SV: Is this a correct way to define PCRE lists?

2015-12-13 Thread Sebastian Nielsen
Thank you.
The reason I use DISCARD is that REJECT simply doesn't work. I tried; if
I use REJECT, the spammer just switches to a new domain.
I noticed I got a large amount of spam from, for example, *@mediablueinc.ga,
put a reject rule in, then they started spamming from *@mediablueinc.com,
and so on. I then changed to DISCARD and that actually works: the spam
ceased, because the spammer won't notice they get blocked and switch to a
new domain.

Yes, I'm using it in main.cf. It was just that I wanted to be sure that I
didn't do something wrong so that I block too much or too little.
I had a hash: list before, but now I noticed they started spamming from
certain TLDs so I had to change to a pcre: table.

Best regards, Sebastian Nielsen

-----Original Message-----
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Bill Shirley
Sent: 13 December 2015 05:58
To: postfix-users@postfix.org
Subject: Re: Is this a correct way to define PCRE lists?

I don't see anything "wrong".  The default for .pcre is case independence.

I use "REJECT Spam not allowed." instead of DISCARD.

You're not escaping your period (\.com).

You can combine some of these into a single rule:
/mediablueinc\.(cf|com|ga)$/   REJECT Spam not allowed (1).
/\.(top|ninja|download)$/      REJECT Spam not allowed (2).
If you number them you'll see in the log file which rule matched.


You have to use the table in main.cf.  Something like:
smtpd_recipient_restrictions =
 permit_mynetworks
 permit_sasl_authenticated
 check_sender_access pcre:/etc/postfix/my.tables/sender_access.pcre
 reject_rbl_client zen.spamhaus.org
 reject_rbl_client dnsbl.sorbs.net


Bill


On 12/12/2015 2:47 PM, Sebastian Nielsen wrote:
> I have a check_sender_access to weed out spam from spam domains.
>
> The check_sender_access is a pcre: list.
>
> And the pcre list is:
>
> /mediablueinc.cf$/i DISCARD
>
> /mediablueinc.com$/i DISCARD
>
> /mediablueinc.ga$/i DISCARD
>
> /abstreeltg.eu$/i DISCARD
>
> /\.top$/i DISCARD
>
> (Yeah, the .top domain is a spam hole. Got over 100 spam mails from 
> that TLD with random words in the domain like psoraris-doctor.top and 
> so on, and I will never get a legit mail from that spam hole)
>
> Or am I doing something wrong?
>



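The two points Bill raises, escaping the period and numbering the actions so the log shows which rule fired, are easy to test without touching a live Postfix. The following is an added example, not code from the thread or from Postfix: a small Python harness that models how a pcre: access table is evaluated (the whole sender address is looked up, the first matching rule wins, matching is case-insensitive by default). The table below is constructed for the demonstration, with Sebastian's unescaped pattern next to Bill's escaped rules; flag toggling beyond that default is not modelled, and pcre_table(5) remains the reference for it.

```python
import re

# Constructed sender_access table in Postfix pcre: syntax (not copied verbatim
# from the thread): an unescaped pattern beside escaped, numbered rules.
SENDER_ACCESS_PCRE = r"""
# An unescaped "." matches any character, not just a literal period.
/mediablueinc.cf$/                DISCARD unescaped (0)
# Escaped "." plus alternation: one rule covers several spam domains.
/mediablueinc\.(cf|com|ga)$/      REJECT Spam not allowed (1).
/\.(top|ninja|download)$/         REJECT Spam not allowed (2).
"""

# /pattern/flags action -- the pattern may contain backslash-escaped slashes.
RULE_RE = re.compile(
    r"^/(?P<pattern>(?:\\.|[^/\\])*)/(?P<flags>[A-Za-z]*)\s+(?P<action>.+)$"
)


def parse_table(text):
    """Parse pcre: table lines into (compiled regex, action) pairs, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule: {line!r}")
        # Assumption: case-insensitive matching, the pcre_table(5) default.
        # The per-rule flag toggles are not modelled here.
        rules.append((re.compile(m["pattern"], re.IGNORECASE), m["action"]))
    return rules


def lookup(rules, sender):
    """Return the action of the first rule matching the whole sender address,
    as check_sender_access does with a pcre: table, or None if nothing matches."""
    for regex, action in rules:
        if regex.search(sender):
            return action
    return None


RULES = parse_table(SENDER_ACCESS_PCRE)

if __name__ == "__main__":
    # Constructed sample senders; the "X" variants show what an unescaped dot lets through.
    for addr in ("bob@mediablueinc.cf", "bob@mediablueincXcf", "bob@mediablueinc.com",
                 "bob@mediablueincXcom", "Bob@PSORARIS-DOCTOR.TOP", "bob@example.com"):
        print(f"{addr:26} -> {lookup(RULES, addr)}")
```

Because the action text is what Postfix logs, the "(1)" and "(2)" suffixes tell you from the mail log which rule caught a given sender, which is the only practical way to audit a growing table for over-blocking.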


Local delivery and relaying

2015-12-13 Thread Jan Ceuleers
Hi

I'm a new Postfix user, having just switched from sendmail (which I set
up years ago and then forgot how).

I want my Postfix server to locally deliver emails for my own accounts
and those of my housemates, but relay all others. So for example:

Locally deliver these:
us...@example1.net
us...@example1.net
us...@example2.net
us...@example3.net

But relay all other destinations to the smart host.

I'm currently using the virtual_alias_domains feature, but this tries to
locally deliver all accounts within example1.net, example2.net and
example3.net. What I want is local delivery only of the accounts listed
in the virtual_alias_maps file, and relaying of all other destinations,
regardless of their domain.

I've done a lot of googling but could not find the answer (probably
because I don't know what search terms to use).

Any hints would be gratefully received.

Thanks, Jan


Re: postfix and multiple TLS certificates (SNI support?)

2015-12-13 Thread Dirk Stöcker

On Sat, 12 Dec 2015, Viktor Dukhovni wrote:

>> And SMTP has the big advantage, that you can define the name of the host in
>> MX, so the name of the mail server can be independent from the domain of the
>> email address.
>>
>> Simply wait a bit longer and maybe that issue solves itself :-)
>
> Thanks for the moral support.  I agree that SNI is not particularly
> compelling for port 25.  The strongest arguments for SNI that
> I've seen are for port 587 submission, where there's no MX indirection,
> users' MUAs have statically configured SMTP servers.

At least for Thunderbird and some open source mail software I got rid of 
this issue as well by implementing the autoconfig procedure:

https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
That's much more powerful than SNI alone. Parsing the postfix files 
it gives each of my users the correct settings for all of their email 
addresses.

Negative: If fully implemented it allows everybody to find the username 
for a given mail address but I decided that's worth the additional 
comfort. Usually guessing gives you the username not much slower (with 
some uncertainty).

I also tried to implement the Microsoft variant but till now I do not 
think the setup is really correct. :-)


Ciao
--
http://www.dstoecker.eu/ (PGP key available)


Re: postfix and multiple TLS certificates (SNI support?)

2015-12-13 Thread Alice Wonder



On 12/13/2015 11:55 AM, Dirk Stöcker wrote:
> On Sat, 12 Dec 2015, Viktor Dukhovni wrote:
>
>>> And SMTP has the big advantage, that you can define the name of the
>>> host in MX, so the name of the mail server can be independent from the
>>> domain of the email address.
>>>
>>> Simply wait a bit longer and maybe that issue solves itself :-)
>>
>> Thanks for the moral support.  I agree that SNI is not particularly
>> compelling for port 25.  The strongest arguments for SNI that
>> I've seen are for port 587 submission, where there's no MX indirection,
>> users' MUAs have statically configured SMTP servers.
>
> At least for Thunderbird and some open source mail software I got rid of
> this issue as well by implementing the autoconfig procedure:
> https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
> That's much more powerful than SNI alone. Parsing the postfix files it
> gives each of my users the correct settings for all of their email
> addresses.
>
> Negative: If fully implemented it allows everybody to find the username
> for a given mail address but I decided that's worth the additional
> comfort. Usually guessing gives you the username not much slower (with
> some uncertainty).
>
> I also tried to implement the Microsoft variant but till now I do not
> think the setup is really correct. :-)
>
> Ciao


A big negative to Thunderbird autoconfig: it looks for http before 
https, resulting in a MITM vulnerability.

They say it is because hosting companies like GoDaddy don't want to have 
a TLS cert for every e-mail domain.

They should have a DNS TXT field like _moz_auto.domain.tld or something 
that points to the authoritative TLS autoconfig server, but they don't 
want to do that.
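Dirk's setup (a server that parses the Postfix maps and answers each address with its account settings) and the drawback he names (anyone can ask for the username behind an address) can both be shown in a few lines. The following is an added example, not Dirk's script and not part of the thread: a Python module that builds the Mozilla config-v1.1.xml document in two ways, once with the real account looked up from a virtual_alias_maps-style file, and once with the client-side `%EMAILADDRESS%` placeholder so the answer is identical for every address in the domain. The map contents, server names and ports are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed virtual_alias_maps-style content (address -> local account),
# standing in for the Postfix files Dirk's script parses.
VIRTUAL_ALIAS_MAPS = """
# address                 local account
alice@example.net         alice
a.smith@example.net       alice
bob@example.org           bob
"""

# Assumed server names; not from the thread.
IMAP_HOST = "imap.example.net"
SMTP_HOST = "smtp.example.net"


def parse_virtual_map(text):
    """Map each address in a virtual_alias_maps-style file to its local account."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, account = line.split(None, 1)
        mapping[address.lower()] = account.strip()
    return mapping


def build_autoconfig(domain, username_value):
    """Build a config-v1.1.xml document for one domain. username_value is either
    a real account name or the client-side placeholder %EMAILADDRESS%."""
    root = ET.Element("clientConfig", version="1.1")
    prov = ET.SubElement(root, "emailProvider", id=domain)
    ET.SubElement(prov, "domain").text = domain
    ET.SubElement(prov, "displayName").text = domain
    servers = (
        ("incomingServer", "imap", IMAP_HOST, "993", "SSL"),
        ("outgoingServer", "smtp", SMTP_HOST, "587", "STARTTLS"),
    )
    for tag, kind, host, port, socket_type in servers:
        srv = ET.SubElement(prov, tag, type=kind)
        ET.SubElement(srv, "hostname").text = host
        ET.SubElement(srv, "port").text = port
        ET.SubElement(srv, "socketType").text = socket_type
        ET.SubElement(srv, "authentication").text = "password-cleartext"
        ET.SubElement(srv, "username").text = username_value
    return ET.tostring(root, encoding="unicode")


def autoconfig_for(emailaddress, virtual_map, per_address_username):
    """Answer one ...?emailaddress=<addr> request.

    per_address_username=True: look the address up and return its account name
    (the convenience Dirk describes). Both the name in the response and the
    mere existence of a response tell the requester something about the address.
    per_address_username=False: one static document per domain with
    %EMAILADDRESS% as the username; the client fills it in, so every address
    in the domain, real or not, gets the same answer.
    """
    domain = emailaddress.rsplit("@", 1)[1].lower()
    if per_address_username:
        account = virtual_map.get(emailaddress.lower())
        if account is None:
            return None
        return build_autoconfig(domain, account)
    return build_autoconfig(domain, "%EMAILADDRESS%")


VIRTUAL_MAP = parse_virtual_map(VIRTUAL_ALIAS_MAPS)

if __name__ == "__main__":
    print(autoconfig_for("a.smith@example.net", VIRTUAL_MAP, per_address_username=True))
    print(autoconfig_for("a.smith@example.net", VIRTUAL_MAP, per_address_username=False))
```

The placeholder form is the one to prefer where the IMAP login is the full address anyway; the per-address lookup is only worth its exposure where, as in Dirk's case, several addresses map to one differently named account and the convenience is judged to outweigh it. Neither variant addresses Alice's point: whatever the server returns, a client that tries plain http first can be handed a different document on the way.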


cleanup service and removing headers

2015-12-13 Thread Alex
Hi,

I'd like to use the cleanup service to remove internal headers for
privacy. I'd also like to make sure to not break DKIM signing in the
process.

I've tried to redefine the cleanup service to auth-cleanup for
submission. I already have a submission service that works
successfully.

auth-cleanup   unix  n   -   n   -   0   cleanup
   -o syslog_name=postfix/auth-cleanup
   -o header_checks=pcre:/etc/postfix/auth_header_checks.pcre

submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o receive_override_options=$submission_overrides
  -o syslog_name=postfix/submission
  -o cleanup_service_name=auth-cleanup

/etc/postfix/auth_header_checks.pcre
/^\s*(Received: from)[^\n]*(?!inside.example.com).*/ REPLACE $1 [127.0.0.1] (localhost 127.0.0.1])

Received: from sage.inside.example.com (sage.inside.example.com
[192.168.1.7]) (using TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did
not present a certificate) (Authenticated sender: alex)
by orion.example.com (Postfix) with ESMTPSA id DE862A60121
for ; Sun, 13 Dec 2015 21:57:00 -0500 (EST)

Dec 13 21:57:00 orion postfix/submission/smtpd[30338]: DE862A60121: client=sage.inside.example.com[192.168.1.7], sasl_method=PLAIN, sasl_username=alex
Dec 13 21:57:00 orion postfix/auth-cleanup/cleanup[30346]: DE862A60121: message-id=<566e2ffc.20...@example.com>

I'm not very good with regular expressions. Could that be the problem here?

Please let me know if there's other information I can provide to help.

Thanks,
Alex
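Whatever the cleanup side does with the table, the pattern itself can be tested offline. The following is an added example, not from Alex's post and not a diagnosis of his Postfix setup: a Python harness that runs the rule as posted against two constructed Received: headers (one from an internal host in the shape shown above, one from an outside relay) and shows what it actually selects. Because `[^\n]*` is greedy, the negative lookahead `(?!inside.example.com)` is evaluated at the end of the first line, where it always succeeds, so the rule matches every Received: header rather than only internal ones; the second pattern tests the host right after "Received: from" instead. The headers, the outside relay and the queue ids are constructed; the REPLACE text is the one from the question with its brackets balanced, and `$1` is rendered as Python's `\1`.

```python
import re

# Constructed logical headers, presented the way header_checks(5) sees them:
# one header per match, continuation lines included. Values are invented.
INTERNAL_HEADER = (
    "Received: from sage.inside.example.com (sage.inside.example.com [192.168.1.7])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n"
    "\t(Authenticated sender: alex)\n"
    "\tby orion.example.com (Postfix) with ESMTPSA id QUEUEID0000"
)
EXTERNAL_HEADER = (
    "Received: from mx.example.org (mx.example.org [203.0.113.5])\n"
    "\tby orion.example.com (Postfix) with ESMTPS id QUEUEID0001"
)

# The pattern exactly as posted: the lookahead sits after a greedy [^\n]*.
AS_POSTED = re.compile(r"^\s*(Received: from)[^\n]*(?!inside.example.com).*")

# A pattern whose host test constrains the match: the sending host must be
# inside.example.com or a host beneath it. re.S lets .* span continuation lines.
INTERNAL_ONLY = re.compile(
    r"^(Received: from) (?:[\w-]+\.)*inside\.example\.com\b.*", re.S
)

# The REPLACE text from the question with balanced brackets; $1 becomes \1.
REPLACEMENT = r"\1 [127.0.0.1] (localhost [127.0.0.1])"


def matches(rule, header):
    """True if the rule would select this logical header."""
    return rule.search(header) is not None


def apply_replace(rule, header):
    """Model the REPLACE action: the whole logical header becomes the text."""
    m = rule.search(header)
    if m is None:
        return header
    return m.expand(REPLACEMENT)


if __name__ == "__main__":
    for name, header in (("internal", INTERNAL_HEADER), ("external", EXTERNAL_HEADER)):
        print(f"{name}: as posted -> {matches(AS_POSTED, header)}, "
              f"host-anchored -> {matches(INTERNAL_ONLY, header)}")
    print(apply_replace(INTERNAL_ONLY, INTERNAL_HEADER))
```

A rule that matches every Received: header would also rewrite the ones added by outside relays on inbound mail if the same table were ever used on a non-submission cleanup, so keeping the host test meaningful matters beyond this one case; the harness above is a cheap place to add each header shape you expect before the table goes live.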