RE: Can Postscreen and Smapassassin be used together
Hai, I thinking why not put them together Ik run a setup like this https://wiki.dest-unreachable.net/pages/viewpage.action?pageId=15892484 which uses postscreen spamassassin clamav and this works very wel for me. And the load is not to much, but depends on the amount of emails your processing. The extra thing i added in above setup is fail2ban + ufw to offload the dns queries and the server a bit. I created the following in fail2ban. Jail.local [postfix-dnsblog] enabled = true port = all filter = postfix-dnsblog banaction = ufw-all maxretry = 1 logpath = /var/log/mail.log bantime = 84600 and in filter.d/postfix-dnsblog.conf [INCLUDES] before = common.conf [Definition] failregex = addr listed by domain and the action /etc/fail2ban/action.d/ufw-all.conf # Fail2Ban configuration file [Definition] actionstart = actionstop = actioncheck = actionban = ufw insert 1 deny from to any actionunban = ufw delete deny from to any Greetz, Louis > -Oorspronkelijk bericht- > Van: li...@planetcobalt.net [mailto:owner-postfix-us...@postfix.org] > Namens Ansgar Wiechers > Verzonden: donderdag 10 september 2015 9:27 > Aan: postfix-users@postfix.org > Onderwerp: Re: Can Postscreen and Smapassassin be used together > > On 2015-09-10 Robert Chalmers wrote: > > I’m currently running postscreen, and am wondering how I would add > > spamassassin to the main.cf configuration, or are they mutually > > exclusive? > > I'm not sure if they technically can't be used together, but they > shouldn't be. Spamassassin is rather heavyweight whereas Postscreen was > designed to be a lightweight zombie deflection tool. You'd lose that > low resource impact advantage by mixing the two. > > Regards > Ansgar Wiechers > -- > "Abstractions save us time working, but they don't save us time learning." > --Joel Spolsky
Re: Can Postscreen and Smapassassin be used together
* Ansgar Wiechers: > On 2015-09-10 Robert Chalmers wrote: > > I’m currently running postscreen, and am wondering how I would add > > spamassassin to the main.cf configuration, or are they mutually > > exclusive? > > I'm not sure if they technically can't be used together, but they > shouldn't be. Spamassassin is rather heavyweight whereas Postscreen was > designed to be a lightweight zombie deflection tool. You'd lose that > low resource impact advantage by mixing the two. They can't *and* it doesn't make sense. See this graph. It shows the various filter groups in Postfix and the sequence in which they take place. This is how a message runs through the Postfix filters when a client tries to deliver a message to Postfix: connection filter -> session filter -> content filter Postscreen is a connection filter. It "sees" client IP addresses and it implements a fake SMTP server. The fake SMTP server does lightweight tests only. Postscreens job is to keep Postfix' service available. It decides within very short time if a connection request should be passed on to the Postfix smtpd SMTP server component. The focus here is on lightweight and maximum speed. Spamassassin is a content filter. It "sees" IP addresses, session data and content. It examines the content for signs indicating a message might contain spam or ham. It runds hundreds of tests to find out if a message contains spam or not. It is heavyweight and it takes (very) long to determine a result. So technically the two programs take place at different stages during the delivery process and it is not possible to run a content filter during the connection stage in a useful way. All the content filter would "see" are IP addresses - no content. It wouldn't make sense to expand postscreens' capabilities either to feed a content filter, because that would sacrifice the use is has been build for. If you want/need to increase the systems filter effectiveness tell us about the current problems you face and we can start sharing ideas and concepts. p@rick -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: Can Postscreen and Smapassassin be used together
Robert Chalmers: > I?m currently running postscreen, and am wondering how I would add > spamassassin to the main.cf configuration, or are they mutually exclusive? They are meant to coexist. postscreen implements the first layer in a multi-layer defense, header/body_checks are somewhere in the middle, and deep content inspection (spamassassin) the last layer. Wietse
Re: Can Postscreen and Smapassassin be used together
On 2015-09-10 Robert Chalmers wrote: > I’m currently running postscreen, and am wondering how I would add > spamassassin to the main.cf configuration, or are they mutually > exclusive? I'm not sure if they technically can't be used together, but they shouldn't be. Spamassassin is rather heavyweight whereas Postscreen was designed to be a lightweight zombie deflection tool. You'd lose that low resource impact advantage by mixing the two. Regards Ansgar Wiechers -- "Abstractions save us time working, but they don't save us time learning." --Joel Spolsky
Postfix ML Configuration for Sender Header
Hello, a while ago I changed my mail configuration for mailinglists. I have individual mail addresses for every mailing list and the configuration now looks like this: From: Sebastian WiesingerSender: postfix-us...@ml.karotte.org This has the advantage that off-list answers go to my main mailaddress. This seems to work with all of my mailinglists (most of them use Mailman I think) but not with postfix-users. Here my list address needs to be in the From: field. Is this something that can be changed in Majordomo (and you would be willing to change)? Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Re: AntiSpam & AntiVirus Integration with Postfix: lots of tools, but which one's AREN'T 'dead'?
