Re: virus scanning

2022-03-08 Thread Zsombor B

Hi,

There is no dovecot.
This is a relay server and there are security constraints that must be 
followed.



Zs.

On 2022-03-08 16:07, Jeroen Geilman wrote:

> This is a very bad idea; google "mailscanner postfix" for why.
> Instead, scan your mailboxes after delivery, dovecot has hooks for
> this.
> If the smackafee product doesn't offer a service for this instead of
> messing with another process' files, it is not worth whatever it
> costs.
>
> On 8 Mar 2022 15:57, Zsombor B wrote:
>
> > Hi,
> >
> > Can you please confirm that postfix creates a file from each and
> > every email at least once?
> >
> > I'm asking this because we have to switch to McAfee AV and my plan
> > is to use its on-access-scan feature to scan the emails.
> >
> > If postfix really creates a file at least once of each email then
> > this can be a solution.
> >
> > (The performance penalty will be different topic of course.)
> >
> > Thanks,
> > Zs.


virus scanning

2022-03-08 Thread Zsombor B

Hi,


Can you please confirm that postfix creates a file from each and every 
email at least once?


I'm asking this because we have to switch to McAfee AV and my plan is to 
use its on-access-scan feature to scan the emails.


If postfix really creates a file at least once of each email then this 
can be a solution.


(The performance penalty will be different topic of course.)


Thanks,
Zs.


multi instance and always_bcc

2022-01-10 Thread Zsombor B

Hi,



We'd like to debug some emails sent through a multi instance without 
having any impact on the mail flow so I have added 
always_bcc=de...@whatever.com to the main.cf of that instance and 
reloaded it.


But instead of sending copies of the emails to the debug address, 
postfix relays both the original and the bcc emails to the relayhost of 
the multi instance as well.


This is postfix v3.2.10 on a SLES 12 SP5 server.

Is this the expected behaviour?


Thanks,
Zsombor


Re: automatic config reload

2021-08-26 Thread Zsombor B
Hi Wietse,


Thanks for the explanation, now it's clear.

Zsombor




On 2021.08.25 03:54, Wietse Venema wrote:
> Zsombor B:
> > Hi All,
> > 
> > 
> > We had a mail service outage caused by a storage issue (the volume
> > with the custom config files went down) and postfix kept looking
> > for config files which were unavailable. We also see in the logs
> > that postfix keeps checking for modified config files and if it
> > finds an updated config then automatically reloads itself.
> > 
> > Is it possible to disable this automatic config file check and the
> > automatic reload?
> 
> You ask the wrong question.
> 
> Postfix does not keep checking the file system for modified files
> to reload. If you see "reload" logging from the master daemon, then
> perhaps you are running some tool to do that for you.
> 
> Most Postfix daemons will terminate after 100 connections or 100
> seconds of inactivity.
> 
> When a new process is started, that process reads Postfix config
> files as it starts up.
> 
> You can't tell a Postfix process to read configuration files as it
> starts up. You can configure Postfix to run its daemons forever,
> but that is not recommended.
> 
>   Wietse


automatic config reload

2021-08-25 Thread Zsombor B
Hi All,


We had a mail service outage caused by a storage issue (the volume with the 
custom config files went down) and postfix kept looking for config files which 
were unavailable. We also see in the logs that postfix keeps checking for 
modified config files and if it finds an updated config then automatically 
reloads itself.

Is it possible to disable this automatic config file check and the automatic 
reload?


Thanks,
Zsombor


time spent in queue

2021-06-17 Thread Zsombor B

Hi,



An email has spent ~6 hours in the queue:

2021-06-09T12:15:46+00:00 from=, size=1761, nrcpt=1 (queue active)

2021-06-09T18:25:43+00:00 postfix/smtp[26900]: 4G0R023WFLzNnVL:  
to=, relay=[]:587, delay=22197,  
delays=0/22197/0.07/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued  
as 4G0bBv3dFHzyQk)



There is nothing between the two events.

Is there a way to find out why the mail spent so much time in the queue?


Thank you,
Zsombor








empty sender in bounce message

2021-06-01 Thread Zsombor B

Hi,


I'm sending an email with a valid address to an invalid one (i.e. the  
destination domain doesn't exist). The bounce message is rejected by  
the valid sender's mail server because the sender address is empty.


The question is why the sender is empty and how can this be solved?


Example:
Sender: address@valid.domain
Recipient: address@invalid.domain

Log:
postfix/bounce[18367]: 4FvShX4dlszNkGd: sender non-delivery  
notification: 4FvShn5kHhzNkbj


Log for 4FvShn5kHhzNkbj:
[...] 4FvShn5kHhzNkbj: to=, relay=VALID.DEOMAIN,  
delay=88, delays=0/88/0.08/0.01, dsn=4.7.1, status=deferred (host  
VALID.DEOMAIN said:
453 4.7.1 <>: Sender address rejected: You are not authorized to send  
as <> (in reply to RCPT TO command))


Top rows of the queue file:
*** ENVELOPE RECORDS /var/spool/postfix/deferred/C/4FvShn5kHhzNkbj ***
message_size:2450 287   1   
 02450   0

message_arrival_time: Tue Jun  1 10:15:21 2021
create_time: Tue Jun  1 10:15:21 2021
named_attribute: log_message_origin=local
named_attribute: trace_flags=0
sender:
named_attribute: dsn_orig_rcpt=rfc822;address@valid.domain
original_recipient: address@valid.domain
recipient: address@valid.domain
*** MESSAGE CONTENTS /var/spool/postfix/deferred/C/4FvShn5kHhzNkbj ***
Received: by mymailserver (Postfix)
id 4FvShn5kHhzNkbj; Tue,  1 Jun 2021 10:15:21 + (UTC)
Date: Tue,  1 Jun 2021 10:15:21 + (UTC)
From: MAILER-DAEMON@mymailserver (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: address@valid.domain
Auto-Submitted: auto-replied




Thank you in advance,
Zsombor


replying with OK

2021-02-24 Thread Zsombor B

Hi,


Is there a way to reply with 'OK' to the sender instead of 'relay  
access denied'?


Reason: thousands of junk emails per day are sent from DEV environment  
to forged recipients but only a couple of recipient domains  
are allowed. The others get 'relay access denied' but the developers  
are complaining that their automated tests are falsely failing because  
of the relay access denied response. (I got a promise that the tests  
will be fixed but that will take months and automated test reports  
will be red until then.)


Thank you,
Zsombor






email loops back from localhost

2021-02-11 Thread Zsombor B

Hi,


Can you help me please why does this fall into a loop?
postfix > localhost:1 > localhost:1 > localhost:1 > etc.  
until too many hops.


--- main.cf:
transport_maps = hash:/etc/postfix/transport

--- /etc/postfix/transport:
recipi...@domain.com smtp:[127.0.0.1]:1


--- master.cf
127.0.0.1:1 inet n - y - - smtpd
   -o transport_maps=hash:/etc/postfix/custom_transport
   -o smtp_sasl_password_maps=hash:/etc/postfix/custom_auth

--- /etc/postfix/custom_transport
recipi...@domain.com smtp:[some.external.server]:25



Thank you
Zsombor




Re: providing queue id for the clients

2021-02-09 Thread Zsombor B

Hi,



> Please provide evidence.


This is the point. :)

External client sent us a mail we accepted with queue id "A".
I have asked them to look for this "A" in their logs.
I was told they can't find it in their logs.


Zsombor



Quote (Wietse Venema):


Zsombor B:

It turned out during an investigation that our postfix servers don't
provide a queue id for the external clients when accepting a new email.


Please provide evidence.

Postfix SMTP client logging:
...  status=sent (250 2.0.0 Ok: queued as AA92365E6F)

Wietse





providing queue id for the clients

2021-02-08 Thread Zsombor B

Hi,



It turned out during an investigation that our postfix servers don't  
provide a queue id for the external clients when accepting a new email.


However the very same servers do provide queue id for internal mail servers.

Is there a specific configuration option to provide the queue id under  
any circumstances?


Thank you,
Zsombor



stop retransmitting failed delivery

2021-01-29 Thread Zsombor B

Hi,


Microsoft has this policy at https://postmaster.live.com/pm/policies.aspx

"After given a numeric SMTP error response code between 500 and 599  
(also known as a permanent non-delivery response), the sender must not  
attempt to retransmit that message to that recipient."


How can this be done with postfix?


Thank you,
Zsombor


Re: limiting connections to a single host

2020-11-06 Thread Zsombor B

Thanks All,

I'll take a look.

Zsombor


Quote ("Fazzina, Angelo"):


Maybe this section of the docs is what you are trying to accomplish ?
http://www.postfix.org/TUNING_README.html#rope



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  
 On Behalf Of Zsombor B

Sent: Thursday, November 5, 2020 8:12 AM
To: postfix-users@postfix.org
Subject: limiting connections to a single host

*Message sent from a system outside of UConn.*


Hi,

I have to relay mails to a mail gateway that often rejects connections
because we are too pushy.
The admin of that service suggested us to open X connections and send
Y messages per connection.

How can I set this up either for one specific destination or to all?

Thanks in advance,
Zsombor





limiting connections to a single host

2020-11-05 Thread Zsombor B

Hi,

I have to relay mails to a mail gateway that often rejects connections  
because we are too pushy.
The admin of that service suggested us to open X connections and send  
Y messages per connection.


How can I set this up either for one specific destination or to all?

Thanks in advance,
Zsombor



Re: multiple relay servers

2020-10-21 Thread Zsombor B

Hi Wietse,



> Postfix 3.5 supports multiple relayhosts:


Currently we are on 3.2


> If these folks want to receive mail in six places, why can't they
> set up DNS records like everyone else does?


I'm already over this discussion, that's why I have asked the question. :(
Big company, rigid people, dumb rules.


Thanks,
Zsombor



Quote (Wietse Venema):


Zsombor B:


Hi All,


Customer asked us to relay their mails to a specific smtp server.

Actually they provided 6 possible destination servers.


When I add them to sender_dependent_relayhost_maps postmap complains
that there are duplicate entries:

@foo.bar [mail1.whatever]:123
@foo.bar [mail2.whatever]:123
@foo.bar [mail3.whatever]:123


There can be only one table entry with the name @foo.bar. The
postmap command ignores the rest with a warning.


How can I solve this?


Postfix 3.5 supports multiple relayhosts:

transport_maps example:
example.com relay:[mail1.example]:123, [mail2.example]:123, ...

sender_dependent_relayhost_maps example:
@foo.bar [mail1.example]:123, [mail2.example]:123, ..

This is a fixed order (as if you had multiple records in /etc/hosts).

If these folks want to receive mail in six places, why can't they
set up DNS records like everyone else does?

Wietse
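
Added example, not part of the thread or of Postfix: a Python check that finds keys defined more than once in a table source (the case postmap warns about above) and rewrites them in the comma-separated multi-relayhost form described for Postfix 3.5. The function names and the sample table are assumptions made for illustration; the `@FOO.bar` and `@other.example` rows are constructed.

```python
# Constructed sample: the thread's entries plus a case variant and a second key.
SAMPLE_TABLE = """\
# sender_dependent_relayhost_maps source
@foo.bar [mail1.whatever]:123
@foo.bar [mail2.whatever]:123
@FOO.bar [mail3.whatever]:123
@other.example [relay.other.example]:587
"""


def logical_lines(table_text):
    """Yield (first_line_number, text) for each logical line of a table source.

    Blank lines and lines whose first non-blank character is '#' are skipped;
    a line that starts with whitespace continues the previous logical line.
    """
    current = None
    for number, raw in enumerate(table_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current[1] += " " + stripped
        else:
            if current is not None:
                yield tuple(current)
            current = [number, stripped]
    if current is not None:
        yield tuple(current)


def merge_relayhost_entries(table_text):
    """Return (merged_lines, duplicates).

    merged_lines: one 'key host1, host2, ...' line per key, in first-seen order.
    duplicates:   {key: [line numbers]} for every key defined more than once.
    """
    hosts_by_key = {}
    lines_by_key = {}
    for number, text in logical_lines(table_text):
        parts = text.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {number}: expected 'key value'")
        key = parts[0].lower()  # postmap folds keys to lower case by default
        hosts = hosts_by_key.setdefault(key, [])
        lines_by_key.setdefault(key, []).append(number)
        for host in (h.strip() for h in parts[1].split(",")):
            if host and host not in hosts:
                hosts.append(host)
    merged = [f"{key} {', '.join(hosts)}" for key, hosts in hosts_by_key.items()]
    duplicates = {k: n for k, n in lines_by_key.items() if len(n) > 1}
    return merged, duplicates


if __name__ == "__main__":
    merged, duplicates = merge_relayhost_entries(SAMPLE_TABLE)
    for key, numbers in duplicates.items():
        print(f"duplicate key {key} on lines {numbers}")
    print("\n".join(merged))
```

The merged order is the order in which the hosts first appear, which matters because the list is tried in a fixed order.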







Re: multiple relay servers

2020-10-21 Thread Zsombor B


I can't force the customer to change their DNS.

Any postfix solution?

BTW it looks like postfix delivers mails to all the relay servers so  
the postmap warning is a bit misleading as if it won't work.


But this brings up another question: if any of the relay servers can't  
accept mail will postfix try any other relay server in the list at the  
next attempt?



Zsombor


How can I solve this?


Create mail.whatever with A or CNAME records that point to each server.

Then you use:

@foo.bar [mail.whatever]:123







multiple relay servers

2020-10-21 Thread Zsombor B


Hi All,


Customer asked us to relay their mails to a specific smtp server.

Actually they provided 6 possible destination servers.


When I add them to sender_dependent_relayhost_maps postmap complains  
that there are duplicate entries:


@foo.bar [mail1.whatever]:123
@foo.bar [mail2.whatever]:123
@foo.bar [mail3.whatever]:123
etc.


How can I solve this?


Thanks,
Zsombor




possible bottlenecks

2020-10-13 Thread Zsombor B

Hi,


I know this is a complicated question but what/where do you see  
possible bottlenecks in postfix?

Is it CPU? RAM? Disk IO?

I'm building an infra to send out ~3-5 million emails a day.
There are no known peak periods of the day but that's also sure that  
the load will be uneven (no emails for a while then suddenly 10-100K  
mails in a very short period of time).


The plan is to start with 4 VMs and about ~10% of the planned daily  
mail amount but it will reach the planned maximum very soon.


Do you have any experience based recommendations on CPU, RAM or other  
tuning parameters?


Thanks,
Zsombor



Re: repeated connect and disconnect

2020-10-08 Thread Zsombor B



Just set up fail2ban, it will take care of this.



Quote (li...@lazygranch.com):


Is there something I should be doing to mitigate this problem?

Oct  8 02:11:42 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:44 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:45 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:45 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:45 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:46 myserver postfix/smtpd[11630]: lost connection after  
CONNECT from unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] commands=0/0
Oct  8 02:11:46 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:47 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:47 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:47 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11630]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:48 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:50 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:53 myserver postfix/smtpd[11630]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:53 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:54 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:54 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:54 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:54 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11630]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:55 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11632]: warning: Connection  
rate limit exceeded: 11 from unknown[180.123.163.212] for service smtp
Oct  8 02:11:55 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] commands=0/0
Oct  8 02:11:55 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11630]: warning: Connection  
rate limit exceeded: 12 from unknown[180.123.163.212] for service smtp
Oct  8 02:11:55 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] commands=0/0
Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max  
connection rate 12/60s for (smtp:180.123.163.212) at Oct  8 02:11:55
Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max  
connection count 2 for (smtp:180.123.163.212) at Oct  8 02:11:43
Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max cache  
size 1 at Oct  8 02:11:42


-
postconf mail_version
mail_version = 3.5.7



smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 3
smtpd_client_recipient_rate_limit = 40
smtpd_client_restrictions = permit_sasl_authenticated,  
permit_mynetworks, reject_unauth_destination,  
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,  
reject_unknown_reverse_client_hostname, check_client_access  
hash:/etc/postfix/spamsources

smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_limit = 20
smtpd_recipient_restrictions = permit_sasl_authenticated,  
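
Added example, not part of the thread and not fail2ban's own code: a Python sketch of the kind of matching a log-watching tool performs on the smtpd lines quoted above, counting sessions per client that are dropped before any mail transaction (or that hit the connection rate limit) inside a sliding time window. The threshold, window, function name and sample log lines are assumptions; the sample is constructed and uses documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# smtpd syslog line: timestamp, host, postfix[-instance]/smtpd[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\s"
    r"postfix[^/\s]*/smtpd\[\d+\]:\s(?P<msg>.*)$"
)
LOST_RE = re.compile(
    r"^lost connection after (?P<stage>\S+) from \S*\[(?P<ip>[^\]]+)\]"
)
RATE_RE = re.compile(
    r"^warning: Connection rate limit exceeded: \d+ from \S*\[(?P<ip>[^\]]+)\]"
)
# Sessions that were dropped before any mail transaction started.
EARLY_STAGES = {"CONNECT", "EHLO", "HELO"}

# Constructed sample, modelled on the log format quoted in the message.
SAMPLE_LOG = """\
Oct  8 02:11:42 myserver postfix/smtpd[11630]: connect from unknown[192.0.2.10]
Oct  8 02:11:43 myserver postfix/smtpd[11630]: lost connection after EHLO from unknown[192.0.2.10]
Oct  8 02:11:43 myserver postfix/smtpd[11630]: disconnect from unknown[192.0.2.10] ehlo=1 commands=1
Oct  8 02:11:45 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[192.0.2.10]
Oct  8 02:11:46 myserver postfix/smtpd[11630]: lost connection after CONNECT from unknown[192.0.2.10]
Oct  8 02:11:47 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[192.0.2.10]
Oct  8 02:11:50 myserver postfix/smtpd[11631]: lost connection after EHLO from mail.example.org[198.51.100.7]
Oct  8 02:11:55 myserver postfix/smtpd[11632]: warning: Connection rate limit exceeded: 11 from unknown[192.0.2.10] for service smtp
Oct  8 02:14:30 myserver postfix/smtpd[11631]: lost connection after DATA from mail.example.org[198.51.100.7]
"""


def find_probing_clients(log_text, threshold=5, window_seconds=60, year=2020):
    """Return {ip: datetime} for clients that reach `threshold` early-dropped
    sessions or rate-limit warnings within `window_seconds`.

    The datetime is the moment the threshold was first reached. Syslog
    timestamps carry no year, so the caller supplies one; lines are assumed
    to be in chronological order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        hit = LOST_RE.match(msg)
        if hit and hit["stage"] not in EARLY_STAGES:
            continue  # dropped mid-transaction: not the pattern of interest
        hit = hit or RATE_RE.match(msg)
        if not hit:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = recent[hit["ip"]]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold and hit["ip"] not in flagged:
            flagged[hit["ip"]] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_probing_clients(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```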

Re: strangely incoming mails

2020-09-14 Thread Zsombor B

Hi,



Thanks everyone for the replies. Sorry I can only answer this way now.

This is postconf -n: https://pastebin.com/SmZG9SxG
This is master.cf: https://pastebin.com/S6h83rxi


1)
Bastian Blank:

I started to check the steps on  
http://www.postfix.org/DEBUG_README.html but it will take some time.



2)
Fred Morris:

Is the address in the Received: header your address or the spammer's  
or someone else's?


This is an actual "Received" header of such a spam mail:

Received: from SOME.EXTERNAL.DOMAIN (SOME.EXTERNAL.DOMAIN [A.B.C.D])
by MY.MAIL.SERVER (Postfix) with ESMTP id 4AC1F8DF7D
for ; Mon, 14 Sep 2020 16:16:01 +0200 (CEST)

* Someone sends mail (using smtp auth) which is from their local  
account and delivered locally?


I have sent a mail from my local account to myself with thunderbird:  
https://pastebin.com/ZCfX5GXg


Also these are the headers of a "good" incoming mail (with lots of  
headers added by rspamd): https://pastebin.com/qQvmKp1K



* Someone relays mail (using smtp auth) which is delivered locally?


I don't get this, sorry.


3)
Viktor Dukhovni:


But it was not at the top of the message headers!  Unless the message
headers got reordered along the way, this header was NOT prepended by
Postfix.


Hmm... I'm sure I didn't reorder the headers.
Are you saying that someone has caught the content of this extra  
header in an outbound mail and put it back when they send emails to me  
mimicking that it was sent from my server? BTW I don't use the content  
of this header anymore, it's just kind of a legacy stuff so it will be  
removed.



Thanks again,
Zsombor




strangely incoming mails

2020-09-13 Thread Zsombor B

Hello,


I'm confused and need your help.

I run a small server with rspamd as spam filter (smtpd_milters =  
inet:localhost:11332).
There are only a limited number of users, they only can send emails  
with smtp auth.


Until recently everything was fine but in the last couple of days huge  
amount of undetected spam arrived to all mailboxes.


The thing is that all these emails are avoiding rspamd completely (but  
other incoming mails are filtered as is supposed to happen).


I started some investigation and found this:
- for years now, because of reasons I put an extra header to all  
outgoing emails (with header_checks and PREPEND)
- I have tested again and "normal" incoming emails (spam & ham) don't  
contain this extra header just outgoing mails so this works fine
- however the mentioned spam seemingly comes from the internet (there  
is an "external" IP and hostname in the "Received: from" header) this  
extra outgoing header ("X-Original-Outgoing-Mail") can be seen in the  
mail headers as it was sent out from my server


The whole mail header can be found here: https://pastebin.com/UVK3d2V8  
(there's nothing special in it, except there is no rspamd invoked).


My first thought was that some of the "internal" senders (family &  
friends) got infected and they are sending these mails somehow but I  
also have rspamd in "non_smtpd_milters" and it's also not triggered)  
and there is an "external" IP and hostname in the incoming mails.


Any idea what's going on (especially for the extra outgoing header  
that appears in the incoming spam)?



Any advice is appreciated,
Zsombor




Re: more recipients on the same relay server with smtp auth

2020-08-25 Thread Zsombor B

Wietse,
Viktor,


Thanks for your kind answer.
It seems a bit difficult but I'll try to understand and apply it.

This request (redirect emails of certain domains to 3rd party mail  
providers with auth) can't be denied because we are moving from  
commercial mail security appliance to postfix and this feature is  
already provided to customers. (TBH I don't know how the current  
appliance is processing such things under the hood.)


Thanks again,
Zsombor



Quote (Viktor Dukhovni):


On Mon, Aug 24, 2020 at 09:35:51AM -0400, Wietse Venema wrote:


> Some of our customers wanted us to forward all emails sent to some
> recipient domains to 3rd party relay servers instead of the mail
> server defined in the recipient domain's MX records.
>
> Also they provided smtp username and password for these relay servers.
>
> I.e.
> - *@foo1.bar is sent to mailprovider-X.com with foo1user + foo1pass
> - *@foo2.bar is sent to mailprovider-Y.com with foo2user + foo2pass
> - etc.

If these email messages are sent by your customers, you need:

- In master.cf, one dedicated Postfix SMTP client per customer,
with its own "-o smtp_sasl_password_maps=maptype:mapname" setting
with that customer's login information for the remote servers.

smtp-custxxx   unix  -  -  -  -  -  smtp
   -o smtp_sasl_password_maps=hash:/etc/postfix/sasl-custxxx

- In main.cf, "sender_dependent_default_transport_maps =
maptype:mapname", and use that table to select the dedicated Postfix
SMTP client for each customer.


And also SASL auth, with reject_known_sender_login_mismatch or similar,
so that nobody else can impersonate these customers.


This ensures that the right customer's login is used with the
right remote SMTP server, and only for email sent by that customer.


Given authentication of the customer's credentials *and* envelope sender
address.

This can be a difficult combination of things to get right.
Caution is highly recommended, and perhaps best to not offer
the feature at all.  The risk/reward ratio may not be high
enough.

--
Viktor.





more recipients on the same relay server with smtp auth

2020-08-23 Thread Zsombor B

Hi All,


I need your thoughts.

Some of our customers wanted us to forward all emails sent to some  
recipient domains to 3rd party relay servers instead of the mail  
server defined in the recipient domain's MX records.


Also they provided smtp username and password for these relay servers.

I.e.
- *@foo1.bar is sent to mailprovider-X.com with foo1user + foo1pass
- *@foo2.bar is sent to mailprovider-Y.com with foo2user + foo2pass
- etc.

All is fine but I'm wondering what will happen if two or more  
customers will provide the same 3rd party relay server (i.e. outlook,  
gmail, etc.).


I.e.
- *@foo3.bar has to be sent to bigrelay.com with foo3user + foo3pass
- *@foo4.bar has to be sent to bigrelay.com with foo4user + foo4pass


How will postfix know which user/pass belongs to which recipient  
domain because the relay server will be the same.


Currently we are using "transport_maps" and "smtp_sasl_password_maps"  
parameters.


All advice is welcome,
Zsombor