RE: Postfix 20 years ago

2017-02-14 Thread Paul A
I first started using postfix around 1998 to handle mail for a small privately
held ISP I still work for today in MA. It’s been a pleasure using your
software; it’s simple, well written and to me the best MTA there is. Like others
I remember being frustrated at the other MTA, especially when I was just
starting out. When I switched to your program I couldn’t help but notice how simple
it was to get it up and running and how reliable it was.

Thanks for your contribution to the internet.

Paul 



On Feb 12, 2017 21:07, "Wietse Venema"  wrote:
Last month it was 20 years ago that I started writing Postfix code.
After coming to IBM research in November 1996, I spent most of
December and January making notes on paper. I knew that writing a
mail system was more work than any of my prior projects.

The oldest tarball, dated 19970220, contains library functions plus
two early versions of the master daemon. There are 8086 lines of
code, 4204 lines after stripping the comments, and the only
documentation was my pile of hand-written notes.

For comparison, today's Postfix 3.2.0 RC1 release candidate weighs
in at 236533 lines of code, 137257 after stripping comments. The
documentation amounts to 32589 lines of hand-written HTML source,
plus 41878 lines of auto-generated HTML.

Much of today's effort is not visible as new features (though there
still are enough to make an upgrade worthwhile), but happens behind
the scenes as improvements to internal code, and updated tests to
ensure that future changes won't inadvertently break something.

Wietse



Re: how add X-AntiAbuse header

2011-04-18 Thread Paul A


fakessh  wrote:

>hello postfix guru
>hello Wietse
>hello mouss
>
>I would like to add anti-abuse headers. I just spent a good little time to
>watch list archives and found no answers
>
>example of a header that I want to appear in my mail
>
>X-AntiAbuse: This header was added to track abuse, please include it with any
>abuse report
>X-AntiAbuse: Primary Hostname - medford.localsev.com
>X-AntiAbuse: Original Domain - hotmail.com
>X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
>X-AntiAbuse: Sender Address Domain - in-ex.s
>
>thanks
>
>--
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
> gpg --keyserver pgp.mit.edu --recv-key 092164A7


RE: I'm an open relay some how

2011-12-30 Thread Paul A
Without knowing for sure I would say that one of your accounts has been
compromised and is being used to send out spam.

Look at your messages on the postfix queue, usually under
/var/spool/postfix. Use the strings command to search through the queued
email and look for common patterns like the same username, from address, etc.,
and determine the problem that way.

-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Stephen Atkins
Sent: Friday, December 30, 2011 12:31 PM
To: postfix users
Cc: Noel Jones
Subject: Re: I'm an open relay some how

On 12/30/2011 10:26 AM, Noel Jones wrote:
> On 12/30/2011 11:19 AM, Stephen Atkins wrote:
>> On 12/30/2011 10:17 AM, Gary Smith wrote:
>>>> I've been administering the same postfix server for years so I'm
>>>> a little confused as to how this happened.  Granted postfix hasn't been
>>>> updated in a year or so.
>>>>
>>>> This morning I came in to a mailq of over 93000 messages all
>>>> destined to @yahoo.com.tw
>>>>
>>>> For now I'm just blocking all email destined for this domain but
>>>> I would really like to find out what happened.  I haven't changed my main.cf
>>>> file for over a year. I can post it if needed.
>>>
>>>
>>> Are you an open relay or did one of your user accounts get
>>> hacked.  I'd check the envelope of one of the messages, cross that
>>> with where it originated and go from there.  Just a shoot from the
>>> hip guess with little information.
>>
>> I'm pretty sure.  I'm watching the connections coming in and they
>> are from external IP addresses.  A who is shows them as being from
>> south America and Europe.
>>
>
>
> Show all the postfix logging for one of the suspect transactions.
> Show your "postconf -n" output.
>
> http://www.postfix.org/DEBUG_README.html#mail
>
>
>
>-- Noel Jones

Here is the output of my postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases 
hash:/etc/postfix/majordomo/majoraliases
allow_untrusted_routing = no
bounce_queue_lifetime = 2h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
in_flow_delay = 5s
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 26214400
mydestination = localhost.localdomain, localhost, mta1.rcr.inc 
mta2.rcr.inc, ridelouise.com, canadiarockiessummer.com, rcr.west 
rcr.inc
mydomain = skircr.com
myhostname = smtp.skircr.com
mynetworks = 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 
192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 
209.91.64.21, 127.0.0.0/8, 10.0.100.0/24, 10.0.6.0/24, 
192.168.10.0/24, 192.168.80.0/23, 192.168.142.0/24, 
216.133.52.45, 216.113.43.184, 192.168.143.0/24, 69.70.230.206, 
207.96.243.24, 207.96.243.25, 24.37.1.234,   10.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.0.11/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_name = skircr.com
smtpd_banner = $myhostname ESMTP $mail_name.  We block/report all 
spam/spammers.
smtpd_client_restrictions = permit_mynetworks
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,  permit
smtpd_recipient_restrictions = hash:/etc/postfix/access, 
check_client_access hash:/etc/postfix/client_checks, 
check_recipient_access hash:/etc/postfix/sender_checks, 
check_sender_access hash:/etc/postfix/sender_checks,  permit_mynetworks, 
  permit_sasl_authenticated,  reject_non_fqdn_recipient, 
reject_unknown_recipient_domain,  reject_unauth_destination, 
reject_invalid_hostname,  check_client_access 
cidr:/etc/postfix/dnswl-header,  check_client_access 
cidr:/etc/postfix/dnswl-permit,  check_client_access 
hash:/etc/postfix/rbl_override,  reject_rbl_client zen.spamhaus.org, 
reject_rbl_client combined.njabl.org,  reject_rbl_client 
dbl.spamhaus.org,  check_policy_service inet:127.0.0.1:6,  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access, 
check_client_access hash:/etc/postfix/client_checks, 
check_sender_access hash:/etc/postfix/sender_checks, 
permit_sasl_authenticated,  permit_mynetworks, 
reject_unauth_pipelining,  permit
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtp

RE: forwarding to 2 domains

2012-01-18 Thread Paul A
In the aliases file

@dom.com:   toalldomains@localhost

toalldomains: @dom1.com, @dom2.com

make sure you have the wildcard entries setup in the virtual file

Paulo

-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of João Pagaime
Sent: Wednesday, January 18, 2012 12:25 PM
To: postfix users
Subject: Re: forwarding to 2 domains

Hello Noel Jones

thanks, that's my fallback situation: unroll all addresses from
DOM1.com and DOM2.com:

a...@dom.com  a...@dom1.com, a...@dom2.com
a...@dom.com  a...@dom1.com, a...@dom2.com


however I would like to avoid that because of administrative overhead
(setup and future maintenance). DOM1.com and DOM2.com are 2 separate
organizations that recently gained administrative affinities

the simple operation of obtaining the complete address lists from
DOM1.com and DOM2.com may not be easy

best regards,
João


On Wed, Jan 18, 2012 at 5:10 PM, Noel Jones  wrote:
> On 1/18/2012 10:35 AM, João Pagaime wrote:
>> Hello
>>
>> as strange as it may seem I need to forward all email coming to
>> DOM.com to DOM1.com and DOM2.com, regardless of the destination
>> address at DOM.com
>>
>> I almost got away with a configuration like this at "/etc/postfix/virtual"
>>
>> @DOM.com        @DOM1.com, @DOM2.com
>
> wildcard rewriting bypasses recipient validation and is strongly
> discouraged.
>
>>
>> unfortunately postfix only does rewriting on the first domain (as
>> documented: "This works only for the first address in a multi-address
>> lookup result.")
>>
>> can someone help out with this configuration? maybe some regexp?
>
> Use a simple script to generate virtual_alias_maps from a list of
> valid recipients.
>
> us...@example.com  us...@example1.com us...@example2.com
> us...@example.com  us...@example1.com us...@example2.com
> ...
>
>
>
>  -- Noel Jones
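The approach Noel recommends above, as an added example that is not code from the thread or from Postfix itself: generate the virtual_alias_maps source from a list of known-valid recipients instead of a wildcard "@DOM.com" entry, so recipient validation still applies. The domain names, the recipient list and the validation regex are assumptions made for this illustration; the map lines it prints are in the standard "key<TAB>value" form that postmap expects.

```python
"""Generate Postfix virtual_alias_maps lines that fan every valid recipient
at one domain out to the same local part at two other domains.

Added example, not part of the original thread.  Domain names and the
recipient list are constructed for illustration.
"""
import re

# Conservative "dot-atom" local part: enough for ordinary mailbox names and
# it rejects an empty local part, i.e. the wildcard "@dom.com" form that
# bypasses recipient validation (hypothetical pattern chosen for this example).
LOCAL_PART = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$"
)


def build_virtual_map(source_domain, target_domains, recipients):
    """Return the lines of a virtual_alias_maps source file.

    recipients: iterable of local parts (or full addresses at source_domain)
    that are known to be valid.  Each produces one line:
        user@source<TAB>user@target1, user@target2
    Duplicates (case-insensitive) are collapsed; an invalid local part or a
    foreign domain raises ValueError so a bad input list never silently
    produces a map that misroutes or over-accepts mail.
    """
    lines = []
    seen = set()
    for entry in recipients:
        entry = entry.strip()
        if not entry:
            continue
        local = entry
        if "@" in entry:
            local, _, domain = entry.partition("@")
            if domain.lower() != source_domain.lower():
                raise ValueError(f"{entry}: not an address in {source_domain}")
        if not LOCAL_PART.match(local):
            raise ValueError(f"{entry}: invalid local part (wildcards are not allowed)")
        key = local.lower()
        if key in seen:
            continue
        seen.add(key)
        targets = ", ".join(f"{local}@{d}" for d in target_domains)
        lines.append(f"{local}@{source_domain}\t{targets}")
    return lines


# Constructed sample list, e.g. exported from the source domain's mailbox store.
SAMPLE_RECIPIENTS = ["alice", "bob@dom.com", "Alice", "", "carol.smith"]

if __name__ == "__main__":
    for line in build_virtual_map("dom.com", ["dom1.com", "dom2.com"], SAMPLE_RECIPIENTS):
        print(line)
    # Then: write the output to /etc/postfix/virtual, run postmap on it,
    # and list it in virtual_alias_maps.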



address rewrite

2015-11-09 Thread Paul A
I have a situation where an email from Comcast alert services is getting
rejected: as the email comes in to my postfix server it gets forwarded to my
phone, and the service provider looks up SPF for my domain and rejects the
email as it should. I wanted to rewrite the address to remove the
@comcast.com and replace it with @mydomain. I tested this with sender_canonical
and it works for sending email from my server as expected, but I need a way
to change the email address as it comes in from the remote SMTP client to my
postfix server. I think I got it working with header checks but it seems
like there should be a better solution. Can anyone recommend another way to
change the sender's email address? I tried recipient_canonical but that did
not work, not sure if it's because I did not configure
local_header_rewrite_clients.
Thanks, paul



RE: Compromised Passwords

2014-03-05 Thread Paul A
What has worked for me.

Develop a policy where users must have an 8 character minimum password that is not
dictionary based. Linux PAM for example helps with this.

Then obtain and run fail2ban against your smtp/pop/imap logs. Most passwords
are guessed using dictionary attacks; with fail2ban you can blacklist IPs
if they get the password wrong X number of times.

This will not stop 100% of the spam due to compromised accounts, as some
accounts are compromised from the user's PC, but for me it has made a huge
improvement: it has cut down on spam generated from my servers by 98%. The
other thing to do is subscribe to yahoo/aol/etc spam feedback loops, as this
will let you know if there is spam from your network and email you, at which
point you can minimize the issue and fix the problem.


I used to have an issue with compromised accounts generating spam but using
the combination of things I mentioned above I have almost no issues. I now
go several months without any issues and haven't gotten blacklisted in years,
and this is running 4 smtp servers.

p

-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of lcon...@go2france.com
Sent: Wednesday, March 05, 2014 4:42 PM
To: postfix-users@postfix.org
Subject: Re: Compromised Passwords





On Wednesday 05/03/2014 at 9:25 am, Blake Hudson  wrote:
>
> Homer Wilson Smith wrote the following on 3/4/2014 4:38 PM:
>>
>>
>>Dear Gentle Folk,
>>
>>What is the state of the art in dealing with users whose SASL 
>> password has been compromised?
>>
>>Running CentOS, and latest postfix.
>>
>>When a password gets compromised, spam starts to pour out of 
>> the server from endless numbers of IP's, to endless numbers of 
>> addresses.
>>
>>Rate limiting is interesting but doesn't really stop the spam.
>>
>>Counting client=[IP] addresses until a threshold is reached is 
>> highly effective, but then what?  Change their password?
>>
>>Thanks in advance.
>>
>>Homer
>>
>
> Just to confirm what others have said. Yes. Monitor activity for 
> abusive/suspicious behavior and take action to stop it as soon as it's 
> discovered. If you can automate it, even better.
>
> While one could use a policy server, we chose to use an out of band 
> monitoring solution that used the postfix logs. We track emails sent 
> and then geolocate by IP of the client. If a single customer is 
> simultaneously (or very quickly) spending time in several countries or 
> continents then we know there's a problem. This has had a very low 
> false positive hit rate and does a good job of catching most of the 
> abuse we see coming from our customer accounts. We use other 
> thresholds based on volume to catch spam sent from one or two IP 
> addresses. Like another poster, we also use fail2ban, anvil, and have 
> minimum password requirements to help create a layered solution to 
> slow or prevent abuse in an automatic fashion.
>
> We typically change the password on accounts flagged for abuse and 
> then contact the customer to inform them of the problem and recommend 
> they take action to secure their systems and change their passwords on 
> any other accounts that may have shared similar credentials.
>
> --Blake

We run a dedicated outbound mx, omx1, which runs postfwd that does sender
rate limiting, at 3 levels of quantity.  This box's my_networks contains
only the 3 IPs of our 3 mail servers.

50 msgs max for everybody not whitelisted for the 50 msg limit.

700 msgs max for users we know are legit volume senders; those who send more than
50 but less than 700 are legit volume senders.

a few legit senders send over 700, so they have their own whitelist.

2000 msgs max for everybody, since no legit user sends that many.  So
even if one of the above whitelisted senders gets cracked, the cracker
is HOLDed at 2000 msgs.

when these limits are hit, postfwd returns a HOLD action to postfix
for that sender.

Monit is watching the HOLD queue and sends an alert.

On the box doing SMTP AUTH submission, we observed how many different
IPs legit users submitted from per day. That number was 10 IPs.

We run a script every 10 minutes that checks PER THIS HOUR for any
SMTP AUTH login that exceeds 10 IPs.

That script doesn't react to block that cracked SMTP AUTH user (that's
next), but does email an alert with username and number of SMTP AUTH
IPs.

this two-level checking has, so far, killed our exposure to password
cracks.


Len



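An added example, not code from this thread, from Len's or Paul's scripts, or from Postfix: it works the Postfix mail log instead of the queue files that Paul's "open relay" reply greps with strings, and it implements the check Len describes above, counting the distinct client IPs per SMTP AUTH user within each hour and flagging any user over a threshold (10 in Len's post). It also counts accepted submissions per user so the result can be compared against a volume limit like the postfwd levels above. The log lines are constructed in the shape of Postfix smtpd "client=" lines with sasl_username; hostnames, users, IPs, queue ids and the threshold are assumptions for the example.

```python
"""Flag SMTP AUTH accounts used from too many distinct client IPs in one
hour, and count submissions per account, from Postfix smtpd log lines.

Added example, not part of the original thread.  Sample log lines below are
constructed; user names, hosts, IPs and queue ids are invented.
"""
import re
from collections import defaultdict

# One smtpd line per accepted client connection; when the client
# authenticated, the line carries sasl_method= and sasl_username=.
CLIENT_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"postfix/smtpd\[\d+\]:\s+(?P<qid>[0-9A-F]+):\s+client=\S+?\[(?P<ip>[^\]]+)\]"
    r".*?sasl_username=(?P<user>\S+)"
)


def parse_auth_events(lines):
    """Yield (hour_key, user, ip, queue_id) for each authenticated smtpd line."""
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue  # unauthenticated connects, other daemons, etc.
        hour_key = f"{m['month']} {int(m['day']):02d} {m['hour']}"
        yield hour_key, m["user"].rstrip(","), m["ip"], m["qid"]


def per_hour_ip_counts(lines):
    """Map (hour_key, user) -> set of distinct client IPs seen in that hour."""
    ips = defaultdict(set)
    for hour_key, user, ip, _ in parse_auth_events(lines):
        ips[(hour_key, user)].add(ip)
    return ips


def flag_accounts(lines, max_ips_per_hour=10):
    """Return {user: largest distinct-IP count in any hour} for users over threshold."""
    flagged = {}
    for (_, user), ipset in per_hour_ip_counts(lines).items():
        if len(ipset) > max_ips_per_hour:
            flagged[user] = max(flagged.get(user, 0), len(ipset))
    return flagged


def messages_per_user(lines):
    """Count accepted authenticated submissions (one queue id each) per user."""
    qids = defaultdict(set)
    for _, user, _, qid in parse_auth_events(lines):
        qids[user].add(qid)
    return {u: len(q) for u, q in qids.items()}


def _log_line(day, hour, qid, ip, user):
    # Constructed line in the shape Postfix smtpd writes to mail.log.
    return (f"Mar {day:2d} {hour:02d}:15:00 mx1 postfix/smtpd[4242]: {qid}: "
            f"client=unknown[{ip}], sasl_method=PLAIN, sasl_username={user}")


# Constructed sample: alice submits from 2 IPs, bob from 12 IPs within one hour,
# plus one unauthenticated connect that must be ignored.
SAMPLE_LOG = (
    [_log_line(5, 9, "A1B2C%02X" % i, f"10.0.0.{i}", "alice@example.com") for i in range(2)]
    + [_log_line(5, 10, "D3E4F%02X" % i, f"198.51.100.{i}", "bob@example.com") for i in range(12)]
    + ["Mar  5 10:16:00 mx1 postfix/smtpd[4242]: connect from unknown[203.0.113.7]"]
)

if __name__ == "__main__":
    for user, n in flag_accounts(SAMPLE_LOG).items():
        print(f"ALERT: {user} authenticated from {n} distinct IPs within one hour")
    for user, n in sorted(messages_per_user(SAMPLE_LOG).items()):
        print(f"{user}: {n} submissions")
```

Run it from cron every few minutes over the current mail.log (or feed it the lines journalctl returns for postfix/smtpd); the flagged dictionary is what an alert mail would carry, and the per-user counts are the input a volume threshold would be applied to.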