[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
Oh. I thought I would see them like I see these 10025 entries: Jun 29 00:00:02 cjbnew postfix/smtp[15813]: < 127.0.0.1[127.0.0.1]:10025: 220 filter.mynetwork.local ESMTP including the port number. I added your suggestion and I see the traffic now for spampd but 10026 is not mentioned in those log entries. Just saying looks like my expectations were off... On 6/29/24 11:59, Matus UHLAR - fantomas via Postfix-users wrote: On 29.06.24 10:28, Curtis J Blank via Postfix-users wrote: I meant to mention I do not see any connections/traffic on port 10026 in the mail logs. see how? You haven't overridden the syslog_name in smtpd options on port 10026. The logs in your original mail: Jun 27 00:00:01 cjbnew*mydomain postfix/smtpd[20770]: connect from localhost[::1] are mostly related to port 10026. Add " -o syslog_name=postfix/spampd-in" to master.cf options to see them ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
I meant to mention I do not see any connections/traffic on port 10026 in the mail logs. -Curt On 6/29/24 10:21, Curtis J Blank via Postfix-users wrote: On 6/29/24 04:01, Matus UHLAR - fantomas via Postfix-users wrote: On 29.06.24 01:41, Curtis J Blank via Postfix-users wrote: No I am not confusing inbound and outbound not you, someone other perhaps :-) and for this I'm only concerned about inbound and actually only on ports 10024-26 that are for lack of a better way to put it a customization. :10026 inet n - n - 10 smtpd ... -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 This is the problem, together with setting spampd to deliver to "localhost". This causes acept mail on port 10026, both ipv4 and ipv6 (when inet_protocols set to "all") but if spampd is set to deliver to "localhost" and uses ipv6, all the recipients are rejected because ipv6 localhost is not in mynetworks. if you want this settings work with ipv6 too, you must add [::1] to mynetworks: -o mynetworks=127.0.0.0/8,[::1] I do not necessarily want it to work with ::1, this is how spampd is current running: SPAMPD_OPTIONS="--host=127.0.0.1:10025 --relayhost=127.0.0.1:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan" -Curt ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
On 6/29/24 09:38, Bill Cole via Postfix-users wrote: On 2024-06-28 at 23:45:33 UTC-0400 (Fri, 28 Jun 2024 22:45:33 -0500) Curtis J Blank via Postfix-users is rumored to have said: OK I tired this. What "mydestination" is set to does not matter whether it's localhost or 127.0.0.1 if spampd is set to use localhost and not 127.0.0.1 it will not work. So I'm convinced that was the root cause of my problem, spampd set to use localhost when postfix is set to use 127.0.01 explicitly. If anyone can explain the detailed why I am curious to know. It's fairly simple: *anywhere* you configure a loopback in the modern world, you need to use the same way of doing it, and sticking with a loopback IP instead of "localhost" is the best approach because different software (e.g. spampd and Postfix) may resolve the name differently to only either a v4 or v6 address. Generally speaking, when configuring any listener, using an explicit address is the best approach because that way you don't have the potential for the name being resolved in unexpected ways Thanks. That is what I did with postfix's conf and now with spampd's config. -Curt ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
On 6/29/24 08:40, Ralph Seichter via Postfix-users wrote: * Curtis J. Blank via Postfix-users: Everything except this that is: mydestination = $myhostname, localhost.$mydomain, $mydomain, www.$mydomain Should this be set to: mydestination = $myhostname, 127.0.0.1.$mydomain, $mydomain, www.$mydomain To keep ::1 from being used? No, that is not what 'mydestination' governs. In the above setting localhost is a string literal, so it means mydestination = ... localhost.example.com ... after variable expansion. That tells Postfix that recipients like j...@localhost.example.com designate "local delivery addresses." The Postfix documentation explains this better and in more detail, but changing to 127.0.0.1.example.com won't do you any good. Thanks. Yeah that is what I found out when I tried it so it is set as it was. -Curt -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
On 6/29/24 04:01, Matus UHLAR - fantomas via Postfix-users wrote: On 29.06.24 01:41, Curtis J Blank via Postfix-users wrote: No I am not confusing inbound and outbound not you, someone other perhaps :-) and for this I'm only concerned about inbound and actually only on ports 10024-26 that are for lack of a better way to put it a customization. :10026 inet n - n - 10 smtpd ... -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 This is the problem, together with setting spampd to deliver to "localhost". This causes acept mail on port 10026, both ipv4 and ipv6 (when inet_protocols set to "all") but if spampd is set to deliver to "localhost" and uses ipv6, all the recipients are rejected because ipv6 localhost is not in mynetworks. if you want this settings work with ipv6 too, you must add [::1] to mynetworks: -o mynetworks=127.0.0.0/8,[::1] I do not necessarily want it to work with ::1, this is how spampd is current running: SPAMPD_OPTIONS="--host=127.0.0.1:10025 --relayhost=127.0.0.1:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan" -Curt ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
No I am not confusing inbound and outbound and for this I'm only concerned about inbound and actually only on ports 10024-26 that are for lack of a better way to put it a customization. -Curt postconf -Mf smtp inet n - n - - smtpd submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache postlog unix-dgram n - n - 1 postlogd scan unix - - n - 10 smtp :10026 inet n - n - 10 smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o myhostname=filter.mynetwork.local -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_use_tls=no -o smtp_use_tls=no spamtnsp unix - n n - - local -o alias_maps=lmdb:/etc/aliaases On 6/29/24 01:26, Peter via Postfix-users wrote: On 29/06/24 18:09, Curtis J Blank via Postfix-users wrote: I don't know how many times now I have said this but I will day it again. I have postfix set up to only listen on/use 127.0.0.1 *not* ::1. What postfix listens on is irrelevant, this has to do with which IP postfix connects to spampd with. And. I am not using spamd, it listens on port 783. I am using spampd which shows up as perl because is it written in perl and it listens on 10025. Okay, but that does not change things. Here is the proof: new:/etc/postfix # netstat -putan |grep -e ^Active -e ^Proto -e 127\.0\.0\.1\: -e \:\:1\: This shows nothing of interest, except that perl is only listening on 127.0.0.1 which we already knew because you changed that setting just now. Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2360/cupsd tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 2441/spamd tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 5063/amavisd (maste tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 13980/perl tcp6 0 0 ::1:783 :::* LISTEN 2441/spamd tcp6 0 0 ::1:631 :::* LISTEN 2360/cupsd tcp6 0 0 ::1:10024 :::* LISTEN 5063/amavisd (maste udp 0 0 127.0.0.1:323 0.0.0.0:* 2399/chronyd udp 0 0 127.0.0.1:659 0.0.0.0:* 2580/rpc.statd udp6 0 0 ::1:323 :::* 2399/chronyd new:/etc/postfix # So you said " Ideally you want to either configure postfix to never try to connect to ::1 (but only connect to 127.0.0.1)". That is one of two possible solutions that I proposed. That is what I want and I've been saying all along that that is how I have it configured. Unless I'm totally not understanding something here... You are confusing outbound connections with inbound (listening) connections. You are also confusing what different settings do. It is obvious that postfix is configured to connect to ::1 because it *is* attempting to connect to ::1. Postfix does not go against its configuration. content_filter = scan:[127.0.0.1]:10025 This is the setting that controls the connection, but it's connecting through the scan: service which
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
ect_code = 550 unknown_local_recipient_reject_code = 550 unverified_recipient_reject_code = 550 virtual_alias_domains = lmdb:/etc/postfix/virtual virtual_alias_maps = lmdb:/etc/postfix/virtual On 6/28/24 23:27, Peter via Postfix-users wrote: On 29/06/24 15:16, Curtis J Blank via Postfix-users wrote: Peter, my misunderstanding, sorry. This is what I discovered today in my testing. I explicitly used 127.0.0.1 and not localhost or so I thought, I explain that below. Back on topic. I did some more testing. This was the spampd options used: SPAMPD_OPTIONS="--host=localhost:10025 --relayhost=localhost:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan" I changed it to: SPAMPD_OPTIONS="--host=127.0.0.1:10025 --relayhost=127.0.0.1:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan" This would work, kind of, but not the way that you think, see below. There is no global mynetworks = something in main.cf. mynetworks is immaterial to this, it has nothing to do with this issue. inet_protocols was set back to: inet_protocols = all And all works just fine. So, spampd set to use localhost when everything in postfix was set to use 127.0.0.1 probably explains why smtp thought spampd was trying to relay via a ::1 connection and denied it. So the change you made to spamd changed it so that it no longer listens on ::1 but rather it now just listens on 127.0.0.1, before it was listening on both (being set to localhost). There is another setting which you have set to 127.0.0.1 which controls which connections spamd will accept mail from, this is not the same setting as the one you just changed. So before you had spamd listening on both 127.0.0.1 and on ::1 but only accepting mail from 127.0.0.1, so if postfix tried to connect from 127.0.0.1 spamd would be happy, but if postfix tried to connect from ::1 spamd would answer the connection (because it's listening) allow postfix to continue with the RCPT TO stage and then reject the message with a 454 relay access denied response, this causes Postfix to defer the connection and retry it at a later time, and when it retries there is a good chance it will try ::1 again. So Postfix sees a good connection but the spamd is deferring the message. So what is likely happening now is Postfix still attempts to connect to ::1 (because you didn't change the postfix settings in this regard) but spamd is no longer listening on ::1 so postfix cannot connect at all. Postfix seeing this then immediately tries to connect to 127.0.0.1 and is able to connect to spamd and relay the message. So Postfix is still configured to connect to the wrong IP but because spamd isn't even listening on that IP address at all postfix tries the next possibility which is the correct IP and it does so right away because there is no deferral. Note that this is not the most ideal way of solving the problem. Ideally you want to either configure postfix to never try to connect to ::1 (but only connect to 127.0.0.1) or you want to configure spamd both listen and accept messages on both ::1 and 127.0.0.1. This way there should never even be an attempt to connect to a non-working address (unless spamd actually is down). But the part I still don't understand is why smtp was trying to use ::1 when everything postfix wise is set to use 127.0.0.1. To answer that I would need to see your config, specifically the output of the two commands I gave you before. Everything except this that is: mydestination = $myhostname, localhost.$mydomain, $mydomain, www.$mydomain Should this be set to: mydestination = $myhostname, 127.0.0.1.$mydomain, $mydomain, www.$mydomain mydestination has nothing to do with this issue. To keep ::1 from being used? If so oversight on my part, not thinking that through, so setting it to 127.0.0.1 would probably allow me to revert the spamd options back to what they were. Maybe I'll just try it and see. Send your config. Peter ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
OK I tired this. What "mydestination" is set to does not matter whether it's localhost or 127.0.0.1 if spampd is set to use localhost and not 127.0.0.1 it will not work. So I'm convinced that was the root cause of my problem, spampd set to use localhost when postfix is set to use 127.0.01 explicitly. If anyone can explain the detailed why I am curious to know. Thanks, -Curt On 6/28/24 22:16, Curtis J Blank via Postfix-users wrote: Peter, my misunderstanding, sorry. This is what I discovered today in my testing. I explicitly used 127.0.0.1 and not localhost or so I thought, I explain that below. Back on topic. I did some more testing. This was the spampd options used: SPAMPD_OPTIONS="--host=localhost:10025 --relayhost=localhost:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan" I changed it to: SPAMPD_OPTIONS="--host=127.0.0.1:10025 --relayhost=127.0.0.1:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan" There is no global mynetworks = something in main.cf. inet_protocols was set back to: inet_protocols = all And all works just fine. So, spampd set to use localhost when everything in postfix was set to use 127.0.0.1 probably explains why smtp thought spampd was trying to relay via a ::1 connection and denied it. But the part I still don't understand is why smtp was trying to use ::1 when everything postfix wise is set to use 127.0.0.1. Everything except this that is: mydestination = $myhostname, localhost.$mydomain, $mydomain, www.$mydomain Should this be set to: mydestination = $myhostname, 127.0.0.1.$mydomain, $mydomain, www.$mydomain To keep ::1 from being used? If so oversight on my part, not thinking that through, so setting it to 127.0.0.1 would probably allow me to revert the spamd options back to what they were. Maybe I'll just try it and see. -Curt On 6/28/24 21:01, Peter via Postfix-users wrote: On 29/06/24 03:17, Curtis J Blank via Postfix-users wrote: Well Peter all the "mynetworks =" that I have defined explicitly state 127.0.0.1 not localhost and all the logging shows 127.0.0.1 not localhost. So that is why I say I am using 127.0.0.1. So I cannot follow Ralph's suggestion changing localhost to 127.0.0.1 because there are no localhost's used in the configs to change. I never said the problem was with mynetworks, and neither did Ralph. Someone else said that and it's incorrect. The problem is with whatever setting you have pointing to localhost:10025 as per your initial email: "The problem was handing messages off to localhost:10025 for spamassassin to scan before delivery" ...this is likely your content_filter setting but could be done in other settings instead. Also, smtp_address_preference is not set to anything on the old server, it is set to "any" in the new server and I think you hit on the why I was looking for, thank you. Wonder if the default setting in 2.11 is ipv4 and not "any". The default in 2.11 is any and any is probably the best setting under most circumstances, except it will cause some attempts to be made to ipv6 and some to ipv4, so you'd get ransom rejections based on which is tried first. I was not aware of that parameter until you mentioned it and things like that are exactly why I started this thread. And I don't have compatibility_level set in the old sever either, it is set to 3.9 in the new server. Another one I was not aware of. 3.9 is where you want it set. Even though I did a line by line config comparison I glossed over things that weren't in the old and the new. I see in this case that was a mistake, those parameters by name are enough to clue me in. I will look to see what SA is set to use but I bet you're right. Again, thanks all, this really helps and I'm bet'n I'll be able to set "inet_protocols = all" shortly. You should either explicitly set [127.0.0.1]:10025 for your content_filter (or whatever setting you're using for that) or set your SpamAssassin config to accept the mail on both 127.0.0.1 and ::1. either of these whould work and are probably the best recommendation I can give for a fix. Peter ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list --postfix-users@postfix.org To unsubscribe send an email topostfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
Yeah I thought of including the config but that OP was long due to all the logging so I didn't want to make it longer. I did say in my OP I would provide anything if requested. -Curt On 6/28/24 21:11, Peter via Postfix-users wrote: On 29/06/24 05:59, Curtis J Blank via Postfix-users wrote: Always in a good mood. It's a waste not to be. When I'm focused on something I just state the facts as I understand them and sometimes that doesn't come across well. Yeah I know localhost can be either that's why I used 127.0.0.1 in the config and don't/didn't use localhost anywhere, as I later stated. I errored in my OP by not making that clear and using the word localhost. But to me localhost is 127.0.0.1, I don't even think about ::1 as far as localhost goes. I know I should. So that is why I can't understand why ::1:10025 was being used to do the SA connection and I still need to determine that why. We went by what you said in your OP. You never did post your config. It would help a great deal if you would post the output of: postconf -nf; postconf -Mf Peter ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
Peter, my misunderstanding, sorry. This is what I discovered today in my testing. I explicitly used 127.0.0.1 and not localhost or so I thought, I explain that below. Back on topic. I did some more testing. This was the spampd options used: SPAMPD_OPTIONS="--host=localhost:10025 --relayhost=localhost:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan" I changed it to: SPAMPD_OPTIONS="--host=127.0.0.1:10025 --relayhost=127.0.0.1:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan" There is no global mynetworks = something in main.cf. inet_protocols was set back to: inet_protocols = all And all works just fine. So, spampd set to use localhost when everything in postfix was set to use 127.0.0.1 probably explains why smtp thought spampd was trying to relay via a ::1 connection and denied it. But the part I still don't understand is why smtp was trying to use ::1 when everything postfix wise is set to use 127.0.0.1. Everything except this that is: mydestination = $myhostname, localhost.$mydomain, $mydomain, www.$mydomain Should this be set to: mydestination = $myhostname, 127.0.0.1.$mydomain, $mydomain, www.$mydomain To keep ::1 from being used? If so oversight on my part, not thinking that through, so setting it to 127.0.0.1 would probably allow me to revert the spamd options back to what they were. Maybe I'll just try it and see. -Curt On 6/28/24 21:01, Peter via Postfix-users wrote: On 29/06/24 03:17, Curtis J Blank via Postfix-users wrote: Well Peter all the "mynetworks =" that I have defined explicitly state 127.0.0.1 not localhost and all the logging shows 127.0.0.1 not localhost. So that is why I say I am using 127.0.0.1. So I cannot follow Ralph's suggestion changing localhost to 127.0.0.1 because there are no localhost's used in the configs to change. I never said the problem was with mynetworks, and neither did Ralph. Someone else said that and it's incorrect. The problem is with whatever setting you have pointing to localhost:10025 as per your initial email: "The problem was handing messages off to localhost:10025 for spamassassin to scan before delivery" ...this is likely your content_filter setting but could be done in other settings instead. Also, smtp_address_preference is not set to anything on the old server, it is set to "any" in the new server and I think you hit on the why I was looking for, thank you. Wonder if the default setting in 2.11 is ipv4 and not "any". The default in 2.11 is any and any is probably the best setting under most circumstances, except it will cause some attempts to be made to ipv6 and some to ipv4, so you'd get ransom rejections based on which is tried first. I was not aware of that parameter until you mentioned it and things like that are exactly why I started this thread. And I don't have compatibility_level set in the old sever either, it is set to 3.9 in the new server. Another one I was not aware of. 3.9 is where you want it set. Even though I did a line by line config comparison I glossed over things that weren't in the old and the new. I see in this case that was a mistake, those parameters by name are enough to clue me in. I will look to see what SA is set to use but I bet you're right. Again, thanks all, this really helps and I'm bet'n I'll be able to set "inet_protocols = all" shortly. You should either explicitly set [127.0.0.1]:10025 for your content_filter (or whatever setting you're using for that) or set your SpamAssassin config to accept the mail on both 127.0.0.1 and ::1. either of these whould work and are probably the best recommendation I can give for a fix. Peter ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
A bit off topic but it just happened to dawn on me that that Ethernet Tap I referred to was a H4000. My brain works that way. Just to see if my memory hadn't failed me I googled it. Yep H4000. And I even found a Wiki page on it with a picture of the backbone cable and the H4000. And the tool to drill the hole in the cable. When the DESTA came out and you could use Thinwire (coax) that was a revolution!. Yes I'm old. LOL https://gunkies.org/wiki/DEC_Ethernet_Transceivers On 6/28/24 12:59, Curtis J Blank via Postfix-users wrote: Always in a good mood. It's a waste not to be. When I'm focused on something I just state the facts as I understand them and sometimes that doesn't come across well. Yeah I know localhost can be either that's why I used 127.0.0.1 in the config and don't/didn't use localhost anywhere, as I later stated. I errored in my OP by not making that clear and using the word localhost. But to me localhost is 127.0.0.1, I don't even think about ::1 as far as localhost goes. I know I should. So that is why I can't understand why ::1:10025 was being used to do the SA connection and I still need to determine that why. I got my first computer at home in the late 70's. I cut my teeth on networking back in '79 on DECNET where Ethernet was a huge thick cable that you used a tool to drill a hole in and mount a Tap as it was called to branch off that backbone. TCP/IP was in it's infancy too at the time. That was over 30 years before ipv6 was around so localhost was 127.0.0.1 and now to me, oh yeah, ::1 is too now. -Curt On 6/28/24 12:09, Ralph Seichter via Postfix-users wrote: * Curtis J. Blank via Postfix-users: What I am looking for is pretty simple. How to get it to work with "inet_protocols = all" like my existing server is currently set up to do and not be limited to ipv4 only. Well, you seem to be in a good mood. ;-) And it is already set to use 127.0.0.1 so why it is using [::1] instead when the old server uses 127.0.01, that is part of the mystery. The configs are exactly the same yet they operate differently. Like I wrote, localhost is not the same as 127.0.0.1 or ::1. It is just a name that your server needs to resolve into an IP address, which is a possible source of two servers behaving differently. If you explicitly use IP addresses instead of localhost in your configuration (Postfix, SpamAssassin, etc., both for binding and connecting), as I suggested, you can avoid DNS related problems. This technique was old 20 years ago, but it still works today. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
