Re: Postfix 20 years ago

[jose-marcio martins da cruz]

On 02/12/2017 07:06 PM, Wietse Venema wrote:

Last month it was 20 years ago that I started writing Postfix code.
After coming to IBM research in November 1996, I spent most of
December and January making notes on paper. I knew that writing a
mail system was more work than any of my prior projects.


There are few "big" software which remains with the original open source spirit 
of those days. Postfix is one of them.

I hope it will stay alive still for a long time.

Thanks

--

Re: SMFIP_RCPT_REJ Milter support

[Jose-Marcio Martins da Cruz]

Hello Wietse,

Thanks very much ! That's nice !

Jose-Marcio


Wietse Venema wrote:

The Postfix 2.6 Milter interface now implements SMFIP_RCPT_REJ,
meaning that postfix can report rejected recipients to Milter
applications.

Postfix will report the following macro values, as decribed in
Sendmail 8.14.0 documentation:

{rcpt_mailer} = "error",

{rcpt_host} = enhanced status code (e.g., "5.7.1"),

{rcpt_addr} = reason to reject (e.g., "Relay access denied").

This will be available in release candidate postfix-2.6.0-RC2
and in experimental release postfix-2.7-20090426.

Wietse




--
 ---------------
 Jose Marcio MARTINS DA CRUZ   http://j-chkmail.ensmp.fr
 Ecole des Mines de Paris
 60, bd Saint Michel  75272 - PARIS CEDEX 06
 mailto:jose-marcio.mart...@mines-paristech.fr

Re: Confirmation email with captcha

[Jose-Marcio Martins da Cruz]

Hello,

M. Fioretti wrote:

On Wed, Jun 10, 2009 09:24:09 AM +0200, Gabriel Hahmann wrote:

Good morning,


...



if you aren't convinced yet, there is also
http://www.cl.cam.ac.uk/~rnc1/cr/index.html


If you're still not yet convinced, take a look at w3.org opinion :

http://www.w3.org/TR/turingtest/

Also, no problem if you don't have blind people in your address book. If yes, take a look 
at youtube to see how a blind perceives captchas :


http://www.youtube.com/watch?v=4jrgMlufa7w

or go to http://www.afb.org (American Foundation for the Blind) and type captcha in the 
search dialog box.


I apologize for this message, as the subject is a little out of topic (not related to 
postfix).


José-Marcio

Re: couple of doubts about postfix milters

[Jose-Marcio Martins da Cruz]

Noel Jones wrote:

On 11/9/2010 8:39 AM, Lima Union wrote:




clamav-milter operates on the message data, so all postfix 
smtpd_*_restrictions -- which operate on the envelope -- will get a 
chance to reject mail before the data is transmitted.


sid-milter operates on the envelope.  It will probably run before 
smtpd_recipient_restrictions, but that's not such a big deal since it's 
a fairly lightweight process (minimal CPU, but it does trigger a DNS 
lookup).



Not sure. The MTA sequentially calls each milter at each SMTP step.

See :

  https://www.milter.org/developers/overview#ControlFlow

So, e.g., for each recipient, postfix will call each milter one after the other.

However, I don't know if postfix checks smtpd_recipient_restrictions before 
calling milters or after. I suppose before, but I'm not sure. Wietse ???


José-Marcio




Now that I've had more coffee and can think better, this modifies the 
answer I gave earlier -- even though you can't specify sid-miler > 
greylist > clamav-milter, that's how it will effectively run.

Re: couple of doubts about postfix milters

[Jose-Marcio Martins da Cruz]

Victor Duchovni wrote:

However, I don't know if postfix checks smtpd_recipient_restrictions before 
calling milters or after. I suppose before, but I'm not sure. Wietse ???


The "RCPT TO" command is passed to the milter after Postfix restriction
processing. Even rejected commands are are passed to milters, but the
milter is informed that the command (recipient) is rejected.



Thanks for confirming this.

Yes, this is something I asked for. This allows me to count, inside the milter, 
how many errors the client did.


--

Re: Does postfix support POP3 & anyone used Cerberus Helpdesk with Postfix

[Jose-Marcio Martins da Cruz]

sunhux G wrote:




Will the messages still be located on the Exch server after POP3 is
disabled?  

No, there's no messages stored on the Exch server : in fact currently
the Cerberus Hdesk software will connect up to the Exch server quite
frequently (I'm not sure how frequent) such that any emails sent to
the MS Exch server will get cleared away from the MS Exch (think
it's within a couple of minutes) & then these emails will be stored
in Cerberus.


