Re: First world problem ...

2022-05-16 Thread natan

On 16.05.2022 at 15:51, Matus UHLAR - fantomas wrote:

On 16.05.2022 at 15:14, Matus UHLAR - fantomas wrote:

Any idea to whitelist?


On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:
perhaps the null address at outgoing server, so you don't reject 
your own bounces



On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the 
outbound MTA.


On 16.05.22 14:52, natan wrote:
Maybe smart loop if then ? But I do not know if it is not 
overcomplicated and what it would look like


please explain more deeply what do your inbound and outbound 
mailservers exactly do.


perhaps explain, how did e-mail 4L1w1y6WBVz1DDmK enter your mailserver
- if you could block it the way in, you wouldn't have to generate 
bounce.


I guessed your incoming server is used as MX, and outgoing server 
for outbound e-mail from your clients.


On 16.05.22 15:33, natan wrote:

1)I send email from my outgoing server smtp xxx.xxx.xxx.220



Log from server smtp xxx.xxx.xxx.220:


May 16 12:08:38 smtp1 postfix/submission/smtpd[18768]: 
4L1w1y5FpXz6c1M: client=unknown[xxx.xxx.xxx.60], sasl_method=LOGIN, 
sasl_username=na...@domain.ltd
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: 
warning: header Subject: alakot from unknown[xxx.xxx.xxx.60]; 
from= to= proto=ESMTP helo=
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: 
message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: 
from=, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp/smtp[36552]: 4L1w1y5FpXz6c1M: 
to=, relay=delay=0.18, delays=0.11/0/0.04/0.03, dsn=5.7.1, status=bounced (host 
mx.domain.ltd[xxx.xxx.xxx.4] said: 550 5.7.1 spam2bok bla bla (in 
reply to end of DATA command))
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender 
non-delivery notification: 4L1w1y6Yk6z6c0l

May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: removed


so, it's as Viktor said - your outgoing server accepted mail from you 
to you, and your incoming server first refused to accept mail from 
your incoming server, then it refused to accept the bounce, both 
because of the same reason.


You can filter such mail on your outgoing server, so you don't accept 
something you can't deliver.



Or, you can whitelist mail from your outgoing server with null 
envelope on your incoming server, so you know what was refused.
... this should be safe if you don't accept or forward such mail to 
outside hosts.


Are you aware that body_checks is very lightweight compared to e.g. spam 
and virus filtering?



Yes I know I understand it but it is more complicated.

example:
1)I get "targeted spam" where in body is "fake link"
2)I block this in body_checks - works perfect (fastest)
3)Before I blocked some emails passed
4)My user send me "a spam sample" and I don't get this

maybe really good idea is block that in outgoing server with REJECT bla bla
--



Re: First world problem ...

2022-05-16 Thread Matus UHLAR - fantomas

On 16.05.2022 at 15:14, Matus UHLAR - fantomas wrote:

Any idea to whitelist?


On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:
perhaps the null address at outgoing server, so you don't 
reject your own bounces



On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the 
outbound MTA.


On 16.05.22 14:52, natan wrote:
Maybe smart loop if then ? But I do not know if it is not 
overcomplicated and what it would look like


please explain more deeply what do your inbound and outbound 
mailservers exactly do.


perhaps explain, how did e-mail 4L1w1y6WBVz1DDmK enter your mailserver
- if you could block it the way in, you wouldn't have to generate bounce.

I guessed your incoming server is used as MX, and outgoing server 
for outbound e-mail from your clients.


On 16.05.22 15:33, natan wrote:

1)I send email from my outgoing server smtp xxx.xxx.xxx.220



Log from server smtp xxx.xxx.xxx.220:



May 16 12:08:38 smtp1 postfix/submission/smtpd[18768]: 4L1w1y5FpXz6c1M: 
client=unknown[xxx.xxx.xxx.60], sasl_method=LOGIN, 
sasl_username=na...@domain.ltd
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: warning: header Subject: alakot 
from unknown[xxx.xxx.xxx.60]; from= to= 
proto=ESMTP helo=
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: 
message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: 
from=, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp/smtp[36552]: 4L1w1y5FpXz6c1M: 
to=, relay=

so, it's as Viktor said - your outgoing server accepted mail from you to 
you, and your incoming server first refused to accept mail from your 
incoming server, then it refused to accept the bounce, both because of the 
same reason.


You can filter such mail on your outgoing server, so you don't accept 
something you can't deliver.



Or, you can whitelist mail from your outgoing server with null envelope on 
your incoming server, so you know what was refused.

... this should be safe if you don't accept or forward such mail to outside 
hosts.

Are you aware that body_checks is very lightweight compared to e.g. spam and 
virus filtering?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: First world problem ...

2022-05-16 Thread natan

On 16.05.2022 at 15:14, Matus UHLAR - fantomas wrote:

Any idea to whitelist?


On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:
perhaps the null address at outgoing server, so you don't reject 
your own bounces



On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the 
outbound MTA.


On 16.05.22 14:52, natan wrote:
Maybe smart loop if then ? But I do not know if it is not 
overcomplicated and what it would look like


please explain more deeply what do your inbound and outbound 
mailservers exactly do.


perhaps explain, how did e-mail 4L1w1y6WBVz1DDmK enter your mailserver
- if you could block it the way in, you wouldn't have to generate bounce.

I guessed your incoming server is used as MX, and outgoing server for 
outbound e-mail from your clients.




1)I send email from my outgoing server smtp xxx.xxx.xxx.220
2)e-mail was delivered to my MX-node1 (external server)

Log from server MX xxx.xxx.xxx.4:
May 16 12:08:38 MX-node1 postfix/smtpd[56703]: 4L1w1y6WBVz1DDmK: 
client=smtp [xxx.xxx.xxx.220]
May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: 
warning: header Subject: alakot from smtp[xxx.xxx.xxx.220]; 
from= to= proto=ESMTP helo=
May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: 
message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: 
reject: body alakot from smtp[xxx.xxx.xxx.220]; from= 
to= proto=ESMTP helo=: 5.7.1 spam2bok bla bla


Log from server smtp xxx.xxx.xxx.220:
May 16 12:08:38 smtp1 postfix/submission/smtpd[18768]: 4L1w1y5FpXz6c1M: 
client=unknown[xxx.xxx.xxx.60], sasl_method=LOGIN, 
sasl_username=na...@domain.ltd
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: warning: 
header Subject: alakot from unknown[xxx.xxx.xxx.60]; 
from= to= proto=ESMTP helo=
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: 
message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: 
from=, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp/smtp[36552]: 4L1w1y5FpXz6c1M: 
to=, relay=delay=0.18, delays=0.11/0/0.04/0.03, dsn=5.7.1, status=bounced (host 
mx.domain.ltd[xxx.xxx.xxx.4] said: 550 5.7.1 spam2bok bla bla (in reply 
to end of DATA command))
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender 
non-delivery notification: 4L1w1y6Yk6z6c0l

May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: removed


May 16 12:08:38 smtp1 postfix/cleanup[43380]: 4L1w1y6Yk6z6c0l: 
message-id=<4L1w1y6Yk6z6c0l@smtp>
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender 
non-delivery notification: 4L1w1y6Yk6z6c0l
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y6Yk6z6c0l: from=<>, 
size=3342, nrcpt=1 (queue active)
May 16 12:08:39 smtp1 postfix/smtp/smtp[36560]: 4L1w1y6Yk6z6c0l: 
to=, relay=mx.domain.ltd[xxx.xxx.xxx.4]:25, 
delay=0.22, delays=0/0/0.05/0.17, dsn=5.7.1, status=bounced (host 
mx.domain.ltd[xxx.xxx.xxx.4] said: 550 5.7.1 spam2bok bla bla (in reply 
to end of DATA command))

May 16 12:08:39 smtp1 postfix/qmgr[33961]: 4L1w1y6Yk6z6c0l: removed
--
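
Added example (not code from the thread or from Postfix): a small Python check for the failure visible in the outgoing server's log above, where the non-delivery notification (null sender) is refused by the MX with the same reply as the original message, so the sender is never told. The log lines, queue IDs, hosts and addresses below are constructed placeholders.

```python
import re

# Constructed sample modelled on the outgoing server's log in this thread;
# queue IDs, hosts and addresses are placeholders, not the poster's values.
SAMPLE_LOG = """\
May 16 12:08:38 smtp1 postfix/qmgr[100]: AAAA1111: from=<user@example.test>, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp[101]: AAAA1111: to=<user@example.test>, relay=mx.example.test[192.0.2.4]:25, delay=0.18, dsn=5.7.1, status=bounced (host mx.example.test[192.0.2.4] said: 550 5.7.1 spam2bok bla bla (in reply to end of DATA command))
May 16 12:08:38 smtp1 postfix/bounce[102]: AAAA1111: sender non-delivery notification: BBBB2222
May 16 12:08:38 smtp1 postfix/qmgr[100]: BBBB2222: from=<>, size=3342, nrcpt=1 (queue active)
May 16 12:08:39 smtp1 postfix/smtp[103]: BBBB2222: to=<user@example.test>, relay=mx.example.test[192.0.2.4]:25, delay=0.22, dsn=5.7.1, status=bounced (host mx.example.test[192.0.2.4] said: 550 5.7.1 spam2bok bla bla (in reply to end of DATA command))
May 16 12:09:00 smtp1 postfix/qmgr[100]: CCCC3333: from=<user@example.test>, size=900, nrcpt=1 (queue active)
May 16 12:09:01 smtp1 postfix/smtp[104]: CCCC3333: to=<bad@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.3, dsn=5.1.1, status=bounced (host mx.example.net[198.51.100.7] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
May 16 12:09:01 smtp1 postfix/bounce[102]: CCCC3333: sender non-delivery notification: DDDD4444
May 16 12:09:01 smtp1 postfix/qmgr[100]: DDDD4444: from=<>, size=3000, nrcpt=1 (queue active)
May 16 12:09:02 smtp1 postfix/smtp[105]: DDDD4444: to=<user@example.test>, relay=mx.example.test[192.0.2.4]:25, delay=0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as EEEE5555)
"""

LINE = re.compile(r"postfix/[\w/-]+\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
NDR = re.compile(r"sender non-delivery notification: (?P<child>[0-9A-Za-z]+)")
FROM = re.compile(r"from=<(?P<sender>[^>]*)>")
DELIV = re.compile(r"to=<(?P<rcpt>[^>]*)>.*?status=(?P<status>\w+) \((?P<reply>.*)\)$")
SAID = re.compile(r"said: (?P<text>\d{3} .*?) \(in reply to")

def parse(log_text):
    """Return (messages by queue ID, map of original queue ID -> its NDR)."""
    msgs, ndr_of = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {"sender": None, "deliveries": []})
        if (n := NDR.match(m["rest"])):
            ndr_of[m["qid"]] = n["child"]
        elif (d := DELIV.match(m["rest"])):
            said = SAID.search(d["reply"])  # keep only the remote server's reply text
            rec["deliveries"].append((d["rcpt"], d["status"], said["text"] if said else d["reply"]))
        elif (f := FROM.match(m["rest"])):
            rec["sender"] = f["sender"]  # "" means the null envelope sender <>
    return msgs, ndr_of

def lost_bounces(log_text):
    """Find NDRs (null sender) that were themselves refused, so nobody was told."""
    msgs, ndr_of = parse(log_text)
    findings = []
    for orig, child in ndr_of.items():
        bounce = msgs.get(child)
        if not bounce or bounce["sender"] != "":
            continue
        first = {r for _, s, r in msgs[orig]["deliveries"] if s == "bounced"}
        for rcpt, status, reply in bounce["deliveries"]:
            if status == "bounced":
                findings.append({"original": orig, "bounce": child,
                                 "notify_rcpt": rcpt, "reply": reply,
                                 "same_rule": reply in first})
    return findings

if __name__ == "__main__":
    for finding in lost_bounces(SAMPLE_LOG):
        print(finding)
```

A finding with `same_rule` set means the content rule on the MX matched both the message and the notification that quotes it, which is the situation discussed in this thread.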



Re: First world problem ...

2022-05-16 Thread Matus UHLAR - fantomas

Any idea to whitelist?



On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas  wrote:
perhaps the null address at outgoing server, so you don't reject your own 
bounces



On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the outbound MTA.


On 16.05.22 14:52, natan wrote:
Maybe smart loop if then ? But I do not know if it is not 
overcomplicated and what it would look like


please explain more deeply what do your inbound and outbound mailservers 
exactly do.


perhaps explain, how did e-mail 4L1w1y6WBVz1DDmK enter your mailserver
- if you could block it the way in, you wouldn't have to generate bounce.

I guessed your incoming server is used as MX, and outgoing server for 
outbound e-mail from your clients.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.


Re: First world problem ...

2022-05-16 Thread Matus UHLAR - fantomas

Any idea to whitelist?



On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas  wrote:
perhaps the null address at outgoing server, so you don't reject your own 
bounces


On 16.05.22 22:46, Viktor Dukhovni wrote:

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the outbound MTA.


from those logs I assumed that the mail did not come through inbound server.

perhaps OP could explain what exactly those inbound and outbound servers do.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: First world problem ...

2022-05-16 Thread natan

On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas  wrote:


Any idea to whitelist?

perhaps the null address at outgoing server, so you don't reject your own 
bounces

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the outbound MTA.

Maybe smart loop if then ? But I do not know if it is not 
overcomplicated and what it would look like

--



Re: First world problem ...

2022-05-16 Thread Viktor Dukhovni
> On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas  wrote:
> 
>> Any idea to whitelist?
> 
> perhaps the null address at outgoing server, so you don't reject your own 
> bounces

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the outbound MTA.

-- 
Viktor.



Re: First world problem ...

2022-05-16 Thread Matus UHLAR - fantomas

On 16.05.22 12:33, natan wrote:

I have probably trivial problem - but I cannot resolve

I have two server
1)for outgoing
2)for incoming (typical mx)

For test i create in (incoming server) body_checks.pcre:
/alakot/ REJECT spam2bok bla bla

If i send e-mail from external (gmail, yahoo) I get info from 
Mailer-Daemon about REJECT - works fine

but if I send from my domain I don't get Mailer-Daemon:

May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: 
reject: body alakot from smtp[xxx.xxx.xxx.xxx]; 
from= to= proto=ESMTP 
helo=: 5.7.1 spam2bok bla bla
May 16 12:08:39 Mx1-node1 postfix/cleanup[45282]: 4L1w1z0zmpz1DDmn: 
reject: body alakot from smtp[xxx.xxx.xxx.]; from=<> 
to= proto=ESMTP helo=: 5.7.1 
spam2bok bla bla


Is this correct because body_check check "second time" when incoming return


yes, first time you reject the message itself and a bounce is generated, second time 
the bounce gets rejected.



Any idea to whitelist?


perhaps the null address at outgoing server, so you don't reject your own 
bounces


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


Re: First world problem ...

2022-05-16 Thread natan

On 16.05.2022 at 13:10, Wietse Venema wrote:

natan:

Hi
I have probably trivial problem - but I cannot resolve

I have two server
1)for outgoing
2)for incoming (typical mx)

For test i create in (incoming server) body_checks.pcre:
/alakot/ REJECT spam2bok bla bla

If i send e-mail from external (gmail, yahoo) I get info from
Mailer-Daemon about REJECT - works fine
but if I send from my domain I don't get Mailer-Daemon:

May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK:
reject: body alakot from smtp[xxx.xxx.xxx.xxx];
from= to= proto=ESMTP
helo=: 5.7.1 spam2bok bla bla
May 16 12:08:39 Mx1-node1 postfix/cleanup[45282]: 4L1w1z0zmpz1DDmn:
reject: body alakot from smtp[xxx.xxx.xxx.]; from=<>
to= proto=ESMTP helo=: 5.7.1 spam2bok
bla bla

Is this correct because body_check check "second time" when incoming return

Any idea to whitelist?

You included no "postconf -n" settings, so I will waste some bandwidth
with random text.

Wietse

internal_mail_filter_classes (default: empty)
What categories of Postfix-generated mail are subject to before-queue
content inspection by non_smtpd_milters, header_checks and body_checks.
Specify zero or more of the following, separated by whitespace or
comma.

bounce Inspect the content of delivery status notifications.

notify Inspect the content of postmaster notifications by the smtp(8)
   and smtpd(8) processes.

NOTE: It's generally not safe to enable content inspection of
Postfix-generated email messages. The user is warned.

This feature is available in Postfix 2.3 and later.


sorry

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 5h
broken_sasl_auth_clients = yes
compatibility_level = 2
default_destination_concurrency_limit = 100
default_destination_recipient_limit = 100
default_process_limit = 850
delay_warning_time = 0h
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_concurrency_limit = 100
lmtp_destination_recipient_limit = 1
lpolicyd = check_policy_service { unix:private/policyd-lemat3, 
timeout=4s, default_action=DUNNO }

mailbox_size_limit = 0
max_idle = 1200s
max_use = 150
maximal_queue_lifetime = 24h
message_size_limit = 146800640
myhostname = mx-node1.domain.ltd
mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32
myorigin = /etc/mailname
policy-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks 
cidr:/etc/postfix/postscreen_access.cidr 
cidr:/etc/postfix/postscreen_spf_whitelist.cidr

postscreen_blacklist_action = ignore
proxy_read_maps = $canonical_maps $lmtp_generic_maps 
$local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps 
$recipient_canonical_maps $relay_domains $relay_recipient_maps 
$relocated_maps $sender_bcc_maps $sender_canonical_maps 
$smtp_generic_maps $smtpd_sender_login_maps $transport_maps 
$virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains 
$virtual_mailbox_maps $smtpd_sender_restrictions 
$sender_dependent_relayhost_maps 
proxy:mysql:/etc/postfix/mysql_whitelist_recipient.cf

readme_directory = no
recipient_delimiter = +
smtp-amavis_destination_recipient_limit = 1
smtp_connection_reuse_time_limit = 400s
smtp_data_done_timeout = 1600s
smtp_rcpt_timeout = 900s
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 200
smtpd_client_restrictions = check_client_access 
cidr:/etc/postfix/client_checks, check_client_access 
cidr:/etc/postfix/amavis_bypass, reject_unauth_pipelining, permit
smtpd_data_restrictions = check_policy_service { inet:127.0.0.1:10040 
timeout=2s, default_action=DUNNO } reject_unauth_pipelining, 
reject_multi_recipient_bounce, permit

smtpd_enforce_tls = no
smtpd_hard_error_limit = 50
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access 
pcre:/etc/postfix/helo_access.pcre reject_unauth_pipelining, 
reject_invalid_helo_hostname reject_non_fqdn_helo_hostname 
reject_unknown_helo_hostname

smtpd_proxy_timeout = 240s
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/bad_recipients, reject_unauth_pipelining, 
reject_non_fqdn_recipient, reject_unknown_sender_domain, 
reject_unknown_recipient_domain, permit_mynetworks, 
permit_sasl_authenticated, check_client_access 
hash:/etc/postfix/whitelista, reject_unauth_destination, lpolicyd, 
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, 
check_recipient_access mysql:/etc/postfix/mysql_whitelist_recipient.cf, 
reject_invalid_hostname, check_sender_

Re: First world problem ...

2022-05-16 Thread Wietse Venema
natan:
> Hi
> I have probably trivial problem - but I cannot resolve
> 
> I have two server
> 1)for outgoing
> 2)for incoming (typical mx)
> 
> For test i create in (incoming server) body_checks.pcre:
> /alakot/ REJECT spam2bok bla bla
> 
> If i send e-mail from external (gmail, yahoo) I get info from 
> Mailer-Daemon about REJECT - works fine
> but if I send from my domain I don't get Mailer-Daemon:
> 
> May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: 
> reject: body alakot from smtp[xxx.xxx.xxx.xxx]; 
> from= to= proto=ESMTP 
> helo=: 5.7.1 spam2bok bla bla
> May 16 12:08:39 Mx1-node1 postfix/cleanup[45282]: 4L1w1z0zmpz1DDmn: 
> reject: body alakot from smtp[xxx.xxx.xxx.]; from=<> 
> to= proto=ESMTP helo=: 5.7.1 spam2bok 
> bla bla
> 
> Is this correct because body_check check "second time" when incoming return
> 
> Any idea to whitelist?

You included no "postconf -n" settings, so I will waste some bandwidth
with random text.

Wietse

internal_mail_filter_classes (default: empty)
   What categories of Postfix-generated mail are subject to before-queue
   content inspection by non_smtpd_milters, header_checks and body_checks.
   Specify zero or more of the following, separated by whitespace or
   comma.

   bounce Inspect the content of delivery status notifications.

   notify Inspect the content of postmaster notifications by the smtp(8)
          and smtpd(8) processes.

   NOTE: It's generally not safe to enable content inspection of
   Postfix-generated email messages. The user is warned.

   This feature is available in Postfix 2.3 and later.