[pfx] Re: secure the email system

2024-06-13 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello Wietse,
> 
> I have added this line:
>  smtpd_reject_unlisted_sender = yes
> 
> into main.cf.
> May I ask, this option is for submission request, or for MX request?

All services that use smtpd.

Wietse

> On 2024-06-14 04:14, Wietse Venema via Postfix-users wrote:
> > Wietse Venema via Postfix-users:
> >> A paranoid configuration could add:
> >> 
> >> smtpd_reject_unlisted_sender = yes
> >> 
> >> That is, do not send mail with a sender address that is known to
> >> be invalid (the SMTP server would reject mail for the address with
> >> "user unknown").
> >> 
> >> For more details (what is valid, why reject invalid senders) see
> >> https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender
> > 
> > This will respect address extensions, because it reuses the logic for
> > rejecting unknown recipients. Less code, more functionality.
> > 
> > Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: secure the email system

2024-06-13 Thread Jeff Peng via Postfix-users

Hello Wietse,

I have added this line:
smtpd_reject_unlisted_sender = yes

into main.cf.
May I ask, this option is for submission request, or for MX request?

Thanks.


On 2024-06-14 04:14, Wietse Venema via Postfix-users wrote:
> Wietse Venema via Postfix-users:
> > A paranoid configuration could add:
> > 
> > smtpd_reject_unlisted_sender = yes
> > 
> > That is, do not send mail with a sender address that is known to
> > be invalid (the SMTP server would reject mail for the address with
> > "user unknown").
> > 
> > For more details (what is valid, why reject invalid senders) see
> > https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender
> 
> This will respect address extensions, because it reuses the logic for
> rejecting unknown recipients. Less code, more functionality.
> 
> Wietse


[pfx] Re: secure the email system

2024-06-13 Thread Till Elsner via Postfix-users
Would this respect recipient_delimiter, i.e. "tagged" sender addresses?


[pfx] Re: Need help with postfix

2024-06-13 Thread Paul Schmehl via Postfix-users
See inline comments.

Paul Schmehl
paul.schm...@gmail.com



> On Jun 13, 2024, at 3:12 PM, Wietse Venema via Postfix-users wrote:
> 
> Paul Schmehl via Postfix-users:
>> I'm 77. I've been retired for 10 years. Now I'm struggling trying
>> to get postfix working with Dovecot and SpamAssassin on a CentOS 7
>> server. I manage a small hobby domain for some friends (for free),
>> and the changes in systems are so dramatic that I feel I'm losing
>> touch.
> 
> Welcome back. I'm also updating some different infrastructure from
> a similar vintage, and translating configurations from the past to
> the present can be challenging.

Thank you for the kind words.
> 
>> 
>> Here's the spamassassin bits in master.cf:
>> 
>> smtp  inet  n   -   n   -   -   smtpd
>>-o content_filter=spamassassin
>> 
>> spamassassin unix -  n   n   -   -  pipe
>>   user=spamd argv=/usr/local/bin/spamc -f -e
>>   /usr/sbin/sendmail -oi -f ${sender} ${recipient}
> 
> So that one seems to be failing.

It was failing because spamc was located in /usr/bin, not /usr/local/bin. 
That’s been fixed. Also, the spamd user did not exist. That also has been 
fixed. 

So, yes, it was a bad configuration. I copied the text from the article that I 
linked to and forgot to verify the location of the binaries.

Skipping.

> 
>> I'm not sure if all these parameters are still in use or if I even need them.
> 
>> I'm seeing a lot of these, but I assume this is just a nefarious actor:
>> Jun 13 13:16:18 ded602 postfix/smtpd[2438]: warning: non-SMTP command from 
>> unknown[80.244.11.148]: 
>> \026\003\001\000\342\001\000\000\336\003\003iRf+\246d\261&]\303\034/;\315\213\372\t4\005L\253\250
> 
> That's a TLS handshake. If this is on port 25 or 587 that is the
> client's mistake. With modern master.cf files, Postfix will log
> the service name for user mail user agents as postfix/submission/smtpd,
> postfix/smtps/smtpd, or postfix/submissions/smtpd.
> 
>> Please be gentle. I'm far from a pro, and I've been out of the game for a 
>> decade.
> 
> No problem. Could you be so kind not to include a 80 kilobyte
> HTML attachment?

I didn’t even realize that Apple mail was sending as html. I’ll have to see if 
I can change that.

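Both faults Paul found (spamc living at a different path than the master.cf entry says, and no spamd account) are conditions pipe(8) refuses at startup, which is what "bad command startup -- throttling" in the master log means. The Python below is an added example, not code from the thread or from Postfix: it parses the pipe entry from the master.cf fragment quoted above and reports those conditions before a reload. The user and path lookups are injectable so the check can be run against another host's facts; the default lookups consult the local passwd database and filesystem.

```python
import os
import pwd

# master.cf fragment as posted in the thread (the pipe(8) transport that failed).
MASTER_CF_SNIPPET = """\
spamassassin unix -  n   n   -   -  pipe
   user=spamd argv=/usr/local/bin/spamc -f -e
   /usr/sbin/sendmail -oi -f ${sender} ${recipient}
"""

PIPE_FLAGS = set("BDFORXhqu.>")   # characters pipe(8) accepts in flags=


def parse_pipe_entries(text):
    """Return {service_name: attribute_text} for every pipe(8) service.

    master.cf has 8 fixed columns (name type private unpriv chroot wakeup
    maxproc command); a line starting with whitespace continues the previous
    entry, and everything after the command column is the attribute list.
    """
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is not None:
                entries[current] += " " + line.strip()
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[7] == "pipe":
            current = fields[0]
            entries[current] = " ".join(fields[8:])
        else:
            current = None
    return entries


def parse_attributes(attr_text):
    """Split "name=value ..." attributes; argv= must be last and takes the rest."""
    attrs, tokens = {}, attr_text.split()
    for i, tok in enumerate(tokens):
        name, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {tok}")
        if name == "argv":
            attrs["argv"] = [value] + tokens[i + 1:]
            break
        attrs[name] = value
    return attrs


def _user_exists(name):
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def _is_executable(path):
    # Assumes argv= starts with an absolute path, as in the posted entry.
    return os.path.isfile(path) and os.access(path, os.X_OK)


def check_pipe_entry(attrs, user_exists=_user_exists, is_executable=_is_executable):
    """List what pipe(8) would refuse at startup, each of which shows up as
    "bad command startup -- throttling" in the master log."""
    problems = []
    if "user" not in attrs:
        problems.append("missing user= attribute")
    else:
        user = attrs["user"].split(":", 1)[0]
        if user == "root":
            problems.append("pipe refuses to run commands as root")
        elif not user_exists(user):
            problems.append(f"unknown username: {user}")
    if "argv" not in attrs:
        problems.append("missing argv= attribute")
    elif not is_executable(attrs["argv"][0]):
        problems.append(f"command not found or not executable: {attrs['argv'][0]}")
    for flag in attrs.get("flags", ""):
        if flag not in PIPE_FLAGS:
            problems.append(f"unknown flag: {flag}")
    return problems


if __name__ == "__main__":
    for name, attr_text in parse_pipe_entries(MASTER_CF_SNIPPET).items():
        for problem in check_pipe_entry(parse_attributes(attr_text)) or ["ok"]:
            print(f"{name}: {problem}")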


[pfx] Re: secure the email system

2024-06-13 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> A paranoid configuration could add:
> 
> smtpd_reject_unlisted_sender = yes
> 
> That is, do not send mail with a sender address that is known to
> be invalid (the SMTP server would reject mail for the address with
> "user unknown").
> 
> For more details (what is valid, why reject invalid senders) see
> https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

This will respect address extensions, because it reuses the logic for
rejecting unknown recipients. Less code, more functionality.

Wietse
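As an added illustration of the two points above (this is not code from the thread or from Postfix itself), the Python model below shows why a tagged sender such as user+tag@example.com passes the check: the extension is cut off at recipient_delimiter before the lookup, exactly as reject_unlisted_recipient does for recipients, so a tagged address is valid precisely when the bare address is. The domains, users and tables are constructed stand-ins for mydestination, local_recipient_maps (passwd plus aliases) and virtual_mailbox_maps; the reply strings follow the wording Postfix uses.

```python
# Constructed tables standing in for what Postfix would consult.
LOCAL_DOMAINS = {"example.com", "mail.example.com", "localhost"}   # mydestination
LOCAL_USERS = {"jeff", "root"}                                      # unix:passwd.byname
ALIASES = {"postmaster", "abuse"}                                   # alias_maps
VIRTUAL_DOMAINS = {"virt.example"}                                  # virtual_mailbox_domains
VIRTUAL_MAILBOXES = {"alice@virt.example"}                          # virtual_mailbox_maps
MYORIGIN = "example.com"
RECIPIENT_DELIMITER = "+"


def strip_extension(localpart, delimiter=RECIPIENT_DELIMITER):
    """Drop the address extension: "user+tag" -> "user".

    Postfix splits at the first delimiter character, unless that would leave
    an empty local part, so "+odd" is left alone.
    """
    idx = next((i for i, c in enumerate(localpart) if c in delimiter), -1)
    return localpart if idx <= 0 else localpart[:idx]


def lookup(address):
    """Return (listed, table) the way recipient/sender validation sees it.

    Only addresses in domains this server is responsible for can be known to
    be invalid; anything else is always "listed".
    """
    if address == "":
        return True, None                   # null sender <>: no domain, nothing applies
    local, at, domain = address.rpartition("@")
    if not at:                              # unqualified: Postfix appends $myorigin
        local, domain = address, MYORIGIN
    domain = domain.lower()
    bare = strip_extension(local).lower()
    if domain in LOCAL_DOMAINS:
        return (bare in LOCAL_USERS or bare in ALIASES), "local recipient table"
    if domain in VIRTUAL_DOMAINS:
        return (f"{bare}@{domain}" in VIRTUAL_MAILBOXES), "virtual mailbox table"
    return True, None


def smtpd_mail_from(sender, reject_unlisted_sender=True):
    """Reply an smtpd would give to MAIL FROM:<sender> with the setting on or off."""
    listed, table = lookup(sender)
    if reject_unlisted_sender and not listed:
        return f"550 5.1.0 <{sender}>: Sender address rejected: User unknown in {table}"
    return "250 2.1.0 Ok"


if __name__ == "__main__":
    for s in ("jeff+list@example.com", "nosuch@example.com", "alice+x@virt.example", ""):
        print(f"MAIL FROM:<{s}> -> {smtpd_mail_from(s)}")
```

On Jeff's question about scope: a main.cf setting applies to every smtpd instance in master.cf (port 25, submission, smtps). To turn it on for only one listener, set it per service instead with -o smtpd_reject_unlisted_sender=yes on that master.cf entry.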


[pfx] Re: Need help with postfix

2024-06-13 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> I'm 77. I've been retired for 10 years. Now I'm struggling trying
> to get postfix working with Dovecot and SpamAssassin on a CentOS 7
> server. I manage a small hobby domain for some friends (for free),
> and the changes in systems are so dramatic that I feel I'm losing
> touch.

Welcome back. I'm also updating some different infrastructure from
a similar vintage, and translating configurations from the past to
the present can be challenging.

> I read this doc to help me understand the new setup:
> https://samhobbs.co.uk/2014/03/raspberry-pi-email-server-part-4-spam-detection-spamassassin
> 
> I used to use filter.sh and didn't run the spamd daemon, but I
> thought that using the daemon would be the best way to go now.
> 
> I uninstalled postfix 2.10 and installed postfix 3.9. I installed
> spamassassin 3.4. I copied my old 2.1 master.cf and main.cf to the
> new configs (after backing those up) and started up both daemons.
> (I don't know if that's a mistake.)
> 
> I can send and receive email, including remotely using saslauth.
> But, I'm not getting headers altered by spamassassin and I'm
> seeing some warnings in the logs that bother me.
> 
> Here's the spamassassin bits in master.cf:
> 
> smtp  inet  n   -   n   -   -   smtpd
> -o content_filter=spamassassin
> 
> spamassassin unix -  n   n   -   -  pipe
>user=spamd argv=/usr/local/bin/spamc -f -e
>/usr/sbin/sendmail -oi -f ${sender} ${recipient}

So that one seems to be failing.

> Jun 13 13:10:34 ded602 postfix/master[31118]: warning: 
> /usr/libexec/postfix/pipe: bad command startup -- throttling
> Jun 13 13:10:34 ded602 postfix/master[31118]: warning: process 
> /usr/libexec/postfix/pipe pid 2404 exit status 1

This is the exit status when the pipe daemon detects a bad
configuration.  I suspect that the pipe daemon is logging some
details along the lines of:

unknown flag:
unknown username
unknown group

> Jun 13 13:10:34 ded602 postfix/qmgr[31120]: warning: private/spamassassin 
> socket: malformed response

That is to be expected when the pipe daemon detects a configuration problem.

> [root@ded602 etc]# postconf -n

Skipping that for now.

> I'm not sure if all these parameters are still in use or if I even need them.

> I'm seeing a lot of these, but I assume this is just a nefarious actor:
> Jun 13 13:16:18 ded602 postfix/smtpd[2438]: warning: non-SMTP command from 
> unknown[80.244.11.148]: 
> \026\003\001\000\342\001\000\000\336\003\003iRf+\246d\261&]\303\034/;\315\213\372\t4\005L\253\250

That's a TLS handshake. If this is on port 25 or 587 that is the
client's mistake. With modern master.cf files, Postfix will log
the service name for user mail user agents as postfix/submission/smtpd,
postfix/smtps/smtpd, or postfix/submissions/smtpd.

> Please be gentle. I'm far from a pro, and I've been out of the game for a 
> decade.

No problem. Could you be so kind not to include a 80 kilobyte
HTML attachment?

Wietse
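The warning Paul quotes can be confirmed from the log line alone. The Python below is an added example, not part of the thread or of Postfix: it undoes the \ooo escaping Postfix applies when it logs a non-SMTP command and checks the bytes against the TLS record and handshake headers (0x16 = handshake record, 0x03 0x01 = record version, handshake type 0x01 = ClientHello, client_version two bytes further in). The log sample is constructed; its first line reuses the bytes from Paul's warning with placeholder host, pid and address, and the other lines are made up to show the contrasting cases.

```python
import re

# Constructed log sample (hosts, pids and addresses are placeholders).
SAMPLE_LOG = r"""
Jun 13 13:16:18 mx postfix/smtpd[2438]: warning: non-SMTP command from unknown[192.0.2.10]: \026\003\001\000\342\001\000\000\336\003\003iRf+\246d\261&]\303\034/;\315\213\372\t4\005L\253\250
Jun 13 13:16:19 mx postfix/smtpd[2439]: warning: non-SMTP command from unknown[192.0.2.11]: GET / HTTP/1.1
Jun 13 13:16:20 mx postfix/submission/smtpd[2440]: warning: non-SMTP command from unknown[192.0.2.12]: \026\003\003\000\005\001\000\000\001
Jun 13 13:16:21 mx postfix/smtpd[2441]: connect from mail.example.net[198.51.100.5]
"""

LINE_RE = re.compile(
    r"postfix/(?P<service>[\w/]+?)\[\d+\]: warning: non-SMTP command from "
    r"(?P<client>\S+): (?P<cmd>.*)$"
)
# Postfix logs non-printable bytes as \ooo (three octal digits) and uses
# \t \n \r \\ for the usual C escapes; the logged command is truncated to
# 100 characters, so only the leading bytes are available.
ESCAPE_RE = re.compile(r"\\([0-7]{3}|[tnr\\])")
_C_ESCAPES = {"t": 9, "n": 10, "r": 13, "\\": 92}
TLS_VERSIONS = {(3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1",
                (3, 3): "TLS1.2", (3, 4): "TLS1.3"}


def unescape(text):
    """Turn the escaped command text from the log back into raw bytes."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        out.append(int(tok, 8) if tok[0] in "01234567" else _C_ESCAPES[tok])
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def classify(raw):
    """Name the protocol the client was actually speaking.

    TLS record header: content type 0x16 (handshake), 2-byte version 3.x,
    2-byte length. Handshake header: type 0x01 (ClientHello), 3-byte length,
    then the 2-byte client_version at offset 9.
    """
    if len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 3 and raw[5] == 0x01:
        rec = TLS_VERSIONS.get((raw[1], raw[2]), f"{raw[1]}.{raw[2]}")
        hello = TLS_VERSIONS.get((raw[9], raw[10]), "?") if len(raw) >= 11 else "truncated"
        return f"TLS ClientHello (record {rec}, client_version {hello})"
    if raw.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT", b"OPTIONS"):
        return "HTTP request"
    return "unknown"


def scan(log_text):
    """Return (service, client, verdict) for each non-SMTP-command warning.

    The service name is the useful part: a ClientHello on "smtpd" or
    "submission/smtpd" is a client speaking implicit TLS to a STARTTLS port
    (misconfigured client or scanner). On "smtps"/"submissions" Postfix does
    the handshake itself, so this warning would never appear there.
    """
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.search(line)
        if m:
            verdict = classify(unescape(m.group("cmd")))
            findings.append((m.group("service"), m.group("client"), verdict))
    return findings


if __name__ == "__main__":
    for service, client, verdict in scan(SAMPLE_LOG):
        print(f"{service:18} {client:24} {verdict}")
```

Run it over the real mail log (postfix/smtpd lines only) to separate clients that merely picked the wrong port from clients sending something else; the first case is harmless noise, the second is worth a closer look.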


[pfx] Re: Need help with postfix

2024-06-13 Thread Paul Schmehl via Postfix-users
I trimmed a lot of my original message from this reply.

I figured out what was wrong. The spamassassin install didn’t create the spamd 
account. It’s working fine now.

I would appreciate it if some of you pros could look over my postconf and 
advise me on any settings that I need to alter or delete. Since I copied my 
2.10 setup to 3.9, I’m sure there’s some detritus in there that needs to be 
culled.

Paul Schmehl
paul.schm...@gmail.com



> On Jun 13, 2024, at 12:21 PM, Paul Schmehl wrote:
> 
> I’m 77. I’ve been retired for 10 years. Now I’m struggling trying to get 
> postfix working with Dovecot and SpamAssassin on a CentOS 7 server. I manage a 
> small hobby domain for some friends (for free), and the changes in systems 
> are so dramatic that I feel I’m losing touch.
> 
> I read this doc to help me understand the new setup: 
> https://samhobbs.co.uk/2014/03/raspberry-pi-email-server-part-4-spam-detection-spamassassin

> Paul Schmehl
> paul.schm...@gmail.com


[pfx] Need help with postfix

2024-06-13 Thread Paul Schmehl via Postfix-users
I’m 77. I’ve been retired for 10 years. Now I’m struggling trying to get 
postfix working with Dovecot and SpamAssassin on a CentOS 7 server. I manage a 
small hobby domain for some friends (for free), and the changes in systems are 
so dramatic that I feel I’m losing touch.

I read this doc to help me understand the new setup: 
https://samhobbs.co.uk/2014/03/raspberry-pi-email-server-part-4-spam-detection-spamassassin

I used to use filter.sh and didn’t run the spamd daemon, but I thought that 
using the daemon would be the best way to go now.

I uninstalled postfix 2.10 and installed postfix 3.9. I installed spamassassin 
3.4. I copied my old 2.1 master.cf and main.cf to the new configs (after 
backing those up) and started up both daemons. (I don’t know if that’s a 
mistake.)

I can send and receive email, including remotely using saslauth. But, I’m not 
getting headers altered by spamassassin and I’m seeing some warnings in the 
logs that bother me.

Here’s the spamassassin bits in master.cf:

smtp  inet  n   -   n   -   -   smtpd
-o content_filter=spamassassin

spamassassin unix -  n   n   -   -  pipe
   user=spamd argv=/usr/local/bin/spamc -f -e
   /usr/sbin/sendmail -oi -f ${sender} ${recipient}

[root@ded602 etc]# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_mail_to_commands = alias,forward
allow_mail_to_files = alias,forward
allow_percent_hack = no
anvil_status_update_time = 1d
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1
debugger_command = PATH=/usr/bin: xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_privs = nobody
default_process_limit = 75
delay_warning_time = 1d
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_recipient_limit = 3000
lmtp_sasl_auth_enable = no
local_destination_concurrency_limit = 2
local_destination_recipient_limit = 100
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 9
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 5d
message_size_limit = 9
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost mail.$mydomain, www.$mydomain, lists.$mydomain, $mydomain
mydomain = stovebolt.com
myhostname = mail.$mydomain
mynetworks = 127.0.0.0/8,162.250.226.170/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = $smtpd_milters
owner_request_special = no
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = enforce
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.7.2/README_FILES
recipient_delimiter = +
relay_domains = $mydestination, www.stovebolt.com, server1.stovebolt.com
sample_directory = /usr/share/doc/postfix3-3.7.2/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_loglevel = 0
smtp_tls_security_level = may
smtp_tls_session_cache_database = 

[pfx] Re: secure the email system

2024-06-13 Thread Wietse Venema via Postfix-users
A paranoid configuration could add:

smtpd_reject_unlisted_sender = yes

That is, do not send mail with a sender address that is known to
be invalid (the SMTP server would reject mail for the address with
"user unknown").

For more details (what is valid, why reject invalid senders) see
https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

Wietse



[pfx] Working around load balancers

2024-06-13 Thread Wietse Venema via Postfix-users
On second consideration, if an *SQL "server_hosts" setting specifies
only one target (host or IP address), then Postfix has little to
lose if it pretends that the name is given twice, and retries once
immediately, especially if it turns off the logic to avoid a failed
*SQL server for 60 seconds.

The logic for LMTP and SMTP can be similar: if a next-hop destination
resolves to exactly one IP address, pretend that it is given twice,
and retry once immediately. If both attempts fail, defer mail as usual.

Bulk mailers may want to skip the immediate SMTP retry if the error
was at the network-level (no connection) because an SMTP client
that is retrying a "down" host cannot be used to deliver mail.

This retry logic does not apply to milters, where a failure in the
middle of an SMTP conversation is not immediately recoverable.
Commands would have to be replayed and message changes would have
to be undone. Instead, the remote SMTP client has to retry the
entire transaction later.

Wietse
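To make the proposed policy concrete, here is an added Python model of it (an illustration only, not Postfix code and not something posted in the thread): a next hop that resolves to exactly one address is treated as if it were listed twice, a failure after connecting gets one immediate retry, and a bulk mailer gives up at once on a network-level failure against that single address, since a host that refuses connections cannot serve a retry a second later either. The host names, addresses, and the resolver and connection stand-ins are constructed for the example.

```python
class NetworkError(Exception):
    """No connection at all (refused, timed out, unreachable)."""


class SessionError(Exception):
    """Connected, but the session failed, e.g. the balancer handed out a dead backend."""


# Constructed name-to-address table standing in for DNS / *SQL server_hosts.
HOSTS = {
    "lb.example.net": ["203.0.113.5"],                    # one VIP in front of a pool
    "mx.example.net": ["203.0.113.10", "203.0.113.11"],   # two real hosts
}


def resolve(nexthop, table=HOSTS):
    """Stand-in for the lookup that turns a next hop into a list of addresses."""
    return list(table.get(nexthop, []))


def deliver(nexthop, attempt, table=HOSTS, bulk_mailer=False):
    """Try each address of the next hop in turn.

    attempt(ip) either returns or raises NetworkError / SessionError.
    Returns ("delivered", ip) on success, otherwise ("deferred", log) where
    log holds one entry per failed attempt.
    """
    addresses = resolve(nexthop, table)
    if len(addresses) == 1:
        addresses = addresses * 2          # pretend the single target is listed twice
    log = []
    for ip in addresses:
        try:
            attempt(ip)
            return "delivered", ip
        except NetworkError as err:
            log.append(f"{ip}: {err}")
            if bulk_mailer and len(set(addresses)) == 1:
                break                      # a "down" host will not answer a retry either
        except SessionError as err:
            log.append(f"{ip}: {err}")     # next address (or the immediate retry)
    return "deferred", log


def flaky_backend(failures):
    """Build an attempt() that fails `failures` times after connecting, then
    succeeds: the load-balancer case where the first pick is a dead backend."""
    state = {"left": failures}

    def attempt(ip):
        if state["left"] > 0:
            state["left"] -= 1
            raise SessionError("backend closed the connection after the greeting")
    return attempt


def down_host(ip):
    """attempt() for a host that does not accept connections at all."""
    raise NetworkError("connection refused")


if __name__ == "__main__":
    print(deliver("lb.example.net", flaky_backend(1)))                  # delivered on the retry
    print(deliver("lb.example.net", flaky_backend(2)))                  # deferred after two tries
    print(deliver("lb.example.net", down_host, bulk_mailer=True))       # deferred after one try
    print(deliver("mx.example.net", flaky_backend(1)))                  # delivered via second host
```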


[pfx] Re: secure the email system

2024-06-13 Thread Jeff Peng via Postfix-users

On 2024-06-13 15:07, Dimitris via Postfix-users wrote:
> On 13/6/24 03:51, Jeff Peng via Postfix-users wrote:
> > 3. use policyd-rate-limit to limit sending rate.
> > 5. use policyd-spf to check sender IP's SPF and reject the failed one.
> > 6. use opendmarc to check sender domain's DMARC and reject the failed
> > one.
> > 7. opendkim is also deployed for either incoming messages (check
> > signatures) or outgoing messages (add signatures).
> > 
> > 9. rspamd for email content security (not deployed yet).
> 
> 3,5,6,7 can be achieved with 9 (=rspamd when deployed). there are
> rspamd modules for those features.

that's great to know. I will check more details on rspamd. thanks.


[pfx] Re: secure the email system

2024-06-13 Thread Dimitris via Postfix-users

On 13/6/24 03:51, Jeff Peng via Postfix-users wrote:
> 3. use policyd-rate-limit to limit sending rate.
> 5. use policyd-spf to check sender IP's SPF and reject the failed one.
> 6. use opendmarc to check sender domain's DMARC and reject the failed one.
> 7. opendkim is also deployed for either incoming messages (check
> signatures) or outgoing messages (add signatures).
> 
> 9. rspamd for email content security (not deployed yet).

3,5,6,7 can be achieved with 9 (=rspamd when deployed). there are rspamd 
modules for those features.

so, no need to keep extra daemons if you don't specifically need those...

2c.
d.