[pfx] Re: SASL login username in log

2024-05-28 Thread Northwind via Postfix-users




Wietse Venema via Postfix-users:

Fixed with Postfix 3.8.3, 3.7.8, 3.6.12, 3.5.22:


That's all right. Thank you, Wietse.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 10:11 PM, Viktor Dukhovni via Postfix-users wrote:

On Wed, May 29, 2024 at 11:58:31AM +1000, Viktor Dukhovni via Postfix-users 
wrote:


You might in fact want to reject XBL IPs early, before they even
attempt authentication.  So I have:

 465        inet  n       -       n       -       -       smtpd
     -o smtpd_delay_reject=no
     -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
     ...

 submission inet  n       -       n       -       -       smtpd
     -o smtpd_delay_reject=no
     -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
     -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject


Example logs showing early enforcement for the above:

 postfix/smtps/smtpd[3583655]: connect from unknown[115.44.140.188]
 postfix/smtps/smtpd[3583655]: Anonymous TLS connection established from unknown[115.44.140.188]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 postfix/smtps/smtpd[3583655]: NOQUEUE: reject: CONNECT from unknown[115.44.140.188]: 554 5.7.1 Service unavailable; Client host [115.44.140.188] blocked using zen.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/115.44.140.188 / Listed by CSS, see https://check.spamhaus.org/query/ip/115.44.140.188; proto=SMTP
 postfix/smtps/smtpd[3583655]: lost connection after CONNECT from unknown[115.44.140.188]
 postfix/smtps/smtpd[3583655]: disconnect from unknown[115.44.140.188] commands=0/0

 postfix/submission/smtpd[3583513]: connect from burger.census.shodan.io[66.240.219.146]
 postfix/submission/smtpd[3583513]: NOQUEUE: reject: CONNECT from burger.census.shodan.io[66.240.219.146]: 554 5.7.1 Service unavailable; Client host [66.240.219.146] blocked using zen.spamhaus.org; Listed by CSS, see https://check.spamhaus.org/query/ip/66.240.219.146 / Listed by XBL, see https://check.spamhaus.org/query/ip/66.240.219.146; proto=SMTP
 postfix/submission/smtpd[3583513]: lost connection after CONNECT from burger.census.shodan.io[66.240.219.146]
 postfix/submission/smtpd[3583513]: disconnect from burger.census.shodan.io[66.240.219.146] ehlo=0/1 commands=0/1

The wrapper-mode TLS "smtps" rejects are naturally after the TLS handshake.



465        inet  n       -       n       -       -       smtpd
    -o smtpd_delay_reject=no
    -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    ...

submission inet  n       -       n       -       -       smtpd
    -o smtpd_delay_reject=no
    -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
    -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

All set up this way.
I will let it run overnight and see what hits.

Thank you
--john



[pfx] Re: Masters.cf

2024-05-28 Thread Viktor Dukhovni via Postfix-users
On Tue, May 28, 2024 at 10:03:05PM -0400, John Hill via Postfix-users wrote:

> Mail all works but I still can't block these SASL attempts.

To block SASL authentication attempts (rather than mail transactions),
you need to do the RBL check in "smtpd_client_restrictions", and have
"smtpd_delay_reject=no", per my just posted follow up.

-- 
Viktor.


[pfx] Re: Masters.cf

2024-05-28 Thread Viktor Dukhovni via Postfix-users
On Wed, May 29, 2024 at 11:58:31AM +1000, Viktor Dukhovni via Postfix-users 
wrote:

> You might in fact want to reject XBL IPs early, before they even
> attempt authentication.  So I have:
> 
> 465        inet  n       -       n       -       -       smtpd
>     -o smtpd_delay_reject=no
>     -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
>     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>     ...
> 
> submission inet  n       -       n       -       -       smtpd
>     -o smtpd_delay_reject=no
>     -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
>     -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
> 

Example logs showing early enforcement for the above:

postfix/smtps/smtpd[3583655]: connect from unknown[115.44.140.188]
postfix/smtps/smtpd[3583655]: Anonymous TLS connection established from unknown[115.44.140.188]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/smtps/smtpd[3583655]: NOQUEUE: reject: CONNECT from unknown[115.44.140.188]: 554 5.7.1 Service unavailable; Client host [115.44.140.188] blocked using zen.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/115.44.140.188 / Listed by CSS, see https://check.spamhaus.org/query/ip/115.44.140.188; proto=SMTP
postfix/smtps/smtpd[3583655]: lost connection after CONNECT from unknown[115.44.140.188]
postfix/smtps/smtpd[3583655]: disconnect from unknown[115.44.140.188] commands=0/0

postfix/submission/smtpd[3583513]: connect from burger.census.shodan.io[66.240.219.146]
postfix/submission/smtpd[3583513]: NOQUEUE: reject: CONNECT from burger.census.shodan.io[66.240.219.146]: 554 5.7.1 Service unavailable; Client host [66.240.219.146] blocked using zen.spamhaus.org; Listed by CSS, see https://check.spamhaus.org/query/ip/66.240.219.146 / Listed by XBL, see https://check.spamhaus.org/query/ip/66.240.219.146; proto=SMTP
postfix/submission/smtpd[3583513]: lost connection after CONNECT from burger.census.shodan.io[66.240.219.146]
postfix/submission/smtpd[3583513]: disconnect from burger.census.shodan.io[66.240.219.146] ehlo=0/1 commands=0/1

The wrapper-mode TLS "smtps" rejects are naturally after the TLS handshake.

-- 
Viktor.


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 9:58 PM, Viktor Dukhovni via Postfix-users wrote:

On Tue, May 28, 2024 at 09:32:29PM -0400, John Hill via Postfix-users wrote:


On 5/28/24 9:23 PM, Viktor Dukhovni via Postfix-users wrote:

-o { smtpd_recipient_restrictions =
  reject_rbl_client zen.spamhaus.org=127.0.0.4,
  reject_sender_login_mismatch,
  permit_sasl_authenticated,
  reject }


I had experimented and came close to this.

I will use it.

Question as I use zen 127.0.0.[2..11] on port 25

This includes the PBL, covering much of the "dynamic" ISP consumer
address space, including homes, hotels, airports, ...  You probably
don't want to block these.  The XBL (127.0.0.4) is a conservative
choice.  You might in fact want to reject XBL IPs early, before they
even attempt authentication.  So I have:

 465        inet  n       -       n       -       -       smtpd
     -o smtpd_delay_reject=no
     -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
     ...

 submission inet  n       -       n       -       -       smtpd
     -o smtpd_delay_reject=no
     -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
     -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

(The "permit_mynetworks" is for a couple of machine-to-machine submission use 
cases).



Mail all works but I still can't block these SASL attempts.

I use fail2ban to throw them into an SASL ass holes list.

Every number I check is listed in XBL PBL on Spamhaus

But it is not trying to check.


  -o { smtpd_recipient_restrictions =
  reject_rbl_client zen.spamhaus.org=127.0.0.4,
  reject_sender_login_mismatch,
  permit_sasl_authenticated,
      reject }


May 28 21:51:43 proteus.noach.com postfix/submission/smtpd[768476]: connect from unknown[136.41.160.87]
May 28 21:51:44 proteus.noach.com postfix/submission/smtpd[768476]: discarding EHLO keywords: CHUNKING
May 28 21:51:46 proteus.noach.com postfix/submission/smtpd[768476]: Anonymous TLS connection established from unknown[136.41.160.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 28 21:51:46 proteus.noach.com postfix/submission/smtpd[768476]: discarding EHLO keywords: CHUNKING
May 28 21:51:51 proteus.noach.com postfix/submission/smtpd[768476]: warning: unknown[136.41.160.87]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=clpow...@noach.com
May 28 21:51:51 proteus.noach.com postfix/submission/smtpd[768476]: too many errors after AUTH from unknown[136.41.160.87]
May 28 21:51:51 proteus.noach.com postfix/submission/smtpd[768476]: disconnect from unknown[136.41.160.87] ehlo=2 starttls=1 auth=0/1 commands=3/4



Thanks

--john



[pfx] Re: Masters.cf

2024-05-28 Thread Viktor Dukhovni via Postfix-users
On Tue, May 28, 2024 at 09:32:29PM -0400, John Hill via Postfix-users wrote:

> On 5/28/24 9:23 PM, Viktor Dukhovni via Postfix-users wrote:
> >-o { smtpd_recipient_restrictions =
> >  reject_rbl_client zen.spamhaus.org=127.0.0.4,
> >  reject_sender_login_mismatch,
> >  permit_sasl_authenticated,
> >  reject }
> 
> 
> I had experimented and came close to this.
> 
> I will use it.
> 
> Question as I use zen 127.0.0.[2..11] on port 25

This includes the PBL, covering much of the "dynamic" ISP consumer
address space, including homes, hotels, airports, ...  You probably
don't want to block these.  The XBL (127.0.0.4) is a conservative
choice.  You might in fact want to reject XBL IPs early, before they
even attempt authentication.  So I have:

465        inet  n       -       n       -       -       smtpd
    -o smtpd_delay_reject=no
    -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    ...

submission inet  n       -       n       -       -       smtpd
    -o smtpd_delay_reject=no
    -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
    -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

(The "permit_mynetworks" is for a couple of machine-to-machine submission use 
cases).

-- 
Viktor.


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 9:23 PM, Viktor Dukhovni via Postfix-users wrote:

   -o { smtpd_recipient_restrictions =
 reject_rbl_client zen.spamhaus.org=127.0.0.4,
 reject_sender_login_mismatch,
 permit_sasl_authenticated,
 reject }



I had experimented and came close to this.

I will use it.

Question as I use zen 127.0.0.[2..11] on port 25

I have only 10 users that should have access to port 587.

Why not use zen 127.0.0.[2..11] there as well?


Thanks

--john



[pfx] Re: Masters.cf

2024-05-28 Thread Viktor Dukhovni via Postfix-users
On Tue, May 28, 2024 at 08:18:06PM -0400, John Hill via Postfix-users wrote:

>  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_rbl_client=zen.spamhaus,org=127.0.0.4,reject
> 
> > I added an = after reject_rbl_client=

That's wrong, in multiple ways.

0. The RBL check should come first.
1. "reject_rbl_client" is separated from the DNS name and optional
"=" suffix by whitespace or commas.
2. Note the "," instead of "." before "org".

The correct definition is:

    -o { smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.4, permit_sasl_authenticated, reject }

You can split it over multiple logical (indented) lines for readability:

    -o { smtpd_recipient_restrictions =
            reject_rbl_client zen.spamhaus.org=127.0.0.4,
            permit_sasl_authenticated,
            reject }

The "permit_sasl_authenticated" is not optional.  If you want to enforce
a matching sender address based on the SASL login, you then need:

    -o { smtpd_recipient_restrictions =
            reject_rbl_client zen.spamhaus.org=127.0.0.4,
            reject_sender_login_mismatch,
            permit_sasl_authenticated,
            reject }

in that order.

-- 
Viktor.
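
The three syntax and ordering points in the message above, together with the follow-up advice in this thread to run the RBL check in "smtpd_client_restrictions" with "smtpd_delay_reject=no", can be checked mechanically. The script below is an added example, not part of the original post or of Postfix. Its finding codes and function names are made up for illustration, it reads only the -o overrides of one master.cf entry (main.cf is not consulted), and it models only reject_rbl_client.

```python
import re

# Constructed master.cf entries modelled on the variants quoted in this thread.
BROKEN = """\
submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_rbl_client=zen.spamhaus,org=127.0.0.4,reject
"""
LATE = """\
submission inet n - n - - smtpd
  -o { smtpd_recipient_restrictions =
       reject_rbl_client zen.spamhaus.org=127.0.0.4,
       permit_sasl_authenticated,
       reject }
"""
EARLY = """\
submission inet n - n - - smtpd
  -o smtpd_delay_reject=no
  -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
"""

# Hypothetical finding codes, used by this example only.
MESSAGES = {
    "RBL_EQUALS": "'reject_rbl_client=' found; the DNSBL name must follow "
                  "after whitespace or a comma, not '='",
    "STRAY_TOKEN": "unexpected 'name=value' token; check for ',' typed "
                   "instead of '.' in the DNSBL name",
    "RBL_AFTER_PERMIT": "permit_sasl_authenticated precedes the RBL check "
                        "in the same list",
    "RBL_AFTER_AUTH": "RBL check is not in smtpd_client_restrictions with "
                      "smtpd_delay_reject=no, so AUTH is attempted first",
}

# "-o name=value" or "-o { name = value with spaces }" (no nested braces).
OVERRIDE = re.compile(r"(?<!\S)-o\s+(?:\{\s*([^{}]*?)\s*\}|(\S+))")


def parse_overrides(entry):
    """Return {parameter: value} for the -o overrides of one master.cf entry."""
    text = " ".join(line.strip() for line in entry.splitlines()
                    if line.strip() and not line.lstrip().startswith("#"))
    overrides = {}
    for braced, bare in OVERRIDE.findall(text):
        name, _, value = (braced or bare).partition("=")
        overrides[name.strip()] = value.strip()
    return overrides


def lint_service(entry):
    """Return a sorted list of finding codes for one service entry."""
    overrides = parse_overrides(entry)
    findings = set()
    lists_with_rbl = []
    for name, value in overrides.items():
        if not name.endswith("_restrictions"):
            continue
        # Restrictions are separated by commas and/or whitespace.
        tokens = [t for t in re.split(r"[,\s]+", value) if t]
        rbl_at = sasl_at = None
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "reject_rbl_client":
                rbl_at = i if rbl_at is None else rbl_at
                i += 1  # skip the argument: DNSBL name with optional =filter
            elif tok.startswith("reject_rbl_client="):
                findings.add("RBL_EQUALS")
                rbl_at = i if rbl_at is None else rbl_at
            elif tok == "permit_sasl_authenticated":
                sasl_at = i if sasl_at is None else sasl_at
            elif "=" in tok:
                findings.add("STRAY_TOKEN")
            i += 1
        if rbl_at is not None:
            lists_with_rbl.append(name)
            if sasl_at is not None and sasl_at < rbl_at:
                findings.add("RBL_AFTER_PERMIT")
    if lists_with_rbl:
        early = ("smtpd_client_restrictions" in lists_with_rbl
                 and overrides.get("smtpd_delay_reject") == "no")
        if not early:
            findings.add("RBL_AFTER_AUTH")
    return sorted(findings)


if __name__ == "__main__":
    for label, entry in (("BROKEN", BROKEN), ("LATE", LATE), ("EARLY", EARLY)):
        codes = lint_service(entry)
        print(label, "->", "ok" if not codes else "")
        for code in codes:
            print("   ", code + ":", MESSAGES[code])
```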


[pfx] Re: Masters.cf

2024-05-28 Thread John Fawcett via Postfix-users


On 29/05/2024 02:18, John Hill via Postfix-users wrote:


On 5/28/24 8:10 PM, John Hill via Postfix-users wrote:


On 5/28/24 8:00 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:18:10 UTC-0400 (Tue, 28 May 2024 19:18:10 -0400)
John Hill via Postfix-users 
is rumored to have said:
[...

On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:

[...]

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by 
security policy.
Please check the message recipient "postfix-users@postfix.org" 
and try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6


It's not something in smtpd_sender_restrictions, but this is as the 
log says, a *Sender* stage failure. I don't see an XBL hit (which 
makes sense, given the private client address) or anything 
indicating a failure at the EHLO or client phases. I see from 
earlier in the thread that you have smtpd_sender_login_maps set and 
"Email blocked by security policy" seems like something you might 
get from that lookup failing. The session summary shows that you did 
authenticate but I see no indication of what your SASL login was. I 
suspect that if you perform a query on your database for the sender 
'jh...@noach.com' it will not return whatever login you 
authenticated as.
I also thought for a moment that the problem was due to having 
'permit_my_networks' before 'permit_sasl_authenticated' in 2 
restriction lists and you hence never needing to authenticate, but 
the session summary says otherwise. Note that if all of your 
submission clients use authentication, permit_my_networks is 
unnecessary.


I do not have a solution handy for you, but you have at least gotten 
beyond the XBL issue. It seems possible that you only need to 
harmonize the login used for authentication in Thunderbird with that 
in your sender login map database.


Yes close, I'll figure it out, trial and error!


Thanks

--john

this worked - I think
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_rbl_client=zen.spamhaus,org=127.0.0.4,reject

I added an = after reject_rbl_client=



--john

I doubt it. By the time smtpd_recipient_restrictions is evaluated there 
is the possibility that AUTH attempts have already been allowed. Benny's 
suggestion elsewhere in this thread looks correct to me (substituting 
his rbl with zen and return code 127.0.0.4).


John



[pfx] Re: Masters.cf

2024-05-28 Thread John Fawcett via Postfix-users


On 29/05/2024 01:11, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 18:50:11 UTC-0400 (Wed, 29 May 2024 00:50:11 +0200)
John Fawcett via Postfix-users 
is rumored to have said:

[...]

Hi John

I think you are missing the following in master.cf for the submission 
service


-o smtpd_delay_reject=no

Without that the smtpd_client_restrictions will not be evaluated when 
the client connects and so you will allow the connected client to try 
authentication.


That is not what is happening here. The order of restrictions within 
the same restriction list matters, and Postfix is careful about logic. 
If you put permit_sasl_authenticated ahead of reject_rbl_client, the 
permit must be able to   take effect without evaluating the reject 
condition. That demands allowing as many AUTH commands as your other 
config will allow to fail.



Hi Bill

You're right that the order matters and the reject_rbl_client should be 
the first restriction in smtpd_client_restrictions for the submission 
service. Actually it is probably the only one that is really needed.


I may be wrong but I don't believe that specifying 
permit_sasl_authenticated influences behaviour in allowing AUTH 
attempts. I believe it will just evaluate to permitting the access if at 
the time of the evaluation the user is authenticated.


John



[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 8:10 PM, John Hill via Postfix-users wrote:


On 5/28/24 8:00 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:18:10 UTC-0400 (Tue, 28 May 2024 19:18:10 -0400)
John Hill via Postfix-users 
is rumored to have said:
[...

On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:

[...]

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by 
security policy.
Please check the message recipient "postfix-users@postfix.org" and 
try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6


It's not something in smtpd_sender_restrictions, but this is as the 
log says, a *Sender* stage failure. I don't see an XBL hit (which 
makes sense, given the private client address) or anything indicating 
a failure at the EHLO or client phases. I see from earlier in the 
thread that you have smtpd_sender_login_maps set and "Email blocked 
by security policy" seems like something you might get from that 
lookup failing. The session summary shows that you did authenticate 
but I see no indication of what your SASL login was. I suspect that 
if you perform a query on your database for the sender 
'jh...@noach.com' it will not return whatever login you authenticated 
as.
I also thought for a moment that the problem was due to having 
'permit_my_networks' before 'permit_sasl_authenticated' in 2 
restriction lists and you hence never needing to authenticate, but 
the session summary says otherwise. Note that if all of your 
submission clients use authentication, permit_my_networks is 
unnecessary.


I do not have a solution handy for you, but you have at least gotten 
beyond the XBL issue. It seems possible that you only need to 
harmonize the login used for authentication in Thunderbird with that 
in your sender login map database.


Yes close, I'll figure it out, trial and error!


Thanks

--john

this worked - I think
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_rbl_client=zen.spamhaus,org=127.0.0.4,reject

I added an = after reject_rbl_client=



--john




[pfx] Re: Masters.cf

2024-05-28 Thread Bill Cole via Postfix-users

On 2024-05-28 at 19:23:19 UTC-0400 (Tue, 28 May 2024 19:23:19 -0400)
John Hill via Postfix-users 
is rumored to have said:

[...]

Dovecot log

May 28 19:00:45 proteus.noach.com dovecot[504384]: lmtp(504721): Connect from local
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth: Error: auth-worker: Aborted PASSL request for jh...@noach.com: Lookup timed out
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth-worker(504414): Error: sqlpool(mysql): Finished query 'SELECT email as user, password FROM virtual_users where email='jhill@noach.com';' in 60006 msecs: Query timed out (no free connections for 60 secs)
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth-worker(504414): Error: conn unix:auth-worker (pid=504400,uid=109): auth-worker<1>: sql(jh...@noach.com): Password query failed: Not connected to database
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth-worker(504414): Warning: conn unix:auth-worker (pid=504400,uid=109): Auth master disconnected us while handling request for jh...@noach.com for 60 secs (result=FAIL)
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth: Error: auth-worker: Auth request was queued for 55 seconds, 2 left in queue (see auth_worker_max_count)


Weird.

I do not understand why Postfix did not log that as an authentication 
failure. EXCEPT: that this is over a minute prior to the other log you 
showed.


This is a problem between Dovecot and your SQL database, and I sincerely 
wish you good luck on finding help with that.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 8:00 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:18:10 UTC-0400 (Tue, 28 May 2024 19:18:10 -0400)
John Hill via Postfix-users 
is rumored to have said:
[...

On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:

[...]

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by 
security policy.
Please check the message recipient "postfix-users@postfix.org" and 
try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6


It's not something in smtpd_sender_restrictions, but this is as the 
log says, a *Sender* stage failure. I don't see an XBL hit (which 
makes sense, given the private client address) or anything indicating 
a failure at the EHLO or client phases. I see from earlier in the 
thread that you have smtpd_sender_login_maps set and "Email blocked by 
security policy" seems like something you might get from that lookup 
failing. The session summary shows that you did authenticate but I see 
no indication of what your SASL login was. I suspect that if you 
perform a query on your database for the sender 'jh...@noach.com' it 
will not return whatever login you authenticated as.
I also thought for a moment that the problem was due to having 
'permit_my_networks' before 'permit_sasl_authenticated' in 2 
restriction lists and you hence never needing to authenticate, but the 
session summary says otherwise. Note that if all of your submission 
clients use authentication, permit_my_networks is unnecessary.


I do not have a solution handy for you, but you have at least gotten 
beyond the XBL issue. It seems possible that you only need to 
harmonize the login used for authentication in Thunderbird with that 
in your sender login map database.


Yes close, I'll figure it out, trial and error!


Thanks

--john




[pfx] Re: SASL login username in log

2024-05-28 Thread Wietse Venema via Postfix-users
Northwind via Postfix-users:
> Hello,
> 
> Is it possible to set mail.log for recording sasl login usernames?
> 
> May 29 06:52:45 mx postfix/smtps/smtpd[3022855]: warning: unknown[138.185.193.64]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:52:57 mx postfix/smtpd[3023133]: warning: unknown[49.156.148.93]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:03 mx postfix/smtps/smtpd[3022864]: warning: unknown[167.179.45.182]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:07 mx postfix/smtps/smtpd[3022912]: warning: unknown[165.227.46.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:08 mx postfix/smtps/smtpd[3022901]: warning: unknown[112.199.181.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:12 mx postfix/smtpd[3023133]: warning: unknown[58.23.17.120]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:14 mx postfix/smtps/smtpd[3022912]: warning: unknown[165.227.46.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:19 mx postfix/smtps/smtpd[3022869]: warning: unknown[58.174.79.124]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 
> For example, for the failed login events above, I want to know what 
> usernames they happened on.

https://www.postfix.org/announcements/postfix-3.8.3.html

Fixed with Postfix 3.8.3, 3.7.8, 3.6.12, 3.5.22:
...
  * Usability: the Postfix SMTP server (finally) attempts to log
the SASL username after authentication failure. In Postfix
logging, this appends ", sasl_username=xxx" after the reason
for SASL authentication failure. The logging replaces an
unavailable reason with "(reason unavailable)", and replaces
an unavailable sasl_username with "(unavailable)". Based on
code by Jozsef Kadlecsik.
...

Wietse
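
An added example (not part of the original post and not Postfix code) of consuming the log format described above: it parses SASL failure warnings in both the older form, which has only a reason, and the newer form with ", sasl_username=xxx", then groups them per client address. The sample lines are constructed, the function names are illustrative, and it assumes one log record per line.

```python
import re
from collections import defaultdict

# Constructed sample using documentation addresses. The first record is the
# older format (reason only); the rest carry the appended sasl_username field.
SAMPLE = """\
May 29 06:52:45 mx postfix/smtps/smtpd[3022855]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:53:01 mx postfix/smtps/smtpd[3022855]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=alice@example.com
May 29 06:53:07 mx postfix/submission/smtpd[3022912]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=bob@example.com
May 29 06:53:09 mx postfix/smtpd[3023133]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=(unavailable)
May 29 06:53:12 mx postfix/smtpd[3023133]: connect from unknown[198.51.100.7]
""".splitlines()

FAILED = re.compile(
    r"postfix/(?P<service>\S+)\[\d+\]: warning: "
    r"(?P<host>\S+)\[(?P<ip>[0-9A-Fa-f:.]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: "
    # The username field is optional so that older logs still parse.
    r"(?P<reason>.*?)(?:, sasl_username=(?P<user>.*))?$"
)


def parse_failures(lines):
    """Return one dict per SASL authentication failure found in lines."""
    failures = []
    for line in lines:
        match = FAILED.search(line)
        if not match:
            continue
        record = match.groupdict()
        # Older Postfix logs no username; newer ones may log "(unavailable)".
        if record["user"] in (None, "(unavailable)"):
            record["user"] = None
        failures.append(record)
    return failures


def summarize(failures):
    """Group failures by client IP: attempt count and usernames tried.

    The username is supplied by the client, so treat it as untrusted data
    when it is passed on to other tools.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "usernames": set()})
    for failure in failures:
        entry = per_ip[failure["ip"]]
        entry["attempts"] += 1
        if failure["user"]:
            entry["usernames"].add(failure["user"])
    return {ip: {"attempts": e["attempts"], "usernames": sorted(e["usernames"])}
            for ip, e in per_ip.items()}


if __name__ == "__main__":
    for ip, info in summarize(parse_failures(SAMPLE)).items():
        names = ", ".join(info["usernames"]) or "(none logged)"
        print(f"{ip}: {info['attempts']} failed AUTH, usernames: {names}")
```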


[pfx] Re: Masters.cf

2024-05-28 Thread Bill Cole via Postfix-users

On 2024-05-28 at 19:18:10 UTC-0400 (Tue, 28 May 2024 19:18:10 -0400)
John Hill via Postfix-users 
is rumored to have said:
[...

On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:

[...]

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by 
security policy.
Please check the message recipient "postfix-users@postfix.org" and 
try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6


It's not something in smtpd_sender_restrictions, but this is as the log 
says, a *Sender* stage failure. I don't see an XBL hit (which makes 
sense, given the private client address) or anything indicating a 
failure at the EHLO or client phases. I see from earlier in the thread 
that you have smtpd_sender_login_maps set and "Email blocked by security 
policy" seems like something you might get from that lookup failing. The 
session summary shows that you did authenticate but I see no indication 
of what your SASL login was. I suspect that if you perform a query on 
your database for the sender 'jh...@noach.com' it will not return 
whatever login you authenticated as.
I also thought for a moment that the problem was due to having 
'permit_my_networks' before 'permit_sasl_authenticated' in 2 restriction 
lists and you hence never needing to authenticate, but the session 
summary says otherwise. Note that if all of your submission clients use 
authentication, permit_my_networks is unnecessary.


I do not have a solution handy for you, but you have at least gotten 
beyond the XBL issue. It seems possible that you only need to harmonize 
the login used for authentication in Thunderbird with that in your 
sender login map database.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 7:18 PM, John Hill via Postfix-users wrote:


On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:


On 5/28/24 6:54 PM, Bill Cole via Postfix-users wrote:
-o { smtpd_client_restrictions=permit_mynetworks,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4,permit_sasl_authenticated,reject }



tried to respond

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by 
security policy.
Please check the message recipient "postfix-users@postfix.org" and 
try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6



Dovecot log

May 28 19:00:45 proteus.noach.com dovecot[504384]: lmtp(504721): Connect from local
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth: Error: auth-worker: Aborted PASSL request for jh...@noach.com: Lookup timed out
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth-worker(504414): Error: sqlpool(mysql): Finished query 'SELECT email as user, password FROM virtual_users where email='jhill@noach.com';' in 60006 msecs: Query timed out (no free connections for 60 secs)
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth-worker(504414): Error: conn unix:auth-worker (pid=504400,uid=109): auth-worker<1>: sql(jh...@noach.com): Password query failed: Not connected to database
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth-worker(504414): Warning: conn unix:auth-worker (pid=504400,uid=109): Auth master disconnected us while handling request for jh...@noach.com for 60 secs (result=FAIL)
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth: Error: auth-worker: Auth request was queued for 55 seconds, 2 left in queue (see auth_worker_max_count)





[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:


On 5/28/24 6:54 PM, Bill Cole via Postfix-users wrote:
-o { smtpd_client_restrictions=permit_mynetworks,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4,permit_sasl_authenticated,reject }



tried to respond

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by security 
policy.
Please check the message recipient "postfix-users@postfix.org" and 
try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6





[pfx] Re: Masters.cf

2024-05-28 Thread Bill Cole via Postfix-users

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:


On 5/28/24 6:54 PM, Bill Cole via Postfix-users wrote:
-o { smtpd_client_restrictions=permit_mynetworks,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4,permit_sasl_authenticated,reject }



tried to respond

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by security 
policy.
Please check the message recipient "postfix-users@postfix.org" and try 
again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Masters.cf

2024-05-28 Thread Bill Cole via Postfix-users

On 2024-05-28 at 18:50:11 UTC-0400 (Wed, 29 May 2024 00:50:11 +0200)
John Fawcett via Postfix-users 
is rumored to have said:

[...]

Hi John

I think you are missing the following in master.cf for the submission 
service


-o smtpd_delay_reject=no

Without that the smtpd_client_restrictions will not be evaluated when 
the client connects and so you will allow the connected client to try 
authentication.


That is not what is happening here. The order of restrictions within the 
same restriction list matters, and Postfix is careful about logic. If 
you put permit_sasl_authenticated ahead of reject_rbl_client, the permit 
must be able to take effect without evaluating the reject condition. 
That demands allowing as many AUTH commands as your other config will 
allow to fail.


Personally I use zen.spamhaus.org=127.0.0.4 for submission, but I'm 
not sure that makes any difference respect to 
xbl.spamhaus.org=127.0.0.4.


Good catch, because it could have. I believe that originally (before 
Zen) XBL returned 127.0.0.2 but that is apparently no longer true. The 
test address returns 127.0.0.4:


$ host 2.0.0.127.xbl.spamhaus.org
2.0.0.127.xbl.spamhaus.org has address 127.0.0.4

That is probably for the best, as anyone using xbl alone is unlikely to 
be explicitly checking for anything else. In principle




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 6:54 PM, Bill Cole via Postfix-users wrote:
-o { smtpd_client_restrictions=permit_mynetworks,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4,permit_sasl_authenticated,reject } 



tried to respond

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by security 
policy.
Please check the message recipient "postfix-users@postfix.org" and try 
again.




[pfx] SASL login username in log

2024-05-28 Thread Northwind via Postfix-users

Hello,

Is it possible to set mail.log for recording sasl login usernames?

May 29 06:52:45 mx postfix/smtps/smtpd[3022855]: warning: 
unknown[138.185.193.64]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:52:57 mx postfix/smtpd[3023133]: warning: 
unknown[49.156.148.93]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:53:03 mx postfix/smtps/smtpd[3022864]: warning: 
unknown[167.179.45.182]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:53:07 mx postfix/smtps/smtpd[3022912]: warning: 
unknown[165.227.46.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:53:08 mx postfix/smtps/smtpd[3022901]: warning: 
unknown[112.199.181.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:53:12 mx postfix/smtpd[3023133]: warning: 
unknown[58.23.17.120]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:53:14 mx postfix/smtps/smtpd[3022912]: warning: 
unknown[165.227.46.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:53:19 mx postfix/smtps/smtpd[3022869]: warning: 
unknown[58.174.79.124]: SASL LOGIN authentication failed: UGFzc3dvcmQ6



For example, for the failed login events above, I want to know what 
usernames they happened on.


Thanks.
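
What the trailing token in those warnings contains, as an added example that is not part of the original post: `UGFzc3dvcmQ6` is base64 for `Password:`, the LOGIN mechanism's password prompt, so these lines carry no username. The parser and its function names are hypothetical, and the log lines are constructed in the format quoted above.

```python
import base64
import re
from collections import Counter

# Constructed sample in the same format as the warnings quoted above, using
# documentation-range addresses and the same mail-client line wrap.
SAMPLE_LOG = """\
May 29 06:52:45 mx postfix/smtps/smtpd[3022855]: warning:
unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:52:57 mx postfix/smtpd[3023133]: warning:
unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:53:07 mx postfix/smtps/smtpd[3022912]: warning:
unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 06:53:09 mx postfix/smtps/smtpd[3022912]: disconnect from
unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
May 29 06:53:14 mx postfix/smtps/smtpd[3022912]: warning:
unknown[192.0.2.10]: SASL PLAIN authentication failed:
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAILURE = re.compile(
    r"postfix/(?P<service>[^\[\s]+)\[(?P<pid>\d+)\]: warning: "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:\s*(?P<detail>.*)$"
)


def unwrap(text):
    """Re-join entries that a mail client wrapped: a line without a syslog
    timestamp is treated as the continuation of the previous entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if TIMESTAMP.match(raw) or not entries:
            entries.append(raw.strip())
        else:
            entries[-1] += " " + raw.strip()
    return entries


def decode_detail(token):
    """Decode the trailing token when it is base64 of printable ASCII;
    otherwise return it unchanged (it may be a plain-text reason)."""
    if not token:
        return ""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return token
    return text if text.isprintable() else token


def parse_sasl_failures(text):
    """Return one dict per 'SASL <mech> authentication failed' warning."""
    records = []
    for entry in unwrap(text):
        match = FAILURE.search(entry)
        if match:
            rec = match.groupdict()
            rec["detail"] = decode_detail(rec["detail"].strip())
            records.append(rec)
    return records


def failures_by_client(records):
    """Count failed attempts per client IP address."""
    return Counter(rec["ip"] for rec in records)


if __name__ == "__main__":
    failures = parse_sasl_failures(SAMPLE_LOG)
    for rec in failures:
        print(rec["ip"], rec["service"], rec["mech"], repr(rec["detail"]))
    print(failures_by_client(failures).most_common())
```
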


[pfx] Re: Masters.cf

2024-05-28 Thread Bill Cole via Postfix-users

On 2024-05-28 at 18:27:05 UTC-0400 (Tue, 28 May 2024 18:27:05 -0400)
John Hill via Postfix-users 
is rumored to have said:

[...]
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}


reject_rbl_client doing nothing.


Order matters. In this order, Postfix MUST allow clients to make AUTH 
attempts before rejecting due to the reject_rbl_client directive. If the 
client never tries anything but AUTH and hangs up when those fail, 
Postfix has no opportunity to actually reject it for being on the XBL.



SASL logon fails ips are in manually found in XBL


But they are probably never sending a command that Postfix can use to 
send a useful rejection response.


Move the permit_sasl_authenticated directive to right before the reject 
directive:


  -o { smtpd_client_restrictions=permit_mynetworks,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4,permit_sasl_authenticated,reject }



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Masters.cf

2024-05-28 Thread John Fawcett via Postfix-users


On 29/05/2024 00:27, John Hill via Postfix-users wrote:


On 5/28/24 4:50 PM, John Hill via Postfix-users wrote:


On 5/28/24 4:43 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 22:12:

On 5/28/24 3:38 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


Does this look correct? I'm not getting an error, waiting to see if 
it works!


submission inet  n   -   n   -   - smtpd
  2 -o smtpd_hard_error_limit=1
  3 -o stress=yes
  4 -o syslog_name=postfix/submission
  5 -o smtpd_etrn_restrictions=reject
  6 -o smtpd_sasl_auth_enable=yes
  7 -o smtpd_sasl_type=dovecot
  8 -o smtpd_sasl_path=private/auth
  9 -o smtpd_sasl_security_options=noanonymous
 10 -o smtpd_sasl_tls_security_options=noanonymous
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}
 12 -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

 13 -o smtpd_helo_restrictions=permit_mynetworks,permit
 14 -o smtpd_tls_security_level=encrypt
 15 -o 
smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

 16 -o milter_macro_daemon_name=ORIGINATING
 17

--john


unneeded complicated

line: 2 5 7 8 9 10 13 15 fits better in main.cf

spamrats allow sending mail when recipient is only local

with your config its rejected


I have been sending mail from local/remote authenticated clients?

--john 
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}


reject_rbl_client doing nothing.

SASL logon fails ips are in manually found in XBL

Postscreen spamhaus blocks work.

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11] for port 25


--john


Hi John

I think you are missing the following in master.cf for the submission 
service


-o smtpd_delay_reject=no

Without that the smtpd_client_restrictions will not be evaluated when 
the client connects and so you will allow the connected client to try 
authentication.


Personally I use zen.spamhaus.org=127.0.0.4 for submission, but I'm not 
sure that makes any difference respect to xbl.spamhaus.org=127.0.0.4.


Also please check your settings in the config files. In the email above 
I see a comma in xbl.spamhaus,org instead of a dot. If you copied it 
from the config then the config is wrong.


John


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 4:50 PM, John Hill via Postfix-users wrote:


On 5/28/24 4:43 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 22:12:

On 5/28/24 3:38 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


Does this look correct? I'm not getting an error, waiting to see if 
it works!


submission inet  n   -   n   -   -   smtpd
  2 -o smtpd_hard_error_limit=1
  3 -o stress=yes
  4 -o syslog_name=postfix/submission
  5 -o smtpd_etrn_restrictions=reject
  6 -o smtpd_sasl_auth_enable=yes
  7 -o smtpd_sasl_type=dovecot
  8 -o smtpd_sasl_path=private/auth
  9 -o smtpd_sasl_security_options=noanonymous
 10 -o smtpd_sasl_tls_security_options=noanonymous
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}
 12 -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

 13 -o smtpd_helo_restrictions=permit_mynetworks,permit
 14 -o smtpd_tls_security_level=encrypt
 15 -o 
smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

 16 -o milter_macro_daemon_name=ORIGINATING
 17

--john


unneeded complicated

line: 2 5 7 8 9 10 13 15 fits better in main.cf

spamrats allow sending mail when recipient is only local

with your config its rejected


I have been sending mail from local/remote authenticated clients?

--john 
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}


reject_rbl_client doing nothing.

SASL logon fails ips are in manually found in XBL

Postscreen spamhaus blocks work.

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11] for port 25


--john






[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 4:43 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 22:12:

On 5/28/24 3:38 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


Does this look correct? I'm not getting an error, waiting to see if it 
works!


submission inet  n   -   n   -   -   smtpd
  2 -o smtpd_hard_error_limit=1
  3 -o stress=yes
  4 -o syslog_name=postfix/submission
  5 -o smtpd_etrn_restrictions=reject
  6 -o smtpd_sasl_auth_enable=yes
  7 -o smtpd_sasl_type=dovecot
  8 -o smtpd_sasl_path=private/auth
  9 -o smtpd_sasl_security_options=noanonymous
 10 -o smtpd_sasl_tls_security_options=noanonymous
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}
 12 -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

 13 -o smtpd_helo_restrictions=permit_mynetworks,permit
 14 -o smtpd_tls_security_level=encrypt
 15 -o 
smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

 16 -o milter_macro_daemon_name=ORIGINATING
 17

--john


unneeded complicated

line: 2 5 7 8 9 10 13 15 fits better in main.cf

spamrats allow sending mail when recipient is only local

with your config its rejected


I have been sending mail from local/remote authenticated clients?

--john





[pfx] Re: Masters.cf

2024-05-28 Thread Benny Pedersen via Postfix-users

John Hill via Postfix-users skrev den 2024-05-28 22:12:

On 5/28/24 3:38 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


Does this look correct? I'm not getting an error, waiting to see if it 
works!


submission inet  n   -   n   -   -   smtpd
  2 -o smtpd_hard_error_limit=1
  3 -o stress=yes
  4 -o syslog_name=postfix/submission
  5 -o smtpd_etrn_restrictions=reject
  6 -o smtpd_sasl_auth_enable=yes
  7 -o smtpd_sasl_type=dovecot
  8 -o smtpd_sasl_path=private/auth
  9 -o smtpd_sasl_security_options=noanonymous
 10 -o smtpd_sasl_tls_security_options=noanonymous
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}
 12 -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

 13 -o smtpd_helo_restrictions=permit_mynetworks,permit
 14 -o smtpd_tls_security_level=encrypt
 15 -o 
smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

 16 -o milter_macro_daemon_name=ORIGINATING
 17

--john


unneeded complicated

line: 2 5 7 8 9 10 13 15 fits better in main.cf

spamrats allow sending mail when recipient is only local

with your config its rejected


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 3:38 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


Does this look correct? I'm not getting an error, waiting to see if it 
works!


submission inet  n   -   n   -   -   smtpd
  2 -o smtpd_hard_error_limit=1
  3 -o stress=yes
  4 -o syslog_name=postfix/submission
  5 -o smtpd_etrn_restrictions=reject
  6 -o smtpd_sasl_auth_enable=yes
  7 -o smtpd_sasl_type=dovecot
  8 -o smtpd_sasl_path=private/auth
  9 -o smtpd_sasl_security_options=noanonymous
 10 -o smtpd_sasl_tls_security_options=noanonymous
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}
 12 -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

 13 -o smtpd_helo_restrictions=permit_mynetworks,permit
 14 -o smtpd_tls_security_level=encrypt
 15 -o 
smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

 16 -o milter_macro_daemon_name=ORIGINATING
 17

--john






[pfx] Re: Masters.cf

2024-05-28 Thread Benny Pedersen via Postfix-users

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


[pfx] Re: Masters.cf

2024-05-28 Thread Wietse Venema via Postfix-users
John Hill via Postfix-users:
> 
> On 5/28/24 11:48 AM, Wietse Venema via Postfix-users wrote:
> > postconf -Mf submission/inet".
> 
> 
> May 28 10:51:07 proteus.noach.com postfix/submission/smtpd[57120]: 
> warning: malformed map specification: '{ reject_rbl_client 
> xbl.spamhaus.org }'

There is no reject_rbl_client in the configuration that you sent.

In any case, with parameters in master.cf the {} are used like this

-o { name = value... }

That is, the name and value INSIDE the {}.

The {} are NOT in the middle of a value like you did:

-o name=value,{ value },...

For syntax see https://www.postfix.org/master.5.html

Wietse
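
A small lint pass over a `submission` entry that checks the three points raised in this thread: braces placed in the middle of a value (Wietse's note above), a DNSBL name split by a comma, and `permit_sasl_authenticated` listed before `reject_rbl_client` (Bill Cole's ordering advice). This is an added example, not Postfix's own parser or code from any poster; the function names and the sample entries are constructed for illustration.

```python
import re

# Constructed master.cf fragments that reproduce the three forms discussed in
# the thread (shortened to the options that matter here).
BRACES_MID_VALUE = """\
submission inet  n   -   n   -   -   smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,{ $submission_recipient_restrictions },reject
"""
AS_POSTED = """\
submission inet  n   -   n   -   -   smtpd
    -o smtpd_sasl_auth_enable=yes
    -o {smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client
        xbl.spamhaus,org=127.0.0.4, reject}
"""
REORDERED = """\
submission inet  n   -   n   -   -   smtpd
    -o smtpd_sasl_auth_enable=yes
    -o { smtpd_client_restrictions=permit_mynetworks,reject_rbl_client
        xbl.spamhaus.org=127.0.0.4,permit_sasl_authenticated,reject }
"""

# "-o { name = value }" as one unit, or "-o name=value" up to the next space.
OPTION = re.compile(r"(?<!\S)-o\s+(\{[^}]*\}|\S+)")
# A leftover such as "org=127.0.0.4" right after a DNSBL name means the name
# was cut in two by a comma.
FRAGMENT = re.compile(r"^[A-Za-z0-9.-]+=\d")


def logical_lines(text):
    """Join continuation lines (leading whitespace) and drop comments."""
    joined = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.strip())
    return joined


def service_options(text, service="submission"):
    """Yield (name, value, braced) for each -o override of `service inet`."""
    for entry in logical_lines(text):
        if entry.split()[:2] != [service, "inet"]:
            continue
        for raw in OPTION.findall(entry):
            braced = raw.startswith("{")
            body = raw[1:-1] if braced else raw
            name, _, value = body.partition("=")
            yield name.strip(), value.strip(), braced


def lint_submission(text, service="submission"):
    """Return a list of (finding, option_name) tuples."""
    findings = []
    for name, value, braced in service_options(text, service):
        # Braces must wrap the whole "name = value", never sit inside a value.
        if not braced and ("{" in value or "}" in value):
            findings.append(("brace-in-value", name))
        if name != "smtpd_client_restrictions":
            continue
        tokens = [t for t in re.split(r"[,\s]+", value) if t]
        for i, tok in enumerate(tokens):
            if (tok == "reject_rbl_client" and i + 2 < len(tokens)
                    and FRAGMENT.match(tokens[i + 2])):
                findings.append(("dnsbl-name-split", name))
        # Ordering advice from the thread: DNSBL check before the SASL permit.
        if ("permit_sasl_authenticated" in tokens
                and "reject_rbl_client" in tokens
                and tokens.index("permit_sasl_authenticated")
                < tokens.index("reject_rbl_client")):
            findings.append(("auth-before-dnsbl", name))
    return findings


if __name__ == "__main__":
    for label, sample in (("braces", BRACES_MID_VALUE),
                          ("as posted", AS_POSTED),
                          ("reordered", REORDERED)):
        print(label, lint_submission(sample))
```
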


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 11:48 AM, Wietse Venema via Postfix-users wrote:

postconf -Mf submission/inet".



May 28 10:51:07 proteus.noach.com postfix/submission/smtpd[57120]: 
warning: malformed map specification: '{ reject_rbl_client 
xbl.spamhaus.org }'
May 28 10:51:07 proteus.noach.com postfix/submission/smtpd[57120]: 
warning: expected maptype:mapname instead of 'reject_rbl_client'


submission inet  n   -   n   -   -   smtpd
    -o smtpd_hard_error_limit=1
    -o stress=yes
    -o syslog_name=postfix/submission
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_tls_security_options=noanonymou

smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,{ 
$submission_recipient_restrictions },reject

#    -o 
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

    -o smtpd_helo_restrictions=permit_mynetworks,permit
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf
    -o milter_macro_daemon_name=ORIGINATING


I took a break to study.

I had dumped the configs but here is what I had.



[pfx] Re: "delivered to command" config

2024-05-28 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Adam Weremczuk via Postfix-users:
> > I've tried your suggestion.
> > 
> > SERVER1 is still trying to deliver test email locally rather than 
> > forward to SERVER2:

According to your postfinger output, you did not configure
virtual_alias_maps on server1 to send bugzilla mail to server2.
Therefore, Postfix on server1 will deliver it locally.

There needs to be a virtual_alias_maps rule like this:

bugzi...@matrixscience.co.uk  bugzi...@server2.matrixscience.co.uk

or like this:

bugzi...@matrixscience.com  bugzi...@server2.matrixscience.co.uk

or maybe both.

See my previous email for how to configure and manage Postfix virtual
alias maps.

Wietse

> > : host
> >  mx0.myLANdomain.com[/var/run/cyrus/socket/lmtp] said: 550-Mailbox
> >  unknown.  Either there is no mailbox associated with this 550-name 
> > or you
> >  do not have authorization to see it. 550 5.1.1 User unknown (in 
> > reply to
> >  RCPT TO command)
> 
> The NEW virtual_alias_maps configuration takes effect ONLY for new messages.
> 
> For more support, follow https://www.postfix.org/DEBUG_README.html#mail
> 
>   Wietse


[pfx] Re: Masters.cf

2024-05-28 Thread Wietse Venema via Postfix-users
John Hill via Postfix-users:
> Not working had recipient instead of client. Fixed that and then it says 
> it's not a map.

We need:

- The complete error message, exactly as logged.

- Output from "postconf -Mf submission/inet".

Wietse
> 
> On 5/28/24 10:36 AM, John Hill via Postfix-users wrote:
> > Here is what IS NOT causing postfix to dump, not sure if it will work.
> >
> > main.cf
> >
> > submission_recipient_restrictions = reject_rbl_client xbl.spamhaus.org
> >
> > master.cf
> >
> > submission
> >
> >  -o 
> > smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,{ 
> > $submission_recipient_restrictions },reject
> >
> >
> > It sends and receives mail so far. not sure on the RBL yet.
> >
> > --john
> >
> >


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users
Not working had recipient instead of client. Fixed that and then it says 
it's not a map.



On 5/28/24 10:36 AM, John Hill via Postfix-users wrote:

Here is what IS NOT causing postfix to dump, not sure if it will work.

main.cf

submission_recipient_restrictions = reject_rbl_client xbl.spamhaus.org

master.cf

submission

 -o 
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,{ 
$submission_recipient_restrictions },reject



It sends and receives mail so far. not sure on the RBL yet.

--john




[pfx] Re: "delivered to command" config

2024-05-28 Thread Wietse Venema via Postfix-users
Adam Weremczuk via Postfix-users:
> I've tried your suggestion.
> 
> SERVER1 is still trying to deliver test email locally rather than 
> forward to SERVER2:
> 
> : host
>  mx0.myLANdomain.com[/var/run/cyrus/socket/lmtp] said: 550-Mailbox
>  unknown.  Either there is no mailbox associated with this 550-name 
> or you
>  do not have authorization to see it. 550 5.1.1 User unknown (in 
> reply to
>  RCPT TO command)

The NEW virtual_alias_maps configuration takes effect ONLY for new messages.

For more support, follow https://www.postfix.org/DEBUG_README.html#mail

Wietse


[pfx] Re: "delivered to command" config

2024-05-28 Thread Adam Weremczuk via Postfix-users

I've tried your suggestion.

SERVER1 is still trying to deliver test email locally rather than 
forward to SERVER2:


: host
mx0.myLANdomain.com[/var/run/cyrus/socket/lmtp] said: 550-Mailbox
unknown.  Either there is no mailbox associated with this 550-name 
or you
do not have authorization to see it. 550 5.1.1 User unknown (in 
reply to

RCPT TO command)

Adam


On 28/05/2024 14:28, Wietse Venema via Postfix-users wrote:
> Adam Weremczuk via Postfix-users:
> > Sorry, I'm still struggling to get anywhere with that.
> >
> > Just to recap what I'm trying to achieve:
> >
> > SERVER1 is a fully blown Postfix+Cyrus stack operating over the internet
> > and serving multiple domains.
> >
> > SERVER2 is a small VM on a local LAN (same LAN as SERVER1) that runs
> > Bugzilla.
> >
> > Both SERVERS use the same LAN domain myLANdomain.com.
>
> You can have multiple servers with the same domain name, as long
> as each server also receives mail for its own hostname
> (in your case: server1.myLANdomain.com and server2.myLANdomain.com,
> respectively).
>
> server1:
>
>     /etc/postfix/main.cf:
>         # Execute "postfix reload" after editing this file
>         mydestination = localhost, myLANdomain.com, server1.myLANdomain.com
>         virtual_alias_maps = hash:/etc/postfix/virtual
>
>     /etc/postfix/virtual:
>         # Execute "postmap hash:/etc/postfix/virtual" after editing
>         # this file
>         bugzi...@mylandomain.com    bugzi...@server2.mylandomain.com
>
> server2:
>
>     Here is the bugzilla account with ~bugzilla/.forward
>
>     /etc/postfix/main.cf
>         # Execute "postfix reload" after editing this file
>         mydestination = localhost, myLANdomain.com, server2.myLANdomain.com
>
> > I've installed Postfix on SERVER2 and configured it as below:
>
> Sorry, I know only Postfix settings, not third-party control panels.
>
> Wietse
>
> > setting synchronous mail queue updates: false
> > setting myorigin
> > setting destinations: server2.myLANdomain.com, server2, localhost
> > setting relayhost:
> > setting mynetworks: 127.0.0.0/8 192.168.0.0/24
> > setting mailbox_size_limit: 0
> > setting recipient_delimiter: +
> > setting inet_interfaces: all
> > setting inet_protocols: ipv4
> >
> > Now, all I want to achieve is to forward all emails to
> > bugzi...@mypublicdomain.com to a local user (unique name) bugzilla2
> > created on SERVER2.
> >
> > Whatever email is delivered to bugzilla2 on SERVER2 locally should be
> > fed to the command defined in ~bugzilla2/.forward file
> >
> > So my first objective, I guess, would be to allow that local user to
> > receive emails from outside somehow and be treated as local emails.
> >
> > I feel like I'm missing something fundamental here...
> >
> > Adam
> >
> >
> > On 21/05/2024 12:00, Wietse Venema via Postfix-users wrote:
> > > Adam Weremczuk via Postfix-users:
> > > > Thank you Victor.
> > > >
> > > > What's the easiest way to change:
> > > >
> > > > bugzilla@mailserver:~$ cat ~/.forward
> > > > "|/vol/localhome/bugzilla/site/live/email_in.pl -vvv 2>/tmp/bz_emailin.log"
> > > >
> > > > to something like:
> > > >
> > > > remoteser...@mydomain.com:/vol/localhome/bugzilla/site/live/email_in.pl
> > > > -vvv 2>/tmp/bz_emailin.log
> > >
> > > There are multiple ways:
> > >
> > > 1) On the mailserver machine:
> > >
> > >    In ~bugzilla/.forward
> > >      bugzilla@remoteser...@mydomain.com
> > >
> > >    On the remoteserver, the ~bugzilla/.forward file with email_in.pl.
> > >
> > > 2) On the mailserver machine:
> > >
> > >    In /etc/aliases:
> > >    bugzilla: bugzilla@remoteser...@mydomain.com
> > >
> > >    run the "newaliases" command after editing the file.
> > >
> > >    On the remoteserver, the ~bugzilla/.forward file with email_in.pl.
> > >
> > > Wietse

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Masters.cf

2024-05-28 Thread John Hill via Postfix-users

Here is what IS NOT causing postfix to dump, not sure if it will work.

main.cf

submission_recipient_restrictions = reject_rbl_client xbl.spamhaus.org

master.cf

submission

 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,{ $submission_recipient_restrictions },reject

It sends and receives mail so far. Not sure on the RBL yet.

--john


___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Master.cf

2024-05-28 Thread John Hill via Postfix-users
I have yet to get a proper configuration to add xbl.spamhaus.org to 
submission.


-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject


Everything I try fails.

I have researched the list but can't find the answer.

I'm still getting hammered by SASL failures.

I check the number on spamhaus and they come back listed.

I am correct, postscreen is on port 25.

I use 587 for submissions.

Sorry to be so dense.


--john

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: "delivered to command" config

2024-05-28 Thread Wietse Venema via Postfix-users
Adam Weremczuk via Postfix-users:
> Sorry, I'm still struggling to get anywhere with that.
> 
> Just to recap what I'm trying to achieve:
> 
> SERVER1 is a fully blown Postfix+Cyrus stack operating over the internet 
> and serving multiple domains.
> 
> SERVER2 is a small VM on a local LAN (same LAN as SERVER1) that runs 
> Bugzilla.
> 
> Both SERVERS use the same LAN domain myLANdomain.com.

You can have multiple servers with the same domain name, as long
as each server also receives mail for its own hostname
(in your case: server1.myLANdomain.com and server2.myLANdomain.com,
respectively).

server1:

    /etc/postfix/main.cf:
        # Execute "postfix reload" after editing this file
        mydestination = localhost, myLANdomain.com, server1.myLANdomain.com
        virtual_alias_maps = hash:/etc/postfix/virtual

    /etc/postfix/virtual:
        # Execute "postmap hash:/etc/postfix/virtual" after editing
        # this file
        bugzi...@mylandomain.com    bugzi...@server2.mylandomain.com

server2:

    Here is the bugzilla account with ~bugzilla/.forward

    /etc/postfix/main.cf
        # Execute "postfix reload" after editing this file
        mydestination = localhost, myLANdomain.com, server2.myLANdomain.com

> I've installed Postfix on SERVER2 and configured it as below:

Sorry, I know only Postfix settings, not third-party control panels.

Wietse

> setting synchronous mail queue updates: false
> setting myorigin
> setting destinations: server2.myLANdomain.com, server2, localhost
> setting relayhost:
> setting mynetworks: 127.0.0.0/8 192.168.0.0/24
> setting mailbox_size_limit: 0
> setting recipient_delimiter: +
> setting inet_interfaces: all
> setting inet_protocols: ipv4
> 
> Now, all I want to achieve is to forward all emails to 
> bugzi...@mypublicdomain.com to a local user (unique name) bugzilla2 
> created on SERVER2.
> 
> Whatever email is delivered to bugzilla2 on SERVER2 locally should be 
> fed to the command defined in ~bugzilla2/.forward file
> 
> So my first objective, I guess, would be to allow that local user to 
> receive emails from outside somehow and be treated as local emails.
> 
> I feel like I'm missing something fundamental here...
> 
> Adam
> 
> 
> On 21/05/2024 12:00, Wietse Venema via Postfix-users wrote:
> > Adam Weremczuk via Postfix-users:
> >> Thank you Victor.
> >>
> >> What's the easiest way to change:
> >>
> >> bugzilla@mailserver:~$ cat ~/.forward
> >> "|/vol/localhome/bugzilla/site/live/email_in.pl -vvv 2>/tmp/bz_emailin.log"
> >>
> >> to something like:
> >>
> >> remoteser...@mydomain.com:/vol/localhome/bugzilla/site/live/email_in.pl
> >> -vvv 2>/tmp/bz_emailin.log
> > 
> > There are multiple ways:
> > 
> > 1) On the mailserver machine:
> > 
> >    In ~bugzilla/.forward
> >      bugzilla@remoteser...@mydomain.com
> > 
> >    On the remoteserver, the ~bugzilla/.forward file with email_in.pl.
> > 
> > 2) On the mailserver machine:
> > 
> >    In /etc/aliases:
> >    bugzilla: bugzilla@remoteser...@mydomain.com
> > 
> >    run the "newaliases" command after editing the file.
> > 
> >    On the remoteserver, the ~bugzilla/.forward file with email_in.pl.
> > 
> > Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-05-28 Thread Greg Sims via Postfix-users
On Tue, May 28, 2024 at 6:49 AM Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> In recent experience with my personal porcupine.org email address,
> they not only want SPF or DKIM, they *also* want a DMARC policy
> with p=quarantine or p=reject.

We have run p=reject for years.  DMARC is currently p=none because of the
issue you are helping with.  I feel like we have a solution now -- time
will tell.  I hope to be p=reject once again soon!

Thanks Wietse, Greg
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: "delivered to command" config

2024-05-28 Thread Adam Weremczuk via Postfix-users

Sorry, I'm still struggling to get anywhere with that.

Just to recap what I'm trying to achieve:

SERVER1 is a fully blown Postfix+Cyrus stack operating over the internet 
and serving multiple domains.


SERVER2 is a small VM on a local LAN (same LAN as SERVER1) that runs 
Bugzilla.


Both SERVERS use the same LAN domain myLANdomain.com.

I've installed Postfix on SERVER2 and configured it as below:

setting synchronous mail queue updates: false
setting myorigin
setting destinations: server2.myLANdomain.com, server2, localhost
setting relayhost:
setting mynetworks: 127.0.0.0/8 192.168.0.0/24
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
setting inet_protocols: ipv4

Now, all I want to achieve is to forward all emails to 
bugzi...@mypublicdomain.com to a local user (unique name) bugzilla2 
created on SERVER2.


Whatever email is delivered to bugzilla2 on SERVER2 locally should be 
fed to the command defined in ~bugzilla2/.forward file


So my first objective, I guess, would be to allow that local user to 
receive emails from outside somehow and be treated as local emails.


I feel like I'm missing something fundamental here...

Adam


On 21/05/2024 12:00, Wietse Venema via Postfix-users wrote:
> Adam Weremczuk via Postfix-users:
> > Thank you Victor.
> >
> > What's the easiest way to change:
> >
> > bugzilla@mailserver:~$ cat ~/.forward
> > "|/vol/localhome/bugzilla/site/live/email_in.pl -vvv 2>/tmp/bz_emailin.log"
> >
> > to something like:
> >
> > remoteser...@mydomain.com:/vol/localhome/bugzilla/site/live/email_in.pl
> > -vvv 2>/tmp/bz_emailin.log
>
> There are multiple ways:
>
> 1) On the mailserver machine:
>
>    In ~bugzilla/.forward
>      bugzilla@remoteser...@mydomain.com
>
>    On the remoteserver, the ~bugzilla/.forward file with email_in.pl.
>
> 2) On the mailserver machine:
>
>    In /etc/aliases:
>    bugzilla: bugzilla@remoteser...@mydomain.com
>
>    run the "newaliases" command after editing the file.
>
>    On the remoteserver, the ~bugzilla/.forward file with email_in.pl.
>
> Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: SASL reject force disconnect

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 5:39 AM, Christophe Kalt via Postfix-users wrote:
> smtpd_delay_reject to no

I had it at yes.

Changed it.

--john

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-05-28 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> > On Mon, May 27, 2024 at 3:40 AM Viktor Dukhovni via Postfix-users <
> postfix-users@postfix.org> wrote:
> 
> > You really should have posted "collate" output, which would have shown
> > the envelope sender address in the "qmgr active" log entry.  Perhaps
> > the actual domain used did not have the expected SPF records.
> 
> Wietse:
> 
> notify_classes is working well.  Postmaster is hosted by Google and we are
> seeing sequences like the following as a result.  I had to move
> notify_classes to main.cf to cover all of our email.  For debug it would
> likely be best to have Postmaster email remain on our server -- instead of
> sending it to Google.  Please see below as I believe we may have a
> better understanding without the email headers.

It does not have to be postmaster:
https://www.postfix.org/postconf.5.html#bounce_notice_recipient
https://www.postfix.org/postconf.5.html#notify_classes

Or: "Delivering some but not all accounts locally":
https://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local

> Viktor:
> 
> The "collate" for this issue is enlightening.  Here is an instance:
> 
>   May 28 02:11:41 mail01.raystedman.org postfix/bounce[19442]:
> B78BC305D5A9: postmaster non-delivery notification: 4A841305D5BE
>   May 28 02:11:41 mail01.raystedman.org postfix/cleanup[19458]:
> 4A841305D5BE: message-id=<20240528091141.4a841305d...@mail01.raystedman.org>
>   May 28 02:11:41 mail01.raystedman.org postfix/qmgr[16460]: 4A841305D5BE:
> from=, size=3187, nrcpt=1 (queue
> active)
>   May 28 02:11:41 mail01.raystedman.org postfix/t124/smtp[19403]: Trusted
> TLS connection established to aspmx.l.google.com[142.250.141.27]:25:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
> X25519 server-signature ECDSA (P-256) server-digest SHA256
>   May 28 02:11:41 mail01.raystedman.org postfix/t124/smtp[19403]:
> 4A841305D5BE: host aspmx.l.google.com[142.250.141.27] said: 421-4.7.26 Your
> email has been rate limited because it is unauthenticated. Gmail 421-4.7.26
> requires all senders to authenticate with either SPF or DKIM. 421-4.7.26
>  421-4.7.26  Authentication results: 421-4.7.26  DKIM = did not pass
> 421-4.7.26  SPF [mail01.raystedman.org] with ip: [209.73.152.124] = did not
> pass 421-4.7.26  421-4.7.26  For instructions on setting up authentication,
> go to 421 4.7.26
> https://support.google.com/mail/answer/81126#authentication
> d2e1a72fcca58-701bc33108esi1286635b3a.272 - gsmtp (in reply to end of DATA
> command)

In recent experience with my personal porcupine.org email address,
they not only want SPF or DKIM, they *also* want a DMARC policy
with p=quarantine or p=reject.

>   May 28 02:11:42 mail01.raystedman.org postfix/t124/smtp[19403]: Trusted
> TLS connection established to alt2.aspmx.l.google.com[74.125.126.27]:25:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
> X25519 server-signature ECDSA (P-256) server-digest SHA256
>   May 28 02:11:42 mail01.raystedman.org postfix/t124/smtp[19403]:
> 4A841305D5BE: to=, orig_to=, relay=
> alt2.aspmx.l.google.com[74.125.126.27]:25, delay=1.2, delays=0/0/0.81/0.39,
> dsn=2.0.0, status=sent (250 2.0.0 OK  1716887502
> ca18e2360f4ac-7eae2d6333asi30711039f.32 - gsmtp)
>   May 28 02:11:42 mail01.raystedman.org postfix/qmgr[16460]: 4A841305D5BE:
> removed
> 
> It appears that this bounce email was sent using the subdomain
> mail01.raystedman.org.  There is no "from=<>" here but the error log seems
> to imply the SPF failure was associated with this subdomain.  If this is
> the case, we need to add an SPF record for this subdomain.  Please note we
> are already configured for raystedman.org and devotion.raystedman.org.  Are
> there any other subdomains that Postfix would use?  Please let me know and
> I will make the appropriate modifications to DNS.
> 
> Thank you, Greg

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-05-28 Thread Greg Sims via Postfix-users
I do see the "qmgr active" active with the from=<>.  I added
mail01.raystedman.org SPF to DNS as a result.

Thanks again, Greg

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-05-28 Thread Greg Sims via Postfix-users
> On Mon, May 27, 2024 at 3:40 AM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> You really should have posted "collate" output, which would have shown
> the envelope sender address in the "qmgr active" log entry.  Perhaps
> the actual domain used did not have the expected SPF records.

Wietse:

notify_classes is working well.  Postmaster is hosted by Google and we are
seeing sequences like the following as a result.  I had to move
notify_classes to main.cf to cover all of our email.  For debug it would
likely be best to have Postmaster email remain on our server -- instead of
sending it to Google.  Please see below as I believe we may have a
better understanding without the email headers.

Viktor:

The "collate" for this issue is enlightening.  Here is an instance:

  May 28 02:11:41 mail01.raystedman.org postfix/bounce[19442]:
B78BC305D5A9: postmaster non-delivery notification: 4A841305D5BE
  May 28 02:11:41 mail01.raystedman.org postfix/cleanup[19458]:
4A841305D5BE: message-id=<20240528091141.4a841305d...@mail01.raystedman.org>
  May 28 02:11:41 mail01.raystedman.org postfix/qmgr[16460]: 4A841305D5BE:
from=, size=3187, nrcpt=1 (queue
active)
  May 28 02:11:41 mail01.raystedman.org postfix/t124/smtp[19403]: Trusted
TLS connection established to aspmx.l.google.com[142.250.141.27]:25:
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
X25519 server-signature ECDSA (P-256) server-digest SHA256
  May 28 02:11:41 mail01.raystedman.org postfix/t124/smtp[19403]:
4A841305D5BE: host aspmx.l.google.com[142.250.141.27] said: 421-4.7.26 Your
email has been rate limited because it is unauthenticated. Gmail 421-4.7.26
requires all senders to authenticate with either SPF or DKIM. 421-4.7.26
 421-4.7.26  Authentication results: 421-4.7.26  DKIM = did not pass
421-4.7.26  SPF [mail01.raystedman.org] with ip: [209.73.152.124] = did not
pass 421-4.7.26  421-4.7.26  For instructions on setting up authentication,
go to 421 4.7.26
https://support.google.com/mail/answer/81126#authentication
d2e1a72fcca58-701bc33108esi1286635b3a.272 - gsmtp (in reply to end of DATA
command)
  May 28 02:11:42 mail01.raystedman.org postfix/t124/smtp[19403]: Trusted
TLS connection established to alt2.aspmx.l.google.com[74.125.126.27]:25:
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
X25519 server-signature ECDSA (P-256) server-digest SHA256
  May 28 02:11:42 mail01.raystedman.org postfix/t124/smtp[19403]:
4A841305D5BE: to=, orig_to=, relay=
alt2.aspmx.l.google.com[74.125.126.27]:25, delay=1.2, delays=0/0/0.81/0.39,
dsn=2.0.0, status=sent (250 2.0.0 OK  1716887502
ca18e2360f4ac-7eae2d6333asi30711039f.32 - gsmtp)
  May 28 02:11:42 mail01.raystedman.org postfix/qmgr[16460]: 4A841305D5BE:
removed

It appears that this bounce email was sent using the subdomain
mail01.raystedman.org.  There is no "from=<>" here but the error log seems
to imply the SPF failure was associated with this subdomain.  If this is
the case, we need to add an SPF record for this subdomain.  Please note we
are already configured for raystedman.org and devotion.raystedman.org.  Are
there any other subdomains that Postfix would use?  Please let me know and
I will make the appropriate modifications to DNS.

Thank you, Greg
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: SASL reject force disconnect

2024-05-28 Thread John Fawcett via Postfix-users


On 28/05/2024 11:39, Christophe Kalt via Postfix-users wrote:
> On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users
> wrote:
>
> > For submission I only use xbl (return code 127.0.0.4) excluding
> > other data contained in zen like pbl that lists isp dynamic
> > ip ranges from which you would normally expect to get connections
> > to submission. For me it's safe to use xbl for submission since I
> > don't want connections from exploited machines and it cuts out
> > most of the noise and some of the risk from people hammering smtp
> > auth. It won't fit everyone's use case though.
>
> For this to be worthwhile, I assume you also set smtpd_delay_reject to
> no ?


yes, I set it in master.cf just for submission service.

John
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: SASL reject force disconnect

2024-05-28 Thread Matus UHLAR - fantomas via Postfix-users

> > On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users <
> > postfix-users@postfix.org> wrote:
> > > For submission I only use xbl (return code 127.0.0.4) excluding
> > > other data contained in zen like pbl that lists isp dynamic ip ranges from
> > > which you would normally expect to get connections to submission. For me
> > > it's safe to use xbl for submission since I don't want connections from
> > > exploited machines and it cuts out most of the noise and some of the risk
> > > from people hammering smtp auth. It won't fit everyone's use case though.

> On 28.05.24 05:39, Christophe Kalt via Postfix-users wrote:
> For this to be worthwhile, I assume you also set smtpd_delay_reject to no ?


Good point. But only on smtps/submission level, so in master.cf services.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I want to NOT RECEIVE any advertising mail at this address.
Enter any 12-digit prime number to continue.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: SASL reject force disconnect

2024-05-28 Thread Christophe Kalt via Postfix-users
On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users <
postfix-users@postfix.org> wrote:

> For submission I only use xbl (return code 127.0.0.4) excluding
> other data contained in zen like pbl that lists isp dynamic ip ranges from
> which you would normally expect to get connections to submission. For me
> it's safe to use xbl for submission since I don't want connections from
> exploited machines and it cuts out most of the noise and some of the risk
> from people hammering smtp auth. It won't fit everyone's use case though.
>
For this to be worthwhile, I assume you also set smtpd_delay_reject to no ?
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: SASL reject force disconnect

2024-05-28 Thread Matus UHLAR - fantomas via Postfix-users

> > > > > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]

> > > > John Hill via Postfix-users:
> > > > Is this the same thing?

> > > On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:
> > > See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
> > > with the purpose of different lookup results.
> > >
> > > To block xbl listed clients with postscreen, one would configure
> > > xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4

> > On 5/27/24 4:13 AM, Matus UHLAR - fantomas via Postfix-users wrote:
> > While they are the same, I recommend using the latter, so you can
> > benefit from caching DNS results in case the same source IP connects
> > to smtp and submission/submissions(=smtps) services.

> On 27.05.24 07:31, John Hill via Postfix-users wrote:
> I added the zen,spamhaus,org=127.0.0.[2..11 to my submission settings
> in master.cf. Worked, but it blocked my AT mobile block. Go figure!

The discussion was "xbl.spamhaus.org" vs. "zen.spamhaus.org=127.0.0.4"
If you configured zen.spamhaus.org with different combination, no wonder you
got unexpected result.

> I changed it to 127.0.0.4 to be more specific. It turns out AT
> mobile has numbers in the XBL database. I tried bl.spamcop.net, and
> it does nothing.

No, they are in PBL database which is designed to contain home networks.
I'm not sure about spamcop, but zen.spamhaus.org=127.0.0.4 should be safe at
submission level.

> Last night I logged  "81 SASL authentication failed." That's about
> average. Seems I have a lot of new friends.
>
> I'm still thankful to learn more about master.cf, I had ignored it for
> the most part.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I want to NOT RECEIVE any advertising mail at this address.
WinError #98652: Operation completed successfully.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
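
The difference discussed above between "zen.spamhaus.org=127.0.0.[2..11]" and "zen.spamhaus.org=127.0.0.4", worked through offline as an added example (not code from any poster or from Postfix). It evaluates the "=d.d.d.d" reply filter against constructed DNS answers; the client addresses are documentation ranges, and the PBL answer 127.0.0.11 is taken from the Spamhaus return-code table linked in the thread.

```python
"""Evaluate Postfix-style DNSBL reply filters offline (constructed replies, no DNS)."""
import ipaddress
import re


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Name looked up for an IPv4 client: reversed octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def split_site(site: str):
    """Split 'zone=filter'; an optional postscreen '*weight' suffix is dropped."""
    zone, _, reply_filter = site.partition("*")[0].partition("=")
    return zone, reply_filter or None


def _field_matches(pattern: str, octet: int) -> bool:
    """One filter field: a plain number, or [..] holding ';' lists and 'a..b' ranges."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for item in pattern[1:-1].split(";"):
        low, is_range, high = item.partition("..")
        if is_range and int(low) <= octet <= int(high):
            return True
        if not is_range and int(item) == octet:
            return True
    return False


def reply_matches(reply_filter, reply: str) -> bool:
    """True when one returned A record satisfies the d.d.d.d filter."""
    if reply_filter is None:
        return True  # no filter configured: any A record counts as "listed"
    # Split on dots, but keep a bracketed pattern such as [2..11] in one piece.
    fields = re.findall(r"\[[^\]]*\]|[^.\[\]]+", reply_filter)
    octets = [int(o) for o in reply.split(".")]
    if len(fields) != 4 or len(octets) != 4:
        raise ValueError(f"bad filter or reply: {reply_filter!r} {reply!r}")
    return all(_field_matches(f, o) for f, o in zip(fields, octets))


def would_reject(site: str, replies) -> bool:
    """The client is rejected when any A record from the zone matches the filter."""
    _, reply_filter = split_site(site)
    return any(reply_matches(reply_filter, r) for r in replies)


# Constructed answers a zen.spamhaus.org lookup could return for four clients.
SAMPLE_CLIENTS = {
    "192.0.2.10": ["127.0.0.11"],                # dynamic/mobile range: PBL only
    "198.51.100.7": ["127.0.0.4"],               # exploited host: XBL
    "203.0.113.5": ["127.0.0.4", "127.0.0.11"],  # listed in both
    "192.0.2.99": [],                            # not listed (NXDOMAIN)
}


def decisions(site: str) -> dict:
    """Reject/permit decision per sample client for one configured site."""
    return {ip: would_reject(site, r) for ip, r in SAMPLE_CLIENTS.items()}


if __name__ == "__main__":
    for site in ("zen.spamhaus.org=127.0.0.[2..11]", "zen.spamhaus.org=127.0.0.4"):
        print(site)
        zone = split_site(site)[0]
        for ip, rejected in decisions(site).items():
            verdict = "reject" if rejected else "permit"
            print(f"  {dnsbl_query_name(ip, zone):40} {verdict}")
```

With the [2..11] range the PBL-only client is rejected on submission, which is the mobile-carrier block reported in the thread; with =127.0.0.4 only the XBL-listed clients are.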