Re: ANN: vim syntax highlighting for Postfix

2016-11-15 Thread Florian Piekert
On 15.11.2016 at 21:57, Patrick Ben Koetter wrote:

Good morning Patrick & List members,

please find attached a modified version of the scripts that sets the CAT var
to either gz (as on my opensuse 42.1) or bz2. Feel free to use it according
to the
 GNU GENERAL PUBLIC LICENSE
   Version 2, June 1991
provided by Patrick under
https://github.com/sys4/vim-postfix/blob/master/LICENSE

> vim comes with syntax highlighting for Postfix, but the syntax file is
> outdated and doesn't cover LDAP and other drivers.
> 
> For those who like an up to date syntax highlighting that reflects your
> Postfix installation take a look at https://github.com/sys4/vim-postfix.
> 
> Christian (Rößner) took the time to create two scripts that will create syntax
> files. The README tells how to install them. Worked out of the box for me.
> 
> p@rick
> 
> 

===
Note:  this message was  sent by me *only* if the  eMail message contains a
correct pgp signature corresponding to my address at  flo...@floppy.org. Do
you need my  PGP  public key? Check out http://www.floppy.org or send me an
email with  the subject "send pgp public key" to  this address of mine. Thx!

#!/bin/bash
#
#set -x

POSTCONF1=/usr/share/man/man1/postconf.1.gz
POSTCONF5=/usr/share/man/man5/postconf.5.gz

# The compression suffix is the text after the last dot of the man page name
TEMP="${POSTCONF1##*.}"
if [ "$TEMP" == "gz" ] ; then
  CAT=/usr/bin/gzip
  CATPARAM=-dc
elif [ "$TEMP" == "bz2" ] ; then
  CAT=/usr/bin/bzcat
  CATPARAM=
fi

###

TEMP=/tmp/$(basename $0)-pfmain-$$
trap -- "rm -f ${TEMP}" EXIT

[[ -x ${CAT} ]] || exit 1
[[ -f ${POSTCONF1} ]] || exit 1
[[ -f ${POSTCONF5} ]] || exit 1

cat > ${TEMP} << EOB
" Vim syntax file
" Language: Postfix main.cf configuration
" Maintainer:   Christian Roessner 
" Last Change:  2016 Nov 13
" Version:  0.40
" Comment:  Auto-generated

if version < 600
syntax clear
elseif exists("b:current_syntax")
finish
endif

if version >= 600
setlocal iskeyword=@,48-57,_,-
else
set iskeyword=@,48-57,_,-
endif

syntax case match
syntax sync minlines=1

EOB

${CAT} ${CATPARAM} ${POSTCONF5} | \
awk '/^\.SH ([a-z0-9_]+).+/ { print "syntax keyword pfmainConf "$2 }' \
>> ${TEMP}

${CAT} ${CATPARAM} ${POSTCONF5}| \
awk 'match($0, /\\fItransport\\fR(_[a-z_]+) /, a) { print "syntax match pfmainConf \""a[1]"\\>\"" }' \
>> ${TEMP}

echo >> ${TEMP}

${CAT} ${CATPARAM} ${POSTCONF5} | \
awk '/^\.SH ([a-z0-9_]+).+/ { print "syntax match pfmainRef \"$\\<"$2"\\>\"" }' \
>> ${TEMP}

echo >> ${TEMP}

${CAT} ${CATPARAM} ${POSTCONF5} | \
awk 'match($0, /^\.IP \"\\fB([a-z0-9_]+) ?\\f[RI]/, a) { print "syntax keyword pfmainWord "a[1] }' \
>> ${TEMP}

echo >> ${TEMP}

function paragraph() {
${CAT} ${CATPARAM} ${POSTCONF1} | \
awk -v text="$3" 'BEGIN { s = 0 } {
if (s == 0) {
if ($0 ~ /\.IP \\fB\\\'"${1}"'\\fR/) { 
s = 1;
} 
} else {
if ($0 ~ /\.IP \\fB\\\'"${2}"'\\fR/) {
exit;
}
if (match($0, /^\.IP \"?\\fB([a-z]+)\\fR\"?/, a)) {
print text, a[1]
}
} 
}' >> ${TEMP}
}

paragraph "-m" "-M" "syntax keyword pfmainDict"
echo >> ${TEMP}

paragraph "-a" "-A" "syntax keyword pfmainSASLType"
echo >> ${TEMP}

paragraph "-l" "-m" "syntax keyword pfmainLock"

cat >> ${TEMP} << EOB

syntax keyword pfmainQueueDir   incoming active deferred corrupt hold
syntax keyword pfmainTransport  smtp lmtp unix local relay uucp virtual
syntax keyword pfmainAnswer yes no

syntax match pfmainComment  "#.*$"
syntax match pfmainNumber   "\<\d\+\>"
syntax match pfmainTime "\<\d\+[hmsd]\>"
syntax match pfmainIP   "\<\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\>"
syntax match pfmainVariable "\$\w\+" contains=pfmainRef
syntax match pfmainVariable2 "\${\w\+}" contains=pfmainConf

syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"

syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  "\"
syntax match pfmainSpecial  

RE: milter to decode quoted-printable, base64, ...

2016-11-15 Thread Michael Fox
> > I've got some clients that are really simple and don't understand various
> > message encoding types, such as quoted-printable, base64, possibly others.
> > They understand plain text only.  So, for users in specific domains, I'd
> > like to convert quoted-printable, base64 and possibly other encoded messages
> > to plain text.
> 
> Do you understand why QP, Base64, and other encodings exist?

Yes

> 
> It is because some messages cannot be represented as plain text, due to
> the fact that "plain text" for email is a subset of the US-ASCII
> character set. QP and Base64 exist to translate 8-bit characters and
> arbitrary binary data into a stream of 8-bit characters that are in a
> 'mail safe' subset of US-ASCII.

Yup.  But if the original message content is all plain text, then the encoding 
adds no value and can be removed without changing the message.


> > I presume I need a content-filter to perform this work post-queue.
> 
> One actually should only do anything like this with client-side
> software. You presumably intend to throw away information (such as the
> difference between o, ô, and ö)

Yes.  Although the likelihood of such characters in the original content is 
virtually nil in this application.  And, even if it does exist, such characters 
can't be used by the receiving client anyway.


> and it is best to allow those choices
> to remain with end users.

Generally true.  But not in this case.  The client is what it is.  So I either 
find a way to decode such messages externally before delivering them to the 
client, or else the messages can't be read at all (at least the base64 type).


> > I looked here:  http://www.postfix.org/addon.html
> >
> > . but didn't see anything that addresses the issue.  Any ideas would be
> > helpful.
> 
> Or maybe not, as I'm entirely serious when I say that your best choice
> is to not do this. Solve whatever problem you are trying to solve in
> some other way.

I understand and appreciate what you're saying as a general rule.  But I also 
understand this particular application.  And for this particular application, 
recovering the original plain text message before sending to the client is 
what's needed.  But thanks for your thoughts, Bill.  Your postings on this list 
are always informative.

Michael



Re: milter to decode quoted-printable, base64, ...

2016-11-15 Thread Bill Cole

On 15 Nov 2016, at 23:35, Michael Fox wrote:

> I've got some clients that are really simple and don't understand various
> message encoding types, such as quoted-printable, base64, possibly others.
> They understand plain text only.  So, for users in specific domains, I'd
> like to convert quoted-printable, base64 and possibly other encoded messages
> to plain text.

Do you understand why QP, Base64, and other encodings exist?

It is because some messages cannot be represented as plain text, due to
the fact that "plain text" for email is a subset of the US-ASCII
character set. QP and Base64 exist to translate 8-bit characters and
arbitrary binary data into a stream of 8-bit characters that are in a
'mail safe' subset of US-ASCII.

> I presume I need a content-filter to perform this work post-queue.

One actually should only do anything like this with client-side
software. You presumably intend to throw away information (such as the
difference between o, ô, and ö) and it is best to allow those choices
to remain with end users.

> I looked here:  http://www.postfix.org/addon.html
>
> . but didn't see anything that addresses the issue.  Any ideas would be
> helpful.

Or maybe not, as I'm entirely serious when I say that your best choice
is to not do this. Solve whatever problem you are trying to solve in
some other way.


Re: Using consecutive IPs in a client access file

2016-11-15 Thread Bill Cole

On 15 Nov 2016, at 23:05, Peter wrote:


> On 16/11/16 12:20, Bill Cole wrote:
> > No, there's not.
>
> Yes there is.

Read what I was responding to more carefully. Rich was seeking to avoid
manually entering single addresses and CIDR blocks.

> > However, I happened to have an old Perl script
>
> This is completely insane!

I have to disagree. It's only partly insane. I'd argue for somewhat less
than 10% insane, but that depends on how you quantify such things...

> Postfix fully supports CIDR notation in the
> CIDR table type, this works for access lists or any other settings that
> reference tables:
> http://www.postfix.org/cidr_table.5.html

Yes, and a Postfix CIDR table is what that script emits, given a list of
single address and hyphenated ranges as Rich described.


milter to decode quoted-printable, base64, ...

2016-11-15 Thread Michael Fox
I've got some clients that are really simple and don't understand various
message encoding types, such as quoted-printable, base64, possibly others.
They understand plain text only.  So, for users in specific domains, I'd
like to convert quoted-printable, base64 and possibly other encoded messages
to plain text.

 

I presume I need a content-filter to perform this work post-queue.

I looked here:  http://www.postfix.org/addon.html

. but didn't see anything that addresses the issue.  Any ideas would be
helpful.

 

Thanks,

Michael

 



Re: Using consecutive IPs in a client access file

2016-11-15 Thread Peter
On 16/11/16 12:20, Bill Cole wrote:
> No, there's not.

Yes there is.

> However, I happened to have an old Perl script



This is completely insane!  Postfix fully supports CIDR notation in the
CIDR table type, this works for access lists or any other settings that
reference tables:
http://www.postfix.org/cidr_table.5.html


Peter


Re: Using consecutive IPs in a client access file

2016-11-15 Thread Peter
On 16/11/16 07:07, Gomes, Rich wrote:
> Just a quick question since I have not found a way in my Googling.
> 
> We are  replacing some of our internal Exchange relays with postfix. 
> Currently we have other internal postfix relays which utilize a client access 
> file to allow relaying.
> The file contains all single IPs, no ranges.
> 
> The exchange servers have some groups of consecutive IPs on their allow list, 
> some cover 5 or 6 IPs, others 100.
> Is there a way to provide the same list .i.e. 
> 192.168.0.2-12  OK
> 
> without:
> 
> Listing them all individually
> i.e. 
> 192.168.0.2   OK
> 192.168.0.3   OK
> Etc...
> Or 
> Allowing an entire subnet
> 192.168.0.0/24  OK

You can use any table type listed in
http://www.postfix.org/DATABASE_README.html that has been compiled into
your postfix for an access file.  For this you would simply want to use
either a CIDR table
(http://www.postfix.org/cidr_table.5.html) which allows you to use CIDR
notation or a pcre
(http://www.postfix.org/pcre_table.5.html) or regexp
(http://www.postfix.org/regexp_table.5.html) table which would allow you
to match against regular expressions.


Peter


Re: Was the Dovecot working well?

2016-11-15 Thread Ron Wheeler

On 15/11/2016 9:52 PM, Sean Greenslade wrote:

> On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
> > Fail2ban might be able to do the whack-a-mole in a sensible manner that
> > allowed for innocent interruptions but banned the bad guys
>
> For the kind of attempts I typically see, F2B won't do much. It's
> usually not a brute force type of attack. Generally it's only a single
> connection that either attempts to fingerprint the server (checking for
> known vulns) or just tries a few "easy" passwords (e.g. root/root,
> pi/raspberry).

F2B is pretty flexible.
You can say that any IP that fails to login on root or pi 3 times in a
week should be banned for a month or forever if you really see a subtle
attack.

You have control of the frequency of log messages that constitute an attack.

You can look for any string in the log so you can watch for the
vulnerability probes as well as login attempts.


Ron

> I would suggest simple connection rate limiting and enforcing strong
> passwords as a better (in my opinion) option.
>
> --Sean





--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102



Re: Let's Encrypt + Postfix TLS + iOS Mail

2016-11-15 Thread Steve Jenkins
On Mon, Nov 14, 2016 at 7:22 PM, Sebastian Nielsen 
wrote:

> You need to be more clear here.
>
> When you say Gmail account on port 587 I don’t entirely understand what
> you are doing. Are you using Gmail as upstream smarthost?
>

1. Open Gmail
2. Press gear icon and select "Settings"
3. Select "Accounts and import"
4. Hit "Add another address you own"
5. Uncheck "Treat as an alias" and continue through setting up an account
inside Gmail that will allow you to authenticate and send mail through any
SMTP server for which you are authorized.


> This does not then have any bearing on what clients see or react to, as
> your server acts as a proxy to Gmail.
>

I was stating this only to say that for web clients such as Gmail, it's
quite happy sending mail through an SMTP server with an LE cert.



>  If the iOS mail client complains about certificate being untrusted, it's
> because the Let’s encrypt root is not imported or trusted, or that the
> entire chain excluding the root certificate, is not sent.
>

As Viktor pointed out, I think the latter is what I should focus on.


> Note that Let’s encrypt is a pretty new actor so if your iOS device is
> old, it will always untrust. Try visiting a site that has Let’s encrypt
> deployed. If you get cert errors, this is the case.
>

It's an iPhone 6. I hope that's not considered too old, yet. ;)


Re: Let's Encrypt + Postfix TLS + iOS Mail

2016-11-15 Thread Steve Jenkins
On Mon, Nov 14, 2016 at 7:23 PM,  wrote:

> Have you tried to add the certs to the root store on your phone? I'm not
> on an iPhone, but that is what I did for Let's Encrypt. And it doesn't seem
> to always work.
>

I can do that, but I don't want to make all the other users on this mail
server (a few dozen) have to do it, too. I want to do whatever I can on my
end so that it "just works" for them.


Re: Let's Encrypt + Postfix TLS + iOS Mail

2016-11-15 Thread Steve Jenkins
On Mon, Nov 14, 2016 at 7:17 PM, Viktor Dukhovni  wrote:

>
> > On Nov 14, 2016, at 9:08 PM, Steve Jenkins 
> wrote:
> >
> > # postconf -n | grep tls
> > smtp_tls_CAfile = $smtpd_tls_CAfile
> > smtp_tls_loglevel = 1
> > smtp_tls_security_level = may
>
> The above, being outgoing (SMTP client) settings have no bearing
> on the TLS behaviour of your server when receiving mail.
>

Understood. With the complaints of people not posting enough config info, I
figured doing a postconf -n | grep tls would be the best way to show what
is (and isn't) configured regarding anything TLS-related.


>
> > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
>
> This is unlikely to be useful in constructing a complete
> chain for Let's Encrypt if it is certs for cacert.org.
>

Good point, however, I'd previously added the Let's Encrypt fullchain.pem
to the end of that file while experimenting, in the hopes it would solve
the issue (it didn't).


> > smtpd_tls_auth_only = yes
> > smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt
> > smtpd_tls_key_file = /etc/pki/tls/private/example.com.key
>
> You *really* should not use "example" certs/keys.


I'm *really* not. :) My actual domain name is used in the actual main.cf
file.



> > It breaks (on iOS) if I change the smtpd_tls_cert_file and
> smtpd_tls_key_file to the Let's Encrypt cert and key.
>
> If iOS is happy with random "example" certs, perhaps it is
> because it was explicitly configured to trust these.
>
> In any case the right thing to do is in fact to populate the
> cert file with your server's Let's Encrypt certificate and
> issuing CA certificate in that order.  The key file must have
> the corresponding private key.
>

Thanks, Viktor. That seems like a shove in the right direction. I'll give
that a go.


Re: Was the Dovecot working well?

2016-11-15 Thread Sean Greenslade
On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
> Fail2ban might be able to do the whack-a-mole in a sensible manner that
> allowed for innocent interruptions but banned the bad guys

For the kind of attempts I typically see, F2B won't do much. It's
usually not a brute force type of attack. Generally it's only a single
connection that either attempts to fingerprint the server (checking for
known vulns) or just tries a few "easy" passwords (e.g. root/root,
pi/raspberry).

I would suggest simple connection rate limiting and enforcing strong
passwords as a better (in my opinion) option.

--Sean



Re: Move deferred mails to another SMTP server

2016-11-15 Thread Wietse Venema
Aban Dokht:
> Hi all,
> 
> I'm searching for a hint, how to move deferred mails to another SMTP 
> server after an adjustable time, e.g. after 4 hours.
> 
> I've already found the fallback_relay setting, but this will move 
> deferred mails immediately after the first failed delivery attempt.

If you want to get mail out quickly, smtp_fallback_relay is a better
solution than letting email sit in the queue for 4 hours.

High-volume deliveries require short SMTP timeouts (10-20 seconds
at most), while problematic destinations require much longer timeouts.
The two are incompatible with each other.

Wietse


Re: use of dash [and other] characters in parameter names

2016-11-15 Thread Wietse Venema
btb:
> On 2016.11.15 11.44, Wietse Venema wrote:
> > btb:
> >> since parameters can be user defined, i think it would be good if
> >> the documentation stated this, maybe in postconf(5)?  it would
> >> alleviate guessing games.
> >> 
> >> possibly something like:
> >> 
> >> Postfix main.cf file format [...] ? A logical line starts with
> >> non-whitespace text. A line that starts with whitespace continues a
> >> logical line.
> >> 
> >> ? Parameter names are limited to the character set [a-zA-z0-9_].
> > 
> > This is inaccurate. The above parameter name syntax limitation exists
> > only with $name or ${name}, i.e. when a parameter value is used
> > in another parameter setting. A name can contain any non-space 
> > character with 'name = value' or with master.cf service names.
> 
> i see, thanks for clarifying this
> 
> > Would spelling out such intricate rules make Postfix easier to use?
> 
> i can't speak for everyone, of course, but it might, if it could be done
> concisely.  when postfix tells me there was a syntax error, i've become
> accustomed to finding valid syntax defined in the documentation.
> 
> would this be acceptable?:
> 
> The expressions "$name" and "${name}" are recursively replaced with the
> value of the named parameter, except where noted. An undefined parameter
> value is replaced with the empty value.  Named parameters are limited to
> the character set [a-zA-Z0-9_].

The disclaimer applies to all other ${...} forms. I will add similar
text there.

Wietse


RE: Using consecutive IPs in a client access file

2016-11-15 Thread Gomes, Rich
Awesome!

Thank you, I will give this a shot.

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Bill Cole
Sent: Tuesday, November 15, 2016 6:20 PM
To: Postfix users 
Subject: Re: Using consecutive IPs in a client access file

On 15 Nov 2016, at 13:07, Gomes, Rich wrote:

> Just a quick question since I have not found a way in my Googling.
>
> We are  replacing some of our internal Exchange relays with postfix.
> Currently we have other internal postfix relays which utilize a client 
> access file to allow relaying.
> The file contains all single IPs, no ranges.
>
> The exchange servers have some groups of consecutive IPs on their 
> allow list, some cover 5 or 6 IPs, others 100.
> Is there a way to provide the same list .i.e.
> 192.168.0.2-12  OK
>
> without:
>
> Listing them all individually
> i.e.
> 192.168.0.2   OK
> 192.168.0.3   OK
> Etc...
> Or
> Allowing an entire subnet
> 192.168.0.0/24  OK
>
>
> If not possible, that's fine, I will just list them by hand, just 
> hoping there was a native way to do it.

No, there's not.

However, I happened to have an old Perl script laying around for other purposes 
that took about 2 minutes to turn into something that takes a loosely-formatted 
text file with one IP spec (single, range, or CIDR) per line and spits out a 
Postfix CIDR table with the aggregate of all specs in a minimal set of CIDR 
blocks, each with OK as the action. On many systems you'd need to install the 
Net::CIDR::Lite Perl module for this to work. If your input is a clean list of 
single IPs and ranges, one per line, you can remove lines 17-25 (which are an 
artifact of my original script's loose input.)

#!/usr/bin/env perl
# Input file is text with lines of the general form:
#
#  [IP|IP range|CIDR][whitespace+comment]
#
# Ranges are de-spaced, then anything from the first whitespace to EOL is discarded
#
# Output is a Postfix CIDR table with lines of form:
#
#  OK

use Net::CIDR::Lite;

$list=Net::CIDR::Lite->new ;
while (<>)
{
# de-space ranges
s/ ?- ?/-/;

# toss out comments after the IP spec & whitespace
s/\s+.*//;

# oops, this was an indented line with no IP spec, move along
next if ( !  m/./ );

# canonicalize shorthanded ranges
if ( m/^\d+\.\d+\.\d+\.\d+-\d+$/) {
   s/^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$/$1.$2.$3.$4-$1.$2.$3.$5/;
}
$list->add_any($_);
}

$list->clean();
@cidrs=$list->list;

foreach $cidr (@cidrs) { print "$cidr\tOK\n"; }



Re: Using consecutive IPs in a client access file

2016-11-15 Thread Bill Cole

On 15 Nov 2016, at 13:07, Gomes, Rich wrote:


> Just a quick question since I have not found a way in my Googling.
>
> We are  replacing some of our internal Exchange relays with postfix.
> Currently we have other internal postfix relays which utilize a client
> access file to allow relaying.
> The file contains all single IPs, no ranges.
>
> The exchange servers have some groups of consecutive IPs on their
> allow list, some cover 5 or 6 IPs, others 100.
> Is there a way to provide the same list .i.e.
> 192.168.0.2-12  OK
>
> without:
>
> Listing them all individually
> i.e.
> 192.168.0.2 OK
> 192.168.0.3 OK
> Etc...
> Or
> Allowing an entire subnet
> 192.168.0.0/24  OK
>
>
> If not possible, that's fine, I will just list them by hand, just
> hoping there was a native way to do it.


No, there's not.

However, I happened to have an old Perl script laying around for other 
purposes that took about 2 minutes to turn into something that takes a 
loosely-formatted text file with one IP spec (single, range, or CIDR) 
per line and spits out a Postfix CIDR table with the aggregate of all 
specs in a minimal set of CIDR blocks, each with OK as the action. On 
many systems you'd need to install the Net::CIDR::Lite Perl module for 
this to work. If your input is a clean list of single IPs and ranges, 
one per line, you can remove lines 17-25 (which are an artifact of my 
original script's loose input.)


#!/usr/bin/env perl
# Input file is text with lines of the general form:
#
#  [IP|IP range|CIDR][whitespace+comment]
#
# Ranges are de-spaced, then anything from the first whitespace to EOL is discarded
#
# Output is a Postfix CIDR table with lines of form:
#
#  OK

use Net::CIDR::Lite;

$list=Net::CIDR::Lite->new ;
while (<>)
{
   # de-space ranges
   s/ ?- ?/-/;

   # toss out comments after the IP spec & whitespace
   s/\s+.*//;

   # oops, this was an indented line with no IP spec, move along
   next if ( !  m/./ );

   # canonicalize shorthanded ranges
   if ( m/^\d+\.\d+\.\d+\.\d+-\d+$/) {
      s/^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$/$1.$2.$3.$4-$1.$2.$3.$5/;
   }
   $list->add_any($_);
}

$list->clean();
@cidrs=$list->list;

foreach $cidr (@cidrs) { print "$cidr\tOK\n"; }



Move deferred mails to another SMTP server

2016-11-15 Thread Aban Dokht

Hi all,

I'm searching for a hint, how to move deferred mails to another SMTP 
server after an adjustable time, e.g. after 4 hours.


I've already found the fallback_relay setting, but this will move 
deferred mails immediately after the first failed delivery attempt.


Any idea, how to move deferred mails after x failed delivery attempts or 
x hours to another SMTP relay?



--
 Aban Dokht   aban.do...@abando.de
--



Re: regexp for allowing helo host

2016-11-15 Thread Bill Cole

On 15 Nov 2016, at 13:46, Eric Abrahamsen wrote:


> Eric Abrahamsen  writes:
>
> > I'm trying to successfully receive emails from my state's health care
> > service, which is apparently broken in the way it sends emails. These
> > are the errors:
> >
> > ericabrahamsen.net/smtpd[24193]: warning: hostname\
> >  mail-relay.secure-24.net does not resolve to address 199.71.239.178
> >
> > ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
> >  unknown[199.71.239.178]: 550 5.7.1\
> >  : Helo command rejected: Host\
> >  not found; from=\
> >  to= proto=ESMTP\
> >  helo=
> >
> > The helo host seems to change every time; at least there are a lot of
> > them.
> >
> > I just want to check here: is it safe to change my check_helo_access
> > from a hash to a regexp, and do:
> >
> > /msp.secure-24.net/ OK
> >
> > Is that likely to cause me any problems?
>
> Hmm, I just tried it, and it didn't actually work! Anyway, any advice on
> this would be much appreciated...


You've got reject_unknown_helo_hostname in a smtpd_*_restrictions list. 
Which one is unknown, as you've ignored the suggestions provided when 
you subscribed here and about a dozen times per week on the list about 
how to help us help you. The ordering of directives in each restriction 
list and which list has reject_unknown_helo_hostname in it determines 
how you would need to whitelist patterns against it. Provide postconf 
-nf output for more specific help.


Be aware that if you use reject_unknown_helo_hostname you will have a 
steady stream of cases for which  you will have to make special 
exceptions. How steady that stream is depends more on your volume and 
diversity of legitimate mail than on how heavily spammed you are.
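
A check for the pattern asked about in this thread, as an added example (not code from any poster): it audits OK rules in a Postfix regexp table for missing anchors and unescaped dots, then compares the posted pattern with a tightened form against constructed HELO names. Python's `re` stands in for the table's regexp engine, and the tightened pattern assumes the sender's HELO names all end in `.msp.secure-24.net`.

```python
import re

# "/pattern/flags  action" as written in a regexp access table.
RULE_RE = re.compile(r"^/(?P<pat>.+)/(?P<flags>[a-z]*)\s+(?P<action>\S+)")
# A dot that is neither escaped nor part of a deliberate ".*" style wildcard.
BARE_DOT = re.compile(r"(?<!\\)\.(?![*+?])")


def audit_rule(line):
    """Return findings for one table line; [] means nothing to report.

    Only OK rules are audited, because an over-broad OK widens what is
    accepted while an over-broad REJECT fails closed.
    """
    m = RULE_RE.match(line.strip())
    if not m or m["action"].upper() != "OK":
        return []
    pat, findings = m["pat"], []
    if not pat.endswith("$") or pat.endswith(r"\$"):
        findings.append("no $ anchor: any text may follow the name")
    if not (pat.startswith("^") or pat.startswith(r"\.")):
        findings.append("no ^ anchor or leading \\.: any text may precede the name")
    if BARE_DOT.search(pat):
        findings.append("unescaped dot: matches any character, not only '.'")
    return findings


def audit_table(text):
    """Map line number -> findings for every rule that has any."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings = audit_rule(line)
        if findings:
            report[lineno] = findings
    return report


def helo_allowed(pattern, helo):
    """True if the HELO name hits the rule (regexp tables ignore case by default)."""
    return re.search(pattern, helo, re.IGNORECASE) is not None


POSTED = "msp.secure-24.net"             # pattern from the post
TIGHT = r"\.msp\.secure-24\.net$"        # hypothetical tightened form (assumption)

# Constructed HELO names; HELO is whatever the connecting client chooses to send.
HELOS = [
    "out3.msp.secure-24.net",            # constructed name under the real suffix
    "msp.secure-24.net.example.org",     # suffix appended after the name
    "mspxsecure-24xnet.example.org",     # other characters where the dots are
]

if __name__ == "__main__":
    print(audit_table("/msp.secure-24.net/ OK\n/\\.msp\\.secure-24\\.net$/ OK\n"))
    for helo in HELOS:
        print(helo, helo_allowed(POSTED, helo), helo_allowed(TIGHT, helo))
```
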


ANN: vim syntax highlighting for Postfix

2016-11-15 Thread Patrick Ben Koetter
vim comes with syntax highlighting for Postfix, but the syntax file is
outdated and doesn't cover LDAP and other drivers.

For those who like an up to date syntax highlighting that reflects your
Postfix installation take a look at https://github.com/sys4/vim-postfix.

Christian (Rößner) took the time to create two scripts that will create syntax
files. The README tells how to install them. Worked out of the box for me.

p@rick


-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
 


Re: Blocking users sending spam

2016-11-15 Thread Przemysław.Orzechowski

On Tue, 15 Nov 2016 14:09:03 +0100, Volker Cordes 
wrote:
> Hello,
> 
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in germany).
> 
> Thanks,
> Volker

Hi,

cbpolicyd and a few other throttling solutions are effective (if the limits
are low enough to discourage spammers).

Besides them, I'm also using a script that traces the IPs from which a user
logged in within a time limit, and if there are more IP addresses than the set
limit, the user is locked out from sending mails.
The script actually counts 2 things, logins and amount of mails sent, and
locks out the user if the limit for either one in a time window is exceeded.
Lockout is achieved either by an update to a MySQL table or by modifying the
Postfix check_sender_access file.
Unblocking is from the command line, but it's quite effective most of the time.
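
The multi-IP check described above, as an added example that is not the poster's script: it scans Postfix smtpd log lines for SASL logins and flags an account once it has authenticated from more than `max_ips` distinct addresses inside a sliding time window. The log lines are constructed, and the thresholds, the `year` parameter and the REJECT text are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# smtpd logs one such line for each message accepted from an authenticated client.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"\w+: client=\S*\[(?P<ip>[^\]]+)\],.* sasl_username=(?P<user>\S+)"
)


def flag_accounts(lines, max_ips=3, window=timedelta(hours=1), year=2016):
    """Return {user: (time_flagged, sorted_ips)} for accounts seen from more
    than max_ips distinct client addresses within any span of `window`."""
    recent = defaultdict(deque)      # user -> (time, ip) events still in window
    flagged = {}
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue                 # not an authenticated-client line
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events = recent[m["user"]]
        events.append((when, m["ip"]))
        while when - events[0][0] > window:
            events.popleft()         # drop events that fell out of the window
        ips = {ip for _, ip in events}
        if len(ips) > max_ips and m["user"] not in flagged:
            flagged[m["user"]] = (when, sorted(ips))
    return flagged


def lockout_entries(flagged):
    """Render check_sender_access lines for the flagged accounts.

    Assumes each account uses its login name as envelope sender.
    """
    return [
        f"{user}\tREJECT account locked after logins from {len(ips)} addresses"
        for user, (_, ips) in sorted(flagged.items())
    ]


# Constructed log excerpt (documentation address ranges, made-up queue IDs).
SAMPLE_LOG = """\
Nov 15 01:00:00 mx postfix/smtpd[1900]: 1A00000001: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=carol@example.com
Nov 15 04:00:00 mx postfix/smtpd[1950]: 1A00000002: client=unknown[192.0.2.11], sasl_method=PLAIN, sasl_username=carol@example.com
Nov 15 08:00:00 mx postfix/smtpd[2000]: 1A00000003: client=unknown[192.0.2.12], sasl_method=PLAIN, sasl_username=carol@example.com
Nov 15 12:00:00 mx postfix/smtpd[2050]: 1A00000004: client=unknown[192.0.2.13], sasl_method=PLAIN, sasl_username=carol@example.com
Nov 15 12:58:10 mx postfix/smtpd[2101]: 3A1F0C0011: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 15 12:59:02 mx postfix/smtpd[2104]: 3A1F0C0012: client=unknown[203.0.113.19], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 15 13:00:45 mx postfix/smtpd[2107]: 3A1F0C0013: client=host.example.net[192.0.2.33], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 15 13:01:30 mx postfix/smtpd[2109]: 3A1F0C0014: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 15 13:02:11 mx postfix/smtpd[2111]: 3A1F0C0015: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 15 13:03:00 mx postfix/smtpd[2111]: disconnect from unknown[203.0.113.77]
Nov 15 17:30:00 mx postfix/smtpd[2300]: 3A1F0C0017: client=host.example.net[192.0.2.34], sasl_method=PLAIN, sasl_username=bob@example.com
"""

if __name__ == "__main__":
    hits = flag_accounts(SAMPLE_LOG.splitlines())
    print("\n".join(lockout_entries(hits)))
```
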



Re: Blocking users sending spam

2016-11-15 Thread Ralph Seichter
On 15.11.2016 14:09, Volker Cordes wrote:

> I was wondering if it is possible to [...] implement blocking using
> geoip-services (99% of our customers are based in germany).

Will any of the users be travelling and/or utilizing anonymity networks
like Tor (see https://www.torproject.org/)? Tor exit nodes are scattered
across the globe, so blocking by GeoIP (which by the way is not always
exact) can potentially have a downside.

-Ralph


Re: [postfix-users] Using consecutive IPs in a client access file

2016-11-15 Thread Kiss Gabor (Bitman)
> The exchange servers have some groups of consecutive IPs on their allow list, 
> some cover 5 or 6 IPs, others 100.
> Is there a way to provide the same list .i.e. 
> 192.168.0.2-12  OK
> 
> without:
> 
> Listing them all individually
> i.e. 
> 192.168.0.2   OK
> 192.168.0.3   OK
> Etc...
> Or 
> Allowing an entire subnet
> 192.168.0.0/24  OK

Try

192.168.0.2/31  OK
192.168.0.4/30  OK
192.168.0.8/30  OK
192.168.0.12    OK

or

192.168.0.0/31  REJECT
192.168.0.13    REJECT
192.168.0.14/31 REJECT
192.168.0.0/28  OK

or

192.168.0.0/31  REJECT
192.168.0.12    OK
192.168.0.12/29 REJECT
192.168.0.0/28  OK

Gabor
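
The range-to-CIDR conversion discussed in this thread, as an added example (not code from any poster): it turns single IPs, full ranges and the `192.168.0.2-12` shorthand into the smallest set of CIDR blocks, and replays a CIDR table with first-match semantics to list exactly which addresses end up with OK. Python's standard `ipaddress` module stands in for Net::CIDR::Lite; the function names, the constructed host `192.168.0.40` and the /24 check universe are assumptions of this example.

```python
import ipaddress


def expand_spec(spec):
    """Return the minimal list of networks covering one IP spec.

    Accepts a single IP, a CIDR block, a full range (a.b.c.d-a.b.c.e) or the
    last-octet shorthand from the thread (192.168.0.2-12).
    """
    spec = spec.strip()
    if "-" in spec:
        first, last = (part.strip() for part in spec.split("-", 1))
        if "." not in last:          # shorthand: only the last octet is given
            last = first.rsplit(".", 1)[0] + "." + last
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"range runs backwards: {spec}")
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=True refuses a prefix with host bits set instead of silently
    # widening it to the enclosing block (a choice made by this example).
    return [ipaddress.ip_network(spec, strict=True)]


def to_cidr_table(specs, action="OK"):
    """Aggregate all specs and render them as Postfix CIDR table lines."""
    nets = [net for spec in specs for net in expand_spec(spec)]
    lines = []
    for net in ipaddress.collapse_addresses(nets):
        pattern = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"{pattern}\t{action}")
    return lines


def parse_cidr_table(text):
    """Parse 'pattern action' lines into (network, action) pairs, in order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=True), action.split()[0]))
    return rules


def allowed_addresses(table_text, universe="192.168.0.0/24"):
    """List every address in `universe` whose first matching rule is OK."""
    rules = parse_cidr_table(table_text)
    allowed = []
    for ip in ipaddress.ip_network(universe):
        verdict = next((act for net, act in rules if ip in net), None)
        if verdict == "OK":
            allowed.append(str(ip))
    return allowed


# The range asked about in the thread, plus one constructed single host.
SPECS = ["192.168.0.2-12", "192.168.0.40"]

# The second table from the post above: order matters, because the first
# matching line wins, so the REJECT lines must precede the wider OK block.
REJECT_FIRST = """\
192.168.0.0/31   REJECT
192.168.0.13     REJECT
192.168.0.14/31  REJECT
192.168.0.0/28   OK
"""

if __name__ == "__main__":
    print("\n".join(to_cidr_table(SPECS)))
    print(allowed_addresses(REJECT_FIRST))
```

Running `allowed_addresses` over a hand-written table before deploying it confirms that the relay allow list covers the intended hosts and nothing more.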


Re: regexp for allowing helo host

2016-11-15 Thread Eric Abrahamsen
Eric Abrahamsen  writes:

> I'm trying to successfully receive emails from my state's health care
> service, which is apparently broken in the way it sends emails. These
> are the errors:
>
> ericabrahamsen.net/smtpd[24193]: warning: hostname\
>  mail-relay.secure-24.net does not resolve to address 199.71.239.178
>
> ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
>  unknown[199.71.239.178]: 550 5.7.1\
>  : Helo command rejected: Host\
>  not found; from=\
>  to= proto=ESMTP\
>  helo=
>
> The helo host seems to change every time; at least there are a lot of
> them.
>
> I just want to check here: is it safe to change my check_helo_access
> from a hash to a regexp, and do:
>
> /msp.secure-24.net/ OK
>
> Is that likely to cause me any problems?

Hmm, I just tried it, and it didn't actually work! Anyway, any advice on
this would be much appreciated...



Re: regexp for allowing helo host

2016-11-15 Thread John Peach
On 11/15/16 13:43, Eric Abrahamsen wrote:
> I'm trying to successfully receive emails from my state's health care
> service, which is apparently broken in the way it sends emails. These
> are the errors:
> 
> ericabrahamsen.net/smtpd[24193]: warning: hostname\
>  mail-relay.secure-24.net does not resolve to address 199.71.239.178


You could just whitelist 199.71.236.0/22

> 
> ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
>  unknown[199.71.239.178]: 550 5.7.1\
>  : Helo command rejected: Host\
>  not found; from=\
>  to= proto=ESMTP\
>  helo=
> 
> The helo host seems to change every time; at least there are a lot of
> them.
> 
> I just want to check here: is it safe to change my check_helo_access
> from a hash to a regexp, and do:
> 
> /msp.secure-24.net/ OK
> 
> Is that likely to cause me any problems?
> 
> Thanks!
> Eric
> 




-- 
John
PGP Public Key: 412934AC


regexp for allowing helo host

2016-11-15 Thread Eric Abrahamsen
I'm trying to successfully receive emails from my state's health care
service, which is apparently broken in the way it sends emails. These
are the errors:

ericabrahamsen.net/smtpd[24193]: warning: hostname\
 mail-relay.secure-24.net does not resolve to address 199.71.239.178

ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
 unknown[199.71.239.178]: 550 5.7.1\
 : Helo command rejected: Host\
 not found; from=\
 to= proto=ESMTP\
 helo=

The helo host seems to change every time; at least there are a lot of
them.

I just want to check here: is it safe to change my check_helo_access
from a hash to a regexp, and do:

/msp.secure-24.net/ OK

Is that likely to cause me any problems?

Thanks!
Eric



Re: Blocking users sending spam

2016-11-15 Thread P.V.Anthony

On 15/11/2016 21:09, Volker Cordes wrote:


I just stopped our server from sending out spam mails. A password from
one of our customers was hacked or somehow leaked so that the mails were
sent by an authenticated user. Now I was wondering if it is possible to
block users that authenticate themselves from a lot of different IP
addresses in a short timespan or to implement blocking using
geoip-services (99% of our customers are based in Germany).


I use the following,

http://wiki.policyd.org/start

with the quota module activated.

Then there is this cron script (found from the internet) that sends an 
email to the administrator once the user starts sending more than 50% of 
the limit set.


#!/bin/bash
#parameters:
#  0.5 ... if counter is above 50% of the limit
#  timestampdiff() <= 1 ... seen in the last hour

#if there are no results the output is empty, otherwise cron sends the
#result per mail

echo "select TrackKey, FROM_UNIXTIME(LastUpdate) as LastSeen, Counter,
CounterLimit, Counter / CounterLimit * 100 as Percentage from
quotas_tracking left join quotas_limits on quotasLimitsID =
quotas_limits.ID where Counter / CounterLimit > 0.5 and
TIMESTAMPDIFF(HOUR, FROM_UNIXTIME(LastUpdate), CURRENT_TIMESTAMP()) <= 1
order by counter desc;" | mysql --user=databaseuser --password=password database


P.V.Anthony









Using consecutive IPs in a client access file

2016-11-15 Thread Gomes, Rich
Just a quick question since I have not found a way in my Googling.

We are replacing some of our internal Exchange relays with postfix. 
Currently we have other internal postfix relays which utilize a client access 
file to allow relaying.
The file contains all single IPs, no ranges.

The exchange servers have some groups of consecutive IPs on their allow list, 
some cover 5 or 6 IPs, others 100.
Is there a way to provide the same list, i.e. 
192.168.0.2-12  OK

without:

Listing them all individually
i.e. 
192.168.0.2 OK
192.168.0.3 OK
Etc...
Or 
Allowing an entire subnet
192.168.0.0/24  OK


If not possible, that's fine, I will just list them by hand, just hoping there 
was a native way to do it.


Thanks,
Rich
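
An added example, not part of the original post: it turns a range written as in the question into the smallest set of CIDR blocks that cover exactly those addresses, one line per block in the form a Postfix cidr: table accepts. The function names are hypothetical; the conversion uses Python's ipaddress.summarize_address_range.

```python
import ipaddress


def parse_range(spec):
    """Parse '192.168.0.2-12' or '192.168.0.250-192.168.1.5' into two addresses."""
    first_text, dash, last_text = spec.strip().partition("-")
    first = ipaddress.IPv4Address(first_text.strip())
    last_text = last_text.strip()
    if not dash:
        last = first                                  # single address
    elif "." in last_text:
        last = ipaddress.IPv4Address(last_text)       # full end address
    else:
        octet = int(last_text)                        # short form: last octet only
        if not 0 <= octet <= 255:
            raise ValueError(f"bad last octet in {spec!r}")
        last = ipaddress.IPv4Address((int(first) & 0xFFFFFF00) | octet)
    if last < first:
        raise ValueError(f"range runs backwards: {spec!r}")
    return first, last


def cidr_table_lines(spec, action="OK"):
    """Cover the range exactly with the fewest CIDR blocks, one table line each."""
    first, last = parse_range(spec)
    return [f"{net} {action}"
            for net in ipaddress.summarize_address_range(first, last)]


def addresses_covered(lines):
    """Expand generated lines back into addresses, to verify nothing extra got in."""
    covered = []
    for line in lines:
        covered.extend(str(ip) for ip in ipaddress.ip_network(line.split()[0]))
    return covered


if __name__ == "__main__":
    for line in cidr_table_lines("192.168.0.2-12"):
        print(line)
```

The generated lines belong in a table referenced with the cidr: type (for example check_client_access cidr:/etc/postfix/relay_clients.cidr, a hypothetical path), because a hash: table does not interpret prefix lengths.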


Re: use of dash [and other] characters in parameter names

2016-11-15 Thread btb
On 2016.11.15 11.44, Wietse Venema wrote:
> btb:
>> since parameters can be user defined, i think it would be good if
>> the documentation stated this, maybe in postconf(5)?  it would
>> alleviate guessing games.
>> 
>> possibly something like:
>> 
>> Postfix main.cf file format [...] • A logical line starts with
>> non-whitespace text. A line that starts with whitespace continues a
>> logical line.
>> 
>> • Parameter names are limited to the character set [a-zA-z0-9_].
> 
> This is inaccurate. The above parameter name syntax limitation exists
> only with $name or ${name}, i.e. when a parameter value is used
> in another parameter setting. A name can contain any non-space 
> character with 'name = value' or with master.cf service names.

i see, thanks for clarifying this

> Would spelling out such intricate rules make Postfix easier to use?

i can't speak for everyone, of course, but it might, if it could be done
concisely.  when postfix tells me there was a syntax error, i've become
accustomed to finding valid syntax defined in the documentation.

would this be acceptable?:

The expressions "$name" and "${name}" are recursively replaced with the
value of the named parameter, except where noted. An undefined parameter
value is replaced with the empty value.  Named parameters are limited to
the character set [a-zA-Z0-9_].

-ben


Re: possible typo in postconf(5) documentation

2016-11-15 Thread btb
On 2016.11.15 11.32, Wietse Venema wrote:
> btb:
>> in the postconf(5) documentation, the format section says:
>> 
>> The expressions "${name:value}" and "${name?{value}}" are replaced
>> with "value" when "$name" is empty. These forms are supported with
>> Postfix versions ≥ 2.2 and ≥ 3.0, respectively.
>> 
>> should the ? in "${name?{value}}" be a :?
> 
> Yes. This was corrected in Postfix 3.1.

it looks like it may have been missed in html/postconf.5.html and
proto/postconf.html.prolog, at least as of postfix-3.2-20161106.

-ben


Re: use of dash [and other] characters in parameter names

2016-11-15 Thread Wietse Venema
btb:
> since parameters can be user defined, i think it would be good if the
> documentation stated this, maybe in postconf(5)?  it would alleviate
> guessing games.
> 
> possibly something like:
> 
> Postfix main.cf file format
> [...]
> • A logical line starts with non-whitespace text. A line that starts
> with whitespace continues a logical line.
> 
> • Parameter names are limited to the character set [a-zA-z0-9_].

This is inaccurate. The above parameter name syntax limitation
exists only with $name or ${name}, i.e. when a parameter value
is used in another parameter setting. A name can contain any non-space
character with 'name = value' or with master.cf service names.

Would spelling out such intricate rules make Postfix easier to use?

Wietse


Re: possible typo in postconf(5) documentation

2016-11-15 Thread Wietse Venema
btb:
> in the postconf(5) documentation, the format section says:
> 
> The expressions "${name:value}" and "${name?{value}}" are replaced with
> "value" when "$name" is empty. These forms are supported with Postfix
> versions ≥ 2.2 and ≥ 3.0, respectively.
> 
> should the ? in "${name?{value}}" be a :?

Yes. This was corrected in Postfix 3.1.

Wietse


Re: Temporary storage of email per SMTP daemon

2016-11-15 Thread Wietse Venema
max:
> Let me try to describe what we try to achieve.
> 
> We want to intercept e-mail from the different servers (preferably in
> separated mail boxes), do some content inspection and send them out again at
> a later time.
> 
> We'd use java mail to do the content inspection, strip CC and BCC and use
> X-Original-To header to re-inject it into postfix. 
> 
> What would be a better solution? We'd consider filters, but that doesn't
> solve the scheduling.

You can combine the Postfix content filter mechanism with the 'hold'
action.  For example:

/etc/postfix/master.cf:
    smtp .. .. .. .. smtpd
        -o smtpd_client_restrictions=static:hold
        -o content_filter=foo:bar

(note: no space around the '=').

See FILTER_README for content filter options.

Issue the 'postsuper -H' command to release a message and have its
content inspected.

You can programmatically inspect the queue with "postqueue -j" (JSON
output, available with Postfix 3.1 and later) or "postqueue -p"
(roll your own parser).

Wietse
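
An added example, not part of the original message: one way to drive the scheduling from "postqueue -j" output, selecting messages that have sat in the hold queue for a minimum time and building the matching "postsuper -H" calls. The sample records are constructed, and the function names, timestamps and thresholds are assumptions.

```python
import json
import re

# Queue IDs are alphanumeric (short hexadecimal or long form); anything else
# is refused before it can end up on a command line.
QUEUE_ID = re.compile(r"^[0-9A-Za-z]+$")

# Constructed sample of "postqueue -j" output: one JSON object per line.
SAMPLE = """\
{"queue_name": "hold", "queue_id": "3A1F2C0D9E", "arrival_time": 1479200000, "message_size": 2210, "sender": "app@server1.example", "recipients": [{"address": "user@example.org"}]}
{"queue_name": "hold", "queue_id": "3A1F2C0DA7", "arrival_time": 1479206000, "message_size": 1804, "sender": "app@server2.example", "recipients": [{"address": "other@example.org"}]}
{"queue_name": "deferred", "queue_id": "3A1F2C0DB1", "arrival_time": 1479100000, "message_size": 990, "sender": "app@server3.example", "recipients": [{"address": "x@example.net", "delay_reason": "connection timed out"}]}
"""


def held_messages_due(postqueue_json, now, min_age):
    """Return queue IDs in the hold queue that arrived at least min_age seconds ago."""
    due = []
    for line in postqueue_json.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("queue_name") != "hold":
            continue                       # only messages parked by the hold action
        queue_id = entry.get("queue_id", "")
        if not QUEUE_ID.match(queue_id):
            raise ValueError(f"unexpected queue id: {queue_id!r}")
        if now - entry["arrival_time"] >= min_age:
            due.append(queue_id)
    return due


def release_commands(queue_ids):
    """Build one argv list per message, suitable for subprocess.run()."""
    return [["postsuper", "-H", queue_id] for queue_id in queue_ids]


if __name__ == "__main__":
    for argv in release_commands(held_messages_due(SAMPLE, 1479207600, 3600)):
        print(" ".join(argv))
```
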


Re: Blocking users sending spam

2016-11-15 Thread Sebastian Nielsen
I would say that GeoIP would be the best.
And those users that need to travel need to pre-request travelling access 
through a captcha-protected AND geoip restricted web interface prior to 
travelling. (but once opened, they can extend access out-of-country)

And then they need to specify time spent away. (which will be deducted from 
their total)

Also to prevent people from opening travel access without need, make it so they 
can open a maximum let's say TOTAL=30 days per 180 days.

Volker Cordes wrote: (15 November 2016 14:09:03 CET)
>Hello,
>
>I just stopped our server from sending out spam mails. A password from
>one of our customers was hacked or somehow leaked so that the mails
>were
>sent by an authenticated user. Now I was wondering if it is possible to
>block users that authenticate themselves from a lot of different IP
>addresses in a short timespan or to implement blocking using
>geoip-services (99% of our customers are based in Germany).
>
>Thanks,
>Volker




possible typo in postconf(5) documentation

2016-11-15 Thread btb
in the postconf(5) documentation, the format section says:

The expressions "${name:value}" and "${name?{value}}" are replaced with
"value" when "$name" is empty. These forms are supported with Postfix
versions ≥ 2.2 and ≥ 3.0, respectively.

should the ? in "${name?{value}}" be a :?

-ben


Re: Blocking users sending spam

2016-11-15 Thread D'Arcy Cain

On 2016-11-15 08:09 AM, Volker Cordes wrote:

Hello,

I just stopped our server from sending out spam mails. A password from
one of our customers was hacked or somehow leaked so that the mails were
sent by an authenticated user. Now I was wondering if it is possible to
block users that authenticate themselves from a lot of different IP
addresses in a short timespan or to implement blocking using
geoip-services (99% of our customers are based in Germany).


I simply throttle my users.  We offer mailing list access (mailman) so 
there is hardly ever any reason to bulk send from a personal account.  I 
picked 100 as a reasonable number of messages to send in an hour and 
check the previous hour every 15 minutes.  If the above happens they get 
stopped very quickly.  I also get email so that I can deal with the 
user.  I let them know that I can temporarily whitelist them if they do 
have a legitimate need to send out a one time mass mailing.



--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net


Re: Blocking users sending spam

2016-11-15 Thread Florian Piekert
On 15.11.2016 at 14:09, Volker Cordes wrote:

Good afternoon Volker,
dear List.

We had a similar incident last year. What I then did was to parse the
logfiles on a daily basis to check where the logins occur from. We have a
customer base from Germany mainly (except business travelling people), so I
compiled a list of most probable ip ranges/dyn dialup domains, against whom
I grep -v the logfile entries and then get a mail each midnight of the ones
not matching those expectations.

I can see that geo blocking may be a solution, but with globally travelling
people it's not really an option. Same applies to a lot of changes of ips
(if they come from the same range, e.g. provider).

I know it's far from perfect, but from an 80:20 approach a good one. You can
probably put in (much) more effort to produce a maybe more reliable,
automated approach of some kind. And yes, it was a pure reactive measure and
of course did not prevent setting off spams until we noticed (actually it
never happened since then, so I can't really tell)...

> Hello,
> 
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).
> 
> Thanks,
> Volker
> 
> 

===
Note:  this message was  send by me *only* if the  eMail message contains a
correct pgp signature corresponding to my address at  flo...@floppy.org. Do
you need my  PGP  public key? Check out http://www.floppy.org or send me an
email with  the subject "send pgp public key" to  this address of mine.Thx!





Blocking users sending spam

2016-11-15 Thread Volker Cordes
Hello,

I just stopped our server from sending out spam mails. A password from
one of our customers was hacked or somehow leaked so that the mails were
sent by an authenticated user. Now I was wondering if it is possible to
block users that authenticate themselves from a lot of different IP
addresses in a short timespan or to implement blocking using
geoip-services (99% of our customers are based in Germany).

Thanks,
Volker
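
An added example, not part of the original post: detection logic for the first idea in the question, flagging accounts that authenticate from many different client addresses within a short window, run over Postfix smtpd log lines. The log lines are constructed, and the window length and address threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in the format Postfix smtpd uses for authenticated mail.
SAMPLE_LOG = """\
Nov 15 09:00:00 mx postfix/smtpd[2090]: 4A1B2C3C01: client=unknown[203.0.113.21], sasl_method=PLAIN, sasl_username=carol@example.com
Nov 15 11:00:00 mx postfix/smtpd[2095]: 4A1B2C3C02: client=unknown[203.0.113.22], sasl_method=PLAIN, sasl_username=carol@example.com
Nov 15 13:00:05 mx postfix/smtpd[2101]: 4A1B2C3D01: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 15 13:01:00 mx postfix/smtpd[2102]: 4A1B2C3D02: client=host.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 15 13:02:10 mx postfix/smtpd[2103]: 4A1B2C3D03: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 15 13:03:00 mx postfix/smtpd[2104]: 4A1B2C3D04: client=host.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 15 13:04:40 mx postfix/smtpd[2105]: 4A1B2C3D05: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 15 13:05:00 mx postfix/smtpd[2106]: 4A1B2C3D06: client=unknown[203.0.113.50]
Nov 15 13:06:15 mx postfix/smtpd[2107]: 4A1B2C3D07: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 15 13:30:00 mx postfix/smtpd[2110]: 4A1B2C3D08: client=unknown[203.0.113.23], sasl_method=PLAIN, sasl_username=carol@example.com
Nov 15 15:00:00 mx postfix/smtpd[2120]: 4A1B2C3D09: client=unknown[203.0.113.24], sasl_method=PLAIN, sasl_username=carol@example.com
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: \w+: "
    r"client=\S*?\[(?P<ip>[^\]]+)\], .*sasl_username=(?P<user>\S+)"
)


def flag_accounts(lines, window=timedelta(minutes=10), max_ips=3, year=2016):
    """Return {user: sorted addresses} for users seen from more than max_ips
    distinct client addresses inside any sliding window of the given length."""
    recent = defaultdict(deque)            # user -> (time, ip) pairs in the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # not an authenticated submission
        # Syslog timestamps carry no year, so one is assumed.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = recent[m["user"]]
        seen.append((when, m["ip"]))
        while when - seen[0][0] > window:  # drop logins older than the window
            seen.popleft()
        ips = {ip for _, ip in seen}
        if len(ips) > max_ips:
            flagged.setdefault(m["user"], set()).update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    for user, ips in flag_accounts(SAMPLE_LOG).items():
        print(user, ips)
```
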



Interaction between restriction classes and milter.

2016-11-15 Thread mailing lists
Helo all,
What I am trying to do is whitelist cidr ranges stored in a mysql database and 
fallback to smtp auth for the previous unmatched ip addresses. This is the 
pseudocode:
if (client_ip in whitelist_mysql_cidr_ranges) {
    accept
} else if (sender is smtp_authenticated) {
    accept
} else {
    reject
}

for individual ip addresses (key-value tables) I would use something like this:

smtpd_relay_restrictions = permit_mynetworks,
    check_client_access mysql:/etc/postfix/mysql_whitelist.conf,
    permit_sasl_authenticated, reject

since postfix only can use cidr with local files, I use a milter (mimedefang) 
to do the cidr whitelist part, but milter and restriction classes seem to be two 
separate mechanisms so this configuration isn't possible, am I right??
The only way seems to be to use a different port with a submission service 
configured.


Re: Temporary storage of email per SMTP daemon

2016-11-15 Thread max
Let me try to describe what we try to achieve.

We want to intercept e-mail from the different servers (preferably in
separated mail boxes), do some content inspection and send them out again at
a later time.

We'd use java mail to do the content inspection, strip CC and BCC and use
X-Original-To header to re-inject it into postfix. 

What would be a better solution? We'd consider filters, but that doesn't
solve the scheduling.

Hope you can point us in the right direction.

Thanx







--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Temporary-storage-of-email-per-SMTP-daemon-tp87257p87259.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Temporary storage of email per SMTP daemon

2016-11-15 Thread Viktor Dukhovni

> On Nov 15, 2016, at 5:07 AM, max  wrote:
> 
> We set up a postfix mailserver (192.168.0.1) as a relay for our internal
> network. All e-mail (disregarded the final destination) should be stored on
> this machine for a period of time before we re-inject the email into postfix
> and relay it to our outgoing mailserver (192.168.0.2) who'll deliver it to
> the final destination.

The design appears to have a show-stopper critical bug.
You're losing the original message's envelope recipients,
and therefore cannot resume forward delivery without losing
Bcc recipients and serious risk of email loops.

> Our current setup looks like this and all seems to work.

Looks rather broken to me.

> 
> main.cf
> #
> inet_interfaces = localhost, 192.168.0.1
> mydestination = $myhostname
> relayhost = 192.168.0.2:25
> mynetworks = localhost
> home_mailbox = inbox/
> #
> 
> master.cf
> 
> #
> smtp inet  n   -   n   -   -   smtp
> 
> 192.168.0.1:10025 inet  n   -   n   -   -   smtp
> -o cleanup_service_name=cleanupserver1
> -o mynetworks=192.168.0.3
> 
> cleanupserver1 unix  n   -   n   -   0   cleanup
> -o virtual_alias_maps=static:server1

Destroys the envelope recipient information.

> 192.168.0.1:20025 inet  n   -   n   -   -   smtp
> -o cleanup_service_name= cleanupserver2
> -o mynetworks=192.168.0.4
> 
> cleanupserver2 unix  n   -   n   -   0   cleanup
> -o virtual_alias_maps=static:server2

Ditto.

> 
> 192.168.0.1:30025 inet  n   -   n   -   -   smtp
> -o cleanup_service_name= cleanupserver3
> -o mynetworks=192.168.0.5
> 
> cleanupserver3 unix  n   -   n   -   0   cleanup
> -o virtual_alias_maps=static:server3

Ditto.

> On this server we created accounts server1, server2, server3 etc. All
> incoming e-mail is delivered to /home/server1/inbox/, /home/server2/inbox/,
> /home/server3/inbox/ etc.

After which time, it is unsafe (i.e. you MUST NOT attempt) to re-inject
the mail for onward delivery.

> Any suggestions?

Stop.  What problem is this supposed to solve?

-- 
Viktor.



Temporary storage of email per SMTP daemon

2016-11-15 Thread max
Hi,

We set up a postfix mailserver (192.168.0.1) as a relay for our internal
network. All e-mail (disregarded the final destination) should be stored on
this machine for a period of time before we re-inject the email into postfix
and relay it to our outgoing mailserver (192.168.0.2) who'll deliver it to
the final destination. 

We'd prefer separate mail directories per source (server1 (192.168.0.3) ,
server2 (192.168.0.4), server3 (192.168.0.5) etc).

Our current setup looks like this and all seems to work.

main.cf
#
inet_interfaces = localhost, 192.168.0.1
mydestination = $myhostname
relayhost = 192.168.0.2:25
mynetworks = localhost
home_mailbox = inbox/
#

master.cf

#
smtp inet  n   -   n   -   -   smtp

192.168.0.1:10025 inet  n   -   n   -   -   smtp
 -o cleanup_service_name=cleanupserver1
 -o mynetworks=192.168.0.3

cleanupserver1 unix  n   -   n   -   0   cleanup
 -o virtual_alias_maps=static:server1

192.168.0.1:20025 inet  n   -   n   -   -   smtp
 -o cleanup_service_name= cleanupserver2
 -o mynetworks=192.168.0.4

cleanupserver2 unix  n   -   n   -   0   cleanup
 -o virtual_alias_maps=static:server2

192.168.0.1:30025 inet  n   -   n   -   -   smtp
 -o cleanup_service_name= cleanupserver3
 -o mynetworks=192.168.0.5

cleanupserver3 unix  n   -   n   -   0   cleanup
 -o virtual_alias_maps=static:server3
#

On this server we created accounts server1, server2, server3 etc. All
incoming e-mail is delivered to /home/server1/inbox/, /home/server2/inbox/,
/home/server3/inbox/ etc.

First: Is there a way of making this more scalable (upscale without adding
services to the master.cf)?

Second: We would like to use virtual mailboxes instead so we don't have to
create user accounts for all mailboxes. I tried to change
virtual_mailbox_maps per smtp and cleanup instance but that didn't seem to
work. 

Any suggestions?

Thanx




--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Temporary-storage-of-email-per-SMTP-daemon-tp87257.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Was the Dovecot working well?

2016-11-15 Thread Ron Wheeler
Fail2ban might be able to do the whack-a-mole in a sensible manner that 
allowed for innocent interruptions but banned the bad guys


Ron
On 14/11/2016 11:39 PM, Sean Greenslade wrote:

On Mon, Nov 14, 2016 at 08:21:24PM -0800, vod vos wrote:

so are there any configurations to auto ban this kind of visit, like postfix 
postscreen?

or, I should write firewall rules to do the job?

I don't know if dovecot provides such functionality. I personally don't
bother, since it quickly becomes a game of whack-a-mole. Plus, it's not
always a malicious event. If the connection gets interrupted before the
client sends its auth credentials, it looks the same as this type of
scan.

Basically, make sure users are using good, secure passwords, and make
sure your software is all up to date.

--Sean





--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102