Re: Relay mail from virtual domains and issue when the sender and recipient is on same server

2018-04-14 Thread Christos Chatzaras

Thank you for your reply and tips :-)

> 
> Your content_filter only applies to MX mail on port 25.
> 

Yes, I want to use bogofilter only for incoming mail from other mail servers. 
It's configured with a global sieve rule to move spam e-mails to the Spam folder 
for each mailbox. Dovecot is configured so that when a user moves an e-mail from 
Inbox to Spam or the opposite, bogofilter is trained with the new ham or spam 
keywords. Also, ham/spam messages are forwarded from all the servers to 
antis...@example.com (using a script that forwards the original messages as 
attachments) and using another script I train a global bogofilter database, 
which every few days I copy to all the servers. This way I get good results and 
only a few false positives.

> 
> Perhaps what you want is for the other host to be the MSA (mail 
> submission agent), and do not accept submission here?
> 

I want to accept submission on server1.example.com as it's easier for end users 
to use the same hostname for SMTP, POP3 and IMAP.

> 
> This is your content_filter.  You're using a script, but better 
> practice would probably be to use smtp.  And of course SMTP doesn't 
> have to be local; your filter could be elsewhere.

Do you have a link with instructions for doing it with SMTP instead of a script? 
Maybe I can set up another server for incoming filtering (bogofilter) which is 
used by all the servers, so I avoid copying the bogofilter database to all the 
servers every few days.

> 
> Check out amavisd-new as a better means of content filtering.  This 
> also gives you a means of applying different filtering depending on 
> origin: the spam filtering needed for submission differs from that 
> which makes sense on your MX stream.
> 

Maybe I can use MailScanner (hosted on another server) for incoming messages too. 
It filters spam, viruses, bad attachment extensions and some more things.

> 
> You can do this by changing the server name your users use for their 
> submission server to point to this relayhost instead.  It could 
> possibly be a painless change for the users.
> 

The same hostname is used for other things too, for example FTP. So changing 
the server1.example.com hostname to point at the smtp.example.com IP is not 
possible without causing frustration to users.


> Note: I am supposing you have a large number of users, because this 
> level of complexity does not make sense for a small number.
> 

Yes, there are more than 60,000 mail accounts split across 55 servers. These 
servers do shared hosting (www, ftp, dns, mail, mysql, php).

> 
> I don't consider spamcop safe for outright rejection, at least not 
> without DNSWL whitelisting.  Also, CBL is part of Zen, so this is a 
> wasted lookup.  And postscreen has been around for many years now, 
> you should look at it:
> 

I removed CBL from checks.

To add DNSWL whitelisting I have to add, under smtpd_recipient_restrictions and 
before the RBL checks:

permit_dnswl_client list.dnswl.org

Is this right?

> http://www.postfix.org/POSTSCREEN_README.html
> http://rob0.nodns4.us/postscreen.html

I will check this too. I didn't mention it but I also use postgrey 
(greylisting). If I can get good results with postscreen maybe I can remove 
postgrey.

> You should force all submission through submission/submissions 
> services, or as mentioned above, through a separate MSA.  You don't 
> want to accept submission on port 25.

I know this, but some old clients are configured to submit on port 25. Also 
some sites use port 25 for contact forms and transactional e-mails. Maybe it's 
time to send them a mass e-mail notifying them to change their submission port 
to 587, and after some time remove submission on port 25.


>> smtpd_sasl_type = dovecot
>> smtpd_sender_restrictions = reject_unlisted_sender,
>>   permit_sasl_authenticated,
>>   reject_non_fqdn_sender, check_sender_access
>>   hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain,
>>   permit
>> smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
>> smtpd_tls_ask_ccert = yes
> 
> why?

A few years ago I was using Postfix for SASL authentication. After upgrading 
Postfix to a new version the quota patch was not working (the developer 
abandoned it), so I changed to Dovecot authentication because Dovecot has a 
plugin for mailbox quota. So these settings are not required any more, right?

Re: Relay mail from virtual domains and issue when the sender and recipient is on same server

2018-04-14 Thread /dev/rob0
On Sat, Apr 14, 2018 at 05:17:09AM +0300, Christos Chatzaras wrote:
> What I want to do:
> 
> I want to disable local delivery for e-mails from virtual domains / 
> mailboxes when sender / recipient is on same server. I want these 
> e-mails to pass through a relay.
> 
> --
> 
> My setup :

[ is overly complicated IMO :) ]

> I have postfix and dovecot on server1.example.com and 
> smtp.example.com acts as relay for server1.example.com. MX for 
> example.com points to server1.example.com so incoming e-mails go to 
> this server. Outgoing e-mails for domains not hosted in 
> server1.example.com go through the relay. Now I want the e-mails 
> that sender and recipient is on the same server 
> (server1.example.com) to go through the relay (smtp.example.com). 
> For example, currently I send e-mail from u...@example.com to 
> u...@example.com and it does local delivery (e-mail does not leave 
> server1.example.com). I want the e-mail to pass through relay 
> smtp.example.com
> 
> The problem is that if I remove domain example.com from 
> virtual_mailbox_domains then e-mails goes from server1.example.com 
> to smtp.example.com but when it comes to server1.example.com it 
> says "Relay denied" which I believe is related to postfix don't 
> consider that is the server that actually hosts this domain (final 
> destination).

Yes, explicitly it means that the restriction 
"reject_unauth_destination" was matched in smtpd_relay_restrictions.

> --
> 
> /var/log/mailog :
> 
> Apr 12 19:49:08 server1 postfix/smtpd[24278]: connect from 
> unknown[62.103.227.xxx]
> Apr 12 19:49:08 server1 postfix/smtpd[24278]: Anonymous TLS connection 
> established from unknown[62.103.227.xxx]: TLSv1.2 with cipher 
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Apr 12 19:49:08 server1 dovecot: auth: 
> passwd-file(u...@example.com,62.103.227.xxx): unknown user
> Apr 12 19:49:09 server1 postfix/smtpd[24278]: 24B2A2730A: 
> client=unknown[62.103.227.xxx], sasl_method=PLAIN, 
> sasl_username=u...@example.com
> Apr 12 19:49:09 server1 postfix/cleanup[33817]: 24B2A2730A: 
> message-id=<671ae13c-dbce-449e-922c-011294a59...@example.com>
> Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: 
> from=, size=740, nrcpt=1 (queue active)
> Apr 12 19:49:09 server1 dovecot: lmtp(40507): Connect from local
> Apr 12 19:49:09 server1 dovecot: 
> lmtp(u...@example.com)<40507>: sieve: 
> msgid=<671ae13c-dbce-449e-922c-011294a59...@example.com>: stored mail into 
> mailbox 'INBOX'
> Apr 12 19:49:09 server1 dovecot: lmtp(40507): Disconnect from local: Client 
> has quit the connection (state = READY)
> Apr 12 19:49:09 server1 postfix/lmtp[34621]: 24B2A2730A: 
> to=, relay=server1.example.com[private/dovecot-lmtp], 
> delay=0.24, delays=0.22/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 
>  w+0rEgWOz1o7ngAAPz4RRA Saved)
> Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: removed
> 
> postconf -Mf:
> 
> smtp       inet  n   -   n   -   -   smtpd
>   -o content_filter=filter:
>   -o receive_override_options=no_address_mappings

Your content_filter only applies to MX mail on port 25.

> submission inet  n   -   n   -   -   smtpd
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> smtps      inet  n   -   n   -   -   smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING

Perhaps what you want is for the other host to be the MSA (mail 
submission agent), and do not accept submission here?

> pickup     fifo  n   -   n   60  1   pickup
> cleanup    unix  n   -   n   -   0   cleanup
> qmgr       fifo  n   -   n   300 1   qmgr
> tlsmgr     unix  -   -   n   1000?   1   tlsmgr
> rewrite    unix  -   -   n   -   -   trivial-rewrite
> bounce     unix  -   -   n   -   0   bounce
> defer      unix  -   -   n   -   0   bounce
> trace      unix  -   -   n   -   0   bounce
> verify     unix  -   -   n   -   1   verify
> flush      unix  n   -   n   1000?   0   flush
> proxymap   unix  -   -   n   -   -   proxymap
> proxywrite unix  -   -   n   -   1   proxymap
> smtp       unix  -   -   n   -   -   smtp
> relay      unix  -   -   n   -   -   smtp
>   -o smtp_fallback_relay=
> showq      unix  n   -   n   -   -   showq
> error      unix  -   -   n   -   -   error
> retry      unix  -   -   n   -   -   

Re: Relay mail from virtual domains and issue when the sender and recipient is on same server

2018-04-13 Thread Viktor Dukhovni


> On Apr 14, 2018, at 12:23 AM, Christos Chatzaras  wrote:
> 
> I think the only way to fix this is to have 2 postfix instances, right? One 
> for incoming and one for outgoing.

If you want to round-trip mail through an external SMTP server,
and then bring it back to the same host, then yes, there typically
need to be two queues (Postfix instances), one that sends all mail
out, and another that accepts and delivers.

One can play games with rewriting, so that mail originally rewrites
to a domain that goes off-box, possibly rewrites in the outbound
smtp delivery agent smtp_generic_maps, and then returns into an
smtpd(8)/cleanup(8) pair that does no or different rewriting.
That could make it possible to use a single queue, because the
destination domain would be different for returned mail than
for originally incoming mail.

-- 
Viktor.



Re: Relay mail from virtual domains and issue when the sender and recipient is on same server

2018-04-13 Thread Christos Chatzaras
More info to make it clearer:

The 'relay denied' I wrote about in my previous e-mail is not in the smtp.example.com logs.

E-mail from u...@example.com to u...@example.com :

--
client (1) --> server1.example.com (2) --> smtp.example.com (3) --> 
server1.example.com (4)
--

The 'relay denied' message is on server1.example.com logs at step (4).

I can solve the 'relay denied' by changing main.cf at server1.example.com from:

--
smtpd_relay_restrictions =
  permit_sasl_authenticated,
  defer_unauth_destination
--

to:

--
mynetworks = IP_address_for_smtp.example.com

smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  defer_unauth_destination
--


But then I have an infinite loop:

--
client --> server1.example.com --> smtp.example.com --> server1.example.com --> 
smtp.example.com -->  server1.example.com --> smtp.example.com --> ...
--


I think the only way to fix this is to have 2 postfix instances, right? One for 
incoming and one for outgoing.
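To make the three situations in this thread concrete (the "Relay access denied" at step (4) once example.com leaves virtual_mailbox_domains, the loop once smtp.example.com is added to mynetworks, and Viktor's single-queue idea of rewriting the recipient to an off-box domain on submission, rewriting it back with smtp_generic_maps on the way out, and letting the returning MX path run with no rewriting), here is a small Python model. It is an added example written for this page, not code from the thread or from Postfix: the hostnames come from the thread, the IP addresses are constructed TEST-NET values, the "example.com.loop" domain is a hypothetical off-box name, and hopcount_limit is shrunk from Postfix's default of 100 so the loop case ends quickly.

```python
"""Constructed model of the routing decisions in this thread; not Postfix code.

It walks a message hop by hop through the chain
  client -> server1.example.com -> smtp.example.com -> server1.example.com
for three set-ups: the domain removed from virtual_mailbox_domains ("Relay
access denied" at the last hop), smtp.example.com added to mynetworks (the
infinite loop), and a single-queue rewriting variant (submission rewrites the
recipient to a hypothetical off-box domain, smtp_generic_maps puts it back on
the way out, the returning MX path does no rewriting).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

HOPCOUNT_LIMIT = 8          # Postfix's default hopcount_limit is 100; lowered so the demo loop ends quickly
SERVER1_IP = "192.0.2.10"   # constructed addresses; the thread masks the real ones
RELAY_IP = "192.0.2.20"
CLIENT_IP = "198.51.100.5"
MX = {"example.com": "server1.example.com"}   # where smtp.example.com sends mail for example.com


@dataclass
class Server:
    name: str
    ip: str
    mynetworks: list                 # CIDR strings, as in main.cf mynetworks
    hosted: set                      # virtual_mailbox_domains
    relayhost: Optional[str] = None  # everything not hosted here goes there
    submit_rewrite: dict = field(default_factory=dict)  # recipient rewriting by cleanup(8) on submission only
    generic_maps: dict = field(default_factory=dict)    # smtp_generic_maps, applied by smtp(8) on the way out


def in_mynetworks(server, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in server.mynetworks)


def relay_restrictions(server, client_ip, sasl, rcpt_domain):
    """smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination: tried left to right, the first verdict wins."""
    if in_mynetworks(server, client_ip):
        return "PERMIT", "permit_mynetworks"
    if sasl:
        return "PERMIT", "permit_sasl_authenticated"
    if rcpt_domain not in server.hosted:
        return "DEFER", "defer_unauth_destination (454 4.7.1 Relay access denied)"
    return "PERMIT", "final destination for this domain"


def route(servers, first_hop, client_ip, sasl, rcpt):
    """Return (outcome, trail) for one message following the servers' rules."""
    trail = []
    hop = {"server": first_hop, "client_ip": client_ip, "sasl": sasl, "entry": "submission"}
    for _ in range(HOPCOUNT_LIMIT):
        srv = servers[hop["server"]]
        verdict, why = relay_restrictions(srv, hop["client_ip"], hop["sasl"], rcpt.split("@")[1])
        trail.append(f"{srv.name}: {verdict} ({why})")
        if verdict != "PERMIT":
            return "deferred", trail
        if hop["entry"] == "submission":               # the MX path runs with no_address_mappings
            rcpt = srv.submit_rewrite.get(rcpt, rcpt)
        if rcpt.split("@")[1] in srv.hosted:
            trail.append(f"{srv.name}: local delivery to {rcpt}")
            return "delivered", trail
        rcpt = srv.generic_maps.get(rcpt, rcpt)        # envelope rewritten by smtp(8) on output
        nxt = srv.relayhost or MX[rcpt.split("@")[1]]
        hop = {"server": nxt, "client_ip": srv.ip, "sasl": False, "entry": "smtp"}
    return "loop: hopcount_limit exceeded", trail


def build(hosts_domain, trust_relay, rewrite_games):
    """Assemble the two servers for one scenario."""
    nets = ["127.0.0.0/8"] + ([RELAY_IP + "/32"] if trust_relay else [])
    server1 = Server("server1.example.com", SERVER1_IP, nets,
                     {"example.com"} if hosts_domain else set(), relayhost="smtp.example.com",
                     submit_rewrite={"user@example.com": "user@example.com.loop"} if rewrite_games else {},
                     generic_maps={"user@example.com.loop": "user@example.com"} if rewrite_games else {})
    relay = Server("smtp.example.com", RELAY_IP, ["127.0.0.0/8", SERVER1_IP + "/32"], set())
    return {s.name: s for s in (server1, relay)}


def scenario_relay_denied():   # domain removed from virtual_mailbox_domains
    return route(build(False, False, False), "server1.example.com", CLIENT_IP, True, "user@example.com")


def scenario_loop():           # ...plus smtp.example.com in mynetworks
    return route(build(False, True, False), "server1.example.com", CLIENT_IP, True, "user@example.com")


def scenario_rewrite():        # domain hosted again, rewriting games on a single queue
    return route(build(True, False, True), "server1.example.com", CLIENT_IP, True, "user@example.com")


if __name__ == "__main__":
    for scenario in (scenario_relay_denied, scenario_loop, scenario_rewrite):
        outcome, trail = scenario()
        print(f"{scenario.__name__}: {outcome}\n  " + "\n  ".join(trail))
```

The trail printed for each scenario shows where the decision is made: the first set-up is deferred at the third restriction check (the return hop), the second never reaches a final destination and only stops at the hop limit, and the third delivers locally on the return hop because example.com is hosted again and the returning mail is no longer rewritten. Whether that third variant is worth the complexity over two Postfix instances is the question the thread leaves open.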