[pfx] Re: UGFzc3dvcmQ6

2023-09-13 Thread Robert Schetterer via Postfix-users

On 13.09.2023 at 02:54, DL Neil via Postfix-users wrote:

Have been updating the .cf files (mostly ciphers, but also...)

Our old friend "UGFzc3dvcmQ6" is back.
(previously bounced-off without appearing in daily pflogsumm)

Grrr!

...
unknown[146.247.146.134]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
14-0-135-011.static.pccw-hkt.com[14.0.135.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

...

What is the setting to get rid of these dozens of false-attempts from 
diverse IP addresses, please?

(had a search through most-recent archives, but no joy)

- yes, could roll-back the versioning, but am unclear which clause is 
THE one!




as an idea

https://www.sys4.de/blog/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

fail2ban may work also
--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Postfix: running a script on authentication failure

2023-06-22 Thread Robert Schetterer via Postfix-users

On 22.06.23 at 19:18, Steffen Nurpmeso wrote:

Robert Schetterer wrote in
  :
  |On 22.06.2023 at 13:58, André Rodier via Postfix-users wrote:
  ...
  |> Shortly after it has been setup, I see brute force attacks (not
  |> surprising) from a whole /24 network (more surprising).
  ...
  |> Is there any way, with postfix, to run a script on authentication
  |> failure, with information like the IP address and the
  |> username passed, for instance.

Have a look at blacklistd (now in parts blocklistd) as written by
Christos Zoulas of NetBSD, and also used on FreeBSD.
They maintain a postfix patch to hook in calls to bl[ao]cklistd.
It does exactly that.

   ...
  |> What are you using on your side ?

I only use a combi of an awk script that parses logs, and firewall
rules that add penalties based on connection count (and data
transfer).  This is suboptimal, especially in your scenario.  (Ie,
i would claim it would make sense to block or limit entire IP
ranges, for which the awk script would need to hold state.)

   ...
  |postfix/dovecot uses syslog so action can be taken
  |
  |see
  |
  |https://blog.schaal-24.de/firewall/postfix-postscreen-ip-in-die-firewall\
  |-eintragen/
  |
  |thinkable spread the action via ssh on other servers in your cluster
  |
  |you can also use iptables recent to be faster

This has a low default limit, and you need a kernel tunable to
overcome it, for example i have

xt_recent.ip_list_tot=250 xt_recent.ip_pkt_list_tot=32



I had 1 in the list, no problem


to make this a bit better.  (For my purpose; i found with the
default 100 that too many "rejectors" come in, so the overflowing
of the table effectively moves IPs to the "super aliens" table,
which was also overcrowded then.  With 250 my default traffic
is levelled off nicely.  But peaks cause "havoc" again.  This is
all suboptimal, for one all servers should offer some kind of
blacklistd interface for more than login requests, and the
firewall -- at least the xt_recent code -- should also reach out;
likely the latter could be done with inotifyd on the xt_recent
directories, yet i never tried it.)

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


back to the subject, checking auth should be done very late
it's "cheaper" to use ip based stuff before.

so it depends what is the exact goal, just fixing brute force
quick and dirty or develop some kind of reputation framework
with tagging div clients behave  like spamassassin
to force some action when some limit has reached
you can also include compare log history data about an email address / 
domain to raise intruder alert, i.e ( like greylist ) positive triplets

good auth from ip/net vs sudden bad/brute auth from new ip/net

i think such framework exists but are not open source

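An added example, not code from the thread or from Postfix: a log pass that keeps state per network, so failures spread across a /24 (the pattern André describes) add up even though no single address reaches a per-IP threshold. It also decodes the logged reason, since the UGFzc3dvcmQ6 in the earlier thread on this page is only the base64 LOGIN prompt "Password:". The sample lines, the threshold and all function names are constructed for illustration.

```python
import base64
import binascii
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd log format. Addresses are RFC 5737
# documentation ranges, not the hosts quoted in the thread.
SAMPLE_LOG = """\
Sep 13 02:10:01 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 13 02:10:09 mx postfix/smtpd[1202]: warning: unknown[198.51.100.19]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 13 02:10:15 mx postfix/smtpd[1203]: warning: unknown[198.51.100.42]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 13 02:10:22 mx postfix/smtpd[1204]: warning: unknown[198.51.100.200]: SASL PLAIN authentication failed: authentication failure
Sep 13 02:11:00 mx postfix/smtpd[1205]: warning: host.example.net[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 13 02:11:30 mx postfix/smtpd[1206]: connect from unknown[198.51.100.7]
"""

SASL_FAIL = re.compile(
    r"\[(?P<ip>[0-9A-Fa-f:.]+)\]: SASL (?P<mech>\S+) authentication failed"
    r"(?:: (?P<reason>.*))?$"
)


def decode_reason(reason):
    """Return the failure reason, decoded when it is printable base64.

    With the LOGIN mechanism the logged "reason" is often the server's own
    base64 challenge (UGFzc3dvcmQ6 is "Password:"). This is a heuristic:
    anything that does not decode to printable ASCII is returned unchanged.
    """
    try:
        text = base64.b64decode(reason, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return reason
    return text if text and text.isprintable() else reason


def parse_failures(lines):
    """Yield (ip_address, mechanism, decoded_reason) for each SASL failure."""
    for line in lines:
        m = SASL_FAIL.search(line.rstrip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # bracketed token was not an address
        yield ip, m.group("mech"), decode_reason(m.group("reason") or "")


def covering_network(ip, v4_prefix=24, v6_prefix=64):
    """Map an address to the network it is counted under (assumed sizes)."""
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def summarize(lines, v4_prefix=24, v6_prefix=64):
    """Return (per_ip, per_net) failure counts.

    per_net maps network -> {"failures": n, "hosts": set of source addresses};
    this is the state a per-address counter does not keep.
    """
    per_ip = defaultdict(int)
    per_net = defaultdict(lambda: {"failures": 0, "hosts": set()})
    for ip, _mech, _reason in parse_failures(lines):
        per_ip[str(ip)] += 1
        entry = per_net[str(covering_network(ip, v4_prefix, v6_prefix))]
        entry["failures"] += 1
        entry["hosts"].add(str(ip))
    return dict(per_ip), dict(per_net)


def over_threshold(lines, threshold=3):
    """Compare per-address and per-network counting at the same threshold."""
    per_ip, per_net = summarize(lines)
    ips = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    nets = sorted(n for n, e in per_net.items() if e["failures"] >= threshold)
    return ips, nets


if __name__ == "__main__":
    ips, nets = over_threshold(SAMPLE_LOG.splitlines(), threshold=3)
    print("addresses over threshold:", ips)
    print("networks over threshold: ", nets)
```

The network list is input for whatever does the blocking (firewall set, fail2ban action); the script itself changes nothing.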


[pfx] Re: Postfix: running a script on authentication failure

2023-06-22 Thread Robert Schetterer via Postfix-users

On 22.06.2023 at 13:58, André Rodier via Postfix-users wrote:

Hello, all.

I just set-up a new server, running postfix, with submission(s) 
activated on standard ports (587, 465)


Shortly after it has been setup, I see brute force attacks (not 
surprising) from a whole /24 network (more surprising).


I carefully checked the logs, and see the modus operandi, which 
basically loop across the IP addresses in the network,
to avoid being blacklisted by tools like fail2ban. And it is true, even 
with fail2ban activated, no IP is blacklisted.


By activating verbose logging, I see multiple user names are tried, not 
only passwords.


Is there any way, with postfix, to run a script on authentication 
failure, with information like the IP address and the username passed, 
for instance.

I basically need features that fail2ban doesn't offer

- I would like to not rely on reading logs, removing one step and acting 
  more pro-actively.
- If a script is called on authentication failure, it is fairly easy to 
  use a Levenshtein distance to differentiate between a user having lost 
  his password and a brute force attack.
- If I log all the failure in a database, with the IP address, and the 
  whois information, the script would take decision according to the 
  whois information.

What are you using on your side ?

- Do you know any service, that I could use, to get the network to ban 
  from an IP address reputation, something like crowdsec, for instance ?
- Anyone has success with Suricata, Snort, or a tool like this ?

Please, do not suggest third party hosted services, I want to be part of 
my self-hosting solution.


Kind regards,
André




postfix/dovecot uses syslog so action can be taken

see

https://blog.schaal-24.de/firewall/postfix-postscreen-ip-in-die-firewall-eintragen/

thinkable spread the action via ssh on other servers in your cluster

you can also use iptables recent to be faster






[P-U] Re: sys4 is listed in Abusix

2023-03-07 Thread Robert Schetterer via Postfix-users

On 07.03.23 at 20:32, Charles Sprickman wrote:

On Mar 7, 2023, at 1:14 PM, Robert Schetterer via Postfix-users wrote:

On 07.03.23 at 18:57, Patrick Ben Koetter via Postfix-users wrote:

* toganm--- via Postfix-users :

Maybe it would have been a better idea to check if the mail server is listed
in any rbl sites. For one it is listed in Abusix and my server is rejected it 
as a result

What makes you believe the IP had been blocklisted before?
The IP was blocklisted today. It wasn't on a blocklist before that. That's
what the details show on the abusix report.
p@rick


Some rbls blocklisted ips , simply by the fact, they never saw smtp traffic before 
from that ip, in the past. doubtful reputation policy... I remember i needed i had to do 
"warm up phase" with them ,sure long time ago.


There are a few businesses now that offer IP "warm-up" services for mailing list providers. 
Probably not helpful in this specific instance, but they are good for the large mail providers like gmail 
that do their filtering with "secret sauce". They basically maintain a fleet of user accounts on 
all the major freemail providers and send your sample content through your smtp server over a period of a 
week or so. They also automate interaction with the inbox - including marking it "not spam".  Not 
cheap though... and I have no idea how they justify a business that relies on breaking the AUP of the 
freemail providers. :)

Charles


in the old times,  i had mass IP segments never used for anything, 
starting a new mail service there with new domain and small non spam 
traffic ( with spf, dkim etc ) getting it on RBLS at once was a big 
surprise *g


The reputation idea of default hard blocklist by never seen before
should be rethought , however in some special cases it maybe ok.

At the end i wouldn't hire somebody for simple sending warm up smtp 
traffic, also it's easy to monitor your ip getting in rbls


https://blog.sys4.de/xymon-rbl-check-script-de.html

for sure very old, as i am not longer involved in mail stuff









[P-U] Re: sys4 is listed in Abusix

2023-03-07 Thread Robert Schetterer via Postfix-users

On 07.03.23 at 18:57, Patrick Ben Koetter via Postfix-users wrote:

* toganm--- via Postfix-users :

Maybe it would have been a better idea to check if the mail server is listed
in any rbl sites. For one it is listed in Abusix and my server is rejected it 
as a result


What makes you believe the IP had been blocklisted before?
The IP was blocklisted today. It wasn't on a blocklist before that. That's
what the details show on the abusix report.

p@rick


Some rbls blocklisted ips , simply by the fact, they never saw smtp 
traffic before from that ip, in the past. doubtful reputation policy... 
I remember i needed i had to do "warm up phase" with them ,sure long 
time ago.









Re: Spamtrap email — milter that can still receive, but reject?

2022-05-24 Thread Robert Schetterer

On 24.05.22 at 16:14, Dan Mahoney wrote:

Hey all,

Is there a milter of some sort that I can configure to reject (for some to: 
addresses) at the end of DATA, but still forward the mail on?  I'm dealing with 
some deleted users who both got a lot of spam, but also were in the critical 
path for things and I’m hoping the VERP bounces trim some of this down.

-Dan

Sent from my iPad


your antispam may simply set mail on hold instead of reject, for human 
inspection, bounce/delete or forward it then manual later




Re: Restricting MAIL_FROM based on SASL login

2022-05-06 Thread Robert Schetterer

On 06.05.22 at 11:04, Víctor Rubiella Monfort wrote:
Thanks for the proposals, the main problem is accounts names and domains 
could be totally different. I'm reconsidering this approach to add only 
selected accounts to be able to cross domains, simplifying automation and 
increasing security. Although it requires more config for client.


Thanks a lot.

On 5/5/22 at 15:23, Wietse Venema wrote:

Víctor Rubiella Monfort:

Hello,

I'm working on a map for restrict MAIL_FROM declared on mail based on
sasl user authenticated.

For example if we want that all accounts for domain @domain1.com can
define MAIL_FROM @domain1.com and @domain2.com accounts:

@domain1.com  accou...@domain1.com  accou...@domain2.com  accou...@domain2.com  accou...@domain2.com
@domain2.com  accou...@domain1.com  accou...@domain2.com  accou...@domain2.com  accou...@domain2.com

Perhaps you can use reject_sender_login_mismatch with

main.cf:
 smtpd_sender_login_maps = pcre:$config_directory/sender-login.pcre

sender-login.pcre
 /^(.+)@domain1\.example$/  $1@domain1.example $1@domain2.example
 /^(.+)@domain2\.example$/  $1@domain1.example $1@domain2.example

Assuming that the usernames are the same in different domains.

Wietse



perhaps this older milter "may" help too

https://github.com/croessner/vrfydmn



Re: Deprecated: white is better than black

2021-02-24 Thread Robert Schetterer

On 24.02.21 at 23:29, Wietse Venema wrote:

j...@nunyuh.net:

I've purposefully held off on responding to any of this but if the
devs\list-owners are fine with the community converting this into a
forum about race + software & computer terms, albeit temporarily, then
fine - let's "damn the torpedos & full steam ahead" this baby and get to
work...

We all ready?


Let's not do that. I have merely done away with the implication
that white (as in whitelist) is better than black (as in blacklist).
It is not the end of the world. No-one will be forced to give up
their life style. The change is configurable, backwards-compatible
by default.

Wietse



Hi Wietse your change is welcome,
@ll please let this list tec related

Regards



Re: [OT] looking for a good mobile MUA

2020-03-21 Thread Robert Schetterer

On 21.03.20 at 10:25, Wesley Peng wrote:

Hello

On desktop I always use Thunderbird for MUA.

Thunderbird is clean and lite, handling protocol well.

But for mobile (I primarily use iOS), I couldn't find a good MUA to use.

I tried almost every release on appStore (outlook, edison, bluemail, 
spark, mymail...), they are either too complicated to use, or not 
following email standard (for example, can't choose plaintext composer, 
or can't setup sender auth username different from the email address, or 
never handle SSL correctly), or showing the message body ugly.


Can you suggest a suitable mobile MUA? it should like thunderbird, be 
fast, clean, standard, and easy to use.


Thanks.
(sorry for this OT message)


https://alternativeto.net/software/k-9/?platform=iphone

shows some alternate clients





Re: the strictest antispam laws?

2019-11-21 Thread Robert Schetterer

On 21.11.2019 at 09:01, Wesley Peng wrote:

Hello

I saw a trend that, every ESP has taken hard work on antispam policy.
For example, from my test cases:

1. gmail totally can't be registered from PC, only mobile client (gmail, 
outlook etc) can sign up a new username. they require mobile 
verification in the process.


2. yahoo totally can't be registered without a mobile verification, and 
each telephone number can be used once.


3. yandex is harder to sign up, it requires mobile verification, before 
every message sending, they require you to input the auth code.


4. A new registered outlook email require you to input mobile number 
once and once.


5. GMX/web.de stops auto-registration, every new registration they 
require you to call their service telephone for manual verification.


6. yahoo.co.jp stops web registration, they require mobile verification, 
and use a password-less solution for login. the first new messages 
sending they require you to input Japanese auth code.


7. others including UKR, rambler, Netease have the similar rules.

Does this mean every country has taken the strictest antispam laws for 
privacy protection today?


Thanks & Regards.



Why should a spammer care about law ?



Re: How to avoid being classified as spam by Google?

2019-10-07 Thread Robert Schetterer

On 07.10.19 at 07:11, martin f krafft wrote:

Quoting "Wietse Venema", who wrote on 2019-10-06 at 19:13 -0400:
Perhaps the SMTP client IP address 2001:db8:bad::cafe:: has no PTR 
record (or the name does not resolve to 2001:db8:bad::cafe::).


Good point, but the address has a PTR record to a name with an  
record pointing to the address.




Also a wide bug is not to include the ipv6 stuff in SPF, did you check 
this, in the past creating a extra transport for google only via ipv4 
was helpful too




Re: Webmin and DKIM

2019-08-27 Thread Robert Schetterer

On 27.08.19 at 18:45, Linda Pagillo wrote:
Good day everyone. Quick question and please forgive me if this is 
redundant. I have a Postfix server running on CentOS7 and I use Webmin 
to manage it. Is there a way for me to set up and configure DKIM using 
Webmin? I have been searching Google and the only thing I could find was 
something back from 2009 which says that it was not possible. Ten years 
later.. I'm hoping that it is. Can someone please let me know if this is 
possible and perhaps point me at the instructions? Thanks in advance.


you can always execute your own bash scripts with webmin, i did this 
time ago for a third party user to edit virtual users of postfix in a
relay only server
so the answer is: yes you can use webmin to configure DKIM stuff
but not (to my knowledge) out of the box with a module etc ,but with 
your own scripts




Re: Semi-OT: Getting blacklisted by hotmail/Google again and again

2019-03-17 Thread Robert Schetterer

On 17.03.19 at 20:59, Erwan David wrote:


On 17/03/2019 at 13:44, Czarek wrote:

Check if you are not an open relay. Configure SPF, DKIM, DMARC
and Reverse DNS.
Then contact to the spam lists.
Here you can check where your IP is listed.
Rgds
Wesley.



In my case there is no spam list, I am not an open relay, I have DKIM,
DMARC and SPF, I even registered to MS as a sender. They accept my
emails, but the recipient does not receive it or it is in the spam.

They just consider that only big email provider should exist.



google seems to have another policy for ipv6 income mail, a workaround 
is to deliver mail to them via ipv4 only, but it has been reported that 
this helps only sometimes , having SPF, DKIM, DMARC
and Reverse DNS are a must have these days, sometimes ipv6 settings 
are forgotten or not ok, perhaps double check it




Re: Semi-OT: Getting blacklisted by hotmail/Google again and again

2019-03-17 Thread Robert Schetterer

On 17.03.19 at 08:44, Matthew McGehrin wrote:

Hi Johannes,

Gone are the days of being able to send normal emails to these 
providers. They use automated algorithms that block your email 
automatically. Your IP reputation has a lot to do with it as well, along 
with the IPs in your /24. For example, looking up your IP reputation, I 
see that this /24 has several mail providers, so while you might not be 
sending the actual spam, other IPs in your /24. Also, forwarded email 
can have the same impact, as you are forwarding spam, and not 
necessarily sending it directly.


See also:

https://www.talosintelligence.com/reputation_center/lookup?search=37.120.172.118 



37.120.172.166 mail.digi-media-net.de    Yes    0.0    1.7 No    Poor

You might need to use one of the commercial providers, such as Amazon or 
Sendgrid, to send your outbound emails, since the large providers will 
not block them as easily.


Matthew




that's what's named collective punishment ( german Sippenhaft )
this feels like big companies use their market power to shift users
to their site cause in between their noble big players club everything 
is promoted as running fine.




Re: Old linux / postfix version - how add DKIM ?

2019-02-21 Thread Robert Schetterer

On 21.02.19 at 17:03, Matus UHLAR - fantomas wrote:

On 21.02.19 10:36, Edouard Guigné wrote:
My mail server is installed in a old deprecated linux version (debian 
5.0) with postfix 2.5.5


oh...  debian 7.0 is not supported for (nearly) a year, 6.0 for three years,
5.0 for seven years (debian didn't have LTS before 6.0)
I wonder it hasn't been compromised yet.

I did not installed this linux box, only managing it. I plan to change 
this server with an other solution (e.g. Zimbra), but this is not the 
today priority.


I succeed to configure SPF records for this mail server.

I would like configure DKIM, with OpenDKIM from sources... I will not 
use package manager on this linux box, because it is deprecated.

I would like compile / install OpenDKIM from source.


I would consider installing dkim-filter from archive.debian.org
via apt-get, changing whatever mirror you use to archive.debian.org

another possibility would be backporting - compiling from source package,
opendkim 2.0 was in squeeze.

maybe the squeeze version is compilable, maybe it's even installable without
upgrading half of the system.

Maybe someone could tell me it is possible according to my debian 
version and postfix version ?


you must try and see.  Current opendkim versions may require newer
libraries, newer postfix etc.

However, this is not a postfix issue.



another solution
http://dkimproxy.sourceforge.net/
http://dkimproxy.sourceforge.net/postfix-outbound-howto.html



Re: detect fake mx, tls security encrypt

2018-12-22 Thread Robert Schetterer

On 22.12.18 at 07:55, Stefan Bauer wrote:
nights later, a better approach seems to have a policy service that does 
the tls pre-checking.



long time ago i wrote this

https://blog.sys4.de/recipient-verification-tls-mandatory-modus-en.html

perhaps it helps



Something like this already around? ( i'm no coder but want to sponsor 
that if someone can do it) pm please


On Thursday, 20 December 2018, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
 >> On Dec 20, 2018, at 1:25 PM, Stefan Bauer wrote:

 >>
 >> I'm aware of such exceptions but I don't like to set them.  Our 
 >> policy is safe or not at all via mail.

 >
 > That policy has a cost.  You don't like the cost, but there it is...
 >
 >> I would like to have a setting like do not try next mx,
 >> if first mx lacks tls support. it assumes that if tls is
 >> not avail on primary it will for sure also not be avail
 >> on second and third.
 >
 > Sorry, Postfix does not and will not do that.  Data-mine your logs
 > for deliveries that fall back to a dead MX host (connection failure
 > and a large "c" value (>= smtp_connect_timeout) in the "delays=a/b/c/d"
 > part of the log entry, e.g.
 >
 >   delays=263861/0.01/60/0, dsn=4.4.1, status=deferred
 >     (connect to : Operation timed out)
 >
 > Then, if you refuse to ever deliver in the clear, reject mail to
 > the domain.
 >
 >   transport:
 > example.com  error:5.1.2:Destination domain does not support STARTTLS

 >
 > --
 > --
 >         Viktor.
 >



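The log data-mining Viktor Dukhovni describes in the quoted reply above, as an added example that is not part of the thread or of Postfix: it selects deferred deliveries whose connect attempt failed with a "c" delay at or above the connect timeout, and groups them by recipient domain. The sample lines, host names and function names are constructed; the 30-second default mirrors Postfix's documented smtp_connect_timeout default and should be replaced by the value in use.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtp(8) delivery-log format; queue IDs, hosts
# and addresses are made up (RFC 2606 names, RFC 5737 address ranges).
SAMPLE_LOG = """\
Dec 20 13:30:01 mx postfix/smtp[2301]: 4F1A2B3C4D: to=<alice@example.org>, relay=none, delay=263861, delays=263861/0.01/60/0, dsn=4.4.1, status=deferred (connect to mx2.example.org[192.0.2.25]:25: Operation timed out)
Dec 20 13:31:40 mx postfix/smtp[2302]: 5A6B7C8D9E: to=<bob@example.org>, relay=none, delay=95, delays=34/0.02/61/0, dsn=4.4.1, status=deferred (connect to mx2.example.org[192.0.2.25]:25: Connection timed out)
Dec 20 13:32:05 mx postfix/smtp[2303]: 6B7C8D9E0F: to=<carol@example.net>, relay=none, delay=0.3, delays=0.2/0.01/0.09/0, dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.9]:25: Connection refused)
Dec 20 13:32:30 mx postfix/smtp[2304]: 7C8D9E0F1A: to=<dave@example.com>, relay=mx.example.com[203.0.113.10]:25, delay=1.2, delays=0.1/0.01/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9D0E1F2A3B)
"""

NUM = r"\d+(?:\.\d+)?"
DELIVERY = re.compile(
    r"to=<(?P<rcpt>[^>]*)>,.*?"
    rf"delays=(?P<a>{NUM})/(?P<b>{NUM})/(?P<c>{NUM})/(?P<d>{NUM}), "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<text>.*)\)$"
)


def dead_mx_candidates(lines, connect_timeout=30.0):
    """Group deferred deliveries whose connect attempts ran into the timeout.

    A delivery counts when status=deferred, the response text reports a failed
    connect, and the "c" part of delays=a/b/c/d (connection setup time) is at
    least connect_timeout seconds. Returns {domain: {"count": n, "hosts": set}}.
    """
    result = defaultdict(lambda: {"count": 0, "hosts": set()})
    for line in lines:
        m = DELIVERY.search(line.rstrip())
        if not m or m.group("status") != "deferred":
            continue
        text = m.group("text")
        if not text.startswith("connect to "):
            continue  # deferred for a reason other than a failed connect
        if float(m.group("c")) < connect_timeout:
            continue  # failed fast (e.g. refused), not a silent dead host
        domain = m.group("rcpt").rpartition("@")[2].lower()
        host = text[len("connect to "):].split("[", 1)[0]
        entry = result[domain]
        entry["count"] += 1
        entry["hosts"].add(host)
    return dict(result)


def transport_lines(candidates):
    """Format transport(5) entries, in the form quoted in the thread, for
    manual review before any of them is installed."""
    return [
        f"{domain}  error:5.1.2:Destination domain does not support STARTTLS"
        for domain in sorted(candidates)
    ]


if __name__ == "__main__":
    found = dead_mx_candidates(SAMPLE_LOG.splitlines())
    for domain, info in sorted(found.items()):
        print(domain, info["count"], sorted(info["hosts"]))
    print("\n".join(transport_lines(found)))
```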


Re: Outbound DKIM signing milter options for Postfix?

2018-10-11 Thread Robert Schetterer
On 11.10.2018 at 17:47, pg...@dev-mail.net wrote:
> On Thu, Oct 11, 2018, at 2:37 AM, Robert Schetterer wrote:
>> http://dkimproxy.sourceforge.net/ "may"
>> help for this case
> 
> In principle.  Tho, not clear yet on whether I want/prefer a milter or proxy. 
>  Leaning to milter ...
> 
> But last release in 2010-11-14 sounds 'pretty dead' to me!
> 

yeah, but the question was for a special case and not using a milter
just for signing only it should work


Best Regards
MfG Robert Schetterer



Re: Outbound DKIM signing milter options for Postfix?

2018-10-11 Thread Robert Schetterer

On 11.10.2018 at 10:51, Matus UHLAR - fantomas wrote:

On 11.10.18 13:35, Илья Шипицин wrote:

we use opendkim (somehow it does not crash for us, yes, I seen many
unresolved issues).
however, I'd like to raise another question :)

opendkim is attached to postfix via milter. it is pain.
under high load (when lots of marketing letters are sent) we have to choose
between

1) if milter is unaccessible, send without DKIM signature
2) if milter is unaccessible, reject

what I really like to have, is a way to execute dkim sign and wait for a
child until it sign. no milter.
is it available ?


I believe this could be done by using post-queue content filter:
http://www.postfix.org/postconf.5.html#content_filter




http://dkimproxy.sourceforge.net/ "may"
help for this case



Re: any api to read logs ?

2018-09-29 Thread Robert Schetterer
On 29.09.2018 at 15:32, Matus UHLAR - fantomas wrote:
> On 29.09.18 16:42, Илья Шипицин wrote:
>> logfile analys is good for human, it is not rest api.
> 
> postfix produces logs, does not read nor parse them.
> 
>> I did search already
>>
>> any rest api ?
> 
> please tell us when you find one.
> guys may add it to http://www.postfix.org/addon.html#logfile
> 
> 
>>>  ???:
>>> > Hello,
>>> >
>>> > we use automation to send messages.
>>> > from the automation point of view it is nice to know what happened to
>>> > message
>>> >
>>> > I think about the following
>>> >
>>> > 1) automation send email via smtp --> id of message
>>> > 2) automation ask postfix via (rest) api "hey, tell me history of
>>> message
>>> > id ..."
>>> >
>>> > any suggestion ?
> 
>> Sat, 29 Sep 2018 at 16:21, Wietse Venema :
>>> Open a web search engine, ask for for 'logfile analysis tools'.
> 

http://sareport.darold.net/
https://www.graylog.org/

and so on

Best Regards
MfG Robert Schetterer



Re: iOS Mail Client Not Copying to Sent Folder

2018-08-21 Thread Robert Schetterer
ailfilter.com
> <http://hostkarma.junkemailfilter.com>=127.0.0.1 ${stress?sleep
> 0}${stress: sleep 5} permit
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_helo_access
> mysql:/etc/postfix/mysql_helo_restrictions.cf,
> permit_sasl_authenticated, reject_invalid_hostname, permit
> smtpd_milters = inet:127.0.0.1:8891
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_non_fqdn_sender,
> reject_unauth_destination, reject_invalid_hostname,
> reject_unknown_reverse_client_hostname, reject_non_fqdn_recipient,
> reject_unknown_sender_domain, check_recipient_access
> mysql:/etc/postfix/mysql_restricted_recipients.cf, permit
> smtpd_relay_restrictions = permit_mynetworks, check_recipient_access
> mysql:/etc/postfix/mysql_restricted_recipients.cf,
> permit_sasl_authenticated, reject_unauth_destination
> smtpd_sasl_auth_enable = no
> smtpd_sasl_exceptions_networks = $mynetworks
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = check_sender_access
> regexp:/etc/postfix/spam_senders_email, check_sender_access
> mysql:/etc/postfix/mysql_restricted_senders.cf, check_sender_access
> mysql:/etc/postfix/mysql_blacklist, permit_sasl_authenticated,
> permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain,
> permit
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/ssl/triata.pem
> smtpd_tls_key_file = /etc/postfix/ssl/triata.key
> smtpd_tls_received_header = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database =
> btree:/var/spool/postfix/smtpd_tls_session_cache
> transport_maps = mysql:/etc/postfix/mysql_virtual_transport.cf
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_gid_maps = static:1001
> virtual_mailbox_base = /vmail
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> virtual_mailbox_limit = 0
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
> virtual_minimum_uid = 1001
> virtual_transport = dovecot
> virtual_uid_maps = static:1001
> 
> 
> 



Best Regards
MfG Robert Schetterer



Re: clamav as a milter

2018-03-26 Thread Robert Schetterer
On 26.03.2018 at 23:27, André Rodier wrote:
> Hello all,
> 
> Does anyone suffered performance loss when using clamav as a milter for
> postfix?

Not relevant, but for sure to scan something you need resources and time.

> 
> I would like to scan archives and emails with attachments. Is there any
> other way to do than using a milter?
> 
> Thanks for your advices.
> 
> André
> 



Best Regards
MfG Robert Schetterer



Re: SASL login and Mail From field mismatch

2018-03-25 Thread Robert Schetterer
Am 25.03.2018 um 18:44 schrieb mate...@mailbox.org:
> Hello everyone !
> 
> I'm trying to achieve a simple thing. Then user logins via SASL and
> sends mail, I want postfix to check that SASL login is identical to MAIL
> FROM filed.
> 
> As I can see, I can do that with 'reject_sender_login_mismatch', but
> usage of this option implies usage of 'smtpd_sender_login_maps'. 
> The problem is that I use MS AD as user list provider, so firstly, I
> thought about some tricky filter to achieve this, but I can't think up
> something workable. Second option is to create some hash 'file' and fill
> it with maps, but truly speaking I don't want to do this because it's a
> manual work. Of course, I may do some script to download info from AD
> and put it to the file. However, maybe another options exist too ?
> 
> I don't need user to be able to write as another user, so simple
> variable comparison like '$sasl_user == $mail_from' would be a prefect
> match.
> 
> 
> Thanks in advance.
> 
> -- 
> 
> Best regards,
> Mate200
> 
> 

do you want something like this?

https://github.com/croessner/vrfydmn


Best Regards
MfG Robert Schetterer



Re: Postfix as Relay for Exchange, User overquota

2018-01-02 Thread Robert Schetterer
Am 02.01.2018 um 19:59 schrieb stefan novak:
> Hello!
> 
> we are using Postfix as our MX Server for several mailservers, mostly
> dovecot. We have now implemented an exchange Server as well.
> 
> We are using the reject_unverified_recipient in combination with smtp
> transport-table to submit the E-mail back to the exchange Server.
> With our dovecot backends we can use the dovecot quota service in
> combination with the check_policy_service that Mails from full
> Mailboxes get rejected. How can i achieve this with our exchange
> backend? Now the Mails get bounced, which is not very nice :/
> 
> Is there a way to tell postfix to accept the E-Mail only when the
> exchange Server also wants to deliver it. Best will be when this works
> only on quota, since somietims its good when the postfix in front
> queue's the E-Mail. (Backend-Server reboot for patching...)
> 
> kind regards and sorry for my english ;)
> Stefan
> ___
> www.epb.at - Your IT Partner in East Austria
> 

try this

https://sys4.de/de/blog/2013/04/08/postfix-dovecot-mailbox-quota/

but be aware aliases etc. may not have a mailbox quota; also the blog is
old, things may have changed, and you maybe should cover the used port by vpn,
ssltunnel etc.

more

https://www.dovecot.org/list/dovecot/2016-July/104830.html
https://wiki2.dovecot.org/Quota


Best Regards
MfG Robert Schetterer



Re: Postfix, clamav and Spamassasin - delete high scoring spam

2017-10-25 Thread Robert Schetterer
Am 25.10.2017 um 20:55 schrieb Emanuel:
> Hello,
> 
> I use Postfix, clamav and spamassain to figth the spam in my server.
> 
> I my custom_rules from spamassasin i add the following rule to give 100
> points to emails that contain infected attachments.
> 
> priority CLAMAV -900
> shortcircuit CLAMAV spam
> score CLAMAV 200
> 
> my question is, can be removed automatically through postfix?
> 
> Regards,
> 
> Emanuel.

with spamass-milter you are able to reject,
or use amavis, which also works as a milter; perhaps the best choice for your
goal, because it is a framework with clamav and spamassassin.
i never used the clamav module/rules in spamassassin

> 
> -- 
> envialosimple.com <http://www.envialosimple.com>  
> Emanuel Gonzalez
> Deliverability Specialist
> emanuel.gonza...@donweb.com <mailto:emanuel.gonza...@donweb.com>
> www.envialosimple.com <http://www.envialosimple.com>
> by donweb <http://www.envialosimple.com>
> 
> 



Best Regards
MfG Robert Schetterer



Re: Blocking mail from clients who

2017-10-15 Thread Robert Schetterer
Am 15.10.2017 um 18:34 schrieb Gerben Wierda:
> My main restrictions in main.cf are (on macOS Server)
> 
> smtpd_client_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_client_access
> regexp:/Library/Server/Mail/Config/postfix/rna_rbl_whitelist_clients,
> reject_rbl_client zen.spamhaus.org,
> permit
> smtpd_delay_reject = yes
> smtpd_enforce_tls = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> permit_mynetworks,
> reject_non_fqdn_helo_hostname,
> reject_invalid_helo_hostname,
> permit
> smtpd_recipient_restrictions = permit_sasl_authenticated
> reject_unauth_pipelining reject_non_fqdn_recipient permit_mynetworks
> reject_unauth_destination reject_unlisted_recipient check_client_access
> regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
> check_sender_access
> regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
> check_policy_service unix:private/policy permit
> 
> Rbl and greylisting helps to filter out most spam attempts. I have to
> turn of greylisting for a few hours today, and a message came through
> that had both From: and To: set to my email address. This was accepted
> because I am the delivery agent for that domain.
> 
> But an outside, non SASL-authenticated client that says it wants to
> deliver mail From my domain is illegal. Apparently, that one still gets
> through (though is generally blocked by greylisting). Anyway, is there a
> way to block that without blocking legitimate mail?
> 
> Gerben Wierda
> Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
> Mastering ArchiMate <http://masteringarchimate.com/>
> Architecture for Real Enterprises
> <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at
> InfoWorld
> On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
> 

are you informed about dkim, spf, dmarc?
Do you relay for third parties?


Best Regards
MfG Robert Schetterer



Re: recommended smtp proxy script?

2017-10-13 Thread Robert Schetterer
Am 13.10.2017 um 20:42 schrieb Daniele Nicolodi:
> On 13/10/17 10:40, Matus UHLAR - fantomas wrote:
>> the only important part is - you apparently should not use milter on
>> submission ports.
> 
> Why?
> 
> Cheers,
> Dan
> 

some milters are fine to use with submission,
others not; e.g. clamav-milter should work, while spamass-milter
on the other hand may slow down sending mail, which might lead to anger
for users; it needs time to find out the spamness of an email by doing e.g.
outside network operations with razor etc.
So it simply depends on what you are trying to achieve. Rethink your
whole mail design, look at your logs, then choose the tool or tech whose
design fits best for the desired task


Best Regards
MfG Robert Schetterer



Re: Copying IMAP messages instead of Forwarding?

2017-09-25 Thread Robert Schetterer
Am 25.09.2017 um 16:37 schrieb LuKreme:
> Is there a method to use IMAP to move messages to another account on another 
> server for which I have login credentials on delivery instead of simply 
> forwarding? Or would this be a question for the Dovecot list?
> 
> I am trying to get around various spam checking and DKIM failures for a local 
> user who uses gmail but whose address is on my server. She wants all her mail 
> to end up in Gmail, but forwarding it fails too often.
> 
> The other option that I am looking at is to enable POP3 so that gmail can 
> simply get the messages, but I haven’t allowed POP3 in ages and am reluctant 
> to do so now, though that is probably the simplest thing.
> 
> The user isn’t really savvy enough to manage two IMAP accounts herself.
> 
> 
> 

perhaps imaputils helps


https://github.com/mtsatsenko/imaputils

some blog

https://sys4.de/de/blog/2014/01/12/imap-weiterleitungen-mit-pop3toimap-als-ersatz-fur-smtp-weiterleitungen/


Best Regards
MfG Robert Schetterer



Re: Postfix and Maildrop Config

2017-09-07 Thread Robert Schetterer
Am 07.09.2017 um 17:09 schrieb Stroller:
> 
>> On 6 Sep 2017, at 14:06, Bill Cole 
>> <postfixlists-070...@billmail.scconsult.com> wrote:
>>
>>  Obviously some Postfix users do use maildrop but it is not the most common 
>> LDA choice for Postfix. I'd be surprised if it is even in the top 4.
> 
> Perhaps this question is off topic, but what MTAs are more favoured, please?
> 
> I've been very happy with a fechmail ⇒ maildrop system, but have to set up a 
> new server soon.
> 
> Stroller.
> 

 see getmail

http://pyropus.ca/software/getmail/documentation.html#features

perhaps then no need for maildrop/procmail anymore, depends on what your
goal is; add dovecot / sieve


Best Regards
MfG Robert Schetterer



Re: postscreen fail2ban filter

2017-07-17 Thread Robert Schetterer
Am 17.07.2017 um 20:06 schrieb /dev/rob0:
> On Mon, Jul 17, 2017 at 01:33:24PM -0400, Wietse Venema wrote:
>> I don't think there is much to gain from parsing postscreen logging
>> to produce fail2ban rules. postscreen is designed to handle a lot
>> of abuse with near-zero resources.
> 
> Granted, not much benefit within Postfix.  But consider: these 
> botnets are also attacking other services: http, ssh, DNS, and more.  
> I think it's a reasonable goal to want to block botnets in the 
> firewall.
> 
> [ Linux-specific ]
> 
> We do it with ssh attacks here using the "recent" iptables module.
> (On my TODO is a plan to port those rules to the --match set and 
> --jump SET modules and ipset(8).)  These attacks, when exceeding 
> established maximum new connection rates, cause the attacker to be 
> entirely blocked in the firewall.
> 
> That obviously won't work for SMTP, where [FSVO] legitmate sites 
> might have a bunch of new connections in short periods.  For ssh, 
> we're using the assumption that these connections are humans who are 
> seeking shell access, although indeed a poorly-written script could 
> easily go beyond the limits.
> 
> So the move to ipset would allow broader participation in attack 
> deflection; fail2ban could help populate the firewall blocking with 
> input from httpd, named, and others (including Postfix.)
> 
> Another advantage of firewall blocking is at the human level: 
> decrease of noise in the logs, to potentially save time for the 
> admin.  I haven't had many systems which were vulnerable to the 
> brute-force ssh attacks, but I don't need to see that spam in the 
> system logs.
> 
> To be clear, I don't have an answer for the OP; I am just tossing 
> out a couple of coins in support of the goal.
> 

you may have a look here for ideas

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
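
The firewall-feeding idea discussed in this thread, as an added example that is not part of the original posts: it applies the hit-count-within-a-time-window logic of the iptables "recent" module to SASL authentication failures rather than to plain new connections (which the thread notes would hurt legitimate SMTP senders) and emits entries for an ipset. The log lines are constructed, and the thresholds, the trusted networks and the set name `smtp_auth_abuse` are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd syslog format (documentation IPs).
SAMPLE_LOG = """\
Jul 17 20:00:01 mx postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 17 20:00:09 mx postfix/smtpd[2102]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 17 20:00:15 mx postfix/smtpd[2103]: warning: host.example.net[198.51.100.20]: SASL PLAIN authentication failed:
Jul 17 20:00:31 mx postfix/smtpd[2104]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 17 20:00:40 mx postfix/smtpd[2105]: connect from mail.example.org[192.0.2.55]
Jul 17 20:01:00 mx postfix/smtpd[2105]: warning: mail.example.org[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 17 20:01:05 mx postfix/smtpd[2105]: warning: mail.example.org[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 17 20:01:10 mx postfix/smtpd[2105]: warning: mail.example.org[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 17 20:09:15 mx postfix/smtpd[2107]: warning: host.example.net[198.51.100.20]: SASL PLAIN authentication failed:
Jul 17 20:20:00 mx postfix/smtpd[2108]: warning: host.example.net[198.51.100.20]: SASL PLAIN authentication failed:
"""

AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix(?:/[\w-]+)+\[\d+\]: "
    r"warning: \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed"
)


def find_offenders(lines, year, seconds=60, hitcount=3, trusted=("127.0.0.0/8",)):
    """Return client IPs with >= hitcount auth failures inside a sliding window.

    Syslog timestamps carry no year, so the caller supplies it; a log that
    crosses New Year is not handled here.
    """
    window = timedelta(seconds=seconds)
    trusted_nets = [ipaddress.ip_network(net) for net in trusted]
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = []                # kept in order of first detection
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m is None:
            continue              # not an authentication failure
        addr = ipaddress.ip_address(m.group("ip"))
        if any(addr in net for net in trusted_nets):
            continue              # never ban our own networks
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits = recent[str(addr)]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # expire failures older than the window
        if len(hits) >= hitcount and str(addr) not in offenders:
            offenders.append(str(addr))
    return offenders


def ipset_restore_lines(ips, set_name="smtp_auth_abuse"):
    """Render offenders as input for `ipset restore -exist` (set name is hypothetical)."""
    return [f"add {set_name} {ip}" for ip in ips]


if __name__ == "__main__":
    bad = find_offenders(SAMPLE_LOG.splitlines(), year=2017, trusted=("192.0.2.0/24",))
    print("\n".join(ipset_restore_lines(bad)))
```

The slow retries from 198.51.100.20 never reach the hit count, and 192.0.2.55 is skipped only because its network is listed as trusted.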


Re: is there a RFC which suggests that the helo name should be DNS resolvable

2017-07-05 Thread Robert Schetterer
Am 05.07.2017 um 19:15 schrieb Viktor Dukhovni:
> On Wed, Jul 05, 2017 at 06:57:17PM +0200, Stefan Sticht wrote:
> 
>> Is there a RFC or similar which suggests/requires that the helo name should
>> be DNS resolvable?
> 
> SMTP is defined in RFC 5321 (which obsoletes 2821 and 821).
> 

I think the question might be: is

reject_unknown_helo_hostname RFC-like today? It wasn't in the past.

postfix faqs are only pointing to
reject_non_fqdn_helo_hostname for rfc;

additionally,
reject_invalid_helo_hostname is acceptable in real world setups


Best Regards
MfG Robert Schetterer



Re: What is the best anti-spam and anti-virus combos for Postfix?

2017-04-28 Thread Robert Schetterer
Am 28.04.2017 um 21:26 schrieb Linda Pagillo:
> Hi everyone. I was wondering which anti-spam and anti-virus programs do
> you all use with Postifx? Any advice on which programs work best?

mostly used
amavis-new (framework, milter), spamassassin ( milter ), clamav ( milter )
with sanesecurity signatures, rspamd


Best Regards
MfG Robert Schetterer



Re: Recommended way to pause postfix local delivery while taking snapshot for backup

2017-04-09 Thread Robert Schetterer
Am 09.04.2017 um 10:52 schrieb Dominic Raferd:
> Is there a best/recommended way to pause postfix local deliveries so
> that I can take an LVM snapshot of the local mails for backup purposes?
> The pause only has to be momentary, while the snapshot is taken, but the
> files need to be in a consistent state. If anyone also knows the way to
> pause Dovecot imap/pop3 similarly (as this could also be accessing the
> same files), that would be helpful too.

why not simply write copies of all mails via bcc as archive and/or
use dsync or rsync to write backups with dovecot ?


Best Regards
MfG Robert Schetterer



Re: Postfix, Hotmail never arrive

2017-03-05 Thread Robert Schetterer
Am 05.03.2017 um 17:16 schrieb Maurizio Caloro:
> But you here in this Thread have you all three possiblities installed?
>  - SPF, DMARC, and DKIM ?

yeah, all fully implemented


Best Regards
MfG Robert Schetterer



Re: Postfix, Hotmail never arrive

2017-03-05 Thread Robert Schetterer
Am 05.03.2017 um 16:27 schrieb Michael Neurohr:
> On 2017-03-05 10:01, Robert Schetterer wrote:
>> Am 05.03.2017 um 09:11 schrieb Robert Schetterer:
>>>
>>> Hi Viktor, seems that hotmail etc has included some new antispam
>>> procedures and now blocks big ip ranges ( i.e Hetzner ) , spf, dkim etc
>>> does not help
>>> i filled out a form to get my servers ip open again , however their
>>> whole new antispam seems somekind broken
>>>
>>>
>>> Best Regards
>>> MfG Robert Schetterer
>>>
>>
>> form is at
>>
>> https://support.live.com/eform.aspx?productKey=edfsmsbl3=eformts=wsignin1.0
>>
>> in my case it seems that my amount of mail to hotmail wasnt enough to
>> build a score
>> the default seems to block ip with no score, which might be ok but
>> should be overrided by existing spf,dkim ever etc
> 
> I just tested that with my server with a Hetzner IP address. My mail
> goes directly into the Junk Folder. My IP address is not listed on any
> blacklist and I have SPF in place. So far I had no Problems with Hotmail.
> 
> Michael
> 

Microsoft's info mail (arrived fast today)
said that my hetzner IP will be whitelisted, but only for a small
amount of mail until it has a "good" score, and it is not a general
antispam whitelisting.

They recommend taking part in the
Junk E-Mail Reporting Program (JMRP)

link in the info mail is

http://support.msn.com/eform.aspx?productKey=edfsjmrpp=support_home_options_form_byemail=eformts

to me that link does not show clearly what to do.

seems they don't care very much about spf, dkim etc. from now on
(however it's noted that it stays helpful)
and prefer their own practice of scoring


Best Regards
MfG Robert Schetterer



Re: Postfix, Hotmail never arrive

2017-03-05 Thread Robert Schetterer
Am 05.03.2017 um 09:11 schrieb Robert Schetterer:
> Am 04.03.2017 um 23:18 schrieb Viktor Dukhovni:
>>
>>> On Mar 4, 2017, at 4:50 PM, Maurizio Caloro <mauri...@caloro.ch> wrote:
>>>
>>> If i send any mail go @hotmail this will never arrive,  but Postfix Log are 
>>> here in other thing.
>>> (Queued mail for Delivery)
>>>
>>> Mar  4 22:45:26 caloro postfix/qmgr[28159]: BD6EB4159E: 
>>> from=<n...@caloro.ch>, size=569, nrcpt=1 (queue active)
>>> Mar  4 22:45:29 caloro postfix/smtp[26958]: BD6EB4159E: 
>>> to=<inuk...@hotmail.com>, relay=mx1.hotmail.com[65.55.33.119]:25, 
>>> delay=2.7, delays=0.49/0.01/1.3/0.9, dsn=2.0.0, status=sent (250 
>>> <col004-mc5f19gzuny100046...@col004-mc5f19.hotmail.com> Queued mail for 
>>> delivery)
>>
>> Hotmail took responsibility for delivery of the message.  If it never
>> showed up in the user's mailbox, perhaps Hotmail considers your IP
>> address sufficiently "spammy" to discard your mail.
>>
>> Create a Hotmail account for yourself, and send the mail there, see if
>> it arrives.  There's not much Postfix can do to get Hotmail to not discard
>> your mail.
>>
>> Some people advocate publishing SPF records and using DKIM signatures.
>> Though my mail gets delivered without either, perhaps these would help
>> your mail not get junked.
>>
> 
> Hi Viktor, seems that hotmail etc has included some new antispam
> procedures and now blocks big ip ranges ( i.e Hetzner ) , spf, dkim etc
> does not help
> i filled out a form to get my servers ip open again , however their
> whole new antispam seems somekind broken
> 
> 
> Best Regards
> MfG Robert Schetterer
> 

form is at

https://support.live.com/eform.aspx?productKey=edfsmsbl3=eformts=wsignin1.0

in my case it seems that my amount of mail to hotmail wasn't enough to
build a score.
the default seems to be to block IPs with no score, which might be ok but
should be overridden by existing spf, dkim etc.





Best Regards
MfG Robert Schetterer



Re: Postfix, Hotmail never arrive

2017-03-05 Thread Robert Schetterer
Am 04.03.2017 um 23:18 schrieb Viktor Dukhovni:
> 
>> On Mar 4, 2017, at 4:50 PM, Maurizio Caloro <mauri...@caloro.ch> wrote:
>>
>> If i send any mail go @hotmail this will never arrive,  but Postfix Log are 
>> here in other thing.
>> (Queued mail for Delivery)
>>
>> Mar  4 22:45:26 caloro postfix/qmgr[28159]: BD6EB4159E: 
>> from=<n...@caloro.ch>, size=569, nrcpt=1 (queue active)
>> Mar  4 22:45:29 caloro postfix/smtp[26958]: BD6EB4159E: 
>> to=<inuk...@hotmail.com>, relay=mx1.hotmail.com[65.55.33.119]:25, delay=2.7, 
>> delays=0.49/0.01/1.3/0.9, dsn=2.0.0, status=sent (250 
>> <col004-mc5f19gzuny100046...@col004-mc5f19.hotmail.com> Queued mail for 
>> delivery)
> 
> Hotmail took responsibility for delivery of the message.  If it never
> showed up in the user's mailbox, perhaps Hotmail considers your IP
> address sufficiently "spammy" to discard your mail.
> 
> Create a Hotmail account for yourself, and send the mail there, see if
> it arrives.  There's not much Postfix can do to get Hotmail to not discard
> your mail.
> 
> Some people advocate publishing SPF records and using DKIM signatures.
> Though my mail gets delivered without either, perhaps these would help
> your mail not get junked.
> 

Hi Viktor, it seems that hotmail etc. has included some new antispam
procedures and now blocks big ip ranges (e.g. Hetzner); spf, dkim etc.
do not help.
i filled out a form to get my server's ip open again, however their
whole new antispam seems somehow broken


Best Regards
MfG Robert Schetterer



Re: postfix with possibilities for blackberry integration

2017-03-04 Thread Robert Schetterer
Am 04.03.2017 um 21:11 schrieb Maurizio Caloro:
> Hello Together
> 
> Please exist any possibilities to integrate me old Black-Berry 7.1 with 
> Postfix or Dovecot i don't have any BES Server, but here are any 
> possibilities to Install with Postfix any Protocol to communicate with it?
> 
> Thanks for any feedback
> 
> Mauri
> 
> 

as long as you have a mail app that does smtp, imap, pop3
this should work

found by google

http://support.blackberry.com/kb/articleDetail?ArticleNumber=000010154

Best Regards
MfG Robert Schetterer



Re: How to route mail to different isp-smarthosts depending on reply-to address

2017-02-19 Thread Robert Schetterer
Am 19.02.2017 um 17:18 schrieb Klaus Dittrich:
> What I want to achive is
> 
> an identity(me) with reply-to  kladit@isp-a should get routed to the
> smart-host of isp-a
> 
> the same identity(me) with reply-to  kladit@isp-b should get routed to
> the smart-host of isp-b

hm, perhaps try with header checks on reply-to headers, action transport,
but i think that can result in unwanted routings, because by default every
mail will pass header checks... wait for better ideas from the list

Best Regards
MfG Robert Schetterer



Re: Postfix 20 years ago

2017-02-12 Thread Robert Schetterer
Am 12.02.2017 um 19:06 schrieb Wietse Venema:
> Last month it was 20 years ago that I started writing Postfix code.
> After coming to IBM research in November 1996, I spent most of
> December and January making notes on paper. I knew that writing a
> mail system was more work than any of my prior projects.
> 
> The oldest tarball, dated 19970220, contains library functions plus
> two early versions of the master daemon. There are 8086 lines of
> code, 4204 lines after stripping the comments, and the only
> documentation was my pile of hand-written notes.
> 
> For comparison, today's Postfix 3.2.0 RC1 release candidate weighs
> in at 236533 lines of code, 137257 after stripping comments. The
> documentation amounts to 32589 lines of hand-written HTML source,
> plus 41878 lines of auto-generated HTML.
> 
> Much of today's effort is not visible as new features (thought there
> still are enough to make an upgrade worthwhile), but happens behind
> the scenes as improvements to internal code, and updated tests to
> ensure that future changes won't inadvertantly break something.
> 
>   Wietse
> 

Happy Birthday Postfix, and thx to Wietse


Best Regards
MfG Robert Schetterer



Re: Effects of very large message_size_limit?

2016-09-15 Thread Robert Schetterer
Am 15.09.2016 um 07:19 schrieb mro...@insiberia.net:
> Hi, I'm wondering what the downside of setting a large
> message_size_limit are?
> 
> By "large" I mean 30MB, 40MB, 50MB
> 
> I think sendmail has a default of no restriction for message size - that
> seems crazy, but maybe I don't understand the risks well enough.

some freemailers have a limit of 10 MB, so it's perhaps a good choice to
set it for outgoing external mail; for inside, a higher amount up to 50
sometimes makes sense


Best Regards
MfG Robert Schetterer



Re: Administration for PostFix 3.0 Using SMTPUTF8

2016-08-21 Thread Robert Schetterer
Am 21.08.2016 um 19:01 schrieb Benny Pedersen:
> On 2016-08-21 18:48, Robert Schetterer wrote:
> 
>>> does dns servers support it aswell as idn ?
>> sombody checked modoboa ?
> 
> somebody created a ebuild for it ?
> 
> i still miss your gentoo-overlay name :=)
> 
> 

why not write a mail to the developer

and/or read

http://modoboa.readthedocs.io/en/latest/getting_started/install.html


by the way i never used gentoo
but if you do , feel free to invest in your wish


Best Regards
MfG Robert Schetterer



Re: Administration for PostFix 3.0 Using SMTPUTF8

2016-08-21 Thread Robert Schetterer
Am 21.08.2016 um 18:05 schrieb Benny Pedersen:
> On 2016-08-21 17:51, nalini.elk...@insidethestack.com wrote:
> 
>> Can anyone give any help as to what is likely to work?
> 
> https://sourceforge.net/p/postfixadmin/bugs/297/
> 
> backends must understand utf-8 to make smtputf8 work imho
> 
> and yes it being a problem for so long, that i just hack it to
> postfixadmin adding the idn dns name to mysql, and it works, personly i
> dont need smtputf8 here
> 
> does dns servers support it aswell as idn ?
> 
> 
> 

somebody checked modoboa?


Best Regards
MfG Robert Schetterer



Re: Extracting delivery attempts from log files

2016-08-21 Thread Robert Schetterer
Am 21.08.2016 um 14:13 schrieb Wietse Venema:
> Robert Schetterer:
>> Am 21.08.2016 um 05:10 schrieb Steve Atkins:
>>> I find I need to extract a list of deliveries, and delivery attempts, from 
>>> postfix logs. Ideally I'd like to feed /var/log/mail.log into some script 
>>> and get out something like {timestamp, peer ip, helo, envelope from, 
>>> recipient, message-id} for every email.
>>>
>>> Does anyone know of a log analyzer or some other script that'll do that?
>>>
>>> Cheers,
>>>   Steve
>>>
>>
>> http://linux.die.net/man/1/pflogsumm
>> https://github.com/benningm/saftpresse
>> https://sourceforge.net/projects/logwatch/
> 
> There also is auxiliary/collate/collate.pl in the Postfix 3.2
> source-code distribution.
> 
> "This script, by Viktor Dukhovni, untangles a Postfix logfile and
> groups the records one "session" at a time based on queue ID and
> process ID information. Records from different sessions are separated
> by an empty line.  Such text is easy to process with $/="" in perl,
> or RS="" in awk."
> 
> With the logging organized by email "session", all you need 
> is a script that picks out the desired fields.
> 
>   Wietse
> 

that sounds great


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
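
A field-picking script of the kind this thread asks for, as an added example that is not part of the original posts and is not collate.pl: it groups records by queue ID only and emits one row per logged delivery attempt. The log lines are constructed, short hexadecimal queue IDs are assumed, and the HELO name is not extracted.

```python
import re

# Constructed sample in Postfix syslog format (documentation addresses only).
SAMPLE_LOG = """\
Aug 21 05:10:01 mx postfix/smtpd[3001]: 4A1B2C3D4E: client=client.example.org[192.0.2.10]
Aug 21 05:10:01 mx postfix/cleanup[3002]: 4A1B2C3D4E: message-id=<msg-001@example.org>
Aug 21 05:10:01 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<alice@example.org>, size=1523, nrcpt=2 (queue active)
Aug 21 05:10:02 mx postfix/smtpd[3003]: 5F6E7D8C9B: client=unknown[198.51.100.7]
Aug 21 05:10:02 mx postfix/smtp[3004]: 4A1B2C3D4E: to=<bob@example.net>, relay=mx.example.net[203.0.113.25]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9C8B7A6F5E)
Aug 21 05:10:02 mx postfix/cleanup[3002]: 5F6E7D8C9B: message-id=<msg-002@example.com>
Aug 21 05:10:03 mx postfix/qmgr[900]: 5F6E7D8C9B: from=<>, size=800, nrcpt=1 (queue active)
Aug 21 05:10:03 mx postfix/smtp[3005]: 4A1B2C3D4E: to=<carol@example.com>, relay=none, delay=2.1, delays=0.1/0/2/0, dsn=4.4.1, status=deferred (connect to mx.example.com[203.0.113.80]:25: Connection timed out)
Aug 21 05:10:04 mx postfix/local[3006]: 5F6E7D8C9B: to=<dave@mx.example>, relay=local, delay=1.5, delays=1.4/0/0/0.1, dsn=5.1.1, status=bounced (unknown user: "dave")
Aug 21 05:10:04 mx postfix/qmgr[900]: 5F6E7D8C9B: removed
Aug 21 05:15:03 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<alice@example.org>, size=1523, nrcpt=2 (queue active)
Aug 21 05:15:04 mx postfix/smtp[3010]: 4A1B2C3D4E: to=<carol@example.com>, relay=mx.example.com[203.0.113.80]:25, delay=303, delays=302/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 21 05:15:04 mx postfix/qmgr[900]: 4A1B2C3D4E: removed
Aug 21 06:00:00 mx postfix/pickup[3020]: 4A1B2C3D4E: uid=1000 from=<erin>
Aug 21 06:00:00 mx postfix/cleanup[3002]: 4A1B2C3D4E: message-id=<msg-003@mx.example>
Aug 21 06:00:00 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<erin@mx.example>, size=410, nrcpt=1 (queue active)
Aug 21 06:00:01 mx postfix/local[3021]: 4A1B2C3D4E: to=<frank@mx.example>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
Aug 21 06:00:01 mx postfix/qmgr[900]: 4A1B2C3D4E: removed
"""

# Only records that start with a short (hex) queue ID are considered;
# NOQUEUE rejects, warnings and connect/disconnect lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix(?:/[\w-]+)+\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"^client=\S*\[(?P<ip>[0-9A-Fa-f.:]+)\]")
MSGID_RE = re.compile(r"^message-id=(?P<mid>\S+)")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(
    r"^to=<(?P<rcpt>[^>]*)>,.*?\brelay=(?P<relay>[^,]+),.*?"
    r"\bdsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)


def delivery_attempts(lines):
    """Return one dict per delivery attempt (each 'to=' record), in log order."""
    sessions = {}   # queue ID -> fields collected so far for that message
    attempts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if rest == "removed":
            # Short queue IDs are reused, so forget the finished message;
            # otherwise its client IP would leak into the next one.
            sessions.pop(qid, None)
            continue
        sess = sessions.setdefault(
            qid, {"client_ip": None, "message_id": None, "sender": None})
        hit = CLIENT_RE.match(rest)
        if hit:
            sess["client_ip"] = hit.group("ip")
            continue
        hit = MSGID_RE.match(rest)
        if hit:
            sess["message_id"] = hit.group("mid")
            continue
        hit = FROM_RE.match(rest)
        if hit:
            sess["sender"] = hit.group("sender")   # "" is the null sender <>
            continue
        hit = TO_RE.match(rest)
        if hit:
            attempts.append({
                "timestamp": m.group("ts"), "queue_id": qid,
                "recipient": hit.group("rcpt"), "relay": hit.group("relay"),
                "dsn": hit.group("dsn"), "status": hit.group("status"), **sess,
            })
    return attempts


if __name__ == "__main__":
    for row in delivery_attempts(SAMPLE_LOG.splitlines()):
        print(row)
```

The last sample message is submitted locally through pickup and reuses an earlier queue ID, so its row carries no client IP.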


Re: Extracting delivery attempts from log files

2016-08-21 Thread Robert Schetterer
Am 21.08.2016 um 05:10 schrieb Steve Atkins:
> I find I need to extract a list of deliveries, and delivery attempts, from 
> postfix logs. Ideally I'd like to feed /var/log/mail.log into some script and 
> get out something like {timestamp, peer ip, helo, envelope from, recipient, 
> message-id} for every email.
> 
> Does anyone know of a log analyzer or some other script that'll do that?
> 
> Cheers,
>   Steve
> 

http://linux.die.net/man/1/pflogsumm
https://github.com/benningm/saftpresse
https://sourceforge.net/projects/logwatch/


Best Regards
MfG Robert Schetterer



Re: Dynamic "MAIL FROM" / 5321.MailFrom

2016-08-15 Thread Robert Schetterer
Am 15.08.2016 um 18:12 schrieb Pat Suwalski:
> Hello,
> 
> I've looked in every corner of the internet for a solution to this
> seemingly simple problem I'm having.
> 
> Last week, I started signing mail with opendkim, and hope to have DMARC
> fully implemented for all of my domains.
> 
> I host dozens of domains, and send all of their mail through a single
> outward-facing postfix server (we'll call it mymailserver.com).
> 
> At this point, everything works with DKIM, but DMARC fails because
> Postfix's "MAIL FROM" envelope does not match the domain name from the
> numerous hosted domains. I believe "MAIL FROM" uses the $mydomain, which
> in this case is "mymailserver.com".
> 
> The DMARC reports come back with:
> 
> 
>   
> 11.22.33.44
> 1
> 
>   none
>   pass
>   fail
> 
>   
>   
> somedomain.com
>   
>   
> 
>   somedomain.com
>   pass
> 
> 
>   mymailserver.com
>   pass
> 
>   
> 
> 
> As you can see, although DKIM and SPF pass individually, the DMARC
> policy still marks SPF as "fail" simply because the 5322.From is
> "somedomain.com" and 5321.MailFrom is "mymailserver.com".
> 
> Is there a simple directive to give Postfix so that it always passes
> "MAIL FROM" matching the "From" for trusted hosts?
> 
> Thanks a million,
> --Pat

I am not sure what your problem is (do you mean sending reports with
strict SPF?), however have a look at this too in your concept

https://tools.ietf.org/html/rfc7489

7.1.  Verifying External Destinations
...

For example, if a DMARC policy query for "blue.example.com" contained
   "rua=mailto:repo...@red.example.net", the host extracted from the
   latter ("red.example.net") does not match "blue.example.com", so this
   procedure is enacted.  A TXT query for
   "blue.example.com._report._dmarc.red.example.net" is issued.  If a
   single reply comes back containing a tag of "v=DMARC1", then the
   relationship between the two is confirmed.




Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
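
How a report can show SPF `pass` under the authentication results and `fail` under the evaluated policy, as an added example that is not from the thread: DMARC counts an SPF or DKIM pass only when the authenticated domain aligns with the 5322.From domain. The XML is a constructed record in the RFC 7489 aggregate-report layout using the thread's placeholder values, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed record in the RFC 7489 aggregate-report layout, filled with
# the placeholder values from the thread (not a real report).
SAMPLE_REPORT = """\
<feedback>
  <record>
    <row>
      <source_ip>11.22.33.44</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>somedomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>somedomain.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>mymailserver.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption for this example; real evaluators use the Public Suffix List.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode="r"):
    """Identifier alignment: mode 's' is strict, 'r' is relaxed."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if not a or not h:
        return False
    if mode == "s":
        return a == h
    return org_domain(a) == org_domain(h)


def _pairs(record, mechanism):
    """(domain, result) for each auth_results/<mechanism> element."""
    return [((e.findtext("domain") or "").strip(),
             (e.findtext("result") or "").strip())
            for e in record.findall(f"auth_results/{mechanism}")]


def evaluate(report_xml, aspf="r", adkim="r"):
    """Recompute the DMARC outcome of every record in an aggregate report."""
    out = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = (rec.findtext("identifiers/header_from") or "").strip()
        spf, dkim = _pairs(rec, "spf"), _pairs(rec, "dkim")
        spf_ok = any(res == "pass" and aligned(dom, header_from, aspf)
                     for dom, res in spf)
        dkim_ok = any(res == "pass" and aligned(dom, header_from, adkim)
                      for dom, res in dkim)
        out.append({
            "source_ip": (rec.findtext("row/source_ip") or "").strip(),
            "header_from": header_from,
            "spf_raw": spf,
            "dkim_raw": dkim,
            "spf_aligned_pass": spf_ok,
            "dkim_aligned_pass": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok,  # one aligned pass is enough
            "reported_spf": (rec.findtext("row/policy_evaluated/spf") or "").strip(),
        })
    return out


if __name__ == "__main__":
    for result in evaluate(SAMPLE_REPORT):
        print(result)
```

Aggregate reports arrive from third parties, so production code should parse them with a hardened XML parser such as `defusedxml`.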


Re: OT: ISP just gave be 13 days to switch IPs

2016-07-27 Thread Robert Schetterer
Am 27.07.2016 um 17:01 schrieb Ben Greenfield:
> I know this isn’t a specific postfix question but I’m hoping to get some good 
> advice from others who have been in this spot before.
> 
> I just got noticed that my IP address of 14 years is being revoked in less 
> than 2 weeks. I can imagine the work I need to do but I’m wondering what I’m 
> not thinking about.
> 
> I think my best course of action is to as quickly as possible start to 
> publish alternative IPs for mail delivery. I have DMARC and DKIM set-up and 
> I’m currently use strict for the evaluation.
> I think I should also set-up some MX records for my new IP.
> 
> Is there anything else I can do to help my reputation as a mail server?
> 
> My fear is that as soon as google, yahoo, hotmail, … see mail from my domain 
> on a new ip they will start to reject my mail.

if your spf, dkim, reverse dns etc is ok
they won't reject you by simply having a new ip (hopefully the new one
isn't blacklisted before by unknown reason), but sometimes they slow you
down if you deliver lots of mail per some time limit



> 
> Is that a valid fear? 
> 
> What should I be worried about doing.
> 
> Thanks,
> 
> Ben
> 



Best Regards
MfG Robert Schetterer



Re: Brute force attacks in various ports

2016-07-26 Thread Robert Schetterer
Am 26.07.2016 um 19:55 schrieb Lefteris Tsintjelis:
> On 26 Jul 2016, at 20:36, Benny Pedersen <m...@junc.eu> wrote:
>>
>> fail2ban based on pbl, but in fail2ban whitelist isp you have users in
> 
> Is log parsing the only way?
> 

fail2ban is a good choice

iptables with string and recent is another way

like

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

or

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

but it may overkill your server and examples may not fit your problem
exactly


Best Regards
MfG Robert Schetterer



Re: Is it me, or is there a problem elsewhere?

2016-07-21 Thread Robert Schetterer
Am 22.07.2016 um 02:54 schrieb Michael J Wise:
> 
> This isn't an ops list, but ...
> 
>> For over a week now, I have been seeing DNS look-up failures - always
>> with mailspike,  both whitelist and blacklist.  It is affecting about
>> ten percent of my non-whitelisted connections.
>>
>> Jul 21 15:10:28 geronimo postfix/dnsblog[27737]: warning: dnsblog_query:
>> lookup error for DNS query 163.123.219.112.bl.mailspike.net: Host or
>> domain name not found. Name service error for
>> name=163.123.219.112.bl.mailspike.net type=A: Host not found, try again.
> 
> $ host 2.0.0.127.bl.mailspike.net
> 2.0.0.127.bl.mailspike.net has address 127.0.0.2
> 2.0.0.127.bl.mailspike.net has address 127.0.0.10
> 
>> On 21/07/16 20:54, Dominik Chilla wrote:
> 
> Aloha mai Nai`a.
> 

same here, i disabled bl.mailspike.net last week


Best Regards
MfG Robert Schetterer



Re: OT: ANN: rulestats - spamassassin and rspamd daily rule statistics

2016-07-20 Thread Robert Schetterer
Am 20.07.2016 um 19:20 schrieb Christian Rößner:
> 
>> Am 20.07.2016 um 17:59 schrieb Robert Schetterer <r...@sys4.de>:
>>
>> Am 20.07.2016 um 09:17 schrieb Christian Rößner:
>>> Hi,
>>>
>>> I was interested which spamassassin (including dspam) and rspamd rules are 
>>> used in my mail system and I needed some statistical output. For this, I 
>>> have written two little helper scripts that can be put into logrotate. They 
>>> will produce reports for each filter.
>>>
>>> https://github.com/croessner/rulestats
>>>
>>> The provided examples show reports for both filters.
>>>
>>> Thanks for feedback. Have fun...
>>>
>>> Christian
>>>
>>
>> hm looks like it only related to amavis setups, not i.e pure
>> spamass-milter but however very good idea
> 
> Does spamass-milter log rules and scores to syslog? If so, it is easy to 
> tweak the PATERN variable in the script.
> 
> Next step is storing data in PostgreSQL per day. This allows sorting for 
> different criteria and you have long term stats.
> 
> Christian
> 

Hi,
let's do it offlist, it's not pure postfix stuff, perhaps after patching
an announce to the spamassassin/amavis lists should be done too




Best Regards
MfG Robert Schetterer



Re: OT: ANN: rulestats - spamassassin and rspamd daily rule statistics

2016-07-20 Thread Robert Schetterer
Am 20.07.2016 um 09:17 schrieb Christian Rößner:
> Hi,
> 
> I was interested which spamassassin (including dspam) and rspamd rules are 
> used in my mail system and I needed some statistical output. For this, I have 
> written two little helper scripts that can be put into logrotate. They will 
> produce reports for each filter.
> 
> https://github.com/croessner/rulestats
> 
> The provided examples show reports for both filters.
> 
> Thanks for feedback. Have fun...
> 
> Christian
> 

hm looks like it only related to amavis setups, not i.e pure
spamass-milter but however very good idea


Best Regards
MfG Robert Schetterer



Re: OT: ANN: S/MIME signing milter (for Postfix)

2016-07-13 Thread Robert Schetterer
Am 13.07.2016 um 15:45 schrieb Christian Rößner:
> Hi,
> 
> I developed a S/MIME signing milter that can be used with Postfix. It 
> features a simple map file, where you can define email addresses and 
> corresponding certs/keys. If a mail arrives, the milter checks the MAIL FROM 
> address and looks up the map file. If it finds a record, it signs the mail 
> with S/MIME.
> 
> The milter is written in C++ (14. Probably 11 will work as well).
> 
> I tested it on Mac OS X and Gentoo Linux. Readmes and Man-pages are included. 
> Feel free to give it a try:
> 
> https://signing-milter.org (Thanks to Andreas Schulze for the home)
> 
> Code: https://github.com/croessner/sigh
> 
> Feedback very welcome
> 
> Christian
> 

Hi Christian, do you plan SMIMEA Support on the long run ?

https://tools.ietf.org/html/draft-ietf-dane-smime-02

Best Regards
MfG Robert Schetterer



Re: Brutal attacks

2016-07-09 Thread Robert Schetterer
Am 09.07.2016 um 19:40 schrieb Lefteris Tsintjelis:
> On 09 Jul 2016, at 19:34, Robert Schetterer <r...@sys4.de> wrote:
> 
> Am 09.07.2016 um 17:07 schrieb Lefteris Tsintjelis:
>> Is this a good postfix way to stall attackers (besides log parsing and
>> fire walling)? Bots are increasing dramatically these days
>>
>> smtpd_soft_error_limit = 1
>> smtpd_hard_error_limit = 1
>> smtpd_error_sleep_time = 16s (or even more)
> 
> as i had that over years ...
> 
> firewalling is the best solution
> something like
> 
> https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
> 
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
> 
> https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
> 
> additional fail2ban, but log parse was too slow at my side
> and for sure use postscreen
> 
> if they love you, don't expect any better time with whatever solution
> you use, but if you're in luck it's only a wave
> 
> ———
> 
> They don’t just love me, they adore me but I think this is everywhere now 
> days. I am trying to avoid firewalls but there doesn’t seem to be any other 
> way anymore. Thank you for the links and hints
> 

i have one domain, brutally shot at by bots for over 10 years now, all the
time, if i ever don't need it anymore i will use it as spamtrap *g, other
domains are attacked in waves



Best Regards
MfG Robert Schetterer



Re: Brutal attacks

2016-07-09 Thread Robert Schetterer
Am 09.07.2016 um 17:07 schrieb Lefteris Tsintjelis:
> Is this a good postfix way to stall attackers (besides log parsing and
> fire walling)? Bots are increasing dramatically these days
> 
> smtpd_soft_error_limit = 1
> smtpd_hard_error_limit = 1
> smtpd_error_sleep_time = 16s (or even more)

as i had that over years ...

firewalling is the best solution
something like

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

additional fail2ban, but log parse was too slow at my side
and for sure use postscreen

if they love you, don't expect any better time with whatever solution
you use, but if you're in luck it's only a wave

Best Regards
MfG Robert Schetterer



Re: Ordering the preque filtering?

2016-05-22 Thread Robert Schetterer
Am 22.05.2016 um 19:00 schrieb Phil Stracchino:
> On 05/22/16 12:30, Robert Schetterer wrote:
>> lose mail means silent discard, this should never happen
>> you might not get the mail or some bounce ,but there is less you can do
>> with "broken" forwarders in any case.
>>
>> If someone decides to act as forwarder he has to honor existing
>> dkim/dmarc/spf cases
> 
> In an ideal world, yes.  But some surprisingly large legitimate mail
> handlers have not yet adopted or deployed DMARC.

you may wait to apocalypse  ( not the x-men one ) *g

> 
> Don't get me wrong, I am *eagerly* looking forward to the day when I can
> *safely* set p=reject.  But that day is not here yet.  Maybe soon.
> 
> 

i have several domains with different dmarc policies, the strict ones
most got problems with broken list servers ( if any ), however
dmarc/dkim/spf are no antispam techs ( perhaps sometimes they are
helpful with it ). Real world shows that botnets etc don't care about
your policies in every case ( but this is very different with each
domain ), so no policy promises you a rose garden, it works just as designed


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


Re: Ordering the preque filtering?

2016-05-22 Thread Robert Schetterer
Am 22.05.2016 um 02:07 schrieb Phil Stracchino:
> My point stands:  Making DMARC failure an automatic reject is a sound
> policy only if you're OK with losing legitimate mail because it passed
> through a forwarder who hasn't implemented DMARC yet.
> 

lose mail means silent discard, this should never happen
you might not get the mail or some bounce ,but there is less you can do
with "broken" forwarders in any case.

If someone decides to act as forwarder he has to honor existing
dkim/dmarc/spf cases


Best Regards
MfG Robert Schetterer



Re: reality-check on 2016 practical advice re: requiring inbound TLS?

2016-04-12 Thread Robert Schetterer
Am 12.04.2016 um 07:56 schrieb li...@lazygranch.com:
> Just a quickie here on DMARC. I set one domain to "quarantine" and set up the 
> rua to email me a report. Thus far, only MS Hotmail sends me anything, even 
> though I have emailed yahoo accounts.  
> 
> The MS Hotmail report is in XML, which I can read in vim or whatever. I'm not 
> sure what they intended me to use. 

or use

https://dmarcian.com/dmarc-xml/


> 
> Doing a survey of email clients with SPF and DKIM verification, I only found 
> Thunderbird does this, and with a plugin.  Thunderbird is in caretaker 
> status, so I don't use it. 
> 
> Thus an identification system (SPF and DKIM ) had been created that mail 
> system administrators are loathe to strictly enforce for received email, and 
> with no consequences, is only half heartedly complied with on the sending 
> side.  (Congrats to the interwebs for at least providing many DKIM/SPF 
> verification websites.)
> 
> And if we agree (OK, some agree) that strict rejection of received email 
> based on SPF and DKIM is not a good idea, you would think at least the email 
> clients would make detection of these identification methods more automatic.
> 
> Hats off to programmers for providing/maintaining tools that the masses don't 
> appreciate.
> 



Best Regards
MfG Robert Schetterer



Re: Webmin with Postfix: recommended or not.

2016-03-28 Thread Robert Schetterer
Am 26.03.2016 um 23:48 schrieb Tom Browder:
> I am considering using Webmin on my servers and see that it has a
> Postfix module. Does anyone have any experience with it or have an
> opinion to offer ref its ability to manage Postfix?
> 
> Thanks.
> 
> Best regards,

i used it on relays, and limited the functions of the module
to do very small changes on a few tables for total postfix ignorant
users, you shouldn't use it as a general config tool

> 
> -Tom



Best Regards
MfG Robert Schetterer



Re: RHEL / CentOS 7 RPMs

2016-03-14 Thread Robert Schetterer
Am 14.03.2016 um 19:15 schrieb Nikolaos Milas:
> Thank you all for the feedback.
> 
> Unfortunately, it seems that GhettoForge is currently (14 March) down
> (it shows some errors with a backtrace), while repo.mailserver.guru does
> not appear to include source rpms (SRPMs). If I am missing something,
> please point me to the right direction.

why not drop a mail to django

see

http://repo.mailserver.guru/

...
Site generated: 2015-03-06 by Django ( mailto link )


> 
> It is important to us to be able to have SRPMs, because we are modifying
> SPEC files to compile with LDAP support against LTB packages
> (http://ltb-project.org/wiki/download#openldap).
> 
> I have also found http://repos.oostergo.net/7/ packages which I have not
> tried yet. I have tried oostergo's RHEL 5 Postfix 3 sRPMs, but I have
> not had good results trying to change compilation options in the spec
> file to fit our build needs. (Yet, I cannot pretend I am the best of
> builders around. If I continue with these sRPMs, I might have to contact
> the author for some assistance.)
> 
> So, the issue still remains open to me.
> 
> All the best,
> Nick
> 



Best Regards
MfG Robert Schetterer



Re: RHEL / CentOS 7 RPMs

2016-03-12 Thread Robert Schetterer
Am 12.03.2016 um 14:04 schrieb Nikolaos Milas:
> Hello,
> 
> I would like to ask whether someone has worked on J. Mudd's RPMs
> (http://postfix.wl0.org/) to produce RHEL / CentOS 7 versions.
> 
> The above site includes code for RHEL / CentOS versions 5 and 6 (not for
> all Postfix versions, but which can be adapted more or less easily for
> current Postfix versions).
> 
> However, since RHEL / CentOS 7 is different in many aspects from older
> versions, I believe J. Mudd's sources might need more changes on it.
> 
> I have reached the point to like J. Mudd's sources, because they're
> quite versatile, offering many compilation options, covering practically
> most of admins' needs and for years I've always had good results using
> them as basis for our (production and test) RPMs on CentOS 5 and 6.
> 
> If someone can advise me on this subject, I would appreciate any and all
> feedback.
> 
> Thanks in advance.
> 
> All the best,
> Nick

http://repo.mailserver.guru/7/os/x86_64/repoview/postfix.html

http://repo.mailserver.guru/7/os/x86_64/Packages/postfix-2.11.6-1.el7.centos.x86_64.rpm

not total up2date but seems a fine release number going in production


Best Regards
MfG Robert Schetterer



Re: SV: Security: How to limit authentication attempts?

2016-02-21 Thread Robert Schetterer
Am 21.02.2016 um 13:00 schrieb Kiss Gábor:
>>> My colleagues need authenticated channel to submit mails when traveling.
>>> So disabling sasl is not an option.
>>
>> read again i just say disable it on port 25
>>
>> and convince users to use submission port 587, or 465 as users see fit
> 
> Can you guarantee that hotel firewalls allows to reach my port 587? :->

there is no guarantee for port 25 open at all
it's not exotic that 25 is blocked to kill infected win pcs.
The answer mostly is webmail ( "perhaps" active sync ) cause https open
is a must have at public networks in real world.
In modern public firewalls submission port should be open , cause in big
mail setups this port is default these days. Also
most used mail clients can be configured auto with IMAP SPECIAL-USE
and projects like
https://automx.org/en/ so no big work at migrate

> 
>>> The problem is already solved by Allen Coates. :-)
>>
>> what problem ?
> 
> "how to configure smtpd to close connection after 3 authentication error"?
> http://article.gmane.org/gmane.mail.postfix.user/254364
> 
> Gabor
> 



Best Regards
MfG Robert Schetterer



Re: Security: How to limit authentication attempts?

2016-02-21 Thread Robert Schetterer
Am 21.02.2016 um 11:48 schrieb Allen Coates:
> Do  smtpd_hard_error_limit
> <http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit> and
> smtpd_soft_error_limit
> <http://www.postfix.org/postconf.5.html#smtpd_soft_error_limit> count
> authentication failures as "errors"?
> 
> I don't receive enough emails (or attacks) to have a definitive answer.
> 
> Allen C

this helps a little bit
it may free resources more quickly
but it's not a good solution ( tested )

in hard cases fail2ban is a good option
also disable sasl auth on port 25 ,only use it with submission


you may also modify my iptables recent script to your needs

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

> 
> 
> On 21/02/16 07:47, Kiss Gábor wrote:
>> Dear folks,
>>
>> My logs are full of lines like this:
>>
>> Feb 21 04:12:05 MYOLDMTA postfix/smtpd[12967]: warning: 
>> unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication 
>> failure
>>
>> This is a brute force attack in order to get a valid username/password pair.
>> The cracker usually does 20 attempts within a single SMTP session.
>> Though fail2ban alerts the firewall after the third or fourth one but
>> network filtering applies to new connections only.
>> (I would not filter _all_ incoming packets until it is
>> absolutely necessary.)
>>
>> So the attacker may try any number of password quite unobtrusively.
>>
>> Is there any way to instruct smtpd to close session after 3 unsuccessful
>> attempts as is written in RFC 4954? I found no appropriate config parameter.
>>
>> https://tools.ietf.org/html/rfc4954#section-9
>>    Servers MAY implement a policy whereby the connection is dropped
>>    after a number of failed authentication attempts.  If they do so,
>>    they SHOULD NOT drop the connection until at least 3 attempts to
>>    authenticate have failed.
>>
>> The affected Postfix version is 2.11.3, our old MTA.
>> The new one is not found yet by the bad guys.
>>
>> Regards
>>
>> Gabor
> 
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
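
Detection logic for the situation Kiss Gábor describes, as an added example that is not from the thread: it counts SASL failures per smtpd session as well as per IP, so guesses made inside one long-lived connection stand out from separate short sessions. The log lines are constructed in the format quoted above, documentation IP ranges are used, and one connection per smtpd PID at a time is assumed.

```python
import re
from collections import defaultdict

THRESHOLD = 3  # RFC 4954 section 9: do not drop before 3 failed attempts


def _session(pid, ip, failures, minute):
    """Build constructed log lines for one SMTP session (not real traffic)."""
    head = f"Feb 21 04:{minute:02d}:"
    tag = f" MYOLDMTA postfix/smtpd[{pid}]: "
    lines = [f"{head}00{tag}connect from unknown[{ip}]"]
    for i in range(failures):
        lines.append(f"{head}{i + 1:02d}{tag}warning: unknown[{ip}]: "
                     "SASL LOGIN authentication failed: authentication failure")
    lines.append(f"{head}59{tag}disconnect from unknown[{ip}]")
    return lines


SAMPLE_LOG = "\n".join(
    _session(12967, "198.51.100.23", 20, 12)   # one long guessing session
    + _session(12970, "203.0.113.8", 1, 13)    # user mistyping a password
    + _session(12971, "203.0.113.8", 1, 14)
)

# smtpd connect/disconnect records and SASL failure warnings.
EVENT_RE = re.compile(
    r"postfix\S*/smtpd\[(?P<pid>\d+)\]:\s(?:"
    r"(?P<conn>connect|disconnect) from \S*?\[(?P<cip>[^\]]+)\]"
    r"|warning: \S*?\[(?P<fip>[^\]]+)\]: SASL \S+ authentication failed)"
)


def analyze(log_text, threshold=THRESHOLD):
    """Per-IP summary of SASL failures, split by SMTP session."""
    open_sessions = {}  # smtpd pid -> [client ip, failures so far]
    finished = []       # (client ip, failures) per closed session
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        pid = m.group("pid")
        if m.group("conn") == "connect":
            open_sessions[pid] = [m.group("cip"), 0]
        elif m.group("conn") == "disconnect":
            if pid in open_sessions:
                finished.append(tuple(open_sessions.pop(pid)))
        else:
            # A failure with no connect seen means the log starts mid-session.
            sess = open_sessions.setdefault(pid, [m.group("fip"), 0])
            sess[1] += 1
    finished.extend(tuple(s) for s in open_sessions.values())  # open at EOF

    report = defaultdict(lambda: {"failures": 0, "sessions": 0,
                                  "worst_session": 0, "past_threshold": 0})
    for ip, failures in finished:
        entry = report[ip]
        entry["failures"] += failures
        entry["sessions"] += 1
        entry["worst_session"] = max(entry["worst_session"], failures)
        # Guesses made after the threshold inside the same connection: these
        # are the ones a filter acting only on new connections does not stop.
        entry["past_threshold"] += max(0, failures - threshold)
    return dict(report)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry)
```
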


Re: SV: SV: SV: Blocking TLDs

2016-02-20 Thread Robert Schetterer
Am 20.02.2016 um 12:01 schrieb Sebastian Nielsen:
> Why are you people so negative against DISCARD, and wants to use REJECT

Silent discard mail is not allowed in many EU countries, you're the
postman, you don't have to deliver bombs ( virus ), you may react on
marketing letters ( spam ) by sort them or simply reject at the start
when you receive it, and only if your customer ordered you to do so
but in general you are not allowed to burn others' letters


Best Regards
MfG Robert Schetterer



Re: Spawning milter processes

2016-01-31 Thread Robert Schetterer
Am 31.01.2016 um 18:04 schrieb Ron Garret:
> 
> On Jan 31, 2016, at 1:28 AM, Robert Schetterer <r...@sys4.de> wrote:
> 
>> Am 31.01.2016 um 09:56 schrieb Ron Garret:
>>> Hello,
>>>
>>> What is the usual way to start a milter process?  Can postfix be configured 
>>> to spawn it automatically, or does the milter have to be set up as a 
>>> separate service?  If the former, how do you do it?
>>>
>>> Thanks,
>>> rg
>>>
>>
>> milters are usually separate services
> 
> OK, but is there any way to get Postfix to restart a milter if it goes down?  
> By default, if a milter goes down, it takes postfix down with it.

in real milters have a tendency to stop sometimes, so some of them have
an auto restart feature, for safety use monit to monitor them
in postfix you can config what to do if milter isn't working anymore


http://postfix.cs.utah.edu/postconf.5.html#milter_default_action


> 
> Also, why did you hedge with “usually”?  What other possibilities are there?

to my knowledge none...but that may not ultimate

> 
> rg
> 



Best Regards
MfG Robert Schetterer



Re: Spawning milter processes

2016-01-31 Thread Robert Schetterer
Am 31.01.2016 um 09:56 schrieb Ron Garret:
> Hello,
> 
> What is the usual way to start a milter process?  Can postfix be configured 
> to spawn it automatically, or does the milter have to be set up as a separate 
> service?  If the former, how do you do it?
> 
> Thanks,
> rg
> 

milters are usually separate services


Best Regards
MfG Robert Schetterer



Re: How to configure postfix so that mail are received using time from the server

2016-01-15 Thread Robert Schetterer
Am 16.01.2016 um 08:05 schrieb Eric Kom:
> Good day folk,
> I ran Postfix with Dovecot as a mailbox for years now.
> I noticed that, when a sender sent mails, the mailbox received it using
> the date and time from the sender machine not a server one.
> Which make the receiver mailbox saving the mails at the wrong time.
> Please can someone help me if something have to be done regarding this
> issue?
> Thanks
> 

do you mean issue to fix with this plugin ?

https://addons.mozilla.org/de/thunderbird/addon/imap-received-date/?src=search

Best Regards
MfG Robert Schetterer



Re: Postfix + Dovecot and the purpose of LMTP

2016-01-06 Thread Robert Schetterer
Am 06.01.2016 um 17:51 schrieb Dennis Steinkamp:
> My first questions is, what are the benefits of letting Dovecot handle
> mail delivery instead of the postfix mda?

i.e dovecot and postfix may hosted at different places/servers,
in real complex mail setups are used widely

> If i go for the lmtp approach, directory related postfix directives like
> virtual_mailbox_base etc. are totally ignored cause the responsibility
> od delivering mails to  a certain directory is completly outsourced,
> correct?

depends, i have

virtual_transport  = lmtps:inet:localhost:24
virtual_mailbox_base = /usr/local/virtual
virtual_minimum_uid = 1001
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001

both postfix and dovecot have more data in sql
so its a question of "design" what you want

Best Regards
MfG Robert Schetterer



Re: Which Postfix Book do you recommend?

2015-12-30 Thread Robert Schetterer
Am 30.12.2015 um 23:54 schrieb Dennis Steinkamp:
> Thank you for your reply.
> My postfix "needs" are pretty vague at this time.
> 
> Lets just say my goal for now is, to configure a postfix server for a
> single (test) domain with SMTP-AUTH and Dovecot
> so that ultimately, i can send and receive e-mails from my MUA.
> (Thunderbird in my case)
> I tend to learn new things best when i start from a simple and total
> minimalistic setup and adjust the configuration step-by-step from there.
> That approach is pretty much what the book of postfix does but it
> doesn`t cover dovecot. (SASL section is about Cyrus not Dovecot for
> example)
> Of course there are many guides and howtos floating around the web but
> they don`t help me to understand how things work together.
> I am looking for a book that helps me to accomplish what i described
> earlier in a "step-by-step" fashion.
> 
> I would appreciate any recommendations you guys can give.
> 
> Thank you
> 
> Dennis


this is a mostly complete complex setup

https://www.exratione.com/2014/05/a-mailserver-on-ubuntu-1404-postfix-dovecot-mysql/

you might try google

dovecot postfix ubuntu

to find masses of step by step instructions

also

http://wiki2.dovecot.org/HowTo

should help and for sure the well done postfix doku

> 
> 
> Am 30.12.2015 um 23:02 schrieb Robert Schetterer:
>> Am 30.12.2015 um 21:47 schrieb Dennis Steinkamp:
>>> Hey guys,
>>>
>>> i want to learn more about Postfix and mail servers in general.
>>> This is more out of curiosity and personal interest, i am not a
>>> postmaster or anything. :)
>>>
>>> I purchased the Book of Postfix a while ago and read through a few
>>> chapters.
>>> I am sure most of it is still valid but on the other hand, postfix
>>> evolved and afaik the (english) book never got an update.
>>>
>>> There are other german postfix books which seem to be a more or less
>>> translation of the Book of postfix but covering more recent postfix
>>> topics.
>>> (especially the postfix + dovecot part is interesting)
>>>
>>> I am talking about:
>>> http://www.postfixbuch.de/
>> Peer Heinlein
>>
>>> http://www.postfix-buch.com/
>> Ralf Hildebrandt, Patrick Ben Koetter
>>
>> https://sys4.de/de/sys4/
>>
>>> Are these books exactly the same?
>> No, written by different Germans
>>
>>> Am i right to assume that the german books are a little bit more
>>> up2date?
>> Most up2date might be
>>
>> http://www.dovecot-buch.de/
>>
>> see
>>
>> Peer Heinlein pre x-mas notice
>>
>> https://www.mail-archive.com/dovecot@dovecot.org/msg64398.html
>>
>>
>>
>> But I don't know if it covers your needs
>>
>>> Thank you for answering.
>>>
>>> Dennis
>> Printed books in general can't be up2date these days
>> as both projects postfix and dovecot are very active
>> but they can teach basics
>>
>>
>> Best Regards
>> MfG Robert Schetterer
>>
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: Which Postfix Book do you recommend?

2015-12-30 Thread Robert Schetterer
On 30.12.2015 at 21:47, Dennis Steinkamp wrote:
> Hey guys,
> 
> i want to learn more about Postfix and mail servers in general.
> This is more out of curiosity and personal interest, i am not a
> postmaster or anything. :)
> 
> I purchased the Book of Postfix a while ago and read through a few
> chapters.
> I am sure most of it is still valid but on the other hand, postfix
> evolved and afaik the (english) book never got an update.
> 
> There are other german postfix books which seem to be a more or less
> translation of the Book of postfix but covering more recent postfix topics.
> (especially the postfix + dovecot part is interesting)
> 
> I am talking about:

> http://www.postfixbuch.de/

Peer Heinlein

> http://www.postfix-buch.com/

Ralf Hildebrandt, Patrick Ben Koetter

https://sys4.de/de/sys4/

> 
> Are these books exactly the same?

No, written by different Germans

> Am i right to assume that the german books are a little bit more up2date?

Most up2date might be

http://www.dovecot-buch.de/

see

Peer Heinlein pre x-mas notice

https://www.mail-archive.com/dovecot@dovecot.org/msg64398.html



But I don't know if it covers your needs

> 
> Thank you for answering.
> 
> Dennis

Printed books in general can't be up2date these days
as both projects postfix and dovecot are very active
but they can teach basics


Best Regards
MfG Robert Schetterer



Re: Save outgoing messages

2015-12-28 Thread Robert Schetterer
On 28.12.2015 at 17:29, Gilberto Nunes wrote:
> Hello List
> 
> Is there some way to store sent mail in a folder, using procmail or
> whatever?
> I try search in google but found nothing...
> 
> 
> Thanks a lot for any kind of help.
> 
> -- 
> 
> Gilberto Ferreira
> 
> 

in the future there may be some sieve stuff for this, meanwhile
sender_bcc_maps should work as workaround
often used as mail archive solution


i.e.
https://sys4.de/de/blog/2013/02/07/mailarchiv-mit-dovecot-und-postfix-sortiert-nach-datum-mailadressen-und-ein-ausgehend-unterordnern/

sorry, German only


Best Regards
MfG Robert Schetterer



Re: cleanup service and removing headers

2015-12-20 Thread Robert Schetterer
On 20.12.2015 at 19:58, Alex wrote:
> Hi all,
> 
> I posted a message some time ago about stripping internal headers from
> outbound mail, and I didn't receive any response. I thought I would
> follow up. Is there more information I can provide? Should I be
> approaching this a different way?
> 
> Any ideas greatly appreciated.
> 
> On Sun, Dec 13, 2015 at 10:06 PM, Alex <mysqlstud...@gmail.com> wrote:
>> Hi,
>>
>> I'd like to use the cleanup service to remove internal headers for
>> privacy. I'd also like to make sure to not break DKIM signing in the
>> process.
>>
>> I've tried to redefine the cleanup service to auth-cleanup for
>> submission. I already have a submission service that works
>> successfully.
>>
>> auth-cleanup   unix  n   -   n   -   0   cleanup
>>   -o syslog_name=postfix/auth-cleanup
>>   -o header_checks=pcre:/etc/postfix/auth_header_checks.pcre
>>
>> submission inet n   -   n   -   -   smtpd
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>>   -o receive_override_options=$submission_overrides
>>   -o syslog_name=postfix/submission
>>   -o cleanup_service_name=auth-cleanup
>>
>> /etc/postfix/auth_header_checks.pcre
>> /^\s*(Received: from)[^\n]*(?!inside.example.com).*/ REPLACE $1
>> [127.0.0.1] (localhost 127.0.0.1])
>>
>> Received: from sage.inside.example.com (sage.inside.example.com
>> [192.168.1.7]) (using TLSv1.2
>> with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did
>> not present a certificate) (Authenticated sender: alex)
>> by orion.example.com (Postfix) with ESMTPSA id DE862A60121
>> for <web-y5x...@mail-tester.com>; Sun, 13 Dec 2015 21:57:00 -0500 (EST)
>>
>> Dec 13 21:57:00 orion postfix/submission/smtpd[30338]: DE862A60121:
>> client=sage.inside.example.com[192.168.1.
>> 7], sasl_method=PLAIN, sasl_username=alex
>> Dec 13 21:57:00 orion postfix/auth-cleanup/cleanup[30346]:
>> DE862A60121: message-id=<566e2ffc.20...@example.com>
>>
>> I'm not very good with regular expressions. Could that be the problem here?
>>
>> Please let me know if there's other information I can provide to help.
>>
>> Thanks,
>> Alex

perhaps more what you want

https://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/


Best Regards
MfG Robert Schetterer



Re: cleanup service and removing headers

2015-12-20 Thread Robert Schetterer
On 20.12.2015 at 19:58, Alex wrote:
> Hi all,
> 
> I posted a message some time ago about stripping internal headers from
> outbound mail, and I didn't receive any response. I thought I would
> follow up. Is there more information I can provide? Should I be
> approaching this a different way?
> 
> Any ideas greatly appreciated.
> 
> On Sun, Dec 13, 2015 at 10:06 PM, Alex <mysqlstud...@gmail.com> wrote:
>> Hi,
>>
>> I'd like to use the cleanup service to remove internal headers for
>> privacy. I'd also like to make sure to not break DKIM signing in the
>> process.
>>
>> I've tried to redefine the cleanup service to auth-cleanup for
>> submission. I already have a submission service that works
>> successfully.
>>
>> auth-cleanup   unix  n   -   n   -   0   cleanup
>>   -o syslog_name=postfix/auth-cleanup
>>   -o header_checks=pcre:/etc/postfix/auth_header_checks.pcre
>>
>> submission inet n   -   n   -   -   smtpd
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>>   -o receive_override_options=$submission_overrides
>>   -o syslog_name=postfix/submission
>>   -o cleanup_service_name=auth-cleanup
>>
>> /etc/postfix/auth_header_checks.pcre
>> /^\s*(Received: from)[^\n]*(?!inside.example.com).*/ REPLACE $1
>> [127.0.0.1] (localhost 127.0.0.1])
>>
>> Received: from sage.inside.example.com (sage.inside.example.com
>> [192.168.1.7]) (using TLSv1.2
>> with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did
>> not present a certificate) (Authenticated sender: alex)
>> by orion.example.com (Postfix) with ESMTPSA id DE862A60121
>> for <web-y5x...@mail-tester.com>; Sun, 13 Dec 2015 21:57:00 -0500 (EST)
>>
>> Dec 13 21:57:00 orion postfix/submission/smtpd[30338]: DE862A60121:
>> client=sage.inside.example.com[192.168.1.
>> 7], sasl_method=PLAIN, sasl_username=alex
>> Dec 13 21:57:00 orion postfix/auth-cleanup/cleanup[30346]:
>> DE862A60121: message-id=<566e2ffc.20...@example.com>
>>
>> I'm not very good with regular expressions. Could that be the problem here?
>>
>> Please let me know if there's other information I can provide to help.
>>
>> Thanks,
>> Alex

perhaps this helps

https://posluns.com/guides/header-removal/
https://falkhusemann.de/blog/2012/08/postfix-header-anonymisieren/



Best Regards
MfG Robert Schetterer

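An added example, not part of the posts above: Python's `re` stands in for Postfix's PCRE engine to test the pattern quoted in the question against the Received header from the same post. It shows that the negative lookahead never excludes anything, because the greedy `[^\n]*` has already consumed the hostname; `INTERNAL_ONLY` is an assumed reading of the intent, and the external-hop and X-Mailer headers are constructed.

```python
import re

# pcre_table(5) defaults: case-insensitive, DOTALL on. header_checks gets one
# logical header at a time, so a folded header is matched as a single string.
PCRE_DEFAULTS = re.IGNORECASE | re.DOTALL

# Pattern as quoted in the post (the REPLACE text is left out here).
POSTED = r"^\s*(Received: from)[^\n]*(?!inside.example.com).*"
# The same pattern with the lookahead deleted, for comparison.
POSTED_NO_LOOKAHEAD = r"^\s*(Received: from)[^\n]*.*"
# Assumption about the intent (not stated in the post): fire only on hops
# whose client host is under inside.example.com.
INTERNAL_ONLY = r"^Received: from\s+\S+\.inside\.example\.com\s"

# Received header from the post, folded the way it was quoted.
INTERNAL_HOP = (
    "Received: from sage.inside.example.com (sage.inside.example.com\n"
    "\t[192.168.1.7]) (using TLSv1.2\n"
    "\twith cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did\n"
    "\tnot present a certificate) (Authenticated sender: alex)\n"
    "\tby orion.example.com (Postfix) with ESMTPSA id DE862A60121\n"
    "\tfor <web-y5x...@mail-tester.com>; Sun, 13 Dec 2015 21:57:00 -0500 (EST)"
)
# Constructed samples: a hop from an outside host and an unrelated header.
EXTERNAL_HOP = (
    "Received: from mx.example.net (mx.example.net [203.0.113.9])\n"
    "\tby orion.example.com (Postfix) with ESMTPS id 0123456789A\n"
    "\tfor <alex@example.com>; Sun, 13 Dec 2015 22:10:00 -0500 (EST)"
)
UNRELATED = "X-Mailer: constructed sample header"

SAMPLES = [INTERNAL_HOP, EXTERNAL_HOP, UNRELATED]


def hits(pattern, headers=SAMPLES):
    """Return one bool per header: would this pattern fire on it?"""
    return [re.search(pattern, h, PCRE_DEFAULTS) is not None for h in headers]


def skipped_before_lookahead(header):
    """Text the greedy [^\\n]* swallows before (?!...) is evaluated."""
    m = re.search(r"^\s*Received: from([^\n]*)(?!inside.example.com)",
                  header, PCRE_DEFAULTS)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name in ("POSTED", "POSTED_NO_LOOKAHEAD", "INTERNAL_ONLY"):
        print(f"{name:20} {hits(globals()[name])}")
    # The hostname is already behind the match position when the lookahead runs.
    print(repr(skipped_before_lookahead(INTERNAL_HOP)))
```

Against the live table, `postmap -q "<header text>" pcre:/etc/postfix/auth_header_checks.pcre` prints the action a given header would trigger.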


Re: For wrong auth , how to block IP or introduce delay for sender in real time ?

2015-10-17 Thread Robert Schetterer
On 17.10.2015 at 09:45, Jayesh Shinde wrote:
> Hello all  ,
> 
> I am having mailserver with centos 6.3 + cyrus-imapd + postfix + ldap
> 
> Many spammer are trying to hack password for doing many authentication 
> with pop3 + imap + smtp  services.
> on server Fail2ban has been  added , but its blocking hacker IPs after
> certain interval  and not in real time.  Which is the actual issue.
> 
> I am looking for some real-time blocking where that particular  spammer
> IP + email id must get block  .
> 
> I believe this issue is very common with other too ,  is there any
> option in 'saslauthd'  /  postfix  / cyrus-imapd for below requirement ?
> 
> 1)  If server receive the wrong password , then is it possible to
> introduce the delay of say 5-10 seconds to sender client ? So that
> spammer will do less attempt ?
> 2)  After given wrong password attempt more than 3 time , the particular
> "IP + email id" must get block for next 5-10 min.
> And then need to unblock after  that. 
> 3) I check PAM-ABL , but its not working for 'saslauthd'' with pop /
> imap / smtp . Because I came to know that 'saslauthd'' is not getting IP
> of source . 
> How to pass  source IP to "saslauthd''  along with email id , password
> and realm .  Is there any patch available for this ?
> 
> 
> Please suggest
> 
> Regards
> Jayesh Shinde

perhaps you wanna poke with this

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

http://blog.schaal-24.de/firewall/postfix-postscreen-ip-in-die-firewall-eintragen/

Best Regards
MfG Robert Schetterer



Re: Can Postscreen and Smapassassin be used together

2015-09-10 Thread Robert Schetterer
On 10.09.2015 at 10:47, Peter wrote:
> What you don't want to do is run postscreen and postgrey on the same
> system. 

you can do it if you use i.e. postgrey very selectively
but for sure postscreen leaves not very much for postgrey

Best Regards
MfG Robert Schetterer



Re: Can Postscreen and Smapassassin be used together

2015-09-10 Thread Robert Schetterer
On 10.09.2015 at 08:37, Robert Chalmers wrote:
> I’m currently running postscreen, and am wondering how I would add 
> spamassassin to the main.cf configuration, or are they mutually exclusive?
> 
> 

no problem, works nice, perhaps use it as milter


Best Regards
MfG Robert Schetterer



Re: Postfix 3.x for RedHat/CentOS 7.x

2015-09-06 Thread Robert Schetterer
On 06.09.2015 at 12:21, Benning, Markus wrote:
> It tested it so far that "it worked for me".
> As you mentioned shared libs and dynamicmaps needed adjustments.
> 
> I think its best to contact the current maintainer LaMont Jones.
> If he is not able to update the package it may be possible futher
> improve the updated package and do an non-maintainer upload.

Yes, yes, yes Debian/Ubuntu should go Postfix 3.x soon


Best Regards
MfG Robert Schetterer



Re: Postfix 3.x for RedHat/CentOS 7.x

2015-09-05 Thread Robert Schetterer
On 05.09.2015 at 20:07, Patrick Ben Koetter wrote:
> Greetings,
> 
> is there anyone who knows a download location of Postfix 3.x packages for
> RedHat/CentOS 7.x?
> 
> Regards,
> 
> p@rick
> 

Django has it

http://repo.mailserver.guru/7/testing/x86_64/repoview/index.html


Best Regards
MfG Robert Schetterer



Re: 554 5.6.1 Body type not supported by Remote Host

2015-08-28 Thread Robert Schetterer
On 28.08.2015 at 19:56, Per olof Ljungmark wrote:
>
>
> On 2015-08-28 19:55, Robert Schetterer wrote:
>> On 28.08.2015 at 19:46, Per olof Ljungmark wrote:
>>> On 2015-08-28 18:07, Viktor Dukhovni wrote:
>>>> On Fri, Aug 28, 2015 at 05:59:08PM +0200, Per olof Ljungmark wrote:
>>>>
>>>>> Yes, that helped with Thunderbird but not from Horde/IMP where it still
>>>>> bounces the same way.
>>>>>
>>>>> The difference seems to be that IMP sends a
>>>>> Content-Transfer-Encoding: quoted-printable
>>>>>
>>>>> and TB
>>>>> Content-Transfer-Encoding: 8bit
>>>>>
>>>>> Could this be the cause?
>>>>
>>>> Yes, if IMP sends data claimed to be quoted-printable, but containing
>>>> unencoded non-ASCII characters.
>>>>
>>>> You'll need to capture a sample message and find the violation.
>>>
>>> Looking at the sent messages I cannot find anything violating
>>> quoted-printable, It's is It=C2=B4s for instance.
>>>
>>> IMP uses
>>> Content-Transfer-Encoding: quoted-printable
>>> and that seems to be true.
>>>
>>> and TB uses
>>> Content-Transfer-Encoding: 8bit
>>> which also seems true and is dealt with according to Wietse's reply.
>>>
>>> What I do not understand is that in the bounce from the remote Exchange
>>> mail relay, our IMP message is presented as 8bit.
>>>
>>> Sent:
>>>
>>> --=_rJ0N-qFsVHye8YMhx4uKOaC
>>> Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
>>> Content-Description: Endast text-meddelande
>>> Content-Disposition: inline
>>> Content-Transfer-Encoding: quoted-printable
>>>
>>> Bounce:
>>>
>>> --=_rJ0N-qFsVHye8YMhx4uKOaC
>>> Content-Type: text/plain;
>>> format=flowed;
>>> charset=utf-8;
>>> delsp=Yes
>>> Content-Description: Endast text-meddelande
>>> Content-Disposition: inline
>>> Content-Transfer-Encoding: 8bit
>>>
>>> As my knowledge sort of ends here I will ask our sysadmin Monday to look
>>> over what is coming out of IMP, but I seriously doubt that it is
>>> anything wrong with it.
>>>
>>> Thanks!
>>>
>>
>> old imp version ?
>>
>> https://bugs.horde.org/ticket/13851
>
> horde-imp-6.2.10
>
> Not ancient, is it?

no looks fine

http://www.horde.org/download/imp

however it may contain a new bug, perhaps file an example

at https://bugs.horde.org/

 



Best Regards
MfG Robert Schetterer



Re: Tons of SMTP AUTH failures in logs

2015-08-28 Thread Robert Schetterer
On 28.08.2015 at 20:03, Forrest wrote:
> I've become used to the script kiddies sending out large connection
> requests (I do have a threshold set).  They are able to get around it by
> other connections.  For example, I had 857 connects of this:
>
> Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from
> unknown[5.232.194.77]
> Aug 28 11:57:35 mail postfix/smtpd[20544]: warning: Connection rate
> limit exceeded: 56 from unknown[5.232.194.77] for service smtp
> Aug 28 11:57:35 mail postfix/smtpd[20544]: disconnect from
> unknown[5.232.194.77] ehlo=1 auth=0/1 unknown=0/2 commands=1/4
>
> While it may be time for an external tool like fail2ban, I'm wondering
> if there are other measures I can take, that may break things (but I'm
> the only one that uses this system), such as changing port numbers of
> certain services.
>
> I do block the IP spaces when I see this, which is a no-brainer.  But I
> wonder how others are mitigating this activity.   Pointers, advice
> welcomed (and thanks in advance).
>
>
> _F
>
>

if you're the only user, postscreen and fail2ban should be fine


Best Regards
MfG Robert Schetterer



Re: Tons of SMTP AUTH failures in logs

2015-08-28 Thread Robert Schetterer
On 28.08.2015 at 20:28, Forrest wrote:
> On 8/28/15 2:09 PM, Robert Schetterer wrote:
>> On 28.08.2015 at 20:03, Forrest wrote:
>>> I've become used to the script kiddies sending out large connection
>>> requests (I do have a threshold set).  They are able to get around it by
>>> other connections.  For example, I had 857 connects of this:
>>>
>>> Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from
>>> unknown[5.232.194.77]
>>> Aug 28 11:57:35 mail postfix/smtpd[20544]: warning: Connection rate
>>> limit exceeded: 56 from unknown[5.232.194.77] for service smtp
>>> Aug 28 11:57:35 mail postfix/smtpd[20544]: disconnect from
>>> unknown[5.232.194.77] ehlo=1 auth=0/1 unknown=0/2 commands=1/4
>>>
>>> While it may be time for an external tool like fail2ban, I'm wondering
>>> if there are other measures I can take, that may break things (but I'm
>>> the only one that uses this system), such as changing port numbers of
>>> certain services.
>>>
>>> I do block the IP spaces when I see this, which is a no-brainer.  But I
>>> wonder how others are mitigating this activity.   Pointers, advice
>>> welcomed (and thanks in advance).
>>>
>>>
>>> _F
>>>
>>>
>> if you're the only user, postscreen and fail2ban should be fine
>>
>>
>> Best Regards
>> MfG Robert Schetterer
>>
>
> There is potential this server will be used more widely, though.
>
> The default connection rate limiting seems to work; however, the above
> mentioned log had a client connecting over 800 times, and I think that
> should never happen.  I read through postscreen's README page online and
> I'm not clear about how postscreen can mitigate this.  Do you have some
> pointers to pages that show examples of this?
>
> Thanks.

in very short words
the only way to limit cons is rejecting/dropping with a firewall,
postscreen is able to do early rejects but however meanwhile it has smtp
slots open
so combine fail2ban etc and postscreen may be a good idea

in the past i tested other solutions, but be warned these must fit to
your setup and needs

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

http://blog.arschkrebs.de/blog/new-fail2ban-rules-for-postscreen/

http://blog.schaal-24.de/firewall/postfix-postscreen-ip-in-die-firewall-eintragen/?lang=en

http://www.kinader.eu/postfix-in-fail2ban-sinnvoll-einbinden-395/



Best Regards
MfG Robert Schetterer

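An added example, not taken from any of the posts: the counting that fail2ban-style tools perform, applied to `disconnect` lines in the format of the log excerpt quoted above, with the policy asked for in the earlier "For wrong auth" thread (block after more than 3 failed attempts, for 10 minutes). The 5-minute window, the function name `find_bans` and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                   # "more than 3" failed attempts triggers a block
WINDOW = timedelta(minutes=5)      # assumed look-back window
BAN_TIME = timedelta(minutes=10)   # upper end of the 5-10 minutes asked for

# Syslog prefix of a Postfix smtpd line, with or without a syslog_name infix.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?:\S+/)?smtpd\[\d+\]: (?P<msg>.*)$")
# Session summary: "auth=ok/all" appears only when some AUTH command failed;
# a fully successful session logs plain "auth=1" and is skipped by this regex.
DISCONNECT = re.compile(
    r"^disconnect from \S*\[(?P<ip>[^\]]+)\].*\bauth=(?P<ok>\d+)/(?P<all>\d+)")

# Constructed log lines (documentation address ranges).
SAMPLE_LOG = """\
Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from unknown[203.0.113.77]
Aug 28 11:57:35 mail postfix/smtpd[20544]: disconnect from unknown[203.0.113.77] ehlo=1 auth=0/1 unknown=0/2 commands=1/4
Aug 28 11:57:50 mail postfix/smtpd[20545]: disconnect from unknown[203.0.113.77] ehlo=1 auth=0/2 quit=1 commands=2/4
Aug 28 11:58:10 mail postfix/submission/smtpd[20551]: disconnect from client.example.org[198.51.100.20] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Aug 28 11:58:20 mail postfix/smtpd[20546]: disconnect from unknown[203.0.113.77] ehlo=1 auth=0/1 commands=1/2
Aug 28 11:59:00 mail postfix/smtpd[20547]: disconnect from unknown[203.0.113.77] ehlo=1 auth=0/1 commands=1/2
Aug 28 12:00:00 mail postfix/submission/smtpd[20552]: disconnect from client.example.org[198.51.100.20] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Aug 28 12:20:00 mail postfix/submission/smtpd[20553]: disconnect from client.example.org[198.51.100.20] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
""".splitlines()


def find_bans(lines, year=2015):
    """Return (ip, banned_at, banned_until) for clients over the threshold.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failed AUTH commands
    banned_until = {}
    bans = []
    for line in lines:
        m = LINE.match(line)
        d = DISCONNECT.match(m["msg"]) if m else None
        if not d:
            continue
        failed = int(d["all"]) - int(d["ok"])
        if failed <= 0:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = d["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue              # still blocked; a firewall would have dropped it
        q = recent[ip]
        q.extend([ts] * failed)
        while q and ts - q[0] > WINDOW:
            q.popleft()           # forget failures older than the window
        if len(q) > MAX_FAILURES:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"block {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The returned tuples are decisions only; the block itself still has to be enforced in the firewall, as the reply above says.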


Re: 554 5.6.1 Body type not supported by Remote Host

2015-08-28 Thread Robert Schetterer
On 28.08.2015 at 19:46, Per olof Ljungmark wrote:
> On 2015-08-28 18:07, Viktor Dukhovni wrote:
>> On Fri, Aug 28, 2015 at 05:59:08PM +0200, Per olof Ljungmark wrote:
>>
>>> Yes, that helped with Thunderbird but not from Horde/IMP where it still
>>> bounces the same way.
>>>
>>> The difference seems to be that IMP sends a
>>> Content-Transfer-Encoding: quoted-printable
>>>
>>> and TB
>>> Content-Transfer-Encoding: 8bit
>>>
>>> Could this be the cause?
>>
>> Yes, if IMP sends data claimed to be quoted-printable, but containing
>> unencoded non-ASCII characters.
>>
>> You'll need to capture a sample message and find the violation.
>
> Looking at the sent messages I cannot find anything violating
> quoted-printable, It's is It=C2=B4s for instance.
>
> IMP uses
> Content-Transfer-Encoding: quoted-printable
> and that seems to be true.
>
> and TB uses
> Content-Transfer-Encoding: 8bit
> which also seems true and is dealt with according to Wietse's reply.
>
> What I do not understand is that in the bounce from the remote Exchange
> mail relay, our IMP message is presented as 8bit.
>
> Sent:
>
> --=_rJ0N-qFsVHye8YMhx4uKOaC
> Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
> Content-Description: Endast text-meddelande
> Content-Disposition: inline
> Content-Transfer-Encoding: quoted-printable
>
> Bounce:
>
> --=_rJ0N-qFsVHye8YMhx4uKOaC
> Content-Type: text/plain;
>   format=flowed;
>   charset=utf-8;
>   delsp=Yes
> Content-Description: Endast text-meddelande
> Content-Disposition: inline
> Content-Transfer-Encoding: 8bit
>
> As my knowledge sort of ends here I will ask our sysadmin Monday to look
> over what is coming out of IMP, but I seriously doubt that it is
> anything wrong with it.
>
> Thanks!
>

old imp version ?

https://bugs.horde.org/ticket/13851


Best Regards
MfG Robert Schetterer



Re: Looking for pointers to assist me

2015-08-23 Thread Robert Schetterer
On 23.08.2015 at 18:15, Jeremy T. Bouse wrote:
> I've had my Postfix mail server running for several years now using
> Postfixadmin to manage the database tables holding my virtual mailbox
> information for domains I'm hosting mail from. It's become time to move
> this mail server so I'm having to rebuild it and I'm wanting to put the
> mailboxes behind a firewall but have an SMTP relay host that will accept
> the mail and forward it in. Obviously I don't want to just blindly
> accept all email for the domains and relay it into the internal host
> which would then have to deal with sending back scatter for invalid
> addresses.
>
> My current configuration handled the configuration using
> virtual_mailbox_maps, virtual_alias_maps and virtual_mailbox_domains
> settings that were pointed to the configuration files that generated the
> appropriate queries for the database. Obviously I'll be reusing this for
> my internal postfix server behind the firewall which will be receiving
> the emails but I'm trying to determine how to modify for my relay to be
> able to validate the email before relaying it into the internal host.
>

depends on your network/firewall setup, you may simply use sql as before,
another option: use smtp verify, or create
static tables at/from sql change time with secure copy etc


Best Regards
MfG Robert Schetterer



Re: SPF and forwarding

2015-07-25 Thread Robert Schetterer
On 26.07.2015 at 03:04, Alex wrote:
> Hi,
>
> I have a postfix-2.10.5 server on fedora, and have several users that
> forward their mail through to gmail. This is apparently enough to
> break SPF and make gmail think I'm the originator of the email,
> instead of the actual sender. Consequently, gmail considers it spam
> and moves it to a spam folder.
>
> Is there anything I can do, including somehow rewriting the email, to
> get gmail (and others, for that matter) to accept these forwarded
> emails without considering them spam?
>
> Can they be rewritten using our SPF information, somehow?
>
> I've included the header (modified user/IP addresses) in case it's helpful.
>
> Delivered-To: origu...@gmail.com
> Received: by 10.13.203.214 with SMTP id n205csp587551ywd;
> Sat, 25 Jul 2015 06:39:29 -0700 (PDT)
> X-Received: by 10.55.25.131 with SMTP id 3mr28553330qkz.85.1437831569919;
> Sat, 25 Jul 2015 06:39:29 -0700 (PDT)
> Return-Path: earl.ma...@example1.com
> Received: from orion.example.com (orion.example.com. [68.111.111.42])
> by mx.google.com with ESMTPS id
> f79si14214872qki.10.2015.07.25.06.39.29
> for exam...@gmail.com
> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
> Sat, 25 Jul 2015 06:39:29 -0700 (PDT)
> Received-SPF: neutral (google.com: 68.111.111.42 is neither permitted
> nor denied by best guess record for domain of earl.ma...@example1.com)
> client-ip=68.111.111.42;
> Authentication-Results: mx.google.com;
> spf=neutral (google.com: 68.111.111.42 is neither permitted nor
> denied by best guess record for domain of earl.ma...@example1.com)
> smtp.mail=earl.ma...@example.com
> Received: by orion.example.com (Postfix)
> id 4DC19A60368; Sat, 25 Jul 2015 09:39:29 -0400 (EDT)
> Delivered-To: supp...@example.com
> Received: from localhost (localhost [127.0.0.1])
> by juggernaut.example.com (Postfix) with ESMTP id CB94A181A9E
> for supp...@example.com; Sat, 25 Jul 2015 09:39:28 -0400 (EDT)
> X-ActualMessageSizeBytes: 41474
> X-ActualMessageSize:
> X-Virus-Scanned: amavisd-new at example.com
> X-Spam-Flag: NO
> X-Spam-Score: -0.399
> X-Spam-Level:
> X-Spam-Status: No, score=-0.399 tagged_above=-200 required=5
> tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> LOC_IMGSPAM=0.1, RDNS_NONE=0.8, RELAYCOUNTRY_LOW=0.5]
> autolearn=no autolearn_force=no
> Received: from relay.example1.com (relay2.example1.com [206.111.111.44])
> (using TLSv1 with cipher AES128-SHA (128/128 bits))
> (No client certificate requested)
> by juggernaut.example.com (Postfix) with ESMTPS id 71AC0180271
> for supp...@example.com; Sat, 25 Jul 2015 09:39:21 -0400 (EDT)
> Received: from HQXCHA402.example1.com ([fe80::e4d8::53e5:e9d2]) by
>  HQXCHA401.example.com ([fe80::7199::b314:a497%25]) with mapi id
>  14.03.0224.002; Sat, 25 Jul 2015 06:39:19 -0700
> From: Operations o...@example1.com
> To: Support supp...@example.com
> CC: Operations o...@example1.com
> Subject: User List Request
> Thread-Index: AdDG30D3+GNpY2bR+6PMmxGK/70Bw==
> Sender: Marsh, Earl earl.ma...@example1.com
> Date: Sat, 25 Jul 2015 13:39:19 +
> Message-ID: 68fcc58030b4164e802bb27ff159fe0535e6b...@hqxcha402.example.com
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach: yes
> X-MS-TNEF-Correlator:
> x-originating-ip: [172.28.53.207]
> Content-Type: multipart/related;
> boundary=_010_68FCC58030B4164E802BB27FF159FE0535E6B731HQXCHA402bes_;
> type=multipart/alternative
> MIME-Version: 1.0
>
> Any ideas greatly appreciated.
> Thanks,
> Alex
>

https://de.wikipedia.org/wiki/Sender_Rewriting_Scheme

perhaps with fedora read

https://www.mind-it.info/forward-postfix-spf-srs/
https://github.com/roehling/postsrsd

Best Regards
MfG Robert Schetterer



Re: Transparent Proxy?

2015-06-09 Thread Robert Schetterer
On 09.06.2015 at 18:04, Michael Munger wrote:
> Hello everyone,
>
> I need to setup an instance of postfix IN FRONT of an Exchange server,
> the purpose of which is to capture and archive all incoming email (and
> eventually outbound, but I'll tackle that later).
>
> Can someone point me to the section in the docs I should read for this?
> any example configs / howtos would be appreciated.
>
> One item of particular concern is header re-writes. I would prefer to
> have postfix retain the original sender IP address so that the spam
> filter on the Exchange box will continue to work as-is.

That's real nonsense, typical postfix relays for exchange are used as
cheap high performance antispam/antivirus gateways, I never heard
that any antispam installed on exchange works better than i.e. a
postfix/amavis etc combo


> (or I can write
> a script in Python... to do the re-writes if necessary)
>
> Any advice is welcomed. Thank you all in advance.
>



Best Regards
MfG Robert Schetterer



Re: certificate verification failed

2015-05-14 Thread Robert Schetterer
On 14.05.2015 at 09:23, Pol Hallen wrote:
> Hi all :-)
>
> With all other smtp, postfix runs correctly, only with hotmail.it smtp
> I've this log file:
>
> May 14 09:15:53 www postfix/smtp[23823]: certificate verification failed
> for mx2.hotmail.com[65.55.37.104]:25: untrusted issuer
> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> May 14 09:15:55 www postfix/smtp[23823]: 5C808132087C:
> to=roby...@hotmail.it, relay=mx2.hotmail.com[66.57.37.174]:25,
> delay=3.2, delays=0.39/0/1.4/1.4, dsn=2.0.0, status=sent (250
> 55544baa.2080...@hostinato.it Queued mail for delivery)
> May 14 09:15:55 www postfix/qmgr[31119]: 5C808132087C: removed
>
> But the email goes lost. I didn't found any of useful looking for on
> internet.
>
> Any idea to how solve the issue?
>
> thanks for help!
>
>
>

whatever trust failure
your mail was delivered to hotmail, ask them what happened to it
perhaps it went to some Junk folder etc

Best Regards
MfG Robert Schetterer



Re: certificate verification failed

2015-05-14 Thread Robert Schetterer
On 14.05.2015 at 10:25, Pol Hallen wrote:
>> whatever trust failure
>> your mail was delivered to hotmail, ask them what happened to it
>> perhaps it went to some Junk folder etc
>
> thanks for reply :-) When I see this warning/error email goes lost...
>
> I've an hotmail.it account and no email has come (also inside spam/junk).
>
> thanks
>
> Pol
>

http://mail.live.com/mail/policies.aspx


Best Regards
MfG Robert Schetterer



Re: Send copy of incoming email to old mail server

2015-05-07 Thread Robert Schetterer
Am 07.05.2015 um 12:56 schrieb Kashif Ali Bukhari:
 Hi list fellows
 
 I am in a process to move my email server from Microsoft offiice365 to 
 postfix.
 postifx is all setup and working like charm , but now i want all
 incoming emails which delivered to postfix inbox should send a copy to
 Microsoft office 365 mailbox.
 
 this will help me to trancer my users from old server to new server.
 if some one login to old server he//she would be able to see his
 emails on old server too.
 
 please guide me about postfix mail delivery as above requirment .
 

I've written a blog post which might help; it does not exactly match
what you want, but it should help with mail routing basics

https://sys4.de/de/blog/2015/05/04/postfix-gateway-virtual-bcc-multiplicator/

additionally, read the docs from Viktor's advice!!!

Best Regards
MfG Robert Schetterer



Re: Postfix forward mail to other server but leaving a copy...

2015-05-04 Thread Robert Schetterer
Am 04.05.2015 um 18:31 schrieb gilbertoferreira:
 Hey guys
 
 With fetchmailrc it works nicely, but some users refuse to give us the
 password, complaining about privacy blah blah blah...
 
 Now, I am searching for something about transport.
 As we know, transport allows us to do this:
 
 u...@domain.com   smtp:[smtp.server.com]
 
 So, with this line in transport, we can forward all email to
 u...@domain.com, relayed to smtp.server.com
 Of course, we have a user with the same name on smtp.server.com, as well.
 
 But using this procedure, we don't have a way to leave a copy of the mail.
 
 Or is there??
 
 I really really appreciate any help... Thanks
 
 
 
 

read

http://www.postfix.org/ADDRESS_REWRITING_README.html#auto_bcc

http://www.postfix.org/postconf.5.html#recipient_bcc_maps


Best Regards
MfG Robert Schetterer



Re: Spammer getting through despite RBL use

2015-04-26 Thread Robert Schetterer
Am 26.04.2015 um 17:58 schrieb Peter Berghold:
 I've added some RBL client entries in my main.cf such
 that:
 
 --- excerpt 
 
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client dnsbl.dronebl.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client dnsbl.sorbs.net
 
  end of excerpt --
 
 and one particular spammer that I know is listed by zen.spamhouse.org
 still gets through.  I used
 mxtoolbox.com to verify this.
 
 Is there something else I need to do to get things listed by them to get
 dropped?   One thing I noticed is they use differing responses based on
 some criteria about a spammer.  Is that useful to Postfix?
 

show the log related to that host, show the whole main.cf


Best Regards
MfG Robert Schetterer



Re: Blocking compromised accounts (outgoing spam) and auth cracking

2015-04-18 Thread Robert Schetterer
Am 18.04.2015 um 20:50 schrieb Viktor Dukhovni:
 On Sat, Apr 18, 2015 at 06:16:56PM +, Chuck Peters wrote:
 
 I'm researching migrating some Exim servers to Postfix and would like to
 implement automatic blocking of compromised and spammers' accounts with
 notifications to staff. Any suggestions?

 On the Exim user list today someone suggested 
 https://github.com/Exim/exim/wiki/BlockCracking.

 
 With Postfix you would generally use a policy service to detect
 anomalous outbound mail from potentially compromised accounts.
 
 What constitutes anomalous outbound mail is then up to the policy
 service.  Various policy services are in use for this purpose.
 
 A policy service might even connect to a loopback Postfix SMTP
 service port that is configured to use recipient verification to
 check for non-existent addresses (and caches positive/negative
 results) (make sure that SMTP service is not configured to also
 use the same policy service).
 
 Most users seem to get adequate results with just volume limits.
 
 If at all possible, generate strong random passwords for submission
 users, these are not passwords users type in very often.  The MUA
 will store the password, so there's no reason to have a memorable
 one.  This also avoids passwords that are used at multiple sites
 and get compromised when those sites get breached.
 

have a look at

https://github.com/croessner/vrfydmn/


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
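
The policy-service approach with a plain volume limit, as described in the quoted advice above, can be sketched as follows. This is an added example, not code from the thread or from any project linked in it; the limit, window, listener address and in-memory counters are assumptions.

```python
"""Postfix policy-delegation service: per-account outbound volume limit.

Added illustration, not code from the thread. LIMIT, WINDOW, the listener
address and the in-memory counters are assumptions made for this example.
"""
import socketserver
import threading
import time
from collections import defaultdict, deque

LIMIT = 100     # assumed: recipients allowed per account per window
WINDOW = 3600   # assumed: window length in seconds


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class VolumeLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.seen = defaultdict(deque)      # sasl_username -> timestamps
        self.lock = threading.Lock()

    def decide(self, attrs):
        """Return an access(5) action for one RCPT-stage request."""
        user = attrs.get("sasl_username", "")
        if (attrs.get("request") != "smtpd_access_policy"
                or attrs.get("protocol_state") != "RCPT" or not user):
            return "DUNNO"                  # not an authenticated RCPT: no opinion
        with self.lock:
            now, stamps = self.clock(), self.seen[user]
            while stamps and stamps[0] <= now - self.window:
                stamps.popleft()            # forget recipients outside the window
            if len(stamps) >= self.limit:
                return "DEFER_IF_PERMIT 4.7.1 Sending limit reached"
            stamps.append(now)
        return "DUNNO"

    def respond(self, request_text):
        return "action=%s\n\n" % self.decide(parse_request(request_text))


class PolicyHandler(socketserver.StreamRequestHandler):
    limiter = VolumeLimiter()

    def handle(self):
        lines = []
        for raw in self.rfile:              # Postfix may reuse one connection
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            reply = self.limiter.respond("\n".join(lines) + "\n\n")
            self.wfile.write(reply.encode("utf-8"))
            lines = []


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Postfix would consult it through `check_policy_service inet:127.0.0.1:10040` in the recipient restrictions of the submission service; a deferred account keeps its mail in the client's outbox, which gives staff time to check the account before anything is sent.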


Re: always bcc and maps?

2015-04-04 Thread Robert Schetterer
Am 04.04.2015 um 04:48 schrieb @lbutlr:
 I was wondering if it would be possible to use a map for always_bcc that 
 would bcc emails for some users and not others, and to bcc to a custom 
 address for each user.
 
 right now, I have always_bcc set to back...@covisp.net but I would like to 
 set it up to something like:
 
 backups-user=domain-...@myslqldomain.tld
 
 But then only do that for some of the users and not use always bcc at all for 
 the rest.
 
 I suspect I can do this with a simple regex match, but am not sure what 
 happens if a map results in no return data for always_bcc. There’s nothing at 
 http://www.postfix.org/postconf.5.html about using maps with always_bcc at 
 all, so maybe not?
 
 (I use dovecot if that matters)
 

perhaps this helps a little bit

https://sys4.de/de/blog/2013/02/07/mailarchiv-mit-dovecot-und-postfix-sortiert-nach-datum-mailadressen-und-ein-ausgehend-unterordnern/

sorry, German only, but the technical side should be understandable anyway


Best Regards
MfG Robert Schetterer



Re: Saslfinger download link

2015-02-26 Thread Robert Schetterer
Am 27.02.2015 um 04:22 schrieb Masegaloeh:
 On Thu, Feb 26, 2015 at 1:12 AM, jekvb je...@gmx.com wrote:
 Yo,

 I found that saslfinger is built right into Ubuntu
 Otherwise you may download the rpm at filewatcher.com for rpms

 
 
 Hmm, you are right. I can find it in third-party resources (RPM and DEB file).
 
 Just out of curiosity, what happened to *original* download link
 http://postfix.state-of-mind.de/patrick.koetter/saslfinger/ ?
 

I think it moved or is in migration, stay tuned for more info


Best Regards
MfG Robert Schetterer



Re: Domain-dependent milter?

2015-02-22 Thread Robert Schetterer
Am 23.02.2015 um 00:27 schrieb Wietse Venema:
 Kirill Peskov:
 My task is to forward only 'local' mails to the milter for processing,
 leaving 'foreign' outgoing mails untouched.
 
 Milters must see the entire SMTP session, not just the RCPT TO command.
 
 If you want different Milters for different domains, configure
 different smtpd services in master.cf, each listening on a different
 IP address, one with milter and one without. Then point each domain's
 MX records to the appropriate IP address.
 
   Wietse
 

perhaps milter-manager can do it too

http://milter-manager.sourceforge.net/reference/configuration.html


Best Regards
MfG Robert Schetterer



Re: Dovecot on a separate server as LDA

2015-02-18 Thread Robert Schetterer
Am 18.02.2015 um 18:26 schrieb Орхан Ибад-оглы Гасымов:
 Good day!
 
 I need advice about a simple (I guess) thing.
 When Postfix and Dovecot are running on the same machine,
 then to specify Dovecot as LDA, I use this command in main.cf:
 
 mailbox_command = /usr/local/libexec/dovecot/dovecot-lda -f $SENDER -a
 $RECIPIENT
 
 But if Dovecot is running on a different machine, how should I achieve
 the same result?
 Obviously I can't use the same command, as there's no dovecot-lda on the
 Postfix VM.
 
 Please give a tip.
 Thanks in advance!

use lmtp

see

https://sys4.de/de/blog/2014/11/17/sicheres-lmtp-mit-starttls-in-dovecot/

but you should not do it over an internet link (however, SSL is now
possible); set up additional private network interfaces, tunnels, VLANs, etc.


Best Regards
MfG Robert Schetterer



Re: Unwanted mail from Users (Backscatter mail)

2015-02-07 Thread Robert Schetterer
Am 07.02.2015 um 20:05 schrieb Alamgir Shamim:
 Hi,
 
 We have an ISP. We have lots of users. They use our smtp server to
 send mail. Very often we are facing a problem. Sometimes a huge amount of
 unwanted mail comes to the smtp server from our users, who are basically
 behind a NAT IP, and gets our smtp server's IP listed on many blacklist
 sites like SORBS and others. As a result Google, Yahoo, Hotmail and many more
 sites stop receiving mail from our server. How can we stop this problem? I
 know this happens due to some kind of worm and other things. But what do I
 have to do so that my smtp server doesn't receive those mails and won't get
 blacklisted?
 Please help.
 
 Regards.
 
 Tuhin.
 Dhaka. BD.
 

do strong outgoing spam filtering, i.e. with clamav-milter, spamassassin,
or amavis as a framework


Best Regards
MfG Robert Schetterer



Re: postfix, cyrus imap, backscatter?

2015-02-01 Thread Robert Schetterer
Am 01.02.2015 um 08:59 schrieb Carl Brewer:
 
 G'day,
 I've been running sendmail for years with cyrus and realtime address
 checking to (supposedly!) stop backscatter, but it seems to be broken,
 so it's probably a good time to migrate to postfix (been putting off for
 years ...)
 
 This document isn't very helpful :
 
 http://www.postfix.org/CYRUS_README.html
 
 Can anyone here point me at a good howto/setup guide to integrate
 postfix with cyrus imapd, virtual domains and realtime checking of
 addresses to prevent backscatter? My google-fu is not returning much
 that I can find.
 
 I've tried this in main.cf :
 
 mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
 
 Which I thought would mean that email to non-existent accounts would be
 instantly rejected, but tests show this :
 
 bash-4.3$  telnet localhost 25
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 x ESMTP Postfix (how far can a goat see-2.10)
 ehlo localhost
 250-
 250-PIPELINING
 250-SIZE 1024
 250-VRFY
 250-ETRN
 250-STARTTLS
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN
 mail from: c...@bl.echidna.id.au
 250 2.1.0 Ok
 rcpt to: f...@bl.echidna.id.au
 250 2.1.5 Ok
 data
 354 End data with <CR><LF>.<CR><LF>
 oh ..
 
 .
 250 2.0.0 Ok: queued as 7F1EA1B3D454
 quit
 221 2.0.0 Bye
 Connection closed by foreign host.
 
 
 
 Thank you
 
 Carl
 
 
 

and where is your postfix conf..?

read i.e

http://de.postfix.org/httpmirror/postconf.5.html#smtpd_reject_unlisted_recipient

as well as other setup examples and conf stuff

Best Regards
MfG Robert Schetterer



Re: Postfix SMTP mail is sent to SPAM

2015-01-29 Thread Robert Schetterer
Am 29.01.2015 um 20:10 schrieb Noel Jones:
 On 1/29/2015 12:46 PM, Aravindhan wrote:
 I have installed a Postfix mail server on an Ubuntu machine. I configured the mail
 server as well as DNS properly.

 Mails are sent from our mail server properly, but all the mails are listed
 in the spam folder (in Yahoo & Outlook). They are listed properly in the inbox
 in Gmail.

 I have implemented the following methodologies to prevent the SPAM, which is
 as follows,

  * SPF
  * DKIM
  * Domain Keys
  
 After the above implementation, Headers of the email is as follows,

  Authentication-Results: hotmail.com; spf=pass (sender IP is xx.xx.xx.xx)
      smtp.mailfrom=t...@maildomain.com; dkim=pass header.d=maildomain.com;
      x-hmca=pass header.id=t...@maildomain.com
  DomainKey-Signature: a=rsa-sha1; s=mail; d=maildomain.com; c=simple; q=dns;
      b=key
  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=maildomain.com;
      s=mail; t=1422532895; bh=W+pft8+RS+1CGEuNXIA20Br1EeZE1qaANUx3o6nvb3E=;
      h=From:To:Subject:From; b=key
  
 I have checked several email testing services to detect why our emails
 are marked as spam, and the results are as follows:

  * Sent the mail to check-a...@verifier.port25.com and got
    the authentication report mail.
  ==
  Summary of Results
  ==
  SPF check:          pass
  DomainKeys check:   pass
  DKIM check:         pass
  Sender-ID check:    pass
  SpamAssassin check: ham

  * Tested the email with https://www.mail-tester.com/ and got the score
    9.3/10.

  * Checked our mail server IP address at
    http://whatismyipaddress.com/blacklist-check and our IP address is
    not blacklisted.

 Note:

 * Mailserver hosted in Amazon EC2 instance with a static IP address (connect
 to internet, and all traffic ports are opened for inbound and outbound in  
 security groups).

 * Mail sending service limit has been increased properly(Support query has
 been raised to amazon and the mail restriction has been removed in our
 account).

 * I am using self signed certificate in my Mail server.

 Can anyone let us know how to prevent the emails from being marked as spam? Is there
 anything we need to look into in our mail server configuration?
 
 
 Sounds as if you're doing every thing right.  Make sure your IP has
 correct FCrDNS.  Looks as if your SPF and DKIM are working. Does
 anyone still use DomainKeys?  Not sure that adds any value.
 
 Some of the freemail providers will spam-tag perfect mail from new
 domains and/or new IP addresses, especially if a large amount of
 mail shows up from that new domain or IP.  For some undefined value
 of large.
 
 See if you can sign up for the bulk mail feedback loop or whatever
 bulk sender programs they might have at hotmail or yahoo.  Only the
 receiving system can answer why some specific mail was marked as
 spam, all we can do is guess.
 
 
 
 
   -- Noel Jones
 

just one more idea: add a DMARC policy; I think there is a whitelist
feature at Yahoo


Best Regards
MfG Robert Schetterer



Re: SPF configurations

2015-01-21 Thread Robert Schetterer
Am 21.01.2015 um 15:46 schrieb Scott Kitterman:
 On Wednesday, January 21, 2015 06:29:11 Darren Pilgrim wrote:
 On 1/18/2015 12:49 PM, SW wrote:
 I have contacted the port maintainer but he couldn't help.

 Can anyone else assist please?

 There are known issues with DNS lookups in python.  You could use
 postfix-policyd-spf-perl instead.
 
 I've been working with the OP offlist and it does appear to be an issue in
 the DNS module.  We're still trying to narrow it down.
 
 The Perl implementation is very simple.  Depending on your needs, it may or 
 may not be sufficient.

Agreed, the perl version needs to be upgraded, but i am not up2date

  The Python implementation is more developed and covers a
 significantly broader set of use cases.
 
 Scott K
 

very useful

http://manpages.ubuntu.com/manpages/raring/man5/policyd-spf.conf.5.html

Domain Specific Receiver Policy

   Using this option, a list of domains can be defined for special
   processing when messages do not Pass SPF.  This can be useful for
   commonly spoofed domains that are not yet publishing SPF records with
   -all.  Specifically, if mail from a domain in this list has a
   Neutral/Softfail result, it will be rejected (as if it had a Fail
   result).  This option is not supported by RFC 4408, but if needed, it
   is better to do it on a per-domain basis rather than globally.

   Example:

   Reject_Not_Pass_Domains = aol.com,hotmail.com

thx Scott taking care of mail stuff in ubuntu

Best Regards
MfG Robert Schetterer



Re: Postfix with Postscreen and Fail2ban

2015-01-15 Thread Robert Schetterer
Am 15.01.2015 um 03:16 schrieb David Mehler:
 Hello,
 
 Is anyone running Postfix 2.11 on an f21 machine? I'm using it and am
 using postscreen which I really like. The system firewall is FirewallD
 and I'm using fail2ban 0.9.1 to block brute force bot hits on the
 machine. I've got the jail Fail2ban for Postfix enabled, but the
 regexp don't appear to be catching the logs of attempted postscreen
 connections. I'm assuming here that anything postscreen rejects is a
 spammer and would like them rejected out of hand.
 
 If anyone has this working I'd appreciate knowing how you did it.
 
 Thanks.
 Dave.
 

perhaps have a look at

http://blog.arschkrebs.de/blog/new-fail2ban-rules-for-postscreen/

https://kupschke.net/2013/04/20/fail2ban-und-postscreen/

alternative

you may read

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/



Best Regards
MfG Robert Schetterer



hold trigger dmarc milter notify_classes

2015-01-13 Thread Robert Schetterer
Hi Wietse,
using the dmarc milter sometimes causes a hold action

like, e.g. (failure produced by myself, only to demonstrate)

2015-01-13T10:46:09.372033+01:00 mail opendmarc[15158]:
3kM6Nw3sCTzDdG2l: amazon.com fail
2015-01-13T10:46:09.411674+01:00 mail postfix/cleanup[3532]:
3kM6Nw3sCTzDdG2l: milter-hold: END-OF-MESSAGE from
mail.tuxzilla.de[88.198.69.105]: milter triggers HOLD action;
from=postmas...@amazon.com to=postmas...@mail.tlsbit.de proto=ESMTP
helo=mail.tuxzilla.de

which is technically fine with the amazon.com DMARC policy

dig -t txt _dmarc.amazon.com
_dmarc.amazon.com.  900 IN  TXT v=DMARC1\;
p=quarantine\; pct=100\; rua=mailto:dmarc-repo...@bounces.amazon.com\;
ruf=mailto:dmarc-repo...@bounces.amazon.com;

the dmarc milter seems to have no conf parameter to override the quarantine
policy somehow

But on small postfix mail servers without queue monitoring
someone may never notice held mails

What about including some notify_classes for hold

like

software
Inform the postmaster of mail not delivered due to software
problems. The notification is sent to the address specified with the
error_notice_recipient configuration parameter (default: postmaster).

but for hold actions, or any other idea how to get notice about held
mails without third party scripting, or however, how would you solve the
problem meanwhile: setting up a cron job watching the hold queue, a shell script, etc.?




Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
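
The cron-based hold-queue watch raised in the message above could look like the following. This is an added example, not part of the original post and not Postfix's own tooling; the state-file path is an assumption and the sample listing is constructed in the layout that `postqueue -p` prints, where `!` after the queue ID marks a held message.

```python
"""Cron helper: report mail newly placed in the Postfix hold queue.

Added illustration, not code from the thread. STATE_FILE is an assumed
path and SAMPLE is a constructed listing in `postqueue -p` layout.
"""
import json
import re
import subprocess
import sys

STATE_FILE = "/var/lib/holdwatch/seen.json"   # assumed location

# In `postqueue -p` output "!" after the queue ID marks the hold queue,
# "*" the active queue.
ENTRY = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$")

SAMPLE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
4A1B2C3D4E!    2048 Tue Jan 13 10:46:09  sender@example.org
                                         postmaster@example.net

5F6A7B8C9D*    1024 Tue Jan 13 10:47:00  other@example.org
                                         user@example.net

6B7C8D9E0F      512 Tue Jan 13 10:40:12  MAILER-DAEMON
(connect to mx.example.net[192.0.2.25]:25: Connection timed out)
                                         bounce@example.net

-- 3 Kbytes in 3 Requests.
"""


def held_messages(listing):
    """Return the held entries of a `postqueue -p` listing as dicts."""
    held, current = [], None
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            current = None
            if m["flag"] == "!":
                current = dict(m.groupdict(), recipients=[])
                held.append(current)
        elif current is not None and line[:1].isspace() and line.strip():
            current["recipients"].append(line.strip())
    return held


def new_holds(held, seen_ids):
    """Return (entries not reported before, queue IDs held right now)."""
    return ([m for m in held if m["qid"] not in seen_ids],
            {m["qid"] for m in held})


def main():
    out = subprocess.run(["postqueue", "-p"], capture_output=True,
                         text=True, check=True).stdout
    try:
        with open(STATE_FILE) as fh:
            seen = set(json.load(fh))
    except (OSError, ValueError):
        seen = set()
    fresh, ids = new_holds(held_messages(out), seen)
    with open(STATE_FILE, "w") as fh:
        json.dump(sorted(ids), fh)
    for m in fresh:                 # cron mails this output to MAILTO
        print("%s held since %s from=%s to=%s" % (
            m["qid"], m["arrival"], m["sender"], ",".join(m["recipients"])))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because only queue IDs not seen on the previous run are printed, cron sends one mail per newly held message instead of repeating the whole hold queue on every run.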


Re: hold trigger dmarc milter notify_classes

2015-01-13 Thread Robert Schetterer
Am 13.01.2015 um 13:36 schrieb A. Schulze:
 
 wietse:
 
 Maybe you can ask the Milter's developers to make their unconditional
 quarantine action configurable.

i know you will post this *g, yes might be best option
but a configurable postfix notify class hold option may help in any
case of hold

 
 that would be a good solution, too.
 But this specific developer is _very_ busy.
 
 Andreas
 



Best Regards
MfG Robert Schetterer