My question is, after it is disabled, will you still need to get the
messages off the Exchange server?  

No, I don't need to get the messages off the Exchange server.
Technically, I could have used Gmail to substitute for the Exch
server & Cerberus could interface into Gmail to clear out mails
from Gmail via POP3.  Cerberus may send a ticket to whoever
send emails to the Gmail account so that it would appear to
the sender that the ticket is being sent from the Gmail account.
Gmail supports POP3 if I'm not mistaken. Unfortunately I'm not
allowed to use Gmail due to the sensitivity of the project &
information in the emails & Helpdesk CRs being issued.


Will new helpdesk messages continue to put on the Exchange?  Or
is mail routing being changed so that these helpdesk emails are
routed to your "new" server, whether it be the helpdesk server or other?

If I replace the Exch with Gmail, the Gmail account will only
"temporarily" store emails sent to it for a couple of minutes
before Cerberus clears away the emails from the Gmail account
& then store the emails in Cerberus.


If this mail server will be used only for this, you can just install postfix and a 
simple pop server. You can use dovecot or even Qualcomm qpopper, which 
configuration is simpler. Make sure that all messages sent to this account get 
into the mail server (with some mechanism like MX records, forwarding, or so...).

Re: postfix as incoming relay to protect exchange server /recipient lookup

[Jose-Marcio Martins da Cruz]

Victor Duchovni wrote:

On Wed, Dec 01, 2010 at 11:43:30PM -0600, Stan Hoeppner wrote:



The lookup is always a cache miss. Then an SMTP probe is sent. Dictionary
attacks always yield cache misses.



You are forgetting that dictionary attacks are almost exclusively queries
for non-existent users. Think clearly, and think outside the box about
worst-case behaviour.



Because I am not thinking about normal loads that don't matter. One
needs to survive hostile loads.



Just to illustrate with numbers, what Viktor says, a daily activity on one of our servers (not a big 
one) : from all connections reaching a "RCPT To" step, 18313 are to real users and 76623 to non 
existing users. Well, this is a daily normal activity, not even a hostile load. Clearly, most checks 
are cache misses.

Re: postfix as incoming relay to protect exchange server /recipient lookup

[Jose-Marcio Martins da Cruz]

Stan Hoeppner wrote:

Jose-Marcio Martins da Cruz put forth on 12/2/2010 2:40 AM:

Victor Duchovni wrote:

On Wed, Dec 01, 2010 at 11:43:30PM -0600, Stan Hoeppner wrote:
The lookup is always a cache miss. Then an SMTP probe is sent. Dictionary
attacks always yield cache misses.
You are forgetting that dictionary attacks are almost exclusively queries
for non-existent users. Think clearly, and think outside the box about
worst-case behaviour.
Because I am not thinking about normal loads that don't matter. One
needs to survive hostile loads.


Just to illustrate with numbers, what Viktor says, a daily activity on
one of our servers (not a big one) : from all connections reaching a
"RCPT To" step, 18313 are to real users and 76623 to non existing users.
Well, this is a daily normal activity, not even a hostile load. Clearly,
most checks are cache misses.


Whether 'most' would be cache misses would depend on how you have your
verify(8) database cache configured (it does cache negative results),
and the nature of those 76623 connections.  Search those 76623 and see
how many are duplicates.  It's probably alot more than you'd think,
because spammers have been spamming to scraped message IDs for years.


I'm not using verify. I'm just telling the number of RCPT commands (18xxx + 76xxx), and how many of 
them resulted in user unknown (76xxx) and user OK (18xxx). Should add those relaying denied and 
other rejections.


On the other hand, real numbers should be much higher than I said as any SMTP commands are rejected 
if the client do more than some number of RCPT errors. This is done by a milter and the potentially 
real numbers aren't counted in the above.


So, to continue, I took longer times : 10 days, individually and 10 days all together. What is 
constant is that from the list of unknown users, there are something like 1/4 are different 
recipients, each day. But when I have the whole 10 days together, if falls just from ~25% to ~15%. 
That means that the set of unique unknown recipients changes each day.


But indeed, and I insist to say, this is a normal situation. A hostile situation should be when 
someone intentionnaly floods you with 10 times more than the usual "unknown users" rate, using 
different recipients. You shall protect against this, not against normal situations. Still, my 
numbers correspond to a small server.


