 

This is how Postfix content filters work:

postfix1 -> filter -> postfix2

The filter takes precedence in postfix1; transport_maps takes effect
in postfix2.

Wietse

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Wietse Venema]

Francis Brosnan Bl?zquez:
> 2) Then, valvula based on its configuration, reports FILTER transp2:
> 
> Sep 10 16:49:53 host valvulad[16853]: info: FILTER:
> fran...@aspl.es -> w...@asplhost.com
> (sasl_user=mailing-sasluser), port 3579, rcpt count=1, queue-id
> 11C68F762, from X.X.X.X, no-tls: transp2:

transport_maps takes effect ONLY AFTER the filter has processed the message.

Wietse

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Viktor Dukhovni]

On Thu, Sep 10, 2015 at 07:52:37PM +0200, Francis Brosnan Blázquez wrote:

> Ok, so Victor, going back to the initial question, assuming that:
> 
> 1) We need that "FILTER transp2:", through the delegation protocol, to
> setup different outgoing IP (it seems there's no other way to do this), 

By sender:


http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps

Outgoing IP by recipient domain is just normal transport lookup
(with the IP address part of the master.cf transport definition).

Content filters are NOT how you should do mail routing.

> 2) And we need some way to discard a single recipient (by destination
> domain or destination local-part@) in a multi-recipient message, 

Resolve that recipient to the "discard" transport.

> Is there any way to do it without having to write an external
> content-filter (as described in [1])? 

If you don't abuse content_filters for routing, then using the
"discard" transport works.

Postfix is not a one-stop-shopping solution for a snow-shoe spam
MTA.  Removing pesky recipients like me who'll report the sender
to RBL maintainers and abuse departments needs to happen in the
upstream lists, not in the MTA.  Turn-away customers with harvested
lists, or you'll find your outbound IPs on RBLs.

-- 
Viktor.

Re: Require DNSSEC signed MX RRs

[Viktor Dukhovni]

On Thu, Sep 10, 2015 at 08:39:38PM +0200, Michael Ströder wrote:

> Maybe there should be some additional text for 'dane-only' in [1]?
> I'm not sure about the correct wording though.

I think it is fine as-is.  The "dane-only" security level requires
that a peer be DANE authenticated, which means "secure" MX RRset,
"secure" address RRset for the MX host and "secure" matching TLSA
records.  All the links in the chain have to be valid.

> > I gather you're looking for something like:
> > 
> > example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes
> > 
> > where "dnssec=yes" would be a new policy option, that requires a
> > "secure" MX RRset, or "secure" absence of an MX host.
> 
> Yes. :-)

Just to be clear, is that what you had in mind when you started
this thread?  Or did I suggest a feature that you decided you want?

One might also imagine an alternative interface:

example.com secure match=nexthop:dot-nexthop:dnssec-hostname

Where "dnssec-hostname" matches the hostname only if securely
obtained.  This would not require secure MX RRsets, but would make
use of them to "improve" PKIX name matching when present.

This might be better.

-- 
Viktor.

Re: Require DNSSEC signed MX RRs

[Michael Ströder]

Viktor Dukhovni wrote:
> On Thu, Sep 10, 2015 at 07:44:19PM +0200, Michael Ströder wrote:
> 
>> Looking at [1] it's not clear to me whether it's possible to require MX RRs 
>> of
>> a recipient domain to be DNSSEC signed. Any other configuration option for 
>> that?
> 
> Postfix, at present, does not support requiring a DNSSEC-signed MX
> RRset, except as part of a "dane-only" security level, which also
> requires that the A/ records of at least one MX host are signed
> and that MX host has correct TLSA records.

Maybe there should be some additional text for 'dane-only' in [1]?
I'm not sure about the correct wording though.

>> [1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
> 
> Policy requiring DNSSEC signed MX RRsets could well apply even for
> domains with which TLS is not used, this is not directly related
> to TLS authentication.

Agreed.

> Of course such a policy might allow the "verify" security level to
> apply Web PKI PKIX authentication to a verifed MX host name.  Still
> if the domain ever does change their MX records, you might well
> find that the peer certificate is now self-signed, or no longer
> matches the MX hostname, ... So this would have to be used with care.