* joh...@fastmail.com[2015-09-09 03:03]: > Ken > > On Tue, Sep 8, 2015, at 05:49 PM, Ken Peng wrote: > > How about Spamassassin? we have been using it for a long time. > > And how are you integrating it into Postfix. That was my question > not whether to use Spamassassin. I kindof decided on that already > in the original post. I do it like this (albeit with Dovecot als MDA): master.cf: dovecot-sa unix - n n - - pipe flags=ODRhu user=vmail:mail argv=/usr/bin/spamc -u ${user}@${nexthop} -e /usr/lib/dovecot/deliver -f ${sender} -a ${recipient} -d ${user}@${nexthop} main.cf: virtual_transport = dovecot-sa dovecot-sa_destination_recipient_limit = 1 Spamassassin is getting the user config from MySQL and users can change settings with Roundcube. Works very reliably for some years now. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Re: Can Postscreen and Smapassassin be used together
On 09/10/2015 06:37 PM, Robert Chalmers wrote: > I’m currently running postscreen, and am wondering how I would add > spamassassin to the main.cf configuration, or are they mutually > exclusive? In spite of what others have said, you can certainly use them together and many many installations do exactly that. Postscreen is a lightweight triage server that sits in front of postfix and will get rid of the bulk of SPAM without hardly any impact on system performance. Spamassassin is more thorough and will get rid of most of the SPAM that postscreen misses. Because of the heavyweight nature of Spamassassin it helps quite a bit to cut back on its load by running postscreen first, then there is not anywhere near as many messages left for SA to have to process and you can cut back on required system resources significantly. Spamassassin then processes and gets rid of (most of) the rest of the SPAM that postscreen misses. What you don't want to do is run postscreen and postgrey on the same system. I see a lot of people make that mistake and it results in serious mail delays because messages end up being deferred twice (first by postscreen then by postgrey). I always suggest that people get rid of postgrey and just use postscreen in this case. Peter
ASPL: discarding a single recipient or a set of them from a multi-recipient message
Hello there, First of all, congratulate all folks behind this remarkable, predictable and reliable software that is postfix, which...at the same time is well documented (bonus). It is is difficult to find software with some of these attributes, but postfix have them all. --== CONTEXT OF THE PROBLEM ==-- Having said that, we are trying to implement a discard for a particular recipient of a multi-recipient message (which seems to be something recurrent). At this point, we are trying to discard based on the destination domain and/or the local-part@ (without considering the destination domain) by reporting a DISCARD code using delegation protocol (with valvula [1]). At the same time, we are using the following type of declarations at master.cf, combined with FILTER command (delegation), to make a particular sasl user to use a particular outgoing ip when accepted: transport16 unix - - n - - smtp -o smtp_bind_address=X.X.X.X -o syslog_name=postfix16 --== WHAT FAILS ==-- After reviewing documentation about why discard applies to all recipient, we have found that this is documented and expected behaviour: http://www.postfix.org/access.5.html Note: this action currently affects all recipients of the message. To discard only one recipient without discarding the entire message, use the transport(5) table to direct mail to the discard(8) service. After that, we have tried to implement suggested solution by declaring a transport_maps = hash:/etc/postfix/transports ...where we declare destination domains we want to discard. # with format yahoogroups.com discard: .yahoogroups.com discard: # and the corresponding >> postmap /etc/postfix/transports However, we are finding two problems: 1) When a FILTER command is issued to a particular transport to use a particular outbound IP (as shown in the example above, transport16), the smtp(8) client created that delivers that message, entirely ignores any declaration found for transport_maps = ..., so domains declared there, aren't discarded. 2) Even though having previous point working, we haven't found any possible solution to "discard:" (via transport) or DISCARD (via delegation) based on the local-part@ in for a particular recipient in a multi-recipient message. --== QUESTIONS ==-- 1) Is there a way do a DISCARD of a particular recipient in a mult-recipient message and at the same time calling FILTER+trasnport16 to select a particular outgoing IP as we did? 2) Same question as 1) but from a different point of view, is there a way to flag as "already handled/delivered" a particular recipient in a message directly in the queue? 3) Are we wrong or the only solution is to go with a smtp-like content filter that does the recipient removal? Thanks for your time and patience, Best Regards, [1] http://www.aspl.es/valvula -- Francis Brosnan BlázquezASPL 91 134 14 22 - 91 134 14 45 - 91 116 07 57 AVISO LEGAL Este mensaje se dirige exclusivamente a su destinatario. Los datos incluidos en el presente correo son confidenciales y sometidos a secreto profesional, se prohíbe divulgarlos, en virtud de las leyes vigentes. Si usted no lo es y lo ha recibido por error o tiene conocimiento del mismo por cualquier motivo, le rogamos que nos lo comunique por este medio y proceda a destruirlo o borrarlo. En virtud de lo dispuesto en la Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal, le informamos de que sus datos de carácter personal, recogidos de fuentes accesibles al público o datos que usted nos ha facilitado previamente, proceden de bases de datos propiedad de Advanced Software Production Line, S.L. (ASPL). No obstante, usted puede ejercitar sus derechos de acceso, rectificación, cancelación y oposición dispuestos en la mencionada Ley Orgánica, notificándolo por escrito a: ASPL - Protección Datos, C/Antonio Suárez 10 A-102, 28802, Alcalá de Henares (Madrid).
