[pfx] removing Authentication-Results, how?

2024-01-16 Thread David Bürgin via Postfix-users
Matus UHLAR - fantomas:
> Do you remove those headers on your servers?

In my chain of milters, the very first one simply deletes incoming
Authentication-Results whose authserv-id equals $myhostname … The rest
of the milters can then assume that no such headers are present.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: client checks with suspect IPs

2024-01-16 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 16, 2024 at 02:28:50PM -0500, Alex via Postfix-users wrote:

In addition to other comments, beware sloppy and inappropriate use of
"regular" expressions:

> /etc/postfix-118/client_checks.pcre:
> /74\.203\.184\.40/  OK

This should be a "cidr:" table lookup instead, and should use
permit_auth_destination, instead of "OK".

74.203.184.40/32  permit_auth_destination

> /etc/postfix-118/sender_checks.pcre:
> /myclient\.com/ permit

This should not be a regular expression check at all:

main.cf:
indexed = ${default_database_type}:${config_directory}/

smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
check_sender_access ${indexed}sender_checks,
...

sender_checks:
myclient.com    permit_auth_destination
.myclient.com   permit_auth_destination

as written it allows:

- myclient.com@anydomain.example
- other-than-myclient.com@anydomain.example
- someuser@myclient.comcast
...

Correct use of regular expressions, which not only accepts all wanted
inputs, but also rejects all unwanted inputs, is surprisingly rare.
Best practice is to avoid REs if at all possible, because you're likely
to use them incorrectly.

-- 
Viktor.


[pfx] Re: client checks with suspect IPs

2024-01-16 Thread John Fawcett via Postfix-users


On 16/01/2024 20:28, Alex via Postfix-users wrote:

Hi,

I need help with making a decision involved in determining whether to 
add an IP to my client_checks to bypass a blocklist entry on the 
Barracuda blocklist that is impacting one of our users. The problem is 
that this would also bypass the checks for other Zix hosted customers.


Jan 16 12:04:30 xavier postfix-118/postscreen[1006916]: NOQUEUE: 
reject: RCPT from [74.203.184.40]:3602: 550 5.7.1 Service unavailable; 
client [74.203.184.40] blocked using DNS Blocklist (barracuda); 
from=, to=, 
proto=ESMTP, helo=<zh-gw.zixsmbhosted.com>


I was also thinking I could add a sender_check for users at 
myclient.com domain only, but that didn't work. 
The above entry relates to a client reject, but shouldn't a 
sender_check involving myclient.com work as well?


smtpd_client_restrictions =
        permit_mynetworks,
        check_client_access ${indexed}client_checks,
        check_client_access pcre:$config_directory/client_checks.pcre,
        check_reverse_client_hostname_access pcre:$config_directory/reverse_client_hostname_access.pcre,
        check_client_access cidr:$config_directory/client_access_blocklist

/etc/postfix-118/client_checks.pcre:
/74\.203\.184\.40/                      OK

smtpd_sender_restrictions =
        permit_mynetworks,
        check_sender_access ${indexed}sender_checks,
        check_sender_access pcre:$config_directory/sender_checks.pcre,
        reject_unknown_sender_domain

/etc/postfix-118/sender_checks.pcre:
/myclient\.com/             permit

Any ideas greatly appreciated.


Hi Alex

that rejection is happening in postscreen, before handing off to smtpd 
so anything you configure in smtpd is not going to allow this email to 
pass. You'll at least need to allow this ip in the postscreen 
configuration for it to get to smtpd.


John


[pfx] client checks with suspect IPs

2024-01-16 Thread Alex via Postfix-users
Hi,

I need help with making a decision involved in determining whether to add
an IP to my client_checks to bypass a blocklist entry on the Barracuda
blocklist that is impacting one of our users. The problem is that
this would also bypass the checks for other Zix hosted customers.

Jan 16 12:04:30 xavier postfix-118/postscreen[1006916]: NOQUEUE: reject:
RCPT from [74.203.184.40]:3602: 550 5.7.1 Service unavailable; client
[74.203.184.40] blocked using DNS Blocklist (barracuda);
from=<jbraz...@myclient.com>, to=, proto=ESMTP, helo=<zh-gw.zixsmbhosted.com>

I was also thinking I could add a sender_check for users at myclient.com
domain only, but that didn't work. The above entry relates to a client
reject, but shouldn't a sender_check involving myclient.com work as well?

smtpd_client_restrictions =
permit_mynetworks,
check_client_access ${indexed}client_checks,
check_client_access pcre:$config_directory/client_checks.pcre,
check_reverse_client_hostname_access pcre:$config_directory/reverse_client_hostname_access.pcre,
check_client_access cidr:$config_directory/client_access_blocklist

/etc/postfix-118/client_checks.pcre:
/74\.203\.184\.40/  OK

smtpd_sender_restrictions =
permit_mynetworks,
check_sender_access ${indexed}sender_checks,
check_sender_access pcre:$config_directory/sender_checks.pcre,
reject_unknown_sender_domain

/etc/postfix-118/sender_checks.pcre:
/myclient\.com/ permit

Any ideas greatly appreciated.


