Re: Why aren't macros available to command syntax in pipe(8)?

2017-03-28 Thread Doug Barton

On 03/25/2017 06:55 PM, Viktor Dukhovni wrote:
>> On Mar 25, 2017, at 9:38 PM, Doug Barton wrote:
>>
>> Setting up a new pipe in master.cf I wanted to do 'user=${user}' but that macro
>> isn't available there, only in argv. I found a workaround, but I was curious
>> about why?
>
> For good security reasons.

Can you elaborate?

> Unlike .forward or files which exist for selected users, injecting
> envelope data (e.g. user=${user}) into the pipe(8) execution context
> could allow remote senders to execute code as any user on the system

Yes, that's what I want to do. :)  Still easily done with a wrapper script.

> or modify which command is run, ...

Can you say more about this? If this is correct it seems like a major
security risk.

> Postfix attempts to be safe even
> in the hands of non-expert users.

That sounds like a good thing to do, obviously. I just wonder if the
line is drawn in the correct location for this issue.

Doug
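A wrapper in the spirit of the one Doug mentions, as an added example written for this page (not code from the thread or from Postfix): pipe(8) hands ${user} to the command only through argv, so the wrapper receives it as a single argument and still has to treat it as attacker-controlled data, because the remote sender chose the recipient address. The master.cf entry, the mailhelper account, the /var/spool/mywrap path and the script name are assumptions for the example; the fixed user= is what stops a crafted recipient from choosing which account the command runs as, and the script's own validation is what stops the value from steering it anywhere else.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: a pipe(8) wrapper that receives the
recipient local part via argv and treats it as untrusted input.

Assumed master.cf entry (hypothetical, not from the thread):

  mywrap    unix  -       n       n       -       -       pipe
    flags=Rq user=mailhelper argv=/usr/local/bin/mywrap.py ${user}

user= is a fixed unprivileged account; ${user} appears only in argv.
"""
import os
import re
import sys

SPOOL_BASE = "/var/spool/mywrap"                 # assumed spool location
EX_USAGE, EX_NOUSER, EX_TEMPFAIL = 64, 67, 75    # sysexits.h codes pipe(8) maps to bounce/defer

# A deliberately narrow local-part shape: reject anything else rather than "fixing" it.
LOCAL_PART_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_user(user):
    """True only if `user` is safe to use as a single path component."""
    return bool(LOCAL_PART_RE.fullmatch(user)) and ".." not in user


def spool_path_for(user):
    """Per-user spool directory, or ValueError when the name was rejected."""
    if not validate_user(user):
        raise ValueError(f"rejected local part {user!r}")
    path = os.path.normpath(os.path.join(SPOOL_BASE, user))
    # Defence in depth: the validated name must still land directly under SPOOL_BASE.
    if os.path.dirname(path) != SPOOL_BASE:
        raise ValueError(f"path escapes spool base: {path}")
    return path


def deliver(user, message):
    """Write the message into the user's spool directory; returns the file path."""
    target_dir = spool_path_for(user)
    os.makedirs(target_dir, mode=0o700, exist_ok=True)
    target = os.path.join(target_dir, f"msg.{os.getpid()}")
    # O_EXCL: never overwrite (or follow a planted link at) an existing name.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(message)
    return target


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} USER", file=sys.stderr)
        return EX_USAGE
    try:
        deliver(argv[1], sys.stdin.buffer.read())
    except ValueError as exc:
        print(exc, file=sys.stderr)   # EX_NOUSER: pipe(8) bounces the message
        return EX_NOUSER
    except OSError as exc:
        print(exc, file=sys.stderr)   # EX_TEMPFAIL: Postfix defers and retries
        return EX_TEMPFAIL
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The point of the split is that the only thing the recipient can influence is a string the script checks against an allowlist pattern before it touches the filesystem; the exit codes are the sysexits values pipe(8) turns into a bounce or a deferral.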




Re: Recent upsurge of spam messages rate

2017-03-28 Thread Allen Coates
I have a script that does a simple "head-count" over the last 1500
maillog entries.

Just now it showed the following results:


Nuisance hosts blocked by firewall: 97

Connections handled by Postscreen: 134
Black-listed Locally: 10
Black-listed by DNSBL: 94
Pre-Greets: 1
Hang-ups: 78
No-Queues: 7

Connections passed on to mail server: 21
Auth Probes: 2
No-Queues: 1

Messages actually received: 18

Ratio of bad connections is 86 percent



Allen C


On 28/03/17 22:00, Daniele Nicolodi wrote:
> Hello,
>
> this is not strictly Postfix related, but I don't know how to get in
> contact with a similar crowd of experienced folks. Please direct me to a
> more suitable mailing list, if one exists.
>
> In the last two weeks I've seen an upsurge in the rate at which spam
> messages are delivered to my domain inboxes. Nothing has changed in my
> quite standard configuration, thus I guess that spammers found a way to
> circumvent the basic protections I have in place. Did anyone notice
> something similar? What are the possible countermeasures?
>
> I use Postfix with this simple configuration:
>
> header_checks = pcre:/etc/postfix/header_checks.pcre
> smtpd_helo_required = yes
> smtpd_delay_reject = yes
> disable_vrfy_command = yes
> smtpd_recipient_restrictions =
> permit_sasl_authenticated
> reject_invalid_hostname
> reject_non_fqdn_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> permit_mynetworks
> reject_unauth_destination
> permit_dnswl_client list.dnswl.org
> reject_rbl_client zen.spamhaus.org
> reject_rbl_client b.barracudacentral.org
> reject_rbl_client dul.dnsbl.sorbs.net
> reject_rhsbl_reverse_client dbl.spamhaus.org
> reject_rhsbl_sender dbl.spamhaus.org
> reject_rhsbl_helo dbl.spamhaus.org
> permit
>
> with header_checks.pcre containing:
>
> /^X-Delivered-To: .*@grinta\.net$/  REJECT Mail forwarding loop detected
> /^(Delivered-To: .*@grinta\.net)$/  REPLACE X-$1
> /^X-Spam-Status: Yes/  REJECT Looks like spam
>
> and SpamAssassin as an SMTP proxy filter via spampd.
>
> Thanks for any comment.
>
> Best,
> Daniele
>
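A head-count over the tail of the maillog in the spirit of the one Allen describes, as an added example written for this page and not his script: it tallies postscreen(8) and smtpd(8) events with one regex per category over a constructed log sample (addresses from the documentation ranges), so the reader can see at which stage each connection was stopped. The kernel log prefix FW-DROP and the ratio formula are assumptions; the ratio here is (postscreen connections minus messages received) divided by postscreen connections, which reproduces the 86 percent in the figures above from 134 and 18.

```python
#!/usr/bin/env python3
"""Added example (not Allen's script): a head-count over Postfix log lines."""
import re
import sys
from collections import Counter, deque

# Each category is counted once per matching line.  Event names follow what
# postscreen(8) and smtpd(8) log; the kernel prefix FW-DROP is an assumption.
PATTERNS = {
    "firewall_blocked":         re.compile(r" kernel: .*\bFW-DROP\b"),
    "postscreen_connections":   re.compile(r"postfix/postscreen\[\d+\]: CONNECT from "),
    "blacklisted_locally":      re.compile(r"postfix/postscreen\[\d+\]: BLACKLISTED "),
    "blacklisted_dnsbl":        re.compile(r"postfix/postscreen\[\d+\]: NOQUEUE: reject: .*blocked using "),
    "pregreet":                 re.compile(r"postfix/postscreen\[\d+\]: PREGREET "),
    "hangup":                   re.compile(r"postfix/postscreen\[\d+\]: HANGUP "),
    "postscreen_noqueue_other": re.compile(r"postfix/postscreen\[\d+\]: NOQUEUE: reject: (?!.*blocked using)"),
    "passed_to_smtpd":          re.compile(r"postfix/postscreen\[\d+\]: PASS (?:NEW|OLD) "),
    "auth_probes":              re.compile(r"postfix/smtpd\[\d+\]: warning: .*SASL \S+ authentication failed"),
    "smtpd_noqueue":            re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: "),
    "messages_received":        re.compile(r"postfix/qmgr\[\d+\]: \S+: from=<[^>]*>, size=\d+"),
}


def headcount(lines):
    """Return a Counter of event categories seen in the given log lines."""
    counts = Counter({name: 0 for name in PATTERNS})
    for line in lines:
        for name, rx in PATTERNS.items():
            if rx.search(line):
                counts[name] += 1
    return counts


def bad_ratio_percent(counts):
    """Share of postscreen connections that never became a received message (assumed formula)."""
    conns = counts["postscreen_connections"]
    if conns == 0:
        return 0
    return int(100 * (conns - counts["messages_received"]) / conns)


def tail_lines(path, n=1500):
    """Last n lines of a log file, like `tail -n 1500 /var/log/maillog`."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return list(deque(fh, maxlen=n))


# Constructed sample log (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = r"""
Mar 28 21:10:00 mx kernel: FW-DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP DPT=25
Mar 28 21:10:01 mx postfix/postscreen[1234]: CONNECT from [192.0.2.10]:43210 to [198.51.100.5]:25
Mar 28 21:10:02 mx postfix/postscreen[1234]: PREGREET 11 after 0.12 from [192.0.2.10]:43210: EHLO spam\r\n
Mar 28 21:10:02 mx postfix/postscreen[1234]: DNSBL rank 3 for [192.0.2.10]:43210
Mar 28 21:10:03 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.10]:43210: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using zen.spamhaus.org; from=<x@example.org>, to=<y@example.com>, proto=ESMTP, helo=<spam>
Mar 28 21:10:03 mx postfix/postscreen[1234]: DISCONNECT [192.0.2.10]:43210
Mar 28 21:10:04 mx postfix/postscreen[1234]: CONNECT from [192.0.2.11]:5555 to [198.51.100.5]:25
Mar 28 21:10:05 mx postfix/postscreen[1234]: HANGUP after 0.5 from [192.0.2.11]:5555 in tests after SMTP handshake
Mar 28 21:10:06 mx postfix/postscreen[1234]: CONNECT from [192.0.2.12]:1111 to [198.51.100.5]:25
Mar 28 21:10:06 mx postfix/postscreen[1234]: BLACKLISTED [192.0.2.12]:1111
Mar 28 21:10:06 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.12]:1111: 550 5.3.2 Service currently unavailable; from=<x@example.org>, to=<y@example.com>, proto=SMTP, helo=<bad>
Mar 28 21:10:07 mx postfix/postscreen[1234]: CONNECT from [203.0.113.7]:2525 to [198.51.100.5]:25
Mar 28 21:10:07 mx postfix/postscreen[1234]: PASS NEW [203.0.113.7]:2525
Mar 28 21:10:08 mx postfix/smtpd[2345]: 4ABCD12345: client=mail.example.org[203.0.113.7]
Mar 28 21:10:08 mx postfix/qmgr[999]: 4ABCD12345: from=<x@example.org>, size=1234, nrcpt=1 (queue active)
Mar 28 21:10:09 mx postfix/postscreen[1234]: CONNECT from [203.0.113.8]:2526 to [198.51.100.5]:25
Mar 28 21:10:09 mx postfix/postscreen[1234]: PASS OLD [203.0.113.8]:2526
Mar 28 21:10:10 mx postfix/smtpd[2346]: warning: unknown[203.0.113.8]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 21:10:11 mx postfix/smtpd[2346]: NOQUEUE: reject: RCPT from unknown[203.0.113.8]: 554 5.7.1 <y@example.com>: Relay access denied; from=<x@example.org> to=<y@example.com> proto=ESMTP helo=<bad>
""".strip().splitlines()


def report(counts):
    """Render the tally in the same style as the figures posted above."""
    out = [f"{name.replace('_', ' '):28s} {counts[name]}" for name in PATTERNS]
    out.append(f"Ratio of bad connections is {bad_ratio_percent(counts)} percent")
    return "\n".join(out)


if __name__ == "__main__":
    lines = tail_lines(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(headcount(lines)))
```

Run it with the path to the maillog as the only argument to count the real tail; without an argument it runs over the constructed sample. A DNSBL reject and a plain postscreen reject are both NOQUEUE lines, so the two categories are told apart by the "blocked using" text that postscreen adds for DNSBL hits.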



Re: Recent upsurge of spam messages rate

2017-03-28 Thread Allen Coates
I have also noticed an increase of "bad connections" to my server.

Fortunately, very few get past postscreen - I heartily recommend its use.

Allen C

On 28/03/17 22:00, Daniele Nicolodi wrote:
> Hello,
>
> this is not strictly Postfix related, but I don't know how to get in
> contact with a similar crowd of experienced folks. Please direct me to a
> more suitable mailing list, if one exists.
>
> In the last two weeks I've seen an upsurge in the rate at which spam
> messages are delivered to my domain inboxes. Nothing has changed in my
> quite standard configuration, thus I guess that spammers found a way to
> circumvent the basic protections I have in place. Did anyone notice
> something similar? What are the possible countermeasures?
>
> I use Postfix with this simple configuration:
>
> header_checks = pcre:/etc/postfix/header_checks.pcre
> smtpd_helo_required = yes
> smtpd_delay_reject = yes
> disable_vrfy_command = yes
> smtpd_recipient_restrictions =
> permit_sasl_authenticated
> reject_invalid_hostname
> reject_non_fqdn_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> permit_mynetworks
> reject_unauth_destination
> permit_dnswl_client list.dnswl.org
> reject_rbl_client zen.spamhaus.org
> reject_rbl_client b.barracudacentral.org
> reject_rbl_client dul.dnsbl.sorbs.net
> reject_rhsbl_reverse_client dbl.spamhaus.org
> reject_rhsbl_sender dbl.spamhaus.org
> reject_rhsbl_helo dbl.spamhaus.org
> permit
>
> with header_checks.pcre containing:
>
> /^X-Delivered-To: .*@grinta\.net$/  REJECT Mail forwarding loop detected
> /^(Delivered-To: .*@grinta\.net)$/  REPLACE X-$1
> /^X-Spam-Status: Yes/  REJECT Looks like spam
>
> and SpamAssassin as an SMTP proxy filter via spampd.
>
> Thanks for any comment.
>
> Best,
> Daniele
>



Re: Advice smtp-->mailhub+alias --> corporate mailhubs.

2017-03-28 Thread Viktor Dukhovni

> On Mar 28, 2017, at 5:23 PM, Soporte Infraestructura Operativa y 
> Almacenamiento  wrote:
> 
> So far I have been able to setup this config but; my problem arises
> when I need to expand some aliases; this aliases point to local users
> on some servers and the main mailhubs (corporate) that runs Windows
> Exchange.

Use virtual_alias_maps:

   http://www.postfix.org/ADDRESS_REWRITING_README.html#virtual
   http://www.postfix.org/postconf.5.html#virtual_alias_maps
   http://www.postfix.org/virtual.5.html

See also:

   http://www.postfix.org/MULTI_INSTANCE_README.html#split

Note that virtual(5) rewriting happens for *all* recipients,
not just those with a domain part that is a virtual alias domain.
So do NOT list domains in virtual_alias_domains in the mistaken
belief that this is required for virtual alias rewriting to take
place.

   http://www.postfix.org/ADDRESS_CLASS_README.html

-- 
Viktor.



Advice smtp-->mailhub+alias --> corporate mailhubs.

2017-03-28 Thread Soporte Infraestructura Operativa y Almacenamiento
Hi people:
I feel in need of advice from you.
My main experience comes from sendmail on Solaris 10 and Solaris 11.

We have this site with Solaris, CentOS, Ubuntu and Windows (with SMTP service)
servers.

At first, every server was an SMTP server, but now we want every box to send
email to a pair of postfix servers as mailhubs. Our local-site mailhubs are
running postfix 2.9.4 on Solaris 10 for X86 (right now I'm planning the
migration to CentOS with postfix).

So far I have been able to set up this config, but my problem arises when I need
to expand some aliases; these aliases point to local users on some servers and
the main mailhubs (corporate) that run Windows Exchange.

I want to process the alias at our mailhubs since they are only two instead of 55
servers and I don't have access to the Corporate Mailhubs.
So my setup is like
My site servers ---> Our Mailhubs ---> Corporate Mailhubs ---> realusers@domain
Cases
1) there is an alias on the local mailhubs

{ alias1 --> finaluser@domain, someuser@mysite-server }
dbauser@domain ---> alias1 ---> Corporate Mailhubs --> finalrealuser@domain
                         \---> someuser@mysite-server

2) there isn't an alias on local mailhubs
dbauser@domain ---> no alias ---> Corporate Mailhubs --> finalrealuser@domain

As I told you, my idea is to make an easier setup where the future admins just
modify the alias instead of setting up that alias on every local-site server.
So my request is some advice to accomplish this task with much hassle.

In the networks file I have my IP address blocks

In the aliases file I have, for emails to soapbd@domain:
soapbd:finalrealuser@domain,soapbd@mysite-server

In the transport file
*  smtp:smtpapl.domain

In main.cf
mynetworks = $config_directory/mynetworks
transport_maps = hash:/etc/opt/csw/postfix/transport

Any help or tutorial is really appreciated.


This e-mail message, including any attachments, is for the exclusive use of the
person to whom it was sent, and may contain information that is confidential or
legally protected. If you are not the recipient, or have received this message
in error, you are not authorized to copy, distribute, or use this message in any
way. Please notify the sender immediately by e-mail and permanently delete this
message and its attachments. No guarantee is given that this e-mail is free of
errors or viruses.
INSTITUTO COSTARRICENSE DE ELECTRICIDAD


Re: transport table - and regular expression for dynamic generated e-mails tha

2017-03-28 Thread Zalezny Niezalezny
Thanks!! It was always hard for me to understand how I may route some
strange addresses. I always used check_sender_regexp and
check_recipient_regexp, but it seems that with a regexp transport table I
will be able to do a lot more. Virtual beer for you!

Thanks a lot!!!

28 Mar 2017 17:16 "Noel Jones" wrote:

> On 3/28/2017 2:59 AM, Zalezny Niezalezny wrote:
>> Hi,
>>
>> I would like to route some dynamically generated E-mails to some server.
>>
>> My E-mail looks as follows:
>>
>> Original E-mail: testm...@example.com
>>
>> I have a problem with routing that E-mail:
>> Dynamically generated E-mail: testmail-3995485839...@example.com
>>
>> Domain: example.com
>>
>> /etc/postfix/transport file looks as follows:
>>
>> testm...@example.com   relay:some.server.relay
>> /^testmail-.*@example\.com/   relay:some.second.server
>> example.com   relay:some.domain
>>
>> Unfortunately E-mail
>>
>> testmail-3995485839...@example.com
>>
>> is routed to some.domain (routing for example.com).
>>
>> How to send that message to some.second.server?
>>
>> I appreciate Your support.
>>
>> With kind regards
>>
>> Zalezny
>
> Looks as if you're mixing regular expressions with indexed lookups
> in your transport file.  Don't do that.
>
> Use a regexp: or pcre: transport map type, and write all the entries
> as regular expressions.
>
> # main.cf
> transport_maps = regexp:/etc/postfix/transport.regexp
>
> # transport.regexp
> # in regexp maps, first match wins
> /^testmail-.*@example\.com$/   relay:some.second.server
> /^testmail@example\.com$/  relay:some.server.relay
> /@example\.com$/   relay:some.domain
>
> Alternately, you can use both a regexp: and a hash: map.  This may
> be more convenient if you have a large number of transport entries.
> # main.cf
> transport_maps = regexp:/etc/postfix/transport.regexp
>     hash:/etc/postfix/transport
>
> http://www.postfix.org/postconf.5.html#transport_maps
> http://www.postfix.org/regexp_table.5.html


Recent upsurge of spam messages rate

2017-03-28 Thread Daniele Nicolodi
Hello,

this is not strictly Postfix related, but I don't know how to get in
contact with a similar crowd of experienced folks. Please direct me to a
more suitable mailing list, if one exists.

In the last two weeks I've seen an upsurge in the rate at which spam
messages are delivered to my domain inboxes. Nothing has changed in my
quite standard configuration, thus I guess that spammers found a way to
circumvent the basic protections I have in place. Did anyone notice
something similar? What are the possible countermeasures?

I use Postfix with this simple configuration:

header_checks = pcre:/etc/postfix/header_checks.pcre
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated
reject_invalid_hostname
reject_non_fqdn_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
permit_dnswl_client list.dnswl.org
reject_rbl_client zen.spamhaus.org
reject_rbl_client b.barracudacentral.org
reject_rbl_client dul.dnsbl.sorbs.net
reject_rhsbl_reverse_client dbl.spamhaus.org
reject_rhsbl_sender dbl.spamhaus.org
reject_rhsbl_helo dbl.spamhaus.org
permit

with header_checks.pcre containing:

/^X-Delivered-To: .*@grinta\.net$/  REJECT Mail forwarding loop detected
/^(Delivered-To: .*@grinta\.net)$/  REPLACE X-$1
/^X-Spam-Status: Yes/  REJECT Looks like spam

and SpamAssassin as an SMTP proxy filter via spampd.

Thanks for any comment.

Best,
Daniele


Re: Postfix cannot start tls: handshake failure

2017-03-28 Thread Viktor Dukhovni

> On Mar 27, 2017, at 3:26 PM, oakley  wrote:
> 
> I'm now using port 25.

Perhaps.  But logging the associated failure is more useful than just noting
this claim.

> I've tested to see if my firewall or what ever was blocking it, but I can
> connect when I tested via;
> 
> $ openssl s_client -connect email-smtp.eu-west-1.amazonaws.com:25 -starttls 
> imap

Well, it may not surprise you to learn that "SMTP" is not "IMAP".
So reporting the result with "-starttls smtp" rather than
"-starttls imap" is probably more useful.

-- 
Viktor.



Re: Feature request: delay smtpd client connection response until queue item is removed

2017-03-28 Thread Wietse Venema
Maarten Vanraes:
> Hey,
> 
> Normal smtpd client connection handling (after DATA) would be "Queued as 
> ".
> 
> I would like to request a feature where the smtpd response is delayed 
> until the mail is completely actually handled (ie: removed from queue) 

I looked at a system that tried to do that before Postfix was
released, and found that it was broken by design. It got into trouble
when one message had recipients in different domains, and some of
those were down.

Wietse


Re: Feature request: delay smtpd client connection response until queue item is removed

2017-03-28 Thread Viktor Dukhovni

> On Mar 28, 2017, at 4:40 AM, Maarten Vanraes  wrote:
> 
> The smtpd would then reply like this:
> * Timed out while waiting for queue processing(queued as XXX)
> * status = sent (delivered to u...@example.com, queued as XXX)
> * status = bounced .

With SMTP this is architecturally not possible for multi-recipient
mail.  A single message may require multiple downstream deliveries
and some may succeed while others tempfail or hardfail.  With alias
expansion this can even happen for what is initially a single-recipient
message.

This also seems like a rather bad idea.  Instead, use the DSN NOTIFY
ESMTP extension, which is the right way to be notified of delivery
completion and status.

-- 
Viktor.
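The DSN route Viktor points to, as an added example written for this page (not from the thread and not Postfix code): the sending side asks for a per-recipient notification with the NOTIFY parameter on RCPT TO (RFC 3461), and later parses the message/delivery-status report that comes back (RFC 3464), which is where a multi-recipient message naturally produces one outcome per recipient instead of one reply for the whole message. The addresses, host names and the sample report are constructed.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: request DSNs with NOTIFY and parse the
message/delivery-status report that comes back (RFC 3461 / RFC 3464)."""
import email
import smtplib


def rcpt_command(address, notify=("SUCCESS", "FAILURE", "DELAY")):
    """The RCPT line a client sends when it wants a DSN for this recipient."""
    return f"RCPT TO:<{address}> NOTIFY={','.join(notify)}"


def send_with_dsn(host, sender, recipients, message, port=25):
    """Send via smtplib, asking for success/failure/delay DSNs on every recipient.
    Not exercised here: it needs a real submission host that advertises DSN."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls()
        return smtp.sendmail(sender, recipients, message,
                             rcpt_options=["NOTIFY=SUCCESS,FAILURE,DELAY"])


def dsn_recipient_status(raw_dsn):
    """Map each Final-Recipient in a DSN to its (Action, Status) pair."""
    msg = email.message_from_string(raw_dsn)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report message")
    result = {}
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The stdlib parser represents each blank-line-separated header block
        # as a nested message: the first is per-message, the rest per-recipient.
        for block in part.get_payload():
            final = block.get("Final-Recipient")
            if final is None:
                continue
            address = final.split(";", 1)[1].strip()   # "rfc822; user@host"
            result[address] = (block.get("Action", "").strip().lower(),
                               block.get("Status", "").strip())
    return result


# Constructed sample: one message, two recipients, two different outcomes.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: sender@example.org
Subject: Delivery status notification
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

This is a constructed delivery report.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; alice@example.com
Action: delivered
Status: 2.0.0

Final-Recipient: rfc822; bob@example.net
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 User unknown

--B1--
"""

if __name__ == "__main__":
    print(rcpt_command("alice@example.com"))
    for addr, (action, status) in dsn_recipient_status(SAMPLE_DSN).items():
        print(f"{addr}: {action} ({status})")
```

The report carries one Action/Status block per recipient, so the "some succeed while others tempfail or hardfail" case that makes a single delayed SMTP reply impossible is exactly what a DSN is built to express.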



Re: Feature request: delay smtpd client connection response until queue item is removed

2017-03-28 Thread Noel Jones
On 3/28/2017 3:40 AM, Maarten Vanraes wrote:
> Hey,
> 
> Normal smtpd client connection handling (after DATA) would be
> "Queued as ".
> 
> I would like to request a feature where the smtpd response is
> delayed until the mail is completely actually handled (ie: removed
> from queue) (of course not by default).
> 

Mail is a store-and-forward protocol. Postfix replies with the
Queued response when the message is safely stored in the queue.

You're asking for a proxy that doesn't reply until the mail is
passed on to a further destination.

There are several SMTP proxies available if you search google, and
postfix has a smtpd_proxy_filter option which is usually used as a
front end for a content inspection proxy.  That may or may not suit
your needs.
http://www.postfix.org/SMTPD_PROXY_README.html#config

If you describe the actual problem you're trying to solve, there may
be other options.


  -- Noel Jones


Re: transport table - and regular expression for dynamic generated e-mails

2017-03-28 Thread Noel Jones
On 3/28/2017 2:59 AM, Zalezny Niezalezny wrote:
> Hi,
> 
> I would like to route some dynamically generated E-mails to some server.
> 
> My E-mail looks as follows:
> 
> Original E-mail: testm...@example.com 
> 
> I have a problem with routing that E-mail:
> Dynamically generated E-mail: testmail-3995485839...@example.com
> 
> Domain: example.com 
> 
> 
> /etc/postfix/transport file looks as follows:
> 
> 
> testm...@example.com   relay:some.server.relay
> /^testmail-.*@example\.com/   relay:some.second.server
> example.com   relay:some.domain
> 
> 
> 
> Unfortunately E-mail
> 
> testmail-3995485839...@example.com
> 
> 
>  is routed to some.domain (routing for example.com).
> 
> 
> 
> How to send that message to some.second.server?
> 
> 
> I appreciate Your support.
> 
> 
> With kind regards
> 
> Zalezny


Looks as if you're mixing regular expressions with indexed lookups
in your transport file.  Don't do that.

Use a regexp: or pcre: transport map type, and write all the entries
as regular expressions.

# main.cf
transport_maps = regexp:/etc/postfix/transport.regexp

# transport.regexp
# in regexp maps, first match wins
/^testmail-.*@example\.com$/   relay:some.second.server
/^testmail@example\.com$/  relay:some.server.relay
/@example\.com$/   relay:some.domain


Alternately, you can use both a regexp: and a hash: map.  This may
be more convenient if you have a large number of transport entries.
# main.cf
transport_maps = regexp:/etc/postfix/transport.regexp
    hash:/etc/postfix/transport

http://www.postfix.org/postconf.5.html#transport_maps
http://www.postfix.org/regexp_table.5.html
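To see why entry order matters in the answer above, here is an added example (written for this page, not Postfix code) that models the first-match-wins lookup of a regexp: table in Python: it parses the /pattern/flags result syntax of regexp_table(5), including the !/pattern/ negation, the case-insensitive default that the i flag toggles, and $1-style substitution in the result, then looks up a constructed dynamic address in the table from the answer and in a misordered copy of it. It only models the lookup on the full address, not the domain and parent-domain fallbacks an indexed transport table also receives; `postmap -q key regexp:/etc/postfix/transport.regexp` tests the real table.

```python
#!/usr/bin/env python3
"""Added example, not Postfix code: model a regexp_table(5) lookup in Python."""
import re

# One table entry: optional "!" negates, /pattern/ is the regex, flags toggle options.
ENTRY_RE = re.compile(r"^(!?)/((?:\\.|[^/])*)/([imx]*)\s+(\S+)\s*$")


def parse_transport_regexp(text):
    """Parse regexp_table(5) lines into (negate, compiled_regex, result) tuples."""
    table = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse table line: {raw!r}")
        negate, pattern, flagstr, result = m.groups()
        flags = re.IGNORECASE            # matching is case-insensitive by default
        for f in flagstr:                # each flag letter toggles its option
            flags ^= {"i": re.IGNORECASE, "m": re.MULTILINE, "x": re.VERBOSE}[f]
        table.append((negate == "!", re.compile(pattern, flags), result))
    return table


def lookup(table, key):
    """First matching entry wins; None means 'not found' (fall through to the next map)."""
    for negate, rx, result in table:
        m = rx.search(key)
        if negate:
            if m is None:
                return result
            continue
        if m is not None:
            # $1, $2 ... in the result refer to capture groups in the pattern.
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), result)
    return None


# The table from the answer above, as constructed text.
TRANSPORT_REGEXP = r"""
# in regexp maps, first match wins
/^testmail-.*@example\.com$/   relay:some.second.server
/^testmail@example\.com$/  relay:some.server.relay
/@example\.com$/   relay:some.domain
"""

# The same entries with the catch-all first: everything at example.com goes to some.domain.
MISORDERED = r"""
/@example\.com$/   relay:some.domain
/^testmail-.*@example\.com$/   relay:some.second.server
/^testmail@example\.com$/  relay:some.server.relay
"""

if __name__ == "__main__":
    good = parse_transport_regexp(TRANSPORT_REGEXP)
    bad = parse_transport_regexp(MISORDERED)
    for addr in ("testmail-1234567890@example.com",   # constructed dynamic address
                 "testmail@example.com", "Someone@Example.COM", "someone@example.org"):
        print(f"{addr:36s} ordered={lookup(good, addr)}  misordered={lookup(bad, addr)}")
```

A None result is the model's "not found": with the two-map setting from the answer, Postfix would then consult the hash: table, which is what makes the combination of a short regexp table in front of a large indexed one work.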



Feature request: delay smtpd client connection response until queue item is removed

2017-03-28 Thread Maarten Vanraes

Hey,

Normal smtpd client connection handling (after DATA) would be "Queued as 
".


I would like to request a feature where the smtpd response is delayed 
until the mail is completely actually handled (ie: removed from queue) 
(of course not by default).


It would be (for example) only for trusted networks and be configured 
with something like this:

 * smtpd_delay_data_response = yes
 * smtpd_max_delay_data_response = 60 (seconds)
 * some parameters to limit this for specific connections (eg: client 
connections or sender classes or similar)


The smtpd would then reply like this:
 * Timed out while waiting for queue processing(queued as XXX)
 * status = sent (delivered to u...@example.com, queued as XXX)
 * status = bounced .

--
BA NV
IT & Security

Visit us on 22 and 23 March at INFOSECURITY, STORAGE EXPO & TOOLING
EVENT 2017!
Register via http://ba.be/infosec and you will receive your free entry badge.


Re: transport table - and regular expression for dynamic generated e-mails

2017-03-28 Thread Zalezny Niezalezny
Hi

You mean /etc/postfix/transport in main.cf ?


Zalezny

On Tue, Mar 28, 2017 at 10:02 AM, Wolfe, Robert <
robert.wo...@robertwolfe.org> wrote:

> Do you have a transport mapping file set up by any chance?
>
> --
> *From:* Zalezny Niezalezny [mailto:zalezny.niezale...@gmail.com]
> *To:* Postfix users [mailto:postfix-users@postfix.org]
> *Sent:* Tue, 28 Mar 2017 02:59:07 -0500
> *Subject:* transport table - and regular expression for dynamic generated
> e-mails
>
>
> Hi,
>
> I would like to route some dynamically generated E-mails to some server.
>
> My E-mail looks as follows:
>
> Original E-mail: testm...@example.com
>
> I have a problem with routing that E-mail:
> Dynamically generated E-mail: testmail-3995485839...@example.com
> Domain: example.com
>
>
> /etc/postfix/transport file looks as follows:
>
>
> testm...@example.com  relay:some.server.relay
> /^testmail-.*@example\.com/   relay:some.second.server
> example.com   relay:some.domain
>
>
>
> Unfortunately E-mail
>
> testmail-3995485839...@example.com
>
>  is routed to some.domain (routing for example.com).
>
>
>
> How to send that message to some.second.server?
>
>
> I appreciate Your support.
>
>
> With kind regards
>
> Zalezny
>
>