PATCH: rcpt count mismatch with Milter

2016-03-11 Thread Wietse Venema
Wietse Venema:
> Jörg Backschues:
> > Am 09.03.2016 um 01:20 schrieb Wietse Venema:
> > 
> > > How many recipients are there before the bcc action?
> > 
> > I've verified the issue with one recipient only and multiple recipients.
> > 
> > > That would be a bug. I'd appreciate it if you could run the cleanup
> > > server with the -v action and log what Postfix and batv-milter are
> > > saying to each other. That would save me the time to duplicate your
> > > setup.
> > 
> > The batv-milter log shows no errors.
> > 
> > cleanup-v has been enabled:
> > 
> 
> Thanks. This should be sufficient to reproduce what happens.

This is a minimal patch to fix the issue. It does not include the
tests that I added to verify that the problem is fixed.

Wietse

20160310

Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM
(replace sender) request lost the sender_bcc_maps address.
Fixed by moving some record keeping to the sender output
function.

diff -ur '--exclude=*.in*' '--exclude=*.ref*' 
/var/tmp/postfix-3.2-20160224/src/cleanup/cleanup_addr.c 
src/cleanup/cleanup_addr.c
--- /var/tmp/postfix-3.2-20160224/src/cleanup/cleanup_addr.c2015-01-27 
14:33:29.0 -0500
+++ src/cleanup/cleanup_addr.c  2016-03-11 08:15:45.768039070 -0500
@@ -81,6 +82,7 @@
 /* Global library. */
 
 #include 
+#include 
 #include 
 #include 
 #include 
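Review bot: the header name in the added `#include` line is missing from the rendered patch (the angle-bracket contents were stripped), so a reader cannot tell which header this hunk pulls in; the code moved into this file calls rec_pad() and uses REC_TYPE_PTR_PAYL_SIZE, so please confirm the include is the one that declares those. The hunk header `@@ -81,6 +82,7 @@` also records a one-line insertion earlier in the new file that the posted diff does not show.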
@@ -101,10 +103,13 @@
 
 /* cleanup_addr_sender - process envelope sender record */
 
-voidcleanup_addr_sender(CLEANUP_STATE *state, const char *buf)
+off_t   cleanup_addr_sender(CLEANUP_STATE *state, const char *buf)
 {
+const char myname[] = "cleanup_addr_sender";
 VSTRING *clean_addr = vstring_alloc(100);
+off_t   after_sender_offs = 0;
 const char *bcc;
+size_t  len;
 
 /*
  * Note: an unqualified envelope address is for all practical purposes
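Review bot: changing the return type of cleanup_addr_sender() from void to off_t turns every caller into a compile error until it is updated; this patch updates the cleanup_envelope.c caller and the cleanup.h prototype, but the one-line comment above the function (`/* cleanup_addr_sender - process envelope sender record */`) and the file's SYNOPSIS block should also be updated to describe the new return value.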
@@ -148,6 +153,15 @@
 if (state->sender) /* XXX Can't happen */
myfree(state->sender);
 state->sender = mystrdup(STR(clean_addr)); /* Used by Milter client */
+/* Fix 20160310: Moved from cleanup_envelope.c. */
+if (state->milters || cleanup_milters) {
+   /* Make room to replace sender. */
+   if ((len = strlen(state->sender)) < REC_TYPE_PTR_PAYL_SIZE)
+   rec_pad(state->dst, REC_TYPE_PTR, REC_TYPE_PTR_PAYL_SIZE - len);
+   /* Remember the after-sender record offset. */
+   if ((after_sender_offs = vstream_ftell(state->dst)) < 0)
+   msg_fatal("%s: vstream_ftell %s: %m:", myname, cleanup_path);
+}
 if ((state->flags & CLEANUP_FLAG_BCC_OK)
&& *STR(clean_addr)
&& cleanup_send_bcc_maps) {
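Review bot: the placement is the actual fix and deserves a comment saying so: the padding and the after-sender offset are now taken immediately after the sender record and before the `CLEANUP_FLAG_BCC_OK` / `cleanup_send_bcc_maps` block appends the sender_bcc_maps recipients, so a later Milter sender replacement jumps back to a point that still includes those recipient records. The `/* Fix 20160310: Moved from cleanup_envelope.c. */` comment says where the code came from but not why it must stay ahead of the bcc block, and a future reordering would silently reintroduce the bug. Minor: the format string `"%s: vstream_ftell %s: %m:"` carries a stray trailing colon, copied as-is from cleanup_envelope.c.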
@@ -162,6 +176,7 @@
}
 }
 vstring_free(clean_addr);
+return after_sender_offs;
 }
 
 /* cleanup_addr_recipient - process envelope recipient */
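Review bot: `return after_sender_offs;` yields 0 whenever neither state->milters nor cleanup_milters is set, because the variable is only assigned inside that branch; the caller happens to test the same condition before using the value, but a short comment at the return (or a sentinel such as -1 that the caller checks) would make that contract harder to break by accident.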
diff -ur '--exclude=*.in*' '--exclude=*.ref*' 
/var/tmp/postfix-3.2-20160224/src/cleanup/cleanup_envelope.c 
src/cleanup/cleanup_envelope.c
--- /var/tmp/postfix-3.2-20160224/src/cleanup/cleanup_envelope.c
2015-12-27 16:30:56.0 -0500
+++ src/cleanup/cleanup_envelope.c  2016-03-11 07:53:40.323914349 -0500
@@ -380,6 +380,8 @@
return;
 }
 if (type == REC_TYPE_FROM) {
+   off_t after_sender_offs;
+
/* Allow only one instance. */
if (state->sender != 0) {
msg_warn("%s: message rejected: multiple envelope sender records",
@@ -392,14 +394,10 @@
if ((state->sender_pt_offset = vstream_ftell(state->dst)) < 0)
msg_fatal("%s: vstream_ftell %s: %m:", myname, cleanup_path);
}
-   cleanup_addr_sender(state, buf);
+   after_sender_offs = cleanup_addr_sender(state, buf);
if (state->milters || cleanup_milters) {
-   /* Make room to replace sender. */
-   if ((len = strlen(state->sender)) < REC_TYPE_PTR_PAYL_SIZE)
-   rec_pad(state->dst, REC_TYPE_PTR, REC_TYPE_PTR_PAYL_SIZE - len);
/* Remember the after-sender record offset. */
-   if ((state->sender_pt_target = vstream_ftell(state->dst)) < 0)
-   msg_fatal("%s: vstream_ftell %s: %m:", myname, cleanup_path);
+   state->sender_pt_target = after_sender_offs;
}
if (cleanup_milters != 0
&& state->milters == 0
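Review bot: with the `len = strlen(state->sender)` use removed from this block, check whether `len` is still referenced elsewhere in this function; if this was its only use, the now-unused local in cleanup_envelope.c will draw a compiler warning, and this patch does not remove its declaration. The retained comment `/* Remember the after-sender record offset. */` now sits above a plain assignment and would read better as "Use the after-sender offset returned by cleanup_addr_sender()".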
diff -ur '--exclude=*.in*' '--exclude=*.ref*' 
/var/tmp/postfix-3.2-20160224/src/cleanup/cleanup.h src/cleanup/cleanup.h
--- /var/tmp/postfix-3.2-20160224/src/cleanup/cleanup.h 2015-12-27 
16:30:56.0 -0500
+++ src/cleanup/cleanup.h   2016-03-10 19:14:21.325407225 -0500
@@ -290,7 +290,7 @@
  /*
   * cleanup_addr.c.
   */
-extern void cleanup_addr_sender(CLEANUP_STATE *, const char *);
+extern off_t cleanup_addr_sender(CLEANUP_STATE *, const char *);
 extern void cleanup_addr_recipient(CLEANUP_STATE *, const char *);
 extern void cleanup_addr_bcc_dsn(CLEANUP_STATE *, const char *, const char *, 
int);
 
diff -ur '--exclude=*.in*' '--exclude=*.ref*' 
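To see why the offset has to be captured before the sender_bcc_maps recipients are written, here is a toy model of the pointer-record mechanism the changelog entry above refers to. This is an added example, not Postfix code: the record encoding, PTR_PAYLOAD_SIZE and the prvs= replacement sender are all constructed stand-ins, and the only thing it reproduces is the ordering of the offset capture relative to the bcc records.

```python
"""Toy model of the cleanup queue-file pointer records behind the
SMFIR_CHGFROM / sender_bcc_maps bug.  Constructed for illustration;
this is NOT the real Postfix queue-file format."""

# Room reserved so a sender record can later be overwritten in place by a
# pointer record (stands in for REC_TYPE_PTR_PAYL_SIZE; value is made up).
PTR_PAYLOAD_SIZE = 20


class QueueFile:
    """Byte buffer of records: 1 type byte, 3-digit length, payload."""

    def __init__(self):
        self.buf = bytearray()

    def tell(self):
        return len(self.buf)

    @staticmethod
    def encode(rtype, payload):
        return rtype.encode() + f"{len(payload):03d}".encode() + payload.encode()

    def append(self, rtype, payload):
        self.buf += self.encode(rtype, payload)

    def overwrite(self, offset, limit, rtype, payload):
        """Overwrite in place; must not run past `limit` (the padding guarantees room)."""
        data = self.encode(rtype, payload)
        if offset + len(data) > limit:
            raise ValueError("not enough padding to overwrite record in place")
        self.buf[offset:offset + len(data)] = data

    def read(self, pos):
        rtype = chr(self.buf[pos])
        length = int(self.buf[pos + 1:pos + 4])
        payload = self.buf[pos + 4:pos + 4 + length].decode()
        return rtype, payload, pos + 4 + length


def write_envelope(sender, bcc_recipients, recipients, fixed):
    """Emit sender, sender_bcc_maps recipients and normal recipients.
    `fixed` selects where the after-sender offset is taken."""
    qf = QueueFile()
    sender_pt_offset = qf.tell()            # where the pointer will be patched in
    qf.append("S", sender)
    if len(sender) < PTR_PAYLOAD_SIZE:      # like rec_pad(): a no-op (zero) pointer
        qf.append("P", "0".ljust(PTR_PAYLOAD_SIZE - len(sender)))
    after_sender_offs = qf.tell()           # what the patched cleanup_addr_sender() returns
    for rcpt in bcc_recipients:             # bcc recipients emitted by the sender output function
        qf.append("R", rcpt)
    if not fixed:                           # pre-patch: offset taken after the bcc records
        after_sender_offs = qf.tell()
    for rcpt in recipients:
        qf.append("R", rcpt)
    qf.append("E", "")
    return qf, sender_pt_offset, after_sender_offs


def milter_replace_sender(qf, sender_pt_offset, sender_pt_target, new_sender):
    """SMFIR_CHGFROM: append the new sender, link back, redirect the old sender slot."""
    new_offset = qf.tell()
    qf.append("S", new_sender)
    qf.append("P", str(sender_pt_target).zfill(PTR_PAYLOAD_SIZE))   # jump back
    qf.overwrite(sender_pt_offset, sender_pt_target, "P",
                 str(new_offset).zfill(PTR_PAYLOAD_SIZE))          # jump forward


def read_envelope(qf):
    """Walk the records like a queue-file reader, following non-zero pointers."""
    pos, records, hops = 0, [], 0
    while pos < qf.tell():
        rtype, payload, pos = qf.read(pos)
        if rtype == "E":
            break
        if rtype == "P":
            target = int(payload)
            if target != 0:                 # a zero pointer is just padding
                pos = target
        else:
            records.append((rtype, payload))
        hops += 1
        if hops > 10000:
            raise RuntimeError("pointer loop in queue file")
    return records


def simulate(fixed):
    """Sender alice is bcc'd to an archive address; a BATV-style milter rewrites the sender."""
    qf, pt_offset, pt_target = write_envelope(
        "alice@example.com", ["archive@example.com"], ["bob@example.net"], fixed)
    milter_replace_sender(qf, pt_offset, pt_target, "prvs=1234abcd=alice@example.com")
    return read_envelope(qf)


if __name__ == "__main__":
    print("before fix:", simulate(fixed=False))   # archive recipient is skipped
    print("after fix: ", simulate(fixed=True))    # archive recipient survives
```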

Re: OT yahoo

2016-03-11 Thread @lbutlr
On Fri Mar 11 2016 12:21:07 Noel Jones   said:
> 
> This problem (postscreen delays legit mail server) is nicely solved
> by using a dns whitelist such as dnswl.org to bypass postscreen
> tests for known mail servers... not necessarily "known good"
> servers, just known to not be a bot.  Then your smtpd and content
> filtering can decide if you want the mail.

$ postconf -nf postscreen_dnsbl_sites
postscreen_dnsbl_sites = dul.dnsbl.sorbs.net*1
zen.spamhaus.org=127.0.0.[10..11]*4 zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*6 zen.spamhaus.org=127.0.0.2*6
spam.dnsbl.sorbs.net*2 multi.surbl.org*2 dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net list.dnswl.org=127.0.[0..255].0*-3
list.dnswl.org=127.0.[0..255].1*-4 list.dnswl.org=127.0.[0..255].[2..255]*-6
dwl.spamhaus.org=127.0.2.[2;3]*-3 swl.spamhaus.org=127.0.2.[12;13]*-3

I think yahoo maybe was only looking at the primary DNS which had gone offline 
because of the fixed IP issue, and no one else seemed to notice since the other 
DNS servers were working fine.

-- 
Ahahahahaha! Ahahahaha! Aahahaha!  BEWARE!  Yrs sincerely  The Opera
Ghost
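Noel's point (quoted above) rests on the weights in postscreen_dnsbl_sites: the list.dnswl.org, dwl and swl entries carry negative weights that pull a known mail server's score back under postscreen_dnsbl_threshold. The following is an added example, not Postfix code: it parses the site list shown above (the `[a..b]` ranges, `[a;b]` lists and `*weight` suffixes) and totals the weights for constructed DNSBL answers; it assumes each site entry counts at most once per lookup, which simplifies postscreen's actual scoring, and performs no DNS.

```python
import re
from dataclasses import dataclass
from typing import Optional

# postscreen_dnsbl_sites / postscreen_dnsbl_threshold as shown in the postconf output above
POSTSCREEN_DNSBL_SITES = """
dul.dnsbl.sorbs.net*1
zen.spamhaus.org=127.0.0.[10..11]*4 zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*6 zen.spamhaus.org=127.0.0.2*6
spam.dnsbl.sorbs.net*2 multi.surbl.org*2 dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net list.dnswl.org=127.0.[0..255].0*-3
list.dnswl.org=127.0.[0..255].1*-4 list.dnswl.org=127.0.[0..255].[2..255]*-6
dwl.spamhaus.org=127.0.2.[2;3]*-3 swl.spamhaus.org=127.0.2.[12;13]*-3
"""
POSTSCREEN_DNSBL_THRESHOLD = 6


@dataclass
class DnsblSite:
    domain: str
    octets: Optional[list]   # four sets of accepted octet values; None = any A record matches
    weight: int


def _octet_values(token):
    """'7' -> {7}; '[4..7]' -> {4,5,6,7}; '[2;3]' -> {2,3}; '[0..5;9]' -> {0..5, 9}."""
    inner = token[1:-1] if token.startswith("[") and token.endswith("]") else token
    values = set()
    for part in inner.split(";"):
        if ".." in part:
            lo, hi = part.split("..", 1)
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range in {token!r}")
    return values


def parse_sites(spec):
    """Parse a postscreen_dnsbl_sites value: domain[=reply-filter][*weight], whitespace separated."""
    sites = []
    for item in spec.split():
        weight = 1                                  # default weight when *N is absent
        if "*" in item:
            item, weight_str = item.rsplit("*", 1)
            weight = int(weight_str)
        domain, _, pattern = item.partition("=")
        octets = None
        if pattern:
            tokens = re.findall(r"\[[^\]]*\]|[^.]+", pattern)   # split on dots outside [...]
            if len(tokens) != 4:
                raise ValueError(f"bad reply filter {pattern!r}")
            octets = [_octet_values(t) for t in tokens]
        sites.append(DnsblSite(domain, octets, weight))
    return sites


def reply_matches(site, address):
    """Does one A record returned by the DNSBL satisfy this entry's reply filter?"""
    if site.octets is None:
        return True
    parts = address.split(".")
    return len(parts) == 4 and all(int(p) in allowed for p, allowed in zip(parts, site.octets))


def dnsbl_score(sites, replies):
    """replies maps DNSBL domain -> A records returned for the client (constructed here).
    Model assumption: each site entry contributes its weight at most once."""
    total = 0
    for site in sites:
        if any(reply_matches(site, a) for a in replies.get(site.domain, [])):
            total += site.weight
    return total


def postscreen_verdict(replies, threshold=POSTSCREEN_DNSBL_THRESHOLD):
    """Return (score, blocked) for the site list above."""
    score = dnsbl_score(parse_sites(POSTSCREEN_DNSBL_SITES), replies)
    return score, score >= threshold


if __name__ == "__main__":
    # Constructed lookup results, not real DNS answers.
    bot = {"zen.spamhaus.org": ["127.0.0.4"], "dul.dnsbl.sorbs.net": ["127.0.0.10"]}
    mail_server = {"zen.spamhaus.org": ["127.0.0.10"], "list.dnswl.org": ["127.0.5.1"]}
    print(postscreen_verdict(bot))          # (7, True)
    print(postscreen_verdict(mail_server))  # (0, False)
```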



Re: Milter not to all messages

2016-03-11 Thread Andrzej A. Filip
Alfredo Saldanha  wrote:
> Is there some way to use milter check in a type of conditional ?
> In my situation here, it can not be mandatory to each message.
> I'm asking this because some users here want to receive all messages without 
> Spam verification.
>
> Part of my main.cf:
> http://dpaste.com/3HFRR6V

Milter (e.g. MIMEDefang) can conditionally turn off anti-spam checks.

*BUT*

It will work OK for all recipients of the message in the same "spam check" 
category.
Milter anti-spam checks make sense if they "refuse to accept" the message in
the SMTP session. Due to SMTP design, milters, after seeing the message
content, can only "accept for ALL recipients" or "reject/delay for ALL 
recipients".

It may be fixed in an UGLY way by using "temporary rejects"
(delaying delivery) for some recipients of "mixed recipients" messages.

-- 
A. Filip


Re: OT yahoo

2016-03-11 Thread Noel Jones
On 3/11/2016 12:54 PM, @lbutlr wrote:
> On Fri Mar 11 2016 11:45:31 Viktor Dukhovni    
> said:
>>
>> On Fri, Mar 11, 2016 at 11:38:13AM -0700, @lbutlr wrote:
>>
>>>> You have some sort of proxy in front of your Postfix server.  The
>>>> proxy may be blocking Yahoo's servers.
>>>
>>> That is postscreen, which has a 4 or 5 second delay for new connections  
>>> however, that connection would be logged, wouldn’t it?
>>
>> Well, the IP address of the Yahoo host would be logged, yes.  They
>> may not be willing to wait the 5 seconds.
> 
> Then shouldn’t they generate a DND to the sender?

They would likely treat connection problems as a temporary error,
and might not send a delivery notice for several days.  But they
should eventually send a notice.

This problem (postscreen delays legit mail server) is nicely solved
by using a dns whitelist such as dnswl.org to bypass postscreen
tests for known mail servers... not necessarily "known good"
servers, just known to not be a bot.  Then your smtpd and content
filtering can decide if you want the mail.


  -- Noel Jones


Re: Milter not to all messages

2016-03-11 Thread Tom Hendrikx
On 11-03-16 15:48, Alfredo Saldanha wrote:
> Is there some way to use milter check in a type of conditional ?
> In my situation here, it can not be mandatory to each message.
> I'm asking this because some users here want to receive all messages without 
> Spam verification.
> 
> Part of my main.cf:
> http://dpaste.com/3HFRR6V
> 


I'm using milter-manager [1] as a go-between for all postfix -> milter
connections. Milter-manager supports plugins for whitelisting and other
neat tricks based on envelope details (ip, sender, recipients), and is
easily extensible using ruby. Works very nicely when off-the-shelf milters
don't support all exclusions you need, or when you don't want to
configure multiple milters in their own separate way.

[1] http://milter-manager.sourceforge.net/

Kind regards,
Tom





Re: OT yahoo

2016-03-11 Thread @lbutlr
On Fri Mar 11 2016 07:05:34 @lbutlr <@lbutlr> said:
> 
> I know this isn't a postfix problem since postfix is not ever getting 
> anything, but I’m hoping someone on the list has some ideas?

I just found out that someone turned off the static IP pool for one of the DNS 
servers, so that may be related. Off to go onsite and fix that.

I promise not to take a large club with me.

-- 
'Pardon me for living, I'm sure.' NO-ONE GETS PARDONED FOR LIVING.



Re: yahoo vs. postscreen

2016-03-11 Thread @lbutlr
On Fri Mar 11 2016 11:49:44 /dev/rob0    said:
> 
> Also, at this point "postconf -nf ; postconf -Mf" are appropriate, 
> because there might indeed be a Postfix issue.

$ postconf -nf
alias_database = hash:$config_directory/aliases
alias_maps = hash:$config_directory/aliases,
hash:/usr/local/mailman/data/aliases
allow_percent_hack = no
always_bcc = bac...@southgaylord.com
bounce_size_limit = 10240
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
header_size_limit = 10240
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -t -a $EXTENSION
mailbox_size_limit = 52428800
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_reject_code = 521
max_use = 10
message_size_limit = 26214400
meta_directory = /usr/local/libexec/postfix
mime_header_checks = pcre:$config_directory/mime_headers.pcre
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost,
ns1.$mydomain, ns2.$mydomain, mail.$mydomain, www.$mydomain,
webmail.$mydomain
mydomain = covisp.net
myhostname = mail.covisp.net
mynetworks = 75.148.37.64/29, 127.0.0.0/8, 65.121.55.42, , 65.121.55.45,
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
policyd-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks,
cidr:$config_directory/postscreen_access.cidr
postscreen_bare_newline_ttl = 7d
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = dul.dnsbl.sorbs.net*1
zen.spamhaus.org=127.0.0.[10..11]*4 zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*6 zen.spamhaus.org=127.0.0.2*6
spam.dnsbl.sorbs.net*2 multi.surbl.org*2 dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net list.dnswl.org=127.0.[0..255].0*-3
list.dnswl.org=127.0.[0..255].1*-4 list.dnswl.org=127.0.[0..255].[2..255]*-6
dwl.spamhaus.org=127.0.2.[2;3]*-3 swl.spamhaus.org=127.0.2.[12;13]*-3
postscreen_dnsbl_threshold = 6
postscreen_dnsbl_ttl = 1d
postscreen_greet_action = enforce
postscreen_greet_banner = mail.covisp.net ESTMP -- Please wait
postscreen_greet_ttl = 7d
postscreen_greet_wait = 4s
postscreen_pipelining_ttl = 7d
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +_
sample_directory = /usr/local/etc/postfix
sender_bcc_maps = pcre:$config_directory/sender_bcc.pcre
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED, IDEA, RC2, RC5
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name $mail_version
smtpd_data_restrictions = reject_unauth_pipelining,
reject_multi_recipient_bounce, permit
smtpd_error_sleep_time = 28
smtpd_hard_error_limit = 8
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, check_helo_access
pcre:/etc/postfix/helo_checks.pcre permit
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_invalid_hostname,
reject_unlisted_recipient, reject_unlisted_sender,
reject_unknown_reverse_client_hostname, check_client_access
hash:$config_directory/access, permit
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 4
smtpd_starttls_timeout = 40s
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4, LOW, EXPORT
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtputf8_enable = no
soft_bounce = yes
swap_bangpath = no
tls_ssl_options = no_ticket, no_compression
undisclosed_recipients_header = To: List of Bcc addresses:;
unknown_local_recipient_reject_code = 550
virtual_alias_domains = kreme.com
virtual_alias_maps = hash:$config_directory/virtual
proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:89
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains =

Re: OT yahoo

2016-03-11 Thread @lbutlr
On Fri Mar 11 2016 11:45:31 Viktor Dukhovni  
said:
> 
> On Fri, Mar 11, 2016 at 11:38:13AM -0700, @lbutlr wrote:
> 
>>> You have some sort of proxy in front of your Postfix server.  The
>>> proxy may be blocking Yahoo's servers.
>> 
>> That is postscreen, which has a 4 or 5 second delay for new connections  
>> however, that connection would be logged, wouldn’t it?
> 
> Well, the IP address of the Yahoo host would be logged, yes.  They
> may not be willing to wait the 5 seconds.

Then shouldn’t they generate a DND to the sender?

>> The only instances of yahoo.com I see in the logs are faked email addresses 
>> from Russian domains
> 
> You're looking for the domain, not the IP addresses of the outbound
> hosts.

I’ve looked for 66.218.66 66.218.67 and 66.218.69 which is the list of Ipv4 
prefixes I have for Yahoo.

-- 
Han : This is not going to work. Luke: Why didn't you say so before?
Han : I did say so before!




yahoo vs. postscreen

2016-03-11 Thread /dev/rob0
On Fri, Mar 11, 2016 at 11:38:13AM -0700, @lbutlr wrote:
> That is postscreen, which has a 4 or 5 second delay for new 
> connections however, that connection would be logged, wouldn’t
> it?

Yes, but if Y! outbound servers are not getting past 220, ...

> The only instances of yahoo.com I see in the logs are faked email 
> addresses from Russian domains

... you would not see the "yahoo" name in logs.  You'd only see IP 
addresses.  Perhaps you should go through some of your postscreen 
pre-220 rejections and see if Y! are among them.

Also, at this point "postconf -nf ; postconf -Mf" are appropriate, 
because there might indeed be a Postfix issue.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Mitigating DROWN

2016-03-11 Thread John A @ KLaM

Thanks, I will keep 3DES for now.

My dentist does not have to worry,  it was a transcription error.





Re: OT yahoo

2016-03-11 Thread Viktor Dukhovni
On Fri, Mar 11, 2016 at 11:38:13AM -0700, @lbutlr wrote:

> > You have some sort of proxy in front of your Postfix server.  The
> > proxy may be blocking Yahoo's servers.
> 
> That is postscreen, which has a 4 or 5 second delay for new connections  
> however, that connection would be logged, wouldn’t it?

Well, the IP address of the Yahoo host would be logged, yes.  They
may not be willing to wait the 5 seconds.

> The only instances of yahoo.com I see in the logs are faked email addresses 
> from Russian domains

You're looking for the domain, not the IP addresses of the outbound
hosts.

-- 
Viktor.


Re: OT yahoo

2016-03-11 Thread @lbutlr
On Fri Mar 11 2016 09:09:29 Viktor Dukhovni  
said:
> 
> On Fri, Mar 11, 2016 at 08:57:48AM -0700, @lbutlr wrote:
> 
>> I have MX monitoring that says I am not on any blacklists and that the 
>> server is secure 
>> 
>> # dig @8.8.8.8 covisp.net any
> 
> My first SMTP connection attempt to your server resulted in:
> 
>$ posttls-finger covisp.net
>posttls-finger: Connected to mail.covisp.net[65.121.55.42]:25
>posttls-finger: < 220-mail.covisp.net ESTMP -- Please wait
>
>posttls-finger: < 220 mail.covisp.net ESMTP Postfix 3.0.3
>...
> 
> Subsequent connections yield:
> 
>$ posttls-finger covisp.net
>posttls-finger: Connected to mail.covisp.net[65.121.55.42]:25
>posttls-finger: < 220 mail.covisp.net ESMTP Postfix 3.0.3
>...
> 
> You have some sort of proxy in front of your Postfix server.  The
> proxy may be blocking Yahoo's servers.

That is postscreen, which has a 4 or 5 second delay for new connections  
however, that connection would be logged, wouldn’t it?

The only instances of yahoo.com I see in the logs are faked email addresses 
from Russian domains

-- 
THERE WAS NO ROMAN GOD NAMED "FARTICUS" Bart chalkboard Ep. 5F06




Re: In some rare cases Postfix connect to a wrong MX server

2016-03-11 Thread Viktor Dukhovni
On Fri, Mar 11, 2016 at 06:21:06PM +0100, Msd wrote:

> >There was an MX lookup bugfix for Postfix 2.11 in May 2014.
> >
> > Wietse
> >
> >Bugfixes (fixed in Postfix 2.11 and Postfix 2.12):
> >
> >   * With connection caching enabled (the default), recipients
> > could be given to the wrong mail server.  The root cause was an
> > incorrect predicate. Due to this, the Postfix SMTP client could
> > save and restore plaintext connections that should not be cached,
> > under nonsensical lookup keys that did not distinguish by destination.
> > Problem reported by Sahil Tandon.

Specifically, (ignoring snapshots) this was introduced in 2.11.0
and fixed in 2.11.1.  The only affected stable release was 2.11.0.

-- 
Viktor.


Re: Milter not to all messages

2016-03-11 Thread Alfredo Saldanha
Nice way, Stephen.
I'll think about that.

Thank you.

- Original message -
From: "Stephen Satchell" 
To: "Alfredo Saldanha" , "postfix-users" 
Sent: Friday, 11 March 2016 14:11:11
Subject: Re: Milter not to all messages

On 03/11/2016 06:48 AM, Alfredo Saldanha wrote: 
> Is there some way to use milter check in a type of conditional ? 
> In my situation here, it can not be mandatory to each message. 
> I'm asking this because some users here want to receive all messages without 
> Spam verification. 

When I was running mail servers for a medium-sized web hosting company, 
I ran into the same problem: some customers did not want spam filtering 
on all mailboxes in their domains, or on particular mailboxes in their 
domain. 

So I had an exception list, and my milter would query the exception list 
so that the exceptions could be short-circuited. Easy to do in Perl; 
equally easy to do in Python. 

I had also coded a global exception for "postmaster", so that the mail 
service would be RFC compliant. (I had considered also making a global 
exception for "hostmaster" but decided against it. Not many of our 
customers defined this role account for their domain.) 

Customer didn't want "postmaster"? We would redirect it to the support 
postmaster mail account. Simple. 



Re: In some rare cases Postfix connect to a wrong MX server

2016-03-11 Thread Msd

Hello,

I have updated the bug with your information.

Thank you very much for your help !


Guillaume

On 11/03/2016 16:48, Wietse Venema wrote:
> Msd:
> > Hello,
> > 
> > I note in some rare case that Postfix tries to deliver an email to a
> > wrong MX server.
> > 
> > I have opened a bug to describe my problem here :
> > https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1549388/
> > 
> > Do you know what happens ?
> 
> There was an MX lookup bugfix for Postfix 2.11 in May 2014.
> 
> Wietse
> 
> Bugfixes (fixed in Postfix 2.11 and Postfix 2.12):
> 
>   * With connection caching enabled (the default), recipients
> could be given to the wrong mail server.  The root cause was an
> incorrect predicate. Due to this, the Postfix SMTP client could
> save and restore plaintext connections that should not be cached,
> under nonsensical lookup keys that did not distinguish by destination.
> Problem reported by Sahil Tandon.



Re: Milter not to all messages

2016-03-11 Thread Stephen Satchell

On 03/11/2016 06:48 AM, Alfredo Saldanha wrote:

> Is there some way to use milter check in a type of conditional ?
> In my situation here, it can not be mandatory to each message.
> I'm asking this because some users here want to receive all messages without 
> Spam verification.


When I was running mail servers for a medium-sized web hosting company, 
I ran into the same problem:  some customers did not want spam filtering 
on all mailboxes in their domains, or on particular mailboxes in their 
domain.


So I had an exception list, and my milter would query the exception list 
so that the exceptions could be short-circuited.  Easy to do in Perl; 
equally easy to do in Python.


I had also coded a global exception for "postmaster", so that the mail 
service would be RFC compliant.  (I had considered also making a global 
exception for "hostmaster" but decided against it.  Not many of our 
customers defined this role account for their domain.)


Customer didn't want "postmaster"?  We would redirect it to the support 
postmaster mail account.  Simple.




Re: OT yahoo

2016-03-11 Thread Wietse Venema
Viktor Dukhovni:
> On Fri, Mar 11, 2016 at 08:57:48AM -0700, @lbutlr wrote:
> 
> > I have MX monitoring that says I am not on any blacklists and that the 
> > server is secure 
> > 
> > # dig @8.8.8.8 covisp.net any
> 
> My first SMTP connection attempt to your server resulted in:
> 
> $ posttls-finger covisp.net
> posttls-finger: Connected to mail.covisp.net[65.121.55.42]:25
> posttls-finger: < 220-mail.covisp.net ESTMP -- Please wait
> 
> posttls-finger: < 220 mail.covisp.net ESMTP Postfix 3.0.3
> ...

postscreen?

Wietse
> Subsequent connections yield:
> 
> $ posttls-finger covisp.net
> posttls-finger: Connected to mail.covisp.net[65.121.55.42]:25
> posttls-finger: < 220 mail.covisp.net ESMTP Postfix 3.0.3
> ...
> 
> You have some sort of proxy in front of your Postfix server.  The
> proxy may be blocking Yahoo's servers.
> 
> -- 
>   Viktor.
> 


Re: OT yahoo

2016-03-11 Thread Viktor Dukhovni
On Fri, Mar 11, 2016 at 08:57:48AM -0700, @lbutlr wrote:

> I have MX monitoring that says I am not on any blacklists and that the server 
> is secure 
> 
> # dig @8.8.8.8 covisp.net any

My first SMTP connection attempt to your server resulted in:

$ posttls-finger covisp.net
posttls-finger: Connected to mail.covisp.net[65.121.55.42]:25
posttls-finger: < 220-mail.covisp.net ESTMP -- Please wait

posttls-finger: < 220 mail.covisp.net ESMTP Postfix 3.0.3
...

Subsequent connections yield:

$ posttls-finger covisp.net
posttls-finger: Connected to mail.covisp.net[65.121.55.42]:25
posttls-finger: < 220 mail.covisp.net ESMTP Postfix 3.0.3
...

You have some sort of proxy in front of your Postfix server.  The
proxy may be blocking Yahoo's servers.

-- 
Viktor.


Re: OT yahoo

2016-03-11 Thread @lbutlr

> On Mar 11, 2016, at 7:37 AM, /dev/rob0  wrote:
> 
> On Fri, Mar 11, 2016 at 07:05:34AM -0700, @lbutlr wrote:
>> I’ve been trying to track down why users have stopped receiving any 
>> mail from yahoo users and after searching the logs and even going 
>> so far as to create a yahoo mail account and send mail to myself, I 
>> see no attempts by yahoo to connect to my server. It seems anything 
>> sent to my mail server simply disappears. Showing the gross 
> 
> Triple-check your own DNS.

Seems to check out ok according to online tools. Google has no problems. 
Various banks have no problems. This seems to be isolated to Yahoo.

> Is the zone signed?  Did signatures expire for some reason?  It could be that 
> Y! are having issues with resolving your zone.

It could be, but then why the lack of DNDs to the senders?

> While as you said it is OT, if you share more information, we'll 
> perhaps be able to spot something wrong.

I have MX monitoring that says I am not on any blacklists and that the server 
is secure 

# dig @8.8.8.8 covisp.net any
;; ANSWER SECTION:
covisp.net. 21599   IN  SOA covisp.net. root.covisp.net. 
2015122607 300 300 300 300
covisp.net. 21599   IN  NS  ns1.covisp.net.
covisp.net. 21599   IN  NS  mail.covisp.net.
covisp.net. 21599   IN  NS  ns2.covisp.net.
covisp.net. 21599   IN  A   75.148.37.66
covisp.net. 21599   IN  A   65.121.55.44
covisp.net. 21599   IN  A   75.148.37.67
covisp.net. 21599   IN  MX  10 mail.covisp.net.
covisp.net. 21599   IN  TXT "v=spf1 mx a 
ip4:65.121.55.42/32 -all”

# dig @8.8.8.8 mail.covisp.net
;; ANSWER SECTION:
mail.covisp.net.19976   IN  A   65.121.55.42

# dig @8.8.8.8 -x 65.121.55.42
;; ANSWER SECTION:
42.55.121.65.in-addr.arpa. 21599 IN PTR mail.covisp.net.

-- 
'Sometimes there has to be a civil war, and sometimes, afterwards, it's
best to pretend something didn't happen. Sometimes people have to do a
job, and then they have to be forgotten.' --Men at Arms



Re: sender IP dependent outgoing IP address after content_filter

2016-03-11 Thread Noel Jones
On 3/11/2016 9:22 AM, gsotsas wrote:
> Thanks once again!
> 
> Do you see any possibility to use the client IP from the XFORWARD
> header? And to pass it to an external policy daemon?
> 
> Amda

No.




> 
> On 09.03.2016 22:41, Wietse Venema wrote:
>> gsotsas:
>>> Dear postfix users,
>>> I have the following outbound relayhost configuration:
>>> {client that sends mail to smtp relay} -> {postfix:587} ->
>>> {policyd} ->
>>> {postfix} -> {amavis:10024} -> {postfix:10025} -> {postfix relays
>>> mail
>>> to destination mailserver}
>>>
>>> What I need is that the last postfix process sets
>>> smtp_bind_address (or
>>> outgoing transport map) depending on the client IP.
>> That will be difficult. You can choose the Postfix SMTP client by
>> sender email address with sender_dependent_default_transport_maps,
>> but choosing it by client IP address will involve fragile hacks:
>>
>> Before content filter, a check_client_access map with
>>
>>  /^([0-9.]+)$/ PREPEND X-Client: $1
>>
>> After the content filter, a header_checks action with:
>>
>>  /^X-Client: ([0-9.]+)/ FILTER smtp-$1:
>>
>> And master.cf entries with:
>>
>>  smtp-1.2.3.4 .. .. .. .. .. .. smtp -o smtp_bind_address=1.2.3.4
>>
>> Wietse
>>
>>> Is there any way to achieve this (maybe with an external plugin or
>>> something)?
>>>
>>> I know about sender_dependent_default_transport_maps but this only
>>> works
>>> with the envelope sender domain.
>>> I know that postfix passes the original client ip to amavis as
>>> XFORWARD
>>> header (smtp_send_xforward_command) - and amavis returns this
>>> header to
>>> {postfix:10025} by specifying smtpd_authorized_xforward_hosts.
>>> But the XFORWARD header is used only for logging purpose and can't be
>>> used for my needs - or am I wrong?
>>>
>>> Thank you in advance
>>> Amda
>>>
> 



Re: sender IP dependent outgoing IP address after content_filter

2016-03-11 Thread Wietse Venema
gsotsas:
> Thanks once again!
> 
> Do you see any possibility to use the client IP from the XFORWARD 
> header? And to pass it to an external policy daemon?

There is no such thing as an xforward header.

I describe the system as it exists today.

I could also describe a system that does not exist, but I think
that would not help you.

Wietse


Re: Mitigating DROWN

2016-03-11 Thread Viktor Dukhovni
On Fri, Mar 11, 2016 at 10:27:17AM -0500, John A @ KLaM wrote:

> As a result of following various - how tos, warnings, notices etc., I
> currently exclude from both smtp & smtpd 
>
>   aNULL, DES, 3DES, MD5, RC2. RC4,
>   RC5, IDEA, SRP, PSK, aDDS, kECDhe,
>   kECDhr, kDHd, kDHr, SEED, IDEA, LOW, EXPORT
>
> Is this list reasonable and/or accurate?

I do not recommend exclusion of aNULL.

Exclusion of 3DES and RC5 is your call, no particularly strong
reason to drop or keep.  So I'd generally wait for OpenSSL to
drop them instead.

With 3DES there are likely still some systems that don't have AES,
and 3DES is their best cipher other than RC4, so if you exclude
both, you don't interoperate.  However, by now such systems are
fairly rare.  I'd keep 3DES for now.

Your neighbouring Doctor of Dental Surgery (DDS) does not wish to
be discriminated against.  Try "aDSS" (Digital Signature System)
instead.

-- 
Viktor.


Re: In some rare cases Postfix connect to a wrong MX server

2016-03-11 Thread Wietse Venema
Msd:
> Hello,
> 
> I note in some rare case that Postfix tries to deliver an email to a 
> wrong MX server.
> 
> I have opened a bug to describe my problem here : 
> https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1549388/
> 
> Do you know what happens ?

There was an MX lookup bugfix for Postfix 2.11 in May 2014.

Wietse

Bugfixes (fixed in Postfix 2.11 and Postfix 2.12):

  * With connection caching enabled (the default), recipients
could be given to the wrong mail server.  The root cause was an
incorrect predicate. Due to this, the Postfix SMTP client could
save and restore plaintext connections that should not be cached,
under nonsensical lookup keys that did not distinguish by destination.
Problem reported by Sahil Tandon.



Re: How can/could I redirect based upon sender.

2016-03-11 Thread John A @ KLaM

Thanks to everybody who helped.
Using the info collected the young lady was able to get a restraining order 
which, hopefully will put a stop to the harrasment.





Re: Mitigating DROWN

2016-03-11 Thread John A @ KLaM
As the result of following various - how tos, warnings, notices etc., I 
currently exclude from both smtp & smtpd "aNULL, DES, 3DES, MD5, RC2. RC4. 
RC5, IDEA, SRP, PSK, aDDS, kECDhe, kECDhr, kDHd, kDHr, SEED, IDEA, LOW, EXPORT"

Is this list reasonable and/or accurate?




Re: sender IP dependent outgoing IP address after content_filter

2016-03-11 Thread gsotsas

Thanks once again!

Do you see any possibility to use the client IP from the XFORWARD 
header? And to pass it to an external policy daemon?


Amda

On 09.03.2016 22:41, Wietse Venema wrote:

gsotsas:

Dear postfix users,
I have the following outbound relayhost configuration:
{client that sends mail to smtp relay} -> {postfix:587} -> {policyd} ->
{postfix} -> {amavis:10024} -> {postfix:10025} -> {postfix relays mail
to destination mailserver}

What I need is that the last postfix process sets smtp_bind_address (or
outgoing transport map) depending on the client IP.

That will be difficult. You can choose the Postfix SMTP client by
sender email address with sender_dependent_default_transport_maps,
but choosing it by client IP address will involve fragile hacks:

Before content filter, an check_Client_access map with

 /^[0-9.]+$/ PREPEND X-Client: $1

After the content filter, a header_checks action with:

 /^X-Client: ([0-9.]+)/ FILTER smtp-$1:

And master.cf entries with:

 smtp-1.2.3.4 .. .. .. .. .. .. smtp -o smtp_bind_address=1.2.3.4

Wietse


Is there any way to achieve this (maybe with an external plugin or
something)?

I know about sender_dependent_default_transport_maps but this only works
with the envelope sender domain.
I know that postfix passes the original client IP to amavis as XFORWARD
header (smtp_send_xforward_command) and amavis returns this header to
{postfix:10025} by specifying smtpd_authorized_xforward_hosts.
But the XFORWARD header is used only for logging purposes and can't be
used for my needs - or am I wrong?

Thank you in advance
Amda
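The client-IP-dependent bind address hack that Wietse sketched above, written out for the poster's chain (submission smtpd, amavis on 10024, re-injection on 10025). This is an added example, not configuration from the thread or from the Postfix project; the map file paths, the "submission" service name and the 1.2.3.4 address are assumptions, and one smtp-* service has to exist in master.cf for every client IP that may be tagged, otherwise the FILTER target does not exist and delivery is deferred with "mail transport unavailable".

```conf
# main.cf
# Tag every client with its own IP address before the content filter.
smtpd_client_restrictions = check_client_access pcre:/etc/postfix/client_tag.pcre
# Route on that tag; these checks must run only after the filter (see master.cf).
header_checks = pcre:/etc/postfix/xclient_route.pcre

# /etc/postfix/client_tag.pcre (assumed path)
# The capture group is required, otherwise $1 is empty.
/^([0-9.]+)$/    PREPEND X-Client: $1

# /etc/postfix/xclient_route.pcre (assumed path)
# Hand the message to the per-IP smtp service named in master.cf.
/^X-Client: ([0-9.]+)/    FILTER smtp-$1:

# master.cf
# Before the filter: do not run header_checks here, or FILTER fires too early.
submission inet n       -       n       -       -       smtpd
  -o receive_override_options=no_header_body_checks
# After the filter: no client restrictions, so 127.0.0.1 is not tagged again
# and only the original X-Client header drives the FILTER action.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o smtpd_client_restrictions=
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# One outbound SMTP client per source address (1.2.3.4 is a placeholder).
smtp-1.2.3.4 unix -     -       n       -       -       smtp
  -o smtp_bind_address=1.2.3.4
```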





In some rare cases Postfix connects to a wrong MX server

2016-03-11 Thread Msd

Hello,

I note in some rare cases that Postfix tries to deliver an email to a
wrong MX server.


I have opened a bug to describe my problem here:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1549388/


Do you know what happens?

Thanks,


Guillaume


Re: Milter not to all messages

2016-03-11 Thread Alfredo Saldanha
So I need another Postfix instance to do this.
I can use transport maps to select which user will pass in milter.

Thanks Wietse.

- Original message -
From: "Wietse Venema" 
To: "postfix-users" 
Sent: Friday, March 11, 2016 11:52:48
Subject: Re: Milter not to all messages

Alfredo Saldanha: 
> Is there some way to use milter check in a type of conditional? 

No. Milters can't start somewhere in the middle of an SMTP session. 
They must be able to inspect and respond to all connection stages. 

Wietse 

> In my situation here, it can not be mandatory to each message. 
> I'm asking this because some users here want to receive all messages without 
> Spam verification. 
> 
> Part of my main.cf: 
> http://dpaste.com/3HFRR6V 
> 
> Thanks. 
> 


Re: Milter not to all messages

2016-03-11 Thread Wietse Venema
Alfredo Saldanha:
> Is there some way to use milter check in a type of conditional?

No. Milters can't start somewhere in the middle of an SMTP session.
They must be able to inspect and respond to all connection stages.

Wietse

> In my situation here, it can not be mandatory to each message.
> I'm asking this because some users here want to receive all messages without 
> Spam verification.
> 
> Part of my main.cf:
> http://dpaste.com/3HFRR6V
> 
> Thanks.
> 


Milter not to all messages

2016-03-11 Thread Alfredo Saldanha
Is there some way to use milter check in a type of conditional?
In my situation here, it can not be mandatory to each message.
I'm asking this because some users here want to receive all messages without 
Spam verification.

Part of my main.cf:
http://dpaste.com/3HFRR6V

Thanks.


Re: postfix

2016-03-11 Thread Robert Chalmers
This is spam from China usually, and often India. I’ve seen a few of these over 
the years.

I can’t imagine the end game, but responding is a waste of time - it’s spam.

> On 11 Mar 2016, at 14:36, Wietse Venema  wrote:
> 
> Lytton Hou:
>> Dear Sir/Madam,
>> This is a confirmation letter regarding registration of postfix,
>> please read it carefully. We are a service agency for registering
>> domain names. Our center received an application from PERF Asia
>> Limited today. They applied for the registration of postfix as
>> their Brand Name and some top-level domain names. But we found the
>> main body of domain names is same as your company name. We are not
>> sure about the relationship between you and them.
>> Now, we are processing this application. Our center needs to confirm
>> whether you have authorized them? If so, we will continue the next
>> step of registration. If not, please reply me an e-mail. Looking
>> forward to your prompt reply.
> 
> I have no relationship with PERF Asia.
> 
>   Wietse

Robert Chalmers
rob...@chalmers.com .au  Quantum Radio: 
http://tinyurl.com/lwwddov
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11.  
XCode 7.2.1
2TB: Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. 
Lower Bay






Re: OT yahoo

2016-03-11 Thread /dev/rob0
On Fri, Mar 11, 2016 at 07:05:34AM -0700, @lbutlr wrote:
> I’ve been trying to track down why users have stopped receiving any 
> mail from yahoo users and after searching the logs and even going 
> so far as to create a yahoo mail account and send mail to myself, I 
> see no attempts by yahoo to connect to my server. It seems anything 
> sent to my mail server simply disappears. Showing the gross 

Triple-check your own DNS.  Is the zone signed?  Did signatures 
expire for some reason?  It could be that Y! are having issues with 
resolving your zone.

While as you said it is OT, if you share more information, we'll 
perhaps be able to spot something wrong.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: postfix

2016-03-11 Thread Wietse Venema
Lytton Hou:
> Dear Sir/Madam,
> This is a confirmation letter regarding registration of postfix,
> please read it carefully. We are a service agency for registering
> domain names. Our center received an application from PERF Asia
> Limited today. They applied for the registration of postfix as
> their Brand Name and some top-level domain names. But we found the
> main body of domain names is same as your company name. We are not
> sure about the relationship between you and them.
> Now, we are processing this application. Our center needs to confirm
> whether you have authorized them? If so, we will continue the next
> step of registration. If not, please reply me an e-mail. Looking
> forward to your prompt reply.

I have no relationship with PERF Asia.

Wietse


Re: OT yahoo

2016-03-11 Thread Wietse Venema
@lbutlr:
> I’ve been trying to track down why users have stopped receiving any
> mail from yahoo users and after searching the logs and even going so
> far as to create a yahoo mail account and send mail to myself, I see no
> attempts by yahoo to connect to my server. It seems anything sent to my
> mail server simply disappears. Showing the gross incompetence of yahoo,
> there is no NDN generated, so the sender has no idea the mail has not
> been delivered.
> 
> I know this isn't a postfix problem since postfix is not ever getting
> anything, but I’m hoping someone on the list has some ideas?

Speculation: Yahoo has reputation barriers not only for senders but also
for receivers.

Wietse


OT yahoo

2016-03-11 Thread @lbutlr
I’ve been trying to track down why users have stopped receiving any mail from 
yahoo users and after searching the logs and even going so far as to create a 
yahoo mail account and send mail to myself, I see no attempts by yahoo to 
connect to my server. It seems anything sent to my mail server simply 
disappears. Showing the gross incompetence of yahoo, there is no NDN generated, 
so the sender has no idea the mail has not been delivered.

I know this isn't a postfix problem since postfix is not ever getting anything, 
but I’m hoping someone on the list has some ideas?

-- 
When the least they could do to you was everything, then the most they
could do to you suddenly held no terror. --Small Gods



Re: Postfix 3.1 and TLS Cert Files

2016-03-11 Thread Tom Browder
On Wednesday, March 9, 2016, Curtis Villamizar  wrote:
>
> In message 
>