Re: CVE-2015-7547

2016-02-23 Thread Robert Lopez
wrt: Patches are available.
We have all the patches for all our systems already downloaded. Our
concern is when we need to do the patching. Some want to take all the
college's data center systems down to patch right away. Others want to wait
for time slots which would not take down so many systems critical to the
college.

I asked here with specific concern about threat to servers running Postfix.

On Tue, Feb 23, 2016 at 2:03 PM, Marius Gologan <marius.golo...@gmail.com>
wrote:

> This one is better:
> http://www.liquidweb.com/kb/protecting-against-cve-2015-7547/
>
> *From:* Marius Gologan <marius.golo...@gmail.com>
> *Sent:* Tuesday, February 23, 2016 11:01 PM
> *To:* 'Robert Lopez'; 'Postfix users'
> *Subject:* RE: CVE-2015-7547
>
> Patches are available for most Linux distributions. You need to verify
> your version and update in case it is necessary:
>
> http://www.cyberciti.biz/faq/linux-patch-cve-2015-7547-glibc-getaddrinfo-stack-based-buffer-overflow/
>
> *From:* owner-postfix-us...@postfix.org *On Behalf Of* Robert Lopez
> *Sent:* Tuesday, February 23, 2016 10:57 PM
> *To:* Postfix users
> *Subject:* CVE-2015-7547
>
> Does anyone have any knowledge of postfix being exploited via
> CVE-2015-7547, glibc stack-based buffer overflow in getaddrinfo()? Any
> concerns about the exploitability?
>
> Discussion here about how fast we must patch glibc.
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>



-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


CVE-2015-7547

2016-02-23 Thread Robert Lopez
Does anyone have any knowledge of postfix being exploited via
CVE-2015-7547, glibc stack-based buffer overflow in getaddrinfo()? Any
concerns about the exploitability?

Discussion here about how fast we must patch glibc.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
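The question in this thread is whether the gateways must come down right away. Whichever window is chosen, there is one check worth running after the glibc package has been updated, because the update only changes the file on disk: any daemon that loaded the old library before the update, master(8) and its children included, keeps executing the old copy until it is restarted. The script below is an added example for this thread, not something from the list or from Postfix. It reports such processes; the only thing it assumes is Linux's /proc layout, where a mapping whose file has been replaced is shown with a "(deleted)" suffix. The proc root is a parameter only so the scan can be pointed at the constructed tree built by `sample_proc_tree`.

```sh
#!/bin/sh
# Added example, not from the thread: find processes still running a glibc
# that has been replaced on disk. RPM/dpkg updates write a new file, so a
# process that loaded the old one keeps it mapped and the kernel tags the
# mapping "(deleted)" in /proc/PID/maps. Such a process is still running the
# unpatched code, whatever "rpm -q glibc" says, until it is restarted.

# Print "PID COMM" for every process whose libc mapping is a deleted file.
# The first argument defaults to /proc; it is a parameter only so the scan can
# be pointed at a constructed tree (see sample_proc_tree below).
stale_libc_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        # matches libc-2.12.so or libc.so.6, but not libcrypto/libcom_err
        if grep -qE '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$maps"; then
            comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Constructed /proc look-alike for trying the scan offline: pid 101 (smtpd)
# still maps a libc that has been replaced, pid 202 (master) was started
# after the update and maps the current file. Addresses are made up.
sample_proc_tree() {
    root=$1
    mkdir -p "$root/101" "$root/202"
    printf '7f3c5a000000-7f3c5a18b000 r-xp 00000000 08:01 131 /lib64/libc-2.12.so (deleted)\n' > "$root/101/maps"
    printf 'smtpd\n' > "$root/101/comm"
    printf '7f9e10000000-7f9e1018b000 r-xp 00000000 08:01 942 /lib64/libc-2.12.so\n' > "$root/202/maps"
    printf 'master\n' > "$root/202/comm"
}

# Real run (root sees every process):      stale_libc_pids | sort -k2
# Dry run against the constructed tree:    d=$(mktemp -d); sample_proc_tree "$d"; stale_libc_pids "$d"
```

Run it as root, otherwise only your own processes are visible. For Postfix specifically, `postfix reload` is not enough to clear the list, since master(8) itself stays running; `postfix stop` followed by `postfix start` restarts everything. The check says nothing about whether a given stale process is reachable through the getaddrinfo() bug, only that it is still running the pre-update code.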


Re: valid email addresses being rejected

2014-10-13 Thread Robert Lopez
On Fri, Oct 10, 2014 at 10:56 PM, Viktor Dukhovni
postfix-us...@dukhovni.org wrote:
 On Fri, Oct 10, 2014 at 03:35:09PM -0600, Robert Lopez wrote:

  Please see:
  http://www.postfix.org/DATABASE_README.html#safe_db

 The question "So these errors happen while the file is being rebuilt,
 right?" is a very good question but it is difficult for me to answer
 with certainty.

 Just follow the guidelines at the URL Noel posted.  If you use CDB
 tables instead of Berkeley DB, the problem never happens.  CDB
 rebuilds are atomic.  I highly recommend CDB for indexed files that
 are rebuilt from scratch each time.

 --
 Viktor.

Today is the first time I have paid any attention to CDB.
In looking at it, questions come to mind:
Is D.J.B. version 0.75 considered production ready or development?
Is the new database created with CDB mv'd into place after it is
created and tested or is the new one built to the file Postfix is
reading?
Wrt: "For the same reason the cdb map type cannot be used to store
the persistent address verification cache for the verify(8) service":
Isn't the verify service used to access the virtualaliases database I
am using? (Unfortunately, see original posting.)

-- 
Robert Lopez


valid email addresses being rejected

2014-10-10 Thread Robert Lopez
Problem: Valid email addresses being rejected.
Problem appears to be intermittent; difficult to tell most rejections
are legitimate.
Not found in a hash named virtualaliases.db
 virtual_alias_maps = hash:/etc/postfix/virtualaliases
When the problem has been reported the addresses are found in the file.

Questions:
Could the hash file be too large?
Is there a configuration error causing this problem?


maillog sample line:
Oct 10 12:42:42 mg08 postfix/smtpd[23005]: NOQUEUE: reject: RCPT from
unknown[207.46.163.XXX]: 550 5.1.1 <a...@cnm.edu>: Recipient
address rejected: User unknown in local recipient table;
from=<aaa...@livecnm.onmicrosoft.com> to=<aa...@cnm.edu>
proto=ESMTP helo=-bn1-obe.outbound.protection.outlook.com

Email account is there:
[root@mg08 log]$ grep A /etc/postfix/virtualaliases
Aaa...@aa.cnm.edu

Map involved:
virtual_alias_maps = hash:/etc/postfix/virtualaliases
[root@mg08 ~]# ls -l /etc/postfix/virtualaliases*
-rw-r--r-- 1 root root  5053731 Oct 10 12:35 /etc/postfix/virtualaliases
-rw-r--r-- 1 root root 10485760 Oct 10 12:35 /etc/postfix/virtualaliases.db
[root@mg08 ~]# wc -l /etc/postfix/virtualaliases
107195 /etc/postfix/virtualaliases

postfinger output:
http://pastebin.com/ZjSBT4cn


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: valid email addresses being rejected

2014-10-10 Thread Robert Lopez
On Fri, Oct 10, 2014 at 2:09 PM, Noel Jones njo...@megan.vbhcs.org wrote:
 On 10/10/2014 2:21 PM, Robert Lopez wrote:
 Problem: Valid email addresses being rejected.
 Problem appears to be intermittent; difficult to tell most rejections
 are legitimate.
 Not found in a hash named virtualaliases.db
  virtual_alias_maps = hash:/etc/postfix/virtualaliases
 When the problem has been reported the addresses are found in the file.

 Questions:
 Could the hash file be too large?
 Is there a configuration error causing this problem?


 So these errors happen while the file is being rebuilt, right?

 Please see:
 http://www.postfix.org/DATABASE_README.html#safe_db



   -- Noel Jones

The question "So these errors happen while the file is being rebuilt,
right?" is a very good question but it is difficult for me to answer
with certainty.

One of our email gateways collects data and builds the input file
every hour per a cronjob:
root@mg06:/var/local/vaproc/bin# crontab -l | grep bld_aliases
35 * * * * /var/local/vaproc/bin/bld_aliases.sh
After that cronjob has run each gateway has a new copy of the
virtualaliases file and each executes a postmap and a reload.
I collected the log lines from all the gateways and counted the number
of events in each minute of every hour of all the days.
In that process I did not separate the legitimate from the problem
failures as I could not conceive of a way to do it.
A graph of the data (I am not sure the attachment will make it to the
discussion list) shows two high time areas and the 35th minute is late
in one and not in the other peak at all.
Therefore I cannot have a good answer.

I looked at the "Please see".  Thanks!  I will try this out.


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


eventtimes.pdf
Description: Adobe PDF document
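Two things in this thread come together here: a hash: table that a cron job rebuilds every hour on each gateway, and occasional "User unknown" rejections for addresses that are in the source file. postmap(1) rewrites FILE.db in place, so a lookup that lands during the rebuild can fail. The script below is an added example, not from the thread or from Postfix, of rebuilding under a temporary name and renaming the finished table into place, which is the same mechanism that makes cdb: rebuilds atomic out of the box. On the verify(8) question: that service writes to its cache while Postfix runs, which is why cdb: is ruled out for it; virtual_alias_maps is only ever read, so cdb: or this rename approach both work for it. The `fake_postmap` stand-in exists only so the function can be tried without Postfix installed, and `POSTMAP` is a variable of this example, not a Postfix setting.

```sh
#!/bin/sh
# Added example, not from the thread or from Postfix: rebuild a hash: table
# without a window in which lookups can fail. "postmap hash:FILE" rewrites
# FILE.db in place, so an smtpd(8) that consults the table while the rebuild
# is running can miss a recipient that is in the source file. Building under a
# temporary name and renaming the finished .db is atomic: a reader sees either
# the complete old table or the complete new one.
#
# POSTMAP names the postmap binary; it is overridable only so the function can
# be exercised with the stand-in below.

safe_postmap() {
    src=$1             # source text file, e.g. /etc/postfix/virtualaliases
    probe_key=$2       # optional: a key that must resolve in the rebuilt table
    tmp="$src.tmp.$$"
    postmap_cmd=${POSTMAP:-postmap}

    cp -- "$src" "$tmp" || return 1
    if ! "$postmap_cmd" "hash:$tmp"; then
        rm -f -- "$tmp" "$tmp.db"
        return 1
    fi
    # Refuse to install a table that does not answer for a known key; this
    # catches a truncated or empty source file before it goes live.
    if [ -n "$probe_key" ]; then
        found=$("$postmap_cmd" -q "$probe_key" "hash:$tmp" 2>/dev/null || true)
        if [ -z "$found" ]; then
            echo "safe_postmap: $probe_key not in rebuilt table; keeping $src.db" >&2
            rm -f -- "$tmp" "$tmp.db"
            return 1
        fi
    fi
    # rename(2) replaces $src.db atomically; a daemon that still has the old
    # inode open keeps reading the old (complete) table until it reopens.
    mv -f -- "$tmp.db" "$src.db" && rm -f -- "$tmp"
}

# Stand-in for postmap(1) so the function can be tried without Postfix: writes
# an empty marker .db and answers -q lookups by searching the text file.
fake_postmap() {
    if [ "$1" = "-q" ]; then
        awk -v k="$2" '$1 == k { print $2; found = 1 } END { exit !found }' "${3#hash:}"
    else
        : > "${1#hash:}.db"
    fi
}

# On a gateway, in place of "postmap /etc/postfix/virtualaliases" in the
# hourly job:   safe_postmap /etc/postfix/virtualaliases postmaster@cnm.edu
```

The probe key should be an address that is always in the file (a postmaster alias is a natural choice); with it, a broken upstream export produces a log message and leaves the previous table in service instead of rejecting every recipient for an hour.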


[Aside] Alternatives to content inspection?

2013-10-11 Thread Robert Lopez
A recent postfix-users thread had comments (about Spamassassin) along the
lines of content inspection being evil by design. (Andreas and Stan)

In my mind content inspection would include anti-virus checking. Am I wrong?

I recognize postscreen as an effective defence. But there are other kinds
of attacks.

It seems the only thing to attempt to identify spear phishing is content
inspection. When someone takes the time and puts out the effort to target
an organization, appearing to be from that organization, I know of no other
way than to do pattern matching against email content. If I am trying the
wrong approach I would like to know.

What are the alternatives that are successfully used?  Especially in the
area of Spear Phishing?

-- 
Robert Lopez


Re: Fwd: postscreen log lines reporting warnings and fatal errors

2013-06-18 Thread Robert Lopez
After looking at past logs and seeing the errors only began after the
email gateway had been running for a few weeks, I deleted the
/var/lib/postfix/postscreen_cache.db.
Restarting postfix now has a happy postscreen+bdb again.


--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Fwd: postscreen log lines reporting warnings and fatal errors

2013-06-17 Thread Robert Lopez
It would not surprise me in the least to find out I did something wrong.   :-}

I know I did "yum install db4-devel" as part of packages I believed
were prerequisites to installing Postfix.
My recall is that I was missing a /usr/include file when test building
a Postfix and I did a "yum provides" that led me to the decision to
install db4-devel.

I am not convinced there are two copies of Berkeley DB installed.

Does this look like two Berkeley DB copies? ...

[root@mg08 ~]# locate postfix/postscreen
/etc/postfix/postscreen_access.cidr
/usr/libexec/postfix/postscreen
/var/lib/postfix/postscreen_cache.db
/var/www/postfix/postscreen.8.html
[root@mg08 ~]# ldd /usr/libexec/postfix/postscreen
linux-vdso.so.1 =>  (0x7fff31fff000)
libpcre.so.0 => /lib64/libpcre.so.0 (0x7fcc8fc38000)
libdb-4.7.so => /lib64/libdb-4.7.so (0x7fcc8f8c4000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x7fcc8f6aa000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x7fcc8f49)
libc.so.6 => /lib64/libc.so.6 (0x7fcc8f0fd000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7fcc8eedf000)
/lib64/ld-linux-x86-64.so.2 (0x7fcc8fe6d000)
[root@mg08 ~]# locate libdb
/lib64/libdb-4.7.so
/lib64/libdbus-1.so.3
/lib64/libdbus-1.so.3.4.0
/usr/lib64/libdb-4.7.so
/usr/lib64/libdb.so
/usr/lib64/libdb_cxx-4.7.so
/usr/lib64/libdb_cxx.so
/usr/lib64/libdbus-glib-1.so.2
/usr/lib64/libdbus-glib-1.so.2.1.0
/usr/share/doc/rsyslog-5.8.10/omlibdbi.html
[root@mg08 ~]# locate include/db
/usr/include/db.h
/usr/include/db4
/usr/include/db_185.h
/usr/include/db_cxx.h
/usr/include/db4/db.h
/usr/include/db4/db_185.h
/usr/include/db4/db_cxx.h
/usr/local/src/postfix-2.10.0/include/db_common.h


This is an install on a VM instance of Red Hat Enterprise Linux Server
release 6.4 (Santiago), Linux mg08 2.6.32-358.6.1.el6.x86_64 #1 SMP
Fri Mar 29 16:51:51 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux.


--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: Fwd: postscreen log lines reporting warnings and fatal errors

2013-06-17 Thread Robert Lopez
On Mon, Jun 17, 2013 at 2:11 PM, Wietse Venema wie...@porcupine.org wrote:

 I suggest that you install a compiled version of Postfix, and that
 you use a simpler program to become familiar with the process of
 building your own binaries.

There existed a project goal to install a postfix with postscreen.
The goal was set because one night a botnet had crashed two production
mail gateways which were both coming up on retirement dates.
The crashing had never been seen before (or since for that matter).

There exists another goal of moving all college RHEL4 and RHEL 5
physical servers to RHEL 6 on VM as they reach retirement.

The currently available Redhat yum package (binary) for RHEL 6 is postfix 2.6.6.

The ftp.wl0.org site has no package for RHEL 6.
It does have a 2.9 package for RHEL 5.

A development build of a VM using RHEL 5 and 2.9 from ftp.wl0.org was built.
Another development build of a VM using RHEL 6 and 2.10.0 from source was built.
A team of people examined both development servers and did not detect
the problem.

The postfix 2.10.0 compiled build on RHEL 6 was selected because it
satisfied both goals.

Another VM instance was built in a test environment using the exact
same scripts (except for IP and hostname; read from include file).
It was tested by another team for a few weeks and the current problem
was not detected.

A production server was built using all the same build scripts that
built the previous servers.
Only under real production load did the problem become apparent and
only after over two weeks of production use.

Wietse, Thank you. At this point I must take your advice to my team
and management to discuss our options.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


postscreen log lines reporting warnings and fatal errors

2013-06-14 Thread Robert Lopez
   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix  -   n   n   -   -   pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman   unix  -   n   n   -   -   pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

Aside Note: In the above, from uucp on down, I do not think I need any of that
but I have hesitated to comment it out as it all exists in
/var/spool/postfix/private/.

Here is postconf -n output:

[root@mg08 log]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
berkeley_db_read_buffer_size = 262144
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 26214400
mydestination = $myhostname, $mydomain, localhost.localdomain
mydomain = cnm.edu
mynetworks = 198.133.178.0/23, 198.133.182.0/24, 198.133.181.0/24,
198.133.180.0/24, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8,
127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
notify_classes = resource, software
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.net*2 b.barracudacentral.org*1
dnsbl.sorbs.net*1 bl.spamcop.net*1
postscreen_dnsbl_threshold = 2
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
smtp_host_lookup = dns, native
smtpd_banner = cnm.edu ESMTP
smtpd_client_restrictions = reject_unauth_pipelining
check_client_access hash:/etc/postfix/whitelist check_client_access
cidr:/etc/postfix/cidr-ip check_client_access hash:/etc/postfix/access
permit_mynetworks reject_rbl_client [key].zen.dq.spamhaus.net
reject_rbl_client b.barracudacentral.org reject_rbl_client
bl.spamcop.net reject_rbl_client dnsbl.sorbs.net
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access
hash:/etc/postfix/helo-ip reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks
reject_unknown_recipient_domain reject_unlisted_recipient
reject_non_fqdn_recipient reject_unknown_recipient_domain
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/whitelist check_sender_access
hash:/etc/postfix/greylist check_sender_access
hash:/etc/postfix/access permit_mynetworks reject_non_fqdn_sender
reject_unknown_sender_domain
smtpd_use_tls = no
virtual_alias_maps = hash:/etc/postfix/virtualaliases

Is there a configuration change I must make to eliminate the three
types of concerning lines?


--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: postscreen log lines reporting warnings and fatal errors

2013-06-14 Thread Robert Lopez
On Fri, Jun 14, 2013 at 3:09 PM, Wietse Venema wie...@porcupine.org wrote:
 Robert Lopez:
 I am trying to understand the cause/causes of these log lines:

 1) postfix/postscreen[]: fatal: error [-30986] seeking
 /var/lib/postfix/postscreen_cache.db: Success

 Your Berkeley DB is screwed up.

 Code fragment from src/util/dict_db.c:

 /*
  * Database lookup.
  */
 status =
 dict_db->cursor->c_get(dict_db->cursor, &db_key, &db_value,
 db_function);
 if (status != 0 && status != DB_NOTFOUND)
 msg_fatal("error [%d] seeking %s: %m", status, dict_db->dict.name);

 Did you build Postfix yourself or is this a package?

 Wietse

It was built from postfix-2.10.0.tar.gz, from Porcupine.


--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: Is it time for 2.x.y - x.y?

2013-05-31 Thread Robert Lopez
 On Fri, 2013-05-31 at 16:43 -0500, /dev/rob0 wrote:
 My wish is that Postfix 3.0, should it ever happen, would be a
 rewrite which sacrifices backward compatibility and the easy
 upgradability. Many things were learned over the course of Postfix
 1.x/2.x development, and a Postfix 3.0 (in my ideal world, that is)
 should have the benefits of those lessons without the burdens of the
 past.
 Absolutely a +1 :D

 This could/should include changing all config options to a homogeneous
 naming schema (I mean in the places where this isn't the case yet, for
 legacy reasons).


 And I'd that you probably can't help people who think 2.1 == 2.10 ;)


 Cheers,
 Chris.

I agree with /dev/rob0, Chris, and the others who agree to leave it as is.

--
Robert Lopez


Re: postscreen_dnsbl_sites

2013-05-07 Thread Robert Lopez
On Mon, May 6, 2013 at 3:10 PM, Wietse Venema wie...@porcupine.org wrote:
 Robert Lopez:
 Let me try again.  I am assuming the link between a line in the
 dnsbl_reply file and the main.cf file is only a label and it could be
 anything.
 Is that a wrong assumption?

 Please describe what is not clear about the following text:

 postscreen_dnsbl_reply_map (default: empty)
A  mapping  from actual DNSBL domain name which includes a secret pass-
word, to the DNSBL domain name that postscreen will reply with when  it
rejects  mail.   When no mapping is found, the actual DNSBL domain will
be used.

For maximal stability it is best to use a file that is read into memory
such  as  pcre:,  regexp:  or texthash: (texthash: is similar to hash:,
except a) there is no need to run postmap(1) before  the  file  can  be
used, and b) texthash: does not detect changes after the file is read).

Example:

/etc/postfix/main.cf:
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

/etc/postfix/dnsbl_reply:
   secret.zen.spamhaus.org    zen.spamhaus.org

This feature is available in Postfix 2.8.

 Once you set up your postscreen_dnsbl_reply_map, you can query it
 to ensure that it works as expected. Using the above example,
 the command

 postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply

 should produce zen.spamhaus.org as output.

 Thanks for helping to improve Postfix.

 Wietse

What is not clear to me in that description is the reason for my
original question
Does it matter what the short name returned is; that is could I use
zen.spamhaus.org just to keep it shorter?

I tried to make that question more clear the second time I posted by
 I am assuming the link between a line in the
dnsbl_reply file and the main.cf file is only a label and it could be
anything.
Is that a wrong assumption?
I have changed the label to make it more obvious.

To me when I read the text you provided I am left with the question
If the real query address, with the key, is being replaced by some
other name, does it matter what that name is and can it be shortened
up?

Of course, the reason for my post in the first place was my concern that
the name with the key was returned in a reply to a test email I sent
from a Yahoo test account which just happened to have been delivered
from a Yahoo server which was listed by zen.spam.net.

Also, I did have a bit of a mix-up in that in your example text you do
use zen.spamhaus.org and in my original set-up instructions from the
vendor from whom CNM purchases the Spamhaus service, the address
I am to query is key..zen.dq.spamhaus.net.  This is not to say there is
any problem in your text. It was simply my dyslexia seeing what I expect
to see and not noticing the net v org that /dev/rob has pointed out.

Your making clear two other points (using postmap -q and looking for the
log lines to distinguish between postscreen and smtpd) were helpful
to me.

I can see the returned information which did disclose the key came from
postscreen:

May  3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT
from [98.136.218.178]:45242: 550 5.7.1 Service unavailable; client
[98.136.218.178] blocked using key.zen.dq.spamhaus.org;
from=<rlopez...@yahoo.com>, to=<rlo...@mg08.cnm.edu>, proto=SMTP,
helo=<nm5-vm3.bullet.mail.gq1.yahoo.com>

Finally, /dev/rob was exactly correct in that the two labels used differed
(.net v .org), causing the lookup to fail, and "When no mapping is found,
the actual DNSBL domain will be used."

I believe the answer to my question is the text of the label does not matter
(but it must be meaningful enough to communicate) but it must be
exactly the same in the dnsbl_reply file and the main.cf file.

Life as a dyslexic person is often embarrassing.

Thank you.
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: postscreen_dnsbl_sites

2013-05-06 Thread Robert Lopez
Let me try again.  I am assuming the link between a line in the
dnsbl_reply file and the main.cf file is only a label and it could be
anything.
Is that a wrong assumption?

I have changed the label to make it more obvious.

Right now in the dnsbl_reply file I have this line (except for the key
being hidden):
hidden-key.zen.dq.spamhaus.net  h.spamhaus.net

In the main.cf file I have this line:
postscreen_dnsbl_sites = h.spamhaus.net*1

I am assuming the h.spamhaus.net in main.cf is being rewritten to
hidden-key.zen.dq.spamhaus.net when postscreen uses the dnsbl.

What I am seeing in testing is my gateway is returning a statement
such as this one:
554 5.7.1 Service unavailable; Client host [192.203.178.138] blocked
using hidden-key.zen.dq.spamhaus.net;
http://www.spamhaus.org/query/bl?ip=192.203.178.138

And the above line does in fact contain the actual key that I am trying to hide.

The version of Postfix I am using (2.10.0) is my first experience with
postscreen and I am trying to avoid the exposing of this key.

Is it possible that the key is being exposed not from the
postscreen_dnsbl_sites line but from a line also in main.cf which says
the following?
smtpd_client_restrictions = reject_rbl_client hidden-key.zen.dq.spamhaus.net


# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 26214400
mydestination = $myhostname, $mydomain, localhost.localdomain,
cnm.edu, mail.cnm.edu
mydomain = cnm.edu
mynetworks = 198.133.178.0/23, 198.133.182.0/24, 198.133.181.0/24,
198.133.180.0/24, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8,
127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
notify_classes = resource, software
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites = h.spamhaus.net*1 b.barracudacentral.org*1
bl.spamcop.net*1 dnsbl.sorbs.net*1
postscreen_dnsbl_threshold = 2
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = cnm.edu ESMTP
smtpd_client_restrictions = reject_unauth_pipelining
check_client_access hash:/etc/postfix/whitelist check_client_access
cidr:/etc/postfix/cidr-ip check_client_access hash:/etc/postfix/access
permit_mynetworks reject_rbl_client
hidden-key.zen.dq.spamhaus.net.zen.dq.spamhaus.net reject_rbl_client
b.barracudacentral.org reject_rbl_client bl.spamcop.net
reject_rbl_client dnsbl.sorbs.net
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access
hash:/etc/postfix/helo-ip reject_invalid_hostname
reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks
reject_unknown_recipient_domain reject_unlisted_recipient
reject_non_fqdn_recipient reject_unknown_recipient_domain
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/whitelist check_sender_access
hash:/etc/postfix/greylist check_sender_access
hash:/etc/postfix/access permit_mynetworks reject_non_fqdn_sender
reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases


--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


postscreen_dnsbl_sites

2013-05-03 Thread Robert Lopez
If in /etc/postfix/dnsbl_reply file there is a line:

the-authorization-key-was-here.zen.dq.spamhaus.net  zen.dq.spamhaus.org

And in main.cf there is the line:

postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply


Should the line in main.cf for postscreen_dnsbl_sites =
use the long name with the key in it or the short reply name?

Does it matter what the short name returned is; that is could I use
zen.spamhaus.org just to keep it shorter?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: postscreen_dnsbl_sites

2013-05-03 Thread Robert Lopez
I had
postscreen_dnsbl_sites = the-key-to-hidezen.dq.spamhaus.org
and
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
in main.cf

and I had
the-authorization-key-was-here.zen.dq.spamhaus.net  zen.dq.spamhaus.org
in the /etc/postfix/dnsbl_reply file.

One of many email sent from a yahoo test account did happen to use a yahoo
server listed by zen.dq.spamhaus.org and I did get back a reply with the
key exposed:

Remote host said: 550 5.7.1 Service unavailable; client [98.136.218.178]
blocked using th-authorization-key-was-here.zen.dq.spamhaus.org [RCPT_TO]

I then changed the one line in the main.cf from
postscreen_dnsbl_sites = the-key-to-hidezen.dq.spamhaus.org
to
postscreen_dnsbl_sites = zen.dq.spamhaus.org

and since then none of the test email have been rejected.

How can I prove to myself the spamhaus list is actually being used now as
opposed to not being used because of configuration?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
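Both the .net/.org mix-up in this thread and the question of whether the short name is "only a label" come down to one rule: the reply map is indexed by the exact name that appears in postscreen_dnsbl_sites, and a miss means the real name, key and all, is what the client sees. Wietse's `postmap -q` check tests one name at a time; the script below, an added example rather than anything from the list or from Postfix, does the comparison for every configured site in both directions. It parses main.cf directly (continuation lines included) and reads the texthash: file the way texthash: does, first whitespace-separated field as key, second as value. The sample configuration it builds uses the placeholder `secret` in place of a real key and reproduces the mismatch from the thread.

```sh
#!/bin/sh
# Added example, not from the thread or from Postfix: cross-check
# postscreen_dnsbl_sites against the postscreen_dnsbl_reply_map file. The
# reply map is keyed by the exact DNSBL name that postscreen queries, secret
# included; if the key does not match character for character (here .net in
# main.cf versus .org in the map), no mapping is found and the secret name
# goes out in the 550 reply. Output:
#   NOMAP  <site>   a configured site with no reply-map entry
#   UNUSED <key>    a reply-map key that no configured site matches

dnsbl_reply_gaps() {
    maincf=$1
    replymap=$2
    # main.cf value with continuation lines (leading whitespace) joined; the
    # Postfix "domain=filter*weight" decorations are still attached here
    sites=$(awk '
        /^[ \t]/ { if (inparam) val = val " " $0; next }
        { inparam = 0 }
        /^postscreen_dnsbl_sites[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); val = $0; inparam = 1
        }
        END { print val }' "$maincf" | tr ',' ' ')

    for site in $sites; do
        site=${site%\**}           # drop *weight
        site=${site%%=*}           # drop =filter
        if ! awk -v k="$site" '$1 == k { f = 1 } END { exit !f }' "$replymap"; then
            echo "NOMAP $site"
        fi
    done

    for key in $(awk 'NF >= 2 && $1 !~ /^#/ { print $1 }' "$replymap"); do
        hit=0
        for site in $sites; do
            site=${site%\**}
            site=${site%%=*}
            [ "$site" = "$key" ] && hit=1
        done
        [ "$hit" -eq 1 ] || echo "UNUSED $key"
    done
}

# Constructed main.cf / dnsbl_reply pair reproducing the mismatch from the
# thread ("secret" stands in for a real key).
sample_dnsbl_config() {
    dir=$1
    cat > "$dir/main.cf" <<EOF
postscreen_dnsbl_reply_map = texthash:$dir/dnsbl_reply
postscreen_dnsbl_sites = secret.zen.dq.spamhaus.net*2
    bl.spamcop.net*1
postscreen_dnsbl_threshold = 2
EOF
    printf 'secret.zen.dq.spamhaus.org  zen.spamhaus.org\n' > "$dir/dnsbl_reply"
}

# On a live system:  dnsbl_reply_gaps /etc/postfix/main.cf /etc/postfix/dnsbl_reply
```

A NOMAP for a public list such as bl.spamcop.net is just noise; a NOMAP for a keyed name, or an UNUSED for a name that differs from a configured one by a single label, is the leak. The reply map covers postscreen only: a reject_rbl_client with the keyed name in smtpd_client_restrictions, as in the postconf output earlier in this thread, produces its own reply, and what that reply contains is governed by smtpd's rbl_reply_maps and default_rbl_reply, not by postscreen_dnsbl_reply_map.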


Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Robert Lopez
 not exist. Please try 550-5.1.1
double-checking the recipient's email address for typos or 550-5.1.1
unnecessary spaces. Learn more at 550 5.1.1
http://support.google.com/mail/bin/answer.py?answer=6596 j8si3846254qaz.28
- gsmtp (in reply to RCPT TO command))
Apr 11 05:15:24 mg04 postfix/bounce[30245]: 152B0661BC5: sender
non-delivery notification: 08002661BF9
Apr 11 05:15:24 mg04 postfix/qmgr[25178]: 152B0661BC5: removed


And these are the logfile lines for our sending of the non-delivery notice
we sent. One item in these log lines I do not understand at all is relay=
server50.appriver.com[204.232.236.138]:25. I do not understand where were
that information is sourced. It looks to me that we sent the non-delivery
to a wrong location.


Apr 11 05:15:24 mg04 postfix/cleanup[28971]: 08002661BF9: message-id=<2013041524.08002661...@mg04.cnm.edu>
Apr 11 05:15:24 mg04 postfix/bounce[30245]: 152B0661BC5: sender
non-delivery notification: 08002661BF9
Apr 11 05:15:24 mg04 postfix/qmgr[25178]: 08002661BF9: from=<>, size=3678,
nrcpt=1 (queue active)
Apr 11 05:15:24 mg04 postfix/smtp[29118]: 08002661BF9: to=<smashab...@ors-cpa.com>,
relay=server50.appriver.com[204.232.236.138]:25,
delay=0.37, delays=0.02/0/0.25/0.11, dsn=2.0.0, status=sent (250 412972755
message accepted for delivery)
Apr 11 05:15:24 mg04 postfix/qmgr[25178]: 08002661BF9: removed


I have looked to see if there was any relationship between the two other
servers involved in this situation and I do not see any connection between
204.232.236.138, server50.appriver.com and 70.154.182.39
adsl-070-154-182-039.sip.msy.bellsouth.net.

Does anyone see anything below that is misconfigured that could explain
this problem?

Here is the output from postconf -n (an access key is changed to PASSKEY):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 26214400
mydestination = $myhostname, $mydomain, localhost.localdomain,cnm.edu,
mail.cnm.edu
myhostname = mg04.cnm.edu
mynetworks = 198.133.178.0/23, 198.133.182.0/24, 198.133.181.0/24,
198.133.180.0/24, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8,
127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
notify_classes = resource, software
readme_directory = no
recipient_delimiter = +
relay_domains = mg04.cnm.edu, mg05.cnm.edu, mg06.cnm.edu, nmvc.org,
mail.nmvc.org, mg04.nmvc.org, mg05.nmvc.org, mg06.nmvc.org,
nmvirtualcollege.org, mail.nmvirtualcollege.org,
mg04.nmvirtualcollege.org, mg05.nmvirtualcollege.org,
mg05.nmvirtualcollege.org, nmln.net,
ideal-nm.org, ideal-nm.net, idealnm.org, idealnm.net
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = reject_unauth_pipelining
check_client_access hash:/etc/postfix/whitelist check_client_access
cidr:/etc/postfix/cidr-ip check_client_access hash:/etc/postfix/access
permit_mynetworks reject_rbl_client PASSKEY.zen.dq.spamhaus.net
reject_rbl_client bl.spamcop.net reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.4 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.5 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.6 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.7 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.8 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.9 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.10 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.11 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.13
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access
hash:/etc/postfix/helo-ip reject_invalid_hostname
reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/whitelist
check_sender_access hash:/etc/postfix/greylist check_sender_access
hash:/etc/postfix/access permit_mynetworks reject_non_fqdn_sender
reject_unknown_sender_domain permit_mynetworks
reject_unauth_destination reject_unknown_recipient_domain
reject_unlisted_recipient check_recipient_access
hash:/etc/postfix/overquota reject_non_fqdn_recipient
reject_unknown_recipient_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
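The relay=server50.appriver.com line is routing rather than misconfiguration, but the lines just before it are worth a second look: the gateway accepted a message, could not deliver it, and then generated a non-delivery notification (from=<>) which went out to the original sender's MX. The envelope sender of spam is usually forged, so a steady stream of such DSNs to outside hosts is what turns a gateway into a backscatter source. The awk below is an added example, not from the thread or from Postfix, that pulls those cases out of a maillog: queue IDs that entered the active queue with the null sender and were then delivered by the SMTP client. The sample log it carries is constructed after the shape of the lines in the post, with documentation addresses in place of real ones.

```sh
#!/bin/sh
# Added example, not from the thread or from Postfix: find non-delivery
# notifications that the gateway itself generated and then handed to an
# outside host. A DSN is sent with an empty envelope sender (from=<>) to the
# original envelope sender, which for spam is usually forged, so every such
# delivery by postfix/smtp(8) is a candidate backscatter message. Prints
# "QUEUEID RECIPIENT RELAY" per delivery. Reads maillog files given as
# arguments, or stdin when there are none.

backscatter_candidates() {
    awk '
        # the queue ID sits between the "prog[pid]: " prefix and the next ": "
        function qid(line) {
            if (match(line, /\]: [0-9A-Za-z]+: /))
                return substr(line, RSTART + 3, RLENGTH - 5)
            return ""
        }
        # a message entering the active queue with the null sender
        /postfix\/qmgr\[[0-9]+\]: [0-9A-Za-z]+: from=<>,/ {
            nullsender[qid($0)] = 1; next
        }
        # the same ID delivered by the SMTP client to a remote relay
        /postfix\/smtp\[[0-9]+\]: [0-9A-Za-z]+: to=</ {
            id = qid($0)
            if ((id in nullsender) && $0 ~ /status=sent/) {
                match($0, /to=<[^>]*>/);  to = substr($0, RSTART + 4, RLENGTH - 5)
                match($0, /relay=[^,]*/); relay = substr($0, RSTART + 6, RLENGTH - 6)
                print id, to, relay
            }
        }' "$@"
}

# Constructed log excerpt in the shape of the one in the post: a message from
# a (possibly forged) sender bounces at the destination, the gateway generates
# a DSN (from=<>) and delivers it to the sender domain's MX.
sample_maillog() {
    cat <<'EOF'
Apr 11 05:15:24 mg04 postfix/qmgr[25178]: 152B0661BC5: from=<sender@example.org>, size=2100, nrcpt=1 (queue active)
Apr 11 05:15:24 mg04 postfix/smtp[29118]: 152B0661BC5: to=<nobody@example.com>, relay=mx.example.com[192.0.2.25]:25, delay=0.5, delays=0.02/0/0.25/0.11, dsn=5.1.1, status=bounced (host said: 550 5.1.1 The email account that you tried to reach does not exist)
Apr 11 05:15:24 mg04 postfix/bounce[30245]: 152B0661BC5: sender non-delivery notification: 08002661BF9
Apr 11 05:15:24 mg04 postfix/qmgr[25178]: 08002661BF9: from=<>, size=3678, nrcpt=1 (queue active)
Apr 11 05:15:24 mg04 postfix/smtp[29118]: 08002661BF9: to=<sender@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.37, delays=0.02/0/0.25/0.11, dsn=2.0.0, status=sent (250 message accepted for delivery)
Apr 11 05:15:25 mg04 postfix/qmgr[25178]: 08002661BF9: removed
EOF
}

# Count candidates per relay on a real log:
#   backscatter_candidates /var/log/maillog | awk '{print $3}' | sort | uniq -c | sort -rn
```

Only postfix/smtp deliveries are checked, so DSNs to local recipients are not listed. If a relayhost or an internal mail server sits behind the gateway, deliveries to it match as well and have to be filtered out by relay name; the one-liner at the bottom groups candidates by relay for exactly that purpose.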


Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Robert Lopez
That was a fast response Jan. Thanks. Is the overall situation suggestive
of any misconfiguration here?


On Thu, Apr 11, 2013 at 1:22 PM, Jan P. Kessler post...@jpkessler.info wrote:

  Hi,


  And these are the logfile lines for our sending of the non-delivery
 notice we sent. One item in these log lines I do not understand at all is
 relay=server50.appriver.com[204.232.236.138]:25. I do not understand
 where were that information is sourced. It looks to me that we sent the
 non-delivery to a wrong location.


 No, that is correct. Source of that routing information is the MX record
 for the target domain:

 # host -t mx ors-cpa.com
 ors-cpa.com mail is handled by 10 server50.appriver.com.
 ors-cpa.com mail is handled by 20 server51.appriver.com.




-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Robert Lopez
On Thu, Apr 11, 2013 at 2:23 PM, Noel Jones njo...@megan.vbhcs.org wrote:

 On 4/11/2013 2:42 PM, Robert Lopez wrote:
  That was a fast response Jan. Thanks. Is the overall situation
  suggestive of any misconfiguration here?

 [please don't top-post]

 It appears you're generating a bounce for spam.  Don't do that; the
 spam sender address is often forged causing your notice to go to
 some innocent third party.

 This makes you a backscatter source.  As a backscatter source, your
 queue can become clogged with undeliverable bounces and your server
 may be blacklisted by others.

 With an after queue content filter, the only valid choice you have
 is to tag and deliver the message (or in some cases, discard it, but
 that's not legal some places and not good practice everywhere else).




   -- Noel Jones




 
 


Is postscreen able to identify email as spam to prevent bouncing it? Is
there a way to alter my postfix configuration to prevent bouncing it?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: md5sum of source file

2013-04-02 Thread Robert Lopez
Wietse, No I did not!  Now I have. Thanks.

Is this sufficient to know all is ok:

# gpg --verify postfix-2.10.0.tar.gz.sig postfix-2.10.0.tar.gz
gpg: Signature made Mon 11 Feb 2013 09:19:00 AM MST using RSA key ID C12BCD99
gpg: Good signature from Wietse Venema wie...@porcupine.org
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FF 96 4A 8C 96 88 7C 6E  A4 EF AD BF 48 34 E1 BB
# echo $?
0



On Mon, Apr 1, 2013 at 5:18 PM, Wietse Venema wie...@porcupine.org wrote:

 Robert Lopez:
  For myself, my gpg stuff works well for what I use it (Google Apps) but is
  apparently broken for importing new keys:
  $ gpg -v --import wietse.pgp
  gpg: can't open `wietse.pgp': No such file or directory

 Do you have the `wietse.pgp' file? I have a copy linked from
 the Postfix source code download page.

 Wietse




-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


md5sum of source file

2013-04-01 Thread Robert Lopez
How do I get the md5sum for postfix-2.10.0.tar.gz out of the
postfix-2.10.0.tar.gz.sig file?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: md5sum of source file

2013-04-01 Thread Robert Lopez
Now that I know what it is, searching for gpg postfix I keep reading of
others who never got it to work (rsa or not discussion etc). I have yet to
find a posting of it working.

For myself, my gpg stuff works well for what I use it (Google Apps) but is
apparently broken for importing new keys:
$ gpg -v --import wietse.pgp
gpg: can't open `wietse.pgp': No such file or directory
gpg: Total number processed: 0
$ gpg --verify postfix-2.10.0.tar.gz.sig postfix-2.10.0.tar.gz
gpg: Signature made Mon 11 Feb 2013 09:19:00 AM MST using RSA key ID C12BCD99
gpg: Can't check signature: public key not found


On Mon, Apr 1, 2013 at 2:18 PM, /dev/rob0 r...@gmx.co.uk wrote:

 On Mon, Apr 01, 2013 at 02:11:53PM -0600, Robert Lopez wrote:
  How do I get the md5sum for postfix-2.10.0.tar.gz out of the
  postfix-2.10.0.tar.gz.sig file?

 The sig file is a GPG signature. Get the public key and verify the
 signature:

 gpg postfix-2.10.0.tar.gz.sig

 (with postfix-2.10.0.tar.gz in the same directory)

 You don't need md5sum, in fact, I'd think that the GPG signature
 should give you greater assurance than md5sum.
 --
   http://rob0.nodns4.us/ -- system administration and consulting
   Offlist GMX mail is seen only if /dev/rob0 is in the Subject:




-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
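As an added example that is not part of this thread: verifying a release tarball the way /dev/rob0 describes above, but judging the result from gpg's machine-readable status lines and a pinned signing-key fingerprint rather than from the exit status alone (the gpg output in the later post in this thread returns 0 while also warning that the key is not certified). The pinned fingerprint is the one gpg printed in that post; the sample status lines are constructed, and `verify_file` assumes a `gpg` binary on PATH.

```python
import subprocess

# Fingerprint gpg printed in the thread for Wietse's key, spaces removed.
# Pinning it is what turns "Good signature" into "signature from the key I expect".
EXPECTED_FPR = "FF964A8C96887C6EA4EFADBF4834E1BB"


def parse_status(status_text):
    """Split gpg --status-fd output into (KEYWORD, [fields]) records, in order."""
    records = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            records.append((parts[1], parts[2:]))
    return records


def normalize_fpr(fpr):
    """'FF 96 4A ...' and 'ff964a...' compare equal."""
    return "".join(fpr.split()).upper()


# Status keywords that mean the signature must not be accepted, even though gpg
# may still emit a VALIDSIG record alongside some of them (expired/revoked key).
FATAL_KEYWORDS = ("BADSIG", "NO_PUBKEY", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG")


def signature_ok(status_text, expected_fpr=EXPECTED_FPR):
    """Return (accepted, reason).

    Accept only when gpg reports VALIDSIG and the signing key's fingerprint
    (or the primary key fingerprint, for signatures made by a subkey) equals
    the pinned one. TRUST_UNDEFINED is ignored on purpose: that warning is
    about the web of trust, and the pinned fingerprint replaces it here.
    """
    want = normalize_fpr(expected_fpr)
    records = parse_status(status_text)
    present = {keyword for keyword, _ in records}
    for keyword in FATAL_KEYWORDS:
        if keyword in present:
            return False, keyword
    for keyword, fields in records:
        if keyword == "VALIDSIG" and fields:
            fprs = {normalize_fpr(fields[0])}
            if len(fields) >= 10:          # 10th field is the primary key fingerprint
                fprs.add(normalize_fpr(fields[9]))
            if want in fprs:
                return True, "VALIDSIG"
            return False, "VALIDSIG from unexpected key " + fields[0]
    return False, "no VALIDSIG"


def verify_file(sig_path, file_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a detached signature and judge it with signature_ok()."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return signature_ok(proc.stdout, expected_fpr)


# Constructed sample status output (not captured from a real run); the key ID
# and fingerprint are the ones shown in the thread, the timestamps are made up.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C12BCD99 Wietse Venema
[GNUPG:] VALIDSIG FF964A8C96887C6EA4EFADBF4834E1BB 2013-02-11 1360599540 0 3 0 1 2 00 FF964A8C96887C6EA4EFADBF4834E1BB
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same structure, but signed by some other key (placeholder fingerprint).
SAMPLE_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF 2013-02-11 1360599540 0 3 0 1 2 00 0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# What the thread's first attempt looked like: the public key was never imported.
SAMPLE_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG C12BCD99 1 2 00 1360599540 9
[GNUPG:] NO_PUBKEY C12BCD99
"""

# Tampered tarball: the signature does not match the file.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG C12BCD99 Wietse Venema
"""

if __name__ == "__main__":
    import sys
    accepted, reason = verify_file(sys.argv[1], sys.argv[2])
    print("ACCEPT" if accepted else "REJECT", reason)
    sys.exit(0 if accepted else 1)
```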


Re: some of variable of postfix when you posinstall it

2013-03-18 Thread Robert Lopez
Viktor Dukhovni wrote:
If you're using Debian, they modify Postfix with additional
configuration parameters, in particular if I recall correctly
myhostname can be set to a filename rather than a hostname.

myhostname = /etc/hostname

and optional database drivers are installed as separate packages
and a related configuration file.

For help with Debian, ask on a Debian-specific list.


I suppose I should have known this years ago. I did not know Debian
modified the Postfix code and even added database drivers. Does Canonical
then further modify it?  I have never been successful in compiling and
configuring a working Postfix from source on Ubuntu.   I am curious which
distribution delivers code that is the least modified?


On Sun, Mar 17, 2013 at 6:13 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

 On Mon, Mar 18, 2013 at 03:29:35AM +0330, Mohsen Pahlevanzadeh wrote:

  You made me happy ...

 http://www.postfix.org/BASIC_CONFIGURATION_README.html
 http://www.postfix.org/documentation.html

 If you're using Debian, they modify Postfix with additional
 configuration parameters, in particular if I recall correctly
 myhostname can be set to a filename rather than a hostname.

 myhostname = /etc/hostname

 and optional database drivers are installed as separate packages
 and a related configuration file.

 For help with Debian, ask on a Debian-specific list.

 --
 Viktor.




-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


allowing/authorized pipelining high volume email

2010-05-26 Thread Robert Lopez
This college has a contract with Rave Messaging to deliver high volume
(ex campus emergency) communications via many vectors including email.

In their requirements document, in the portion on email, they write:

IMPORTANT NOTE: When an emergency alert is sent by your institution,
Rave will open multiple SMTP connections and attempt to send a large
number of emails in a short period of time.  Please ensure that there
are no throttling or spam rules that would slow or prevent the
delivery of these emails from Rave.

Below is the output of postconf -n (redacted for critical spamhaus key).

I am wondering about pipelining.

Given this statement from http://www.postfix.com/postconf.5.html :

reject_unauth_pipelining
Reject the request when the client sends SMTP commands ahead of
time where it is not allowed, or when the client sends SMTP
commands ahead of time without knowing that Postfix actually
supports ESMTP command pipelining. This stops mail from bulk mail
software that improperly uses ESMTP command pipelining in order to
speed up deliveries.
With Postfix 2.6 and later, the SMTP server sets a per-session
flag whenever it detects illegal pipelining, including pipelined
EHLO or HELO commands. The reject_unauth_pipelining feature simply
tests whether the flag was set at any point in time during the
session.
With older Postfix versions, reject_unauth_pipelining checks the
current status of the input read queue, and its usage is not
recommended in contexts other than smtpd_data_restrictions.

Does the term unauth imply there is also authorized pipelining?
If so, what document describes authorizing it for an external site?

Using Postfix 2.5.5 currently (Redhat latest), it seems the use
I have of reject_unauth_pipelining is under smtpd_client_restrictions.
If I now move it under smtpd_data_restrictions how will that
impact the throttling the Rave company does not want?

$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 16777216
mydestination = $myhostname, $mydomain,
localhost.localdomain,  cnm.edu, mail.cnm.edu
myhostname = mg04.cnm.edu
mynetworks = 198.133.182.0/24, 198.133.181.0/24, 198.133.180.0/24,
172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8
[:::127.0.0.0]/104 [::1]/128
notify_classes = resource, software
readme_directory = no
recipient_delimiter = +
relay_domains = mg04.cnm.edu, mg05.cnm.edu, mg06.cnm.edu,nmvc.org,
mail.nmvc.org, mg04.nmvc.org, mg05.nmvc.org, mg06.nmvc.org,
nmvirtualcollege.org, mail.nmvirtualcollege.org,
mg04.nmvirtualcollege.org,mg05. nmvirtualcollege.org,
mg05.nmvirtualcollege.org,nmln.net, ideal-nm.org, ideal-nm.net,
idealnm.org, idealnm.net
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = reject_unauth_pipelining
check_client_access hash:/etc/postfix/whitelist check_client_access
cidr:/etc/postfix/cidr-ip   check_client_access hash:/etc/postfix/access
permit_mynetworks   reject_rbl_client
SNIP.zen.dq.spamhaus.net  reject_rbl_client
bl.spamcop.net  reject_rbl_client dnsbl.njabl.org   reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.4    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.5    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.6    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.7    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.8    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.9    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.10   reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.11   reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.13
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access
hash:/etc/postfix/helo-ip   reject_invalid_hostname 
reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/greylist  check_sender_access
hash:/etc/postfix/access
permit_mynetworks   reject_non_fqdn_sender  
reject_unknown_sender_domain    permit_mynetworks
reject_unauth_destination
reject_unknown_recipient_domain reject_unlisted_recipient
check_recipient_access
hash:/etc/postfix/overquota reject_non_fqdn_recipient   
reject_unknown_recipient_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases


-- 
Robert Lopez
Unix Systems Administrator
Central New

Re: allowing/authorized pipelining high volume email

2010-05-26 Thread Robert Lopez
On Wed, May 26, 2010 at 11:10 AM, Wietse Venema wie...@porcupine.org wrote:
 Robert Lopez:
 This college has a contract with Rave Messaging to deliver high volume
 (ex campus emergency) communications via many vectors including email.

 In their requirements document, in the portion on email, they write:

 IMPORTANT NOTE: When an emergency alert is sent by your institution,
 Rave will open multiple SMTP connections and attempt to send a large
 number of emails in a short period of time.  Please ensure that there
 are no throttling or spam rules that would slow or prevent the
 delivery of these emails from Rave.

 If the system opens an insane number of SMTP connections to the
 same SMTP server, then that will definitely be a problem.

 Postfix enforces concurrency controls when it sends out mail, to
 avoid such problems.

 reject_unauth_pipelining
     Reject the request when the client sends SMTP commands ahead of
     time WHERE IT IS NOT ALLOWED, or when the client sends SMTP
     commands ahead of time WITHOUT KNOWING THAT POSTFIX ACTUALLY
     SUPPORTS ESMTP COMMAND PIPELINING.

 a) the system sends commands together where it is not allowed by
 RFC 2920, even after prior negotiation, or b) the system sends
 commands together without prior negotiation as per RFC 2920.

        Wietse


Thank you. Prior to reading RFC 2920 I was assuming that pipelining was
a bad thing done by spammers. I never comprehended it could be a good thing
if managed by both ends correctly.

At a web meeting today I was told they will use 40 concurrent connections.
With the default max connection limit (given no other server resource limits)
I suppose that is not blasting an insane number of SMTP connections.

Would this situation be better if I moved reject_unauth_pipelining from
smtpd_client_restrictions to smtpd_data_restrictions, taking it out completely,
or leaving it as it is?


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: SMTP Authentication in Luminis / iPlanet Environment

2010-05-14 Thread Robert Lopez
On Thu, May 13, 2010 at 2:55 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

 To enable remote submission, provision a port 587 TLS encrypted
 submission service that offers AUTH PLAIN, and perhaps also GSSAPI
 if you are willing to expose a suitable KDC to the Internet and
 client software supports SMTP with GSSAPI auth.

 Postfix supports Cyrus SASL. As backends for PLAIN, you can use the
 rimap support to delegate password validation to the imap server, or
 directly consult the same password oracle that the IMAP server uses.

 What's the best way to accomplish the goal in this environment?

 Figure out which SASL modules are inter-operable with your IMAP
 server or its single-sign-on backend.

 --
        Viktor.

 P.S. Morgan Stanley is looking for a New York City based, Senior Unix
 system/email administrator to architect and sustain our perimeter email
 environment.  If you are interested, please drop me a note.


I have a lot to learn! There are terms and concepts in your response
that are new to me.

Thanks for the direction tips.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


SMTP Authentication in Luminis / iPlanet Environment

2010-05-13 Thread Robert Lopez
I just read Kaleb Hosie's post with the subject SMTP Authentication
in Exchange environment.
I did not want to steal his thread but I would like to follow up on
some of the ideas that came up in that thread.

I have been attempting to understand how to do the same thing with a
different environment, Luminis.
For those who do not know, this is how the provider, Sungard Higher
Education, describes Luminis on their web site:

The Luminis Platform functions as the foundation of a unified digital
campus through a combination of portal features, enterprise
applications, and infrastructure. Combined with the Luminis Content
Management Suite’s web content management capabilities, the Luminis
Platform can showcase a consistent institutional brand and fresh web
content, giving your institution a vibrant web presence.


A component of Luminis is a web portal to a Sun mail system called
iPlanet (Sun Java Messaging Server email system).

We have a few postfix servers that receive mail and forward clean
email to the Luminis email / iPlanet.

Users who use portable devices including notebooks, web books, and
smart phones keep asking to be able to send and reply-to mail
remotely. The Luminis system is setup to allow users  to read their
email via the web interface from any internet connection. However, if
they are off the campus network they are not able to reply-to or send
new email. The iPlanet has an IMAP interface (there is a 143/tcp  port
open for IMAP and a running imapd).  LDAP is working for a single sign
on system on a different server.  I (like all the students) have been
able to read email but have yet to be successful in sending email. The
administrators of that system say they understand it is possible to
use the postfix system and SASL to send email from remote devices
through the postfix and SASL to the iPlanet IMAP service. I have been
unable to make this happen.

The college auditors require this situation to use the same password
(the single sign on authentication) used for all other college
systems.

I have been reading Postfix, LDAP, SASL, and Dovecot documentation and
testing ideas on a virtual system but I have thus far not created a
working solution.

What's the best way to accomplish the goal in this environment?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Am I really using a CIDR map?

2010-04-06 Thread Robert Lopez
For some time I have been tracking changes to the access table with RCS.
Each time a change is made the ci access results in the removal of
the access file  from /etc/postfix and leaving the
/etc/postfix.access.db file.

Today I tried to check in a cidr table named cidr-ip. Upon check-in
(and restart of postfix) I got this message in the maillog file:
Apr  6 10:12:57 mg05 postfix/smtpd[4632]: fatal: open
/etc/postfix/cidr-ip: No such file or directory

A postmap -q any-pattern-in-file cidr-ip returns the rest of the
matching line correctly.
An strace of postmap -q any-pattern cidr-ip shows it is the
cidr-ip.db file that is being read.

Why does postfix not like the source file being removed from the
/etc/postfix directory?

[r...@mg05 postfix]$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 16777216
mydestination = $myhostname, $mydomain,
localhost.localdomain,  cnm.edu, mail.cnm.edu
myhostname = mg05.cnm.edu
mynetworks = 198.133.182.0/24, 198.133.181.0/24, 198.133.180.0/24,
172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8
[:::127.0.0.0]/104 [::1]/128
notify_classes = resource, software
readme_directory = no
recipient_delimiter = +
relay_domains = mg04.cnm.edu, mg05.cnm.edu, mg06.cnm.edu,nmvc.org,
mail.nmvc.org, mg04.nmvc.org, mg05.nmvc.org, mg06.nmvc.org,
nmvirtualcollege.org, mail.nmvirtualcollege.org,
mg04.nmvirtualcollege.org,mg05. nmvirtualcollege.org,
mg05.nmvirtualcollege.org,nmln.net, ideal-nm.org, ideal-nm.net,
idealnm.org, idealnm.net
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = reject_unauth_pipelining
check_client_access hash:/etc/postfix/whitelist check_client_access
cidr:/etc/postfix/cidr-ip   check_client_access hash:/etc/postfix/access
permit_mynetworks   reject_rbl_client
n6mn6bwuuaertsbehompac3udq.zen.dq.spamhaus.net  reject_rbl_client
bl.spamcop.net  reject_rbl_client dnsbl.njabl.org   reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.4    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.5    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.6    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.7    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.8    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.9    reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.10   reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.11   reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.13
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access
hash:/etc/postfix/helo-ip   reject_invalid_hostname 
reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/greylist  check_sender_access
hash:/etc/postfix/access
permit_mynetworks   reject_non_fqdn_sender  
reject_unknown_sender_domain    permit_mynetworks
reject_unauth_destination
reject_unknown_recipient_domain reject_unlisted_recipient
check_recipient_access
hash:/etc/postfix/overquota reject_non_fqdn_recipient   
reject_unknown_recipient_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases



-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: Am I really using a CIDR map?

2010-04-06 Thread Robert Lopez
On Tue, Apr 6, 2010 at 10:52 AM, Noel Jones njo...@megan.vbhcs.org wrote:
 On 4/6/2010 11:39 AM, Robert Lopez wrote:

 For some time I have been tracking changes to the access table with RCS.
 Each time a change is made the ci access results in the removal of
 the access file  from /etc/postfix and leaving the
 /etc/postfix.access.db file.

 Today I tried to check in a cidr table named cidr-ip. Upon check-in
 (and restart of postfix) I got this message in the maillog file:
 Apr  6 10:12:57 mg05 postfix/smtpd[4632]: fatal: open
 /etc/postfix/cidr-ip: No such file or directory

 A postmap -q any-pattern-in-file cidr-ip returns the rest of the
 matching line correctly.
 An strace of postmap -q any-pattern cidr-ip shows it is the
 cidr-ip.db file that is being read.

 Why does postfix not like the source file being removed from the
 /etc/postfix directory?

 cidr tables are plain-text tables.  The source file is the live table data.
  The .db file is your mistake; cidr tables should not be indexed with
 postmap.

That surprises me.

The man page seems to me to indicate otherwise.
My confusion is with this sentence:
These tables are usually in dbm or  db  format.
which is from the Description portion below...


CIDR_TABLE(5)                                                    CIDR_TABLE(5)

NAME
   cidr_table - format of Postfix CIDR tables

SYNOPSIS
   postmap -q string cidr:/etc/postfix/filename

   postmap -q - cidr:/etc/postfix/filename inputfile

DESCRIPTION
   The  Postfix  mail  system  uses  optional  lookup tables.
   These tables are usually in dbm or  db  format.   Alterna-
   tively,  lookup tables can be specified in CIDR (Classless
   Inter-Domain Routing) form. In this case,  each  input  is
   compared  against  a  list  of  patterns.  When a match is
   found, the corresponding result is returned and the search
   is terminated.

   To  find out what types of lookup tables your Postfix sys-
   tem supports use the postconf -m command.

   To test lookup tables, use the  postmap  -q  command  as
snip


  -- Noel Jones

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: Am I really using a CIDR map?

2010-04-06 Thread Robert Lopez
On Tue, Apr 6, 2010 at 12:23 PM, Wietse Venema wie...@porcupine.org wrote:
 Robert Lopez:
 Now that you mention the documentation:

 SYNOPSIS
        postmap -q string cidr:/etc/postfix/filename

        postmap -q - cidr:/etc/postfix/filename inputfile

 DESCRIPTION
 ...
        To test lookup tables, use the  postmap  -q  command  as
        described in the SYNOPSIS above.

 It takes some perseverance to find that text.

That is another point that has me confused.
I have been testing to make certain changes I have made to the access file
were really there with postmap -q.

With the movement of IP addresses and CIDR blocks out of the access
file and into a cidr-ip file postmap -q would find them in the
cidr-ip.db file.
If I remove the .db file (as Noel points out, not necessary) then I get
an error because postmap seems to only look in database files:

$ postmap -q 222.254.228.0/24 cidr-ip
postmap: fatal: open database cidr-ip.db: No such file or directory

As I originally posted: An strace of postmap -q any-pattern
cidr-ip shows it is the cidr-ip.db file that is being read. by
postmap.


        Wietse




-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: Am I really using a CIDR map?

2010-04-06 Thread Robert Lopez
On Tue, Apr 6, 2010 at 12:33 PM, /dev/rob0 r...@gmx.co.uk wrote:
 On Tue, Apr 06, 2010 at 11:57:00AM -0600, Robert Lopez wrote:
 On Tue, Apr 6, 2010 at 10:52 AM, Noel Jones njo...@megan.vbhcs.org
 wrote:
  On 4/6/2010 11:39 AM, Robert Lopez wrote:
  Why does postfix not like the source file being removed from the
  /etc/postfix directory?
 
  cidr tables are plain-text tables.  The source file is the live
  table data.  The .db file is your mistake; cidr tables should not
  be indexed with postmap.

 That surprises me.

 The man page seems to me to indicate otherwise.
 My confusion is with this sentence:
 These tables are usually in dbm or  db  format.
 which is from the Description portion below...

 Yes, and it continues:
 Alternatively, lookup tables can be specified in CIDR ... form.

 Taken together, with emphasis added:
 These tables are USUALLY in dbm or db format. ALTERNATIVELY, lookup
 tables CAN BE ...

 Perhaps the wording can be improved. The usually part is not so
 relevant as are the particulars of what a cidr: map should be.

 
 The Postfix mail system uses optional lookup tables as described in
 the DATABASE_README document. Lists of IP addresses can be specified
 in CIDR (Classless Inter-Domain Routing) form. In this case, a plain
 text file is the map, with the standard key whitespace value
 format. When a match is found, the corresponding result is returned
 and the search is terminated.
 

That would help. Then so would this:

To test lookup tables, use the  postmap  -q  command  as
   described in the SYNOPSIS above for database files. The
  postmap -q will not work on the CIDR file as it is a text file.



 I know, it's probably not appropriate to refer to a README in that
 part of a man page, but it seems more thorough and less likely to
 confuse, to me, than the usually verbiage.
 --
    Offlist mail to this address is discarded unless
    /dev/rob0 or not-spam is in Subject: header




-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: Am I really using a CIDR map?

2010-04-06 Thread Robert Lopez
On Tue, Apr 6, 2010 at 12:48 PM, Noel Jones njo...@megan.vbhcs.org wrote:
 On 4/6/2010 1:42 PM, Robert Lopez wrote:

 The Postfix mail system uses optional lookup tables as described in
 the DATABASE_README document. Lists of IP addresses can be specified
 in CIDR (Classless Inter-Domain Routing) form. In this case, a plain
 text file is the map, with the standard key whitespace value
 format. When a match is found, the corresponding result is returned
 and the search is terminated.
 

 That would help. Then so would this:

 To test lookup tables, use the  postmap  -q  command  as
        described in the SYNOPSIS above for database files. The
       postmap -q will not work on the CIDR file as it is a text file.


 Or how about
       postmap -q will not work if you use the wrong syntax


Now that I understand my suggestion on that point is null and void.

Thanks for the help.
-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: Am I really using a CIDR map?

2010-04-06 Thread Robert Lopez
I replied to Charles thinking I was replying to the list...

On Tue, Apr 6, 2010 at 12:40 PM, Charles Marcus
cmar...@media-brokers.com wrote:
 On 2010-04-06 2:35 PM, Robert Lopez wrote:
 If I remove the .db file (As Noel points out not necessary) then I get
 an error because postmap seems to only look in database files:

 $ postmap -q 222.254.228.0/24 cidr-ip
 postmap: fatal: open database cidr-ip.db: No such file or directory

 Did you miss this from Wietse?

I read it but at the time did not understand it.



 SYNOPSIS
postmap -q string cidr:/etc/postfix/filename

 Note the 'cidr:/' prefix to the file path/name?

 Noel already pointed out you need to use a single IP as the key...

I have just confirmed that having this line in the file:

222.254.228.0/24    DISCARD

Then this is working:
$ postmap -q 222.254.228.0 cidr:/etc/postfix/cidr-ip
DISCARD
$ postmap -q 222.254.228.1 cidr:/etc/postfix/cidr-ip
DISCARD

So, now I understand.


 --

 Best regards,

 Charles

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: order in cidr_table

2010-03-04 Thread Robert Lopez
 192.168.1.0/24  DUNNO
 192.168.2.3     REJECT blah
 192.168.2.0/24  DUNNO
 192.168.0.0/16  FILTER somefilter


 in short, create client based policies, not result based policies.
The icing of the cake of two very helpful responses. Thanks both.

Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


order in cidr_table

2010-03-03 Thread Robert Lopez
Man for CIDR_TABLE(5) says:

 /etc/postfix/client.cidr:
   # Rule order matters. Put more specific whitelist entries
   # before more general blacklist entries.
   192.168.1.1 OK
   192.168.0.0/16  REJECT


I have been google-ing for information on order in a CIDR table to
help me understand exactly just what the above says.

Rule order matters. states this is important to understand.

The point that whitelist (OK) should occur before blacklist (REJECT) is clear.

Is there any more about order that is important to understand?

It seems to me DUNNO is a sort of whitelist action so is there an
order for OK and DUNNO?
Is there any order for DISCARD and REJECT?
Are there any other more specific issues with the
actions OK, REJECT, DISCARD, DUNNO, etc.?

I think the order of the entries should be in increasing numeric
order. Is that reasonable?

The man page example above could be stating either that an entry in
the form of a complete IP (192.168.1.1) is more specific than a CIDR
(192.168.0.0/16) address.
Is that true?

Am I safe to create a CIDR table where in it has two parts; first a
white list part and then a black list part; where each of those two
parts would first list all the exact IP and then list all the CIDR
patterns?
Or is it sufficient to have first the white list then the black list
with no further concern for the order within each part?


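The ordering question above, made concrete with an added Python model. This is not code from the thread and not Postfix's own implementation; it models only the rule cidr_table(5) documents: entries are tried top to bottom and the first network that contains the client address wins, so a narrower entry placed after a broader one that already covers it is dead. A bare address is a /32, DUNNO is a match at the table level (the restriction list then continues as if nothing was found), and the "!" negation and if/endif forms of newer Postfix releases are not modelled. The three tables are constructed from the man page example and the reply quoted above; `shadowed_entries` is a check written for this example, not a Postfix tool.

```python
import ipaddress


def parse_cidr_table(text):
    """Parse cidr_table(5) text into an ordered list of (network, action).

    A bare address such as 192.168.1.1 is a host entry (/32), as the man page
    says. Comments and blank lines are skipped; order is preserved because
    order is the whole point."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, action = line.split(None, 1)
        entries.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return entries


def lookup(entries, address):
    """First-match lookup: the action of the first entry whose network
    contains the address, or None when no entry matches."""
    addr = ipaddress.ip_address(address)
    for network, action in entries:
        if addr.version == network.version and addr in network:
            return action
    return None


def shadowed_entries(entries):
    """Entries that can never match because an earlier entry already covers
    their whole network. Empty result: the ordering is sound."""
    shadowed = []
    for i, (network, action) in enumerate(entries):
        for earlier, _ in entries[:i]:
            if earlier.version == network.version and network.subnet_of(earlier):
                shadowed.append((str(network), action))
                break
    return shadowed


# Constructed tables. GOOD is the man page example; BAD is the same two
# entries in the wrong order; POLICY is the client-based layout from the reply.
GOOD = parse_cidr_table("""
    # Rule order matters. Put more specific whitelist entries
    # before more general blacklist entries.
    192.168.1.1     OK
    192.168.0.0/16  REJECT
""")
BAD = parse_cidr_table("""
    192.168.0.0/16  REJECT
    192.168.1.1     OK
""")
POLICY = parse_cidr_table("""
    192.168.1.0/24  DUNNO
    192.168.2.3     REJECT blah
    192.168.2.0/24  DUNNO
    192.168.0.0/16  FILTER somefilter
""")
```

The answer to "increasing numeric order" falls out of `shadowed_entries`: numeric order is irrelevant, containment is what matters, so a table is safe whenever no entry is a subnet of an earlier one. Running the check over a real table before `postmap`/reload catches the case where a whitelist host was appended below the block that covers it.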

safe way to remove corrupt files.

2009-11-11 Thread Robert Lopez
On one instance of an email gateway there are two files ...
[r...@mg05 log]# ls -l /var/spool/postfix/corrupt
total 4660
-rwx------ 1 postfix postfix 2183168 2009-08-30 21:06 2C9ED9BB*
-rwx------ 1 postfix postfix 2588672 2009-10-02 06:46 939DD23CA*

postcat of them shows "unexpected EOF in data" and I suspect they
were simply too large. Is the safe way to deal with them just to
remove them?

Is postsuper -d corrupt/2C9ED9BB the (best) way to remove them?

The obligatory information...
Considering the following, there are some mydestination and parameter
order changes I am testing that have not yet been made on this
production system.
[r...@mg05 log]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 16777216
mydestination = $myhostname, $mydomain, localhost.localdomain,
cnm.edu, mail.cnm.edu, mg01.cnm.edu, mg02.cnm.edu, mg03.cnm.edu,
mg04.cnm.edu, mg05.cnm.edu, nmvc.org, mail.nmvc.org, mg01.nmvc.org,
mg02.nmvc.org, mg03.nmvc.org, mg04.nmvc.org, mg05.nmvc.org,
nmvirtualcollege.org, mail.nmvirtualcollege.org,
mg01.nmvirtualcollege.org, mg02.nmvirtualcollege.org,
mg03.nmvirtualcollege.org, mg04.nmvirtualcollege.org,
mg05.nmvirtualcollege.org, nmln.net, ideal-nm.org, ideal-nm.net,
idealnm.org, idealnm.net
myhostname = mg05.cnm.edu
mynetworks = 198.133.182.0/24, 198.133.181.0/24, 198.133.180.0/24,
172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8
[:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
notify_classes = resource,software
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = cnm.edu
smtpd_client_restrictions = permit_mynetworks
    hash:/etc/postfix/whitelist
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.njabl.org
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
    permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/overquota
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unlisted_recipient
    permit_mynetworks
    reject_unauth_destination
    reject_unauth_pipelining
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/greylist
    check_sender_access hash:/etc/postfix/sender_access
    permit_mynetworks
    reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases



Please evaluate my understanding wrt access files

2009-10-30 Thread Robert Lopez
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases





Re: Please evaluate my understanding wrt access files

2009-10-30 Thread Robert Lopez
On Fri, Oct 30, 2009 at 1:26 PM, Noel Jones njo...@megan.vbhcs.org wrote:
 On 10/30/2009 12:55 PM, Robert Lopez wrote:

 I would like to confirm my understanding about access files.

 Please let me know if any of this is not correct...

 The man (5) access description describes a prototype file, where that
 file could be a single file describing any host names, network
 addresses, envelope senders or recipient addresses.

 The file could also be a set of files all following the same format
 rules.

 Where such files might be
 recipient_checks, helo_checks, sender_checks, client_checks, etc.


 The usefulness of the content of an access file is dependent upon the
 parameter that selects a routine that reads the file.

 If check_client_access causes a read of the file it will only be
 looking for IP addresses of a client server that sent the email or a
 fully qualified domain name that successfully reverse maps to the IP
 address of a client server that sent the email.

 If check_sender_access causes a read of the file it will only be
 looking for an email SMTP MAIL FROM address or a pattern which could
 be a part that email address to the left of the @ sign.

 If check_helo_access causes a read of the file it will only be looking
 for the HELO or EHLO hostname or any valid parent domain of that
 hostname that is in the SMTP HELO.

 The routines executed via the parameters such as check_client_access,
 check_sender_access, check_helo_access, etc. return the value the
 check to the routine that called for the check where the calling
 routine would be instigated by any of these parameters:

 smtpd_client_restrictions
 smtpd_helo_restrictions
 smtpd_sender_restrictions
 smtpd_recipient_restrictions
 smtpd_data_restrictions

 It is possible to have all the lookups done on a single
 .../postfix/access.db file but that could mean the file gets confusing
 so in practice multiple access files with names like client_access,
 helo_access, sender_access, etc.

 so far so good...



 A single parameter such as check_client_access may be called multiple
 times in a situation like this:

 smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/greylist
        check_sender_access hash:/etc/postfix/sender_access
        permit_mynetworks


 However if the above causes a pattern to be found more than once then
 only the last pattern match is used. (I think that is what "When the
 same parameter is defined multiple times, only the last instance is
 remembered." means.)

 No, the "last parameter is used" rule refers to when indexing a single map
 -- when the map is indexed with postmap, a duplicate key will overwrite the
 previous identical key.

 With multiple maps -- or multiple restrictions of any type -- in
 smtpd_*_restrictions, the first match wins.

Ah! Good. That now makes more sense.


 Postfix places no limit on how many maps you can use, but there is system
 overhead with each map.  Rule of thumb is to combine maps wherever possible
 -- don't use two check_sender_access statements if you can do it with one.
 The smart way to do this is use a Makefile to build a single map from
 multiple similar input files.

That is interesting. What is the advantage of that over directly
editing a single file?
I can see having unique names that pair with the parameters that cause
them to be read.
It is not clear to me what the benefit of multiple files is beyond
this association.

We do something similar with the virtualaliases table. There is a
table that has all college employees who use an Exchange server, another
that has all customers (students) who use Sungard Luminis, and a third
that has Mailman lists. So email is delivered to one of those three
systems based on that file. We build that single file from three
separate files.



 This is how I am putting this in practice on a new virtual server
 where I hope to fix some problems on current production servers:

 r...@mg0x:/etc/postfix# postconf -d mail_version
 mail_version = 2.5.5

 I am using 2.5.5 because that is the latest from Ubuntu.


 r...@mg0x:/etc/postfix# postconf -n
 alias_database = hash:/etc/aliases
 alias_maps = hash:/etc/aliases
 append_dot_mydomain = yes
 biff = no
 bounce_size_limit = 1
 config_directory = /etc/postfix
 default_process_limit = 400
 header_checks = regexp:/etc/postfix/header_checks
 inet_interfaces = all
 mailbox_size_limit = 0
 masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
 max_use = 100
 message_size_limit = 16777216
 mydestination = $myhostname, $mydomain, localhost.localdomain,
 cnm.edu, mail.cnm.edu, mg0x.cnm.edu, mg04.cnm.edu, mg05.cnm.edu,
 nmvc.org, mail.nmvc.org, mg0x.nmvc.org,  mg04.nmvc.org, mg05.nmvc.org,
 mg06.nmvc,  nmvirtualcollege.org, mail.nmvirtualcollege.org,
 mg0x.nmvirtualcollege.org, mg04.nmvirtualcollege.org,
 mg05.nmvirtualcollege.org, mg04.nmvirtualcollege.org,  nmln.net,
 ideal-nm.org, ideal-nm.net,  idealnm.org, idealnm.net

 Lots of domains in mydestination...  Are you sure

Re: Are my basic definitions wrong? ip blocks in hash for check_sender_access

2009-10-02 Thread Robert Lopez
 to the Postfix queue is
an old issue that is no longer the case. In any event, I do not select
what we use.



Are my basic definitions wrong? ip blocks in hash for check_sender_access

2009-10-01 Thread Robert Lopez
My understanding of client and sender are these:
Client: An application used to send, receive e-mail messages.
Sender: The from or sender name in the header that shows who (is
claimed to have) sent the email.

The context of the use that has me concerned are these:
smtpd_client_restrictions and smtpd_sender_restrictions

I currently have these lines in main.cf:

check_client_access=hash:/etc/postfix/access
smtpd_client_restrictions =
permit_mynetworks
hash:/etc/postfix/whitelist
reject_rbl_client zen.spamhaus.org
reject_rbl_client bl.spamcop.net
reject_rbl_client dnsbl.njabl.org
reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
permit

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/greylist
check_sender_access hash:/etc/postfix/sender_access
permit_mynetworks
reject_unknown_sender_domain

To me the content of the sender_access hash makes sense if it contains
terms such as
luck...@yaha.com    DISCARD

Does it also work correctly if that same files also has terms such as
64.94.244   DISCARD
where the intent is to block any of
64.94.244.xxx
?

Right now that ip address example shown above (64.94.244) is in the
sender_access file (and the sender_access.db) but the log file shows
events such as this:

Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: hold: header
Received: from av7.experience.com (unknown [64.94.244.50])??by
mgxx.cnm.edu (Postfix) with SMTP id 596A81FFCD??for gle...@cnm.edu;
Sun, 27 Sep 2009 17:56:16 -0600 (MDT) from unknown[64.94.244.50];
from=no_re...@experience.com to=xx...@cnm.edu proto=SMTP
helo=av7.experience.com

Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: message-
id=27390832.651.1254095751632.javamail.r...@av7.experience.com

Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: warning:
header Subject: eRecruiting Saved Search - Abq-Lots from
unknown[64.94.244.50]; from=no_re...@experience.com
to=xx...@cnm.edu proto=SMTP helo=av7.experience.com

Sep 27 7:56:22 mgxx MailScanner[9931]: Requeue: 596A81FFCD.2D1A1 to C98C42016A

Sep 27 17:56:22 mgxx postfix/qmgr[24665]: C98C42016A:
from=no_re...@experience.com, size=33955, nrcpt=1 (queue active)

Sep 27 17:56:22 mgxx postfix/smtp[23167]: C98C42016A:
to=gle...@tvimail.cnm.edu, orig_to=gle...@cnm.edu,
relay=tvimail.cnm.edu[198.133.181.119]:25, delay=5.7,
delays=5.6/0/0/0.03, dsn=2.5.0, status=sent (250 2.5.0 Ok.) Sep 27
17:56:22 mg05 postfix/qmgr[24665]: C98C42016A: removed

Based upon my understanding of the definitions of the terms I have
always been uncertain about putting ip blocks in the same file. I have
been told it has been working practice at this college for years
before I got here. I need to be certain we are doing the right things.



Re: Are my basic definitions wrong? ip blocks in hash for check_sender_access

2009-10-01 Thread Robert Lopez
On Thu, Oct 1, 2009 at 11:02 AM, Brian Evans - Postfix List
grkni...@scent-team.com wrote:
 Robert Lopez wrote:
snip
 check_client_access=hash:/etc/postfix/access
 smtpd_client_restrictions =
       permit_mynetworks
       hash:/etc/postfix/whitelist

 This is deprecated syntax equivalent to check_client_access
 hash:/etc/postfix/whitelist

Brian, which line is deprecated syntax?

       reject_rbl_client zen.spamhaus.org
       reject_rbl_client bl.spamcop.net
       reject_rbl_client dnsbl.njabl.org
       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
         permit

 smtpd_sender_restrictions =
       check_sender_access hash:/etc/postfix/greylist
       check_sender_access hash:/etc/postfix/sender_access
       permit_mynetworks
       reject_unknown_sender_domain
snip
 Right now that ip address example shown above (64.94.244) is in the
 sender_access file (and the sender_access.db) but the log file shows
 events such as this:


 You  are explicitly asking postfix to check a sender for the file
 hash:/etc/postfix/sender_access.


...check a sender for the file...
Are you confirming postfix looks only for a sender-name found in the
Reply-To: in the /etc/postfix/sender_access file?


 This will never match an IP.

Thank you for confirming that point.

 Based upon my understanding of the definitions of the terms I have
 always been uncertain about putting ip blocks in the same file. I have
 been told it has been working practice at this college for years
 before I got here. I need to be certain we are doing the right things
 You may put check_client_access to point to the same map in order to
 check for an IP.
 This is discouraged as that map may be abused in the future. People love
 putting all their eggs in one basket.
 Abuse can occur if placed in recipient restriction before
 reject_unauth_destination with an OK result.
 The check_client_access can be placed in sender_restrictions if you like.


I am not clear who you suggest may do the abuse, but I understand your
point is it is best to use separate files, each for a single purpose.

So is this the implementation you would suggest...
check_client_access=hash:/etc/postfix/access_domain
check_client_access=hash:/etc/postfix/access_ip

where the access_domain file has domain names and the access_ip file
has ip addresses?

This (from http://www.postfix.org/postconf.5.html) suggests a single
file can have multiple uses:
check_client_access type:table
Search the specified access database for the client hostname,
parent domains, client IP address, or networks obtained by stripping
least significant octets. See the access(5) manual page for details.

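Brian's point ("This will never match an IP") and Noel's earlier one about first-match versus "last instance is remembered", modelled in Python as an added example. This is not code from the thread and not Postfix's own implementation; it follows the lookup order access(5) documents: check_client_access tries the client hostname and its parent domains, then the client IP address, then the networks obtained by stripping least significant octets; check_sender_access tries the full MAIL FROM address, its domain and parent domains, then the localpart followed by "@" (the form a block of one localpart across every domain would use). Parent-domain matching assumes the default parent_domain_matches_subdomains, so `experience.com` also matches `av7.experience.com`; IPv6, smtpd_delay_reject and the other restriction types are left out. The map entries, the whitelisted network 198.51.100.0/24, the recipients and the MAIL FROM localpart (elided in the post) are constructed.

```python
import ipaddress


def client_keys(hostname, ip):
    """Keys check_client_access tries, in order (access(5)): the client
    hostname and its parent domains (skipped when the reverse lookup failed
    and Postfix shows the client as 'unknown'), then the IPv4 address, then
    the networks obtained by stripping least significant octets."""
    keys = []
    if hostname and hostname != "unknown":
        labels = hostname.lower().split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def sender_keys(address):
    """Keys check_sender_access tries, in order (access(5)): user@domain, the
    domain and its parent domains, then user@. The empty MAIL FROM is looked
    up as '<>' (smtpd_null_access_lookup_key). No client IP appears here,
    which is why an IP block in sender_access can never match."""
    if not address:
        return ["<>"]
    localpart, _, domain = address.lower().partition("@")
    labels = domain.split(".")
    return ([f"{localpart}@{domain}"]
            + [".".join(labels[i:]) for i in range(len(labels))]
            + [f"{localpart}@"])


def table_lookup(table, keys):
    """First key present in the indexed map wins. The map itself is flat:
    when postmap indexes a file with a duplicate key, the last value wins
    (Noel's 'last instance is remembered'); first-match applies to the key
    sequence and to the order of restrictions, not to duplicate keys."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None


def evaluate(restrictions, session):
    """Walk one smtpd_*_restrictions list: the first restriction that returns
    anything but DUNNO decides, and an OK ends only this list. Modelled:
    check_client_access, check_sender_access, permit_mynetworks and
    reject_unauth_destination (REJECT unless the recipient domain is ours)."""
    for kind, arg in restrictions:
        if kind == "permit_mynetworks":
            client = ipaddress.ip_address(session["client_ip"])
            if any(client in ipaddress.ip_network(net) for net in arg):
                return "OK", "permit_mynetworks"
            continue
        if kind == "reject_unauth_destination":
            if session["recipient"].rpartition("@")[2].lower() not in arg:
                return "REJECT", "reject_unauth_destination"
            continue
        if kind == "check_client_access":
            hit = table_lookup(arg, client_keys(session["client_name"], session["client_ip"]))
        elif kind == "check_sender_access":
            hit = table_lookup(arg, sender_keys(session["sender"]))
        else:
            raise ValueError(f"restriction not modelled: {kind}")
        if hit and hit[1] != "DUNNO":
            return hit[1], hit[0]
    return "DUNNO", None


# Constructed data mirroring the log excerpt: client unknown[64.94.244.50];
# the MAIL FROM localpart is elided in the post, so a placeholder is used.
SENDER_ACCESS = {
    "lucky@yaha.example": "DISCARD",  # constructed sender-style entry
    "64.94.244": "DISCARD",           # the IP block from the post
}
SESSION = {
    "client_name": "unknown",
    "client_ip": "64.94.244.50",
    "sender": "no_reply@experience.com",
    "recipient": "someone@cnm.edu",
}

# Brian's warning, made concrete: an OK from a map consulted before
# reject_unauth_destination in smtpd_recipient_restrictions lets that client
# relay anywhere. Network, recipient and relay domains below are constructed.
RELAY_DOMAINS = {"cnm.edu", "nmvc.org"}
WHITELIST = {"198.51.100": "OK"}
RELAYING = dict(SESSION, client_ip="198.51.100.7", recipient="victim@elsewhere.example")
UNSAFE_RECIPIENT_RESTRICTIONS = [("check_client_access", WHITELIST),
                                 ("reject_unauth_destination", RELAY_DOMAINS)]
SAFE_RECIPIENT_RESTRICTIONS = [("reject_unauth_destination", RELAY_DOMAINS),
                               ("check_client_access", WHITELIST)]
```

`sender_keys(SESSION["sender"])` never produces "64.94.244", so `table_lookup` over the sender keys misses, exactly as the log shows; the same map consulted through `client_keys` hits on the stripped-octet key. The two recipient-restriction lists show why a shared map with OK entries is the "eggs in one basket" risk: with the whitelist consulted first the foreign recipient is permitted, with reject_unauth_destination first it is refused.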

safe way to retire postfix gateway

2009-08-18 Thread Robert Lopez
Having built new email gateways, it is time to retire the old ones.

I have removed one email gateway running postfix from the MX records
for our college.
It still has a few hundred mail in the queues and some spam is still coming in.

What is the best way to stop the incoming email and allow the queues to empty?



smtpd -o stress

2009-08-05 Thread Robert Lopez
On one mail gateway running postfix I see about 24 lines that look like this:

postfix   7579 32735  0 10:00 ?        00:00:00 smtpd -n smtp -t inet -u -c -o stress

On all the other gateways I normally see lines that look like this:

postfix   9243  3682  0 08:52 ?        00:00:00 smtpd -n smtp -t inet -u

Are there configuration parameters that cause the addition of the -c
-o stress?



blocking supp...@...

2009-07-22 Thread Robert Lopez
We get a lot of spam from a marketing company that uses hundreds of ip
addresses and hundreds of domain names but it always comes from
support at which ever names they are using that day.

My supervisor wants me to block all email coming from supp...@*.

I have concerns about blocking legitimate email.

Which postfix list would be best used for such a block?  Could it be
sender_access?



Re: postscreen test

2009-07-17 Thread Robert Lopez
On Fri, Jul 17, 2009 at 8:02 AM, Wietse Venema wie...@porcupine.org wrote:
 Ralf Hildebrandt:
 * Noel Jones njo...@megan.vbhcs.org:
  Ralf Hildebrandt wrote:
  * Noel Jones njo...@megan.vbhcs.org:
 
  corona
 
  Corona, St.George, what's it with the beer names?
 
 
  Corona - outer atmosphere of a star

 Latin for Crown

 Good names I have seen sofar that suggest what the program does:
 sentry (the guard at the gate) and triage (the action of deciding
 which patients to service).

        Wietse



From the point of view of one who has been easily confused by
definitions of terms I want to also join the "no" to "bouncer", and I
agree with all the reasons others have stated.



append_dot_mydomain no such transport filter

2009-07-16 Thread Robert Lopez
 -   -   n   -   1   proxymap
smtp      unix  -   -   -   -   -   smtp
relay     unix  -   -   -   -   -   smtp
    -o smtp_fallback_relay=
showq     unix  n   -   -   -   -   showq
error     unix  -   -   -   -   -   error
retry     unix  -   -   -   -   -   error
discard   unix  -   -   -   -   -   discard
local     unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp      unix  -   -   -   -   -   lmtp
anvil     unix  -   -   -   -   1   anvil
scache    unix  -   -   -   -   1   scache
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -   n   n   -   -   pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -   n   n   -   -   pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

-- end of postfinger output --



Re: smtpd_*_restrictions

2009-07-09 Thread Robert Lopez
On Thu, Jul 9, 2009 at 8:28 AM, Jon jo...@iotk.net wrote:
 Looking for some clarification to help me understand. Are
 smtpd_*_restrictions processed in this order:

  smtpd_client_restrictions
  smtpd_helo_restrictions
  smtpd_sender_restrictions
  smtpd_recipient_restrictions
  smtpd_data_restrictions


I am no expert but that order has been previously stated in this mail group.



 If these restriction mechanisms share a common hash file for their check,
 for example:

 /etc/postfix/main.cf
  ...
 smtpd_client_restrictions = check_client_access
 hash:/etc/postfix/access_hash ...
  ...
 smtpd_sender_restrictions = check_sender_access
 hash:/etc/postfix/access_hash ...
  ...

That I do not know. In the systems I started working with (already
established and running) separate hash files are used for each.


 /etc/postfix/access_hash
 ip.ad.dre.ss ok
 tld.com REJECT Access denied

 would this OK if found in smtp_client_restrictions trump REJECT if found  by
 smtpd_sender_restrictions against tld.com and allow the message to queue?







empty subject, empty body, from: Postfix After-Queue Content Filter...

2009-05-18 Thread Robert Lopez
 =
local_transport = error
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
message_size_limit = 16777216
mydestination = $myhostname, $mydomain, localhost.localdomain, cnm.edu,
mail.cnm.edu, .cnm.edu, .cnm.edu, .cnm.edu, .cnm.edu,
.cnm.edu, .cnm.edu,nmvc.org, mail.nmvc.org, .nmvc.org,
.nmvc.org, .nmvc.org, nmvirtualcollege.org,
mail.nmvirtualcollege.org, .nmvirtualcollege.org,
.nmvirtualcollege.org, .nmvirtualcollege.org,nmln.net, ideal-nm.org,
ideal-nm.net, idealnm.org, idealnm.net
mydomain = cnm.edu
myhostname = .cnm.edu
mynetworks = 198.133.182.0/24, 198.133.181.0/24, 198.133.180.0/24,
172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = resource,software
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_client_restrictions = permit_mynetworks
    hash:/etc/postfix/whitelist
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.njabl.org
    permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/overquota
    check_recipient_access hash:/etc/postfix/filtered_domains
    permit_mynetworks
    reject_unauth_destination
    check_client_access hash:/etc/postfix/access
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/greylist
    check_sender_access hash:/etc/postfix/sender_access
    permit_mynetworks
    reject_unknown_sender_domain
virtual_alias_maps = hash:/etc/postfix/virtualaliases

--master.cf--
smtp      inet  n   -   n   -   -   smtpd
pickup    fifo  n   -   n   60  1   pickup
cleanup   unix  n   -   n   -   0   cleanup
qmgr      fifo  n   -   n   300 1   qmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer     unix  -   -   n   -   0   bounce
trace     unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
flush     unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
smtp      unix  -   -   n   -   -   smtp
relay     unix  -   -   n   -   -   smtp
    -o fallback_relay=
showq     unix  n   -   n   -   -   showq
error     unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local     unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp      unix  -   -   n   -   -   lmtp
anvil     unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -   n   n   -   -   pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus     unix  -   n   n   -   -   pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -   n   n   -   -   pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
filter    unix  -   n   n   -   -   pipe
  flags=Rq user=filter argv=/u01/gluescript/filter.sh -f ${sender} -- ${recipient}

-- end of postfinger output --

tcpdump shows no problem.



Fwd: outgoing SPAM

2008-10-06 Thread Robert Lopez
Thank you Aaron.

My supervisor asked me to find a configuration change to postfix. He wants
to avoid adding any new agents/programs. It seems the person I replaced had
some bad times when trying to add other programs to the mail gateway
functionality.

-- Forwarded message --
From: Aaron Wolfe [EMAIL PROTECTED]
Date: Mon, Oct 6, 2008 at 12:55 PM
Subject: Re: outgoing SPAM
To: postfix-users@postfix.org


On Mon, Oct 6, 2008 at 2:33 PM, Robert Lopez [EMAIL PROTECTED] wrote:
 In the past months there have been instances where phishing was used to
 get account credentials and use the victim's account to send massive
 quantities of SPAM.

 Is there a way to configure postfix to detect such an event and/or to stop
 such an event from reoccurring?
 Is there a way to limit the number of email a person can send in a short
 period of time?
 Is there a way to block sending an email if a maximum number of
 recipients is exceeded?

You can do some limits with policy filters.  One to limit the number
of mails sent over time is:

http://www.opennix.com/postfixresources/policy/ratelimit

You could easily modify this to limit based on other criteria, some
hints are in the docs.  I have also read that policyd can do this but
haven't used it myself.

-Aaron







-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
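Aaron's answer points at an existing policy daemon. As an added example, not from the thread, from that daemon or from Postfix, the Python below implements the Postfix policy delegation protocol that such daemons speak (SMTPD_POLICY_README: the server receives "name=value" lines terminated by an empty line and answers with one "action=..." line plus an empty line) and applies the two controls asked for above: a sliding-window cap on messages per authenticated account and a cap on recipients per transaction. The limits, the listening port 10031 and the main.cf line in the comment are assumptions; the request in the usage test is constructed. The account key is `sasl_username`, which is only present when the submitting client authenticated with SASL, so this only has teeth on the submission path that the phished accounts abuse.

```python
import socketserver
import threading
import time
from collections import defaultdict, deque

# Constructed limits for this example; tune to real traffic before use.
MAX_MESSAGES = 100      # messages one account may start ...
WINDOW_SECONDS = 3600   # ... within this sliding window
MAX_RECIPIENTS = 50     # recipients allowed in a single transaction


def parse_policy_request(blob):
    """Parse one policy request: 'name=value' lines terminated by an empty
    line (SMTPD_POLICY_README). Returns the attributes as a dict."""
    attrs = {}
    for line in blob.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class RateLimiter:
    """Sliding-window message counter keyed by sasl_username, falling back to
    the envelope sender, then the client address. Postfix queries the policy
    service once per RCPT TO, so a message is counted only on the first
    recipient of a transaction (recipient_count == 0)."""

    def __init__(self, max_messages=MAX_MESSAGES, window=WINDOW_SECONDS,
                 max_recipients=MAX_RECIPIENTS):
        self.max_messages, self.window = max_messages, window
        self.max_recipients = max_recipients
        self.history = defaultdict(deque)
        self.lock = threading.Lock()

    @staticmethod
    def key_for(attrs):
        return (attrs.get("sasl_username") or attrs.get("sender")
                or attrs.get("client_address") or "unknown")

    def decide(self, attrs, now=None):
        """Return the 'action=...' line for one request."""
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO"
        accepted = int(attrs.get("recipient_count") or 0)  # RCPTs accepted so far
        if accepted + 1 > self.max_recipients:
            return "action=REJECT 5.5.3 Too many recipients"
        with self.lock:
            sent = self.history[self.key_for(attrs)]
            while sent and sent[0] <= now - self.window:
                sent.popleft()               # drop timestamps outside the window
            if accepted == 0:
                if len(sent) >= self.max_messages:
                    # DEFER_IF_PERMIT rather than REJECT: a legitimate burst is
                    # retried by the client instead of bouncing.
                    return "action=DEFER_IF_PERMIT 4.7.1 Rate limit exceeded, try later"
                sent.append(now)
        return "action=DUNNO"


def handle_policy_request(limiter, blob, now=None):
    """One full round: request text in, complete reply (action line plus the
    terminating empty line) out."""
    return limiter.decide(parse_policy_request(blob), now) + "\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    limiter = RateLimiter()

    def handle(self):
        # Postfix keeps the connection open and sends requests back to back.
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            reply = handle_policy_request(self.limiter, "\n".join(lines) + "\n\n")
            self.wfile.write(reply.encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Assumed main.cf hook:  smtpd_recipient_restrictions = ...
    #     check_policy_service inet:127.0.0.1:10031 ...
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```

Placement matters the same way it does for access maps: `check_policy_service` belongs after `reject_unauth_destination` in smtpd_recipient_restrictions so a DUNNO from the policy server can never turn into an open relay, and the limiter keys on the authenticated account precisely because a phished account is what is being abused, not a particular client address.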