Re: postscreen feature request

2015-03-11 Thread Wietse Venema
Kovács Albert:
> On Tuesday, March 10, 2015 1:42 PM, Wietse Venema wie...@porcupine.org wrote:
>>> I'm not sure how one (type of) dns query is a performance concern, and
>>> another is not, see below.
>>
>> You see no performance difference between querying a small number
>> of well-operated DNS servers that are chosen by the local sysadmin,
>> versus random DNS servers all over the Internet that are determined
>> by the sender's IP address?
>
> This isn't exactly what I wrote :-) Obviously querying PTR records may
> take some time. However, smtpd also needs the PTR record to perform some
> DNS tests, so sooner or later you need the query.

If everything smtpd did was OK for postscreen, then we would
not need postscreen.

Wietse


Re: SMTP AUTH issue

2015-03-11 Thread Viktor Dukhovni
On Wed, Mar 11, 2015 at 01:41:00PM +0100, Emmanuel Fusté wrote:

> Hello,
>
> On a heavily I/O-loaded Postfix (2.11.0) server, I've got this behavior:
>
> 535 5.7.8 Error: authentication failed: Connection lost to authentication
> server
>
> Mar 10 16:37:08 x postfix/smtpd[20613]: warning: x.x.x[x.x.x.x]: SASL
> CRAM-MD5 authentication failed: Connection lost to authentication server
>
> Ok, I have an I/O load problem with this server, but a 535 error code is too
> much, I was expecting a 454 error code as stated in RFC2554.

A complete solution would require handling similar problems for
Cyrus SASL, but I never got a meaningful response to:

http://archives.neohapsis.com/archives/postfix/2008-12/0405.html
https://www.mail-archive.com/postfix-users@postfix.org/msg56129.html

You could try the patch below and report your results (presumably
for Dovecot).  It would be nice to have confirmation for Cyrus
also.

-- 
Viktor.

diff --git a/src/xsasl/xsasl.h b/src/xsasl/xsasl.h
--- a/src/xsasl/xsasl.h
+++ b/src/xsasl/xsasl.h
@@ -121,6 +121,7 @@ extern ARGV *xsasl_client_types(void);
 #define XSASL_AUTH_DONE3   /* Authentication completed */
 #define XSASL_AUTH_FORM4   /* Cannot decode response */
 #define XSASL_AUTH_FAIL5   /* Error */
+#define XSASL_AUTH_TEMP6   /* Temporary error condition */
 
 /* LICENSE
 /* .ad
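Review bot: the new `+#define XSASL_AUTH_TEMP6   /* Temporary error condition */` adds a value to the status space shared by all xsasl server backends, but nothing in the header says what callers must do with it; any caller that distinguishes only XSASL_AUTH_FAIL from the success states will see an unknown status once a backend returns it. Suggest extending the comment to state that XSASL_AUTH_TEMP is a failure that callers handle exactly like XSASL_AUTH_FAIL apart from the SMTP reply code, and auditing every consumer of these values before merging.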
diff --git a/src/smtpd/smtpd_sasl_glue.c b/src/smtpd/smtpd_sasl_glue.c
--- a/src/smtpd/smtpd_sasl_glue.c
+++ b/src/smtpd/smtpd_sasl_glue.c
@@ -316,8 +316,12 @@ int smtpd_sasl_authenticate(SMTPD_STATE *state,
 state-namaddr, sasl_method,
 STR(state-sasl_reply));
/* RFC 4954 Section 6. */
-   smtpd_chat_reply(state, 535 5.7.8 Error: authentication failed: %s,
-STR(state-sasl_reply));
+   if (status == XSASL_AUTH_TEMP)
+   smtpd_chat_reply(state, 454 4.7.0 Temporary authentication 
failure: %s,
+STR(state-sasl_reply));
+   else
+   smtpd_chat_reply(state, 535 5.7.8 Error: authentication failed: 
%s,
+STR(state-sasl_reply));
return (-1);
 }
 /* RFC 4954 Section 6. */
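Review bot: the logging call whose trailing arguments appear in the leading context lines (`state->namaddr, sasl_method, STR(state->sasl_reply)`) runs unchanged before the new `if (status == XSASL_AUTH_TEMP)` branch, so a lost authentication server and a wrong password produce the same "SASL ... authentication failed" warning in the log while only the SMTP reply differs (454 versus 535). Log-driven blockers such as the fail2ban setup discussed elsewhere on this page cannot then tell an auth-backend outage from a dictionary attack; suggest a distinct wording (for example "temporary authentication failure") in the warning on the XSASL_AUTH_TEMP path. The unchanged `return (-1);` means the session is handled identically in both branches, which is what a temporary reply needs.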
diff --git a/src/xsasl/xsasl_cyrus_server.c b/src/xsasl/xsasl_cyrus_server.c
--- a/src/xsasl/xsasl_cyrus_server.c
+++ b/src/xsasl/xsasl_cyrus_server.c
@@ -474,7 +474,13 @@ static int xsasl_cyrus_server_auth_response(int 
sasl_status,
if (sasl_status == SASL_NOUSER) /* privacy */
sasl_status = SASL_BADAUTH;
vstring_strcpy(reply, xsasl_cyrus_strerror(sasl_status));
-   return (XSASL_AUTH_FAIL);
+   switch (sasl_status) {
+   case SASL_TRYAGAIN:
+   case SASL_UNAVAIL:
+   return XSASL_AUTH_TEMP;
+   default:
+   return (XSASL_AUTH_FAIL);
+   }
 }
 }
 
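Review bot: `+   return XSASL_AUTH_TEMP;` drops the parenthesised `return (...)` style used by the surrounding Postfix code (`return (XSASL_AUTH_FAIL);` two lines below); make it `return (XSASL_AUTH_TEMP);`. Placing the switch after the `SASL_NOUSER` to `SASL_BADAUTH` privacy rewrite is fine, since that rewrite does not touch SASL_TRYAGAIN or SASL_UNAVAIL, but the choice of those two codes as the temporary set is the part the author says is unconfirmed for Cyrus, so testers should record which sasl_status the library actually returns when its authentication backend is unreachable.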
diff --git a/src/xsasl/xsasl_dovecot_server.c b/src/xsasl/xsasl_dovecot_server.c
--- a/src/xsasl/xsasl_dovecot_server.c
+++ b/src/xsasl/xsasl_dovecot_server.c
@@ -598,7 +598,7 @@ static int xsasl_dovecot_handle_reply(XSASL_DOVECOT_SERVER 
*server,
 }
 
 vstring_strcpy(reply, Connection lost to authentication server);
-return XSASL_AUTH_FAIL;
+return XSASL_AUTH_TEMP;
 }
 
 /* is_valid_base64 - input sanitized */
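Review bot: `+return XSASL_AUTH_TEMP;` turns every failure that reaches this "Connection lost to authentication server" return into a temporary one, which matches the reported symptom, but the reporter's trigger was the Dovecot auth socket not answering within the hard-coded 10-second timeout under I/O load (see the SMTP AUTH report on this page); whether that timeout surfaces through this return is not visible in the hunk, so the test should confirm a 454 in the swaks transcript rather than only a clean compile. Same style nit as the Cyrus hunk: the parenthesised `return (...)` form is used elsewhere in this file.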


Re: About table search order: not to query 'user+extens...@domain.ltd'

2015-03-11 Thread Zhang Huangbin
On Thu, Mar 12, 2015 at 12:03 AM, Viktor Dukhovni
postfix-us...@dukhovni.org wrote:

> You may well be able to do something with advanced SQL string
> manipulation to short-circuit queries that contain +.
>
> SELECT result
> FROM table
> WHERE key = '%u@%d'
> AND key NOT LIKE '%%+%%'
>
> An SQL server may well optimize that query away when the key contains
> a + and not do any disk I/O.

In this case, SQL is flexible, but is there any solution for an LDAP table? We
cannot do this in an LDAP query filter.

Again, thanks for your help. :)


Re: About table search order: not to query 'user+extens...@domain.ltd'

2015-03-11 Thread Viktor Dukhovni
On Thu, Mar 12, 2015 at 12:07:49AM +0800, Zhang Huangbin wrote:

>> An SQL server may well optimize that query away when the key contains
>> a + and not do any disk I/O.
>
> In this case, SQL is flexible, but is there any solution for an LDAP table? We
> cannot do this in an LDAP query filter.

No.

-- 
Viktor.


Re: About table search order: not to query 'user+extens...@domain.ltd'

2015-03-11 Thread Zhang Huangbin
On Wed, Mar 11, 2015 at 11:46 PM, Viktor Dukhovni
postfix-us...@dukhovni.org wrote:

> Not at present.  You can only suppress lookups for bare keys which
> can happen when the domain is $myorigin or matches $mydestination
> by interpolating the lookup key into the query via '%u@%d' instead
> of '%s'.  That will filter out keys with no @domain part.

Thanks Viktor. :)

I'm afraid that '%u' doesn't work; it still has '+extension' in the query.
For example:

*) part of my testing ldap lookup file:

query_filter= (mail=%u@%d)

*) Testing with 'postmap':

# postmap -v -q 'postmaster+...@mydomain.ltd' ldap:./my_ldap_file.cf
...
postmap: dict_ldap_lookup: ./my_ldap_file.cf: Searching with filter
(mail=postmaster+...@mydomain.ltd)
...

As you can see, '%u' doesn't drop extension '+abc' in my test.
Anything wrong in my testing?


About table search order: not to query 'user+extens...@domain.ltd'

2015-03-11 Thread Zhang Huangbin
Dear all,

According to the Postfix documentation, virtual(8), 'user+extens...@domain.ltd'
is looked up first, then 'u...@domain.ltd'. Is it possible to
skip/ignore the address extension and just query 'u...@domain.ltd'?
(By the way, I want to ignore the extension in SQL/LDAP lookups.)

Thanks for your time and help. :)


TABLE SEARCH ORDER
...
The search order is as follows. The search stops upon the first successful
lookup.

o When the recipient has an optional address extension the
  user+extens...@domain.tld address is looked up first.

o The u...@domain.tld address, without address extension, is
  looked up next.
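The following Python model is an added example, not code from this thread or from Postfix. It ties together the virtual(8) search order quoted above and the SQL guard Viktor suggested earlier in the thread ('%u@%d' plus NOT LIKE '%%+%%'): it generates the keys virtual(8) tries for an address with an extension, expands a map query template with the documented %s/%u/%d/%% rules (including the rule that %u and %d suppress the lookup when the key has no @domain part), and runs the result against an in-memory SQLite table. The table rows, addresses and the `aliases` table name are constructed for the demo; quoting is simplified to doubling single quotes rather than Postfix's own escaping.

```python
import re
import sqlite3

# Constructed sample table standing in for the SQL/LDAP map being discussed.
SAMPLE_ROWS = [
    ("alice@example.com", "alice@mail.internal"),
    ("bob@example.com", "bob@mail.internal"),
]
RECIPIENT_DELIMITER = "+"

# Viktor's guarded query from the thread, and a plain query for comparison.
GUARDED_QUERY = ("SELECT result FROM aliases WHERE key = '%u@%d' "
                 "AND key NOT LIKE '%%+%%'")
PLAIN_QUERY = "SELECT result FROM aliases WHERE key = '%s'"


def virtual_search_keys(address, delimiter=RECIPIENT_DELIMITER):
    """Keys tried, in order, per the virtual(8) excerpt: the address with its
    extension first, then user@domain without the extension. The manpage lists
    further fallbacks after these two; only the two shown are modelled."""
    local, _, domain = address.rpartition("@")
    keys = [address]
    if delimiter in local:
        keys.append("%s@%s" % (local.split(delimiter, 1)[0], domain))
    return keys


def expand_query(template, key):
    """Expand a Postfix map query template for one lookup key following the
    %s/%u/%d/%% rules of the SQL and LDAP table types: %s is the whole key,
    %u its local part, %d its domain part, %% a literal percent sign. When
    %u or %d is used and the key has no @domain part, Postfix skips the lookup;
    that is modelled by returning None. Quotes are doubled (simplification)."""
    local, at, domain = key.rpartition("@")
    needs_domain = False

    def substitute(match):
        nonlocal needs_domain
        code = match.group(1)
        if code == "%":
            return "%"
        if code in "ud":
            needs_domain = True
        value = {"s": key, "u": local, "d": domain}[code]
        return value.replace("'", "''")

    expanded = re.sub(r"%([sud%])", substitute, template)
    return None if (needs_domain and not at) else expanded


def make_db():
    """In-memory SQLite table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aliases (key TEXT PRIMARY KEY, result TEXT)")
    conn.executemany("INSERT INTO aliases VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup(conn, template, address):
    """Run the virtual(8) search sequence against the table with the given
    query template. Returns (matched_key, result, statements_issued)."""
    issued = []
    for key in virtual_search_keys(address):
        sql = expand_query(template, key)
        if sql is None:          # lookup suppressed: key has no @domain part
            continue
        issued.append(sql)
        row = conn.execute(sql).fetchone()
        if row:
            return key, row[0], issued
    return None, None, issued


if __name__ == "__main__":
    db = make_db()
    # %u keeps the +extension, as Zhang observed: it is only the local part of
    # whatever key virtual(8) hands to the table.
    print(expand_query("(mail=%u@%d)", "alice+news@example.com"))
    for template in (PLAIN_QUERY, GUARDED_QUERY):
        print(lookup(db, template, "alice+news@example.com"))
```

Both templates end up returning the `alice@example.com` row on the second key; the difference is that the guarded query can never match a key containing `+`, so the first lookup is cheap for the server but a deliberately stored `alice+news@example.com` entry would also be invisible. Nothing here strips the extension before the query, which is exactly why `%u` still shows `+abc` in the postmap trace above.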



Re: Discussion about SPF signatures / Email security.

2015-03-11 Thread John



Subject: Citizens Bank - Account Balance Threshold Notification

You requested to be notified when your balance for Account xx is above 
$.00.

Logon to Online Banking at http://www.citizensbank.com to view your balance 
information, transfer funds or pay bills.


Your bank sends you an email that actually CONTAINS information about your
account.
There is enough information in the above one line of the email to make you the
target of every scammer on the planet!
As to the link, I would have expected it to be at least https.
As to the URL, I get at least one email a week that tells me to go to xyz company site to track a package, check my bank account,
arrange a delivery, send my son money... all of which take me to fake web sites. Some of them are really good imitations, some of
them should learn to spell before trying it on. The only consistent thing about them is that none of them is ever legit.


I suggest that you should start to lobby your bank to tighten up its security
practices.

John A



email from banks

2015-03-11 Thread Jim Reid

On 11 Mar 2015, at 11:07, John j...@klam.ca wrote:

> Your bank sends you an email that actually CONTAINS information about your
> account

This discussion is not relevant to postfix. Could you please take it elsewhere? 
Thanks.



Email gateway configuration

2015-03-11 Thread John Bees
Hi, everyone!

I need to build an email gateway that will forward emails to users in our
internal Exchange. But some need to be forwarded to our old Linux-based
external server instead. Reading the Postfix documentation and examples I
was able to find on the web, I was still left a bit confused and was hoping
someone would take the time to clear things up. I'm using Postfix 2.9.

I'm able to get a big chunk of our users via LDAP (query done by another
machine that pushes the list with a cron job to the gateway machine). The
gateway machine will monitor the file change and add new entries to the
file for the relay_recipient_maps directive and postmap /path/to/file.
The Linux-based server's user list rarely changes and I manage adding them
by hand (at this moment). Correct me if I've misunderstood in saying this is
only a check whether an entry (user email) exists; relay_domains lists the
domains the gateway machine is willing to relay (e.g. if example.biz is not
listed, it will never be taken into consideration for relaying via the
gateway) and relay_transport is a routing table about to which server
an email should be sent. In my case I have used transport_maps instead,
because it overrides/supersedes the relay_transport directive. (Question 1)
Have I gotten the gist?

So finally we get to the main question. (Question 2) Is there any other and
perhaps more reasonable way of forwarding emails to users that do not
exist in Exchange (172.16.1.1) without adding lines to the
/etc/postfix/transport file? Maybe list non-Exchange users in another file
and add it to transport_maps, i.e. transport_maps =
hash:/etc/postfix/no_exchange_account, hash:/etc/postfix/transport. Are the
lookups done in the order they are listed? I am assuming having a couple of
thousand entries in these lookup tables is performance-wise a non-issue?
Especially compared to storing them in a MySQL database?

(Question 3) Also, will/could this setup create backscatter?
Any other tips, links to tutorials and suggestions would be highly
appreciated.

MAIN.CF

mydomain = example.com
myhostname = gateway
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = gateway.example.com, gateway, localhost.localdomain,
    localhost
#DISABLES LOCAL DELIVERY
#mydestination =
#local_recipient_maps =
#myorigin = example.com
LINES IN QUESTION
#List of user emails which are accepted for relaying
relay_recipient_maps = hash:/etc/postfix/relay_recipients
#Possible solution, when disabling local delivery but still forwarding
#postmaster, abuse emails to admins
#virtual_alias_domains = hash:/etc/postfix/virtual_domains
#virtual_alias_maps = hash:/etc/postfix/virtual
#destination domains (and subdomains thereof) this system will relay mail to
#we accept example.com ,example.net
relay_domains = $mydestination, hash:/etc/postfix/virtual_domains
#routing
transport_maps = hash:/etc/postfix/transport
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 195.222.6.0/26
    172.16.1.0/24
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#IPv4/IPv6 support
inet_protocols = all
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes

### RESTRICTIONS
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_client_hostname,
    permit
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    #blocked senders
    hash:/etc/postfix/access_blacklist,
    permit
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    RBLs,
    permit


LOOKUP FILES:
VIRTUAL_DOMAINS:
example.com #official domain
example.net #old domain

RELAY_RECIPIENTS - mainly to keep inward traffic to a minimum (emails to
users that do not exist in our system are rejected):
#USERS - info gathered with LDAP and exceptions by hand
us...@example.com OK
us...@example.com OK
us...@example.net OK
.
user4...@example.net OK

TRANSPORT
user...@example.net :[172.16.1.200]
user...@example.net :[172.16.1.200]
user...@example.net :[172.16.1.200]
example.com :[172.16.1.1]
.example.com :[172.16.1.1]
example.net :[172.16.1.1]
.example.net :[172.16.1.1]
#* smtp:[smtp.example.int]


Could it be turned into two separate files?
1) no_exchange_account:
user...@example.net :[172.16.1.200]
user...@example.net :[172.16.1.200]
.
user...@example.net :[172.16.1.200]

2) transport:
example.com :[172.16.1.1]
.example.com :[172.16.1.1]
example.net :[172.16.1.1]
.example.net :[172.16.1.1]
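The following Python model is an added example, not code from this post or from Postfix. It models the RCPT TO policy the main.cf above expresses for a client outside mynetworks (reject_unauth_destination against relay_domains, then relay_recipient_maps, then transport_maps) and the transport(5) key order (user+extension@domain, user@domain, domain, then each parent domain with a leading dot), and checks that the two-file transport_maps layout the post proposes routes every address exactly like the single file. With several tables, Postfix tries each key in every table before moving to the next key, so the user@domain entry wins over the domain entry regardless of which file holds it. The user names, domains and next hops are constructed stand-ins for the post's elided entries; $mydestination local delivery is left out.

```python
# Constructed tables standing in for the elided lookup files in the post.
VIRTUAL_DOMAINS = {"example.com", "example.net"}            # relay_domains file
RELAY_RECIPIENTS = {"user1@example.com", "user2@example.com",  # relay_recipient_maps
                    "user3@example.net", "user400@example.net",
                    "user401@example.net"}
EXCHANGE, LEGACY = ":[172.16.1.1]", ":[172.16.1.200]"
NO_EXCHANGE_ACCOUNT = {"user400@example.net": LEGACY,
                       "user401@example.net": LEGACY}
TRANSPORT = {"example.com": EXCHANGE, ".example.com": EXCHANGE,
             "example.net": EXCHANGE, ".example.net": EXCHANGE}
TRANSPORT_SINGLE = {**NO_EXCHANGE_ACCOUNT, **TRANSPORT}     # one-file layout
TRANSPORT_SPLIT = [NO_EXCHANGE_ACCOUNT, TRANSPORT]          # two-file layout
RECIPIENT_DELIMITER = "+"


def split_address(address):
    """(local part, local part without extension, domain)."""
    local, _, domain = address.rpartition("@")
    return local, local.split(RECIPIENT_DELIMITER, 1)[0], domain


def transport_keys(address):
    """Keys transport(5) tries for one recipient, in order: the full address,
    the address without its +extension, the domain, then each parent domain
    with a leading dot ('.example.net' matches host.example.net, not example.net)."""
    local, base, domain = split_address(address)
    keys = [address]
    if base != local:
        keys.append("%s@%s" % (base, domain))
    keys.append(domain)
    dot = domain.find(".")
    while dot != -1:
        keys.append(domain[dot:])
        dot = domain.find(".", dot + 1)
    return keys


def resolve_transport(tables, address):
    """transport_maps with several tables: for each key in turn, every table is
    consulted in the listed order and the first hit wins."""
    for key in transport_keys(address):
        for table in tables:
            if key in table:
                return key, table[key]
    return None, None


def in_relay_domains(domain):
    """relay_domains matches the listed domains and their subdomains."""
    parts = domain.split(".")
    return any(".".join(parts[i:]) in VIRTUAL_DOMAINS for i in range(len(parts)))


def rcpt_decision(recipient, transport_tables):
    """RCPT TO outcome for a client outside mynetworks: the domain must be in
    relay_domains, the user must be in relay_recipient_maps (looked up with and
    without extension), and only then is a next hop chosen. Rejecting here,
    before the message is accepted, is what prevents accept-then-bounce."""
    local, base, domain = split_address(recipient)
    if not in_relay_domains(domain):
        return "reject", "relay access denied"
    if recipient not in RELAY_RECIPIENTS and \
            "%s@%s" % (base, domain) not in RELAY_RECIPIENTS:
        return "reject", "user unknown in relay recipient table"
    return "accept", resolve_transport(transport_tables, recipient)[1]


def same_routing(recipients, layout_a, layout_b):
    """True when both transport_maps layouts route every recipient alike."""
    return all(resolve_transport(layout_a, r) == resolve_transport(layout_b, r)
               for r in recipients)


if __name__ == "__main__":
    for rcpt in ("user400@example.net", "user1+tag@example.com",
                 "nobody@example.com", "user1@example.org"):
        print(rcpt, rcpt_decision(rcpt, TRANSPORT_SPLIT))
    print(same_routing(["user400@example.net", "user3@example.net",
                        "user1@host.example.com"],
                       [TRANSPORT_SINGLE], TRANSPORT_SPLIT))
```

Run as a script it prints the four decisions and `True` for the layout comparison. The model also shows why the `.example.com` lines matter: a recipient at host.example.com only reaches the `.example.com` key, never `example.com`.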


SMTP AUTH issue

2015-03-11 Thread Emmanuel Fusté

Hello,

On a heavily I/O-loaded Postfix (2.11.0) server, I've got this behavior:


=== Connected to x.x.x.x.
<-  220 xx.xx.xx ESMTP Postfix
 -> EHLO localhost
<-  250-xx.xx.xx
<-  250-PIPELINING
<-  250-SIZE 1024
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-AUTH CRAM-MD5 DIGEST-MD5
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> AUTH CRAM-MD5
<** 535 5.7.8 Error: authentication failed: Connection lost to
authentication server

*** No authentication type succeeded
 -> QUIT
<-  221 2.0.0 Bye

In mail.log:

Mar 10 16:36:58 x postfix/smtpd[20613]: connect from xx
Mar 10 16:37:04 x dovecot: auth: Debug: client in: 
AUTH#0111#011CRAM-MD5#011service=smtp#011nologin#011lip=x.x.x.x#011rip=x.x.x.x
Mar 10 16:37:08 x postfix/smtpd[20613]: warning: x.x.x[x.x.x.x]: SASL 
CRAM-MD5 authentication failed: Connection lost to authentication server
Mar 10 16:37:08 x postfix/smtpd[20613]: disconnect from x.x.x[x.x.x.x]
Mar 10 16:37:14 x dovecot: auth: Debug: client passdb out: .
Mar 10 16:39:07 x dovecot: auth: Warning: auth client 0 disconnected 
with 1 pending requests: Connection reset by peer

Ok, I have an I/O load problem with this server, but a 535 error code is too
much, I was expecting a 454 error code as stated in RFC2554.
As a workaround, I would like to increase the default Postfix authentication
server response timeout of 10 seconds, but it seems that this is hard-coded.

Relevant postfix SASL configuration:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_sender_login_maps = cdb:/etc/postfix/controlled_enveloppe_senders

So, am I missing something? Should the error return code be corrected in
Postfix? (And yes, my I/O load problem must be fixed...)

Best regards,
Emmanuel.



Tracking down www-data email sender

2015-03-11 Thread Robin Rowe

Wondering how to track down some emails being sent from WordPress.

I have mail.log entries that show www-data, that is, WordPress, is 
trying to send emails from an invalid subdomain. The machine did have 
this subdomain at some point, by the way. I turned on phpmail.log, but 
it doesn't give any clues beyond pointing to 
wp-includes/class-phpmailer.php.


Looking at the mail.log of the last www-data send, it says gmail has
shut the recipient's email address off because they're being hammered. 
The log also shows there are 5 sends in the same second for job 12446, 
like below.


Mar  9 02:21:04 goshtv postfix/qmgr[12446]: DCAF8461572:
from=www-d...@p2450473.pubip.goshtv.com, size=683, nrcpt=1 (queue active)

Why is Postfix trying to send the same message five times in a row?

Suggestions? How do I track it down?

Thanks!

Robin
--

from mail.log...
Mar  9 03:21:38 goshtv postfix/qmgr[12446]: E9E67460AE6:
from=ro...@screenplaylab.com, size=1768, nrcpt=1 (queue active)
Mar  9 03:21:38 goshtv postfix/qmgr[12446]: 366EF4610B9:
from=www-d...@p2450473.pubip.goshtv.com, size=698, nrcpt=1 (queue active)
Mar  9 03:21:38 goshtv postfix/smtp[20211]: connect to
gmail-smtp-in.l.google.com[2607:f8b0:400d:c0a::1b]:25: Network is
unreachable
Mar  9 03:21:38 goshtv postfix/smtp[20211]: 366EF4610B9: host
gmail-smtp-in.l.google.com[173.194.208.26] said: 450-4.2.1 The user you
are trying to contact is receiving mail at a rate that 450-4.2.1
prevents additional messages from being delivered. Please resend your
450-4.2.1 message at a later time. If the user is able to receive mail
at that 450-4.2.1 time, your message will be delivered. For more
information, please 450-4.2.1 visit 450 4.2.1
http://support.google.com/mail/bin/answer.py?answer=6592
f35si2786537qki.85 - gsmtp (in reply to RCPT TO command)



postscreen vs. fail2ban

2015-03-11 Thread Michael Fox
I haven't implemented postscreen yet, but plan to.  So this question is for
the postscreen experts here.

As I understand it from the documentation, postscreen protects postfix from
having to deal with most attack vectors, including higher volume attacks.
So, does it make sense to also use something like fail2ban to block IPs that
postscreen (or postfix) logs repeatedly as offenders?  Or is postscreen
sufficient to protect postfix?

Thanks much,

Michael



Re: postscreen vs. fail2ban

2015-03-11 Thread Noel Jones
On 3/11/2015 7:43 PM, Michael Fox wrote:
> I haven't implemented postscreen yet, but plan to.  So this question
> is for the postscreen experts here.
>
> As I understand it from the documentation, postscreen protects
> postfix from having to deal with most attack vectors, including
> higher volume attacks.  So, does it make sense to also use something
> like fail2ban to block IPs that postscreen (or postfix) logs
> repeatedly as offenders?  Or is postscreen sufficient to protect
> postfix?


The goal of postscreen is to reject zombies while using very few
system resources. Postscreen can reject thousands of connections per
minute without a significant drain on server performance, even on
modest hardware.

Also, zombies don't generally hammer away at a server; they make a
(relatively) few connections, and then move on to the next victim.
It's probably not worth the trouble to firewall them.

That's been my experience, your mileage may vary.

On the other hand, fail2ban may be useful for detecting SASL
dictionary attacks. It's not unreasonable to block an IP for a
period of time after XX failed AUTH attempts.

Anyway, feel free to experiment if you want.  I don't think it will
help much, but it probably won't break anything.


  -- Noel Jones
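An added example (Python, not code from this thread or from fail2ban) of the counting Noel describes: a sliding-window tally of "SASL ... authentication failed" warnings per client IP, in the smtpd log format shown in the SMTP AUTH thread on this page. It deliberately does not count failures whose reason is "Connection lost to authentication server", the symptom from that thread: during an auth-backend outage every client fails, and a counter that cannot tell that apart from a dictionary attack would lock out legitimate users. The log lines, host name, addresses and the 2015 year used to parse syslog timestamps are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# smtpd's SASL failure warning, in the format seen in the SMTP AUTH thread.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed: "
    r"(?P<reason>.*)$")

# Reasons that describe the server's own auth backend, not the client.
BACKEND_REASONS = ("Connection lost to authentication server",)


def _line(ts, ip, reason, mech="LOGIN"):
    """Build one constructed sample log line."""
    return ("%s mx postfix/smtpd[1234]: warning: unknown[%s]: SASL %s "
            "authentication failed: %s" % (ts, ip, mech, reason))


# Constructed sample log (not from the thread), in chronological order.
SAMPLE_LOG = (
    [_line("Mar 11 19:00:%02d" % s, "192.0.2.99", "authentication failure")
     for s in (1, 2, 3, 4)]                                   # 4 old failures
    + ["Mar 11 20:00:01 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]"]
    + [_line("Mar 11 20:00:%02d" % s, "192.0.2.10", "authentication failure")
       for s in (5, 12, 20, 33, 41)]                          # 5 in 36 seconds
    + [_line("Mar 11 20:02:%02d" % s, "198.51.100.7", "authentication failure")
       for s in (0, 30)]                                      # only 2
    + [_line("Mar 11 20:05:%02d" % s, "203.0.113.5",
             "Connection lost to authentication server", "CRAM-MD5")
       for s in range(0, 60, 10)]                             # backend trouble
    + [_line("Mar 11 20:30:00", "192.0.2.99", "authentication failure")]
)


def parse_failure(line, year=2015):
    """(timestamp, ip, mechanism, reason) for a SASL failure line, else None.
    Syslog lines carry no year, so one is assumed."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["mech"], m["reason"]


def find_offenders(lines, threshold=5, window_seconds=600):
    """Sliding-window count of client-caused SASL failures per IP.
    Returns ({ip: time the threshold was crossed}, backend failures ignored)."""
    recent = defaultdict(deque)
    offenders = {}
    ignored = 0
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, _mech, reason = parsed
        if reason.startswith(BACKEND_REASONS):
            ignored += 1          # not the client's fault: do not count it
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()      # drop failures older than the window
        if len(window) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders, ignored


if __name__ == "__main__":
    found, skipped = find_offenders(SAMPLE_LOG)
    for ip, when in found.items():
        print("block %s (threshold reached at %s)" % (ip, when.isoformat()))
    print("backend-side failures ignored:", skipped)
```

Only 192.0.2.10 crosses the threshold; 192.0.2.99 does not, because its four old failures have left the window by the time the fifth arrives, and 203.0.113.5 is never counted. The same distinction is why the patch in the SMTP AUTH thread would ideally also change the logged text for the temporary case, not just the SMTP reply.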


Re: postscreen vs. fail2ban

2015-03-11 Thread Wietse Venema
Michael Fox:
> I haven't implemented postscreen yet, but plan to.  So this question is for
> the postscreen experts here.
>
> As I understand it from the documentation, postscreen protects postfix from
> having to deal with most attack vectors, including higher volume attacks.
> So, does it make sense to also use something like fail2ban to block IPs that
> postscreen (or postfix) logs repeatedly as offenders?  Or is postscreen
> sufficient to protect postfix?

I would not bother, except in extreme cases where the same IP address
makes thousands and thousands of connections.

Wietse


Re: Tracking down www-data email sender

2015-03-11 Thread Viktor Dukhovni
On Wed, Mar 11, 2015 at 09:13:45PM -0700, Robin Rowe wrote:

> Wondering how to track down some emails being sent from WordPress.

Freeze them in the queue, and examine with postcat -q queue-id.

> Looking at the mail.log of the last www-data send, it says gmail has
> shut the recipient's email address off because they're being hammered. The
> log also shows there are 5 sends in the same second for job 12446, like
> below.

The same queue manager process is expected to handle multiple
messages (in fact all messages until Postfix is restarted or
reloaded).

> Mar  9 02:21:04 goshtv postfix/qmgr[12446]: DCAF8461572:
> from=www-d...@p2450473.pubip.goshtv.com, size=683, nrcpt=1 (queue active)
>

The logs you want are the pickup logs, not the qmgr logs.

Configure pickup to send mail via an extra SMTP hop that puts
all mail from www-data on hold:

pickup-sender:
www-data@   HOLD CGI form exploit

# postmap pickup-sender

main.cf:
indexed = ${default_database_type}:${config_directory}/
pickup_sender_restrictions =
    check_sender_access ${indexed}pickup-sender

master.cf:
# Modify:
pickup    unix  n       -       n       60      1       pickup
    -o content_filter=smtp:[127.0.0.1]:2525

# Add:
127.0.0.1:2525 inet  n       -       n       -       -       smtpd
    -o smtpd_sender_restrictions=$pickup_sender_restrictions

# postfix reload

Then look for logs indicating mail being placed on HOLD,
and:

# postcat -bhq queue-id

-- 
Viktor.