Always in a good mood. It's a waste not to be. When I'm focused on something I just state the facts as I understand them and sometimes that doesn't come across well. Yeah I know localhost can be either that's why I used 127.0.0.1 in the config and don't/didn't use localhost anywhere, as I later stated. I errored in my OP by not making that clear and using the word localhost. But to me localhost is 127.0.0.1, I don't even think about ::1 as far as localhost goes. I know I should. So that is why I can't understand why ::1:10025 was being used to do the SA connection and I still need to determine that why. I got my first computer at home in the late 70's. I cut my teeth on networking back in '79 on DECNET where Ethernet was a huge thick cable that you used a tool to drill a hole in and mount a Tap as it was called to branch off that backbone. TCP/IP was in it's infancy too at the time. That was over 30 years before ipv6 was around so localhost was 127.0.0.1 and now to me, oh yeah, ::1 is too now. -Curt On 6/28/24 12:09, Ralph Seichter via Postfix-users wrote: * Curtis J. Blank via Postfix-users: What I am looking for is pretty simple. How to get it to work with "inet_protocols = all" like my existing server is currently set up to do and not be limited to ipv4 only. Well, you seem to be in a good mood. ;-) And it is already set to use 127.0.0.1 so why it is using [::1] instead when the old server uses 127.0.01, that is part of the mystery. The configs are exactly the same yet they operate differently. Like I wrote, localhost is not the same as 127.0.0.1 or ::1. It is just a name that your server needs to resolve into an IP address, which is a possible source of two servers behaving differently. If you explicitly use IP addresses instead of localhost in your configuration (Postfix, SpamAssassin, etc., both for binding and connecting), as I suggested, you can avoid DNS related problems. This technique was old 20 years ago, but it still works today. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
Thank you, Alexander, Matus, Jaroslaw, Peter, and Bill, just the kind of ideas I was looking for. My old postfix server is running 2.11 and I have not dealt much with postfix really since then because like I said it just worked, did what I needed it to do. Currently I'm working with 3.9 and I expected there to be changes. So no I did not validate that spamassassin was using 127.0.01 *and* ::1 because I was not expecting it too. Like I said the new server is configured as a carbon copy of the old server and the old server does not use ::1. When I say carbon copy I diff -y the config files and go through them line by line. Yes spamassassin is listening on 10025, amavis on 10024. netstat -tapn |grep :100 tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 4866/amavisd (maste tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 4791/perl tcp 0 0 0.0.0.0:10026 0.0.0.0:* LISTEN 4952/master tcp 0 0 :::10026 :::* LISTEN 4952/master I had not been using a global "mynetworks =" in the old server or the new server only using "-o mynetworsk =" where needed and no ::1 was not in any of them. Did not need to be because it worked without that on the old server. I did try a: "mynetworks = 127.0.0.0/8, 192.168.0.0/24" on the new server but that did not fix the problem I was having. Well Peter all the "mynetworks =" that I have defined explicitly state 127.0.0.1 not localhost and all the logging shows 127.0.0.1 not localhost. So that is why I say I am using 127.0.0.1. So I cannot follow Ralph's suggestion changing localhost to 127.0.0.1 because there are no localhost's used in the configs to change. Also, smtp_address_preference is not set to anything on the old server, it is set to "any" in the new server and I think you hit on the why I was looking for, thank you. Wonder if the default setting in 2.11 is ipv4 and not "any". I was not aware of that parameter until you mentioned it and things like that are exactly why I started this thread. And I don't have compatibility_level set in the old sever either, it is set to 3.9 in the new server. Another one I was not aware of. Even though I did a line by line config comparison I glossed over things that weren't in the old and the new. I see in this case that was a mistake, those parameters by name are enough to clue me in. I will look to see what SA is set to use but I bet you're right. Again, thanks all, this really helps and I'm bet'n I'll be able to set "inet_protocols = all" shortly. On 6/28/24 08:04, Bill Cole via Postfix-users wrote: On 2024-06-28 at 05:23:27 UTC-0400 (Fri, 28 Jun 2024 11:23:27 +0200) Matus UHLAR - fantomas via Postfix-users is rumored to have said: Who exactly listens on port 10025? looks like postfix sends mail to itself, or is it another postfix instance? Historically that has been a port commonly used for the SMTP proxy form of filtering using Amavis. Since SpamAssassin has no SMTP proxy function and his logs show both sides of a SMTP chat between 2 smtpd processes, I think Amavis is the most likely thing listening. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
What I am looking for is pretty simple. How to get it to work with "inet_protocols = all" like my existing server is currently set up to do and not be limited to ipv4 only. And it is already set to use 127.0.0.1 so why it is using [::1] instead when the old server uses 127.0.01, that is part of the mystery. The configs are exactly the same yet they operate differently. I want to know why. If you don't know and understand the root cause of something that is not a good position to be in going forward. Good enough is not good enough... On 6/28/24 00:40, Ralph Seichter via Postfix-users wrote: * Curtis J. Blank via Postfix-users: I would like to get some insight as to the cause and correct configuration to use. [...] Maybe it is simply too early in the morning for me to get your point, but what insight are you looking for, exactly? You already found out that localhost does not necessarily resolve to 127.0.0.1 if both IPv4 and IPv6 are used. That's not a problem. If you do need to make the distinction, you can be explicit by using either [127.0.0.1] or [::1] in your settings. Does this help? -Ralph ___ Postfix-users mailing list --postfix-users@postfix.org To unsubscribe send an email topostfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Handing off via localhost:10025 to spamassassin for scanning failure
I would like to get some insight as to the cause and correct configuration to use. Building a new server that in part is my postfix server and spent the last couple of days pulling my hair out trying to get it to deliver mail. I have an existing postfix server that has been working since 2014 maybe even back to 2011. I basically set up this new server exactly how the old one is set up. So this is not a newbie asking for help. The fix I finally figured out boggles my mind. The problem was handing messages off to localhost:10025 for spamassassin to scan before delivery, every attempt to do so was denied. Below is an explanation of what I found what I finally did to get it to work. If configs, logs, anything else is needed to diagnose this let me know, there's already a lot here so I figured i'd wait before I add more. When "inet_protocols = all" the connection to filter.mynetwork.local localhost port 10025 to hand off the message to spamassassin for scanning fails with "Relay access denied". What I finally noticed is that the connection in coming from "localhost[::1]" a ipv6 connection. So on a long-shot I changed "inet_protocols = ipv4" and then delivery worked. Jun 27 00:00:01 cjbnew*mydomain postfix/smtpd[20766]: connect from localhost[::1] Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 220 filter.mynetwork.local ESMTP Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: > 127.0.0.1[127.0.0.1]:10025: EHLO mydomain.com Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 250-filter.mynetwork.local Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 250-PIPELINING Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 250-SIZE Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 250-ETRN Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 250-ENHANCEDSTATUSCODES Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 250-8BITMIME Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 250-DSN Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 250-SMTPUTF8 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: < 127.0.0.1[127.0.0.1]:10025: 250 CHUNKING Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: server features: 0x20900f size 0 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: Using ESMTP PIPELINING, TCP send buffer size is 2626560, PIPELINING buffer size is 4096 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: > 127.0.0.1[127.0.0.1]:10025: MAIL FROM: SIZE=426 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: > 127.0.0.1[127.0.0.1]:10025: RCPT TO: ORCPT=rfc822;bobby@gmail.com Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: > 127.0.0.1[127.0.0.1]:10025: DATA Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20757]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0 Jun 27 00:00:01 cjbnew*mydomain postfix/smtpd[20770]: connect from localhost[::1] Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 220 filter.mynetwork.local ESMTP Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: > 127.0.0.1[127.0.0.1]:10025: EHLO mydomain.com Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 250-filter.mynetwork.local Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 250-PIPELINING Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 250-SIZE Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 250-ETRN Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 250-ENHANCEDSTATUSCODES Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 250-8BITMIME Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 250-DSN Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 250-SMTPUTF8 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: < 127.0.0.1[127.0.0.1]:10025: 250 CHUNKING Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: server features: 0x20900f size 0 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: Using ESMTP PIPELINING, TCP send buffer size is 2626560, PIPELINING buffer size is 4096 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: > 127.0.0.1[127.0.0.1]:10025: MAIL FROM: SIZE=417 Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: > 127.0.0.1[127.0.0.1]:10025: RCPT TO: ORCPT=rfc822;BobbyJoe@cjbnew Jun 27 00:00:01 cjbnew*mydomain postfix/smtp[20763]: >
[pfx] Stupid questions
Hello list, At least I think they're stupid questions. I'm running Postfix with rspamd which is a milter. At what point in the email conversation does the DKIM lookup happen? Does Postfix handle that or am I asking on the wrong list and I should be asking the question on the rspamd list? I'm getting a DNS failure on my setup that gmail is not getting. It's a delegated subdomain. I'm getting this temp error. the relevant message header is below. Authentication-Results: sirius.xyonet.com; dkim=temperror ("DNS error when getting key") header.d=news.circadian.com header.s=default header.b=KGxjxIVc; spf=temperror (sirius.xyonet.com: error in processing during lookup ofxyo...@news.circadian.com: DNS error)smtp.mailfrom=xyo...@news.circadian.com; dmarc=temperror reason="query refused" header.from=circadian.com (policy=temperror) SPF, DKIM, and DMARC all pass at gmail. Thanks, Curtis ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Postfix: running a script on authentication failure
On 6/23/23 04:26, Luciano Mannucci via Postfix-users wrote: On Thu, 22 Jun 2023 21:05:35 +0200 André Rodier via Postfix-users wrote: What are you using on your side ? I have a small script that scans the log for failed login attempts, banning the offending ip via firewall if it sees more than a certain number of attempts (initially set to 24, now lowered to 22). Ir runs every 2 minutes and seems quite effective: in 10 years I've had just one false positive (so far) that I had to set free by hand. You can also lower the threshold of failed attempts in fail2ban as well. I have a long list of banned ip addresses in my system. I've also changed the length of time addresses get banned for from hours to months. --Curtis ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [P-U] Re: Postfix lists are migrating to a new list server
On 3/8/23 15:30, Scott Techlist via Postfix-users wrote: On Tue, 7 Mar 2023, John Stoffel via Postfix-users wrote: So what's the option for a more upto date version of DKIM milter for debian? rspamd does DKIM, SPF, DMARC and ARC (and lots more), and doesn't segfault (so far ;-) I'm STILL trying to figure out rspamd's documentation enough to understand how to enable and configure all of those, so that I can have one milter instead of four. I too would be grateful for a pointer to a decent how-to/guide on setting it up. I'm still using amavis and clamd. Always apprehensive to change horses. I use it with ispconfig on devuan (debian bullseye without systemd). It's works very well. It was easy to set up and configure. A lot of the configuration can be done through it's web interface. Setting scores marking and rejecting are done via the ispconfig interface. I agree that it's documentation is cryptic and not for the faint of heart. They surely don't stick to the KISS method. -- Curtis https://curtis.maurand.com ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [P-U] Re: Postfix lists are migrating to a new list server
On 3/7/23 15:36, Bernardo Reino via Postfix-users wrote: On Tue, 7 Mar 2023, John Stoffel via Postfix-users wrote: So what's the option for a more upto date version of DKIM milter for debian? rspamd does DKIM, SPF, DMARC and ARC (and lots more), and doesn't segfault (so far ;-) I've been running rspamd for nearly a year and I've been very happy with it. It's a huge improvement over amavis/spamassassin. It is very fast. --Curtis -- Curtis https://curtis.maurand.com ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
Re: [EXTERNAL] Re: Mail queue took 3 hours to recover from a flood. Suggestions ?
On 1/23/23 12:30, White, Daniel E. (GSFC-770.0)[AEGIS] wrote: “replace Amavis with something faster” Any suggestions ? RSPAMD *From: * on behalf of Viktor Dukhovni *Reply-To: *"postfix-users@postfix.org" *Date: *Monday, January 23, 2023 at 12:28 *To: *"postfix-users@postfix.org" *Subject: *Re: [EXTERNAL] Re: Mail queue took 3 hours to recover from a flood. Suggestions ? On Mon, Jan 23, 2023 at 05:06:34PM +, White, Daniel E. (GSFC-770.0)[AEGIS] wrote: There was no outage. The queue filled faster than the processes could process them through. I do not know which limit to increase to accommodate such bursts of traffic. I did find 27 instances of this block of info in the logs: postfix/qmgr[PID]: QUEUE_ID: from=, size=1370, nrcpt=1 (queue active) postfix/qmgr[PID]: warning: mail for [127.0.0.1]:10024 is using up NUMBER of NUMBER active queue entries postfix/qmgr[PID]: warning: you may need to reduce smtp-amavis connect and helo timeouts postfix/qmgr[PID]: warning: so that Postfix quickly skips unavailable hosts postfix/qmgr[PID]: warning: you may need to increase the main.cf minimal_backoff_time and maximal_backoff_time postfix/qmgr[PID]: warning: so that Postfix wastes less time on undeliverable mail postfix/qmgr[PID]: warning: you may need to increase the master.cf smtp-amavis process limit postfix/qmgr[PID]: warning: please avoid flushing the whole queue when you have postfix/qmgr[PID]: warning: lots of deferred mail, that is bad for performance postfix/qmgr[PID]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0 Your amavis is too slow. Perhaps it is doing remote DNS lookups. But where do I find smtp-amavis connect timeout ? Tweaking the timeouts won't help in this case, the real issue is Amavis performance. Disable the content inspection features that make it slow, or replace Amavis with something faster. -- Viktor. -- Curtis https://curtis.maurand.com
Re: mail.protection.outlook.com rejections
Sadly MS is as fallible as the rest of us. Sent from my iPhone > On Nov 2, 2022, at 4:56 AM, Linkcheck wrote: > > Thanks, Viktor. That's interesting. You'd think someone like MS could get it > right. :( >
Re: Odd DNS issue requiring reboot.
On 9/5/22 11:23, Wietse Venema wrote: Viktor Dukhovni: Perhaps your resolver settings in the chroot jail become stale, and are fixed when the "init script" resyncs the chroot with the /etc. You might try running without chroot. To turn off chroot for all Postfix daemons, update master.cf: postconf -F "*/*/chroot = n" postfix reload Wietse Are you sure it's not systemd-resolvd. It will happily override your resolver settings if it doesn't like your resolver. I've found that in my setups, to install my own resolver (usually pdns-recursor) and disable systemd-resolvd and dnsmasq. speeds things up dramatically. Makes things much more reliable. I have much harsher opinions about systemd, but that's not for this list. --Curtis -- Curtis https://curtis.maurand.com
Re: Where to place spamhaus tests
I might also suggest pdns-recursor. very fast. Sent from my iPhone > On Aug 8, 2022, at 4:18 PM, Demi Marie Obenour wrote: > > On 8/7/22 09:50, Linkcheck wrote: >>> On 07/08/2022 1:12 pm, Rob McGee wrote: >>> dig 2.0.0.127.zen.spamhaus.org. any >> >> ANY has to be after DIG, not at the end, but... >> >> >> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> any 2.0.0.127.zen.spamhaus.org. >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18750 >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 >> >> ;; OPT PSEUDOSECTION: >> ; EDNS: version: 0, flags:; udp: 4096 >> ;; QUESTION SECTION: >> ;2.0.0.127.zen.spamhaus.org.INANY >> >> ;; ANSWER SECTION: >> 2.0.0.127.zen.spamhaus.org. 3579 INA127.255.255.254 >> >> ;; Query time: 1 msec >> ;; SERVER: 127.0.0.1#53(127.0.0.1) >> ;; WHEN: Sun Aug 07 14:34:59 BST 2022 >> ;; MSG SIZE rcvd: 71 >> >> >> And I use a local copy of Unbound for all DNS work. > > You need to check the following: > > 1. Unbound MUST be operating as a recursive resolver, NOT a > stub resolver. That means that it is making requests from > upstream nameservers directly, rather than via an upstream > recursive resolver. In the case of Unbound, this means that all > forward-zone: directives in the configuration file must be removed, > unless they are restricted (via name:) to zones that are not a > suffix of zen.spamhaus.org. > > 2. Your instance of Unbound MUST NOT be accessible from the Internet. > That is, unauthorized users must not be able to submit DNS queries > to it. If they can, I suspect it would be considered a public > recursive resolver and blocked. > > Can you provide your `unbound.conf` as well as all of the files > it includes? > -- > Sincerely, > Demi Marie Obenour (she/her/hers) OpenPGP_0xB288B55FFF9C22C1.asc Description: Binary data OpenPGP_signature Description: Binary data
Re: Postfix-fg and maillog_file to stdout
Perfect. That was the other solution I had been looking at. ==C On Sat, 2021-11-06 at 10:25 -0300, Rafael Azevedo wrote: > Since it was a container, I was not running any syslog, just using > the log modules from docker.This is a sample output from postfix > stdout. > I fixed it using syslog-ng within the container. > Em sáb., 6 de nov. de 2021 às 09:56, Curtis Maurand < > cur...@maurand.com> escreveu: > > On Fri, 2021-11-05 at 13:34 -0300, Rafael Azevedo wrote: > > > One last thing, is it possible to change the date format of the > > > output? > > > Current format: > > > Nov 05 13:20:06 smtp21 postfix/smtp[136]: 9D86C60BBE > > > > > > I'd like to use ISO format: > > > 2021-10-29T19:37:52.017684-03:00 smtp21 postfix/smtp > > > > > > Could that be possible? > > > > > > > > > > My systems use rsyslog. The timestamp format is configurable. > > > > > Thanks > > > Em sex., 5 de nov. de 2021 às 13:10, Rafael Azevedo < > > > raf...@gmail.com> escreveu: > > > > Thanks Wietse, > > > > After disabling chroot, everything worked just as expected. > > > > > > > > Thanks a lot guys. > > > > > > > > BR, > > > > R > > > > Em sex., 5 de nov. de 2021 às 13:01, Wietse Venema < > > > > wie...@porcupine.org> escreveu: > > > > > Rafael Azevedo: > > > > > > > > > > > After disabling chroot, it worked! > > > > > > > > > > > > > > > > > > > > LINUX bites, if chroot breaks relative pathnames for UNIX- > > > > > domain > > > > > > > > > > DGRAM sockets. > > > > > > > > > > > > > > > > > > > > (If chroot broke relative pathnames for UNIX-domain STREAM > > > > > sockets, > > > > > > > > > > there should have been lots of bug reports already). > > > > > > > > > > > > > > > > > > > > > Any clue about how can I have milliseconds in this output? > > > > > > > > > > > > > > > > > > > > That is currently not implemented. > > > > > > > > > > > > > > > > > > > > Postfix alreadey provides sub-second logging for different > > > > > stages > > > > > > > > > > of delivery (time since arrival, time in active queue, time > > > > > to > > > > > > > > > > connect, time to transmit message). > > > > > > > > > > > > > > > > > > > > http://www.postfix.org/postconf.5.html#delay_logging_resolution_limit > > > > > > > > > > > > > > > > > > > > Example: > > > > > > > > > > > > > > > > > > > > Nov 5 11:48:59 spike postfix/local[445]: 4Hm4gH1RlnzJrP5: > > > > > to=, relay=local, delay=0.21, > > > > > delays=0.2/0.0003/0/0.0036, dsn=2.0.0, status=sent (delivered > > > > > to command: umask 077; exec /usr/local/bin/filter) > > > > > > > > > > > > > > > > > > > > Wietse > > > > > > > > > > >
Re: Postfix-fg and maillog_file to stdout
On Fri, 2021-11-05 at 13:34 -0300, Rafael Azevedo wrote: > One last thing, is it possible to change the date format of the > output? > Current format: > Nov 05 13:20:06 smtp21 postfix/smtp[136]: 9D86C60BBE > > I'd like to use ISO format: > 2021-10-29T19:37:52.017684-03:00 smtp21 postfix/smtp > > Could that be possible? > > My systems use rsyslog. The timestamp format is configurable. > Thanks > Em sex., 5 de nov. de 2021 às 13:10, Rafael Azevedo > escreveu: > > Thanks Wietse, > > After disabling chroot, everything worked just as expected. > > > > Thanks a lot guys. > > > > BR, > > R > > Em sex., 5 de nov. de 2021 às 13:01, Wietse Venema < > > wie...@porcupine.org> escreveu: > > > Rafael Azevedo: > > > > > > > After disabling chroot, it worked! > > > > > > > > > > > > LINUX bites, if chroot breaks relative pathnames for UNIX-domain > > > > > > DGRAM sockets. > > > > > > > > > > > > (If chroot broke relative pathnames for UNIX-domain STREAM > > > sockets, > > > > > > there should have been lots of bug reports already). > > > > > > > > > > > > > Any clue about how can I have milliseconds in this output? > > > > > > > > > > > > That is currently not implemented. > > > > > > > > > > > > Postfix alreadey provides sub-second logging for different stages > > > > > > of delivery (time since arrival, time in active queue, time to > > > > > > connect, time to transmit message). > > > > > > > > > > > > http://www.postfix.org/postconf.5.html#delay_logging_resolution_limit > > > > > > > > > > > > Example: > > > > > > > > > > > > Nov 5 11:48:59 spike postfix/local[445]: 4Hm4gH1RlnzJrP5: to=< > > > spam...@porcupine.org>, relay=local, delay=0.21, > > > delays=0.2/0.0003/0/0.0036, dsn=2.0.0, status=sent (delivered to > > > command: umask 077; exec /usr/local/bin/filter) > > > > > > > > > > > > Wietse > > >
Re: How to tell postfix to be more verbose on the smtp port?
