Re: python-policyd-spf doesn't check mail from my own domain

2018-01-30 Thread Dominic Raferd
On 31 January 2018 at 03:44, li...@lazygranch.com  wrote:
> On Tue, 30 Jan 2018 10:50:18 +
> Dominic Raferd  wrote:
>
>> On 30 January 2018 at 10:11, li...@lazygranch.com
>>  wrote:
>> > I've installed the opendmarc milter. I'm not rejecting mail from it
>> > at the moment. I've noticed that if I send myself a message, the
>> > policyd-spf milter isn't run. That in turn causes mail I send
>> > myself to fail in opendmarc. Any ideas?
>> >
>> > The various email verifiers do show that my email passes spf.
>> >
>> > It is easy enough just to whitelist your own domains from opendmarc,
>> > but that would allow spoofed email to get through.
>>
>> Which version of opendmarc? (opendmarc -V) If you have 1.3.2+ you can
>> use opendmarc's own spf instead (SPFSelfValidate True) - not reliable
>> for earlier versions though.
>>
>> Anyway, in general:
>>
>> /etc/opendmarc.conf:
>> ...
>> IgnoreAuthenticatedClients true
>> IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
>> ...
>>
>> /etc/opendkim.conf:
>> ...
>> InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
>> ...
>>
>> /etc/postfix/opendmarc-ignorehosts.txt
>> # emails from localhost are not authenticated but should be signed by
>> # opendkim and not tested by opendmarc
>> 127.0.0.1
>> # similarly any ips from which we accept unauthenticated originating
>> # emails (e.g. lan, or none)
>
>
> opendmarc: OpenDMARC Filter v1.3.2
> SMFI_VERSION 0x101
> libmilter version 1.0.1
> Active code options:
> WITH_SPF
> WITH_SPF2
>
> I suppose it is dumb to check spf if authenticated, but then again dkim
> is checked.
>
> I will work on the bypasses as suggested. I kind of like the
> python-policyd-spf since...well...it is working. (Something that works
> is something I don't like to change.)
>
> Still I wonder what part of the email food chain determines that spf
> wasn't needed. I commented out the local reference in
> python-policyd-spf, but that didn't change anything.
>
> Lots of spam gets marked as fail in opendmarc. I can't wait to start
> "trusting" it.

It shouldn't be a problem to continue using python-policyd-spf. You
would expect it to give a fail when testing mail from authenticated
clients. Opendkim needs to run in such cases not to test them but to
add the dkim header.

I use opendmarc (obvs) but I have to say I don't see it blocking many
emails. Looking at my records over a few months: 38000 mails came
through of which 50 were rejected by opendmarc and 30 quarantined. Of
those 80, 34 appear to have come via mailing lists (including
postfix.org) so may just reflect senders using the mailing list but
with incompatible dmarc settings on their domain. The reality is that
comparatively few domains are set up with dmarc and with p=reject (or
p=quarantine). If you see a large number of opendmarc fails (in
opendmarc log: action!=2) then I fear there is something wrong with
your setup.

Here is my entire opendmarc.conf:

PidFile /var/run/opendmarc/opendmarc.pid
RejectFailures true
Syslog true
UMask 0002
UserID opendmarc:opendmarc
PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
IgnoreAuthenticatedClients true
AuthservID  myauthserv.tld
AuthservIDWithJobID yes
IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
Socket inet:8893@localhost
HistoryFile /var/tmp/opendmarc.log
RecordAllMessages True
# ignore any external spf results
SPFIgnoreResults True
# use internal spf checker
SPFSelfValidate True

and the matching /etc/opendkim.conf:

Syslog yes
SyslogSuccess yes
UMask 0002
Canonicalization relaxed/relaxed
OversignHeaders From
InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
Domain mydomain1.tld,mydomain2.tld,mydomain3.tld
KeyFile /etc/mail/dkim.key
Selector mail
Statistics /tmp/dkim-stats
AuthservID myauthserv.tld
AlwaysAddARHeader yes

I used postfix-policyd-spf-python until recently and these were my
settings in /etc/postfix-policyd-spf-python/policyd-spf.conf:
defaultSeedOnly = 1
HELO_reject = False
Mail_From_reject = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
# whitelist allows lan clients
Whitelist = 192.168.100.0/23
# not sure if Header_Type needs to be AR but it makes headers more
# consistent (default is SPF)
Header_Type = AR
# authserv_id must match the setting in opendmarc.conf
Authserv_Id = myauthserv.tld


Re: submission rate limit advice

2018-01-30 Thread Bastian Blank
On Wed, Jan 31, 2018 at 05:01:41AM +, Voytek wrote:
> # grep _limit main.cf

Please read http://www.postfix.org/DEBUG_README.html#mail and follow it.

> smtpd_client_connection_rate_limit = 12
> smtpd_client_connection_count_limit = 5

Well, here is your problem.

From the documentation:
| WARNING: The purpose of this feature is to limit abuse. It must not be
| used to regulate legitimate mail traffic.

> smtpd_soft_error_limit = 5
> smtpd_hard_error_limit = 10

Revert them to default, esp as the default is state dependent.

Bastian

-- 
Military secrets are the most fleeting of all.
-- Spock, "The Enterprise Incident", stardate 5027.4


Re: Connection reusing with smtp-relay.gmail.com port 465 or 587

2018-01-30 Thread Bastian Blank
On Tue, Jan 30, 2018 at 10:53:20PM -0600, Vladimir Hidalgo wrote:
> smtp_destination_concurrency_limit = 1

Please read again what this setting does.  Then remove it.

However I don't think GMail likes it to be used as mass mail sender.

> I see no conn_use on the log and I'm not sure if cache is also not
> supported on this SMTPS mode?

Nope, it is not.

Bastian

-- 
Live long and prosper.
-- Spock, "Amok Time", stardate 3372.7


Re: Connection reusing with smtp-relay.gmail.com port 465 or 587

2018-01-30 Thread Vladimir Hidalgo
Thank you Viktor, looks like my best bet is to have another
server that relays the TCP data from another port to
smtp-relay.gmail.com's port 25 just to bypass the random restriction
in Google Cloud and make use of connection caching to comply with their
requirements. Sadly, changing provider is not an option for me ATM.

Best regards.


Re: Connection reusing with smtp-relay.gmail.com port 465 or 587

2018-01-30 Thread Viktor Dukhovni


> On Jan 30, 2018, at 11:53 PM, Vladimir Hidalgo  wrote:
> 
> I'm using Postfix inside Google Cloud Compute Engine with outbound
> port 25 blocked by default and I want to use Postfix to relay email
> from my org.
> 
> I've set up both SSL and TLS modes successfully (diff installations)
> but the problem is that I generate a unique email for each of the
> 1000 recipients and sending this causes a DoS alert on Gmail after
> about 50 consecutive emails.
> 
> Their support advises reusing the connection to send more than 1 email
> per connection, but as per the documentation TLS / 587 is not
> supported for connection caching.
> 
> What about SMTPS on port 465? I've successfully configured Postfix by using:

Postfix does not support TLS connection re-use.  The destination port
plays no role in this, nor does use of wrapper-mode vs. STARTTLS.

I'm afraid you'll need to find a nexthop relay that is willing to accept
your mail traffic one message per connection.  You can configure a TLS
session cache (smtp_tls_session_cache_database) to reduce the cost of
setting up TLS for each message.  This may not appease the resource
limits imposed by your current relay provider, but it won't hurt.

-- 
Viktor.



Re: Configure Postfix for High Volume

2018-01-30 Thread Viktor Dukhovni


> On Jan 30, 2018, at 9:44 PM, Tech Gurus  wrote:
> 
> Just checking back if there is recommendation to increase outbound mail 
> delivery

First understand the source of the bottleneck.  To that end, the
"delays" field in your logs is the key data source to try to
understand the origin of the problem.  So far it looks like
the destination is congested.  If so, the solution is there.
It is not possible to deliver mail faster than the remote
end is able to accept it.

-- 
Viktor.
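
Added example (not part of the original message and not Postfix's own code): a small Python parser for the delays=a/b/c/d field of Postfix delivery log lines, where a is the time before the queue manager, b the time in the queue manager, c connection setup (DNS, HELO, TLS) and d message transmission. The log lines, host names and addresses are constructed; the first line reuses the delays values from the log entry posted in the Gmail relay thread.

```python
import re
from collections import defaultdict

# Stage names for the four delays=a/b/c/d fields (names chosen for this example).
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

NUM = r"\d+(?:\.\d+)?"
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|lmtp)\[\d+\]: (?P<qid>\w+): "
    r".*?relay=(?P<relay>[^,\[]+)"
    rf".*?delays=(?P<delays>{NUM}(?:/{NUM}){{3}})"
    r".*?status=(?P<status>\w+)"
)

# Constructed sample input, one log record per line (no e-mail line wrapping).
SAMPLE_LOG = """\
Jan 31 04:51:03 relay postfix/smtp[9728]: C0C926255F: to=<user1@example.org>, relay=smtp-relay.example.net[192.0.2.25]:465, delay=3541, delays=1885/1656/0.49/0.27, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 31 04:51:08 relay postfix/smtp[9728]: C0C9262560: to=<user2@example.org>, relay=smtp-relay.example.net[192.0.2.25]:465, delay=3546, delays=1885/1660/0.51/0.30, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 31 04:52:00 relay postfix/smtp[9730]: D1A0000001: to=<user3@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=9.4, delays=0.1/0.02/0.6/8.7, dsn=2.0.0, status=sent (250 ok)
Jan 31 04:52:01 relay postfix/qmgr[811]: D1A0000001: removed
"""


def parse_delivery(line):
    """Return qid, relay host, status and per-stage delays, or None if the
    line is not a delivery record from smtp(8)/lmtp(8)."""
    m = DELIVERY_RE.search(line)
    if m is None:
        return None
    values = [float(v) for v in m.group("delays").split("/")]
    return {
        "qid": m.group("qid"),
        "relay": m.group("relay"),
        "status": m.group("status"),
        "delays": dict(zip(STAGES, values)),
    }


def summarize(lines):
    """Per relay host: delivery count, mean delay per stage, the dominant
    stage, and the share of time spent locally (a+b) rather than talking
    to the remote server (c+d)."""
    totals = defaultdict(lambda: dict.fromkeys(STAGES, 0.0))
    counts = defaultdict(int)
    for line in lines:
        rec = parse_delivery(line)
        if rec is None:
            continue
        counts[rec["relay"]] += 1
        for stage, value in rec["delays"].items():
            totals[rec["relay"]][stage] += value

    report = {}
    for relay, n in counts.items():
        mean = {s: totals[relay][s] / n for s in STAGES}
        total = sum(mean.values())
        local = mean["before_qmgr"] + mean["in_qmgr"]
        report[relay] = {
            "deliveries": n,
            "mean": mean,
            "dominant": max(STAGES, key=mean.get),
            "local_share": local / total if total else 0.0,
        }
    return report


if __name__ == "__main__":
    for relay, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{relay}: n={info['deliveries']} dominant={info['dominant']} "
              f"local_share={info['local_share']:.3f}")
```

A high local share means the time went into queueing inside Postfix; a dominant c or d stage points at connection setup or at the remote end accepting mail slowly.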



submission rate limit advice

2018-01-30 Thread Voytek
I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from d27-99-95-44.bla2.nsw.optusnet.com.au[27.99.95.44] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from d27-99-95-44.bla2.nsw.optusnet.com.au[27.99.95.44] for
service submission
# grep 'rate limit' /var/log/maillog | grep 27.99.95.44 | wc
    113    1808   18784
#

currently have:

# grep _limit main.cf

smtpd_client_event_limit_exceptions = .yy
message_size_limit = 30971520
dovecot_destination_recipient_limit = 1
smtp-amavis_destination_recipient_limit = 1
body_checks_size_limit = 15
smtpd_client_connection_rate_limit = 12
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_junk_command_limit = 2
smtpd_client_connection_count_limit = 5
postscreen_command_count_limit = 8
postscreen_command_time_limit = 30
#






Connection reusing with smtp-relay.gmail.com port 465 or 587

2018-01-30 Thread Vladimir Hidalgo
Hi,

I'm using Postfix inside Google Cloud Compute Engine with outbound
port 25 blocked by default and I want to use Postfix to relay email
from my org.

I've set up both SSL and TLS modes successfully (diff installations)
but the problem is that I generate a unique email for each of the
1000 recipients and sending this causes a DoS alert on Gmail after
about 50 consecutive emails.

Their support advises reusing the connection to send more than 1 email
per connection, but as per the documentation TLS / 587 is not
supported for connection caching.

What about SMTPS on port 465? I've successfully configured Postfix by using:

relayhost = [smtp-relay.gmail.com]:465
smtp_use_tls = no
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_connection_cache_destinations = smtp-relay.gmail.com
connection_cache_ttl_limit = 5m
smtp_destination_concurrency_limit = 1
smtp_destination_rate_delay = 5s


And testing with 1000 emails in queue I got:

Jan 31 04:51:03 edited--email-relay-2 postfix/smtp[9728]: C0C926255F:
to=,
relay=smtp-relay.gmail.com[74.125.28.28]:465, delay=3541,
delays=1885/1656/0.49/0.27, dsn=2.0.0, status=sent (250 2.0.0 OK
1517374263 u74sm4385834itb.2 - gsmtp)


I see no conn_use on the log and I'm not sure if cache is also not
supported on this SMTPS mode?

Thanks for any advice on how to cache the connections!


Re: python-policyd-spf doesn't check mail from my own domain

2018-01-30 Thread li...@lazygranch.com
On Tue, 30 Jan 2018 10:50:18 +
Dominic Raferd  wrote:

> On 30 January 2018 at 10:11, li...@lazygranch.com
>  wrote:
> > I've installed the opendmarc milter. I'm not rejecting mail from it
> > at the moment. I've noticed that if I send myself a message, the
> > policyd-spf milter isn't run. That in turn causes mail I send
> > myself to fail in opendmarc. Any ideas?
> >
> > The various email verifiers do show that my email passes spf.
> >
> > It is easy enough just to whitelist your own domains from opendmarc,
> > but that would allow spoofed email to get through.  
> 
> Which version of opendmarc? (opendmarc -V) If you have 1.3.2+ you can
> use opendmarc's own spf instead (SPFSelfValidate True) - not reliable
> for earlier versions though.
> 
> Anyway, in general:
> 
> /etc/opendmarc.conf:
> ...
> IgnoreAuthenticatedClients true
> IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
> ...
> 
> /etc/opendkim.conf:
> ...
> InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
> ...
> 
> /etc/postfix/opendmarc-ignorehosts.txt
> # emails from localhost are not authenticated but should be signed by
> # opendkim and not tested by opendmarc
> 127.0.0.1
> # similarly any ips from which we accept unauthenticated originating
> # emails (e.g. lan, or none)


opendmarc: OpenDMARC Filter v1.3.2
SMFI_VERSION 0x101
libmilter version 1.0.1
Active code options:
WITH_SPF
WITH_SPF2

I suppose it is dumb to check spf if authenticated, but then again dkim
is checked. 

I will work on the bypasses as suggested. I kind of like the
python-policyd-spf since...well...it is working. (Something that works
is something I don't like to change.)

Still I wonder what part of the email food chain determines that spf
wasn't needed. I commented out the local reference in
python-policyd-spf, but that didn't change anything.

Lots of spam gets marked as fail in opendmarc. I can't wait to start
"trusting" it. 


Re: Configure Postfix for High Volume

2018-01-30 Thread Tech Gurus
Just checking back if there is recommendation to increase outbound mail
delivery.

On Fri, Jan 26, 2018 at 11:04 AM, Stephen Satchell 
wrote:

> On 01/25/2018 05:58 PM, Viktor Dukhovni wrote:
>
>> This is not good advice, it breaks delivery to other domains.  Much better
>> to run a local caching resolver.  Note also that the OP reports that
>> raising
>> concurrency does not improve throughput by much.  If DNS lookups were slow
>> higher concurrency would lead to a significant throughput increase.
>>
>
> +1
>
> In the dim, dark past, when I was mail administrator for a hosting
> company, I configured a PostFix instance (bare metal, not VM) that
> smart-hosted (I'm guessing) 40-50 instances of qmail and exim in Web
> control panel systems.  The outgoing mail volume was on the order of tens
> of thousands per hour.  (That server did per-domain throttling for the
> major mail services, to avoid being nailed by the traffic monitors on those
> services.)  At peak outgoing load, it still loafed.
>
> On that outbound MX server, I configured a local caching DNS server. The
> key to success was to configure the size of the memory cache up and up and
> up.  That limited the number of recursive look-ups that had to go
> off-system.
>
> For the incoming MX (on a separate box) I did something similar, yet
> another local caching DNS server, to ease the DNS resolver traffic for
> PostFix, DNSBLs, and spam assassin.
>
> The reason I don't recall the actual size of the DNS cache is that I
> "tuned" the size of each DNS cache until the amount of outbound query
> traffic was acceptable to me.  Neither box had minimum hold times set up,
> so it didn't do all that much for domains with short (~300 seconds or less)
> hold times, but those were a small percentage of the look-ups that were
> cached.
>
> N.B.:  Before doing the smarthost consolidation, my main DNS servers were
> running at red-line.
>


Re: Email and information helpfull to have in the headers/logs for police enquiries

2018-01-30 Thread Ghislain Adnet
Le 30/01/2018 à 19:26, Viktor Dukhovni a écrit :

> 
> http://www.postfix.org/postconf.5.html#smtpd_client_port_logging
> 

Oh, this one I did not find before, thanks a lot, I am going to try it ASAP.

Karol: yes, it is not a law that asks me to log them, but it is important to me
that if a bad guy blackmails or threatens a client of mine I can track the
IP+port so the ISP can go up the chain to expose him. Having IP+port is nothing
more than the IP we had for years before the IPv4 shortage and NAT systems
started to appear, so this is no more than what we have done for years.
Just adapting it to the current situation.

Karol: thanks, will have a look at postscreen too


Thanks for all your answers.

Best regards,
Ghislain.


Re: multi instance postfix with 2 IP address and 2 sending domains

2018-01-30 Thread Anvar Kuchkartaev
I have just modified the SPF record to a mx ip4:... ~all and included all IP 
addresses of the server. Since TTL was 5 seconds, propagation did not take 
long, but without luck.


The server has 4 IP addresses and the customer requested a send-only mail 
server on the 3rd and 4th addresses of their OpenVZ server. Postfix 
configured on the 3rd address as primary instance with "/etc/postfix" 
configs is working well.


I used:
http://www.linuxpcfix.com/configure-postfix-with-multiple-instances-on-centos/

as tutorial for multi instance postfix. What other options could be causing 
the issue?



On 30/01/18 22:32, Fabian A. Santiago wrote:

January 30, 2018 4:08 PM, "Anvar Kuchkartaev"  wrote:


currently the spf record of both domains is the same:
"v=spf1 a mx ptr ptr:sendingdomain1.com ptr:sendingdomain2.com ~all"

Might PTR be causing the issue because it is deprecated?

On 30/01/18 22:00, Fabian A. Santiago wrote:


January 30, 2018 3:56 PM, "Anvar Kuchkartaev"  wrote:


Hello,

I have configured server to support 2 sending IP addresses with corresponding 2 
sending domains.
DKIM, SPF, reverse hostname works correct, primary and secondary instances are 
setup with
corresponding myhostname and smtp_helo_name. smtp_bind_address also configured 
correct on both
instances. But for some reason Gmail or Microsoft Outlook detecting second 
domain as spam but first
one working well. How to debug this? I can provide any details if needed.

Best regards,

-- Anvar Kuchkartaev
an...@anvartay.com

do your spf record(s) specify both IP's? Maybe the 2nd domain uses the wrong IP 
as per your SPF
record?

--

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC

-- Anvar Kuchkartaev
an...@anvartay.com

not sure..hmmm. mine is structured as "mx a ... -all", with the IP addresses 
associated with my email server in CIDR format. but you do what is right for your 
domains. i've read that ptr records are used when more than one MX server (such as in a 
cluster) represent a domain's valid sending server(s).

--

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC


--
Anvar Kuchkartaev
an...@anvartay.com
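
Added example (not part of the original messages): an offline Python lint for the SPF record quoted in this thread. It flags the ptr mechanism (RFC 7208 section 5.5 says it should not be published), counts the terms that cause DNS queries against the limit of 10 (RFC 7208 section 4.6.4), reports the qualifier on "all", and checks whether each sending IP is listed explicitly via ip4/ip6. The sending IPs are constructed documentation addresses, and the a/mx/ptr mechanisms are not resolved, so "not listed" only means the address depends on live DNS.

```python
import ipaddress

# Terms that trigger DNS queries during SPF evaluation (RFC 7208 4.6.4).
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
MAX_LOOKUPS = 10
ALL_FINDINGS = {"+": "pass-all", "~": "softfail-all", "?": "neutral-all"}

# Record as quoted in the thread, and a constructed variant with explicit
# ip4 terms (the addresses are documentation placeholders).
PAGE_RECORD = '"v=spf1 a mx ptr ptr:sendingdomain1.com ptr:sendingdomain2.com ~all"'
EXPLICIT_RECORD = "v=spf1 a mx ip4:192.0.2.10 ip4:192.0.2.11 -all"
SENDING_IPS = ["192.0.2.10", "192.0.2.11"]


def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    fields = record.strip().strip('"').split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for raw in fields[1:]:
        qualifier, body = "+", raw
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        # The name ends at the first ':', '=' or '/' (or at end of term).
        cut = min((i for i in map(body.find, ":=/") if i != -1), default=len(body))
        name = body[:cut].lower()
        arg = body[cut + 1:] if body[cut:cut + 1] in (":", "=") else body[cut:]
        terms.append((qualifier, name, arg))
    return terms


def lint_spf(record, sending_ips=()):
    """Return lookup count, qualifier of 'all', findings, and whether each
    sending IP is covered by an explicit ip4/ip6 term."""
    findings, networks = [], []
    lookups, all_qualifier, has_redirect = 0, None, False

    for qualifier, name, arg in parse_terms(record):
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr-mechanism" + (":" + arg if arg else ""))
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append("bad-network:" + arg)
                continue
            if qualifier == "+":
                networks.append(net)
        elif name == "all" and all_qualifier is None:
            all_qualifier = qualifier
        elif name == "redirect":
            has_redirect = True

    if lookups > MAX_LOOKUPS:
        findings.append(f"too-many-lookups:{lookups}")
    if all_qualifier is None and not has_redirect:
        findings.append("no-all-term")
    elif all_qualifier in ALL_FINDINGS:
        # Informational: anything other than "-all" does not hard-fail
        # senders that match no mechanism.
        findings.append(ALL_FINDINGS[all_qualifier])

    explicit = {}
    for ip in sending_ips:
        addr = ipaddress.ip_address(ip)
        explicit[ip] = any(addr in net for net in networks)
        if not explicit[ip]:
            findings.append("ip-not-listed:" + ip)

    return {"lookups": lookups, "all": all_qualifier,
            "findings": findings, "explicit": explicit}


if __name__ == "__main__":
    for rec in (PAGE_RECORD, EXPLICIT_RECORD):
        print(rec, "->", lint_spf(rec, SENDING_IPS))
```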



Re: multi instance postfix with 2 IP address and 2 sending domains

2018-01-30 Thread Fabian A. Santiago
January 30, 2018 4:08 PM, "Anvar Kuchkartaev"  wrote:

> currently the spf record of both domains is the same:
> "v=spf1 a mx ptr ptr:sendingdomain1.com ptr:sendingdomain2.com ~all"
> 
> Might PTR be causing the issue because it is deprecated?
> 
> On 30/01/18 22:00, Fabian A. Santiago wrote:
> 
>> January 30, 2018 3:56 PM, "Anvar Kuchkartaev"  wrote:
>> 
>>> Hello,
>>> 
>>> I have configured server to support 2 sending IP addresses with 
>>> corresponding 2 sending domains.
>>> DKIM, SPF, reverse hostname works correct, primary and secondary instances 
>>> are setup with
>>> corresponding myhostname and smtp_helo_name. smtp_bind_address also 
>>> configured correct on both
>>> instances. But for some reason Gmail or Microsoft Outlook detecting second 
>>> domain as spam but first
>>> one working well. How to debug this? I can provide any details if needed.
>>> 
>>> Best regards,
>>> 
>>> -- Anvar Kuchkartaev
>>> an...@anvartay.com
>> 
>> do your spf record(s) specify both IP's? Maybe the 2nd domain uses the wrong 
>> IP as per your SPF
>> record?
>> 
>> --
>> 
>> Thanks,
>> 
>> Fabian S.
>> 
>> OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC
> 
> -- Anvar Kuchkartaev
> an...@anvartay.com

not sure..hmmm. mine is structured as "mx a ... -all", with the IP addresses 
associated with my email server in CIDR format. but you do what is right for 
your domains. i've read that ptr records are used when more than one MX server 
(such as in a cluster) represent a domain's valid sending server(s). 

--

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC


Re: multi instance postfix with 2 IP address and 2 sending domains

2018-01-30 Thread Anvar Kuchkartaev

currently the spf record of both domains is the same:
"v=spf1 a mx ptr ptr:sendingdomain1.com ptr:sendingdomain2.com ~all"

Might PTR be causing the issue because it is deprecated?


On 30/01/18 22:00, Fabian A. Santiago wrote:

January 30, 2018 3:56 PM, "Anvar Kuchkartaev"  wrote:


Hello,

I have configured server to support 2 sending IP addresses with corresponding 2 
sending domains.
DKIM, SPF, reverse hostname works correct, primary and secondary instances are 
setup with
corresponding myhostname and smtp_helo_name. smtp_bind_address also configured 
correct on both
instances. But for some reason Gmail or Microsoft Outlook detecting second 
domain as spam but first
one working well. How to debug this? I can provide any details if needed.

Best regards,

-- Anvar Kuchkartaev
an...@anvartay.com

do your spf record(s) specify both IP's? Maybe the 2nd domain uses the wrong IP 
as per your SPF record?

--

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC


--
Anvar Kuchkartaev
an...@anvartay.com



Re: multi instance postfix with 2 IP address and 2 sending domains

2018-01-30 Thread Fabian A. Santiago
January 30, 2018 3:56 PM, "Anvar Kuchkartaev"  wrote:

> Hello,
> 
> I have configured server to support 2 sending IP addresses with corresponding 
> 2 sending domains.
> DKIM, SPF, reverse hostname works correct, primary and secondary instances 
> are setup with
> corresponding myhostname and smtp_helo_name. smtp_bind_address also 
> configured correct on both
> instances. But for some reason Gmail or Microsoft Outlook detecting second 
> domain as spam but first
> one working well. How to debug this? I can provide any details if needed.
> 
> Best regards,
> 
> -- Anvar Kuchkartaev
> an...@anvartay.com

do your spf record(s) specify both IP's? Maybe the 2nd domain uses the wrong IP 
as per your SPF record?

--

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC


multi instance postfix with 2 IP address and 2 sending domains

2018-01-30 Thread Anvar Kuchkartaev

Hello,

I have configured a server to support 2 sending IP addresses with 
corresponding 2 sending domains. DKIM, SPF and reverse hostname work 
correctly; primary and secondary instances are set up with corresponding 
myhostname and smtp_helo_name. smtp_bind_address is also configured correctly 
on both instances. But for some reason Gmail or Microsoft Outlook 
detect the second domain as spam while the first one works well. How to debug 
this? I can provide any details if needed.


Best regards,

--
Anvar Kuchkartaev
an...@anvartay.com



Re: Email and information helpfull to have in the headers/logs for police enquiries

2018-01-30 Thread Andrew Sullivan
On Tue, Jan 30, 2018 at 05:27:40PM +, Karol Augustin wrote:
> 
> I don't know why it is important to you to log the port number so if you
> could explain I would be grateful.

It's because of a Large Scale Nat using address+port.  The same
address is given out to more than one ISP customer along with a range
of ports that they may use, and you can only identify the customer by
knowing both the address and the range of ports they're using.  This
will become more common in the future.

> You can deploy postscreen, which is a
> good idea anyway and you will have port numbers in the logs:

Yes, a good idea anyway.

Best regards,

A

-- 
Andrew Sullivan
a...@anvilwalrusden.com


Re: Email and information helpfull to have in the headers/logs for police enquiries

2018-01-30 Thread Viktor Dukhovni


> On Jan 30, 2018, at 11:44 AM, Ghislain Adnet  wrote:
> 
> In Postfix the IP is logged but not the TCP port. To be ahead of future legal 
> issues I wanted to know if there is a way
> to:
> 
> - add the TCP port to the log messages
> - add the TCP port to a header in the mail (so it sticks to it)


http://www.postfix.org/postconf.5.html#smtpd_client_port_logging

-- 
Viktor.



Re: Duplicate email troubleshooting

2018-01-30 Thread Viktor Dukhovni


> On Jan 30, 2018, at 10:55 AM, Asai  wrote:
> 
> I'm running into an issue with a mailbox that also has aliases assigned to it.
> 
> e.g. u...@domain.net has alias u...@domain.net, us...@otherdomain.net, and 
> us...@otherdomain.net
> 
> What's weird is user1 and user2 are getting duplicate emails, but I don't 
> have this problem with other users set up in a similar fashion.
> 
> I've tried to debug this, read the threads, pore over the logs, and do due 
> diligence on this, but I'm stumped.  I have amavis running spamassassin and 
> clamd.
> 
> Can anyone point me in the right direction on this?

When a message is sent to two recipient addresses, that happen to share the same
mailbox, duplicate delivery is often a fact of life.  Deduplication is 
ultimately
up to the mailstore and the mail-user-agent.

However, in Postfix, you can somewhat reduce the incidence of duplicate 
deliveries
with:

   http://www.postfix.org/postconf.5.html#enable_original_recipient

   enable_original_recipient = no

Whether this would help you or not is hard to say without logs showing all
the log entries for the queue file(s) that were logged by cleanup(8) to have
the Message-Id in question.

-- 
Viktor.



Re: Email and information helpfull to have in the headers/logs for police enquiries

2018-01-30 Thread micah
Karol Augustin  writes:

> On 2018-01-30 16:44, Ghislain Adnet wrote:
>> hi,
>> 
>>  We participated in some police enquiries about emails sent to
>> blackmail people, to get the source IP. The ISP answered
>> that they use proxy systems and they require IP+port to be able to
>> track the source. We just helped the case but it
>> sparked the idea that I had better start to log the TCP port as well in 
>> my servers' logs.
>> 
>> 
>>  In Postfix the IP is logged but not the TCP port. To be ahead of
>> future legal issues I wanted to know if there is a way
>> to

Unless you are required by law to log additional information, it is
generally better to log as little information as necessary.



Re: Duplicate email troubleshooting

2018-01-30 Thread Asai
> On Jan 30, 2018, at 9:21 AM, Matus UHLAR - fantomas  wrote:
> 
> On 30.01.18 08:55, Asai wrote:
>> I'm running into an issue with a mailbox that also has aliases assigned to 
>> it.
> 
> please avoid HTML mail.
>> e.g. u...@domain.net has alias u...@domain.net, us...@otherdomain.net, and 
>> us...@otherdomain.net
> 
>> What's weird is user1 and user2 are getting duplicate emails, but I don't 
>> have this problem with other users set up in a similar fashion.
> 
> so, are they aliases to user or different users?
> how are they aliased - virtual users, virtual aliases … ?
> 

Thank you for your assistance.

They are aliases to a user.  u...@domain.net that also
has an alias in the alias table, u...@domain.net along
with us...@otherdomain.net and
us...@otherdomain.net

All users and aliases are virtual users and aliases mapped in a MySQL database.

Asai




Re: Email and information helpfull to have in the headers/logs for police enquiries

2018-01-30 Thread Karol Augustin
On 2018-01-30 16:44, Ghislain Adnet wrote:
> hi,
> 
>  We participated in some police enquiries about emails sent to
> blackmail people, to get the source IP. The ISP answered
> that they use proxy systems and they require IP+port to be able to
> track the source. We just helped the case but it
> sparked the idea that I had better start to log the TCP port as well in 
> my servers' logs.
> 
> 
>  In Postfix the IP is logged but not the TCP port. To be ahead of
> future legal issues I wanted to know if there is a way
> to:
> 
> - add the TCP port to the log messages
> - add the TCP port to a header in the mail (so it sticks to it)
> 
> 
>  I did not find in the mailing list archive or the googlebrain or the
> docs any way to do that. Perhaps a very simple
> milter, but I also did not find a logging milter (but those milters seem hard
> to find anyway). Any ideas or
> experience doing that?
> 
> 
> best regards,
> Ghislain.

I don't know why it is important to you to log the port number so if you
could explain I would be grateful. You can deploy postscreen, which is a
good idea anyway and you will have port numbers in the logs:

Jan 30 17:12:09 mail postfix/postscreen[20169]: CONNECT from
[2607:f8b0:4001:c0b::234]:38670 to
[2a05:d018:76d:5af6:d050:9b30:6bf7:df98]:25
Jan 30 17:12:09 mail postfix/postscreen[20169]: WHITELISTED
[2607:f8b0:4001:c0b::234]:38670
Jan 30 17:12:09 mail postfix/smtpd[20618]: connect from
mail-it0-x234.google.com[2607:f8b0:4001:c0b::234]

Jan 30 17:07:11 mail postfix/postscreen[20169]: CONNECT from
[137.135.42.190]:1072 to [10.1.0.20]:25
Jan 30 17:07:11 mail postfix/postscreen[20169]: BLACKLISTED
[137.135.42.190]:1072
Jan 30 17:07:11 mail postfix/postscreen[20169]: DISCONNECT
[137.135.42.190]:1072

Jan 30 17:15:07 mail postfix/postscreen[20169]: CONNECT from
[168.100.1.3]:45124 to [10.1.0.20]:25
Jan 30 17:15:07 mail postfix/postscreen[20169]: PASS OLD
[168.100.1.3]:45124
Jan 30 17:15:07 mail postfix/smtpd[20618]: connect from
camomile.cloud9.net[168.100.1.3]

Which reminds me to whitelist 168.100.1.3.

Karol


-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312


Re: Two different IP for one mx

2018-01-30 Thread
On 30 Jan 2018 7:00 p.m., "Bill Shirley" 
wrote:

On 1/30/2018 9:15 AM, Karol Augustin wrote:

From the information you provided it looks like problem is not fixable by
you. It's ok to have private address configured on your server if it is
properly translated upstream. Amazon does that. You have private IP
configured on your machine but it is translated to the same public address
for both incoming and outgoing connections. Talk to your ISP about this.


Karol



-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312


In an earlier post:
Because I prefer to use fail2ban for brute force attacks and fail2ban
depends on the source IP address. In this setup I can't see the source IP. Also I'll
use iptables as a permanent filter for some IPv4 blocks (like china).

He needs to see the real public addresses of those who connect to this new
server.


You said this machine has address 192.168.34.30/24.  Who gave it this
address?

Bill

The ISP has an OS deployment team. They prepare this machine for us. I do not
have much choice because our company outsourced some jobs (like OS
installations and network definitions) and this is one of them. You
write the specs and they prepare it for you.


Email and information helpfull to have in the headers/logs for police enquiries

2018-01-30 Thread Ghislain Adnet
hi,

 We participated in some police enquiries about emails sent to blackmail people,
to get the source IP. The ISP answered that they use proxy systems and they
require IP+port to be able to track the source. We just helped the case but it
sparked the idea that I had better start to log the TCP port as well in my
servers' logs.


 In Postfix the IP is logged but not the TCP port. To be ahead of future legal
issues I wanted to know if there is a way to:

- add the TCP port to the log messages
- add the TCP port to a header in the mail (so it sticks to it)


 I did not find in the mailing list archive or the googlebrain or the docs any
way to do that. Perhaps a very simple milter, but I also did not find a logging
milter (but those milters seem hard to find anyway). Any ideas or
experience doing that?


best regards,
Ghislain.


Re: Duplicate email troubleshooting

2018-01-30 Thread Matus UHLAR - fantomas

On 30.01.18 08:55, Asai wrote:

I'm running into an issue with a mailbox that also has aliases assigned to it.


please avoid HTML mail.

e.g. u...@domain.net has alias u...@domain.net, us...@otherdomain.net, and 
us...@otherdomain.net



What's weird is user1 and user2 are getting duplicate emails, but I don't have 
this problem with other users set up in a similar fashion.


so, are they aliases to user or different users?
how are they aliased - virtual users, virtual aliases ... ?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...


Re: Two different IP for one mx

2018-01-30 Thread Karol Augustin
On 2018-01-30 15:59, Bill Shirley wrote:

> 
> In an earlier post:
> Because I prefer to use fail2ban for brute force attacks and fail2ban depends
> on the source IP address. In this setup I can't see the source IP. Also I'll use iptables
> as a permanent filter for some IPv4 blocks (like China).
> 
> He needs to see the real public addresses of those who connect to this new 
> server.

Of course, but what I meant is that the reason he doesn't, and he
definitely has to, is because the upstream configuration is broken, not
because he has private address assigned to the NIC. You can have private
address assigned to the NIC and be perfectly capable of seeing original
source address. This is how it should be configured.

Karol




-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312


Re: Two different IP for one mx

2018-01-30 Thread Bill Shirley

On 1/30/2018 9:15 AM, Karol Augustin wrote:
From the information you provided it looks like problem is not fixable by you. It's ok to have private address configured on 
your server if it is properly translated upstream. Amazon does that. You have private IP configured on your machine but it is 
translated to the same public address for both incoming and outgoing connections. Talk to your ISP about this.



Karol



--
Karol Augustin
ka...@augustin.pl 
http://karolaugustin.pl/
+353 85 775 5312


In an earlier post:
Because I prefer to use fail2ban for brute force attacks and fail2ban depends on the source IP address. In this setup I can't see the source
IP. Also I'll use iptables as a permanent filter for some IPv4 blocks (like China).


He needs to see the real public addresses of those who connect to this new 
server.


You said this machine has address 192.168.34.30/24.  Who gave it this address?

Bill



Duplicate email troubleshooting

2018-01-30 Thread Asai
Greetings,

I'm running into an issue with a mailbox that also has aliases assigned to it.

e.g. u...@domain.net  has alias u...@domain.net, 
 us...@otherdomain.net,  
and us...@otherdomain.net 

What's weird is user1 and user2 are getting duplicate emails, but I don't have 
this problem with other users set up in a similar fashion.

I've tried to debug this, read the threads, pore over the logs, and do due 
diligence on this, but I'm stumped.  I have amavis running spamassassin and 
clamd.

Can anyone point me in the right direction on this?

Postconf follows:

alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 600s
maximal_queue_lifetime = 1d
message_size_limit = 0
milter_default_action = accept
milter_macro_daemon_name = ORIGINATING
milter_protocol = 2
minimal_backoff_time = 300s
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = globalchangemultimedia.net
myhostname = triata.globalchangemultimedia.net
newaliases_path = /usr/bin/newaliases
niann = check_sender_access
    regexp:/etc/postfix/gcca_recipient_restrictions/niann, permit
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = dnsbl.sorbs.net=127.0.0.10*8
    zen.spamhaus.org=127.0.0.[10;11]*8 b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7 dnsbl.sorbs.net=127.0.0.5*7
    zen.spamhaus.org=127.0.0.[4..7]*7 zen.spamhaus.org=127.0.0.3*5
    bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4
    bl.spamcop.net=127.0.0.2*4 bl.spameatingmonkey.net=127.0.0.[2;3]*4
    dnsrbl.swinog.ch=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3
    dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2
    dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2
    wl.mailspike.net=127.0.0.[18;19;20]*-2 list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?3}${stress:10}s
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = no
relay_domains = $mydestination,
    mysql:/etc/postfix/mysql_virtual_relay_domains.cf
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_sasl_mechanism_filter = plain, login
smtp_tls_security_level = may
smtpd_client_restrictions = check_client_access
    mysql:/etc/postfix/mysql_blacklist, permit_sasl_authenticated,
    permit_dnswl_client list.dnswl.org permit_dnswl_client wl.mailspike.net
    permit_dnswl_client iadb.isipp.com permit_dnswl_client sa-accredit.habeas.com
    permit_dnswl_client dnswl.inps.de permit_dnswl_client swl.spamhaus.org
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
    ${stress?sleep 0}${stress: sleep 5} permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
    mysql:/etc/postfix/mysql_helo_restrictions.cf, permit_sasl_authenticated,
    reject_invalid_hostname, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_unauth_destination, reject_invalid_hostname,
    reject_unknown_reverse_client_hostname, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, check_recipient_access
    mysql:/etc/postfix/mysql_restricted_recipients.cf, permit
smtpd_relay_restrictions = permit_mynetworks, check_recipient_access
    mysql:/etc/postfix/mysql_restricted_recipients.cf, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_restriction_classes = gcmm_only, local_only,  unrestricted
smtpd_sasl_auth_enable = no
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access
    mysql:/etc/postfix/mysql_restricted_senders.cf, check_sender_access
    mysql:/etc/postfix/mysql_blacklist, permit_sasl_authenticated,
    permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit

smtpd_tls_auth_onl

Re: Two different IP for one mx

2018-01-30 Thread Karol Augustin
On 2018-01-30 14:08, jin&hitman&Barracuda wrote:

> 2018-01-30 15:22 GMT+03:00 Bill Shirley :
> 
>> On the new Postfix server, are you using DHCP client on the WAN interface
>> to get a IP address?  You should not be.  You should assign your public 
>> address
>> to the WAN interface.
>> 
>> I have static addresses with my ISP.  My ISP's modem will hand out private 
>> addresses
>> if I use DHCP client.  I don't configure my server to use DHCP; I have it 
>> set up to
>> use the public address.
>> 
>> Bill
> 
>> 
> 
> On 1/30/2018 4:03 AM, Matus UHLAR - fantomas wrote:
> On 30.01.18 00:09, jin&hitman&Barracuda wrote:
> In-Reply-To: 
> 
> References: 
> 
>  
> hell, how did you create this e-mail? it looks like reply to thread with
> another 9 e-mails.  (Please send new post when asking new question)
> 
> We are trying to move our mx server to another isp. They gave us an IP
> address but there is some strange points. When i try to connect any mail
> related port on that ip, it send my connection to our new postfix server. 
> this is expected, isn't it?
> 
> There is a destination nat on it. It is strange because i can't see my
> actual source ip. I tried with many different hosts and It looks like there
> is a source nat and i saw same ip as my source ip wherever i try. 
> this is also expected, when you have server on network with private IPs.
> 
> From new postfix server,  when i try to reach any server on internet, i see
> another ip address on the source ip field and it is fixed too.
> 
> I believe there is a mistake. Could it be feasible two different ip for
> incoming and outgoing on one mx server ? 
> it's apparently a mistake, but might not be a problem. the incoming IP and 
> outgoing IP don't need be the same, although it's
> easier when they are.
> 
> On 30 Jan 2018 12:56 a.m., "Kevin A. McGrail"  wrote:
> With NAT it could definitely be possible.  What's your machines local ip
> address with ifconfig?  Is it a reserved private address? 
> On 30.01.18 01:03, jin&hitman&Barracuda wrote:
> It is 192.168.34.30/24
> this is a private address, not visible in the internet.
> 
> On 30 Jan 2018 3:43 a.m., "Paul"  wrote:
> What is the source IP you see making connections to your new postfix server
> ? 
> On 30.01.18 09:28, jin&hitman&Barracuda wrote:
> It is 172.27.203.20 
> this is also a private address and it should not appear in the public
> internet. Should not be a problem between servers.
> 
> If you see this IP when you connect to your postfix from the internet,
> complain to your new ISP immediately. Connections from outside should not be
> NATted.
> 
> let's clear things up:
> 
> - which IP do you have when mailing to the outside?
> - which IP you have to connect from outside in order to get to your mail 
> server?

Hi Bill 

No, there is no DHCP. All I have is one interface and it has a
fixed IP address (192.168.34.30)

From the information you provided it looks like problem is not fixable
by you. It's ok to have private address configured on your server if it
is properly translated upstream. Amazon does that. You have private IP
configured on your machine but it is translated to the same public
address for both incoming and outgoing connections. Talk to your ISP
about this. 

Karol 

-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312 


Re: Two different IP for one mx

2018-01-30 Thread
2018-01-30 16:42 GMT+03:00 Matus UHLAR - fantomas :

> If you see this IP when you connect to your postfix from the internet,
>>> complain to your new ISP immediately.  Connections from outside
>>> should not be NATted.
>>>
>>
> On 30.01.18 14:34, jin&hitman&Barracuda wrote:
>
>> When I am connecting from internet (for example from 149.XXX.164.55) I did
>> run
>> tcpdump command on postfix server and all incoming connections have same
>> source IP and it is 172.27.203.20. It doesn't matter where I choose to
>> connect I see same IP as source.
>>
>
> OK, my original words apply.
>
> complain to your ISP, they should not SNAT incoming connections from the
> internet to your server.
>
> until then, I recommend you not move the server to them.
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I'm not interested in your website anymore.
> If you need cookies, bake them yourself.
>


Fair enough,  I agree with you.

Fatih
-- 
*There is no place like "/home"*
*From HemiB A R R A C U D A !*


Re: Two different IP for one mx

2018-01-30 Thread
2018-01-30 15:22 GMT+03:00 Bill Shirley :

> On the new Postfix server, are you using DHCP client on the WAN interface
> to get a IP address?  You should not be.  You should assign your public
> address
> to the WAN interface.
>
> I have static addresses with my ISP.  My ISP's modem will hand out private
> addresses
> if I use DHCP client.  I don't configure my server to use DHCP; I have it
> set up to
> use the public address.
>
> Bill


>

>
> On 1/30/2018 4:03 AM, Matus UHLAR - fantomas wrote:
>
>> On 30.01.18 00:09, jin&hitman&Barracuda wrote:
>>
>>> In-Reply-To: >> fvozze6wt00b5qzpeqf...@mail.gmail.com>
>>> References: >> ail.com>
>>> 
>>>
>>
>> hell, how did you create this e-mail? it looks like reply to thread with
>> another 9 e-mails.  (Please send new post when asking new question)
>>
>> We are trying to move our mx server to another isp. They gave us an IP
>>> address but there is some strange points. When i try to connect any mail
>>> related port on that ip, it send my connection to our new postfix server.
>>>
>>
>> this is expected, isn't it?
>>
>> There is a destination nat on it. It is strange because i can't see my
>>> actual source ip. I tried with many different hosts and It looks like
>>> there
>>> is a source nat and i saw same ip as my source ip wherever i try.
>>>
>>
>> this is also expected, when you have server on network with private IPs.
>>
>> From new postfix server,  when i try to reach any server on internet, i
>>> see
>>> another ip address on the source ip field and it is fixed too.
>>>
>>> I believe there is a mistake. Could it be feasible two different ip for
>>> incoming and outgoing on one mx server ?
>>>
>>
>> it's apparently a mistake, but might not be a problem. the incoming IP
>> and outgoing IP don't need be the same, although it's
>> easier when they are.
>>
>> On 30 Jan 2018 12:56 a.m., "Kevin A. McGrail"  wrote:
>>> With NAT it could definitely be possible.  What's your machines local ip
>>> address with ifconfig?  Is it a reserved private address?
>>>
>>
>> On 30.01.18 01:03, jin&hitman&Barracuda wrote:
>>
>>> It is 192.168.34.30/24
>>>
>>
>> this is a private address, not visible in the internet.
>>
>> On 30 Jan 2018 3:43 a.m., "Paul"  wrote:
>>> What is the source IP you see making connections to your new postfix
>>> server
>>> ?
>>>
>>
>> On 30.01.18 09:28, jin&hitman&Barracuda wrote:
>>
>>> It is 172.27.203.20
>>>
>>
>> this is also a private address and it should not appear in the public
>> internet. Should not be a problem between servers.
>>
>> If you see this IP when you connect to your postfix from the internet,
>> complain to your new ISP immediately. Connections from outside should not
>> be
>> NATted.
>>
>> let's clear things up:
>>
>> - which IP do you have when mailing to the outside?
>> - which IP you have to connect from outside in order to get to your mail
>> server?
>>
>>
>
Hi Bill

No, there is no DHCP. All I have is one interface and it has a fixed
IP address (192.168.34.30)





-- 
*There is no place like "/home"*
*From HemiB A R R A C U D A !*


send specific NDR message for users in certain OU

2018-01-30 Thread lists

Hi,

The question can perhaps be made more generic like this:

Can postfix generate a *specific* NDR (or an autoreply) for accounts 
that meet a specific criterium, such as:

- user account was found under OU=to-delete,CN=company...
contrary to the regular location CN=Users,CN=company...

We would like to move to-be-deleted users to this container, before 
actually deleting them. That gives us an easy way to revert, if the 
deletion turns out to be erroneous.


If postfix could send a "delivery failure" specific for those accounts 
(with instructions who to contact to revert the situation) it would be 
very easy: only move the user to the specific OU, and have the system do 
the rest.


Can this be done?

(postfix 2.11.1 from debian wheezy, yes we know we should upgrade, and 
we also will, but it runs rock solid...)


MJ


Re: Two different IP for one mx

2018-01-30 Thread
2018-01-30 14:42 GMT+03:00 G :

> On 01/29/2018 11:09 PM, jin&hitman&Barracuda wrote:
>
>> Hi
>>
>> We are trying to move our mx server to another isp.
>>
>
> You have two postfix installations then, one in your current MX record and
> a new
> which is not yet published on DNS . Is that correct ?
>
> They gave us an IP address but there is some strange points. When i try to
>> connect any mail related port on that ip, it send my connection to our new
>> postfix server. There is a destination nat on it. It is strange because i
>> can't see my actual source ip. I tried with many different hosts and It
>> looks like there is a source nat and i saw same ip as my source ip wherever
>> i try.
>>
>
> Are you talking about telnet to this IP to check if it works OR you're
> trying to send SMTP ? if the latter is your case
> then it works as it supposed to , your MX record is on your current
> installation not the new one .
>
>
>> From new postfix server,  when i try to reach any server on internet, i
>> see another ip address on the source ip field and it is fixed too.
>>
>> I believe there is a mistake. Could it be feasible two different ip for
>> incoming and outgoing on one mx server ?
>>
>
> George
>

Hi George

> You have two postfix installations then, one in your current MX record
and a new
> which is not yet published on DNS . Is that correct ?

Yes that is true. Actually the old mx is a QmailToaster but that is not the
point.

> Are you talking about telnet to this IP to check if it works OR you're
trying to send SMTP ? if the latter is your case
> then it works as it supposed to , your MX record is on your current
installation not the new one .

Actually I ran tests with basic nc (like telnet) on TCP 110, 143 and 587.
Tcp 25 is blocking state on some firewall I guess.


Fatih
-- 
*There is no place like "/home"*
*From HemiB A R R A C U D A !*


Re: Two different IP for one mx

2018-01-30 Thread Matus UHLAR - fantomas

If you see this IP when you connect to your postfix from the internet,
complain to your new ISP immediately.  Connections from outside
should not be NATted.


On 30.01.18 14:34, jin&hitman&Barracuda wrote:

When I am connecting from internet (for example from 149.XXX.164.55) I did run
tcpdump command on postfix server and all incoming connections have same
source IP and it is 172.27.203.20. It doesn't matter where I choose to
connect I see same IP as source.


OK, my original words apply.

complain to your ISP, they should not SNAT incoming connections from the
internet to your server.

until then, I recommend you not move the server to them.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
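
The symptom discussed in this thread (every incoming connection logged with the same private source address, 172.27.203.20) can be checked from the Postfix log before cut-over. The following is an added example, not part of any poster's message; the log lines are constructed, and the function names, thresholds and list of non-public ranges are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches Postfix smtpd "connect from host[addr]" lines, including
# per-service names such as postfix/submission/smtpd.
CONNECT_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: connect from \S+?\[(?P<addr>[^\]]+)\]"
)

# Ranges that must never be the source of a connection arriving from the
# internet: RFC 1918 private space plus RFC 6598 shared (carrier NAT) space.
NON_PUBLIC = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


def client_addresses(lines):
    """Yield the client address of every smtpd 'connect from' log line."""
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # malformed address field, skip the line


def snat_suspect(lines, min_connections=5, share=0.9):
    """Return details when one non-public address accounts for almost all
    remote connections, which is what upstream source NAT looks like from
    the mail server. Returns None otherwise.

    Loopback is excluded: content-filter re-injection legitimately
    connects from 127.0.0.1.
    """
    counts = Counter(a for a in client_addresses(lines) if not a.is_loopback)
    total = sum(counts.values())
    if total < min_connections:
        return None  # not enough data to judge
    addr, hits = counts.most_common(1)[0]
    non_public = any(addr in net for net in NON_PUBLIC)
    if non_public and hits / total >= share:
        return {"address": str(addr), "connections": hits, "total": total}
    return None


# Constructed sample: every remote client appears as the NAT gateway.
SNAT_LOG = """\
Jan 30 14:31:02 mx postfix/smtpd[2101]: connect from unknown[172.27.203.20]
Jan 30 14:31:09 mx postfix/smtpd[2101]: disconnect from unknown[172.27.203.20]
Jan 30 14:31:40 mx postfix/submission/smtpd[2107]: connect from unknown[172.27.203.20]
Jan 30 14:32:11 mx postfix/smtpd[2110]: connect from localhost[127.0.0.1]
Jan 30 14:33:25 mx postfix/smtpd[2101]: connect from unknown[172.27.203.20]
Jan 30 14:34:01 mx postfix/submission/smtpd[2107]: connect from unknown[172.27.203.20]
Jan 30 14:34:48 mx postfix/smtpd[2115]: connect from unknown[172.27.203.20]
Jan 30 14:35:30 mx postfix/smtpd[2115]: connect from unknown[172.27.203.20]
""".splitlines()

# Constructed sample: distinct public (documentation-range) clients plus
# one LAN host, as seen when the upstream device does not rewrite sources.
HEALTHY_LOG = """\
Jan 30 14:31:02 mx postfix/smtpd[2101]: connect from mail.example.org[192.0.2.10]
Jan 30 14:31:40 mx postfix/smtpd[2107]: connect from unknown[198.51.100.7]
Jan 30 14:32:11 mx postfix/smtpd[2110]: connect from mx.example.net[203.0.113.25]
Jan 30 14:33:25 mx postfix/smtpd[2101]: connect from unknown[192.0.2.44]
Jan 30 14:34:01 mx postfix/submission/smtpd[2107]: connect from lan-pc[192.168.34.1]
Jan 30 14:34:48 mx postfix/smtpd[2115]: connect from unknown[198.51.100.91]
""".splitlines()

if __name__ == "__main__":
    print("SNAT sample:   ", snat_suspect(SNAT_LOG))
    print("healthy sample:", snat_suspect(HEALTHY_LOG))
```

When the check fires, anything keyed on the client address (fail2ban bans, iptables block lists, DNSBL lookups) acts on the gateway address rather than on the real sender.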


Re: Two different IP for one mx

2018-01-30 Thread Bill Shirley

On the new Postfix server, are you using DHCP client on the WAN interface
to get a IP address?  You should not be.  You should assign your public address
to the WAN interface.

I have static addresses with my ISP.  My ISP's modem will hand out private 
addresses
if I use DHCP client.  I don't configure my server to use DHCP; I have it set 
up to
use the public address.

Bill


On 1/30/2018 4:03 AM, Matus UHLAR - fantomas wrote:

On 30.01.18 00:09, jin&hitman&Barracuda wrote:

In-Reply-To: 

References: 



hell, how did you create this e-mail? it looks like reply to thread with
another 9 e-mails.  (Please send new post when asking new question)


We are trying to move our mx server to another isp. They gave us an IP
address but there is some strange points. When i try to connect any mail
related port on that ip, it send my connection to our new postfix server.


this is expected, isn't it?


There is a destination nat on it. It is strange because i can't see my
actual source ip. I tried with many different hosts and It looks like there
is a source nat and i saw same ip as my source ip wherever i try.


this is also expected, when you have server on network with private IPs.


From new postfix server,  when i try to reach any server on internet, i see
another ip address on the source ip field and it is fixed too.

I believe there is a mistake. Could it be feasible two different ip for
incoming and outgoing on one mx server ?


it's apparently a mistake, but might not be a problem. the incoming IP and 
outgoing IP don't need be the same, although it's
easier when they are.


On 30 Jan 2018 12:56 a.m., "Kevin A. McGrail"  wrote:
With NAT it could definitely be possible.  What's your machines local ip
address with ifconfig?  Is it a reserved private address?


On 30.01.18 01:03, jin&hitman&Barracuda wrote:

It is 192.168.34.30/24


this is a private address, not visible in the internet.


On 30 Jan 2018 3:43 a.m., "Paul"  wrote:
What is the source IP you see making connections to your new postfix server
?


On 30.01.18 09:28, jin&hitman&Barracuda wrote:

It is 172.27.203.20


this is also a private address and it should not appear in the public
internet. Should not be a problem between servers.

If you see this IP when you connect to your postfix from the internet,
complain to your new ISP immediately. Connections from outside should not be
NATted.

let's clear things up:

- which IP do you have when mailing to the outside?
- which IP you have to connect from outside in order to get to your mail server?





Re: Two different IP for one mx

2018-01-30 Thread G

On 01/29/2018 11:09 PM, jin&hitman&Barracuda wrote:

Hi

We are trying to move our mx server to another isp.


You have two postfix installations then, one in your current MX record 
and a new

which is not yet published on DNS . Is that correct ?

They gave us an IP address but there is some strange points. When i 
try to connect any mail related port on that ip, it send my connection 
to our new postfix server. There is a destination nat on it. It is 
strange because i can't see my actual source ip. I tried with many
different hosts and It looks like there is a source nat and i saw same 
ip as my source ip wherever i try.


Are you talking about telnet to this IP to check if it works OR you're 
trying to send SMTP ? if the latter is your case
then it works as it supposed to , your MX record is on your current 
installation not the new one .




From new postfix server,  when i try to reach any server on internet, 
i see another ip address on the source ip field and it is fixed too.


I believe there is a mistake. Could it be feasible two different ip 
for incoming and outgoing on one mx server ?


George


Re: Two different IP for one mx

2018-01-30 Thread
2018-01-30 14:16 GMT+03:00 Matus UHLAR - fantomas :

> On 30 Jan 2018 3:43 a.m., "Paul"  wrote:
>>>
>> What is the source IP you see making connections to your new postfix
>> server ?
>>
>
> On 30.01.18 09:28, jin&hitman&Barracuda wrote:
>
>> It is 172.27.203.20
>>
>
> 2018-01-30 12:03 GMT+03:00 Matus UHLAR - fantomas :
>>>
> If you see this IP when you connect to your postfix from the internet,
> complain to your new ISP immediately.  Connections from outside should
> not be NATted.
>

> 2018-01-30 13:29 GMT+03:00 Matus UHLAR - fantomas :
>>
>>> once again, when you connect from outside to 213.14.BBB.59, do you see
>>> the connection coming from 172.27.203.20?
>>>
>>
> On 30.01.18 14:07, jin&hitman&Barracuda wrote:
>
>> Sorry I missed your questions.
>>
>
> not misread, you have answered them properly.
>
> Yes I saw connections coming
>> from 172.27.203.20 and it was me.
>>
>
> it was you in what way?  were you connecting from inside IP (192.168.*) to
> your public IP (213.14.BBB.59) and saw the connection coming from
> 172.27.203.20?
>
> That one is called NAT loopback and is required in such case.
> In this case, 172.27.203.20 only means that the real source is in your
> internal network.
>
> The real problem happens, when you connect from the internet IP and will
> see
> 172.27.203.20 there.
>
> Which IP you see connecting on your mail server, when you connect from the
> internet?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Linux - It's now safe to turn on your computer.
> Linux - Teraz mozete pocitac bez obav zapnut.
>

> Which IP you see connecting on your mail server, when you connect from the
> internet?

When I am connecting from internet (for example from 149.XXX.164.55) I did run
tcpdump command on postfix server and all incoming connections have same
source IP and it is 172.27.203.20. It doesn't matter where I choose to
connect I see same IP as source.

> it was you in what way?  were you connecting from inside IP (192.168.*) to
> your public IP (213.14.BBB.59) and saw the connection coming from
> 172.27.203.20?

No, not inside in postfix server's network. I tried from outside. The new
postfix is not running as prod. Still testing and no DNS record published
yet. There is only me.



-- 
*There is no place like "/home"*
*From HemiB A R R A C U D A !*


Re: Two different IP for one mx

2018-01-30 Thread Matus UHLAR - fantomas

On 30 Jan 2018 3:43 a.m., "Paul"  wrote:

What is the source IP you see making connections to your new postfix
server ?



On 30.01.18 09:28, jin&hitman&Barracuda wrote:

It is 172.27.203.20



2018-01-30 12:03 GMT+03:00 Matus UHLAR - fantomas :

If you see this IP when you connect to your postfix from the internet,
complain to your new ISP immediately.  Connections from outside should
not be NATted.



2018-01-30 13:29 GMT+03:00 Matus UHLAR - fantomas :

once again, when you connect from outside to 213.14.BBB.59, do you see
the connection coming from 172.27.203.20?


On 30.01.18 14:07, jin&hitman&Barracuda wrote:

Sorry I missed your questions.


not misread, you have answered them properly.


Yes I saw connections coming
from 172.27.203.20 and it was me.


it was you in what way?  were you connecting from inside IP (192.168.*) to
your public IP (213.14.BBB.59) and saw the connection coming from
172.27.203.20?

That one is called NAT loopback and is required in such case.
In this case, 172.27.203.20 only means that the real source is in your
internal network.

The real problem happens, when you connect from the internet IP and will see
172.27.203.20 there.

Which IP you see connecting on your mail server, when you connect from the
internet?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.


Re: Two different IP for one mx

2018-01-30 Thread
2018-01-30 13:29 GMT+03:00 Matus UHLAR - fantomas :

> On 30 Jan 2018 3:43 a.m., "Paul"  wrote:
>>>
>>> What is the source IP you see making connections to your new postfix
>>> server ?


>>> On 30.01.18 09:28, jin&hitman&Barracuda wrote:
>>>
>>> It is 172.27.203.20

>>>
> 2018-01-30 12:03 GMT+03:00 Matus UHLAR - fantomas :
>>
>>> this is also a private address and it should not appear in the public
>>> internet. Should not be a problem between servers.
>>>
>>> If you see this IP when you connect to your postfix from the internet,
>>> complain to your new ISP immediately. Connections from outside should not
>>> be
>>> NATted.
>>>
>>
> once again, when you connect from outside to 213.14.BBB.59, do you see the
> connection coming from 172.27.203.20?
>
> If so, this will hardly spoil any blacklisting or whitelisting and of
> course
> spam detection. Ask the ISP for not doing source NAT when connecting from
> outside to inside.
>
> let's clear things up:
>>>
>>> - which IP do you have when mailing to the outside?
>>> - which IP you have to connect from outside in order to get to your mail
>>> server?
>>>
>>
> On 30.01.18 13:01, jin&hitman&Barracuda wrote:
>
>> When I reach to another host, I see this address 213.74.AAA.114 as my
>> source
>> When I connect to new postfix I use this IP  213.14.BBB.59
>>
>
> no problem - you just need to have proper valid reverse (and forward) DNS
> records for 213.74.AAA.114, while MX can point to 213.14.BBB.59
>
> however I would ask the ISP if they can't provide the same IP, for easier
> troubleshooting.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> - Have you got anything without Spam in it?
> - Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
>

Sorry I missed your questions. Yes I saw connections coming
from 172.27.203.20 and it was me.
I believe this setup is not fit for mail servers. Because I prefer to use
fail2ban for brute force attacks and fail2ban depends on the source IP address.
In this setup I can't see the source IP. Also I'll use iptables as a permanent
filter for some IPv4 blocks (like China).


Can anyone tell me that this setup has any benefit ?

-- 
*There is no place like "/home"*
*From HemiB A R R A C U D A !*


Re: python-policyd-spf doesn't check mail from my own domain

2018-01-30 Thread Dominic Raferd
On 30 January 2018 at 10:11, li...@lazygranch.com  wrote:
> I've installed the opendmarc milter. I'm not rejecting mail from it at
> the moment. I've noticed that if I send myself a message, the
> policyd-spf milter isn't run. That in turn causes mail I send myself to
> fail in opendmarc. Any ideas?
>
> The various email verifiers do show that my email passes spf.
>
> It is easy enough just to whitelist your own domains from opendmarc,
> but that would allow spoofed email to get through.

Which version of opendmarc? (opendmarc -V) If you have 1.3.2+ you can
use opendmarc's own spf instead (SPFSelfValidate True) - not reliable
for earlier versions though.

Anyway, in general:

/etc/opendmarc.conf:
...
IgnoreAuthenticatedClients true
IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
...

/etc/opendkim.conf:
...
InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
...

/etc/postfix/opendmarc-ignorehosts.txt:
# emails from localhost are not authenticated but should be signed by
# opendkim and not tested by opendmarc
127.0.0.1
# similarly any ips from which we accept unauthenticated originating
# emails (e.g. lan, or none)


Re: python-policyd-spf doesn't check mail from my own domain

2018-01-30 Thread Benny Pedersen

li...@lazygranch.com skrev den 2018-01-30 11:11:


It is easy enough just to whitelist your own domains from opendmarc,
but that would allow spoofed email to get through.


it's simple to not accept forged senders in port 25 ?

for me i just check virtual alias senders in postfixadmin, poor man's
spf checker can't fail here


in port 465 / 587 do not accept users that do not sasl auth, problem
solved


in opendmarc skip sasl auth users

in policyd-spf skip localhost ip, and maybe as well mynetworks in postfix


Re: Two different IP for one mx

2018-01-30 Thread Matus UHLAR - fantomas

On 30 Jan 2018 3:43 a.m., "Paul"  wrote:

What is the source IP you see making connections to your new postfix
server
?



On 30.01.18 09:28, jin&hitman&Barracuda wrote:

It is 172.27.203.20



2018-01-30 12:03 GMT+03:00 Matus UHLAR - fantomas :

this is also a private address and it should not appear in the public
internet. Should not be a problem between servers.

If you see this IP when you connect to your postfix from the internet,
complain to your new ISP immediately. Connections from outside should not
be
NATted.


once again, when you connect from outside to 213.14.BBB.59, do you see the
connection coming from 172.27.203.20?

If so, this will hardly spoil any blacklisting or whitelisting and of course
spam detection. Ask the ISP for not doing source NAT when connecting from
outside to inside.


let's clear things up:

- which IP do you have when mailing to the outside?
- which IP you have to connect from outside in order to get to your mail
server?


On 30.01.18 13:01, jin&hitman&Barracuda wrote:

When I reach to another host, I see this address 213.74.AAA.114 as my source
When I connect to new postfix I use this IP  213.14.BBB.59


no problem - you just need to have proper valid reverse (and forward) DNS
records for 213.74.AAA.114, while MX can point to 213.14.BBB.59

however I would ask the ISP if they can't provide the same IP, for easier
troubleshooting.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
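
The question asked in the message above (does the mail server see a private address such as 172.27.203.20 as the client of inbound connections?) can be answered from the Postfix log. The following is an added example, not part of the original thread; the log lines are constructed, and the function names and the 0.9 threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines (not taken from the thread).
SAMPLE_LOG = """\
Jan 30 09:20:01 mx postfix/smtpd[2101]: connect from unknown[172.27.203.20]
Jan 30 09:20:07 mx postfix/smtpd[2101]: disconnect from unknown[172.27.203.20]
Jan 30 09:21:15 mx postfix/smtpd[2107]: connect from unknown[172.27.203.20]
Jan 30 09:24:40 mx postfix/smtpd[2113]: connect from localhost[127.0.0.1]
Jan 30 09:26:02 mx postfix/smtpd[2120]: connect from unknown[172.27.203.20]
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONNECT_RE = re.compile(
    r"postfix/\S*smtpd\[\d+\]: connect from \S*\[([0-9A-Fa-f:.]+)\]")

def is_rfc1918(ip):
    """True for IPv4 addresses in the RFC 1918 private ranges."""
    return ip.version == 4 and any(ip in net for net in RFC1918)

def client_ips(log_text):
    """Count client addresses from 'connect from host[ip]' lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # bracketed text was not an IP address
    return counts

def source_nat_report(log_text, min_share=0.9):
    """Flag a log where one private address accounts for most remote clients."""
    remote = {ip: n for ip, n in client_ips(log_text).items()
              if not ip.is_loopback}
    total = sum(remote.values())
    top_ip, top_n = max(remote.items(), key=lambda kv: kv[1],
                        default=(None, 0))
    suspect = (total > 0 and is_rfc1918(top_ip)
               and top_n / total >= min_share)
    return {"remote_connections": total,
            "private_clients": sorted(str(ip) for ip in remote if is_rfc1918(ip)),
            "dominant_client": str(top_ip) if top_ip else None,
            "suspect_source_nat": suspect}

if __name__ == "__main__":
    print(source_nat_report(SAMPLE_LOG))
```

When `suspect_source_nat` is true on an Internet-facing MX, IP-based checks (SPF, blacklists, whitelists) are evaluating the NAT device rather than the real sending host.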


python-policyd-spf doesn't check mail from my own domain

2018-01-30 Thread li...@lazygranch.com
I've installed the opendmarc milter. I'm not rejecting mail from it at
the moment. I've noticed that if I send myself a message, the
policyd-spf milter isn't run. That in turn causes mail I send myself to
fail in opendmarc. Any ideas?

The various email verifiers do show that my email passes spf.

It is easy enough just to whitelist your own domains from opendmarc,
but that would allow spoofed email to get through.



Re: Two different IP for one mx

2018-01-30 Thread
2018-01-30 12:03 GMT+03:00 Matus UHLAR - fantomas :

> On 30.01.18 00:09, jin&hitman&Barracuda wrote:
>
>> In-Reply-To: > ail.com>
>> References: > ail.com>
>> 
>>
>
> hell, how did you create this e-mail? it looks like reply to thread with
> another 9 e-mails.  (Please send new post when asking new question)
>
> We are trying to move our mx server to another isp. They gave us an IP
>> address but there are some strange points. When i try to connect any mail
>> related port on that ip, it sends my connection to our new postfix server.
>>
>
> this is expected, isn't it?
>
> There is a destination nat on it. It is strange because i can't see my
>> actual source ip. I tried with many different hosts and It looks like
>> there is a source nat and i saw same ip as my source ip wherever i try.
>>
>
> this is also expected, when you have server on network with private IPs.
>
> From new postfix server,  when i try to reach any server on internet, i see
>> another ip address on the source ip field and it is fixed too.
>>
>> I believe there is a mistake. Could it be feasible two different ip for
>> incoming and outgoing on one mx server ?
>>
>
> it's apparently a mistake, but might not be a problem. the incoming IP and
> outgoing IP don't need be the same, although it's
> easier when they are.
>
> On 30 Jan 2018 12:56 a.m., "Kevin A. McGrail"  wrote:
>> With NAT it could definitely be possible.  What's your machines local ip
>> address with ifconfig?  Is it a reserved private address?
>>
>
> On 30.01.18 01:03, jin&hitman&Barracuda wrote:
>
>> It is 192.168.34.30/24
>>
>
> this is a private address, not visible in the internet.
>
> On 30 Jan 2018 3:43 a.m., "Paul"  wrote:
>> What is the source IP you see making connections to your new postfix
>> server?
>>
>
> On 30.01.18 09:28, jin&hitman&Barracuda wrote:
>
>> It is 172.27.203.20
>>
>
> this is also a private address and it should not appear in the public
> internet. Should not be a problem between servers.
>
> If you see this IP when you connect to your postfix from the internet,
> complain to your new ISP immediately. Connections from outside should not
> be NATted.
>
> let's clear things up:
>
> - which IP do you have when mailing to the outside?
> - which IP you have to connect from outside in order to get to your mail
> server?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> There's a long-standing bug relating to the x86 architecture that
> allows you to install Windows.   -- Matthew D. Fuller
>


When I reach to another host, I see this address 213.74.AAA.114 as my source
When I connect to new postfix I use this IP  213.14.BBB.59


-- 
*There is no place like "/home"*
*From HemiB A R R A C U D A !*


Re: Two different IP for one mx

2018-01-30 Thread Matus UHLAR - fantomas

On 30.01.18 00:09, jin&hitman&Barracuda wrote:

In-Reply-To: 

References: 



hell, how did you create this e-mail? it looks like reply to thread with
another 9 e-mails.  (Please send new post when asking new question)


We are trying to move our mx server to another isp. They gave us an IP
address but there are some strange points. When i try to connect any mail
related port on that ip, it sends my connection to our new postfix server.


this is expected, isn't it?


There is a destination nat on it. It is strange because i can't see my
actual source ip. I tried with many different hosts and It looks like there
is a source nat and i saw same ip as my source ip wherever i try.


this is also expected, when you have server on network with private IPs.


From new postfix server,  when i try to reach any server on internet, i see
another ip address on the source ip field and it is fixed too.

I believe there is a mistake. Could it be feasible two different ip for
incoming and outgoing on one mx server ?


it's apparently a mistake, but might not be a problem.
the incoming IP and outgoing IP don't need be the same, although it's
easier when they are.


On 30 Jan 2018 12:56 a.m., "Kevin A. McGrail"  wrote:
With NAT it could definitely be possible.  What's your machines local ip
address with ifconfig?  Is it a reserved private address?


On 30.01.18 01:03, jin&hitman&Barracuda wrote:

It is 192.168.34.30/24


this is a private address, not visible in the internet.


On 30 Jan 2018 3:43 a.m., "Paul"  wrote:
What is the source IP you see making connections to your new postfix server?


On 30.01.18 09:28, jin&hitman&Barracuda wrote:

It is 172.27.203.20


this is also a private address and it should not appear in the public
internet. Should not be a problem between servers.

If you see this IP when you connect to your postfix from the internet,
complain to your new ISP immediately. Connections from outside should not be
NATted.

let's clear things up:

- which IP do you have when mailing to the outside?
- which IP you have to connect from outside in order to get to your mail server?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller