Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Am 18.01.2016 um 23:21 schrieb bi...@sent.at: > So now when I send email with the test string in it it gets rejected, I get > this in the reject message > >: host mx.example.com[###.###.###.###] > said: 550 5.7.1 id=04518-01 - Rejected by next-hop MTA on relaying, > from > MTA(smtp:[127.0.0.1]:50100): 550 5.7.1 554 5.7.1 Message not allowed > (in reply to end of DATA command) > > where > > smtp:[127.0.0.1]:50100 > > is what catches the return from before-queue Amavisd. > > So it's rejecting it now! Thanks a bunch :-) > > One thing, that reject message has the IP/Port (smtp:[127.0.0.1]:50100) of > the next-hop MTA in it. > > Can I quiet that message down somewhere to NOT include that info? Just > include the REJECT, but not the IP/Port, maybe referring to it by its > 'syslog_name' or something like that? My reject messages are also containing this information. As this interfaces aren't accessible from outside, it doesn't bother me much. As i understand, amavis is putting the "from MTA(smtp [127.0.0.1]:50100)" into the reject message. I assume, postfix can't filter this message out, because it's all happening during the smtp dialog, while getting the mail from sending outside server. You will have to rewrite amavis, to get this stopped. Willi
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Hi Wilfried > As i understand, amavis is putting the "from MTA(smtp > [127.0.0.1]:50100)" into the reject message. I assume, postfix can't > filter this message out, because it's all happening during the smtp > dialog, while getting the mail from sending outside server. You will > have to rewrite amavis, to get this stopped. I didn't think of that coming from Amavis. Makes sense now you mention it. A little digging points to this amavisd-new: Customizable Reject Message https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281752 Looks like it's in there already! Thanks, Billy
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Save the message to a file. And test like this: % postmap -q - pcre:/etc/postfix/body_checks.pcre So does this. cat << EOF > /tmp/testfile TEST BAD CONTENT EOF postmap -q - pcre:/etc/postfix/body_checks.pcre You could use the message file from your imap server or look at the raw message in your mail program and save that to a file... Thanks, Billy Christian
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
On 1/18/2016 3:28 PM, bi...@sent.at wrote: > Hi Wietse > > On Mon, Jan 18, 2016, at 01:20 PM, Wietse Venema wrote: >> bi...@sent.at: >>> postconf -n | grep body_checks >>> body_checks = /etc/postfix/body_checks.pcre >> >> That's your problem. You have SPACE before body_checks. > > No sorry . That's just me. I indented output 'vs' input like I always do > for post readability. > Curious... output of your grep command above doesn't show the pcre: map type. > It's literally/unchanged > > $ postconf -n body_checks > body_checks = pcre:/etc/postfix/body_checks.pcre but here it does show. Maybe binary data in main.cf gumming up the works? Or just a really bad job of cut/paste? Also, one of the most common reasons for body/header checks not matching is due to the message being base64 or quoted-printable encoded. You'll need to examine the raw mail message with vi on your imap server store to see what's really in there. -- Noel Jones
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
* bi...@sent.at: > Hi Patrick > > Thanks for the reply. > > > To clarify: postscreen never sees a message body. It probes the client IP > > and > > fakes a few SMTP commands, but that's it. > > Ok, took me a couple of rereads, but it's not postscreen doing the check. > It's that postscreen is "part 1" of several checks. > > > The right [tm] method would be to use the postconf utility and let it return > > the parameter setting: > > > > % postconf -n body_checks > > > > If it does not return anything chances are you mistyped the parameter or > > something similiar. (That's make makes postconf better than grep). > > Ok got that. Still looks good. > > postconf -n body_checks > body_checks = pcre:/etc/postfix/body_checks.pcre > > > Save the message to a file. And test like this: > > > > % postmap -q - pcre:/etc/postfix/body_checks.pcre > So does this. > > cat << EOF > /tmp/testfile > TEST BAD CONTENT > EOF > postmap -q - pcre:/etc/postfix/body_checks.pcre TEST BAD CONTENT REJECT 554 5.7.1 Message not allowed You are proving a test with a probe that isn't in question. Test with the message that failed the test. If your Postfix config is correct, then the answer lies within the message you sent. And while you're at it: Please send complete output of 'postconf -n' so we can get a complete picture. ;) p@rick -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Hi Patrick Thanks for the reply. > To clarify: postscreen never sees a message body. It probes the client IP and > fakes a few SMTP commands, but that's it. Ok, took me a couple of rereads, but it's not postscreen doing the check. It's that postscreen is "part 1" of several checks. > The right [tm] method would be to use the postconf utility and let it return > the parameter setting: > > % postconf -n body_checks > > If it does not return anything chances are you mistyped the parameter or > something similiar. (That's make makes postconf better than grep). Ok got that. Still looks good. postconf -n body_checks body_checks = pcre:/etc/postfix/body_checks.pcre > Save the message to a file. And test like this: > > % postmap -q - pcre:/etc/postfix/body_checks.pcre /tmp/testfile TEST BAD CONTENT EOF postmap -q - pcre:/etc/postfix/body_checks.pcre
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Hi Noel > Or just a really bad job of cut/paste? Damn. Here I am trying to keep things all tidy-like and f'ing it all up with cp-n-paste. Sorry. Typo. Without any monkeying by me, postconf -n body_checks body_checks = pcre:/etc/postfix/body_checks.pcre postconf -n | grep body_checks body_checks = pcre:/etc/postfix/body_checks.pcre > Also, one of the most common reasons for body/header checks not > matching is due to the message being base64 or quoted-printable > encoded. You'll need to examine the raw mail message with vi on > your imap server store to see what's really in there. Yeah thought about that. No weird encoding. And testing the message sent and the message received with the "postmap -q" both work. Thanks, Billy
body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Hi I'm building my 1st Postfix server and working on getting Postscreen setup. I RTFM here http://www.postfix.org/POSTSCREEN_README.html Where it says The third layer performs light-weight content inspection with the Postfix built-in header_checks and body_checks. This can block unacceptable attachments such as executable programs, and worms or viruses with easy-to-recognize signatures. So in my main.cf I added body_checks = /etc/postfix/body_checks.pcre Checked that it's in there postconf -n | grep body_checks body_checks = /etc/postfix/body_checks.pcre and edited /etc/postfix/body_checks.pcre /TEST BAD CONTENT/ REJECT 554 5.7.1 Message not allowed Then I test it with postmap -q "TEST BAD CONTENT" pcre:/etc/postfix/body_checks.pcre REJECT 554 5.7.1 [P5] Message not allowed So it looks ok to me. But then I send myself a test message from gmail, making sure the text "TEST BAD CONTENT" is in the body. And it passes right through :-( I'm not sure what to look at as to why or how it's getting through. Just coming up to speed on how to debug stuff. I'd appreciate a hand. Thanks, Billy
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Re-looking at my config, I set up Postfix to 1) receive via postfix 2) hand off what passes postscreen and the body_checks to amavis So I have master.cf [mx.example.com]:25 inet n - n - 1 postscreen -o smtpd_service_name=ps-int ps-int pass - - n - - smtpd -o receive_override_options=no_address_mappings -o smtpd_authorized_xforward_hosts=127.0.0.0/8 -o smtpd_client_connection_count_limit=20 -o smtpd_proxy_filter=127.0.0.1:5 -o smtpd_proxy_options=speed_adjust -o smtpd_proxy_timeout=300s -o syslog_name=postfix/ps-int .. Which then hands-off to amavisd listening on 127.0.0.1:5 Like I said above, and verified with postconf, main.cf .. body_checks=pcre:/etc/postfix/body_checks.pcre .. IIUC the 'ps-int' smtpd instance should be using body_checks from main.cf. So this should work, right? Unless ... the body_checks doesn't happen soon enough? And it gets passed to Amavisd *before* ever hitting that check? Do I need some kind of a separate additional smtpd instance in there to pass to FROM ps-int BEFORE passing to the Amavisd filter? Thanks, Billy
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
* bi...@sent.at: > Hi > > I'm building my 1st Postfix server and working on getting Postscreen setup. > > I RTFM here > > http://www.postfix.org/POSTSCREEN_README.html > > Where it says > > The third layer performs light-weight content inspection with the Postfix > built-in header_checks and body_checks. This can block unacceptable > attachments such as > executable programs, and worms or viruses with easy-to-recognize signatures. To clarify: postscreen never sees a message body. It probes the client IP and fakes a few SMTP commands, but that's it. However your content test should work. > So in my main.cf I added > > body_checks = /etc/postfix/body_checks.pcre > > Checked that it's in there > > postconf -n | grep body_checks > body_checks = /etc/postfix/body_checks.pcre The right [tm] method would be to use the postconf utility and let it return the parameter setting: % postconf -n body_checks If it does not return anything chances are you mistyped the parameter or something similiar. (That's make makes postconf better than grep). > and edited > > /etc/postfix/body_checks.pcre > /TEST BAD CONTENT/ REJECT 554 5.7.1 Message not allowed > > Then I test it with > > postmap -q "TEST BAD CONTENT" pcre:/etc/postfix/body_checks.pcre > REJECT 554 5.7.1 [P5] Message not allowed > > So it looks ok to me. > > But then I send myself a test message from gmail, making sure the text "TEST > BAD CONTENT" is in the body. > > And it passes right through :-( Save the message to a file. And test like this: % postmap -q - pcre:/etc/postfix/body_checks.pcre https://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
bi...@sent.at: > postconf -n | grep body_checks > body_checks = /etc/postfix/body_checks.pcre That's your problem. You have SPACE before body_checks. Wietse