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
Francis Brosnan Bl?zquez: > At this point, we are trying to discard based on the destination > domain and/or the local-part@ (without considering the destination > domain) by reporting a DISCARD code using delegation protocol (with > valvula [1]). As documented, the DISCARD action discards the message, not the recipient. To drop only the recipient, use transport_maps to send the recipient to the discard(8) service. /etc/postfix/main.cf: transport_maps = hash:/etc/postfix/transport /etc/postfix/transport: u...@example.comdiscard: After changing the file, do "postmap hash:/etc/postfix/transport". To discard a recipient based on localpart, use a pcre table instead; this requires no postmap command. /etc/postfix/main.cf: transport_maps = pcre:/etc/postfix/transport /etc/postfix/transport: # The ^ at the beginning is required to avoid false matches. /^user@/discard: Of course this will have collateral damage; it discards mail for recipients in unrelated domains. Wietse
Re: Postfix ML Configuration for Sender Header
Sebastian Wiesinger: > Hello, > > a while ago I changed my mail configuration for mailinglists. I have > individual mail addresses for every mailing list and the configuration > now looks like this: > > From: Sebastian Wiesinger> Sender: postfix-us...@ml.karotte.org > > This has the advantage that off-list answers go to my main > mailaddress. > > This seems to work with all of my mailinglists (most of them use > Mailman I think) but not with postfix-users. Here my list address > needs to be in the From: field. > > Is this something that can be changed in Majordomo (and you would be > willing to change)? Sorry, that sounds bogus. No-one replies to the sender: address. Wietse
Re: Can Postscreen and Smapassassin be used together
Am 10.09.2015 um 10:47 schrieb Peter: > What you don't want to do is run postscreen and postgrey on the same > system. you can do it if you use i.e postgrey very selective but for sure portscreen leaves not very much for postgrey Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
Hi Wietse, Thanks for your response. Assuming this information, it should discard as indicated by transport_maps. However, we are not seeing this behaviour. This is the course of events: 1) Mail is accepted by postfix. After that, an indication is passed to valvula on smtpd_data_restrictions: smtpd_data_restrictions = check_policy_service inet:127.0.0.1:3579 2) Then, valvula based on its configuration, reports FILTER transp2: Sep 10 16:49:53 host valvulad[16853]: info: FILTER: fran...@aspl.es -> w...@asplhost.com (sasl_user=mailing-sasluser), port 3579, rcpt count=1, queue-id 11C68F762, from X.X.X.X, no-tls: transp2: 3) That causes postfix to use transp2 declared at master.cf, Sep 10 16:49:53 host postfix/smtpd[15410]: 11C68F762: filter: DATA from host[X.X.X.X]: : Data command triggers FILTER transp2:; from=to= proto=ESMTP helo=<[192.168.0.132]> ...which activates smtp(8) transport with the following configuration at master.cf: transp2 unix - - n - - smtp -o smtp_bind_address=X.X.X.X -o smtp_helo_name=outboundname.asplhost.com -o syslog_name=postfix2 4) But instead of discarding it, smtp(8) attempts to actually deliver it without considering what's declared in transport_maps: Sep 10 17:02:15 host postfix2/smtp[26624]: AC04CEA1A: to= , relay=mx1.asplhost.com[X.X.X.X]:25, delay=74662, delays=74268/392/0.08/1.1, dsn=5.1.1, status=bounced (host mx1.asplhost.com[X.X.X.X] said: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command)) NOTE: certainly it fails because the account does not exists, but that's not the point: it should have been discarded It is like smtp(8) is ignoring what's declared on transport_maps because it already has an order to use the transport indicated by the FILTER +transp2 (point 2). Is it right or it shouldn't happen? If it is the intended behaviour, how can we configure a transport (transp2) that instructs the particular IP to be used and, at the same time, we can discard particular recipients in a multi-recipient message using transport_maps? Thanks for your time and support, Best Regards, PS: Here is the complete configuration file we are using: http://www.aspl.es/postfix-main.cf.txt (ips and host names masked) http://www.aspl.es/postfix-master.cf.txt (ips and host names masked) At the same time, /etc/postfix/local-parts-spam-traps-accounts has the following content: /^web@/ discard: > > At this point, we are trying to discard based on the destination > > domain and/or the local-part@ (without considering the destination > > domain) by reporting a DISCARD code using delegation protocol (with > > valvula [1]). > > As documented, the DISCARD action discards the message, not the > recipient. To drop only the recipient, use transport_maps to send > the recipient to the discard(8) service. > > /etc/postfix/main.cf: > transport_maps = hash:/etc/postfix/transport > > /etc/postfix/transport: > u...@example.com discard: > > After changing the file, do "postmap hash:/etc/postfix/transport". > > To discard a recipient based on localpart, use a pcre table instead; > this requires no postmap command. > > /etc/postfix/main.cf: > transport_maps = pcre:/etc/postfix/transport > > /etc/postfix/transport: > # The ^ at the beginning is required to avoid false matches. > /^user@/discard: > > Of course this will have collateral damage; it discards mail for > recipients in unrelated domains. > > Wietse -- Francis Brosnan Blázquez ASPL 91 134 14 22 - 91 134 14 45 - 91 116 07 57 AVISO LEGAL Este mensaje se dirige exclusivamente a su destinatario. Los datos incluidos en el presente correo son confidenciales y sometidos a secreto profesional, se prohíbe divulgarlos, en virtud de las leyes vigentes. Si usted no lo es y lo ha recibido por error o tiene conocimiento del mismo por cualquier motivo, le rogamos que nos lo comunique por este medio y proceda a destruirlo o borrarlo. En virtud de lo dispuesto en la Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal, le informamos de que sus datos de carácter personal, recogidos de fuentes accesibles al público o datos que usted nos ha facilitado previamente, proceden de bases de datos propiedad de Advanced Software Production Line, S.L. (ASPL). No obstante, usted puede ejercitar sus derechos de acceso, rectificación, cancelación y oposición dispuestos en la mencionada Ley