As a comparable "side effect", in greylisting filters, you can think about the database of of 
triplets waiting to be validated as some sort of cache. Well, some of these filters don't do 
recipient check before adding pending entries in the database. A simple way to attack these filters 
is to fill up their databases with a lot (a million or more) of entries which will never be 
validated. Growing this "cache" without limits may not be a problem for small idle servers, but 
indeed is for huge servers.




I'll have to do some checking, but I'm pretty sure that at $mydomain
about 80% of all spam addressed to non existent users is addressed to
scraped message IDs or butchered variants of them.  This happens when


Please, check. Speculate is good to begin thinking about something, but better is to verify if the 
first idea is good or not.



spammers pass/sell their lists amongst one another and don't take any
care when exporting/copying the address data.  In the case of message ID
spam, the verify(8) cache would work well.  Of note, I've never seen an
actual 'dictionary' attack on any of my MX machines.  Note I didn't say
they don't occur, only that I've yet to see one.  I have seen dictionary
attacks against FTP and SSH ports, but not SMTP.  Given how fruitless
they are, I would suspect even dumb spammers probably avoid dictionary
spamming today.


I see every day. I can't tell that one kind of pattern is more frequent than others (cluttered 
variants of existing addresses, common first names, random user parts, ...). I guess it's almost the 
same. I see all of them.

Re: always get 450 for non-existent domain

[Jose-Marcio Martins da Cruz]

D G Teed wrote:
On Fri, Dec 18, 2009 at 7:52 PM, Wietse Venema > wrote:




Due to the hardwired default of 450, all sent mail becomes sluggish
on the Exchange queue as hundreds of messages are retried
every few minutes (one mistyped domain in a mail list triggers this
behaviour in MS Exchange).


Every few minutes ? Maybe MS Exchange behaviour is wrong :

From RFC 5321 :

   The sender MUST delay retrying a particular destination after one
   attempt has failed.  In general, the retry interval SHOULD be at
   least 30 minutes; however, more sophisticated and variable strategies
   will be beneficial when the SMTP client can determine the reason for
   non-delivery.

--

Re: 3000 recipients

[Jose-Marcio Martins da Cruz]

richard lucassen wrote:

On Sun, 3 Jan 2010 14:28:11 -0600
Kenneth Marshall  wrote:

[mlm]


I will second that using a real MLM is usually a much, much better
option that will allow you to prevent collateral damage to your mail
reputation when there is a delivery problem. For example, when using
the aliases option, you should only allow the one address/user to send
mail to the alias or you open up an avenue for spammers to abuse your
system.


Ok, thanks guys, you have convinced me to use a mlm. I'll dive into that
matter. I've only played with ezmlm some 10 years ago when I was using
qmail, but I haven't looked at these mlm's ever since.

Which mlm would you recommend to use for this purpose? I use Debian
Lenny with (of course) Postfix.


Sympa ?

http://www.sympa.org

JM



R.




--

Re: How to not reject valid MTAs for inconsistent forward/reverse DNS.

[Jose-Marcio Martins da Cruz]

Stan Hoeppner wrote:


Rejecting mail due to lack of a PTR is an anti bot spam tactic.  It is as
prevalent today as it was 5 years ago, but probably less effective.  Many ISPs
went PTR crazy, assigning them to all their dynamic consumer IP ranges.  DULs
and generic PTR regexes are now more effective in this regard.  Even so, there
are still large amounts of consumer IP space without PTRs, so this tactic is
still valid, and still widely used.


The problem is that in countries under developpement (e.g. in Africa), there are lots of legitimate 
mail servers who aren't well administered (accordingly with our "best practices"). So rejecting 
messages coming from servers without PTR is a way to reject communications with these countries. 
It's okay if don't communicate with people from these countries.


JM

Re: How to not reject valid MTAs for inconsistent forward/reverse DNS.

[Jose-Marcio Martins da Cruz]

Daniel V. Reinhardt wrote:


JM,

There are various online tutorials that describe how to setup a proper name 
server, and how to administer one.  If they are unable to teach themselves, 
then they should get rejected till they become better educated in the practices 
of Information Technology and System Administration.  Most of those countries 
you speak of setup e-mail for only one thing, and that is to propagate spam out 
to the world.  Ever received email from a prince stating they will give you 50 
Million USD if you send him 10K?  If yes, then you know what I am talking about.



Sure... But have you ever maintained some communication with people from these countries ? Small 
companies, NGOs (non gouvernemental organisations), small schools. Sometimes, in non english talking 
countries their mail admins don't even talk/read english fluently and there are hardly tutorials 
written in their language. And they have more serious problems to handle than a "perfectly defined 
PTR for their mail server".


