Re: Backup MX setup - alternative to db?
> On Apr 29, 2017, at 1:12 PM, CSS <c...@morefoo.com> wrote: > > >> On Apr 29, 2017, at 6:41 AM, li...@lazygranch.com wrote: >> >> I've never used rsync in daemon mode (if that is the right way to phrase >> it), but wouldn't that do everything automatically? > > I’m all set on transferring data, my main interest is in dumping the data > from mysql and then creating the same maps in another db storage format like > dbm for the other two hosts. > > I got excited briefly when I saw the postmap “-s” flag, I was hoping I could > use that, but apparently that flag is not yet supported for mysql: > > root@nac /home/spork]# postmap -s > mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf > postmap: fatal: table > mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf: sequence > operation is not supported > [root@nac /home/spork]# > > And it looks like the postmap “-q” flag can’t just take a wildcard and return > everything. > > So my only option is to query mysql directly I think (again, unless someone > has some other clever way of doing it!). Given how modular postfix appears, > I was thinking that one of the bundled utilities might be able to dump all > the maps in a common format. This is what I ended up with. It’s pretty basic, and probably can fail in bad ways, but it works. On the other end there’s a short shell script that puts the files in place and runs postmap on all the relevant files. The sync directory also includes some other files that I want to have the same, like a badrcpt file, postscreen whitelist, etc. Charles #!/usr/local/bin/perl -w use DBI; use Net::OpenSSH; # db connection params $db_user="mail"; $db_pass=“XXX"; $db_host="localhost"; $db_name="mail"; # files $domain_file="/usr/local/etc/postfix-sync/relay_domains"; $recip_file="/usr/local/etc/postfix-sync/relay_recipients"; # rsync params my $rhost = "sea.XXX.com"; my $ruser = "syncer"; my $srcdir = '/usr/local/etc/postfix-sync/*'; my $destdir = "/home/syncer/postfix/"; my $rkey = "/root/.ssh/id_rsa_syncer”; # connect to db my $dbh = DBI->connect ("DBI:mysql:database=$db_name:host=$db_host", $db_user, $db_pass) or die "Can't connect to db: $DBI::errstr\n"; # query domain list my $sth = $dbh->prepare( "SELECT domain FROM domain WHERE active = '1' AND domain != 'ALL'"); $sth->execute(); open(my $fh, '>', $domain_file) or die "Could not open file '$domain_file' $!”; print $fh "# start of domains\n"; while ( my @row = $sth->fetchrow_array( ) ) { #print "@row\n"; print $fh "@row\n\tx"; } warn "Problem in retrieving results", $sth->errstr( ), "\n" if $sth->err( ); print $fh "# end of domains\n"; close $fh; open($fh, '>', $recip_file) or die "Could not open file '$recip_file' $!"; # query alias/mailbox list - this uses the postfixadmin schema $sth = $dbh->prepare( "SELECT address FROM alias WHERE active = '1'"); $sth->execute(); print $fh "# start of aliases\n"; while ( @row = $sth->fetchrow_array( ) ) { #print "@row\n"; print $fh "@row\tx\n"; } warn "Problem in retrieving results", $sth->errstr( ), "\n" if $sth->err( ); print $fh "# end of aliases\n"; close $fh; # scp my $ssh = Net::OpenSSH->new($rhost, user => $ruser, key_path => $rkey); $ssh->scp_put({glob => 1}, $srcdir, $destdir) or die "scp failed: " . $ssh->error; exit; > > Thanks, > > Charles > >> >> I know on Digital Ocean you can use a special network between "droplets" >> (VMs) that is local. There is no transit cost. Perhaps Vultr does the same >> thing. >> >> Vultr has a free DNS. >> >> If I wasn't running FreeBSD, I'd probably be on Linode. >> https://www.vpsbenchmarks.com/ >> >> >> >> >> >> Original Message >> From: CSS >> Sent: Friday, April 28, 2017 12:49 PM >> To: Postfix users >> Subject: Backup MX setup - alternative to db? >> >> Hi all, >> >> I have a handful of personal domains that I host myself - both as a place to >> experiment a bit (I roll new things out here before using them on paying >> clients), and a place to play with things that don’t scale well. As of now, >> I just have a single MXer with a pretty standard Postfix setup. Domain/user >> maps are all in mysql. >> >> I just grabbed a few VPSs since they are cheap and I wanted to try out >> Vultr.com. I bought the smallest possible -
Re: Backup MX setup - alternative to db?
> On Apr 29, 2017, at 6:41 AM, li...@lazygranch.com wrote: > > I've never used rsync in daemon mode (if that is the right way to phrase it), > but wouldn't that do everything automatically? I’m all set on transferring data, my main interest is in dumping the data from mysql and then creating the same maps in another db storage format like dbm for the other two hosts. I got excited briefly when I saw the postmap “-s” flag, I was hoping I could use that, but apparently that flag is not yet supported for mysql: root@nac /home/spork]# postmap -s mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf postmap: fatal: table mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf: sequence operation is not supported [root@nac /home/spork]# And it looks like the postmap “-q” flag can’t just take a wildcard and return everything. So my only option is to query mysql directly I think (again, unless someone has some other clever way of doing it!). Given how modular postfix appears, I was thinking that one of the bundled utilities might be able to dump all the maps in a common format. Thanks, Charles > > I know on Digital Ocean you can use a special network between "droplets" > (VMs) that is local. There is no transit cost. Perhaps Vultr does the same > thing. > > Vultr has a free DNS. > > If I wasn't running FreeBSD, I'd probably be on Linode. > https://www.vpsbenchmarks.com/ > > > > > > Original Message > From: CSS > Sent: Friday, April 28, 2017 12:49 PM > To: Postfix users > Subject: Backup MX setup - alternative to db? > > Hi all, > > I have a handful of personal domains that I host myself - both as a place to > experiment a bit (I roll new things out here before using them on paying > clients), and a place to play with things that don’t scale well. As of now, I > just have a single MXer with a pretty standard Postfix setup. Domain/user > maps are all in mysql. > > I just grabbed a few VPSs since they are cheap and I wanted to try out > Vultr.com. I bought the smallest possible - only 512MB of RAM. I’m running > nsd for DNS services (found setting up two small VPS’s to be cheaper, more > fun than paying for secondary NS), and I’d like to add backup MX to both > hosts. I do NOT want to run mysql or anything else that’s a memory pig on > these. > > My idea to get my lookup maps in place is just to write a small perl script > that dumps my config info from mysql into flat files, uses scp to copy the > files over to the backup MXers, and then runs postmap on the output on the > backup MXers. Before I go ahead with this, any clever options that I’m > overlooking to have the same data on servers using different backing stores > for the maps? > > Thanks, > > Charles
Backup MX setup - alternative to db?
