On Mon, 6 Jul 2020 at 10:34, Robert Chalmers (Author) wrote:
> I’m getting lots and lots of these types of login attempts;
> and I’m wondering if there is some way - other than what I have - of blocking
> them, or automatically adding their IP to a list that I have for
> pfctl.
I also use Dovec
On Tue, Jul 07, 2020 at 03:15:22AM +, Sebby, Brian A. wrote:
> In our environment, we have two Postfix mail servers where server1
> will forward some messages to server2. We first upgraded server1 to
> 3.3.1, and then later upgraded server2, but I found that Postfix
> didn’t start sending the
We recently migrated a few of our mail servers from RHEL 6 with Postfix 2.6.6,
to RHEL 8 with Postfix 3.3.1. I noticed a change in behavior after we
upgraded, and I wondered if anyone had any insight into the change. Before,
while Postfix would send undeliverable messages from MAILER-DAEMON or
On 6 Jul 2020, at 3:33, Robert Chalmers (Author) wrote:
I’m getting lots and lots of these types of login attempts;
warning: unknown[45.125.65.52]: SASL LOGIN authentication failed:
UGFzc3dvcmQ6 (postfix log)
Info: pam(s...@robert-chalmers.uk,45.125.65.52): unknown user (given
On Mon, Jul 06, 2020 at 02:13:44PM -0700, PGNet Dev wrote:
> If I've got to do the full build ANYWAY, in order to build & 'get' the
> db plugin to install alongside the distro-pkg'd, lmdb-less, postfix
> install -- there's really no point :-/
Well, Fedora 31 does provide separate packages for mul
On 7/6/20 2:38 PM, Wietse Venema wrote:
> The plugin MUST be built with the exact same source code
That I figured.
> and the
> exact same compiler options that Postfix was built with.
that hadn't dawned on me yet.
> If there are differences then you end up with a Frankenstein monster
> with par
On 06/07/2020 20:53, Viktor Dukhovni wrote:
On Mon, Jul 06, 2020 at 07:40:27PM +, Drew Tomlinson wrote:
I use postfix for my own domain and have been forwarding my email to
outlook.com for years. Recently, email has just been disappearing
between my server and my inbox so I set it to for
PGNet Dev:
> what i was digging around about was whether it was possible to
> build/extract/install just the plugin ... in a similar manner to
> phpize/compile (or pear or pecl install) a php plugin.
>
> i.e. --- lazy person's "just the plugin" install.
>
> seems N/A for F32 (that's a different
>> Various OS distributions build separate packages for the Postfix
>> database table drivers. For example, in Fedora 31:
>>
>> $ rpm -qf /usr/lib64/postfix/postfix-cdb.so
>> postfix-cdb-3.4.13-1.fc31.x86_64
>>
>> I don't see a similar package for lmdb in Fedora 31, but there is
>> for exa
On 06 Jul 2020, at 11:06, Robert Chalmers wrote:
> No to the first.
> I’m not missing any by grepping ‘unknown’ - if they are unknown users
They are not, that is not what "unknown" means on that log line.
Also, your attempt to match IP addresses over matches other numbers.
In this text
version
On 7/6/20 11:01 AM, Viktor Dukhovni wrote:
> Various OS distributions build separate packages for the Postfix
> database table drivers. For example, in Fedora 31:
>
> $ rpm -qf /usr/lib64/postfix/postfix-cdb.so
> postfix-cdb-3.4.13-1.fc31.x86_64
>
> I don't see a similar package for lm
On Mon, Jul 06, 2020 at 07:40:27PM +, Drew Tomlinson wrote:
> I use postfix for my own domain and have been forwarding my email to
> outlook.com for years. Recently, email has just been disappearing
> between my server and my inbox so I set it to forward my email to
> gmail.com. Shortly afte
I use postfix for my own domain and have been forwarding my email to
outlook.com for years. Recently, email has just been disappearing between my
server and my inbox so I set it to forward my email to gmail.com. Shortly
after, I saw some messages like these in the logs:
Jul 6 11:01:1
On 6 Jul 2020, at 13:06, Robert Chalmers wrote:
No to the first.
I’m not missing any by grepping ‘unknown’ - if they are unknown
users I don’t even want them in my system.
When postfix puts "unknown" before an IP in square brackets such as:
unknown[45.125.65.52]
then the "unknown" refer
On July 6, 2020 6:01:28 PM UTC, Viktor Dukhovni
wrote:
>On Mon, Jul 06, 2020 at 10:13:11AM -0700, PGNet Dev wrote:
>
>> I build/use Postfix with LMDB. Works great.
>>
>> Looking at distro packages, don't always find LMDB support compiled
>in.