On 9/28/21 10:23 AM, Viktor Dukhovni wrote: On Tue, Sep 28, 2021 at 09:50:11AM +0200, Christophe Lohr wrote: Well.. so, my question is: how to configure postfix to be more verbose? (not in the log files, but on the smtp connexions) This would be a programming exercise. The relevant source files are: src/smtpd/smtpd.c - Protocol engine src/smtpd/smtpd_state.c - Connection state structure and methods src/smtpd/smtpd_chat.c - Request/Response logic You may need to record additional data in the state structure, and then emit appropriate messages when responding to the client. Most likely it is easier to just write a Perl or Python script, or Haskell or Go program that is an ESMTP server that emits detailed error messages. Choose a language in which it is easy to write a parser that emits detailed error diagnostics. It is not clear why Postfix would be a compelling choice of an an SMTP server for students new to network protocols looking for verbose error messages. I did a search and found this about custom bounce messages. https://www.howtoforge.com/configure-custom-postfix-bounce-messages Cheers, --Curtis
Re: Warning: Hostname Does Not Resolve
your a record and fqdn, your helo/ehlo hostname and the ptr record all need to match. Sent from my iPhone > On Mar 9, 2021, at 12:36 PM, Greg Sims wrote: > > > We are receiving the following in our email logs: > > Mar 09 08:12:15 mail01.raystedman.org postfix/smtpd[13431]: warning: hostname > mail01.raystedman.org does not resolve to address 192.168.122.12 > > This warning is in fact true. I believe something is not configured correctly. > > The postfix mail server at mail01.raystedman.org has two network interfaces: > WAN and LAN. The WAN hostname is mail01.raystedman.org which resolves to > 166.88.17.149. The LAN hostname is mail01-p.raystedman.org which resolves to > 192.168.122.12. > > main.cf contains: > > mynetworks = 192.168.122.0/24, aaa.bbb.ccc.ddd/32, 127.0.0.0/8 > > where aaa.bbb.ccc.ddd/32 is the only acceptable WAN address (protected here > and at the firewall level). We also accept email from the LAN and localhost > networks. > > We recently started accepting email from the single WAN address and added the > IP to mynetworks. This likely has something to do with the configuration > issue. > > Thanks, Greg > www.RayStedman.org
Re: Deprecated: white is better than black
I totally agree with this and I am going to work to scrub the prior terminology from my system. Thank you, Wietse —Curtis Sent from my iPhone > On Feb 24, 2021, at 12:12 PM, Wietse Venema wrote: > > The following is from the postfix-3.6-20210221 release notes. > >Wietse > > Postfix version 3.6 deprecates terminology that implies white is > better than black. Instead, Postfix prefers 'allowlist', 'denylist', > and variations on those words. > > Noel Jones assisted with the initial transition. > > Changes in documentation > > > Documentation was updated to use 'allowlist', 'denylist', etc. > These documentation changes do not affect Postfix behavior. > > Changes in parameter names > -- > > The following parameters replace names that contain 'blacklist' or > 'whitelist': > >postscreen_allowlist_interfaces >postscreen_denylist_action >postscreen_dnsbl_allowlist_threshold > > These new parameters have backwards-compatible default settings > that support the old parameter names, so that the name change should > not affect Postfix behavior. This means that existing management tools > that use the old parameter names should keep working as before. > > This compatibility safety net may break when some management tools > use the new parameter names, and some use the old names, such that > different tools will disagree on how Postfix works. > > Changes in logging > -- > > The following logging replaces forms that contain 'blacklist' or > 'whitelist': > >postfix/postscreen[pid]: ALLOWLIST VETO [address]:port >postfix/postscreen[pid]: ALLOWLISTED [address]:port >postfix/postscreen[pid]: DENYLISTED [address]:port > > To avoid breaking logfile analysis tools, Postfix keeps logging the old > forms by default, as long as the compatibility_level parameter setting > is less than 3.6, and the respectful_logging parameter is not explicitly > configured. As a reminder, Postfix will log the following: > >postfix/postscreen[pid]: Using backwards-compatible default setting >respectful_logging=no for client [address]:port > > To keep logging the old form, make the setting "respectful_logging = > no" permanent in main.cf, for example: > ># postconf "respectful_logging = no" ># postfix reload > > To stop the reminder, configure the respectful_logging parameter to > "yes" or "no", or configure "compatibility_level = 3.6".
Re: Mail from @somedomain.tld allowed only from some CIDR ranges?
Sent from my iPhone > On Feb 7, 2021, at 11:44 AM, Benny Pedersen wrote: > > On 2021-02-07 17:33, Marek Kozlowski wrote: >> :-) > > +1 > >> Presumably it's my fault but I cannot find such an option. If so - >> thank you for directing me to it. I'm wondering if it possible to >> limit incoming mail with '...@somedomain.tld' specified as a sender >> address*) to IPs belonging from some CIDR ranges: > > sure > >> - if addresses from the ranges belong to 'somedomain.tld'? >> - if addresses from the ranges and 'somedomain.tld' A records don;t >> cover the same sets of hosts? > > you should not accept local envelope sender on port 25, its not you :-) > >> *) For both envelope and internal 'from:' would be perfect; if not - >> for only one of them. > > From: can only be protected with dkim I would suggest giving higher preference to SPF. You can even reject if SPF fails. I just went through this with a client because we bounced a message back because they were set up on outlook.com but, for whatever reason, they were trying to send via google. SPF said nay, nay the policy says all incoming mail from x.tld should come from spf.protection.outlook.com not the ip address that google owns from which the message originated. Cheers, Curtis
Re: Corner cases in SSL_shutdown.
Jumping in as an observer with 25 years of admin experience with public facing equipment and servers. this problem seems more of a problem with the tls libraries. it’s not up to the app to close the tls connection. that layer is below the application layer. when the application terminates its connection the tls library should be smart enough to close the socket properly itself. this seems to be a problem of the tls layer not playing nicely with its peers. the smtp protocol is clear about its connection termination handshake. it doesn’t seem like the tls layer is. just my $0.02 -Curtis Sent from my iPhone > On Feb 2, 2021, at 10:31 AM, Bill Cole > wrote: > > On 2 Feb 2021, at 9:49, Leo Bicknell wrote: > >> Perhaps Postfix does not support returning to clear text from a STARTTLS >> session and doing futher protocol operations. I have not looked. But if it >> does, I believe the proper shutdown behavior is a MUST. > > No SMTP server should ever support downgrade of an established STARTTLS > session to clear text. > > -- > Bill Cole > b...@scconsult.com or billc...@apache.org > (AKA @grumpybozo and many *@billmail.scconsult.com addresses) > Not Currently Available For Hire
Re: New postfix server, authentication confusion
for the blackhole lists, etc. take a look ar mxtoolbox.com postfix should be passing sasl requests to dovecot’s imap process. I use a tool called ispconfig which sets all of this up along with other tools such as clamav, rspamd or amavisd along with per user policies. my $0.02. I like its security way better than cpanel. it’s closer to plesk in that regard. best of all it’s free. Sent from my iPhone > On Jan 24, 2021, at 6:43 AM, Jeff Abrahamson wrote: > > > I've set up a new postfix instance which more or less duplicates an older > one. The main change (besides being newer) is that the old one used real > users with real accounts while this one uses virtual users. Some bits work, > some don't. I'm a bit confused on how to test it, really, short of > connecting with a regular email client (mutt, thunderbird, etc.). > > But I've a few questions, mostly about auth, which is what has most changed > and which I've clearly not got going correctly. (And I'm aware that auth may > be handled by dovecot and so not be appropriate to this list. But I'm not > yet convinced of that, so I have to ask here first.) > > 1. Users need to provide user + password to send (smtps) and receive > (imaps). I see where I've configured this for dovecot, which is > /etc/dovecot/passwd.db. That file contains lines like this: > > j...@mobilitains.fr:{BLF-CRYPT}$2y$05$c... > > I do not see how postfix knows who is allowed to connect, however. Does > postfix delegate SASL to dovecot? This is the relevant config, I think: > > [T] jeff@nantes-m1:log $ postconf -n | grep -i sasl > broken_sasl_auth_clients = yes > smtpd_recipient_restrictions = > reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender > smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated > defer_unauth_destination > smtpd_sasl_auth_enable = yes > smtpd_sasl_authenticated_header = yes > smtpd_sasl_local_domain = > smtpd_sasl_path = private/auth > smtpd_sasl_security_options = noanonymous > smtpd_sasl_type = dovecot > > [T] jeff@nantes-m1:log $ postconf -Mf > smtp inet n - y - - smtpd > submission inet n - y - - smtpd > -o syslog_name=postfix/submission > -o smtpd_tls_security_level=encrypt > -o smtpd_sasl_auth_enable=yes > -o smtpd_client_restrictions= > -o smtpd_helo_restrictions= > -o smtpd_sender_restrictions= > -o smtpd_recipient_restrictions= > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject > -o milter_macro_daemon_name=ORIGINATING > smtps inet n - y - - smtpd > -o syslog_name=postfix/smtps > -o smtpd_tls_wrappermode=yes > -o smtpd_sasl_auth_enable=yes > -o smtpd_reject_unlisted_recipient=no > -o smtpd_client_restrictions= > -o smtpd_helo_restrictions= > -o smtpd_sender_restrictions= > -o smtpd_recipient_restrictions= > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject > -o milter_macro_daemon_name=ORIGINATING > ... > > 2. Any suggestions on how to test this (and continue testing it)? First, > about today, as in, are there good commandline tools to poke at a postfix > instance? > > Second, for later, I'm aware of some very useful online web-based tools > (mxtoolbox, etc.), but I'd be quite happy to have some process run on another > host and periodically check that my MX isn't on any blackhole lists, that the > reasonably foreseeable stuff is all working correctly, etc. I've not found > that. Any suggestions? > > Many thanks for any pointers. > > -- > Jeff Abrahamson > +33 6 24 40 01 57 > +44 7920 594 255 > > http://p27.eu/jeff/ > http://transport-nantes.com/
Re: Ignoring a failing dictionary ?
Sent from my iPhone > On Jan 20, 2021, at 10:27 AM, Jaroslaw Rafa wrote: > > Dnia 20.01.2021 o godz. 15:48:29 Ganael Laplanche pisze: >>> So just try to create some simple "proxy" to your LDAP server that does only >>> one thing: if LDAP is available, just return the response from LDAP; if >>> not, just returns "not found". And use that proxy in Postfix in place of >>> your actual LDAP server. This will require probably some development, but >>> it shouldn't be very much. >> >> Yes, that would probably be an idea and this is what Viktor was suggesting >> (I >> suppose) whan he was writing about socketmap. > > There's no need to use socketmap if your proxy would be an actual proxy, ie. > it would speak LDAP protocol to the connecting clients. You'll need to just > replace your original LDAP server with the proxy in your configuration. > > Searching the web for "LDAP proxy", this is one of the first results I > found: https://ldaptor.readthedocs.io/en/latest/cookbook/ldap-proxy.html . > It's a Python library for LDAP, and this documentation presents some example > code for creating LDAP proxies using this library. A thought would be to have a separate process that checks for ldap availability. if not, issue a postconf command to change the setting on the fly. when the ldap server comes back, issue a new postconf command to reverse the process to go back to the ldap server. > -- > Regards, > Jaroslaw Rafa > r...@rafa.eu.org > -- > "In a million years, when kids go to school, they're gonna know: once there > was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: Ignoring a failing dictionary ?
> On Jan 19, 2021, at 10:00 AM, Viktor Dukhovni > wrote: > > On Tue, Jan 19, 2021 at 03:03:49PM +0100, Ganael Laplanche wrote: > >>> http://www.postfix.org/memcache_table.5.html >> >> Maybe memcache with a *very* long TTL could be used here, but I was looking >> for a pseudo-dictionay such as unionmap (maybe something like 'noretrymap') >> that would ignore DICT_ERR_RETRY from failing backends and get the first >> useable result from child dicts. >> >> Would there be another option ? > > The only solution that comes to mind is "socketmap". You can write your > own (for reasonable performance, not single-threaded) server that keeps > track of whether LDAP is producing acceptable answers, and if not, falls > back to stale local sources). > > You'll need an LDAP connection pool, and some way to determine whether > the LDAP replies are acceptable (that's the hard part). > > -- >Viktor. I’ve been watching this thread and all the contortions you are truung to do to get postfix to do something it’s not designed to do. You can change postfix parameters on the fly. Please pardon me if you think this might be a stupid question, but LDAP has excellent replication capabilities. How about multiple LDAP servers in a high availability setup? instead of continual replication, replicate once per week. If you’re virtualized, make sure the LDAP guests reside on different hosts. See Linux heartbeat setups. that doesn’t satisfy your needing to read from backup data, though. another idea would be to script it. write a daemon ( if you need it to check more than once per minute) that checks the ldap server periodically to see that it’s returning correct information. if it is not, the script can issue a postconf command to change ldap servers on the fly. by that matter a script could simply repopulate that section of its database from the dump file you created and that can also be done on the fly. importing the ldif file doesn’t take much time, even for large files. alternatively, you could get the ldap server to reverse its replication direction and simply repopulate the master from the backup server. the reconciliation will only take a few seconds. you could also build a quick webapp for your team that could restore a single or multiple accounts from the slave server back to the master with the accidental deletion. there are ways to automate this in such a way that downtime or rejected mail time is minimal. there is also the matter of restoring the mailbox, too. Ther is also btrfs or zfs with snapshot capabilities. stop the ldap server, restore the database from the snapshot, start the server. that can also be automated and have it happen in seconds. —Curtis Sent from my iPhone
Re: Reject email containing Google forms
How about a general sieve rule in your dovecot server or a filter in your delivery agent? Sent from my iPhone > On Dec 1, 2020, at 5:11 PM, lists wrote: > > About 70% of my spam these days contains links to Google Forms. I've been > googling for tips on how to reject such email but Google find hits for the > converse. (People are complaining about Gmail blocking Google Forms which is > ironic.) > > My current configuration doesn't include SpamAssassin since rbls and the > existence of a reverse pointer was good enough. > > I'm looking for advice specifically to bounce email that contains a link to > any Google form. If this is inappropriate for this list serve then I'm fine > with the moderator nuking the request. I can take it up with stackexchange > but it had been my experience that the postfix list has the best gurus. > > > >
Re: Recommended milters for small setup
October 15 2020 3:33 PM, "Patrick Ben Koetter" wrote: > * Ian Evans : > >> The long story short is that due to dealing with family medical issues over >> the past few years, my Combo web/postfix server is still on Ubuntu 14.04. >> >> In a couple of months I will have some time to upgrade. Instead of risking >> an in place upgrade, I am going to fire up a new droplet on Digitalocean, >> install the latest stuff over there, and migrate my data. >> >> My site has two email users, me and the missus. I currently run an email >> stack of postfix, amavis, spamassassin, clamav and dovecot. The Postfix >> also has dkim, dmarc, spf and postscreen. >> >> Is there a more efficient, memory stingy, faster milter way to run >> spamassassin, clamav, etc, or would you recommend sticking with amavis? > > If you need quarantine and per user policies you want to stick with amavis. I > recommend to use amavis via the amavis-milter bridge. > > Other than that you might want to give rspamd a shot. It can sign/verify DKIM, > verify DMARC and IIRC it can to SPF as well. There's a way to plug ClamAV into > rspamd and of course it can detect and reject spam as well. If you use rspamd > it is recommended *not* to use postscreen as this keeps clients away from > rspamd and that prevents it from learning and becoming more efficient. > I would suggest the clamav-milter if you're going to use rspamd
Re: Raw postfix newbie here...
> On Aug 9, 2020, at 8:09 PM, Viktor Dukhovni > wrote: > > - Mail to managed lists with an owner-alias >- Mail to pipes >- Mail to :include:/some/file lists. this can be put into the transports table and you can skip the /etc/aliases altogether.
Re: Postfix behind NAT -> failover IP -> wrong HELO
easier than that. use linux heartbeat on the two postfix service. the failover happens within seconds. use the unison file system to keep the spool folders and other necessary folders needed to pick up on the failover machine and when the primary fails, whatever services that need to be running on the primary will be off on the secondary. at failover heartbeat will spin up daemons that need to be started for things to continue with only a brief interruption. On 7/1/20 12:29 PM, Istvan Prosinger wrote: On 7/1/20 1:20 AM, Bill Cole wrote: On 30 Jun 2020, at 15:40, Istvan Prosinger wrote: Hi, I hope this letter finds you well, I have Postfix behind NAT, and added one failover IP to the main router. I wanted to "get by cheaply" by just doing something like iptbales -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to on the firewall machine. So, all well, the only problem is that Postfix in this case has a wrong HELO compared to the rDNS that I have defined for the It does throw a warning that the doesn't resolve to it's hostname, but I'm not sure if I ca n define some kind of helo_host_maps ;) to resolve this. At this point, I wouldn't mind if someone pinpoints me to the right direction. Can't you just fix the DNS? Use a HELO name that resolves to both IPs and give both IPs PTR records that point back to the name you use. Fix the DNS? All reverse DNS should have an A record pointed back in the DNS zone. This would be a real mess best, Istvan
Re: Postfix behind NAT -> failover IP -> wrong HELO
On 6/30/20 6:40 PM, Wietse Venema wrote: Istvan Prosinger: On 6/30/20 10:34 PM, Wietse Venema wrote: Istvan Prosinger: On 6/30/20 9:49 PM, Wietse Venema wrote: Istvan Prosinger: Hi, I hope this letter finds you well, I have Postfix behind NAT, and added one failover IP to the main router. I wanted to "get by cheaply" by just doing something like iptbales -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to on the firewall machine. So, all well, the only problem is that Postfix in this case has a wrong HELO compared to the rDNS that I have defined for the It does throw a warning that the doesn't resolve to it's hostname, but I'm not sure if I can define some kind of helo_host_maps ;) to resolve this. At this point, I wouldn't mind if someone pinpoints me to the right direction. Postfix does not compare the HELO command argument with forward or reverse DNS information. Antispam engines on the recipient side do Thanks for clearing uo that 'It does throw a warning' is not talking about Postfix. Every MTA behind a NAT should send HELO to external hists using the name of the outside NAT IP address. Use smtp_helo_name. This is clear. But my problem is that I do the (pre)nating on the firewall, I don't change any config for Postfix. To simplify the question, it's - is it possible to have it use the correct HELO depending on the outbound IP set on the firewall? I do not change any relay maps, I just default it to anouther outbound IP on the firewall. Firewalls on a moving IP address? What has the world come to. Assuming that Postfix runs on the firewall, otherwise you will need to add telepathic vision to Postfix and also set smtp_proxy_address to avoid "mail loops back to myself" errors. host1_mynetworks = output from "postconf mynetworks" with external address 1 bind1_address = 1.2.3.4 bind2_address = 1.2.3.5 smtp_helo_name = ${ {$mynetworks} == {$host1_mynetworks} ? {$bind1_address} : {$bind2_address} } It's really better to execute a command that sets both the external address AND Postfix settings. Wietse Wietse's solution is better. what he said. --Curtis
Re: Postfix behind NAT -> failover IP -> wrong HELO
It's part of the config in main.cf You can specify "myhostname" myhostname = host.domain.tld Cheers, Curtis On 6/30/20 4:55 PM, Istvan Prosinger wrote: On 6/30/20 10:34 PM, Wietse Venema wrote: Istvan Prosinger: On 6/30/20 9:49 PM, Wietse Venema wrote: Istvan Prosinger: Hi, I hope this letter finds you well, I have Postfix behind NAT, and added one failover IP to the main router. I wanted to "get by cheaply" by just doing something like iptbales -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to on the firewall machine. So, all well, the only problem is that Postfix in this case has a wrong HELO compared to the rDNS that I have defined for the It does throw a warning that the doesn't resolve to it's hostname, but I'm not sure if I can define some kind of helo_host_maps ;) to resolve this. At this point, I wouldn't mind if someone pinpoints me to the right direction. Postfix does not compare the HELO command argument with forward or reverse DNS information. Antispam engines on the recipient side do Thanks for clearing uo that 'It does throw a warning' is not talking about Postfix. Every MTA behind a NAT should send HELO to external hists using the name of the outside NAT IP address. Use smtp_helo_name. This is clear. But my problem is that I do the (pre)nating on the firewall, I don't change any config for Postfix. To simplify the question, it's - is it possible to have it use the correct HELO depending on the outbound IP set on the firewall? I do not change any relay maps, I just default it to anouther outbound IP on the firewall. best, Istvan
Re: Postfix "IPv6-only" - experience/recommendation question
In message "michae...@rocketmail.com" writes: > THANKS to a all who answered!!! > > A lot of shared experience, learned a lot, cool. It's always very > interesting how threads are meandering, somehow, adding new aspects to > unasked but also relevant questions. Crowd as it's best :-) Summarized > your valuable hints, I'll stay with my Postfix configured for both > IPv4 and IPv6. No IPv6-only currently. Wait for the future. > > Regards, > Michael Good plan. Meantime I might try creating another IPv6-only email domain and see how well it does. Last I tried (long time ago) it was OK for IETF work, with IPv4 only people replying about bounces to replies that went to me plus to the list, but I got the list copy.
Re: Postfix "IPv6-only" - experience/recommendation question
In message <2eb09baa-5327-b615-47a9-0c1402385...@rocketmail.com> "michae...@rocketmail.com" writes: > > Hi all, > > I've a generic question to all more experienced than me postfix users > here: Is it nowadays (reasonable) possible to run postfix with IPv6 > only? E.g "mail.example.com" and "smtp.example.com" with only ipv6 > records in the DNS, no A / ipv4 anymore? > > Michael Tried that but not for a few years. Last I tried this in addition to IPv6, you still need a routable (non-RFC1918) IPv4 address and valid PTR for your MTA/MSA to reach some sites (like this mailing list last I checked - but I rechecked and fixed now). Alternately you need to relay thru someone that has IPv4 and IPv6 but relay might be hard to come by (never considered that). IPv6 only is fine if you only send mail to the majors providers, gmail, m$soft (live, msn, outlook, hotmail, etc), comcast, ... etc. Less so if you send mail to enterprises (or individuals) that run their own email and have IPv4 only. What I have is a mostly IPv6 only network. Dual mode are public facing: DNS, web, MTA/MSA (most are VM). I run multiple MDA (cyrus imapd), one per domain, that are IPv6 only. MTA does per domain relay to MDA. MDA does smarthost relay to MSA to handle bounce messages. MTA does the prescreen and low overhead spam checks, MDA and a common spamd host does more higher overhead checks with one honey pot domain with its own web site to train filters (all mail to that domain is spam). Client hosts (cellphone, laptop) send to MSA (port 587). Client to MSA and MTA to MDA uses DANE plus cyrus SASL and very strong encryption, etc. SASL is SCRAM256 only for MDA, SCRAM256 plus DIGEST-MD5 for MSA due to limitations of some client MUA software but this is within a TLS connection so DIGEST-MD5 is not so bad. I do have two sites with 5 usable addresses each (/29 minus net, bcast, router). I have colo so you might have a bit more trouble getting more IPv4 with VPS. Easier a few years ago. Why not point your MX at example.com if you can only get one IPv4 address. Hope this helps. Curtis > - EOM for impatient readers :-) --- > > Hi patient readers :-) > > reason for my question: > > I'm running my own small postfix/dovecot etc. environment on a > VPS. Running fine for years now, after some initial work to get my > sent emails not delivered as junk. spf record exists for my few > domains, dkim is active and passes everytime, dmarc entry is active. > https://www.mail-tester.com gives me 10/10 :-) > > All relevant for me email providers are accepting my emails without > any issue, for long, except Microsoft hotmail/outlook. Registered for > SNDS, and JMRP feed is activated. IPv4 adress is "clean" and fine for > outlook.com. > > BUT nevertheless all emails from me to any outlook.* or hotmail.* > recipients is delivered to their junk folder. > > I strongly believe that this is because of the (hopefully) only > "issue" left I know about: My PTR. > > As I have a small VPS with only one IPV4 included in price, I've set > the PTR to "example.com" and not to "mail.example.com", which is the > fqdn for my outgoing postfix sent mail. Of course I know that this is > a "should not", but as there's a lot of stuff running e.g. on Apache > on this machine, a nextcloud instance, a TYPO3 instance, > roundcubemail, jitsi meet, ..., all on separate subdomains like > "cloud.example.com", "webmail.example.com", "meet.example.com" etc., I > simply don't like to have an "unclean" PTR, pointing not the main/base > domain. "Only" because of antispam. > > As said I have only one IPv4 for my VPS, but a /64 IPv6 subnet. So > more than enough IPv6 addreses to give each of my few domains amd not > that many subdomains a unique IPv6, with a corresponding PTR. > > I'm only not sure if there might be "IPv4-only" email providers out > there, whose emails might not be routed to my "IPv6-only" postfix. > > Sorry for this long email :-) > > Regards, > Michael
Re: Query
you could set up the mail aliases in transport maps to pass them to mailman Sent from my iPhone > On Feb 14, 2020, at 10:43 AM, Peter Fraser wrote: > > > Hi All > I am trying to figure out how to get this working. I run Mailman through > Postfix. The Mailman aliases are in alias_maps. I find that when I set up a > transport map in Postfix to have Postfix forward the emails through another > email gateway, the aliases in alias_maps are bypassed so mailman will not > work. Is this expected behavior and is there are way around this? Would > really appreciate any assistance. > > Best Regards > SI > > Sent from Mail for Windows 10 >
Re: Building recipient maps from Exchange/O365
On 2/9/20 12:39 PM, Gerard E. Seibert wrote: On Sun, 9 Feb 2020 07:56:53 -0500, Curtis Maurand stated: it should be. use ldap. active directory is nothing but a glorified ldap server and listens on port 389. If it were ldap over ssl the port is 636 I believe. I stand corrected.