I make use of TLS policy and it works quite well. Of course the policy options
are chosen carefully depending on how reliable the information about the
particular target domains are.

> I gather you're looking for something like:
> 
> example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes
> 
> where "dnssec=yes" would be a new policy option, that requires a
> "secure" MX RRset, or "secure" absence of an MX host.

Yes. :-)

Ciao, Michael.



smime.p7s
Description: S/MIME Cryptographic Signature

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Francis Brosnan Blázquez]

Hi Victor,

Thanks for your response,

> If your policy service says "FILTER ..." it is setting a
> content_filter that preempts transport table routing for *all*
> recipients.

Ok, thanks for clarifying this. It was one of questions we did but
wasn't resolved (from my previous mail):

It is like smtp(8) is ignoring what's declared on transport_maps
because it already has an order to use the transport indicated
by the FILTER +transp2 (point 2). Is it right or it shouldn't
happen? 

> > I'm confused about this statement because it is not what's happening
> > right now and I have shown an example that demonstrates it :-?
> 
> Yes, you're confused.  No, you don't have a counter-example.

:-)

> > But if I make valvula to report "FILTER transp2:", then postfix2, in
> the> diagram "postfix1 -> filter -> postfix2" completely ignores
> > transport_maps:
> 
> Exactly as it should, it is up to "transp2" to re-inject the mail
> back into Postfix (bypassing the policy service with its FILTER
> replies). 

Ok, so Victor, going back to the initial question, assuming that:

1) We need that "FILTER transp2:", through the delegation protocol, to
setup different outgoing IP (it seems there's no other way to do this), 

2) And we need some way to discard a single recipient (by destination
domain or destination local-part@) in a multi-recipient message, 

Is there any way to do it without having to write an external
content-filter (as described in [1])? 

Can it be done reusing postfix components? 

...or there's no other option :-( ? 

Thanks for your time,
Best Regards,

[1] http://www.postfix.org/FILTER_README.html

Re: Require DNSSEC signed MX RRs

[Michael Ströder]

Viktor Dukhovni wrote:
> On Thu, Sep 10, 2015 at 08:39:38PM +0200, Michael Ströder wrote:
> 
>> Maybe there should be some additional text for 'dane-only' in [1]?
>> I'm not sure about the correct wording though.
> 
> I think it is fine as-is.  The "dane-only" security level requires
> that a peer be DANE authenticated, which means "secure" MX RRset,
> "secure" address RRset for the MX host and "secure" matching TLSA
> records.  All the links in the chain have to be valid.
> 
>>> I gather you're looking for something like:
>>>
>>> example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes
>>>
>>> where "dnssec=yes" would be a new policy option, that requires a
>>> "secure" MX RRset, or "secure" absence of an MX host.
>>
>> Yes. :-)
> 
> Just to be clear, is that what you had in mind when you started
> this thread?

Yes. And I also thought to myself that such a policy option would be useful
for all TLS security levels.

> Or did I suggest a feature that you decided you want?

No, you guessed my wish.

> One might also imagine an alternative interface:
> 
> example.com secure match=nexthop:dot-nexthop:dnssec-hostname
> 
> Where "dnssec-hostname" matches the hostname only if securely
> obtained.  This would not require secure MX RRsets, but would make
> use of them to "improve" PKIX name matching when present.

Maybe I do not fully understand what you're saying.

But personally I consider the TLS hostname matching to be sufficiently secured
(because I likely also limit the CA cert used for validation).
Mainly it's the MX lookup what I'm concerned about.

Ciao, Michael.




smime.p7s
Description: S/MIME Cryptographic Signature

Require DNSSEC signed MX RRs

[Michael Ströder]

HI!

Looking at [1] it's not clear to me whether it's possible to require MX RRs of
a recipient domain to be DNSSEC signed. Any other configuration option for that?

Ciao, Michael.