[pfx] Re: relay_domains override for smtpd

2024-01-16 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 16, 2024 at 06:12:58PM +0100, Marc Dierksen via Postfix-users wrote:

> I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that accepts
> mails on port 25 for a list of domains defined as relay_domains in the
> main.cf.
>
> I am currently trying to setup a second smtpd process on port 587 that
> accepts mails only for local recipients.
> 
> If I set relay_domains to empty in the main.cf it works as expected.

The classification of input addresses into address classes as part of
transport resolution happens in trivial-rewrite(8).  This is why
changing relay_domains in smtpd(8) is ineffective.

> So it seems to me the '-o relay_domains=' parameter for smtpd does not work
> correctly.

It works correctly, as intended.  It does not seem to make much sense to
restrict submission on port 587 for a subset of addresses that any
unauthenticated external sender can target.  Your "restricted" users
could just send to port 25 instead!

That said, if this is what you actually need, instead of trying to set
an empty list of relay domains, set an empty list of valid relay
recipients, which is checked in smtpd(8):

master.cf:
submission inet ... smtpd
-o { relay_recipient_maps = inline:{@=@} }
...

because just "@" is never going to be a lookup key for a relay recipient
address.  While an empty key is even more strongly never used, and the
form "inline:{=}" is presently accepted, I expect this is not
intentional.  It would have to be documented, otherwise, at some point,
Postfix might reject empty keys in inline table definitions.

-- 
Viktor.


[pfx] Re: relay_domains override for smtpd

2024-01-16 Thread Wietse Venema via Postfix-users
Marc Dierksen via Postfix-users:
> Salutations,
> 
> I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that 
> accepts mails on port 25 for a list of domains defined as relay_domains 
> in the main.cf.
> 
> I am currently trying to setup a second smtpd process on port 587 that 
> accepts mails only for local recipients.
> 
> I have added the following entry to the master.cf:
> 
> 587       inet  n   -   y   -   -   smtpd
>  -o relay_domains=
>  -o content_filter=
>  -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks,no_milters
>  -o smtpd_helo_restrictions=
>  -o smtpd_client_restrictions=
>  -o smtpd_sender_restrictions=
>  -o smtpd_relay_restrictions=
>  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
>  -o mynetworks=127.0.0.0/8
> 
> The idea is that the reject_unauth_destination will reject all mails 
> except for local recipients because relay_domains is empty.
> 
> Problem is mails for all the domains defined as relay_domains in the 
> main.cf are still accepted.
> 
> If I set relay_domains to empty in the main.cf it works as expected.
> 
> So it seems to me the '-o relay_domains=' parameter for smtpd does not 
> work correctly. According to the man page of smtpd however it should be 
> supported.

1) You need to check the output from:

postconf -P 587/inet/relay_domains

2) Verify that you are really sending mail into the port 587 instance.
Use John's suggestion to set a distinct syslog_name.

Wietse




[pfx] Re: relay_domains override for smtpd

2024-01-16 Thread John Fawcett via Postfix-users


On 16/01/2024 18:12, Marc Dierksen via Postfix-users wrote:

Salutations,

I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that 
accepts mails on port 25 for a list of domains defined as 
relay_domains in the main.cf.


I am currently trying to setup a second smtpd process on port 587 that 
accepts mails only for local recipients.


I have added the following entry to the master.cf:

587    inet  n   -   y   -   -   smtpd
    -o relay_domains=
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
    -o mynetworks=127.0.0.0/8

The idea is that the reject_unauth_destination will reject all mails 
except for local recipients because relay_domains is empty.


Problem is mails for all the domains defined as relay_domains in the 
main.cf are still accepted.


If I set relay_domains to empty in the main.cf it works as expected.

So it seems to me the '-o relay_domains=' parameter for smtpd does not 
work correctly. According to the man page of smtpd however it should 
be supported.


Am I overlooking something?


Hi Marc

I'm probably missing something, but what would be the advantage of 
setting up a separate smtpd processes for this?  Out of curiosity how 
are these emails being sent to port 587?


