Re: (Semi OT) RBL shakedown

2016-10-24 Thread Bill Cole

On 24 Oct 2016, at 16:54, li...@lazygranch.com wrote:

So you block all of AS14061 because there supposedly is a spammer in 
the block?


The relevant TXT record in that DNSBL asserts 276 "abusers" on AS14061 
in the past week. Eyeballing the visible routes for AS14061, that seems 
to be something like 0.2% of the advertised addresses.


I grumblingly agreed when Wietse said it was proper to block a 
specific IP when only one user was spamming, but this seems excessive.


It is, which is why UCEPROTECT and especially their "Level 3" list are 
not widely trusted as a basis for absolute banning. I don't recall 
seeing evidence that *any* of their lists are used as outright banning 
criteria by any sites with a significant number of users outside of 
German-speaking Europe.


Re: OT: "X-PHP-Script" header

2016-10-24 Thread Bill Cole

On 24 Oct 2016, at 12:29, Allen Coates wrote:



Over the weekend I had three spam messages get through to my in-box. Two
contained an "X-PHP-Script" header

one was
X-PHP-Script:
folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
for 110.83.63.152

and the other
X-PHP-Script:
118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
for 110.83.62.203

I suppose I could block them using  header_checks, but first, does
anybody know what they (are supposed to) do?   I have not encountered
them before.


They are added by the PHP mail() function (if the active PHP config has 
them turned on) as a weak but surprisingly useful way for web server 
admins to identify exactly where some spam-sending malware has been 
deployed. This is a weak tool in theory because a script can effectively 
clobber the pathname component, but apparently the folks writing that 
class of malware include examples of "any moron can write working PHP" 
because I still see these with apparently real values (as above) in spam 
at a substantial rate despite this feature existing for over a decade.


I wouldn't advise using the existence of an X-PHP-Script header as an 
absolute reason to block mail. In my personal archives I have 30 
entirely legitimate, desired messages with that header and 173 spam. In 
a workplace account which gets essentially no spam I have no spam with 
it in the past 8 years, during which I've received dozens (maybe 
hundreds) of absolutely non-spam messages with X-PHP-Script headers 
generated by various tools that use PHP (e.g. MediaWiki page change 
notices) and from external sources. The content of an X-PHP-Script header 
can be useful in more complex filtering systems (e.g. SpamAssassin) 
because the spamware scripts often hide themselves in odd directories 
like /tmp, /images, and frequently claim to be triggered from IPs that 
bear no relationship to the source host (like the above: consumer 
broadband IPs in Fuqing, Fujian, China.) You can't do that sort of 
analysis in Postfix itself.
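As an added illustration of the kind of cross-header analysis Bill describes (this is example code written for this page, not something from the thread, from PHP or from SpamAssassin): a small scorer that parses an X-PHP-Script header, flags scripts living in the odd directories named in the reply (/tmp, /images; the other directory names, the point values, the "same /16" stand-in for an ASN lookup, and the Received lines in the samples are this example's own assumptions) and checks whether the "for" address is a plausible web visitor and has any relation to the host that actually connected to our MTA. Postfix header_checks see one header at a time and cannot do this; a milter or post-queue filter can.

```python
"""Score an X-PHP-Script header the way a content filter could.

Example code for this page, not from the thread.  Assumptions: the header
has the shape seen in the quoted spam ('host/path for ip'), the topmost
Received header is the one our own MTA added, and 'related' is a crude
/16 proxy for the ASN or geolocation check the reply implies.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from typing import List, Optional, Tuple

# Header layout as it appears in the quoted spam:
#   X-PHP-Script: host/path/script.php for 203.0.113.5
_HDR = re.compile(r"^(?P<host>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<ip>\S+)$")
# Client address as Postfix writes it: "from helo (rdns [203.0.113.10])"
_RCVD_IP = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")

# /tmp and /images are named in the reply; "cache" and "uploads" are this
# example's own additions (assumption).
SUSPICIOUS_DIRS = frozenset({"tmp", "images", "cache", "uploads"})
# Address space no real web visitor can be coming from (RFC 1918, loopback,
# link-local, ULA).  Documentation ranges are deliberately not included so
# that the constructed samples below stay "routable".
_BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Verdict:
    host: str
    path: str
    trigger_ip: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_x_php_script(value: str) -> Optional[Tuple[str, str, str]]:
    """Split 'host/path for ip' into (host, path, ip); None if not that shape."""
    m = _HDR.match(" ".join(value.split()))     # unfold continuation lines
    return m.group("host", "path", "ip") if m else None


def connecting_ip(msg: Message) -> Optional[str]:
    """Address of the client that handed the message to our MTA: the topmost
    Received header (assumed to be ours; anything below it is hearsay)."""
    received = msg.get_all("Received") or []
    m = _RCVD_IP.search(" ".join(received[0].split())) if received else None
    return m.group("ip") if m else None


def related(a: str, b: str) -> bool:
    """Crude offline stand-in for 'same network': same /16 (v4) or /32 (v6)."""
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ia.version != ib.version:
        return False
    prefix = 16 if ia.version == 4 else 32
    return ib in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def score_header(value: str, client_ip: Optional[str] = None) -> Optional[Verdict]:
    """Score one X-PHP-Script value; point values are this example's own."""
    parsed = parse_x_php_script(value)
    if parsed is None:
        return None
    host, path, trigger = parsed
    v = Verdict(host, path, trigger)
    hits = SUSPICIOUS_DIRS.intersection(p for p in path.split("/") if p)
    if hits:
        v.score += 2
        v.reasons.append("script lives under /" + ", /".join(sorted(hits)))
    try:
        tip = ipaddress.ip_address(trigger)
    except ValueError:
        v.score += 2
        v.reasons.append("trigger is not an IP address")
        return v
    if any(tip in net for net in _BOGONS):
        v.score += 1
        v.reasons.append("trigger IP is not a routable visitor address")
    if client_ip and not related(trigger, client_ip):
        v.score += 1
        v.reasons.append("trigger IP unrelated to the sending host")
    return v


def score_message(raw: str) -> List[Verdict]:
    """One Verdict per X-PHP-Script header; a message may carry several."""
    msg = message_from_string(raw)
    cip = connecting_ip(msg)
    out = []
    for h in msg.get_all("X-PHP-Script") or []:
        v = score_header(h, cip)
        if v is not None:
            out.append(v)
    return out


# Constructed sample: the Received line is made up; the X-PHP-Script value is
# the first one quoted in Allen's report.
SPAM = """\
Received: from folar.org (unknown [203.0.113.10])
 by mx.example.net (Postfix) with ESMTP id 4C0D2A1; Mon, 24 Oct 2016 09:00:00 +0000
X-PHP-Script: folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
 for 110.83.63.152
From: <noreply@folar.org>
Subject: test

body
"""

# Constructed sample: a MediaWiki-style notice whose trigger IP sits in the
# wiki's own /16, so nothing fires.
LEGIT = """\
Received: from wiki.example.org (wiki.example.org [198.51.100.7])
 by mx.example.net (Postfix) with ESMTP id 7A1B3C2; Mon, 24 Oct 2016 09:05:00 +0000
X-PHP-Script: wiki.example.org/w/index.php for 198.51.100.44
From: <wiki@example.org>
Subject: Page changed

body
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("legit", LEGIT)):
        for v in score_message(raw):
            print(name, v.score, v.host, v.path, v.reasons)
```

Note that the header quoted in Allen's mail only scores on the unrelated trigger address, which is exactly Bill's point: on its own the header is weak evidence and belongs in a scoring system, not in an absolute block.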




incoming queue question: 'not found'

2016-10-24 Thread Voytek
I monitor Postfix queue with Cacti, normally see warning on deferred
queue, charts in red, sends threshold warning, when there is some issues

today, first time ever saw that, I see incoming queue in Cacti growing, up
to 14/16, (charts blue) never observed that before...?

mailq gives nothing, pfqueue has like(1);

how to better assess what's going on?

 Queue: 'incoming', 7 messages, 0 tagged, unsorted  ATCSB
 ID          From         To
 E29D64CBC2  *Not found*  *Not found*
 1B8654CBC1  *Not found*  *Not found*
 93E464CBBB  *Not found*  *Not found*
 080504CBB8  *Not found*  *Not found*
 D2B494CB7F  *Not found*  *Not found*
 172154CBCA  *Not found*  *Not found*
 24A8F4CBAF  *Not found*  *Not found*





Re: (Semi OT) RBL shakedown

2016-10-24 Thread Niklaas Baudet von Gersdorff
li...@lazygranch.com [2016-10-24 14:52 -0700] :

> Oh, I didn't mean YOU as in you personally. Sorry about that.
> Maybe it is an American way of speaking. 

No offenSe taken. ;-)

> The reply from Digital Ocean is just to change my IP. I'm
> shocked they don't want to defend their IP space. I suppose if
> I actually get blocked, I will go through the hassle of changing
> the IP. (Not trivial).

Have you checked your logs whether you already got rejected
because of level 3?

Niklaas


Re: (Semi OT) RBL shakedown

2016-10-24 Thread lists
Oh, I didn't mean YOU as in you personally. Sorry about that. Maybe it is an 
American way of speaking. 

The reply from Digital Ocean is just to change my IP. I'm shocked they don't 
want to defend their IP space. I suppose if I actually get blocked, I will go 
through the hassle of changing the IP. (Not trivial).

  Original Message  
From: Niklaas Baudet von Gersdorff
Sent: Monday, October 24, 2016 2:33 PM
To: postfix-users@postfix.org
Reply To: st...@niklaas.eu
Subject: Re: (Semi OT) RBL shakedown

li...@lazygranch.com [2016-10-24 13:54 -0700] :

> So you block all of AS14061 because there supposedly is
> a spammer in the block? I grumblingly agreed when Wietse said
> it was proper to block a specific IP when only one user was
> spamming, but this seems excessive.

No, I personally don't. And I don't think anyone should.

I only wanted to mention that (and I guess this is in line with
what you wrote), next to mismanaging DNSBL's, you can misuse
them.

Niklaas


Re: (Semi OT) RBL shakedown

2016-10-24 Thread Niklaas Baudet von Gersdorff
li...@lazygranch.com [2016-10-24 13:54 -0700] :

> So you block all of AS14061 because there supposedly is
> a spammer in the block? I grumblingly agreed when Wietse said
> it was proper to block a specific IP when only one user was
> spamming, but this seems excessive.

No, I personally don't. And I don't think anyone should.

I only wanted to mention that (and I guess this is in line with
what you wrote), next to mismanaging DNSBL's, you can misuse
them.

Niklaas


Re: (Semi OT) RBL shakedown

2016-10-24 Thread lists
So you block all of AS14061 because there supposedly is a spammer in the 
block? I grumblingly agreed when Wietse said it was proper to block a specific 
IP when only one user was spamming, but this seems excessive.

One of the reasons I went VPS is not to be lumped in with spammers nor the 
occasional DDOS because some fool annoyed another fool. I guess I was 
delusional that a personal IP would solve that problem.

Grumble. I've said enough. On a positive note, freebsd ports had a postfix 
update yesterday and as usual, no problem.

  Original Message  
From: Niklaas Baudet von Gersdorff
Sent: Monday, October 24, 2016 1:41 PM
To: postfix-users@postfix.org
Reply To: st...@niklaas.eu
Subject: Re: (Semi OT) RBL shakedown

li...@lazygranch.com [2016-10-24 13:20 -0700] :

> If you use the uceprotect RBL, note that they are involved in a
> shakedown to solicit money to be removed from their list. Much like
> spamrl, I'd suggest not using them since they have an obvious false
> positive problem. 
> 
> http://www.uceprotect.net/en/rblcheck.php?ipr=107.170.248.198
> Their own system shows my domain is not the same as the spammers domain.

You're only listed on Level 3, aren't you? They (kind of)
recommend not to use that list:

We believe that a professional service provider or carrier
should be able to act promptly before listings are escalating
up to Level 3, therefore by using Level 3 the chances are
that you will mostly block “learning-resistant” service
providers or carriers and their customers. NOTE: By using
Level 3 for blocking, be prepared to lose some required mails
too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!

The recommended use of Level 3 is incorporating it into
a scoring system, to give e.g. 2 points on a ‘match’ where
5 or more points trigger a spam tag.

Use of Level 3 for blocking is recommended only if you are
a HARDLINER and you want to cause service providers and
carriers that have spammer / abusive clients to be quickly
and effectively blocked and it does not matter to you when
required email is also rejected. This can bring a lot of
pressure on service providers and carriers to get their act
in order and resolve the issues within their responsibility.

http://www.uceprotect.net/en/index.php?m=3=5

So, normally -- in case postmasters read uceprotect's advice,
which we cannot be sure of -- your server shouldn't be blocked by
serious mail servers.

As far as I understand their policy, probably you're listed
because your network has quite some spammers.

> Plenty of good RBLs out there. No uses feeding the criminals
> (uceprotect) or the incompetent (spamrl).

Niklaas


Re: (Semi OT) RBL shakedown

2016-10-24 Thread Niklaas Baudet von Gersdorff
li...@lazygranch.com [2016-10-24 13:20 -0700] :

> If you use the uceprotect RBL, note that they are involved in a
> shakedown to solicit money to be removed from their list. Much like
> spamrl, I'd suggest not using them since they have an obvious false
> positive problem. 
> 
> http://www.uceprotect.net/en/rblcheck.php?ipr=107.170.248.198
> Their own system shows my domain is not the same as the spammers domain.

You're only listed on Level 3, aren't you? They (kind of)
recommend not to use that list:

  We believe that a professional service provider or carrier
  should be able to act promptly before listings are escalating
  up to Level 3, therefore by using Level 3 the chances are
  that you will mostly block “learning-resistant” service
  providers or carriers and their customers. NOTE: By using
  Level 3 for blocking, be prepared to lose some required mails
  too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!

  The recommended use of Level 3 is incorporating it into
  a scoring system, to give e.g. 2 points on a ‘match’ where
  5 or more points trigger a spam tag.

  Use of Level 3 for blocking is recommended only if you are
  a HARDLINER and you want to cause service providers and
  carriers that have spammer / abusive clients to be quickly
  and effectively blocked and it does not matter to you when
  required email is also rejected. This can bring a lot of
  pressure on service providers and carriers to get their act
  in order and resolve the issues within their responsibility.

   http://www.uceprotect.net/en/index.php?m=3=5

So, normally -- in case postmasters read uceprotect's advice,
which we cannot be sure of -- your server shouldn't be blocked by
serious mail servers.

As far as I understand their policy, probably you're listed
because your network has quite some spammers.

> Plenty of good RBLs out there. No uses feeding the criminals
> (uceprotect) or the incompetent (spamrl).

Niklaas


SV: (Semi OT) RBL shakedown

2016-10-24 Thread Sebastian Nielsen
Agreed, they even list AS23456, which is a reserved AS used for BGP32
routers to announce themselves to BGP16 routers. (The BGP32 ASN is then
embedded in the payload of the BGP16 packet, with the result that when this
BGP16 router then further announces itself to a BGP32 router, the real 32
bit ASN will unfold itself.)

UCEprotect then lists this reserved ASN, instead of unfolding the packet and
looking at the real payload, causing every BGP32 network which announces BGP16
compatibility to be listed in UCEPROTECT L3.

-Original message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of li...@lazygranch.com
Sent: 24 October 2016 22:20
To: postfix-users@postfix.org
Subject: (Semi OT) RBL shakedown

If you use the uceprotect RBL, note that they are involved in a shakedown to
solicit money to be removed from their list. Much like spamrl, I'd suggest
not using them since they have an obvious false positive problem. 

http://www.uceprotect.net/en/rblcheck.php?ipr=107.170.248.198
Their own system shows my domain is not the same as the spammers domain.

Plenty of good RBLs out there. No uses feeding the criminals
(uceprotect) or the incompetent (spamrl).





(Semi OT) RBL shakedown

2016-10-24 Thread li...@lazygranch.com
If you use the uceprotect RBL, note that they are involved in a
shakedown to solicit money to be removed from their list. Much like
spamrl, I'd suggest not using them since they have an obvious false
positive problem. 

http://www.uceprotect.net/en/rblcheck.php?ipr=107.170.248.198
Their own system shows my domain is not the same as the spammers domain.

Plenty of good RBLs out there. No uses feeding the criminals
(uceprotect) or the incompetent (spamrl).


Re: Blacklisting googlegroups

2016-10-24 Thread Nikolaos Milas

On 24/10/2016 6:46 pm, Noel Jones wrote:


header_checks can't be used there.  Use a second check_sender_access
instead.


Thank you Noel,

Your suggestion worked fine!

The only change I did was to escape the + sign:

/^oursuperclub-members\+bnc(.*)@googlegroups\.com$/  REJECT

All the best,
Nick


Re: OT: "X-PHP-Script" header

2016-10-24 Thread Allen Coates


On 24/10/16 17:37, Jan Ceuleers wrote:
> On 24/10/16 18:29, Allen Coates wrote:
>> Over the weekend I had three spam messages get through to my in-box. Two
>> contained an "X-PHP-Script" header
>>
>> one was
>> X-PHP-Script:
>> folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
>> for 110.83.63.152
>>
>> and the other
>> X-PHP-Script:
>> 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
>> for 110.83.62.203
>>
>> I suppose I could block them using  header_checks, but first, does
>> anybody know what they (are supposed to) do?   I have not encountered
>> them before.
> First Google hit?

How to insert / remove / munge them, but not what they do.

Or their value as a spam indicator.




Re: OT: "X-PHP-Script" header

2016-10-24 Thread Jan Ceuleers
On 24/10/16 18:29, Allen Coates wrote:
> 
> Over the weekend I had three spam messages get through to my in-box. Two
> contained an "X-PHP-Script" header
> 
> one was
> X-PHP-Script:
> folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
> for 110.83.63.152
> 
> and the other
> X-PHP-Script:
> 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
> for 110.83.62.203
> 
> I suppose I could block them using  header_checks, but first, does
> anybody know what they (are supposed to) do?   I have not encountered
> them before.

First Google hit?


OT: "X-PHP-Script" header

2016-10-24 Thread Allen Coates

Over the weekend I had three spam messages get through to my in-box. Two
contained an "X-PHP-Script" header

one was
X-PHP-Script:
folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
for 110.83.63.152

and the other
X-PHP-Script:
118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
for 110.83.62.203

I suppose I could block them using  header_checks, but first, does
anybody know what they (are supposed to) do?   I have not encountered
them before.

Allen C


Re: How to limite incoming email with defined mail sender?

2016-10-24 Thread Noel Jones
On 10/24/2016 8:02 AM, vod vos wrote:
> Hi guys,
> 
> I want to set up only the defined mail sender from outside can send
> mail to defined user on my server, and reject the undefined sender, 
> 
> how to do it?
> 
> thanks.
> 

perhaps you're looking for the smtpd_reject_unlisted_sender parameter.
http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender



  -- Noel Jones


Re: chrooting cleanup process ?

2016-10-24 Thread Noel Jones
On 10/24/2016 3:58 AM, Mickaël DEQUIDT wrote:
> Hello all,
> 
> I have been trying to build a canonical address mapping through
> ldap, in order to replace login names by better-looking addresses,
> as stated in the ADDRESS_REWRITING_README, and I stumbled upon a
> weird behaviour: with the canonical_maps on, every time a mail is
> sent to my server, Postfix refuses to treat it and the logs state
> the following:
> 
> Oct 20 13:57:13 server postfix/master[pid]: warning:
> /usr/lib/postfix/cleanup: bad command startup -- throttling
> Oct 20 13:58:13 server postfix/master[pid]: warning: process
> /usr/lib/postfix/cleanup pid 18924 killed by signal 11

Look for a prior warning or error.  The cleanup service should run
fine chroot, and config files are loaded before the chroot. Perhaps
some system library is missing from your chroot directory.

That said, non-chroot is the default shipping configuration.
Enabling chroot is an advanced configuration and may require
additional setup.



  -- Noel Jones


Re: How to limite incoming email with defined mail sender?

2016-10-24 Thread vod vos
For example:

only allow receiving sender j...@example.com from example.com to send mail
to my server foo.com, and only user alex can receive it: a...@foo.com

how to configure postfix/main.cf ?

Thanks.


 On Monday, 24 October 2016 06:02:32 -0700 vod vos vod...@zoho.com wrote 

Hi guys,

I want to set up only the defined mail sender from outside can send mail to 
defined user on my server, and reject the undefined sender, 

how to do it?

thanks.



Strange behavior on virtual_alias

2016-10-24 Thread Davide Gmail

Hi, my problem is this:

I have in my postfix (ver. 2.11.3 installed on a debian stable box) 
installation, placed in front of a dovecot server, a virtual_alias_map 
like this


local_recipient_maps = $virtual_alias_maps
virtual_mailbox_domains = mail.cgilfe.it, cgilfe.it
virtual_alias_maps = mysql:/etc/postfix/mysql-valias.cf

If I query the "map" with the command below

postmap -q @mail.cgilfe.it mysql:/etc/postfix/mysql-alias.cf

I receive the correct composition of the virtual-alias, but in some cases 
dovecot passes the alias to the lmtp service installed on dovecot (in this 
case delivery fails with a 5.5.0 error)


In other cases with the virtual_alias retrieved from the map all goes smoothly.

I don't know why this happens only for some aliases and not for all.

Thanks in advance for helping me.



RE: Blacklisting googlegroups

2016-10-24 Thread Fazzina, Angelo
Personally I have a test postfix server, so I try all my configs to confirm 
they do what I want.
Use telnet to send an email to trigger the rule is my advice.

Also my REGEX example may not be the best solution.
I got the idea from this line in my server, it's part of the 
virtual_alias_maps=  setting.

regexp:/etc/postfix/maps/subaddressing

which is this
/^(.*)\+(.*)@(.*).mydomain.dom/ ${1}@${3}.mydomain.com

-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG-Linux/ M
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Nikolaos Milas
Sent: Monday, October 24, 2016 10:25 AM
To: postfix users 
Subject: Re: Blacklisting googlegroups

On 24/10/2016 5:15 pm, Fazzina, Angelo wrote:

> Can't you use REGEX to write a rule to catch them, and then decide what you 
> want to do with those emails ?

Would the following be valid?

smtpd_recipient_restrictions =
 ...
 check_sender_access hash:/etc/postfix/blacklisted_senders
 header_checks pcre:/etc/postfix/blacklisted_maillists
 ...

/etc/postfix/blacklisted_maillists

/^Return-Path: / REJECT

Nick



Re: Blacklisting googlegroups

2016-10-24 Thread Nikolaos Milas

On 24/10/2016 5:15 pm, Fazzina, Angelo wrote:


Can't you use REGEX to write a rule to catch them, and then decide what you 
want to do with those emails ?


Would the following be valid?

smtpd_recipient_restrictions =
...
check_sender_access hash:/etc/postfix/blacklisted_senders
header_checks pcre:/etc/postfix/blacklisted_maillists
...

/etc/postfix/blacklisted_maillists

/^Return-Path: / REJECT

Nick



Re: Blacklisting googlegroups

2016-10-24 Thread Ralf Hildebrandt
* Nikolaos Milas :
> On 24/10/2016 5:15 pm, Fazzina, Angelo wrote:
> 
> > Can't you use REGEX to write a rule to catch them, and then decide what you 
> > want to do with those emails ?
> 
> Would the following be valid?
> 
> smtpd_recipient_restrictions =
>  ...
>  check_sender_access hash:/etc/postfix/blacklisted_senders
>  header_checks pcre:/etc/postfix/blacklisted_maillists
>  ...

No.

header_checks cannot be listed in smtpd_recipient_restrictions

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


RE: Blacklisting googlegroups

2016-10-24 Thread Fazzina, Angelo
Hi,
Can't you use REGEX to write a rule to catch them, and then decide what you 
want to do with those emails ?



Maybe:
/etc/postfix/catch_spammer file has this:

/^oursuperclub-members(.*)@googlegroups.com ${1}@spammer.google.bad

Not sure where you add the file to do the rejection, maybe mynetworks line in 
main.cf ??



-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG-Linux/ M
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Nikolaos Milas
Sent: Monday, October 24, 2016 10:06 AM
To: postfix users 
Subject: Blacklisting googlegroups

Hello,

I am using:

smtpd_recipient_restrictions =
 ...
 check_sender_access hash:/etc/postfix/blacklisted_senders
 ...

to blacklist certain senders in blacklisted_senders file.

I would like to block a certain spam googlegroups mailing list but 
sender is not constant; it's like:

oursuperclub-members+bncbcg7bjnotikrbewdwpaakgqeabvw...@googlegroups.com

and the  part is constantly changing.

Which would be the best way to block this?

Please advise.

Thanks,
Nick



Blacklisting googlegroups

2016-10-24 Thread Nikolaos Milas

Hello,

I am using:

smtpd_recipient_restrictions =
...
check_sender_access hash:/etc/postfix/blacklisted_senders
...

to blacklist certain senders in blacklisted_senders file.

I would like to block a certain spam googlegroups mailing list but 
sender is not constant; it's like:


   oursuperclub-members+bncbcg7bjnotikrbewdwpaakgqeabvw...@googlegroups.com

and the  part is constantly changing.

Which would be the best way to block this?

Please advise.

Thanks,
Nick



How to limite incoming email with defined mail sender?

2016-10-24 Thread vod vos
Hi guys,



I want to set up only the defined mail sender from outside can send mail to 
defined user on my server, and reject the undefined sender, 



how to do it?



thanks.





RE: Open relay, found it

2016-10-24 Thread L . P . H . van Belle
Hai Paul, 

I saw you got it fixed, comprimized pass as i suspected.  ;-) 

I saw also this in you log. 
from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206] 

This should never be allowed. ( from 127.0.0.1 ) ( on the external ip )
Thats impossible imo.

To fix that you can use something like below. 
Just make sure every known hostname and ipnumber of the server is listed here. 

Beware with these 3, these can give false positives.
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname, 


(pcre:/etc/postfix/helo.pcre) 
## Name based
/^ip6-localhost$/                       554 Don't use my own hostname
/^localhost$/                           554 Don't use my own hostname
/^localhost\.localdomain$/              554 Don't use my own hostname
/^localhost\.yourdomain\.tld$/          554 Don't use my own hostname
/^localhost\.subdom\.yourdomain\.tld$/  554 Don't use my own hostname

/^yourdomain\.tld$/                     554 Don't use my own domainname
/^hostname\.yourdomain\.tld$/           554 Don't use my own hostname
/^hostname\.subdom\.yourdomain\.tld$/   554 Don't use my own hostname

## IP based (1.2.3.4 stands for the server's own public address)
/^127\.0\.0\.1$/                        554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/                    554 Don't use my own IP address
/^::1$/                                 554 Don't use my own IP address
/^\[::1\]$/                             554 Don't use my own IP address
/^1\.2\.3\.4$/                          554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/                      554 Don't use my own IP address
# and add the IPv6 address if you use it.

## Optional, but can give false blocks.
#/^[0-9.]+$/             554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9]+(\.[0-9]+){3}$/ 554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9.-]+$/            550 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9]+(\.[0-9]+){3}$/ REJECT Invalid hostname


# added in main.cf
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining


Greetz, 

Louis



> -Original message-
> From: p...@vandervlis.nl [mailto:owner-postfix-us...@postfix.org] On behalf of
> Paul van der Vlis
> Sent: Sunday 23 October 2016 13:51
> To: postfix-users@postfix.org
> Subject: Re: Open relay, found it
> 
> On 23-10-16 at 13:32 Ansgar Wiechers wrote:
> > On 2016-10-23 Paul van der Vlis wrote:
> >> On 22-10-16 at 18:23 /dev/rob0 wrote:
> >>> The only actual conclusion is that you have failed to put forth the
> >>> necessary information, as Bill [I think] pointed you to the
> >>> http://www.postfix.org/DEBUG_README.html#mail link.
> >>
> >> The problem is that somebody did send spam using port 587 with a not
> >> existing username, and I am interested how that is possible.
> >>
> >> sigmund:/var/log# postconf -Mf
> >
> > So you finally decided to show the output of "postconf -Mf" and
> > "saslfinger -s". Good. Now you just need to provide the rest of the
> > information Bill Cole asked of you 2 days ago:
> >
> > - Full output of "postconf -nf".
> > - Full headers of a sample message (you may obfuscate personal
> >   information about the recipient).
> > - All log lines associated with that particular message. At the very
> >   least the output of "grep  /var/log/mail.log".
> 
> I am sorry when I did not give the right information. I did read the
> link, and did what was asked there.
> 
> >   In case you don't know how to find the queue ID in a log message, it's
> >   this part of the log line:
> >
> > postfix/smtpd[]: 2758BBF4062: ...
> >   ^^^
> > And did you already investigate why the authentication backend considers
> > "p...@puk.nl" a valid user, as Noel Jones asked? What did you find out?
> 
> Yes, and I found out that when the username is "p...@puk.nl" SASL
> actually checks on "piet":
> --
> saslauthd[19855] :do_auth : auth success: [user=piet]
> [service=smtp] [realm=puk.nl] [mech=pam]
> --
> 
> I did some more tests, and it seems to be that the spammer actually did
> know the password. After changing the password, the logging changed:
> --
> saslauthd[20161] :do_auth : auth failure: [user=piet]
> [service=smtp] [realm=puk.nl] [mech=pam]
> -
> 
> 
> 
> With regards,
> Paul van der Vlis.
> 
> 
> 
> --
> Paul van der Vlis Linux systeembeheer Groningen
> https://www.vandervlis.nl/




chrooting cleanup process ?

2016-10-24 Thread Mickaël DEQUIDT

Hello all,

I have been trying to build a canonical address mapping through ldap, in 
order to replace login names by better-looking addresses, as stated in 
the ADDRESS_REWRITING_README, and I stumbled upon a weird behaviour: 
with the canonical_maps on, every time a mail is sent to my server, 
Postfix refuses to treat it and the logs state the following:


Oct 20 13:57:13 server postfix/master[pid]: warning: 
/usr/lib/postfix/cleanup: bad command startup -- throttling
Oct 20 13:58:13 server postfix/master[pid]: warning: process 
/usr/lib/postfix/cleanup pid 18924 killed by signal 11


I understood that it came from the fact that my cleanup process was 
chrooted, which means, I suppose, that the files I was using to store 
the ldap config for postfix were out of its permission area. When I 
un-chroot the process, everything works fine.


Now, my question would be: obviously chroot isn't necessary for cleanup 
to work, but is it not a bit dangerous to let it run outside of the cage? 
Could you tell me what the risks of such a configuration are?


Thanks,

--
Mickaël DEQUIDT
IFREMER - Service IMN/IDM/RIC
Centre Ifremer Bretagne - ZI de la pointe du diable
CS 10070 - 29280 Plouzané
Tel : +33 (0)2 98 22 46 04 - Fax : +33 (0)2 98 22 46 47





Re: Problem with ldap failover

2016-10-24 Thread Michal Žáček
Yes, these three are FreeIPA DS servers. Ldap in Dovecot running on the same 
server works fine.
Regards, Michal.

21 October 2016 23:46:46 CEST, "A. Schulze"  wrote:
>
>
>On 21.10.2016 at 13:49 MichalZ wrote:
>> server_host =   ldaps://ldap3.img.local:636
>> ldaps://ldap2.img.local:636
>> ldaps://ldap.img.local:636
>
>did you check that every single server work without the others?
>
>try1: server_host = ldaps://ldap3.img.local:636
>try2: server_host = ldaps://ldap2.img.local:636
>try3: server_host = ldaps://ldap.img.local:636