>>
>> I can certainly rebuild my own, but wanted
On Mon, Jul 06, 2020 at 10:13:11AM -0700, PGNet Dev wrote:
> I build/use Postfix with LMDB. Works great.
>
> Looking at distro packages, don't always find LMDB support compiled in.
>
> I can certainly rebuild my own, but wanted to check first:
Various OS distributions build separate packages fo
On 7/6/20 10:32 AM, Wietse Venema wrote:
> You can build plugins separately from Postfix, but it will not be
> supported.
noted, and found it I believe:
http://www.postfix.org/INSTALL.html#build_dll
will give it a whirl ...
thx
PGNet Dev:
> I build/use Postfix with LMDB. Works great.
>
> Looking at distro packages, don't always find LMDB support compiled in.
>
> I can certainly rebuild my own, but wanted to check first:
>
> Reading
>
> http://www.postfix.org/LMDB_README.html
> "To build Postfix with LMDB s
I build/use Postfix with LMDB. Works great.
Looking at distro packages, don't always find LMDB support compiled in.
I can certainly rebuild my own, but wanted to check first:
Reading
http://www.postfix.org/LMDB_README.html
"To build Postfix with LMDB support, use something like
>
> if your filter is on a separate host, why does it reply with the same
> hostname?
>
Because it replies with what it received. It just passes everything from
its input to its output, except for the DATA which goes via filters.
it's basically this: https://github.com/jnorell/smtpprox
Oh, and I could show the log of multiple passwords being tried from the same
address.
-
Robert Chalmers
https://robert-chalmers.uk
https://robert-chalmers.com
@R_A_Chalmers
> On 6 Jul 2020, at 6:00 pm, Jerry wrote:
>
> On Mon, 06 Jul 2020 17:58:08 +0200, Benny Pedersen stated:
>> Jerry
No to the first.
I’m not missing any by grepping ‘unknown’ - if they are unknown users I don’t
even want them in my system.
Yes, it’s very strict. You have a login or you don’t. Easy.
-
Robert Chalmers
https://robert-chalmers.uk
https://robert-chalmers.com
@R_A_Chalmers
> On 6 Jul 2020, at
On Mon, 06 Jul 2020 17:58:08 +0200, Benny Pedersen stated:
>Jerry skrev den 2020-07-06 17:31:
>
>>
>> bzgrep -e auth=0/1 "/var/log/maillog" | sed
>> 's/.*\[\([^]]*\)\].*/\1/g' | sort -V | uniq > "/tmp/Bad_IP.txt"
>>
>
>sort | uniq vs sort -u, one less pipe
>
>so "sort -uV" can replace one pipe
On 06.07.20 16:51, Robert Chalmers (Author) wrote:
That’s pretty good Jerry, thanks.
A much reduced list of bad ips
ever tried to run fail2ban?
On 6 Jul 2020, at 16:31, Jerry wrote:
I was using this in a script I wrote. It seemed to work correctly.
bzgrep -e auth=0/1 "/var/log/maillog" |
Still worth documenting?
It is more effective to show an example with port 10025,
On 06.07.20 17:17, Alf Vark wrote:
It wasn't obvious to me that using port 25 invoked different behaviour.
Because my filter is on a separate host,
if your filter is on a separate host, why does it reply wit
Alf Vark:
>
>
> >> Still worth documenting?
> >
> > It is more effective to show an example with port 10025,
> > than to talk about Postfix loop detection
> It wasn't obvious to me that using port 25 invoked different behaviour.
Your mistake is extremely rare. If I added extremely rare mistake
Robert Chalmers:
> Thanks, but I have no idea what you mean. Sorry.
auth=0/1 means that the client tried to login once with SASL and
succeeded zero times. That's how you detect if a client is trying
out passwords.
Wietse
>
> -
> Robert Chalmers
> https://robert-chalmers.uk
>> Still worth documenting?
>
> It is more effective to show an example with port 10025,
It wasn't obvious to me that using port 25 invoked different behaviour.
Because my filter is on a separate host, keeping the SMTP track on 25
seemed to make sense to me as a non-expert in this field. Read
Robert Chalmers (Author) skrev den 2020-07-06 17:58:
From what I’m looking at, both these achieve much the same thing
Mine: A much longer list… but still unknowns.
grep unknown /var/log/postfix.log | grep -E -o
"([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq > output.txt
this includes clients
From what I’m looking at, both these achieve much the same thing
Mine: A much longer list… but still unknowns.
grep unknown /var/log/postfix.log | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
| sort -n | uniq > output.txt
Pretty good… from Jerry. Very nice and very short list of unknowns.
bzgrep
Jerry skrev den 2020-07-06 17:31:
bzgrep -e auth=0/1 "/var/log/maillog" | sed 's/.*\[\([^]]*\)\].*/\1/g'
| sort -V | uniq > "/tmp/Bad_IP.txt"
sort | uniq vs sort -u, one less pipe
so "sort -uV" can replace one pipe
That’s pretty good Jerry, thanks.