Hi all, I have a handful of personal domains that I host myself - both as a place to experiment a bit (I roll new things out here before using them on paying clients), and a place to play with things that don’t scale well. As of now, I just have a single MXer with a pretty standard Postfix setup. Domain/user maps are all in mysql. I just grabbed a few VPSs since they are cheap and I wanted to try out Vultr.com. I bought the smallest possible - only 512MB of RAM. I’m running nsd for DNS services (found setting up two small VPS’s to be cheaper, more fun than paying for secondary NS), and I’d like to add backup MX to both hosts. I do NOT want to run mysql or anything else that’s a memory pig on these. My idea to get my lookup maps in place is just to write a small perl script that dumps my config info from mysql into flat files, uses scp to copy the files over to the backup MXers, and then runs postmap on the output on the backup MXers. Before I go ahead with this, any clever options that I’m overlooking to have the same data on servers using different backing stores for the maps? Thanks, Charles
Re: clients connecting to port 25 with ssl/tls
> On Feb 22, 2016, at 5:11 PM, Rich Waleswrote: > > Regarding port 465 -- > > The last time I checked, iPhones and iPads refused to do STARTTLS on > mail submission. Since I use an iPad, I had no choice but to enable > submission via port 465 (SSL) on my mail server -- in addition to > STARTTLS on port 587 for use by other, saner devices. That’s odd. I’ve not used an iOS device since 6.x, but at that point I was running six accounts, and all were using port 587 and STARTTLS. Charles > > I would love, of course, to hear either that I was mistaken, or that > Apple has enabled 587/STARTTLS on current iOS devices. > > Rich Wales > ri...@richw.org
OpenSSL CVE-2016-0701
http://intothesymmetry.blogspot.com/2016/01/openssl-key-recovery-attack-on-dh-small.html It seems that there are a number of factors (that I do not understand) that determine whether an application is vulnerable. For example, Apache/mod_ssl is not. Is there enough information here to determine whether or not Postfix is vulnerable in typical configurations? Charles
Re: OpenSSL CVE-2016-0701
> On Jan 28, 2016, at 8:38 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> > wrote: > > On Thu, Jan 28, 2016 at 08:36:02PM -0500, CSS wrote: > >> http://intothesymmetry.blogspot.com/2016/01/openssl-key-recovery-attack-on-dh-small.html >> >> It seems that there are a number of factors (that I do not understand) >> that determine whether an application is vulnerable. For example, >> Apache/mod_ssl is not. >> >> Is there enough information here to determine whether or not Postfix is >> vulnerable in typical configurations? > > Postfix has never re-used public DH exponents, and it has never > been possible to misconfigure Postfix to do so. Awesome, thanks for replying! Charles > > -- > Viktor.
Re: AntiSpam & AntiVirus Integration with Postfix: lots of tools, but which one's AREN'T 'dead'?
On Sep 8, 2015, at 11:20 PM, Wolfe, Robertwrote: > The best one I've found and what I use to host other people's spam filtering > is > http://www.virtualtothecore.com/en/efa-nice-free-spam-filter-virtual-appliance/ > > I have a separate VM with this set up and all mail goes through that before > hitting my Postfix box and my Exchange 2010 box. On a slightly different tangent, I’m about to start working with this as a way to streamline how everything plugs into Postfix for inbound: http://fuglu.org/ What attracted me is that it looks like it would simplify switching between various options, be it spam filtering, virus filtering, etc. Charles > > -Original Message- > From: owner-postfix-us...@postfix.org > [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ken Peng > Sent: Tuesday, September 08, 2015 8:06 PM > To: postfix-users@postfix.org > Subject: Re: AntiSpam & AntiVirus Integration with Postfix: lots of tools, > but which one's AREN'T 'dead'? > > Google and just found one, > https://www.digitalocean.com/community/tutorials/how-to-install-and-setup-spamassassin-on-ubuntu-12-04 > > HTH, :) > > On 2015/9/9 星期三 9:01, joh...@fastmail.com wrote: >> Ken >> >> On Tue, Sep 8, 2015, at 05:49 PM, Ken Peng wrote: >>> How about Spamassassin? we have been using it for a long time. >> >> And how are you integrating it into Postfix. That was my question not >> whether to use Spamassassin. I kindof decided on that already in the >> original post. >> >> John >>
Re: Security Compatibility
On May 24, 2015, at 9:28 AM, Viktor Dukhovni postfix-us...@dukhovni.org wrote: On Sun, May 24, 2015 at 06:38:50AM -0400, Postfix User wrote: smtpd_tls_protocols = !SSLv2, !SSLv3 smtp_tls_protocols = !SSLv2, !SSLv3 Wouldn't the following be more secure: smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1 No, these are less secure. Bleeding edge security settings mean more email sent in the clear, or not delivered at all. That is an excellent point. I thought I saw that listed on this forum earlier this year. Don't believe all the nonsense posted on the Internet. Related to the previous paragraph, I know that when I fiddle with SSL settings on a web server, I can easily dig up information on exactly what OS/browser combinations Ill be denying service to (so far, XP + IE6). Having that confidence in knowing what possible visitors Im denying is nice. Is there any good reference for MTAs and MUAs out there? Im thinking of something like the matrix Qualsys shows in their test results. Whoever started this thread, thanks. Its always been a little fuzzy to me where OpenSSL and Postfix meet and decide which parameters are set by default (or arent available). Any future plans to incorporate other SSL libraries? Thanks, Charles -- Viktor.
