RE: Relaying to 2 SMTP servers
Or
https://jyotishp.ml/tutorials/postfix/dual-delivery-for-postfix
http://pjrlost.blogspot.com/2012/11/smtp-delivery-to-two-mail-servers-via.html

This one, it's a bit of a search, but the files are still available on the internet.

Greetz,

Louis

> -----Original message-----
> From: sel...@linagora.com [mailto:owner-postfix-us...@postfix.org] On behalf of Simon ELBAZ
> Sent: Wednesday 17 April 2019 16:36
> To: postfix-users@postfix.org
> Subject: Re: Relaying to 2 SMTP servers
>
> Thanks for your reply.
>
> Sorry, I wanted to say using Postfix.
>
> I look for different open source solutions to achieve this.
>
> Regards
>
> Simon
>
> On 17/04/2019 16:33, Phil Stracchino wrote:
> > On 4/17/19 10:03 AM, sel...@linagora.com wrote:
> >> Hi,
> >>
> >> I would like to know if it is possible to deliver a mail to 2 SMTP
> >> servers using OpenSMTPD.
> >
> > Perhaps that's a question you should ask on the OpenSMTPD mailing list.
RE: OpenDKIM not signing
The link of Linode, but transformed into a script for Debian 9.
https://github.com/thctlo/debian-scripts/blob/master/setup-opendkim-postfix.sh

Read it or use it. ( make backups first ).
It's tested on a clean setup, but if you read through the script you see everything that's needed to fix this.

And just a question, the DNS is already updated?

Greetz,

Louis

> -----Original message-----
> From: i...@ntek.lv [mailto:owner-postfix-us...@postfix.org] On behalf of Ntek, SIA Janis
> Sent: Tuesday 9 April 2019 11:19
> To: postfix-users@postfix.org
> Subject: Re: OpenDKIM not signing
>
> Why do use
> > inet:localhost:8891
> Instead of a socket?
> I conf'ed it using this tutorial:
> https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/
>
> smtpd_milters = local:opendkim/opendkim.sock
> non_smtpd_milters = local:opendkim/opendkim.sock
> The sockets are relative path as postfix is chrooted. The absolute path
> is /var/spool/postfix/opendkim/opendkim.sock (Use the relative though!)
>
> Also check the syntax in tables. I was pulling my hair out and it turned
> out my syntax was off. Refer to the tutorial!
> Especially:
> KeyTable /etc/opendkim/KeyTable
> mydomaintld mydomain.tld:201904:/etc/opendkim/keys/mydomain.tld/mydomaintld.private
>
> SigningTable refile:/etc/opendkim/SigningTable
> *@mydomain.tld mydomaintld
>
> ExternalIgnoreList /etc/opendkim/TrustedHosts
> InternalHosts /etc/opendkim/TrustedHosts
>
> What does the log file say?
> search for opendkim
> $ tail -n 500 /var/log/mail.log | grep opendkim # Or wherever your mail log file is located.
>
> Also check online Opendkim testers. There are many of them, try a few.
> Helped me a lot.
> https://www.mail-tester.com/spf-dkim-check
>
> Remember that your DNS TXT records may take an hour to update and should
> be submitted BEFORE you try signing anything. dig is your friend. Check
> that your server and your work PC can read the records.
>
> $ dig TXT 201904._domainkey.mydomain.tld
> Should contain something like:
> ;; ANSWER SECTION:
> 201902._domainkey.mydomain.tld. 21599 IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...
>
> Remember that 201904._domainkey is what you choose it to be when you
> generate the public key you put in DNS TXT records!
>
> Re-read tutorial! Remember that if you think that you don't understand
> something, then the config error is probably because of that. Don't just
> copy paste, think along every step.
>
> On 09.04.19 11:22, Laura Smith wrote:
> > Based on the responses to my previous question about using OpenDKIM
> > (quite what "standards have not changed" has to do with software bugs
> > makes no sense to me !). However, having been told I'm stupid not to
> > continue using software many years old I thought I would suck it up
> > and continue with OpenDKIM.
> >
> > OpenDKIM is not signing my mails.
> >
> > Postfix main.cf is calling as follows:
> > milter_protocol = 6 # I have also tried this with 2
> > milter_default_action = accept
> > smtpd_milters = inet:localhost:8891
> > non_smtpd_milters = inet:localhost:8891
> > milter_mail_macros = i {mail_addr} {daemon_addr} {client_name} {auth_authen}
> >
> > netstat -an shows openDKIM as running and listening on 8891.
> >
> > My opendkim.conf is as follows:
> > BaseDirectory /run/opendkim
> > PidFile /run/opendkim/opendkim.pid
> > UserID opendkim:opendkim
> > Syslog yes
> > SyslogSuccess yes
> > LogWhy yes
> > Canonicalization relaxed/relaxed
> > Socket inet:8891@localhost
> > SendReports no
> > SoftwareHeader no
> > MinimumKeyBits 1024
> > KeyTable /etc/opendkim/KeyTable
> > SigningTable refile:/etc/opendkim/SigningTable
> > InternalHosts refile:/etc/opendkim/TrustedHosts
RE: Postfix With OpenDKIM: milter: SMFIC_EOH
Did someone look at an "old" howto here?
Postfix manual shows clearly.

/etc/postfix/main.cf:
    # Postfix ≥ 2.6
    milter_protocol = 6
    # 2.3 ≤ Postfix ≤ 2.5
    milter_protocol = 2

This works fine on Debian Stretch, if you set milter_protocol = 6

dpkg -l | egrep "postfix|opend[m,k]"
ii  libopendkim11   2.11.0~alpha-10+deb9u1  amd64  Library for signing and verifying DomainKeys Identified Mail signatures
ii  libopendmarc2   1.3.2-2+deb9u1          amd64  Library for DMARC validation and reporting
ii  opendkim        2.11.0~alpha-10+deb9u1  amd64  Milter implementation of DomainKeys Identified Mail
ii  opendkim-tools  2.11.0~alpha-10+deb9u1  amd64  Set of command line tools for OpenDKIM
ii  opendmarc       1.3.2-2+deb9u1          amd64  Milter implementation of DMARC
ii  postfix         3.1.8-0+deb9u1          amd64  High-performance mail transport agent

## Added for OpenDKIM (8892) OpenDMARC (8893)
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892 inet:localhost:8893
non_smtpd_milters = inet:localhost:8892 inet:localhost:8893

> -----Original message-----
> From: postfixlists-070...@billmail.scconsult.com [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole
> Sent: Wednesday 13 February 2019 14:35
> To: Postfix users
> Subject: Re: Postfix With OpenDKIM: milter: SMFIC_EOH
>
> On 13 Feb 2019, at 0:13, Noah Huppert wrote:
>
> > milter_protocol = 2
>
> Why?
>
> It would be shocking if OpenDKIM required that. Any milter requiring it
> should be considered obsolete.
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Available For Hire: https://linkedin.com/in/billcole
RE: multi relay host
All I can think of is:

Set up 3 postfix dual smtp.
Server 1, incoming relay, which delivers on server 2 and 3 with dual smtp.

Server 2 to Vessel A = *@vessel_A.domain.com
Has smtp relay 1 = a ip address:25

Server 3 to Vessel A = *@vessel_A.domain.com
Has Smtp 2 relay as backup with ip address and port 20026

If you put the relay settings in sql, you can share it over all 3 servers.

Should be possible, maybe there are better ways, but I can't think of one.

Greetz

Louis

> -----Original message-----
> From: De Petter Mattheas [mailto:mattheas.depet...@jandenul.com]
> Sent: Tuesday 5 February 2019 9:09
> To: L.P.H. van Belle
> CC: Postfix users
> Subject: RE: multi relay host
>
> Hello and thanks for the suggestion.
>
> The thing is I need this in the transport map, as we have to do this for each sub domain.
>
> Vessel A = *@vessel_A.domain.com
> Has smtp relay 1 = a ip adress:25
> Has Smtp 2 relay as backup with ipadress and port 20026
>
> Vessel b = *@vessel_b.domain.com
> Has smtp relay 1 = a different ip adress:25
> Has Smtp 2 relay as backup with ipadress and port 20026
>
> And so on for 90 different sub adresses.
>
> Any ideas on how to do this?
>
> Kind regards
> De Petter Mattheas
> Technical support engineer - projects team
> IT-Department Jan De Nul Dredging N.V.
> T +32 (0)53 73 95 53
> F +32 (0)53 21 00 31
> www.jandenul.com
>
> -----Original Message-----
> From: L.P.H. van Belle
> Sent: 05 February 2019 08:57
> To: De Petter Mattheas
> Subject: RE: multi relay host
>
> This works for me.
>
> http://pjrlost.blogspot.com/2012/11/smtp-delivery-to-two-mail-servers-via.html
>
> https://gitlab.dls-belgium.eu/tools/smptdd/tree/develop
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: mattheas.depet...@jandenul.com [mailto:owner-postfix-us...@postfix.org] On behalf of De Petter Mattheas
> > Sent: Tuesday 5 February 2019 7:51
> > To: Postfix users
> > Subject: RE: multi relay host
> >
> > Helllo
> >
> > Indeed that's what I meant.
> >
> > We want smtp 1 = a ip adress: 25, the second a ipadress:20026
> >
> > We have to have two routes on the server so we can have a mail relay
> > system.
> >
> > One route should connect to the vpn and deliver mail that way on
> > standard port 25. The second was a ssh with port forwarding, where we
> > give the postfix as smtp route the adress of the ssh server that
> > listen on port 20026.
> > And in that ssh server there was a port forwarding made with the
> > responding smtp server on port 25, so mail could get in.
> >
> > Do any of you know another program or solution that has this
> > functionality?
> >
> > Many thanks
> >
> > Kind regards
> > De Petter Mattheas
> > Technical support engineer - projects team
> > IT-Department Jan De Nul Dredging N.V.
> > T +32 (0)53 73 95 53
> > F +32 (0)53 21 00 31
> > www.jandenul.com
> >
> > -----Original Message-----
> > From: owner-postfix-us...@postfix.org On Behalf Of Wietse Venema
> > Sent: 04 February 2019 16:53
> > To: Postfix users
> > Subject: Re: multi relay host
> >
> > De Petter Mattheas:
> > >
> > > Hello
> > >
> > > Thanks for the feedback.
> > >
> > > Can you still help me with the following?
> > >
> > > We want to have two smtp routes for one subdomain
> > >
> > > For example
> > >
> > > *@eqx.vessel.com = smtp 1: a ip adress 25
> > >                  = smtp 2: a ip adress 20026
> > >
> > > *@bqx.vessel.com = smtp 1: a ip adress 25
> > >                  = smtp 2: a ip adress 20026
> >
> > Ehm. 25 is not an IP address. Did you mean TCP port?
> >
> > Transport maps currently can return only one result. You can use DNS
> > to go from one transport map result to multiple IP addresses, but
> > multiple TCP ports.
> >
> > What you can do is to (also) run an SMTP daemon on port 20026 on the
> > smtp1 host. In Postfix, that means:
> >
> > /etc/postfix/master.cf:
> >     20026 inet ... .. .. .. .. smtpd
> >
> > Wietse
> >
> > Any reaction to this e-mail or any other mail, including any files
> > transmitted therewith to sender's e-mail address(es) shall be dealt
> > with not as private, but as business communication(s) and shall be
> > registered as such.
RE: dnsbl postscreen - not blocking
Hai,

recent.spam.dnsbl.sorbs.net = 127.0.0.6 and you gave it 1 point.
What's the postscreen_dnsbl_threshold set at?
I'll bet that's set higher than 1.

Greetz,

Louis

From: cubew...@googlemail.com [mailto:owner-postfix-us...@postfix.org] On behalf of Stefan Bauer
Sent: Wednesday 19 December 2018 14:01
To: Postfix users
Subject: dnsbl postscreen - not blocking

Hi,

Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from [209.85.166.196]:52168 to [public-ip]:25
Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by domain dnsbl.sorbs.net as 127.0.0.6
Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW [209.85.166.196]:52168
Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from mail-it1-f196.google.com[209.85.166.196]

why did google pass postscreen even though it's listed in one of the RBL?

postscreen_dnsbl_sites =
    zen.spamhaus.org*2
    bl.spamcop.net*1
    b.barracudacentral.org*1
    dnsbl.sorbs.net*1
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce

Am I missing something obvious?

Stefan
FW: RE: Double-Bounce
In order of messages. ( I got 11 messages for 1 postfix list mail ).

I only see these when:
1) someone tries to mail out of my domain name.
2) when I mail the postfix list.

I never figured this out, why this happens at the postfix list.

This is an authentication failure report for an email message received from IP 168.100.1.3 on Fri, 14 Sep 2018 11:11:03 +0200 (CEST).
This is a spf/dkim authentication-failure report for an email message received from IP 2604:8d00:0:1::3 on Fri, 14 Sep 2018 11:10:56 +0200.
This is an authentication failure report for an email message received from IP 168.100.1.3 on Fri, 14 Sep 2018 05:11:04 -0400 (EDT).
This is an authentication failure report for an email message received from IP 168.100.1.3 on Fri, 14 Sep 2018 11:11:19 +0200 (CEST).
This is a spf/dkim authentication-failure report for an email message received from IP 168.100.1.3 on Fri, 14 Sep 2018 11:11:32 +0200.
This is an authentication failure report for an email message received from IP 168.100.1.3 on Fri, 14 Sep 2018 05:11:41 -0400 (EDT).
This is an authentication failure report for an email message received from IP 168.100.1.3 on Fri, 14 Sep 2018 09:11:40 + (UTC).
This is an authentication failure report for an email message received from IP 168.100.1.3 on Fri, 14 Sep 2018 05:11:47 -0400 (EDT).
This is an authentication failure report for an email message received from IP 129.97.167.82 on Fri, 14 Sep 2018 05:11:56 -0400 (EDT).
This is an authentication failure report for an email message received from IP 129.97.167.82 on Fri, 14 Sep 2018 05:11:56 -0400 (EDT).
This is a spf/dkim authentication-failure report for an email message received from IP 2604:8d00:0:1::3 on Fri, 14 Sep 2018 11:10:56 +0200.
This is a spf/dkim authentication-failure report for an email message received from IP 168.100.1.3 on Fri, 14 Sep 2018 11:11:32 +0200.
RE: Double-Bounce
I had similar things. ..
Waiting for the bounce...

Greetz,

Louis

> -----Original message-----
> From: rei...@bbmk.org [mailto:owner-postfix-us...@postfix.org] On behalf of B. Reino
> Sent: Friday 14 September 2018 10:52
> To: postfix-users@postfix.org
> Subject: Re: Double-Bounce
>
> On 2018-09-14 10:36, Dominic Raferd wrote:
>
> > On Fri, 14 Sep 2018 at 07:14, Benny Pedersen wrote:
> >
> >> Benny Pedersen wrote on 2018-09-14 08:08:
> >>> Dominic Raferd wrote on 2018-09-14 07:33:
> On Fri, 14 Sep 2018 at 00:29, Julian Opificius wrote:
> >
> > Why is it that my system marks everything from you as spam, Benny? Is it
> > your tld? I've added you to my address book, but my server keeps
> > spitting you out.
>
> Because the domain that he uses to send emails through this mailing
> list has DMARC p=quarantine setting:
> # dig +short _dmarc.junc.eu TXT
> "v=DMARC1; p=quarantine; rua=mailto:report_...@dmarc.junc.eu; fo=d; adkim=r; aspf=r; sp=none"
> >>>
> >>> postfix maillist is dkim safe, so if it breaks, show the link that
> >>> breaks it, whitelist postfix maillist so it does not go into
> >>> quarantine
> >>>
> >>> can i help more ?
> >>>
> >>> i get dmarc pass back on my post here
> >>
> >> DMARC-Filter: OpenDMARC Filter v1.3.2 linode.junc.eu 2C5B31BE06F
> >> Authentication-Results: linode.junc.eu; dmarc=pass (p=quarantine
> >> dis=none) header.from=junc.eu
> >> Authentication-Results: linode.junc.eu;
> >> dkim=pass (1024-bit key) header.d=junc.eu header.i=@junc.eu
> >> header.b=Aedk3uHj;
> >> dkim-atps=neutral
> >> Received-SPF: none (postfix.org: No applicable sender policy
> >> available)
> >> receiver=localhost.junc.eu; identity=mailfrom;
> >> envelope-from="owner-postfix-us...@postfix.org";
> >> helo=russian-caravan.cloud9.net; client-ip="2604:8d00:0:1::4"
> >
> > Sorry you are right: your emails pass DKIM and also, when going through
> > postfix mailing list (but not all others), pass DKIM alignment, so they
> > pass DMARC. However, when sent through mailing lists, they fail SPF,
> > and (for DMARC) SPF alignment, so servers that make decisions based
> > only on this (which is not the DMARC way) may choose to treat them as
> > spam. Mine don't, but I have seen your emails quarantined (or,
> > previously, blocked) on other mailing lists, hence my original comment.
>
> I think the postfix ML is not so "DKIM safe". In my case, it causes my
> DKIM signature to fail. I have now compared a message sent by me against
> other messages sent e.g. by Benny Pedersen, and concluded that my
> configuration (using rspamd) was signing way too many fields. I have now
> reduced the number of fields and hopefully this message should now come
> back from the postfix ML with a valid DKIM signature.
>
> So in a way this message is just a test, but hopefully also a
> clarification :)
>
> Cheers,
> Bernardo Reino.
RE: 5 messages per second
Yes. I did like this setup.
https://wiki.deimos.fr/Postfix:_limit_outgoing_mail_throttling

And now you have also options per domain.

Greetz,

Louis

From: paul.martin.b...@gmail.com [mailto:owner-postfix-us...@postfix.org] On behalf of Paul Martin
Sent: Wednesday 20 June 2018 16:44
To: postfix-users
Subject: 5 messages per second

Hello

I would like to send 5 messages per second with postfix.
How can I do that with postfix ?

Thanks
Paul
RE: Gmail discard my emails
Have a look.
https://toolbox.googleapps.com/apps/checkmx/check?domain=schweb.com.ar_selector=

schweb.com.ar
There were some critical problems detected with this domain. Mail-flow is probably affected. Please refer to the corresponding help articles to fix these.

Your base setup is ok, you could reduce your SPF record from:
"v=spf1 mx a ptr ip4:24.232.174.73 mx:schweb.com.ar a:schlabs.com.ar a:sys-arquitectura.cl -all"
To
"v=spf1 mx a:sys-arquitectura.cl -all"

You might need to validate your domain. I had the same problem a few years ago.
You need a txt record : google-site-verification=...
Once validated and this added in your domain, no problems anymore.
Ms has similar services.

Greetz,

Louis

> -----Original message-----
> From: l...@schweb.com.ar [mailto:owner-postfix-us...@postfix.org] On behalf of Christian Schmitz
> Sent: Monday 7 May 2018 16:06
> To: postfix-users@postfix.org
> Subject: Re: Gmail discard my emails
>
> > Hi,
> >
> > > 2018-05-07T09:38:23.969642-03:00 schweb postfix/smtp[26859]:
> > > Untrusted TLS connection established to
> > > gmail-smtp-in.l.google.com[64.233.190.27]:25:
> > > TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> > > 2018-05-07T09:38:26.022482-03:00 schweb postfix/smtp[26859]:
> > > 343BF39998: to=<***my_friend***@gmail.com>,
> > > relay=gmail-smtp-in.l.google.com[64.233.190.27]:25, delay=3.8,
> > > delays=0.46/0.03/1.4/1.9, dsn=2.0.0, status=sent (250 2.0.0 OK
> > > 1525696705 b191si705526qkg.318 - gsmtp)
> >
> > Where do you see a discard here?
> >
> > Regards
> > Bjoern
> On Monday 07 May 2018 10:36:41 Bjoern Franke wrote:
> Dear:
> When i do a phone call to my friend i am sure that email is not arrived to
> inbox, and not arrived to spam folders.
> Best Regards
> Christian
>
> --
> Be Free, Be Linux
RE: Postfix & logrotate
You did not get the hint..

The "wrong" thing here is mail.*
Because you're rotating now everything behind the mail.*
so also .1 .1.1 .1.1.1 etc etc, until your server explodes ;-)

You should have this in your postfix logrotate..
Try this.

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
{
    monthly
    missingok
    notifempty
    delaycompress
    compress
    create 640 root adm
    rotate 3650
    size 10M
}

Greetz,

Louis

> -----Original message-----
> From: more...@cerm.unifi.it [mailto:owner-postfix-us...@postfix.org] On behalf of Enrico Morelli
> Sent: Wednesday 28 March 2018 10:54
> To: postfix-users@postfix.org
> Subject: Re: Postfix & logrotate
>
> On Wed, 28 Mar 2018 10:24:49 +0200
> L.P.H. van Belle wrote:
>
> > Hai,
> >
> > Did you remove the mail rotate also from /etc/logrotate.d/rsyslog ?
> >
> > You have these lines in the rsyslog file also.
> > /var/log/mail.info
> > /var/log/mail.warn
> > /var/log/mail.err
> > /var/log/mail.log
> >
> > Your now "double" rotateing your logs. ;-)
> >
> > Greetz,
> >
>
> I removed the mail.* from rsyslog before creating the postfix file.
>
> > louis
> >
> > > -----Original message-----
> > > From: more...@cerm.unifi.it [mailto:owner-postfix-us...@postfix.org] On behalf of Enrico Morelli
> > > Sent: Wednesday 28 March 2018 10:19
> > > To: postfix-us...@cloud9.net
> > > Subject: Postfix & logrotate
> > >
> > > This problem is not strictly related to Postfix, but I'm going crazy
> > > trying to solve it. I've a postfix mail server on Debian 9. I want
> > > maintain the mail log, so I create a posfix file in /etc/logrotate.d
> > > with the following content (this is the latest attempt to find a
> > > solution):
> > >
> > > /var/log/mail.* {
> > >     monthly
> > >     missingok
> > >     notifempty
> > >     delaycompress
> > >     compress
> > >     rotate 3650
> > >     size 10M
> > > }
> > >
> > > Every day I find a lot of empty mail log like the following:
> > > -rw-r--r-- 1 root adm        0 Mar 28 06:25 mail.log.1
> > > -rw-r--r-- 1 root adm 11150441 Mar 28 06:25 mail.log.1.1
> > > -rw-r--r-- 1 root adm        0 Mar 28 06:25 mail.log.1.1.1
> > > -rw-r--r-- 1 root adm 13200643 Mar 25 06:25 mail.log.1.1.1.1
> > > -rw-r--r-- 1 root adm        0 Mar 28 06:25 mail.log.1.1.1.1.1.1
> > > -rw-r--r-- 1 root adm 14921041 Mar 23 06:25 mail.log.1.1.1.1.1.1.1
> > > -rw-r--r-- 1 root adm        0 Mar 28 06:25 mail.log.1.1.1.1.1.1.1.1
> > >
> > > After the weekend the logs seems a tree. Someone can help me to
> > > solve the problem?
> > >
> > > Thanks
> > >
> > > --
> > > Enrico Morelli
> > > System Administrator | Programmer | Web Developer
> > >
> > > CERM - Polo Scientifico
> > > via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
>
> --
> Enrico Morelli
> System Administrator | Programmer | Web Developer
>
> CERM - Polo Scientifico
> via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
RE: Postfix & logrotate
Hai,

Did you remove the mail rotate also from /etc/logrotate.d/rsyslog ?

You have these lines in the rsyslog file also.
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log

You're now "double" rotating your logs. ;-)

Greetz,

louis

> -----Original message-----
> From: more...@cerm.unifi.it [mailto:owner-postfix-us...@postfix.org] On behalf of Enrico Morelli
> Sent: Wednesday 28 March 2018 10:19
> To: postfix-us...@cloud9.net
> Subject: Postfix & logrotate
>
> This problem is not strictly related to Postfix, but I'm going crazy
> trying to solve it. I've a postfix mail server on Debian 9. I want
> maintain the mail log, so I create a posfix file in /etc/logrotate.d
> with the following content (this is the latest attempt to find a
> solution):
>
> /var/log/mail.* {
>     monthly
>     missingok
>     notifempty
>     delaycompress
>     compress
>     rotate 3650
>     size 10M
> }
>
> Every day I find a lot of empty mail log like the following:
> -rw-r--r-- 1 root adm        0 Mar 28 06:25 mail.log.1
> -rw-r--r-- 1 root adm 11150441 Mar 28 06:25 mail.log.1.1
> -rw-r--r-- 1 root adm        0 Mar 28 06:25 mail.log.1.1.1
> -rw-r--r-- 1 root adm 13200643 Mar 25 06:25 mail.log.1.1.1.1
> -rw-r--r-- 1 root adm        0 Mar 28 06:25 mail.log.1.1.1.1.1.1
> -rw-r--r-- 1 root adm 14921041 Mar 23 06:25 mail.log.1.1.1.1.1.1.1
> -rw-r--r-- 1 root adm        0 Mar 28 06:25 mail.log.1.1.1.1.1.1.1.1
>
> After the weekend the logs seems a tree. Someone can help me to solve
> the problem?
>
> Thanks
>
> --
> Enrico Morelli
> System Administrator | Programmer | Web Developer
>
> CERM - Polo Scientifico
> via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
RE: Spammer rejected, but resends every 10 minutes. Any way to prevent this
Or why not use an SPF like this in the dns.

your.domain.tld TXT "v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp=explain.your.domain.tld"
explain.your.domain.tld TXT "SPF error %{i} is not one of %{d}'s designated mail servers."

Now these never reach your server, saving cpu cycles etc.

Greetz,

Louis

> -----Original message-----
> From: postfixlists-070...@billmail.scconsult.com [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole
> Sent: Wednesday 14 March 2018 4:46
> To: Postfix users
> Subject: Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this
>
> On 13 Mar 2018, at 23:35 (-0400), Bill Cole wrote:
>
> > OR: if you don't get any legitimate mail from Hunan, Chongqing, or
> > Hong Kong you can probably safely block 113.240.0.0/12 from talking at
> > all to your SMTP port (or just the /13 to limit it to Hunan.)
>
> OR: Use the Spamhaus ZEN DNSBL, which has the whole /12 listed via its
> PBL component.
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
RE: question about envelop from.
Hello Viktor,

> -----Original message-----
> From: postfix-us...@dukhovni.org [mailto:owner-postfix-us...@postfix.org] On behalf of Viktor Dukhovni
> Sent: Tuesday 13 March 2018 15:27
> To: Postfix users
> Subject: Re: question about envelop from.
>
> > On Mar 13, 2018, at 8:54 AM, L.P.H. van Belle wrote:
> >
> > Feb 7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 : Sender address rejected: Domain not found; from=
> >
> > about this:
> > envelope-from="MAILER-DAEMON@apmcsqa01.poort"
> >
> > Im looking for the correct rfc where its described that the part @apmcsqa01.poort should be @thesendingdomain.tld
> > where thesendingdomain.tld is also a resolvable domain, because not it does not make sence because the now mailer-daemon wil never be accepted because its non resolveable
>
> In addition to not being resolvable, the envelope sender address here is also
> problematic because "MAILER-DAEMON@" should only ever appear in the message
> headers and NEVER as the envelope sender. The correct envelope sender for
> bounces is the empty (or null) sender:
>
>     MAIL FROM:<>
>
> not
>
>     MAIL FROM:
>
> Sure, some domain could in theory have an actual user mailbox named
> "mailer-daemon", but that is most unlikely. It is rather clear that
> the server in question is generating backscatter with a non-empty
> envelope sender address, thus potentially leading to mail loops.
>
> It is good that your server is rejecting this traffic.
>
> Finally, it seems you may be requesting client certificates on port 25,
> (incoming TLS status is "Untrusted" rather than "Anonymous") I wonder
> why...
>
>     http://www.postfix.org/FORWARD_SECRECY_README.html#status
>
> do you have "smtpd_tls_ask_ccert = yes"?
>
> --
> Viktor.

Yes, I've set smtpd_tls_ask_ccert to yes.

I do also have Anonymous messages:
Anonymous TLS connection established from mail187-16.suw11.mandrillapp.com[198.2.187.16]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Hmmm, I now also noticed I don't have Trusted or Verified anymore, this must be a miss on my side after the switch from 2.10 to 3.1 postfix.

I need ssl verification, I'm not running a high volume site and I just enabled DKIM SPF TLSA and DANE for this server.
Any tips on my config?

I'm running this config atm, postfix 3.1.8 (Debian) ( config below )

Best regards,

Louis

### General Defaults
smtpd_banner = $myhostname ESMTP Ready
mail_version = 007
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
mailbox_size_limit = 0
recipient_delimiter = +
empty_address_recipient = MAILER-DAEMON

### Limit the info given to outside servers
show_user_unknown_table_name = no
### no one needs to ask our server who is on it
disable_vrfy_command = yes
# user!domain != user@domain
swap_bangpath = no
# user%domain != user@domain
allow_percent_hack = no

### Tarpit until RCPT TO: to reject the email for nagios compatibility
smtpd_delay_reject = yes

### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2

### Transports and slowdown delivery to per domain are set here also.
transport_maps = hash:/etc/postfix/personal/transport_maps.map

## Transports Tuning outgoing connections ! Esa max concurrent connections (polite)
## see also transport file and master.cf
# Throttle limit policy mail (global)
smtp_destination_concurrency_limit = 5
smtp_extra_recipient_limit = 2
# Polite policy
polite_destination_concurrency_limit = 3
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5
# Turtle policy
turtle_destination_concurrency_limit = 2
turtle_destination_rate_delay = 1s
turtle_destination_recipient_limit = 2
## ###

## 100 Mb size limit
message_size_limit = 10240

# Postfix before 3.0 by default permits non-ASCII content in headers and addresses.
strict_7bit_headers = yes

2bounce_notice_recipient = postmas...@somedomain.tld
2bounce_notice_recipient = postmas...@somedomain.tld
bounce_notice_recipient = postmas...@somedomain.tld
delay_notice_recipient = postmas...@somedomain.tld
error_notice_recipient = postmas...@somedomain.tld
notify_classes = bounce, resource, software

## Being strict to the RFC not only stops unwanted mail,
## it also blocks legitimate mail from poorly-written mail applications.
## default = no
strict_rfc821_envelopes = yes

###
# SASL disabled, it's not used on this server.
broken_sasl_auth_clients = no
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no

# TLS parameters
# Disable SSL compression
tls_ssl_options = NO_COMPRESSION
# cipherlists, defaults are ok.
RE: question about envelop from.
Hai Matus,

Thank you for the reply, most appreciated.

No, but it's a "government" server, so I need to be very sure.. ;-)

Thanks, I was looking in the wrong rfc.

Best regards,

Louis

> -----Original message-----
> From: uh...@fantomas.sk [mailto:owner-postfix-us...@postfix.org] On behalf of Matus UHLAR - fantomas
> Sent: Tuesday 13 March 2018 14:05
> To: postfix-users@postfix.org
> Subject: Re: question about envelop from.
>
> On 13.03.18 13:54, L.P.H. van Belle wrote:
> >Im reading through rfc's but the following is still not clear for me.
> >
> >E-mail is rejected base on the envelop-from adres from a mail-daemon with postfix + postfix-policyd-spf
> >
> >I saw the following in the postfix logs.
> >Feb 7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connection established from smtp1..nl[x.xx.xxx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> >Feb 7 00:00:16 hostname postfix/policy-spf[31766]: Policy action=PREPEND Received-SPF: none (apmcsqa01.poort: No applicable sender policy available) receiver=hostname.domain.nl; identity=mailfrom; envelope-from="MAILER-DAEMON@apmcsqa01.poort"; helo=smtp1..nl; client-ip=x.xx.xxx.xx]
> >Feb 7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 : Sender address rejected: Domain not found; from=
> >
> >about this:
> >envelope-from="MAILER-DAEMON@apmcsqa01.poort"
>
> who and why configured non-existing domain name there?
>
> >Im looking for the correct rfc where its described that the part @apmcsqa01.poort should be @thesendingdomain.tld
>
> RFC 5321, section 2.3.5. Domain Names:
>
>    Only resolvable, fully-qualified domain names (FQDNs) are permitted
>    when domain names are used in SMTP.
>
> >where thesendingdomain.tld is also a resolvable domain, because not it does
> > not make sence because the now mailer-daemon wil never be accepted because
> > its non resolveable
>
> correct. that is the expected behaviour.
> do you expect someone to accept mail from non-existing (invalid) addresses?
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
question about envelop from.
Hai,

I'm reading through rfc's but the following is still not clear for me.

E-mail is rejected based on the envelope-from address from a mail-daemon with postfix + postfix-policyd-spf

I saw the following in the postfix logs.
Feb 7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connection established from smtp1..nl[x.xx.xxx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 7 00:00:16 hostname postfix/policy-spf[31766]: Policy action=PREPEND Received-SPF: none (apmcsqa01.poort: No applicable sender policy available) receiver=hostname.domain.nl; identity=mailfrom; envelope-from="MAILER-DAEMON@apmcsqa01.poort"; helo=smtp1..nl; client-ip=x.xx.xxx.xx]
Feb 7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8: Sender address rejected: Domain not found; from=

about this:
envelope-from="MAILER-DAEMON@apmcsqa01.poort"

I'm looking for the correct rfc where it's described that the part @apmcsqa01.poort should be @thesendingdomain.tld
where thesendingdomain.tld is also a resolvable domain, because now it does not make sense, because the mailer-daemon will never be accepted because it's non resolvable.

If someone can point me to the correct rfc ( and chapter ), that would be great.

Thanks!

Louis
RE: manitu.net RBL, opinions? Re: postwhite? (why not?)
I use this list for postscreen, big list. Use with care, this one is customized for my needs.
Why two cidr's in the access list: the first is manually maintained. The second cidr and Spamhaus DROP are auto-updated by script.

Greetz,

Louis

postscreen_greet_banner = $myhostname, checking blacklists, please wait.
postscreen_greet_action = drop
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_access_list =
    permit_mynetworks,
    # personal white/black list.
    cidr:/etc/postfix/personal/postscreen_access_list.cidr,
    # faulty rdns record list, like hosters with dynamic ips.
    pcre:/etc/postfix/personal/postscreen_access_list-reject.fqrdns.pcre
    # Spamhaus DROP List
    cidr:/etc/postfix/personal/postscreen_access_list-drop.spamhaus-lasso.cidr
postscreen_whitelist_interfaces = $mynetworks, static:all
postscreen_blacklist_action = drop
# customized reply.
postscreen_dnsbl_reply_map = pcre:/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl = 2h
postscreen_dnsbl_threshold = 4
postscreen_dnsbl_sites =
    zen.spamhaus.org*4
    b.barracudacentral.org*4
    bad.psky.me*4
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    cbl.anti-spam.org.cn=127.0.8.2*2
    dnsbl.kempt.net*1
    dnsbl.inps.de*2
    bl.spamcop.net*2
    srn.surgate.net=127.0.0.2
    spam.dnsbl.sorbs.net*1
    rbl.rbldns.ru*2
    psbl.surriel.com*2
    bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    bl.suomispam.net*2
    bl.blocklist.de*2
    ix.dnsbl.manitu.net*2
    dnsbl-2.uceprotect.net
    dnsbl.justspam.org=127.0.0.2*2
    all.s5h.net=127.0.0.2*2
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    rbl.abuse.ro=127.0.0.[2;4]*2
    dnsbl.spfbl.net=127.0.0.[2;4]*2
    # No RDNS
    dnsbl.spfbl.net=127.0.0.3*1
    hostkarma.junkemailfilter.com=127.0.0.3*1
    # whitelists
    swl.spamhaus.org*-6
    dnswl.spfbl.net=127.0.0.[2;3;4]*-3
    list.dnswl.org=127.0.[0..255].[2;3]*-4
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    nobl.junkemailfilter.com=127.0.0.5*-4
#

> -Original message- > From: postfixlists-070...@billmail.scconsult.com > [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole > Sent: Tuesday 6 March 2018 15:44 > To: Postfix users > Subject: Re: manitu.net RBL, opinions? Re: postwhite? (why not?) > > On 6 Mar 2018, at 1:26, MRob wrote: > > > On 2018-03-05 18:05, Bill Cole wrote: > >>> Would you mind sharing which RBLs you recommend to use in > >>> postscreen? > >> > >> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2 > >> zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2 > >> zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2 > >> psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1 > > > > I just learned of manitu.net RBL is it helpful? > > Obviously I find it so... > > > Bill you don't use things like barracuda.net, spamcop, > whatever that > > monkey one is, mailspike. > > Not in postscreen (for the reasons previously cited) nor in > smtpd. I do > use the DNSBLs that SpamAssassin supports by default, but with score > adjustments. > > > Is manitu a good replacement for all those? > > No. It IS a good source of spam sources targeting primarily but not > exclusively European mailboxes, many of which show up on the > manitu list > (a.k.a. "NiX Spam") hours before they appear in Zen. > > -- > Bill Cole > b...@scconsult.com or billc...@apache.org > (AKA @grumpybozo and many *@billmail.scconsult.com addresses) > Currently Seeking Steady Work: https://linkedin.com/in/billcole > >
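Added example (not part of the thread and not Postfix code): a small offline model of how a weighted postscreen_dnsbl_sites list like the one above adds up against postscreen_dnsbl_threshold. It assumes that each entry whose filter matches one of the list's replies contributes its weight once; the DNSBL replies are constructed, and the function names are hypothetical.

```python
import re

# Subset of the postscreen_dnsbl_sites value quoted in the message above.
DNSBL_SITES = """
zen.spamhaus.org*4
bl.spamcop.net*2
ix.dnsbl.manitu.net*2
rep.mailspike.net=127.0.0.[13;14]*1
dnsbl-2.uceprotect.net
hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
hostkarma.junkemailfilter.com=127.0.0.3*1
list.dnswl.org=127.0.[0..255].[2;3]*-4
rep.mailspike.net=127.0.0.[17;18]*-1
hostkarma.junkemailfilter.com=127.0.0.1*-4
"""
THRESHOLD = 4  # postscreen_dnsbl_threshold from the same message

# domain[=filter][*weight]; the weight defaults to 1 when omitted.
ENTRY = re.compile(
    r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$"
)


def parse_sites(text):
    """Return a list of (domain, filter_or_None, weight) tuples."""
    sites = []
    for token in text.split():
        m = ENTRY.match(token)
        if not m:
            raise ValueError(f"cannot parse entry: {token!r}")
        sites.append((m["domain"], m["filter"], int(m["weight"] or 1)))
    return sites


def octet_matches(pattern, value):
    """pattern is a plain number or a bracket list such as [2;4] or [0..255]."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        low, _, high = part.partition("..")
        if int(low) <= value <= int(high or low):
            return True
    return False


def reply_matches(filter_, address):
    """True when a DNSBL A-record reply satisfies the entry's filter."""
    if filter_ is None:          # no filter: any reply counts
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", filter_)
    octets = [int(o) for o in address.split(".")]
    return len(patterns) == 4 and all(
        octet_matches(p, o) for p, o in zip(patterns, octets)
    )


def score(sites, replies):
    """Sum the weights of all entries matched by the replies.

    replies maps a DNSBL domain to the A records it returned for the client.
    """
    total, hits = 0, []
    for domain, filter_, weight in sites:
        if any(reply_matches(filter_, a) for a in replies.get(domain, [])):
            total += weight
            hits.append((domain, filter_, weight))
    return total, hits


def over_threshold(total, threshold=THRESHOLD):
    return total >= threshold


if __name__ == "__main__":
    sites = parse_sites(DNSBL_SITES)
    # Constructed replies for three imaginary clients.
    cases = {
        "two blacklists": {"ix.dnsbl.manitu.net": ["127.0.0.2"],
                           "bl.spamcop.net": ["127.0.0.2"]},
        "same, but whitelisted": {"ix.dnsbl.manitu.net": ["127.0.0.2"],
                                  "bl.spamcop.net": ["127.0.0.2"],
                                  "list.dnswl.org": ["127.0.5.2"]},
        "reputation codes": {"rep.mailspike.net": ["127.0.0.18"],
                             "hostkarma.junkemailfilter.com": ["127.0.0.3"]},
    }
    for name, replies in cases.items():
        total, hits = score(sites, replies)
        print(f"{name}: score={total} over_threshold={over_threshold(total)}")
```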
RE: Calendar & Contacts
Hai, Kopano with nextcloud, z-push and webapp with files plugin rules here. Very good combo, bit harder to set up, but very compatible with lots of different devices. Greetz, Louis > -Original message- > From: li...@merit.unu.edu > [mailto:owner-postfix-us...@postfix.org] On behalf of mj > Sent: Wednesday 27 December 2017 10:54 > To: postfix-users@postfix.org > Subject: Re: Calendar & Contacts > > We're very happy with sogo. (https://sogo.nu/) > > MJ > > On 12/27/2017 08:40 AM, Philip Paeps wrote: > > On 2017-12-27 13:08:44 (+1030), Mal wrote: > >> Interested to hear from those running a Postfix(MTA)/Dovecot(IMAP) > >> combo on what contacts & calendar server projects they are having > >> success with. > > > > I run Nextcloud. > > > > It's implemented in PHP (of all things) so you definitely > want to lock > > it up in a jail. It stores its data in a PostgreSQL database (or > > possibly other kinds of databases -- I haven't looked). > > > > If you're on FreeBSD, you can install it in a fresh jail with `pkg > > install nextcloud`. The documentation is fairly comprehensive. > > > > Philip > > > >
RE: Question regarding use of amavisd-new
No, I know it runs fine, after about 2-3 million emails processed, I know .. Really.. And no, I did not ignore him, but I want mailscanner and I want postfix and not exim. Did you even try it and test it? And if so, what did you encounter?? I only found 1 thing and that's fixed. Something with long queue id-s and releasing to MS Exchange servers, these did not arrive. But again that's fixed now. Greetz, Louis > -Original message- > From: john-post...@peachfamily.net > [mailto:owner-postfix-us...@postfix.org] On behalf of John Peach > Sent: Wednesday 13 December 2017 16:56 > To: L.P.H. van Belle; Postfix users > Subject: Re: Question regarding use of amavisd-new > > On 12/13/2017 10:52 AM, L.P.H. van Belle wrote: > > Hai, > > > > > > mailscanner runs fine here for about 5-6 years now, with postfix. > > Mailscanner + postfix (postscreen) rules here :-) > > You *think* it's been running fine. When the author of postfix > specifically warns against using it, it would be foolhardy to > ignore him. > > > > > But if you want a quicky to test. > > https://efa-project.org/ = Mailscanner + mailwatch +... > Lots of extra's. > > > > > > Greetz, > > > > Louis > > > > > > > >> -Original message- > >> From: postfixlists-070...@billmail.scconsult.com > >> [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole > >> Sent: Wednesday 13 December 2017 16:46 > >> To: Postfix users > >> Subject: Re: Question regarding use of amavisd-new > >> > >> On 13 Dec 2017, at 4:45 (-0500), Maarten wrote: > >> > >>> According to their documentation using MailScanner with > >> postfix works > >>> too. > >>> > >>> https://www.mailscanner.info/postfix/ > >> > >> Yes, and there's a link at the bottom of that page to the > postfix.org > >> add-on page which specifically warns against MailScanner. > >> > >>> What would be the advantage to switching to something like > >>> amavisd-new? 
> >> > >> The advantage to something that uses the SMTP Proxy > interface or the > >> Milter interface is that you can trust that it won't be > >> broken without > >> warning or documentation in a future Postfix release. > Apart from the > >> risk that it relies on Postfix not changing queue structures and > >> behaviors which are explicitly unsupported and subject to change, > >> MailScanner works directly with the Postfix queue in a way > >> that Wietse > >> has been saying for years is already not safe. I haven't > analyzed the > >> Postfix queue-handling code (life is too short...) but I trust his > >> judgment of safety in working with the Postfix queue over > >> that of anyone > >> who didn't write that code. The MailScanner argument > >> (essentially that > >> what they do doesn't break enough to notice) is entirely > unpersuasive. > >> > >> -- > >> Bill Cole > >> b...@scconsult.com or billc...@apache.org > >> (AKA @grumpybozo and many *@billmail.scconsult.com addresses) > >> Currently Seeking Steady Work: https://linkedin.com/in/billcole > >> > >> > > > > > > > -- > John > PGP Public Key: 412934AC > >
RE: Question regarding use of amavisd-new
Hai, mailscanner runs fine here for about 5-6 years now, with postfix. Mailscanner + postfix (postscreen) rules here :-) But if you want a quicky to test. https://efa-project.org/ = Mailscanner + mailwatch +... Lots of extras. Greetz, Louis > -Original message- > From: postfixlists-070...@billmail.scconsult.com > [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole > Sent: Wednesday 13 December 2017 16:46 > To: Postfix users > Subject: Re: Question regarding use of amavisd-new > > On 13 Dec 2017, at 4:45 (-0500), Maarten wrote: > > > According to their documentation using MailScanner with > postfix works > > too. > > > > https://www.mailscanner.info/postfix/ > > Yes, and there's a link at the bottom of that page to the postfix.org > add-on page which specifically warns against MailScanner. > > > What would be the advantage to switching to something like > > amavisd-new? > > The advantage to something that uses the SMTP Proxy interface or the > Milter interface is that you can trust that it won't be > broken without > warning or documentation in a future Postfix release. Apart from the > risk that it relies on Postfix not changing queue structures and > behaviors which are explicitly unsupported and subject to change, > MailScanner works directly with the Postfix queue in a way > that Wietse > has been saying for years is already not safe. I haven't analyzed the > Postfix queue-handling code (life is too short...) but I trust his > judgment of safety in working with the Postfix queue over > that of anyone > who didn't write that code. The MailScanner argument > (essentially that > what they do doesn't break enough to notice) is entirely unpersuasive. > > -- > Bill Cole > b...@scconsult.com or billc...@apache.org > (AKA @grumpybozo and many *@billmail.scconsult.com addresses) > Currently Seeking Steady Work: https://linkedin.com/in/billcole > >
RE: Jessie - Stretch to jump on Postfix 3.x
For me it was a good and easy upgrade from jessie to stretch.
Things I needed to change/run were these:

# for postfix
postconf compatibility_level=2 && postfix reload

# for ntp
sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery/restrict -4 default kod notrap nomodify nopeer noquery limited/g' /etc/ntp.conf
sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery/restrict -6 default kod notrap nomodify nopeer noquery limited/g' /etc/ntp.conf

And I did not like all the language messages with apt update in my logs (own repo):

if [ ! -e /etc/apt/apt.conf.d/99disable-translations ]; then
    echo "Adding disable translations for apt"
    echo "Acquire::Languages \"none\";" > /etc/apt/apt.conf.d/99disable-translations
else
    echo "No modication needed (apt disable-translations)"
fi

But that's about it.
Good luck in upgrading, and this was for me, for you it may be different, that depends on the packages used.

Greetz,

Louis

From: mauri...@caloro.ch [mailto:owner-postfix-us...@postfix.org] On behalf of Maurizio Caloro
Sent: Tuesday 17 October 2017 10:40
To: 'Postfix Users'
Subject: Jessie - Stretch to jump on Postfix 3.x

Hello Together

I'm running with Debian Jessie 8.9, I play with the idea upgrade the system 8.9 -> Stretch. Please existing here any complication, or/after the upgrade I need to reconfigure the whole mailserver? I see that Stretch are armed with Postfix 3.x

I know this are not a specific Postfix question, but I am interested to hear your experiences!

Regards
Mauri
RE: Trace spam activity on mail server
Maybe it's handy to tell us the real domain name and IP involved in this problem?
RE: Trace spam activity on mail server
As far as I can see, your web site is the target, not your mail server. I personally use: http://multirbl.valli.org/lookup/netlite.it.html About the same as mx toolbox, but I did notice that the list of multirbl is much shorter when the domain name is used. If I check with this hostname: mail.netlite.it (212.29.157.98) http://multirbl.valli.org/lookup/212.29.157.98.html DNSBL Blacklist Test Summary Ip based: 231 of 231 tests done. Domain base: 49 of 49 tests done. Result, not listed anywhere. You are running with out of date wordpress plugins. Checked a few. That's asking for problems. Check your webserver logs for strange/out of the order things. If you don't use mod security, get it, learn it, install it and stop the wordpress abuse. Greetz, Louis > -Original message- > From: dovecot_...@hotmail.com > [mailto:owner-postfix-us...@postfix.org] On behalf of Michael Segel > Sent: Tuesday 2 May 2017 16:02 > To: Kevin A. McGrail > CC: li...@lazygranch.com; Matteo Cazzador; postfix users > Subject: Re: Trace spam activity on mail server > > Just to follow up… > I ran the check on his domain: > https://mxtoolbox.com/domain/netlite.it/ > > Pretty clean, maybe a few things to fix, but he’s not on any > black list. > > I don’t know when he set up his domain, it could be that > Trend Micro blocked the IP block due to a previous tenant and > never took them off. > > Truthfully, I don’t use much more than Spamhaus these days. > in terms of RBLs. > > He’s not running an open relay and if there was a spammer on > his network, Spamhaus would have caught it too. Or someone else. > > Its not Matteo’s server and I suspect its Trend Micro. > > HTH > > -Mike > > > On May 2, 2017, at 8:56 AM, Kevin A. McGrail >wrote: > > > > On 5/2/2017 9:51 AM, Michael Segel wrote: > >> You can run a check on your MX Server… there are a couple > of web sites that do this… and I think one or two will > identify the RBLs that include you. 
> > One trick I use a lot when I have an infected machine on a > network or a customer with a problem is that I setup a > smarthost running a milter that runs the email through a spam > checker, logs the answer and then tempfails the emails. > > > > Then I can analyze if there is an issue and do a silent > discard by subject or internal IP if we find a compromised > machine while letting everything else go through. > > > > Regards, > > KAM > >
RE: Optimising new system and postscreen questions
And if you are running Debian you can set the min-cache-ttl..
That bind is patched with: https://anonscm.debian.org/cgit/users/lamont/bind9.git/commit/?h=patches=84fa402750fab5cd887d357501e2896494ac551f

So you can set these if needed.

min-cache-ttl 90;
min-ncache-ttl 90;

Greetz,

Louis

> -Original message- > From: si...@simonandkate.net > [mailto:owner-postfix-us...@postfix.org] On behalf of Simon Wilson > Sent: Monday 1 May 2017 11:20 > To: Marco Pizzoli > CC: Postfix users > Subject: Re: Optimising new system and postscreen questions > > - Message from Marco Pizzoli- > Date: Mon, 1 May 2017 11:18:30 +0200 > From: Marco Pizzoli > Subject: Re: Optimising new system and postscreen questions > To: si...@simonandkate.net > Cc: Postfix users > > > > Hello Simon, > > > > The server runs local caching DNS BIND, so it's as quick as > I can get > > it on > >> the slow Internet connection we are on. > >> > > > > I don't qualify mysef expert enough to answer the rest of > your points, > > but for the DNS part I suggest you think about replacing BIND with > > Unbound, as the DNS resolver. It has a property called min_ttl that > > permits you to impose a minimum amount of TTL to the > entries reported. > > DNSBL have always real low TTL values, on purpose. If you > are fne with > > relaxing this real-timeness, well by setting a value of i.e. 60/90 > > seconds it will permit you to reduce the network dependency. > > > > Worth a try. > > Marco > > Thanks Marco, I'll investigate that. :) > > Simon > > -- > Simon Wilson > M: 0400 12 11 16 > >
RE: Postfix cannot start tls: handshake failure
Sorry about that, I was thinking you were talking about the remote connecting to you.
So, it's you to remote (so the smtp_tls settings).
I also did the setup for the client myself, but that's more about how official you need to have some things.
It's about the same; for the client setup I'm using:

# TLS Client (outgoing)
smtp_tls_key_file = /etc/postfix/newreq.pem
smtp_tls_cert_file = /etc/postfix/newcert.pem
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_loglevel = 1

But I do use official certificates and then I do get the "Trusted TLS connection established".
Maybe a tip: set up Let's Encrypt certificates, and test with that. Then you can see if you get the needed trusted connections.

Greetz,

Louis

> -Original message- > From: webmas...@lshipping.info [mailto:owner-postfix-us...@postfix.org] > On behalf of Den1 > Sent: Wednesday 29 March 2017 14:50 > To: postfix-users@postfix.org > Subject: RE: Postfix cannot start tls: handshake failure > > Hi Louis, > > Thank you for your input, I appreciate. I have smtpd running OK with all > the > key_file, cert_file and so on. I was asking about smtp. These two are > different :-) > > > > > > -- > View this message in context: > http://postfix.1071664.n5.nabble.com/Postfix-cannot-start-tls-handshake- > failure-tp89684p89731.html > Sent from the Postfix Users mailing list archive at Nabble.com.
RE: Postfix cannot start tls: handshake failure
Yes, it is advisable to enable TLS. What is your OS and Postfix version?

For example, I use Debian. And when you want to use ca-certificates.crt, you need to set it up as Debian expects, and it includes your cert in the ca-certificates.crt, so that's why I want to know the OS and version of postfix.

(debian/ubuntu setup) Read: https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/
Next to read, postfix tls: http://www.postfix.org/TLS_README.html

The setup for TLS can differ a bit between versions 2.x and 3.x. But this should be sufficient to start with.

## TLS
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

And a test site for you: https://ssl-tools.net/mailservers
And a nice site with stronger settings: https://cipherli.st/

Hope that this helps you a bit further.

Greetz,

Louis

> -Original message- > From: webmas...@lshipping.info [mailto:owner-postfix-us...@postfix.org] > On behalf of Den1 > Sent: Wednesday 29 March 2017 14:04 > To: postfix-users@postfix.org > Subject: Re: Postfix cannot start tls: handshake failure > > I was wondering is it actually advisable to use tls on smtp? When I tried > it > out with my self-signed certificates just to see if it's of any > convenience > to implement this feature I received the following response: > > TLS required, but was not offered by host -or- we do not run TLS engine - > or- > certificate is not trusted > > on > > smtp_tls_security_level = encrypt -or- secure > smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt > > when I tried the following: > > smtp_tls_security_level = may > smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt > > it simply went through without giving any "feedback" or warnings. 
My > understanding also is that it just wasn't secure / encrypted with this > 'may' > so that's why it went through OK. > > what about the rest of the settings of > > smtp_tls_cert_file = -and- > smtp_tls_key_file = > > are they not required? > > Could anyone comment on the above, please? Many thanks! > > > > > > -- > View this message in context: > http://postfix.1071664.n5.nabble.com/Postfix-cannot-start-tls-handshake- > failure-tp89684p89727.html > Sent from the Postfix Users mailing list archive at Nabble.com.
RE: postsceen and smtpd_recipients_restrictions
He is listed multiple times. See: http://multirbl.valli.org/lookup/46.22.210.2.html Spamhaus ( listed in DBL Advisory. ) ( aerial.astogle.us.dbl.spamhaus.org ) The remote server probably sends "listed at zen.spamhaus.org" but is using DBL also. https://www.spamhaus.org/dbl/ Greetz, Louis > -Original message- > From: wie...@porcupine.org [mailto:owner-postfix-us...@postfix.org] On behalf of > wie...@porcupine.org > Sent: Monday 27 February 2017 13:07 > To: Postfix users > Subject: Re: postsceen and smtpd_recipients_restrictions > > Den1: > > Wietse Venema wrote > > > Den1: > > >> 22:19:13 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:58953 > to > > >> [1.1.1.1]:25 > > >> 22:19:13 postfix/dnsblog[14391]: addr 46.22.210.20 listed by domain > > >> zen.spamhaus.org as 127.0.0.3 > > >> 22:19:17 postfix/postscreen[14390]: DNSBL rank 1 for > [46.22.210.20]:58953 > > >> 22:19:17 postfix/postscreen[14390]: DISCONNECT [46.22.210.20]:58953 > > > > > > The client is listed at zen.spamhaus.org. The client does not talk to > > > the Postfix SMTP daemon (smtpd). > > > > > >> 22:19:18 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:53440 > to > > >> [1.1.1.1]:25 > > >> 22:19:22 postfix/postscreen[14390]: PASS NEW [46.22.210.20]:53440 > > >> 22:19:22 postfix/smtpd[14403]: connect from > > >> construct.baladle.us[46.22.210.20] > > > > > > The client is NOT LISTED at zen.spamhaus.org, or more likely, you > > > use multiple DNS servers, some of which get service from spamhaus.org, > > > and some of which don't get service from spamhaus.org. > > > > > > Wietse > > > > Thank you so much for your directions and guidance. I really do > appreciate. > > That's a nice way of saying you did not understand 99% of the reply. > > > Although I am getting a bit lost. Is it possible for different clients > to > > have the same IP address in such a short period of time as per my logs > > posted? > > zen.spamhaus.org provides a service that depends the DNS client IP > address. 
Low-volume DNS clients get free service, but high-volume > DNS clients have to pay for a subscription. > > For example, if you use the resolver at a big ISP, or a public > service like 8.8.8.8 or 4.4.4.4, then zen.spamhaus.org won't work > well for you, if at all. > > Wietse
RE: Strong Ciphers to use with Postfix
Hai,

It all depends on what you need and want.
After monitoring for about a year on with or without encryption, I have found 0 unencrypted mail servers and a handful of SSLv2 or v3. Which I simply don't allow anymore. (The sslv2/v3.)

Due to the Dutch "Privacy laws" users are obligated to have/use encrypted lines. And a lot should be encrypted. So I prefer a high but compatible set.

A setup like this: https://tls.imirhil.fr/smtp/mail.van-belle.nl
My preferred site to check ciphersets.

I'm also running debian jessie postfix 2.11.
And yes, there is always room for improvements, but my cipher check shows me the following and I'm happy with it.

    2 TLSv1 with cipher AES256-SHA
    6 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
   13 TLSv1.2 with cipher AES256-SHA
   27 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA
   34 TLSv1.2 with cipher DHE-RSA-AES256-SHA256
  103 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
  302 TLSv1 with cipher DHE-RSA-AES256-SHA
  772 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
 2307 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
11684 TLSv1 with cipher ECDHE-RSA-AES256-SHA

# Add these to log your ciphers used.
smtp_tls_loglevel=1
smtpd_tls_loglevel=1

# check encrypted connections with :
# grep "connection established from.*with cipher" /var/log/mail.log|awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' |sort|uniq -c| sort -n
# check for clear text connections:
# grep "connection established from" /var/log/mail.log | grep -v cipher| awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n

# outgoing connections: smtp
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

# incoming connections: smtpd
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
#, RSA+AES
smtpd_tls_eecdh_grade = ultra

Greetz,

Louis

> -Original message- > From: domi...@timedicer.co.uk [mailto:owner-postfix-us...@postfix.org] > On behalf of Dominic Raferd > Sent: Friday 17 February 2017 16:05 > To: Postfix users > Subject: Re: Strong Ciphers to use with Postfix > > On 17 February 2017 at 14:43, Fazzina, Angelo> wrote: > > Hi, > > Here is how I am dealing with "weak ciphers" > > You may be able to do the same type of config ? > > > > > > In /etc/postfix/main.cf > > > > > > # -ALF 2016-09-07 > > # disable RC4 ciphers with TLS connections. 
> > #smtpd_tls_exclude_ciphers = RC4, aNULL > > # -ALF 2017-01-09 > > # disable weak ciphers, and RC4 ciphers > > smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, > aNULL > > #-ALF 2107-01-09 > > # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers > > #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES- > CBC3-SHA, RC4, aNULL > > > > > > > > -Angelo Fazzina > > Operating Systems Programmer / Analyst > > University of Connecticut, UITS, SSG, Server Systems > > 860-486-9075 > > > > -Original Message- > > From: owner-postfix-us...@postfix.org [mailto:owner-postfix- > us...@postfix.org] On Behalf Of Daniel Bareiro > > Sent: Friday, February 17, 2017 9:40 AM > > To: Postfix users > > Subject: Strong Ciphers to use with Postfix > > > > Hi all! > > > > I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1. > > > > I would like to know what you think of the security settings suggested > > here [1] for Postfix. > > > > I have tested it against this [2] site, but it seems that fails to > > discard other ciphers; on "Weak ciphers" I get "supported > > RSA_WITH_RC4_128_SHA". > > > > As I have learned from here, if your MTA is receiving from the world > or sending to the world there is little point in enforcing > super-strong ciphers on the corresponding connection (smtpd or smtp). > If you refuse all unencrypted communication, and only permit > super-strong ciphers, you may not be able to receive or send some > emails, because not all (even genuine) MTAs will support this; but > otherwise if you only permit super-strong ciphers you will just get > more unencrypted communication. Of course it is usually > pointless/unwise to permit broken ciphers, but these are anyway > disabled by default in postfix.
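Added example (not from the thread): the grep/awk tally quoted above depends on fixed field positions, so this sketch parses the "TLS connection established" lines by pattern instead, counts protocol/cipher pairs for inbound and outbound sessions, and lists peers still negotiating SSLv2/SSLv3 or the RC4, 3DES and IDEA suites that the thread excludes. The log lines are constructed samples with documentation hostnames and addresses; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the Postfix log format quoted in this thread.
SAMPLE_LOG = """\
Feb 17 10:00:01 mx postfix/smtpd[2101]: Untrusted TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 17 10:00:05 mx postfix/smtpd[2102]: Anonymous TLS connection established from old.example.org[198.51.100.7]: TLSv1 with cipher RC4-SHA (128/128 bits)
Feb 17 10:00:09 mx postfix/smtp[2110]: Trusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 17 10:00:12 mx postfix/smtpd[2103]: Untrusted TLS connection established from legacy.example.org[198.51.100.9]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
Feb 17 10:00:15 mx postfix/smtpd[2104]: connect from plain.example.org[198.51.100.20]
Feb 17 10:00:20 mx postfix/smtpd[2101]: Untrusted TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# smtpd = inbound ("from"), smtp = outbound ("to host[ip]:port").
TLS_LINE = re.compile(
    r"postfix/(?P<service>smtpd?)\[\d+\]: (?P<trust>\w+) TLS connection "
    r"established (?P<direction>from|to) (?P<peer>\S+?): "
    r"(?P<protocol>\S+) with cipher (?P<cipher>\S+)"
)

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_PARTS = ("RC4", "DES-CBC3", "IDEA")  # suites excluded in the thread


def parse(log_text):
    """Return one dict per TLS session line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def tally(records):
    """Count sessions per (direction, protocol, cipher)."""
    return Counter(
        (r["direction"], r["protocol"], r["cipher"]) for r in records
    )


def is_weak(record):
    return record["protocol"] in WEAK_PROTOCOLS or any(
        part in record["cipher"] for part in WEAK_CIPHER_PARTS
    )


def weak_peers(records):
    """Sorted, de-duplicated (peer, protocol, cipher) for weak sessions."""
    return sorted(
        {(r["peer"], r["protocol"], r["cipher"]) for r in records if is_weak(r)}
    )


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for (direction, proto, cipher), count in sorted(tally(recs).items()):
        print(f"{count:6d} {direction:4s} {proto} with cipher {cipher}")
    for peer, proto, cipher in weak_peers(recs):
        print(f"weak: {peer} {proto} {cipher}")
```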
RE: SPF entries for IPv4 & IPv6
No mx lookup in the SPF?

Why not:
mail.example.org. TXT "v=spf1 mx ip4:1.2.3.4 ip6:: -all"

And why no A record? Every host in your DNS with A can send, which is not (always) what you want.
For example: www.example.org, and now your server gets compromised and is spamming.. Which is by "v=spf1 a -all" all allowed.

And if you need an A:
mail.example.org. TXT "v=spf1 mx A:hostname.domain.tld -all"
which covers also lookups.

Just my suggestion.
And best is also to read: https://tools.ietf.org/html/rfc7208#section-2.3

Greetz,

Louis

> -Original message- > From: s...@andreasschulze.de [mailto:owner-postfix-us...@postfix.org] On behalf of > A. Schulze > Sent: Monday 2 January 2017 16:42 > To: postfix-users@postfix.org > Subject: Re: SPF entries for IPv4 & IPv6 > > > > On 02.01.2017 at 14:18 Sebastian Nielsen wrote: > > OFC you must specify both unless you have completely disabled sending of > outgoing mail via IPv6. > > I think, that's wrong > > One may publish records like "v=spf1 a -all" for a host mail.example.org > > mail.example.org. A 192.0.2.25 > mail.example.org. AAAA 2001:db8::6:25 > mail.example.org. TXT "v=spf1 a -all" > > This require two or three dns lookups. (1x TXT, 1x A and 1x AAAA depending > on the spf implementation) > > To save lookups and make the authentication more robust it's also possible > to > specify the addresses explicit: > > mail.example.org. A 192.0.2.25 > mail.example.org. AAAA 2001:db8::6:25 > mail.example.org. TXT "v=spf1 ip4:192.0.2.25 ip6:2001:db8::6:25 -all" > > this way one minimize the need for a receiver to do "many" lookups. You > give the receiver all information > with the first answer and thus have a higher chance the spf authentication > will succeed. > > (hope no typo above...) > > Andreas
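Added example (not from the thread): a reduced SPF evaluator that shows the lookup difference discussed above between "v=spf1 a -all", an mx mechanism, and explicit ip4:/ip6: mechanisms. It models only all, ip4, ip6, a and mx (no include, redirect, macros or CIDR suffixes on a/mx), counts DNS work after the initial TXT fetch, and resolves names from a constructed in-memory zone built from the example records; the MX record and the function names are assumptions.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10  # RFC 7208 limit on terms that cause DNS queries

# Constructed zone: the A/AAAA records from the quoted message, plus an
# assumed MX record so the mx mechanism can be exercised.
ZONE = {
    ("mail.example.org", "A"): ["192.0.2.25"],
    ("mail.example.org", "AAAA"): ["2001:db8::6:25"],
    ("example.org", "MX"): ["mail.example.org"],
}


def _addresses(name, ip, zone, stats):
    """Stub resolver: query A for an IPv4 sender, AAAA for an IPv6 sender."""
    stats["queries"] += 1
    rtype = "A" if ip.version == 4 else "AAAA"
    return [ipaddress.ip_address(a) for a in zone.get((name.lower(), rtype), [])]


def check_host(sender_ip, domain, record, zone=ZONE):
    """Evaluate record for sender_ip.

    Returns (result, dns_terms, queries): the SPF result, the number of
    DNS-querying mechanisms evaluated, and the stub queries they caused.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", 0, 0)
    stats = {"terms": 0, "queries": 0}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("a", "mx"):
            stats["terms"] += 1
            if stats["terms"] > MAX_DNS_TERMS:
                return ("permerror", stats["terms"], stats["queries"])
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # Answered from the TXT record alone: no further DNS traffic.
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == ip.version and ip in net
        elif name == "a":
            matched = ip in _addresses(arg or domain, ip, zone, stats)
        elif name == "mx":
            stats["queries"] += 1  # the MX query itself
            hosts = zone.get(((arg or domain).lower(), "MX"), [])
            matched = any(ip in _addresses(h, ip, zone, stats) for h in hosts)
        else:
            raise ValueError(f"mechanism not modelled in this sketch: {term}")
        if matched:
            return (QUALIFIERS[qualifier], stats["terms"], stats["queries"])
    return ("neutral", stats["terms"], stats["queries"])


if __name__ == "__main__":
    explicit = "v=spf1 ip4:192.0.2.25 ip6:2001:db8::6:25 -all"
    for ip, dom, rec in [
        ("192.0.2.25", "mail.example.org", "v=spf1 a -all"),
        ("2001:db8::6:25", "mail.example.org", "v=spf1 a -all"),
        ("2001:db8::6:25", "mail.example.org", explicit),
        ("192.0.2.25", "example.org", "v=spf1 mx -all"),
        ("198.51.100.7", "mail.example.org", "v=spf1 a -all"),
    ]:
        print(ip, dom, rec, "->", check_host(ip, dom, rec))
```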
RE: request improved logging for postfix.
Hello Noel,

Would you please stop saying that I'm labeling.. I'm not.
Sorry I'm so bad at explaining things in English.

I'm just trying to explain something based on what I read here:
http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname

reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
Reject the request when the HELO or EHLO hostname has no DNS A or MX record.

Here the "POSTFIX MANUAL" states > "HELO or EHLO hostname" <<
So I think we misunderstand each other.

I know a "helo hostname" is just a name which refers to an A, AAAA or MX record, and the MX must refer to any A or AAAA.
I know it's not client-hostname or helo-hostname. It's "helo " and maybe that should be better in the manual.
As long as it has a DNS A or MX record. ( as stated by RFC 5321 2.3.5 )

> Postfix mostly ignores the helo name. You should too.
Why? Since in my opinion this is very bad advice.
This is why I enforce correct "HELO or EHLO hostname".
And it's as the postfix manual states: rejecting the request when the HELO or EHLO hostname has no DNS A or MX record.
Exactly what I need.

RFC 5321 section 2.3.5 states:
The domain name, as described in this document and in RFC 1035 [2], is the entire, fully-qualified name (often referred to as an "FQDN"). A domain name that is not in FQDN form is no more than a local alias. Local aliases MUST NOT appear in any SMTP transaction.

Only resolvable, fully-qualified domain names (FQDNs) are permitted when domain names are used in SMTP. In other words, names that can be resolved to MX RRs or address (i.e., A or AAAA) RRs (as discussed in Section 5) are permitted, as are CNAME RRs whose targets can be resolved, in turn, to MX or address RRs. Local nicknames or unqualified names MUST NOT be used.

Now I just was not happy with some logging parts, but you explained all and for me it's OK.
I know what to do now to make things better in my logs for my colleagues, so they can take over some things when I'm on holiday.

Thanks all for the replies.
And sorry for the badly chosen words and misunderstandings.

Best regards,

Louis

> -Original message- > From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org] > On behalf of Noel Jones > Sent: Tuesday 20 December 2016 17:50 > To: postfix-users@postfix.org > Subject: Re: request improved logging for postfix. > > On 12/20/2016 3:17 AM, L.P.H. van Belle wrote: > > > > postfix/ [smtp/smtpd/postscreen] show [client-hostname or unknown] IP > > > > (*always unknown if A/PTR mismatches in client hostname OR helo > > hostname) > > Labeling a client as unknown has nothing to do with the helo name. > > See the description for reject_unknown_client_hostname for the > conditions when a client is labeled unknown. > http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname > > Postfix mostly ignores the helo name. You should too. > > > -- Noel Jones
RE: request improved logging for postfix.
Thank you Noel, again :-)

Based on my loglines I found that:

postfix/ [smtp/smtpd/postscreen] show [client-hostname or unknown] IP
(*always unknown if A/PTR mismatches in client hostname OR helo hostname)
postfix/ cleanup (header Received) show from helo-hostname (client-hostname [IP])

Any I missed?

Thank you for this one:
check_client_access static:INFO
That's very useful for me.

Now, big thread for a small thing, I hope lots of others profit from it. :-)

Greetings,

Louis

> -Original message- > From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org] > On behalf of Noel Jones > Sent: Monday 19 December 2016 17:43 > To: postfix-users@postfix.org > Subject: Re: request improved logging for postfix. > > On 12/19/2016 3:31 AM, L.P.H. van Belle wrote: > > > > > So when everything is setup correct the helo and hostname ares shown > > in the logs, > > On a normal, accepted connection, the HELO name is never shown in > the logs. The client is identified by the source IP and port and > verified client hostname if available. The HELO name is only logged > with a rejection or error. > > The HELO name is recorded in the Received: header added to mail. > > If you want to always see the HELO in the logs, you can force a log > entry with "check_client_access static:INFO" in your > smtpd_recipient_restrictions. > > something like: > # main.cf > smtpd_recipient_restrictions = > check_client_access static:INFO > ... other checks ... > > > > > -- Noel Jones
RE: request improved logging for postfix.
Hai, Well, Thank you Noel, This makes much more sence now. I was mislead due to the log messages of postfix. My own server has an A/PTR to the hostname and A/MX for helo name. This is the confusing part, at least it was for me. The logs showed me: postfix/smtpd[29331]: connect from core.van-belle.nl[149.210.206.148] and Dec 19 09:46:36 mailhopper postfix/cleanup[29334]: 451A6FF071: hold: header Received: from mail.van-belle.nl (core.van-belle.nl [149.210.206.148]) ... etc ??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(Client did not present a certificate)??by mailhopper.ba from core.van-belle.nl[149.210.206.148]; from=to= proto=ESMTP helo= The : connect from hostname.fqdn[ip] and : hold: header Received: from mail.van-belle.nl (core.van-belle.nl [149.210.206.148]) and here is also shows mail.van-belle.nl, the helo name and the host.fqdn[ip] since i always did see : mail.van-belle.nl (core.van-belle.nl [149.210.206.148]) i was in the understanding postfix was loggin helo hostnames also, like the client name. Which explains all the confusion at my side. > No fixes are necessary, other than maybe I should write a tutorial > on reading logs. Very good idea, the part you explained is a good one, and that wil help others also. Due to this logging i am/was having discusions. Now..this helps a lot. Thanks you so much. So when everything is setup correct the helo and hostname ares shown in the logs, but when with errors it referes only back to the client name. Why is this? Best regards, Louis > -Oorspronkelijk bericht- > Van: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org] > Namens Noel Jones > Verzonden: vrijdag 16 december 2016 16:56 > Aan: postfix-users@postfix.org > Onderwerp: Re: request improved logging for postfix. > > On 12/16/2016 5:13 AM, L.P.H. van Belle wrote: > > > Maybe im totaly incorrect here so correct me if needed. > > Yes. > > > Now, Im running Debian Wheezy, postfix ( debian backport ) > > 2.11.2-1~bpo70+1. 
Kernel : 3.2.82-1 > > > > I’ve increased the debug level in postfix for the domains. > > Don't use debug logging. Everything you need is in the normal > logging, and the extra noise just confuses you. > > > > Dec 16 08:47:31 mailhopper postfix/smtpd[16089]: warning: hostname > > sweeper.stater.com does not resolve to address 193.172.8.206: Name > > or service not known > > > > Dec 16 08:47:32 mailhopper postfix/smtpd[16089]: NOQUEUE: reject: > > RCPT from unknown[193.172.8.206]: 554 5.7.1 : > > Helo command rejected: Host not found; from= > > to= proto=ESMTP helo= > > > > > > > > This part : > > > > hostname sweeper.stater.com does not resolve to address > > 193.172.8.206 which is totaly correct. > > > > > No, the warning: message always refers to the CLIENT hostname, and > is giving you the reason the CLIENT is labeled as "unknown". > > > > The line (part of the rejected incomming ) > > > > ... NOQUEUE: reject: RCPT from unknown[193.172.8.206]: 554 5.7.1 > > > > > > More consistant would be : > > > > unknown([193.172.8.206]): 554 5.7.1 > > > > Or with correct A/PTR but incorrect helo > > But the A/PTR is not correct, as logged earlier. That is the reason > the client is labeled unknown. > > > > To many people are confused by the “unknown” since it can be 2 things: > > > > Unknown CLIENT hostname > > > > Unknown HELO hostname > > No, the "unknown" always refers to the client, unless it's in the > descriptive text of a reject message. > > > ... reject: {smtp stage} from {client hostname/unknown}[{ipaddr]}: > {reject code} {extended code}; {descriptive text} > > Notice the HELO name is never listed other than in the descriptive > text if HELO is the reason for rejection. > > > > > > Which give discusions on the fixes. > > No fixes are necessary, other than maybe I should write a tutorial > on reading logs. > > > > -- Noel Jones
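Added example, not part of the thread and not Postfix code: a small Python parser that applies the reject-line layout Noel Jones describes above, keeping the client name (or "unknown") apart from the HELO name and tying a "does not resolve to address" warning to the client handled by the same smtpd process. The log lines are constructed samples with documentation addresses and example domains, and the function and field names are this example's own.

```python
import re

# Constructed sample lines in the shape smtpd logs them; addresses come from
# documentation ranges and the domains are example names, not real hosts.
SAMPLE_LOG = """\
Dec 16 08:47:31 mx postfix/smtpd[16089]: warning: hostname relay.example.net does not resolve to address 192.0.2.10: Name or service not known
Dec 16 08:47:31 mx postfix/smtpd[16089]: connect from unknown[192.0.2.10]
Dec 16 08:47:32 mx postfix/smtpd[16089]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <mail.example.net>: Helo command rejected: Host not found; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mail.example.net>
Dec 16 08:50:02 mx postfix/smtpd[16120]: connect from mta.example.com[198.51.100.7]
Dec 16 08:50:03 mx postfix/smtpd[16120]: NOQUEUE: reject: RCPT from mta.example.com[198.51.100.7]: 554 5.7.1 <b@example.org>: Relay access denied; from=<c@example.com> to=<b@example.org> proto=ESMTP helo=<mta.example.com>
"""

# The "postfix/smtpd[pid]: message" part of a syslog line.
PREFIX = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# This warning is about the CLIENT hostname: it says why the client is
# about to be labeled "unknown". It says nothing about the HELO name.
WARNING = re.compile(
    r"^warning: hostname (?P<name>\S+) does not resolve to address "
    r"(?P<ip>\S+?)(?::\s|$)")

# reject: {stage} from {client or unknown}[{ip}]: {code} {dsn} {text}; ...
# The HELO name only shows up in the trailing helo=<...> attribute and,
# when HELO is the reason for the rejection, in the descriptive text.
REJECT = re.compile(
    r"^(?P<qid>\S+): reject: (?P<stage>\S+) from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$")


def parse_rejects(log_text):
    """Return one dict per reject line, with client and HELO facts kept apart."""
    unverified = {}  # (pid, ip) -> client hostname from the warning line
    records = []
    for line in log_text.splitlines():
        prefix = PREFIX.search(line)
        if not prefix:
            continue
        pid, msg = prefix["pid"], prefix["msg"]
        warning = WARNING.match(msg)
        if warning:
            unverified[(pid, warning["ip"])] = warning["name"]
            continue
        reject = REJECT.match(msg)
        if not reject:
            continue
        rec = reject.groupdict()
        rec["client_verified"] = rec["client"] != "unknown"
        rec["unverified_name"] = unverified.get((pid, rec["ip"]))
        rec["helo_is_reason"] = "Helo command rejected" in rec["text"]
        records.append(rec)
    return records


def describe(rec):
    """One-line summary that never mixes up client name and HELO name."""
    client = "%s[%s]" % (rec["client"], rec["ip"])
    if not rec["client_verified"] and rec["unverified_name"]:
        client += " (client name %s failed verification)" % rec["unverified_name"]
    reason = "HELO" if rec["helo_is_reason"] else "not HELO"
    return "%s %s %s client=%s helo=%s reject-reason=%s" % (
        rec["stage"], rec["code"], rec["dsn"], client, rec["helo"], reason)


if __name__ == "__main__":
    for record in parse_rejects(SAMPLE_LOG):
        print(describe(record))
```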
request improved logging for postfix.
Hello, After the message from yesterday, im asking if the postfix logging can be changed. To improve the loggings and a better more clear reject message. A small change maybe, i dont know, i’ll show what i mean below. Maybe im totaly incorrect here so correct me if needed. Now, Im running Debian Wheezy, postfix ( debian backport ) 2.11.2-1~bpo70+1. Kernel : 3.2.82-1 I’ve increased the debug level in postfix for the domains. Im seeing the following : Time : 08:34 : me be...@bazuin.nl sending to serviced...@stater.com Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 220-sweeper.stater.com ESMTP Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 220 Connection is logged and abuse will be reported... Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: EHLO mailhopper.bazuin.nl Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-sweeper.stater.com Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-8BITMIME Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-SIZE 52428800 Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250 STARTTLS Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: STARTTLS Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 220 Go ahead with TLS Dec 16 08:34:39 mailhopper postfix/smtp[15288]: send attr cache_id = smtp&193.172.8.206&&4DFEB04581B7B5FE02EE5DA3C09609BF6F53AC5A02666E3BE4556ED143A51345 Dec 16 08:34:39 mailhopper postfix/smtp[15288]: send attr cache_id = smtp&193.172.8.206&&4DFEB04581B7B5FE02EE5DA3C09609BF6F53AC5A02666E3BE4556ED143A51345 Dec 16 08:34:39 mailhopper postfix/smtp[15288]: Untrusted TLS connection established to sweeper2.stater.com[193.172.8.206]:25: TLSv1.2 with cipher 
DHE-RSA-AES256-GCM-SHA384 (256/256 bits) Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: EHLO mailhopper.bazuin.nl Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-sweeper.stater.com Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-8BITMIME Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250 SIZE 52428800 Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: MAIL FROM:SIZE=19695 Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250 sender ok Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: RCPT TO: Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250 recipient ok Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: DATA Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 354 go ahead Now, here is an inconistany of logging ( i think ) by postfix. I point to this line,: sweeper2.stater.com[193.172.8.206]:25: 220-sweeper.stater.com ESMTP More consistand would be (sweeper2.stater.com[193.172.8.206]):25: 220-sweeper.stater.com ESMTP Or without a/ptr for the client name: (unknown[193.172.8.206]):25: 220-sweeper.stater.com ESMTP At Time : 08:47 : reply from stater.com to my but rejected as it should. Dec 16 08:47:31 mailhopper postfix/smtpd[16089]: warning: hostname sweeper.stater.com does not resolve to address 193.172.8.206: Name or service not known Dec 16 08:47:32 mailhopper postfix/smtpd[16089]: NOQUEUE: reject: RCPT from unknown[193.172.8.206]: 554 5.7.1 : Helo command rejected: Host not found; from= to= proto=ESMTP helo= This part : hostname sweeper.stater.com does not resolve to address 193.172.8.206 which is totaly correct. 
But it would be nicer to set : “helo hostname sweeper.stater.com does not resolve to address 193.172.8.206“ The line (part of the rejected incomming ) ... NOQUEUE: reject: RCPT from unknown[193.172.8.206]: 554 5.7.1 More consistant would be : unknown([193.172.8.206]): 554 5.7.1 Or with correct A/PTR but incorrect helo unknown(sweeper2.stater.com[193.172.8.206]): 554 5.7.1 You see the small () changes all together.. : unknown[193.172.8.206]: 554 5.7.1 unknown([193.172.8.206]): 554 5.7.1 unknown(sweeper2.stater.com[193.172.8.206]): 554 5.7.1 To many people are confused by the “unknown” since it can be 2 things: Unknown CLIENT hostname Unknown HELO hostname Which give discusions on the fixes. Also what i dont get here is the postfix message . NOQUEUE: reject: RCPT
RE: DNS round robin on helo?
Hai, First sorry to have the ips and name anonymized, i had to do that. I cant expose details until i first talked to the company in question. Thas a moral thing to do in my believe. And i need to be sure that i tell the right info when i do that. The "helo=" space was a copy past error, sorry missed that one. Main reason is posted, and sorry about my english, its not my native langauge. I needed to understand this situation bit more. What by rfc is allowed. After reading the rfc, in english, wasnt clear enough. I digged a bit more and i found that . I found https://tools.ietf.org/html/rfc5321#section-2.3.5 Only resolvable, fully-qualified domain names (FQDNs) are permitted when domain names are used in SMTP. In other words, names that can be resolved to MX RRs or address (i.e., A or .. so and im not asking to help solve this but im asking is my interpetation of the rfc correct. The problem server setup is as followed. 2 servers its ptr records refer to the helo hostname the same name (mx1.domain.tld) The helo hostname (mx1) has no A record but the helo is defined as mx record. As are mx2.domain.tld and mx3.domain.tld both have an A record and PTR record Now my server is rejecting any incorrect helo hostnames. Because the rfc stats: "names that can be resolved to MX RRs or address (i.e., A or .." And due to legal resons i must correcly identify the sending server. I do enforce most rfc parts, but i dont reject in incorrect client hostnames due to for example missing ptr records and my customers dont have to make much trouble to make that work, a simple A record in the dns is sufficient. A few big providers here dropped there relay which made a mess in mailing, lots of mis configuration, so i dont reject incorrect client hostnames and for customers ist much harder to set the ptr record, that take to much time at most providers. After adding the a record it mostly works again within an hour. I believe this client is rejected due to missing A record on the MX record. 
A change of the helo hostname to the client hostnames solves it and make them full rfc compiant in my opionion. So question is, is the rfc interpetation correct this way? And be nice, im asking this because im always helping our customers to make more rfc compliant setups because it simply make everyone happy. Now that you ended here.. , thank your for reading it all. :-) And Viktor, if a next help is needed, i'll post the complete log ok. Best regard, Louis > -Oorspronkelijk bericht- > Van: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org] > Namens Noel Jones > Verzonden: donderdag 15 december 2016 18:40 > Aan: postfix-users@postfix.org > Onderwerp: Re: DNS round robin on helo? > > On 12/15/2016 10:01 AM, L.P.H. van Belle wrote: > ... > > I looks to me and incorrect implementation, what do you guys think. > ... > > All this is allowed, legal, and unsurprising. > > Not everything that is allowed is wise. Ideally, each host (or each > connection on a multi-homed host) should have its own unique > hostname/A/PTR/HELO for mail, with higher lever MX records listing > all of them. If this is not your server, there is nothing to > complain about. > > If their HELO name really has a trailing space, that would be a > config error. But config errors on HELO names are not unusual. > > > > -- Noel Jones
RE: DNS round robin on helo?
Hello Noel/Jim, Thank you for the replies. Ok, thats clear, so multple A are allowed but i thing its the way around here. I'll explain bit more. I did run also that way, one host multiple ip's but both ip's has a different helo name to match a/ptr and mx records with it. But this customer has 1 helo hostname (A) and multiple ip's, to me this looks like a mess. This is what I see for this customer for the PTR. 43.22.aa.bb.in-addr.arpa. 1398 IN PTR host.domain.tld. 206.8.xx.yy.in-addr.arpa. 81644 IN PTR host.domain.tld. The MX setup. MX 10 host.domain.tld MX 20 host2.domain.tld MX 30 host3.domain.tld A domain test with this site : https://ssl-tools.net/mailservers did find the mx 20 and 30 but not the MX 10 server host.domain.tld. 30 IN A bb.aa.22.43 host.domain.tld. 30 IN A yy.xx.8.206 host2.domain.tld. 3347 IN A yy.xx.8.206 host3.domain.tld. 2032 IN A bb.aa.22.43 2 complete different ip adresses from different providers. 3 hostnames. The exact logs lines: warning: hostname host.domain.tld does not resolve to address bb.aa.22.43: Name or service not known connect from unknown[bb.aa.22.43] Untrusted TLS connection established from unknown[bb.aa.22.43]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Policy action=PREPEND Received-SPF: pass ... (censored) identity (mechanism 'a:host3.domain.tld matched)) And this is really ok? host3.domain.tld matched. I hardly have problems with rejecting legit servers. I looks to me and incorrect implementation, what do you guys think. @Jim, >Your starting assumption is wrong or mistaken. If the postfix logs are saying >"unknown[1.2.3.4]” it means reverse lookups of that IP address are not >returning a hostname. And this is not because it resolve back to the other IP. I tested the PTRs and thesare are ok. And gmail yahoo hotmail etc etc, never any problems with them. Even with having these in my setup. 
smtpd_helo_restrictions = permit_mynetworks, check_helo_access pcre:/etc/postfix/pcre/helo.pcre check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, Best regards, Louis > -Oorspronkelijk bericht- > Van: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org] > Namens Noel Jones > Verzonden: donderdag 15 december 2016 16:20 > Aan: postfix-users@postfix.org > Onderwerp: Re: DNS round robin on helo? > > On 12/15/2016 8:56 AM, L.P.H. van Belle wrote: > > Hello, > > > > > > > > I couldnt find this on the internet and is was thinking, the postfix > > list wil know this. > > > > Customer send email which are rejected by my server. I thinks that > > is correctly rejected. > > > > > > > > Now i digged into this and i found the following but i dont know if > > this is allowed by RFC. > > > > To me this should not be done but if someone can conform this, that > > would make me happy. > > > > > > > > Log part > > > > Dec 15 14:22:23 mailrelay postfix/smtpd[3361]: NOQUEUE: reject: RCPT > > from unknown[1.2.3.4]: 554 5.7.1 ,: Helo command > > rejected: Host not found; from=<@DOMAIN2.TLD2> > > to=proto=ESMTP helo= > > > > > > > > The message was rejected because the HELO name had no A nor MX > record *at that time*. > > Hosts are allowed to have multiple A records, but the client may be > labeled as "unknown" because postfix won't walk through all possible > hostname/IP combinations looking for a match. > > Many legit hosts will fail reject_unknown_helo_hostname. Use with > caution. > > > > > -- Noel Jones
DNS round robin on helo?
Hello,

I couldn't find this on the internet and I was thinking, the postfix list will know this.

Customer send email which are rejected by my server. I think that is correctly rejected.

Now I dug into this and I found the following but I don't know if this is allowed by RFC.
To me this should not be done but if someone can confirm this, that would make me happy.

Log part

Dec 15 14:22:23 mailrelay postfix/smtpd[3361]: NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 554 5.7.1 ,: Helo command rejected: Host not found; from=<@DOMAIN2.TLD2> to=proto=ESMTP helo=

What I found is that the helo hostname is correctly set but the strange thing.

Ping host.domain.tld result : 1.2.3.4
Ping host.domain.tld result : 4.3.2.1

So the hostname resolves to 2 IP numbers. Both IP numbers have a PTR record.

Now the thing I don't get.

1) if both IP numbers have a hostname, why do I see : unknown[1.2.3.4]
2) are Round Robin A record for mail Allowed.

Thank you in advance.

Greetz,
Louis
RE: regexp for allowing helo host
Hai Florian, No, Thats is due my setup with the mailscanner antispam behind it. Just give those sites a good read, and the adjust the config to your needs. Running a caching dns on that server helps dns queries. Extra to that, install fail2ban and add postfix-dnsbl.conf With filter : failregex = NOQUEUE: reject: RCPT from (.*)\[\]:([0-9]{4,5}:)? 550 5.7.1 Service unavailable; client \[(.*)\] blocked And this all helpt my traffic down about 5-10%. Not much but still. Greetz, Louis > -Oorspronkelijk bericht- > Van: flo...@floppy.org [mailto:owner-postfix-us...@postfix.org] Namens > Florian Piekert > Verzonden: woensdag 16 november 2016 14:39 > Aan: L.P.H. van Belle; postfix-users@postfix.org > Onderwerp: Re: regexp for allowing helo host > > Am 16.11.2016 um 14:35 schrieb L.P.H. van Belle: > > I have those entries in the master.cf, except it's having the "n" for > chrooted as well (should be transparent)... > > I assume it is due to the sheer NUMBER of dnsbl sites to query > simultaneously? > > > Ah yes, > > > > In master.cf adust these. > > > > smtp inet n - - - 1 postscreen > > smtpd pass - - - - - smtpd > > dnsblog unix - - - - 0 dnsblog > > > > > > > >> -Oorspronkelijk bericht- > >> Van: flo...@floppy.org [mailto:owner-postfix-us...@postfix.org] Namens > >> Florian Piekert > >> Verzonden: woensdag 16 november 2016 14:27 > >> Aan: L.P.H. van Belle; postfix-users@postfix.org > >> Onderwerp: Re: regexp for allowing helo host > >> > >> Am 16.11.2016 um 13:59 schrieb L.P.H. 
van Belle: > >> > >> After going from > >> postscreen_dnsbl_sites = > >> zen.spamhaus.org*2, > >> bl.mailspike.net, > >> bl.spamcop.net, > >> b.barracudacentral.org, > >> swl.spamhaus.org*-2 > >> to > >>> postscreen_dnsbl_sites = > >>> b.barracudacentral.org*4 > >>> bad.psky.me*4 > >>> zen.spamhaus.org*4 > >>> dnsbl.cobion.com*2 > >>> bl.spameatingmonkey.net*2 > >>> fresh.spameatingmonkey.net*2 > >>> dnsbl.anonmails.de*2 > >>> dnsbl.kempt.net*1 > >>> dnsbl.inps.de*2 > >>> bl.spamcop.net*2 > >>> dnsbl.sorbs.net*1 > >>> spam.dnsbl.sorbs.net*2 > >>> psbl.surriel.com*2 > >>> bl.mailspike.net*2 > >>> rep.mailspike.net=127.0.0.[13;14]*1 > >>> bl.suomispam.net*2 > >>> bl.blocklist.de*2 > >>> ix.dnsbl.manitu.net*2 > >>> dnsbl-2.uceprotect.net > >>> hostkarma.junkemailfilter.com=127.0.0.3 > >>> hostkarma.junkemailfilter.com=127.0.0.[2;4]*2 > >>> # whitelists > >>> swl.spamhaus.org*-4 > >>> list.dnswl.org=127.0.[0..255].[2;3]*-1 > >>> rep.mailspike.net=127.0.0.[17;18]*-1 > >>> rep.mailspike.net=127.0.0.[19;20]*-2 > >>> hostkarma.junkemailfilter.com=127.0.0.1*-1 > >> > >> I am rewarded with > >> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: warning: > >> psc_dnsbl_request: connect to private/dnsblog service: Resource > >> temporarily > >> unavailable > >> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: message repeated 7 > >> times: [ warning: psc_dnsbl_request: connect to private/dnsblog > service: > >> Resource temporarily unavailable] > >> > >> Any idea?! > >> > >> I stopped pf, removed the postscreen_cache.db file just in case, > restarted > >> pf. Still getting those messages... > > > > -- > > Florian Piekert, PMP > flo...@floppy.org > > Spargelweg 5Telephone+Fax: +49-179- > 3928582 > 38179 Schwülper-Walle/Germany > > == > = > Note: this message was send by me *only* if the eMail message contains > a > correct pgp signature corresponding to my address at flo...@floppy.org. > Do > you need my PGP public key? 
Check out http://www.floppy.org or send me > an > email with the subject "send pgp public key" to this address of > mine.Thx! > >
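Added example, not part of the thread and not Postfix code: a Python sketch of how a postscreen_dnsbl_sites list like the one quoted above is evaluated for one client, following the domain=filter*weight syntax from postconf(5) (weight defaults to 1, a filter octet may be a number or a [..] pattern with ";"-separated numbers and ranges, and each entry counts at most once). The entries are a subset of the quoted list; the DNSBL replies are constructed, and the threshold of 1 is the documented default for postscreen_dnsbl_threshold because the thread does not show the poster's value.

```python
import re

# Subset of the postscreen_dnsbl_sites entries quoted in the thread.
SITES = """
    zen.spamhaus.org*4
    bl.spamcop.net*2
    dnsbl-2.uceprotect.net
    rep.mailspike.net=127.0.0.[13;14]*1
    hostkarma.junkemailfilter.com=127.0.0.3
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    # whitelists
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].[2;3]*-1
    rep.mailspike.net=127.0.0.[17;18]*-1
"""

# Constructed DNSBL answers for two clients: {list domain: [A replies]}.
# A domain that is absent means the client is not listed there.
CLIENT_A = {
    "bl.spamcop.net": ["127.0.0.2"],
    "hostkarma.junkemailfilter.com": ["127.0.0.2"],
    "rep.mailspike.net": ["127.0.0.13"],
}
CLIENT_B = {
    "zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
    "swl.spamhaus.org": ["127.0.2.2"],
    "list.dnswl.org": ["127.0.5.3"],
}

ENTRY = re.compile(
    r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")
OCTET = re.compile(r"\[[^\]]*\]|\d+")  # "[0..255]", "[2;3]" or a plain number


def parse_sites(value):
    """Split the parameter value into (domain, filter or None, weight) tuples."""
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are not entries
        for token in re.split(r"[,\s]+", line):
            if not token:
                continue
            match = ENTRY.match(token)
            if not match:
                raise ValueError("bad postscreen_dnsbl_sites entry: %r" % token)
            entries.append((match["domain"], match["filter"],
                            int(match["weight"] or 1)))
    return entries


def octet_matches(pattern, value):
    """Match one reply octet against a number or a [a;b;c..d] pattern."""
    if pattern.startswith("["):
        for part in pattern[1:-1].split(";"):
            low, _, high = part.partition("..")
            if int(low) <= value <= int(high or low):
                return True
        return False
    return int(pattern) == value


def reply_matches(reply_filter, reply):
    """No filter accepts any reply; otherwise all four octets must match."""
    if reply_filter is None:
        return True
    patterns = OCTET.findall(reply_filter)
    octets = [int(part) for part in reply.split(".")]
    return (len(patterns) == 4 and len(octets) == 4 and
            all(octet_matches(p, o) for p, o in zip(patterns, octets)))


def dnsbl_score(entries, replies):
    """Sum the weights of matching entries; each entry counts at most once."""
    score, hits = 0, []
    for domain, reply_filter, weight in entries:
        if any(reply_matches(reply_filter, r) for r in replies.get(domain, [])):
            score += weight
            hits.append((domain, reply_filter, weight))
    return score, hits


def is_blocked(score, threshold=1):
    """threshold=1 is the postscreen_dnsbl_threshold default (assumed here)."""
    return score >= threshold


if __name__ == "__main__":
    parsed = parse_sites(SITES)
    for name, replies in (("client A", CLIENT_A), ("client B", CLIENT_B)):
        total, matched = dnsbl_score(parsed, replies)
        print(name, total, "blocked" if is_blocked(total) else "passed", matched)
```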
RE: regexp for allowing helo host
Some good info to read into.

http://rob0.nodns4.us/postscreen.html
http://blog.schaal-24.de/mail/postscreen-im-kampf-gegen-spam/?lang=en

and of course a must read:
http://www.postfix.org/POSTSCREEN_README.html

Greetz,
Louis

> -Original message-
> From: flo...@floppy.org [mailto:owner-postfix-us...@postfix.org] On behalf of
> Florian Piekert
> Sent: Wednesday 16 November 2016 14:27
> To: L.P.H. van Belle; postfix-users@postfix.org
> Subject: Re: regexp for allowing helo host
>
> On 16.11.2016 at 13:59, L.P.H. van Belle wrote:
>
> After going from
> postscreen_dnsbl_sites =
>   zen.spamhaus.org*2,
>   bl.mailspike.net,
>   bl.spamcop.net,
>   b.barracudacentral.org,
>   swl.spamhaus.org*-2
> to
> > postscreen_dnsbl_sites =
> >   b.barracudacentral.org*4
> >   bad.psky.me*4
> >   zen.spamhaus.org*4
> >   dnsbl.cobion.com*2
> >   bl.spameatingmonkey.net*2
> >   fresh.spameatingmonkey.net*2
> >   dnsbl.anonmails.de*2
> >   dnsbl.kempt.net*1
> >   dnsbl.inps.de*2
> >   bl.spamcop.net*2
> >   dnsbl.sorbs.net*1
> >   spam.dnsbl.sorbs.net*2
> >   psbl.surriel.com*2
> >   bl.mailspike.net*2
> >   rep.mailspike.net=127.0.0.[13;14]*1
> >   bl.suomispam.net*2
> >   bl.blocklist.de*2
> >   ix.dnsbl.manitu.net*2
> >   dnsbl-2.uceprotect.net
> >   hostkarma.junkemailfilter.com=127.0.0.3
> >   hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
> >   # whitelists
> >   swl.spamhaus.org*-4
> >   list.dnswl.org=127.0.[0..255].[2;3]*-1
> >   rep.mailspike.net=127.0.0.[17;18]*-1
> >   rep.mailspike.net=127.0.0.[19;20]*-2
> >   hostkarma.junkemailfilter.com=127.0.0.1*-1
>
> I am rewarded with
> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: warning: psc_dnsbl_request: connect to private/dnsblog service: Resource temporarily unavailable
> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: message repeated 7 times: [ warning: psc_dnsbl_request: connect to private/dnsblog service: Resource temporarily unavailable]
>
> Any idea?!
>
> I stopped pf, removed the postscreen_cache.db file just in case, restarted
> pf. Still getting those messages...
>
> --
>
> Florian Piekert, PMP                       flo...@floppy.org
>
> Spargelweg 5                               Telephone+Fax: +49-179-3928582
> 38179 Schwülper-Walle/Germany
>
> ==
> Note: this message was sent by me *only* if the eMail message contains a
> correct pgp signature corresponding to my address at flo...@floppy.org. Do
> you need my PGP public key? Check out http://www.floppy.org or send me an
> email with the subject "send pgp public key" to this address of mine. Thx!
RE: regexp for allowing helo host
Ah yes,

In master.cf adjust these.

smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
dnsblog   unix  -       -       -       -       0       dnsblog

> -Original message-
> From: flo...@floppy.org [mailto:owner-postfix-us...@postfix.org] On behalf of
> Florian Piekert
> Sent: Wednesday 16 November 2016 14:27
> To: L.P.H. van Belle; postfix-users@postfix.org
> Subject: Re: regexp for allowing helo host
>
> On 16.11.2016 at 13:59, L.P.H. van Belle wrote:
>
> After going from
> postscreen_dnsbl_sites =
>   zen.spamhaus.org*2,
>   bl.mailspike.net,
>   bl.spamcop.net,
>   b.barracudacentral.org,
>   swl.spamhaus.org*-2
> to
> > postscreen_dnsbl_sites =
> >   b.barracudacentral.org*4
> >   bad.psky.me*4
> >   zen.spamhaus.org*4
> >   dnsbl.cobion.com*2
> >   bl.spameatingmonkey.net*2
> >   fresh.spameatingmonkey.net*2
> >   dnsbl.anonmails.de*2
> >   dnsbl.kempt.net*1
> >   dnsbl.inps.de*2
> >   bl.spamcop.net*2
> >   dnsbl.sorbs.net*1
> >   spam.dnsbl.sorbs.net*2
> >   psbl.surriel.com*2
> >   bl.mailspike.net*2
> >   rep.mailspike.net=127.0.0.[13;14]*1
> >   bl.suomispam.net*2
> >   bl.blocklist.de*2
> >   ix.dnsbl.manitu.net*2
> >   dnsbl-2.uceprotect.net
> >   hostkarma.junkemailfilter.com=127.0.0.3
> >   hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
> >   # whitelists
> >   swl.spamhaus.org*-4
> >   list.dnswl.org=127.0.[0..255].[2;3]*-1
> >   rep.mailspike.net=127.0.0.[17;18]*-1
> >   rep.mailspike.net=127.0.0.[19;20]*-2
> >   hostkarma.junkemailfilter.com=127.0.0.1*-1
>
> I am rewarded with
> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: warning: psc_dnsbl_request: connect to private/dnsblog service: Resource temporarily unavailable
> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: message repeated 7 times: [ warning: psc_dnsbl_request: connect to private/dnsblog service: Resource temporarily unavailable]
>
> Any idea?!
>
> I stopped pf, removed the postscreen_cache.db file just in case, restarted
> pf. Still getting those messages...
>
> --
>
> Florian Piekert, PMP                       flo...@floppy.org
>
> Spargelweg 5                               Telephone+Fax: +49-179-3928582
> 38179 Schwülper-Walle/Germany
>
> ==
> Note: this message was sent by me *only* if the eMail message contains a
> correct pgp signature corresponding to my address at flo...@floppy.org. Do
> you need my PGP public key? Check out http://www.floppy.org or send me an
> email with the subject "send pgp public key" to this address of mine. Thx!
RE: Open relay, found it
Hai Paul,

I saw you got it fixed, compromised pass as I suspected. ;-)

I saw also this in your log.

from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206]

This should never be allowed. ( from 127.0.0.1 ) ( on the external ip )
That's impossible imo.

To fix that you can use something like below.
Just make sure every known hostname and IP number of the server is listed here.

Beware with these 3, these can give false positives.
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,

(pcre:/etc/postfix/helo.pcre)
## Namebase
/^ip6-localhost$/                        554 Don't use my own hostname
/^localhost$/                            554 Don't use my own hostname
/^localhost\.localdomain$/               554 Don't use my own hostname
/^localhost\.yourdomain\.tld$/           554 Don't use my own hostname
/^localhost\.subdom\.yourdomain\.tld$/   554 Don't use my own hostname
/^yourdomain\.tld$/                      554 Don't use my own domainname
/^hostname\.yourdomain\.tld$/            554 Don't use my own hostname
/^hostname\.subdom\.yourdomain\.tld$/    554 Don't use my own hostname

## IP Based
/^127\.0\.0\.1$/                         554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/                     554 Don't use my own IP address
/^\:\:1$/                                554 Don't use my own IP address
/^\[\:\:1\]$/                            554 Don't use my own IP address
/^1\.2\.3\.4$/                           554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/                       554 Don't use my own IP address
# and add ipv6 ip if you use it.

## Optional, but can give false blocks.
#/^[0-9.]+$/ 554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets) #/^[0-9]+(\.[0-9]+){3}$/ 554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets) # /^[0-9.-]+$/ 550 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets) # /^[0-9]+(\.[0-9]+){3}$/ REJECT Invalid hostname # added in main.cf smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map check_helo_access pcre:/etc/postfix/pcre/helo.pcre, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, reject_unauth_destination, reject_unauth_pipelining Greetz, Louis > -Oorspronkelijk bericht- > Van: p...@vandervlis.nl [mailto:owner-postfix-us...@postfix.org] Namens > Paul van der Vlis > Verzonden: zondag 23 oktober 2016 13:51 > Aan: postfix-users@postfix.org > Onderwerp: Re: Open relay, found it > > Op 23-10-16 om 13:32 schreef Ansgar Wiechers: > > On 2016-10-23 Paul van der Vlis wrote: > >> Op 22-10-16 om 18:23 schreef /dev/rob0: > >>> The only actual conclusion is that you have failed to put forth the > >>> necessary information, as Bill [I think] pointed you to the > >>> http://www.postfix.org/DEBUG_README.html#mail link. > >> > >> The problem is that somebody did send spam using port 587 with a not > >> excisting username, and I am interested how that is possible. > >> > >> sigmund:/var/log# postconf -Mf > > > > So you finally decided to show the output of "postconf -Mf" and > > "saslfinger -s". Good. Now you just need to provide the rest of the > > information Bill Cole asked of you 2 days ago: > > > > - Full output of "postconf -nf". > > - Full headers of a sample message (you may obfuscate personal > > information about the recipient). 
> > - All log lines associated with that particular message. At the very > > least the output of "grep /var/log/mail.log". > > I am sorry when I did not give the right information. I did read the > link, and did what was asked there. > > > In case you don't know how to find the queue ID in a log message, it's > > this part of the log line: > > > > postfix/smtpd[]: 2758BBF4062: ... > > ^^^ > > And did you already investigate why the authentication backend considers > > "p...@puk.nl" a valid user, as Noel Jones asked? What did you find out? > > Yes, and I found out that when the username is "p...@puk.nl" SASL > actually checks on "piet": > -- > saslauthd[19855] :do_auth : auth success: [user=piet] > [service=smtp] [realm=puk.nl] [mech=pam] > -- > > I did some more tests, and it seems to be that the spammer actually did > know the password. After changing the password, the logging changed: > -- > saslauthd[20161] :do_auth : auth failure: [user=piet] > [service=smtp] [realm=puk.nl] [mech=pam] > - > > > > With regards, > Paul van der Vlis. > > > > -- > Paul van der Vlis Linux systeembeheer Groningen > https://www.vandervlis.nl/
Re: permit after all
paul,

check if there are messages still in queue.
i had a compromised account also and same as you it didn't stop.
it did after clearing up the queue list.

the user in question has used its email and pass on a website which was compromised, at least that's what i think.

in my case i allow my users only from specific countries for smtp, limited by firewalling. (xtables geoip)
i also use zpush (active sync) through webserver, for mobile devices for other country support.

not a fix, but help avoiding this problem is abuse.

and check if you landed on black lists.

greetz
louis

On 22 Oct 2016 at 19:31, Bill Cole wrote the following:

On 22 Oct 2016, at 8:54, /dev/rob0 wrote:

Should "closing 'permit' lines" be removed from live configurations?

Of course not. That is how it works. If not specified as the OP did it, the ending value of any restriction stage is "permit". If not, mail would not be accepted at all.

Not exactly. In principle one can end a restriction list with 'reject' if all desired 'permit' cases are covered by previous directives. In smtpd_recipient_restrictions this implies a check_recipient_access directive that permits local recipients (obviously AFTER anti-spam restrictions).

And of course, many master.cf files include a service defined like this:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submit
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
RE: Block certain prefixes/TLDs from accessing
.. fail2ban Sasl filter.

Or add xtable (geo ip) and block the countries.
I only allow sasl auth from my own country AND an A record must exist in the dns for the host sending.

And Blacklisting the spamming domains is often useless.
You better check for the age of the domain or so.
http://spameatingmonkey.com/usage.html
I use fresh.spameatingmonkey.net, if it's less than 5 days old I reject it.

Greetz,
Louis

> -Original message-
> From: nmi...@noa.gr [mailto:owner-postfix-us...@postfix.org] On behalf of
> Nikolaos Milas
> Sent: Thursday 11 August 2016 12:45
> To: Richard Klingler
> CC: postfix-us...@cloud9.net
> Subject: Re: Block certain prefixes/TLDs from accessing
>
> On 11/8/2016 1:25 , Richard Klingler wrote:
>
> > Is there an easy way to block a list of prefixes from accessing postfix?
> > ...
> > Preferably I would like to combine prefix and domain filtering
> > as plain helo_checks won't allow regular expression for hostnames.
>
> I think you can use:
>
> smtpd_recipient_restrictions =
>     ...
>     check_sender_access hash:/etc/postfix/blacklisted_senders
>     check_client_access cidr:/etc/postfix/blacklisted_prefixes
>     reject_unverified_recipient
>     reject_unauth_destination
>     ...
>
> where /etc/postfix/blacklisted_senders:
>
> m...@example.com    REJECT
> example.net         REJECT
> subd.example.org    REJECT
> ...
>
> and /etc/postfix/blacklisted_prefixes:
>
> 192.168.1.1         REJECT
> 192.168.0.0/16      REJECT
> 2001:db8::1         REJECT
> 2001:db8::/32       REJECT
>
> Nick
RE: This ought to be simple to stop. Am I missing something?
Here you have a bind log example, WITH lame server logging. Adjust where needed.
Just enable only lameserver logging. Set all to null and enable lameserver logging. No performance drop.

logging {
    channel bind_log {
        file "/var/log/bind/bind.log" versions 3 size 1m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel query_log {
        file "/var/log/bind/query.log" size 1m;
        // Set the severity to dynamic to see all the debug messages.
        severity debug 3;
    };
    channel update_debug {
        file "/var/log/bind/update_debug.log" versions 3 size 100k;
        severity debug;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "/var/log/bind/security_info.log" versions 1 size 100k;
        severity info;
        print-severity yes;
        print-time yes;
    };
    channel xfer_log {
        file "/var/log/bind/xfer.log" size 1m;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };
    channel unmatched_log {
        file "/var/log/bind/unmatched.log" size 1m;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };
    channel lameservers_log {
        file "/var/log/bind/lameservers.log" size 1m;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };

    category default { bind_log; };
    category lame-servers { lameservers_log; };
    category update { update_debug; };
    category update-security { update_debug; };
    category security { security_info; };
    category queries { query_log; };
    //category unmatched { unmatched_log; };
    category xfer-in { xfer_log; };
    category xfer-out { xfer_log; };

    // No logging at all ..
    // category default { null; };
};

> -Original message-
> From: m...@junc.eu [mailto:owner-postfix-us...@postfix.org] On behalf of Benny
> Pedersen
> Sent: Wednesday 13 July 2016 11:48
> To: postfix-users@postfix.org
> Subject: Re: This ought to be simple to stop. Am I missing something?
>
> On 2016-07-13 11:41, L.P.H. van Belle wrote:
>
> > recommend using your own DNS servers when doing DNSBL queries to
> > Spamhaus.
>
> using ::1 here i don't trust others
>
> > I have no lame servers in my bind logs.
> > The set below is running over 1 year now, without any problems.
>
> bind9 default don't log lame-servers, since there is none that if enabled
> will fill logs pretty fast and it will drop bind9 performance as well
RE: This ought to be simple to stop. Am I missing something?
Then stop using google dns or other dns servers that block dns requests to rbl servers.

Source : https://www.spamhaus.org/faq/section/DNSBL%20Usage

Check what DNS resolvers you are using: If you are using a free "open DNS resolver" service such as the Google Public DNS or large cloud/outsourced public DNS servers, such as Level3's or Verizon's, to resolve your DNSBL requests, in most cases you will receive a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. We recommend using your own DNS servers when doing DNSBL queries to Spamhaus.

I have no lame servers in my bind logs.
The set below is running over 1 year now, without any problems.

Greetz,

Louis

> -Original message-
> From: m...@junc.eu [mailto:owner-postfix-us...@postfix.org] On behalf of Benny
> Pedersen
> Sent: Wednesday 13 July 2016 11:36
> To: postfix-users@postfix.org
> Subject: Re: This ought to be simple to stop. Am I missing something?
>
> On 2016-07-13 08:55, L.P.H. van Belle wrote:
> > A good combination of rbl lists with postscreen im using.
> >
> > postscreen_dnsbl_threshold=4
> > postscreen_dnsbl_sites =
> > b.barracudacentral.org*4
> > bad.psky.me*4
> > zen.spamhaus.org*4
> > dnsbl.cobion.com*2
> > bl.spameatingmonkey.net*2
> > fresh.spameatingmonkey.net*2
> > dnsbl.anonmails.de*2
> > dnsbl.kempt.net*2
> > dnsbl.inps.de*2
> > bl.spamcop.net*2
> > dnsbl.sorbs.net*2
> > psbl.surriel.com*2
> > bl.mailspike.net*2
> > bl.suomispam.net*2
> > all.rbl.jp*2
> > swl.spamhaus.org*-4
>
> last time it was tried here bind9 says lame-servers to some of them, so
> if see this then don't use them
>
> the good part here is postscreen sadly many of the above needs datafeeds
> to be stable
RE: This ought to be simple to stop. Am I missing something?
A good combination of rbl lists with postscreen I'm using.

postscreen_dnsbl_threshold=4
postscreen_dnsbl_sites =
    b.barracudacentral.org*4
    bad.psky.me*4
    zen.spamhaus.org*4
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    dnsbl.anonmails.de*2
    dnsbl.kempt.net*2
    dnsbl.inps.de*2
    bl.spamcop.net*2
    dnsbl.sorbs.net*2
    psbl.surriel.com*2
    bl.mailspike.net*2
    bl.suomispam.net*2
    all.rbl.jp*2
    swl.spamhaus.org*-4

Basically: if one of the servers is in barracuda, spamhaus or psky it's always spam, so I gave them the max (4).
If it's a "new" domain name, fresh.spameatingmonkey.net gives 2.
And mostly one of the others also gives two if it's really spam.

Works good here, and especially with fail2ban.
Using these filter/failregex:

failregex = addr <HOST> listed by domain
            client \[<HOST>\] blocked using multiple DNS-based blocklists

Which reduces cpu load and unneeded connections.

And if you use spamassassin:
https://github.com/extremeshok/spamassassin-extremeshok_fromreplyto

But setting up dkim dmarc spf is recommended, yes.

Greetz,

Louis

> -Original message-
> From: postfixlists-070...@billmail.scconsult.com [mailto:owner-postfix-
> us...@postfix.org] On behalf of Bill Cole
> Sent: Wednesday 13 July 2016 7:53
> To: postfix-users@postfix.org
> Subject: Re: This ought to be simple to stop. Am I missing something?
>
> On 12 Jul 2016, at 15:44, Phil Stracchino wrote:
>
> > On 07/12/16 10:30, Bill Cole wrote:
> >> On 12 Jul 2016, at 9:14, Phil Stracchino wrote:
> >>
> >>> I'm getting spam leaking through from sites with non-resolving IP or
> >>> invalid DNS, sending mail to myself as me.
> >>
> >> You COULD use reject_unknown_client_hostname but it has substantial
> >> false positives.
> >>
> >> More directly, you could enforce your own SPF record:
> >>
> >> caerllewys.net. 259200 IN TXT "v=spf1 ip4:216.246.132.90 -all"
> >
> > I'm trying to. :)
>
> Well, the choices for how to do that are many. Probably the simplest way
> to do it is with a "policy daemon" and the pypolicyd-spf implementation
> is the purest up-to-date SPF enforcement tool in that class.
>
> Other options: there are other more comprehensive policy daemons, you
> can do SPF checks with amavisd-new, or if you're a Perl weenie like me
> you can install MIMEDefang and either implement SPF checks through one
> of the available Perl modules in filter_sender() or let SpamAssassin
> handle it.
>
> I'd definitely choose pypolicyd-spf if I had noticeable quantities of
> this sort of crap making it to holistic filtering. SPF failure is
> actually decisive in so little mail that I see anywhere that I've not
> seen a need to push it to the top of the filtering heap.
>
> That's assuming you have a need to accept some mail claiming to be from
> addresses in your own domain via that service, which you may not if
> you've got a submission service set up. Based on the absence of any SASL
> settings in your postconf -n output, I'm guessing you have such a
> service, unless you rely entirely on source IP (i.e. permit_mynetworks)
> for relay control.
>
> [...]
> >> In this case it also appears that the IP address was in the CBL and
> >> hence SpamHaus Zen when you accepted it. Maybe not, but if you are
> >> not
> >> killing such IPs in postscreen you're going to have a lot of spam
> >> getting further in than it needs to. Also, if you're running a
> >> smallish
> >> mail system with a limited audience that does not include a need to
> >> communicate with Vietnamese correspondents, you can probably block
> >> all
> >> email traffic from 14.160.0.0/11.
> >
> > I considered that option, yes. I ... could have sworn I *was* using
> > the Zen RBL, actually. It looks as though I took it out for some
> > reason
> > at some time in the past and never restored it.
>
> I strongly recommend it. If you want fine-grained control over which
> parts you use, you can select which return codes to look for. In my
> case, I use these as part of my smtpd_recipient_restrictions list:
>
> reject_rbl_client zen.spamhaus.org=127.0.0.2,
> reject_rbl_client zen.spamhaus.org=127.0.0.3,
> reject_rbl_client zen.spamhaus.org=127.0.0.4,
> reject_rbl_client zen.spamhaus.org=127.0.0.10,
> reject_rbl_client zen.spamhaus.org=127.0.0.11,
>
> Those are, in order: SBL(chronic spam sources), CSS(snowshoers),
> CBL(spambots), PBL(ISP-designated dynamic), and PBL(Spamhaus-determined
> dynamic)
>
> > I haven't deployed postscreen yet, as I simply don't know enough about
> > it.
>
> It's designed for doing the simplest and most numerous spam rejections
> with the least effort. Its best features are the greeting delay, which
> catches many of the most aggressively obnoxious bots, and the ability to
> use multiple DNSBLs and DNSWLs in a scoring configuration. ~90% of the
> rejections my personal mail system does are by
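Added example (not part of any post in this thread): a Python model of the weighted scoring that postscreen applies to the postscreen_dnsbl_sites list in the message above, showing why one weight-4 listing reaches postscreen_dnsbl_threshold=4, why a "fresh" domain needs a second weight-2 hit, and how swl.spamhaus.org*-4 offsets a listing. The per-client DNSBL replies are constructed inputs, no DNS queries are made, and only exact-address filters are modelled.

```python
"""Offline model of postscreen's weighted DNSBL scoring (added illustration)."""

# Copied from the postscreen settings in the message above.
POSTSCREEN_DNSBL_THRESHOLD = 4
POSTSCREEN_DNSBL_SITES = """
    b.barracudacentral.org*4 bad.psky.me*4 zen.spamhaus.org*4
    dnsbl.cobion.com*2 bl.spameatingmonkey.net*2 fresh.spameatingmonkey.net*2
    dnsbl.anonmails.de*2 dnsbl.kempt.net*2 dnsbl.inps.de*2 bl.spamcop.net*2
    dnsbl.sorbs.net*2 psbl.surriel.com*2 bl.mailspike.net*2 bl.suomispam.net*2
    all.rbl.jp*2 swl.spamhaus.org*-4
"""


def parse_dnsbl_sites(value):
    """Parse 'domain[=filter][*weight]' entries (comma or whitespace separated).

    Returns a list of (domain, filter_or_None, weight); weight defaults to 1.
    """
    sites = []
    for entry in value.replace(",", " ").split():
        spec, star, weight = entry.partition("*")
        domain, _, reply_filter = spec.partition("=")
        if not domain:
            raise ValueError(f"missing domain in entry {entry!r}")
        sites.append((domain.lower(), reply_filter or None,
                      int(weight) if star else 1))
    return sites


def dnsbl_score(sites, replies):
    """Sum the weights of every configured list that answered for the client.

    `replies` maps a DNSBL domain to the A records it returned. Here that is
    constructed test input; postscreen gets the answers from its dnsblog
    service. A filter, when present, must equal one of the returned addresses
    (the [a;b] and [a..b] filter patterns are not modelled).
    """
    total, matched = 0, []
    for domain, reply_filter, weight in sites:
        answers = replies.get(domain, [])
        hit = bool(answers) if reply_filter is None else reply_filter in answers
        if hit:
            total += weight
            matched.append((domain, weight))
    return total, matched


def verdict(sites, replies, threshold=POSTSCREEN_DNSBL_THRESHOLD):
    """The threshold is an inclusive lower bound: score >= threshold blocks."""
    score, matched = dnsbl_score(sites, replies)
    return ("block" if score >= threshold else "pass"), score, matched


SITES = parse_dnsbl_sites(POSTSCREEN_DNSBL_SITES)

# Constructed lookups for four hypothetical clients (return codes are samples).
CASES = {
    "one weight-4 list": {"zen.spamhaus.org": ["127.0.0.4"]},
    "fresh domain only": {"fresh.spameatingmonkey.net": ["127.0.0.2"]},
    "two weight-2 lists": {"fresh.spameatingmonkey.net": ["127.0.0.2"],
                           "bl.spamcop.net": ["127.0.0.2"]},
    "listed but whitelisted": {"zen.spamhaus.org": ["127.0.0.2"],
                               "swl.spamhaus.org": ["127.0.0.2"]},
}

if __name__ == "__main__":
    for name, replies in CASES.items():
        action, score, matched = verdict(SITES, replies)
        print(f"{name:24} score={score:>2} -> {action}  {matched}")
```
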
RE: thousands of "lost connection after AUTH"
They are after username/passwords.
And when that happens they will use your server as relay.

Happened on one of my servers also.
One of my users used his email and pass in facebook and linkedin.
And the same as on the server.. :-/

About 60.000 mails were tried to send over my server.

What I did was, I limited the use of sasl auth with my firewall to only from within my country with xtables geo block.
Port 25 does not allow sasl, only 587 is allowed and that port is limited to my country.
And I told my user to never use the same username/pass of the server on any other place.

Greetz,

Louis

> -Original message-
> From: thomas.keller8...@gmail.com [mailto:owner-postfix-us...@postfix.org]
> On behalf of Thomas Keller
> Sent: Friday 24 June 2016 9:50
> To: Postfix users
> Subject: thousands of "lost connection after AUTH"
>
> This is not a real problem, but I am curious to understand what is
> happening here.
>
> I am running a small postfix server for personal use. One thing that I
> observe over and over again is thousands of "lost connection after AUTH"
> connections, such as these:
>
> 08:23:19 postfix/smtpd[4925]: connect from unknown [155.133.38.30]
> 08:23:19 postfix/smtpd[4925]: lost connection after AUTH from unknown
> [155.133.38.30]
> 08:23:19 postfix/smtpd[4925]: disconnect from unknown [155.133.38.30]
>
> now, these are not causing much trouble for me (other than flooding my
> logs), and I know I can tweak the anvil rate limits (I am using these
> below and since these "lost connection after auth" happen every 1 - 2
> minutes, they are not caught by my anvil filter.):
>
> anvil_rate_time_unit= 60s
> smtpd_client_connection_rate_limit = 10
> smtpd_client_message_rate_limit = 10
> smtpd_client_new_tls_session_rate_limit = 10
>
> I am curious to know, who are these agents connecting to my server, and
> what are they trying to achieve ?
>
> AFAICT, they don't even attempt to send spam, or use me as relay. What
> do they want?
>
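Added example (not from the thread): a Python sketch that counts "lost connection after AUTH" events per client over a window much longer than the 60s anvil unit quoted above, which is how a client that probes once every 1-2 minutes and so never approaches a limit of 10 per 60s still gets flagged. The log lines are constructed in the shape of the excerpt, with documentation addresses; the one-hour window and the threshold of 5 are assumptions to tune per site.

```python
"""Flag slow SASL probing that a 60s anvil window never sees (added example)."""
import re
from collections import defaultdict, deque

# Matches lines shaped like the excerpt: "HH:MM:SS postfix/smtpd[pid]: ...",
# including a renamed service such as postfix/submission/smtpd, and tolerates
# the space before "[ip]" that mail re-wrapping introduced in the quote.
LOST_AFTER_AUTH = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}) postfix/(?:[\w-]+/)?smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+?\s*\[([0-9A-Fa-f:.]+)\]"
)


def auth_drop_times(lines):
    """Return {client_ip: [seconds since midnight, ...]} for matching lines.

    The excerpt carries no date, so a single day of log is assumed.
    """
    events = defaultdict(list)
    for line in lines:
        m = LOST_AFTER_AUTH.match(line.strip())
        if m:
            hours, minutes, seconds, ip = m.groups()
            events[ip].append(int(hours) * 3600 + int(minutes) * 60 + int(seconds))
    return events


def peak_in_window(times, window):
    """Largest number of events falling inside any `window`-second span."""
    recent, peak = deque(), 0
    for t in sorted(times):
        recent.append(t)
        while recent[0] <= t - window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def find_slow_probers(lines, window=3600, threshold=5):
    """Clients with at least `threshold` AUTH drops inside `window` seconds."""
    hits = []
    for ip, times in auth_drop_times(lines).items():
        peak = peak_in_window(times, window)
        if peak >= threshold:
            hits.append((ip, peak))
    return sorted(hits, key=lambda item: -item[1])


def build_sample_log():
    """Constructed log: one client probing every 90s, one user dropping once."""
    lines = []
    for i in range(12):
        t = 8 * 3600 + 90 * i
        stamp = f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"
        for msg in ("connect from unknown[198.51.100.7]",
                    "lost connection after AUTH from unknown[198.51.100.7]",
                    "disconnect from unknown[198.51.100.7]"):
            lines.append(f"{stamp} postfix/smtpd[4925]: {msg}")
    lines.append("08:05:12 postfix/smtpd[4931]: lost connection after AUTH "
                 "from client.example.net[192.0.2.20]")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    per_ip = auth_drop_times(SAMPLE_LOG)
    for ip, peak in find_slow_probers(SAMPLE_LOG):
        print(ip, "peak per hour:", peak,
              "peak per 60s:", peak_in_window(per_ip[ip], 60))
```
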
postfix sasl auth required
Hi,

I'm testing out my servers and I noticed the following:

telnet localhost 587
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydomain.tld ESMTP Ready
ehlo localhost
250-mail.mydomain.tld
250-PIPELINING
250-SIZE 1536
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I'm missing my 250-AUTH here after starttls.
Or is this because of: "smtpd_tls_auth_only = yes"?

I can't figure out what I missed, or if by default, if "smtpd_tls_auth_only = yes" is set, no auth is offered?
And is ETRN needed on the sasl auth?

Postfix 2.11.x

I'm now having in master.cf:

submission inet n - - - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING

and main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

Greetz,

Louis
RE: transport smtp failure after MySQL connection
Did you reboot the server? If not, try it first.

Why.. find out with:

apt-get install debian-goodies
checkrestart

But most of these can't restart, so rebooting the server is the only option.
When that's done, check again.

Greetz,

Louis

> -Original message-
> From: christian.ren...@iway.ch [mailto:owner-postfix-us...@postfix.org]
> On behalf of Christian Renner
> Sent: Wednesday 24 February 2016 16:36
> To: postfix-users@postfix.org
> Subject: transport smtp failure after MySQL connection
>
> Hi all
>
> We are using postfix smtp_tls_policy_maps with a MySQL lookup table.
> This setup worked good until we upgraded the following packages today
> because of CVE-2015-7547 (it's a debian wheezy, upgraded as usual via apt-
> get upgrade):
>
> libc-bin:amd64 (2.13-38+deb7u7, 2.13-38+deb7u10), libc6-dev:amd64 (2.13-
> 38+deb7u7, 2.13-38+deb7u10), libc-dev-bin:amd64 (2.13-38+deb7u7, 2.13-
> 38+deb7u10), libc6:amd64 (2.13-38+deb7u7, 2.13-38+deb7u10),
> libk5crypto3:amd64 (1.10.1+dfsg-5+deb7u2, 1.10.1+dfsg-5+deb7u7),
> dnsutils:amd64 (9.8.4.dfsg.P1-6+nmu2+deb7u3, 9.8.4.dfsg.P1-6+nmu2+deb7u9),
> libmysqlclient18:amd64 (5.5.41-0+wheezy1, 5.5.47-0+deb7u1), libssl-
> dev:amd64 (1.0.1e-2+deb7u15, 1.0.1e-2+deb7u19), openssl:amd64 (1.0.1e-
> 2+deb7u15, 1.0.1e-2+deb7u19), mysql-common:amd64 (5.5.41-0+wheezy1,
> 5.5.47-0+deb7u1), mysql-client-5.5:amd64 (5.5.41-0+wheezy1, 5.5.47-
> 0+deb7u1), libssl1.0.0:amd64 (1.0.1e-2+deb7u15, 1.0.1e-2+deb7u19)
> (plus some other packages definitely not related to postfix/mysql)
>
> so mainly libc and mysql-client was upgraded. postfix-packages were left
> untouched.
>
> Now smtp is crashing right after it tries to connect to the mysql-host:
>
> Feb 24 15:20:33 sig01 postfix/smtp[8796]: dict_mysql_get_active:
> attempting to connect to host mysql.host.tld
> Feb 24 15:20:33 sig01 postfix/qmgr[6794]: warning: private/smtp socket:
> malformed response
> Feb 24 15:20:33 sig01 postfix/qmgr[6794]: warning: transport smtp failure
> -- see a previous warning/fatal/panic logfile record for the problem
> description
> Feb 24 15:20:33 sig01 postfix/master[6785]: warning: process
> /usr/lib/postfix/smtp pid 8796 killed by signal 11
>
> Mails remain in queue with: status=deferred (unknown mail transport error)
> Outside of postfix I am able to connect to the mysql server (from the
> affected machine) without any problems.
>
> Anyone here with an idea how to fix this?
>
> Regards
> Christian
RE: Change Temporary failure in name resolution response code
First in reply to. . ... cannot find your hostname

Optional to add:

unknown_hostname_reject_code = 550

But if you have dns problems, everything gets rejected, as Wietse already told you.. .. but I think.. , so what, the sender does get the NDR, he can send again, but that's a choice. And think carefully about it.

Optional add:

unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550

And this is the best trick of all imo.
Set up Postfix with postscreen with multiple rbls. ( make sure you use postfix 2.10+ )
Like :

postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    dnsbl.anonmails.de
    dnsbl.kempt.net
    dnsbl.inps.de
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    swl.spamhaus.org*-4
    bl.suomispam.net
    bad.psky.me

Now create a fail2ban filter postfix-dnsblog.conf with :

[INCLUDES]
before = common.conf

failregex = client \[<HOST>\] blocked using multiple DNS-based blocklists
            addr <HOST> listed by domain

and enable it. Let it trigger on 1 hit; I have set the ban time to 1 week, if they come back this time is extended with a week.. :-)

Result: you save cpu time, resources, offload the dns servers and reduce the dns queries to the blocklist servers.

And optional the postscreen_dnsbl_reply_map.pcre file:

!/^zen\.spamhaus\.org$/ multiple DNS-based blocklists, see http://multirbl.valli.org/

Also I added a caching dns server on localhost; I have 3 forwarding dns ip numbers with 3 different providers to reduce the chance of dns problems.
This works very very good for me, until now no errors, running a year with this setup now.

Last one to help out against spam.
Add this to your dns. ( make sure tarbaby is the highest MX. )

MX 30 tarbaby.junkemailfilter.com.

The guys at junkemailfilter.com check if the lower mx-s are up and so we help in detecting spamming servers.
Read more about it here.
http://wiki.junkemailfilter.com/index.php/Project_tarbaby
The junkemailfilter is used in my spamassassin.

Greetz,

Louis

> -Original message-
> From: b...@knoxvillechristian.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Bill Shirley
> Sent: Friday 5 February 2016 5:21
> To: postfix-users@postfix.org
> Subject: Re: Change Temporary failure in name resolution response code
>
> You might want to have a look at fail2ban. It monitors log files and
> blocks the offender by inserting an iptables DROP entry.
>
> I block a lot of spammers this way. I wouldn't think of running a mail
> server without it.
>
> Bill
>
>
> On 2/4/2016 4:10 PM, Inteq Solution - Dep. Tehnic wrote:
> > Thank you Wietse,
> >
> > 450 it is then.
> >
> >
> > Razvan Constantin
> >
> > -Original Message-
> > From: owner-postfix-us...@postfix.org
> > [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
> > Sent: Thursday, February 04, 2016 11:06 PM
> > To: Postfix users
> > Subject: Re: Change Temporary failure in name resolution response code
> >
> > Inteq Solution - Dep. Tehnic:
> >> "The unknown_client_reject_code parameter specifies the response code
> >> for rejected requests (default: 450). The reply is always 450 in case
> >> the
> >> address->name or name->address lookup failed due to a temporary
> problem."
> >>
> >> But is there a way to change this behaviour to 550/554?
> > No. You would lose mail whenever DNS times out, and that would be worse
> than
> > having some client retry repeatedly. Unless you are running Postfix in a
> > very limited environment, repeated retries from one system should not be
> a
> > problem.
> >
> >> This situation is not exactly temporary and it is happening for over a
> >> month. I could just forget about it, but this server's retry is very
> >> very low.
> > Postfix considers timeouts as a temporary error. Handling them as a hard
> > error would do more harm than good. But I repeat myself.
> >
> > Wietse
> >
RE: Can anyone decipher this Policyd-spf error?
Switch to the perl version of this and your problem is fixed.

Use postfix-policyd-spf-perl
Not postfix-policyd-spf-python

Both work the same, but the perl version works fine with ipv6 on my server.

Greetz,

Louis

> -Original message-
> From: t...@whyscream.net [mailto:owner-postfix-us...@postfix.org] On behalf of Tom
> Hendrikx
> Sent: Friday 5 February 2016 9:56
> To: postfix-users@postfix.org
> Subject: Re: Can anyone decipher this Policyd-spf error?
>
> Hi,
>
> As the ticket says, the error is caused by handling ipv6 addresses. When
> you hit any troubles later, you could look into disabling ipv6 :/
>
> Regards,
> Tom
>
> On 05-02-16 00:08, Danny Horne wrote:
> > Thanks for both replies,
> >
> > I've just checked and I'm running python-ipaddr 2.1.9, with no updates
> > available. I can live with the problem for now, I think this is the
> > only time I've seen that error (though that doesn't mean it hasn't
> > happened before).
> >
> > Thanks again for your help
> >
> > On 04/02/2016 9:34 pm, Scott Kitterman wrote:
> >> On Thursday, February 04, 2016 04:19:54 PM Bill Cole wrote:
> >>> On 4 Feb 2016, at 15:52, Danny Horne wrote:
> Hi all,
>
> I am getting the following error on just one email address from
> policyd-spf, called from Postfix. No other email address has caused
> me
> problems (as far as I'm aware) and I had to completely disable
> policyd-spf in Postfix to allow the email through. Can anyone
> decipher
> what the problem was?
> >>> Only enough to be sure that the problem happened inside policyd-spf
> and
> >>> that you're using the Python implementation, not the Perl one, since
> >>> that log mess is a Python error traceback.
> >>>
> >>> These lines tell the immediate error:
> >>>
> >>> Feb 4 14:32:06 gallium policyd-spf[8810]: File
> >>> "/usr/lib/python2.7/site-packages/spf.py", line 1206, in dns_a
> >>> Feb 4 14:32:06 gallium policyd-spf[8810]:return
> >>> [ipaddress.Bytes(ip) for ip in r]
> >>> Feb 4 14:32:06 gallium policyd-spf[8810]: AttributeError: 'module'
> >>> object has no attribute 'Bytes'
> >>>
> >>> That would *probably* be meaningful to the developers of policyd-spf
> and
> >>> perhaps to any good Python developer. To me it says "spf.py has a bug"
> >>> but my guess is far from expert.
> >>>
> >>> Looks possible that this is your answer:
> >>>
> >>> https://bugs.launchpad.net/pypolicyd-spf/+bug/1229862/comments/3
> >> I believe that's correct. I just confirmed that ipaddr.Bytes (which
> gets used
> >> as ipaddress.Bytes in this policy server for python3 compatibility) was
> added
> >> in ipaddr-py 2.1.10, so running with an older version will cause that
> error.
> >>
> >> Scott K
> >
> >
RE: lmtp: transport unavailable
Ok, debian, my thing.. ;-)

Try :

Edit /etc/dovecot/dovecot.conf

To change :

protocols = imap lmtp

And add:

service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
    }
}

protocol lmtp {
    postmaster_address=postmas...@yourdomain.com
    hostname=mail.yourdomain.com
}

And in postfix main.cf:

mailbox_transport = lmtp:unix:private/dovecot-lmtp

Is this a setup with dovecot with sql? Then you need some extra things.

Greetz,

Louis

> -Original message-
> From: ar...@sanusi.de [mailto:owner-postfix-us...@postfix.org] On behalf of Arian
> Sanusi
> Sent: Wednesday 20 January 2016 14:44
> To: postfix-users@postfix.org
> Subject: Re: lmtp: transport unavailable
>
>
> >> Just did - the only thing that's there is not helpful to me,
> >> either: Jan 20 11:31:40 chichak postfix/qmgr[31189]: warning:
> >> connect to transport private/local: Connection refused
>
> > Looks like lack of rights or wrong path.
> lack of rights: postfix should be able to use the socket, if it actually
> has the path, as
> # ls /var/spool/postfix/private/dovecot-lmtp -l
> srw--- 1 postfix postfix 0 Jan 20 10:24
> /var/spool/postfix/private/dovecot-lmtp
>
>
> > Did you run your smtp-source test as user postfix?
> yes: makes no difference.
>
>
> > BTW - what user is your dovecot running with?
> root, standard debian config.
>
>
> > What makes you sure, postfix will try to use
> > /var/spool/postfix/private/dovecot-lmtp?
>
> nothing makes me sure, as postfix does not actually say anywhere which
> socket it tries to use. (as long as the private/local above is not the
> path - I don't know where it'd get that, it's not mentioned in the config)
> There's some doku mentioning this[1], and main.cf has the entries quoted
> before, which should point there after chrooting.
>
> [1] http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
RE: Helo Checks not always working?
These are 2 different things.

Unknown hostname is a missing PTR record.

For that you can use :

smtpd_client_restrictions = ...

"unknown" is also the name in the case of a temporary dns lookup failure, so using 5xx for all "unknown" is not a good idea.

# reject_unknown_client_hostname: requires that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address
# reject_unknown_reverse_client_hostname: Reject the request when the client IP address has no address->name mapping. This is a weaker restriction than the reject_unknown_client_hostname

Greetz,

Louis

> -Original message-
> From: tn-post...@saarcube.de [mailto:owner-postfix-us...@postfix.org]
> On behalf of Thomas Nagel
> Sent: Thursday 7 January 2016 14:18
> To: Postfix users
> Subject: Helo Checks not always working?
>
> Hello,
>
> we encountered a strange behaviour.
>
> We enabled smtp_helo_restrictions:
>
> smtpd_helo_required = yes
>
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unlisted_recipient,
>     # check_client_access hash:/etc/postfix/
>     check_helo_access hash:/etc/postfix/check_helo_access
>     reject_invalid_helo_hostname
>     reject_non_fqdn_helo_hostname
>     reject_unknown_helo_hostname
>
> unknown_hostname_reject_code = 550
>
> in the "check_helo_access" map there are only certain senders with their
> special invalid HELOs whitelisted, but no "unknown" or the mentioned IP
> address.
>
> Most of the time connectors with invalid DNS Records are blocked like
> this:
>
>
> Jan 3 06:36:21 server postfix/smtpd[23338]: connect from
> unknown[190.11.55.217]
> Jan 3 06:36:22 server postfix/smtpd[23338]: NOQUEUE: reject: RCPT from
> unknown[190.11.55.217]: 504 5.5.2 <190.11.55.217>: Helo command
> rejected: need fully-qualified hostname; from=<>
> to=proto=SMTP helo=<190.11.55.217>
>
> - but sometimes we see this:
>
> Jan 5 16:43:30 server postfix/smtpd[13577]: connect from
> unknown[195.22.126.188]
> Jan 5 16:43:30 server postgrey[2604]: action=pass, reason=recipient
> whitelist, client_name=unknown, client_address=195.22.126.188,
> sender=i...@gmail.com, recipient=i...@example.com
> Jan 5 16:43:30 server postfix/smtpd[13577]: B064010A1B5E:
> client=unknown[195.22.126.188]
> Jan 5 16:43:30 server postfix/cleanup[13133]: B064010A1B5E:
> message-id=<20160105094329.fab7ffc87cc25...@gmail.com>
> Jan 5 16:43:30 server postfix/qmgr[4924]: B064010A1B5E:
> from= , size=2536, nrcpt=1 (queue active)
> Jan 5 16:43:30 server postfix/smtpd[13577]: disconnect from
> unknown[195.22.126.188]
>
> Shouldn't this be blocked when the helo restrictions are applied? So the
> mail shouldn't actually be passed on?
>
> Thanks,
>
> Thomas.
Re: SASL binds
Never knew this, what is the SPN postfix/sasl needs?

And a simple way to make the client work: set up a samba client; if set up correctly, samba will refresh the keytab file.
If someone wants info on this, I can answer Monday again.

Greetz,

Louis

> On 1 Jan 2016 at 21:17, Viktor Dukhovni wrote the following:
>
>> On Fri, Jan 01, 2016 at 02:46:33PM -0500, Brendan Kearney wrote:
>>
>> Postfix version - 3.0.3 running on Fedora 22. MIT Kerberos and OpenLDAP are
>> being used.
>>
>> my ldap-users.cf file, for example:
>> server_host = ldap://server1.bpk2.com ldap://server2.bpk2.com
>> search_base = dc=bpk2,dc=com
>> version = 3
>>
>> bind = sasl
>> bind_dn = uid=mta,ou=processUsers,ou=Users,dc=bpk2,dc=com
>> sasl_mechs = gssapi
>> sasl_realm = BPK2.COM
>>
>> query_filter = (mail=%s)
>
> Where is the credential cache for the "postfix" ($mail_owner) user?
>
>> the above results in the below error logs:
>> Jan 01 14:33:50 mail postfix/trivial-rewrite[17185]: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more information (No
>> Kerberos credentials available)
>
> Not surprising, you need a cred cache.
>
>> I am assuming the keytab, /etc/postfix/postfix.keytab would be used to bind
>> to the directory, but i am not sure.
>
> No, Kerberos keytabs are not credential caches. You need to run "kinit"
> to obtain credentials via a keytab. I recommend an hourly cron job
> that runs as "postfix":
>
>     export KRB5_KTNAME=FILE:/etc/postfix/postfix.keytab
>     export KRB5CCNAME=FILE:$(postconf -xh queue_directory)/ccache
>     principal=smtp/$(uname -n)
>     kinit -k "$principal"
>
> Then in main.cf add:
>
>     # var=import_environment
>     # val=$(postconf -h "$var")
>     # postconf -e "$var = $val KRB5CCNAME=FILE:\${queue_directory}/ccache"
>
>> import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY
>> DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/postfix.keytab
>> export_environment = TZ MAIL_CONFIG LANG KRB5_KTNAME
>
> This suffices for Postfix as a Kerberos server, but not as a Kerberos
> client.
>
> --
>     Viktor.
>
RE: 53% of Postfix servers are black-listed (DNSBL)
Well, you're allowed to have your opinion .. no problems with that.
And good for you then, there are other MTAs you can try to configure..

I'm using postfix for more than 10 years now, and I'm very happy with it.
I get about 0.05% spam of all mails, and that 0.05% is caught by spamassassin, I don't see any spam at all.
So yeah, if you don't know how to configure it, you get spam.. yes.

Besides that.

> 90% of global e-mail is SPAM.

Yes ! Correct, why? Because crappy IT guys configure their servers wrong.
No postfix blame here imo.

> 91% of targeted attacks start with e-mail.

See above..

> What is Postfix's share of SPAM?

We don't care about the postfix "spam" share..
Have a look at microsoft exchange... 94% !!! of exchange are open relays..
Exim... 56% of exim servers are blacklisted.
Novell GroupWise, 54% is in US.
You see, useless stats without content.

> Who makes Postfix?

A very nice dutch guy, living in the US..:-)

> What is wrong with Postfix?

Nothing, if you configure it right, and based on what you're saying... (... not typing that)

And last.

> > Received: from 1-160-101-156.dynamic.hinet.net ([1.160.101.156]:52001
> > helo=uwtir.com) by seth.lunarpages.com with esmtpsa [...]
>
> > Received: from localhost (localhost.localdomain [127.0.0.1])
> > by zimbra.baycix.de (Postfix) with ESMTP id E7078416A85 [...]

Shows how badly you have configured your server. (sorry)

Greetz,

Louis

> -Original message-
> From: se...@runbox.com [mailto:owner-postfix-us...@postfix.org] On behalf of sb
> Sent: Tuesday 29 December 2015 13:02
> To: majord...@cloud9.net; postfix users
> Subject: 53% of Postfix servers are black-listed (DNSBL)
>
>
> 90% of global e-mail is SPAM.
> 91% of targeted attacks start with e-mail.
>
> What is Postfix's share of SPAM?
>
>
> A recent survey of 2.8M SMTP servers shows the following.
>
> - 53% of Postfix servers are black-listed (DNSBL)
>   http://www.mailradar.com/mailstat/mta/Postfix.html
>
> - 44% of open relays are Postfix servers
>   http://www.mailradar.com/mailstat/open-relay/
>
> - 35% of Postfix servers are hosted in the USA
>   http://www.mailradar.com/mailstat/mta/Postfix.html
>
> Who makes Postfix?
> --
>
>   Wietse Venema
>   IBM T.J. Watson Research
>   P.O. Box 704
>   Yorktown Heights, NY 10598, USA
>
> What is Postfix's share of the SMTP server market?
> --
>
> A recent survey of 2.3M SMTP servers shows the following.
>
> #1: 53.25% EXIM
> #2: 32.64% POSTFIX
> #3: 6.66% SENDMAIL
> http://www.securityspace.com/s_survey/data/man.201511/mxsurvey.html
>
> What is wrong with Postfix?
> ---
>
> Suppose you are a school/SME/you-name-it, you want a secure server,
> and you run Postfix. The following is what you get in your inbox.
>
> > Date: Thu, 17 Dec 2015 15:6:1
>
> > From: paulnoah@
>
> > Message-ID: <8038f16fe88ca0b6a66649d005c232e9@localhost.localdomain>
>
> > Received: from 1-160-101-156.dynamic.hinet.net ([1.160.101.156]:52001
> > helo=uwtir.com) by seth.lunarpages.com with esmtpsa [...]
>
> > Received: from localhost (localhost.localdomain [127.0.0.1])
> > by zimbra.baycix.de (Postfix) with ESMTP id E7078416A85 [...]
>
> > Received: from [127.0.0.1] by omp1062.mail.bf1.yahoo.com with NNFMP;
> 25 Dec 2015 23:24:21 -
>
> > Received: from uhosp.example.com ([37.230.116.83])
>
> > Received: [...]
> >...
> > Message-ID: [...] <---
> > Delivered-To: [...]
> > Received: [...]
> > Received: [...]
> > [anonymised]
> > To:>
> >...
> > Reply-To:
>
> There are more examples, and they all reduce to Postfix accepting
> incoming e-mail whose origin and envelope are not RFC compliant.
>
> In fact, the task of writing PCRE parsers and policies is delegated
> to the user, that is you, as part of your own configuration
> (access, helo_access, header_checks, etc).
>
> Writing such parsers and policies is highly rewarding: my servers
> reject 95% of SPAM by rejecting non-RFC-compliant e-mails, without
> any DNSxL or anti-spam add-on. The task required months of full-time
> labour. The same task cannot be brought to completion, however.
>
> The postfix-users forum would be a good place where to discuss
> Postfix's problems in detail. However, the same forum is rather focused
> on self-celebration than active collaboration, where attempts to
> address SPAM as a problem are scornfully dismissed. Given the above
> statistics, this is no longer surprising.
>
> Postfix is easy on the spammers and hard on the honest.
>
> unsubscribe postfix-users
RE: How to Block EHLO/HELO that has IP Only
This is how I run it (Postfix 2.11.x on Debian Jessie).
This stops a lot of "spamming" servers, and if anyone sees improvements... I'm all ears ;-)
This was a drop of about 90% of all spam; the remaining spam used "good" configured servers.. :-/ but for that there is SpamAssassin..

unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/overrule/allow_client_access.map,
    check_client_access cidr:/etc/postfix/cidr/drop.spamhaus-lasso.cidr,
    check_client_access cidr:/etc/postfix/cidr/drop.tor-exitnode-ips.cidr,
    check_client_access cidr:/etc/postfix/cidr/drop.bad-networks.cidr,
    weightcheck_policy,
    spfcheck_policy,
    #greycheck_policy,
    reject_unauth_destination,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unauth_pipelining

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining

In the helo.pcre put all known hostnames and IPs your server is using.

## Name based
/^localhost$/                   554 Don't use my own hostname
/^localhost\.localdomain$/      554 Don't use my own hostname
/^localhost\.domain\.tld$/      554 Don't use my own hostname
/^ip6-localhost$/               554 Don't use my own hostname
/^domain\.tld$/                 554 Don't use my own domainname
/^hostname\.domain\.tld$/       554 Don't use my own hostname
## IP Based
/^127\.0\.0\.1$/                554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/            554 Don't use my own IP address
/^\:\:1$/                       554 Don't use my own IP address
/^\[\:\:1\]$/                   554 Don't use my own IP address
/^1\.2\.3\.4$/                  554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/              554 Don't use my own IP address

If you get in trouble with customers.. in overrule/allow_helo_access.map put in (IP OK):
1.2.3.4 OK

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_mx_access cidr:/etc/postfix/cidr/check_sender_mx_access.cidr,
    reject_unauth_pipelining

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_recipient_domain

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf

### Before-220 tests (postscreen / DNSBL)
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    cidr:/etc/postfix/cidr/postscreen_spamhaus-lasso_access.cidr
postscreen_dnsbl_reply_map = pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_threshold = 4
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    dnsbl.anonmails.de
    dnsbl.kempt.net
    dnsbl.inps.de
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    swl.spamhaus.org*-4
postscreen_whitelist_interfaces = $mynetworks, static:all

Greetz,

Louis

> -----Original message-----
> From: nico...@devels.es [mailto:owner-postfix-us...@postfix.org] On behalf of Nicolás
> Sent: Wednesday 23 December 2015 16:10
> To: postfix-users@postfix.org
> Subject: Re: How to Block EHLO/HELO that has IP Only
>
> On 23/12/15 at 08:38, L. D. James wrote:
> > I have many log entries where there are "helo=[1.2.3.4]" entries with
> > no domain name. It has an IP address only. Each of these occasions
> > are unwanted spam messages.
> >
> > Can someone specify a policy restriction that will block these messages.
> >
> > An example from the log is:
> >
> > Dec 22 16:00:52 hera5 policyd-spf[9883]: None; identity=mailfrom; client-ip=75.211.27.210; helo=[63.205.88.41]; envelope-from=dtrue-nore...@example.com; receiver=u...@example.com
> >
> > Thanks in advance for any suggestions on this.
> >
> > -- L. James
>
> You can use reject_non_fqdn_helo_hostname in the smtpd_helo_restrictions
> parameter. For example:
>
> smtpd_helo_restrictions =
>     permit_mynetworks
>     reject_non_fqdn_helo_hostname
>     reject_unknown_helo_hostname
>     permit
>
> Regards,
>
> Nicolás
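The HELO forms discussed in this thread, as an added example (not code from any of the posters): a Python script that reads policyd-spf log lines in the format quoted above, sorts each `helo=` value into address literal, bare IP, non-FQDN or FQDN, and flags a HELO address that differs from `client-ip`. The log lines are constructed with documentation addresses, and the category and function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed log lines in the policyd-spf format quoted in the thread
# (documentation addresses and domains, not real traffic).
SAMPLE_LOG = """\
Dec 22 16:00:52 mx1 policyd-spf[9883]: None; identity=mailfrom; client-ip=198.51.100.10; helo=[192.0.2.41]; envelope-from=a@example.com; receiver=u@example.org
Dec 22 16:01:10 mx1 policyd-spf[9884]: Pass; identity=mailfrom; client-ip=198.51.100.20; helo=mail.example.net; envelope-from=b@example.net; receiver=u@example.org
Dec 22 16:02:31 mx1 policyd-spf[9885]: None; identity=mailfrom; client-ip=203.0.113.7; helo=203.0.113.7; envelope-from=c@example.com; receiver=u@example.org
Dec 22 16:03:02 mx1 policyd-spf[9886]: None; identity=helo; client-ip=203.0.113.9; helo=localhost; envelope-from=d@example.com; receiver=u@example.org
Dec 22 16:04:45 mx1 policyd-spf[9887]: None; identity=mailfrom; client-ip=2001:db8::25; helo=[IPv6:2001:db8::25]; envelope-from=e@example.com; receiver=u@example.org
"""

# key=value fields of interest; "identity=helo" does not match because
# the key must be followed directly by "=".
FIELD_RE = re.compile(r"\b(client-ip|helo)=([^;\s]+)")
# One DNS label: letters, digits and inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_ip(text):
    """Return an ipaddress object, or None when text is not an IP address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def helo_address(helo):
    """Return the IP carried in a HELO argument ([1.2.3.4], [IPv6:...] or 1.2.3.4)."""
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        return parse_ip(inner)
    return parse_ip(helo)


def classify_helo(helo):
    """Classify a HELO argument; the category names are this example's own."""
    if helo.startswith("["):
        return "address-literal" if helo_address(helo) is not None else "invalid"
    if parse_ip(helo) is not None:
        return "bare-ip"          # an IP without the brackets an address literal needs
    labels = helo.rstrip(".").split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return "invalid"
    return "fqdn" if len(labels) >= 2 else "non-fqdn"


def scan(log_text):
    """Return one finding per log line that carries a helo= field."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "helo" not in fields:
            continue
        helo = fields["helo"]
        client = parse_ip(fields.get("client-ip", ""))
        addr = helo_address(helo)
        findings.append({
            "client_ip": fields.get("client-ip"),
            "helo": helo,
            "kind": classify_helo(helo),
            # True when the HELO names an IP other than the connecting one
            "helo_ip_mismatch": addr is not None and client is not None and addr != client,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("{client_ip:>15}  {kind:<16} mismatch={helo_ip_mismatch}  {helo}".format(**finding))
```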
RE: 2 questions: Can I add another smtp line into master.cf for spam assassin? & spa-policy.pl
Hi,

I run this on Debian Jessie, Postfix 2.11 (all Debian packages).

The route for me is like this:
-> postscreen -> policy-weight -> policy-spf -> clamsmtp (-> -> spamassassin) -> user

A1. I have in main.cf:
content_filter = clamsmtp:127.0.0.1:10025

A2. Yes, you can.

This is how I set it up. There may be improvements on this, but for now it works for me.
(I used this site for my example: https://wiki.dest-unreachable.net/pages/viewpage.action?pageId=15892484 )

Example master.cf:

smtp         inet  n  -  -  -  1   postscreen
smtpd        pass  -  -  -  -  -   smtpd
  -o content_filter=spamassassin
dnsblog      unix  -  -  -  -  0   dnsblog
tlsproxy     unix  -  -  -  -  0   tlsproxy
submission   inet  n  -  -  -  -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=spamassassin
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps        inet  n  -  -  -  -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=spamassassin
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
## Postfix SPF Check (package to install : postfix-policyd-spf-perl )
policy-spf   unix  -  n  n  -  0   spawn
  user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
## spamassasin (package to install : spamassassin spamd )
spamassassin unix  -  n  n  -  -   pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
## clamsmtp (package to install : clamsmtp )
clamsmtp     unix  -  -  n  -  16  smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
# reinjection from spamassassin into mailflow after checks
127.0.0.1:10026 inet n  -  n  -  16  smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

From: rob...@chalmers.com.au [mailto:owner-postfix-us...@postfix.org] On behalf of Robert Chalmers
Sent: Wednesday 2 December 2015 13:26
To: Postfix users
Subject: 2 questions: Can I add another smtp line into master.cf for spam assassin? & spa-policy.pl

Q1.
Already in my master.cf I have

smtp         inet  n  -  n  -  1   postscreen
#smtp        inet  n  -  n  -  -   smtpd -vv
smtpd        pass  -  -  n  -  -   smtpd
dnsblog      unix  -  -  n  -  0   dnsblog
tlsproxy     unix  -  -  n  -  0   tlsproxy
submission   inet  n  -  n  -  -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_milters=inet:127.0.0.1:8891
smtp         unix  -  -  n

However, the set up for spamassassin requires another smtp line.

smtp         inet  n  -  -  -  -   smtpd
  -o content_filter=spamfilter

So are they mutually exclusive? Or can I use it without breaking postfix already?

thanks

Q2
Is it possible to implement spfpolicy, and greypolicy and if so how? I have tried - but mail then fails.

Robert Chalmers
rob...@chalmers.com.au
Quantum Radio: http://tinyurl.com/lwwddov
Mac mini 6.2 - 2012, Intel Core i7, 2.3 GHz, Memory: 16 GB. El-Capitan 10.11. 2TB Storage made up of -
Drive 0: HGST HTS721010A9E630. Upper bay. Drive 1: ST1000LM024 HN-M101MBB. Lower Bay
RE: Suggestions for more logging?
Try starting spamd with --listen-ip 127.0.0.1 --listen-ip ::1

Greetz,

Louis

> -----Original message-----
> From: v...@cfcl.com [mailto:owner-postfix-us...@postfix.org] On behalf of Vicki Brown
> Sent: Wednesday 18 November 2015 9:13
> To: Postfix users
> Subject: Suggestions for more logging?
>
> I hunted up a better script for running SpamAssassin from postfix and
> tweaked it for more logging and better errors and I'm still seeing some
> odd behavior.
>
> e.g. from the system log:
>
> Nov 17 23:33:14 g3po spamchk[87681]: Spam filter piping to SpamAssassin: /usr/local/bin/spamc -x -E -s 10485760
> Nov 17 23:33:14 g3po spamchk[87683]: SpamAssassin marked message as spam; diverting.
> Nov 17 23:33:14 g3po spamchk[87686]: SpamAssassin marked message as spam; diverting.
> Nov 17 23:33:15 g3po spamchk[87691]: SpamAssassin marked message as spam; diverting.
> Nov 17 23:33:15 g3po spamchk[87694]: SpamAssassin marked message as spam; diverting.
> Nov 17 23:33:28 g3po postfix/qmgr[87590]: warning: connect to transport spamchk: Connection refused
> Nov 17 23:42:28 g3po postfix/qmgr[137]: warning: connect to transport spamchk: Connection refused
> Nov 17 23:47:27 g3po postfix/qmgr[137]: warning: connect to transport spamchk: Connection refused
> Nov 17 23:52:28 g3po postfix/qmgr[137]: warning: connect to transport spamchk: Connection refused
> Nov 17 23:52:29 g3po spamchk[419]: Spam filter piping to SpamAssassin: /usr/local/bin/spamc -x -E -s 10485760
> Nov 17 23:52:31 g3po spamchk[422]: SpamAssassin marked message as spam; diverting.
>
> Any suggestions as to why the script would just refuse connections for a
> while and then come back?
>
> What can I do to drill down into the cause of "connect to transport
> spamchk: Connection refused"
>
> - Vicki
RE: Disable spooling
> -----Original message-----
> From: pa...@matos-sorge.com [mailto:owner-postfix-us...@postfix.org] On behalf of Paulo Matos
> Sent: Monday 16 November 2015 21:14
> To: L.P.H. van Belle; postfix users
> Subject: Re: Disable spooling
>
> On 09/11/15 16:43, L.P.H. van Belle wrote:
> >
> >> -----Original message-----
> >> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org] On behalf of Noel Jones
> >> Sent: Monday 9 November 2015 16:05
> >> To: postfix-users@postfix.org
> >> Subject: Re: Disable spooling
> >>
> >> On 11/9/2015 3:46 AM, Paulo Matos wrote:
> >>> Hi,
> >>>
> >>> I have configured postfix with virtual users and virtual domains so I
> >>> have it configured to serve two domains AAA.com and BBB.com. However,
> >>> the machine hostname is centauri (none of the hostnames it's serving).
> >>> Reverse DNS is enabled to one of the domains. I think that as a result
> >>> of this setup I am getting a good chunk of my emails blocked by google
> >>> with the following message:
> >>>
> >>> Reporting-MTA: dns; centauri
> >>> X-Postfix-Queue-ID: D8B6D22FD3
> >>> X-Postfix-Sender: rfc822; pa...@matos-sorge.com
> >>> Arrival-Date: Thu, 5 Nov 2015 10:40:10 + (GMT)
> >>>
> >>> Final-Recipient: rfc822; x...@yyy.com
> >>> Original-Recipient: rfc822; x...@yyy.com
> >>> Action: failed
> >>> Status: 5.7.1
> >>> Remote-MTA: dns; aspmx.l.google.com
> >>> Diagnostic-Code: smtp; 550-5.7.1 Our system has detected an
> >>> 550-5.7.1 unusual rate of unsolicited mail originating from your IP
> >>> address. To 550-5.7.1 protect our users from spam, mail sent from
> >>> your IP address has been 550-5.7.1 blocked. Please visit 550-5.7.1
> >>> https://support.google.com/mail/answer/81126 to review our Bulk
> >>> Email 550 5.7.1 Senders Guidelines. ju5si7198479wjc.28 - gsmtp
> >>> --
> >>>
> >>> The problem is most likely that Reporting-MTA doesn't match any of the
> >>> hostnames of the email we are sending from.
> >>
> >> No, the problem is most likely google thinks they are receiving an
> >> unusual rate of unsolicited mail from your IP.
> >>
> >> - First, set your SMTP HELO hostname to match your rDNS hostname with
> >> http://www.postfix.org/postconf.5.html#smtp_helo_name
> >> This probably won't fix the problem with google, but may help with
> >> other sites that don't like a non-FQDN or nonexistent HELO name.
> >>
> >> - configure your network gateway firewall such that client machines
> >> cannot access outgoing port 25 to prevent an infected client machine
> >> on your network from directly sending mail to the internet.
> >>
> >> - configure SPF, DKIM, and DMARC for your domains. Looks as if you
> >> have SPF setup already.
> >>
> >> -- Noel Jones
> >
> > I suggest the following.
> >
> > (This is obligated by RFCs.)
> >
> > Make sure your HELO mail-hostname.domain.tld has an A record.
> > The HELO hostname must be resolvable.
> >
> > Make sure your hostname.domain.tld has an A and RR (PTR) record.
> > Most servers do not block on this because you will be blocking too many servers.
> > Lots of hosts give "unknown" back, so rejecting on unknown_hostname is not good imo.
> >
> > But an easy thing users/mail server managers can do is make sure the DNS
> > and HELO are correct.
> > So I do block on reject_invalid_helo_hostname reject_unknown_helo_hostname
> > and report back that they have incorrect server/DNS settings.
>
> How do you report that back?

For this one I use policyd-weight, and there you can also set your text.
http://www.policyd-weight.org/

> > My server's hostname, for example, is core.domain.tld (server hostname).
> > In Postfix I have mail.domain.tld (HELO hostname):
> > .. myhostname = mail.domain.tld
>
> For you to setup myhostname = mail.domain.tld and I guess you setup your
> FQDN to be domain.tld, does mail.domain.tld need to be a MX record?

[L.P.H. van Belle]
No. The myhostname in Postfix is the HELO.
I don't use domain.tld for any mail things; that's only for my web server.
I'm thinking of the future, where my web and mail servers are all on different servers, so no domain.tld on mail.

The realname.domain.tld one gets an A - MX and PTR record.
mailhelo.domainname.tld gets only an A record.

> > And you can set the same hostname in Postfix and use that also for your
> > server, but I don't recommend that.
> >
> > Then that's done, log in at Google and use the administrative tools from
> > Google to check your environment.
>
> I am new to that. Which tools?

[L.P.H. van Belle]
Good links to test:
https://support.google.com/mail/troubleshooter/2920052?hl=en
https://support.google.com/a/answer/140038?hl=en
https://www.google.com/webmasters/tools

Also handy:
https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard

> Thanks for your help.
>
> Paulo Matos
>
> > Greetz,
> >
> > Louis
RE: receiving message - checking mx record by postfix
Read: http://www.sorbs.net/faq/rfc_helo_enforcement.shtml
It also contains the links to the RFCs.

Greetz,

Louis

From: zalezny.niezale...@gmail.com [mailto:owner-postfix-us...@postfix.org] On behalf of Zalezny Niezalezny
Sent: Tuesday 10 November 2015 13:30
To: Postfix users
Subject: receiving message - checking mx record by postfix

Dear Colleagues,

I would like to understand how Postfix receives a message. I expect that Postfix has been written based on the RFC rules, so maybe somebody will be able to explain to me how it works inside - how this system receives a message and what is going on in the background.

Our consultant is trying hard to tell us that the server, during the receiving phase, checks the MX record of the domain from which the e-mail is coming. Does it really work this way?

I always thought that Postfix first checks the DNS A record (reverse DNS), then SPF etc. etc.

I always thought that the MX record provides clear information about the servers to which a client needs to send a message. But right now I'm completely out of space...

Does the system check the MX record when it's receiving a message or not?

Do you know where I may find the RFC which fully describes this SMTP process?

With kind regards

Zalezny
RE: Disable spooling
> -----Original message-----
> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org] On behalf of Noel Jones
> Sent: Monday 9 November 2015 16:05
> To: postfix-users@postfix.org
> Subject: Re: Disable spooling
>
> On 11/9/2015 3:46 AM, Paulo Matos wrote:
> > Hi,
> >
> > I have configured postfix with virtual users and virtual domains so I
> > have it configured to serve two domains AAA.com and BBB.com. However,
> > the machine hostname is centauri (none of the hostnames it's serving).
> > Reverse DNS is enabled to one of the domains. I think that as a result
> > of this setup I am getting a good chunk of my emails blocked by google
> > with the following message:
> >
> > Reporting-MTA: dns; centauri
> > X-Postfix-Queue-ID: D8B6D22FD3
> > X-Postfix-Sender: rfc822; pa...@matos-sorge.com
> > Arrival-Date: Thu, 5 Nov 2015 10:40:10 + (GMT)
> >
> > Final-Recipient: rfc822; x...@yyy.com
> > Original-Recipient: rfc822; x...@yyy.com
> > Action: failed
> > Status: 5.7.1
> > Remote-MTA: dns; aspmx.l.google.com
> > Diagnostic-Code: smtp; 550-5.7.1 Our system has detected an
> > 550-5.7.1 unusual rate of unsolicited mail originating from your IP
> > address. To 550-5.7.1 protect our users from spam, mail sent from
> > your IP address has been 550-5.7.1 blocked. Please visit 550-5.7.1
> > https://support.google.com/mail/answer/81126 to review our Bulk
> > Email 550 5.7.1 Senders Guidelines. ju5si7198479wjc.28 - gsmtp
> > --
> >
> > The problem is most likely that Reporting-MTA doesn't match any of the
> > hostnames of the email we are sending from.
>
> No, the problem is most likely google thinks they are receiving an
> unusual rate of unsolicited mail from your IP.
>
> - First, set your SMTP HELO hostname to match your rDNS hostname with
> http://www.postfix.org/postconf.5.html#smtp_helo_name
> This probably won't fix the problem with google, but may help with
> other sites that don't like a non-FQDN or nonexistent HELO name.
>
> - configure your network gateway firewall such that client machines
> cannot access outgoing port 25 to prevent an infected client machine
> on your network from directly sending mail to the internet.
>
> - configure SPF, DKIM, and DMARC for your domains. Looks as if you
> have SPF setup already.
>
> -- Noel Jones

I suggest the following.

(This is obligated by RFCs.)

Make sure your HELO mail-hostname.domain.tld has an A record.
The HELO hostname must be resolvable.

Make sure your hostname.domain.tld has an A and RR (PTR) record.
Most servers do not block on this because you will be blocking too many servers.
Lots of hosts give "unknown" back, so rejecting on unknown_hostname is not good imo.

But an easy thing users/mail server managers can do is make sure the DNS and HELO are correct.
So I do block on reject_invalid_helo_hostname reject_unknown_helo_hostname
and report back that they have incorrect server/DNS settings.

My server's hostname, for example, is core.domain.tld (server hostname).
In Postfix I have mail.domain.tld (HELO hostname):
.. myhostname = mail.domain.tld

And you can set the same hostname in Postfix and use that also for your server, but I don't recommend that.

Then that's done, log in at Google and use the administrative tools from Google to check your environment.

Greetz,

Louis
FW: Using postscreen_dnsbl_reply_map
> Hi Alex,
>
> I use the same as in the link you posted.
> http://rob0.nodns4.us/postscreen.html
> This is used for my base setup also.
>
> Just put all your servers (RBLs) in here and copy the response lines, like:
> /^zen\.spamhaus\.org$/           blocked by rbl, see http://multirbl.valli.org
> /^bl\.spameatingmonkey\.net$/    blocked by rbl, see http://multirbl.valli.org
> /^b\.barracudacentral\.org$/     blocked by rbl, see http://multirbl.valli.org
>
> And you see:
> postfix/postscreen[24336]: NOQUEUE: reject: RCPT from [199.182.172.6]:59429: 550 5.7.1 Service unavailable; client [199.182.172.6] blocked by rbl, see http://multirbl.valli.org;
>
> And as a tip, take fail2ban and let it monitor for "blocked by rbl",
> and you reduce your DNS queries a lot as well.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: mysqlstud...@gmail.com [mailto:owner-postfix-us...@postfix.org] On behalf of Alex
> > Sent: Thursday 22 October 2015 1:26
> > To: postfix users list
> > Subject: Re: Using postscreen_dnsbl_reply_map
> >
> > Hi,
> >
> > On Wed, Oct 21, 2015 at 10:38 AM, L.P.H. van Belle wrote:
> > > I just point everything to http://multirbl.valli.org so they can see if
> > > they are listed on multiple rbl servers.
> >
> > That's a great idea. How did you configure your system to do that?
> >
> > > And imo thats better, then, mailing, getting rejected, by for example
> > > spamhaus. Going to that site, checking,
> > > removing. Mailing again, and now again blocked, other rbl server etc.
> >
> > Absolutely.
> >
> > Thanks,
> > Alex
RE: Using postscreen_dnsbl_reply_map
I just point everything to http://multirbl.valli.org so they can see if they are listed on multiple RBL servers.

And imo that's better than mailing, getting rejected by, for example, Spamhaus, going to that site, checking, removing, mailing again, and now being blocked again by another RBL server, etc.

So I point to 1 site, and customers check there.

Greetz,

Louis

> -----Original message-----
> From: krem...@kreme.com [mailto:owner-postfix-us...@postfix.org] On behalf of @lbutlr
> Sent: Wednesday 21 October 2015 16:28
> To: Postfix users
> Subject: Re: Using postscreen_dnsbl_reply_map
>
> On Oct 20, 2015, at 7:44 PM, Alex wrote:
> > I'd like to obscure the names of the DNSBLs that we use in response to
> > emails that are rejected.
>
> Why would you do that? If someone hits your blocks and doesn’t know why
> they were blocked you may find yourself on blocklists yourself.
>
> --
> she [Esk] was already learning that if you ignore the rules people will,
> half the time, quietly rewrite them so they don't apply to you. --Equal
> Rites
RE: Initial test of postfix 3.0.2
This example should wil not relay over outlook.com without the correct outlook.com settings in the dns. Base on : from=to= proto=ESMTP @mygnus.com is missing the ms= and spf settings in the dns Greetz, Louis > -Oorspronkelijk bericht- > Van: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org] > Namens Noel Jones > Verzonden: vrijdag 18 september 2015 5:31 > Aan: postfix-users@postfix.org > Onderwerp: Re: Initial test of postfix 3.0.2 > > On 9/17/2015 9:17 PM, Tom Browder wrote: > > I have a brand new installation, from source, of Postfix 3.0.2 on > > Debian 7, 64-bit. I successfully did the initial local tests for > > postfix as described in "The Book of Postfix." > > Please note the book is now rather dated. While the examples and > general concepts are still valuable, lots of things have changed > since then. The official up-to-date documentation is supplied with > the source code, and also available on the postfix web page > http://www.postfix.org/documentation.html > > At a minimum, you should review the various RELEASE_NOTES to see > what has changed since the book was published. > > > (Note that I have > > virtual servers but have not yet configured postfix for handling > > them.) Then I made my first test for outbound mail to my personal > > gmail address and the mail.info file shows this: > > > > Sep 18 01:57:18 dedi2 postfix/smtpd[3154]: connect from > > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254] > > This is the smtpd process, which handles incoming mail. Someone who > uses Microsoft services is trying to send mail to your server. > > > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from > > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]: 454 > > 4.7.1 : Relay access denied; > > "Relay access denied" means that postfix is not configured to > receive mail for the mygnus.com domain, and the recipient is rejected. 
> http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination > http://www.postfix.org/VIRTUAL_README.html#canonical > http://www.postfix.org/ADDRESS_CLASS_README.html > http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions > > > from= to= proto=ESMTP > > helo= > > more details from the rejection. > > > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from > > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]: 454 > > 4.7.1 : Relay access denied; > > from= to= proto=ESMTP > > helo= > > A second rejected recipient... > > > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: disconnect from > > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254] ehlo=1 > > mail=1 rcpt=0/2 quit=1 commands=3/5 > > ... and the outlook.com client disconnects. > > Note these are 4xx deferrals, not 5xx rejects, so the sending client > will likely retry delivery periodically over the next several days. > > > > > And I have received no mail at my gmail address. > > The above logging shows attempts to receive mail. No logging here > about sending mail. > > > > > Looking at the messages above I note that the address > > is at one of my virtual hosts but I have no user > > by that name (and the IP address 157.56.112.254 is not known to me. > > > > I have set up my DNS records according to advice from this mailing list. > > > > I will read more in the book tonight but hope someone can point me in > > the right direction while I continue to study the problem. > > Basic debugging info: > http://www.postfix.org/DEBUG_README.html > > And to get help from this list: > http://www.postfix.org/DEBUG_README.html#mail > > > > -- Noel Jones
RE: Can Postscreen and Smapassassin be used together
Hi,

I'm thinking, why not put them together?
I run a setup like this: https://wiki.dest-unreachable.net/pages/viewpage.action?pageId=15892484
which uses postscreen, spamassassin and clamav, and this works very well for me.

And the load is not too much, but it depends on the amount of email you're processing.

The extra thing I added in the above setup is fail2ban + ufw, to offload the DNS queries and the server a bit.

I created the following in fail2ban.

jail.local:

[postfix-dnsblog]
enabled = true
port = all
filter = postfix-dnsblog
banaction = ufw-all
maxretry = 1
logpath = /var/log/mail.log
bantime = 84600

and in filter.d/postfix-dnsblog.conf:

[INCLUDES]
before = common.conf

[Definition]
failregex = addr <HOST> listed by domain

and the action, /etc/fail2ban/action.d/ufw-all.conf:

# Fail2Ban configuration file
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any
actionunban = ufw delete deny from <ip> to any

Greetz,

Louis

> -----Original message-----
> From: li...@planetcobalt.net [mailto:owner-postfix-us...@postfix.org] On behalf of Ansgar Wiechers
> Sent: Thursday 10 September 2015 9:27
> To: postfix-users@postfix.org
> Subject: Re: Can Postscreen and Smapassassin be used together
>
> On 2015-09-10 Robert Chalmers wrote:
> > I’m currently running postscreen, and am wondering how I would add
> > spamassassin to the main.cf configuration, or are they mutually
> > exclusive?
>
> I'm not sure if they technically can't be used together, but they
> shouldn't be. Spamassassin is rather heavyweight whereas Postscreen was
> designed to be a lightweight zombie deflection tool. You'd lose that
> low resource impact advantage by mixing the two.
>
> Regards
> Ansgar Wiechers
> --
> "Abstractions save us time working, but they don't save us time learning."
> --Joel Spolsky
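How the fail2ban jail above interacts with postscreen's weighted DNSBL scoring, as an added example (not part of the original post): with `maxretry = 1` a single dnsblog "listed by domain" line is enough for a ban, while postscreen only acts once the summed weights reach `postscreen_dnsbl_threshold`. The weights and threshold are the ones posted in the "How to Block EHLO/HELO" message of this archive; the log lines are constructed, the function names are this example's own, and the filter is assumed to match dnsblog lines of the form `addr <address> listed by domain <list> as <reply>`.

```python
import re
from collections import defaultdict

# postscreen values as posted in the "How to Block EHLO/HELO" message.
POSTSCREEN_DNSBL_SITES = (
    "zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 "
    "dnsbl.anonmails.de dnsbl.kempt.net dnsbl.inps.de bl.spamcop.net "
    "dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4"
)
POSTSCREEN_DNSBL_THRESHOLD = 4
FAIL2BAN_MAXRETRY = 1  # from the jail.local shown in the message

# Constructed dnsblog log lines (documentation addresses, made-up reply codes).
SAMPLE_LOG = """\
Sep 10 09:00:01 mx1 postfix/dnsblog[2101]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.0.0.4
Sep 10 09:00:01 mx1 postfix/dnsblog[2102]: addr 192.0.2.10 listed by domain bl.spamcop.net as 127.0.0.2
Sep 10 09:00:07 mx1 postfix/dnsblog[2103]: addr 198.51.100.5 listed by domain dnsbl.sorbs.net as 127.0.0.10
Sep 10 09:00:12 mx1 postfix/dnsblog[2104]: addr 203.0.113.77 listed by domain swl.spamhaus.org as 127.0.2.3
Sep 10 09:00:20 mx1 postfix/dnsblog[2105]: addr 203.0.113.80 listed by domain zen.spamhaus.org as 127.0.0.2
Sep 10 09:00:20 mx1 postfix/dnsblog[2106]: addr 203.0.113.80 listed by domain b.barracudacentral.org as 127.0.0.2
Sep 10 09:00:20 mx1 postfix/dnsblog[2107]: addr 203.0.113.80 listed by domain swl.spamhaus.org as 127.0.2.3
"""

DNSBLOG_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (?P<addr>\S+) listed by domain (?P<domain>\S+) as \S+"
)


def parse_dnsbl_sites(value):
    """Map each DNSBL domain to its weight; an entry without '*N' weighs 1."""
    weights = {}
    for entry in value.replace(",", " ").split():
        site, _, weight = entry.partition("*")
        domain = site.split("=", 1)[0].lower()  # drop an optional =reply filter
        weights[domain] = int(weight) if weight else 1
    return weights


def listings_by_client(log_text):
    """Return {client address: {"domains": set of lists, "lines": matching line count}}."""
    hits = defaultdict(lambda: {"domains": set(), "lines": 0})
    for line in log_text.splitlines():
        match = DNSBLOG_RE.search(line)
        if match:
            entry = hits[match.group("addr")]
            entry["domains"].add(match.group("domain").lower())
            entry["lines"] += 1
    return dict(hits)


def compare(log_text, sites=POSTSCREEN_DNSBL_SITES,
            threshold=POSTSCREEN_DNSBL_THRESHOLD, maxretry=FAIL2BAN_MAXRETRY):
    """Per client: the combined postscreen score next to the fail2ban decision."""
    weights = parse_dnsbl_sites(sites)
    report = {}
    for addr, entry in listings_by_client(log_text).items():
        # Each list counts once per client, with its configured weight.
        score = sum(weights.get(domain, 0) for domain in entry["domains"])
        report[addr] = {
            "lists": sorted(entry["domains"]),
            "score": score,
            "postscreen_acts": score >= threshold,       # threshold is inclusive
            "fail2ban_bans": entry["lines"] >= maxretry,  # every matching line counts
        }
    return report


def banned_but_below_threshold(log_text):
    """Clients the jail would ban although postscreen would let them continue."""
    return sorted(
        addr for addr, row in compare(log_text).items()
        if row["fail2ban_bans"] and not row["postscreen_acts"]
    )


if __name__ == "__main__":
    for addr, row in sorted(compare(SAMPLE_LOG).items()):
        print(addr, row)
    print("banned below threshold:", banned_but_below_threshold(SAMPLE_LOG))
```

The three addresses returned sit below the postscreen threshold, including one that appears only on the negatively weighted `swl.spamhaus.org` entry, so a filter of this shape is worth narrowing to the lists you actually want to ban on.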
RE: TLS cert - bug in documentation or bug in my understanding ??
Sorry, a correction on the previous.

This is wrong:
add in main.cf, in smtpd_client_restrictions, just after permit_mynetworks:
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr

Just add
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr
to main.cf.

My error.. sorry.

And what a fast mailing list this is... the samba list is much slower..

-----Original message-----
From: be...@bazuin.nl [mailto:owner-postfix-us...@postfix.org] On behalf of L.P.H. van Belle
Sent: Wednesday 19 August 2015 13:12
To: postfix-users@postfix.org
Subject: RE: TLS cert - bug in documentation or bug in my understanding ??

-----Original message-----
From: al...@domblogger.net [mailto:owner-postfix-us...@postfix.org] On behalf of Alice Wonder
Sent: Wednesday 19 August 2015 12:42
To: postfix-users@postfix.org
Subject: Re: TLS cert - bug in documentation or bug in my understanding ??

On 08/19/2015 03:09 AM, L.P.H. van Belle wrote:

Hi,

Try it like this, there is no need for combining the certificates.

# TLS parameters
smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
smtp_tls_key_file = /etc/ssl/private/certificate.key
smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
smtpd_tls_key_file = /etc/ssl/private/certificate.key

Thank you, I think I got it figured out, will be testing shortly

## RootCA and Intermediate are put here.
smtpd_tls_CApath = /etc/ssl/certs

And don't forget to regenerate your dhparams, like:

if [ ! -d /etc/ssl/private ]; then
    mkdir -p /etc/ssl/private
    chmod 710 /etc/ssl/private
fi
## Create unique DH Groups
openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096

*snip*

As far as DH groups - I put a script in /etc/cron.daily that regenerates the 1024 and 2048 groups once a day. I'm not sure 4096 adds any real world benefit, just eats CPU cycles.

I don't use the 4096 either, but it's there if I need it when I need it, and yes, a daily script for the DH is good to have.

I'm not using 512 as I built postfix against LibreSSL and it doesn't support the export ciphers, and I don't think postfix 2.11.6 does either anyway, at least if I understood the docs. So I'm trying with just the 2048 for now, if that's an issue then I'll follow the documentation on how to allow 1024 for some clients.

I'd like to eventually see the DHE ciphers go away in favor of ECDHE - not sure how soon that will happen. I will be configuring postfix to only support ECDHE and DHE ciphers initially, well after I get TLS working on this server that is what I will try next. But I think DHE is only really needed for a few older clients at this point?

Some too-old TLS clients will fail with Postfix. I don't know if they use DHE.
And it's NOT a Postfix error.
What happens is, while client and server are changing keys, the client closes the connection,
and a message appears in your log, "server closed connection", and no mail is received.
Old Windows Exchange servers and some Lotus Notes servers have this problem, maybe more, I don't know that.
For these the only workaround, as far as I know, is: don't show the STARTTLS.

Info here: http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

## used to disable buggy clients or clients with faulty TLS/SSL
1.2.3.4 STARTTLS

which means.. don't show STARTTLS for that IP.

Add in main.cf, in smtpd_client_restrictions, just after permit_mynetworks:
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr

Maybe there are better solutions for this, but this works for me.

Greetz,

Louis
Fwd: trying to figure out regex for custom_header checks
Set the Postfix server to check for RFC compliance and you see a spam drop of at least 90%, and set up postscreen with it.. 98% less spam.
And in the above, just check for HELO compliance and not hostname checks; that will drop too many OK servers..

greetz

Louis

On 19 Aug 2015 at 22:23, Alice Wonder al...@domblogger.net wrote:

On 08/19/2015 01:14 PM, Ben Greenfield wrote:

On Aug 19, 2015, at 4:08 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

On Wed, Aug 19, 2015 at 04:07:27PM -0400, Ben Greenfield wrote:

/^Received:\b.*\.eu\b REJECT

Is that correct or could someone point out what I'm doing wrong.

What you're doing wrong is deciding that all mail from a .eu domain should be blocked and trying to block said mail by looking at Received headers. Both the decision and the methodology are wrong.

I'm open to suggestions.

First explain the problem, rather than the solution.

We receive a lot of spam that have very rare top level domains .site, .link, .website, .eu. I have been using the custom header checks which appeared to be working for me until I started trying to reject the .eu mail. I was actually blocking all mail that had .eu somewhere in the name. I decided I needed a regex that would only match patterns at the end of the url.

Do you have a honeypot address? I do that but still manually check them; as soon as I get 3 different spammer IP addresses on the same /24 I block the /24 for two weeks.

Are you using any of the dns blacklists? That cut down on my spam tremendously.
RE: TLS cert - bug in documentation or bug in my understanding ??
-----Original message-----
From: al...@domblogger.net [mailto:owner-postfix-us...@postfix.org] On behalf of Alice Wonder
Sent: Wednesday 19 August 2015 12:42
To: postfix-users@postfix.org
Subject: Re: TLS cert - bug in documentation or bug in my understanding ??

On 08/19/2015 03:09 AM, L.P.H. van Belle wrote:

Hai,

Try it like this, there is no need for combining the certificates.

    # TLS parameters
    smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
    smtp_tls_key_file = /etc/ssl/private/certificate.key
    smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
    smtpd_tls_key_file = /etc/ssl/private/certificate.key

Thank you, I think I got it figured out, will be testing shortly

    ## RootCA and Intermediate are put here.
    smtpd_tls_CApath = /etc/ssl/certs

and don't forget to regenerate your dhparams. like :

    # Create the private directory only if it does not exist yet
    if [ ! -d /etc/ssl/private ]; then
        mkdir -p /etc/ssl/private
        chmod 710 /etc/ssl/private
    fi

    ## Create unique DH Groups
    openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
    openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
    openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
    openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096

*snip*

As far as DH groups - I put a script in /etc/cron.daily that regenerates the 1024 and 2048 groups once a day. I'm not sure 4096 adds any real world benefit, just eats CPU cycles.

I don't use the 4096 either, but it's there if I need it when I need it, and yes, a daily script for the DH is good to have.

I'm not using 512 as I built postfix against LibreSSL and it doesn't support the export ciphers, and I don't think postfix 2.11.6 does either anyway, at least if I understood the docs. So I'm trying with just the 2048 for now, if that's an issue then I'll follow the documentation on how to allow 1024 for some clients. I'd like to eventually see the DHE ciphers go away in favor of ECDHE - not sure how soon that will happen.

I will be configuring postfix to only support ECDHE and DHE ciphers initially, well after I get TLS working on this server that is what I will try next. But I think DHE is only really needed for a few older clients at this point?

Some too old TLS clients will fail with postfix. I don't know if they use DHE, and it's NOT a postfix error. What happens is, while client and server are changing keys, the client closes the connection, and a message appears in your log, server closed connection, and no mail is received. Old Windows Exchange servers and some Lotus Notes servers have this problem, maybe more, I don't know that. For these the only workaround, as far as I know, is: don't show the STARTTLS.

info here : http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

    ## used to disable buggy clients or clients with faulty TLS/SSL
    1.2.3.4 STARTTLS

which means.. don't show STARTTLS for that IP.

Add in main.cf, in smtpd_client_restrictions, just after permit_mynetworks:

    smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr

Maybe there are better solutions for this, but this works for me.

Greetz,

Louis
RE: Postfix and Mailman 2 virtual alias domain integration
Okay, I assume then that this should be the only PTR record:

    4.3.2.1.in-addr.arpa. IN PTR B.tld.

Yes. Provided of course B.tld is The One True Hostname for your server.

It is!

No, imo, it is not.. and this setup can be better, I think. Read on..

A hostname is not a domain name, and it is best not to mix these up. As per example:

The server name is core.primary-domain.tld

for postfix in master.cf

    myhostname = core.primary-domain.tld
    smtpd_banner = mail.primary-domain.tld ready

core.primary-domain.tld has an A and PTR record. (the real and only hostname of the server)
mail.primary-domain.tld has an A record and is not a CNAME. ( = the helo hostname )
And the MX points to mail.primary-domain.tld
All virtual domains point the MX to mail.primary-domain.tld

In this case mail and core have the same IP, but depending on the setup, this can be split up very easily over multiple servers, without changing anything in my postfix setup. I just move domains to other servers and change the DNS MX record ( and if needed the SPF record ).

An SPF setup is now very easy, like :

    TXT v=spf1 mx -all

or

    TXT v=spf1 mx ptr -all

or, and here is where the A record for mail is handy..

    TXT v=spf1 mx a -all

This is not possible with a CNAME

Why not using domain.tld to and mail cnames..
The ehlo hostname must be an A record, and correct me if I'm wrong. What happens if you set the smtpd_helo_restrictions with reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname?

And what people often forget is the setup of the webserver. For a webserver, the best is to set domain.tld and www.domain.tld to the same virtual for the webserver, but this is not possible if you have your webserver and your mail server on 2 different machines. And a certificate these days has domain.tld and subdomain.domain.tld in 1 certificate.

There are more reasons to not use the CNAME setup.. but all of the above is just a suggestion.

Greetz,

Louis

-----Original message-----
From: tom.brow...@gmail.com [mailto:owner-postfix-us...@postfix.org] On behalf of Tom Browder
Sent: Tuesday 18 August 2015 23:35
To: Jim Reid
CC: postfix users
Subject: Re: Postfix and Mailman 2 virtual alias domain integration

On Tue, Aug 18, 2015 at 4:22 PM, Jim Reid j...@rfc1035.com wrote:

On 18 Aug 2015, at 22:06, Tom Browder tom.brow...@gmail.com wrote:

Okay, I assume then that this should be the only PTR record:

    4.3.2.1.in-addr.arpa. IN PTR B.tld.

Yes. Provided of course B.tld is The One True Hostname for your server.

It is!

BTW, you will get on a lot better if your postings used the actual IP addresses and domain names rather than hide these behind nonsense like B.tld and 1.2.3.4. Obscuring this information helps nobody, especially yourself.

Good point, but I'm not trying to obscure anything. I am using the nonsense names because I'm trying to emphasize the generality of the solution to a very common setup for many users. The chosen IP of 1.2.3.4 is easy to type and is easy to see when it's been reversed.

If anyone is interested, my current IP address which I use for all my domains is 142.54.186.2 but I don't have a working mail server there yet (I'm in the process of transferring it from my old server and want to have a more robust setup than before--this is all prep work).

Thanks for all the help, Jim. I'm sure I'll be back later for more help on tightening up my mail server's security.

Best regards,

-Tom
RE: TLS cert - bug in documentation or bug in my understanding ??
Hai,

Try it like this, there is no need for combining the certificates.

    # TLS parameters
    smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
    smtp_tls_key_file = /etc/ssl/private/certificate.key
    smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
    smtpd_tls_key_file = /etc/ssl/private/certificate.key

    ## RootCA and Intermediate are put here.
    smtpd_tls_CApath = /etc/ssl/certs

and don't forget to regenerate your dhparams. like :

    # Create the private directory only if it does not exist yet
    if [ ! -d /etc/ssl/private ]; then
        mkdir -p /etc/ssl/private
        chmod 710 /etc/ssl/private
    fi

    ## Create unique DH Groups
    openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
    openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
    openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
    openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096

    # Postfix enabled
    postconf -e 'smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA'
    postconf -e 'smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA'
    postconf -e 'smtpd_tls_dh512_param_file = /etc/ssl/private/dhparams512.pem'
    postconf -e 'smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams1024.pem'

Greetz,

Louis

-----Original message-----
From: al...@domblogger.net [mailto:owner-postfix-us...@postfix.org] On behalf of Alice Wonder
Sent: Wednesday 19 August 2015 11:09
To: postfix-users@postfix.org
Subject: TLS cert - bug in documentation or bug in my understanding ??

Life was so much simpler when I just used self-signed certs for everything...

Looking at http://www.postfix.org/TLS_README.html

The documentation says

``This means that the Postfix server public-key certificate file must include the server certificate first, then the issuing CA(s) (bottom-up order).''

Then it gives an example

    cat server_cert.pem intermediate_CA.pem > server.pem

-=-

With my Comodo PositiveSSL there are two intermediary certs.

So I try

    cat librelamp_com.crt \
        COMODORSADomainValidationSecureServerCA.crt \
        COMODORSAAddTrustCA.crt > test.cert

But it doesn't verify

    openssl verify -purpose sslserver test.crt
    test.crt: OU = Domain Control Validated, OU = PositiveSSL, CN = librelamp.com
    error 20 at 0 depth lookup:unable to get local issuer certificate

I tried switching the order, same issue.

Finally I reversed the order -

    cat COMODORSAAddTrustCA.crt \
        COMODORSADomainValidationSecureServerCA.crt \
        librelamp_com.crt > test.crt

Now it verifies :

    openssl verify -purpose sslserver test.crt
    test.crt: OK

-=-=-

Am I not understanding something or is the documentation off?

Thank you,

Alice
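The two `openssl verify` results in the message above, reproduced as an added example that is not part of the original thread: `openssl verify` checks only the first certificate in the file it is given, so a server-certificate-first bundle fails unless the intermediates are passed with `-untrusted`, and a CA-first bundle reports OK without the server certificate being checked at all. The throwaway PKI, the file names and the helper functions are constructed for this demonstration.

```shell
#!/bin/sh
# Added illustration with a constructed, throwaway PKI (root -> intermediate -> leaf).
# All names, paths and helper functions here are hypothetical.

make_demo_pki() {   # $1 = empty working directory
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA
    openssl req -x509 -config "$dir/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 2 -subj '/CN=Demo Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 2 -extfile "$dir/demo.cnf" -extensions v3_ca \
        -out "$dir/int.pem" 2>/dev/null
    # Server certificate, signed by the intermediate
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=mail.example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -set_serial 3 -days 2 -out "$dir/leaf.pem" 2>/dev/null
    # Bundle in the order TLS_README asks for (server cert first), and reversed
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/postfix_order.pem"
    cat "$dir/int.pem" "$dir/leaf.pem" > "$dir/reversed.pem"
}

# Same call shape as in the thread: only the FIRST certificate in the file is checked.
verify_file() {     # $1 = PKI dir, $2 = file name
    if openssl verify -CAfile "$1/root.pem" "$1/$2" 2>&1 | grep -q ': OK$'
    then echo OK; else echo FAIL; fi
}

# Full chain check: the root is trusted, the intermediate is passed with -untrusted.
verify_chain() {    # $1 = PKI dir, $2 = server certificate file name
    if openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/$2" 2>&1 |
        grep -q ': OK$'
    then echo OK; else echo FAIL; fi
}

# Order check for a Postfix cert file: each certificate must be issued by the next one.
bundle_order_ok() { # $1 = bundle path
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/c" n ".pem")}' "$1"
    i=1; result=OK
    while [ -f "$tmp/c$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/c$i.pem" |
            sed 's/^issuer= *//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/c$((i + 1)).pem" |
            sed 's/^subject= *//')
        [ "$issuer" = "$subject" ] || result=WRONG_ORDER
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$result"
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "verify postfix_order.pem (leaf first): $(verify_file "$demo" postfix_order.pem)"
echo "verify reversed.pem (CA first):        $(verify_file "$demo" reversed.pem)"
echo "verify leaf with -untrusted:           $(verify_chain "$demo" leaf.pem)"
echo "order postfix_order.pem:               $(bundle_order_ok "$demo/postfix_order.pem")"
echo "order reversed.pem:                    $(bundle_order_ok "$demo/reversed.pem")"
rm -rf "$demo"
```

The file to hand to Postfix is the one for which `bundle_order_ok` prints OK; the verification that matters for it is the `verify_chain` form, not `openssl verify` on the bundle itself.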
RE: FW: SSL Renegotiation Attack Disabling reneotiation
I don't know if it's an option, but I suggest having a look here :

multiple packages for postfix on centos 6
http://pkgs.org/search/postfix?type=name
or
https://solusipse.net/blog/posts/compiling-postfix-with-postgresql-support-on-centos-7/

Not for the postgresql, but just for the upgrade of postfix.

Greetz,

Louis

From: Abid Hussain [mailto:abid.hussai...@gmail.com]
Sent: Tuesday 18 August 2015 10:43
To: L.P.H. van Belle
Subject: Re: FW: SSL Renegotiation Attack Disabling reneotiation

Thanks for the prompt reply.

I am using CentOS 6.5. Yes, I do not have an option to upgrade it :(. I want to stop it for DoS attack as my testing team has reported it. Falling back to SSL v2 adds many other vulnerabilities :(

Thanks and Regards,

Abid

On Tue, Aug 18, 2015 at 1:36 PM, L.P.H. van Belle be...@bazuin.nl wrote:

Hai,

As far as I know, no. Unless you are forcing all clients to use SSLv2 only (since that doesn't support renegotiation). Are you sure you want to disable it and not just prevent old clients from using the vulnerable renegotiation methods? If it's the last, you'll need to upgrade to 2.8+ to get access to tls_disable_workarounds.

You have 2 problems.
- One is the vulnerable methods
- the other is that renegotiation is considered a denial of service vulnerability..

You really don't have any option to upgrade.. What's the OS you're running?

Greetz,

Louis

-----Original message-----
From: abid.hussai...@gmail.com [mailto:owner- ] On behalf of Abid Hussain
Sent: Tuesday 18 August 2015 10:29
To: postfix-users@postfix.org
Subject: SSL Renegotiation Attack Disabling reneotiation

Dear All,

I am using postfix 2.6 and currently cannot upgrade it. Kindly advise how renegotiation can be disabled completely. Probably a command in the configuration file.

regards,

Abid

--
View this message in context: http://postfix.1071664.n5.nabble.com/SSL-Renegotiation-Attack-Disabling-reneotiation-tp78708.html
Sent from the Postfix Users mailing list archive at Nabble.com.
SOLVED.. FW: ldap virtual split domain and forwarding.
Finally I did find the problem.

In the end I did add the ldap ldap://etc/postfix/zarafa-ads-*-aliases.cf in the aliases_map and all the redirects in the virtual_alias_maps, and now I did some testing with an e-mail address .. which did not have any typos in the email address in ldap. That was where my error was.

Greetz,

-----Original message-----
From: be...@bazuin.nl [mailto:owner-postfix-us...@postfix.org] On behalf of L.P.H. van Belle
Sent: Friday 14 August 2015 16:07
To: postfix-users@postfix.org
Subject: ldap virtual split domain and forwarding.

Hai,

I'm new to the list, so tell me if I'm doing something wrong.. In advance, .. sorry for my English, and sorry for the long explanation.. better too much than too little imo.

I'm having the following setup: Debian Jessie 8.1 with packages, running a zarafa mail server and a samba 4 AD domain. I have almost all info I want in the AD, but I'm having problems with some e-mail aliases and forwarding of these.

packages of postfix used:

    ii  postfix        2.11.3-1  amd64  High-performance mail transport agent
    ii  postfix-ldap   2.11.3-1  amd64  LDAP map support for Postfix
    ii  postfix-mysql  2.11.3-1  amd64  MySQL map support for Postfix
    ii  postfix-pcre   2.11.3-1  amd64  PCRE map support for Postfix

This is the part I'm having problems with: ( I'll explain more below the configuration )

(master.cf)

    alias_maps = hash:/etc/aliases, regexp:/etc/postfix/asp-redirect.regexp, ldap://etc/postfix/zarafa-ads-local-aliases.cf,
    alias_database = hash:/etc/aliases
    transport_maps = ldap:/etc/postfix/zarafa-ads-zpublic-transport.cf,
    virtual_transport = lmtp:127.0.0.1:2003
    virtual_mailbox_domains = domain.tld, internal.domain.tld
    virtual_mailbox_maps = ldap:/etc/postfix/zarafa-ads-users.cf
    # Active Directory has the possibility to create distribution groups which can be used as email distribution list in ZCP.
    # To use integrate Postfix with distribution groups, Postfix 2.4 or higher is required.
    #
    virtual_alias_maps = ldap:/etc/postfix/zarafa-ads-users.cf, ldap:/etc/postfix/zarafa-ads-groups.cf, ldap:/etc/postfix/zarafa-ads-zpublic-aliases.cf, ldap://etc/postfix/zarafa-ads-local-redirects.cf ldap://etc/postfix/zarafa-ads-general-aliases.cf

So, I'm running zarafa 7.2 as mail server and samba 4 AD as domain for email address lookups. The zarafa server and email addresses and email aliases and groups and public folders work fine.

I need these settings for zarafa :

    virtual_transport = lmtp:127.0.0.1:2003
    virtual_mailbox_domains = domain.tld, internal.domain.tld
    virtual_mailbox_maps = ldap:/etc/postfix/zarafa-ads-users.cf
    virtual_alias_maps = ldap:/etc/postfix/zarafa-ads-users.cf, ldap:/etc/postfix/zarafa-ads-groups.cf, ldap:/etc/postfix/zarafa-ads-zpublic-aliases.cf,

with a delivery to public folders, with a setup like this example.
http://www.leckerbeef.de/zarafa-deliver-mail-to-public-folder-the-postfix-way/

As said, this all works fine, I can email to all users/groups/public folder email addresses.

Now based on that I'm creating a contact and I use the displayName and description fields to set my addresses for postfix.

For the ldap -aliases files I use this filter.

    scope = sub
    query_filter = (&(objectClass=contact)(displayName=%s))
    result_attribute = displayName

For the ldap -redirects files I use this filter.

    scope = sub
    query_filter = (&(objectClass=contact)(displayName=%s))
    result_attribute = description

For this one in the alias_maps : ldap://etc/postfix/zarafa-ads-local-aliases.cf
I have here for example user: root, with forward address to an email address in my public folders of zarafa, and a user e-mail address.

    postmap -q root ldap://etc/postfix/zarafa-ads-local-aliases.cf

gives back root, which is correct in this case.

    postmap -q root ldap://etc/postfix/zarafa-ads-local-redirects.cf

gives back : personalad...@domain.tld,publicfolderad...@domain.tld

This works and is used for messages sent to root from the server. ( and mailing to r...@domain.tld does NOT work and should not work )

Here in this, I also have my ab...@domain.tld postmas...@domain.tld webmas...@domain.tld e-mail addresses. i can
FW: SSL Renegotiation Attack Disabling reneotiation
Hai,

As far as I know, no. Unless you are forcing all clients to use SSLv2 only (since that doesn't support renegotiation). Are you sure you want to disable it and not just prevent old clients from using the vulnerable renegotiation methods? If it's the last, you'll need to upgrade to 2.8+ to get access to tls_disable_workarounds.

You have 2 problems.
- One is the vulnerable methods
- the other is that renegotiation is considered a denial of service vulnerability..

You really don't have any option to upgrade.. What's the OS you're running?

Greetz,

Louis

-----Original message-----
From: abid.hussai...@gmail.com [mailto:owner-postfix-us...@postfix.org] On behalf of Abid Hussain
Sent: Tuesday 18 August 2015 10:29
To: postfix-users@postfix.org
Subject: SSL Renegotiation Attack Disabling reneotiation

Dear All,

I am using postfix 2.6 and currently cannot upgrade it. Kindly advise how renegotiation can be disabled completely. Probably a command in the configuration file.

regards,

Abid

--
View this message in context: http://postfix.1071664.n5.nabble.com/SSL-Renegotiation-Attack-Disabling-reneotiation-tp78708.html
Sent from the Postfix Users mailing list archive at Nabble.com.
RE: Folder permissions problem, /var/spool/postfix/private
For the policy-spf, check this one.
https://bananasfk.wordpress.com/2015/06/05/policyd-spf-in-debian-8-fix/

Greetz,

Louis

-----Original message-----
From: robert.sen...@lists.microscopium.de [mailto:owner-postfix-us...@postfix.org] On behalf of Robert Senger
Sent: Tuesday 18 August 2015 13:42
To: postfix-users@postfix.org
Subject: Folder permissions problem, /var/spool/postfix/private

Hi all,

I just upgraded a server from Debian Wheezy to Jessie, and moved the system partition to a new, bigger harddisk. Now I am having trouble with the permissions of the /var/spool/postfix/private folder.

As far as I can see all folder permissions throughout the whole system are the same as before on the old harddisk, including postfix's private directory. Despite this fact, all milter services that create/use sockets within the /var/spool/postfix/private folder (OpenDKIM, OpenDMARC, postgrey, SPF) refuse to start, complaining they cannot create/write their socket in the private folder.

I already checked all the folder permissions, ran postfix set-permissions and postfix check, without success. To get the milters working, I need to set the private folder's permissions to 777, which is certainly not what we want for a private folder... Running postfix set-permissions resets the permissions to 700, but then the milters fail.

Any idea what can be wrong here?

Thanks!

Cheers,

Robert

--
Robert Senger
RE: Postfix and Mailman 2 virtual alias domain integration
Hai,

... it's all about correct DNS settings, so don't say that does not matter..

Best is you read :
rfc2821 section-3.6 and 4.1.1.1 ( and 10.3, thank you Michael, good read, I forgot that one.. )
rfc5321 section 2.3.5

In short..
make sure your hostname has an A or record and PTR record.
make sure your MX points to a correct hostname.
make sure your mail server ehlo : (smtpd_banner) is set to a resolvable hostname.

Requirements for ehlo: a DNS RR of type A is required, and there is no requirement for the A record to match the client connecting IP address (as per RFC 1123 Section 5.2.5). When a connecting host uses the EHLO command to identify itself and where the hostname contains characters that are not one of the following: a-z, A-Z, 0-9, . and - Further the hostname should start with a letter of the alphabet.

Greetz,

Louis

-----Original message-----
From: rwhee...@artifact-software.com [mailto:owner-postfix-us...@postfix.org] On behalf of Ron Wheeler
Sent: Tuesday 18 August 2015 16:14
To: postfix-users@postfix.org
Subject: Re: Postfix and Mailman 2 virtual alias domain integration

This is pretty common.

The DNS does not matter all that much as long as people can find the MX server for each domain. The MX record has to point to an A or CNAME that maps to the actual machine where your main service (Postfix) runs. The A or CNAME can be in a different domain as long as that is resolvable to an IP somehow.

Every Domain can have its MX point to smtp.B.tld as long as smtp.B.tld resolves to something in the B domain's DNS. This is probably easiest since you can move all SMTP traffic with a single change in the DNS for B.tld.

In the end the foreign SMTP server has to be able to reach someone who will take the mail off its hands and the DNS serves that purpose. Once the mail is transferred to the right IP address, the sender doesn't care how you organize your domains internally.

Ron

On 18/08/2015 8:55 AM, Tom Browder wrote:

On Sun, Aug 16, 2015 at 3:36 PM, @lbutlr krem...@kreme.com wrote:

On 16 Aug 2015, at 10:44 , Tom Browder tom.brow...@gmail.com wrote:

Okay, then I guess I should pick one of the virtual hosts as the domain name and add some arbitrary host then. Does that mean it is then a real server and should not be treated as a virtual domain?

You need a reasonable helo name and you need an rDNS that matches.

Okay, let me be more specific:

On a single Apache/Postfix/MM2 server I have domains A.tld ... Z.tld, each of which I want to have mail delivered to/from. I will choose B.tld as the non-virtual server (with FQHN mail.B.tld). I have a single IP address, say, 9.9.9.9, to which all domains are mapped.

So how should the DNS records look? Can anyone give me the exact settings for the A, CNAME, MX, and PTR records for A.tld and B.tld (and any other suggested records)?

Many thanks.

Best,

-Tom

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
ldap virtual split domain and forwarding.
Hai,

I'm new to the list, so tell me if I'm doing something wrong.. In advance, .. sorry for my English, and sorry for the long explanation.. better too much than too little imo.

I'm having the following setup: Debian Jessie 8.1 with packages, running a zarafa mail server and a samba 4 AD domain. I have almost all info I want in the AD, but I'm having problems with some e-mail aliases and forwarding of these.

packages of postfix used:

    ii  postfix        2.11.3-1  amd64  High-performance mail transport agent
    ii  postfix-ldap   2.11.3-1  amd64  LDAP map support for Postfix
    ii  postfix-mysql  2.11.3-1  amd64  MySQL map support for Postfix
    ii  postfix-pcre   2.11.3-1  amd64  PCRE map support for Postfix

This is the part I'm having problems with: ( I'll explain more below the configuration )

(master.cf)

    alias_maps = hash:/etc/aliases, regexp:/etc/postfix/asp-redirect.regexp, ldap://etc/postfix/zarafa-ads-local-aliases.cf,
    alias_database = hash:/etc/aliases
    transport_maps = ldap:/etc/postfix/zarafa-ads-zpublic-transport.cf,
    virtual_transport = lmtp:127.0.0.1:2003
    virtual_mailbox_domains = domain.tld, internal.domain.tld
    virtual_mailbox_maps = ldap:/etc/postfix/zarafa-ads-users.cf
    # Active Directory has the possibility to create distribution groups which can be used as email distribution list in ZCP.
    # To use integrate Postfix with distribution groups, Postfix 2.4 or higher is required.
    #
    virtual_alias_maps = ldap:/etc/postfix/zarafa-ads-users.cf, ldap:/etc/postfix/zarafa-ads-groups.cf, ldap:/etc/postfix/zarafa-ads-zpublic-aliases.cf, ldap://etc/postfix/zarafa-ads-local-redirects.cf ldap://etc/postfix/zarafa-ads-general-aliases.cf

So, I'm running zarafa 7.2 as mail server and samba 4 AD as domain for email address lookups. The zarafa server and email addresses and email aliases and groups and public folders work fine.

I need these settings for zarafa :

    virtual_transport = lmtp:127.0.0.1:2003
    virtual_mailbox_domains = domain.tld, internal.domain.tld
    virtual_mailbox_maps = ldap:/etc/postfix/zarafa-ads-users.cf
    virtual_alias_maps = ldap:/etc/postfix/zarafa-ads-users.cf, ldap:/etc/postfix/zarafa-ads-groups.cf, ldap:/etc/postfix/zarafa-ads-zpublic-aliases.cf,

with a delivery to public folders, with a setup like this example.
http://www.leckerbeef.de/zarafa-deliver-mail-to-public-folder-the-postfix-way/

As said, this all works fine, I can email to all users/groups/public folder email addresses.

Now based on that I'm creating a contact and I use the displayName and description fields to set my addresses for postfix.

For the ldap -aliases files I use this filter.

    scope = sub
    query_filter = (&(objectClass=contact)(displayName=%s))
    result_attribute = displayName

For the ldap -redirects files I use this filter.

    scope = sub
    query_filter = (&(objectClass=contact)(displayName=%s))
    result_attribute = description

For this one in the alias_maps : ldap://etc/postfix/zarafa-ads-local-aliases.cf
I have here for example user: root, with forward address to an email address in my public folders of zarafa, and a user e-mail address.

    postmap -q root ldap://etc/postfix/zarafa-ads-local-aliases.cf

gives back root, which is correct in this case.

    postmap -q root ldap://etc/postfix/zarafa-ads-local-redirects.cf

gives back : personalad...@domain.tld,publicfolderad...@domain.tld

This works and is used for messages sent to root from the server. ( and mailing to r...@domain.tld does NOT work and should not work )

Here in this, I also have my ab...@domain.tld postmas...@domain.tld webmas...@domain.tld e-mail addresses. I can use this ldap file on all my servers with this setup, and this is in a separate OU in the AD. (OU=local-aliases) I can send to them and these are also delivered where I want.

Now my problem(s)..

1) What I want is email to : someadres0132...@domain.tld, forward to someadre...@domain.tld, forward to someadre...@offsite.domain.tld

alias_map has : regexp:/etc/postfix/asp-redirect.regexp and contains lines like

    /^someadres01/ someadre...@domain.tld

Here I catch all email addresses like someadres011...@domain.tld

    postmap -q someadres0142...@domain.tld