Re: Backup MX setup - alternative to db?

[CSS]

> On Apr 29, 2017, at 1:12 PM, CSS <c...@morefoo.com> wrote:
> 
> 
>> On Apr 29, 2017, at 6:41 AM, li...@lazygranch.com wrote:
>> 
>> I've never used rsync in daemon mode (if that is the right way to phrase 
>> it), but wouldn't that do everything automatically? 
> 
> I’m all set on transferring data, my main interest is in dumping the data 
> from mysql and then creating the same maps in another db storage format like 
> dbm for the other two hosts.
> 
> I got excited briefly when I saw the postmap “-s” flag, I was hoping I could 
> use that, but apparently that flag is not yet supported for mysql:
> 
> root@nac /home/spork]# postmap -s 
> mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
> postmap: fatal: table 
> mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf: sequence 
> operation is not supported
> [root@nac /home/spork]#
> 
> And it looks like the postmap “-q” flag can’t just take a wildcard and return 
> everything.
> 
> So my only option is to query mysql directly I think (again, unless someone 
> has some other clever way of doing it!).  Given how modular postfix appears, 
> I was thinking that one of the bundled utilities might be able to dump all 
> the maps in a common format.


This is what I ended up with.  It’s pretty basic, and probably can fail in bad 
ways, but it works.  On the other end there’s a short shell script that puts 
the files in place and runs postmap on all the relevant files.  The sync 
directory also includes some other files that I want to have the same, like a 
badrcpt file, postscreen whitelist, etc.

Charles

#!/usr/local/bin/perl -w

use DBI;
use Net::OpenSSH;

# db connection params
$db_user="mail";
$db_pass=“XXX";
$db_host="localhost";
$db_name="mail";
# files
$domain_file="/usr/local/etc/postfix-sync/relay_domains";
$recip_file="/usr/local/etc/postfix-sync/relay_recipients";
# rsync params
my $rhost = "sea.XXX.com";
my $ruser = "syncer";
my $srcdir  = '/usr/local/etc/postfix-sync/*';
my $destdir = "/home/syncer/postfix/";
my $rkey = "/root/.ssh/id_rsa_syncer”;

# connect to db
my $dbh = DBI->connect ("DBI:mysql:database=$db_name:host=$db_host", $db_user, 
$db_pass) or die "Can't connect to db: $DBI::errstr\n";

# query domain list
my $sth = $dbh->prepare( "SELECT domain FROM domain WHERE active = '1' AND 
domain != 'ALL'");

$sth->execute();

open(my $fh, '>', $domain_file) or die "Could not open file '$domain_file' $!”;

print $fh "# start of domains\n";

while ( my @row = $sth->fetchrow_array( ) )  {
 #print "@row\n";
 print $fh "@row\n\tx";
}
warn "Problem in retrieving results", $sth->errstr( ), "\n"
if $sth->err( );

print $fh "# end of domains\n";
close $fh;

open($fh, '>', $recip_file) or die "Could not open file '$recip_file' $!";

# query alias/mailbox list - this uses the postfixadmin schema
$sth = $dbh->prepare( "SELECT address FROM alias WHERE active = '1'");

$sth->execute();

print $fh "# start of aliases\n";

while ( @row = $sth->fetchrow_array( ) )  {
 #print "@row\n";
 print $fh "@row\tx\n";
}
warn "Problem in retrieving results", $sth->errstr( ), "\n"
if $sth->err( );

print $fh "# end of aliases\n";
close $fh;

# scp
my $ssh = Net::OpenSSH->new($rhost, user => $ruser, key_path => $rkey);
$ssh->scp_put({glob => 1}, $srcdir, $destdir)
or die "scp failed: " . $ssh->error;

exit;


> 
> Thanks,
> 
> Charles
> 
>> 
>> I know on Digital Ocean you can use a special network between "droplets" 
>> (VMs) that is local. There is no transit cost. Perhaps Vultr does the same 
>> thing.‎ 
>> 
>> Vultr has a free DNS.  
>> 
>> If I wasn't running FreeBSD, I'd probably be on Linode.
>> ‎https://www.vpsbenchmarks.com/
>> 
>> 
>> 
>> 
>> 
>>  Original Message  
>> From: CSS
>> Sent: Friday, April 28, 2017 12:49 PM
>> To: Postfix users
>> Subject: Backup MX setup - alternative to db?
>> 
>> Hi all,
>> 
>> I have a handful of personal domains that I host myself - both as a place to 
>> experiment a bit (I roll new things out here before using them on paying 
>> clients), and a place to play with things that don’t scale well. As of now, 
>> I just have a single MXer with a pretty standard Postfix setup. Domain/user 
>> maps are all in mysql.
>> 
>> I just grabbed a few VPSs since they are cheap and I wanted to try out 
>> Vultr.com. I bought the smallest possible -

Re: Backup MX setup - alternative to db?

[CSS]

> On Apr 29, 2017, at 6:41 AM, li...@lazygranch.com wrote:
> 
> I've never used rsync in daemon mode (if that is the right way to phrase it), 
> but wouldn't that do everything automatically? 

I’m all set on transferring data, my main interest is in dumping the data from 
mysql and then creating the same maps in another db storage format like dbm for 
the other two hosts.

I got excited briefly when I saw the postmap “-s” flag, I was hoping I could 
use that, but apparently that flag is not yet supported for mysql:

root@nac /home/spork]# postmap -s 
mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
postmap: fatal: table 
mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf: sequence operation 
is not supported
[root@nac /home/spork]#

And it looks like the postmap “-q” flag can’t just take a wildcard and return 
everything.

So my only option is to query mysql directly I think (again, unless someone has 
some other clever way of doing it!).  Given how modular postfix appears, I was 
thinking that one of the bundled utilities might be able to dump all the maps 
in a common format.

Thanks,

Charles

> 
> I know on Digital Ocean you can use a special network between "droplets" 
> (VMs) that is local. There is no transit cost. Perhaps Vultr does the same 
> thing.‎ 
> 
> Vultr has a free DNS.  
> 
> If I wasn't running FreeBSD, I'd probably be on Linode.
> ‎https://www.vpsbenchmarks.com/
> 
> 
> 
> 
> 
>   Original Message  
> From: CSS
> Sent: Friday, April 28, 2017 12:49 PM
> To: Postfix users
> Subject: Backup MX setup - alternative to db?
> 
> Hi all,
> 
> I have a handful of personal domains that I host myself - both as a place to 
> experiment a bit (I roll new things out here before using them on paying 
> clients), and a place to play with things that don’t scale well. As of now, I 
> just have a single MXer with a pretty standard Postfix setup. Domain/user 
> maps are all in mysql.
> 
> I just grabbed a few VPSs since they are cheap and I wanted to try out 
> Vultr.com. I bought the smallest possible - only 512MB of RAM. I’m running 
> nsd for DNS services (found setting up two small VPS’s to be cheaper, more 
> fun than paying for secondary NS), and I’d like to add backup MX to both 
> hosts. I do NOT want to run mysql or anything else that’s a memory pig on 
> these.‎
> 
> My idea to get my lookup maps in place is just to write a small perl script 
> that dumps my config info from mysql into flat files, uses scp to copy the 
> files over to the backup MXers, and then runs postmap on the output on the 
> backup MXers. Before I go ahead with this, any clever options that I’m 
> overlooking to have the same data on servers using different backing stores 
> for the maps?
> 
> Thanks,
> 
> Charles

Backup MX setup - alternative to db?

[CSS]

Hi all,

I have a handful of personal domains that I host myself - both as a place to 
experiment a bit (I roll new things out here before using them on paying 
clients), and a place to play with things that don’t scale well.  As of now, I 
just have a single MXer with a pretty standard Postfix setup.  Domain/user maps 
are all in mysql.