Re: Can Postscreen and Smapassassin be used together
Am 10.09.2015 um 08:37 schrieb Robert Chalmers: > I’m currently running postscreen, and am wondering how I would add > spamassassin to the main.cf configuration, or are they mutually exclusive? > > no problem works nice , perhaps use it as milter Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
content_filter and transport_map on outgoing mail interaction
Hi there, We have a transport map setup so that mail destined for the local domain or from some subdomain email servers is not routed to our relay gateway. These entries have a null gateway set. Mail destined for all other domains is routed via our relay. e.g serve...@server01.abc.co.za : ad...@dms.abc.co.za : abc.co.za : * smtp:relay.xyz.co.za We need to apply a content_filter to all outgoing mail. To do this we have set up two smtp processes in master.cf 192.168.10.73:smtp inet n - - - - smtpd 192.168.10.72:smtp inet n - - - - smtpd -o content_filter=dfilt: dfilt unix- n n - - pipe flags=Rq user=filter argv=/etc/postfix/postfix_filter.sh -f ${sender} -- ${recipient} this is for the altermime script. In main.cf we have set up smtp_bind_address = 192.168.10.72 The problem is it appears the transport map simply by passes the outgoing smtp server settings as defined in main.cf and with smtp_bind_address. I have tried editing the transport map to force it to use the 192.168.10.72:smtp service but this doesn't work. How can I get this to work? i.e route outgoing mail to a specific gateway via transport maps but still apply a content filter to outgoing mail? thanks
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
Hi Wietse, Thanks for your response, > This is how Postfix content filters work: > > postfix1 -> filter -> postfix2 > > The filter takes precedence in postfix1; Just to clarify we are talking about the same thing, "filter" is not a "content filter" taking the mail from postfix and re-injecting it into postfix, but valvula reporting "FILTER transp2:", as described at [1], using delegation protocol ([2]), > transport_maps takes effect in postfix2. I'm confused about this statement because it is not what's happening right now and I have shown an example that demonstrates it :-? If I update valvula's configuration to report DUNNO, and hence, disabling the activation of "FILTER transp2:", then configurations declared at transport_maps are honoured, Sep 10 18:53:06 host postfix/smtpd[17286]: connect from tarsonis.asplhost.com[X.X.X.X] Sep 10 18:53:07 host postfix/smtpd[17286]: 156A3FB18: client=tarsonis.asplhost.com[X.X.X.X], sasl_method=PLAIN, sasl_username=mailing-sasluser Sep 10 18:53:08 host valvulad[16853]: info: DUNNO: fran...@aspl.es -> w...@asplhost.com (sasl_user=mailing-sasluser), port 3579, rcpt count=1, queue-id 156A3FB18, from X.X.X.X, no-tls Sep 10 18:53:08 host postfix/discard[17530]: 156A3FB18: to=, relay=none, delay=1, delays=1/0/0/0, dsn=2.0.0, status=sent (asplhost.com) Sep 10 18:53:09 host postfix/smtpd[17286]: disconnect from tarsonis.asplhost.com[X.X.X.X] But if I make valvula to report "FILTER transp2:", then postfix2, in the diagram "postfix1 -> filter -> postfix2" completely ignores transport_maps: Sep 10 18:56:59 host postfix/smtpd[25423]: connect from tarsonis.asplhosting.com[X.X.X.X] Sep 10 18:56:59 host postfix/smtpd[25423]: A1A0AEB03: client=tarsonis.asplhost.com[X.X.X.X], sasl_method=PLAIN, sasl_username=mailing-sasluser Sep 10 18:56:59 host valvulad[16853]: info: FILTER: fran...@aspl.es -> w...@asplhost.com (sasl_user=mailing-sasluser), port 3579, rcpt count=1, queue-id A1A0AEB03, from X.X.X.X, no-tls: transp2: Sep 10 18:56:59 host postfix/smtpd[25423]: A1A0AEB03: filter: DATA from tarsonis.asplhost.com[X.X.X.X]: : Data command triggers FILTER transp2:; from= to= proto=ESMTP helo=<[192.168.0.132]> Sep 10 18:57:00 host postfix/smtpd[25423]: disconnect from tarsonis.asplhost.com[X.X.X.X] Sep 10 18:57:00 host postfix2/smtp[23095]: A1A0AEB03: to= , relay=mx1.aspl.es[89.140.237.70]:25, delay=1.3, delays=0.07/0/0.17/1, dsn=5.1.1, status=bounced (host mx1.aspl.es[89.140.237.70] said: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command)) What I'm missing? Thanks for your patience and time, Best Regards, > Wietse [1] http://www.postfix.org/access.5.html [2] http://www.postfix.org/SMTPD_POLICY_README.html
Re: content_filter and transport_map on outgoing mail interaction
On Thu, Sep 10, 2015 at 06:12:44PM +0200, Mark Clarke wrote: > We need to apply a content_filter to all outgoing mail. To do this we have > set up two smtp processes in master.cf > > 192.168.10.73:smtp inet n - - - - smtpd > 192.168.10.72:smtp inet n - - - - smtpd >-o content_filter=dfilt: These are Postfix SMTP servers (accept incoming mail). > dfilt unix- n n - - pipe > flags=Rq user=filter argv=/etc/postfix/postfix_filter.sh -f ${sender} -- > ${recipient} > > > this is for the altermime script. In main.cf we have set up > > smtp_bind_address = 192.168.10.72 This is a configuration parameter of the SMTP client (sends outgoing mail). It has nothing to do with which SMTP service mail will be sent to. > The problem is it appears the transport map simply by passes the outgoing > smtp server settings as defined in main.cf and with smtp_bind_address. There's no bypass, you're simply confused. > I have tried editing the transport map to force it to use the > 192.168.10.72:smtp service but this doesn't work. To send to that service, you'd make the transport: smtp:[192.168.10.72] but that will almost certainly create a mai loop. > How can I get this to > work? i.e route outgoing mail to a specific gateway via transport maps but > still apply a content filter to outgoing mail? That's what Postfix does. It first applies content filters, and then once the mail is re-injected into queue (by a mechanism that does set a content_filter) uses the transport table. You're just confused. -- Viktor.
