[pfx] Re: Postfix: running a script on authentication failure
On 23/06/23 07:05, André Rodier via Postfix-users wrote:
> Is there any way, with postfix, to run a script on authentication
> failure, with information like the IP address and the username passed,
> for instance.

You can write your script up as a policy daemon and have it listen on an inet or unix socket (you can use the spawn daemon for this), then do something like this:

    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        check_policy_service unix:private/policy,
        reject

The policy service will only be called if sasl auth fails, make sure that the policy service returns a response of either REJECT or DUNNO and it should be called with all of the relevant info you want.

See SMTPD_POLICY_README, access(5) and spawn(8).

Peter
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
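A sketch of the kind of policy daemon described in the message above, as an added example that is not part of the original post. It reads the name=value request format documented in SMTPD_POLICY_README, logs the client details and always answers DUNNO so the following `reject` still applies; the script path and the choice of logged attributes are assumptions.

```python
#!/usr/bin/env python3
# Added example: a policy delegate for "check_policy_service unix:private/policy".
# Assumed master.cf entry (script path is hypothetical):
#   policy unix - n n - 0 spawn user=nobody argv=/usr/local/bin/auth_policy.py
import sys
import syslog

LOGGED = ("client_address", "client_name", "helo_name", "sender", "recipient")

def parse_request(stream):
    """Read one request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\n")
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:  # skip malformed lines that carry no '='
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return (action, log message). DUNNO hands control to the next restriction."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO", None
    # repr() keeps client-supplied values (HELO, sender) from forging log lines.
    fields = " ".join("%s=%r" % (k, attrs.get(k, "")) for k in LOGGED)
    return "DUNNO", "unauthenticated %s: %s" % (attrs.get("protocol_state", "?"), fields)

def to_syslog(message):
    syslog.syslog(syslog.LOG_MAIL | syslog.LOG_WARNING, message)

def serve(stdin=sys.stdin, stdout=sys.stdout, log=to_syslog):
    """Answer requests until Postfix closes the connection (EOF)."""
    while True:
        attrs = parse_request(stdin)
        if not attrs:
            break
        action, message = decide(attrs)
        if message:
            log(message)
        stdout.write("action=%s\n\n" % action)
        stdout.flush()

if __name__ == "__main__":
    serve()
```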
[pfx] Re: Anyone using SMTP relay through dnsexit.com?
On 6/23/23 17:13, Christian Kivalo via Postfix-users wrote:
> Your lookup key is missing the [ ] you used for the relayhost setting.
> This results in no authentication to the dnsexit relay.
>
> This is described in the section "Enabling SASL authentication in the
> Postfix SMTP/LMTP client" of the SASL README file at
> https://www.postfix.org/SASL_README.html#client_sasl_enable

You're correct, and that did fix it. Their FAQ had it that way and I didn't question it. Theirs was the only dns name I've used that had the brackets around it, so I didn't realize it was important in both places. And after almost a week of talking this over with their support folks... Guess I'll let them know how to fix their FAQ.

Many thanks!
[pfx] Re: Anyone using SMTP relay through dnsexit.com?
> My settings main.cf:
>
> relayhost = [relay.dnsexit.com]:587
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options =
>
> And my sasl_passwd file (and yes, I did do a postmap after my changes)
>
> relay.dnsexit.com:587 myusername:mypassword

Your lookup key is missing the [ ] you used for the relayhost setting. This results in no authentication to the dnsexit relay.

This is described in the section "Enabling SASL authentication in the Postfix SMTP/LMTP client" of the SASL README file at https://www.postfix.org/SASL_README.html#client_sasl_enable

--
Christian Kivalo
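The mismatch diagnosed above can be checked mechanically. The following is an added example, not code from the thread or from Postfix: it compares the `relayhost` value with the keys of the password file and flags keys that differ only by the square brackets. The function names are hypothetical, and the sample inputs are the settings quoted in this thread.

```python
def parse_main_cf(text):
    """Return {name: value} from main.cf text, joining continuation lines."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:  # indented line continues the previous one
            params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params

def passwd_keys(text):
    """Return the lookup keys (first field) of a sasl_passwd source file."""
    return [line.split(None, 1)[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def strip_brackets(dest):
    return dest.replace("[", "").replace("]", "")

def check_relay_key(main_cf, sasl_passwd):
    """Return (status, keys): 'ok', 'bracket-mismatch', 'missing' or 'no-relayhost'."""
    relayhost = parse_main_cf(main_cf).get("relayhost", "")
    if not relayhost:
        return "no-relayhost", []
    keys = passwd_keys(sasl_passwd)
    if relayhost in keys:  # same form in both places, as the reply requires
        return "ok", [relayhost]
    near = [k for k in keys if strip_brackets(k) == strip_brackets(relayhost)]
    return ("bracket-mismatch", near) if near else ("missing", [])

# Settings as posted in the thread.
MAIN_CF = """relayhost = [relay.dnsexit.com]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
"""
SASL_PASSWD = "relay.dnsexit.com:587 myusername:mypassword\n"

if __name__ == "__main__":
    print(check_relay_key(MAIN_CF, SASL_PASSWD))
```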
[pfx] Anyone using SMTP relay through dnsexit.com?
Hey all.

Recently my ISP (Spectrum) decided (after this was working for me for almost 20 years) to make it impossible for a self hosted domain to relay through their SMTP server unless it was actually a spectrum.com email address being used. After going back and forth with them to try to find a workaround, I had to give up and look elsewhere.

My next stop was with dnsexit.com. Despite following their FAQ on postfix setup (http://www.dnsexit.com/support/mailrelay/postfix.html), I kept getting the dreaded 454, Relay access denied error message when attempting to send. I verified all of my settings with their support but still couldn't relay through them, even though I had working settings previously for Spectrum (mail.twc.com).

Finally, I set up an account with smtp2go.com, jumped through their hoops to set up various cname records for my domain, and once that was done, I was able to relay a test email through them on the first try. So, everything seemed to point to some issue with the dnsexit folks.

My question for the list is, is anyone here relaying via dnsexit.com, and if so, did you have similar issues that got resolved? I'd rather use their service if possible as they are currently handling my dynamic DNS.

My settings main.cf:

relayhost = [relay.dnsexit.com]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =

And my sasl_passwd file (and yes, I did do a postmap after my changes)

relay.dnsexit.com:587 myusername:mypassword

And finally, what was logged here:

Jun 21 14:39:11 localhost postfix/smtp[191554]: 3F46E412E057: host relay.dnsexit.com[64.182.102.186] said: 454 4.7.1 : Relay access denied (in reply to RCPT TO command)
Jun 21 14:39:12 localhost postfix/smtp[191554]: 3F46E412E057: to=, relay=relay.dnsexit.com[64.182.102.185]:587, delay=78570, delays=78569/0.04/1.2/0.12, dsn=4.7.1, status=deferred (host relay.dnsexit.com[64.182.102.185] said: 454 4.7.1 : Relay access denied (in reply to RCPT TO command))
[pfx] Re: Mail delivery to a higher priority MX record for a given domain.
anant--- wrote:
> For a domain, we are finding in logs that, for most of the mails,
> mails are getting delivered to a server of remote domain having lower
> priority MX record. For some mails, the mail is getting delivered to
> higher priority MX record server even though lower priority MX record
> is reachable (we assume). How do I debug to prove that, at that point
> of delivery, lower priority MX record server is not reachable or
> unable to deliver to lower priority MX record server?

I read that and it is ambiguous to me if you are looking at the sending side wanting to know why your server is sending to the lower priority MX relay /OR/ if you are looking at the server side wanting to know why you are receiving mail on the lower priority mx relay. This is an important difference in the question and therefore in the responses.

In either case as long as multiple MX relays are configured then mail will be sent to both and both must be fully configured to receive mail for the domain. This includes configuring relay_domains and relay_recipient_maps correctly.

There is very little reason to configure multiple MX relays in the present age and state of Internet connectivity. If having multiple MX relays causes problems or confusion then reducing to exactly one where everything is simplified should be sufficient for all but the largest of email handling sites.

Spammers often target lower priority MX relays with the expectation that they will be misconfigured.

Bob
[pfx] Re: Postfix: running a script on authentication failure
On 6/23/23 04:26, Luciano Mannucci via Postfix-users wrote:
> On Thu, 22 Jun 2023 21:05:35 +0200
> André Rodier via Postfix-users wrote:
>
>> What are you using on your side ?
>
> I have a small script that scans the log for failed login attempts,
> banning the offending ip via firewall if it sees more than a certain
> number of attempts (initially set to 24, now lowered to 22).
> It runs every 2 minutes and seems quite effective: in 10 years I've
> had just one false positive (so far) that I had to set free by hand.

You can also lower the threshold of failed attempts in fail2ban as well. I have a long list of banned ip addresses in my system. I've also changed the length of time addresses get banned for from hours to months.

--Curtis
[pfx] Re: Mail delivery to a higher priority MX record for a given domain.
anant--- via Postfix-users:
> Hello,
>
> For a domain, we are finding in logs that, for most of the mails,
> mails are getting delivered to a server of remote domain having lower
> priority MX record. For some mails, the mail is getting delivered to
> higher priority MX record server even though lower priority MX record
> is reachable (we assume). How do I debug to prove that, at that point
> of delivery, lower priority MX record server is not reachable or
> unable to deliver to lower priority MX record server?

The Postfix SMTP client logs all connection attempts, starting with the most preferred MX host(s), until it reaches a remote SMTP server that accepts or rejects the recipient and message content.

Wietse
[pfx] Re: Postfix: running a script on authentication failure
On Thu, 22 Jun 2023 21:05:35 +0200
André Rodier via Postfix-users wrote:

> What are you using on your side ?

I have a small script that scans the log for failed login attempts, banning the offending ip via firewall if it sees more than a certain number of attempts (initially set to 24, now lowered to 22). It runs every 2 minutes and seems quite effective: in 10 years I've had just one false positive (so far) that I had to set free by hand.

Cheers,

Luciano.
--
 /"\                         /Via A. Salaino, 7 - 20144 Milano (Italy)
 \ /  ASCII RIBBON CAMPAIGN / PHONE : +39 02485781 FAX: +39 0248028247
  X   AGAINST HTML MAIL    / E-MAIL: posthams...@sublink.sublink.org
 / \  AND POSTINGS        / WWW: http://www.lesassaie.IT/
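The log-scanning approach described in the message above, as an added example that is not the poster's script. It counts Postfix "SASL ... authentication failed" warnings per client address and returns the addresses that exceed the threshold of 22 mentioned in the post, skipping an allowlist to limit false positives; the log lines are constructed samples and the allowlist default is an assumption.

```python
import ipaddress
import re
from collections import Counter

# smtpd warning written when a SASL login attempt fails.
FAILED = re.compile(
    r"postfix/\S*smtpd\[\d+\]: warning: \S+\[([0-9A-Fa-f:.]+)\]: "
    r"SASL \S+ authentication failed")

def offenders(lines, threshold=22, allow=("127.0.0.0/8", "::1/128")):
    """Return sorted client addresses with more than `threshold` failures."""
    nets = [ipaddress.ip_network(n) for n in allow]
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # bracketed text that is not an address
            continue
        if any(ip in net for net in nets):  # never ban allowlisted clients
            continue
        counts[str(ip)] += 1
    return sorted(ip for ip, n in counts.items() if n > threshold)

def _fail(ip, n):
    """Build n constructed failure lines for one client address."""
    line = ("Jun 21 14:39:11 mail postfix/smtpd[4242]: warning: "
            "unknown[%s]: SASL LOGIN authentication failed: (constructed)" % ip)
    return [line] * n

# Constructed sample: one heavy offender, one light one, one allowlisted host.
SAMPLE = (_fail("203.0.113.5", 23) + _fail("198.51.100.7", 3)
          + _fail("127.0.0.1", 30)
          + ["Jun 21 14:39:12 mail postfix/smtpd[4242]: "
             "disconnect from unknown[198.51.100.7]"])

if __name__ == "__main__":
    for address in offenders(SAMPLE):
        print(address)  # hand these to the firewall or ban list of your choice
```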
[pfx] Re: Mail delivery to a higher priority MX record for a given domain.
On 23.06.23 09:34, anant--- via Postfix-users wrote:
> For a domain, we are finding in logs that, for most of the mails,
> mails are getting delivered to a server of remote domain having lower
> priority MX record.

smtp connection caching may lead to this behaviour.

> For some mails, the mail is getting delivered to higher priority MX
> record server even though lower priority MX record is reachable (we
> assume). How do I debug to prove that, at that point of delivery,
> lower priority MX record server is not reachable or unable to deliver
> to lower priority MX record server?

can you check it instead?

running tcpdump on port 25 could show if connections are attempted. Running tcpdump on port 53 could show if you get proper DNS records, compare them to SMTP attempts

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.
[pfx] Re: spamlist checks
On 23.06.23 05:14, Fourhundred Thecat via Postfix-users wrote:
> does anybody have experience with checking and removing email
> addresses from spam lists?
>
> I got this when sending email:
>
> SMTP error from remote server for RCPT TO command, host:
> mailrelay.nova.gr (80.245.166.6) reason: 550 Rule imposed as ***@***
> is blacklisted on Spamhaus - see www.spamhaus.org

spamhaus has domain block list, and this looks like the mail sender is on that blacklist

> Spamhaus has some removal form on their website, but the page does
> not work for me (it is stuck at: Checking if the site connection is
> secure)

this is a shitty protection from cloudflare, often hits on some browsers etc.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.