I just grabbed a few VPSs since they are cheap and I wanted to try out 
Vultr.com.  I bought the smallest possible - only 512MB of RAM.  I’m running 
nsd for DNS services (found setting up two small VPS’s to be cheaper, more fun 
than paying for secondary NS), and I’d like to add backup MX to both hosts. I 
do NOT want to run mysql or anything else that’s a memory pig on these.

My idea to get my lookup maps in place is just to write a small perl script 
that dumps my config info from mysql into flat files, uses scp to copy the 
files over to the backup MXers, and then runs postmap on the output on the 
backup MXers.  Before I go ahead with this, any clever options that I’m 
overlooking to have the same data on servers using different backing stores for 
the maps?

Thanks,

Charles

Re: clients connecting to port 25 with ssl/tls

[CSS]

> On Feb 22, 2016, at 5:11 PM, Rich Wales  wrote:
> 
> Regarding port 465 --
> 
> The last time I checked, iPhones and iPads refused to do STARTTLS on
> mail submission.  Since I use an iPad, I had no choice but to enable
> submission via port 465 (SSL) on my mail server -- in addition to
> STARTTLS on port 587 for use by other, saner devices.

That’s odd.  I’ve not used an iOS device since 6.x, but at that point I was 
running six accounts, and all were using port 587 and STARTTLS.

Charles

> 
> I would love, of course, to hear either that I was mistaken, or that
> Apple has enabled 587/STARTTLS on current iOS devices.
> 
> Rich Wales
> ri...@richw.org

OpenSSL CVE-2016-0701

[CSS]

http://intothesymmetry.blogspot.com/2016/01/openssl-key-recovery-attack-on-dh-small.html

It seems that there are a number of factors (that I do not understand) that 
determine whether an application is vulnerable.  For example, Apache/mod_ssl is 
not.

Is there enough information here to determine whether or not Postfix is 
vulnerable in typical configurations?

Charles

Re: OpenSSL CVE-2016-0701

[CSS]

> On Jan 28, 2016, at 8:38 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> 
> wrote:
> 
> On Thu, Jan 28, 2016 at 08:36:02PM -0500, CSS wrote:
> 
>> http://intothesymmetry.blogspot.com/2016/01/openssl-key-recovery-attack-on-dh-small.html
>> 
>> It seems that there are a number of factors (that I do not understand)
>> that determine whether an application is vulnerable.  For example,
>> Apache/mod_ssl is not.
>> 
>> Is there enough information here to determine whether or not Postfix is
>> vulnerable in typical configurations?
> 
> Postfix has never re-used public DH exponents, and it has never
> been possible to misconfigure Postfix to do so.

Awesome, thanks for replying!

Charles

> 
> -- 
>   Viktor.

Re: AntiSpam & AntiVirus Integration with Postfix: lots of tools, but which one's AREN'T 'dead'?

[CSS]

On Sep 8, 2015, at 11:20 PM, Wolfe, Robert  wrote:

> The best one I've found and what I use to host other people's spam filtering 
> is 
> http://www.virtualtothecore.com/en/efa-nice-free-spam-filter-virtual-appliance/
> 
> I have a separate VM with this set up and all mail goes through that before 
> hitting my Postfix box and my Exchange 2010 box.

On a slightly different tangent, I’m about to start working with this as a way 
to streamline how everything plugs into Postfix for inbound:

http://fuglu.org/

What attracted me is that it looks like it would simplify switching between 
various options, be it spam filtering, virus filtering, etc.

Charles


> 
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ken Peng
> Sent: Tuesday, September 08, 2015 8:06 PM
> To: postfix-users@postfix.org
> Subject: Re: AntiSpam & AntiVirus Integration with Postfix: lots of tools, 
> but which one's AREN'T 'dead'?
> 
> Google and just found one,
> https://www.digitalocean.com/community/tutorials/how-to-install-and-setup-spamassassin-on-ubuntu-12-04
> 
> HTH, :)
> 
> On 2015/9/9 星期三 9:01, joh...@fastmail.com wrote:
>> Ken
>> 
>> On Tue, Sep 8, 2015, at 05:49 PM, Ken Peng wrote:
>>> How about Spamassassin? we have been using it for a long time.
>> 
>> And how are you integrating it into Postfix.  That was my question not 
>> whether to use Spamassassin.  I kindof decided on that already in the 
>> original post.
>> 
>> John
>> 

Re: Security Compatibility

[CSS]

On May 24, 2015, at 9:28 AM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

 On Sun, May 24, 2015 at 06:38:50AM -0400, Postfix User wrote:
 
 smtpd_tls_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols = !SSLv2, !SSLv3
 
 Wouldn't the following be more secure:
 
 smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 
 No, these are less secure.  Bleeding edge security settings mean
 more email sent in the clear, or not delivered at all.

That is an excellent point.

 
 I thought I saw that listed on this forum earlier this year.
 
 Don't believe all the nonsense posted on the Internet.

Related to the previous paragraph, I know that when I fiddle with
SSL settings on a web server, I can easily dig up information on
exactly what OS/browser combinations Ill be denying service to (so
far, XP + IE6).  Having that confidence in knowing what possible
visitors Im denying is nice.

Is there any good reference for MTAs and MUAs out there?  Im
thinking of something like the matrix Qualsys shows in their test
results.

Whoever started this thread, thanks.  Its always been a little fuzzy
to me where OpenSSL and Postfix meet and decide which parameters are
set by default (or arent available).

Any future plans to incorporate other SSL libraries?

Thanks,

Charles

 -- 
   Viktor.

Re: spam fighting

[CSS]

On Apr 28, 2015, at 1:04 PM, Terry Barnum te...@dop.com wrote:

 
 On Apr 28, 2015, at 1:47 AM, Marius Gologan marius.golo...@gmail.com wrote:
 
 Hi Terry,
 
 I use amavisd-new/spamassassin in post-queue configuration with few
 adjustments: increased score for SPF_FAIL, DKIM_ADSP_DISCARD, Bayes_80,
 Bayes_95, Bayes_99, Bayes_999 and few others.
 Local DNS server - critical for RBL queries.
 As for postscreen, I preffer postscreen_greet_action = enforce only which
 doesn't require the client to retry (as opposite to greylist behavior),
 while is pretty effective against bots.
 
 Marius.
 
 Thank you for the reply Marius. Do the RBL queries from 
 amavisd-new/spamassassin require a local DNS because they're more resource 
 intensive than postscreen_dnsbl_sites or reject_rhsbl_* queries?

Regarding DNS lookups, depending on your mail volume, between postscreen, 
spamassassin and whatever else you’re running, you can generate quite a few 
queries on every connection attempt.  Depending on your overall architecture, 
having a dedicated recursor instance (or two or three) can really help.  You 
don’t want a large influx of email to have an impact on other consumers of DNS 
lookups.

I really like PowerDNS (recursor), as it’s quite efficient - at one point I had 
it running on an ancient dual P-III box and peaked at 10K queries/second, which 
was about double what I could achieve on the same hardware with dnscache 
(djbdns).  BIND is probably not at all appropriate for this (but may be perfect 
for other internal use where you need more features).

Charles

 
 I've received 16 UCE emails in the last hour--weight loss, wrinkle creams, 
 bird feeders, pharmacies. More pointers (favorite postfix techniques and/or 
 add-ons, sites to read, etc.) from those who've been successful in reducing 
 spam load are greatly appreciated.
 