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Hi Wietse On Mon, Jan 18, 2016, at 01:20 PM, Wietse Venema wrote: > bi...@sent.at: > > postconf -n | grep body_checks > > body_checks = /etc/postfix/body_checks.pcre > > That's your problem. You have SPACE before body_checks. No sorry . That's just me. I indented output 'vs' input like I always do for post readability. It's literally/unchanged $ postconf -n body_checks body_checks = pcre:/etc/postfix/body_checks.pcre here. Thanks, Billy
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Hi, seems you are using amavis in before-queue mode?. As i remember, a proxy-smtpd, doesn't do any header- and body-checks The more interresting master.cf lines are the ones who get the mail from amavis. Do you have somthing like -o receive_override_options=no_header_body_checks or -o body_checks= there ? Am 18.01.2016 um 22:34 schrieb bi...@sent.at: > Re-looking at my config, I set up Postfix to > > 1) receive via postfix > 2) hand off what passes postscreen and the body_checks to amavis > > So I have > > master.cf > > [mx.example.com]:25 inet n - n - 1 postscreen > -o smtpd_service_name=ps-int > > ps-int pass - - n - - smtpd > -o receive_override_options=no_address_mappings > -o smtpd_authorized_xforward_hosts=127.0.0.0/8 > -o smtpd_client_connection_count_limit=20 > -o smtpd_proxy_filter=127.0.0.1:5 > -o smtpd_proxy_options=speed_adjust > -o smtpd_proxy_timeout=300s > -o syslog_name=postfix/ps-int > >.. > > > Which then hands-off to amavisd listening on 127.0.0.1:5 > > Like I said above, and verified with postconf, > > main.cf >.. >body_checks=pcre:/etc/postfix/body_checks.pcre >.. > > IIUC the 'ps-int' smtpd instance should be using body_checks from main.cf. > > So this should work, right? > > Unless ... the body_checks doesn't happen soon enough? And it gets passed to > Amavisd *before* ever hitting that check? > > Do I need some kind of a separate additional smtpd instance in there to pass > to FROM ps-int BEFORE passing to the Amavisd filter? > > Thanks, > > Billy >
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
Hi Wilfried > seems you are using amavis in before-queue mode? Yep, at this first step it's before-queue > As i remember, a proxy-smtpd, doesn't do any header- and body-checks Ok, so I must have missed that :-/ I don't yet grok all the details of before-VS-after queuing. WOrkinf on that - it's pretty thick stuff. > The more interresting master.cf lines are the ones who get the mail from > amavis. Do you have somthing like > -o receive_override_options=no_header_body_checks Yep, I had -o receive_override_options=...,no_header_body_checks on the next hop that received back from the 1st-step before-queue Amavisd So changing that - -o receive_override_options=...,no_header_body_checks + -o receive_override_options=... Then figuring out that 'postfix reload' isn't enough and that I had to restart postfix, it works! So now when I send email with the test string in it it gets rejected, I get this in the reject message: host mx.example.com[###.###.###.###] said: 550 5.7.1 id=04518-01 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:50100): 550 5.7.1 554 5.7.1 Message not allowed (in reply to end of DATA command) where smtp:[127.0.0.1]:50100 is what catches the return from before-queue Amavisd. So it's rejecting it now! Thanks a bunch :-) One thing, that reject message has the IP/Port (smtp:[127.0.0.1]:50100) of the next-hop MTA in it. Can I quiet that message down somewhere to NOT include that info? Just include the REJECT, but not the IP/Port, maybe referring to it by its 'syslog_name' or something like that? Thanks, Billy
Re: postscreen test
Zitat von Victor Duchovni victor.ducho...@morganstanley.com: On Thu, Jul 16, 2009 at 05:21:13PM -0400, Rob Foehl wrote: Possible substitutes include concierge or valet, or perhaps any of the less specific guard, sentry, sentinel, ... I think sentry is short, and simple, and can even be thought of as a contraction of smtp and entry. A bit less corny than prefix IMHO (sorry Patrick, nothing personal). I too would prefare something you can easy search for. The word prefix would be to broad in use IMHO. Regards Andreas
Re: postscreen test
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/16/09 16:19, Terry Carmen wrote: prefix? It fixes things before they become a problem... Great name! I like it! +1 - -- Victoriano Giralt Systems Manager Central ICT Services University of Malaga SPAIN -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Remi - http://enigmail.mozdev.org/ iD8DBQFKYDjYV6+mDjj1PTgRAq3CAJoCIDs2nNzccgdUXjt/A8zd06r92ACeLIEz vmInQK7KHjWXF3XUfcND6yQ= =llzT -END PGP SIGNATURE-
Re: postscreen test
Victor Duchovni: On Thu, Jul 16, 2009 at 05:21:13PM -0400, Rob Foehl wrote: Possible substitutes include concierge or valet, or perhaps any of the less specific guard, sentry, sentinel, ... I think sentry is short, and simple, and can even be thought of as a contraction of smtp and entry. A bit less corny than prefix IMHO (sorry Patrick, nothing personal). sentry is good. In a similar class is triage, which I mention in the postscreen manpage at http://www.postfix.org/postscreen.8.html Wietse
Re: postscreen test
Reko Turja: Another figure from Greek mythology that has lent his hame to even a special drinks cabinet: Tantalus The mail server is there, you can even see it, but when you try to reach it it becomes unaccessible. That is almost too good; it could a name for a complete product. Wietse