Re: Building recipient maps from Exchange/O365
it should be. use ldap. active directory is nothing but a glorified ldap server and listens on port 389. Sent from my iPhone > On Feb 9, 2020, at 7:04 AM, John Regan wrote: > > > Hi, > > Is it possible for postfix to directly access the email addresses or userlist > from an Exchange server using either LDAP or AD? Perhaps someone has an > external script that can be used to build the recipient maps? > > The results from my search have produced only other people looking > unsuccessfully and posts that pre-date O365. > > Thanks, > John >
Re: [OT] why ATT.net still host its email on Verizon Yahoo
Not competitors. Oligarchs. Colluders market fixers. Competition killers. Sent from my iPhone > On Sep 17, 2019, at 4:44 AM, Wesley Peng wrote: > > Hello, > > though this is a little OT, but I was curious since verizon has bought yahoo > for long days, why ATT still host its customer email accounts on yahoo > platform? we know ATT and verizon are commercial competitors. > > Thanks for any comments.
Re: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197
I'm making an assumption, here. You know how dangerous assumptions are. My assumption is that you're running an exchange server. You need to modify the helo/ehlo repsonse. https://social.technet.microsoft.com/Forums/azure/en-US/4dde9b79-18e4-407f-8edc-896e6c40eb25/need-to-modify-server-response-to-ehlo-helo?forum=exchangesvradmin Cheers, Curtis On 7/1/19 1:24 AM, subscription1 wrote: I'd appreciate you help with the following: I'm looking after two server on 2 differents domains. During testing I found the following issue. On the sending server I get the following Jul 1 14:18:24 mail postfix/smtp[2135]: 9172F5FA8D: host mail1..com[xxx.xxx.231.229] said: 450 4.7.25 Client host rejected: cannot find your hostname, [xxx.xxx.73.197] (in reply to RCPT TO command) On the receiving server I get: Jul 1 06:18:21 mail1 postfix/postscreen[19345]: CONNECT from [xxx.xxx.73.197]:44014 to [xxx.xxx.231.229]:25 Jul 1 06:18:21 mail1 postfix/postscreen[19345]: PASS OLD [xxx.xxx.73.197]:44014 Jul 1 06:18:21 mail1 postfix/smtpd[19348]: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197: Name or service not known Jul 1 06:18:21 mail1 postfix/smtpd[19348]: connect from unknown[xxx.xxx.73.197] Jul 1 06:18:24 mail1 postfix/smtpd[19348]: NOQUEUE: reject: RCPT from unknown[xxx.xxx.73.197]: 450 4.7.25 Client host rejected: cannot find your hostname, [150.107.73.197]; from= to= proto=ESMTP helo= I can ping 'mail.xxx.net' on this server ok. Sending Server postconf -n output alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no compatibility_level = 2 delay_warning_time = 4h inet_interfaces = 127.0.0.1, ::1, xxx.xxx.73.197 inet_protocols = all local_recipient_maps = $virtual_mailbox_maps mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 message_size_limit = 52428800 milter_default_action = accept milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_protocol = 6 mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject mydestination = $myhostname, localhost.$mydomain, localhost mydomain = xxx.net myhostname = mail.xxx.net mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 myorigin = /etc/mailname non_smtpd_milters = inet:localhost:11332 postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access postscreen_blacklist_action = drop postscreen_dnsbl_action = drop postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2 postscreen_dnsbl_threshold = 2 postscreen_greet_action = drop readme_directory = no recipient_delimiter = + relayhost = smtp_dns_support_level = dnssec smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_ciphers = high smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_security_level = dane smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = mail.xxx.net smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname smtpd_data_restrictions = reject_unauth_pipelining smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname smtpd_milters = inet:localhost:11332 smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination smtpd_tls_cert_file = /etc/ssl/certs/2803b51614cb032f.crt smtpd_tls_ciphers = high smtpd_tls_key_file = /etc/ssl/private/wildcard.xxx.net.key smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA tls_preempt_cipherlist = yes tls_ssl_options = NO_COMPRESSION virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf virtual_transport = lmtp:unix:private/dovecot-lmtp Sending Server postconf -Mf output --- smtp inet n - y - 1 postscreen -o smtpd_sasl_auth_enable=no smtpd
Re: Authentication attempts for x...@com.au addresses
On 4/2/19 5:39 PM, @lbutlr wrote: On 2 Apr 2019, at 14:30, Esteban L wrote: The times are in seconds, so you'll need to calculate those times. a month is 2629743 seconds. An hour, of course is 3600, but I prefer 86400 which is one day. BTW, pi seconds is very close to 1 nano century. I agree with @ibutr that 86400 is a good number. Now to find the where to change the iptables rule to "-j DROP" I like to just silently drop the connection. It becomes a sort of reverse DOS in that they keep opening sockets, but you're effectively not listening. It's been very effective in my experience. To be sure, they will keep changing sources once they realize the host is unreachable from any particular source. If I end up blocking TOR or vpn users that are trying to do nefarious things, then so be it. I don't need to waste CPU cycles sending responses. fail2ban is a resource hog as it is. Cheers, Curtis -- Best Regards Curtis Maurand mailto:cur...@maurand.com
Re: consolidate virtual and relay_recipients files
I would think about using the transport file for this. It's pretty flexible. Check the docs, but I found this: *"TABLE SEARCH ORDER* With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, patterns are tried in the order as listed below: /user+extension@domain transport/:/nexthop/ Deliver mail for/user+extension@domain/ through/transport/ to/nex-/ /thop/. On 3/6/19 12:34 PM, Samuel Torton wrote: Hi, I have a postfix server configured as a incoming mail relay for my customers. One of my customers has several domain names: domain1.com (main), domain2.com, domain3.com, domain4.com. My server can receive emails on whatever domain1/2/3/4.com, but can accept emails for declared email addresses only (relay_recipients), and rejects others non declared. Here is a part of my /etc/postfix/main.cf: … virtual_alias_maps = hash:/etc/postfix/virtual relay_recipient_maps = hash:/etc/postfix/relay_recipients transport_maps = hash:/etc/postfix/transport … Here is my /etc/postfix/virtual: … @domain2.com @domain1.com @domain3.com @domain1.com @domain4.com @domain1.com … Here is my /etc/postfix/relay_recipients: … us...@domain1.com x us...@domain1.com x us...@domain1.com x us...@domain1.com x … Here is my /etc/postfix/transport: … domain1.com smtp:[10.10.10. 1] … Now, here are several scenarios happening on my server: 1/ Receiving email for us...@domain1.com <mailto:us...@domain1.com> à OK, relayed to 10.10.10.1 (for us...@domain1.com <mailto:us...@domain1.com>) 2/ Receiving email for unkn...@domain1.com <mailto:unkn...@domain1.com> à OK, rejected 3/ Receiving email for us...@domain2.com <mailto:us...@domain2.com> à OK, relayed to 10.10.10.1 (for us...@domain1.com <mailto:us...@domain1.com>) 4/ Receiving email for unkn...@domain2.com <mailto:unkn...@domain2.com> à relayed to 10.10.10.1 (for unkn...@domain1.com <mailto:unkn...@domain1.com>) !!! à and the destination mail server will reject it I’m happy with the scenarios 1/ 2/ 3/. I’m NOT happy with the scenario 4/. As I understand, the combination of virtual + relay_recipients files doesn’t work efficiently: if an email is sent to whatever@domain2/3/4.com, the relay_recipients file is bypassed by the virtual file, and the email will be automatically relayed to whate...@domain1.com on 10.10.10.1 without checking the relay_recipients. Do you have any solution / hint to avoid this ? If possible, I would like to avoid writing a list of all my user mailbox @ all domain names neither in virtual, nor in relay_recipients file. Thanks a lot for your help. Samuel -- Best Regards Curtis Maurand mailto:cur...@maurand.com
Re: postscreen_dnsbl_action "drop" not working correctly?
On 3/5/19 8:26 PM, @lbutlr wrote: On 05 Mar 2019, at 13:50, Mayhem wrote: I also have nginx/apache and sql running on the same dedicated machine, There will use much more of your system that all of postfix, including your dovecot (or whatever), and the DNS lookups are a minuscule portion of what postfix does. My very low-spec machine occasiaonly sees a single IMAP process as high as 0.12% and master might be at 0.05%. Heck, my logging system used more resources than Postfix does. CPU: 0.5% user, 0.0% nice, 0.6% system, 0.0% interrupt, 98.9% idle Try running top -Sz (or top -c a, depending on your system.top version) on your system and see what is using a lot; bet you find it is perl (assuming you are running spamassassin). I would agree. I've been running Postfix and hosting a few domains for a very long time. Postfix is never the resource hog. MySQL, and all the things that go with tearing a message apart and checking it for viruses is what eats up all the CPU. That and systemd anything. If you're having trouble with DNS lookups I would disable systemd-resolved and replace it with something faster for recursion. systemd my also try to bypass your resolvers for resolvers hard coded into the software. Those are Google public DNS and Cloudflare public DNS, both of which are slow. So is systemd. I've been running pdns recursor (very, very fast) and low on resources. pdns recursor queries the root servers directly, not through several layers. DNS has become very ugly as Google and Cloudflare attempt to monopolize it. -- Best Regards Curtis Maurand mailto:cur...@maurand.com
Re: Click tracker removal ideas?
Wouldn't procmail do something like this? I haven't used procmail for quite some time, but iirc it can handle passing to a filter program, then the filter can hand it to the lmtp (dovecot for instance). Just a thought. I now return to the lurkers lair. --Curtis On February 15, 2019 6:58:00 AM EST, Andrey Repin wrote: >Greetings, Jan P. Kessler! > >>>> Does anyone have any suggestions for a tool for filtering out click >>>> trackers from links in email bodies and rewriting the links without >>>> the click tracking? >>> Anything that does this will also break DKIM, if the email has it >>> (which many do). But perhaps you are confident that your users won't >>> be bothered about this. > >> Isn't DKIM usually checked at MX (or at a downstream content filter)? >> Then it would not necessarily bother users: > >It is checked where it is checked. This includes MUA for those capable >of >validating it. > >> Step-1: MX checks DKIM, acts on that information (reject or pass) and >> optionally removes DKIM-header >> Step-2: MX passes mail to click track remover, after that to user's >mailbox > >> Or did I miss something? > >Other message signing techniques, as indicated above. > > >-- >With best regards, >Andrey Repin >Friday, February 15, 2019 14:56:57 > >Sorry for my terrible english... -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: best practice for HA cluster
You could use Unison to keep the config folders in sync. Open source. runs on just about everything. February 8 2019 8:59 AM, "De Petter Mattheas" wrote: > Yeas we have F5 loadbalancer. > > But how do we shift the config ? as far as i know there is no central mgmt > for postfix only config > files on node 1 and node 2 > > Met vriendelijke groeten > Kind regards > De Petter Mattheas > Technical support engineer - projects team > IT-Department Jan De Nul Dredging N.V. > T +32 (0)53 73 95 53 > F +32 (0)53 21 00 31 > www.jandenul.com > > -Original Message- > From: owner-postfix-us...@postfix.org On > Behalf Of Toens Bueker > Sent: 08 February 2019 14:27 > To: Postfix users > Subject: Re: best practice for HA cluster > > De Petter Mattheas wrote: > >> But we need an active passive setup and a shared config, when config a gets >> a change be should have >> exact the same config. >> >> How would you set this up ? > > If you have a high available loadbalancer, you should use that to enable > active/passive (if node > one fails, shift traffic to node 2). > > Configuration should take place via configuration management (which should be > in place anyway). > > Kind regards, > Töns > -- > There is no safe distance. > > Any reaction to this e-mail or any other mail, including any > files transmitted therewith to sender's e-mail address(es) > shall be dealt with not as private, but as business > communication(s) and shall be registered as such. >
Re: It is possible for Postfix logging to bypass journald?
On 1/9/2019 5:55 PM, Robert L Mathews wrote: On 1/9/19 4:05 PM, Curtis wrote: We recently switched our Postfix mail servers to Ubuntu Server 18, which uses journald for logging. Since we have monitoring systems that parse /var/log/maillog, we enabled rsyslog with imuxsock so we still can parse the log like we did before journald. But, it's unreliable. Our monitoring systems are reporting failed deliveries of messages because of missing log lines in /var/log/maillog. We had this problem. It was fixed by putting this in /etc/systemd/journald.conf: # allow for busy mail logs; allows 1000 per second RateLimitInterval=5s RateLimitBurst=5000 And/or by putting this into /etc/rsyslog.conf: $SystemLogRateLimitInterval 0 (The latter is supposedly no longer necessary, but it used to be, and does not appear to be harmful.) Thanks for your input. Unfortunately, even after playing with these settings, we see no improvement. When you run "systemctl status systemd-journald" do you see any messages like this? Jan 28 18:16:01 [somehost] systemd-journald[25662]: Forwarding to syslog missed 6 messages. If others are not seeing this issue, then I am wondering if it has something to do our setup being inside of an LXC container. For now, we ended up fixing our log parsing script to make journalctl calls so that no lines are missed. Overall, journald seems like a huge downgrade for us... I get the impression it was designed for desktop users, not for servers. That said, I noticed in another thread that Wietse announced that Postfix has an option to log to a file now... ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-3.4-20190127-nonprod-logger.RELEASE_NOTES We're not ready to upgrade right now, but I'm looking forward to trying this option out in the future.
It is possible for Postfix logging to bypass journald?
We recently switched our Postfix mail servers to Ubuntu Server 18, which uses journald for logging. Since we have monitoring systems that parse /var/log/maillog, we enabled rsyslog with imuxsock so we still can parse the log like we did before journald. But, it's unreliable. Our monitoring systems are reporting failed deliveries of messages because of missing log lines in /var/log/maillog. When using journalctl to query the journal, the missing lines can be found, but these queries are too CPU intensive. We also see that journald is occasionally logging messages such as this: Jan 08 20:55:16 host123 systemd-journald[11136]: Forwarding to syslog missed 2 messages. Since this message doesn't provide any information as to why the messages were missed, I have to wonder if it's related to this warning message on the rsyslog site: "Note: It must be noted, however, that the journal tends to drop messages when it becomes busy instead of forwarding them to the system log socket. This is because the journal uses an async log socket interface for forwarding instead of the traditional synchronous one." See: https://www.rsyslog.com/doc/v8-stable/configuration/modules/imuxsock.html#imuxsock-systemd-details-label I'm aware we could switch to using imjournal, which might solve the issue since it reads the journal directly (which does seem to contain the missing messages), but I have to imagine that it would come at a very high CPU cost. See: https://www.rsyslog.com/doc/v8-stable/configuration/modules/imjournal.html So, I'm trying to figure out if it would be possible to get Postfix to use an alternate logging mechanism that would completely bypass journald so that we can have reliable loggging in a manner that is less CPU intensive than journald/imjournal. Ideas? Thanks, Curtis
Re: best practice - integrating spamassassin/clamav in postfix - amavis yes/no?
October 19 2018 3:17 AM, "Carsten Rosenberg" wrote: > amavis-milter is just a wrapper script from milter to amavis protocol. > As long amavis is not dead this is fine. > This is off-topic a bit, but amavis just got an update to 2.11.1 and the project has been transferred to a new group for management from the author. This happened within the last couple of weeks. I'm on that mailing list, too. They're working on getting the changes into the package repos. Amavis just received a new lease on life. Back to the discussion at hand, --Curtis
Re: Are sha1 & TLSv1 fully deprecated wrt mail, and time to block them?
October 15 2018 11:19 AM, "Kris Deugau" wrote: > Laura Smith wrote: > >> Honestly, you are most likely wasting your time on that point because all >> that you are likely to >> get back is a page of waffle saying "blah blah blah ... security reasons... >> blah blah blah" >>> I know this because a sysadmin ex-colleague was having problems creating >>> accounts with a FinCo >> using delimiters (e.g. nam...@example.com). FinCo's filters were rejecting >> this because it was >> "invalid". >>> Said individual wrote a carefully worded long letter to C-suite execs at >>> FinCo, also taking the >> time to attach copies of RFCs referred to in the letter so they would not >> have to look them up. >>> A couple of weeks later, a reply arrived in the post ... "blah blah blah >>> ... security reasons... >> blah blah blah... we know better... blah blah blah" >>> So the moral of this story is, unless you have friends working for FinCo, >>> don't bother trying to >> engage them on how they could improve client service by fixing their IT >> infrastructure. They are >> unlikely to listen. > > When I come across a site that won't accept a "foo+bar" username part for the > email, I roll my eyes > and use "foo_bar" instead. Thanks Wietse, for adding support for multiple > different characters in > recipient_delimiter! > > (I used to do this anyway when my personal server was running sendmail, but > there I had to add yet > another entry in virtusertable each time.) > > Of course, sometimes you don't find out that "foo+bar" isn't supported until > you notice curious > lack of email from the site... since their form doesn't validate as tightly > as their mail system. > Or sometimes the login page is the picky one. > > -kgd Looks to me like something that wants to be escaped. I'm thinking that if it's a scripting language trying to accept the connection, it might see the plus sign and try to do math on it. After all amavisd is written in Perl. --cjm
Re: server hw sizing
I've worked hard over the years trying to get a decent performing mail server. Postfix load is negligible. Postfix resource use is not heavy. It's all the things around it that you have to worry about. Most of the processing is used in dissembling each message and scanning it for viruses and spam. amavisd-new is written perl. It's a resource hog. Add fuzzy OCR and clamav and resource utilization starts going up. Lot's of regulare expressions in all those rules and policies. --Curtis October 4 2018 11:46 AM, "Viktor Dukhovni" wrote: > On Thu, Oct 04, 2018 at 04:40:03AM -0700, rmosnicka wrote: > >> For example I need something like - for 50 email per day where top is >> 100 emails per secunde minimal server configuration is .. > > There is no such document, and never will be. The above number is > just ~6 msgs/sec, and you'll typically have a hard time finding > hardware that struggles with such a small load. > > On modern server CPUs and disks, and given even modest network > resources, your server should be able to sustain over 100 msgs/sec > or ~9 million messages a day. Unless it is an outbound server > sending primarily to Gmail.com, Outlook.com, ... where the destination > imposes per-IP rate controls, or you want to run very CPU intensive > anti-virus/anti-spam engines. > > Nobody else can measure and predict your load and constraints, which > are unlikely to be determined by the hardware per-se. > > -- > Viktor.
What is the upper limit allowed for smtp_line_length_limit?
Yes, I understand that setting smtp_line_length_limit above 998 is not recommend. I agree that for most Postfix installations, where mail is relayed to the outside world, this recommendation is your best bet for email deliverability because lines longer than 1000 violates RFC 5321. I totally agree with this if your Postfix installation is sending outbound email. I manage several gateway mail servers that only accept inbound email and deliver to internal servers. Lately we've been seeing more and more DKIM signed messages. Most make it though these gateway servers without issue. However, we've recently seen some messages fail DKIM checks by the internal mail servers because some Microsoft mail clients/servers are sending messages all on one line, but after they come through our gateway servers, these messages are broken up into several lines (according to the smtp_line_length_limit setting). I do not have any control over what the senders use to send these inbound messages and so I would like to allow these messages through (even if they violate RFC specs) without alteration. Since I have no idea how long the messages might be, I am experimenting with setting the smtp_line_length_limit to 999 (almost 10MB). I had wondered if I might run into an internal upper limit that Postfix might not allow, but it seemed to accept 999 without complaint. This has allowed these DKIM signed messages to come through without issue. My questions are: 1. Considering that we're not using this setup for outbound mail, could there be some downsides to setting the smtp_line_length_limit this high? 2. Is there a limit to how high this setting can be set? Would setting it to something like 50MB cause issues for Postfix in terms of stability? Thanks, Curtis
OT (was Re: Backup MX setup - alternative to db?)