Re: spam fighting
On Apr 28, 2015, at 1:04 PM, Terry Barnum te...@dop.com wrote: On Apr 28, 2015, at 1:47 AM, Marius Gologan marius.golo...@gmail.com wrote: Hi Terry, I use amavisd-new/spamassassin in post-queue configuration with few adjustments: increased score for SPF_FAIL, DKIM_ADSP_DISCARD, Bayes_80, Bayes_95, Bayes_99, Bayes_999 and few others. Local DNS server - critical for RBL queries. As for postscreen, I preffer postscreen_greet_action = enforce only which doesn't require the client to retry (as opposite to greylist behavior), while is pretty effective against bots. Marius. Thank you for the reply Marius. Do the RBL queries from amavisd-new/spamassassin require a local DNS because they're more resource intensive than postscreen_dnsbl_sites or reject_rhsbl_* queries? Regarding DNS lookups, depending on your mail volume, between postscreen, spamassassin and whatever else you’re running, you can generate quite a few queries on every connection attempt. Depending on your overall architecture, having a dedicated recursor instance (or two or three) can really help. You don’t want a large influx of email to have an impact on other consumers of DNS lookups. I really like PowerDNS (recursor), as it’s quite efficient - at one point I had it running on an ancient dual P-III box and peaked at 10K queries/second, which was about double what I could achieve on the same hardware with dnscache (djbdns). BIND is probably not at all appropriate for this (but may be perfect for other internal use where you need more features). Charles I've received 16 UCE emails in the last hour--weight loss, wrinkle creams, bird feeders, pharmacies. More pointers (favorite postfix techniques and/or add-ons, sites to read, etc.) from those who've been successful in reducing spam load are greatly appreciated. Thanks, -Terry -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Terry Barnum Sent: Tuesday, April 28, 2015 1:15 AM To: postfix users Subject: spam fighting We've been using postscreen and dspam for quite some time but in the past couple months more spam is making it through. I realize there's no one-size-fits-all approach but because dspam isn't actively developed anymore I've started looking around and am curious what others are using. Is amavisd-new/spamassassin the preferred solution? My company is small with 30 users. Perhaps my postscreen settings could be improved? postscreen_access.cidr is a small file with 4 entries to whitelist customers that aren't implicated in the increase in spam. $ postconf -n broken_sasl_auth_clients = yes command_directory = /opt/local/sbin daemon_directory = /opt/local/libexec/postfix data_directory = /opt/local/var/lib/postfix debugger_command = PATH=/opt/local/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id sleep 5 default_privs = nobody delay_warning_time = 4h dovecot_destination_recipient_limit = 1 dspam-lmtp_destination_recipient_limit = 1 home_mailbox = Maildir/ html_directory = no inet_protocols = ipv4 mail_owner = _postfix mailq_path = /opt/local/bin/mailq manpage_directory = /opt/local/share/man message_size_limit = 5120 mydestination = $myhostname, localhost.$mydomain, localhost myhostname = mailbox.dop.com mynetworks = 192.168.0.0/23, 127.0.0.0/8 myorigin = $mydomain newaliases_path = /opt/local/bin/newaliases postscreen_access_list = permit_mynetworks, cidr:/opt/local/etc/postfix/postscreen_access.cidr postscreen_bare_newline_action = enforce postscreen_bare_newline_enable = yes postscreen_blacklist_action = drop postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.4*1 hostkarma.junkemailfilter.com=127.0.1.2*1 wl.mailspike.net=127.0.0.[18;19;20]*-2 list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].2*-4 list.dnswl.org=127.0.[0..255].3*-5 hostkarma.junkemailfilter.com=127.0.0.1*-2 postscreen_dnsbl_threshold = 3 postscreen_dnsbl_ttl = 5m postscreen_greet_action = enforce postscreen_non_smtp_command_enable = yes postscreen_pipelining_action = enforce postscreen_pipelining_enable = yes proxy_interfaces = 70.167.15.110 queue_directory = /opt/local/var/spool/postfix readme_directory = /opt/local/share/postfix/readme sample_directory = /opt/local/share/postfix/sample
per-user attachment blocking?
Google’s not feeding me much on doing this on a per-user basis… I’d like to give users the option to block emails with certain attachments - zip, exe, etc. I know that server-wide the simplest option is header checks. I’m open to adding another milter to my chain of milters. I already have sql-backed prefs for other purposes, so it seems like it should be easy, I just need the right milter… Of course if anyone has any general hints about the current rash of malware coming from clean IPs that passes some fairly strict postscreen and SA checks, I’m more than happy to hear about that as well. Thanks, Charles
Re: DMARC
My apologies for top-posting here, but I’m going to ask for something related to this thread… I’ve subscribed to this list for some time, and it’s full of good information, including things that don’t really have anything to do with Postfix. I’m fine with that, but these threads do sometimes get shut down since they are technically off-topic. Clearly people are posing questions like this here because they know this list is full of knowledgeable posters who have experience with large scale email deployments. Given that, is there another list I’ve not found where all these spam and email policy topics are welcome AND there’s a good userbase? Now back to the off-topic, but valuable DMARC discussion... Thanks, Charles On Jan 18, 2015, at 8:14 PM, John j...@klam.ca wrote: I am not sure about implementing DMARC on my servers. However, is it worth adding a DMARC record to the DNS? What, if anything, would it buy us. If we were to add such a record, what would be the best setup/set of parameters be? -- John Allen KLaM -- How many of you believe in telekinesis? Raise my hand... smime.p7s Description: S/MIME cryptographic signature
Re: limit sender based on IP and email address
On Sep 23, 2014, at 3:40 AM, Robert Schetterer r...@sys4.de wrote: Am 23.09.2014 um 09:28 schrieb CSS: Im having a hard time copying something I did in qmail (using some random patch). Ive got four postfix instances, two used exclusively for submission (all outbound email from us), two as mxers (all inbound email, primary then forwards to an old qmail/vpopmail setup). Im looking to have a list of staff/role accounts defined and limit those senders to only be able to reach the mxers via the submission hosts. Example: sender: supp...@example.com recipient: any...@example.com connecting IP (from mxer’s view): either of our submission servers action: accept vs. sender: supp...@example.com recipient: any...@example.com connecting IP (from mxer’s view): not either of our submission servers action: reject vs. sender: randomcusto...@example.com recipient: any...@example.com connecting IP (from mxer’s view): not either of our submission servers action: accept I can block senders, I can block hosts, but Im not clear on how to combine the two criteria. The last example is something I dont want to support, but we do have people relaying through their own ISP and using a (legit) sender address from our domain. This also keeps me from effectively using SPF, and I dont see this policy changing anytime soon. Can someone point me to the right section of the docs? Thanks, Charles ps - for the curious, qmails badmailfromnorelay patch lets you combine a list of senders that are banned only if the RELAYCLIENT env var is not set. perhaps this helps http://www.postfix.org/RESTRICTION_CLASS_README.html I suspect I was making this more complicated than it needed to be. I took the example used for the all@ alias and modified that a bit to apply to the sender rather than recipient (the banned_senders map is just some sender address permabans, banned_senders_norelay is the one of interest here: smtpd_sender_restrictions = check_sender_access hash:$config_directory/banned_senders, hash:$config_directory/banned_senders_norelay banned_senders_norelay looks like this: supp...@example.com permit_mynetworks,reject n...@example.compermit_mynetworks,reject bill...@example.com permit_mynetworks,reject [etc.] The relays that would be sending mail with those from addresses are already part of mynetworks, so as long as our employees relay through those senders, they can send as those various role accounts. If someone from outside attempts to use those addresses they are denied. The same rules exist on both the primary and secondary mxers. It appears this is accomplishing what I want without having to resort to strict SPF checks. Thanks for pushing me to read that README again Charles or you try some policy server Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
limit sender based on IP and email address
Im having a hard time copying something I did in qmail (using some random patch). Ive got four postfix instances, two used exclusively for submission (all outbound email from us), two as mxers (all inbound email, primary then forwards to an old qmail/vpopmail setup). Im looking to have a list of staff/role accounts defined and limit those senders to only be able to reach the mxers via the submission hosts. Example: sender: supp...@example.com recipient: any...@example.com connecting IP (from mxer’s view): either of our submission servers action: accept vs. sender: supp...@example.com recipient: any...@example.com connecting IP (from mxer’s view): not either of our submission servers action: reject vs. sender: randomcusto...@example.com recipient: any...@example.com connecting IP (from mxer’s view): not either of our submission servers action: accept I can block senders, I can block hosts, but Im not clear on how to combine the two criteria. The last example is something I dont want to support, but we do have people relaying through their own ISP and using a (legit) sender address from our domain. This also keeps me from effectively using SPF, and I dont see this policy changing anytime soon. Can someone point me to the right section of the docs? Thanks, Charles ps - for the curious, qmails badmailfromnorelay patch lets you combine a list of senders that are banned only if the RELAYCLIENT env var is not set.
