Re: smtp disobeying smtp_bind_address
On Mon, 25 Oct 2021 12:36:35 -0400 (EDT), Wietse Venema wrote:
> This would require a new setting, for example to make smtp_bind_address
> failures a retryable error.
>
> smtp_bind_address_failure_action = warn (or defer)
>
> warn: current behavior
> defer: treat as a failure to connect

This looks like something I would want to use in my situation.

Does the implementation complexity and maintenance cost look reasonable to you, for what seems to be a rather niche use (otherwise someone else would certainly have made the same mistake before)?

Until this is available, I will follow what Viktor suggests: monitoring and dynamically deferring emails, and notify me of the issue while at it. The email rate on this system should be low enough that the monitor will notice the issue before any significant volume went through.

Regards,
--
Vincent Pelletier
ERP5 - open source ERP/CRM for flexible enterprises
Re: I got an email from "myself?" what the heck!
On 25/10/21 2:59 pm, Thomas Anderson wrote:
> Here is a clean email:
>
> Received: from example.net (unknown [192.168.1.10])
>     by mail.example.com (Postfix) with ESMTPSA id D7C3F1980059
>     for; Mon, 25 Oct 2021 03:42:29 +0200 (CEST)
>
> Here is a non-clean email:
>
> Received: by mail.example.com (Postfix, from userid 1005)
>     id F1E621982CA9; Sun, 13 Jun 2021 15:32:28 +0200 (CEST)

This looks legitimate, and generated by the sendmail binary on your system. Check your Postfix logs for a pickup entry that matches that queue id (you can grep for F1E621982CA9 and then look back for the pickup line).

It likely indicates some sort of spam coming through a web form on your system, like on a PHP script. Fix the web form to make it harder for spammers to use.

Peter
Re: I got an email from "myself?" what the heck!
Benny Pedersen:
> On 2021-10-25 07:11, Thomas Anderson wrote:
> > The IP it came from was outside my network.
>
> you can reject all envelope senders if its claims its your domain in
> port 25, you will never send it there, never as never, spf is just a
> global world protection not needed for postfix to make that policy

# Disallow sen...@example.com (and subdomains) from strangers.
main.cf:
    smtpd_sender_restrictions = inline:{{ example.com = permit_mynetworks, reject }}

# Allow from authenticated mail user agents.
master.cf:
    submission ...
        -o smtpd_sender_restrictions=
        ...
    smtps ...
        -o smtpd_sender_restrictions=
        ...

It's not the default because historically, some mailing lists did not reset the envelope sender, and your postings to such a list could have your own envelope sender address.

Wietse
Re: smtp disobeying smtp_bind_address
Vincent Pelletier:
> I would rather postfix just stop sending emails altogether in such case,
> than send them from an unexpected ip: a delay is preferable to me to
> uncertainty as to how the emails were processed by recipient SMTPs.
>
> Is there something else I should set so postfix stops falling back to
> no binding ?

This would require a new setting, for example to make smtp_bind_address failures a retryable error.

    smtp_bind_address_failure_action = warn (or defer)

    warn: current behavior
    defer: treat as a failure to connect

Wietse
Re: I got an email from "myself?" what the heck!
On 2021-10-25 07:11, Thomas Anderson wrote:
> The IP it came from was outside my network.

you can reject all envelope senders if its claims its your domain in port 25, you will never send it there, never as never, spf is just a global world protection not needed for postfix to make that policy
Re: smtp disobeying smtp_bind_address
On Mon, Oct 25, 2021 at 09:35:35AM +, Vincent Pelletier wrote:
> I would rather postfix just stop sending emails altogether in such
> case, than send them from an unexpected ip: a delay is preferable to
> me to uncertainty as to how the emails were processed by recipient
> SMTPs.
>
> Is there something else I should set so postfix stops falling back to
> no binding ?

No such setting is presently available in Postfix:

    https://github.com/vdukhovni/postfix/blob/master/postfix/src/smtp/smtp_connect.c#L231-L234

Instead, monitor your system configuration for absence of IP addresses expected by the Postfix configuration, and add any transports whose IP address is not configured to "defer_transports" (if not already present) and execute "postfix reload".

You can collect the list of configured addresses via:

    ( postconf -xh smtp_bind_address
      postconf -Ph '*/unix/smtp_bind_address' ) | sort -u

The warnings in the logs should also be noticed.

--
    Viktor.
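The monitoring approach described in the message above, sketched as a shell script (an added example, not part of the original thread and not Postfix's own code). The function names and the --apply switch are hypothetical, and the main.cf smtp_bind_address value is assumed to belong to the "smtp" transport.

```shell
#!/bin/sh
# Added example: defer Postfix transports whose smtp_bind_address is not
# assigned to any local interface. All helper names are hypothetical.

# Print "transport address" pairs: the main.cf value (assumption: it belongs
# to the "smtp" transport) followed by any master.cf -o overrides.
bind_pairs() {
    printf 'smtp %s\n' "$(postconf -xh smtp_bind_address)"
    postconf -P '*/unix/smtp_bind_address' |
        sed -n 's|^\([^/]*\)/unix/smtp_bind_address *= *\(.*\)$|\1 \2|p'
}

# Print the IPv4 addresses currently assigned to local interfaces.
local_addrs() {
    ip -o -4 addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# $1: "transport address" pairs, $2: local addresses (one per line).
# Prints each transport whose bind address is absent from $2.
transports_to_defer() {
    printf '%s\n' "$1" | while read -r transport addr; do
        addr=$(printf '%s' "$addr" | tr -d '[]')   # "[addr]" form is allowed
        [ -n "$addr" ] || continue                 # empty: no binding requested
        printf '%s\n' "$2" | grep -qxF "$addr" || printf '%s\n' "$transport"
    done | sort -u
}

# $1: current defer_transports value, $2: transports to add (one per line).
# Prints the merged, de-duplicated value.
merged_defer_transports() {
    printf '%s\n%s\n' "$1" "$2" | tr ', ' '\n\n' | sed '/^$/d' | sort -u | paste -sd' ' -
}

# Run with --apply (for example from cron) to act on the live system.
if [ "${1:-}" = "--apply" ]; then
    missing=$(transports_to_defer "$(bind_pairs)" "$(local_addrs)")
    if [ -n "$missing" ]; then
        current=$(postconf -xh defer_transports)
        postconf -e "defer_transports = $(merged_defer_transports "$current" "$missing")"
        postfix reload
        echo "deferred transports with missing bind address: $missing" >&2
    fi
fi
```

The script only ever adds transports to defer_transports; removing them once the address is back on the system is left to the operator.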
Re: smtp disobeying smtp_bind_address
On 25/10/2021 11:35, Vincent Pelletier wrote:
> I would rather postfix just stop sending emails altogether in such case,
> than send them from an unexpected ip: a delay is preferable to me to
> uncertainty as to how the emails were processed by recipient SMTPs.

As a categorical prevention of postfix using the wrong ip address until you found the correct postfix configuration, you could block all outgoing smtp from the wrong ip address:

    iptables -A OUTPUT -p tcp --dport 25 ! -s -j DROP

(quote the ! when entering via bash, and co-align with all the other rules in your iptables).
smtp disobeying smtp_bind_address
Hello,

I have a server with multiple IPv4 routes to the internet (multipath over tunnels, plus the default route). The multipath route is picked for outgoing connections based on the IP the client socket is bound to:

    ip rule from lookup
    ip route add table default nexthop via ... [nexthop via ... [...]]

I have set up postfix to bind to for some emails that should appear as having entered the net from the ends of the multipath route (because these IPs are in SPF records).

I made a mistake and accidentally removed from that system. Postfix complains (rightly) in the logs that it cannot bind to this address:

    postfix/smtp: warning: smtp_connect_addr: bind : Cannot assign requested address

But then, it proceeded to send the email anyway, so it entered the internet from the main default route. This made some recipients' SMTP servers unhappy, which delayed some emails, but others continued to accept the mails (and could have done all sorts of bad things to them, like file them in a spam box, ...).

The custom postfix settings I have for this setup are:

    smtp_address_preference = ipv4
    smtp_bind_address =

I am on postfix 3.4.14 (Debian oldstable).

I would rather postfix just stop sending emails altogether in such case, than send them from an unexpected ip: a delay is preferable to me to uncertainty as to how the emails were processed by recipient SMTPs.

Is there something else I should set so postfix stops falling back to no binding?

Regards,
--
Vincent Pelletier