 Thanks,
 -Terry
 
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Terry Barnum
 Sent: Tuesday, April 28, 2015 1:15 AM
 To: postfix users
 Subject: spam fighting
 
 We've been using postscreen and dspam for quite some time but in the past
 couple months more spam is making it through. I realize there's no
 one-size-fits-all approach but because dspam isn't actively developed
 anymore I've started looking around and am curious what others are using. Is
 amavisd-new/spamassassin the preferred solution? My company is small with
 30 users.
 
 Perhaps my postscreen settings could be improved? postscreen_access.cidr is
 a small file with 4 entries to whitelist customers that aren't implicated in
 the increase in spam.
 
 $ postconf -n
 broken_sasl_auth_clients = yes
 command_directory = /opt/local/sbin
 daemon_directory = /opt/local/libexec/postfix
 data_directory = /opt/local/var/lib/postfix
 debugger_command =
 PATH=/opt/local/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
 $daemon_directory/$process_name $process_id  sleep 5
 default_privs = nobody
 delay_warning_time = 4h
 dovecot_destination_recipient_limit = 1
 dspam-lmtp_destination_recipient_limit = 1
 home_mailbox = Maildir/
 html_directory = no
 inet_protocols = ipv4
 mail_owner = _postfix
 mailq_path = /opt/local/bin/mailq
 manpage_directory = /opt/local/share/man
 message_size_limit = 5120
 mydestination = $myhostname, localhost.$mydomain, localhost
 myhostname = mailbox.dop.com
 mynetworks = 192.168.0.0/23, 127.0.0.0/8
 myorigin = $mydomain
 newaliases_path = /opt/local/bin/newaliases
 postscreen_access_list = permit_mynetworks,
 cidr:/opt/local/etc/postfix/postscreen_access.cidr
 postscreen_bare_newline_action = enforce
 postscreen_bare_newline_enable = yes
 postscreen_blacklist_action = drop
 postscreen_dnsbl_action = enforce
 postscreen_dnsbl_sites = 
 b.barracudacentral.org=127.0.0.2*7 
 dnsbl.inps.de=127.0.0.2*7 
 bl.mailspike.net=127.0.0.2*5 
 bl.mailspike.net=127.0.0.[10;11;12]*4 
 dnsbl.sorbs.net=127.0.0.10*8 
 dnsbl.sorbs.net=127.0.0.5*6 
 dnsbl.sorbs.net=127.0.0.7*3 
 dnsbl.sorbs.net=127.0.0.8*2 
 dnsbl.sorbs.net=127.0.0.6*2 
 dnsbl.sorbs.net=127.0.0.9*2 
 zen.spamhaus.org=127.0.0.[10;11]*8 
 zen.spamhaus.org=127.0.0.[4..7]*6 
 zen.spamhaus.org=127.0.0.3*4 
 zen.spamhaus.org=127.0.0.2*3 
 hostkarma.junkemailfilter.com=127.0.0.2*3 
 hostkarma.junkemailfilter.com=127.0.0.4*1 
 hostkarma.junkemailfilter.com=127.0.1.2*1 
 wl.mailspike.net=127.0.0.[18;19;20]*-2 
 list.dnswl.org=127.0.[0..255].0*-2 
 list.dnswl.org=127.0.[0..255].1*-3 
 list.dnswl.org=127.0.[0..255].2*-4 
 list.dnswl.org=127.0.[0..255].3*-5 
 hostkarma.junkemailfilter.com=127.0.0.1*-2
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_ttl = 5m
 postscreen_greet_action = enforce
 postscreen_non_smtp_command_enable = yes
 postscreen_pipelining_action = enforce
 postscreen_pipelining_enable = yes
 proxy_interfaces = 70.167.15.110
 queue_directory = /opt/local/var/spool/postfix
 readme_directory = /opt/local/share/postfix/readme
 sample_directory = /opt/local/share/postfix/sample
 

per-user attachment blocking?

[CSS]

Google’s not feeding me much on doing this on a per-user basis…

I’d like to give users the option to block emails with certain attachments - 
zip, exe, etc.

I know that server-wide the simplest option is header checks.  I’m open to 
adding another milter to my chain of milters.  I already have sql-backed prefs 
for other purposes, so it seems like it should be easy, I just need the right 
milter…

Of course if anyone has any general hints about the current rash of malware 
coming from clean IPs that passes some fairly strict postscreen and SA checks, 
I’m more than happy to hear about that as well.

Thanks,

Charles

Re: DMARC

[CSS]

My apologies for top-posting here, but I’m going to ask for something related 
to this thread…

I’ve subscribed to this list for some time, and it’s full of good information, 
including things that don’t really have anything to do with Postfix.  I’m fine 
with that, but these threads do sometimes get shut down since they are 
technically off-topic.  Clearly people are posing questions like this here 
because they know this list is full of knowledgeable posters who have 
experience with large scale email deployments.

Given that, is there another list I’ve not found where all these spam and email 
policy topics are welcome AND there’s a good userbase?

Now back to the off-topic, but valuable DMARC discussion...

Thanks,

Charles

On Jan 18, 2015, at 8:14 PM, John j...@klam.ca wrote:

 I am not sure about implementing DMARC on my servers.
 However, is it worth adding a DMARC record to the DNS? What, if anything, 
 would it buy us.
 If we were to add such a record, what would be the best setup/set of 
 parameters be?
 
 -- 
 John Allen
 KLaM
 --
 How many of you believe in telekinesis? Raise my hand...
 



smime.p7s
Description: S/MIME cryptographic signature

Re: limit sender based on IP and email address

[CSS]

On Sep 23, 2014, at 3:40 AM, Robert Schetterer r...@sys4.de wrote:

 Am 23.09.2014 um 09:28 schrieb CSS:
 Im having a hard time copying something I did in qmail (using some
 random patch).
 
 Ive got four postfix instances, two used exclusively for submission
 (all outbound email from us), two as mxers (all inbound email,
 primary then forwards to an old qmail/vpopmail setup).
 
 Im looking to have a list of staff/role accounts defined and limit
 those senders to only be able to reach the mxers via the submission
 hosts.
 
 Example:
 
 sender: supp...@example.com
 recipient: any...@example.com
 connecting IP (from mxer’s view): either of our submission servers
 action: accept
 
 vs.
 
 sender: supp...@example.com
 recipient: any...@example.com
 connecting IP (from mxer’s view): not either of our submission servers
 action: reject
 
 vs.
 
 sender: randomcusto...@example.com
 recipient: any...@example.com
 connecting IP (from mxer’s view): not either of our submission servers
 action: accept
 
 I can block senders, I can block hosts, but Im not clear on how to
 combine the two criteria.
 
 The last example is something I dont want to support, but we do have
 people relaying through their own ISP and using a (legit) sender
 address from our domain.  This also keeps me from effectively using
 SPF, and I dont see this policy changing anytime soon.
 
 Can someone point me to the right section of the docs?
 
 Thanks,
 
 Charles
 
 ps - for the curious, qmails badmailfromnorelay patch lets you
 combine a list of senders that are banned only if the RELAYCLIENT
 env var is not set.
 
 
 perhaps this helps
 
 http://www.postfix.org/RESTRICTION_CLASS_README.html

I suspect I was making this more complicated than it needed to be.

I took the example used for the all@ alias and modified that a bit
to apply to the sender rather than recipient (the banned_senders map
is just some sender address permabans, banned_senders_norelay is the
one of interest here:

smtpd_sender_restrictions =
check_sender_access hash:$config_directory/banned_senders,
hash:$config_directory/banned_senders_norelay

banned_senders_norelay looks like this:

supp...@example.com permit_mynetworks,reject 
n...@example.compermit_mynetworks,reject
bill...@example.com permit_mynetworks,reject
[etc.]