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
On Thu, Sep 10, 2015 at 07:01:59PM +0200, Francis Brosnan Blázquez wrote: > > This is how Postfix content filters work: > > > > postfix1 -> filter -> postfix2 > > > > The filter takes precedence in postfix1; > > Just to clarify we are talking about the same thing, "filter" is not a > "content filter" taking the mail from postfix and re-injecting it into > postfix, but valvula reporting "FILTER transp2:", as described at [1], > using delegation protocol ([2]), If your policy service says "FILTER ..." it is setting a content_filter that preempts transport table routing for *all* recipients. > I'm confused about this statement because it is not what's happening > right now and I have shown an example that demonstrates it :-? Yes, you're confused. No, you don't have a counter-example. > But if I make valvula to report "FILTER transp2:", then postfix2, in the > diagram "postfix1 -> filter -> postfix2" completely ignores > transport_maps: Exactly as it should, it is up to "transp2" to re-inject the mail back into Postfix (bypassing the policy service with its FILTER replies). -- Viktor.
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
Hi Wietse, > transport_maps takes effect ONLY AFTER the filter has processed the message. Ok, so because transport_maps takes effect after filter, do you mean transport_maps declarations will never take effect because at the time filter finished, the delivery attempt was already made? > Wietse Best Regards,
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
Francis Brosnan Bl?zquez: > Hi Wietse, > > > transport_maps takes effect ONLY AFTER the filter has processed the message. > > Ok, so because transport_maps takes effect after filter, do you mean > transport_maps declarations will never take effect because at the time > filter finished, the delivery attempt was already made? This is how Postfix content filters work: postfix1 -> filter -> postfix2 The filter takes precedence in postfix1; transport_maps takes effect in postfix2. Wietse
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
Francis Brosnan Bl?zquez: > 2) Then, valvula based on its configuration, reports FILTER transp2: > > Sep 10 16:49:53 host valvulad[16853]: info: FILTER: > fran...@aspl.es -> w...@asplhost.com > (sasl_user=mailing-sasluser), port 3579, rcpt count=1, queue-id > 11C68F762, from X.X.X.X, no-tls: transp2: transport_maps takes effect ONLY AFTER the filter has processed the message. Wietse
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
On Thu, Sep 10, 2015 at 07:52:37PM +0200, Francis Brosnan Blázquez wrote: > Ok, so Victor, going back to the initial question, assuming that: > > 1) We need that "FILTER transp2:", through the delegation protocol, to > setup different outgoing IP (it seems there's no other way to do this), By sender: http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps Outgoing IP by recipient domain is just normal transport lookup (with the IP address part of the master.cf transport definition). Content filters are NOT how you should do mail routing. > 2) And we need some way to discard a single recipient (by destination > domain or destination local-part@) in a multi-recipient message, Resolve that recipient to the "discard" transport. > Is there any way to do it without having to write an external > content-filter (as described in [1])? If you don't abuse content_filters for routing, then using the "discard" transport works. Postfix is not a one-stop-shopping solution for a snow-shoe spam MTA. Removing pesky recipients like me who'll report the sender to RBL maintainers and abuse departments needs to happen in the upstream lists, not in the MTA. Turn-away customers with harvested lists, or you'll find your outbound IPs on RBLs. -- Viktor.
Re: Require DNSSEC signed MX RRs
On Thu, Sep 10, 2015 at 08:39:38PM +0200, Michael Ströder wrote: > Maybe there should be some additional text for 'dane-only' in [1]? > I'm not sure about the correct wording though. I think it is fine as-is. The "dane-only" security level requires that a peer be DANE authenticated, which means "secure" MX RRset, "secure" address RRset for the MX host and "secure" matching TLSA records. All the links in the chain have to be valid. > > I gather you're looking for something like: > > > > example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes > > > > where "dnssec=yes" would be a new policy option, that requires a > > "secure" MX RRset, or "secure" absence of an MX host. > > Yes. :-) Just to be clear, is that what you had in mind when you started this thread? Or did I suggest a feature that you decided you want? One might also imagine an alternative interface: example.com secure match=nexthop:dot-nexthop:dnssec-hostname Where "dnssec-hostname" matches the hostname only if securely obtained. This would not require secure MX RRsets, but would make use of them to "improve" PKIX name matching when present. This might be better. -- Viktor.
Re: Require DNSSEC signed MX RRs
Viktor Dukhovni wrote: > On Thu, Sep 10, 2015 at 07:44:19PM +0200, Michael Ströder wrote: > >> Looking at [1] it's not clear to me whether it's possible to require MX RRs >> of >> a recipient domain to be DNSSEC signed. Any other configuration option for >> that? > > Postfix, at present, does not support requiring a DNSSEC-signed MX > RRset, except as part of a "dane-only" security level, which also > requires that the A/ records of at least one MX host are signed > and that MX host has correct TLSA records. Maybe there should be some additional text for 'dane-only' in [1]? I'm not sure about the correct wording though. >> [1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps > > Policy requiring DNSSEC signed MX RRsets could well apply even for > domains with which TLS is not used, this is not directly related > to TLS authentication. Agreed. > Of course such a policy might allow the "verify" security level to > apply Web PKI PKIX authentication to a verifed MX host name. Still > if the domain ever does change their MX records, you might well > find that the peer certificate is now self-signed, or no longer > matches the MX hostname, ... So this would have to be used with care. I make use of TLS policy and it works quite well. Of course the policy options are chosen carefully depending on how reliable the information about the particular target domains are. > I gather you're looking for something like: > > example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes > > where "dnssec=yes" would be a new policy option, that requires a > "secure" MX RRset, or "secure" absence of an MX host. Yes. :-) Ciao, Michael. smime.p7s Description: S/MIME Cryptographic Signature
