Getting smtpd restrictions right....

2017-01-19 Thread SH Development
I have a server running Xeams for spam filtering, and another server running 
Postfix 2.6.6.  Both servers are on the same network behind a firewall.  
Haven’t had any problems until recently when Xeams tech support pointed out 
that my Xeams server is showing as an open relay, but my Postfix server is not. 
They are telling me it’s because my Postfix server config is broken by not 
rejecting invalid user addresses passed through from Xeams.

Sure enough, if I telnet from any machine on the same network as the Postfix 
server, it accepts email to any user, real or not.  However, from any other 
machine outside that network, it rejects invalid addresses as it should.  I 
have tried some variations with mynetworks, but that seems to break other 
things.

I need to close this hole up.  I don’t think it’s been abused as of yet, but 
it’s only a matter of time.

Attached is the postconf -n output.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 3072
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = starionhost.net
myhostname = mail.starionhost.net
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
$virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination reject
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/cert.pem
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, 
mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

Jeff




Re: pop3d Login Failed

2017-01-19 Thread D'Arcy Cain

On 2017-01-19 05:37 PM, Maurizio Caloro wrote:

Please, why does pop3d give Login Failed for user joe?

var/log/mail.log

Jan 19 22:25:40 raspberrypi postfix/master[8771]: reload -- version
3.1.4, configuration /etc/postfix

Jan 19 22:26:26 raspberrypi pop3d: Connection, ip=[:::192.168.1.10]

Jan 19 22:26:26 raspberrypi authdaemond: ldap_simple_bind_s failed:
Can't contact LDAP server


As a wild guess I'll say that your server can't contact LDAP server.  As 
to why I don't know.  Do you have an LDAP server?  Is it running?  Does 
the server know where it is?


--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net


Re: How to effectively block communication to all domains except whitelisted?

2017-01-19 Thread Noel Jones
On 1/19/2017 2:53 AM, Petr Bena wrote:
> On 01/18/17 15:35, Noel Jones wrote:
>> If you need more help, please show "postconf -nf" and "postconf -Mf"
>>
>>
>>
>>   -- Noel Jones
> 
> Hi Noel,
> 
> Here is the output:
> 
> # postconf -nf
> # postconf -Mf
...
> 465inet  n   -   n   -   -   smtpd
> -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions= -o smtpd_data_restrictions=
> -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions=
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
> submission inet  n   -   n   -   -   smtpd
> -o smtpd_etrn_restrictions=reject -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_security_level=may
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_data_restrictions= -o smtpd_helo_restrictions=
> -o smtpd_recipient_restrictions=
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o syslog_name=postfix/submission -o

There's the problem.  You disable smtpd_recipient_restrictions for
smtps and submission.

The easy way to fix that is to remove "-o
smtpd_recipient_restrictions="  from the above, and restart postfix.



  -- Noel Jones
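
Noel's diagnosis generalises: a per-service `-o smtpd_recipient_restrictions=` in master.cf replaces the main.cf list for that service only, so a recipient whitelist that lives only in main.cf never runs for mail arriving on smtps or submission. The following Python linter is an added example, not code from this thread or from Postfix; it parses `postconf -n` and `postconf -Mf` text (the samples are condensed from the output quoted in this thread, and the dangling `-o` at the end of a folded line is handled as it appears there), resolves each smtpd service's effective relay and recipient lists using Postfix 2.10+ defaults (an assumption), and reports overrides that blank a main.cf policy, lists with no anti-relay item, and policy items that an earlier permit_* short-circuits for the clients it matches.

```python
# Lint Postfix smtpd restriction lists parsed from `postconf -n` / `postconf -Mf` text.
import re

# Constructed samples, condensed from the postconf output quoted in this thread.
MAIN_CF = """\
smtpd_recipient_restrictions = check_recipient_access
hash:/opt/zimbra/postfix/conf/recipient_domains,
reject_unlisted_recipient, reject
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination
"""
MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
465        inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
submission inet  n       -       n       -       -       smtpd
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o
    syslog_name=postfix/submission
"""

DEFAULTS = {"smtpd_relay_restrictions":  # Postfix 2.10+ built-in defaults (assumed)
            "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
            "smtpd_recipient_restrictions": ""}
# smtpd refuses to start unless the relay or recipient list contains one of these.
ANTI_RELAY = {"reject_unauth_destination", "defer_unauth_destination", "reject",
              "defer", "defer_if_permit", "check_relay_domains"}
SERVICE_TYPES = {"inet", "unix", "fifo", "pass"}
PARAM_RE = re.compile(r"^([A-Za-z_]\w*) =(?: (.*))?$")

def parse_main(text):
    """postconf -n output; a line that is not `name = value` is a wrapped
    continuation of the previous parameter (mail clients drop the indent)."""
    params, name = {}, None
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            name = m.group(1)
            params[name] = (m.group(2) or "").strip()
        elif name is not None and line.strip():
            params[name] = f"{params[name]} {line.strip()}".strip()
    return params

def parse_master(text):
    """postconf -Mf output -> {service: {"command": str, "options": {k: v}}}.
    Options are one token stream per service, so a `-o` left at the end of a
    folded line still pairs with the key=value on the next line."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[1] in SERVICE_TYPES and "=" not in f[0]:
            entries.append((f[0], f[7], f[8:]))  # name, command, trailing tokens
        elif entries:
            entries[-1][2].extend(f)
    services = {}
    for name, command, tokens in entries:
        opts, it = {}, iter(tokens)
        for tok in it:
            if tok == "-o":
                key, _, val = next(it, "=").partition("=")
                opts[key] = val
        services[name] = {"command": command, "options": opts}
    return services

def split_list(value):
    return [x for x in re.split(r"[,\s]+", value) if x]

def effective(params, svc, param):
    # A per-service -o override wins over main.cf, which wins over the default.
    return svc["options"].get(param, params.get(param, DEFAULTS[param]))

def bypassed_policy(items):
    """Policy items after the first permit_*: a client that permit matches gets
    OK right there, and the later items are never evaluated for it."""
    for i, item in enumerate(items):
        if item.startswith("permit"):
            return item, [x for x in items[i + 1:] if x not in ANTI_RELAY
                          and x.startswith(("reject_", "defer_", "check_"))]
    return None, []

def lint(params, services):
    """Return (service, level, message) findings for every smtpd service."""
    findings = []
    main_rcpt = split_list(params.get("smtpd_recipient_restrictions", ""))
    for name, svc in services.items():
        if svc["command"] != "smtpd":
            continue
        lists = {p: split_list(effective(params, svc, p))
                 for p in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")}
        if not ANTI_RELAY & set(sum(lists.values(), [])):
            findings.append((name, "WARN", "no anti-relay item in relay/recipient restrictions"))
        if main_rcpt and svc["options"].get("smtpd_recipient_restrictions") == "":
            findings.append((name, "WARN", "-o smtpd_recipient_restrictions= discards the "
                             "main.cf policy: " + " ".join(main_rcpt)))
        for param, items in lists.items():
            permit, skipped = bypassed_policy(items)
            if skipped:
                findings.append((name, "INFO", f"{param}: clients matching {permit} never "
                                 "reach " + ", ".join(skipped)))
    return findings

if __name__ == "__main__":
    for service, level, message in lint(parse_main(MAIN_CF), parse_master(MASTER_CF)):
        print(f"{level} {service}: {message}")
```

Run against the samples it reports the two WARN findings Noel points at (465 and submission both discard the main.cf whitelist); the smtp service is clean because its lists come from main.cf. Pipe real `postconf -n` and `postconf -Mf` output into `parse_main` and `parse_master` to check a live system.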


AW: pop3d Login Failed

2017-01-19 Thread Maurizio Caloro
Hello together

Please, why does pop3d give Login Failed for user joe?

Seems that I have many errors with this configuration.

I want my Postfix server to run as its own e-mail server.

For some help I would be grateful!

Regards

Mauri

var/log/mail.log

Jan 19 22:35:40 raspberrypi postfix/qmgr[25036]: E6FF561F31: from=, size=544, nrcpt=1 (queue active)
Jan 19 22:35:50 raspberrypi postfix[25760]: fatal: usage: postfix [-c config_dir] [-Dv] command
Jan 19 22:36:10 raspberrypi postfix/smtp[25743]: connect to caloro.ch[158.181.112.49]:25: Connection timed out
Jan 19 22:36:10 raspberrypi postfix/smtp[25743]: E6FF561F31: to=, relay=none, delay=4549, delays=4519/0.03/30/0, dsn=4.4.1, status=deferred (connect to caloro.ch[158.181.112.49]:25: Connection timed out)
Jan 19 22:42:59 raspberrypi pop3d: Connection, ip=[:::192.168.1.10]
Jan 19 22:42:59 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 22:42:59 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]
Jan 19 22:43:04 raspberrypi pop3d: Disconnected, ip=[:::192.168.1.10]
Jan 19 22:45:40 raspberrypi postfix/qmgr[25036]: 9493A61F38: from=, size=543, nrcpt=1 (queue active)
Jan 19 22:45:40 raspberrypi postfix/smtp[25832]: 9493A61F38: host mx00.emig.gmx.net[212.227.15.9] refused to talk to me: 554-gmx.net (mxgmx007) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=151.248.162.33=bl
Jan 19 22:45:40 raspberrypi postfix/smtp[25832]: 9493A61F38: to=, relay=mx01.emig.gmx.net[212.227.17.5]:25, delay=5043, delays=5043/0.03/0.16/0, dsn=4.0.0, status=deferred (host mx01.emig.gmx.net[212.227.17.5] refused to talk to me: 554-gmx.net (mxgmx102) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=151.248.162.33=bl)
Jan 19 22:52:59 raspberrypi pop3d: Connection, ip=[:::192.168.1.10]
Jan 19 22:52:59 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 22:52:59 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]
Jan 19 22:53:04 raspberrypi pop3d: Disconnected, ip=[:::192.168.1.10]
Jan 19 23:02:59 raspberrypi pop3d: Connection, ip=[:::192.168.1.10]
Jan 19 23:02:59 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 23:02:59 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]
Jan 19 23:03:04 raspberrypi pop3d: Disconnected, ip=[:::192.168.1.10]
Jan 19 23:12:59 raspberrypi pop3d: Connection, ip=[:::192.168.1.10]
Jan 19 23:12:59 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 23:12:59 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]
Jan 19 23:13:04 raspberrypi pop3d: Disconnected, ip=[:::192.168.1.10]
Jan 19 23:14:42 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server

root@raspberrypi:/usr/source/sqwebmail-5.8.3 # ps aux | grep authdaemon
root     25535  0.0  0.0   2676   528 pts/0    S+   22:32   0:00 grep --color=auto authdaemon
root     28087  0.0  0.1   1820  1132 ?        S    20:53   0:00 /usr/local/sbin/courierlogger -pid=/usr/local/var/spool/authdaemon/pid -start /usr/local/libexec/courier-authlib authdaemond
root     28088  0.0  0.3   6568  3200 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28089  0.0  0.3   6952  3176 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28090  0.0  0.3   6952  3152 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28091  0.0  0.3   6952  3160 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28092  0.0  0.0   6568   412 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28093  0.0  0.3   6952  3176 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root@raspberrypi:/usr/source/sqwebmail-5.8.3 #

root@raspberrypi:/lib/systemd/system # postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
meta_directory = /etc/postfix
mydestination = mail.caloro.ch, raspberrypi, localhost.localdomain, localhost
myhostname = raspberrypi
mynetworks = 127.0.0.0/8 192.168.1.0/27
myorigin = /etc/mailname


pop3d Login Failed

2017-01-19 Thread Maurizio Caloro
Please, why does pop3d give Login Failed for user joe?

var/log/mail.log

Jan 19 22:25:40 raspberrypi postfix/master[8771]: reload -- version 3.1.4, configuration /etc/postfix
Jan 19 22:26:26 raspberrypi pop3d: Connection, ip=[:::192.168.1.10]
Jan 19 22:26:26 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 22:26:26 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]
Jan 19 22:26:41 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 22:26:41 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]
Jan 19 22:26:53 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 22:26:53 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]
Jan 19 22:31:00 raspberrypi pop3d: Connection, ip=[:::192.168.1.10]
Jan 19 22:31:05 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 22:31:05 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]

root@raspberrypi:/usr/source/sqwebmail-5.8.3 # ps aux | grep authdaemon
root     25535  0.0  0.0   2676   528 pts/0    S+   22:32   0:00 grep --color=auto authdaemon
root     28087  0.0  0.1   1820  1132 ?        S    20:53   0:00 /usr/local/sbin/courierlogger -pid=/usr/local/var/spool/authdaemon/pid -start /usr/local/libexec/courier-authlib authdaemond
root     28088  0.0  0.3   6568  3200 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28089  0.0  0.3   6952  3176 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28090  0.0  0.3   6952  3152 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28091  0.0  0.3   6952  3160 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28092  0.0  0.0   6568   412 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root     28093  0.0  0.3   6952  3176 ?        S    20:53   0:00 /usr/local/libexec/courier-authlib/authdaemond
root@raspberrypi:/usr/source/sqwebmail-5.8.3 #
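
D'Arcy's reading of this log is the pattern worth automating: every pop3d `LOGIN FAILED` here is preceded, in the same second, by authdaemond reporting that it cannot reach the LDAP server, so the failures are an infrastructure fault rather than bad passwords. The following Python script is an added example, not code from this thread or from Courier; it parses syslog-style mail.log lines (the sample is taken from the lines quoted above, plus one constructed `bob` failure with no back-end error so both outcomes appear), pairs each login failure with the newest authdaemond error logged within a few seconds before it, and counts failures per root cause.

```python
# Correlate Courier pop3d LOGIN FAILED events with authdaemond back-end errors.
import re
from collections import Counter
from datetime import datetime, timedelta

# Lines quoted in this thread, plus one constructed "bob" failure that has no
# preceding back-end error, so both outcomes are exercised.
SAMPLE_LOG = """\
Jan 19 22:26:26 raspberrypi pop3d: Connection, ip=[:::192.168.1.10]
Jan 19 22:26:26 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 22:26:26 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]
Jan 19 22:26:41 raspberrypi authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Jan 19 22:26:41 raspberrypi pop3d: LOGIN FAILED, user=joe, ip=[:::192.168.1.10]
Jan 19 22:31:00 raspberrypi pop3d: Connection, ip=[:::192.168.1.10]
Jan 19 22:31:05 raspberrypi pop3d: LOGIN FAILED, user=bob, ip=[:::192.168.1.11]
Jan 19 22:31:09 raspberrypi pop3d: Disconnected, ip=[:::192.168.1.10]
"""

# "Mon DD HH:MM:SS host prog[pid]: message"; the pid is optional (pop3d logs none).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
LOGIN_FAILED_RE = re.compile(r"LOGIN FAILED, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]")
NO_BACKEND_ERROR = "no back-end error logged (likely bad credentials)"

def parse_line(line):
    """Split one syslog line into its fields; None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; a leap year is supplied so "Feb 29"
    # parses. Only differences between timestamps are used below.
    rec["ts"] = datetime.strptime("2000 " + rec["ts"], "%Y %b %d %H:%M:%S")
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def correlate_login_failures(records, window_seconds=5):
    """For each pop3d LOGIN FAILED, attach the newest authdaemond error logged
    within window_seconds before it (cause is None when there was none)."""
    window = timedelta(seconds=window_seconds)
    last_error = None  # (timestamp, message) of the newest authdaemond failure
    failures = []
    for rec in records:
        if rec["prog"] == "authdaemond" and "failed" in rec["msg"]:
            last_error = (rec["ts"], rec["msg"])
            continue
        if rec["prog"] != "pop3d":
            continue
        m = LOGIN_FAILED_RE.search(rec["msg"])
        if not m:
            continue
        cause = None
        if last_error is not None and timedelta(0) <= rec["ts"] - last_error[0] <= window:
            cause = last_error[1]
        failures.append({"ts": rec["ts"], "user": m["user"], "ip": m["ip"], "cause": cause})
    return failures

def summarize(failures):
    """Count login failures per root cause."""
    return Counter(f["cause"] or NO_BACKEND_ERROR for f in failures)

if __name__ == "__main__":
    found = correlate_login_failures(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']:%b %d %H:%M:%S} user={f['user']} ip={f['ip']} -> "
              f"{f['cause'] or NO_BACKEND_ERROR}")
    for cause, n in summarize(found).most_common():
        print(f"{n:3d}  {cause}")
```

On the sample this attributes both of joe's failures to "ldap_simple_bind_s failed: Can't contact LDAP server" and leaves bob's unattributed, which is the split an operator wants before deciding whether to look at the LDAP server or at the user. Feed it a real mail.log instead of SAMPLE_LOG to run it on a live system.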



Re: Moving from version 2 to 3

2017-01-19 Thread Peter
On 20/01/17 09:22, Wietse Venema wrote:
> Steve Matzura:
>> I'm currently running an implementation of version 2 on a Fedora
>> version 17 system, moving to a Ubuntu 16.04 LTS system which gave me
>> version 3. Before I start pulling my hair out, which I already did
>> going from version 1 to 2, is there an easy migration path for a
>> configuration file that's working perfectly under 2?
> 
> Yes. 
> 
> postconf compatibility_level=0
> postfix reload

F17 came with postfix 2.9 (the 9 is important here).  I would also do
this to make a new setting in 2.10 compatible to previous versions:

postconf smtpd_relay_restrictions=permit


Peter


Re: Autoresponder?

2017-01-19 Thread /dev/rob0
On Thu, Jan 19, 2017 at 01:17:49PM +, Ralph Corderoy wrote:
> > > Yes, that makes sense. I hadn't thought of vacation.
> >
> > Ah.. slight hiccough, the email is a sql account, not a shell 
> > account, so not .forward.
> 
> No home directory for a .forward?  How about /etc/aliases
> instead?

No, same problem: aliases(5) are only used by/for local(8) delivery
and if local was in use for this account it would be solved.

BTW a virtual user *should* have a home directory, but as there is
no system account, .forward would not work.

I can suggest to the OP to use a virtual alias pointing to a system
user; then your .forward would work.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Moving from version 2 to 3

2017-01-19 Thread Wietse Venema
Steve Matzura:
> I'm currently running an implementation of version 2 on a Fedora
> version 17 system, moving to a Ubuntu 16.04 LTS system which gave me
> version 3. Before I start pulling my hair out, which I already did
> going from version 1 to 2, is there an easy migration path for a
> configuration file that's working perfectly under 2?

Yes. 

postconf compatibility_level=0
postfix reload

Wietse


Moving from version 2 to 3

2017-01-19 Thread Steve Matzura
I'm currently running an implementation of version 2 on a Fedora
version 17 system, moving to a Ubuntu 16.04 LTS system which gave me
version 3. Before I start pulling my hair out, which I already did
going from version 1 to 2, is there an easy migration path for a
configuration file that's working perfectly under 2?

Thanks in advance.


Re: double bounce messages 'from'

2017-01-19 Thread Dominic Raferd
On 19 January 2017 at 14:30, Wietse Venema  wrote:
>
> Wietse Venema:
> > Dominic Raferd:
> > > On 16 January 2017 at 15:11, Wietse Venema  wrote:
> > > >
> > > > Dominic Raferd:
> > > > > One of the few remaining issues on my postfix server is that
> > > > > double-bounce messages don't come from the 'right' envelope sender.
> > > >
> > > > man 5 postconf | less '+/^double_bounce_sender'
> > > >
> > > > This also is the default for address_verify_sender.
> > >
> > > Thanks, I tried this but whatever I put it seems to append
> > > @$myhostname and this breaks my DKIM (appending @$myorigin would be
> > > ok).
> >
> > Then why don't YOU append the domain!
>
> Forgot that Postfix is hard-coded to append @$myhostname.
>
> In that case, you'd have to use canonical_maps to rewrite
> double_bounce@$myhostname:
>
> canonical_maps = inline:{$double_bounce_sender@$myhostname=somethingelse}
>
> (assumes Postfix 3.x). Having the map inlined in main.cf brings the
> benefit of parameter expansion.
>
> Wietse


OK, thanks, that would seem a good workaround. However, I've given up
on this for now and am having all notice messages go to a local
mailbox rather than being redirected out, so the sender address becomes
irrelevant.


Re: double bounce messages 'from'

2017-01-19 Thread Wietse Venema
Wietse Venema:
> Dominic Raferd:
> > On 16 January 2017 at 15:11, Wietse Venema  wrote:
> > >
> > > Dominic Raferd:
> > > > One of the few remaining issues on my postfix server is that
> > > > double-bounce messages don't come from the 'right' envelope sender.
> > >
> > > man 5 postconf | less '+/^double_bounce_sender'
> > >
> > > This also is the default for address_verify_sender.
> > 
> > Thanks, I tried this but whatever I put it seems to append
> > @$myhostname and this breaks my DKIM (appending @$myorigin would be
> > ok).
> 
> Then why don't YOU append the domain!

Forgot that Postfix is hard-coded to append @$myhostname.

In that case, you'd have to use canonical_maps to rewrite
double_bounce@$myhostname:

canonical_maps = inline:{$double_bounce_sender@$myhostname=somethingelse}

(assumes Postfix 3.x). Having the map inlined in main.cf brings the
benefit of parameter expansion.

Wietse


Re: Autoresponder?

2017-01-19 Thread Ralph Corderoy
Hi @lbutlr,

> > Yes, that makes sense. I hadn't thought of vacation.
>
> Ah.. slight hiccough, the email is a sql account, not a shell account,
> so not .forward.

No home directory for a .forward?  How about /etc/aliases instead?

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy


Re: double bounce messages 'from'

2017-01-19 Thread Wietse Venema
Dominic Raferd:
> On 16 January 2017 at 15:11, Wietse Venema  wrote:
> >
> > Dominic Raferd:
> > > One of the few remaining issues on my postfix server is that
> > > double-bounce messages don't come from the 'right' envelope sender.
> >
> > man 5 postconf | less '+/^double_bounce_sender'
> >
> > This also is the default for address_verify_sender.
> 
> Thanks, I tried this but whatever I put it seems to append
> @$myhostname and this breaks my DKIM (appending @$myorigin would be
> ok).

Then why don't YOU append the domain!

Wietse


Re: How to effectively block communication to all domains except whitelisted?

2017-01-19 Thread Petr Bena
On 01/19/17 09:53, Petr Bena wrote:
> On 01/18/17 15:35, Noel Jones wrote:
>> If you need more help, please show "postconf -nf" and "postconf -Mf"
>>
>>
>>
>>   -- Noel Jones
> Hi Noel,
>
> Here is the output:
>
> # postconf -nf
> alias_maps = hash:/etc/aliases
> always_add_missing_headers = yes
> bounce_notice_recipient = postmaster
> bounce_queue_lifetime = 5d
> broken_sasl_auth_clients = yes
> command_directory = /opt/zimbra/postfix/sbin
> config_directory = /opt/zimbra/postfix-2.10.3.2z/conf
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /opt/zimbra/postfix/libexec
> delay_warning_time = 0h
> disable_dns_lookups = no
> header_checks =
> import_environment =
> in_flow_delay = 1s
> inet_protocols = ipv4
> lmtp_connection_cache_destinations =
> lmtp_connection_cache_time_limit = 4s
> lmtp_host_lookup = dns
> local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
> mail_owner = postfix
> mailbox_size_limit = 0
> mailq_path = /opt/zimbra/postfix/sbin/mailq
> manpage_directory = /opt/zimbra/postfix/man
> maximal_backoff_time = 4000s
> message_size_limit = 1024
> milter_command_timeout = 30s
> milter_connect_timeout = 30s
> milter_content_timeout = 300s
> milter_default_action = tempfail
> minimal_backoff_time = 300s
> mydestination = localhost
> myhostname = in-vx182.prod.homecredit.in
> mynetworks = trimmed
> newaliases_path = /opt/zimbra/postfix/sbin/newaliases
> non_smtpd_milters =
> notify_classes = resource,software
> propagate_unmatched_extensions = canonical
> queue_directory = /opt/zimbra/data/postfix/spool
> queue_run_delay = 300s
> recipient_delimiter =
> relayhost = trimmed
> sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
> sendmail_path = /opt/zimbra/postfix/sbin/sendmail
> setgid_group = zimbra
> smtp_cname_overrides_servername = no
> smtp_fallback_relay =
> smtp_helo_name = $myhostname
> smtp_sasl_auth_enable = no
> smtp_sasl_mechanism_filter =
> smtp_sasl_password_maps =
> smtp_sasl_security_options = noplaintext,noanonymous
> smtp_tls_security_level =
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_port_logging = no
> smtpd_client_restrictions = reject_unauth_pipelining
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_end_of_data_restrictions =
> smtpd_error_sleep_time = 1s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_milters =
> smtpd_proxy_timeout = 100s
> smtpd_recipient_restrictions = check_recipient_access
> hash:/opt/zimbra/postfix/conf/recipient_domains,
> reject_unlisted_recipient,
> reject_invalid_helo_hostname, reject_non_fqdn_sender, reject
> smtpd_reject_unlisted_recipient = no
> smtpd_reject_unlisted_sender = no
> smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
> reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sender_restrictions = check_sender_access
> regexp:/opt/zimbra/postfix/conf/tag_as_originating.re,
> permit_mynetworks,
> permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access
> regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
> smtpd_soft_error_limit = 10
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
> smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
> smtpd_tls_security_level = may
> transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
> virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
> virtual_alias_expansion_limit = 1
> virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
> virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
> virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
> virtual_transport = error
>
> # postconf -Mf
> smtp   inet  n   -   n   -   -   smtpd
> -o smtpd_tls_security_level=may
> 465inet  n   -   n   -   -   smtpd
> -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions= -o smtpd_data_restrictions=
> -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions=
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
> submission inet  n   -   n   -   -   smtpd
> -o smtpd_etrn_restrictions=reject -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_security_level=may
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_data_restrictions= -o smtpd_helo_restrictions=
> -o smtpd_recipient_restrictions=
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o syslog_name=postfix/submission -o
> milter_macro_daemon_name=ORIGINATING
> scan   unix  -   -   

Re: How to effectively block communication to all domains except whitelisted?

2017-01-19 Thread Petr Bena
On 01/18/17 15:35, Noel Jones wrote:
> If you need more help, please show "postconf -nf" and "postconf -Mf"
>
>
>
>   -- Noel Jones

Hi Noel,

Here is the output:

# postconf -nf
alias_maps = hash:/etc/aliases
always_add_missing_headers = yes
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
broken_sasl_auth_clients = yes
command_directory = /opt/zimbra/postfix/sbin
config_directory = /opt/zimbra/postfix-2.10.3.2z/conf
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /opt/zimbra/postfix/libexec
delay_warning_time = 0h
disable_dns_lookups = no
header_checks =
import_environment =
in_flow_delay = 1s
inet_protocols = ipv4
lmtp_connection_cache_destinations =
lmtp_connection_cache_time_limit = 4s
lmtp_host_lookup = dns
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /opt/zimbra/postfix/sbin/mailq
manpage_directory = /opt/zimbra/postfix/man
maximal_backoff_time = 4000s
message_size_limit = 1024
milter_command_timeout = 30s
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_default_action = tempfail
minimal_backoff_time = 300s
mydestination = localhost
myhostname = in-vx182.prod.homecredit.in
mynetworks = trimmed
newaliases_path = /opt/zimbra/postfix/sbin/newaliases
non_smtpd_milters =
notify_classes = resource,software
propagate_unmatched_extensions = canonical
queue_directory = /opt/zimbra/data/postfix/spool
queue_run_delay = 300s
recipient_delimiter =
relayhost = trimmed
sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
sendmail_path = /opt/zimbra/postfix/sbin/sendmail
setgid_group = zimbra
smtp_cname_overrides_servername = no
smtp_fallback_relay =
smtp_helo_name = $myhostname
smtp_sasl_auth_enable = no
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_security_options = noplaintext,noanonymous
smtp_tls_security_level =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_port_logging = no
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions =
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_milters =
smtpd_proxy_timeout = 100s
smtpd_recipient_restrictions = check_recipient_access
hash:/opt/zimbra/postfix/conf/recipient_domains,
reject_unlisted_recipient,
reject_invalid_helo_hostname, reject_non_fqdn_sender, reject
smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = no
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_restrictions = check_sender_access
regexp:/opt/zimbra/postfix/conf/tag_as_originating.re,
permit_mynetworks,
permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access
regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
smtpd_soft_error_limit = 10
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
virtual_alias_expansion_limit = 1
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
virtual_transport = error

# postconf -Mf
smtp   inet  n   -   n   -   -   smtpd
-o smtpd_tls_security_level=may
465inet  n   -   n   -   -   smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions= -o smtpd_data_restrictions=
-o smtpd_helo_restrictions= -o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
submission inet  n   -   n   -   -   smtpd
-o smtpd_etrn_restrictions=reject -o smtpd_sasl_auth_enable=yes
-o smtpd_tls_security_level=may
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_data_restrictions= -o smtpd_helo_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o syslog_name=postfix/submission -o
milter_macro_daemon_name=ORIGINATING
scan   unix  -   -   n   -   10  smtp
-o smtp_send_xforward_command=yes -o disable_mime_output_conversion=yes
-o smtp_generic_maps=
pickup unix  n   -   n   60  1   pickup
cleanupunix  n   -   n   -   0   cleanup
qmgr   

How to modify subject line for all mail not whitelisted at dnswl.org?

2017-01-19 Thread Martin Brampton

This is somewhat related to:

On 19/01/2017 08:53, Petr Bena wrote: Re: How to effectively block 
communication to all domains except whitelisted?


Since the start of this year, the amount of mail blocked by blacklists 
has dived from around 70% to around 30%. At the same time, spam that is 
not from blacklisted servers has rocketed. Presumably this is coming 
from distributed botnets that never send the same thing from the same 
place for long.


Given the situation, I'm wanting to mark all mail that is not 
whitelisted by prefixing *** NOT WHITELISTED *** to the subject line of 
all mail coming from servers not listed at dnswl.org.


How would I set about doing this?