One suggestion is to customize the syslog name of the new smtpd instance 
in master.cf so as to easily distinguish the logging that comes from the 
two processes.


  -o syslog_name=postfix/submission

Could you show the log entries of what you are seeing when email arrives 
on port 587?


Thanks

John





[pfx] relay_domains override for smtpd

2024-01-16 Thread Marc Dierksen via Postfix-users

Salutations,

I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that 
accepts mails on port 25 for a list of domains defined as relay_domains 
in the main.cf.


I am currently trying to setup a second smtpd process on port 587 that 
accepts mails only for local recipients.


I have added the following entry to the master.cf:

587    inet  n   -   y   -   -   smtpd
  -o relay_domains=
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks,no_milters
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o mynetworks=127.0.0.0/8

The idea is that the reject_unauth_destination will reject all mails 
except for local recipients because relay_domains is empty.


Problem is mails for all the domains defined as relay_domains in the 
main.cf are still accepted.


If I set relay_domains to empty in the main.cf it works as expected.

So it seems to me the '-o relay_domains=' parameter for smtpd does not 
work correctly. According to the man page of smtpd however it should be 
supported.


Am I overlooking something?


[pfx] Re: removing Authentication-Results, how?

2024-01-16 Thread Wietse Venema via Postfix-users
Matus UHLAR - fantomas via Postfix-users:
> Hello,
> 
> RFC 8601 section 5 requires deleting Authentication-Results headers from 
> incoming messages.  This should be done at the trusted border, so when receiving 
> messages via SMTP from clients or the world, except MX gateways or possibly 
> backup MX servers.

Indeed, the idea is to delete any Authentication-Results instance
"that claims [...] to have been added within [this MTA's] trust
boundary but that did not come directly from another trusted MTA."
 
> I'm curious if there is a recommended way to achieve this.
> I see that using header_checks or message_drop_headers would do what I want, 
> however:
> 1. message_drop_headers would IIUC remove headers added by milter, which is 
> not what we want
> 2. header_access would do just what I want. Still can't exempt MX gateway.
> 
> Do you remove those headers on your servers?

If it helps, header_checks happen before Milters see the message,
while milter_header_checks happen when a Milter adds a header.

Wietse


[pfx] removing Authentication-Results, how?

2024-01-16 Thread Matus UHLAR - fantomas via Postfix-users

Hello,

RFC 8601 section 5 requires deleting Authentication-Results headers from 
incoming messages.  This should be done at the trusted border, so when receiving 
messages via SMTP from clients or the world, except MX gateways or possibly 
backup MX servers.



I'm curious if there is a recommended way to achieve this.
I see that using header_checks or message_drop_headers would do what I want, 
however:
1. message_drop_headers would IIUC remove headers added by milter, which is not 
what we want

2. header_access would do just what I want. Still can't exempt MX gateway.

Do you remove those headers on your servers?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.


[pfx] Re: postfix repo

2024-01-16 Thread Marvin Renich via Postfix-users
Many thanks, Scott, for keeping the official Debian postfix packages
up-to-date.  It is very much appreciated by me and, I am sure, by many
others.

...Marvin



[pfx] Re: ldap + 550 5.1.1

2024-01-16 Thread Matus UHLAR - fantomas via Postfix-users

On 16.01.24 06:50, jungle.hunt--- via Postfix-users wrote:

  Mail from root.brezen.example.net is rejected.


to be more precise, mail to r...@example.net is rejected:


   (expanded from ): host
      creampuff.example.net[fd00::11] said: 550 5.1.1
      : Recipient address rejected: User unknown in
      virtual mailbox table (in reply to RCPT TO command)




  root's mail should not be masked since it will be sorted by sieve depending
  on the originating host. Is /etc/aliases ignored when ldap is in use?


/etc/aliases only applies to local mail, but example.net is not in your 
$mydestination.


  myhostname = mail.example.net
  mydestination = $myhostname creampuff creampuff.example.net
  brezen.example.net


I assume that brezen.example.net should be on a continued line, otherwise it's 
an error.



  virtual_alias_maps = ldap:/etc/postfix/ldap/virtual-alias-maps.cf
  virtual_mailbox_domains = $mydomain
  virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual-mailbox-maps.cf
  virtual_transport = lmtp:unix:private/dovecot-lmtp


According to the error above, domain example.net is a virtual mailbox 
domain, and r...@example.net is neither in virtual_alias_maps (which is 
always processed) nor in virtual_mailbox_maps (which is processed for 
virtual mailbox domains).



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.