
postfix-users

#269550 From: Frank Bonnet <f.bonnet@...>
Date: Fri Oct 1, 2010 1:43 pm
Subject: Greylisting or not ?
 
Hello

I actually use postgrey as greylisting utility

I have no experience with other greylisting softwares
but Postfix "gurus" advice would be greatly appreciated
to compare and eventually change for another software.

Thanks a lot

#269551 From: lst_hoe02@...
Date: Fri Oct 1, 2010 2:12 pm
Subject: Re: Greylisting or not ?
 
Quoting Frank Bonnet <f.bonnet@...>:

> Hello
>
> I actually use postgrey as greylisting utility
>
> I have no experience with other greylisting softwares
> but Postfix "gurus" advice would be greatly appreciated
> to compare and eventually change for another software.

We also use Postgrey

Works stable and as expected and saved us from blocking dynamic IPs per RBLs.

What is always recommended:
- Use auto-whitelist=1 and a very long purge delay for the client list
- Use more than some seconds as greylist delay

Regards

Andreas

#269552 From: Kris Deugau <kdeugau@...>
Date: Fri Oct 1, 2010 3:15 pm
Subject: Re: Postscreen update
 
Stan Hoeppner wrote:
> I was going by information I received from another list.  I don't use
> the data feed service.  Does this include the CBL data set within Zen?

Yes;  CBL is a subset of XBL.  It's not provided separately, at least
not by Spamhaus.  XBL alone is at least ~50x the size (on-disk) of the
other Zen subcomponents (PBL being the next largest).

> I would make an educated guess that the size of the CBL data set would
> be over 100MB alone.  25 million 32bit IP addresses (4 bytes) would be
> 100MB, if my math is correct.  25 million bot infected hosts around the
> world seems like a very conservative estimate.

Since Spamhaus ZEN is intended to be used as a no-FP blocklist, it's
probably a lot less aggressive about listing these than some other lists
might be.

> Yeah, running the Spamhaus zones on local rbldnsd instances on each MX
> would require some distribution magic, as you state.  Never done this
> myself.  I'd be more inclined to go the route you've taken, if I were
> ever in a position to manage such a thing.

The "magic" amounts to a couple of crontab entries:

*/5 * * * * root rsync /path/to/spamhaus-in resolver1::rbldns
*/5 * * * * root rsync /path/to/spamhaus-in resolver2::rbldns

(I set up a script to only copy the actual zone data files - the inbound
Spamhaus sync sometimes leaves extra files lying around, I have to build
the local blacklist zone data from the database, and it's always nice to
trap errors of various kinds.  But it's trivial enough any ISP sysadmin
should be able to hack out a similar wrapper in an hour or two.)

-kgd

#269553 From: Noel Jones <njones@...>
Date: Fri Oct 1, 2010 3:06 pm
Subject: Re: Greylisting or not ?
 
On 10/1/2010 8:43 AM, Frank Bonnet wrote:
> Hello
>
> I actually use postgrey as greylisting utility
>
> I have no experience with other greylisting softwares
> but Postfix "gurus" advice would be greatly appreciated
> to compare and eventually change for another software.
>
> Thanks a lot


What you use depends greatly on what your needs and
expectations are.

I don't know of any "bad" greylisting software, but some of
the choices may be inappropriate for particular sites (eg. too
simple for a large multi-MX site, too complex for a home/hobby
site with an inexperienced admin).

What are you looking for? Some feature that postgrey doesn't
seem to support?

If you don't have any problem with postgrey, no need to
change.  If you just want to experiment, pick something and
try it out.


    -- Noel Jones

#269554 From: Rich Bishop <rjb38@...>
Date: Fri Oct 1, 2010 4:29 pm
Subject: Mail being deferred with unknown mail transport error
 
I have a RHEL5 machine running Redhat's build of postfix 2.3.3 and am having
problems with messages being sporadically deferred with 'unknown mail transport
error'.

The machine is a gateway for listserv, so it does receive lots of mail at
times. It appears that the problem is related to the amount of mail being queued
- if I do a postqueue -f, most of the problem messages are again deferred with
the same error. If I slowly put them back onto the queue with postsuper -r <qid>
; sleep 1 then most messages flow through without any problems.

I've done some debugging - postfix appears to be successfully looking up the
user in LDAP and getting a mailhost, but fails before it opens an smtp
connection to the mailhost.

Here's some verbose output from qmgr:

Sep 30 20:22:18 jay postfix/qmgr[10510]: send attr address = <user1>@DREXEL.EDU
Sep 30 20:22:18 jay postfix/qmgr[10510]: private/rewrite socket: wanted attribute: flags
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute name: flags
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute value: 0
Sep 30 20:22:18 jay postfix/qmgr[10510]: private/rewrite socket: wanted attribute: transport
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute name: transport
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute value: smtp
Sep 30 20:22:18 jay postfix/qmgr[10510]: private/rewrite socket: wanted attribute: nexthop
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute name: nexthop
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute value: [<mailhost>.irt.drexel.edu]
Sep 30 20:22:18 jay postfix/qmgr[10510]: private/rewrite socket: wanted attribute: recipient
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute name: recipient
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute value: <user1>@DREXEL.EDU
Sep 30 20:22:18 jay postfix/qmgr[10510]: private/rewrite socket: wanted attribute: flags
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute name: flags
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute value: 4096
Sep 30 20:22:18 jay postfix/qmgr[10510]: private/rewrite socket: wanted attribute: (list terminator)
Sep 30 20:22:18 jay postfix/qmgr[10510]: input attribute name: (end)
Sep 30 20:22:18 jay postfix/qmgr[10510]: resolve_clnt: `owner-drexel-official-students-all-l@...' -> `<user1>@DREXEL.EDU' -> transp=`smtp' host=`[<mailhost>.irt.drexel.edu]' rcpt=`<user1>@DREXEL.EDU' flags= class=default
Sep 30 20:22:18 jay postfix/qmgr[10510]: start sorted recipient list
Sep 30 20:22:18 jay postfix/qmgr[10510]: qmgr_message_sort: <user1>@DREXEL.EDU
Sep 30 20:22:18 jay postfix/qmgr[10510]: qmgr_message_sort: <user2>@DREXEL.EDU
Sep 30 20:22:18 jay postfix/qmgr[10510]: end sorted recipient list
Sep 30 20:22:18 jay postfix/qmgr[10510]: private/smtp socket: wanted attribute: status
Sep 30 20:22:18 jay postfix/qmgr[10510]: warning: premature end-of-input on private/smtp socket while reading input attribute name
Sep 30 20:22:18 jay postfix/qmgr[10510]: warning: private/smtp socket: malformed response
Sep 30 20:22:18 jay postfix/qmgr[10510]: qmgr_transport_throttle: transport smtp: status: 4.3.0 reason: unknown mail transport error
Sep 30 20:22:18 jay postfix/qmgr[10510]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description


The output from postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 3d
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
fast_flush_domains = drexel.edu, cabrini.edu, medaille.edu
html_directory = no
in_flow_delay = 0
inet_interfaces = all
local_recipient_maps = $alias_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 3d
mydestination = localhost
myhostname = lists.drexel.edu
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = $mynetworks, $mydestination, lists.irttest.drexel.edu, lists.drexel.edu
relay_recipient_maps = hash:/etc/postfix/aliases, ldap:ldappresence-lists, ldap:ldappresence-drexeltestlists
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = cidr:/etc/postfix/client_access
transport_maps = hash:/etc/postfix/transport, ldap:ldaproute-drexel, ldap:ldaproute-cabrini, ldap:ldaproute-drexel.com
unknown_local_recipient_reject_code = 550


Please let me know if there's any more output that would be useful in debugging
this.

Thanks,

Rich

#269555 From: "Stefan" <stefan@...>
Date: Fri Oct 1, 2010 4:29 pm
Subject: RE: verify db with mysql
 
Hi list,

I'm in the process of adding write support to postfix's mysql client (you will
find a patch against postfix-2.7.1 in the appendix). But I have two problems:
1) the dict_cache_clean_event writes _LAST_CACHE_CLEANUP_COMPLETED_ to the
database. Is this the intended behaviour?

2) If I'm guessing right then the dict_cache_clean_event will iterate with
help of dict->sequence through the database and will look for keys to expire.
But I don't know how to implement this iteration/traverse process with mysql.
My first thought was to use "SELECT * FROM verify" and mysql_use_result() but
I'm wondering if there is a better solution.
Has anyone an idea of how to do this?

Thanks for your help and best regards
Stefan

> > by Stefan Jakobs on 2010-06-13T19:43:00+00:00
> > Hello list,
> > I refer to my question of august 2008
> > (http://archives.neohapsis.com/archives/postfix/2008-08/0747.html, and see
> > below).
> > What are the necessary steps to add update support to the mysql client
> > (Postfix 2.5.6 or newer)?
> > Has someone already done this and is willing to share the code?
> > Thanks for your help and kind regards
> > Stefan
> Wietse wrote on August 22nd 2008:
> Stefan Jakobs:
> I think this involves writing, testing, and documenting code. The
> design stage can pretty much be skipped for this fill-in-the-blanks
> exercise.
> Wietse

#269556 From: Wietse Venema <wietse@...>
Date: Fri Oct 1, 2010 4:50 pm
Subject: Re: Mail being deferred with unknown mail transport error
 
Rich Bishop:
> Sep 30 20:22:18 jay postfix/qmgr[10510]: qmgr_transport_throttle: transport smtp: status: 4.3.0 reason: unknown mail transport error
> Sep 30 20:22:18 jay postfix/qmgr[10510]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description

As the logfile says, search the logfile for warning/fatal/panic
records.

See http://www.postfix.org/DEBUG_README.html#logging
for instructions.

	 Wietse

#269557 From: Wietse Venema <wietse@...>
Date: Fri Oct 1, 2010 4:58 pm
Subject: Re: verify db with mysql
 
Stefan:
> Hi list,
>
> I'm in the process of adding write support to postfix's mysql client (you will
> find a patch against postfix-2.7.1 in the appendix). But I have two problems:
> 1) the dict_cache_clean_event writes _LAST_CACHE_CLEANUP_COMPLETED_ to the
> database. Is this the intended behaviour?

This record is needed by the cache cleanup pseudo-thread. This code
assumes that the verify(8) daemon is responsible for cleaning up
the verify(8) cache.

> 2) If I'm guessing right then the dict_cache_clean_event will iterate with
> help of dict->sequence through the database and will look for keys to expire.
> But I don't know how to implement this iteration/traverse process with mysql.
> My first thought was to use "SELECT * FROM verify" and mysql_use_result() but
> I'm wondering if there is a better solution.
> Has anyone an idea of how to do this?

Does the database support a first/next operation?

	 Wietse

> Thanks for your help and best regards
> Stefan
>
> > > by Stefan Jakobs on 2010-06-13T19:43:00+00:00
> > > Hello list,
> > > I refer to my question of august 2008
> > > (http://archives.neohapsis.com/archives/postfix/2008-08/0747.html, and see
> > > below).
> > > What are the necessary steps to add update support to the mysql client
> > > (Postfix 2.5.6 or newer)?
> > > Has someone already done this and is willing to share the code?
> > > Thanks for your help and kind regards
> > > Stefan
> > Wietse wrote on August 22nd 2008:
> > Stefan Jakobs:
> > I think this involves writing, testing, and documenting code. The
> > design stage can pretty much be skipped for this fill-in-the-blanks
> > exercise.
> > Wietse

[ Attachment, skipping... ]

#269558 From: "Len Conrad" <lconrad@...>
Date: Fri Oct 1, 2010 5:27 pm
Subject: Re: Greylisting or not ?
 
>I actually use postgrey as greylisting utility
>
>I have no experience with other greylisting softwares
>but Postfix "gurus" advice would be greatly appreciated
>to compare and eventually change for another software.

postgrey and its fork sqlgrey are pretty much optimum.  I think changing to
something else won't buy you much if any improvement.

I have one high volume site, 200K+ msgs/day accepted per MX, with SQLgrey on 3
MXs where the:

(new but retried) / (total new)

is less than 2%.

Len

#269559 From: Rich Bishop <rjb38@...>
Date: Fri Oct 1, 2010 7:31 pm
Subject: Re: Mail being deferred with unknown mail transport error
 
Thanks for responding. It appears that we had a duplicate mail alias, which
caused the ldap map to return two mailhosts and made our smtp processes
die. Fixed that and the problem seems to have gone away.

Rich

#269560 From: Wietse Venema <wietse@...>
Date: Sat Oct 2, 2010 5:15 am
Subject: Re: verify db with mysql
 
Wietse Venema:
> Stefan:
> > Hi list,
> >
> > I'm in the process of adding write support to postfix's mysql client (you will
> > find a patch against postfix-2.7.1 in the appendix). But I have two problems:
> > 1) the dict_cache_clean_event writes _LAST_CACHE_CLEANUP_COMPLETED_ to the
> > database. Is this the intended behaviour?
>
> This record is needed by the cache cleanup pseudo-thread. This code
> assumes that the verify(8) daemon is responsible for cleaning up
> the verify(8) cache.
>
> > 2) If I'm guessing right then the dict_cache_clean_event will iterate with
> > help of dict->sequence through the database and will look for keys to expire.
> > But I don't know how to implement this iteration/traverse process with mysql.
> > My first thought was to use "SELECT * FROM verify" and mysql_use_result() but
> > I'm wondering if there is a better solution.
> > Has anyone an idea of how to do this?
>
> Does the database support a first/next operation?
>

Another desirable option may be to disable cache cleanup by the
verify(8) daemon. Supposedly, the cache is meant to be shared,
otherwise why incur the overhead?

	 Wietse

> > Thanks for your help and best regards
> > Stefan
> >
> > > > by Stefan Jakobs on 2010-06-13T19:43:00+00:00
> > > > Hello list,
> > > > I refer to my question of august 2008
> > > > (http://archives.neohapsis.com/archives/postfix/2008-08/0747.html, and see
> > > > below).
> > > > What are the necessary steps to add update support to the mysql client
> > > > (Postfix 2.5.6 or newer)?
> > > > Has someone already done this and is willing to share the code?
> > > > Thanks for your help and kind regards
> > > > Stefan
> > > Wietse wrote on August 22nd 2008:
> > > Stefan Jakobs:
> > > I think this involves writing, testing, and documenting code. The
> > > design stage can pretty much be skipped for this fill-in-the-blanks
> > > exercise.
> > > Wietse
>
> [ Attachment, skipping... ]
>
>
>

#269561 From: "Stefan Jakobs" <stefan@...>
Date: Sat Oct 2, 2010 12:19 am
Subject: Re: verify db with mysql
 
On Friday 01 October 2010 18:58:26 Wietse Venema wrote:
> Stefan:
> > Hi list,
> >
> > I'm in the process of adding write support to postfix's mysql client (you
> > will find a patch against postfix-2.7.1 in the appendix). But I have two
> > problems: 1) the dict_cache_clean_event writes
> > _LAST_CACHE_CLEANUP_COMPLETED_ to the database. Is this the intended
> > behaviour?
>
> This record is needed by the cache cleanup pseudo-thread. This code
> assumes that the verify(8) daemon is responsible for cleaning up
> the verify(8) cache.

Ah, fine. So that's OK.

> > 2) If I'm guessing right then the dict_cache_clean_event will iterate
> > with help of dict->sequence through the database and will look for keys
> > to expire. But I don't know how to implement this iteration/traverse
> > process with mysql. My first thought was to use "SELECT * FROM verify"
> > and mysql_use_result() but I'm wondering if there is a better solution.
> > Has anyone an idea of how to do this?
>
> Does the database support a first/next operation?

The operation which comes close to that, is to select the whole table and then
fetch the keys row by row. Yes, I think that is a first/next operation (with a
bad performance).

What would be the answer if there wasn't a first/next operation?

>  Wietse

Thank you in advance.
Stefan

<snip>

#269562 From: "Eugene V. Boontseff" <eugene@...>
Date: Sat Oct 2, 2010 12:55 pm
Subject: Re: SPF and greylisting conditioning
 
On 26.09.2010 13:24, Michal Bruncko wrote:
> Hello list
>
> I am using postfix (v 2.7.0) with sender policy framework
> (postfix-policyd-spf-perl-2.001) and greylisting (postgrey-1.32) with
> following configuration:
>
> smtpd_recipient_restrictions =
>  ...
>  check_policy_service unix:private/policy
>  check_policy_service unix:/var/spool/postfix/postgrey/socket
>  ...
>
> where unix:private/policy is SPF socket and followed by greylist rule.
>
> It is possible in some way to configure postfix, that SPF Passed mails
> will be automatically accepted with postfix without greylisting? And
> using greylist only for mails with other SPF result codes (none,
> softfail,..)?
> Current configuration only denies mails with SPF Fail and all other
> mails were being greylisted.

Use the attached patch for postfix-policyd-spf-perl-2.007, and you get
what you want.

>
> thanks
>
> michal
>
--
Eugene

#269563 From: Scott Kitterman <postfix@...>
Date: Sat Oct 2, 2010 1:11 pm
Subject: Re: SPF and greylisting conditioning
 
On Saturday, October 02, 2010 08:55:49 am Eugene V. Boontseff wrote:
> On 26.09.2010 13:24, Michal Bruncko wrote:
> > Hello list
> >
> > I am using postfix (v 2.7.0) with sender policy framework
> > (postfix-policyd-spf-perl-2.001) and greylisting (postgrey-1.32) with
> > following configuration:
> >
> > smtpd_recipient_restrictions =
> >
> >  ...
> >  check_policy_service unix:private/policy
> >  check_policy_service unix:/var/spool/postfix/postgrey/socket
> >  ...
> >
> > where unix:private/policy is SPF socket and followed by greylist rule.
> >
> > It is possible in some way to configure postfix, that SPF Passed mails
> > will be automatically accepted with postfix without greylisting? And
> > using greylist only for mails with other SPF result codes (none,
> > softfail,..)?
> > Current configuration only denies mails with SPF Fail and all other
> > mails were being greylisted.
>
> Use the attached patch for postfix-policyd-spf-perl-2.007, and you get
> what you want.

Speaking as the current maintainer for that package, I don't recommend
patching it to return OK and I don't think that's consistent with what the OP
wanted (he wanted to skip greylisting, not all further checks).

A couple of other options:

tumgreyspf is an integrated SPF/Greylist solution that is designed to do what
I understand the OP has requested.

pypolicyd-spf is a more complete SPF policy server than the Perl one and
is able to integrate with Postfix restriction classes to do different things
(one of which could be greylist or not) based on SPF result.  This is covered
in the package documentation.

Scott K

#269564 From: Wietse Venema <wietse@...>
Date: Sat Oct 2, 2010 4:47 pm
Subject: Re: verify db with mysql
 
Stefan Jakobs:
> > Does the database support a first/next operation?
>
> The operation which comes close to that, is to select the whole table and then
> fetch the keys row by row. Yes, I think that is a first/next operation (with a
> bad performance).
>
> What would be the answer if there wasn't a first/next operation?

A DBMS without iterator does not seem plausible.

The dict_cache cleanup code slowly scans the DBMS for obsolete
records and removes them while allowing the verify or postscreen
process to handle requests from other Postfix processes.

This means that the MySQL client will need to handle two streams
of requests that are interleaved:

1 - One stream of first/next/lookup/delete requests from the cache
     cleanup code.

2 - One stream of lookup/update requests that are triggered by
     smtpd (lookup) and by delivery agents (update).

These two streams must be able to co-exist. Cache cleanup can take
a long time, and it is not acceptable that the cache cleanup (stream
1) must run from start to completion without allowing requests from
stream 2.

	 Wietse
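
Added example (not part of the original thread and not Postfix code): one way to give a SQL table a first/next operation that coexists with interleaved lookup/update requests is to remember only the last key returned and resume with a `WHERE key > ?` query, so no result set stays open between cleanup steps. Python's sqlite3 stands in for MySQL here; the `addr`/`expires` columns, the sample rows and all function names are assumptions.

```python
import sqlite3

# Constructed sample rows: (address, expiry time). Not real verify(8) data.
SAMPLE = [
    ("alice@example.com", 900),
    ("bob@example.com", 2000),
    ("carol@example.com", 800),
    ("dave@example.com", 950),
]


def open_cache():
    """In-memory stand-in for the 'verify' table (column names are hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE verify (addr TEXT PRIMARY KEY, expires INTEGER NOT NULL)")
    return db


def update(db, addr, expires):
    """Stream 2: insert or refresh one record."""
    db.execute("INSERT OR REPLACE INTO verify (addr, expires) VALUES (?, ?)",
               (addr, expires))


def lookup(db, addr):
    """Stream 2: fetch one record's expiry, or None if absent."""
    row = db.execute("SELECT expires FROM verify WHERE addr = ?", (addr,)).fetchone()
    return row[0] if row else None


class KeysetIterator:
    """Stream 1: first/next that keeps only the last key seen, never an open cursor."""

    def __init__(self, db):
        self.db = db
        self.last = None

    def first(self):
        self.last = None
        return self.next()

    def next(self):
        if self.last is None:
            sql, args = "SELECT addr, expires FROM verify ORDER BY addr LIMIT 1", ()
        else:
            sql = ("SELECT addr, expires FROM verify "
                   "WHERE addr > ? ORDER BY addr LIMIT 1")
            args = (self.last,)
        row = self.db.execute(sql, args).fetchone()
        if row is not None:
            self.last = row[0]
        return row


def run_interleaved(now=1000):
    """One cleanup pass with stream-2 traffic injected between cleanup steps."""
    db = open_cache()
    for addr, expires in SAMPLE:
        update(db, addr, expires)

    it = KeysetIterator(db)
    seen, expired, mid_scan_lookup = [], [], None
    step = 0
    row = it.first()
    while row is not None:
        addr, expires = row
        seen.append(addr)
        if expires <= now:
            # Deleting the current row is safe: the iterator resumes by key value.
            db.execute("DELETE FROM verify WHERE addr = ?", (addr,))
            expired.append(addr)

        # Requests from other processes arriving between two cleanup steps.
        if step == 0:
            update(db, "zed@example.com", now + 500)  # ahead of the scan: visited later
            update(db, "aaa@example.com", now - 1)    # behind the scan: left for next pass
        elif step == 1:
            mid_scan_lookup = lookup(db, "bob@example.com")
            update(db, "carol@example.com", now + 2000)  # refreshed before cleanup reaches it

        step += 1
        row = it.next()

    remaining = [r[0] for r in db.execute("SELECT addr FROM verify ORDER BY addr")]
    return {"seen": seen, "expired": expired,
            "remaining": remaining, "mid_scan_lookup": mid_scan_lookup}


if __name__ == "__main__":
    print(run_interleaved())
```

Each `next()` is a single indexed query, so the cost per step stays small and a record inserted behind the scan position (`aaa@example.com` above) is simply picked up on the following pass.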

#269565 From: "pf at alt-ctrl-del.org" <pf@...>
Date: Sat Oct 2, 2010 6:59 pm
Subject: conditional bcc - is it possible
 
After all tests have been passed and Postfix decides to accept an email, I'd
like to selectively BCC some email for
later (manual) inspection. But I don't want to "hold" that mail.

BCC isn't available in Access, stable.

Can always_bcc, recipient_bcc_maps or, sender_bcc_maps be called\applied\set
from an access_map?

Like:
smtpd_data_restrictions = check_client_access regexp:/etc/postfix/suspect.regexp
...
/static/ do_bcc_here

#269566 From: jason hirsh <hirshj@...>
Date: Sat Oct 2, 2010 7:47 pm
Subject: Installation Error
 
I am doing an installation on a new FreeBSD 8.1 box and it fails with


postfix: warning: valid_hostname: invalid character 32(decimal):
my.domain-server.com

Bind is up ..  the server name is correct..

I have issued this on my previous server (which this is to replace)
and didn't  have a problem as I remember my installation

any thoughts??

#269567 From: Ralf Hildebrandt <Ralf.Hildebrandt@...>
Date: Sat Oct 2, 2010 7:56 pm
Subject: Re: Installation Error
 
* jason hirsh <hirshj@...>:
> I am doing an installation on a new FreeBSD 8.1 box   and it fail with
>
>
> postfix: warning: valid_hostname: invalid character 32(decimal):
> my.domain-server.com

remove the trailing or leading space
from "my.domain-server.com " or " my.domain-server.com"

--
Ralf Hildebrandt
   Geschäftsbereich IT | Abteilung Netzwerk
   Charité - Universitätsmedizin Berlin
   Campus Benjamin Franklin
   Hindenburgdamm 30 | D-12203 Berlin
   Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
   ralf.hildebrandt@... | http://www.charite.de

#269568 From: jason hirsh <hirshj@...>
Date: Sat Oct 2, 2010 8:13 pm
Subject: Re: Installation Error _RESOLVED
 
On Oct 2, 2010, at 3:56 PM, Ralf Hildebrandt wrote:

> * jason hirsh <hirshj@...>:
>> I am doing an installation on a new FreeBSD 8.1 box   and it fail
>> with
>>
>>
>> postfix: warning: valid_hostname: invalid character 32(decimal):
>> my.domain-server.com
>
> remove the trailing or leading space
> from "my.domain-server.com " or " my.domain-server.com"

I missed that

edit and corrected rc.conf
reboot and installation went fine

thanks for your quick response

>
> --
> Ralf Hildebrandt
>  Geschäftsbereich IT | Abteilung Netzwerk
>  Charité - Universitätsmedizin Berlin
>  Campus Benjamin Franklin
>  Hindenburgdamm 30 | D-12203 Berlin
>  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>  ralf.hildebrandt@... | http://www.charite.de
>

#269569 From: jason hirsh <hirshj@...>
Date: Sat Oct 2, 2010 11:06 pm
Subject: Re: Installation Error _RESOLVED
 
the change to the rc.conf doesn't apparently take effect until you
reboot.. there might be another way but i am a bit of a newbie

On Oct 2, 2010, at 4:42 PM, joe wrote:

> You rebooted to change the hostname???
>
> Joe
>
> On 10/02/2010 01:13 PM, jason hirsh wrote:
>>
>> On Oct 2, 2010, at 3:56 PM, Ralf Hildebrandt wrote:
>>
>>> * jason hirsh <hirshj@...>:
>>>> I am doing an installation on a new FreeBSD 8.1 box   and it fail
>>>> with
>>>>
>>>>
>>>> postfix: warning: valid_hostname: invalid character 32(decimal):
>>>> my.domain-server.com
>>>
>>> remove the trailing or leading space
>>> from "my.domain-server.com " or " my.domain-server.com"
>>
>> I missed that
>>
>> edit and corrected rc.conf
>> reboot and installation went fine
>>
>> thanks for you quick response
>>
>>>
>>> --
>>> Ralf Hildebrandt
>>> Geschäftsbereich IT | Abteilung Netzwerk
>>> Charité - Universitätsmedizin Berlin
>>> Campus Benjamin Franklin
>>> Hindenburgdamm 30 | D-12203 Berlin
>>> Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>>> ralf.hildebrandt@... | http://www.charite.de
>>>
>>
>

#269570 From: "Eugene V. Boontseff" <eugene@...>
Date: Sun Oct 3, 2010 8:11 am
Subject: Re: Installation Error _RESOLVED
 
On 03.10.2010 03:06, jason hirsh wrote:
> the change to the rc.conf doesn't apparently take effect until you
> reboot.. there might be another way but i am a bit of a newbie

man hostname

> On Oct 2, 2010, at 4:42 PM, joe wrote:
>
>> You rebooted to change the hostname???
>>
>> Joe
>>
>> On 10/02/2010 01:13 PM, jason hirsh wrote:
>>>
>>> On Oct 2, 2010, at 3:56 PM, Ralf Hildebrandt wrote:
>>>
>>>> * jason hirsh <hirshj@...>:
>>>>> I am doing an installation on a new FreeBSD 8.1 box   and it fail
>>>>> with
>>>>>
>>>>>
>>>>> postfix: warning: valid_hostname: invalid character 32(decimal):
>>>>> my.domain-server.com
>>>>
>>>> remove the trailing or leading space
>>>> from "my.domain-server.com " or " my.domain-server.com"
>>>
>>> I missed that
>>>
>>> edit and corrected rc.conf
>>> reboot and installation went fine
>>>
>>> thanks for you quick response
>>>
>>>>
>>>> --
>>>> Ralf Hildebrandt
>>>> Geschäftsbereich IT | Abteilung Netzwerk
>>>> Charité - Universitätsmedizin Berlin
>>>> Campus Benjamin Franklin
>>>> Hindenburgdamm 30 | D-12203 Berlin
>>>> Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>>>> ralf.hildebrandt@... | http://www.charite.de
>>>>
>>>
>>
>

#269571 From: martin f krafft <madduck@...>
Date: Sun Oct 3, 2010 12:34 pm
Subject: static map returns 554, causing message to be accepted
 
Dear list,

I found that a lot of spam can be weeded out by rejecting clients
who greet me with my own hostname. Initially, I achieved this with
the following:

   main.cf:
     smtpd_helo_restrictions =
       […]
       check_helo_access pcre:$config_directory/reject_helo_myhostname

   reject_helo_myhostname:
     /^myhostname(\.mydomain)?$/ 554 do not impersonate me

I then ran into problems when the host connected to itself through
the loopback interface. Since I did not want to add
permit_mynetworks to smtpd_helo_restrictions (I expect all machines
on my network to pass the other helo restrictions), I went on to
experiment with restriction classes. I now realise that there are
other, more direct ways to achieve what I want, but I would still
like to figure out a problem I ran into:

   main.cf:
     smtpd_helo_restrictions =
       […]
       check_helo_access pcre:$config_directory/reject_helo_myhostname

     smtpd_restriction_classes =
       […]
       target_reject_helo_myhostname

     target_reject_helo_myhostname =
       permit_mynetworks
       sleep 10
       reject

   reject_helo_myhostname:
     /^myhostname(\.mydomain)?$/ target_reject_helo_myhostname

This works, but I wanted to have a more verbose error message, so
I replaced the last line with

       check_helo_access static:554 do not impersonate me

Much to my surprise, this caused the message to be accepted.

I speculated this might have to do with the spaces and tried to
quote the text, which did not work.

After discovering that

       check_helo_access static:REJECT

worked fine, I tried

       check_helo_access static:554

but that got the message accepted too.

I now found a better solution, but I am still curious what I did
wrong in using the static map.

Thanks for your time!

--
martin | http://madduck.net/ | http://two.sentenc.es/

the security, stability and reliability of a computer system
is reciprocally proportional to
the amount of vacuity between the ears of the admin.

spamtraps: madduck.bogus@...

#269572 From: martin f krafft <madduck@...>
Date: Sun Oct 3, 2010 12:56 pm
Subject: how to return a multi-word result with a static map (was: static map returns 554, causing message to be accepted)
 
thus spoke martin f krafft <madduck@...> [2010.10.03.1434 +0200]:
>       check_helo_access static:554
>
> but that got the message accepted too.

I found in access(5):

   ACCEPT ACTIONS
         all-numerical
                 An  all-numerical  result  is  treated  as OK. This
                 format is generated by address-based relay
                 authorization schemes such as pop-before-smtp.

So indeed, this is expected behaviour and my question thus becomes
a new one:

How can I use a static map to return a "5xx message" result?

I tried:

- static:554 message     [all-numerical accept]
- static:'554 message'   [invalid smtpd restriction '554]
- static:"554 message"   [invalid smtpd restriction "554]
- "static:554 message"   [unsupported dictionary type: "static:…]
- 'static:554 message"   [unsupported dictionary type: 'static:…]

What else is there?

--
martin | http://madduck.net/ | http://two.sentenc.es/

uʍop ǝpısdn sı ɹoʇıuoɯ ɹnoʎ

spamtraps: madduck.bogus@...
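
Added example (not part of the original post and not Postfix code): a small lint that flags access-table entries and `static:` maps whose result is all-numerical, which per the access(5) text quoted above is treated as OK instead of a rejection. The classification is modelled only on that quote and on the `554 do not impersonate me` form used earlier in the thread; the sample table, the restriction string and the function names are constructed for illustration, and the splitting of restriction lists on commas and whitespace is an assumption of this sketch.

```python
import re

# Constructed sample, modelled on the thread's reject_helo_myhostname pcre table.
TABLE = r"""
# reject clients that greet us with our own name
/^myhostname(\.mydomain)?$/ 554 do not impersonate me
/^localhost$/ 554
/^mail\.example\.com$/
    target_reject_helo_myhostname
"""

# Constructed main.cf restriction list using the forms tried in the thread.
RESTRICTIONS = ("permit_mynetworks, "
                "check_helo_access static:554 do not impersonate me, "
                "check_helo_access static:REJECT")


def classify(result):
    """Classify a table result using only the rules quoted in this thread."""
    result = result.strip()
    if re.fullmatch(r"[0-9]+", result):
        return "ok-all-numerical"          # access(5): treated as OK
    if re.match(r"[45][0-9][0-9]\s+\S", result):
        return "reject-with-code"          # e.g. "554 do not impersonate me"
    return "other"                         # REJECT, restriction class names, ...


def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and # comments."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current


def split_entry(line):
    """Return (pattern, result) for '/regexp/flags result' or 'key result' lines."""
    if line.startswith("/"):
        i = 1
        while i < len(line) and line[i] != "/":
            i += 2 if line[i] == "\\" else 1   # step over escaped characters
        m = re.match(r"\S*\s+(.*)", line[i + 1:])
        return line[:i + 1], (m.group(1) if m else "")
    parts = line.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def lint_table(text):
    """List (pattern, result) pairs whose result would be treated as OK."""
    findings = []
    for line in logical_lines(text):
        pattern, result = split_entry(line)
        if classify(result) == "ok-all-numerical":
            findings.append((pattern, result))
    return findings


def lint_restrictions(value):
    """List 'static:<digits>' maps that follow a check_*_access restriction."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    findings = []
    for prev, tok in zip(tokens, tokens[1:]):
        if (re.fullmatch(r"check_\w+_access", prev) and tok.startswith("static:")
                and classify(tok[len("static:"):]) == "ok-all-numerical"):
            findings.append(tok)
    return findings


if __name__ == "__main__":
    for pattern, result in lint_table(TABLE):
        print(f"table: {pattern} -> {result!r} is all-numerical, treated as OK")
    for tok in lint_restrictions(RESTRICTIONS):
        print(f"main.cf: {tok} is all-numerical, treated as OK")
```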

#269573 From: martin f krafft <madduck@...>
Date: Sun Oct 3, 2010 1:10 pm
Subject: Re: how to return a multi-word result with a static map (was: static map returns 554, causing message to be accepted)
 
thus spoke martin f krafft <madduck@...> [2010.10.03.1456 +0200]:
> How can I use a static map to return a "5xx message" result?

According to http://www.irbs.net/internet/postfix/0208/0380.html,
what I am trying to do is simply not possible. Is this still the
case?

--
martin | http://madduck.net/ | http://two.sentenc.es/

"never attribute to malice what can be
  adequately explained by incompetence."
                                                        -- mark twain

spamtraps: madduck.bogus@...

#269574 From: Stan Hoeppner <stan@...>
Date: Sun Oct 3, 2010 7:15 pm
Subject: Re: static map returns 554, causing message to be accepted
 
martin f krafft put forth on 10/3/2010 7:34 AM:
> Dear list,
>
> I found that a lot of spam can be weeded out by rejecting clients
> who greet me with my own hostname. Initially, I achieved this with
> the following:
>
>   main.cf:
>     smtpd_helo_restrictions =
>       […]
>       check_helo_access pcre:$config_directory/reject_helo_myhostname
>
>   reject_helo_myhostname:
>     /^myhostname(\.mydomain)?$/ 554 do not impersonate me
>
> I then ran into problems when the host connected to itself through
> the loopback interface. Since I did not want to add
> permit_mynetworks to smtpd_helo_restrictions (I expect all machines
> on my network to pass the other helo restrictions) <snip>

TTBOMK, the proper way to do this is the method you are avoiding, which
is to implement permit_mynetworks in smtpd_helo_restrictions.  Also note
you can do this just as easily with a hash table as with a PCRE table.
Excellent how-to:

http://www.unixwiz.net/techtips/postfix-HELO.html

I think you're currently making this more complicated than it needs to
be.  If not, if you absolutely can't do it this way, and you're having
reinjection problems with content filters or policy daemons, simply add
something like this to the master.cf entry for the reinjection smtpd
listener:

daemon     inet  n       -       -       -       -       smtpd
         -o smtpd_client_restrictions=
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject

If you don't already have a dedicated reinjection listener, that's a
problem, and you should set one up.  You shouldn't be dumping mail
that's already been through a content filter or policy daemon back into
your public facing smtpd listener on localhost:25, which has all the
smtpd_foo_restrictions restrictions on it.

If you aren't currently eliminating these restrictions on reinjection
connections, you are doing extra unnecessary processing and throwing up
unnecessary roadblocks to internal trusted communications between your
Postfix processes.  smtpd_foo_restrictions are designed to be used
against foreign public MTAs connecting to your public facing smtpd, not
against trusted internal processes.

--
Stan
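
As an added illustration (not part of the thread, and not Postfix code), the Python sketch below parses master.cf entries and flags smtpd listeners that blank their restriction lists the way the reinjection entry above does, unless they are bound to a loopback address and end smtpd_recipient_restrictions in reject. The sample file, the 127.0.0.1:10026 and 2525 listeners and all function names are constructed for the example.

```python
"""Audit master.cf for smtpd listeners that blank their restriction lists.

Added illustration, not Postfix code. Logical-line rules follow master(5):
'#' lines are ignored and a line starting with whitespace continues the entry.
The newer "-o { name = value }" syntax is not handled.
"""
import ipaddress
import shlex

# Constructed sample: the reinjection entry from the reply above, bound to a
# loopback address chosen for this example, plus a deliberately risky variant.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
127.0.0.1:10026 inet n  -       n       -       -       smtpd
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
# constructed: restrictions blanked on a port that is not loopback-only
2525      inet  n       -       n       -       -       smtpd
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
"""

BLANKABLE = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
             "smtpd_sender_restrictions")


def parse_master_cf(text):
    """Return one dict per service: name, type, command, and -o overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    services = []
    for line in logical:
        fields = line.split(None, 7)              # 7 fixed columns + command
        if len(fields) < 8:
            continue
        argv = shlex.split(fields[7])
        overrides = {}
        for flag, arg in zip(argv[1:], argv[2:]):
            if flag == "-o":
                key, _, value = arg.partition("=")
                overrides[key] = value
        services.append({"name": fields[0], "type": fields[1],
                         "command": argv[0], "overrides": overrides})
    return services


def is_loopback(service_name):
    """True when the master.cf service name pins the listener to loopback."""
    host = service_name.rsplit(":", 1)[0] if ":" in service_name else ""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit_reinjection_listeners(services):
    """Map listener name -> problems, for listeners with blanked restrictions."""
    findings = {}
    for svc in services:
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        if not any(svc["overrides"].get(p) == "" for p in BLANKABLE):
            continue                               # normal, restricted listener
        problems = []
        if not is_loopback(svc["name"]):
            problems.append("restrictions blanked but not bound to loopback")
        rcpt = svc["overrides"].get("smtpd_recipient_restrictions", "")
        if rcpt.replace(",", " ").split()[-1:] != ["reject"]:
            problems.append("smtpd_recipient_restrictions does not end in reject")
        if problems:
            findings[svc["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_reinjection_listeners(
            parse_master_cf(SAMPLE_MASTER_CF)).items():
        print(name, "->", "; ".join(problems))
```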

#269575 From: joe <joe@...>
Date: Sun Oct 3, 2010 8:07 pm
Subject: Re: Installation Error _RESOLVED
 
No worries -

Rebooting will indeed run through the items rc.conf, but in general you
can run any of those commands at any time. You can change the host name
with the "hostname" command and it takes effect immediately. Restart
syslog as well if you want the new host name to appear in the log files.

Joe

On 10/03/2010 01:11 AM, Eugene V. Boontseff wrote:
> On 03.10.2010 03:06, jason hirsh wrote:
>> the change to the rc.conf doesn't apparently take effect until you
>> reboot.. there might be another way but i am a bit of a newbie
> man hostname
>> On Oct 2, 2010, at 4:42 PM, joe wrote:
>>
>>> You rebooted to change the hostname???
>>>
>>> Joe
>>>
>>> On 10/02/2010 01:13 PM, jason hirsh wrote:
>>>>
>>>> On Oct 2, 2010, at 3:56 PM, Ralf Hildebrandt wrote:
>>>>
>>>>> * jason hirsh <hirshj@...>:
>>>>>> I am doing an installation on a new FreeBSD 8.1 box   and it fail
>>>>>> with
>>>>>>
>>>>>>
>>>>>> postfix: warning: valid_hostname: invalid character 32(decimal):
>>>>>> my.domain-server.com
>>>>>
>>>>> remove the trailing or leading space
>>>>> from "my.domain-server.com " or " my.domain-server.com"
>>>>
>>>> I missed that
>>>>
>>>> edit and corrected rc.conf
>>>> reboot and installation went fine
>>>>
>>>> thanks for your quick response
>>>>
>>>>>
>>>>> --
>>>>> Ralf Hildebrandt
>>>>> Geschäftsbereich IT | Abteilung Netzwerk
>>>>> Charité - Universitätsmedizin Berlin
>>>>> Campus Benjamin Franklin
>>>>> Hindenburgdamm 30 | D-12203 Berlin
>>>>> Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>>>>> ralf.hildebrandt@... | http://www.charite.de
>>>>>
>>>>
>>>
>>
>

#269576 From: Nicholas Sideris <n.sideris@...>
Date: Mon Oct 4, 2010 1:32 am
Subject: SMTPD AUTH broke ... ?
 
Hello,

I have the following trouble with enabling the smtpd auth for postfix ...

First of all I am using Dovecot 1.2.x and I have enabled everything according to the available on-line HOW TOs. Everything seems fine to me and the appropriate socket is created under private/auth so there's no problem there.

Now I had modified main.cf to enable SMTP AUTH as follows (I do also include a few lines of other config, because I think it may be useful for you):

html_directory    = /server/html/postfix
manpage_directory = /server/man
sample_directory  = /server/etc/postfix
readme_directory  = /server/readme/postfix
data_directory    = /var/lib/postfix


virtual_mailbox_maps        = mysql:/server/etc/postfix/virtual.sql
virtual_mailbox_base        = /
virtual_minimum_uid         = 1500
virtual_uid_maps            = mysql:/server/etc/postfix/uids.sql
virtual_gid_maps            = mysql:/server/etc/postfix/gids.sql
virtual_mailbox_limit_maps  = mysql:/server/etc/postfix/quota.sql
content_filter              = avscan:[127.0.0.1]:10025

smtpd_sasl_type             = dovecot
smtpd_sasl_path             = private/auth
smtpd_sasl_auth_enable      = yes
#broken_sasl_auth_clients    = yes
smtpd_sasl_security_options = noanonymous


smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination


Now when I am trying to test if it works, I get this

telnet> open xxxxx.xxxxxx.xxx 25
Trying 127.0.0.1...
Connected to localbase.
Escape character is '^]'.
220 eurovision.oikotimes.net ESMTP Postfix
250-xxxxx.xxxxxx.xxx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN ncjdskl=
502 5.5.2 Error: command not recognized
AUTH PLAIN bchjdbckjdsc=
502 5.5.2 Error: command not recognized

So actually there's no SMTP authentication available.
Any ideas of what I need to check?

PS: My server is custom compiled using this command ...

make AUXLIBS='-L/server/lib/mysql -lmysqlclient -lz -lm -lpcre' CCARGS='-DDEF_CONFIG_DIR=\"/server/etc/postfix\" -DDEF_COMMAND_DIR=\"/server/sbin\" -DDEF_DAEMON_DIR=\"/server/libexec/postfix\" -DDEF_MAILQ_PATH=\"/usr/bin/mailq\" -DDEF_HTML_DIR=\"/server/html/postfix\" -DDEF_MANPAGE_DIR=\"/server/man\" -DDEF_NEWALIAS_PATH=\"/usr/bin/newaliases\" -DDEF_README_DIR=\"/server/readme/postfix\" -DDEF_SENDMAIL_PATH=\"/usr/sbin/sendmail\" -DHAS_MYSQL -I/server/include/mysql -DHAS_PCRE -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\"' OPT='-O' DEBUG='-g'

PS2: Obtaining mail works as it should ... everything is ok.
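
An added example, not part of the original post: a small Python parser for the EHLO reply in the transcript above, showing that AUTH is not among the advertised extensions, which is consistent with the 502 replies. The second reply and the function names are constructed for comparison; the check for PLAIN/LOGIN offered without TLS is an extra caveat.

```python
"""Check an SMTP EHLO reply for the AUTH extension (added illustration)."""
import re

# EHLO reply as quoted in the post (hostname already redacted there).
EHLO_REPLY_FROM_POST = """\
250-xxxxx.xxxxxx.xxx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed reply for comparison: a listener that does offer AUTH, including
# the legacy "AUTH=" line that broken_sasl_auth_clients=yes adds.
EHLO_REPLY_CONSTRUCTED = """\
250-mail.example.test
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN
"""

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
PASSWORD_IN_CLEAR = {"PLAIN", "LOGIN"}   # base64 only, no protection by itself


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 reply."""
    lines = [l.rstrip("\r") for l in reply.splitlines() if l.strip()]
    caps = {}
    for idx, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError("not a 250 reply line: %r" % line)
        is_last = idx == len(lines) - 1
        if (m.group(2) == " ") != is_last:
            raise ValueError("bad continuation marker: %r" % line)
        if idx == 0:
            continue                      # first line is the server's name
        text = re.sub(r"^AUTH=", "AUTH ", m.group(3), flags=re.I)
        words = text.split()
        if not words:
            continue
        params = caps.setdefault(words[0].upper(), [])
        for word in words[1:]:
            if word.upper() not in params:
                params.append(word.upper())
    return caps


def check_auth(caps, tls_active=False):
    """Summarise what the reply says about SMTP AUTH on this session."""
    mechs = caps.get("AUTH", [])
    exposed = [] if tls_active else sorted(PASSWORD_IN_CLEAR.intersection(mechs))
    return {
        "auth_advertised": "AUTH" in caps,
        "starttls_advertised": "STARTTLS" in caps,
        "mechanisms": mechs,
        # mechanisms that would send the password readable on the wire
        "cleartext_password_mechs": exposed,
    }


if __name__ == "__main__":
    for label, reply in (("post", EHLO_REPLY_FROM_POST),
                         ("constructed", EHLO_REPLY_CONSTRUCTED)):
        print(label, check_auth(parse_ehlo(reply)))
```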


#269577 From: Matt Hayes <dominian@...>
Date: Mon Oct 4, 2010 1:39 am
Subject: Re: SMTPD AUTH broke ... ?
 
On 10/03/2010 09:32 PM, Nicholas Sideris wrote:
> Hello,
>
> I have the following trouble with enabling the smtpd auth for postfix ...
>
> First of all I am using Dovecot 1.2.x and I have enabled everything
> according to the available on-line HOW TOs. Everything seems fine to me
> and the appropriate socket is created under private/auth so there's no
> problem there.
>
> Now I had modified main.cf to enable SMTP AUTH as follows (I do also
> include a few lines of other config, because I think it may be useful
> for you):
>
> html_directory = /server/html/postfix
> manpage_directory = /server/man
> sample_directory = /server/etc/postfix
> readme_directory = /server/readme/postfix
> data_directory = /var/lib/postfix
>
>
> virtual_mailbox_maps = mysql:/server/etc/postfix/virtual.sql
> virtual_mailbox_base = /
> virtual_minimum_uid = 1500
> virtual_uid_maps = mysql:/server/etc/postfix/uids.sql
> virtual_gid_maps = mysql:/server/etc/postfix/gids.sql
> virtual_mailbox_limit_maps = mysql:/server/etc/postfix/quota.sql
> content_filter = avscan:[127.0.0.1]:10025
>
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
> #broken_sasl_auth_clients = yes
> smtpd_sasl_security_options = noanonymous
>
>
> smtpd_recipient_restrictions =
> permit_mynetworks
> permit_sasl_authenticated
> reject_unauth_destination
>
>
> Now when I am trying to test if it works, I get this
>
> telnet> open xxxxx.xxxxxx.xxx 25
> Trying 127.0.0.1...
> Connected to localbase.
> Escape character is '^]'.
> 220 eurovision.oikotimes.net ESMTP Postfix
> EHLO client.test.gr
> 250-xxxxx.xxxxxx.xxx
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH PLAIN ncjdskl=
> 502 5.5.2 Error: command not recognized
> AUTH PLAIN bchjdbckjdsc=
> 502 5.5.2 Error: command not recognized
>
> So actually there's no SMTP authentication available.
> Any ideas of what I need to check?
>
> PS: My server is custom compiled using this command ...
>
> make AUXLIBS='-L/server/lib/mysql -lmysqlclient -lz -lm -lpcre'
> CCARGS='-DDEF_CONFIG_DIR=\"/server/etc/postfix\"
> -DDEF_COMMAND_DIR=\"/server/sbin\"
> -DDEF_DAEMON_DIR=\"/server/libexec/postfix\"
> -DDEF_MAILQ_PATH=\"/usr/bin/mailq\"
> -DDEF_HTML_DIR=\"/server/html/postfix\"
> -DDEF_MANPAGE_DIR=\"/server/man\"
> -DDEF_NEWALIAS_PATH=\"/usr/bin/newaliases\"
> -DDEF_README_DIR=\"/server/readme/postfix\"
> -DDEF_SENDMAIL_PATH=\"/usr/sbin/sendmail\" -DHAS_MYSQL
> -I/server/include/mysql -DHAS_PCRE -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\"' OPT='-O' DEBUG='-g'
>
> PS2: Obtaining mail works as it should ... everything is ok.
>


You might want to look at using smtpd_sasl_auth_enable for your smtpd
listener.

I'd suggest using submission port 587 as well for your authenticated
clients.

-Matt

#269578 From: Nicholas Sideris <n.sideris@...>
Date: Mon Oct 4, 2010 1:58 am
Subject: Re: SMTPD AUTH broke ... ?
 

On Oct 4, 2010, at 4:39 AM, Matt Hayes wrote:

> On 10/03/2010 09:32 PM, Nicholas Sideris wrote:
>> Hello,
>>
>> I have the following trouble with enabling the smtpd auth for postfix ...
>>
>> First of all I am using Dovecot 1.2.x and I have enabled everything
>> according to the available on-line HOW TOs. Everything seems fine to me
>> and the appropriate socket is created under private/auth so there's no
>> problem there.
>>
>> Now I had modified main.cf to enable SMTP AUTH as follows (I do also
>> include a few lines of other config, because I think it may be useful
>> for you):
>>
>> html_directory = /server/html/postfix
>> manpage_directory = /server/man
>> sample_directory = /server/etc/postfix
>> readme_directory = /server/readme/postfix
>> data_directory = /var/lib/postfix
>>
>>
>> virtual_mailbox_maps = mysql:/server/etc/postfix/virtual.sql
>> virtual_mailbox_base = /
>> virtual_minimum_uid = 1500
>> virtual_uid_maps = mysql:/server/etc/postfix/uids.sql
>> virtual_gid_maps = mysql:/server/etc/postfix/gids.sql
>> virtual_mailbox_limit_maps = mysql:/server/etc/postfix/quota.sql
>> content_filter = avscan:[127.0.0.1]:10025
>>
>> smtpd_sasl_type = dovecot
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_auth_enable = yes
>> #broken_sasl_auth_clients = yes
>> smtpd_sasl_security_options = noanonymous
>>
>>
>> smtpd_recipient_restrictions =
>> permit_mynetworks
>> permit_sasl_authenticated
>> reject_unauth_destination
>>
>>
>> Now when I am trying to test if it works, I get this
>>
>> telnet> open xxxxx.xxxxxx.xxx 25
>> Trying 127.0.0.1...
>> Connected to localbase.
>> Escape character is '^]'.
>> 220 eurovision.oikotimes.net ESMTP Postfix
>> EHLO client.test.gr
>> 250-xxxxx.xxxxxx.xxx
>> 250-PIPELINING
>> 250-SIZE 10240000
>> 250-VRFY
>> 250-ETRN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> AUTH PLAIN ncjdskl=
>> 502 5.5.2 Error: command not recognized
>> AUTH PLAIN bchjdbckjdsc=
>> 502 5.5.2 Error: command not recognized
>>
>> So actually there's no SMTP authentication available.
>> Any ideas of what I need to check?
>>
>> PS: My server is custom compiled using this command ...
>>
>> make AUXLIBS='-L/server/lib/mysql -lmysqlclient -lz -lm -lpcre'
>> CCARGS='-DDEF_CONFIG_DIR=\"/server/etc/postfix\"
>> -DDEF_COMMAND_DIR=\"/server/sbin\"
>> -DDEF_DAEMON_DIR=\"/server/libexec/postfix\"
>> -DDEF_MAILQ_PATH=\"/usr/bin/mailq\"
>> -DDEF_HTML_DIR=\"/server/html/postfix\"
>> -DDEF_MANPAGE_DIR=\"/server/man\"
>> -DDEF_NEWALIAS_PATH=\"/usr/bin/newaliases\"
>> -DDEF_README_DIR=\"/server/readme/postfix\"
>> -DDEF_SENDMAIL_PATH=\"/usr/sbin/sendmail\" -DHAS_MYSQL
>> -I/server/include/mysql -DHAS_PCRE -DUSE_SASL_AUTH
>> -DDEF_SERVER_SASL_TYPE=\"dovecot\"' OPT='-O' DEBUG='-g'
>>
>> PS2: Obtaining mail works as it should ... everything is ok.
>>
>
>
> You might want to look at using smtpd_sasl_auth_enable for your smtpd listener.
>
> I'd suggest using submission port 587 as well for your authenticated clients.
>
> -Matt

Still I get the same message. Well I had opened port 587 and tried it as well. Here's my master.cf, could be the antivirus I mean [avscan] the real problem? On the other hand the server doesn't even recognize the command ...

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
postspam  unix    -      n       n       -      -      pipe
   flags=Rq user=spamdu argv=/server/bin/postspam -f ${sender} -- ${recipient}
#policy    unix    -      n       n       -      -      spawn
#   user=nobody argv=/usr/bin/perl /inertia/mailserver/bin/greylist.pl -v
smtp      inet   n       -       n       -      -      smtpd
  -o content_filter=postspam:dummy
submission inet n       -       n       -      -      smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
  -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache  unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/server/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

avscan    unix    -       -       n        -      16     smtp
   -o smtp_send_xforward_command=yes
   -o smtp_enforce_tls=no
   
127.0.0.1:10026 inet  n   -       n        -      16     smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
   -o mynetworks_style=host
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8

proxywrite unix -       -       n       -       1       proxymap



#269579 From: Matt Hayes <dominian@...>
Date: Mon Oct 4, 2010 2:03 am
Subject: Re: SMTPD AUTH broke ... ?
 
On 10/03/2010 09:58 PM, Nicholas Sideris wrote:
>
> On Oct 4, 2010, at 4:39 AM, Matt Hayes wrote:
>
>> On 10/03/2010 09:32 PM, Nicholas Sideris wrote:
>>> Hello,
>>>
>>> I have the following trouble with enabling the smtpd auth for postfix ...
>>>
>>> First of all I am using Dovecot 1.2.x and I have enabled everything
>>> according to the available on-line HOW TOs. Everything seems fine to me
>>> and the appropriate socket is created under private/auth so there's no
>>> problem there.
>>>
>>> Now I had modified main.cf to enable SMTP AUTH as follows (I do also
>>> include a few lines of other config, because I think it may be useful
>>> for you):
>>>
>>> html_directory = /server/html/postfix
>>> manpage_directory = /server/man
>>> sample_directory = /server/etc/postfix
>>> readme_directory = /server/readme/postfix
>>> data_directory = /var/lib/postfix
>>>
>>>
>>> virtual_mailbox_maps = mysql:/server/etc/postfix/virtual.sql
>>> virtual_mailbox_base = /
>>> virtual_minimum_uid = 1500
>>> virtual_uid_maps = mysql:/server/etc/postfix/uids.sql
>>> virtual_gid_maps = mysql:/server/etc/postfix/gids.sql
>>> virtual_mailbox_limit_maps = mysql:/server/etc/postfix/quota.sql
>>> content_filter = avscan:[127.0.0.1]:10025
>>>
>>> smtpd_sasl_type = dovecot
>>> smtpd_sasl_path = private/auth
>>> smtpd_sasl_auth_enable = yes
>>> #broken_sasl_auth_clients = yes
>>> smtpd_sasl_security_options = noanonymous
>>>
>>>
>>> smtpd_recipient_restrictions =
>>> permit_mynetworks
>>> permit_sasl_authenticated
>>> reject_unauth_destination
>>>
>>>
>>> Now when I am trying to test if it works, I get this
>>>
>>> telnet> open xxxxx.xxxxxx.xxx 25
>>> Trying 127.0.0.1...
>>> Connected to localbase.
>>> Escape character is '^]'.
>>> 220 eurovision.oikotimes.net ESMTP Postfix
>>> EHLO client.test.gr
>>> 250-xxxxx.xxxxxx.xxx
>>> 250-PIPELINING
>>> 250-SIZE 10240000
>>> 250-VRFY
>>> 250-ETRN
>>> 250-ENHANCEDSTATUSCODES
>>> 250-8BITMIME
>>> 250 DSN
>>> AUTH PLAIN ncjdskl=
>>> 502 5.5.2 Error: command not recognized
>>> AUTH PLAIN bchjdbckjdsc=
>>> 502 5.5.2 Error: command not recognized
>>>
>>> So actually there's no SMTP authentication available.
>>> Any ideas of what I need to check?
>>>
>>> PS: My server is custom compiled using this command ...
>>>
>>> make AUXLIBS='-L/server/lib/mysql -lmysqlclient -lz -lm -lpcre'
>>> CCARGS='-DDEF_CONFIG_DIR=\"/server/etc/postfix\"
>>> -DDEF_COMMAND_DIR=\"/server/sbin\"
>>> -DDEF_DAEMON_DIR=\"/server/libexec/postfix\"
>>> -DDEF_MAILQ_PATH=\"/usr/bin/mailq\"
>>> -DDEF_HTML_DIR=\"/server/html/postfix\"
>>> -DDEF_MANPAGE_DIR=\"/server/man\"
>>> -DDEF_NEWALIAS_PATH=\"/usr/bin/newaliases\"
>>> -DDEF_README_DIR=\"/server/readme/postfix\"
>>> -DDEF_SENDMAIL_PATH=\"/usr/sbin/sendmail\" -DHAS_MYSQL
>>> -I/server/include/mysql -DHAS_PCRE -DUSE_SASL_AUTH
>>> -DDEF_SERVER_SASL_TYPE=\"dovecot\"' OPT='-O' DEBUG='-g'
>>>
>>> PS2: Obtaining mail works as it should ... everything is ok.
>>>
>>
>>
>> You might want to look at using smtpd_sasl_auth_enable for your smtpd
>> listener.
>>
>> I'd suggest using submission port 587 as well for your authenticated
>> clients.
>>
>> -Matt
>
> Still I get the same message. Well I had opened port 587 and tried it as
> well. Here's my master.cf, could be the antivirus I mean [avscan] the
> real problem? On the other hand the server doesn't even recognize the
> command ...
>
> #
> # Postfix master process configuration file. For details on the format
> # of the file, see the master(5) manual page (command: "man 5 master").
> #
> # ==========================================================================
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> # ==========================================================================
> postspam unix - n n - - pipe
> flags=Rq user=spamdu argv=/server/bin/postspam -f ${sender} -- ${recipient}
> #policy unix - n n - - spawn
> # user=nobody argv=/usr/bin/perl /inertia/mailserver/bin/greylist.pl -v
> smtp inet n - n - - smtpd
> -o content_filter=postspam:dummy
> submission inet n - n - - smtpd
> -o smtpd_enforce_tls=no
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #smtps inet n - n - - smtpd
> # -o smtpd_tls_wrappermode=yes
> # -o smtpd_sasl_auth_enable=yes
> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #628 inet n - n - - qmqpd
> pickup fifo n - n 60 1 pickup
> cleanup unix n - n - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> #qmgr fifo n - n 300 1 oqmgr
> tlsmgr unix - - n 1000? 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
> flush unix n - n 1000? 0 flush
> proxymap unix - - n - - proxymap
> smtp unix - - n - - smtp
> # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
> relay unix - - n - - smtp
> -o fallback_relay=
> # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq unix n - n - - showq
> error unix - - n - - error
> retry unix - - n - - error
> discard unix - - n - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - n - 1 anvil
> scache unix - - n - 1 scache
> #
> # ====================================================================
> # Interfaces to non-Postfix software. Be sure to examine the manual
> # pages of the non-Postfix software to find out what options it wants.
> #
> # Many of the following services use the Postfix pipe(8) delivery
> # agent. See the pipe(8) man page for information about ${recipient}
> # and other message envelope options.
> # ====================================================================
> #
> # maildrop. See the Postfix MAILDROP_README file for details.
> # Also specify in main.cf: maildrop_destination_recipient_limit=1
> #
> #maildrop unix - n n - - pipe
> # flags=DRhu user=vmail argv=/server/bin/maildrop -d ${recipient}
> #
> # ====================================================================
> #
> # The Cyrus deliver program has changed incompatibly, multiple times.
> #
> #old-cyrus unix - n n - - pipe
> # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> #
> # ====================================================================
> #
> # Cyrus 2.1.5 (Amos Gouaux)
> # Also specify in main.cf: cyrus_destination_recipient_limit=1
> #
> #cyrus unix - n n - - pipe
> # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
> #
> # ====================================================================
> #
> # See the Postfix UUCP_README file for configuration details.
> #
> #uucp unix - n n - - pipe
> # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> #
> # ====================================================================
> #
> # Other external delivery methods.
> #
> #ifmail unix - n n - - pipe
> # flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> #
> #bsmtp unix - n n - - pipe
> # flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
> #
> #scalemail-backend unix - n n - 2 pipe
> # flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
> # ${nexthop} ${user} ${extension}
> #
> #mailman unix - n n - - pipe
> # flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
> # ${nexthop} ${user}
>
> # ==========================================================================
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> # ==========================================================================
>
> avscan unix - - n - 16 smtp
> -o smtp_send_xforward_command=yes
> -o smtp_enforce_tls=no
> 127.0.0.1:10026 inet n - n - 16 smtpd
> -o content_filter=
> -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
> -o smtpd_helo_restrictions=
> -o smtpd_client_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> -o mynetworks_style=host
> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> proxywrite unix - - n - 1 proxymap
>
>


Do you have logs of the transaction when trying to send outbound through
port 587 using authentication?

-Matt
