Fw: What authentication method is the best SASL

2009-08-25 Thread Gaby L




I use SASL for remote clients.
What is the best authentication mechanism for SASL security? I use outlook 
express clients.
 
My smtpd conf is:
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

For courier-imap what is the best authentication method? I want to use it without MySQL.

Re: Fw: What authentication method is the best SASL

2009-08-25 Thread Patrick Ben Koetter
* Gaby L :
> I use SASL for remote clients.
> What is the best authentication mechanism for SASL security? I use outlook
> express clients.

STARTTLS and LOGIN combined give you an encrypted connection and crypted
password storage

NTLM gives you encrypted authentication and plaintext password storage

Choose for yourself


>
> My smtpd conf is:
> /usr/local/lib/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN
>
> For courier-imap what is the best authentication method? I want to use it without MySQL.
-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: Blocking mail "from me to me"

2009-08-25 Thread Daniel L'Hommedieu

On Aug 24, 2009, at 17:58, mouss wrote:

LuKreme a écrit :

On 24-Aug-2009, at 08:28, Daniel L'Hommedieu wrote:

The one bit of spam I'd like to stop, and I seem to remember seeing
talk of it at some point (but I've been unable to find it again) is
the spam appears to be "from me to me."  That is, the spammers who use
my email address as the from address.  Those emails get past the relay
and auth checks because the mail is not being relayed.  If I could
stop that spam, it would probably kill 100% of my spam.


The best way to deal with 'from me to me spam' in my opinion is to
implement SPF, then you can either reject SPF-fail, or hand mail to Spam
Assassin and score SPF fail up. That is, unless you are REALLY sure that
no one on your domain will ever send mail to themselves.




If you ever want to block this, there is absolutely no reason to check
dns. you know what domains are yours so you can simply use an access list:

check_sender_access hash:/etc/postfix/mydomain

== mydomain
example.com     REJECT you cannot send on behalf of example.com
.example.com    REJECT you cannot send on behalf of example.com

please do not advocate SPF on this list. check the archives and you'll
see that it is taboo here.


Well, it looks like the combination of blocking mail "from me to me"
using check_sender_access (I used the PCRE method described earlier)
in combination with the ZEN spamhaus list is getting practically all
of my spam.  Those of you who were concerned about me blocking half
the world can now rest easy - that blocking is gone.


For those who are curious, here is my smtpd_recipient_restrictions:

smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
check_sender_access pcre:/etc/postfix/reject_my_domain,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_unauth_destination,
reject_rbl_client zen.spamhaus.org

/etc/postfix/reject_my_domain contains:
/@foo\.net/ 554 You are not from foo.net.
/@bar\.com/ 554 You are not from bar.com.
/@oof\.com/ 554 You are not from oof.com.

If you guys don't mind looking, would you tell me if there's anything
else I need to change?  Here's the output of postconf -n:


alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost,  
$mydomain, foo.bar.com, www.bar.com, mail.bar.com, bar.com,  
foo2.bar.com, foo3.bar.com, foo4.bar.com, foo5.bar.com,  
foo.dyndns.org, foo.gotdns.com, foo6.bar.com, foo.is-a-geek.com,  
bar2.com

mynetworks = 10.0.1.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relayhost = smtprelay.isp.net
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, check_sender_access pcre:/etc/postfix/reject_my_domain,
reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_pipelining,
reject_unauth_destination, reject_rbl_client zen.spamhaus.org

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual

Most of the domains in mydestination are virtual alias domains, so I'm  
guessing that those should be moved to virtual_alias_domains, and that  
mydestination should be "$myhostname, localhost.$mydomain, localhost,  
$mydomain" only.  The others are FQDNs that point to my hostname but  
are

Re: Any C api to access Postfix programmatically?

2009-08-25 Thread Phill Macey
2009/8/24 Δημήτριος Καραπιπέρης :
>
> I came to this solution, a bash script to validate a local recipient
> employing the SMTP protocol.
>
Depending on your config, wouldn't you also be able to use 'postmap -q'
or 'postalias -q' to directly query a particular lookup table? That
would avoid a network connection and avoid cluttering logs with your
half-completed connections. I suppose talking SMTP lets you take
advantage of some of the smarts that postfix uses to do more recursive
type lookups or any other validations that might happen in the
background.

(recursive as in, in an access table, attempt to match
u...@host.example.com, then try host.example.com and .example.com etc.
Apologies if I have misunderstood how the access tables do their
matching - I'm a noob)

-- 
Phill


Recommendation for easy to use autoresponse

2009-08-25 Thread June Qiu
Hi,

I have been looking around and found some solutions for virtual users. In my 
case, I have a mixture of virtual and local user accounts. I want to be able to 
customise the response for each user.

Is there any autoresponse add-ons that I can use?


  


Re: Any C api to access Postfix programmatically?

2009-08-25 Thread Δημήτριος Καραπιπέρης


Users source could be ldap or mysql, not a hash file.
In essence, I need to employ the local_recipient_map property, which
holds all the valid recipients of the particular Postfix instance.

Dimitrios

O/H Phill Macey έγραψε:

2009/8/24 Δημήτριος Καραπιπέρης :
  

I came to this solution, a bash script to validate a local recipient
employing the SMTP protocol.



Depending on your config, wouldn't you also be able to use 'postmap -q'
or 'postalias -q' to directly query a particular lookup table? That
would avoid a network connection and avoid cluttering logs with your
half-completed connections. I suppose talking SMTP lets you take
advantage of some of the smarts that postfix uses to do more recursive
type lookups or any other validations that might happen in the
background.

(recursive as in, in an access table, attempt to match
u...@host.example.com, then try host.example.com and .example.com etc.
Apologies if I have misunderstood how the access tables do their
matching - I'm a noob)

  




Re: Blocking mail "from me to me"

2009-08-25 Thread kj

Martijn de Munnik wrote:

Most of this spam is also blocked using spamhaus. Also you could add SPF
to your own domain so no other servers could send mail using your
domain.
http://www.openspf.org/Introduction


One caveat is that SPF is used to verify the envelope sender, not what's 
in the From: field.


--kj


Block messages from *.mydomain.dom

2009-08-25 Thread pablo crivaro
Hi all! My domain is mydomain.dom. I want to block messages coming from 
*.mydomain.com (i.e. spamdomain.mydomain.dom). I couldn't find any 
configuration hint to do it.
Thanks in advance,




check_sender_access to virtual map?

2009-08-25 Thread Cameron Camp
LuKreme said to use:

check_sender_access hash:/etc/postfix/mydomain

== mydomain
example.com     REJECT you cannot send on behalf of example.com
.example.com    REJECT you cannot send on behalf of example.com

can I use:

check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_domains.cf

and if so, what entry should I add in mysql db mail table domains?

thx,
Cameron



Re: Block messages from *.mydomain.dom

2009-08-25 Thread ghe


On Aug 25, 2009, at 12:46 PM, pablo crivaro wrote:

Hi all! My domain is mydomain.dom. I want to block messages coming  
from *.mydomain.com (i.e. spamdomain.mydomain.dom). I couldn't find  
any configuration hint to do it.



I've done this by declaring my own internal domain names: slsware.dmz  
and .lan in the 192.168 1918 IP block and adding them to mynetworks.  
Then I just reject all mail from my .com domain by putting  
"check_helo_access hash:/etc/postfix/helo_checks" very early in the  
smtpd_recipient_restrictions:



# /etc/postfix/helo_checks

# This file has to be "compiled" with postmap
# postmap hash:/etc/postfix/helo_checks ; postfix reload

localhost       REJECT  You are not localhost
slsware.com     REJECT  No, no, no. You send *to* slsware.com
.slsware.com    REJECT  No, no, no. You send *to* slsware.com


--
Glenn English
g...@slsware.com





Re: Any C api to access Postfix programmatically?

2009-08-25 Thread Barney Desmond
2009/8/26 Δημήτριος Καραπιπέρης :
>
> Users source could be ldap or mysql, not a hash file.
> In essence, I need to employ the local_recipient_map property, which holds
> all the valid recipients
> of the particular Postfix instance.

You can use postmap -q to make such queries, ldap or mysql works just
the same as querying a hash file. That aside, this has the potential
to be complex anyway, so using SMTP after all isn't unreasonable.


Re: check_sender_access to virtual map?

2009-08-25 Thread Magnus Bäck
On Tuesday, August 25, 2009 at 21:24 CEST,
 Cameron Camp  wrote:

> LuKreme said to use:
> 
> check_sender_access hash:/etc/postfix/mydomain
> 
> == mydomain
> example.com     REJECT you cannot send on behalf of example.com
> .example.com    REJECT you cannot send on behalf of example.com
> 
> can I use:
> 
> check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_domains.cf

That depends on your table schema and the contents of
mysql-virtual_domains.cf.

> and if so, what entry should I add in mysql db mail table domains?

You should add whatever is necessary to make queries of example.com
and .example.com produce the results you're looking for. Postfix more
or less allows arbitrary queries, so you can store the data
in any way you want and just construct a suitable query.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: check_sender_access to virtual map?

2009-08-25 Thread Steve

Original message
> Date: Tue, 25 Aug 2009 12:24:15 -0700
> From: Cameron Camp 
> To: postfix-us...@cloud9.net
> Subject: check_sender_access to virtual map?

> LuKreme said to use:
> 
> check_sender_access hash:/etc/postfix/mydomain
> 
> == mydomain
> example.com     REJECT you cannot send on behalf of example.com
> .example.com    REJECT you cannot send on behalf of example.com
> 
> can I use:
> 
> check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
> 
Assuming the MySQL db you use has a table called domain and in that table you 
have a field domain holding the domain name and a field transport holding the 
transport used for that domain and assuming you want to limit that reject to 
domains using transport "maildrop", "local", "mailman", "virtual", "smtp", 
"securetls", "cyrus" and "dovecot" then I would construct the following query 
for Postfix to reject anyone claiming to be one of your domains:

query = SELECT CONCAT('REJECT You are not ','%s') FROM domain WHERE (('%s' LIKE 
CONCAT('%.',domain)) OR (domain='%s')) AND transport REGEXP 
'^\(maildrop\|local\|mailman\|virtual\|smtp\|securetls\|cyrus\|dovecot\)\:?' 
LIMIT 1


> and if so, what entry should I add in mysql db mail table domains?
> 
> thx,
> Cameron
>
Steve


Re: Blocking mail "from me to me"

2009-08-25 Thread mouss
Daniel L'Hommedieu a écrit :
> [snip]
> For those who are curious, here is my smtpd_recipient_restrictions:
> 
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks,

put
reject_unauth_destination
here. don't play with fire.

> check_sender_access pcre:/etc/postfix/reject_my_domain,
> reject_invalid_hostname,
> reject_non_fqdn_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_pipelining,
> reject_unauth_destination,
> reject_rbl_client zen.spamhaus.org
> 
> /etc/postfix/reject_my_domain contains:
> /@foo\.net/ 554 You are not from foo.net.
> /@bar\.com/ 554 You are not from bar.com.
> /@oof\.com/ 554 You are not from oof.com.
> 

1. you don't need pcre here. hash (or better yet, cdb) is enough. see
the example in my previous post.

2. when using pcre, make sure to "terminate" the expression. use
/@foo\.net$/
otherwise, you would match @foo.networkblahblah.com.

3. do not "hijack" domains. bar.com, ... are valid domains. use:
example.com, example.org, example.net, *.example instead.


> [snip]
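Why mouss says "don't play with fire" about the position of reject_unauth_destination is easiest to see by walking the restriction list the way smtpd does. The following is an added example, not code from the list or from Postfix: a small model of left-to-right evaluation of smtpd_recipient_restrictions in which the first OK or REJECT wins and reaching the end permits. The domains, networks and client contexts are constructed, and the table deliberately contains an OK entry for a "partner" domain (the list's table has only REJECT lines) to show what an access map consulted before reject_unauth_destination can do.

```python
"""Added example: model of smtpd_recipient_restrictions evaluation order.
Everything here (domains, networks, table entries, traffic) is constructed."""

MYDESTINATION = {"example.com", "mail.example.com"}  # constructed
MYNETWORKS = ("10.0.1.", "127.")                     # constructed prefixes

# Constructed sender access table. The REJECT line mirrors the list's
# "you cannot send on behalf of" entry; the OK line is the kind of
# well-meant whitelist entry that turns into an open relay when the
# map is consulted before reject_unauth_destination.
SENDER_ACCESS = {
    "example.com": "REJECT you cannot send on behalf of example.com",
    "partner.example": "OK",
}

def permit_sasl_authenticated(ctx):
    return "OK" if ctx.get("sasl_user") else "DUNNO"

def permit_mynetworks(ctx):
    return "OK" if ctx["client_ip"].startswith(MYNETWORKS) else "DUNNO"

def check_sender_access(ctx):
    # Simplified: only the domain part of the sender is looked up here.
    domain = ctx["sender"].rpartition("@")[2]
    action = SENDER_ACCESS.get(domain, "DUNNO")
    if action == "OK":
        return "OK"
    return "REJECT" if action.startswith("REJECT") else "DUNNO"

def reject_unauth_destination(ctx):
    rcpt_domain = ctx["recipient"].rpartition("@")[2]
    return "DUNNO" if rcpt_domain in MYDESTINATION else "REJECT"

def evaluate(restrictions, ctx):
    """First OK or REJECT wins; reaching the end of the list permits."""
    for restriction in restrictions:
        verdict = restriction(ctx)
        if verdict != "DUNNO":
            return verdict
    return "OK"

# The order from the list post (access map before reject_unauth_destination)
# and the order mouss recommends.
RISKY_ORDER = [permit_sasl_authenticated, permit_mynetworks,
               check_sender_access, reject_unauth_destination]
SAFE_ORDER = [permit_sasl_authenticated, permit_mynetworks,
              reject_unauth_destination, check_sender_access]

# Constructed test traffic.
RELAY_ATTEMPT = {"client_ip": "203.0.113.9",
                 "sender": "someone@partner.example",
                 "recipient": "victim@elsewhere.example"}
SPOOFED_OWN_DOMAIN = {"client_ip": "203.0.113.9",
                      "sender": "me@example.com",
                      "recipient": "me@example.com"}
NORMAL_INBOUND = {"client_ip": "203.0.113.9",
                  "sender": "friend@other.example",
                  "recipient": "me@example.com"}

if __name__ == "__main__":
    for name, ctx in [("relay attempt", RELAY_ATTEMPT),
                      ("spoofed own domain", SPOOFED_OWN_DOMAIN),
                      ("normal inbound", NORMAL_INBOUND)]:
        print(f"{name:20} risky={evaluate(RISKY_ORDER, ctx):6} "
              f"safe={evaluate(SAFE_ORDER, ctx)}")
```

With the safe order the "from me to me" rejection still fires (reject_unauth_destination returns DUNNO for a local recipient, so the sender map is reached), while the relay attempt is refused before any map result can override it.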


Re: check_sender_access to virtual map?

2009-08-25 Thread mouss
Cameron Camp a écrit :
> LuKreme said to use:

actually, it was mouss...

> 
> check_sender_access hash:/etc/postfix/mydomain
> 
> == mydomain
> example.com     REJECT you cannot send on behalf of example.com
> .example.com    REJECT you cannot send on behalf of example.com
> 
> can I use:
> 
> check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
> 

yes.

query = SELECT 'REJECT blah blah' from yourtable where
'%d' = domain or '%d' like concat('%.', domain);

the last part (to catch '.domain' variant) may or may not be needed,
depending on parent_domain_matches_

> and if so, what entry should I add in mysql db mail table domains?
> 
> thx,
> Cameron
> 
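
Two points from mouss's replies in this thread (the unterminated pcre pattern that also matches @foo.networkblahblah.com, and whether the ".example.com" entry is needed depending on parent_domain_matches_subdomains) both come down to which keys Postfix tries against a sender access table. The following is an added example, not code from the list or from Postfix: a model of the access(5) lookup sequence for an address key (full address, domain, parent domains, then localpart@), with the parent domains tried either as "example.com" or as ".example.com" depending on the setting, next to an unanchored and an anchored pcre pattern. The table entries and sample addresses are constructed.

```python
"""Added example: which keys check_sender_access tries, and why a pcre
pattern needs a terminating $. Table entries and addresses are constructed."""
import re

# Constructed hash-style table in the shape of the "mydomain" table from the list.
MYDOMAIN_TABLE = {
    "example.com": "REJECT you cannot send on behalf of example.com",
    ".example.com": "REJECT you cannot send on behalf of example.com",
}

def access_lookup_keys(address, parent_matches_subdomains):
    """Lookup sequence modelled on access(5): full address, domain, parent
    domains down to the top-level label, then localpart@. With smtpd_access_maps
    listed in parent_domain_matches_subdomains the parents are tried as
    "example.com"; otherwise only an explicit ".example.com" entry covers
    subdomains."""
    localpart, _, domain = address.rpartition("@")
    keys = [address, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(localpart + "@")
    return keys

def hash_action(address, table, parent_matches_subdomains=False):
    """First matching key wins; None stands for DUNNO (no entry)."""
    for key in access_lookup_keys(address, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None

# pcre-style patterns: the unterminated one from the list post and the
# anchored form mouss recommends.
UNANCHORED = re.compile(r"@foo\.net")
ANCHORED = re.compile(r"@foo\.net$")

def pcre_matches(address, pattern):
    return pattern.search(address) is not None

if __name__ == "__main__":
    for addr in ("spammer@example.com", "x@spam.example.com",
                 "x@example.com.evil.example"):
        print(addr, access_lookup_keys(addr, False),
              hash_action(addr, MYDOMAIN_TABLE, False))
    for addr in ("a@foo.net", "a@foo.networkblahblah.com"):
        print(addr, pcre_matches(addr, UNANCHORED), pcre_matches(addr, ANCHORED))
```

The last address in the demo shows why a hash table is the safer choice here: a domain that merely starts with "example.com" never produces the key "example.com", whereas the unanchored pcre pattern matches anything containing "@foo.net".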



Re: log check_client_access

2009-08-25 Thread mouss
Martijn de Munnik a écrit :
> 
> On Aug 24, 2009, at 8:31 PM, Martijn de Munnik wrote:
> 
>>
>> On Aug 24, 2009, at 7:57 PM, /dev/rob0 wrote:
>>
>>> On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote:
>>>> How can I write a message to syslog when a check_client_access
>>>> rule matches?
>>>
>>> See the WARN result. If you mean that you want to log and to trigger
>>> some other action, do note that REJECT and DEFER results are logged
>>> anyway. If you're wanting to log an accept action, you could make a
>>> multiple result using a restriction class:
>>>   http://www.postfix.org/RESTRICTION_CLASS_README.html
>>>   http://www.postfix.org/postconf.5.html#smtpd_restriction_classes
>>
>> Could someone please provide an example, this is a little bit too
>> technical for me ;)
>>
>> smtpd_recipient_restrictions =
>>   permit_mynetworks,
>>   permit_sasl_authenticated,
>>   reject_non_fqdn_recipient,
>>   reject_non_fqdn_sender,
>>   reject_unknown_sender_domain,
>>   reject_unverified_recipient,
>>   reject_unauth_destination,
>>   reject_invalid_helo_hostname,
>>   reject_non_fqdn_helo_hostname,
>>   reject_rbl_client virbl.dnsbl.bit.nl,
>>   check_policy_service inet:127.0.0.1:12525,
>>   check_client_access cidr:/opt/csw/etc/postfix/postfix-dnswl-permit,
>>   check_policy_service inet:127.0.0.1:10023
>>
> 
> I want to log the accept action from the check_client_access rule so I
> can use the whitelist hits in stats.
> 

replace the "permit_auth_destination ..." returned by
postfix-dnswl-permit with "policy_dnswl", so you'd get things like
222.255.237.6/32    policy_dnswl

then in postfix:

smtpd_restriction_classes = ...  policy_dnswl

policy_dnswl =
check_client_access pcre:/etc/postfix/logall
permit

== /etc/postfix/logall
/./ WARN client whitelisted using DNSWL




Re: Fw: What authentication method is the best SASL

2009-08-25 Thread mouss
Gaby L a écrit :
>  
>  
> 
> I use SASL for remote clients.
> What is the best authentication mechanism for SASL security? I use
> outlook express clients.
>  
> My smptpd conf is:
> 
> /usr/local/lib/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN
> 

use PLAIN or LOGIN with STARTTLS.

> For courier-imap what is the best authentication method?

Same. but courier-imap doesn't use cyrus-sasl (it uses courier authlib),
and is anyway outside the scope of this mailing list.

> 
> I want to use without MySQL
> 
>  
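
The advice above (PLAIN or LOGIN, but only inside STARTTLS) rests on the fact that these mechanisms transmit the password itself, merely base64-encoded. The following is an added example, not code from the list, Postfix or Cyrus SASL: it builds and decodes an AUTH PLAIN message as defined in RFC 4616, and models how the smtpd_tls_auth_only setting seen in Daniel's postconf output changes what the EHLO reply advertises. The user name and password are constructed; the capability list is a simplification of what a real smtpd announces.

```python
"""Added example: AUTH PLAIN on the wire, and the effect of smtpd_tls_auth_only.
The credentials below are constructed."""
import base64

def auth_plain_initial_response(authzid, authcid, password):
    """RFC 4616 PLAIN message: authzid NUL authcid NUL password, base64-encoded."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_auth_plain(token):
    """Base64 is an encoding, not encryption: the password comes back as-is,
    which is why the exchange must be wrapped in TLS."""
    authzid, authcid, password = base64.b64decode(token).decode("utf-8").split("\0")
    return {"authzid": authzid, "authcid": authcid, "password": password}

def ehlo_capabilities(tls_active, tls_auth_only, mech_list=("PLAIN", "LOGIN")):
    """Simplified model of the EHLO reply: with smtpd_tls_auth_only = yes the
    AUTH capability is only announced once STARTTLS has completed, so a client
    cannot send PLAIN/LOGIN credentials over the cleartext connection."""
    caps = ["PIPELINING", "8BITMIME"]
    if not tls_active:
        caps.append("STARTTLS")
    if tls_active or not tls_auth_only:
        caps.append("AUTH " + " ".join(mech_list))
    return caps

if __name__ == "__main__":
    token = auth_plain_initial_response("", "gaby", "constructed-password")
    print("on the wire:", token)
    print("decoded:    ", decode_auth_plain(token))
    for tls_active in (False, True):
        for tls_auth_only in (False, True):
            print(f"tls={tls_active!s:5} auth_only={tls_auth_only!s:5}",
                  ehlo_capabilities(tls_active, tls_auth_only))
```

Daniel's configuration earlier in this digest has smtpd_tls_auth_only = no, which corresponds to the case where AUTH is offered before STARTTLS; the model makes the difference between the two settings visible without a running server.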




Re: check_sender_access to virtual map?

2009-08-25 Thread Cameron Camp
> That depends on your table schema and the contents of 
> mysql-virtual_domains.cf.

user = xx
password = x
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = 127.0.0.1

table structure:

use mail;

CREATE TABLE domains (
domain varchar(50) NOT NULL,
PRIMARY KEY (domain) )
TYPE=MyISAM;

--

thx,
Cameron