On 31/03/2016 5:34 PM, /dev/rob0 wrote:
BTW, regarding the apology, thanks. It wasn't my thread, but indeed
all of us who use threaded mail readers are affected by "thread
hijacking."
Now a few comments about your config, one of which is a serious
problem ...
On Thu, Mar 31, 2016 at 01:32:02PM -0400, John Allen wrote:
As I expect local user to use submission for sending (as a result
mynetworks is 127.0.0.1 & ::1/128) do I need specify
postscreen_access_list?
I use that to whitelist one site (affiliated with us) and to block
certain undesirable ESP services.
As postscreen does dnsbl lookups do I still need the
reject_rbl_client entries in smtpd_recipient_restrictions? Do the
latter entries do more than the dnsbl entries?
Postscreen is a scoring system; reject_rbl_client is outright
rejection for a DNSBL hit. It does not hurt to leave them in if
you're sure you don't want any mail from any host on that list. I
keep a "reject_rbl_client zen.spamhaus.org" in my restrictions, and
then I have an insanely complex mess of restriction classes which
might call other DNSBLs based on recipient domain.
My postscreen setup would be something like:
# postscreen_access_list = permit_mynetworks #### do I need this
I have a cidr: lookup there.
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
Wietse covered this also: maybe premature on enabling this?
postscreen_blacklist_action = drop
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3
bl.spameatingmonkey.net*2
bl.ipv6.spameatingmonkey.net*2
dnsbl.ahbl.org*2
BZZZZZZZZZZZZZZZZ! No! Absolutely not!!
AHBL is closed and now lists the entire IPv4 Internet space.
BTW I updated my HOWTO, but you seem to be using the old version.
New version is here:
http://rob0.nodns4.us/postscreen.html
"...
Last updated: 2016-01-16
Last changes: updated for Postfix 2.11+, removed AHBL. The previous
version of this document, which did NOT require Postfix 2.11+, can be
seen here: postscreen-old.html, with AHBL left intact! (Let this
serve as a lesson to those who follow online howto documents without
reading and understanding them.)
"
bl.spamcop.net
dnsbl.sorbs.net
swl.spamhaus.org*-4
Spamhaus SWL does not list very many hosts. I really do recommend
DNSWL.org (and use it for bypassing the after-220 tests with
"postscreen_dnsbl_whitelist_threshold=-1".
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
The first two are deprecated syntax, *_helo_hostname
reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_unauth_destination, reject_unknown_reverse_client_hostname,
check_recipient_access pcre:/etc/postfix/maps/recipient_checks.pcre,
check_recipient_access hash:/etc/postfix/maps/recipient_checks,
check_helo_access pcre:/etc/postfix/maps/helo_checks.pcre,
check_sender_access hash:/etc/postfix/maps/sender_checks,
check_policy_service inet:127.0.0.1:10023, reject_rbl_client
zen.spamhaus.org, reject_rbl_client bl.spamcop.net
I wouldn't reject on Spamcop. It's an automated list, and the
Spamcop folks will tell you it's best when used in a scoring system.
Your mail, so it's up to you, of course.
Thanks for the heads up on /dnsbl.ahbl.org/. I don't remember reading
your "how to", had I done so it would probably have saved me some time
and head scratching.
The list I had proposed was an amalgam of many of the articles I had read.
What I arrived at is:
b.barracudacentral.org=127.0.0.2*7
dnsbl.inps.de=127.0.0.2*7
zen.spamhaus.org=127.0.0.10*8
zen.spamhaus.org=127.0.0.11*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4
list.dnswl.org=127.0.[0..255].3*-5
bl.mailspike.net=127.0.0.2*5
bl.mailspike.net=127.0.0.10*4
bl.mailspike.net=127.0.0.11*4
bl.mailspike.net=127.0.0.12*4
wl.mailspike.net=127.0.0.18*-2
wl.mailspike.net=127.0.0.19*-2
wl.mailspike.net=127.0.0.20*-2
dnsbl.sorbs.net=127.0.0.10*8
dnsbl.sorbs.net=127.0.0.5*6
dnsbl.sorbs.net=127.0.0.7*3
dnsbl.sorbs.net=127.0.0.8*2
dnsbl.sorbs.net=127.0.0.6*2
dnsbl.sorbs.net=127.0.0.9*2
But as I did not understand it or its syntax i decided to use the list
that L.P.H van Belle used in his February posting.