Dealing with a lookup with null result?
Quick question… I finally decided to build a web UI for our support guys to be able to manually kill relaying for compromised accounts using the new check_sasl_access (http://www.postfix.org/postconf.5.html#check_sasl_access) feature introduced in 2.11. A thread regarding this is here: http://thread.gmane.org/gmane.mail.postfix.user/245474 So this does work - in my main mail account db table I added a column. If it’s empty, then the user is OK. If it contains something like “REJECT 5.7.1 Account Compromised”, then that error is returned to the sender, and all is well. My main.cf checks look like this, with this check coming first: smtpd_recipient_restrictions = check_sasl_access proxy:mysql:$config_directory/sasl-access.cf check_policy_service inet:127.0.0.1:10031, # policyd permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination sasl-access.cf looks like this: hosts = 10.88.77.xx 10.88.77.xx user = password = dbname = vpopmail query = SELECT postfix_deny FROM vpopmail WHERE pw_name='%u' AND pw_domain='%d’; As noted, this functions well, but Postfix does not like the empty answer when there’s no match: Sep 17 12:27:16 smtp1 postfix/proxymap[46006]: warning: table mysql:/usr/local/etc/postfix/sasl-access.cf: empty lookup result for: “x...@example.com — ignored I briefly considered putting some kind of positive response as the default then realized that would short circuit my other checks (I think?). Is there a value I can return that will quell this warning but not allow any sasl-auth’d user to relay if the other checks would have blocked them? Thanks, Charles
Re: Dealing with a lookup with null result?
On Sep 17, 2014, at 2:19 PM, Wietse Venema wie...@porcupine.org wrote: CSS: Quick question? I finally decided to build a web UI for our support guys to be able to manually kill relaying for compromised accounts using the new check_sasl_access (http://www.postfix.org/postconf.5.html#check_sasl_access) feature introduced in 2.11. A thread regarding this is here: http://thread.gmane.org/gmane.mail.postfix.user/245474 So this does work - in my main mail account db table I added a column. If it's empty, then the user is OK. If it contains something like 'REJECT 5.7.1 Account Compromised' then that error is returned to the sender, and all is well. Postfix does not accept empty responses. If you want to report not found then that is what the database should respond with. If you cannot do that, then return DUNNO for the Postfix access map, and return something else human users. Got it. Just did a quick test and DUNNO as a response seems to work. I manually set my policyd tracking to look like Id sent 8,000 emails in the last 30 minutes and my checks properly went past the DUNNO and on to the REJECT from the policyd service. I often get confused about the difference between responses from a policy check and an access check. I guess they are basically the same. Thanks so much, Charles Wietse
Fronting another mail server, best practices?
Hello, I know it’s fairly common for people to use postfix as a spam-eating/tagging gateway in environments where Exchange or some other MTA is mandatory. In my case, I’m fronting an old qmail/vpopmail setup which is probably never going to go away. Right now I have basic transport rules that force everything to qmail listening on an internal IP, and that works fine. In the interest of efficiency and making sure I’m actually doing this correctly, is there any other option (especially with qmail, and on the same host) to inject the mail into qmail? smtp to smtp works, and I think I have my user/alias lookups working fine (vpopmail stores this in a db, postfix queries same db, and I run a policy server to verify quotas on primary and backup mx), but something about this seems a bit inefficient. Am I missing any options? I see postfix has a qmqp server, but not a client, not sure that if one existed that would be a better option or not. Is there anything else I should be looking at for both the handoff from postfix to qmail and any general gotchas when handing email off to a “hidden” server? Thanks, Charles
Re: Killing user's session
On Aug 24, 2014, at 12:18 PM, D'Arcy J.M. Cain da...@vex.net wrote: On Sun, 24 Aug 2014 16:06:36 + Viktor Dukhovni postfix-us...@dukhovni.org wrote: Postfix 2.11 or later has a new feature: http://www.postfix.org/postconf.5.html#check_sasl_access If your relay restrictions look like: main.cf: indexed = ${default_database_type}:${config_directory}/ smtpd_relay_restrictions = check_sasl_access ${indexed}sasl-access, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination (before any user account is compromised), then once an account is hijacked: sasl-access: lu...@example.com REJECT 5.7.1 Your login is compromised. This is a particularly good solution as it allows the user to continue receiving email so that you can send them them a message explaining exactly what the problem is. And I assume this can be sql-backed, correct? So it should be easy to build a web-based tool for staff to nuke/un-nuke account once the issue has been addressed. Charles -- D'Arcy J.M. Cain System Administrator, Vex.Net http://www.Vex.Net/ IM:da...@vex.net VoIP: sip:da...@vex.net
Re: Log the HELO/EHLO name?
