Re: SASL forward problem

2011-11-12 Thread kapetr
Hello,

I didn't think that my Postfix is the bad guy, but I have to say:
if the client is Evolution (in an SSL+SASL connection with the ISP's
server), the messages go out without problem.

The problem is only if Postfix is the client?!
Why?

I have tried your "modify the executable" way.

The "AUTH=<>" is in /usr/lib/postfix/smtp - I edited it in "mc"
and replaced it with " " and left the "^@" (this is probably
the NULL byte).

But it just gives an error in the log:
Nov  5 11:24:05 zly-hugo postfix/master[1418]: warning:
/usr/lib/postfix/smtp: bad command startup -- throttling
Nov  5 11:25:05 zly-hugo postfix/master[1418]: warning: process
/usr/lib/postfix/smtp pid 2633 killed by signal 11

Thank you

--kapetr



-
>Date: Wed, 2 Nov 2011 15:41:04 -0400 (EDT)
>From: Wietse Venema 
>Subject: Re: SASL forward problem
>
>kapetr:
>> 220 mailout1.t-email.cz ESMTP
>> EHLO 251-43-13-46.tmcz.cz
>> 250-mailout1.t-email.cz
>> 250-PIPELINING
>> 250-SIZE 1536
>> 250-VRFY
>> 250-ETRN
>> 250-AUTH LOGIN PLAIN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> AUTH LOGIN
>> 334 xx
>> yyy
>> 334 
>> yyy
>> 235 2.7.0 Authentication successful
>> MAIL FROM: SIZE=519 AUTH=<>
>> 250 2.1.0 Ok
>> RCPT TO: ORCPT=rfc822;ji...@soukroma.cz
>> 555 5.5.4 Unsupported option: AUTH=<>
>
>This SMTP server has an interesting way to report errors.
>
>> I think my Postfix should ignore the "555 5.5.4 Unsupported option:
>> AUTH=<>" and continue.
>
>Postfix cannot ignore 555 after RCPT TO. And we already know that
>the server would not accept the mail (in your earlier email it
>replied with "554 5.5.1 Error: no valid recipients" to the DATA
>command).
>
>> Or better do not send it at all - what is it at all?
>
>Postfix is not written by imitation. It is written by implementing
>mail standards. The AUTH command and the AUTH= option are defined
>in RFC 2554 which was written many years ago.
>
>Unfortunately, not sending AUTH= involves editing Postfix source
>code or using a proxy that removes the AUTH= option. There is no
>feature to filter the commands that Postfix sends, like there is
>for the replies that Postfix receives.
>
>A third option is to edit the Postfix smtp executable file. Look
>for the string " AUTH=<>" and replace the space with a null byte.
>
>As for editing source code, this is in src/smtp/smtp_proto.c.
>Just delete the portion with:
>
>    /*
>     * We authenticate the local MTA only, but not the sender.
>     */
>#ifdef USE_SASL_AUTH
>    if (var_smtp_sasl_enable
>        && (session->features & SMTP_FEATURE_AUTH))
>        vstring_strcat(next_command, " AUTH=<>");
>#endif
>
>> As you wrote: "If that is the case, then the server
>> mis-implements SMTP command
>> pipelining."
>>
>> Did you mean my server (my postfix) or ISPs server ?
>
>Your machine is the SMTP client. The ISP is the SMTP server.
>
>Wietse
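
The binary edit Wietse describes only works if the file keeps exactly the same size: C string routines stop at the first NUL, so overwriting the space in " AUTH=<>" with a NUL byte makes the option disappear without moving a single offset. An interactive editor that inserts or removes bytes shifts every later offset in the executable, and a binary edited that way typically fails at startup, which is consistent with the "bad command startup" and "killed by signal 11" lines in the log above. The script below is an added example (not Postfix code and not from the thread) that performs the same-length patch with a backup and refuses to act unless the string occurs exactly once; the path /usr/lib/postfix/smtp is the one from the log. One caveat: Postfix 2.9 and later control this with the parameter smtp_send_dummy_mail_auth (default: no), so on those versions no patch is needed at all.

```python
"""Same-length binary patch that stops the Postfix SMTP client from sending
" AUTH=<>" in MAIL FROM (Wietse's third option).

Added example, not Postfix code. C string routines stop at the first NUL,
so overwriting the leading space with 0x00 removes the option while the
file size and every offset in the executable stay exactly as they were.
"""
import shutil
import sys

NEEDLE = b" AUTH=<>"           # the literal from src/smtp/smtp_proto.c
PATCH = b"\x00" + NEEDLE[1:]   # same length; leading space -> NUL


def patch_bytes(image: bytes) -> bytes:
    """Return a copy of `image` with its single " AUTH=<>" neutralised.
    Refuses when the string is missing or occurs more than once, so a
    wrong or unexpected binary is never modified."""
    count = image.count(NEEDLE)
    if count != 1:
        raise ValueError(f"expected exactly one {NEEDLE!r}, found {count}")
    patched = image.replace(NEEDLE, PATCH)
    assert len(patched) == len(image)  # invariant: nothing moved
    return patched


def patch_file(path: str) -> str:
    """Patch `path` in place after copying it to `path.orig`; returns the
    backup name. Run as root with Postfix stopped, and restore the backup
    if master(8) logs a startup problem afterwards."""
    backup = path + ".orig"
    shutil.copy2(path, backup)
    with open(path, "rb") as f:
        image = f.read()
    patched = patch_bytes(image)
    with open(path, "wb") as f:
        f.write(patched)
    return backup


if __name__ == "__main__":
    # e.g.  python3 patch_auth.py /usr/lib/postfix/smtp
    print("backup written to", patch_file(sys.argv[1]))
```

After patching, `strings /usr/lib/postfix/smtp | grep 'AUTH=<>'` shows the literal without its leading space, and the MAIL FROM line in a new capture carries only the SIZE parameter.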







Re: SASL forward problem

2011-11-05 Thread kapetr
Hello,

I didn't think that my Postfix is the bad guy, but if the client is
Evolution (in an SSL+SASL connection with the ISP's server), the
messages go out without problem.

The problem is only if Postfix is the client?!
Why?

I have tried your "modify the executable" way.

The "AUTH=<>" is in /usr/lib/postfix/smtp - I edited it in "mc"
and replaced it with " " and left the "^@" (this is probably
the NULL byte).

But it just gives an error in the log:
Nov  5 11:24:05 zly-hugo postfix/master[1418]: warning:
/usr/lib/postfix/smtp: bad command startup -- throttling
Nov  5 11:25:05 zly-hugo postfix/master[1418]: warning: process
/usr/lib/postfix/smtp pid 2633 killed by signal 11

Thank you

--kapetr



-
>Date: Wed, 2 Nov 2011 15:41:04 -0400 (EDT)
>From: Wietse Venema 
>Subject: Re: SASL forward problem
>
>kapetr:
>> 220 mailout1.t-email.cz ESMTP
>> EHLO 251-43-13-46.tmcz.cz
>> 250-mailout1.t-email.cz
>> 250-PIPELINING
>> 250-SIZE 1536
>> 250-VRFY
>> 250-ETRN
>> 250-AUTH LOGIN PLAIN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> AUTH LOGIN
>> 334 xx
>> yyy
>> 334 
>> yyy
>> 235 2.7.0 Authentication successful
>> MAIL FROM: SIZE=519 AUTH=<>
>> 250 2.1.0 Ok
>> RCPT TO: ORCPT=rfc822;ji...@soukroma.cz
>> 555 5.5.4 Unsupported option: AUTH=<>
>
>This SMTP server has an interesting way to report errors.
>
>> I think my Postfix should ignore the "555 5.5.4 Unsupported option:
>> AUTH=<>" and continue.
>
>Postfix cannot ignore 555 after RCPT TO. And we already know that
>the server would not accept the mail (in your earlier email it
>replied with "554 5.5.1 Error: no valid recipients" to the DATA
>command).
>
>> Or better do not send it at all - what is it at all?
>
>Postfix is not written by imitation. It is written by implementing
>mail standards. The AUTH command and the AUTH= option are defined
>in RFC 2554 which was written many years ago.
>
>Unfortunately, not sending AUTH= involves editing Postfix source
>code or using a proxy that removes the AUTH= option. There is no
>feature to filter the commands that Postfix sends, like there is
>for the replies that Postfix receives.
>
>A third option is to edit the Postfix smtp executable file. Look
>for the string " AUTH=<>" and replace the space with a null byte.
>
>As for editing source code, this is in src/smtp/smtp_proto.c.
>Just delete the portion with:
>
>    /*
>     * We authenticate the local MTA only, but not the sender.
>     */
>#ifdef USE_SASL_AUTH
>    if (var_smtp_sasl_enable
>        && (session->features & SMTP_FEATURE_AUTH))
>        vstring_strcat(next_command, " AUTH=<>");
>#endif
>
>> As you wrote: "If that is the case, then the server
>> mis-implements SMTP command
>> pipelining."
>>
>> Did you mean my server (my postfix) or ISPs server ?
>
>Your machine is the SMTP client. The ISP is the SMTP server.
>
>Wietse
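
Wietse's second option, "a proxy that removes the AUTH= option", needs no rebuild and no binary editing. What follows is an added example (not part of Postfix, stunnel or this thread): an asyncio TCP relay that sits between Postfix and the stunnel client, removes AUTH=<> from MAIL FROM commands only, passes replies back untouched, and leaves the message body alone (it watches for the server's 354 reply and the terminating "." so that a body line starting with "MAIL FROM:" is not rewritten). The ports 10025 and 10111 are assumptions: relayhost would point at the proxy's LISTEN address and UPSTREAM at stunnel's accept port.

```python
"""Strip the " AUTH=<>" ESMTP parameter from MAIL FROM on its way to the ISP.

Added example, not Postfix or stunnel code. Assumed layout:
    Postfix  relayhost = [127.0.0.1]:10025
      -> this proxy (LISTEN)
      -> stunnel client (UPSTREAM, its accept port) -> ISP smtps:465
Only Postfix-to-server lines are rewritten, only MAIL FROM commands, never
the message body; replies pass back untouched.
"""
import asyncio
import re

LISTEN = ("127.0.0.1", 10025)    # assumed: what Postfix's relayhost points at
UPSTREAM = ("127.0.0.1", 10111)  # assumed: stunnel's accept port

# One separator plus the AUTH=<> token, matched only as a whole parameter
# (ESMTP parameters are space separated and case-insensitive).
_AUTH_OPT = re.compile(rb"(?i)[ \t]AUTH=<>(?=[ \t\r\n]|$)")


def rewrite_command(line: bytes) -> bytes:
    """Return `line` without the AUTH=<> parameter if it is a MAIL FROM
    command; every other command is returned byte for byte."""
    if not line[:10].upper().startswith(b"MAIL FROM:"):
        return line
    return _AUTH_OPT.sub(b"", line)


class Session:
    """Per-connection state. Between the server's 354 reply and the
    client's terminating "." the client is sending the message body,
    and a body line that starts with "MAIL FROM:" must not be touched."""

    def __init__(self) -> None:
        self.in_data = False

    def client_line(self, line: bytes) -> bytes:
        if self.in_data:
            if line in (b".\r\n", b".\n"):
                self.in_data = False
            return line
        return rewrite_command(line)

    def server_line(self, line: bytes) -> bytes:
        if line.startswith(b"354"):
            self.in_data = True
        return line


async def _pump(reader, writer, transform):
    try:
        while True:
            line = await reader.readline()
            if not line:
                break
            writer.write(transform(line))
            await writer.drain()
    finally:
        writer.close()


async def handle(client_r, client_w):
    up_r, up_w = await asyncio.open_connection(*UPSTREAM)
    session = Session()
    # The client sends the body only after it has seen 354, so the server
    # pump flips in_data before any body line reaches the client pump.
    await asyncio.gather(
        _pump(client_r, up_w, session.client_line),   # Postfix -> ISP
        _pump(up_r, client_w, session.server_line),   # ISP -> Postfix
    )


async def main():
    server = await asyncio.start_server(handle, *LISTEN)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Because the proxy speaks plain TCP on localhost and the stunnel client does the TLS, the credentials are still only ever sent inside the encrypted connection; the proxy just edits one command on the way.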






Re: SASL forward problem

2011-11-02 Thread kapetr


- ORIGINAL MESSAGE -
> Date: Tue, 1 Nov 2011 20:23:08 -0400 (EDT)
> From: Wietse Venema 
> Subject: Re: SASL forward problem
> 
> kapetr:
> > Hello,
> > 
> > I use Postfix as a forwarder.
> > 
> > The target server is connected via stunnel4. It was working, but now
> > I have changed ISP and the new SMTP server has a problem with Postfix
> > as client.
> > 
> > Here is TCP stream from Wireshark:
> > 
> > x
> > 220 mailout2.t-email.cz ESMTP
> > EHLO 251-43-13-46.tmcz.cz
> > 250-mailout2.t-email.cz
> > 250-PIPELINING
> > 250-SIZE 1536
> > 250-VRFY
> > 250-ETRN
> > 250-AUTH LOGIN PLAIN
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN
> > AUTH LOGIN
> > 334 XX
> > YYY
> > 334 X
> > YYY
> > 235 2.7.0 Authentication successful   (this is the final reply to AUTH)
> > MAIL FROM: SIZE=517 AUTH=<>
> > RCPT TO: ORCPT=rfc822;ji...@xoma.cz
> > DATA
> > 250 2.1.0 Ok                          (this is the reply to *what*?)
> > 555 5.5.4 Unsupported option: AUTH=<> (this would be the reply to MAIL FROM)
> >                                       (there should be an RCPT TO reply here)
> > 554 5.5.1 Error: no valid recipients  (this is the reply to DATA)
> > 
> Are you sure that the replies are received in this order?
> 
> If that is the case, then the server mis-implements SMTP command
> pipelining.  To turn that feature off in Postfix:
> 
> /etc/postfix/main.cf:
>     smtp_discard_ehlo_keywords = pipelining
> 
> Do "postfix reload" and try again.
> 
> Wietse
> 

Hello.

The result is:


220 mailout1.t-email.cz ESMTP
EHLO 251-43-13-46.tmcz.cz
250-mailout1.t-email.cz
250-PIPELINING
250-SIZE 1536
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 xx
yyy
334 
yyy
235 2.7.0 Authentication successful
MAIL FROM: SIZE=519 AUTH=<>
250 2.1.0 Ok
RCPT TO: ORCPT=rfc822;ji...@soukroma.cz
555 5.5.4 Unsupported option: AUTH=<>
(why does the ISP's SMTP send it now?!)
RSET
(sent by my Postfix == out)
250 2.0.0 Ok
QUIT
221 2.0.0 Bye


--
Now it is  , but as you can see, it
didn't help.
Can this have something to do with a different packetization of the
stream compared to a direct connection?

I think my Postfix should ignore the "555 5.5.4 Unsupported option:
AUTH=<>" and continue.
Or better not send it at all - what is it at all?

As you wrote: "If that is the case, then the server
mis-implements SMTP command
pipelining."

Did you mean my server (my Postfix) or the ISP's server?


--kapetr

P.S.: the outputs are from Wireshark (not edited by me), so I
think "replies are received in this order". I have also checked by
examining the packets manually.








SASL forward problem

2011-11-01 Thread kapetr
Hello,

I use Postfix as a forwarder.

The target server is connected via stunnel4. It was working, but now
I have changed ISP and the new SMTP server has a problem with Postfix
as client.

Here is TCP stream from Wireshark:

x
220 mailout2.t-email.cz ESMTP
EHLO 251-43-13-46.tmcz.cz
250-mailout2.t-email.cz
250-PIPELINING
250-SIZE 1536
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 XX
YYY
334 X
YYY
235 2.7.0 Authentication successful
MAIL FROM: SIZE=517 AUTH=<>
RCPT TO: ORCPT=rfc822;ji...@soukroma.cz
DATA
250 2.1.0 Ok
555 5.5.4 Unsupported option: AUTH=<>
554 5.5.1 Error: no valid recipients
RSET
QUIT
xx

If I set this server directly (in place of 127.0.0.1 == Postfix) in
Evolution with SSL and authentication, the mail is sent OK!

(Such ESMTP communication I can't follow, of course).

So ... there is a problem in my Postfix or in the ISP's SMTP server.

Can someone help me please?
Can I configure my Postfix to be more compatible with the other
server?
The problem is in the format of the FROM+TO ESMTP commands.

If I use the ISP's server in the mode without SSL and SASL, then Postfix
can forward to it.
In that case the stream looks like:

yyy
...
MAIL FROM: SIZE=517
RCPT TO: ORCPT=rfc822;ji...@soukroma.cz
DATA
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with .
...
yyy

You see - the difference is "AUTH=<>" in first case

Thanks

--kapetr







Re: posfix rejected from google server

2011-03-10 Thread kapetr
Just a note ONLY FOR:

Reindl Harald 

>Sorry but what is your problem?

>you can not use your home-machine as mailserver and
>nothing will change this, so what is new in your
>message after this long thread where so many people
>made clear what happens and why?


If, as I know, you followed this thread, then you could know that I
have said more than once:

***
Note: once again - I have understood and totally accept the fact
that I can't send mail directly from my "dynamic range" IP, so I use
a relayhost.
***

The only problem is that you have responded to a special reply which
was intended only for Peter Evans, who asked me
to send a test e-mail directly ...

--kapetr



Re: posfix rejected from google server

2011-03-09 Thread kapetr
Hello,


I have tried it - see below,
but without removing also from the PBL it fails, because

Peter Evans's server uses zen.spamhaus.org which
also includes the PBL list (dynamic address check).

LOG:
Mar  9 11:09:07 duron650 postfix/smtp[2873]: B316BA2A79:
to=, relay=mail.ixp.jp[222.147.76.196]:25, delay=9.1,
delays=0.26/0.09/8/0.7, dsn=5.7.1, status=bounced (host
mail.ixp.jp[222.147.76.196] said: 550 5.7.1 Service unavailable;
client [85.71.234.108] blocked using zen.spamhaus.org (in reply to
RCPT TO command))
Mar  9 11:09:08 duron650 postfix/cleanup[2872]: 1185DA2BE7:
message-id=<20110309100908.1185da2...@108.234.broadband4.iol.cz>



(FYI: This mail is sent via webmail volny.cz)

--kapetr

ORIGINAL MESSAGE:

From: Jiří Pánek 
To:   Peter Evans 
Subject:  Re: posfix rejected from google server
Date:  Wed, 09 Mar 2011 11:08:56 +0100


Hello,


this is a direct email (I have set my Postfix back to direct sending -
without relayhost - for this test).

In my main.cf is:
myhostname = 108.234.broadband4.iol.cz



>Date: Mon, 7 Mar 2011 09:01:21 +0900
>From: "Peter Evans" 
>Subject: Re: posfix rejected from google server
>
>Just out of curiosity, can you try to send mail directly to me?
>After you have removed yourself, it should take less than about an
>hour to clear from the CBL + PBL.
>Then mail should go through.

On cbl.abuseat.org I have requested it - it is now OK.
The http://www.spamhaus.org/pbl/query/PBL043205 I have left
unchanged, after reading the explanation. It is not a black list, so
we will see if it is true and this email arrives to you :-)


>
>>A pity that cbl.abuseat.org, as described in
>>http://cbl.abuseat.org/faq.html, do not explain criteria how
>>someones IP can get into their CBL list.
>
>By sending mail to one of their very large spamtrap domains. The
>reason they do not tell you how you get on is that if they did,
>spammers would be able to avoid them and thus reduce the efficacy
>thereof.
>
>Looking at the timestamp on the CBL, was that IP address your ADSL
>modem at that time?

Yes, it was!
That is why I am so confused about the CBL spam listing!
And the listed time corresponds to the test mail sent to GMAIL.
Not to a spamtrap domain. After that, there were no other incidents -
that is why I think that I'm not infected.
So it is a mystery for me how I got into this list.

I have added to my FW rules:

-A ufw-user-output -o eth0 -p tcp -m tcp --syn -m multiport --dports
25,465,587 -j LOG --log-prefix "[MAIL OUTPUT] " --log-tcp-options
--log-uid 

and nothing suspect.
No spambot here (unless it is a hidden rootkit, of course).

Let me know if it arrives to you.

Thanks

--kapetr




Re: Postfix und SSL client problem.

2011-03-09 Thread kapetr
) Mac=SHA1
2011.03.09 09:27:24 LOG7[2608:3078736752]: SSL socket closed on
SSL_read
2011.03.09 09:27:24 LOG7[2608:3078736752]: Socket write shutdown
2011.03.09 09:27:24 LOG5[2608:3078736752]: Connection closed: 17
bytes sent to SSL, 137 bytes sent to socket
2011.03.09 09:27:24 LOG7[2608:3078736752]: ssmtp_client_iol finished
(0 left)
x

it is good to see that the whole chain of 3 certificates is checked :-)


The other thing:
> 
> > > You can even generate such a self-signed certificate yourself
> > > and throw away the private key. Provided the subject DN matches the
> > > peer's subject DN you're set.
> > 
> > You are again talking about generating my own certificate, but as I
> > wrote - I just need to connect to this SMTP server which uses simple
> > SASL PLAIN/LOGIN authentication, so I need no own certificate to
> > authenticate me, I think. (?)
> 
> For stunnel, you can generate the peer's certificate, it won't actually
> check that the public keys match, only the subject DN needs to be the
> same:
> 
> $ openssl req -new -x509 -nodes -newkey rsa:1024 -keyout /dev/null \
>     -out smtp.iol.cz.pem \
>     -subj "/C=CZ/ST=Praha/L=Praha 4/O=Telefonica O2 Czech Republic, a.s./OU=Operations/CN=smtp.iol.cz"
> 
> Of course this DN can only be obtained by connecting to the site, so you
> can grab their cert if you prefer.
> 
> -- 
> Viktor.

If I understand you right, then you mean that I could generate a
"fake" peer certificate with just the correct CN=smtp.iol.cz (or the
whole subject).

But I do not understand how it could work? After all, stunnel4
gets the proper certificate from the other side, which differs from
the one I have generated. So wouldn't stunnel be confused if the local
copy of the peer's certificate (my fake self-generated one) differs
from the one obtained from the peer over the SSL connection?!

I have read the manpage of stunnel4 (the part about "-verify"), but I
can't understand the sense of security if stunnel4 would allow such a
connection, where at level 3 the local copy differs from the one
supplied by the peer?!

Example: I now have the real, correct certificate of smtp.iol.cz as
the local copy for verify level 3.
An attacker generates a fake certificate with the same CN/subject as
the original.
I make a connection and stunnel4 will be satisfied?! It is crazy,
isn't it?
Where is the security?

--kapetr









Re: posfix rejected from google server

2011-03-06 Thread kapetr
Hello,

reply for: 

"Peter Evans"  and
Reindl Harald 

My ISP assigns (without me needing to request or pay for it :-) every
time (via PPPoE on ADSL) the same IP address to the same client
(DSLAM port). So my IP is from a "dynamic" range, but in practice it
is a static IP.

I'm sure about it and it is very simple to check my "outside" IP -
e.g. with mojeip.cz - or simply check my IP in my ADSL modem log.
In fact I am behind NAT - but this is the NAT of my ADSL modem and I am
the only computer in my LAN. The FW of the modem and of Ubuntu are
closed to any connections from outside.

Note: I prefer the NAT/router mode of my ADSL modem over BRIDGE mode
(where I would need to do PPPoE in the OS itself) for an additional FW
security ring to protect my computer.

So ... nobody except me can send "spam" from this IP address.
(This is not a confession! ;-)

Reindl wrote:
>seems you do not understand what a spamtrap is
>hint: your sender-address does not play in this game

Thanks for explanation.

Note: once again - I have understood and totally accept the fact
that I can't send mail directly from my "dynamic range" IP, so I use
a relayhost.

I just try to understand how I could get into a spam list. In my
previous post I have explained why I do not believe that there is a
hidden spambot in my system. So now that I know what  is,
it is quite impossible that I got into the spam list this
way.

A pity that cbl.abuseat.org, as described in
http://cbl.abuseat.org/faq.html, does not explain the criteria how
someone's IP can get into their CBL list.


--kapetr





Re: posfix rejected from google server

2011-03-05 Thread kapetr
Hello,

 wrote: 

>Subject: Re: posfix rejected from google server
>
>On Fri, Mar 04, 2011 at 03:29:08PM +0100, kapetr wrote:
>> first I have to say: the problem with home/dynamic IP ranges,
>> business accounts, ... and therefore the need of using the relay of
>> my ISP in my case I have well understood and I do so.
>>
>> What I'm interested in is still this:
>>
>> > http://cbl.abuseat.org/lookup.cgi?ip=85.71.234.108+&.submit=Lookup
>> >
>> > says -as you wrote:
>> > IP Address 85.71.234.108 is listed in the CBL. It appears to be
>> > infected with a spam sending trojan or proxy.
>> > It was last detected at 2011-03-01 07:00 GMT (+/- 30 minutes),
>>
>> So the question is how I got into such a list and why I am
>> recognized as "infected with a spam sending trojan or proxy"
>> and not just "disabled because of dynamic IP range".
>
>Did you read the rest of that page, and these links?
>http://cbl.abuseat.org/nat.html
>http://cbl.abuseat.org/advanced.html

Of course I had read that.
But the problem is - all that text is based on the assumption that
there is a spambot on my system/LAN/... - and I believe this is not
my case - see below.

>
>> I first used Postfix (after install) at 2011-03-01 06:00 GMT
>>
>> And at 2011-03-01 06:44 GMT I tried to send a test e-mail to my
>> , which was rejected back.
>>
>> So my conclusion is that my only "crime" was this action: an
>> attempt to send mail to the Google SMTP server from a home IP
>> address. The Google server probably immediately sent a report of
>> that to cbl.abuseat.org, which rated it as if I were "infected with
>> a spam sending trojan or proxy", which is not accurate - NOT
>> correct.
>
>I doubt your conclusion. IIUC CBL detects spam based on content and
>ONLY when it hits a spamtrap address; that is, an address which has
>never been used for legitimate mail and was harvested by spammers.
>

It can not be so.

The "from:" address used by these tests of the fresh Postfix
installation I have had and used for many years - so it does not fit
your definition of "spamtrap address".

And there was nothing/nobody sending email - as shown by the time
reported by cbl.abuseat.org - there was only this one incident, which
exactly corresponds with the test mail sent via the freshly installed
Postfix. After changing the Postfix config to "relayhost" - no new
incidents were reported. That is IMHO good evidence that there is
no spambot on my system.

(+ I have added an iptables rule for outgoing SMTP - to check the SYN
packet count. Nothing suspect.)

And the content of the email? See what Google's server reports in the
error message - there is only a hint about the disallowed connection
from my IP and a recommendation to use the ISP's server. No spam.


>I further highly doubt any link between Gmail and CBL exists.

Of course - it must exist - direct or indirect.
Or how do you think such lists are filled?
Someone must report it. And there was communication only between my
computer and Google's server.
(And I did not report :-)


That's why I think:

>
>> Maybe cbl.abuseat.org simply thinks that if someone tries to send
>> emails from an MTA on a home IP, then it must be a spammer or an
>> infected system ?!

... after Google's server has asked abuseat.org about my IP address.



>Also it's not really on topic here. If you'll indulge a shameless
>self-promotion, this would be quite on topic on this list, which I
>co-manage:
>http://spammers.dontlike.us/
>We do have a CBL representative who subscribes and sometimes posts.
>--
>Offlist mail to this address is discarded unless
>"/dev/rob0" or "not-spam" is in Subject: header

?? I don't understand what you mean.
Sorry for my English - I'm not able to describe everything as I would
like - that's why I use only streamlined sentences. I work with Google
Translate.

But to say that I do "shameless self-promotion"? This is too much,
isn't it?

--kapetr



Re: Postfix und SSL client problem.

2011-03-05 Thread kapetr
Hello,

and thanks again for the answer.

Victor Duchovni  wrote:


>Your username/password are not safe from a man-in-the-middle attack,
>thwarting that requires authentication as well as encryption. With
>stunnel that means "verify = 3" and a local copy of the SMTP server
>certificate.

You are of course right.
Unfortunately I am not very (better to say - minimally) familiar with
SSL, certificates, ...

I have set in my stunnel.conf:

[ssmtp_client_iol]
client = yes
accept = 10465
connect = smtp.iol.cz:465
verify = 3
CApath = /etc/ssl/certs


The problem is that I don't know:

1. How to get the SSL certificate of smtp.iol.cz (and save it to a
file).

I tried using Firefox -> https://smtp.iol.cz:465 in the hope that FF
would let me see, import and save the certificate, but FF does not
allow a connection to this port.

So how to get it and save it?

2. Where to put this file to be usable by stunnel?

It will maybe be the option CAfile ... as you and the manual say. Or
CApath.

I made an experiment (with the above config):
telnet 127.0.0.1 10465

in the log is now:


2011.03.05 18:07:34 LOG5[4798:3079506800]: ssmtp_client_iol
connected remote server from 10.6.6.6:45430
2011.03.05 18:07:34 LOG4[4798:3079506800]: VERIFY ERROR: depth=1,
error=unable to get local issuer certificate: /C=US/O=Thawte,
Inc./CN=Thawte SSL CA
2011.03.05 18:07:34 LOG3[4798:3079506800]: SSL_connect: 14090086:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
2011.03.05 18:07:34 LOG5[4798:3079506800]: Connection reset: 0 bytes
sent to SSL, 0 bytes sent to socket

So I think that stunnel needs at least:
- the peer's certificate
- the CA root certificate (Thawte)
(- ignoring CRLs, ...)

You see - this is too high for me :-(

>You can even generate such a self-signed certificate yourself and
>throw away the private key. Provided the subject DN matches the
>peer's subject DN you're set.
>
You are again talking about generating my own certificate, but as I
wrote - I just need to connect to this SMTP server which uses simple
SASL PLAIN/LOGIN authentication, so I need no own certificate to
authenticate me, I think. (?)

--kapetr 
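
The two practical questions in this post (how to get the smtp.iol.cz certificate into a file, and what a "verify = 3" local copy actually protects against, which is also the "Where is the security?" question in the 2011-03-09 reply to Viktor's fake-certificate trick) can be answered with a short script. What follows is an added example, not stunnel, Postfix or Viktor's code. On the command line the fetch is `openssl s_client -connect smtp.iol.cz:465 -showcerts </dev/null`; the script does the same with the Python standard library, extracts the leaf certificate from -showcerts output, and shows a pin check that compares the certificate's DER bytes rather than only its subject DN, so a certificate minted with the same DN does not pass. The s_client output and the PEM blocks in the script are constructed stand-ins, not real certificates. The real leaf certificate would be saved as, say, /etc/stunnel/smtp.iol.cz.pem and referenced with CAfile next to verify = 3. (Postfix 3.0 and later can speak SMTPS themselves with smtp_tls_wrappermode = yes and verify the peer name with smtp_tls_security_level = secure, so on current releases stunnel is not needed for this.)

```python
"""Get a server's certificate into a file for stunnel's CAfile, and pin it
by content rather than by name. Added example, not stunnel or Postfix code.
"""
import base64
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def fetch_peer_cert_pem(host: str, port: int = 465) -> str:
    """Leaf certificate the server presents, PEM encoded. Standard-library
    equivalent of `openssl s_client -connect host:port`; it verifies
    nothing, it only fetches (network access required)."""
    return ssl.get_server_certificate((host, port))


def leaf_cert_from_showcerts(text: str) -> str:
    """First certificate block in `openssl s_client -showcerts` output.
    The server sends its own certificate first (RFC 5246 7.4.2), so the
    first block is the one to save, not the CA certificates after it."""
    start = text.index(PEM_BEGIN)
    end = text.index(PEM_END, start) + len(PEM_END)
    return text[start:end] + "\n"


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER encoding, the value `openssl x509 -sha256
    -fingerprint` prints (without the colons)."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def pinned_peer_ok(local_pem: str, presented_pem: str) -> bool:
    """True only if the peer presented exactly the saved certificate.
    Comparing the DER bytes (via their hash) is what makes a pin worth
    having: a check that compares only the subject DN accepts any
    certificate an attacker mints with the same name."""
    return fingerprint(local_pem) == fingerprint(presented_pem)


# Constructed stand-ins for the offline demonstration: valid PEM framing
# around arbitrary base64, NOT real certificates.
def _fake_pem(payload: bytes) -> str:
    return f"{PEM_BEGIN}\n{base64.b64encode(payload).decode()}\n{PEM_END}\n"


SAVED_CERT = _fake_pem(b"leaf certificate of smtp.iol.cz")
FORGED_CERT = _fake_pem(b"same subject DN, attacker's key")
CA_CERT = _fake_pem(b"intermediate CA certificate")
SHOWCERTS_OUTPUT = (
    "CONNECTED(00000003)\n"
    "---\nCertificate chain\n"
    " 0 s:/C=CZ/O=Telefonica O2 Czech Republic, a.s./CN=smtp.iol.cz\n"
    "   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA\n"
    + SAVED_CERT +
    " 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA\n"
    "   i:/C=US/O=thawte, Inc./CN=thawte Primary Root CA\n"
    + CA_CERT +
    "---\n"
)

if __name__ == "__main__":
    leaf = leaf_cert_from_showcerts(SHOWCERTS_OUTPUT)
    print("leaf fingerprint:", fingerprint(leaf))
    print("genuine accepted:", pinned_peer_ok(SAVED_CERT, leaf))
    print("forged accepted: ", pinned_peer_ok(SAVED_CERT, FORGED_CERT))
```

The fingerprint is also the value to record when the saved file is created, so a later change of the ISP's certificate shows up as a pin failure to investigate rather than as a silent acceptance.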




Re: Postfix und SSL client problem.

2011-03-04 Thread kapetr
Victor Duchovni  wrote:

>Note, however, that stunnel will not by default verify peer
>certificates, so additional configuration is required for that. Only
>stunnel's verification level 3, where the remote peer certificate is
>locally installed in a local CAfile referenced in the stunnel.conf
>file actually verifies that you are reaching the right peer server.
>
>Stunnel has no support for peername verification via trusted CAs.
>Stunnel's verification level 2 just lulls unsuspecting users into a
>false sense of security. It just verifies the certificate trust chain
>(essentially pointless), but not the peername. I tried to convince the
>author of stunnel that verification level 2 is broken, and should be
>modified, ... he was not interested.
>
>-- 
>Viktor.

Thank you for the warning!
I will try to learn more about it.

At the moment I am satisfied with the fact that the communication with
the ISP's server is encrypted. So my name/password sent with SASL
LOGIN/PLAIN are +- safe.
Maybe I should at least use the IP (not the name) of my ISP's server in
the stunnel conf, or add its name to my protected /etc/hosts.

--kapetr




Re: posfix rejected from google server

2011-03-04 Thread kapetr
Hello.

first I have to say: the problem with home/dynamic IP ranges,
business accounts, ... and therefore the need of using the relay of my
ISP in my case I have well understood and I do so.

What I'm interested in is still this:

> http://cbl.abuseat.org/lookup.cgi?ip=85.71.234.108+&.submit=Lookup
>
> says -as you wrote:
> IP Address 85.71.234.108 is listed in the CBL. It appears to be
> infected with a spam sending trojan or proxy.
> It was last detected at 2011-03-01 07:00 GMT (+/- 30 minutes),

So the question is how I got into such a list and why I am recognized
as "infected with a spam sending trojan or proxy" and not just
"disabled because of dynamic IP range".


I first used Postfix (after install) at 2011-03-01 06:00
GMT

And at 2011-03-01 06:44 GMT I tried to send a test e-mail to my
, which was rejected back.

So my conclusion is that my only "crime" was this action: an attempt
to send mail to the Google SMTP server from a home IP address. The
Google server probably immediately sent a report of that to
cbl.abuseat.org, which rated it as if I were "infected with a
spam sending trojan or proxy", which is not accurate - NOT correct.

Maybe cbl.abuseat.org simply thinks that if someone tries to send
emails from an MTA on a home IP, then it must be a spammer or an
infected system ?!

On spamhaus.org I am in the PBL (which is correct - dynamic range) and
unfortunately also in the XBL, just because I am listed by the CBL at
abuseat.org - as discussed above.

My logs are OK. No spam. No one is abusing my system. I'm 99.99%
sure :)


Thanks to all

--kapetr




Re: posfix rejected from google server

2011-03-02 Thread kapetr
Hello..

On Wed, 02 Mar 2011 19:11:53 + Ned Slider 
wrote:
>
>
>I think the original poster has bigger problems as his IP is listed
>on a few DNSBLs:
>
>Enter server IP Address followed by [ENTER] to begin.
>
>RUNNING CHECKS FOR 85.71.234.108
>
>==
>CHECKING DNSBL BLACK LISTS
>==
>85.71.234.108 BLACKLISTED: zen.spamhaus.org
>85.71.234.108 UNLISTED: sbl.spamhaus.org
>85.71.234.108 BLACKLISTED: pbl.spamhaus.org
>85.71.234.108 BLACKLISTED: xbl.spamhaus.org
>85.71.234.108 BLACKLISTED: cbl.abuseat.org
>85.71.234.108 UNLISTED: b.barracudacentral.org
>85.71.234.108 UNLISTED: dnsbl.njabl.org
>85.71.234.108 UNLISTED: dnsbl-1.uceprotect.net
>85.71.234.108 UNLISTED: dnsbl-2.uceprotect.net
>85.71.234.108 UNLISTED: dnsbl-3.uceprotect.net
>85.71.234.108 UNLISTED: dnsbl.sorbs.net
>85.71.234.108 UNLISTED: spam.dnsbl.sorbs.net
>85.71.234.108 UNLISTED: aspews.ext.sorbs.net
>85.71.234.108 UNLISTED: l1.apews.org
>85.71.234.108 BLACKLISTED: l2.apews.org
>85.71.234.108 UNLISTED: bl.spamcop.net
>85.71.234.108 UNLISTED: bl.spamcannibal.org
>85.71.234.108 BLACKLISTED: no-more-funn.moensted.dk
>85.71.234.108 UNLISTED: ips.backscatterer.org
>85.71.234.108 UNLISTED: hostkarma.junkemailfilter.com
>85.71.234.108 BLACKLISTED: bl.score.senderscore.com
>...
>
>The CBL says:
>
>IP Address 85.71.234.108 is listed in the CBL. It appears to be
>infected with a spam sending trojan or proxy.
>
>It was last detected at 2011-03-01 07:00 GMT (+/- 30 minutes),
>approximately 1 days, 12 hours, 29 minutes ago.
>
>It's also listed in Spamhaus PBL:
>http://www.spamhaus.org/pbl/query/PBL043205
>
>I'd say it's pretty much a non-starter trying to reliably deliver
>mail from that IP.


Sorry - I do not very well understand your last sentence (due to my
English).
But if you want to say that I'm probably a SPAMMER, then it is
absolutely not true!

Except for some forums I send just a few emails a month.
And I do not believe that my system is infected. It is a very fresh
installation of Ubuntu 10.10 with updates, with firewall on (ufw),
apparmor, behind NAT, ...
And my IP address I have had since 12/2011 and I'm the only one using
it (via my computer, which again only I use).

I have googled for DNSBL - and first I tried:

http://www.dnsbl.info/dnsbl-database-check.php

It says my IP (with just ONE exception) is OK! Including some of
those you have listed as saying NOT. What check service did you use?

And the http://www.spamhaus.org/pbl/query/PBL043205 you wrote does
not talk about exactly my IP, just about a range. This IP range is
from the biggest DSL provider here - Telefonica O2.

As I know, the Czech Republic does not belong to the spam countries,
but maybe the list maintainers simply think that everything from
middle/east Europe ...
That is discrimination.

And the:
http://cbl.abuseat.org/lookup.cgi?ip=85.71.234.108+&.submit=Lookup

says - as you wrote:
IP Address 85.71.234.108 is listed in the CBL. It appears to be
infected with a spam sending trojan or proxy.
It was last detected at 2011-03-01 07:00 GMT (+/- 30 minutes),
approximately 2 days ago.

I would really very much like to see which of my emails was detected
as spam !!

So once again, I am not a spammer!
I hate spam and spammers !!

--kapetr
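
The lists in Ned's output are DNS zones, and a mail server checks them with an ordinary DNS query, so the same check can be scripted instead of typed into a web form. Added example, not the tool whose output is quoted above: the IPv4 address is reversed octet by octet and looked up under the zone (85.71.234.108 becomes 108.234.71.85.zen.spamhaus.org); NXDOMAIN means not listed, and a 127.0.0.x answer is a listing whose last octet identifies the sub-list for zen.spamhaus.org (SBL, XBL which carries the CBL data, PBL). The resolver is injectable so the logic can be exercised offline; Spamhaus refuses queries arriving through public resolvers with 127.255.255.x answers, which the code reports as an error instead of treating as a listing.

```python
"""Query a DNS blocklist the way a mail server does.

Added example, not the checker quoted in the thread. Reverse the IPv4
octets, look the name up under the zone, and decode the 127.0.0.x answer.
"""
import socket
from typing import Callable, Dict, List

# Return codes Spamhaus documents for zen.spamhaus.org.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised)",
    "127.0.0.4": "XBL via CBL (exploited or infected host)",
    "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP policy: end-user / dynamic range)",
    "127.0.0.11": "PBL (Spamhaus-maintained range)",
}

Resolver = Callable[[str], List[str]]


def _system_resolver(name: str) -> List[str]:
    """All A records for `name`; [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({ai[4][0] for ai in infos})


def dnsbl_name(ip: str, zone: str) -> str:
    """85.71.234.108 + zen.spamhaus.org -> 108.234.71.85.zen.spamhaus.org"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip: str, zone: str, resolve: Resolver = _system_resolver) -> List[str]:
    """127.0.0.x codes the zone returns for `ip`; [] means not listed.
    127.255.255.x answers are Spamhaus error codes (public resolver,
    query volume, malformed query), not listings, so they raise."""
    answers = resolve(dnsbl_name(ip, zone))
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        raise RuntimeError(f"{zone} refused the query ({errors}); use your own resolver")
    return [a for a in answers if a.startswith("127.0.0.")]


def explain_zen(codes: List[str]) -> List[str]:
    return [ZEN_CODES.get(c, f"unknown code {c}") for c in codes]


if __name__ == "__main__":
    import sys
    for zone in ("zen.spamhaus.org", "cbl.abuseat.org"):
        codes = lookup(sys.argv[1], zone)
        print(zone, explain_zen(codes) if codes else "not listed")
```

The XBL entry is what the CBL listing shows up as in ZEN, which is why the thread's "removed from CBL but still blocked by zen" outcome is expected while the PBL code remains.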




Re: Postfix und SSL client problem.

2011-03-02 Thread kapetr
Hello,

I HAVE TO apologize :-)

I presented my solution with stunnel4 - and now I see (as written by
 - thanks) it is in
http://www.postfix.org/TLS_README.html#client_smtps.

So it shows again the Great Truth - RTFM!

Sorry.
So at least I also see that this is a normal solution with Postfix.


--kapetr



Re: posfix rejected from google server

2011-03-01 Thread kapetr
Thanks all for the replies.

Just few remarks:

1. RDNS - e.g. for den...@bestcheer.com, li...@dguhl.org, ...

that's what I tried to correct with
myhostname = 108.234.broadband4.iol.cz

yes - it is what I get with dig -x , so then
dig 108.234.broadband4.iol.cz == this address.
So the reverse DNS lookup check should be passed - I hope.

But as answered by most - in my case it can not help, because I
have only a personal (from a dynamic range) home-user IP - no
"business" account.

So I can do nothing about it in the Postfix config - just degrade
Postfix with "relayhost" to my ISP's SMTP server - which is exactly
what I did not want.

2. for Andreas - lst_ho...@kwsoft.de

the link http://mail.google.com/support/bin/answer.py?answer=10336
works for you?!

Thanks to all

--kapetr



Re: Postfix und SSL client problem.

2011-03-01 Thread kapetr
Hello again,

I have to report that I have found a solution - via stunnel4.

This I added to main.cf:

--
smtp_sasl_auth_enable = yes
relayhost = [127.0.0.1]:10111
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous


And this is how my stunnel conf looks (the first I ever made - and it
worked at the first attempt :-):
-
foreground = yes

[ssmtp_c2s]
accept = 127.0.0.1:10111
client = yes
connect = smtp.iol.cz:465
delay = yes
;protocol = smtp


# sudo stunnel4 ./stunel.conf

I myself cannot believe it, but it works :-D
Before I could test it manually, my queued messages were finally gone :-)

But ... although it is nice, I think it is not a very system-correct
solution.

So is there a possibility to do it correctly - via Postfix
configuration ?


Thanks

--kapetr
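A caveat on the stunnel workaround above, as an added example that is not part of the thread, of stunnel or of Postfix: stunnel in client mode does not verify the remote server's certificate unless `verify` and a CA bundle are configured, so the posted config encrypts the hop to smtp.iol.cz but would accept any certificate presented on port 465. The Python script below parses a constructed copy of the posted config and a hardened variant and reports, per client-mode service, which verification settings are missing. `verify` and `CAfile` are stunnel 4 options; `checkHost` exists in newer stunnel releases; the CA bundle path is an assumption for a Debian/Ubuntu host.

```python
import configparser
from typing import Dict, List

# Constructed copy of the stunnel client configuration posted in this thread.
# It has no 'verify' option, so stunnel accepts whatever certificate the
# relay presents on port 465 (stunnel's default is no verification).
POSTED_CONF = """\
foreground = yes

[ssmtp_c2s]
accept = 127.0.0.1:10111
client = yes
connect = smtp.iol.cz:465
delay = yes
;protocol = smtp
"""

# Hardened variant (assumption: CA bundle path of a Debian/Ubuntu host).
# verify = 2 checks the certificate chain against CAfile; checkHost (newer
# stunnel releases) additionally pins the name the certificate must carry.
HARDENED_CONF = """\
foreground = yes

[ssmtp_c2s]
accept = 127.0.0.1:10111
client = yes
connect = smtp.iol.cz:465
delay = yes
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = smtp.iol.cz
"""


def parse_stunnel_conf(text: str) -> configparser.ConfigParser:
    """stunnel's file is INI-like with ';' comments and global options before
    the first [section]; configparser needs a header, so one is prepended."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written (CAfile, checkHost)
    cp.read_string("[global]\n" + text)
    return cp


def audit_client_services(text: str) -> Dict[str, List[str]]:
    """For every client-mode service, list the missing verification settings.
    An empty list means the service verifies the remote certificate."""
    cp = parse_stunnel_conf(text)
    findings: Dict[str, List[str]] = {}
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        if sec.get("client", "no").strip().lower() != "yes":
            continue  # server-mode services are out of scope here
        problems: List[str] = []
        try:
            level = int(sec.get("verify", "0"))
        except ValueError:
            level = 0
        if level < 2:
            problems.append("verify < 2: remote certificate chain is not checked")
        if "CAfile" not in sec and "CApath" not in sec:
            problems.append("no CAfile/CApath: no trust anchors to check against")
        if "checkHost" not in sec:
            problems.append("no checkHost: any certificate the CA issued is accepted")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        for service, problems in audit_client_services(conf).items():
            print(f"{label}/{service}: {problems or 'OK'}")
```

The same distinction applies to the Postfix-side settings in the other thread: `smtp_tls_security_level = encrypt` only mandates encryption to the relay, while certificate verification needs the `verify` or `secure` level together with a configured CA file.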








Postfix and SSL client problem.

2011-03-01 Thread kapetr
Hello,

most SMTP servers of freemail providers or of ISPs in the Czech Republic use only
SASL PLAIN/LOGIN authentication with SSL possibility (over port 465
- ssmtp).

It works well with e.g. Evolution as SMTP client.
But I can't get this to work in Postfix with "relayhost".

I followed:
http://www.postfix.org/SASL_README.html#client_sasl
http://www.postfix.org/TLS_README.html

So I have added to main.cf:

--
smtp_sasl_auth_enable = yes
relayhost = [smtp.iol.cz]:465
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols =
---
((BTW: the hash table/passwords are not the problem))

First I tried it without ":465", but then Postfix tries port 25 and,
because the ESMTP response does not include STARTTLS, Postfix ends
with:

-
Mar 1 14:23:40 duron650 postfix/smtp[3641]: E6CF0A2F1C:
to=, relay=smtp.iol.cz[194.228.2.82]:25,
delay=1399, delays=1399/0.07/0.05/0, dsn=4.7.4, status=deferred (TLS
is required, but was not offered by host smtp.iol.cz[194.228.2.82])
--

And with the 465 port the response is:
-
Mar 1 14:32:45 duron650 postfix/smtp[3715]: CLIENT wrappermode
(port smtps/465) is unimplemented
Mar 1 14:32:45 duron650 postfix/smtp[3715]: instead, send to (port
submission/587) with STARTTLS
--

But the ISP's server does not listen on port 587.

What can I do ?

Thanks

--kapetr





Re: postfix rejected from google server

2011-03-01 Thread kapetr
Thank you for the explanation.

--kapetr

- ORIGINAL MESSAGE -
From: "Reindl Harald" 
To: "kapetr" 
Subject: Re: postfix rejected from google server
Date: 1.3.2011 - 10:40:28

> 
> On 01.03.2011 09:28, kapetr wrote:
> > So you mean that this is not a problem of bad
> > postfix config ?
> > So I can do nothing to get it working ?
> 
> not with your homeuser-ip
> 
> > Must everyone who wants to send mails to
> > Google have a contract
> > with Google ?
> 
> no, but with an ISP that has marked the ip-range
> for business users
> 
> > It seems to be too improbable to be possible.
> > Is this sure or is there another possibility?
> 
> this is sure and not only for google
> spamfilter-services like messagelabs will block
> you too
> 
> most mail-servers out there will reject direct
> mails from homeuser-ips because most of them are
> spambots
> 
> we had even this problem with our business account
> and a new ip-range because the range was marked as
> "dialup" from our isp, it does not matter if your ip is
> static
> 
> 108.234.71.85.in-addr.arpa is a typical
> homeuser-ptr
> 
> Best regards, Reindl Harald
> the lounge interactive design GmbH
> A-1060 Vienna, Hofmühlgasse 17
> CTO / software-development / cms-solutions
> p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
> icq: 154546673, http://www.thelounge.net/
> 
> 



Re: postfix rejected from google server

2011-03-01 Thread kapetr
Thank you,

I will have to :-(
In such a situation the only function of Postfix left is the log.

--kapetr


- ORIGINAL MESSAGE -
From: "Eero Volotinen" 
To: "kapetr" 
Subject: Re: postfix rejected from google server
Date: 1.3.2011 - 9:59:26

> 2011/3/1 kapetr :
> > So you mean that this is not a problem of bad
> > postfix config ?
> > So I can do nothing to get it working ?
> >
> > Must everyone who wants to send mails to
> > Google have a contract
> > with Google ?
> > It seems to be too improbable to be possible.
> >
> > Is this sure or is there another possibility ?
> 
> configure relayhost parameter in postfix
> 
> --
> Eero
> 



Re: postfix rejected from google server

2011-03-01 Thread kapetr
So you mean that this is not a problem of bad postfix config ?
So I can do nothing to get it working ?

Must everyone who wants to send mails to Google have a contract
with Google ?
It seems to be too improbable to be possible.

Is this sure or is there another possibility ?

--kapetr

- ORIGINAL MESSAGE -
From: "Eero Volotinen" 
To: "kapetr" 
Subject: Re: postfix rejected from google server
Date: 1.3.2011 - 9:13:10

> 2011/3/1 kapetr :
> > Hello,
> >
> > I need help to get sending e-mails out of my
> > Ubuntu 10.10 box.
> >
> > My PC is connected via ADSL modem (NAT) with
> > static public IP address.
> > It is a standard "Internet client" standalone
> > computer.
> > I want to use Postfix (e.g. while logging of sent
> > mails, ..) instead of using my ISP's SMTP server.
> > So I have installed Postfix.
> >
> > If I send (from Evolution MUA) a test email via
> > Postfix from  to e.g. , then all
> > goes OK.
> > But if I send email to ,
> > then it FAILS.
> >
> > In the log is:
> >
> > -
> > Mar  1 08:28:46 duron650 postfix/qmgr[12923]: 4F758A2F17:
> > from=, size=572, nrcpt=1 (queue active)
> > Mar  1 08:28:47 duron650 postfix/smtp[13007]: 4F758A2F17:
> > to=,
> > relay=gmail-smtp-in.l.google.com[74.125.39.27]:25, delay=0.99,
> > delays=0.41/0.11/0.28/0.2, dsn=5.7.1, status=bounced (host
> > gmail-smtp-in.l.google.com[74.125.39.27] said: 550-5.7.1
> > [85.71.234.108] The IP you're using to send mail is not authorized
> > to 550-5.7.1 send email directly to our servers. Please use the SMTP
> > relay at your 550-5.7.1 service provider instead. Learn more at
> > 550 5.7.1
> > http://mail.google.com/support/bin/answer.py?answer=10336
> > a17si5071366fak.100 (in reply to end of DATA command))
> > Mar  1 08:28:47 duron650 postfix/cleanup[13003]: 46508A2F18:
> > message-id=<20110301072847.46508a2...@108.234.broadband4.iol.cz>
> > Mar  1 08:28:47 duron650 postfix/qmgr[12923]: 46508A2F18: from=<>,
> > size=3139, nrcpt=1 (queue active)
> > Mar  1 08:28:47 duron650 postfix/bounce[13014]: 4F758A2F17: sender
> > non-delivery notification: 46508A2F18
> > Mar  1 08:28:47 duron650 postfix/qmgr[12923]: 4F758A2F17: removed
> > Mar  1 08:28:50 duron650 postfix/smtp[13007]: 46508A2F18:
> > to=, relay=mx50.seznam.cz[77.75.77.47]:25,
> > delay=3, delays=0.08/0.01/2.1/0.82, dsn=2.0.0, status=sent (250
> > 2.0.0 Mail 5201 queued for delivery in session 7c930034.)
> > Mar  1 08:28:50 duron650 postfix/qmgr[12923]: 46508A2F18: removed
> > ---
> >
> > I have spent much time googling about this. I have found many
> > questions, but no answers.
> >
> > So I have tried to change my "myhostname" in main.cf (and restart
> > postfix):
> >
> > myhostname = 108.234.broadband4.iol.cz
> >
> > This is the correct (from reverse DNS lookup) name of my "outside"
> > address.
> > But this does not help.
> >
> > So ... what is the problem ?
> > What kind of test exactly does the server of
> > Google mail do ?
> > How to satisfy its requirements ?
> 
> Google is possibly blocking your dynamic ip range,
> you need to use
> smarthost. ("relayhost")
> 
> --
> Eero
> 



postfix rejected from google server

2011-03-01 Thread kapetr
Hello,

I need help to get sending e-mails out of my Ubuntu 10.10 box.

My PC is connected via ADSL modem (NAT) with static public IP
address.
It is a standard "Internet client" standalone computer.
I want to use Postfix (e.g. while logging of sent mails, ..) instead
of using my ISP's SMTP server. So I have installed Postfix.

If I send (from Evolution MUA) a test email via Postfix
from  to e.g. , then all
goes OK.
But if I send email to , then it FAILS.

In the log is:

-
Mar  1 08:28:46 duron650 postfix/qmgr[12923]: 4F758A2F17:
from=, size=572, nrcpt=1 (queue active)
Mar  1 08:28:47 duron650 postfix/smtp[13007]: 4F758A2F17:
to=,
relay=gmail-smtp-in.l.google.com[74.125.39.27]:25, delay=0.99,
delays=0.41/0.11/0.28/0.2, dsn=5.7.1, status=bounced (host
gmail-smtp-in.l.google.com[74.125.39.27] said: 550-5.7.1
[85.71.234.108] The IP you're using to send mail is not authorized
to 550-5.7.1 send email directly to our servers. Please use the SMTP
relay at your 550-5.7.1 service provider instead. Learn more at 
550 5.7.1
http://mail.google.com/support/bin/answer.py?answer=10336
a17si5071366fak.100 (in reply to end of DATA command))
Mar  1 08:28:47 duron650 postfix/cleanup[13003]: 46508A2F18:
message-id=<20110301072847.46508a2...@108.234.broadband4.iol.cz>
Mar  1 08:28:47 duron650 postfix/qmgr[12923]: 46508A2F18: from=<>,
size=3139, nrcpt=1 (queue active)
Mar  1 08:28:47 duron650 postfix/bounce[13014]: 4F758A2F17: sender
non-delivery notification: 46508A2F18
Mar  1 08:28:47 duron650 postfix/qmgr[12923]: 4F758A2F17: removed
Mar  1 08:28:50 duron650 postfix/smtp[13007]: 46508A2F18:
to=, relay=mx50.seznam.cz[77.75.77.47]:25,
delay=3, delays=0.08/0.01/2.1/0.82, dsn=2.0.0, status=sent (250
2.0.0 Mail 5201 queued for delivery in session 7c930034.)
Mar  1 08:28:50 duron650 postfix/qmgr[12923]: 46508A2F18: removed
---

I have spent much time googling about this. I have found many
questions, but no answers.

So I have tried to change my "myhostname" in main.cf (and restart
postfix):

myhostname = 108.234.broadband4.iol.cz

This is the correct (from reverse DNS lookup) name of my "outside"
address.
But this does not help.

So ... what is the problem ?
What kind of test exactly does the server of Google mail do ?
How to satisfy its requirements ?


I hope someone will help me, thanks

--kapetr

P.S.: please excuse my English
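Added example, not part of the thread or of Postfix: the postfix/smtp lines quoted above carry everything needed to triage a delivery problem (queue id, relay host and IP, DSN code, delivery status and the remote server's reply). The Python below parses such lines from a constructed sample modelled on this thread's log (recipient and sender addresses are placeholders, since the thread has them elided), separates permanent (5.x.x) failures from transient (4.x.x) deferrals, and pulls out the SMTP reply code the remote server sent.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the postfix/smtp lines quoted in this
# thread; addresses are placeholders because the thread has them elided.
SAMPLE_LOG = """\
Mar  1 08:28:46 duron650 postfix/qmgr[12923]: 4F758A2F17: from=<sender@example.net>, size=572, nrcpt=1 (queue active)
Mar  1 08:28:47 duron650 postfix/smtp[13007]: 4F758A2F17: to=<rcpt@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.39.27]:25, delay=0.99, delays=0.41/0.11/0.28/0.2, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.39.27] said: 550-5.7.1 [85.71.234.108] The IP you're using to send mail is not authorized to 550-5.7.1 send email directly to our servers. (in reply to end of DATA command))
Mar  1 08:28:50 duron650 postfix/smtp[13007]: 46508A2F18: to=<sender@example.net>, relay=mx50.seznam.cz[77.75.77.47]:25, delay=3, delays=0.08/0.01/2.1/0.82, dsn=2.0.0, status=sent (250 2.0.0 Mail 5201 queued for delivery in session 7c930034.)
Mar  1 14:23:40 duron650 postfix/smtp[3641]: E6CF0A2F1C: to=<rcpt@example.org>, relay=smtp.iol.cz[194.228.2.82]:25, delay=1399, delays=1399/0.07/0.05/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host smtp.iol.cz[194.228.2.82])
"""

# One postfix/smtp delivery record: qid, recipient, relay, timings, DSN, status, reason.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), "
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# relay=host[ip]:port, or just a word such as "none" / "local".
RELAY_RE = re.compile(r"^(?P<host>[^\[]+?)(?:\[(?P<ip>[^\]]+)\])?(?::(?P<port>\d+))?$")
# First SMTP reply code the remote server sent, e.g. "550-5.7.1 ..." -> 550.
REMOTE_CODE_RE = re.compile(r"\b(?P<code>[245]\d\d)[ -]\d\.\d+\.\d+")


@dataclass
class Delivery:
    qid: str
    rcpt: str
    relay_host: str
    relay_ip: Optional[str]
    relay_port: Optional[int]
    delay: float
    dsn: str
    status: str
    reason: str
    remote_code: Optional[int]

    @property
    def dsn_class(self) -> str:
        # 2.x.x delivered, 4.x.x transient (Postfix retries), 5.x.x permanent
        return {"2": "success", "4": "transient", "5": "permanent"}.get(self.dsn[0], "unknown")


def parse_delivery(line: str) -> Optional[Delivery]:
    """Parse one postfix/smtp delivery line; lines of other daemons give None."""
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    r = RELAY_RE.match(m["relay"])
    host, ip, port = (r["host"], r["ip"], r["port"]) if r else (m["relay"], None, None)
    code = REMOTE_CODE_RE.search(m["reason"])
    return Delivery(
        qid=m["qid"], rcpt=m["rcpt"], relay_host=host, relay_ip=ip,
        relay_port=int(port) if port else None, delay=float(m["delay"]),
        dsn=m["dsn"], status=m["status"], reason=m["reason"],
        remote_code=int(code["code"]) if code else None,
    )


def parse_log(text: str) -> List[Delivery]:
    return [d for d in (parse_delivery(ln) for ln in text.splitlines()) if d]


def status_counts(deliveries: List[Delivery]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in deliveries:
        counts[d.status] = counts.get(d.status, 0) + 1
    return counts


def failures(deliveries: List[Delivery]) -> List[Delivery]:
    """Deliveries that did not succeed, permanent (5.x.x) failures first."""
    bad = [d for d in deliveries if d.dsn_class != "success"]
    return sorted(bad, key=lambda d: (d.dsn_class != "permanent", d.qid))


if __name__ == "__main__":
    ds = parse_log(SAMPLE_LOG)
    print(status_counts(ds))
    for d in failures(ds):
        print(f"{d.qid} {d.status:8} dsn={d.dsn} ({d.dsn_class}) "
              f"relay={d.relay_host} remote={d.remote_code}")
```

The bounced record is the one to act on: a 5.7.1 with a 550 from the receiving MX is a policy rejection that retrying will not fix, whereas the 4.7.4 deferral is Postfix's own local TLS policy refusing to proceed and will clear once the relay configuration is corrected.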