Re: Best way to handle a Delivered-To exploit??

2012-11-05 Thread Brian Schang
Hello:

On 11/5/2012 5:18 AM, Reindl Harald wrote:
> On 05.11.2012 03:45, Brian Schang wrote:
>> What is the best way to handle a problem like this? Right now I'm
>> soft_bouncing until I find a more permanent solution. The best I've
>> found on the net is to set up a header_check. Is this a good solution?
>> If so, are there any tricks in setting this up correctly?
>
> we need the log lines from one example message and output
> of postconf -n to see what happens

Sure.

Here is an example from the log file. Note that my email gets sent to
amavis and is then re-injected into postfix:

Oct 31 06:32:02 server2 postfix/smtpd[4615]: connect from crunhmailsapps.info[176.126.168.1]
Oct 31 06:32:03 server2 postfix/smtpd[4615]: 8671D963AF: client=crunhmailsapps.info[176.126.168.1]
Oct 31 06:32:03 server2 postfix/cleanup[4611]: 8671D963AF: message-id=2683ffb1-5344-2058-3ac6-a2edca36c...@crunhmailsapps.info
Oct 31 06:32:04 server2 postfix/qmgr[23776]: 8671D963AF: from=simply...@crunhmailsapps.info, size=6438, nrcpt=1 (queue active)
Oct 31 06:32:04 server2 postfix/smtpd[4615]: disconnect from crunhmailsapps.info[176.126.168.1]
Oct 31 06:32:05 server2 postfix/smtpd[4629]: connect from localhost[127.0.0.1]
Oct 31 06:32:05 server2 postfix/smtpd[4629]: 9AF30963F8: client=crunhmailsapps.info[176.126.168.1]
Oct 31 06:32:05 server2 postfix/cleanup[4611]: 9AF30963F8: message-id=2683ffb1-5344-2058-3ac6-a2edca36c...@crunhmailsapps.info
Oct 31 06:32:05 server2 postfix/smtpd[4629]: disconnect from localhost[127.0.0.1]
Oct 31 06:32:05 server2 postfix/qmgr[23776]: 9AF30963F8: from=simply...@crunhmailsapps.info, size=7045, nrcpt=1 (queue active)
Oct 31 06:32:05 server2 postfix/smtp[4623]: 8671D963AF: to=jenni...@schang.net, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.86/0/0/1.7, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04180-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9AF30963F8)
Oct 31 06:32:05 server2 postfix/qmgr[23776]: 8671D963AF: removed
Oct 31 06:32:05 server2 postfix/local[5208]: 9AF30963F8: to=jenni...@schang.net, relay=local, delay=0.16, delays=0.09/0/0/0.07, dsn=5.4.6, status=bounced (mail forwarding loop for jenni...@schang.net)
Oct 31 06:32:05 server2 postfix/cleanup[4611]: C2F6896401: message-id=20121031103205.c2f6896...@s2.schang.net
Oct 31 06:32:05 server2 postfix/bounce[5423]: 9AF30963F8: sender non-delivery notification: C2F6896401
Oct 31 06:32:05 server2 postfix/qmgr[23776]: C2F6896401: from=, size=8924, nrcpt=1 (queue active)
Oct 31 06:32:05 server2 postfix/qmgr[23776]: 9AF30963F8: removed

Here is my postconf -n output:

address_verify_map = btree:/var/lib/postfix/verify
address_verify_negative_cache = yes
address_verify_negative_expire_time = 6d
address_verify_negative_refresh_time = 1d
address_verify_positive_expire_time = 6d
address_verify_positive_refresh_time = 1d
alias_database = $alias_maps
alias_maps = hash:/etc/aliases, hash:/etc/postfix/aliases, ldap:/etc/postfix/ldap_aliases.cf
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 4h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = !facebook.schang.net,!football.schang.net,!linux.schang.net,!lists.schang.net,!wixom.schang.net,schang.net
masquerade_exceptions = root
message_size_limit = 2048
mydestination = $myhostname,localhost.$mydomain,localhost,$mydomain,server2.schang.net
mydomain = schang.net
myhostname = s2.schang.net
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
notify_classes = resource,software,2bounce
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps =
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_tls_security_level = none
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = hash:/etc/postfix/access
reject_unknown_reverse_client_hostname  reject_non_fqdn_sender
reject_non_fqdn_recipient   reject_unlisted_recipient
reject_unknown_sender_domain reject_unknown_recipient_domain
permit_mynetworks
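
Added example (not part of the original post): a short Python script that follows the queue IDs in a log like the one above, through the amavis re-injection ("queued as ..."), to report which SMTP client handed over each message that later bounced with "mail forwarding loop". The function name, the output fields and the placeholder recipient address are assumptions; the sample lines are constructed from the excerpt above.

```python
import re

# Constructed sample: five lines reduced from the log excerpt above; the
# recipient address is a placeholder for the obfuscated one in the post.
SAMPLE_LOG = """\
Oct 31 06:32:03 server2 postfix/smtpd[4615]: 8671D963AF: client=crunhmailsapps.info[176.126.168.1]
Oct 31 06:32:05 server2 postfix/smtpd[4629]: 9AF30963F8: client=crunhmailsapps.info[176.126.168.1]
Oct 31 06:32:05 server2 postfix/smtp[4623]: 8671D963AF: to=<user@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.86/0/0/1.7, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04180-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9AF30963F8)
Oct 31 06:32:05 server2 postfix/local[5208]: 9AF30963F8: to=<user@example.net>, relay=local, delay=0.16, delays=0.09/0/0/0.07, dsn=5.4.6, status=bounced (mail forwarding loop for user@example.net)
Oct 31 06:32:05 server2 postfix/bounce[5423]: 9AF30963F8: sender non-delivery notification: C2F6896401
"""

# Assumes classic short (hex) queue IDs, as in the excerpt.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
CLIENT = re.compile(r"client=(\S+?)\[([0-9a-fA-F.:]+)\]")
REQUEUED = re.compile(r"queued as ([0-9A-F]{6,})\)")
LOOP = re.compile(r"to=<?([^>,\s]+)>?,.*status=bounced \(mail forwarding loop")

def forwarding_loop_bounces(log_text):
    """Trace each 'mail forwarding loop' bounce back to the accepting SMTP hop."""
    clients, parent, notice, bounced = {}, {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and (c := CLIENT.search(rest)):
            clients.setdefault(qid, c.groups())       # who handed us the message
        elif daemon == "smtp" and (r := REQUEUED.search(rest)):
            parent[r.group(1)] = qid                  # content-filter re-injection
        elif daemon == "local" and (b := LOOP.search(rest)):
            bounced.append((qid, b.group(1)))
        elif daemon == "bounce" and "non-delivery notification" in rest:
            notice[qid] = rest.rsplit(": ", 1)[1]     # queue ID of the bounce sent out
    findings = []
    for qid, rcpt in bounced:
        first, seen = qid, set()
        while first in parent and first not in seen:  # walk back through the filter
            seen.add(first)
            first = parent[first]
        host, ip = clients.get(first, ("unknown", "unknown"))
        findings.append({"first_hop": first, "bounced_as": qid, "recipient": rcpt,
                         "client_host": host, "client_ip": ip,
                         "bounce_qid": notice.get(qid)})
    return findings

if __name__ == "__main__":
    for f in forwarding_loop_bounces(SAMPLE_LOG):
        print(f)
```

Run over a full mail log, the client_ip values show whether the loop bounces come from a handful of sources.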

Best way to handle a Delivered-To exploit??

2012-11-04 Thread Brian Schang
Hello:

I have been using Postfix for many years. I'm a hobbyist and have
learned a lot by reading this newsgroup. Based on the advice shared
here, I have been able to avoid bouncing emails by rejecting them before
messages are queued. Until recently...

In the past week, my server has accepted dozens of emails that were not
deliverable. In all cases the issue has been a mail forwarding loop
which resulted in the email bouncing. Given that my configuration has
not changed in many months, I was puzzled. However, a little research
led me to look into a Delivered-To exploit. I looked at a few of the
messages in the queue (postcat), and sure enough those messages had a
Delivered-To header line.

Now I'm trying to learn how to handle this. I understand that the
Delivered-To headers are there for a reason and don't want to defeat
their value. But I also don't want to bounce bogus emails either. I'm
not sure how to best balance these two.

What is the best way to handle a problem like this? Right now I'm
soft_bouncing until I find a more permanent solution. The best I've
found on the net is to set up a header_check. Is this a good solution?
If so, are there any tricks in setting this up correctly?

I'd appreciate any advice.

Thank you.

-- 
Brian


Re: Questions on virtual aliases and mailboxes

2010-01-01 Thread Brian Schang

Viktor:

On 12/29/2009 11:47 AM, Victor Duchovni wrote:


> Virtual alias rewriting happens for all domains, not just virtual
> alias domains. However, if you want a virtual alias domain, you must
> list it in virtual_alias_domains (which defaults to
> $virtual_alias_maps).
>
> Not listing the domain means:
>
> - Postfix won't accept mail for the domain from untrusted clients
> - Postfix won't reject unlisted recipients in that domain.


Thank you for the explanation. I had overlooked the fact that virtual 
alias rewriting happens for all domains. The behavior I saw makes 
perfect sense now.


Thank you for taking the time to answer my question. I appreciate it.

--
Brian Schang


Questions on virtual aliases and mailboxes

2009-12-29 Thread Brian Schang

Hello:

I have had virtual aliases and mailboxes working well for years. I have 
always had a separated virtual_*_domains and virtual_*_maps file. Now I 
am combining them to make administration easier.


For virtual aliases, I simply commented out the virtual_alias_domains 
directive in the main.cf file. Since it defaults to virtual_alias_maps, 
everything works. I tested by adding the following line:

  br...@junk.schang.net brian
... Everything works. :-)

For virtual mailboxes, I did the same. It's my understanding that 
virtual_mailbox_domains defaults to virtual_mailbox_maps. However it 
didn't work as I expected. When I add the following line:

  br...@junk2.schang.net brian_mail/somefile
... I get a domain not found error.
However if I add another line:
  junk2.schang.net 1
... Everything works. :-)

Actually the behavior for virtual mailboxes is what I expected -- the 
need to have the domain defined on the left-hand-side of the lookup. I 
was surprised that the virtual alias didn't require that.


So that's my question: why does a virtual mailbox domain need to be 
explicitly defined on the LHS of virtual_mailbox_maps, while a virtual 
alias domain works without the domain defined on the LHS of 
virtual_alias_maps?


Thank you.

--
Brian Schang

address_verify_map = btree:/var/lib/postfix/verify
address_verify_negative_cache = yes
address_verify_negative_expire_time = 6d
address_verify_negative_refresh_time = 1d
address_verify_positive_expire_time = 6d
address_verify_positive_refresh_time = 1d
alias_database = $alias_maps
alias_maps = hash:/etc/aliases, hash:/etc/postfix/aliases, ldap:/etc/postfix/ldap_aliases.cf
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports = 
delay_warning_time = 4h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mailbox_transport = 
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = !bb.schang.net,!blackberry.schang.net,!facebook.schang.net,!football.schang.net,!linux.schang.net,!lists.schang.net,!mobile.schang.net,!wireless.schang.net,!wixom.schang.net,schang.net
masquerade_exceptions = root
message_size_limit = 2048
mydestination = $myhostname,localhost.$mydomain,localhost,$mydomain,server2.schang.net
mydomain = schang.net
myhostname = s2.schang.net
mynetworks = cidr:/etc/postfix/network_table.cidr
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
notify_classes = resource,software,2bounce
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps = 
relayhost = 
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_tls_security_level = none
smtpd_client_restrictions = 
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = no
smtpd_helo_restrictions = 
smtpd_recipient_restrictions = hash:/etc/postfix/access reject_unknown_reverse_client_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks reject_unlisted_sender check_client_access hash:/etc/postfix/client_checks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname reject_unauth_destination check_recipient_access hash:/etc/postfix/recipient_checks reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net
smtpd_sasl_auth_enable = no
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = 
smtpd_tls_CAfile = /etc/postfix/ca.crt
smtpd_tls_cert_file = /etc/postfix/postfix-crt.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/postfix/postfix-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = none
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps, ldap:/etc/postfix/ldap_virtual_alias.cf
virtual_gid_maps = hash:/etc/postfix/virtual_gid_maps
virtual_mailbox_base = /var/spool/mail

Changing virtual mailbox for large messages

2009-03-29 Thread Brian Schang

Hello:

I have read through the Postfix documentation and have Googled for an
answer, but I have not found a solution for the following problem...


In a nutshell, I have a number of virtual_mailbox_domains and 
virtual_mailbox_maps and everything is working perfectly. Now for a 
given virtual user, I'd like to change the virtual mailbox being used if 
the message is over a given size.


For instance, assume that I have the following entry in 
virtual_mailbox_maps:

u...@example.com    example.com/user/mail/inbox

And then assume that u...@example.com gets a large message. In this 
case, I'd like the equivalent of the following:

u...@example.com    example.com/user/mail/large

Is there any way to do this in native Postfix? If not, I presume that I 
could accomplish what I'm looking for by using either procmail or 
maildrop. But since I'm using virtual as my virtual_transport, that will 
require some work. In this case, does anyone have any references to suggest?


Thanks.

Brian Schang