The relays that would be sending mail with those from addresses are
already part of mynetworks, so as long as our employees relay
through those senders, they can send as those various role accounts.
If someone from outside attempts to use those addresses they are
denied.  The same rules exist on both the primary and secondary
mxers.

It appears this is accomplishing what I want without having to
resort to strict SPF checks.

Thanks for pushing me to read that README again

Charles


 
 or you try some policy server
 
 
 Best Regards
 MfG Robert Schetterer
 
 -- 
 [*] sys4 AG
 
 http://sys4.de, +49 (89) 30 90 46 64
 Franziskanerstraße 15, 81669 München
 
 Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
 Vorstand: Patrick Ben Koetter, Marc Schiffbauer
 Aufsichtsratsvorsitzender: Florian Kirstein

limit sender based on IP and email address

[CSS]

Im having a hard time copying something I did in qmail (using some
random patch).

Ive got four postfix instances, two used exclusively for submission
(all outbound email from us), two as mxers (all inbound email,
primary then forwards to an old qmail/vpopmail setup).

Im looking to have a list of staff/role accounts defined and limit
those senders to only be able to reach the mxers via the submission
hosts.

Example:

sender: supp...@example.com
recipient: any...@example.com
connecting IP (from mxer’s view): either of our submission servers
action: accept

vs.

sender: supp...@example.com
recipient: any...@example.com
connecting IP (from mxer’s view): not either of our submission servers
action: reject

vs.

sender: randomcusto...@example.com
recipient: any...@example.com
connecting IP (from mxer’s view): not either of our submission servers
action: accept

I can block senders, I can block hosts, but Im not clear on how to
combine the two criteria.

The last example is something I dont want to support, but we do have
people relaying through their own ISP and using a (legit) sender
address from our domain.  This also keeps me from effectively using
SPF, and I dont see this policy changing anytime soon.

Can someone point me to the right section of the docs?

Thanks,

Charles

ps - for the curious, qmails badmailfromnorelay patch lets you
combine a list of senders that are banned only if the RELAYCLIENT
env var is not set.

Dealing with a lookup with null result?

[CSS]

Quick question…  

I finally decided to build a web UI for our support guys to be able to manually 
kill relaying for compromised accounts using the new check_sasl_access 
(http://www.postfix.org/postconf.5.html#check_sasl_access) feature introduced 
in 2.11. 

A thread regarding this is here: 
http://thread.gmane.org/gmane.mail.postfix.user/245474

So this does work - in my main mail account db table I added a column.  If it’s 
empty, then the user is OK.  If it contains something like “REJECT 5.7.1 
Account Compromised”, then that error is returned to the sender, and all is 
well.

My main.cf checks look like this, with this check coming first:

smtpd_recipient_restrictions =
 check_sasl_access proxy:mysql:$config_directory/sasl-access.cf
 check_policy_service inet:127.0.0.1:10031,  # policyd
 permit_sasl_authenticated,
 permit_mynetworks,
 reject_unauth_destination

sasl-access.cf looks like this:

hosts = 10.88.77.xx 10.88.77.xx
user = 
password = 
dbname = vpopmail
query = SELECT postfix_deny FROM vpopmail WHERE pw_name='%u' AND pw_domain='%d’;

As noted, this functions well, but Postfix does not like the empty answer when 
there’s no match:

Sep 17 12:27:16 smtp1 postfix/proxymap[46006]: warning: table 
mysql:/usr/local/etc/postfix/sasl-access.cf: empty lookup result for: 
“x...@example.com — ignored

I briefly considered putting some kind of positive response as the default then 
realized that would short circuit my other checks (I think?).  Is there a value 
I can return that will quell this warning but not allow any sasl-auth’d user to 
relay if the other checks would have blocked them?

Thanks,

Charles

Re: Dealing with a lookup with null result?

[CSS]

On Sep 17, 2014, at 2:19 PM, Wietse Venema wie...@porcupine.org wrote:

 CSS:
 Quick question?
 
 I finally decided to build a web UI for our support guys to be
 able to manually kill relaying for compromised accounts using the
 new check_sasl_access
 (http://www.postfix.org/postconf.5.html#check_sasl_access) feature
 introduced in 2.11.
 
 A thread regarding this is here:
 http://thread.gmane.org/gmane.mail.postfix.user/245474
 
 So this does work - in my main mail account db table I added a
 column.  If it's empty, then the user is OK.  If it contains
 something like 'REJECT 5.7.1 Account Compromised' then that error
 is returned to the sender, and all is well.
 
 Postfix does not accept empty responses. If you want to report not
 found then that is what the database should respond with. If you
 cannot do that, then return DUNNO for the Postfix access map, and
 return something else human users.

Got it.  Just did a quick test and DUNNO as a response seems to
work.  I manually set my policyd tracking to look like Id sent 8,000
emails in the last 30 minutes and my checks properly went past the
DUNNO and on to the REJECT from the policyd service.  I often get
confused about the difference between responses from a policy check
and an access check.  I guess they are basically the same.

Thanks so much,

Charles

 
   Wietse

Fronting another mail server, best practices?

[CSS]

Hello,

I know it’s fairly common for people to use postfix as a spam-eating/tagging 
gateway in environments where Exchange or some other MTA is mandatory.  In my 
case, I’m fronting an old qmail/vpopmail setup which is probably never going to 
go away.  Right now I have basic transport rules that force everything to qmail 
listening on an internal IP, and that works fine.

In the interest of efficiency and making sure I’m actually doing this 
correctly, is there any other option (especially with qmail, and on the same 
host) to inject the mail into qmail?  smtp to smtp works, and I think I have my 
user/alias lookups working fine (vpopmail stores this in a db, postfix queries 
same db, and I run a policy server to verify quotas on primary and backup mx), 
but something about this seems a bit inefficient.  Am I missing any options?  I 
see postfix has a qmqp server, but not a client, not sure that if one existed 
that would be a better option or not.

Is there anything else I should be looking at for both the handoff from postfix 
to qmail and any general gotchas when handing email off to a “hidden” server?

Thanks,

Charles

Re: Killing user's session

[CSS]

On Aug 24, 2014, at 12:18 PM, D'Arcy J.M. Cain da...@vex.net wrote:

 On Sun, 24 Aug 2014 16:06:36 +
 Viktor Dukhovni postfix-us...@dukhovni.org wrote:
 Postfix 2.11 or later has a new feature:
 
http://www.postfix.org/postconf.5.html#check_sasl_access
 
 If your relay restrictions look like:
 
main.cf:
  indexed = ${default_database_type}:${config_directory}/
  smtpd_relay_restrictions =
  check_sasl_access ${indexed}sasl-access,
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination
 
 (before any user account is compromised), then once an account
 is hijacked:
 
sasl-access:
  lu...@example.com REJECT 5.7.1 Your login is compromised.
 
 This is a particularly good solution as it allows the user to continue
 receiving email so that you can send them them a message explaining
 exactly what the problem is.

And I assume this can be sql-backed, correct?  So it should be easy
to build a web-based tool for staff to nuke/un-nuke account once the
issue has been addressed.


Charles

 
 -- 
 D'Arcy J.M. Cain
 System Administrator, Vex.Net
 http://www.Vex.Net/ IM:da...@vex.net
 VoIP: sip:da...@vex.net

Re: Log the HELO/EHLO name?

[CSS]

On Feb 25, 2014, at 9:50 AM, Noel Jones wrote:

 On 2/25/2014 4:44 AM, Eivind Olsen wrote:
 Hello (or should that be EHLO? :))
 
 It has been a while since I've had a need to change my Postfix
 configuration, so I'm a bit rusty. I have searched, checked the
 configuration, etc. No luck yet.
 
