Re: Transport based on domain?
On 2022-01-27 23:14, Alex wrote:
> btw, off-topic, but is anyone using fuglu in place of amavisd, which
> seems kind of dead now?

So let's be off-topic: I do use fuglu in a prequeue setup with postfix.
More info is in the mailing list or on fuglu's site:
https://gitlab.com/fumail/fuglu
Re: Transport based on domain?
Alex wrote:
> Hi,
> I have postfix-3.5.10 configured as a multi-instance along with
> amavisd for spam filtering. Amavis is limited in its ability to create
> different filtering policies for individual domains,

Unless a lot of functionality has been dropped since I last took a dive
in the Amavis docs it should support policies down to per-user
granularity. Look for "filter banks" (IIRC).

I can't help much further since I don't use it myself, but I'm pretty
sure you're going to a lot of trouble to work around a non-problem.

-kgd
Re: Transport based on domain?
Viktor Dukhovni:
> On Thu, Jan 27, 2022 at 05:14:06PM -0500, Alex wrote:
>
> > I have postfix-3.5.10 configured as a multi-instance along with
> > amavisd for spam filtering.
>
> One of the key features of a multi-instance pipeline with separate input
> and output instances is that routing of messages into content filters
> uses normal transport resolution machinery without relying on
> "content_filter" overrides.

FILTER_README needs updating. It is stuck in the past, before proper
multi-instance support was implemented.

	Wietse
Re: Transport based on domain?
On Thu, Jan 27, 2022 at 05:14:06PM -0500, Alex wrote:

> I have postfix-3.5.10 configured as a multi-instance along with
> amavisd for spam filtering.

One of the key features of a multi-instance pipeline with separate input
and output instances is that routing of messages into content filters
uses normal transport resolution machinery without relying on
"content_filter" overrides.

> Amavis is limited in its ability to create different filtering
> policies for individual domains, so I wanted to be able to have
> amavisd run on one port for one domain and another port for another
> domain.

Thus, in particular, you can indeed use the transport(5) table to direct
various recipient domains (or even individual recipients) to a specific
filter nexthop.

> /etc/postfix-117/transport
> domain1 relay:[127.0.0.1]:10024
> domain2 relay:[127.0.0.1]:10025

Sure.

-- 
    Viktor.
Transport based on domain?
Hi,

I have postfix-3.5.10 configured as a multi-instance along with amavisd
for spam filtering. Amavis is limited in its ability to create different
filtering policies for individual domains, so I wanted to be able to
have amavisd run on one port for one domain and another port for another
domain.

Is it possible to somehow use the default_transport on some type of
per-domain basis? Currently I have it configured like:

    default_transport = smtp:[127.0.0.1]:10024

The thinking would be to send mail for domain1 to 10024, mail for domain2
to 10025, etc.

Perhaps a better approach would be to use transport_maps? Maybe something
like:

    /etc/postfix-117/transport
    domain1 relay:[127.0.0.1]:10024
    domain2 relay:[127.0.0.1]:10025

Ideas/direction would be greatly appreciated.

btw, off-topic, but is anyone using fuglu in place of amavisd, which
seems kind of dead now?

Thanks,
Alex
main.cf += support (was: Debugging import_environment)
Viktor Dukhovni:
> It is unfortunate that Postfix does not support "+=" main.cf settings
> that augment the default value of a given parameter. In the case

The semantics have not been worked out. Below is an attempt.

Here, the parameter value should be 'whatever bar'.

    main.cf
    # Assume foo has a default value of 'whatever'.
    foo += bar

That adds complexity, because the Postfix main.cf reader does not know
parameter default values at the time that it reads parameter settings.
Postfix looks up parameter default values after reading the entire
main.cf file (some default values are determined dynamically, and that
should happen only if really necessary). Only after that can Postfix
append the '+= bar' value to 'whatever'.

The complexity is that the main.cf reader will have to store the '='
and '+=' inputs differently, perhaps under 'foo' and '+foo'.

Below, the second line overrides all earlier foo settings, so the value
is 'whatever', not 'whatever bar':

    main.cf
    foo += bar
    foo = whatever

This adds no significant complexity.

The -o options in master.cf should behave like they do in main.cf, and
the same holds for -o options on the postconf and other command lines.

For consistency, settings in other config files (ldap, *sql, etc.)
should also support +=. Hopefully, cfg_parser can handle that (it uses
the same configuration file reader as is used for main.cf).

I would advise against faking += in the postconf command, where

    postconf foo+=bar

is faked by doing the equivalent of

    postconf foo="`postconf -h foo` bar"

This would not work as expected: it would not follow changes in the
default value, like the real += would.

	Wietse
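The proposed semantics modelled in Python, as an added example (not Wietse's code and not Postfix code): "=" and "+=" inputs are stored separately, default values are resolved only after the whole file has been read, and a later "=" wipes earlier "+=" settings. DEFAULTS is a constructed stand-in for Postfix's default values (the import_environment default is abbreviated), and treating "foo = x" followed by "foo += bar" as "x bar" is this example's reading of the proposal, not something the post spells out.

```python
# Added example (not Postfix code): a model of the main.cf "+=" semantics
# sketched in the post above.  "=" and "+=" inputs are stored separately
# (under "foo" and "+foo"), default values are looked up only after the
# whole file has been read, and the "+=" parts are appended afterwards.

# Constructed stand-ins for Postfix default values (import_environment's
# default is abbreviated).  A callable models a default that is determined
# dynamically, so it is evaluated lazily, never while reading main.cf.
DEFAULTS = {
    "foo": lambda: "whatever",
    "import_environment": lambda: "MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C",
}


def read_main_cf(text):
    """Read "name = value" and "name += value" lines into a raw table.

    Explicit settings land under the bare name, appended values under
    "+name".  A later "=" wipes every earlier setting for that name.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # comment or blank line
            continue
        eq = line.find("=")                         # first "=" splits name/value
        plus = eq > 0 and line[eq - 1] == "+"       # "name += value" form
        name = line[:eq - 1 if plus else eq].strip() if eq > 0 else ""
        if not name:
            raise ValueError("malformed line: %r" % raw)
        value = line[eq + 1:].strip()
        if plus:
            table.setdefault("+" + name, []).append(value)
        else:
            table[name] = value
            table.pop("+" + name, None)             # "=" overrides earlier "+="
    return table


def effective(table, name, defaults=DEFAULTS):
    """Effective value: explicit setting or (lazy) default, then "+=" parts."""
    base = table.get(name)
    if base is None:
        default = defaults.get(name, "")
        base = default() if callable(default) else default
    return " ".join(p for p in [base, *table.get("+" + name, [])] if p)


def resolve(table, defaults=DEFAULTS):
    """Effective values for every parameter mentioned in the table."""
    names = {k[1:] if k.startswith("+") else k for k in table}
    return {n: effective(table, n, defaults) for n in names}


def fake_plus_equals(table, name, value, defaults=DEFAULTS):
    """Emulate postconf foo="`postconf -h foo` bar": the current value is
    frozen into an explicit "=" setting, so later default changes are lost."""
    table = dict(table)
    table[name] = effective(table, name, defaults) + " " + value
    table.pop("+" + name, None)
    return table


if __name__ == "__main__":
    cf = read_main_cf("foo += bar\n"
                      "import_environment += KRB5_KTNAME=/etc/postfix/smtp.keytab\n")
    for name, value in sorted(resolve(cf).items()):
        print("%s = %s" % (name, value))
```

The last two assertions in the test below show the point of the post's closing paragraph: when the default changes, the real "+=" follows it, while the postconf emulation keeps the value it froze.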
Re: Inbound Mail Gateway Doubts
Thanks a lot Wietse and Viktor for the quick and useful responses!

bent smtpprox samples are so useful; it's just what I was looking for.
Consider rechecking the doc link on this page
http://www.postfix.org/FILTER_README.html because it is not upgraded
(it's ok on http://www.postfix.org/SMTPD_PROXY_README.html).

Considering your recommendation to use milters instead of After-Queue
filters, I was reading several documents about pros/cons, and I'm
especially worried about the delay our antispam and antivirus scanner
introduces in the process. In fact I want to move the lighter
functionalities of the current filter to Before-Queue. In any case I
will test both approaches in a stress test.

Best.

On 27/1/22 at 19:34, Wietse Venema wrote:
> Víctor Rubiella Monfort:
> > Hi!,
> > I'm working on redefining inbound mail delivery but I have some basic
> > "misconceptions".
> > Now I have several separate inbound servers. I want to improve by
> > deploying MX postfix gateways, improving content filtering, etc.
> >
> > First of all if someone can provide some links with more info about
> > configuration and architecture on this kind of layered approach
> > (GW->postfix->dovecot) I will be very grateful :D. (something more
> > than official doc and "postfix the definitive guide book" :D)
> >
> > Now I have an old perl script doing a lot of tasks in one filter
> > script; I want to refactor and optimize it.
>
> See my suggestions below. They are likely more secure and more
> performant. It's hard to give recommendations for writing custom code
> like you do.
>
> > I need help on concepts for "advanced content filter". First of all,
> > documentation refers to a Perl sample with a broken link
> > (http://bent.latency.net/smtpprox/. )
>
> You're looking at old documentation. The on-line doc has a link to
> https://web.archive.org/web/20151022025756/http://bent.latency.net/smtpprox/
>
> > I have found quite a few samples for Before-Queue filters (Milters),
> > but no advanced samples with After-Queue filtering.
>
> I'd suggest using Milters (i.e. before-queue) where possible, many SPAM
> filters have a Milter integration (examples: mimedefang, amavis,
> spamass-milter).
>
> 	Wietse
Re: Debugging import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab
On Thu, 2022-01-27 at 14:46 -0500, Viktor Dukhovni wrote:
> In the case
> of "import_environment" you really need to retain most of the
> default imports:
>
>     import_environment =
>         MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ
>         LANG=C POSTLOG_SERVICE POSTLOG_HOSTNAME
>         # These are optional
>         XAUTHORITY DISPLAY

Since KRB5_KTNAME=/etc/postfix/smtp.keytab there isn't even useful, I've
just removed setting of import_environment to anything at all to restore
the default value. Thanks for the info on that.

> The most likely reasons for changes are in Cyrus SASL, not Postfix,
> which does not directly do anything with Kerberos.

Fair enough.

Much thanks for your insight!

Cheers,
b.
Re: Debugging import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab
So the missing key here was not having "keytab: /etc/postfix/smtp.keytab"
in /etc/sasl2/smtpd.conf.

Interesting that this was not required in the previous version of
postfix/sasl/kerberos.

Cheers,
b.
Re: Debugging import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab
On Thu, Jan 27, 2022 at 02:46:04PM -0500, Viktor Dukhovni wrote:

> Perhaps your Kerberos (GSSAPI via SASL?) library is ignoring environment
> variables in processes that change uids (smtpd starts as root and then
> drops privs). Of course that makes sense for a setuid process, but not
> so much for a process that starts as root... The Fedora 31
> secure_getenv(3) manpage says:

See, for example, the MIT implementation:

    https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/ktdefname.c#L44-L47

    static krb5_error_code
    kt_default_name(krb5_context context, char **name_out)
        ...
        } else if (context->profile_secure == FALSE &&
                   (str = secure_getenv("KRB5_KTNAME")) != NULL) {
            *name_out = strdup(str);
            return (*name_out == NULL) ? ENOMEM : 0;
        ...

> You'll need to try a test program that starts as root, then changes
> uid to (e.g.) "postfix", and see whether "secure_getenv()" reports
> the expected environment variables.
>
> The most likely reasons for changes are in Cyrus SASL, not Postfix,
> which does not directly do anything with Kerberos.

On Fedora 31 (now dated), secure_getenv(3) does not suppress environment
variables in processes that drop privs. See attached test program.

    # KRB5_KTNAME=FILE:/etc/postfix/smtp.keytab /tmp/suid -u 89 -v KRB5_KTNAME
    uid = 89, euid=89, suid=89
    getenv('KRB5_KTNAME') = FILE:/etc/postfix/smtp.keytab
    secure_getenv('KRB5_KTNAME') = FILE:/etc/postfix/smtp.keytab

Note that the keytab file in question does need to be readable by the
"postfix" user, not just "root". The smtpd(8) process drops privs.

-- 
    Viktor.
#define _GNU_SOURCE
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>
#include <err.h>

/*
 * Test program: optionally change to the uid given with -u (the way
 * smtpd(8) drops root privileges), then report what getenv() and
 * secure_getenv() return for the variable named with -v (default HOME).
 */
int main(int argc, char *argv[])
{
    const char *var = "HOME";
    uid_t uid = 0;
    uid_t euid = 0;
    uid_t suid = 0;
    int c;

    while ((c = getopt(argc, argv, "u:v:")) != EOF) {
        switch (c) {
        case 'u':
            uid = (uid_t) atoi(optarg);
            break;
        case 'v':
            var = optarg;
            break;
        default:
            errx(1, "Usage: %s [-u uid] [-v var]", argv[0]);
            break;
        }
    }

    /* Drop privileges only when a non-root uid was requested. */
    if (uid != 0) {
        if (setuid(uid) != 0)
            err(1, "%s: setuid", argv[0]);
    }

    /* Report the real, effective and saved uid after the change. */
    if (getresuid(&uid, &euid, &suid) != 0)
        err(1, "%s: getresuid", argv[0]);

    printf("uid = %d, euid=%d, suid=%d\n", (int) uid, (int) euid, (int) suid);
    printf("getenv('%s') = %s\n", var, getenv(var));
    printf("secure_getenv('%s') = %s\n", var, secure_getenv(var));
    return 0;
}
Re: Debugging import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab
On Thu, Jan 27, 2022 at 02:18:23PM -0500, Brian J. Murrell wrote:

> I have a Postfix postfix-3.5.8 installation on EL8 which I just
> recently upgraded from 2.10.1 on EL7.
>
> The installation is configured to authenticate with GSSAPI and
> accordingly has:
>
> import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab

It is unfortunate that Postfix does not support "+=" main.cf settings
that augment the default value of a given parameter. In the case
of "import_environment" you really need to retain most of the
default imports:

    import_environment =
        MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ
        LANG=C POSTLOG_SERVICE POSTLOG_HOSTNAME
        # These are optional
        XAUTHORITY DISPLAY

> But now on postfix-3.5.8, smtpd seems to be ignoring the
> "KRB5_KTNAME=/etc/postfix/smtp.keytab" environment setting and is
> trying to use the default /etc/krb5.keytab as is reported by strace'ing
> the smtpd process:

Perhaps your Kerberos (GSSAPI via SASL?) library is ignoring environment
variables in processes that change uids (smtpd starts as root and then
drops privs). Of course that makes sense for a setuid process, but not
so much for a process that starts as root... The Fedora 31
secure_getenv(3) manpage says:

    The GNU-specific secure_getenv() function is just like getenv()
    except that it returns NULL in cases where "secure execution" is
    required. Secure execution is required if one of the following
    conditions was true when the program run by the calling process
    was loaded:

    * the process's effective user ID did not match its real user ID
      or the process's effective group ID did not match its real
      group ID (typically this is the result of executing a
      set-user-ID or set-group-ID program);

    * the effective capability bit was set on the executable file; or

    * the process has a nonempty permitted capability set.

    Secure execution may also be required if triggered by some Linux
    security modules.

which should not break smtpd(8), but perhaps something changed in later
versions?

> Any ideas why this would have been working on 2.10.1 but is now not
> working on 3.5.8?

You'll need to try a test program that starts as root, then changes
uid to (e.g.) "postfix", and see whether "secure_getenv()" reports
the expected environment variables.

The most likely reasons for changes are in Cyrus SASL, not Postfix,
which does not directly do anything with Kerberos.

-- 
    Viktor.
Debugging import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab
I have a Postfix postfix-3.5.8 installation on EL8 which I just
recently upgraded from 2.10.1 on EL7.

The installation is configured to authenticate with GSSAPI and
accordingly has:

    import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab

defined in main.cf. The /etc/postfix/smtp.keytab file is of course valid
and all of this worked just fine on 2.10.1 on EL7.

But now on postfix-3.5.8, smtpd seems to be ignoring the
"KRB5_KTNAME=/etc/postfix/smtp.keytab" environment setting and is
trying to use the default /etc/krb5.keytab as is reported by strace'ing
the smtpd process:

    3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)
    3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)

The KRB5_KTNAME environment variable is functional on the version of
kerberos installed on the machine however as demonstrated by:

    # KRB5_KTNAME=/etc/postfix/smtp.keytab klist -k
    Keytab name: FILE:/etc/postfix/smtp.keytab
    KVNO Principal
    --
       1 smtp/server.example@example.com

As you can see on the second line of output above, it is indeed using
the file location defined by the KRB5_KTNAME env. var.

It's almost as if the smtpd executable is clearing the environment
before it gets to processing the GSSAPI authentication. That's just a
theory though.

Any ideas why this would have been working on 2.10.1 but is now not
working on 3.5.8?

Cheers,
b.
Re: Inbound Mail Gateway Doubts
On Thu, Jan 27, 2022 at 06:57:12PM +0100, Víctor Rubiella Monfort wrote:

> First of all if someone can provide some links with more info about
> configuration and architecture on this kind of layered approach
> (GW->postfix->dovecot) I will be very grateful :D. (something more than
> official doc and "postfix the definitive guide book" :D)

I doubt you'll find a high quality how-to specifically tailored to your
needs. The official docs are in fact reasonably comprehensive,
especially if combined with either of the extant books (the "No Starch
Press" book by Patrick and Ralph is more hands-on IIRC than the O'Reilly
book).

> I need help on concepts for "advanced content filter".

These run as resident SMTP services typically on the same machine,
listening on a non-default (not 25) 127.0.0.1 TCP port.

> First of all, documentation refers to a Perl sample with a broken link
> (http://bent.latency.net/smtpprox/. )
> I see this related link
> https://stackoverflow.com/questions/40267168/advanced-content-filter-for-postfix-using-spawn-service

It is/was just a Perl script that is both an SMTP server and a client
(because it is a proxy). It just echoed most commands and data right
through, but supported some filtering features.

> That links to http://www.postfix.org/spawn.8.html and
> http://www.postfix.org/SMTPD_POLICY_README.html, but these examples
> confuse me because they seem related to policy filters, not
> content_filter.

Don't use spawn for this. Run a stand-alone network service.

> I have found quite a few samples for Before-Queue filters (Milters), but
> no advanced samples with After-Queue filtering.

They are conceptually simple SMTP-in SMTP-out proxies.

> I'm looking for some code examples and best practices for advanced
> filters and how to concatenate several advanced content filters:
> reinjecting from one to another one, etc.

If they have similar latency/throughput just "pipe" one straight into
the next (specify the next filter as the reinjection port for the
previous). If the latency/concurrency requirements are sufficiently
different, introduce a queue between the two filters by delivering the
mail back into a Postfix "smtpd" that has the next filter as its
content_filter setting.

-- 
    Viktor.
Re: Inbound Mail Gateway Doubts
Víctor Rubiella Monfort:
> Hi!,
>
> I'm working on redefining inbound mail delivery but I have some basic
> "misconceptions".
> Now I have several separate inbound servers. I want to improve by
> deploying MX postfix gateways, improving content filtering, etc.
>
> First of all if someone can provide some links with more info about
> configuration and architecture on this kind of layered approach
> (GW->postfix->dovecot) I will be very grateful :D. (something more than
> official doc and "postfix the definitive guide book" :D)
>
> Now I have an old perl script doing a lot of tasks in one filter script;
> I want to refactor and optimize it.

See my suggestions below. They are likely more secure and more
performant. It's hard to give recommendations for writing custom code
like you do.

> I need help on concepts for "advanced content filter". First of all,
> documentation refers to a Perl sample with a broken link
> (http://bent.latency.net/smtpprox/. )

You're looking at old documentation. The on-line doc has a link to
https://web.archive.org/web/20151022025756/http://bent.latency.net/smtpprox/

> I have found quite a few samples for Before-Queue filters (Milters), but
> no advanced samples with After-Queue filtering.

I'd suggest using Milters (i.e. before-queue) where possible, many SPAM
filters have a Milter integration (examples: mimedefang, amavis,
spamass-milter).

	Wietse
Inbound Mail Gateway Doubts
Hi!,

I'm working on redefining inbound mail delivery but I have some basic
"misconceptions".
Now I have several separate inbound servers. I want to improve by
deploying MX postfix gateways, improving content filtering, etc.

First of all, if someone can provide some links with more info about
configuration and architecture on this kind of layered approach
(GW->postfix->dovecot) I will be very grateful :D. (something more than
official doc and "postfix the definitive guide book" :D)

Now I have an old perl script doing a lot of tasks in one filter script;
I want to refactor and optimize it.

I need help on concepts for "advanced content filter". First of all,
documentation refers to a Perl sample with a broken link
(http://bent.latency.net/smtpprox/. )

I see this related link
https://stackoverflow.com/questions/40267168/advanced-content-filter-for-postfix-using-spawn-service

That links to http://www.postfix.org/spawn.8.html and
http://www.postfix.org/SMTPD_POLICY_README.html, but these examples
confuse me because they seem related to policy filters, not
content_filter.

I have found quite a few samples for Before-Queue filters (Milters), but
no advanced samples with After-Queue filtering.

I'm looking for some code examples and best practices for advanced
filters and how to concatenate several advanced content filters:
reinjecting from one to another one, etc.

Thanks a lot!
Re: Non-unique Message ID in mail messages
Daniel Ryšlink:
> Hello!
>
> I apologize for bringing perhaps trivial/well-known matter, but I am
> interested in your opinion.
>
> RFC 5322 clearly states that mail messages SHOULD contain a Message ID
> identifier, but if they do contain it, it MUST be globally unique.

And when the message is forwarded, for example when it is sent to this
mailing list, the Message ID stays the same, because it is the same
message, only in a different envelope. But that is not the problem here.

> Despite this requirement, I have encountered senders (namely Spamcop)
> that send obviously different (albeit related) messages called "Alert"
> and "Summary" (they are always related to the same incident and have the
> same Message ID). This creates all sorts of problems when processing
> these mails, namely with users that have local forwards from one domain
> to another (our mailserver hosts multiple domains), because for example
> Dovecot refuses to forward the second message, flagging it as a
> duplicate (yes, I will write also to the Dovecot related mailing list).

That is nasty. Messages with different content should have different
Message ID headers (if they have a Message ID header).

If Spamcop has a distinct Message ID pattern, then you could use Postfix
header_checks to IGNORE their Message ID headers. According to RFC 5321
or 5322 the Message ID header is not required, and Dovecot should be
able to handle that.

> My question to you is - did you also encounter similar problems with
> Message IDs? Because according to the log records, Spamcop does not seem
> to be the only offender.

Do not confuse forwarded email (see my comment above) with Message ID
reuse.

	Wietse

> Thanks in advance for any reactions, and if I did something wrong by
> writing this message, I apologize again in advance.
>
> --
>
> --===--
> --== Best Regards! ==--
> --===--
>
> Daniel Ryšlink
> Sysadmin @ Quantcom.cz
> Czech Republic
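The distinction drawn above between a forwarded copy (same Message-ID, same content, different envelope) and Message-ID reuse (same Message-ID, different content), as an added Python example that is not from the thread, Postfix or Dovecot. The sample messages are constructed here; the two reports sharing one Message-ID are stand-ins for the "Alert"/"Summary" case, not real Spamcop mail, and the message without a Message-ID shows the RFC 5322 SHOULD that any such check has to tolerate.

```python
# Added example (not from the thread, Postfix or Dovecot): tell forwarded
# copies of one message (same Message-ID, same content, different envelope)
# apart from Message-ID reuse (same Message-ID, different content).
import email
import hashlib
from collections import defaultdict
from email import policy


def fingerprint(msg):
    """Hash message content only; Received, Return-Path and List-* headers
    legitimately change on forwarding, so they are left out on purpose."""
    h = hashlib.sha256()
    for name in ("From", "Date", "Subject"):
        h.update((msg.get(name) or "").strip().encode())
        h.update(b"\0")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    h.update(" ".join(text.split()).encode())      # normalise whitespace
    return h.hexdigest()


def classify_message_ids(raw_messages):
    """Return ({message_id: verdict}, count_without_message_id); verdict is
    "unique", "forwarded" (identical copies) or "reused" (differing copies)."""
    seen = defaultdict(list)
    missing = 0
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        mid = msg.get("Message-ID")
        if mid is None:                 # RFC 5322 makes Message-ID a SHOULD
            missing += 1
            continue
        seen[str(mid).strip()].append(fingerprint(msg))
    verdicts = {}
    for mid, fps in seen.items():
        if len(fps) == 1:
            verdicts[mid] = "unique"
        elif len(set(fps)) == 1:
            verdicts[mid] = "forwarded"
        else:
            verdicts[mid] = "reused"
    return verdicts, missing


def _mail(headers, body):
    """Build an RFC 5322 message string from (name, value) header pairs."""
    return "".join("%s: %s\n" % hv for hv in headers) + "\n" + body + "\n"


# Constructed sample mail: a message and its copy as relayed by a mailing
# list, two different reports sharing one Message-ID (stand-ins for the
# "Alert"/"Summary" case, not real Spamcop mail), and one without an ID.
DATE = "Thu, 27 Jan 2022 17:14:06 -0500"
SAMPLE_MESSAGES = [
    _mail([("From", "alice@example.com"), ("To", "list@example.org"), ("Date", DATE),
           ("Subject", "Hello"), ("Message-ID", "<1@example.com>")], "Hi list."),
    _mail([("Received", "from list.example.org by mx.example.net"),
           ("Return-Path", "<list-bounces@example.org>"), ("List-Id", "<list.example.org>"),
           ("From", "alice@example.com"), ("To", "list@example.org"), ("Date", DATE),
           ("Subject", "Hello"), ("Message-ID", "<1@example.com>")], "Hi list."),
    _mail([("From", "reports@reports.example"), ("Date", DATE), ("Subject", "Alert"),
           ("Message-ID", "<rep-1@reports.example>")], "Incident opened."),
    _mail([("From", "reports@reports.example"), ("Date", DATE), ("Subject", "Summary"),
           ("Message-ID", "<rep-1@reports.example>")], "Incident summary."),
    _mail([("From", "bob@example.com"), ("Subject", "No id")], "No Message-ID here."),
]

if __name__ == "__main__":
    verdicts, missing = classify_message_ids(SAMPLE_MESSAGES)
    for mid, verdict in sorted(verdicts.items()):
        print(mid, verdict)
    print("messages without Message-ID:", missing)
```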
Non-unique Message ID in mail messages
Hello!

I apologize for bringing perhaps trivial/well-known matter, but I am
interested in your opinion.

RFC 5322 clearly states that mail messages SHOULD contain a Message ID
identifier, but if they do contain it, it MUST be globally unique.

Despite this requirement, I have encountered senders (namely Spamcop)
that send obviously different (albeit related) messages called "Alert"
and "Summary" (they are always related to the same incident and have the
same Message ID). This creates all sorts of problems when processing
these mails, namely with users that have local forwards from one domain
to another (our mailserver hosts multiple domains), because for example
Dovecot refuses to forward the second message, flagging it as a
duplicate (yes, I will write also to the Dovecot related mailing list).

My question to you is - did you also encounter similar problems with
Message IDs? Because according to the log records, Spamcop does not seem
to be the only offender.

Thanks in advance for any reactions, and if I did something wrong by
writing this message, I apologize again in advance.

--

--===--
--== Best Regards! ==--
--===--

Daniel Ryšlink
Sysadmin @ Quantcom.cz
Czech Republic