Re: postscreen feature request
Kovács Albert:
> On Tuesday, March 10, 2015 1:42 PM, Wietse Venema wie...@porcupine.org wrote:
> > > I'm not sure how one (type of) dns query is a performance concern, and another is not, see below.
> >
> > You see no performance difference between querying a small number of well-operated DNS servers that are chosen by the local sysadmin, versus random DNS servers all over the Internet that are determined by the sender's IP address?
>
> this isn't exactly what i wrote :-)
> Obviously querying PTR records may take some time. However, smtpd also needs the PTR record to perform some DNS tests, so sooner or later you need the query.

If everything smtpd did was OK for postscreen, then we would not need postscreen.

	Wietse
Re: SMTP AUTH issue
On Wed, Mar 11, 2015 at 01:41:00PM +0100, Emmanuel Fusté wrote:
> Hello,
> On a heavily I/O-loaded Postfix (2.11.0) server, I've got this behavior:
>
> 535 5.7.8 Error: authentication failed: Connection lost to authentication server
>
> Mar 10 16:37:08 x postfix/smtpd[20613]: warning: x.x.x[x.x.x.x]: SASL CRAM-MD5 authentication failed: Connection lost to authentication server
>
> Ok, I have an I/O load problem with this server, but a 535 error code is too much; I was expecting a 454 error code as stated in RFC2554.

A complete solution would require handling similar problems for Cyrus SASL, but I never got a meaningful response to:

http://archives.neohapsis.com/archives/postfix/2008-12/0405.html
https://www.mail-archive.com/postfix-users@postfix.org/msg56129.html

You could try the patch below and report your results (presumably for Dovecot). It would be nice to have confirmation for Cyrus also.

-- 
	Viktor.

diff --git a/src/xsasl/xsasl.h b/src/xsasl/xsasl.h --- a/src/xsasl/xsasl.h +++ b/src/xsasl/xsasl.h @@ -121,6 +121,7 @@ extern ARGV *xsasl_client_types(void); #define XSASL_AUTH_DONE3 /* Authentication completed */ #define XSASL_AUTH_FORM4 /* Cannot decode response */ #define XSASL_AUTH_FAIL5 /* Error */ +#define XSASL_AUTH_TEMP6 /* Temporary error condition */ /* LICENSE /* .ad diff --git a/src/smtpd/smtpd_sasl_glue.c b/src/smtpd/smtpd_sasl_glue.c --- a/src/smtpd/smtpd_sasl_glue.c +++ b/src/smtpd/smtpd_sasl_glue.c @@ -316,8 +316,12 @@ int smtpd_sasl_authenticate(SMTPD_STATE *state, state-namaddr, sasl_method, STR(state-sasl_reply)); /* RFC 4954 Section 6. */ - smtpd_chat_reply(state, 535 5.7.8 Error: authentication failed: %s, -STR(state-sasl_reply)); + if (status == XSASL_AUTH_TEMP) + smtpd_chat_reply(state, 454 4.7.0 Temporary authentication failure: %s, +STR(state-sasl_reply)); + else + smtpd_chat_reply(state, 535 5.7.8 Error: authentication failed: %s, +STR(state-sasl_reply)); return (-1); } /* RFC 4954 Section 6. */ 
diff --git a/src/xsasl/xsasl_cyrus_server.c b/src/xsasl/xsasl_cyrus_server.c --- a/src/xsasl/xsasl_cyrus_server.c +++ b/src/xsasl/xsasl_cyrus_server.c @@ -474,7 +474,13 @@ static int xsasl_cyrus_server_auth_response(int sasl_status, if (sasl_status == SASL_NOUSER) /* privacy */ sasl_status = SASL_BADAUTH; vstring_strcpy(reply, xsasl_cyrus_strerror(sasl_status)); - return (XSASL_AUTH_FAIL); + switch (sasl_status) { + case SASL_TRYAGAIN: + case SASL_UNAVAIL: + return XSASL_AUTH_TEMP; + default: + return (XSASL_AUTH_FAIL); + } } } diff --git a/src/xsasl/xsasl_dovecot_server.c b/src/xsasl/xsasl_dovecot_server.c --- a/src/xsasl/xsasl_dovecot_server.c +++ b/src/xsasl/xsasl_dovecot_server.c @@ -598,7 +598,7 @@ static int xsasl_dovecot_handle_reply(XSASL_DOVECOT_SERVER *server, } vstring_strcpy(reply, Connection lost to authentication server); -return XSASL_AUTH_FAIL; +return XSASL_AUTH_TEMP; } /* is_valid_base64 - input sanitized */
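Review bot: the new `XSASL_AUTH_TEMP` status in the xsasl.h hunk carries only the comment `/* Temporary error condition */`; since any xsasl server backend may now return it and callers must map it to a 4xx reply rather than the 5xx used for `XSASL_AUTH_FAIL`, the comment should state that contract, otherwise a backend or caller not updated in this patch keeps treating a temporary condition as a permanent failure.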
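Review bot: in the smtpd_sasl_glue.c hunk the warning emitted just before the reply (its argument list `state->namaddr, sasl_method, STR(state->sasl_reply)` is the hunk's leading context) is left unchanged, so an auth-backend outage is still logged as a failed authentication attributed to the client; logging the `XSASL_AUTH_TEMP` case with distinct wording would keep per-client failure counters (the fail2ban idea discussed elsewhere on this page) from penalising legitimate users while Dovecot is unreachable. The `454 4.7.0 Temporary authentication failure` reply text itself matches RFC 4954 section 6.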
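Review bot: style nit in the xsasl_cyrus_server.c hunk: `return XSASL_AUTH_TEMP;` drops the parentheses the surrounding code uses (`return (XSASL_AUTH_FAIL);` in the default branch of the same switch). The logic reads correctly: the switch runs after the `SASL_NOUSER` to `SASL_BADAUTH` privacy rewrite, so that rewrite still applies and only `SASL_TRYAGAIN` and `SASL_UNAVAIL` become temporary.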
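Review bot: the xsasl_dovecot_server.c hunk reclassifies only the connection-lost path in xsasl_dovecot_handle_reply(); every other failure this function reports still returns `XSASL_AUTH_FAIL`, so if the Dovecot auth protocol can mark a failure as temporary that case would still produce a 535 and is worth checking while the function is being touched.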
Re: About table search order: not to query 'user+extens...@domain.ltd'
On Thu, Mar 12, 2015 at 12:03 AM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> You may well be able to do something with advanced SQL string manipulation to short-circuit queries that contain +.
>
>     SELECT result FROM table WHERE key = '%u@%d' AND key NOT LIKE '%%+%%'
>
> An SQL server may well optimize that query away when the key contains a + and not do any disk I/O.

In this case, SQL is flexible. But is there any solution for an LDAP table? We cannot do this in an LDAP query filter.

Again, thanks for your help. :)
Re: About table search order: not to query 'user+extens...@domain.ltd'
On Thu, Mar 12, 2015 at 12:07:49AM +0800, Zhang Huangbin wrote:
> > An SQL server may well optimize that query away when the key contains a + and not do any disk I/O.
>
> In this case, SQL is flexible. But is there any solution for an LDAP table? We cannot do this in an LDAP query filter.

No.

-- 
	Viktor.
Re: About table search order: not to query 'user+extens...@domain.ltd'
On Wed, Mar 11, 2015 at 11:46 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> Not at present. You can only suppress lookups for bare keys, which can happen when the domain is $myorigin or matches $mydestination, by interpolating the lookup key into the query via '%u@%d' instead of '%s'. That will filter out keys with no @domain part.

Thanks Viktor. :)

I'm afraid that '%u' doesn't work; it still has '+extension' in the query. For example:

*) Part of my testing LDAP lookup file:

    query_filter = (mail=%u@%d)

*) Testing with 'postmap':

    # postmap -v -q 'postmaster+...@mydomain.ltd' ldap:./my_ldap_file.cf
    ...
    postmap: dict_ldap_lookup: ./my_ldap_file.cf: Searching with filter (mail=postmaster+...@mydomain.ltd)
    ...

As you can see, '%u' doesn't drop the extension '+abc' in my test. Anything wrong in my testing?
About table search order: not to query 'user+extens...@domain.ltd'
Dear all,

According to the Postfix document virtual(8), 'user+extens...@domain.ltd' is looked up first, then 'u...@domain.ltd'. Is it possible to skip/ignore the address extension and just query 'u...@domain.ltd'? (By the way, I want to ignore the extension in SQL/LDAP lookups.)

Thanks for your time and help. :)

TABLE SEARCH ORDER
    ...
    The search order is as follows. The search stops upon the first successful lookup.

    o When the recipient has an optional address extension the user+extens...@domain.tld address is looked up first.

    o The u...@domain.tld address, without address extension, is looked up next.
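As an added illustration for this thread (not code from Postfix or from any poster), the Python model below walks the virtual(8) search order for a recipient, including the @domain fallback that virtual(8) lists after the two steps quoted above, and shows what Viktor's SQL short-circuit (`key NOT LIKE '%+%'`) saves and what it costs. The table contents and the `no_extension_keys` filter are constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed virtual alias table standing in for an SQL/LDAP backend
# (example data, not from the original thread).
VIRTUAL_TABLE: Dict[str, str] = {
    "postmaster@mydomain.ltd": "admin@mydomain.ltd",
    "sales+urgent@mydomain.ltd": "oncall@mydomain.ltd",   # per-extension alias
    "@mydomain.ltd": "catchall@mydomain.ltd",
}


def search_keys(recipient: str, delimiter: str = "+") -> List[str]:
    """Keys in the order virtual(8) tries them: user+extension@domain
    (only when there is an extension), user@domain, then the @domain wildcard."""
    local, _, domain = recipient.partition("@")
    keys: List[str] = []
    if delimiter and delimiter in local:
        keys.append(recipient)
        local = local.split(delimiter, 1)[0]          # strip "+extension"
    keys.append(f"{local}@{domain}")
    keys.append(f"@{domain}")
    return keys


def no_extension_keys(key: str) -> bool:
    """Backend-side stand-in for '... AND key NOT LIKE %+%': a key that still
    carries an extension is answered empty without touching the table."""
    return "+" not in key


def lookup(recipient: str, table: Dict[str, str],
           backend_filter: Optional[Callable[[str], bool]] = None
           ) -> Tuple[Optional[str], List[str], List[str]]:
    """Run the search order, stopping at the first hit. Returns
    (result, keys Postfix sent to the backend, keys the backend really scanned)
    so the saved work is visible."""
    sent: List[str] = []
    scanned: List[str] = []
    for key in search_keys(recipient):
        sent.append(key)                              # Postfix still issues the query
        if backend_filter is not None and not backend_filter(key):
            continue                                  # backend short-circuits it
        scanned.append(key)
        if key in table:
            return table[key], sent, scanned
    return None, sent, scanned


if __name__ == "__main__":
    # Without the filter both keys are scanned; with it only the bare address is.
    print(lookup("postmaster+abc@mydomain.ltd", VIRTUAL_TABLE))
    print(lookup("postmaster+abc@mydomain.ltd", VIRTUAL_TABLE, no_extension_keys))
    # The cost: a per-extension alias can no longer match and falls to the wildcard.
    print(lookup("sales+urgent@mydomain.ltd", VIRTUAL_TABLE, no_extension_keys))
```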
Re: Discussion about SPF signatures / Email security.
> Subject: Citizens Bank - Account Balance Threshold Notification
>
> You requested to be notified when your balance for Account xx is above $.00. Logon to Online Banking at http://www.citizensbank.com to view your balance information, transfer funds or pay bills.

Your bank sends you an email that actually _*CONTAINS*_ information about your account. There is enough information in the above one line of the email to make you the target of every scammer on the planet!

As to the link, I would have expected it to be at least https.

As to the URL, I get at least one email a week that tells me to go to xyz company site to track a package, check my bank account, arrange a delivery, send my son money... all of which take me to fake web sites. Some of them are really good imitations, some of them should learn to spell before trying it on. The only consistent thing about them is that none of them is ever legit.

I suggest that you should start to lobby your bank to tighten up its security practices.

John
email from banks
On 11 Mar 2015, at 11:07, John j...@klam.ca wrote:
> Your bank sends you an email that actually CONTAINS information about your account

This discussion is not relevant to postfix. Could you please take it elsewhere? Thanks.
Email gateway configuration
Hi, everyone!

I need to build an email gateway that will forward emails to users in our internal Exchange. But some need to be forwarded to our old Linux-based external server instead. Reading the Postfix documentation and examples I was able to find on the web, I was still left a bit confused and was hoping someone would take the time to clear things up. I'm using Postfix 2.9.

I'm able to get a big chunk of our users via LDAP (query done by another machine that pushes the list with a cron job to the gateway machine). The gateway machine will monitor the file change and add new entries to the file for the relay_recipient_maps directive and postmap /path/to/file. The Linux-based server's user list rarely changes and I manage adding them by hand (at this moment).

Correct me if I've misunderstood in saying this is only a check whether an entry (user email) exists; relay_domains lists the domains the gateway machine is willing to relay (e.g. if example.biz is not listed, it will never be taken into consideration for relaying via the gateway) and relay_transport is a routing table about which server an email should be sent to. In my case I have used transport_maps instead, because it overrides/supersedes the relay_transport directive. (Question 1) Have I gotten the gist?

So finally we get to the main question. (Question 2) Is there any other and perhaps more reasonable way of forwarding emails to users that do not exist in Exchange (172.16.1.1) without adding lines to the /etc/postfix/transport file? Maybe list non-Exchange users in another file and add it to transport_maps, i.e. transport_maps = hash:/etc/postfix/no_exchange_account, hash:/etc/postfix/transport. Are the lookups done in the order they are listed? I am assuming having a couple of thousand entries in these lookup tables is performance-wise a non-issue? Especially compared to storing them in a MySQL database?

(Question 3) Also, will/could this setup create backscatter?
Any other tips, links to tutorials and suggestions would be highly appreciated.

MAIN.CF

mydomain = example.com
myhostname = gateway
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = gateway.example.com, gateway, localhost.localdomain, localhost

#DISABLES LOCAL DELIVERY
#mydestination =
#local_recipient_maps =
#myorigin = example.com

LINES IN QUESTION

#List of user emails which are accepted for relaying
relay_recipient_maps = hash:/etc/postfix/relay_recipients

#Possible solution, when disabling local delivery but still forward postmaster, abuse emails to admins
#virtual_alias_domains = hash:/etc/postfix/virtual_domains
#virtual_alias_maps = hash:/etc/postfix/virtual

#destination domains (and subdomains thereof) this system will relay mail to
#we accept example.com ,example.net
relay_domains = $mydestination, hash:/etc/postfix/virtual_domains

#routing
transport_maps = hash:/etc/postfix/transport
relayhost =
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 195.222.6.0/26 172.16.1.0/24
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#IPv4/IPv6 support
inet_protocols = all
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes

### RESTRICTIONS
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_client_hostname,
    permit
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    #blocked senders
    hash:/etc/postfix/access_blacklist,
    permit
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    RBLs,
    permit

LOOKUP FILES:

VIRTUAL_DOMAINS:
example.com #official domain
example.net #old domain

RELAY_RECIPIENTS - mainly to keep inbound traffic to a minimum (email to users that do not exist in our system is rejected):
#USERS - info gathered with LDAP and exceptions by hand
us...@example.com OK
us...@example.com OK
us...@example.net OK
.
user4...@example.net OK

TRANSPORT
user...@example.net :[172.16.1.200]
user...@example.net :[172.16.1.200]
user...@example.net :[172.16.1.200]
example.com :[172.16.1.1]
.example.com :[172.16.1.1]
example.net :[172.16.1.1]
.example.net :[172.16.1.1]
#* smtp:[smtp.example.int]

Could it be turned into two separate files?

1) no_exchange_account:
user...@example.net :[172.16.1.200]
user...@example.net :[172.16.1.200]
.
user...@example.net :[172.16.1.200]

2) transport:
example.com :[172.16.1.1]
.example.com :[172.16.1.1]
example.net :[172.16.1.1]
.example.net :[172.16.1.1]
SMTP AUTH issue
Hello,

On a heavily I/O-loaded Postfix (2.11.0) server, I've got this behavior:

===
Connected to x.x.x.x.
- 220 xx.xx.xx ESMTP Postfix
- EHLO localhost
- 250-xx.xx.xx
- 250-PIPELINING
- 250-SIZE 1024
- 250-VRFY
- 250-ETRN
- 250-STARTTLS
- 250-AUTH CRAM-MD5 DIGEST-MD5
- 250-ENHANCEDSTATUSCODES
- 250-8BITMIME
- 250 DSN
- AUTH CRAM-MD5
** 535 5.7.8 Error: authentication failed: Connection lost to authentication server
*** No authentication type succeeded
- QUIT
- 221 2.0.0 Bye

In mail.log:

Mar 10 16:36:58 x postfix/smtpd[20613]: connect from xx
Mar 10 16:37:04 x dovecot: auth: Debug: client in: AUTH#0111#011CRAM-MD5#011service=smtp#011nologin#011lip=x.x.x.x#011rip=x.x.x.x
Mar 10 16:37:08 x postfix/smtpd[20613]: warning: x.x.x[x.x.x.x]: SASL CRAM-MD5 authentication failed: Connection lost to authentication server
Mar 10 16:37:08 x postfix/smtpd[20613]: disconnect from x.x.x[x.x.x.x]
Mar 10 16:37:14 x dovecot: auth: Debug: client passdb out: .
Mar 10 16:39:07 x dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer

Ok, I have an I/O load problem with this server, but a 535 error code is too much; I was expecting a 454 error code as stated in RFC2554.

As a workaround, I would like to increase the default Postfix authentication server response timeout of 10 seconds, but it seems that this is hard-coded.

Relevant Postfix SASL configuration:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_sender_login_maps = cdb:/etc/postfix/controlled_enveloppe_senders

So, am I missing something? Should the error return code be corrected in Postfix? (And yes, my I/O load problem must be fixed...)

Best regards,
Emmanuel.
Tracking down www-data email sender
Wondering how to track down some emails being sent from WordPress.

I have mail.log entries that show www-data, that is, WordPress, is trying to send emails from an invalid subdomain. The machine did have this subdomain at some point, by the way. I turned on phpmail.log, but it doesn't give any clues beyond pointing to wp-includes/class-phpmailer.php.

Looking at the mail.log of the last www-data send, it says gmail has shut the recipient's email address off because they're being hammered. The log also shows there are 5 sends in the same second for job 12446, like below.

Mar 9 02:21:04 goshtv postfix/qmgr[12446]: DCAF8461572: from=www-d...@p2450473.pubip.goshtv.com, size=683, nrcpt=1 (queue active)

Why is Postfix trying to send the same message five times in a row? Suggestions? How do I track it down?

Thanks!

Robin

-- from mail.log...

Mar 9 03:21:38 goshtv postfix/qmgr[12446]: E9E67460AE6: from=ro...@screenplaylab.com, size=1768, nrcpt=1 (queue active)
Mar 9 03:21:38 goshtv postfix/qmgr[12446]: 366EF4610B9: from=www-d...@p2450473.pubip.goshtv.com, size=698, nrcpt=1 (queue active)
Mar 9 03:21:38 goshtv postfix/smtp[20211]: connect to gmail-smtp-in.l.google.com[2607:f8b0:400d:c0a::1b]:25: Network is unreachable
Mar 9 03:21:38 goshtv postfix/smtp[20211]: 366EF4610B9: host gmail-smtp-in.l.google.com[173.194.208.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 http://support.google.com/mail/bin/answer.py?answer=6592 f35si2786537qki.85 - gsmtp (in reply to RCPT TO command)
postscreen vs. fail2ban
I haven't implemented postscreen yet, but plan to. So this question is for the postscreen experts here.

As I understand it from the documentation, postscreen protects postfix from having to deal with most attack vectors, including higher volume attacks. So, does it make sense to also use something like fail2ban to block IPs that postscreen (or postfix) logs repeatedly as offenders? Or is postscreen sufficient to protect postfix?

Thanks much,
Michael
Re: postscreen vs. fail2ban
On 3/11/2015 7:43 PM, Michael Fox wrote:
> I haven't implemented postscreen yet, but plan to. So this question is for the postscreen experts here.
>
> As I understand it from the documentation, postscreen protects postfix from having to deal with most attack vectors, including higher volume attacks. So, does it make sense to also use something like fail2ban to block IPs that postscreen (or postfix) logs repeatedly as offenders? Or is postscreen sufficient to protect postfix?

The goal of postscreen is to reject zombies while using very few system resources. Postscreen can reject thousands of connections per minute without a significant drain on server performance, even on modest hardware. Also, zombies don't generally hammer away at a server; they make a (relatively) few connections, and then move on to the next victim. It's probably not worth the trouble to firewall them. That's been my experience, your mileage may vary.

On the other hand, fail2ban may be useful for detecting SASL dictionary attacks. It's not unreasonable to block an IP for a period of time after XX failed AUTH attempts.

Anyway, feel free to experiment if you want. I don't think it will help much, but it probably won't break anything.

-- 
Noel Jones
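An added example of the SASL-failure counting Noel describes (not code from his post, from Postfix or from fail2ban): a fail2ban-style sliding window over smtpd's `SASL ... authentication failed` warnings. It also handles the failure mode reported in the SMTP AUTH thread on this page, where a dead auth backend makes smtpd log every client as failed; those lines are excluded so an outage does not get legitimate users banned. The log lines, hosts and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable

# The warning smtpd logs for every failed AUTH; the trailing reason text
# separates a wrong password from a broken auth backend.
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed: "
    r"(?P<reason>.*)$"
)
# Reasons that mean the auth server failed, not the client; counting these
# would ban legitimate users for the duration of a backend outage.
SERVER_SIDE = ("Connection lost to authentication server",)


def parse_ts(ts: str, year: int = 2015) -> datetime:
    """Syslog timestamps carry no year; the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def offenders(lines: Iterable[str], maxretry: int = 5,
              findtime: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """fail2ban-style sliding window: report each IP that reaches maxretry
    client-side SASL failures within findtime, with the time it did so."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m or m["reason"].startswith(SERVER_SIDE):
            continue                                   # not a client failure
        ip, now = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(now)
        while now - window[0] > findtime:              # forget old failures
            window.popleft()
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = now
    return flagged


# Constructed sample log: a password-guessing client (203.0.113.7) and a
# legitimate one (198.51.100.20) caught by an auth-server outage.
SAMPLE_LOG = """\
Mar 11 20:00:01 mx postfix/smtpd[4101]: connect from unknown[203.0.113.7]
Mar 11 20:00:02 mx postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 11 20:00:05 mx postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 11 20:00:09 mx postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 11 20:00:14 mx postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 11 20:00:20 mx postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 11 20:01:00 mx postfix/smtpd[4102]: warning: laptop.example.net[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Mar 11 20:01:30 mx postfix/smtpd[4102]: warning: laptop.example.net[198.51.100.20]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 11 20:01:45 mx postfix/smtpd[4103]: warning: laptop.example.net[198.51.100.20]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 11 20:01:50 mx postfix/smtpd[4103]: warning: laptop.example.net[198.51.100.20]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 11 20:01:55 mx postfix/smtpd[4103]: warning: laptop.example.net[198.51.100.20]: SASL LOGIN authentication failed: Connection lost to authentication server
""".splitlines()
```

Running `offenders(SAMPLE_LOG)` flags only 203.0.113.7; the laptop's five warnings count as one client-side failure because the other four name the auth server as the cause.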
Re: postscreen vs. fail2ban
Michael Fox:
> I haven't implemented postscreen yet, but plan to. So this question is for the postscreen experts here.
>
> As I understand it from the documentation, postscreen protects postfix from having to deal with most attack vectors, including higher volume attacks. So, does it make sense to also use something like fail2ban to block IPs that postscreen (or postfix) logs repeatedly as offenders? Or is postscreen sufficient to protect postfix?

I would not bother, except in extreme cases where the same IP address makes thousands and thousands of connections.

	Wietse
Re: Tracking down www-data email sender
On Wed, Mar 11, 2015 at 09:13:45PM -0700, Robin Rowe wrote:
> Wondering how to track down some emails being sent from WordPress.

Freeze them in the queue, and examine with postcat -q queue-id.

> Looking at the mail.log of the last www-data send, it says gmail has shut the recipient's email address off because they're being hammered. The log also shows there are 5 sends in the same second for job 12446, like below.

The same queue manager process is expected to handle multiple messages (in fact all messages until Postfix is restarted or reloaded).

> Mar 9 02:21:04 goshtv postfix/qmgr[12446]: DCAF8461572: from=www-d...@p2450473.pubip.goshtv.com, size=683, nrcpt=1 (queue active)

The logs you want are the pickup logs, not the qmgr logs. Configure pickup to send mail via an extra SMTP hop that puts all mail from www-data on hold:

pickup-sender:
    www-data@ HOLD CGI form exploit
# postmap pickup-sender

main.cf:
    indexed = ${default_database_type}:${config_directory}/
    pickup_sender_restrictions = check_sender_access ${indexed}pickup-sender

master.cf:
    # Modify:
    pickup unix n - n 60 1 pickup
        -o content_filter=smtp:[127.0.0.1]:2525
    # Add:
    127.0.0.1:2525 inet n - n - - smtpd
        -o smtpd_sender_restrictions=$pickup_sender_restrictions
# postfix reload

Then look for logs indicating mail being placed on HOLD, and:

# postcat -bhq queue-id

-- 
	Viktor.
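To make the qmgr point concrete (an added example, not code from this thread or from Postfix): the script below groups mail.log lines by queue ID instead of by the `qmgr[pid]` number, so "five sends in one second" resolve into five distinct messages from one envelope sender, each with its own delivery outcome. The log lines follow the page's format but are constructed; hosts, addresses and queue IDs are placeholders.

```python
import re
from collections import defaultdict
from typing import Dict

# Postfix logs "postfix/<daemon>[<pid>]: <QUEUEID>: ...". The bracketed number
# (12446 in the post) is the qmgr process ID, shared by every message it
# handles; the hex token after it is the per-message queue ID.
LOG_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+ \S+) \S+ postfix/(?P<daemon>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<qid>[0-9A-F]{8,}): (?P<rest>.*)$"
)
FROM_RE = re.compile(r"\bfrom=<?(?P<addr>[^<>,\s]*)>?")     # with or without <>
SAID_RE = re.compile(r"\bsaid: (?P<code>\d{3})[- ]")         # remote SMTP reply


def trace(log: str) -> Dict[str, dict]:
    """Per queue ID: envelope sender (qmgr line), the daemon/PID pairs that
    touched the message, and the remote reply code if a delivery was logged."""
    msgs: Dict[str, dict] = defaultdict(
        lambda: {"pids": set(), "from": None, "reply": None})
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # no queue ID, e.g. "connect to ...: Network is unreachable"
        rec = msgs[m["qid"]]
        rec["pids"].add((m["daemon"], int(m["pid"])))
        if m["daemon"] == "qmgr":
            fm = FROM_RE.search(m["rest"])
            if fm:
                rec["from"] = fm["addr"]
        elif m["daemon"] == "smtp":
            sm = SAID_RE.search(m["rest"])
            if sm:
                rec["reply"] = int(sm["code"])
    return dict(msgs)


def messages_per_sender(log: str) -> Dict[str, int]:
    """Distinct messages (queue IDs) per sender: what one qmgr PID logging
    several 'queue active' lines in the same second actually represents."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in trace(log).values():
        if rec["from"] is not None:
            counts[rec["from"]] += 1
    return dict(counts)


# Constructed sample log in the page's format (placeholder names throughout).
SAMPLE_LOG = """\
Mar  9 03:21:38 mx postfix/qmgr[12446]: 0A1B2C3D4E1: from=<www-data@host.example.test>, size=698, nrcpt=1 (queue active)
Mar  9 03:21:38 mx postfix/qmgr[12446]: 0A1B2C3D4E2: from=<www-data@host.example.test>, size=701, nrcpt=1 (queue active)
Mar  9 03:21:38 mx postfix/qmgr[12446]: 0A1B2C3D4E3: from=<www-data@host.example.test>, size=699, nrcpt=1 (queue active)
Mar  9 03:21:38 mx postfix/qmgr[12446]: 0A1B2C3D4E4: from=<www-data@host.example.test>, size=702, nrcpt=1 (queue active)
Mar  9 03:21:38 mx postfix/qmgr[12446]: 0A1B2C3D4E5: from=<www-data@host.example.test>, size=700, nrcpt=1 (queue active)
Mar  9 03:21:38 mx postfix/qmgr[12446]: 0B2C3D4E5F6: from=<robin@example.test>, size=1768, nrcpt=1 (queue active)
Mar  9 03:21:38 mx postfix/smtp[20211]: connect to mx.example.test[2001:db8::25]:25: Network is unreachable
Mar  9 03:21:39 mx postfix/smtp[20211]: 0A1B2C3D4E1: host mx.example.test[192.0.2.25] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450 4.2.1 prevents additional messages from being delivered. (in reply to RCPT TO command)
"""
```

Each queue ID from `trace()` is what you would hand to `postcat -q` (or, after the HOLD setup above, `postcat -bhq`) to read the message itself.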