Re: ANN: vim syntax highlighting for Postfix
On 15.11.2016 at 21:57, Patrick Ben Koetter wrote:

Good morning Patrick & list members,

please find attached a modified version of the scripts that sets the CAT var to either gz (as on my opensuse 42.1) or bz2. Feel free to use it according to the GNU GENERAL PUBLIC LICENSE Version 2, June 1991 provided by Patrick under https://github.com/sys4/vim-postfix/blob/master/LICENSE

> vim comes with syntax highlighting for Postfix, but the syntax file is
> outdated and doesn't cover LDAP and other drivers.
>
> For those who like an up to date syntax highlighting that reflects your
> Postfix installation take a look at https://github.com/sys4/vim-postfix.
>
> Christian (Rößner) took the time to create two scripts that will create syntax
> files. The README tells how to install them. Worked out of the box for me.
>
> p@rick

===
Note: this message was sent by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!

#!/bin/bash
#
#set -x

POSTCONF1=/usr/share/man/man1/postconf.1.gz
POSTCONF5=/usr/share/man/man5/postconf.5.gz

# Pick the decompressor from the man page's file extension (gz on
# openSUSE 42.1, bz2 on some other distributions).  The extension is the
# text after the last dot; "cut -d . -f 2" would have returned the
# section number ("1") instead.
EXT="${POSTCONF1##*.}"
if [ "$EXT" == "gz" ] ; then
    CAT=/usr/bin/gzip
    CATPARAM=-dc
elif [ "$EXT" == "bz2" ] ; then
    CAT=/usr/bin/bzcat
    CATPARAM=
fi

###

TEMP=/tmp/$(basename $0)-pfmain-$$
trap -- "rm -f ${TEMP}" EXIT

# Bail out if no decompressor was selected or a man page is missing.
[[ -x ${CAT} ]] || exit 1
[[ -f ${POSTCONF1} ]] || exit 1
[[ -f ${POSTCONF5} ]] || exit 1

cat > ${TEMP} << EOB
" Vim syntax file
" Language:     Postfix main.cf configuration
" Maintainer:   Christian Roessner
" Last Change:  2016 Nov 13
" Version:      0.40
" Comment:      Auto-generated

if version < 600
  syntax clear
elseif exists("b:current_syntax")
  finish
endif

if version >= 600
  setlocal iskeyword=@,48-57,_,-
else
  set iskeyword=@,48-57,_,-
endif

syntax case match
syntax sync minlines=1

EOB

# The three-argument match($0, re, array) form below needs gawk.

# Every ".SH name" section of postconf(5) is a main.cf parameter name.
${CAT} ${CATPARAM} ${POSTCONF5} | \
    awk '/^\.SH ([a-z0-9_]+).+/ { print "syntax keyword pfmainConf "$2 }' \
    >> ${TEMP}

# Per-transport parameters (transport_destination_concurrency_limit etc.)
# are documented with a "transport" placeholder; match the suffix only.
${CAT} ${CATPARAM} ${POSTCONF5} | \
    awk 'match($0, /\\fItransport\\fR(_[a-z_]+) /, a) { print "syntax match pfmainConf \""a[1]"\\>\"" }' \
    >> ${TEMP}

echo >> ${TEMP}

# $name references to the same parameters.
${CAT} ${CATPARAM} ${POSTCONF5} | \
    awk '/^\.SH ([a-z0-9_]+).+/ { print "syntax match pfmainRef \"$\\<"$2"\\>\"" }' \
    >> ${TEMP}

echo >> ${TEMP}

# Keywords that appear as bold ".IP" items in parameter descriptions.
${CAT} ${CATPARAM} ${POSTCONF5} | \
    awk 'match($0, /^\.IP \"\\fB([a-z0-9_]+) ?\\f[RI]/, a) { print "syntax keyword pfmainWord "a[1] }' \
    >> ${TEMP}

echo >> ${TEMP}

# Print the keywords listed between two postconf(1) options ($1 and $2,
# e.g. -m and -M) as the vim group given in $3.  The option names are
# spliced into the awk regexps by the shell, hence the quote juggling.
function paragraph() {
    ${CAT} ${CATPARAM} ${POSTCONF1} | \
    awk -v text="$3" 'BEGIN { s = 0 }
    {
        if (s == 0) {
            if ($0 ~ /\.IP \\fB\\\'"${1}"'\\fR/) { s = 1; }
        } else {
            if ($0 ~ /\.IP \\fB\\\'"${2}"'\\fR/) { exit; }
            if (match($0, /^\.IP \"?\\fB([a-z]+)\\fR\"?/, a)) { print text, a[1] }
        }
    }' >> ${TEMP}
}

paragraph "-m" "-M" "syntax keyword pfmainDict"
echo >> ${TEMP}
paragraph "-a" "-A" "syntax keyword pfmainSASLType"
echo >> ${TEMP}
paragraph "-l" "-m" "syntax keyword pfmainLock"

cat >> ${TEMP} << EOB
syntax keyword pfmainQueueDir incoming active deferred corrupt hold
syntax keyword pfmainTransport smtp lmtp unix local relay uucp virtual
syntax keyword pfmainAnswer yes no

syntax match pfmainComment "#.*$"
syntax match pfmainNumber "\<\d\+\>"
syntax match pfmainTime "\<\d\+[hmsd]\>"
syntax match pfmainIP "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>"
syntax match pfmainVariable "\$\w\+" contains=pfmainRef
syntax match pfmainVariable2 "\${\w\+}" contains=pfmainConf
EOB
# (The pfmainSpecial patterns and the remainder of the attached script are
# truncated in the archive.)
RE: milter to decode quoted-printable, base64, ...
> > I've got some clients that are really simple and don't understand
> > various message encoding types, such as quoted-printable, base64, possibly
> > others. They understand plain text only. So, for users in specific domains,
> > I'd like to convert quoted-printable, base64 and possibly other encoded
> > messages to plain text.
>
> Do you understand why QP, Base64, and other encodings exist?

Yes

> It is because some messages cannot be represented as plain text, due to
> the fact that "plain text" for email is a subset of the US-ASCII
> character set. QP and Base64 exist to translate 8-bit characters and
> arbitrary binary data into a stream of 8-bit characters that are in a
> 'mail safe' subset of US-ASCII.

Yup. But if the original message content is all plain text, then the encoding adds no value and can be removed without changing the message.

> > I presume I need a content-filter to perform this work post-queue.
>
> One actually should only do anything like this with client-side
> software. You presumably intend to throw away information (such as the
> difference between o, ô, and ö)

Yes. Although the likelihood of such characters in the original content is virtually nil in this application. And, even if it does exist, such characters can't be used by the receiving client anyway.

> and it is best to allow those choices
> to remain with end users.

Generally true. But not in this case. The client is what it is. So I either find a way to decode such messages externally before delivering them to the client, or else the messages can't be read at all (at least the base64 type).

> > I looked here: http://www.postfix.org/addon.html
> >
> > . but didn't see anything that addresses the issue. Any ideas would
> > be helpful.
>
> Or maybe not, as I'm entirely serious when I say that your best choice
> is to not do this. Solve whatever problem you are trying to solve in
> some other way.

I understand and appreciate what you're saying as a general rule. But I also understand this particular application. And for this particular application, recovering the original plain text message before sending to the client is what's needed. But thanks for your thoughts, Bill. Your postings on this list are always informative.

Michael
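The exchange above turns on one check: undoing base64/quoted-printable is lossless only when the decoded body is pure US-ASCII. The following is an added example, not code from either poster, showing that check with Python's standard email package: a single-part text/plain message whose decoded body is 7-bit clean is rewritten with a 7bit transfer encoding, and anything else (non-ASCII content such as the o/ô/ö case Bill raises, multipart messages, other content types) is passed through untouched. The two sample messages are constructed here; the function name flatten_to_7bit is an assumption of this example.

```python
import base64
import email
from email import policy

# Constructed sample: a plain-ASCII body that the sender wrapped in base64.
SAMPLE_B64 = (
    "From: sender@example.com\r\n"
    "To: user@example.net\r\n"
    "Subject: test\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(b"Hello, this is plain text.\r\n").decode("ascii")
    + "\r\n"
)

# Constructed sample whose decoded body carries non-ASCII characters; decoding
# it to 7-bit would lose the difference between o, ô and ö, so it stays as is.
SAMPLE_8BIT = (
    "From: sender@example.com\r\n"
    "To: user@example.net\r\n"
    "Subject: test\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode("Grüße\r\n".encode("utf-8")).decode("ascii")
    + "\r\n"
)


def flatten_to_7bit(raw):
    """Return (message_text, transfer_encoding_after).

    The message is re-encoded as 7bit only if it is a single text/plain part
    whose base64 / quoted-printable body decodes to pure US-ASCII; in every
    other case the original text is returned unchanged together with its
    existing Content-Transfer-Encoding.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    cte = str(msg.get("Content-Transfer-Encoding", "7bit")).strip().lower()
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return raw, cte
    if cte not in ("base64", "quoted-printable"):
        return raw, cte
    body = msg.get_payload(decode=True)  # bytes with the transfer encoding removed
    if body is None:
        return raw, cte
    try:
        text = body.decode("ascii")       # the lossless-ness check
    except UnicodeDecodeError:
        return raw, cte                   # would discard information: leave it
    # set_content() replaces the body and rewrites the Content-* headers;
    # for ASCII text the library picks a 7bit transfer encoding itself.
    msg.set_content(text, charset="us-ascii")
    return msg.as_string(), "7bit"


if __name__ == "__main__":
    for sample in (SAMPLE_B64, SAMPLE_8BIT):
        out, cte = flatten_to_7bit(sample)
        print("result encoding:", cte)
        print(out)
```

Run as a script it prints both outcomes; as a post-queue filter the same function would be applied per message and only for the recipient domains in question, which is the scope Michael describes.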
Re: milter to decode quoted-printable, base64, ...
On 15 Nov 2016, at 23:35, Michael Fox wrote:

> I've got some clients that are really simple and don't understand various
> message encoding types, such as quoted-printable, base64, possibly others.
> They understand plain text only. So, for users in specific domains, I'd
> like to convert quoted-printable, base64 and possibly other encoded
> messages to plain text.

Do you understand why QP, Base64, and other encodings exist?

It is because some messages cannot be represented as plain text, due to the fact that "plain text" for email is a subset of the US-ASCII character set. QP and Base64 exist to translate 8-bit characters and arbitrary binary data into a stream of 8-bit characters that are in a 'mail safe' subset of US-ASCII.

> I presume I need a content-filter to perform this work post-queue.

One actually should only do anything like this with client-side software. You presumably intend to throw away information (such as the difference between o, ô, and ö) and it is best to allow those choices to remain with end users.

> I looked here: http://www.postfix.org/addon.html
>
> . but didn't see anything that addresses the issue. Any ideas would be
> helpful.

Or maybe not, as I'm entirely serious when I say that your best choice is to not do this. Solve whatever problem you are trying to solve in some other way.
Re: Using consecutive IPs in a client access file
On 15 Nov 2016, at 23:05, Peter wrote:

> On 16/11/16 12:20, Bill Cole wrote:
>> No, there's not.
>
> Yes there is.

Read what I was responding to more carefully. Rich was seeking to avoid manually entering single addresses and CIDR blocks.

>> However, I happened to have an old Perl script
>
> This is completely insane!

I have to disagree. It's only partly insane. I'd argue for somewhat less than 10% insane, but that depends on how you quantify such things...

> Postfix fully supports CIDR notation in the CIDR table type, this works for
> access lists or any other settings that reference tables:
>
> http://www.postfix.org/cidr_table.5.html

Yes, and a Postfix CIDR table is what that script emits, given a list of single address and hyphenated ranges as Rich described.
milter to decode quoted-printable, base64, ...
I've got some clients that are really simple and don't understand various message encoding types, such as quoted-printable, base64, possibly others. They understand plain text only. So, for users in specific domains, I'd like to convert quoted-printable, base64 and possibly other encoded messages to plain text.

I presume I need a content-filter to perform this work post-queue.

I looked here: http://www.postfix.org/addon.html

. but didn't see anything that addresses the issue. Any ideas would be helpful.

Thanks,
Michael
Re: Using consecutive IPs in a client access file
On 16/11/16 12:20, Bill Cole wrote:
> No, there's not.

Yes there is.

> However, I happened to have an old Perl script

This is completely insane! Postfix fully supports CIDR notation in the CIDR table type, this works for access lists or any other settings that reference tables:

http://www.postfix.org/cidr_table.5.html

Peter
Re: Using consecutive IPs in a client access file
On 16/11/16 07:07, Gomes, Rich wrote:
> Just a quick question since I have not found a way in my Googling.
>
> We are replacing some of our internal Exchange relays with postfix.
> Currently we have other internal postfix relays which utilize a client access
> file to allow relaying.
> The file contains all single IPs, no ranges.
>
> The exchange servers have some groups of consecutive IPs on their allow list,
> some cover 5 or 6 IPs, others 100.
> Is there a way to provide the same list .i.e.
> 192.168.0.2-12    OK
>
> without:
>
> Listing them all individually
> i.e.
> 192.168.0.2 OK
> 192.168.0.3 OK
> Etc...
> Or
> Allowing an entire subnet
> 192.168.0.0/24    OK

You can use any table type listed in http://www.postfix.org/DATABASE_README.html that has been compiled into your postfix for an access file. For this you would simply want to use either a CIDR table (http://www.postfix.org/cidr_table.5.html) which allows you to use CIDR notation or a pcre (http://www.postfix.org/pcre_table.5.html) or regexp (http://www.postfix.org/regexp_table.5.html) table which would allow you to match against regular expressions.

Peter
Re: Was the Dovecot working well?
On 15/11/2016 9:52 PM, Sean Greenslade wrote:
> On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
>> Fail2ban might be able to do the whack-a-mole in a sensible manner that
>> allowed for innocent interruptions but banned the bad guys
>
> For the kind of attempts I typically see, F2B won't do much. It's usually
> not a brute force type of attack. Generally it's only a single connection
> that either attempts to fingerprint the server (checking for known vulns)
> or just tries a few "easy" passwords (e.g. root/root, pi/raspberry).

F2B is pretty flexible. You can say that any IP that fails to login on root or pi 3 times in a week should be banned for a month or forever if you really see a subtle attack. You have control of the frequency of log messages that constitute an attack. You can look for any string in the log so you can watch for the vulnerability probes as well as login attempts.

Ron

> I would suggest simple connection rate limiting and enforcing strong
> passwords as a better (in my opinion) option.
>
> --Sean

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
Re: Let's Encrypt + Postfix TLS + iOS Mail
On Mon, Nov 14, 2016 at 7:22 PM, Sebastian Nielsen wrote:

> You need to be more clear here.
>
> When you say Gmail account on port 587 I don't entirely understand what
> you are doing. Are you using Gmail as upstream smarthost?

1. Open Gmail
2. Press gear icon and select "Settings"
3. Select "Accounts and import"
4. Hit "Add another address you own"
5. Uncheck "Treat as an alias" and continue through setting up an account inside Gmail that will allow you to authenticate and send mail through any SMTP server for which you are authorized.

> This does not then have any bearing on what clients see or react to, as
> your server acts as a proxy to Gmail.

I was stating this only to say that for web clients such as Gmail, it's quite happy sending mail through an SMTP server with an LE cert.

> If the iOS mail client complains about certificate being untrusted, its
> because the Let's encrypt root is not imported or trusted, or that the
> entire chain excluding the root certificate, is not sent.

As Viktor pointed out, I think the latter is what I should focus on.

> Note that Let's encrypt is a pretty new actor so if your iOS device is
> old, it will always untrust. Try visiting a site that has Let's encrypt
> deployed. If you get cert errors, this is the case.

It's an iPhone 6. I hope that's not considered too old, yet. ;)
Re: Let's Encrypt + Postfix TLS + iOS Mail
On Mon, Nov 14, 2016 at 7:23 PM, wrote:

> Have you tried to add the certs to the root store on your phone? I'm not
> on an iPhone, but that is what I did for Let's Encrypt. And it doesn't seem
> to always work.

I can do that, but I don't want to make all the other users on this mail server (a few dozen) have to do it, too. I want to do whatever I can on my end so that it "just works" for them.
Re: Let's Encrypt + Postfix TLS + iOS Mail
On Mon, Nov 14, 2016 at 7:17 PM, Viktor Dukhovni wrote:

>> On Nov 14, 2016, at 9:08 PM, Steve Jenkins wrote:
>>
>> # postconf -n | grep tls
>> smtp_tls_CAfile = $smtpd_tls_CAfile
>> smtp_tls_loglevel = 1
>> smtp_tls_security_level = may
>
> The above, being outgoing (SMTP client) settings have no bearing
> on the TLS behaviour of your server when receiving mail.

Understood. With the complaints of people not posting enough config info, I figured doing a postconf -n | grep tls would be the best way to show what is (and isn't) configured regarding anything TLS-related.

>> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
>
> This is unlikely to be useful in constructing a complete
> chain for Let's Encrypt if it is certs for cacert.org.

Good point, however, I'd previously added the Let's Encrypt fullchain.pem to the end of that file while experimenting, in the hopes it would solve the issue (it didn't).

>> smtpd_tls_auth_only = yes
>> smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt
>> smtpd_tls_key_file = /etc/pki/tls/private/example.com.key
>
> You *really* should not use "example" certs/keys.

I'm *really* not. :) My actual domain name is used in the actual main.cf file.

>> It breaks (on iOS) if I change the smtpd_tls_cert_file and
>> smtpd_tls_key_file to the Let's Encrypt cert and key.
>
> If iOS is happy with random "example" certs, perhaps it is
> because it was explicitly configured to trust these.
>
> In any case the right thing to do is in fact to populate the
> cert file with your server's Let's Encrypt certificate and
> issuing CA certificate in that order. The key file must have
> the corresponding private key.

Thanks, Viktor. That seems like a shove in the right direction. I'll give that a go.
Re: Was the Dovecot working well?
On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
> Fail2ban might be able to do the whack-a-mole in a sensible manner that
> allowed for innocent interruptions but banned the bad guys

For the kind of attempts I typically see, F2B won't do much. It's usually not a brute force type of attack. Generally it's only a single connection that either attempts to fingerprint the server (checking for known vulns) or just tries a few "easy" passwords (e.g. root/root, pi/raspberry).

I would suggest simple connection rate limiting and enforcing strong passwords as a better (in my opinion) option.

--Sean
Re: Move deferred mails to another SMTP server
Aban Dokht:
> Hi all,
>
> I'm searching for a hint, how to move deferred mails to another SMTP
> server after an adjustable time, e.g. after 4 hours.
>
> I've already found the fallback_relay setting, but this will move
> deferred mails immediately after the first failed delivery attempt.

If you want to get mail out quickly, smtp_fallback_relay is a better solution than letting email sit in the queue for 4 hours.

High-volume deliveries require short SMTP timeouts (10-20 seconds at most), while problematic destinations require much longer timeouts. The two are incompatible with each other.

Wietse
Re: use of dash [and other] characters in parameter names
btb:
> On 2016.11.15 11.44, Wietse Venema wrote:
> > btb:
> >> since parameters can be user defined, i think it would be good if
> >> the documentation stated this, maybe in postconf(5)? it would
> >> alleviate guessing games.
> >>
> >> possibly something like:
> >>
> >> Postfix main.cf file format [...] • A logical line starts with
> >> non-whitespace text. A line that starts with whitespace continues a
> >> logical line.
> >>
> >> • Parameter names are limited to the character set [a-zA-z0-9_].
> >
> > This is inaccurate. The above parameter name syntax limitation exists
> > only with $name or ${name}, i.e. when a parameter value is used
> > in another parameter setting. A name can contain any non-space
> > character with 'name = value' or with master.cf service names.
>
> i see, thanks for clarifying this
>
> > Would spelling out such intricate rules make Postfix easier to use?
>
> i can't speak for everyone, of course, but it might, if it could be done
> concisely. when postfix tells me there was a syntax error, i've become
> accustomed to finding valid syntax defined in the documentation.
>
> would this be acceptable?:
>
> The expressions "$name" and "${name}" are recursively replaced with the
> value of the named parameter, except where noted. An undefined parameter
> value is replaced with the empty value. Named parameters are limited to
> the character set [a-zA-Z0-9_].

The disclaimer applies to all other ${...} forms. I will add similar text there.

Wietse
RE: Using consecutive IPs in a client access file
Awesome! Thank you, I will give this a shot.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Bill Cole
Sent: Tuesday, November 15, 2016 6:20 PM
To: Postfix users
Subject: Re: Using consecutive IPs in a client access file

On 15 Nov 2016, at 13:07, Gomes, Rich wrote:

> Just a quick question since I have not found a way in my Googling.
>
> We are replacing some of our internal Exchange relays with postfix.
> Currently we have other internal postfix relays which utilize a client
> access file to allow relaying.
> The file contains all single IPs, no ranges.
>
> The exchange servers have some groups of consecutive IPs on their
> allow list, some cover 5 or 6 IPs, others 100.
> Is there a way to provide the same list .i.e.
> 192.168.0.2-12    OK
>
> without:
>
> Listing them all individually
> i.e.
> 192.168.0.2 OK
> 192.168.0.3 OK
> Etc...
> Or
> Allowing an entire subnet
> 192.168.0.0/24    OK
>
>
> If not possible, that's fine, I will just list them by hand, just
> hoping there was a native way to do it.

No, there's not.

However, I happened to have an old Perl script laying around for other purposes that took about 2 minutes to turn into something that takes a loosely-formatted text file with one IP spec (single, range, or CIDR) per line and spits out a Postfix CIDR table with the aggregate of all specs in a minimal set of CIDR blocks, each with OK as the action. On many systems you'd need to install the Net::CIDR::Lite Perl module for this to work. If your input is a clean list of single IPs and ranges, one per line, you can remove lines 17-25 (which are an artifact of my original script's loose input.)

#!/usr/bin/env perl
# Input file is text with lines of the general form:
#
# [IP|IP range|CIDR][whitespace+comment]
#
# Ranges are de-spaced, then anything from the first whitespace to EOL is discarded
#
# Output is a Postfix CIDR table with lines of form:
#
# OK

use strict;
use warnings;
use Net::CIDR::Lite;

my $list = Net::CIDR::Lite->new;

while (<>) {
    # drop the newline so a trailing comment never leaves one behind
    chomp;
    # de-space ranges
    s/ ?- ?/-/;
    # toss out comments after the IP spec & whitespace
    s/\s+.*//;
    # oops, this was an indented line with no IP spec, move along
    next if ( ! m/./ );
    # canonicalize shorthanded ranges (a.b.c.d-e -> a.b.c.d-a.b.c.e)
    if ( m/^\d+\.\d+\.\d+\.\d+-\d+$/ ) {
        s/^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$/$1.$2.$3.$4-$1.$2.$3.$5/;
    }
    $list->add_any($_);
}

# merge overlapping and adjacent entries into a minimal set of CIDR blocks
$list->clean();
my @cidrs = $list->list;
foreach my $cidr (@cidrs) {
    print "$cidr\tOK\n";
}
Re: Using consecutive IPs in a client access file
On 15 Nov 2016, at 13:07, Gomes, Rich wrote:

> Just a quick question since I have not found a way in my Googling.
>
> We are replacing some of our internal Exchange relays with postfix.
> Currently we have other internal postfix relays which utilize a client
> access file to allow relaying.
> The file contains all single IPs, no ranges.
>
> The exchange servers have some groups of consecutive IPs on their allow
> list, some cover 5 or 6 IPs, others 100.
> Is there a way to provide the same list .i.e.
> 192.168.0.2-12    OK
>
> without:
>
> Listing them all individually
> i.e.
> 192.168.0.2 OK
> 192.168.0.3 OK
> Etc...
> Or
> Allowing an entire subnet
> 192.168.0.0/24    OK
>
> If not possible, that's fine, I will just list them by hand, just hoping
> there was a native way to do it.

No, there's not.

However, I happened to have an old Perl script laying around for other purposes that took about 2 minutes to turn into something that takes a loosely-formatted text file with one IP spec (single, range, or CIDR) per line and spits out a Postfix CIDR table with the aggregate of all specs in a minimal set of CIDR blocks, each with OK as the action. On many systems you'd need to install the Net::CIDR::Lite Perl module for this to work. If your input is a clean list of single IPs and ranges, one per line, you can remove lines 17-25 (which are an artifact of my original script's loose input.)

#!/usr/bin/env perl
# Input file is text with lines of the general form:
#
# [IP|IP range|CIDR][whitespace+comment]
#
# Ranges are de-spaced, then anything from the first whitespace to EOL is discarded
#
# Output is a Postfix CIDR table with lines of form:
#
# OK

use strict;
use warnings;
use Net::CIDR::Lite;

my $list = Net::CIDR::Lite->new;

while (<>) {
    # drop the newline so a trailing comment never leaves one behind
    chomp;
    # de-space ranges
    s/ ?- ?/-/;
    # toss out comments after the IP spec & whitespace
    s/\s+.*//;
    # oops, this was an indented line with no IP spec, move along
    next if ( ! m/./ );
    # canonicalize shorthanded ranges (a.b.c.d-e -> a.b.c.d-a.b.c.e)
    if ( m/^\d+\.\d+\.\d+\.\d+-\d+$/ ) {
        s/^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$/$1.$2.$3.$4-$1.$2.$3.$5/;
    }
    $list->add_any($_);
}

# merge overlapping and adjacent entries into a minimal set of CIDR blocks
$list->clean();
my @cidrs = $list->list;
foreach my $cidr (@cidrs) {
    print "$cidr\tOK\n";
}
Move deferred mails to another SMTP server
Hi all,

I'm searching for a hint, how to move deferred mails to another SMTP server after an adjustable time, e.g. after 4 hours.

I've already found the fallback_relay setting, but this will move deferred mails immediately after the first failed delivery attempt.

Any idea, how to move deferred mails after x failed delivery attempts or x hours to another SMTP relay?

--
Aban Dokht
aban.do...@abando.de
--
Re: regexp for allowing helo host
On 15 Nov 2016, at 13:46, Eric Abrahamsen wrote:

> Eric Abrahamsen writes:
>
>> I'm trying to successfully receive emails from my state's health care
>> service, which is apparently broken in the way it sends emails. These
>> are the errors:
>>
>> ericabrahamsen.net/smtpd[24193]: warning: hostname\
>> mail-relay.secure-24.net does not resolve to address 199.71.239.178
>>
>> ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
>> unknown[199.71.239.178]: 550 5.7.1\
>> : Helo command rejected: Host\
>> not found; from= \
>> to= proto=ESMTP\
>> helo=
>>
>> The helo host seems to change ever time; at least there are a lot of
>> them.
>>
>> I just want to check here: is it safe to change my check_helo_access
>> from a hash to a regexp, and do:
>>
>> /msp.secure-24.net/ OK
>>
>> Is that likely to cause me any problems?
>
> Hmm, I just tried it, and it didn't actually work! Anyway, any advice on
> this would be much appreciated...

You've got reject_unknown_helo_hostname in a smtpd_*_restrictions list. Which one is unknown, as you've ignored the suggestions provided when you subscribed here and about a dozen times per week on the list about how to help us help you. The ordering of directives in each restriction list and which list has reject_unknown_helo_hostname in it determines how you would need to whitelist patterns against it. Provide postconf -nf output for more specific help.

Be aware that if you use reject_unknown_helo_hostname you will have a steady stream of cases for which you will have to make special exceptions. How steady that stream is depends more on your volume and diversity of legitimate mail than on how heavily spammed you are.
ANN: vim syntax highlighting for Postfix
vim comes with syntax highlighting for Postfix, but the syntax file is outdated and doesn't cover LDAP and other drivers.

For those who like an up to date syntax highlighting that reflects your Postfix installation take a look at https://github.com/sys4/vim-postfix.

Christian (Rößner) took the time to create two scripts that will create syntax files. The README tells how to install them. Worked out of the box for me.

p@rick

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: Blocking users sending spam
On Tue, 15 Nov 2016 14:09:03 +0100, Volker Cordes wrote:

> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in germany).
>
> Thanks,
> Volker

hi

cbpolicyd and a few other throttling solutions are effective (if the limits are low enough to discourage spammers).

besides them I'm also using a script that traces IPs from which a user logged in in a time limit, and if there are more IP addresses than the set limit the user is locked out from sending mails.

the script counts actually 2 things, logins and amount of mails sent, and locks out the user if the limit for either one in a time window is exceeded. Lockout is achieved either by an update to a mysql table or by modifying the postfix check_sender_access file. unblocking is from the command line but it's quite effective most of the time.
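The first half of the check the poster describes (one SASL user authenticating from too many distinct client addresses inside a time window) can be run straight off the smtpd log. The following is an added example written for this thread, not the poster's script: it parses the "client=host[addr], sasl_method=..., sasl_username=..." lines that Postfix smtpd logs for authenticated sessions, keeps a sliding window per user, and reports users whose window contains more distinct addresses than the limit. The log lines are constructed for the example (RFC 5737 documentation addresses), the year is an assumption because classic syslog timestamps carry none, and the one-hour window and limit of three addresses are arbitrary thresholds that a site would tune; what to do with a flagged user (locking the account, rewriting check_sender_access) is left to the operator, as in the poster's setup.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice's credentials are used from four networks in
# eight minutes; bob logs in from home twice and once from work.
SAMPLE_LOG = """\
Nov 15 13:01:02 mx postfix/smtpd[2101]: 3A1B2C3D4E: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 15 13:03:10 mx postfix/smtpd[2102]: 3A1B2C3D4F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 15 13:05:44 mx postfix/smtpd[2103]: 3A1B2C3D50: client=unknown[192.0.2.33], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 15 13:07:01 mx postfix/smtpd[2104]: 3A1B2C3D51: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 15 13:09:15 mx postfix/smtpd[2105]: 3A1B2C3D52: client=home.example.net[203.0.113.200], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 15 14:30:00 mx postfix/smtpd[2106]: 3A1B2C3D53: client=home.example.net[203.0.113.200], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 15 16:10:00 mx postfix/smtpd[2107]: 3A1B2C3D54: client=office.example.net[198.51.100.40], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 15 16:11:00 mx postfix/smtpd[2108]: 3A1B2C3D55: client=unknown[192.0.2.9]
"""

# Matches the authenticated-client line smtpd writes; unauthenticated
# sessions have no sasl_username and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S+?\[(?P<ip>[0-9a-fA-F.:]+)\].*?sasl_username=(?P<user>\S+)"
)


def parse_auth_events(lines, year):
    """Yield (timestamp, client_ip, sasl_username) for each authenticated login."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # year is assumed: syslog timestamps do not include it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def suspicious_users(lines, window=timedelta(hours=1), max_ips=3, year=2016):
    """Return {user: sorted distinct IPs} for users that authenticated from
    more than max_ips distinct client addresses within any `window`."""
    recent = defaultdict(deque)   # user -> (ts, ip) events inside the window
    flagged = defaultdict(set)
    for ts, ip, user in sorted(parse_auth_events(lines, year)):
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        ips = {i for _, i in q}
        if len(ips) > max_ips:
            flagged[user].update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    for user, ips in suspicious_users(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {len(ips)} addresses in one window: {', '.join(ips)}")
```

Fed the journal or /var/log/mail.log on a timer, the function returns only users over the limit; a cron job can then apply whichever lockout the site uses and mail the result, the same way the quota alert script later in this thread does. Treating a flagged user as compromised rather than as a bot also avoids the GeoIP false positives raised elsewhere in the thread.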
Re: Blocking users sending spam
On 15.11.2016 14:09, Volker Cordes wrote:
> I was wondering if it is possible to [...] implement blocking using
> geoip-services (99% of our customers are based in germany).

Will any of the users be travelling and/or utilizing anonymity networks like Tor (see https://www.torproject.org/)? Tor exit nodes are scattered across the globe, so blocking by GeoIP (which by the way is not always exact) can potentially have a downside.

-Ralph
Re: [postfix-users] Using consecutive IPs in a client access file
> The exchange servers have some groups of consecutive IPs on their allow list,
> some cover 5 or 6 IPs, others 100.
> Is there a way to provide the same list .i.e.
> 192.168.0.2-12    OK
>
> without:
>
> Listing them all individually
> i.e.
> 192.168.0.2 OK
> 192.168.0.3 OK
> Etc...
> Or
> Allowing an entire subnet
> 192.168.0.0/24    OK

Try

192.168.0.2/31    OK
192.168.0.4/30    OK
192.168.0.8/30    OK
192.168.0.12      OK

or

192.168.0.0/31    REJECT
192.168.0.13      REJECT
192.168.0.14/31   REJECT
192.168.0.0/28    OK

or

192.168.0.0/31    REJECT
192.168.0.12      OK
192.168.0.12/29   REJECT
192.168.0.0/28    OK

Gabor
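Gabor's first table is the minimal CIDR decomposition of 192.168.0.2-12, the same thing Bill's Perl script above computes with Net::CIDR::Lite. The following added example (not code from either poster) does the same job in Python with only the standard library, so the split and the merge can be checked without installing a CPAN module. It accepts the loose input Bill's script handles (single addresses, a-b ranges, the a.b.c.d-N shorthand from Rich's question, CIDR blocks, trailing comments), expands each spec to an inclusive address range, turns the ranges into aligned CIDR blocks, and collapses overlaps so one entry per block comes out. The sample input is constructed; the function names parse_spec and to_cidr_table are this example's own. Postfix cidr_table(5) accepts both a bare address and the /32 suffix the code emits for single hosts.

```python
import ipaddress
import re

# Constructed sample in the loose one-spec-per-line format from the thread.
SAMPLE_INPUT = """\
# relays migrated from Exchange
192.168.0.2-12                old Exchange relay pool
192.168.0.100 - 192.168.0.103
10.0.5.0/30
192.168.0.3                   already inside the first range, merges away
"""


def parse_spec(spec):
    """Turn one spec (single address, a-b range, a.b.c.d-N shorthand, or
    CIDR block) into an inclusive (first, last) pair of IPv4 addresses."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        if "." not in hi:                     # shorthand: only the last octet given
            hi = lo.rsplit(".", 1)[0] + "." + hi
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    addr = ipaddress.ip_address(spec)
    return addr, addr


def to_cidr_table(text, action="OK"):
    """Return the Postfix cidr_table lines ("<block>\\t<action>") covering every
    spec in `text`, as a minimal set of non-overlapping CIDR blocks."""
    nets = []
    for line in text.splitlines():
        line = re.sub(r"\s*-\s*", "-", line.strip())   # "a - b" -> "a-b"
        if not line or line.startswith("#"):
            continue
        first, last = parse_spec(line.split()[0])      # drop trailing comment
        if first > last:
            raise ValueError(f"range out of order: {line}")
        # summarize_address_range() is the "minimal aligned blocks" step
        nets.extend(ipaddress.summarize_address_range(first, last))
    # collapse_addresses() merges adjacent blocks and drops subsumed ones
    return [f"{net.with_prefixlen}\t{action}"
            for net in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print("\n".join(to_cidr_table(SAMPLE_INPUT)))
```

The output for the sample reproduces Gabor's four lines for the .2-.12 range (the lone 192.168.0.3 entry disappears into 192.168.0.2/31), plus one line each for the two other specs. Swapping the action lets the same function emit the REJECT rows of Gabor's second variant.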
Re: regexp for allowing helo host
Eric Abrahamsen writes:

> I'm trying to successfully receive emails from my state's health care
> service, which is apparently broken in the way it sends emails. These
> are the errors:
>
> ericabrahamsen.net/smtpd[24193]: warning: hostname\
> mail-relay.secure-24.net does not resolve to address 199.71.239.178
>
> ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
> unknown[199.71.239.178]: 550 5.7.1\
> : Helo command rejected: Host\
> not found; from= \
> to= proto=ESMTP\
> helo=
>
> The helo host seems to change ever time; at least there are a lot of
> them.
>
> I just want to check here: is it safe to change my check_helo_access
> from a hash to a regexp, and do:
>
> /msp.secure-24.net/ OK
>
> Is that likely to cause me any problems?

Hmm, I just tried it, and it didn't actually work! Anyway, any advice on this would be much appreciated...
Re: regexp for allowing helo host
On 11/15/16 13:43, Eric Abrahamsen wrote:
> I'm trying to successfully receive emails from my state's health care
> service, which is apparently broken in the way it sends emails. These
> are the errors:
>
> ericabrahamsen.net/smtpd[24193]: warning: hostname\
> mail-relay.secure-24.net does not resolve to address 199.71.239.178

You could just whitelist 199.71.236.0/22

>
> ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
> unknown[199.71.239.178]: 550 5.7.1\
> : Helo command rejected: Host\
> not found; from=\
> to= proto=ESMTP\
> helo=
>
> The helo host seems to change ever time; at least there are a lot of
> them.
>
> I just want to check here: is it safe to change my check_helo_access
> from a hash to a regexp, and do:
>
> /msp.secure-24.net/ OK
>
> Is that likely to cause me any problems?
>
> Thanks!
> Eric
>

--
John
PGP Public Key: 412934AC
regexp for allowing helo host
I'm trying to successfully receive emails from my state's health care service, which is apparently broken in the way it sends emails. These are the errors:

ericabrahamsen.net/smtpd[24193]: warning: hostname\
mail-relay.secure-24.net does not resolve to address 199.71.239.178

ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
unknown[199.71.239.178]: 550 5.7.1\
: Helo command rejected: Host\
not found; from=\
to= proto=ESMTP\
helo=

The helo host seems to change ever time; at least there are a lot of them.

I just want to check here: is it safe to change my check_helo_access from a hash to a regexp, and do:

/msp.secure-24.net/ OK

Is that likely to cause me any problems?

Thanks!
Eric
Re: Blocking users sending spam
On 15/11/2016 21:09, Volker Cordes wrote:

> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in germany).

I use the following, http://wiki.policyd.org/start with the quota module activated.

Then there is this cron script (found from the internet) that sends an email to the administrator once the user starts sending more than 50% of the limit set.

#!/bin/bash
# parameters:
#   0.5 ...                 if counter is above 50% of the limit
#   timestampdiff() <= 1 ... seen in the last hour
# If there are no results the output is empty, otherwise cron sends the
# result per mail.
# Note: a password given on the command line is visible to every local
# user in the process list; a client option file readable only by the
# cron user avoids that.

echo "select TrackKey,
             FROM_UNIXTIME(LastUpdate) as LastSeen,
             Counter,
             CounterLimit,
             Counter / CounterLimit * 100 as Percentage
      from quotas_tracking
      left join quotas_limits on quotasLimitsID = quotas_limits.ID
      where Counter / CounterLimit > 0.5
        and TIMESTAMPDIFF(HOUR, FROM_UNIXTIME(LastUpdate), CURRENT_TIMESTAMP()) <= 1
      order by counter desc;" \
  | mysql --user=databaseuser --password=password database

P.V.Anthony
Using consecutive IPs in a client access file
Just a quick question since I have not found a way in my Googling.

We are replacing some of our internal Exchange relays with postfix. Currently we have other internal postfix relays which utilize a client access file to allow relaying. The file contains all single IPs, no ranges.

The exchange servers have some groups of consecutive IPs on their allow list, some cover 5 or 6 IPs, others 100.
Is there a way to provide the same list .i.e.
192.168.0.2-12    OK

without:

Listing them all individually
i.e.
192.168.0.2 OK
192.168.0.3 OK
Etc...
Or
Allowing an entire subnet
192.168.0.0/24    OK

If not possible, that's fine, I will just list them by hand, just hoping there was a native way to do it.

Thanks,
Rich
Re: use of dash [and other] characters in parameter names
On 2016.11.15 11.44, Wietse Venema wrote:
> btb:
>> since parameters can be user defined, i think it would be good if
>> the documentation stated this, maybe in postconf(5)? it would
>> alleviate guessing games.
>>
>> possibly something like:
>>
>> Postfix main.cf file format
>> [...]
>> • A logical line starts with non-whitespace text. A line that starts
>> with whitespace continues a logical line.
>>
>> • Parameter names are limited to the character set [a-zA-z0-9_].
>
> This is inaccurate. The above parameter name syntax limitation exists
> only with $name or ${name}, i.e. when a parameter value is used
> in another parameter setting. A name can contain any non-space
> character with 'name = value' or with master.cf service names.

i see, thanks for clarifying this

> Would spelling out such intricate rules make Postfix easier to use?

i can't speak for everyone, of course, but it might, if it could be done
concisely. when postfix tells me there was a syntax error, i've become
accustomed to finding valid syntax defined in the documentation.

would this be acceptable?:

The expressions "$name" and "${name}" are recursively replaced with the
value of the named parameter, except where noted. An undefined parameter
value is replaced with the empty value. Named parameters are limited to
the character set [a-zA-Z0-9_].

-ben
Re: possible typo in postconf(5) documentation
On 2016.11.15 11.32, Wietse Venema wrote:
> btb:
>> in the postconf(5) documentation, the format section says:
>>
>> The expressions "${name:value}" and "${name?{value}}" are replaced
>> with "value" when "$name" is empty. These forms are supported with
>> Postfix versions ≥ 2.2 and ≥ 3.0, respectively.
>>
>> should the ? in "${name?{value}}" be a :?
>
> Yes. This was corrected in Postfix 3.1.

it looks like it may have been missed in html/postconf.5.html and
proto/postconf.html.prolog, at least as of postfix-3.2-20161106.

-ben
Re: use of dash [and other] characters in parameter names
btb:
> since parameters can be user defined, i think it would be good if the
> documentation stated this, maybe in postconf(5)? it would alleviate
> guessing games.
>
> possibly something like:
>
> Postfix main.cf file format
> [...]
> • A logical line starts with non-whitespace text. A line that starts
> with whitespace continues a logical line.
>
> • Parameter names are limited to the character set [a-zA-z0-9_].

This is inaccurate. The above parameter name syntax limitation exists
only with $name or ${name}, i.e. when a parameter value is used in
another parameter setting. A name can contain any non-space character
with 'name = value' or with master.cf service names.

Would spelling out such intricate rules make Postfix easier to use?

	Wietse
Re: possible typo in postconf(5) documentation
btb:
> in the postconf(5) documentation, the format section says:
>
> The expressions "${name:value}" and "${name?{value}}" are replaced with
> "value" when "$name" is empty. These forms are supported with Postfix
> versions ≥ 2.2 and ≥ 3.0, respectively.
>
> should the ? in "${name?{value}}" be a :?

Yes. This was corrected in Postfix 3.1.

	Wietse
Re: Temporary storage of email per SMTP daemon
max:
> Let me try to describe what we try to achieve.
>
> We want to intercept e-mail from the different servers (preferably in
> separated mail boxes), do some content inspection and send them out again at
> a later time.
>
> We'd use java mail to do the content inspection, strip CC and BCC and use
> the X-Original-To header to re-inject it into postfix.
>
> What would be a better solution? We'd consider filters, but that doesn't
> solve the scheduling.

You can combine the Postfix content filter mechanism with the 'hold'
action. For example:

/etc/postfix/master.cf:
    smtp .. .. .. .. smtpd
        -o smtpd_client_restrictions=static:hold
        -o content_filter=foo:bar

(note: no space around the '=').

See FILTER_README for content filter options.

Issue the 'postsuper -H' command to release a message and have its
content inspected.

You can programmatically inspect the queue with "postqueue -j" (JSON
output, available with Postfix 3.1 and later) or "postqueue -p" (roll
your own parser).

	Wietse
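As an added example (mine, not Wietse's or the Postfix project's code), a Python skeleton for the scheduling step in the answer above: it reads "postqueue -j" output, selects hold-queue messages that have waited at least a chosen dwell time, and builds the matching "postsuper -H" commands for the operator to run. The JSON field names follow postqueue(1) as I know them (queue_name, queue_id, arrival_time, message_size, sender, recipients); the three queue entries and their queue IDs are constructed.

```python
import json
import time

# Constructed sample of "postqueue -j" output: one JSON object per line, using
# the field names documented in postqueue(1). Queue IDs are made up.
SAMPLE_QUEUE = """\
{"queue_name": "hold", "queue_id": "3A1B2C3D4E", "arrival_time": 1479222000, "message_size": 2048, "sender": "alice@example.net", "recipients": [{"address": "bob@example.org"}]}
{"queue_name": "hold", "queue_id": "5F6A7B8C9D", "arrival_time": 1479225500, "message_size": 512, "sender": "carol@example.net", "recipients": [{"address": "dave@example.org"}, {"address": "erin@example.org"}]}
{"queue_name": "deferred", "queue_id": "0E1F2A3B4C", "arrival_time": 1479220000, "message_size": 4096, "sender": "frank@example.net", "recipients": [{"address": "grace@example.org", "delay_reason": "connect to mx.example.org[203.0.113.9]:25: Connection refused"}]}
"""


def parse_queue(text):
    """Turn postqueue -j output into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def held_long_enough(entries, min_age, now):
    """Queue IDs of messages in the hold queue whose arrival_time is at
    least min_age seconds before now, i.e. the dwell time has elapsed.
    Messages in other queues (deferred, active, ...) are never touched."""
    return [
        e["queue_id"]
        for e in entries
        if e.get("queue_name") == "hold" and now - e["arrival_time"] >= min_age
    ]


def release_commands(entries, min_age, now):
    """Build the 'postsuper -H <queue_id>' lines that would release the
    qualifying messages to the content_filter; nothing is executed here."""
    return [f"postsuper -H {qid}" for qid in held_long_enough(entries, min_age, now)]


if __name__ == "__main__":
    # In production the text would come from running: postqueue -j
    entries = parse_queue(SAMPLE_QUEUE)
    for cmd in release_commands(entries, min_age=3600, now=time.time()):
        print(cmd)
```

Because smtpd_client_restrictions=static:hold parks every message in the hold queue, the dwell time is enforced entirely by when this script is run (for instance from cron).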
Re: Blocking users sending spam
I would say that GeoIP would be the best. And those users that need to
travel need to pre-request travelling access through a captcha-protected
AND geoip restricted web interface prior to travelling. (but once opened,
they can extend access out-of-country)

And then they need to specify time spent away. (which will be deducted
from their total)

Also to prevent people from opening travel access without need, make it
so they can open a maximum, let's say TOTAL=30 days per 180 days.

Volker Cordes wrote: (15 November 2016 14:09:03 CET)
>Hello,
>
>I just stopped our server from sending out spam mails. A password from
>one of our customers was hacked or somehow leaked so that the mails
>were
>sent by an authenticated user. Now I was wondering if it is possible to
>block users that authenticate themselves from a lot of different IP
>addresses in a short timespan or to implement blocking using
>geoip-services (99% of our customers are based in Germany).
>
>Thanks,
>Volker
possible typo in postconf(5) documentation
in the postconf(5) documentation, the format section says:

The expressions "${name:value}" and "${name?{value}}" are replaced with
"value" when "$name" is empty. These forms are supported with Postfix
versions ≥ 2.2 and ≥ 3.0, respectively.

should the ? in "${name?{value}}" be a :?

-ben
Re: Blocking users sending spam
On 2016-11-15 08:09 AM, Volker Cordes wrote:
> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).

I simply throttle my users. We offer mailing list access (mailman) so
there is hardly ever any reason to bulk send from a personal account. I
picked 100 as a reasonable number of messages to send in an hour and
check the previous hour every 15 minutes. If the above happens they get
stopped very quickly. I also get email so that I can deal with the user.
I let them know that I can temporarily whitelist them if they do have a
legitimate need to send out a one time mass mailing.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net
Re: Blocking users sending spam
Am 15.11.2016 um 14:09 schrieb Volker Cordes:

Good afternoon Volker, dear List.

We had a similar incident last year. What I then did was to parse the
logfiles on a daily basis to check where the logins occur from. We have
a customer base from Germany mainly (except business travelling people),
so I compiled a list of most probable ip ranges/dyn dialup domains,
against whom I grep -v the logfile entries and then get a mail each
midnight of the ones not matching those expectations.

I can see that geo blocking may be a solution, but with globally
travelling people it's not really an option. Same applies to a lot of
changes of ips (if they come from the same range, e.g. provider).

I know it's far from perfect, but from an 80:20 approach a good one. You
can probably put in (much) more effort to produce a maybe more reliable,
automated approach of some kind.

And yes, it was a pure reactive measure and of course did not prevent
setting off spams until we noticed (actually it never happened since
then, so I can't really tell)...

> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).
>
> Thanks,
> Volker
>
>

=== Note: this message was sent by me *only* if the eMail message
contains a correct pgp signature corresponding to my address at
flo...@floppy.org. Do you need my PGP public key? Check out
http://www.floppy.org or send me an email with the subject "send pgp
public key" to this address of mine. Thx!
Blocking users sending spam
Hello,

I just stopped our server from sending out spam mails. A password from
one of our customers was hacked or somehow leaked so that the mails were
sent by an authenticated user. Now I was wondering if it is possible to
block users that authenticate themselves from a lot of different IP
addresses in a short timespan or to implement blocking using
geoip-services (99% of our customers are based in Germany).

Thanks,
Volker
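As an added example (mine, not from anyone in this thread), a Python sketch of the two detection ideas raised here: the "grep -v against expected ranges" nightly check from the reply above, and the "same user authenticating from many IPs in a short time" check Volker asks about, both run over smtpd log lines. The log lines, users, addresses, expected ranges and the 2016 year are constructed; the line format is the one Postfix smtpd writes for SASL-authenticated clients.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed smtpd log lines in the form Postfix writes for authenticated
# clients: "client=host[ip], sasl_method=..., sasl_username=...".
SAMPLE_LOG = """\
Nov 15 13:01:02 mx1 postfix/smtpd[2231]: 7B1C3A2D9F: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=anna@example.de
Nov 15 13:05:40 mx1 postfix/smtpd[2231]: 8C2D4B3E0A: client=unknown[192.0.2.11], sasl_method=PLAIN, sasl_username=anna@example.de
Nov 15 13:07:15 mx1 postfix/smtpd[2240]: 9D3E5C4F1B: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=kunde@example.de
Nov 15 13:09:58 mx1 postfix/smtpd[2240]: 0E4F6D5A2C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=kunde@example.de
Nov 15 13:12:31 mx1 postfix/smtpd[2244]: 1F5A7E6B3D: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=kunde@example.de
Nov 15 13:14:05 mx1 postfix/smtpd[2244]: 2A6B8F7C4E: client=unknown[203.0.113.78], sasl_method=LOGIN, sasl_username=kunde@example.de
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)
# Ranges customers are expected to log in from (constructed); anything else
# is reported, like the grep -v check described in the thread.
EXPECTED = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def parse_logins(text, year=2016):
    """Return (timestamp, username, ip) per authenticated smtpd line.
    syslog lines carry no year, so one is supplied (2016 assumed here)."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], ipaddress.ip_address(m["ip"])))
    return events


def users_with_many_ips(events, max_ips, window_seconds):
    """Users seen from more than max_ips distinct client addresses within
    any span of window_seconds (sliding window over time-sorted events)."""
    per_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        per_user[user].append((ts, ip))
    flagged = []
    for user, seen in per_user.items():
        for i, (start, _) in enumerate(seen):
            ips = {ip for ts, ip in seen[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(ips) > max_ips:
                flagged.append(user)
                break
    return sorted(flagged)


def logins_outside_expected(events, expected=EXPECTED):
    """(user, ip) pairs whose client address is in none of the expected ranges."""
    return sorted({(user, str(ip)) for _, user, ip in events
                   if not any(ip in net for net in expected)})
```

A cron job can feed the mail log through parse_logins and mail the two result lists to the administrator; what to do with a flagged account (throttle, temporary lock, a call to the customer) stays a policy decision, as the replies in this thread show.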
Interaction between restriction classes and milter.
Hello all,

What I am trying to do is whitelist cidr ranges stored in a mysql
database and fall back to smtp auth for the previously unmatched ip
addresses. This is the pseudocode:

if (client_ip in whitelist_mysql_cidr_ranges) {
    accept
} else if (sender is smtp_authenticated) {
    accept
} else {
    reject
}

for individual ip addresses (key-value tables) I would use something
like this:

smtpd_relay_restrictions = permit_mynetworks,
    check_client_access mysql:/etc/postfix/mysql_whitelist.conf,
    permit_sasl_authenticated,
    reject

since postfix only can use cidr with local files, I use a milter
(mimedefang) to do the cidr whitelist part, but milter and restriction
classes seem to be two separate mechanisms so this configuration isn't
possible, am I right??

The only way seems to be to use a different port with a submission
service configured.
Re: Temporary storage of email per SMTP daemon
Let me try to describe what we try to achieve.

We want to intercept e-mail from the different servers (preferably in
separated mail boxes), do some content inspection and send them out
again at a later time.

We'd use java mail to do the content inspection, strip CC and BCC and
use the X-Original-To header to re-inject it into postfix.

What would be a better solution? We'd consider filters, but that doesn't
solve the scheduling.

Hope you can point us in the right direction.

Thanx
Re: Temporary storage of email per SMTP daemon
> On Nov 15, 2016, at 5:07 AM, max wrote:
>
> We setup a postfix mailserver (192.168.0.1) as a relay for our internal
> network. All e-mail (disregarded the final destination) should be stored on
> this machine for a period of time before we re-inject the email into postfix
> and relay it to our outgoing mailserver (192.168.0.2) who'll deliver it to
> the final destination.

The design appears to have a show-stopper critical bug. You're losing
the original message's envelope recipients, and therefore cannot resume
forward delivery without losing Bcc recipients and serious risk of
email loops.

> Our current setup looks like this and all seems work.

Looks rather broken to me.

>
> main.cf
> #
> inet_interfaces = localhost, 192.168.0.1
> mydestination = $myhostname
> relayhost = 192.168.0.2:25
> mynetworks = localhost
> home_mailbox = inbox/
> #
>
> master.cf
>
> #
> smtp inet n - n - - smtp
>
> 192.168.0.1:10025 inet n - n - - smtp
>     -o cleanup_service_name=cleanupserver1
>     -o mynetworks=192.168.0.3
>
> cleanupserver1 unix n - n - 0 cleanup
>     -o virtual_alias_maps=static:server1

Destroys the envelope recipient information.

> 192.168.0.1:20025 inet n - n - - smtp
>     -o cleanup_service_name= cleanupserver2
>     -o mynetworks=192.168.0.4
>
> cleanupserver2 unix n - n - 0 cleanup
>     -o virtual_alias_maps=static:server2

Ditto.

>
> 192.168.0.1:30025 inet n - n - - smtp
>     -o cleanup_service_name= cleanupserver3
>     -o mynetworks=192.168.0.5
>
> cleanupserver3 unix n - n - 0 cleanup
>     -o virtual_alias_maps=static:server3

Ditto.

> On this server we created accounts server1, server2, server3 etc. All
> incoming e-mail is delivered to /home/server1/inbox/, /home/server2/inbox/,
> /home/server3/inbox/ etc.

After which time, it is unsafe (i.e. you MUST NOT attempt) to re-inject
the mail for onward delivery.

> Any suggestions?

Stop. What problem is this supposed to solve?

-- 
	Viktor.
Temporary storage of email per SMTP daemon
Hi,

We setup a postfix mailserver (192.168.0.1) as a relay for our internal
network. All e-mail (disregarded the final destination) should be stored
on this machine for a period of time before we re-inject the email into
postfix and relay it to our outgoing mailserver (192.168.0.2) who'll
deliver it to the final destination.

We'd prefer separate mail directories per source (server1 (192.168.0.3),
server2 (192.168.0.4), server3 (192.168.0.5) etc).

Our current setup looks like this and all seems work.

main.cf
#
inet_interfaces = localhost, 192.168.0.1
mydestination = $myhostname
relayhost = 192.168.0.2:25
mynetworks = localhost
home_mailbox = inbox/
#

master.cf

#
smtp inet n - n - - smtp

192.168.0.1:10025 inet n - n - - smtp
    -o cleanup_service_name=cleanupserver1
    -o mynetworks=192.168.0.3

cleanupserver1 unix n - n - 0 cleanup
    -o virtual_alias_maps=static:server1

192.168.0.1:20025 inet n - n - - smtp
    -o cleanup_service_name= cleanupserver2
    -o mynetworks=192.168.0.4

cleanupserver2 unix n - n - 0 cleanup
    -o virtual_alias_maps=static:server2

192.168.0.1:30025 inet n - n - - smtp
    -o cleanup_service_name= cleanupserver3
    -o mynetworks=192.168.0.5

cleanupserver3 unix n - n - 0 cleanup
    -o virtual_alias_maps=static:server3
#

On this server we created accounts server1, server2, server3 etc. All
incoming e-mail is delivered to /home/server1/inbox/,
/home/server2/inbox/, /home/server3/inbox/ etc.

First: Is there a way of making this more scalable (upscale without
adding services to the master.cf)?

Second: We would like to use virtual mailboxes instead so we don't have
to create user accounts for all mailboxes. I tried to change
virtual_mailbox_maps per smtp and cleanup instance but that didn't seem
to work.

Any suggestions?

Thanx
Re: Was the Dovecot working well?
Fail2ban might be able to do the whack-a-mole in a sensible manner that
allowed for innocent interruptions but banned the bad guys

Ron

On 14/11/2016 11:39 PM, Sean Greenslade wrote:
> On Mon, Nov 14, 2016 at 08:21:24PM -0800, vod vos wrote:
>> so are there any configurations to auto ban this kind of visit, like
>> postfix postscreen? or, I should write firewall rules to do the job?
>
> I don't know if dovecot provides such functionality. I personally don't
> bother, since it quickly becomes a game of whack-a-mole. Plus, it's not
> always a malicious event. If the connection gets interrupted before the
> client sends its auth credentials, it looks the same as this type of
> scan.
>
> Basically, make sure users are using good, secure passwords, and make
> sure your software is all up to date.
>
> --Sean

-- 
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102