[pfx] Re: Preventing unauthorised senders
On Wed, 10 Jul 2024 at 18:56, Serhii via Postfix-users <postfix-users@postfix.org> wrote:

> On 7/10/24 08:40, Gilgongo via Postfix-users wrote:
> > As you can see, it goes straight to the MX of the domain of the
> > recipient. The same is true if I use mail.mailutils or other clients. So I
> > was wondering how I might both allow sending but also (reliably) prevent
> > abuse. Perhaps doing both isn't really possible?
>
> You can implement firewall rules preventing access to 25/tcp for other
> users (not postfix and root):
>
> iptables -A OUTPUT -m owner --gid-owner $postfix_gid_here -p tcp -m tcp --dport 25 -j ACCEPT
> iptables -A OUTPUT -m owner --uid-owner 0 -p tcp -m tcp --dport 25 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
>
> A similar feature is possible via nftables; the syntax is as follows:
>
> nft 'add rule ip filter OUTPUT skgid $postfix_gid_here tcp dport 25 counter accept'
> nft 'add rule ip filter OUTPUT skgid 0 tcp dport 25 counter accept'
> nft 'add rule ip filter OUTPUT tcp dport 25 counter reject'

Ah OK, thanks - I'll give that a go. Ideally I'd like to minimise the disruption for users who want to send out with their own clients, but I guess that would mean some kind of convoluted local open relay proxy arrangement that's not worth constructing. I was just checking on the list that I'd not missed some "standard method" of restricting access :-)

Jonathan

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Preventing unauthorised senders
On Wed, 10 Jul 2024 at 09:06, Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> When you say "the client", what do you mean? Do applications do "direct
> to MX" mail transmission? That seems odd, because they generally lack
> the capability to queue and retry messages if there's a temporary error.
>
> Is "the client" Postfix, or really some application?

Yes, I mean clients other than Postfix. So for example, a user has a Wordpress site which is compromised to send spam, or a user logs in and sends email out in another way. Here's an example using swaks to send to an external email address. I'm running this on the mail server itself (but could be any machine on the LAN):

$ swaks --to u...@protonmail.com --from m...@mydomain.com
=== Trying mail.protonmail.ch:25...
=== Connected to mail.protonmail.ch.
<-  220-mailin054.protonmail.ch ESMTP Postfix
<-  220 mailin054.protonmail.ch ESMTP Postfix
 -> EHLO fre.localdomain
<-  250-mailin054.protonmail.ch
... etc.
<-  250 2.0.0 Ok: queued as 4WJrYr75Phz3f
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

As you can see, it goes straight to the MX of the domain of the recipient. The same is true if I use mail.mailutils or other clients. So I was wondering how I might both allow sending but also (reliably) prevent abuse. Perhaps doing both isn't really possible?

Jonathan
[pfx] Re: Preventing unauthorised senders
On Tue, 9 Jul 2024 at 15:39, Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Tue, Jul 09, 2024 at 12:54:38PM +0100, Gilgongo via Postfix-users wrote:
>
> Just configure content inspection on all the submission pathways.
>
> > My first thought was to start by firewalling off mail ports on the local
> > machine to only allow processes owned by root or postfix.
>
> Why? Just inspect the messages they submit, SASL is not required.

Apologies - perhaps I've misunderstood, but if I use (for example) mail.mailutils to send to u...@yahoo.com from m...@mydomain.com then I see the client communicate directly with the MX of yahoo.com over port 25. I'd like it to communicate with my mail server instead.

Jonathan
[pfx] Preventing unauthorised senders
I've set up our mail server (with some help from this list, for which much thanks) to scan sasl-auth senders for spam and viruses with Amavis. I'd now like to make sure that rogue processes can't bypass those checks, particularly web servers (I already have PHP using msmtp to enforce well-behaved scripts to do that at least).

My first thought was to start by firewalling off mail ports on the local machine to only allow processes owned by root or postfix. Then make any non-root sending processes use smtp-auth to send out. But is there a better way?

Jonathan
[pfx] Re: Question on DKIM process ordering
On Fri, 5 Jul 2024 at 09:10, Matus UHLAR - fantomas via Postfix-users <postfix-users@postfix.org> wrote:

> I think in case of amavis it's just the order of logs being written.
> IIUC amavis does not confirm receiving message from postfix until after it's
> scanned and passed further, which is why new scanned message is logged
> before

OK that's what I was hoping.

> BTW, amavis can DKIM-sign the message itself.

Yes, it's just that we already have OpenDKIM signing for 200+ domains so I thought I'd leave that alone.

> > Unfortunately, I can't tell whether the DKIM sig is OK or not in my test
> > setup, but I'd like to ensure it's the last thing to happen before sending.
> > How can I do that?
>
> deliver it to mailbox locally and run spamassassin scan, it should tell you
> whether the signature is correct.

Ah yes, thanks! :-)
[pfx] Question on DKIM process ordering
I'm setting up a server to handle outbound mail for sasl auth accounts and would like to scan that mail for spam and malware before DKIM signing because I assume scanning might potentially add headers that could break the sig.

Right now I have the following (extract) in my Amavis conf:

$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  notify_method => 'smtp:[127.0.0.1]:10025',
  ...
};

With master.cf as:

submission inet n - n - - smtpd
  ... configs...
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

# For sending notifications about actions
127.0.0.1:10025 inet n - n - - smtpd
  -o syslog_name=notify
  configs...

# For OpenDKIM signing
127.0.0.1:10027 inet n - n - - smtpd
  ... configs...
  -o smtpd_milters=inet:127.0.0.1:8891

So I assume DKIM should come last. But the logs imply the spam/virus check is done after?

postfix/cleanup[1685]: BB20880330: message-id=<20240705073351.001500@fre.localdomain>
opendkim[700]: BB20880330: DKIM-Signature field added (s=dkim20200516, d=bakerbates.com)
postfix/qmgr[1558]: BB20880330: from=, size=945, nrcpt=1 (queue active)
amavis[1563]: (01563-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [192.168.0.241]:51084 [etc.]
postfix/smtp[1686]: 76C0C80266: to=, relay=127.0.0.1[127.0.0.1]:10026, [etc.]
postfix/qmgr[1558]: 76C0C80266: removed

Unfortunately, I can't tell whether the DKIM sig is OK or not in my test setup, but I'd like to ensure it's the last thing to happen before sending. How can I do that?

Jonathan
[pfx] Using postfwd for sasl auth clients only?
I have some simple postfwd rules that count the number of emails being sent per hour/day per sasl account (and reject once a limit is reached). I'm not sure how best to implement that though. Should I just have the following in master.cf? So if an account sent a CC to [n] addresses, the rules would be evaluated [n] times?

submission inet n - n - - smtpd
  ... current configs here...
  -o { smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10040 permit_sasl_authenticated }

Thanks for any help.

Jonathan
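As an added illustration of the mechanism this question is about (it is not postfwd and not part of the thread), here is a minimal Postfix SMTPD access policy service in Python that charges each SASL account per accepted recipient over a sliding one-hour window. It speaks the documented policy protocol (name=value lines terminated by an empty line; reply "action=..." plus an empty line) and listens on the 127.0.0.1:10040 from the post. Postfix calls a service listed in smtpd_recipient_restrictions once per RCPT TO, which is the [n]-times evaluation asked about above; this example instead acts only at the END-OF-MESSAGE stage, where Postfix supplies recipient_count, so it is meant to be wired in via smtpd_end_of_data_restrictions. The limit, window and account names are assumed values.

```python
"""Minimal Postfix SMTPD access policy service that rate-limits mail per SASL
account. Added example for this thread; it is not postfwd and not Postfix code.
Protocol: Postfix sends 'name=value' lines ended by an empty line and expects
'action=...' followed by an empty line (see SMTPD_POLICY_README)."""
import socketserver
import threading
import time
from collections import defaultdict, deque

# Assumed policy values, not taken from the original post.
HOURLY_LIMIT = 100              # recipients per account per window
WINDOW_SECONDS = 3600
LISTEN = ("127.0.0.1", 10040)   # port used by the post's check_policy_service


def parse_policy_request(raw):
    """Parse one policy request into a dict; stops at the blank terminator line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class RateLimiter:
    """Sliding-window counter keyed by sasl_username, charged per recipient."""

    def __init__(self, limit=HOURLY_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.usage = defaultdict(deque)   # user -> deque of (timestamp, cost)
        self.lock = threading.Lock()

    def decide(self, attrs, now=None):
        """Return the Postfix action for this request."""
        now = time.time() if now is None else now
        user = attrs.get("sasl_username", "")
        # Only SASL accounts are limited, and only once per message: at
        # END-OF-MESSAGE recipient_count holds the accepted RCPT TO count.
        # At the RCPT stage this service would be asked once per recipient.
        if not user or attrs.get("protocol_state") != "END-OF-MESSAGE":
            return "DUNNO"
        cost = max(1, int(attrs.get("recipient_count", "1") or 1))
        with self.lock:
            q = self.usage[user]
            while q and q[0][0] <= now - self.window:   # expire old entries
                q.popleft()
            used = sum(c for _, c in q)
            if used + cost > self.limit:
                # tempfail so a well-behaved client queues and retries later
                return "DEFER_IF_PERMIT 4.7.1 Rate limit exceeded for %s" % user
            q.append((now, cost))
        return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    limiter = RateLimiter()   # shared across all connections

    def handle(self):
        # Postfix may send several requests over one connection.
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return          # peer closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                lines.append(line)
                if line == "":
                    break
            attrs = parse_policy_request("\n".join(lines))
            action = self.limiter.decide(attrs)
            self.wfile.write(("action=%s\n\n" % action).encode("utf-8"))
            self.wfile.flush()


if __name__ == "__main__":
    # main.cf: smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as server:
        server.serve_forever()
```

Counting at END-OF-MESSAGE also means a message that is rejected for other reasons (content filter, relay restrictions) is never charged, and the reply is a deferral rather than a hard reject so that a legitimate but chatty client retries instead of bouncing.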
[pfx] Re: SPF hostname and domainname
On Thu, 20 Jun 2024, 2:01 pm Emmanuel Seyman via Postfix-users, <postfix-users@postfix.org> wrote:

> So there's a confusion between the hostname of the mailer and the
> domain to be used for the SPF check. Is anybody else seeing this ?

Yes, I had to recently add an "a:" record to an SPF (for the sending hostname) as I was seeing some of these I think.
[pfx] Re: Best practices?
On Wed, 19 Jun 2024 at 03:57, Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Tue, Jun 18, 2024 at 04:15:33PM -0500, Cody Millard via Postfix-users wrote:
>
> > The defaults for those settings, as far as postfix is concerned, are as
> > follows:
> >
> > smtpd_tls_auth_only = no
>
> Why? Surely, "yes" is the better choice...

You need to set this to "yes" if you plan to have accounts sending mail out through your mail server. Because that's potentially a security risk, Postfix doesn't set this to "yes" by default.

As to smtpd_tls_security_level, you are right that (for port 25 smtp) it is better as "may", but the reason the default is none is that you will need to set up a TLS certificate first, which isn't in the scope of what Postfix does. So that's why it sets none as the default.
[pfx] Re: Help with reject_sender_login_mismatch
On Tue, 18 Jun 2024 at 08:55, Jeff Peng wrote:

> I did have tried this line (with just one value
> reject_sender_login_mismatch).
> But then I even can't send mail from the valid user (the user who login
> into RC).

Oh, sorry I didn't see you weren't using smtpd_sender_login_maps. I'm pretty sure you'll need that to list the allowed logins (and/or their aliases if needed). See https://www.postfix.org/postconf.5.html for how that works.
[pfx] Re: Help with reject_sender_login_mismatch
On Tue, 18 Jun 2024 at 08:31, Jeff Peng via Postfix-users <postfix-users@postfix.org> wrote:

> Hello,
>
> I have this section in master.cf:
>
> smtps inet n - y - - smtpd
>   -o syslog_name=postfix/smtps
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

I think all you need is:

  -o smtpd_sender_restrictions=reject_sender_login_mismatch

Right now you're letting sasl-auth clients in without that check since postfix evaluates left to right.

(By chance I was just looking at this when I saw your mail: https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/ )
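To make the evaluation-order point concrete, here is an added Python model (not Postfix code, and not something posted in this thread) of how an smtpd_sender_restrictions list is walked left to right and what reject_sender_login_mismatch checks against smtpd_sender_login_maps. It runs the two restriction lists from this exchange against a constructed map. Assumptions: the map lookup tries the full address and then the "@domain" key, and the logins and addresses are hypothetical.

```python
"""Model of Postfix restriction-list evaluation and reject_sender_login_mismatch.
Added example, not Postfix source; it follows the semantics documented for
smtpd_sender_restrictions and smtpd_sender_login_maps in postconf(5)."""

# Constructed smtpd_sender_login_maps: address or @domain -> owning SASL logins.
SENDER_LOGIN_MAPS = {
    "alice@example.com": "alice",
    "sales@example.com": "alice, bob",
    "@example.net": "bob",
}


def sender_owners(sender, maps=SENDER_LOGIN_MAPS):
    """Owners of a MAIL FROM address: full address first, then '@domain'
    (assumed lookup order for this example)."""
    sender = sender.lower()
    if sender in maps:
        return {o.strip() for o in maps[sender].split(",")}
    _, at, domain = sender.rpartition("@")
    if at and "@" + domain in maps:
        return {o.strip() for o in maps["@" + domain].split(",")}
    return set()


def sender_login_mismatch(session):
    """True when reject_sender_login_mismatch would fire for this session."""
    login = session.get("sasl_username")
    owners = sender_owners(session["sender"])
    if login:
        return login not in owners   # authenticated: login must own the address
    return bool(owners)              # unauthenticated: owned addresses are off limits


# Each restriction returns OK (permit now), REJECT (reject now) or DUNNO (next).
RESTRICTIONS = {
    "permit_sasl_authenticated": lambda s: "OK" if s.get("sasl_username") else "DUNNO",
    "reject_sender_login_mismatch": lambda s: "REJECT" if sender_login_mismatch(s) else "DUNNO",
    "reject": lambda s: "REJECT",
    "permit": lambda s: "OK",
}


def evaluate(restriction_list, session):
    """Walk the list left to right; the first non-DUNNO result decides.
    Returns (verdict, name of the restriction that decided)."""
    for name in (n.strip() for n in restriction_list.split(",") if n.strip()):
        verdict = RESTRICTIONS[name](session)
        if verdict != "DUNNO":
            return verdict, name
    return "OK", "end-of-list"   # implicit permit when nothing in the list matched


POSTED = "permit_sasl_authenticated,reject_sender_login_mismatch,reject"
PROPOSED = "reject_sender_login_mismatch"

if __name__ == "__main__":
    # bob is logged in but puts alice's address in MAIL FROM
    spoof = {"sasl_username": "bob", "sender": "alice@example.com"}
    for lst in (POSTED, PROPOSED):
        print(lst, "->", evaluate(lst, spoof))
```

With the posted list, permit_sasl_authenticated returns OK first, so the mismatch check is never reached for any logged-in client; with the shorter list the mismatch check runs for everyone and unauthenticated clients then fall through to smtpd_relay_restrictions, which is where relaying is refused.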
[pfx] Re: Sanity check/suggestions appreciated
On Tue, 11 Jun 2024 at 16:14, Noel Jones via Postfix-users <postfix-users@postfix.org> wrote:

> If you need permit_mx_backup, that means postfix doesn't have a
> clear idea of domains it is responsible for.
>
> Please read and study:
> http://www.postfix.org/BASIC_CONFIGURATION_README.html
>
> mydestination should contain domains that are delivered locally by
> postfix on the same machine.
>
> relay_domains should contain a list of all domains that are passed
> further downstream for final delivery outside of "this" postfix,
> such as to another process on the same server, or to a different server.
>
> It shouldn't be that hard to tell postfix what domains it is
> responsible for.

Apologies - I've confused the conversation with my question about permit_mx_backup. The server has been working with its present configuration using permit_mx_backup for almost a decade (and keeping out of RBLs, etc. in that time). I don't doubt there are some suboptimal things going on in the configs, but I'd rather not tinker with them.

What I understand is that in my proposed *new* (and untested, hence my posting here) configuration https://pastebin.com/2X8gqVVq - permit_mx_backup isn't going to be needed. Further, I think I should look at de-duplicating the smtpd configs in master.cf as suggested, and also look at using postscreen.

That said, I think I'll enlist some professional help in all this, as debugging the details on the mailing list seems rather more tricky than I'd expected :-)
[pfx] Re: Sanity check/suggestions appreciated
On Tue, 11 Jun 2024 at 11:52, Matus UHLAR - fantomas via Postfix-users <postfix-users@postfix.org> wrote:

> On 11.06.24 11:02, Gilgongo via Postfix-users wrote:
> > OK so I assume I can use the IP address of the primary and secondary MX
> > servers, since all our domains are hosted on those IPs.
>
> It would make sense to use permit_mx_backup on secondary MX server and
> setting the permit_mx_backup_networks to IP of primary server.
>
> That way, you don't have to list domains pointing to primary MX, but your
> server still accepts mail for anyone who lists your servers as MX, even if
> your primary MX does not accept it (address verification would help)

Thanks, I'll try that.

> I only see there:
>
> relay_domains = $mydestination
>
> which makes little sense, because this way you would only relay for
> - domains that are local (and thus not relayed)
> - their subdomains (due to parent_domain_matches_subdomains setting)

I think because $mydestination (further down the config file) includes "/etc/postfix/localdomains" (containing a list of the domains we relay for), then that works? This is an example of one of the reasons why I wanted to sort out some confusions in the config...

> Since I don't see any of those double bounces, I can only guess it's a
> symptom of other problem:
>
> myhostname = mx0.domain.org.uk
> myorigin = $mydomain
> mydestination = $myhostname, alice.$mydomain, localhost.$mydomain,
> localhost, /etc/postfix/localdomains
>
> I can guess your server sends mail from "domain.org.uk" but can't process
> those.

Not sure. The domain is listed in the "localdomains" file though. But this is all clearly rather mysterious. I think it may be necessary to hire some professional help, rather than trying to debug it on the mailing list. If anyone reading this would like to take this on, feel free to mail me off list.

Jonathan
[pfx] Re: Sanity check/suggestions appreciated
On Tue, 11 Jun 2024 at 10:36, Matus UHLAR - fantomas via Postfix-users <postfix-users@postfix.org> wrote:

> > BTW in the meantime, if I add this (where mx2.mydomain.com is our secondary
> > MX hostname), I take it that would be a good idea:
> >
> > permit_mx_backup_networks = $mynetworks mx2.mydomain.com
>
> no, these are IP addresses or ranges, not hostnames.
> have you added those domains to relay_domains?

OK so I assume I can use the IP address of the primary and secondary MX servers, since all our domains are hosted on those IPs. All the domains are in relay_domains, yes (the current setup we have has been running fine for many years: https://pastebin.com/S2q1fvaB and https://pastebin.com/MmWvZaVQ - I'm just wanting to bring it more up to date).

> To answer your previous question: yes, relay_domains is the list of domains
> your server is supposed to provide backup MX for, independently on
> permit_mx_backup and permit_mx_backup_networks setting.

Thanks, but if that's the case what I don't understand is why the mail queue filled up with double-bounce messages to postmaster when I tried removing permit_mx_backup from the config. It seems that mx_backup is somehow necessary for our normal operation.
[pfx] Re: Sanity check/suggestions appreciated
On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users <postfix-users@postfix.org> wrote:

> You should remove permit_mx_backup.
>
> This feature is intended for ISP-scale users that may not have a
> complete list of domains that use their server as a backup MX. In
> this case, permit_mx_backup_networks would define the ISP's customer
> network space.

I've just tried that, but the mail queue filled up with double-bounce messages being sent to postmaster. This is partly the reason why I'd like to sort out my configs, as there's clearly some stuff going on that I don't understand.

BTW in the meantime, if I add this (where mx2.mydomain.com is our secondary MX hostname), I take it that would be a good idea:

permit_mx_backup_networks = $mynetworks mx2.mydomain.com

or is there a way of replacing address verification (if that's what is going on) with something better?

Thanks for your help BTW.
[pfx] Re: Sanity check/suggestions appreciated
On Mon, 10 Jun 2024 at 12:58, Matus UHLAR - fantomas via Postfix-users <postfix-users@postfix.org> wrote:

> > 3.
> > smtpd_recipient_restrictions = permit_mx_backup
>
> avoid this whenever possible. Or at least define permit_mx_backup_networks

Thanks - I forgot to ask about this. Am I right in saying that the relay_domains configuration will take care of secondary MX relaying (if that's what permit_mx_backup was originally for?), and I can remove permit_mx_backup?
[pfx] Re: Sanity check/suggestions appreciated
On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, <postfix-users@postfix.org> wrote:

> why not postscreen for this purpose?

Thanks - I thought about postscreen, but wasn't sure if it would be overkill for such a small server? Could look again though.
[pfx] Sanity check/suggestions appreciated
Hi - I've got a small mail server (~50 users) and our Postfix (3.6.4) config is pretty old and confusing, and may not be doing things we want. So I'd like to re-jig it. Here's how I think I'd like to have it:

1. Incoming mail (not from $mynetworks or sasl auth): RBL, SPF/DKIM verification and SA (and maybe DMARC as not doing so currently).

2. Mail originating from $mynetworks and also from sasl-auth clients: DKIM signing, SA, Rate/IP limiting (and maybe RBL checks? Not sure).

I think I can do that by having all our "global" settings in main.cf https://pastebin.com/VKfNW0hu and then specifying various extra bits and overrides in master.cf: https://pastebin.com/Qcpt29PV

BTW I'm using a script (policyd.pl) that does weighted scoring for RBLs (as well as SPF), which I'd prefer rather than doing that with Postfix directly.

I've put a couple of questions in as comments in the configs - any thoughts/suggestions very much appreciated! :-)

Jonathan
[pfx] Re: FYI: SORBS Closing announcement from the mailop list.
Hi Viktor,

I'm not questioning the veracity of this, but equally I'm not sure I can justify turning off one of our more important RBLs just on the strength of an email on this list. It would be good to have something from Proofpoint about the closure to refer to if possible. Google isn't coming up with any other information about it. Are you able to get back to Michelle to ask her?

Thanks.

On Wed, 5 Jun 2024 at 08:48, Peter via Postfix-users <postfix-users@postfix.org> wrote:

> On 5/06/24 19:23, Peter via Postfix-users wrote:
> > On 5/06/24 16:20, Viktor Dukhovni via Postfix-users wrote:
> > > Original text:
> >
> > Is there a link to the announcement online?
>
> I see it's from the mailop list which, unfortunately has the archives
> set private so it doesn't help me to be able to link to the original post.
>
>
> Peter