Re: config smtp-cli & postfix to send CLI mail to internet

2009-10-10 Thread Victoriano Giralt

Stan Hoeppner wrote:
| Go ahead and give that RPM a go, see if it works.  If not we'll search
| for another version of libsasl that will work.  You might need libsasl2
| instead.
If the OP needs SASL just for SMTP-auth in Postfix, I'd suggest to give
Dovecot a go. It has excellent SASL capabilities, is quite easy to
configure and integrate with Postfix and has a lot of powerful and useful
features for authenticating users.

--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN


Re: Increasing logging on queue messages

2009-10-10 Thread Stan Hoeppner
Barney Desmond put forth on 10/10/2009 12:19 AM:

> Mask "private" information if you must, but keep
> in mind that it can make it harder for others to help diagnose
> problems.

Absolutely correct.  Obfuscate left-hand-side only to prevent valid
addresses being scraped from this public mailing list by spammers.
Please do _not_ obfuscate domain names, IP addresses of servers, and
host FQDNs.  Many problems reported here are DNS or network related.
Without real domain names, real IPs, and real host names we can't help
people until prying that info from them in successive emails.  It's
better to post the real info up front.  There's not much a criminal can
do with just a domain, host name, or IP address.  And no one is going to
sue you for listing this information in an attempt to solve a problem.
You're not really protecting anything by obfuscating those.

--
Stan
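
The advice above (mask only the left-hand side, keep domains, IPs and host names) can be applied mechanically before posting logs. This is an added example, not code from the thread; the log lines are constructed and the salt value is a placeholder assumption.

```python
import hashlib
import re

# Only these Postfix log fields hold mailbox addresses. Domains, relay host
# names, IP addresses and delay figures are never touched.
_ADDR_FIELD = re.compile(r"\b(from|to|orig_to)=<([^<>@\s]+)@([^<>\s]+)>")


def mask_local_parts(line: str, salt: str) -> str:
    """Replace each local part with a stable token; keep the domain as logged."""
    def _repl(m):
        field, local, domain = m.groups()
        digest = hashlib.sha256(f"{salt}:{local}@{domain}".lower().encode()).hexdigest()
        # Same address -> same token, so readers can still correlate log lines.
        return f"{field}=<user-{digest[:8]}@{domain}>"
    return _ADDR_FIELD.sub(_repl, line)


# Constructed log lines (not from the thread).
SAMPLE_LOG = [
    "Oct 10 09:12:01 mail postfix/qmgr[2101]: 4F1A2C0DE: "
    "from=<alice@example.com>, size=4821, nrcpt=1 (queue active)",
    "Oct 10 09:17:03 mail postfix/smtp[2188]: 4F1A2C0DE: to=<bob@example.net>, "
    "relay=smtp01.example.net[192.0.2.25]:25, delay=302, delays=0.1/0/1.2/300, "
    "dsn=4.4.2, status=deferred (conversation timed out)",
    "Oct 10 09:47:09 mail postfix/smtp[2240]: 4F1A2C0DE: to=<bob@example.net>, "
    "relay=smtp01.example.net[192.0.2.25]:25, delay=2108, status=deferred",
]


def sanitize(lines, salt="constructed-salt"):
    """Mask every line; use a private salt so tokens cannot be guessed back."""
    return [mask_local_parts(line, salt) for line in lines]


if __name__ == "__main__":
    print("\n".join(sanitize(SAMPLE_LOG)))
```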


Re: Outgoing Mail Moderation

2009-10-10 Thread Stan Hoeppner
Manish Kathuria put forth on 10/10/2009 1:19 AM:

> That's a great tip. This would serve the purpose as far as the text
> messages go. However the mail administrator is more interested in having
> a look at the attachments being sent with the mail which would appear
> encoded in the queues. Is there any web interface to have a look at the
> messages in the queue and also issue the postsuper command ?

I must say, if there is such a low level of trust already of the user
base (employees?), then I'd say it's time to install hidden IP based
security cameras pointed at their screens, with high magnification.
Stream the feeds to a video server and review them nightly.  That, or
install legal business spyware on their PCs.

Your goals are very likely beyond the scope of Postfix.  I'd suggest
using bcc_maps to send copies of everyone's emails to an administrative
mailbox.  Then POP/IMAP that account, read the emails, and fire anyone
sending attachments they aren't supposed to.  Or, better, reprimand them
first with a warning.  Fire them on the 2nd offense.

--
Stan


config smtp-cli & postfix to send CLI mail to internet

2009-10-10 Thread Stan Hoeppner
Victoriano Giralt put forth on 10/10/2009 2:48 AM:
> Stan Hoeppner wrote:
> | Go ahead and give that RPM a go, see if it works.  If not we'll search
> | for another version of libsasl that will work.  You might need libsasl2
> | instead.
> If the OP needs SASL just for SMTP-auth in Postfix, I'd suggest to give
> Dovecot a go. It has excellent SASL capabilities, is quite easy to
> configure and integrate with Postfix and has a lot of powerful and useful
> features for authenticating users.

He just needs to authenticate an outbound connection to an ISP relay.
All he needs is the SASL library, which requires no configuration.
Dovecot would be overkill, assuming it's even applicable to outbound
SMTP connections.

--
Stan


Re: config smtp-cli & postfix to send CLI mail to internet

2009-10-10 Thread mouss
Victoriano Giralt a écrit :
> Stan Hoeppner wrote:
> | Go ahead and give that RPM a go, see if it works.  If not we'll search
> | for another version of libsasl that will work.  You might need libsasl2
> | instead.
> If the OP needs SASL just for SMTP-auth in Postfix, I'd suggest to give
> Dovecot a go.

OP needs "client side SASL" (he needs to authenticate to his
ISP/whatever relay). dovecot auth only applies to "server side SASL"



> It has excellent SASL capabilities, is quite easy to
> configure and integrate with Postfix and has a lot of powerful and useful
> features for authenticating users.
> 


Re: Increasing logging on queue messages

2009-10-10 Thread Wietse Venema
MySQL Student:
> Hi,
> 
> >> ?said: 421 smtp01.example.com Error: timeout exceeded (in reply to end
> >> of DATA command))
> >
> > Unfortunately, you deleted lots of useful information from the
vvv
> > logging, including the break-down of handshake delays and of
^^^
> > transmission delays.
> 
> I wasn't sure that I should post the whole queued message here.

I think I was asking for LOGGING, in my reply above.

Please make a tcpdump recording. It will show why your KERNEL TCP
stack stops receiving acknowledgments from the remote side, or why
your KERNEL TCP stack stops sending to the remote side.

The TCP window scale factor is chosen by your KERNEL. Your KERNEL
has no clue about how much mail will be sent over the connection.

Finally, it is possible that hardware mis-behaves with certain 
bit patterns. One should never exclude the unlikely.

Wietse


Re: Outgoing Mail Moderation

2009-10-10 Thread Manish Kathuria
On Sat, Oct 10, 2009 at 3:05 PM, Stan Hoeppner wrote:

> Manish Kathuria put forth on 10/10/2009 1:19 AM:
>
> > That's a great tip. This would serve the purpose as far as the text
> > messages go. However the mail administrator is more interested in having
> > a look at the attachments being sent with the mail which would appear
> > encoded in the queues. Is there any web interface to have a look at the
> > messages in the queue and also issue the postsuper command ?
>
> I must say, if there is such a low level of trust already of the user
> base (employees?), then I'd say it's time to install hidden IP based
> security cameras pointed at their screens, with high magnification.
> Stream the feeds to a video server and review them nightly.  That, or
> install legal business spyware on their PCs.
>
> Your goals are very likely beyond the scope of Postfix.  I'd suggest
> using bcc_maps to send copies of everyone's emails to an administrative
> mailbox.  Then POP/IMAP that account, read the emails, and fire anyone
> sending attachments they aren't supposed to.  Or, better, reprimand them
> first with a warning.  Fire them on the 2nd offense.
>
> --
> Stan
>

This particular organization has a lot of sensitive information and data which
they don't want to be leaked. The bcc-maps are no doubt the best alternative
(and were my suggestion too) but they want to have a proactive approach and
prevent any kind of data leakage in the first place.

-- 
Manish


Different SMTP hostnames on different IPs?

2009-10-10 Thread Rene Bartsch
Hi,

Postfix is running on the public IPs A and B and the private IPs C, D and E.

IP A and B have correct DNS A and PTR records (A: www.mydomain.tld and
B: vpn.mydomain.tld). The hostname of the machine is www.mydomain.tld.
Currently Postfix-SMTPD answers all connections from clients with its
hostname in the ESMTP header (www.mydomain.tld).

How can I configure Postfix to use vpn.mydomain.tld on IP B? Is there an
option for transports in master.cf?

Thanx for any hint

Renne





Re: config smtp-cli & postfix to send CLI mail to internet

2009-10-10 Thread Victoriano Giralt

mouss wrote:
| OP needs "client side SASL" (he needs to authenticate to his
| ISP/whatever relay). dovecot auth only applies to "server side SASL"
I apologise for the noise. I could not find the original post, and I was
too fast on the send button.

--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN


Re: Outgoing Mail Moderation

2009-10-10 Thread Noel Jones

On 10/10/2009 7:48 AM, Manish Kathuria wrote:

> This particular organization has a lot of sensitive information and data
> which they don't want to be leaked. The bcc-maps are no doubt the best
> alternative (and were my suggestion too) but they want to have a
> proactive approach and prevent any kind of data leakage in the first place.
>
> --
> Manish

For examining mail before it's delivered, HOLD looks like your 
best option.  I don't know of any web-based tool that can 
examine/administer the hold queue, but it probably wouldn't be 
too terribly hard to code something useful.


There is a "pfqueue" command line tool listed in the add-on 
software catalog that does most of this, but it's not web 
based.  You can use "ripmime" or mime perl modules to unpack 
encoded attachments.


  -- Noel Jones


Re: Outgoing Mail Moderation

2009-10-10 Thread Sahil Tandon
On Sat, 10 Oct 2009, Manish Kathuria wrote:

> On Sat, Oct 10, 2009 at 10:29 AM, Sahil Tandon  wrote:
> 
> > On Sat, 10 Oct 2009, Manish Kathuria wrote:
> >
> > > Is there any content filtering mechanism available using which the
> > > outgoing mails from all the users or selective users are held in a
> > > queue, and are released only after they are examined and approved by
> > > the administrator or a designated person ?
> >
> > Use an access(5) map to HOLD mails from a given set of users; use
> > postcat(1) to examine messages; and use postsuper(1) to release or
> > delete from the queue.
> >
> >  http://www.postfix.org/access.5.html
> >  http://www.postfix.org/postcat.1.html
> >  http://www.postfix.org/postsuper.1.html
> >
> > --
> > Sahil Tandon 
> >
> 
> That's a great tip. This would serve the purpose as far as the text messages
> go. However the mail administrator is more interested in having a look at
> the attachments being sent with the mail which would appear encoded in the
> queues. Is there any web interface to have a look at the messages in the
> queue and also issue the postsuper command ?

There is no web interface as distributed with Postfix.  Just pipe
postcat(1) output to a mime decoder to view the attachments.

-- 
Sahil Tandon 
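
The "pipe postcat(1) output to a MIME decoder" step suggested above, as an added example that is not code from the thread: it decodes each attachment of a held message and reports name, type, size and hash for the reviewer. It assumes the input is the header and body text that `postcat -bh -q <queue_id>` prints (the `-b` and `-h` options exist in Postfix 2.7 and later); the sample message is constructed.

```python
import base64
import hashlib
import os
from email import message_from_bytes, policy

# Constructed sample (not from the thread): header and body of a held message,
# as `postcat -bh -q <queue_id>` would print them.
PAYLOAD = b"region,total\nEMEA,42\n"
SAMPLE = b"\r\n".join([
    b"From: alice@example.com",
    b"To: bob@example.net",
    b"Subject: Q3 figures",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain; charset=us-ascii",
    b"",
    b"See attached.",
    b"--b1",
    b'Content-Type: text/csv; name="q3.csv"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="../../q3.csv"',
    b"",
    base64.b64encode(PAYLOAD),
    b"--b1--",
    b"",
])


def list_attachments(raw: bytes) -> list:
    """Decode every attachment in a raw message and summarise it for review."""
    found = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None and part.get_content_disposition() != "attachment":
            continue  # ordinary body text, not an attachment
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        # The sender chooses the filename: keep only its basename before any use on disk.
        safe = os.path.basename((name or "unnamed").replace("\\", "/")) or "unnamed"
        found.append({"name": safe, "type": part.get_content_type(),
                      "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
    return found


if __name__ == "__main__":
    for att in list_attachments(SAMPLE):
        print(att)
```

On a live system, pass the bytes read from postcat's standard output to `list_attachments()`; the hash lets the reviewer record what was approved before releasing the message with postsuper(1).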


Re: Outgoing Mail Moderation

2009-10-10 Thread Ralf Hildebrandt
* Manish Kathuria :
> Is there any content filtering mechanism available using which the outgoing
> mails from all the users or selective users are held in a queue, and are
> released only after they are examined and approved by the administrator or a
> designated person ?

Use a combination of HOLD in header_checks or access maps and the
pfqueue program

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Outgoing Mail Moderation

2009-10-10 Thread Patrick Ben Koetter
* Manish Kathuria :
> Is there any content filtering mechanism available using which the outgoing
> mails from all the users or selective users are held in a queue, and are
> released only after they are examined and approved by the administrator or a
> designated person ?

Another idea:

Use amavisd-new. Dedicate a policy bank to all outgoing traffic. Send all
outgoing traffic to (SQL) quarantine. Notify somebody of outgoing messages
that have been sent to quarantine. Write a web-based frontend to examine the
quarantined messages and to release them (using the AM.PDP protocol) when
appropriate.

p...@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: Different SMTP hostnames on different IPs?

2009-10-10 Thread mouss
Rene Bartsch a écrit :
> Hi,
> 
> Postfix is running on the public IPs A and B and the private IPs C, D and E.
> 
> IP A and B have correct DNS A and PTR records (A: www.mydomain.tld and
> B: vpn.mydomain.tld). The hostname of the machine is www.mydomain.tld.
> Currently Postfix-SMTPD answers all connections from clients with its
> hostname in the ESMTP header (www.mydomain.tld).
>
> How can I configure Postfix to use vpn.mydomain.tld on IP B? Is there an
> option for transports in master.cf?
> 

create two smtpd listeners in master.cf, one for each IP, and use -o
myhostname to set the hostname.

# master.cf columns: service type private unpriv chroot wakeup maxproc command
192.0.2.1:25   inet  n       -       n       -       -       smtpd
    -o myhostname=vpn.example.com

...



Re: Outgoing Mail Moderation

2009-10-10 Thread Pat
Manish Kathuria wrote:
> the mail administrator is more interested in having a look at
> the attachments being sent with the mail which would appear
> encoded in the queues. Is there any web interface to have a
> look at the messages in the queue and also issue the postsuper
> command ?

We use postconf (.com) for exactly this (web queue management), over a half
dozen postfix servers. It has buttons for sa-learn, hold, unhold, delete, ...
Only thing missing is a tool to work across the queue i.e., delete all
messages on hold where subject == xyz.

Pat