Re: Open relay

2016-10-21 Thread Tomoyuki Murakami

On Fri, 21 Oct 2016 22:15:32 +0200, Paul van der Vlis wrote:
> Hello,

> Some settings and logs:
>
> smtpd_relay_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   check_sender_access hash:/etc/postfix/whitelist,
>   reject_invalid_hostname,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   reject_unauth_pipelining,
>   reject_unauth_destination,
>   check_policy_service unix:private/shadelist,
>   reject_rbl_client bl.spamcop.net,
>   reject_rbl_client zen.spamhaus.org,
>   reject_rbl_client ix.dnsbl.manitu.net,
>   permit

permit after all ?




Re: Semi-OT: Exchange 2013 SMTP Callout

2013-06-14 Thread Tomoyuki Murakami

On Fri, 14 Jun 2013 17:10:16 +0200, Bernhard Schmidt wrote:

> This gets even worse when the mail has two recipients
> ... doesnotexist@ does not exist, t1@ does...
>
> mail from: 
> 250 2.1.0 Sender OK
> rcpt to: 
> 250 2.1.5 Recipient OK
> rcpt to: 
> 250 2.1.5 Recipient OK
> data
> 354 Start mail input; end with .
> test
> .
> 550 5.1.1 User unknown

quick and rough work-around might be
smtp_destination_recipient_limit = 1

for the Postfix before E-2013.


> According to this threat:
>
> http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/91c26fd2-aa0c-4006-9326-ece609bf4f67/
>
> this is expected. I can hardly believe that.

Unbelievable... it's harmful threat X-(.





Re: Installing postfix with mysql

2012-03-07 Thread Tomoyuki Murakami

On Wed, 7 Mar 2012 15:46:25 -0800 (PST), Scott Brown wrote:

> I am trying to install Postfix with mysql on CentOS 6.0.
> I am trying to follow the instructions 
> at http://www.postfix.org/MYSQL_README.html
> I downloaded the mysql libraries and source code.
> The libmysql was extracted 
> to /usr/local/mysql-connector-c-6.0.2-linux-glibc2.3-x86-32bit
> 
> So from the postfix-2.9.1 directory, I ran:
> make -f Makefile.init makefiles \
>     'CCARGS=-DHAS_MYSQL
> -I/usr/local/mysql-connector-c-6.0.2-linux-glibc2.3-x86-32bit/include' \
>     'AUXLIBS=-L/usr/local/mysql-connector-c-6.0.2-linux-glibc2.3-x86-32bit/lib
> -lmysqlclient -lz -lm'

Actually, I don't know the compatibility of libmysql with
libmysqlclient. Did you try 'ldconfig' after installing that
library?
Or, you should use MySQL-devel-rpm in order to follow
the README instructions safely.

> Then ran the make command
> 
> When I try to run make install, I get this error:
> bin/postconf: error while loading shared
> libraries: libmysql.so.16: cannot open shared object file: No such file or
> directory 

you should check
# ldd bin/postconf
(in Linux) or something like that after this kind of errors.




Re: Postscreen

2011-02-14 Thread Tomoyuki Murakami

On Mon, 14 Feb 2011 14:28:22 -0600, /dev/rob0  wrote:
> On Mon, Feb 14, 2011 at 03:55:25PM +0200, JC Putter wrote:
>> Can postscreen be compared to SNARE?

> http://en.wikipedia.org/wiki/Snare gives me no clue as to what you
> might be asking. However, postscreen has documentation:
> http://www.postfix.org/POSTSCREEN_README.html
> http://www.postfix.org/postscreen.8.html
> Perhaps those can point you in the right direction?

Indeed.
I'm not sure but he might have meant 'honeypot' or something.
or, the message itself was SNARE? (Ooops!)





Re: Postfix 2.8 stable release soon

2011-01-14 Thread Tomoyuki Murakami

On Fri, 14 Jan 2011 12:59:38 +0100, John Fawcett  wrote:
> I get the following warnings with postfix-2.8-20110112 even though I
> don't use any more postscreen_whitelist_networks and
> postscreen_blacklist_networks in my configuration having replaced them
> by the new postscreen_access_list.

At least, you may need an explicit
postscreen_whitelist_networks =

setting to drown out the default value of 'mynetworks'.




postscreen_cache_map

2011-01-13 Thread Tomoyuki Murakami

(just a faint impact, ...)
since postfix-2.8-20110102, postscreen_cache_map file has been
named "psc_cache" by default.

postfix-2.8-20110112:
./global/mail_params.h:#define DEF_PSC_CACHE_MAP   "btree:$data_directory/psc_cache"

though man postscreen said,
...
   postscreen_cache_map (btree:$data_directory/ps_cache)

early adopters may have ps_cache and psc_cache ;-o.

---
Tomo.




Re: Postfix queue in Mysql ?

2010-12-29 Thread Tomoyuki Murakami

On Wed, 29 Dec 2010 10:14:49 -0500, Joan Moreau  wrote:

> Can you just tell me how to put
> the mailing queue in a DB (mysql database in my case) ?

you may simply deploy MySQLfs (FUSE+MySQL) if you do not mind
speeds, loads,...etc.
http://sourceforge.net/projects/mysqlfs/




Re: postscreen request: pcre support

2010-12-02 Thread Tomoyuki Murakami

Wietse:
> Again. if something can already be done with smtpd plus milter or
> policy plugin or content filter then I urge you to keep using that
> already existing functionality.

and also said,

> Postscreen's purpose is to keep zombies away so that you can keep
> using the existing smtpd features.
>
> It is not a scoring system that makes a decision at the end.
> Instead, postscreen makes the decision as early as possible.

To keep zombies away from smtpd, and to make the decision as early
as possible, it is natural that access control functionality
similar to what is implemented in smtpd may be required, I think,
because zombies can have their behavior fixed over time,
and the difference from legitimate clients may be just the IPs
they access from and their reverse DNS names. So the RBLDNS
scoring works very effectively at my site now.

If there are any additional features for postscreen,
at least a policy-delegation I/F would be useful for that purpose.

--
Tomo.




OT: Re: anvil stats/restrictions based on SASL username?

2010-10-26 Thread Tomoyuki Murakami

> Cassidy Larson:
>> We had an incident today where we had a user with a compromised
>> machine. Their email/pass made it back to some botnet which proceeded
>> to SASL auth to our mail servers and send numerous spam messages from
>> many different hosts. The spamming hosts didn't trigger our
>> smtpd_client_recipient_rate_limit setting, because of the many
>> different hosts (all with the same SASL user authenticated) that they
>> used.

I'm a little bit amazed to hear about a real, existing AUTHing bot.
I think we must prepare for SPAM originating from bots, but relayed
through legitimate (compared to direct from bot PCs) MTAs.

> Maybe a good idea. This would hook into the AUTH command and after
> successful AUTH, do an anvil query for the sasl_username value.
> 
> It's not a lot of code, but I don't have a lot of time, either.
> 

We will have time to clean-up bots ;-p

--
Tomo.
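
The incident quoted above (one stolen SASL login used from many hosts, so no single client reaches smtpd_client_recipient_rate_limit) can be spotted from the logs by counting distinct client addresses per sasl_username. This is an added example, not part of the thread or of Postfix; the log lines are constructed, and the thresholds and the year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the usual Postfix smtpd syslog layout.
SAMPLE_LOG = """\
Oct 26 10:00:01 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=victim@example.org
Oct 26 10:00:30 mx postfix/smtpd[2102]: connect from unknown[203.0.113.9]
Oct 26 10:01:01 mx postfix/smtpd[2102]: 4A1B2C3D4F: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@example.org
Oct 26 10:01:20 mx postfix/smtpd[2103]: 4A1B2C3D50: client=pc1.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Oct 26 10:02:01 mx postfix/smtpd[2104]: 4A1B2C3D51: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=victim@example.org
Oct 26 10:03:01 mx postfix/smtpd[2105]: 4A1B2C3D52: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=victim@example.org
Oct 26 10:03:40 mx postfix/smtpd[2103]: 4A1B2C3D53: client=pc1.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Oct 26 10:04:01 mx postfix/smtpd[2106]: 4A1B2C3D54: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=victim@example.org
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*postfix/smtpd\[\d+\]:.*"
    r"client=[^\[]*\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)"
)


def flag_shared_logins(log_text, max_ips=3, window=timedelta(minutes=10), year=2010):
    """Map each sasl_username seen from more than max_ips distinct client
    addresses within one sliding window to the largest such set of IPs."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # only lines that record an authenticated client
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["user"]].append((ts, m["ip"]))
    flagged = {}
    for user, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # drop events that fell out of the window
            ips = {ip for _, ip in seen[start:end + 1]}
            if len(ips) > max_ips and len(ips) > len(flagged.get(user, ())):
                flagged[user] = sorted(ips)
    return flagged


if __name__ == "__main__":
    for user, ips in flag_shared_logins(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} client addresses in 10 minutes: {', '.join(ips)}")
```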


Re: SRS implementation

2010-05-23 Thread Tomoyuki Murakami
From: Wietse Venema 
Subject: Re: SRS implementation
Date: Sat, 22 May 2010 09:35:29 -0400 (EDT)

> Tomoyuki Murakami:
>> > First, this would accept mail for forwarder+anyuser=anydom...@my.dom,
>> > meaning that it would be an open relay. A more secure implementation
>> > would compute a hash of (orig_sen...@domain.com, local secret) and
>> > include that hash in the return address.
>>
>> I guess, with my patch alone, could not cause open relay, but ...
>
> It is an open relay.
>
> To exploit:  send mail to postmaster+anyuser=anydom...@my.dom where
> my.dom is your domain, and Postfix will deliver it to anyu...@anydomain.

Oops! I couldn't find such a decoding mechanism, i.e.
postmaster+anyuser=anydom...@my.dom to anyu...@anydomain,
in the Postfix source. Is this realized in bare Postfix with
a specific configuration, or in cooperation with its plug-ins?

My previous patch just rewrites the sender one-way, and it may
be `incomplete' in the sense of implementing SRS.

If there exists a function for extracting the original sender
address from an SRS-ish (VERP?) one in the current Postfix code,
I'd like to learn about that, for either choosing any existing
plug-ins or home-brewing yet-another-SRS plug-in, mainly looking
into the security sufficiency of its required hash mechanisms.

---
Tomo.




Re: SRS implementation

2010-05-21 Thread Tomoyuki Murakami
Hi, Wietse,
Thanks for reply.

From: Wietse Venema 
Subject: Re: SRS implementation
Date: Fri, 21 May 2010 16:13:45 -0400 (EDT)

> First, this would accept mail for forwarder+anyuser=anydom...@my.dom,
> meaning that it would be an open relay. A more secure implementation
> would compute a hash of (orig_sen...@domain.com, local secret) and
> include that hash in the return address.

I guess my patch alone could not cause an open relay, but ...
when someone implements the functions for bounce or DSN to the
anyu...@anydomain address derived from that SRS'ed sender
unconditionally, this would be the case, wouldn't it?
Or there is something else I could have missed here (as usual ;-p).

> Second, Postfix has a plugin interface that supports implementations
> SRS, SPF, DKIM, SenderID, etc.  I currently have no plans to build
> these into Postfix.

OK, I'd like to consider these lines too.

Thanks,
---
Tomo.
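
The keyed hash that Wietse describes in the passages quoted in this message and in the follow-up above (a hash of the original sender and a local secret, included in the return address), shown with the check that has to pass before such an address is decoded. This is an added example, not code from the thread or from Postfix; the tag position and length, the secret and the sample addresses are assumptions, and the timestamp that full SRS carries is left out.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-local-secret"  # assumption: site-local key, kept private
TAG_LEN = 8                           # assumption: 8 base32 chars = 40 bits of MAC


def tag_for(orig_sender, secret=SECRET):
    """Keyed hash of (original sender, local secret), shortened for a local part."""
    mac = hmac.new(secret, orig_sender.lower().encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode().lower()[:TAG_LEN]


def srs_forward(forwarder, orig_sender, secret=SECRET):
    """forwarder@my.dom, user@domain -> forwarder+TAG=user=domain@my.dom"""
    f_local, f_domain = forwarder.rsplit("@", 1)
    o_local, o_domain = orig_sender.rsplit("@", 1)
    return f"{f_local}+{tag_for(orig_sender, secret)}={o_local}={o_domain}@{f_domain}"


def srs_reverse(rcpt, secret=SECRET):
    """Return the original sender only if the tag verifies, else None."""
    local = rcpt.rpartition("@")[0]
    _forwarder, plus, ext = local.partition("+")
    tag, eq1, rest = ext.partition("=")
    # The sender's local part may itself contain '=', a domain cannot.
    o_local, eq2, o_domain = rest.rpartition("=")
    if not (plus and eq1 and eq2 and o_local and o_domain):
        return None  # not in the tagged format at all
    candidate = f"{o_local}@{o_domain}"
    expected = tag_for(candidate, secret)
    # Constant-time comparison; on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(tag.lower().encode(), expected.encode()):
        return None
    return candidate


if __name__ == "__main__":
    rewritten = srs_forward("forwarder@my.dom", "alice@example.com")
    print(rewritten, "->", srs_reverse(rewritten))
    # The untagged shape from the thread is refused instead of being decoded.
    print(srs_reverse("postmaster+anyuser=anydomain.example@my.dom"))
```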




SRS implementation

2010-05-21 Thread Tomoyuki Murakami
Hi, all

I'm just playing with implementing an SRS (Sender Rewriting Scheme)-like
function in Postfix.
   *SRS - http://www.openspf.org/SRS
A trivial patch, attached to this message, would do the following.
* rewrite the sender when the message will be forwarded to another site/domain.
* Nope when the VERP setting is active.
* rewriting format:
  Message sender: orig_sen...@domain.com (sender)
  Forwarder: forwar...@my.dom (orig_addr)
  ->  MAIL From: forwarder+orig_sender=domain@my.dom
* target transport is smtp only.

ToDo.
configurable options to activate the function, target transports,
target domains, etc.

Any comments would be appreciated.

Thanks,
---
Tomo.
diff -ru postfix-2.7.0.orig/src/qmgr/qmgr_deliver.c postfix-2.7.0/src/qmgr/qmgr_deliver.c
--- postfix-2.7.0.orig/src/qmgr/qmgr_deliver.c	2009-01-17 02:42:56.0 +0900
+++ postfix-2.7.0/src/qmgr/qmgr_deliver.c	2010-05-22 00:50:40.0 +0900
@@ -140,6 +140,12 @@
 MSG_STATS stats;
 char   *sender;
 int flags;
+/* XXX playing SRS XXX */
+RECIPIENT org_sender;
+QMGR_TRANSPORT *transport = entry->queue->transport;
+char *at1;
+char *at2;
+/* XXX playing SRS XXX */
 
 /*
  * If variable envelope return path is requested, change pref...@origin
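
Review bot: The new locals at the top of the function are introduced only by the placeholder marker "/* XXX playing SRS XXX */", which does not say what they hold; a comment stating that org_sender wraps the original envelope sender and that at1/at2 point at the '@' of the two addresses being compared would make the later block readable. "transport" is also initialised from entry->queue->transport at declaration even when the rewrite is never attempted; consider declaring these inside the block that uses them, and making at1/at2 "const char *" since they are only read.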
@@ -148,6 +154,23 @@
  */
 if (message->verp_delims == 0) {
 	sender = message->sender;
+	/* XXX playing SRS XXX */
+	if (list.info->orig_addr) {
+	/* compare domain part */
+	at1 = strrchr(list.info->orig_addr, '@');
+	at2 = strrchr(list.info->address, '@');
+	if (at1 != 0 && at2 != 0
+		&& strcasecmp(at1, at2) != 0
+		&& (strcmp(transport->name, "smtp") == 0) ) {
+		RECIPIENT_ASSIGN(&org_sender, 0, "", 0, "", sender);
+		sender_buf = vstring_alloc(100);
+		verp_sender(sender_buf, var_verp_delims, list.info->orig_addr, &org_sender);
+		sender = vstring_str(sender_buf);
+		if (msg_verbose)
+		msg_info("%s: sender rewrite %s -> %s for %s",
+			 message->queue_id, message->sender, sender, transport->name);
+	}
+	}
 } else {
 	sender_buf = vstring_alloc(100);
 	verp_sender(sender_buf, message->verp_delims,
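
Review bot: In the new branch under "if (list.info->orig_addr)", verp_sender() writes the original sender into the return address in clear text with nothing that ties it to this host, so an address of the same shape can be constructed by anyone; add a keyed hash over the original sender and a local secret to the generated address, and verify it wherever such an address is accepted or decoded. Smaller points in the same block: only list.info->orig_addr and list.info->address are compared, so say in a comment what is expected when the list holds more than one recipient; the transport name "smtp" and the use of var_verp_delims are hardcoded rather than configurable; sender_buf from vstring_alloc(100) needs the same release path as the VERP branch below; and the body of the outer "if" is not indented, which hides the nesting.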




Re: DKIM-milter only for outgoing

2010-04-15 Thread Tomoyuki Murakami

From: Birta Levente 
Subject: DKIM-milter only for outgoing
Date: Thu, 15 Apr 2010 17:23:12 +0300

> My postfix server is set up with amavisd-new and dkim-milter.
>
> In the  main.cf:
>
> content_filter = smtp-amavis:[127.0.0.1]:10024
>
> smtpd_milters = inet:localhost:20209
> non_smtpd_milters = inet:localhost:20209
> milter_protocol = 2
> milter_default_action = accept

> With this configuration the DKIM signature is added even to the
> incoming mails and I don't see any reason to do that.

For dkim-filter, you can limit the signing domain with the -d option.
In Postfix, you should separate the services for incoming and
outgoing (submission). If you do so, you can move the milter
setting from main.cf to master.cf, with settings like,

smtp       inet  n       -       n       -       -       smtpd
  -o .
  -o ..

submission inet  n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o ...
  -o smtpd_milters=inet:127.0.0.1:20209

 ... I'm not sure how appropriate these are, but setting
 smtpd_milters only for submission works fine for me in normal
 operation.

--
Tomo.