On Feb 25, 2014, at 9:50 AM, Noel Jones wrote: On 2/25/2014 4:44 AM, Eivind Olsen wrote: Hello (or should that be EHLO? :)) It has been a while since I've had a need to change my Postfix configuration, so I'm a bit rusty. I have searched, checked the configuration, etc. No luck yet. Is it possible to get Postfix to log the hostname presented to it during HELO/EHLO? Any configuration setting I've missed? Or will I have to change the sourcecode for this? If you don't want to patch the source, an easy workaround is to add to your header_checks file: /^From: / WARN which will log some information including the helo. This works with any version of postfix. If you don't mind a little patch, here's a simple patch I've used for years to log the HELO hostname. This will apply to postfix 2.8 and newer. That is so qmail-esque (in a good way, seriously). I really like the idea of logging the helo from a data analysis perspective. I wonder if you could do this with a simple policy server? IIRC, the helo is one of the bits of data passed to the policy server, and logging the IP, to/from, helo and a few other things seems like it would be pretty simple. And just return an OK. Of course it would be a totally separate log file, but you'd have the data and you wouldn't have to alter the postfix source. Also a quick question on the patch below - if you're running postscreen, and it has decided a sending host is bad, will the connection ever hit the real smtpd daemon and be logged? Thanks, Charles ps - I lurk here and just wanted to say thanks to all for postfix and the list denizens. I just started work on putting an old qmail/vpopmail setup behind postfix and I'm just consistently blown away by the flexibility of postfix - it's hard to find an unsolvable problem. Sample log entry: Feb 25 08:40:39 mx1 postfix/smtpd[30241]: NOQUEUE: client=mail.example.com[192.2.0.2], helo=mail.example.com Note the modified log entry may break some log parsers, but is compatible with pflogsumm.pl and postfix-logwatch. (beware line wrapping) --- /usr/local/src/postfix-2.8-20100728/src/smtpd/smtpd.c Mon Jul 26 18:39:39 2010 +++ src/smtpd/smtpd.c Tue Aug 10 16:42:36 2010 @@ -1916,13 +1916,16 @@ #define PRINT2_OR_NULL(cond, name, value) \ PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value)) - msg_info(%s: client=%s%s%s%s%s, + msg_info(%s: client=%s%s%s%s%s%s%s%s%s, (state-queue_id ? state-queue_id : NOQUEUE), state-namaddr, PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state), , orig_queue_id=, FORWARD_IDENT(state)), PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), - , orig_client=, FORWARD_NAMADDR(state))); + , orig_client=, FORWARD_NAMADDR(state)), +, helo=, state-helo_name ? state-helo_name : , +PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), + , orig_helo=, FORWARD_HELO(state) ? FORWARD_HELO(state) : )); return (0); } --- /usr/local/src/postfix-2.8-20100728/src/smtpd/smtpd_sasl_proto.c Mon Jul 26 18:40:14 2010 +++ src/smtpd/smtpd_sasl_proto.cTue Aug 10 17:56:42 2010 @@ -243,7 +243,7 @@ #define PRINT2_OR_NULL(cond, name, value) \ PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value)) -msg_info(%s: client=%s%s%s%s%s%s%s%s%s%s%s, +msg_info(%s: client=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, (state-queue_id ? state-queue_id : NOQUEUE), state-namaddr, PRINT2_OR_NULL(state-sasl_method, @@ -255,7 +255,10 @@ PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state), , orig_queue_id=, FORWARD_IDENT(state)), PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), - , orig_client=, FORWARD_NAMADDR(state))); + , orig_client=, FORWARD_NAMADDR(state)), +, helo=, state-helo_name ? state-helo_name : , +PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), + , orig_helo=, FORWARD_HELO(state) ? FORWARD_HELO(state) : )); } /* smtpd_sasl_mail_reset - SASL-specific MAIL FROM cleanup */ -- Noel Jones
Re: Log the HELO/EHLO name?
On Feb 25, 2014, at 7:35 PM, Noel Jones wrote: On 2/25/2014 6:06 PM, CSS wrote: On Feb 25, 2014, at 9:50 AM, Noel Jones wrote: On 2/25/2014 4:44 AM, Eivind Olsen wrote: Hello (or should that be EHLO? :)) It has been a while since I've had a need to change my Postfix configuration, so I'm a bit rusty. I have searched, checked the configuration, etc. No luck yet. Is it possible to get Postfix to log the hostname presented to it during HELO/EHLO? Any configuration setting I've missed? Or will I have to change the sourcecode for this? If you don't want to patch the source, an easy workaround is to add to your header_checks file: /^From: / WARN which will log some information including the helo. This works with any version of postfix. If you don't mind a little patch, here's a simple patch I've used for years to log the HELO hostname. This will apply to postfix 2.8 and newer. That is so qmail-esque (in a good way, seriously). I really like the idea of logging the helo from a data analysis perspective. I wonder if you could do this with a simple policy server? IIRC, the helo is one of the bits of data passed to the policy server, and logging the IP, to/from, helo and a few other things seems like it would be pretty simple. And just return an OK. Of course it would be a totally separate log file, but you'd have the data and you wouldn't have to alter the postfix source. Yes, that's possible. Make sure your policy service always returns DUNNO, not OK, to postfix. But having a separate log seems messy. Just to make sure I understand this, DUNNO is going to let any further policy checks happen, OK would stop the match and any further checks would not happen (which would be bad), correct? Bear with me, I've skated along with minimal knowledge of Postfix for years and have just started ingesting the docs on the policy stuff… I don't think I'd personally implement such a thing, although I am now thinking it might be nifty to try my hand at a simple statistics gathering policy server as a little exercise in putting such a thing together. I know you can grab lots of information with various log analysis tools, but as an exercise it might be fun. Also a quick question on the patch below - if you're running postscreen, and it has decided a sending host is bad, will the connection ever hit the real smtpd daemon and be logged? Postfix always includes the helo (if available) in a reject log entry, whether the reject happens in postscreen or elsewhere. No patch needed for that. Good to know, thanks. Wietse confirmed what I was assuming was true, that in the very specific case of the patch that was posted, it would not see any connections that postscreen blocked. Thanks, Charles -- Noel Jones Thanks, Charles ps - I lurk here and just wanted to say thanks to all for postfix and the list denizens. I just started work on putting an old qmail/vpopmail setup behind postfix and I'm just consistently blown away by the flexibility of postfix - it's hard to find an unsolvable problem. Sample log entry: Feb 25 08:40:39 mx1 postfix/smtpd[30241]: NOQUEUE: client=mail.example.com[192.2.0.2], helo=mail.example.com Note the modified log entry may break some log parsers, but is compatible with pflogsumm.pl and postfix-logwatch. (beware line wrapping) --- /usr/local/src/postfix-2.8-20100728/src/smtpd/smtpd.c Mon Jul 26 18:39:39 2010 +++ src/smtpd/smtpd.c Tue Aug 10 16:42:36 2010 @@ -1916,13 +1916,16 @@ #define PRINT2_OR_NULL(cond, name, value) \ PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value)) - msg_info(%s: client=%s%s%s%s%s, + msg_info(%s: client=%s%s%s%s%s%s%s%s%s, (state-queue_id ? state-queue_id : NOQUEUE), state-namaddr, PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state), , orig_queue_id=, FORWARD_IDENT(state)), PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), - , orig_client=, FORWARD_NAMADDR(state))); + , orig_client=, FORWARD_NAMADDR(state)), +, helo=, state-helo_name ? state-helo_name : , +PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), + , orig_helo=, FORWARD_HELO(state) ? FORWARD_HELO(state) : )); return (0); } --- /usr/local/src/postfix-2.8-20100728/src/smtpd/smtpd_sasl_proto.c Mon Jul 26 18:40:14 2010 +++ src/smtpd/smtpd_sasl_proto.cTue Aug 10 17:56:42 2010 @@ -243,7 +243,7 @@ #define PRINT2_OR_NULL(cond, name, value) \ PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value)) -msg_info(%s: client=%s%s%s%s%s%s%s%s%s%s%s, +msg_info(%s: client=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, (state-queue_id ? state-queue_id : NOQUEUE), state-namaddr, PRINT2_OR_NULL(state
