Re: Three trivial filtering questions

2013-08-05 Thread Ronald F. Guilmette
In message 51ff1bba.9000...@hardwarefreak.com, Stan Hoeppner s...@hardwarefreak.com wrote: Doing RBL client checks in postscreen? That would be one cause. As I mentioned, I am not using postscreen at the present time. Another could be having duplicate reject_rbl_client statements in

Re: Three trivial filtering questions

2013-08-05 Thread Ronald F. Guilmette
In message 51ff2563.1070...@hardwarefreak.com, Stan Hoeppner s...@hardwarefreak.com wrote: If not maybe a new restriction verb would be useful to perform this exact check. Maybe you should explain why you're having a problem rejecting spamware that HELO's with an IP literal. Did I say I was

Re: Three trivial filtering questions

2013-08-05 Thread Ronald F. Guilmette
In message 51ff2ad2.2080...@hardwarefreak.com, Stan Hoeppner s...@hardwarefreak.com wrote: BTW, if you want to maximize potential hits on RHSBLs just short of doing body checks, you may want to give Sahil Tandon's TCP server based RHSBL header checker a spin. It grabs domains from headers and

Re: TLS with Encrypted Private Key

2013-08-05 Thread Pau Amma
On Mon, August 5, 2013 5:12 am, Yishen Miao wrote: On Aug 4, 2013, at 9:54 PM, wie...@porcupine.org (Wietse Venema) wrote: Yishen Miao: I wonder is there any plan about adding such feature to postfix? There are no such plans. If random people can read a private key file that is read-only for

Re: TLS with Encrypted Private Key

2013-08-05 Thread DTNX Postmaster
On Aug 5, 2013, at 07:12, Yishen Miao mys72...@gmail.com wrote: I'm trying to re-use my SSL certificate for Apache on postfix which is encrypted. It would be convenient if postfix can support that. Also, an encrypted private key that is read-only for root sounds more secure than a plain one

Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Charles Marcus
On 2013-08-04 7:30 PM, wie...@porcupine.org (Wietse Venema) wie...@porcupine.org (Wietse Venema) wrote: Charles Marcus: We are set up for performance with VRFY probes and by modifying your postfix config file so postfix will not have a performance issue by setting postfix option

Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Mikael Bak
On 08/05/2013 02:15 PM, Charles Marcus wrote: Also - I hate to ask (it isn't your job to do their job), but could you suggest off the top of your head what they *should* be doing? Would properly closing all VRFY probe connections really impact performance on their side that much - especially

Re: Three trivial filtering questions

2013-08-05 Thread Noel Jones
On 8/4/2013 10:13 PM, Ronald F. Guilmette wrote: In message 51ff13eb.8090...@megan.vbhcs.org, Noel Jones njo...@megan.vbhcs.org wrote: On 8/4/2013 8:06 PM, Ronald F. Guilmette wrote: Does reject_non_fqdn_helo_hostname, when placed in the smtpd_helo_restrictions, permit clients to HELO/EHLO

bypass amavisd after OK from policy daemon?

2013-08-05 Thread Franz Schwartau
Dear list, I configured postfix to use amavisd as a SMTP proxy (smtpd_proxy_filter). Now I'd like to skip amavisd if a policy daemon called in smtpd_recipient_restrictions returns OK. Has anyone any idea how to accomplish this? As far as I understood postfix' restrictions there is no final OK

Re: bypass amavisd after OK from policy daemon?

2013-08-05 Thread /dev/rob0
On Mon, Aug 05, 2013 at 02:49:49PM +0200, Franz Schwartau wrote: I configured postfix to use amavisd as a SMTP proxy (smtpd_proxy_filter). Now I'd like to skip amavisd if a policy daemon called in smtpd_recipient_restrictions returns OK. Has anyone any idea how to accomplish this? If the

Re: Three trivial filtering questions

2013-08-05 Thread Noel Jones
On 8/5/2013 3:16 AM, Ronald F. Guilmette wrote: In message 51ff2ad2.2080...@hardwarefreak.com, Stan Hoeppner s...@hardwarefreak.com wrote: BTW, if you want to maximize potential hits on RHSBLs just short of doing body checks, you may want to give Sahil Tandon's TCP server based RHSBL

Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Noel Jones
On 8/5/2013 7:15 AM, Charles Marcus wrote: On 2013-08-04 7:30 PM, wie...@porcupine.org (Wietse Venema) wie...@porcupine.org (Wietse Venema) wrote: Charles Marcus: We are set up for performance with VRFY probes and by modifying your postfix config file so postfix will not have a performance

Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Charles Marcus
On 2013-08-05 9:21 AM, Noel Jones njo...@megan.vbhcs.org wrote: Set those three limits to 100 or higher. Those controls are intended to prevent random clients from wasting your time. Since you don't allow connections from random clients, it's safe to increase them. # main.cf

