[pfx] inet_interfaces and loopback

2024-05-16 Thread Alex via Postfix-users
Hi,
I have a fedora38 system with postfix-3.7.9 that fails to start on boot
because of the below problem. I have intentionally set inet_interfaces to
only 127.0.0.1 because it's my outbound interface that communicates with
amavisd on 10025.

This must be related to the fedora systemd scripts using an old grep
format, but I don't understand why it's complaining about not including my
public IP when it's not needed.

 postfix[1350]: egrep: warning: egrep is obsolescent; using grep -E
 postfix-out/postfix-script[1355]: starting the Postfix mail system
 postfix-out/master[1357]: daemon started -- version 3.7.9, configuration
/etc/postfix-out
 postfix[1361]: fatal: parameter inet_interfaces: no local interface found
for 130.250.NNN.197

# postconf -n -c /etc/postfix-out inet_interfaces
inet_interfaces = 127.0.0.1

I'm not sure that it's needed, but here's the output from "ip addr" for
completeness.

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
   valid_lft forever preferred_lft forever
2: ens18:  mtu 1500 qdisc fq_codel state
UP group default qlen 1000
link/ether 82:1f:81:94:32:4e brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 130.250.NNN.197/28 brd 130.250.NNN.207 scope global noprefixroute
ens18
   valid_lft forever preferred_lft forever
inet 130.250.NNN.198/32 scope global noprefixroute ens18
   valid_lft forever preferred_lft forever
inet 130.250.NNN.199/28 brd 130.250.NNN.207 scope global secondary
noprefixroute ens18
   valid_lft forever preferred_lft forever
inet 130.250.NNN.200/28 brd 130.250.NNN.207 scope global secondary
noprefixroute ens18
   valid_lft forever preferred_lft forever
inet 130.250.NNN.201/28 brd 130.250.NNN.207 scope global secondary
noprefixroute ens18
   valid_lft forever preferred_lft forever
inet 130.250.NNN.202/28 brd 130.250.NNN.207 scope global secondary
noprefixroute ens18
   valid_lft forever preferred_lft forever
inet 130.250.NNN.203/28 brd 130.250.NNN.207 scope global secondary
noprefixroute ens18
   valid_lft forever preferred_lft forever
inet6 fe80::801f:81ff:fe94:324e/64 scope link noprefixroute
   valid_lft forever preferred_lft forever
4: docker0:  mtu 1500 qdisc noqueue
state DOWN group default
link/ether 02:42:c7:73:3d:21 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
   valid_lft forever preferred_lft forever
5: MailBridge:  mtu 1500 qdisc noqueue
state DOWN group default qlen 1000
link/ether 22:67:80:40:61:5d brd ff:ff:ff:ff:ff:ff
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: pushing changes to remote system

2024-05-14 Thread Alex via Postfix-users
Hi guys,

On Thu, Mar 7, 2024 at 6:01 PM Steffen Nurpmeso via Postfix-users <
postfix-users@postfix.org> wrote:

> Dan Mahoney via Postfix-users wrote in
>  <56abb6d4-e690-4f94-aadb-2f646a6d1...@prime.gushi.org>:
>  |> On Mar 6, 2024, at 16:52, Wietse Venema via Postfix-users
>   |> @postfix.org> wrote:
>  |> Alex via Postfix-users:
>  |>> Hi,
>  |>> I have a few postfix systems on fedora38 with nearly identical
>  |>> configurations. I'd like to be able to push changes to them from a
> third
>  |>> system without having to login to them directly to do so. What's the
>  |>> best/most secure way to do this?
>  |>>
>  |>> For example, I'd like to push the recipient access file to both
> systems
>  |>> since they both relay mail for the same domains. Currently I'm doing \
>  |>> this
>  |>> with rsync/ssh as root but would like to use a regular user.
>  |>
>  |> rsync renames files into place. That is good, because there is no
>  |> risk that it overwrites a file while some program reads from it.
>  |>
>  |> But if an unprivileged user can replace files in /etc/postfix, they
>  |> are root equivalent. That is not the improvement that you
>  |> appear to be looking for.
>  |>
>  |> Maybe you can use a pull model instead, like curl and a REST server.
>  |
>  |This is a solved problem, using tools like ansible, chef, or puppet. \
>  | Puppet specifically can be configured to do periodic pulls without \
>  |having to login.
>
> I use git for all that.  Plus some hooks/scripts.
> Special repo with a special post-receive hook would surely do your
> specific use case.
>

It's taken me some time to get to this, but I hoped I could ask for your
help.

Do you have more information you can share about how I might do this?

The main system would push the updates to git, then perhaps a cron script
(as root?) that runs git checkout on each host to check for updates?


[pfx] recipient_bcc_maps with multi-instance

2024-05-10 Thread Alex via Postfix-users
Hi, I'm using postfix-3.7.9 multi-instance on fedora38 and can't figure out
why always_bcc and recipient_bcc_maps aren't working on the outbound
instance. It would work best in the outbound instance because of other
processing that's happening in the inbound instances.

# postmulti -l
-   -   y /etc/postfix
postfix-out mta y /etc/postfix-out
postfix-117 mta y /etc/postfix-117
postfix-114 mta y /etc/postfix-114
postfix-116 mta y /etc/postfix-116
postfix-118 mta y /etc/postfix-118
postfix-115 mta y /etc/postfix-115

In the postfix-out instance, I've tried different combinations of
always_bcc and recipient/sender_bcc_maps but I don't think I understand
properly how they work.

# postconf -n -c /etc/postfix-out |grep bcc
recipient_bcc_maps = pcre:/etc/postfix-out/recipient_bcc_maps
sender_bcc_maps = pcre:/etc/postfix-out/recipient_bcc_maps

/etc/postfix-out/recipient_bcc_maps:
/^.*@domain.com$/   bcc-user
/./                 bcc-user

In the transport map, I have the server name delivering locally:
xavier.example.com  local:
.xavier.example.com local:

I don't understand what's different about the postfix-out instance that
prevents it from processing the always_bcc or the bcc_maps parameters. Did
I read properly that the no_address_mappings could be preventing it?

127.0.0.1:10025 inet n   -   n   -   16  smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8,209.111.90.0/24
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
-o local_header_rewrite_clients=
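An added check, not part of the thread. Per postconf(5), receive_override_options=no_address_mappings disables canonical address mapping, virtual alias expansion, masquerading and the automatic BCC recipients (always_bcc, sender_bcc_maps, recipient_bcc_maps) for mail that enters Postfix through that service, and the 127.0.0.1:10025 listener above sets exactly that. The filter below reads master.cf text (or `postconf -c /etc/postfix-out -M` output) and names every service through which the instance's bcc settings are bypassed. It assumes only the standard postconf tool when run for real.

```sh
#!/bin/sh
# Added example (not from the thread): list the master.cf services whose
# receive_override_options include no_address_mappings. Mail entering
# through such a service gets no canonical/virtual mapping and no
# automatic BCC recipients, so always_bcc and *_bcc_maps in that
# instance's main.cf never apply to it.

# Read master.cf (or `postconf -M` output) on stdin; continuation lines
# are folded into their service first. Prints "<name>/<type>" per hit.
# Overrides given indirectly, e.g. -o receive_override_options=$my_opts,
# are not expanded here; use "postconf -x -M" for those.
bcc_disabled_services() {
    awk '
        function flush() {
            if (rec ~ /receive_override_options=[^ \t]*no_address_mappings/)
                print name "/" type
            rec = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blanks
        /^[^ \t]/ { flush(); name = $1; type = $2; rec = $0; next }
                  { rec = rec " " $0 }                    # continuation line
        END       { flush() }
    '
}

# For one instance directory: if any bcc parameter is set, show the
# services that bypass it. Usage: audit_instance /etc/postfix-out
audit_instance() {
    dir=$1
    bcc=$(postconf -c "$dir" -h always_bcc sender_bcc_maps recipient_bcc_maps | grep -v '^$')
    [ -n "$bcc" ] || return 0
    postconf -c "$dir" -M | bcc_disabled_services |
        sed "s|^|$dir: bcc settings are skipped for mail entering via |"
}

case ${1-} in
    audit) shift; for d in "$@"; do audit_instance "$d"; done ;;
esac
```

Two ways out follow from that: drop no_address_mappings from the 10025 listener in postfix-out so the bcc maps run there (which also re-runs the canonical and virtual mappings the inbound instances already applied), or configure always_bcc / the bcc maps on the inbound instances, where address mapping happens before the content filter.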


[pfx] Implementing ARC with postfix to allow/assist with forwarding

2024-05-03 Thread Alex via Postfix-users
Hi,
I'm using postfix-3.7.9 on fedora38 and would like to implement ARC to
assist with authenticating emails being forwarded by users to Gmail and
others. The research I've done points to OpenARC as a dead project.

This looks like a great guide to get started, but I'm having trouble
identifying which milter(?) to use for this.
https://blog.mystrika.com/arc/


[pfx] Re: sender_login_maps and dovecot and roundcube

2024-04-01 Thread Alex via Postfix-users
Hi,

> > I've set up a domain with a catch-all to deliver emails to any address
> > to a
> > single recipient address  by specifying it in my virtual_alias_maps.
> > However, the user wants to be able to send mail as any user in that
> > domain.
> > The problem is that it's rejected with "sender address rejected"
> > because
> > the user isn't defined in the smtpd_sender_login_maps.
>
> That last sentence provides such a specific and clear problem
> description that it virtually provides the solution: Add a suitable
> entry to the sender_login_maps file. Run postmap on the file.
>
> That entry probably should look like:
>
> @example.com  alex
>

Thank you - I initially didn't think the format supported that, but also
just realized it.

Thanks,
Alex


[pfx] sender_login_maps and dovecot and roundcube

2024-03-28 Thread Alex via Postfix-users
Hi,
I've set up a domain with a catch-all to deliver emails to any address to a
single recipient address by specifying it in my virtual_alias_maps.
However, the user wants to be able to send mail as any user in that domain.
The problem is that it's rejected with "sender address rejected" because
the user isn't defined in the smtpd_sender_login_maps.

Mar 28 15:55:01 cipher roundcube:  SMTP Error: Failed to add
recipient  're...@gmail.com': 5.7.1 : Sender address
rejected: not owned by user alex (Code: 553) in
/usr/share/roundcubemail/program/lib/Roundcube/rcube.php on line 1794 (POST
/webmail/?_task=mail&_unlock=loading1711655700954&_framed=1&_action=send)

# postconf smtpd_sasl_security_options smtpd_sender_login_maps
smtpd_sender_restrictions
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sender_login_maps = ${indexed}sender_login_maps
smtpd_sender_restrictions = check_sasl_access ${indexed}sasl-access

sasl-access is just:
alex    enforce_login

I know this is something I've done with different identities in Thunderbird
before, just by changing the From address, but dovecot apparently requests
auth from submission?

I also thought of using the recipient_delimiter, so sending something like
user1+a...@mydomain.com might work, but it's not what was asked for.

Maybe this is a dovecot config option I'm missing?

Thanks for any ideas on what I'm missing here.


[pfx] pushing changes to remote system

2024-03-06 Thread Alex via Postfix-users
Hi,
I have a few postfix systems on fedora38 with nearly identical
configurations. I'd like to be able to push changes to them from a third
system without having to login to them directly to do so. What's the
best/most secure way to do this?

For example, I'd like to push the recipient access file to both systems
since they both relay mail for the same domains. Currently I'm doing this
with rsync/ssh as root but would like to use a regular user.

Postfix complains when changing ownership of these files to a regular
user, so I thought of using setfacl on the individual files I need. Will
that cause a problem?

# setfacl -m g:appuser:rwx /etc/postfix
# setfacl -m g:appuser:wx /etc/postfix/client_checks.cidr
# setfacl -m g:appuser:wx /etc/postfix/recipient_checks

$ postmap recipient_checks
$ ls -l recipient_checks*
-rw-rwxr--+ 1 root    root    1065 Nov 15  2020 recipient_checks
-rw-r--r--  1 appuser appuser 2305 Mar  6 18:37 recipient_checks.cdb
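An added example serving both this question and the later "Re: pushing changes to remote system" thread on this page, not code from either. It follows the pull model suggested there: a cron job runs it as root on each relay, fetches a git branch, refuses commits that are not signed by a trusted key, validates each table and renames it into /etc/postfix with root ownership and mode 0644. Nothing under /etc/postfix ever becomes writable by an "appuser", which is the root-equivalence problem behind the setfacl approach. Hypothetical names: a clone at $REPO, a MANIFEST file listing "<type> <file>" per table, and the deploy branch name.

```sh
#!/bin/sh
# Added example (not from the thread): pull-model deployment of Postfix
# lookup tables, run from root's crontab on each relay.
# Hypothetical layout: a clone at $REPO whose MANIFEST lists "<type> <file>"
# per table; every commit on the deploy branch must carry a signature that
# root's GnuPG keyring trusts (checked with git verify-commit).
set -u

REPO=${REPO:-/var/lib/postfix-config}
CONFIG_DIR=${CONFIG_DIR:-/etc/postfix}
POSTMAP=${POSTMAP:-postmap}

# Refuse a table with a key but no value. postmap would also refuse it,
# but cidr/pcre/regexp tables get no such check before smtpd reads them.
validate_table() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        /^[ \t]/                 { next }        # continuation lines
        NF < 2 { printf "%s: line %d has no value\n", FILENAME, NR > "/dev/stderr"; exit 1 }
    ' "$1"
}

# install_table SRC DST KIND: copy with mode 0644 (root-owned when run as
# root) and rename into place, so a daemon reading DST never sees a partial
# file. Indexed kinds are rebuilt with postmap afterwards.
install_table() {
    src=$1 dst=$2 kind=$3
    validate_table "$src" || return 1
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" || return 1
    chmod 0644 "$tmp" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$tmp" || return 1; fi
    mv -f "$tmp" "$dst" || return 1
    case $kind in
        hash|btree|cdb|lmdb) "$POSTMAP" "$kind:$dst" ;;
    esac
}

# Fetch the deploy branch, verify its signature, install every listed table.
pull_and_deploy() {
    branch=${1:-deploy}
    git -C "$REPO" fetch --quiet origin "$branch" || return 1
    git -C "$REPO" verify-commit "origin/$branch" 2>/dev/null || {
        echo "refusing origin/$branch: commit is not signed by a trusted key" >&2
        return 1
    }
    git -C "$REPO" checkout --quiet --force "origin/$branch" || return 1
    while read -r kind file; do
        case $kind in ''|'#'*) continue ;; esac
        install_table "$REPO/$file" "$CONFIG_DIR/$file" "$kind" || return 1
    done < "$REPO/MANIFEST"
}

case ${1-} in
    deploy) pull_and_deploy "${2-}" ;;
esac
```

The push side then needs no login at all: an operator commits with a signing key, and the relay decides what it accepts. If a table feeds a running process directly (pcre, cidr, regexp), the rename is what makes the swap safe; for hash/cdb tables the .db/.cdb file is rebuilt after the source lands.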


[pfx] Re: ARC or DKIM or SRS?

2024-02-12 Thread Alex via Postfix-users
Hi,

On Mon, Feb 12, 2024 at 5:39 AM Jaroslaw Rafa via Postfix-users <
postfix-users@postfix.org> wrote:

> Dnia 11.02.2024 o godz. 17:47:05 Alex via Postfix-users pisze:
> > My concern would be with multiple MX records for the same domain - is it
> > possible it would come back to try again with another MX and be delayed
> yet
> > again?
>
> MX are the addresses that *receive* mail for a given domain, not the
> addresses from which mail is sent. These would be specified in SPF record
> (if present).
>

Yes, of course. I'm sorry I gave you another impression of what I was
asking.

I'll check out postscreen_cache_map in case it can do most of what I need,
but my interest is from the server side, which is where postscreen is also
run, of course.

Thanks,
Alex


[pfx] Re: ARC or DKIM or SRS?

2024-02-11 Thread Alex via Postfix-users
Hi,

> It has multiple benefits against bots, like:
> > - few seconds delay for refusing clients that send helo/ehlo before
> > esmtp greeting (I have used this for years with sendmail)
> > - dnwsl/dnsbl scoring system.
> >
> > These are pretty safe to use.
>
> These are the tests that are enabled by default.  If you also enable the
> other after-220 tests then postscreen will, after whitelisting the
> connecting IP, give a 450 response which tells the sending server to
> defer (disconnect and try again later).  This is very similar to how
> greylisting works.
>

My concern would be with multiple MX records for the same domain - is it
possible it would come back to try again with another MX and be delayed yet
again?

The sqlgrey perl script has the ability to consult a database to see if
enough time has elapsed as well as cluster servers to see if the client has
attempted a connection to one of the other MX servers. I'm not sure I ever
managed to set it up successfully, however.


[pfx] ARC or DKIM or SRS?

2024-02-07 Thread Alex via Postfix-users
Hi,

I'm hoping I could ask for some advice. We have a pretty large percentage
of users who forward mail through our systems to personal Gmail accounts.
Sometimes it is mail from bulk senders like mailgun and lanyon/cvent.

Would ARC help here, or is DKIM enough for DMARC alignment with forwarded
messages? Perhaps ARC will help in those cases where DKIM fails with
forwarded messages? Is it used on the sending server or on the relay? Is it
installed using a milter alongside openSPF/DKIM using openarc?
https://github.com/trusteddomainproject/OpenARC/issues/139

I've also thought about implementing SRS over the years, but it has its own
problems, so I wondered if people were still implementing that?

This has become particularly important with the recent news about Google
requiring senders (or forwarders, in my case) to do more to ensure delivery.
https://support.google.com/a/answer/81126?visit_id=638429520681370280-1110640002=1#zippy=%2Crequirements-for-all-senders


[pfx] client checks with suspect IPs

2024-01-16 Thread Alex via Postfix-users
Hi,

I need help with making a decision involved in determining whether to add
an IP to my client_checks to bypass a blocklist entry on the Barracuda
blocklist that is impacting one of our users. The problem is that
this would also bypass the checks for other Zix hosted customers.

Jan 16 12:04:30 xavier postfix-118/postscreen[1006916]: NOQUEUE: reject:
RCPT from [74.203.184.40]:3602: 550 5.7.1 Service unavailable; client
[74.203.184.40] blocked using DNS Blocklist (barracuda); from=<
jbraz...@myclient.com>, to=, proto=ESMTP, helo=<zh-gw.zixsmbhosted.com>

I was also thinking I could add a sender_check for users at myclient.com
domain only, but that didn't work. The above entry relates to a client
reject, but shouldn't a sender_check involving myclient.com work as well?

smtpd_client_restrictions =
permit_mynetworks,
check_client_access ${indexed}client_checks,
check_client_access pcre:$config_directory/client_checks.pcre,
check_reverse_client_hostname_access
pcre:$config_directory/reverse_client_hostname_access.pcre,
check_client_access cidr:$config_directory/client_access_blocklist

/etc/postfix-118/client_checks.pcre:
/74\.203\.184\.40/  OK

smtpd_sender_restrictions =
permit_mynetworks,
check_sender_access ${indexed}sender_checks,
check_sender_access pcre:$config_directory/sender_checks.pcre,
reject_unknown_sender_domain

/etc/postfix-118/sender_checks.pcre:
/myclient\.com/ permit

Any ideas greatly appreciated.
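An added example, not part of the thread. The log line above comes from postscreen, and postscreen's DNSBL test rejects the client before any smtpd process exists, so smtpd_client_restrictions and smtpd_sender_restrictions (and the client_checks and sender_checks tables behind them) are never consulted for that connection. The only per-client exemption at that stage is postscreen_access_list. The helper below adds one /32 permit entry for an instance; the table name postscreen_access.cidr is a hypothetical choice, and POSTCONF is overridable so the function can be exercised without Postfix installed.

```sh
#!/bin/sh
# Added example (not from the thread): add a per-client bypass at the stage
# that issued the reject, i.e. postscreen rather than smtpd.
# Hypothetical table name: postscreen_access.cidr in the instance directory.

POSTCONF=${POSTCONF:-postconf}   # overridable for offline testing

# allow_client_at_postscreen CONFIG_DIR IP
# Idempotently adds "IP/32 permit" to the instance's postscreen CIDR table
# and makes sure postscreen_access_list consults it. "permit" skips every
# postscreen test for that client; smtpd restrictions still run afterwards.
allow_client_at_postscreen() {
    dir=$1 ip=$2
    table="$dir/postscreen_access.cidr"
    touch "$table" || return 1
    grep -qF -- "$ip/32" "$table" ||
        printf '%s/32\tpermit\n' "$ip" >> "$table" || return 1
    current=$("$POSTCONF" -c "$dir" -h postscreen_access_list)
    case $current in
        *postscreen_access.cidr*) ;;
        *) "$POSTCONF" -c "$dir" -e \
             "postscreen_access_list = ${current:-permit_mynetworks}, cidr:\$config_directory/postscreen_access.cidr" ;;
    esac
}

case ${1-} in
    allow) allow_client_at_postscreen "$2" "$3" ;;
esac
```

Reload the instance afterwards (`postfix -c /etc/postfix-118 reload`) so postscreen re-reads the table. The caveat is the one raised in the post: the permit applies to everything behind that gateway address, so every customer of the shared Zix host skips postscreen. postscreen cannot make a per-sender decision; if the exception really must be keyed on the sender domain, that DNSBL has to be checked in smtpd instead (reject_rbl_client placed after the check_sender_access lookup), at the cost of losing postscreen's cheap pre-smtpd rejection for that list.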


[pfx] python-policyd-spf and whitelisting

2023-10-13 Thread Alex via Postfix-users
Hi,

I'm using python-policyd-spf with postfix as a check_policy_service and
having some trouble with domains very broadly being whitelisted. My policy
is to reject on mailfrom fail. However, we have a few domains that need to
be whitelisted, like mycuservices.com, because they are sending from an IP
not in their SPF record.

Oct 10 07:55:17 mail01 policyd-spf[590801]: 550 5.7.23 Message rejected due
to: SPF fail - not authorized. Please see
http://www.openspf.net/Why?s=mfrom;id=depositretu...@mycuservices.com;ip=74.203.184.40;r=


However, whitelisting it also brings in all of the servers listed in their
SPF record, including microsoft/outlook.

I realize it's probably okay to whitelist microsoft/outlook anyway, but I'm
unsure of the impact this has on spamassassin and its ability to use the
SPF rules.

Here are the postfix logs for outlook.com, despite only mycuservices.com
being in the whitelist.
Oct 13 09:05:40 mail01 policyd-spf[2127431]: prepend X-Comment: SPF skipped
for whitelisted relay domain - client-ip=12.20.249.10;
helo=zixgateway01.midatlanticcorporate.org;
envelope-from=payme...@mycuservices.com; receiver=

Header data from an email:
>From depositretu...@mycuservices.com  Tue Oct 10 07:55:25 2023
Return-Path: 
X-Comment: SPF skipped for whitelisted relay domain -
client-ip=12.20.249.10; helo=zixgateway01.midatlanticcorporate.org;
envelope-from=payme...@mycuservices.com; receiver=

This is a header from a completely unrelated email, showing outlook.com and
consequently this other random domain being whitelisted:
X-Comment: SPF skipped for whitelisted relay domain -
client-ip=40.107.237.65; helo=nam12-bn8-obe.outbound.protection.outlook.com;
envelope-from=carl_willi...@nzinganet.net; receiver=

Any ideas on how to handle this would be greatly appreciated.
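An added example, not part of the thread. python-policyd-spf's Domain_Whitelist setting skips SPF for any client that would pass the named domain's SPF check, include: chains and all, which is why an include of Microsoft's SPF in mycuservices.com's record makes unrelated outlook.com traffic log "SPF skipped". The script below expands a domain's SPF record so the full set of exempted networks is visible before a domain is whitelisted; if only a handful of rogue gateway addresses need exempting, the IP-based Whitelist setting is the narrower tool. DNS access is confined to spf_txt (dig), so the expander can be run with canned records; everything else is plain shell.

```sh
#!/bin/sh
# Added example (not from the thread): expand a domain's SPF record to see
# which networks a python-policyd-spf Domain_Whitelist entry would exempt.
set -f                     # records are split on whitespace; never glob "?all"

# DNS access lives here only, so the expander can run offline with canned
# records. Prints the domain's v=spf1 TXT record or fails.
spf_txt() {
    dig +short TXT "$1" | tr -d '"' | grep '^v=spf1'
}

# spf_networks DOMAIN: print every ip4:/ip6: network the record authorizes,
# following include: and redirect=. Mechanisms that need further DNS
# (a, mx, ptr, exists) are printed as "needs-dns <domain> <term>". The
# RFC 7208 limit of 10 DNS-querying terms is enforced; on overrun the
# function prints "lookup-limit-exceeded" and returns 1.
spf_networks() {
    spf_lookups=0
    spf_expand "$1"
}

# Recursive worker; "local" is not POSIX but dash, bash and busybox have it.
# v=spf1, the "all" mechanism and negated (-, ~, ?) terms grant nothing.
spf_expand() {
    local domain rec term
    domain=$1
    rec=$(spf_txt "$domain") || { echo "no-spf $domain"; return 0; }
    for term in $rec; do
        case $term in
            ip4:*|ip6:*|+ip4:*|+ip6:*) echo "${term#+}" ;;
            include:*|+include:*|redirect=*)
                spf_lookups=$((spf_lookups + 1))
                if [ "$spf_lookups" -gt 10 ]; then
                    echo "lookup-limit-exceeded at $domain"
                    return 1
                fi
                spf_expand "${term#*[:=]}" || return 1 ;;
            a|+a|a:*|mx|+mx|mx:*|ptr|ptr:*|exists:*)
                spf_lookups=$((spf_lookups + 1))
                echo "needs-dns $domain $term" ;;
        esac
    done
    return 0
}

case ${1-} in
    expand) spf_networks "$2" ;;
esac
```

Run as `sh spf-expand.sh expand mycuservices.com` (hypothetical file name). Any network printed for a domain other than the one you typed is what Domain_Whitelist silently adds.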


[pfx] Re: tls and cert problem for submission

2023-10-05 Thread Alex via Postfix-users
Hi,

> I think I'm having a problem with my certificate for submission not
> > being configured properly. I'm trying to install roundcube but having
> > a problem with properly configuring the cert for submission, but when
> > using openssl to check, it reports a cert problem. This is a cert from
> > Digicert.
>
> Which, you've decided to obfuscate, for little gain. :-( Certificates
> are *public* data, anyone connecting to your server gets a copy as part
> of the TLS handshake...
>

It's more a matter of being a little embarrassed that I couldn't figure it
out on my own.

Especially when, after putting this all together, I realized my mistake
shortly thereafter.

> I'm also using tls_server_sni_maps to support multiple domains.
>
> That's perhaps more advanced than you need.  Do you really need multiple
> MX hostnames for your various domains.  A common MX hostname is MUCH
> easier to manage, and does not then require SNI.
>

The problem is that I'm forced to use the mail.example.com cert and some
users would be confused seeing Example, Inc. in the cert when it is not
that company providing those services.

Thank you so much for your help.
Alex


[pfx] tls and cert problem for submission

2023-10-05 Thread Alex via Postfix-users
Hi,

I think I'm having a problem with my certificate for submission not being
configured properly. I'm trying to install roundcube but having a problem
with properly configuring the cert for submission, but when using openssl
to check, it reports a cert problem. This is a cert from Digicert.

openssl s_client -starttls smtp -connect mail.example.com:587
CONNECTED(0003)
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN =
mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN =
mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN =
mail.example.com
verify return:1

Certificate chain
 0 s:C = US, ST = Arizona, L = Example, O = Example Inc, CN =
mail.example.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 14 00:00:00 2023 GMT; NotAfter: Jan 31 23:59:59 2024 GMT
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

Regular email client users have no problem, but it still looks like
something is missing.

When going through the roundcube config process, it fails to connect for
what also looks like a cert problem. This is from "smtpd -v" output:

Oct  5 15:49:21 cipher postfix/submission/smtpd[1509791]: TLS SNI
cipher.example.com from cipher.example.com[209.216.111.60] not matched,
using default chain
Oct  5 16:04:56 cipher postfix/submission/smtpd[1524779]: SSL_accept error
from cipher.example.com[209.216.111.60]: -1
Oct  5 16:04:56 cipher postfix/submission/smtpd[1524779]: warning: TLS
library problem: error:0A000418:SSL routines::tlsv1 alert unknown
ca:ssl/record/rec_layer_s3.c:1586:SSL alert number 48:

I'm also using tls_server_sni_maps to support multiple domains. I've also
tried concatenating the digicert crt file and the DigiCertCA.crt to create
the mail.example.com-2023.crt chain file below.

$ postconf -n |grep tls
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_chain_files =
/var/www/mail.example.com-443/ssl/mail.example.com-2023.key,
/var/www/mail.example.com-443/ssl/mail.example.com-2023.crt
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

/etc/postfix/vmail_ssl.map:
clients.example1.com /etc/letsencrypt/privkey.pem
/etc/letsencrypt/fullchain.cer
mail.example.com
 /var/www/mail.example.com-443/ssl/mail.example.com-2023.key
/var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

$ ls -l *vmail*
-rw-r--r-- 1 root root   468 May 14 10:53 vmail_ssl.map
-rw-r--r-- 1 root root 36864 Aug  7 06:18 vmail_ssl.map.db

$ postconf -fM
...
submission inet  n   -   n   -   -   smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o receive_override_options=$submission_overrides
-o smtp_tls_mandatory_protocols=TLSv1
-o syslog_name=postfix/submission

I've also tried using "localhost" and "mail.example.com" and the actual
hostname in the roundcube config:
$config['smtp_host'] = 'tls://cipher.example.com:587';

Thank you so much for any ideas.
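An added check, not part of the thread. The submission entry above carries "-o smtp_tls_mandatory_protocols=TLSv1": smtp_* parameters configure the Postfix SMTP client, so an smtpd service never reads that override and it is dead configuration (it would have been a protocol downgrade had a client service picked it up). The filter below reads master.cf text or `postconf -M` output and flags every -o override whose parameter prefix belongs to a different daemon than the service runs; it assumes nothing beyond the standard postconf tool.

```sh
#!/bin/sh
# Added example (not from the thread): flag master.cf "-o" overrides whose
# parameter belongs to a different daemon than the service runs (smtp_*
# on an smtpd service, smtpd_* on an smtp or lmtp service).

# Read master.cf or `postconf -M` output on stdin. Continuation lines are
# folded into the service record; column 8 of a service line is the command.
misplaced_overrides() {
    awk '
        function check(    n, i, parts, opt) {
            if (rec == "") return
            n = split(rec, parts, "[ \t]+-o[ \t]+")
            for (i = 2; i <= n; i++) {
                opt = parts[i]
                sub(/[ \t].*/, "", opt)                  # keep "name=value"
                sub(/=.*/, "", opt)                      # keep "name"
                if (cmd == "smtpd" && opt ~ /^(smtp|lmtp)_/)
                    print name "/" type ": " opt " is a client parameter; " cmd " ignores it"
                else if ((cmd == "smtp" || cmd == "lmtp") && opt ~ /^smtpd_/)
                    print name "/" type ": " opt " is a server parameter; " cmd " ignores it"
            }
            rec = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ { check(); name = $1; type = $2; cmd = $8; rec = $0; next }
                  { rec = rec " " $0 }
        END       { check() }
    '
}

case ${1-} in
    audit) shift
           for d in "$@"; do
               postconf -c "$d" -M | misplaced_overrides | sed "s|^|$d: |"
           done ;;
esac
```

Run as `sh audit-overrides.sh audit /etc/postfix /etc/postfix-out` (hypothetical file name). Overrides whose value is itself a parameter, such as receive_override_options=$submission_overrides, are still matched by name; only the prefix is checked.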


[pfx] error:0A0000C1:SSL routines::no shared cipher:ssl/statem/statem_srvr.c:2220:

2023-09-11 Thread Alex via Postfix-users
Hi,
I have a postfix-3.7.4 server with openssl-3.0.9 on fedora38 and receiving
the following errors in my logs:

Sep 11 14:19:51 cipher postfix/smtps/smtpd[3992923]: warning: TLS library
problem: error:0A0000C1:SSL routines::no shared
cipher:ssl/statem/statem_srvr.c:2220:

What kind of clients is this impacting?

I found this post that says I can add ECDHE-RSA-AES256-SHA384 to the cipher
list to fix this.
https://encryp.ch/blog/amazon-ses-encryption-misconfiguration/

# postconf -n|grep -E 'cipher|protocol'
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
tls_preempt_cipherlist = yes


[pfx] Rate limiting gmail

2023-08-22 Thread Alex via Postfix-users
Hi,
I'm hoping I could ask what is probably an FAQ but I haven't seen anything
on it recently. I've already implemented some type of rate limiting for
delivering to gmail, but it's apparently not working satisfactorily for
them. Notice it's already going through my throttled transport.

This mail server unfortunately has quite a few users who use ~/.forward to
forward mail through to their personal gmail account from their corporate
account.

Aug 22 15:33:08 cipher postfix-gmail/smtp[2551987]: 5EF9820E0E1E8: host
gmail-smtp-in.l.google.com[64.233.176.27] said: 421-4.7.28 [209.216.111.60
 15] Our system has detected an unusual rate of 421-4.7.28 unsolicited
mail originating from your IP address. To protect our 421-4.7.28 users from
spam, mail sent from your IP address has been temporarily 421-4.7.28 rate
limited. Please visit 421-4.7.28
https://support.google.com/mail/?p=UnsolicitedRateLimitError to 421 4.7.28
review our Bulk Email Senders Guidelines. 185-

transport_maps = regexp:/etc/postfix/transport_limit,
regexp:/etc/postfix/transport_gmail,
regexp:/etc/postfix/transport_yahoo,
regexp:/etc/postfix/transport_microsoft,
regexp:/etc/postfix/transport_fast

gmail_initial_destination_concurrency = 1
gmail_destination_concurrency_limit = 4
gmail_destination_recipient_limit = 15
gmail_connect_timeout=3s
gmail_connection_cache_on_demand=no

/etc/postfix/transport_gmail:
/googlemail.com$/   gmail:
/gmail.com$/        gmail:
/google.com$/   gmail:

/etc/postfix/master.cf:
gmail  unix - - n - - smtp
-o syslog_name=postfix-gmail
-o smtp_connect_timeout=$gmail_connect_timeout
-o smtp_connection_cache_on_demand=$gmail_connection_cache_on_demand

Any ideas for further tweaking? I'd imagine this is primarily for bulk
email (as the message says), so perhaps I need a separate transport
specifically for bulk email?
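An added configuration example, not from the thread. The gmail transport above limits concurrency and recipients per message, but nothing in it limits the rate: with gmail_destination_concurrency_limit = 4, Postfix still keeps up to four sessions open to each destination and delivers as fast as Google accepts. The Postfix knob for an explicit pace is the per-transport destination rate delay (postconf(5): transport_destination_rate_delay overrides default_destination_rate_delay), which inserts a delay between any two deliveries to the same destination over that transport; postconf(5) also advises raising the failed-cohort limit when a rate delay is set, so one connection error does not defer all mail for the destination. The values are illustrative, not Google's published limits.

```text
# /etc/postfix/main.cf, added to the existing gmail transport settings
# (values are starting points to tune, not Google's published limits)
gmail_destination_rate_delay = 1s
gmail_destination_concurrency_failed_cohort_limit = 10

# The delay is counted per destination, i.e. per next-hop. With a bare
# "gmail:" transport entry the next-hop is the recipient domain, so
# gmail.com, googlemail.com and google.com are each paced separately.
```

Reload after changing these; postconf(5) notes the delay timer state does not survive a reload, so the pace restarts from zero rather than carrying over.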


[pfx] Re: Troubleshooting mail loop issue

2023-08-15 Thread Alex via Postfix-users
Hi,

On Tue, Aug 15, 2023 at 8:49 AM Bill Cole via Postfix-users <
postfix-users@postfix.org> wrote:

> On 2023-08-14 at 17:23:34 UTC-0400 (Mon, 14 Aug 2023 17:23:34 -0400)
> Alex via Postfix-users 
> is rumored to have said:
>
> > Hi,
> > I have what appears to be a complicated mail loop problem that I can't
> > figure out. I suspect that their receiving system (M365) is somehow
> > reinjecting the message back to our mail server after it's been
> > successfully delivered to them.
>
> For loose values of "success"...
>
>
> > We are acting as MX for two small companies, and occasionally, when
> > companyA emails companyB, it is first received by raven.example.com,
> > 209.216.111.115,
> > which is the MX we have created for them, processed by amavisd, then
> > routed
> > to the destination through our postfix-out instance
> > xavier.example.com,
> > 209.216.111.114. The companyB server accepts the message, but then
> > somehow
> > companyA appears to connect to our server again and send the same
> > message
> > again.
>
> Yes, it is a loop. The loop occurs inside MS365. Apparently Microsoft
> does not understand how to get mail from CompanyA to CompanyB
> internally, so they follow the DNS.
>

but it should then send it to another tenant, correct?

The sending M365 server ultimately gets a "too many hops" error, reportedly
by our xavier server, but we don't always have a record of that.


Diagnostic information for administrators:
Generating server: PH0PR02MB7736.namprd02.prod.outlook.com

r...@companyb.com
xavier.example.com
Remote server returned '554 5.4.0 Error: too many hops'

Here's one reported today:

Aug 15 12:32:15 xavier postfix-out/smtp[223443]: 549A0305F4A07:
to=,
relay=companyB-com.mail.protection.outlook.com[52.101.40.2]:25,
delay=2.1, delays=0.01/0/0.45/1.7, dsn=2.6.0, status=sent (250 2.6.0 <
mw4pr02mb74739e55fd642380cc07b22ec2...@mw4pr02mb7473.namprd02.prod.outlook.com>
[InternalId=154820686141293, Hostname=
CH2PR02MB6806.namprd02.prod.outlook.com] 189859 bytes in 0.317, 583.850
KB/sec Queued mail for delivery)

I can trace the queue ID here back to find the other four successful
deliveries of this same message, as well as find it in my always_bcc user
mbox.

Thanks,
Alex


[pfx] Re: Troubleshooting mail loop issue

2023-08-15 Thread Alex via Postfix-users
Hi,

On Tue, Aug 15, 2023 at 11:53 AM Paul Enlund via Postfix-users <
postfix-users@postfix.org> wrote:

> Hi
>
> One thing to check is that your MX server allowed recipients is in sync
> with M365 allowed recipients.
>
Can you explain more of what you mean here? In this case, the recipient
does exist. I don't believe it's ever happened with a non-existent
recipient.

We aren't pulling the list of valid recipients, but instead just letting
their system send us the reject for non-existent recipients.

Thanks,
Alex






> Regards Paul
> On 14/08/2023 22:23, Alex via Postfix-users wrote:
>
> Hi,
> I have what appears to be a complicated mail loop problem that I can't
> figure out. I suspect that their receiving system (M365) is somehow
> reinjecting the message back to our mail server after it's been
> successfully delivered to them.
>
> We are acting as MX for two small companies, and occasionally, when
> companyA emails companyB, it is first received by raven.example.com, 
> 209.216.111.115,
> which is the MX we have created for them, processed by amavisd, then routed
> to the destination through our postfix-out instance xavier.example.com,
> 209.216.111.114. The companyB server accepts the message, but then somehow
> companyA appears to connect to our server again and send the same message
> again.
>
> It's very difficult to trace what's happening, so I hoped someone could
> help. I think the sending server is somehow reconnecting to our server and
> resending the same message, but it eventually dies with the sending server
> saying "Error: too many hops". Our server never sees that message. They
> have forwarded the bounce to me and I've pasted it here:
> https://pastebin.com/ChcnDwjK
>
> It appears like it delivers five different copies, but each version has
> all the received headers of the previous version.
>
> I'm sorry if this is confusing. I've spent probably six hours or more
> reading through this one email trying to trace the problem and correlate it
> with the postfix/amavis logs. I believe it's only happened a few times - I
> don't quite understand all the circumstances under which it happens. We
> also don't always see the reject/too many hops message. Here is a recent
> one:
>
> Aug  4 09:01:13 xavier postfix-115/smtp[125455]: 88D5F246: to=
>  ,
> relay=127.0.0.1[127.0.0.1]:11024, delay=0.67, delays=0.21/0/0/0.45,
> dsn=5.4.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.4.0
> id=136757-17 - Rejected by next-hop MTA on relaying, from
> MTA(smtp:[127.0.0.1]:11025): 554 5.4.0 Error: too many hops (in reply to
> end of DATA command))
>
> Any ideas for either what's going on with this email or what I can do to
> troubleshoot this further would really be appreciated.
>
> Thanks,
> Alex
>
>
>
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Troubleshooting mail loop issue

2023-08-15 Thread Alex via Postfix-users
Hi,

On Tue, Aug 15, 2023 at 11:02 AM Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> Your loop, based on Received: headers, newer at the top, older at
> the bottom:
>
> Received: from xavier.example.com (209.216.111.114) by
> CO1PEPF44F7.mail.protection.outlook.com (10.167.241.197) with
> Microsoft S
> Received: from localhost by xavier.example.com (Postfix) with ESMTP id
> 30B17305F4A07;Fri, 11 Aug 2023 11:57:49 -0400 (EDT)
> Received: from xavier.example.com ([209.216.111.115]) by localhost
> (amavis, port 11024) with ESMTP id HL0GE5Q4v_xp; Fri, 11 Aug 2023
> Received: from NAM11-BN8-obe.outbound.protection.outlook.com (using
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> Received: from CY5PR04CA0018.namprd04.prod.outlook.com by
> SA1PR02MB9916.namprd02.prod.outlook.com (2603:10b6:
> Received: from CY4PEPFEE3E.namprd03.prod.outlook.com by
> CY5PR04CA0018.outlook.office365.com (2603:10
> Received: from xavier.example.com (209.216.111.114) by
> CY4PEPFEE3E.mail.protection.outlook.com (10.167.242.18) with
> Microsoft SM
>
> In summary:
>
> 1 xavier.example.com ([209.216.111.114]) sends a message to Microsoft
>
> 2 After some internal hops, Microsoft sends the message to the
> inbound MX xavier.example.com (209.216.111.115) for company A, B,
> which filters it with amavis.
>
> 3 GOTO 1.
>
> Which step is in error?
>

We are relay for both companyA and companyB. Both are also on M365, so mail
originates from M365 at companyA, goes through our xavier, then out to M365
at companyB.

I also see five relay=companyB entries in the logs, but companyB doesn't
report ever receiving five copies.

Thanks so much,
Alex
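An added example, not part of the thread: a small Python script that does mechanically what Wietse did by hand above, reading a message's Received: headers oldest-first and reporting the first (from, by) relay pair that recurs. The sample chain is constructed from the hostnames quoted in this thread; the queue ids and the number of round trips are made up for illustration. Postfix's default hopcount_limit of 50 is the ceiling behind the "too many hops" reject. Run it with a saved message (the forwarded bounce, say) as its argument to analyse the real headers.

```python
"""Trace a mail loop from Received: headers (added example, not from the thread).

SAMPLE_RECEIVED is constructed from the hostnames quoted above; queue ids and
the number of round trips are made up for illustration.
"""
import re
import sys
from collections import Counter
from email import message_from_binary_file

# Postfix default hopcount_limit: one more Received: line than this and the
# receiving smtpd answers "554 5.4.0 Error: too many hops".
HOPCOUNT_LIMIT = 50

# Newest hop first, the order headers appear in a message.
SAMPLE_RECEIVED = [
    "from xavier.example.com (209.216.111.114) by CO1PEPF44F7.mail.protection.outlook.com (10.167.241.197) with Microsoft SMTP Server",
    "from localhost by xavier.example.com (Postfix) with ESMTP id 7G8H9I000001",
    "from xavier.example.com ([209.216.111.115]) by localhost (amavis, port 11024) with ESMTP id Qz9XwL2vAbCd",
    "from NAM11-BN8-obe.outbound.protection.outlook.com by xavier.example.com (Postfix) with ESMTPS id 4D5E6F000002",
    "from CY5PR04CA0018.namprd04.prod.outlook.com by SA1PR02MB9916.namprd02.prod.outlook.com with Microsoft SMTP Server",
    "from CY4PEPFEE3E.namprd03.prod.outlook.com by CY5PR04CA0018.outlook.office365.com with Microsoft SMTP Server",
    "from xavier.example.com (209.216.111.114) by CY4PEPFEE3E.mail.protection.outlook.com (10.167.242.18) with Microsoft SMTP Server",
    "from localhost by xavier.example.com (Postfix) with ESMTP id 30B17305F4A07",
    "from xavier.example.com ([209.216.111.115]) by localhost (amavis, port 11024) with ESMTP id HL0GE5Q4v_xp",
    "from NAM11-BN8-obe.outbound.protection.outlook.com by xavier.example.com (Postfix) with ESMTPS id 1A2B3C000003",
]

_FROM = re.compile(r"\bfrom\s+([^\s(\[;]+)", re.IGNORECASE)
_BY = re.compile(r"\bby\s+([^\s(\[;]+)", re.IGNORECASE)


def parse_hop(received):
    """Return (from_host, by_host) in lower case; None for a missing part."""
    m_from = _FROM.search(received)
    m_by = _BY.search(received)
    return (m_from.group(1).lower() if m_from else None,
            m_by.group(1).lower() if m_by else None)


def trace_loop(received_headers, hopcount_limit=HOPCOUNT_LIMIT):
    """Walk hops oldest-first and report the first relay pair that recurs.

    An after-queue filter legitimately produces the same "by" host twice per
    pass (smtpd receipt, then re-injection after amavis), so a host seen
    twice proves nothing. A repeated ordered (from, by) pair does: the
    message re-entered the same path from the same direction.
    """
    hops = [parse_hop(h) for h in reversed(received_headers)]
    counts = Counter(hops)
    entry, period = None, None
    for i, hop in enumerate(hops):
        if counts[hop] > 1:          # first occurrence of the earliest recurring hop
            entry = hop
            period = hops.index(hop, i + 1) - i
            break
    return {
        "hops": len(hops),
        "repeated_hops": [hop for hop, n in counts.items() if n > 1],
        "loop_entry": entry,          # (from, by) where the loop closes
        "loop_period": period,        # Received: lines added per round trip
        "hops_left_before_reject": max(hopcount_limit - len(hops), 0),
    }


def report(received_headers):
    """Human-readable summary of trace_loop()."""
    r = trace_loop(received_headers)
    lines = ["%d hops, %d left before hopcount_limit=%d"
             % (r["hops"], r["hops_left_before_reject"], HOPCOUNT_LIMIT)]
    if r["loop_entry"] is None:
        lines.append("no recurring relay pair: not a loop")
    else:
        lines.append("loop closes at: from %s by %s, every %d hops"
                     % (r["loop_entry"][0], r["loop_entry"][1], r["loop_period"]))
        for frm, by in r["repeated_hops"]:
            lines.append("  repeated: from %s by %s" % (frm, by))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:            # a saved message, e.g. the forwarded bounce
        with open(sys.argv[1], "rb") as fh:
            headers = message_from_binary_file(fh).get_all("Received") or []
    else:
        headers = SAMPLE_RECEIVED
    print(report(headers))
```

On the sample chain this reports the loop closing at "from NAM11-BN8-obe.outbound.protection.outlook.com by xavier.example.com" every six hops, which is Wietse's step 2 (Microsoft handing the message back to the inbound MX) expressed as data. The script keys on the ordered pair rather than on hosts precisely because the amavis pass makes xavier.example.com appear twice in every legitimate transit.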


[pfx] Troubleshooting mail loop issue

2023-08-14 Thread Alex via Postfix-users
Hi,
I have what appears to be a complicated mail loop problem that I can't
figure out. I suspect that their receiving system (M365) is somehow
reinjecting the message back to our mail server after it's been
successfully delivered to them.

We are acting as MX for two small companies, and occasionally, when
companyA emails companyB, it is first received by raven.example.com, 209.216.111.115,
which is the MX we have created for them, processed by amavisd, then routed
to the destination through our postfix-out instance xavier.example.com,
209.216.111.114. The companyB server accepts the message, but then somehow
companyA appears to connect to our server again and send the same message
again.

It's very difficult to trace what's happening, so I hoped someone could
help. I think the sending server is somehow reconnecting to our server and
resending the same message, but it eventually dies with the sending server
saying "Error: too many hops". Our server never sees that message. They
have forwarded the bounce to me and I've pasted it here:
https://pastebin.com/ChcnDwjK

It appears like it delivers five different copies, but each version has all
the received headers of the previous version.

I'm sorry if this is confusing. I've spent probably six hours or more
reading through this one email trying to trace the problem and correlate it
with the postfix/amavis logs. I believe it's only happened a few times - I
don't quite understand all the circumstances under which it happens. We
also don't always see the reject/too many hops message. Here is a recent
one:

Aug  4 09:01:13 xavier postfix-115/smtp[125455]: 88D5F246:
to=, relay=127.0.0.1[127.0.0.1]:11024, delay=0.67,
delays=0.21/0/0/0.45, dsn=5.4.0, status=bounced (host 127.0.0.1[127.0.0.1]
said: 554 5.4.0 id=136757-17 - Rejected by next-hop MTA on relaying, from
MTA(smtp:[127.0.0.1]:11025): 554 5.4.0 Error: too many hops (in reply to
end of DATA command))

Any ideas for either what's going on with this email or what I can do to
troubleshoot this further would really be appreciated.

Thanks,
Alex


[pfx] Re: bounce management

2023-08-07 Thread Alex via Postfix-users
Hi,


> > We're only doing basic spam protection for them,
>
> What is the nature of the "basic spam protection"?  Can it be done
> pre-queue?
>

Yes, most likely, I would think. It's a basic spamassassin setup with a few
rules looking for specific patterns, as well as some RBL network checks.

> The only plausible solution on your end is to not queue mail for this
> domain, but rather proxy it through to the destination, with the
> response to "." coming from the final downstream systems.  This may be
> possible with:
>
> http://www.postfix.org/postconf.5.html#smtpd_proxy_filter
>
> provided you can dedicate an IP address (port 25 smtpd(8) instance) for
> this destination.


So I would do this in place of the transport filter I currently have in
place?

example.com    smtp:mx1.hc4719.iphmx.com

Thanks,
Alex
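Viktor's suggestion written out, as an added and constructed example rather than anything from the thread: a second smtpd bound to a dedicated address that proxies every session straight through to the Ironport, so its verdict at end-of-DATA reaches the remote client instead of turning into a bounce from our queue. The address 203.0.113.10 is a placeholder for the dedicated IP that would become the MX for example1.com; the Ironport hostname is the one from Alex's transport entry above.

```text
# master.cf of the instance that owns the dedicated address (constructed
# example). This smtpd is the MX for example1.com only. Every session it
# accepts is relayed to the Ironport *before* our queue sees the message,
# so the Ironport's reply to the end-of-DATA "." is what the remote client
# gets: a "550 #5.7.1 ... rejected" is now the sender's problem, and
# nothing sits in our deferred queue.
203.0.113.10:smtp inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix-proxy
    -o smtpd_proxy_filter=mx1.hc4719.iphmx.com:25
    -o smtpd_proxy_timeout=300s
    -o smtpd_proxy_options=speed_adjust
    -o smtpd_client_connection_count_limit=10
    -o relay_domains=example1.com
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
```

Two caveats before doing this across the Internet. The leg from smtpd to the proxy is plain SMTP, so the hop to the Ironport loses the opportunistic TLS the normal smtp(8) client would negotiate. And because the Ironport does not announce XFORWARD, it still sees our address as the connecting client, so its reputation and policy decisions continue to be made about us, not about the original sender. Any spam checks we want to keep for this domain (the SpamAssassin rules and RBL lookups mentioned above) must be done pre-queue too, for example as smtpd restrictions on this listener, since the after-queue amavis path no longer sees this mail.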


[pfx] bounce management

2023-08-07 Thread Alex via Postfix-users
Hi,
I have a postfix-3.7.3 system on fedora37 and we're routing mail for a
business using an Ironport device at their border. Instead of accepting all
messages from us as their MX, there are some messages that it has
determined are spam or otherwise undeliverable, which are resulting in them
bouncing them back to us, where our system is then queuing them. These
messages are undeliverable (this one was from mail.sqribblepro.shop), so it
just sits in our queue, continually trying to be delivered unsuccessfully
until we either remove it or it expires.

Aug  5 11:03:14 xavier postfix-out/smtp[224468]: 59291305F59C3:
to=<nca...@example1.com>, relay=mx1.hc4719.iphmx.com[207.54.11.59]:25,
delay=0.98, delays=0/0/0.8/0.18, dsn=5.0.0, status=bounced (host
mx1.hc4719.iphmx.com[207.54.11.59] said: 550 #5.7.1 Your access to submit
messages to this e-mail system has been rejected. (in reply to DATA
command))
Aug  5 11:03:14 xavier postfix-out/cleanup[225801]: 55453305F59C9:
message-id=<20230804150314.55453305f5...@xavier.example.com>
Aug  5 11:03:14 xavier postfix-out/bounce[224445]: 59291305F59C3: sender
non-delivery notification: 55453305F59C9
Aug  5 11:03:14 xavier postfix-out/qmgr[193207]: 55453305F59C9: from=<>,
size=12276, nrcpt=1 (queue active)
Aug  5 11:03:14 xavier postfix-out/qmgr[193207]: 59291305F59C3: removed

We're only doing basic spam protection for them, and while this mail server
may be on a blocklist now, it wasn't then. It's also not always spam that
they reject, but otherwise legitimate messages that are blocked by policy.
I also realize having them adjust their policy is probably the best
solution, but that's not possible right now. How can I either immediately
drop these messages or simply not allow them to refuse these messages?

Thanks,
Alex


[pfx] Re: content filter sends mail twice

2023-05-23 Thread Alex via Postfix-users
Hi,

On Mon, May 22, 2023 at 9:47 PM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Mon, May 22, 2023 at 06:06:00PM -0400, Alex wrote:
>
> > Yes, I wasn't aware that's how it worked. I've now explicitly defined the
> > bcc-user to use the same transport, but the problem is that there is one
> > bcc-user but multiple transports, each with their own policy.
>
> This is where recipient_bcc_maps comes into play, you can have a bcc
> recipient per domain or per-user (the latter preserves the message
> envelope as part of the BCC side-channel).
>
> Or (in a multi-instance configuration), you can add Bcc recipients
> in a per-domain output (back-end) instance.
>

recipient_bcc_maps worked beautifully, thanks.

Thanks so much for so selflessly helping the community.


[pfx] Re: content filter sends mail twice

2023-05-22 Thread Alex via Postfix-users
Hi,

>
> The BCC recipient is processed in much the same way as any other message
> recipient.  The only special handling that comes to mind is DSN, where
> this recipient is treated as if NOTIFY=NEVER were specified.
>
> > local_transport = error:5.1.1 Mailbox unavailable
> > default_transport = smtp:[127.0.0.1]:10024
> > relay_transport = $default_transport
> > virtual_transport = $default_transport
> > transport_maps = ${indexed}transport
>
> Perhaps the BCC recipient (domain) did not match any transport
> table keys, but the real recipient did?
>

Yes, I wasn't aware that's how it worked. I've now explicitly defined the
bcc-user to use the same transport, but the problem is that there is one
bcc-user but multiple transports, each with their own policy.

>
> > /etc/postfix-120/transport
> > domain1.com    alex:[127.0.0.1]:10029
>
> What is the domain part of the always BCC address.
>

It's the same as the hostname, while domain1.com (and domain2, domain3,
etc) each use their own transport. Associating bcc-user with the policy
that corresponds with domain would help me to better understand how the
policy is being applied to users and be able to view header details as if
they were to the actual user. Hopefully that makes sense. Email to one
domain may be blocked with a given policy, while email to another domain
may not, so it would be good to have the same policy applied to the always
BCC user as every other user using that transport.

Thanks,
Alex



[pfx] Re: per-domain header/body checks?

2023-05-21 Thread Alex via Postfix-users
Hi,


> According to the subject, you appear to be looking for per-domain
> header/body check. That is not the right tool, and I would not
> spend my cycles on a design for that.
>
> Instead I recommend filters between a front and back-end instance,
> using transport_maps to select a filter depending on the domain.
> I recall that you are familiar with Amavis as a content filter.
> That would be a better tool for the job. Each domain can then have
> its own Amavis config that receives mail on its own port.
>

I am coming to the same realization. Thank you so much.


[pfx] Re: per-domain header/body checks?

2023-05-21 Thread Alex via Postfix-users
Hi,

> > > > internet -> front-end Postfix instance -> filter -> back-end
> > > Postfix
> > > > > instance
> > > > >
> > > > > The front-end Postfix instance uses transport_maps to select a
> suitable
> > > > > filter.
> > > > >
> > > > > example.com: smtp:
> > > > > example.org: smtp:
> > > > >
> > > > > Each filter then delivers to the back-end Postfix.
> > > >
> > > > This implies one IP per domain as well, correct?
> > >
> > > No. One front-end instance can receive mail for N domains, and they
> > > can share (MX) IP addresses.
> > >
> > > You can have multiple front ends, again that is not required for
> > > per-domain filters to work.
> >
> > I'm starting to understand and really appreciate your help. Can I ask you
> > to provide me with an example of what you mean? Are you referring to
> what's
>
> That is shown above, expressed in terms of transport maps and
> customized content filters in-between general-purpose Postfix
> instances.
>
> header/body checks don't generalize beyond narrow use cases.
>

I'm trying really hard, but I just don't understand what you mean. I set up
multi-instance with Viktor's help some time ago, where each instance
essentially processes mail for a somewhat related group of domains. Adding
transport maps to the front-end instance would be different than what I
remember doing with Viktor.

I don't have any content filters set up in the front-end postfix. How do I
connect the front-end postfix with the filters?

I think this is something I can implement, but I need more of a description
of how it should work, please.


[pfx] Re: per-domain header/body checks?

2023-05-21 Thread Alex via Postfix-users
Hi,

On Sun, May 21, 2023 at 4:41 PM Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> Alex via Postfix-users:
> > > > I'd say, start with one instance per domain. The 'cost' of doing so
> > > > is really small.
> > >
> > > Once you run out of IP addresses, you will need policy selection
> > > based on the recipient domain. For example:
> > >
> > > internet -> front-end Postfix instance -> filter -> back-end
> Postfix
> > > instance
> > >
> > > The front-end Postfix instance uses transport_maps to select a suitable
> > > filter.
> > >
> > > example.com: smtp:
> > > example.org: smtp:
> > >
> > > Each filter then delivers to the back-end Postfix.
> > >
> >
> > This implies one IP per domain as well, correct?
>
> No. One front-end instance can receive mail for N domains, and they
> can share (MX) IP addresses.
>
> You can have multiple front ends, again that is not required for
> per-domain filters to work.
>

I'm starting to understand and really appreciate your help. Can I ask you
to provide me with an example of what you mean? Are you referring to what's
outlined in FILTER_README as an after-queue filter?

How would I reference my header_checks.pcre from within the shell script
filter?

example.com: smtp:/usr/bin/filter-example.com.sh

I would then need to send the email to the port where amavisd is listening
to process mail for that specific domain, correct? amavisd would then send
the email to the back-end postfix to be delivered.


[pfx] Re: per-domain header/body checks?

2023-05-21 Thread Alex via Postfix-users
Hi,

On Sun, May 21, 2023 at 12:39 PM Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> Wietse Venema via Postfix-users:
> > Alex via Postfix-users:
> > > Hi,
> > > I'm using multi-instance postfix-3.7.2 on fedora37 and would like to be
> > > able to control which header and body checks apply to which domain in a
> > > specific instance. I'm looking for advice on the best way to do this.
> > >
> > > I have about ten domains right now, and would probably need a number of
> > > policies that control filtering for these domains. I was thinking I
> could
> > > create a new instance for each domain, but I only have a limited
> number of
> > > IP addresses. Is it possible to do this using content filters with a
> > > multi-instance postfix configuration? Do you have any examples of how
> this
> > > might work?
> > >
> > > I also recall reading about using a milter for this, but would that
> require
> > > me to develop my own application for this? Or is there one already
> created
> > > and supported that might help here?
> > >
> > > I've used if/endif conditionals in check_recipient_access in the past,
> but
> > > this doesn't work for header/body checks?
> > >
> > > I'm not sure where to start, so I'm also not sure what other config
> details
> > > I should provide to help make this determination.
> >
> > I'd say, start with one instance per domain. The 'cost' of doing so
> > is really small.
>
> Once you run out of IP addresses, you will need policy selection
> based on the recipient domain. For example:
>
> internet -> front-end Postfix instance -> filter -> back-end Postfix
> instance
>
> The front-end Postfix instance uses transport_maps to select a suitable
> filter.
>
> example.com: smtp:
> example.org: smtp:
>
> Each filter then delivers to the back-end Postfix.
>

This implies one IP per domain as well, correct? Which then also means one
MX for each domain, plus a backup.

This is my current postmulti setup for this server:

$ postmulti -l
-   -   y /etc/postfix
postfix-out mta y /etc/postfix-out
postfix-120 mta y /etc/postfix-120

In your above scenario, the filter instance is my postfix-120, correct?
This is where I would add the header and body checks?
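Wietse's "internet -> front-end -> filter -> back-end" layout from the quote above, written out as an added, constructed configuration (none of it is from the thread). It also answers the question asked earlier in this thread about how the front-end instance connects to the filters: the front-end's transport_maps picks an amavisd port by recipient domain, each port carries its own amavisd policy bank, and the back-end's 127.0.0.1:10025 listener accepts the re-injected mail without filtering it again. Ports 10024, 10029 and 10025 are the ones already in use in these threads; port 10030, example.org and the policy bank names are placeholders.

```text
# ---- front-end instance, main.cf (constructed example) -------------------
# Receives from the Internet for all N domains on the shared MX address.
# The recipient domain selects which amavisd listener gets the message;
# anything without a transport entry takes default_transport. No
# header_checks/body_checks here: per-domain policy lives in amavisd.
default_transport = smtp:[127.0.0.1]:10024
relay_transport   = $default_transport
virtual_transport = $default_transport
transport_maps    = hash:$config_directory/transport

# ---- front-end instance, $config_directory/transport (run postmap) -------
#   example.com      smtp:[127.0.0.1]:10029
#   .example.com     smtp:[127.0.0.1]:10029
#   example.org      smtp:[127.0.0.1]:10030

# ---- amavisd.conf: one listener per policy bank --------------------------
# $inet_socket_port = [10024, 10029, 10030];
# $interface_policy{'10029'} = 'EXAMPLE_COM';
# $interface_policy{'10030'} = 'EXAMPLE_ORG';
# $policy_bank{'EXAMPLE_COM'} = { ... };   # that domain's own rules
# $policy_bank{'EXAMPLE_ORG'} = { ... };
# $forward_method = 'smtp:[127.0.0.1]:10025';

# ---- back-end instance, master.cf ----------------------------------------
# Re-injection listener: loopback only, no content filter, no header/body
# checks, so nothing is filtered twice on the way out.
127.0.0.1:10025 inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix-backend
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

Recipient validation and relay decisions stay on the front-end, which is the only instance the Internet can reach; the back-end listener trusts loopback and nothing else. Adding a domain is then one transport entry, one amavisd port and one policy bank, with no new IP address.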


[pfx] Re: content filter sends mail twice

2023-05-21 Thread Alex via Postfix-users
Hi,

Can I follow up on this? I can't figure out why always_bcc mail is being
sent through the default content filter while mail designated for my
domain-specific transport is sent through another in my multi-instance
postfix config. I'd like the always_bcc user mail to still benefit from
being filtered through amavis, but through the transport designed for the
domain for which it was intended.

local_transport = error:5.1.1 Mailbox unavailable
default_transport = smtp:[127.0.0.1]:10024
relay_transport = $default_transport
virtual_transport = $default_transport
transport_maps = ${indexed}transport

/etc/postfix-120/transport
domain1.com    alex:[127.0.0.1]:10029

I've tried adding "receive_override_options = no_address_mappings" in
main.cf but it seems to be ignored.

I thought it might be helpful to show the log entries (except for the more
involved amavisd entries). cable.example.com is my mail router. domain1.com
is the recipient domain. I believe this shows how the mail goes from
gmail.com to the domain1.com transport on port 10029 (amavisd). Both emails
were then sent back to postfix-out on 10025 to be relayed on (or the
always_bcc user to be delivered locally).

Maybe this is even the preferred approach? I'm not used to seeing it this
way, but I would think the transport corresponding with the recipient would
be the one that should be used for the always_bcc user.

May 21 13:40:12 cable postfix-120/qmgr[3714211]: 494948B53: from=<mysqlstud...@gmail.com>,
size=3214, nrcpt=2 (queue active)

May 21 13:40:12 cable amavis[3558243]: (3558243-06) ESMTP [127.0.0.1]:10024
/var/spool/amavisd/tmp/amavis-20230521T020900-3558243-jefENl_V:
<mysqlstud...@gmail.com> ->  SIZE=3214 Received: from cable.example.com
([145.239.111.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port
10024) with ESMTP for ; Sun, 21 May 2023 13:40:12 -0400 (EDT)

May 21 13:40:12 cable amavis[3558246]: (3558246-06) ESMTP [127.0.0.1]:10029
/var/spool/amavisd/tmp/amavis-20230521T032452-3558246-T4MBowCR:
<mysqlstud...@gmail.com> ->  Received: from cable.example.com
([145.239.111.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port
10029) with ESMTP for ; Sun, 21 May 2023 13:40:12 -0400 (EDT)

May 21 13:40:18 cable amavis[3558246]: (3558246-06) yz4rjN5FRAbF FWD from
<mysqlstud...@gmail.com> -> , BODY=7BIT 250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0671630014B43

May 21 13:40:18 cable amavis[3558243]: (3558243-06) 1GoUW-HU8Lsg FWD from
<mysqlstud...@gmail.com> -> , BODY=7BIT 250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 070A730014B58

May 21 13:40:18 cable postfix/alex/smtp[3719703]: 494948B53:
to=<jre...@domain1.com>, relay=127.0.0.1[127.0.0.1]:10029, delay=6.9,
delays=1.2/0.02/0.01/5.7, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0671630014B43)

May 21 13:40:19 cable postfix-out/smtp[3719782]: 0671630014B43:
to=<jre...@domain1.com>, relay=68.195.111.42[68.195.111.42]:25, delay=1.2,
delays=0.01/0.02/0.82/0.33, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
E293A8078BEB)

Thanks,
Alex


>> > Maybe my issue is that the always_bcc user is going through a transport
>> at
>> > all, and instead should just be delivered locally, or perhaps processed
>> > only by the local_transport? How can I do that?
>> >
>> > I recall many years ago doing that, before I set up multi-instance
>> postfix.
>>
>> A not uncommon issue is that virtual alias expansion or other address
>> rewriting actions are performed twice, once on each side of a
>> content_filter.  This is covered in the "Advanced content filter:
>> requesting that all mail is filtered" section of:
>>
>> http://www.postfix.org/FILTER_README.html#advanced_filter
>>
>> (receive_override_options).
>>
>> And of course you can always go multi-instance, and configure suitable
>> rewriting for the pre and post filter instances.
>>
>
> Yes, that's exactly what I'd like to do. I have multi-instance already
> configured, but adding always_bcc to postfix-out doesn't seem to work.
>
> I've also just experimented with "receive_override_options =
> no_address_mappings" (I also remember doing that many years ago, but would
> have never been able to figure that out on my own this time), and it now
> just doesn't actually create a copy of the email for the always_bcc user.
>
> Ideas on how to do it in my postfix-out instance? Ideally, I'd like it to
> have been processed by amavis so I can benefit from the additional header
> info.


[pfx] per-domain header/body checks?

2023-05-21 Thread Alex via Postfix-users
Hi,
I'm using multi-instance postfix-3.7.2 on fedora37 and would like to be
able to control which header and body checks apply to which domain in a
specific instance. I'm looking for advice on the best way to do this.

I have about ten domains right now, and would probably need a number of
policies that control filtering for these domains. I was thinking I could
create a new instance for each domain, but I only have a limited number of
IP addresses. Is it possible to do this using content filters with a
multi-instance postfix configuration? Do you have any examples of how this
might work?

I also recall reading about using a milter for this, but would that require
me to develop my own application for this? Or is there one already created
and supported that might help here?

I've used if/endif conditionals in check_recipient_access in the past, but
this doesn't work for header/body checks?

I'm not sure where to start, so I'm also not sure what other config details
I should provide to help make this determination.


[pfx] Re: content filter sends mail twice

2023-05-18 Thread Alex via Postfix-users
Viktor,

On Thu, May 18, 2023 at 7:16 PM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Thu, May 18, 2023 at 09:20:38AM -0400, Alex via Postfix-users wrote:
>
> > Maybe my issue is that the always_bcc user is going through a transport
> at
> > all, and instead should just be delivered locally, or perhaps processed
> > only by the local_transport? How can I do that?
> >
> > I recall many years ago doing that, before I set up multi-instance
> postfix.
>
> A not uncommon issue is that virtual alias expansion or other address
> rewriting actions are performed twice, once on each side of a
> content_filter.  This is covered in the "Advanced content filter:
> requesting that all mail is filtered" section of:
>
> http://www.postfix.org/FILTER_README.html#advanced_filter
>
> (receive_override_options).
>
> And of course you can always go multi-instance, and configure suitable
> rewriting for the pre and post filter instances.
>

Yes, that's exactly what I'd like to do. I have multi-instance already
configured, but adding always_bcc to postfix-out doesn't seem to work.

I've also just experimented with "receive_override_options =
no_address_mappings" (I also remember doing that many years ago, but would
have never been able to figure that out on my own this time), and it now
just doesn't actually create a copy of the email for the always_bcc user.

Ideas on how to do it in my postfix-out instance? Ideally, I'd like it to
have been processed by amavis so I can benefit from the additional header
info.


[pfx] Re: per-domain sender_checks?

2023-05-18 Thread Alex via Postfix-users
Hi,

> > Is there a way to control smtpd_recipient_restrictions on a per-domain
> > basis so I can relax some of these restrictions for cases like this,
> > instead of a more reactive approach where I'm always adding
> > sender_checks.pcre entries?
>
> Instead of
>
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
> ... reject_unknown_sender_domain ...
>
> Use
>
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
> ... check_sender_access pcre:/etc/postfix/sender_access.pcre ...
>
> /etc/postfix/sender_access.pcre:
> /\.example\.com$/ DUNNO
> /./ reject_unknown_sender_domain
>
> Though I wonder how one would ever be able to reply to the sender.
>

There are a ton of entries like this, where it appears DNS for the sending
domain is horribly broken, my name server isn't forgiving enough to allow
for those misconfigurations, or both.

May 18 18:24:00 cable postfix-120/smtpd[2919509]: NOQUEUE: reject: RCPT
from send106.emailfilter.io[185.54.163.144]: 450 4.1.8 :
Sender address rejected: Domain not found; from= to=<vojisla...@example.com>
proto=ESMTP helo=

If I interpret your instructions properly, this is kind of an as-needed
fqdn bypass, when what I'm trying to do is allow non-fqdn senders just for
certain recipient domains.

The users apparently don't mind receiving the additional spam this may
create, but I also realize if their DNS isn't working, then they likely
have no SPF record either.

Given my circumstance, perhaps there's another way to resolve this?

I'm doing sender checks in smtpd_sender_restrictions, but you've also
recommended adding the sender_access to recipient checks.
smtpd_sender_restrictions =
permit_mynetworks,
check_sender_access ${indexed}sender_checks,
check_sender_access pcre:$config_directory/sender_checks.pcre,
check_sender_access
${default_database_type}:${meta_directory}/spamsources,
check_sender_ns_access ${indexed}/blacklist_ns.cf,
reject_unknown_sender_domain
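The per-recipient-domain version of what Wietse describes, as an added, constructed example (not from the thread): a restriction class carries reject_unknown_sender_domain, and a recipient access map decides which recipient domains get it. It sits in smtpd_recipient_restrictions, where the recipient is known. The relaxed domain names are placeholders; sender_checks.pcre is Alex's existing table. The bare reject_unknown_sender_domain at the end of the smtpd_sender_restrictions quoted above has to go, or it still applies to everyone.

```text
# main.cf (constructed example)
smtpd_restriction_classes = strict_sender_domain
strict_sender_domain      = reject_unknown_sender_domain

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access pcre:$config_directory/sender_checks.pcre,
    check_recipient_access pcre:$config_directory/recipient_policy.pcre

# $config_directory/recipient_policy.pcre
# Recipients at the domains that asked for relaxed checks get DUNNO, which
# simply moves on. Everyone else runs the class; a class that ends without
# a verdict returns DUNNO, so a resolvable sender domain falls through to
# whatever restrictions follow. pcre tables match the whole address and
# are case-insensitive by default.
#   /@(relaxed-a\.example|relaxed-b\.example)$/   DUNNO
#   /./                                           strict_sender_domain
```

An OK from sender_checks.pcre still ends evaluation of the whole list, as it does today, so per-sender whitelisting keeps working ahead of the per-recipient policy. As Wietse notes, the relaxed domains will accept mail they cannot reply to; it is worth logging those acceptances (a warn_if_reject in front of the class for a week shows how much mail the exemption actually lets through before committing to it).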


[pfx] Re: content filter sends mail twice

2023-05-18 Thread Alex via Postfix-users
Hi,

Maybe my issue is that the always_bcc user is going through a transport at
all, and instead should just be delivered locally, or perhaps processed
only by the local_transport? How can I do that?

I recall many years ago doing that, before I set up multi-instance postfix.

Thanks,
Alex

On Thu, May 18, 2023 at 8:00 AM Alex  wrote:

>
>
> On Thu, May 18, 2023 at 4:39 AM Matus UHLAR - fantomas via Postfix-users <
> postfix-users@postfix.org> wrote:
>
>> On 17.05.23 22:11, Alex via Postfix-users wrote:
>> >I'm using postfix (postmulti) with amavisd and trying to have separate
>> >content filters based on the domain so I can make decisions on the
>> destiny
>> >of the email from within amavisd. Currently all mail is processed by the
>> >same amavisd policy_bank.
>>
>> so, amavis returns mail to postfix always the same way?
>>
>> > The problem now is that mail is being sent
>> >through the content filter designated in my transport map as well as the
>> >default transport filter.
>>
>> So, when amavis sends mail back to postfix, it gets filtered again.
>>
>
> No, looking at this again, I think what's happening is the always_bcc user
> is being sent through 10024, while the actual recipient is being sent
> through 10029:
>
> May 18 06:57:43 cable amavis[2800375]: (2800375-01) ESMTP [127.0.0.1]:10024
> /var/spool/amavisd/tmp/amavis-20230518T065743-2800375-wHC33xAt:
> <mysqlstud...@gmail.com> ->  SIZE=3161 Received: from cable.example.com
> ([145.239.XXX.120]) by localhost (cable.example.com [127.0.0.1]) (amavis,
> port 10024) with ESMTP for <bcc-u...@cable.example.com>; Thu, 18 May 2023
> 06:57:43 -0400 (EDT)
>
> May 18 06:57:43 cable amavis[2800376]: (2800376-01) ESMTP [127.0.0.1]:10029
> /var/spool/amavisd/tmp/amavis-20230518T065743-2800376-nYSpx4LR:
> <mysqlstud...@gmail.com> ->  Received: from cable.example.com
> ([145.239.XXX.120]) by localhost (cable.example.com [127.0.0.1]) (amavis,
> port 10029) with ESMTP for ; Thu, 18 May 2023 06:57:43 -0400 (EDT)
>
> Before I started experimenting with multiple ports, the always_bcc user
> and the actual user(s) would be part of the same transport message.
>
> Thanks,
> Alex


[pfx] Re: content filter sends mail twice

2023-05-18 Thread Alex via Postfix-users
On Thu, May 18, 2023 at 4:39 AM Matus UHLAR - fantomas via Postfix-users <
postfix-users@postfix.org> wrote:

> On 17.05.23 22:11, Alex via Postfix-users wrote:
> >I'm using postfix (postmulti) with amavisd and trying to have separate
> >content filters based on the domain so I can make decisions on the destiny
> >of the email from within amavisd. Currently all mail is processed by the
> >same amavisd policy_bank.
>
> so, amavis returns mail to postfix always the same way?
>
> > The problem now is that mail is being sent
> >through the content filter designated in my transport map as well as the
> >default transport filter.
>
> So, when amavis sends mail back to postfix, it gets filtered again.
>

No, looking at this again, I think what's happening is the always_bcc user
is being sent through 10024, while the actual recipient is being sent
through 10029:

May 18 06:57:43 cable amavis[2800375]: (2800375-01) ESMTP [127.0.0.1]:10024
/var/spool/amavisd/tmp/amavis-20230518T065743-2800375-wHC33xAt:
<mysqlstud...@gmail.com> ->  SIZE=3161 Received: from cable.example.com
([145.239.XXX.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port
10024) with ESMTP for ; Thu, 18 May 2023 06:57:43 -0400 (EDT)

May 18 06:57:43 cable amavis[2800376]: (2800376-01) ESMTP [127.0.0.1]:10029
/var/spool/amavisd/tmp/amavis-20230518T065743-2800376-nYSpx4LR:
<mysqlstud...@gmail.com> ->  Received: from cable.example.com
([145.239.XXX.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port
10029) with ESMTP for ; Thu, 18 May 2023 06:57:43 -0400 (EDT)

Before I started experimenting with multiple ports, the always_bcc user and
the actual user(s) would be part of the same transport message.

Thanks,
Alex


[pfx] content filter sends mail twice

2023-05-17 Thread Alex via Postfix-users
Hi,
I'm using postfix (postmulti) with amavisd and trying to have separate
content filters based on the domain so I can make decisions on the destiny
of the email from within amavisd. Currently all mail is processed by the
same amavisd policy_bank. The problem now is that mail is being sent
through the content filter designated in my transport map as well as the
default transport filter.

default_transport = smtp:[127.0.0.1]:10024
local_transport = error:5.1.1 Mailbox unavailable
relay_transport = $default_transport
transport_maps = ${indexed}transport
virtual_transport = $default_transport

/etc/postfix-120/transport:
   example.com    relay:[127.0.0.1]:10029

How do I exclude example.com from also being sent through 10024? Is it
necessary to then disable the default transport altogether and explicitly
list all relay_domains?

I recall having some difficulty with transport maps when I first set up
this multi-instance postfix, and Viktor helped me. I had content_filter
defined as:

content_filter = smtp-amavis:[127.0.0.1]:10024

and the following service defined in master.cf:
smtp-amavis unix  -   -   n   -   2   smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20

but that was disabled when I moved to a multi-instance postfix in favor of
transport maps, but I think I'm still confused.

Thanks for any ideas you might have.


[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Alex via Postfix-users
Hi,

On Tue, May 16, 2023 at 4:16 PM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Tue, May 16, 2023 at 11:27:52AM -0400, Alex via Postfix-users wrote:
>
> > > > $ host info.apr.gov.rs
> > > > Host info.apr.gov.rs not found: 2(SERVFAIL)
> >
> > There's definitely a problem with their name servers, but it also seems
> my
> > version of bind is not permissive enough for such failures, although my
> > bind-9.16.38 system is, using the same configuration.
>
> The problems with their DNS are:
>
> - ns1.apr.gov.rs: EDNS(0) option intolerance, but returns
>   FORMERR, so fallback to non-EDNS queries should (and does) work.
>
> $ dig -t a +nocomment +nocookie +nostats +nocmd +norecur +nocl +nottl @ns1.apr.gov.rs info.apr.gov.rs.
> ;info.apr.gov.rs.   IN A
> info.apr.gov.rs.   A   195.178.56.17
>
>   Disabling use of cookies in your BIND configuration would suffice.
>
> - ns2.apr.gov.rs: Supports EDNS(0), but returns SERVFAIL to all
>   queries.
>
> $ dig -t a +noall +comment +norecur +noedns +nocl +nottl @ns2.apr.gov.rs info.apr.gov.rs.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42971
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> > Public name servers also appear to have no issues. I'm currently
> > researching these FORMERR messages.
>
> Turn off cookies for queries to this domain, or generally.
>

Turning off cookies for this server solved the problem, but it's not a very
scalable method. I realize this isn't bind-users, but can I ask if there is
a way to fall back to not using cookies, instead of having to create a
server {} section for each broken server?

I have a bind-9.16.38 system and it's apparently able to query these broken
servers without issue.

>
> --
> Viktor.


[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Alex via Postfix-users
Hi,

> I have a postfix-3.7.3 fedora37 system and have a few users who want me to
> > disable reject_non_fqdn_sender because it seems many of their users have
> > DNS problems. For example, email from nore...@info.apr.gov.rs fails to
> > resolve with:
> >
> > $ host info.apr.gov.rs
> > Host info.apr.gov.rs not found: 2(SERVFAIL)
>
> $ host info.apr.gov.rs
> info.apr.gov.rs has address 195.178.56.17
>
> Looks like you have a *local* DNS problem. Check your routing,
> including netmasks.
>

There's definitely a problem with their name servers, but it also seems my
version of bind is not permissive enough for such failures, although my
bind-9.16.38 system is, using the same configuration. Public name servers
also appear to have no issues. I'm currently researching these FORMERR
messages.

Is there a way to control smtpd_recipient_restrictions on a per-domain
basis so I can relax some of these restrictions for cases like this,
instead of a more reactive approach where I'm always adding
sender_checks.pcre entries?

Thanks,
Alex


[pfx] per-domain sender_checks?

2023-05-16 Thread Alex via Postfix-users
Hi,
I have a postfix-3.7.3 fedora37 system and have a few users who want me to
disable reject_non_fqdn_sender because it seems many of their users have
DNS problems. For example, email from nore...@info.apr.gov.rs fails to
resolve with:

$ host info.apr.gov.rs
Host info.apr.gov.rs not found: 2(SERVFAIL)

and the following in my bind logs:
16-May-2023 09:01:37.082 resolver: DNS format error from 195.178.56.17#53 resolving ns2.apr.gov.rs/ for : server sent FORMERR
16-May-2023 09:01:37.082 lame-servers: received FORMERR resolving 'ns2.apr.gov.rs//IN': 195.178.56.17#53
16-May-2023 09:01:41.088 lame-servers: timed out resolving 'ns2.apr.gov.rs//IN': 212.62.49.194#53
16-May-2023 09:01:41.095 lame-servers: timed out resolving 'ns1.apr.gov.rs//IN': 212.62.49.194#53

Their name servers appear to be broken.

and in the (multi-instance) postfix logs I have the following:
May 16 07:23:53 iceman postfix-199/smtpd[2634611]: NOQUEUE: reject: RCPT from unknown[195.178.56.17]: 450 4.1.8 : Sender address rejected: Domain not found; from= to=<sovljansk...@example.co.rs> proto=ESMTP helo=

Without a FQDN, I'm of course concerned about disabling any form of
spoofing protection, particularly for what appears to be mail from a
government agency domain, but we also can't just block mail because of
that. The return path is also the same domain, which means we also have no
ability to verify the email origin using SPF.

I've since added an entry to my sender_checks.pcre that appears to be
working:
/info\.apr\.gov\.rs/permit

So my questions are related to this specific instance where email was being
rejected from this domain, and the way I handled it, but also the broader
question about how to relax some of the DNS checks that we use to prevent
sender fraud. How can I find a "happy medium" to limit fraud as much as
possible, yet not reject all mail because they're having temporary DNS
issues?

$ postconf -fn -c /etc/postfix-120
...
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_non_fqdn_sender, reject_unlisted_recipient,
reject_unknown_recipient_domain, permit_mynetworks,
reject_unauth_destination, reject_rhsbl_sender
[reject_rbls ...]
${indexed}check_backscatterer, check_helo_access
pcre:$config_directory/helo_checks.pcre, check_helo_access
${indexed}helo_checks, reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname, check_policy_service
unix:private/policy-spf,
check_policy_service inet:127.0.0.1:2501, check_recipient_access
pcre:$config_directory/recipient_checks, check_recipient_access
pcre:$config_directory/relay_recips_access, check_recipient_access,
permit

Thanks so much for any ideas.
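The sender_checks.pcre entry above is unanchored, so it matches any lookup key that merely contains the string info.apr.gov.rs, not just addresses at that domain. The following Python script, added here for this thread (it is not Postfix code), emulates how a pcre: access table is consulted (first matching rule wins, case-insensitive by default, as pcre_table(5) describes) and runs the posted rule and an anchored variant over three sender addresses. It assumes the table is consulted by check_sender_access with the full envelope sender as the lookup key, and the look-alike addresses are constructed for the demonstration:

```python
"""Emulate a Postfix pcre: access table lookup to show what the unanchored
rule from the thread actually permits.  Added example, not Postfix code.
Assumption: the table is consulted by check_sender_access with the complete
envelope sender address as the lookup key."""
import re
from typing import List, Optional, Tuple

# pcre_table(5) line shape handled here:  /pattern/flags  result
RULE_RE = re.compile(r"^/((?:\\.|[^/\\])+)/([A-Za-z]*)\s+(\S+)\s*$")


def parse_pcre_table(text: str) -> List[Tuple[re.Pattern, str]]:
    """Parse the subset of pcre_table(5) used here: one /pattern/ per line,
    '#' comments and blank lines ignored.  Negated patterns (!/.../) and
    $N substitutions in the result are not handled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported pcre table line: {raw!r}")
        pattern, flags, result = m.groups()
        re_flags = re.IGNORECASE  # Postfix pcre tables match case-insensitively by default
        if "x" in flags:
            re_flags |= re.VERBOSE
        rules.append((re.compile(pattern, re_flags), result))
    return rules


def lookup(rules: List[Tuple[re.Pattern, str]], key: str) -> Optional[str]:
    """First matching rule wins, as in Postfix; None means no rule matched."""
    for pattern, result in rules:
        if pattern.search(key):
            return result
    return None


# The entry from the thread, as posted.
UNANCHORED = "/info\\.apr\\.gov\\.rs/ permit\n"
# Same intent, anchored so that only addresses *at* that domain match.
ANCHORED = "/^[^@]+@info\\.apr\\.gov\\.rs$/ permit\n"

# Constructed sample senders (not from the thread): the legitimate address,
# then two look-alikes that merely contain the domain string.
SAMPLES = [
    "noreply@info.apr.gov.rs",
    "noreply@info.apr.gov.rs.lookalike.example",
    "noreply@notinfo.apr.gov.rs",
]


def evaluate(table_text: str) -> dict:
    """Map each sample sender to the action the table would return for it."""
    rules = parse_pcre_table(table_text)
    return {sender: lookup(rules, sender) for sender in SAMPLES}


if __name__ == "__main__":
    for name, table in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name)
        for sender, result in evaluate(table).items():
            print(f"  {sender:45s} -> {result}")
```

With the posted rule all three senders come back as permit; with the anchored rule only the real info.apr.gov.rs address does. Since permit in a sender access table short-circuits the rest of the restriction list, the anchoring decides how much of the later checking (reject_rhsbl_sender, the SPF policy service and so on) a look-alike domain can skip.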


[pfx] postscreen and checking proper operation

2023-05-01 Thread Alex via Postfix-users
Hi,

I have postscreen implemented on postfix-3.7.3 on fedora37, and I'm not sure
I understand whether it's working properly. Sometimes I see the
postscreen/dnsblog combination ending with a simple DISCONNECT. In this
case, it met the 8-point threshold to be rejected, but appears to have only
received a DISCONNECT:

May  1 20:57:53 petra postfix-226/postscreen[1104961]: CONNECT from [95.214.27.139]:50021 to [5.196.7.226]:25
May  1 20:57:53 petra postfix-226/postscreen[1104961]: PREGREET 11 after 0.01 from [95.214.27.139]:50021: EHLO User\r\n
May  1 20:57:53 petra postfix-226/dnsblog[1105023]: addr 95.214.27.139 listed by domain bl.mailspike.net as 127.0.0.2
May  1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4
May  1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.2
May  1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.9
May  1 20:57:53 petra postfix-226/dnsblog[1105024]: addr 95.214.27.139 listed by domain score.senderscore.com as 127.0.4.6
May  1 20:57:53 petra postfix-226/dnsblog[1105025]: addr 95.214.27.139 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2
May  1 20:57:53 petra postfix-226/postscreen[1104961]: DNSBL rank 23 for [95.214.27.139]:50021
May  1 20:57:54 petra postfix-226/postscreen[1104961]: DISCONNECT [95.214.27.139]:50021

while other times I do see there is a NOQUEUE/reject involved:
May  1 20:13:15 petra postfix-226/postscreen[1095132]: CONNECT from [185.146.23.43]:46126 to [5.196.7.226]:25
May  1 20:13:15 petra postfix-226/dnsblog[1095229]: addr 185.146.23.43 listed by domain score.senderscore.com as 127.0.4.89
May  1 20:13:15 petra postfix-226/dnsblog[1095233]: addr 185.146.23.43 listed by domain bb.barracudacentral.org as 127.0.0.2
May  1 20:13:15 petra postfix-226/dnsblog[1095232]: addr 185.146.23.43 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2
May  1 20:13:21 petra postfix-226/postscreen[1095132]: DNSBL rank 13 for [185.146.23.43]:46124
May  1 20:13:21 petra postfix-226/postscreen[1095132]: NOQUEUE: reject: RCPT from [185.146.23.43]:46124: 550 5.7.1 Service unavailable; client [185.146.23.43] blocked using DNS Blocklist (invaluement); from=<simon...@server.sito-wp.com>, to=, proto=ESMTP, helo=

What am I misunderstanding? Here is my postscreen config:
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
texthash:/etc/postfix/postscreen_dnsbl_reply_map
postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
    score.senderscore.com=127.0.4.[0..19]*5
    score.senderscore.com=127.0.4.[20..29]*4
    score.senderscore.com=127.0.4.[30..49]*3
    score.senderscore.com=127.0.4.[50..59]*2
    score.senderscore.com=127.0.4.[60..69]*1
    score.senderscore.com=127.0.4.[70..79]*-1
    score.senderscore.com=127.0.4.[80..89]*-2
    score.senderscore.com=127.0.4.[90..100]*-3
    bb.barracudacentral.org*7
    mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
    bl.mailspike.net*4
    bl.spamcop.net*4
    bl.spameatingmonkey.net*4
    mykey.zen.dq.spamhaus.net=127.0.0.3*4
    sip-sip24.mykey.invaluement.com=127.0.0.2*8
    ubl.unsubscore.com=127.0.0.2*1
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 8
postscreen_greet_action = enforce
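The two ranks in the post (23 and 13) follow directly from the posted postscreen_dnsbl_sites weights: postscreen adds the weight of every entry whose domain listed the client with a reply that fits the entry's filter (an entry without a filter counts for any listing; weight defaults to 1), and then compares the sum with postscreen_dnsbl_threshold. The script below, added here for this thread and not part of Postfix, reimplements that scoring from the posted configuration and dnsblog lines so the arithmetic can be checked. Its verdict() only models the threshold comparison; with postscreen_dnsbl_action=enforce the actual 550 is issued when the client reaches RCPT TO, which is why a pregreeting client that hangs up before that point leaves a DISCONNECT and no NOQUEUE line:

```python
"""Recompute postscreen's "DNSBL rank" from a postscreen_dnsbl_sites value and
the dnsblog listings in the log.  Added example written for this thread, not
Postfix code.  Per postconf(5): an entry is domain[=filter][*weight], weight
defaults to 1, a filter is a dotted pattern whose octets are a number, a range
[a..b] or a ';'-separated list in brackets; each entry counts at most once."""
import re
from typing import Dict, List, Optional, Set, Tuple

# postscreen_dnsbl_sites exactly as posted (whitespace-separated entries)
DNSBL_SITES = """
mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
score.senderscore.com=127.0.4.[0..19]*5 score.senderscore.com=127.0.4.[20..29]*4
score.senderscore.com=127.0.4.[30..49]*3 score.senderscore.com=127.0.4.[50..59]*2
score.senderscore.com=127.0.4.[60..69]*1 score.senderscore.com=127.0.4.[70..79]*-1
score.senderscore.com=127.0.4.[80..89]*-2 score.senderscore.com=127.0.4.[90..100]*-3
bb.barracudacentral.org*7 mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
bl.mailspike.net*4 bl.spamcop.net*4 bl.spameatingmonkey.net*4
mykey.zen.dq.spamhaus.net=127.0.0.3*4 sip-sip24.mykey.invaluement.com=127.0.0.2*8
ubl.unsubscore.com=127.0.0.2*1 list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
"""

# dnsblog lines from the two connections in the post, one listing per line
LOG_A = """
May  1 20:57:53 petra postfix-226/dnsblog[1105023]: addr 95.214.27.139 listed by domain bl.mailspike.net as 127.0.0.2
May  1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4
May  1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.2
May  1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.9
May  1 20:57:53 petra postfix-226/dnsblog[1105024]: addr 95.214.27.139 listed by domain score.senderscore.com as 127.0.4.6
May  1 20:57:53 petra postfix-226/dnsblog[1105025]: addr 95.214.27.139 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2
""".strip().splitlines()

LOG_B = """
May  1 20:13:15 petra postfix-226/dnsblog[1095229]: addr 185.146.23.43 listed by domain score.senderscore.com as 127.0.4.89
May  1 20:13:15 petra postfix-226/dnsblog[1095233]: addr 185.146.23.43 listed by domain bb.barracudacentral.org as 127.0.0.2
May  1 20:13:15 petra postfix-226/dnsblog[1095232]: addr 185.146.23.43 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2
""".strip().splitlines()

ENTRY_RE = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")
OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")  # bracket group or plain number
LISTING_RE = re.compile(r"addr (\S+) listed by domain (\S+) as (\S+)")

Filter = List[Set[int]]  # allowed values for each of the four octets


def parse_octet(pat: str) -> Set[int]:
    """'7' -> {7}; '[4..7]' -> {4,5,6,7}; '[2;4..7]' -> {2,4,5,6,7}."""
    if not pat.startswith("["):
        return {int(pat)}
    values: Set[int] = set()
    for part in pat[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        values.update(range(int(lo), int(hi or lo) + 1))
    return values


def parse_sites(spec: str) -> List[Tuple[str, Optional[Filter], int]]:
    """Split a postscreen_dnsbl_sites value into (domain, filter, weight)."""
    sites = []
    for token in spec.split():
        m = ENTRY_RE.match(token)
        if m is None:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token!r}")
        domain, flt, weight = m.groups()
        octets = [parse_octet(o) for o in OCTET_RE.findall(flt)] if flt else None
        if octets is not None and len(octets) != 4:
            raise ValueError(f"filter is not a dotted quad: {flt!r}")
        sites.append((domain, octets, int(weight) if weight else 1))
    return sites


def reply_matches(octets: Filter, reply: str) -> bool:
    parts = reply.split(".")
    return len(parts) == 4 and all(int(p) in ok for p, ok in zip(parts, octets))


def dnsbl_rank(spec: str, log_lines: List[str], client: str) -> int:
    """Sum the weights of every entry that one of the client's listings satisfies."""
    replies: Dict[str, Set[str]] = {}
    for line in log_lines:
        m = LISTING_RE.search(line)
        if m and m.group(1) == client:
            replies.setdefault(m.group(2), set()).add(m.group(3))
    rank = 0
    for domain, octets, weight in parse_sites(spec):
        addrs = replies.get(domain, set())
        # no filter: any listing counts; with a filter at least one reply must fit
        if addrs and (octets is None or any(reply_matches(octets, a) for a in addrs)):
            rank += weight
    return rank


def verdict(rank: int, threshold: int = 8) -> str:
    """Threshold comparison only; the 550 itself is sent at RCPT TO."""
    return "reject at RCPT TO" if rank >= threshold else "pass"


if __name__ == "__main__":
    for client, log in (("95.214.27.139", LOG_A), ("185.146.23.43", LOG_B)):
        rank = dnsbl_rank(DNSBL_SITES, log, client)
        print(f"{client}: DNSBL rank {rank} -> {verdict(rank)}")
```

For the first client the matching entries are bl.mailspike.net*4, spamhaus 127.0.0.[4..7]*6, senderscore 127.0.4.[0..19]*5 and invaluement 127.0.0.2*8 (the spamhaus 127.0.0.2 and 127.0.0.9 replies fit no entry), giving 23; for the second, barracuda*7 plus invaluement*8 minus 2 for senderscore 127.0.4.[80..89] gives 13. Both are above the threshold of 8, so the only difference between the two connections is whether the client stayed around long enough to send RCPT TO.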


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Alex via Postfix-users
Hi,

On Tue, Apr 25, 2023 at 1:03 PM Gerald Galster via Postfix-users <
postfix-users@postfix.org> wrote:

> Hi, I realize this is probably one of the most frequently asked questions,
> but I really can't figure out why this was rejected.
>
> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8 <u...@eurobank-direktna.rs>: Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
>
> What am I missing? eurobank-direktna.rs and
> mail.email.eurobank-direktna.rs both have forward and reverse DNS entries.
>
> I thought maybe it just didn't resolve properly at the time the email was
> received, but it's been happening for hours.
>
>
> Negative dns answers may be cached but usually not for hours.
> Verify that the resolver running on the postfix server can
> resolve that domain because this sounds like a dns problem.
>
> https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain
>
> Query the resolvers listed in /etc/resolv.conf directly, e.g.
>
> dig @127.0.0.1 eurobank-direktna.rs a
> dig @127.0.0.1 eurobank-direktna.rs mx
>

That was the problem, thanks. I think it may be due to a low memory issue
on the mail server. Simply restarting bind fixed it, but it is definitely
curious to me that it was responding properly for so long.

Thanks for taking the time to help.
