Trouble setting up SASL authentication with postfix

2008-09-30 Thread Lists

Hi all,

Not sure if this is the right place to post, apologies if it is not.

This is my first MailScanner / Postfix install - on CentOS 5.2

I have attempted to set up SMTP authentication using SASL following 
various tutorials.

When I attempt to authenticate I get the following error:
pam_succeed_if(smtp:auth):error retrieving information about user test

I have been searching the net for a couple of hours but haven't been able 
to get it to work.


Any help would be greatly appreciated.

Cheers
Kate



Re: Trouble setting up SASL authentication with postfix

2008-09-30 Thread Lists

Hi, here is my postconf -n output (I have changed the domain, hostname and relay IP).

I have attached the output from saslfinger -s.
Thanks
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
local_transport = local
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.co.nz
myhostname = box.domain.co.nz
mynetworks = 192.168.1.88
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = hash:/etc/postfix/relay_domains
relayhost = IP OF RELAY
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination, 
check_policy_service unix:/var/spool/postfix/postgrey/socket

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Sahil Tandon wrote:

Lists <[EMAIL PROTECTED]> wrote:

  

Not sure if this is the right place to post, apologies if it is not.

This is my first MailScanner / Postfix install - on CentOS 5.2

I have attempted to set up SMTP authentication using SASL following 
various tutorials.

When I attempt to authenticate I get the following error:
pam_succeed_if(smtp:auth):error retrieving information about user test

I have been searching the net for a couple of hours but haven't been able to 
get it to work.



Start here:

http://www.postfix.org/DEBUG_README.html#mail
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
http://www.postfix.org/SASL_README.html

Give more information; at least the output of 'postconf -n' and
saslfinger.

  



saslfinger - postfix Cyrus sasl configuration Wed Oct  1 14:42:58 NZDT 2008
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.3.3
System: CentOS release 5.2 (Final)

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x001f8000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname


-- listing of /usr/lib/sasl --
total 56
drwxr-xr-x  2 root root  4096 Oct  1 09:07 .
drwxr-xr-x 68 root root 36864 Oct  1 10:02 ..
-rw-r--r--  1 root root47 Aug 15 09:06 smtpd.conf

-- listing of /usr/lib/sasl2 --

Re: Trouble setting up SASL authentication with postfix

2008-10-02 Thread Lists

Hi Patrick,

I want a single username and password to be used for all people sending 
through this install.

Which method would be best for this?

Kate

Patrick Ben Koetter wrote:

* Lists <[EMAIL PROTECTED]>:
  

Not sure if this is the right place to post, apologies if it is not.

This is my first MailScanner / Postfix install - on CentOS 5.2

I have attempted to set up SMTP authentication using SASL 
following various tutorials.

When I attempt to authenticate I get the following error:
pam_succeed_if(smtp:auth):error retrieving information about user test



You are using the saslauthd daemon to connect via PAM to a password backend.
If the backend is the local shadow file, reconfigure saslauthd to use "shadow"
as method and not "pam".
If you need to use PAM to access credentials in e.g. a MySQL database, then
you need to fix your PAM setup /etc/pam.d/smtp.
Use the "testsaslauthd" command to test saslauthd SASL authentication. Proceed
to Postfix and mail clients only if testsaslauthd succeeds. A typical
testsaslauthd call using PAM looks like this:

$ testsaslauthd -s smtp -r /path/to/saslauthd/socket -u test -p password

[EMAIL PROTECTED]




  
I have been searching the net for a couple of hours but haven't been 
able to get it to work.



Start here:

http://www.postfix.org/DEBUG_README.html#mail
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
http://www.postfix.org/SASL_README.html

Give more information; at least the output of 'postconf -n' and
saslfinger.

  
  



  

-- content of /usr/lib/sasl/smtpd.conf --
pwcheck_method: saslauthd
saslauthd_version: 2

-- content of 

Re: Trouble setting up SASL authentication with postfix

2008-10-02 Thread Lists

Thanks for the suggestions, sounds like a good idea.
Which method is the simplest to implement and get up and running?
I am running MailScanner, Postfix, Spamassassin.



Patrick Ben Koetter wrote:

* Lists <[EMAIL PROTECTED]>:
  

Hi Patrick,

I want a single username and password to be used for all people sending  
through this install.

Which method would be best for this?



Any method as long as you only create one user and use that for all mail
clients, but I totally agree with Victor: You don't want to do that.

If you want to simplify things, consider using the main mail address as
username. That makes one thing less your users will have to think about.

They will have to provide their credentials to the mail client anyway, if they
want to be able to pick up mail (POP/IMAP). Almost all clients support an
optional switch that will let the client reuse these credentials for SMTP
Authentication.

Use the same password backend for SMTP/POP/IMAP.

[EMAIL PROTECTED]



  

Kate

Patrick Ben Koetter wrote:
    

* Lists <[EMAIL PROTECTED]>:
  
  

Not sure if this is the right place to post, apologies if it is not.

This is my first MailScanner / Postfix install - on CentOS 5.2

I have attempted to set up SMTP authentication using SASL 
following various tutorials.

When I attempt to authenticate I get the following error:
pam_succeed_if(smtp:auth):error retrieving information about user test



You are using the saslauthd daemon to connect via PAM to a password backend.
If the backend is the local shadow file, reconfigure saslauthd to use "shadow"
as method and not "pam".
If you need to use PAM to access credentials in e.g. a MySQL database, then
you need to fix your PAM setup /etc/pam.d/smtp.
Use the "testsaslauthd" command to test saslauthd SASL authentication. Proceed
to Postfix and mail clients only if testsaslauthd succeeds. A typical
testsaslauthd call using PAM looks like this:

$ testsaslauthd -s smtp -r /path/to/saslauthd/socket -u test -p password

[EMAIL PROTECTED]




  
  
I have been searching the net for a couple of hours but haven't 
been able to get it to work.



Start here:

http://www.postfix.org/DEBUG_README.html#mail
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
http://www.postfix.org/SASL_README.html

Give more information; at least the output of 'postconf -n' and
saslfinger.


  


  
  


Re: Trouble setting up SASL authentication with postfix

2008-10-05 Thread Lists
We connect the spam machine through to a MailEnable email program that 
handles both the POP and IMAP.
I will have a go at using sasldb. Thanks for the explanation of the 
different methods; it helps a lot.


Cheers
Kate

Patrick Ben Koetter wrote:

* Lists <[EMAIL PROTECTED]>:
  

Thanks for the suggestions, sounds like a good idea.
Which method is the simplest to implement and get up and running?



Depends on the POP/IMAP you want to use. If you use Cyrus IMAP, then sasldb
will probably be the simplest thing you can do.

If you want to use Courier IMAP you can use authdaemond as SASL password
verification service along with any backend Courier IMAP uses.

If you choose Dovecot, you may want to drop Cyrus SASL in favor of Dovecot
SASL support in Postfix. It will use any backend Dovecot uses.

In any case - if you want login names in [EMAIL PROTECTED] style - you need
a backend that allows such notation. Such a backend would be a MySQL,
PostgreSQL, SQLite database, the sasldb database or an LDAP server, which you
could contact either using saslauthd or the ldapdb plugin.

Out of all of those sasldb is the simplest in combination with Cyrus IMAP.
For all the others it is probably MySQL (depending on how much you know about
that product). Be aware that if you use any SQL or LDAP backend in
combination with Cyrus SASL, passwords need to be stored in cleartext or
authentication will not work. This is due to the mechanisms that are used in
combination with those backends and what these mechanisms require.

[EMAIL PROTECTED]




  

I am running MailScanner, Postfix, Spamassassin.



Patrick Ben Koetter wrote:
    

* Lists <[EMAIL PROTECTED]>:
  
  

Hi Patrick,

I want a single username and password to be used for all people 
sending  through this install.

Which method would be best for this?



Any method as long as you only create one user and use that for all mail
clients, but I totally agree with Victor: You don't want to do that.

If you want to simplify things, consider using the main mail address as
username. That makes one thing less your users will have to think about.

They will have to provide their credentials to the mail client anyway, if they
want to be able to pick up mail (POP/IMAP). Almost all clients support an
optional switch that will let the client reuse these credentials for SMTP
Authentication.

Use the same password backend for SMTP/POP/IMAP.

[EMAIL PROTECTED]



  
  

Kate

Patrick Ben Koetter wrote:



* Lists <[EMAIL PROTECTED]>:

  

Not sure if this is the right place to post, apologies if it is not.

This is my first MailScanner / Postfix install - on CentOS 5.2

I have attempted to set up SMTP authentication using SASL 
following various tutorials.

When I attempt to authenticate I get the following error:
pam_succeed_if(smtp:auth):error retrieving information about user test



You are using the saslauthd daemon to connect via PAM to a password backend.
If the backend is the local shadow file, reconfigure saslauthd to use "shadow"
as method and not "pam".
If you need to use PAM to access credentials in e.g. a MySQL database, then
you need to fix your PAM setup /etc/pam.d/smtp.
Use the "testsaslauthd" command to test saslauthd SASL authentication. Proceed
to Postfix and mail clients only if testsaslauthd succeeds. A typical
testsaslauthd call using PAM looks like this:

$ testsaslauthd -s smtp -r /path/to/saslauthd/socket -u test -p password

[EMAIL PROTECTED]





  
I have been searching the net for a couple of hours but 
haven't been able to get it to work.



Start here:

http://www.postfix.org/DEBUG_README.html#mail
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
http://www.postfix.org/SASL_README.html

Give more information; at least the output of 'postconf -n' and
saslfinger.

  
  



  


query re setup

2008-10-06 Thread Lists

Hi,

I have got dovecot set up as the postfix SMTP authentication now YAY - 
man, it's cool!

Just wanted to check if my setup was good practice.

I have it authenticating against a MySQL database (the MailEnable MySQL db) 
with passwords stored as plain text.

Is this ok?

The passwd-file is to allow for backward compatibility with the single 
username and password that some of our clients will still be using.


In my dovecot.conf I have:

auth default {
  mechanisms = plain login
  passdb sql {
    args = /etc/dovecot-sql.conf
  }
  userdb passwd {
  }
  passdb passwd-file {
    args = /etc/passwd.dovecot
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

cheers
Kate



Re: query re setup

2008-10-07 Thread Lists
I have spent the last couple of hours trying to get TLS working, sadly 
no luck.
When I telnet in and do STARTTLS I get the error "no server certs 
available TLS won't be enabled".
I followed the instructions on HowtoForge (the link I was given 
before was a tad over my head).

The certs are all made and in the /etc/postfix/ssl/mailserver directory

As an aside, does this require a purchased security certificate to work?
Also, to check I understand: does the client (i.e. Thunderbird) send a 
request to send to the server, which sends them back a key that gets 
'attached' to the email that is sent, which then authenticates when it 
reaches the server and is allowed to be sent? Or have I got it all wrong?


Thanks
Kate

Noel Jones wrote:

Lists wrote:

Hi,

I have got dovecot set up as the postfix SMTP authentication now YAY - 
man, it's cool!

Just wanted to check if my setup was good practice.

I have it authenticating against a MySQL database (the MailEnable MySQL 
db) with passwords stored as plain text.

Is this ok?

The passwd-file is to allow for backward compatibility with the single 
username and password that some of our clients will still be using.


In my dovecot.conf I have:

auth default {
  mechanisms = plain login
  passdb sql {
    args = /etc/dovecot-sql.conf
  }
  userdb passwd {
  }
  passdb passwd-file {
    args = /etc/passwd.dovecot
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

cheers
Kate



The above are reasonable settings for dovecot.

The PLAIN and LOGIN protocols are plain-text equivalent, so postfix 
should be configured to use TLS if you haven't done this already.  
http://www.postfix.org/TLS_README.html
To force the client to protect the password with TLS, set in postfix 
main.cf:

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

You should enable the postfix "submission" service on port 587 (and 
maybe also the deprecated "smtps" service on 465, still used by some 
Microsoft products) so your users can submit mail if their ISP blocks 
port 25.  See the commented entries in master.cf.






Re: query re setup

2008-10-07 Thread Lists

Will have a go at those instructions thanks.
I don't want to make things difficult for our clients. I like the setup 
that allows the client to use POP details to authenticate - I even 
managed to get that working ;)
What I was trying to do with TLS was to encrypt the password that gets 
sent (but I'm not sure this is even necessary).
Would it be alright to leave out TLS support? / OR / if TLS support is 
enabled, does it have to be used, or will the POP details still authenticate?


Sorry, I am getting myself horribly confused at this stage. I really 
appreciate all the assistance.


Kate

Noel Jones wrote:

Lists wrote:
I have spent the last couple of hours trying to get TLS working, 
sadly no luck.
When I telnet in and do STARTTLS I get the error "no server certs 
available TLS won't be enabled".
I followed the instructions on HowtoForge (the link I was given 
before was a tad over my head).

The certs are all made and in the /etc/postfix/ssl/mailserver directory


Undo whatever you've done and follow the "quick and dirty" 
instructions in the postfix TLS_README.

http://www.postfix.org/TLS_README.html#quick-start



As an aside, does this require a purchased security certificate to 
work?


No, self signed certificates are fine.

However, after you get everything working you might want to buy a 
certificate to make it easier on your users (assuming more than a 
small group).  I like rapidsslonline for cheap, widely accepted 
certificates, but there are others.


The only reason to buy a certificate is so your users don't have to mess 
with importing your own root certificate into their client, or to keep 
from training them to ignore "invalid certificate" errors.


Also, to check I understand: does the client (i.e. Thunderbird) send a 
request to send to the server, which sends them back a key that gets 
'attached' to the email that is sent, which then authenticates when it 
reaches the server and is allowed to be sent? Or have I got it all 
wrong?


Nothing is attached to the email, maybe you're thinking about DKIM.  
google for "how TLS works" or similar.







Re: query re setup

2008-10-08 Thread Lists

Charles Marcus wrote:

On 10/7/2008, Lists ([EMAIL PROTECTED]) wrote:
  

I like the setup that allows the client to use pop details to
authenticate - I even managed to get that working  ;)



If you're talking about pop-b4-smtp, then you should know that it is
insecure and likely to cause you trouble.

Just go with smtpauth (using sasl)... it's not hard to set up, and much
more secure.

  
I mean where the person in the mail client checks "my server requires 
authentication" and then selects "use same credentials as POP server" 
(thereby using username and password).
I set this up using dovecot. I also have saslauthd set up for the static 
username and password (that we currently use).








Re: query re setup

2008-10-08 Thread Lists

Noel Jones wrote:

Please don't top-post.  Put your answers below the text you refer to.

Lists wrote:

Will have a go at those instructions thanks.
I don't want to make things difficult for our clients. I like the 
setup that allows the client to use POP details to authenticate - I 
even managed to get that working ;)
What I was trying to do with TLS was to encrypt the password that 
gets sent (but I'm not sure this is even necessary).
Would it be alright to leave out TLS support? / OR / if TLS support 
is enabled, does it have to be used, or will the POP details still 
authenticate?


TLS encryption is a separate feature from authentication. They can be 
used individually or together.  So whether you use TLS or not doesn't 
really affect your authentication scheme.


While TLS isn't a requirement, it's very highly recommended because 
the PLAIN and LOGIN authentication methods send the username/password 
in what is essentially plain text.  Using TLS will protect the 
credentials (and all your mail content too!) from any eavesdroppers.  
While you're at it, make sure dovecot is configured to use TLS with 
POP/IMAP.


As a stopgap, you can enable the CRAM-MD5 method in the auth section 
of your dovecot.conf. Just add it to the mechanisms list and restart 
dovecot:

   mechanisms = login plain cram-md5
The cram-md5 method is not "strong" encryption, but better than 
nothing.  Clients that can use it will automatically pick it over the 
PLAIN or LOGIN methods.  Postfix will log which method a client uses.  
Note that cram-md5 only encrypts the credentials, not the whole mail 
session, so it's not a replacement for TLS.



Sorry about the top post.
I haven't managed to get TLS working; the error logs say it can't find the 
security certificates (which are there), so I will have to continue 
trying this.
Would I need to set dovecot to use TLS with POP/IMAP if dovecot isn't 
actually handling the emails (as they go through to MailEnable)?

I will add the CRAM-MD5 as suggested.

Thanks
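As an added example (not code from the thread, from Postfix or from Dovecot), a small checker for the SASL/TLS combinations Noel describes in the two replies above: it parses `postconf -n` style text and flags SMTP AUTH offered without TLS, AUTH announced before STARTTLS, a missing certificate, and a restriction list that cannot relay for authenticated clients. The weak input is trimmed from the configuration posted earlier in the thread; the hardened one adds the recommended settings, with the certificate file names under /etc/postfix/ssl/mailserver assumed.

```python
import re

# Constructed sample modelled on the 'postconf -n' output posted earlier in
# the thread (trimmed to the parameters that matter for SMTP AUTH).
WEAK_CONF = """\
mynetworks = 192.168.1.88
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
"""

# The same server with the settings recommended in the thread applied; the
# certificate and key file names under /etc/postfix/ssl/mailserver are assumptions.
HARDENED_CONF = """\
mynetworks = 192.168.1.88
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/mailserver/smtpd.pem
smtpd_tls_key_file = /etc/postfix/ssl/mailserver/smtpd.key
"""


def parse_postconf(text):
    """Parse main.cf / 'postconf -n' style text into a {name: value} dict.

    main.cf rule: a line beginning with whitespace continues the previous
    parameter's value; blank lines and '#' comments are ignored.
    """
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment
        last = name.strip()
        params[last] = value.strip()
    return params


def _yes(params, name):
    return params.get(name, "no").strip().lower() == "yes"


def audit_smtp_auth(params):
    """Check the SASL/TLS interplay discussed in the thread.

    Returns a list of (severity, message) tuples; an empty list means the
    configuration has the recommended shape.
    """
    findings = []
    if not _yes(params, "smtpd_sasl_auth_enable"):
        return findings  # no SMTP AUTH, nothing to protect
    level = params.get("smtpd_tls_security_level", "none").lower()
    if level == "none" and _yes(params, "smtpd_use_tls"):
        level = "may"  # older spelling of 'may', still honoured by Postfix 2.3
    if level == "none":
        findings.append(("high", "SMTP AUTH enabled without TLS: PLAIN and LOGIN send the password in the clear"))
    else:
        if not _yes(params, "smtpd_tls_auth_only"):
            findings.append(("medium", "AUTH is announced before STARTTLS; set smtpd_tls_auth_only = yes"))
        if not params.get("smtpd_tls_cert_file"):
            findings.append(("high", "smtpd_tls_cert_file is unset: smtpd has no certificate and will not offer STARTTLS"))
    restrictions = params.get("smtpd_recipient_restrictions", "")
    permit = restrictions.find("permit_sasl_authenticated")
    reject = restrictions.find("reject_unauth_destination")
    if permit < 0:
        findings.append(("medium", "permit_sasl_authenticated missing from smtpd_recipient_restrictions: authenticated clients cannot relay"))
    elif 0 <= reject < permit:
        findings.append(("medium", "permit_sasl_authenticated is listed after reject_unauth_destination, so outside clients are rejected first"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smtp_auth(parse_postconf(conf)) or "ok")
```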



Re: query re setup

2008-10-08 Thread Lists

Charles Marcus wrote:

On 10/8/2008, Lists ([EMAIL PROTECTED]) wrote:
  

I mean where the person in the mail client checks my server requires
authentication and then selects use same credentials as pop server
(thereby using username and password)



Ok then... just making sure... :)

  
Thanks for checking I appreciate it as I am not very confident with 
doing this stuff yet.




How to know what i'm looking at in the log file

2008-10-13 Thread Lists

Hi all,

Does anyone know where I could find information on the commonly seen 
messages in maillog so that I can begin to better understand the log file?


Many thanks
Kate



query re process of dealing with bounce

2009-11-01 Thread Lists

Hi all,

Setup is: we have a server that does the spam checking, running 
MailScanner / SpamAssassin and of course Postfix.


Mail is then delivered to a machine running MailEnable (where the boxes 
are held)


We had a situation where the MailEnable machine went down

*In the maillog of the server running postfix were:*
Oct 29 08:42:08 postfix/smtp[3619]: 37D5362E8A0: 
to=, 
relay=ipofmailenableserver[ipofmailenableserver]:25, delay=0.98, 
delays=0.93/0/0/0.05, dsn=5.7.1, status=bounced (host 
ipofmailenableserver[ipofmailenableserver] said: 550 5.7.1 Unable to 
relay for originallocalrecipi...@domain.co.nz (in reply to RCPT TO command))
Oct 29 08:42:08 postfix/cleanup[3449]: 2B11F62E8A2: 
message-id=<20091028194208.2b11f62e...@posfixserver.ourdomain>
Oct 29 08:42:08 postfix/qmgr[29235]: 2B11F62E8A2: from=<>, size=14216, 
nrcpt=1 (queue active)
Oct 29 08:42:08 postfix/bounce[4201]: 37D5362E8A0: sender non-delivery 
notification: 2B11F62E8A2

Oct 29 08:42:08 postfix/qmgr[29235]: 37D5362E8A0: removed
Oct 29 08:42:08 postfix/smtp[3619]: 2B11F62E8A2: 
to=, 
relay=ipofmailenableserver[ipofmailenableserver]:25, delay=0.05, 
delays=0/0/0/0.04, dsn=5.7.1, status=bounced (host 
ipofmailenableserver[ipofmailenableserver] said: 550 5.7.1 Unable to 
relay for originallocalsen...@domain.co.nz (in reply to RCPT TO command))

Oct 29 08:42:08 postfix/qmgr[29235]: 2B11F62E8A2: removed

Neither the original recipient nor the original sender received 
notification that there was a problem or any form of bounce message. The 
original recipient also never received the email.


My question is what happened to the email and the bounces, and how can I 
change the setup so that if this occurred in the future (i.e. the spam 
checking server can't communicate with the MailEnable server) mail does 
not disappear?


Thanks
Kate



Re: query re process of dealing with bounce

2009-11-04 Thread Lists

Wietse Venema wrote:

Lists:
  

Hi all,

Setup is: we have a server that does the spam checking, running 
MailScanner / SpamAssassin and of course Postfix.


Mail is then delivered to a machine running MailEnable (where the boxes 
are held)


We had a situation where the MailEnable machine went down

*In the maillog of the server running postfix were:*
Oct 29 08:42:08 postfix/smtp[3619]: 37D5362E8A0: 
to=, 
relay=ipofmailenableserver[ipofmailenableserver]:25, delay=0.98, 
delays=0.93/0/0/0.05, dsn=5.7.1, status=bounced (host 
ipofmailenableserver[ipofmailenableserver] said: 550 5.7.1 Unable to 
relay for originallocalrecipi...@domain.co.nz (in reply to RCPT TO command))
Oct 29 08:42:08 postfix/cleanup[3449]: 2B11F62E8A2: 
message-id=<20091028194208.2b11f62e...@posfixserver.ourdomain>
Oct 29 08:42:08 postfix/qmgr[29235]: 2B11F62E8A2: from=<>, size=14216, 
nrcpt=1 (queue active)
Oct 29 08:42:08 postfix/bounce[4201]: 37D5362E8A0: sender non-delivery 
notification: 2B11F62E8A2

Oct 29 08:42:08 postfix/qmgr[29235]: 37D5362E8A0: removed
Oct 29 08:42:08 postfix/smtp[3619]: 2B11F62E8A2: 
to=, 
relay=ipofmailenableserver[ipofmailenableserver]:25, delay=0.05, 
delays=0/0/0/0.04, dsn=5.7.1, status=bounced (host 
ipofmailenableserver[ipofmailenableserver] said: 550 5.7.1 Unable to 
relay for originallocalsen...@domain.co.nz (in reply to RCPT TO command))

Oct 29 08:42:08 postfix/qmgr[29235]: 2B11F62E8A2: removed

Neither the original recipient nor the original sender received
notification that there was a problem or any form of bounce message. The
original recipient also never received the email.



Indeed. The original message was rejected with a permanent error
("550 5.7.1 Unable to relay"), as was the non-delivery notification.

  
My question is what happened to the email and the bounces and how can I
change the setup so that if this occurred in the future (i.e. the spam
checking server can't communicate with the MailEnable server) mail does
not disappear.



Configure the Mailenable system such that it doesn't reject mail
with a PERMANENT error for conditions that you don't consider
permanent.

You can configure the Postfix SMTP client to pretend that permanent
errors aren't permanent, but that introduces other risks.

Wietse
  
I heard back from MailEnable and it occurs when MailEnable can't access 
the boxes. This is ok and probably as it should be.
When you say I can configure Postfix SMTP client to pretend that 
permanent errors aren't permanent is this something I could change 
temporarily (say for the time the MailEnable machine is rebooting) and 
then change back?


How to stop postfix sending emails

2009-11-11 Thread Lists

Hi All,

We are doing an upgrade on the machine that holds the postboxes
(MailEnable); during the upgrade the server will need to be rebooted,
which renders the boxes unreachable.
This causes a 550 error to be sent back to our spam catching server
(running MailScanner, spamassassin and postfix).


In order to prevent the loss of emails I was going to change the postfix 
config in the following way


soft_bounce  = yes


Is this going to achieve what I need (i.e. that 550 responses are not
treated as permanent and it will try again)?


Alternatively I was considering stopping the spam server from sending 
out emails during the upgrade time but I am unsure how to alter the 
behaviour of postfix so that it receives in email but will then hold it 
in queue and not attempt to send on.


Thoughts appreciated.

Thanks
Kate


Re: How to stop postfix sending emails

2009-11-11 Thread Lists

Wietse Venema wrote:

Lists:
  

Hi All,

We are doing an upgrade on the machine that holds the postboxes
(MailEnable); during the upgrade the server will need to be rebooted,
which renders the boxes unreachable.
This causes a 550 error to be sent back to our spam catching server
(running MailScanner, spamassassin and postfix).



That is a terrible configuration error. A host outage should
never result in 5xx mail rejects.

Wietse
  
I don't love it either, but it is how MailEnable works when it can't
access the box; it responds with:
550 5.7.1 Unable to relay for originallocalsen...@domain.co.nz (in reply 
to RCPT TO command))


Hopefully the MailEnable server won't be in the state where it can't
access the boxes for long - I'm just trying to ensure no mail ends up lost.


Re: How to stop postfix sending emails

2009-11-11 Thread Lists

Eero Volotinen wrote:

Lists wrote:

Hi All,

We are doing an upgrade on the machine that holds the postboxes
(MailEnable); during the upgrade the server will need to be rebooted,
which renders the boxes unreachable.
This causes a 550 error to be sent back to our spam catching server
(running MailScanner, spamassassin and postfix).


In order to prevent the loss of emails I was going to change the 
postfix config in the following way


soft_bounce <http://www.postfix.org/postconf.5.html#soft_bounce> = yes


Is this going to achieve what I need (i.e. that 550 responses are not
treated as permanent and it will try again)?


Alternatively I was considering stopping the spam server from sending 
out emails during the upgrade time but I am unsure how to alter the 
behaviour of postfix so that it receives in email but will then hold 
it in queue and not attempt to send on.


Maybe you can tell spam filter postfix to HOLD all mails to your 
domains and then just remove hold and postsuper -H ALL ?


--
Eero

Yeah I just had a look at the postsuper -h ALL - it only seems to move
emails present in the queues at that moment to the hold bin but doesn't
put subsequent ones in there.
Is there a way for it to keep moving them until the postsuper -r ALL is
given?


warn_if_reject ignored

2010-11-12 Thread Lists

Hi guys,

Running Postfix 2.3.3-2.1.el5_2 (RHEL5.5), I have the following in main.cf:

smtpd_helo_restrictions = warn_if_reject reject_invalid_hostname 
regexp:/etc/postfix/helo.regexp


and in helo.regexp:

/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant

But for some reason, mail is still getting rejected based on the above:

Nov 12 08:37:38 post9 postfix/smtpd[20628]: NOQUEUE: reject: RCPT from 
unknown[95.58.28.18]: 550 5.7.1 <95.58.28.18>: Helo command rejected: 
Your software is not RFC 2821 compliant; from= 
to= proto=ESMTP helo=<95.58.28.18>


Is it normal for warn_if_reject not to work on some restrictions?


Along the same lines, is there a way to get warn_if_reject like 
behaviour for parameters like:


strict_rfc821_envelopes = yes
smtpd_helo_required = yes

Thanks


Re: warn_if_reject ignored

2010-11-12 Thread Lists

On 12/11/10 08:58, Ralf Hildebrandt wrote:

smtpd_helo_restrictions = warn_if_reject reject_invalid_hostname 
regexp:/etc/postfix/helo.regexp


actually means:

smtpd_helo_restrictions =
warn_if_reject reject_invalid_hostname
regexp:/etc/postfix/helo.regexp

which actually means

smtpd_helo_restrictions =
warn_if_reject reject_invalid_hostname
check_helo_access regexp:/etc/postfix/helo.regexp


Thanks Ralf, that makes sense.  I copied the original line from this
list many years ago - just noticed in postconf (5) that
reject_invalid_hostname has been replaced with
reject_invalid_helo_hostname since Postfix 2.3.


Thanks!
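
The "modifier applies only to the next restriction" rule that Ralf describes is easy to misread in a long restriction list, so here is an added example (not from the thread and not Postfix's own code) that models the evaluation order in Python. The helo.regexp entries are the two from the post, constructed inline; reject_invalid_helo_hostname is a simplified stand-in for the real check, and evaluate_helo_restrictions is an assumed model of how smtpd walks the list, not Postfix source.

```python
import re

# Constructed stand-in for /etc/postfix/helo.regexp, holding the two entries from the post.
# Postfix returns the text after the first pattern that matches.
HELO_REGEXP_MAP = [
    (re.compile(r"^[0-9.]+$"), "550 Your software is not RFC 2821 compliant"),
    (re.compile(r"^[0-9]+(\.[0-9]+){3}$"), "550 Your software is not RFC 2821 compliant"),
]

_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]+(?<!-)(\.(?!-)[A-Za-z0-9-]+(?<!-))*$")
_ADDRESS_LITERAL = re.compile(r"^\[[0-9]+(\.[0-9]+){3}\]$")


def reject_invalid_helo_hostname(helo):
    """Simplified model (an assumption, not Postfix's code): reject only names with
    bad syntax.  A bare dotted-quad such as 95.58.28.18 has valid hostname syntax,
    so it passes here; that is why the poster added the regexp map on top."""
    if _HOSTNAME.match(helo) or _ADDRESS_LITERAL.match(helo):
        return None
    return "501 5.5.2 Helo command rejected: Invalid name"


def check_helo_access(table):
    """Build a check_helo_access restriction from a regexp table (first match wins)."""
    def restriction(helo):
        for pattern, action in table:
            if pattern.search(helo):
                return action
        return None
    return restriction


def evaluate_helo_restrictions(restrictions, helo):
    """Walk a smtpd_helo_restrictions list for one HELO argument.

    Returns (action, warnings): action is the reject text of the first restriction
    that rejected, or None when every restriction returned DUNNO.  'warn_if_reject'
    modifies only the restriction immediately after it: that restriction's reject is
    logged (collected in `warnings` here) and evaluation continues.
    """
    warnings = []
    warn_next = False
    for item in restrictions:
        if item == "warn_if_reject":
            warn_next = True
            continue
        action = item(helo)
        if action is not None:
            if warn_next:
                warnings.append(f"reject_warning: <{helo}>: {action}")
            else:
                return action, warnings
        warn_next = False
    return None, warnings


# The list as posted: warn_if_reject covers reject_invalid_hostname only,
# so the regexp table still rejects for real.
AS_POSTED = ["warn_if_reject", reject_invalid_helo_hostname,
             check_helo_access(HELO_REGEXP_MAP)]

# What the poster wanted: a warn_if_reject in front of every restriction (dry run).
DRY_RUN = ["warn_if_reject", reject_invalid_helo_hostname,
           "warn_if_reject", check_helo_access(HELO_REGEXP_MAP)]

if __name__ == "__main__":
    for helo in ("95.58.28.18", "mail.example.com", "not a hostname"):
        print(helo, "as posted:", evaluate_helo_restrictions(AS_POSTED, helo))
        print(helo, "dry run:  ", evaluate_helo_restrictions(DRY_RUN, helo))
```

Running it shows the log line from the post reproduced for the AS_POSTED list (the 550 from the regexp table is a real reject), while DRY_RUN turns the same verdict into a warning and lets the session continue.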


log query

2009-05-26 Thread Lists

Hi all,
As part of my mail system I am using postgrey.

I am running Centos 5.2, MailScanner latest version with postfix and 
spamassassin


When stuff is stopped at the gate (so to speak), i.e. it doesn't even get
into the system, is there a log kept of this?

I thought it might be in the maillog file but I'm not convinced it is.

Thanks
Kate



Re: log query

2009-05-27 Thread Lists

LuKreme wrote:

On 26-May-2009, at 17:39, Lists wrote:

As part of my mail system I am using postgrey.

When stuff is stopped at the gate (so to speak), i.e. it doesn't even
get into the system, is there a log kept of this?


postgrey logs to the maillog. lines look like this:

May 26 16:27:18 mail postgrey[949]: action=greylist, reason=new, 
client_name=n21z152l106.broadband.ctm.net, 
client_address=202.86.152.106, sender=ne...@netch.kiev.ua, 
recipient=krem...@kreme.com
May 26 20:39:53 mail postgrey[949]: action=pass, reason=triplet found, 
client_name=web59008.mail.re1.yahoo.com, client_address=66.196.101.4, 
sender=agogaz...m, recipient=keym



Hi yes thanks, this is what I needed to know. We are having a problem
with someone sending into us from a Microsoft Exchange 2007 server and I
checked in my maillog file and couldn't see any information on the
connection at all. So then I started to wonder if the system could
reject it without notification.


Good to know that it does in fact log.

Many thanks for all the responses.

Kate
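
Kate's follow-up problem (a sender that never appears in the log) is easiest to chase with a small parser for the postgrey lines LuKreme quoted. The example below is added here and is not from the thread or from postgrey; the log lines it parses are constructed in the same format, with made-up hosts and addresses. history_for_client returning nothing for an IP means postgrey never saw that client, so the connection was stopped earlier by smtpd (look for its reject or connect lines) or never reached the server.

```python
import re
from collections import Counter

# Format of the lines LuKreme quoted:
#   <timestamp> <host> postgrey[<pid>]: key=value, key=value, ...
POSTGREY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postgrey\[(?P<pid>\d+)\]: (?P<fields>.*)$"
)

# Constructed sample maillog excerpt (hostnames, addresses and the reasons are made up
# to follow the format above; the smtpd line is there to show non-postgrey lines are skipped).
SAMPLE_MAILLOG = """\
May 26 16:27:18 mail postgrey[949]: action=greylist, reason=new, client_name=host1.example.net, client_address=192.0.2.10, sender=alice@example.net, recipient=bob@example.org
May 26 16:28:40 mail postfix/smtpd[1201]: connect from host1.example.net[192.0.2.10]
May 26 16:33:05 mail postgrey[949]: action=greylist, reason=early-retry (250s missing), client_name=host1.example.net, client_address=192.0.2.10, sender=alice@example.net, recipient=bob@example.org
May 26 16:38:12 mail postgrey[949]: action=pass, reason=triplet found, client_name=host1.example.net, client_address=192.0.2.10, sender=alice@example.net, recipient=bob@example.org
May 26 20:39:53 mail postgrey[949]: action=pass, reason=client whitelist, client_name=mx.example.com, client_address=198.51.100.4, sender=carol@example.com, recipient=bob@example.org
"""


def parse_postgrey_line(line):
    """Return a dict of the key=value fields, or None if this is not a postgrey line."""
    m = POSTGREY_RE.match(line)
    if not m:
        return None
    record = {"timestamp": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    for field in m.group("fields").split(", "):
        key, sep, value = field.partition("=")
        if sep:
            record[key] = value
    return record


def postgrey_records(log_text):
    """All parsed postgrey verdicts in the text, in log order."""
    return [r for r in map(parse_postgrey_line, log_text.splitlines()) if r is not None]


def summarize_actions(log_text):
    """Count verdicts by action, e.g. {'greylist': 2, 'pass': 2}."""
    return Counter(r["action"] for r in postgrey_records(log_text))


def history_for_client(log_text, client_address):
    """Every postgrey verdict for one sending IP, oldest first.  An empty list means
    postgrey never saw the client: the session ended before the policy check ran."""
    return [r for r in postgrey_records(log_text)
            if r.get("client_address") == client_address]


if __name__ == "__main__":
    print(summarize_actions(SAMPLE_MAILLOG))
    for rec in history_for_client(SAMPLE_MAILLOG, "192.0.2.10"):
        print(rec["timestamp"], rec["action"], rec["reason"])
    print("unseen client:", history_for_client(SAMPLE_MAILLOG, "203.0.113.9"))
```

To use it on a real system, read /var/log/maillog into log_text; the three-line history for 192.0.2.10 (new, early retry, triplet found) is the normal greylisting sequence for a well-behaved sender.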


Re: Rev DNS not match SMTP Banner, will it bite me ?

2011-04-09 Thread lists
> On 09.04.2011 08:44, Voytek Eymont wrote:

> however you can set
>
> smtpd_banner =
>
> in main.cf

Robert, thanks

what I'm after is, should I set banner to match real host name;
or, can I get away with using my own host name ;

will it cause problems down the road ?





migrating to new server ?

2011-04-10 Thread lists
I'm migrating virtual mail domain/users to new Postfix server,
new server setup and working, I'm altering MX to point to the new server;

I want the 'old' server to forward any new traffic over to the new server,
last time what I used was static entry in main.cf like:

transport_maps = static:smtp:new.server.tld

that doesn't seem to be doing anything for me this time..?
what do I need ?

can I do this on domain basis, individual domains at a time ?

or whole server at once ?





ot: head office/branch office mailserver howto?

2012-07-10 Thread lists
can anyone point me to any howtos if such exist: on setting up a head
office/branch office mail servers (is that correct way to name it?)


we have a mail server in Australia, the office is split up between AUS and
Asia, most of the users are in Asia, so emails from physically adjacent
users travel to Australia and back

so what I was thinking, mail server in AUS receives all emails, emails for
Asia get 'forwarded' to Asia branch mail server on premises of the branch
office, emails for AUS users stay on main server;
and, obviously, Asia/Asia emails get handled by branch mail server on the
premises

does that make sense ?

thanks for any pointers (or words of encouragements), thanks for all the
help in the past.

Voytek



Re: OT: dsbl.org queries return 'false positives'

2012-08-10 Thread lists
On Fri, August 10, 2012 11:20 pm, wolfgang wrote:
> FYI: DNS queries for *.dsbl.org currently return the IP 74.92.59.67 of
> shelob.surriel.com.
> Time to remove the discontinued RBL dsbl.org from your postfix configs
> if you haven't done so yet, see www.dsbl.org


wolfgang, thanks.

what are current 'recommended' rbl lists that people use ?

I have from long ago as below, perhaps I should revisit this:

 reject_rbl_client zen.spamhaus.org,
 reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 reject_rbl_client psbl.surriel.com,
 reject_rbl_client bl.spamcop.net,
 reject_rhsbl_sender dsn.rfc-ignorant.org,







accepting relay emails from my dynamic ip server ?

2012-08-16 Thread lists
I have a postfix mail server, 'server', all works fine

the 'old' server that was formerly used has been 'decommissioned' and is
on a NAT 192.x.x.x IP behind dynamic ADSL as a 'backup'

the old server still has its old fullyQ tld.au hostname in its config

in the backup server I've entered:

/etc/postfix/main.cf:
transport_maps = static:smtp:server.tld.au:587

should I use IP:587 instead of hostname:587 ?

what should I do on real server to make it accept all emails from this
dynamic IP ? fwiw, dynamic IP has a backup.tld.au CNAME, can that be used?

I suspect 'you are not in domain.tld' rejects from server might kick in?

thanks



correcting incorrect to address in mailq ?

2012-08-16 Thread lists
I have two email stuck in outbound queue, sender forgot to include '.au'
and has domain.tld where it should be domain.tld.au,

is there an approved way to edit/correct such errors on queued email, how ?





Re: correcting incorrect to address in mailq ?

2012-08-16 Thread lists
On Fri, August 17, 2012 7:02 am, Ralf Hildebrandt wrote:

>
> Rewrite using virtual_alias_maps, then (after you edited
> virtual_alias_maps &/ postmapped it), requeue using postsuper -r ID

Ralf,

thanks

I have it in mysql, so I would need to do like domain.tld to domain.tld.au
entry ?

as there is only two, both from same sender, might be easier to kill them
and, telephone the sender...

thanks again

# cat mysql_virtual_alias_maps.cf
user = aaa
password = xxx
hosts = 127.0.0.1
dbname = ppp
table = alias
select_field = goto
where_field = address





Re: accepting relay emails from my dynamic ip server ?

2012-08-16 Thread lists
On Fri, August 17, 2012 8:26 am, Noel Jones wrote:
> On 8/16/2012 3:43 PM, li...@sbt.net.au wrote:

> If just delivering mail for your own domain, it should still work.

> If you need to relay through the new server, you'll need to set up
> some sort of authentication -- either SASL or use private TLS certificates.
>  http://www.postfix.org/SASL_README.html
> http://www.postfix.org/TLS_README.html

Noel, thanks

so, if old_server is forwarding to port 587, that will work same as it
does for SMTP-AUTH client, yes ? (I think..?)

(old_server)
transport_maps = static:smtp:server.tld:587




Re: correcting incorrect to address in mailq ?

2012-08-16 Thread lists
On Fri, August 17, 2012 8:21 am, Noel Jones wrote:
> On 8/16/2012 4:12 PM, li...@sbt.net.au wrote:

> Your decision.  Or you can add a transport entry to fail the bad
> domain and return it to the sender. # transport
> domain.tld  error:5.1.2 try @domain.tld.au instead

Noel,

thanks, that was easy, queuegraph back to 0





CAfile question: ca-bundle.trust.crt ?

2012-08-23 Thread lists
I'm just setting up a new Postfix server with TLS on Centos 6, I've
generated self certified certificate, that all seems OK as follows:

smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key

but I'm 'missing' the CAfile part

looking at where my key/certificates are in /etc/pki/tls/certs/ I have

so, is 'ca-bundle.trust.crt' what I put in

smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt

or the ca-bundle.crt ??

/etc/pki/tls/certs/
-rw-r--r--. 1 root root 571450 Apr  8  2010 ca-bundle.crt
-rw-r--r--. 1 root root 651083 Apr  8  2010 ca-bundle.trust.crt
-rw-------. 1 root root   1155 Jun 17 14:23 localhost.crt
-r--------. 1 root root   1383 Jul  7 00:01 server.crt
-r-------- 1 root root   1094 Jul  7 00:01 server.csr
-r-------- 1 root root   1675 Jul  6 23:59 server.key


head ca-bundle.trust.crt

# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
# $RCSfile: certdata.txt,v $
# $Revision: 1.63 $


head ca-bundle.crt

# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
# $RCSfile: certdata.txt,v $
# $Revision: 1.63 $
# $Date: 2010/04/03 18:58:17 $





smtpd_tls_auth_only yes?

2012-08-23 Thread lists
setting up new Postfix 2.6.6 server on Centos 6 with SMTP AUTH

sending is only allowed with SMTP AUTH on 587

should I set  smtpd_tls_auth_only = yes ?

currently have 'no', is likely to bite me if I change to 'yes' ?





continuous attempted connection/timeouts after ehlo

2012-08-24 Thread lists
just noticed I have large increase in smtp connections, looking at logs I
noticed a single ip continuously attempting connection, searching for that
IP in maillog I see like;

is this like a mail attack..?
I blocked the IP for now, how to monitor and get warned when such
incidents happen ?

grep 203.125.143.198 /var/log/maillog | wc
   8741   78745  894728


Aug 25 14:11:36 postfix/anvil[32254]: statistics: max connection rate
80/60s for (smtp:203.125.143.198) at Aug 25 14:01:42
Aug 25 14:11:36 postfix/anvil[32254]: statistics: max connection count 11
for (smtp:203.125.143.198) at Aug 25 14:01:49
Aug 25 14:12:20 postfix/smtpd[28271]: timeout after EHLO from
lshfs01.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[28271]: disconnect from
lshfs01.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26798]: timeout after EHLO from
mailsvr.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26798]: disconnect from
mailsvr.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26647]: timeout after EHLO from
mail.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26647]: disconnect from
mail.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26802]: timeout after EHLO from
lshfs01.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26802]: disconnect from
lshfs01.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[25430]: timeout after EHLO from
mailsvr.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[25430]: disconnect from
mailsvr.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:21 postfix/smtpd[25428]: timeout after AUTH from
mail.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:21 postfix/smtpd[25428]: disconnect from
mail.elp-lsh.com.sg[203.125.143.198]


and

Aug 25 13:21:36 postfix/anvil[32254]: statistics: max connection rate
75/60s for (smtp:203.125.143.198) at Aug 25 13:21:35
Aug 25 13:21:36 postfix/anvil[32254]: statistics: max connection count 13
for (smtp:203.125.143.198) at Aug 25 13:21:33
Aug 25 13:31:36 postfix/anvil[32254]: statistics: max connection rate
82/60s for (smtp:203.125.143.198) at Aug 25 13:23:42
Aug 25 13:31:36 postfix/anvil[32254]: statistics: max connection count 13
for (smtp:203.125.143.198) at Aug 25 13:22:52
Aug 25 13:41:36 postfix/anvil[32254]: statistics: max connection rate
70/60s for (smtp:203.125.143.198) at Aug 25 13:31:53
Aug 25 13:41:36 postfix/anvil[32254]: statistics: max connection count 16
for (smtp:203.125.143.198) at Aug 25 13:32:21
Aug 25 13:51:36 postfix/anvil[32254]: statistics: max connection rate
74/60s for (smtp:203.125.143.198) at Aug 25 13:42:09
Aug 25 13:51:36 postfix/anvil[32254]: statistics: max connection count 12
for (smtp:203.125.143.198) at Aug 25 13:43:04
Aug 25 14:01:36 postfix/anvil[32254]: statistics: max connection rate
78/60s for (smtp:203.125.143.198) at Aug 25 13:57:35
Aug 25 14:01:36 postfix/anvil[32254]: statistics: max connection count 17
for (smtp:203.125.143.198) at Aug 25 13:58:35
Aug 25 14:11:36 postfix/anvil[32254]: statistics: max connection rate
80/60s for (smtp:203.125.143.198) at Aug 25 14:01:42
Aug 25 14:11:36 postfix/anvil[32254]: statistics: max connection count 11
for (smtp:203.125.143.198) at Aug 25 14:01:49







Re: continuous attempted connection/timeouts after ehlo

2012-08-25 Thread lists
On Sat, August 25, 2012 7:37 pm, Reindl Harald wrote:
> On 25.08.2012 07:09, li...@sbt.net.au wrote:

> most likely an attack
> there is no need to get notified because you can rate-control
> anvil_rate_time_unit  = 1800s smtpd_client_connection_rate_limit = 50

Reindl, thanks

how do I monitor to see if it 'kicked in' and from whom ?





Re: continuous attempted connection/timeouts after ehlo

2012-08-25 Thread lists
On Sat, August 25, 2012 7:37 pm, Reindl Harald wrote:
> On 25.08.2012 07:09, li...@sbt.net.au wrote:

> most likely an attack
> there is no need to get notified because you can rate-control
> anvil_rate_time_unit  = 1800s smtpd_client_connection_rate_limit = 50

Reindl, thanks

how do I monitor to see if it 'kicked in' and from whom ?

(sorry, hit 'send too quick)

is it a 'good idea' to firewall block such when they're from unresolvable
host like this ?

Host 50.112.115.27.in-addr.arpa. not found: 3(NXDOMAIN)

# grep "max connection rate"  /var/log/maillog
Aug 26 03:45:43 geko postfix/anvil[19189]: statistics: max connection rate
28/1800s for (smtp:27.115.112.50) at Aug 26 03:40:49
...
Aug 26 04:35:43 geko postfix/anvil[19189]: statistics: max connection rate
22/1800s for (smtp:27.115.112.50) at Aug 26 04:35:12
Aug 26 04:45:43 geko postfix/anvil[19189]: statistics: max connection rate
28/1800s for (smtp:27.115.112.50) at Aug 26 04:41:50





Re: Interim NDR

2012-08-26 Thread lists
On Sun, August 26, 2012 9:21 am, Wietse Venema wrote:
> Voytek:

> Yes, if you really want to. However I haven't used this code since
> it was written many years ago. Let me know if it still works.

Wietse,
thanks.

hmmm, I think maybe it's not the best idea... perhaps I should try a cacti
threshold trigger first, (or just keep checking queuegraph/mq)

thanks again,
Voytek



Re: continuous attempted connection/timeouts after ehlo

2012-08-26 Thread lists
On Sun, August 26, 2012 8:35 am, Reindl Harald wrote:

>> is it a 'good idea' to firewall block such when they're from
>
> depends on your business
> i tend to do so at least for some days

Reindl,

so either of the two anvil/IP log lines indicates excess, yes ?

Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection rate
15/1800s for (smtp:27.115.112.50) at Aug 27 05:59:14
Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection count 1
for (smtp:27.115.112.50) at Aug 27 05:50:26
Aug 27 06:00:03 postfix/anvil[4396]: statistics: max cache size 51 at Aug
27 05:59:47

you wouldn't happen to have a regex to pick up the offending IP ?

my new Centos came with 'csf' so might try to feed offending IPs to csf
for temp block (if I can figure out regex first)

thanks again
Voytek




Re: continuous attempted connection/timeouts after ehlo

2012-08-26 Thread lists
On Mon, August 27, 2012 6:27 am, Reindl Harald wrote:

>> Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection rate
>> 15/1800s for (smtp:27.115.112.50) at Aug 27 05:59:14
>> Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection count 1
>> for (smtp:27.115.112.50) at Aug 27 05:50:26 Aug 27 06:00:03
>> postfix/anvil[4396]: statistics: max cache size 51 at Aug
>> 27 05:59:47
>>
>
> why do you not read what you post?
>
> ONE connection from 27.115.112.50
> where do you see excess?

Reindl, thanks

sorry, doesn't this mean to warn me of 'high-er' connect rates: 15/1800s ?

"max connection rate 15/1800s "

so what do I look for in anvil output ?
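
The anvil lines in this thread are routine statistics: every reporting interval anvil logs the highest rate and concurrency it saw per client, whether or not a limit was hit, which is why "max connection count 1" and "15/1800s" are not an excess. The block below is an added example (not from the thread and not Postfix code) that parses those lines, compares the peaks against the limits Reindl suggested, and separately picks out the warning smtpd writes when a client actually trips smtpd_client_connection_rate_limit or smtpd_client_connection_count_limit. The sample log lines are constructed on one line each in the format the thread shows (the archive wrapped the originals); the exact wording of the smtpd warning and the concurrency limit of 10 are assumptions.

```python
import re

# anvil statistics lines, in the format quoted in the thread.
ANVIL_RE = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection (?P<kind>rate|count) "
    r"(?P<value>\d+)(?:/(?P<unit>\d+)s)? for \((?P<service>[^:]+):(?P<client>[^)]+)\)"
)

# The warning smtpd logs when a client really exceeds a configured limit
# (assumed wording; this is the line to alert on, not the anvil statistics).
LIMIT_EXCEEDED_RE = re.compile(
    r"warning: Connection (?P<kind>rate|concurrency) limit exceeded: (?P<value>\d+) "
    r"from (?P<client>\S+) for service (?P<service>\S+)"
)

# Constructed sample maillog excerpt built from the thread's numbers plus one smtpd warning.
SAMPLE_MAILLOG = """\
Aug 25 14:11:36 geko postfix/anvil[32254]: statistics: max connection rate 80/60s for (smtp:203.125.143.198) at Aug 25 14:01:42
Aug 25 14:11:36 geko postfix/anvil[32254]: statistics: max connection count 11 for (smtp:203.125.143.198) at Aug 25 14:01:49
Aug 25 14:11:36 geko postfix/anvil[32254]: statistics: max cache size 51 at Aug 25 14:05:47
Aug 27 06:00:03 geko postfix/anvil[4396]: statistics: max connection rate 15/1800s for (smtp:27.115.112.50) at Aug 27 05:59:14
Aug 27 06:00:03 geko postfix/anvil[4396]: statistics: max connection count 1 for (smtp:27.115.112.50) at Aug 27 05:50:26
Aug 27 06:10:03 geko postfix/smtpd[5120]: warning: Connection rate limit exceeded: 51 from unknown[203.0.113.77] for service smtp
"""


def parse_anvil_peaks(log_text):
    """Extract per-client peaks (rate per unit, or concurrent count) from anvil lines."""
    peaks = []
    for line in log_text.splitlines():
        m = ANVIL_RE.search(line)
        if m:
            unit = int(m.group("unit")) if m.group("unit") else None
            peaks.append({"client": m.group("client"), "service": m.group("service"),
                          "kind": m.group("kind"), "value": int(m.group("value")),
                          "unit_seconds": unit})
    return peaks


def clients_over_limit(log_text, rate_limit=50, count_limit=10):
    """Peaks that reached the configured limits, keyed by client IP.

    Defaults: the rate limit of 50 per anvil_rate_time_unit from Reindl's reply and an
    assumed concurrency limit of 10.  Peaks below the limit (15/1800s, count 1) are
    just anvil's routine reporting and are not returned."""
    over = {}
    for peak in parse_anvil_peaks(log_text):
        limit = rate_limit if peak["kind"] == "rate" else count_limit
        if peak["value"] >= limit:
            over.setdefault(peak["client"], []).append(peak)
    return over


def limit_exceeded_warnings(log_text):
    """smtpd's own 'limit exceeded' warnings: the definitive record that rate control
    kicked in, and the client it was applied to."""
    return [m.groupdict() for m in map(LIMIT_EXCEEDED_RE.search, log_text.splitlines()) if m]


if __name__ == "__main__":
    for client, peaks in clients_over_limit(SAMPLE_MAILLOG).items():
        for p in peaks:
            print(f"{client}: peak {p['kind']} {p['value']}"
                  + (f"/{p['unit_seconds']}s" if p["unit_seconds"] else ""))
    for w in limit_exceeded_warnings(SAMPLE_MAILLOG):
        print(f"limit hit: {w['kind']} {w['value']} from {w['client']}")
```

Feed the output of limit_exceeded_warnings (or the client keys of clients_over_limit) to whatever blocks at the firewall; the anvil peaks alone only tell you who was busiest in each interval.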




mail accepted from non-resolving host config question

2012-08-29 Thread lists
I've just received a 'open enclosed ZIP' email, looking at the header, it
was sent from non-resolving host, which I thought my Postfix should refuse

have I got something missing in my config, or am I misinterpreting logs
again ?


--
smtpd_recipient_restrictions =
 permit_sasl_authenticated,
 permit_mynetworks,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/recipient_no_checks,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_invalid_hostname,
 reject_non_fqdn_hostname,
 reject_unknown_sender_domain,
 reject_unknown_reverse_client_hostname,
 reject_unlisted_recipient,
 check_sender_access hash:/etc/postfix/freemail_access,
 check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
 check_helo_access hash:/etc/postfix/helo_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 check_client_access hash:/etc/postfix/client_checks,
 check_client_access pcre:/etc/postfix/client_checks.pcre,
 reject_rbl_client zen.spamhaus.org,
 reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 reject_rbl_client psbl.surriel.com,
 reject_rbl_client bl.spamcop.net,
 reject_rhsbl_sender dsn.rfc-ignorant.org,
 check_policy_service inet:127.0.0.1:10031,
 permit


--

header is;

Return-Path: 
Delivered-To: 
Received: from mailhost.sbt.net.au
 by mailhost.sbt.net.au (Dovecot) with LMTP id 6N2sMSGOPlD3RwAAyLbbsQ
 for ; Thu, 30 Aug 2012 07:48:56 +1000
Received: from localhost (localhost.localdomain [127.0.0.1])
 by mailhost.sbt.net.au (Postfix) with ESMTP id 33A1A380E84
 for ; Thu, 30 Aug 2012 07:48:56 +1000 (EST)
X-Virus-Scanned: amavisd-new at sbt.net.au
X-Spam-Flag: NO
X-Spam-Score: 2.616
X-Spam-Level: **
X-Spam-Status: No, score=2.616 required=5.8 tests=[BAYES_20=-0.001,
 RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_XBL=0.375, RDNS_NONE=0.793]
 autolearn=no
Received: from mailhost.sbt.net.au ([127.0.0.1])
 by localhost (mailhost.sbt.net.au [127.0.0.1]) (amavisd-new port 10024)
 with LMTP id ZEo5s1z0_GI2 for ;
 Thu, 30 Aug 2012 07:48:22 +1000 (EST)
Received: from [201.218.211.131] (unknown [201.218.211.131])
 by mailhost.sbt.net.au (Postfix) with ESMTP id 7F62338029F
 for ; Thu, 30 Aug 2012 07:48:21 +1000 (EST)
Received: from unknown (HELO vmms.mmsc.telstra.com) ([10.156.74.4])
 by hmkt8-sms-irp05.msg.in.telstra.com.au with ESMTP; Wed, 29 Aug 2012
15:48:20 -0600
From: Telstra Online 
To:
Date: Wed, 29 Aug 2012 15:48:20 -0600
Subject: Telstra Online - Your Account Balance
Message-ID: 
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="--ijbtdaw"
-
host 201.218.211.131
Host 131.211.218.201.in-addr.arpa. not found: 3(NXDOMAIN)

---
 grep KJQELG3GPVSMKV /var/log/maillog

Aug 30 07:48:22 postfix/cleanup[18366]: 7F62338029F:
message-id=
Aug 30 07:48:56 postfix/cleanup[18428]: 33A1A380E84:
message-id=
Aug 30 07:48:56 amavis[8662]: (08662-11) Passed CLEAN {RelayedInbound},
[201.218.211.131]:51624 [201.218.211.131]  ->
, Message-ID: ,
mail_id: ZEo5s1z0_GI2, Hits: 2.616, size: 26447, queued_as: 33A1A380E84,
33395 ms
Aug 30 07:48:56 dovecot: lmtp(18423, v...@dom.tld): 6N2sMSGOPlD3RwAAyLbbsQ:
msgid=: saved mail to INBOX

#  grep 7F62338029F  /var/log/maillog
Aug 30 07:48:21 postfix/smtpd[18426]: 7F62338029F:
client=unknown[201.218.211.131]
Aug 30 07:48:22 postfix/cleanup[18366]: 7F62338029F:
message-id=
Aug 30 07:48:22 postfix/qmgr[4326]: 7F62338029F:
from=, size=26447, nrcpt=1 (queue active)
Aug 30 07:48:56 postfix/lmtp[18367]: 7F62338029F: to=,
relay=127.0.0.1[127.0.0.1]:10024, delay=35, delays=1.3/0/0/33, dsn=2.0.0,
status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok:
queued as 33A1A380E84)
Aug 30 07:48:56 postfix/qmgr[4326]: 7F62338029F: removed

#  grep  33A1A380E84  /var/log/maillog
Aug 30 07:48:56 postfix/smtpd[18400]: 33A1A380E84:
client=localhost.localdomain[127.0.0.1]
Aug 30 07:48:56 postfix/cleanup[18428]: 33A1A380E84:
message-id=
Aug 30 07:48:56 postfix/qmgr[4326]: 33A1A380E84:
from=, size=27101, nrcpt=1 (queue active)
Aug 30 07:48:56 amavis[8662]: (08662-11) Passed CLEAN {RelayedInbound},
[201.218.211.131]:51624 [201.218.211.131]  ->
, Message-ID: ,
mail_id: ZEo5s1z0_GI2, Hits: 2.616, size: 26447, queued_as: 33A1A380E84,
33395 ms
Aug 30 07:48:56 postfix/lmtp[18367]: 7F62338029F: to=,
relay=127.0.0.1[127.0.0.1]:10024, delay=35, delays=1.3/0/0/33, dsn=2.0.0,
status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok:
queued as 33A1A380E84)
Aug 30 07:48:56 postfix/lmtp[18422]: 33A1A380E84: to=,
relay=mailhost.sbt.net.au[private/dovecot-lmtp], delay=0.09,
delays=0.02/0.01/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 
6N2sMSGOPlD3RwAAyLbbsQ Saved)
Aug 30 07:48:56 postfix/qmgr[4326]: 33A1A380E84: removed






Re: Interim NDR

2012-09-01 Thread lists
On Sun, August 26, 2012 9:21 am, Wietse Venema wrote:

>> Is there a way to warn postmaster/admin of such?
>> at the moment, I go 'mailq' and check queuegraph few times daily to
>> watch for potential problems, what can one do get notified of such
>> potential issues ?
>
> Yes, if you really want to. However I haven't used this code since
> it was written many years ago. Let me know if it still works.


how can I create some 'test' deferred queue emails..? that will hang
around till I don't want test anymore

I made a cacti threshold warnings of ">0 over 45 min" and ">5 over 5 min",
and, I'm trying to test it rather than wait for real problem.





Re: Interim NDR

2012-09-01 Thread lists
On Sat, September 1, 2012 8:15 pm, Ralf Hildebrandt wrote:

>> how can I create some 'test' deferred queue emails..? that will hang
>> around till I don't want test anymore
>
> send mail to someb...@hotmial.com

Ralf,

thanks, but, got 250 OK:

Sep  1 20:34:27 postfix/lmtp[4812]: 77471380B88:
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=25,
delays=0.07/0.01/0/25, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4A7AC3806E4)
Sep  1 20:34:28 postfix/smtp[4832]: 4A7AC3806E4:
to=, relay=nullmx.hotmial.com[209.181.247.105]:25,
delay=1.5, delays=0.02/0/0.7/0.74, dsn=2.0.0, status=sent (250 ok
1346495668 qp 25021)






Re: Interim NDR

2012-09-01 Thread lists
On Sat, September 1, 2012 9:00 pm, Ralf Hildebrandt wrote:


> Oh wow, somebody got that domain :(
> Currently in my queue for ages:

> gm.de zfl.org bausch-lomb.de

Ralf,

thanks for your help!
trigger worked, BUT, I was still missing notify enable, now all seems
good, get email with cacti png, this sure beats idea of diverting NDR to
postmaster, I think;
let's see how it comes out in the wash during the week:

---
An Alert has been issued that requires your attention.
Host: postfix (127.0.0.1)
URL: http://xxx//graph.php?local_graph_id=214&rra_id=1
Message: ALERT: postfix - postfix queue deferred [postfix_qdeferred]
[postfix_qdeferred] went above threshold of 5 with
6

voytek



ot: iPhone smtp setup

2012-10-22 Thread lists
I have Postfix with smtp-auth, port 587, all works good

I'm having problems setting an iPhone with smtp-auth sending, hoping some
iPhone experts can point me in correct direction

on this iPhone, under SMTP, it has 'primary' SMTP server, correct host,
port 587, SSL;
under 'additional' there are ISP SMTPs (ADSL, cellular) servers, but, all
entries are disabled, only 'primary' is enabled

Emails are retrieved OK {same host as SMTP, IMAP, SSL)

When I tried sending, sending failed, got this error on iPhone:
'copy placed in outbox,sender rejected by server'

There is no apparent log entry at the SMTP server from this attempt;

Later, after iPhone device returned 'home' the outbox email got delivered
over WiFi/ISP's SMTP

So, it seems to me, there is another SMTP entry, of ISP, that takes
precedence??

again, under SMTP, only primary server is enabled (the one I'd like to
use), other SMTP servers are disabled, but, email was delivered via ADSL
ISP's smtp server to my Postfix server

Perplexed,
Voytek



Re: ot: iPhone smtp setup

2012-10-25 Thread lists
On Wed, October 24, 2012 8:55 am, Jeroen Geilman wrote:

Jeroen, thanks

> SSL != STARTTLS, which is what postfix submission supports normally.
> Either you should choose TLS/STARTTLS here, or you need to provide an
> SMTPS (465) interface for the device to connect to.
> Postfix does not directly support SMTPS, but it can manage by using an
> SSL wrappermode.
> Regardless, any connection attempt to your postfix server will be logged.

I might be using wrong terminology, sorry

port 587 smtp auth works ok on this server, with other iPhone users as
well with Android, Outlook, TB, etc


>> There is no apparent log entry at the SMTP server from this attempt;
>>
>
> Then you're either looking at the wrong log, or looking at the log
> wrong, or the device did not connect to your postfix server.

as far as I can tell, this iPhone was not even trying to connect to
postfix server

>> Later, after iPhone device returned 'home' the outbox email got
>> delivered over WiFi/ISP's SMTP
>> So, it seems to me, there is another SMTP entry, of ISP, that takes
>> precedence??
>
> Impossible to say, but on the face of it, unlikely.
> You say you could successfully configure the device's "primary" SMTP
> connection with values that are correct for your server. It stands to
> reason that that is what it would use to send mail.
>
>> again, under SMTP, only primary server is enabled (the one i'd like to
>> use), other SMTP servers are disabled, but, email was delivered via
>> ADSL
>> ISP's smtp server to my Postfix server
>>
>
> No, the message was rejected by the server, as you said above.
> Of course, you don't indicate which server this was.

the error message didn't say, I've screenshoted it, not sure if iPhone has
some other log access one can see ?

> What happens after you connect to wifi is likely something completely
> different from what happens when you connect to a mobile broadband
> network.
>
> Read your mail server logs closely, and post the relevant lines of at
> least one entire submission attempt, if you desire further help.

the 'failed on cell, delivered later on wifi' header below, sender
name/dom and mailhost name altered:

I created the message around 9:35am, iPhone seems to have it as 9:45 (fwiw)

Return-Path: 
Delivered-To: 
Received: from mailhost.sbt.net.au
 by mailhost.sbt.net.au (Dovecot) with LMTP id ZWMHHdmXgFBDFAAAyLbbsQ
 for ; Fri, 19 Oct 2012 10:59:21 +1100
Received: from localhost (localhost.localdomain [127.0.0.1])
 by mailhost.sbt.net.au (Postfix) with ESMTP id 6A85538285A
 for ; Fri, 19 Oct 2012 10:59:21 +1100 (EST)
X-Virus-Scanned: amavisd-new mailhost at sbt.net.au
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.8 tests=[BAYES_00=-1.9,
 RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mailhost.sbt.net.au ([127.0.0.1])
 by localhost (mailhost.sbt.net.au [127.0.0.1]) (amavisd-new mailhost,
port 10024)
 with LMTP id TLIWowtuJHmr for ;
 Fri, 19 Oct 2012 10:58:53 +1100 (EST)
Received: from icp-osb-irony-out1.external.iinet.net.au
(icp-osb-irony-out1.external.iinet.net.au [203.59.1.210])
 by mailhost.sbt.net.au (Postfix) with ESMTP id 46607382834
 for ; Fri, 19 Oct 2012 10:58:53 +1100 (EST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result:
ArYIAPiWgFB8qsKC/2dsb2JhbAANOIF1BAGJCYMgtgIhZ4EWsgWTdJE6YAObb40z
X-IronPort-AV: E=Sophos;i="4.80,609,1344182400";
 d="scan'208";a="50825038"
Received: from unknown (HELO [192.168.100.106]) ([124.170.194.130])
 by icp-osb-irony-out1.iinet.net.au with ESMTP; 19 Oct 2012 07:58:51
+0800
Subject: Test
From: iPhone 
Content-Type: text/plain; charset=us-ascii
Message-Id: <7c5ba16f-9c9e-47d0-ae7b-e91c74b3e...@tld.com.au>
Date: Fri, 19 Oct 2012 09:45:51 +1100
To: Voytek 
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (iPhone Mail 8J2)
X-Mailer: iPhone Mail (8J2)


how/what should I search for in mail log ?

scrolling manually around 9:35 (the time I was attempting to submit
email) I couldn't find anything that indicated attempted access from this
user, it's possible I was looking incorrectly

but, my understanding of mail header above, it was submitted to ISP's mail
server, not postfix server, yet, the only enabled smtp I saw on iphone was
my postfix server (unless iPhone user fiddled the iPhone..?)


thanks again for any pointers
Voytek






Re: postfix and cacti (snmp ?)

2013-01-30 Thread lists

> I was lurking around for the best solution to graph postfix usage, the
> most detailed possible, in order to prevent and foresee problems.
> I'm finding sparse results, I'm not sure which one is the most current /
> complete.
> Do you have any suggestions ?

have a look at Glen's cacti stuff

http://www.pitt-pladdy.com/blog/_20091122-164951__Postfix_stats_on_Cacti_via_SNMP_/



ot: bcc smtp-auth for a user? monitoring a user's mails?

2013-01-30 Thread lists
we have a contractor given an email address for use in contacting clients,
the boss would like to bcc all his outbound mails, is there a way to bcc
all outbound emails for one user ?

(I realize he can simply change his smtp to another smtp server to
overcome this, but, that's what the boss wants...)

other suggestions to monitor emails welcomed, tia

v



unable to resolve host name issue ?

2013-03-01 Thread lists
I have postfix 2.6.6 on centos 6, in use about 1 year, no known issues

couple of weeks ago struck a problem unable to deliver email to any user
on domain "pinewood.ie" with "A record/host not found" (1):

pinewood.ie mx are on cleanmail02.cdsoft.ie/cleanmail01.cdsoft.ie

tried putting MX IP/hostname in /etc/hosts, doesn't seem to help:

host hostname segfaults (see below)
dig +trace fails (see below)

I'm not sure what to try...?
or, what to ask remote side to do/try/test ?
is this some sort of ipv4/ipv6 issue maybe ??
people at pinewood.ie tell me all's well at their end...?
telnet to ip:25 works OK

# cat hosts
127.0.0.1       localhost.localdomain   localhost4 localhost4.localdomain4 localhost
::1             localhost6 localhost6.localdomain6
89.28.178.25    cleanmail01.cdsoft.ie
89.28.178.26    cleanmail02.cdsoft.ie

trying to resolve it get:

# host cleanmail02.cdsoft.ie
;; connection timed out; trying next origin
Segmentation fault (core dumped)

dig trace fails (see below)

I can telnet to ip:25 address OK, not to hostname:25

telnet 89.28.178.25  25
Trying 89.28.178.25...
Connected to 89.28.178.25.
Escape character is '^]'.
220 Welcome To CDSofts Cleanmail02 Service - Ready to receive mail -=- ESMTP
ehlo me.com
250-Welcome To CDSofts Cleanmail02 Service - Ready to receive mail -=-
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-PIPELINING
250 8BITMIME


# telnet  cleanmail02.cdsoft.ie 25
telnet: cleanmail02.cdsoft.ie: Name or service not known
cleanmail02.cdsoft.ie: Host name lookup failure


1.
-Queue ID- --Size-- Arrival Time -Sender/Recipient---
EAB18382A0C 1272 Sat Mar  2 13:04:00  voy...@sbt.net.au
(Host or domain name not found. Name service error for
name=cleanmail02.cdsoft.ie type=A: Host not found, try again)
 x...@pinewood.ie

 dig mx pinewood.ie

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> mx pinewood.ie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61283
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pinewood.ie.   IN  MX

;; ANSWER SECTION:
pinewood.ie.        2541    IN  MX  10 cleanmail01.cdsoft.ie.
pinewood.ie.        2541    IN  MX  20 cleanmail02.cdsoft.ie.

;; Query time: 1724 msec
;; SERVER: 180.235.130.244#53(180.235.130.244)
;; WHEN: Sat Mar  2 13:21:42 2013
;; MSG SIZE  rcvd: 92

# dig a cleanmail02.cdsoft.ie +trace

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> a
cleanmail02.cdsoft.ie +trace
;; global options: +cmd
.   97783   IN  NS  b.root-servers.net.
.   97783   IN  NS  k.root-servers.net.
.   97783   IN  NS  e.root-servers.net.
.   97783   IN  NS  f.root-servers.net.
.   97783   IN  NS  h.root-servers.net.
.   97783   IN  NS  c.root-servers.net.
.   97783   IN  NS  a.root-servers.net.
.   97783   IN  NS  l.root-servers.net.
.   97783   IN  NS  m.root-servers.net.
.   97783   IN  NS  j.root-servers.net.
.   97783   IN  NS  d.root-servers.net.
.   97783   IN  NS  g.root-servers.net.
.   97783   IN  NS  i.root-servers.net.
;; Received 449 bytes from 180.235.130.244#53(180.235.130.244) in 1585 ms

ie. 172800  IN  NS  a.iedr.ie.
ie. 172800  IN  NS  b.iedr.ie.
ie. 172800  IN  NS  c.iedr.ie.
ie. 172800  IN  NS  d.iedr.ie.
ie. 172800  IN  NS  ns3.ns.esat.net.
ie. 172800  IN  NS  gns1.domainregistry.ie.
ie. 172800  IN  NS  gns2.domainregistry.ie.
ie. 172800  IN  NS  ns-ie.nic.fr.
;; Received 428 bytes from 193.0.14.129#53(193.0.14.129) in 2781 ms

cdsoft.ie.  172800  IN  NS  ns1.cdsoft-irl.net.
cdsoft.ie.  172800  IN  NS  ns2.cdsoft-irl.net.
;; Received 89 bytes from 192.93.0.4#53(192.93.0.4) in 10352 ms

;; connection timed out; no servers could be reached
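To see where a trace like the one above stops, here is an added example (not from the post) that parses `dig +trace` output and names the zone whose name servers never answered; the sample text is a trimmed, constructed copy of the trace in the post.

```python
"""Locate the delegation step at which a `dig +trace` run died.

Added example, not from the original post. It reads the textual output
of `dig +trace` and reports the last zone whose NS records were
received together with the name servers that should have answered
next. If the trace ends with "no servers could be reached" right after
a zone's NS records, the referral to that zone's name servers is what
is failing, not the root or TLD servers.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, trimmed from the trace in the post:
# root -> ie. -> cdsoft.ie. -> timeout.
SAMPLE_TRACE = """\
; <<>> DiG 9.8.2rc1 <<>> a cleanmail02.cdsoft.ie +trace
;; global options: +cmd
.   97783   IN  NS  a.root-servers.net.
.   97783   IN  NS  b.root-servers.net.
;; Received 449 bytes from 180.235.130.244#53(180.235.130.244) in 1585 ms

ie. 172800  IN  NS  a.iedr.ie.
ie. 172800  IN  NS  b.iedr.ie.
;; Received 428 bytes from 193.0.14.129#53(193.0.14.129) in 2781 ms

cdsoft.ie.  172800  IN  NS  ns1.cdsoft-irl.net.
cdsoft.ie.  172800  IN  NS  ns2.cdsoft-irl.net.
;; Received 89 bytes from 192.93.0.4#53(192.93.0.4) in 10352 ms

;; connection timed out; no servers could be reached
"""

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")
RECV_RE = re.compile(r"^;; Received \d+ bytes from (\S+) in (\d+) ms$")

Step = Tuple[str, List[str], str, int]  # (zone, ns list, answering server, ms)


def parse_trace(text: str) -> Tuple[List[Step], bool]:
    """Return the delegation steps seen and whether the trace timed out."""
    steps: List[Step] = []
    zone: Optional[str] = None
    servers: List[str] = []
    timed_out = False
    for line in text.splitlines():
        m = NS_RE.match(line)
        if m:
            zone = m.group(1)
            servers.append(m.group(2))
            continue
        m = RECV_RE.match(line)
        if m and zone is not None:
            # The "Received ... from X" line closes the referral for `zone`;
            # X is the parent's server that handed out these NS records.
            steps.append((zone, servers, m.group(1), int(m.group(2))))
            zone, servers = None, []
            continue
        if line.startswith(";; connection timed out"):
            timed_out = True
    return steps, timed_out


def diagnose(text: str) -> Optional[Dict[str, object]]:
    """Name the zone whose name servers did not respond, or None if the trace completed."""
    steps, timed_out = parse_trace(text)
    if not timed_out or not steps:
        return None
    zone, servers, src, _ = steps[-1]
    return {
        "failing_zone": zone,
        "unresponsive_ns": servers,
        "last_good_server": src,
        "slowest_step_ms": max(s[3] for s in steps),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

Entries added to /etc/hosts do not affect this lookup: Postfix resolves MX hosts through DNS only unless smtp_host_lookup also lists native, and the trace shows the failure is at the referral to cdsoft.ie's own name servers, so checking those hosts from another network or resolver is the next step.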




Re: Forwarding from a particular email address

2013-04-10 Thread lists
On Wed, 10 Apr 2013 14:06:44 +0300
"Indiana Jones"  wrote:

> How can I forward all e-mail messages sent to a particular 
> address on my domain  to another address on another domain?
> 
> What particular settings shall I add to Postfix?
> 
The easy way: you can use a dot forward (.forward) file, and put
the other address inside the dot forward file.


Re: reality-check on 2016 practical advice re: requiring inbound TLS?

2016-04-09 Thread lists
Per the DROWN mitigation, I stopped allowing sslv2 and sslv3, so I made it a 
point to read the headers and look for encryption issues. 

My conclusion is there is always "that one guy" that doesn't use encryption. In 
my case, literally one guy. Not being able to get his "regular" email to work, 
I got him to switch to gmail.

This is on my personal server. If you have customers, then each customer can 
have that "one guy", so it depends on how much time you want to sink into 
getting a third party to encrypt. 

I also made it a point to look for use of SPF and DKIM. Excluding the spammers 
that got through, nearly every user had both SPF and DKIM, but not all. One 
lacking SPF is a new business partner. The account without DKIM was a 
commercial vendor. My point here was I had considered setting up policies to 
reject email that didn't have both SPF and DKIM, but doing a survey realized 
there would be real situations where legitimate email would not get through.  
One person I know uses pobox.com, and that fails SPF. 

I think policing everyone's email set up will lead to a lot of busy work. 



  Original Message  
From: jaso...@mail-central.com
Sent: Saturday, April 9, 2016 8:47 AM
To: postfix-users@postfix.org
Subject: reality-check on 2016 practical advice re: requiring inbound TLS?

I'm setting up mandatory TLS policy for a couple of private client servers, 
using

-   smtpd_tls_security_level = may
+   smtpd_tls_security_level = encrypt

I started wondering whether it wouldn't be a bad thing to require ALL email 
delivered to my server, from anywhere, to use TLS.

Reading at

http://www.postfix.org/TLS_README.html

It warns against doing this.

You can ENFORCE the use of TLS, so that the Postfix SMTP server announces 
STARTTLS and accepts no mail without TLS encryption, by setting 
"smtpd_tls_security_level = encrypt". According to RFC 2487 this MUST NOT be 
applied in case of a publicly-referenced Postfix SMTP server. This option is 
off by default and should only seldom be used.

That RFC, though, is from January 1999

http://tools.ietf.org/html/rfc2487

and afaict has been superseded by

http://tools.ietf.org/html/rfc3207

from February 2002, which also says

"A publicly-referenced SMTP server MUST NOT require use of the
STARTTLS extension in order to deliver mail locally."

It's 14 years later, and a lot's changed in SSL usage.

Are there any later relevant RFCs that change this advice against forced TLS?

Regardless of RFC, in today's "SSL everywhere" atmosphere, is this still good, 
practical advice?

I've turned on smtpd_tls_loglevel=1, and will watch for awhile on my own 
servers.

What do you 'real world' Postfix admins see/do these days?

Jason
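The usual way to get mandatory TLS without violating RFC 3207 is to keep port 25 opportunistic and enforce encryption only on the submission port (587), where every client is one of your own. This is an added example of that split, not configuration from the thread; the service definition uses the standard master.cf column layout.

```text
# main.cf: the public MX on port 25 stays opportunistic, as RFC 3207
# requires of a publicly referenced server
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

# master.cf: the submission service on port 587 serves only your own
# users, so TLS and SASL authentication can be mandatory there
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With smtpd_tls_loglevel = 1 the port 25 log lines still show which remote servers never offer STARTTLS, which is the data needed before tightening anything further.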


Re: reality-check on 2016 practical advice re: requiring inbound TLS?

2016-04-09 Thread lists
Would a guru comment on my "interpretation" of these documents?

1) It looks to me that starttls really only protects the path to the first 
server. Classic case being sending email over the non-secure coffee shop wifi. 

2) Mail between Google/yahoo servers will enforce TLS, but other transit may 
not? My view of starttls email is this. At best, you only protect the 
endpoints. 

The snail mail analogy is you leave a message in an envelope for the mail 
carrier. That message makes it to the post office in the envelope. As the mail 
transits between post offices, some of those non-postal carriers may remove 
your envelope. The destination post office, should it find your message lacking 
an envelope, puts your message in another envelope, then delivers it.

3) I reviewed the DMARC. All my accounts have functional spf and dkim. If I set 
DMARC to quarantine, will my email at least be delivered? 

I've looked at dnssec, but it seems like I need a 2nd server to make it work. 
If not, can someone provide what they consider a good link on the topic?

My understanding is only pgp or s/mime has end to end encryption.

  Original Message  
From: Viktor Dukhovni
Sent: Saturday, April 9, 2016 2:03 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: reality-check on 2016 practical advice re: requiring inbound TLS?

On Sat, Apr 09, 2016 at 08:46:54AM -0700, jaso...@mail-central.com wrote:

> I'm setting up mandatory TLS policy for a couple of private client servers, 
> using
> 
> - smtpd_tls_security_level = may
> + smtpd_tls_security_level = encrypt
> 
> I started wondering whether it wouldn't be a bad thing to require
> ALL email delivered to my server, from anywhere, to use TLS.

Your server, your rules, but be prepared to refuse a lot of legitimate
email.

https://www.google.com/transparencyreport/saferemail/
https://www.ietf.org/proceedings/95/slides/slides-95-irtfopen-1.pdf
https://www.elie.net/publication/neither-snow-nor-rain-nor-mitm-an-empirical-analysis-of-email-delivery-security

-- 
Viktor.


Re: reality-check on 2016 practical advice re: requiring inbound TLS?

2016-04-09 Thread lists
I'm going to set the DMARC to quarantine and see what happens. I suppose I 
can always undo the DMARC to none.

Regarding dnssec, my registrar is Hover. Their faq is mighty convoluted since 
they provide a DNS server, though I use the one provided by Digital Ocean. Best 
to just get in a chat with hover and DO. 


  Original Message  
From: Curtis Villamizar
Sent: Saturday, April 9, 2016 6:32 PM
To: li...@lazygranch.com
Reply To: Curtis Villamizar
Cc: Viktor Dukhovni
Subject: Re: reality-check on 2016 practical advice re: requiring inbound TLS?

In message <20160409230701.5468245.39956@lazygranch.com>
li...@lazygranch.com writes:
> 
> Would a guru comment on my "interpretation" of these documents?

Not a guru but ...

> 1) It looks to me that starttls really only protects the path to the
> first server. Classic case being sending email over the non-secure
> coffee shop wifi.

If you are using TLS to port 587 then that is protecting the first
hop. If both your MUA (email app) and the MSA (mail submission agent)
you are talking to insist on using TLS and have some means to mutually
authenticate (such as either a client cert or mutual_auth in postfix
on the MSA end), then this is subject to MITM. Postfix does not
support validating the client cert (AFAIK - not a guru I said).

There is really no name to validate the client cert against, other
than the hostname provided in the EHLO. For the MSA that could be
useful or the MSA could have a sender to name to validate mapping and
CAfile to use. In principle, IMAP servers could do the same. But I
don't think there is much demand for that. It would mean getting
clients to put certs in the MUA.

The point of the article is that unless both ends insist on TLS then
MITM is possible. There is a lot of discussion of STARTTLS
stripping. There was not discussion of TLS downgrade attacks but
those are not as easy as STARTTLS stripping.

The focus of the paper was on the use of TLS between the MSA and the
MX of the destination domain (an MTA - mail transfer agent). That is
usually the next hop.

> 2) Mail between Google/yahoo servers will enforce TLS, but other
> transit may not? My view of starttls email is this. At best, you
> only protect the endpoints.

Google, yahoo, and many others offer STARTTLS. None require that you
use TLS or check a client cert.

> The snail mail analogy is you leave a message in an envelope for the
> mail carrier. That message makes it to the post office in the
> envelope. As the mail transits between post offices, some of those
> non-postal carriers may remove your envelope. The destination post
> office, should it find your message lacking an envelope, puts your
> message in another envelope, then delivers it.

Sort of. More like if each post office always removed the envelope
and put your mail in a new one before sending to the next post office,
sometime a transparent envelope.

> 3) I reviewed the DMARC. All my accounts have functional spf and
> dkim. If I set DMARC to quarantine, will my email at least be
> delivered?

No. It will be held and you (or some email address that is indicated
in the DMARC record) will be notified that mail for that domain is
held - typically in a daily summary for the domain.

> I've looked at dnssec, but it seems like I need a 2nd server to make
> it work. If not, can someone provide what they consider a good link on
> the topic?

You need to sign your domain RRs and then go to your domain registrar
and ask that a DS record be added for your domain. In that order.

http://www.internetsociety.org/deploy360/dnssec/
http://www.internetsociety.org/deploy360/home/content-providers/dnssec/
http://dnssec-debugger.verisignlabs.com/
https://www.dnssec-tools.org/test/

The last one has a link to a tutorial.

Also regarding DANE:

http://www.internetsociety.org/deploy360/resources/dane/
http://dane.verisignlabs.com/
https://dane.sys4.de
https://dane.sys4.de/common_mistakes

> My understanding is only pgp or s/mime has end to end encryption.

Correct. SMTP TLS is not end-to-end.

Of course to encrypt using pgp or s/mime both ends must support pgp or
s/mime which has been a problem. People within various communities of
interest use pgp or s/mime (for example, the security community) but
use is very sparse.

Curtis


> > Original Message
> > From: Viktor Dukhovni
> > Sent: Saturday, April 9, 2016 2:03 PM
> > To: postfix-users@postfix.org
> > Reply To: postfix-users@postfix.org
> > Subject: Re: reality-check on 2016 practical advice re: requiring inbound 
> > TLS?
> > 
> > On Sat, Apr 09, 2016 at 08:46:54AM -0700, jaso...@mail-central.com wrote:
> > 
> > > I'm setting up mandatory TLS policy for a couple of private client
> > > servers, using
> > > 
> > > - smtpd_tls_security_level = may
> > > + smtpd_tls_security_level = encrypt
> > > 
> > > I started wondering whether it wouldn't be a bad thing to require
> > > ALL email delivered to my server, from anywhere, to use TLS.
> > 
> > Your server, your rules, but be prepared 

Re: reality-check on 2016 practical advice re: requiring inbound TLS?

2016-04-09 Thread lists
One interesting take away is that the corporate email servers were less likely 
to have SPF and DKIM in use. On the weekends, more email was sent from home 
users who tended to use Google, Hotmail, etc., which did use SPF and DKIM. 

I will admit my original intent on getting SPF and DKIM was to get a good score 
from SpamAssassin. You would think corporate emailers would want this as well. 

This went out on hacker news a few days ago :
https://news.ycombinator.com/item?id=11396089

  Original Message  
From: Viktor Dukhovni
Sent: Saturday, April 9, 2016 7:42 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: reality-check on 2016 practical advice re: requiring inbound TLS?

On Sat, Apr 09, 2016 at 09:36:09PM -0400, Curtis Villamizar wrote:

> > https://www.google.com/transparencyreport/saferemail/
> > https://www.ietf.org/proceedings/95/slides/slides-95-irtfopen-1.pdf
> > https://www.elie.net/publication/neither-snow-nor-rain-nor-mitm-an-empirical-analysis-of-email-delivery-security
> 
> Thanks for the links. I emailed one of the authors asking why so
> little was said about DNSSEC and nothing at all about DANE.

https://www.ietf.org/mail-archive/web/uta/current/msg01458.html
https://www.youtube.com/watch?v=36WDbfKEIRI (final minutes of Q&A)
https://www.ietf.org/mail-archive/web/uta/current/msg01459.html

Short version from my perspective:

The authors seem to have STS/WebPKI tunnel-vision and appear to be
buying the party line that DNSSEC is too difficult to deploy, while
underestimating the deployment timescale for STS.

STS can only be deployed quickly between the handful of large
providers, and, on that scale, they have simpler means to exchange
the same data without new complex protocols. This is of course
much faster than deploying DANE for a substantial fraction of the
Internet.

Deployment of STS for the Internet at large is unlikely to be much
faster than doing DANE at the same scale, and DANE is less kludgey
in this space.

That said, we may well support both at some point, when STS becomes
stable enough. It need not be an either/or story.

-- 
Viktor.


Re: bad.psky.me RBL?

2016-04-10 Thread lists
When this question first arrived, I meditated on why would anyone even bother to 
set up a RBL these days, as if there aren't enough players. Some do charge for 
the service if you are a large volume user, but to charge you do need a track 
record to prove your worth. RBL seems like a not so profitable place for a 
start up.

Now a RBL does get a stream of meta data. To some degree, they know who is 
emailing to who. If you are the only user of a domain, the meta data is 
focused. I suppose that data could be sold. 

That was the limit of my "deep thinking" (cough cough).  

Regarding Digital Ocean, I'm on their VPS. I catch very sporadic hacking from 
their clients, like one every one or two months. Being a client, I report the 
incidents. But unless you are on a one month free trial account, sending spam 
or hacking from a VPS seems like a bad idea since your IP is unique. On a 
hosting company, your IP is mixed with all their clients. You get lost in the 
noise.

One of the reasons I set up a VPS was to specifically not get tarred with 
spammers on a hosting company.

I'm not so sure NameCheap implies a shady business these days. Old school 
registrars like Verisign have become like Go Daddy, so there is no premium 
neighborhood as far as I know.

  Original Message  
From: Bill Cole
Sent: Sunday, April 10, 2016 10:45 AM
To: Postfix users
Reply To: Postfix users
Subject: Re: bad.psky.me RBL?

On 6 Apr 2016, at 10:48, Quanah Gibson-Mount wrote:

> Is anyone familiar with this RBL and its quality? Not a whole lot of 
> info at <http://bad.psky.me/about/>. Terms seem probably ok 
> <http://bad.psky.me/terms/>.

Not trustable (in blackhat vs. whitehat terms: nowhere to put a hat)

1. Not clearly the responsibility of any human or corporate entity of 
any reputation of any sort.

2. They have illegitimately appropriated the "RBL" trademark originally 
registered to MAPS and still used by Trend Micro, owner of all of the 
old MAPS IP (and when last I dealt with them, even some vintage 2000 
MAPS operational assets...)

3. Bogus domain registration info.

4. Apparently reliant on a tiny number of commodity "cloud" VPS's for 
everything: web, base domain DNS, and DNSBL DNS.

5. Weird DNS formal structure. Wildcard SOA for *.bad.psky.me but no 
matching wildcard NS, which could lead to corner-case breakage, because 
they don't return NXDOMAIN for *ANY* query. Evidence of DNS 
incompetence, not what you want in a DNSBL operator.

6. Use of providers (NameCheap & Digital Ocean) that are notable as 
recently preferred providers of professional snowshoe spammers.

This doesn't mean that their data is bad, but unlike the Spamhaus lists 
or even the tragically shoddy Trend Micro versions of the RBL and other 
MAPS lists, it's clear that bad.psky.me is run by someone lacking a 
range of resources (courage, technical skills, cash, integrity, etc.) 
needed to merit trust in a DNSBL.


Re: reality-check on 2016 practical advice re: requiring inbound TLS?

2016-04-10 Thread lists
Then again, the customer service department for an item I ordered has no DKIM. 
The company is using netsuite.com as a portal.  I suppose I can try to contact 
their IT...

I found another legit emailer with SPF but no DKIM. A corporate user that is 
using a barracuda service of some sort. 

I've yet to find email from an actual person that doesn't have DKIM or SPF. It 
is the "and" that doesn't work.

One of the email verification services put me in the top 3% of servers based on 
security. At the time, I though that was nuts. But looking typical email 
headers, that might be true. 


  Original Message  
From: jaso...@mail-central.com
Sent: Sunday, April 10, 2016 4:08 PM
To: postfix-users@postfix.org
Subject: Re: reality-check on 2016 practical advice re: requiring inbound TLS?

On Sun, Apr 10, 2016, at 03:13 PM, Bill Cole wrote:
> On 9 Apr 2016, at 12:45, jaso...@mail-central.com wrote:
> 
> > I block on strict FAILs of any if SPF, DKIM or DMARC. *missing* 
> > support for those is logged, but not - yet - acted on.
> 

> as is raising the bar too high on ciphersuites.

That I'm sold on.

> This is dangerous, 

This, not so much.

> Case in point: Ditech ...

Great example & reminder.

But,

(1) I'm not an ESP
(2) If a company publishes a policy, then fails to follow it, not my problem. 
It's theirs.

Yep I know that that's gonna cost me some 'Ditech-esque' mail.

> Welcome to 2016: Sturgeon's Law remains in effect.

Unfortunately, Sturgeon -- as was Orwell -- was an optimist :-/

Jason


Re: reality-check on 2016 practical advice re: requiring inbound TLS?

2016-04-11 Thread lists
Just a quickie here on DMARC. I set one domain to "quarantine" and set up the 
rua to email me a report. Thus far, only MS Hotmail sends me anything, even 
though I have emailed yahoo accounts.  

The MS Hotmail report is in XML, which I can read in vim or whatever. I'm not 
sure what they intended me to use. 

Doing a survey of email clients with SPF and DKIM verification, I only found 
Thunderbird does this, and with a plugin.  Thunderbird is in caretaker status, 
so I don't use it. 

Thus an identification system (SPF and DKIM) had been created that mail system 
administrators are loath to strictly enforce for received email, and with no 
consequences, is only half heartedly complied with on the sending side.  
(Congrats to the interwebs for at least providing many DKIM/SPF verification 
websites.)

And if we agree (OK, some agree) that strict rejection of received email based 
on SPF and DKIM is not a good idea, you would think at least the email clients 
would make detection of these identification methods more automatic.

Hats off to programmers for providing/maintaining tools that the masses don't 
appreciate.



Re: reality-check on 2016 practical advice re: requiring inbound TLS?

2016-04-12 Thread lists
No. The report says everything is kosher. 

  Original Message  
From: Curtis Villamizar
Sent: Tuesday, April 12, 2016 10:57 AM
To: li...@lazygranch.com; postfix-users@postfix.org
Subject: Re: reality-check on 2016 practical advice re: requiring inbound TLS?

Not an expert on DMARC, but ...

On 04/12/16 01:56, li...@lazygranch.com wrote:
> Just a quickie here on DMARC. I set one domain to "quarantine" and set up the 
> rua to email me a report. Thus far, only MS Hotmail sends me anything, even 
> though I have emailed yahoo accounts.
>
> The MS Hotmail report is in XML, which I can read in vim or whatever. I'm not 
> sure what they intended me to use.

The DMARC RFC (rfc7489) indicates that this is failure reporting. That 
would imply that so far only hotmail got forged email that looked like 
it was from your domain.

If you are not getting reports from anyone else, that is a good thing. 
I don't think there is any requirement to send empty reports or that 
those reports would serve any purpose (except maybe create "I got your 
report and here is your" loops).

Curtis
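The XML mentioned above is a DMARC aggregate (rua) report in the format of RFC 7489 Appendix C. The following parser is an added example, not code from the thread; the report it reads is constructed sample data with placeholder IPs and domains.

```python
"""Summarise a DMARC aggregate (rua) report, RFC 7489 Appendix C format.

Added example. The XML below is constructed sample data shaped like the
reports large receivers send; the IPs and domains are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>Example Receiver</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1460332800</begin><end>1460419200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>7</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.23</source_ip>
      <count>3</count>
      <policy_evaluated><disposition>quarantine</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <spf><domain>example.org</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(xml_text: str) -> Dict[str, object]:
    """Reduce a report to per-source alignment results plus totals."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    out: Dict[str, object] = {
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "sources": [],
        "total": 0,
        "failed": 0,
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        # DMARC passes when at least one aligned identifier passes
        aligned = dkim == "pass" or spf == "pass"
        out["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": count,
            "dkim": dkim,
            "spf": spf,
            "disposition": ev.findtext("disposition"),
            "dmarc_pass": aligned,
        })
        out["total"] += count
        if not aligned:
            out["failed"] += count
    return out


def suspicious_sources(summary: Dict[str, object]) -> List[str]:
    """IPs that used the domain in From: but passed neither aligned check."""
    return [s["ip"] for s in summary["sources"] if not s["dmarc_pass"]]


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['reporter']} saw {s['total']} messages for {s['domain']} "
          f"(p={s['policy']}), {s['failed']} failed DMARC")
    for ip in suspicious_sources(s):
        print("  unauthorised or misconfigured source:", ip)
```

Aggregate reports list every source that used the domain in From:, passing rows included, so the rows where both checks fail are the ones to investigate (a legitimate sender that was never authorised, or mail the domain owner did not send).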



Special method required for Gmail dkim/spf verification

2016-04-12 Thread lists
Google sent me a "fail" on my DMARC.  Everyone else seems happy. It turns out 
much like Google not accepting robots.txt for some search engines controls, 
they expect special fields in their DNS.

https://support.google.com/mail/answer/6227174

Why? Because we're Google and we can.



Re: Special method required for Gmail dkim/spf verification

2016-04-13 Thread lists
Yesterday's Google report had me passing. Could be related to adding the Google 
term to DNS.


  Original Message  
From: Tom Hendrikx
Sent: Wednesday, April 13, 2016 12:38 AM
To: postfix-users@postfix.org
Subject: Re: Special method required for Gmail dkim/spf verification



On 13-04-16 01:54, li...@lazygranch.com wrote:
> Google sent me a "fail" on my DMARC. Everyone else seems happy. It
> turns out much like Google not accepting robots.txt for some search
> engines controls, they expect special fields in their DNS.
> 
> https://support.google.com/mail/answer/6227174

This page describes use of google's feedback loop. This has nothing to
do with spf, dkim and dmarc. It just gives you more insight into your
delivery results. Most large mailers have such a service, and they all
are specific to that party.

The additional dns records are used to verify that they give access to
the feedback loop to someone that actually owns the domain (or at least,
can add dns entries).

> 
> Why? Because we're Google and we can.
> 
You misunderstood.

Regards,
Tom


Policyd-spf and RBL white listing

2016-04-18 Thread lists
From what I can tell, if you whitelist a domain, the policyd-spf check is skipped. Now I white listed domains to stop the RBL from blocking them, but it would be nice to see if SPF passes. Am I right about the SPF being skipped? While I'm at it, can you whitelist specific users at a domain, that is the full email address, or only the domain itself. 


Re: Policyd-spf and RBL white listing

2016-04-19 Thread lists
On the other hand, it looks like the restrictions can be used as another way to 
whitelist, and in this case a specific user at a specific domain. Or am I 
reading this incorrectly. 

/etc/postfix/recipient_access:
    joe@my.domain       permissive
    jane@my.domain      restrictive

  Original Message  
From: Christian Kivalo
Sent: Tuesday, April 19, 2016 1:12 AM
To: postfix-users@postfix.org
Subject: Re: Policyd-spf and RBL white listing

On 2016-04-19 08:52, li...@lazygranch.com wrote:
> From what I can tell, if you whitelist a domain, the policyd-spf check
> is skipped. Now I white listed domains to stop the RBL from blocking
> them, but it would be nice to see if SPF passes.
> 
> Am I right about the SPF being skipped?
> 
> While I'm at it, can you whitelist specific users at a domain, that is
> the full email address, or only the domain itself.

You could move your RBL excludes to a restriction class

smtpd_restriction_classes = rbl_exclude1, rbl_exclude2, ...

rbl_exclude1 =
check_client_access pcre:rbl_exclude1.pcre,
reject_rbl_client zen.spamhaus.org,

smtpd_recipient_restrictions =

...

rbl_exclude1,
...

See also http://www.postfix.org/RESTRICTION_CLASS_README.html

-- 
Christian Kivalo
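A fuller version of the restriction-class idea, added here as an example rather than taken from the thread, that lets exempted senders skip only the DNSBL lookup while still passing through the SPF policy check; the access map name and the policyd-spf socket path are assumptions.

```text
# main.cf (added example; map name and policy socket path are assumed)
smtpd_restriction_classes = rbl_exempt

# Exempt senders skip the DNSBL but still get the SPF policy check.
# The class must end in permit, otherwise a DUNNO from the policy
# server falls through to reject_rbl_client below.
rbl_exempt =
    check_policy_service unix:private/policyd-spf,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/rbl_exempt_senders,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/policyd-spf

# /etc/postfix/rbl_exempt_senders (run postmap after editing);
# access(5) accepts both full addresses and whole domains as keys:
#   jane@partner.example    rbl_exempt
#   otherpartner.example    rbl_exempt
```

Because the sender address is what the map matches, an exemption keyed on a full address answers the per-user question in the post, but it is still only as trustworthy as the SPF check that follows it.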


Re: No logs between Apr 25 - 27. What happened?

2016-05-03 Thread lists
My maillog doesn't rotate. Is this an option in postfix? Trawling the interwebs, I find maillog rotation handled outside postfix with custom scripts.

  Original Message  
From: Matthias Andree
Sent: Monday, May 2, 2016 11:57 PM
To: tswmmeejsdad .; postfix-users@postfix.org
Subject: Re: No logs between Apr 25 - 27. What happened?

On 3 May 2016 06:15:55 MESZ, "tswmmeejsdad ." wrote:

Hi All,

Anyone know what I should check for to determine why logging to /var/log/mail stopped suddenly between Apr 25-27? I can see mail logs before and after those dates but nothing was logged between those dates. Mail was working fine else we would have had customers call up during those three days.

Thanks.
Andy

Check for:
- Syslog crashes
- Botched log rotation especially with compression vs. Signals (logrotate, newsyslog)
- Systemd/journal* malfunction on modern Linux 
- File system issues (skipped fsck after a crash) 
- Memory and other hw issues



Postfix penetration test

2016-05-18 Thread lists
 Any suggestions on a penetration test program that will trigger sshguard or fail2ban from the maillog? 


Re: Postfix penetration test

2016-05-18 Thread lists


  Original Message  
From: Patrick Ben Koetter
Sent: Wednesday, May 18, 2016 8:07 AM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: Postfix penetration test

* li...@lazygranch.com :
> Any suggestions on a penetration test program that will trigger sshguard
> or fail2ban from the maillog?
>

Send lots of HTML markup?

Use swaks and a script and let it send mail that is supposed to trigger the
rules.

If you need massive mail: Use mstone and let it send mail that is supposed to
trigger your rules.


p@rick



-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
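Before sending test traffic with swaks, it is worth confirming offline that the log lines Postfix actually writes match the filter that is supposed to fire on them. This is an added example, not code from the thread: the pattern is modelled on fail2ban's postfix-sasl filter (an assumption, not copied from a release) and the log excerpt is constructed.

```python
"""Check that Postfix SASL failure log lines are caught by a fail2ban-style rule.

Added example, not from the thread. The regex is modelled on fail2ban's
postfix-sasl failregex with <HOST> expanded (an assumption about the
shipped filter), and the maillog excerpt below is constructed.
"""
import re
from collections import Counter
from typing import Dict, List

SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Constructed maillog excerpt: three failures from one client, one from
# another, an unrelated connect line, and a successful login that must
# not be counted.
SAMPLE_LOG = """\
May 18 08:01:02 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 18 08:01:05 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
May 18 08:01:09 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 18 08:02:11 mx postfix/smtpd[2107]: warning: host.example[198.51.100.7]: SASL CRAM-MD5 authentication failed: authentication failure
May 18 08:02:30 mx postfix/smtpd[2107]: connect from host.example[198.51.100.7]
May 18 08:03:00 mx postfix/smtpd[2110]: 5A1B2C3D4E: client=laptop.example[192.0.2.20], sasl_method=PLAIN, sasl_username=alice
"""


def failures_by_host(log_text: str) -> Dict[str, int]:
    """Count SASL authentication failures per client IP."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def would_ban(log_text: str, maxretry: int = 5) -> List[str]:
    """Hosts whose failure count in the excerpt reaches the jail's maxretry."""
    return [h for h, n in failures_by_host(log_text).items() if n >= maxretry]


if __name__ == "__main__":
    print(failures_by_host(SAMPLE_LOG))
    print("would be banned at maxretry=3:", would_ban(SAMPLE_LOG, maxretry=3))
```

If your own maillog lines do not match here (a different syslog_name, or a custom log format), no amount of swaks traffic will trigger the jail, which is the first thing to check when a test "fails".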



Re: Postfix penetration test

2016-05-18 Thread lists
Apologies on the html mail. I wish I could make plain email the default on my 
phone. Also apologies on the blank message I just sent. I have nerve damage and 
the phone slipped enough to slide into send.




Re: OT: dnsbl.sorbs.net - help explaining to Mozilla list maintainers why outright blocking is bad

2016-06-17 Thread lists
Reading the bug report, I see they have temporarily dropped SORBS. When I set 
up my email server, SORBS turned out to be useless because of false positives. 

I see Dreamhost will give you a unique IP for $6. Kind of pricey considering a 
VPS from Digital Ocean and a few others can be had for $10. They come with a 
unique IP address.

Another alternative is to use Gmail. Either free, or you can get a paid account 
that allows more control, not to mention DKIM and SPF back to your domain.

I spent 15 years on a shared IP, getting blocked on and off. I believe there is 
no solution to being blocked as long as some spammer can use the same IP 
address. When VPS arrived, I got one and never looked back. ‎However you need 
to spend time setting it up and playing sysadmin (mostly patching) . For some 
people, the additional fee that Dreamhost charges for a unique IP is the best 
solution. 

  Original Message  
From: Tanstaafl
Sent: Friday, June 17, 2016 6:11 AM
To: postfix users
Subject: OT: dnsbl.sorbs.net - help explaining to Mozilla list maintainers why 
outright blocking is bad

Hello,

I've been experiencing an on/off again problem with my shared dreamhost
account IP block getting listed by SORBS.

The only reason I know this is because apparently the Mozilla list
maintainers have configured all of the Mozilla discussion lists to
outright BLOCK based on being listed by dnsbl.sorbs.net.

After querying where/how to request this be changed through the proper
channels, I opened a bug with respect to the list infra owners, and
explained to the best of my ability why outright blocking based on SORBS
listing is bad:

https://bugzilla.mozilla.org/show_bug.cgi?id=1280451

It was immediately closed with this response:

"SORBS is an RBL service we use, and generally when you get listed it's
actually for a reason and usually we push back and have the ISP to
request a delisting since you are placed on this list for a reason.
Looks like what you are sending is from a dreamhost IP range, are you
sending directly from a host? I would recommend using a mail relay or
you could talk to dreamhost about asking them to get delisted"

I responded requesting reconsideration, and re-opened it.

Would appreciate some help. Their lists are the only reason I ever find
out that dreamhost's IP block I'm on gets listed - none of the other 25+
lists I'm on have ever blocked because of it.


Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-26 Thread lists
That was my conclusion, but I figured to wait for a guru to comment. 

My understanding is there is a plugin for Thunderbird that checks DKIM and/or 
SPF. I no longer run Thunderbird, so I didn't pursue this. But it seems to me 
this is better handled at the client.

If someone comes up with a way to flag DKIM and SPF like SpamAssassin does, I'd 
sure like to try it. But it would have to be somewhat turnkey. 

Aren't DKIM and SPF part of your SpamAssassin score? Maybe such a flag could be 
done if you could alter the SpamAssassin score formula.


  Original Message  
From: Bill Cole
Sent: Sunday, June 26, 2016 2:53 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

On 26 Jun 2016, at 16:44, Chip wrote:

> I'm wondering if Postfix can do the following easily.

Nope, not *easily*.

> It's a real dog to get this setup in Exim.

Or Sendmail, or probably ANY MTA that isn't tightly integrated to robust 
local delivery, mailstore, and mail access subsystems OR which has a 
sophisticated flexible mechanism for arbitrary policy definition and 
enforcement. So I guess if you wrote cf-ese by hand it might be a cinch 
in Sendmail... But anyway: this is *out of scope* for a pure MTA.

[details elided]

> In other words, a database or text list of emails with corresponding 
> acceptable senders needs to be maintained and referenced for each 
> user, I believe, unless a guru here can tell me how to get the flow 
> properly.

To do this with Postfix, you need some sort of external program. The 
traditional Postfix mechanism would be a policy daemon. In modern 
Postfix you could do it in a milter such as MIMEDefang which provides a 
framework for you to create and enforce any policy that you can express 
in Perl. (which is easier than cf-ese, really...)

Within Postfix proper, I suppose you could hypothetically do this with 
restriction classes, but those don't scale well. If you had something 
checking and tagging messages for SPF & DKIM authentication in Postfix 
(e.g. any mechanism that hooks to SpamAssassin or specialized tools) you 
could then do delivery via LMTP to something like Dovecot with its 
Pigeonhole add-on and have all your per-user rules in Sieve rules.

In short: there are many different ways to skin this cat, but they all 
include the unpleasantry of skinning a cat. Ick.


Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-26 Thread lists
Well maybe. If your client supports extra folders per each mailbox and you can 
access those folders, then yes. Most clients do have such folders, but they are 
designed to be used with "filters" built in the client. The filters probably 
aren't sophisticated enough to check DKIM or SPF, which is why plugins are 
used. 

While readers of this list think filtering out email that fails ID is a great 
idea, the general public just wants the email to be delivered. 

I don't use Gmail, but I understand Google has implemented or is working on 
implementing a notification for email that fails DKIM and SPF. It would be 
interesting to get some stats on email passing both DKIM, each individually, or 
none at all. 

When I suggested a plugin for CLAWS email client to check DKIM and SPF, the 
silence was deafening.
  Original Message  
From: Chip
Sent: Sunday, June 26, 2016 4:41 PM
To: postfix-users@postfix.org
Reply To: jeffsch...@gmail.com
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

Thanks,

So it just may be easier to deliver all messages to a folder then have a 
cron job run some spf/dkim checking script against the emails.

On 06/26/2016 05:53 PM, Bill Cole wrote:
> On 26 Jun 2016, at 16:44, Chip wrote:
>
>> I'm wondering if Postfix can do the following easily.
>
> Nope, not *easily*.
>
>> It's a real dog to get this setup in Exim.
>
> Or Sendmail, or probably ANY MTA that isn't tightly integrated to 
> robust local delivery, mailstore, and mail access subsystems OR which 
> has a sophisticated flexible mechanism for arbitrary policy definition 
> and enforcement. So I guess if you wrote cf-ese by hand it might be a 
> cinch in Sendmail... But anyway: this is *out of scope* for a pure MTA.
>
> [details elided]
>
>> In other words, a database or text list of emails with corresponding 
>> acceptable senders needs to be maintained and referenced for each 
>> user, I believe, unless a guru here can tell me how to get the flow 
>> properly.
>
> To do this with Postfix, you need some sort of external program. The 
> traditional Postfix mechanism would be a policy daemon. In modern 
> Postfix you could do it in a milter such as MIMEDefang which provides 
> a framework for you to create and enforce any policy that you can 
> express in Perl. (which is easier than cf-ese, really...)
>
> Within Postfix proper, I suppose you could hypothetically do this with 
> restriction classes, but those don't scale well. If you had something 
> checking and tagging messages for SPF & DKIM authentication in Postfix 
> (e.g. any mechanism that hooks to SpamAssassin or specialized tools) 
> you could then do delivery via LMTP to something like Dovecot with its 
> Pigeonhole add-on and have all your per-user rules in Sieve rules.
>
> In short: there are many different ways to skin this cat, but they all 
> include the unpleasantry of skinning a cat. Ick.
>



Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-26 Thread lists
It does look like SpamAssassin has a SPF hook.
https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#scoring_options

  Original Message  
From: Jeffs Chips
Sent: Sunday, June 26, 2016 5:20 PM
To: li...@lazygranch.com
Cc: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

This project is not for normal email delivery but an esoteric use not usually
associated with email - can't really divulge more but I'm starting to see no
easy solution. There are spf scripts that can run against files separately from
the stuff built into spam assassin and postfix/exim etc.




Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-26 Thread lists
I'd say you are onto something.
http://www.willamowius.de/claws-spf.html

Unfortunately SPF has a very high failure rate due to remailers. But it's a
start.

  Original Message  
From: Chip
Sent: Sunday, June 26, 2016 6:28 PM
To: li...@lazygranch.com
Reply To: jeffsch...@gmail.com
Cc: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

There is dkimverify and spfquery, two command line tools that you
can run against a message in the first case and a domain with ip in
the second case.

Trivial to put in a script and run against messages for sorting.

No?


Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-26 Thread lists
I think that is in the Claws email client.

To do this filtering in postfix, you would need a "parallel" mailbox to place
the suspect messages. Then your client would just read both the good mailbox and
the bad mailbox. You would need to prevent mail going directly to the bad
mailbox, though I suppose that wouldn't be the end of the world.

To be a bit redundant here, as far as I know, your only means to flag the mail
that doesn't meet both DKIM and SPF is to do a rewrite on the subject line like
SpamAssassin does. Now if you could achieve that, then filtering in the email
client is trivial. That is, you write a very simple filter to look for a
keyword. I'd be shocked if there exists an email client that couldn't do that.
(Well maybe Pine.)

The more I think about it, doing the subject line rewrite to indicate SPF/DKIM
failure is the best approach. You could even run a rule on the very simple email
clients found on phones, or just use your eyeballs.

  Original Message  
From: Chip
Sent: Sunday, June 26, 2016 7:25 PM
To: li...@lazygranch.com
Reply To: jeffsch...@gmail.com
Cc: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

Very interesting and thanks for sending.

Now if you look at the command line, reproduced below, is that a
command line calling a file that contains the message(s) to be
examined, or is this something put in Postfix somewhere?  Pardon my
ignorance.

 To add SPF filtering, add a filter with condition

test "!(sylpheed-spf.pl -c < %F)"




Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-26 Thread lists
Well the detection and rewrite is the hard part. ;-) But now I'm convinced it is
the only solution at the server side, and really the best solution. Postfix has
so many places to hook that I bet it could be done. But in my case, someone
would have to do the dirty work. I'm not a coder.

  Original Message  
From: Chip
Sent: Sunday, June 26, 2016 7:59 PM
To: li...@lazygranch.com
Reply To: jeffsch...@gmail.com
Cc: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

Ok this is good.  But the project cannot use mail clients, only mail
servers because post processing calls other programs not related to
postfix or exim or any program similar.

Now the idea of rewriting subject is the best I've heard so far - is
there a facility in Postfix to do that based on DKIM and SPF failing
that you know of?





Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-26 Thread lists


"As a relatively simple example, I use amavisd-new and Spamassassin to
flag mail with a spam header. Then Dovecot LMTP with sieve looks for
this header and if it is present it delivers to the user's "Spam" folder."

Well this is interesting. I have a similar setup for postfix. With my desktop 
email client (Claws), the program "builds the tree" based on what I assume 
resides on the email server. So what on the server creates this spam folder? 

I'd still rather just let the client filter the message based on the header 
rewrite. Less work. 






Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-26 Thread lists
But you need Dovecot or something similar and eventually an email client, so I
don't quite follow you here. You have a client, they have filters, so just use
that filter. Now if you want to set up a system where the end user never sees
the failed email, then I would use Dovecot and Sieve. I'm imagining a corporate
scenario where email that fails ID goes to some expert to check the email,
perhaps contact the sender out of band, etc. In any event, if the hive (postfix
list users) can come up with the means to do the subject line rewrite, we can
divert on the next step of post processing. You can use Dovecot plus Sieve and
I will just use a rule in the email client.

  Original Message  
From: Chip
Sent: Sunday, June 26, 2016 7:58 PM
To: li...@lazygranch.com
Reply To: jeffsch...@gmail.com
Cc: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

Ok this is good.  But the project cannot use mail clients, only mail
servers because post processing calls other programs not related to
postfix or exim or any program similar.

Now the idea of rewriting subject is the best I've heard so far - is
there a facility in Postfix to do that based on DKIM and SPF failing
that you know of?





RBL claims I'm doing a dictionary search

2016-07-02 Thread lists
I've got this RBL https://spamrl.com/ that claims my server is doing a
dictionary search. I see nothing in the maillog. I have checked for an open
relay using an online website. No other RBLs claim my server is an issue. I am
the only user that can send email from the server. Any ideas regarding what else
to check?


Spamrl.com RBL problem

2016-07-02 Thread lists
I will start this over to get rid of the HTML mail crap. This is the bounce 
reply with some sanitizing to keep this message off of the Google bot:
 

This is the mail system at host www.mydomain.com

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

: host smx1.web-hosting.com[209.188.21.38] said: 550 The
    sending IP (my dotted quad) is listed on https://spamrl.com as a source of
    dictionary attacks. (in reply to end of DATA command)
-

Is the "in reply to end of DATA command" significant? 


Re: Spamrl.com RBL problem

2016-07-02 Thread lists
This is probably more of a freebsd question, but it seems to me that Postfix 
should be hogging (bound) to the mail ports, so if something is sending email, 
it has to be using Postfix.

I suppose modifying IPFW to log all mail port activity is also a good idea.

Wouldn't a script need to be in the rc.d to get fired up when I boot?

  Original Message  
From: Matthew McGehrin
Sent: Saturday, July 2, 2016 7:24 PM
To: Postfix users
Subject: Re: Spamrl.com RBL problem

Hello.

I would check your local system to see if you have any rogue perl 
processes running. These are generally the cause of being blacklisted 
for a dictionary attack, which implies that a script is running on your 
local server.

Generally, you can spot them by the amount of CPU time, and they try to 
mask the process id.

The end of DATA command is just the sequence at which it was denied. 
It's standard.

-- Matthew


li...@lazygranch.com wrote:
> : host smx1.web-hosting.com[209.188.21.38] said: 550 
> The
> sending IP (my dotted quad) is listed on https://spamrl.com as a source of
> dictionary attacks. (in reply to end of DATA command)
> -
>
> Is the "in reply to end of DATA command" significant? 
>
> 


Re: Spamrl.com RBL problem

2016-07-03 Thread lists
The only issue against the "dirty" IP address is for a little over a year, I 
had no problems with this RBL. My problem now is I keep clearing the block, and 
it gets reset. 

This particular RBL has a few complaints about false positives. In fact, for 
dictionary searches. However, the most recent was two years ago.

If I really had a problem with the server, you would think a few other RBLs 
would be tripped.

Regarding my web server, I run Nginx. I don't have PHP. I have no CMS. In fact, 
I don't even allow "put" in the list of commands. I just serve static pages. 

I read the error log from Nginx. I investigate any hacking activity. What I see 
is minor league stuff such as attempts to log into WordPress or php admin, 
neither of which I have. Further, I look up the IP of the hacker. If from a 
VPS, data center, or anything that isn't an ISP, I block the entire address 
space associated with the hacker. If the IP goes to an ISP, I handle it on a 
case by case basis. I don't block edu, though I have in the case of UC Berkeley 
asked their researchers not to fuzz my server.

  Original Message  
From: Ralf Hildebrandt
Sent: Sunday, July 3, 2016 10:03 AM
To: postfix-users@postfix.org
Subject: Re: Spamrl.com RBL problem

* Matthew McGehrin :
> Hello.
> 
> You're assuming that port 25 needs to be open on the local side to send 
> mail. This is not the case. There are two possibilities here.
> 
> 1. A dirty IP was assigned to your server, and that the previous owner 
> had a spam issue.

Given the shortage of IPv4 addresses, this is often the case

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: postfix 3.1.1 upgrade from 3.1.0

2016-07-03 Thread lists
FreeBSD 10.2. Both 3.1.0 and 3.1.1 were built from ports. I was running Postfix 
2 when I first set up the server. I suppose it is possible I missed this 
"change" when I did the installation of 3.1.0, but not likely.

It seems to work. What do you think this would break? 

Given this was an upgrade to email, I did a full backup prior to the upgrade. 
;-)

  Original Message  
From: Wietse Venema
Sent: Sunday, July 3, 2016 6:52 PM
To: Postfix users
Reply To: Postfix users
Subject: Re: postfix 3.1.1 upgrade from 3.1.0

li...@lazygranch.com:
> During the upgrade from postfix 3.1.0 to 3.1.1, the installation script
> issued the following:
> 
> --
> ===> Creating users
> Using existing user 'postfix'.

That must be a distro-specific script (different OSes have different
ways to add users, so my "original" Postfix installation procedure
doesn't try to do such things).

> Note: the following files or directories still exist but are
> no longer part of Postfix:
> 
> /usr/local/etc/postfix/virtual

Again, this appears to be distro-specific. The "original"
Postfix has not obsoleted the 'virtual' configuration file.

> Do I still need to do the following when adding new users?
> -
> postmap /usr/local/etc/postfix/virtual
> postmap /usr/local/etc/postfix/vmailbox
> ---
> 
> I did a few test emails and nothing seems broken.

Maybe you can reveal your OS distribution, and whether you were
building from source, from ports, or installing a pre-compiled
version. Then someone can say if you need those files.

Wietse


Re: Spamrl.com RBL problem

2016-07-04 Thread lists

"reject_unverified_sender" not used.

The VPS is 13 months old and I never ran rkhunter on it. Very lame on my part. 
However, no rootkit found. It did find some symbolic links that went nowhere 
regarding perl, which I deleted once I verified the problem was common. I also 
ran rkhunter on all linux boxes on hand.



  Original Message  
From: Bill Cole
Sent: Monday, July 4, 2016 2:22 PM
To: Postfix users
Reply To: Postfix users
Subject: Re: Spamrl.com RBL problem

On 3 Jul 2016, at 0:36, li...@lazygranch.com wrote:

> This is probably more of a freebsd question, but it seems to me that 
> Postfix should be hogging (bound) to the mail ports, so if something 
> is sending email, it has to be using Postfix.

That's not how TCP/IP or Postfix works. Postfix binds listeners to the 
*LOCAL* IP+port pairs that you tell it to listen on. Typically this 
includes at least port 25 on all local IP's and possibly port 587 on all 
local IPs. See your own master.cf for specifics...

This does not prevent other programs from using ephemerally-allocated 
*LOCAL* ports (typically <48k) to open connections to port 25 or 
587 on REMOTE addresses where other people run their MTAs on their 
machines. And of course Postfix has nothing to do with the various ports 
POP and IMAP servers can be listening on, which usually use a common 
authentication mechanism to the MTAs on the same hosts.

> I suppose modifying IPFW to log all mail port activity is also a 
> good idea.

Sure, you could do that. Correlating ipfw logging of outbound SYNs and 
Postfix logs is a... um... painful task.

One approach that is useful and much less annoying to use is to make 
your mail services use only a non-default IP address, so that most forms 
of system compromise which result in something running that is not under 
your control and tries to engage in mail naughtiness can be blocked by 
ipfw (or on Linux, iptables) rules that prohibit outbound port 
25/587/465/110/143/993/995 on the IP address that a program would use by 
default if it does not specify one when opening a socket. This can be a 
bit tricky to set up if your system is directly connected to the 
Internet with only one public IP available, but it's still possible. The 
more subtle initial configuration buys you the ability to block bad 
traffic rather than just logging it and no need to use the Postfix logs 
to sift out the legitimate outbound mail traffic from the illegitimate.

Another useful tool on FreeBSD is the "jail" mechanism. On FreeBSD I 
only run Postfix in jails that include at most only a few intimately 
related services (e.g. Dovecot, Unbound) precisely because that allows 
me to prohibit all traffic to ports 25 and 587 from other jails running 
riskier things (e.g. webservers) except to the jailed Postfix.

> Wouldn't a script need to be in the rc.d to get fired up when I boot?

Not if someone has cracked your machine in a stealthy manner. There are 
cracks which don't bother trying to make themselves permanent, they just 
hide themselves very well by running under innocent names and unlinking 
their visible locations in the filesystem. There are also FreeBSD 
rootkits which are very hard to find short of booting from immutable 
media after reflashing the BIOS.

But don't go that far quite yet... There's another possible (and more 
likely) explanation.

One thing that can make Postfix act like a "dictionary attack" bot is 
the non-default abusive misfeature "reject_unverified_sender" which 
implements what is sometimes called "SMTP Callback," verifying each 
sender by running a fake SMTP transaction that looks like a bounce 
through the point of a response to RCPT and then quitting. This is done 
synchronously during each SMTP session that offers an unknown 
RFC5321.MailFrom address. This technique sounds like a great idea until 
you consider the secondary consequences and responses outside of your 
own system. If you do SMTP callback, you make your system a public 
nuisance that actual spammers can (and eventually will) use as a 
dictionary attack proxy for discovering deliverable addresses. Sender 
address verification by SMTP callback is an example of a spam-fighting 
tactic that looked and worked great when it was first conceived, as long 
as one didn't think about the scaling effects, external reactions, and 
vulnerabilities to abuse. Postfix's implementation is arguably the least 
obnoxious in widespread use, but it remains an intrinsically problematic 
tactic.

If you're using sender address verification you should stop, 
immediately. There are spamtrap tactics in fairly widespread use for 
detecting spam sources which cannot distinguish between spammer systems 
and those doing sender address verification and whose users do not see 
any reason to make such a distinction. There are DNSBLs which are fed by 
such trap mechanisms. There are useful *non-abusive* anti-spam tactics 
which break even the least-bad implementations of sender address 
verification, c

Re: Brutal attacks

2016-07-09 Thread lists
Isn't a flood attack more likely? I would look into the rate limiting. 

I used a script to flood the server and the limiting does kick in. 

I also tried dumping random text at the mail port and it eventually makes some 
funny comment then stops listening.

There doesn't seem to be much mail server pentest programming available.



  Original Message  
From: Lefteris Tsintjelis
Sent: Saturday, July 9, 2016 8:07 AM
To: postfix-users@postfix.org
Subject: Brutal attacks

Is this a good postfix way to stall attackers (besides log parsing and 
fire walling)? Bots are increasing dramatically these days

smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
smtpd_error_sleep_time = 16s (or even more)


Re: This ought to be simple to stop. Am I missing something?

2016-07-12 Thread lists

Hopefully this won't be interpreted as thread hijacking, but can you elaborate 
on this?
---
reject_rbl_client zen.spamhaus.org=127.0.0.2,
reject_rbl_client zen.spamhaus.org=127.0.0.3,
reject_rbl_client zen.spamhaus.org=127.0.0.4,
reject_rbl_client zen.spamhaus.org=127.0.0.10,
reject_rbl_client zen.spamhaus.org=127.0.0.11,

Those are, in order: SBL(chronic spam sources), CSS(snowshoers), 
CBL(spambots), PBL(ISP-designated dynamic), and PBL(Spamhaus-determined 
dynamic)
-

So I gather some elements of "zen" are not to your liking? That is, if you 
didn't specify the return codes, zen would do all of the above and more.

The Spamhaus write up on snow shoe spam is certainly interesting. 


Postfix update on Freebsd

2016-08-24 Thread lists

I'm running Postfix 3.1.1 on Freebsd 10.2. After running portsnap, I see there 
is an update. Well sort of. Checking the postfix website, there is no update, 
and as you can see, the output from 
pkg version -v | grep postfix

postfix-3.1.1,1 < needs updating (index has 3.1.1_2,1)

the rev hasn't changed. 

Any ideas what is going on here? 


Re: Postfix update on Freebsd

2016-08-25 Thread lists
Thanks to both of you. 

Generally when I've seen these "underscore" updates, I try to recompile and the 
make file indicates there is nothing to do. But that may be because my 
configuration file doesn't use an option that caused the "underscore" to be 
added.

The Freshports page timed out, but assuming bdb is the Berkeley database, I 
will give the update a try later since I do use that database. 

Email is critical, so I'm always reluctant to fix what ain't broke! I'm on a 
VPS, so I image just in the event I can't fix the problem the update caused. 

Thus far postfix updates haven't broken anything, even going from 2 to 3. Nice 
work!  

  Original Message  
From: Łukasz Wąsikowski
Sent: Wednesday, August 24, 2016 11:29 PM
To: li...@lazygranch.com; Postfix users
Subject: Re: Postfix update on Freebsd

On 2016-08-25 at 08:09, li...@lazygranch.com wrote:

> I'm running Postfix 3.1.1 on Freebsd 10.2. After running portsnap, I see 
> there is an update. Well sort of. Checking the postfix website, there is no 
> update, and as you can see, the output from 
> pkg version -v | grep postfix
> 
> postfix-3.1.1,1 < needs updating (index has 3.1.1_2,1)
> 
> the rev hasn't changed. 
> 
> Any ideas what is going on here? 

Read here about FreeBSD ports naming schemes:
https://www.freebsd.org/doc/en/books/porters-handbook/makefile-naming.html

And here you can check what caused PORTREVISION bump:
http://www.freshports.org/mail/postfix/ (look at commit history)

Change from 3.1.1,1 to 3.1.1_2,1 was caused by cleanup of bdb port (so
postfix had to be recompiled) and patch for building with libressl-devel.

-- 
best regards,
Lukasz Wasikowski


Re: newbie department

2016-08-25 Thread lists

This seems counterintuitive. So I am better off having a catch-all account 
that random emailers will fill up than not having one?

I know the postfix has a rate limiter. Isn't that enough to deter attacks?

"If the message is 5xx'd at the edge, that tells the ATTACKER that you do
NOT have a catch-all address, and the real attack will commence almost
immediately. And in earnest."
  Original Message  
From: Michael J Wise
Sent: Thursday, August 25, 2016 10:22 AM
To: postfix users
Subject: Re: newbie department


> On 8/25/2016 9:59 AM, Glenn English wrote:
>> Why do I get mail to names like dcpczy3foku+gcyvikdnlcei?
>>
>> They're not a lot of them, but they show up every few days, and I can't
>> think why anybody'd do this. At first I thought somebody was trying to
>> access their bot, but Postfix rejects them after a quick look at
>> /etc/passwd...

> That's probably a Message-ID: some spammer scraped from the
> internet. Not really worth any action from you...

No. It's Not.

Here's the deal.
It's a test of your mail system.

If the message is 250'd at the edge, that tells the attacker that you have
a catch-all, and address harvesting is pointless. But they might come back
tomorrow to see if you've changed your mind.

If the message is 5xx'd at the edge, that tells the ATTACKER that you do
NOT have a catch-all address, and the real attack will commence almost
immediately. And in earnest.

Aloha mai Nai`a.
-- 
" So this is how Liberty dies ... http://kapu.net/~mjwise/
" To Thunderous Applause.
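
Michael's point is that a single 5xx to a random local part is a probe and the dictionary run follows it. The script below is an added example, not code from the thread or from Postfix, that turns that observation into a detection: it scans Postfix smtpd log lines for "User unknown" rejects, flags clients that hit many distinct nonexistent recipients inside a short window (a harvester) while leaving the lone typo alone, and emits ipfw table commands for the FreeBSD box in this thread. The log lines, IP addresses, threshold, window and table number are all constructed assumptions.

```python
"""Spot address-harvesting probes in Postfix smtpd logs.

Added example, not from the thread.  A harvester cycles through many made-up
local parts from one client in a short time; a legitimate typo is one lone
'User unknown' reject.  The log lines below are constructed (RFC 5737 test
addresses); threshold, window and the ipfw table number are assumptions."""
import calendar
import re
import time
from collections import defaultdict

# Postfix 2.x/3.x smtpd reject line for a nonexistent local recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 5\d\d \S+ "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def _reject(ts, host, ip, rcpt):
    """Construct one reject line in the real Postfix log format (sample data)."""
    return ("%s mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from %s[%s]: "
            "550 5.1.1 <%s>: Recipient address rejected: User unknown in local "
            "recipient table; from=<bounce@example.org> to=<%s> proto=ESMTP "
            "helo=<mail.example.org>" % (ts, host, ip, rcpt, rcpt))


SAMPLE_LOG = [
    "Aug 25 09:59:01 mx postfix/smtpd[1234]: connect from unknown[203.0.113.9]",
    # six distinct invented recipients from one client in under two minutes
    _reject("Aug 25 09:59:02", "unknown", "203.0.113.9", "dcpczy3foku+gcyvikdnlcei@example.net"),
    _reject("Aug 25 09:59:10", "unknown", "203.0.113.9", "a1@example.net"),
    _reject("Aug 25 09:59:20", "unknown", "203.0.113.9", "a2@example.net"),
    _reject("Aug 25 09:59:30", "unknown", "203.0.113.9", "a3@example.net"),
    _reject("Aug 25 10:00:05", "unknown", "203.0.113.9", "a4@example.net"),
    _reject("Aug 25 10:00:40", "unknown", "203.0.113.9", "a5@example.net"),
    # a slow prober: five recipients spread over eight hours
    _reject("Aug 25 08:00:00", "unknown", "192.0.2.33", "b1@example.net"),
    _reject("Aug 25 10:00:00", "unknown", "192.0.2.33", "b2@example.net"),
    _reject("Aug 25 12:00:00", "unknown", "192.0.2.33", "b3@example.net"),
    _reject("Aug 25 14:00:00", "unknown", "192.0.2.33", "b4@example.net"),
    _reject("Aug 25 16:00:00", "unknown", "192.0.2.33", "b5@example.net"),
    # one human typo from a real mail server
    _reject("Aug 25 11:15:42", "mail.example.com", "198.51.100.7", "jhon@example.net"),
    "Aug 25 11:16:03 mx postfix/smtpd[1301]: 3C2A1B: client=mail.example.com[198.51.100.7]",
]


def _epoch(ts):
    """Syslog timestamps carry no year; pin one so deltas within a day work."""
    return calendar.timegm(time.strptime("2016 " + ts, "%Y %b %d %H:%M:%S"))


def parse_rejects(lines):
    """Yield (epoch, client_ip, recipient) for each 'User unknown' reject."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            yield _epoch(m.group("ts")), m.group("ip"), m.group("rcpt")


def find_harvesters(lines, threshold=5, window=600):
    """Clients that probed `threshold` or more *distinct* nonexistent
    recipients within any `window`-second span.  Returns {ip: total distinct}."""
    by_ip = defaultdict(list)
    for t, ip, rcpt in parse_rejects(lines):
        by_ip[ip].append((t, rcpt))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({r for _, r in events[start:end + 1]}) >= threshold:
                flagged[ip] = len({r for _, r in events})
                break
    return flagged


def ipfw_commands(flagged, table=1):
    """FreeBSD ipfw commands that put the flagged clients into a lookup table;
    the ruleset must already contain something like
    'deny tcp from table(1) to me 25,587' for this to block anything."""
    return ["ipfw table %d add %s" % (table, ip) for ip in sorted(flagged)]


if __name__ == "__main__":
    for cmd in ipfw_commands(find_harvesters(SAMPLE_LOG)):
        print(cmd)
```

Threshold and window are judgment calls: with the defaults the slow prober (five names over eight hours) is not flagged, with a day-long window it is. The fail2ban route mentioned later in the thread does the same thing continuously over the live log; whichever you use, the table entry only has an effect once a deny rule in the ruleset references it.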




Re: newbie department

2016-08-25 Thread lists
FWIW, I'd rather have the wrong email address bounce. That and I don't 
want to eyeball the catch-all to see if it caught anything useful. 

You can fail2ban the password guessers. 

In a perfect world, I would reject email that fails SPF and DKIM. I recall 
noise from Google making this a plan, which would force all the servers to 
clean up their act.



  Original Message  
From: D'Arcy J.M. Cain
Sent: Thursday, August 25, 2016 2:56 PM
To: Michael J Wise
Cc: postfix users
Subject: Re: newbie department

On Thu, 25 Aug 2016 12:36:19 -0700
"Michael J Wise"  wrote:
> > No! Even though you don't have to have a mailbox to fill up (you
> > can direct catch-all to /dev/null) this is still a bad idea. If
> > someone sends you an important message at li...@lazygranch.com it
> > will be silently ignored. If you don't have a catch-all the
> > message will bounce and the sender will realize that he made a typo
> > and resend it. 
> 
> This fails badly for many security and privacy reasons if you are
> doing anything other than running a personal, vanity domain.

No, it's quite the opposite. I have clients who expect their email to
behave in a very clearly defined way. If someone sends an email to my
system it must do one of two things - be delivered to a user (or at
least his spam filter) or bounced back to the sender. Anything else is a
failure. I don't want to hear that my client missed a big sale because
of a typo on their prospective client's part.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net


Re: advice on securing a transport

2016-09-05 Thread lists

First of all, be wary of taking advice from a newbie like me. That said, if you 
enforce SPF and DKIM in postfix, you will be rejecting a lot of mail. If there 
is a way to enforce SPF and DKIM on specific senders, that would be another 
story.

But look at this line from the original message :

"What I would really like to do is be
able to send structured emails to the server, and have postfix pass them
through a transport to the webapp (a Django site), which would parse the
emails and do CRUD stuff with the database."

Normally we read our email from a delivery agent like dovecot, but this mail 
will, if I understand the objective, be "machine" read. That step is where 
you want to enforce SPF and DKIM. 


  Original Message  
From: Sebastian Nielsen
Sent: Monday, September 5, 2016 9:54 AM
To: postfix-users@postfix.org
Subject: SV: advice on securing a transport

There is a possibility to use SPF or DKIM to ensure the sender is not spoofed.
For this particular service, you can run your SPF and/or DKIM validator in
mandatory mode, eg, a missing SPF record will be treated as -all, and a
missing DKIM signature is treated as an invalid one.

Then you can actually use a list of authorized email addresses, even for
third-party operators like GMAIL and such. So if an authorized user sends a
mail, using a server that is authorized either per that domain's SPF records
or DKIM signature, then the mail will get accepted. Else it will be
rejected.


-----Original Message-----
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Sean Greenslade
Sent: 5 September 2016 18:36
To: Eric Abrahamsen 
Cc: postfix-users@postfix.org
Subject: Re: advice on securing a transport

On Mon, Sep 05, 2016 at 07:52:02PM +0800, Eric Abrahamsen wrote:
> I have a postfix/dovecot installation on the same server as my 
> company's webapp. This webapp involves a lot of regular data entry, 
> which is a real pain to do using HTML forms. What I would really like 
> to do is be able to send structured emails to the server, and have 
> postfix pass them through a transport to the webapp (a Django site), 
> which would parse the emails and do CRUD stuff with the database.
> 
> I can figure the details out myself, but I'm hoping to get advice on 
> one particular question: security.
> 
> I guess the safest thing would be to require logged-in users: 
> presumably I could find a way to only accept emails from a local 
> account, but that would require everyone who had access to this system 
> to have an account on the server.
> 
> The other option would be to maintain a list of authorized email 
> addresses, and then check incoming messages against this list. This 
> would be preferable, in that I don't have to bother users to create 
> and set up (and remember to use) a separate email account. My question 
> is, is there a truly secure way of only accepting emails from 
> authorized addresses? Or should I just go with option one and require 
> users to have accounts?

Envelope sender / From: field is not to be trusted. Anyone can submit a
message with any envelope sender to an unauthenticated mail server.

I can see two ways of handling this. One is to implement standard submission
port authentication / TLS on this machine, possibly with virtual users to
prevent the need for all users to have local accounts.
The other way is to configure the machine to only accept incoming mail from
your organization's main mail server(s). That way, your regular mail servers
will perform the sender authentication, and then you can rely on the
envelope sender (presuming your main mail servers do not allow sender
spoofing).

--Sean




Re: advice on securing a transport

2016-09-05 Thread lists
Seems to me we are in total agreement except for sender versus receiver 
terminology. That depends on your point of view. But I don't know if you can 
enforce SPF and DKIM on a domain name basis. If you can't, I assure you much 
mail will be rejected. Incoming mail using remailing services will fail SPF. 
I'd say I would bounce about 20% of my "desired" email. Probably 75% of the 
spam. 

I have a 100% failure rate in convincing anyone to fix their SPF and DKIM. 
Nobody cares because the mail still gets delivered. I couldn't even convince 
the claws developers that a client which could flag failed DKIM and SPF was 
worthy. Their solution was look at the header.

  Original Message  
From: Sebastian Nielsen
Sent: Monday, September 5, 2016 10:24 AM
To: postfix-users@postfix.org
Subject: SV: advice on securing a transport

No, you're wrong. What the OP should do, is to enforce SPF/DKIM on specific 
RECEIVERS. For example, enforcing SPF/DKIM on for example 
webappad...@example.org.



Re: advice on securing a transport

2016-09-05 Thread lists

"Thus, the receiving postfix server, could be configured to add a pass/fail
header of SPF and DKIM authentication."

This came up a few months ago on the list, with the idea of doing a rewrite on 
the subject line. For example, SpamAssassin writes "spam". The new rewrite 
would indicate SPF and DKIM failures. Nobody came up with a turnkey solution to 
this, but I for one would like to have this, since I don't have a client that 
does this automatically. 

Supposedly there is a plugin for Thunderbird email that reads the header and 
does such notification, but I would trust a postfix implementation more.

  Original Message  
From: Sebastian Nielsen
Sent: Monday, September 5, 2016 11:18 AM
To: postfix-users@postfix.org
Subject: SV: SV: advice on securing a transport

LazyGranch:
I look at it from the point of view of the server that is receiving the mail.
So basically, the OP has some email address like "webapprecei...@example.org"
that receives mail and processes this automatically into a database.

Only authorized users are allowed to send to this specifically crafted email
address.

Thus, the receiving postfix server, could be configured to add a pass/fail
header of SPF and DKIM authentication.
Then the program acting on transport (eg, the actual /usr/bin program that
is configured as transport destination for webapprecei...@example.org) just
checks this header. If not at least one of them is PASS and the Return-Path:
header matches what's on an authorized list, the program could be configured
to just ignore the received mail in question.

Care needs to be taken so that no one can fool the validation by inserting a
fraudulent SPF or DKIM header, which would result in a duplicate, one
genuine and one fake header.
This can be accomplished by either checking for duplicate headers and
failing authentication if there is a duplicate SPF or DKIM header. (note:
DKIM-header = The header with the validation result, inserted by the local
validator, NOT the actual signature).
Or you can configure the validation process to always purge out any existing
validation headers before inserting its own.

Thus, actually, the postfix server does not need to reject any mail, this
could be coded into the transport program which also does all the
modification to the django app database, to dump all unauthenticated (eg, no
valid SPF or DKIM) and unauthorized (not on authorized list) into /dev/null.


Sean Greenslade:
Thats the responsibility of the server who is authorized to act on behalf of
that domain.
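
Sebastian's scheme above, as working code: trust only the result header written by the local validator, treat an injected duplicate as an attack, then check the Return-Path against an allow-list. This is an added example, not code from the thread or from any of the projects named in it. It assumes the validator on the receiving Postfix prepends an RFC 7601 Authentication-Results header whose authserv-id is mx.example.org, and that this script is the pipe(8) transport, fed the raw message on stdin and the envelope sender as its argument (${sender}); the authserv-id, the allow-list and the sample messages are placeholders. It also goes one step beyond the thread: a bare dkim=pass or spf=pass is not enough, because it only proves that *some* domain authenticated. The domain the pass vouches for (header.d for DKIM, smtp.mailfrom for SPF) must be the Return-Path's own domain, otherwise anyone with a correctly signed domain of their own could put an allow-listed address in the Return-Path.

```python
"""Gate a mail-driven transport on the local SPF/DKIM verdict.

Added example, not from the thread.  Assumptions: a validator on the
receiving Postfix prepends an RFC 7601 Authentication-Results header with
authserv-id AUTHSERV_ID; this script is the pipe(8) transport and gets the
raw message on stdin and the envelope sender as argv[1].  Authserv-id,
allow-list and the sample messages below are placeholders."""
import email
import re
import sys
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.org"          # assumption: what OUR validator writes
AUTHORIZED_SENDERS = {"alice@example.com", "bob@example.net"}
EXPECTED_AR_HEADERS = 1                 # one local validator => one header

_COMMENT = re.compile(r"\([^)]*\)")     # RFC 7601 allows (comments) anywhere


def parse_auth_results(value):
    """One Authentication-Results value ->
    (authserv_id, [(method, result, {prop: value}), ...])."""
    parts = [p.strip() for p in _COMMENT.sub("", value).split(";") if p.strip()]
    if not parts:
        return "", []
    authserv_id = parts[0].split()[0].lower()   # 'mx.example.org 1' -> id only
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if tokens[0].lower() == "none":
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def local_results(msg):
    """Results written by OUR validator, or None when absent or duplicated.
    Outsiders cannot remove our header but can inject extra ones claiming
    our authserv-id; more than the expected count means someone tried."""
    ours = []
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(value))
        if authserv_id == AUTHSERV_ID:
            ours.append(results)
    if len(ours) != EXPECTED_AR_HEADERS:
        return None
    return [r for results in ours for r in results]


def authenticated_domains(results):
    """Domains the passing results actually vouch for: SPF binds
    smtp.mailfrom, DKIM binds header.d.  A bare 'pass' says nothing about
    the Return-Path, which is what the allow-list is keyed on."""
    domains = set()
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "spf" and "smtp.mailfrom" in props:
            domains.add(props["smtp.mailfrom"].rpartition("@")[2].lower())
        elif method == "dkim" and "header.d" in props:
            domains.add(props["header.d"].lower())
    return domains


def decide(raw_message, envelope_sender=None):
    """Return (accepted, reason) for one delivered message."""
    msg = email.message_from_bytes(raw_message)
    if envelope_sender is None:   # pipe(8) with flags=R prepends Return-Path
        envelope_sender = parseaddr(msg.get("Return-Path", ""))[1]
    envelope_sender = envelope_sender.lower()
    if envelope_sender not in AUTHORIZED_SENDERS:
        return False, "sender not authorized"
    results = local_results(msg)
    if results is None:
        return False, "missing or duplicated local Authentication-Results"
    if envelope_sender.rpartition("@")[2] not in authenticated_domains(results):
        return False, "no SPF/DKIM pass for the sender's domain"
    return True, "ok"


# Constructed sample messages; only the headers matter here.
GENUINE = b"""Return-Path: <alice@example.com>
Authentication-Results: mx.example.org;
\tdkim=pass (2048-bit key) header.d=example.com header.i=@example.com;
\tspf=pass smtp.mailfrom=alice@example.com
From: Alice <alice@example.com>
To: webappreceive@example.org
Subject: ADD widget 42

qty=3
"""
# Attacker pre-inserted a header claiming our authserv-id; ours says fail.
FORGED = b"""Return-Path: <alice@example.com>
Authentication-Results: mx.example.org; dkim=fail header.d=example.com; spf=fail smtp.mailfrom=alice@example.com
Authentication-Results: mx.example.org; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=alice@example.com
From: Alice <alice@example.com>
Subject: DELETE everything

"""
# Attacker signed with a domain they own and spoofed the Return-Path.
WRONG_DOMAIN = b"""Return-Path: <alice@example.com>
Authentication-Results: mx.example.org; dkim=pass header.d=attacker.example; spf=none
From: Alice <alice@example.com>
Subject: DELETE everything

"""

if __name__ == "__main__":
    accepted, why = decide(sys.stdin.buffer.read(),
                           sys.argv[1] if len(sys.argv) > 1 else None)
    if accepted:
        pass   # hand the message to the web application here
    else:
        sys.stderr.write("dropped: %s\n" % why)
    sys.exit(0)   # never non-zero: drop silently rather than bounce, as the thread suggests
```

In master.cf the transport would be a pipe(8) entry with flags=R (so Return-Path is present) and ${sender} in the argument list; the exit status is kept at 0 deliberately so that a forged message is dropped rather than turned into a bounce to the spoofed address.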




(ot) beware libressl on Freebsd

2016-09-12 Thread lists
Freebsd 10.3

I ran freebsd "pkg" and didn't see any of the mail suite or openssl in the 
list of files to update, so I figured it was safe to run. (I've been burnt 
by pkg messing up dovecot or postfix, so I always use the ports).

Some program must have needed libressl and openssl got replaced, breaking my 
email. Even reinstalling openssl wasn't sufficient because any program 
using openssl broke. SpamAssassin was having none of this, so I ended up 
reinstalling the whole email suite. No conf file issues fortunately.

Openssl and libressl have a conflict, so I had uninstalled libressl prior to 
reinstalling openssl.

I think ntp was the program that wanted libressl. It didn't occur to me the 
program even used TLS


Concurrency limit for port 25

2016-09-13 Thread lists
Not wanting to hijack the thread from Alan Coates, but I noticed the 
concurrency limit of three, which I assume was on port 25. Is there some 
science behind how to set this limit?



Re: (ot) beware libressl on Freebsd

2016-09-14 Thread lists
I'm fixing a few other problems due to the upgrade, but will follow up on 
libressl eventually. 

I'm a long time Linux user, but only have been using Freebsd for a little over 
a year, so I am cautious to do any rants. ;-)  (I have endured the wrath of 
Linux users mocking Yast, but I have yet to do an update of Freebsd without 
breaking something.)‎

Here is a similar thread to my issue:
https://forums.freebsd.org/threads/56398/

Right now, I'm just issuing a warning until I rule out pilot error.

  Original Message  
From: Jeffrey 'jf' Lim
Sent: Monday, September 12, 2016 3:17 PM
To: Postfix users
Subject: Re: (ot) beware libressl on Freebsd

On Tue, Sep 13, 2016 at 6:13 AM,  wrote:
> Freebsd 10.3
>
> I ran freebsd "pkg" ‎and didn't see any of the mail suite or openssl in the
> list of files to update, so I figured it was safe to run. (I've been burnt
> by pkg messing up dovecot or postfix, so I always use the ports).
>
> Some program must of needed libressl and openssl got replaced, breaking my
> email. Even reinstalling openssl wasn't sufficient because any program
> using openssl broke. SpamAssassin was having none of this, so I ended up
> reinstalling the whole email suite. No con file issues fortunately.
>
> Openssl and libressl have a conflict, so I had uninstalled libressl prior to
> reinstalling openssl.
>
> I think ntp was the program that wanted libressl. It didn't occur to me the
> program even used TLS
>

have you reported this to the any of the freebsd list(s)?

-jf


Re: TLD blocking revisited

2016-09-19 Thread lists
Well yeah, they can always buy a .com, etc., but right now .stream has nothing 
legit.

The last time this discussion came up (not initiated by me if it matters), I 
bought into TLD blocking being bad, but things are different half a year later. 

I suppose I can find a more effective RBL, but the more you add, the more 
likely you get false positives.


  Original Message  
From: /dev/rob0
Sent: Monday, September 19, 2016 6:11 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: TLD blocking revisited

On Mon, Sep 19, 2016 at 05:29:51PM -0700, li...@lazygranch.com wrote:
> The last time TLD blocking came up, the consensus of the hive was 
> not to block based on TLD. (You may recall .xyz being used by 
> Alphabet.) However lately I'm getting a ridiculous number of 
> .stream SPAM coming through. The RBLs are getting about half.
> 
> https://www.spamhaus.org/statistics/tlds/
> 
> I have a hard time believing I will ever get legit mail from a 
> .stream or a .download.

The thing is, I don't think any TLD prescreens its registrants and 
limits domains to spammers only. Anyone can buy one of the new 
domains, whether or not a spammer.

> FWIW, many of the .stream pass SPF, which is perhaps why the RBLs 
> are not being as aggressive.

Certainly not a factor. Most significant DNSBLs operate on the basis 
of spamtraps. If a host is hitting a spamtrap, it will be listed; if 
not it will not be listed. FCrDNS and other niceties are irrelevant.
The DNSBL knows that the traffic is spam, because a good spamtrap is 
an address which was never used.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: TLD blocking revisited

2016-09-19 Thread lists
OK. Would I score it in SpamAssassin? If not, where? Point me in the right 
direction and I assume Google will be my friend.


  Original Message  
From: Michael J Wise
Sent: Monday, September 19, 2016 6:54 PM
To: postfix-users@postfix.org
Subject: Re: TLD blocking revisited



Block? No.
+Score? Yes.

But this is the Postfix list, and ... this really belongs elsewhere.

> The last time TLD blocking came up, the consensus of the hive was not
> to block based on TLD. (You may recall .xyz being used by
> Alphabet.) However lately I'm getting a ridiculous number of .stream
> SPAM coming through. The RBLs are getting about half.

Aloha mai Nai`a.
-- 
" So this is how Liberty dies ... http://kapu.net/~mjwise/
" To Thunderous Applause.




Re: TLD blocking revisited

2016-09-20 Thread lists

Believe it or not, Telus doesn't support encryption. 

https://www.reddit.com/r/canada/comments/464glo/psaif_you_use_a_telus_email_account_telus_does/?st=itb9thrx&sh=2a6ed83e

I think when Google starts to refuse unencrypted email, it would make sense for 
postfix to bounce them.

  Original Message  
From: Alice Wonder
Sent: Tuesday, September 20, 2016 1:49 AM
To: postfix-users@postfix.org
Subject: Re: TLD blocking revisited



On 09/19/2016 05:29 PM, li...@lazygranch.com wrote:
> The last time TLD blocking came up, the consensus of the hive was not
> to block based on TLD. (You may recall .xyz being used by
> Alphabet.) However lately I'm getting a ridiculous number of .stream
> SPAM coming through. The RBLs are getting about half.

I don't block by TLD but I do have a single mail server that breaks the 
RFC by rejecting any mail not sent via STARTTLS and interestingly it 
doesn't get much spam at all.

Seems a lot of spammers don't bother with TLS while most legitimate mail 
does.

Maybe (for now) that's a better metric?

Legitimate mail that doesn't use TLS tends to be blog notifications, for 
what its worth.


Re: TLD blocking revisited

2016-09-20 Thread lists

After studying these spam messages, I think postfix blocking via tld is the 
only solution. The problem is the message is embedded in graphics with brief 
text regarding "if you can't view this click here". There isn't enough to trip 
the spam bot. 

What is the simplest way to block a TLD?



Re: TLD blocking revisited

2016-09-20 Thread lists
Tell ya what. Let's hold the suggestions here. This one looks like something I 
can handle. (I really need things spelled out.)

BTW, the SpamAssassin enlist trick caught about 20% of this flavor of spam. But 
I'm really OK with killing the TLD. 

I did some googling on this and some claim Barracuda has this spam style licked, 
but I don't find that to be the case. I do have Barracuda as my first RBL.

I didn't mention it but the odd thing is this .stream spam goes to one email 
account. Perhaps in a daze I clicked unsubscribe. 

Thanks all for the suggestions.



  Original Message  
From: Jim Reid
Sent: Tuesday, September 20, 2016 1:56 PM
To: li...@lazygranch.com
Cc: Postfix Users
Subject: Re: TLD blocking revisited


> On 20 Sep 2016, at 21:10, li...@lazygranch.com wrote:
> 
> What is the simplest way to block a TLD?

Put the offending TLD in a map and have that map referenced through 
check_sender_access and/or check_client_access.

ie 

in main.cf:


smtpd_client_restrictions = permit_mynetworks
    check_client_access hash:/etc/postfix/spamsources

smtpd_sender_restrictions = permit_mynetworks
    check_sender_access hash:/etc/postfix/spamsources


and in /etc/postfix/spamsources:

xyz 500 This TLD sends spam - get lost.
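
To see why a bare "xyz" key in that map catches every host and sender under the TLD, here is a dry-run of the access(5) lookup order as an added example (not Postfix code, not from the thread): for a client hostname or sender domain Postfix tries the full name first, then each parent domain down to the TLD, and the first hit wins, so a more specific key such as "good.xyz OK" can exempt one domain while the TLD entry rejects the rest. With the default parent_domain_matches_subdomains (which lists smtpd_access_maps) the parents are looked up bare; without it they are looked up as ".parent". The map content and domains are constructed; the sender lookup order (user@domain, then the domain walk, then user@) is my reading of access(5).

```python
"""Dry-run Postfix access(5) lookups against a spamsources map.

Added example, not from the thread and not Postfix code.  Reproduces the
key order smtpd(8) tries for check_client_access (hostname) and
check_sender_access (envelope address) so a map can be sanity-checked
offline.  The map text is constructed; the 500/550 codes are the map's own
actions, whatever they are."""

SPAMSOURCES = """\
# key          action
xyz            500 This TLD sends spam - get lost.
stream         550 This TLD sends spam - get lost.
.download      550 Subdomains of .download are rejected here
good.xyz       OK
abuse@         OK
"""


def load_access_map(text):
    """Parse 'key action...' lines the way postmap(1) reads them; keys lowercased."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            table[key.lower()] = action
    return table


def domain_candidates(name, parent_matches_subdomains=True):
    """Keys Postfix tries for a domain, in order: full name, then each parent
    down to the TLD (bare, or '.parent' when subdomain matching is off)."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    keys = [name]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def lookup_domain(table, name, parent_matches_subdomains=True):
    """(matched_key, action) for a client hostname / domain, or None."""
    for key in domain_candidates(name, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


def lookup_sender(table, address, parent_matches_subdomains=True):
    """(matched_key, action) for an envelope sender, or None.
    Order (my reading of access(5)): user@domain, domain walk, user@."""
    address = address.lower()
    localpart, _, domain = address.rpartition("@")
    if address in table:
        return address, table[address]
    hit = lookup_domain(table, domain, parent_matches_subdomains) if domain else None
    if hit:
        return hit
    if localpart + "@" in table:
        return localpart + "@", table[localpart + "@"]
    return None


if __name__ == "__main__":
    table = load_access_map(SPAMSOURCES)
    for host in ("smtp.spam.xyz", "mail.good.xyz", "mail.example.com"):
        print(host, "->", lookup_domain(table, host))
    for sender in ("promo@deals.stream", "abuse@example.com"):
        print(sender, "->", lookup_sender(table, sender))
```

Two practical caveats: run postmap /etc/postfix/spamsources after every edit (a hash: map is only rebuilt by postmap), and do not rely on postmap -q to prove a TLD entry works, because it performs a single exact-key lookup and never does the parent-domain walk shown here. Also, check_client_access sees the hostname "unknown" when the client has no valid reverse DNS, so for those clients a TLD key only bites through check_sender_access.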


Re: WoSign/StartCom CA in the news

2016-09-28 Thread lists
I don't want to take this thread off course, but suggestions for low cost certs 
would be appreciated. I don't like how Let's Encrypt works, else that would be 
the obvious solution. 

Domain registration isn't free. Server time isn't free. Something like $20 a 
year would be fine. I already have a self signed cert for email, but would like 
to eventually encrypt my websites and attempt dnssec/dane.

When Symantec first announced that they would compete with Let's Encrypt, I 
signed up with them. But it looks like their free cert program is more like you 
need to recruit customers for them.


  Original Message  
From: Sven Schwedas
Sent: Wednesday, September 28, 2016 1:10 AM
To: postfix-users@postfix.org
Subject: Re: WoSign/StartCom CA in the news

On 2016-09-28 00:31, Giovanni Harting wrote:
> Correct me if I'm wrong, but that document you describe issues by
> Mozilla and others, doesn't it state that it would only affect new
> issues certs after a certain date?

Yes, but most StartSSL/WoSign certificates are only valid for a year or
less. So customers should start looking for alternative providers *now*,
because a year-long block will affect almost all of them.

> Am 09/28/16 um 00:29 schrieb Viktor Dukhovni:
>> WoSign (who seemingly purchased StartCom) seem to have run into
>> some compliance issues as reported by Firefox:
>>
>> 
>> http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>>
>>
>> Many SMTP servers are using certs from StartCom. In my DANE
>> adoption survey, out of 2201 certificates used by DANE MX
>> hosts 411 are issued by StartCom and 47 by WoSign. So that's
>> just over 20% of observed certificates. While the rate is
>> likely different for the larger SMTP ecosystem (DANE users
>> are bleeding edge, not representative at this time), I expect
>> that these CAs are still quite popular overall.
>>
>> If you're using StartCom/WoSign certs, and rely on them being
>> verified by MUAs and/or peer MTAs, you may want to make
>> contingency plans if Mozilla and perhaps others go through
>> with delisting (or disabling) the related root CAs from
>> their trusted CA bundles.
>>
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwe...@tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167



Re: WoSign/StartCom CA in the news

2016-09-28 Thread lists
CACert came up in my search. I will look into it. Suggestions always 
appreciated since I'm quite comfortable with people out there knowing more than 
me.

I didn't like the Let's Encrypt 90 day deal with mysterious upload to your 
server. It bugs me. About the only outside control of my server I accept is 
spam RBLs, because really I have no alternative.

I understand there is github code out there (perhaps your simp_le) as an 
alternative to whatever Let's Encrypt does regarding updates, but that seems 
just as dicey.

  Original Message  
From: Sven Schwedas
Sent: Wednesday, September 28, 2016 1:34 AM
To: li...@lazygranch.com; postfix-users@postfix.org
Subject: Re: WoSign/StartCom CA in the news

On 2016-09-28 10:25, li...@lazygranch.com wrote:
> I don't want to take this thread off course, but suggestions for low cost certs 
> would be appreciated. I don't like how Let's Encrypt works, else that would 
> be the obvious solution. 

"how Let's Encrypt works" is a bit vague. Domain verification is
standard for a lot of registrars (and safer than what StartSSL does,
which is allowing you to breach their TOS if you pay hush money), and
there are LE clients that don't automatically fuck up your server
configs, if that's your concern (we use simp_le, e.g., it just generates
the certs and everything else is up to you).

> Domain registration isn't free. Server time isn't free. Something like $20 a 
> year would be fine. I already have a self signed cert for email, but would 
> like to eventually encrypt my websites and attempt dnssec/dane.

Have you considered CACert? Otherwise it's either scummy registrars that
ought to be the next on the chop block (like Comodo) or gets expensive
fast. (Or both.)

> When Symantec first announced that they would compete with Let's Encrypt, I 
> signed up with them. But it looks like their free cert program is more like 
> you need to recruit customers for them.

Same with the others. Of course they want to stay in business, even if
it's dead already.

> 
> 
> Original Message 
> From: Sven Schwedas
> Sent: Wednesday, September 28, 2016 1:10 AM
> To: postfix-users@postfix.org
> Subject: Re: WoSign/StartCom CA in the news
> 
> On 2016-09-28 00:31, Giovanni Harting wrote:
>> Correct me if I'm wrong, but that document you describe issued by
>> Mozilla and others, doesn't it state that it would only affect newly
>> issued certs after a certain date?
> 
> Yes, but most StartSSL/WoSign certificates are only valid for a year or
> less. So customers should start looking for alternative providers *now*,
> because a year-long block will affect almost all of them.
> 
>> Am 09/28/16 um 00:29 schrieb Viktor Dukhovni:
>>> WoSign (who seemingly purchased StartCom) seem to have run into
>>> some compliance issues as reported by Firefox:
>>>
>>>
>>> http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>>>
>>>
>>> Many SMTP servers are using certs from StartCom. In my DANE
>>> adoption survey, out of 2201 certificates used by DANE MX
>>> hosts 411 are issued by StartCom and 47 by WoSign. So that's
>>> just over 20% of observed certificates. While the rate is
>>> likely different for the larger SMTP ecosystem (DANE users
>>> are bleeding edge, not representative at this time), I expect
>>> that these CAs are still quite popular overall.
>>>
>>> If you're using StartCom/WoSign certs, and rely on them being
>>> verified by MUAs and/or peer MTAs, you may want to make
>>> contingency plans if Mozilla and perhaps others go through
>>> with delisting (or disabling) the related root CAs from
>>> their trusted CA bundles.
>>>
>>
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwe...@tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167



Re: WoSign/StartCom CA in the news

2016-09-28 Thread lists
Bookmarked and all these emails archived. There is nothing like advice from 
someone who has done hands-on work. And it appears I was a bit hard on Let's 
Encrypt, but if a low cost cert is just as good, I'd rather have the simple 
solution. 

Steve Gibson's "Security Now" podcast has been covering WoSign on and off since 
the github incident. While Firefox will put them effectively out of business, 
it isn't like being sanctioned by the SEC. Employees and officers of WoSign 
could be back as some other agency.

  Original Message  
From: Mike
Sent: Wednesday, September 28, 2016 8:11 AM
To: postfix-users@postfix.org
Subject: Re: WoSign/StartCom CA in the news

On 9/28/2016 10:53 AM, KSB wrote:
> On 2016.09.28. 17:47, Mike wrote:
>> On 9/28/2016 4:55 AM, li...@lazygranch.com wrote:
>>> CACert came up in my search. I will look into it. Suggestions always 
>>> appreciated since I'm quite comfortable with people out there knowing more 
>>> than me.
>>>
>>> I didn't like the Let's Encrypt 90 day deal with mysterious upload to your 
>>> server. It bugs me. About the only outside control of my server I accept is 
>>> spam RBLs, because really I have no alternative.
>>>
>>> I understand there is github code out there (perhaps your simp_le) as an 
>>> alternative to whatever Let's Encrypt does regarding updates, but that 
>>> seems just as dicey.
>>
>>
>> fwiw, I use GeoTrust's RapidSSL cert.
>>
>> I buy it through my registrar, namecheap, but I found it is also
>> available a bit less expensively via enom (namecheap's parent) for $10
>> per year. It works fine for my low-traffic personal email and webservers.
>>
>> http://www.enom.com/secure/geotrust-ssl-certificates.aspx
>>
>>
> When we need some specific certificates, our company used to buy from 
> GoGetSSL.com
> Geotrust's rapid for comparison: https://www.gogetssl.com/rapidssl/


Thanks, bookmarked.


btw, if anyone wants to check out the RapidSSL cert in production, the
Los Angeles, USA Postfix mirror uses one.



Re: WoSign/StartCom CA in the news

2016-09-29 Thread lists
Comodo has been caught for shady practices like "geek buddy." They also did 
some shady certs:

https://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/

While the cert they issue you is probably OK, I think the company has internal 
control issues. 

  Original Message  
From: Alice Wonder
Sent: Thursday, September 29, 2016 8:35 PM
To: postfix-users@postfix.org
Subject: Re: WoSign/StartCom CA in the news



On 09/28/2016 01:25 AM, li...@lazygranch.com wrote:
> I don't want to take this thread off course, but suggestions for low cost certs 
> would be appreciated. I don't like how Let's Encrypt works, else that would 
> be the obvious solution.
>
> Domain registration isn't free. Server time isn't free. Something like $20 a 
> year would be fine.

I use Comodo via Namecheap where it is $9.00 for a year. If you are 
still looking.

Some people have complaints about Comodo but they work for me. They 
handle both RSA and ECDSA certs.

-- 
-=-
Sent from my laptop, may not be able to respond timely

