Re: understanding the logs

2011-11-08 Thread Robert Schetterer
On 08.11.2011 08:13, Geert Mak wrote:
 Hi,
 
 We had a user account hacked (weak password) and our SMTP server was used for 
 sending spam. We discovered it after our mail server IP began to show up in 
 RBLs. We improved the passwords, however the question is how best to watch 
 the server in case a similar thing happens again.
 
 We created a small regex based log analyzer and received the following result 
 (see below) -
 
 The question is: is there somewhere a description what each entry means?
 
 If not: which number shows the number of e-mails sent by the mail server? Or 
 should we dig deeper into some of the entries or combine some or both? Our 
 current idea is that if we watch this number for unusual increase, we will be 
 able to discover abuse this way before we discover it by the means of RBL.
 
 Geert 
 
 RESULT:
 ---
 
 LINES TOTAL: 4328247
 
 LINES_LOGIN: 20353
 LINES_LOGOUT: 0
 LINES_AMAVIS: 0
 LINES_CYRUS_CTL_CYRUSDB: 749
 LINES_CYRUS_CYR_EXPIRE: 11397
 LINES_CYRUS_IMAP: 6874
 LINES_CYRUS_LMTPUNIX: 8711
 LINES_CYRUS_MASTER: 2182
 LINES_CYRUS_TLS_PRUNE: 4
 LINES_DOVECOT: 960
 LINES_IMAPPROXYD: 0
 LINES_POSTFIX_ANVIL: 999
 LINES_POSTFIX_BOUNCE: 193
 LINES_POSTFIX_CLEANUP: 1446
 LINES_POSTFIX_ERROR: 974
 LINES_POSTFIX_LMTP: 902
 LINES_POSTFIX_LOCAL: 221
 LINES_POSTFIX_PICKUP: 443
 LINES_POSTFIX_QMGR: 3096601
 LINES_POSTFIX_VERIFY: 0
 LINES_POSTFIX_POSTMAP: 0
 LINES_POSTFIX_TLSMGR: 0
 LINES_POSTFIX_MASTER: 0
 LINES_POSTFIX_SCACHE: 261
 LINES_POSTFIX_SMTP: 20346
 LINES_POSTFIX_SMTPD: 1154379
 LINES_SPAMD: 0
 LINES_POSTFIX: 0
 LINES_POSTFIX_POSTFIX_SCRIPT: 0
 LINES_POSTFIX_TRIVIAL_REWRITE: 252
 
 LINES NOT PROCESSED: 0
 
 
 
 
Hi, there is less you can do about pirated accounts:
check your password mechs and other stuff which is involved at
account/password creation/changing, monitor this, monitor and ban
brute force attacks on your accounts (i.e. fail2ban),
perhaps slow down outgoing delivery rates; as a workaround use
clamav-milter with sanesecurity antispam/phish signatures with hold, so
you become aware of delivering out spam. At last, what is needed is some intruder detection
based on monitoring anomalies in outgoing smtp traffic; we are working
on some milter which does this, but we are not in production stage yet.
However, looking at logs is daily work, so no magical software will help
you get out of this in total; anyway good log parsers will help (i.e.
pflogsumm etc).
For understanding log stuff, read the postfix faqs and search the list archives
for log entries you don't understand, and/or ask here.

-- 
Best Regards

Kind regards, Robert Schetterer

Germany/Munich/Bavaria
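Geert asked which counter reflects mail the server actually sent, and Robert's answer is to watch outgoing traffic for anomalies per account. The following is an added example (not from any post in this thread) of that check over Postfix log lines: the smtpd line carries sasl_username, the qmgr from= line carries size and nrcpt for the same queue ID, and joining the two gives per-account message, recipient and byte totals. The log lines, queue IDs, hosts and accounts are constructed for illustration; the 100-recipient threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample Postfix log excerpt (not from the original post): queue IDs,
# hostnames, client addresses and accounts are made up.  Queue ID 1A2B3C4D5E is
# reused by a local pickup after 'removed', as happens on real servers.
SAMPLE_LOG = """\
Nov  8 08:13:01 mail postfix/smtpd[1234]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Nov  8 08:13:01 mail postfix/qmgr[999]: 1A2B3C4D5E: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Nov  8 08:14:10 mail postfix/smtpd[1235]: 2B3C4D5E6F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Nov  8 08:14:10 mail postfix/qmgr[999]: 2B3C4D5E6F: from=<bob@example.com>, size=5120, nrcpt=120 (queue active)
Nov  8 08:14:11 mail postfix/smtpd[1235]: 3C4D5E6F7A: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Nov  8 08:14:11 mail postfix/qmgr[999]: 3C4D5E6F7A: from=<bob@example.com>, size=5120, nrcpt=95 (queue active)
Nov  8 08:15:00 mail postfix/pickup[500]: 4D5E6F7A8B: uid=0 from=<root>
Nov  8 08:15:00 mail postfix/qmgr[999]: 4D5E6F7A8B: from=<root@mail.example.com>, size=300, nrcpt=1 (queue active)
Nov  8 08:15:02 mail postfix/qmgr[999]: 1A2B3C4D5E: removed
Nov  8 08:16:00 mail postfix/pickup[500]: 1A2B3C4D5E: uid=0 from=<root>
Nov  8 08:16:00 mail postfix/qmgr[999]: 1A2B3C4D5E: from=<root@mail.example.com>, size=300, nrcpt=1 (queue active)
"""

SMTPD_AUTH = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=.*?sasl_username=(?P<user>\S+)")
QMGR_FROM = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<[^>]*>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
QMGR_REMOVED = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): removed$")

UNAUTH = "(unauthenticated)"   # pickup/local submissions with no SASL login


def summarize_outbound(log_text):
    """Per-account totals of messages, recipients and bytes handed to qmgr.

    The queue ID is the join key between the smtpd line (who logged in) and
    the qmgr 'from=' line (size, recipient count).  Two edge cases handled:
    - qmgr logs 'from=' again when a deferred message re-enters the active
      queue, so each queue ID is counted once;
    - queue IDs are reused after 'removed', so the owner mapping and the
      counted mark are dropped then, otherwise a later unrelated message
      would be credited to the earlier account.
    """
    qid_owner = {}
    counted = set()
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = SMTPD_AUTH.search(line)
        if m:
            qid_owner[m.group("qid")] = m.group("user")
            continue
        m = QMGR_FROM.search(line)
        if m:
            qid = m.group("qid")
            if qid in counted:
                continue
            counted.add(qid)
            s = stats[qid_owner.get(qid, UNAUTH)]
            s["messages"] += 1
            s["recipients"] += int(m.group("nrcpt"))
            s["bytes"] += int(m.group("size"))
            continue
        m = QMGR_REMOVED.search(line)
        if m:
            qid_owner.pop(m.group("qid"), None)
            counted.discard(m.group("qid"))
    return dict(stats)


def flag_anomalies(stats, max_recipients):
    """SASL accounts whose recipient total exceeds the threshold, worst first."""
    over = [(u, s["recipients"]) for u, s in stats.items()
            if u != UNAUTH and s["recipients"] > max_recipients]
    return [u for u, _ in sorted(over, key=lambda t: -t[1])]


if __name__ == "__main__":
    totals = summarize_outbound(SAMPLE_LOG)
    for user, s in sorted(totals.items()):
        print("%-22s msgs=%-3d rcpts=%-4d bytes=%d" % (user, s["messages"], s["recipients"], s["bytes"]))
    print("over threshold:", flag_anomalies(totals, 100))
```

Run against the real log the same way, compare each account's recipient total with its usual daily value, and a compromised account shows up as an outlier long before the IP lands in an RBL.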


reject or discard outgoing mail ?

2011-11-08 Thread Frank Bonnet

Hello

I would like to reject or discard outgoing emails to some particular 
addresses.

I'm a bit confused about which to use most efficiently.

Some machines are infected by some email robots and I would like to block
those outgoing emails while we are searching for
those infected machines to eradicate the problem.

Thanks a lot.



Re: reject or discard outgoing mail ?

2011-11-08 Thread Ralf Hildebrandt
* Frank Bonnet f.bon...@esiee.fr:
 Hello
 
 I would like to reject or discard outgoing emails to some particular
 addresses.
 I'm a bit confused about which to use most efficiently.

I would DISCARD it.

-- 
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

2011-11-08 Thread Marek Krolikowski

From: Stan Hoeppner
Sent: Tuesday, November 08, 2011 8:59 AM
To: postfix-users@postfix.org
Subject: Re: Symlink problem = file is a symbolic link or Mailbox 
vulnerable - directory /var/spool/mail must have 1777 protection

Then you need to tell us what MDA you are currently using and what type
of mailbox storage.  The list welcome message directed you to paste the
output of postconf -n.  That will tell us what MDA you use, if what
you want to do can be done, and how easy/difficult it may be to setup
such a thing.  If you're using Dovecot it is relatively painless, if not
time consuming.  If you are simply having Postfix local(8) delivery
directly to mbox mailboxes it will be more difficult to move user
mailboxes one by one.  I've never used procmail so I have no tips for
you in that case.

MAIL01 ~ # postconf -n
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = //usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = /usr/share/doc/postfix-2.8.4/html
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 3000
mydestination = $myhostname, localhost, taken.pl
mydomain = taken.pl
myhostname = taken.pl
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.8.4/readme
relayhost = out.taken.pl
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_destinations, check_client_access 
hash:/etc/postfix/access, check_recipient_access 
hash:/etc/postfix/recipient_access, permit_sasl_authenticated, 
permit_mynetworks, reject_unauth_destination, check_sender_access 
hash:/etc/postfix/sender_checks_my, reject_unauth_pipelining

smtpd_restriction_classes = insiders_only, insiders_only2
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/smtp-cert.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/smtp-cert.crt
smtpd_tls_key_file = /etc/postfix/smtp-cert.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550



Re: reject or discard outgoing mail ?

2011-11-08 Thread Frank Bonnet

On 11/08/2011 09:47 AM, Ralf Hildebrandt wrote:

* Frank Bonnetf.bon...@esiee.fr:

Hello

I would like to reject or discard outgoing emails to some particular
addresses.
I'm a bit confused about which to use most efficiently.

I would DISCARD it.


Yes, I too, but I am confused about WHICH Postfix functionality
to use to do so. I would like to use a map because there are
several addresses.

thanks





Re: reject or discard outgoing mail ?

2011-11-08 Thread Ralf Hildebrandt
* Frank Bonnet f.bon...@esiee.fr:
 On 11/08/2011 09:47 AM, Ralf Hildebrandt wrote:
 * Frank Bonnetf.bon...@esiee.fr:
 Hello
 
 I would like to reject or discard outgoing emails to some particular
 addresses.
 I'm a bit confused about which to use most efficiently.
 I would DISCARD it.
 
 Yes, I too, but I am confused about WHICH Postfix functionality
 to use to do so. I would like to use a map because there are
 several addresses.

It's all map driven in Postfix, isn't it? :)


Re: Quota for mail

2011-11-08 Thread Egoitz Aurrekoetxea Aurre



On Mon, 7 Nov 2011, Leslie León Sinclair wrote:

Thanks again, and sorry for the thread, I'm stuck here. Almost near the 
solution.


Best regards.








You could also take a look at Postfix Quota Reject. 
http://postfixquotareject.ramattack.net. It's a postfix policy daemon 
which allows mail to be rejected during the smtp dialogue when the mailbox is 
over quota... It can work from the mailbox machine itself or from the 
mailscanning machine farm, asking a daemon on the mailbox machines.


If you've some doubt... here I am...

Re: reject or discard outgoing mail ?

2011-11-08 Thread Frank Bonnet

On 11/08/2011 10:16 AM, Ralf Hildebrandt wrote:

* Frank Bonnetf.bon...@esiee.fr:

On 11/08/2011 09:47 AM, Ralf Hildebrandt wrote:

* Frank Bonnetf.bon...@esiee.fr:

Hello

I would like to reject or discard outgoing emails to some particular
addresses.
I'm a bit confused about which to use most efficiently.

I would DISCARD it.


Yes, I too, but I am confused about WHICH Postfix functionality
to use to do so. I would like to use a map because there are
several addresses.

It's all map driven in Postfix, isn't it? :)


OK I found the solution :-)

smtpd_recipient_restrictions =
   hash:/usr/local/etc/postfix/banned,  ( add this map, it seems to work :-) )
   reject_unauth_pipelining,
   permit_mynetworks,
   reject_unauth_destination,
   reject_unlisted_recipient,
   permit


in the map

the.addr...@to.ban  DISCARD






Re: reject or discard outgoing mail ?

2011-11-08 Thread Ralf Hildebrandt
* Frank Bonnet f.bon...@esiee.fr:

 smtpd_recipient_restrictions =
hash:/usr/local/etc/postfix/banned,  ( add this map , it seems to
 work :-) )
reject_unauth_pipelining,
permit_mynetworks,
reject_unauth_destination,
reject_unlisted_recipient,
permit

I think:
smtpd_recipient_restrictions =
   check_recipient_access hash:/usr/local/etc/postfix/banned,
   ...

would be more explicit.




Re: reject or discard outgoing mail ?

2011-11-08 Thread Frank Bonnet

On 11/08/2011 10:39 AM, Ralf Hildebrandt wrote:

* Frank Bonnetf.bon...@esiee.fr:


smtpd_recipient_restrictions =
hash:/usr/local/etc/postfix/banned,  ( add this map , it seems to
work :-) )
reject_unauth_pipelining,
permit_mynetworks,
reject_unauth_destination,
reject_unlisted_recipient,
permit

I think:
smtpd_recipient_restrictions =
check_recipient_access hash:/usr/local/etc/postfix/banned,
...

would be more explicit.


Yes it works too




Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

2011-11-08 Thread Stan Hoeppner
On 11/8/2011 2:54 AM, Marek Krolikowski wrote:
 From: Stan Hoeppner
 Sent: Tuesday, November 08, 2011 8:59 AM
 To: postfix-users@postfix.org
 Subject: Re: Symlink problem = file is a symbolic link or Mailbox
 vulnerable - directory /var/spool/mail must have 1777 protection
 Then you need to tell us what MDA you are currently using and what type
 of mailbox storage.  The list welcome message directed you to paste the
 output of postconf -n.  That will tell us what MDA you use, if what
 you want to do can be done, and how easy/difficult it may be to setup
 such a thing.  If you're using Dovecot it is relatively painless, if not
 time consuming.  If you are simply having Postfix local(8) delivery
 directly to mbox mailboxes it will be more difficult to move user
 mailboxes one by one.  I've never used procmail so I have no tips for
 you in that case.
 MAIL01 ~ # postconf -n
...
 mail_spool_directory = /var/spool/mail

Ok, so it appears you're having Postfix deliver to UNIX style mbox
mailboxes via local(8).  How are your users reading their mail?  A
popper?  Or something like pine or mutt?  The point I'm getting at is
that reconfiguring users individually in Postfix only covers half the
problem--mail delivery.  You'll also have to tell the programs reading
the mail of each user's new mailbox location.

To address the Postfix delivery aspect, you'll need to use
virtual_mailbox_maps as it facilitates specifying mail_location on a
per-recipient basis.  Read this and everything related to it:

http://www.postfix.org/postconf.5.html#virtual_mailbox_maps

-- 
Stan


Re: Quota for mail

2011-11-08 Thread Stan Hoeppner
On 11/8/2011 3:30 AM, Egoitz Aurrekoetxea Aurre wrote:

 On Mon, 7 Nov 2011, Leslie León Sinclair wrote:
 
 Thanks again, and sorry for the thread, I'm stuck here. Almost near the
 solution.

 You could also take a look at Postfix Quota Reject.
 http://postfixquotareject.ramattack.net. It's a postfix policy daemon
 which allows mail to be rejected during the smtp dialogue when the mailbox is
 over quota... It can work from the mailbox machine itself or from the
 mailscanning machine farm, asking a daemon on the mailbox machines.

His problem is spambots relaying *outbound* through Postfix.  This isn't
an inbound problem.  You're describing an inbound policy.

-- 
Stan



Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

2011-11-08 Thread Marek Krolikowski
-Original message- 
From: Stan Hoeppner

Sent: Tuesday, November 08, 2011 11:06 AM
To: postfix-users@postfix.org
Subject: Re: Symlink problem = file is a symbolic link or Mailbox
vulnerable - directory /var/spool/mail must have 1777 protection

Ok, so it appears you're having Postfix deliver to UNIX style mbox
mailboxes via local(8).  How are your users reading their mail?  A
popper?  Or something like pine or mutt?  The point I'm getting at is
that reconfiguring users individually in Postfix only covers half the
problem--mail delivery.  You'll also have to tell the programs reading
the mail of each user's new mailbox location.

To address the Postfix delivery aspect, you'll need to use
virtual_mailbox_maps as it facilitates specifying mail_location on a
per-recipient basis.  Read this and everything related to it:

http://www.postfix.org/postconf.5.html#virtual_mailbox_maps


Hello
I use net-mail/uw-imap-2007e-r1 - there is inside imap and ipop3d - both
have no problem with reading symlink files/dirs 



Re: Distribute mail based on sending domain?

2011-11-08 Thread Fernando Maior
Hi,

Maybe you should have a look at the transport table, at
http://www.postfix.org/transport.5.html

There are some useful examples there you should try.

Best regards,
---
Fernando Maciel Souto Maior
LPIC/1(31908), LinuxCounter(391325)



On Tue, Nov 8, 2011 at 3:53 AM, vr postfix-u...@iotk.net wrote:

 We have Exchange 2010 with a few domains and have run across the need to
 split outgoing mail direct to the Internet and also to smart hosts
 depending on their @domain.tld. Exchange 2010 does not support this by
 design so if Postfix does, is this functionality a relay? Looking at the
 BASIC_CONFIGURATION_README doesn't quite look like a match to my untrained
 eyes so any clues or configuration pointers are greatly appreciated.



Re: Distribute mail based on sending domain?

2011-11-08 Thread Fernando Maior
Hi,

Just as I pressed send I realized that maybe sender-dependent
relayhost maps should be useful too. Have a look at it, if you please.

http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps

Regards,
---
Fernando Maciel Souto Maior
LPIC/1(31908), LinuxCounter(391325)



On Tue, Nov 8, 2011 at 3:53 AM, vr postfix-u...@iotk.net wrote:

 We have Exchange 2010 with a few domains and have run across the need to
 split outgoing mail direct to the Internet and also to smart hosts
 depending on their @domain.tld. Exchange 2010 does not support this by
 design so if Postfix does, is this functionality a relay? Looking at the
 BASIC_CONFIGURATION_README doesn't quite look like a match to my untrained
 eyes so any clues or configuration pointers are greatly appreciated.



Re: Quota for mail

2011-11-08 Thread Wietse Venema
Stan Hoeppner:
 His problem is spambots relaying *outbound* through Postfix.  This isn't
 an inbound problem.  You're describing an inbound policy.

In that case, any policy daemon that counts the messages or bytes
per client or sender will do the job. There are rate limits in
policyd and postfwd, for example.

Wietse


Re: Quota for mail

2011-11-08 Thread Leslie León Sinclair
The problem is showing the quota for the users [I have multiple quotas, a 
field of a MySQL table]: Users1 have a 10MB quota and Users2 have 100MB, 
some users have 250MB. How can I show the quota with a query, with Dovecot 
or Postfix??? If all my users have the same quota, it works great for me [I 
have tested], but different quotas here... That's the thing... Still 
working on that... If someone has solved the same issue please share 
the piece of code, or script :D.


Thanks for replies...

--
/***
*Leslie León Sinclair
*Network Administrator
*Faculty of Electrical Engineering, CUJAE.
*Calle 114 #11901 e/ Ciclovía y Rotonda
*Marianao 19390, Ciudad de la Habana, Cuba
*Tel: (53 7) 266-3321
*Member of GUTL -  
http://www.ecured.cu/index.php/Grupo_de_Usuarios_de_Tecnolog%C3%ADas_Libres_GUTL
*Another happy Slackware & Debian GNU/Linux user
*Proud GNU/Linux User #445535 -  http://counter.li.org/
*Katana yanai, otoko nanda.
/




Take part in Universidad 2012, 13 to 17 February 2012,
Havana, Cuba: http://www.congresouniversidad.cu
Consult the Cuban collaborative encyclopedia: http://www.ecured.cu

Take part in the Second Congress on Built Environment and 
Sustainable Development (MACDES 2011), 6 to 9 December 2011, 
Hotel Nacional, Havana, Cuba: http://macdes.cujae.edu.cu


Re: Quota for mail

2011-11-08 Thread Wietse Venema
Leslie León Sinclair:
 The problem is showing the quota for the users [I have multiple quotas, a 
 field of a MySQL table]: Users1 have a 10MB quota and Users2 have 100MB, 
 some users have 250MB. How can I show the quota with a query, with Dovecot 
 or Postfix??? If all my users have the same quota, it works great for me [I 
 have tested], but different quotas here... That's the thing... Still 
 working on that... If someone has solved the same issue please share 
 the piece of code, or script :D.

policyd supports MySQL queries, and its website supports RTFM.

Wietse


Re: Quota for mail

2011-11-08 Thread Tobias Hachmer

On 08.11.2011 15:18, Leslie León Sinclair wrote:

The problem is showing the quota for the users [I have multiple
quotas, a field of a MySQL table]: Users1 have a 10MB quota and Users2
have 100MB, some users have 250MB. How can I show the quota with a query,
with Dovecot or Postfix??? If all my users have the same quota, it works
great for me [I have tested], but different quotas here... That's the
thing... Still working on that... If someone has solved the same
issue please share the piece of code, or script :D.


You need the correct dovecot configuration, especially the correct 
quota config and user_query.


I've seen in your earlier posts you use ...AS quota... in your 
user_query. I think you need there ...AS quota_rule...!


For further information/ support please contact dovecot mailing list or 
the links below:


- /usr/share/doc/postfixadmin/DOCUMENTS/DOVECOT.txt.gz (path in debian 
squeeze)

- http://wiki1.dovecot.org/Quota/Dict (for Dovecot v1)
- http://wiki2.dovecot.org/Quota/Dict (for Dovecot v2)

Regards, Tobias




Re: understanding the logs

2011-11-08 Thread Simon Brereton
On 8 November 2011 02:53, Stan Hoeppner s...@hardwarefreak.com wrote:
 On 11/8/2011 1:13 AM, Geert Mak wrote:

 We had a user account hacked (weak password) and our SMTP server was used 
 for sending spam. We discovered it after our mail server IP began to show up 
 in RBLs. We improved the passwords, however the question is how best to 
 watch the server in case a similar thing happens again.

 1.  Create and enforce a minimum password complexity policy, preferably
 on your web based account creation page, something like:

 http://www.webresourcesdepot.com/10-password-strength-meter-scripts-for-a-better-registration-interface/

For password strength, I'm not sure the conventional wisdom of numbers
and punctuation are relevant any more.  They help when the attacker is
known to you, but password length is a much better indicator of
entropy resistance.

http://xkcd.com/936/

Simon


[SOLVED]Re: Quota for mail

2011-11-08 Thread Leslie León Sinclair

Done, at last!!!

Missing stuff on my install:

[PostfixAdmin config file]
$CONF['used_quotas'] = 'YES'; // Was not activated, this was the main 
reason for my past mails. Sorry again.

$CONF['quota'] = 'YES';

Other changes made:

[Dovecot config file]
protocol imap {
    mail_plugins = quota imap_quota
}

protocol pop3 {
    mail_plugins = quota
}

protocol lda {
    mail_plugins = quota
}

dict {
    quota = mysql:/etc/dovecot/dovecot-quota.conf
}

plugin {
    quota = dict:storage=20 proxy::quota
}

[dovecot-quota.conf]
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=yourpassword
default_pass_scheme = MD5-CRYPT
table = quota
select_field = current
where_field = path
username_field = username

[dovecot-sql.conf]
password_query = SELECT username AS user, password FROM mailbox WHERE username = '%u'
user_query = SELECT maildir, 5000 AS uid, 5000 AS gid, CONCAT('dict:storage=', floor(quota/1024), ' proxy::quota') AS quota FROM mailbox WHERE username = '%u'


Best regards and many, many thanks to all.
HTH all trying to do the same, the way I did it.




Re: [SOLVED]Re: Quota for mail

2011-11-08 Thread Tobias Hachmer

On 08.11.2011 18:16, Leslie León Sinclair wrote:

Done, at last!!!

Missing stuff on my install:

[PostfixAdmin config file]
$CONF['used_quotas'] = 'YES'; // Was not activated, this was the main
reason for my past mails. Sorry again.
$CONF['quota'] = 'YES';


Don't forget:

[PostfixAdmin config file]
// if you use dovecot >= 1.2, set this to yes.
// Note about dovecot config: table quota is for 1.0 & 1.1, table 
quota2 is for dovecot 1.2 and newer

$CONF['new_quota_table'] = 'YES';

Regards, Tobias


Re: Quota for mail

2011-11-08 Thread Egoitz Aurrekoetxea Aurre



On Tue, 8 Nov 2011, Stan Hoeppner wrote:


http://postfixquotareject.ramattack.net. It's a postfix policy daemon
which allows mail to be rejected during the smtp dialogue when the mailbox is
over quota... It can work from the mailbox machine itself or from the
mailscanning machine farm, asking a daemon on the mailbox machines.


His problem is spambots relaying *outbound* through Postfix.  This isn't
an inbound problem.  You're describing an inbound policy.


I have read it pretty fast, but I would say he was talking about 
enforcing quotas for mailboxes in Postfix, and here Postfix Quota Reject 
does the trick pretty nicely, even in ISP environments.


Bye!!









Re: Quota for mail

2011-11-08 Thread Egoitz Aurrekoetxea Aurre



On Tue, 8 Nov 2011, Egoitz Aurrekoetxea Aurre wrote:




On Tue, 8 Nov 2011, Stan Hoeppner wrote:


http://postfixquotareject.ramattack.net. It's a postfix policy daemon
which allows mail to be rejected during the smtp dialogue when the mailbox is
over quota... It can work from the mailbox machine itself or from the
mailscanning machine farm, asking a daemon on the mailbox machines.


His problem is spambots relaying *outbound* through Postfix.  This isn't
an inbound problem.  You're describing an inbound policy.






Otherwise, why is he talking about MDA, LMTP and so on...?? They have nothing to 
do with calculating outbound sending quotas.







Re: Signing injected mail

2011-11-08 Thread Simon Brereton
On 4 November 2011 15:49, Simon Brereton simon.brere...@buongiorno.com wrote:
 Hi

 Amavis checks both incoming and outgoing mail.  DKIMPROXY signs
 outgoing mail (sadly, before Amavis, so amavis verifies the signature
 - but I'm okay with that for now) on the submission port.

 Mail that is injected (i.e. from CRON, applications, etc), still
 passes through amavis (obviously) but doesn't get signed.  I would
 like to sign those mails as well.

 As I was writing this, it occurred to me that the way to do that is to
 add the content filter in master.cf

   -o content_filter=dksign:[127.0.0.1]:10028

 I think I need to add that to the pickup line - is that correct?  If
 not, where do I add it so that mails that are injected are added?

Well in the absence of any one telling me not to be stupid, I went
ahead and tried that.  It wasn't a miserable failure, but it didn't do
anything.

If anyone has any pointers on how to do this (or if you'd like to tell
me it's not possible and why) that would be great.

Thanks.

Simon


Re: Signing injected mail

2011-11-08 Thread Wietse Venema
Simon Brereton:
 On 4 November 2011 15:49, Simon Brereton simon.brere...@buongiorno.com 
 wrote:
  Hi
 
  Amavis checks both incoming and outgoing mail.  DKIMPROXY signs
  outgoing mail (sadly, before Amavis, so amavis verifies the signature
  - but I'm okay with that for now) on the submission port.
 
  Mail that is injected (i.e. from CRON, applications, etc), still
  passes through amavis (obviously) but doesn't get signed.  I would
  like to sign those mails as well.
 
  As I was writing this, it occurred to me that the way to do that is to
  add the content filter in master.cf
 
    -o content_filter=dksign:[127.0.0.1]:10028
 
  I think I need to add that to the pickup line - is that correct?  If
  not, where do I add it so that mails that are injected are added?
 
 Well in the absence of any one telling me not to be stupid, I went
 ahead and tried that.  It wasn't a miserable failure, but it didn't do
 anything.

First, you can add -o content_filter to the pickup daemon only if
your content filter is based on SMTP, otherwise you get an infinite
loop.

Second, you need to add the same -o content_filter information as
with the smtpd line.  There is nothing magical about filters, except
perhaps that DKIMPROXY expects to see message headers that the
pickup daemon cannot provide.

Wietse

 If anyone has any pointers on how to do this (or if you'd like to tell
 me it's not possible and why) that would be great.
 
 Thanks.
 
 Simon
 


Re: Quota for mail

2011-11-08 Thread Stan Hoeppner
On 11/8/2011 6:48 AM, Wietse Venema wrote:
 Stan Hoeppner:
 His problem is spambots relaying *outbound* through Postfix.  This isn't
 an inbound problem.  You're describing an inbound policy.
 
 In that case, any policy daemon that counts the messages or bytes
 per client or sender will do the job. There are rate limits in
 policyd and postfwd, for example.
 
   Wietse


Apologies everyone.  I got my threads confused.  I thought I was
replying to the reject or discard outgoing mail thread.  (palm to
forehead)  This thread has nothing to do with spambots.

-- 
Stan



Re: Quota for mail

2011-11-08 Thread Martin Strand

On Tue, 08 Nov 2011 10:30:47 +0100, Egoitz Aurrekoetxea Aurre 
ego...@ramattack.net wrote:


You could too take a look to Postfix Quota Reject.
http://postfixquotareject.ramattack.net. It's a postfix policy daemon
which allow mail to be rejected at smtp dialogue when mailbox are
overquota... can work from the own mailbox machine or from the own
mailscanning machine farm asking to a daemon in mailbox machines.



For what it's worth, here's a similar policy daemon that I've been using for a 
few years.
- it only checks the quota if MAIL FROM has a SIZE parameter (which is not 
always the case)
- it executes 'postmap' on each request to find the proper maildir so will not 
scale very well
- been using it on an ancient Postfix installation together with the VDA patch 
and Courier
- daemon must be run by a user with access to all maildirs (in my case it's 
'vmail')


Might not be a good idea to paste this in a message since whitespace is 
significant in Python, but here it is:




#!/usr/bin/env python
##
## Maildir++ quota checking policy server for Postfix - http://www.postfix.org/
##
## 1. Uses 'postconf' and 'postmap' to lookup the recipient's maildir
## 2. Reads the quota file (maildirsize) to determine available storage
## 3. Checks the message size against available storage and returns
##    - REJECT if there's not enough storage
##    - DUNNO  if no message size was specified in 'MAIL FROM'
##    - DUNNO  in case of a lookup error. Perhaps this ought to be DEFER instead, not sure.
##    - WARN   if the recipient does not exist (if postmap returns nothing)
##
##
##
## Logging
## -------
## No logging is done unless the --debug parameter is passed in. With --debug, all policy results will be sent to syslog.
## facility = mail
## priority = debug
## ident = postfix/script-name  (Just like Postfix's other daemons)
##
##
##
## Example usage
## -------------
##
## [master.cf]
## ...
## check-quota unix -       n       n       -       -       spawn user=vmail
##     argv=/usr/local/libexec/check-quota
##     --debug
## ...
##
## [main.cf]
## ...
## smtpd_recipient_restrictions =
##     ...
##     check_policy_service unix:private/check-quota
##     ...
##
##
##
## Notes
## -----
## 1. Proxymap is never used since it's a private service and only the postfix user may access it. Any 'proxy:' prefix for maps is removed.
## 2. The user running this policy server must be able to read 'maildirsize' in each maildir.
## 3. This policy server only checks storage quotas, not message quotas
##
import optparse
import os.path
import os
import sys
import select
import syslog

class InvalidRecipientError(Exception):
    pass

class QuotaChecker:
    def __init__(self, timeout):
        self.timeout = timeout
        # Ask Postfix for the mailbox base and the maps, stripping any 'proxy:' prefix (see note 1)
        self.virtual_mailbox_base = os.popen("/usr/sbin/postconf -h virtual_mailbox_base").read().strip()
        self.virtual_mailbox_maps = os.popen("/usr/sbin/postconf -h virtual_mailbox_maps | sed 's/proxy://g'").read().strip()

    def find_maildir(self, recipient):

        # Pass recipient to postmap
        # NOTE: the recipient string from the policy request is interpolated into a
        # shell command line here; a hardened deployment would pass it as an
        # argument list (subprocess) instead of relying on the single quotes.
        postmap = "/usr/sbin/postmap -q '%s' '%s'" % (recipient, self.virtual_mailbox_maps)
        input = os.popen(postmap)

        # Wait for postmap to finish
        rfds, wfds, efds = select.select([input], [], [], self.timeout)
        if not rfds:
            input.close()
            raise IOError, "Lookup timeout for %s" % recipient

        # Get maildir
        maildir = input.read().strip()
        exit_code = input.close()
        if exit_code == 256:
            # Recipient does not exist (postmap exit status 1 as seen by os.popen)
            return None
        if exit_code or not maildir:
            raise IOError, "Lookup error for %s" % recipient

        return maildir

    def get_available_storage(self, recipient):

        # Lookup maildir
        maildir = self.find_maildir(recipient)
        if not maildir:
            raise InvalidRecipientError, "No such recipient: %s" % recipient

        # Find quota file
        filename = os.path.join(self.virtual_mailbox_base, maildir, "maildirsize")
        if not os.path.exists(filename):
            # No quota set
            return None

        # Read quota file
        file = open(filename)
        try:
            max_storage = 0L
            used_storage = 0L
            for line in file:
                line = line.strip()
                try:
                    (storage, messages) = line.split()
                except ValueError:
                    storage = line

                if 
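Martin's post is cut off above just before the maildirsize parsing. As an added example (not Martin's code, and not part of the original message), here is the core of the same check in a form that runs offline: a Maildir++ maildirsize parser, a parser for the name=value request Postfix sends to check_policy_service, and the decision logic with the same REJECT/DUNNO/WARN outcomes. The postmap and filesystem lookups are replaced by a constructed in-memory table, and the mailbox values and the sample request are made up.

```python
# Constructed stand-in for the postmap + filesystem lookups: recipient -> contents
# of that mailbox's maildirsize file (None = mailbox exists but has no quota
# file).  All values are made up for this example.
MAILBOXES = {
    # quota 10 MB / 1000 messages; 9.9 MB and 910 messages used
    "alice@example.com": "10000000S,1000C\n9500000 900\n400000 10\n",
    # quota 50 MB, no message limit; 0.8 MB / 17 messages used after a deletion
    "bob@example.com": "50000000S\n1000000 20\n-200000 -3\n",
    "carol@example.com": None,
}

# Constructed policy request as Postfix sends it to check_policy_service:
# "name=value" lines terminated by an empty line.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "sender=someone@example.org\n"
    "recipient=alice@example.com\n"
    "size=200000\n"
    "\n"
)


def parse_maildirsize(text):
    """Parse a Maildir++ maildirsize file.

    The first line is the quota definition ("<bytes>S,<count>C", either part
    optional); every following line is a signed "<bytes> <count>" delta that
    the MDA/IMAP server appends on delivery or expunge.  Returns
    (max_bytes, max_count, used_bytes, used_count), None for an unset limit.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty maildirsize")
    max_bytes = max_count = None
    for part in lines[0].split(","):
        part = part.strip()
        if part.endswith("S"):
            max_bytes = int(part[:-1])
        elif part.endswith("C"):
            max_count = int(part[:-1])
        else:
            raise ValueError("bad quota definition: %r" % lines[0])
    used_bytes = used_count = 0
    for line in lines[1:]:
        b, c = line.split()
        used_bytes += int(b)
        used_count += int(c)
    return max_bytes, max_count, used_bytes, used_count


def parse_policy_request(raw):
    """Turn the name=value request block into a dict (split on the first '=')."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break                       # empty line ends the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs, mailboxes):
    """Policy action for one RCPT-stage request, mirroring the daemon above."""
    recipient = attrs.get("recipient", "")
    if recipient not in mailboxes:
        return "action=WARN no such mailbox: %s" % recipient
    size = attrs.get("size", "")
    if not size.isdigit() or int(size) == 0:
        return "action=DUNNO"           # client gave no SIZE= on MAIL FROM
    quota = mailboxes[recipient]
    if quota is None:
        return "action=DUNNO"           # mailbox has no quota file
    max_bytes, max_count, used_bytes, used_count = parse_maildirsize(quota)
    if max_bytes is not None and used_bytes + int(size) > max_bytes:
        return "action=REJECT 552 5.2.2 Mailbox is over quota"
    if max_count is not None and used_count + 1 > max_count:
        return "action=REJECT 552 5.2.2 Mailbox is over quota"
    return "action=DUNNO"


def handle(raw, mailboxes=MAILBOXES):
    """Full request text -> response text as it would be written back to Postfix."""
    return decide(parse_policy_request(raw), mailboxes) + "\n\n"


if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST), end="")
```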

Finally, postconf dynamic parameter name support

2011-11-08 Thread Wietse Venema
201108

Cleanup: postconf finally supports dynamic configuration
parameter names: parameters whose name depend on a mail
delivery transport name in master.cf, and parameters whose
names are specified with smtpd_restriction_classes in
main.cf. This adds 70 parameters to the postconf output,
more if additional mail delivery transports are defined in
master.cf.  File: postconf/postconf.c.

This eliminates the long-standing problem of invisible Postfix
parameters.  Fixing this (and adding support for pretty-printing
master.cf) took 500 lines of code, but the result was worth the
effort.

This is an isolated change; you can copy the postconf source
directory into any supported Postfix release and it should work.

Wietse


Re: Signing injected mail

2011-11-08 Thread Noel Jones
On 11/8/2011 10:35 PM, Simon Brereton wrote:
 On 8 November 2011 15:30, Wietse Venema wie...@porcupine.org
 wrote:
 Simon Brereton:
 On 4 November 2011 15:49, Simon Brereton
 simon.brere...@buongiorno.com wrote:
 Hi
 
  Amavis checks both incoming and outgoing mail.  DKIMPROXY
 signs outgoing mail (sadly, before Amavis, so amavis
 verifies the signature - but I'm okay with that for now)
 on the submission port.
 
 Mail that is injected (i.e. from CRON, applications,
 etc), still passes through amavis (obviously) but doesn't
  get signed.  I would like to sign those mails as well.
 
 As I was writing this, it occurred to me that the way to
 do that is to add the content filter in master.cf
 
    -o content_filter=dksign:[127.0.0.1]:10028
 
 I think I need to add that to the pickup line - is that
  correct?  If not, where do I add it so that mails that
 are injected are added?
 
 Well in the absence of any one telling me not to be stupid,
 I went ahead and tried that.  It wasn't a miserable
 failure, but it didn't do anything.
 
 First, you can add -o content_filter to the pickup daemon
 only if your content filter is based on SMTP otherwise you
 get an infinite loop.
 
 Second, you need to add the same -o content_filter
 information as with the smtpd line.  There is nothing magical
 about filters, except perhaps that DKIMPROXY expects to see
 message headers that the pickup daemon cannot provide.
 
 Wietse
 
 If anyone has any pointers on how to do this (or if you'd
 like to tell me it's not possible and why) that would be
 great.
 
 
 I don't think this is your fault - but that went completely
 over my level of smtp understanding.
 
 Putting the content filter in the pickup (exactly as it is in
 in the smtpd) doesn't appear to do anything.  But then I expect
 that's related to your comment about the content-filter being
 based on smtp.. I don't get an infinite loop.  I don't get
 anything.
 
 I think I'll have to wait until I start running separate 
 amavis/postfix processes to figure this out.
 
 Simon


I think you should spend 15 minutes to get amavisd-new to do your
DKIM signing and drop dkimproxy.  Better performance, simpler
setup, one less critical component in the mail path.  See the
amavisd-new release notes and docs for further info.



  -- Noel Jones