Re: exempting user or domain from one RBL check ?

[/dev/rob0]

On Mon, Aug 07, 2017 at 01:17:54PM +1000, Voytek wrote:
> I have a user's inbound mail blocked by barracudacentral, is
> there a way to exempt this particular user/domain from this
> particular RBL check ?
> 
> or what else can or should I do ?

Share the looging of this rejection and be more specific.  The 
problem is with one specific client, or more?

> this is the only known issue with barracuda I have and,
> otherwise it seems quite effective, I think ?

Yes, but like Spamcop, it's an automated list, so it lists some 
legitimate outbound servers at times.

Large senders often do content filtering on outbound streams, 
directing questionable content to a certain subgroup of their 
outbound farms.  Members of those subgroups tend to be listed by 
Spamcop and BRBL.

I use BRBL in postscreen with 2 points and a threshold of 3.  But I 
had the same problem [I think] you had: intermittent rejections of 
good mail.  So I don't use it with reject_rbl_client now.

> smtpd_recipient_restrictions =
>  reject_unknown_sender_domain,
>  reject_unknown_recipient_domain,
>  reject_non_fqdn_sender,
>  reject_non_fqdn_recipient,
>  reject_unlisted_recipient,
>  check_policy_service inet:127.0.0.1:,

>  permit_mynetworks,
>  check_sasl_access hash:/etc/postfix/sasl_access
>  permit_sasl_authenticated,

You should separate submission from your inbound stream.  If you must 
accept user-submitted mail on port 25, use a different IP address.

>  reject_unauth_destination,
>  check_recipient_access hash:/etc/postfix/recipient_no_checks,
>  check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>  check_helo_access hash:/etc/postfix/helo_checks,
>  check_sender_access hash:/etc/postfix/sender_checks,
>  check_client_access hash:/etc/postfix/client_checks,
>  check_client_access pcre:/etc/postfix/client_checks.pcre,
>  reject_rbl_client zen.spamhaus.org,
>  reject_rbl_client b.barracudacentral.org,
>  reject_rhsbl_client dbl.spamhaus.org,
>  reject_rhsbl_sender dbl.spamhaus.org,

>  reject_rbl_client psbl.surriel.com,
>  reject_rbl_client ix.dnsbl.manitu.net,
>  reject_rbl_client bl.spamcop.net,

I don't know manitu firsthand, so I wouldn't use that restriction.
I *do* know PSBL and Spamcop firsthand, and I definitely wouldn't 
recommend those restrictions.

>  reject_rbl_client cbl.abuseat.org,

Wasted lookup, as this is included in Zen.

>  reject_rhsbl_sender dsn.rfc-ignorant.org,

Ralf discontinued the RFCI lists some years back.

>  check_policy_service inet:127.0.0.1:10031
> 
> 
>  pflogsumm /var/log/maillog.1 | grep block
> blocked using b.barracudacentral.org (total: 482)
> blocked using bl.spamcop.net (total: 40)
> blocked using dbl.spamhaus.org (total: 133)
> blocked using ix.dnsbl.manitu.net (total: 37)
> blocked using psbl.surriel.com (total: 14)
> blocked using zen.spamhaus.org (total: 3438)

-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

exempting user or domain from one RBL check ?

[Voytek]

I have a user's inbound mail blocked by barracudacentral, is there a way
to exempt this particular user/domain from this particular RBL check ?

or what else can or should I do ?

this is the only known issue with barracuda I have and, otherwise it seems
quite effective, I think ?


smtpd_recipient_restrictions =
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
 check_policy_service inet:127.0.0.1:,
 permit_mynetworks,
 check_sasl_access hash:/etc/postfix/sasl_access
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/recipient_no_checks,
 check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
 check_helo_access hash:/etc/postfix/helo_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 check_client_access hash:/etc/postfix/client_checks,
 check_client_access pcre:/etc/postfix/client_checks.pcre,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client b.barracudacentral.org,
 reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 reject_rbl_client psbl.surriel.com,
 reject_rbl_client ix.dnsbl.manitu.net,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client cbl.abuseat.org,
 reject_rhsbl_sender dsn.rfc-ignorant.org,
 check_policy_service inet:127.0.0.1:10031


 pflogsumm /var/log/maillog.1 | grep block
blocked using b.barracudacentral.org (total: 482)
blocked using bl.spamcop.net (total: 40)
blocked using dbl.spamhaus.org (total: 133)
blocked using ix.dnsbl.manitu.net (total: 37)
blocked using psbl.surriel.com (total: 14)
blocked using zen.spamhaus.org (total: 3438)

Re: 451 4.3.5 Server configuration error

[Wietse Venema]

Dino Edwards:
> Hello,
> 
> Having a strange issue with a server. Multiple times a day I get the 
> following errors in mail.log:
> 
> 451 4.3.5 Server configuration error; from= 
> to= proto=ESMTP helo=

The error is logged BEFORE this line.

Wietse

Re: setup for personal computer, no domain, smarthost

[Wietse Venema]

rea...@newsguy.com:
> 
> Wietse wrote:
> > I forgot about authentication.
> >
> > relayhost = [smtp.newsguy.com]:587
> >
> > See http://www.postfix.org/SOHO_README.html for this and other 
> > information of interest.
> 
> That doesn't seem to work yet at least not by itself but could also be
> seriuosly inept pilot error. But before I start posting logs
> and so on, I'm trying to get masquerading to help this work.  But must not
> be understanding the docu well enough 

Indeed. SOHO_README.html has all the info you need to have 
no real domain name and send email with your ISP account.