 Is it possible to get Postfix to log the hostname presented to it during
 HELO/EHLO? Any configuration setting I've missed? Or will I have to change
 the sourcecode for this?
 
 
 If you don't want to patch the source, an easy workaround is to add
 to your header_checks file:
 /^From: / WARN
 which will log some information including the helo. This works with
 any version of postfix.
 
 
 
 If you don't mind a little patch, here's a simple patch I've used
 for years to log the HELO hostname. This will apply to postfix 2.8
 and newer.

That is so qmail-esque (in a good way, seriously).  I really like
the idea of logging the helo from a data analysis perspective.

I wonder if you could do this with a simple policy server?  IIRC,
the helo is one of the bits of data passed to the policy server, and
logging the IP, to/from, helo and a few other things seems like it
would be pretty simple.  And just return an OK.  Of course it would
be a totally separate log file, but you'd have the data and you
wouldn't have to alter the postfix source.

Also a quick question on the patch below - if you're running
postscreen, and it has decided a sending host is bad, will the
connection ever hit the real smtpd daemon and be logged?

Thanks,

Charles

ps - I lurk here and just wanted to say thanks to all for postfix
and the list denizens.  I just started work on putting an old
qmail/vpopmail setup behind postfix and I'm just consistently blown
away by the flexibility of postfix - it's hard to find an unsolvable
problem.

 
 Sample log entry:
 Feb 25 08:40:39 mx1 postfix/smtpd[30241]: NOQUEUE:
 client=mail.example.com[192.2.0.2], helo=mail.example.com
 
 Note the modified log entry may break some log parsers, but is
 compatible with pflogsumm.pl and postfix-logwatch.
 
 
 (beware line wrapping)
 
 --- /usr/local/src/postfix-2.8-20100728/src/smtpd/smtpd.c   Mon
 Jul 26 18:39:39 2010
 +++ src/smtpd/smtpd.c   Tue Aug 10 16:42:36 2010
 @@ -1916,13 +1916,16 @@
 #define PRINT2_OR_NULL(cond, name, value) \
PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond),
 (value))
 
 -   msg_info(%s: client=%s%s%s%s%s,
 +   msg_info(%s: client=%s%s%s%s%s%s%s%s%s,
 (state-queue_id ? state-queue_id : NOQUEUE),
 state-namaddr,
 PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
, orig_queue_id=,
 FORWARD_IDENT(state)),
 PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
 -   , orig_client=,
 FORWARD_NAMADDR(state)));
 +   , orig_client=,
 FORWARD_NAMADDR(state)),
 +, helo=, state-helo_name ? state-helo_name : ,
 +PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
 +   , orig_helo=,  FORWARD_HELO(state)
 ? FORWARD_HELO(state) : ));
 return (0);
 }
 
 --- /usr/local/src/postfix-2.8-20100728/src/smtpd/smtpd_sasl_proto.c
   Mon Jul 26 18:40:14 2010
 +++ src/smtpd/smtpd_sasl_proto.cTue Aug 10 17:56:42 2010
 @@ -243,7 +243,7 @@
 #define PRINT2_OR_NULL(cond, name, value) \
PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond),
 (value))
 
 -msg_info(%s: client=%s%s%s%s%s%s%s%s%s%s%s,
 +msg_info(%s: client=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s,
 (state-queue_id ? state-queue_id : NOQUEUE),
 state-namaddr,
 PRINT2_OR_NULL(state-sasl_method,
 @@ -255,7 +255,10 @@
 PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
, orig_queue_id=, FORWARD_IDENT(state)),
 PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
 -   , orig_client=, FORWARD_NAMADDR(state)));
 +   , orig_client=, FORWARD_NAMADDR(state)),
 +, helo=, state-helo_name ? state-helo_name : ,
 +PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
 +   , orig_helo=,  FORWARD_HELO(state) ?
 FORWARD_HELO(state) : ));
 }
 
 /* smtpd_sasl_mail_reset - SASL-specific MAIL FROM cleanup */
 
 
 
 
 
 
  -- Noel Jones

Re: Log the HELO/EHLO name?

[CSS]

On Feb 25, 2014, at 7:35 PM, Noel Jones wrote:

 On 2/25/2014 6:06 PM, CSS wrote:
 
 On Feb 25, 2014, at 9:50 AM, Noel Jones wrote:
 
 On 2/25/2014 4:44 AM, Eivind Olsen wrote:
 Hello (or should that be EHLO? :))
 
 It has been a while since I've had a need to change my Postfix
 configuration, so I'm a bit rusty. I have searched, checked the
 configuration, etc. No luck yet.
 
 Is it possible to get Postfix to log the hostname presented to it during
 HELO/EHLO? Any configuration setting I've missed? Or will I have to change
 the sourcecode for this?
 
 
 If you don't want to patch the source, an easy workaround is to add
 to your header_checks file:
 /^From: / WARN
 which will log some information including the helo. This works with
 any version of postfix.
 
 
 
 If you don't mind a little patch, here's a simple patch I've used
 for years to log the HELO hostname. This will apply to postfix 2.8
 and newer.
 
 That is so qmail-esque (in a good way, seriously).  I really like
 the idea of logging the helo from a data analysis perspective.
 
 I wonder if you could do this with a simple policy server?  IIRC,
 the helo is one of the bits of data passed to the policy server, and
 logging the IP, to/from, helo and a few other things seems like it
 would be pretty simple.  And just return an OK.  Of course it would
 be a totally separate log file, but you'd have the data and you
 wouldn't have to alter the postfix source.
 
 Yes, that's possible.  Make sure your policy service always returns
 DUNNO, not OK, to postfix.  But having a separate log seems messy.

Just to make sure I understand this, DUNNO is going to let any
further policy checks happen, OK would stop the match and any
further checks would not happen (which would be bad), correct?
Bear with me, I've skated along with minimal knowledge of Postfix
for years and have just started ingesting the docs on the policy
stuff…

I don't think I'd personally implement such a thing, although I am
now thinking it might be nifty to try my hand at a simple statistics
gathering policy server as a little exercise in putting such a thing
together.  I know you can grab lots of information with various log
analysis tools, but as an exercise it might be fun.

 Also a quick question on the patch below - if you're running
 postscreen, and it has decided a sending host is bad, will the
 connection ever hit the real smtpd daemon and be logged?
 
 Postfix always includes the helo (if available) in a reject log
 entry, whether the reject happens in postscreen or elsewhere. No
 patch needed for that.

Good to know, thanks.  Wietse confirmed what I was assuming was
true, that in the very specific case of the patch that was posted,
it would not see any connections that postscreen blocked.

Thanks,

Charles

 
 
 
  -- Noel Jones
 
 
 Thanks,
 
 Charles
 
 ps - I lurk here and just wanted to say thanks to all for postfix
 and the list denizens.  I just started work on putting an old
 qmail/vpopmail setup behind postfix and I'm just consistently blown
 away by the flexibility of postfix - it's hard to find an unsolvable
 problem.
 
 
 Sample log entry:
 Feb 25 08:40:39 mx1 postfix/smtpd[30241]: NOQUEUE:
 client=mail.example.com[192.2.0.2], helo=mail.example.com
 
 Note the modified log entry may break some log parsers, but is
 compatible with pflogsumm.pl and postfix-logwatch.
 