[1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps



smime.p7s
Description: S/MIME Cryptographic Signature

Re: Check NS (name or IP) against RBL

[Viktor Dukhovni]

On Fri, Sep 11, 2015 at 12:25:56AM +0300, Marius Gologan wrote:

> Is there any way to check the name server (name and/or IP) of the Sender
> domain against RBL service?

Only via a policy service that does the relevant DNS lookups.

-- 
Viktor.

Re: Check NS (name or IP) against RBL

[Wietse Venema]

Viktor Dukhovni:
> On Fri, Sep 11, 2015 at 12:25:56AM +0300, Marius Gologan wrote:
> 
> > Is there any way to check the name server (name and/or IP) of the Sender
> > domain against RBL service?
> 
> Only via a policy service that does the relevant DNS lookups.

I have used check_sender_ns_access to block persistent spammers.
There are also check_sender_mx_access, and similar features for
client, helo, recipient.

Wietse

Dynamic 'myhostname'

[Mick]

Hi,

I'm trialling DMARC to two of my domains.  On checking the results when 
posting from the secondary domain I receive 'SPF Domain Alignment Result 
= FAIL'. I think this is because postfix always says HELO with the 
primary domain name, which is obviously different to the secondary.  Is 
there a way to rewrite the message envelope to say HELO using the same 
domain used in the from field?


Thanks,

Mick.

Re: Require DNSSEC signed MX RRs

[Viktor Dukhovni]

On Thu, Sep 10, 2015 at 08:57:50PM +0200, Michael Ströder wrote:

> > One might also imagine an alternative interface:
> > 
> > example.com secure match=nexthop:dot-nexthop:dnssec-hostname
> > 
> > Where "dnssec-hostname" matches the hostname only if securely
> > obtained.  This would not require secure MX RRsets, but would make
> > use of them to "improve" PKIX name matching when present.
> 
> Maybe I do not fully understand what you're saying.

Indeed you did not understand.  "Securely obtained" means obtained
from a "secure" MX RRset.

> Mainly it's the MX lookup what I'm concerned about.

That's what the alternative feature does, it makes MX hostnames
available *only* when they are resistant against active attacks.

But in this variant there is no requirement for dnssec.  Rather,
without DNSSEC only names related to the nexthop domain are checked,
and "insecure" MX hostnames are not.

I think the second way is more broadly useful.

-- 
Viktor.

Re: content_filter and transport_map on outgoing mail interaction

[Mark Clarke]

Ok, figured it out. Read up more on the postfix architecture and
confirmed that it should work as the content_filter will run on the mail
once it has been received and before it is delivered via smtp to its
destination. The issue was that I am submitting on the submission port
587 and needed to add the content_filter there. In fact I don't need two
IP addresses for the smtp delivered mail :)



On 09/10/2015 06:12 PM, Mark Clarke wrote:
> Hi there,
>
> We have a transport map setup so that mail destined for the local
> domain or from some subdomain email servers is not routed to our relay
> gateway. These entries have a null gateway set. Mail destined for all
> other domains is routed via our relay.
>
> e.g
>
> serve...@server01.abc.co.za :
> ad...@dms.abc.co.za :
> abc.co.za :
> * smtp:relay.xyz.co.za
>
>
> We need to apply a content_filter to all outgoing mail. To do this we
> have set up two smtp processes in master.cf
>
> 192.168.10.73:smtp  inet  n   -   -   - -   smtpd
> 192.168.10.72:smtp  inet  n   -   -   - -   smtpd
>-o content_filter=dfilt:
> dfilt unix-   n   n   -   -   pipe
> flags=Rq user=filter argv=/etc/postfix/postfix_filter.sh -f
> ${sender} -- ${recipient}
>
>
> this is for the altermime script. In main.cf we have set up
>
> smtp_bind_address = 192.168.10.72
>
> The problem is it appears the transport map simply by passes the
> outgoing smtp server settings as defined in main.cf and with
> smtp_bind_address. I have tried editing the transport map to force it
> to use the 192.168.10.72:smtp service but this doesn't work. How can I
> get this to work? i.e route outgoing mail to a specific gateway via
> transport maps but still apply a content filter to outgoing mail?
>
>
> thanks


--
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately 
by e-mail if you have received this e-mail by mistake and delete this e-mail 
from your system. If you are not the intended recipient you are notified 
that disclosing, copying, distributing or taking any action in reliance on the 
contents of this information is strictly prohibited.

