SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!
Are those really standalone emails with
I created a test VPS (outside my infrastructure) and installed everything for
python3 for testing
root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain gmail.com piot...@mydomain.ltd
Don't use a sender-domain you don't have control over. The default
should be good enough for basic smuggling
People are welcome to test tools against postfix-3.9-20240106.
I could test against a 3.7.9 codebase if you posted a patch for it.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to
If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
I will assemble a pcap and some logs when I'm back home.
> In other words, I need to see proof in the form of a PCAP file and
> NON-VERBOSE logging, or it did not happen.
smuggling for the `\r\n.\n` case.
Sorry, that was a bad copypaste, I meant '\r\n.\r'.
The test tool [1] revealed that my 3.7.9 Postfix using `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to close that one as well.
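The disagreement the scanner exploits is about what counts as the end of DATA. The following is an added example (not from the thread, not from the scanner tool, not Postfix code) that models two SMTP receivers over the same constructed byte stream: a strict one that ends lines only at CRLF, so the only end-of-data marker is `\r\n.\r\n`, and a lenient one that also accepts a bare LF or CR, so `\r\n.\n`, `\r.\r\n`, `\r.\r` and friends end the DATA phase early and the bytes that follow are executed as MAIL FROM / RCPT TO / DATA. Addresses, subjects and the payload bytes are constructed for the demonstration.

```python
import re

# A strict RFC 5321 receiver ends lines only at CRLF. A lenient receiver also
# accepts a bare LF or a bare CR, which is what turns sequences such as
# \r\n.\n, \r.\r\n or \r.\r into "fake" end-of-data markers.
STRICT_EOL = re.compile(rb"\r\n")
LENIENT_EOL = re.compile(rb"\r\n|\r|\n")


def split_lines(stream, eol):
    """Yield (line, terminated) pairs; a trailing unterminated line is
    yielded with terminated=False."""
    pos = 0
    while pos < len(stream):
        m = eol.search(stream, pos)
        if m is None:
            yield stream[pos:], False
            return
        yield stream[pos:m.start()], True
        pos = m.end()


def receive(stream, lenient=False):
    """Simulate an SMTP receiver from the first MAIL FROM onward (the
    connection and EHLO are omitted). Returns the accepted messages as
    (mail_from, [rcpt_to, ...], body) tuples.

    A strict receiver sees the attacker's whole payload as one body. A
    lenient receiver ends the DATA phase at the fake terminator and then
    executes the MAIL FROM / RCPT TO / DATA that follow as fresh commands,
    accepting a second, smuggled message with an attacker-chosen envelope."""
    eol = LENIENT_EOL if lenient else STRICT_EOL
    messages = []
    in_data = False
    mail_from, rcpts, body = None, [], []
    for line, terminated in split_lines(stream, eol):
        if in_data:
            if line == b"." and terminated:
                messages.append((mail_from, rcpts, b"\r\n".join(body)))
                in_data, mail_from, rcpts, body = False, None, [], []
            else:
                # Dot-stuffing: the sender doubled a leading dot (RFC 5321 4.5.2).
                body.append(line[1:] if line.startswith(b"..") else line)
            continue
        if not terminated:
            break  # incomplete command: a real server keeps waiting for it
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            mail_from = line[len(b"MAIL FROM:"):].strip()
        elif upper.startswith(b"RCPT TO:"):
            rcpts.append(line[len(b"RCPT TO:"):].strip())
        elif upper == b"DATA":
            in_data = True
        # Other commands are not needed for this model and are ignored.
    return messages


def smuggled(stream):
    """Messages a lenient receiver accepts that a strict one does not."""
    return receive(stream, lenient=True)[len(receive(stream)):]


# Constructed attacker payload (not captured traffic). The first message is
# the one the attacker may legitimately send; the bytes after the fake
# terminator form the smuggled envelope and message.
PAYLOAD = (
    b"MAIL FROM:<attacker@example.net>\r\n"
    b"RCPT TO:<victim@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: legitimate\r\n\r\nhello"
    b"\r\n.\n"                      # fake end-of-data: bare LF after the dot
    b"MAIL FROM:<ceo@example.com>\r\n"
    b"RCPT TO:<victim@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: smuggled\r\n\r\nwire the money"
    b"\r\n.\r\n"                    # the real end-of-data
)

if __name__ == "__main__":
    for mode in (False, True):
        print("lenient" if mode else "strict ", [m[0] for m in receive(PAYLOAD, mode)])
    for envelope_from, rcpts, body in smuggled(PAYLOAD):
        print("smuggled from", envelope_from, "to", rcpts, ":", body)
```

Replacing the fake `\r\n.\n` in PAYLOAD with a real `\r\n.\r\n` makes both receivers agree (two messages each) and `smuggled()` returns nothing; the attack only exists where the sending relay and the receiving server disagree on the terminator. The settings quoted in this thread (`smtpd_forbid_bare_newline = yes`, `smtpd_data_restrictions = reject_unauth_pipelining`) are the receiver-side knobs that move Postfix toward the strict model and refuse the commands an attacker pipelines after the fake terminator.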
After a small adaptation to the tool to use BDAT one can see what
The recommended settings are:
It really does not matter much, but leaving BDAT enabled can help in
some cases. It is not necessary to go this deep down the rabbit hole.
So what could be smuggled into a Postfix that defines "reject_unauth_pipelining" but does not define "smtpd_discard_ehlo_keywords = chunking"?
SHORT-TERM WORKAROUNDS
A short-term workaround can be deployed now, before the upcoming long
holiday and associated production change freeze.
NOTE: This will stop only the published form of the attack. Other forms
exist that will not be stopped in this manner.
* With all Postfix versions,
So as per your previous post, setting a policy such as this one would
do the trick?
...
This would be necessary to keep DMARC AR headers after they passed the
content_filter Amavis. It is not necessary for OpenDMARC to do its work.
It was not clear what "skipping OpenDMARC" means exactly,
This question has stirred up a lot of answers but if I’m understanding
correctly, it looks like I cannot use opendmarc with amavisd in
postfix as a pre-queue filter for dkim. The only viable option is
opendkim with opendmarc as pre-queue milters like I was originally doing.
Conceptually you
Correct, but amavisd supports rspamd, which has DMARC
what?
Amavis has support for rspamd as a spam_scanner, i.e. for scoring, not
for DMARC policy enforcement.
https://amavisd-milter.sourceforge.net/
just use that, it replaces all milters you have
This is a confusing statement.
in what way ?
amavisd-milter was already part of Dino's smtpd_milters. It is like you would
have said:
> http://www.postfix.org/. Just use that, it replaces the /etc you
https://amavisd-milter.sourceforge.net/
just use that, it replaces all milters you have
This is a confusing statement.
By “getting skipped” I mean I have no logs of opendmarc doing anything.
Do you have logs of opendmarc doing anything if you remove Amavis from
smtpd_milters?
I don’t understand how I would disable dkim in my content_filter
policy. Dkim verification is either enabled or disabled in Amavis
I tried this config but sadly it doesn’t work, OpenDMARC
(127.0.0.1:54321) gets skipped completely
If "getting skipped" means that you don't see Authentication-Results for
DMARC, I have a feeling that you didn't disable DKIM verification on
your content_filter Interface Policy. Amavis will
Wietse:
There. And to repeat myself, it depends on the destination
MTA how it delivers user%not-your-domain@your-domain.
Viktor:
You'll ideally let go of the goal, but if not, you'll need to allow
untrusted routing, and regularly test carefully to make sure that it
does not create an open relay
Wietse:
Postfix looks for @, % or ! in the address localpart, for example,
user%not-your-domain@your-domain.
There is no special resolver.
I believe this is what I wrote.
If Postfix finds any, like it would in user%not-your-domain@your-domain,
and "allow_untrusted_routing = yes" is
Damian:
I am trying to understand "allow_untrusted_routing = yes" and the
circumstances where it is (un)safe. The documentation mentions an open
relay loophole in the context of backup MXes. Is untrusted routing safe,
if Postfix has no explicit *_mx_* configuration?
This is a
I am trying to understand "allow_untrusted_routing = yes" and the
circumstances where it is (un)safe. The documentation mentions an open
relay loophole in the context of backup MXes. Is untrusted routing safe,
if Postfix has no explicit *_mx_* configuration?
Consider the sample setup:
how can I sub-scr1be to this list?
Sorry to write it this way, but there is a stupid filter in place that
blocks the email.
https://mail.sys4.de/mailman/listinfo/dane-users does not work?
I am looking for input how to implement a DANE- and MTA-STS-capable
Postfix setup which is able to produce SMTP TLS reports (RFC8460).
Right now I see several obstacles.
There is postfix-mta-sts-resolver [1], and my first reflex was to use it
with smtp_tls_policy_maps as documented, and fall
I can think of some (messy) ways to do this, but before I start cobbling
something together, I am hoping this is something someone has already done.
Are you asking for software or ideas?
Question really says it all. Everything in postfix, except these, seems to be
lower case. I’m not sure if this is a stylistic thing, or something having to
do with an openssl internal, but if these get lowercased in a config, will it
break?
root@265a6a1736b3:~# postconf -d smtp_tls_CAfile
Oct 20 20:07:49 libertyfp postfix/smtpd[174025]: warning: hostname
ip245.tervelnet.com does not resolve to address 87.246.7.245
Oct 20 20:07:49 libertyfp postfix/smtpd[174025]: connect from
unknown[87.246.7.245]
Oct 20 20:07:51 libertyfp postfix/smtpd[174025]: warning:
unknown[87.246.7.245]: SASL
There are 2 different and contradictory DMARC records in DNS for
raf.org. That guarantees breakage.
Interesting, according to [1] they shouldn't receive reports at all.
[1] https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.3 point 5
I've been a little bit terrified of doing an upgrade, because I do have a couple of people using my mail server for real work
email and I don't want to disrupt them.
Besides Postfix you could have a look at
https://doc.dovecot.org/installation_guide/upgrading/from-2.2-to-2.3/
reject_sender_login_mismatch can be setup to only allow emails being
sent out where the from, not just the envelope-from, has to match the
users login credentials
Are you sure? The documentation only mentions the MAIL FROM address.
That's interesting... 8.4 saw the upgrade to Postfix 3.5.8 (from 3.3.1
I believe)
http://rpmfind.net/linux/centos/8.3.2011/BaseOS/x86_64/os/Packages/postfix-3.3.1-12.el8.x86_64.rpm
already had PrivateTmp.
Is it possible for two different servers to have a same long_queue_ids ?
Are the long queue ID's unique to the world or only unique to that postfix
instance?
Given 2040 Postfix mail servers that each have queued a mail at the exact same time, up to microseconds, and a pool of 3 million
Safe to assume the 11th character is always 'z'?
Until July 2596.
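The answers above follow from the layout of a long queue ID. As an added example (not from the thread and not Postfix's own code), the following encodes and decodes that layout as described in postconf(5) for long_queue_ids: seconds since the epoch in base 52, microseconds in base 52, the separator 'z', then the inode number of the queue file in base 51. The digit alphabet and the field widths (6 and 4 characters) are assumptions taken from Postfix's util/safe_ultostr.c and global/mail_queue.h as recalled here; check them against your source tree before relying on decoded timestamps in an investigation. The sample time and inode values are constructed.

```python
from datetime import datetime, timezone

# Digit alphabet assumed from util/safe_ultostr.c (vowels are left out so
# IDs do not spell words). Base 52 uses all 52 characters; base 51 drops the
# last one, 'z', which is why 'z' can serve as the separator before the
# inode part.
ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
SEC_BASE, SEC_WIDTH = 52, 6      # seconds since the epoch, zero-padded
USEC_BASE, USEC_WIDTH = 52, 4    # microseconds within that second, zero-padded
INUM_BASE = 51                   # queue-file inode number, no padding
SEPARATOR = "z"


def encode(value, base, width):
    """Most-significant digit first, left-padded with '0' to `width`."""
    digits = []
    while True:
        value, rem = divmod(value, base)
        digits.append(ALPHABET[rem])
        if value == 0:
            break
    return "".join(reversed(digits)).rjust(width, ALPHABET[0])


def decode(text, base):
    value = 0
    for ch in text:
        digit = ALPHABET.index(ch)
        if digit >= base:
            raise ValueError(f"{ch!r} is not a base-{base} digit")
        value = value * base + digit
    return value


def encode_queue_id(seconds, microseconds, inode):
    return (encode(seconds, SEC_BASE, SEC_WIDTH)
            + encode(microseconds, USEC_BASE, USEC_WIDTH)
            + SEPARATOR
            + encode(inode, INUM_BASE, 0))


def decode_queue_id(queue_id):
    """Return (seconds, microseconds, inode). Raises ValueError if the
    layout does not match, e.g. the 11th character is not 'z'."""
    sep_at = SEC_WIDTH + USEC_WIDTH
    if len(queue_id) < sep_at + 2:
        raise ValueError("too short for a long queue ID")
    if queue_id[sep_at] != SEPARATOR:
        raise ValueError("expected 'z' separator at position 11")
    seconds = decode(queue_id[:SEC_WIDTH], SEC_BASE)
    microseconds = decode(queue_id[SEC_WIDTH:sep_at], USEC_BASE)
    inode = decode(queue_id[sep_at + 1:], INUM_BASE)
    return seconds, microseconds, inode


def queue_id_time(queue_id):
    """UTC time at which the queue file was created, useful when correlating
    queue IDs across log files."""
    seconds, microseconds, _ = decode_queue_id(queue_id)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=microseconds)


def separator_moves():
    """First instant at which the seconds field no longer fits in 6 base-52
    digits, which pushes the 'z' separator from position 11 to position 12."""
    return datetime.fromtimestamp(SEC_BASE ** SEC_WIDTH, tz=timezone.utc)


if __name__ == "__main__":
    qid = encode_queue_id(1703946135, 123456, 8675309)   # constructed values
    print(qid, decode_queue_id(qid), queue_id_time(qid).isoformat())
    print("separator moves at", separator_moves().isoformat())
```

Two consequences visible in the code: the ID carries nothing that identifies the server, so two instances that create a queue file in the same microsecond on the same inode number produce the same ID (unique per instance, not per world), and the separator stays at position 11 exactly as long as the seconds value fits in six base-52 digits, i.e. until 52^6 seconds after the epoch.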
Hello,
postconf(5) states that smtpd_relay_restrictions apply before
smtpd_recipient_restrictions. This seems incorrect since
postfix-3.3-20180106.
Regards
Damian
> I've defined OpenDKIM and OpenDMARC as smtpd_milters, using UNIX
> sockets. In the "normal" setup they work like a charm, but now I add
> Amavis to the mix, with smtpd_proxy_filter, and suddenly both milters
> disappear. Why?
From [1]:
> When you use the before-queue content filter for
>> The validator [1] says TLSA is ok, so is this even be a DNS issue? If I
>> have to guess, Postfix encounters the following situation:
>>
>>
>> When TLSA records are found, but are all unusable the effective security
>> level is "encrypt"
>>
>> The documentation does not state that self-signed
The validator [1] says TLSA is ok, so is this even be a DNS issue? If I
have to guess, Postfix encounters the following situation:
> When TLSA records are found, but are all unusable the effective security
> level is "encrypt"
The documentation does not state that self-signed certificates are
I just realized this is an X-Y problem. The flag is on-the-wire as a
part of the M macro.
> is it possible, in principle, to define new milter macros that are
> passed to smtpd_milters? [1] does not list a macro that carries
> information whether SMTPUTF8 is set. [2] mentions SMFIC_MACRO, but I
>
Hi,
is it possible, in principle, to define new milter macros that are
passed to smtpd_milters? [1] does not list a macro that carries
information whether SMTPUTF8 is set. [2] mentions SMFIC_MACRO, but I
have no idea if that is what I think it might be.
Damian
[1] http://www.postfix.org
Oh Lord.
> Resending Jaroslaw Rafa's message, so that people who don't see his
> email can see it here.
>
> Apparently, Gmail considers Jaroslaw;s email address as a source
> of spam, because his postfix-users messages are sent to many people
> in a relatively short time.
>
> So if you could
Some while ago, I had a Perl script around Mail::GPG as mailbox_command,
or inside a procmailrc, I'm not sure. I had it trigger only for a
certain address extension, e.g. mailbox+...@domain.tld. It worked quite
alright.
> Can such filter work, without ever storing plaintext email on disk ?
>
>
Thank you, this is explicit enough.
Regards
Damian
On 19.10.2018 at 17:57, Wietse Venema wrote:
Sorry, I don't have color fonts. Again, Postfix will ignore a failed
refresh probe. From that it follows that Postfix will keep using
the cached positive result. From that it follows
and then bounced?
Damian
On 19.10.2018 at 16:29, Wietse Venema wrote:
The time after which a successful address verification probe needs to
be refreshed. The address verification status is not updated when the
probe fails (optimistic caching).
It does not explain what happens with incoming mails
until day 31. But what happens
with mails for X between day 8 and 31? Will they be accepted by Postfix
and then bounced?
Thanks
Damian
Hi,
is there a reason that tcp_table has the DICT_FLAG_PATTERN flag instead of
DICT_FLAG_FIXED?
One could create more flexible transport map chains if tcp_table was also
queried for pure domains.
Regards
Damian
, user, @domain
access_maps_search = full, user@, domain, parent-domain
transport_maps_search = full, domain, .parent-domain
Wietse
Hi Wietse,
hi Viktor,
I would like to see this feature. :)
Regards
Damian
=Ru user=dspam argv=/usr/bin/dspam-retrain $nexthop $sender $recipient
Damian Bailey | baile...@lcps.k12.va.us
Lead Technician | LCPS Technology
540.894.4373x8220
Shipping Address:
Louisa County Public Schools
953 Davis Hwy
Mineral VA 23117
Scott,
Thanks, but I don't think this is my issue. (Though the bugs are good
to know!)
My mail just isn't being relayed to my email server. I am running
Ubuntu, though it's 10.04.2 LTS
Damian Bailey | baile...@lcps.k12.va.us
clear.
Were these mails stuck in amavis, or were they now dropped?
I'm not very familiar with amavis, so I'm unsure what logs to check. My
mail.log showed (queue active) on all mail ...emails were eventually
getting through, just severely delayed.
Thanks for any help.
Damian Bailey
a difference, but I'm not 100% into linux / Ubuntu yet.
Damian Bailey | baile...@lcps.k12.va.us
from poorly-configured mail servers and DNS records.
For instance, say we have 500 employees with email accounts. If I have
a single sender that sends to more than 200 of them, I would want to
review it as a possible spamming attack.
Has anyone run into this?
Thanks.
Damian Bailey
and hardly understand the compiling process.
so can anyone tell me what I have done wrong?
I am new to the list and wasn't sure if it's suitable to post questions
here.
so please advise if I should try another.
Thanks
Damian J. L. Lee
Thank you for your answer Sahil.
In fact I don't fully understand the problem.
Do you mean I have to have a *static* libdb library in order to compile my
Postfix in static linking?
2010/8/11 Sahil Tandon sa...@freebsd.org
On Wed, 2010-08-11 at 11:10:31 +0800, damian lee wrote:
recently I am
On Mon, Jan 11, 2010 at 06:15:21PM -0300, Damian Rivas wrote:
mynetworks = 127.0.0.0/8, 200.55.14.248/29, 190.210.52.88/29
These are the hosts allowed to relay. Don't mung the IP addresses.
snip
All incoming mail seems to come from ns1.cht.com.ar, which is a
gateway for the internal mail
Hello everyone,
I have a Postfix box basically configured to send mail from my organization to
the Internet. Today I received a warning message telling me that the mail queue
was full.
It seems that some Spammer is using my server as an Open Relay, so I used the
check_sender_access function
Damian,
Please ignore the above bad advice. An OK in
smtpd_sender_restrictions can not possibly make you an open
relay. Likely it didn't work as expected because the mail
isn't submitted via SMTP.
Before you waste time on any other bad advice you may get,
examine your logs to see where
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On behalf of /dev/rob0
Sent: Monday, 11 January 2010 16:50
To: postfix-users@postfix.org
Subject: Re: Spam Attack on my outgoing server
On Mon, Jan 11, 2010 at 03:27:05PM -0300, Damian Rivas wrote:
I have
by hotmail?
[snip]
--
Regards,
Damian Myerscough
hotmail.com via a DNS lookup?
--
Regards,
Damian Myerscough
and spamassassin, should
one see spamassassin working (I am using a Ubuntu server)
This might be better asked on an amavisd forum -
But having said that, the spamassassin classes are actually called
directly by amavis, so you won't see any spamassassin processes running.
Joe
--
Regards,
Damian
Hello,
You can also use smtpd_sender_login_maps which allows you to map
email addresses to users e.g.
smtpd_sender_login_maps = hash:/etc/postfix/sender_maps
The contents of sender_maps would look like
dam...@example.com damian
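The earlier exchange about reject_sender_login_mismatch (whether it looks at the header From or only the envelope) and the smtpd_sender_login_maps post above describe the same mechanism. As an added example (not from either poster and not Postfix code), the following models how a table like the one above is consulted and what reject_sender_login_mismatch decides for authenticated and unauthenticated clients. It works on the envelope MAIL FROM only, as documented; the header From: is never consulted. The table contents, login names and addresses are constructed, and the lookup order is simplified (full address, then @domain), so check mail_addr_find(3) for the exact keys Postfix tries.

```python
# Constructed sample of an smtpd_sender_login_maps table (hash: syntax):
# envelope sender address -> SASL login name(s) that own it.
SENDER_LOGIN_MAP = """
# sender address        owner login(s)
damian@example.com      damian
sales@example.com       alice, bob
@partner.example        relay-partner
"""


def parse_table(text):
    """Parse 'key value' lines; values may list several logins, separated
    by commas or whitespace, as Postfix tables allow."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.lower()] = set(value.replace(",", " ").split())
    return table


def lookup_owners(table, sender):
    """Owners of a sender address. Simplified lookup order: the full address,
    then the @domain wildcard. (Postfix additionally tries the address with
    its extension removed and, for local domains, the bare 'user@' key.)"""
    sender = sender.strip("<>").lower()
    if sender in table:
        return table[sender]
    _, _, domain = sender.rpartition("@")
    return table.get("@" + domain, set())


def check_sender_login_mismatch(table, mail_from, sasl_login):
    """Model of reject_sender_login_mismatch, evaluated on the envelope
    MAIL FROM address only. Returns None to permit, otherwise the reason
    for the reject. `sasl_login` is None for an unauthenticated client."""
    owners = lookup_owners(table, mail_from)
    if sasl_login is None:
        # reject_unauthenticated_sender_login_mismatch half: an address that
        # has an owner may not be used without logging in as that owner.
        if owners:
            return f"{mail_from}: owned by {sorted(owners)}, client not authenticated"
        return None
    # reject_authenticated_sender_login_mismatch half: a logged-in client may
    # only use addresses the table assigns to its login.
    if sasl_login not in owners:
        return f"{mail_from}: login {sasl_login!r} does not own this sender address"
    return None


if __name__ == "__main__":
    table = parse_table(SENDER_LOGIN_MAP)
    for mail_from, login in [("<damian@example.com>", "damian"),
                             ("<damian@example.com>", "mallory"),
                             ("<ceo@example.com>", "damian"),
                             ("<damian@example.com>", None),
                             ("<stranger@elsewhere.example>", None)]:
        verdict = check_sender_login_mismatch(table, mail_from, login)
        print(mail_from, login, "->", "permit" if verdict is None else "reject: " + verdict)
```

Note the third case: a logged-in user sending from an address the table does not list is rejected too, which is what makes the restriction useful against a compromised account spraying arbitrary From addresses. Anything a user puts in the header From: is outside its scope; that has to be handled by a milter or content filter.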
2009/7/26 Benny Pedersen m...@junc.org:
On Sun, July 26
authentication, preferably with smtpd_sender_login_maps
(the alternative would be to give no login:pass to restricted users).
Thanks!!!
This answers my needs, exactly what I want!!
--
Regards,
Damian Myerscough
Hello,
I have been recently playing with Postfix a lot and I was curious about the
consequences of disabling the VRFY command. I have disabled the
VRFY command because it allows attackers to see which users
are valid, e.g. local users could be identified.
--
Regards,
Damian Myerscough
EHLO scent-team.com
250-smtp.thessaloniki.gr
250-PIPELINING
250-SIZE 1024
250-ETRN
250-XXXA
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Disable smtp fixup in your router. It breaks more things than it solves.
--
Regards,
Damian Myerscough
falls for it...
Charles
Thanks
Ram
--
Regards,
Damian Myerscough