 
 (beware line wrapping)
 
 --- /usr/local/src/postfix-2.8-20100728/src/smtpd/smtpd.c   Mon
 Jul 26 18:39:39 2010
 +++ src/smtpd/smtpd.c   Tue Aug 10 16:42:36 2010
 @@ -1916,13 +1916,16 @@
 #define PRINT2_OR_NULL(cond, name, value) \
   PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond),
 (value))
 
 -   msg_info(%s: client=%s%s%s%s%s,
 +   msg_info(%s: client=%s%s%s%s%s%s%s%s%s,
(state-queue_id ? state-queue_id : NOQUEUE),
state-namaddr,
PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
   , orig_queue_id=,
 FORWARD_IDENT(state)),
PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
 -   , orig_client=,
 FORWARD_NAMADDR(state)));
 +   , orig_client=,
 FORWARD_NAMADDR(state)),
 +, helo=, state-helo_name ? state-helo_name : ,
 +PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
 +   , orig_helo=,  FORWARD_HELO(state)
 ? FORWARD_HELO(state) : ));
return (0);
 }
 
 --- /usr/local/src/postfix-2.8-20100728/src/smtpd/smtpd_sasl_proto.c
  Mon Jul 26 18:40:14 2010
 +++ src/smtpd/smtpd_sasl_proto.cTue Aug 10 17:56:42 2010
 @@ -243,7 +243,7 @@
 #define PRINT2_OR_NULL(cond, name, value) \
   PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond),
 (value))
 
 -msg_info(%s: client=%s%s%s%s%s%s%s%s%s%s%s,
 +msg_info(%s: client=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s,
(state-queue_id ? state-queue_id : NOQUEUE),
state-namaddr,
PRINT2_OR_NULL(state

more logging of policy servers

[CSS]

Hello,

I'm having trouble chasing down an occasional delay in our submission service.  
We run policyd to enforce sending quotas, and I sometimes see a 1 minute to 2 
minute delay between the connect from… line in the postix log and the line 
from cbpolicyd that lists the information it's inserting into the quota 
tracking table.  The delay almost feels like a dns issue to me, but I'm not 
seeing anything obvious.

Is there any way for me to get some more verbose logging out of postfix in the 
specific area of policy server connects, transactions and results?  I haven't 
seen anything in the policy server section of the postfix online docs, but I 
suspect I may have missed something.  Ideally I'd at least like to see a log of 
when postfix connects to the policy server, when it sends the data, and when it 
receives the data.  I know I should be able to get this from policyd, but as I 
turn up the verbosity, I'm not getting any useful (to me) data - just more 
verbose info about the db query it makes.

Thanks,

Charles

Re: more logging of policy servers

[CSS]

On May 27, 2013, at 5:58 PM, Wietse Venema wrote:

 CSS:
 Hello,
 
 I'm having trouble chasing down an occasional delay in our submission
 service.  We run policyd to enforce sending quotas, and I sometimes
 see a 1 minute to 2 minute delay between the connect from? line
 in the postix log and the line from cbpolicyd that lists the
 
 1) How many concurrent connections will the policy daemon handle?

Ah.  Thank you.

# Medium mailserver: 4, 4, 12, 25, 1000
# Large mailserver: 8, 8, 16, 64, 1000
#
min_servers=4
min_spare_servers=4
max_spare_servers=12
max_servers=25
max_requests=1000

 2) How many concurrent connections will the Postfix SMTP daemon handle?

smtpd_client_connection_count_limit = 50

 The answer to 1) must not be smaller than the answer to 2),
 otherwise there will be 100-second delays.

smtpd_policy_service_timeout = 100s

Thanks, that's obviously part of my problem.

The other part is figuring out why with less than 2,000 active users I'm seeing 
all slots used up.  Two hosts answer for 'smtp.mydomain.com', so I can accept 
(roughly) 100 concurrent connections.  These hosts only do relay, they aren't 
mxers for anything, so there must be some sort of shenanigans going on here 
with some bots or something do auth guessing or similar.

I'll break out a log analyzer and see what my connection rate looks like over 
time.

Thanks for your help, much appreciated.

Charles

 
   Wietse

Re: Alert of unusually large queue

[CSS]

On Oct 20, 2012, at 4:08 PM, Jan P. Kessler wrote:

 Hey guys,
 
 if [ `$mailq_count` -gt 50 ]; then echo Mail count on Server is 
 `$mailq_count`|/usr/sbin/sendmail -f r...@example.com repo...@example.com ; 
 fi
 
 I'm not sure, if sending an e-mail about a full mailqueue-condition is
 the best way to go ;-)

Any of these checks could be handled by Nagios or anything else that can easily 
execute a remote command.  Or tie it into your snmp daemon…

But yeah, a problem with a giant queue that piles up between cron'd intervals 
could certainly lead to some missed alerts. :)

Charles

 cheers, Jan
 

Re: Block sending from non-US IPs

[CSS]

On Oct 17, 2012, at 4:51 PM, /dev/rob0 wrote:

 On Wed, Oct 17, 2012 at 03:41:08PM -0500, Thomas E Lackey wrote:
 I am looking into a system where one of the [virtual] mail accounts 
 was compromised.
 
 Apparently the account, once compromised, was used to send spam 
 from overseas hosts.  Since the company has no overseas users, they 
 asked if it were possible to block outbound/relaying activity from 
 all non-US IP addresses, even from authenticated accounts, while 
 still allowing inbound SMTP from non-US IPs.  And, of course, they 
 would like to retain sending from US IPs from authenticated 
 accounts.
 
 I am pretty familiar with Postfix, but this combination has me
 scratching my head.  Is it doable?
 
 Not easily, and there is little reason to think it would be very 
 effective. If you could compile (or query) a list of the IP address 
 ranges and use it as check_client_access, you have succeeded with 
 that part of your goal, but you probably have not accomplished the
 real goal. What about when the ratware is sending from your user's 
 US-based computer?
 
 This issue last came up on this list today, and before that, 
 yesterday (thanks Jeroen!) The real answer is rate limiting and
 content filtering of authenticated senders.

I can add too that if you're using policyd2 for the outbound rate
limiting, it stores the per-user tracking informtion in a database,
which makes it really easy to monitor.  If you tighten up the rules
to something like a few hundred messages an hour and have your
existing monitoring system do a simple sql query against the policyd
db so you get alerted when someone trips the limit (or starts 
approaching the limit) you can respond to hijacked accounts pretty 
quickly and avoid most of the collateral damage.

Charles

 -- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:

Re: BCP on throttling outbound mail

[CSS]

On Jul 24, 2012, at 2:37 AM, Stan Hoeppner wrote:

 On 7/24/2012 12:44 AM, CSS wrote:
 
 On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote:
 
 On 7/23/2012 4:16 PM, CSS wrote:
 
 I'd like to take some measures to limit what an authenticated sender can 
 do but not limit legitimate use.
 
 See:
 http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
 
 You would apply this to your submission service, eg:
 
 587  inet  n   -   n   -   -   smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_connection_rate_limit=1
 
 This limits spammers and legit users to 1 msg/min, 60 msgs per hour.
 Postfix is not psychic.
 
 This may be a problem for roaming users who send batches of mails when
 they get a connection--10 msgs takes 10 minutes.  Thus, as with
 anything, some analysis and [re]tuning will be required.  If you trust
 some users to never have their acct compromised, you can always create
 multiple submission services on different ports and have different
 limits for different sets of users, or even no limits for some.
 
 Not a perfect solution, but better than what you have now.
 
 If I can cobble this thing together, the quota module offers things like 
 messages per day or per hour, which is a fairly reasonable way to restrict 
 customers.
 
 Apparently you didn't read the docs I provided.
 http://www.postfix.org/postconf.5.html#anvil_rate_time_unit

I actually have some rate-limiting already, but obviously not enough.

 
 The time unit over which client connection rates and other rates are
 calculated.
 
 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds)

Perhaps I'm misunderstanding this, but I was under the impression that the 
anvil limits were all enforced on a per-connection or per-IP limit.  I'm really 
after something that can track a particular sasl-authenticated user and punish 
them (and not other users).  I'll re-read what I can find on anvil again, the 
recommendations against its use in this situation may have been dated.

 
 Are there any other specific policy daemons I've missed that deal explicitly 
 with rate-limiting?
 
 Probably.  But I think you summarily discounted the inbuilt Postfix
 equivalent too quickly, without even looking at it.  You can having it
 running in less than 60 seconds.

Which I may just do in hopes it can provide a base level of protection.

 
 It seems like the internet as whole would certainly benefit from a 
 dead-simple policy daemon that could thwart the attempts of spammers using 
 hijacked credentials to spew their junk.
 
 You'd think humans beings would be smart enough to follow directions and
 use strong passwords, AV software, etc, and not fall for phishing scams.
 Your adversary in this war isn't the spammers, it's not the technology,
 but your users.

I've worked with end users since 1995.  They aren't changing.  In fact, the 
facebook-ization of the internet is bringing us right back to the good old AOL 
days of walled gardens.  Users are getting less, not more savvy.

 
 You should not be expending any more time/effort on the tech piece of
 the solution beyond finding the most basic rate limiting tool and
 enabling it to prevent spewage, right now.  This is the smallest battle
 in this war.

Funny, as I was speaking to my partner about this issue and he was wondering 
why all the spam wars are being fought on the recipient end - so many cpu 
cycles and hardware to filter the 20% or so of good mail from the bad.  He 
could not grasp why the source of the spam could not be legislated away.

 The big battles are user education (AV software on their machines, safe
 surfing habits, anti-phish education, etc), and wholesale forcing all
 users to change to *enforced* strong passwords.

I had suspected a guessable password, and I was wrong.  This customer routinely 
calls in with various issues and the tech that works with them has the password 
so he can login to webmail as the customer and verify whatever oddity they see. 
 It was not the best, but it was random, mixed-case, mixed numbers and letters. 
 Was it a *unique* password?  Probably not...

 The user related stuff wins this war.  The tech portion merely decreases
 the amount of damage per clueless user battle.

The war will be lost.  TimeWarner, Comcast, Verizon and everyone else is not 
going to either lose customers by cutting off the ever-infected clueless or 
spend time (money) educating them...

Charles


 -- 
 Stan
 

Re: BCP on throttling outbound mail

[CSS]

On Jul 24, 2012, at 6:23 AM, Len Conrad wrote:

 At 04:16 PM 7/23/2012, you wrote:
 Hello,
 
 Sorry for the broad question, but is there any sort of best common practice 
 these days regarding limiting outbound email?  We recently had a customer's 
 account compromised (not sure if it was brute-forced or keylogged) and then 
 the perp proceeded to use their credentials to smtp-auth themselves a huge 
 load of vxa spam.
 
 I'd like to take some measures to limit what an authenticated sender can do 
 but not limit legitimate use.  I assume this is not an uncommon scenario, 
 but pointers from those with more Postfix experience would be quite welcome.
 
 I do have amavis available for outbound virus scanning, and could 
 conceivably have it do the same with spam scanning but that feels not quite 
 right (and probably fairly resource intensive if someone was trying to cram 
 tens of thousands of messages through the system).
 
 Thanks,
 
 Charles
 
 I've been using postfwd.org for rate-limiting outbound senders, and inbound 
 senders and IPs, plus lots of other inbound filtering, for a 2+ years.  It 
 killed our horrible problem of cracked passwords.

If you could share some of the basics of that config, I'd love to see them.  I 
looked at that briefly before slogging through policyd/cluebringer, and a (very 
quick) read of their intro page didn't make it obvious that you could track 
per-user message counts.

Does anyone use the old non-perl policyd1?  That looked like an easy setup, but 
it's quite old.

For anyone interested, a very basic per-user (more specifically, per 
authenticated user, which is the only kind of user I've got outside of web apps 
submitting w/php) setup ended up being fairly easy to implement.  The config is 
all sql-based, I'd be more than happy to share a dump of the config I ended up 
with.  I have some doubts about how well it scales, and I've also added another 
single point of failure to all inbound and outbound email, but it does what it 
says it does.

The policy I setup basically matches all sasl-authenticated users and puts them 
in a queue that limits them to 100 messages per hour.  That's my starting 
point, I'll probably adjust it at some point.  For web applications, I'm going 
to install ssmtp and configure that to send with a dedicated username which 
will have its own limits.

Thanks,

Charles

 Len
 
 
 
 
 
 
 

BCP on throttling outbound mail

[CSS]

Hello,

Sorry for the broad question, but is there any sort of best common practice 
these days regarding limiting outbound email?  We recently had a customer's 
account compromised (not sure if it was brute-forced or keylogged) and then the 
perp proceeded to use their credentials to smtp-auth themselves a huge load of 
viagra spam.

I'd like to take some measures to limit what an authenticated sender can do but 
not limit legitimate use.  I assume this is not an uncommon scenario, but 
pointers from those with more Postfix experience would be quite welcome.

I do have amavis available for outbound virus scanning, and could conceivably 
have it do the same with spam scanning but that feels not quite right (and 
probably fairly resource intensive if someone was trying to cram tens of 
thousands of messages through the system).

Thanks,

Charles

Re: BCP on throttling outbound mail

[CSS]

On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote:

 On 7/23/2012 4:16 PM, CSS wrote:
 
 I'd like to take some measures to limit what an authenticated sender can do 
 but not limit legitimate use.
 
 See:
 http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
 
 You would apply this to your submission service, eg:
 
 587  inet  n   -   n   -   -   smtpd
   -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_connection_rate_limit=1
 
 This limits spammers and legit users to 1 msg/min, 60 msgs per hour.
 Postfix is not psychic.
 
 This may be a problem for roaming users who send batches of mails when
 they get a connection--10 msgs takes 10 minutes.  Thus, as with
 anything, some analysis and [re]tuning will be required.  If you trust
 some users to never have their acct compromised, you can always create
 multiple submission services on different ports and have different
 limits for different sets of users, or even no limits for some.
 
 Not a perfect solution, but better than what you have now.

I'm looking at policyd2/cluebringer as well, but it's non-intuitive to say 
the least.  Install is easy, hooking in to postfix is easy, but there's a huge 
lack of howto docs on configuring the actual policies for specific use cases.  
The quota module looks great, but getting data into the config to delineate 
internal vs. external domains (and what about a sasl-authenticated user sending 
from another domain?) is quite challenging.  If I can cobble this thing 
together, the quota module offers things like messages per day or per hour, 
which is a fairly reasonable way to restrict customers.

Are there any other specific policy daemons I've missed that deal explicitly 
with rate-limiting?

It seems like the internet as whole would certainly benefit from a dead-simple 
policy daemon that could thwart the attempts of spammers using hijacked 
credentials to spew their junk.

Thanks,

Charles

 
 -- 
 Stan
 

Re: Replacing sendmail with postfix for local mail in FreeBSD

[CSS]

On Feb 10, 2012, at 3:42 PM, Jorge Luis Gonzalez wrote:

 I'm posting this to the postfix list rather than the FreeBSD list
 because I've found the level of expertise here to be almost
 unsurpassed.
 
 In trying to substitute postfix for sendmail on FreeBSD 8.0, I've come
 across a problem with mail sent from the command line (including mail
 from the syslogd daemon).
 No matter what I do to disable the sendmail binary (using mailwrapper)
 sendmail seems to grab port 25 on the localhost and any mail sent from
 the command line that's destined
 for a local account is shunted off, even while the mail reaches
 procmail and is properly forwarded to gmail as per my recipe.