Re: postscreen test
Wietse Venema schrieb: Victor Duchovni: On Thu, Jul 16, 2009 at 05:21:13PM -0400, Rob Foehl wrote: Possible substitutes include concierge or valet, or perhaps any of the less specific guard, sentry, sentinel, ... I think sentry is short, and simple, and can even be thought of as a contraction of smtp and entry. A bit less corny than prefix IMHO (sorry Patrick, nothing personal). sentry is good. In a similar class is triage, which I mention in the postscreen manpage at http://www.postfix.org/postscreen.8.html Wietse sentry is used by lots of other things http://en.wikipedia.org/wiki/Sentry -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: postscreen test
Reko Turja schrieb: Another figure from Greek mythology that has lent his hame to even a special drinks cabinet: Tantalus The mail server is there, you can even see it, but when you try to reach it it becomes unaccessible. -Reko why not orcus *g http://en.wikipedia.org/wiki/Orcus -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: postscreen test
* Wietse Venema postfix-users@postfix.org: Victor Duchovni: On Thu, Jul 16, 2009 at 05:21:13PM -0400, Rob Foehl wrote: Possible substitutes include concierge or valet, or perhaps any of the less specific guard, sentry, sentinel, ... I think sentry is short, and simple, and can even be thought of as a contraction of smtp and entry. A bit less corny than prefix IMHO (sorry Patrick, nothing personal). sentry is good. In a similar class is triage, which I mention in the postscreen manpage at http://www.postfix.org/postscreen.8.html Two more names: refuse drop(down) I am very much in favor of greek or latin mythology, but I think prefix and both words above are more in the tradition of describing what the program does e.g. pickup, cleanup, tlsmgr etc. which I actually like very much about Postfix naming convention. p...@rick -- The Book of Postfix http://www.postfix-book.com saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: postscreen test
Winnow from winnowing.
Re: postscreen test
Patrick Ben Koetter wrote: * Wietse Venema postfix-users@postfix.org: Victor Duchovni: On Thu, Jul 16, 2009 at 05:21:13PM -0400, Rob Foehl wrote: Possible substitutes include concierge or valet, or perhaps any of the less specific guard, sentry, sentinel, ... I think sentry is short, and simple, and can even be thought of as a contraction of smtp and entry. A bit less corny than prefix IMHO (sorry Patrick, nothing personal). sentry is good. In a similar class is triage, which I mention in the postscreen manpage at http://www.postfix.org/postscreen.8.html Two more names: refuse drop(down) I am very much in favor of greek or latin mythology, but I think prefix and both words above are more in the tradition of describing what the program does e.g. pickup, cleanup, tlsmgr etc. which I actually like very much about Postfix naming convention. screener, then. Oh, wait ... but then, there is also anvil J.L.
Re: postscreen test
Ralf Hildebrandt wrote: * Noel Jones njo...@megan.vbhcs.org: corona Corona, St.George, what's it with the beer names? Corona - outer atmosphere of a star I can't help it if someone named a beer that too. Makes more sense for our purpose, I'll give them a call. I like sentry too. -- Noel Jones
Re: postscreen test
On 17 Jul 2009, at 13:50, Noel Jones wrote: I like sentry too. Along that theme: doorman? bouncer? examiner? customs? patrol? G. -- Expounding the theory of infinite Abelian Badgers http://playr.co.uk/
Re: postscreen test
* Noel Jones njo...@megan.vbhcs.org: Ralf Hildebrandt wrote: * Noel Jones njo...@megan.vbhcs.org: corona Corona, St.George, what's it with the beer names? Corona - outer atmosphere of a star Latin for Crown -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
RE: postscreen test
I like turpis http://en.wiktionary.org/wiki/turpis Latin [edit] Adjective turpis m. and f., turpe n.; third declension 1. ugly, unsightly; foul, filthy 2. (of sound) cacophonous, disagreeable 3. (figuratively) base, infamous, scandalous, dishonorable, shameful, disgraceful Or modified as postturpis Michael Goodman Senior System Administrator - Email: mgood...@constantcontact.com Phone: 781-370-8632 Mobile: 617-232-3121 -
Re: postscreen test
Ralf Hildebrandt: * Noel Jones njo...@megan.vbhcs.org: Ralf Hildebrandt wrote: * Noel Jones njo...@megan.vbhcs.org: corona Corona, St.George, what's it with the beer names? Corona - outer atmosphere of a star Latin for Crown Good names I have seen sofar that suggest what the program does: sentry (the guard at the gate) and triage (the action of deciding which patients to service). Wietse
Re: postscreen test
Wietse Venema wrote: Ralf Hildebrandt: * Noel Jones njo...@megan.vbhcs.org: Ralf Hildebrandt wrote: * Noel Jones njo...@megan.vbhcs.org: corona Corona, St.George, what's it with the beer names? Corona - outer atmosphere of a star Latin for Crown Good names I have seen sofar that suggest what the program does: sentry (the guard at the gate) and triage (the action of deciding which patients to service). How about sentinel –noun 1. a person or thing that watches or stands as if watching. 2. a soldier stationed as a guard to challenge all comers and prevent a surprise attack: to stand sentinel. 3. Also called tag. Computers. a symbol, mark, or other labeling device indicating the beginning or end of a unit of information. –verb (used with object) 4. to watch over or guard as a sentinel. Bill