more logging of policy servers
Hello, I'm having trouble chasing down an occasional delay in our submission service. We run policyd to enforce sending quotas, and I sometimes see a 1 minute to 2 minute delay between the connect from… line in the postix log and the line from cbpolicyd that lists the information it's inserting into the quota tracking table. The delay almost feels like a dns issue to me, but I'm not seeing anything obvious. Is there any way for me to get some more verbose logging out of postfix in the specific area of policy server connects, transactions and results? I haven't seen anything in the policy server section of the postfix online docs, but I suspect I may have missed something. Ideally I'd at least like to see a log of when postfix connects to the policy server, when it sends the data, and when it receives the data. I know I should be able to get this from policyd, but as I turn up the verbosity, I'm not getting any useful (to me) data - just more verbose info about the db query it makes. Thanks, Charles
Re: more logging of policy servers
On May 27, 2013, at 5:58 PM, Wietse Venema wrote: CSS: Hello, I'm having trouble chasing down an occasional delay in our submission service. We run policyd to enforce sending quotas, and I sometimes see a 1 minute to 2 minute delay between the connect from? line in the postix log and the line from cbpolicyd that lists the 1) How many concurrent connections will the policy daemon handle? Ah. Thank you. # Medium mailserver: 4, 4, 12, 25, 1000 # Large mailserver: 8, 8, 16, 64, 1000 # min_servers=4 min_spare_servers=4 max_spare_servers=12 max_servers=25 max_requests=1000 2) How many concurrent connections will the Postfix SMTP daemon handle? smtpd_client_connection_count_limit = 50 The answer to 1) must not be smaller than the answer to 2), otherwise there will be 100-second delays. smtpd_policy_service_timeout = 100s Thanks, that's obviously part of my problem. The other part is figuring out why with less than 2,000 active users I'm seeing all slots used up. Two hosts answer for 'smtp.mydomain.com', so I can accept (roughly) 100 concurrent connections. These hosts only do relay, they aren't mxers for anything, so there must be some sort of shenanigans going on here with some bots or something do auth guessing or similar. I'll break out a log analyzer and see what my connection rate looks like over time. Thanks for your help, much appreciated. Charles Wietse
Re: Alert of unusually large queue
On Oct 20, 2012, at 4:08 PM, Jan P. Kessler wrote: Hey guys, if [ `$mailq_count` -gt 50 ]; then echo Mail count on Server is `$mailq_count`|/usr/sbin/sendmail -f r...@example.com repo...@example.com ; fi I'm not sure, if sending an e-mail about a full mailqueue-condition is the best way to go ;-) Any of these checks could be handled by Nagios or anything else that can easily execute a remote command. Or tie it into your snmp daemon… But yeah, a problem with a giant queue that piles up between cron'd intervals could certainly lead to some missed alerts. :) Charles cheers, Jan
Re: Block sending from non-US IPs
On Oct 17, 2012, at 4:51 PM, /dev/rob0 wrote: On Wed, Oct 17, 2012 at 03:41:08PM -0500, Thomas E Lackey wrote: I am looking into a system where one of the [virtual] mail accounts was compromised. Apparently the account, once compromised, was used to send spam from overseas hosts. Since the company has no overseas users, they asked if it were possible to block outbound/relaying activity from all non-US IP addresses, even from authenticated accounts, while still allowing inbound SMTP from non-US IPs. And, of course, they would like to retain sending from US IPs from authenticated accounts. I am pretty familiar with Postfix, but this combination has me scratching my head. Is it doable? Not easily, and there is little reason to think it would be very effective. If you could compile (or query) a list of the IP address ranges and use it as check_client_access, you have succeeded with that part of your goal, but you probably have not accomplished the real goal. What about when the ratware is sending from your user's US-based computer? This issue last came up on this list today, and before that, yesterday (thanks Jeroen!) The real answer is rate limiting and content filtering of authenticated senders. I can add too that if you're using policyd2 for the outbound rate limiting, it stores the per-user tracking informtion in a database, which makes it really easy to monitor. If you tighten up the rules to something like a few hundred messages an hour and have your existing monitoring system do a simple sql query against the policyd db so you get alerted when someone trips the limit (or starts approaching the limit) you can respond to hijacked accounts pretty quickly and avoid most of the collateral damage. Charles -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: BCP on throttling outbound mail
On Jul 24, 2012, at 2:37 AM, Stan Hoeppner wrote: On 7/24/2012 12:44 AM, CSS wrote: On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote: On 7/23/2012 4:16 PM, CSS wrote: I'd like to take some measures to limit what an authenticated sender can do but not limit legitimate use. See: http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit You would apply this to your submission service, eg: 587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_connection_rate_limit=1 This limits spammers and legit users to 1 msg/min, 60 msgs per hour. Postfix is not psychic. This may be a problem for roaming users who send batches of mails when they get a connection--10 msgs takes 10 minutes. Thus, as with anything, some analysis and [re]tuning will be required. If you trust some users to never have their acct compromised, you can always create multiple submission services on different ports and have different limits for different sets of users, or even no limits for some. Not a perfect solution, but better than what you have now. If I can cobble this thing together, the quota module offers things like messages per day or per hour, which is a fairly reasonable way to restrict customers. Apparently you didn't read the docs I provided. http://www.postfix.org/postconf.5.html#anvil_rate_time_unit I actually have some rate-limiting already, but obviously not enough. The time unit over which client connection rates and other rates are calculated. Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds) Perhaps I'm misunderstanding this, but I was under the impression that the anvil limits were all enforced on a per-connection or per-IP limit. I'm really after something that can track a particular sasl-authenticated user and punish them (and not other users). I'll re-read what I can find on anvil again, the recommendations against its use in this situation may have been dated. Are there any other specific policy daemons I've missed that deal explicitly with rate-limiting? Probably. But I think you summarily discounted the inbuilt Postfix equivalent too quickly, without even looking at it. You can having it running in less than 60 seconds. Which I may just do in hopes it can provide a base level of protection. It seems like the internet as whole would certainly benefit from a dead-simple policy daemon that could thwart the attempts of spammers using hijacked credentials to spew their junk. You'd think humans beings would be smart enough to follow directions and use strong passwords, AV software, etc, and not fall for phishing scams. Your adversary in this war isn't the spammers, it's not the technology, but your users. I've worked with end users since 1995. They aren't changing. In fact, the facebook-ization of the internet is bringing us right back to the good old AOL days of walled gardens. Users are getting less, not more savvy. You should not be expending any more time/effort on the tech piece of the solution beyond finding the most basic rate limiting tool and enabling it to prevent spewage, right now. This is the smallest battle in this war. Funny, as I was speaking to my partner about this issue and he was wondering why all the spam wars are being fought on the recipient end - so many cpu cycles and hardware to filter the 20% or so of good mail from the bad. He could not grasp why the source of the spam could not be legislated away. The big battles are user education (AV software on their machines, safe surfing habits, anti-phish education, etc), and wholesale forcing all users to change to *enforced* strong passwords. I had suspected a guessable password, and I was wrong. This customer routinely calls in with various issues and the tech that works with them has the password so he can login to webmail as the customer and verify whatever oddity they see. It was not the best, but it was random, mixed-case, mixed numbers and letters. Was it a *unique* password? Probably not... The user related stuff wins this war. The tech portion merely decreases the amount of damage per clueless user battle. The war will be lost. TimeWarner, Comcast, Verizon and everyone else is not going to either lose customers by cutting off the ever-infected clueless or spend time (money) educating them... Charles -- Stan
Re: BCP on throttling outbound mail
On Jul 24, 2012, at 6:23 AM, Len Conrad wrote: At 04:16 PM 7/23/2012, you wrote: Hello, Sorry for the broad question, but is there any sort of best common practice these days regarding limiting outbound email? We recently had a customer's account compromised (not sure if it was brute-forced or keylogged) and then the perp proceeded to use their credentials to smtp-auth themselves a huge load of vxa spam. I'd like to take some measures to limit what an authenticated sender can do but not limit legitimate use. I assume this is not an uncommon scenario, but pointers from those with more Postfix experience would be quite welcome. I do have amavis available for outbound virus scanning, and could conceivably have it do the same with spam scanning but that feels not quite right (and probably fairly resource intensive if someone was trying to cram tens of thousands of messages through the system). Thanks, Charles I've been using postfwd.org for rate-limiting outbound senders, and inbound senders and IPs, plus lots of other inbound filtering, for a 2+ years. It killed our horrible problem of cracked passwords. If you could share some of the basics of that config, I'd love to see them. I looked at that briefly before slogging through policyd/cluebringer, and a (very quick) read of their intro page didn't make it obvious that you could track per-user message counts. Does anyone use the old non-perl policyd1? That looked like an easy setup, but it's quite old. For anyone interested, a very basic per-user (more specifically, per authenticated user, which is the only kind of user I've got outside of web apps submitting w/php) setup ended up being fairly easy to implement. The config is all sql-based, I'd be more than happy to share a dump of the config I ended up with. I have some doubts about how well it scales, and I've also added another single point of failure to all inbound and outbound email, but it does what it says it does. The policy I setup basically matches all sasl-authenticated users and puts them in a queue that limits them to 100 messages per hour. That's my starting point, I'll probably adjust it at some point. For web applications, I'm going to install ssmtp and configure that to send with a dedicated username which will have its own limits. Thanks, Charles Len
BCP on throttling outbound mail
Hello, Sorry for the broad question, but is there any sort of best common practice these days regarding limiting outbound email? We recently had a customer's account compromised (not sure if it was brute-forced or keylogged) and then the perp proceeded to use their credentials to smtp-auth themselves a huge load of viagra spam. I'd like to take some measures to limit what an authenticated sender can do but not limit legitimate use. I assume this is not an uncommon scenario, but pointers from those with more Postfix experience would be quite welcome. I do have amavis available for outbound virus scanning, and could conceivably have it do the same with spam scanning but that feels not quite right (and probably fairly resource intensive if someone was trying to cram tens of thousands of messages through the system). Thanks, Charles
Re: BCP on throttling outbound mail
On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote: On 7/23/2012 4:16 PM, CSS wrote: I'd like to take some measures to limit what an authenticated sender can do but not limit legitimate use. See: http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit You would apply this to your submission service, eg: 587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_connection_rate_limit=1 This limits spammers and legit users to 1 msg/min, 60 msgs per hour. Postfix is not psychic. This may be a problem for roaming users who send batches of mails when they get a connection--10 msgs takes 10 minutes. Thus, as with anything, some analysis and [re]tuning will be required. If you trust some users to never have their acct compromised, you can always create multiple submission services on different ports and have different limits for different sets of users, or even no limits for some. Not a perfect solution, but better than what you have now. I'm looking at policyd2/cluebringer as well, but it's non-intuitive to say the least. Install is easy, hooking in to postfix is easy, but there's a huge lack of howto docs on configuring the actual policies for specific use cases. The quota module looks great, but getting data into the config to delineate internal vs. external domains (and what about a sasl-authenticated user sending from another domain?) is quite challenging. If I can cobble this thing together, the quota module offers things like messages per day or per hour, which is a fairly reasonable way to restrict customers. Are there any other specific policy daemons I've missed that deal explicitly with rate-limiting? It seems like the internet as whole would certainly benefit from a dead-simple policy daemon that could thwart the attempts of spammers using hijacked credentials to spew their junk. Thanks, Charles -- Stan
Re: Replacing sendmail with postfix for local mail in FreeBSD