Re: Alias to command not working

2013-08-05 Thread Jeroen Geilman
On 08/05/2013 02:35 AM, Sam Flint wrote: I have an alias to a command defined in my /etc/aliases file, anytime I send to it, I get this error: |postman...@flintfam.org (expanded from postman...@flintfam.org): user unknown You are apparently *piping* a copy to a /recipient/. This does not

Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Noel Jones
On 8/5/2013 9:09 AM, Charles Marcus wrote: On 2013-08-05 9:21 AM, Noel Jones njo...@megan.vbhcs.org wrote: Set those three limits to 100 or higher. Those controls are intended to prevent random clients from wasting your time. Since you don't allow connections from random clients, it's safe

Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Charles Marcus
On 2013-08-05 10:53 AM, Noel Jones njo...@megan.vbhcs.org wrote: I don't suppose an open idle connection from a somewhat authorized client will bother anything, so just go with it. Ok - and by 'go with it', you mean just adjust the settings per your last email and be done with it, right? I

Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Noel Jones
On 8/5/2013 10:30 AM, Charles Marcus wrote: On 2013-08-05 10:53 AM, Noel Jones njo...@megan.vbhcs.org wrote: I don't suppose an open idle connection from a somewhat authorized client will bother anything, so just go with it. Ok - and by 'go with it', you mean just adjust the settings per

Re: Three trivial filtering questions

2013-08-05 Thread Ronald F. Guilmette
In message 51ff9e18.9050...@megan.vbhcs.org, Noel Jones njo...@megan.vbhcs.org wrote: I use a pcre table to reject any HELO that starts with a bracket or looks like an IP. Legit hosts that use this form are very rare here -- maybe one every couple years. ... There is no built-in postfix

Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Wietse Venema
Noel Jones: On 8/5/2013 10:30 AM, Charles Marcus wrote: On 2013-08-05 10:53 AM, Noel Jones njo...@megan.vbhcs.org wrote: I don't suppose an open idle connection from a somewhat authorized client will bother anything, so just go with it. Ok - and by 'go with it', you mean just adjust

Re: Three trivial filtering questions

2013-08-05 Thread Noel Jones
On 8/5/2013 12:54 PM, Ronald F. Guilmette wrote: In message 51ff9e18.9050...@megan.vbhcs.org, Noel Jones njo...@megan.vbhcs.org wrote: I use a pcre table to reject any HELO that starts with a bracket or looks like an IP. Legit hosts that use this form are very rare here -- maybe one every

Re: Three trivial filtering questions

2013-08-05 Thread Ronald F. Guilmette
In message 51fff9c5.9070...@megan.vbhcs.org, Noel Jones njo...@megan.vbhcs.org wrote: No. Here, near-zero legit clients use bracketed HELO. Looks as if I've whitelisted 2 clients in the last ~5 years (I see one of them has fixed their HELO sometime since then). That's close enough to zero for

Re: Three trivial filtering questions

2013-08-05 Thread Noel Jones
On 8/5/2013 4:16 PM, Ronald F. Guilmette wrote: I see zero value in testing to see if the HELO IP is forged, since using any IP seems to be a very strong spambot indicator. OK. Works for me! I just wish that it wasn't necessary to have to run an external PCRE to catch it, and that the

PATCH: docs for reject_non_fqdn_helo_hostname

2013-08-05 Thread Noel Jones
This attempts to clarify the description for reject_non_fqdn_helo_hostname. There seems to be end-user confusion about whether this feature should also reject address literals, which of course it is not intended to. *** proto/postconf.protoWed Jul 10 19:01:20 2013 ---

Re: Three trivial filtering questions

2013-08-05 Thread Ronald F. Guilmette
In message 520023b2.1070...@megan.vbhcs.org, Noel Jones njo...@megan.vbhcs.org wrote: On 8/5/2013 4:16 PM, Ronald F. Guilmette wrote: I see zero value in testing to see if the HELO IP is forged, since using any IP seems to be a very strong spambot indicator. OK. Works for me! I just

Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Stan Hoeppner
On 8/5/2013 9:09 AM, Charles Marcus wrote: On 2013-08-05 9:21 AM, Noel Jones njo...@megan.vbhcs.org wrote: Set those three limits to 100 or higher. Those controls are intended to prevent random clients from wasting your time. Since you don't allow connections from random clients, it's safe

basic level configuration: non-standard maildir location

2013-08-05 Thread David Benfell
Hi all, I'm trying to move my maildirs to a non-standard location (trying to balance disk activity) and there's something I think I'm missing. Here's what I tried: home_mailbox = /Maildir/$user/ But when I ran 'postfix check' it said, several times: /usr/bin/postconf: warning: