postfix-users

Group Information

  • Members: 1405
  • Category: Email
  • Founded: Jan 19, 1999
#289604 From: Wietse Venema <wietse@...>
Date: Thu Nov 22, 2012 1:57 pm
Subject: Re: how to use 'user address' in virtual alias table with virtual domains
 
LEVAI Daniel:
> Now I had the idea to simplify the $virtual_alias_maps table, and not
> specify common usernames (like abuse, postmaster etc...) for every
> single virtual domain separately, but specify only the usernames and map

Are you perhaps creating every domain by hand? Let the computer do
the work for you! Let the computer add the postmaster, abuse, etc.
entries at domain creation time. As an extra benefit there will be
fewer mistakes due to mis-typing postmaster, abuse, etc.

	 Wietse

#289605 From: Reindl Harald <h.reindl@...>
Date: Thu Nov 22, 2012 1:57 pm
Subject: Re: Configure open relay on specific port
 
On 22.11.2012 10:02, Patric Falinder wrote:
> I need to configure Postfix to be an open relay on a specific port, let's say
> 3326. I already have Postfix configured like a normal mailserver that requires
> authentication etc. but I need it to not ask for authentication on port 3326.
> How do I do this?
>
> I know this isn't safe but this port won't be open for the internet, just
> specific IP's that I specify on my router, so I won't be a target for spammers

so why do you not put those specific ip-addresses in "mynetworks"?

#289606 From: Patric Falinder <patric.falinder@...>
Date: Thu Nov 22, 2012 2:06 pm
Subject: Re: Configure open relay on specific port
 
Wietse Venema wrote 2012-11-22 14:53:
> Patric Falinder:
>> All I actually need to do is to allow a dyndns-address to send without
>> authentication.
> And why can't the SMTP client be bothered to authenticate?
> Did you put your printer/scanner on the Internet?
>
>  Wietse
Some of our customers "business-systems" are for some reason programmed
so they're not able to authenticate. Now this hasn't been a problem for
any of them because they've had a local mailserver (Exchange) where we
have configured it so it didn't have to authenticate. But now when we
have migrated all their mail to our servers and shutdown their old one,
they can't use that anymore and need to use ours.

We've asked the support for the software why it is like this and they
pretty much don't have an answer, they will probably implement it
later on hopefully. So it's pretty urgent for them to get this working
as they have a lot of business crucial emails that need to be delivered.
Also they have a dynamic IP so I was thinking I could add their
dyndns-address to 'mynetworks' but it only takes IP addresses, so I will
have to manually add their new IP when/if they get a new one and by then
lots of emails might have been lost due to not being delivered.

Right now I have added their IP to 'mynetworks' and it's working fine
for now, but it's not reliable as they have a dynamic IP like I said.
So either I need to be able to add a hostname/domain instead of an IP to
be able to send mail without authenticating or have an open relay on a
non-standard port where I then configure in the router who can access it
from outside. Or if you guys might have a better solution?

Thanks,
-Patric

#289607 From: Reindl Harald <h.reindl@...>
Date: Thu Nov 22, 2012 2:20 pm
Subject: Re: Configure open relay on specific port
 
On 22.11.2012 15:06, Patric Falinder wrote:
> Right now I have added their IP to 'mynetworks' and it's working fine for now,
> but it's not reliable as they have a dynamic IP like I said

so make a different open-relay port is the same problem

> So either I need to be able to add a hostname/domain instead of an IP
> to be able to send mail without authenticating or have an open relay on a
> non-standard port where I then configure in the router who can access
> it from outside

and how does this solve the dynamic IP?

> Or if you guys might have a better solution?

yes, they have to setup a postfix relay on their
internal network - any other solution in context
of dynamic IP's is pure crap and dangerous

relayhost               = [your-smtp-server]:587
smtp_sasl_auth_enable   = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

cat /etc/postfix/sasl_passwd
# CHANGES: postmap /etc/postfix/sasl_passwd
[your-smtp-server]:587 username:password

#289608 From: Wietse Venema <wietse@...>
Date: Thu Nov 22, 2012 2:22 pm
Subject: Re: Configure open relay on specific port
 
Patric Falinder:
> All I actually need to do is to allow a dyndns-address to send without
> authentication.

Wietse:
> And why can't the SMTP client be bothered to authenticate?

Patric Falinder:
> Some of our customers "business-systems" are for some reason
> programmed so they're not able to authenticate. Now this hasn't
> been a problem for any of them because they've had a local mailserver
> (Exchange) where we have configured it so it didn't have to
> authenticate. But now when we have migrated all their mail to our
> servers and shutdown their old one, they can't use that anymore
> and need to use ours.

Hostname lookup is not a solution. Due to caching effects there
simply is no guarantee that the name will always exist and resolve
to the current client address BEFORE the client connects to you.

I deplore the lack of planning that went into this migration; it
would have been easy enough to provide an SMTP proxy for off-site
locations that authenticates with SASL or TLS certificate. The
whole thing could be done in a few lines of Perl or Python.

	 Wietse

#289609 From: Patric Falinder <patric.falinder@...>
Date: Thu Nov 22, 2012 2:56 pm
Subject: Re: Configure open relay on specific port
 
Wietse Venema wrote 2012-11-22 15:22:
> Patric Falinder:
>> All I actually need to do is to allow a dyndns-address to send without
>> authentication.
> Wietse:
>> And why can't the SMTP client be bothered to authenticate?
> Patric Falinder:
>> Some of our customers "business-systems" are for some reason
>> programmed so they're not able to authenticate. Now this hasn't
>> been a problem for any of them because they've had a local mailserver
>> (Exchange) where we have configured it so it didn't have to
>> authenticate. But now when we have migrated all their mail to our
>> servers and shutdown their old one, they can't use that anymore
>> and need to use ours.
> Hostname lookup is not a solution. Due to caching effects there
> simply is no guarantee that the name will always exist and resolve
> to the current client address BEFORE the client connects to you.
>
> I deplore the lack of planning that went into this migration; it
> would have been easy enough to provide an SMTP proxy for off-site
> locations that authenticates with SASL or TLS certificate. The
> whole thing could be done in a few lines of Perl or Python.
>
>  Wietse
So it's not possible to have Postfix listening on another port with
different settings, like skipping the authentication bit and have it act
like an open relay?
This is easily done in Exchange and I would guess it's possible in
Postfix too, I just don't know how. I know the complications of having
it configured this way so I don't need to be told that it's dangerous
etc. because I'm aware of the dangers.


Thanks,
-Patric

#289610 From: Noel Jones <njones@...>
Date: Thu Nov 22, 2012 3:05 pm
Subject: Re: reject sasl_authenticated
 
On 11/22/2012 3:21 AM, Tom Kinghorn wrote:
> Good morning list.
>
> Is it possible to reject sasl_authentication from certain users?

you can use an external policy service that rejects the mail when
sasl_username is the compromised user.
http://www.postfix.org/SMTPD_POLICY_README.html

The postfwd policy server can do this pretty easily, but it's not
the only choice.
http://postfwd.org/
http://www.postfix.org/addon.html#policy




   -- Noel Jones
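
The policy-service approach suggested above, as an added example that is not part of the original post and is not Postfix or postfwd code: a small server speaking the SMTPD_POLICY_README request format that rejects mail when `sasl_username` is on a blocklist. The account name, the listening port 10040, the reject text and the sample request are assumptions constructed for illustration.

```python
"""Postfix policy-delegation service that rejects mail from listed SASL logins."""
import socketserver

# Hypothetical list of accounts whose credentials are considered compromised.
BLOCKED_SASL_USERS = {"compromised.user@example.com"}
REJECT_ACTION = "REJECT account suspended, contact postmaster"

# Constructed request in the name=value format of SMTPD_POLICY_README:
# one attribute per line, terminated by an empty line.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "sasl_method=PLAIN\n"
    "sasl_username=compromised.user@example.com\n"
    "sender=someone@example.com\n"
    "recipient=rcpt@example.net\n"
    "\n"
)


def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, blocked=BLOCKED_SASL_USERS):
    """Return the access(5) action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # Assumption: logins are compared case-insensitively; adjust this to
    # match how the SASL backend treats user names.
    user = attrs.get("sasl_username", "").strip().lower()
    if user and user in blocked:
        return REJECT_ACTION
    # DUNNO leaves the decision to the next restriction in the list.
    return "DUNNO"


def serve_stream(rfile, wfile, blocked=BLOCKED_SASL_USERS):
    """Answer every request on one connection and return how many were answered."""
    pending, answered = [], 0
    for raw in rfile:
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if line:
            pending.append(line)
            continue
        # An empty line ends the request; the reply is action=... plus an empty line.
        action = decide(parse_request(pending), blocked)
        wfile.write(f"action={action}\n\n".encode())
        wfile.flush()
        pending, answered = [], answered + 1
    return answered


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        serve_stream(self.rfile, self.wfile)


if __name__ == "__main__":
    # Hooked in from main.cf with, for example (port is an assumption):
    #   smtpd_recipient_restrictions =
    #       check_policy_service inet:127.0.0.1:10040, ...
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

The check must be listed before any restriction that permits authenticated clients, otherwise the permit is reached first and the policy service is never consulted for that login.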

#289611 From: Reindl Harald <h.reindl@...>
Date: Thu Nov 22, 2012 3:22 pm
Subject: Re: Configure open relay on specific port
 
first: do NOT reply off-list!

On 22.11.2012 15:56, Patric Falinder wrote:
> Reindl Harald wrote 2012-11-22 15:20:
>>
>> On 22.11.2012 15:06, Patric Falinder wrote:
>>> Right now I have added their IP to 'mynetworks' and it's working fine for now,
>>> but it's not reliable as they have a dynamic IP like I said
>> so make a different open-relay port is the same problem
> How so?
> If I have an open relay I don't have to specify the IP in
> 'mynetworks' and don't have to care to change it if their
> IP is updated as I will fix this on the firewall

so how the hell does it make a difference?

you have to configure SOMETHING in any case
the idea of a open-relay for dyn-addresses is crap

>> yes, they have to setup a postfix relay on their
>> internal network - any other solution in context
>> of dynamic IP's is pure crap and dangerous
>>
>> relayhost               = [your-smtp-server]:587
>> smtp_sasl_auth_enable   = yes
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>
>> cat /etc/postfix/sasl_passwd
>> # CHANGES: postmap /etc/postfix/sasl_passwd
>> [your-smtp-server]:587 username:password
>>
> Setting up a server just for that is not an option.

so kiss the customer goodbye as long he can not
provide a solution with a relay or force to
use software which is designed to work over WAN

> I know the complications of having an open relay but I really
> don't see the problem if I specify at a firewall level which IP's
> have access to it.

with a static IP on the clients side i agree
BUT with dynamic IP's this is only a bad joke

> So technically it's not an open relay as there's only specified IP's that
> has access to it in the end. And the reason I'm going to specify it
> on the firewall is because I can specify at hostname-level who's having access
> to it from the outside, I can't do that in Postfix

from where do you take the hostname?
PTR?

sorry but this is naive

* i control the PTR for my IP's
* i can setup whatever PTR i like for whatever of my IP's

there is no clean solution
force the customer to fix HIS side or kiss him goodbye!

#289612 From: Ralf Hildebrandt <r@...>
Date: Thu Nov 22, 2012 3:25 pm
Subject: Re: Configure open relay on specific port
 
* Patric Falinder <patric.falinder@...>:

> So it's not possible to have Postfix listening on another port with
> different settings, like skipping the authentication bit and have it
> act like an open relay?

Well of course:

-o smtpd_recipient_restrictions=...
-o ...

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Munich District Court (Amtsgericht München): HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich

#289613 From: Patric Falinder <patric.falinder@...>
Date: Thu Nov 22, 2012 3:32 pm
Subject: Re: Configure open relay on specific port
 
Ralf Hildebrandt wrote 2012-11-22 16:25:
> * Patric Falinder <patric.falinder@...>:
>
>> So it's not possible to have Postfix listening on another port with
>> different settings, like skipping the authentication bit and have it
>> act like an open relay?
> Well of course:
>
> -o smtpd_recipient_restrictions=...
> -o ...
>
Thank you! However I had to use:
-o smtpd_recipient_restrictions=permit,reject

It works but I get this error: warning: restriction `reject' after
`permit' is ignored
But if I use just permit it won't work at all.
Any ideas?

Thanks,
-Patric

#289614 From: /dev/rob0 <rob0@...>
Date: Thu Nov 22, 2012 3:37 pm
Subject: Re: Configure open relay on specific port
 
On Thu, Nov 22, 2012 at 11:43:51AM +0100, Patric Falinder wrote:
> Patric Falinder wrote 2012-11-22 10:02:
> >I need to configure Postfix to be an open relay on a specific
> >port, let's say 3326. I already have Postfix configured like a
> >normal mailserver that requires authentication etc. but I need it
> >to not ask for authentication on port 3326. How do I do this?
> >
> >I know this isn't safe but this port won't be open for the
> >internet, just specific IP's that I specify on my router, so I
> >won't be a target for spammers.

Even if safe, it is far from ideal.

> >I already have port 3325 open just like port 25, I did that

What is the purpose of this smtpd on 3325?

> >by just adding this to /etc/services:
> >smtp2           3325/tcp

(I don't edit services(5). I let IANA handle that. It only gives
resolution of the port by name. You could just as well use the
number.)

> >and in /etc/postfix/master.cf:
> >smtp2      inet  n       -       -       -       -       smtpd
> >
> >So I can do the same for port 3326 but I don't know how to
> >disable the authentication part. How can I do this?

> It would actually be easier if there's a way to accept
> hostnames (mail.example.com) directly on the standard ports
> without authentication.

This is doable (check_client_access) but not for you, read on.

> I use 'mynetworks' to allow different IP numbers to send mail
> without authenticating but it doesn't support domain-names/
> hostnames. Or maybe there's another way it should be done?

... And finally, the real goal is stated:

> All I actually need to do is to allow a dyndns-address to send
> without authentication.

(You really should have started with this.)

There are lots of workarounds available to SASL-allergic admins.
Mine, years ago, was to set up a site-to-site openvpn(8) tunnel,
adding the VPN IP address to mynetworks. This has the additional
benefit (FSVO "benefit") of hiding the "real" IP address in the
headers. Postfix only sees the VPN IP.

check_client_access won't work because it looks up only forward-
confirmed reverse DNS names. Your dynamic DNS probably only sets a
"forward" name, not the PTR for the IP address.

That said, there are a few thousand ways you might manage that, as
well. An entry in /etc/hosts(5) for the dynamic address, in most
cases, will bypass the PTR lookup. A simple script to edit your
/etc/hosts file when the dynamic host changes its address might
enable check_client_access.

Your script might just as well update a hash: file for mynetworks.

And another solution is to reconsider your SASL antipathy. It's
well-documented and not that hard to set up.

http://www.postfix.org/SOHO_README.html#client_sasl_enable
--
   http://rob0.nodns4.us/ -- system administration and consulting
   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

#289615 From: Robert Schetterer <rs@...>
Date: Thu Nov 22, 2012 3:40 pm
Subject: Re: Configure open relay on specific port
 
On 22.11.2012 16:32, Patric Falinder wrote:
> Ralf Hildebrandt wrote 2012-11-22 16:25:
>> * Patric Falinder <patric.falinder@...>:
>>
>>> So it's not possible to have Postfix listening on another port with
>>> different settings, like skipping the authentication bit and have it
>>> act like an open relay?
>> Well of course:
>>
>> -o smtpd_recipient_restrictions=...
>> -o ...
>>
> Thank you! However I had to use:
> -o smtpd_recipient_restrictions=permit,reject
>
> It works but I get this error: warning: restriction `reject' after
> `permit' is ignored
> But if I use just permit it won't work at all.
> Any ideas?
>
> Thanks,
> -Patric

for your dynamic ip problem , what about pop before smtp etc or some
port knocking  scripting etc, that may give a small piece of security

however i dont think open relays are a good idea at all
someday someone will abuse it

Best Regards
MfG Robert Schetterer


#289616 From: Wietse Venema <wietse@...>
Date: Thu Nov 22, 2012 4:18 pm
Subject: Re: Configure open relay on specific port
 
Patric Falinder:
> Ralf Hildebrandt wrote 2012-11-22 16:25:
> > * Patric Falinder <patric.falinder@...>:
> >
> >> So it's not possible to have Postfix listening on another port with
> >> different settings, like skipping the authentication bit and have it
> >> act like an open relay?
> > Well of course:
> >
> > -o smtpd_recipient_restrictions=...
> > -o ...
> >
> Thank you! However I had to use:
> -o smtpd_recipient_restrictions=permit,reject

In the next release, Postfix will require that a reject-like
restriction appears BEFORE permit.

	 Wietse
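
The ordering problem discussed in this sub-thread (the "restriction `reject' after `permit' is ignored" warning), as an added example that is not part of any post and is not Postfix code: a checker that reads master.cf and flags `-o ..._restrictions=` overrides where an unconditional result makes later entries unreachable, or where `permit` is reached before any relay guard. The sample master.cf and port 3327 are constructed; only the classic comma-separated `-o name=value` form is handled.

```python
"""Audit master.cf '-o ..._restrictions=' overrides for permit-before-reject lists."""
import re

TERMINAL = {"permit", "reject", "defer"}  # unconditional results
RELAY_LISTS = {"smtpd_recipient_restrictions", "smtpd_relay_restrictions"}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

# Constructed master.cf: port 3326 carries the override quoted in the thread,
# port 3327 (hypothetical) limits relaying to clients in mynetworks.
SAMPLE_MASTER_CF = """\
# service type  private unpriv chroot wakeup maxproc command + args
smtp      inet  n       -      -      -      -       smtpd
3326      inet  n       -      -      -      -       smtpd
  -o smtpd_recipient_restrictions=permit,reject
3327      inet  n       -      -      -      -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""


def logical_lines(text):
    """Join continuation lines (leading whitespace) and drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def service_overrides(line):
    """Return ('service/type', [(name, value), ...]) for one logical line."""
    fields = line.split()
    if len(fields) < 8:  # eight fixed columns come before the arguments
        return None, []
    args, pairs = fields[8:], []
    for i, tok in enumerate(args[:-1]):
        if tok == "-o" and "=" in args[i + 1]:
            name, _, value = args[i + 1].partition("=")
            pairs.append((name, value))
    return fields[0] + "/" + fields[1], pairs


def audit_list(name, value):
    """Walk one restriction list left to right, the order Postfix evaluates it."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    findings, guarded = [], False
    for i, tok in enumerate(tokens):
        if tok in RELAY_GUARDS:
            guarded = True
        if tok in TERMINAL:
            # Heuristic: other restriction lists (for example
            # smtpd_relay_restrictions where available) may still reject.
            if tok == "permit" and name in RELAY_LISTS and not guarded:
                findings.append("open-relay: unconditional permit")
            if i + 1 < len(tokens):
                findings.append(f"ignored after {tok}: " + ",".join(tokens[i + 1:]))
            break
    return findings


def audit_master_cf(text):
    """Return (service, parameter, finding) for every flagged override."""
    report = []
    for line in logical_lines(text):
        service, pairs = service_overrides(line)
        for name, value in pairs:
            if name.endswith("_restrictions"):
                report.extend((service, name, f) for f in audit_list(name, value))
    return report


if __name__ == "__main__":
    for service, name, finding in audit_master_cf(SAMPLE_MASTER_CF):
        print(f"{service}: {name}: {finding}")
```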

#289617 From: LEVAI Daniel <leva@...>
Date: Thu Nov 22, 2012 6:13 pm
Subject: Re: how to use 'user address' in virtual alias table with virtual domains
 
On Thu, Nov 22, 2012 at 08:57:46 -0500, Wietse Venema wrote:
> LEVAI Daniel:
> > Now I had the idea to simplify the $virtual_alias_maps table, and not
> > specify common usernames (like abuse, postmaster etc...) for every
> > single virtual domain separately, but specify only the usernames and map
>
> Are you perhaps creating every domain by hand? Let the computer do
> the work for you! Let the computer add the postmaster, abuse, etc.
> entries at domain creation time. As an extra benefit there will be
> fewer mistakes due to mis-typing postmaster, abuse, etc.

Naah :) A script adds these to the table, I just thought that I'll
reduce this somewhat-redundancy and define some catch-alls, that's all
:)

But I'll stay on track with this, then.

Thanks,
Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F

#289618 From: Alex <mysqlstudent@...>
Date: Thu Nov 22, 2012 6:39 pm
Subject: Re: Initial 220 greeting timeout
 
Hi,

>> I'm sure by now it's in the PBL or SBL.
>
> This is a bad assumption.  The PBL lists dynamics/etc, not snowshoe IPs.

Right, that makes sense. A spammer wouldn't have access to a
consecutive block of dynamic IPs, like from a cable company or
Verizon. It still could mean that it's listed in the PBL by now,
though.

>> They were later all tagged as spam, but it would definitely be nice to
>> be blocking these outright with postscreen.  I've now added an iptables
>> rule manually, but I wish there was a way to build in some
>> intelligence to automate it, such as with fail2ban.
>
> Unfortunately fail2ban doesn't work for snowshoe.  The rate is
> intentionally low, which is why snowshoe avoids most trap driven DNSBLs
> as well.

I have fail2ban working with dnsblog. It may not necessarily work for
snowshoe, but it works well for repeated attempts. Just to confirm my
understanding, dnsblog does the lookup and logging, then rejects based
on the policy, correct? So it wouldn't be necessary to filter on
postscreen entries because it's the same IP log info as with dnsblog?

>> Are you suggesting I increase the weight of the BRBL with postscreen?
>
> I don't use postscreen.  I block outright in SMTPD on any DNSBL hit.
> I.e. I don't use weighting.  With any of the reputable DNSBLs you should
> probably outright block, not score.  So set postscreen weighting so any

Okay, I've set the postscreen threshold to 1, so any hit is a reject.
It's already dramatically increased the number of rejects.

I've also added the reject_rhsbl_reverse_client and other rhsbl
statements you've recommended. I decided not to bother with
warn_if_reject and trust the DNSBLs. I realize it's doing twice as
many DNS lookups for now. I'll also have to whitelist any false
positive IPs in multiple places for now too.

When I was working on this in 2010 (how the hell did you remember
that?), my system was so old that it not only didn't support
warn_if_reject, it didn't support any of the rhsbl statements in
smtpd_recipient_restrictions. It was certainly pre-2.0 release I was
using, so I wasn't able to implement any of the suggestions.

> smtpd_recipient_restrictions =
>         ...
>         reject_rhsbl_reverse_client dbl.spamhaus.org
>         reject_rhsbl_sender dbl.spamhaus.org
>         reject_rhsbl_helo dbl.spamhaus.org
>         ...
>
> And in fact you asked about DNSBLS in April 2010
> http://comments.gmane.org/gmane.mail.postfix.user/208344
>
> and were given all of this information then, by Ralf and myself.  You
> can also use multi.uribl.com and multi.surbl.org here, requiring a total
> of 9 parameter entries.

For now I've just added the spamhaus.org entries. I've added them
after reject_unknown_recipient_domain and before check_helo_access. Is
that correct?

How about barracuda? I'm currently using it with postscreen.

I think I like postscreen better than the rhsbl statements because of
the additional features of postscreen.

> I just noticed you don't require HELO.  So you need this as well:
>
> smtpd_helo_required = yes
>
> And in fact, your current HELO based restrictions are having no effect
> if clients don't send HELO/EHLO:
>
> check_helo_access pcre:/etc/postfix/helo_checks.pcre
> reject_invalid_helo_hostname

Okay, awesome, I've added that. I didn't even think it was possible to
send mail without that.

Headed off for some turkey, so for now I'll just say thanks and great
advice about the SSD system. I'm definitely interested in building an
SSD system, and planned on doing that early next year, once I have the
resources from the customer.

Thanks again,
Alex

#289619 From: Wietse Venema <wietse@...>
Date: Thu Nov 22, 2012 6:56 pm
Subject: Re: how to use 'user address' in virtual alias table with virtual domains
 
LEVAI Daniel:
> On Thu, Nov 22, 2012 at 08:57:46 -0500, Wietse Venema wrote:
> > LEVAI Daniel:
> > > Now I had the idea to simplify the $virtual_alias_maps table, and not
> > > specify common usernames (like abuse, postmaster etc...) for every
> > > single virtual domain separately, but specify only the usernames and map
> >
> > Are you perhaps creating every domain by hand? Let the computer do
> > the work for you! Let the computer add the postmaster, abuse, etc.
> > entries at domain creation time. As an extra benefit there will be
> > fewer mistakes due to mis-typing postmaster, abuse, etc.
>
> Naah :) A script adds these to the table, I just thought that I'll
> reduce this somewhat-redundancy and define some catch-alls, that's all
> :)
>
> But I'll stay on track with this, then.

Indeed. Postfix does not have postmaster@$=virtual_mailbox_domains
(as Sendmail has) that automagically searches the specified domain
list.

	 Wietse

#289620 From: "Sharma, Ashish" <ashish.sharma3@...>
Date: Fri Nov 23, 2012 7:58 am
Subject: RE: C/C++ based Content filter API
 
Jona,

The suggested solution is too specific to postfix, in my solution I might use
SMTP aware content filter like amavisd-new prior to feeding mail to my own
custom content filter, so pipe is not suitable in my case.

I am looking for a SMTP aware content filter api in C/C++ just like
'subethasmtp' (http://code.google.com/p/subethasmtp/) for Java.

Thanks
Ashish

-----Original Message-----
From: owner-postfix-users@... [mailto:owner-postfix-users@...]
On Behalf Of DTNX Postmaster
Sent: Wednesday, November 21, 2012 9:50 PM
To: Postfix users
Subject: Re: C/C++ based Content filter API

On Nov 21, 2012, at 15:10, Sharma, Ashish wrote:

> Any comments on the following  posted queries.

I suggest you read the documentation available, such as;

http://www.postfix.org/documentation.html
http://www.postfix.org/CONTENT_INSPECTION_README.html
http://www.postfix.org/FILTER_README.html
http://www.postfix.org/pipe.8.html

Cya,
Jona

--

> -----Original Message-----
> From: owner-postfix-users@... [mailto:owner-postfix-users@...]
> On Behalf Of Sharma, Ashish
> Sent: Monday, November 19, 2012 8:35 PM
> To: postfix-users@...
> Subject: C/C++ based Content filter API
>
> Hi,
>
> I am implementing a customized enterprise solution where I need to receive an
> email, pull out the contents from the email and initiate some enterprise
> operations based on the received content of the email.
>
> I am using Postfix as mail receiving server and, for mail parsing I am
> planning to use Gmime (http://spruce.sourceforge.net/gmime/),
>
> The real problem here I am facing is that I am unable to find a good C/C++
> based Content filter api, as one is provided in java like 'subethasmtp'
> (http://code.google.com/p/subethasmtp/).
>
> Can someone suggest one please?
>
> Thanks in advance!!!
>
> Ashish

#289621 From: DTNX Postmaster <postmaster@...>
Date: Fri Nov 23, 2012 8:34 am
Subject: Re: C/C++ based Content filter API
 
On Nov 23, 2012, at 08:58, Sharma, Ashish wrote:

> Jona,
>
> The suggested solution is too specific to postfix, in my solution I might use
> SMTP aware content filter like amavisd-new prior to feeding mail to my own
> custom content filter, so pipe is not suitable in my case.
>
> I am looking for a SMTP aware content filter api in C/C++ just like
> 'subethasmtp' (http://code.google.com/p/subethasmtp/) for Java.

I think you either did not read/understand the documentation, are
asking on the wrong list, or both. Postfix supports several ways to
chain together components, and build custom mail workflows. Passing
mail to amavisd-new before redirecting it to a pipe is not a problem,
for example, and that's just one of the options available.

If your Google search for C/C++ libraries did not yield any usable
results, and the use of Python, Perl, Java or what have you is not an
option, then you'll either have to write something from scratch, or
redefine your problem.

Cya,
Jona

--

> -----Original Message-----
> From: owner-postfix-users@... [mailto:owner-postfix-users@...]
> On Behalf Of DTNX Postmaster
> Sent: Wednesday, November 21, 2012 9:50 PM
> To: Postfix users
> Subject: Re: C/C++ based Content filter API
>
> On Nov 21, 2012, at 15:10, Sharma, Ashish wrote:
>
>> Any comments on the following  posted queries.
>
> I suggest you read the documentation available, such as;
>
> http://www.postfix.org/documentation.html
> http://www.postfix.org/CONTENT_INSPECTION_README.html
> http://www.postfix.org/FILTER_README.html
> http://www.postfix.org/pipe.8.html
>
> Cya,
> Jona
>
> --
>
>> -----Original Message-----
>> From: owner-postfix-users@...
>> [mailto:owner-postfix-users@...] On Behalf Of Sharma, Ashish
>> Sent: Monday, November 19, 2012 8:35 PM
>> To: postfix-users@...
>> Subject: C/C++ based Content filter API
>>
>> Hi,
>>
>> I am implementing a customized enterprise solution where I need to receive an
>> email, pull out the contents from the email and initiate some enterprise
>> operations based on the received content of the email.
>>
>> I am using Postfix as mail receiving server and, for mail parsing I am
>> planning to use Gmime (http://spruce.sourceforge.net/gmime/),
>>
>> The real problem here I am facing is that I am unable to find a good C/C++
>> based Content filter api, as one is provided in java like 'subethasmtp'
>> (http://code.google.com/p/subethasmtp/).
>>
>> Can someone suggest one please?
>>
>> Thanks in advance!!!
>>
>> Ashish
>

#289622 From: Wietse Venema <wietse@...>
Date: Fri Nov 23, 2012 1:50 pm
Subject: Re: C/C++ based Content filter API
 
Sharma, Ashish:
> Jona,
>
> The suggested solution is too specific to postfix, in my solution
> I might use SMTP aware content filter like amavisd-new prior to
> feeding mail to my own custom content filter, so pipe is not
> suitable in my case.

CONTENT_INSPECTION_README introduces two SMTP-based filter solutions.

> I am looking for a SMTP aware content filter api in C/C++ just
> like 'subethasmtp' (http://code.google.com/p/subethasmtp/) for
> Java.

Amavisd-new is widely used with Postfix and already does all the
MIME parsing that you need.

	 Wietse

#289623 From: citb@...
Date: Sat Nov 24, 2012 12:55 am
Subject: Re: OpenSSL: TXT_DB error number 2
 
>> >         $ openssl s_client -starttls smtp -connect mail.example.com:25
>>
>> The above command returned
>>
>> SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol
>
> Check the server logs.

/var/log/mail.info:

warning: cannot get RSA private key from file /etc/postfix/smtpd.pem:
disabling TLS support
warning: TLS library problem ... Expecting: ANY PRIVATE KEY

I used these commands [0] to create smtpd.pem:

  # cd /etc/postfix
  # tmp=$(mktemp smtpd.pem.XXXXXX)
  # openssl req -x509 -new -newkey rsa:1280 -nodes -keyout /dev/stdout \
         -days $((365 * 10)) -subj "/CN=mail.example.com" > $tmp
  # chmod 0600 $tmp
  # mv $tmp smtpd.pem

Why does Postfix fail to get a key from smtpd.pem?

main.cf:

smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_key_file = /etc/postfix/smtpd.pem

Thanks

[0] http://article.gmane.org/gmane.mail.postfix.user/233328

#289624 From: The Doctor <doctor@...>
Date: Sat Nov 24, 2012 2:46 am
Subject: SSL Certificates
 
I was wondering who is the best CA Cert for Postfix?
--
Member - Liberal International This is doctor@... Ici doctor@...
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Merry Christmas 2012 and Happy New Year 2013


#289625 From: Stan Hoeppner <stan@...>
Date: Sat Nov 24, 2012 3:03 am
Subject: Re: Initial 220 greeting timeout
 
On 11/22/2012 12:39 PM, Alex wrote:
> Hi,
>
>>> I'm sure by now it's in the PBL or SBL.
>>
>> This is a bad assumption.  The PBL lists dynamics/etc, not snowshoe IPs.
>
> Right, that makes sense. A spammer wouldn't have access to a
> consecutive block of dynamic IPs, like from a cable company or
> Verizon. It still could mean that it's listed in the PBL by now,
> though.

Again, the IP in question will never be listed in the PBL.  SBL maybe,
PBL no.  Might be time to brush up on Spamhaus' various lists and their
criteria.

>>> They were later all tagged as spam, but it would definitely be nice to
>>> be blocking these outright with postscreen.  I've now added an iptables
>>> rule manually, but I wish there was a way to build in some
>>> intelligence to automate it, such as with fail2ban.
>>
>> Unfortunately fail2ban doesn't work for snowshoe.  The rate is
>> intentionally low, which is why snowshoe avoids most trap driven DNSBLs
>> as well.
>
> I have fail2ban working with dnsblog. It may not necessarily work for
> snowshoe, but it works well for repeated attempts.

Fail2ban doesn't stop spam.  It merely shifts the burden of rejection
from Postfix to the IP stack.  And it won't work for snowshoe because
you're never going to detect snowshoe with Postscreen, or any Postfix
controls.

> Just to confirm my
> understanding, dnsblog does the lookup and logging, then rejects based
> on the policy, correct? So it wouldn't be necessary to filter on
> postscreen entries because it's the same IP log info as with dnsblog?

Someone else will need to answer this.

>>> Are you suggesting I increase the weight of the BRBL with postscreen?
>>
>> I don't use postscreen.  I block outright in SMTPD on any DNSBL hit.
>> I.e. I don't use weighting.  With any of the reputable DNSBLs you should
>> probably outright block, not score.  So set postscreen weighting so any
>
> Okay, I've set the postscreen threshold to 1, so any hit is a reject.
> It's already dramatically increased the number of rejects.

And decreased the load on your content filters as well, I presume, and
likely decreased or eliminated your 220 delay issue.

> I've also added the reject_rhsbl_reverse_client and other rhsbl
> statements you've recommended. I decided not to bother with
> warn_if_reject and trust the DNSBLs. I realize it's doing twice as
> many DNS lookups for now.

You're using SA which makes all of these same DNSBL lookups.  So you're
not doing any extra lookups, just doing them sooner in the cycle.  If
mail reaches SA its lookups are now local to your resolver, which speeds
up SA as it doesn't have to wait for remote DNS server responses.

> I'll also have to whitelist any false
> positive IPs in multiple places for now too.

RHSBL restrictions trigger on domains, not IPs.  Domains that end up on
domain based block lists or URI block lists rarely, if ever, send legit
mail.

> When I was working on this in 2010 (how the hell did you remember
> that?), my system was so old that it not only didn't support
> warn_if_reject, it didn't support any of the rhsbl statements in
> smtpd_recipient_restrictions. It was certainly pre-2.0 release I was
> using, so I wasn't able to implement any of the suggestions.

It's obviously always best to stay close to current.

>> smtpd_recipient_restrictions =
>>         ...
>>         reject_rhsbl_reverse_client dbl.spamhaus.org
>>         reject_rhsbl_sender dbl.spamhaus.org
>>         reject_rhsbl_helo dbl.spamhaus.org
>>         ...
>>
>> And in fact you asked about DNSBLS in April 2010
>> http://comments.gmane.org/gmane.mail.postfix.user/208344
>>
>> and were given all of this information then, by Ralf and myself.  You
>> can also use multi.uribl.com and multi.surbl.org here, requiring a total
>> of 9 parameter entries.
>
> For now I've just added the spamhaus.org entries. I've added them
> after reject_unknown_recipient_domain and before check_helo_access. Is
> that correct?

I always put my least expensive restrictions first and most expensive
last.  So inbuilt Postfix checks go first, then local table checks, then
DNSBL lookups, then content filters.

> How about barracuda? I'm currently using it with postscreen.

Set it to reject outright (which I believe you already have) and you're
done.

> I think I like postscreen better than the rhsbl statements because of
> the additional features of postscreen.

Fuzzy dice hang'n on your mirror don't make the car go faster.  If you
find that you *need* weighting of RHS domain rejection decisions due to
high FPs (which I doubt), then you can use postfwd or policyd for
weighting.  Keep in mind policy servers are much slower than Postfix
smtpd restrictions, but faster than content filters.  Thus it's always
best to reject with inbuilt Postfix restrictions if you can, on a busy
server.

>> I just noticed you don't require HELO.  So you need this as well:
>>
>> smtpd_helo_required = yes
>>
>> And in fact, your current HELO based restrictions are having no effect
>> if clients don't send HELO/EHLO:
>>
>> check_helo_access pcre:/etc/postfix/helo_checks.pcre
>> reject_invalid_helo_hostname
>
> Okay, awesome, I've added that. I didn't even think it was possible to
> send mail without that.

I'm not sure if the latest SMTP RFC requires HELO/EHLO or not.
Regardless, you should enforce it or your HELO checks may be worthless.

> Headed off for some turkey,

Hope you didn't gain 10 pounds like many of us. :)

> so for now I'll just say thanks and great
> advice about the SSD system. I'm definitely interested in building an
> SSD system, and planned on doing that early next year, once I have the
> resources from the customer.

Prices should be a little lower by then as well, at least for the SSDs.
The RAID card prices may not move much.  SSD simply makes so much
sense for a mail gateway.  You never have to worry about a queue IO
bottleneck again.

> Thanks again,

Always glad to help.

--
Stan
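
A check for the HELO point made in the message above, as an added example that is not part of the original post: it reads `postconf -n` style output and fails when HELO-based restrictions are configured without smtpd_helo_required = yes. The function name and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag HELO-based restrictions that a client can skip by
# never sending HELO/EHLO. Reads "name = value" lines (main.cf syntax,
# continuation lines allowed) on stdin.
# Returns 0 when HELO checks are enforced or not used, 1 otherwise.
helo_checks_enforced() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^[^ \t]/ {                             # start of a parameter
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (name == "smtpd_helo_required") required = (val == "yes")
        }
        /^[ \t]/ { val = $0 }                   # continuation of that parameter
        # Any smtpd_*_restrictions list that names a HELO-based restriction.
        name ~ /^smtpd_[a-z_]+_restrictions$/ &&
        val ~ /check_helo_[a-z_]*access|reject_[a-z_]*helo/ { helo_used = 1 }
        END { exit (helo_used && !required) }
    '
}

# Constructed sample: HELO checks present, smtpd_helo_required left at "no".
SAMPLE_WEAK='smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    reject_invalid_helo_hostname'

# Constructed sample: the same restrictions with HELO made mandatory.
SAMPLE_FIXED="smtpd_helo_required = yes
$SAMPLE_WEAK"

# On a live system:
#   postconf -n | helo_checks_enforced || echo "HELO checks can be skipped"
```
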

#289626 From: Glenn Park <glennfpark@...>
Date: Sat Nov 24, 2012 3:55 am
Subject: [OT] Non-interactive Debian (aptitude) install
 
Hello,

When I install Postfix using aptitude on a fresh Debian system, an
interactive GUI comes up asking me how it wants me to configure
postfix.  I'd like to suppress this interface and make it default to
"No configuration" (I am automating the installation and have my own
configuration files, thank you).  However I can find nothing
documented that allows me to do this.  Can anyone help?

Thank you

#289627 From: Simon Brereton <simon.buongiorno@...>
Date: Sat Nov 24, 2012 3:56 am
Subject: Re: SSL Certificates
 


On Nov 23, 2012 9:48 PM, "The Doctor" <doctor@...> wrote:
>
> I was wondering who is the best CA Cert for Postfix?

The one YOU trust the most - even if that's someone no one else has heard of.

Simon


#289628 From: "Jeremy T. Bouse" <jeremy.bouse@...>
Date: Sat Nov 24, 2012 3:57 am
Subject: Re: SSL Certificates
 
I use StartCOM (http://www.startcom.org/) for all my SSL certificate
needs. I've had no problem with the certificates generated and signed
through them working with Postfix installations.

On 23.11.2012 20:46, The Doctor wrote:
> I was wondering who is the best CA Cert for Postfix?
> --
> Member - Liberal International This is doctor@... Ici
> doctor@...
> God,Queen and country!Never Satan President Republic!Beware
> AntiChrist rising!
> http://www.fullyfollow.me/rootnl2k Merry Christmas 2012 and Happy New
> Year 2013

#289629 From: Scott Kitterman <postfix@...>
Date: Sat Nov 24, 2012 4:43 am
Subject: Re: [OT] Non-interactive Debian (aptitude) install
 
On Friday, November 23, 2012 07:55:57 PM Glenn Park wrote:
> Hello,
>
> When I install Postfix using aptitude on a fresh Debian system, an
> interactive GUI comes up asking me how it wants me to configure
> postfix.  I'd like to suppress this interface and make it default to
> "No configuration" (I am automating the installation and have my own
> configuration files, thank you).  However I can find nothing
> documented that allows me to do this.  Can anyone help?

There are some assumptions built into the way the postfix packaging interacts
with debconf that make this a risky thing to do.  See (Debian and Ubuntu are
the same in this regard):

https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1027061

Scott K

#289630 From: Glenn Park <glennfpark@...>
Date: Sat Nov 24, 2012 5:29 am
Subject: Re: [OT] Non-interactive Debian (aptitude) install
 
On Fri, Nov 23, 2012 at 8:43 PM, Scott Kitterman <postfix@...> wrote:
> On Friday, November 23, 2012 07:55:57 PM Glenn Park wrote:
>> Hello,
>>
>> When I install Postfix using aptitude on a fresh Debian system, an
>> interactive GUI comes up asking me how it wants me to configure
>> postfix.  I'd like to suppress this interface and make it default to
>> "No configuration" (I am automating the installation and have my own
>> configuration files, thank you).  However I can find nothing
>> documented that allows me to do this.  Can anyone help?
>
> There are some assumptions built into the way the postfix packaging interacts
> with debconf that make this a risky thing to do.  See (Debian and Ubuntu are
> the same in this regard):
>
> https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1027061

Pardon my lack of understanding here (I did read that whole
conversation), but I'm a little hazy on what the problem is.  What's
the difference between giving a "No Configuration" answer ahead of
time/by default and doing it with the GUI that is presented?  But are
you saying that it's impossible to suppress anyway?

Rather, you seem to be suggesting that upon update, we may see our
configuration changed out from under us?  We are not using puppet or
anything like that.  Config is by hand.

#289631 From: Scott Kitterman <postfix@...>
Date: Sat Nov 24, 2012 6:02 am
Subject: Re: [OT] Non-interactive Debian (aptitude) install
 
On Friday, November 23, 2012 09:29:08 PM Glenn Park wrote:
> On Fri, Nov 23, 2012 at 8:43 PM, Scott Kitterman <postfix@...> wrote:
> > On Friday, November 23, 2012 07:55:57 PM Glenn Park wrote:
> >> Hello,
> >>
> >> When I install Postfix using aptitude on a fresh Debian system, an
> >> interactive GUI comes up asking me how it wants me to configure
> >> postfix.  I'd like to suppress this interface and make it default to
> >> "No configuration" (I am automating the installation and have my own
> >> configuration files, thank you).  However I can find nothing
> >> documented that allows me to do this.  Can anyone help?
> >
> > There are some assumptions built into the way the postfix packaging
> > interacts with debconf that make this a risky thing to do.  See (Debian
> > and Ubuntu are the same in this regard):
> >
> > https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1027061
>
> Pardon my lack of understanding here (I did read that whole
> conversation), but I'm a little hazy on what the problem is.  What's
> the difference between giving a "No Configuration" answer ahead of
> time/by default and doing it with the GUI that is presented?  But are
> you saying that it's impossible to suppress anyway?
>
> Rather, you seem to be suggesting that upon update, we may see our
> configuration changed out from under us?  We are not using puppet or
> anything like that.  Config is by hand.

Yes.  The postfix package is designed to be configured by the debconf (Debian
Configuration) system.  If, in the internal status of the debconf system,
postfix is marked as "No configuration" via there being no status entry,
there's currently no way to distinguish between "desired configuration is 'No
configuration'" and "Don't do anything, something else will handle it."

I have not had time to research this issue.  I expect it's reasonably
tractable to fix, but I don't know when I'll be able to get to it.

What I usually do is pick "Internet site" and then modify things from there.
If you do that once, even if you copy your config files over the provided ones,
you won't have to worry about your changes getting reverted.

Scott K

#289632 From: Noel Jones <njones@...>
Date: Sat Nov 24, 2012 6:34 am
Subject: Re: SSL Certificates
 
On 11/23/2012 8:46 PM, The Doctor wrote:
> I was wondering who is the best CA Cert for Postfix?
>

Probably the same as the best CA for dovecot, and it depends on your
needs.

Any certificate will give good security, the difference is how many
end-user software applications will automatically trust the certificate.

For a personal or small group server, a self-signed certificate is
great.  Just tell the small group to add your self-signed snakeoil
certificate to their "trusted" list.

For a business where you want the certificate to work automatically
with most client software, most of the low-cost CAs will be fine
(not the free ones).  I've used rapidsslonline, godaddy, and some
other one I can't think of right now.

If this is a commercial site, you may need an expensive certificate
from the big guys -- not because it provides better security, but
because it may be useful for your marketing.

So in the end, there is no single best.



   -- Noel Jones

#289633 From: Glenn Park <glennfpark@...>
Date: Sat Nov 24, 2012 7:05 am
Subject: Re: [OT] Non-interactive Debian (aptitude) install
 
On Fri, Nov 23, 2012 at 10:02 PM, Scott Kitterman <postfix@...> wrote:
> On Friday, November 23, 2012 09:29:08 PM Glenn Park wrote:
>> On Fri, Nov 23, 2012 at 8:43 PM, Scott Kitterman <postfix@...> wrote:
>> > On Friday, November 23, 2012 07:55:57 PM Glenn Park wrote:
>> >> Hello,
>> >>
>> >> When I install Postfix using aptitude on a fresh Debian system, an
>> >> interactive GUI comes up asking me how it wants me to configure
>> >> postfix.  I'd like to suppress this interface and make it default to
>> >> "No configuration" (I am automating the installation and have my own
>> >> configuration files, thank you).  However I can find nothing
>> >> documented that allows me to do this.  Can anyone help?
>> >
>> > There are some assumptions built into the way the postfix packaging
>> > interacts with debconf that make this a risky thing to do.  See (Debian
>> > and Ubuntu are the same in this regard):
>> >
>> > https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1027061
>>
>> Pardon my lack of understanding here (I did read that whole
>> conversation), but I'm a little hazy on what the problem is.  What's
>> the difference between giving a "No Configuration" answer ahead of
>> time/by default and doing it with the GUI that is presented?  But are
>> you saying that it's impossible to suppress anyway?
>>
>> Rather, you seem to be suggesting that upon update, we may see our
>> configuration changed out from under us?  We are not using puppet or
>> anything like that.  Config is by hand.
>
> Yes.  The postfix package is designed to be configured by the debconf (Debian
> Configuration) system.  If, in the internal status of the debconf system,
> postfix is marked as "No configuration" via there being no status entry,
> there's currently no way to distinguish between "desired configuration is 'No
> configuration'" and "Don't do anything, something else will handle it."
>
> I have not had time to research this issue.  I expect it's reasonably
> tractable to fix, but I don't know when I'll be able to get to it.
>
> What I usually do is pick "Internet site" and then modify things from there.
> If you do that once, even if you copy your config files over the provided
> ones, you won't have to worry about your changes getting reverted.

Whoa, wait, so even if I choose "No configuration" in the GUI, my
config may be overwritten?

If I have to choose "Internet site" in order to be able to put my own
config files in place (and not have them overwritten), that's fine.
But my question is how I can do that unattended?

Thanks, Scott
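
One way to script the "Internet site" route discussed above, as an added example that is not part of the thread: answer the postfix package's two debconf questions (postfix/main_mailer_type and postfix/mailname) before a non-interactive install. The function names, mail.example.com and the paths in the comments are assumptions, and apt-get is used here in place of aptitude.

```shell
#!/bin/sh
# Added example: unattended Postfix install on Debian/Ubuntu by preseeding
# debconf, then replacing the generated files with your own.

# postfix_preseed MAILNAME: print the debconf selections, one answer per line.
postfix_preseed() {
    mailname=$1
    # Refuse empty names and anything that could break the line-based format.
    case $mailname in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid mail name: $mailname" >&2
            return 1 ;;
    esac
    printf 'postfix postfix/main_mailer_type select Internet Site\n'
    printf 'postfix postfix/mailname string %s\n' "$mailname"
}

# install_postfix_unattended MAILNAME: run as root on a Debian-family system.
install_postfix_unattended() {
    selections=$(postfix_preseed "$1") || return 1
    # Store the answers so the package's config script has nothing to ask.
    printf '%s\n' "$selections" | debconf-set-selections || return 1
    # The noninteractive frontend suppresses the dialog entirely.
    DEBIAN_FRONTEND=noninteractive apt-get install -y postfix || return 1
    # Site-specific follow-up (paths are assumptions):
    #   cp /root/postfix-config/main.cf /root/postfix-config/master.cf /etc/postfix/
    #   postfix check && postfix reload
}

# Typical call from a provisioning script:
#   install_postfix_unattended mail.example.com
```
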
