Re: TLS issue

2016-12-02 Thread Paweł Grzesik
That looks like a problem with your certificates.
You can check/verify them with the openssl command.

Thanks,
Pawel

2016-12-02 9:22 GMT+00:00 Zalezny Niezalezny :

> Hi,
>
> we have a problem with TLS on our Postfix server
>
>
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: connect from
> smtptransit.de.net.intra[152.21.2.44]
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error
> from smtptransit.de.net.intra[152.21.2.44]: -1
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS
> library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
> shared cipher:s3_srvr.c:1352:
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: lost connection
> after STARTTLS from smtptransit.de.net.intra[152.21.2.44]
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: disconnect from
> smtptransit.de.net.intra[152.21.2.44]
>
>
>
>
> But to be honest I do not understand what this is. Maybe somebody will be
> able to help here and explain.
>
>
> Thanks in advance.
>
> Zalezny
>


Re: Load balance outgoing message

2016-11-16 Thread Paweł Grzesik
Not sure about postfix, but for sure you can use "haproxy".
It might be easier to maintain it then.

Thanks,
Pawel

2016-11-16 11:27 GMT+00:00 Marcelo Machado :

> Hi everybody.
>
> Is it possible with postfix to send messages to multiple smart hosts randomly
> from a single domain?
>
> Marcelo Gomes
>


Re: From in Body mail

2016-10-21 Thread Paweł Grzesik
> DATA
> 354 End data with .
> From: j...@mailtest.example.com
> To: pa...@mailtest.example.com
> Subject: Testing SCAM
> Text: ABC123
> .
> 250 2.0.0 Ok: queued as 481D6C76B6

But I'm talking about this part. So here we have DATA, where I can
type From:, To: and Subject:, then the message, and the e-mail will go
from the "From:" instead of the one from the header "MAIL FROM:".

The problem is that most e-mail clients will show that From
in the From. I'm not sure if there is a way to block it? Or am I
missing something?

Thanks


2016-10-21 16:34 GMT+01:00 Noel Jones <njo...@megan.vbhcs.org>:

> On 10/21/2016 1:50 AM, Paweł Grzesik wrote:
> > Hi Noel,
> >
> > This is how I'm doing it:
> >
> > [user@mailtest ~]# telnet localhost 25
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 mailtest.example.com ESMTP Postfix
> > HELO mailtest
> > 250 mailtest.example.com
> > MAIL FROM: <r...@google.com>
> > 250 2.1.0 Ok
> > RCPT TO: pa...@example.com
> > 250 2.1.5 Ok
> > DATA
> > 354 End data with .
> > From: j...@mailtest.example.com
> > To: pa...@mailtest.example.com
> > Subject: Testing SCAM
> > Text: ABC123
> > .
> > 250 2.0.0 Ok: queued as 481D6C76B6
>
>
> That's a header, not the body, and is not used for anything other
> than display in your mail client.  Looks as if you've discovered
> that the From: header doesn't have any relation to the envelope
> sender.  This is a basic feature and requirement of mail.
>
>
>   -- Noel Jones
>
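
Added example (not part of the original messages): the envelope/header split described in the reply above, as a Ruby parser over a constructed SMTP dialogue. Function names and addresses are hypothetical; note that a domain mismatch on its own is also common in legitimate mail such as mailing-list traffic.

```ruby
# Constructed client-side SMTP dialogue modelled on the telnet test in this
# thread; all addresses are placeholders.
SESSION = <<~SMTP.lines.map(&:chomp)
  HELO mailtest
  MAIL FROM:<robot@sender.example>
  RCPT TO:<pat@mailtest.example.com>
  DATA
  From: "Jo" <jo@mailtest.example.com>
  To: pat@mailtest.example.com
  Subject: Testing

  From: this line is body text, not a header
  .
SMTP

# Address inside <...> if present, otherwise the bare text.
def addr_of(text)
  (text[/<([^<>]*)>/, 1] || text.strip).downcase
end

# Separate the envelope (MAIL FROM / RCPT TO commands) from the message
# headers sent after DATA. Headers end at the first empty line.
def split_session(lines)
  env = { mail_from: nil, rcpt_to: [] }
  headers = []
  state = :commands
  lines.each do |line|
    case state
    when :commands
      case line
      when /\AMAIL FROM:\s*(.*)\z/i then env[:mail_from] = addr_of($1)
      when /\ARCPT TO:\s*(.*)\z/i   then env[:rcpt_to] << addr_of($1)
      when /\ADATA\z/i              then state = :headers
      end
    when :headers
      if line == "."
        state = :commands
      elsif line.empty?
        state = :body
      elsif line.start_with?(" ", "\t") && !headers.empty?
        headers.last << " " << line.strip # folded header continuation
      else
        headers << line.dup
      end
    when :body
      state = :commands if line == "."
    end
  end
  from = headers.find { |h| h =~ /\AFrom:/i }
  env.merge(header_from: from && addr_of(from.sub(/\AFrom:/i, "")))
end

# True when the envelope sender and the displayed From: use different domains.
def from_mismatch?(parsed)
  domain = ->(addr) { addr.to_s.split("@", 2)[1] }
  domain.call(parsed[:mail_from]) != domain.call(parsed[:header_from])
end

p split_session(SESSION) if __FILE__ == $PROGRAM_NAME
```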


Re: From in Body mail

2016-10-21 Thread Paweł Grzesik
Hi Noel,

This is how I'm doing it:

[user@mailtest ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailtest.example.com ESMTP Postfix
HELO mailtest
250 mailtest.example.com
MAIL FROM: <r...@google.com>
250 2.1.0 Ok
RCPT TO: pa...@example.com
250 2.1.5 Ok
DATA
354 End data with .
From: j...@mailtest.example.com
To: pa...@mailtest.example.com
Subject: Testing SCAM
Text: ABC123
.
250 2.0.0 Ok: queued as 481D6C76B6

And this is my postfix config:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = hash:/etc/postfix/local_recipients
mail_owner = postfix
mailbox_size_limit = 222880
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25165824
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
    mail.$mydomain, mmsin.$mydomain
mydomain = mailtest.example.com
myhostname = mailtest.example.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps = hash:/etc/postfix/bcc_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access regexp:/etc/postfix/alert_redirections,
    check_client_access hash:/etc/postfix/live_systems,
    check_client_access hash:/etc/postfix/rbl_whitelist,
    check_recipient_access pcre:/etc/postfix/special_recipients,
    reject_unauth_pipelining,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/opera_access,
    check_client_access hash:/etc/postfix/epdq_access,
    check_sender_access pcre:/etc/postfix/sender_address_checks,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_rbl_client truncate.gbudb.net,
    reject_rbl new.spam.dnsbl.sorbs.net,
    reject_rbl zen.spamhaus.org,
    check_sender_access regexp:/etc/postfix/reject_fake_brainstorm,
    permit
smtpd_restriction_classes = insiders_only
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_checks
smtpd_timeout = 45s
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mailtest.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mailtest.example.com.key
smtpd_tls_security_level = may
virtual_alias_domains = o2open.co.uk
virtual_alias_maps = pcre:/etc/postfix/virtual

Thanks,
Pawel

2016-10-20 21:41 GMT+01:00 Noel Jones <njo...@megan.vbhcs.org>:

> On 10/20/2016 3:08 PM, Paweł Grzesik wrote:
> > Just telnet to any host on port 25 and type From: some_real_email
> > and the email will be sent. I think that's how scam works.
>
>
> That doesn't work with postfix.  Either your description or your
> test method is wrong.
>
>
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 server.example.com ESTMP
> From: u...@example.com
> 221 2.7.0 Error: I can break rules, too. Goodbye.
> Connection closed by foreign host.
>
>
>
>
>


Re: From in Body mail

2016-10-20 Thread Paweł Grzesik
Just telnet to any host on port 25 and type From: some_real_email and the email
will be sent. I think that's how scam works.

On Oct 20, 2016 6:21 PM, "Noel Jones" <njo...@megan.vbhcs.org> wrote:

> On 10/20/2016 8:46 AM, Paweł Grzesik wrote:
> > Hi All,
> >
> > I noticed that it's really easy to send an e-mail as a real user by
> > simply typing in the mail body:
> >
> > From: 
> >
> > Is there any way to prevent this? I checked that even when we specify
> > MAIL FROM: 
> >
> > and then in the body:
> > From: 
> >
> > postfix will send an e-mail with From: , the one from the body.
> > It doesn't sound right.
> >
> > Thanks,
> > Pawel
>
>
>
> Please provide a sample file that demonstrates the problem, along
> with your "postconf -n" and postfix logs while processing that file.
>
>
>
>   -- Noel Jones
>


From in Body mail

2016-10-20 Thread Paweł Grzesik
Hi All,

I noticed that it's really easy to send an e-mail as a real user by simply
typing in the mail body:

From: 

Is there any way to prevent this? I checked that even when we specify
MAIL FROM: 

and then in the body:
From: 

postfix will send an e-mail with From: , the one from the body.
It doesn't sound right.

Thanks,
Pawel


Re: smtpd do not try to resolve client ip while working in chroot

2016-10-17 Thread Paweł Grzesik
You can also log in to the chroot environment and try
to execute some commands like telnet or mtr to see if
networking is working as expected.

2016-10-17 18:14 GMT+01:00 Wietse Venema :

> ? ?:
> > Postfix 3.1.1
> >
> > > disable_dns_lookups = no
> > > lmtp_host_lookup = dns
> > > smtp_host_lookup = dns
> > > disable_dns_lookups = no
> > >
> > > # diff /etc/nsswitch.conf /var/spool/postfix/etc/nsswitch.conf | wc -l
> > > 0
>
> If chroot makes a difference, then you have some file difference.
>
> There are more files that determine host lookups. The first one
> that comes to mind is resolv.conf.
>
> Also don't overlook file/directory permission differences.
>
> Wietse
>


Re: how to proper use content_filter

2016-10-15 Thread Paweł Grzesik
Ok, now it's starting to be much clearer.
Really appreciate your help and time!

Thanks,
Pawel

2016-10-14 11:45 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > It's of course not production code. I'm only trying to
> > learn and understand how exactly it works.
> >
> > I cannot find anything about "--" in the postfix documentation
> > (or I'm looking on the wrong page?). Is there any explanation
> > somewhere? (instead of at the source code).
>
> Look at "man getopt", i.e. the SYSTEM LIBRARY function that
> parses command-line options. Without the '--' before the recipients,
> a recipient address starting with '-' would change the way that the
> sendmail command works.
>
> Wietse
>


Re: how to proper use content_filter

2016-10-14 Thread Paweł Grzesik
It's of course not production code. I'm only trying to
learn and understand how exactly it works.

I cannot find anything about "--" in the postfix documentation
(or I'm looking on the wrong page?). Is there any explanation
somewhere? (instead of at the source code).

Thanks for your help!

2016-10-14 1:07 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > I think I can do the same in Ruby using IO.popen like:
> >
> >   IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|
> >
> > as I see in this case I don't even need to use my_str with \" \".
> >
> > But I'm still confused about -f option in master.cf, and characters "--"
> > between ${sender} and ${recipient}.
> > Why is that?
>
> Specify
>
> popen(["/usr/sbin/sendmail", "-G", "-i", "-f", sender, "--", my_str], "w")
>
> The -- is needed to close a different security hole.
>
> If you don't know about these bugs that go back to 1996 and earlier,
> then please don't write code that handles network data.
>
> Wietse
>


Re: how to proper use content_filter

2016-10-13 Thread Paweł Grzesik
I think I can do the same in Ruby using IO.popen like:

  IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|

as I see in this case I don't even need to use my_str with \" \".

But I'm still confused about -f option in master.cf, and characters "--"
between ${sender} and ${recipient}.
Why is that?

Thanks,
Pawel

2016-10-13 21:24 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > Good point. I changed it to:
> >
> > IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|
> >
> > So now it should be secure (same as using $@ instead of $*).
> > Am I right? or I'm still missing something?
>
> Sorry, that is still a shell command line. You need an API that
> passes a vector of arguments, not a command line.
>
> Such as Python's
>
> os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w").
>
> This bug is actually very old. An early publication is at
> https://www.cert.org/historical/advisories/CA-1996-06.cfm
>
> Wietse
>


Re: how to proper use content_filter

2016-10-13 Thread Paweł Grzesik
Good point. I changed it to:

IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|

So now it should be secure (same as using $@ instead of $*).
Am I right? or I'm still missing something?

Thanks,
Pawel

2016-10-13 11:50 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|
>
> And there you have a giant security hole. What happens if an email
> address contains shell special characters? You specify flags=Rq in
> the pipe daemon command, but that quotes email addresses according
> to RFC822, not to make them resistant against shell command injection.
>
> (Note that the shell script example in FILTER_README does not
> have this issue because that does not re-parse its arguments).
>
> Wietse
>


how to proper use content_filter

2016-10-13 Thread Paweł Grzesik
Hi All,

I'm trying to understand how content_filter works. According to the
documentation I can create a simple script and use content_filter to send
an e-mail to it.

That's my config of master.cf:

proxy     unix  -       n       n       -       10      pipe
   flags=Rq user=filter null_sender=
   argv=/usr/local/bin/proxy -f ${sender} ${recipient}

smtp  inet  n   -   n   -   -   smtpd
  -o content_filter=proxy:dummy

So that's exactly the same as an example from the doc.

And now, my script is:

IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|
  pipe.puts @mail_content
  pipe.close_write
end

Where my_str is a string of all arguments (sender and recipients):

ARGV.each { |recipient| my_str.concat("#{recipient} ") }

which is basically:
"-f sender@mymail user1@mymail user2@mymail"

The point of using it that way is because I noticed that the bcc e-mail is on
that list and at the same time it's not in the mail headers. So I'm sending
that list of all recipients to sendmail so I can put the e-mail again in
the queue without changing anything (and not losing bcc).

It works fine, but when I changed it to Golang and did mostly the same:

func sendMail(recipients string, maildata []byte) int {
  cmd := exec.Command("/usr/sbin/sendmail", "-G", "-i", recipients)
  pipe, err := cmd.StdinPipe()

  if err != nil {
    log.Fatal(err)
  }

  if err = cmd.Start(); err != nil {
    log.Fatal(err)
  }

  fmt.Fprintf(pipe, "%s", maildata)
  err = pipe.Close()

  if err != nil {
    log.Fatal(err)
  }
  return 0
}

So exactly like in Ruby I'm executing sendmail:
  /usr/sbin/sendmail -G -i (recipients from postfix ARGS)

but that does not work; in the logs I have:
  warning: -f option specified malformed sender: ...
and
  fatal: Recipient addresses must be specified on the command line or via
the -t option

I'm not really sure why that is. Why does it work in Ruby and not in Go? I'm
calling it in exactly the same way and I have the same output on the
console. How should I handle it?

Can someone give me some hint?

Thanks,
Pawel
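
Added example (not code from this thread or from Postfix): a Ruby sketch of the re-injection step, showing that joining all arguments into one element, as the Go call above does, hands sendmail a single argv entry beginning with "-f", while the argument-vector form advised in the replies ("-f", the sender, "--", then one element per recipient) keeps every address intact. A stand-in script replaces /usr/sbin/sendmail so it runs offline; the helper names and sample addresses are assumptions.

```ruby
require "tempfile"
require "rbconfig"

# Stand-in for /usr/sbin/sendmail, constructed for this example: it drains
# stdin and prints the arguments it received, NUL-separated.
STUB = 'STDIN.read; print ARGV.join("\0")'

# Run the stand-in with an argument VECTOR. The array form of IO.popen does
# not start a shell, so each element arrives as exactly one argv entry.
def child_sees(args, message = "Subject: test\n\nbody\n")
  Tempfile.create(["fake_sendmail", ".rb"]) do |f|
    f.write(STUB)
    f.flush
    IO.popen([RbConfig.ruby, f.path, *args], "r+") do |pipe|
      pipe.write(message)
      pipe.close_write
      pipe.read.split("\0")
    end
  end
end

# The pipe(8) entry on this page runs the filter as
#   proxy -f ${sender} ${recipient}
# so ARGV is ["-f", sender, rcpt1, rcpt2, ...]. Split it instead of joining.
def parse_filter_args(argv)
  ok = argv[0] == "-f" && argv.size >= 3
  raise ArgumentError, "expected -f SENDER RCPT..." unless ok
  [argv[1], argv.drop(2)]
end

# Vector for re-injection: "-f" and the sender are separate elements, "--"
# ends option parsing, and every recipient is its own element.
def reinject_argv(sender, recipients)
  ["-G", "-i", "-f", sender, "--", *recipients]
end

# Constructed filter arguments; two recipients are deliberately awkward.
FILTER_ARGV = ["-f", "sender@mymail", "user1@mymail",
               "-dash@mymail", "o'brien;x@mymail"].freeze

# Everything joined into ONE element, as in the Go call on this page.
def joined_case
  child_sees(["-G", "-i", FILTER_ARGV.join(" ")])
end

def vector_case
  sender, rcpts = parse_filter_args(FILTER_ARGV)
  child_sees(reinject_argv(sender, rcpts))
end

if __FILE__ == $PROGRAM_NAME
  puts "joined: #{joined_case.inspect}"
  puts "vector: #{vector_case.inspect}"
end
```

In the joined case the child receives three arguments, the last being the whole "-f sender rcpt ..." string, which matches the "malformed sender" and "Recipient addresses must be specified" messages quoted above.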


Re: R: Identifing bounce messages whene queue lifetime is expired

2016-10-05 Thread Paweł Grzesik
Maybe setting up:

your domain
* discard:

in your transport will do something similar? I'm not really sure what's your
plan for that. Why do you need to do it?

2016-10-05 11:04 GMT+01:00 Wietse Venema :

> i...@itrezero.it:
> > Last question: is it possible to send bounce messages derived from
> > maxlife-in-queue-expiration to something like /dev/null :-) and not
> > treating them as normal bounces?
>
> That functionality is not built into Postfix.
>
> Wietse
>


Re: Limit recipient in To Cc and Bcc (Milter)

2016-09-11 Thread Paweł Grzesik
You can also use your own script to deal with it (for example using
content_filter).
But I agree with Peter. That doesn't sound like a good idea at all, so the
best might be to understand the client: why he wants something like this.

Thanks,
Pawel

2016-09-11 2:53 GMT+01:00 Peter :

> On 11/09/16 13:44, Marcelo Machado wrote:
> > I know what I'm asking is not usual, but it is a request of a customer
> > of the company where I work, and I have to solve this.
> >
> > In fact, the full request is: in any email that has more than one
> > recipient, the e-mail server should only consider the first recipient
> > and discard the others. No error message is needed. It is possible?
>
> ...in fact, you should be asking the customer why he wants to do this.
> It sounds like a very misguided request in an attempt to solve some
> problem where there is likely a better solution, see:
>
> http://xyproblem.info/
>
>
> Peter
>


Re: Webmin with Postfix: recommended or not.

2016-03-27 Thread Paweł Grzesik
Nowadays I would say that it's probably better to go for an Ansible/Puppet
postfix module to manage it.

Thanks,
Pawel

2016-03-27 14:35 GMT+01:00 jason hirsh :

> I don't know if this is an appropriate place or not
>
> I use WEBMIN with the Postfix module and find it very useful for helping
> me with my Postfix installation
>
> On Mar 27, 2016, at 8:34 AM, Tom Browder  wrote:
>
> Wow, you must be having a bad day! I hope you feel better soon.
>
> Happy Easter, for He is risen!
>
> Best regards,
>
> -Tom
>
> On Sunday, March 27, 2016, Matthew McGehrin 
> wrote:
>
>> Fuck off.  I don't care about your sorry ass Webmin. This ain't the place.
>>
>>
>>
>> Tom Browder wrote:
>>
>>> I am considering using Webmin on my servers and see that it has a
>>> Postfix module. Does anyone have any experience with it or have an opinion
>>> to offer ref its ability to manage Postfix?
>>>
>>> Thanks.
>>>
>>> Best regards,
>>>
>>> -Tom
>>>
>>
>


Re: Problem with BCC in content_filter

2016-03-05 Thread Paweł Grzesik
2016-03-05 0:56 GMT+00:00 Wietse Venema :

> Paweł Grzesik:
> > Mar  4 22:52:09 mailtest postfix/pipe[16692]: EA9ACC794C: to=<p...@gmail.com>,
> > relay=dlp, delay=1.1, delays=0.31/0.01/0/0.78, dsn=2.0.0, status=sent
> > (delivered via tool service)
> > Mar  4 22:52:09 mailtest postfix/pipe[16693]: EA9ACC794C: to=,
> > relay=dlp, delay=1.1, delays=0.31/0.01/0/0.82, dsn=2.0.0, status=sent
> > (delivered via tool service)
>
> Mail for both recipients was delivered to the tool. They were
> delivered by different pipe daemon processes, one with pid=16692
> and one with pid=16693.
>

Yes, you're right, and I just figured out where the problem is. That BCC was
simply in my ARGV[3] and my script was not doing anything with it, so that's
why there was no error and nothing in the logs. As I see it's only for BCC.


> > But then in my tool I don't see anything except the first testone@ -> pone@.
> > Nothing about ptwo@.
>
> So the tool lost the bcc recipient, i.e. the one that is not
> present in the mail header.
>
> > Am I doing something wrong? How can I debug it?
>
> To debug, have the tool log the command line arguments.
>

Thanks for an important clue Wietse! :-)


>
> Wietse
>

Thanks,
Pawel


Problem with BCC in content_filter

2016-03-04 Thread Paweł Grzesik
Hi All,

I'm having a problem when an e-mail has BCC. The problem is that I don't
see anything in my logs in my script, or in strace. It's somehow missing.
I'm sure that postfix (pipe) is calling my script since I have in the logs:

Mar  4 22:52:08 mailtest postfix/qmgr[16324]: EA9ACC794C:
from=, size=1511, nrcpt=2 (queue active)
Mar  4 22:52:09 mailtest postfix/pipe[16692]: EA9ACC794C: to=,
relay=dlp, delay=1.1, delays=0.31/0.01/0/0.78, dsn=2.0.0, status=sent
(delivered via tool service)
Mar  4 22:52:09 mailtest postfix/pipe[16693]: EA9ACC794C: to=,
relay=dlp, delay=1.1, delays=0.31/0.01/0/0.82, dsn=2.0.0, status=sent
(delivered via tool service)
Mar  4 22:52:09 mailtest postfix/qmgr[16324]: EA9ACC794C: removed

So as I see there is a:

(delivered via tool service)

in both to= and bcc= (which is the second one: ptwo@).
But then in my tool I don't see anything except the first testone@ -> pone@.
Nothing about ptwo@.
I used strace in content_filter but it's exactly the same result. Nothing
about ptwo@.

Am I doing something wrong? How can I debug it?

Thanks,
Pawel