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
Hi Victor, Thanks for your response, > If your policy service says "FILTER ..." it is setting a > content_filter that preempts transport table routing for *all* > recipients. Ok, thanks for clarifying this. It was one of questions we did but wasn't resolved (from my previous mail): It is like smtp(8) is ignoring what's declared on transport_maps because it already has an order to use the transport indicated by the FILTER +transp2 (point 2). Is it right or it shouldn't happen? > > I'm confused about this statement because it is not what's happening > > right now and I have shown an example that demonstrates it :-? > > Yes, you're confused. No, you don't have a counter-example. :-) > > But if I make valvula to report "FILTER transp2:", then postfix2, in > the> diagram "postfix1 -> filter -> postfix2" completely ignores > > transport_maps: > > Exactly as it should, it is up to "transp2" to re-inject the mail > back into Postfix (bypassing the policy service with its FILTER > replies). Ok, so Victor, going back to the initial question, assuming that: 1) We need that "FILTER transp2:", through the delegation protocol, to setup different outgoing IP (it seems there's no other way to do this), 2) And we need some way to discard a single recipient (by destination domain or destination local-part@) in a multi-recipient message, Is there any way to do it without having to write an external content-filter (as described in [1])? Can it be done reusing postfix components? ...or there's no other option :-( ? Thanks for your time, Best Regards, [1] http://www.postfix.org/FILTER_README.html
Re: Require DNSSEC signed MX RRs
Viktor Dukhovni wrote: > On Thu, Sep 10, 2015 at 08:39:38PM +0200, Michael Ströder wrote: > >> Maybe there should be some additional text for 'dane-only' in [1]? >> I'm not sure about the correct wording though. > > I think it is fine as-is. The "dane-only" security level requires > that a peer be DANE authenticated, which means "secure" MX RRset, > "secure" address RRset for the MX host and "secure" matching TLSA > records. All the links in the chain have to be valid. > >>> I gather you're looking for something like: >>> >>> example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes >>> >>> where "dnssec=yes" would be a new policy option, that requires a >>> "secure" MX RRset, or "secure" absence of an MX host. >> >> Yes. :-) > > Just to be clear, is that what you had in mind when you started > this thread? Yes. And I also thought to myself that such a policy option would be useful for all TLS security levels. > Or did I suggest a feature that you decided you want? No, you guessed my wish. > One might also imagine an alternative interface: > > example.com secure match=nexthop:dot-nexthop:dnssec-hostname > > Where "dnssec-hostname" matches the hostname only if securely > obtained. This would not require secure MX RRsets, but would make > use of them to "improve" PKIX name matching when present. Maybe I do not fully understand what you're saying. But personally I consider the TLS hostname matching to be sufficiently secured (because I likely also limit the CA cert used for validation). Mainly it's the MX lookup what I'm concerned about. Ciao, Michael. smime.p7s Description: S/MIME Cryptographic Signature
Require DNSSEC signed MX RRs
HI! Looking at [1] it's not clear to me whether it's possible to require MX RRs of a recipient domain to be DNSSEC signed. Any other configuration option for that? Ciao, Michael. [1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps smime.p7s Description: S/MIME Cryptographic Signature
Re: Check NS (name or IP) against RBL
On Fri, Sep 11, 2015 at 12:25:56AM +0300, Marius Gologan wrote: > Is there any way to check the name server (name and/or IP) of the Sender > domain against RBL service? Only via a policy service that does the relevant DNS lookups. -- Viktor.
Re: Check NS (name or IP) against RBL
Viktor Dukhovni: > On Fri, Sep 11, 2015 at 12:25:56AM +0300, Marius Gologan wrote: > > > Is there any way to check the name server (name and/or IP) of the Sender > > domain against RBL service? > > Only via a policy service that does the relevant DNS lookups. I have used check_sender_ns_access to block persistent spammers. There are also check_sender_mx_access, and similar features for client, helo, recipient. Wietse
Dynamic 'myhostname'
Hi, I'm trialling DMARC to two of my domains. On checking the results when posting from the secondary domain I receive 'SPF Domain Alignment Result = FAIL'. I think this is because postfix always says HELO with the primary domain name, which is obviously different to the secondary. Is there a way to rewrite the message envelope to say HELO using the same domain used in the from field? Thanks, Mick.
Re: Require DNSSEC signed MX RRs
On Thu, Sep 10, 2015 at 08:57:50PM +0200, Michael Ströder wrote: > > One might also imagine an alternative interface: > > > > example.com secure match=nexthop:dot-nexthop:dnssec-hostname > > > > Where "dnssec-hostname" matches the hostname only if securely > > obtained. This would not require secure MX RRsets, but would make > > use of them to "improve" PKIX name matching when present. > > Maybe I do not fully understand what you're saying. Indeed you did not understand. "Securely obtained" means obtained from a "secure" MX RRset. > Mainly it's the MX lookup what I'm concerned about. That's what the alternative feature does, it makes MX hostnames available *only* when they are resistant against active attacks. But in this variant there is no requirement for dnssec. Rather, without DNSSEC only names related to the nexthop domain are checked, and "insecure" MX hostnames are not. I think the second way is more broadly useful. -- Viktor.