Re: postscreen test
On 17 Jul 2009, at 15:02, Wietse Venema wrote: Good names I have seen sofar that suggest what the program does: sentry (the guard at the gate) and triage (the action of deciding which patients to service). St Peter? -- Being drunk is feeling sophisticated without being able to say it. http://www.playr.co.uk/
Re: postscreen test
On Fri, Jul 17, 2009 at 8:02 AM, Wietse Venemawie...@porcupine.org wrote: Ralf Hildebrandt: * Noel Jones njo...@megan.vbhcs.org: Ralf Hildebrandt wrote: * Noel Jones njo...@megan.vbhcs.org: corona Corona, St.George, what's it with the beer names? Corona - outer atmosphere of a star Latin for Crown Good names I have seen sofar that suggest what the program does: sentry (the guard at the gate) and triage (the action of deciding which patients to service). Wietse From the point of view of one who has been easily confused by definitions of terms I want to also join the no to bouncer and I agree with all the reasons others have stated. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106
Re: postscreen test
On Thu, July 16, 2009 7:23 pm, Mike Cappella wrote: On 7/13/09 5:20 PM, Wietse Venema wrote: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. postcull postcullis
Re: postscreen test
On 17 Jul 2009, at 16:29, Michel Lavondes wrote: On Thu, July 16, 2009 7:23 pm, Mike Cappella wrote: On 7/13/09 5:20 PM, Wietse Venema wrote: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. postcull postcullis Sounds a little like an Irish airline or a dubious sexual act? -- Bought to you by the Department of Redundancy Department's Recursion Division of Recursion http://playr.co.uk/
Re: postscreen test
On 17-Jul-2009, at 09:29, Michel Lavondes wrote: On Thu, July 16, 2009 7:23 pm, Mike Cappella wrote: On 7/13/09 5:20 PM, Wietse Venema wrote: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. postcull postcullis Well played. -- You are responsible for your Rose
Re: postscreen test
On 7/16/2009, Wietse Venema (wie...@porcupine.org) wrote: Charon is not too bad. Certainly better than zzapper or zkiller and other ugly names that I did not mention. How about praetorian... -- Best regards, Charles
Re: postscreen test
On 07/17/2009 05:30 AM, José Luis Tallón wrote: Patrick Ben Koetter wrote: * Wietse Venema postfix-users@postfix.org: Victor Duchovni: On Thu, Jul 16, 2009 at 05:21:13PM -0400, Rob Foehl wrote: Possible substitutes include concierge or valet, or perhaps any of the less specific guard, sentry, sentinel, ... I think sentry is short, and simple, and can even be thought of as a contraction of smtp and entry. A bit less corny than prefix IMHO (sorry Patrick, nothing personal). sentry is good. In a similar class is triage, which I mention in the postscreen manpage at http://www.postfix.org/postscreen.8.html Two more names: refuse drop(down) I am very much in favor of greek or latin mythology, but I think prefix and both words above are more in the tradition of describing what the program does e.g. pickup, cleanup, tlsmgr etc. which I actually like very much about Postfix naming convention. screener, then. Oh, wait ... but then, there is also anvil J.L. Anvil is a name I always liked for a Postfix daemon, and I was also thinking that building on that theme would be a good idea. However, I'm not clever enough to come up with an example. Vise was all that I could come up with. -Mike
Re: postscreen test
* Wietse Venema wie...@porcupine.org: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. prefix? It fixes things before they become a problem... p...@rick -- The Book of Postfix http://www.postfix-book.com saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: postscreen test
Patrick Ben Koetter: * Wietse Venema wie...@porcupine.org: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. prefix? It fixes things before they become a problem... Cute. Wietse
RE: postscreen test
I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. prefix? It fixes things before they become a problem... p...@rick So simple yet so good! I like it :-D
Re: postscreen test
* Patrick Ben Koetter p...@state-of-mind.de: * Wietse Venema wie...@porcupine.org: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. prefix? It fixes things before they become a problem... I like that one. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen test
Wietse Venema wrote: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. What about an name like trooper? This is in reference to: a) A police officer with their radar guns catching speeders b) A soldier on the front line of battle
Re: postscreen test
On Thu, Jul 16, 2009 at 02:43:35PM +0200, Patrick Ben Koetter wrote: * Wietse Venema wie...@porcupine.org: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. prefix? It fixes things before they become a problem... Cute, but it does not start with post, and the existing utilities all do, breaking the pattern makes it less obvious which commands are likely to be Postfix utilities... -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: postscreen test