The environnement in these countries isn't the same as in United States, and you simply can't impose 
the same requirements you can impose to mail servers in USA.


A good example now are mail servers in Haiti which shall probably be operating in difficult 
conditions. And they too are more concerned in survival than having good PTRs. You just can't reject 
messages coming from Haiti mailservers just because their mailservers may not have a perfectly 
defined PTR record.


In my humble personnal opinion, I agree that we can give less priority to these servers but not just 
reject messages from these kind of servers.


José-Marcio

--

Re: How to not reject valid MTAs for inconsistent forward/reverse DNS.

[Jose-Marcio Martins da Cruz]

LuKreme wrote:

On Jan 17, 2010, at 17:27, Stan Hoeppner  wrote:

Then I'd surmise your experience is very limited.


I have only been running a mailserver for 17 years or so.


Almost the same...

>> Join spam-l and ask this
>> naked PTR question.  You will be clued.

What is their authority ? Where they designated by the World Government to run the Internet Police 
Departement ? Did they wrote any RFC about this "naked question" ? What do IETF say about this ? Is 
there any RFC which says mailservers "MUST" have a valid PTR record ???


I agree that mailservers without PTR may be a (strong) indicator of spam, but none says that "no PTR 
record implies spam".


Also, it seems to me that this discusion is becoming OT and risks to become a "flame war". So, I 
think it's better to stop it.


--

Re: Milter by domain

[Jose-Marcio Martins da Cruz]

Noel Jones wrote:

On 1/28/2010 1:46 AM, Jonathan Cutting wrote:




I guess some sort of domain:port_number mapping would suffice. Is this
possible using milters or might it be easier to use a custom script?


A single milter that handles all domains is what you need.  Or maybe a 
"master" milter that can connect to multiple secondary milters based on 
the recipient.


Or easiest would be to use MX records to send mail for each domain to 
its own postfix instance.


Another reason to do it this way (multiple MXs and multiple instances of postfix) is that a single 
message can be sent to many recipients in different domains hosted by your mailserver.



--

Re: adding a header via milter

[Jose-Marcio Martins da Cruz]

Viktor Dukhovni wrote:

On Fri, May 18, 2012 at 10:11:10AM -0400, Ben Rosengart wrote:



...


   2. I never liked milters (multi-threading complexity, and poor degradation
  when CPU is scarce under high load).


Take a look at libmilter with a pool of workers. It's a FFR : _FFR_WORKERS_POOL. Try it with the one 
shipped with sendmail 8.14.5.


--

Re: Bulk Mailing Performance

[Jose-Marcio Martins da Cruz]

DTNX Postmaster wrote:



They aren't my perfect world criteria, but a direct quote from Sam
Jones' earlier buzzword compliant reply.

It was meant to illustrate the often ridiculous nature of vendor
benchmarks, how useless they are in real world situations, and
therefore how silly it is to pick software based on theoretical limits
you will most likely never hit.


Not really ridiculous. All those benchmarks are interesting, as they represent, 
say, the "intrinsic performance of the software". The problem is to tell (for 
the vendor) and to take into account (for the reader) the conditions at which 
the benchmark was done.


But, sure, two pieces of software can be compared only if measurings are done 
with the same conditions. And one software which has better "intrinsic 
performance" may not be better in real world conditions.



--

Re: avoiding overload on port 587

[Jose-Marcio Martins da Cruz]

Stan Hoeppner wrote:

On 11/30/2012 4:48 PM, Reindl Harald wrote:


in the real world submission is useless if IMAP is down
because the client will fail to store in "sent messages"


In the real world most road warriors use POP, not IMAP, and those with
consistent connectivity that do make use of IMAP do it via web mail.  So
the "sent items" folder isn't an issue.  Note the OP mentioned "laptop
users" as his submitters, not desktop users.  "Laptop" implies roaming,
or he'd have used a different descriptive term.


More and more people are roaming users. Roaming users shall have their mail in 
the server : so IMAP is the choice. Some use webmail, and some use heavy clients 
(Thunderbird, Outlook, ...), the latter are people who need to work both online 
and offline.


Yes... storing messages in "sent messages" folder may be an issue, not only when 
the IMAP server is down, but also when it's overloaded.





PHYSICAL boxes are not needed in 900 out of 1000 environments


Reindl, nobody here has ever heard of virtualization, so it's good that
you give us all a lesson with every 3rd post. ;)



H... tell this to vmware/zimbra guys...  8-)

Just my two cents...

