RE: Helo issue
Perfect - a minor tweak and it worked as advertised.

Thanks much Victor!

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
Sent: Monday, August 14, 2017 2:52 PM
To: postfix-users@postfix.org
Subject: Re: Helo issue

On Mon, Aug 14, 2017 at 10:41:05PM +, Kevin Miller wrote:

> smtpd_helo_restrictions = permit_mynetworks
>     reject_non_fqdn_helo_hostname
>     reject_invalid_helo_hostname

This would be a complete solution, but ...

> smtpd_recipient_restrictions = permit_inet_interfaces
>     permit_sasl_authenticated
>     reject_unknown_sender_domain
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     reject_unauth_pipelining
>     reject_invalid_hostname
>     reject_non_fqdn_hostname
>     ...

From the postconf(5) manpage:

    reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
        Reject the request when the HELO or EHLO hostname is not in
        fully-qualified domain or address literal form, as required by
        the RFC. Note: specify "smtpd_helo_required = yes" to fully
        enforce this restriction (without "smtpd_helo_required = yes",
        a client can simply skip reject_non_fqdn_helo_hostname by not
        sending HELO or EHLO). The non_fqdn_reject_code parameter
        specifies the response code for rejected requests (default: 504).

    The legacy "reject_non_fqdn_hostname" is a synonym for the now preferred (less confusing) reject_non_fqdn_helo_hostname.

Remove this from the recipient restrictions, as you already have it in helo restrictions.

--
Viktor.
Re: Helo issue
On Mon, Aug 14, 2017 at 10:41:05PM +, Kevin Miller wrote:

> smtpd_helo_restrictions = permit_mynetworks
>     reject_non_fqdn_helo_hostname
>     reject_invalid_helo_hostname

This would be a complete solution, but ...

> smtpd_recipient_restrictions = permit_inet_interfaces
>     permit_sasl_authenticated
>     reject_unknown_sender_domain
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     reject_unauth_pipelining
>     reject_invalid_hostname
>     reject_non_fqdn_hostname
>     ...

From the postconf(5) manpage:

    reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
        Reject the request when the HELO or EHLO hostname is not in
        fully-qualified domain or address literal form, as required by
        the RFC. Note: specify "smtpd_helo_required = yes" to fully
        enforce this restriction (without "smtpd_helo_required = yes",
        a client can simply skip reject_non_fqdn_helo_hostname by not
        sending HELO or EHLO). The non_fqdn_reject_code parameter
        specifies the response code for rejected requests (default: 504).

    The legacy "reject_non_fqdn_hostname" is a synonym for the now preferred (less confusing) reject_non_fqdn_helo_hostname.

Remove this from the recipient restrictions, as you already have it in helo restrictions.

--
Viktor.
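
The check below is an added example, not part of the thread and not Postfix code: it scans main.cf-style text for HELO checks (current names and the legacy synonyms documented in postconf(5)) listed outside smtpd_helo_restrictions, where a permit_mynetworks in the HELO list no longer exempts a client, and for a missing "smtpd_helo_required = yes". It generalizes the advice above from one restriction to the whole family of HELO checks; the function names and the sample text are assumptions made for illustration.

```python
import re

# HELO checks and their pre-2.3 legacy synonyms, as named in postconf(5).
HELO_CHECKS = {
    "reject_non_fqdn_helo_hostname", "reject_non_fqdn_hostname",
    "reject_invalid_helo_hostname", "reject_invalid_hostname",
    "reject_unknown_helo_hostname", "reject_unknown_hostname",
}

def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}, joining continuation lines."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:      # leading whitespace continues the previous line
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (s.strip() for s in raw.split("=", 1))
            params[name] = value
    return params

def lint_helo(text):
    """List HELO checks placed outside smtpd_helo_restrictions, plus a missing helo_required."""
    params, findings = parse_main_cf(text), []
    for name, value in params.items():
        if name == "smtpd_helo_restrictions" or not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        for item in re.split(r"[,\s]+", value):
            if item in HELO_CHECKS:
                findings.append(f"{name}: {item} is a HELO check; permit_* entries "
                                "in smtpd_helo_restrictions do not exempt clients here")
    if params.get("smtpd_helo_required", "no") != "yes":
        findings.append("smtpd_helo_required is not yes: HELO checks are skipped "
                        "for clients that send no HELO/EHLO")
    return findings

# Constructed sample, trimmed from the configuration quoted in the thread.
SAMPLE = """\
smtpd_helo_restrictions = permit_mynetworks
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_inet_interfaces
    reject_invalid_hostname
    reject_non_fqdn_hostname
"""

if __name__ == "__main__":
    print("\n".join(lint_helo(SAMPLE)))
```
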
Helo issue
We have a vendor that is setting up a web page on an IIS server which will email folks when they purchase an item off of it. I'm not sure what they use for a submission agent - I believe it's something they developed in-house. The technician I'm working with isn't a programmer and doesn't really understand the ins and outs of email and doesn't know if they can change their code or not.

The issue I'm running into is we have reject_non_fqdn_helo_hostname enabled on the mx host they connect to, which returns:

    "504 5.5.2 : Helo command rejected: need fully-qualified hostname;...helo="

I don't want to turn off reject_non_fqdn_helo_hostname but they're not sure if they can change the EHLO name. I'm not sure where it's picking that up from, probably the hostname. Obviously it isn't hard coded into their source code. We can't change the hostname, as the external domain it sends from is different than the internal domain.

If they can't figure out how to set it to a FQDN, is there an easy way to override reject_non_fqdn_helo_hostname for just that one host? I added the smtpd_helo_restrictions stanza this morning but to no avail. The IP address of the sending host is in "mynetworks". It's also in the cbj_client_access file with an "OK".

smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_restrictions = permit_mynetworks
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_inet_interfaces
    permit_sasl_authenticated
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_recipient_domain
    check_sender_access hash:/etc/postfix/cbj_sender_access
    check_client_access hash:/etc/postfix/cbj_client_access
    check_policy_service unix:private/policyd-spf
    permit_dnswl_client list.dnswl.org
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client zen.spamhaus.org
    check_policy_service inet:127.0.0.1:10023
smtpd_client_restrictions = reject_unknown_reverse_client_hostname

Thanks...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357
Re: Why there is no `reject_rbl_sender` restriction?
Hello again,

I discovered the possibility of milters. So I have created a milter that performs the restriction I wanted. If someone would be interested, it is here:

https://github.com/mjiricka/MailFrom_DNSBL_Milter

So far results are as expected – all spam filtered, zero false-positives! :)

Martin
Re: postfix filtering
On 8/14/2017 1:31 PM, soumi...@iitk.ac.in wrote:
> Thanks for the precise reply.
>
>>> 1) Copy all emails containing specific pattern in body to another
>>> email id, but all recipients in that will get the mails as usual.
>>>
>>> 2) Redirect all emails containing specific pattern in body to
>>> another mail relay.
>> Postfix header_checks and/or body_checks can probably do what you
>> want. See the BCC, FILTER, and REDIRECT actions to decide what you
>> need.
>> http://www.postfix.org/header_checks.5.html
>>
>> Be aware that header_checks and body_checks only sees the "raw"
>> email; there is no decoding of HTML or quoted-printable or base64
>> text. For more complete control, use a milter.
>
> Sorry, my question missed that it was the filtering primarily for
> outgoing mails (i.e. smtp_body_check).
> And as per the man page for BCC, FILTER and REDIRECT action "This
> feature is not supported with smtp header/body checks".
> In addition to this, with body_check I can not add more than one email
> id in BCC/REDIRECT. And I can not redirect the "matching pattern
> mail" to another server for further analysis.
>
> This is why I was thinking of external mail filters. Apologies, if I
> am wrong here in reading.
>
> With Regards,
> Soumitri

All mail enters postfix before it exits postfix. Filter your mail as it comes in to postfix with normal header/body checks. Milters and other external filters also generally work during input, not output.

If you need to restrict these rules to "outgoing" mail only, use a separate postfix instance for submission.
http://www.postfix.org/MULTI_INSTANCE_README.html

-- Noel Jones
Re: postfix filtering
Thanks for the precise reply.

>> 1) Copy all emails containing specific pattern in body to another
>> email id, but all recipients in that will get the mails as usual.
>>
>> 2) Redirect all emails containing specific pattern in body to
>> another mail relay.
> Postfix header_checks and/or body_checks can probably do what you
> want. See the BCC, FILTER, and REDIRECT actions to decide what you
> need.
> http://www.postfix.org/header_checks.5.html
>
> Be aware that header_checks and body_checks only sees the "raw"
> email; there is no decoding of HTML or quoted-printable or base64
> text. For more complete control, use a milter.

Sorry, my question missed that it was the filtering primarily for outgoing mails (i.e. smtp_body_check). And as per the man page for BCC, FILTER and REDIRECT action "This feature is not supported with smtp header/body checks". In addition to this, with body_check I can not add more than one email id in BCC/REDIRECT. And I can not redirect the "matching pattern mail" to another server for further analysis.

This is why I was thinking of external mail filters. Apologies, if I am wrong here in reading.

With Regards,
Soumitri
Re: postfix filtering
On 8/14/2017 5:28 AM, soumi...@iitk.ac.in wrote:
> Hello,
>
> In Postfix, I want
>
> 1) Copy all emails containing specific pattern in body to another
> email id, but all recipients in that will get the mails as usual.
>
> 2) Redirect all emails containing specific pattern in body to
> another mail relay.

Postfix header_checks and/or body_checks can probably do what you want. See the BCC, FILTER, and REDIRECT actions to decide what you need.
http://www.postfix.org/header_checks.5.html

Be aware that header_checks and body_checks only sees the "raw" email; there is no decoding of HTML or quoted-printable or base64 text. For more complete control, use a milter.

> I also want to know
>
> 3) The best practices with postfix, any URL will help.

http://www.postfix.org/documentation.html

> 4) Any recent postfix version 3 book in English with .

I'm not aware of any books specifically covering postfix version 3. However, there are good books on postfix version 2 that are still excellent for a beginner. "The Book of Postfix" by Hildebrandt and Koetter is a great place to start if you can find it. "Postfix: The Definitive Guide" by Dent is also good.

Unfortunately for writers, postfix evolves pretty quickly. This makes it impossible to keep a print copy anywhere close to current. The best documentation is the postfix web site, which Wietse spends a great deal of effort keeping current and correct.
http://www.postfix.org/documentation.html

> 5) Best external mail filtering open source software for postfix.

This is a very subjective question. "Best" varies based on your goals and skill level. I like amavisd-new running pre-queue with smtpd_proxy_filter or amavisd-milter, but some people are overwhelmed by the great number of config options.
https://www.ijs.si/software/amavisd/

Good Luck!

-- Noel Jones
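
The caveat above about header_checks and body_checks seeing only the "raw" email, shown as an added example that is not part of the thread: the same keyword is matched line by line against the undecoded body, and then against the decoded text as a milter or content filter could do. The keyword, the message text and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Hypothetical keyword rule, standing in for a body_checks regexp.
PATTERN = re.compile(r"project-falcon", re.IGNORECASE)
# Constructed body: 70 characters of filler so the keyword straddles a wrap point.
TEXT = ("padding " * 9)[:70] + "Project-Falcon budget attached.\n"

def build(cte):
    """Constructed sample message using the given Content-Transfer-Encoding."""
    msg = EmailMessage()
    msg["Subject"] = "notes"
    msg.set_content(TEXT, cte=cte)
    return msg.as_string()

def raw_line_match(raw):
    """Line-by-line match on the undecoded body, the view body_checks has."""
    _headers, _sep, body = raw.partition("\n\n")
    return any(PATTERN.search(line) for line in body.splitlines())

def decoded_match(raw):
    """Decode each text part first, as a milter or content filter can."""
    msg = message_from_string(raw, policy=policy.default)
    return any(PATTERN.search(part.get_content())
               for part in msg.walk()
               if part.get_content_maintype() == "text")

def compare():
    """Map each transfer encoding to (raw match, decoded match)."""
    return {cte: (raw_line_match(build(cte)), decoded_match(build(cte)))
            for cte in ("7bit", "quoted-printable", "base64")}

if __name__ == "__main__":
    for cte, (raw_hit, decoded_hit) in compare().items():
        print(f"{cte:17} raw={raw_hit!s:5} decoded={decoded_hit}")
```

The quoted-printable case misses because the encoder's soft line break falls inside the keyword; the base64 case misses because none of the text is readable before decoding.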
Re: TLS on 587
On Mon, Aug 14, 2017 at 02:53:23PM +0400, Mohammed Khalid Ansari wrote:

> I have configured my postfix to run on 587. When I choose connection type as
> 'STARTTLS' everything is fine but when I choose 'SSL/TLS', the client throws
> error.

That's expected, since port 587 is SMTP with STARTTLS negotiation. SMTP inside TLS is typically on port 465.

http://www.postfix.org/TLS_README.html#server_enable

    TLS is sometimes used in the non-standard "wrapper" mode where a
    server always uses TLS, instead of announcing STARTTLS support and
    waiting for remote SMTP clients to request TLS service. Some clients,
    namely Outlook [Express] prefer the "wrapper" mode. This is true for
    OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01
    Mac on all ports).

    It is strictly discouraged to use this mode from main.cf. If you
    want to support this service, enable a special port in master.cf
    and specify "-o smtpd_tls_wrappermode=yes" (note: no space around
    the "=") as an smtpd(8) command line option. Port 465 (smtps) was
    once chosen for this feature.

The sample master.cf file distributed with Postfix source code contains:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Just remove the "#" comment characters, and if necessary add appropriate settings for the "mua_..." parameters to main.cf.

Note that there are some in the IETF who are trying to promote and standardize port 465 for email submission:

https://tools.ietf.org/html/draft-ietf-uta-email-deep-08#section-3

While this may end up in a final published RFC, it probably won't have much of an impact on the deployed base of submission servers for quite some time.

> I can configure 'STARTTLS' in outlook and proceed but on my cell phone I
> don't have don't option and hence not able to connect.

IIRC mobile phones that do email and the like do support STARTTLS, your problem may be with the phone not accepting the server certificate. Post the logs from your server associated with connections from your phone.

--
Viktor.
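
Why a client set to 'SSL/TLS' fails against a STARTTLS port, as an added example that is not part of the thread: a TLS client handshake is run in memory and fed the cleartext greeting a port-587 service sends first. The hostname, the greeting and the function names are constructed for illustration; no network connection is made.

```python
import ssl

# Constructed greeting: what a STARTTLS service on port 587 sends first, in cleartext.
BANNER_587 = b"220 mail.example.com ESMTP Postfix\r\n"

def implicit_tls_client_reaction(server_first_bytes):
    """Run a TLS client handshake in memory against the server's first bytes."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.create_default_context()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="mail.example.com")
    try:
        tls.do_handshake()                 # emits the ClientHello, then needs a reply
    except ssl.SSLWantReadError:
        pass
    client_hello = outgoing.read()
    incoming.write(server_first_bytes)
    try:
        tls.do_handshake()
        outcome = "handshake-complete"
    except ssl.SSLWantReadError:
        outcome = "waiting-for-more-tls-data"
    except ssl.SSLError as exc:            # the greeting is not a TLS record
        outcome = f"handshake-failed: {exc.reason}"
    return client_hello, outcome

def first_bytes_kind(data):
    """Classify the first bytes one side sends on a mail port."""
    if data[:2] == b"\x16\x03":
        return "tls-record"                # TLS handshake record, as used in wrapper mode
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "smtp-reply"                # cleartext; TLS starts only after STARTTLS
    return "unknown"

if __name__ == "__main__":
    hello, outcome = implicit_tls_client_reaction(BANNER_587)
    print("client sent:", first_bytes_kind(hello))
    print("server sent:", first_bytes_kind(BANNER_587))
    print("client result:", outcome)
```
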
Re: TLS on 587
Dear Mohammed,

On 08/14/17 12:53, Mohammed Khalid Ansari wrote:

> I have configured my postfix to run on 587. When I choose connection type as
> 'STARTTLS' everything is fine but when I choose 'SSL/TLS', the client throws
> error.

Normally, but deprecated, port 465 is used for “direct” SSL/TLS (without STARTTLS) [1]

    465 – This port has been deprecated since RFC 2487, after being
    briefly assigned for secure SMTP in the 1990s. Despite this, it is
    commonly used by mail providers[20][21]

> I can configure 'STARTTLS' in outlook and proceed but on my cell phone I
> don't have don't option and hence not able to connect.

That’s client dependent. Which client do you use? You should contact them.

Kind regards,

Paul

[1] https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
TLS on 587
Dear All,

I have configured my postfix to run on 587. When I choose connection type as 'STARTTLS' everything is fine but when I choose 'SSL/TLS', the client throws error.

I can configure 'STARTTLS' in outlook and proceed but on my cell phone I don't have don't option and hence not able to connect.

Will anyone help me???

Thanks & Regards,
postfix filtering
Hello,

In Postfix, I want

1) Copy all emails containing specific pattern in body to another email id, but all recipients in that will get the mails as usual.

2) Redirect all emails containing specific pattern in body to another mail relay.

I also want to know

3) The best practices with postfix, any URL will help.

4) Any recent postfix version 3 book in English with .

5) Best external mail filtering open source software for postfix.

Thanks for any help.

--
Sincerely
Soumitri Mishra
http://home.iitk.ac.in/~soumitri/