[pfx] Re: secure the email system
Jeff Peng via Postfix-users:
> Hello Wietse,
>
> I have added this line:
> smtpd_reject_unlisted_sender = yes
>
> into main.cf.
> May I ask, this option is for submission request, or for MX request?

All services that use smtpd.

	Wietse

> On 2024-06-14 04:14, Wietse Venema via Postfix-users wrote:
> > Wietse Venema via Postfix-users:
> >> A paranoid configuration could add:
> >>
> >> smtpd_reject_unlisted_sender = yes
> >>
> >> That is, do not send mail with a sender address that is known to
> >> be invalid (the SMTP server would reject mail for the address with
> >> "user unknown").
> >>
> >> For more details (what is valid, why reject invalid senders) see
> >> https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender
> >
> > This will respect address extensions, because it reuses the logic for
> > rejecting unknown recipients. Less code, more functionality.
> >
> > Wietse

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: secure the email system
Hello Wietse,

I have added this line:
smtpd_reject_unlisted_sender = yes

into main.cf.
May I ask, this option is for submission request, or for MX request?

Thanks.

On 2024-06-14 04:14, Wietse Venema via Postfix-users wrote:
> Wietse Venema via Postfix-users:
>> A paranoid configuration could add:
>>
>> smtpd_reject_unlisted_sender = yes
>>
>> That is, do not send mail with a sender address that is known to
>> be invalid (the SMTP server would reject mail for the address with
>> "user unknown").
>>
>> For more details (what is valid, why reject invalid senders) see
>> https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender
>
> This will respect address extensions, because it reuses the logic for
> rejecting unknown recipients. Less code, more functionality.
>
> Wietse
[pfx] Re: secure the email system
Would this respect recipient_delimiter, i.e. "tagged" sender addresses?
[pfx] Re: Need help with postfix
See inline comments.

Paul Schmehl
paul.schm...@gmail.com

> On Jun 13, 2024, at 3:12 PM, Wietse Venema via Postfix-users wrote:
>
> Paul Schmehl via Postfix-users:
>> I'm 77. I've been retired for 10 years. Now I'm struggling trying
>> to get postfix working with Dovecot and Spamassassin on a CentOS 7
>> server. I manage a small hobby domain for some friends (for free),
>> and the changes in systems are so dramatic that I feel I'm losing
>> touch.
>
> Welcome back. I'm also updating some different infrastructure from
> a similar vintage, and translating configurations from the past to
> the present can be challenging.

Thank you for the kind words.

>> Here's the spamassassin bits in master.cf:
>>
>> smtp      inet  n       -       n       -       -       smtpd
>>     -o content_filter=spamassassin
>>
>> spamassassin unix -     n       n       -       -       pipe
>>     user=spamd argv=/usr/local/bin/spamc -f -e
>>     /usr/sbin/sendmail -oi -f ${sender} ${recipient}
>
> So that one seems to be failing.

It was failing because spamc was located in /usr/bin, not /usr/local/bin. That’s been fixed. Also, the spamd user did not exist. That also has been fixed. So, yes, it was a bad configuration. I copied the text from the article that I linked to and forgot to verify the location of the binaries.

Skipping.

>> I'm not sure if all these parameters are still in use or if I even need them.
>
>> I'm seeing a lot of these, but I assume this is just a nefarious actor:
>> Jun 13 13:16:18 ded602 postfix/smtpd[2438]: warning: non-SMTP command from
>> unknown[80.244.11.148]:
>> \026\003\001\000\342\001\000\000\336\003\003iRf+\246d\261&]\303\034/;\315\213\372\t4\005L\253\250
>
> That's a TLS handshake. If this is on port 25 or 587 that is the
> client's mistake. With modern master.cf files, Postfix will log
> the service name for user mail user agents as postfix/submission/smtpd,
> postfix/smtps/smtpd, or postfix/submissions/smtpd.
>
>> Please be gentle. I'm far from a pro, and I've been out of the game for a
>> decade.
>
> No problem. Could you be so kind not to include an 80 kilobyte
> HTML attachment?

I didn’t even realize that Apple mail was sending as html. I’ll have to see if I can change that.
[pfx] Re: secure the email system
Wietse Venema via Postfix-users:
> A paranoid configuration could add:
>
> smtpd_reject_unlisted_sender = yes
>
> That is, do not send mail with a sender address that is known to
> be invalid (the SMTP server would reject mail for the address with
> "user unknown").
>
> For more details (what is valid, why reject invalid senders) see
> https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

This will respect address extensions, because it reuses the logic for
rejecting unknown recipients. Less code, more functionality.

	Wietse
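An added illustration of the rule stated above (the sender check reuses the unknown-recipient lookup, so a "tagged" sender like alice+news@example.com is accepted exactly when alice@example.com would be accepted as a recipient). This is a simplified Python model written for this page, not Postfix source: the local domain list, the recipient table and the "split at the first delimiter character" rule are constructed assumptions standing in for mydestination, local_recipient_maps and recipient_delimiter, and a real Postfix check consults the maps of each domain class rather than one flat set.

```python
# Added example: model of an "unlisted sender" check that reuses the
# unknown-recipient lookup, including recipient_delimiter handling.
# NOT Postfix code; all tables below are constructed for the example.

RECIPIENT_DELIMITER = "+"   # same value as in the postconf output in this thread

# Constructed stand-ins for mydestination and local_recipient_maps.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
LOCAL_RECIPIENTS = {"alice", "bob", "postmaster"}


def split_extension(localpart: str, delimiters: str = RECIPIENT_DELIMITER):
    """Split 'user+tag' into ('user', '+tag').

    Assumption for this model: the extension starts at the first occurrence of
    any delimiter character; a leading delimiter does not start an extension
    (so '+weird' stays a plain local part), and a local part without a
    delimiter is returned unchanged with an empty extension."""
    for i, ch in enumerate(localpart):
        if ch in delimiters and i > 0:
            return localpart[:i], localpart[i:]
    return localpart, ""


def is_listed(address: str) -> bool:
    """The shared lookup used for both RCPT TO and MAIL FROM.

    Only addresses in a local domain are subject to the check (other domains,
    and the empty null sender, can never be 'user unknown' here). The full
    local part is looked up first, then the local part with its extension
    stripped, which is what makes tagged addresses work."""
    localpart, _, domain = address.rpartition("@")   # addresses assumed fully qualified
    if domain.lower() not in LOCAL_DOMAINS:
        return True
    if localpart in LOCAL_RECIPIENTS:
        return True
    base, ext = split_extension(localpart)
    return bool(ext) and base in LOCAL_RECIPIENTS


def smtpd_check_sender(sender: str, reject_unlisted_sender: bool = True) -> str:
    """Decision for a MAIL FROM address, mirroring smtpd_reject_unlisted_sender:
    with the option on, a sender the recipient check would call 'user unknown'
    is rejected; with it off, the sender passes this particular check."""
    if reject_unlisted_sender and not is_listed(sender):
        return "reject"
    return "accept"


if __name__ == "__main__":
    for s in ["alice@example.com", "alice+news@example.com", "carol+x@example.com", ""]:
        print(f"{s or '<>':28} -> {smtpd_check_sender(s)}")
```

Run stand-alone it prints the decision for a plain, a tagged, an unknown tagged and the null sender. The point to take from it is that nothing sender-specific has to know about recipient_delimiter: the extension handling lives in the one lookup routine, so the sender check inherits it for free.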
[pfx] Re: Need help with postfix
Paul Schmehl via Postfix-users:
> I'm 77. I've been retired for 10 years. Now I'm struggling trying
> to get postfix working with Dovecot and Spamassassin on a CentOS 7
> server. I manage a small hobby domain for some friends (for free),
> and the changes in systems are so dramatic that I feel I'm losing
> touch.

Welcome back. I'm also updating some different infrastructure from
a similar vintage, and translating configurations from the past to
the present can be challenging.

> I read this doc to help me understand the new setup:
> https://samhobbs.co.uk/2014/03/raspberry-pi-email-server-part-4-spam-detection-spamassassin
>
> I used to use filter.sh and didn't run the spamd daemon, but I
> thought that using the daemon would be the best way to go now.
>
> I uninstalled postfix 2.10 and installed postfix 3.9. I installed
> spamassassin 3.4. I copied my old 2.1 master.cf and main.cf to the
> new configs (after backing those up) and started up both daemons.
> (I don't know if that's a mistake.)
>
> I can send and receive email, including remotely using saslauth.
> But, I'm not getting headers altered by spamassassin and I'm
> seeing some warnings in the logs that bother me.
>
> Here's the spamassassin bits in master.cf:
>
> smtp      inet  n       -       n       -       -       smtpd
>     -o content_filter=spamassassin
>
> spamassassin unix -     n       n       -       -       pipe
>     user=spamd argv=/usr/local/bin/spamc -f -e
>     /usr/sbin/sendmail -oi -f ${sender} ${recipient}

So that one seems to be failing.

> Jun 13 13:10:34 ded602 postfix/master[31118]: warning:
> /usr/libexec/postfix/pipe: bad command startup -- throttling
> Jun 13 13:10:34 ded602 postfix/master[31118]: warning: process
> /usr/libexec/postfix/pipe pid 2404 exit status 1

This is the exit status when the pipe daemon detects a bad configuration.
I suspect that the pipe daemon is logging some details along the lines of:

    unknown flag:
    unknown username
    unknown group

> Jun 13 13:10:34 ded602 postfix/qmgr[31120]: warning: private/spamassassin
> socket: malformed response

That is to be expected when the pipe daemon detects a configuration problem.

> [root@ded602 etc]# postconf -n

Skipping that for now.

> I'm not sure if all these parameters are still in use or if I even need them.

> I'm seeing a lot of these, but I assume this is just a nefarious actor:
> Jun 13 13:16:18 ded602 postfix/smtpd[2438]: warning: non-SMTP command from
> unknown[80.244.11.148]:
> \026\003\001\000\342\001\000\000\336\003\003iRf+\246d\261&]\303\034/;\315\213\372\t4\005L\253\250

That's a TLS handshake. If this is on port 25 or 587 that is the
client's mistake. With modern master.cf files, Postfix will log
the service name for user mail user agents as postfix/submission/smtpd,
postfix/smtps/smtpd, or postfix/submissions/smtpd.

> Please be gentle. I'm far from a pro, and I've been out of the game for a
> decade.

No problem. Could you be so kind not to include an 80 kilobyte
HTML attachment?

	Wietse
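The "non-SMTP command" warning discussed above can be triaged from the log line alone, which is useful when deciding whether a burst of them is a misconfigured client or something worth rate-limiting: the escaped bytes start with 0x16 0x03 0x01, the header of a TLS handshake record. The Python below is an added example written for this page (not part of the thread and not Postfix code). It undoes the printable escaping in the log text and reads the TLS record header and the ClientHello header behind it, using the thread's own log line as constructed sample input. The escape rules it assumes (three-digit octal for non-printable bytes, plus \t, \n, \r and \\) are inferred from what the logged text shows.

```python
import re

# Constructed sample input: the warning quoted in this thread, joined onto one
# line. Postfix truncates the logged bytes, so the ClientHello is incomplete.
SAMPLE_LOG = (
    r"Jun 13 13:16:18 ded602 postfix/smtpd[2438]: warning: non-SMTP command from "
    r"unknown[80.244.11.148]: "
    r"\026\003\001\000\342\001\000\000\336\003\003iRf+\246d\261&]\303\034/;\315\213\372\t4\005L\253\250"
)

# Assumed escape format, matching the log: \ooo octal for non-printable bytes,
# plus \t, \n, \r and \\ for the usual C escapes.
_ESCAPE = re.compile(r"\\([0-7]{3}|[\\tnr])")
_NAMED = {"\\": b"\\", "t": b"\t", "n": b"\n", "r": b"\r"}


def decode_postfix_escapes(text: str) -> bytes:
    """Turn the printable-escaped client data back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        out += _NAMED[tok] if tok in _NAMED else bytes([int(tok, 8)])
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def _version_name(major: int, minor: int) -> str:
    return TLS_VERSIONS.get((major, minor), f"unknown ({major}.{minor})")


def classify_non_smtp_command(data: bytes) -> dict:
    """Recognise a TLS record (content type 0x16 = handshake, 2-byte version,
    2-byte length) and, inside it, a ClientHello (type 0x01, 3-byte length,
    client version). Anything else is reported as not-TLS for separate triage."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 3:
        return {"kind": "not-tls"}
    record_len = int.from_bytes(data[3:5], "big")
    result = {
        "kind": "tls-record",
        "record_version": _version_name(data[1], data[2]),
        "record_length": record_len,
    }
    if len(data) >= 11 and data[5] == 0x01:
        handshake_len = int.from_bytes(data[6:9], "big")
        result.update({
            "kind": "tls-client-hello",
            "handshake_length": handshake_len,
            # The record payload is the 4-byte handshake header plus its body.
            "framing_ok": handshake_len + 4 == record_len,
            # Legacy version field; TLS 1.3 clients signal 1.3 in an extension instead.
            "client_version": _version_name(data[9], data[10]),
        })
    return result


def analyse_log_line(line: str) -> dict:
    """Pull the client and the escaped payload out of a smtpd 'non-SMTP command' warning."""
    m = re.search(r"non-SMTP command from (\S+): (.*)$", line)
    if not m:
        return {"kind": "no-match"}
    verdict = classify_non_smtp_command(decode_postfix_escapes(m.group(2)))
    verdict["client"] = m.group(1)
    return verdict


if __name__ == "__main__":
    print(analyse_log_line(SAMPLE_LOG))
```

For the sample line the result is a ClientHello inside a TLS 1.0-versioned record, 226 bytes long, from a client offering TLS 1.2: a client that tried to start TLS without STARTTLS, on a port that was not expecting it. The framing check (handshake length plus four equals the record length) is a cheap way to tell a genuine handshake from random binary garbage that merely begins with 0x16.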
[pfx] Re: Need help with postfix
I trimmed a lot of my original message from this reply.

I figured out what was wrong. The spamassassin install didn’t create the spamd account. It’s working fine now.

I would appreciate it if some of you pros could look over my postconf and advise me on any settings that I need to alter or delete. Since I copied my 2.10 setup to 3.9, I’m sure there’s some detritus in there that needs to be culled.

Paul Schmehl
paul.schm...@gmail.com

> On Jun 13, 2024, at 12:21 PM, Paul Schmehl wrote:
>
> I’m 77. I’ve been retired for 10 years. Now I’m struggling trying to get
> postfix working with Dovecot and Spamassassin on a CentOS 7 server. I manage a
> small hobby domain for some friends (for free), and the changes in systems
> are so dramatic that I feel I’m losing touch.
>
> I read this doc to help me understand the new setup:
> https://samhobbs.co.uk/2014/03/raspberry-pi-email-server-part-4-spam-detection-spamassassin
>
> Paul Schmehl
> paul.schm...@gmail.com
[pfx] Need help with postfix
I’m 77. I’ve been retired for 10 years. Now I’m struggling trying to get postfix working with Dovecot and Spamassassin on a CentOS 7 server. I manage a small hobby domain for some friends (for free), and the changes in systems are so dramatic that I feel I’m losing touch.

I read this doc to help me understand the new setup:
https://samhobbs.co.uk/2014/03/raspberry-pi-email-server-part-4-spam-detection-spamassassin

I used to use filter.sh and didn’t run the spamd daemon, but I thought that using the daemon would be the best way to go now.

I uninstalled postfix 2.10 and installed postfix 3.9. I installed spamassassin 3.4. I copied my old 2.1 master.cf and main.cf to the new configs (after backing those up) and started up both daemons. (I don’t know if that’s a mistake.)

I can send and receive email, including remotely using saslauth. But, I’m not getting headers altered by spamassassin and I’m seeing some warnings in the logs that bother me.

Here’s the spamassassin bits in master.cf:

smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=spamassassin

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/local/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

[root@ded602 etc]# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_mail_to_commands = alias,forward
allow_mail_to_files = alias,forward
allow_percent_hack = no
anvil_status_update_time = 1d
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1
debugger_command = PATH=/usr/bin: xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_privs = nobody
default_process_limit = 75
delay_warning_time = 1d
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_recipient_limit = 3000
lmtp_sasl_auth_enable = no
local_destination_concurrency_limit = 2
local_destination_recipient_limit = 100
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 9
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 5d
message_size_limit = 9
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost mail.$mydomain, www.$mydomain, lists.$mydomain, $mydomain
mydomain = stovebolt.com
myhostname = mail.$mydomain
mynetworks = 127.0.0.0/8,162.250.226.170/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = $smtpd_milters
owner_request_special = no
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = enforce
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.7.2/README_FILES
recipient_delimiter = +
relay_domains = $mydestination, www.stovebolt.com, server1.stovebolt.com
sample_directory = /usr/share/doc/postfix3-3.7.2/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_loglevel = 0
smtp_tls_security_level = may
smtp_tls_session_cache_database =
[pfx] Re: secure the email system
A paranoid configuration could add:

smtpd_reject_unlisted_sender = yes

That is, do not send mail with a sender address that is known to
be invalid (the SMTP server would reject mail for the address with
"user unknown").

For more details (what is valid, why reject invalid senders) see
https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

	Wietse
[pfx] Working around load balancers
On second consideration, if an *SQL "server_hosts" setting specifies
only one target (host or IP address), then Postfix has little to lose
if it pretends that the name is given twice, and retries once
immediately, especially if it turns off the logic to avoid a failed
*SQL server for 60 seconds.

The logic for LMTP and SMTP can be similar: if a next-hop destination
resolves to exactly one IP address, pretend that it is given twice, and
retry once immediately. If both attempts fail, defer mail as usual.

Bulk mailers may want to skip the immediate SMTP retry if the error was
at the network level (no connection) because an SMTP client that is
retrying a "down" host cannot be used to deliver mail.

This retry logic does not apply to milters, where a failure in the
middle of an SMTP conversation is not immediately recoverable. Commands
would have to be replayed and message changes would have to be undone.
Instead, the remote SMTP client has to retry the entire transaction
later.

	Wietse
[pfx] Re: secure the email system
On 2024-06-13 15:07, Dimitris via Postfix-users wrote:
> On 13/6/24 03:51, Jeff Peng via Postfix-users wrote:
>> 3. use policyd-rate-limit to limit sending rate.
>> 5. use policyd-spf to check sender IP's SPF and reject the failed one.
>> 6. use opendmarc to check sender domain's DMARC and reject the failed one.
>> 7. opendkim is also deployed for either incoming messages (check signatures) or outgoing messages (add signatures).
>> 9. rspamd for email content security (not deployed yet).
>
> 3,5,6,7 can be achieved with 9 (=rspamd when deployed).
> there are rspamd modules for those features.

that's great to know. I will check more details on rspamd. thanks.
[pfx] Re: secure the email system
On 13/6/24 03:51, Jeff Peng via Postfix-users wrote:
> 3. use policyd-rate-limit to limit sending rate.
> 5. use policyd-spf to check sender IP's SPF and reject the failed one.
> 6. use opendmarc to check sender domain's DMARC and reject the failed one.
> 7. opendkim is also deployed for either incoming messages (check signatures) or outgoing messages (add signatures).
> 9. rspamd for email content security (not deployed yet).

3,5,6,7 can be achieved with 9 (=rspamd when deployed).
there are rspamd modules for those features.

so, no need to keep extra daemons if you don't specifically need those...

2c.
d.