[pfx] Re: dnsbl submissions

2024-07-07 Thread Cody Millard via Postfix-users
As of the first week of 2021, the Composite Blocklist (CBL) is being 
retired. This data, however, is included in the eXploits Blocklist 
(XBL). We advise any users currently accessing the CBL through 
cbl.abuseat.org to reconfigure and query xbl.spamhaus.org.


https://www.spamhaus.org/resource-hub/dnsbl/update-for-composite-blocklist-cbl-users/

Might change the RBL that is being used, as cbl.abuseat.org was retired 
in 2021.




Every main.cf config I've seen uses commas. I've added them to your quote 
below.


On 7/6/2024 11:18 PM, Nick Edwards via Postfix-users wrote:

Main:
submission_recipient_restrictions =
        reject_rbl_client cbl.abuseat.org=127.0.0.[2..255],
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject



Is submission_recipient_restrictions a real config parameter? 
Shouldn't it be smtpd_recipient_restrictions?
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: DQS key in error responses

2024-06-23 Thread Cody Millard via Postfix-users

Check out this link showing an example Postfix configuration.

https://portal.spamhaus.com/dqs/#3.1.2

I found it to be very helpful in displaying the ranged syntax that 
spamhaus supports.


On 6/22/2024 4:25 PM, Bill Cole via Postfix-users wrote:
On 2024-06-22 at 16:58:26 UTC-0400 (Sat, 22 Jun 2024 16:58:26 -0400 (EDT))

Wietse Venema via Postfix-users 
is rumored to have said:


Bill Cole via Postfix-users:

On 2024-06-22 at 15:19:42 UTC-0400 (Sat, 22 Jun 2024 15:19:42 -0400 (EDT))
Wietse Venema via Postfix-users 
is rumored to have said:

[...]

The rbl_reply_maps are searched with the domain specified with
reject_rbl_client.

That includes the optional "=address" portion, added in Postfix
2.8, but that was not added to the much older rbl_reply_maps
documentation.

There is an rbl_reply_maps example (a hash map) at
https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html 



    your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]  554 $rbl_class $rbl_what blocked using ZEN - see ... for details


Are you certain that the range syntax works?


Absolutely. If you specify

    reject_rbl_client string-with-complex-syntax

Then the rbl_reply_maps search key will be that 
string-with-complex-syntax.


OK. Right now I have multiple items like this in 
smtpd_recipient_restrictions


    reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.2
    reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.3
    [... etc.]

So the string being searched is 'KEY.zen.dq.spamhaus.net=127.0.0.2', 
but if I consolidated those into a single restriction:


reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.[2..11]

that would then search for 'KEY.zen.dq.spamhaus.net=127.0.0.[2..11]', 
matching the existing map entry.



Is that correct?





[pfx] DQS key in error responses

2024-06-22 Thread Cody Millard via Postfix-users

Hello list.

I included Spamhaus XBL in client restrictions for my server. An error 
is supplied to the individual/bot that is trying to connect that looks 
like the following:

Transcript of session follows. Out: 554 5.7.1 Service unavailable; 
Client host [57.152.56.248] blocked using .xbl.dq.spamhaus.net; 
Listed by XBL, see https://check.spamhaus.org/query/ip/57.152.56.248 In: 
??? Out: 500 5.5.2 Error: bad UTF-8 syntax In: Out: 500 5.5.2 Error: bad 
UTF-8 syntax In: ? Out: 221 2.7.0 Error: I can break rules, too. 
Goodbye. For other details, see the local mail logfile

You can see my DQS key in the error sent to the client. Is this a 
problem? If so, how could I remove the DQS key from the response?


[pfx] Re: Best practices?

2024-06-19 Thread Cody Millard via Postfix-users

Mornin'

# Error reporting
error_notice_recipient = postmaster@email.broker 
#https://www.postfix.org/postconf.5.html#error_notice_recipient
notify_classes = bounce, delay, policy, protocol, resource, software 
#https://www.postfix.org/postconf.5.html#notify_classes

The above will ensure many errors are reported directly to the 
postmaster's inbox. The default is to only notify of resource and 
software class errors; I have also included the bounce, delay, policy, 
and protocol classes in my config. There are about 20-40 emails a day 
depending on the tenacity of the bots.



On 6/19/2024 4:27 AM, Matt Kinni via Postfix-users wrote:

On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:

smtpd_helo_restrictions =
 ...
 reject_non_fqdn_helo_hostname,
 ...

I've found this to block some legitimate mails in the past from Bank of
America, so you may want to grep your logs for "Helo command rejected:
Host not found" just in case!

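Matt's suggestion to grep the logs, as an added example that is not from the thread or from Postfix: a Python pass over smtpd reject lines that groups HELO rejections by reason and flags clients that keep retrying against a 4xx reply, the pattern a legitimate but misconfigured sender leaves behind. The log lines are constructed samples in Postfix's reject format using example.* hosts and documentation addresses, and the "retrying sender" heuristic is this example's own.

```python
import re
from collections import Counter

# Constructed sample log lines in Postfix's smtpd reject format (not real
# traffic; example.* hosts and RFC 5737 documentation addresses only).
SAMPLE_LOG = """\
Jun 19 04:01:12 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 504 5.5.2 <mailhost>: Helo command rejected: need fully-qualified hostname; from=<alerts@example.com> to=<me@example.net> proto=ESMTP helo=<mailhost>
Jun 19 04:02:40 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mta7.example.org[198.51.100.7]: 450 4.7.1 <mta7.example.org>: Helo command rejected: Host not found; from=<news@example.org> to=<me@example.net> proto=ESMTP helo=<mta7.example.org>
Jun 19 04:03:05 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<x@y> to=<me@example.net> proto=SMTP helo=<localhost>
Jun 19 04:32:30 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mta7.example.org[198.51.100.7]: 450 4.7.1 <mta7.example.org>: Helo command rejected: Host not found; from=<news@example.org> to=<me@example.net> proto=ESMTP helo=<mta7.example.org>
Jun 19 04:33:01 mx postfix/smtpd[2103]: connect from unknown[203.0.113.9]
"""

# One smtpd reject line: client name, client IP, reply code, HELO name,
# rejection reason (the text Matt suggests grepping for) and envelope sender.
HELO_REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<helo>[^>]*)>: Helo command rejected: "
    r"(?P<reason>[^;]+); from=<(?P<sender>[^>]*)>")

def helo_rejections(log_text):
    """Group HELO rejections by reason: reason -> Counter keyed by
    (helo, client ip, sender, reply code)."""
    summary = {}
    for line in log_text.splitlines():
        m = HELO_REJECT.search(line)
        if m:
            bucket = summary.setdefault(m["reason"], Counter())
            bucket[(m["helo"], m["ip"], m["sender"], m["code"])] += 1
    return summary

def retrying_senders(summary, min_count=2):
    """Heuristic (this example's own): a client rejected with a 4xx reply
    at least min_count times is an MTA retrying; review it before it gives
    up and the mail bounces at the sender's end."""
    hits = []
    for reason, bucket in summary.items():
        for (helo, ip, sender, code), n in bucket.items():
            if code.startswith("4") and n >= min_count:
                hits.append((helo, ip, sender, reason, n))
    return sorted(hits, key=lambda h: -h[4])

if __name__ == "__main__":
    for helo, ip, sender, reason, n in retrying_senders(helo_rejections(SAMPLE_LOG)):
        print(f"{n}x {reason}: helo=<{helo}> client={ip} from=<{sender}>")
```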


[pfx] Re: Best practices?

2024-06-18 Thread Cody Millard via Postfix-users

Hi Viktor.

Please check my original post. Your comments are on the postfix defaults 
and not my current settings.


As for why I set these explicitly, I figured that more random bits means 
more secure.


tls_random_bytes = 64
tls_daemon_random_bytes = 64

On 6/18/2024 9:56 PM, Viktor Dukhovni via Postfix-users wrote:

On Tue, Jun 18, 2024 at 04:15:33PM -0500, Cody Millard via Postfix-users wrote:


The defaults for those settings, as far as postfix is concerned, are as
follows:

smtpd_tls_auth_only = no

Why? Surely, "yes" is the better choice...


smtpd_tls_security_level =

Why empty?  Surely "may" is the better choice, with suitable settings
for the certificate chain file and key file?


tls_random_bytes = 32
tls_daemon_random_bytes = 32

Why set these explicitly?




[pfx] Re: Best practices?

2024-06-18 Thread Cody Millard via Postfix-users

I am not sure what SRS or AUC are right now.

The defaults for those settings, as far as postfix is concerned, are as 
follows:


smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = no
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = >=TLSv1
smtpd_tls_security_level =
tls_random_bytes = 32
tls_daemon_random_bytes = 32


As for which is better... I couldn't say. I have configured these to the 
more secure according to my understanding of 
https://www.postfix.org/postconf.5.html

And tbh, it's probably overkill. I'm not hiding state secrets.


On 6/16/2024 8:20 PM, Jeff Peng via Postfix-users wrote:




# SMTPd SERVER TLS/SSL Settings
tls_daemon_random_bytes = 64
tls_random_bytes = 64
smtpd_tls_cert_file = /etc/letsencrypt/live/email.broker/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/email.broker/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_mandatory_protocols = >=TLSv1.2
# SASL settings
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
# Moved to master.cf
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = no



For SSL stuff, is it better to use the system defaults?
I am also the postmaster of tls-mail.com. I have a suggestion that, 
for your homepage, can you add the protocol of SRS and AUC?


regards.
Jeff




[pfx] Best practices?

2024-06-16 Thread Cody Millard via Postfix-users

Hi list.

I am a novice postmaster that started an email server last year.

There is nothing wrong that I can currently tell but I am the only user 
and there is only so much that I can test.


Here are my config files; I am curious to know what seasoned postmasters 
think.



MAIN.CF-

# General server settings
myhostname = EMAIL.BROKER
mydomain = EMAIL.BROKER
myorigin = EMAIL.BROKER
mydestination = localhost
mynetworks = 127.0.0.1
inet_interfaces = all
inet_protocols = ipv4
compatibility_level=3.6

# SMTPd SERVER Settings
smtpd_banner = EMAIL.BROKER ESMTP

# Error reporting
error_notice_recipient = postmaster@email.broker
notify_classes = bounce, delay, policy, protocol, resource, software

# SMTP CLIENT SETTINGS
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may

smtp_tls_loglevel = 1

# https://www.postfix.org/header_checks.5.html
# FILTERS WHILE DELIVERING MAIL
smtp_header_checks = regexp:/etc/postfix/outgoing_header_checks
smtp_mime_header_checks = regexp:/etc/postfix/outgoing_header_checks

# LMTP settings
lmtp_sasl_security_options= noanonymous

# SMTPd SERVER TLS/SSL Settings
tls_daemon_random_bytes = 64
tls_random_bytes = 64
smtpd_tls_cert_file = /etc/letsencrypt/live/email.broker/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/email.broker/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_mandatory_protocols = >=TLSv1.2
# SASL settings
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
# Moved to master.cf
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = no

# http://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline
smtpd_forbid_bare_newline = yes

# COMMENTED OUT: Supposed to be handled by RSPAMD.
#rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map

# INCOMING connection restrictions
# Client restrictions
smtpd_client_auth_rate_limit = 1
smtpd_client_restrictions =
    reject_unauth_pipelining,
# Supposed to be handled by RSPAMD.
#    reject_rhsbl_sender .dbl.dq.spamhaus.net=127.0.1.[2..99],
#    reject_rhsbl_helo .dbl.dq.spamhaus.net=127.0.1.[2..99],
#    reject_rhsbl_reverse_client .dbl.dq.spamhaus.net=127.0.1.[2..99],
#    reject_rhsbl_sender .zrd.dq.spamhaus.net=127.0.2.[2..24],
#    reject_rhsbl_helo .zrd.dq.spamhaus.net=127.0.2.[2..24],
#    reject_rhsbl_reverse_client .zrd.dq.spamhaus.net=127.0.2.[2..24],
#    reject_rbl_client .zen.dq.spamhaus.net=127.0.0.[2..255]
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    reject_unauth_pipelining,
    check_reverse_client_hostname_access mysql:/etc/postfix/mysql-ptr_rejections.cf,
    check_client_access mysql:/etc/postfix/mysql-ptr_rejections.cf

# HELO restrictions
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    check_helo_access mysql:/etc/postfix/mysql-helo_access.cf

# DELAYS
# Limit errors allowed by clients before slowing down server responses.
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 5
smtpd_error_sleep_time = 10
# Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait until the ETRN command before evaluating $sm>
smtpd_delay_reject = no
# Postpone the start of an SMTP mail transaction until a valid RCPT TO command is received.
smtpd_delay_open_until_valid_rcpt = no
# The maximal number of connection attempts any client is allowed to make to this service per time unit.
smtpd_client_connection_rate_limit = 10
# The maximal number of new (i.e., uncached) TLS sessions that a remote SMTP client is allowed to negotiate with this service per time unit.
smtpd_client_new_tls_session_rate_limit = 5

# Alias settings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
recipient_delimiter = +

# Virtual Mailbox settings
virtual_mailbox_base = /var/vmail/
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
    mysql:/etc/postfix/mysql-email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-email2email.cf,
    mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# RSPAMD Integration
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

# Increase the maximal number of error/delivery retries
maximal_queue_lifetime = 7d
bounce_queue_lifetime = 7d
maximal_backoff_time = 4h
minimal_backoff_time = 15m

# Leave enabled.