Charles, At one point I used homegrown shell and perl for my CA maintenance, DNS zone files, and server configs were all in a set of files with substitutions list ${{HOST}}, ${{DOMAIN}}, ${{FQDN}}, ${{IPv4::fqdn}}, ${{IPv6::fqdn}}, and ${{CNAME::fqdn}} used so that a generic config can cover multiple hosts. I do have two physical sites about 2 hours apart so two DNS servers, MTAs, etc. Each site has a subdomain and one has multiple subnets each with a subdomain. I added some CNAMEs in DNS and for things like ${{default-route.${{DOMAIN that occur in configs plus ${{CNAME::msa.${{DOMAIN and ${{CNAME::msa.${{DOMAIN. I used perl and shell to do the substitutions (looking up DNS stuff in local files, not DNS itself) a few shell scripts and scp/ssh to distribute files and also gmake to simplify things a bit more. rsynce would work as well as scp/ssh but I'd need the substitution and need to create a local staging dir. This worked fine for years (over a decade for this set of tools, almost three decades for this approach). Somewhat recently the key rollover handled by the CA tools became problematic so I rewrote that in C++. I'm in the process of rewriting the DNS stuff in C++ since the config language for DNS was ... uhm ... suboptimal (maybe a bit kludgy). The DNS tool rewrite will affect the tools downstream. Becasue of that ongoing rewrite the tools are in slight disarray at this exact moment so can't share. I also wouldn't want to share the tools widely at this point due to insufficient documentation. I can set it up, but without documentation this set of code is not a good solution for others. Its also a bit quirky and fragile in places. I have used this or earlier iterations at previous employers with their written acknowledgement that they had no IPR claims on the tools. Shell and perl for substitutions and scp/ssh or rsync for distribution do work fine. You can wrap in make or gmake. The way I did it was gmake REMOTE_HOST=host_or_fqdn {all,compare,install}, where the make target "all" mostly checks CA for time to rollover, checks DNS (where DNS depends on CA for TLSA), checks local files (which depend on DNS local files) and does substitutions for that host. If you make an ns it includes making named.conf and signed zone files. The goal is to install a host (a physical host or VM or BSD jail) from scratch (FreeBSD locally compiled distribution, plus locally compiled packages tar file), add a /root/.ssh/authorized_keys file and "gmake REMOTE_HOST=fqdn install" and I'm done - just reboot the newly installed host. Its almost that easy. I does install packages (like openssl and postfix) used by that particular type of host. I have to "cd install_certs; gmake REMOTE_HOST=fqdn install" to add TLS key, cert, and CA cert files for some hosts. I don't know if this helps since I can't at this time share the tools. But the point is it can be done and can be improved over time. Curtis In message <20170429104108.5714008.75481.27...@lazygranch.com> li...@lazygranch.com writes: > > I've never used rsync in daemon mode (if that is the right way to > phrase it), but wouldn't that do everything automatically? > > I know on Digital Ocean you can use a special network between > "droplets" (VMs) that is local. There is no transit cost. Perhaps > Vultr does the same thing. > > Vultr has a free DNS. > > If I wasn't running FreeBSD, I'd probably be on Linode. > https://www.vpsbenchmarks.com/ > > > > > > Original Message > From: CSS > Sent: Friday, April 28, 2017 12:49 PM > To: Postfix users > Subject: Backup MX setup - alternative to db? > > Hi all, > > I have a handful of personal domains that I host myself - both as a > place to experiment a bit (I roll new things out here before using > them on paying clients), and a place to play with things that don't > scale well. As of now, I just have a single MXer with a pretty > standard Postfix setup. Domain/user maps are all in mysql. > > I just grabbed a few VPSs since they are cheap and I wanted to try out > Vultr.com. I bought the smallest possible - only 512MB of RAM. I'm > running nsd for DNS services (found setting up two small VPS's to be > cheaper, more fun than paying for secondary NS), and I'd like to add > backup MX to both hosts. I do NOT want to run mysql or anything else > that's a memory pig on these. > > My idea to get my lookup maps in place is just to write a small perl > script that dumps my config info from mysql into flat files, uses scp > to copy the files over to the backup MXers, and then runs postmap on > the output on the backup MXers. Before I go ahead with this, any > clever options that I'm overlooking to have the same data on servers > using different backing stores for the maps? > > Thanks, > > Charles
Re: (OT)Ham Radio + SMTP (was Re: How to restrict encrypted email)
In message <20160716192156.09767350@kendramatic> jdebert writes: > > On Sat, 16 Jul 2016 11:42:44 -0400 > Yuval Levy <post...@sfina.com> wrote: > > > It is indeed a matter of interpretation, and I would like to see the > > FCC rules text. Questions: > > (1) how do they define "encrypted"? > > The rules and regulations are very clear on what is permitted. They do > not need to define anything else. > > > (2) on who is the obligation imposed? > > On all licensed amateur radio operators. > > > > > Imposing the onus on the SMTP server operator is like imposing the > > onus on gas stations for fueling vehicles used in criminal > > endeavors. It does not fly because the gas station can't possibly > > know what the user will use the vehicle for, other than (probably) > > driving. > > > > By the definition of encryption, an SMTP server operator can't > > possibly know that a message is encrypted unless the end-user is kind > > enough to say so, e.g. in the MIME headers. > > > > > > > Don't let them push you down this slippery slope. If you are > > > really worried about it, call the FCC or a private attorney and get > > > a solid interpretation. > > > > If I was the SMTP server operator and they came to me, I'd tell them > > to take a walk. > > The encryption ban dates almost from the earliest days of ham radio. It > has included unencrypted digital communications formats as well. It has > been extremely restrictive until recently. The use of ASCII was > prohibited until recently, for example. Violation of the regulations > can result in severe fines and forfeiture of license and equipment. > > These are regulations, not laws. There is no due process as there > may be in criminal cases. It's a completely different legal universe. > Enforcement of regulations is administrative and not dealt with in the > courts, until criminal enforcement is necessary. > > Please review part 97 of the FCC regulations, which pertains to amateur > radio operation. For the FCC's authority, that would be in Title 47 of > the United States Code. Way OT but ... Perhaps check out https://www.tapr.org/ or http://www.arrl.org/ . My understanding is that packet radio has been allowed in part of the HAM band and in part of the Marine SSB band for quite a long time. It is extremely slow. In HAM one purpose (as in the purpose of HAM itself) is experimentation (within constraints) and technical innovations. In Marine SSB the purpose is largely safety as it is the most effient way to get relatively error free detailed weather data when hundreds or thousands of miles from shore (and one way, though not the preferred way, to get assistance at sea). Maybe more technically problematic than the restriction on encryption is the restriction that the exchange cannot be in any way commercial and if personal should be extremely brief. That's a tough filter to implement. OTOH - encryption might get you in much deeper trouble. btw- Unfortunately, a long time ago X.25 was picked. This has sort of kept packet radio in the digital stone ages. BSD dropped X.25 a decade ago but Linux still has code (marked experimental and does not seem to be supported). The ITU has pull in a lot of places so X.25 is mandated for packet radio in a lot of places. That said I'm no expert on this (or much of anything :) Curtis
OT: can't connect to Bill Cole's MX
FYI- connect to sc1.scconsult.com[67.149.19.4]:25: Connection refused Its been two days. Maybe Bill has me blacklisted? Is it something I said? :-( On the off chance that this is an error, I'm sending a heads up. btw- #host -t mx billmail.scconsult.com billmail.scconsult.com mail is handled by 100 sc1.scconsult.com. billmail.scconsult.com mail is handled by 10 toaster.scconsult.com. # host toaster.scconsult.com. toaster.scconsult.com has address 67.149.19.4 # host sc1.scconsult.com. sc1.scconsult.com has address 67.149.19.4 Two MX with the same IP address? And no IPv6! Hello Bill. What's up? Curtis ps - sorry - I'd send direct to Bill ... but can't. Maybe the list is getting through.
Re: reality-check on 2016 practical advice re: requiring inbound TLS?
On 04/12/16 14:26, Noel Jones wrote: On 4/12/2016 11:38 AM, Curtis Villamizar wrote: On 04/12/16 06:25, Wietse Venema wrote: Curtis Villamizar: I recently had a problem with mail where an ESP was in three blacklists plus SPF failed and spamassassin tossed some mail. That ESP is down to one blacklist now. A sender got to me out-of-band and I dug up the maillog from a few days earlier and informed them about how good their ESP was serving them. btw- If I had been using postscreen back then, I could not have found this in the logs based on sender email. Incorrect. In the recommended configuration, postscreen will log IP address, helo, sender, and recipient. Wietse My inexperience with debugging problems with postscreen logs is showing. Curtis Note the helpful logging of helo/sender/recipient requires the offending test be set to "enforce" rather than "drop". This is noted in the docs. See the various postscreen_*_action parameters for details, such as: http://www.postfix.org/postconf.5.html#postscreen_dnsbl_action -- Noel Jones I have nothing set to drop. Just been running postscreen for such a short time and on a little used domain (not this one) that mostly gets spammed a lot but gets a small amount of legit email from people that forgot that I told them not to use it. So I haven't had to debug a "got a bounce" issue with postscreen. Thanks for the heads up. By the time I run postscreen on a domain that matters I hope to have a good configuration. Curtis
Re: reality-check on 2016 practical advice re: requiring inbound TLS?
Not an expert on DMARC, but ... On 04/12/16 01:56, li...@lazygranch.com wrote: Just a quickie here on DMARC. I set one domain to "quarantine" and set up the rua to email me a report. Thus far, only MS Hotmail sends me anything, even though I have emailed yahoo accounts. The MS Hotmail report is in XML, which I can read in vim or whatever. I'm not sure what they intended me to use. The DMARC RFC (rfc7489) indicates that this is failure reporting. That would imply that so far only hotmail got forged email that looked like it was from your domain. If you are not getting reports from anyone else, that is a good thing. I don't think there is any requirement to send empty reports or that those reports would serve any purpose (except maybe create "I got your report and here is your" loops). Curtis
Re: reality-check on 2016 practical advice re: requiring inbound TLS?
On 04/12/16 06:25, Wietse Venema wrote: Curtis Villamizar: I recently had a problem with mail where an ESP was in three blacklists plus SPF failed and spamassassin tossed some mail. That ESP is down to one blacklist now. A sender got to me out-of-band and I dug up the maillog from a few days earlier and informed them about how good their ESP was serving them. btw- If I had been using postscreen back then, I could not have found this in the logs based on sender email. Incorrect. In the recommended configuration, postscreen will log IP address, helo, sender, and recipient. Wietse My inexperience with debugging problems with postscreen logs is showing. Curtis
Re: reality-check on 2016 practical advice re: requiring inbound TLS?
On 04/12/16 12:06, Robert Schetterer wrote: Am 12.04.2016 um 07:56 schrieb li...@lazygranch.com: Just a quickie here on DMARC. I set one domain to "quarantine" and set up the rua to email me a report. Thus far, only MS Hotmail sends me anything, even though I have emailed yahoo accounts. The MS Hotmail report is in XML, which I can read in vim or whatever. I'm not sure what they intended me to use. or use https://dmarcian.com/dmarc-xml/ Since programs will usually be reading the XML and producing reports locally, XML is a good format. Plenty of perl and python modules to parse XML. I use emacs and it does a nice job of coloring XML according to function (element, attribute, etc). Its no worse that reading HTML source. Doing a survey of email clients with SPF and DKIM verification, I only found Thunderbird does this, and with a plugin. Thunderbird is in caretaker status, so I don't use it. I use my phone and thunderbird to preview my IMAP accounts and occasionally respond on one or the other. Then I run fetchmail (with TLS) to empty the folder and actually read and archive my mail. DKIM signature should be done by the MSA. That would mean postfix for most of the people on this list. Therefore mail sent from any client gets DKIM signed. There is an opendkim milter for this. MSA should authenticate, match to sender (or verify sender somehow) and then DKIM sign. Thus an identification system (SPF and DKIM ) had been created that mail system administrators are loathe to strictly enforce for received email, and with no consequences, is only half heartedly complied with on the sending side. (Congrats to the interwebs for at least providing many DKIM/SPf verification websites.) That might be partially because they don't understand how it was intended to be deployed. DKIM signature is not intended to be done by the MUA as the general case. And if we agree (OK, some agree) that strict rejection of received email based on SPF and DKIM is not a good idea, you would think at least the email clients would make detection of these identification methods more automatic. Hats off to programmers for providing/maintaining tools that the masses don't appreciate. Rejection of mail with DNS records that indicate that mail MUST be from a given address range, or MUST be signed, should be honored to prevent forgery. Those domains are saying that they do have their act together and know where their mail should be originating from and have the the ability to sign it. The error in DKIM design was that there is no way to determine that unsigned mail should have been signed and DMARC fixes that. Best Regards MfG Robert Schetterer Curtis
Re: reality-check on 2016 practical advice re: requiring inbound TLS?
On 04/11/16 04:09, lst_ho...@kwsoft.de wrote: Zitat von jaso...@mail-central.com: On Sun, Apr 10, 2016, at 07:46 PM, Bill Cole wrote: On a system where you know enough about all your users to know that they don't want to get critical email from clueless sources, you can make restrictive choices with no trouble. If you don't actually know that, choosing to require senders to use rigorous security correctly will often lead to unpleasant surprises. Ya gotta break a few eggs to make an omelette ;-) And if you don't want to receive e-mail you should not operate a mail server or even publish a mail address. The conversation was about SPF, DKIM, and DMARC (I think). (Drifted from TLS). If the sender (or sending ESP) has no clue about what SPF, DKIM, and DMARC is, then they don't get penalized (or don't get penalized much). If they publish SPF and/or DKIM records that are wrong, then they get penalized more, but still not much. If the publish SPF and/or DKIM records that are wrong and they publish a DMARC record that says "toss my email if SPF or DKIM doesn't match", then guess what some mail servers are going to do - including the big ESPs. The reason DMARC exists is to prevent sender forgery. Expect some of the big boys to enforce DMARC, meaning that if you publish a DMARC record that says "toss and increment statistic if SPF or DKIM is wrong", they will do exactly that. If you don't publish a DMARC record, then someone could forge as you, but your legitimate mail won't get tossed. As far as strict TLS - been there, done that - don't recommend it. If you use ECDSA, then have a long key RSA as a backup. I've had no trouble AFAIK setting TLS to high though Viktor doesn't recommend it. I have not yet analyzed logs to see how often this is causing a fallback. I recently had a problem with mail where an ESP was in three blacklists plus SPF failed and spamassassin tossed some mail. That ESP is down to one blacklist now. A sender got to me out-of-band and I dug up the maillog from a few days earlier and informed them about how good their ESP was serving them. btw- If I had been using postscreen back then, I could not have found this in the logs based on sender email. Curtis ps - works for google, though dmarc says "accept and report". Google and Yahoo are allegedly enforcing or will soon be enforcing dmarc (if you publish a dmarc record). gmail.com descriptive text "v=spf1 redirect=_spf.google.com" 20120113._domainkey.gmail.com descriptive text "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD0" "7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB _dmarc.gmail.com descriptive text "v=DMARC1; p=none; rua=mailto:mailauth-repo...@google.com;
Re: reality-check on 2016 practical advice re: requiring inbound TLS?
In message <500a9284-b549-460d-8207-f52534e09...@billmail.scconsult.com> "Bill Cole" writes: > > On 9 Apr 2016, at 12:45, jaso...@mail-central.com wrote: > > > I block on strict FAILs of any if SPF, DKIM or DMARC. *missing* > > support for those is logged, but not - yet - acted on. > > This is dangerous, as is raising the bar too high on ciphersuites. > > Case in point: Ditech is one of the largest mortgage servicing companies > in the US, servicing millions of loans ultimately held by the federal > government. They send email responses to customer service inquiries out > via Microsoft's Office365 service, which signs it for the > "gtservicing.onmicrosoft.com" domain, but has it routed through Cisco > (formerly Ironport's) "iphmx.com" infrastructure for no visible reason, > where the From header is apparently re-written to > <donotre...@ditech.com>, breaking the DKIM signature. While the > iphmx.com machines accept mail from Microsoft using the suboptimal > AES256-SHA ciphersuite, they inexplicably use the affirmatively weak > TLSv1/RC4-SHA to pass it along. Because of this arcane routing, the > envelope sender (donotre...@gtservicing.com) has a domain with an SPF > record that is invalid due to its excessive complexity. Topping this > off, their messages consistently contain nothing but a bunch of > disclaimer boilerplate plus a link to the REAL message (which thankfully > is also usually low-content boilerplate) in a .doc file on the > sharefile.com service, with no authentication required to access the > link. > > This is how security-competent a significant US financial services > company is regarding email: broken DKIM signatures, invalid SPF records, > and confidential information regarding mortgage accounts sitting at URLs > accessible by anyone who can intercept a piece of email which AT BEST is > transported using encryption which may be crackable in reasonable time > by entities much weaker than the NSA. > > BUT: People *REALLY* want their customer service email from Ditech. If > you block invalid SPF, it fails. If you block invalid DKIM signatures, > it fails. If you require strong encryption, it fails. It is possible (I > have not tested...) that if you require strong encryption or none ("may" > with a restrictive cipherlist) they may deliver potentially critically > private information in the clear. > > Welcome to 2016: Sturgeon's Law remains in effect. Great anecdote of a really bad email setup but ... For a lot of us missing out on Ditech, a specialist in preditory lending, is not a compelling reason not to enable SPF, DKIM and DMARC. For my domains (all automated DNS zone file generation) I publish SPF and DKIM (and any relevant DNSSEC crud and TLSA) and was planning to update the homegrown tool to add DMARC. By publishing those records, you just avoid having someone forge mail as you (including to you, but there are plenty of simpler ways to protect against that). I was also planning to reject based on opendmarc at some point in the not-so-distant future. Curtis
Re: gmail servers requiring postscreen_access whitelisting
In message <b1132232-5b45-4a7b-8fb8-f240cea1f...@kreme.com> "@lbutlr" writes: > > On Apr 10, 2016, at 10:24 AM, Curtis Villamizar = > <cur...@orleans.occnc.com> wrote: > > postscreen_dnsbl_sites =3D > > list.dnswl.org*-5 > > # followed by some blacklist sites > > It was my understanding that eh the order of test said not matter > because all the dnsbls listed would be checked, a final score > computed, and then that compound number passed along to postscreen. Nobody ever said there was an order dependence. btw- I don't think list.dnswl.org is a viable workaround for the post 220 problem. This just affects the dnsbl score which would already be zero. The post 220 checks would still be run before putting the gmail server IP into the temporary whitelist. Manual maintenance of postscreen_access is the only thing that would work. Curtis
Re: what error is being reported back to sender, and how to avoid reporting back internal server ports?
