Re: Duplicate spamd lines in Postfix log file
On 30 Jun 2019, at 9:36, dpjanda wrote:

> It sure is, and that's why I posted the original question here. As it
> could, perhaps, be an error on my part how I call it from POSTFIX, so I
> thought I would ask the question here, first.

The us...@spamassassin.apache.org list would be a far better place for it, as this is entirely about spamd, a component of SpamAssassin.

Having written some of the code involved in spamd switching to specific users, I believe that what you're seeing is normal, at least for some configurations. As I am not currently working with any system that uses spamd with per-user configurations, I am hesitant to make a definitive assertion. I am almost certain that you can get a more definitive answer on the right mailing list.

-- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
Re: custom mail forwarder/relay program?
On Mon, Jul 01, 2019 at 04:56:29PM +, Patton, Matthew [Contractor] wrote:

> In effect I need to do; For each message in delivery queue, construct JSON
> payload and use Curl to post to API endpoint, mark message as forwarded.
> Next.

Send it via LMTP to a proxy process that is listening on a unix-domain socket. The proxy needs a bare-bones LMTP implementation, and some code to re-post the message via HTTP and reinterpret HTTP success/fail responses as LMTP responses.

The LMTP proxy is the cleanest way to do this, but will require writing an LMTP server. If you want to just assemble existing code, then fork/exec curl could work, but getting reliable success/fail/temp-fail out of curl is tricky.

-- Viktor.
Re: custom mail forwarder/relay program?
On Mon, Jul 01, 2019 at 03:19:37PM +, Patton, Matthew [Contractor] wrote:

> I need a way for Postfix to listen to SMTP (think smarthost) and then
> re-send all emails via HTTP POST operation. Is the correct way to tackle
> this (aside from telling them to go to hell) a transport definition using
> Pipe(8)? I've never done this before and it doesn't appear to be a very
> common scenario. Otherwise I could write a small Perl program that is
> launched via inetd, that would do the same even though it wouldn't be very
> efficient.

Two key reasons that SMTP servers have queues:

* Multi-recipient messages may require forwarding of a "split-envelope" to multiple domains. This can't be done atomically, so the message is queued and the separate parts are delivered asynchronously.

* Forwarding may be to remote systems that are not always up, but the client may be ephemeral and unable to retry.

If in your case all messages are always shunted to the same destination one-in/one-out, and the destination is sufficiently available, or the client is capable of retries, a non-queueing proxy may well be a better choice than an MTA. It could even be more efficient (if it avoids fork/exec of scripts that involve CPU-intensive parsing the code each time).

The SMTP proxy can return 4XX if the HTTP POST fails. It can run as a threaded or forking server. In Python or Perl, I'd go with a forking server for simplicity. In Haskell, threading is very light-weight and safe/correct concurrency is pain-free, so if you need a lot more performance, Haskell (or Rust) would likely raise your throughput ceiling by an order of magnitude.

-- Viktor.
Re: custom mail forwarder/relay program?
On 7/1/2019 11:56 AM, Patton, Matthew [Contractor] wrote:

>> On 7/1/2019 10:19 AM, Patton, Matthew [Contractor] wrote:
>>> I need a way for Postfix to listen to SMTP (think smarthost) and then
>>> re-send all emails via HTTP POST operation. Is the correct way to tackle
>>> this (aside from
>>
>> Maybe if you explain your base problem in detail someone can help with an
>> alternate solution.
>
> A disturbing number of USA FedGov agencies have contracted with a "digital
> communications provider" (aka marketing campaign site) as their outbound
> email provider where it concerns sending email to the filthy citizens,
> because SMTP is too scary. (I'm not kidding, they've "certified" this
> service as FedRamp approved but AWS Simple Email Service is prohibited).
> This so-called service does not run SMTP listeners, authenticated or
> otherwise. Incredibly the only way to send mail using the platform is an
> API call (HTTP POST) with a JSON payload or via Web browser and forms
> template.

It seems like the best solution is to not fight the system... tell them to use the web form to send their announcements.

> In effect I need to do; For each message in delivery queue, construct JSON
> payload and use Curl to post to API endpoint, mark message as forwarded.
> Next. There will not be any local delivery so I'm guessing I can just
> change the default transport from smtp to Pipe(8)?

Yes, this should work. Pretty much anything that can be reliably scripted can be implemented as a postfix pipe transport. Make sure your script exits with an appropriate sysexits.h code - 0 for success, non-zero for failure - so postfix knows if it worked. See pipe(8) for important details.

> I haven't looked at what's involved in writing a 'native' transport agent
> that Postfix can call directly to process the queue.

Not recommended. The postfix internal plumbing is intentionally undocumented as it may change between versions, possibly without warning.

-- Noel Jones
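Added example (not part of any message in this thread, and not Postfix code): a sketch of the pipe(8) delivery script the replies above describe, showing how HTTP outcomes can be mapped onto sysexits.h exit codes so that the success/temp-fail/fail distinction is explicit. The API URL, the JSON field names and the choice of which HTTP statuses count as retryable are assumptions.

```python
#!/usr/bin/env python3
"""Delivery script for a pipe(8) transport: message on stdin, envelope in argv.

Assumed invocation from master.cf: argv=<this script> ${sender} ${recipient}
"""
import base64
import email
import email.policy
import json
import sys
import urllib.error
import urllib.request

# sysexits.h values
EX_OK = 0            # delivered
EX_USAGE = 64        # called incorrectly
EX_UNAVAILABLE = 69  # permanent failure
EX_TEMPFAIL = 75     # temporary failure, try again later

API_URL = "https://api.example.invalid/v1/send"  # placeholder endpoint (assumption)
RETRYABLE = {408, 425, 429}                      # assumed retryable 4xx statuses


def build_payload(sender, recipients, raw_message):
    """Wrap the envelope and the untouched message in a JSON document (assumed schema)."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    return json.dumps({
        "envelope_from": sender,
        "envelope_to": list(recipients),
        "subject": str(msg.get("Subject", "")),
        "raw_rfc822_b64": base64.b64encode(raw_message).decode("ascii"),
    }).encode("utf-8")


def http_post(url, body, timeout=30):
    """Return the HTTP status code, or None when no HTTP response was obtained."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:    # server answered with 4xx/5xx
        return err.code
    except (urllib.error.URLError, OSError):  # DNS, connect, TLS, timeout
        return None


def exit_code_for_status(status):
    """Translate an HTTP outcome into a sysexits.h code."""
    if status is None or status >= 500 or status in RETRYABLE:
        return EX_TEMPFAIL                    # keep the message queued
    if 200 <= status < 300:
        return EX_OK
    return EX_UNAVAILABLE                     # the API refused this message


def deliver(sender, recipients, raw_message, post=http_post):
    if not recipients or not raw_message:
        return EX_USAGE
    return exit_code_for_status(post(API_URL, build_payload(sender, recipients, raw_message)))


def main(argv):
    if len(argv) < 3:
        return EX_USAGE
    return deliver(argv[1], argv[2:], sys.stdin.buffer.read())


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Treating "no response at all" as temporary keeps mail queued during an API outage instead of bouncing it.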
Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer
> On Jul 1, 2019, at 11:24 AM, Tanstaafl wrote:
>
> On 6/28/2019, 12:52:55 PM, Bill Cole wrote:
>> The solution is to repackage messages as attachments inside entirely new
>> messages, which isn't really forwarding but remailing.
>
> Sounds like 'forward as attachment' to me...

Yes, but the recipient loses message-threading, and does not see the right From: address (which is the unfortunate point of DMARC). So, yes technically a form of forwarding, but basic email "relaying" is increasingly untenable.

-- Viktor.
Re: custom mail forwarder/relay program?
The basics for this are quite simple. I once used this article to get started (found with a google search) http://brianbrunner.com/automation/postfix/email/2013/09/09/postfix.html

-- Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Re: custom mail forwarder/relay program?
Patton, Matthew [Contractor]:
> I need a way for Postfix to listen to SMTP (think smarthost) and
> then re-send all emails via HTTP POST operation. Is the correct
> way to tackle this (aside from telling them to go to hell) a
> transport definition using Pipe(8)? I've never done this before
> and it doesn't appear to be a very common scenario. Otherwise I
> could write a small Perl program that is launched via inetd, that
> would do the same even though it wouldn't be very efficient.

It is unclear why Postfix needs to be involved at all. It sounds like you do not really want to receive this email.

Wietse
RE: custom mail forwarder/relay program?
> On 7/1/2019 10:19 AM, Patton, Matthew [Contractor] wrote:
> > I need a way for Postfix to listen to SMTP (think smarthost) and then
> > re-send all emails via HTTP POST operation. Is the correct way to tackle
> > this (aside from
>
> Maybe if you explain your base problem in detail someone can help with an
> alternate solution.

A disturbing number of USA FedGov agencies have contracted with a "digital communications provider" (aka marketing campaign site) as their outbound email provider where it concerns sending email to the filthy citizens, because SMTP is too scary. (I'm not kidding, they've "certified" this service as FedRamp approved but AWS Simple Email Service is prohibited). This so-called service does not run SMTP listeners, authenticated or otherwise. Incredibly the only way to send mail using the platform is an API call (HTTP POST) with a JSON payload or via Web browser and forms template.

In effect I need to do; For each message in delivery queue, construct JSON payload and use Curl to post to API endpoint, mark message as forwarded. Next. There will not be any local delivery so I'm guessing I can just change the default transport from smtp to Pipe(8)?

I haven't looked at what's involved in writing a 'native' transport agent that Postfix can call directly to process the queue.
Re: custom mail forwarder/relay program?
On 7/1/2019 10:19 AM, Patton, Matthew [Contractor] wrote:

> I need a way for Postfix to listen to SMTP (think smarthost) and then
> re-send all emails via HTTP POST operation. Is the correct way to tackle
> this (aside from telling them to go to hell) a transport definition using
> Pipe(8)? I've never done this before and it doesn't appear to be a very
> common scenario. Otherwise I could write a small Perl program that is
> launched via inetd, that would do the same even though it wouldn't be very
> efficient.

Relaying email via HTTP POST is not really a thing.

Maybe if you explain your base problem in detail someone can help with an alternate solution.

-- Noel Jones
Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer
On 6/28/2019, 12:52:55 PM, Bill Cole wrote:
> The solution is to repackage messages as attachments inside entirely new
> messages, which isn't really forwarding but remailing.

Sounds like 'forward as attachment' to me...
custom mail forwarder/relay program?
I need a way for Postfix to listen to SMTP (think smarthost) and then re-send all emails via HTTP POST operation. Is the correct way to tackle this (aside from telling them to go to hell) a transport definition using Pipe(8)? I've never done this before and it doesn't appear to be a very common scenario. Otherwise I could write a small Perl program that is launched via inetd, that would do the same even though it wouldn't be very efficient.
postfix p0f milter
Hello,

I hope this isn't too off topic, but hopefully someone will have more information on this than I do. I've got a postfix with virtual mail users system going. I'm needing to tighten my antispam setup. I'm wanting to integrate p0f in to my system, and am hoping there's a milter out there that will do it.

My goal is I've got postfix going on port 25 for incoming connections, so I'm wanting the milter to passively scan that port and only if a client makes a successful connection, i.e. is able to deliver mail, p0f kicks off and scans the tcp/ip connection. As an example if it comes from a windows xp machine then a p0f header is placed in to that message with a spam probability value. Further down the line my rspamd looks for that header, finds it, reads the value, and since it's a high number from xp it immediately takes spam actions.

If anyone has this working with a milter for postfix either shell, perl, python, or something similar I'd appreciate knowing it.

Thanks.
Dave.
Re: Mails to gmail bouncing
* Wietse Venema :
> Viktor Dukhovni:
> > > On Jun 21, 2019, at 3:32 AM, Ralf Hildebrandt wrote:
> > >
> > > /^452-4\.2\.2 (The email account that you tried to reach is over quota.*)/ 552 5.2.2 ${1}
> >
> > Just as I expected. Now change that to:
> >
> > /^4(52[- ]4\.2\.2 The email account that you tried to reach is over quota.*)/ 5${1}
> >
> > and don't do it again! :-)
> >
> > Use smtp_delivery_status_filter instead.
>
> (Postfix uses the last 452-4.2.2 from the multiline response)

Thanks!

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Re: Smptd intruder
* John Plate :
> Hi
>
> I introduced "smtpd_reject_unlisted_sender=yes" in main.cf to avoid attempts
> to login to my smtpd.

This doesn't block logins, it merely blocks envelope sender addresses it KNOWS NOT TO exist (mainly stuff from your own domain -- i.e. if you only have the address a@domain.example, nobody can use b@domain.example or c@domain.example as sender)

> This morning it looks like an unknown ip-number succeeded:
>
> Jun 23 07:38:02 lunar postfix/smtpd[14806]: connect from unknown[185.137.111.22]

What you want is
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
or
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

in Postfix lingo it means "block IP addresses with no hostname assigned or the assigned hostname doesn't resolve back to the same IP."

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
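Added example (not part of the message above, and not Postfix code): a check that applies the two tests behind the restrictions named in that reply, so a client address can be examined before a restriction is enabled. The function names and the sample tables are constructed for illustration; temporary DNS failures, which Postfix handles separately, are not modelled.

```python
import ipaddress
import socket


def system_ptr(ip):
    """Address -> name via the system resolver; None when no mapping exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_addrs(name):
    """Name -> set of address strings via the system resolver."""
    try:
        return {info[4][0].split("%")[0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def classify_client(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Report which of the two restrictions would match this client address."""
    client = ipaddress.ip_address(ip)
    result = {
        "client_name": "unknown",
        "reason": None,
        "reject_unknown_reverse_client_hostname": False,
        "reject_unknown_client_hostname": False,
    }
    name = ptr_lookup(ip)
    if not name:
        # No PTR record: both restrictions match.
        result["reason"] = "no address->name mapping"
        result["reject_unknown_reverse_client_hostname"] = True
        result["reject_unknown_client_hostname"] = True
        return result
    forward = set()
    for addr in addr_lookup(name):
        try:
            forward.add(ipaddress.ip_address(addr))
        except ValueError:
            continue
    if client in forward:
        result["client_name"] = name  # forward-confirmed reverse DNS
        return result
    # A PTR exists but the name does not lead back to the client address:
    # only the stricter reject_unknown_client_hostname matches.
    result["reason"] = f"hostname {name} does not resolve to address {ip}"
    result["reject_unknown_client_hostname"] = True
    return result


# Constructed sample data (documentation address ranges, invented names).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.197": "dc1.example.com",
    "192.0.2.50": "other.example.org",
}
SAMPLE_A = {
    "mail.example.net": {"192.0.2.10"},
    "other.example.org": {"198.51.100.7"},
}

if __name__ == "__main__":
    for sample_ip in ("192.0.2.10", "192.0.2.197", "192.0.2.50", "192.0.2.99"):
        print(sample_ip, classify_client(
            sample_ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set())))
```

Called with only an address, `classify_client` uses the system resolver, so results depend on the DNS view of the host it runs on.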
Re: SMTP-Relay/Satelite-Sytem
fanfan1:
> How do I get postfix to "listen" for emails that get sent from
> "use...@t-online.com" and then relay them twice (destination & the
> archive mailbox)?

To copy one sender's email:

/etc/postfix/main.cf
    sender_bcc_maps = inline:{ {use...@t-online.com = other@example} }
    ...

Wietse
SMTP-Relay/Satelite-Sytem
Hi,

I'm quite new to postfix and have a question about a scenario I would like to achieve. I would like to accomplish the following:

1. User A has an email account like use...@t-online.com at a standard E-Mail Provider
   1. He is either not able or willing to setup/use exchange or some other mail server to accomplish the given scenario!
   2. He is not able or willing to use some "Auto-BCC" Function (which Outlook only gets through a Plugin) because of mobile use with smartphone/tablet or E-Mail programs that don't offer this function!
2. All (outgoing) E-Mail is sent to 1. This means using E-Mail clients like Outlook, Thunderbird and smartphones
3. The postfix server should then relay that message to the SMTP-Server from the Provider where User A has his E-Mail Account.
4. _*AND*_ as well as relaying the E-Mail to get sent to its original destination it should also be resent to a second destination for archiving (let's say user-a-arch...@t-online.com)

I found countless tutorials on how to setup postfix as a relay but they all intend to send their mail from the server directly. In my case it has to be sent from pc/mobile via standard E-Mail client to postfix and from there to its destination & the archive mailbox.

How do I get postfix to "listen" for emails that get sent from "use...@t-online.com" and then relay them twice (destination & the archive mailbox)?

Can anyone help me with this setup or has some more information on how to get it going?

regards
Luke

---
This e-mail has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Re: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197
I'm making an assumption, here. You know how dangerous assumptions are. My assumption is that you're running an exchange server. You need to modify the helo/ehlo response.

https://social.technet.microsoft.com/Forums/azure/en-US/4dde9b79-18e4-407f-8edc-896e6c40eb25/need-to-modify-server-response-to-ehlo-helo?forum=exchangesvradmin

Cheers,
Curtis

On 7/1/19 1:24 AM, subscription1 wrote:

I'd appreciate your help with the following: I'm looking after two servers on 2 different domains. During testing I found the following issue.

On the sending server I get the following

Jul 1 14:18:24 mail postfix/smtp[2135]: 9172F5FA8D: host mail1..com[xxx.xxx.231.229] said: 450 4.7.25 Client host rejected: cannot find your hostname, [xxx.xxx.73.197] (in reply to RCPT TO command)

On the receiving server I get:

Jul 1 06:18:21 mail1 postfix/postscreen[19345]: CONNECT from [xxx.xxx.73.197]:44014 to [xxx.xxx.231.229]:25
Jul 1 06:18:21 mail1 postfix/postscreen[19345]: PASS OLD [xxx.xxx.73.197]:44014
Jul 1 06:18:21 mail1 postfix/smtpd[19348]: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197: Name or service not known
Jul 1 06:18:21 mail1 postfix/smtpd[19348]: connect from unknown[xxx.xxx.73.197]
Jul 1 06:18:24 mail1 postfix/smtpd[19348]: NOQUEUE: reject: RCPT from unknown[xxx.xxx.73.197]: 450 4.7.25 Client host rejected: cannot find your hostname, [150.107.73.197]; from= to= proto=ESMTP helo=

I can ping 'mail.xxx.net' on this server ok.

Sending Server postconf -n output alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no compatibility_level = 2 delay_warning_time = 4h inet_interfaces = 127.0.0.1, ::1, xxx.xxx.73.197 inet_protocols = all local_recipient_maps = $virtual_mailbox_maps mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 message_size_limit = 52428800 milter_default_action = accept milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_protocol = 6 mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject mydestination = $myhostname, localhost.$mydomain, localhost mydomain = xxx.net myhostname = mail.xxx.net mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 myorigin = /etc/mailname non_smtpd_milters = inet:localhost:11332 postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access postscreen_blacklist_action = drop postscreen_dnsbl_action = drop postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2 postscreen_dnsbl_threshold = 2 postscreen_greet_action = drop readme_directory = no recipient_delimiter = + relayhost = smtp_dns_support_level = dnssec smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_ciphers = high smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_security_level = dane smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = mail.xxx.net smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname smtpd_data_restrictions = reject_unauth_pipelining smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks 
reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname smtpd_milters = inet:localhost:11332 smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination smtpd_tls_cert_file = /etc/ssl/certs/2803b51614cb032f.crt smtpd_tls_ciphers = high smtpd_tls_key_file = /etc/ssl/private/wildcard.xxx.net.key smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA tls_preempt_cipherlist = yes tls_ssl_options = NO_COMPRESSION virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf virtual_transport = lmtp:unix:private/dovecot-lmtp Sending Server postconf -Mf output --- smtp inet n - y - 1 postscreen -o smtpd_sasl_auth_enable=no smtpd pass -
Re: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197
I think I found the issue. I just found that the reverse DNS entry at the service provider had the dc1.xxx.xom.au entry.

Thanks

On 1/7/19 3:24 pm, subscription1 wrote:

I'd appreciate your help with the following: I'm looking after two servers on 2 different domains. During testing I found the following issue.

On the sending server I get the following

Jul 1 14:18:24 mail postfix/smtp[2135]: 9172F5FA8D: host mail1..com[xxx.xxx.231.229] said: 450 4.7.25 Client host rejected: cannot find your hostname, [xxx.xxx.73.197] (in reply to RCPT TO command)

On the receiving server I get:

Jul 1 06:18:21 mail1 postfix/postscreen[19345]: CONNECT from [xxx.xxx.73.197]:44014 to [xxx.xxx.231.229]:25
Jul 1 06:18:21 mail1 postfix/postscreen[19345]: PASS OLD [xxx.xxx.73.197]:44014
Jul 1 06:18:21 mail1 postfix/smtpd[19348]: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197: Name or service not known
Jul 1 06:18:21 mail1 postfix/smtpd[19348]: connect from unknown[xxx.xxx.73.197]
Jul 1 06:18:24 mail1 postfix/smtpd[19348]: NOQUEUE: reject: RCPT from unknown[xxx.xxx.73.197]: 450 4.7.25 Client host rejected: cannot find your hostname, [150.107.73.197]; from= to= proto=ESMTP helo=

I can ping 'mail.xxx.net' on this server ok.

Sending Server postconf -n output alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no compatibility_level = 2 delay_warning_time = 4h inet_interfaces = 127.0.0.1, ::1, xxx.xxx.73.197 inet_protocols = all local_recipient_maps = $virtual_mailbox_maps mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 message_size_limit = 52428800 milter_default_action = accept milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_protocol = 6 mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject mydestination = $myhostname, localhost.$mydomain, localhost mydomain = xxx.net myhostname = mail.xxx.net mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 myorigin = /etc/mailname non_smtpd_milters = inet:localhost:11332 postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access postscreen_blacklist_action = drop postscreen_dnsbl_action = drop postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2 postscreen_dnsbl_threshold = 2 postscreen_greet_action = drop readme_directory = no recipient_delimiter = + relayhost = smtp_dns_support_level = dnssec smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_ciphers = high smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_security_level = dane smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = mail.xxx.net smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname smtpd_data_restrictions = reject_unauth_pipelining smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks 
reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname smtpd_milters = inet:localhost:11332 smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination smtpd_tls_cert_file = /etc/ssl/certs/2803b51614cb032f.crt smtpd_tls_ciphers = high smtpd_tls_key_file = /etc/ssl/private/wildcard.xxx.net.key smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA tls_preempt_cipherlist = yes tls_ssl_options = NO_COMPRESSION virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf virtual_transport = lmtp:unix:private/dovecot-lmtp Sending Server postconf -Mf output --- smtp inet n - y - 1 postscreen -o smtpd_sasl_auth_enable=no smtpd pass - - y - - smtpd dnsblog unix - - y - 0 dnsblog tlsproxy unix - - y - 0 tlsproxy 9925 inet n - y - -