Re: content_filter and transport_map on outgoing mail interaction
Ok, figured it out. Read up more on the postfix architecture and confirmed that it should work as the content_filter will run on the mail once it has been received and before it is delivered via smtp to its destination. The issue was that I am submitting on the submission port 587 and needed to add the content_filter there. In fact I don't need two IP addresses for the smtp delivered mail :) On 09/10/2015 06:12 PM, Mark Clarke wrote: > Hi there, > > We have a transport map setup so that mail destined for the local > domain or from some subdomain email servers is not routed to our relay > gateway. These entries have a null gateway set. Mail destined for all > other domains is routed via our relay. > > e.g > > serve...@server01.abc.co.za : > ad...@dms.abc.co.za : > abc.co.za : > * smtp:relay.xyz.co.za > > > We need to apply a content_filter to all outgoing mail. To do this we > have set up two smtp processes in master.cf > > 192.168.10.73:smtp inet n - - - - smtpd > 192.168.10.72:smtp inet n - - - - smtpd >-o content_filter=dfilt: > dfilt unix- n n - - pipe > flags=Rq user=filter argv=/etc/postfix/postfix_filter.sh -f > ${sender} -- ${recipient} > > > this is for the altermime script. In main.cf we have set up > > smtp_bind_address = 192.168.10.72 > > The problem is it appears the transport map simply by passes the > outgoing smtp server settings as defined in main.cf and with > smtp_bind_address. I have tried editing the transport map to force it > to use the 192.168.10.72:smtp service but this doesn't work. How can I > get this to work? i.e route outgoing mail to a specific gateway via > transport maps but still apply a content filter to outgoing mail? > > > thanks -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Re: Dynamic 'myhostname'
Mick: > Hi, > > I'm trialling DMARC to two of my domains. On checking the results when > posting from the secondary domain I receive 'SPF Domain Alignment Result > = FAIL'. I think this is because postfix always says HELO with the > primary domain name, which is obviously different to the secondary. Is > there a way to rewrite the message envelope to say HELO using the same > domain used in the from field? I suspect that the problem is that the SMTP client IP address no not match the SPF rule. You may want to set up sender_dependent_default_transport to use different Postfix SMTP clients depending on the envelope sender email address, with "-o smtp_bind_address" settings in master.cf for the proper client IP address. Wietse
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
Hi Victor, Thanks for your response. At least, now we know the path we don't have to follow, > > 1) We need that "FILTER transp2:", through the delegation protocol, to > > setup different outgoing IP (it seems there's no other way to do this), > > By sender: > > > http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps > > Outgoing IP by recipient domain is just normal transport lookup > (with the IP address part of the master.cf transport definition). Yes, but this doesn't work if you need to adjust outgoing IP based on the sasl user (published solutions insist on using FILTER :-( [1]) > Content filters are NOT how you should do mail routing. Ok, I'll review this, > > 2) And we need some way to discard a single recipient (by destination > > domain or destination local-part@) in a multi-recipient message, > > Resolve that recipient to the "discard" transport. > > > Is there any way to do it without having to write an external > > content-filter (as described in [1])? > > If you don't abuse content_filters for routing, then using the > "discard" transport works. Ok. > Postfix is not a one-stop-shopping solution for a snow-shoe spam > MTA. Removing pesky recipients like me who'll report the sender > to RBL maintainers and abuse departments needs to happen in the > upstream lists, not in the MTA. Turn-away customers with harvested > lists, or you'll find your outbound IPs on RBLs. :-) Hehe...I'd really like to (turn away those customers), but daily life reality is far from there... Anyway, certainly, that "FILTER" for transport selection we are doing is very disruptive (according to postfix way of doing things). I'll take me time to review this, Thanks for taking your time, Best Regards, [1] http://comments.gmane.org/gmane.mail.postfix.user/250046 -- Francis Brosnan BlázquezASPL 91 134 14 22 - 91 134 14 45 - 91 116 07 57 AVISO LEGAL En virtud de lo dispuesto en la Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal, le informamos de que sus datos de carácter personal, recogidos de fuentes accesibles al público o datos que usted nos ha facilitado previamente, proceden de bases de datos propiedad de Advanced Software Production Line, S.L. (ASPL). ASPL garantiza que los datos serán tratados con la finalidad de mantener las oportunas relaciones comerciales o promocionales con usted o la entidad que usted representa. No obstante, usted puede ejercitar sus derechos de acceso, rectificación, cancelación y oposición dispuestos en la mencionada Ley Orgánica, notificándolo por escrito a ASPL - Protección Datos, C/Antonio Suárez 10 A-102, 28802, Alcalá de Henares (Madrid).
Re: Can Postscreen and Smapassassin be used together
--On September 10, 2015 at 7:37:09 AM +0100 Robert Chalmerswrote: I’m currently running postscreen, and am wondering how I would add spamassassin to the main.cf configuration, or are they mutually exclusive? After reading all the answers (I confess I was amazed by some of them), I can assure you that you can run the two together. I have been for years. You don't add spamassassin filtering to main.cf, however. You add it to master.cf. Here's the relevant sections in my master.cf, but you need to read the FILTER_README docs and understand them before implementing this: DO NOT JUST COPY THIS STUFF WITHOUT READING THE DOCS: # grep filter /usr/local/etc/postfix/master.cf smtp inet n - n - - smtpd -o content_filter=filter:dummyr filterunix - n n - 10 pipe flags=Rq user=filter argv=/usr/local/bin/filter.sh -f ${sender} -- ${recipient} smtpd pass - - n - - smtpd -o content_filter=filter:dummy If you want to run mail through spamd, you would use something like this: #smtp inet n - - - - smtpd # -o content_filter=spamassassin #spamassassin unix - n n - - pipe # user=spamd argv=/usr/local/bin/spamc -f -e # /usr/sbin/sendmail -oi -f ${sender} ${recipient}n The filter script is in the FILTER_README doc. Read it carefully. You can either feed mail directly to the spamassassin daemon, spamd, or fun it through a filter script that calls spamassassin for each individual email. I've tried both, but I use the filter script because it allows me to write mail to a directory and then sort through it for any legitimate mail. And frankly, there is very little, if any, legitimate mail in there. This is a very small mail domain with only two recipients. The owners don't want to see spam at all, so I am very aggressive. I also send anything lower than 5 to myself so I can screen it before they see it. Here's my filter script, which is essentially a ripoff of Weitse's script: #!