In message <3qjzc32dcxzj...@spike.porcupine.org> Wietse Venema writes: > > > > No-one can connect to this from outside. > > > > That's correct. Not currently, to this current machine/port, in > > this configuration. > > If someone can connect from outside to your 127.0.0.1 port, then > you have a serious infrastructure problem. > > Wietse Or (assuming that there are no user account on the server) another service running on the same host that has been compromised. This is further leveraging a breach. Of course that means that there had to already be a non-root breach of something else (which would already be a bad thing). But that can't possibly happen (right?). I'm not a fan of mistaking the loopback interface for a hardenned security feature. Unix domain sockets or fifo (ala mkfifo and chmod) are a better choice than inet with loopback IMO, reducing the chance of leverage. Loopback is like a socket or fifo with ugo+rw perms. Curtis
Re: gmail servers requiring postscreen_access whitelisting
In message <570a341b.9000...@pajamian.dhs.org> Peter writes: > > On 10/04/16 15:00, Curtis Villamizar wrote: > > This is a workaround that shouldn't be needed. > > > > Any idea what the cause of this is? So far no legit mail except gmail > > gets caught here. > > gmail uses hundreds, or thousands of MTAs and has the unique property > that when they retry after a deferral it is almost always from a > different server (IP). So postfix clears one IP and they retry from > another which postfix did not clear yet. Rinse and repeat ad-nauseum. > > The only workaround is to either receive so much mail from google that > you eventually get most of their servers on your temporary whitelist, or > to whitelist them in some other way. newer versions of postfix allow > you to whitelist based on DNSWLS and if you use dnswl.org it will > include the google servers. In older versions of postfix you will need > to whitelist them manually like you have already done, but they change > from time to time so you need to keep the list up to date. > > Peter This seems like it could be a viable workaround for the after 220 problem. postscreen_dnsbl_sites = list.dnswl.org*-5 # followed by some blacklist sites It could occasionally delay mail from all legitimate senders not in dnswl.org (almost everyone but a few big guys) if they try both the primary and secondary MX and those two MX have independent temporary whitelists. Tying the temporary whitelists together (so the secondary immediately passes postscreen tests) using a routable address (since they are at different sites) seems horribly insecure. If there was a way to wrap the connection in TLS, then OK. Occasionally delaying legitimate mail is to be avoided and I don't see a workaround for that. OTOH, as soon as I turned this off some obvious spam got through, probably bot spam not yet listed in a dnsbl and clever enough to not get snagged by spamassasin (not all that hard apparently). The next question is whether the after 220 stops enough spam that the other tests wouldn't get to make it worth the bother. Apparently, based on Wietse's terse comment, he thinks not. So I'll go with Wietse's advice and disable after 220 tests and see if I can find an alternative to stop the remaining dribble of spam. Curtis
Re: gmail servers requiring postscreen_access whitelisting
In message <3qjz5d5s15zj...@spike.porcupine.org> Wietse Venema writes: > > Curtis Villamizar: > > Since I enabled postscreen (with soft_bounce=yes in master.cf) I was > > getting logs of this form: > > > > Apr 9 01:08:12 mta1 postfix/postscreen[18326]: > > NOQUEUE: reject: RCPT from [2607:f8b0:4002:c05::22d]:32999: > > 450 4.3.2 Service currently unavailable; > > from=<redac...@gmail.com>, to=, > > proto=ESMTP, helo= > > DO NOT turn on the after-220 tests: > > postscreen_non_smtp_command_enable = no > postscreen_pipelining_enable = no > postscreen_bare_newline_enable = no > > Wietse Based on the terseness of this authoritative response I'll assume this topic has already been beat to death and the limited benefits of these tests simply are not worth the headaches. Peter gave a useful workaround. I'll reply on that thread. I had enabled _pipelining_ and _non_smtp_command_ but not _bare_newline_. For now I've disabled these tests. Curtis
Re: gmail servers requiring postscreen_access whitelisting
In message <5709c8c8.1050...@megan.vbhcs.org> Noel Jones writes: > On 4/9/2016 10:00 PM, Curtis Villamizar wrote: > > Since I enabled postscreen (with soft_bounce=yes in master.cf) I was > > getting logs of this form: > > > > Apr 9 01:08:12 mta1 postfix/postscreen[18326]: > > NOQUEUE: reject: RCPT from [2607:f8b0:4002:c05::22d]:32999: > > 450 4.3.2 Service currently unavailable; > > from=<redac...@gmail.com>, to=, > > proto=ESMTP, helo= > > > > linefeeds added by me for readability. > > > > gmail would just keep trying a half hour later and mail never gets > > delivered. > > > > rfc3463 isn't very helpful: > > > > X.3.2 System not accepting network messages > > > > The host on which the mailbox is resident is not accepting > > messages. Examples of such conditions include an immanent > > shutdown, excessive load, or system maintenance. This is > > useful for both permanent and permanent transient errors. > > > > I have lines of the form: > > > > main.cf: > > postscreen_access_list = > > cidr:$config_directory/postscreen_access > > hash:$config_directory/postscreen_reject > > > > postscreen_access: > > # google mail servers > > 2607:f8b0:4002:c00::/60 permit > > [... other google server blocks ...] > > > > This is a workaround that shouldn't be needed. > > > > Any idea what the cause of this is? So far no legit mail except gmail > > gets caught here. > > > > Curtis > > Look for other warnings and errors in your logs, maybe just before > the reject, maybe earlier. > > -- Noel Jones This is it for that connections: Apr 9 01:07:15 mta1 postfix/postscreen[18326]: CONNECT from [2607:f8b0:4002:c05::22d]:32999 to [2001:470:88e6:1::141]:25 Apr 9 01:07:18 mta1 postfix/tlsproxy[18331]: CONNECT from [2607:f8b0:4002:c05::22d]:32999 Apr 9 01:08:12 mta1 postfix/tlsproxy[18331]: Untrusted TLS connection established from [2607:f8b0:4002:c05::22d]:32999: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Apr 9 01:08:12 mta1 postfix/postscreen[18326]: NOQUEUE: reject: RCPT from [2607:f8b0:4002:c05::22d]:32999: 450 4.3.2 Service currently unavailable; from=<redac...@gmail.com>, to=, proto=ESMTP, helo= Apr 9 01:08:12 mta1 postfix/postscreen[18326]: PASS NEW [2607:f8b0:4002:c05::22d]:32999 Apr 9 01:08:12 mta1 postfix/tlsproxy[18331]: DISCONNECT [2607:f8b0:4002:c05::22d]:32999 Apr 9 01:08:12 mta1 postfix/postscreen[18326]: DISCONNECT [2607:f8b0:4002:c05::22d]:32999 The IP address got whitelisted but then the next retry from gmail usually doesn't come from the same IP address and comes 30 minutes later. They seem to have some sort of pool of servers that work on the same set of mail queues. Today I caught 2 gmails where this happenned where I didn't have the block in the permit list but each got delivered on next attempt. I haven't had postscreen enabled long and only for two domain, one currently used only for a web site and therefore available for email testing and the other that is mostly mail to me and gets a fair amount of spam. I now have a non-gmail sender where this happened. In that case after the 450 it went immediately to the secondary MX that at this time is not running postscreen and all was fine. I'll recheck my configs, then post if I can't figure it out. Curtis
Re: reality-check on 2016 practical advice re: requiring inbound TLS?
In message <20160410024851.gu26...@mournblade.imrryr.org> Viktor Dukhovni writes: > On Sat, Apr 09, 2016 at 09:31:48PM -0400, Curtis Villamizar wrote: > > > > 1) It looks to me that starttls really only protects the path to the > > >first server. Classic case being sending email over the non-secure > > >coffee shop wifi. > > > > If you are using TLS to port 587 then that is protecting the first > > hop. If both your MUA (email app) and the MSA (mail submission agent) > > you are talking to insist on using TLS and have some means to mutually > > authenticate (such as either a client cert or mutual_auth in postfix > > on the MSA end), then this is subject to MITM. Postfix does not > > support validating the client cert (AFAIK - not a guru I said). > > This is wrong. Can you say what is wrong. Let me paraphrase and expand a bit. mutual_auth implies you are using SASL. With Opportunistic TLS without SASL in postfix you have no authentication. With TLS but with SASL plaintext you provide a MITM a means to read your password. The simplest MITM is STARTTLS stripping. If the client end doesn't insist on TLS, then STARTTLS stripping is possible. The client TCP connection can be terminated at the MITM as plain text and a TLS to the MSA can be started. In both connections the IP address can be spoofed if the MITM is in the routing middle (or acting as a L2 bridge). If both ends insist on TLS but are willing to settle for SSL, then a MITM is still possible with a TLS downgrade (but harder to do). If both ends insist on TLS and not SSL but there is no client cert and no way to tell what the client should be signing for or no CAfile to check against then a MITM is possible if a rouge CA is used (which is likely going to be a nation surveilance situation). Postfix does not support validating the client cert. Which of these are wrong? OK to pick more than one. :-) Seriously, I did say I'm not an expert. > > There is really no name to validate the client cert against, other > > than the hostname provided in the EHLO. > > Submission clients are usually authenticated via SASL, and while > that does not provide "channel binding", it is good enough in > practice, if the client properly authenticates the server. mutual_auth implies you are using SASL and with or without TLS it helps with MITM, but safe with TLS. mutual_auth such as SCRAM (or GSSAPI) are reasonably good and MITM resistant. > > The point of the article is that unless both ends insist on TLS then > > MITM is possible. > > The topic of the articles is TLS between email relays, not MUA to > submission or IMAP client to IMAP srever. > > MITM is possible when SMTP relays (sending MTAs) don't (and generally > can't even if they wanted to) authenticate the nexthop MTA. This statement was independent on MUA->MSA or MSA->MX which is a form of MTA->MTA. > > The focus of the paper was on the use of TLS between the MSA and the > > MX of the destination domain (an MTA - mail transfer agent). That is > > usually the next hop. > > No, the topic was relay-to-relay SMTP, TLS is much more prevalent > with submission and IMAP and generally works adequately with WebPKI. Sorry. We are saying the same thing here but I was keeping with MUA->MSA or MSA->MX since explaining to someone that possibly didn't know any of these terms. And MSA->MX is a form of MTA->MTA. To be pedantic, the focus of the paper is on MTA->MTA where the two MTA are in different domains. > -- > Viktor. I defer to you as an expert on this but I would like to know what is wrong in the "this is wrong" comment. Curtis
gmail servers requiring postscreen_access whitelisting
Since I enabled postscreen (with soft_bounce=yes in master.cf) I was getting logs of this form: Apr 9 01:08:12 mta1 postfix/postscreen[18326]: NOQUEUE: reject: RCPT from [2607:f8b0:4002:c05::22d]:32999: 450 4.3.2 Service currently unavailable; from=<redac...@gmail.com>, to=, proto=ESMTP, helo= linefeeds added by me for readability. gmail would just keep trying a half hour later and mail never gets delivered. rfc3463 isn't very helpful: X.3.2 System not accepting network messages The host on which the mailbox is resident is not accepting messages. Examples of such conditions include an immanent shutdown, excessive load, or system maintenance. This is useful for both permanent and permanent transient errors. I have lines of the form: main.cf: postscreen_access_list = cidr:$config_directory/postscreen_access hash:$config_directory/postscreen_reject postscreen_access: # google mail servers 2607:f8b0:4002:c00::/60 permit [... other google server blocks ...] This is a workaround that shouldn't be needed. Any idea what the cause of this is? So far no legit mail except gmail gets caught here. Curtis
Re: rate limiting
In message <5707263d.7000...@caseyconnor.org> Casey Connor writes: > > Thank you -- will it accept decimal seconds? > > We are sending on the order of 50-200+ messages per second in this > stress test, so the delay between messages could be smaller than .005 > seconds. If you are trying to simulate a very busy mailserver, then you should be concerned about connections to it from multiple hosts per second most sending one or a few messages and a realistic test would have to have a nominal TCP RTT in the range of a few to a few 10s of msec since the speed of light is limited and geographic delays come into play. I've been involved in testing and some simulation of this type but on routers and various switchy-thingies rather than mailservers. Curtis > On 04/07/2016 06:19 PM, Wietse Venema wrote: > > See: > > http://www.postfix.org/postconf.5.html#default_transport_rate_delay > > http://www.postfix.org/postconf.5.html#default_destination_rate_delay > > > > The names are similar but things work differently. > > > > Wietse
Re: rate limiting bad-bot HANGUPs in postscreen?
In message <1460213048.1937714.573722321.23756...@webmail.messagingengine.com> jaso...@mail-central.com writes: > With postscreen in place, bad bots arr getting fended off. > > Many give up and go away after a couple of tries. > > Some, these days mostly 'ymlf-pc' bots, are more persistent. > > Eg, this one > > Apr 8 04:17:20 mail01 postfix/postscreen[20412]: CONNECT from > [37.49.226.17]:52066 to [192.0.2.17]:25 > Apr 8 04:17:20 mail01 postfix/dnsblog[20417]: addr 37.49.226.17 listed > by domain zen.spamhaus.org as 127.0.0.4 > Apr 8 04:17:21 mail01 postfix/postscreen[20412]: PREGREET 14 after > 0.14 from [37.49.226.17]:52066: EHLO ylmf-pc\r\n > Apr 8 04:17:21 mail01 postfix/postscreen[20412]: DNSBL rank 6 for > [37.49.226.17]:52066 > Apr 8 04:17:21 mail01 postfix/postscreen[20412]: HANGUP after 0.85 > from [37.49.226.17]:52066 in tests after SMTP handshake > Apr 8 04:17:21 mail01 postfix/postscreen[20412]: DISCONNECT > [37.49.226.17]:52066 > Apr 8 04:17:22 mail01 postfix/postscreen[20412]: CONNECT from > [37.49.226.17]:54974 to [192.0.2.17]:25 > Apr 8 04:17:22 mail01 postfix/dnsblog[20415]: addr 37.49.226.17 listed > by domain zen.spamhaus.org as 127.0.0.4 > Apr 8 04:17:22 mail01 postfix/postscreen[20412]: PREGREET 14 after > 0.15 from [37.49.226.17]:54974: EHLO ylmf-pc\r\n > Apr 8 04:17:22 mail01 postfix/postscreen[20412]: DNSBL rank 6 for > [37.49.226.17]:54974 > Apr 8 04:17:23 mail01 postfix/postscreen[20412]: HANGUP after 0.77 > from [37.49.226.17]:54974 in tests after SMTP handshake > Apr 8 04:17:23 mail01 postfix/postscreen[20412]: DISCONNECT > [37.49.226.17]:54974 > Apr 8 04:17:25 mail01 postfix/postscreen[20412]: CONNECT from > [37.49.226.17]:58871 to [192.0.2.17]:25 > ... > > conitinues on for a total of (in this case) 237 attempts in one continuous > string over a few minutes. > > These do not appear as multiple CONCURRENT connection, which I think I can > limit with ' postscreen_client_connection_count_limit'. > > Instead, they look like SEQUENTIAL connections. > > IIUC, this is a pretty efficient disconnection by postscreen, so not a huge > load on the server. > > But, it's still making connections. > > I can rate limit these in fail2ban+firewall (e.g., > http://shorewall.net/ConnectionRate.html), but would prefer to keep this > re-action in Postfix. > > Is there a postscreen_ parameter to rate limit these "bursts"? Maybe dropping > the connection sooner? > > Jason Jason, An excerpt below from a shell script to generate a access file for postscreen. I haven't automated running it but will probably zcat a day or two of prior maillog files plus the current day (for example, using "zcat /var/log/maillog.0.bz2 | cat - /var/log/maillog | ..."). It gets rid of lots of PREGREET or HANGUP in under 1 sec. The threshhold of 5 is quite low but I don't think it will catch any legit mail servers. Still playing with this. Note that the big space before reject is three tabs. Curtis echo "# HANGUP after <1 more than 5 times in one day" grep postfix/postscreen /var/log/maillog \ | grep 'HANGUP after 0\.' \ | sed -e 's,^.*HANGUP after [0-9\.]* from ,,' \ -e 's,:[0-9]* in tests after SMTP handshake$,,' \ | sort | uniq -c | sort -n \ | egrep '^ *[6-9] |^ *[1-9][0-9][0-9]* ' \ | sed -e 's,^ *[0-9]* *\[,,' -e 's,\]$, reject,' echo "# PREGREET after <1 more than 5 times" grep postfix/postscreen /var/log/maillog \ | grep 'PREGREET [0-9]* after 0\.[0-9]* ' \ | sed -e 's,^.*PREGREET [0-9]* after 0\.[0-9]* from ,,' \ -e 's,:[0-9]*: [HE]*LO .*,,' \ | sort | uniq -c | sort -n \ | egrep '^ *[6-9] |^ *[1-9][0-9][0-9]* ' \ | sed -e 's,^ *[0-9]* *\[,,' -e 's,\]$, reject,'
Re: reality-check on 2016 practical advice re: requiring inbound TLS?
In message <20160409210245.gs26...@mournblade.imrryr.org> Viktor Dukhovni writes: > > On Sat, Apr 09, 2016 at 08:46:54AM -0700, jaso...@mail-central.com wrote: > > > I'm setting up mandatory TLS policy for a couple of private client > > servers, using > > > > - smtpd_tls_security_level = may > > + smtpd_tls_security_level = encrypt > > > > I started wondering whether it wouldn't be a bad thing to require > > ALL email delivered to my server, from anywhere, to use TLS. > > Your server, your rules, but be prepared to refuse a lot of legitimate > email. A review of maillogs would tell you how much would get tossed. I've been doing some work with automated parse of logs. If I look at that (including TLS mail rejected by postscreen vs in-the-clear mail rejected by postscreen) I'll let you know. > https://www.google.com/transparencyreport/saferemail/ > https://www.ietf.org/proceedings/95/slides/slides-95-irtfopen-1.pdf > > https://www.elie.net/publication/neither-snow-nor-rain-nor-mitm-an-empirical-analysis-of-email-delivery-security > > -- > Viktor. Thanks for the links. I emailed one of the authors asking why so little was said about DNSSEC and nothing at all about DANE. Curtis
Re: reality-check on 2016 practical advice re: requiring inbound TLS?
In message <20160409230701.5468245.39956@lazygranch.com> li...@lazygranch.com writes: > > Would a guru comment on my "interpretation" of these documents? Not a guru but ... > 1) It looks to me that starttls really only protects the path to the >first server. Classic case being sending email over the non-secure >coffee shop wifi. If you are using TLS to port 587 then that is protecting the first hop. If both your MUA (email app) and the MSA (mail submission agent) you are talking to insist on using TLS and have some means to mutually authenticate (such as either a client cert or mutual_auth in postfix on the MSA end), then this is subject to MITM. Postfix does not support validating the client cert (AFAIK - not a guru I said). There is really no name to validate the client cert against, other than the hostname provided in the EHLO. For the MSA that could be useful or the MSA could have a sender to name to validate mapping and CAfile to use. In principle, IMAP servers could do the same. But I don't think there is much demand for that. It would mean getting clients to put certs in the MUA. The point of the article is that unless both ends insist on TLS then MITM is possible. There is a lot of discussion of STARTTLS stripping. There was not discussion of TLS downgrade attacks but those are not as easy as STARTTLS stripping. The focus of the paper was on the use of TLS between the MSA and the MX of the destination domain (an MTA - mail transfer agent). That is usually the next hop. > 2) Mail between Google/yahoo servers will enforce TLS, but other >transit may not? My view of starttls email is this. At best, you >only protect the endpoints. Google, yahoo, and many others offer STARTTLS. None require that you use TLS or check a client cert. > The snail mail analogy is you leave a message in an envelope for the > mail carrier. That message makes it to the post office in the > envelope. As the mail transits between post offices, some of those > non-postal carriers may remove your envelope. The destination post > office, should it find your message lacking an envelope, puts your > message in another envelope, then delivers it. Sort of. More like if each post office always removed the envelope and put your mail in a new one before sending to the next post office, sometime a transparent envelope. > 3) I reviewed the DMARC. All my accounts have functional spf and >dkim. If I set DMARC to quarantine, will my email at least be >delivered? No. I will be held and you (or some email address that is indicated in the DMARC record) will be notified that mail for that domain is held - typically in a daily summary for the domain. > I've looked at dnssec, but it seems like I need a 2nd server to make > it work. If not, can someone provide what they consider a good link on > the topic? You need to sign you domain RRs and then go to your domain registrar and ask that a DS record be added for your domain. In that order. http://www.internetsociety.org/deploy360/dnssec/ http://www.internetsociety.org/deploy360/home/content-providers/dnssec/ http://dnssec-debugger.verisignlabs.com/ https://www.dnssec-tools.org/test/ The last one has a link to a tutorial. Also regarding DANE: http://www.internetsociety.org/deploy360/resources/dane/ http://dane.verisignlabs.com/ https://dane.sys4.de https://dane.sys4.de/common_mistakes > My understanding is only pgp or s/mime has end to end encryption. Correct. SMTP TLS is not end-to-end. Of course to encrypt using pgp or s/mime both ends must support pgp or s/mime which has been a problem. People within various communities of interest use pgp or s/mime (for example, the security community) but use is very sparse. Curtis > > Original Message > > From: Viktor Dukhovni > > Sent: Saturday, April 9, 2016 2:03 PM > > To: postfix-users@postfix.org > > Reply To: postfix-users@postfix.org > > Subject: Re: reality-check on 2016 practical advice re: requiring inbound > > TLS? > > > > On Sat, Apr 09, 2016 at 08:46:54AM -0700, jaso...@mail-central.com wrote: > > > > > I'm setting up mandatory TLS policy for a couple of private client > > > servers, using > > > > > > - smtpd_tls_security_level = may > > > + smtpd_tls_security_level = encrypt > > > > > > I started wondering whether it wouldn't be a bad thing to require > > > ALL email delivered to my server, from anywhere, to use TLS. > > > > Your server, your rules, but be prepared to refuse a lot of legitimate > > email. > > > > https://www.google.com/transparencyreport/saferemail/ > > https://www.ietf.org/proceedings/95/slides/slides-95-irtfopen-1.pdf > > https://www.elie.net/publication/neither-snow-nor-rain-nor-mitm-an-empirical-analysis-of-email-delivery-security > > > > -- > > Viktor.
