Re: Removing trace records on submission MSA

2018-04-06 Thread Karol Augustin
On 06/04/2018 09:27 PM, J Doe wrote:
> Hi Philip,
> 
>>> Thank you for your reply.
>>>
>>> I currently use DKIM and as per the RFC for DKIM, I don’t include trace 
>>> headers in the message hash that makes up the DKIM signature.  I am under 
>>> the impression that my DKIM signatures should be correct in this case if I 
>>> use your solution and it re-writes the first trace header - is that true or 
>>> are there any other DKIM issues I might run into ?
>>
>> Unless you have specifically configured your DKIM setup to include trace 
>> headers in the hash (which you should not do according to the RFC), your 
>> DKIM signatures will continue to be correct if you anonymise the first trace 
>> header like I do.
> 
> Thank you for your reply.
> 
> I configured master.cf and created the regular expression lookup
> table, but my installation of Postfix (3.1.0), does not appear to
> support PCRE as placing “pcre:” as the dictionary type in master.cf
> generated an error that "this dictionary type is unsupported".
> 
> Some Googling revealed that I may be able to install support for that,
> but rather than install something else I switched to “regexp:”. 
> Unfortunately, regexp stated there was an error in the regular
> expression string (the error indicated the line but not the character
> in the regexp that it did not like).
> 
> My regular expression skills are rusty, so I went with an unoptimized
> search string:
> 
> /etc/postfix/submission_header_rules
> 
> /Received: from/ REPLACE Received: from [127.0.0.1]
> (localhost [127.0.0.1]) by server.com
> 
> … where server.com is the FQDN for my mail server.
> 
> As I have this configured for submission, I then tested sending e-mail
> to Gmail and can confirm that my DKIM is still valid (as expected - I
> don’t include Received: headers in the DKIM hash, as the DKIM RFC
> recommends), and this is not doing any unwanted edits on mail over
> port 25.
> 
> I figured this was sufficient but further reading indicates that some
> anti spam software pays attention to the Received: headers (although
> most sources noted this was an issue when configuring Postfix to
> *DELETE* the first header, which I don’t want to do).
> 
> With that in mind, I had two questions:
> 
> ** Is there any anti spam software that checks for the date and time
> at the end of the Received: string ?  My very basic search string does
> not capture the date and time after the semicolon and therefore does
> not show up.
> 
> ** If there is anti spam software that looks for the date and time,
> could you help me construct a “regexp:” compatible search string ?  I
> experimented with captures but again, my regular expression skills are
> bad at the moment.
> 
I am using this:

/^(Received:) from.*]\).*(.{2}by mail\.nimitz\.pl.*Postfix.*) (with [E]{0,1}SMTP[S]{0,1}[A]{0,1}) (.*)/ REPLACE $1 from mail.nimitz.pl (localhost [127.0.0.1])$2 with SMTP $4

Just replace 'mail.nimitz.pl' with the FQDN of your server. This expression
works for me and also removes information about the connection, which in
my case can tell whether the mail was sent from webmail (unencrypted
connection from the webmail host to the Postfix host) or from a client's MUA
(encrypted).

It can probably fail on some systems due to .* matching, which is
greedy, but I wrote it many years ago and it works, so I am not fixing
it.

k.



-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312
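As an added example, not code from the post: a Python emulation of that header_checks REPLACE rule, with mail.nimitz.pl swapped for the placeholder mail.example.com. It assumes Postfix hands header_checks the folded header with its line breaks intact (which is what the pattern's .{2} relies on) and that regexp tables match case-insensitively, as they do by default.

```python
import re

# Placeholder for your server's FQDN (the post uses mail.nimitz.pl).
SERVER_FQDN = "mail.example.com"

# The header_checks pattern from the post, with the FQDN substituted.
# Postfix regexp tables match case-insensitively by default and the '.'
# in the pattern also matches the newline of a folded header, which is why
# the post's '.{2}' keeps the "\n\t" in front of "by"; IGNORECASE | DOTALL
# reproduces that in Python.
PATTERN = re.compile(
    r"^(Received:) from.*]\).*(.{2}by " + re.escape(SERVER_FQDN)
    + r".*Postfix.*) (with [E]{0,1}SMTP[S]{0,1}[A]{0,1}) (.*)",
    re.IGNORECASE | re.DOTALL,
)

# The REPLACE text from the post; Postfix's $1/$2/$4 become \1/\2/\4.
# $3 (the "with ESMTPSA" token) is deliberately dropped, so the rewritten
# header no longer reveals whether the client used TLS or authenticated.
TEMPLATE = r"\1 from " + SERVER_FQDN + r" (localhost [127.0.0.1])\2 with SMTP \4"


def anonymise_received(header: str) -> str:
    """Apply the REPLACE rule to one logical (folded) Received: header.

    Returns the rewritten header, or the input unchanged when the rule
    does not match, e.g. a Received: header added by some other server.
    The greedy '.*' before '])' cuts at the *last* "])" in the header,
    which is the caveat the post mentions.
    """
    m = PATTERN.match(header)
    return header if m is None else m.expand(TEMPLATE)


# Constructed sample: a submission (port 587) header as Postfix folds it,
# showing the client's LAN address, rDNS name, public IP, TLS cipher and
# SASL login name, i.e. everything the rule is meant to hide.
SUBMISSION_HEADER = (
    "Received: from [192.168.1.23] (cpe-203-0-113-45.example.net [203.0.113.45])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.com (Postfix) with ESMTPSA id 3b1f2c4d5e\n"
    "\tfor <bob@example.org>; Fri,  6 Apr 2018 21:14:03 +0100 (IST)"
)

# Constructed sample: a hop added by another MTA; "by" names a different
# host, so the rule must leave it alone.
FOREIGN_HEADER = (
    "Received: from mail.example.com (mail.example.com [203.0.113.1])\n"
    "\tby mx.example.org (Postfix) with ESMTPS id 9f8e7d6c5b\n"
    "\tfor <bob@example.org>; Fri,  6 Apr 2018 21:14:05 +0100 (IST)"
)

if __name__ == "__main__":
    print(anonymise_received(SUBMISSION_HEADER))
    print("---")
    print(anonymise_received(FOREIGN_HEADER))
```

The date after the semicolon survives because it is inside group 4, which the REPLACE text copies back.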


Re: SMTP session caching

2018-03-15 Thread Karol Augustin
On 2018-03-15 13:58, Matus UHLAR - fantomas wrote:
>>> >A. Schulze:
>>> >> I like to ask about a documented limitation
>>> >> (http://www.postfix.org/CONNECTION_CACHE_README.html#limitations)
>>> >>
>>> >> "For this reason, the Postfix smtp(8) client always closes the
>>> >> connection after completing an attempt to deliver mail over TLS."
>>>
>>> On 07.03.18 09:07, Wietse Venema wrote:
>>> >Indeed. Postfix can migrate the TCP connection from one process to
>>> >another, but the TLS library does not support migration of live TLS
>>> >state. It supports reuse on new connections only.
>>> >
>>> >Possible solutions would be:
> 
>>Matus UHLAR - fantomas:
>>> an SMTP client that is able to process multiple mails in a single run is not
>>> planned, correct?
> 
> On 15.03.18 09:22, Wietse Venema wrote:
>>Wasn't a dedicated per-destination delivery agent one of the possible
>>solutions?
> 
> if you mean this one:
> 
>> - For each destination, use dedicated SMTP clients that handle all
>> TLS sessions with that destination (no inter-process migration),
>> and cache TCP+TLS state in those processes. Unfortunately, that
>> does not scale to thousands of destinations.
> 
> ... which does not scale, I was under the impression that it requires site
> configuration, or keeping multiple clients alive.
> 
> what I meant is that if the SMTP client connecting to a destination couldn't
> try to deliver multiple (all) mails directed to the destination and then
> quit, the only difference would be that it could deliver more than just one mail.

I think what Matus is asking about here is the RSET implementation in the Postfix
client. For example, I have software that sends some automated e-mail over
night using a single SMTP connection (written in Perl). After each e-mail
it does $smtp->reset(); and then delivers the next e-mail using the same
connection. The final effect looks like this:

disconnect from localhost[127.0.0.1]:51596 ehlo=1 mail=63 rcpt=71
data=63 rset=63 quit=1 commands=262

I believe Matus is asking if that could be implemented in Postfix so it
connects to the remote SMTP server and delivers one e-mail after another,
issuing RSET after each one and not disconnecting.

Karol




Re: Content filter with script

2018-03-08 Thread Karol Augustin
On 2018-03-07 21:47, Alex K wrote:

> Hi all, 
> 
> Just checking if anyone can provide any hints on the below. 
> 
> Thanx, Alex 
> 
> On Tue, Mar 6, 2018 at 3:16 PM, Alex K <rightkickt...@gmail.com> wrote:
> 
>> Hi all, 
>> 
>> I am trying to setup a simple script, which will be used to check the mail 
>> size and count the emails per user (the script does only mail size checks at 
>> the moment). I am currently checking the logic with a simple script and I 
>> have followed the http://www.postfix.org/FILTER_README.html, the advanced 
>> option to avoid loops. When putting script at pickup I had loops.

Check mtpolicyd; it has an accounting plugin which might be what you are
looking for.

Karol




Re: postwhite? (why not?)

2018-03-05 Thread Karol Augustin
On 2018-03-05 6:39, Bill Cole wrote:
> On 3 Mar 2018, at 14:25, J Doe wrote:
> 
>> Should I then continue to use postscreen for the zombie detection but then 
>> move my DNSRBL entries to smtpd restrictions ?
>>
>> Apologies for belabouring the point - I’m just not understanding.
> 
> Not all DNSBLs are equivalent. SOME are suited for use in postscreen
> as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
> configuration should be designed to only block IPs that *only* send
> spam. There are DNSBLs designed to be hyper-sensitive, to not give any
> sender a free pass, and to generate occasional collateral damage.
> There are DNSBLs designed to be used in complex anti-spam systems and
> NOT as a unilateral basis for blocking. Those sorts of DNSBL should
> not be used in postscreen with a score at or above
> postscreen_dnsbl_threshold.

Hi Bill,

Would you mind sharing which RBLs you recommend to use in postscreen?

k.



Re: postwhite? (why not?)

2018-03-03 Thread Karol Augustin
On 2018-03-03 5:06, MRob wrote:
> On 2018-03-02 13:46, Karol Augustin wrote:
>> I also added some hosts to my list from banks, Amazon SES etc. I have
>> about 800 lines in the generated file, which is reasonable. I have about
>> 60-75% passing connections whitelisted now.
> 
> Would you share those you've added?

custom_hosts="ulsterbank.com amazonses.com nodeping.com
spamassassin.apache.org outages.org paypal.com allegro.pl"

k.




Re: postwhite? (why not?)

2018-03-02 Thread Karol Augustin
On 2018-03-02 12:09, MRob wrote:
> Asking for opinions about postwhite.
> https://github.com/stevejenkins/postwhite
> 
> Below are the default whitelist domains. It's a nice idea, but what about
> the time when spammers got hold of 10.000 hotmail accounts?
> 
> OTOH this is only for postscreen and does not whitelist against your antispam
> engine, so it seems like a good idea. I'd really like to know arguments
> against using this, please speak up.
> 
> 
> 
> webmail_hosts="aol.com google.com microsoft.com outlook.com
> hotmail.com gmx.com icloud.com mail.com inbox.com zoho.com
> fastmail.com"
> 
> social_hosts="facebook.com facebookmail.com twitter.com pinterest.com
> instagram.com tumblr.com reddit.com linkedin.com"
> 
> commerce_hosts="craigslist.org amazon.com ebay.com paypal.com"
> 
> bulk_hosts="sendgrid.com sendgrid.net mailchimp.com exacttarget.com
> cust-spf.exacttarget.com constantcontact.com icontact.com mailgun.com
> fishbowl.com fbmta.com mailjet.com sparkpost.com sparkpostmail.com"
> 
> misc_hosts="zendesk.com github.com"

Hi,

Can't really say anything against using postwhite. So these are my
experiences:

I started using it some time ago. I have noticed that some providers
use some kind of SPF rotation daily (???) and rotate between IPv6
subnets. So it is important to run it periodically to update the file.
It might be good to implement rounding to the nearest /64 or even /56
for efficiency, but I didn't have a chance to look into that.

Other than that, I am using the generated list to whitelist postscreen
and some custom filtering that forces greylisting and honeypot checks as
well.

My main observation is that senders included in the default list you
posted will pass postscreen anyway, and the additional benefit is to exclude
them from RBL checks, because the vast majority of users would still like to
allow them, even if they hit some RBLs from time to time.

The additional benefit is a huge saving on DNS queries and (for me)
avoiding greylisting if some otherwise good server finds its way onto an
RBL.

I also added some hosts to my list from banks, Amazon SES etc. I have
about 800 lines in the generated file, which is reasonable. I have about
60-75% of passing connections whitelisted now.

Karol




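As an added example (not part of postwhite or of the post): the /64 rounding suggested above, applied with Python's ipaddress module to a constructed file in postwhite's postscreen_access "network permit" format; it also merges adjacent and overlapping entries, which shrinks the file further than rounding alone.

```python
import ipaddress

# Constructed sample in the format postwhite writes for postscreen_access
# (one "network permit" per line); the individual IPv6 hosts are the
# rotating-address case the post describes.
SAMPLE_CIDR = """\
# constructed sample, not real postwhite output
2001:db8:1234:5678::1 permit
2001:db8:1234:5678::2 permit
2001:db8:1234:5679::/64 permit
2001:db8:abcd::/48 permit
2001:db8:abcd:1::/64 permit
203.0.113.0/24 permit
203.0.113.7 permit
"""


def round_and_collapse(text: str, v6_prefix: int = 64) -> list:
    """Round IPv6 entries longer than /v6_prefix up to /v6_prefix, then
    merge overlapping and adjacent entries (IPv4 and IPv6 separately,
    since ipaddress refuses to collapse mixed address families).

    Returns postscreen_access lines ready to write back to the cidr file:
    IPv4 entries first, then IPv6, each family in address order.
    """
    v4, v6 = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, action = line.split()
        if action.lower() != "permit":
            continue  # only whitelist entries are rounded here
        net = ipaddress.ip_network(addr, strict=False)
        if net.version == 6:
            if net.prefixlen > v6_prefix:
                net = net.supernet(new_prefix=v6_prefix)
            v6.append(net)
        else:
            v4.append(net)
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [f"{net.with_prefixlen} permit" for net in merged]


if __name__ == "__main__":
    print("\n".join(round_and_collapse(SAMPLE_CIDR)))
```

Rounding widens the whitelist to whole /64s, so it trades a little precision for a file that does not need regenerating every time a sender rotates hosts inside one subnet.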


Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

2018-03-01 Thread Karol Augustin

On 01/03/18 04:47, MRob wrote:

> What other people do about this? Remove SORBS completely? Increase dnswl 
> scoring? Reduce SORBS scoring?


I am using postwhite to generate a CIDR list from the SPF records of known 
senders and have them whitelisted in Postfix. It saves a lot of delays 
for Postfix checks and ensures that Gmail is whitelisted in case of 
similar issues. Also, a lot of my mail traffic comes from what I would 
describe as "good" senders, from the postscreen perspective at least, so I 
don't have to screen them as they will pass anyway.


Google it and change the list of hosts in the script/config to suit your 
needs.


Also, if an RBL is listing Google servers they are doing it wrong. I just 
disabled SORBS for that even though I have never hit this issue myself, 
as I have Google CIDR records whitelisted.


k.






Re: Restricting submission to legitimate account name only

2018-02-20 Thread Karol Augustin
On 2018-02-20 11:07, Ralph Seichter wrote:
> On 20.02.2018 10:35, Karol Augustin wrote:
> 
>> On 2018-02-19 23:13, @lbutlr wrote:
>>
>> > For example, most people have many email addresses, and rather than
>> > try to manage many different servers, they will pick their "best"
>> > server to send their email through.
>>
>> Any modern email client uses autoconfiguration this days and it is
>> actually very hard to set things up as you describe (using identities
>> etc.) in comparison to proper setup with one submission server per
>> account.
> 
> Multiple identities are "proper" and very useful, especially when it
> comes to using different addresses for different mailing lists or when
> sub-addressing is unavailable. Also, people can have different roles
> with different email addresses in an organisation. Arbitrarily enforcing
> a one-to-one-relationship between email addresses and email accounts is,
> in my experience, often unnecessary and counterproductive.
> 
> It can indeed be hard to set this up on the client side, due to the
> aforementioned restrictions of MTAs and for lack of support in MUAs.
> Mozilla Thunderbird may be dying a slow death, but I keep using it for
> its good multi-identity-support. I've asked Apple several times over the
> years why both their macOS and iOS mail clients don't support it, but
> apparently this does not even deserve an answer.
> 
>> Sending e-mails on behalf of other domains breaks SPF, DKIM, DMARC and
>> is in general considered spoofing. You should be prepared for complaints
>> if you ARE allowing this.
> 
> I run servers for myself and for customers that send email for various
> domains, with the proper config for SPF, DKIM, DMARC, DANE -- you name
> it -- and support multiple identities. It takes a bit more effort on the
> server side, but the users are happy, and I think that's worth the extra
> thought spent on the server setup.
> 
> I'm not saying everybody needs multiple identities, but I know enough
> people who consider it important, including myself.
> 
> -Ralph

Ok, so I think I misunderstood you.

I agree that multiple identities are useful and should be used. I use
them myself. I just don't agree that any user should be allowed to send
email from arbitrary domains using your e-mail server. For example, my
users can't send e-mails From: a Gmail address using my server. They are
only allowed to send e-mail using addresses that they "own", which I
have configured using this ugly query (sender_login_maps):

query = select email from ((select email from virtual_users where
email='%s') union (select destination from virtual_users,
virtual_aliases where virtual_users.email = virtual_aliases.destination
and virtual_aliases.source='%s')) as adr \
join virtual_domains where SUBSTRING_INDEX(adr.email, '@', -1) =
virtual_domains.name

So if there is an alias configured to deliver to a particular user, then the user
can send e-mail from this address, but not from any address (gmail.com),
and not from his colleague's address, even if it is in the same domain.

So I agree, 1-to-1 mapping is bad, but I disagree that complete freedom
for authenticated users is good.


k.


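As an added example, not code from the post: the sender_login_maps query above ported to an in-memory SQLite database so the ownership rules can be checked offline. The virtual_* schema is an assumption (the post does not show it) and the sample data is constructed.

```python
import sqlite3

# Schema assumed to be the common Postfix/Dovecot "virtual_*" layout that
# the query's table names suggest (it is not shown on the page).
SCHEMA = """
CREATE TABLE virtual_domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE virtual_users   (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                              email TEXT NOT NULL UNIQUE);
CREATE TABLE virtual_aliases (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                              source TEXT NOT NULL, destination TEXT NOT NULL);
"""

# Constructed sample data: one hosted domain, two mailboxes (the SASL
# logins) and aliases. sales@ fans out to alice and to an external address.
SAMPLE_DATA = """
INSERT INTO virtual_domains VALUES (1, 'example.com');
INSERT INTO virtual_users   VALUES (1, 1, 'alice@example.com');
INSERT INTO virtual_users   VALUES (2, 1, 'bob@example.com');
INSERT INTO virtual_aliases VALUES (1, 1, 'sales@example.com', 'alice@example.com');
INSERT INTO virtual_aliases VALUES (2, 1, 'sales@example.com', 'partner@example.net');
INSERT INTO virtual_aliases VALUES (3, 1, 'postmaster@example.com', 'bob@example.com');
"""

# The sender_login_maps query from the post, ported from MySQL to SQLite:
# SUBSTRING_INDEX(x, '@', -1) becomes substr(x, instr(x, '@') + 1) and
# Postfix's '%s' (the envelope sender being looked up) becomes :sender.
# Each row returned is a SASL login that owns that sender address.
SENDER_LOGIN_QUERY = """
SELECT adr.email
  FROM (SELECT email FROM virtual_users WHERE email = :sender
        UNION
        SELECT virtual_aliases.destination AS email
          FROM virtual_users, virtual_aliases
         WHERE virtual_users.email = virtual_aliases.destination
           AND virtual_aliases.source = :sender) AS adr
  JOIN virtual_domains
    ON substr(adr.email, instr(adr.email, '@') + 1) = virtual_domains.name
"""


def build_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def logins_for_sender(conn: sqlite3.Connection, sender: str) -> set:
    """Emulate the sender_login_maps lookup for one envelope sender.

    Addresses are lower-cased first: MySQL compares case-insensitively by
    default, SQLite's '=' does not.
    """
    rows = conn.execute(SENDER_LOGIN_QUERY, {"sender": sender.lower()})
    return {row[0] for row in rows}


def submission_allowed(conn: sqlite3.Connection, sasl_username: str, sender: str) -> bool:
    """What reject_sender_login_mismatch decides for an authenticated client:
    accept only if this login is among the owners of the envelope sender;
    a sender with no owner at all is rejected too."""
    return sasl_username.lower() in logins_for_sender(conn, sender)


if __name__ == "__main__":
    db = build_db()
    for login, sender in [("alice@example.com", "alice@example.com"),
                          ("alice@example.com", "sales@example.com"),
                          ("alice@example.com", "bob@example.com"),
                          ("alice@example.com", "alice@gmail.com")]:
        verdict = "accept" if submission_allowed(db, login, sender) else "reject"
        print(f"{login} as {sender}: {verdict}")
```

Note that the external alias target partner@example.net never becomes an allowed login, because it has no virtual_users row and no hosted domain.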


Re: Restricting submission to legitimate account name only

2018-02-20 Thread Karol Augustin
On 2018-02-19 23:13, @lbutlr wrote:
> On 2018-02-19 (09:35 MST), Alex <mysqlstud...@gmail.com> wrote:
>>
>> In other words, if the sasl_username is alice, I'd like to restrict the 
>> envelope sender and From address to only legitimate accounts belonging to 
>> that sasl user.
> 
> This may break many people's workflows.
> 
> For example, most people have many email addresses, and rather than
> try to manage many different servers, they will pick their "best"
> server to send their email through.

Any modern email client uses autoconfiguration these days, and it is
actually very hard to set things up as you describe (using identities
etc.) in comparison to a proper setup with one submission server per
account.

> 
> So, when I send an email to someone from my google account, it
> probably doesn't go through google's submission servers.

This might have been the case a decade ago, but now doing this will most
probably put that e-mail in spam. Sending e-mails on behalf of other
domains breaks SPF, DKIM, DMARC and is in general considered spoofing.
You should be prepared for complaints if you ARE allowing this.

Try to send email from a non-Gmail address using a Gmail account.

> 
> Now, you might not care, but you might be prepared for the complaints.
> 
> A better choice is to rate limit users.
> 
> You can also check if the sender@yourdomain is a valid account, but
> then again, there are reasons someone (a company, especially) might
> want an invalid sender.
> 
> And you'll break mailing lists if you aren't careful.

How? What does restricting users to sending mail only from addresses they own
have to do with mailing lists?


k.



Re: Question regarding smtpd DNS resolution

2018-02-05 Thread Karol Augustin
On 2018-02-05 12:26, Allen Coates wrote:
> On 05/02/18 00:12, Viktor Dukhovni wrote:
>>
>>
>>> On Feb 4, 2018, at 5:46 PM, J Doe <gene...@nativemethods.com> wrote:
>>>
>>> Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname 
>>> 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service 
>>> not known
>>>
>>> Does this mean that:
>>>
>>> 1. smtpd receives a connection from an smtp client and does a reverse DNS 
>>> lookup
>>> 2. smtpd performs a forward DNS lookup on the result and compares the 
>>> resulting IP address to the initial IP
>>> 3. If the IP addresses don’t match it reports this error
>>>
>>> ... or is some other logic used to generate the error message?
>>
>> The message happens when the hostname obtained from 1 fails to resolve
>> to an IP address that can be compared in 2.  The error is a hard error
>> (NXDomain).
>>
> 
> Is this a reliable bad-host detector?   The last three instances in my
> log were subsequently rejected by a DNSBL
> 
> Allen C

It is a good indicator. All well-configured mail servers should have
correct PTR records (full-circle DNS). A lot of spam-sending machines
have this problem, as usually a spammer can't control the PTR records of the IP
that they are spamming from. Unfortunately, a lot of legitimate mail
comes from badly configured servers, and outright rejecting mail coming
from hosts with a bad PTR/no PTR might prevent you from receiving
legitimate e-mail as well. But, as usual, it depends on your user base
and YMMV.

I've heard that Gmail is rejecting / spam-tagging email from such hosts
but never confirmed that myself. Maybe in some foreseeable future it
will be safe to reject bad-PTR hosts but, in my opinion, not yet.

k.




Re: Postfix upgrade breaks emails accounts from Mac OS X

2018-02-03 Thread Karol Augustin
On 2018-02-03 17:09, @lbutlr wrote:
> On 1 Feb 2018, at 21:31, Olivier <olivier.nic...@cs.ait.ac.th> wrote:
>> Is that a known problem? Is there a fix?
> 
> It is not. I have a postfix 3.2 install and primarily use Macs to access
> it. Works fine on new and old accounts.
> 
> However, this sounds like a dovecot issue, not a postfix issue. And
> you didn't provide any logs for the "can't use old accounts" events,
> so it's hard to say.
> 
> Or maybe you are using something other than dovecot, in which case use 
> dovecot.
> 
> Ah, I see reading ahead that you are using cyrus.
> 
> I found cyrus to be poorly documented and fragile, and switched to
> dovecot on recommendations on this list. I've been pleased with it.
> 
> In all likelihood, the settings for authentication need to be updated
> on the Macs. Generally the Mac does a good job of setting the accounts
> up correctly, but it will not change the settings when your server
> changes.
> 
> Check the port number and the authentication method and make sure they
> match a working account.
> 
> <https://www.dropbox.com/s/85xy4tc24i5twqr/Screenshot%202018-02-03%2010.06.26.png?dl=0>
> 
> (That is for macOS High Sierra v10.13, earlier versions may look different)
> 
> I suspect either the port is wrong or the Authentication method is
> wrong, or both are wrong.


I have a few people connecting using Macs. I had a similar issue when I
upgraded libssl to 1.1.0f-4: all of them couldn't connect as they are
still using TLS 1.0. I had to temporarily downgrade to 1.1.0f-3 until
the problem was fixed in 1.1.0g-1. The problem was that the developers
decided to disable TLS 1.0, which impacted a lot of things.

My point is: are you sure that you upgraded just Postfix, or maybe you
hit the same issue by running apt-get upgrade or similar?

I don't know what version of Mac is still using TLS 1.0 as I can't stand
Macs and avoid them at all cost. I also don't know if using TLS 1.0 is
account-sticky, which would be ridiculous.


k.



Re: Email and information helpfull to have in the headers/logs for police enquiries

2018-01-30 Thread Karol Augustin
On 2018-01-30 16:44, Ghislain Adnet wrote:
> hi,
> 
>  We participated in some police enquiries about emails sent to
> blackmail people and get the source IP. The ISP answered
> that they use proxy systems and they require IP+port to be able to
> track the source. We just helped the case, but it
> sparked the idea that I'd better start to log the TCP port as well in
> my server logs.
> 
> 
>  In Postfix the IP is logged but not the TCP port. To be ahead in
> future legal issues I wanted to know if there is a way
> to:
> 
> - add the TCP port to the log messages
> - add the TCP port to a header in the mail (so it sticks to it)
> 
> 
>  I did not find in the mailing list archive or the googlebrain or the
> docs any way to do that. Perhaps a very simple
> milter, but I also did not find a logging milter (but they seem hard
> to find, those milters, anyway). Any ideas or
> experience doing that?
> 
> 
> best regards,
> Ghislain.

I don't know why it is important to you to log the port number, so if you
could explain I would be grateful. You can deploy postscreen, which is a
good idea anyway, and you will have port numbers in the logs:

Jan 30 17:12:09 mail postfix/postscreen[20169]: CONNECT from
[2607:f8b0:4001:c0b::234]:38670 to
[2a05:d018:76d:5af6:d050:9b30:6bf7:df98]:25
Jan 30 17:12:09 mail postfix/postscreen[20169]: WHITELISTED
[2607:f8b0:4001:c0b::234]:38670
Jan 30 17:12:09 mail postfix/smtpd[20618]: connect from
mail-it0-x234.google.com[2607:f8b0:4001:c0b::234]

Jan 30 17:07:11 mail postfix/postscreen[20169]: CONNECT from
[137.135.42.190]:1072 to [10.1.0.20]:25
Jan 30 17:07:11 mail postfix/postscreen[20169]: BLACKLISTED
[137.135.42.190]:1072
Jan 30 17:07:11 mail postfix/postscreen[20169]: DISCONNECT
[137.135.42.190]:1072

Jan 30 17:15:07 mail postfix/postscreen[20169]: CONNECT from
[168.100.1.3]:45124 to [10.1.0.20]:25
Jan 30 17:15:07 mail postfix/postscreen[20169]: PASS OLD
[168.100.1.3]:45124
Jan 30 17:15:07 mail postfix/smtpd[20618]: connect from
camomile.cloud9.net[168.100.1.3]

Which reminds me to whitelist 168.100.1.3.

Karol


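As an added example, not from the post: a small parser for postscreen lines in the format shown above, grouping events by client address and source port, which is the IP+port pair the ISP asked for. The log lines are constructed with documentation addresses.

```python
import re

# Matches the postscreen lines that name the client as [address]:port
# (CONNECT, PASS NEW/OLD, WHITELISTED, BLACKLISTED, DISCONNECT, ...).
# The address is taken from inside the brackets, so IPv6 colons do not
# confuse the port split; smtpd's "connect from name[addr]" lines carry
# no port and are skipped.
POSTSCREEN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/postscreen\[(?P<pid>\d+)\]: (?P<event>.*?)\s*"
    r"(?:from )?\[(?P<ip>[0-9A-Fa-f.:]+)\]:(?P<port>\d+)"
)

# Constructed sample in the same format as the log excerpt in the post
# (documentation addresses, not real clients).
SAMPLE_LOG = """\
Jan 30 17:07:11 mail postfix/postscreen[20169]: CONNECT from [198.51.100.190]:1072 to [10.1.0.20]:25
Jan 30 17:07:11 mail postfix/postscreen[20169]: BLACKLISTED [198.51.100.190]:1072
Jan 30 17:07:11 mail postfix/postscreen[20169]: DISCONNECT [198.51.100.190]:1072
Jan 30 17:12:09 mail postfix/postscreen[20169]: CONNECT from [2001:db8:4001:c0b::234]:38670 to [2001:db8:76d:5af6::25]:25
Jan 30 17:12:09 mail postfix/postscreen[20169]: WHITELISTED [2001:db8:4001:c0b::234]:38670
Jan 30 17:12:09 mail postfix/smtpd[20618]: connect from mail.example.net[2001:db8:4001:c0b::234]
Jan 30 17:15:07 mail postfix/postscreen[20169]: CONNECT from [192.0.2.3]:45124 to [10.1.0.20]:25
Jan 30 17:15:07 mail postfix/postscreen[20169]: PASS OLD [192.0.2.3]:45124
Jan 30 17:15:07 mail postfix/smtpd[20618]: connect from mx.example.org[192.0.2.3]
"""


def parse_postscreen(lines):
    """Yield one record per postscreen line that identifies a client session."""
    for line in lines:
        m = POSTSCREEN_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            yield rec


def sessions_by_client(lines):
    """Group events by (client ip, client port).

    One source port corresponds to one TCP session, which is exactly the
    pair an ISP behind a proxy/NAT needs to attribute a connection.
    """
    sessions = {}
    for rec in parse_postscreen(lines):
        key = (rec["ip"], rec["port"])
        sessions.setdefault(key, {"first_seen": rec["ts"], "events": []})
        sessions[key]["events"].append(rec["event"])
    return sessions


def find_session(lines, ip, port):
    """Answer a 'which session used IP X from port Y' request, or None."""
    return sessions_by_client(lines).get((ip, port))


if __name__ == "__main__":
    for (ip, port), info in sessions_by_client(SAMPLE_LOG.splitlines()).items():
        print(f"{info['first_seen']} [{ip}]:{port} -> {' -> '.join(info['events'])}")
```

The smtpd "connect from" lines are intentionally ignored: they repeat the address but, as the post notes, not the port, so postscreen is the record to keep for this purpose.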


Re: Two different IP for one mx

2018-01-30 Thread Karol Augustin
On 2018-01-30 15:59, Bill Shirley wrote:

> 
> In an earlier post:
> Because I prefer to use fail2ban for brute force attacks and fail2ban depends 
> on the source IP address. In this setup I can't see the source IP. Also I'll use iptables 
> as a permanent filter for some IPv4 blocks (like China).  
> 
> He needs to see the real public addresses of those who connect to this new 
> server.

Of course, but what I meant is that the reason he doesn't (and he
definitely has to) is that the upstream configuration is broken, not
that he has a private address assigned to the NIC. You can have a private
address assigned to the NIC and be perfectly capable of seeing the original
source address. This is how it should be configured.

Karol






Re: Two different IP for one mx

2018-01-30 Thread Karol Augustin
On 2018-01-30 14:08, jin wrote:

> 2018-01-30 15:22 GMT+03:00 Bill Shirley :
> 
>> On the new Postfix server, are you using DHCP client on the WAN interface
>> to get a IP address?  You should not be.  You should assign your public 
>> address
>> to the WAN interface.
>> 
>> I have static addresses with my ISP.  My ISP's modem will hand out private 
>> addresses
>> if I use DHCP client.  I don't configure my server to use DHCP; I have it 
>> set up to
>> use the public address.
>> 
>> Bill
> 
>> 
> 
> On 1/30/2018 4:03 AM, Matus UHLAR - fantomas wrote:
> On 30.01.18 00:09, jin wrote:

Re: Fwd: Re: Message-ID

2018-01-28 Thread Karol Augustin
On 2018-01-28 9:25, CP wrote:
> on 01/27/2018 09:30 PM, Karol Augustin wrote:

> 
> With the Message-ID header and dovecot lmtp (I think lda works also) you
> eliminate (a lot!!) of these duplicates, so try it if you have the same
> problem.
> In my case I have a robot account which sends (from LAN) emails and reports
> in two groups many times a day. These don't get a Message-ID header,
> so all
> users who are in both groups get all these messages times two a day.
> 
> 
> George

I have just configured it and it's working great.

require ["duplicate"];

# Drop a copy of a message already seen within the last two hours,
# unless it came through a mailing list (List-Id header present).
if allof (not exists "list-id", duplicate :seconds 7200 )
{
  discard;
  stop;
}


So in your case you might configure a rule that, if the sender is the robot, uses
Date: or Subject: or another header instead of Message-ID. As it will only
apply to the robot e-mails, you don't risk side effects on other e-mail.

Check 3.1 in https://tools.ietf.org/html/rfc7352

Also you can use unique:id somehow with other rules to mark e-mails that
are sent by the bot. Let's say that the bot is sending e-mails not more than
once an hour. Then you can deduplicate all e-mails From:
bot and set the timeout to kick in before the next time the bot sends e-mail.

Karol




Re: Message-ID

2018-01-27 Thread Karol Augustin
On 2018-01-27 19:30, Karol Augustin wrote:
> On 2018-01-27 17:24, CP wrote:
>> On 01/27/2018 02:05 PM, Matus UHLAR - fantomas wrote:
>>>>> On 27.01.18 11:16, CP wrote:
>>>>>> I'm trying to eliminate a problem with duplicate emails in alias
>>>>>> expansion and I have seen that some (local generated and SMTP also)
>>>>>> messages don't have the Message-ID header .
>>>
>>> I should add that such duplicity should not happen when using aliases. 
>>> Also, it may happen that two people get different copies of the same mail
>>> (e.g. from this list).
>>>
>>> Are you sure your duplicities can't be fixed other way?
>>
>> In what way ? check alias expansion ?
>>
>> The thing is  I have some groups say group1 group2 and group3
>>
>> there may be users  that are part of only one group but there are
>> others that maybe in all groups .
>> Until I implemented lmtp and duplicate suppression from it (dovecot) a
>> user who was in all 3 groups
>> would receive the message 3 times (and if sent to his own email
>> address 4 !)  The problem persists
>> even with lmtp and messages that don't have Message-ID in the header ( I
>> guess this is the criteria for suppressing
>> duplicates) .
>>
>> How can I  track down this ?
>>
>>
>> Thanks  for your time
> 
> Dovecot documentation says: "For more complex applications, the
> duplicate test can also use the content of a specific header field or
> other parts of the message."
> https://wiki.dovecot.org/Pigeonhole/Sieve/Extensions/Duplicate
> 
> I couldn't find a specific example, but maybe the dovecot list is a better
> place to ask. It might be possible to detect duplicates using different
> headers. Anyway, just Message-ID might not be a perfect solution.
> 
> If I understand your issue correctly, I think that I have the same
> problem: the user is a part of an alias office@ and he gets
> duplicates of all mails sent to him and copied to office@.
> 
> So office@ -> guy1@, guy2@. If the e-mail is addressed to guy1@, office@
> then Guy1 gets two copies and Guy2 only one. Often this e-mail is sent
> in two different SMTP sessions so I don't see any possibility that
> Postfix can catch that.
> 
> It's not a big deal so I have never looked into that but now I might.
> The problem with using solely Message-ID is that off-list replies will
> be matched with list-replies and I don't want that. Don't know if there
> are any other possible side-effects of basically discarding the same
> Message-ID going to the same user in some finite timeframe.
> 
Also, in the scenario I described, adding Message-ID by Postfix won't help
you, as I think it will add different message-ids if the e-mail arrives in
two SMTP sessions (like from Gmail, for example).



Re: Message-ID

2018-01-27 Thread Karol Augustin
On 2018-01-27 17:24, CP wrote:
> On 01/27/2018 02:05 PM, Matus UHLAR - fantomas wrote:
>>>> On 27.01.18 11:16, CP wrote:
>>>>> I'm trying to eliminate a problem with duplicate emails in alias
>>>>> expansion and I have seen that some (local generated and SMTP also)
>>>>> messages don't have the Message-ID header .
>>
>> I should add that such duplicity should not happen when using aliases. Also, 
>> it may happen that two people get different copies of the same mail
>> (e.g. from this list).
>>
>> Are you sure your duplicities can't be fixed other way?
> 
> In what way ? check alias expansion ?
> 
> The thing is  I have some groups say group1 group2 and group3
> 
> there may be users  that are part of only one group but there are
> others that maybe in all groups .
> Until I implemented lmtp and duplicate suppression from it (dovecot) a
> user who was in all 3 groups
> would receive the message 3 times (and if sent to his own email
> address 4 !)  The problem persists
> even with lmtp and messages that don't have Message-ID in the header ( I
> guess this is the criteria for suppressing
> duplicates) .
> 
> How can I  track down this ?
> 
> 
> Thanks  for your time

Dovecot documentation says: "For more complex applications, the
duplicate test can also use the content of a specific header field or
other parts of the message."
https://wiki.dovecot.org/Pigeonhole/Sieve/Extensions/Duplicate

I couldn't find a specific example, but maybe the dovecot list is a better
place to ask. It might be possible to detect duplicates using different
headers. Anyway, just Message-ID might not be a perfect solution.

If I understand your issue correctly, I think that I have the same
problem: the user is a part of an alias office@ and he gets
duplicates of all mails sent to him and copied to office@.

So office@ -> guy1@, guy2@. If the e-mail is addressed to guy1@, office@
then Guy1 gets two copies and Guy2 only one. Often this e-mail is sent
in two different SMTP sessions so I don't see any possibility that
Postfix can catch that.

It's not a big deal so I have never looked into that but now I might.
The problem with using solely Message-ID is that off-list replies will
be matched with list-replies and I don't want that. Don't know if there
are any other possible side-effects of basically discarding the same
Message-ID going to the same user in some finite timeframe.

Karol





Re: canonical based on login name

2018-01-22 Thread Karol Augustin
On 2018-01-20 16:08, Joris (ideeel) wrote:
> hi list
> 
> I run a webservice (and a mail service). All websites run under the
> same UID of apa...@webserver.domain.com. I know, not ideal, but i
> cannot change that bit. Problem is that if one site gets hacked, user
> apache starts sending spam with no way to figure out which website is
> misbehaving. Thus we are going to enforce websites to use SASL-auth.
> 
> Now the remaining problem is that, even with SMTP-auth, the MAIL FROM
> username sometimes is still apache. I know gmail rewrites the envelope
> sender and the header sender based on the login name, but I have not
> been able to find how to do this in postfix (canonical_classes does
> not seem to help me here). I cannot really reject the mail using
> reject_authenticated_sender_login_mismatch because the mails will be
> sent back to the apache user with again no knowledge of the true
> sender.

Maybe I am missing something, but if you force different SASL auth
for each website you will have the offending username in the logs.


> 
> hope you can give me some pointers or documentation how I can solve this :)
> 
> best
> Joris


I had exactly the same problem when one of the websites I was hosting got
hacked, and I also wanted to prevent the situation where my user is hacked
(malware) and starts sending emails with a matching envelope sender but
a forged From header. I ended up using vrfydmn like this:

/usr/bin/python /usr/local/sbin/vrfydmn -F -u vrfydmn -g vrfydmn -s inet:10072@127.0.0.1 -p /var/run/vrfydmn/vrfydmn.pid

I reject emails from users that try to send them with an envelope sender
that they don't own, so in my case Postfix makes sure that the
envelope sender is OK (reject_sender_login_mismatch), and then vrfydmn
makes sure that From: matches.

In your case you can (apparently) force PHP to use a fixed envelope-from
address. Then you can use this milter to fix the From: address. Have a look,
it might be what you need.


https://github.com/croessner/vrfydmn

Karol




Re: reject_unknown_client_hostname when nameserver is unreachable

2016-11-02 Thread Karol Augustin

On 02/11/16 09:25, Karel wrote:

> Hello,
> 
> I am using the following smtpd_client_restriction:
> 
>   reject_unknown_client_hostname
> 
> Now, both my nameservers were offline, and postfix could not resolve IP
> addresses and thus rejected all hosts:
> 
>   NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 450 4.7.1 Client host
> rejected: cannot find your hostname, [x.x.x.x]
> 
> I know that unreachable nameservers are a problem of their own, and that
> it should not happen. But still, is there anything I can do in Postfix
> to mitigate this, should it happen again?
> 
> thanks,
> Karel



According to the documentation

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
http://www.postfix.org/postconf.5.html#unknown_client_reject_code

''' The reply is always 450 in case the address->name or name->address 
lookup failed due to a temporary problem. '''


So it looks like it is not configurable behavior. As you admit that the no-DNS 
situation is bad on its own, why do you want to accept-by-default 
all e-mail instead of deferring it? It makes little sense to me, as in 
that scenario most of the anti-spam and anti-fraud systems are down 
(RBLs, DKIM, DMARC, FCrDNS checks etc.), so you will be accepting pretty 
much all the garbage that hits you.


I would rather 450 all mail by default if no resolvers are available, as 
no mail should be lost if you fix that soon enough.



k.




Re: WoSign/StartCom CA in the news

2016-09-28 Thread Karol Augustin

On 28/09/16 09:25, li...@lazygranch.com wrote:

> I don't want to take this thread off course, but suggestions for low cost certs 
> would be appreciated. I don't like how Let's Encrypt works, else that would be 
> the obvious solution.
> 
> When Symantec first announced that they would compete with Let's Encrypt, I 
> signed up with them. But it looks like their free cert program is more like you 
> need to recruit customers for them.



I have paid ~$13/yr for three year RapidSSL through 
https://www.rapidsslonline.com/


I have been using RapidSSL for many years with no problems at all. Now it has been 
acquired by Symantec, so I wouldn't expect any issues.



Best,
Karol

