[pfx] Access control review

2023-03-27 Thread Mihaly Zachar via Postfix-users
Dear All,

I would like to build a relay smtp server for a system, where this system
would like to send out mails to its customers. I went through the access
control documentation, and this is what I came up with (in terms of access
control). The system has its own IP address range and that is added to
mynetworks and also there is one SASL authenticated user that should be able to
send out mails. Theoretically the setup is working, but I am interested in
your opinions.

# ACCESS CONTROL
smtpd_helo_required = yes

smtpd_client_restrictions =
    reject_unknown_reverse_client_hostname

smtpd_helo_restrictions =
    reject_unknown_helo_hostname
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender

smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination


Could you please take a look and suggest me what is wrong and what would
you change?
I am using Debian 12 with Postfix 3.7.4-2.

I am still planning to add a strict SPF record and also DKIM.

Thank you,
Mitya
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: destination based rate limiting

2023-03-27 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 27, 2023 at 11:21:15AM +, Gino Ferguson via Postfix-users wrote:

> How can one set up outbound rate limiting for a certain mail service
> provider? 

Postfix rate limiting is implemented in the queue manager, which does
not (and cannot without a major redesign) know the MX hosts associated
with a given domain, so unavoidably rate limits are per nexthop domain.

> Can postfix 'recognise' that recipientdomainA, recipientdomainB and
> recipientdomainC are hosted at the same mail service provider
> (bigmxprovider.com) so this limiting must be applied automatically? 

No.  This is essentially impossible to do in a single-process queue
manager.

* The queue manager would have to be split into a multi-process
  front end responsible for address resolution and construction of
  message envelopes, and the actual single-process scheduler,
  maintaining the active queue.

* This is further complicated by multiple and partially overlapping
  MX records, which may mean that it is not clear which server's
  connection quota is actually used when it comes time to deliver
  the message.

* Therefore, there would perhaps need to be a 2-stage active queue,
  with the second stage handling per-server rate limits, but even
  then it is not clear exactly how to signal back to the primary
  queue that certain destinations are blocked until some deliveries
  complete and rate delays expire.

This remains a non-trivial unsolved problem.

-- 
Viktor.


[pfx] Re: destination based rate limiting

2023-03-27 Thread Wietse Venema via Postfix-users
Gino Ferguson via Postfix-users:
> Hi,
> 
> How can one set up outbound rate limiting for a certain mail service 
> provider? 

Did you mean concurrency limit (number of parallel deliveries)
or rate limit (for example, number of deliveries per minute)?

> Can postfix 'recognise' that recipientdomainA, recipientdomainB
> and recipientdomainC are hosted at the same mail service provider
> (bigmxprovider.com) so this limiting must be applied automatically?
>
> The destination is not immediately obvious by the recipient domain's
> name and it would be enormous work to maintain such a list manually.

You are sending multi-recipient messages, with some of those
recipients in different domains that are hosted at the same email
service provider.

This should be possible but requires deep understanding of how
Postfix works. It may be as simple as using check_recipient_mx_access
with a FILTER action, or it may require a more subtle approach.

Please let us know what you really need.

To get an idea of the complexities, there is a thread that covers
provider-dependent routing starting at
https://www.mail-archive.com/postfix-users@postfix.org/msg91619.html

The context is selective relaying through a content filter, but it
could be tweaked to implement selective relaying through an email
service provider.

Relevant responses by Michael Storz and Viktor Dukhovni at
https://www.mail-archive.com/postfix-users@postfix.org/msg91632.html
https://www.mail-archive.com/postfix-users@postfix.org/msg91634.html

Wietse


[pfx] Re: Blocked Sender

2023-03-27 Thread natan via Postfix-users

Hi
Yes, my pasting error

smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
    reject_unknown_sender_domain
    ...

cat /etc/postfix/sender_checks.pcre
/@domain\.ltd/ OK

Of course, if required, use $ at the end

For me pcre/regexp is better, but I use hash too

On 27.03.2023 at 14:16, Matus UHLAR - fantomas via Postfix-users wrote:

On 27.03.23 12:39, natan via Postfix-users wrote:

/etc/postfix/sender_checks.pcre
/@scripkabox\.com/

  

/etc/postfix/recipient_checks.pcre

smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
    reject_unknown_sender_domain
    ...

cat /etc/postfix/sender_checks.pcre
/@domain\.ltd/ OK

  

which one is it then?

In any case I recommend using hash tables, or putting '$' at the end 
of RE, so it doesn't match e.g. "scripkabox.communicate.with.me"




On 26.03.2023 at 21:52, Doug Hardie via Postfix-users wrote:
I have a specific email sender that is getting the error "Sender 
addresses rejected: Domain not found".  Sure enough DNS provides no 
response for that domain.  If I drop off the first part of the 
domain name, then DNS returns a response.  However, the organization 
is using the complete name which means the emails are dropped.  I 
know the proper solution is to have the originator fix their DNS, 
but that is not going to happen in the near term.  I have tried 
various ways for a temporary fix, but none have worked so far.  I 
don't want to remove the "reject_unknown_sender_domain" function as 
it gets used properly a lot.  Is there some way I can get postfix to 
accept these for local delivery?






[pfx] Re: destination based rate limiting

2023-03-27 Thread natan via Postfix-users

Hi
Try postfwd for postfix

http://postfwd.org/ratelimits.html

On 27.03.2023 at 13:21, Gino Ferguson via Postfix-users wrote:

Hi,


How can one set up outbound rate limiting for a certain mail service provider?

Can postfix 'recognise' that recipientdomainA, recipientdomainB and 
recipientdomainC are hosted at the same mail service provider 
(bigmxprovider.com) so this limiting must be applied automatically?

The destination is not immediately obvious by the recipient domain's name and 
it would be enormous work to maintain such a list manually.


Thank you,
Gino


[pfx] Re: Blocked Sender

2023-03-27 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 27, 2023 at 02:16:06PM +0200, Matus UHLAR - fantomas via 
Postfix-users wrote:

> On 27.03.23 12:39, natan via Postfix-users wrote:
> >/etc/postfix/sender_checks.pcre
> >/@scripkabox\.com/
>
> >/@domain\.ltd/ OK
>
> 
> In any case I recommend using hash tables, or putting '$' at the end of RE, 
> so it doesn't match e.g. "scripkabox.communicate.with.me"

Yet another example of correct use of regular expression being beyond
the limited attention to detail of most users.  They are a last resort,
to be avoided if at all possible.

-- 
Viktor.
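
The over-match that the quoted advice warns about, as an added example that is not part of the original thread: because the `OK` entry sits ahead of `reject_unknown_sender_domain`, every sender the pattern matches skips that check. The sample senders are constructed, the hash lookup is a simplified model of access(5), and only plain `/pattern/ result` table lines are handled.

```python
import re

# Constructed tables in pcre_table(5) form "/pattern/ result", using the
# pattern from the thread with and without the trailing '$'.
UNANCHORED = r"/@scripkabox\.com/ OK"
ANCHORED = r"/@scripkabox\.com$/ OK"
# Hash-style table with exact, lower-case keys (simplified model of access(5)).
HASH = {"scripkabox.com": "OK"}

# Constructed sender addresses.
SENDERS = [
    "billing@scripkabox.com",
    "Billing@SCRIPKABOX.COM",
    "x@scripkabox.communicate.with.me",
    "x@scripkabox.com.example.net",
    "x@notscripkabox.com",
]


def parse_pcre_table(text):
    """Return [(compiled_regex, result)] for each '/pattern/ result' line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S.*)$", line)
        if m is None:
            raise ValueError("unsupported table line: %r" % line)
        # Postfix pcre tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def pcre_lookup(rules, address):
    """First pattern found anywhere in the address wins (substring search)."""
    for regex, result in rules:
        if regex.search(address):
            return result
    return None


def hash_lookup(table, address):
    """Simplified access(5) lookup: the full address, then the exact domain."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    return table.get(address) or table.get(domain)


def compare(senders=SENDERS):
    """Map each sender to (unanchored pcre, anchored pcre, hash) results."""
    unanchored = parse_pcre_table(UNANCHORED)
    anchored = parse_pcre_table(ANCHORED)
    return {
        s: (pcre_lookup(unanchored, s), pcre_lookup(anchored, s),
            hash_lookup(HASH, s))
        for s in senders
    }


if __name__ == "__main__":
    for sender, (loose, strict, exact) in compare().items():
        print("%-36s unanchored=%s anchored=%s hash=%s"
              % (sender, loose, strict, exact))
```

On a real system, `postmap -q ADDRESS pcre:/etc/postfix/sender_checks.pcre` runs the same kind of query against the actual table.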


[pfx] Re: Blocked Sender

2023-03-27 Thread Matus UHLAR - fantomas via Postfix-users

On 27.03.23 12:39, natan via Postfix-users wrote:

/etc/postfix/sender_checks.pcre
/@scripkabox\.com/

  

/etc/postfix/recipient_checks.pcre

smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
    reject_unknown_sender_domain
    ...

cat /etc/postfix/sender_checks.pcre
/@domain\.ltd/ OK

  

which one is it then?

In any case I recommend using hash tables, or putting '$' at the end of RE, 
so it doesn't match e.g. "scripkabox.communicate.with.me"




On 26.03.2023 at 21:52, Doug Hardie via Postfix-users wrote:
I have a specific email sender that is getting the error "Sender 
addresses rejected: Domain not found".  Sure enough DNS provides no 
response for that domain.  If I drop off the first part of the 
domain name, then DNS returns a response.  However, the organization 
is using the complete name which means the emails are dropped.  I 
know the proper solution is to have the originator fix their DNS, 
but that is not going to happen in the near term.  I have tried 
various ways for a temporary fix, but none have worked so far.  I 
don't want to remove the "reject_unknown_sender_domain" function as 
it gets used properly a lot.  Is there some way I can get postfix to 
accept these for local delivery?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)


[pfx] Re: question on relay_domains

2023-03-27 Thread fh--- via Postfix-users

On 2023-03-27 19:23, Matus UHLAR - fantomas via Postfix-users wrote:

On 27.03.23 18:08, fh--- via Postfix-users wrote:

I plan to add a backup mx for the domain.
When I checked the doc for "relay_domains" which says,

Note: Postfix will not automatically forward mail for domains that 
list this system as their primary or backup MX host. See the 
permit_mx_backup restriction in the postconf(5) manual page.


This is for domains that are NOT in your relay_domains list.


I can't understand this point. Can you help?


If you put "permit_mx_backup" into smtpd_recipient_restrictions or 
smtpd_relay_restrictions, your server will behave as MX backup for any 
domain.


you can restrict this by configuring permit_mx_backup_networks, in which 
case your server will behave as backup MX only for domains that point 
into IP addresses listed there.


so, if you have two servers with multiple domains, you can put the 
primary IP Address into permit_mx_backup_networks and configure 
permit_mx_backup restriction on the backup server. all domains pointing 
to your primary will be accepted by your secondary.


Thanks a lot. That describes it clearly.


[pfx] Re: destination based rate limiting

2023-03-27 Thread fh--- via Postfix-users

On 2023-03-27 19:21, Gino Ferguson via Postfix-users wrote:

Hi,


How can one set up outbound rate limiting for a certain mail service 
provider?


Can postfix 'recognise' that recipientdomainA, recipientdomainB and 
recipientdomainC are hosted at the same mail service provider 
(bigmxprovider.com) so this limiting must be applied automatically?




You can use this one:
/usr/bin/python3 /usr/bin/policyd-rate-limit

regards.


[pfx] Re: question on relay_domains

2023-03-27 Thread Matus UHLAR - fantomas via Postfix-users

On 27.03.23 18:08, fh--- via Postfix-users wrote:

I plan to add a backup mx for the domain.
When I checked the doc for "relay_domains" which says,

Note: Postfix will not automatically forward mail for domains that 
list this system as their primary or backup MX host. See the 
permit_mx_backup restriction in the postconf(5) manual page.


This is for domains that are NOT in your relay_domains list.


I can't understand this point. Can you help?


If you put "permit_mx_backup" into smtpd_recipient_restrictions or 
smtpd_relay_restrictions, your server will behave as MX backup for any 
domain.


you can restrict this by configuring permit_mx_backup_networks, in which case 
your server will behave as backup MX only for domains that point into IP 
addresses listed there.


so, if you have two servers with multiple domains, you can put the primary 
IP Address into permit_mx_backup_networks and configure permit_mx_backup 
restriction on the backup server. all domains pointing to your primary will 
be accepted by your secondary.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!
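
A simplified Python model of the behaviour described in this reply, added here and not part of the original thread or of Postfix's code: it covers only the MX-based part of the permit_mx_backup decision and shows what setting permit_mx_backup_networks changes. All domains, host names and addresses are constructed.

```python
import ipaddress

# Constructed DNS data (documentation names and address ranges only).
MX = {  # recipient domain -> [(preference, MX host)]
    "customer.example": [(10, "mx1.primary.example"), (20, "backup.example")],
    "stranger.example": [(10, "mail.stranger.example"), (50, "backup.example")],
    "own.example": [(10, "backup.example")],
    "other.example": [(10, "mx.other.example")],
}
A = {  # MX host -> address
    "mx1.primary.example": "192.0.2.10",
    "backup.example": "198.51.100.5",
    "mail.stranger.example": "203.0.113.77",
    "mx.other.example": "203.0.113.80",
}
LOCAL_HOST = "backup.example"  # the server that evaluates permit_mx_backup


def permit_mx_backup(domain, backup_networks=()):
    """Would this server accept mail for `domain` as its backup MX?

    backup_networks models permit_mx_backup_networks; empty means the
    parameter is unset, so there is no restriction on the primary MX.
    """
    records = sorted(MX.get(domain, []))
    if not records:
        return False
    if LOCAL_HOST not in [host for _, host in records]:
        return False  # this server is not listed as MX at all
    best = records[0][0]
    primaries = [host for pref, host in records if pref == best]
    if LOCAL_HOST in primaries:
        return False  # this server is the primary MX, not a backup
    if not backup_networks:
        return True  # any domain that lists this server as backup MX
    nets = [ipaddress.ip_network(n) for n in backup_networks]
    # Restricted: the primary MX must resolve into one of the listed networks.
    return any(ipaddress.ip_address(A[host]) in net
               for host in primaries for net in nets)


def decisions(backup_networks=()):
    """Decision for every constructed domain under the given restriction."""
    return {domain: permit_mx_backup(domain, backup_networks) for domain in MX}


if __name__ == "__main__":
    for label, nets in (("unrestricted", ()),
                        ("restricted", ("192.0.2.10/32",))):
        print(label, decisions(nets))
```

Without the restriction, stranger.example is accepted merely because its DNS lists this server as a lower-priority MX; with the primary's address in permit_mx_backup_networks only customer.example is.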


[pfx] destination based rate limiting

2023-03-27 Thread Gino Ferguson via Postfix-users
Hi,


How can one set up outbound rate limiting for a certain mail service provider? 

Can postfix 'recognise' that recipientdomainA, recipientdomainB and 
recipientdomainC are hosted at the same mail service provider 
(bigmxprovider.com) so this limiting must be applied automatically? 

The destination is not immediately obvious by the recipient domain's name and 
it would be enormous work to maintain such a list manually.


Thank you,
Gino


[pfx] Re: Blocked Sender

2023-03-27 Thread natan via Postfix-users

Hi
Maybe this helps you:

/etc/postfix/sender_checks.pcre
/@scripkabox\.com/
/etc/postfix/recipient_checks.pcre

smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
    reject_unknown_sender_domain
    ...

cat /etc/postfix/sender_checks.pcre
/@domain\.ltd/ OK

On 26.03.2023 at 21:52, Doug Hardie via Postfix-users wrote:
I have a specific email sender that is getting the error "Sender 
addresses rejected: Domain not found".  Sure enough DNS provides no 
response for that domain.  If I drop off the first part of the domain 
name, then DNS returns a response.  However, the organization is using 
the complete name which means the emails are dropped.  I know the 
proper solution is to have the originator fix their DNS, but that is 
not going to happen in the near term.  I have tried various ways for a 
temporary fix, but none have worked so far.  I don't want to remove 
the "reject_unknown_sender_domain" function as it gets used properly a 
lot.  Is there some way I can get postfix to accept these for local 
delivery?


-- Doug




[pfx] question on relay_domains

2023-03-27 Thread fh--- via Postfix-users

Hi

I plan to add a backup mx for the domain.
When I checked the doc for "relay_domains" which says,

Note: Postfix will not automatically forward mail for domains that list 
this system as their primary or backup MX host. See the permit_mx_backup 
restriction in the postconf(5) manual page.




I can't understand this point. Can you help?
Thanks.


[pfx] Re: Blocked Sender

2023-03-27 Thread Jaroslaw Rafa via Postfix-users
On 27.03.2023 at 00:10:08, Doug Hardie via Postfix-users wrote:
> 
> The first thing I noticed is that smtpd accesses some of the tables.  That
> I didn't expect based on the README.  I don't think it is using those
> tables to rewrite addresses, but it is not obvious why it accesses them. 

It accesses them to check if the recipient exists - if not, it has to reject
the mail.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Requesting A Sanity Check, Please, + A Couple Of Qs

2023-03-27 Thread raf via Postfix-users
On Thu, Mar 23, 2023 at 05:58:13PM +1100, duluxoz via Postfix-users 
 wrote:

> Hi All,
> 
> TL:DR: Could someone(s) please have a look-see at our config as a sanity
> check for us, and also answer the questions at the end of this post -
> thanks.

Hi, I probably can't help with everything but I'll see
what I can do.

> So we're finally putting in an email stack and while I've read just about
> every tutorial I can find on the web - and read *all* of the Postfix
> documentation (yes, my brains *are* leaking out my ears :-) ) - we've got a
> somewhat complex environment and none of the online tutorials cover exactly
> how we're set up. Oh, our entire set-up is covered across multiple
> tutorials, but not one single tutorial covers everything, so we've had to do
> a bit of a "mix-and-match" to achieve what we want, and I'm a bit worried
> about (actually I'm scared sh!tless of) our domains ending up on Blacklists.
> 
> So we're hoping that someone (or someones) would be kind enough to have a
> look-see at our (primarily Postfix) config as a "2nd set of eyes", a "sanity
> check", and/or a "wise old postfix admin" and let us know if we've
> "fire-trucked" things up in any way.
> 
> Our Environment
> ---
> 
> Note: All of the following is currently working without issue, both for the
> internal network and for the external Internet.
> 
> - We have a single internal domain: example.local
> - We use the following private IP networks:
>   - DMZ - 192.168.1.0/24
>   - Internal - 192.168.2.0/24
> - We currently have the below servers on the indicated IP addresses (Note:
> these are the relevant hosts; there are more/others in the domain as well):
>   - dns-external.example.local - 192.168.1.10
>   - dns-internal.example.local - 192.168.2.10
>   - freeipa.example.local - 192.168.2.11
>   - haproxy.example.local - 192.168.1.11
>   - mysql.example.local - 192.168.2.12
>   - www.example.local - 192.168.2.13
> - There is a Gateway/NAT box on the network perimeter:
>   - External IP - 1.2.3.4 (ie *not* the real IP address)
>   - Internal IP - 192.168.1.1
> - All of the internal hosts have a FreeIPA certificate assigned to them (ie
> we run our own internal Certificate Authority)
> - The internal FreeIPA certificates are being renewed automatically.
> - We are running a Split-Horizon DNS set-up.
> - We have the below four external-facing domains:
>   - example.com
>   - example.net
>   - example.biz
>   - example.org
> - We have a wildcard certificate from Let's Encrypt (LE) for each of the
> external domains - ie there are four certificates
> - haproxy.example.local is acting as a bastion host
>   - (we're thinking of loading Fail2Ban on it, but haven't done so yet as
> the Gateway/NAT box is keeping things under control at the moment - but it's
> not really designed for that hence thinking about Fail2Ban).
> - Currently all inbound traffic (except for DNS queries to the
> external-facing DNS host (dns-external.example.local)) passes through
> haproxy.example.local before being forwarded to the relevant internal
> server. At the moment this is primarily web traffic (for our multiple
> websites).
> - dns-external.example.local has the correct zones set up for the external
> domains (including mx records)
> - haproxy.example.local is the termination point for all inbound (ie web)
> TLS traffic - ie this is the host where the LE certificates are located.
> - The LE certificates are being renewed automatically.
> 
> Desired Outcome
> ---
> 
> - A "mail-stack" server (mail.example.local - 192.168.2.14) with Postfix,
> Dovecot, ClamAV, OpenDKIM, OpenDMARC, and SpamAssassin (with Pyzor and
> Razor) installed
> - We are using Postfix version 3.7.4
> - We are using Dovecot version 2.3.20
> - All domains will be Virtual Mailbox Domains
> - All users will be Virtual Users
> - Mailboxes will be Maildir style mailboxes
> - The local email user account is vmail:vmail
> - MySQL (ie mysql.example.local) will be used as the primary data
> store/source (except for actual emails, of course)
> - The LE certificates are being periodically scp'd automatically from
> haproxy.example.local to mail.example.local (this is currently working)
> - A Null Client Postfix install on all other hosts for forwarding reports,
> web app emails, etc, to mail.example.local for further
> processing/forwarding/dovecot-delivery/etc. (This config can be provided if
> requested, but should not be required for this discussion.)
> - All internal inbound mail will be sent/forwarded to mail.example.local
>   - By the above mentioned Null Client Postfix instances
>   - By Dovecot for user emails
> - All mail for local delivery will be forwarded to Dovecot
> - All external inbound mail will be routed via HAProxy
> (haproxy.example.local)
> - The use of an SNI Map for the external domains (to ensure we use the
> correct LE certificate)
> - All outbound mail needs to be forwarded to a mail relay service (eg
> www.sendinblue.com) because our ISP will 

[pfx] Re: Blocked Sender

2023-03-27 Thread Doug Hardie via Postfix-users


> On Mar 26, 2023, at 16:23, Viktor Dukhovni via Postfix-users 
>  wrote:
> 
>>  ...
> 
> Well, this does not have the "inline:{{...}}" guard.
> 
>>>   incoming_smtpd_restrictions =
>>>   check_policy_service inet:127.0.0.1:10040,
>>>   reject_invalid_hostname,
>>>   reject_non_fqdn_sender,
>>>   reject_non_fqdn_recipient,
>>>   check_sender_access inline:{
>>>   {digitalinsight.firefightersfirstcreditunion.org = 
>>> permit_auth_destination}
>>>   },
>>>   reject_unknown_sender_domain,
> 
>> 
> 
> You can now either whitelist the client IP, or exclude the domain
> name from tests of DNS existence.  Use whatever you think is most
> manageable (I'd go with exempting the name).

I decided to go with exempting the name as shown above.  It works.  However, I 
have been studying the recommended:

http://www.postfix.org/ADDRESS_REWRITING_README.html

I am beginning to understand how the tables are used now.  I made a list in the 
order shown in that page and came to the initial conclusion that all I needed 
was the virtual aliasing tables.  I don't need any of the canonical, 
masquerading, or bcc functions.  That should be all I need to get a received 
email into the queue properly.  To test this, I started up ktrace on the master 
process and all its siblings, and then sent in an email.  Grabbing the NAMI 
entries from the output, removing the non-postfix entries and the duplicates 
yields a small list:

 18128 postscreen      NAMI  "/var/db/postfix"
 18128 postscreen      NAMI  "/var/db/postfix/postscreen_cache.db"
 18129 smtpd           NAMI  "/usr/local/etc/postfix/aliases.db"
 18129 smtpd           NAMI  "/usr/local/etc/postfix/vmail_aliases.db"
 18129 smtpd           NAMI  "/usr/local/etc/postfix/vcsc_aliases.db"
 18129 smtpd           NAMI  "/usr/local/etc/postfix/lafn_aliases.db"
 18129 smtpd           NAMI  "/usr/local/mailman/data/aliases.db"
 18129 smtpd           NAMI  "/usr/local/etc/postfix/vmail_mailbox.db"
 18129 smtpd           NAMI  "/usr/local/etc/postfix/tempfail.db"
 18131 trivial-rewrite NAMI  "/usr/local/etc/postfix/vmail_aliases.db"
 18131 trivial-rewrite NAMI  "/usr/local/etc/postfix/vcsc_aliases.db"
 18131 trivial-rewrite NAMI  "/usr/local/etc/postfix/lafn_aliases.db"
 18131 trivial-rewrite NAMI  "/usr/local/mailman/data/aliases.db"
 18131 trivial-rewrite NAMI  "/usr/local/etc/postfix/vmail_domains.db"
 18131 trivial-rewrite NAMI  "/usr/local/etc/postfix/relocated.db"
 18132 cleanup         NAMI  "/usr/local/etc/postfix/vmail_aliases.db"
 18132 cleanup         NAMI  "/usr/local/etc/postfix/vcsc_aliases.db"
 18132 cleanup         NAMI  "/usr/local/etc/postfix/lafn_aliases.db"
 18132 cleanup         NAMI  "/usr/local/mailman/data/aliases.db"
 18133 local           NAMI  "/usr/local/etc/postfix/aliases.db"
 18133 local           NAMI  "/usr/local/etc/postfix/aliases.db"

The first thing I noticed is that smtpd accesses some of the tables.  That I 
didn't expect based on the README.  I don't think it is using those tables to 
rewrite addresses, but it is not obvious why it accesses them.  The aliases, 
vmail_aliases, lafn_aliases, and mailman/data/aliases are all in the 
virtual_address_maps.  I have them split into multiple files to make 
maintenance easier.  smtpd accesses the vmail_mailbox table 
(virtual_mailbox_maps) also.  It would appear that is required, but I don't see 
why.  trivial-rewrite appears to be what I expected.  I don't use relocated 
entries at this time, but I can see why it would use them.  The rest of the 
entries seem obvious.

-- Doug



