Re: Postfix 2.8.x anti anti backscattering settings
On 04/19/2013 12:07 AM, Stan Hoeppner wrote:
> On 4/18/2013 4:26 AM, Mikael Bak wrote:
>> Hi Josef,
>>
>> On 04/18/2013 11:06 AM, Josef Karliak wrote:
>>> Good morning, our outgoing smtp server gets into a backscatter blacklist. When I checked my logs, there was only one mailer daemon email to some server in the time that is mentioned on the backscatter web. All servers in the way of the email (incoming MX - antispam server - our imap server) have unknown_local_recipient_reject_code = 550. What else could I do?
>>>
>>> There could be one thing - the incoming MX accepts all emails for our domain, he doesn't know our aliases. The mail is sent to the antispam and when the antispam wants to send the email to the imap server and the target email address doesn't exist, it has a 550 error and it is sent away by our antispam server (it is our outgoing server). So, is this all wrong?
>>>
>>> We decided to have more servers because of load reasons (we have up to 15 000 emails daily, but there was a 60 000 peak)
>>
>> You can have reject_unverified_recipient on the MX to check the IMAP server if the email address exists before accepting it.
>
> To be clear Josef, reject_unverified_recipient performs recipient address verification via an SMTP RCPT TO test. See: http://www.postfix.org/postconf.5.html#reject_unverified_recipient
>
> You state your MX Postfix server relays all mail to the AS appliance which accepts everything regardless of recipient address, which is why you're in trouble currently. Verification queries will be sent to the AS box, so reject_unverified_recipient will not work in your setup.

Last time I read ADDRESS_VERIFICATION_README, I noticed that this isn't true: you can route your probes to the final delivery machine while leaving the current delivery mechanism intact: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#probe_routing

> To fix your problem you must have some form of recipient validation at the MX so it only accepts mail for valid mailbox addresses and rejects mail to invalid addresses.
>
> You have a couple of options:
>
> 1. Export the valid recipient list from the mailbox server to the MX server with one address per line in a text file. Create an access table from this file with OK action. Use check_recipient_access: http://www.postfix.org/postconf.5.html#check_recipient_access
>
> 2. Implement an LDAP or mysql database containing valid addresses. This can be used with check_recipient_access, local_recipient_maps, virtual_mailbox_maps, etc. For implementation details of each see: http://www.postfix.org/postconf.5.html
Multiple owners in smtpd_sender_login_maps
I have a requirement of 2 different users using the same sender email address. I found a very old patch for doing this in postfix.

http://permalink.gmane.org/gmane.mail.postfix.devel/4

Is this patch still the only way of doing multiple owners?

Thanks
Ram
Re: Multiple owners in smtpd_sender_login_maps
On 19.04.2013 10:44, Ram wrote:
> I have a requirement of 2 different users using the same sender email address I found a very old patch for doing this in postfix. http://permalink.gmane.org/gmane.mail.postfix.devel/4 Is this patch still the only way of doing multiple owners

why does this need a patch?

we have been doing this for years with a mysql-table and the query returns a list of allowed login-names

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-senderaccess.cf

http://www.postfix.org/postconf.5.html

In all cases the result of table lookup must be either not found or a list of SASL login names separated by comma and/or whitespace
Re: Postfix 2.8.x anti anti backscattering settings
On 4/19/2013 1:28 AM, Tom Hendrikx wrote:
> Last time I read ADDRESS_VERIFICATION_README, I noticed that this isn't true: you can route your probes to the final delivery machine while leaving the current delivery mechanism intact: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#probe_routing

Ahh, you are correct. This may make things much simpler for Josef.

http://www.postfix.org/postconf.5.html#address_verify_relayhost

But let's note the caveats:

Inconsistencies can happen when probe messages don't follow the same path as regular mail. For example, a message can be accepted when it follows the regular route while an otherwise identical probe message is rejected when it follows the forced route. The opposite can happen, too, but is less likely.

--
Stan
Re: Re: Routing Control of locally generated bounces in Postfix
> Your description is too sketchy. Please choose appropriate domain names under example.com, example.net, example.org, ... (if the real domain names are sensitive) that make it clear what sender and recipient addresses look like in each direction. You should be able to do the right thing with transport_maps, but specific guidance requires a less vague description.

My apologies, I try to be more detailed.

2 organisations in 2 private networks. 2 private DNS setups in both organisations, completely independent from each other. Mail between the 2 organisations is routed via MX lookups which point to our Postfix.

organisation A has the following MX records in its own DNS:
@A1.example.com
@B1.example.com - points to our postfix

organisation B has the following MX records in its own DNS:
@B1.example.com
@B2.example.com
@A1.example.com - points to our postfix

The postfix host uses the DNS in organisation A and has a multi instance setup.

The first instance routes only mail from A to B. It uses smtpd_sender_restrictions=reject_unknown_sender_domain and relays all mail to a relayhost. Everything is fine with this instance.

The second instance routes only mail from B to A. Destination lookups are done via A's DNS. Everything is fine with mail from senders in @B1.example.com to recipients in @A1.example.com.

The problem arises with mail originating from senders in @B2.example.com to recipients in @A1.example.com. Because the destination server in A also does a smtpd_sender_restrictions=reject_unknown_sender_domain and @B2.example.com is unknown in A's DNS the sender address is rejected. The missing MX Record in A's DNS is ok, because senders in @B2.example.com are not supposed to participate in mail exchange with @A1.example.com and vice versa.

But where to deliver the bounce? The postfix host uses A's DNS and the transport_maps are not complete due to not allowed zone transfers from some DNS servers in B.

I tried sender_dependent_relayhost_maps but because it only works on the envelope sender, locally and remotely generated bounces are treated equally.

My end-goal if possible is: distinguish between remotely and locally generated bounces and send locally generated bounces to a relayhost which can deliver the bounce to recipients in @B2.example.com.

Can this behavior somehow be accomplished or must I go through the process of log file analysis to identify the missing record @B2.example.com in transport_maps?

Peter
Backscatter
Is there a way of testing for backscatter? I do not believe that my setup is a source of backscatter. However, believing and knowing are different things.

Whenever I make a change in my setup, I test for open relay. But I wonder if there are other things that I should be testing for.

John A
Re: Backscatter
On 2013-04-19 6:57 AM, John Allen j...@klam.ca wrote:
> Is there a way of testing for backscatter? I do not believe that my setup is a source of backscatter. However, believing and knowing are different things.

As long as you reject messages destined for invalid recipients, and don't accept-then-bounce messages with an after queue content (antispam etc) filter, (ie, if you use one, tag it as spam, or quarantine it, but do not bounce it), then you are not a source of backscatter...

--
Best regards, Charles
Re: Backscatter
On 19/04/2013 7:03 AM, Charles Marcus wrote:
> On 2013-04-19 6:57 AM, John Allen j...@klam.ca wrote:
>> Is there a way of testing for backscatter? I do not believe that my setup is a source of backscatter. However, believing and knowing are different things.
>
> As long as you reject messages destined for invalid recipients, and don't accept-then-bounce messages with an after queue content (antispam etc) filter, (ie, if you use one, tag it as spam, or quarantine it, but do not bounce it), then you are not a source of backscatter...

We work on the basis, that if we don't like it, we just drop it. On our partner server bounce is sent to their postmaster, something I would like to change. After all, if it smells like poison it's usually a bad idea to do a taste test.

John A
Re: Multiple owners in smtpd_sender_login_maps
Quoting Ram r...@netcore.co.in:
> I have a requirement of 2 different users using the same sender email address I found a very old patch for doing this in postfix. http://permalink.gmane.org/gmane.mail.postfix.devel/4 Is this patch still the only way of doing multiple owners

Not sure why you like to patch. From the documentation:

In all cases the result of table lookup must be either not found or a list of SASL login names separated by comma and/or whitespace

So simply doing

localpart@mailaddress login-name1, login-name2

in the lookup table should do the trick.

Regards
Andreas
Re: Routing Control of locally generated bounces in Postfix
On 2013-04-19 12:28, nullnullachtfuenfz...@arcor.de wrote:
> The problem arises with mail originating from senders in @B2.example.com to recipients in @A1.example.com. Because the destination server in A also does a smtpd_sender_restrictions=reject_unknown_sender_domain and @B2.example.com is unknown in A's DNS the sender address is rejected. The missing MX Record in A's DNS is ok, because senders in @B2.example.com are not supposed to participate mail exchange with @A1.example.com and vice versa. But where to deliver the bounce?

Why exactly is there a bounce in the first place? If the @A1 MX rejects mail from @B2 during the SMTP session, it never receives responsibility for any bounces. Unless of course you accept the mail first and then decide later to bounce it. But why would you do that?

-Timo
Re: Backscatter
On 2013-04-19 7:10 AM, John Allen j...@klam.ca wrote:
> On 19/04/2013 7:03 AM, Charles Marcus wrote:
>> On 2013-04-19 6:57 AM, John Allen j...@klam.ca wrote:
>>> Is there a way of testing for backscatter? I do not believe that my setup is a source of backscatter. However, believing and knowing are different things.
>>
>> As long as you reject messages destined for invalid recipients, and don't accept-then-bounce messages with an after queue content (antispam etc) filter, (ie, if you use one, tag it as spam, or quarantine it, but do not bounce it), then you are not a source of backscatter...
>
> We work on the basis, that if we don't like it, we just drop it. On our partner server bounce is sent to their postmaster, something I would like to change. After all, if it smells like poison it's usually a bad idea to do a taste test.

In general, it is considered a very bad idea to 'drop' (or silently discard) email once you have accepted it for final delivery. If you are going to drop it, it is best to simply REJECT it.

But, your system, your rules...

--
Best regards, Charles
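
One way to test for the accept-then-bounce pattern described in this thread, as an added example that is not part of any poster's message: the Python sketch below scans Postfix logs for messages accepted from an unauthenticated SMTP client that later produced a sender non-delivery notification. The log lines are constructed samples, `find_backscatter` and `trusted_ips` are hypothetical names, and short hexadecimal queue IDs are assumed.

```python
import re

# Constructed sample lines in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Apr 19 10:00:01 mx postfix/smtpd[2101]: 3A1B2C4D5E: client=unknown[203.0.113.7]
Apr 19 10:00:01 mx postfix/qmgr[900]: 3A1B2C4D5E: from=<forged@example.net>, size=1234, nrcpt=1 (queue active)
Apr 19 10:00:02 mx postfix/smtp[2103]: 3A1B2C4D5E: to=<nouser@example.com>, relay=imap.example.com[192.0.2.10]:25, delay=1.2, dsn=5.1.1, status=bounced (host imap.example.com[192.0.2.10] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Apr 19 10:00:02 mx postfix/bounce[2104]: 3A1B2C4D5E: sender non-delivery notification: 4F6A7B8C9D
Apr 19 10:05:00 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown; from=<a@example.net> to=<ghost@example.com> proto=ESMTP helo=<h.example.net>
Apr 19 10:09:00 mx postfix/smtpd[2101]: 5B6C7D8E9F: client=laptop.example.com[198.51.100.4], sasl_method=PLAIN, sasl_username=alice
Apr 19 10:09:00 mx postfix/qmgr[900]: 5B6C7D8E9F: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Apr 19 10:09:01 mx postfix/smtp[2103]: 5B6C7D8E9F: to=<typo@example.org>, relay=mx.example.org[192.0.2.55]:25, delay=0.8, dsn=5.1.1, status=bounced (host mx.example.org[192.0.2.55] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Apr 19 10:09:01 mx postfix/bounce[2104]: 5B6C7D8E9F: sender non-delivery notification: 6A7B8C9D0E
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")
CLIENT = re.compile(r"client=[^\[]*\[([^\]]+)\]")

def find_backscatter(log_text, trusted_ips=()):
    """Return messages accepted from untrusted, unauthenticated SMTP clients
    that later caused a non-delivery notification to the envelope sender."""
    msgs, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:  # NOQUEUE rejects end up here: refused in-session, no bounce
            continue
        daemon, qid, rest = m.groups()
        msg = msgs.setdefault(qid, {"client": None, "sender": "", "bounced": []})
        client = CLIENT.match(rest) if daemon == "smtpd" else None
        if client:
            # Authenticated or trusted clients are our own users; an NDR to them is fine.
            if "sasl_username=" not in rest and client.group(1) not in trusted_ips:
                msg["client"] = client.group(1)
        elif daemon == "qmgr" and rest.startswith("from=<"):
            msg["sender"] = rest[len("from=<"):rest.index(">")]
        elif "status=bounced" in rest:
            to = re.match(r"to=<([^>]*)>", rest)
            msg["bounced"].append(to.group(1) if to else "?")
        elif daemon == "bounce" and "sender non-delivery notification" in rest:
            # A null sender (from=<>) gets no NDR, so only non-empty senders count.
            if msg["client"] and msg["sender"]:
                findings.append({"queue_id": qid, "client": msg["client"],
                                 "ndr_sent_to": msg["sender"],
                                 "rejected_rcpts": msg["bounced"]})
    return findings

if __name__ == "__main__":
    for finding in find_backscatter(SAMPLE_LOG):
        print(finding)
```

Any finding means the server took responsibility for a message it could not deliver and then mailed a bounce to an unverified envelope sender; the recipient check belongs at the first hop instead.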
sender_dependent_relayhost_maps Syntax
I have a series of user names that need to be relayed through a server other than the default. It is not clear from the documentation if wild cards are allowed but it appears they are not. If that is true then I need to list each one individually.

However, I am also using generic mapping and again it is not explained in the documentation which address needs to be in the relay maps file, the local address vs. the translated address. Can someone please clarify? Thanks.
Re: sender_dependent_relayhost_maps Syntax
On 19.04.2013 14:25, awingnut wrote:
> I have a series of user names that need to be relayed through a server other than the default. It is not clear from the documentation if wild cards are allowed but it appears they are not

no and wildcards in case of mail are generally a bad idea

> If that is true then I need to list each one individually. However, I am also using generic mapping and again it is not explained in the documentation which address needs to be in the relay maps file, the local address vs. the translated address. Can someone please clarify? Thanks.

what additional mapping?

we are using sender_dependent_relayhost_maps to allow specific senders which are not hosted on our server and relay them to the customers MTA with the users login/password without rewrite anything
Re: sender_dependent_relayhost_maps Syntax
Reindl Harald:
> On 19.04.2013 14:25, awingnut wrote:
>> I have a series of user names that need to be relayed through a server other than the default. It is not clear from the documentation if wild cards are allowed but it appears they are not
>
> no and wildcards in case of mail are generally a bad idea

Wildcards are supported with PCRE and REGEXP tables.

man 5 pcre_table
man 5 regexp_table

>> If that is true then I need to list each one individually. However, I am also using generic mapping and again it is not explained in the documentation which address needs to be in the relay maps file, the local address vs. the translated address. Can someone please clarify? Thanks.

As documented, smtp_sender_login_maps lists for each envelope sender addresses (left-hand side of table) the user login names that are allowed to use (right-hand side of table).

If that reads like gibberish I suggest that you read up on: envelope versus header

As documented, relay_recipient_maps contains the envelope recipient addresses that are used in (for example) RCPT TO commands.

If that reads like gibberish I suggest that you read up on: SMTP protocol

Wietse
Re: Emails getting piped to the wrong Virtual Domain
On 18/04/2013 19:05, Wietse Venema wrote:
> Dan Clovis:
> Apr 18 15:44:06 companycoServer1 postfix/local[15179]: 5F6A214EE1B4: to= d...@companycouk.com, orig_to=d...@ccpop.itco.co, relay=local, delay=0.35, delays=0.29/0/0/0.06, dsn=2.0.0, status=sent (delivered to command: procmail -a $EXTENSION)
>
> Wietse:
> If the address rewriting from d...@ccpop.itco.co to d...@companycouk.com is now what you want, then do not specify such a mapping in virtual_alias_maps.
> ...
> myorigin = /etc/mailname
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
>
> With virtual_alias_maps queries, be sure to return user@domain as the result value, not a bare username. Otherwise, Postfix will append the myorigin value.
>
> Dan Clovis:
> I followed the howto to install - I'm guessing it would have worked if I left it as default. But the only changes I made was to add an additional field for username, so that usernames could be independent of emails (as per customer requirements)... I wonder if this has broken something between Dovecot and Postfix... Any further assistance would be greatly appreciated...
>
> See http://www.postfix.org/DATABASE_README.html
>
> First implement the database with hash: files. Then test with postmap -q all the queries that are described in the virtual(5) manpage, and don't proceed unless that looks right.
>
> Then, implement the database with mysql: files. Your job now is to get the same query results the queries that you got with hash: files.
>
> If you don't know what the queries and replies should look like, then you need help there, first. Maybe someone else on the list has time to walk you through the steps.
>
> Wietse

Ave Maria!

Wietse - can I do both emails and usernames with different values... If that works - then I shall proceed...

God Bless
Re: sender_dependent_relayhost_maps Syntax
On 4/19/2013 8:30 AM, Reindl Harald wrote:
> On 19.04.2013 14:25, awingnut wrote:
>> I have a series of user names that need to be relayed through a server other than the default. It is not clear from the documentation if wild cards are allowed but it appears they are not
>
> no and wildcards in case of mail are generally a bad idea
>
>> If that is true then I need to list each one individually. However, I am also using generic mapping and again it is not explained in the documentation which address needs to be in the relay maps file, the local address vs. the translated address. Can someone please clarify? Thanks.
>
> what additional mapping?
>
> we are using sender_dependent_relayhost_maps to allow specific senders which are not hosted on our server and relay them to the customers MTA with the users login/password without rewrite anything

Thanks for the reply. I kind of figured wildcards were out. As to what other mapping, I'm talking about smpt_generic_maps. If the local user name is xyz...@mydomain.com and it is mapped to 123...@somedomain.com, which goes into the relayhosts file?
Re: Routing Control of locally generated bounces in Postfix
> On 2013-04-19 12:28, nullnullachtfuenfz...@arcor.de wrote:
>> The problem arises with mail originating from senders in @B2.example.com to recipients in @A1.example.com. Because the destination server in A also does a smtpd_sender_restrictions=reject_unknown_sender_domain and @B2.example.com is unknown in A's DNS the sender address is rejected. The missing MX Record in A's DNS is ok, because senders in @B2.example.com are not supposed to participate mail exchange with @A1.example.com and vice versa. But where to deliver the bounce?
>
> Why exactly is there a bounce in the first place? If the @A1 MX rejects mail from @B2 during the SMTP session, it never receives responsibility for any bounces. Unless of course you accept the mail first and then decide later to bounce it. But why would you do that?

Timo you opened my eyes. We have the same DNS information as the destination host has. With smtpd_sender_restrictions=reject_unknown_sender_domain activated in this postfix instance the problem silently disappears.

Thanks a lot
Peter
How to block incoming emails with ZIP attachments containing EXE
Hi All,

I'm not sure if this is the correct group to ask so apologies if it's not.

I wanted to ask if anyone has a good way of sending emails that have ZIP attachments that contain EXE files to QUARANTINE. I am using POSTFIX sending to PROCMAIL and CLAMAV. I've looked into procmail recipes and clamav options but nothing seems to work well for me.

Thank you in advance for any assistance.

Regards,
-Andreas

Andreas Freyvogel
ecmarket Customer Solutions Manager
E: afreyvo...@ecmarket.com
P: 604.638.2300 x147
C: 604.603.3319
Re: How to block incoming emails with ZIP attachments containing EXE
On 19 Apr 2013 18:47, Andreas Freyvogel afreyvo...@ecmarket.com wrote:
> Hi All, I'm not sure if this is the correct group to ask so apologies if it's not. I wanted to ask if anyone has a good way of sending emails that have ZIP attachments that contain EXE files to QUARANTINE. I am using POSTFIX sending to PROCMAIL and CLAMAV. I've looked into procmail recipes and clamav options but nothing seems to work well for me. Thank you in advance for any assistance.

You need a content filter like amavisd

Simon
Re: How regular expression tables are processed by postfix
Daniel Flaum:
> /notifier@dev1\.example\.com/ notify-l...@groups.example.com
> /.+@dev1\.example\.com/ a.per...@example.com
> /.*@.*/ firehose@localhost

As documented in virtual(5), virtual_alias_maps is expanded recursively (see WikiPedia for recursion). Therefore the wild-card rule at the end matches all lookup results from the first two rules.

Don't use wild-card rules. As documented in regexp_table(5) and pcre_table(5), Postfix does support conditional expressions.

Wietse
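
The recursion described in the reply above, as an added example that is not part of the original message: a simplified Python model of first-match regexp lookup plus recursive alias expansion, run over the three quoted rules. The first two right-hand sides are constructed stand-ins because the archive truncates the real addresses; `lookup`, `expand` and `max_depth` are hypothetical names, and each result is assumed to be a single address.

```python
import re

# Patterns are the ones quoted in the post. The first two results are
# constructed stand-ins; the archive truncates the real addresses.
TABLE = [
    (r"notifier@dev1\.example\.com", "list@groups.example.com"),
    (r".+@dev1\.example\.com", "person@example.com"),
    (r".*@.*", "firehose@localhost"),
]

def lookup(table, address):
    """Model of a regexp table lookup: patterns are tried in file order,
    matching is unanchored and case-insensitive, and the first hit wins."""
    for pattern, result in table:
        if re.search(pattern, address, re.IGNORECASE):
            return result
    return None

def expand(table, address, max_depth=10):
    """Model of recursive virtual alias expansion: every lookup result is
    looked up again until nothing matches or an address maps to itself.
    Returns the whole rewrite chain, starting with the original address."""
    chain = [address]
    while len(chain) <= max_depth:
        result = lookup(table, chain[-1])
        if result is None or result == chain[-1]:
            break
        chain.append(result)
    return chain

if __name__ == "__main__":
    # With the wild-card rule every address ends up at firehose@localhost,
    # because the results of rules 1 and 2 are themselves matched by rule 3.
    for rcpt in ("notifier@dev1.example.com", "build@dev1.example.com"):
        print(" -> ".join(expand(TABLE, rcpt)))
    # Without the wild-card rule the first rewrite is final.
    print(" -> ".join(expand(TABLE[:2], "notifier@dev1.example.com")))
```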
Re: How to block incoming emails with ZIP attachments containing EXE
On 4/19/2013 11:46 AM, Andreas Freyvogel wrote:
> Hi All, I'm not sure if this is the correct group to ask so apologies if it's not. I wanted to ask if anyone has a good way of sending emails that have ZIP attachments that contain EXE files to QUARANTINE. I am using POSTFIX sending to PROCMAIL and CLAMAV. I've looked into procmail recipes and clamav options but nothing seems to work well for me.

The Sanesecurity addon signatures for clamav have some specific signatures to detect executable files inside a zip.

If you're using clamav in your procmail recipe, you can redirect infected mail to a specific mailbox or discard it. If you use the clamav-milter with postfix, it can put infected mail in the postfix hold queue. If you use amavisd-new for the clamav interface, you can save the mail in a quarantine.

http://sanesecurity.com/
http://sanesecurity.com/foxhole-databases/

--
Noel Jones