I will at some future date take a closer look at it.
======== new main.cf
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_size_limit = 65536
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 20
delay_warning_time = 12h
disable_vrfy_command = yes
header_size_limit = 32768
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_protocols = ipv4, ipv6
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 32768000
mime_header_checks = pcre:/etc/postfix/maps/mime_header_checks.pcre
mydestination = localhost, localhost.localdomain, localdomain
mydomain = klam.ca
myhostname = smtp.$mydomain
mynetworks = 127.0.0.0/8, [::1]/128
myorigin = $mydomain
postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = drop
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 bl.ipv6.spameatingmonkey.net*2
dnsbl.anonmails.de
dnsbl.kempt.net dnsbl.inps.de bl.spamcop.net dnsbl.sorbs.net
psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 bl.suomispam.net
bad.psky.me
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_greet_action = enforce
postscreen_helo_required = yes
postscreen_use_tls = $smtpd_use_tls
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/maps/relocated
smtp_dns_support_level = dnssec
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS,
kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, check_helo_access
pcre:/etc/postfix/maps/helo_checks.pcre
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, check_recipient_access
pcre:/etc/postfix/maps/recipient_checks.pcre, check_recipient_access
hash:/etc/postfix/maps/recipient_checks, check_policy_service
inet:127.0.0.1:10023,
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain, check_sender_access
hash:/etc/postfix/maps/sender_checks
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_key_file = /root/ssl/private/$mydomain.mail.key
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/maps/transport
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/virtual_alias_map.sql,
proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_map.sql
virtual_mailbox_domains =
proxy:pgsql:/etc/postfix/sql/virtual_domain_map.sql
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/virtual_mailbox_map.sql,
proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_mailbox_map.sql
virtual_transport = lmtp:unix:private/dovecot-lmtp
====new master.cf
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
-o cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup
-o cleanup_service_name=pre-cleanup
submission inet n - n - 30 smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10026
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/dovecot-auth
-o smtpd_sasl_local_domain=$mydomain
-o broken_sasl_auth_clients=yes
-o smtpd_sasl_authenticated_header=yes
-o smtpd_client_restrictions=
-o smtpd_data_restrictions=
-o smtpd_etrn_restrictions=reject
-o smtpd_helo_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
-o smtpd_client_connection_count_limit=15
-o smtpd_client_connection_rate_limit=80
-o smtpd_delay_reject=yes
-o cleanup_service_name=pre-cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
-o smtp_bind_address=74.116.186.178
-o smtp_bind_address6=2606:6d00:100:4301::1:200
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
smtp-amavis unix - - n - 4 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o smtp_tls_note_starttls_offer=no
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o mynetworks=127.0.0.0/8
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_relay_restrictions=permit_mynetworks,reject
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o local_header_rewrite_clients=
-o local_recipient_maps=
-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o smtpd_tls_security_level=none
-o local_recipient_maps=
-o relay_recipient_maps=
pre-cleanup unix n - n - 0 cleanup
-o virtual_alias_maps=
cleanup unix n - n - 0 cleanup
-o mime_header_checks=
-o nested_header_checks=
-o header_checks=
-o body_checks=
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
I into a problem when I first tried this config because the
/smtpd_client _restrictions/ in main.cf started
with/reject_unknown_reverse_client_hostname/ which I seem to have solved
by including a null smtpd_client_restriction in the submission info.
THNX
john A
