[pfx] Re: body_checks not catching all backscatter

2023-05-03 Thread Sebastian Wiesinger via Postfix-users
* Peter via Postfix-users  [2023-05-03 07:45]:
> On 28/04/23 03:59, Sebastian Wiesinger via Postfix-users wrote:
> > Hi everyone,
> > 
> > I'm not sure if I'm missing something but I can't find out why my
> > body_checks doesn't catch all the backscatter I'm getting right now.
> 
> Oh yuck.
> 
> I've found that the best way to block backscatter is by using the
> backscatter DNSRBL.  Make sure you follow the instructions for setting it up
> properly:
> 
> https://www.backscatterer.org/?target=usage
> 
> If used correctly it will only block DSNs from known backscatter sources.

Thanks Peter but I will never ever, as long as I live, use anything
connected to UCEProtect.

Also: I might be interested in legitimate mail from backscatter MTAs.

Best Regards

Sebastian

-- 
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: body_checks not catching all backscatter

2023-04-27 Thread Sebastian Wiesinger via Postfix-users
* Sebastian Wiesinger  [2023-04-27 17:59]:
> root@alita:/etc/postfix# postmap -q - regexp:/etc/postfix/body_checks.pcre 
>  Message-ID: 
> reject SPAM backscatter with forged domain name in Message-ID header

And of course I ran into my own filter when I got the mail back from
the mailinglist. :( I've deactivated the filter for now, but for this
test case it worked.


-- 
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


[pfx] body_checks not catching all backscatter

2023-04-27 Thread Sebastian Wiesinger via Postfix-users
Hi everyone,

I'm not sure if I'm missing something but I can't find out why my
body_checks doesn't catch all the backscatter I'm getting right now.

I have it configured like this:

root@alita:/etc/postfix# postconf -n body_checks
body_checks = pcre:$config_directory/body_checks.pcre


root@alita:/etc/postfix# cat body_checks.pcre
/^[> ]*Message-ID:.*@(fire-world\.de)/ reject SPAM backscatter with forged domain name in Message-ID header


One example it doesn't catch seems to match the regex when I test it
manually:

root@alita:/etc/postfix# postmap -q - regexp:/etc/postfix/body_checks.pcre 
reject SPAM backscatter with forged domain name in Message-ID header

I've got the original message (from my mailbox) here for you:

https://www.karotte.org/big/backscatter.txt

As I said, Postfix rejects some of the backscatter but not all. Any
idea why it didn't reject this?

Best Regards

Sebastian

-- 
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
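
An added example, not part of the thread and not Postfix code: a small Python model of how cleanup(8) routes each line of a message to one of the four check tables named in header_checks(5) (header_checks for the initial headers, mime_header_checks for each part's Content-* headers, nested_header_checks for the headers of an attached message/rfc822 part, body_checks for everything else, multipart boundaries included), with the thread's regexp run against every class. The bounce it parses is constructed, the classifier handles one level of multipart nesting and ignores folded header lines, and the size_limit parameter models body_checks_size_limit (default 51200 bytes per body segment).

```python
import re

# Postfix check classes, named after the main.cf parameter whose table sees the
# line (header_checks(5)). This is an added model of that split, not Postfix code.
PRIMARY = "header_checks"          # initial message headers
MIME = "mime_header_checks"        # Content-* headers of each MIME part
NESTED = "nested_header_checks"    # headers of an attached message (message/rfc822)
BODY = "body_checks"               # everything else, including part boundaries

# The rule from the thread's body_checks.pcre; regexp/pcre tables match
# case-insensitively by default, hence IGNORECASE.
RULE = re.compile(r"^[> ]*Message-ID:.*@(fire-world\.de)", re.IGNORECASE)

_CTYPE = re.compile(r"^content-type:\s*([^;\s]+)", re.IGNORECASE)
_BOUNDARY = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)


def classify_lines(raw, size_limit=51200):
    """Yield (check_class, line) for each line the way cleanup(8) routes it.

    size_limit models body_checks_size_limit: only that many bytes of each
    body segment are inspected, counted from the segment's first line.
    """
    boundary = None
    state = PRIMARY
    part_ctype = ""
    seen = 0                       # bytes of the current body segment inspected so far
    for line in raw.split("\n"):
        if state == PRIMARY:
            if line == "":
                state = BODY
                continue
            m = _BOUNDARY.search(line)
            if m and line.lower().startswith("content-type:"):
                boundary = m.group(1)
            yield PRIMARY, line
            continue
        if boundary and line.startswith("--" + boundary):
            yield BODY, line       # multipart boundaries are body_checks material
            seen = 0
            part_ctype = ""
            state = BODY if line == "--" + boundary + "--" else MIME
            continue
        if state == MIME:
            if line == "":
                state = NESTED if part_ctype in ("message/rfc822", "text/rfc822-headers") else BODY
                continue
            m = _CTYPE.match(line)
            if m:
                part_ctype = m.group(1).lower()
            yield MIME, line
            continue
        if state == NESTED:
            if line == "":
                state = BODY
                continue
            yield NESTED, line
            continue
        if seen >= size_limit:     # beyond body_checks_size_limit: not inspected
            continue
        seen += len(line) + 1
        yield BODY, line


def matches_by_class(raw, rule=RULE, size_limit=51200):
    """Map each check class to the lines the rule matches there, i.e. which
    main.cf table the rule must live in to fire on this message."""
    hits = {}
    for cls, line in classify_lines(raw, size_limit):
        if rule.search(line):
            hits.setdefault(cls, []).append(line)
    return hits


# Constructed DSN in the shape a bouncing MTA returns: the forged Message-ID
# appears quoted in the human-readable part and verbatim in the attached
# original message. Not a real capture.
SAMPLE_BOUNCE = "\n".join([
    "From: MAILER-DAEMON@mta.example.net",
    "To: someone@fire-world.de",
    "Subject: Undelivered Mail Returned to Sender",
    'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"',
    "",
    "--B1",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "The mail system could not deliver your message:",
    "",
    "> Message-ID: <abc123@fire-world.de>",
    "",
    "--B1",
    "Content-Type: message/rfc822",
    "",
    "From: victim@fire-world.de",
    "Message-ID: <abc123@fire-world.de>",
    "Subject: spam",
    "",
    "body of the original spam",
    "--B1--",
])

if __name__ == "__main__":
    for cls, lines in matches_by_class(SAMPLE_BOUNCE).items():
        print(cls, "->", lines)
```

Run on the constructed DSN, the rule fires on the quoted `> Message-ID:` line as a body line, but the verbatim Message-ID of the attached original is a nested header that body_checks never sees; nested_header_checks defaults to $header_checks, so a rule meant for attached headers belongs there. Body text past body_checks_size_limit within a segment is skipped as well, which matters for large bounces.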


Re: About messages bounced due name resolution issues using IPv6

2020-12-04 Thread Sebastian Wiesinger
* Matus UHLAR - fantomas  [2020-12-04 15:08]:
> > El vie, 4 dic 2020 a las 2:15, Viktor Dukhovni
> > () escribió:
> > > Is there a compelling reason to run a stripped-down (and typically not
> > > adequately standards-conformant) DNS resolvers on a mail server?
> 
> On 04.12.20 08:41, Sergio Belkin wrote:
> > I use mainly for caching purposes
> 
> that's not the point. the point is, especially with allow/blocklists and spam
> filters, using own DNS resolvers is important, since shared DNS servers are
> often blocked by public DNS lists and the effectivity of filtering lowers.

The point was that his choice of software is probably not the best
choice for caching on the box.

Regards

Sebastian

-- 
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Postfix, Hotmail never arrive

2017-03-08 Thread Sebastian Wiesinger
* Sebastian Wiesinger <postfix-us...@ml.karotte.org> [2017-03-08 15:53]:
> * Robert Schetterer <r...@sys4.de> [2017-03-05 21:00]:
> > Microsofts info mail ( arrived fast today )
> > said that my hetzner Ip will whitelisted , but only for small
> > amount of mail until it has a "good" score and it is not a general
> > antispam whitelisting.
> > 
> > They recommend to get part of
> > Junk E-Mail Reporting Program (JMRP)
> 
> Then you had more luck than I had. I am registered with all their
> programs and their only answer was:

Oh I almost forgot, I also asked *why* I was blocked and what I
could do, and their really helpful answer was:


As previously stated, your IP(s) do not qualify for mitigation at this
time.  I do apologize, but I am unable to provide any details about
this situation since we do not have the liberty to discuss the nature
of the block.


So I'm blocked, the block can't be mitigated and they will not tell me
why I was blocked.


Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Postfix, Hotmail never arrive

2017-03-08 Thread Sebastian Wiesinger
* Robert Schetterer  [2017-03-05 21:00]:
> Microsofts info mail ( arrived fast today )
> said that my hetzner Ip will whitelisted , but only for small
> amount of mail until it has a "good" score and it is not a general
> antispam whitelisting.
> 
> They recommend to get part of
> Junk E-Mail Reporting Program (JMRP)

Then you had more luck than I had. I am registered with all their
programs and their only answer was:


1)

Not qualified for mitigation
176.9.75.247
Our investigation has determined that the above IP(s) do not qualify
for mitigation. These IP(s) have previously received mitigations from
deliverability support, and have failed to maintain patterns within
our
guidelines, so they are ineligible for additional mitigation at this
time.

2)

My name is $SUPPORTDRONE and I work with the Outlook.com Deliverability
Support Team.


Your IP (176.9.75.247) was blocked by Outlook.com because Hotmail
customers have reported email from this IP as unwanted.  One possible
explanation for this is the automatic forwarding of unfiltered inbound
messages, including unwanted messages, to Outlook.com/MSN addresses.


Please confirm that your emails comply with Hotmail's technical
standards. This information can be found at
http://postmaster.live.com/Guidelines.aspx
 .


My remark that my server sent a whole *3* mails in the last month
before the blacklist to hotmail addresses, none of which was spam, was
not answered. They've gone completely silent.

Ended up buying a cheap VM somewhere else which now relays to
Hotmail. (btw. don't go to Amazon Lightsail for that, they are
incapable of setting PTR records.)

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Postfix ML Configuration for Sender Header

2015-10-08 Thread Sebastian Wiesinger
* Sebastian Wiesinger <sebast...@karotte.org> [2015-09-25 12:55]:
> * Wietse Venema <wie...@porcupine.org> [2015-09-18 15:51]:
> > Majordomo uses the following: Reply-To: (most preferred), From:,
> > and Apparently-From: (least preferred). It does not use Sender:.
> > The list manager runs on someone elses system. I would not want
> > to run it on my own.
> 
> Thanks, I'm using the Apparently-From: header right now. I never
> noticed that header before. :)

...and that did not work. Okay so I'm back to From/Reply-To. Thank you
for your help debugging this.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Postfix ML Configuration for Sender Header

2015-09-18 Thread Sebastian Wiesinger
* Wietse Venema <wie...@porcupine.org> [2015-09-10 15:00]:
> Sebastian Wiesinger:
> > Hello,
> > 
> > a while ago I changed my mail configuration for mailinglists. I have
> > individual mail addresses for every mailing list and the configuration
> > now looks like this:
> > 
> > From: Sebastian Wiesinger <sebast...@karotte.org>
> > Sender: postfix-us...@ml.karotte.org
> > 
> > This has the advantage that off-list answers go to my main
> > mailaddress.
> > 
> > This seems to work with all of my mailinglists (most of them use
> > Mailman I think) but not with postfix-users. Here my list address
> > needs to be in the From: field.
> > 
> > Is this something that can be changed in Majordomo (and you would be
> > willing to change)?
> 
> Sorry, that sounds bogus. No-one replies to the sender: address.

No, it's the other way around. I want off-list replies to my From:
address (which is my main mailaddress). But I'm subscribed to the ML
with the address in the Sender: header (which is unique for each ML).

Other MLs use the Sender: header in addition to the From: to check if
the sender is authorized to post to the list. The Postfix ML doesn't
do that apparently.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Postfix ML Configuration for Sender Header

2015-09-10 Thread Sebastian Wiesinger
Hello,

a while ago I changed my mail configuration for mailinglists. I have
individual mail addresses for every mailing list and the configuration
now looks like this:

From: Sebastian Wiesinger <sebast...@karotte.org>
Sender: postfix-us...@ml.karotte.org

This has the advantage that off-list answers go to my main
mailaddress.

This seems to work with all of my mailinglists (most of them use
Mailman I think) but not with postfix-users. Here my list address
needs to be in the From: field.

Is this something that can be changed in Majordomo (and you would be
willing to change)?

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: AntiSpam & AntiVirus Integration with Postfix: lots of tools, but which one's AREN'T 'dead'?

2015-09-10 Thread Sebastian Wiesinger
* joh...@fastmail.com  [2015-09-09 03:03]:
> Ken
> 
> On Tue, Sep 8, 2015, at 05:49 PM, Ken Peng wrote:
> > How about Spamassassin? we have been using it for a long time.
> 
> And how are you integrating it into Postfix.  That was my question
> not whether to use Spamassassin.  I kindof decided on that already
> in the original post.

I do it like this (albeit with Dovecot as MDA):

master.cf:

dovecot-sa   unix  -       n       n       -       -       pipe
  flags=ODRhu user=vmail:mail argv=/usr/bin/spamc -u ${user}@${nexthop}
  -e /usr/lib/dovecot/deliver -f ${sender} -a ${recipient} -d ${user}@${nexthop}



main.cf:

virtual_transport = dovecot-sa
dovecot-sa_destination_recipient_limit = 1

Spamassassin is getting the user config from MySQL and users can
change settings with Roundcube.

Works very reliably for some years now.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Define exception(s) from catchall domain

2014-10-24 Thread Sebastian Wiesinger
* Noel Jones njo...@megan.vbhcs.org [2014-10-24 00:36]:
  I tried to implement this by using a check_recipient_access pcre_table
  like this:
  
  /etc/postfix# cat recipient_access.pcre
  /^postfix-reject-address@.+$/   REJECT
  
 
 This must match the recipient address as sent by the client and
 logged by postfix smtpd process, NOT the rewritten address.

Yes,

I figured this out and found a way to do what I wanted. I now have the
following:

smtpd_recipient_restrictions =
check_recipient_access 
proxy:mysql:$config_directory/sql/mysql_check_recipient_access.cf,
...

(Also I had to extend proxy_read_maps for this).

The .cf contains the following query:

query = SELECT 'REJECT' FROM alias WHERE address='%s' AND 
goto='reject@postfix.access' AND active = '1'

So all the users have to do is add an alias from their address to
reject@postfix.access to reject a specific alias.

  smtpd_recipient_restrictions =
  check_recipient_access pcre:$config_directory/recipient_access.pcre,
  ...
 
 It's generally unwise to put any access tables before
 permit_mynetworks. Extra caution is needed to make sure you don't
 accidentally create an open relay.

In this specific case I think it is okay because I want no one to be
able to mail to these addresses. It should be as if the alias does not
exist.

As for the open relay, I moved all that stuff to
smtpd_relay_restrictions.

  And telling them to add an alias to
  postfix-reject-address@$THEIR_DOMAIN
 
 This should not be necessary.

It's the way postfixadmin works. Without coding up an extension that
lets users block specific aliases this is the fastest way to do it.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
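
An added example, not the poster's code: the check_recipient_access SQL lookup from the reply above run against constructed rows, with sqlite3 standing in for MySQL and the column names (address, goto, domain, active) assumed from postfixadmin's alias table. It also models the sequence of keys Postfix tries for an access(5) lookup on the recipient exactly as the client sent it, before any virtual alias expansion, which is why a user+extension@domain variant is still rejected, why an inactive alias is not, and why the %s placeholder is bound as a parameter rather than formatted into the query.

```python
import sqlite3

# Columns assumed from postfixadmin's alias table; sqlite3 stands in for MySQL.
SCHEMA = """
CREATE TABLE alias (
    address TEXT PRIMARY KEY,
    goto    TEXT NOT NULL,
    domain  TEXT NOT NULL,
    active  INTEGER NOT NULL DEFAULT 1
)"""

# Constructed rows: a catch-all, a normal alias, a user-created "reject this
# address" alias, and a disabled one.
ROWS = [
    ("@example.org",         "owner@example.org",     "example.org", 1),
    ("info@example.org",     "owner@example.org",     "example.org", 1),
    ("spamtrap@example.org", "reject@postfix.access", "example.org", 1),
    ("old@example.org",      "reject@postfix.access", "example.org", 0),
]

# The query from mysql_check_recipient_access.cf. Postfix substitutes the
# SQL-quoted lookup key for %s (mysql_table(5)); here the placeholder becomes a
# bound parameter, never string formatting, so the key cannot inject SQL.
QUERY = ("SELECT 'REJECT' FROM alias WHERE address='%s' "
         "AND goto='reject@postfix.access' AND active = '1'")


def setup_db():
    """In-memory stand-in for the postfixadmin database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO alias VALUES (?, ?, ?, ?)", ROWS)
    return conn


def lookup_keys(recipient, delimiter="+"):
    """Keys a check_recipient_access lookup tries, in order, for the address
    the client sent: user+ext@domain, user@domain, domain, user+ext@, user@
    (access(5), EMAIL ADDRESS PATTERNS / EMAIL ADDRESS EXTENSION). Parent
    domains are skipped, matching the poster's empty
    parent_domain_matches_subdomains."""
    local, _, domain = recipient.rpartition("@")
    base = local.split(delimiter, 1)[0] if delimiter in local else None
    keys = [recipient]
    if base is not None:
        keys.append(f"{base}@{domain}")
    keys.append(domain)
    keys.append(f"{local}@")
    if base is not None:
        keys.append(f"{base}@")
    return keys


def check_recipient_access(conn, recipient):
    """Return the action the lookup yields: 'REJECT' for a user-blocked
    address, 'DUNNO' (no row, restriction evaluation continues) otherwise.
    Lower-casing is an assumption standing in for MySQL's case-insensitive
    default collation; SQLite compares case-sensitively."""
    sql = QUERY.replace("'%s'", "?")
    for key in lookup_keys(recipient.lower()):
        row = conn.execute(sql, (key,)).fetchone()
        if row:
            return row[0]
    return "DUNNO"


if __name__ == "__main__":
    db = setup_db()
    for rcpt in ("spamtrap@example.org", "spamtrap+news@example.org",
                 "info@example.org", "random@example.org", "old@example.org"):
        print(rcpt, "->", check_recipient_access(db, rcpt))
```

Because the lookup runs on the original recipient, the catch-all row ("@example.org") never becomes a key and the rejected alias is never expanded, so no bounce is generated for it.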


Define exception(s) from catchall domain

2014-10-23 Thread Sebastian Wiesinger
Hello,

I have a few users that insist on using catch-all domains. Not
surprisingly, they get spam to some address. Now they're asking if they
can reject mail for *some* of the addresses of the catch-all domain.

They can create aliases themselves via postfixadmin and they want to
do this the same way.

I tried to implement this by using a check_recipient_access pcre_table
like this:

/etc/postfix# cat recipient_access.pcre
/^postfix-reject-address@.+$/   REJECT

smtpd_recipient_restrictions =
check_recipient_access pcre:$config_directory/recipient_access.pcre,
...

And telling them to add an alias to
postfix-reject-address@$THEIR_DOMAIN

But this doesn't work as postfix will produce bounces (backscatter)
like this:

reject-postfix-addr...@karotte.org (expanded from reject-t...@karotte.org):
user unknown

In the log I see that postfix tries to deliver the message with the
default virtual transport (dovecot) which then returns the user
unknown.

Is there a way to accomplish this?

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Define exception(s) from catchall domain

2014-10-23 Thread Sebastian Wiesinger
* Sebastian Wiesinger postfix-us...@ml.karotte.org [2014-10-23 21:54]:
 Hello,
 
 I have a few users that insist on using catch-all domains. Not
 surprisingly, they get spam to some address. Now they're asking if they
 can reject mail for *some* of the addresses of the catch-all domain.
 
 They can create aliases themselves via postfixadmin and they want to
 do this the same way.
 
 I tried to implement this by using a check_recipient_access pcre_table
 like this:
 
 /etc/postfix# cat recipient_access.pcre
 /^postfix-reject-address@.+$/   REJECT
 
 smtpd_recipient_restrictions =
 check_recipient_access pcre:$config_directory/recipient_access.pcre,
 ...
 
 And telling them to add an alias to
 postfix-reject-address@$THEIR_DOMAIN
 
 But this doesn't work as postfix will produce bounces (backscatter)
 like this:
 
 reject-postfix-addr...@karotte.org (expanded from 
 reject-t...@karotte.org):
 user unknown

Forgot the logs/configuration:

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:$config_directory/body_checks.pcre
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
dovecot-sa_destination_recipient_limit = 1
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
greylist = check_policy_service inet:127.0.0.1:10023
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = 127.0.0.1, [::1], 176.9.75.247, 176.9.51.79,
[2a01:4f8:150:7142::25], [2a01:4f8:150:7142::587]
inet_protocols = ipv4, ipv6
mailbox_command = /usr/bin/procmail -a $EXTENSION
mailbox_size_limit = 0
message_size_limit = 10240
mydestination = mx.karotte.org, alita.karotte.org, localhost.karotte.org,
localhost
myhostname = mx.karotte.org
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_clientcerts = hash:$config_directory/relay_clientcerts
relay_domains = proxy:mysql:$config_directory/sql/mysql_relay_domains_maps.cf
relayhost =
smtp_address_preference = ipv6
smtp_bind_address = 176.9.75.247
smtp_bind_address6 = 2a01:4f8:150:7142::25
smtp_dns_support_level = dnssec
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_policy_maps = hash:$config_directory/tls_policy
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 15
smtpd_client_event_limit_exceptions = $mynetworks, $inet_interfaces
smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts, check_client_access
cidr:$config_directory/unknown_reverse_hostname.cidr, check_client_access
hash:$config_directory/client_rbl_whitelist, permit_dnswl_client
list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client
zen.spamhaus.org=127.0.0.[2..11], reject_rbl_client ix.dnsbl.manitu.net,
reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts,
reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_milters = inet:127.0.0.1:10100, inet:127.0.0.1:10101
smtpd_recipient_restrictions = check_recipient_access
pcre:$config_directory/recipient_access.pcre, permit_mynetworks,
permit_inet_interfaces, reject_non_fqdn_recipient,
permit_sasl_authenticated, permit_tls_clientcerts, check_recipient_access
hash:$config_directory/defer_unkown_users, reject_unlisted_recipient,
check_policy_service unix:private/policyd-spf, permit_dnswl_client
list.dnswl.org=127.0.[0..255].[0..3], check_recipient_access
pcre:$config_directory/greylist.pcre
smtpd_relay_restrictions = permit_mynetworks, permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_restriction_classes = greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_inet_interfaces,
reject_non_fqdn_sender, permit_sasl_authenticated, permit_tls_clientcerts,
reject_unlisted_sender, reject_unknown_sender_domain, reject_rhsbl_sender
dbl.spamhaus.org=127.0.1.[2;4..6]
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/cacert-karotte-combined.crt
smtpd_tls_dh1024_param_file

How to do whitelisting with milter_header_checks?

2014-10-17 Thread Sebastian Wiesinger
Hello,

the documentation states:

The milter_header_checks mechanism could also be used for
whitelisting. For example it could be used to skip heavy content
inspection for DKIM-signed mail from known friendly domains.


I want to do that for mail that passes DMARC checks (with 2.11.2 DMARC
became easy to implement thanks to the milter change).

But looking at header_checks(5) I can't see a good ACTION for doing
it. PERMIT is not listed, OK is treated as DUNNO...

Can someone point me in the right direction?

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


PERMIT smtpd_client_restrictions

2014-10-01 Thread Sebastian Wiesinger
Hello,

as I see/understand it, a check_client_access lookup that returns
PERMIT will skip over the rest of smtpd_client_restrictions but WILL
still run the checks in the other smtpd_*_restrictions classes, right?

I can't find that information in the SMTPD_ACCESS_README or other
documents. (I can't find PERMIT in the access.5 manpage either).


Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: PERMIT smtpd_client_restrictions

2014-10-01 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2014-10-01 19:03]:
 Sebastian Wiesinger:
  Hello,
  
  as I see/understand it, a check_client_access lookup that returns
  PERMIT will skip over the rest of smtpd_client_restrictions but WILL
  still run the checks in the other smtpd_*_restrictions classes, right?
  
  I can't find that information in the SMTPD_ACCESS_README or other
 
 Begin quote from SMTPD_ACCESS_README:
 
 Each restriction list is evaluated from left to right until
 some restriction produces a result of PERMIT, REJECT or DEFER
 (try again later). The end of the list is equivalent to a PERMIT
 result.
 
 End quote.

Okay, I can't explain how I overlooked that. Thank you very much
for clearing it up for me.

  (I can't find PERMIT in the access.5 manpage either).
 
 Begin quote from access.5 manpage:
 
 OTHER ACTIONS
restriction...
 Apply the named UCE restriction(s) (permit, reject,
 reject_unauth_destination, and so on).
 
 End quote.

And that is owing to me using case sensitivity when searching. :(

Thank you and sorry for wasting your time.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Postfix SMTPUTF8 support (unicode email addresses)

2014-08-06 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2014-07-15 19:33]:
 Proudly presenting Postfix SMTPUTF8 support! Below is text from
 the RELEASE_NOTES file for postfix-2.12-20140715, to be uploaded
 later today.

Aaand Google has announced that it will support this for GMail:

http://googleblog.blogspot.com/2014/08/a-first-step-toward-more-global-email.html

So I expect there might be an increase in interest for this. Again
Postfix is at the bleeding edge, nicely done. :)

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Test TLS DANE Records

2014-05-08 Thread Sebastian Wiesinger
* Viktor Dukhovni postfix-us...@dukhovni.org [2014-05-08 02:09]:
 On Thu, May 08, 2014 at 01:14:09AM +0200, Sebastian Wiesinger wrote:
 
  I published TLS DANE Records for my mailserver and now I am wondering
  if there is a way to verify that these records are okay/matching the
  cert. Is there a tool/site where I can test this? I suppose it would
  be possible with the right openssl s_client commands but I can't
  figure them out. The records are published for mx.karotte.org if
  someone wants to try.
 
 Postfix 2.11 and 2.12 source tarballs include posttls-finger
 which will test DANE authentication.
 
 http://www.postfix.org/posttls-finger.1.html
 
 Your domain's keys are not registered at the .org level.  You need
 to work with your registrar to publish the appropriate DS records.

Yes I know, sadly my domain registrar doesn't support it right now. But
I've put the keys into the ISC DLV registry and my resolver is using
that. Looks good to me:

posttls-finger: using DANE RR: _25._tcp.mx.karotte.org IN TLSA 3 0 1
8C:63:28:DA:DB:18:FD:46:9C:0F:9D:69:F9:A9:D5:A9:E5:6C:AB:29:F1:6C:76:45:05:EC:03:D6:17:0F:A6:BD
posttls-finger: Connected to mx.karotte.org[2a01:4f8:150:7142::25]:25
posttls-finger: < 220 mx.karotte.org ESMTP Postfix (Debian/GNU)
posttls-finger: > EHLO mx.karotte.org
posttls-finger: < 250-mx.karotte.org
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 10240
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 8BITMIME
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mx.karotte.org[2a01:4f8:150:7142::25]:25: depth=0
matched end entity certificate sha256 digest
8C:63:28:DA:DB:18:FD:46:9C:0F:9D:69:F9:A9:D5:A9:E5:6C:AB:29:F1:6C:76:45:05:EC:03:D6:17:0F:A6:BD
posttls-finger: mx.karotte.org[2a01:4f8:150:7142::25]:25: Matched
subjectAltName: *.karotte.org
posttls-finger: mx.karotte.org[2a01:4f8:150:7142::25]:25: Matched
subjectAltName: karotte.org
posttls-finger: mx.karotte.org[2a01:4f8:150:7142::25]:25 CommonName
*.karotte.org
posttls-finger: mx.karotte.org[2a01:4f8:150:7142::25]:25:
subject_CN=*.karotte.org, issuer_CN=CAcert Class 3 Root,
fingerprint=7B:58:79:56:C2:92:59:35:11:94:79:04:CD:88:93:7B:C4:B6:10:BB,
pkey_fingerprint=F1:3F:0E:E9:89:1A:4B:72:90:3D:1A:6B:BB:99:A8:2A:B2:5D:FA:96
posttls-finger: Verified TLS connection established to
mx.karotte.org[2a01:4f8:150:7142::25]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
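
An added example, not from the thread and not posttls-finger: the openssl commands the question above was after, recomputing the TLSA certificate association data from a certificate file and comparing it with a published record. The functions need only openssl; the live-fetch commands in the comment and the throw-away self-signed certificate are the assumptions, and only the leaf-certificate usages (3, DANE-EE, and 1, PKIX-EE) are handled since usage 2/0 records name a CA and would need the chain.

```sh
#!/bin/sh
# Added example: verify a TLSA record against a certificate with openssl only.
# For a live check first fetch the MX's leaf certificate and its record, e.g.:
#   openssl s_client -starttls smtp -connect mx.karotte.org:25 </dev/null 2>/dev/null \
#       | openssl x509 > mx.pem
#   dig +short TLSA _25._tcp.mx.karotte.org

# Selector 0, matching type 1: SHA-256 over the whole DER certificate.
tlsa_3_0_1() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Selector 1, matching type 1: SHA-256 over the DER SubjectPublicKeyInfo only,
# which survives certificate renewals that keep the same key.
tlsa_3_1_1() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# posttls-finger prints the digest as colon-separated upper-case hex, dig as
# bare hex: normalise both to bare lower-case before comparing.
normalize_hex() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# verify_tlsa CERT.pem "USAGE SELECTOR MTYPE HEX"
# returns 0 if the record matches the certificate, 1 if not, 2 if unsupported.
verify_tlsa() {
    cert=$1
    set -- $2
    usage=$1; selector=$2; mtype=$3; want=$(normalize_hex "$4")
    case "$usage" in
        1|3) ;;
        *) echo "usage $usage describes a CA, not the leaf; not handled" >&2; return 2 ;;
    esac
    [ "$mtype" = 1 ] || { echo "matching type $mtype is not SHA-256" >&2; return 2; }
    case "$selector" in
        0) have=$(tlsa_3_0_1 "$cert") ;;
        1) have=$(tlsa_3_1_1 "$cert") ;;
        *) echo "unknown selector $selector" >&2; return 2 ;;
    esac
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Throw-away self-signed certificate (assumption, for trying this offline).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=mx.example.test \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}
```

With a real MX, `verify_tlsa mx.pem "3 1 1 $(dig +short TLSA _25._tcp.mx.karotte.org | cut -d' ' -f4-)"` is the whole check; a mismatch after a certificate renewal is exactly the failure that makes DANE-enabled senders defer mail.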


Wait if downstream MTA accepts mail - reject if not

2014-05-08 Thread Sebastian Wiesinger
Hello,

I have some users that forward their mail to GMAIL. This is
implemented with virtual alias maps. So postfix forwards:

u...@example.com - example.u...@gmail.com

The problem is when SPAM mails get through all the postfix defences
and get forwarded to GMAIL. GMAIL does some body checks and rejects
the mail like this:

 relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25,
 delay=3.8, delays=2.7/0.01/0.51/0.6, dsn=5.7.0, status=bounced (host
 gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b] said: 552-5.7.0
 This message was blocked because its content presents a potential
 552-5.7.0 security issue. Please visit 552-5.7.0
 http://support.google.com/mail/bin/answer.py?answer=6590 to review
 our 552 5.7.0 message content and attachment content guidelines.
 f45si10647314eet.279 - gsmtp (in reply to end of DATA command))

Now postfix generates a bounce message which 99.9% of the time will
not be deliverable (because sender is faked) and just sit in the queue
for five days.

Question is, is there a way to prevent this from happening (if
possible without using sender verification)?

Something like relaying the error back to the client (delay accepting
the mail until the downstream MTA has accepted it as well) or not
generating a non-delivery notification... I can't figure out if that
is possible with postfix.


Regards

Sebastian


-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Wait if downstream MTA accepts mail - reject if not

2014-05-08 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2014-05-08 23:36]:
 Sebastian Wiesinger:
  Hello,
  
  I have some users that forward their mail to GMAIL. This is
  implemented with virtual alias maps. So postfix forwards:
  
  u...@example.com - example.u...@gmail.com
  
  The problem is when SPAM mails get through all the postfix defences
  and get forwarded to GMAIL. GMAIL does some body checks and rejects
  the mail like this:
 
 It is common for people to forward all mail including spam to Gmail,
 and to discover that some non-spam mail is not delivered as
 expected.

I already have RBL checks and other policies in place that prevent most
of the SPAM/Malware being accepted, but sometimes Google is more
strict / has more advanced filtering it seems.

 If you wait for Gmail to reject mail then it is already too late.
 
 The solution is do not forward SPAM. Sorry, there is no simple
 solution.

Yeah, that was kind of expected. Thanks for the reply anyway.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Test TLS DANE Records

2014-05-07 Thread Sebastian Wiesinger
Hello,

I published TLS DANE Records for my mailserver and now I am wondering
if there is a way to verify that these records are okay/matching the
cert. Is there a tool/site where I can test this? I suppose it would
be possible with the right openssl s_client commands but I can't
figure them out. The records are published for mx.karotte.org if
someone wants to try.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Current Postfix under Debian

2014-01-16 Thread Sebastian Wiesinger
Hello,

currently I'm running the distributed postfix version under Debian
Stable (currently 2.9.6-2). I would like to switch to the current 2.11
version to try out DANE and other new features.

Has anyone got the current version packaged for Debian Stable (I was
unable to find one online) or does have a HOW-TO how to replace the
Debian postfix with the current version?

Thanks & Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Current Postfix under Debian

2014-01-16 Thread Sebastian Wiesinger
* Robert Schetterer r...@sys4.de [2014-01-16 12:42]:
 Am 16.01.2014 12:13, schrieb Sebastian Wiesinger:
  Hello,
  
  currently I'm running the distributed postfix version under Debian
  Stable (currently 2.9.6-2). I would like to switch to the current 2.11
  version to try out DANE and other new features.
  
  Has anyone got the current version packaged for Debian Stable (I was
  unable to find one online) or does have a HOW-TO how to replace the
  Debian postfix with the current version?
  
  Thanks & Regards
  
  Sebastian
  
 
 you might wait a few days, some dev versions for ubuntu are at
 
 https://launchpad.net/~ondrej/+archive/postfix+dane
 
 perhaps good for testing only on debian too

Thanks, but I'm searching for something that's good for production. :)
Perhaps I'll have some time somewhere in the future to build it
myself.

Regards

Sebastian


-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Distant server to test SMTP TLS ?

2013-10-24 Thread Sebastian Wiesinger
* BONNET, Frank frank.bon...@esiee.fr [2013-10-24 17:54]:
 Hello
 
 Continuing on my secured email server grail I would like to test SMTP +
 TLS exchange of emails
 
 the volume will be very low for testing purposes only and I will be the only
 user once I have succeeded in setting up my server :-)
 
 My eternal gratitude If anyone knows such server that could be used for
 that purpose  ,

Hi,

almost every bigger email provider is using TLS. Get yourself a gmail
address for example and test with the gmail mailservers.

Regards

Sebastian



Re: TLS errors with GMX/web.de

2013-08-26 Thread Sebastian Wiesinger
* Viktor Dukhovni postfix-us...@dukhovni.org [2013-08-24 05:27]:
>
>> I just did, here is the PCAP:
>>
>> http://www.karotte.org/smtp-gmx.pcap
>
> The client sends an internal error alert.  It is not clear what
> problem it is encountering.  The server elects:
>
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>
> and the client purports to support the curve in the server certificate.
> I don't have the expertise to try to debug the server's key exchange
> message, but it is typically secp256r1 aka prime256v1, which the
> client purports to support.
>
> It may be overkill, but it should work.  I am afraid the best path
> forward is for GMX to debug this with their client software.

Yeah I'm not holding my breath for that. Is there a way to exclude the
web.de/GMX mailservers from the EC certificate? Let postfix always
use the other certificate for them?

Regards

Sebastian



Re: TLS errors with GMX/web.de

2013-08-21 Thread Sebastian Wiesinger
* Viktor Dukhovni postfix-us...@dukhovni.org [2013-08-20 16:51]:
>> I found the problem... In addition to my normal certificate, I had an
>> EC certificate.
>>
>> smtpd_tls_eccert_file=/etc/postfix/certs/cacert-karotte-ec.crt
>
> Though I think OpenSSL will generally detect attempts to configure
> a public key (certificate) without a matching private key, you
> should check that the private key and certificate match:

Hi,

yes I checked and they are matching.

> If you're willing to test briefly with the EC certificate re-enabled,
> it would be helpful to capture a full packet capture tcpdump (aka
> pcap) file with a failed delivery from gmx.de/web.de.  Viewing this
> with wireshark will show exactly where in the handshake the problem
> occurred and may shed some light on the reason.

I just did, here is the PCAP:

http://www.karotte.org/smtp-gmx.pcap

> There are no known practical attacks on 256-bit EC keys and 384-bit
> EC is slower.  AES-128 with EC-256 is sufficiently secure for SMTP
> TLS.  Though I expect that if the sender has trouble with 384-bit
> EC, they'll have trouble with EC in general.

I found no real guidance in regards to EC so I chose a higher one.

Regards

Sebastian



TLS errors with GMX/web.de

2013-08-20 Thread Sebastian Wiesinger
Hello,

GMX and web.de started an initiative for secure E-Mail made in
Germany... they turned TLS on.

But in addition to that bold move they did something else that causes
the following errors when they try to send mail to my postfix:

postfix/smtpd[28706]: connect from mout.web.de[212.227.15.14]
postfix/smtpd[28706]: SSL_accept error from mout.web.de[212.227.15.14]: 0
postfix/smtpd[28706]: warning: TLS library problem: 28706:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1256:SSL alert number 80:
postfix/smtpd[28706]: lost connection after STARTTLS from mout.web.de[212.227.15.14]
postfix/smtpd[28706]: disconnect from mout.web.de[212.227.15.14]

Postfix 2.9.6 running on Debian 7.1.

This error ONLY occurs with their servers. My question is if anyone
has an idea what could cause this error. My first guess is that they
check certificates for validity and I only have a CAcert certificate.
Also I would like to know if anyone else sees this on their postfix?

Currently I've disabled STARTTLS for their mailservers but of course I
would like to use TLS if possible. Would increasing the tls log level
reveal additional helpful information?

Regards

Sebastian



Re: TLS errors with GMX/web.de

2013-08-20 Thread Sebastian Wiesinger
* Heiko Wundram modeln...@modelnine.org [2013-08-20 12:09]:
> Still delivers fine for me (and my mail-server) running Postfix 2.10.1:
>
> Received: from mout.web.de (mout.web.de [212.227.15.3])
>   (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
>   (No client certificate requested)
>   by mail.modelnine.org (Postfix) with ESMTPS id 8854E3640A
>   for modeln...@modelnine.org; Tue, 20 Aug 2013 08:35:39 +0200 (CEST)

Hi,

what kind of certificate do you have? Official, self-signed? I have one
from CAcert and I wonder if that is the problem...

Regards

Sebastian



Re: TLS errors with GMX/web.de

2013-08-20 Thread Sebastian Wiesinger
* DTNX Postmaster postmas...@dtnx.net [2013-08-20 12:57]:
> Self-signed, 2048 bits certificate from our own root. Picks the same cipher
> and TLS version as in Heiko's example, it seems. Perhaps it's your
> certificate, perhaps your Postfix settings? No odd overrides for the defaults
> anywhere, forced cipher suites or anything?
>
> Aside from the certificate and key, these are our only non-default settings;

I found the problem... In addition to my normal certificate, I had an
EC certificate.

smtpd_tls_eccert_file=/etc/postfix/certs/cacert-karotte-ec.crt

As soon as I removed that line it started working...

No one else had a problem with that certificate. For completeness here
is the cert output:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 133035 (0x207ab)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
Validity
Not Before: Aug 13 11:39:24 2013 GMT
Not After : Aug 13 11:39:24 2015 GMT
Subject: CN=*.karotte.org
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
ASN1 OID: secp384r1
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage: 
TLS Web Client Authentication, TLS Web Server Authentication, 
Netscape Server Gated Crypto, Microsoft Server Gated Crypto
Authority Information Access: 
OCSP - URI:http://ocsp.cacert.org/

X509v3 CRL Distribution Points: 

Full Name:
  URI:http://crl.cacert.org/class3-revoke.crl

X509v3 Subject Alternative Name: 
DNS:*.karotte.org, othername:unsupported, DNS:karotte.org, 
othername:unsupported
Signature Algorithm: sha1WithRSAEncryption

Regards

Sebastian



Re: Is it time for 2.x.y - x.y?

2013-06-03 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2013-05-31 22:57]:
> After the confusion that Postfix 2.10 is not Postfix 2.1, maybe it
> is time to change the release numbering scheme.

Okay, perhaps this is a European view, but I never confused Postfix
2.1 with 2.10. Perhaps because here it would be 2,1 and 2,10 if they
were real numbers? Nevertheless I'm under the impression that most
people know that version numbers are not real numbers.

Also I don't like the whole major version inflation done by most
other products today.

I would suggest:

2.10.0
2.10.1 - Bugfixes
2.11.0 - New feature(s)
2.11.1 - Bugfixes
...
3.0.0 - MAJOR changes

Fix things in the point releases, add new features in the minor number
releases. Change to 3.x for major changes which are not backwards
compatible.

Regards

Sebastian



Re: Best way to protect backup-mx?

2012-08-08 Thread Sebastian Wiesinger
* tobi tobs...@brain-force.ch [2012-08-07 18:46]:
> Hi list,

Sorry list, hi Tobi:


I wanted to tell you that your DNSSEC for brain-force.ch is broken so
resolvers which validate DNSSEC will not be able to resolve your
domain (and so I can't send you mails directly). You might want to fix
this.

http://dnsviz.net/d/brain-force.ch/dnssec/

Regards

Sebastian



Re: no route to host

2012-08-07 Thread Sebastian Wiesinger
* Stan Hoeppner s...@hardwarefreak.com [2012-07-30 14:35]:
> On 7/29/2012 6:57 PM, Engin qwert wrote:
>
>> Actually it is not router. It is only BPL modem. After Static IP hiring the
>> ISP send me an email how to configure the server with this IP addresses
>> information. The 10.138.9.201 internal IP address selection was not made by
>> myself.
>
> Engin what country are you in?  Who is your ISP?
>
> A year or two ago I was assisting someone on the Debian list, who is in
> a former Soviet bloc Eastern European country, can't recall now which
> one.  RIPE was apparently screwing small ISPs over in these countries
> and not giving them the netblocks they needed.

Hello,

RIPE is screwing no one over. RIPE has clearly defined rules that apply
if you request network blocks. So if they didn't get network blocks
they clearly didn't have the right documentation/reasons for it.

Regards

Sebastian



Re: defer mail for unknown recipients for one domain only

2012-04-19 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2012-04-04 01:22]:
> To soft-reject unknown recipients in selected domains, in mail from
> clients outside the local network, request defer_if_reject at the end
> of smtpd_recipient_restrictions:
>
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
>   permit_mynetworks
>   ...
>   reject_unauth_destination
>   ...
>   check_recipient_access hash:/etc/postfix/final_rcpt_access
>
> /etc/postfix/final_rcpt_access:
> example.com defer_if_reject
>
> This is approximately the solution that Rob0 proposed.

Hi,

this works for me, but I put the check before my greylist/whitelist
lines:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    check_recipient_access hash:$config_directory/defer_unkown_users,  <-- here
    # Prevent greylisting for known good senders
    permit_dnswl_client list.dnswl.org,
    # Do greylisting for a few users/domains
    check_recipient_access pcre:$config_directory/greylist.pcre

I did debug the smtp connections as I wasn't sure if a
defer_if_reject lookup match would prevent the following checks from
running, but that's not the case.

Thanks again for all your help!

Regards

Sebastian



defer mail for unknown recipients for one domain only

2012-03-27 Thread Sebastian Wiesinger
Hello,

I have a setup which handles a few virtual domains. For one domain only
I want mails not to be rejected with a 5xx error code but be deferred
with a 4xx error code. Is that possible?

Regards

Sebastian



See which port a user connects to?

2011-12-14 Thread Sebastian Wiesinger
Hi,

is there a way (in the logs) to see which port a client connects to? I
can't find that information at the moment.

I'm interested to know if a client is using the smtp, ssmtp or
submission port to connect.

Thanks

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: See which port a user connects to?

2011-12-14 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2011-12-14 17:34]:
> Sebastian Wiesinger:
>> Hi,
>>
>> is there a way (in the logs) to see which port a client connects to? I
>> can't find that information at the moment.
>
> Give each SMTP server its own syslog_name option in master.cf:
>
> submission inet n   -   n   -   -   smtpd
>   -o syslog_name=submission

That did the trick, thank you.

Sebastian



Re: See which port a user connects to?

2011-12-14 Thread Sebastian Wiesinger
* /dev/rob0 r...@gmx.co.uk [2011-12-14 17:58]:
> I use postfix-587 (and postfix-465) because it's shorter and
> contains the postfix string which helps to isolate Postfix logging
> from other mail facility logs. grep postfix maillog, etc. More
> correct, and still meeting that need, would be postfix-submission.

I use postfix/submission at the moment which ends up as:

postfix/submission/smtpd[17048]:

Which suits me.

> It would be worthwhile to add these to sample submission and smtps
> lines in the default master.cf. Wietse, have you considered that?

I agree :)

Regards

Sebastian



Re: SMTP hangs when MySQL is down

2011-12-09 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2011-12-09 13:47]:
> A quick search shows that trivial-rewrite server has no fatal
> errors - it reports all errors that it can detect to the client (in
> this case smtpd(8)).
>
> However there is one low-level library module (match_ops) that
> exits the program with a fatal error.
>
> That module will have to be changed, so that the error can bubble
> up to its caller. That change needs to be made carefully because
> there is a lot of code that depends on match_ops: everything that
> uses mynetworks, mydestination, relay_domains, virtual_alias_domains,
> virtual_mailbox_domains, and more. That code must not break.
>
> I'll note once again that optimally reporting local configuration
> errors to remote SMTP clients has a low priority, compared to all
> the other work that needs to be done on Postfix.

Hi Wietse,

thank you very much for your explanation! I understand that this has a
low priority. If there is time for it somewhere in the future I would
appreciate a change but I'm not holding my breath. :)

Thanks again and Regards

Sebastian



Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2011-12-07 17:20]:
> Yes it was. I point the attention to the RIGHT problem, which is
> fixing the suboptimal configuration that does domain queries from
> SQL.

Hi,

with all due respect, but for me the important thing at the moment
would be to understand why it works the way it works. I understand
that it is apparently not the right way to do it, but to be honest
there is not a lot of information to point that out.

* There is no information regarding this limitation in trivial-rewrite(8),
  MYSQL_README or mysql_table(5). Maybe it's somewhere else where I
  did not find it.

* Every setup guide or how-to regarding MySQL and postfix that I
  found set up the domain alias table and domain table in
  MySQL. So people are using it.

* Doing a Google Search for virtual_mailbox_domains = proxy:mysql:
  returns 74k results, virtual_mailbox_domains = mysql: returns 41k
  results. So there are probably a few people using it.

* From my standpoint it makes no sense to have everything in a central
  database and then leave out the domain and domain alias tables. (But
  that is debatable)

* SMTP is not real-time messaging but customers/users nowadays expect that the
  configuration gets active at the same time they enter it into
  the system. If you can't provide that they go elsewhere.

I really would like to know if it is not possible to have a temporary
error when trivial-rewrite fails to access the MySQL database. I don't
see any apparent reason for it. If there is one I would like to know.

Last but not least I would really appreciate it if that capability
would be added (make it optional by all means). I think that at least
a few people would benefit from it.

Regards,

Sebastian



Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2011-12-08 13:09]:
> Sebastian Wiesinger:
>> I really would like to know if it is not possible to have a temporary
>> error when trivial-rewrite fails to access the MySQL database. I don't
>> see any apparent reason for it. If there is one I would like to know.
>
> You have the right to ask these questions. I recommend that you
> spend the energy to make your MySQL server more redundant, if you
> care so much about email performance.

I just don't want to have connections hang when there could be a
temporary error which would close down these connections. I don't care
so much about mail performance more about (again, in my opinion)
better error handling.

And I had hoped that perhaps this would be an improvement to postfix.
Sadly it seems it was some kind of blasphemy to question the way
postfix does handle this stuff.

But perhaps I'm only getting the wrong impression here.

Regards

Sebastian




Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* lst_ho...@kwsoft.de lst_ho...@kwsoft.de [2011-12-08 14:46]:
>> And I had hoped that perhaps this would be an improvement to postfix.
>> Sadly it seems it was some kind of blasphemy to question the way
>> postfix does handle this stuff.
>
> No, it means until now no one needs this so important to step up
> with code/patches to improve it. If you really need a reliable
> mailsystem you simply have to use reliable parts. Whether your mailsystem
> responds with 4xx or simply hangs in case it is not able to move any
> mail is just a matter of taste.

And that is where I disagree. IMHO a mailsystem should respond with a
temporary error if it is experiencing a temporary error (like a lookup
table not being available) not simply hang there and do... nothing.

>> But perhaps I'm only getting the wrong impression here.
>
> Yes
>
> Help is always welcome, simply demanding how things could be better is useless.

I'm not demanding anything (at least I hope I'm not doing it) but I'm
not too happy with a simple don't do it and no explanation (but
that's my problem, isn't it?). When I try to understand why postfix
behaves the way it does I get no reply either. I hoped that on this ML
someone would know enough about the inner postfix workings to explain
it to me. I'm still waiting for the use the source shouts.

No one even told me that they think it is fine as it is now and that a
4xx error would be the wrong thing. The only thing I've been told is
don't do it.

At the moment it seems pretty simple (on a high level) to me without
knowing any of the code: When the trivial-rewrite daemon fails (which
postfix can clearly detect, it states it in the logfile), return a 4xx
error. Would it be simple to implement? No idea, that's why I'm here
on this list to ask people who probably know the code.

Am I demanding it to be implemented? No! Would I be happy if it would
be implemented? Yes! I like postfix very much, I think it's a great
program but I also like it to get better, or at least what I think of
being better.

Regards

Sebastian



Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2011-12-09 01:01]:
>> And that is where I disagree. IMHO a mailsystem should respond with a
>> temporary error if it is experiencing a temporary error (like a lookup
>> table not being available) not simply hang there and do... nothing.
>
> We know that. What are you going to do about it besides whining?

Well, at the moment I'm trying to convince you and the other people
here to perhaps consider changing the way this is handled today. Not
very successfully it seems so I'll stop whining as you put it and
just live with it the way it is. Thanks for your answers.

Sebastian



Re: SMTP hangs when MySQL is down

2011-12-07 Thread Sebastian Wiesinger
* Sahil Tandon sahil+post...@tandon.net [2011-12-06 01:54]:
>> that's not really an option for me, I need these lists in MySQL. It
>> seems I have to live with it and make MySQL as stable as possible.
>
> Is your list of virtual mailbox domains that large or dynamic that it
> must be only in SQL?  Note that you can still have virtual_mailbox_maps
> reference an SQL location; it is just virtual_mailbox_domains (and
> anything else that is used by trivial-rewrite(8)) that causes the
> stalling symptoms you describe above.

Hi Sahil,

not large but users can add their own virtual domain aliases. I could
move the virtual domains out of SQL but not the domain aliases.

>> Could you explain this in a bit more detail?
>
> Viktor explains well in the posts to which I linked in my original
> reply.

I read these but it's not clear to me. So the transport lookup doesn't
work, but why does that prevent postfix from doing a 4xx error code?

Regards

Sebastian



Re: SMTP hangs when MySQL is down

2011-12-05 Thread Sebastian Wiesinger
* Sahil Tandon sahil+post...@tandon.net [2011-12-05 03:24]:
>> I'm using Postfix with MySQL via proxy:mysql maps. The documentation
>> states that mails should get deferred if no mysql server is reachable.
>>
>> However when I shut down MySQL, SMTP transactions freeze after I enter
>> the MAIL FROM:... statement.
>>
>> Any ideas how I can change that? There seems to be no timeout, I left
>> the SMTP dialog open for a few minutes at least.
>
> Do not use SQL in virtual_mailbox_domains[1]; instead, set the latter to
> a regular list.  Then, even when MySQL is down, Postfix will defer mail
> with 4.3.0 instead of appearing to freeze.

Hi Sahil,

that's not really an option for me, I need these lists in MySQL. It
seems I have to live with it and make MySQL as stable as possible.

> [1] Actually, you should avoid using SQL or LDAP for any tables used by
> the trivial-rewrite(8) daemon.  For context, see:

Thanks for the context but I'm still not clear on why there is no way
for postfix to delay every incoming mail when that happens. Is it
because local mail (injected by sendmail interface) would probably get
lost?

Could you explain this in a bit more detail?

Thank You & Regards

Sebastian



SMTP hangs when MySQL is down

2011-12-04 Thread Sebastian Wiesinger
Hi,

I'm using Postfix with MySQL via proxy:mysql maps. The documentation
states that mails should get deferred if no mysql server is reachable.

However when I shut down MySQL, SMTP transactions freeze after I enter
the MAIL FROM:... statement.

Any ideas how I can change that? There seems to be no timeout, I left
the SMTP dialog open for a few minutes at least.

The logfile shows:

postfix/proxymap[2160]: warning: connect to mysql server localhost: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
postfix/trivial-rewrite[2159]: fatal: proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf(0,lock|fold_fix): table lookup problem
postfix/master[30733]: warning: process /usr/lib/postfix/trivial-rewrite pid 2159 exit status 1
postfix/trivial-rewrite[2161]: fatal: proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf(0,lock|fold_fix): table lookup problem
postfix/smtpd[1372]: warning: problem talking to service rewrite: Success
postfix/master[30733]: warning: process /usr/lib/postfix/trivial-rewrite pid 2161 exit status 1
postfix/master[30733]: warning: /usr/lib/postfix/trivial-rewrite: bad command startup -- throttling


postfix is Debian Version 2.7.1-1+squeeze1

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = 127.0.0.1, [::1], x.x.x.x
inet_protocols = ipv4, ipv6
mailbox_command = /usr/bin/procmail -a $EXTENSION
mailbox_size_limit = 0
mydestination = mx.example.com, localhost.example.com, localhost
myhostname = mx.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:mysql:$config_directory/sql/mysql_relay_domains_maps.cf
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/my.crt
smtpd_tls_key_file = /etc/ssl/private/my.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = dovecot-sa
virtual_uid_maps = static:111


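A triage script for the failure mode discussed in this thread, added here as an example (it is not code from the thread or from Postfix): it recognises the proxymap / trivial-rewrite / master log pattern above and flags `postconf -n` parameters that the thread names as trivial-rewrite(8) lookups but that point at SQL or LDAP tables. The sample log lines and postconf snippet are constructed from this thread; REWRITE_PARAMS and the "hung smtpd" heuristic are assumptions drawn from the replies, not from the Postfix source.

```python
# Added example for the "SMTP hangs when MySQL is down" thread; not code from
# the thread or from Postfix. Sample inputs below are constructed.
import re

# Parameters the thread names as trivial-rewrite(8) lookups (taken from the thread, not the source).
REWRITE_PARAMS = {
    "mynetworks", "mydestination", "relay_domains", "transport_maps",
    "virtual_alias_domains", "virtual_mailbox_domains",
}

# Table types that need a separate server or daemon and can become unreachable.
NETWORK_TABLE_RE = re.compile(r"^(?:proxy:)?(?:mysql|pgsql|ldap):")

LOG_PATTERNS = {
    "backend_down": re.compile(
        r"postfix/proxymap\[\d+\]: warning: connect to (\S+) server"),
    "rewrite_fatal": re.compile(
        r"postfix/trivial-rewrite\[\d+\]: fatal: (\S+?)(?:\([^)]*\))?: table lookup problem"),
    "smtpd_rewrite_error": re.compile(
        r"postfix/smtpd\[\d+\]: warning: problem talking to service rewrite"),
    "throttled": re.compile(
        r"postfix/master\[\d+\]: warning: \S+/trivial-rewrite: bad command startup -- throttling"),
}


def triage_log(lines):
    """Count the symptoms and collect the table specs trivial-rewrite died on."""
    result = {kind: 0 for kind in LOG_PATTERNS}
    result["tables"] = set()
    for line in lines:
        for kind, rx in LOG_PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            result[kind] += 1
            if kind == "rewrite_fatal":
                result["tables"].add(m.group(1))
    # Thread's observation: once master throttles the crashing trivial-rewrite,
    # smtpd sessions stall after MAIL FROM instead of answering with a 4xx.
    result["hung_smtpd_likely"] = result["rewrite_fatal"] > 0 and result["throttled"] > 0
    return result


def parse_postconf(text):
    """Parse `postconf -n` output into {param: value}, joining continuation lines."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def risky_rewrite_tables(params):
    """Return {param: [table specs]} for trivial-rewrite parameters backed by SQL/LDAP."""
    found = {}
    for name in sorted(REWRITE_PARAMS & set(params)):
        specs = [s for s in re.split(r"[,\s]+", params[name]) if NETWORK_TABLE_RE.match(s)]
        if specs:
            found[name] = specs
    return found


# Constructed sample input, modelled on the log lines and postconf -n posted in the thread.
SAMPLE_LOG = [
    "Dec  4 12:00:01 mx postfix/proxymap[2160]: warning: connect to mysql server localhost: "
    "Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)",
    "Dec  4 12:00:01 mx postfix/trivial-rewrite[2159]: fatal: proxy:mysql:"
    "/etc/postfix/sql/mysql_virtual_alias_maps.cf(0,lock|fold_fix): table lookup problem",
    "Dec  4 12:00:01 mx postfix/master[30733]: warning: process "
    "/usr/lib/postfix/trivial-rewrite pid 2159 exit status 1",
    "Dec  4 12:00:01 mx postfix/smtpd[1372]: warning: problem talking to service rewrite: Success",
    "Dec  4 12:00:02 mx postfix/master[30733]: warning: "
    "/usr/lib/postfix/trivial-rewrite: bad command startup -- throttling",
]

SAMPLE_POSTCONF = """\
mydestination = mx.example.com, localhost.example.com, localhost
relay_domains = proxy:mysql:$config_directory/sql/mysql_relay_domains_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
"""
```

Run `triage_log(SAMPLE_LOG)` and `risky_rewrite_tables(parse_postconf(SAMPLE_POSTCONF))`: the first reports the crash-and-throttle sequence, the second flags relay_domains and virtual_mailbox_domains while leaving virtual_mailbox_maps alone, which is exactly the split Sahil's reply recommends.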