Re: No-novice with Dovecot, but need novice-like advice (was Dovecot cracked?!)

2023-06-10 Thread Richard Troy



On Fri, 9 Jun 2023, Jochen Bern wrote:


 OH, sure, I got it down to a trickle, but these few Russian sites always
 managed to get their spam through and


(FWIW, if you can characterize the offenders by country, trying a GeoIP 
filter as a stop-gap measure sounds rather promising.)


Yes, it would; is that "a thing?" I mean, someone else has already written 
it and I just have to find and configure it?


...And THEN you get to the most interesting post I've yet gotten on this 
as I had COMPLETELY OVERLOOKED smtpd_sender_login_maps! You write:



 Give me a white-list of the ONLY accounts that can relay



I'm afraid that that's not *entirely* true [that it doesn't exist] :


 /etc/postfix# grep senderauth main.cf
 smtpd_sender_login_maps = hash:/etc/postfix/senderauth



 /etc/postfix# head -2 senderauth ; grep bern senderauth | sed -e
 's/[-a-z\.]*'"$DOMAIN/DOMAIN/g"
#  Envelope Sender:  Requires SMTP AUTH as one of:
#  actual.addr...@dom.ainuse...@dom.ain, another@else.where
 jochen.b...@domain.pawisda.de   jochen.b...@domain.de


(Also works with unspecified local part, i.e., "@some.dom.ain" for the 
left-hand side.)


Unfortunately, the correct file format is quite unclear. In my view 
neither your description nor the documentation are fully useful because 
they seem to presume a level of familiarity with lookup tables I don't 
happen to have - and/or the time to read ALL the documentation (and time 
is a scarce commodity). And, I could find no examples. ... Your excerpt 
was confusing because the head -2 should produce two lines but my email 
shows three! Further, the last line appears to have two entries, implying 
multiple entries per line are OK.


Would a plain-text file of simple one line per user entry of either 
user@domain, user, or @domain work?


BTW, I can tell right away this will eventually get "sticky" when I get to 
implementing virtual email users. However, I DO have Postgres (worked with 
the original development team at UC Berkeley in the mid '90s and 
continuously used it ever since - OH, and its marketing name is 
PostgreSQL, by the way), and already have a vested interest in using it 
for this purpose, so I wouldn't mind too much just implementing there, but 
it seems smart to just get something simple up and working now and then 
add to the config. over time.


...Further, does the "type:name" reference in the docs mean, as in 
your example of hash:filename that I could use SQL: and point it at 
some script that fetches entries from the database?


I'll try my own suggestions shortly, but a pointer to already-written 
information would be great - or your comments, too, of course!



 Combine that with a greylist type function where the usual IP addresses
 for particular users were let through, and new ones delayed, THAT would be
 awesome, too!


Please define "delayed".


I already have postgray (or is it postgrey?) and it does fine, but it's 
for reception and not sending. ...AFTER knowing someone is a valid user of 
the system and they want to send a relayed mail, but they're sending from 
an unusual IP address, THEN it'd be nice to introduce a delay that would 
make spammers not bother. How long that is? IDK... Rate-limited to one 
every 3 minutes? five minutes? Configurable? ...It's just a concept.


I get your point about the MSA port, so maybe it's more work to implement 
than it's worth. And, if the authorized-senders only issue were resolved, 
it might not be needed.


That said, a sender-based sending rate limiter wouldn't be a bad feature 
for Postfix in my view.



[Yes, I'm German, so I capitalize German nouns like German does. :-> ]


So, a 1 paragraph digression on that:

I often do that too - I've spent close to 5 years in Germany, and for a 
citizen of the USA, that's unusual. ;-) Had a German girlfriend for nearly 
10 years, so I've picked up plenty along the way. Plus, around 20% of 
English is straight German, but then you surely know that! Heck, even the 
seemingly awkward German syntax is identical to that used in old-English! 
People fluent in old-English instantly understand German syntax, but 
we're not accustomed to using it, mostly just hearing it. ...And I am 
sometimes misunderstood for just using older English forms because if any 
group struggles with knowing its own first language, it's ... Oh, 
never mind!



 And if someone tells me I'm wrong and points me at how to do these things,
 I'll fall out of my damned chair!


[promptly invents the sport of Comfy Cushion Curling]


-chuckle-


 IF we had an IMAP supported password CHANGING scheme, we'd gladly run
 encrypted passwords, but there isn't, and we haven't invented (finished
 inventing!) our own web-way to change 'em and so we're stuck with plain
 text until one of these things changes.


Your server is Linux and SSH client software has become quite available 
(PuTTY on Windows).


It's not an issue of possibility or ease but willingness to learn 
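
An added example, not part of the original thread: a small Python model of the `smtpd_sender_login_maps` source-file format and lookup order discussed above, together with the accept/reject decision that Postfix's `reject_sender_login_mismatch` restriction makes from it. The addresses, login names and `LOCAL_DOMAINS` are constructed samples, and senders are assumed to be fully qualified.

```python
import re

# Constructed sample in the source format that `postmap` compiles for hash: tables.
SENDERAUTH = """\
# Envelope sender      SASL login name(s) that own it
alice@example.org      alice
sales@example.org      alice, bob
@lists.example.org     listadmin
root                   admin
"""
LOCAL_DOMAINS = {"example.org"}  # assumption: stands in for $myorigin/$mydestination

def parse_table(text):
    """One 'key whitespace value' entry per logical line; '#' lines are comments."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading whitespace continues an entry
        else:
            logical.append(line.strip())
    table = {}
    for entry in logical:
        parts = entry.split(None, 1)
        if len(parts) == 2:  # the value is a comma/whitespace separated login list
            table[parts[0].lower()] = [n for n in re.split(r"[,\s]+", parts[1]) if n]
    return table

def owners(table, sender):
    """Lookup order: user@domain, then user (local domains only), then @domain."""
    user, _, domain = sender.lower().rpartition("@")
    keys = [f"{user}@{domain}"]
    if domain in LOCAL_DOMAINS:
        keys.append(user)
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            return table[key]
    return None

def sender_allowed(table, sender, sasl_login):
    """Model of reject_sender_login_mismatch; True means the MAIL FROM is accepted."""
    allowed = owners(table, sender)
    if sasl_login is None:
        return allowed is None  # unauthenticated clients may not use an owned address
    return allowed is not None and sasl_login in allowed
```

With a real `hash:` table the source file is compiled with `postmap` after every change, and the map is only enforced once a restriction such as `reject_sender_login_mismatch` is listed in the smtpd restrictions. A `pgsql:` table answers the same keys with the same login list, and its name points at a query configuration file rather than a script.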

Re: dovecot with sieve vacation plugin

2023-06-10 Thread dovecot--- via dovecot

Why convert/alias a...@aaa.com to b@bbb.local?
Why not setup dovecot to have a mailbox and receive mail for
a...@aaa.com, allowing sieve to run for a...@aaa.com, and users login as
a...@aaa.com on IMAP to check their mail?


That would work if users only had one alias, but they don't - they have
several aliases.



On my system I am using virtual accounts in postfix with virtual_mailbox_maps.
For user alias I'm using postfix virtual_alias_maps.

u...@example.com is a mailbox someone can login to IMAP with.
They have al...@example.com -> u...@example.com with the alias map.

If someone sends an email to al...@example.com it ends up in the 
u...@example.com inbox via LMTP

  Jun 10 13:38:23 postfix/lmtp[1953783]: 4QdlXt4pn1z7Vv0h: to=, orig_to=, relay=smtp.example.com[private/dovecot-lmtp], delay=2.1, delays=1.7/0.01/0/0.44, dsn=2.0.0, status=sent (250 2.0.0  N9ypKw61hGTzxB0AbpFOwA Saved)

For sieve plugin I have in dovecot.conf:

  sieve_vacation_use_original_recipient = no
  sieve_vacation_dont_check_recipient = no
  sieve_vacation_send_from_recipient = no
  sieve_redirect_envelope_from = sender
  sieve_user_email = %u

And as a sieve rule I have:

  require ["vacation"];
  # rule:[Out of Office]
  if true {
    vacation :days 1 :addresses ["u...@example.com","al...@example.com"] :subject "TEST - Out of Office" "This is a test reply for the out of office auto responder.";
  }

This works for me. If someone sends an email to al...@example.com they will receive 
an auto reply with the From: header as al...@example.com and the envelope-from as 
<> which end users won't see.
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: dovecot with sieve vacation plugin

2023-06-10 Thread spi




Why convert/alias a...@aaa.com to b@bbb.local?
Why not setup dovecot to have a mailbox and receive mail for
a...@aaa.com, allowing sieve to run for a...@aaa.com, and users login as
a...@aaa.com on IMAP to check their mail?


That would work if users only had one alias, but they don't - they have
several aliases.


Just to make sure that the vacation plugin works at all I set up a new
user with just one mail address x...@aaa.com. Vacation replies get sent as
long as "sieve_vacation_send_from_recipient = yes" is configured in
dovecot.conf (my postfix uses different relay hosts).

As said I can't just change users' mail addresses to external ones as
they are using several aliases. And I would prefer to use
"sieve_vacation_send_from_recipient = no" (due to bounces). I wonder if
there is a way to tell postfix to choose a relay host for the vacation
replies based on the From: address (which is set by the sieve vacation
plugin) rather than the "mail from" address.


--
Cheers
spi



Re: dovecot with sieve vacation plugin

2023-06-10 Thread spi



Am 09.06.23 um 20:13 schrieb dovecot--- via dovecot:

postfix (*) presents the right "rcpt to a...@aaa.com" to the milter filter,
but sieve only sees the internal b@bbb.local.


Why convert/alias a...@aaa.com to b@bbb.local?
Why not setup dovecot to have a mailbox and receive mail for
a...@aaa.com, allowing sieve to run for a...@aaa.com, and users login as
a...@aaa.com on IMAP to check their mail?


That would work if users only had one alias, but they don't - they have
several aliases.


--
Cheers
spi