Victor Duchovni: On Thu, Jul 16, 2009 at 02:43:35PM +0200, Patrick Ben Koetter wrote: * Wietse Venema wie...@porcupine.org: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. prefix? It fixes things before they become a problem... Cute, but it does not start with post, and the existing utilities all do, breaking the pattern makes it less obvious which commands are likely to be Postfix utilities... Postfix daemon names don't start with post. The name postscreen is used only because I had to get this up and running in very little time so that I would have some results. Wietse
Re: postscreen test
On Thu, Jul 16, 2009 at 12:19:05PM -0400, Wietse Venema wrote: Victor Duchovni: On Thu, Jul 16, 2009 at 02:43:35PM +0200, Patrick Ben Koetter wrote: * Wietse Venema wie...@porcupine.org: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. prefix? It fixes things before they become a problem... Cute, but it does not start with post, and the existing utilities all do, breaking the pattern makes it less obvious which commands are likely to be Postfix utilities... Postfix daemon names don't start with post. The name postscreen is used only because I had to get this up and running in very little time so that I would have some results. Oops, you are right of course, this lives in the libexec namespace, never mind... -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: postscreen test
On 7/16/2009 11:56 AM, Victor Duchovni wrote: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. prefix? It fixes things before they become a problem... Cute, but it does not start with post, and the existing utilities all do, breaking the pattern makes it less obvious which commands are likely to be Postfix utilities... Ok, so how about 'postfix'? Sorry, couldn't resist... -- Best regards, Charles
Re: postscreen test
On 7/13/09 5:20 PM, Wietse Venema wrote: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. posttriage or if you have issues w/the French: postcull postreject postdiscard --- Mike
Re: postscreen test
On Thu, Jul 16, 2009 at 12:23:39PM -0700, Mike Cappella wrote: On 7/13/09 5:20 PM, Wietse Venema wrote: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. The service is an SMTP bouncer, keeping unwanted clients from entering the premises. We already have a bounce unix service, will having: smtp inet n - n - 1 bouncer ... bounceunix - - n - 0 bounce cause significant confusion? -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: postscreen test
Victor Duchovni: On Thu, Jul 16, 2009 at 12:23:39PM -0700, Mike Cappella wrote: On 7/13/09 5:20 PM, Wietse Venema wrote: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. The service is an SMTP bouncer, keeping unwanted clients from entering the premises. We already have a bounce unix service, will having: smtp inet n - n - 1 bouncer ... bounceunix - - n - 0 bounce cause significant confusion? It's no worse than smtp versus smtpd. If there exists a different name for the agent at the door, then that might work. Alas, cerberus is already in use (by the kerberos authentication system). Wietse
Re: postscreen test
On Thursday, July 16, 2009, 16:01:57, Victor Duchovni wrote: On Thu, Jul 16, 2009 at 12:23:39PM -0700, Mike Cappella wrote: On 7/13/09 5:20 PM, Wietse Venema wrote: I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. The service is an SMTP bouncer, keeping unwanted clients from entering the premises. We already have a bounce unix service, will having: smtp inet n - n - 1 bouncer ... bounceunix - - n - 0 bounce cause significant confusion? Naming it bouncer might reduce the confusion a smidgen and make it slightly easier to search for. -- r...@polylogics.com The avalanche has already started, it is too Rod Dorman late for the pebbles to vote. - Ambassador Kosh
Re: postscreen test
Victor Duchovni wrote: On Thu, Jul 16, 2009 at 02:14:06PM -0700, Mike Cappella wrote: On 7/16/09 1:01 PM, Victor Duchovni wrote: The service is an SMTP bouncer, keeping unwanted clients from entering the premises. We already have a bounce unix service, will having: smtp inet n - n - 1 bouncer ... bounceunix - - n - 0 bounce cause significant confusion? While I like the name, please no. Postfix support lists have had to call attention to smtp v. smtpd enough. I would usually concur, but the bounce service is largely invisible to users, so confusion is far less likely. You may still be right, but it is far less significant than with smtp(8) and smtpd(8). I'm inclined to agree that adding more possible confusion is not a good thing even if it is minimal. What about some variation on a propylaeum (http://en.wikipedia.org/wiki/Propylaea)? A propylaeum is a gateway that sits at the entrance of a sacred enclosure. The most famous one is at the Acropolis. Entering the Acropolis was permitted or denied at the Propylaeum. A literal reading of the Greek would be something like 'that which is before the entrance (or gates)'. Kyle
Re: postscreen test
On Thu, Jul 16, 2009 at 02:14:06PM -0700, Mike Cappella wrote: On 7/16/09 1:01 PM, Victor Duchovni wrote: The service is an SMTP bouncer, keeping unwanted clients from entering the premises. We already have a bounce unix service, will having: smtp inet n - n - 1 bouncer ... bounceunix - - n - 0 bounce cause significant confusion? While I like the name, please no. Postfix support lists have had to call attention to smtp v. smtpd enough. I would usually concur, but the bounce service is largely invisible to users, so confusion is far less likely. You may still be right, but it is far less significant than with smtp(8) and smtpd(8). -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: postscreen test
