Postfix plain text authentication with SASL

2011-06-08 Thread Suresh Kumar Prajapati
Hi,

Can anyone help me setting postfix plain authentication with SASL.
I've spent a complete week on this already.
Any help appreciated.
-- 
Best Regards,
Suresh Kumar Prajapati
Linux Security Admin
E-mail: er.sureshprajap...@gmail.com

Pencils could be made with erasers at both ends, but what would be the
point?


Re: Postfix plain text authentication with SASL

2011-06-08 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati er.sureshprajap...@gmail.com:
 Can anyone help me setting postfix plain authentication with SASL.
 I've spent a complete week on this already.
 Any help appreciated.

Sure. Send debug output as required by Postfix debug readme and I will help
you.

p@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/


Re: Postfix plain text authentication with SASL

2011-06-08 Thread Erwan Loaëc

Hello,

Just to save you some more time, if your mailserver is behind a cisco 
asa/pix firewall, you should check this thread:


http://www.mail-archive.com/postfix-users@postfix.org/msg01896.html

--
Erwan

Suresh Kumar Prajapati wrote:


Hi,

Can anyone help me setting postfix plain authentication with SASL.
I've spent a complete week on this already.
Any help appreciated.
--
Best Regards,
Suresh Kumar Prajapati
Linux Security Admin
E-mail: er.sureshprajap...@gmail.com

Pencils could be made with erasers at both ends, but what would be the 
point?


Re: Postfix plain text authentication with SASL

2011-06-08 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati er.sureshprajap...@gmail.com:
 here is the output from saslfinger command.
 
 saslfinger - postfix Cyrus sasl configuration Wed Jun  8 11:42:39 MSD 2011
 version: 1.0.2
 mode: server-side SMTP AUTH
 
 -- basics --
 Postfix: 2.3.3
 System: CentOS release 5.6 (Final)
 
 -- smtpd is linked to --
 libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00a25000)
 
 -- active SMTP AUTH and TLS parameters for smtpd --
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = domain.com
 smtpd_sasl_path = smtpd
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_type = cyrus


smtpd_sasl_path, smtpd_sasl_security_options and smtpd_sasl_type are at their
defaults. No need to set them explicitly.

 -- listing of /usr/lib/sasl2 --
 total 3072
 drwxr-xr-x  2 root root   4096 Jun  7 15:00 .
 drwxr-xr-x 36 root root  20480 Jun  7 14:43 ..
 -rwxr-xr-x  1 root root    884 Mar 17  2010 libanonymous.la
 -rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so
 -rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2
 -rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2.0.22
 -rwxr-xr-x  1 root root    870 Mar 17  2010 libcrammd5.la
 -rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so
 -rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2
 -rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2.0.22
 -rwxr-xr-x  1 root root    893 Mar 17  2010 libdigestmd5.la
 -rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so
 -rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2
 -rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2.0.22
 -rwxr-xr-x  1 root root    856 Mar 17  2010 liblogin.la
 -rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so
 -rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2
 -rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2.0.22
 -rwxr-xr-x  1 root root    856 Mar 17  2010 libplain.la
 -rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so
 -rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2
 -rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2.0.22
 -rwxr-xr-x  1 root root    930 Mar 17  2010 libsasldb.la
 -rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so
 -rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2
 -rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2.0.22
 -rw-r--r--  1 root root     25 Mar 31  2010 Sendmail.conf
 -rw-r--r--  1 root root     50 Jun  7 15:00 smtpd.conf
 -rw-r--r--  1 root root     64 Jun  7 14:19 smtpd.conf.rpmsave

Remove /usr/lib/sasl2/smtpd.conf and /usr/lib/sasl2/smtpd.conf.rpmsave.

 -- listing of /var/lib/sasl2 --
 total 12
 drwxr-xr-x  2 root root 4096 Jun  7 13:32 .
 drwxr-xr-x 17 root root 4096 Jun  7 13:32 ..
 -rw-r--r--  1 root root  105 Jun  7 13:32 smtpd.conf

Remove /var/lib/sasl2/smtpd.conf


 -- listing of /etc/sasl2 --
 total 16
 drwxr-xr-x  2 root root    4096 Jun  7 15:19 .
 drwxr-xr-x 54 root postfix 4096 Jun  8 04:01 ..
 -rw-r--r--  1 root root  91 Jun  7 15:19 smtpd.conf
 -rw-r--r--  1 root root  99 Jun  7 10:10 smtpd.conf.bak

Keep (only) /etc/sasl2/smtpd.conf


 -- content of /etc/sasl2/smtpd.conf --
 saslauthd_path: /var/run/saslauthd/mux
  pwcheck_method: saslauthd
  mech_list: plain login

Reduce /etc/sasl2/smtpd.conf to this:

pwcheck_method: saslauthd
mech_list: plain login

Make sure there's neither beginning nor trailing whitespace.


 -- active services in /etc/postfix/master.cf --
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #   (yes)   (yes)   (yes)   (never) (100)
 21  inet  n   -   n   -   -   smtpd -o
 smtpd_sasl_auth_enable=yes

The line above won't work if it is formatted like this in your master.cf.
Do you need a service called 21?

I'm missing a line that defines the Postfix smtp server instance. Please add this:

smtp  inet  n   -   n   -   -   smtpd


How do you run saslauthd? Can you post ps axf | grep saslauthd?

p@rick



-- 
state of mind ()
Digital Communication

http://www.state-of-mind.de

Franziskanerstraße 15          Phone +49 89 3090 4664
81669 München                  Fax   +49 89 3090 4666

Amtsgericht München, Partnerschaftsregister PR 563
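Two checks that belong next to the debugging above, as an added example that is not part of this thread or of saslfinger. The first builds the base64 token a client sends for AUTH PLAIN (RFC 4616: authorization id, NUL, authentication id, NUL, password), which is what you paste after `AUTH PLAIN` when testing the finished setup by hand. The second classifies how a server advertises AUTH from its EHLO replies before and after STARTTLS: PLAIN and LOGIN carry the password protected by nothing but base64, so a server that offers them on a cleartext session hands credentials to anyone on the path; the Postfix control for that is `smtpd_tls_auth_only = yes`. The EHLO transcripts, hostnames and credentials in the block are constructed; `live_check` needs network access and a server you are allowed to probe.

```python
"""SASL PLAIN token and AUTH-over-cleartext check; see the lead-in for assumptions."""
import base64
import re
import smtplib
from typing import Dict, List, Optional

# Optional "250-" / "250 " reply-code prefix on a raw EHLO line.
_CODE_PREFIX = re.compile(r"^\d{3}[ -]")

# Constructed EHLO transcripts for offline use (not captured from any real host).
EHLO_CLEARTEXT = (
    "250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
)
EHLO_NO_AUTH = "250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_IN_TLS = "250-mail.example.com\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"


def plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """Base64 of authzid NUL authcid NUL passwd, the AUTH PLAIN initial response.

    Equivalent to: printf '\\0user\\0pass' | base64
    """
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Turn a multi-line EHLO reply into {KEYWORD: [parameters]}.

    Accepts raw wire lines ("250-AUTH PLAIN LOGIN") and the form smtplib
    returns with the reply code stripped. The first line is the greeting.
    """
    lines = [_CODE_PREFIX.sub("", ln.strip()) for ln in reply.splitlines() if ln.strip()]
    features: Dict[str, List[str]] = {}
    for line in lines[1:]:
        parts = line.split()
        features[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return features


def auth_exposure(ehlo_plain: str, ehlo_after_tls: Optional[str]) -> str:
    """Classify how a password would travel to this server.

    'cleartext': AUTH offered before STARTTLS (password readable on the wire)
    'tls-only' : AUTH offered only inside TLS (smtpd_tls_auth_only = yes)
    'none'     : AUTH never offered (SASL disabled or misconfigured)
    """
    before = parse_ehlo(ehlo_plain).get("AUTH", [])
    after = parse_ehlo(ehlo_after_tls).get("AUTH", []) if ehlo_after_tls else []
    if before:
        return "cleartext"
    if after:
        return "tls-only"
    return "none"


def live_check(host: str, port: int = 25) -> str:
    """Connect to a real server, EHLO, upgrade to TLS if offered, EHLO again."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _, first = smtp.ehlo()
        second = None
        if smtp.has_extn("starttls"):
            smtp.starttls()
            _, second = smtp.ehlo()
        return auth_exposure(first.decode("utf-8", "replace"),
                             second.decode("utf-8", "replace") if second else None)
```

Run `live_check("your.submission.host", 587)` against your own server once saslauthd is answering; the result you want is `tls-only`. The saslauthd side itself can be exercised independently with `testsaslauthd -u user -p pass -s smtp`, which bypasses Postfix and tells you whether the mux socket and backend are working.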



virtual aliases and unlisted email addresses

2011-06-08 Thread Patrick Proniewski
Hello,

I'm currently using two postfix servers. One is the MX server; it does 
grey/blacklisting, content filtering, and forwards accepted emails to a second 
server. The second postfix (let's call it MailGW) does virtual aliasing, and 
delivery according to a transport map.

Currently, an email coming from outside for one of our domains enters MX, is 
transferred to MailGW where its recipient addresses are converted (most of the 
time) to someth...@mail.univ-lyon2.fr and forwarded via transport map to the 
final destination servers.

Soon, our final destination servers will change (to Google Apps servers). 
For a few months, we will have to provide double delivery. Unfortunately, 
Google servers will receive emails for the domain univ-lyon2.fr. So the 
virtual aliases map will look something like this:

public-addr...@univ-lyon2.fr    u...@mail.univ-lyon2.fr, public-addr...@univ-lyon2.fr
some-al...@univ-lyon2.fr        u...@mail.univ-lyon2.fr, public-addr...@univ-lyon2.fr
...

and transport map will look like this:

mail.univ-lyon2.fr  smtp:[final destination servers]
univ-lyon2.fr  smtp:ASPMX.L.GOOGLE.COM
...

That's not pretty, but it works.
 
After the period of double delivery is over, we will deliver emails only to 
Google servers. So the virtual aliases map will look like:

public-addr...@univ-lyon2.fr    public-addr...@univ-lyon2.fr
some-al...@univ-lyon2.fr        public-addr...@univ-lyon2.fr
...

The first line looks pretty silly to me. Is there any way to tell that 
addresses not listed in the virtual aliases map are to be forwarded as is?

Thanks,

Patrick PRONIEWSKI
-- 
Administrateur Système - DSI - Université Lumière Lyon 2



Error message for a couple of mails : lost connection ...

2011-06-08 Thread Barchfeld , Andreas
Hello,

for around 5% of our outgoing mails we get the message:
lost connection with mail-provider while sending end of data -- message 
may be sent more than once

All mails go through our mail provider.

There are no dependencies on the size of the mail or the mail address. It takes 
a few hours, then the mails are sent. Unfortunately, from these mails, some 
mails are sent two or three times - as the message says.


# cat /proc/sys/net/ipv4/tcp_window_scaling
0

# cat /proc/sys/net/ipv4/tcp_timestamps
0

# cat /proc/sys/net/ipv4/tcp_sack
1

MTU = 1500

# cat /proc/sys/net/core/[rw]mem_max
256960
256960

# cat /proc/sys/net/core/[rw]mem_default
256960
256960

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 200
mail_owner = postfix
mailbox_command = /usr/bin/procmail -a $USER
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 35389440
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, 
kinderkrankenhaus.net
mydomain = akk.local
myhostname = postfix.akk.local
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = smtp.1und1.de
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_xfer_timeout = 600
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_pwds
smtp_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550


Firewall: FortiGate 110C


Many thanks in advance.

Andreas Barchfeld


**
 
 AKK Altonaer Kinderkrankenhaus gGmbH
 Academic teaching hospital of the University of Hamburg
 Management: Christiane Dienhold
 Registry court: Amtsgericht Hamburg HRB 87427  Registered office: Hamburg
 HSH Nordbank AG - bank code 210 500 00 - account number 1000103405
 
**
 
 This E-Mail contains confidential and/or proprietary information. If 
 you are not the intended recipient, or if you received the E-Mail by 
 mistake, we ask you to notify the sender immediately and destroy this 
 E-Mail. The unauthorized reproduction or distribution of this E-Mail is 
 prohibited.
  
**




Re: Anyone run Postfix in FreeBSD jails environment?

2011-06-08 Thread Martin Schütte
On 06/08/11 06:09, Frank Bonnet wrote:
 Is anyone running postfix in a FreeBSD jails environment
 with success on a production server? I'm thinking of it
 and would be interested in any successful experience.

Yes.
(Using it for about 8 years now, cannot remember any jails related problem.)

-- 
Martin



Re: Anyone run Postfix in FreeBSD jails environment?

2011-06-08 Thread Xavier Beaudouin
Hi
On 8 June 2011, at 12:07, Martin Schütte wrote:

 On 06/08/11 06:09, Frank Bonnet wrote:
 Is anyone running postfix in a FreeBSD jails environment
 with success on a production server? I'm thinking of it
 and would be interested in any successful experience.
 
 Yes.
 (Using it for about 8 years now, cannot remember any jails related problem.)

I use it in FreeBSD jails for ages...

No problems at all...

/Xavier

Re: Error message for a couple of mails : lost connection ...

2011-06-08 Thread lst_hoe02

Quoting Barchfeld, Andreas andreas.barchf...@kinderkrankenhaus.net:


Hello,

for around 5% of our outgoing mails we get the message:
lost connection with mail-provider while sending end of data --  
message may be sent more than once


All mails go through our mail provider.

There are no dependencies on the size of the mail or the mail  
address. It takes a few hours, then the mails are sent.  
Unfortunately, from these mails, some mails are send two or three  
times - as the message says.




To debug the problem you need a complete tcpdump from both ends of a  
failing mail. What might be the problem:


- Content filter (pre-queue) at the provider side which has  
load/concurrency issues

- Stateful firewall with SMTP fixup issues at your side or the remote side
- Network errors regarding SACK/PMTU/window scaling/ECN, whatever

You might try to dumb down Postfix smtp with  
smtp_discard_ehlo_keywords to not use features like ESMTP pipelining  
first, but as said, to debug the problem tcpdumps are preferred.


Regards

Andreas








Re: fqrdns.regexp

2011-06-08 Thread Бак Микаел
Steve Jenkins wrote:
 On Tue, Jun 7, 2011 at 7:06 AM, Бак Микаел mikael@yandex.ru wrote:
 Hi list,
 Reading the archives I saw that there is a nice regexp with dynamic
 hostnames available here: www.hardwarefreak.com/fqrdns.regexp

 Unfortunately this file seems to be unavailable at the moment for some
 reason.

 Do you guys happen to know from where this file (latest) version can be
 downloaded.

 TIA,
 Mikael

 
 It's http://www.hardwarefreak.com/fqrdns.pcre

Oh, thanks. The maintainer must have renamed it.

I don't know if the author reads this, but I'd suggest a smallish change
for the next release: Put only REJECT alone on each line instead of
having custom text. This makes it easier for anyone to change that
(using sed) to a custom restriction class.

Thanks!
Mikael


Re: fqrdns.regexp

2011-06-08 Thread Brian Evans - Postfix List
On 6/8/2011 8:35 AM, Бак Микаел wrote:
 Steve Jenkins wrote:

 It's http://www.hardwarefreak.com/fqrdns.pcre
 Oh, thanks. The maintainer must have renamed it.

 I don't know if the author reads this, but I'd suggest a smallish change
 for the next release: Put only REJECT alone on each line instead of
 having custom text. This makes it easier for anyone to change that
 (using sed) to a custom restriction class.


You can do that yourself, example:

sed -i -e 's/REJECT.*/my_custom_reject/' fqrdns.pcre



expensive checks first

2011-06-08 Thread jimbob palmer
Hello,

Say I wanted to whitelist a specific email recipient always and
forever, but apply normal spam checks to everything else, could I do
that?

i.e. can I do the expensive checks in smtpd_recipient_restrictions first?

Thanks.



Re: expensive checks first

2011-06-08 Thread jimbob palmer
2011/6/8 Wietse Venema wie...@porcupine.org:
 jimbob palmer:
 Hello,

 Say I wanted to whitelist a specific email recipient always and
 forever, but apply normal spam checks to everything else, could I do
 that?

 i.e. can I do the expensive checks in smtpd_recipient_restrictions first?

 /etc/postfix/main.cf:
   smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/rcpt_access
        ...least expensive checks here...
        ...most expensive checks here...

 /etc/postfix/rcpt_access:
    sa...@example.com   permit

        Wietse


Thanks.
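A model of how a restriction list is evaluated, added here and not Postfix code, to show why the whitelist in the reply above sits after reject_unauth_destination and before anything costly: evaluation stops at the first restriction that returns OK or REJECT, so a whitelisted recipient never reaches the expensive checks, while a permit placed before reject_unauth_destination lets any address in the access table be relayed through you. The domains, client addresses, the `sales@example.com` entry and the stand-in "expensive" check (a counter in place of a DNSBL or policy lookup) are constructed.

```python
"""Model of smtpd_recipient_restrictions evaluation order; see the lead-in."""
from typing import Callable, Dict, List, Tuple

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"
Request = Dict[str, str]
Restriction = Callable[[Request], str]

# Constructed local configuration for the model.
MYDESTINATION = {"example.com"}
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}
ACCESS_ACTIONS = {"permit": OK, "ok": OK, "reject": REJECT, "dunno": DUNNO}


def permit_mynetworks(req: Request) -> str:
    return OK if req["client"] in MYNETWORKS else DUNNO


def permit_sasl_authenticated(req: Request) -> str:
    return OK if req.get("sasl_username") else DUNNO


def reject_unauth_destination(req: Request) -> str:
    """Reject unless the recipient domain is one this server accepts mail for."""
    domain = req["recipient"].rpartition("@")[2].lower()
    return DUNNO if domain in MYDESTINATION else REJECT


def check_recipient_access(table: Dict[str, str]) -> Restriction:
    """Look the recipient up in an access table; keys not found mean DUNNO."""
    def restriction(req: Request) -> str:
        action = table.get(req["recipient"].lower(), "dunno")
        return ACCESS_ACTIONS.get(action.lower(), DUNNO)
    restriction.__name__ = "check_recipient_access"
    return restriction


class ExpensiveCheck:
    """Stand-in for a DNSBL or policy-server lookup; counts how often it runs."""
    __name__ = "expensive_check"

    def __init__(self, bad_clients) -> None:
        self.bad = set(bad_clients)
        self.calls = 0

    def __call__(self, req: Request) -> str:
        self.calls += 1
        return REJECT if req["client"] in self.bad else DUNNO


def evaluate(restrictions: List[Restriction], req: Request) -> Tuple[str, List[str]]:
    """First OK or REJECT wins; DUNNO moves on. An exhausted list permits,
    which is what Postfix does at the end of smtpd_recipient_restrictions."""
    trace: List[str] = []
    for restriction in restrictions:
        verdict = restriction(req)
        trace.append(f"{restriction.__name__}={verdict}")
        if verdict != DUNNO:
            return verdict, trace
    return OK, trace


# The list from the reply, with the whitelist after reject_unauth_destination.
EXPENSIVE = ExpensiveCheck(bad_clients={"203.0.113.5"})
SAFE_LIST: List[Restriction] = [
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access({"sales@example.com": "permit"}),
    EXPENSIVE,
]
```

Running `evaluate(SAFE_LIST, {...})` with a whitelisted recipient leaves `EXPENSIVE.calls` untouched; with any other local recipient from a listed client the expensive check runs and rejects; with an off-domain recipient reject_unauth_destination stops the relay attempt before anything else is consulted.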


Re: Anyone run Postfix in FreeBSD jails environment?

2011-06-08 Thread Mark Martinec
 Is anyone running postfix in a FreeBSD jails environment
 with success on a production server? I'm thinking of it
 and would be interested in any successful experience.

FreeBSD older than 7.2 did not support multiple IP addresses in a jail
(e.g. an IPv6 address, or a separate mail submission IP address).
More recent versions should be fine.

  Mark


Re: virtual aliases and unlisted email addresses

2011-06-08 Thread Victor Duchovni
On Wed, Jun 08, 2011 at 11:33:48AM +0200, Patrick Proniewski wrote:

 After the period of double delivery is over, we will deliver emails only to 
 Google servers. So the virtual aliases map is to look like:
 
   public-addr...@univ-lyon2.fr    public-addr...@univ-lyon2.fr
   some-al...@univ-lyon2.fr        public-addr...@univ-lyon2.fr
   ...
 
 The first line looks pretty silly to me. Is there any way to tell that 
 addresses not listed in virtual aliases map are to be forwarded as is ?

Your gateway needs a table of valid recipients, the domain in question
is presumably configured as a relay domain by being listed in
$relay_domains.  If you don't want to have identity mappings in
virtual_alias_maps, you need to add entries to relay_recipient_maps:

main.cf:
# Use cdb if you have it.
default_database_type = hash
indexed = ${default_database_type}:${config_directory}/
relay_recipient_maps = ${indexed}relay_rcpts

relay_rcpts:
public-addr...@univ-lyon2.fr    valid
...

where the word valid on the right hand side of the table can be
replaced by any non-empty value that makes sense to you. Postfix
only needs the lookup key to map to a non-empty result.

This said, the identity virtual_alias_maps mappings are a fine way
to achieve the same result. The lookup will be done anyway, and you
already have a virtual alias table, so it may in fact be simpler to
keep using the identity mappings, but you MUST make sure that 
relay_recipient_maps (assuming the domain is a relay domain) is
set to some table (be it one with no entries).

main.cf:
# All relay recipients are listed in virtual_alias_maps, so just
# create and postmap an empty file.
#
relay_recipient_maps = ${indexed}empty

-- 
Viktor.
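A small model of the rule this reply relies on, added here and not Postfix code: a recipient in a domain listed in relay_domains is accepted when it is a lookup key in virtual_alias_maps or in relay_recipient_maps; when relay_recipient_maps is unset every recipient in the domain is accepted, and the gateway then bounces whatever the final destination rejects, which is how a relay becomes a backscatter source. It also derives the relay_rcpts source file from the keys of an existing virtual alias table, the alternative the reply mentions to identity mappings. The domain and addresses are constructed, and the model ignores @domain wildcard keys and canonical rewriting.

```python
"""Relay-domain recipient validation model; see the lead-in for assumptions."""
from typing import Dict, Optional, Set, Tuple


def parse_table(text: str) -> Dict[str, str]:
    """Parse Postfix table source: key, whitespace, value; '#' starts a comment."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


def relay_rcpts_from_virtual(virtual: Dict[str, str], domain: str) -> str:
    """Emit relay_recipient_maps source from the keys of a virtual alias table,
    so the alias table needs no identity mappings (run postmap on the output)."""
    suffix = "@" + domain.lower()
    return "".join(f"{key} valid\n" for key in sorted(virtual) if key.endswith(suffix))


def accept_recipient(rcpt: str, relay_domains: Set[str], virtual: Dict[str, str],
                     relay_rcpts: Optional[Dict[str, str]]) -> Tuple[bool, str]:
    """Decide a relay recipient the way the reply describes.

    relay_rcpts=None models an unset relay_recipient_maps; an empty dict models
    the 'empty' table the reply tells you to create. Full-address keys only.
    """
    rcpt = rcpt.lower()
    domain = rcpt.rpartition("@")[2]
    if domain not in relay_domains:
        return False, "not a relay domain (reject_unauth_destination)"
    if rcpt in virtual:
        return True, "listed in virtual_alias_maps"
    if relay_rcpts is None:
        return True, "relay_recipient_maps unset: any recipient accepted (backscatter risk)"
    if rcpt in relay_rcpts:
        return True, "listed in relay_recipient_maps"
    return False, "unlisted relay recipient"


# Constructed tables for the model; the thread's real addresses are not shown.
RELAY_DOMAINS = {"relay.example"}
VIRTUAL = parse_table("""
# virtual_alias_maps with an identity mapping, as in the reply
public-address@relay.example   public-address@relay.example
some-alias@relay.example       public-address@relay.example
""")
```

With `VIRTUAL` and an empty `relay_rcpts` table, `public-address@` and `some-alias@` are accepted and everything else in the domain is rejected at RCPT time; pass `None` for the table and the unknown address is accepted, which is the configuration the reply warns against.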


Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-08 Thread Rich Wales
Another thing I think I see about postscreen is that it apparently will only
look up IP addresses.  There doesn't seem to be any postscreen_rhsbl_sites
feature (which might allow me to move my current reject_rhsbl_client and
permit_rhswl_client checks into postscreen).  Is such a thing planned, not
planned, or perhaps intrinsically evil for some reason I'm not thinking of?

Rich Wales
ri...@richw.org


smtpd_reject_unlisted_recipient vs. reject_unlisted_recipient

2011-06-08 Thread Rich Wales
Given the smtpd_reject_unlisted_recipient parameter (which is yes
by default), is there any reason to include reject_unlisted_recipient
in my smtpd_recipient_restrictions?  It would seem that doing this
would be redundant -- or am I missing some subtle point?

I also note there is an smtpd_reject_unlisted_sender parameter (which
is no by default).  What issues would I want to consider before
deciding to enable this parameter in my configuration?

I'm running Postfix 2.8.1 on an Ubuntu server.

Rich Wales
ri...@richw.org


Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-08 Thread Noel Jones

On 6/8/2011 12:05 PM, Rich Wales wrote:

Another thing I think I see about postscreen is that it apparently will only
look up IP addresses.  There doesn't seem to be any postscreen_rhsbl_sites
feature (which might allow me to move my current reject_rhsbl_client and
permit_rhswl_client checks into postscreen).  Is such a thing planned, not
planned, or perhaps intrinsically evil for some reason I'm not thinking of?

Rich Wales
ri...@richw.org


The postscreen program doesn't do reverse DNS lookups in the 
interest of speed and simplicity.  As a consequence, it is not 
possible to do any hostname-based filtering in postscreen.


There are no current plans to change this.


  -- Noel Jones


Re: smtpd_reject_unlisted_recipient vs. reject_unlisted_recipient

2011-06-08 Thread Noel Jones

On 6/8/2011 12:11 PM, Rich Wales wrote:

Given the smtpd_reject_unlisted_recipient parameter (which is yes
by default), is there any reason to include reject_unlisted_recipient
in my smtpd_recipient_restrictions?  It would seem that doing this
would be redundant -- or am I missing some subtle point?


The smtpd_reject_unlisted_recipient check is performed after all the 
specified smtpd_recipient_restrictions entries.


Some people want to perform the check sooner in the process, 
so reject_unlisted_recipient can be specified where you want 
the test performed.


If you specify reject_unlisted_recipient, the later 
smtpd_reject_unlisted_recipient test is skipped (or rather, 
not repeated).




I also note there is an smtpd_reject_unlisted_sender parameter (which
is no by default).  What issues would I want to consider before
deciding to enable this parameter in my configuration?


Some people intentionally send mail from users that can't 
receive mail.  This is off by default to prevent surprises.


I would recommend using this restriction if it doesn't break 
anything.



  -- Noel Jones


Re: smtpd_reject_unlisted_recipient vs. reject_unlisted_recipient

2011-06-08 Thread Rich Wales
 The smtpd_reject_unlisted_recipient check is performed after all the
 specified smtpd_recipient_restrictions entries.

I assume the smtpd_reject_unlisted_recipient check is performed (and
could cause mail to be rejected) even though the processing of the
smtpd_recipient_restrictions ended with a permit, right?  (I think
this would have to be the case, otherwise it wouldn't make any sense,
but . . . .)

So, having smtpd_reject_unlisted_recipient = yes is not exactly the
same as having reject_unlisted_recipient at the very end of the list
of smtpd_recipient_restrictions items.  (Or is it?)

Rich Wales
ri...@richw.org


Re: smtpd_reject_unlisted_recipient vs. reject_unlisted_recipient

2011-06-08 Thread Noel Jones

On 6/8/2011 12:51 PM, Rich Wales wrote:

The smtpd_reject_unlisted_recipient check is performed after all the
specified smtpd_recipient_restrictions entries.


I assume the smtpd_reject_unlisted_recipient check is performed (and
could cause mail to be rejected) even though the processing of the
smtpd_recipient_restrictions ended with a permit, right?  (I think
this would have to be the case, otherwise it wouldn't make any sense,
but . . . .)



The smtpd_reject_unlisted_recipient = yes check is performed 
regardless of what you specify in smtpd_recipient_restrictions.



So, having smtpd_reject_unlisted_recipient = yes is not exactly the
same as having reject_unlisted_recipient at the very end of the list
of smtpd_recipient_restrictions items.  (Or is it?)


Effectively the same.


  -- Noel Jones


per-user usage metering

2011-06-08 Thread Ricardo Signes

Hi, Postfix.  Long-time fan, first time poster.

I need to keep track of per-user use of our SASL-authenticated outbound relay,
and to reject mail from users who are exceeding their allowed usage.  The
records of their usage need to be accessible to me elsewhere over extended
durations, although their specific format isn't a huge concern.

There is an existing system in place for this, but it's got a serious race
condition in it, and I'm not 100% sure that my idea to deal with the problem is
a great one.

Right now, users authenticate with SASL, and that's fine.

The mail then goes through a unix socket policy service via
smtpd_sender_restrictions.  This looks up the account (based on the
sasl_username) and then checks their recent usage in a usage database.  If they
are over usage, it returns a 450.  If they are not over usage, it signals
success by prepending a header.  Mail with that header is routed to another
transport by header_checks.

This other transport is responsible for performing a content spam check.  If
the message is spam, it is sent to an uninteresting destination.  If it is not,
the message (size, recipients, spam-check score, etc.) is recorded in the usage
database and the message is re-injected to its final destination.

The race condition is simple:  the smtpd can accept a lot of mail before the
logging transport can write to the usage database, meaning users can bypass the
usage limits.

My first moronic attempt to fix this was to move some of the logging to the
policy service, and to communicate the record id via the added header to the
logging transport, so it could update the record with the spam check score.  I
had forgotten that the policy service was being queried once *per recipient*,
with the obvious problem that each message was logged multiple times.  I
didn't want to try coordinating based on instance id (incrementing the
recipient count each time, etc.) -- and anyway, there is another problem:  the
mail might pass all the recipient restrictions and then fail during DATA.

My current thinking is this:

  1. a fast, idempotent policy service will check usage at rcpt time so that
 we can avoid accepting DATA if the user is over quota; it will signal
 acceptance with OK

  2. an end_of_data_restriction will log the recipient count, size, etc; it
 will signal acceptance by PREPENDing the record identifier

  3. the logging transport will still exist, and will do the content checks
 and update the record with the spam score

I'm not sure whether I am worried about the logging done by end_of_data
resulting in logging messages that for some reason do not reach the logging
transport.  In that case, I may mark the records as pending, with the logging
transport marking them accepted, and another job purging pending records
regularly.

Does this make sense?  Is it a terrible idea?  Is this all already covered by
some simple interface I have yet to discover?

-- 
rjbs


Re: per-user usage metering

2011-06-08 Thread Victor Duchovni
On Wed, Jun 08, 2011 at 02:18:41PM -0400, Ricardo Signes wrote:

 My first moronic attempt to fix this was to move some of the logging to the
 policy service, and to communicate the record id via the added header to the
 logging transport, so it could update the record with the spam check score.  I
 had forgotten that the policy service was being queried once *per recipient*,
 with the obvious problem that each message was logged multiple times.  I
 didn't want to try coordinating based on instance id (incrementing the
 recipient count each time, etc.) -- and anyway, there is another problem:  the
 mail might pass all the recipient restrictions and then fail during DATA.

It is easy to determine which policy service requests are for additional
recipients of the same message.

 My current thinking is this:
 
   1. a fast, idempotent policy service will check usage at rcpt time so that
  we can avoid accepting DATA if the user is over quota; it will signal
  acceptance with OK
 
   2. an end_of_data_restriction will log the recipient count, size, etc; it
  will signal acceptance by PREPENDing the record identifier
 
   3. the logging transport will still exist, and will do the content checks
  and update the record with the spam score

Sounds sensible.

-- 
Viktor.
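A policy service skeleton for the three-step plan above, added here; it is neither the poster's code nor part of Postfix. It speaks the Postfix SMTP access policy protocol (name=value attribute lines ended by an empty line, answered by one action= line and an empty line), uses the `instance` attribute to recognise further requests for the same message as the reply points out, checks usage at RCPT without writing anything, and records `size` and `recipient_count` at END-OF-MESSAGE once per instance. One adjustment to step 2: Postfix only honours a PREPEND action before DATA (the prepended headers are written when the message content starts), so the record header is returned on the first RCPT of a message instance rather than from the end-of-data restriction. The quota numbers, the `X-Usage-Record` header name, the socket path and the in-memory store are assumptions; a deployment would persist usage and expire the instance sets. It is wired in with `check_policy_service unix:private/usage-policy` in both smtpd_recipient_restrictions and smtpd_end_of_data_restrictions.

```python
"""Per-user metering policy service; see the lead-in for what is assumed."""
import socketserver
import threading
import time
from typing import Callable, Dict, List, Set, Tuple


def parse_policy_request(blob: str) -> Dict[str, str]:
    """Parse one policy request: 'name=value' lines up to the first empty line."""
    attrs: Dict[str, str] = {}
    for line in blob.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")   # values may themselves contain '='
        attrs[name] = value
    return attrs


def format_response(action: str) -> str:
    """A reply is a single 'action=' line followed by an empty line."""
    return f"action={action}\n\n"


class UsageMeter:
    """Sliding-window recipient quota per sasl_username, deduplicated by instance."""

    def __init__(self, max_recipients: int, window_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_recipients = max_recipients
        self.window = window_seconds
        self.clock = clock
        self._lock = threading.Lock()
        self._events: Dict[str, List[Tuple[float, int]]] = {}  # user -> (time, rcpts)
        self._announced: Set[str] = set()   # instances that already got the header
        self._recorded: Set[str] = set()    # instances already counted
        self.records: Dict[str, Dict[str, object]] = {}  # record id -> usage record

    def usage(self, user: str, now: float) -> int:
        """Recipients accepted for user inside the window; drops expired events."""
        live = [e for e in self._events.get(user, []) if e[0] >= now - self.window]
        self._events[user] = live
        return sum(count for _, count in live)

    def decide(self, attrs: Dict[str, str]) -> str:
        user = attrs.get("sasl_username", "")
        if not user:
            return "DUNNO"              # unauthenticated: other restrictions decide
        state = attrs.get("protocol_state", "")
        instance = attrs.get("instance", "")
        now = self.clock()
        with self._lock:
            if state == "RCPT":
                # Cheap and read-only; Postfix asks once per recipient.
                if self.usage(user, now) >= self.max_recipients:
                    return "450 4.7.1 Sending quota exceeded, try again later"
                if instance and instance not in self._announced:
                    # PREPEND is honoured only before DATA, so the record id
                    # (assumed header name) goes out on the first recipient.
                    self._announced.add(instance)
                    return f"PREPEND X-Usage-Record: {instance}"
                return "DUNNO"
            if state == "END-OF-MESSAGE" and instance not in self._recorded:
                self._recorded.add(instance)
                rcpts = int(attrs.get("recipient_count") or 1)
                size = int(attrs.get("size") or 0)
                self._events.setdefault(user, []).append((now, rcpts))
                self.records[instance] = {"user": user, "recipients": rcpts,
                                          "size": size, "time": now}
        return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serves one smtpd connection; Postfix keeps it open for many requests."""
    meter = UsageMeter(max_recipients=500)   # assumed quota

    def handle(self) -> None:
        while True:
            lines: List[str] = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return              # smtpd closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            attrs = parse_policy_request("\n".join(lines))
            self.wfile.write(format_response(self.meter.decide(attrs)).encode("utf-8"))


def serve(socket_path: str) -> None:
    """Threaded so one idle smtpd connection cannot stall the others."""
    with socketserver.ThreadingUnixStreamServer(socket_path, PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve("/var/spool/postfix/private/usage-policy")   # assumed socket path
```

The server is threaded because each smtpd process holds its own policy connection open between requests; a single-threaded server would block every other smtpd while one sits idle. The lock around `decide` is what closes the race the post describes: the quota read and the usage write happen under the same lock, and the per-instance sets stop a message with five recipients from being counted five times.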


Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-08 Thread /dev/rob0
On Wed, Jun 08, 2011 at 10:05:05AM -0700, Rich Wales wrote:
 Another thing I think I see about postscreen is that it apparently 
 will only look up IP addresses.  There doesn't seem to be any 
 postscreen_rhsbl_sites feature (which might allow me to move my 
 current reject_rhsbl_client and permit_rhswl_client checks into 
 postscreen).

Why move any checks into postscreen? I basically left my smtpd 
restrictions alone. I figure they can't hurt and might help. Sure, 
they are lonely and mostly unused, but they were a good policy in 
pre-postscreen days, so they're still good.

I can give an example of when/why they might help. Under stress, 
postscreen reduces the greet pause to 2 seconds. Under stress, the 
possibility that DNSBL responses might be delayed is greater. Why 
would you not avail yourself of that second chance to query 
zen.spamhaus.org? It's cached now at your nameserver, whether 
positive or negative, so it hurts nothing.

  Is such a thing planned, not planned, or perhaps intrinsically 
 evil for some reason I'm not thinking of?

I think postscreen needs to stay lightweight and fast. It does not 
need to replace all the antispam functionality of smtpd.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-08 Thread Wietse Venema
Rich Wales:
 Another thing I think I see about postscreen is that it apparently will only
 look up IP addresses.  There doesn't seem to be any postscreen_rhsbl_sites
 feature (which might allow me to move my current reject_rhsbl_client and
 permit_rhswl_client checks into postscreen).  Is such a thing planned, not
 planned, or perhaps intrinsically evil for some reason I'm not thinking of?

I concur with what others wrote, and would like to emphasize again
that postscreen is not a REPLACEMENT for existing smtpd features.

It is a filter that blocks the most suspicious clients with the
smallest possible effort. The existing postfix features can take
care of the rest of the problem.

Wietse


Re: fqrdns.regexp

2011-06-08 Thread mouss
On 08/06/2011 14:35, Бак Микаел wrote:
 Steve Jenkins wrote:
 On Tue, Jun 7, 2011 at 7:06 AM, Бак Микаел mikael@yandex.ru wrote:
 Hi list,
 Reading the archives I saw that there is a nice regexp with dynamic
 hostnames available here: www.hardwarefreak.com/fqrdns.regexp

 Unfortunately this file seems to be unavailable at the moment for some
 reason.

 Do you guys happen to know from where this file (latest) version can be
 downloaded.

 TIA,
 Mikael


 It's http://www.hardwarefreak.com/fqrdns.pcre
 
 Oh, thanks. The maintainer must have renamed it.

I am not sure Stan made it public. He provided it to a limited
audience. If the whole internet starts downloading it every second,
he'll get angry...

 
 I don't know if the author reads this, but I'd suggest a smallish change
 for the next release: Put only REJECT alone on each line instead of
 having custom text.

On the contrary, I suggest removing the action part (if different
actions are needed, simply use different files).

 This makes it easier for anyone to change that
 (using sed) to a custom restriction class.
 
 Thanks!
 Mikael



Re: expensive checks first

2011-06-08 Thread mouss
On 08/06/2011 15:21, jimbob palmer wrote:
 Hello,
 
 Say I wanted to whitelist a specific email recipient always and
 forever, but apply normal spam checks to everything else, could I do
 that?

Yes. My standard setup includes a
check_recipient_access
just after reject_unauth_destination.

 
 i.e. can I do the expensive checks in smtpd_recipient_restrictions first?

There must be some language issue here...

One puts expensive checks as late as possible. But of course,
whitelists go before common checks.


PS. Why does your mail go to @cloud9.net?

 
 Thanks.



Re: per-user usage metering

2011-06-08 Thread lst_hoe02

Quoting Ricardo Signes postfix.us...@rjbs.manxome.org:



Hi, Postfix.  Long-time fan, first time poster.

I need to keep track of per-user use of our SASL-authenticated
outbound relay, and to reject mail from users who are exceeding their
allowed usage.  The records of their usage need to be accessible to me
elsewhere over extended durations, although their specific format isn't
a huge concern.


Have you checked if http://www.policyd.org/ would fit? At least it is
able to manage user quota based on number and size of e-mails sent.


Regards

Andreas






Re: fqrdns.regexp

2011-06-08 Thread Stan Hoeppner
On 6/8/2011 7:35 AM, Бак Микаел wrote:
 Steve Jenkins wrote:
 On Tue, Jun 7, 2011 at 7:06 AM, Бак Микаел mikael@yandex.ru wrote:
 Hi list,
 Reading the archives I saw that there is a nice regexp with dynamic
 hostnames available here: www.hardwarefreak.com/fqrdns.regexp

 Unfortunately this file seems to be unavailable at the moment for some
 reason.

 Do you guys happen to know where the latest version of this file can be
 downloaded?

 TIA,
 Mikael


 It's http://www.hardwarefreak.com/fqrdns.pcre
 
 Oh, thanks. The maintainer must have renamed it.

Yes, I renamed it quite a long time ago (in internet time) when it was
suggested running it through the pcre engine was more optimal.  If
memory serves me correctly, I made the change something like a year ago,
or more, maybe much more.

 I don't know if the author reads this, but I'd suggest a smallish change
 for the next release: Put only REJECT alone on each line instead of
 having custom text. This makes it easier for anyone to change that
 (using sed) to a custom restriction class.

The custom text exists for the benefit of victims of false positives,
and for easy log parsing/statistics generation.  Changing it is trivial
with sed, as Brian mentioned.

-- 
Stan


Re: fqrdns.regexp

2011-06-08 Thread Stan Hoeppner
On 6/8/2011 3:06 PM, mouss wrote:

 I am not sure Stan made it public. He provided it to a limited
 audience. If the whole internet starts downloading it every second,
 he'll get angry...

It's intended to be public, free for anyone to use.  Mouss, if what you
described were to occur, you wouldn't know if I was angry.  The pipe the
file is hosted on would be so clogged I'd not be able to get a message
out. ;)

 I don't know if the author reads this, but I'd suggest a smallish change
 for the next release: Put only REJECT alone on each line instead of
 having custom text.
 
 On the opposite, I suggest removing the action part (if different
 actions are needed, simply use different files).

Some people change all the actions to PREPENDs for scoring use in SA et
al.  Given that these expressions target almost exclusively
consumer/residential type rDNS patterns, it is my opinion that it's best
used as is in combination with dnswl and local whitelisting.  YMMV.

-- 
Stan

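The REJECT-to-PREPEND rewrite Stan mentions and Mikael's bare-REJECT suggestion, as an added shell example that is not the fqrdns.pcre file nor anything from its author: the map lines below are constructed samples in the file's `/pattern/ ACTION text` layout, and `X-Dynamic-rDNS` is an assumed header name.

```shell
# Constructed sample in the fqrdns.pcre layout (not the real file's contents):
# "/pattern/ ACTION optional text". Comments, blank lines and OK entries are
# included so the rewrite can be checked to leave them alone.
sample_pcre() {
  cat <<'EOF'
# comment line is left untouched
/^(\d+)[-.](\d+)[-.](\d+)[-.](\d+)\.dyn\.example\.net$/  REJECT Generic - Please relay via ISP (example.net)
/^pool-\d+-\d+-\d+-\d+\.example\.org$/ REJECT Generic - Please relay via ISP (example.org)

/^static\.example\.com$/ OK
EOF
}

# Turn every REJECT action (with or without custom text) into a PREPEND of a
# header, so a content filter such as SpamAssassin can score the match instead
# of Postfix rejecting outright. The "/pattern/flags" part is kept as-is.
to_prepend() {
  sed -E 's#^(/.*/[a-zA-Z]*)[[:space:]]+REJECT([[:space:]].*)?$#\1 PREPEND X-Dynamic-rDNS: match#'
}

# The change suggested in the thread: drop the custom text so each matching
# line ends in a bare REJECT, ready for a later sed to a restriction class.
to_bare_reject() {
  sed -E 's#^(/.*/[a-zA-Z]*)[[:space:]]+REJECT([[:space:]].*)?$#\1 REJECT#'
}

# Count map lines whose action is $1 (comment and blank lines never match).
count_action() {
  grep -c -E "^/.*/[a-zA-Z]*[[:space:]]+$1([[:space:]]|\$)" || true
}

# Stand-alone run: show the two rewrites side by side.
sample_pcre | to_prepend
sample_pcre | to_bare_reject
```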

..::Troubleshooting Advice::..

2011-06-08 Thread Alfonso Alejandro Reyes Jimenez
Hi list.

We are going to work with an old postfix (I mean old because this
postfix was installed and administered by another person); it works with
LDAP. I don't have any experience working with LDAP authentication.

I was wondering if you can give me some advice for troubleshooting; any
advice will be appreciated.

Thanks in advance.

Regards.

Alfonso.



Re: ..::Troubleshooting Advice::..

2011-06-08 Thread Sahil Tandon
On Wed, 2011-06-08 at 19:40:13 -0500, Alfonso Alejandro Reyes Jimenez wrote:

 We are going to work with an old postfix (I mean old because this
 postfix was installed and administered by another person); it works
 with LDAP. I don't have any experience working with LDAP
 authentication.
 
 I was wondering if you can give me some advice for troubleshooting;
 any advice will be appreciated.

Your question is too general to be answered with specificity.  Please
describe an *actual* problem.  Before responding, carefully consult the
DEBUG_README, a document to which you were introduced upon joining this
mailing list:

 http://www.postfix.org/DEBUG_README.html#mail

For general information about LDAP support in Postfix:

 http://www.postfix.org/LDAP_README.html
 http://www.postfix.org/ldap_table.5.html

-- 
Sahil Tandon sa...@freebsd.org


RE: ..::Troubleshooting Advice::..

2011-06-08 Thread Alfonso Alejandro Reyes Jimenez
Thanks. Actually there's no problem right now; I'm just looking for some advice
about troubleshooting. Something like what any other user thinks could be a
good start.

Thanks for the links I will check them out.

Alfonso.

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On
behalf of Sahil Tandon
Sent: Wednesday, June 08, 2011 07:46 p.m.
To: postfix-users@postfix.org
Subject: Re: ..::Troubleshooting Advice::..

On Wed, 2011-06-08 at 19:40:13 -0500, Alfonso Alejandro Reyes Jimenez wrote:

 We are going to work with an old postfix (I mean old because this
 postfix was installed and administered by another person); it works
 with LDAP. I don't have any experience working with LDAP
 authentication.
 
 I was wondering if you can give me some advice for troubleshooting;
 any advice will be appreciated.

Your question is too general to be answered with specificity.  Please
describe an *actual* problem.  Before responding, carefully consult the
DEBUG_README, a document to which you were introduced upon joining this
mailing list:

 http://www.postfix.org/DEBUG_README.html#mail

For general information about LDAP support in Postfix:

 http://www.postfix.org/LDAP_README.html
 http://www.postfix.org/ldap_table.5.html

-- 
Sahil Tandon sa...@freebsd.org


Re: ..::Troubleshooting Advice::..

2011-06-08 Thread Noel Jones

On 6/8/2011 7:55 PM, Alfonso Alejandro Reyes Jimenez wrote:

Thanks. Actually there's no problem right now; I'm just looking for some advice
about troubleshooting. Something like what any other user thinks could be a
good start.

Thanks for the links I will check them out.

Alfonso.


If your question is more "how can I prepare for future 
possible problems?" my advice would be:


- become familiar with postfix in general.  The official 
documentation should be trusted before any outside sources.

http://www.postfix.org/documentation.html

- become familiar with reading the postfix logs.  Most of the 
log entries are self-explanatory; search the postfix-users 
list archives or ask here if there's something you don't 
understand.  Knowing what normal logs look like will help 
isolate a problem later.

http://www.postfix.org/DEBUG_README.html#logging

- become familiar with your system's config.  In particular, 
postconf will display all postfix's current settings (the 
vast majority of which should be at their default value), and 
postconf -n will display settings explicitly set in your 
main.cf.  Find out what the settings you're using are supposed 
to do.

http://www.postfix.org/postconf.1.html
http://www.postfix.org/postconf.5.html

- become familiar with LDAP.  That's really outside the scope 
of postfix, but since your system is using it, you should have 
some idea of how it's supposed to work.


- If you're a book person, The Book of Postfix by Ralf 
Hildebrandt and Patrick Koetter is excellent, although it's 
getting a little dated (an unavoidable problem of books 
covering evolving software).

http://www.postfix-book.com or your favorite bookstore.


  -- Noel Jones


RE: ..::Troubleshooting Advice::..

2011-06-08 Thread Alfonso Alejandro Reyes Jimenez
Great advice thanks, I will follow your recommendations.

Regards.

Alfonso.
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On
behalf of Noel Jones
Sent: Wednesday, June 08, 2011 08:36 p.m.
To: postfix-users@postfix.org
Subject: Re: ..::Troubleshooting Advice::..

On 6/8/2011 7:55 PM, Alfonso Alejandro Reyes Jimenez wrote:
 Thanks. Actually there's no problem right now; I'm just looking for some 
 advice about troubleshooting. Something like what any other user thinks 
 could be a good start.

 Thanks for the links I will check them out.

 Alfonso.

If your question is more "how can I prepare for future 
possible problems?" my advice would be:

- become familiar with postfix in general.  The official 
documentation should be trusted before any outside sources.
http://www.postfix.org/documentation.html

- become familiar with reading the postfix logs.  Most of the 
log entries are self-explanatory; search the postfix-users 
list archives or ask here if there's something you don't 
understand.  Knowing what normal logs look like will help 
isolate a problem later.
http://www.postfix.org/DEBUG_README.html#logging

- become familiar with your system's config.  In particular, 
postconf will display all postfix's current settings (the 
vast majority of which should be at their default value), and 
postconf -n will display settings explicitly set in your 
main.cf.  Find out what the settings you're using are supposed 
to do.
http://www.postfix.org/postconf.1.html
http://www.postfix.org/postconf.5.html

- become familiar with LDAP.  That's really outside the scope 
of postfix, but since your system is using it, you should have 
some idea of how it's supposed to work.

- If you're a book person, The Book of Postfix by Ralf 
Hildebrandt and Patrick Koetter is excellent, although it's 
getting a little dated (an unavoidable problem of books 
covering evolving software).
http://www.postfix-book.com or your favorite bookstore.


   -- Noel Jones


Clarification between smtpd_sender_restrictions smtpd_recipient_restrictions

2011-06-08 Thread Janantha Marasinghe

Hi,

I'm a bit confused between

smtpd_recipient_restrictions
http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
and smtpd_sender_restrictions.

I want to implement RBL on my mail server and I was thinking of having the 
reject_rbl_client on the smtpd_sender_restrictions.

If someone could clarify this to me it would be great.

thanks




Re: Clarification between smtpd_sender_restrictions smtpd_recipient_restrictions

2011-06-08 Thread Sahil Tandon
On Thu, 2011-06-09 at 07:30:31 +0530, Janantha Marasinghe wrote:

 I'm a bit confused between
 
 smtpd_recipient_restrictions
 http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
 and smtpd_sender_restrictions. I want to implement RBL on my mail server
 and I was thinking of having the reject_rbl_client on the
 smtpd_sender_restrictions.
 
 If someone could clarify this to me it would be great.

http://www.postfix.org/SMTPD_ACCESS_README.html

-- 
Sahil Tandon sa...@freebsd.org


Trivial typo fix for MULTI_INSTANCE_README.html

2011-06-08 Thread Scott Kitterman
I noticed this one while reading the document on postfix.org.

Scott K

--- MULTI_INSTANCE_README.html.orig	2011-06-08 22:53:34.647880630 -0400
+++ MULTI_INSTANCE_README.html	2011-06-08 22:54:01.103880784 -0400
@@ -420,7 +420,7 @@
 ul
 
 li p Lines 1-2: With a href=postconf.5.html#authorized_submit_usersauthorized_submit_users/a = root, the
-superuser can test the postix-out instance with postmulti -i
+superuser can test the postfix-out instance with postmulti -i
 postfix-out -x sendmail -bv recipient..., but otherwise local
 submission remains disabled.  /p
 
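Review bot: the one-character spelling fix on the `-`/`+` pair (postix to postfix in "the postix-out instance") is correct and matches the instance name used on the following context line, "postfix-out -x sendmail -bv recipient...". The surrounding context lines, however, show the HTML tags with their angle brackets stripped ("ul", "li p", "a href=postconf.5.html#authorized_submit_usersauthorized_submit_users/a"), so this patch as pasted will not apply to MULTI_INSTANCE_README.html; resend it as an attachment, or apply the fix by hand and check the diff against the actual file.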


Re: Postfix plain text authentication with SASL

2011-06-08 Thread Suresh Kumar Prajapati
Hi all,

No one is there to help me


On Wed, Jun 8, 2011 at 12:49 PM, Suresh Kumar Prajapati 
er.sureshprajap...@gmail.com wrote:


 Hi,

 Can anyone help me set up postfix plain authentication with SASL.
 I've spent a complete week on this already.
 Any help appreciated.
 --
 Best Regards,
 Suresh Kumar Prajapati
 Linux Security Admin
 E-mail: er.sureshprajap...@gmail.com

 
 Pencils could be made with erasers at both ends, but what would be the
 point?




-- 
Best Regards,
Suresh Kumar Prajapati
Linux Security Admin
E-mail: er.sureshprajap...@gmail.com

Pencils could be made with erasers at both ends, but what would be the
point?


Re: Postfix plain text authentication with SASL

2011-06-08 Thread Frank Bonnet

Which backend are you using?
ldap, radius, nis?

On 09/06/2011 07:03, Suresh Kumar Prajapati wrote:

Hi all,

No one is there to help me


On Wed, Jun 8, 2011 at 12:49 PM, Suresh Kumar Prajapati
er.sureshprajap...@gmail.com  wrote:



Hi,

Can anyone help me set up postfix plain authentication with SASL.
I've spent a complete week on this already.
Any help appreciated.
--
Best Regards,
Suresh Kumar Prajapati
Linux Security Admin
E-mail: er.sureshprajap...@gmail.com


Pencils could be made with erasers at both ends, but what would be the
point?







Re: Postfix plain text authentication with SASL

2011-06-08 Thread Stephen Ingram
On Wed, Jun 8, 2011 at 10:03 PM, Suresh Kumar Prajapati
er.sureshprajap...@gmail.com wrote:
 Hi all,

 No one is there to help me


 On Wed, Jun 8, 2011 at 12:49 PM, Suresh Kumar Prajapati
 er.sureshprajap...@gmail.com wrote:

 Hi,

 Can anyone help me set up postfix plain authentication with SASL.
 I've spent a complete week on this already.
 Any help appreciated.

Could you please be more specific and post the relevant lines of the
config files?

Steve