Re: Dynamic 'myhostname'

[Wietse Venema]

Mick:
> Hi,
> 
> I'm trialling DMARC to two of my domains.  On checking the results when 
> posting from the secondary domain I receive 'SPF Domain Alignment Result 
> = FAIL'. I think this is because postfix always says HELO with the 
> primary domain name, which is obviously different to the secondary.  Is 
> there a way to rewrite the message envelope to say HELO using the same 
> domain used in the from field?

I suspect that the problem is that the SMTP client IP address no
not match the SPF rule.

You may want to set up sender_dependent_default_transport to use
different Postfix SMTP clients depending on the envelope sender
email address, with "-o smtp_bind_address" settings in master.cf
for the proper client IP address.

Wietse

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Francis Brosnan Blázquez]

Hi Victor,

Thanks for your response. At least, now we know the path we don't have
to follow,

> > 1) We need that "FILTER transp2:", through the delegation protocol, to
> > setup different outgoing IP (it seems there's no other way to do this), 
> 
> By sender:
> 
> 
> http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps
> 
> Outgoing IP by recipient domain is just normal transport lookup
> (with the IP address part of the master.cf transport definition).

Yes, but this doesn't work if you need to adjust outgoing IP based on
the sasl user (published solutions insist on using FILTER :-( [1])

> Content filters are NOT how you should do mail routing.

Ok, I'll review this,

> > 2) And we need some way to discard a single recipient (by destination
> > domain or destination local-part@) in a multi-recipient message, 
> 
> Resolve that recipient to the "discard" transport.
> 
> > Is there any way to do it without having to write an external
> > content-filter (as described in [1])? 
> 
> If you don't abuse content_filters for routing, then using the
> "discard" transport works.

Ok. 

> Postfix is not a one-stop-shopping solution for a snow-shoe spam
> MTA.  Removing pesky recipients like me who'll report the sender
> to RBL maintainers and abuse departments needs to happen in the
> upstream lists, not in the MTA.  Turn-away customers with harvested
> lists, or you'll find your outbound IPs on RBLs.

:-) Hehe...I'd really like to (turn away those customers), but daily
life reality is far from there...

Anyway, certainly, that "FILTER" for transport selection we are doing is
very disruptive (according to postfix way of doing things). I'll take me
time to review this, 

Thanks for taking your time,
Best Regards,

[1] http://comments.gmane.org/gmane.mail.postfix.user/250046

-- 
Francis Brosnan Blázquez 
ASPL
91 134 14 22 - 91 134 14 45 - 91 116 07 57

AVISO LEGAL
 
En virtud de lo dispuesto en la Ley Orgánica 15/1999, de 13 de
diciembre, de Protección de Datos de Carácter Personal, le informamos de
que sus datos de carácter personal, recogidos de fuentes accesibles al
público o datos que usted nos ha facilitado previamente, proceden de
bases de datos propiedad de Advanced Software Production Line, S.L.
(ASPL).
 
ASPL garantiza que los datos serán tratados con la finalidad de mantener
las oportunas relaciones comerciales o promocionales con usted o la
entidad que usted representa. No obstante, usted puede ejercitar sus
derechos de acceso, rectificación, cancelación y oposición dispuestos en
la mencionada Ley Orgánica, notificándolo por escrito a ASPL -
Protección Datos, C/Antonio Suárez 10 A-102, 28802, Alcalá de Henares
(Madrid).

Re: Can Postscreen and Smapassassin be used together

[Paul Schmehl]

--On September 10, 2015 at 7:37:09 AM +0100 Robert Chalmers 
 wrote:



I’m currently running postscreen, and am wondering how I would add
spamassassin to the main.cf configuration, or are they mutually exclusive?