Re: False positives from header_checks
Since pcre evaluates in order you could add /^Content-(Disposition|Type).*;??x-apple-part-url="[^"]+"$/x DUNNO before the pcre that does the rejection. Since "." is commonly "%2E" you could also change the "\." in the RE to "(\.|%2E)". That doesn't solve base64 encoding. Disclaimer: I haven't tried this. Curtis On 04/06/16 22:02, Laz C. Peterson wrote: This is great information. It's very odd ... Apple has been responsible for the foundation of quite a few RFC's but in our experience has actually made it difficult for our software to both comply with the RFC as well as Apple's client software. Thank you Cedric. ~ Laz Peterson Paravis, LLC On Apr 6, 2016, at 3:28 PM, Cedric Knight <ced...@gn.apc.org> wrote: The documentation for header_checks includes an example to "block attachments with bad file name extensions", and I expect many installations have a similar rule to cut down on malware. This reads: /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)( ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| hlp|ht[at]| inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}| ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" may not end with ".$4" Unfortunately, this can now block valid email from iPhone/iOS/ithing users. The second ".*" can span multiple parameters. This shows up in logs when searching for "x-apple-part-url" as follows: postfix/cleanup[1234]: 123412341234: reject: header Content-Type: application/vnd.ms-publisher;??name="redacted redacted.pub";??x-apple-part-url="abcd1234-1234-5678--123412341...@yahoo.com" What Apple has done seems legal under RFC 2045 but may make some of their users' email undeliverable. Rules can be amended to limit to "token" or "quoted-string" versions of the filename like this: /^Content-(Disposition|Type).*name\s*=\s* ("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*) ((?:\.|=2E)( ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| hlp|ht[at]| inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}| ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| vb[esx]?|vxd|ws[cfh])(\?=)?"?)\s*(;|$)/x REJECT Attachment name $2$3 may not end with ".$4" A separate security point is that this doesn't actually block "bad" extensions if the Content-Type name is base64 encoded and the filename parameter in the Content-Disposition is percent-encoded. Hope this is useful to some. CK
Re: problem sending to outlook.com
In message <5700f376.7050...@lfweb.dk> Lars Nielsen writes: > > Hi, > This Thursday i had problems sending mails to outlook.com addresses. I > found out that MS thought my mail-server was suspicious and had blocked > me as sender. I could however mail to them and gotten my server allowed > again. > > But how can i ensure that i run a "professional" mail server that > doesn't get blocked? I have attached my "postconf -n" output here so you > can see if i miss something obvious!? > > Thanks for you help > Best regards > Lars Nielsen I have no idea but I did also get blocked. Since I only know two people that I send mail to with M$oft email services, and had only recently sent only one email I could narrow it down to the content. The content was something along the lines of "please preview this web content on web-test.a-domain-i-use and oh btw you'll need to use https and the cert doesn't cover web-test so click through the warnings". I think that was it. The email referenced a https URL with bad cert (valid for @, www, but not web-test). I called. Tech said they don't save messages or reasons for rejection and could not give a reason but once resolved you're sort of semi-whitelisted (low mail volume and a real human responded so they won't be so touchy next time). Their spam methods are proprietary. Nothing in your config jumps out as bad (to me). You could DKIM sign your mail and add DKIM and SPF DNS records (maybe DMARC, though I don't do that but might in the near future). DKIM and SPF pass can only help, even if just a little, and DKIM+SPF+DMARC can make sure that forgery doesn't penalize your domain. Maybe someone that actually knows what they are talking about will weigh in on this thread. :-) Curtis > = > alias_database = hash:/etc/aliases > alias_maps = hash:/etc/aliases > allow_percent_hack = no > append_dot_mydomain = no > biff = no > bounce_queue_lifetime = 3d > config_directory = /etc/postfix > default_destination_concurrency_limit = 3 > delay_warning_time = 4h > disable_vrfy_command = yes > home_mailbox = Maildir/ > inet_interfaces = all > inet_protocols = all > initial_destination_concurrency = 1 > mailbox_command = > mailbox_size_limit = 0 > maximal_backoff_time = 8000s > maximal_queue_lifetime = 5d > minimal_backoff_time = 600s > mydestination = > myhostname = mail.lfw.dk > mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 myhomeip/32 > myserverip/32 > mynetworks_style = host > myorigin = lfw.dk > readme_directory = no > recipient_delimiter = + > relayhost = > smtp_helo_timeout = 60s > smtp_tls_cert_file = /etc/postfix/client.pem > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache > smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, > reject_rbl_client blackholes.easynet.nl > smtpd_delay_reject = yes > smtpd_error_sleep_time = 20 > smtpd_hard_error_limit = 12 > smtpd_helo_required = yes > smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, > warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, > regexp:/etc/postfix/helo.regexp, permit > smtpd_junk_command_limit = 2 > smtpd_recipient_limit = 16 > smtpd_recipient_restrictions = check_client_access > hash:/etc/postfix/helo_client_exceptions check_sender_access > hash:/etc/postfix/sender_checks, permit_sasl_authenticated, > permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_recipient, > reject_unknown_sender_domain, reject_unknown_recipient_domain, > reject_unauth_destination, reject_unauth_pipelining, check_client_access > hash:/etc/postfix/rbl_client_exceptions, reject_rbl_client > cbl.abuseat.org, reject_rbl_client sbl-xbl.spamhaus.org, > reject_rbl_client bl.spamcop.net, reject_rhsbl_sender > dsn.rfc-ignorant.org, permit > smtpd_sasl_auth_enable = yes > smtpd_sasl_local_domain = $myhostname > smtpd_sasl_security_options = noanonymous > smtpd_sender_restrictions = permit_mynetworks, warn_if_reject > reject_non_fqdn_sender, reject_unknown_sender_domain, > reject_unauth_pipelining, permit > smtpd_soft_error_limit = 3 > smtpd_tls_CAfile = /etc/ssl/intermediate.ca.pem > smtpd_tls_auth_only = yes > smtpd_tls_cert_file = /etc/postfix/client.pem > smtpd_tls_key_file = /etc/ssl/mail.lfw.dk.pem > smtpd_tls_loglevel = 3 > smtpd_tls_mandatory_protocols = !SSLv2 > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache > smtpd_use_tls = yes > swap_bangpath = no > tls_random_source = /dev/urandom > unknown_address_reject_code = 554 > unknown_client_reject_code = 554 > unknown_hostname_reject_code = 554 > unknown_local_recipient_reject_code = 450 > virtual_alias_maps = mysql:/etc/postfix/mysql_virtual
Re: best practice for blocking fake local domain senders
In message
Re: Hardware with non-FQDN EHLO
In message <56f6c728.2090...@megan.vbhcs.org> Noel Jones writes: > > On 3/26/2016 7:18 AM, Nicols wrote: > > Thanks Wietse and Rob, > > > > The client indeed uses SASL, but it gets rejected at HELO/EHLO time. > > I will observe these days if I can fence in a reduced CIDR range and > > use Wietse's approach, if not, I'll set up a Postfix local to the > > broken client, which indeed is a cleaner way than my original approach. > > > > Thanks! > > > > Nicols > > > > > If the client uses SASL, all you need to do is put > permit_sasl_authenticated before your reject_non_fqdn_helo_hostname. > > No need for a CIDR table or any other workarounds. > > smtpd_helo_restrictions = >permit_mynetworks >permit_sasl_authenticated >reject_non_fqdn_helo_hostname >... any other stuff... On http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions permit_sasl_authenticated is not listed. Which makes some sense since the HELO occurs before AUTH. HELO checks seem to be all IP and hostname related. > -- Noel Jones Am I missing something? Curtis > > > > Mensaje original > > De: wie...@porcupine.org > > Fecha:25/03/2016 17:56 (GMT+00:00) > > Para: Postfix users > > Asunto: Re: Hardware with non-FQDN EHLO > > > > Nicols: > >> Hi, > >> > >> I have some hardware which I've configured to send e-mails through > >> my Postfix server. Unfortunately, this hardware's firmware has > >> its' EHLO command hardcoded, not being it an FQDN. > >> > >> In Postfix, I've configured smtpd_helo_restrictions to > >> have?reject_non_fqdn_helo_hostname and I'm pretty happy with it > >> so I don't want to remove it, however it makes its' attempts to > >> get rejected. Another issue is that it's connections are made from > >> a dynamic IP address, so whitelisting its IP address is not an > >> option. However, it has a dynamic hostname which updates each time > >> it changes (a DynDNS-like host). > > > > Wrap the reject_non_fqdn_helo_hostname inside an access table: > > > > smtpd_mumble_restrictions = > > ...other stuff... > > check_client_access cidr:/etc/postfix/reject_non_fqdn_helo.cidr > > ...more stuff... > > > > /etc/postfix/reject_non_fqdn_helo.cidr: > > # Unlike hash files, cidr files are matched in the order of rules. > > # IPv4 > > 1.2.3.4 dunno > > 0.0.0.0/0 reject_non_fqdn_helo_hostname > > # IPv6 > > 1:2::3:4 dunno > > ::0/0 reject_non_fqdn_helo_hostname > > > > It's a bit clumsy with the CIDR patterns, but hash-based access > > maps don't have a wild-card pattern. > > > > Wietse
Re: Thousands of login attempts
In message <0f3f9e7a-f0da-400a-b331-514a471b4...@valo.at> Christian Kivalo writes: > > >> One minor comment: I would not even offer AUTH on port 25. > > > >I don't. I offer opportunistic TLS on port 25 for SMTPd. All mail > >submission have to be on port 587. > > You do. > > valo@uschi:~ $ telnet mail.covisp.net 25 > Trying 65.121.55.42... > Connected to mail.covisp.net. > Escape character is '^]'. > 220-mail.covisp.net ESTMP -- Please wait > 220 mail.covisp.net ESMTP Postfix 3.0.3 > ehlo test.local.host > 250-mail.covisp.net > 250-PIPELINING > 250-SIZE 26214400 > 250-ETRN > 250-STARTTLS > 250-AUTH PLAIN LOGIN > 250-AUTH=PLAIN LOGIN > 250-ENHANCEDSTATUSCODES > 250-8BITMIME > 250 DSN > quit > 221 2.0.0 Bye > Connection closed by foreign host. > > See the two lines offering auth on port 25. You should disable auth > on port 25. As in "smtpd_sasl_auth_enable = no". > -- > Christian Plain and login AUTH are particularly dangerous since they send passwords in the clear. See if you can find another method: http://cyrusimap.web.cmu.edu/sasl/authentication_mechanisms.html http://wiki.dovecot.org/Authentication/Mechanisms With AUTH PLAIN LOGIN and no TLS, anyone logging in over public WiFi (or non-switched ethernet, where such a thing still exists) is exposing their user ID and password to others snooping on the WiFi. That could be really bad for people who use the same password for everything (terrible practice but all too common). btw- Even with TLS, unless client certs are used anyone can connect and try brute force password guessing, which is what appears to be happenning. When presented with STARTTLS and no AUTH most attacks just go away and don't keep retrying. I suggest that if it won't break clients (if they can use TLS) use "smtpd_tls_security_level = yes" on port 587 (which implies "smtpd_tls_auth_only = yes"). Use "smtpd_sasl_auth_enable = no" on port 25 even if it means clients have to change configs. Plus set smtp_sasl_mechanism_filter to something more reasonable if it doesn't break clients to do so (and/or change mech_list in cyrus sasl conf). For example "smtpd_sasl_security_options = noanonymous, noplaintext". Client certs would be nice but a large number of client certs can be a headache to keep track of and hard to get into user's client MUAs. Filters limiting access to port 587 can then be applied a lot more strickly than filters on port 25 could be. Curtis
[OT] (was Re: Is /usr/bin/mail a link to sendmail/postfix)
In message <76865be6-8041-498d-91ae-36ef80c91...@kreme.com> "@lbutlr" writes: > > On Mar 13, 2016, at 9:06 AM, Robert Chalmers <rob...@chalmers.com.au> wrote: > > Nice hardware, but the software is really recycled FreeBSD. say what? > > This should not be news. One of the reasons I chose FreeBSD for my > servers was because I wouldn't have to change modes between OS X and > my servers. > > -- > Marriages made in heaven are not exported. Perhaps being pedantic again, but ... oh another squirrel ... The kernel has its roots in Mach (back in the late 1980s) but doesn't closely resemble Mach since long ago. The utilities are a branch from FreeBSD a very long time ago and they do track and merge in some changes but there are a lot of differences. FreeBSD also uses code that originates from places other than BSD - for example, see src/contrib and src/sys/contrib. There are some things you can get from FreeBSD ports collection to make your Mac and FreeBSD systems look even more similar. And of course Apple's window system is unique and in no way related to the Xorg or xf86 or original MIT flavors of X-windows that FreeBSD has used over time. Yes there still is a lot of similarity, but recycled version ... No - just a quick path to get closer to posix in the utilities with least restrictive licensing. Curtis
Re: OT yahoo
In message <612d47d4-9465-4031-9d48-e6a0c3a8a...@dukhovni.org> Viktor Dukhovni writes: > > > On Mar 13, 2016, at 5:42 PM, Curtis Villamizar <cur...@orleans.occnc.com> > > wrote: > > > > The NS RR are typically delivered in a fixed order, the order in the > > zone file, and while perhaps neither NS RR is properly a primary in > > the sense that MX has preference, lots of code uses the first NS > > first, then tries the second. > > Back to back queries about 1 second apart. :-) > > $ dig +noall +ans +auth +nocl +nottl -t ns orleans.occnc.com @ns01.occnc.com > orleans.occnc.com. NS ns03.occnc.com. > orleans.occnc.com. NS ns01.occnc.com. > > $ dig +noall +ans +auth +nocl +nottl -t ns orleans.occnc.com @ns01.occnc.com > orleans.occnc.com. NS ns01.occnc.com. > orleans.occnc.com. NS ns03.occnc.com. > > -- > Viktor. Hard to argue with that. I tried @8.8.8.8 and got the same thing. That implies that if the NS behind the MSO service is not seeing much action the MSO might be intercepting DNS and giving cached answers. If so, this is a free "service" to their business Internet customers that they don't bother telling those customers about. MSO intercept and cache might also be why I had trouble with my DNS being somewhat unreliable when I first turned DNSSEC on (long while ago - fine now). I just checked and found out that "rrset-order fixed" is compiled out of bind by default and has been for quite some time, but at least I can compile it into my next build so I can put a fixed order on my NS records and favor the better connected nameserver as in: rrset-order { class IN type NS order fixed; order random; }; Though if caching servers dole out cached RR random order, that might not help. Sometimes I wonder why I didn't just do it right and get colo on the west coast and have two very well connected sites (oh yeah - cost). Curtis
Re: OT yahoo
In message <3qnxhn426dzj...@spike.porcupine.org> Wietse Venema writes: > > Curtis Villamizar: > > Are you saying they only looked at the primary NS record? Maybe I > > misread a prior post but I thought you meant primary MX record. The > > former, if true, would be even more broken. > > There are no primary/secondary NS records; what matters are the NS > records for his domain the parent zone name server hands out. > > Wietse Wietse, You are correct if you want to be pedantic, but ... The NS RR are typically delivered in a fixed order, the order in the zone file, and while perhaps neither NS RR is properly a primary in the sense that MX has preference, lots of code uses the first NS first, then tries the second. For example, the bind documentation (Section 6.3 "Zone File") says: The set of resource information associated with a particular name is composed of separate RRs. The order of RRs in a set is not significant and need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify that a particular nearby server be tried first. So I think that might count as at least weak evidence of current practice, but that has been my experience. My primary NS is better connected (at a colocation site, near an IX, with GbE the slowest hop) and is listed first and the secondary doesn't get much use from outside (which is good since its connected via a MSO "business Internet service" which is usable, but nothing like the colo). Curtis
[OT] OS heritage (was: Re: source code for MacOSX tools)
OT - therefore my first and only post on this. In message <a63e44a5-cc29-48c2-9a88-978275bd6...@rfc1035.com> Jim Reid writes: > > > On 13 Mar 2016, at 15:06, Robert Chalmers <rob...@chalmers.com.au> wrote: > > > > Nice hardware, but the software is really recycled FreeBSD. say what? > > The MacOSX kernel is based on Mach, not BSD, though that Mach kernel > presents a largely BSD-flavour/POSIX API to user mode applications. It > might be fairer to say FreeBSD is recycled MacOSX given the > engineering resources Apple has contributed to FreeBSD. :-) > > Most MacOSX command line tools come from FreeBSD or GNU, apart from > the obvious independent open source projects like postfix, openssl, > BIND, ntpd and so on. https://en.wikipedia.org/wiki/Mac_OS#OS_X https://en.wikipedia.org/wiki/Darwin_%28operating_system%29 https://en.wikipedia.org/wiki/XNU https://en.wikipedia.org/wiki/Hybrid_kernel Briefly: Mach is an OS based on a minimalist microkernel. FS, VM, all outside the microkernel. In a microkernel all OS services are outside the kernel. This is best for security and to some extent reliability. There are performance penalties. OS/X uses the Darwin OS based on XNU which is a hybrid kernel. In a hybrid kernel that evolved from a more minimalist microkernel, some OS features that are performance critical are moved into the kernel. A monolithic kernel has lots of stuff in the kernel. A classic monolithic kernel has lots of stuff running unprotected and is therefore reliant on it all being very reliable in order to be secure. BSD was originally a monolithic kernel. Various BSD flavors have moved in the hybrid kernel direction with protected kernel spaces and loadable modules and loadable drivers. BSD is considered monolithic with modules. Linux is monolithic with modules. So OS/X is neither Mach or BSD but has parts of both. XNU isn't really Mach anymore just as the utility set isn't really FreeBSD. If you have better info, then go ahead and update the wikipedia pages. > > So all I need - if I'm bothered, is the source of FreeBSD's mail, > > and rebuild it myself so it links to postfix's sendmail where I want > > it properly. > > Source code for the pretty much the entire OS excluding Apple's > GUI-based tools and the window manager can be downloaded from > http://www.opensource.apple.com. You may be better off compiling from > that instead of FreeBSD source so you know you're starting from the > same baseline code Apple is using. Maybe Apple have changed > /usr/bin/mail somehow. They probably haven't, but you'll never know > for sure unless you check. > > Some command line tools have been "enhanced" by Apple. For instance > openssh has been hacked to work with Keychain and although the source > code for those changes is freely available, it's not yet found its way > into the official openssh distribution. btw- FreeBSD base contains sendmail. Postfix 2.11, 3.1 and 3.2 are in the FreeBSD ports collection as mail/postfix211, mail/postfix, and mail/postfix-current (last I checked postfix/postfix-2.11.7.tar.gz with patches, postfix-3.1.0.tar.gz and postfix-3.2-20160224.tar.gz). It does seem that using src/usr.bin/mail might work but maybe with a little work. Most of the code in src (the base source distribution) is not keen on being pulled out and compiled in any old environment which is why "tools" is built first and everything compiled (or cross compiled) using that tool set and a known set of include files and library files. So I don't give it good odds on being a drop in and compile solution. Mail is very simple and fairly self contained and probably hasn't changed significantly in decades so it might drop in. I'd exhaust other options first. Curtis
Re: OT yahoo
In message <c2f5f6c7-83f0-4206-87f1-4ca72b91a...@kreme.com> "@lbutlr" writes: > On Fri Mar 11 2016 12:21:07 Noel Jones<njo...@megan.vbhcs.org> said: > >=20 > > This problem (postscreen delays legit mail server) is nicely solved > > by using a dns whitelist such as dnswl.org to bypass postscreen > > tests for known mail servers... not necessarily "known good" > > servers, just known to not be a bot. Then your smtpd and content > > filtering can decide if you want the mail. > > $ postconf -nf postscreen_dnsbl_sites > postscreen_dnsbl_sites =3D dul.dnsbl.sorbs.net*1 > zen.spamhaus.org=3D127.0.0.[10..11]*4 = > zen.spamhaus.org=3D127.0.0.[4..7]*6 > zen.spamhaus.org=3D127.0.0.3*6 zen.spamhaus.org=3D127.0.0.2*6 > spam.dnsbl.sorbs.net*2 multi.surbl.org*2 dnsbl-1.uceprotect.net > dnsbl-2.uceprotect.net list.dnswl.org=3D127.0.[0..255].0*-3 > list.dnswl.org=3D127.0.[0..255].1*-4 = > list.dnswl.org=3D127.0.[0..255].[2..255]*-6 > dwl.spamhaus.org=3D127.0.2.[2;3]*-3 = > swl.spamhaus.org=3D127.0.2.[12;13]*-3 > > I think yahoo maybe was only looking at the primary DNS which had gone = > offline because of the fixed IP issue, and no one else seemed to notice = > since the other DNS servers were working fine. Are you saying they only looked at the primary NS record? Maybe I misread a prior post but I thought you meant primary MX record. The former, if true, would be even more broken. Curtis
Re: OT: TLS and SNI (was Re: Postfix 3.1 and TLS Cert Files)
In message <56e0ccb4.6010...@spectralmud.org> Richard James Salts writes: > > On 10/03/16 09:32, Curtis Villamizar wrote: > > In message <56dfcd11.5010...@spectralmud.org> > > Richard James Salts writes: > > > >> On 09/03/16 06:44, Viktor Dukhovni wrote: > >>>> On Mar 8, 2016, at 2:31 PM, Curtis Villamizar <cur...@orleans.occnc.com> > >>>> wrote: > >>>> > >>>> With HTTP the server cert is provided after HTTP identifies which > >>>> virtual host it thinks its talking to. The IP address along gives no > >>>> clue. That connection is then used only for that virtual host. This > >>>> is why you can have a TLS cert per vhost (aka DNS domain). > >>> To be more precise, with HTTPS, the desired TLS server name is > >>> conveyed via the TLS SNI extension and the HTTP server presents > >>> the corresponding certificate. By contrast, the Postfix SMTP > >>> server neither supports nor needs SNI. > >> But some MUAs (i.e. user's mail clients) do support SNI and will try to > >> match against the name that was entered into the configuration. This > >> might be important if you have many white label resellers who want > >> clients to be able to enter mail.<reseller's domain> into their > >> customers mail clients. > > Which MUAs and exactly how do they use SNI? > > I'm not sure on all of them, but thunderbird does at the very least. It > uses the name in the account settings. I tested this by adding an entry > to /etc/hosts with garbage in it and changing the settings to point to > that and I got a certificate name mismatch when trying to send via > submission port(587) on my server and packet capture shows this > reflected in the client hello after starttls. At the moment a few > clients can guess what server names should be based on an email address, > but they're usually using an adhoc heuristic. For instance thunderbird > has its own list that administrators can upload configurations for their > domain to, otherwise it will fall back to trying the domain itself on > well known smtp ports, then mail.domain, then smtp.domain. There is an > rfc for publishing records indicating the server the MUA should contact, > e.g. _submission._tcp SRV 0 1 mail.example.org. but in this case the > email client is recommended to use the email domain itself to > authenticate. This changes a bit with dnssec and there is a draft which > expires in July that gives some recommendations of this > (https://tools.ietf.org/html/draft-melnikov-uta-dnssec-email-tls-certs-00#section-5.1 > > specifically), but it's still a mess. Thanks. 5.1 bullet 2 is what I described as the workaround - one cert with lots of domain names in subjectAltName. OK for self signed certs or a local CA. Bullet 4 is SNI (best choice IMHO if it was a choice). > > Most MUAs would be talking to a IMAP to receive mail and might also > > use IMAP to send mail, therefore port 993, not 25 or 587. > > > > btw- I think Dovecot imapd supports SNI but Cyrus imapd does not, but > > I'm not sure about that. > > > > If any do use port 587 do the MUAs use SNI to indicate which sender > > domain? Your statement above seems to indicate a check made by the > > client, but against what? The CN or subjectAltName(s) in the cert? > SNI requires that the client use an extension to the TLS handshake in > their client hello to say "I would like to talk to this FQDN" before it > establishes a secure connection. It's then up to the server to choose > what do do. In postfix which only supports SNI for the smtp client this > will mean it's only based on the ip/port combination and what's in > main.cf and/or overridden in master.cf with a separate listener. So you are confirming that for an MUA that uses the SNI extension, postfix smptd can't take advantage of this to send a specific cert and we have to fall back to lots of domains in subjectAltName or separate ports for each domain. OK got it. Thanks. > > AFAIK postfix has no support for SNI other than the limited support > > for DANE, but a cert with MX FQDN in CN and all domains pointing at > > that MX in subjectAltName also solves this with or without SNI. There > > does not seem to be any postfix config option to specify per SNI cert. > > Did I miss it? Otherwise, the only solution is putting everything in > > subjectAltName (which means SNI does nothing for port 587 use). > > > >>> Firstly, SMTP TLS connections are typically unauthenticated, and > >>> it does not matter which certificate the server presents, so no > >>> need
OT: TLS and SNI (was Re: Postfix 3.1 and TLS Cert Files)
In message <56dfcd11.5010...@spectralmud.org> Richard James Salts writes: > On 09/03/16 06:44, Viktor Dukhovni wrote: > >> On Mar 8, 2016, at 2:31 PM, Curtis Villamizar <cur...@orleans.occnc.com> > >> wrote: > >> > >> With HTTP the server cert is provided after HTTP identifies which > >> virtual host it thinks its talking to. The IP address along gives no > >> clue. That connection is then used only for that virtual host. This > >> is why you can have a TLS cert per vhost (aka DNS domain). > > To be more precise, with HTTPS, the desired TLS server name is > > conveyed via the TLS SNI extension and the HTTP server presents > > the corresponding certificate. By contrast, the Postfix SMTP > > server neither supports nor needs SNI. > But some MUAs (i.e. user's mail clients) do support SNI and will try to > match against the name that was entered into the configuration. This > might be important if you have many white label resellers who want > clients to be able to enter mail.<reseller's domain> into their > customers mail clients. Which MUAs and exactly how do they use SNI? Most MUAs would be talking to a IMAP to receive mail and might also use IMAP to send mail, therefore port 993, not 25 or 587. btw- I think Dovecot imapd supports SNI but Cyrus imapd does not, but I'm not sure about that. If any do use port 587 do the MUAs use SNI to indicate which sender domain? Your statement above seems to indicate a check made by the client, but against what? The CN or subjectAltName(s) in the cert? AFAIK postfix has no support for SNI other than the limited support for DANE, but a cert with MX FQDN in CN and all domains pointing at that MX in subjectAltName also solves this with or without SNI. There does not seem to be any postfix config option to specify per SNI cert. Did I miss it? Otherwise, the only solution is putting everything in subjectAltName (which means SNI does nothing for port 587 use). > > Firstly, SMTP TLS connections are typically unauthenticated, and > > it does not matter which certificate the server presents, so no > > need to have one that matches any particular name. > > > > In the rare cases that authentication does take place through > > the magic of MX record redirection a single MX host can support > > multiple domains provided that it is the MX hostname and not the > > target domain that the client authenticates. This is the case > > with DANE. > > > > https://tools.ietf.org/html/rfc7672#section-1.3 The original question I think had to do with port 587 TLS (though I admit some initial confusion on Tom's objectives) which would normally use smtpd_tls_req_ccert=yes and use smtpd_tls_security_level=encrypt on the server side. On the client side, connection to port 587 would be better off with smtp_tls_security_level=encrypt rather than dane-only and this would have nothing to do with MX records. In this context (no MX lookup at all) I'm not sure what role SNI would play (in a world where postfix supported everything even remotely useful). If the original question was related to outside users connecting via port 25 to send mail to a mailing list and getting a "per vhost cert" (Tom's words, approximately), then SNI could do something useful if postfix had a means to set smtpd_tls_key_file and smtpd_tls_cert_file per SNI. This could be supported if something existed that was like smtp_tls_policy_maps (the key feature being able to set any main.cf policy statememt in the rhs) but on the smptd_ side and using SNI as the key. (Maybe such a config option exists in a world where postfix supports everything even remotely useful, but I couldn't find it in local or online docs). This would work with or without TLSA records. If one MX supports a large number of domains, the subjectAltName could get rather large if there is no means to select key and cert based on SNI and if the client side wanted to verify per domain (as DANE does) rather than looking for the MX name in the cert. Just an observation. Did I go wrong here somewhere? Curtis
Re: Postfix 3.1 and TLS Cert Files
In message
Re: Postfix 3.1 and TLS Cert Files
Tom, I've been following this thread and also not clear on your objectives. See inline. In message
Re: Postfix Mailman integration
In message <20160229171935.gh12...@mournblade.imrryr.org> Viktor Dukhovni writes: > On Mon, Feb 29, 2016 at 11:38:26AM -0500, Ruben Safir wrote: > > > > To have mailman reinject on an extra port on localhost is how it > > > should be done. > > > > Thanks! > > Note that much of the delay was likely due to mailman hitting tarpit > controls after 10 invalid recipients in a single submission. > > http://www.postfix.org/postconf.5.html#smtpd_error_sleep_time > > Although slow DNS lookups could well have contributed. > > For submission of list messages to a large number of recipients, > I would generally use sendmail(1) rather than SMTP. Don't know > whether mailman supports that. > > -- > Viktor. IETF uses mailman and supports a large number of working group mailing lists with up to thousands of subscribers per list, with subscribers from all over the world, so clearly mailman is usable in for a large number of large mailing lists. I think most IETF mailing lists switched from majordomo some 15 years ago when mailman was fairly new. Maybe this isn't a useful response. Just pointing to an existance proof that the mailman architecture is not fundamentally broken. btw- I can't tell from headers whether they use sendmail.org sendmail or postfix or something else, but amavisd-new is mentioned in the headers. amsl.com runs most of the mailing lists. Curtis
Re: [SOLVED] Re: A bug, maybe?