> This page:
>   http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade
> says in part:

Don't use that page. The masquerade feature is inferior to the
smtp_generic_maps feature described in SOHO_README.html.

Wietse

Re: hostname in aliases.db

[Marat Khalili]

On 05/08/17 21:30, /dev/rob0 wrote:

On Sat, Aug 05, 2017 at 07:58:19PM +0300, Marat Khalili wrote:

That's what I'd like to know to, is this hostname mention even
being used?

I doubt it is, but I am too lazy / busy to test. :)  You could also
consult your Berkeley DB documentation.

I do know that Postfix simply queries it for the localpart in a
localpart@domain, where domain is in $mydestination.  Metadata in
aliases.db is not queried.


Well, I looked it bit more into it and it quickly became exercise in 
software archaeology. That's what I found out:


1) It's not metadata, it's data associated with key 'YP_MASTER_NAME'.

2) It was present in sendmail and used by NIS: 
https://books.google.ru/books?id=NQblqMiVqvQC=PT152=PT152=YP_MASTER_NAME 
.


3) It was added to postfix in 1999 as documented in HISTORY:


19990325

Workaround: Solaris NIS alias maps need special entries
(YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
keys/values include a null byte at the end, but the YP_XXX
ones don't. Problem reported by Walcir Fontanini, state
university of Campinas, Brazil.  File: postalias/postalias.c.


4) Finally, it is currently set in postalias.c but never used indeed.

Final results: no need to change it, but if necessary it can be changed 
with newaliases under chroot (tested this), directly with some Berkeley 
DB tool (since it is just one known key-value pair), or specified in 
makedbm command-line. Also, this problem is not even new: see 
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.nis/nis_movmastserv.htm


Thank you for the help, it was an interesting excursion for me.

--

With Best Regards,
Marat Khalili

451 4.3.5 Server configuration error

[Dino Edwards]

Hello,

Having a strange issue with a server. Multiple times a day I get the following 
errors in mail.log:

451 4.3.5 Server configuration error; from= 
to= proto=ESMTP helo=

I also get the following email in my admin mailbox:

From: Mail Delivery System 
Subject: Postfix SMTP server: errors from localhost[::1]
To: postmas...@domain.tld 

Transcript of session follows.

 Out: 220 server.domain.tld 
 In:  ehlo server.domain.tld
 Out: 250- server.domain.tld
 Out: 250-PIPELINING
 Out: 250-SIZE 52428800
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  mail FROM: size=527
 Out: 250 2.1.0 Ok
 In:  rcpt TO:
 Out: 451 4.3.5 Server configuration error
 In:  rset
 Out: 250 2.0.0 Ok

Session aborted, reason: lost connection

For other details, see the local mail logfile

So, it looks like some process is trying to send email from 
r...@server.domain.tld to root@localhost but I don't know what process it is or 
how to make it stop.

It doesn't seem to affect the server otherwise. Other email flows in and out as 
normal except for these errors.

I would appreciate some insight on where to look to get this resolved.

Thanks

Re: setup for personal computer, no domain, smarthost

[Marat Khalili]

On 06/08/17 05:14, rea...@newsguy.com wrote:

Marat K wrote:

Nothing to do with postfix.

Well that's good news.

When I used sendmail, fetchmail would pass incoming mail to port25 for
sendmail to deliver. I don't know how postfix works but I thought it might be
the same way when used with fetchmail.
Well, AFAIU postfix is only an SMTP server. You'll need something like 
dovecot to actually hold your incoming mail and make it accessible to 
your mail client. Since you already have external IMAP accounts I'm not 
sure this extra local server is necessary, but if you wish try dovecot, 
worked for me. Another thing that worked for me is offlineimap for 
synchronizing contents of IMAP accounts directly, without intermediate 
SMTP server.



Yes, but that didn't help the masquerading part. What I said above was that
the SmartHost wasn't enough without masquerading.
Sorry, can't say anything about masquerading: I don't use it, all my 
hosts have static FQDNs. Since postfix have own notion of hostname that 
can be different from system's, it is possible that you won't need 
masquerading too actually.


--

With Best Regards,
Marat Khalili

Re: DKIM-Signing forwarded email

[Dominic Raferd]

On 5 August 2017 at 17:46, Marco Pizzoli  wrote:

> Hi all,
> I have a postfix instance dedicated to being the main MX (IN).
> I normally use other postfix instances for sending emails out (OUT).
>
> Of course, even this "IN" instance needs to send emails out, mainly
> bounces.
>
> Now I am also implementing forwarding rules: "if you receive an email
> destined to this address, than forward it out to this other email address".
> Other addresses are @gmail.com, @msn.com, etc...
>
> In order to do that "right" I also implemented an SRS service, so to have
> my domain as the envelope sending address.
> Now I also want to enable DKIM-signing of these outgoing emails.
>
> Problem is:
> - SRS (or at least the product I am using, postsrsd) works at the
> "cleanup" level, so after smtpd
> - My DKIM-signing tool is a milter, so acts at smtpd time. So the email it
> sees is with the original sending domain and not my domain.
>
> How can I achieve the intended behaviour?
>

​I am not sure how to achieve this but, even when done, emails will
continue to be rejected by the destination server if it enforces DMARC
(e.g. AOL, Comcast, Hotmail, GMail, Yahoo) and if the domain/sub-domain of
the original sender (in the 'From:' header, unless you rewrite this as
well) has published a DMARC policy with p=reject (e.g. Yahoo, Paypal,
mailing.tesco.com, Lloyds Bank, RBS, HMRC...).