RE: Relaying to 2 SMTP servers

2019-04-17 Thread L . P . H . van Belle


Or 
https://jyotishp.ml/tutorials/postfix/dual-delivery-for-postfix


http://pjrlost.blogspot.com/2012/11/smtp-delivery-to-two-mail-servers-via.html 
This one, it's a bit of a search, but the files are still available on the internet. 

Greetz,

Louis


> -Oorspronkelijk bericht-
> Van: sel...@linagora.com 
> [mailto:owner-postfix-us...@postfix.org] Namens Simon ELBAZ
> Verzonden: woensdag 17 april 2019 16:36
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Relaying to 2 SMTP servers
> 
> Thanks for your reply.
> 
> Sorry, I wanted to say using Postfix.
> 
> I look for different open source solutions to achieve this.
> 
> Regards
> 
> Simon
> 
> On 17/04/2019 16:33, Phil Stracchino wrote:
> > On 4/17/19 10:03 AM, sel...@linagora.com wrote:
> >> Hi,
> >>
> >> I would like to know if it is possible to deliver a mail to 2 SMTP
> >> servers using OpenSMTPD.
> >
> > Perhaps that's a question you should ask on the OpenSMTPD 
> mailing list.
> >
> >
> 
> 



RE: OpenDKIM not signing

2019-04-09 Thread L . P . H . van Belle
The link of linode, but transformed into a script for Debian 9. 
https://github.com/thctlo/debian-scripts/blob/master/setup-opendkim-postfix.sh 

Read it or use it. ( make backups first ). 
It's tested on a clean setup, but if you read through the script you see 
everything that's needed to fix this. 
And just a question, is the DNS already updated? 

Greetz, 

Louis



> -Oorspronkelijk bericht-
> Van: i...@ntek.lv [mailto:owner-postfix-us...@postfix.org] 
> Namens Ntek, SIA Janis
> Verzonden: dinsdag 9 april 2019 11:19
> Aan: postfix-users@postfix.org
> Onderwerp: Re: OpenDKIM not signing
> 
> Why do you use
> > inet:localhost:8891
> instead of a socket?
> I conf'ed it using this tutorial:
> https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/
> 
> smtpd_milters = local:opendkim/opendkim.sock
> non_smtpd_milters = local:opendkim/opendkim.sock
> The sockets are relative path as postfix is chrooted. The 
> absolute path 
> is /var/spool/postfix/opendkim/opendkim.sock (Use the 
> relative though!)
> 
> Also check the syntax in tables. I was pulling my hair out 
> and it turned 
> out my syntax was off. Refer to the tutorial!
> Especially:
> KeyTable  /etc/opendkim/KeyTable
> mydomaintld mydomain.tld:201904:/etc/opendkim/keys/mydomain.tld/mydomaintld.private
> 
> SigningTable refile:/etc/opendkim/SigningTable
> *@mydomain.tld mydomaintld
> 
> ExternalIgnoreList    /etc/opendkim/TrustedHosts
> InternalHosts /etc/opendkim/TrustedHosts
> 
> What does the log file say?
> search for opendkim
> $ tail -n 500 /var/log/mail.log | grep opendkim  # Or 
> wherever your mail 
> log file is located.
> 
> Also check online Opendkim testers. There are many of them, 
> try a few. 
> Helped me a lot.
> https://www.mail-tester.com/spf-dkim-check
> 
> Remember that your DNS TXT records may take an hour to update 
> and should 
> be submitted BEFORE you try signing anything. dig is your 
> friend. Check 
> that your server and your work PC can read the records.
> 
> $ dig TXT 201904._domainkey.mydomain.tld
> Should contain something like:
> ;; ANSWER SECTION:
> 201902._domainkey.mydomain.tld. 21599 IN    TXT    "v=DKIM1; 
> h=sha256; 
> k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...
> 
> Remember that 201904._domainkey is what you choose it to be when you 
> generate the public key you put in DNS TXT records!
> 
> Re-read tutorial! Remember that if you think that you don't 
> understand 
> something, then the config error is probably because of that. 
> Don't just 
> copy paste, think along every step.
> 
> On 09.04.19 11:22, Laura Smith wrote:
> > Based on the responses to my previous question about using 
> OpenDKIM (quite what "standards have not changed" has to do 
> with software bugs makes no sense to me !). However, having 
> been told I'm stupid not to continue using software many 
> years old I thought I would suck it up and continue with OpenDKIM.
> >
> > OpenDKIM is not signing my mails.
> >
> > Postfix main.cf is calling as follows:
> > milter_protocol = 6    # I have also tried this with 2
> > milter_default_action = accept
> > smtpd_milters = inet:localhost:8891
> > non_smtpd_milters = inet:localhost:8891
> > milter_mail_macros = i {mail_addr} {daemon_addr} 
> {client_name} {auth_authen}
> >
> > netstat -an  shows openDKIM as running and listening on 8891.
> >
> > My opendkim.conf is as follows:
> > BaseDirectory   /run/opendkim
> > PidFile /run/opendkim/opendkim.pid
> > UserID  opendkim:opendkim
> > Syslog  yes
> > SyslogSuccess   yes
> > LogWhy  yes
> > Canonicalization    relaxed/relaxed
> > Socket  inet:8891@localhost
> > SendReports no
> > SoftwareHeader  no
> > MinimumKeyBits  1024
> > KeyTable    /etc/opendkim/KeyTable
> > SigningTable    refile:/etc/opendkim/SigningTable
> > InternalHosts   refile:/etc/opendkim/TrustedHosts
> >
> 
> 
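Added example, not from this thread and not OpenDKIM's own code: a small Python check that parses the KeyTable and SigningTable syntax quoted above, parses the DKIM key record returned by dig (the tag=value list of RFC 6376), and reports when the selector in DNS does not match the selector in the KeyTable. The table rows and DNS answers below are constructed from the reply; the p= value is a placeholder, not a real key.

```python
"""Cross-check OpenDKIM KeyTable/SigningTable against the published DKIM record.

Added example, not from the thread. Tables and DNS answers are constructed;
the p= value is a placeholder, not a real public key."""
import fnmatch

# Constructed OpenDKIM tables, in the syntax the reply quotes.
KEYTABLE = "mydomaintld mydomain.tld:201904:/etc/opendkim/keys/mydomain.tld/mydomaintld.private\n"
SIGNINGTABLE = "*@mydomain.tld mydomaintld\n"

# Constructed dig answers as (owner name, TXT rdata). The first carries the
# selector the reply's dig output shows (201902), the second the KeyTable's (201904).
DNS_ANSWER_MISMATCH = ("201902._domainkey.mydomain.tld.",
                       "v=DKIM1; h=sha256; k=rsa; s=email; p=MIGfEXAMPLEPUBLICKEYDATA")
DNS_ANSWER_OK = ("201904._domainkey.mydomain.tld.",
                 "v=DKIM1; h=sha256; k=rsa; s=email; p=MIGfEXAMPLEPUBLICKEYDATA")


def _rows(text):
    """Yield non-empty, non-comment lines of an OpenDKIM table file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_key_table(text):
    """KeyTable rows: <name> <domain>:<selector>:<private key path>."""
    table = {}
    for line in _rows(text):
        name, spec = line.split(None, 1)
        domain, selector, keyfile = spec.strip().split(":", 2)
        table[name] = {"domain": domain, "selector": selector, "keyfile": keyfile}
    return table


def parse_signing_table(text):
    """SigningTable rows (refile:): <sender glob> <KeyTable name>."""
    return {pat: name.strip()
            for pat, name in (line.split(None, 1) for line in _rows(text))}


def parse_dkim_txt(rdata):
    """Parse the tag=value list of a DKIM key record (RFC 6376 section 3.6.1).
    Whitespace inside a value (folding around long p= data) is removed."""
    tags = {}
    for field in rdata.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed DKIM tag: {field!r}")
        key, value = field.split("=", 1)
        tags[key.strip()] = "".join(value.split())
    return tags


def check_dkim_setup(keytable_text, signingtable_text, dns_answer, sender):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    keytable = parse_key_table(keytable_text)
    signing = parse_signing_table(signingtable_text)
    key_name = next((name for pat, name in signing.items()
                     if fnmatch.fnmatchcase(sender, pat)), None)
    if key_name is None:
        return [f"no SigningTable pattern matches {sender}: mail will not be signed"]
    entry = keytable.get(key_name)
    if entry is None:
        return [f"SigningTable refers to KeyTable entry {key_name!r} that does not exist"]
    expected_owner = f"{entry['selector']}._domainkey.{entry['domain']}"
    owner, rdata = dns_answer
    if owner.rstrip(".") != expected_owner:
        problems.append(f"KeyTable selector expects DNS record {expected_owner}, "
                        f"but the published record is {owner.rstrip('.')}")
    tags = parse_dkim_txt(rdata)
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional, default DKIM1
        problems.append(f"unexpected v= tag {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":              # k= is optional, default rsa
        problems.append(f"key type {tags['k']!r} does not match an RSA private key file")
    if not tags.get("p"):
        problems.append("p= is empty or missing: the key is revoked or the record is wrong")
    return problems


if __name__ == "__main__":
    for answer in (DNS_ANSWER_MISMATCH, DNS_ANSWER_OK):
        result = check_dkim_setup(KEYTABLE, SIGNINGTABLE, answer, "user@mydomain.tld")
        print(answer[0], result or "OK")
```

With the mismatched answer the check reports that the KeyTable expects 201904._domainkey.mydomain.tld while DNS publishes 201902, which is exactly the kind of selector slip that makes OpenDKIM sign with a key no verifier can fetch.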



RE: Postfix With OpenDKIM: milter: SMFIC_EOH

2019-02-13 Thread L . P . H . van Belle


Did someone look at an "old" howto here? 

Postfix manual shows clearly.
/etc/postfix/main.cf:
# Postfix ≥ 2.6
milter_protocol = 6
# 2.3 ≤ Postfix ≤ 2.5
milter_protocol = 2

This works fine on Debian Stretch, if you set  milter_protocol = 6 

dpkg -l | egrep "postfix|opend[m,k]"
ii  libopendkim11   2.11.0~alpha-10+deb9u1  amd64  Library for signing and verifying DomainKeys Identified Mail signatures
ii  libopendmarc2   1.3.2-2+deb9u1          amd64  Library for DMARC validation and reporting
ii  opendkim        2.11.0~alpha-10+deb9u1  amd64  Milter implementation of DomainKeys Identified Mail
ii  opendkim-tools  2.11.0~alpha-10+deb9u1  amd64  Set of command line tools for OpenDKIM
ii  opendmarc       1.3.2-2+deb9u1          amd64  Milter implementation of DMARC
ii  postfix         3.1.8-0+deb9u1          amd64  High-performance mail transport agent

## Added for OpenDKIM (8892) OpenDMARC (8893)
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892 inet:localhost:8893
non_smtpd_milters = inet:localhost:8892 inet:localhost:8893




> -Oorspronkelijk bericht-
> Van: postfixlists-070...@billmail.scconsult.com 
> [mailto:owner-postfix-us...@postfix.org] Namens Bill Cole
> Verzonden: woensdag 13 februari 2019 14:35
> Aan: Postfix users
> Onderwerp: Re: Postfix With OpenDKIM: milter: SMFIC_EOH
> 
> On 13 Feb 2019, at 0:13, Noah Huppert wrote:
> 
> > milter_protocol = 2
> 
> Why?
> 
> It would be shocking if OpenDKIM required that. Any milter 
> requiring it 
> should be considered obsolete.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Available For Hire: https://linkedin.com/in/billcole
> 
> 



RE: multi relay host

2019-02-05 Thread L . P . H . van Belle
All I can think of is: 

Setup 3 postfix dual smtp. 
Server 1, incoming relay. 
Which delivers on server 2 and 3 with dual smtp. 

Server 2 to  
Vessel A = *@vessel_A.domain.com
Has smtp relay 1 = an IP address:25

Server 3 to 
Vessel A = *@vessel_A.domain.com
Has Smtp 2 relay as backup with IP address and port 20026

If you put the relay settings in sql, you can share it over all 3 servers. 
Should be possible, maybe there are better ways, but I can't think of one. 

Greetz

Louis



> -Oorspronkelijk bericht-
> Van: De Petter Mattheas [mailto:mattheas.depet...@jandenul.com] 
> Verzonden: dinsdag 5 februari 2019 9:09
> Aan: L.P.H. van Belle
> CC: Postfix users
> Onderwerp: RE: multi relay host
> 
> Hello and thanks for the suggestion.
> 
> 
> The thing is I need this in the transport map, as we have to 
> do this for each sub domain.
> 
> Vessel A = *@vessel_A.domain.com
> Has smtp relay 1 = an IP address:25
> Has Smtp 2 relay as backup with IP address and port 20026
> 
> Vessel b = *@vessel_b.domain.com
> Has smtp relay 1 = a different IP address:25
> Has Smtp 2 relay as backup with IP address and port 20026
> 
> 
> And so on for 90 different sub addresses.
> 
> Any ideas on how to do this?
> 
>  
> 
> Met vriendelijke groeten 
> Kind regards  
> De Petter Mattheas   
> Technical support engineer - projects team 
> IT-Department Jan De Nul Dredging N.V.
> T +32 (0)53 73 95 53  
> F +32 (0)53 21 00 31  
> www.jandenul.com    
> 
> 
> -Original Message-
> From: L.P.H. van Belle  
> Sent: 05 February 2019 08:57
> To: De Petter Mattheas 
> Subject: RE: multi relay host
> 
> This works for me. 
> 
> http://pjrlost.blogspot.com/2012/11/smtp-delivery-to-two-mail-
> servers-via.html 
> 
> https://gitlab.dls-belgium.eu/tools/smptdd/tree/develop
> 
> Greetz, 
> 
> Lois
> 
> > -Oorspronkelijk bericht-
> > Van: mattheas.depet...@jandenul.com
> > [mailto:owner-postfix-us...@postfix.org] Namens De Petter Mattheas
> > Verzonden: dinsdag 5 februari 2019 7:51
> > Aan: Postfix users
> > Onderwerp: RE: multi relay host
> > 
> > Hello
> > 
> > Indeed that's what I meant.
> > 
> > We want smtp 1 = an IP address:25, the second an IP address:20026
> > 
> > We have to have two routes on the server so we can have a 
> mail relay 
> > system.
> > 
> > One route should connect to the vpn and deliver mail that way on 
> > standard port 25 The second was a ssh with port forwarding, 
> where we 
> > give the postfix as smtp route the adress of the ssh server that 
> > listen on port 20026.
> > And in that ssh server there was a port forwarding made with the 
> > responding smtp server on port 25, so mail could get in.
> > 
> > Do any of you know another program or solution that has this 
> > functionality?
> > 
> > 
> > Many thanks
> > 
> > Met vriendelijke groeten 
> > Kind regards 
> > De Petter Mattheas 
> > Technical support engineer - projects team 
> > IT-Department Jan De Nul Dredging N.V.
> > T +32 (0)53 73 95 53 F +32 (0)53 21 00 31 www.jandenul.com
> > 
> > 
> > -Original Message-
> > From: owner-postfix-us...@postfix.org 
> >  On Behalf Of Wietse Venema
> > Sent: 04 February 2019 16:53
> > To: Postfix users 
> > Subject: Re: multi relay host
> > 
> > De Petter Mattheas:
> > > 
> > > Hello
> > > 
> > > 
> > > Thanks for the feedback.
> > > 
> > > Can you still help me with the following?
> > > 
> > > We want to have two smtp routes for one subdomain
> > > 
> > > For example
> > > 
> > > *@eqx.vessel.com = smtp 1: a ip address 25
> > > = smtp 2: a ip address 20026
> > > 
> > > *@bqx.vessel.com = smtp 1: a ip address 25
> > > = smtp 2: a ip address 20026
> > 
> > Ehm. 25 is not an IP address. Did you mean TCP port?
> > 
> > Transport maps currently can return only one result. You 
> can use DNS 
> > to go from one transport map result to multiple IP addresses, but 
> > multiple TCP ports.
> > 
> > What you can do is to (also) run an SMTP daemon on port 
> 20026 on the 
> > smtp1 host. In Postfix, that means:
> > 
> > /etc/postfix/master.cf:
> > 20026 inet  ... .. .. .. .. smtpd
> > 
> > Wietse
> > 
> > Any reaction to this e-mail or any other mail, including any files 
> > transmitted therewith to sender's e-mail address(es) shall be dealt 
> > with not as private, but as business
> > communication(s) and shall be registered as such.
> > 
> > 
> > 
> 
> 



RE: dnsbl postscreen - not blocking

2018-12-19 Thread L . P . H . van Belle
Hai, 

recent.spam.dnsbl.sorbs.net = 127.0.0.6 
and you gave it 1 point. 

What's the postscreen_dnsbl_threshold set at? 
I'll bet that's set higher than 1.


Greetz, 

Louis




Van: cubew...@googlemail.com [mailto:owner-postfix-us...@postfix.org] 
Namens Stefan Bauer
Verzonden: woensdag 19 december 2018 14:01
Aan: Postfix users
Onderwerp: dnsbl postscreen - not blocking


Hi, 

Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from [209.85.166.196]:52168 to [public-ip]:25
Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by domain dnsbl.sorbs.net as 127.0.0.6
Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW [209.85.166.196]:52168
Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from mail-it1-f196.google.com[209.85.166.196]

Why did Google pass postscreen even though it's listed in one of the RBLs?


postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1 dnsbl.sorbs.net*1
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce

Am i missing something obvious?

Stefan





FW: RE: Double-Bounce

2018-09-14 Thread L . P . H . van Belle
In order of messages. ( I got 11 messages for 1 postfix list mail ). 
I only see these when:
1) someone tries to mail out of my domain name.
2) I mail the postfix list. 
 
I never figured this out, why this happens at the postfix list. 
 
 
This is an authentication failure report for an email message received from IP
168.100.1.3 on Fri, 14 Sep 2018 11:11:03 +0200 (CEST).

This is a spf/dkim authentication-failure report for an email message received
from IP 2604:8d00:0:1::3 on Fri, 14 Sep 2018 11:10:56 +0200.

This is an authentication failure report for an email message received from IP
168.100.1.3 on Fri, 14 Sep 2018 05:11:04 -0400 (EDT).

This is an authentication failure report for an email message received from IP
168.100.1.3 on Fri, 14 Sep 2018 11:11:19 +0200 (CEST).

This is a spf/dkim authentication-failure report for an email message received
from IP 168.100.1.3 on Fri, 14 Sep 2018 11:11:32 +0200.

This is an authentication failure report for an email message received from IP
168.100.1.3 on Fri, 14 Sep 2018 05:11:41 -0400 (EDT).

This is an authentication failure report for an email message received from IP
168.100.1.3 on Fri, 14 Sep 2018 09:11:40 + (UTC).

This is an authentication failure report for an email message received from IP
168.100.1.3 on Fri, 14 Sep 2018 05:11:47 -0400 (EDT).

This is an authentication failure report for an email message received from IP
129.97.167.82 on Fri, 14 Sep 2018 05:11:56 -0400 (EDT).

This is an authentication failure report for an email message received from IP
129.97.167.82 on Fri, 14 Sep 2018 05:11:56 -0400 (EDT).

This is a spf/dkim authentication-failure report for an email message received
from IP 2604:8d00:0:1::3 on Fri, 14 Sep 2018 11:10:56 +0200.

This is a spf/dkim authentication-failure report for an email message received
from IP 168.100.1.3 on Fri, 14 Sep 2018 11:11:32 +0200.





RE: Double-Bounce

2018-09-14 Thread L . P . H . van Belle
I had similar things. 
.. Waiting for the bounce... 

Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: rei...@bbmk.org [mailto:owner-postfix-us...@postfix.org] 
> Namens B. Reino
> Verzonden: vrijdag 14 september 2018 10:52
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Double-Bounce
> 
> On 2018-09-14 10:36, Dominic Raferd wrote:
> 
> > On Fri, 14 Sep 2018 at 07:14, Benny Pedersen  wrote:
> > 
> >> Benny Pedersen skrev den 2018-09-14 08:08:
> >>> Dominic Raferd skrev den 2018-09-14 07:33:
>  On Fri, 14 Sep 2018 at 00:29, Julian Opificius 
>  
>  wrote:
> > 
> > Why is it that my system marks everything from you as 
> spam, Benny? 
> > Is
> > it
> > your tld? I've added you to my address book, but my server keeps
> > spitting you out.
>  
>  Because the domain that he uses to send emails through 
> this mailing
>  list has DMARC p=quarantine setting:
>  # dig +short _dmarc.junc.eu TXT
>  "v=DMARC1; p=quarantine; 
> rua=mailto:report_...@dmarc.junc.eu; fo=d;
>  adkim=r; aspf=r; sp=none"
> >>> 
> >>> postfix maillist is dkim safe, so if it breaks, show the link that
> >>> breaks it, whitelist postfix maillist so it does not go into
> >>> quarantine
> >>> 
> >>> can i help more ?
> >>> 
> >>> i get dmarc pass back on my post here
> >> 
> >> DMARC-Filter: OpenDMARC Filter v1.3.2 linode.junc.eu 2C5B31BE06F
> >> Authentication-Results: linode.junc.eu; dmarc=pass (p=quarantine
> >> dis=none) header.from=junc.eu
> >> Authentication-Results: linode.junc.eu;
> >> dkim=pass (1024-bit key) header.d=junc.eu header.i=@junc.eu
> >> header.b=Aedk3uHj;
> >> dkim-atps=neutral
> >> Received-SPF: none (postfix.org: No applicable sender policy 
> >> available)
> >> receiver=localhost.junc.eu; identity=mailfrom;
> >> envelope-from="owner-postfix-us...@postfix.org";
> >> helo=russian-caravan.cloud9.net; client-ip="2604:8d00:0:1::4"
> > 
> > Sorry you are right: your emails pass DKIM and also, when 
> going through 
> > postfix mailing list (but not all others), pass DKIM 
> alignment, so they 
> > pass DMARC. However, when sent through mailing lists, they 
> fail SPF, 
> > and (for DMARC) SPF alignment, so servers that make decisions based 
> > only on this (which is not the DMARC way) may choose to 
> treat them as 
> > spam. Mine don't, but I have seen your emails quarantined (or, 
> > previously, blocked) on other mailing lists, hence my 
> original comment.
> 
> I think the postfix ML is not so "DKIM safe". In my case, it 
> causes my 
> DKIM signature to fail. I have now compared a message sent by 
> me against 
> other messages sent e.g. by Benny Pedersen, and concluded that my 
> configuration (using rspamd) was signing way too many fields. 
> I have now 
> reduced the number of fields and hopefully this message 
> should now come 
> back from the postfix ML with a valid DKIM signature.
> 
> So in a way this message is just a test, but hopefully also a 
> clarification :)
> 
> Cheers,
> Bernardo Reino.
> 
> 



RE: 5 messages per second

2018-06-20 Thread L . P . H . van Belle
Yes. 
 
I did like this setup.
https://wiki.deimos.fr/Postfix:_limit_outgoing_mail_throttling 
And now you have also options per domain.
 
Greetz, 
 
Louis

Van: paul.martin.b...@gmail.com [mailto:owner-postfix-us...@postfix.org] Namens 
Paul Martin
Verzonden: woensdag 20 juni 2018 16:44
Aan: postfix-users
Onderwerp: 5 messages per second



Hello


I would like to send 5 messages per second with postfix. 



How can I do that with postfix ?


Thanks


Paul




RE: Gmail discard my emails

2018-05-07 Thread L . P . H . van Belle
Have a look. 

https://toolbox.googleapps.com/apps/checkmx/check?domain=schweb.com.ar_selector=
 
schweb.com.ar 
There were some critical problems detected with this domain. Mail-flow is 
probably affected. Please refer to the corresponding help articles to fix 
these. 

Your base setup is ok, you could reduce your SPF record from:
"v=spf1 mx a ptr ip4:24.232.174.73 mx:schweb.com.ar a:schlabs.com.ar 
a:sys-arquitectura.cl -all"
To 
"v=spf1 mx a:sys-arquitectura.cl -all"

You might need to validate your domain. I had the same problem a few years ago.
You need a txt record : google-site-verification=... 

Once validated and this added in your domain, no problems anymore. 
MS has similar services. 


Greetz, 

Louis

> -Oorspronkelijk bericht-
> Van: l...@schweb.com.ar 
> [mailto:owner-postfix-us...@postfix.org] Namens Christian Schmitz
> Verzonden: maandag 7 mei 2018 16:06
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Gmail discard my emails
> 
> > Hi,
> >
> > > 2018-05-07T09:38:23.969642-03:00 schweb postfix/smtp[26859]:
> > >   Untrusted TLS connection established to
> > >   gmail-smtp-in.l.google.com[64.233.190.27]:25:
> > >   TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> > > 2018-05-07T09:38:26.022482-03:00 schweb postfix/smtp[26859]:
> > >   343BF39998: to=<***my_friend***@gmail.com>,
> > >   relay=gmail-smtp-in.l.google.com[64.233.190.27]:25, delay=3.8,
> > >   delays=0.46/0.03/1.4/1.9, dsn=2.0.0, status=sent (250 2.0.0 OK
> > > 1525696705 b191si705526qkg.318 - gsmtp)
> >
> > Where do you see a discard here?
> >
> > Regards
> > Bjoern
> On Monday 07 May 2018 10:36:41 Bjoern Franke wrote:
> Dear:
> When I do a phone call to my friend, I am sure that the email has 
> not arrived in the 
> inbox, and not in the spam folders.
> Best Regards
> Christian
> 
> 
> -- 
> Be Free, Be Linux 
> 
> 
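Added example, not from this thread: a Python SPF record lint that parses the terms of the two records quoted above, counts the terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10, after which receivers return permerror), flags the ptr mechanism that RFC 7208 section 5.5 says should not be used, and checks that the record ends in an all mechanism or a redirect. The records are the ones Louis quotes; the extra record in the test is constructed.

```python
"""SPF record lint: DNS-lookup budget, deprecated ptr, terminal all/redirect.

Added example, not from the thread. ORIGINAL and REDUCED are the records
quoted in the reply above."""
import re

# Mechanisms that cost a DNS lookup; the redirect modifier does too.
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
LOOKUP_LIMIT = 10

ORIGINAL = ("v=spf1 mx a ptr ip4:24.232.174.73 mx:schweb.com.ar a:schlabs.com.ar "
            "a:sys-arquitectura.cl -all")
REDUCED = "v=spf1 mx a:sys-arquitectura.cl -all"

# qualifier, name, separator (':' mechanism / '=' modifier), argument, CIDR suffix
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=])([^/]*))?(/\d+(?://\d+)?)?$")


def parse_spf(record):
    """Split an SPF record into term dicts; raises on a non-SPF or unparsable term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term.lower())
        if not m:
            raise ValueError(f"cannot parse term {term!r}")
        qualifier, name, sep, arg, cidr = m.groups()
        parsed.append({"qualifier": qualifier or "+", "name": name,
                       "kind": "modifier" if sep == "=" else "mechanism",
                       "arg": arg, "cidr": cidr})
    return parsed


def counts_as_lookup(term):
    """True for the terms RFC 7208 section 4.6.4 charges against the limit."""
    if term["kind"] == "mechanism":
        return term["name"] in LOOKUP_MECHANISMS
    return term["name"] == "redirect"


def lint_spf(record):
    """Return (number of DNS-lookup terms, list of findings)."""
    parsed = parse_spf(record)
    lookups = sum(1 for t in parsed if counts_as_lookup(t))
    findings = []
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {LOOKUP_LIMIT}: "
                        "receivers return permerror")
    if any(t["name"] == "ptr" for t in parsed):
        findings.append("ptr should not be used (RFC 7208 section 5.5): slow, "
                        "unreliable, and receivers may ignore it")
    if not any(t["name"] in ("all", "redirect") for t in parsed):
        findings.append("no terminal 'all' or redirect: unmatched senders get neutral")
    return lookups, findings


if __name__ == "__main__":
    for record in (ORIGINAL, REDUCED):
        lookups, findings = lint_spf(record)
        print(f"{record}\n  lookups={lookups} findings={findings or 'none'}")
```

The original record spends six of its ten lookups (mx, a, ptr, mx:, a:, a:) before any include could be added later; the reduced record spends two and drops ptr.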



RE: Postfix & logrotate

2018-03-28 Thread L . P . H . van Belle
You did not get the hint.. The "wrong" thing here is mail.* 
Because you're now rotating everything behind the mail.*, 
so also .1 .1.1 .1.1.1 etc etc, until your server explodes ;-)   

You should have this in your postfix logrotate.. 
Try this. 

/var/log/mail.info /var/log/mail.warn /var/log/mail.err /var/log/mail.log {
    monthly
    missingok
    notifempty
    delaycompress
    compress
    create 640 root adm
    rotate 3650
    size 10M
}

Greetz, 

Louis

> -Oorspronkelijk bericht-
> Van: more...@cerm.unifi.it 
> [mailto:owner-postfix-us...@postfix.org] Namens Enrico Morelli
> Verzonden: woensdag 28 maart 2018 10:54
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Postfix & logrotate
> 
> On Wed, 28 Mar 2018 10:24:49 +0200
> L.P.H. van Belle  wrote:
> 
> > Hai, 
> > 
> > Did you remove the mail rotate also from 
> /etc/logrotate.d/rsyslog   ? 
> > 
> > You have these lines in the rsyslog file also.
> > /var/log/mail.info
> > /var/log/mail.warn
> > /var/log/mail.err
> > /var/log/mail.log
> > 
> > You're now "double" rotating your logs.  ;-) 
> > 
> > 
> > Greetz, 
> > 
> 
> I removed the mail.* from rsyslog before creating the postfix file.
> 
> 
> > louis
> > 
> > 
> > 
> > > -Oorspronkelijk bericht-
> > > Van: more...@cerm.unifi.it 
> > > [mailto:owner-postfix-us...@postfix.org] Namens Enrico Morelli
> > > Verzonden: woensdag 28 maart 2018 10:19
> > > Aan: postfix-us...@cloud9.net
> > > Onderwerp: Postfix & logrotate
> > > 
> > > This problem is not strictly related to Postfix, but I'm 
> going crazy
> > > trying to solve it. I've a postfix mail server on Debian 9. I want to
> > > maintain the mail log, so I create a postfix file in 
> /etc/logrotate.d
> > > with the following content (this is the latest attempt to find a
> > > solution):
> > > 
> > > /var/log/mail.* {
> > > monthly
> > > missingok
> > > notifempty
> > > delaycompress
> > > compress
> > > rotate 3650
> > > size 10M
> > > }
> > > 
> > > Every day I find a lot of empty mail log like the following:
> > > -rw-r--r--  1 root   adm          0 Mar 28 06:25 mail.log.1
> > > -rw-r--r--  1 root   adm   11150441 Mar 28 06:25 mail.log.1.1
> > > -rw-r--r--  1 root   adm          0 Mar 28 06:25 mail.log.1.1.1
> > > -rw-r--r--  1 root   adm   13200643 Mar 25 06:25 mail.log.1.1.1.1
> > > -rw-r--r--  1 root   adm          0 Mar 28 06:25 mail.log.1.1.1.1.1.1
> > > -rw-r--r--  1 root   adm   14921041 Mar 23 06:25 mail.log.1.1.1.1.1.1.1
> > > -rw-r--r--  1 root   adm          0 Mar 28 06:25 mail.log.1.1.1.1.1.1.1.1
> > > 
> > > After the weekend the logs seem a tree. Can someone help me to
> > > solve the problem?
> > > 
> > > Thanks
> > > 
> > > 
> > > -- 
> > > ---
> > >   Enrico Morelli
> > >   System Administrator | Programmer | Web Developer
> > > 
> > >   CERM - Polo Scientifico
> > >   via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
> > > 
> > > 
> > >   
> > 
> 
> 
> 
> -- 
> ---
>   Enrico Morelli
>   System Administrator | Programmer | Web Developer
> 
>   CERM - Polo Scientifico
>   via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
> 
> 
> 
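Added example, not from this thread and not part of logrotate: a Python lint for logrotate stanzas that expands each stanza's file patterns against a directory listing and flags any already-rotated copies the glob would rotate again. The two stanzas are the ones quoted in this thread; the /var/log listing is constructed from Enrico's ls output plus a couple of unrelated files.

```python
"""Flag logrotate globs that also match already-rotated files.

Added example, not from the thread. LISTING is constructed from the listing
quoted above; the stanzas are the two from the thread."""
import fnmatch
import os
import re

# A name that ends in .N or .N.<compression> is a rotated copy, not a live log.
ROTATED_SUFFIX = re.compile(r"\.(\d+)(\.(gz|xz|bz2|zst))?$")

# Constructed listing of /var/log after a few runs of the broad glob.
LISTING = ["mail.err", "mail.info", "mail.log", "mail.warn",
           "mail.log.1", "mail.log.1.1", "mail.log.1.1.1", "mail.log.1.1.1.1",
           "mail.warn.1", "syslog", "syslog.1", "syslog.2.gz"]

BROAD_STANZA = """/var/log/mail.* {
    monthly
    missingok
    rotate 3650
    size 10M
}
"""

EXPLICIT_STANZA = """/var/log/mail.info /var/log/mail.warn /var/log/mail.err /var/log/mail.log {
    monthly
    missingok
    create 640 root adm
    rotate 3650
    size 10M
}
"""


def stanza_patterns(config_text):
    """Return, per stanza, the file patterns on its header line (before '{')."""
    headers = re.findall(r"^([^\s{}#][^{\n]*)\{", config_text, re.M)
    return [header.split() for header in headers]


def matched_files(patterns, listing, logdir="/var/log"):
    """Expand the patterns the way logrotate's glob would, against the listing."""
    matched = set()
    for pattern in patterns:
        for name in listing:
            if fnmatch.fnmatchcase(os.path.join(logdir, name), pattern):
                matched.add(name)
    return sorted(matched)


def lint_stanza(config_text, listing):
    """Per stanza: (header, rotated copies its patterns would rotate again)."""
    report = []
    for patterns in stanza_patterns(config_text):
        rotated = [name for name in matched_files(patterns, listing)
                   if ROTATED_SUFFIX.search(name)]
        report.append((" ".join(patterns), rotated))
    return report


if __name__ == "__main__":
    for text in (BROAD_STANZA, EXPLICIT_STANZA):
        for header, rotated in lint_stanza(text, LISTING):
            print(f"{header}: {'re-rotates ' + str(rotated) if rotated else 'OK'}")
```

The broad pattern picks up mail.log.1, mail.log.1.1 and so on as if they were live logs, which is how each run adds another .1 to the chain; the explicit list matches only the four files rsyslog writes to.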



RE: Postfix & logrotate

2018-03-28 Thread L . P . H . van Belle
Hai, 

Did you remove the mail rotate also from /etc/logrotate.d/rsyslog   ? 

You have these lines in the rsyslog file also.
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log

You're now "double" rotating your logs.  ;-) 


Greetz, 

louis



> -Oorspronkelijk bericht-
> Van: more...@cerm.unifi.it 
> [mailto:owner-postfix-us...@postfix.org] Namens Enrico Morelli
> Verzonden: woensdag 28 maart 2018 10:19
> Aan: postfix-us...@cloud9.net
> Onderwerp: Postfix & logrotate
> 
> This problem is not strictly related to Postfix, but I'm going crazy
> trying to solve it. I've a postfix mail server on Debian 9. I want to
> maintain the mail log, so I create a postfix file in /etc/logrotate.d
> with the following content (this is the latest attempt to find a
> solution):
> 
> /var/log/mail.* {
> monthly
> missingok
> notifempty
> delaycompress
> compress
> rotate 3650
> size 10M
> }
> 
> Every day I find a lot of empty mail log like the following:
> -rw-r--r--  1 root   adm          0 Mar 28 06:25 mail.log.1
> -rw-r--r--  1 root   adm   11150441 Mar 28 06:25 mail.log.1.1
> -rw-r--r--  1 root   adm          0 Mar 28 06:25 mail.log.1.1.1
> -rw-r--r--  1 root   adm   13200643 Mar 25 06:25 mail.log.1.1.1.1
> -rw-r--r--  1 root   adm          0 Mar 28 06:25 mail.log.1.1.1.1.1.1
> -rw-r--r--  1 root   adm   14921041 Mar 23 06:25 mail.log.1.1.1.1.1.1.1
> -rw-r--r--  1 root   adm          0 Mar 28 06:25 mail.log.1.1.1.1.1.1.1.1
> 
> After the weekend the logs seem a tree. Can someone help me to solve
> the problem?
> 
> Thanks
> 
> 
> -- 
> ---
>   Enrico Morelli
>   System Administrator | Programmer | Web Developer
> 
>   CERM - Polo Scientifico
>   via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
> 
> 
> 



RE: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-14 Thread L . P . H . van Belle
Or why not use an SPF like this in the dns. 

your.domain.tld  TXT "v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp=explain.your.domain.tld" 
explain.your.domain.tld  TXT "SPF error %{i} is not one of %{d}'s designated mail servers."

Now these never reach your server, saving cpu cycles etc. 

Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: postfixlists-070...@billmail.scconsult.com 
> [mailto:owner-postfix-us...@postfix.org] Namens Bill Cole
> Verzonden: woensdag 14 maart 2018 4:46
> Aan: Postfix users
> Onderwerp: Re: Spammer rejected, but resends every 10 
> minutes. Any way to prevent this
> 
> On 13 Mar 2018, at 23:35 (-0400), Bill Cole wrote:
> 
> > OR: if you don't get any legitimate mail from Hunan, Chongqing, or 
> > Hong Kong you can probably safely block 113.240.0.0/12 from 
> talking at 
> > all to your SMTP port (or just the /13 to limit it to Hunan.)
> 
> OR: Use the Spamhaus ZEN DNSBL, which has the whole /12 
> listed via its 
> PBL component.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
> 
> 
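Added example, not from this thread: a Python expander for the SPF macros used in the record above (RFC 7208 section 7), so you can see the exact DNS name an exists:%{ir}.zen.spamhaus.org term makes the receiver query, and the text the explanation record produces. It handles the letters s, l, o, d, i, v and h, the digit and r transformers, and the %%, %_ and %- escapes; the IP addresses, sender and HELO name it is run with are constructed.

```python
"""Expand SPF macros (RFC 7208 section 7).

Added example, not from the thread. The addresses and names passed in the
demo are constructed."""
import ipaddress
import re

# %{<letter><digits><r><delimiters>} or one of the literal escapes %% %_ %-
MACRO_RE = re.compile(r"%(?:\{([slodivh])(\d*)(r?)([.\-+,/_=]*)\}|([%_\-]))")

# The two records from the reply above (exp= points at the second one).
EXISTS_TARGET = "%{ir}.zen.spamhaus.org"
EXPLANATION = "SPF error %{i} is not one of %{d}'s designated mail servers."


def expand_macros(text, ip, sender, domain, helo):
    """Expand every macro in text for one SPF check.

    ip:     connecting client address (v4 or v6)
    sender: MAIL FROM address, '' for the null sender
    domain: the domain whose SPF record is being evaluated (%{d})
    helo:   HELO/EHLO name (%{h})
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        i_value, v_value = str(addr), "in-addr"
    else:
        # IPv6 expands to dotted nibbles (RFC 7208 section 7.3)
        i_value, v_value = ".".join(addr.exploded.replace(":", "")), "ip6"
    if not sender:
        sender = "postmaster@" + helo        # null MAIL FROM (RFC 7208 section 4.3)
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": i_value, "v": v_value, "h": helo}

    def replace(m):
        letter, digits, reverse, delims, literal = m.groups()
        if literal:
            return {"%": "%", "_": " ", "-": "%20"}[literal]
        # split on the given delimiters (default '.'), optionally reverse,
        # keep the rightmost <digits> parts, and rejoin with '.'
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(replace, text)


def exists_query_name(ip, domain, sender="", helo="mail.example.net"):
    """The DNS name a receiver looks up for the exists: term in the record above."""
    return expand_macros(EXISTS_TARGET, ip, sender, domain, helo)


if __name__ == "__main__":
    print(exists_query_name("192.0.2.10", "your.domain.tld"))
    print(exists_query_name("2001:db8::1", "your.domain.tld"))
    print(expand_macros(EXPLANATION, "192.0.2.10", "", "your.domain.tld", "mail.example.net"))
```

For a connecting client 192.0.2.10 the receiver queries 10.2.0.192.zen.spamhaus.org; if that name exists (the client is listed) the -exists term matches and the sender gets fail with the explanation text, before any message data reaches your MX.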



RE: question about envelop from.

2018-03-13 Thread L . P . H . van Belle
Hello Victor, 


> -Oorspronkelijk bericht-
> Van: postfix-us...@dukhovni.org 
> [mailto:owner-postfix-us...@postfix.org] Namens Viktor Dukhovni
> Verzonden: dinsdag 13 maart 2018 15:27
> Aan: Postfix users
> Onderwerp: Re: question about envelop from.
> 
> 
> 
> > On Mar 13, 2018, at 8:54 AM, L.P.H. van Belle 
>  wrote:
> > 
> > Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: 
> reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 
> : Sender address rejected: 
> Domain not found; from= 
> >  
> > about this: 
> > envelope-from="MAILER-DAEMON@apmcsqa01.poort" 
> >  
> > I'm looking for the correct rfc where it's described that the 
> part @apmcsqa01.poort  should be @thesendingdomain.tld 
> > where thesendingdomain.tld is also a resolvable domain, 
> because not it does not make sense because the now 
> mailer-daemon will never be accepted because it's non resolvable
> 
> In addition to not being resolvable, the envelope sender 
> address here is also
> problematic because "MAILER-DAEMON@" should only ever appear 
> in the message
> headers and NEVER as the envelope sender.  The correct 
> envelope sender for
> bounces is the empty (or null) sender:
> 
>   MAIL FROM:<>
> 
> not
> 
>   MAIL FROM:
> 
> Sure, some domain could in theory have an actual user mailbox named
> "mailer-daemon", but that is most unlikely.  It is rather clear that
> the server in question is generating backscatter with a non-empty
> envelope sender address, thus potentially leading to mail loops.
> 
> It is good that your server is rejecting this traffic.
> 
> Finally, it seems you may be requesting client certificates 
> on port 25,
> (incoming TLS status is "Untrusted" rather than "Anonymous") I wonder
> why...
> 
>http://www.postfix.org/FORWARD_SECRECY_README.html#status
> 
> do you have "smtpd_tls_ask_ccert = yes"?
> 
> -- 
>   Viktor.
> 


Yes, I've set smtpd_tls_ask_ccert to yes. 

I do also have Anonymous messages:
Anonymous TLS connection established from mail187-16.suw11.mandrillapp.com[198.2.187.16]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Hmmm, I now also noticed I don't have Trusted or Verified anymore; this must be 
a miss on my side after the switch from 2.10 to 3.1 postfix. 

I need ssl verification, I'm not running a high volume site and I just enabled 
DKIM SPF TLSA and DANE for this server. 
Any tips on my config? I'm running this config atm, postfix 3.1.8 (Debian) 
( config below ) 

Best regards, 

Louis



### General Defaults
smtpd_banner = $myhostname ESMTP Ready
mail_version = 007
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
mailbox_size_limit = 0
recipient_delimiter = +
empty_address_recipient = MAILER-DAEMON

### Limit the info given to outside servers
show_user_unknown_table_name = no

### no one needs to ask our server who is on it
disable_vrfy_command = yes

### user!domain != user@domain
swap_bangpath = no

### user%domain != user@domain
allow_percent_hack = no

### Tarpit until RCPT TO: to reject the email for nagios compatibility
smtpd_delay_reject = yes

### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2

### Transports and slowdown of delivery per domain are set here also.
transport_maps = hash:/etc/postfix/personal/transport_maps.map
## Transports Tuning outgoing connections ! Esa max concurrent connections (polite)
## see also transport file and master.cf
# Throttle limit policy mail (global)
smtp_destination_concurrency_limit = 5
smtp_extra_recipient_limit = 2

# Polite policy
polite_destination_concurrency_limit = 3
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5

# Turtle policy
turtle_destination_concurrency_limit = 2
turtle_destination_rate_delay = 1s
turtle_destination_recipient_limit = 2
##
###

## 100 Mb size limit 
message_size_limit = 10240

# Postfix before 3.0 by default permits non-ASCII content in headers and addresses.
strict_7bit_headers = yes

2bounce_notice_recipient = postmas...@somedomain.tld
2bounce_notice_recipient = postmas...@somedomain.tld
bounce_notice_recipient = postmas...@somedomain.tld
delay_notice_recipient = postmas...@somedomain.tld
error_notice_recipient = postmas...@somedomain.tld
notify_classes = bounce, resource, software

## Being strict to the RFC not only stops unwanted mail,
## it also blocks legitimate mail from poorly-written mail applications.
## default = no
strict_rfc821_envelopes = yes

###
# SASL disabled, it's not used on this server.
broken_sasl_auth_clients = no
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no

# TLS parameters
# Disable SSL compression
tls_ssl_options = NO_COMPRESSION

# cipherlists, defaults are ok.

RE: question about envelop from.

2018-03-13 Thread L . P . H . van Belle
Hai Matus, 
Thank you for the reply, most appreciated. 

No, but it's a "government" server, so I need to be very sure..   ;-) 
Thanks, I was looking in the wrong rfc. 


Best regards, 

Louis
 

> -Oorspronkelijk bericht-
> Van: uh...@fantomas.sk 
> [mailto:owner-postfix-us...@postfix.org] Namens Matus UHLAR - fantomas
> Verzonden: dinsdag 13 maart 2018 14:05
> Aan: postfix-users@postfix.org
> Onderwerp: Re: question about envelop from.
> 
> On 13.03.18 13:54, L.P.H. van Belle wrote:
> >I'm reading through rfc's but the following is still not clear for me.
> > 
> >E-mail is rejected based on the envelope-from address from a 
> mail-daemon with postfix + postfix-policyd-spf
> > 
> >I saw the following in the postfix logs.
> >Feb  7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS 
> connection established from smtp1..nl[x.xx.xxx.xx]: 
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> >Feb  7 00:00:16 hostname postfix/policy-spf[31766]: Policy 
> action=PREPEND Received-SPF: none (apmcsqa01.poort: No 
> applicable sender policy available) 
> receiver=hostname.domain.nl; identity=mailfrom; 
> envelope-from="MAILER-DAEMON@apmcsqa01.poort"; 
> helo=smtp1..nl; client-ip=x.xx.xxx.xx]
> >Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: 
> reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 
> : Sender address rejected: 
> Domain not found; from=
> > 
> >about this:
> >envelope-from="MAILER-DAEMON@apmcsqa01.poort"
> 
> who and why configured non-existing domain name there?
> 
> >Im looking for the correct rfc where its described that the 
> part @apmcsqa01.poort  should be @thesendingdomain.tld
> 
> RFC 5321, section 2.3.5.  Domain Names:
> 
> Only resolvable, fully-qualified domain names (FQDNs) are 
> permitted
> when domain names are used in SMTP.
> 
> >where thesendingdomain.tld is also a resolvable domain, 
> because not it does
> > not make sence because the now mailer-daemon wil never be 
> accepted because
> > its non resolveable
> 
> correct. that is the expected behaviour.
> do you expect someone to accept mail from non-existing 
> (invalid) addresses?
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
> 
> 



question about envelop from.

2018-03-13 Thread L . P . H . van Belle
Hai, 
 
I'm reading through RFCs but the following is still not clear to me. 
 
E-mail is rejected based on the envelope-from address from a mail daemon with 
postfix + postfix-policyd-spf 
 
I saw the following in the postfix logs. 
Feb  7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connection established from smtp1..nl[x.xx.xxx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:00:16 hostname postfix/policy-spf[31766]: Policy action=PREPEND Received-SPF: none (apmcsqa01.poort: No applicable sender policy available) receiver=hostname.domain.nl; identity=mailfrom; envelope-from="MAILER-DAEMON@apmcsqa01.poort"; helo=smtp1..nl; client-ip=x.xx.xxx.xx]
Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 : Sender address rejected: Domain not found; from= 
 
about this: 
envelope-from="MAILER-DAEMON@apmcsqa01.poort" 
 
I'm looking for the correct RFC where it's described that the part 
@apmcsqa01.poort should be @thesendingdomain.tld 
where thesendingdomain.tld is also a resolvable domain, because now it does not 
make sense because the mailer-daemon will never be accepted because it's 
non-resolvable 
 
If someone can point me to the correct RFC (and chapter), that would be great. 
 
 
Thanks! 
 
Louis
 
 
 


RE: manitu.net RBL, opinions? Re: postwhite? (why not?)

2018-03-06 Thread L . P . H . van Belle
I use this list for postscreen, big list. 
Use with care, this one is customized for my needs. 

The two cidr's in the access list: the first is manually maintained. 
The second cidr and Spamhaus DROP are auto-updated by script.

Greetz, 
Louis


postscreen_greet_banner = $myhostname, checking blacklists, please wait.
postscreen_greet_action = drop
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
# first cidr: personal white/black list.
# pcre: faulty rdns record list, like hosters with dynamic ips.
# second cidr: Spamhaus DROP list.
# (main.cf has no inline comments, so they are kept on their own lines,
#  and continuation lines must start with whitespace)
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/personal/postscreen_access_list.cidr,
    pcre:/etc/postfix/personal/postscreen_access_list-reject.fqrdns.pcre,
    cidr:/etc/postfix/personal/postscreen_access_list-drop.spamhaus-lasso.cidr
postscreen_whitelist_interfaces = $mynetworks, static:all
postscreen_blacklist_action = drop
# customized reply.
postscreen_dnsbl_reply_map = pcre:/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl = 2h
postscreen_dnsbl_threshold = 4
postscreen_dnsbl_sites =
    zen.spamhaus.org*4
    b.barracudacentral.org*4
    bad.psky.me*4
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    cbl.anti-spam.org.cn=127.0.8.2*2
    dnsbl.kempt.net*1
    dnsbl.inps.de*2
    bl.spamcop.net*2
    srn.surgate.net=127.0.0.2
    spam.dnsbl.sorbs.net*1
    rbl.rbldns.ru*2
    psbl.surriel.com*2
    bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    bl.suomispam.net*2
    bl.blocklist.de*2
    ix.dnsbl.manitu.net*2
    dnsbl-2.uceprotect.net
    dnsbl.justspam.org=127.0.0.2*2
    all.s5h.net=127.0.0.2*2
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    rbl.abuse.ro=127.0.0.[2;4]*2
    dnsbl.spfbl.net=127.0.0.[2;4]*2
    # No RDNS
    dnsbl.spfbl.net=127.0.0.3*1
    hostkarma.junkemailfilter.com=127.0.0.3*1
    # whitelists
    swl.spamhaus.org*-6
    dnswl.spfbl.net=127.0.0.[2;3;4]*-3
    list.dnswl.org=127.0.[0..255].[2;3]*-4
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    nobl.junkemailfilter.com=127.0.0.5*-4
#

 

> -Original message-
> From: postfixlists-070...@billmail.scconsult.com 
> [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole
> Sent: Tuesday 6 March 2018 15:44
> To: Postfix users
> Subject: Re: manitu.net RBL, opinions? Re: postwhite? (why not?)
> 
> On 6 Mar 2018, at 1:26, MRob wrote:
> 
> > On 2018-03-05 18:05, Bill Cole wrote:
> >>> Would you mind sharing which RBLs you recommend to use in 
> >>> postscreen?
> >>
> >> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
> >> zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
> >> zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
> >> psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
> >
> > I just learned of manitu.net RBL is it helpful?
> 
> Obviously I find it so...
> 
> > Bill you don't use things like barracuda.net, spamcop, 
> whatever that 
> > monkey one is, mailspike.
> 
> Not in postscreen (for the reasons previously cited) nor in 
> smtpd. I do 
> use the DNSBLs that SpamAssassin supports by default, but with score 
> adjustments.
> 
> > Is manitu a good replacement for all those?
> 
> No. It IS a good source of spam sources targeting primarily but not 
> exclusively European mailboxes, many of which show up on the 
> manitu list 
> (a.k.a. "NiX Spam") hours before they appear in Zen.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
> 
> 

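An added example (not part of the post, and not Postfix code) that scores a client the way the postscreen_dnsbl_sites list above does: it parses the domain=filter*weight entries, including the [a;b] list and [a..b] range forms, and compares the rank against postscreen_dnsbl_threshold for a few constructed DNSBL replies, once with this list and once with the filtered entries from Bill Cole's quoted reply. Whether an entry matched by several replies counts once is an assumption noted in the code.

```python
import re

# Subset of the postscreen_dnsbl_sites list posted above (copied, with its weights).
LOUIS_SITES = """
zen.spamhaus.org*4
b.barracudacentral.org*4
bl.spamcop.net*2
rep.mailspike.net=127.0.0.[13;14]*1
dnsbl-2.uceprotect.net
hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
list.dnswl.org=127.0.[0..255].[2;3]*-4
hostkarma.junkemailfilter.com=127.0.0.1*-4
"""

# Bill Cole's list from the quoted reply: it only scores specific return codes.
BILL_SITES = """
zen.spamhaus.org=127.0.0.2*2 zen.spamhaus.org=127.0.0.3*2
zen.spamhaus.org=127.0.0.4*2 zen.spamhaus.org=127.0.0.10*2
zen.spamhaus.org=127.0.0.11*2 psbl.surriel.com=127.0.0.2*1
ix.dnsbl.manitu.net=127.0.0.2*1
"""

THRESHOLD = 4  # postscreen_dnsbl_threshold from the post

# One filter field is either a number or a bracket expression; the regex keeps
# "[0..255]" whole instead of splitting it on its dots.
_FIELD = re.compile(r"\[[^\]]*\]|\d+")


def parse_site(entry):
    """Split 'domain[=filter][*weight]' into (domain, filter or None, weight).
    A missing weight counts as 1, as in postscreen."""
    weight = 1
    if "*" in entry:
        entry, weight_text = entry.rsplit("*", 1)
        weight = int(weight_text)
    domain, _, flt = entry.partition("=")
    return domain, (flt or None), weight


def _field_matches(pattern, value):
    """Match one field: '5', '[2;4]' (list), '[0..255]' (range) or a mix like '[1..10;14]'."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for item in pattern[1:-1].split(";"):
        if ".." in item:
            low, high = item.split("..", 1)
            if int(low) <= value <= int(high):
                return True
        elif int(item) == value:
            return True
    return False


def filter_matches(flt, address):
    """True when a DNSBL A-record reply matches the entry's filter; no filter means any reply."""
    if flt is None:
        return True
    fields = _FIELD.findall(flt)
    octets = [int(o) for o in address.split(".")]
    return len(fields) == 4 and all(_field_matches(f, o) for f, o in zip(fields, octets))


def dnsbl_rank(sites_text, replies):
    """Add up the weights of every entry that one of the client's replies matches.

    replies maps a DNSBL domain to the A records it returned for the client
    (missing key = not listed).  Assumption made here: an entry contributes its
    weight at most once, even if several replies match it."""
    rank, hits = 0, []
    for entry in sites_text.split():
        domain, flt, weight = parse_site(entry)
        if any(filter_matches(flt, addr) for addr in replies.get(domain, [])):
            rank += weight
            hits.append(entry)
    return rank, hits


def postscreen_verdict(sites_text, replies, threshold=THRESHOLD):
    """(rank, action): 'enforce' when rank reaches postscreen_dnsbl_threshold, else 'pass'."""
    rank, _ = dnsbl_rank(sites_text, replies)
    return rank, ("enforce" if rank >= threshold else "pass")


# Constructed replies for three hypothetical clients.
LISTED_TWICE = {"zen.spamhaus.org": ["127.0.0.3"], "b.barracudacentral.org": ["127.0.0.2"]}
WHITELISTED = {"bl.spamcop.net": ["127.0.0.2"], "list.dnswl.org": ["127.0.10.3"]}
# Spamhaus answers 127.255.255.254 when the query comes through a public/open
# resolver, the situation Wietse describes in the postscreen thread on this page;
# an unfiltered "zen.spamhaus.org*4" entry scores that error reply as a listing.
RESOLVER_ERROR = {"zen.spamhaus.org": ["127.255.255.254"]}

if __name__ == "__main__":
    for name, replies in (("listed twice", LISTED_TWICE), ("whitelisted", WHITELISTED),
                          ("resolver error", RESOLVER_ERROR)):
        print(f"{name:15s} Louis: {postscreen_verdict(LOUIS_SITES, replies)}"
              f"  Bill: {postscreen_verdict(BILL_SITES, replies)}")
```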


RE: Calendar & Contacts

2017-12-27 Thread L . P . H . van Belle
Hai, 

Kopano with Nextcloud, z-push and webapp with files plugin rules here. 
Very good combo, a bit harder to set up, but very compatible with lots of 
different devices. 

Greetz, 

Louis


> -Original message-
> From: li...@merit.unu.edu 
> [mailto:owner-postfix-us...@postfix.org] On behalf of mj
> Sent: Wednesday 27 December 2017 10:54
> To: postfix-users@postfix.org
> Subject: Re: Calendar & Contacts
> 
> We're very happy with sogo. (https://sogo.nu/)
> 
> MJ
> 
> On 12/27/2017 08:40 AM, Philip Paeps wrote:
> > On 2017-12-27 13:08:44 (+1030), Mal wrote:
> >> Interested to hear from those running a Postfix(MTA)/Dovecot(IMAP) 
> >> combo on what contacts & calendar server projects they are having 
> >> success with.
> > 
> > I run Nextcloud.
> > 
> > It's implemented in PHP (of all things) so you definitely 
> want to lock 
> > it up in a jail.  It stores its data in a PostgreSQL database (or 
> > possibly other kinds of databases -- I haven't looked).
> > 
> > If you're on FreeBSD, you can install it in a fresh jail with `pkg 
> > install nextcloud`.  The documentation is fairly comprehensive.
> > 
> > Philip
> > 
> 
> 




RE: Question regarding use of amavisd-new

2017-12-13 Thread L . P . H . van Belle
No, I know it runs fine, after about 2-3 million emails processed, I know... 
Really... 
And no, I did not ignore him, but I want MailScanner and I want Postfix and not 
Exim. 

Did you even try it and test it? And if so, what did you encounter? 
I only found 1 thing and that's fixed: 
something with long queue IDs and releasing to MS Exchange servers; these did 
not arrive.
But again, that's fixed now. 


Greetz, 

Louis


> -Original message-
> From: john-post...@peachfamily.net 
> [mailto:owner-postfix-us...@postfix.org] On behalf of John Peach
> Sent: Wednesday 13 December 2017 16:56
> To: L.P.H. van Belle; Postfix users
> Subject: Re: Question regarding use of amavisd-new
> 
> On 12/13/2017 10:52 AM, L.P.H. van Belle wrote:
> > Hai,
> > 
> > 
> > MailScanner runs fine here for about 5-6 years now, with Postfix.
> > MailScanner + Postfix (postscreen) rules here :-)
> 
> You *think* it's been running fine. When the author of postfix 
> specifically warns against using it, it would be foolhardy to 
> ignore him.
> 
> > 
> > But if you want a quickie to test:
> > https://efa-project.org/  = MailScanner + mailwatch +... 
> Lots of extras.
> > 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > 
> > 
> >> -Original message-
> >> From: postfixlists-070...@billmail.scconsult.com
> >> [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole
> >> Sent: Wednesday 13 December 2017 16:46
> >> To: Postfix users
> >> Subject: Re: Question regarding use of amavisd-new
> >>
> >> On 13 Dec 2017, at 4:45 (-0500), Maarten wrote:
> >>
> >>> According to  their documentation using MailScanner with
> >> postfix works
> >>> too.
> >>>
> >>> https://www.mailscanner.info/postfix/
> >>
> >> Yes, and there's a link at the bottom of that page to the 
> postfix.org
> >> add-on page which specifically warns against MailScanner.
> >>
> >>> What would be the advantage to switching to something like
> >>> amavisd-new?
> >>
> >> The advantage to something that uses the SMTP Proxy 
> interface or the
> >> Milter interface is that you can trust that it won't be
> >> broken without
> >> warning or documentation in a future Postfix release. 
> Apart from the
> >> risk that it relies on Postfix not changing queue structures and
> >> behaviors which are explicitly unsupported and subject to change,
> >> MailScanner works directly with the Postfix queue in a way
> >> that Wietse
> >> has been saying for years is already not safe. I haven't 
> analyzed the
> >> Postfix queue-handling code (life is too short...) but I trust his
> >> judgment of safety in working with the Postfix queue over
> >> that of anyone
> >> who didn't write that code. The MailScanner argument
> >> (essentially that
> >> what they do doesn't break enough to notice) is entirely 
> unpersuasive.
> >>
> >> -- 
> >> Bill Cole
> >> b...@scconsult.com or billc...@apache.org
> >> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> >> Currently Seeking Steady Work: https://linkedin.com/in/billcole
> >>
> >>
> > 
> 
> 
> 
> 
> -- 
> John
> PGP Public Key: 412934AC
> 
> 



RE: Question regarding use of amavisd-new

2017-12-13 Thread L . P . H . van Belle
Hai, 


MailScanner runs fine here for about 5-6 years now, with Postfix. 
MailScanner + Postfix (postscreen) rules here :-) 

But if you want a quickie to test: 
https://efa-project.org/  = MailScanner + mailwatch +... Lots of extras. 


Greetz, 

Louis



> -Original message-
> From: postfixlists-070...@billmail.scconsult.com 
> [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole
> Sent: Wednesday 13 December 2017 16:46
> To: Postfix users
> Subject: Re: Question regarding use of amavisd-new
> 
> On 13 Dec 2017, at 4:45 (-0500), Maarten wrote:
> 
> > According to  their documentation using MailScanner with 
> postfix works 
> > too.
> >
> > https://www.mailscanner.info/postfix/
> 
> Yes, and there's a link at the bottom of that page to the postfix.org 
> add-on page which specifically warns against MailScanner.
> 
> > What would be the advantage to switching to something like 
> > amavisd-new?
> 
> The advantage to something that uses the SMTP Proxy interface or the 
> Milter interface is that you can trust that it won't be 
> broken without 
> warning or documentation in a future Postfix release. Apart from the 
> risk that it relies on Postfix not changing queue structures and 
> behaviors which are explicitly unsupported and subject to change,  
> MailScanner works directly with the Postfix queue in a way 
> that Wietse 
> has been saying for years is already not safe. I haven't analyzed the 
> Postfix queue-handling code (life is too short...) but I trust his 
> judgment of safety in working with the Postfix queue over 
> that of anyone 
> who didn't write that code. The MailScanner argument 
> (essentially that 
> what they do doesn't break enough to notice) is entirely unpersuasive.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
> 
> 



RE: Jessie - Stretch to jump on Postfix 3.x

2017-10-17 Thread L . P . H . van Belle
For me it was a good and easy upgrade from Jessie to Stretch. 
 
Things I needed to change/run were these: 
 
# for postfix 
postconf compatibility_level=2 && postfix reload 
 
# for ntp
sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery/restrict -4 default kod notrap nomodify nopeer noquery limited/g' /etc/ntp.conf
sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery/restrict -6 default kod notrap nomodify nopeer noquery limited/g' /etc/ntp.conf
 
And I did not like all the language messages from apt update in my logs (own 
repo). 
 
if [ ! -e /etc/apt/apt.conf.d/99disable-translations ]; then
    echo "Adding disable translations for apt"
    echo "Acquire::Languages \"none\";" > /etc/apt/apt.conf.d/99disable-translations
else
    echo "No modification needed (apt disable-translations)"
fi
 
But that's about it. 
 
Good luck in upgrading; this was for me, for you it may be different, that 
depends on the packages used. 
 
 
Greetz, 
Louis
 


From: mauri...@caloro.ch [mailto:owner-postfix-us...@postfix.org] On behalf of 
Maurizio Caloro
Sent: Tuesday 17 October 2017 10:40
To: 'Postfix Users'
Subject: Jessie - Stretch to jump on Postfix 3.x




Hello Together

I'm running Debian Jessie 8.9, and I am playing with the idea of upgrading the 
system 8.9 -> Stretch.

Are there any complications, or after the upgrade do I need to reconfigure the 
whole mailserver?

I see that Stretch is armed with Postfix 3.x

I know this is not a specific Postfix question, but I am interested to hear 
your experiences!

Regards

Mauri



RE: Trace spam activity on mail server

2017-05-02 Thread L . P . H . van Belle
Maybe it's handy to tell us the real domain name and IP involved in this problem? 
 
 


RE: Trace spam activity on mail server

2017-05-02 Thread L . P . H . van Belle
As far as I can see, your web site is the target, not your mail server.

I personally use: http://multirbl.valli.org/lookup/netlite.it.html 
About the same as MX Toolbox, but I did notice that the list of multirbl is 
much shorter when the domain name is used.
If I check with this hostname: mail.netlite.it (212.29.157.98) 
http://multirbl.valli.org/lookup/212.29.157.98.html 

DNSBL Blacklist Test Summary
IP based: 231 of 231 tests done. 
Domain based: 49 of 49 tests done. 
Result: not listed anywhere. 

You are running with out-of-date WordPress plugins. Checked a few.
That's asking for problems. Check your webserver logs for strange/out of the 
ordinary things. 

If you don't use mod_security, get it, learn it, install it and stop the 
WordPress abuse.

Greetz, 

Louis



> -Original message-
> From: dovecot_...@hotmail.com 
> [mailto:owner-postfix-us...@postfix.org] On behalf of Michael Segel
> Sent: Tuesday 2 May 2017 16:02
> To: Kevin A. McGrail
> CC: li...@lazygranch.com; Matteo Cazzador; postfix users
> Subject: Re: Trace spam activity on mail server
> 
> Just to follow up…
> I ran the check on his domain:
> https://mxtoolbox.com/domain/netlite.it/
> 
> Pretty clean, maybe a few things to fix, but he’s not on any 
> black list. 
> 
> I don’t know when he set up his domain, it could be that 
> Trend Micro blocked the IP block due to a previous tenant and 
> never took them off. 
> 
> Truthfully, I don’t use much more than Spamhaus these days. 
> in terms of RBLs.  
> 
> He’s not running an open relay and if there was a spammer on 
> his network, Spamhaus would have caught it too. Or someone else. 
> 
> Its not Matteo’s server and I suspect its Trend Micro. 
> 
> HTH
> 
> -Mike
> 
> > On May 2, 2017, at 8:56 AM, Kevin A. McGrail 
>  wrote:
> > 
> > On 5/2/2017 9:51 AM, Michael Segel wrote:
> >> You can run a check on your MX Server… there are a couple 
> of web sites that do this… and I think one or two will 
> identify the RBLs that include you.
> > One trick I use a lot when I have an infected machine on a 
> network or a customer with a problem is that I setup a 
> smarthost running a milter that runs the email through a spam 
> checker, logs the answer and then tempfails the emails.
> > 
> > Then I can analyze if there is an issue and do a silent 
> discard by subject or internal IP if we find a compromised 
> machine while letting everything else go through.
> > 
> > Regards,
> > KAM
> 
> 



RE: Optimising new system and postscreen questions

2017-05-01 Thread L . P . H . van Belle

And if you're running Debian you can set the min-cache-ttl. 

That bind is patched with: 
https://anonscm.debian.org/cgit/users/lamont/bind9.git/commit/?h=patches=84fa402750fab5cd887d357501e2896494ac551f


So you can set these if needed: 
min-cache-ttl 90;
min-ncache-ttl 90;


Greetz, 

Louis


> -Original message-
> From: si...@simonandkate.net 
> [mailto:owner-postfix-us...@postfix.org] On behalf of Simon Wilson
> Sent: Monday 1 May 2017 11:20
> To: Marco Pizzoli
> CC: Postfix users
> Subject: Re: Optimising new system and postscreen questions
> 
> - Message from Marco Pizzoli  -
> Date: Mon, 1 May 2017 11:18:30 +0200
> From: Marco Pizzoli 
> Subject: Re: Optimising new system and postscreen questions
>   To: si...@simonandkate.net
>   Cc: Postfix users 
> 
> 
> > Hello Simon,
> >
> >> The server runs local caching DNS BIND, so it's as quick as I can get
> >> it on the slow Internet connection we are on.
> >>
> >
> > I don't qualify myself expert enough to answer the rest of your points,
> > but for the DNS part I suggest you think about replacing BIND with
> > Unbound, as the DNS resolver. It has a property called min_ttl that
> > permits you to impose a minimum amount of TTL to the entries reported.
> > DNSBLs always have real low TTL values, on purpose. If you are fine with
> > relaxing this real-timeness, well by setting a value of i.e. 60/90
> > seconds it will permit you to reduce the network dependency.
> >
> > Worth a try.
> > Marco
> 
> Thanks Marco, I'll investigate that.  :)
> 
> Simon
> 
> --
> Simon Wilson
> M: 0400 12 11 16
> 
> 



RE: Postfix cannot start tls: handshake failure

2017-03-29 Thread L . P . H . van Belle
Sorry about that, I was thinking you're talking about the remote connecting to 
you. So, it's you to remote (so the smtp_tls settings). 

I did set this up for the client myself as well, but that is more about how 
official you need to have some things.

It's about the same; for the client setup I'm using: 
# TLS Client (outgoing)
smtp_tls_key_file = /etc/postfix/newreq.pem 
smtp_tls_cert_file = /etc/postfix/newcert.pem 
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_loglevel = 1

but I do use official certificates and then I do get the 
"Trusted TLS connection established" 

Maybe a tip: set up Let's Encrypt certificates, and test with that. 
Then you can see if you get the needed trusted connections. 


Greetz, 

Louis



> -Original message-
> From: webmas...@lshipping.info [mailto:owner-postfix-us...@postfix.org]
> On behalf of Den1
> Sent: Wednesday 29 March 2017 14:50
> To: postfix-users@postfix.org
> Subject: RE: Postfix cannot start tls: handshake failure
> 
> Hi Louis,
> 
> Thank you for your input, I appreciate. I have smtpd running OK with all
> the
> key_file, cert_file and so on. I was asking about smtp. These two are
> different :-)
> 
> 
> 
> 
> 
> --
> View this message in context:
> http://postfix.1071664.n5.nabble.com/Postfix-cannot-start-tls-handshake-
> failure-tp89684p89731.html
> Sent from the Postfix Users mailing list archive at Nabble.com.




RE: Postfix cannot start tls: handshake failure

2017-03-29 Thread L . P . H . van Belle
Yes, it is advisable to enable TLS.

What is your OS and Postfix version?

For example, I use Debian. 
And when you want to use: ca-certificates.crt 
you need to set it up as Debian expects, and it includes your cert in the 
ca-certificates.crt, so that's why I want to know the OS and version of Postfix. 

(Debian/Ubuntu setup) Read:  
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/ 

Next, read Postfix TLS: 
http://www.postfix.org/TLS_README.html 

The setup for TLS can differ a bit compared to versions 2.x and 3.x 

But this should be sufficient to start with. 

## TLS
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

And a test site for you. 
https://ssl-tools.net/mailservers 

and a nice site with stronger settings.
https://cipherli.st/ 

Hope that this helps you a bit further.


Greetz, 

Louis


> -Original message-
> From: webmas...@lshipping.info [mailto:owner-postfix-us...@postfix.org]
> On behalf of Den1
> Sent: Wednesday 29 March 2017 14:04
> To: postfix-users@postfix.org
> Subject: Re: Postfix cannot start tls: handshake failure
> 
> I was wondering is it actually advisable to use tls on smtp? When I tried
> it
> out with my self-signed certificates just to see if it's of any
> convenience
> to implement this feature I received the following response:
> 
> TLS required, but was not offered by host -or- we do not run TLS engine -
> or-
> certificate is not trusted
> 
> on
> 
> smtp_tls_security_level = encrypt -or- secure
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> 
> when I tried the following:
> 
> smtp_tls_security_level = may
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> 
> it simply went through without giving any "feedback" or warnings. My
> understanding also is that it just wasn't secure / encrypted with this
> 'may'
> so that's why it went through OK.
> 
> what about the rest of the settings of
> 
> smtp_tls_cert_file = -and-
> smtp_tls_key_file =
> 
> are they not required?
> 
> Could anyone comment on the above, please? Many thanks!
> 
> 
> 
> 
> 
> --
> View this message in context:
> http://postfix.1071664.n5.nabble.com/Postfix-cannot-start-tls-handshake-
> failure-tp89684p89727.html
> Sent from the Postfix Users mailing list archive at Nabble.com.




RE: postsceen and smtpd_recipients_restrictions

2017-02-27 Thread L . P . H . van Belle
He is listed multiple times. 

See: 
http://multirbl.valli.org/lookup/46.22.210.2.html  
Spamhaus (listed in DBL Advisory) (aerial.astogle.us.dbl.spamhaus.org) 

The remote server probably sends "listed at zen.spamhaus.org" but is using DBL 
also. 
https://www.spamhaus.org/dbl/ 


Greetz, 

Louis


> -Original message-
> From: wie...@porcupine.org [mailto:owner-postfix-us...@postfix.org] On behalf of
> wie...@porcupine.org
> Sent: Monday 27 February 2017 13:07
> To: Postfix users
> Subject: Re: postsceen and smtpd_recipients_restrictions
> 
> Den1:
> > Wietse Venema wrote
> > > Den1:
> > >> 22:19:13 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:58953
> to
> > >> [1.1.1.1]:25
> > >> 22:19:13 postfix/dnsblog[14391]: addr 46.22.210.20 listed by domain
> > >> zen.spamhaus.org as 127.0.0.3
> > >> 22:19:17 postfix/postscreen[14390]: DNSBL rank 1 for
> [46.22.210.20]:58953
> > >> 22:19:17 postfix/postscreen[14390]: DISCONNECT [46.22.210.20]:58953
> > >
> > > The client is listed at zen.spamhaus.org. The client does not talk to
> > > the Postfix SMTP daemon (smtpd).
> > >
> > >> 22:19:18 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:53440
> to
> > >> [1.1.1.1]:25
> > >> 22:19:22 postfix/postscreen[14390]: PASS NEW [46.22.210.20]:53440
> > >> 22:19:22 postfix/smtpd[14403]: connect from
> > >> construct.baladle.us[46.22.210.20]
> > >
> > > The client is NOT LISTED at zen.spamhaus.org, or more likely, you
> > > use multiple DNS servers, some of which get service from spamhaus.org,
> > > and some of which don't get service from spamhaus.org.
> > >
> > >   Wietse
> >
> > Thank you so much for your directions and guidance. I really do
> appreciate.
> 
> That's a nice way of saying you did not understand 99% of the reply.
> 
> > Although I am getting a bit lost. Is it possible for different clients
> to
> > have the same IP address in such a short period of time as per my logs
> > posted?
> 
> zen.spamhaus.org provides a service that depends the DNS client IP
> address. Low-volume DNS clients get free service, but high-volume
> DNS clients have to pay for a subscription.
> 
> For example, if you use the resolver at a big ISP, or a public
> service like 8.8.8.8 or 4.4.4.4, then zen.spamhaus.org won't work
> well for you, if at all.
> 
>   Wietse




RE: Strong Ciphers to use with Postfix

2017-02-17 Thread L . P . H . van Belle
Hai, 

It all depends on what you need and want. 

After monitoring for about a year, with or without encryption, 
I have found 0 unencrypted mail servers and a handful with SSLv2 or v3, 
which I simply don't allow anymore (the SSLv2/v3). 
Due to the Dutch "privacy laws" users are obligated to have/use encrypted lines, 
and a lot should be encrypted. 

So I prefer a high but compatible set. 
A setup like this: https://tls.imirhil.fr/smtp/mail.van-belle.nl  
My preferred site to check cipher sets.  
I'm also running Debian Jessie, Postfix 2.11.

And yes, there is always room for improvements, but my cipher check shows me 
the following and I'm happy with it. 

      2 TLSv1 with cipher AES256-SHA
      6 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
     13 TLSv1.2 with cipher AES256-SHA
     27 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA
     34 TLSv1.2 with cipher DHE-RSA-AES256-SHA256
    103 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
    302 TLSv1 with cipher DHE-RSA-AES256-SHA
    772 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
   2307 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
  11684 TLSv1 with cipher ECDHE-RSA-AES256-SHA


# Add these to log the ciphers used. 
smtp_tls_loglevel=1
smtpd_tls_loglevel=1

# check encrypted connections with: 
# grep "connection established from.*with cipher" /var/log/mail.log | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n 
# check for clear text connections:
# grep "connection established from" /var/log/mail.log | grep -v cipher | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n

# outgoing connections: smtp
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

# incoming connections: smtpd
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, 
    DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
#, RSA+AES
smtpd_tls_eecdh_grade = ultra



Greetz, 

Louis


> -Original message-
> From: domi...@timedicer.co.uk [mailto:owner-postfix-us...@postfix.org]
> On behalf of Dominic Raferd
> Sent: Friday 17 February 2017 16:05
> To: Postfix users
> Subject: Re: Strong Ciphers to use with Postfix
> 
> On 17 February 2017 at 14:43, Fazzina, Angelo 
> wrote:
> > Hi,
> > Here is how I am dealing with "weak ciphers"
> > You may be able to do the same type of config ?
> >
> >
> > In /etc/postfix/main.cf
> >
> >
> > # -ALF 2016-09-07
> > # disable RC4 ciphers with TLS connections.
> > #smtpd_tls_exclude_ciphers = RC4, aNULL
> > # -ALF 2017-01-09
> > # disable weak ciphers, and RC4 ciphers
> > smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4,
> aNULL
> > #-ALF 2107-01-09
> > # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> > #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-
> CBC3-SHA, RC4, aNULL
> >
> >
> >
> > -Angelo Fazzina
> > Operating Systems Programmer / Analyst
> > University of Connecticut,  UITS, SSG, Server Systems
> > 860-486-9075
> >
> > -Original Message-
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Daniel Bareiro
> > Sent: Friday, February 17, 2017 9:40 AM
> > To: Postfix users 
> > Subject: Strong Ciphers to use with Postfix
> >
> > Hi all!
> >
> > I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.
> >
> > I would like to know what you think of the security settings suggested
> > here [1] for Postfix.
> >
> > I have tested it against this [2] site, but it seems that fails to
> > discard other ciphers; on "Weak ciphers" I get "supported
> > RSA_WITH_RC4_128_SHA".
> >
> 
> As I have learned from here, if your MTA is receiving from the world
> or sending to the world there is little point in enforcing
> super-strong ciphers on the corresponding connection (smtpd or smtp).
> If you refuse all unencrypted communication, and only permit
> super-strong ciphers, you may not be able to receive or send some
> emails, because not all (even genuine) MTAs will support this; but
> otherwise if you only permit super-strong ciphers you will just get
> more unencrypted communication. Of course it is usually
> pointless/unwise to permit broken ciphers, but these are anyway
> disabled by default in postfix.

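As an added example (not from the post above), the cipher tally rebuilt in Python over constructed sample log lines: it matches the message text rather than awk field positions, keeps inbound smtpd and outbound smtp counts apart, and lists the peers that still negotiate TLSv1/TLSv1.1 or a cipher without forward secrecy, which is where the "room for improvements" in the tally sits. Hostnames and addresses are documentation values.

```python
import re
from collections import Counter

# Constructed sample log lines in the "connection established" format shown on
# this page; hostnames and addresses are documentation values.
SAMPLE_LOG = """\
Feb  7 00:00:16 mx1 postfix/smtpd[31726]: Untrusted TLS connection established from smtp1.example.nl[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:01:02 mx1 postfix/smtpd[31728]: Anonymous TLS connection established from mta.example.org[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Feb  7 00:01:30 mx1 postfix/smtp[31801]: Trusted TLS connection established to mail.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Feb  7 00:02:11 mx1 postfix/smtpd[31730]: connect from relay.example.net[192.0.2.77]
Feb  7 00:02:11 mx1 postfix/smtpd[31730]: Untrusted TLS connection established from relay.example.net[192.0.2.77]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb  7 00:03:45 mx1 postfix/smtpd[31733]: Verified TLS connection established from mx.example.edu[192.0.2.200]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Match on the message text, not on awk field positions, so the same parser
# works whatever the syslog prefix in front of "postfix/..." looks like.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# The versions the post already disables (SSLv2/3) plus the two 1.x versions
# that still show up in the tally above and are deprecated by RFC 8996.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_tls_line(line):
    """Return the fields of one TLS log line as a dict, or None for other lines."""
    m = TLS_LINE.search(line)
    return m.groupdict() if m else None


def has_forward_secrecy(cipher):
    """OpenSSL names: ECDHE-/DHE- suites use ephemeral key exchange, and every
    TLS 1.3 suite (TLS_...) does too; plain RSA key exchange (AES256-SHA) does not."""
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_"))


def cipher_tally(log_text):
    """Same result as the grep|awk|sort|uniq -c pipeline in the post, keyed by
    (daemon, protocol, cipher) so inbound smtpd and outbound smtp stay separate."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec:
            counts[(rec["daemon"], rec["proto"], rec["cipher"])] += 1
    return counts


def trust_tally(log_text):
    """How many sessions were Anonymous/Untrusted/Trusted/Verified, the level
    the handshake thread on this page refers to with 'Trusted TLS connection'."""
    return Counter(rec["trust"] for rec in map(parse_tls_line, log_text.splitlines()) if rec)


def legacy_peers(log_text):
    """Peers that negotiated an old protocol or a cipher without forward secrecy,
    mapped to the reasons; these are the ones to look at before tightening
    smtp(d)_tls_protocols or the exclude lists."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if not rec:
            continue
        reasons = []
        if rec["proto"] in LEGACY_PROTOCOLS:
            reasons.append("old-protocol")
        if not has_forward_secrecy(rec["cipher"]):
            reasons.append("no-pfs")
        if reasons:
            findings[rec["peer"]] = reasons
    return findings


if __name__ == "__main__":
    for key, n in sorted(cipher_tally(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{n:6d} {key[0]:5s} {key[1]} with cipher {key[2]}")
    print(dict(trust_tally(SAMPLE_LOG)))
    print(legacy_peers(SAMPLE_LOG))
```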



RE: SPF entries for IPv4 & IPv6

2017-01-02 Thread L . P . H . van Belle

No MX lookup in the SPF? 

Why not:
mail.example.org.   TXT "v=spf1 mx ip4:1.2.3.4 ip6:: -all"

And why no A record?  
Every host in your DNS with an A record can send, which is not (always) what you want.

For example: www.example.org, and now your server gets compromised and is 
spamming...  

Which is all allowed by: "v=spf1 a -all". 

And if you need an A: 
mail.example.org.   TXT "v=spf1 mx A:hostname.domain.tld -all"
which also covers AAAA lookups. 

Just my suggestion. 
And best is also to read: https://tools.ietf.org/html/rfc7208#section-2.3 


Greetz, 

Louis




> -Original message-
> From: s...@andreasschulze.de [mailto:owner-postfix-us...@postfix.org] On behalf of
> A. Schulze
> Sent: Monday 2 January 2017 16:42
> To: postfix-users@postfix.org
> Subject: Re: SPF entries for IPv4 & IPv6
> 
> 
> 
> Am 02.01.2017 um 14:18 schrieb Sebastian Nielsen:
> > OFC you must specify both unless you have completely disabled sending of
> outgoing mail via IPv6.
> 
> I think that's wrong.
> 
> One may publish records like "v=spf1 a -all" for a host mail.example.org
> 
> mail.example.org. A    192.0.2.25
> mail.example.org. AAAA 2001:db8::6:25
> mail.example.org. TXT  "v=spf1 a -all"
> 
> This requires two or three DNS lookups (1x TXT, 1x A and 1x AAAA depending
> on the SPF implementation).
> 
> To save lookups and make the authentication more robust it's also possible
> to specify the addresses explicitly:
> 
> mail.example.org. A    192.0.2.25
> mail.example.org. AAAA 2001:db8::6:25
> mail.example.org. TXT  "v=spf1 ip4:192.0.2.25 ip6:2001:db8::6:25 -all"
> 
> This way one minimizes the need for a receiver to do "many" lookups. You
> give the receiver all information with the first answer and thus have a
> higher chance the SPF authentication will succeed.
> 
> (hope no typo above...)
> 
> Andreas

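Added example, not from the thread: a minimal SPF check_host() over a constructed zone (the example.org records quoted above plus two hypothetical names, direct.example.org and byname.example.org) that reports how many DNS lookups each record form costs the receiver, the trade-off between "a"/"mx" and explicit ip4/ip6 that Andreas and Louis discuss. It covers only the mechanisms the thread uses; include, redirect, macros and CIDR suffixes are left out.

```python
import ipaddress

# Constructed zone data modelled on the records quoted in the thread; keys are
# (name, rrtype).  direct/byname are hypothetical names added for the comparison.
ZONE = {
    ("mail.example.org", "A"): ["192.0.2.25"],
    ("mail.example.org", "AAAA"): ["2001:db8::6:25"],
    ("mail.example.org", "TXT"): ["v=spf1 a -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("example.org", "TXT"): ["v=spf1 mx -all"],
    ("direct.example.org", "TXT"): ["v=spf1 ip4:192.0.2.25 ip6:2001:db8::6:25 -all"],
    ("byname.example.org", "TXT"): ["v=spf1 mx A:mail.example.org -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying mechanisms


class Resolver:
    """Stub resolver over a zone dict that counts queries, so each evaluation
    can report what a record form costs the receiving side."""

    def __init__(self, zone):
        self.zone = zone
        self.lookups = 0

    def query(self, name, rrtype):
        self.lookups += 1
        return list(self.zone.get((name.lower(), rrtype), []))


def _host_has_address(resolver, host, client_ip):
    """The 'a' test: an A record (IPv4 client) or AAAA record (IPv6 client)
    of host equal to the client address."""
    rrtype = "A" if client_ip.version == 4 else "AAAA"
    return any(ipaddress.ip_address(r) == client_ip for r in resolver.query(host, rrtype))


def check_host(resolver, domain, client_ip):
    """Minimal RFC 7208 check_host() for the mechanisms in the thread: all,
    ip4, ip6, a[:host], mx[:domain].  Returns (result, lookups_used).
    Assumption: no include/redirect, macros or CIDR suffixes on a/mx."""
    client_ip = ipaddress.ip_address(client_ip)
    records = [t for t in resolver.query(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none", resolver.lookups
    if len(records) > 1:
        return "permerror", resolver.lookups
    dns_terms = 0
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a network of the other address family never contains client_ip
            matched = client_ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            dns_terms += 1
            if dns_terms > MAX_DNS_TERMS:
                return "permerror", resolver.lookups
            target = arg or domain
            if mech == "a":
                matched = _host_has_address(resolver, target, client_ip)
            else:
                matched = any(_host_has_address(resolver, mx, client_ip)
                              for mx in resolver.query(target, "MX"))
        else:
            return "permerror", resolver.lookups  # mechanism not supported here
        if matched:
            return QUALIFIERS[qualifier], resolver.lookups
    return "neutral", resolver.lookups  # nothing matched and no 'all' term


def evaluate(domain, client_ip, zone=ZONE):
    """Fresh counting resolver per evaluation; returns (result, lookups_used)."""
    return check_host(Resolver(zone), domain, client_ip)


if __name__ == "__main__":
    for dom in ("direct.example.org", "example.org", "mail.example.org", "byname.example.org"):
        print(f"{dom:20s} v4: {evaluate(dom, '192.0.2.25')}  v6: {evaluate(dom, '2001:db8::6:25')}")
```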



RE: request improved logging for postfix.

2016-12-21 Thread L . P . H . van Belle
Hello Noel, 

Would you please stop saying that I'm labeling... I'm not.
Sorry, I'm so bad at explaining things in English.

I'm just trying to explain something based on what I read here:
http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname 
reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
Reject the request when the HELO or EHLO hostname has no DNS A or MX record.

Here the "POSTFIX MANUAL" states  >  "HELO or EHLO hostname"   <<
So I think we misunderstand each other. 

I know a "helo hostname" is just a name which refers to an A, AAAA or MX record 
and the MX must refer to any A or AAAA.
I know it's not client-hostname or helo-hostname. 

It's "helo " and maybe that should be better in the manual. 
As long as it has a DNS A or MX record. (as stated by RFC 5321 2.3.5) 

> Postfix mostly ignores the helo name.  You should too.
Why? In my opinion this is very bad advice. 

This is why I enforce a correct "HELO or EHLO hostname".
And it's as the Postfix manual states:
Rejecting the request when the HELO or EHLO hostname has no DNS A or MX record. 
Exactly what I need. 

RFC 5321 section 2.3.5 states: 
   The domain name, as described in this document and in RFC 1035 [2],
   is the entire, fully-qualified name (often referred to as an "FQDN").
   A domain name that is not in FQDN form is no more than a local alias.
   Local aliases MUST NOT appear in any SMTP transaction.

   Only resolvable, fully-qualified domain names (FQDNs) are permitted
   when domain names are used in SMTP.  In other words, names that can
   be resolved to MX RRs or address (i.e., A or AAAA) RRs (as discussed
   in Section 5) are permitted, as are CNAME RRs whose targets can be
   resolved, in turn, to MX or address RRs.  Local nicknames or
   unqualified names MUST NOT be used.


Now I just was not happy with some logging parts, but you explained it all and 
for me it's ok.
I know what to do now to make things better in my logs for my colleagues,
so they can take over some things when I'm on holiday.


Thanks all for the replies. 
And sorry for the badly chosen words and misunderstandings. 

Best regards, 

Louis


> -Original message-
> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Noel Jones
> Sent: Tuesday 20 December 2016 17:50
> To: postfix-users@postfix.org
> Subject: Re: request improved logging for postfix.
> 
> On 12/20/2016 3:17 AM, L.P.H. van Belle wrote:
> >
> > postfix/ [smtp/smtpd/postscreen]  show [client-hostname or unknown] IP
> >
> > (*always unknown if A/PTR mismatches in client hostname OR helo
> > hostname)
> 
> Labeling a client as unknown has nothing to do with the helo name.
> 
> See the description for reject_unknown_client_hostname for the
> conditions when a client is labeled unknown.
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> 
> Postfix mostly ignores the helo name.  You should too.
> 
> 
>   -- Noel Jones




RE: request improved logging for postfix.

2016-12-20 Thread L . P . H . van Belle
Thank you Noel, again :-) 

Based on my log lines I found that: 

postfix/ [smtp/smtpd/postscreen]  show [client-hostname or unknown] IP  
(*always unknown if A/PTR mismatches in client hostname OR helo hostname)

postfix/ cleanup  (header Received) show from helo-hostname (client-hostname [IP]) 

Any I missed? 

Thank you for this one. 
check_client_access static:INFO 
That's very useful for me.

Now, big thread for a small thing, I hope lots of others profit from it. :-) 

Greetings, 

Louis

> -Original message-
> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Noel Jones
> Sent: Monday 19 December 2016 17:43
> To: postfix-users@postfix.org
> Subject: Re: request improved logging for postfix.
> 
> On 12/19/2016 3:31 AM, L.P.H. van Belle wrote:
> 
> >
> > So when everything is setup correct the helo and hostname are shown
> > in the logs,
> 
> On a normal, accepted connection, the HELO name is never shown in
> the logs.  The client is identified by the source IP and port and
> verified client hostname if available.  The HELO name is only logged
> with a rejection or error.
> 
> The HELO name is recorded in the Received: header added to mail.
> 
> If you want to always see the HELO in the logs, you can force a log
> entry with "check_client_access static:INFO" in your
> smtpd_recipient_restrictions.
> 
> something like:
> # main.cf
> smtpd_recipient_restrictions =
>   check_client_access static:INFO
>   ... other checks ...
> 
> 
>   -- Noel Jones



RE: request improved logging for postfix.

2016-12-19 Thread L . P . H . van Belle
Hai, 

Well, thank you Noel, 
This makes much more sense now.

I was misled by the log messages of postfix. 
My own server has an A/PTR for the hostname and A/MX for the helo name. 
This is the confusing part, at least it was for me.
The logs showed me: 

postfix/smtpd[29331]: connect from core.van-belle.nl[149.210.206.148]

and 

Dec 19 09:46:36 mailhopper postfix/cleanup[29334]: 451A6FF071: hold: header 
Received: from mail.van-belle.nl (core.van-belle.nl [149.210.206.148])  ... etc 
??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 
bits))??(Client did not present a certificate)??by mailhopper.ba from 
core.van-belle.nl[149.210.206.148]; from= 
to= proto=ESMTP helo=

The: 
connect from hostname.fqdn[ip]  
and: 
hold: header Received: from mail.van-belle.nl (core.van-belle.nl [149.210.206.148])  

and here it also shows mail.van-belle.nl, the helo name, and the host.fqdn[ip]

Since I always saw: mail.van-belle.nl (core.van-belle.nl [149.210.206.148]) 
I was under the impression postfix was logging helo hostnames also, like the 
client name. 
Which explains all the confusion on my side.

> No fixes are necessary, other than maybe I should write a tutorial
> on reading logs.

Very good idea, the part you explained is a good one, and that will help others 
also. 
Due to this logging I am/was having discussions. Now... this helps a lot. Thank 
you so much.

So when everything is set up correctly the helo and hostname are shown in the 
logs, 
but with errors it refers only back to the client name. 
Why is this? 

Best regards, 

Louis

> -Original message-
> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Noel Jones
> Sent: Friday 16 December 2016 16:56
> To: postfix-users@postfix.org
> Subject: Re: request improved logging for postfix.
> 
> On 12/16/2016 5:13 AM, L.P.H. van Belle wrote:
> 
> > Maybe I'm totally incorrect here so correct me if needed.
> 
> Yes.
> 
> > Now, I'm running Debian Wheezy, postfix ( debian backport )
> > 2.11.2-1~bpo70+1. Kernel : 3.2.82-1
> >
> > I’ve increased the debug level in postfix for the domains.
> 
> Don't use debug logging. Everything you need is in the normal
> logging, and the extra noise just confuses you.
> 
> 
> > Dec 16 08:47:31 mailhopper postfix/smtpd[16089]: warning: hostname
> > sweeper.stater.com does not resolve to address 193.172.8.206: Name
> > or service not known
> >
> > Dec 16 08:47:32 mailhopper postfix/smtpd[16089]: NOQUEUE: reject:
> > RCPT from unknown[193.172.8.206]: 554 5.7.1 :
> > Helo command rejected: Host not found; from=
> > to= proto=ESMTP helo=
> >
> > This part :
> >
> > hostname sweeper.stater.com does not resolve to address
> > 193.172.8.206  which is totally correct.
> >
> 
> No, the warning: message always refers to the CLIENT hostname, and
> is giving you the reason the CLIENT is labeled as "unknown".
> 
> 
> > The line (part of the rejected incoming )
> >
> > ...  NOQUEUE: reject: RCPT from unknown[193.172.8.206]: 554 5.7.1
> > 
> >
> > More consistent would be :
> >
> > unknown([193.172.8.206]): 554 5.7.1 
> >
> > Or with correct A/PTR  but incorrect helo
> 
> But the A/PTR is not correct, as logged earlier.  That is the reason
> the client is labeled unknown. 
> 
> 
> > Too many people are confused by the “unknown” since it can be 2 things:
> >
> > Unknown CLIENT hostname
> >
> > Unknown HELO hostname
> 
> No, the "unknown" always refers to the client, unless it's in the
> descriptive text of a reject message.
> 
> 
> ... reject: {smtp stage} from {client hostname/unknown}[{ipaddr}]:
> {reject code} {extended code}; {descriptive text}
> 
> Notice the HELO name is never listed other than in the descriptive
> text if HELO is the reason for rejection.
> 
> 
> >
> > Which gives discussions on the fixes.
> 
> No fixes are necessary, other than maybe I should write a tutorial
> on reading logs.
> 
> 
> 
>   -- Noel Jones
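To make Noel's description of the reject-line layout concrete, here is an added example (not Postfix code and not from the thread) that parses constructed smtpd lines and ties an "unknown" client label back to the warning line that explains it; the log lines, hostnames and addresses are constructed.

```python
"""Parse Postfix smtpd reject and client-hostname warning lines into records.

Encodes the layout described in the thread,
  ... reject: {stage} from {client-hostname|unknown}[{ip}]: {code} {ecode}
  {text}; from=<...> to=<...> proto=... helo=<...>
and the rule that "unknown" is always the CLIENT label (the preceding
"warning: hostname X does not resolve to address IP" line gives the reason),
while the HELO name only shows up in the descriptive text and the helo=<>
field. Sample lines are constructed (example domains, RFC 5737 addresses).
"""
import re
from collections import Counter

PREFIX = (r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
          r"postfix/(?P<daemon>\w+)\[(?P<pid>\d+)\]: ")

REJECT_RE = re.compile(
    PREFIX
    + r"(?P<qid>\w+): reject: (?P<stage>\w+) from (?P<client>[^\[ ]+)\[(?P<ip>[^\]]+)\]: "
    + r"(?P<code>\d{3}) (?P<ecode>\d\.\d+\.\d+) (?P<text>.*?); "
    + r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$"
)

WARNING_RE = re.compile(
    PREFIX + r"warning: hostname (?P<ptr_name>\S+) does not resolve to address "
    r"(?P<ip>\S+): (?P<reason>.*)$"
)

SAMPLE_LOG = [
    # Constructed: PTR name does not forward-confirm, then the HELO is rejected.
    "Dec 16 08:47:31 mailhopper postfix/smtpd[16089]: warning: hostname mx.example.net "
    "does not resolve to address 192.0.2.10: Name or service not known",
    "Dec 16 08:47:32 mailhopper postfix/smtpd[16089]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <mx.example.net>: Helo command rejected: Host not found; "
    "from=<sender@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>",
    # Constructed: verified client name, rejected for an unrelated reason.
    "Dec 16 09:02:05 mailhopper postfix/smtpd[16102]: NOQUEUE: reject: RCPT from "
    "host.example.com[198.51.100.5]: 554 5.7.1 <user@other.example>: Relay access denied; "
    "from=<a@example.com> to=<user@other.example> proto=ESMTP helo=<host.example.com>",
    "Dec 16 09:02:06 mailhopper postfix/smtpd[16102]: disconnect from host.example.com[198.51.100.5]",
]


def parse_line(line):
    """Return a dict for a reject or client-hostname warning line, else None."""
    m = REJECT_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "reject"
        rec["client_unknown"] = rec["client"] == "unknown"
        rec["helo_rejected"] = "Helo command rejected" in rec["text"]
        return rec
    m = WARNING_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "client_warning"
        return rec
    return None


def correlate(lines):
    """Return reject records; an 'unknown' client gets the PTR name from the
    warning logged earlier by the same smtpd process for the same IP."""
    pending = {}  # (pid, ip) -> PTR name that failed forward confirmation
    rejects = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "client_warning":
            pending[(rec["pid"], rec["ip"])] = rec["ptr_name"]
        else:
            rec["unknown_reason"] = (pending.pop((rec["pid"], rec["ip"]), None)
                                     if rec["client_unknown"] else None)
            rejects.append(rec)
    return rejects


def reject_summary(lines):
    """Count rejects per (client label, HELO name): two different identities,
    of which the reject line itself names only the client."""
    return Counter((r["client"], r["helo"]) for r in correlate(lines))
```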

 

 

 



request improved logging for postfix.

2016-12-16 Thread L . P . H . van Belle
Hello, 

After the message from yesterday, I'm asking if the postfix logging can be 
changed, 
to improve the logging and give a better, more clear reject message. 

A small change maybe, I don't know, I'll show what I mean below. 
Maybe I'm totally incorrect here so correct me if needed. 

Now, I'm running Debian Wheezy, postfix (debian backport) 2.11.2-1~bpo70+1. 
Kernel: 3.2.82-1  
I've increased the debug level in postfix for the domains.

I'm seeing the following:
Time: 08:34: me be...@bazuin.nl sending to serviced...@stater.com 

Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 220-sweeper.stater.com ESMTP
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 220 Connection is logged and abuse will be reported...
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: EHLO mailhopper.bazuin.nl
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-sweeper.stater.com
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-8BITMIME
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-SIZE 52428800
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250 STARTTLS
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: STARTTLS
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 220 Go ahead with TLS
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: send attr cache_id = smtp&193.172.8.206&&4DFEB04581B7B5FE02EE5DA3C09609BF6F53AC5A02666E3BE4556ED143A51345
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: send attr cache_id = smtp&193.172.8.206&&4DFEB04581B7B5FE02EE5DA3C09609BF6F53AC5A02666E3BE4556ED143A51345
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: Untrusted TLS connection established to sweeper2.stater.com[193.172.8.206]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: EHLO mailhopper.bazuin.nl
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-sweeper.stater.com
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250-8BITMIME
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250 SIZE 52428800
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: MAIL FROM: SIZE=19695
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250 sender  ok
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: RCPT TO:
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 250 recipient  ok
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: > sweeper2.stater.com[193.172.8.206]:25: DATA
Dec 16 08:34:39 mailhopper postfix/smtp[15288]: < sweeper2.stater.com[193.172.8.206]:25: 354 go ahead

Now, here is an inconsistency of logging (I think) by postfix. 
I point to this line:  sweeper2.stater.com[193.172.8.206]:25: 220-sweeper.stater.com ESMTP  
More consistent would be (sweeper2.stater.com[193.172.8.206]):25: 220-sweeper.stater.com ESMTP  
Or without A/PTR for the client name: (unknown[193.172.8.206]):25: 220-sweeper.stater.com ESMTP 

At time: 08:47: reply from stater.com to me but rejected as it should be. 
Dec 16 08:47:31 mailhopper postfix/smtpd[16089]: warning: hostname sweeper.stater.com does not resolve to address 193.172.8.206: Name or service not known
Dec 16 08:47:32 mailhopper postfix/smtpd[16089]: NOQUEUE: reject: RCPT from unknown[193.172.8.206]: 554 5.7.1 : Helo command rejected: Host not found; from= to= proto=ESMTP helo=

This part: 
hostname sweeper.stater.com does not resolve to address 193.172.8.206  which is 
totally correct.
But it would be nicer to set:
“helo hostname sweeper.stater.com does not resolve to address 193.172.8.206“  

The line (part of the rejected incoming) 
...  NOQUEUE: reject: RCPT from unknown[193.172.8.206]: 554 5.7.1 

More consistent would be:  
unknown([193.172.8.206]): 554 5.7.1 
Or with correct A/PTR but incorrect helo 
unknown(sweeper2.stater.com[193.172.8.206]): 554 5.7.1 

You see the small () changes all together..: 
unknown[193.172.8.206]: 554 5.7.1 
unknown([193.172.8.206]): 554 5.7.1 
unknown(sweeper2.stater.com[193.172.8.206]): 554 5.7.1 

Too many people are confused by the “unknown” since it can be 2 things:
Unknown CLIENT hostname
Unknown HELO hostname
Which gives discussions on the fixes. 

Also what I don't get here is the postfix message.
NOQUEUE: reject: RCPT 

RE: DNS round robin on helo?

2016-12-15 Thread L . P . H . van Belle
Hai, 

First, sorry to have the IPs and name anonymized, I had to do that.
I can't expose details until I have first talked to the company in question. 
That's the moral thing to do, in my belief.
And I need to be sure that I tell the right info when I do that. 

The "helo=" space was a copy-paste error, sorry I missed that one. 
The main reason is posted, and sorry about my English, it's not my native language.  
I needed to understand this situation a bit more. 
What is allowed by RFC. After reading the RFC, in English, it wasn't clear enough. 

I dug a bit more and I found that. 

I found https://tools.ietf.org/html/rfc5321#section-2.3.5 
Only resolvable, fully-qualified domain names (FQDNs) are permitted
   when domain names are used in SMTP.  In other words, names that can
   be resolved to MX RRs or address (i.e., A or AAAA).. 

So, and I'm not asking for help to solve this, but I'm asking whether my interpretation of 
the RFC is correct. 

The problem server setup is as follows.
2 servers; their PTR records refer to the helo hostname, the same name 
(mx1.domain.tld).
The helo hostname (mx1) has no A record but the helo is defined as an MX record.
As are mx2.domain.tld and mx3.domain.tld; both have an A record and PTR record.

Now my server is rejecting any incorrect helo hostnames. Because the RFC states: 
"names that can be resolved to MX RRs or address (i.e., A or AAAA.."
And due to legal reasons I must correctly identify the sending server.

I do enforce most RFC parts, but I don't reject incorrect client hostnames 
due to for example missing PTR records, and my customers don't have to make much 
trouble to make that work, a simple A record in the DNS is sufficient.
A few big providers here dropped their relay which made a mess in mailing, lots 
of misconfiguration, so I don't reject incorrect client hostnames, and for 
customers it's much harder to set the PTR record, that takes too much time at most 
providers. After adding the A record it mostly works again within an hour. 

I believe this client is rejected due to a missing A record on the MX record.
A change of the helo hostname to the client hostnames solves it and makes them 
fully RFC compliant in my opinion.

So the question is, is the RFC interpretation correct this way?

And be nice, I'm asking this because I'm always helping our customers to make 
more RFC compliant setups because it simply makes everyone happy. 

Now that you ended here.., thank you for reading it all. :-) 
And Viktor, if help is needed next time, I'll post the complete log, OK. 

Best regards, 

Louis





> -Original message-
> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Noel Jones
> Sent: Thursday 15 December 2016 18:40
> To: postfix-users@postfix.org
> Subject: Re: DNS round robin on helo?
> 
> On 12/15/2016 10:01 AM, L.P.H. van Belle wrote:
> ...
> > I looks to me and incorrect implementation, what do you guys think.
> ...
> 
> All this is allowed, legal, and unsurprising.
> 
> Not everything that is allowed is wise. Ideally, each host (or each
> connection on a multi-homed host) should have its own unique
> hostname/A/PTR/HELO for mail, with higher lever MX records listing
> all of them. If this is not your server, there is nothing to
> complain about.
> 
> If their HELO name really has a trailing space, that would be a
> config error.  But config errors on HELO names are not unusual.
> 
> 
> 
>   -- Noel Jones
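As an added example (not Postfix code, not from the thread), the Python below models the client label and the HELO checks from the smtpd_helo_restrictions used in this thread against a constructed DNS table, covering the cases discussed: a round-robin name with two A records, and a HELO name that only appears as an MX target. The DNS table, the pcre entries and the forward-confirmation rule (any A/AAAA record of the PTR name may match) are assumptions of this simplified model.

```python
"""Simplified model of the Postfix client-name label and HELO checks.

The client label is the PTR name when it forward-confirms, else "unknown"
(which is what the log shows). HELO checks run in the order posted in the
thread: check_helo_access pcre, reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname.
"""
import ipaddress
import re

# Constructed zone data (RFC 5737 addresses) mirroring the thread's cases:
#  - host.domain.tld is a round-robin name with two A records, each with a PTR
#  - mx1.domain.tld is only an MX *target* and has no A/AAAA/MX of its own
#  - 192.0.2.10 has a PTR whose forward lookup does not contain 192.0.2.10
DNS = {
    ("domain.tld", "MX"): ["mx1.domain.tld", "mx2.domain.tld"],
    ("mx2.domain.tld", "A"): ["192.0.2.20"],
    ("host.domain.tld", "A"): ["192.0.2.43", "198.51.100.206"],
    ("43.2.0.192.in-addr.arpa", "PTR"): ["host.domain.tld"],
    ("206.100.51.198.in-addr.arpa", "PTR"): ["host.domain.tld"],
    ("20.2.0.192.in-addr.arpa", "PTR"): ["mx2.domain.tld"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["host.domain.tld"],
}

# Emulation of a hypothetical check_helo_access pcre: table; as in Postfix,
# the first matching pattern wins.
HELO_PCRE = [
    (re.compile(r"^localhost(\.localdomain)?$", re.I), "554 Don't use my own hostname"),
    (re.compile(r"^\[?127\.0\.0\.1\]?$"), "554 Don't use my own IP address"),
]

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def lookup(name, rtype):
    return DNS.get((name.rstrip(".").lower(), rtype), [])


def client_label(ip):
    """Return (label, reason): the forward-confirmed PTR name, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    ptrs = lookup(addr.reverse_pointer, "PTR")
    if not ptrs:
        return "unknown", f"no PTR record for {ip}"
    name = ptrs[0]
    rtype = "AAAA" if addr.version == 6 else "A"
    # Model assumption: any of the name's address records may match the client.
    if addr in [ipaddress.ip_address(a) for a in lookup(name, rtype)]:
        return name, "PTR name forward-confirmed"
    return "unknown", f"hostname {name} does not resolve to address {ip}"


def helo_checks(helo):
    """Return the first rejection text, or None when every check passes."""
    for pattern, action in HELO_PCRE:                 # check_helo_access pcre:
        if pattern.search(helo):
            return "check_helo_access: " + action
    if helo.startswith("[") and helo.endswith("]"):   # address literal [1.2.3.4]
        try:
            ipaddress.ip_address(helo[1:-1])
            return None
        except ValueError:
            return "reject_invalid_helo_hostname: bad address literal"
    labels = helo.split(".")
    if not all(LABEL.match(l) for l in labels):       # reject_invalid_helo_hostname
        return f"reject_invalid_helo_hostname: {helo}: Helo command rejected: Invalid name"
    if len(labels) < 2:                               # reject_non_fqdn_helo_hostname
        return f"reject_non_fqdn_helo_hostname: {helo}: Helo command rejected: need fully-qualified hostname"
    # reject_unknown_helo_hostname: the HELO name itself must own an A, AAAA or MX RR.
    if not (lookup(helo, "A") or lookup(helo, "AAAA") or lookup(helo, "MX")):
        return f"reject_unknown_helo_hostname: {helo}: Helo command rejected: Host not found"
    return None
```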




RE: DNS round robin on helo?

2016-12-15 Thread L . P . H . van Belle
Hello Noel/Jim, 

Thank you for the replies. 

OK, that's clear, so multiple A are allowed but I think it's the other way around here. 
I'll explain a bit more. 

I did also run that way, one host with multiple IPs, but both IPs have a different 
helo name to match A/PTR and MX records with it.
But this customer has 1 helo hostname (A) and multiple IPs; to me this looks 
like a mess. 

This is what I see for this customer for the PTR. 
43.22.aa.bb.in-addr.arpa. 1398  IN    PTR host.domain.tld. 
206.8.xx.yy.in-addr.arpa. 81644 IN    PTR host.domain.tld.

The MX setup. 
MX 10 host.domain.tld
MX 20 host2.domain.tld
MX 30 host3.domain.tld

A domain test with this site: https://ssl-tools.net/mailservers 
did find the MX 20 and 30 but not the MX 10 server

host.domain.tld.     30      IN  A   bb.aa.22.43
host.domain.tld.     30      IN  A   yy.xx.8.206
host2.domain.tld.    3347    IN  A   yy.xx.8.206
host3.domain.tld.    2032    IN  A   bb.aa.22.43

2 completely different IP addresses from different providers. 
3 hostnames. 

The exact log lines: 

warning: hostname host.domain.tld does not resolve to address bb.aa.22.43: Name or service not known 
connect from unknown[bb.aa.22.43]
Untrusted TLS connection established from unknown[bb.aa.22.43]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Policy action=PREPEND Received-SPF: pass ... (censored)  identity (mechanism 'a:host3.domain.tld matched))

And this is really OK? host3.domain.tld matched. 

I hardly have problems with rejecting legit servers.
It looks to me like an incorrect implementation, what do you guys think. 

@Jim, 
> Your starting assumption is wrong or mistaken. If the postfix logs are saying 
> "unknown[1.2.3.4]” it means reverse lookups of that IP address are not 
> returning a hostname.

And this is not because it resolves back to the other IP. I tested the PTRs and 
these are OK. 

And gmail, yahoo, hotmail etc etc, never any problems with them.
Even with having these in my setup.

smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,

Best regards, 

Louis

> -Original message-
> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Noel Jones
> Sent: Thursday 15 December 2016 16:20
> To: postfix-users@postfix.org
> Subject: Re: DNS round robin on helo?
> 
> On 12/15/2016 8:56 AM, L.P.H. van Belle wrote:
> > Hello,
> >
> > I couldn't find this on the internet and I was thinking, the postfix
> > list will know this.
> >
> > Customer sends email which is rejected by my server.  I think that
> > is correctly rejected.
> >
> > Now I dug into this and I found the following but I don't know if
> > this is allowed by RFC.
> >
> > To me this should not be done but if someone can confirm this, that
> > would make me happy.
> >
> > Log part
> >
> > Dec 15 14:22:23 mailrelay postfix/smtpd[3361]: NOQUEUE: reject: RCPT
> > from unknown[1.2.3.4]: 554 5.7.1 ,: Helo command
> > rejected: Host not found; from=<@DOMAIN2.TLD2>
> > to= proto=ESMTP helo=
> >
> 
> The message was rejected because the HELO name had no A nor MX
> record *at that time*.
> 
> Hosts are allowed to have multiple A records, but the client may be
> labeled as "unknown" because postfix won't walk through all possible
> hostname/IP combinations looking for a match.
> 
> Many legit hosts will fail reject_unknown_helo_hostname.  Use with
> caution.
> 
> 
>   -- Noel Jones




DNS round robin on helo?

2016-12-15 Thread L . P . H . van Belle
Hello, 

I couldn't find this on the internet and I was thinking, the postfix list will 
know this. 
Customer sends email which is rejected by my server.  I think that is 
correctly rejected. 

Now I dug into this and I found the following but I don't know if this is 
allowed by RFC. 
To me this should not be done but if someone can confirm this, that would make 
me happy. 

Log part 
Dec 15 14:22:23 mailrelay postfix/smtpd[3361]: NOQUEUE: reject: RCPT from 
unknown[1.2.3.4]: 554 5.7.1 ,: Helo command rejected: Host not 
found; from=<@DOMAIN2.TLD2> to= proto=ESMTP 
helo=

What I found is that the helo hostname is correctly set, but the strange thing: 

Ping host.domain.tld 
result : 1.2.3.4   

Ping host.domain.tld 
result : 4.3.2.1  

So the hostname resolves to 2 IP numbers.  
Both IP numbers have a PTR record.

Now the thing I don't get. 

1)   if both IP numbers have a hostname, why do I see: unknown[1.2.3.4]
2)   are round robin A records for mail allowed? 

Thank you in advance. 

Greetz, 

Louis



RE: regexp for allowing helo host

2016-11-16 Thread L . P . H . van Belle
Hai Florian, 

No, that is due to my setup with the mailscanner antispam behind it.

Just give those sites a good read, and then adjust the config to your needs. 

Running a caching DNS on that server helps DNS queries. 
In addition to that, install fail2ban and add postfix-dnsbl.conf
with filter: 
failregex = NOQUEUE: reject: RCPT from (.*)\[<HOST>\]:([0-9]{4,5}:)? 550 5.7.1 Service unavailable; client \[(.*)\] blocked 

And this all helped bring my traffic down about 5-10%. Not much but still. 


Greetz, 

Louis




> -Original message-
> From: flo...@floppy.org [mailto:owner-postfix-us...@postfix.org] On behalf of
> Florian Piekert
> Sent: Wednesday 16 November 2016 14:39
> To: L.P.H. van Belle; postfix-users@postfix.org
> Subject: Re: regexp for allowing helo host
> 
> On 16.11.2016 at 14:35, L.P.H. van Belle wrote:
> 
> I have those entries in the master.cf, except it's having the "n" for
> chrooted as well (should be transparent)...
> 
> I assume it is due to the sheer NUMBER of dnsbl sites to query
> simultaneously?
> 
> > Ah yes,
> >
> > In master.cf  adust these.
> >
> > smtp  inet  n   -   -   -   1   postscreen
> > smtpd pass  -   -   -   -   -   smtpd
> > dnsblog   unix  -   -   -   -   0   dnsblog
> >
> >
> >
> >> -Original message-
> >> From: flo...@floppy.org [mailto:owner-postfix-us...@postfix.org] On behalf of
> >> Florian Piekert
> >> Sent: Wednesday 16 November 2016 14:27
> >> To: L.P.H. van Belle; postfix-users@postfix.org
> >> Subject: Re: regexp for allowing helo host
> >>
> >> On 16.11.2016 at 13:59, L.P.H. van Belle wrote:
> >>
> >> After going from
> >> postscreen_dnsbl_sites =
> >>   zen.spamhaus.org*2,
> >>   bl.mailspike.net,
> >>   bl.spamcop.net,
> >>   b.barracudacentral.org,
> >>   swl.spamhaus.org*-2
> >> to
> >>> postscreen_dnsbl_sites =
> >>> b.barracudacentral.org*4
> >>> bad.psky.me*4
> >>> zen.spamhaus.org*4
> >>> dnsbl.cobion.com*2
> >>> bl.spameatingmonkey.net*2
> >>> fresh.spameatingmonkey.net*2
> >>> dnsbl.anonmails.de*2
> >>> dnsbl.kempt.net*1
> >>> dnsbl.inps.de*2
> >>> bl.spamcop.net*2
> >>> dnsbl.sorbs.net*1
> >>> spam.dnsbl.sorbs.net*2
> >>> psbl.surriel.com*2
> >>> bl.mailspike.net*2
> >>> rep.mailspike.net=127.0.0.[13;14]*1
> >>> bl.suomispam.net*2
> >>> bl.blocklist.de*2
> >>> ix.dnsbl.manitu.net*2
> >>> dnsbl-2.uceprotect.net
> >>> hostkarma.junkemailfilter.com=127.0.0.3
> >>> hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
> >>> # whitelists
> >>> swl.spamhaus.org*-4
> >>> list.dnswl.org=127.0.[0..255].[2;3]*-1
> >>> rep.mailspike.net=127.0.0.[17;18]*-1
> >>> rep.mailspike.net=127.0.0.[19;20]*-2
> >>> hostkarma.junkemailfilter.com=127.0.0.1*-1
> >>
> >> I am rewarded with
> >> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: warning:
> >> psc_dnsbl_request: connect to private/dnsblog service: Resource
> >> temporarily
> >> unavailable
> >> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: message repeated 7
> >> times: [ warning: psc_dnsbl_request: connect to private/dnsblog
> service:
> >> Resource temporarily unavailable]
> >>
> >> Any idea?!
> >>
> >> I stopped pf, removed the postscreen_cache.db file just in case,
> restarted
> >> pf. Still getting those messages...
> 
> 
> 
> --
> 
> Florian Piekert, PMP
> flo...@floppy.org
> 
> Spargelweg 5Telephone+Fax: +49-179-
> 3928582
> 38179 Schwülper-Walle/Germany
> 
> ==
> =
> Note:  this message was  send by me *only* if the  eMail message contains
> a
> correct pgp signature corresponding to my address at  flo...@floppy.org.
> Do
> you need my  PGP  public key? Check out http://www.floppy.org or send me
> an
> email with  the subject "send pgp public key" to  this address of
> mine.Thx!
> 
> 




RE: regexp for allowing helo host

2016-11-16 Thread L . P . H . van Belle
Some good info to read into. 

http://rob0.nodns4.us/postscreen.html
http://blog.schaal-24.de/mail/postscreen-im-kampf-gegen-spam/?lang=en 

and of course a must read: 
http://www.postfix.org/POSTSCREEN_README.html 

Greetz, 

Louis

> -Original message-
> From: flo...@floppy.org [mailto:owner-postfix-us...@postfix.org] On behalf of
> Florian Piekert
> Sent: Wednesday 16 November 2016 14:27
> To: L.P.H. van Belle; postfix-users@postfix.org
> Subject: Re: regexp for allowing helo host
> 
> On 16.11.2016 at 13:59, L.P.H. van Belle wrote:
> 
> After going from
> postscreen_dnsbl_sites =
>   zen.spamhaus.org*2,
>   bl.mailspike.net,
>   bl.spamcop.net,
>   b.barracudacentral.org,
>   swl.spamhaus.org*-2
> to
> > postscreen_dnsbl_sites =
> > b.barracudacentral.org*4
> > bad.psky.me*4
> > zen.spamhaus.org*4
> > dnsbl.cobion.com*2
> > bl.spameatingmonkey.net*2
> > fresh.spameatingmonkey.net*2
> > dnsbl.anonmails.de*2
> > dnsbl.kempt.net*1
> > dnsbl.inps.de*2
> > bl.spamcop.net*2
> > dnsbl.sorbs.net*1
> > spam.dnsbl.sorbs.net*2
> > psbl.surriel.com*2
> > bl.mailspike.net*2
> > rep.mailspike.net=127.0.0.[13;14]*1
> > bl.suomispam.net*2
> > bl.blocklist.de*2
> > ix.dnsbl.manitu.net*2
> > dnsbl-2.uceprotect.net
> > hostkarma.junkemailfilter.com=127.0.0.3
> > hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
> > # whitelists
> > swl.spamhaus.org*-4
> > list.dnswl.org=127.0.[0..255].[2;3]*-1
> > rep.mailspike.net=127.0.0.[17;18]*-1
> > rep.mailspike.net=127.0.0.[19;20]*-2
> > hostkarma.junkemailfilter.com=127.0.0.1*-1
> 
> I am rewarded with
> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: warning:
> psc_dnsbl_request: connect to private/dnsblog service: Resource
> temporarily
> unavailable
> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: message repeated 7
> times: [ warning: psc_dnsbl_request: connect to private/dnsblog service:
> Resource temporarily unavailable]
> 
> Any idea?!
> 
> I stopped pf, removed the postscreen_cache.db file just in case, restarted
> pf. Still getting those messages...
> 




RE: regexp for allowing helo host

2016-11-16 Thread L . P . H . van Belle
Ah yes, 

In master.cf adjust these. 

smtp      inet  n   -   -   -   1   postscreen
smtpd     pass  -   -   -   -   -   smtpd
dnsblog   unix  -   -   -   -   0   dnsblog



> -Original message-
> From: flo...@floppy.org [mailto:owner-postfix-us...@postfix.org] On behalf of
> Florian Piekert
> Sent: Wednesday 16 November 2016 14:27
> To: L.P.H. van Belle; postfix-users@postfix.org
> Subject: Re: regexp for allowing helo host
> 
> On 16.11.2016 at 13:59, L.P.H. van Belle wrote:
> 
> After going from
> postscreen_dnsbl_sites =
>   zen.spamhaus.org*2,
>   bl.mailspike.net,
>   bl.spamcop.net,
>   b.barracudacentral.org,
>   swl.spamhaus.org*-2
> to
> > postscreen_dnsbl_sites =
> > b.barracudacentral.org*4
> > bad.psky.me*4
> > zen.spamhaus.org*4
> > dnsbl.cobion.com*2
> > bl.spameatingmonkey.net*2
> > fresh.spameatingmonkey.net*2
> > dnsbl.anonmails.de*2
> > dnsbl.kempt.net*1
> > dnsbl.inps.de*2
> > bl.spamcop.net*2
> > dnsbl.sorbs.net*1
> > spam.dnsbl.sorbs.net*2
> > psbl.surriel.com*2
> > bl.mailspike.net*2
> > rep.mailspike.net=127.0.0.[13;14]*1
> > bl.suomispam.net*2
> > bl.blocklist.de*2
> > ix.dnsbl.manitu.net*2
> > dnsbl-2.uceprotect.net
> > hostkarma.junkemailfilter.com=127.0.0.3
> > hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
> > # whitelists
> > swl.spamhaus.org*-4
> > list.dnswl.org=127.0.[0..255].[2;3]*-1
> > rep.mailspike.net=127.0.0.[17;18]*-1
> > rep.mailspike.net=127.0.0.[19;20]*-2
> > hostkarma.junkemailfilter.com=127.0.0.1*-1
> 
> I am rewarded with
> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: warning:
> psc_dnsbl_request: connect to private/dnsblog service: Resource
> temporarily
> unavailable
> Nov 16 14:20:35 blueberry postfix/postscreen[18461]: message repeated 7
> times: [ warning: psc_dnsbl_request: connect to private/dnsblog service:
> Resource temporarily unavailable]
> 
> Any idea?!
> 
> I stopped pf, removed the postscreen_cache.db file just in case, restarted
> pf. Still getting those messages...
> 




RE: Open relay, found it

2016-10-24 Thread L . P . H . van Belle
Hai Paul, 

I saw you got it fixed, comprimized pass as i suspected.  ;-) 

I saw also this in you log. 
from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206] 

This should never be allowed. ( from 127.0.0.1 ) ( on the external ip )
Thats impossible imo.

To fix that you can use something like below. 
Just make sure every known hostname and ipnumber of the server is listed here. 

Beware with these 3, these can give false positives.
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname, 


(pcre:/etc/postfix/helo.pcre) 
## Namebase
/^ip6-localhost$/                       554 Don't use my own hostname
/^localhost$/                           554 Don't use my own hostname
/^localhost\.localdomain$/              554 Don't use my own hostname
/^localhost\.yourdomain\.tld$/          554 Don't use my own hostname
/^localhost\.subdom\.yourdomain\.tld$/  554 Don't use my own hostname

/^yourdomain\.tld$/                     554 Don't use my own domainname
/^hostname\.yourdomain\.tld$/           554 Don't use my own hostname
/^hostname\.subdom\.yourdomain\.tld$/   554 Don't use my own hostname

## IP Based
/^127\.0\.0\.1$/                        554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/                    554 Don't use my own IP address
/^\:\:1$/                               554 Don't use my own IP address
/^\[\:\:1\]$/                           554 Don't use my own IP address
/^1\.2\.3\.4$/                          554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/                      554 Don't use my own IP address
# and add ipv6 ip if you use it.

## Optional, but can give false blocks.
#/^[0-9.]+$/             554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9]+(\.[0-9]+){3}$/ 554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9.-]+$/            550 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
#/^[0-9]+(\.[0-9]+){3}$/ REJECT Invalid hostname


# added in main.cf
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining


Greetz, 

Louis



> -Oorspronkelijk bericht-
> Van: p...@vandervlis.nl [mailto:owner-postfix-us...@postfix.org] Namens
> Paul van der Vlis
> Verzonden: zondag 23 oktober 2016 13:51
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Open relay, found it
> 
> Op 23-10-16 om 13:32 schreef Ansgar Wiechers:
> > On 2016-10-23 Paul van der Vlis wrote:
> >> Op 22-10-16 om 18:23 schreef /dev/rob0:
> >>> The only actual conclusion is that you have failed to put forth the
> >>> necessary information, as Bill [I think] pointed you to the
> >>> http://www.postfix.org/DEBUG_README.html#mail link.
> >>
> >> The problem is that somebody did send spam using port 587 with a not
> >> existing username, and I am interested how that is possible.
> >>
> >> sigmund:/var/log# postconf -Mf
> >
> > So you finally decided to show the output of "postconf -Mf" and
> > "saslfinger -s". Good. Now you just need to provide the rest of the
> > information Bill Cole asked of you 2 days ago:
> >
> > - Full output of "postconf -nf".
> > - Full headers of a sample message (you may obfuscate personal
> >   information about the recipient).
> > - All log lines associated with that particular message. At the very
> >   least the output of "grep  /var/log/mail.log".
> 
> I am sorry when I did not give the right information. I did read the
> link, and did what was asked there.
> 
> >   In case you don't know how to find the queue ID in a log message, it's
> >   this part of the log line:
> >
> > postfix/smtpd[]: 2758BBF4062: ...
> >   ^^^
> > And did you already investigate why the authentication backend considers
> > "p...@puk.nl" a valid user, as Noel Jones asked? What did you find out?
> 
> Yes, and I found out that when the username is "p...@puk.nl" SASL
> actually checks on "piet":
> --
> saslauthd[19855] :do_auth : auth success: [user=piet]
> [service=smtp] [realm=puk.nl] [mech=pam]
> --
> 
> I did some more tests, and it seems to be that the spammer actually did
> know the password. After changing the password, the logging changed:
> --
> saslauthd[20161] :do_auth : auth failure: [user=piet]
> [service=smtp] [realm=puk.nl] [mech=pam]
> -
> 
> 
> 
> With regards,
> Paul van der Vlis.
> 
> 
> 
> --
> Paul van der Vlis Linux systeembeheer Groningen
> https://www.vandervlis.nl/
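As an added example, not code from Louis's post or from Postfix itself: a small Python model of how Postfix evaluates a pcre: HELO access table like the helo.pcre above (first matching rule wins, matching is case-insensitive unless the `i` flag is given, a leading `!` negates a rule, `$1`-style substitution in the result; `if`/`endif` blocks are not modelled), run against constructed HELO strings. The table content, `yourdomain.tld` and `1.2.3.4` are constructed placeholders for the server's own names and address.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed helo.pcre, modelled on the table in the post; yourdomain.tld and
# 1.2.3.4 stand in for the server's own hostname and public address.
HELO_PCRE = r"""
## Namebase
/^localhost$/                     554 Don't use my own hostname
/^localhost\.localdomain$/        554 Don't use my own hostname
/^hostname\.yourdomain\.tld$/     554 Don't use my own hostname
/^yourdomain\.tld$/               554 Don't use my own domainname
## IP Based
/^127\.0\.0\.1$/                  554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/              554 Don't use my own IP address
/^1\.2\.3\.4$/                    554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/                554 Don't use my own IP address
# A bare IPv4 without brackets is not a valid address-literal (RFC 5321)
/^[0-9]+(\.[0-9]+){3}$/           554 EHLO/HELO must be a hostname or an address-literal
"""


class Rule(NamedTuple):
    negate: bool
    regex: re.Pattern
    result: str


# "!"? "/" pattern "/" flags whitespace result   (pattern may contain \/ escapes)
_RULE_LINE = re.compile(r"^(!?)/((?:[^/\\]|\\.)*)/([A-Za-z]*)\s+(.*)$")


def parse_pcre_table(text: str) -> List[Rule]:
    """Parse the subset of pcre_table(5) used above: comments, blank lines,
    optional '!' negation and the i/m/s/x flags (each flag letter toggles;
    'i' is on by default, so a literal 'i' makes the rule case-sensitive).
    if/endif blocks are not supported and raise ValueError."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a /pattern/ result rule: {raw!r}")
        negate, pattern, flags, result = m.groups()
        re_flags = re.IGNORECASE
        for f in flags:
            if f == "i":
                re_flags ^= re.IGNORECASE
            elif f == "m":
                re_flags ^= re.MULTILINE
            elif f == "s":
                re_flags ^= re.DOTALL
            elif f == "x":
                re_flags ^= re.VERBOSE
            else:
                raise ValueError(f"line {lineno}: unsupported flag {f!r}")
        rules.append(Rule(bool(negate), re.compile(pattern, re_flags), result.strip()))
    return rules


def lookup(rules: List[Rule], key: str) -> Optional[str]:
    """Return the result of the first matching rule, or None (Postfix: no match,
    the next restriction decides). $1..$n in the result are replaced by the
    corresponding captured groups, as Postfix does."""
    for rule in rules:
        m = rule.regex.search(key)
        if (m is not None) != rule.negate:
            if m is None:
                return rule.result          # negated rule matched: no groups to expand
            return m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", rule.result))
    return None


def helo_verdict(rules: List[Rule], helo: str) -> str:
    """What check_helo_access would hand back to smtpd for this HELO argument."""
    result = lookup(rules, helo)
    return "DUNNO" if result is None else f"REJECT {result}"


if __name__ == "__main__":
    table = parse_pcre_table(HELO_PCRE)
    for helo in ("localhost", "LOCALHOST", "[127.0.0.1]", "1.2.3.4",
                 "203.0.113.7", "[203.0.113.7]", "mail.example.org"):
        print(f"{helo:18} -> {helo_verdict(table, helo)}")
```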




Re: permit after all

2016-10-22 Thread L . P . H . van Belle
paul, check if there are messages still in queue. 


i had a compromised account also and same as you it didn't stop. it did after 
clearing up the queue list.


the user in question has used its email and pass on a website which was  
compromised, at least that's what i think. 


in my case i allow my users only from specific countries for smtp, 
limited by firewalling. (xtables geoip)


i also use zpush (active sync) through webserver, for mobile devices for other 
country support.


not a fix, but helps avoiding this problem of abuse.


and check if you landed on black lists. 


greetz 


louis

Op 22 okt. 2016 om 19:31 heeft Bill Cole 
 het volgende geschreven:


On 22 Oct 2016, at 8:54, /dev/rob0 wrote:

Should "closing 'permit' lines" be removed from live
configurations?

Of course not.  That is how it works.  If not specified as the OP did
it, the ending value of any restriction stage is "permit".  If not,
mail would not be accepted at all.

Not exactly. In principle one can end a restriction list with 'reject' 
if all desired 'permit' cases are covered by previous directives. In 
smtpd_recipient_restrictions this implies a check_recipient_access 
directive that permits local recipients (obviously AFTER anti-spam 
restrictions). And of course, many master.cf files include a service 
defined like this:

submission inet  n   -   n   -   -   smtpd
-o syslog_name=postfix/submit
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING




RE: Block certain prefixes/TLDs from accessing

2016-08-11 Thread L . P . H . van Belle
.. fail2ban 
Sasl filter. 

Or add xtables (geoip) and block the countries. 
I only allow sasl auth from my own country AND an A record must exist in the 
dns for the host sending.

And Blacklisting the spamming domains is often useless. 
You better check for the age of the domain or so. 
http://spameatingmonkey.com/usage.html 
I use fresh.spameatingmonkey.net, if it's less than 5 days old I reject it. 


Greetz, 

Louis

> -Oorspronkelijk bericht-
> Van: nmi...@noa.gr [mailto:owner-postfix-us...@postfix.org] Namens
> Nikolaos Milas
> Verzonden: donderdag 11 augustus 2016 12:45
> Aan: Richard Klingler
> CC: postfix-us...@cloud9.net
> Onderwerp: Re: Block certain prefixes/TLDs from accessing
> 
> On 11/8/2016 1:25 , Richard Klingler wrote:
> 
> > Is there an easy way to block a list of prefixes from accessing postfix?
> > ...
> > Preferably I would like to combine prefix and domain filtering
> > as plain helo_checks won't allow regular expression for hostnames.
> 
> I think you can use:
> 
> smtpd_recipient_restrictions =
>  ...
>  check_sender_access hash:/etc/postfix/blacklisted_senders
>  check_client_access cidr:/etc/postfix/blacklisted_prefixes
>  reject_unverified_recipient
>  reject_unauth_destination
>  ...
> 
> where /etc/postfix/blacklisted_senders:
> 
>  m...@example.com    REJECT
>  example.net         REJECT
>  subd.example.org    REJECT
>  ...
> 
> and /etc/postfix/blacklisted_prefixes:
> 
>  192.168.1.1 REJECT
>  192.168.0.0/16  REJECT
>  2001:db8::1 REJECT
>  2001:db8::/32   REJECT
> 
> Nick




RE: This ought to be simple to stop. Am I missing something?

2016-07-13 Thread L . P . H . van Belle

Here you have a bind log example, WITH lame server logging.
Adjust where needed. 

Just enable only lameserver logging. 
Set all to null and enable lameserver logging. 
No performance drop. 

logging {
    channel bind_log {
        file "/var/log/bind/bind.log" versions 3 size 1m;
        severity info;
        print-category  yes;
        print-severity  yes;
        print-time  yes;
    };
    channel query_log {
        file "/var/log/bind/query.log" size 1m;
        // Set the severity to dynamic to see all the debug messages.
        severity debug 3;
    };
    channel update_debug {
        file "/var/log/bind/update_debug.log" versions 3 size 100k;
        severity debug;
        print-severity  yes;
        print-time  yes;
    };
    channel security_info {
        file "/var/log/bind/security_info.log" versions 1 size 100k;
        severity info;
        print-severity  yes;
        print-time  yes;
    };
    channel xfer_log {
        file "/var/log/bind/xfer.log" size 1m;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };
    channel unmatched_log {
        file "/var/log/bind/unmatched.log" size 1m;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };
    channel lameservers_log {
        file "/var/log/bind/lameservers.log" size 1m;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };

    category default { bind_log; };
    category lame-servers { lameservers_log; };
    category update { update_debug; };
    category update-security { update_debug; };
    category security { security_info; };
    category queries { query_log; };
    //category unmatched { unmatched_log; };
    category xfer-in { xfer_log; };
    category xfer-out { xfer_log; };

    // No logging at all .. 
    // category default { null; };
};


> -Oorspronkelijk bericht-
> Van: m...@junc.eu [mailto:owner-postfix-us...@postfix.org] Namens Benny
> Pedersen
> Verzonden: woensdag 13 juli 2016 11:48
> Aan: postfix-users@postfix.org
> Onderwerp: Re: This ought to be simple to stop. Am I missing something?
> 
> On 2016-07-13 11:41, L.P.H. van Belle wrote:
> 
> > recommend using your own DNS servers when doing DNSBL queries to
> > Spamhaus.
> 
> using ::1 here, I don't trust others
> 
> > I no lame servers in my bind logs.
> > The set below is running over 1 year now, without any problems.
> 
> bind9 by default doesn't log lame-servers, since there is none; if enabled it
> will fill logs pretty fast and it will drop bind9 performance as well




RE: This ought to be simple to stop. Am I missing something?

2016-07-13 Thread L . P . H . van Belle

Then stop using google dns or other dns servers 
that block dns requests to rbl servers. 
Source :  https://www.spamhaus.org/faq/section/DNSBL%20Usage 

Check what DNS resolvers you are using: If you are using a free "open DNS 
resolver" service such as the Google Public DNS or large cloud/outsourced 
public DNS servers, such as Level3's or Verizon's, to resolve your DNSBL 
requests, in most cases you will receive a "not listed" (NXDOMAIN) reply from 
Spamhaus' public DNSBL servers. We recommend using your own DNS servers when 
doing DNSBL queries to Spamhaus.


I see no lame servers in my bind logs. 
The set below is running over 1 year now, without any problems. 


Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: m...@junc.eu [mailto:owner-postfix-us...@postfix.org] Namens Benny
> Pedersen
> Verzonden: woensdag 13 juli 2016 11:36
> Aan: postfix-users@postfix.org
> Onderwerp: Re: This ought to be simple to stop. Am I missing something?
> 
> On 2016-07-13 08:55, L.P.H. van Belle wrote:
> > A good combination of rbl lists with postscreen im using.
> >
> > postscreen_dnsbl_threshold=4
> > postscreen_dnsbl_sites =
> > b.barracudacentral.org*4
> > bad.psky.me*4
> > zen.spamhaus.org*4
> > dnsbl.cobion.com*2
> > bl.spameatingmonkey.net*2
> > fresh.spameatingmonkey.net*2
> > dnsbl.anonmails.de*2
> > dnsbl.kempt.net*2
> > dnsbl.inps.de*2
> > bl.spamcop.net*2
> > dnsbl.sorbs.net*2
> > psbl.surriel.com*2
> > bl.mailspike.net*2
> > bl.suomispam.net*2
> > all.rbl.jp*2
> > swl.spamhaus.org*-4
> 
> last time it was tried here bind9 says lame-servers to some of them, so
> if I see this then I don't use them
> 
> the good part here is postscreen sadly many of the above needs datafeeds
> to be stable




RE: This ought to be simple to stop. Am I missing something?

2016-07-13 Thread L . P . H . van Belle
A good combination of rbl lists with postscreen I'm using. 

postscreen_dnsbl_threshold=4
postscreen_dnsbl_sites =
b.barracudacentral.org*4
bad.psky.me*4
zen.spamhaus.org*4
dnsbl.cobion.com*2
bl.spameatingmonkey.net*2
fresh.spameatingmonkey.net*2
dnsbl.anonmails.de*2
dnsbl.kempt.net*2
dnsbl.inps.de*2
bl.spamcop.net*2
dnsbl.sorbs.net*2
psbl.surriel.com*2
bl.mailspike.net*2
bl.suomispam.net*2
all.rbl.jp*2
swl.spamhaus.org*-4

Basically, if one of the servers is in barracuda, spamhaus or psky 
it's always spam so I gave them the max (4). 
If it's a "new" domain name fresh.spameatingmonkey.net gives 2. 
And mostly one of the others gives too, if it's really spam. 

Works good here and especially with fail2ban 
using these filter/failregex 
failregex = client \[<HOST>\] blocked using multiple DNS-based blocklists
            addr <HOST> listed by domain
which reduces cpu load and unneeded connections. 

And if you use spamassassin 
https://github.com/extremeshok/spamassassin-extremeshok_fromreplyto 

but setting up dkim dmarc spf is recommended yes. 

Greetz, 

Louis



> -Oorspronkelijk bericht-
> Van: postfixlists-070...@billmail.scconsult.com [mailto:owner-postfix-
> us...@postfix.org] Namens Bill Cole
> Verzonden: woensdag 13 juli 2016 7:53
> Aan: postfix-users@postfix.org
> Onderwerp: Re: This ought to be simple to stop. Am I missing something?
> 
> On 12 Jul 2016, at 15:44, Phil Stracchino wrote:
> 
> > On 07/12/16 10:30, Bill Cole wrote:
> >> On 12 Jul 2016, at 9:14, Phil Stracchino wrote:
> >>
> >>> I'm getting spam leaking through from sites with non-resolving IP or
> >>> invalid DNS, sending mail to myself as me.
> >>
> >> You COULD use reject_unknown_client_hostname but it has substantial
> >> false positives.
> >>
> >> More directly, you could enforce your own SPF record:
> >>
> >> caerllewys.net.259200  IN  TXT "v=spf1
> ip4:216.246.132.90 -all"
> >
> > I'm trying to.  :)
> 
> Well, the choices for how to do that are many. Probably the simplest way
> to do it is with a "policy daemon" and the pypolicyd-spf implementation
> is the purest up-to-date SPF enforcement tool in that class.
> 
> Other options: there are other more comprehensive policy daemons, you
> can do SPF checks with amavisd-new, or if you're a Perl weenie like me
> you can install MIMEDefang and either implement SPF checks through one
> of the available Perl modules in filter_sender() or let SpamAssassin
> handle it.
> 
> I'd definitely choose pypolicyd-spf if I had noticeable quantities of
> this sort of crap making it to holistic filtering. SPF failure is
> actually decisive in so little mail that I see anywhere that I've not
> seen a need to push it to the top of the filtering heap.
> 
> That's assuming you have a need to accept some mail claiming to be from
> addresses in your own domain via that service, which you may not if
> you've got a submission service set up. Based on the absence of any SASL
> settings in your postconf -n output, I'm guessing you have such a
> service, unless you rely entirely on source IP (i.e. permit_mynetworks)
> for relay control.
> 
> [...]
> >> In this case it also appears that the IP address was in the CBL and
> >> hence SpamHaus Zen when you accepted it. Maybe not, but if you are
> >> not
> >> killing such IPs in postscreen you're going to have a lot of spam
> >> getting further in than it needs to. Also, if you're running a
> >> smallish
> >> mail system with a limited audience that does not include a need to
> >> communicate with Vietnamese correspondents, you can probably block
> >> all
> >> email traffic from 14.160.0.0/11.
> >
> > I considered that option, yes.  I ...  could have sworn I *was* using
> > the Zen RBL, actually.  It looks as though I took it out for some
> > reason
> > at some time in the past and never restored it.
> 
> I strongly recommend it. If you want fine-grained control over which
> parts you use, you can select which return codes to look for. In my
> case, I use these as part of my smtpd_recipient_restrictions list:
> 
> reject_rbl_client zen.spamhaus.org=127.0.0.2,
> reject_rbl_client zen.spamhaus.org=127.0.0.3,
> reject_rbl_client zen.spamhaus.org=127.0.0.4,
> reject_rbl_client zen.spamhaus.org=127.0.0.10,
> reject_rbl_client zen.spamhaus.org=127.0.0.11,
> 
> Those are, in order: SBL(chronic spam sources), CSS(snowshoers),
> CBL(spambots), PBL(ISP-designated dynamic), and PBL(Spamhaus-determined
> dynamic)
> 
> > I haven't deployed postscreen yet, as I simply don't know enough about
> > it.
> 
> It's designed for doing the simplest and most numerous spam rejections
> with the least effort. Its best features are the greeting delay, which
> catches many of the most aggressively obnoxious bots, and the ability to
> use multiple DNSBLs and DNSWLs in a scoring configuration. ~90% of the
> rejections my personal mail system does are by 

RE: thousands of "lost connection after AUTH"

2016-06-24 Thread L . P . H . van Belle
They are after usernames/passwords. 

And when that happens they will use your server as relay. 
Happened on one of my servers also. 

One of my users used his email and pass in facebook and linkedin. 
And the same as on the server.. :-/  
About 60.000 mails were tried to be sent over my server. 

What I did was, I limited the use of sasl auth with my firewall to only from 
within my country with xtables geo block. 
Port 25 does not allow sasl, only 587 is allowed and that port is limited to my 
country. 

And I told my user to never use the same username/pass of the server on any 
other place. 


Greetz, 

Louis



> -Oorspronkelijk bericht-
> Van: thomas.keller8...@gmail.com [mailto:owner-postfix-us...@postfix.org]
> Namens Thomas Keller
> Verzonden: vrijdag 24 juni 2016 9:50
> Aan: Postfix users
> Onderwerp: thousands of "lost connection after AUTH"
> 
> This is not a real problem, but I am curious to understand what is
> happening here.
> 
> I am running a small postfix server for personal use. One thing that I
> observe over and over again is thousands of "lost connection after AUTH"
> connections, such as these:
> 
>   08:23:19 postfix/smtpd[4925]: connect from unknown [155.133.38.30]
>   08:23:19 postfix/smtpd[4925]: lost connection after AUTH from unknown
> [155.133.38.30]
>   08:23:19 postfix/smtpd[4925]: disconnect from unknown [155.133.38.30]
> 
> now, these are not causing much trouble for me (other than flooding my
> logs), and I know I can tweak the anvil rate limits (I am using these
> below and since these "lost connection after auth" happen every 1 - 2
> minutes, they are not caught by my anvil filter.):
> 
>   anvil_rate_time_unit= 60s
>   smtpd_client_connection_rate_limit  = 10
>   smtpd_client_message_rate_limit = 10
>   smtpd_client_new_tls_session_rate_limit = 10
> 
> I am curious to know, who are these agents connecting to my server, and
> what are they trying to achieve ?
> 
> AFAICT, they don't even attempt to send spam, or use me as relay. What
> do they want?
> 




postfix sasl auth required

2016-03-24 Thread L . P . H . van Belle
Hai, 

I'm testing out my servers and I noticed the following 

telnet localhost 587
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydomain.tld ESMTP Ready
ehlo localhost
250-mail.mydomain.tld
250-PIPELINING
250-SIZE 1536
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I'm missing my 
250-AUTH here after starttls. 
Or is this because of the :  "smtpd_tls_auth_only = yes"  

I can't figure out what I missed, or if by default if : "smtpd_tls_auth_only = 
yes" is set no auth is offered? 
And is ETRN needed on the sasl auth?

Postfix 2.11.x

I'm having now in master.cf 

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

and main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

Greetz, 

Louis



RE: transport smtp failure after MySQL connection

2016-02-24 Thread L . P . H . van Belle
Did you reboot the server? If not, try it first. 
Why.. find out with: 

apt-get install debian-goodies 
checkrestart 

but, most of these can't restart, so rebooting the server is the only option. 
When that's done, check again. 


Greetz. 

Louis



> -Oorspronkelijk bericht-
> Van: christian.ren...@iway.ch [mailto:owner-postfix-us...@postfix.org]
> Namens Christian Renner
> Verzonden: woensdag 24 februari 2016 16:36
> Aan: postfix-users@postfix.org
> Onderwerp: transport smtp failure after MySQL connection
> 
> Hi all
> 
> We are using postfix smtp_tls_policy_maps with a MySQL lookup table.
> This setup worked good until we upgraded the following packages today
> because of CVE-2015-7547 (its a debian wheezy, upgraded as usual via apt-
> get upgrade):
> 
> libc-bin:amd64 (2.13-38+deb7u7, 2.13-38+deb7u10), libc6-dev:amd64 (2.13-
> 38+deb7u7, 2.13-38+deb7u10), libc-dev-bin:amd64 (2.13-38+deb7u7, 2.13-
> 38+deb7u10), libc6:amd64 (2.13-38+deb7u7, 2.13-38+deb7u10),
> libk5crypto3:amd64 (1.10.1+dfsg-5+deb7u2, 1.10.1+dfsg-5+deb7u7),
> dnsutils:amd64 (9.8.4.dfsg.P1-6+nmu2+deb7u3, 9.8.4.dfsg.P1-6+nmu2+deb7u9),
> libmysqlclient18:amd64 (5.5.41-0+wheezy1, 5.5.47-0+deb7u1), libssl-
> dev:amd64 (1.0.1e-2+deb7u15, 1.0.1e-2+deb7u19), openssl:amd64 (1.0.1e-
> 2+deb7u15, 1.0.1e-2+deb7u19), mysql-common:amd64 (5.5.41-0+wheezy1,
> 5.5.47-0+deb7u1), mysql-client-5.5:amd64 (5.5.41-0+wheezy1, 5.5.47-
> 0+deb7u1), libssl1.0.0:amd64 (1.0.1e-2+deb7u15, 1.0.1e-2+deb7u19)
> (plus some other packages definitely not related to postifx/mysql)
> 
> so mainly libc and mysql-client was upgraded. postfix-packages where left
> untouched.
> 
> Now smtp is crashing right after it tries to connect to the mysql-host:
> 
> Feb 24 15:20:33 sig01 postfix/smtp[8796]: dict_mysql_get_active:
> attempting to connect to host mysql.host.tld
> Feb 24 15:20:33 sig01 postfix/qmgr[6794]: warning: private/smtp socket:
> malformed response
> Feb 24 15:20:33 sig01 postfix/qmgr[6794]: warning: transport smtp failure
> -- see a previous warning/fatal/panic logfile record for the problem
> description
> Feb 24 15:20:33 sig01 postfix/master[6785]: warning: process
> /usr/lib/postfix/smtp pid 8796 killed by signal 11
> 
> Mails remain in queue with: status=deferred (unknown mail transport error)
> Outside of postfix I am able to connect to the mysql server (from the
> affected machine) without any problems.
> 
> Anyone here with an idea how to fix this?
> 
> Regards
> Christian



RE: Change Temporary failure in name resolution response code

2016-02-05 Thread L . P . H . van Belle
First, in reply to:
...  cannot find your hostname 

Optional to add: 
unknown_hostname_reject_code = 550

but if you have dns problems, everything gets rejected as Wietse already told 
you.. .. but I think.. , so what, the sender does get the NDR, he can send 
again but that's a choice. And think carefully about it.

Optional Add: 
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550


And this is the best trick of all imo.

Setup Postfix with postscreen with multiple rbls. ( make sure you use postfix 
2.10+ )

Like : 
postscreen_dnsbl_sites =
zen.spamhaus.org*3
b.barracudacentral.org*2
bl.spameatingmonkey.net*2
dnsbl.anonmails.de
dnsbl.kempt.net
dnsbl.inps.de
bl.spamcop.net
dnsbl.sorbs.net
psbl.surriel.com
bl.mailspike.net
swl.spamhaus.org*-4
bl.suomispam.net
bad.psky.me

now create a fail2ban filter postfix-dnsblog.conf  with : 

[INCLUDES]
before = common.conf

[Definition]
failregex = client \[<HOST>\] blocked using multiple DNS-based blocklists
            addr <HOST> listed by domain

and enable it, 
Let it trigger on 1 hit, I have set the ban time to 1 week, if they come back 
this time is extended with a week..  :-) 

Result, you save cpu time, resources, offload the dns servers and reduce the 
dns queries to the blocklist servers. 

And optional the postscreen_dnsbl_reply_map.pcre  file
!/^zen\.spamhaus\.org$/ multiple DNS-based blocklists, see http://multirbl.valli.org/

Also I added a caching dns server on localhost, I have 3 forwarding dns ip 
numbers with 3 different providers to reduce the chance of dns problems. 

This works very very good for me, until now no errors, running a year with this 
setup now. 


Last one to help out against spam. 
Add this to your dns . ( make sure tarbaby is the highest MX.) 
MX  30 tarbaby.junkemailfilter.com.

The guys at junkemailfilter.com check if the lower mx-s are up and so we help 
in detecting spamming servers. 
Read more about it here. 
http://wiki.junkemailfilter.com/index.php/Project_tarbaby 

The junkemailfilter is used in my spamassassin. 

Greetz, 

Louis



> -Oorspronkelijk bericht-
> Van: b...@knoxvillechristian.org [mailto:owner-postfix-us...@postfix.org]
> Namens Bill Shirley
> Verzonden: vrijdag 5 februari 2016 5:21
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Change Temporary failure in name resolution response code
> 
> You might want to have a look at fail2ban.  It monitors log files and
> blocks the offender by inserting an iptables DROP entry.
> 
> I block a lot of spammers this way.  I wouldn't think of running a mail
> server without it.
> 
> Bill
> 
> 
> On 2/4/2016 4:10 PM, Inteq Solution - Dep. Tehnic wrote:
> > Thank you Wietse,
> >
> > 450 it is then.
> >
> >
> >
> >
> >
> >
> > Razvan Constantin
> >
> > -Original Message-
> > From: owner-postfix-us...@postfix.org
> > [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
> > Sent: Thursday, February 04, 2016 11:06 PM
> > To: Postfix users
> > Subject: Re: Change Temporary failure in name resolution response code
> >
> > Inteq Solution - Dep. Tehnic:
> >> "The unknown_client_reject_code parameter specifies the response code
> >> for rejected requests (default: 450). The reply is always 450 in case
> >> the
> >> address->name or name->address lookup failed due to a temporary
> problem."
> >>
> >> But is there a way to change this behaviour to 550/554?
> > No. You would lose mail whenever DNS times out, and that would be worse
> than
> > having some client retry repeatedly. Unless you are running Postfix in a
> > very limited environment, repeated retries from one system should not be
> a
> > problem.
> >
> >> This situation is not exactly temporary and it is happening for over a
> >> month. I could just forget about it, but this server's retry is very
> >> very low.
> > Postfix considers timeouts as a temporary error. Handling them as a hard
> > error would do more harm than good. But I repeat myself.
> >
> > Wietse
> >
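As an added example (not code from any of the posts, nor from Postfix or fail2ban), the postscreen weighting described here and in Louis's 2016-07-13 post, followed by the two fail2ban failregex lines run over the log that such a setup produces. The site list, weights and threshold are taken from the posts; the DNSBL lookup results, client IPs, pids, the log line formats and the `<HOST>` expansion are constructed, simplified stand-ins.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the postscreen_dnsbl_sites lists quoted in the two posts:
# "site*weight", weight 1 when omitted, negative weight for a whitelist (DNSWL).
DNSBL_SITES = """
b.barracudacentral.org*4
zen.spamhaus.org*4
fresh.spameatingmonkey.net*2
bl.spamcop.net*2
swl.spamhaus.org*-4
"""
DNSBL_THRESHOLD = 4   # postscreen_dnsbl_threshold=4 from the 2016-07-13 post
CLIENT_PORT = 54321   # constructed client source port for the log lines

# The two failregex lines from the posts, with fail2ban's <HOST> tag restored.
FAILREGEX = [
    r"client \[<HOST>\] blocked using multiple DNS-based blocklists",
    r"addr <HOST> listed by domain",
]
# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed lookup results: site -> A record "returned" for each client IP
# (RFC 5737 documentation addresses; no real listing is implied).
SAMPLE_LISTINGS: Dict[str, Dict[str, str]] = {
    "198.51.100.10": {"zen.spamhaus.org": "127.0.0.2",
                      "b.barracudacentral.org": "127.0.0.2"},
    "198.51.100.20": {"fresh.spameatingmonkey.net": "127.0.0.2"},
    "198.51.100.30": {"b.barracudacentral.org": "127.0.0.2",
                      "swl.spamhaus.org": "127.0.2.2"},
}


def parse_dnsbl_sites(text: str) -> List[Tuple[str, int]]:
    """Parse postscreen_dnsbl_sites entries (the domain=filter form is not modelled)."""
    sites = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, weight = line.partition("*")
        sites.append((name, int(weight) if weight else 1))
    return sites


def postscreen_score(ip: str, sites: List[Tuple[str, int]],
                     listings: Dict[str, str], threshold: int) -> Tuple[int, List[str]]:
    """Sum the weights of the sites that list ip and return the DNSBL rank plus
    the log lines a dnsblog/postscreen pair would write for this client."""
    rank, lines = 0, []
    for site, weight in sites:
        reply = listings.get(site)
        if reply is None:
            continue
        rank += weight
        # dnsblog logs every single listing, whatever its weight
        lines.append(f"postfix/dnsblog[1001]: addr {ip} listed by domain {site} as {reply}")
    lines.append(f"postfix/postscreen[1000]: DNSBL rank {rank} for [{ip}]:{CLIENT_PORT}")
    if rank >= threshold:   # only the weighted verdict triggers the reject line
        lines.append(f"postfix/postscreen[1000]: NOQUEUE: reject: RCPT from "
                     f"[{ip}]:{CLIENT_PORT}: 550 5.7.1 Service unavailable; client "
                     f"[{ip}] blocked using multiple DNS-based blocklists")
    return rank, lines


def compile_failregex(patterns: List[str]) -> List[re.Pattern]:
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def fail2ban_hits(log_lines: List[str], patterns: List[re.Pattern]) -> Dict[str, int]:
    """Count failregex matches per host, as a fail2ban filter would."""
    hits: Dict[str, int] = {}
    for line in log_lines:
        for rx in patterns:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits


def run_sample(threshold: int = DNSBL_THRESHOLD):
    """Score every sample client, then feed the combined log to the fail2ban filter."""
    sites = parse_dnsbl_sites(DNSBL_SITES)
    log: List[str] = []
    ranks: Dict[str, int] = {}
    for ip, listings in SAMPLE_LISTINGS.items():
        ranks[ip], lines = postscreen_score(ip, sites, listings, threshold)
        log.extend(lines)
    rejected = {ip for ip, r in ranks.items() if r >= threshold}
    banned = fail2ban_hits(log, compile_failregex(FAILREGEX))
    return ranks, rejected, banned


if __name__ == "__main__":
    ranks, rejected, banned = run_sample()
    for ip in SAMPLE_LISTINGS:
        print(f"{ip}: rank {ranks[ip]}, rejected={ip in rejected}, "
              f"fail2ban hits={banned.get(ip, 0)}")
```

With these inputs 198.51.100.20 (rank 2, below the threshold) and 198.51.100.30 (rank 0 because the swl.spamhaus.org whitelist cancels the listing) are still banned by the `addr <HOST> listed by domain` line after a single hit, since dnsblog logs every listing regardless of weight; only the `client [...] blocked` line follows postscreen's weighted verdict.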




RE: Can anyone decipher this Policyd-spf error?

2016-02-05 Thread L . P . H . van Belle
Switch to the perl version of this and your problem is fixed. 

Use postfix-policyd-spf-perl 
Not postfix-policyd-spf-python

Both work the same, but the perl version works fine with ipv6 on my server.

Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: t...@whyscream.net [mailto:owner-postfix-us...@postfix.org] Namens Tom
> Hendrikx
> Verzonden: vrijdag 5 februari 2016 9:56
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Can anyone decipher this Policyd-spf error?
> 
> Hi,
> 
> As the ticket says, the error is caused by handling ipv6 addresses. When
> you hit any troubles later, you could look into disabling ipv6 :/
> 
> Regards,
>   Tom
> 
> On 05-02-16 00:08, Danny Horne wrote:
> > Thanks for both replies,
> >
> > I've just checked and I'm running python-ipaddr 2.1.9, with no updates
> > available.  I can live with the problem for now, I think this is the
> > only time I've seen that error (though that doesn't mean it hasn't
> > happened before).
> >
> > Thanks again for your help
> >
> > On 04/02/2016 9:34 pm, Scott Kitterman wrote:
> >> On Thursday, February 04, 2016 04:19:54 PM Bill Cole wrote:
> >>> On 4 Feb 2016, at 15:52, Danny Horne wrote:
>  Hi all,
> 
>  I am getting the following error on just one email address from
>  policyd-spf, called from Postfix.  No other email address has caused
>  me
>  problems (as far as I'm aware) and I had to completely disable
>  policyd-spf in Postfix to allow the email through.  Can anyone
>  decipher
>  what the problem was?

> >>> Only enough to be sure that the problem happened inside policyd-spf
> and
> >>> that you're using the Python implementation, not the Perl one, since
> >>> that log mess is a Python error trackback.
> >>>
> >>> These lines tell the immediate error:
> >>>
> >>> Feb  4 14:32:06 gallium policyd-spf[8810]:  File
> >>> "/usr/lib/python2.7/site-packages/spf.py", line 1206, in dns_a
> >>> Feb  4 14:32:06 gallium policyd-spf[8810]:return
> >>> [ipaddress.Bytes(ip) for ip in r]
> >>> Feb  4 14:32:06 gallium policyd-spf[8810]: AttributeError: 'module'
> >>> object has no attribute 'Bytes'
> >>>
> >>> That would *probably* be meaningful to the developers of policyd-spf
> and
> >>> perhaps to any good Python developer. To me it says "spf.py has a bug"
> >>> but my guess is far from expert.
> >>>
> >>> Looks possible that this is your answer:
> >>>
> >>> https://bugs.launchpad.net/pypolicyd-spf/+bug/1229862/comments/3
> >> I believe that's correct.  I just confirmed that ipaddr.Bytes (which
> gets used
> >> as ipaddress.Bytes in this policy server for python3 compatibility) was
> added
> >> in ipaddr-py 2.1.10, so running with an older version will cause that
> error.
> >>
> >> Scott K
> >
> >




RE: lmtp: transport unavailable

2016-01-20 Thread L . P . H . van Belle
Ok, debian, my thing..  ;-) 

Try : 

Edit /etc/dovecot/dovecot.conf 
To Change :  protocols = imap lmtp

And add: 

service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
protocol lmtp {
postmaster_address=postmas...@yourdomain.com
hostname=mail.yourdomain.com
}


And in postfix main.cf 

mailbox_transport = lmtp:unix:private/dovecot-lmtp

Is this a setup with dovecot with sql? 
Then you need some extra things. 



Greetz, 

Louis

> -Oorspronkelijk bericht-
> Van: ar...@sanusi.de [mailto:owner-postfix-us...@postfix.org] Namens Arian
> Sanusi
> Verzonden: woensdag 20 januari 2016 14:44
> Aan: postfix-users@postfix.org
> Onderwerp: Re: lmtp: transport unavailable
> 
> 
> >> Just did - the only thing that's there is not helpful to me,
> >> either: Jan 20 11:31:40 chichak postfix/qmgr[31189]: warning:
> >> connect to transport private/local: Connec tion refused
> 
> > Looks like lack of rights or wrong path.
> lack of rights: postfix should be able to use the socket, if it actually
> has the path, as
> # ls /var/spool/postfix/private/dovecot-lmtp -l
> srw--- 1 postfix postfix 0 Jan 20 10:24
> /var/spool/postfix/private/dovecot-lmtp
> >
> > Did you run your smtp-source test as user postfix?
> yes: makes no difference.
> >
> > BTW - what user is your dovecot running with?
> root, standard debian config.
> >
> > What makes you shure, postfix will try to use
> > /var/spool/postfix/private/dovecot-lmtp?
> 
> nothing makes me sure, as postfix does not actually say anywhere which
> socket it tries to use. (as long as the private/local above is not the
> path - I don't know where it'd get that, it's not mentioned in the config)
> There's some doku mentioning this[1], and main.cf has the entries quoted
> before, which should point there after chrooting.
> 
> [1] http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP




RE: Helo Checks not always working?

2016-01-07 Thread L . P . H . van Belle
These are 2 different things. 

Unknown hostname is a missing PTR record

For that you can use : 

smtpd_client_restrictions = ... 

"unknown" is also the name in the case of a temporary dns lookup failure. so 
using 5xx for all "unknown" is not a good idea.

# reject_unknown_client_hostname: requires that the address->name and 
name->address mappings exist, but also that the two mappings reproduce the 
client IP address

# reject_unknown_reverse_client_hostname: Reject the request when the client IP 
address has no address->name mapping. This is a weaker restriction than the 
reject_unknown_client_hostname

Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: tn-post...@saarcube.de [mailto:owner-postfix-us...@postfix.org]
> Namens Thomas Nagel
> Verzonden: donderdag 7 januari 2016 14:18
> Aan: Postfix users
> Onderwerp: Helo Checks not always working?
> 
> Hello,
> 
> we encountered a strange behaviour.
> 
> We enabled smtp_helo_restrictions:
> 
> smtpd_helo_required = yes
> 
> smtpd_helo_restrictions =
>    permit_mynetworks,
>    permit_sasl_authenticated,
>    reject_unlisted_recipient,
> # check_client_access hash:/etc/postfix/
>    check_helo_access hash:/etc/postfix/check_helo_access
>    reject_invalid_helo_hostname
>    reject_non_fqdn_helo_hostname
>    reject_unknown_helo_hostname
> 
> unknown_hostname_reject_code = 550
> 
> in the "check_helo_access" map there are only certain senders with their
> special invalid HELOs whitelisted, but no "unknown" or the mentioned IP
> address.
> 
> Most of the time connectors with invalid DNS Records are blocked like
> this:
> 
> 
> Jan  3 06:36:21 server postfix/smtpd[23338]: connect from
> unknown[190.11.55.217]
> Jan  3 06:36:22 server postfix/smtpd[23338]: NOQUEUE: reject: RCPT from
> unknown[190.11.55.217]: 504 5.5.2 <190.11.55.217>: Helo command
> rejected: need fully-qualified hostname; from=<>
> to= proto=SMTP helo=<190.11.55.217>
> 
> - but sometimes we see this:
> 
> Jan  5 16:43:30 server postfix/smtpd[13577]: connect from
> unknown[195.22.126.188]
> Jan  5 16:43:30 server postgrey[2604]: action=pass, reason=recipient
> whitelist, client_name=unknown, client_address=195.22.126.188,
> sender=i...@gmail.com, recipient=i...@example.com
> Jan  5 16:43:30 server postfix/smtpd[13577]: B064010A1B5E:
> client=unknown[195.22.126.188]
> Jan  5 16:43:30 server postfix/cleanup[13133]: B064010A1B5E:
> message-id=<20160105094329.fab7ffc87cc25...@gmail.com>
> Jan  5 16:43:30 server postfix/qmgr[4924]: B064010A1B5E:
> from=, size=2536, nrcpt=1 (queue active)
> Jan  5 16:43:30 server postfix/smtpd[13577]: disconnect from
> unknown[195.22.126.188]
> 
> Shouldn't this be blocked when the helo restrictions are applied? So the
> mail shouldn't actually be passed on?
> 
> Thanks,
> 
> Thomas.
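
The "unknown" in those log lines is the client hostname (reverse DNS), not the HELO name, so the HELO restrictions never look at it. As an added example that is not part of this thread, the following Python models the two client-hostname restrictions Louis quotes above against constructed resolver tables (not live DNS); the reply codes follow the postconf(5) descriptions, in particular the rule that a temporary lookup failure always gets 450 no matter what unknown_client_reject_code says.

```python
"""Model of Postfix's two client-hostname checks against a canned resolver.

Added example; it is not Postfix code. The resolver tables below are
constructed, and the reply codes follow the postconf(5) descriptions of
reject_unknown_reverse_client_hostname and reject_unknown_client_hostname.
"""

# Constructed DNS data. A key that is absent means NXDOMAIN (the record does
# not exist); a value of None means the lookup failed temporarily
# (SERVFAIL/timeout). Addresses are from the documentation range 192.0.2.0/24.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.net",  # PTR and A agree: proper FCrDNS
    "192.0.2.11": "mail.example.org",  # PTR exists, but its A points elsewhere
    "192.0.2.12": None,                # reverse lookup timed out
    # "192.0.2.13": no PTR at all
}
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.7"],
}

NXDOMAIN = object()  # sentinel: "no such record"


def lookup(table, key):
    """Return the record, NXDOMAIN, or None for a temporary failure."""
    return table.get(key, NXDOMAIN)


def client_name(addr):
    """The name smtpd logs in 'connect from NAME[addr]'.

    Postfix only trusts the PTR name when the forward lookup of that name
    reproduces the client address; otherwise it logs 'unknown'. A missing
    PTR, a mismatched PTR and a DNS timeout therefore all look alike in the
    log, which is why 5xx on every 'unknown' also hits the timeouts.
    """
    ptr = lookup(PTR_RECORDS, addr)
    if ptr is NXDOMAIN or ptr is None:
        return "unknown"
    fwd = lookup(A_RECORDS, ptr)
    if fwd is NXDOMAIN or fwd is None or addr not in fwd:
        return "unknown"
    return ptr


def reject_unknown_reverse_client_hostname(addr, reject_code=450):
    """The weaker check: only an address->name mapping must exist.

    reject_code models unknown_client_reject_code (Louis sets 550); per
    postconf(5) a temporary lookup failure always gets 450 regardless.
    """
    ptr = lookup(PTR_RECORDS, addr)
    if ptr is None:
        return ("DEFER", 450, "temporary reverse lookup failure")
    if ptr is NXDOMAIN:
        return ("REJECT", reject_code,
                "Client host rejected: cannot find your reverse hostname")
    return ("DUNNO", None, "reverse name is %s" % ptr)


def reject_unknown_client_hostname(addr, reject_code=450):
    """The stronger check: address->name, name->address, and the round trip
    must reproduce the client address (forward-confirmed reverse DNS)."""
    ptr = lookup(PTR_RECORDS, addr)
    if ptr is None:
        return ("DEFER", 450, "temporary reverse lookup failure")
    if ptr is NXDOMAIN:
        return ("REJECT", reject_code,
                "Client host rejected: cannot find your hostname")
    fwd = lookup(A_RECORDS, ptr)
    if fwd is None:
        return ("DEFER", 450, "temporary forward lookup failure")
    if fwd is NXDOMAIN or addr not in fwd:
        return ("REJECT", reject_code,
                "Client host rejected: cannot find your hostname")
    return ("DUNNO", None, "FCrDNS confirmed %s" % ptr)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        print("connect from %s[%s]" % (client_name(addr), addr))
        print("  reverse:", reject_unknown_reverse_client_hostname(addr, 550))
        print("  full:   ", reject_unknown_client_hostname(addr, 550))
```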

 



Re: SASL binds

2016-01-02 Thread L . P . H . van Belle
never knew this, what is the SPN postfix/sasl needs? 

and a simple way to make the client work, setup a samba client, if setup 
correctly, samba will refresh the keytab file.

if someone wants info on this, i can answer monday again.

greetz,
louis

> Op 1 jan. 2016 om 21:17 heeft Viktor Dukhovni  
> het volgende geschreven:
> 
>> On Fri, Jan 01, 2016 at 02:46:33PM -0500, Brendan Kearney wrote:
>> 
>> Postfix version - 3.0.3 running on Fedora 22.  MIT Kerberos and OpenLDAP are
>> being used.
>> 
>> my ldap-users.cf file, for example:
>> server_host = ldap://server1.bpk2.com ldap://server2.bpk2.com
>> search_base = dc=bpk2,dc=com
>> version = 3
>> 
>> bind = sasl
>> bind_dn = uid=mta,ou=processUsers,ou=Users,dc=bpk2,dc=com
>> sasl_mechs = gssapi
>> sasl_realm = BPK2.COM
>> 
>> query_filter = (mail=%s)
> 
> Where is the credential cache for the "postfix" ($mail_owner) user?
> 
>> the above results in the below error logs:
>> Jan 01 14:33:50 mail postfix/trivial-rewrite[17185]: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information (No
>> Kerberos credentials available)
> 
> Not surprising, you need a cred cache.
> 
>> I am assuming the keytab, /etc/postfix/postfix.keytab would be used to bind
>> to the directory, but i am not sure.  
> 
> No, Kerberos keytabs are not credential caches.  You need to run "kinit"
> to obtain credentials via a keytab.  I recommend an hourly cron job
> that runs as "postfix":
> 
>    export KRB5_KTNAME=FILE:/etc/postfix/postfix.keytab
>    export KRB5CCNAME=FILE:$(postconf -xh queue_directory)/ccache
>    principal=smtp/$(uname -n)
>    kinit -k "$principal"
> 
> Then in main.cf add:
> 
>    # var=import_environment
>    # val=$(postconf -h "$var")
>    # postconf -e "$var = $val KRB5CCNAME=FILE:\${queue_directory}/ccache"
> 
>> import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY
>> DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/postfix.keytab
>> export_environment = TZ MAIL_CONFIG LANG KRB5_KTNAME
> 
> This suffices for Postfix as a Kerberos server, but not as a Kerberos
> client.
> 
> -- 
> 	Viktor.
> 



RE: 53% of Postfix servers are black-listed (DNSBL)

2015-12-29 Thread L . P . H . van Belle
Well, you're allowed to have your opinion .. no problems with that. 
And good for you, then there are other MTA's you can try to configure.. 

I'm using postfix for more than 10 years now, and I'm very happy with it. 
I get about 0.05% spam of all mails, and that 0.05% is caught by spamassassin, 
I don't see any spam at all. 
so yeah, if you don't know how to configure it, you get spam.. yes. 

Besides that. 
> 90% of global e-mail is SPAM. 
Yes ! correct, why? Because crappy IT guys configure their servers wrong. 
No postfix blame here imo. 

> 91% of targeted attacks start with e-mail.
See above..  

> What is Postfix's share of SPAM?
We don't care about the postfix "spam" share.. 
Have a look at microsoft exchange...  
94% !!! of exchange are open relays..  

Exim... 56% of exim servers are blacklisted. 

Novell GroupWise, 54% is in US. 

You see, useless stats without content. 


> Who makes Postfix?
A very nice dutch guy, living in the US..:-) 


> What is wrong with Postfix?
Nothing, if you configure it right, and based on what you're saying... 
(... not typing that) 


And last. 
> > Received: from 1-160-101-156.dynamic.hinet.net ([1.160.101.156]:52001
> > helo=uwtir.com) by seth.lunarpages.com with esmtpsa [...]
> 
> > Received: from localhost (localhost.localdomain [127.0.0.1])
> > by zimbra.baycix.de (Postfix) with ESMTP id E7078416A85 [...]

Shows how badly you have configured your server. (sorry) 


Greetz, 

Louis





> -Oorspronkelijk bericht-
> Van: se...@runbox.com [mailto:owner-postfix-us...@postfix.org] Namens sb
> Verzonden: dinsdag 29 december 2015 13:02
> Aan: majord...@cloud9.net; postfix users
> Onderwerp: 53% of Postfix servers are black-listed (DNSBL)
> 
> 
> 90% of global e-mail is SPAM.
> 91% of targeted attacks start with e-mail.
> 
> What is Postfix's share of SPAM?
> 
> 
> A recent survey of 2.8M SMTP servers shows the following.
> 
> - 53% of Postfix servers are black-listed (DNSBL)
>    http://www.mailradar.com/mailstat/mta/Postfix.html
> 
> - 44% of open relays are Postfix servers
>    http://www.mailradar.com/mailstat/open-relay/
> 
> - 35% of Postfix servers are hosted in the USA
>    http://www.mailradar.com/mailstat/mta/Postfix.html
> 
> Who makes Postfix?
> --
> 
>    Wietse Venema
>    IBM T.J. Watson Research
>    P.O. Box 704
>    Yorktown Heights, NY 10598, USA
> 
> What is Postfix's share of the SMTP server market?
> --
> 
> A recent survey of 2.3M SMTP servers shows the following.
> 
> #1: 53.25% EXIM
> #2: 32.64% POSTFIX
> #3: 6.66%  SENDMAIL
> http://www.securityspace.com/s_survey/data/man.201511/mxsurvey.html
> 
> What is wrong with Postfix?
> ---
> 
> Suppose you are a school/SME/you-name-it, you want a secure server,
> and you run Postfix. The following is what you get in your inbox.
> 
> > Date: Thu, 17 Dec 2015 15:6:1
> 
> > From: paulnoah@
> 
> > Message-ID: <8038f16fe88ca0b6a66649d005c232e9@localhost.localdomain>
> 
> > Received: from 1-160-101-156.dynamic.hinet.net ([1.160.101.156]:52001
> > helo=uwtir.com) by seth.lunarpages.com with esmtpsa [...]
> 
> > Received: from localhost (localhost.localdomain [127.0.0.1])
> > by zimbra.baycix.de (Postfix) with ESMTP id E7078416A85 [...]
> 
> > Received: from [127.0.0.1] by omp1062.mail.bf1.yahoo.com with NNFMP;
> 25 Dec 2015 23:24:21 -
> 
> > Received: from uhosp.example.com ([37.230.116.83])
> 
> > Received: [...]
> >...
> > Message-ID: [...] <---
> > Delivered-To: [...]
> > Received: [...]
> > Received: [...]
> 
> [anonymised]
> > To: 
> >...
> > Reply-To: 
> 
> There are more examples, and the all reduce to Postfix accepting
> incoming e-mail whose origin and envelope are not RFC compliant.
> 
> In fact, the task of writing PCRE parsers and policies is delegated
> to the user, that is you, as part of your own configuration
> (access, helo_access, header_checks, etc).
> 
> Writing such parsers and policies is highly rewarding: my servers
> reject 95% of SPAM by rejecting non-RFC-compliant e-mails, without
> any DNSxL or anti-spam add-on. The task required months of full-time
> labour. The same task cannot be brought to completion, however.
> 
> The postfix-users forum would be a good place where to discuss
> Postfix's problems in detail. However, the same forum is rather focused
> on self-celebration than active collaboration, where attempts to
> address SPAM as a problem are scornfully dismissed. Given the above
> statistics, this is no longer surprising.
> 
> Postfix is easy on the spammers and hard on the honest.
> 
> unsubscribe postfix-users




RE: How to Block EHLO/HELO that has IP Only

2015-12-23 Thread L . P . H . van Belle

This is how i run it.  ( postfix 2.11.x on debian Jessie ) 
This stops a lot of "spamming" servers, and if anyone sees improvements,... I'm 
all ears...  ;-) 
This was a drop of about 90% of all spam, the remaining used "good" configured 
servers..  :-/  but for that spamassassin.. 


unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550

smtpd_client_restrictions =
permit_mynetworks,
check_client_access hash:/etc/postfix/overrule/allow_client_access.map,
check_client_access cidr:/etc/postfix/cidr/drop.spamhaus-lasso.cidr,
check_client_access cidr:/etc/postfix/cidr/drop.tor-exitnode-ips.cidr,
check_client_access cidr:/etc/postfix/cidr/drop.bad-networks.cidr,
weightcheck_policy,
spfcheck_policy,
#greycheck_policy,
reject_unauth_destination,
reject_non_fqdn_hostname,
reject_invalid_hostname,
reject_unauth_pipelining


smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
check_helo_access pcre:/etc/postfix/pcre/helo.pcre
check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
reject_unauth_destination,
reject_unauth_pipelining


In the helo.pcre put all known hostnames and ip your server is using.
## Name based
/^localhost$/   554 Don't use my own hostname
/^localhost\.localdomain$/  554 Don't use my own hostname
/^localhost\.domain\.tld$/   554 Don't use my own hostname
/^ip6-localhost$/   554 Don't use my own hostname
/^domain\.tld$/  554 Don't use my own domainname
/^hostname\.domain\.tld$/  554 Don't use my own hostname
## IP Based
/^127\.0\.0\.1$/554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/554 Don't use my own IP address
/^\:\:1$/   554 Don't use my own IP address
/^\[\:\:1\]$/   554 Don't use my own IP address
/^1\.2\.3\.4$/  554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/  554 Don't use my own IP address

If you get in trouble with customers..  overrule/allow_helo_access.map 
Put in : (IP OK ) 
1.2.3.4 OK 

smtpd_sender_restrictions = 
permit_mynetworks, 
reject_non_fqdn_sender,
reject_unknown_sender_domain, 
check_sender_mx_access cidr:/etc/postfix/cidr/check_sender_mx_access.cidr,
reject_unauth_pipelining

smtpd_recipient_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
reject_unauth_destination, 
reject_unknown_recipient_domain

smtpd_relay_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
reject_unauth_destination, 
reject_unknown_recipient_domain, 
check_policy_service unix:private/policy-spf

### Before-220 tests (postscreen / DNSBL)
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    cidr:/etc/postfix/cidr/postscreen_spamhaus-lasso_access.cidr
postscreen_dnsbl_reply_map = pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_threshold  = 4
postscreen_dnsbl_sites =
zen.spamhaus.org*3
b.barracudacentral.org*2
bl.spameatingmonkey.net*2
dnsbl.anonmails.de
dnsbl.kempt.net
dnsbl.inps.de
bl.spamcop.net
dnsbl.sorbs.net
psbl.surriel.com
bl.mailspike.net
swl.spamhaus.org*-4
postscreen_whitelist_interfaces = $mynetworks, static:all



Greetz, 

Louis

> -Oorspronkelijk bericht-
> Van: nico...@devels.es [mailto:owner-postfix-us...@postfix.org] Namens
> Nicolás
> Verzonden: woensdag 23 december 2015 16:10
> Aan: postfix-users@postfix.org
> Onderwerp: Re: How to Block EHLO/HELO that has IP Only
> 
> 
> El 23/12/15 a las 08:38, L. D. James escribió:
> > I have many log entries where there are "helo=[1.2.3.4]" entries with
> > no domain name.  It has an IP address only.  Each of these occasions
> > are unwanted spam messages.
> >
> > Can some one specify a policy restriction that will block these
> messages.
> >
> > An example from the log is:
> >
> > Dec 22 16:00:52 hera5 policyd-spf[9883]: None; identity=mailfrom;
> > client-ip=75.211.27.210; helo=[63.205.88.41];
> > envelope-from=dtrue-nore...@example.com; receiver=u...@example.com
> >
> > Thanks in advance for any suggestions on this.
> >
> > -- L. James
> >
> 
> You can use reject_non_fqdn_helo_hostname in the smtpd_helo_restrictions
> parameter. For example:
> 
> smtpd_helo_restrictions =
>  permit_mynetworks
>  reject_non_fqdn_helo_hostname
>  reject_unknown_helo_hostname
>  permit
> 
> Regards,
> 
> Nicolás




RE: 2 questions: Can I add another smtp line into master.cf for spam assassin? & spa-policy.pl

2015-12-02 Thread L . P . H . van Belle
Hai, 

I run this on a debian Jessie, postfix 2.11 (all debian packages ) 

Route for me is like this. 

-> postscreen -> policy-weight -> policy-spf -> clamsmtp (-> spamassassin) -> user

A1.
I have in main.cf  

content_filter = clamsmtp:127.0.0.1:10025 

A2.  Yes, you can. This is how i did set it up.. ..there may be improvements on 
this, but for now it works for me. 
 ( i used this site for my example : 
https://wiki.dest-unreachable.net/pages/viewpage.action?pageId=15892484 ) 

 

 

example master.cf 

smtp  inet  n   -   -   -   1   postscreen
smtpd pass  -   -   -   -   -   smtpd
  -o content_filter=spamassassin
dnsblog   unix  -   -   -   -   0   dnsblog
tlsproxy  unix  -   -   -   -   0   tlsproxy
submission inet n   -   -   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=spamassassin
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

smtps inet  n   -   -   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=spamassassin
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

## Postfix SPF Check (package to install : postfix-policyd-spf-perl )
policy-spf  unix  -   n   n   -   0   spawn
  user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl

## spamassassin (package to install : spamassassin spamd  )
spamassassin unix - n   n   -   -   pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

## clamsmtp (package to install : clamsmtp ) 
clamsmtp  unix  -   -   n   -   16  smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes

# reinjection from spamassassin into mailflow after checks
127.0.0.1:10026 inet n   -   n   -   16   smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
 


Van: rob...@chalmers.com.au [mailto:owner-postfix-us...@postfix.org] Namens 
Robert Chalmers
Verzonden: woensdag 2 december 2015 13:26
Aan: Postfix users
Onderwerp: 2 questions: Can I add another smtp line into master.cf for spam 
assassin? & spa-policy.pl

Q1.

Already in my master.cf I have

smtp  inet  n   -   n   -   1   postscreen
#smtp  inet  n   -   n   -   -   smtpd -vv
smtpd pass  -   -   n   -   -   smtpd
dnsblog   unix  -   -   n   -   0   dnsblog
tlsproxy  unix  -   -   n   -   0   tlsproxy
submission inet n   -   n   -   -   smtpd
 -o smtpd_tls_security_level=encrypt
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_milters=inet:127.0.0.1:8891
smtp  unix  -   -   n 

However, the set up for spamassassin requires another smtp line.

smtp  inet  n   -   -   -   -   smtpd -o 
content_filter=spamfilter

So are they mutually exclusive? or can I use it without breaking postfix 
already.
thanks

Q2

Is it possible to implement spfpolicy, and greypolicy and if so how?

I have tried - but mail then fails.

Robert Chalmers

rob...@chalmers.com.au  Quantum Radio: http://tinyurl.com/lwwddov

Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11. 2TB 
Storage made up of - 
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower 
Bay


RE: Suggestions for more logging?

2015-11-18 Thread L . P . H . van Belle
Try starting spamd with 

--listen-ip 127.0.0.1 --listen-ip ::1 

Greetz, 

Louis

> -Oorspronkelijk bericht-
> Van: v...@cfcl.com [mailto:owner-postfix-us...@postfix.org] Namens Vicki
> Brown
> Verzonden: woensdag 18 november 2015 9:13
> Aan: Postfix users
> Onderwerp: Suggestions for more logging?
> 
> I hunted up a better script for running SpamAssassin from postfix and
> tweaked it for more logging and better errors and I'm still seeing some
> odd behavior.
> 
> e.g. from the system log:
> 
> Nov 17 23:33:14 g3po spamchk[87681]: Spam filter piping to SpamAssassin:
> /usr/local/bin/spamc -x -E -s 10485760
> Nov 17 23:33:14 g3po spamchk[87683]: SpamAssassin marked message as spam;
> diverting.
> Nov 17 23:33:14 g3po spamchk[87686]: SpamAssassin marked message as spam;
> diverting.
> Nov 17 23:33:15 g3po spamchk[87691]: SpamAssassin marked message as spam;
> diverting.
> Nov 17 23:33:15 g3po spamchk[87694]: SpamAssassin marked message as spam;
> diverting.
> Nov 17 23:33:28 g3po postfix/qmgr[87590]: warning: connect to transport
> spamchk: Connection refused
> Nov 17 23:42:28 g3po postfix/qmgr[137]: warning: connect to transport
> spamchk: Connection refused
> Nov 17 23:47:27 g3po postfix/qmgr[137]: warning: connect to transport
> spamchk: Connection refused
> Nov 17 23:52:28 g3po postfix/qmgr[137]: warning: connect to transport
> spamchk: Connection refused
> Nov 17 23:52:29 g3po spamchk[419]: Spam filter piping to SpamAssassin:
> /usr/local/bin/spamc -x -E -s 10485760
> Nov 17 23:52:31 g3po spamchk[422]: SpamAssassin marked message as spam;
> diverting.
> 
> 
> Any suggestions as to why the script would just refuse connections for a
> while and then come back?
> 
> What can I do to drill down into the cause of "connect to transport
> spamchk: Connection refused"
> 
> - Vicki



RE: Disable spooling

2015-11-17 Thread L . P . H . van Belle


> -Oorspronkelijk bericht-
> Van: pa...@matos-sorge.com [mailto:owner-postfix-us...@postfix.org] Namens
> Paulo Matos
> Verzonden: maandag 16 november 2015 21:14
> Aan: L.P.H. van Belle; postfix users
> Onderwerp: Re: Disable spooling
> 
> 
> 
> On 09/11/15 16:43, L.P.H. van Belle wrote:
> >
> >> -Oorspronkelijk bericht-
> >> Van: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> >> Namens Noel Jones
> >> Verzonden: maandag 9 november 2015 16:05
> >> Aan: postfix-users@postfix.org
> >> Onderwerp: Re: Disable spooling
> >>
> >> On 11/9/2015 3:46 AM, Paulo Matos wrote:
> >>> Hi,
> >>>
> >>> I have configured postfix with virtual users and virtual domains so I
> >>> have it configured to serve two domains AAA.com and BBB.com. However,
> >>> the machine hostname
> >>> is centauri (none of the hostname its serving). Reverse DNS is enabled
> >>> to one of the domains. I think that as a result of this setup I am
> >>> getting a good chunk of my emails blocked by google with the following
> >>> message:
> >>>
> >>> 
> >>> Reporting-MTA: dns; centauri
> >>> X-Postfix-Queue-ID: D8B6D22FD3
> >>> X-Postfix-Sender: rfc822; pa...@matos-sorge.com
> >>> Arrival-Date: Thu,  5 Nov 2015 10:40:10 + (GMT)
> >>>
> >>> Final-Recipient: rfc822; x...@yyy.com
> >>> Original-Recipient: rfc822; x...@yyy.com
> >>> Action: failed
> >>> Status: 5.7.1
> >>> Remote-MTA: dns; aspmx.l.google.com
> >>> Diagnostic-Code: smtp; 550-5.7.1
> >>> Our
> >>> system has detected an 550-5.7.1 unusual rate of unsolicited mail
> >>> originating from your IP address. To 550-5.7.1 protect our users
> >>> from spam,
> >>> mail sent from your IP address has been 550-5.7.1 blocked. Please
> >> visit
> >>> 550-5.7.1  https://support.google.com/mail/answer/81126 to review
> >>> our Bulk
> >>> Email 550 5.7.1 Senders Guidelines. ju5si7198479wjc.28 - gsmtp
> >>> --
> >>>
> >>> The problem is most likely that Reporting-MTA doesn't match any of the
> >>> hostnames of the email we are sending from.
> >>
> >> No, the problem is most likely google thinks they are receiving an
> >> unusual rate of unsolicited mail from your IP.
> >>
> >> - First, set your SMTP HELO hostname to match your rDNS hostname with
> >> http://www.postfix.org/postconf.5.html#smtp_helo_name
> >> This probably won't fix the problem with google, but may help with
> >> other sites that don't like a non-FQDN or nonexistent HELO name.
> >>
> >> - configure your network gateway firewall such that client machines
> >> cannot access outgoing port 25 to prevent an infected client machine
> >> on your network from directly sending mail to the internet.
> >>
> >> - configure SPF, DKIM, and DMARC for your domains.  Looks as if you
> >> have SPF setup already.
> >>
> >>
> >>
> >>   -- Noel Jones
> >
> > I suggest the following.
> >
> > (this is obligated by RFCs)
> >
> > Make sure your helo mail-hostname.domain.tld has an A record.
> > Helo hostname must be resolvable.
> >
> > Make sure your hostname.domain.tld has an A and RR (PTR) record.
> > Most server do not block on this because you wil be blokking to many
> servers
> > Lots of hosts give "unknown" back so rejecting on unknown_hostname is
> not good imo.
> >
> > But an easy setting users/mail server managers can do is make sure the
> dns
> > And helo is correct.
> > So i do block on reject_invalid_helo_hostname
> reject_unknown_helo_hostname
> > And report back that the have incorrect server/dns settings.
> 
> How do you report that back?
For this one i use policyd-weight, and there you can set your text also
http://www.policyd-weight.org/ 

> 
> >
> > My hostname of my server for example is core.domain.tld  (server
> hostname)
> > In postfix i have mail.domain.tld  (helo hostname)
> > ..  myhostname = mail.domain.tld
> >
> 
> For you to setup myhostname = mail.domain.tld and I guess you setup your
> FQDN to be domain.tld, does mail.domain.tld need to be a MX record?
[L.P.H. van Belle] 
No. The myhostname in postfix is the helo. 
I don't use domain.tld for any mail things, that's only for my web server. 
I'm thinking in the future where my web and mail server are all on different servers, 
so no domain.tld on mail.

realname.domain.tld  this one gets an A - MX and PTR record. 
mailhelo.domainname.tld  gets only an A record. 


> 
> > And you can set the same hostname in postfix and use that also for your
> server, but i dont recommend that.
> >
> > Then thats done, login at google, use the administrative tools from
> google to check your environment.
> >
> 
> I am new to that. Which tools?
[L.P.H. van Belle] good link to test : 
https://support.google.com/mail/troubleshooter/2920052?hl=en
https://support.google.com/a/answer/140038?hl=en 
https://www.google.com/webmasters/tools 
also handy.
https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard


> 
> Thanks for your help.
> 
> Paulo Matos
> 
> > Greetz,
> >
> > Louis
> >
> >
> >




RE: receiving message - checking mx record by postfix

2015-11-10 Thread L . P . H . van Belle
Read :  http://www.sorbs.net/faq/rfc_helo_enforcement.shtml  

It contains also the links to the RFCs 

Greetz, 

Louis


Van: zalezny.niezale...@gmail.com [mailto:owner-postfix-us...@postfix.org] 
Namens Zalezny Niezalezny
Verzonden: dinsdag 10 november 2015 13:30
Aan: Postfix users
Onderwerp: receiving message - checking mx record by postfix

Dear Colleagues, 

I would like to understand how Postfix receives a message. I expect that Postfix 
has been written based on the RFC rules, so maybe somebody will be able to 
explain to me how it works inside - how this system receives a message and what 
is going on in the background.

Our consultant is trying hard to tell us that the server, during the receiving phase, 
checks the MX record of the domain from which the e-mail is coming. Does it really 
work this way? I always thought that Postfix checks the DNS A record first 
(reverse dns), then SPF etc. etc.

I always thought that the MX record provides clear information about the servers 
to which a client needs to send a message. But right now I`m completely out of 
space...

Does the system check the mx record when it's receiving a message or not?

Do you know where I may find the RFC which fully describes this SMTP process?

With kind regards

Zalezny



RE: Disable spooling

2015-11-09 Thread L . P . H . van Belle

> -Oorspronkelijk bericht-
> Van: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> Namens Noel Jones
> Verzonden: maandag 9 november 2015 16:05
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Disable spooling
> 
> On 11/9/2015 3:46 AM, Paulo Matos wrote:
> > Hi,
> >
> > I have configured postfix with virtual users and virtual domains so I
> > have it configured to serve two domains AAA.com and BBB.com. However,
> > the machine hostname
> > is centauri (none of the hostname its serving). Reverse DNS is enabled
> > to one of the domains. I think that as a result of this setup I am
> > getting a good chunk of my emails blocked by google with the following
> > message:
> >
> > 
> > Reporting-MTA: dns; centauri
> > X-Postfix-Queue-ID: D8B6D22FD3
> > X-Postfix-Sender: rfc822; pa...@matos-sorge.com
> > Arrival-Date: Thu,  5 Nov 2015 10:40:10 + (GMT)
> >
> > Final-Recipient: rfc822; x...@yyy.com
> > Original-Recipient: rfc822; x...@yyy.com
> > Action: failed
> > Status: 5.7.1
> > Remote-MTA: dns; aspmx.l.google.com
> > Diagnostic-Code: smtp; 550-5.7.1
> > Our
> > system has detected an 550-5.7.1 unusual rate of unsolicited mail
> > originating from your IP address. To 550-5.7.1 protect our users
> > from spam,
> > mail sent from your IP address has been 550-5.7.1 blocked. Please
> visit
> > 550-5.7.1  https://support.google.com/mail/answer/81126 to review
> > our Bulk
> > Email 550 5.7.1 Senders Guidelines. ju5si7198479wjc.28 - gsmtp
> > --
> >
> > The problem is most likely that Reporting-MTA doesn't match any of the
> > hostnames of the email we are sending from.
> 
> No, the problem is most likely google thinks they are receiving an
> unusual rate of unsolicited mail from your IP.
> 
> - First, set your SMTP HELO hostname to match your rDNS hostname with
> http://www.postfix.org/postconf.5.html#smtp_helo_name
> This probably won't fix the problem with google, but may help with
> other sites that don't like a non-FQDN or nonexistent HELO name.
> 
> - configure your network gateway firewall such that client machines
> cannot access outgoing port 25 to prevent an infected client machine
> on your network from directly sending mail to the internet.
> 
> - configure SPF, DKIM, and DMARC for your domains.  Looks as if you
> have SPF setup already.
> 
> 
> 
>   -- Noel Jones

I suggest the following. 

(this is obligated by RFCs) 

Make sure your helo mail-hostname.domain.tld has an A record. 
Helo hostname must be resolvable. 

Make sure your hostname.domain.tld has an A and RR (PTR) record.  
Most servers do not block on this because you will be blocking too many servers.
Lots of hosts give "unknown" back so rejecting on unknown_hostname is not good 
imo. 

But an easy setting users/mail server managers can do is make sure the dns
and helo is correct. 
So i do block on reject_invalid_helo_hostname reject_unknown_helo_hostname 
and report back that they have incorrect server/dns settings. 

My hostname of my server for example is core.domain.tld  (server hostname) 
In postfix i have mail.domain.tld  (helo hostname)  
..  myhostname = mail.domain.tld  

And you can set the same hostname in postfix and use that also for your server, 
but i don't recommend that. 

When that's done, login at google, use the administrative tools from google to 
check your environment. 

Greetz, 

Louis





FW: Using postscreen_dnsbl_reply_map

2015-10-22 Thread L . P . H . van Belle
> Hai Alex,
> 
> I use the same as in the link you posted.
> http://rob0.nodns4.us/postscreen.html
> This is used for my bases setup also.
> 
> Just put all your servers (rbls) in here and copy the response lines, Like
> :
> /^zen\.spamhaus\.org$/ blocked by rbl, see http://multirbl.valli.org
> /^bl\.spameatingmonkey\.net$/ blocked by rbl, see http://multirbl.valli.org
> /^b\.barracudacentral\.org$/ blocked by rbl, see http://multirbl.valli.org
> 
> And you see
> postfix/postscreen[24336]: NOQUEUE: reject: RCPT from
> [199.182.172.6]:59429: 550 5.7.1 Service unavailable; client
> [199.182.172.6] blocked by rbl, see http://multirbl.valli.org;
> 
> and as tip, take fail2ban and let it monitor for "blocked by rbl"
> and you reduces your dns queries also a lot.
> 
> Greetz,
> 
> Louis
> 
> 
> 
> > -Oorspronkelijk bericht-
> > Van: mysqlstud...@gmail.com [mailto:owner-postfix-us...@postfix.org]
> > Namens Alex
> > Verzonden: donderdag 22 oktober 2015 1:26
> > Aan: postfix users list
> > Onderwerp: Re: Using postscreen_dnsbl_reply_map
> >
> > Hi,
> >
> > On Wed, Oct 21, 2015 at 10:38 AM, L.P.H. van Belle 
> > wrote:
> > > I just point everything to http://multirbl.valli.org so they can see
> if
> > they are listed on multiple rbl servers.
> >
> > That's a great idea. How did you configure your system to do that?
> >
> > > And imo thats better, then, mailing, getting rejected, by for example
> > spamhaus.  Going to that site, checking,
> > > removing. Mailing again, and now again blocked, other rbl server etc.
> >
> > Absolutely.
> >
> > Thanks,
> > Alex
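
As an added example (not part of this thread and not Postfix code), the Python below ties the reply map above to the postscreen_dnsbl_sites list and threshold Louis posted earlier in this archive: it parses the "site*weight" entries, sums the weights of the DNSBLs that list a client, compares the sum with postscreen_dnsbl_threshold, and renders the rejection in the shape of the log line quoted above. The set of DNSBLs listing a client is supplied by the caller instead of being looked up in DNS, and naming the highest-weight listing in the reply is an assumption of this model.

```python
"""Model of postscreen's weighted DNSBL scoring and reply map.

Added example, not Postfix code. The site list and threshold are from the
config posted earlier in this archive; the reply map follows the pcre table
in the message above; DNSBL listings are passed in rather than resolved.
"""
import re

# Verbatim postscreen_dnsbl_sites from the earlier post (weights after '*').
POSTSCREEN_DNSBL_SITES = """
zen.spamhaus.org*3
b.barracudacentral.org*2
bl.spameatingmonkey.net*2
dnsbl.anonmails.de
dnsbl.kempt.net
dnsbl.inps.de
bl.spamcop.net
dnsbl.sorbs.net
psbl.surriel.com
bl.mailspike.net
swl.spamhaus.org*-4
"""
POSTSCREEN_DNSBL_THRESHOLD = 4

# postscreen_dnsbl_reply_map entries in the shape of the pcre table above.
# Sites without a mapping fall back to postscreen's default "blocked using".
DNSBL_REPLY_MAP = [
    (re.compile(r"^zen\.spamhaus\.org$"), "blocked by rbl, see http://multirbl.valli.org"),
    (re.compile(r"^bl\.spameatingmonkey\.net$"), "blocked by rbl, see http://multirbl.valli.org"),
    (re.compile(r"^b\.barracudacentral\.org$"), "blocked by rbl, see http://multirbl.valli.org"),
]

_SITE = re.compile(r"^(?P<site>[^*=\s]+)(?:\*(?P<weight>-?\d+))?$")


def parse_dnsbl_sites(text):
    """Parse 'domain[*weight]' entries into an ordered list of (site, weight).
    The weight defaults to 1; the 'domain=filter' form is not modelled."""
    sites = []
    for entry in text.split():
        match = _SITE.match(entry)
        if not match:
            raise ValueError("unsupported postscreen_dnsbl_sites entry: %r" % entry)
        sites.append((match.group("site"), int(match.group("weight") or 1)))
    return sites


def dnsbl_score(listings, sites=None):
    """Sum the weights of every configured DNSBL that lists the client.
    A negative weight (swl.spamhaus.org*-4 above) pulls the score down, so a
    whitelisted sender can survive one positive listing."""
    if sites is None:
        sites = parse_dnsbl_sites(POSTSCREEN_DNSBL_SITES)
    return sum(weight for site, weight in sites if site in listings)


def dnsbl_reply(site):
    """Map a DNSBL name to the text shown to the client; first match wins."""
    for pattern, text in DNSBL_REPLY_MAP:
        if pattern.search(site):
            return text
    return "blocked using %s" % site


def postscreen_verdict(client_addr, listings):
    """Return ('pass', score, None) or ('reject', score, smtp_reply).
    The reply names the positive listing with the highest weight (earliest
    entry on ties); the reply format follows the log line in the post."""
    sites = parse_dnsbl_sites(POSTSCREEN_DNSBL_SITES)
    score = dnsbl_score(listings, sites)
    if score < POSTSCREEN_DNSBL_THRESHOLD:
        return ("pass", score, None)
    hits = [(weight, site) for site, weight in sites if site in listings and weight > 0]
    top_site = max(hits, key=lambda hit: hit[0])[1]
    reply = "550 5.7.1 Service unavailable; client [%s] %s;" % (
        client_addr, dnsbl_reply(top_site))
    return ("reject", score, reply)


if __name__ == "__main__":
    # Constructed listing sets; 203.0.113.0/24 is a documentation range.
    print(postscreen_verdict("203.0.113.5", {"zen.spamhaus.org", "bl.spamcop.net"}))
    print(postscreen_verdict("203.0.113.5", {"bl.spamcop.net", "dnsbl.sorbs.net"}))
    print(postscreen_verdict("203.0.113.5", {"zen.spamhaus.org", "swl.spamhaus.org"}))
```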




RE: Using postscreen_dnsbl_reply_map

2015-10-21 Thread L . P . H . van Belle
I just point everything to http://multirbl.valli.org so they can see if they 
are listed on multiple rbl servers. 

And imo that's better than mailing, getting rejected by for example spamhaus, 
going to that site, checking, removing, 
mailing again, and now again blocked, other rbl server etc. 

So 1 point to 1 site, customers check there. 


Greetz, 

Louis

> -Oorspronkelijk bericht-
> Van: krem...@kreme.com [mailto:owner-postfix-us...@postfix.org] Namens
> @lbutlr
> Verzonden: woensdag 21 oktober 2015 16:28
> Aan: Postfix users
> Onderwerp: Re: Using postscreen_dnsbl_reply_map
> 
> On Oct 20, 2015, at 7:44 PM, Alex  wrote:
> > I'd like to obscure the names of the DNSBLs that we use in response to
> > emails that are rejected.
> 
> Why would you do that? If someone hits your blocks and doesn’t know why
> they were blocked you may find yourself on blocklists yourself.
> 
> 
> --
> she [Esk] was already learning that if you ignore the rules people will,
> half the time, quietly rewrite them so they don't apply to you. --Equal
> Rites




RE: Initial test of postfix 3.0.2

2015-09-18 Thread L . P . H . van Belle
This example will not relay over outlook.com without the correct 
outlook.com settings in the dns. 

Based on :  from= to= proto=ESMTP 

@mygnus.com is missing the ms= and spf settings in the dns

Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> Namens Noel Jones
> Verzonden: vrijdag 18 september 2015 5:31
> Aan: postfix-users@postfix.org
> Onderwerp: Re: Initial test of postfix 3.0.2
> 
> On 9/17/2015 9:17 PM, Tom Browder wrote:
> > I have a brand new installation, from  source, of Postfix 3.0.2 on
> > Debian 7, 64-bit.  I successfully did the initial local tests for
> > postfix as described in "The Book of Postfix."
> 
> Please note the book is now rather dated.  While the examples and
> general concepts are still valuable, lots of things have changed
> since then.  The official up-to-date documentation is supplied with
> the source code, and also available on the postfix web page
> http://www.postfix.org/documentation.html
> 
> At a minimum, you should review the various RELEASE_NOTES to see
> what has changed since the book was published.
> 
> > (Note that I have
> > virtual servers but have not yet configured postfix for handling
> > them.) Then I made my first test for outbound mail to my personal
> > gmail address and the mail.info file shows this:
> >
> > Sep 18 01:57:18 dedi2 postfix/smtpd[3154]: connect from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]
> 
> This is the smtpd process, which handles incoming mail.  Someone who
> uses Microsoft services is trying to send mail to your server.
> 
> > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]: 454
> > 4.7.1 : Relay access denied;
> 
> "Relay access denied" means that postfix is not configured to
> receive mail for the mygnus.com domain, and the recipient is rejected.
> http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination
> http://www.postfix.org/VIRTUAL_README.html#canonical
> http://www.postfix.org/ADDRESS_CLASS_README.html
> http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
> 
> > from= to= proto=ESMTP
> > helo=
> 
> more details from the rejection.
> 
> > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]: 454
> > 4.7.1 : Relay access denied;
> > from= to= proto=ESMTP
> > helo=
> 
> A second rejected recipient...
> 
> > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: disconnect from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254] ehlo=1
> > mail=1 rcpt=0/2 quit=1 commands=3/5
> 
> ... and the outlook.com client disconnects.
> 
> Note these are 4xx deferrals, not 5xx rejects, so the sending client
> will likely retry delivery periodically over the next several days.
> 
> >
> > And I have received no mail at my gmail address.
> 
> The above logging shows attempts to receive mail.  No logging here
> about sending mail.
> 
> >
> > Looking at the messages above I note that the address
> >  is at one of my virtual hosts but I have no user
> > by that name (and the IP address 157.56.112.254 is not known to me.
> >
> > I have set up my DNS records according to advice from this mailing list.
> >
> > I will read more in the book tonight but hope someone can point me in
> > the right direction while I continue to study the problem.
> 
> Basic debugging info:
> http://www.postfix.org/DEBUG_README.html
> 
> And to get help from this list:
> http://www.postfix.org/DEBUG_README.html#mail
> 
> 
> 
>   -- Noel Jones




RE: Can Postscreen and Smapassassin be used together

2015-09-10 Thread L . P . H . van Belle
Hai, 

I'm thinking, why not put them together? 

I run a setup like this: 
https://wiki.dest-unreachable.net/pages/viewpage.action?pageId=15892484 

which uses postscreen, SpamAssassin and ClamAV, and this works very well for me. 
And the load is not too much, but that depends on the amount of email you're 
processing. 

The extra thing I added to the above setup is fail2ban + ufw to offload 
the DNS queries and the server a bit.

I created the following in fail2ban. 
jail.local: 
[postfix-dnsblog]
enabled  = true
port = all
filter   = postfix-dnsblog
banaction = ufw-all
maxretry = 1
logpath  = /var/log/mail.log
bantime  = 84600

and in filter.d/postfix-dnsblog.conf:
[INCLUDES]
before = common.conf
[Definition]
# <HOST> is fail2ban's placeholder for the address to extract from the log line
failregex = addr <HOST> listed by domain

and the action, 
/etc/fail2ban/action.d/ufw-all.conf:
# Fail2Ban configuration file
[Definition]
actionstart =
actionstop =
actioncheck =
# <ip> is substituted by fail2ban with the matched address
actionban = ufw insert 1 deny from <ip> to any
actionunban = ufw delete deny from <ip> to any



Greetz, 

Louis

> -Original Message-
> From: li...@planetcobalt.net [mailto:owner-postfix-us...@postfix.org]
> On behalf of Ansgar Wiechers
> Sent: Thursday 10 September 2015 9:27
> To: postfix-users@postfix.org
> Subject: Re: Can Postscreen and Smapassassin be used together
> 
> On 2015-09-10 Robert Chalmers wrote:
> > I’m currently running postscreen, and am wondering how I would add
> > spamassassin to the main.cf configuration, or are they mutually
> > exclusive?
> 
> I'm not sure if they technically can't be used together, but they
> shouldn't be. Spamassassin is rather heavyweight whereas Postscreen was
> designed to be a lightweight zombie deflection tool. You'd lose that
> low resource impact advantage by mixing the two.
> 
> Regards
> Ansgar Wiechers
> --
> "Abstractions save us time working, but they don't save us time learning."
> --Joel Spolsky
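As an added illustration (my code, not from the thread, fail2ban or Postfix), the script below runs the same match as the postfix-dnsblog filter above over a few constructed dnsblog/postscreen log lines and compares it with postscreen's own weighted "DNSBL rank" verdict. It assumes list.dnswl.org is configured in postscreen_dnsbl_sites with a negative weight, as the postconf documentation describes; dnsblog still logs a "listed by" line for such a hit, so a jail with maxretry = 1 on that line bans addresses that postscreen itself lets through.

```python
import re

# Constructed sample log lines in the formats postfix/dnsblog and
# postfix/postscreen use (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Sep 10 09:01:02 mx postfix/dnsblog[2101]: addr 203.0.113.7 listed by domain zen.spamhaus.org as 127.0.0.4
Sep 10 09:01:02 mx postfix/dnsblog[2102]: addr 203.0.113.7 listed by domain bl.spamcop.net as 127.0.0.2
Sep 10 09:01:02 mx postfix/postscreen[2090]: DNSBL rank 3 for [203.0.113.7]:53121
Sep 10 09:01:05 mx postfix/dnsblog[2103]: addr 198.51.100.9 listed by domain list.dnswl.org as 127.0.10.1
Sep 10 09:01:05 mx postfix/postscreen[2090]: PASS NEW [198.51.100.9]:44110
Sep 10 09:01:09 mx postfix/dnsblog[2104]: addr 203.0.113.8 listed by domain b.barracudacentral.org as 127.0.0.2
Sep 10 09:01:09 mx postfix/postscreen[2090]: DNSBL rank 1 for [203.0.113.8]:40021
"""

# The fail2ban failregex from the jail above, with <HOST> as a named group.
DNSBLOG_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (?P<host>\S+) listed by domain (?P<domain>\S+) as (?P<reply>\S+)")
# postscreen's verdict after weighting every reply against postscreen_dnsbl_threshold.
RANK_RE = re.compile(r"postfix/postscreen\[\d+\]: DNSBL rank (?P<rank>\d+) for \[(?P<host>[^\]]+)\]:\d+")


def dnsblog_listings(log):
    """Return {ip: {domain: reply}} for every dnsblog 'listed by' line."""
    listings = {}
    for line in log.splitlines():
        m = DNSBLOG_RE.search(line)
        if m:
            listings.setdefault(m["host"], {})[m["domain"]] = m["reply"]
    return listings


def postscreen_ranks(log):
    """Return {ip: rank} from postscreen's 'DNSBL rank' lines."""
    return {m["host"]: int(m["rank"]) for m in map(RANK_RE.search, log.splitlines()) if m}


def fail2ban_bans(log, maxretry=1):
    """Addresses the jail would ban: maxretry matches of the failregex, no weighting."""
    return {ip for ip, hits in dnsblog_listings(log).items() if len(hits) >= maxretry}


def rank_bans(log, min_rank):
    """Addresses whose postscreen DNSBL rank is at least min_rank."""
    return {ip for ip, rank in postscreen_ranks(log).items() if rank >= min_rank}


def allowlist_collisions(log, allowlist_domains):
    """Addresses the naive filter bans although their only hits are allow-list domains."""
    return {ip for ip, hits in dnsblog_listings(log).items()
            if hits and set(hits) <= set(allowlist_domains)}


def ufw_commands(ips):
    """The actionban lines the ufw-all action would run, one per address."""
    return [f"ufw insert 1 deny from {ip} to any" for ip in sorted(ips)]


if __name__ == "__main__":
    naive = fail2ban_bans(SAMPLE_LOG)
    weighted = rank_bans(SAMPLE_LOG, 3)
    print("fail2ban filter would ban:", sorted(naive))
    print("postscreen rank >= 3:", sorted(weighted))
    print("banned but only allow-listed:", sorted(allowlist_collisions(SAMPLE_LOG, {"list.dnswl.org"})))
    print("\n".join(ufw_commands(naive - weighted)))
```

Raising maxretry, or matching postscreen's "DNSBL rank" line instead of dnsblog's, keeps the ufw ban aligned with what postscreen actually rejected.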




RE: TLS cert - bug in documentation or bug in my understanding ??

2015-08-19 Thread L . P . H . van Belle
Sorry, a correction on the previous. 

This is wrong: 
add in main.cf, in smtpd_client_restrictions, just after 
permit_mynetworks: 

smtpd_discard_ehlo_keyword_address_maps = 
cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr 


Just add 
smtpd_discard_ehlo_keyword_address_maps = 
cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr 
to main.cf. 

My error, sorry. 

And what a fast mailing list this is... the samba list is much slower. 

-Original Message-
From: be...@bazuin.nl [mailto:owner-postfix-us...@postfix.org] 
On behalf of L.P.H. van Belle
Sent: Wednesday 19 August 2015 13:12
To: postfix-users@postfix.org
Subject: RE: TLS cert - bug in documentation or bug in my 
understanding ??

-Original Message-
From: al...@domblogger.net 
[mailto:owner-postfix-us...@postfix.org] On behalf of Alice Wonder
Sent: Wednesday 19 August 2015 12:42
To: postfix-users@postfix.org
Subject: Re: TLS cert - bug in documentation or bug in my 
understanding ??



On 08/19/2015 03:09 AM, L.P.H. van Belle wrote:
 Hai,

 Try it like this, there is no need for combining the certificates.


 # TLS parameters
 smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
 smtp_tls_key_file = /etc/ssl/private/certificate.key
 smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
 smtpd_tls_key_file = /etc/ssl/private/certificate.key

Thank you, I think I got it figured out, will be testing shortly


 ## RootCA and Intermediate are put here.
 smtpd_tls_CApath = /etc/ssl/certs


 and don't forget to regenerate your dhparams.
 like :
 if [ ! -d /etc/ssl/private ]; then
  mkdir -p /etc/ssl/private
  chmod 710 /etc/ssl/private
 fi

 ## Create unique DH Groups
 openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
 openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
 openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
 openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096

*snip*

As far as DH groups - I put a script in /etc/cron.daily that 
regenerates 
the 1024 and 2048 groups once a day.

I'm not sure 4096 adds any real world benefit, just eats CPU cycles.

I don't use the 4096 either, but it's there if I need it when I need it,
and yes, a daily script for the DH is good to have. 


I'm not using 512 as I built postfix against LibreSSL and it doesn't 
support the export ciphers, and I don't think postfix 2.11.6 
does either 
anyway, at least if I understood the docs.

So I'm trying with just the 2048 for now, if that's an issue 
then I'll 
follow the documentation on how to allow 1024 for some clients.

I'd like to eventually see the DHE ciphers go away in favor 
of ECDHE - 
not sure how soon that will happen.

I will be configuring postfix to only support ECDHE and DHE ciphers 
initially, well after I get TLS working on this server that is what I 
will try next. But I think DHE is only really needed for a few older 
clients at this point?



Some too-old TLS clients will fail with Postfix. I don't know 
if they use DHE, 
and it's NOT a Postfix error. 

What happens is, while client and server are exchanging keys, the 
client closes the connection,
and a message appears in your log, "server closed connection", 
and no mail is received. 
Old Windows Exchange servers and some Lotus Notes servers have 
this problem, maybe more, I don't know that. 

For these the only workaround, as far as I know, is don't show 
STARTTLS. 
Info here: 
http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps 
## used to disable STARTTLS for buggy clients with faulty TLS/SSL implementations
1.2.3.4    STARTTLS 

which means: 
don't show STARTTLS for that IP.

Add in main.cf, in smtpd_client_restrictions, just after 
permit_mynetworks: 

smtpd_discard_ehlo_keyword_address_maps = 
cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr 

Maybe there are better solutions for this, but this works for me.


Greetz, 

Louis

 





Fwd: trying to figure out regex for custom_header checks

2015-08-19 Thread L . P . H . van Belle

 Set the Postfix server to check for RFC compliance and you see a spam drop of 
 at least 90%, and 
 set up postscreen with it: 98% less spam. 
 And in the above just check for the HELO compliance and not hostname checks; that 
 will drop too many OK servers. 
 
 greetz 
 
 Louis
 
 
 
 
 
 
 
 On 19 Aug 2015, at 22:23, Alice Wonder al...@domblogger.net 
 wrote:
 
 
 
 On 08/19/2015 01:14 PM, Ben Greenfield wrote:
 
 On Aug 19, 2015, at 4:08 PM, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Wed, Aug 19, 2015 at 04:07:27PM -0400, Ben Greenfield wrote:
 
 /^Received:\b.*\.eu\b REJECT
 
 Is that correct or could someone point out what I'm doing wrong.
 
 What you're doing wrong is deciding that all mail from a .eu domain
 should be blocked and trying to block said mail by looking at
 Received headers.
 
 Both the decision and the methodology are wrong.
 
 I'm open to suggestions.
 
 First explain the problem, rather than the solution.
 
 We receive a lot of spam that have very rare top level domains .site, 
 .link, .website, .eu.
 
 I have been using the custom header checks which appeared to working for me 
 until I started trying to reject the .eu mail. I was actually blocking all 
 mail that had .eu somewhere in the name.
 
 I decided i needed a regex that would only match patterns at the end of the 
 url.
 
 Do you have a honeypot address?
 
 I do that but still manually check them; as soon as I get 3 different 
 spammer IP addresses on the same /24 I block the /24 for two weeks.
 
 Are you using any of the dns blacklists? That cut down on my spam 
 tremendously.
 



RE: TLS cert - bug in documentation or bug in my understanding ??

2015-08-19 Thread L . P . H . van Belle
-Original Message-
From: al...@domblogger.net 
[mailto:owner-postfix-us...@postfix.org] On behalf of Alice Wonder
Sent: Wednesday 19 August 2015 12:42
To: postfix-users@postfix.org
Subject: Re: TLS cert - bug in documentation or bug in my 
understanding ??



On 08/19/2015 03:09 AM, L.P.H. van Belle wrote:
 Hai,

 Try it like this, there is no need for combining the certificates.


 # TLS parameters
 smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
 smtp_tls_key_file = /etc/ssl/private/certificate.key
 smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
 smtpd_tls_key_file = /etc/ssl/private/certificate.key

Thank you, I think I got it figured out, will be testing shortly


 ## RootCA and Intermediate are put here.
 smtpd_tls_CApath = /etc/ssl/certs


 and don't forget to regenerate your dhparams.
 like :
 if [ ! -d /etc/ssl/private ]; then
  mkdir -p /etc/ssl/private
  chmod 710 /etc/ssl/private
 fi

 ## Create unique DH Groups
 openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
 openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
 openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
 openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096

*snip*

As far as DH groups - I put a script in /etc/cron.daily that 
regenerates 
the 1024 and 2048 groups once a day.

I'm not sure 4096 adds any real world benefit, just eats CPU cycles.

I don't use the 4096 either, but it's there if I need it when I need it,
and yes, a daily script for the DH is good to have. 


I'm not using 512 as I built postfix against LibreSSL and it doesn't 
support the export ciphers, and I don't think postfix 2.11.6 
does either 
anyway, at least if I understood the docs.

So I'm trying with just the 2048 for now, if that's an issue then I'll 
follow the documentation on how to allow 1024 for some clients.

I'd like to eventually see the DHE ciphers go away in favor of ECDHE - 
not sure how soon that will happen.

I will be configuring postfix to only support ECDHE and DHE ciphers 
initially, well after I get TLS working on this server that is what I 
will try next. But I think DHE is only really needed for a few older 
clients at this point?



Some too-old TLS clients will fail with Postfix. I don't know if they use DHE, 
and it's NOT a Postfix error. 

What happens is, while client and server are exchanging keys, the client closes the 
connection,
and a message appears in your log, "server closed connection", and no mail is 
received. 
Old Windows Exchange servers and some Lotus Notes servers have this problem, 
maybe more, I don't know that. 

For these the only workaround, as far as I know, is don't show STARTTLS. 
Info here: 
http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps 
## used to disable STARTTLS for buggy clients with faulty TLS/SSL implementations
1.2.3.4    STARTTLS 

which means: 
don't show STARTTLS for that IP.

Add in main.cf, in smtpd_client_restrictions, just after permit_mynetworks: 

smtpd_discard_ehlo_keyword_address_maps = 
cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr 

Maybe there are better solutions for this, but this works for me.


Greetz, 

Louis

 



RE: Postfix and Mailman 2 virtual alias domain integration

2015-08-19 Thread L . P . H . van Belle
 Okay, I assume then that this should be the only PTR record:

 4.3.2.1.in-addr.arpa. IN PTR B.tld.

 Yes. Provided of course B.tld is The One True Hostname for 
your server.

It is!

No, IMO it is not, and this setup can be better, I think. 
Read on. 

A hostname is not a domain name, and it is best not to mix these up. 
As per example: 
the server name is core.primary-domain.tld. 

For postfix in master.cf: 
myhostname = core.primary-domain.tld
smtpd_banner = mail.primary-domain.tld ready

core.primary-domain.tld has an A and PTR record (the real and only hostname of 
the server). 

mail.primary-domain.tld has an A record and is not a CNAME (= the HELO 
hostname). 
And the MX points to mail.primary-domain.tld.

All virtual domains point their MX to mail.primary-domain.tld.

And in this case mail and core have the same IP, but depending on the setup, 
this can be split up very easily over multiple servers, without changing 
anything in my postfix setup; 
I just move domains to other servers and change the DNS MX record (and if needed 
the SPF record).

An SPF setup is now very easy, like: 
TXT v=spf1 mx -all  
or 
TXT v=spf1 mx ptr -all  
or, 
and here is where the A record for mail is handy, 
TXT v=spf1 mx a -all  
This is not possible with a CNAME.

Why not use domain.tld and mail CNAMEs? 
The EHLO hostname must be an A record, and correct me if I'm wrong: 
what happens if you set smtpd_helo_restrictions with 
 reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, 
reject_unknown_helo_hostname? 

And what people often forget is the setup of the webserver. 
For a webserver, the best is to set domain.tld and www.domain.tld to the 
same virtual host for the webserver,
but this is not possible if you have your webserver and your mail server on 2 
different machines. 
And a certificate these days has domain.tld and subdomain.domain.tld in 1 
certificate. 

There are more reasons not to use the CNAME setup, 
but all the above is just a suggestion. 

Greetz, 

Louis

-Original Message-
From: tom.brow...@gmail.com 
[mailto:owner-postfix-us...@postfix.org] On behalf of Tom Browder
Sent: Tuesday 18 August 2015 23:35
To: Jim Reid
CC: postfix users
Subject: Re: Postfix and Mailman 2 virtual alias domain integration

On Tue, Aug 18, 2015 at 4:22 PM, Jim Reid j...@rfc1035.com wrote:

 On 18 Aug 2015, at 22:06, Tom Browder tom.brow...@gmail.com wrote:

 Okay, I assume then that this should be the only PTR record:

 4.3.2.1.in-addr.arpa. IN PTR B.tld.

 Yes. Provided of course B.tld is The One True Hostname for 
your server.

It is!

 BTW, you will get on a lot better if your postings used the actual
 IP addresses and domain names rather than hide these behind
 nonsense like B.tld and 1.2.3.4. Obscuring this information
 helps nobody, especially yourself.

Good point, but I'm not trying to obscure anything.  I am using the
nonsense names because I'm trying to emphasize the generality of the
solution to a very common setup for many users.  The chosen IP of
1.2.3.4 is easy to type and is easy to see when it's been reversed.

If anyone is interested, my current IP address which I use for all my
domains is 142.54.186.2 but I don't have a working mail server there
yet (I'm in the process of transferring it from my old server and want
to have a more robust setup than before--this is all prep work).

Thanks for all the help, Jim.  I'm sure I'll be back later for more
help on tightening up my mail server's security.

Best regards,

-Tom





RE: TLS cert - bug in documentation or bug in my understanding ??

2015-08-19 Thread L . P . H . van Belle
Hai, 

Try it like this, there is no need for combining the certificates. 


# TLS parameters
smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
smtp_tls_key_file = /etc/ssl/private/certificate.key
smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
smtpd_tls_key_file = /etc/ssl/private/certificate.key

## RootCA and Intermediate are put here.
smtpd_tls_CApath = /etc/ssl/certs


And don't forget to regenerate your dhparams, 
like: 
# create the private directory only when it is missing
if [ ! -d /etc/ssl/private ]; then
    mkdir -p /etc/ssl/private
    chmod 710 /etc/ssl/private
fi

## Create unique DH Groups
openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096

# Postfix enabled (each parameter = value must be one shell word, hence the quotes)
postconf -e "smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA"
postconf -e "smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA"
postconf -e "smtpd_tls_dh512_param_file = /etc/ssl/private/dhparams512.pem"
postconf -e "smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams1024.pem"

Greetz, 

Louis

 

-Original Message-
From: al...@domblogger.net 
[mailto:owner-postfix-us...@postfix.org] On behalf of Alice Wonder
Sent: Wednesday 19 August 2015 11:09
To: postfix-users@postfix.org
Subject: TLS cert - bug in documentation or bug in my 
understanding ??

Life was so much simpler when I just used self-signed certs for 
everything...

Looking at http://www.postfix.org/TLS_README.html

The documentation says

``This means that the Postfix server public-key certificate file must 
include the server certificate first, then the issuing CA(s) 
(bottom-up 
order).''

Then it gives an example

cat server_cert.pem intermediate_CA.pem > server.pem

-=-

With my Comodo PositiveSSL there are two intermediary certs.

So I try

cat librelamp_com.crt \
 COMODORSADomainValidationSecureServerCA.crt \
 COMODORSAAddTrustCA.crt > test.crt

But it doesn't verify

openssl verify -purpose sslserver test.crt
test.crt: OU = Domain Control Validated, OU = PositiveSSL, CN = 
librelamp.com
error 20 at 0 depth lookup:unable to get local issuer certificate

I tried switching the order, same issue.

Finally I reversed the order -

cat COMODORSAAddTrustCA.crt \
 COMODORSADomainValidationSecureServerCA.crt \
 librelamp_com.crt > test.crt

Now it verifies :

openssl verify -purpose sslserver test.crt
test.crt: OK

-=-=-

Am I not understanding something or is the documentation off?

Thank you,

Alice
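As an added example (my code, not from the thread, Postfix or OpenSSL), the pure-Python check below applies the ordering rule TLS_README states for the file Postfix serves: the server certificate first, then each issuing CA, so that every certificate is followed by its issuer. It constructs unsigned stand-in certificates with hypothetical names rather than using real ones, and its point is the trap in the exchange above: "openssl verify file" only examines the first certificate in the file, so a bundle in reversed order can report OK while the chain Postfix sends to clients is wrong.

```python
import base64
import re
import ssl

# --- tiny DER builders, used only to construct sample certificates ----------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*items):
    return tlv(0x30, b"".join(items))

OID_CN = tlv(0x06, b"\x55\x04\x03")                                  # id-at-commonName
OID_SHA256_RSA = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption

def x501_name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one CN is enough here."""
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def sample_cert(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in for an X.509 certificate (hypothetical
    names, placeholder key and signature); only the TBS field order matters."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                                  # [0] version v3
        tlv(0x02, b"\x01"),                                             # serialNumber
        seq(OID_SHA256_RSA),                                            # signature algorithm
        x501_name(issuer_cn),                                           # issuer
        seq(tlv(0x17, b"150101000000Z"), tlv(0x17, b"160101000000Z")),  # validity
        x501_name(subject_cn),                                          # subject
        seq(seq(OID_SHA256_RSA), tlv(0x03, b"\x00")),                   # SPKI placeholder
    )
    return seq(tbs, seq(OID_SHA256_RSA), tlv(0x03, b"\x00"))            # no real signature

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# --- parsing: pull the raw issuer and subject Names out of each certificate --
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    """Split a constructed body into (tag, raw_tlv_bytes) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = read_tlv(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out

def subject_issuer(der):
    """Return (subject, issuer) as raw DER so they can be compared byte for byte."""
    _, cert_body, _ = read_tlv(der)
    _, tbs, _ = read_tlv(children(cert_body)[0][1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:                        # explicit version tag is optional
        fields = fields[1:]
    return fields[4][1], fields[2][1]

def common_name(der):
    """CN of the certificate's subject, for readable messages."""
    _, name, _ = read_tlv(subject_issuer(der)[0])
    for _, rdn in children(name):
        for _, atv in children(read_tlv(rdn)[1]):
            oid, val = children(read_tlv(atv)[1])
            if oid[1] == OID_CN:
                return read_tlv(val[1])[1].decode()
    return "?"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def check_postfix_chain(bundle):
    """Problems with a smtpd_tls_cert_file bundle. [] means every certificate is
    followed by its issuer (leaf first), which is what Postfix and TLS expect."""
    certs = [ssl.PEM_cert_to_DER_cert(p) for p in PEM_RE.findall(bundle)]
    problems = []
    for i in range(len(certs) - 1):
        issuer = subject_issuer(certs[i])[1]
        if issuer != subject_issuer(certs[i + 1])[0]:
            problems.append(f"cert {i} ({common_name(certs[i])}) is not issued by "
                            f"cert {i + 1} ({common_name(certs[i + 1])})")
    return problems

# Constructed sample chain (hypothetical names, not the thread's real Comodo certs).
LEAF = sample_cert("mail.example.com", "Example Intermediate CA")
INTER = sample_cert("Example Intermediate CA", "Example Root CA")
ROOT = sample_cert("Example Root CA", "Example Root CA")
CORRECT_BUNDLE = to_pem(LEAF) + to_pem(INTER)                  # TLS_README order
REVERSED_BUNDLE = to_pem(ROOT) + to_pem(INTER) + to_pem(LEAF)  # the order that "verified"

if __name__ == "__main__":
    print("correct order:", check_postfix_chain(CORRECT_BUNDLE) or "OK")
    print("reversed order:", check_postfix_chain(REVERSED_BUNDLE))
```

To verify a real bundle the way a client sees it, pass the leaf alone to openssl verify and the rest of the file with -untrusted, rather than relying on which certificate happens to be first.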





RE: FW: SSL Renegotiation Attack Disabling reneotiation

2015-08-18 Thread L . P . H . van Belle
I don't know if it's an option, but I suggest having a look here: 
 
multiple packages for postfix on CentOS 6
http://pkgs.org/search/postfix?type=name
or 
https://solusipse.net/blog/posts/compiling-postfix-with-postgresql-support-on-centos-7/
 
Not for the PostgreSQL part, but just for the upgrade of Postfix. 
 
 
Greetz, 
 
Louis
 
 

From: Abid Hussain [mailto:abid.hussai...@gmail.com] 
Sent: Tuesday 18 August 2015 10:43
To: L.P.H. van Belle
Subject: Re: FW: SSL Renegotiation Attack Disabling reneotiation



Thanks for prompt reply


I am using CentOS 6.5. Yes, I do not have an option to upgrade it :(. I want to 
stop it for the DoS attack as my testing team has 
reported it. Falling back to SSL v2 adds many other vulnerabilities :(



Thanks and Regards,

Abid


On Tue, Aug 18, 2015 at 1:36 PM, L.P.H. van Belle be...@bazuin.nl wrote:
Hai,

As far as I know, no.

Unless you are forcing all clients to use SSLv2 only (since that doesn't 
support renegotiation).
Are you sure you want to disable it and not just prevent old clients from
using the vulnerable renegotiation methods? If it's the latter
you'll need to upgrade to 2.8+ to get access to tls_disable_workarounds.

You have 2 problems.
- One is the vulnerable methods
- The other is that renegotiation is considered a denial of service vulnerability.


You really don't have any option to upgrade?
What's the OS you're running?

Greetz,
Louis


-Original Message-
From: abid.hussai...@gmail.com
[mailto:owner-  ] On behalf of Abid Hussain
Sent: Tuesday 18 August 2015 10:29
To: postfix-users@postfix.org
Subject: SSL Renegotiation Attack Disabling reneotiation

Dear All,

I am using postfix 2.6 and currently cannot upgrade it. Kindly
advise how
renegotiation can be disabled completely.  Probably a command in the
configuration file.


regards,
Abid



--
View this message in context:
http://postfix.1071664.n5.nabble.com/SSL-Renegotiation-Attack-Disabling-reneotiation-tp78708.html
Sent from the Postfix Users mailing list archive at Nabble.com.










SOLVED.. FW: ldap virtual split domain and forwarding.

2015-08-18 Thread L . P . H . van Belle
Finally I found the problem. 

In the end I added the ldap://etc/postfix/zarafa-ads-*-aliases.cf in 
the alias_maps 
and all the redirects in the virtual_alias_maps,

and now I did some testing with an e-mail address which did not have any 
typos in the email address in LDAP. 
That was where my error was. 

Greetz, 


-Original Message-
From: be...@bazuin.nl [mailto:owner-postfix-us...@postfix.org] On behalf of L.P.H. van 
Belle
Sent: Friday 14 August 2015 16:07
To: postfix-users@postfix.org
Subject: ldap virtual split domain and forwarding.

Hai, 
 
I'm new to the list, so tell me if I'm doing something wrong. 
In advance, sorry for my English, and sorry for the long explanation; 
better too much than too little IMO. 

I'm having the following setup. 
 
Debian Jessie 8.1 with packages, running a Zarafa mail server and a Samba 4 AD 
domain. 
I have almost all the info I want in the AD, but I'm having problems with some e-mail 
aliases and forwarding of these. 

Packages of postfix used:
ii  postfix        2.11.3-1  amd64  High-performance mail transport agent
ii  postfix-ldap   2.11.3-1  amd64  LDAP map support for Postfix
ii  postfix-mysql  2.11.3-1  amd64  MySQL map support for Postfix
ii  postfix-pcre   2.11.3-1  amd64  PCRE map support for Postfix

 
This is the part I'm having problems with (I'll explain more below the 
configuration): 
(master.cf) 

 
alias_maps  = hash:/etc/aliases,
              regexp:/etc/postfix/asp-redirect.regexp,
              ldap://etc/postfix/zarafa-ads-local-aliases.cf,
alias_database  = hash:/etc/aliases
transport_maps  = ldap:/etc/postfix/zarafa-ads-zpublic-transport.cf,
virtual_transport   = lmtp:127.0.0.1:2003
virtual_mailbox_domains = domain.tld, internal.domain.tld
virtual_mailbox_maps= ldap:/etc/postfix/zarafa-ads-users.cf
 

# Active Directory has the possibility to create distribution groups which can 
# be used as email distribution lists in ZCP.
# To integrate Postfix with distribution groups, Postfix 2.4 or higher is 
# required.
#
virtual_alias_maps  = ldap:/etc/postfix/zarafa-ads-users.cf,
                      ldap:/etc/postfix/zarafa-ads-groups.cf,
                      ldap:/etc/postfix/zarafa-ads-zpublic-aliases.cf,
                      ldap://etc/postfix/zarafa-ads-local-redirects.cf,
                      ldap://etc/postfix/zarafa-ads-general-aliases.cf


 
So, I'm running Zarafa 7.2 as mail server and Samba 4 AD as domain for email 
address lookups. 
The Zarafa server and email addresses and email aliases and groups and public 
folders work fine. 
I need these settings for Zarafa: 
virtual_transport  = lmtp:127.0.0.1:2003
virtual_mailbox_domains= domain.tld, internal.domain.tld
virtual_mailbox_maps   = ldap:/etc/postfix/zarafa-ads-users.cf
virtual_alias_maps = ldap:/etc/postfix/zarafa-ads-users.cf,
 ldap:/etc/postfix/zarafa-ads-groups.cf,
 ldap:/etc/postfix/zarafa-ads-zpublic-aliases.cf,

with delivery to public folders, with a setup like this example: 
http://www.leckerbeef.de/zarafa-deliver-mail-to-public-folder-the-postfix-way/ 
As said, this all works fine; I can email to all users/groups/public folder email 
addresses. 

Now based on that I'm creating a contact, and 
I use the displayName and description fields to set my addresses for postfix. 

For the ldap -aliases files I use this filter: 
scope = sub
query_filter = (&(objectClass=contact)(displayName=%s))
result_attribute = displayName 

For the ldap -redirects files I use this filter: 
scope = sub
query_filter = (&(objectClass=contact)(displayName=%s))
result_attribute = description


For this one in the alias_maps: 
ldap://etc/postfix/zarafa-ads-local-aliases.cf 
I have here, for example, user: root with a forward address to an email address in my 
public folders of Zarafa, and a user e-mail address. 
postmap -q root ldap://etc/postfix/zarafa-ads-local-aliases.cf  gives back root, 
which is correct in this case. 
postmap -q root ldap://etc/postfix/zarafa-ads-local-redirects.cf gives back: 
personalad...@domain.tld,publicfolderad...@domain.tld 

This works and is used for messages sent to root from the server (and 
mailing to r...@domain.tld does NOT work and should not work). 

Here in this, I also have my ab...@domain.tld postmas...@domain.tld 
webmas...@domain.tld e-mail addresses. 
I can 

FW: SSL Renegotiation Attack Disabling reneotiation

2015-08-18 Thread L . P . H . van Belle
Hai, 

As far as I know, no.

Unless you are forcing all clients to use SSLv2 only (since that doesn't 
support renegotiation). 
Are you sure you want to disable it and not just prevent old clients from 
using the vulnerable renegotiation methods? If it's the latter
you'll need to upgrade to 2.8+ to get access to tls_disable_workarounds. 

You have 2 problems. 
- One is the vulnerable methods 
- The other is that renegotiation is considered a denial of service vulnerability. 


You really don't have any option to upgrade? 
What's the OS you're running? 

Greetz, 
Louis


-Original Message-
From: abid.hussai...@gmail.com 
[mailto:owner-postfix-us...@postfix.org] On behalf of Abid Hussain
Sent: Tuesday 18 August 2015 10:29
To: postfix-users@postfix.org
Subject: SSL Renegotiation Attack Disabling reneotiation

Dear All,

I am using postfix 2.6 and currently cannot upgrade it. Kindly 
advise how
renegotiation can be disabled completely.  Probably a command in the
configuration file.


regards,
Abid



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/SSL-Renegotiation-Attack-Disabling-reneotiation-tp78708.html
Sent from the Postfix Users mailing list archive at Nabble.com.





RE: Folder permissions problem, /var/spool/postfix/private

2015-08-18 Thread L . P . H . van Belle
for the policy-spf, check this one. 
https://bananasfk.wordpress.com/2015/06/05/policyd-spf-in-debian-8-fix/ 

Greetz, 

Louis
 

-Original Message-
From: robert.sen...@lists.microscopium.de 
[mailto:owner-postfix-us...@postfix.org] On behalf of Robert Senger
Sent: Tuesday 18 August 2015 13:42
To: postfix-users@postfix.org
Subject: Folder permissions problem, /var/spool/postfix/private

Hi all,

I just upgraded a server from Debian Wheezy to Jessie, and moved the
system partition to a new, bigger harddisk. Now I am having 
trouble with
the permissions of the /var/spool/postfix/private folder.

As far as I can see all folder permissions throughout the whole system
are the same as before on the old harddisk, including postfix's private
directory.

Despite this fact, all milter services that create/use sockets within
the /var/spool/postfix/private folder (OpenDKIM, OpenDMARC, postgrey,
SPF) refuse to start, complaining they cannot create/write their socket
in the private folder.

I already checked all the folder permissions, ran postfix
set-permissions and postfix check, without success.

To get the milters working, I need to set the private folders's
permissions to 777, which is certainly not what we want for a private
folder...

Running postfix set-permissions resets the permissions to 700, but
then the milters fail.

Any idea what can be wrong here? Thanks!

Cheers,

Robert


-- 
Robert Senger






RE: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread L . P . H . van Belle
Hai, 

... it's all about correct DNS settings, so don't say that it does not matter. 

Best is you read: 
RFC 2821 section 3.6 and 4.1.1.1 (and 10.3, thank you Michael, good read, I 
forgot that one) 
RFC 5321 section 2.3.5 

In short: 
make sure your hostname has an A or AAAA record and a PTR record. 
make sure your MX points to a correct hostname. 
make sure your mail server EHLO (smtpd_banner) is set to a resolvable 
hostname. 
Requirements for EHLO: a DNS RR of type A is required, and there is no 
requirement 
for the A record to match the client's connecting IP address (as per RFC 1123 
Section 5.2.5). 

when a connecting host uses the EHLO command to identify itself and 
where the hostname contains characters that are not one of the following:
a-z, A-Z, 0-9, . and - 
Further, the hostname should start with a letter of the alphabet. 



Greetz, 

Louis


-Original Message-
From: rwhee...@artifact-software.com 
[mailto:owner-postfix-us...@postfix.org] On behalf of Ron Wheeler
Sent: Tuesday 18 August 2015 16:14
To: postfix-users@postfix.org
Subject: Re: Postfix and Mailman 2 virtual alias domain integration

This is pretty common.
The DNS does not matter all that much as long as people can 
find the MX 
server for each domain.
The MX record has to point to an A or CNAME that maps to the actual 
machine where your main service (Postfix) runs.
The A or CNAME can be in a different domain as long as that is 
resolvable to an IP somehow.
Every Domain can have its MX point to smtp.B.tld as long as smtp.B.tld 
resolves to something in the B domain's DNS.
This is probably easiest since you can move all SMTP traffic with a 
single change in the DNS for B.tld.

In the end the foreign SMTP server has to be able to reach someone who 
will take the mail off its hands and the DNS serves that purpose.
Once the mail is transferred to the right IP address, the sender 
doesn't care how you organize your domains internally.

Ron

On 18/08/2015 8:55 AM, Tom Browder wrote:
 On Sun, Aug 16, 2015 at 3:36 PM, @lbutlr krem...@kreme.com wrote:
 On 16 Aug 2015, at 10:44 , Tom Browder tom.brow...@gmail.com wrote:
 Okay, then I guess I should pick one of the virtual hosts as the domain
 name and add some arbitrary host then. Does that mean it is then a real
 server and should not be treated as a virtual domain?
 You need a reasonable helo name and you need an rDNS that matches.
 Okay, let me be more specific:

 On a single Apache/Postfix/MM2 server I have domains A.tld ... Z.tld,
 each of which I want to have mail delivered to/from.  I will choose
 B.tld as the non-virtual server (with FQHN mail.B.tld).  I have a
 single IP address, say, 9.9.9.9, to which all domains are mapped.

 So how should the DNS records look?   Can anyone give me the exact
 settings for the A, CNAME, MX, and PTR records for A.tld and B.tld
 (and any other suggested records)?

 Many thanks.

 Best,

 -Tom



-- 
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
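As an added example (not code from any of the list posts), the two checks the replies above describe, applied to a constructed DNS table for the hypothetical A.tld/B.tld setup: the EHLO name syntax rule and the "MX must resolve to an A record, possibly through a CNAME in another domain" rule, with the RFC 1123 point that the A record need not equal the connecting IP.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed DNS table for the hypothetical zones discussed above:
# every domain's MX points at smtp.B.tld, which has an A record in B.tld,
# and a CNAME in A.tld points into the B.tld domain (allowed, as Ron notes).
DNS: Dict[Tuple[str, str], str] = {
    ("A.tld", "MX"): "smtp.B.tld",
    ("B.tld", "MX"): "smtp.B.tld",
    ("smtp.B.tld", "A"): "9.9.9.9",
    ("mail.A.tld", "CNAME"): "smtp.B.tld",
    ("broken.tld", "MX"): "mx.nowhere.tld",   # MX target has no A or CNAME
}

# Syntax rule from Louis's reply: letters, digits, '.' and '-', starting with a letter.
EHLO_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*$")


def ehlo_syntax_ok(name: str) -> bool:
    return EHLO_NAME.match(name) is not None


def resolve_a(name: str, table: Dict[Tuple[str, str], str] = DNS) -> Optional[str]:
    """Follow CNAMEs (bounded, so a CNAME loop cannot hang) to an A record."""
    for _ in range(8):
        if (name, "A") in table:
            return table[(name, "A")]
        cname = table.get((name, "CNAME"))
        if cname is None:
            return None
        name = cname
    return None


def mx_deliverable(domain: str, table: Dict[Tuple[str, str], str] = DNS) -> bool:
    """The MX target must resolve to an IP (directly or through a CNAME)."""
    target = table.get((domain, "MX"))
    return target is not None and resolve_a(target, table) is not None


def ehlo_acceptable(name: str, client_ip: str, table: Dict[Tuple[str, str], str] = DNS) -> Tuple[bool, str]:
    """An A record is required for the EHLO name, but per RFC 1123 5.2.5 it
    does not have to equal the connecting IP, so a mismatch is only reported."""
    if not ehlo_syntax_ok(name):
        return False, "invalid characters or leading non-letter in EHLO name"
    ip = resolve_a(name, table)
    if ip is None:
        return False, "EHLO name has no A record"
    note = "A record matches client IP" if ip == client_ip else "A record differs from client IP (allowed)"
    return True, note
```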





ldap virtual split domain and forwarding.

2015-08-14 Thread L . P . H . van Belle
Hi,

I'm new to the list, so tell me if I'm doing something wrong.
In advance, sorry for my English, and sorry for the long explanation;
better too much than too little, imo.

I'm having the following setup.

Debian Jessie 8.1 with packages, running a Zarafa mail server in a Samba 4 AD
domain.
I have almost all the info I want in the AD, but I'm having problems with some
e-mail aliases and forwarding of these.

packages of postfix used:
ii  postfix        2.11.3-1  amd64  High-performance mail transport agent
ii  postfix-ldap   2.11.3-1  amd64  LDAP map support for Postfix
ii  postfix-mysql  2.11.3-1  amd64  MySQL map support for Postfix
ii  postfix-pcre   2.11.3-1  amd64  PCRE map support for Postfix

 
This is the part I'm having problems with: (I'll explain more below the
configuration)
(master.cf)

 
alias_maps              = hash:/etc/aliases,
                          regexp:/etc/postfix/asp-redirect.regexp,
                          ldap://etc/postfix/zarafa-ads-local-aliases.cf,
alias_database          = hash:/etc/aliases
transport_maps          = ldap:/etc/postfix/zarafa-ads-zpublic-transport.cf,
virtual_transport       = lmtp:127.0.0.1:2003
virtual_mailbox_domains = domain.tld, internal.domain.tld
virtual_mailbox_maps    = ldap:/etc/postfix/zarafa-ads-users.cf
 

# Active Directory has the possibility to create distribution groups which can
# be used as email distribution lists in ZCP.
# To integrate Postfix with distribution groups, Postfix 2.4 or higher is
# required.
#
virtual_alias_maps      = ldap:/etc/postfix/zarafa-ads-users.cf,
                          ldap:/etc/postfix/zarafa-ads-groups.cf,
                          ldap:/etc/postfix/zarafa-ads-zpublic-aliases.cf,
                          ldap://etc/postfix/zarafa-ads-local-redirects.cf
                          ldap://etc/postfix/zarafa-ads-general-aliases.cf


 
So, I'm running Zarafa 7.2 as mail server and Samba 4 AD as domain for email
address lookups.
The Zarafa server and email addresses and email aliases and groups and public
folder work fine.
I need these settings for Zarafa:
virtual_transport       = lmtp:127.0.0.1:2003
virtual_mailbox_domains = domain.tld, internal.domain.tld
virtual_mailbox_maps    = ldap:/etc/postfix/zarafa-ads-users.cf
virtual_alias_maps      = ldap:/etc/postfix/zarafa-ads-users.cf,
                          ldap:/etc/postfix/zarafa-ads-groups.cf,
                          ldap:/etc/postfix/zarafa-ads-zpublic-aliases.cf,

with a delivery to public folders, with a setup like this example.
http://www.leckerbeef.de/zarafa-deliver-mail-to-public-folder-the-postfix-way/
As said, this all works fine; I can email to all users/groups/public folder
email addresses.

Now, based on that, I'm creating a contact and
I use the displayName and description fields to set my addresses for Postfix.

For the ldap -aliases files I use this filter.
scope = sub
query_filter = (&(objectClass=contact)(displayName=%s))
result_attribute = displayName

For the ldap -redirects files I use this filter.
scope = sub
query_filter = (&(objectClass=contact)(displayName=%s))
result_attribute = description


For this one in the alias_maps:
ldap://etc/postfix/zarafa-ads-local-aliases.cf
I have here, for example, user root with a forward address to an email address
in my public folders of Zarafa, and a user e-mail address.
postmap -q root ldap://etc/postfix/zarafa-ads-local-aliases.cf gives back root,
which is correct in this case.
postmap -q root ldap://etc/postfix/zarafa-ads-local-redirects.cf gives back:
personalad...@domain.tld,publicfolderad...@domain.tld

This works and is used for messages sent to root from the server. (And
mailing to r...@domain.tld does NOT work and should not work.)

Here in this, I also have my ab...@domain.tld postmas...@domain.tld
webmas...@domain.tld e-mail addresses.
I can use this ldap file on all my servers with this setup, and this is in a
separate OU in the AD (OU=local-aliases).
I can send to them and these are also delivered where I want.


Now my problem(s).
1) What I want is email to: someadres0132...@domain.tld, forward to
someadre...@domain.tld, forward to someadre...@offsite.domain.tld

alias_maps has: regexp:/etc/postfix/asp-redirect.regexp and contains lines
like
/^someadres01/someadre...@domain.tld
Here I catch all email addresses like someadres011...@domain.tld

postmap -q someadres0142...@domain.tld