Re: policy server determine proxy filter?

2015-07-02 Thread Rod K

On 7/2/2015 1:52 PM, Viktor Dukhovni wrote:

On Thu, Jul 02, 2015 at 01:44:45PM -0400, Rod K wrote:


Using "FILTER {destination}" one can use a policy server to set/override an
after queue filter, but is there anyway to set/override a before queue proxy
filter from a policy server?

No, and you can't even specify "FILTER" directives to an SMTP server
that uses a before queue proxy.  Any FILTER directives must happen
in the downstream smtpd(8) that receives messages processed by the
pre-queue proxy.

Hmmm, been thinking about what you wrote here.  Is a proxy filter called 
before or after check_policy_service under 
smtpd_recipient_restrictions?  If after, would the proxy filter also be 
called once per recipient?   My thinking here is using PREPEND to set 
how the proxy filter should handle content.


Re: policy server determine proxy filter?

2015-07-02 Thread Rod K

On 7/2/2015 1:52 PM, Viktor Dukhovni wrote:

On Thu, Jul 02, 2015 at 01:44:45PM -0400, Rod K wrote:


Using "FILTER {destination}" one can use a policy server to set/override an
after queue filter, but is there anyway to set/override a before queue proxy
filter from a policy server?

No, and you can't even specify "FILTER" directives to an SMTP server
that uses a before queue proxy.  Any FILTER directives must happen
in the downstream smtpd(8) that receives messages processed by the
pre-queue proxy.

Bummer.  That wasn't really an issue.  I was not planning on having 
both, just using the FILTER as an example.  I was hoping to move my 
after queue filter to before queue but the filter I want to use depends 
on policy.


policy server determine proxy filter?

2015-07-02 Thread Rod K
Using "FILTER {destination}" one can use a policy server to set/override 
an after queue filter, but is there anyway to set/override a before 
queue proxy filter from a policy server?


Re: SQL table lookup

2015-05-12 Thread Rod K

On 5/12/2015 7:55 PM, Peter wrote:

On 05/08/2015 04:43 AM, Rod K wrote:

check_client_restrictions =

There is no such setting, you probably want smtpd_client_restrictions.


Peter


Yes I did.  Should have been
smtpd_client_restrictions = check_client_access 


Re: SQL table lookup

2015-05-08 Thread Rod K

On 5/8/2015 3:33 AM, Tobi wrote:


Am 07.05.2015 um 18:43 schrieb Rod K:

I'm trying to implement

check_client_restrictions = check_client_access
pgsql:/path/to/local_blacklist-sql.cf, ...


have you had a look at postfix postscreen feature?
http://www.postfix.org/POSTSCREEN_README.html
I recommend to implement ip based blocklists via postscreen.

This is a LOCAL blacklist.  I will probably move it to DNS based 
eventually where it could be used by postscreen but for now it's in 
testing.  The listings in it are relatively short lived.  The idea is to 
catch new spam sources quickly before they are listed on a major DNSBL.  
The list comes from emails reported by a few TRUSTED users (even then 
certain hosts are excluded). After a few hours the listing expires 
giving time for them to be listed elsewhere or to fix the issue.


Re: SQL table lookup

2015-05-07 Thread Rod K

On 5/7/2015 3:01 PM, Wietse Venema wrote:

Rod K:

   *DUNNO*   Pretend that the lookup key was not found. This prevents Postfix
from  trying  substrings  of the lookup key (such as a subdomain
name, or a network address subnetwork).
"

This to me means the first lookup would check domain.tld (receive DUNNO so skip 
.domain.tld), then lookup net.work.addr.ess which will return DUNNO or REJECT 
(no further lookups)

I am handling matching for subnets internally so there is no need for further 
network address lookups.

Am I misunderstanding?  Is the initial DUNNO for domain.tld preventing 
net.work.addr.ess queries?

DUNNO means something was found, don't look further. You want to
return "not found" instead.

Wietse

In access.5 "not found" is not a listed response.   Is that a literal 
"NOT FOUND" or, in the case of an SQL query, an empty string or null, or 
0 rows?
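
Added example, not part of the thread and not Postfix code: a simplified Python model of the lookup behaviour discussed above, showing why a table that answers DUNNO for host name keys never gets asked about the address, while a table that returns no row does. The key order follows the search order listed in the post; the client name, the addresses, the listed network and all function names are constructed for illustration.

```python
"""Simplified model of a check_client_access table search (not Postfix code)."""
import ipaddress

# Constructed sample data: one listed network, matched inside the "SQL function".
LISTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/28")]


def lookup_keys(client_name, client_addr):
    """Keys in the order given in the post: names first, then addresses."""
    labels = client_name.split(".")
    keys = [client_name]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    octets = client_addr.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys


def check_client_access(table, client_name, client_addr):
    """Return (result, keys_queried); result is None when nothing was found.

    Any returned row, DUNNO included, counts as "found" and ends the search.
    Only "no row" (None here) lets the search move on to the next key.
    """
    queried = []
    for key in lookup_keys(client_name, client_addr):
        queried.append(key)
        result = table(key)
        if result is not None:
            return result, queried
    return None, queried


def _listed(key):
    """True/False for a full IPv4 address, None for any other key."""
    try:
        addr = ipaddress.ip_address(key)
    except ValueError:
        return None
    return any(addr in net for net in LISTED_NETWORKS)


def table_always_one_row(key):
    """The function described in the post: always one row, REJECT or DUNNO."""
    return "REJECT" if _listed(key) else "DUNNO"


def table_no_row_for_names(key):
    """Variant: no row for non-address keys, a decision for full addresses."""
    listed = _listed(key)
    if listed is None:
        return None                      # zero rows: "not found"
    # DUNNO for an unlisted address stops the network prefix lookups,
    # which is what the poster wants since subnets are matched internally.
    return "REJECT" if listed else "DUNNO"


if __name__ == "__main__":
    for table in (table_always_one_row, table_no_row_for_names):
        print(table.__name__,
              check_client_access(table, "mail.domain.tld", "192.0.2.10"))
```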


Re: SQL table lookup

2015-05-07 Thread Rod K

On 5/7/2015 1:48 PM, Wietse Venema wrote:

Rod K:

I'm trying to implement

check_client_restrictions =
  check_client_access pgsql:/path/to/local_blacklist-sql.cf,

Note that this also makes queries with client name parent domains
and network prefixes (see the section "HOST NAME/ADDRESS PATTERNS"
in the access(5) manpage).

I'm aware.  When the query term is NOT a valid dotted quad it returns 
DUNNO, even for hostnames.


Search order:
domain.tld
.domain.tld

net.work.addr.ess
net.work.addr
...

"

 *DUNNO*   Pretend that the lookup key was not found. This prevents Postfix
  from  trying  substrings  of the lookup key (such as a subdomain
  name, or a network address subnetwork).
"

This to me means the first lookup would check domain.tld (receive DUNNO so skip 
.domain.tld), then lookup net.work.addr.ess which will return DUNNO or REJECT 
(no further lookups)

I am handling matching for subnets internally so there is no need for further 
network address lookups.

Am I misunderstanding?  Is the initial DUNNO for domain.tld preventing 
net.work.addr.ess queries?








SQL table lookup

2015-05-07 Thread Rod K

I'm trying to implement

check_client_restrictions =
check_client_access pgsql:/path/to/local_blacklist-sql.cf,
...

Previously I had the same information in a cidr:
check_client_access cidr:/path/to/local_blacklist.cidr,

When I check with postmap
postmap -q 1.2.3.4 pgsql:/path/to/local_blacklist-sql.cf
or
postmap -q 1.2.3.4 cidr:/path/to/local_blacklist.cidr

Postmap returns correct responses to any query (i.e. REJECT or DUNNO)

local_blacklist-sql.cf query is a call to a function that returns one 
row with one field containing only 'REJECT' or 'DUNNO' and it is 
currently recording queries so I know smtpd is calling the function, 
however it does not reject those clients that i'm returning REJECT for.


Any ideas?


Re: Whitelist specific address in postscreen

2015-04-30 Thread Rod K

On 4/30/2015 10:15 AM, Noel Jones wrote:

On 4/30/2015 8:59 AM, Rod K wrote:

Postscreen is successfully blocking a lot of spam for us.  Our DNSBL
settings are doing a great job, however I'm having one "false
positive."  One of our customers does a bit of business with a
Chinese firm.  Their rep from this firm is using the nefarious
163.com as their service provider.  Of course this is being
blocked.  I do NOT want to allow 163.com as a whole to be
whitelisted (I'm getting 100s of connections/day from them and AFAIK
only this particular address is sending legit email.)

Is there anyway to have postscreen allow just the one particular
address?


postscreen knows the client IP address, nothing else.  If the
customer uses a particular IP address, you can whitelist it in
postscreen_access_list.
http://www.postfix.org/postconf.5.html#postscreen_access_list

The alternative is to move the offending setting from postscreen to
smtpd_sender_restrictions where you can whitelist by sender or
client name.


   -- Noel Jones

That is what I thought. However, postscreen DOES have that information 
eventually as it logs the reject with sender and recipient.


Whitelist specific address in postscreen

2015-04-30 Thread Rod K
Postscreen is successfully blocking a lot of spam for us.  Our DNSBL 
settings are doing a great job, however I'm having one "false 
positive."  One of our customers does a bit of business with a Chinese 
firm.  Their rep from this firm is using the nefarious 163.com as their 
service provider.  Of course this is being blocked.  I do NOT want to 
allow 163.com as a whole to be whitelisted (I'm getting 100s of 
connections/day from them and AFAIK only this particular address is 
sending legit email.)


Is there anyway to have postscreen allow just the one particular address?


Re: External forwards and dovecot-lda

2015-03-12 Thread Rod K

On 3/12/2015 7:06 PM, Noel Jones wrote:

On 3/12/2015 6:03 PM, Noel Jones wrote:

On 3/12/2015 5:50 PM, Rod K wrote:

On 3/12/2015 6:35 PM, Noel Jones wrote:

On 3/12/2015 5:28 PM, Rod K wrote:

I'm currently configuring a new server using Postfix/Dovecot.  My
previous experience is with Courier and I've been using Postfix's
virtual lda.  I want to start using dovecot-lda.

Here's the issue, I have several external forwards such as
joeb...@internal.tld > joeb...@external.tld where external.tld is
NOT hosted by me obviously.  Of course, I also have internal
aliases/forwards as well (janeb...@internal.tld >
someonee...@internal.tld and joe...@internal.tld >
joe...@anotherinternal.tld)  Utilizing postfix virtual lda this
wasn't an issue, both internal and external forwards/aliases worked
fine.

If I understand Dovecot lda correctly, I need to rewrite internal
forwards/aliases before sending to Dovecot AND I need to have
external forwards sent to Postfix virtual and this is the part I'm
not clear on.  Unless I've missed something there doesn't seem to be
a way to define transport on a per address basis.  Or am I totally
thinking about this the wrong way?

Thanks

Put your local and external aliases in virtual_alias_maps (*NOT*
virtual_alias_domains) and it will work fine.  No need to muck
around with the postfix virtual transport.



-- Noel Jones

That's what I initially thought.  However, wouldn't external
forwards still get passed to Dovecot which then couldn't deliver?

No, of course not.  External domains are delivered via the smtp
transport.

This assumes a fairly normal postfix installation, with dovecot
domains listed in virtual_alias_domains, and valid users in
virtual_mailbox_maps.

Dang, mistyped...  Dovecot domains should be listed in
virtual_mailbox_domains, NOT virtual_alias_domains.



   -- Noel Jones



http://www.postfix.org/ADDRESS_CLASS_README.html




   -- Noel Jones


TY, Noel


Re: External forwards and dovecot-lda

2015-03-12 Thread Rod K

On 3/12/2015 6:35 PM, Noel Jones wrote:

On 3/12/2015 5:28 PM, Rod K wrote:

I'm currently configuring a new server using Postfix/Dovecot.  My
previous experience is with Courier and I've been using Postfix's
virtual lda.  I want to start using dovecot-lda.

Here's the issue, I have several external forwards such as
joeb...@internal.tld > joeb...@external.tld where external.tld is
NOT hosted by me obviously.  Of course, I also have internal
aliases/forwards as well (janeb...@internal.tld >
someonee...@internal.tld and joe...@internal.tld >
joe...@anotherinternal.tld)  Utilizing postfix virtual lda this
wasn't an issue, both internal and external forwards/aliases worked
fine.

If I understand Dovecot lda correctly, I need to rewrite internal
forwards/aliases before sending to Dovecot AND I need to have
external forwards sent to Postfix virtual and this is the part I'm
not clear on.  Unless I've missed something there doesn't seem to be
a way to define transport on a per address basis.  Or am I totally
thinking about this the wrong way?

Thanks

Put your local and external aliases in virtual_alias_maps (*NOT*
virtual_alias_domains) and it will work fine.  No need to muck
around with the postfix virtual transport.



   -- Noel Jones

That's what I initially thought.  However, wouldn't external forwards 
still get passed to Dovecot which then couldn't deliver?


External forwards and dovecot-lda

2015-03-12 Thread Rod K
I'm currently configuring a new server using Postfix/Dovecot.  My 
previous experience is with Courier and I've been using Postfix's 
virtual lda.  I want to start using dovecot-lda.


Here's the issue, I have several external forwards such as 
joeb...@internal.tld > joeb...@external.tld where external.tld is NOT 
hosted by me obviously.  Of course, I also have internal 
aliases/forwards as well (janeb...@internal.tld > 
someonee...@internal.tld and joe...@internal.tld > 
joe...@anotherinternal.tld)  Utilizing postfix virtual lda this wasn't 
an issue, both internal and external forwards/aliases worked fine.


If I understand Dovecot lda correctly, I need to rewrite internal 
forwards/aliases before sending to Dovecot AND I need to have external 
forwards sent to Postfix virtual and this is the part I'm not clear on.  
Unless I've missed something there doesn't seem to be a way to define 
transport on a per address basis.  Or am I totally thinking about this 
the wrong way?


Thanks


Re: smtp_recipient_restrictions policy server

2015-02-17 Thread Rod K

On 2/17/2015 9:03 PM, Viktor Dukhovni wrote:

On Tue, Feb 17, 2015 at 08:52:12PM -0500, Rod K wrote:


I want to create a policy server that will process once per recipient.  My
understanding is that this would work when placed under
smtpd_recipient_restrictions.  Is this correct?

Yes.


My other question is will access results be honored per recipient?

Yes.  Actions that return an SMTP [5xx] or [4xx] code to the remote
MTA are per-recipient as are actions that whitelist a given recipient.
REJECT, DEFER, OK are examples of such actions.

No, only for message-level actions such as "FILTER", "REDIRECT",
"DISCARD" or "HOLD" which apply to all recipients.



Outstanding!  Thanks, Victor.


smtp_recipient_restrictions policy server

2015-02-17 Thread Rod K
I've done a bit of research into this and I'm hoping someone can verify 
a conclusion and also answer one question that I cannot seem to find an 
answer for.


I want to create a policy server that will process once per recipient.  
My understanding is that this would work when placed under 
smtpd_recipient_restrictions.  Is this correct?


My other question is will access results be honored per recipient? By 
this I mean if an email has 2 recipients but one results in a REJECT and 
the other an OK will both actions be honored (REJECT notice sent to 
sending SMTP and OK continues)?


If either of the answers is negative, can someone point me in a 
direction to where I can achieve this with a policy server, or will I 
have to use a content filter?


Thanks,

Rod K


Re: Limit PHP web application to connect postfix on localhost

2014-10-24 Thread Rod K

On 10/24/2014 4:47 PM, li...@rhsoft.net wrote:



Am 24.10.2014 um 22:41 schrieb Rod K:

On 10/24/2014 2:47 PM, Julio Cesar Covolato wrote:

Hi.

Hello!
Is there a way to limit connections from web applications on the same
server for postfix?
The web application sends messages via smtp on localhost 
(127.0.0.1:25).


Need to limit the maximum 5k messages per hour. Is that possible?

Regards


Using PHP's mail() function which sends via 25 is A Bad Thing


mail() don't use TCP, it uses pickup/sendmail

Correct.  My point was that, in the most common Apache/PHP 
configuration, there is no way to tell which site on a shared host sent 
the mail.  Using SASL via submission and a policy server to rate limit, 
the OP gets his problem solved AND should a site be sending spam a quick 
check of the logs and he'll know which site generated it.



Use  something like phpmailer class to use submission
and a policy server to rate limit


don't change the fact that a web-app can't handle rate-limiting and 
you just lose mail which exceeds the limit - in any case you need to 
fix or just remove the vulnerable web-application or end with randomly 
lost legit mail

And rate limiting would force the user to do just that, no?


what should the php-app do if the MTA rejects the mail because you hit 
the rate-control? queue it? how and where - that's why it talks to the 
MTA instead to the final MX

WTF?  How is the mail admin supposed to solve this problem for the 
user?  If the user's script doesn't handle it there is nothing the mail 
admin can do about it.  Unless you just want to accept all email from 
localhost and deliver it no matter what.


Furthermore, even if the user's script isn't handling rejections he 
should be checking his error logs, no?


Re: Limit PHP web application to connect postfix on localhost

2014-10-24 Thread Rod K

On 10/24/2014 2:47 PM, Julio Cesar Covolato wrote:

Hi.

Hello!
Is there a way to limit connections from web applications on the same 
server for postfix?

The web application sends messages via smtp on localhost (127.0.0.1:25).

Need to limit the maximum 5k messages per hour. Is that possible?

Regards

Using PHP's mail() function which sends via 25 is A Bad Thing.  Use 
something like phpmailer class to use submission and a policy server to 
rate limit.


Policy server returns

2013-05-15 Thread Rod K
As I understand it Postfix only allows a single line return from a 
policy server.


e.g. this is valid:

REJECT Because I want to\n\n

but this is not:

PREPEND X-MYHEADER: this is my added header\nDUNNO\n\n

If that is the case I want to clarify that a PREPEND or REDIRECT reply 
will result as a DUNNO as far as later processing.


Thanks
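
Added example, not part of the thread and not code from Postfix or any list member: a Python sketch of the policy delegation exchange discussed in the posts above (one request per RCPT TO when the service is listed under smtpd_recipient_restrictions, exactly one `action=` line per reply, and rate limiting keyed on `sasl_username`). The addresses, the blocked recipient, the `SlidingWindow` class and the tiny demo limit are assumptions made for illustration.

```python
"""Policy delegation sketch: one request in, one action line out."""
from collections import defaultdict, deque

LIMIT_PER_HOUR = 5000        # the hourly figure asked for in the thread
WINDOW_SECONDS = 3600
BLOCKED_RECIPIENTS = {"blocked@internal.example"}   # constructed sample data


def parse_request(raw):
    """Parse name=value lines up to the empty line that ends a request."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed attribute line: %r" % line)
        attrs[name] = value
    return attrs


def format_reply(action):
    """Serialize a reply: a single action= line followed by an empty line."""
    if "\n" in action or "\r" in action:
        raise ValueError("a reply carries a single action line")
    return "action=%s\n\n" % action


class SlidingWindow:
    """Counts events per key over the last `window` seconds."""

    def __init__(self, limit=LIMIT_PER_HOUR, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def hit(self, key, now):
        """Record one event; return False once the key is over its limit."""
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def decide(attrs, limiter, now):
    """Return the action for one request, i.e. for one recipient."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    # Per-recipient decision: only this RCPT TO is refused, others continue.
    if attrs.get("recipient", "").lower() in BLOCKED_RECIPIENTS:
        return "REJECT Recipient not accepted"
    # Key on the SASL login so each site is counted (and logged) separately;
    # fall back to the client address for unauthenticated clients.
    key = attrs.get("sasl_username") or attrs.get("client_address", "unknown")
    if not limiter.hit(key, now):
        return "DEFER Rate limit exceeded for %s" % key
    return "DUNNO"


def handle(raw, limiter, now):
    """Full round trip: request text in, reply text out."""
    return format_reply(decide(parse_request(raw), limiter, now))


def sample_request(recipient, user="site1"):
    """Constructed request, shaped like what smtpd sends at RCPT TO."""
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            "protocol_name=ESMTP\nclient_address=127.0.0.1\n"
            "sender=www@internal.example\nrecipient=%s\n"
            "sasl_username=%s\n\n" % (recipient, user))


if __name__ == "__main__":
    limiter = SlidingWindow(limit=2)     # tiny limit so the demo trips it
    recipients = ["a@external.example", "blocked@internal.example",
                  "b@external.example", "c@external.example"]
    for i, rcpt in enumerate(recipients):
        reply = handle(sample_request(rcpt), limiter, now=100 + i)
        print(rcpt, "->", reply.strip())
```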


Re: Case sensivity: Strict rfc5321 or reality compliance

2013-04-15 Thread Rod K


On 4/15/2013 9:44 AM, Jan P. Kessler wrote:

localpart case sensitivity according to rfc5321:

"The local-part of a mailbox MUST BE treated as case sensitive."

You are misunderstanding. Relaying MTAs MUST treat the local-part as
case sensitive. IOW, until the message is received at the destination,
case must be preserved. However, the RFC does NOT require any
organization to treat their local addresses as case sensitive. It
would be pointless anyway as you could just say all the variations of
case are aliases.

Really? I thought about that, but I think it's not that easy. What if
you are a provider (relaying for one or more organisations) and the
rate-limiting happens at your relay? I know about several providers
using rate limits to throttle their customers on unusual mass-mailing
events. Of course these rate limits will not modify the envelope address
case but nevertheless have consequences depending on their
implementation (means if you count "bob" and "BoB" differently or not).

Again sorry to the list maintainers. If you think, that this is not the
right place for this discussion, anybody is free to share his opinion at
info at postfwd dot org.

Taken strictly, as not being the destination host, the relay would need 
to treat the addresses as case-sensitive, at least for relaying 
purposes. That said, rate limiting in and of itself would not be 
affected by the RFC. IOW, the RFC has absolutely nothing to say about 
the matter.


Basically, all the RFC is saying is that a relay cannot assume addresses 
are case insensitive and MUST preserve the case of the address in the 
envelope. It has no bearing on anything else.




Re: Case sensivity: Strict rfc5321 or reality compliance

2013-04-15 Thread Rod K


On 4/15/2013 8:24 AM, Jan P. Kessler wrote:

Hi,

sorry, I know this is not directly related to postfix but I know that
there are several very experienced people reading this list. My question
is how you (the people that use and administer mailservers) handle the
localpart case sensitivity according to rfc5321:

 "The local-part of a mailbox MUST BE treated as case sensitive."

You are misunderstanding. Relaying MTAs MUST treat the local-part as 
case sensitive. IOW, until the message is received at the destination, 
case must be preserved. However, the RFC does NOT require any 
organization to treat their local addresses as case sensitive. It would 
be pointless anyway as you could just say all the variations of case are 
aliases.


Re: NOQUEUE: reject: RCPT from ... 454 4.7.1 Relay access denied

2013-04-08 Thread Rod K

Postfix is not configured to accept mail for mhm.lv

On 4/8/2013 9:30 PM, Indiana Jones wrote:

Dear Sirs,
From these error messages below, could you possibly advise what the 
reason might be that

I am not able to receive messages into my Postfix-Dovecot mail server!
OS: FreeBSD 9.1
Postfix 2.9.5,1
Dovecot 1.2.17
/var/log/maillog:
---
Apr 9 02:44:35 mail postfix/smtpd[38430]: connect from 
shark2.inbox.lv[89.111.3.82]
Apr 9 02:44:35 mail postfix/smtpd[38430]: NOQUEUE: reject: RCPT from 
shark2.inbox.lv[89.111.3.82]: 454 4.7.1 : Relay access 
denied; from= to= proto=ESMTP 
helo=
Apr 9 02:44:35 mail postfix/smtpd[38430]: disconnect from 
shark2.inbox.lv[89.111.3.82]
Apr 9 02:44:49 mail dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=80.81.39.15, lip=80.81.39.2
Apr 9 02:44:49 mail dovecot: POP3(adam): Disconnected: Logged out 
top=0/0, retr=0/0, del=0/0, size=0

-
# postconf -n
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin 
ddd $daemon_directory/$process_name $process_id & sleep 5

html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = aaa.aa
myhostname = .aaa.aa
mynetworks = dd.dd.dd.0/24, dd.dd.dd.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = $mydestination
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP Postfix
soft_bounce = yes
unknown_local_recipient_reject_code = 550
#


Thanks a lot,
Adam




Re: Postscreen RBLs

2013-02-11 Thread Rod K


On 2/11/2013 11:13 AM, Nikolaos Milas wrote:

Hello,

I am using Postfix 2.9.4 on CentOS 6.3 as a gateway server with the 
following postscreen settings:


postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =
b.barracudacentral.org*2,
zen.spamhaus.org*2,
psbl.surriel.com*2
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

Sometimes I receive complaints from some mail server operators that 
barracudacentral causes blocks of mail from their server, and "Very 
few email providers use Barracuda for their RBL's, so it is not an RBL 
we check very often or rely on".


I remember that, when I had set up this gateway server, I had 
researched and found that barracudacentral should be OK.


My questions now are:

* Based on your experience and advice, should I keep the above
postscreen settings? Any suggestions?
* Should I avoid postscreen_dnsbl_sites and only use amavis to make
decisions through scoring? How are you implementing such blocks?

Thanks in advance,
Nick



Barracuda and Spamhaus are the only RBLs that I use that can block by 
themselves. All others require at least one corroborating RBL. I've not 
run into any issues. I'd suggest that if their response is what you 
quoted they need to be more concerned about why they are being listed 
than telling others not to use them. Of course, that tells me they 
probably already know why they are listed and choose not to correct the 
behavior that caused the listing.




Re: BCC submission from specific user

2012-09-19 Thread Rod K

Thanks!

On 9/19/2012 12:24 PM, /dev/rob0 wrote:

On Wed, Sep 19, 2012 at 11:25:18AM -0400, Rod K wrote:

I have a client request that any outbound emails sent by a specific
user be BCCd to another email address in the organization.  Any
ideas on how best to accomplish this?

Sounds like you want sender_bcc_maps:
 http://www.postfix.org/postconf.5.html#sender_bcc_maps

Be aware that this is only keyed on the sender address, not the
user's SASL credentials. If that user is using more than one sender
address, you would have to list all those sender addresses in your
map. Also, be sure that the Bcc'ed destination is always deliverable,
because if it is not, the sender gets a bounce.




BCC submission from specific user

2012-09-19 Thread Rod K
I have a client request that any outbound emails sent by a specific user 
be BCCd to another email address in the organization.  Any ideas on how 
best to accomplish this?


Re: 2instances Postfix on FreeBSD 9

2012-06-29 Thread Rod K
Good point, Viktor.  "sendmail" didn't register in my head when I first 
read that.


Motty,

It is NOT postfix calling sendmail as it is called before either postfix 
instance start script is called.


Search your logs for other errors like that.  I bet you'll find a few.  
My theory is that something else is calling sendmail.  If you installed 
both instances from ports you installed postfix-sendmail twice.  I 
imagine that what's happening is that you installed Postfix2 second and 
gave it an alternate install directory from standard Postfix.  This 
would have overridden /etc/mail/mailer.conf with the alternate locations.


Check /etc/mail/mailer.conf to ensure it looks like this:

#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail    /usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq   /usr/local/sbin/sendmail
newaliases  /usr/local/sbin/sendmail


On 6/29/2012 11:34 AM, motty.cruz wrote:

I can't think of any shell script that invokes that setting; below the
beginning of the logs:

Jun 29 08:22:23 host1 postfix/sendmail[1135]: fatal: open
/etc/postfix-out/main.cf: No such file or directory
Jun 29 08:22:24 host1 postfix/postfix-script[1273]: starting the Postfix
mail system
Jun 29 08:22:24 host1 outgoing/postfix-script[1265]: starting the Postfix
mail system
Jun 29 08:22:24 host1 postfix/master[1276]: daemon started -- version
2.10-20120520, configuration /usr/local/etc/postfix
Jun 29 08:22:24 host1 outgoing/master[1277]: daemon started -- version
2.10-20120520, configuration /usr/local/etc/postfix-out
  
As you can see the scripts is the only problem, I'm afraid to put in
production and other issue may come up later.

Thanks for your help!
Motty
  


-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
Sent: Friday, June 29, 2012 8:20 AM
To: postfix-users@postfix.org
Subject: Re: 2instances Postfix on FreeBSD 9

On Fri, Jun 29, 2012 at 11:16:11AM -0400, Rod K wrote:


It would probably be in the startup script in /usr/local/etc/rc.d

It seems unlikely that the Postfix start-up script would explicitly try to
send email via a secondary Postfix instance. Perhaps some other init script
or shell script it invokes has "export MAIL_CONFIG=/etc/postfix-out".

The sendmail(1) command is used to submit messages into the local maildrop
queue, generally the Postfix start script does not do that.






Re: 2instances Postfix on FreeBSD 9

2012-06-29 Thread Rod K

It would probably be in the startup script in /usr/local/etc/rc.d

If all else fails you could always create a symlink.

On 6/29/2012 11:12 AM, motty.cruz wrote:

Hello,
I have two instances of Postfix on the same machine running, all working
fine, except when I reboot the machine I get the following error:

postfix/sendmail[1137]: fatal: open /etc/postfix-out/main.cf: No such file
or directory

Both configuration folders are located in /usr/local/etc/ not in /etc/

I'm not sure where to look to point to the correct configuration folder.

Thanks for your help in advance.

Motty








Re: [OT] frequent TRY_AGAINs and 10s timeouts, but *only* with b.barracudacentral.org

2012-06-02 Thread Rod K

Yes, I've seen that this week as well.

On 6/2/2012 12:44 PM, Sahil Tandon wrote:

I am seeing hundreds (on higher volume days, over a thousand) of lines
like:

  Jun  2 10:04:30 mx1 postfix/dnsblog[58868]: warning: dnsblog_query:
  lookup error for DNS query 23.124.167.115.b.barracudacentral.org: Host
  or domain name not found. Name service error for
  name=23.124.167.115.b.barracudacentral.org type=A: Host not found, try
  again

  Jun  2 10:04:33 mx1 postfix/smtpd[89019]: warning:
  17.204.24.8.b.barracudacentral.org: RBL lookup error: Host or domain
  name not found. Name service error for
  name=17.204.24.8.b.barracudacentral.org type=A: Host not found, try
  again

  Jun  2 10:04:37 mx1 postfix/postscreen[55753]: warning: dnsblog reply
  timeout 10s for b.barracudacentral.org

These lines are interspersed among others that indicate more "normal"
activity with b.barracudacentral.org, e.g.:

  Jun  2 10:04:10 mx1 postfix/dnsblog[55985]: addr 199.30.50.35 listed by 
domain b.barracudacentral.org as 127.0.0.2
  Jun  2 10:04:47 mx1 postfix/dnsblog[66369]: addr 157.56.112.23 listed by 
domain b.barracudacentral.org as 127.0.0.2

I know this is not an issue with Postfix (which dutifully reports the
TRY_AGAIN it receives from the system library), but I wonder if anyone
else is seeing this from barracuda?  Based on a week's worth of logs, I
do not see even a single instance of this problem with any other RBL
(and we query several).

I've separately engaged our DNS admins in case they could offer some
insight, but it would be interesting to learn if others are experiencing
the same issue /only/ with barracuda.



Re: Doubling DNSBL ranks in Postscreen

2012-05-30 Thread Rod K



On 5/30/2012 12:54 PM, /dev/rob0 wrote:

On Wed, May 30, 2012 at 11:45:18AM -0500, I wrote:

Yes, and it was brought up before and fixed.

http://www.mail-archive.com/postfix-users@postfix.org/msg33631.html
was the discussion, 2011-March.


2.8.7

Missed the previous mentions.


Doubling DNSBL ranks in Postscreen

2012-05-30 Thread Rod K

The following appeared in my logs:

May 28 01:08:24 smtp postfix/postscreen[12800]: CONNECT from 
[59.7.57.23]:46426
May 28 01:08:24 smtp postfix/dnsblog[13615]: addr 59.7.57.23 listed by 
domain bl.spamcop.net as 127.0.0.2
May 28 01:08:24 smtp postfix/dnsblog[13616]: addr 59.7.57.23 listed by 
domain bl.spameatingmonkey.net as 127.0.0.2
May 28 01:08:24 smtp postfix/postscreen[12800]: CONNECT from 
[59.7.57.23]:46428
May 28 01:08:24 smtp postfix/dnsblog[13615]: addr 59.7.57.23 listed by 
domain b.barracudacentral.org as 127.0.0.2
May 28 01:08:24 smtp postfix/dnsblog[13585]: addr 59.7.57.23 listed by 
domain psbl.surriel.com as 127.0.0.2
May 28 01:08:24 smtp postfix/postscreen[12800]: DNSBL rank 8 for 
[59.7.57.23]:46426
May 28 01:08:24 smtp postfix/postscreen[12800]: DNSBL rank 8 for 
[59.7.57.23]:46428


2 connections from the same IP.  Both spamcop and spameatingmonkey have 
weights of 2.  As you can see, because the IP is tested twice, the total 
of all tests are added to both connections.


Not a big deal in most cases, but thought I'd bring it up.


Re: Problem with Postscreen

2012-05-19 Thread Rod K

Heh, that d is elusive.  Thanks.


On 5/19/2012 9:09 PM, Wietse Venema wrote:

Rod K:

On 5/19/2012 6:20 PM, Rod K wrote:

I am receiving the following message when testing (not enabled)
postscreen:

  smtp postfix/postscreen[1516]: warning: cannot connect to service

 v

private/smtpd: No such file or directory

 ^

The following are my main.cf entries:

 

smtp      pass  -       -       -       -       -       smtpd

 

 -o receive_override_options=no_address_mappings
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog

Any ideas?



Edit:  I of course meant master.cf

Please follow instructions in http://www.postfix.org/POSTSCREEN_README.html
especially the section concerning master.cf edits.

The details really matter.

Wietse




Re: Problem with Postscreen

2012-05-19 Thread Rod K



On 5/19/2012 6:20 PM, Rod K wrote:
I am receiving the following message when testing (not enabled) 
postscreen:


 smtp postfix/postscreen[1516]: warning: cannot connect to service 
private/smtpd: No such file or directory


The following are my main.cf entries:

smtp      pass  -       -       -       -       -       smtpd
  -o receive_override_options=no_address_mappings
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog

Any ideas?



Edit:  I of course meant master.cf

Postfix version 2.8.7


Problem with Postscreen

2012-05-19 Thread Rod K

I am receiving the following message when testing (not enabled) postscreen:

 smtp postfix/postscreen[1516]: warning: cannot connect to service 
private/smtpd: No such file or directory


The following are my main.cf entries:

smtp      pass  -       -       -       -       -       smtpd
  -o receive_override_options=no_address_mappings
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog

Any ideas?


Postscreen DNSBL weights

2012-05-04 Thread Rod K

Hi all,

Was wondering if anyone would be willing to share what DNSBL and weights 
they are using with Postscreen.


Thanks,

Rod


Re: Suppressing received-from line when mail is from authenticated MUA

2012-02-13 Thread Rod K

Here's what I did:

Create file 'stripauth' with the following line:

/^(Received:.*)$/ REPLACE X-Recieved: From Authenticated User

In master.cf:

submission inet n   -   n   -   -   smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=
  -o cleanup_service_name=cleanup-out
cleanup-out unix n   -   -   -   0   cleanup
  -o header_checks=pcre:/usr/local/etc/postfix/stripauth

I wish I could give credit for where I got that but it's been too long.


Why I needed to do this?  Well, Barracuda appliances offer the ability 
to check ALL IPs in Received From: headers (not just the delivering 
MTA).  Obviously NOT what they should do and not the default 
configuration but too many people administer services that have no clue 
what they are doing.  At any rate, these misconfigured appliances were 
rejecting email based on the originating user's IP (dynamic DSL).  The 
only solution I could come up with was to strip that header for 
authenticated users.



On 2/12/2012 3:21 PM, Alex Bligh wrote:

A server I run (let's say mail.example.com) inserts a mail header
similar to the one below, when it receives mail either via normal
SMTP from another MTA, or when it receives mail from an authenticated
MUA.

Received: from [10.10.10.10] (1.1.200.192.example.com [192.200.1.1])
by mail.example.com (Postfix) with ESMTPSA id A;
Sun, 12 Feb 2012 19:54:19 + (GMT)

In this example, 10.10.10.10 is behind a NAT, the external IP
address being 192.200.1.1.

In the case of authenticated MUA submissions (only) I do not want to
leak the actual IP address - in fact I'd prefer not to put any "from"
information in at all. I think I need a Received: line still.

I don't want to remove this for mail from other MTAs which do not
authenticate.

Any ideas how I do this?