SV: Is this a correct way to define PCRE lists?
Thank you. The reason I do use DISCARD is that REJECT simply doesn't work. I tried, if I use REJECT, the spammer just switch to a new domain. I noticed I got a large amount of spam from, for example *@mediablueinc.ga, put a reject rule, then they started spamming from *@mediablueinc.com, And so on. I then changed into DISCARD and that actually works, the spam ceased, because the spammer won't notice they get blocked and switch to a new domain. Yes, im using it in main.cf. It was just that I wanted to be sure that I didn't do something wrong so I block too much or too little. I had a hash: list before, but now I noticed they started spamming from certain TLD so I had to change into a pcre:. Best regards, Sebastian Nielsen -Ursprungligt meddelande- Från: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] För Bill Shirley Skickat: den 13 december 2015 05:58 Till: postfix-users@postfix.org Ämne: Re: Is this a correct way to define PCRE lists? I don't see anything "wrong". The default for .pcre is case independence. I use "REJECT Spam not allowed." instead of DISCARD. You're not escaping your period (\.com). You can combine some of these into a single rule: /mediablueinc\.(cf|com|ga)$/REJECT Spam not allowed (1). /\.(top|ninja|download)$/ REJECT Spam not allowed (2). If you number them you'll see in the log file which rule matched. You have to use the table in main.cf. Something like: smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/my.tables/sender_access.pcre reject_rbl_client zen.spamhaus.org reject_rbl_client dnsbl.sorbs.net Bill On 12/12/2015 2:47 PM, Sebastian Nielsen wrote: > I have a check_sender_access to weed out spam from spam domains. > > The check_sender_access is a pcre: list. > > And the pcre list is: > > /mediablueinc.cf$/i DISCARD > > /mediablueinc.com$/i DISCARD > > /mediablueinc.ga$/i DISCARD > > /abstreeltg.eu$/i DISCARD > > /\.top$/i DISCARD > > (Yeah, the .top domain is a spam hole. Got over 100 spam mails from > that TLD with random words in the domain like psoraris-doctor.top and > so on, and I will never get a legit mail from that spam hole) > > Or are im doing something wrong? > smime.p7s Description: S/MIME Cryptographic Signature
Local delivery and relaying
Hi I'm a new Postfix user, having just switched from sendmail (which I set up years ago and then forgot how). I want my Postfix server to locally deliver emails for my own accounts and those of my housemates, but relay all others. So for example: Locally deliver these: us...@example1.net us...@example1.net us...@example2.net us...@example3.net But relay all other destinations to the smart host. I'm currently using the virtual_alias_domains feature, but this tries to locally deliver all accounts within example1.net, example2.net and example3.net. What I want is local delivery only of the accounts listed in the virtual_alias_maps file, and relaying of all other destinations, regardless of whether their domain. I've done a lot of googling but could not find the answer (probably because I don't know what search terms to use). Any hints would be gratefully received. Thanks, Jan
Re: postfix and multiple TLS certificates (SNI support?)
On Sat, 12 Dec 2015, Viktor Dukhovni wrote: And SMTP has the big advantage, that you can define the name of the host in MX, so the name of the mail server can be independent from the domain of the email address. Simply wait a bit longer and maybe that issue solves itself :-) Thanks for the moral support. I agree that SNI is not particularly compelling for port 25. The more strongest arguments for SNI that I've seen are for port 587 submission, where there's no MX indirection, users' MUAs have statically configured SMTP servers. At least for Thunderbird and some open source mail software I got rid of this issue as well by implementing the autoconfig procedure: https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat That's much more powerful than SNI alone. Parsing the postfix files it gives each of my users the correct settings for all of their email addresses. Negative: If fully implemented it allows everybody to find the username for a given mail address but I decided that's worth the additional comfort. Usually guessing gives you the username not much slower (with some uncertainity). I tried also to implement the Microsoft variant but till now I do not think setup is really correct. :-) Ciao -- http://www.dstoecker.eu/ (PGP key available)
Re: postfix and multiple TLS certificates (SNI support?)
On 12/13/2015 11:55 AM, Dirk Stöcker wrote: On Sat, 12 Dec 2015, Viktor Dukhovni wrote: And SMTP has the big advantage, that you can define the name of the host in MX, so the name of the mail server can be independent from the domain of the email address. Simply wait a bit longer and maybe that issue solves itself :-) Thanks for the moral support. I agree that SNI is not particularly compelling for port 25. The more strongest arguments for SNI that I've seen are for port 587 submission, where there's no MX indirection, users' MUAs have statically configured SMTP servers. At least for Thunderbird and some open source mail software I got rid of this issue as well by implementing the autoconfig procedure: https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat That's much more powerful than SNI alone. Parsing the postfix files it gives each of my users the correct settings for all of their email addresses. Negative: If fully implemented it allows everybody to find the username for a given mail address but I decided that's worth the additional comfort. Usually guessing gives you the username not much slower (with some uncertainity). I tried also to implement the Microsoft variant but till now I do not think setup is really correct. :-) Ciao A big negative to Thunderbird autoconfig - it looks for http before https resulting in MITM vulnerability. They say it is because hosting companies like godaddy don't want to have a TLS cert for every e-mail domain. They should have a DNS TXT field like _moz_auto.domain.tld or something that points to the authoritative TLS autoconfig server but they don't want to do that.
cleanup service and removing headers
Hi, I'd like to use the cleanup service to remove internal headers for privacy. I'd also like to make sure to not break DKIM signing in the process. I've tried to redefine the cleanup service to auth-cleanup for submission. I already have a submission service that works successfully. auth-cleanup unix n - n - 0 cleanup -o syslog_name=postfix/auth-cleanup -o header_checks=pcre:/etc/postfix/auth_header_checks.pcre submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o receive_override_options=$submission_overrides -o syslog_name=postfix/submission -o cleanup_service_name=auth-cleanup /etc/postfix/auth_header_checks.pcre /^\s*(Received: from)[^\n]*(?!inside.example.com).*/ REPLACE $1 [127.0.0.1] (localhost 127.0.0.1]) Received: from sage.inside.example.com (sage.inside.example.com [192.168.1.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: alex) by orion.example.com (Postfix) with ESMTPSA id DE862A60121 for; Sun, 13 Dec 2015 21:57:00 -0500 (EST) Dec 13 21:57:00 orion postfix/submission/smtpd[30338]: DE862A60121: client=sage.inside.example.com[192.168.1. 7], sasl_method=PLAIN, sasl_username=alex Dec 13 21:57:00 orion postfix/auth-cleanup/cleanup[30346]: DE862A60121: message-id=<566e2ffc.20...@example.com> I'm not very good with regular expressions. Could that be the problem here? Please let me know if there's other information I can provide to help. Thanks, Alex