Postfix plain text authentication with SASL
Hi,

Can anyone help me set up Postfix plain authentication with SASL? I've spent a complete week on this already. Any help appreciated.

-- 
Best Regards,
Suresh Kumar Prajapati
Linux Security Admin
E-mail: er.sureshprajap...@gmail.com
Pencils could be made with erasers at both ends, but what would be the point?
Re: Postfix plain text authentication with SASL
* Suresh Kumar Prajapati <er.sureshprajap...@gmail.com>:
> Can anyone help me set up Postfix plain authentication with SASL? I've spent a
> complete week on this already. Any help appreciated.

Sure. Send debug output as required by the Postfix debug README and I will help you.

p@rick

-- 
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: Postfix plain text authentication with SASL
Hello,

Just to save you some more time: if your mail server is behind a Cisco ASA/PIX firewall, you should check this thread:
http://www.mail-archive.com/postfix-users@postfix.org/msg01896.html

-- 
Erwan

Suresh Kumar Prajapati wrote:
> Hi,
>
> Can anyone help me set up Postfix plain authentication with SASL? I've spent a
> complete week on this already. Any help appreciated.
>
> -- 
> Best Regards,
> Suresh Kumar Prajapati
> Linux Security Admin
> E-mail: er.sureshprajap...@gmail.com
> Pencils could be made with erasers at both ends, but what would be the point?
Re: Postfix plain text authentication with SASL
* Suresh Kumar Prajapati <er.sureshprajap...@gmail.com>:
> Here is the output from the saslfinger command.
>
> saslfinger - postfix Cyrus sasl configuration Wed Jun  8 11:42:39 MSD 2011
> version: 1.0.2
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.3.3
> System: CentOS release 5.6 (Final)
>
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00a25000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = domain.com
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = cyrus

smtpd_sasl_path, smtpd_sasl_security_options and smtpd_sasl_type are at their defaults. No need to set them explicitly.

> -- listing of /usr/lib/sasl2 --
> total 3072
> drwxr-xr-x  2 root root   4096 Jun  7 15:00 .
> drwxr-xr-x 36 root root  20480 Jun  7 14:43 ..
> -rwxr-xr-x  1 root root    884 Mar 17  2010 libanonymous.la
> -rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so
> -rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2
> -rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2.0.22
> -rwxr-xr-x  1 root root    870 Mar 17  2010 libcrammd5.la
> -rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so
> -rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2
> -rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2.0.22
> -rwxr-xr-x  1 root root    893 Mar 17  2010 libdigestmd5.la
> -rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so
> -rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2
> -rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2.0.22
> -rwxr-xr-x  1 root root    856 Mar 17  2010 liblogin.la
> -rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so
> -rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2
> -rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2.0.22
> -rwxr-xr-x  1 root root    856 Mar 17  2010 libplain.la
> -rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so
> -rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2
> -rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2.0.22
> -rwxr-xr-x  1 root root    930 Mar 17  2010 libsasldb.la
> -rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so
> -rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2
> -rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2.0.22
> -rw-r--r--  1 root root     25 Mar 31  2010 Sendmail.conf
> -rw-r--r--  1 root root     50 Jun  7 15:00 smtpd.conf
> -rw-r--r--  1 root root     64 Jun  7 14:19 smtpd.conf.rpmsave

Remove /usr/lib/sasl2/smtpd.conf and /usr/lib/sasl2/smtpd.conf.rpmsave.

> -- listing of /var/lib/sasl2 --
> total 12
> drwxr-xr-x  2 root root 4096 Jun  7 13:32 .
> drwxr-xr-x 17 root root 4096 Jun  7 13:32 ..
> -rw-r--r--  1 root root  105 Jun  7 13:32 smtpd.conf

Remove /var/lib/sasl2/smtpd.conf.

> -- listing of /etc/sasl2 --
> total 16
> drwxr-xr-x  2 root root    4096 Jun  7 15:19 .
> drwxr-xr-x 54 root postfix 4096 Jun  8 04:01 ..
> -rw-r--r--  1 root root      91 Jun  7 15:19 smtpd.conf
> -rw-r--r--  1 root root      99 Jun  7 10:10 smtpd.conf.bak

Keep (only) /etc/sasl2/smtpd.conf.

> -- content of /etc/sasl2/smtpd.conf --
> saslauthd_path: /var/run/saslauthd/mux
> pwcheck_method: saslauthd
> mech_list: plain login

Reduce /etc/sasl2/smtpd.conf to this:

pwcheck_method: saslauthd
mech_list: plain login

Make sure there's neither leading nor trailing whitespace.

> -- active services in /etc/postfix/master.cf --
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> 21      inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes

The line above won't work if it is formatted like this in your master.cf. Do you need a service called "21"? I'm missing a line that defines the Postfix smtp server instance. Please add this:

smtp      inet  n       -       n       -       -       smtpd

How do you run saslauthd? Can you post "ps axf | grep saslauthd"?

p@rick

-- 
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/

> -- 
> Best Regards,
> Suresh Kumar Prajapati
> Linux Security Admin
> E-mail: er.sureshprajap...@gmail.com
> Pencils could be made with erasers at both ends, but what would be the point?

-- 
state of mind () Digital Communication
http://www.state-of-mind.de
Franziskanerstraße 15          Phone +49 89 3090 4664
81669 München                  Fax   +49 89 3090 4666
Munich Local Court             Partnership register PR 563
virtual aliases and unlisted email addresses
Hello,

I'm currently using two Postfix servers. One is the MX server; it does grey/blacklisting and content filtering, and forwards accepted emails to a second server. The second Postfix (let's call it MailGW) does virtual aliasing, and delivery according to a transport map.

Currently, an email coming from outside for one of our domains enters MX and is transferred to MailGW, where its recipient addresses are converted (most of the time) to someth...@mail.univ-lyon2.fr and forwarded via the transport map to the final destination servers.

Soon, our final destination servers will change (to Google Apps' servers). For a few months, we will have to provide double delivery. Unfortunately, Google servers will receive emails for the domain univ-lyon2.fr. So the virtual aliases map will look something like this:

public-addr...@univ-lyon2.fr    u...@mail.univ-lyon2.fr, public-addr...@univ-lyon2.fr
some-al...@univ-lyon2.fr        u...@mail.univ-lyon2.fr, public-addr...@univ-lyon2.fr
...

and the transport map will look like this:

mail.univ-lyon2.fr    smtp:[final destination servers]
univ-lyon2.fr         smtp:ASPMX.L.GOOGLE.COM
...

That's not pretty, but it works. After the period of double delivery is over, we will deliver emails only to Google servers. So the virtual aliases map is to look like:

public-addr...@univ-lyon2.fr    public-addr...@univ-lyon2.fr
some-al...@univ-lyon2.fr        public-addr...@univ-lyon2.fr
...

The first line looks pretty silly to me. Is there any way to tell that addresses not listed in the virtual aliases map are to be forwarded as is?

Thanks,

Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2
Error message for a couple of mails : lost connection ...
Hello,

For around 5% of our outgoing mails we get the message:

lost connection with mail-provider while sending end of data -- message may be sent more than once

All mails go through our mail provider. There are no dependencies on the size of the mail or the mail address. It takes a few hours, then the mails are sent. Unfortunately, some of these mails are sent two or three times - as the message says.

# cat /proc/sys/net/ipv4/tcp_window_scaling
0
# cat /proc/sys/net/ipv4/tcp_timestamps
0
# cat /proc/sys/net/ipv4/tcp_sack
1

MTU = 1500

# cat /proc/sys/net/core/[rw]mem_max
256960
256960
# cat /proc/sys/net/core/[rw]mem_default
256960
256960

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 200
mail_owner = postfix
mailbox_command = /usr/bin/procmail -a $USER
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 35389440
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, kinderkrankenhaus.net
mydomain = akk.local
myhostname = postfix.akk.local
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = smtp.1und1.de
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_xfer_timeout = 600
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_pwds
smtp_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550

Firewall: FortiGate 110C

Many thanks in advance.

Andreas Barchfeld

**
AKK Altonaer Kinderkrankenhaus gGmbH
Academic teaching hospital of the University of Hamburg
Management: Christiane Dienhold
Registry court: Amtsgericht Hamburg HRB 87427
Registered office: Hamburg
HSH Nordbank AG - bank code 210 500 00 - account number 1000103405
**
This E-Mail contains confidential and/or proprietary information. If you are not the intended recipient, or if you received the E-Mail by mistake, we ask you to notify the sender immediately and destroy this E-Mail. The unauthorized reproduction or distribution of this E-Mail is prohibited.
**
Re: Anyone run Postfix in FreeBSD jails environement ?
On 06/08/11 06:09, Frank Bonnet wrote:
> Is anyone running Postfix in a FreeBSD jails environment with success on a production server? I'm thinking of it and would be interested in any successful experience.

Yes. (Using it for about 8 years now, cannot remember any jails related problem.)

-- 
Martin
Re: Anyone run Postfix in FreeBSD jails environement ?
Hi

On 8 June 2011 at 12:07, Martin Schütte wrote:
> On 06/08/11 06:09, Frank Bonnet wrote:
>> Is anyone running Postfix in a FreeBSD jails environment with success on a production server? I'm thinking of it and would be interested in any successful experience.
>
> Yes. (Using it for about 8 years now, cannot remember any jails related problem.)

I use it in FreeBSD jails for ages... No problems at all...

/Xavier
Re: Error message for a couple of mails : lost connection ...
Quoting "Barchfeld, Andreas" <andreas.barchf...@kinderkrankenhaus.net>:
> Hello,
>
> For around 5% of our outgoing mails we get the message:
>
> lost connection with mail-provider while sending end of data -- message may be sent more than once
>
> All mails go through our mail provider. There are no dependencies on the size of the mail or the mail address. It takes a few hours, then the mails are sent. Unfortunately, some of these mails are sent two or three times - as the message says.
>
> # cat /proc/sys/net/ipv4/tcp_window_scaling
> # cat /proc/sys/net/ipv4/tcp_timestamps
> # cat /proc/sys/net/ipv4/tcp_sack
> 1
>
> MTU = 1500
>
> # cat /proc/sys/net/core/[rw]mem_max
> 256960
> 256960
> # cat /proc/sys/net/core/[rw]mem_default
> 256960
> 256960
>
> # postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> local_destination_concurrency_limit = 5
> local_destination_recipient_limit = 200
> mail_owner = postfix
> mailbox_command = /usr/bin/procmail -a $USER
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 35389440
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, kinderkrankenhaus.net
> mydomain = akk.local
> myhostname = postfix.akk.local
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix/README_FILES
> relayhost = smtp.1und1.de
> sample_directory = /usr/share/doc/postfix/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_data_xfer_timeout = 600
> smtp_generic_maps = hash:/etc/postfix/generic
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_pwds
> smtp_sasl_security_options = noanonymous
> unknown_local_recipient_reject_code = 550
>
> Firewall: FortiGate 110C

To debug the problem you need a complete tcpdump from both ends of a failing mail. What might be the problem:

- Content filter (pre-queue) at the provider side which has load/concurrency issues
- Stateful firewall with SMTP fixup issues at your side or the remote
- Network errors regarding SACK/PMTU/window scaling/ECN, whatever

You might try to dumb down Postfix smtp with smtp_discard_ehlo_keywords to not use features like ESMTP pipelining first, but as said, to debug the problem tcpdumps will be preferred.

Regards

Andreas
Re: fqrdns.regexp
Steve Jenkins wrote:
> On Tue, Jun 7, 2011 at 7:06 AM, Бак Микаел <mikael@yandex.ru> wrote:
>> Hi list,
>>
>> Reading the archives I saw that there is a nice regexp with dynamic hostnames available here: www.hardwarefreak.com/fqrdns.regexp
>>
>> Unfortunately this file seems to be unavailable at the moment for some reason. Do you guys happen to know from where this file's latest version can be downloaded?
>>
>> TIA,
>> Mikael
>
> It's http://www.hardwarefreak.com/fqrdns.pcre

Oh, thanks. The maintainer must have renamed it.

I don't know if the author reads this, but I'd suggest a smallish change for the next release: put only REJECT alone on each line instead of having custom text. This makes it easier for anyone to change that (using sed) to a custom restriction class.

Thanks!
Mikael
Re: fqrdns.regexp
On 6/8/2011 8:35 AM, Бак Микаел wrote:
> Steve Jenkins wrote:
>> It's http://www.hardwarefreak.com/fqrdns.pcre
>
> Oh, thanks. The maintainer must have renamed it.
>
> I don't know if the author reads this, but I'd suggest a smallish change for the next release: put only REJECT alone on each line instead of having custom text. This makes it easier for anyone to change that (using sed) to a custom restriction class.

You can do that yourself, example:

sed -i -e 's/REJECT.*/my_custom_reject/' fqrdns.pcre
expensive checks first
Hello,

Say I wanted to whitelist a specific email recipient always and forever, but apply normal spam checks to everything else, could I do that? I.e. can I do the expensive checks in smtpd_recipient_restrictions first?

Thanks.
Re: expensive checks first
2011/6/8 Wietse Venema <wie...@porcupine.org>:
> jimbob palmer:
>> Hello,
>>
>> Say I wanted to whitelist a specific email recipient always and forever, but apply normal spam checks to everything else, could I do that? I.e. can I do the expensive checks in smtpd_recipient_restrictions first?
>
> /etc/postfix/main.cf:
>     smtpd_recipient_restrictions =
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject_unauth_destination
>         check_recipient_access hash:/etc/postfix/rcpt_access
>         ...least expensive checks here...
>         ...most expensive checks here...
>
> /etc/postfix/rcpt_access:
>     sa...@example.com    permit
>
>         Wietse

Thanks.
Re: Anyone run Postfix in FreeBSD jails environement ?
> Is anyone running Postfix in a FreeBSD jails environment with success on a production server? I'm thinking of it and would be interested in any successful experience.

FreeBSD older than 7.2 did not support multiple IP addresses in a jail (e.g. an IPv6 address, or a separate mail submission IP address). More recent versions should be fine.

Mark
Re: virtual aliases and unlisted email addresses
On Wed, Jun 08, 2011 at 11:33:48AM +0200, Patrick Proniewski wrote:
> After the period of double delivery is over, we will deliver emails only to Google servers. So the virtual aliases map is to look like:
>
> public-addr...@univ-lyon2.fr    public-addr...@univ-lyon2.fr
> some-al...@univ-lyon2.fr        public-addr...@univ-lyon2.fr
> ...
>
> The first line looks pretty silly to me. Is there any way to tell that addresses not listed in the virtual aliases map are to be forwarded as is?

Your gateway needs a table of valid recipients; the domain in question is presumably configured as a relay domain by being listed in $relay_domains. If you don't want to have identity mappings in virtual_alias_maps, you need to add entries to relay_recipient_maps:

main.cf:
    # Use cdb if you have it.
    default_database_type = hash
    indexed = ${default_database_type}:${config_directory}/
    relay_recipient_maps = ${indexed}relay_rcpts

relay_rcpts:
    public-addr...@univ-lyon2.fr    valid
    ...

where the word "valid" on the right hand side of the table can be replaced by any non-empty value that makes sense to you. Postfix only needs the lookup key to map to a non-empty result.

This said, the identity virtual_alias_maps mappings are a fine way to achieve the same result. The lookup will be done anyway, and you already have a virtual alias table, so it may in fact be simpler to keep using the identity mappings, but you MUST make sure that relay_recipient_maps (assuming the domain is a relay domain) is set to some table (be it one with no entries).

main.cf:
    # All relay recipients are listed in virtual_alias_maps, so just
    # create and postmap an empty file.
    #
    relay_recipient_maps = ${indexed}empty

-- 
	Viktor.
Re: postscreen_dnsbl_sites vs. reject_rbl_client
Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks into postscreen). Is such a thing planned, not planned, or perhaps intrinsically evil for some reason I'm not thinking of?

Rich Wales
ri...@richw.org
smtpd_reject_unlisted_recipient vs. reject_unlisted_recipient
Given the smtpd_reject_unlisted_recipient parameter (which is "yes" by default), is there any reason to include reject_unlisted_recipient in my smtpd_recipient_restrictions? It would seem that doing this would be redundant -- or am I missing some subtle point?

I also note there is an smtpd_reject_unlisted_sender parameter (which is "no" by default). What issues would I want to consider before deciding to enable this parameter in my configuration?

I'm running Postfix 2.8.1 on an Ubuntu server.

Rich Wales
ri...@richw.org
Re: postscreen_dnsbl_sites vs. reject_rbl_client
On 6/8/2011 12:05 PM, Rich Wales wrote:
> Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks into postscreen). Is such a thing planned, not planned, or perhaps intrinsically evil for some reason I'm not thinking of?
>
> Rich Wales
> ri...@richw.org

The postscreen program doesn't do reverse DNS lookups in the interest of speed and simplicity. As a consequence, it is not possible to do any hostname-based filtering in postscreen. There are no current plans to change this.

-- 
Noel Jones
Re: smtpd_reject_unlisted_recipient vs. reject_unlisted_recipient
On 6/8/2011 12:11 PM, Rich Wales wrote:
> Given the smtpd_reject_unlisted_recipient parameter (which is "yes" by default), is there any reason to include reject_unlisted_recipient in my smtpd_recipient_restrictions? It would seem that doing this would be redundant -- or am I missing some subtle point?

The smtpd_reject_unlisted_recipient check is performed after all the specified smtpd_recipient_restrictions entries. Some people want to perform the check sooner in the process, so reject_unlisted_recipient can be specified where you want the test performed. If you specify reject_unlisted_recipient, the later smtpd_reject_unlisted_recipient test is skipped (or rather, not repeated).

> I also note there is an smtpd_reject_unlisted_sender parameter (which is "no" by default). What issues would I want to consider before deciding to enable this parameter in my configuration?

Some people intentionally send mail from users that can't receive mail. This is off by default to prevent surprises. I would recommend using this restriction if it doesn't break anything.

-- 
Noel Jones
Re: smtpd_reject_unlisted_recipient vs. reject_unlisted_recipient
> The smtpd_reject_unlisted_recipient check is performed after all the specified smtpd_recipient_restrictions entries.

I assume the smtpd_reject_unlisted_recipient check is performed (and could cause mail to be rejected) even though the processing of the smtpd_recipient_restrictions ended with a "permit", right? (I think this would have to be the case, otherwise it wouldn't make any sense, but . . . .)

So, having smtpd_reject_unlisted_recipient = yes is not exactly the same as having reject_unlisted_recipient at the very end of the list of smtpd_recipient_restrictions items. (Or is it?)

Rich Wales
ri...@richw.org
Re: smtpd_reject_unlisted_recipient vs. reject_unlisted_recipient
On 6/8/2011 12:51 PM, Rich Wales wrote:
>> The smtpd_reject_unlisted_recipient check is performed after all the specified smtpd_recipient_restrictions entries.
>
> I assume the smtpd_reject_unlisted_recipient check is performed (and could cause mail to be rejected) even though the processing of the smtpd_recipient_restrictions ended with a "permit", right? (I think this would have to be the case, otherwise it wouldn't make any sense, but . . . .)

The smtpd_reject_unlisted_recipient = yes check is performed regardless of what you specify in smtpd_recipient_restrictions.

> So, having smtpd_reject_unlisted_recipient = yes is not exactly the same as having reject_unlisted_recipient at the very end of the list of smtpd_recipient_restrictions items. (Or is it?)

Effectively the same.

-- 
Noel Jones
per-user usage metering
Hi, Postfix. Long-time fan, first time poster.

I need to keep track of per-user use of our SASL-authenticated outbound relay, and to reject mail from users who are exceeding their allowed usage. The records of their usage need to be accessible to me elsewhere over extended durations, although their specific format isn't a huge concern.

There is an existing system in place for this, but it's got a serious race condition in it, and I'm not 100% sure that my idea to deal with the problem is a great one.

Right now, users authenticate with SASL, and that's fine. The mail then goes through a unix socket policy service via smtpd_sender_restrictions. This looks up the account (based on the sasl_username) and then checks their recent usage in a usage database. If they are over usage, it returns a 450. If they are not over usage, it signals success by prepending a header.

Mail with that header is routed to another transport by header_checks. This other transport is responsible for performing a content spam check. If the message is spam, it is sent to an uninteresting destination. If it is not, the message (size, recipients, spam-check score, etc.) is recorded in the usage database and the message is re-injected to its final destination.

The race condition is simple: the smtpd can accept a lot of mail before the logging transport can write to the usage database, meaning users can bypass the usage limits.

My first moronic attempt to fix this was to move some of the logging to the policy service, and to communicate the record id via the added header to the logging transport, so it could update the record with the spam check score. I had forgotten that the policy service was being queried once *per recipient*, with the obvious problem that each message was logged multiple times. I didn't want to try coordinating based on instance id (incrementing the recipient count each time, etc.) -- and anyway, there is another problem: the mail might pass all the recipient restrictions and then fail during DATA.

My current thinking is this:

1. a fast, idempotent policy service will check usage at rcpt time so that we can avoid accepting DATA if the user is over quota; it will signal acceptance with OK

2. an end_of_data_restriction will log the recipient count, size, etc; it will signal acceptance by PREPENDing the record identifier

3. the logging transport will still exist, and will do the content checks and update the record with the spam score

I'm not sure whether I am worried about the logging done by end_of_data resulting in logging messages that for some reason do not reach the logging transport. In that case, I may mark the records as pending, with the logging transport marking them accepted, and another job purging pending records regularly.

Does this make sense? Is it a terrible idea? Is this all already covered by some simple interface I have yet to discover?

-- 
rjbs
Re: per-user usage metering
On Wed, Jun 08, 2011 at 02:18:41PM -0400, Ricardo Signes wrote:
> My first moronic attempt to fix this was to move some of the logging to the policy service, and to communicate the record id via the added header to the logging transport, so it could update the record with the spam check score. I had forgotten that the policy service was being queried once *per recipient*, with the obvious problem that each message was logged multiple times. I didn't want to try coordinating based on instance id (incrementing the recipient count each time, etc.) -- and anyway, there is another problem: the mail might pass all the recipient restrictions and then fail during DATA.

It is easy to determine which policy service requests are for additional recipients of the same message.

> My current thinking is this:
>
> 1. a fast, idempotent policy service will check usage at rcpt time so that we can avoid accepting DATA if the user is over quota; it will signal acceptance with OK
>
> 2. an end_of_data_restriction will log the recipient count, size, etc; it will signal acceptance by PREPENDing the record identifier
>
> 3. the logging transport will still exist, and will do the content checks and update the record with the spam score

Sounds sensible.

-- 
	Viktor.
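The RCPT-time quota check and END-OF-MESSAGE accounting from steps 1 and 2 of the plan above, keyed on the policy request's "instance" attribute as Viktor suggests, as an added example that is not part of the original posts, of Ricardo's service or of Postfix itself. It speaks the Postfix policy delegation protocol (name=value lines ended by an empty line, reply "action=..." plus an empty line); the quota value, the X-Usage-Record header name, the rec-N record ids and the in-memory store are constructed for illustration.

```python
"""Per-user relay metering as a Postfix SMTPD policy service (added example)."""
import itertools
from typing import Dict, Iterable

MESSAGE_QUOTA = 2  # constructed limit: messages per SASL user per accounting window


def parse_policy_request(lines: Iterable[str]) -> Dict[str, str]:
    """Collect the name=value attributes Postfix sends; stop at the blank line."""
    attrs: Dict[str, str] = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed policy attribute: {line!r}")
        attrs[name] = value
    return attrs


class UsageMeter:
    """Quota check at RCPT time, accounting at END-OF-MESSAGE.

    Postfix asks once per RCPT TO, but every request for one message carries the
    same 'instance' attribute.  The first RCPT request for an instance reserves
    one message of quota; further recipients of that message repeat the verdict
    without reserving again.  The END-OF-MESSAGE request turns the reservation
    into a usage record and PREPENDs the record id for the logging transport.
    Reserving at RCPT time closes the race in which many messages are accepted
    before the first one is written to the usage store.
    """

    def __init__(self, quota: int = MESSAGE_QUOTA) -> None:
        self.quota = quota
        self.recorded: Dict[str, int] = {}   # sasl_username -> messages recorded
        self.pending: Dict[str, str] = {}    # instance -> sasl_username holding a reservation
        self.verdicts: Dict[str, str] = {}   # instance -> RCPT-time action already given
        self.records: Dict[str, Dict[str, str]] = {}  # record id -> accounting data
        self._ids = itertools.count(1)

    def in_flight(self, user: str) -> int:
        """Messages accepted at RCPT time but not yet seen at END-OF-MESSAGE."""
        return sum(1 for holder in self.pending.values() if holder == user)

    def _rcpt(self, user: str, instance: str) -> str:
        if instance in self.verdicts:
            return self.verdicts[instance]   # additional recipient of the same message
        if self.recorded.get(user, 0) + self.in_flight(user) >= self.quota:
            action = "450 4.7.1 Sending quota exceeded, try again later"
        else:
            self.pending[instance] = user
            action = "OK"
        self.verdicts[instance] = action
        return action

    def _end_of_message(self, user: str, instance: str, attrs: Dict[str, str]) -> str:
        # A real service would also expire reservations whose session never reached DATA.
        self.pending.pop(instance, None)
        self.verdicts.pop(instance, None)
        self.recorded[user] = self.recorded.get(user, 0) + 1
        record_id = f"rec-{next(self._ids)}"  # constructed id format
        self.records[record_id] = {
            "user": user,
            "size": attrs.get("size", "0"),
            "recipient_count": attrs.get("recipient_count", "0"),
            "status": "pending",  # the logging transport later marks it accepted
        }
        return f"PREPEND X-Usage-Record: {record_id}"  # constructed header name

    def decide(self, attrs: Dict[str, str]) -> str:
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        user, instance = attrs.get("sasl_username", ""), attrs.get("instance", "")
        if not user or not instance:
            return "DUNNO"  # not an authenticated submission; other restrictions decide
        state = attrs.get("protocol_state", "")
        if state == "RCPT":
            return self._rcpt(user, instance)
        if state == "END-OF-MESSAGE":
            return self._end_of_message(user, instance, attrs)
        return "DUNNO"

    def handle(self, raw_request: str) -> str:
        """One request in, one reply out, in Postfix policy wire format."""
        attrs = parse_policy_request(raw_request.splitlines(keepends=True))
        return "action=" + self.decide(attrs) + "\n\n"


def build_request(**attrs: str) -> str:
    """Assemble a policy request block (constructed input for the example)."""
    return "".join(f"{name}={value}\n" for name, value in attrs.items()) + "\n"
```

Wire it in with check_policy_service in smtpd_recipient_restrictions and again in smtpd_end_of_data_restrictions; the same process serves both stages.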
Re: postscreen_dnsbl_sites vs. reject_rbl_client
On Wed, Jun 08, 2011 at 10:05:05AM -0700, Rich Wales wrote:
> Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks into postscreen).

Why move any checks into postscreen? I basically left my smtpd restrictions alone. I figure they can't hurt and might help. Sure, they are lonely and mostly unused, but they were a good policy in pre-postscreen days, so they're still good.

I can give an example of when/why they might help. Under stress, postscreen reduces the greet pause to 2 seconds. Under stress, the possibility that DNSBL responses might be delayed is greater. Why would you not avail yourself of that second chance to query zen.spamhaus.org? It's cached now at your nameserver, whether positive or negative, so it hurts nothing.

> Is such a thing planned, not planned, or perhaps intrinsically evil for some reason I'm not thinking of?

I think postscreen needs to stay lightweight and fast. It does not need to replace all the antispam functionality of smtpd.

-- 
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
Re: postscreen_dnsbl_sites vs. reject_rbl_client
Rich Wales:
> Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks into postscreen). Is such a thing planned, not planned, or perhaps intrinsically evil for some reason I'm not thinking of?

I concur with what others wrote, and would like to emphasize again that postscreen is not a REPLACEMENT for existing smtpd features. It is a filter that blocks the most suspicious clients with the smallest possible effort. The existing Postfix features can take care of the rest of the problem.

	Wietse
Re: fqrdns.regexp
On 08/06/2011 14:35, Бак Микаел wrote:
> Steve Jenkins wrote:
>> On Tue, Jun 7, 2011 at 7:06 AM, Бак Микаел <mikael@yandex.ru> wrote:
>>> Hi list,
>>>
>>> Reading the archives I saw that there is a nice regexp with dynamic hostnames available here: www.hardwarefreak.com/fqrdns.regexp
>>>
>>> Unfortunately this file seems to be unavailable at the moment for some reason. Do you guys happen to know from where this file's latest version can be downloaded?
>>>
>>> TIA,
>>> Mikael
>>
>> It's http://www.hardwarefreak.com/fqrdns.pcre
>
> Oh, thanks. The maintainer must have renamed it.

I am not sure Stan made it public. He provided it to a limited audience. If the whole internet starts downloading it every second, he'll get angry...

> I don't know if the author reads this, but I'd suggest a smallish change for the next release: put only REJECT alone on each line instead of having custom text.

On the contrary, I suggest removing the action part (if different actions are needed, simply use different files).

> This makes it easier for anyone to change that (using sed) to a custom restriction class.
>
> Thanks!
> Mikael
Re: expensive checks first
On 08/06/2011 15:21, jimbob palmer wrote:
> Hello,
>
> Say I wanted to whitelist a specific email recipient always and forever, but apply normal spam checks to everything else, could I do that?

Yes. My standard setup includes a check_recipient_access just after reject_unauth_destination.

> I.e. can I do the expensive checks in smtpd_recipient_restrictions first?

There must be some language issue here... One puts expensive checks as late as possible. But of course, whitelists go before common checks.

PS. Why does your mail go to @cloud9.net?

> Thanks.
Re: per-user usage metering
Quoting Ricardo Signes <postfix.us...@rjbs.manxome.org>:
> Hi, Postfix. Long-time fan, first time poster.
>
> I need to keep track of per-user use of our SASL-authenticated outbound relay, and to reject mail from users who are exceeding their allowed usage. The records of their usage need to be accessible to me elsewhere over extended durations, although their specific format isn't a huge concern.

Have you checked if http://www.policyd.org/ would fit? At least it is able to manage user quota based on number and size of e-mails sent.

Regards

Andreas
Re: fqrdns.regexp
On 6/8/2011 7:35 AM, Бак Микаел wrote:
> Steve Jenkins wrote:
>> On Tue, Jun 7, 2011 at 7:06 AM, Бак Микаел <mikael@yandex.ru> wrote:
>>> Hi list,
>>>
>>> Reading the archives I saw that there is a nice regexp with dynamic hostnames available here: www.hardwarefreak.com/fqrdns.regexp
>>>
>>> Unfortunately this file seems to be unavailable at the moment for some reason. Do you guys happen to know from where this file's latest version can be downloaded?
>>>
>>> TIA,
>>> Mikael
>>
>> It's http://www.hardwarefreak.com/fqrdns.pcre
>
> Oh, thanks. The maintainer must have renamed it.

Yes, I renamed it quite a long time ago (in internet time) when it was suggested running it through the pcre engine was more optimal. If memory serves me correctly, I made the change something like a year ago, or more, maybe much more.

> I don't know if the author reads this, but I'd suggest a smallish change for the next release: put only REJECT alone on each line instead of having custom text. This makes it easier for anyone to change that (using sed) to a custom restriction class.

The custom text exists for the benefit of victims of false positives, and for easy log parsing/statistics generation. Changing it is trivial with sed, as Brian mentioned.

-- 
Stan
Re: fqrdns.regexp
On 6/8/2011 3:06 PM, mouss wrote: I am not sure Stan made it public. he provided it to a limited audience. if the whole internet starts downloading it every second, he'll get angry... It's intended to be public, free for anyone to use. Mouss, if what you described were to occur, you wouldn't know if I was angry. The pipe the file is hosted on would be so clogged I'd not be able to get a message out. ;) I don't know if the author reads this, but I'd suggest a smallish change for the next release: Put only REJECT alone on each line instead of having custom text. on the opposite, I suggest removing the action part (if different actions are needed, simply use different files). Some people change all the actions to PREPENDs for scoring use in SA et al. Given that these expressions target almost exclusively consumer/residential type rDNS patterns, it is my opinion that it's best used as is in combination with dnswl and local whitelisting. YMMV. -- Stan
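The two messages above discuss re-targeting the action column of fqrdns.pcre (keeping the custom REJECT text, replacing it with a bare restriction class, or turning every entry into a PREPEND for scoring). As an added example, not the maintainer's code and not taken from the real file, here is a small Python tool that parses a pcre: access table, rewrites every rule's action while leaving patterns, flags and comments untouched, and looks a hostname up with Postfix's first-match semantics. The three patterns, the hostnames and the restriction class name `dynamic_rdns` are constructed; Postfix's own `postmap -q hostname pcre:/path/to/table` is the authoritative way to test a real table.

```python
"""Rewrite the action column of a Postfix pcre: access table and look hostnames up.

Added example, not fqrdns.pcre itself: the rules below are constructed stand-ins
in the same `/pattern/flags  action text` layout (see pcre_table(5)).
"""
import re

SAMPLE_TABLE = r"""# generic dynamic-IP rDNS shapes (constructed examples, not from fqrdns.pcre)
/^(\d+[.-]){4}dyn\.example\.net$/      REJECT Generic - Please relay via ISP (example.net)
/^dsl-\d+-\d+\.example\.com$/          REJECT Generic - Please relay via ISP (example.com)
/^cable\.example\.org$/                REJECT Generic - Please relay via ISP (example.org)
"""

# /pattern/flags<whitespace>action; the pattern may contain escaped slashes.
LINE_RE = re.compile(r"^/((?:\\.|[^/])*)/([a-zA-Z!]*)\s+(.*?)\s*$")


def _rule(line):
    """Return the regex match for a rule line, or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = LINE_RE.match(stripped)
    if not m:
        raise ValueError("unparsable pcre table line: %r" % line)
    return m


def parse_pcre_table(text):
    """Return [(pattern, flags, action), ...] in file order."""
    return [m.groups() for m in map(_rule, text.splitlines()) if m]


def rewrite_actions(text, new_action):
    """Replace every rule's action with new_action (e.g. a restriction class name
    or 'PREPEND X-Dynamic-rDNS: yes'); comments and blank lines pass through."""
    out = []
    for line in text.splitlines():
        m = _rule(line)
        out.append("/%s/%s\t%s" % (m.group(1), m.group(2), new_action) if m else line)
    return "\n".join(out) + "\n"


def lookup(text, hostname):
    """First matching rule wins, as in Postfix; None when no rule matches.
    Postfix pcre tables are case-insensitive by default, hence IGNORECASE."""
    for pattern, _flags, action in parse_pcre_table(text):
        if re.search(pattern, hostname, re.IGNORECASE):
            return action
    return None


if __name__ == "__main__":
    scored = rewrite_actions(SAMPLE_TABLE, "PREPEND X-Dynamic-rDNS: yes")
    for host in ("1.2.3.4.dyn.example.net", "mail.example.com"):
        print(host, "->", lookup(SAMPLE_TABLE, host), "|", lookup(scored, host))
```

A rewritten table whose actions name a restriction class (the `dynamic_rdns` case) only works if that class is defined in `smtpd_restriction_classes`, which is exactly why the thread suggests a bare action per line: the same file can then feed a REJECT, a PREPEND or a class without touching the patterns.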
..::Troubleshooting Advice::..
Hi list. We are going to work with an old Postfix (I mean old because this Postfix was installed and administered by another person). It works with LDAP. I don't have any experience working with LDAP authentication. I was wondering if you can give me some advice for troubleshooting; any advice will be appreciated. Thanks in advance. Regards. Alfonso.
Re: ..::Troubleshooting Advice::..
On Wed, 2011-06-08 at 19:40:13 -0500, Alfonso Alejandro Reyes Jimenez wrote: We are going to work with an old Postfix (I mean old because this Postfix was installed and administered by another person). It works with LDAP. I don't have any experience working with LDAP authentication. I was wondering if you can give me some advice for troubleshooting; any advice will be appreciated. Your question is too general to be answered with specificity. Please describe an *actual* problem. Before responding, carefully consult the DEBUG_README, a document to which you were introduced upon joining this mailing list: http://www.postfix.org/DEBUG_README.html#mail For general information about LDAP support in Postfix: http://www.postfix.org/LDAP_README.html http://www.postfix.org/ldap_table.5.html -- Sahil Tandon sa...@freebsd.org
RE: ..::Troubleshooting Advice::..
Thanks. Actually there's no problem right now; I'm just looking for some advice about troubleshooting. Something like what other users think could be a good start. Thanks for the links, I will check them out. Alfonso. -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Sahil Tandon Sent: Wednesday, 08 June 2011 07:46 p.m. To: postfix-users@postfix.org Subject: Re: ..::Troubleshooting Advice::.. On Wed, 2011-06-08 at 19:40:13 -0500, Alfonso Alejandro Reyes Jimenez wrote: We are going to work with an old Postfix (I mean old because this Postfix was installed and administered by another person). It works with LDAP. I don't have any experience working with LDAP authentication. I was wondering if you can give me some advice for troubleshooting; any advice will be appreciated. Your question is too general to be answered with specificity. Please describe an *actual* problem. Before responding, carefully consult the DEBUG_README, a document to which you were introduced upon joining this mailing list: http://www.postfix.org/DEBUG_README.html#mail For general information about LDAP support in Postfix: http://www.postfix.org/LDAP_README.html http://www.postfix.org/ldap_table.5.html -- Sahil Tandon sa...@freebsd.org
Re: ..::Troubleshooting Advice::..
On 6/8/2011 7:55 PM, Alfonso Alejandro Reyes Jimenez wrote: Thanks. Actually there's no problem right now; I'm just looking for some advice about troubleshooting. Something like what other users think could be a good start. Thanks for the links, I will check them out. Alfonso. If your question is more "how can I prepare for future possible problems?" my advice would be:
- become familiar with postfix in general. The official documentation should be trusted before any outside sources. http://www.postfix.org/documentation.html
- become familiar with reading the postfix logs. Most of the log entries are self-explanatory; search the postfix-users list archives or ask here if there's something you don't understand. Knowing what normal logs look like will help isolate a problem later. http://www.postfix.org/DEBUG_README.html#logging
- become familiar with your system's config. In particular, postconf will display all of postfix's current settings (the vast majority of which should be at their default value), and postconf -n will display the settings explicitly set in your main.cf. Find out what the settings you're using are supposed to do. http://www.postfix.org/postconf.1.html http://www.postfix.org/postconf.5.html
- become familiar with LDAP. That's really outside the scope of postfix, but since your system is using it, you should have some idea of how it's supposed to work.
- If you're a book person, The Book of Postfix by Ralf Hildebrandt and Patrick Koetter is excellent, although it's getting a little dated (an unavoidable problem of books covering evolving software). http://www.postfix-book.com or your favorite bookstore.
-- Noel Jones
RE: ..::Troubleshooting Advice::..
Great advice, thanks. I will follow your recommendations. Regards. Alfonso. -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Noel Jones Sent: Wednesday, 08 June 2011 08:36 p.m. To: postfix-users@postfix.org Subject: Re: ..::Troubleshooting Advice::.. On 6/8/2011 7:55 PM, Alfonso Alejandro Reyes Jimenez wrote: Thanks. Actually there's no problem right now; I'm just looking for some advice about troubleshooting. Something like what other users think could be a good start. Thanks for the links, I will check them out. Alfonso. If your question is more "how can I prepare for future possible problems?" my advice would be: - become familiar with postfix in general. The official documentation should be trusted before any outside sources. http://www.postfix.org/documentation.html - become familiar with reading the postfix logs. Most of the log entries are self-explanatory; search the postfix-users list archives or ask here if there's something you don't understand. Knowing what normal logs look like will help isolate a problem later. http://www.postfix.org/DEBUG_README.html#logging - become familiar with your system's config. In particular, postconf will display all of postfix's current settings (the vast majority of which should be at their default value), and postconf -n will display the settings explicitly set in your main.cf. Find out what the settings you're using are supposed to do. http://www.postfix.org/postconf.1.html http://www.postfix.org/postconf.5.html - become familiar with LDAP. That's really outside the scope of postfix, but since your system is using it, you should have some idea of how it's supposed to work. - If you're a book person, The Book of Postfix by Ralf Hildebrandt and Patrick Koetter is excellent, although it's getting a little dated (an unavoidable problem of books covering evolving software). http://www.postfix-book.com or your favorite bookstore. -- Noel Jones
Clarification between smtpd_sender_restrictions smtpd_recipient_restrictions
Hi, I'm a bit confused between smtpd_recipient_restrictions (http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions) and smtpd_sender_restrictions. I want to implement an RBL on my mail server and I was thinking of having reject_rbl_client in smtpd_sender_restrictions. If someone could clarify this for me it would be great. thanks
Re: Clarification between smtpd_sender_restrictions smtpd_recipient_restrictions
On Thu, 2011-06-09 at 07:30:31 +0530, Janantha Marasinghe wrote: I'm a bit confused between smtpd_recipient_restrictions (http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions) and smtpd_sender_restrictions. I want to implement an RBL on my mail server and I was thinking of having reject_rbl_client in smtpd_sender_restrictions. If someone could clarify this for me it would be great. http://www.postfix.org/SMTPD_ACCESS_README.html -- Sahil Tandon sa...@freebsd.org
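Both this exchange and the whitelist thread earlier on the page ("check_recipient_access just after reject_unauth_destination", expensive checks last) come down to how Postfix walks a restriction list: each entry returns OK, REJECT or DUNNO, the first OK or REJECT ends the evaluation, and DUNNO falls through. The following added example, which is a simplified model written for this page and not Postfix code, encodes that rule for four restrictions and shows the two consequences the posters rely on: a recipient whitelist placed after reject_unauth_destination bypasses reject_rbl_client without opening relaying, while the same whitelist placed before it would relay for any whitelisted address outside mydestination (the situation SMTPD_ACCESS_README warns about). The networks, domains, the `dnsbl.example` zone and its listing are all constructed; the real lookups differ in detail (the access-table lookup order and the DNS query are simplified).

```python
"""Model of Postfix smtpd_recipient_restrictions evaluation order.

Added example, not Postfix code. Modelled main.cf (hypothetical values):

    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/recipient_whitelist
        reject_rbl_client dnsbl.example
"""
import ipaddress

# Constructed site data.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"example.org"}
# Stand-in for hash:/etc/postfix/recipient_whitelist; the second entry is a
# recipient outside mydestination that someone whitelisted without thinking.
RECIPIENT_WHITELIST = {"abuse@example.org": "OK", "ticket@helpdesk.example.net": "OK"}
DNSBL = {"dnsbl.example": {"198.51.100.7"}}   # stand-in for the DNS-based lookup


def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_address"])
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(s):
    domain = s["recipient"].rpartition("@")[2].lower()
    return "DUNNO" if domain in MYDESTINATION else "REJECT relay access denied"


def check_recipient_access(table):
    def restriction(s):
        rcpt = s["recipient"].lower()
        # Simplified: full address, then domain (Postfix also tries the local part).
        return table.get(rcpt) or table.get(rcpt.rpartition("@")[2]) or "DUNNO"
    return restriction


def reject_rbl_client(zone):
    def restriction(s):
        if s["client_address"] in DNSBL.get(zone, set()):
            return "REJECT blocked using %s" % zone
        return "DUNNO"
    return restriction


def evaluate(restrictions, session):
    """First OK or REJECT decides; if every entry says DUNNO the result is OK."""
    for restriction in restrictions:
        result = restriction(session)
        if result != "DUNNO":
            return result
    return "OK"


SAFE_ORDER = [permit_mynetworks, reject_unauth_destination,
              check_recipient_access(RECIPIENT_WHITELIST),
              reject_rbl_client("dnsbl.example")]

# Misconfiguration kept for comparison: the OK lookup runs before relay control.
OPEN_RELAY_ORDER = [permit_mynetworks, check_recipient_access(RECIPIENT_WHITELIST),
                    reject_unauth_destination, reject_rbl_client("dnsbl.example")]


def classify(order, client_address, recipient):
    return evaluate(order, {"client_address": client_address, "recipient": recipient})


if __name__ == "__main__":
    cases = [("198.51.100.7", "abuse@example.org"),
             ("198.51.100.7", "postmaster@example.org"),
             ("203.0.113.5", "ticket@helpdesk.example.net")]
    for name, order in (("safe", SAFE_ORDER), ("open-relay", OPEN_RELAY_ORDER)):
        for client, rcpt in cases:
            print("%-10s %-14s %-30s %s" % (name, client, rcpt, classify(order, client, rcpt)))
```

The same model answers the question in this thread: reject_rbl_client is a client-based check that can sit in smtpd_recipient_restrictions (where the recipient is known, so per-recipient whitelists can precede it); putting it in smtpd_sender_restrictions is not wrong, but the list it belongs to is the one whose preceding entries you want to let override it.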
Trivial typo fix for MULTI_INSTANCE_README.html
I noticed this one while reading the document on postfix.org. Scott K --- MULTI_INSTANCE_README.html.orig 2011-06-08 22:53:34.647880630 -0400 +++ MULTI_INSTANCE_README.html 2011-06-08 22:54:01.103880784 -0400 @@ -420,7 +420,7 @@ ul li p Lines 1-2: With a href=postconf.5.html#authorized_submit_usersauthorized_submit_users/a = root, the -superuser can test the postix-out instance with postmulti -i +superuser can test the postfix-out instance with postmulti -i postfix-out -x sendmail -bv recipient..., but otherwise local submission remains disabled. /p
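Review bot: The one-character fix is correct and matches the instance name used in the very next line of the hunk ("postmulti -i postfix-out -x sendmail -bv"), so "postix-out" was clearly a typo; nothing else in the hunk changes. Since only this occurrence is patched, it is worth grepping the rest of MULTI_INSTANCE_README.html (and the .html source it is generated from, if any) for the same misspelling before the patch is applied, so the fix lands once rather than in follow-up patches.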
Re: Postfix plain text authentication with SASL
Hi all, No one is there to help me On Wed, Jun 8, 2011 at 12:49 PM, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote: Hi, Can anyone help me setting postfix plain authentication with SASL. I've spent a complete week on this already. Any help appreciated. -- Best Regards, Suresh Kumar Prajapati Linux Security Admin E-mail: er.sureshprajap...@gmail.com Pencils could be made with erasers at both ends, but what would be the point? -- Best Regards, Suresh Kumar Prajapati Linux Security Admin E-mail: er.sureshprajap...@gmail.com Pencils could be made with erasers at both ends, but what would be the point?
Re: Postfix plain text authentication with SASL
Which backend are you using? LDAP, RADIUS, NIS? On 09/06/2011 07:03, Suresh Kumar Prajapati wrote: Hi all, No one is there to help me On Wed, Jun 8, 2011 at 12:49 PM, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote: Hi, Can anyone help me setting postfix plain authentication with SASL. I've spent a complete week on this already. Any help appreciated. -- Best Regards, Suresh Kumar Prajapati Linux Security Admin E-mail: er.sureshprajap...@gmail.com Pencils could be made with erasers at both ends, but what would be the point?
Re: Postfix plain text authentication with SASL
On Wed, Jun 8, 2011 at 10:03 PM, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote: Hi all, No one is there to help me On Wed, Jun 8, 2011 at 12:49 PM, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote: Hi, Can anyone help me setting postfix plain authentication with SASL. I've spent a complete week on this already. Any help appreciated. Could you please be more specific and post the relevant lines of the config files? Steve