On Thu, 16 Jul 2009, Wietse Venema wrote: Victor Duchovni: The service is an SMTP bouncer, keeping unwanted clients from entering the premises. We already have a bounce unix service, will having: smtp inet n - n - 1 bouncer ... bounceunix - - n - 0 bounce cause significant confusion? It's no worse than smtp versus smtpd. If there exists a different name for the agent at the door, then that might work. Alas, cerberus is already in use (by the kerberos authentication system). Possible substitutes include concierge or valet, or perhaps any of the less specific guard, sentry, sentinel, ... -Rob
Re: postscreen test
On Thu, Jul 16, 2009 at 05:21:13PM -0400, Rob Foehl wrote: Possible substitutes include concierge or valet, or perhaps any of the less specific guard, sentry, sentinel, ... I think sentry is short, and simple, and can even be thought of as a contraction of smtp and entry. A bit less corny than prefix IMHO (sorry Patrick, nothing personal). -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: postscreen test
On Thu, 16 Jul 2009, Victor Duchovni wrote: On Thu, Jul 16, 2009 at 05:21:13PM -0400, Rob Foehl wrote: Possible substitutes include concierge or valet, or perhaps any of the less specific guard, sentry, sentinel, ... I think sentry is short, and simple, and can even be thought of as a contraction of smtp and entry. A bit less corny than prefix IMHO (sorry Patrick, nothing personal). +1 for sentry. -- Sahil Tandon sa...@tandon.net
Re: postscreen test
Wietse Venema wrote: Jose Luis Tallon: Wietse Venema wrote: [snip] It's no worse than smtp versus smtpd. If there exists a different name for the agent at the door, then that might work. Alas, cerberus is already in use (by the kerberos authentication system). And so are Heimdall (KTH's implementation of Kerberos) as well as Anubis and Horus. Unless you want to use St.Peter, of course --- no offense intended, of course. I briefly looked for alternatives to St. George, the dragon slayer but didn't come up with a sexy name. bouncer would be good if there was not a near name collision. Would zbouncer be different enough? It's a bit long, though. Perhaps, zombo (zombie bouncer)? [Charon] Charon is not too bad. Certainly better than zzapper or zkiller and other ugly names that I did not mention. Wietse From http://en.wikipedia.org/wiki/Oedipus, Continuing his journey to Thebes, Oedipus encounters the Sphinx who would stop all those who traveled to Thebes and ask them a riddle. If the travelers were unable to answer correctly, they were eaten by the Sphinx; if they were successful, they would be able to continue their journey. Short, no collisions, and has an 'x' to supply coolness. I am partial to prefix, though, and agree that bouncer would just confuse people.
Re: postscreen test
* Victor Duchovni victor.ducho...@morganstanley.com: The service is an SMTP bouncer, keeping unwanted clients from entering the premises. We already have a bounce unix service, will having: smtp inet n - n - 1 bouncer ... bounceunix - - n - 0 bounce cause significant confusion? I already see enough confusion with smtp/smtpd -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen test
* Wietse Venema wie...@porcupine.org: It's no worse than smtp versus smtpd. If there exists a different name for the agent at the door, then that might work. Alas, cerberus is already in use (by the kerberos authentication system). And your cerberus is multi-threaded, not multi-headed. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen test
* Victor Duchovni victor.ducho...@morganstanley.com: I think sentry is short, and simple, and can even be thought of as a contraction of smtp and entry. Not too bad. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen test
* Noel Jones njo...@megan.vbhcs.org: corona Corona, St.George, what's it with the beer names? -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen test
* Michael Orlitzky mich...@orlitzky.com: From http://en.wikipedia.org/wiki/Oedipus, Continuing his journey to Thebes, Oedipus encounters the Sphinx who would stop all those who traveled to Thebes and ask them a riddle. If the travelers were unable to answer correctly, they were eaten by the Sphinx; if they were successful, they would be able to continue their journey. Short, no collisions, and has an 'x' to supply coolness. I am partial to prefix, though, and agree that bouncer would just confuse people. But then oedipus is more widely know for what he did with his mother. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen test
Helga Mayer: Hi, I'm testing postscreen on our secondary smtp server. First results: https://rz-static.uni-hohenheim.de/hmayer/tmp/Screenshot-68.png There are hardly anymore rejects. I did not yet adjust mailgraph for the drops. That is an interesting picture. It looks like dropping the pregreeters made your reject rates already go down quite a bit. Of course it is known that spammers prefer to use secondary MX hosts because these hosts often serve many domains and therefore have more permissive settings. This weekend I finally found time to update the non-production release. This version should support no DNS blocklists without panic, and it also has better support for postfix reload. There are still plenty of rough edges. It does not yet remove entries from the btree database so the file needs to be renamed periodically, and it does not yet log the sender/recipient of rejected mail. For that reason alone I don't recommend turning on DNS blocklist lookups except for gathering statistics. I'm still open for program name suggestions. If someone has a better name than swatter or halligan let me know. Once the name changes, all the configuration parameters will change, too. Wietse