A much reduced list of bad ips
robert
> On 6 Jul 2020, at 16:31, Jerry wrote:
>
> On Mon, 6 Jul 2020 11:06:17 -0400 (EDT), Wietse Venema stated:
>> Robert Chalmers (Author):
>>>
>>>
>>> Such as this one?
>>>
>>> Jul 06 08:10:03 www postfix/smtpd[6155]: disc
Thanks Jerry,
That looks good.
-
Robert Chalmers
https://robert-chalmers.uk
https://robert-chalmers.com
@R_A_Chalmers
> On 6 Jul 2020, at 4:32 pm, Jerry wrote:
>
> On Mon, 6 Jul 2020 11:06:17 -0400 (EDT), Wietse Venema stated:
>> Robert Chalmers (Author):
>>>
>>>
>>> Such as this one?
Thanks, but I have no idea what you mean. Sorry.
-
Robert Chalmers
https://robert-chalmers.uk
https://robert-chalmers.com
@R_A_Chalmers
> On 6 Jul 2020, at 4:07 pm, Wietse Venema wrote:
>
> Robert Chalmers (Author):
>>
>>
>> Such as this one?
>>
>> Jul 06 08:10:03 www postfix/smtpd[61
On Mon, 6 Jul 2020 11:06:17 -0400 (EDT), Wietse Venema stated:
>Robert Chalmers (Author):
>>
>>
>> Such as this one?
>>
>> Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from
>> unknown[45.125.65.52] ehlo=1 auth=0/1 quit=1 commands=2/3
>
>Like Benny writes, you need to trigger on the auth=x
Jan Ceuleers:
> On 06/07/2020 15:23, Wietse Venema wrote:
> > MTA service is on port 25. Other ports don't count as MTA service,
> > therefore loop detection does not apply.
> Still worth documenting?
It is more effective to show an example with port 10025, than to
talk about Postfix's loop detect
Robert Chalmers (Author):
>
>
> Such as this one?
>
> Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from
> unknown[45.125.65.52] ehlo=1 auth=0/1 quit=1 commands=2/3
Like Benny writes, you need to trigger on the auth=x/y part, not
the client hostname.
Wietse
> So I have anyway wri
On 06/07/2020 15:23, Wietse Venema wrote:
> MTA service is on port 25. Other ports don't count as MTA service,
> therefore loop detection does not apply.
Still worth documenting?
Robert Chalmers (Author) skrev den 2020-07-06 15:38:
Such as this one?
Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from
unknown[45.125.65.52] ehlo=1 auth=0/1 quit=1 commands=2/3
So I have anyway written this to find them
sudo grep unknown /var/log/postfix.log | grep -E -o
"([0-9]{1,3}[\.]
Such as this one?
Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from unknown[45.125.65.52]
ehlo=1 auth=0/1 quit=1 commands=2/3
So I have anyway written this to find them
sudo grep unknown /var/log/postfix.log | grep -E -o
"([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq > output.txt
Ta
Robert Chalmers (Author):
>
> I’m getting lots and lots of these types of login attempts;
>
> warning: unknown[45.125.65.52]: SASL LOGIN authentication failed:
> UGFzc3dvcmQ6 (postfix log)
> Info: pam(s...@robert-chalmers.uk,45.125.65.52): unknown user (given
> password: sale01)
Alf Vark:
> >
> > Postfix implements loop detection on port 25. If you run your filter
> > on an alternate port, the HELO name will not be a problem.
> >
>
> Confirmed!
>
> Do the docs mention that difference? I must have missed it. Thanks for
> the pointer.
Apply common sense.
Postfix cares
>
> Postfix implements loop detection on port 25. If you run your filter
> on an alternate port, the HELO name will not be a problem.
>
Confirmed!
Do the docs mention that difference? I must have missed it. Thanks for
the pointer.
I’m getting lots and lots of these types of login attempts;
warning: unknown[45.125.65.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
(postfix log)
Info: pam(s...@robert-chalmers.uk,45.125.65.52): unknown user (given password:
sale01)(dovecot log)
and I’m wondering
On Mon, Jul 06, 2020 at 08:17:16AM +0100, Alf Vark wrote:
> Like this:
>
> msg --> postfix(25) --> filter(25) --> postfix(10025) --> mailbox
Postfix implements loop detection on port 25. If you run your filter
on an alternate port, the HELO name will not be a problem.
--
Viktor.
I have a small content filter in my very basic Postfix installation.
The content filter is a proxy based on smtpprox[1] that modifies the
message content (the DATA part of the message). Postfix and the filter
are on different hosts. I found smtpprox via a link on the
smtpd_proxy_readme page.
[1]