/bin/sh # Simple shell-based filter. It is meant to be invoked as follows: # /path/to/script -f sender recipients... # Localize these. INSPECT_DIR=/usr/local/filter SPAMDIR=/var/spool/spam SENDMAIL="/usr/sbin/sendmail -i" SPAMASSASSIN=/usr/local/bin/spamassassin SPAMLIMIT=5 SPAMCK=4 # Exit codes from EX_TEMPFAIL=75 EX_UNAVAILABLE=69 # Start processing. cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; } # Clean up when done or when aborting. trap "rm -f in.$$" 0 1 2 3 15 cat | $SPAMASSASSIN -x > out.$$ || \ { echo Cannot save mail to file; exit $EX_TEMPFAIL; } if egrep -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < out.$$ then mv out.$$ $SPAMDIR elif egrep -q "^X-Spam-Level: \*{$SPAMCK,}" < out.$$ then $SENDMAIL geek < out.$$ else $SENDMAIL "$@" < out.$$ fi trap "rm -f out.$$" 0 1 2 3 15 exit $? Paul Schmehl (pschm...@tx.rr.com) Independent Researcher
Re: ASPL: discarding a single recipient or a set of them from a multi-recipient message
On Thu, Sep 10, 2015 at 10:06:24PM +0200, Francis Brosnan Blázquez wrote: > > > 1) We need that "FILTER transp2:", through the delegation protocol, to > > > setup different outgoing IP (it seems there's no other way to do this), > > > > By sender: > > > > > > http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps > > > > Outgoing IP by recipient domain is just normal transport lookup > > (with the IP address part of the master.cf transport definition). > > Yes, but this doesn't work if you need to adjust outgoing IP based on > the sasl user (published solutions insist on using FILTER :-( [1]) Then perhaps we should provide a way of doing the same thing by SASL login. Both the envelope address and the SASL login name are really features of the sender. The original purpose of the feature (in the form of a sender dependent relay host) was to allow users to relay mail through the right email provider that hosts the mailbox for the sender address, and might have DKIM, SPF, ... I don't think that we're going out of our way to facilitate snow-show bulk-email (possibly legitimate, and just dealing with real obstacles, or at times trying to flying under the radar with less legitimate content). So there's a limit to how much effort in that direction is likely in the mainstream Postfix distribution. What are the legitimate use-cases for transport for SASL id? > > Postfix is not a one-stop-shopping solution for a snow-shoe spam > > MTA. Removing pesky recipients like me who'll report the sender > > to RBL maintainers and abuse departments needs to happen in the > > upstream lists, not in the MTA. Turn-away customers with harvested > > lists, or you'll find your outbound IPs on RBLs. > > :-) Hehe...I'd really like to (turn away those customers), but daily > life reality is far from there... > > Anyway, certainly, that "FILTER" for transport selection we are doing is > very disruptive (according to postfix way of doing things). I'll take me > time to review this, > > [1] http://comments.gmane.org/gmane.mail.postfix.user/250046 Well, that works provided you don't also try to do any interesting per-recipient routing (e.g. routing to discard(8)). There isn't at present a "DEFAULT ..." access(5) directive that instead of "FILTER", which preempts routing, sets the default transport. This would have to write a new record into the queue-file that the queue-manager would then convey to trivial-rewrite(8) in the "resolve" protocol request (which would need to change), so that trivial-rewrite would return the per-message default transport. Can't estimate the likelihood of this becoming an official feature. -- Viktor.
Re: Dynamic 'myhostname'
On 10/09/2015 21:13, Wietse Venema wrote: Mick: Hi, I'm trialling DMARC to two of my domains. On checking the results when posting from the secondary domain I receive 'SPF Domain Alignment Result = FAIL'. I think this is because postfix always says HELO with the primary domain name, which is obviously different to the secondary. Is there a way to rewrite the message envelope to say HELO using the same domain used in the from field? I suspect that the problem is that the SMTP client IP address no not match the SPF rule. You may want to set up sender_dependent_default_transport to use different Postfix SMTP clients depending on the envelope sender email address, with "-o smtp_bind_address" settings in master.cf for the proper client IP address. Hi Wietse, I only have 1 IP address (2 if you count the IPv6 address). A reverse DNS lookup will always find my primary domain so even if I used 'sender_dependent_default_transport' and set up multiple switches just to change HELO name, they still have to point to the same IP. If reverse DNS was then carried out, secondary domain provided in the HELO would not match and mail could be rejected. Think I'm stuffed without additional IPv4s, but at least I know why. Thanks for your advice. Mick. Wietse
Check NS (name or IP) against RBL
Hi, Is there any way to check the name server (name and/or IP) of the Sender domain against RBL service? Thank you. Marius. smime.p7s Description: S/MIME cryptographic signature
Can Postscreen and Smapassassin be used together
I’m currently running postscreen, and am wondering how I would add spamassassin to the main.cf configuration, or are they mutually exclusive?
Re: Require DNSSEC signed MX RRs
On Thu, Sep 10, 2015 at 07:44:19PM +0200, Michael Ströder wrote: > Looking at [1] it's not clear to me whether it's possible to require MX RRs of > a recipient domain to be DNSSEC signed. Any other configuration option for > that? Postfix, at present, does not support requiring a DNSSEC-signed MX RRset, except as part of a "dane-only" security level, which also requires that the A/ records of at least one MX host are signed and that MX host has correct TLSA records. > [1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps Policy requiring DNSSEC signed MX RRsets could well apply even for domains with which TLS is not used, this is not directly related to TLS authentication. Of course such a policy might allow the "verify" security level to apply Web PKI PKIX authentication to a verifed MX host name. Still if the domain ever does change their MX records, you might well find that the peer certificate is now self-signed, or no longer matches the MX hostname, ... So this would have to be used with care. I gather you're looking for something like: example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes where "dnssec=yes" would be a new policy option, that requires a "secure" MX RRset, or "secure" absence of an MX host. -- Viktor.