On Feb 10, 2012, at 3:42 PM, Jorge Luis Gonzalez wrote: I'm posting this to the postfix list rather than the FreeBSD list because I've found the level of expertise here to be almost unsurpassed. In trying to substitute postfix for sendmail on FreeBSD 8.0, I've come across a problem with mail sent from the command line (including mail from the syslogd daemon). No matter what I do to disable the sendmail binary (using mailwrapper) sendmail seems to grab port 25 on the localhost and any mail sent from the command line that's destined for a local account is shunted off, even while the mail reaches procmail and is properly forwarded to gmail as per my recipe. Your logs don't indicate sendmail listening on port 25 at all. You should post the sendmail_* lines in /etc/rc.conf and the contents of /etc/mail/mailer.conf. What you're showing here really looks like you don't have mailer.conf properly configured. Thanks, Charles After going through all the steps of disabling sendmail in rc.conf and setting up mainwrapper I am getting the following error: [satyr ~]$ mail -s test jorge test . [satyr ~]$ WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25) can not chdir(/var/spool/clientmqueue/): Permission denied Program mode requires special privileges, e.g., root or TrustedUser. Here's the corresponding logfile entry, which seems pretty clearly to point to the (presumably) disabled sendmail: satyr# tail /var/log/maillog Feb 9 09:16:00 satyr sendmail[63415]: NOQUEUE: SYSERR(jorge): can not chdir(/var/spool/clientmqueue/): Permission denied Here are the permissions and owners of the queue: satyr# ls -ld /var/spool/clientmqueue/ drwxrwx--- 2 smmsp smmsp 512 Feb 9 06:57 /var/spool/clientmqueue/ I then ran across the following sendmail README on FreeBSD: [...] As of sendmail 8.12, in order to improve security, the sendmail binary no longer needs to be set-user-ID root. Instead, a set-group-ID binary accepts command line mail and relays it to a full mail transfer agent via SMTP. A group writable client mail queue (/var/spool/clientmqueue/ by default) holds the mail if an MTA can not be contacted. To accomplish this, under the default setup, an MTA must be listening on localhost port 25. If the rc.conf sendmail_enable option is set to NO, a sendmail daemon will still be started and bound only to the localhost interface in order to accept command line submitted mail (note that this does not work inside jail(2) systems as jails do not allow binding to just the localhost interface). If this is not a desirable solution, it can be disabled using the sendmail_submit_enable rc.conf option. However, if both sendmail_enable and sendmail_submit_enable are set to NO [this is true in my case], you must do one of two things for command line submitted mail: 1. Designate an alternative host for the submission agent to contact by altering /etc/mail/freebsd.submit.mc (or setting SENDMAIL_SUBMIT_MC in /etc/make.conf to an alternate .mc file) and using 'make install-submit-cf' in /etc/mail/. Change the FEATURE(msp) line to FEATURE(msp, hostname) where hostname is the fully qualified hostname of the alternative host. Or: 2. Return to using a set-user-ID root sendmail binary by changing the ownership and permissions on the sendmail binary and removing the /etc/mail/submit.cf file: chown root /usr/libexec/sendmail/sendmail chmod 4755 /usr/libexec/sendmail/sendmail rm /etc/mail/submit.cf If you install from source, set the SENDMAIL_SET_USER_ID flag in /etc/make.conf. [...] The first of the two suggestions isn't an option for me; I control only this single mailserver. And I'm not quite sure about the second: I'd rather avoid a set-user-ID root sendmail if possible. I just want postfix to handle mail that comes from the command line destined for localhost 25. In case there's something I can do inside postfix so that it binds the daemon to localhost 25 before the vestigal sendmail gets there, here are my postfix settings: [satyr ~]$ postconf -n alias_database = hash:/etc/mail/aliases alias_maps = hash:/etc/mail/aliases allow_percent_hack = no append_at_myorigin = yes append_dot_mydomain = no biff = no bounce_queue_lifetime = 4h bounce_size_limit = 1 broken_sasl_auth_clients = yes command_directory = /usr/local/sbin config_directory = /usr/local/etc/postfix daemon_directory = /usr/local/libexec/postfix data_directory = /var/db/postfix default_destination_concurrency_limit = 10 default_privs = nobody delay_warning_time = 1h disable_vrfy_command = yes fast_flush_domains = $relay_domains header_checks = regexp:/etc/postfix/header_checks html_directory = no inet_interfaces = all local_destination_concurrency_limit = 2 local_recipient_maps = unix:passwd.byname, $alias_maps luser_relay = mail_name = $mydomain Mail Daemon mail_owner = postfix
Re: Replacing sendmail with postfix for local mail in FreeBSD
On Feb 10, 2012, at 10:29 PM, Jorge Luis Gonzalez wrote: On Fri, Feb 10, 2012 at 10:15 PM, Wietse Venema wie...@porcupine.org wrote: What happens when you execute /usr/sbin/mailwrapper by hand? (it should complain about no mapping in /etc/mail/mailer.conf). [jorge@satyr ~]$ /usr/sbin/mailwrapper -oem -oi jorge /etc/motd WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25) That is not right. Your mailwrapper program has been replaced. You're quite right, I believe: satyr# ls -l /usr/sbin/mailwrapper lrwxr-xr-x 1 root wheel 30 Feb 8 10:36 /usr/sbin/mailwrapper - /usr/libexec/sendmail/sendmail satyr# ls -l /usr/sbin/sendmail lrwxr-xr-x 1 root wheel 21 Feb 8 16:20 /usr/sbin/sendmail - /usr/sbin/mailwrapper How do I rectify this? If you've got the src tree installed, it looks like you can pretty easily build and reinstall mailwrapper: cd /usr/src/usr.sbin/mailwrapper make obj depend make install Pulling it out of the base distribution is probably kind of a pain, but if you've got the livefs cd/dvd you could easily grab it from there. Perms are basic, world read and execute, owner root:wheel. Make sure you get rid of those symlinks first though. Thanks, Charles Thanks very much, Jorge -- Jorge Luis González jlg.in...@gmail.com http://people.umass.edu/jlg/
routing mail based on inbound port?
Hello, This is a bit of an odd question, and I don't see an obvious way to do this, but perhaps there's a non-obvious way. We're looking to try Postfix out in some queues that would benefit from Postfix's throttling and rate-limiting features, and I'm trying to model this after our current qmail implementation, or at least get a fairly similar setup working. We currently have our own internal mail router that splits inbound mailing list messages based on both sender and destination. It then directs the message(s) to the appropriate qmail instance via qmqp. We run multiple qmail instances on each host, and each instance listens on a different qmqp port and also has different config parameters (outgoing IP, remote concurrency). I've had no issues with the qmqpd server in Postfix, but I'm trying to figure out a way to route mail to a different transport based on which qmqpd listener the message came in on. In other words, if I've got multiple qmqp listeners on ports 628 through 640, I want to map messages from each listener to a specific outbound smtp transport. If a message comes in on a qmqp listener on port 628, I want it to use transport1, if it comes in on the listener on port 629, I want it to use transport2. Each transport would have a different outgoing IP, different concurrency settings, etc. I would like to avoid running multiple full instances of Postfix because I think having one shared queue will likely perform better. Any ideas on how to accomplish this? Thanks, Charles