Re: First world problem ...
On 16.05.2022 at 15:51, Matus UHLAR - fantomas wrote:

On 16.05.2022 at 15:14, Matus UHLAR - fantomas wrote:

Any idea to whitelist ?

On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:

perhaps the null address at outgoing server, so you don't reject your own bounces

On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No. Better to apply the reject rule only on the inbound side, where it should only lead to bounces on remote systems. The OP's own systems should be sending outbound mail via the outbound MTA.

On 16.05.22 14:52, natan wrote:

Maybe smart loop if then ? But I do not know if it is not overcomplicated and what it would look like

please explain more deeply what do your inbound and outbound mailservers exactly do.

perhaps explain, how did e-mail 4L1w1y6WBVz1DDmK enter your mailserver - if you could block it the way in, you wouldn't have to generate bounce.

I guessed your incoming server is used as MX, and outgoing server for outbound e-mail from your clients.

On 16.05.22 15:33, natan wrote:

1)I send email from my outgoing server smtp xxx.xxx.xxx.220

Log from server smtp xxx.xxx.xxx.220:
May 16 12:08:38 smtp1 postfix/submission/smtpd[18768]: 4L1w1y5FpXz6c1M: client=unknown[xxx.xxx.xxx.60], sasl_method=LOGIN, sasl_username=na...@domain.ltd
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: warning: header Subject: alakot from unknown[xxx.xxx.xxx.60]; from= to= proto=ESMTP helo=
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: from=, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp/smtp[36552]: 4L1w1y5FpXz6c1M: to=, relay=delay=0.18, delays=0.11/0/0.04/0.03, dsn=5.7.1, status=bounced (host mx.domain.ltd[xxx.xxx.xxx.4] said: 550 5.7.1 spam2bok bla bla (in reply to end of DATA command))
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender non-delivery notification: 4L1w1y6Yk6z6c0l
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: removed

so, it's as Viktor said - your outgoing server accepted mail from you to you, and your incoming server first refused to accept mail from your incoming server, then it refused to accept the bounce, both because of the same reason.

You can filter such mail on your outgoing server, so you don't accept something you can't deliver.

Or, you can whitelist mail from your outgoing server with null envelope on your incoming server, so you know what was refused.

... this should be safe if you don't accept or forward such mail to outside hosts.

Are you aware that body_checks is very lightweight compared to e.g. spam and virus filtering?

Yes I know I understand it but it is more complicated.

example:
1)I get "targeted spam" where in body is "fake link"
2)I block this in body_checks - works perfect (fastest)
3)Before I blocked some emails passed
4)My user send me "a spam sample" and I don't get this

maybe really good idea is block thats in outgoing server with REJECT bla bla

--
Re: First world problem ...
On 16.05.2022 at 15:14, Matus UHLAR - fantomas wrote:

Any idea to whitelist ?

On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:

perhaps the null address at outgoing server, so you don't reject your own bounces

On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No. Better to apply the reject rule only on the inbound side, where it should only lead to bounces on remote systems. The OP's own systems should be sending outbound mail via the outbound MTA.

On 16.05.22 14:52, natan wrote:

Maybe smart loop if then ? But I do not know if it is not overcomplicated and what it would look like

please explain more deeply what do your inbound and outbound mailservers exactly do.

perhaps explain, how did e-mail 4L1w1y6WBVz1DDmK enter your mailserver - if you could block it the way in, you wouldn't have to generate bounce.

I guessed your incoming server is used as MX, and outgoing server for outbound e-mail from your clients.

On 16.05.22 15:33, natan wrote:

1)I send email from my outgoing server smtp xxx.xxx.xxx.220

Log from server smtp xxx.xxx.xxx.220:
May 16 12:08:38 smtp1 postfix/submission/smtpd[18768]: 4L1w1y5FpXz6c1M: client=unknown[xxx.xxx.xxx.60], sasl_method=LOGIN, sasl_username=na...@domain.ltd
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: warning: header Subject: alakot from unknown[xxx.xxx.xxx.60]; from= to= proto=ESMTP helo=
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: from=, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp/smtp[36552]: 4L1w1y5FpXz6c1M: to=, relay=

so, it's as Viktor said - your outgoing server accepted mail from you to you, and your incoming server first refused to accept mail from your incoming server, then it refused to accept the bounce, both because of the same reason.

You can filter such mail on your outgoing server, so you don't accept something you can't deliver.

Or, you can whitelist mail from your outgoing server with null envelope on your incoming server, so you know what was refused.

... this should be safe if you don't accept or forward such mail to outside hosts.

Are you aware that body_checks is very lightweight compared to e.g. spam and virus filtering?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: First world problem ...
On 16.05.2022 at 15:14, Matus UHLAR - fantomas wrote:

Any idea to whitelist ?

On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:

perhaps the null address at outgoing server, so you don't reject your own bounces

On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No. Better to apply the reject rule only on the inbound side, where it should only lead to bounces on remote systems. The OP's own systems should be sending outbound mail via the outbound MTA.

On 16.05.22 14:52, natan wrote:

Maybe smart loop if then ? But I do not know if it is not overcomplicated and what it would look like

please explain more deeply what do your inbound and outbound mailservers exactly do.

perhaps explain, how did e-mail 4L1w1y6WBVz1DDmK enter your mailserver - if you could block it the way in, you wouldn't have to generate bounce.

I guessed your incoming server is used as MX, and outgoing server for outbound e-mail from your clients.

1)I send email from my outgoing server smtp xxx.xxx.xxx.220
2)e-mail was delivered to my MX-node1 (external server)

Log from server MX xxx.xxx.xxx.4:
May 16 12:08:38 MX-node1 postfix/smtpd[56703]: 4L1w1y6WBVz1DDmK: client=smtp [xxx.xxx.xxx.220]
May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: warning: header Subject: alakot from smtp[xxx.xxx.xxx.220]; from= to= proto=ESMTP helo=
May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: reject: body alakot from smtp[xxx.xxx.xxx.220]; from= to= proto=ESMTP helo=: 5.7.1 spam2bok bla bla

Log from server smtp xxx.xxx.xxx.220:
May 16 12:08:38 smtp1 postfix/submission/smtpd[18768]: 4L1w1y5FpXz6c1M: client=unknown[xxx.xxx.xxx.60], sasl_method=LOGIN, sasl_username=na...@domain.ltd
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: warning: header Subject: alakot from unknown[xxx.xxx.xxx.60]; from= to= proto=ESMTP helo=
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: from=, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp/smtp[36552]: 4L1w1y5FpXz6c1M: to=, relay=delay=0.18, delays=0.11/0/0.04/0.03, dsn=5.7.1, status=bounced (host mx.domain.ltd[xxx.xxx.xxx.4] said: 550 5.7.1 spam2bok bla bla (in reply to end of DATA command))
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender non-delivery notification: 4L1w1y6Yk6z6c0l
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: removed
May 16 12:08:38 smtp1 postfix/cleanup[43380]: 4L1w1y6Yk6z6c0l: message-id=<4L1w1y6Yk6z6c0l@smtp>
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender non-delivery notification: 4L1w1y6Yk6z6c0l
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y6Yk6z6c0l: from=<>, size=3342, nrcpt=1 (queue active)
May 16 12:08:39 smtp1 postfix/smtp/smtp[36560]: 4L1w1y6Yk6z6c0l: to=, relay=mx.domain.ltd[xxx.xxx.xxx.4]:25, delay=0.22, delays=0/0/0.05/0.17, dsn=5.7.1, status=bounced (host mx.domain.ltd[xxx.xxx.xxx.4] said: 550 5.7.1 spam2bok bla bla (in reply to end of DATA command))
May 16 12:08:39 smtp1 postfix/qmgr[33961]: 4L1w1y6Yk6z6c0l: removed

--
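The chain in the outbound server's log above (message bounced, notification generated, notification bounced too) can be followed mechanically by queue ID. The following is an added example, not part of the original thread: it flags non-delivery notifications that the next hop rejected in turn. The log sample is constructed in the style of the thread's log with placeholder addresses and hosts, the function name is hypothetical, and one recipient per message is assumed.

```python
import re

# Constructed sample modelled on the outbound server's log in the thread.
# Addresses and hosts are placeholders; the second group of queue IDs is made up.
SAMPLE_LOG = """\
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: from=<user@example.test>, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp[36552]: 4L1w1y5FpXz6c1M: to=<user@example.test>, relay=mx.example.test[192.0.2.4]:25, dsn=5.7.1, status=bounced (host mx.example.test[192.0.2.4] said: 550 5.7.1 spam2bok bla bla (in reply to end of DATA command))
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender non-delivery notification: 4L1w1y6Yk6z6c0l
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y6Yk6z6c0l: from=<>, size=3342, nrcpt=1 (queue active)
May 16 12:08:39 smtp1 postfix/smtp[36560]: 4L1w1y6Yk6z6c0l: to=<user@example.test>, relay=mx.example.test[192.0.2.4]:25, dsn=5.7.1, status=bounced (host mx.example.test[192.0.2.4] said: 550 5.7.1 spam2bok bla bla (in reply to end of DATA command))
May 16 12:20:01 smtp1 postfix/qmgr[33961]: 4L1w2B1AAAz6c2N: from=<user@example.test>, size=900, nrcpt=1 (queue active)
May 16 12:20:01 smtp1 postfix/smtp[36600]: 4L1w2B1AAAz6c2N: to=<nobody@example.net>, relay=mx.example.net[198.51.100.7]:25, dsn=5.1.1, status=bounced (host mx.example.net[198.51.100.7] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
May 16 12:20:01 smtp1 postfix/bounce[3725]: 4L1w2B1AAAz6c2N: sender non-delivery notification: 4L1w2B1BBBz6c3P
May 16 12:20:01 smtp1 postfix/qmgr[33961]: 4L1w2B1BBBz6c3P: from=<>, size=3100, nrcpt=1 (queue active)
May 16 12:20:02 smtp1 postfix/smtp[36601]: 4L1w2B1BBBz6c3P: to=<user@example.test>, relay=mx.example.test[192.0.2.4]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4L1w2B2CCCz1DDmQ)
"""

# "postfix/smtp[...]", "postfix/submission/smtpd[...]" etc., then the queue ID.
LINE = re.compile(r"postfix/[\w/-]+\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
NDN = re.compile(r"sender non-delivery notification: (?P<child>[0-9A-Za-z]+)")
SENDER = re.compile(r"from=<(?P<sender>[^>]*)>")
STATUS = re.compile(r"status=(?P<status>\w+)")
REPLY = re.compile(r"said: (?P<reply>\d{3} .*?) \(in reply to")


def find_lost_bounces(log_text):
    """Return notifications (null sender) that were themselves bounced."""
    parent, sender, outcome = {}, {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if (n := NDN.search(rest)):
            parent[n["child"]] = qid            # notification -> original message
        elif (s := SENDER.match(rest)):
            sender[qid] = s["sender"]           # "" is the null envelope sender <>
        elif (st := STATUS.search(rest)):
            r = REPLY.search(rest)
            outcome[qid] = (st["status"], r["reply"] if r else None)
    lost = []
    for child, orig in parent.items():
        status, reason = outcome.get(child, (None, None))
        if sender.get(child) == "" and status == "bounced":
            orig_reason = outcome.get(orig, (None, None))[1]
            lost.append({"original": orig, "bounce": child, "reason": reason,
                         "same_reason": reason is not None and reason == orig_reason})
    return lost


if __name__ == "__main__":
    for hit in find_lost_bounces(SAMPLE_LOG):
        print(hit)
```

A hit with `same_reason` set is the situation in the thread: the content rule that rejected the message also rejected its notification, so the sender never sees a Mailer-Daemon report.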
Re: First world problem ...
Any idea to whitelist ?

On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:

perhaps the null address at outgoing server, so you don't reject your own bounces

On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No. Better to apply the reject rule only on the inbound side, where it should only lead to bounces on remote systems. The OP's own systems should be sending outbound mail via the outbound MTA.

On 16.05.22 14:52, natan wrote:

Maybe smart loop if then ? But I do not know if it is not overcomplicated and what it would look like

please explain more deeply what do your inbound and outbound mailservers exactly do.

perhaps explain, how did e-mail 4L1w1y6WBVz1DDmK enter your mailserver - if you could block it the way in, you wouldn't have to generate bounce.

I guessed your incoming server is used as MX, and outgoing server for outbound e-mail from your clients.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average.
Re: First world problem ...
Any idea to whitelist ?

On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:

perhaps the null address at outgoing server, so you don't reject your own bounces

On 16.05.22 22:46, Viktor Dukhovni wrote:

No. Better to apply the reject rule only on the inbound side, where it should only lead to bounces on remote systems. The OP's own systems should be sending outbound mail via the outbound MTA.

from those logs I assumed that the mail did not come through inbound server.

perhaps OP could explain what exactly those inbound and outbound servers do.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
Re: First world problem ...
On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:

Any idea to whitelist ?

perhaps the null address at outgoing server, so you don't reject your own bounces

No. Better to apply the reject rule only on the inbound side, where it should only lead to bounces on remote systems. The OP's own systems should be sending outbound mail via the outbound MTA.

Maybe smart loop if then ? But I do not know if it is not overcomplicated and what it would look like

--
Re: First world problem ...
> On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:
>
>> Any idea to whitelist ?
>
> perhaps the null address at outgoing server, so you don't reject your own
> bounces

No. Better to apply the reject rule only on the inbound side, where it should only lead to bounces on remote systems. The OP's own systems should be sending outbound mail via the outbound MTA.

--
Viktor.
Re: First world problem ...
On 16.05.22 12:33, natan wrote:

I have probably trivial problem - but I cannot resolve

I have two server
1)for outgoing
2)for incoming (typical mx)

For test I create in (incoming server) body_checks.pcre:
/alakot/ REJECT spam2bok bla bla

If I send e-mail from external (gmail, yahoo) I get info from Mailer-Daemon about REJECT - works fine
but if I send from my domain I don't get Mailer-Daemon:

May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: reject: body alakot from smtp[xxx.xxx.xxx.xxx]; from= to= proto=ESMTP helo=: 5.7.1 spam2bok bla bla
May 16 12:08:39 Mx1-node1 postfix/cleanup[45282]: 4L1w1z0zmpz1DDmn: reject: body alakot from smtp[xxx.xxx.xxx.]; from=<> to= proto=ESMTP helo=: 5.7.1 spam2bok bla bla

Is this correct because body_check check "second time" when incoming return

yes, first time you reject the message itself and a bounce is generated, second time the bounce gets rejected.

Any idea to whitelist ?

perhaps the null address at outgoing server, so you don't reject your own bounces

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
Re: First world problem ...
On 16.05.2022 at 13:10, Wietse Venema wrote:

natan:

Hi
I have probably trivial problem - but I cannot resolve

I have two server
1)for outgoing
2)for incoming (typical mx)

For test I create in (incoming server) body_checks.pcre:
/alakot/ REJECT spam2bok bla bla

If I send e-mail from external (gmail, yahoo) I get info from Mailer-Daemon about REJECT - works fine
but if I send from my domain I don't get Mailer-Daemon:

May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: reject: body alakot from smtp[xxx.xxx.xxx.xxx]; from= to= proto=ESMTP helo=: 5.7.1 spam2bok bla bla
May 16 12:08:39 Mx1-node1 postfix/cleanup[45282]: 4L1w1z0zmpz1DDmn: reject: body alakot from smtp[xxx.xxx.xxx.]; from=<> to= proto=ESMTP helo=: 5.7.1 spam2bok bla bla

Is this correct because body_check check "second time" when incoming return

Any idea to whitelist ?

You included no "postconf -n" settings, so I will waste some bandwidth with random text.

Wietse

internal_mail_filter_classes (default: empty)
    What categories of Postfix-generated mail are subject to before-queue content inspection by non_smtpd_milters, header_checks and body_checks. Specify zero or more of the following, separated by whitespace or comma.

    bounce
        Inspect the content of delivery status notifications.

    notify
        Inspect the content of postmaster notifications by the smtp(8) and smtpd(8) processes.

    NOTE: It's generally not safe to enable content inspection of Postfix-generated email messages. The user is warned.

    This feature is available in Postfix 2.3 and later.
sorry

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 5h
broken_sasl_auth_clients = yes
compatibility_level = 2
default_destination_concurrency_limit = 100
default_destination_recipient_limit = 100
default_process_limit = 850
delay_warning_time = 0h
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_concurrency_limit = 100
lmtp_destination_recipient_limit = 1
lpolicyd = check_policy_service { unix:private/policyd-lemat3, timeout=4s, default_action=DUNNO }
mailbox_size_limit = 0
max_idle = 1200s
max_use = 150
maximal_queue_lifetime = 24h
message_size_limit = 146800640
myhostname = mx-node1.domain.ltd
mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32
myorigin = /etc/mailname
policy-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = ignore
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps proxy:mysql:/etc/postfix/mysql_whitelist_recipient.cf
readme_directory = no
recipient_delimiter = +
smtp-amavis_destination_recipient_limit = 1
smtp_connection_reuse_time_limit = 400s
smtp_data_done_timeout = 1600s
smtp_rcpt_timeout = 900s
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 200
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_checks, check_client_access cidr:/etc/postfix/amavis_bypass, reject_unauth_pipelining, permit
smtpd_data_restrictions = check_policy_service { inet:127.0.0.1:10040 timeout=2s, default_action=DUNNO } reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_enforce_tls = no
smtpd_hard_error_limit = 50
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access pcre:/etc/postfix/helo_access.pcre reject_unauth_pipelining, reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_proxy_timeout = 240s
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/bad_recipients, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/whitelista, reject_unauth_destination, lpolicyd, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_recipient_access mysql:/etc/postfix/mysql_whitelist_recipient.cf, reject_invalid_hostname, check_sender_
Re: First world problem ...
natan:
> Hi
> I have probably trivial problem - but I cannot resolve
>
> I have two server
> 1)for outgoing
> 2)for incoming (typical mx)
>
> For test I create in (incoming server) body_checks.pcre:
> /alakot/ REJECT spam2bok bla bla
>
> If I send e-mail from external (gmail, yahoo) I get info from
> Mailer-Daemon about REJECT - works fine
> but if I send from my domain I don't get Mailer-Daemon:
>
> May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK:
> reject: body alakot from smtp[xxx.xxx.xxx.xxx];
> from= to= proto=ESMTP
> helo=: 5.7.1 spam2bok bla bla
> May 16 12:08:39 Mx1-node1 postfix/cleanup[45282]: 4L1w1z0zmpz1DDmn:
> reject: body alakot from smtp[xxx.xxx.xxx.]; from=<>
> to= proto=ESMTP helo=: 5.7.1 spam2bok
> bla bla
>
> Is this correct because body_check check "second time" when incoming return
>
> Any idea to whitelist ?

You included no "postconf -n" settings, so I will waste some bandwidth with random text.

Wietse

internal_mail_filter_classes (default: empty)
    What categories of Postfix-generated mail are subject to before-queue content inspection by non_smtpd_milters, header_checks and body_checks. Specify zero or more of the following, separated by whitespace or comma.

    bounce
        Inspect the content of delivery status notifications.

    notify
        Inspect the content of postmaster notifications by the smtp(8) and smtpd(8) processes.

    NOTE: It's generally not safe to enable content inspection of Postfix-generated email messages. The user is warned.

    This feature is available in Postfix 2.3 and later.