--

Re: Milters and Aliasing

[Jose-Marcio Martins da Cruz]

Amir A. wrote:

When I mean it doesn't work is that anytime I use any sort of aliases (domain
--> domain via Zimbra's GUI) or a simple forwarder (userdne   --->
userexists in /etc/aliases) it never works with a milter however sending to the
original/real addresses always works.



This a an example of working NON-MILTERED TRANSACTION:

Jan 16 13:19:52 zimbra postfix/smtpd[13047]: dict_proxy_lookup:
table=ldap:/opt/zimbra/conf/ldap-vam.cf flags=lock|fold_fix
key=@zimbra.koala.somedomain.com -> status=0 result=@zimbra.dev.somedomain.com
Jan 16 13:19:52 zimbra postfix/smtpd[13047]: maps_find: virtual_alias_maps:
proxy:ldap:/opt/zimbra/conf/ldap-vam.cf(0,lock|fold_fix):
@zimbra.koala.somedomain.com = @zimbra.dev.somedomain.com
Jan 16 13:19:52 zimbra postfix/smtpd[13047]: mail_addr_find:
a...@zimbra.koala.somedomain.com -> @zimbra.dev.somedomain.com


...


+++

This is an example of non-WORKING MILTERED TRANSACTION


...


Jan 17 11:49:02 zimbra postfix/smtpd[26986]: NOQUEUE: milter-reject: RCPT from
mail-ie0-f175.google.com[209.85.223.175]: 550 5.1.1 User unknown;
from= to= proto=ESMTP
helo=


j-chkmail (and most milters) doesn't access any user table (aliases, ...). It 
can do recipient verification if you tell it to do (sometimes useful on a 
gateway). In this case, you shall maintain a table of valid recipients. IMHO, 
this feature is useful on a zimbra server only if it is on a border of your 
domain and you want to detect address harvest.


If this may be your problem, please post j-chkmail logs related to this, and 
post a question to me or to j-chkmail users list as this isn't a postfix problem.



--

 Envoyé de ma machine à écrire.
 ---
  Spam : Classement statistique de messages électroniques -
 Une approche pragmatique
  Chez Amazon.fr : http://amzn.to/LEscRu ou http://bit.ly/SpamJM
 ---------------
 Jose Marcio MARTINS DA CRUZhttp://www.j-chkmail.org

Re: Blocking zip attachments if filesize smaller than xx kbytes

[Jose-Marcio Martins da Cruz]

On 02/01/2014 05:09 AM, Noel Jones wrote:

On 1/31/2014 5:38 PM, Thijssen wrote:

Has someone already done this using header_checks?
If so, please post the example you use.
I'm getting fed up with those sneaky bastards trying to convince my
parents to click on their attachments. But still need to allow
incoming .zip attachments if they're larger than, say, 80 kbytes.

Who in their right mind would want to zip a file with such small size anyway?

/name=[^>]*\.(exe|zip)/ REJECT

TIA


You'll need to use a content filter or milter of some type to do a
two-factor check.


j-chkmail does this.


--

Re: Use a recipients_map for spamassassin

[Jose-Marcio Martins da Cruz]

Nicolas Letellier wrote:

Hello.

I'm looking for a solution to desactivate antispam solution for a few
recipients. 


By default, spamassassin is activated for all mails, with a rule like:
smtp  inet  n   -   n   -   -   smtpd
  -o content_filter=spamassassin

I would like to know if you have a solution to launch spamassassin
*only* if the recipient want to have an antispam solution.

For example, to have a recipients_map with all domains to analyse with
spamassassin.


What's hard with this kind of thing is :

* What about a single message for many recipients : some of them want 
the message scanned, and some other don't.


* A message sent to an alias resolving to many recipients. Same 
situation : some want the message scanned - but not all.



--
 -------
 Jose Marcio MARTINS DA CRUZ   http://j-chkmail.ensmp.fr
 Ecole des Mines de Paris
 60, bd Saint Michel
 75272 - PARIS CEDEX 06  mailto:[EMAIL PROTECTED]

Re: RBL

[Jose-Marcio Martins da Cruz]

Joey wrote:

Hello All,


Does anyone have a good reference of how to create my own RBL so I can 
load IP’s into it and check against it from postfix?


This is a simple script which converts a text file with a list of IP 
addresses into a bind zone


http://j-chkmail.ensmp.fr/tools/mk_dnsbl