postscreen test
Hi, I'm testing postscreen on our secondary smtp server. First results: https://rz-static.uni-hohenheim.de/hmayer/tmp/Screenshot-68.png There are hardly anymore rejects. I did not yet adjust mailgraph for the drops. Statistics: UNIQ/TOTAL EVENT 536/586PASS NEW 97/119HANGUP 808/974PREGREET But I'd prefer not to use DNSBL's by postcreen. It is for the logging. Users occasionally ask for details if mail did not arrive. If I try, I get: Jul 6 10:17:00 smtp2 postfix/postscreen[23670]: PREGREET 34 after 0.52 from 90.148.159.227: HELO 90-148-159-227.saudi.net.sa?? Jul 6 10:17:00 smtp2 postfix/postscreen[23670]: panic: postscreen_dnsbl_done: no blocklist cache entry for 90.148.159.227 in main.cf postscreen_dnsbl_sites = postscreen_greet_action = drop in master.cf smtp inet n - n - 1 postscreen smtpd pass - - n - - smtpd dnsblog unix - - n - 0 dnsblog I also tried to comment dnsblog - same problem: # dnsblog unix - - n - 0 dnsblog Jul 6 10:25:14 smtp2 postfix/postscreen[24577]: PREGREET 47 after 0.49 from 123.219.54.120: HELO p5120-ipbfp402kobeminato.hyogo.ocn.ne.jp?? Jul 6 10:25:14 smtp2 postfix/postscreen[24577]: panic: postscreen_dnsbl_done: no blocklist cache entry for 123.219.54.120 Jul 6 10:25:15 smtp2 postfix/master[24571]: warning: process /usr/libexec/postfix/postscreen pid 24577 killed by signal 6 What am I doing wrong ? Regards Helga Mayer
Re: postscreen test
On Mon, Jul 06, 2009 at 10:37:01AM +0200, Helga Mayer wrote: But I'd prefer not to use DNSBL's by postcreen. It is for the logging. More detailed logging is on the roadmap... Users occasionally ask for details if mail did not arrive. If I try, I get: Jul 6 10:17:00 smtp2 postfix/postscreen[23670]: PREGREET 34 after 0.52 from 90.148.159.227: HELO 90-148-159-227.saudi.net.sa?? Jul 6 10:17:00 smtp2 postfix/postscreen[23670]: panic: postscreen_dnsbl_done: no blocklist cache entry for 90.148.159.227 What am I doing wrong ? panic is an internal error in the code. This is non-production code. Which version (mail_version mail_release_date) are you using? -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: postscreen test
Quoting Victor Duchovni victor.ducho...@morganstanley.com: On Mon, Jul 06, 2009 at 10:37:01AM +0200, Helga Mayer wrote: But I'd prefer not to use DNSBL's by postcreen. It is for the logging. More detailed logging is on the roadmap... Users occasionally ask for details if mail did not arrive. It's not only the logging. We're currently using blacklists after greylisting and after other restrictions to avoid unnecessary queries. To check the blacklists with postscreen in my opinion would increase the net traffic and the load on the servers running blacklists. reject_non_fqdn_hostname e.g. amounts to 30% of all rejects. If I try, I get: Jul 6 10:17:00 smtp2 postfix/postscreen[23670]: PREGREET 34 after 0.52 from 90.148.159.227: HELO 90-148-159-227.saudi.net.sa?? Jul 6 10:17:00 smtp2 postfix/postscreen[23670]: panic: postscreen_dnsbl_done: no blocklist cache entry for 90.148.159.227 What am I doing wrong ? panic is an internal error in the code. This is non-production code. If it is a bug and not a feature I can live with it. Which version (mail_version mail_release_date) are you using? mail_version = 2.7-20090619-nonprod Helga -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: postscreen test
Helga Mayer: Hi, I'm testing postscreen on our secondary smtp server. This is non-production, unsupported, software, that is available only in postfix-2.7-xx-nonprod releases. Wietse First results: https://rz-static.uni-hohenheim.de/hmayer/tmp/Screenshot-68.png There are hardly anymore rejects. I did not yet adjust mailgraph for the drops. Statistics: UNIQ/TOTAL EVENT 536/586PASS NEW 97/119HANGUP 808/974PREGREET But I'd prefer not to use DNSBL's by postcreen. It is for the logging. Users occasionally ask for details if mail did not arrive. If I try, I get: Jul 6 10:17:00 smtp2 postfix/postscreen[23670]: PREGREET 34 after 0.52 from 90.148.159.227: HELO 90-148-159-227.saudi.net.sa?? Jul 6 10:17:00 smtp2 postfix/postscreen[23670]: panic: postscreen_dnsbl_done: no blocklist cache entry for 90.148.159.227 in main.cf postscreen_dnsbl_sites = postscreen_greet_action = drop in master.cf smtp inet n - n - 1 postscreen smtpd pass - - n - - smtpd dnsblog unix - - n - 0 dnsblog I also tried to comment dnsblog - same problem: # dnsblog unix - - n - 0 dnsblog Jul 6 10:25:14 smtp2 postfix/postscreen[24577]: PREGREET 47 after 0.49 from 123.219.54.120: HELO p5120-ipbfp402kobeminato.hyogo.ocn.ne.jp?? Jul 6 10:25:14 smtp2 postfix/postscreen[24577]: panic: postscreen_dnsbl_done: no blocklist cache entry for 123.219.54.120 Jul 6 10:25:15 smtp2 postfix/master[24571]: warning: process /usr/libexec/postfix/postscreen pid 24577 killed by signal 6 What am I doing wrong ? Regards Helga Mayer