On 2/22/2016 3:03 PM, Viktor Dukhovni wrote: On Mon, Feb 22, 2016 at 02:57:23PM -0500, Curtis Maurand wrote: The problem was in the /etc/nsswitch.conf. I changed the line hosts: files dns to hosts:dns files and that solved the trouble. Is "delivery.mailspamprotection.com" listed in /etc/hosts? If so, then the wound was self-inflicted. If not, then the C-library getaddrinfo() is buggy, since skipping all the non-matching entries in /etc/hosts should have no effect on the results from DNS. Why yes it was. I don't even remember doing that. I will sheepishly return to my corner, now, with my head bowed in embarrassment. I'll need a bandage to stop the bleeding. --Curtis -- Curtis Maurand cur...@maurand.com <mailto:cur...@maurand.com> 207-252-7748
[SOLVED] Re: A bug, maybe?
On 2/20/2016 5:19 PM, Curtis Maurand wrote: On 2/20/2016 1:46 PM, Viktor Dukhovni wrote: On Sat, Feb 20, 2016 at 01:37:39PM -0500, Curtis Maurand wrote: Nothing is chrooted. resolv.conf is world readable. Wietse's program returns a valid address. It might not match the reverse, but it did return an address. # ./getaddr delivery.mailspamprotection.com Hostname: delivery.mailspamprotection.com Addresses: 108.163.228.171 There's your problem, it is supposed to return *all* the addresses. On my system: $ ./getaddrinfo delivery.mailspamprotection.com Hostname: delivery.mailspamprotection.com Addresses: 108.163.220.52 108.163.201.229 69.175.69.94 108.163.204.150 198.143.161.10 108.163.201.230 96.127.190.5 184.154.58.227 198.143.161.21 184.154.48.173 198.143.161.29 69.175.69.92 108.163.243.190 96.127.190.4 198.143.161.30 108.178.24.182 108.163.243.188 108.163.228.171 69.175.69.93 184.154.208.34 184.154.208.36 96.127.176.253 96.127.190.2 198.143.161.27 108.163.220.54 198.143.161.11 108.163.228.170 198.143.161.13 184.154.58.230 108.163.243.189 108.163.228.174 108.163.201.228 108.178.24.171 108.163.201.226 108.178.24.181 108.163.201.227 184.154.208.37 108.178.24.174 198.143.161.12 184.154.48.171 96.127.176.250 108.163.243.186 108.178.24.180 69.175.69.90 108.163.243.187 108.163.228.172 96.127.176.252 184.154.177.50 184.154.48.172 108.163.204.148 198.143.161.28 108.163.204.146 184.154.208.35 108.163.204.149 96.127.190.6 69.175.69.91 184.154.58.226 108.163.228.173 108.178.24.173 108.178.24.178 96.127.176.254 198.143.161.18 184.154.48.174 198.143.161.20 184.154.58.229 1 08.163.220.51 96.127.176.251 108.163.220.50 108.178.24.170 108.163.220.53 198.143.161.22 184.154.208.38 184.154.48.170 184.154.58.228 108.178.24.172 198.143.161.14 108.178.24.179 198.143.161.19 108.163.204.147 198.143.161.26 96.127.190.3 If your getaddrinfo returns only the first address, it is busted. Perhaps this is controlled via /etc/hosts.conf: http://www.linfo.org/etc_host_conf.html /etc/hosts.conf: multi on That said. Since the unit has been updated, but not rebooted, I may need to reboot to get the kernel fix. Ubuntu does, at least, backport fixes. The getaddrinfo issue is not resolved via a kernel fix, it is addressed via a glibc fix. interesting. on my 12.04 mail server it works correctly. on the 14.04 server it is not. both have "multi on" set. I fired up another virtual machine with 14.04 installed and that one works fine. As a work around, I've set my mx to the 12.04 machine that works with a transport command that sends the mail to the host that should be receiving the mail. the machine that is not working right claims to not have any updates available, thought the getaddrinfo() has been patched. frustrating. Thank you for your help. The problem appears to not be postfix. The problem was in the /etc/nsswitch.conf. I changed the line hosts: files dns to hosts:dns files and that solved the trouble. -- Curtis Maurand cur...@maurand.com <mailto:cur...@maurand.com> 207-252-7748
Re: A bug, maybe?
On 2/20/2016 1:46 PM, Viktor Dukhovni wrote: On Sat, Feb 20, 2016 at 01:37:39PM -0500, Curtis Maurand wrote: Nothing is chrooted. resolv.conf is world readable. Wietse's program returns a valid address. It might not match the reverse, but it did return an address. # ./getaddr delivery.mailspamprotection.com Hostname: delivery.mailspamprotection.com Addresses: 108.163.228.171 There's your problem, it is supposed to return *all* the addresses. On my system: $ ./getaddrinfo delivery.mailspamprotection.com Hostname: delivery.mailspamprotection.com Addresses: 108.163.220.52 108.163.201.229 69.175.69.94 108.163.204.150 198.143.161.10 108.163.201.230 96.127.190.5 184.154.58.227 198.143.161.21 184.154.48.173 198.143.161.29 69.175.69.92 108.163.243.190 96.127.190.4 198.143.161.30 108.178.24.182 108.163.243.188 108.163.228.171 69.175.69.93 184.154.208.34 184.154.208.36 96.127.176.253 96.127.190.2 198.143.161.27 108.163.220.54 198.143.161.11 108.163.228.170 198.143.161.13 184.154.58.230 108.163.243.189 108.163.228.174 108.163.201.228 108.178.24.171 108.163.201.226 108.178.24.181 108.163.201.227 184.154.208.37 108.178.24.174 198.143.161.12 184.154.48.171 96.127.176.250 108.163.243.186 108.178.24.180 69.175.69.90 108.163.243.187 108.163.228.172 96.127.176.252 184.154.177.50 184.154.48.172 108.163.204.148 198.143.161.28 108.163.204.146 184.154.208.35 108.163.204.149 96.127.190.6 69.175.69.91 184.154.58.226 108.163.228.173 108.178.24.173 108.178.24.178 96.127.176.254 198.143.161.18 184.154.48.174 198.143.161.20 184.154.58.229 108.163.220.51 96.127.176.251 108.163.220.50 108.178.24.170 108.163.220.53 198.143.161.22 184.154.208.38 184.154.48.170 184.154.58.228 108.178.24.172 198.143.161.14 108.178.24.179 198.143.161.19 108.163.204.147 198.143.161.26 96.127.190.3 If your getaddrinfo returns only the first address, it is busted. Perhaps this is controlled via /etc/hosts.conf: http://www.linfo.org/etc_host_conf.html /etc/hosts.conf: multi on That said. Since the unit has been updated, but not rebooted, I may need to reboot to get the kernel fix. Ubuntu does, at least, backport fixes. The getaddrinfo issue is not resolved via a kernel fix, it is addressed via a glibc fix. interesting. on my 12.04 mail server it works correctly. on the 14.04 server it is not. both have "multi on" set. I fired up another virtual machine with 14.04 installed and that one works fine. As a work around, I've set my mx to the 12.04 machine that works with a transport command that sends the mail to the host that should be receiving the mail. the machine that is not working right claims to not have any updates available, thought the getaddrinfo() has been patched. frustrating. Thank you for your help. The problem appears to not be postfix. -- Curtis Maurand cur...@maurand.com <mailto:cur...@maurand.com> 207-252-7748
Re: A bug, maybe?
On 2/20/2016 12:17 PM, Viktor Dukhovni wrote: On Sat, Feb 20, 2016 at 11:40:09AM -0500, Curtis Maurand wrote: i just sent myself a test message from the client's system. Here is what I got. I immediately ran the lookups using dig. postfix can't seem to resolve things properly. Running Ubuntu Server 14.04 LTS with ispconfig installed. I'm using powerdns with powerdns recursor. resolv.conf points to the localhost's external ip address. This is sort of annoying. I really don't want to open up the server's to misconfigured system as that increases the amount of spam dramatically. Do keep in mind that on Ubuntu systems Postfix tends to have many services in master.cf chooted by default, the chroot jail may have a different /etc/resolv.conf, and may have different copies of various dynamically loaded nss modules. Do disable chroot for "smtpd" if enabled, and do test your getaddrinfo() implementation. Nothing is chrooted. resolv.conf is world readable. Wietse's program returns a valid address. It might not match the reverse, but it did return an address. # ./getaddr delivery.mailspamprotection.com Hostname: delivery.mailspamprotection.com Addresses: 108.163.228.171 That said. Since the unit has been updated, but not rebooted, I may need to reboot to get the kernel fix. Ubuntu does, at least, backport fixes. -- Curtis Maurand cur...@maurand.com <mailto:cur...@maurand.com> 207-252-7748
Re: A bug, maybe?
On 2/20/2016 11:26 AM, Curtis Maurand wrote: On 2/20/2016 11:12 AM, Christian Kivalo wrote: On 2016-02-20 16:45, Curtis Maurand wrote: Not sure if I found something or not. A client tried to send email to one of my other addresses. The requisite portion of the main.cf follows at the end of the message. The logs are telling me: Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: warning: hostname delivery.mailspamprotection.com does not resolve to address 108.163.243.188 Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: connect from unknown[108.163.243.188] Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: NOQUEUE: reject: RCPT from unknown[108.163.243.188]: 450 4.7.1 Client host rejected: cannot find your hostname, [108.163.243.188]; from=<edi...@whiteeaglenews.com> to=<cmaur...@xyonet.com> proto=ESMTP helo= Have you had dns lookup problems? This is a temporary error and the client should retry delivery 450 4.7.1 Client host rejected: cannot find your hostname, [108.163.243.188]: retry timeout exceeded the original message was sent on the 15th. the return bounce on the 19th. I haven't rebooted or restarted services on that machine and all of the included lookups for this mail message were performed on the same machine this morning. i just sent myself a test message from the client's system. Here is what I got. I immediately ran the lookups using dig. postfix can't seem to resolve things properly. Running Ubuntu Server 14.04 LTS with ispconfig installed. I'm using powerdns with powerdns recursor. resolv.conf points to the localhost's external ip address. This is sort of annoying. I really don't want to open up the server's to misconfigured system as that increases the amount of spam dramatically. Feb 20 11:31:45 ispconfig postfix/smtpd[16013]: warning: hostname delivery.mailspamprotection.com does not resolve to address 108.163.220.52 Feb 20 11:31:45 ispconfig postfix/smtpd[16013]: connect from unknown[108.163.220.52] Feb 20 11:31:45 ispconfig postfix/smtpd[16013]: NOQUEUE: reject: RCPT from unknown[108.163.220.52]: 450 4.7.1 Client host rejected: cannot find your hostname, [108.163.220.52]; from=<cmaur...@whiteeaglenews.com> to=<cmaur...@xyonet.com> proto=ESMTP helo= Feb 20 11:31:45 ispconfig postfix/smtpd[16013]: disconnect from unknown[108.163.220.52] Feb 20 11:32:01 ispconfig postfix/smtpd[16013]: connect from localhost[::1] Feb 20 11:32:01 ispconfig postfix/smtpd[16013]: lost connection after CONNECT from localhost[::1] Feb 20 11:32:01 ispconfig postfix/smtpd[16013]: disconnect from localhost[::1] root@ispconfig:/var/www/webmail.xyonet.com/web# dig delivery.mailspamprotection.com |grep 108.163.220 delivery.mailspamprotection.com. 30 IN A 108.163.220.50 delivery.mailspamprotection.com. 30 IN A 108.163.220.51 delivery.mailspamprotection.com. 30 IN A 108.163.220.53 delivery.mailspamprotection.com. 30 IN A 108.163.220.54 delivery.mailspamprotection.com. 30 IN A 108.163.220.52 root@ispconfig:/var/www/webmail.xyonet.com/web# dig ptr 52.220.163.108.in-addr.arpa ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> ptr 52.220.163.108.in-addr.arpa ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32216 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;52.220.163.108.in-addr.arpa. IN PTR ;; ANSWER SECTION: 52.220.163.108.in-addr.arpa. 3495 INPTR delivery.mailspamprotection.com. -- Curtis Maurand cur...@maurand.com <mailto:cur...@maurand.com> 207-252-7748 -- Curtis Maurand cur...@maurand.com <mailto:cur...@maurand.com> 207-252-7748
Re: A bug, maybe?
On 2/20/2016 11:12 AM, Christian Kivalo wrote: On 2016-02-20 16:45, Curtis Maurand wrote: Not sure if I found something or not. A client tried to send email to one of my other addresses. The requisite portion of the main.cf follows at the end of the message. The logs are telling me: Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: warning: hostname delivery.mailspamprotection.com does not resolve to address 108.163.243.188 Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: connect from unknown[108.163.243.188] Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: NOQUEUE: reject: RCPT from unknown[108.163.243.188]: 450 4.7.1 Client host rejected: cannot find your hostname, [108.163.243.188]; from=<edi...@whiteeaglenews.com> to=<cmaur...@xyonet.com> proto=ESMTP helo= Have you had dns lookup problems? This is a temporary error and the client should retry delivery 450 4.7.1 Client host rejected: cannot find your hostname, [108.163.243.188]: retry timeout exceeded the original message was sent on the 15th. the return bounce on the 19th. I haven't rebooted or restarted services on that machine and all of the included lookups for this mail message were performed on the same machine this morning. -- Curtis Maurand cur...@maurand.com <mailto:cur...@maurand.com> 207-252-7748
A bug, maybe?
Not sure if I found something or not. A client tried to send email to one of my other addresses. The requisite portion of the main.cf follows at the end of the message. The logs are telling me: Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: warning: hostname delivery.mailspamprotection.com does not resolve to address 108.163.243.188 Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: connect from unknown[108.163.243.188] Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: NOQUEUE: reject: RCPT from unknown[108.163.243.188]: 450 4.7.1 Client host rejected: cannot find your hostname, [108.163.243.188]; from=<edi...@whiteeaglenews.com> to=<cmaur...@xyonet.com> proto=ESMTP helo= Feb 19 16:30:30 ispconfig postfix/smtpd[18437]: disconnect from unknown[108.163.243.188] deliver.mailspamprotection.com resolves to a lot of addresses (and this is a partial list): dig delivery.mailspamprotection.com |grep 108.163.243 delivery.mailspamprotection.com. 30 IN A 108.163.243.188 delivery.mailspamprotection.com. 30 IN A 108.163.243.187 delivery.mailspamprotection.com. 30 IN A 108.163.243.189 delivery.mailspamprotection.com. 30 IN A 108.163.243.190 delivery.mailspamprotection.com. 30 IN A 108.163.243.186 and ;188.243.163.108.in-addr.arpa. IN PTR ;; ANSWER SECTION: 188.243.163.108.in-addr.arpa. 3600 IN PTR delivery.mailspamprotection.com. given such a round robin setup, does postfix account for this when performing it's hostname lookup? This email should not have been rejected for any kind of ip mismatch. Forward, reverse and helo all match. Thanks, Curtis smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, regexp:/etc/postfix/tag_as_foreign.re reject_invalid_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_unknown_client, reject_invalid_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org -- Curtis Maurand cur...@maurand.com <mailto:cur...@maurand.com> 207-252-7748
Re: moving configs from /usr/local/etc/postfix to /etc/postfix
In message <211281bd-f686-4a8a-9e37-7d4368568...@kreme.com> LuKreme writes: > On Jan 30, 2016, at 22:42, Curtis Villamizar <cur...@orleans.occnc.com> wrote: > > It would be: > > > > cd /usr/local/etc > > mv postfix postfix.old > > ln -s ../../../etc/postfix postfix > > No, it most certainly would not. Your configuration files ARE in > local, if you want to pretend they are in /etc, then create a link in > etc. I've done this for years. Works just fine. > > > And yes I did try that. > > And what you tried will not work. Not to further beat a dead horse but ... We're not talking about configuring one host, though I try things out on a single host by hand edits first. I generate configs and have have tools to rebuild any host from scratch in a single command line, compare all configs on a running host to updated config templates, etc. So I have to change some path names in config templates and roll out changes. No big deal but a "ln -s" command isn't going to do the trick. As I said to Viktor, I mistakenly thought, based on reading (maybe misreading) numerous web pages of documentation with no mention of a limitation, that the -c argument was supposed to work like -c or -cf in any other package. Now I know that it doesn't. Peace, Curtis