[pfx] Re: How to check whether "smtpd_recipient_restrictions" entries get parsed?

2024-08-07 Thread Ansgar Wiechers via Postfix-users
On 2024-08-07 Martin Stenzel via Postfix-users wrote:
> this is part of my main.cf file
> 
> smtpd_recipient_restrictions = check_recipient_access 
> pcre:/etc/postfix/recipient_access.pcre, permit_mynetworks, 
> permit_sasl_authenticated, permit_dnswl_client 
> 626cf513f08bea5051b8c928c93b99.white.mail.abusix.zone, 
> reject_unauth_destination, reject_rhsbl_client 
> 626cf513f08bea5051b8c928c93b99.dblack.mail.abusix.zone, reject_rhsbl_helo 
> 626cf513f08bea5051b8c928c93b99.dblack.mail.abusix.zone, reject_rhsbl_sender 
> 626cf513f08bea5051b8c928c93b99.dblack.mail.abusix.zone, reject_rbl_client 
> 626cf513f08bea5051b8c928c93b99.combined.mail.abusix.zone
> Now I wonder, how do I know that the later rules (starting
> with reject_rhsbl) get parsed? 
> These are blacklist and whitelist entries to fight spam. Can I have
> this information by expanding verbosity of postfix logging?

The postconf utility will show you the active configuration:

postconf -n smtpd_recipient_restrictions

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Ansgar Wiechers via Postfix-users
On 2024-06-19 Ralph Seichter via Postfix-users wrote:
> * Bjoern Franke via Postfix-users:
> 
> > From: Ralph Seichter via Postfix-users 
> > Reply-To: Ralph Seichter 
> 
> Dang, blindsided by Mailman 3, sorry. What I wrote about my dislike of
> using "nore...@foo.bar" type addresses remains unchanged, however. If
> sender A sends mail to recipient B, A needs to be prepared to receive a
> response from B. Proper email communication is not a hit-and-run.

Umm... yeah. Let's see ...

| : host ra.horus-it.com[65.108.3.114] said: 451 4.7.1
| Policy violation; see https://www.horus-it.com/policy3/?S=5 (in reply to
| end of DATA command)

Quoting from that page:

| What does it mean?
|
| The owner of address name@example.domain has decided to only accept
| correspondence from a list of known contacts, which is usually done to
| counter address harvesting, and your sender address was rejected
| because it is not a member of said list.
|
| How can I register as a contact?
|
| If you have a legitimate reason to send email to this particular
| recipient address, please write to postmaster@example.domain first.
| State the full sender and recipient addresses, and explain why you
| require clearance. If the recipient agrees to accept your request, you
| will usually receive a notification within two working days.

Oh, well. Guess what just happened to horus-it.com on my mail server.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


[pfx] Re: Best practices?

2024-06-19 Thread Ansgar Wiechers via Postfix-users
On 2024-06-19 Jeff Peng via Postfix-users wrote:
> On 2024-06-19 17:29, Matt Kinni via Postfix-users wrote:
>> On 2024-06-19 02:27, Matt Kinni via Postfix-users wrote:
>>> On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
>>>> smtpd_helo_restrictions =
>>>>  ...
>>>>  reject_non_fqdn_helo_hostname,
>>>>  ...
>>> I've found this to block some legitimate mails in the past
>> Sorry, I meant "reject_unknown_helo_hostname".
>
> what's unknown_helo_hostname? does it mean it has neither A nor mx record?

From `man 5 postconf`:

| reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
| Reject the request when the HELO or EHLO hostname has no DNS A or MX record.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


[pfx] Re: OT: VPS w/FDE suggestions?

2024-02-20 Thread Ansgar Wiechers via Postfix-users
On 2024-02-21 MRob via Postfix-users wrote:
[ off-topic ]

It never ceases to amaze me how people *know* that what they're posting
is off-topic, yet decide it's okay for them to post it anyway if they
just label it as off-topic. Hint: it's not.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


[pfx] Re: check sender trouble

2023-11-17 Thread Ansgar Wiechers via Postfix-users
On 2023-11-17 Колесников Александр wrote:
> I added in main.cf options
> 
> local_header_rewrite_clients=
> mynetworks=
> 
> master.cf
> 192.168.250.35:27 inet n - n - - smtpd
> 
> instead of 127.0.0.1:27
> 
> and I'm trying to connect from another host. It didn't help

"It didn't help" is not a valid problem description.

Please remove the two lines you added to main.cf and reload the Postfix
configuration. Then re-try the telnet connection from the other host.
Double-check that the IP address of that other host is not within the
range(s) listed by `postconf mynetworks`.

If a localpart-only sender address still is accepted: show the output of
`postconf -n` and `postconf -M` as well as the transcript of the
`telnet` dialog.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


[pfx] Re: check sender trouble

2023-11-17 Thread Ansgar Wiechers via Postfix-users
On 2023-11-17 Колесников Александр via Postfix-users wrote:
> Thank you very much for the clarification. I added in main.cf options
> 
> append_at_myorigin=no
> append_dot_mydomain=no

AFAIK those are for outbound mails, not for inbound.

> but it didn't help. How to configure postfix so that it does not
> accept messages from addresses without a domain part?

The restriction reject_non_fqdn_sender should already take care of that.
However, in your test you're connecting from localhost, which is by
default in $mynetworks and thus whitelisted. Try connecting from outside
$mynetworks and you should see a response like

504 5.5.2 : Sender address rejected: need fully-qualified address

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


[pfx] Re: check sender trouble

2023-11-16 Thread Ansgar Wiechers via Postfix-users
On 2023-11-17 Колесников Александр via Postfix-users wrote:
> I'm testing a new server. This is part of the config:
>
> master.cf:
> 
>
> 127.0.0.1:27  inet  n   -   n   -   -   smtpd
> -o syslog_name=postfix/$service_name
> -o smtpd_delay_reject=no
> -o smtpd_sender_restrictions=pcre:/etc/postfix/senders_cgp.pcre,reject_non_fqdn_sender,reject
>
> ~
>
> /etc/postfix/senders_cgp.pcre:
>
> /^\S+\@domain\.com$/ OK
> /^\S+\@host\.domain\.com$/   OK
> /^<>$/OK
> /.*/ reject
[...]
> /etc/postfix > telnet localhost 27
> Connected to localhost.
> Escape character is '^]'.
> 220 domain.com ESMTP Postfix
[...]
> mail from: w.w
> 250 2.1.0 Ok
> rset
> 250 2.0.0 Ok
> mail from: w@w.w
> 554 5.7.1 : Sender address rejected: Access denied
[...]
> Connection closed by foreign host.
>
> Why does postfix accept mail from an incorrect sender address similar to
> "w.w"? What am I doing wrong?

You seem to assume that "mail from: w.w" would refer to the domain
"w.w", but it actually specifies a localpart "w.w". Postfix then appends
its own domain ($myorigin, presumably "domain.com") to this localpart.
Hence the sender address effectively becomes "w...@domain.com", which is
allowed.

As a side note: Please avoid making up arbitrary domain names for
examples. There are official domains reserved specifically for this
purpose. See RFC 2606[1] for details.

[1]: 

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
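
Added example (not part of the original thread, and not Postfix code): a simplified Python model of the explanation in the message above, replaying the two MAIL FROM values from the quoted telnet session against the quoted PCRE table. It assumes $myorigin is "domain.com" as the reply presumes; the names evaluate, AS_POSTED and FQDN_FIRST are hypothetical, and FQDN_FIRST is a reordered list included only for comparison, which nobody in the thread proposed.

```python
import re

MYORIGIN = "domain.com"  # assumption: the reply only says "presumably"

# senders_cgp.pcre as quoted in the thread; the first matching line wins
SENDERS_CGP = [
    (r"^\S+\@domain\.com$", "OK"),
    (r"^\S+\@host\.domain\.com$", "OK"),
    (r"^<>$", "OK"),
    (r".*", "reject"),
]

def lookup_key(addr):
    """Form used for the table lookup: a bare localpart gets @$myorigin."""
    if addr == "":
        return "<>"  # null sender
    return addr if "@" in addr else f"{addr}@{MYORIGIN}"

def table_action(addr):
    key = lookup_key(addr)
    for pattern, action in SENDERS_CGP:
        if re.search(pattern, key):
            return action
    return None  # no line matched

def non_fqdn(addr):
    """Simplified reject_non_fqdn_sender: looks at the address as typed."""
    domain = addr.rpartition("@")[2] if "@" in addr else ""
    return addr != "" and "." not in domain

def evaluate(addr, restrictions):
    """Walk the list; the first decisive result ends evaluation."""
    for name in restrictions:
        if name == "pcre_table":
            action = table_action(addr)
            if action in ("OK", "reject"):
                return ("permit" if action == "OK" else "reject", name)
        elif name == "reject_non_fqdn_sender" and non_fqdn(addr):
            return ("reject", name)
        elif name == "reject":
            return ("reject", name)
    return ("permit", "end of list")

AS_POSTED = ["pcre_table", "reject_non_fqdn_sender", "reject"]
FQDN_FIRST = ["reject_non_fqdn_sender", "pcre_table", "reject"]  # comparison only

if __name__ == "__main__":
    for sender in ("w.w", "w@w.w"):
        print(sender, evaluate(sender, AS_POSTED), evaluate(sender, FQDN_FIRST))
```

Because the quoted table ends in a catch-all /.*/ line, every sender is decided by the table in the posted order, so the two restrictions after it are never reached in this model.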