Your logs don't indicate sendmail listening on port 25 at all.

You should post the sendmail_* lines in /etc/rc.conf and the contents
of /etc/mail/mailer.conf.

What you're showing here really looks like you don't have 
mailer.conf properly configured.

Thanks,

Charles

 
 After going through all the steps of disabling sendmail in rc.conf and
 setting up mainwrapper I am getting the following error:
 
 [satyr ~]$ mail -s test jorge
 test
 .
 
 [satyr ~]$ WARNING: RunAsUser for MSP ignored, check group ids
 (egid=1002, want=25)
 can not chdir(/var/spool/clientmqueue/): Permission denied
 Program mode requires special privileges, e.g., root or TrustedUser.
 
 Here's the corresponding logfile entry, which seems pretty clearly to
 point to the (presumably) disabled sendmail:
 
 satyr# tail /var/log/maillog
 Feb  9 09:16:00 satyr sendmail[63415]: NOQUEUE: SYSERR(jorge): can not
 chdir(/var/spool/clientmqueue/): Permission denied
 
 Here are the permissions and owners of the queue:
 
 satyr# ls -ld /var/spool/clientmqueue/
 drwxrwx---  2 smmsp  smmsp  512 Feb  9 06:57 /var/spool/clientmqueue/
 
 I then ran across the following sendmail README on FreeBSD:
 
 [...]
 
 As of sendmail 8.12, in order to improve security, the sendmail binary no
 longer needs to be set-user-ID root.  Instead, a set-group-ID binary
 accepts command line mail and relays it to a full mail transfer agent via
 SMTP.  A group writable client mail queue (/var/spool/clientmqueue/ by
 default) holds the mail if an MTA can not be contacted.
 
 To accomplish this, under the default setup, an MTA must be listening on
 localhost port 25.  If the rc.conf sendmail_enable option is set to NO,
 a sendmail daemon will still be started and bound only to the localhost
 interface in order to accept command line submitted mail (note that this
 does not work inside jail(2) systems as jails do not allow binding to
 just the localhost interface).  If this is not a desirable solution, it
 can be disabled using the sendmail_submit_enable rc.conf option.  However,
 if both sendmail_enable and sendmail_submit_enable are set to NO
 [this is true in my case],
 you must do one of two things for command line submitted mail:
 
 1. Designate an alternative host for the submission agent to contact
   by altering /etc/mail/freebsd.submit.mc (or setting SENDMAIL_SUBMIT_MC
   in /etc/make.conf to an alternate .mc file) and using
   'make install-submit-cf' in /etc/mail/.  Change the FEATURE(msp) line
   to FEATURE(msp, hostname) where hostname is the fully qualified hostname
   of the alternative host.
 
 Or:
 
 2. Return to using a set-user-ID root sendmail binary by changing the
   ownership and permissions on the sendmail binary and removing the
   /etc/mail/submit.cf file:
chown root /usr/libexec/sendmail/sendmail
chmod 4755 /usr/libexec/sendmail/sendmail
rm /etc/mail/submit.cf
   If you install from source, set the SENDMAIL_SET_USER_ID flag in
   /etc/make.conf.
 
 [...]
 
 The first of the two suggestions isn't an option for me; I control
 only this single mailserver.  And I'm not quite sure about the
 second: I'd rather avoid a set-user-ID root sendmail if possible.  I
 just want postfix to handle mail that comes from the command
 line destined for localhost 25.
 
 In case there's something I can do inside postfix so that it binds the
 daemon to localhost 25 before the vestigal sendmail
 gets there, here are my postfix settings:
 
 [satyr ~]$ postconf -n
 alias_database = hash:/etc/mail/aliases
 alias_maps = hash:/etc/mail/aliases
 allow_percent_hack = no
 append_at_myorigin = yes
 append_dot_mydomain = no
 biff = no
 bounce_queue_lifetime = 4h
 bounce_size_limit = 1
 broken_sasl_auth_clients = yes
 command_directory = /usr/local/sbin
 config_directory = /usr/local/etc/postfix
 daemon_directory = /usr/local/libexec/postfix
 data_directory = /var/db/postfix
 default_destination_concurrency_limit = 10
 default_privs = nobody
 delay_warning_time = 1h
 disable_vrfy_command = yes
 fast_flush_domains = $relay_domains
 header_checks = regexp:/etc/postfix/header_checks
 html_directory = no
 inet_interfaces = all
 local_destination_concurrency_limit = 2
 local_recipient_maps = unix:passwd.byname, $alias_maps
 luser_relay =
 mail_name = $mydomain Mail Daemon
 mail_owner = postfix
 

Re: Replacing sendmail with postfix for local mail in FreeBSD

[CSS]

On Feb 10, 2012, at 10:29 PM, Jorge Luis Gonzalez wrote:

 On Fri, Feb 10, 2012 at 10:15 PM, Wietse Venema wie...@porcupine.org wrote:
 What happens when you execute /usr/sbin/mailwrapper by hand?
 (it should complain about no mapping in /etc/mail/mailer.conf).
 
 [jorge@satyr ~]$ /usr/sbin/mailwrapper -oem -oi jorge  /etc/motd
 WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)
 
 That is not right. Your mailwrapper program has been replaced.
 
 
 You're quite right, I believe:
 
 satyr# ls -l /usr/sbin/mailwrapper
 lrwxr-xr-x  1 root  wheel  30 Feb  8 10:36 /usr/sbin/mailwrapper -
 /usr/libexec/sendmail/sendmail
 
 satyr# ls -l /usr/sbin/sendmail
 lrwxr-xr-x  1 root  wheel  21 Feb  8 16:20 /usr/sbin/sendmail -
 /usr/sbin/mailwrapper
 
 How do I rectify this?

If you've got the src tree installed, it looks like you can pretty easily build 
and reinstall mailwrapper:

cd /usr/src/usr.sbin/mailwrapper
make obj depend
make install

Pulling it out of the base distribution is probably kind of a pain, but if 
you've got the livefs cd/dvd you could easily grab it from there.  Perms are 
basic, world read and execute, owner root:wheel.

Make sure you get rid of those symlinks first though. 

Thanks,

Charles


 Thanks very much,
 
Jorge
 
 -- 
 Jorge Luis González jlg.in...@gmail.com
 http://people.umass.edu/jlg/

routing mail based on inbound port?

[CSS]

Hello,

This is a bit of an odd question, and I don't see an obvious way to do
this, but perhaps there's a non-obvious way.

We're looking to try Postfix out in some queues that would benefit
from Postfix's throttling and rate-limiting features, and I'm trying
to model this after our current qmail implementation, or at least get
a fairly similar setup working.  We currently have our own internal
mail router that splits inbound mailing list messages based on both
sender and destination.  It then directs the message(s) to the
appropriate qmail instance via qmqp.

We run multiple qmail instances on each host, and each instance
listens on a different qmqp port and also has different config
parameters (outgoing IP, remote concurrency).

I've had no issues with the qmqpd server in Postfix, but I'm trying to
figure out a way to route mail to a different transport based on which
qmqpd listener the message came in on.  In other words, if I've got
multiple qmqp listeners on ports 628 through 640, I want to map
messages from each listener to a specific outbound smtp transport.  If
a message comes in on a qmqp listener on port 628, I want it to use
transport1, if it comes in on the listener on port 629, I want it to
use transport2.  Each transport would have a different outgoing IP,
different concurrency settings, etc.  I would like to avoid running
multiple full instances of Postfix because I think having one shared
queue will likely perform better.

Any ideas on how to accomplish this?

Thanks,
Charles