After reading all the answers (I confess I was amazed by some of them), I 
can assure you that you can run the two together.  I have been for years. 
You don't add spamassassin filtering to main.cf, however.  You add it to 
master.cf.


Here's the relevant sections in my master.cf, but you need to read the 
FILTER_README docs and understand them before implementing this:


DO NOT JUST COPY THIS STUFF WITHOUT READING THE DOCS:

# grep filter /usr/local/etc/postfix/master.cf
smtp  inet  n   -   n   -   -   smtpd -o 
content_filter=filter:dummyr

filterunix  -   n   n   -  10   pipe
 flags=Rq user=filter argv=/usr/local/bin/filter.sh -f ${sender} -- 
${recipient}
smtpd pass  -   -   n   -   -   smtpd -o 
content_filter=filter:dummy


If you want to run mail through spamd, you would use something like this:

#smtp   inet  n   -   -   -   -   smtpd
#   -o content_filter=spamassassin
#spamassassin unix -  n   n   -   -  pipe
#   user=spamd argv=/usr/local/bin/spamc -f -e
#   /usr/sbin/sendmail -oi -f ${sender} ${recipient}n

The filter script is in the FILTER_README doc.  Read it carefully.

You can either feed mail directly to the spamassassin daemon, spamd, or fun 
it through a filter script that calls spamassassin for each individual 
email.  I've tried both, but I use the filter script because it allows me 
to write mail to a directory and then sort through it for any legitimate 
mail.  And frankly, there is very little, if any, legitimate mail in there.


This is a very small mail domain with only two recipients.  The owners 
don't want to see spam at all, so I am very aggressive.  I also send 
anything lower than 5 to myself so I can screen it before they see it.


Here's my filter script, which is essentially a ripoff of Weitse's script:

#!/bin/sh

# Simple shell-based filter. It is meant to be invoked as follows:
#   /path/to/script -f sender recipients...

# Localize these.
INSPECT_DIR=/usr/local/filter
SPAMDIR=/var/spool/spam
SENDMAIL="/usr/sbin/sendmail -i"
SPAMASSASSIN=/usr/local/bin/spamassassin
SPAMLIMIT=5
SPAMCK=4

# Exit codes from 
EX_TEMPFAIL=75
EX_UNAVAILABLE=69

# Start processing.
cd $INSPECT_DIR || {
   echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }

# Clean up when done or when aborting.
trap "rm -f in.$$" 0 1 2 3 15

cat | $SPAMASSASSIN -x > out.$$ || \
   { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

if egrep -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < out.$$
then
 mv out.$$ $SPAMDIR
elif egrep -q "^X-Spam-Level: \*{$SPAMCK,}" < out.$$
then
 $SENDMAIL geek < out.$$
else
 $SENDMAIL "$@" < out.$$
fi

trap "rm -f out.$$" 0 1 2 3 15

exit $?

Paul Schmehl (pschm...@tx.rr.com)
Independent Researcher

Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message

[Viktor Dukhovni]

On Thu, Sep 10, 2015 at 10:06:24PM +0200, Francis Brosnan Blázquez wrote:

> > > 1) We need that "FILTER transp2:", through the delegation protocol, to
> > > setup different outgoing IP (it seems there's no other way to do this), 
> > 
> > By sender:
> > 
> > 
> > http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps
> > 
> > Outgoing IP by recipient domain is just normal transport lookup
> > (with the IP address part of the master.cf transport definition).
> 
> Yes, but this doesn't work if you need to adjust outgoing IP based on
> the sasl user (published solutions insist on using FILTER :-( [1])

Then perhaps we should provide a way of doing the same thing by
SASL login.  Both the envelope address and the SASL login name are
really features of the sender.  The original purpose of the feature
(in the form of a sender dependent relay host) was to allow users
to relay mail through the right email provider that hosts the
mailbox for the sender address, and might have DKIM, SPF, ...

I don't think that we're going out of our way to facilitate snow-show
bulk-email (possibly legitimate, and just dealing with real obstacles,
or at times trying to flying under the radar with less legitimate
content).

So there's a limit to how much effort in that direction is likely
in the mainstream Postfix distribution.

