Re: Configuring a mail gateway

2011-09-09 Thread Nikolaos Milas
Thanks to Noel (and to the Postfix community in general) for the 
guidance, my mail gateway is now running (still in test mode), together 
with spamassassin, clamav and amavis-new.


Now, one more thing:

Since this is just a relay, mail is not stored locally; yet, I would 
like to train spamassassin (if that makes any sense! - any 
advice/experience on spamassassin training?) which requires local 
directories of spam and non-spam. So I was thinking I should configure 
postfix/spamassassin to keep local copies of spam (to be also available 
for checking using IMAP) and non-spam mail so as to make training feasible.


Another option is to disable spamassassin entirely on the gateway server 
and install/use it on the internal (final) mail server (used as outgoing 
gateway and internal POP/IMAP).


At the moment, I would prefer to use the former approach, as it fits 
better in our current mail receiving architecture.


Any advice?

Also, to disable sending outgoing mails from this server (which is only 
there to receive mail from the Internet as MX-designated mail server and 
work as a local relay to internal mail server) I am planning to use the 
setting:


   mynetworks  = empty

Would this have any impact on the relay role of the server; which means: 
would relaying of relay_domains as defined in transport_maps be 
inhibited in any way)? I believe no, but I am asking, just in case?


Thanks,
Nick





Re: Configuring a mail gateway

2011-09-09 Thread Wietse Venema
Nikolaos Milas:
> Also, to disable sending outgoing mails from this server (which is only
> there to receive mail from the Internet as MX-designated mail server and
> work as a local relay to internal mail server) I am planning to use the
> setting:
>
> mynetworks  = empty
>
> Would this have any impact on the relay role of the server; which means:
> would relaying of relay_domains as defined in transport_maps be
> inhibited in any way)? I believe no, but I am asking, just in case?

mynetworks is used by the permit_mynetworks feature.

If you don't use permit_mynetworks at all (check with: postconf |
grep permit_mynetworks), then mynetworks can be empty.

To allow mail from local programs that send SMTP mail through the
loopback interface, you could set one of the following:

mynetworks = 127.0.0.1/32
mynetworks = 127.0.0.1/32 [::1]/128

Wietse


Re: What does Postfix stamp...

2011-09-09 Thread Kris Deugau

Murray S. Kucherawy wrote:

X-Originating-IP: isn't standard, so I'm not surprised postfix isn't adding it 
by default.  And I wouldn't trust it anyway; how do you know it contains a true 
value?


Not to mention, at least in my experience it's the IP that introduced 
the message to the Internet (ie, the sending client's IP, or webmail 
user's IP), not the IP that connected to your server.


-kgd


Re: Configuring a mail gateway

2011-09-09 Thread Nikolaos Milas

On 9/9/2011 4:00 PM, Wietse Venema wrote:

> If you don't use permit_mynetworks at all (check with: postconf |
> grep permit_mynetworks), then mynetworks can be empty.


Thanks Wietse,

mynetworks = 127.0.0.1/32 [::1]/128

seems the right solution.

In fact I am using permit_mynetworks as the first entry in 
smtpd_recipient_restrictions. It seems it doesn't make any sense there, 
so I can remove it?


Also, should the above mynetworks setting cover postscreen needs (since 
postscreen_access_list = permit_mynetworks)?


# postconf | grep permit_mynetworks
postscreen_access_list = permit_mynetworks
smtpd_recipient_restrictions = permit_mynetworks, 
reject_unauth_destination, reject_invalid_hostname, 
reject_unauth_pipelining, reject_non_fqdn_sender, 
reject_unknown_sender_domain, reject_non_fqdn_recipient, 
reject_unknown_recipient_domain, reject_unverified_recipient, 
reject_rbl_client b.barracudacentral.org, reject_rbl_client 
zen.spamhaus.org, reject_rbl_client psbl.surriel.com, 
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender 
dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, permit


Also:

# postconf | grep postscreen
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2, psbl.surriel.com*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_ttl = 1h
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
postscreen_watchdog_timeout = 10s

Thanks,
Nick





Re: Configuring a mail gateway

2011-09-09 Thread Wietse Venema
Nikolaos Milas:
> On 9/9/2011 4:00 PM, Wietse Venema wrote:
>
> > If you don't use permit_mynetworks at all (check with: postconf |
> > grep permit_mynetworks), then mynetworks can be empty.
>
> Thanks Wietse,
>
> mynetworks = 127.0.0.1/32 [::1]/128
>
> seems the right solution.
>
> In fact I am using permit_mynetworks as the first entry in
> smtpd_recipient_restrictions. It seems it doesn't make any sense there,
> so I can remove it?

See my previous reply. If you need to run programs that send mail
via 127.0.0.1 or [::1], then you need permit_mynetworks.

Wietse
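
An added example, not part of any message in this thread: a Python check over main.cf-style text that lists which parameters reference permit_mynetworks and which mynetworks entries reach beyond loopback, the two things the replies above say to verify. The sample text, the 192.0.2.0/24 entry and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed main.cf-style sample (not taken from the thread).
SAMPLE = """\
# gateway settings
mynetworks = 127.0.0.1/32 [::1]/128 192.0.2.0/24
postscreen_access_list = permit_mynetworks
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org, permit
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            params[name] = value
    return params

def uses_permit_mynetworks(params):
    """Names of parameters whose value lists permit_mynetworks."""
    return sorted(name for name, value in params.items()
                  if "permit_mynetworks" in re.split(r"[,\s]+", value))

def beyond_loopback(params):
    """mynetworks entries that are not provably loopback-only."""
    flagged = []
    for item in re.split(r"[,\s]+", params.get("mynetworks", "")):
        if not item:
            continue
        try:
            # Postfix writes IPv6 networks as [addr]/len; ipaddress wants addr/len.
            net = ipaddress.ip_network(item.replace("[", "").replace("]", ""),
                                       strict=False)
        except ValueError:
            flagged.append(item)      # file name or type:table lookup: review by hand
            continue
        if not net.is_loopback:
            flagged.append(item)
    return flagged

if __name__ == "__main__":
    conf = parse_main_cf(SAMPLE)
    print("permit_mynetworks used in:", uses_permit_mynetworks(conf))
    print("mynetworks beyond loopback:", beyond_loopback(conf))
```

The check only sees an explicit mynetworks setting; when the parameter is absent, Postfix derives the value from mynetworks_style, so inspect the effective value with postconf as well.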


Re: Postfix NDR

2011-09-09 Thread Fernando Maior
On Thu, Sep 8, 2011 at 6:09 PM, Jean-Luc CHANDEZON knut...@gmail.com wrote:


 2011/9/8 Fernando Maior fernando.souto.ma...@gmail.com

 On Thu, Sep 8, 2011 at 10:22 AM, Wietse Venema wie...@porcupine.org
 wrote:
  Jean-Luc CHANDEZON:
  Hello,
  I believe my request is very simple, but I don't find how I can do
  that.
  When you receive a NDR from postfix server, the mail is sent by
  MAILER-DAEMON@hostname.local.
  I would to change the sender. I've seen you can modify master.cf, by
  adding
  null_sender= values in a pipe, but it does not work.
 
  The null_sender option works as documented. It sets the ENVELOPE
  SENDER ADDRESS not the FROM header.
 
  Setting the FROM header of (non-)delivery notifications is unsafe,
  as it may cause mail error messages to go into a loop.
 
         Wietse
 

 Hi Jean-Luc,

 Let me try to understand, you want to change
 MAILER-DAEMON@hostname.local
 for something else? In that case, what do you have for parameters
 mydomain and
 myhostname?

 Also, did you get a look at http://www.postfix.org/SOHO_README.html?
 Perhaps
 you may find it interesting the parameter smtp_generic_maps.

 Best regards,
 ---
 Fernando Maciel Souto Maior
 LPIC/1(31908), LinuxCounter(391325)

 Hi Fernando,

 Yes, for end user, the MAILER-DAEMON appears like the sender, which is empty
 ().
 Yes, you're right, I want to change this value.
 The mydomain and my hostname values are no used on my postfix
 configuration file main.cf.
 I'll try to investigate smtp_generic_maps.
 Best Regards,
 Jean-Luc


Jean-Luc,

As per documentation, mydomain and myhostname get their values
from your host name (from operating system) if they are not set in main.cf,
so that should be the reason why you have @hostname.local. Try to
set mydomain to something else and see what happens...

Best regards,
---
Fernando Maciel Souto Maior
LPIC/1(31908), LinuxCounter(391325)


Re: Configuring a mail gateway

2011-09-09 Thread Nikolaos Milas

On 9/9/2011 3:14 PM, Nikolaos Milas wrote:

> Since this is just a relay, mail is not stored locally;
> ...
> So I was thinking I should configure postfix/spamassassin to keep
> local copies of spam (to be also available for checking using IMAP)
> and non-spam mail so as to make training feasible.


Can we configure the gateway mail server (postfix) to keep local copies 
of mail messages while relaying them or this should be done using other 
means e.g. some plugin?


I think always_bcc would not be relevant in this context.

Thanks,
Nick





Re: Configuring a mail gateway

2011-09-09 Thread jeffrey j donovan

On Sep 9, 2011, at 10:28 AM, Nikolaos Milas wrote:

> On 9/9/2011 3:14 PM, Nikolaos Milas wrote:
>
> > Since this is just a relay, mail is not stored locally;
> > ...
> > So I was thinking I should configure postfix/spamassassin to keep local
> > copies of spam (to be also available for checking using IMAP) and non-spam
> > mail so as to make training feasible.
>
> Can we configure the gateway mail server (postfix) to keep local copies of
> mail messages while relaying them or this should be done using other means
> e.g. some plugin?
>
> I think always_bcc would not be relevant in this context.
>
> Thanks,
> Nick

Greetings,
Use local recipient map for your local users and transport maps for the 
delivery of others. You will have to tell amavisd how to relay local and 
remote. 
Do what Wietse said and allow programs to relay mail via localhost.
-j

RE: What does Postfix stamp...

2011-09-09 Thread Murray S. Kucherawy
> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Kris Deugau
> Sent: Friday, September 09, 2011 6:32 AM
> To: postfix-users@postfix.org
> Subject: Re: What does Postfix stamp...
>
> Not to mention, at least in my experience it's the IP that introduced
> the message to the Internet (ie, the sending client's IP, or webmail
> user's IP), not the IP that connected to your server.

More often than not, that's what people actually want because it identifies who 
really sent the message, not who last handled it before you got it.  But it's 
unreliable for all kinds of reasons:

- it could be forged to indicate it came from a legit source when it didn't
- there could be more than one of them, so which one do you believe?
- it might be stripped in transit
- it's non-standard

If its value can't be trusted, you should just ignore it.



Re: Configuring a mail gateway

2011-09-09 Thread Nikolaos Milas

On 9/9/2011 5:52 PM, jeffrey j donovan wrote:

> use local recipient map for your local users and transport maps for the
> delivery of others. You will have to tell amavisd how to relay local and remote.
> do what Wietse said and allow programs to relay mail via localhost.


Thanks Jeffrey,

I guess we could (??) also (if not using local agent) use

   virtual_mailbox_domains = gatewayhostname.example.com

and

   virtual_mailbox_maps = ...

for virtualized local users to define mailboxes on the gateway mail 
server - which is the localhost of course - for local delivery using the 
postfix virtual agent (to addresses of the form 
xx...@gatewayhostname.example.com).


But could you give any details (or at least a start point for 
researching) on how to tell amavis to generate mail copies and address 
them to one destination if they have been designated as spam and to 
another destination if they have been designated as non-spam and then 
handle them to postfix for delivery to the above addresses? (I know this 
is more related to amavis, yet not off-topic.)


Thanks again,
Nick





pipe_command: execvp Permission Denied

2011-09-09 Thread Kaleb Hosie
I'm attempting to set up postfix to direct incoming email to a perl script which 
will in effect scan the email with SpamAssassin and scan for viruses; however, 
when I added the configuration to my master.cf file, I'm getting an error.

The mail log reads as so:
Sep  9 18:50:22 localhost postfix/pipe[2960]: 9F2349ABB01: 
to=em...@domain.com, relay=postfixfilter, delay=7441, 
delays=7441/0.08/0/0.65, dsn=4.3.0, status=deferred (temporary failure. Command 
output: pipe: fatal: pipe_command: execvp /etc/postfix/Filter: Permission 
denied )

I don't understand this error because the permission on the script file is fine:
-rwxr-xr-x 1 root root 14289 Sep  9 16:32 /etc/postfix/Filter


I've made the following changes to my master.cf file:
smtp  inet  n   -   n   -   -   smtpd
  -o content_filter=postfixfilter:

postfixfilter unix - n n - - pipe
  flags=Rq user=apache argv=/etc/postfix/Filter -s ${sender} -r ${recipient}

Any help is greatly appreciated.

Kaleb

Re: pipe_command: execvp Permission Denied

2011-09-09 Thread Jeroen Geilman

On 2011-09-10 01:02, Kaleb Hosie wrote:

> I'm attempting to setup postfix to direct incoming email to a perl script which
> will in effect scan the email with SpamAssassin and scan for viruses however
> when I added the configuration to my master.cf file, I'm getting an error.
>
> The mail log reads as so:
> Sep  9 18:50:22 localhost postfix/pipe[2960]: 9F2349ABB01:
> to=em...@domain.com, relay=postfixfilter, delay=7441,
> delays=7441/0.08/0/0.65, dsn=4.3.0, status=deferred (temporary failure. Command
> output: pipe: fatal: pipe_command: execvp /etc/postfix/Filter: Permission denied )


Did you verify this in principle ?

# su -lc /etc/postfix/Filter apache


> I don't understand this error because the permission on the script file is fine:
> -rwxr-xr-x 1 root root 14289 Sep  9 16:32 /etc/postfix/Filter


Oh, it is a script ?
So, is it valid ? Does it execute by itself ?


> I've made the following changes to my master.cf file:
> smtp  inet  n   -   n   -   -   smtpd
>   -o content_filter=postfixfilter:
>
> postfixfilter unix - n n - - pipe
>   flags=Rq user=apache argv=/etc/postfix/Filter -s ${sender} -r ${recipient}
>
> Any help is greatly appreciated.
>
> Kaleb



--
J.



Re: pipe_command: execvp Permission Denied

2011-09-09 Thread Wietse Venema
Kaleb Hosie:
> I'm attempting to setup postfix to direct incoming email to a perl
> script which will in effect scan the email with SpamAssassin and
> scan for viruses however when I added the configuration to my
> master.cf file, I'm getting an error.
>
> The mail log reads as so:
> Sep  9 18:50:22 localhost postfix/pipe[2960]: 9F2349ABB01:
> to=em...@domain.com, relay=postfixfilter, delay=7441,
> delays=7441/0.08/0/0.65, dsn=4.3.0, status=deferred (temporary
> failure. Command output: pipe: fatal: pipe_command: execvp
> /etc/postfix/Filter: Permission denied )
>
> I don't understand this error because the permission on the script
> file is fine: -rwxr-xr-x 1 root root 14289 Sep  9 16:32 /etc/postfix/Filter

The apache user needs search permission for all the directories
in the /etc/postfix/Filter pathname.

The apache user needs execute permissions for the file after #! on
the first line of the script.

The apache user needs search permission for all the directories in
the file name after #! on the first line of the script.

The apache user needs execute permission for the run-time linker
whose pathname is specified in the file after #! on the first line
of the script.

The apache user needs search permission for all the directories in
the pathname of the run-time linker whose pathname is specified in
the file after #! on the first line of the script.

And so on.

Wietse
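
An added example, not part of the original reply: a Python walk of the permission chain listed above, checking search permission on every directory, execute permission on the script, then the same for the program named after #!. It evaluates classic mode bits only (no ACLs or SELinux) and stops before the run-time linker step; the sample tree, the stand-in uid and all function names are constructed for illustration.

```python
import os
import stat
import tempfile

def has_x(st, uid, gids):
    """Mode bits only (no ACLs/SELinux): owner class, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def interpreter_of(path):
    """Program named on the #! line, or None when the file has no #! line."""
    with open(path, "rb") as f:
        first = f.readline(256)
    words = first[2:].split() if first.startswith(b"#!") else []
    return words[0].decode() if words else None

def exec_blockers(path, uid, gids=frozenset()):
    """List what stops uid from executing path, following the #! chain."""
    problems, seen = [], set()
    while path and path not in seen:
        seen.add(path)
        path = os.path.realpath(path)  # simplification: symlinks resolved first
        cur = "/"
        for name in path.strip("/").split("/")[:-1]:
            cur = os.path.join(cur, name)
            if not has_x(os.stat(cur), uid, gids):
                problems.append(f"no search permission on directory {cur}")
        if not has_x(os.stat(path), uid, gids):
            problems.append(f"no execute permission on file {path}")
        path = interpreter_of(path)
    return problems

def build_sample(dir_mode):
    """Constructed sample tree: <tmp>/postfix/Filter, a 0755 #!/bin/sh script."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    script = os.path.join(base, "postfix", "Filter")
    os.mkdir(os.path.dirname(script))
    with open(script, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(script, 0o755)
    os.chmod(os.path.dirname(script), dir_mode)
    return script

if __name__ == "__main__":
    # os.getuid() + 1 stands in for the pipe(8) user= account (assumption)
    print(exec_blockers(build_sample(0o750), os.getuid() + 1))
```

With the directory at mode 0750 the script's own rwxr-xr-x bits are not enough: the walk reports the parent directory, which is the first item in the reply above.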