Re: Autoresponse for Postfix problem

2012-04-14 Thread Reindl Harald


On 13.04.2012 22:35, Tom Hendrikx wrote:

> Note that Reindl's point is true: anyone with a valid sasl account would
> be able to activate an autoresponder for any other user. If a web gui is
> the right solution depends on your use case, but issues will arise
> without more restrictions.

not only authenticated ones

even random delivery can happen if you do not
have a spoof-protection enabled

> As autoresponder seems to require the envelope_sender to be the same as
> the one you're configuring autoresponder for, this might be a nice job
> for reject_sender_login_mismatch. See
> http://www.postfix.org/SASL_README.html#server_sasl_authz

but as stated above this does not help if any forged
envelope sender is passed from outside which would
bypass reject_sender_login_mismatch and SASL at all

also if you have hosts in mynetwork which is usually
excluded from most restrictions you may have an open
door

in my opinion this is simply dangerous and broken
by design - an envelope sender is not any authentication




RE: Autoresponse for Postfix problem

2012-04-14 Thread Vishal Agarwal
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of J Gao
Sent: Saturday, April 14, 2012 12:48 AM
To: postfix-users@postfix.org
Subject: Re: Autoresponse for Postfix problem

 

On 12-04-13 11:35 AM, Tom Hendrikx wrote: 

On 13-04-12 20:24, J Gao wrote:

 
We have a Postfix mail server (CentOS 5.7, Postfix, Courier, Virtual
Domain, MailScanner) and I want setup the autoresponder for Postfix.
 
I followed the instruction on
http://nefaria.com/project_index/autoresponse/
 
I looked the maillog and I found that the filter override seems not
working. The mail doesn't handle over to the autoresponder, it always
goes to relay=virtual
 
Here is the maillog:
===
Apr 13 11:10:51 zeta postfix/smtpd[26079]: 4F5108031:
client=unknown[24.207.43.101], sasl_method=PLAIN,
sasl_username=j...@veecall.com

 
The message arrives from an sasl authenticated client...

Yes, this is required by the autoresponse perl script.
From: http://nefaria.com/project_index/autoresponse/
For security reasons, SASL authentication is required in order to configure
autoresponses via e-mail 




 
 

And my master.cf:
==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
#
==
smtp  inet  n   -   n   -   -   smtpd
   -o content_filter=autoresponder:dummy
submission inet n   -   n   -   -   smtpd
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

 
Only submission seems to have sasl enabled, which you are using.
But you seem to have the autoresponder only on the smtpd interface, not
on the submission interface.
 
 
Kind regards,
Tom
 

Sorry I am still learning Postfix. So do you mean I should add the filter to
submission as well?



smtp  inet  n   -   n   -   -   smtpd
   -o content_filter=autoresponder:dummy
submission inet n   -   n   -   -   smtpd
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o content_filter=autoresponder:dummy
 

 

If you use Webmin, there is an option to set an auto response in it. I have
checked it and found it useful.

 

Thanks/Regards,

Vishal Agarwal

 



Autoresponse for Postfix problem

2012-04-13 Thread J Gao

Hello,

We have a Postfix mail server (CentOS 5.7, Postfix, Courier, Virtual 
Domain, MailScanner) and I want to set up the autoresponder for Postfix.


I followed the instruction on
http://nefaria.com/project_index/autoresponse/

Now, the autoresponse works in command line mode. I can 
add/delete/enable/disable autoresponse.


But it fails to let users create their own autoresponse message via 
email. When I send an email to user+autorespo...@domain.tld, the mail 
just drops into the inbox and no autoresponse is set up.


I looked at the maillog and found that the filter override seems not to 
be working. The mail is not handed over to the autoresponder; it always 
goes to relay=virtual


Here is the maillog:
===
Apr 13 11:10:51 zeta postfix/smtpd[26079]: warning: 24.207.43.101: 
address not listed for hostname h24-207-43-101.cable.static.dccnet.com
Apr 13 11:10:51 zeta postfix/smtpd[26079]: connect from 
unknown[24.207.43.101]
Apr 13 11:10:51 zeta postfix/smtpd[26079]: setting up TLS connection 
from unknown[24.207.43.101]
Apr 13 11:10:51 zeta postfix/smtpd[26079]: TLS connection established 
from unknown[24.207.43.101]: TLSv1 with cipher DHE-RSA-AES256-SHA 
(256/256 bits)
Apr 13 11:10:51 zeta postfix/smtpd[26079]: 4F5108031: 
client=unknown[24.207.43.101], sasl_method=PLAIN, 
sasl_username=j...@veecall.com
Apr 13 11:10:51 zeta postfix/cleanup[26090]: 4F5108031: hold: header 
Received: from [192.168.123.60] (unknown [24.207.43.101])??(using TLSv1 
with cipher DHE-RSA-AES256-SHA (256/256 bits))??(No client certificate 
requested)??by zeta.sjgeophysics.com (Postfix) with ESMTP from 
unknown[24.207.43.101]; from=j...@veecall.com 
to=jgao+autorespo...@veecall.com proto=ESMTP helo=[192.168.123.60]
Apr 13 11:10:51 zeta postfix/cleanup[26090]: 4F5108031: 
message-id=4f886c28.7070...@veecall.com
Apr 13 11:10:51 zeta postfix/smtpd[26079]: disconnect from 
unknown[24.207.43.101]
Apr 13 11:10:52 zeta MailScanner[23639]: New Batch: Scanning 1 messages, 
1320 bytes
Apr 13 11:10:52 zeta MailScanner[23639]: Virus and Content Scanning: 
Starting

Apr 13 11:10:52 zeta MailScanner[23639]: Spam Checks: Starting
Apr 13 11:10:52 zeta MailScanner[23639]: Expired 8 records from the 
SpamAssassin cache
Apr 13 11:10:52 zeta MailScanner[23639]: Message 4F5108031.A4482 from 
24.207.43.101 (j...@veecall.com) is whitelisted
Apr 13 11:10:54 zeta MailScanner[23639]: Requeue: 4F5108031.A4482 to 
4E9208096
Apr 13 11:10:54 zeta postfix/qmgr[10040]: 4E9208096: 
from=j...@veecall.com, size=1095, nrcpt=1 (queue active)

Apr 13 11:10:54 zeta MailScanner[23639]: Uninfected: Delivered 1 messages
Apr 13 11:10:54 zeta MailScanner[23639]: Deleted 1 messages from 
processing-database
Apr 13 11:10:54 zeta postfix/virtual[26100]: 4E9208096: 
to=jgao+autorespo...@veecall.com, relay=virtual, delay=3.4, 
delays=3.4/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)

Apr 13 11:10:54 zeta postfix/qmgr[10040]: 4E9208096: removed
==

And my master.cf:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: man 5 master).
#
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
smtp  inet  n   -   n   -   -   smtpd
   -o content_filter=autoresponder:dummy
submission inet n   -   n   -   -   smtpd
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet  n   -   n   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628  inet  n   -   n   -   -   qmqpd
pickup    fifo  n   -   n   60  1   pickup
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
smtp  unix  -   -   n   -   -   smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix  -   -   n   -   -   smtp
    -o fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix  

Re: Autoresponse for Postfix problem

2012-04-13 Thread Reindl Harald


On 13.04.2012 20:24, J Gao wrote:
 Hello,
 
 We have a Postfix mail server (CentOS 5.7, Postfix, Courier, Virtual Domain, 
 MailScanner) and I want setup the
 autoresponder for Postfix.
 
 I followed the instruction on
 http://nefaria.com/project_index/autoresponse/
 
 Now, the autoresponse works in command line mode. I can 
 add/delete/enable/disable autoresponse.
 
 But it failed to let user to create their own autoresponse message via email. 
 When I send an email to
 user+autorespo...@domain.tld, the mail just drop in inbox and no autoresponse 
 setup.
 
 I looked the maillog and I found that the filter override seems not working. 
 The mail doesn't handle over to the
 autoresponder, it always goes to relay=virtual

i do not think it is a good idea these days take the sender-address as
authentication for set a responder - if you can not 100% prevent a
forged email one will set a responder this way followed by a list
of forged senders to get the response

this is a really bad idea

normally such things are done via protected web-interfaces with
a real login and working on the MDA side (dbmail as example
has a simple autoreply sql table for which a webinterface
authenticating against the user-table is written in a few
hours





Re: Autoresponse for Postfix problem

2012-04-13 Thread Tom Hendrikx
On 13-04-12 20:24, J Gao wrote:
 
 We have a Postfix mail server (CentOS 5.7, Postfix, Courier, Virtual
 Domain, MailScanner) and I want setup the autoresponder for Postfix.
 
 I followed the instruction on
 http://nefaria.com/project_index/autoresponse/
 
 I looked the maillog and I found that the filter override seems not
 working. The mail doesn't handle over to the autoresponder, it always
 goes to relay=virtual
 
 Here is the maillog:
 ===
 Apr 13 11:10:51 zeta postfix/smtpd[26079]: 4F5108031:
 client=unknown[24.207.43.101], sasl_method=PLAIN,
 sasl_username=j...@veecall.com

The message arrives from an sasl authenticated client...


 And my master.cf:
 ==
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #   (yes)   (yes)   (yes)   (never) (100)
 #
 ==
 smtp  inet  n   -   n   -   -   smtpd
    -o content_filter=autoresponder:dummy
 submission inet n   -   n   -   -   smtpd
 #  -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Only submission seems to have sasl enabled, which you are using.
But you seem to have the autoresponder only on the smtpd interface, not
on the submission interface.


Kind regards,
Tom


Re: Autoresponse for Postfix problem

2012-04-13 Thread J Gao

On 12-04-13 11:31 AM, Reindl Harald wrote:


On 13.04.2012 20:24, J Gao wrote:

Hello,

We have a Postfix mail server (CentOS 5.7, Postfix, Courier, Virtual Domain, 
MailScanner) and I want setup the
autoresponder for Postfix.

I followed the instruction on
http://nefaria.com/project_index/autoresponse/

Now, the autoresponse works in command line mode. I can 
add/delete/enable/disable autoresponse.

But it failed to let user to create their own autoresponse message via email. 
When I send an email to
user+autorespo...@domain.tld, the mail just drop in inbox and no autoresponse 
setup.

I looked the maillog and I found that the filter override seems not working. 
The mail doesn't handle over to the
autoresponder, it always goes to relay=virtual

i do not think it is a good idea these days take the sender-address as
authentication for set a responder - if you can not 100% prevent a
forged email one will set a responder this way followed by a list
of forged senders to get the response

this is a really bad idea

normally such things are done via protected web-interfaces with
a real login and working on the MDA side (dbmail as example
has a simple autoreply sql table for which a webinterface
authenticating against the user-table is written in a few
hours

Our mail server uses SASL authentication against all SMTP relay. And this 
server is in production so any major changes are not that easy, at least 
for me.


Jian

--



Re: Autoresponse for Postfix problem

2012-04-13 Thread J Gao

On 12-04-13 11:35 AM, Tom Hendrikx wrote:

On 13-04-12 20:24, J Gao wrote:

We have a Postfix mail server (CentOS 5.7, Postfix, Courier, Virtual
Domain, MailScanner) and I want setup the autoresponder for Postfix.

I followed the instruction on
http://nefaria.com/project_index/autoresponse/

I looked the maillog and I found that the filter override seems not
working. The mail doesn't handle over to the autoresponder, it always
goes to relay=virtual

Here is the maillog:
===
Apr 13 11:10:51 zeta postfix/smtpd[26079]: 4F5108031:
client=unknown[24.207.43.101], sasl_method=PLAIN,
sasl_username=j...@veecall.com

The message arrives from an sasl authenticated client...

Yes, this is required by the autoresponse perl script.
From: http://nefaria.com/project_index/autoresponse/
For security reasons, SASL authentication is required in order to 
configure autoresponses via e-mail





And my master.cf:
==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
#
==
smtp  inet  n   -   n   -   -   smtpd
   -o content_filter=autoresponder:dummy
submission inet n   -   n   -   -   smtpd
#  -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Only submission seems to have sasl enabled, which you are using.
But you seem to have the autoresponder only on the smtpd interface, not
on the submission interface.


Kind regards,
Tom

Sorry I am still learning Postfix. So do you mean I should add the 
filter to submission as well?


smtp  inet  n   -   n   -   -   smtpd
   -o content_filter=autoresponder:dummy
submission inet n   -   n   -   -   smtpd
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o content_filter=autoresponder:dummy




--



Re: Autoresponse for Postfix problem

2012-04-13 Thread Reindl Harald


On 13.04.2012 20:38, J Gao wrote:
 On 12-04-13 11:31 AM, Reindl Harald wrote:

 On 13.04.2012 20:24, J Gao wrote:
 Hello,

 We have a Postfix mail server (CentOS 5.7, Postfix, Courier, Virtual 
 Domain, MailScanner) and I want setup the
 autoresponder for Postfix.

 I followed the instruction on
 http://nefaria.com/project_index/autoresponse/

 Now, the autoresponse works in command line mode. I can 
 add/delete/enable/disable autoresponse.

 But it failed to let user to create their own autoresponse message via 
 email. When I send an email to
 user+autorespo...@domain.tld, the mail just drop in inbox and no 
 autoresponse setup.

 I looked the maillog and I found that the filter override seems not 
 working. The mail doesn't handle over to the
 autoresponder, it always goes to relay=virtual
 i do not think it is a good idea these days take the sender-address as
 authentication for set a responder - if you can not 100% prevent a
 forged email one will set a responder this way followed by a list
 of forged senders to get the response

 this is a really bad idea

 normally such things are done via protected web-interfaces with
 a real login and working on the MDA side (dbmail as example
 has a simple autoreply sql table for which a webinterface
 authenticating against the user-table is written in a few
 hours

 Our mail server uses SASL authentication against all SMTP relay. And this 
 server is in production so any major
 changes are not that easy, at least for me.

SASL does not protect you against forged messages from foreign
servers / clients reclaiming they are originating from yourself

 Sorry I am still learning Postfix

this makes it even much more dangerous

if i were you i would hire someone who is able to develop a
webinterface with a real login and set what responder ever
is used via cron / database but never this way










Re: Autoresponse for Postfix problem

2012-04-13 Thread Tom Hendrikx
On 13-04-12 20:47, J Gao wrote:
 On 12-04-13 11:35 AM, Tom Hendrikx wrote:
 On 13-04-12 20:24, J Gao wrote:
 We have a Postfix mail server (CentOS 5.7, Postfix, Courier, Virtual
 Domain, MailScanner) and I want setup the autoresponder for Postfix.

 I followed the instruction on
 http://nefaria.com/project_index/autoresponse/

 I looked the maillog and I found that the filter override seems not
 working. The mail doesn't handle over to the autoresponder, it always
 goes to relay=virtual

 Here is the maillog:
 ===
 Apr 13 11:10:51 zeta postfix/smtpd[26079]: 4F5108031:
 client=unknown[24.207.43.101], sasl_method=PLAIN,
 sasl_username=j...@veecall.com
 The message arrives from an sasl authenticated client...
 Yes, this is required by the autoresponse perl script.
 From: http://nefaria.com/project_index/autoresponse/
 For security reasons, SASL authentication is required in order to
 configure autoresponses via e-mail
 

 And my master.cf:
 ==
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #   (yes)   (yes)   (yes)   (never) (100)
 #
 ==
 smtp  inet  n   -   n   -   -   smtpd
    -o content_filter=autoresponder:dummy
 submission inet n   -   n   -   -   smtpd
 #  -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 Only submission seems to have sasl enabled, which you are using.
 But you seem to have the autoresponder only on the smtpd interface, not
 on the submission interface.

 Sorry I am still learning Postfix. So do you mean I should add the
 filter to submission as well?
 
 smtp  inet  n   -   n   -   -   smtpd
    -o content_filter=autoresponder:dummy
 submission inet n   -   n   -   -   smtpd
 #  -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=autoresponder:dummy
 

If SASL is required, you should not add it to the smtp line since that
does not support sasl (depends on your main.cf which you did not show)
but only to submission.

Note that Reindl's point is true: anyone with a valid sasl account would
be able to activate an autoresponder for any other user. If a web gui is
the right solution depends on your use case, but issues will arise
without more restrictions.

As autoresponder seems to require the envelope_sender to be the same as
the one you're configuring autoresponder for, this might be a nice job
for reject_sender_login_mismatch. See
http://www.postfix.org/SASL_README.html#server_sasl_authz

--
Tom
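
An added example, not part of the thread or of the autoresponse project: a maillog audit that correlates entries by queue ID (following MailScanner "Requeue" lines like the one in the posted log) and flags mail to an autoresponder control address that arrived without a SASL login, or whose login or envelope sender is not the mailbox being configured. The tag value `+autoresponse`, the example.com addresses and the rule that the SASL login name equals the mailbox address are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix/MailScanner maillog format (not from the thread).
SAMPLE_LOG = """\
Apr 13 11:10:51 mx postfix/smtpd[101]: AAA111: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 13 11:10:51 mx postfix/qmgr[55]: AAA111: from=<alice@example.com>, size=1095, nrcpt=1 (queue active)
Apr 13 11:10:52 mx postfix/pipe[77]: AAA111: to=<alice+autoresponse@example.com>, relay=autoresponder, status=sent
Apr 13 11:12:03 mx postfix/smtpd[102]: BBB222: client=unknown[192.0.2.20], sasl_method=PLAIN, sasl_username=mallory@example.com
Apr 13 11:12:03 mx postfix/qmgr[55]: BBB222: from=<bob@example.com>, size=900, nrcpt=1 (queue active)
Apr 13 11:12:04 mx postfix/pipe[77]: BBB222: to=<bob+autoresponse@example.com>, relay=autoresponder, status=sent
Apr 13 11:15:40 mx postfix/smtpd[103]: CCC333: client=mail.example.net[198.51.100.7]
Apr 13 11:15:41 mx MailScanner[900]: Requeue: CCC333.A1B2C to EEE555
Apr 13 11:15:41 mx postfix/qmgr[55]: EEE555: from=<carol@example.com>, size=800, nrcpt=1 (queue active)
Apr 13 11:15:42 mx postfix/pipe[77]: EEE555: to=<carol+autoresponse@example.com>, relay=autoresponder, status=sent
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
REQUEUE = re.compile(r"MailScanner\[\d+\]: Requeue: ([0-9A-F]+)\.\w+ to ([0-9A-F]+)")

def audit(log_text, control_tag="+autoresponse"):  # tag value is an assumption
    """Return {queue_id: reason} for control-address mail without a matching SASL login."""
    msgs = defaultdict(lambda: {"sasl": None, "from": None, "to": []})
    alias = {}  # requeued ID -> ID under which smtpd logged the client
    for line in log_text.splitlines():
        r = REQUEUE.search(line)
        if r:
            alias[r.group(2)] = alias.get(r.group(1), r.group(1))
            continue
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs[alias.get(qid, qid)]
        if daemon == "smtpd" and rest.startswith("client="):
            s = re.search(r"sasl_username=([^,\s]+)", rest)
            rec["sasl"] = s.group(1).lower() if s else None
        elif rest.startswith("from=<"):
            rec["from"] = rest[6:rest.index(">")].lower()
        elif rest.startswith("to=<"):
            rec["to"].append(rest[4:rest.index(">")].lower())
    findings = {}
    for qid, rec in msgs.items():
        for rcpt in rec["to"]:
            local, _, domain = rcpt.partition("@")
            if not local.endswith(control_tag):
                continue
            owner = local[: -len(control_tag)] + "@" + domain
            # Assumption: the SASL login name is the mailbox address itself.
            if rec["sasl"] is None:
                findings[qid] = "no SASL login"
            elif rec["sasl"] != owner or rec["from"] != owner:
                findings[qid] = "login/sender does not own " + owner
    return findings
```

Findings are keyed by the queue ID under which smtpd first logged the client, so a requeued message is reported once.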