What are the legitimate use-cases for transport for SASL id?

> > Postfix is not a one-stop-shopping solution for a snow-shoe spam
> > MTA.  Removing pesky recipients like me who'll report the sender
> > to RBL maintainers and abuse departments needs to happen in the
> > upstream lists, not in the MTA.  Turn-away customers with harvested
> > lists, or you'll find your outbound IPs on RBLs.
> 
> :-) Hehe...I'd really like to (turn away those customers), but daily
> life reality is far from there...
> 
> Anyway, certainly, that "FILTER" for transport selection we are doing is
> very disruptive (according to postfix way of doing things). I'll take me
> time to review this, 
> 
> [1] http://comments.gmane.org/gmane.mail.postfix.user/250046

Well, that works provided you don't also try to do any interesting
per-recipient routing (e.g. routing to discard(8)).

There isn't at present a "DEFAULT ..." access(5) directive that
instead of "FILTER", which preempts routing, sets the default
transport.  This would have to write a new record into the queue-file
that the queue-manager would then convey to trivial-rewrite(8) in
the "resolve" protocol request (which would need to change), so
that trivial-rewrite would return the per-message default transport.

Can't estimate the likelihood of this becoming an official feature.

-- 
Viktor.

Re: Dynamic 'myhostname'

[Mick]

On 10/09/2015 21:13, Wietse Venema wrote:

Mick:

Hi,

I'm trialling DMARC to two of my domains.  On checking the results when
posting from the secondary domain I receive 'SPF Domain Alignment Result
= FAIL'. I think this is because postfix always says HELO with the
primary domain name, which is obviously different to the secondary.  Is
there a way to rewrite the message envelope to say HELO using the same
domain used in the from field?

I suspect that the problem is that the SMTP client IP address no
not match the SPF rule.

You may want to set up sender_dependent_default_transport to use
different Postfix SMTP clients depending on the envelope sender
email address, with "-o smtp_bind_address" settings in master.cf
for the proper client IP address.

Hi Wietse,

I only have 1 IP address (2 if you count the IPv6 address).  A reverse 
DNS lookup will always find my primary domain so even if I used 
'sender_dependent_default_transport' and set up multiple switches just 
to change HELO name, they still have to point to the same IP.  If 
reverse DNS was then carried out, secondary domain provided in the HELO 
would not match and mail could be rejected. Think I'm stuffed without 
additional IPv4s, but at least I know why.



Thanks for your advice.

Mick.




Wietse

Check NS (name or IP) against RBL

[Marius Gologan]

Hi,

 

Is there any way to check the name server (name and/or IP) of the Sender
domain against RBL service?

 

Thank you.

 

Marius.



smime.p7s
Description: S/MIME cryptographic signature

Can Postscreen and Smapassassin be used together

[Robert Chalmers]

I’m currently running postscreen, and am wondering how I would add spamassassin 
to the main.cf configuration, or are they mutually exclusive?

Re: Require DNSSEC signed MX RRs

[Viktor Dukhovni]

On Thu, Sep 10, 2015 at 07:44:19PM +0200, Michael Ströder wrote:

> Looking at [1] it's not clear to me whether it's possible to require MX RRs of
> a recipient domain to be DNSSEC signed. Any other configuration option for 
> that?

Postfix, at present, does not support requiring a DNSSEC-signed MX
RRset, except as part of a "dane-only" security level, which also
requires that the A/ records of at least one MX host are signed
and that MX host has correct TLSA records.

> [1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

Policy requiring DNSSEC signed MX RRsets could well apply even for
domains with which TLS is not used, this is not directly related
to TLS authentication.

Of course such a policy might allow the "verify" security level to
apply Web PKI PKIX authentication to a verifed MX host name.  Still
if the domain ever does change their MX records, you might well
find that the peer certificate is now self-signed, or no longer
matches the MX hostname, ... So this would have to be used with care.

I gather you're looking for something like:

example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes

where "dnssec=yes" would be a new policy option, that requires a
"secure" MX RRset, or "secure" absence of an MX host.

-- 
Viktor.