Request for feedback on SMTPD restrictions

[J Doe]

Hi,

I have a basic SMTP server set up with what I believe to be good smtpd_*_ 
restrictions, but I was wondering if anyone could provide any insight on how to 
improve them or if I have been redundant in the restrictions.  Even with 
reading the man pages, I find some of the restrictions tricky.

I am eventually having a submission service (with an -o 
smtpd_relay_restrictions=permit_sasl_authenticated in master.cf), for this 
server but right now what follows is just for a SMTP server on port 25.

smtpd_client_restrictions = permit_mynetworks,
reject_unauth_pipelining,
check_client_access hash:/etc/postfix/client_acl,
reject_unknown_client_hostname,
permit

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_unauth_pipelining,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
check_helo_access hash:/etc/postfix/helo_acl,
reject_unknown_helo_hostname,
permit

smtpd_sender_restrictions = permit_mynetworks,
reject_unauth_pipelining,
reject_non_fqdn_sender,
check_sender_access hash:/etc/postfix/sender_acl,
reject_unknown_sender_domain,
permit

smtpd_recipient_restrictions = permit_mynetworks,   
permit_auth_destination,
  
reject  
  

 
smtpd_relay_restrictions = permit_mynetworks,   
 
permit_auth_destination,
  
reject

Thanks,

- J

Re: Postfix using all CPU after nightly mail submission

[Zach Sheppard]

Hi Viktor:

I configured that internally generated mail to be filtered through our DKIM
milter. This was to allow deliveries of error messages from the server to
my inbox. However, I see above how this is not ideal since that can just be
delivered to the root user inbox. I have turned off that setting.

After making several tweaks from suggestions in this thread I saw much
better performance last night.

On Fri, Jan 19, 2018 at 2:25 PM, Viktor Dukhovni  wrote:

> On Fri, Jan 19, 2018 at 02:04:05PM -0500, Zach Sheppard wrote:
>
> > I have not made any changes to rsyslog.conf. All it does it redirect all
> > mail log messages to one log in /var/log/mail which I rotate with a cron
> > script nightly. However, I do agree that it really could be the only
> other
> > process that could be hanging the server.
>
> Your milter could be another culprit, and you've unwisely configured
> filtering of internally generated mail, including notices about
> problems.  So the first thing is to undo the filtering of internally
> generated mail.  See also my other comments about your config.
>
> As for syslog, for MTAs I prefer syslog-ng, to rsyslog, and make
> sure that /dev/log is configured as a "dgram" not "stream" socket.
> Also make sure that log writes are not synchronous.
>
> --
> Viktor.
>

-- 
This message may contain confidential information and is intended only for 
the individuals named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited.

Re: canonical based on login name

[Wietse Venema]

Joris (ideeel):
> Now the remaining problem is that ,even with SMTP-auth, the MAIL FROM 
> username sometimes is still apache. I know gmail rewrites the envelope 
> sender and the header sender based on the login name, but i have not 
> been able to find how to do this in postfix (canonical_classes does not 

You can use the reject_sender_login_mismatch feature to enforce
that each SASL login uses its own unique emvelope sender address.

During the transition, use:

warn_if_reject reject_sender_login_mismatch

to find out which apps aren;t using the proper sender address.

Otherwise, as Victor says, this requires external code (content
filter or milter).

Wietse

Re: canonical based on login name

[Viktor Dukhovni]

> On Jan 20, 2018, at 11:08 AM, Joris (ideeel)  wrote:
> 
> I know gmail rewrites the envelope sender and the header sender based on
> the login name, but I have not been able to find how to do this in Postfix

To make it clearer, we should first understand what "rewriting" means in
Postfix.

  -  Rewriting in Postfix takes an input value (say the sender address)
 and produces a new value as a function of (via a lookup table)
 of the input value.  The *only* input into the construction of the
 new value is the original value.  Thus you can transform a sender
 address to another sender address, but this cannot take into account
 any other message properties.

Since "canonical_maps" is an address rewriting mechanism, it cannot do
what you're asking for.  The transformation you're asking for presently
requires a content filter or milter.

-- 
Viktor.

Re: Postfix using all CPU after nightly mail submission

[Ralf Hildebrandt]

> > Jan 15 00:42:42 mailrelay postfix/qmgr[5601]: 8EF0980973: 
> > from=<...@oconee.k12.sc.us>, size=2408, nrcpt=1 (queue 
> > active)^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> > Jan 15 09:31:40 mailrelay opendkim[668]: OpenDKIM Filter v2.11.0 starting 
> > (args: -x /etc/opendkim.conf)
> 
> What you see as "^@" is how ASCII NUL (the zero byte) is displayed
> by "more", "less", "vi", ...   It appears that the log file has either
> lots of NULs written to it, or perhaps has a "hole" as a result of
> truncation of the log file while it was still being written by the
> syslog daemon.  Perhaps incorrect log rotation...
> 
> As for high CPU, that's a bit hard to explain without further
> information, which is difficult to obtain with a truncated log.
> Postfix does not normally bring systems to their knees, its
> resource limits are specifically designed to avoid that.

I've seen similar issues. Machines executing one job - which either
goes hogging the CPU or using all memory, then either the OOM killer
goes mad or the whole machine panics, leaving the filesystem in an
inconsistent state. Often leaving zeros in the log.

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

canonical based on login name

[Joris (ideeel)]

hi list

I run a webservice (and a mail service). All websites run under the same 
UID of apa...@webserver.domain.com. I know, not ideal, but i cannot 
change that bit. Problem is that if one site gets hacked, user apache 
starts sending spam with no way to figure out which website is 
misbehaving. Thus we are going to enforce websites to use SASL-auth.


Now the remaining problem is that ,even with SMTP-auth, the MAIL FROM 
username sometimes is still apache. I know gmail rewrites the envelope 
sender and the header sender based on the login name, but i have not 
been able to find how to do this in postfix (canonical_classes does not 
seem to help me here). I cannot really reject the mail using 
reject_authenticated_sender_login_mismatch because the mails will be 
send back to the apache user with again no knowledge of the true sender.


hope you can give me some pointers or documentation how I can solve this :)

best
Joris

Re: Setup SquirreMail with Virtual Host

[Rodrigo Cunha]

*Ok!*


Livre
de vírus. www.avast.com
.
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

2018-01-20 4:43 GMT-02:00 Bill Cole <
postfixlists-070...@billmail.scconsult.com>:

> On 19 Jan 2018, at 10:20 (-0500), Rodrigo Cunha wrote:
>
> [SNIP:  NOTHING regarding Postfix!]
>
> What you posted is all Apache HTTPD configuration. Your problems appear to
> be with SquirrelMail, a webmail application that interacts with  a web
> server (i.e Apache HTTPD) an IMAP server (maybe Dovecot?) and a local
> submission mechanism (sendmail? Submission to port 587 or SMTP to port 25?)
> that MAY use Postfix.
>
> Find the right place to get help. This is not it.
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
>



-- 
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil